1 diff -urNp linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3 +++ linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.35.4/arch/alpha/include/asm/elf.h linux-2.6.35.4/arch/alpha/include/asm/elf.h
17 --- linux-2.6.35.4/arch/alpha/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
18 +++ linux-2.6.35.4/arch/alpha/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.35.4/arch/alpha/include/asm/pgtable.h linux-2.6.35.4/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.35.4/arch/alpha/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
35 +++ linux-2.6.35.4/arch/alpha/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.35.4/arch/alpha/kernel/module.c linux-2.6.35.4/arch/alpha/kernel/module.c
55 --- linux-2.6.35.4/arch/alpha/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
56 +++ linux-2.6.35.4/arch/alpha/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
66 diff -urNp linux-2.6.35.4/arch/alpha/kernel/osf_sys.c linux-2.6.35.4/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.35.4/arch/alpha/kernel/osf_sys.c 2010-08-26 19:47:12.000000000 -0400
68 +++ linux-2.6.35.4/arch/alpha/kernel/osf_sys.c 2010-09-17 20:12:09.000000000 -0400
69 @@ -1170,7 +1170,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1206,6 +1206,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1213,8 +1217,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
100 diff -urNp linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c 2010-08-26 19:47:12.000000000 -0400
102 +++ linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c 2010-09-17 20:12:09.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.35.4/arch/alpha/kernel/pci-noop.c linux-2.6.35.4/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.35.4/arch/alpha/kernel/pci-noop.c 2010-08-26 19:47:12.000000000 -0400
121 +++ linux-2.6.35.4/arch/alpha/kernel/pci-noop.c 2010-09-17 20:12:09.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.35.4/arch/alpha/mm/fault.c linux-2.6.35.4/arch/alpha/mm/fault.c
141 --- linux-2.6.35.4/arch/alpha/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
142 +++ linux-2.6.35.4/arch/alpha/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
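Review bot: In the second patched-PLT block of pax_handle_fetch_fault the middle instruction word is held in a variable named `lda`, yet it is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same pattern the first block applies to `ldq`. Its displacement is then added to `regs->r27` rather than used for a load, so either the name or the mask looks off and is worth confirming against the PLT stubs the toolchain emits. Whichever is right, a one-line comment above each `if` naming the instruction sequence being matched would save the next reader from decoding the constants by hand. The raw opcode masks in all three blocks would also read better as named macros. Several lines of this function are not visible here, so the error handling after the `get_user()` calls could not be checked.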
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.35.4/arch/arm/include/asm/elf.h linux-2.6.35.4/arch/arm/include/asm/elf.h
300 --- linux-2.6.35.4/arch/arm/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
301 +++ linux-2.6.35.4/arch/arm/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
302 @@ -111,7 +111,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
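Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare `current->personality == PER_LINUX_32BIT`, so a task whose personality word carries any additional flag bits would fall through to the 10-bit branch and get less randomization than intended. The alpha header in this same patch tests the bit instead (`current->personality & ADDR_LIMIT_32BIT`). If the intent here is also "task has the 32-bit address limit", `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` would be more robust. The ia64 elf.h hunk uses the same equality form with `PER_LINUX32` and deserves the same look.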
318 diff -urNp linux-2.6.35.4/arch/arm/include/asm/kmap_types.h linux-2.6.35.4/arch/arm/include/asm/kmap_types.h
319 --- linux-2.6.35.4/arch/arm/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
320 +++ linux-2.6.35.4/arch/arm/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
321 @@ -21,6 +21,7 @@ enum km_type {
329 diff -urNp linux-2.6.35.4/arch/arm/include/asm/uaccess.h linux-2.6.35.4/arch/arm/include/asm/uaccess.h
330 --- linux-2.6.35.4/arch/arm/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
331 +++ linux-2.6.35.4/arch/arm/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
332 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
334 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
339 if (access_ok(VERIFY_READ, from, n))
340 n = __copy_from_user(to, from, n);
341 else /* security hole - plug it */
342 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
344 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
349 if (access_ok(VERIFY_WRITE, to, n))
350 n = __copy_to_user(to, from, n);
352 diff -urNp linux-2.6.35.4/arch/arm/kernel/kgdb.c linux-2.6.35.4/arch/arm/kernel/kgdb.c
353 --- linux-2.6.35.4/arch/arm/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
354 +++ linux-2.6.35.4/arch/arm/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
355 @@ -208,7 +208,7 @@ void kgdb_arch_exit(void)
356 * and we handle the normal undef case within the do_undefinstr
359 -struct kgdb_arch arch_kgdb_ops = {
360 +const struct kgdb_arch arch_kgdb_ops = {
362 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
363 #else /* ! __ARMEB__ */
364 diff -urNp linux-2.6.35.4/arch/arm/mach-at91/pm.c linux-2.6.35.4/arch/arm/mach-at91/pm.c
365 --- linux-2.6.35.4/arch/arm/mach-at91/pm.c 2010-08-26 19:47:12.000000000 -0400
366 +++ linux-2.6.35.4/arch/arm/mach-at91/pm.c 2010-09-17 20:12:09.000000000 -0400
367 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
371 -static struct platform_suspend_ops at91_pm_ops ={
372 +static const struct platform_suspend_ops at91_pm_ops ={
373 .valid = at91_pm_valid_state,
374 .begin = at91_pm_begin,
375 .enter = at91_pm_enter,
376 diff -urNp linux-2.6.35.4/arch/arm/mach-davinci/pm.c linux-2.6.35.4/arch/arm/mach-davinci/pm.c
377 --- linux-2.6.35.4/arch/arm/mach-davinci/pm.c 2010-08-26 19:47:12.000000000 -0400
378 +++ linux-2.6.35.4/arch/arm/mach-davinci/pm.c 2010-09-17 20:12:09.000000000 -0400
379 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
383 -static struct platform_suspend_ops davinci_pm_ops = {
384 +static const struct platform_suspend_ops davinci_pm_ops = {
385 .enter = davinci_pm_enter,
386 .valid = suspend_valid_only_mem,
388 diff -urNp linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c
389 --- linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c 2010-08-26 19:47:12.000000000 -0400
390 +++ linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c 2010-09-17 20:12:09.000000000 -0400
391 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
395 +/* cannot be const, see msm_init_last_radio_log */
396 static struct file_operations last_radio_log_fops = {
397 .read = last_radio_log_read
399 diff -urNp linux-2.6.35.4/arch/arm/mach-omap1/pm.c linux-2.6.35.4/arch/arm/mach-omap1/pm.c
400 --- linux-2.6.35.4/arch/arm/mach-omap1/pm.c 2010-08-26 19:47:12.000000000 -0400
401 +++ linux-2.6.35.4/arch/arm/mach-omap1/pm.c 2010-09-17 20:12:09.000000000 -0400
402 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
406 -static struct platform_suspend_ops omap_pm_ops ={
407 +static const struct platform_suspend_ops omap_pm_ops ={
408 .prepare = omap_pm_prepare,
409 .enter = omap_pm_enter,
410 .finish = omap_pm_finish,
411 diff -urNp linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c
412 --- linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c 2010-08-26 19:47:12.000000000 -0400
413 +++ linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c 2010-09-17 20:12:09.000000000 -0400
414 @@ -325,7 +325,7 @@ static void omap2_pm_finish(void)
418 -static struct platform_suspend_ops omap_pm_ops = {
419 +static const struct platform_suspend_ops omap_pm_ops = {
420 .prepare = omap2_pm_prepare,
421 .enter = omap2_pm_enter,
422 .finish = omap2_pm_finish,
423 diff -urNp linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c
424 --- linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c 2010-08-26 19:47:12.000000000 -0400
425 +++ linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c 2010-09-17 20:12:09.000000000 -0400
426 @@ -669,7 +669,7 @@ static void omap3_pm_end(void)
430 -static struct platform_suspend_ops omap_pm_ops = {
431 +static const struct platform_suspend_ops omap_pm_ops = {
432 .begin = omap3_pm_begin,
434 .prepare = omap3_pm_prepare,
435 diff -urNp linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c
436 --- linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c 2010-08-26 19:47:12.000000000 -0400
437 +++ linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c 2010-09-17 20:12:09.000000000 -0400
438 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
439 (state == PM_SUSPEND_MEM);
442 -static struct platform_suspend_ops pnx4008_pm_ops = {
443 +static const struct platform_suspend_ops pnx4008_pm_ops = {
444 .enter = pnx4008_pm_enter,
445 .valid = pnx4008_pm_valid,
447 diff -urNp linux-2.6.35.4/arch/arm/mach-pxa/pm.c linux-2.6.35.4/arch/arm/mach-pxa/pm.c
448 --- linux-2.6.35.4/arch/arm/mach-pxa/pm.c 2010-08-26 19:47:12.000000000 -0400
449 +++ linux-2.6.35.4/arch/arm/mach-pxa/pm.c 2010-09-17 20:12:09.000000000 -0400
450 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
451 pxa_cpu_pm_fns->finish();
454 -static struct platform_suspend_ops pxa_pm_ops = {
455 +static const struct platform_suspend_ops pxa_pm_ops = {
456 .valid = pxa_pm_valid,
457 .enter = pxa_pm_enter,
458 .prepare = pxa_pm_prepare,
459 diff -urNp linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c
460 --- linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c 2010-08-26 19:47:12.000000000 -0400
461 +++ linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c 2010-09-17 20:12:09.000000000 -0400
462 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
466 -static struct platform_suspend_ops sharpsl_pm_ops = {
467 +static const struct platform_suspend_ops sharpsl_pm_ops = {
468 .prepare = pxa_pm_prepare,
469 .finish = pxa_pm_finish,
470 .enter = corgi_pxa_pm_enter,
471 diff -urNp linux-2.6.35.4/arch/arm/mach-sa1100/pm.c linux-2.6.35.4/arch/arm/mach-sa1100/pm.c
472 --- linux-2.6.35.4/arch/arm/mach-sa1100/pm.c 2010-08-26 19:47:12.000000000 -0400
473 +++ linux-2.6.35.4/arch/arm/mach-sa1100/pm.c 2010-09-17 20:12:09.000000000 -0400
474 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
475 return virt_to_phys(sp);
478 -static struct platform_suspend_ops sa11x0_pm_ops = {
479 +static const struct platform_suspend_ops sa11x0_pm_ops = {
480 .enter = sa11x0_pm_enter,
481 .valid = suspend_valid_only_mem,
483 diff -urNp linux-2.6.35.4/arch/arm/mm/fault.c linux-2.6.35.4/arch/arm/mm/fault.c
484 --- linux-2.6.35.4/arch/arm/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
485 +++ linux-2.6.35.4/arch/arm/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
486 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
490 +#ifdef CONFIG_PAX_PAGEEXEC
491 + if (fsr & FSR_LNX_PF) {
492 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
493 + do_group_exit(SIGKILL);
497 tsk->thread.address = addr;
498 tsk->thread.error_code = fsr;
499 tsk->thread.trap_no = 14;
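Review bot: The added branch in __do_user_fault acts on `fsr & FSR_LNX_PF` alone, without testing the per-task `MF_PAX_PAGEEXEC` flag that the avr32 path (`mm->pax_flags & MF_PAX_PAGEEXEC`) and the alpha path in this patch check before reporting. As written, a task with PAGEEXEC disabled would still get the PaX report and SIGKILL instead of the normal signal on a kernel built with CONFIG_PAX_PAGEEXEC, unless the flag is filtered somewhere outside this hunk. If that is not intended, gate it, for example `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. The function body starts and continues outside the hunk.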
500 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
502 #endif /* CONFIG_MMU */
504 +#ifdef CONFIG_PAX_PAGEEXEC
505 +void pax_report_insns(void *pc, void *sp)
509 + printk(KERN_ERR "PAX: bytes at PC: ");
510 + for (i = 0; i < 20; i++) {
512 + if (get_user(c, (__force unsigned char __user *)pc+i))
513 + printk(KERN_CONT "?? ");
515 + printk(KERN_CONT "%02x ", c);
519 + printk(KERN_ERR "PAX: bytes at SP-4: ");
520 + for (i = -1; i < 20; i++) {
522 + if (get_user(c, (__force unsigned long __user *)sp+i))
523 + printk(KERN_CONT "???????? ");
525 + printk(KERN_CONT "%08lx ", c);
532 * First Level Translation Fault Handler
534 diff -urNp linux-2.6.35.4/arch/arm/mm/mmap.c linux-2.6.35.4/arch/arm/mm/mmap.c
535 --- linux-2.6.35.4/arch/arm/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
536 +++ linux-2.6.35.4/arch/arm/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
537 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
541 +#ifdef CONFIG_PAX_RANDMMAP
542 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
547 addr = COLOUR_ALIGN(addr, pgoff);
548 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
549 addr = PAGE_ALIGN(addr);
551 vma = find_vma(mm, addr);
552 - if (TASK_SIZE - len >= addr &&
553 - (!vma || addr + len <= vma->vm_start))
554 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
557 if (len > mm->cached_hole_size) {
558 - start_addr = addr = mm->free_area_cache;
559 + start_addr = addr = mm->free_area_cache;
561 - start_addr = addr = TASK_UNMAPPED_BASE;
562 - mm->cached_hole_size = 0;
563 + start_addr = addr = mm->mmap_base;
564 + mm->cached_hole_size = 0;
568 @@ -94,14 +97,14 @@ full_search:
569 * Start a new search - just in case we missed
572 - if (start_addr != TASK_UNMAPPED_BASE) {
573 - start_addr = addr = TASK_UNMAPPED_BASE;
574 + if (start_addr != mm->mmap_base) {
575 + start_addr = addr = mm->mmap_base;
576 mm->cached_hole_size = 0;
581 - if (!vma || addr + len <= vma->vm_start) {
582 + if (check_heap_stack_gap(vma, addr, len)) {
584 * Remember the place where we stopped the search:
586 diff -urNp linux-2.6.35.4/arch/arm/plat-samsung/pm.c linux-2.6.35.4/arch/arm/plat-samsung/pm.c
587 --- linux-2.6.35.4/arch/arm/plat-samsung/pm.c 2010-08-26 19:47:12.000000000 -0400
588 +++ linux-2.6.35.4/arch/arm/plat-samsung/pm.c 2010-09-17 20:12:09.000000000 -0400
589 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
590 s3c_pm_check_cleanup();
593 -static struct platform_suspend_ops s3c_pm_ops = {
594 +static const struct platform_suspend_ops s3c_pm_ops = {
595 .enter = s3c_pm_enter,
596 .prepare = s3c_pm_prepare,
597 .finish = s3c_pm_finish,
598 diff -urNp linux-2.6.35.4/arch/avr32/include/asm/elf.h linux-2.6.35.4/arch/avr32/include/asm/elf.h
599 --- linux-2.6.35.4/arch/avr32/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
600 +++ linux-2.6.35.4/arch/avr32/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
601 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
602 the loader. We need to make sure that it is out of the way of the program
603 that it will "exec", and that there is sufficient room for the brk. */
605 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
606 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
608 +#ifdef CONFIG_PAX_ASLR
609 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
611 +#define PAX_DELTA_MMAP_LEN 15
612 +#define PAX_DELTA_STACK_LEN 15
615 /* This yields a mask that user programs can use to figure out what
616 instruction set this CPU supports. This could be done in user space,
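Review bot: The rewrite of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` carries no comment saying why the order matters, and it is the kind of expression someone will later "simplify" back. Presumably dividing first keeps the intermediate value from wrapping when TASK_SIZE is large. A line such as `/* divide first: 2 * TASK_SIZE can wrap in unsigned long */` above the define would record that. The same uncommented change is made in arch/arm/include/asm/elf.h.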
617 diff -urNp linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h
618 --- linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
619 +++ linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
620 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
630 diff -urNp linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c
631 --- linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c 2010-08-26 19:47:12.000000000 -0400
632 +++ linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c 2010-09-17 20:12:09.000000000 -0400
633 @@ -176,7 +176,7 @@ out:
637 -static struct platform_suspend_ops avr32_pm_ops = {
638 +static const struct platform_suspend_ops avr32_pm_ops = {
639 .valid = avr32_pm_valid_state,
640 .enter = avr32_pm_enter,
642 diff -urNp linux-2.6.35.4/arch/avr32/mm/fault.c linux-2.6.35.4/arch/avr32/mm/fault.c
643 --- linux-2.6.35.4/arch/avr32/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
644 +++ linux-2.6.35.4/arch/avr32/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
645 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
647 int exception_trace = 1;
649 +#ifdef CONFIG_PAX_PAGEEXEC
650 +void pax_report_insns(void *pc, void *sp)
654 + printk(KERN_ERR "PAX: bytes at PC: ");
655 + for (i = 0; i < 20; i++) {
657 + if (get_user(c, (unsigned char *)pc+i))
658 + printk(KERN_CONT "???????? ");
660 + printk(KERN_CONT "%02x ", c);
667 * This routine handles page faults. It determines the address and the
668 * problem, and then passes it off to one of the appropriate routines.
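Review bot: pax_report_insns dumps one byte per iteration with `%02x `, but the fallback for an unreadable byte prints `"???????? "`, eight characters wide, so the dump columns stop lining up and unreadable bytes are hard to count in the log. The ARM copy in this patch uses `printk(KERN_CONT "?? ");` in its byte loop, and the same string fits here. The cast `(unsigned char *)pc+i` also lacks the `__force ... __user` annotation the ARM copy carries, which sparse would likely flag. Parts of the function body are not visible in this view.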
669 @@ -157,6 +174,16 @@ bad_area:
670 up_read(&mm->mmap_sem);
672 if (user_mode(regs)) {
674 +#ifdef CONFIG_PAX_PAGEEXEC
675 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
676 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
677 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
678 + do_group_exit(SIGKILL);
683 if (exception_trace && printk_ratelimit())
684 printk("%s%s[%d]: segfault at %08lx pc %08lx "
685 "sp %08lx ecr %lu\n",
686 diff -urNp linux-2.6.35.4/arch/blackfin/kernel/kgdb.c linux-2.6.35.4/arch/blackfin/kernel/kgdb.c
687 --- linux-2.6.35.4/arch/blackfin/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
688 +++ linux-2.6.35.4/arch/blackfin/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
689 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
690 return -1; /* this means that we do not want to exit from the handler */
693 -struct kgdb_arch arch_kgdb_ops = {
694 +const struct kgdb_arch arch_kgdb_ops = {
695 .gdb_bpt_instr = {0xa1},
697 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
698 diff -urNp linux-2.6.35.4/arch/blackfin/mach-common/pm.c linux-2.6.35.4/arch/blackfin/mach-common/pm.c
699 --- linux-2.6.35.4/arch/blackfin/mach-common/pm.c 2010-08-26 19:47:12.000000000 -0400
700 +++ linux-2.6.35.4/arch/blackfin/mach-common/pm.c 2010-09-17 20:12:09.000000000 -0400
701 @@ -232,7 +232,7 @@ static int bfin_pm_enter(suspend_state_t
705 -struct platform_suspend_ops bfin_pm_ops = {
706 +const struct platform_suspend_ops bfin_pm_ops = {
707 .enter = bfin_pm_enter,
708 .valid = bfin_pm_valid,
710 diff -urNp linux-2.6.35.4/arch/blackfin/mm/maccess.c linux-2.6.35.4/arch/blackfin/mm/maccess.c
711 --- linux-2.6.35.4/arch/blackfin/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
712 +++ linux-2.6.35.4/arch/blackfin/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
713 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
714 return bfin_mem_access_type(addr, size);
717 -long probe_kernel_read(void *dst, void *src, size_t size)
718 +long probe_kernel_read(void *dst, const void *src, size_t size)
720 unsigned long lsrc = (unsigned long)src;
722 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
726 -long probe_kernel_write(void *dst, void *src, size_t size)
727 +long probe_kernel_write(void *dst, const void *src, size_t size)
729 unsigned long ldst = (unsigned long)dst;
731 diff -urNp linux-2.6.35.4/arch/frv/include/asm/kmap_types.h linux-2.6.35.4/arch/frv/include/asm/kmap_types.h
732 --- linux-2.6.35.4/arch/frv/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
733 +++ linux-2.6.35.4/arch/frv/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
734 @@ -23,6 +23,7 @@ enum km_type {
742 diff -urNp linux-2.6.35.4/arch/frv/mm/elf-fdpic.c linux-2.6.35.4/arch/frv/mm/elf-fdpic.c
743 --- linux-2.6.35.4/arch/frv/mm/elf-fdpic.c 2010-08-26 19:47:12.000000000 -0400
744 +++ linux-2.6.35.4/arch/frv/mm/elf-fdpic.c 2010-09-17 20:12:09.000000000 -0400
745 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
747 addr = PAGE_ALIGN(addr);
748 vma = find_vma(current->mm, addr);
749 - if (TASK_SIZE - len >= addr &&
750 - (!vma || addr + len <= vma->vm_start))
751 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
755 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
756 for (; vma; vma = vma->vm_next) {
759 - if (addr + len <= vma->vm_start)
760 + if (check_heap_stack_gap(vma, addr, len))
764 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
765 for (; vma; vma = vma->vm_next) {
768 - if (addr + len <= vma->vm_start)
769 + if (check_heap_stack_gap(vma, addr, len))
773 diff -urNp linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c
774 --- linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c 2010-08-26 19:47:12.000000000 -0400
775 +++ linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c 2010-09-17 20:12:09.000000000 -0400
777 #include <linux/swiotlb.h>
778 #include <asm/machvec.h>
780 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
781 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
783 /* swiotlb declarations & definitions: */
784 extern int swiotlb_late_init_with_default_size (size_t size);
785 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
786 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
789 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
790 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
792 if (use_swiotlb(dev))
793 return &swiotlb_dma_ops;
794 diff -urNp linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c
795 --- linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c 2010-08-26 19:47:12.000000000 -0400
796 +++ linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c 2010-09-17 20:12:09.000000000 -0400
797 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
801 -extern struct dma_map_ops swiotlb_dma_ops;
802 +extern const struct dma_map_ops swiotlb_dma_ops;
806 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
808 __setup("sbapagesize=",sba_page_override);
810 -struct dma_map_ops sba_dma_ops = {
811 +const struct dma_map_ops sba_dma_ops = {
812 .alloc_coherent = sba_alloc_coherent,
813 .free_coherent = sba_free_coherent,
814 .map_page = sba_map_page,
815 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/compat.h linux-2.6.35.4/arch/ia64/include/asm/compat.h
816 --- linux-2.6.35.4/arch/ia64/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
817 +++ linux-2.6.35.4/arch/ia64/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
818 @@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr)
821 static __inline__ void __user *
822 -compat_alloc_user_space (long len)
823 +arch_compat_alloc_user_space (long len)
825 struct pt_regs *regs = task_pt_regs(current);
826 return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
827 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h
828 --- linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
829 +++ linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
832 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
834 -extern struct dma_map_ops *dma_ops;
835 +extern const struct dma_map_ops *dma_ops;
836 extern struct ia64_machine_vector ia64_mv;
837 extern void set_iommu_machvec(void);
839 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
840 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
841 dma_addr_t *daddr, gfp_t gfp)
843 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
844 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
847 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
848 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
849 static inline void dma_free_coherent(struct device *dev, size_t size,
850 void *caddr, dma_addr_t daddr)
852 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
853 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
854 debug_dma_free_coherent(dev, size, caddr, daddr);
855 ops->free_coherent(dev, size, caddr, daddr);
857 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
859 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
861 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
862 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
863 return ops->mapping_error(dev, daddr);
866 static inline int dma_supported(struct device *dev, u64 mask)
868 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
869 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
870 return ops->dma_supported(dev, mask);
873 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/elf.h linux-2.6.35.4/arch/ia64/include/asm/elf.h
874 --- linux-2.6.35.4/arch/ia64/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
875 +++ linux-2.6.35.4/arch/ia64/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
878 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
880 +#ifdef CONFIG_PAX_ASLR
881 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
883 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
884 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
887 #define PT_IA_64_UNWIND 0x70000001
889 /* IA-64 relocations: */
890 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/machvec.h linux-2.6.35.4/arch/ia64/include/asm/machvec.h
891 --- linux-2.6.35.4/arch/ia64/include/asm/machvec.h 2010-08-26 19:47:12.000000000 -0400
892 +++ linux-2.6.35.4/arch/ia64/include/asm/machvec.h 2010-09-17 20:12:09.000000000 -0400
893 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
894 /* DMA-mapping interface: */
895 typedef void ia64_mv_dma_init (void);
896 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
897 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
898 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
901 * WARNING: The legacy I/O space is _architected_. Platforms are
902 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
903 # endif /* CONFIG_IA64_GENERIC */
905 extern void swiotlb_dma_init(void);
906 -extern struct dma_map_ops *dma_get_ops(struct device *);
907 +extern const struct dma_map_ops *dma_get_ops(struct device *);
910 * Define default versions so we can extend machvec for new platforms without having
911 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/pgtable.h linux-2.6.35.4/arch/ia64/include/asm/pgtable.h
912 --- linux-2.6.35.4/arch/ia64/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
913 +++ linux-2.6.35.4/arch/ia64/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
915 * David Mosberger-Tang <davidm@hpl.hp.com>
919 +#include <linux/const.h>
920 #include <asm/mman.h>
921 #include <asm/page.h>
922 #include <asm/processor.h>
924 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
925 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
926 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
928 +#ifdef CONFIG_PAX_PAGEEXEC
929 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
930 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
931 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
933 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
934 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
935 +# define PAGE_COPY_NOEXEC PAGE_COPY
938 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
939 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
940 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
941 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/uaccess.h linux-2.6.35.4/arch/ia64/include/asm/uaccess.h
942 --- linux-2.6.35.4/arch/ia64/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
943 +++ linux-2.6.35.4/arch/ia64/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
944 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
945 const void *__cu_from = (from); \
946 long __cu_len = (n); \
948 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
949 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
950 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
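Review bot: The new length guard in both copy macros (this hunk and the following one at -269) carries no comment explaining the `INT_MAX` ceiling or what the caller gets back when it rejects a length. In the visible lines a rejected length skips `__copy_user`, so `__cu_len` presumably keeps the caller's `n`; for a negative `n` that would be a negative "bytes not copied" result, which callers testing `> 0` rather than `!= 0` could misread. I would add a comment above the condition, e.g. `/* reject zero, negative and >INT_MAX lengths before touching user memory */`, and document the return value for rejected lengths. The macro bodies start and end outside the hunks, so the final return expression is not visible here.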
953 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
954 long __cu_len = (n); \
956 __chk_user_ptr(__cu_from); \
957 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
958 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
959 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
962 diff -urNp linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c
963 --- linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c 2010-08-26 19:47:12.000000000 -0400
964 +++ linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c 2010-09-17 20:12:09.000000000 -0400
966 /* Set this to 1 if there is a HW IOMMU in the system */
967 int iommu_detected __read_mostly;
969 -struct dma_map_ops *dma_ops;
970 +const struct dma_map_ops *dma_ops;
971 EXPORT_SYMBOL(dma_ops);
973 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
974 @@ -16,7 +16,7 @@ static int __init dma_init(void)
976 fs_initcall(dma_init);
978 -struct dma_map_ops *dma_get_ops(struct device *dev)
979 +const struct dma_map_ops *dma_get_ops(struct device *dev)
983 diff -urNp linux-2.6.35.4/arch/ia64/kernel/module.c linux-2.6.35.4/arch/ia64/kernel/module.c
984 --- linux-2.6.35.4/arch/ia64/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
985 +++ linux-2.6.35.4/arch/ia64/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
986 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
988 module_free (struct module *mod, void *module_region)
990 - if (mod && mod->arch.init_unw_table &&
991 - module_region == mod->module_init) {
992 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
993 unw_remove_unwind_table(mod->arch.init_unw_table);
994 mod->arch.init_unw_table = NULL;
996 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1000 +in_init_rx (const struct module *mod, uint64_t addr)
1002 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1006 +in_init_rw (const struct module *mod, uint64_t addr)
1008 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1012 in_init (const struct module *mod, uint64_t addr)
1014 - return addr - (uint64_t) mod->module_init < mod->init_size;
1015 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1019 +in_core_rx (const struct module *mod, uint64_t addr)
1021 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1025 +in_core_rw (const struct module *mod, uint64_t addr)
1027 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1031 in_core (const struct module *mod, uint64_t addr)
1033 - return addr - (uint64_t) mod->module_core < mod->core_size;
1034 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1038 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1042 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1043 + if (in_init_rx(mod, val))
1044 + val -= (uint64_t) mod->module_init_rx;
1045 + else if (in_init_rw(mod, val))
1046 + val -= (uint64_t) mod->module_init_rw;
1047 + else if (in_core_rx(mod, val))
1048 + val -= (uint64_t) mod->module_core_rx;
1049 + else if (in_core_rw(mod, val))
1050 + val -= (uint64_t) mod->module_core_rw;
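Review bot: The four-way `if`/`else if` chain that replaces the ternary shows no final `else`, so a `val` lying in none of the rx/rw init or core regions is passed on unadjusted. The removed line always subtracted a base, falling back to `mod->module_core`. If no such branch exists in the lines this page omits, I would add one that fails the relocation instead of continuing with an absolute address, or at least a comment saying why the case cannot occur. do_reloc's body continues outside the hunk.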
1054 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1055 * addresses have been selected...
1058 - if (mod->core_size > MAX_LTOFF)
1059 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1061 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1062 * at the end of the module.
1064 - gp = mod->core_size - MAX_LTOFF / 2;
1065 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1067 - gp = mod->core_size / 2;
1068 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1069 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1070 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1072 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
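Review bot: The gp computation now sums `core_size_rx + core_size_rw` but still offsets from `mod->module_core_rx` alone, which is correct only if the rw region directly follows the rx region in one contiguous span. Nothing in this hunk establishes that layout, and the retained comment about SHF_ARCH_SMALL being allocated "at the end of the module" presumably now refers to the end of the rw region. I would record the assumption next to the assignment, e.g. `/* assumes module_core_rw == module_core_rx + core_size_rx */`, or derive gp from `module_core_rw` if that is where the small-data sections live. The enclosing function starts and ends outside the hunk.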
1074 diff -urNp linux-2.6.35.4/arch/ia64/kernel/pci-dma.c linux-2.6.35.4/arch/ia64/kernel/pci-dma.c
1075 --- linux-2.6.35.4/arch/ia64/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
1076 +++ linux-2.6.35.4/arch/ia64/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
1077 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1078 .dma_mask = &fallback_dev.coherent_dma_mask,
1081 -extern struct dma_map_ops intel_dma_ops;
1082 +extern const struct dma_map_ops intel_dma_ops;
1084 static int __init pci_iommu_init(void)
1086 diff -urNp linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c
1087 --- linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
1088 +++ linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
1089 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1090 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1093 -struct dma_map_ops swiotlb_dma_ops = {
1094 +const struct dma_map_ops swiotlb_dma_ops = {
1095 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1096 .free_coherent = swiotlb_free_coherent,
1097 .map_page = swiotlb_map_page,
1098 diff -urNp linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c
1099 --- linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c 2010-08-26 19:47:12.000000000 -0400
1100 +++ linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c 2010-09-17 20:12:09.000000000 -0400
1101 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1102 if (REGION_NUMBER(addr) == RGN_HPAGE)
1106 +#ifdef CONFIG_PAX_RANDMMAP
1107 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1108 + addr = mm->free_area_cache;
1113 addr = mm->free_area_cache;
1115 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1116 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1117 /* At this point: (!vma || addr < vma->vm_end). */
1118 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1119 - if (start_addr != TASK_UNMAPPED_BASE) {
1120 + if (start_addr != mm->mmap_base) {
1121 /* Start a new search --- just in case we missed some holes. */
1122 - addr = TASK_UNMAPPED_BASE;
1123 + addr = mm->mmap_base;
1128 - if (!vma || addr + len <= vma->vm_start) {
1129 + if (check_heap_stack_gap(vma, addr, len)) {
1130 /* Remember the address where we stopped this search: */
1131 mm->free_area_cache = addr + len;
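Review bot: Replacing `!vma || addr + len <= vma->vm_start` with `check_heap_stack_gap(vma, addr, len)` moves the NULL-vma case into a helper that is not shown on this page. The loop still advances with `vma = vma->vm_next`, so the helper has to return true for a NULL `vma` or the loop goes on to dereference it. The same substitution appears in the hugetlbpage.c hunk (followed by `vmm->vm_end`) and in both mips syscall.c hunks. I would state that contract at the call site, e.g. `/* check_heap_stack_gap() must accept vma == NULL (nothing mapped above addr) */`. The function body extends beyond the hunk.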
1133 diff -urNp linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S
1134 --- linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
1135 +++ linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
1136 @@ -196,7 +196,7 @@ SECTIONS
1138 . = ALIGN(PERCPU_PAGE_SIZE);
1139 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1140 - __phys_per_cpu_start = __per_cpu_load;
1141 + __phys_per_cpu_start = per_cpu_load;
1142 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1143 * into percpu page size
1145 diff -urNp linux-2.6.35.4/arch/ia64/mm/fault.c linux-2.6.35.4/arch/ia64/mm/fault.c
1146 --- linux-2.6.35.4/arch/ia64/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1147 +++ linux-2.6.35.4/arch/ia64/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1148 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1149 return pte_present(pte);
1152 +#ifdef CONFIG_PAX_PAGEEXEC
1153 +void pax_report_insns(void *pc, void *sp)
1157 + printk(KERN_ERR "PAX: bytes at PC: ");
1158 + for (i = 0; i < 8; i++) {
1160 + if (get_user(c, (unsigned int *)pc+i))
1161 + printk(KERN_CONT "???????? ");
1163 + printk(KERN_CONT "%08x ", c);
1170 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
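Review bot: `pax_report_insns` passes `(unsigned int *)pc+i` to `get_user` without a `__user` annotation, so sparse will flag the address-space mismatch and a reader cannot tell that `pc` is a userland address. I would write the cast as `(unsigned int __user *)pc + i` and, if the prototype can change, declare the parameter as `void __user *pc`. The mips/mm/fault.c copy of this function has the same cast. The dumped words come from user memory, which is acceptable here because they are only printed through the fixed `%08x` format.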
1172 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1173 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1174 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1176 - if ((vma->vm_flags & mask) != mask)
1177 + if ((vma->vm_flags & mask) != mask) {
1179 +#ifdef CONFIG_PAX_PAGEEXEC
1180 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1181 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1184 + up_read(&mm->mmap_sem);
1185 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1186 + do_group_exit(SIGKILL);
1195 * If for any reason at all we couldn't handle the fault, make
1196 * sure we exit gracefully rather than endlessly redo the
1197 diff -urNp linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c
1198 --- linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
1199 +++ linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
1200 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1201 /* At this point: (!vmm || addr < vmm->vm_end). */
1202 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1204 - if (!vmm || (addr + len) <= vmm->vm_start)
1205 + if (check_heap_stack_gap(vmm, addr, len))
1207 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1209 diff -urNp linux-2.6.35.4/arch/ia64/mm/init.c linux-2.6.35.4/arch/ia64/mm/init.c
1210 --- linux-2.6.35.4/arch/ia64/mm/init.c 2010-08-26 19:47:12.000000000 -0400
1211 +++ linux-2.6.35.4/arch/ia64/mm/init.c 2010-09-17 20:12:09.000000000 -0400
1212 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1213 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1214 vma->vm_end = vma->vm_start + PAGE_SIZE;
1215 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1217 +#ifdef CONFIG_PAX_PAGEEXEC
1218 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1219 + vma->vm_flags &= ~VM_EXEC;
1221 +#ifdef CONFIG_PAX_MPROTECT
1222 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1223 + vma->vm_flags &= ~VM_MAYEXEC;
1229 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1230 down_write(¤t->mm->mmap_sem);
1231 if (insert_vm_struct(current->mm, vma)) {
1232 diff -urNp linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c
1233 --- linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c 2010-08-26 19:47:12.000000000 -0400
1234 +++ linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c 2010-09-17 20:12:09.000000000 -0400
1235 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1239 -static struct dma_map_ops sn_dma_ops = {
1240 +static const struct dma_map_ops sn_dma_ops = {
1241 .alloc_coherent = sn_dma_alloc_coherent,
1242 .free_coherent = sn_dma_free_coherent,
1243 .map_page = sn_dma_map_page,
1244 diff -urNp linux-2.6.35.4/arch/m32r/lib/usercopy.c linux-2.6.35.4/arch/m32r/lib/usercopy.c
1245 --- linux-2.6.35.4/arch/m32r/lib/usercopy.c 2010-08-26 19:47:12.000000000 -0400
1246 +++ linux-2.6.35.4/arch/m32r/lib/usercopy.c 2010-09-17 20:12:09.000000000 -0400
1249 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1255 if (access_ok(VERIFY_WRITE, to, n))
1256 __copy_user(to,from,n);
1257 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1259 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1265 if (access_ok(VERIFY_READ, from, n))
1266 __copy_user_zeroing(to,from,n);
1267 diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/device.h linux-2.6.35.4/arch/microblaze/include/asm/device.h
1268 --- linux-2.6.35.4/arch/microblaze/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1269 +++ linux-2.6.35.4/arch/microblaze/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1270 @@ -13,7 +13,7 @@ struct device_node;
1272 struct dev_archdata {
1273 /* DMA operations on that device */
1274 - struct dma_map_ops *dma_ops;
1275 + const struct dma_map_ops *dma_ops;
1279 diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h
1280 --- linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1281 +++ linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
1282 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1283 return 0xfffffffful;
1286 -extern struct dma_map_ops *dma_ops;
1287 +extern const struct dma_map_ops *dma_ops;
1290 * Available generic sets of operations
1292 -extern struct dma_map_ops dma_direct_ops;
1293 +extern const struct dma_map_ops dma_direct_ops;
1295 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1296 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1298 /* We don't handle the NULL dev case for ISA for now. We could
1299 * do it via an out of line call but it is not needed for now. The
1300 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1301 return dev->archdata.dma_ops;
1304 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1305 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1307 dev->archdata.dma_ops = ops;
1310 static inline int dma_supported(struct device *dev, u64 mask)
1312 - struct dma_map_ops *ops = get_dma_ops(dev);
1313 + const struct dma_map_ops *ops = get_dma_ops(dev);
1317 @@ -87,7 +87,7 @@ static inline int dma_supported(struct d
1319 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1321 - struct dma_map_ops *ops = get_dma_ops(dev);
1322 + const struct dma_map_ops *ops = get_dma_ops(dev);
1324 if (unlikely(ops == NULL))
1326 @@ -103,7 +103,7 @@ static inline int dma_set_mask(struct de
1328 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1330 - struct dma_map_ops *ops = get_dma_ops(dev);
1331 + const struct dma_map_ops *ops = get_dma_ops(dev);
1332 if (ops->mapping_error)
1333 return ops->mapping_error(dev, dma_addr);
1335 @@ -117,7 +117,7 @@ static inline int dma_mapping_error(stru
1336 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1337 dma_addr_t *dma_handle, gfp_t flag)
1339 - struct dma_map_ops *ops = get_dma_ops(dev);
1340 + const struct dma_map_ops *ops = get_dma_ops(dev);
1344 @@ -131,7 +131,7 @@ static inline void *dma_alloc_coherent(s
1345 static inline void dma_free_coherent(struct device *dev, size_t size,
1346 void *cpu_addr, dma_addr_t dma_handle)
1348 - struct dma_map_ops *ops = get_dma_ops(dev);
1349 + const struct dma_map_ops *ops = get_dma_ops(dev);
1352 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1353 diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/pci.h linux-2.6.35.4/arch/microblaze/include/asm/pci.h
1354 --- linux-2.6.35.4/arch/microblaze/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
1355 +++ linux-2.6.35.4/arch/microblaze/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
1356 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1360 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1361 -extern struct dma_map_ops *get_pci_dma_ops(void);
1362 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1363 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1364 #else /* CONFIG_PCI */
1365 #define set_pci_dma_ops(d)
1366 #define get_pci_dma_ops() NULL
1367 diff -urNp linux-2.6.35.4/arch/microblaze/kernel/dma.c linux-2.6.35.4/arch/microblaze/kernel/dma.c
1368 --- linux-2.6.35.4/arch/microblaze/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
1369 +++ linux-2.6.35.4/arch/microblaze/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
1370 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1371 __dma_sync_page(dma_address, 0 , size, direction);
1374 -struct dma_map_ops dma_direct_ops = {
1375 +const struct dma_map_ops dma_direct_ops = {
1376 .alloc_coherent = dma_direct_alloc_coherent,
1377 .free_coherent = dma_direct_free_coherent,
1378 .map_sg = dma_direct_map_sg,
1379 diff -urNp linux-2.6.35.4/arch/microblaze/pci/pci-common.c linux-2.6.35.4/arch/microblaze/pci/pci-common.c
1380 --- linux-2.6.35.4/arch/microblaze/pci/pci-common.c 2010-08-26 19:47:12.000000000 -0400
1381 +++ linux-2.6.35.4/arch/microblaze/pci/pci-common.c 2010-09-17 20:12:09.000000000 -0400
1382 @@ -46,14 +46,14 @@ resource_size_t isa_mem_base;
1383 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1384 unsigned int pci_flags;
1386 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1387 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1389 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1390 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1392 pci_dma_ops = dma_ops;
1395 -struct dma_map_ops *get_pci_dma_ops(void)
1396 +const struct dma_map_ops *get_pci_dma_ops(void)
1400 diff -urNp linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c
1401 --- linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c 2010-08-26 19:47:12.000000000 -0400
1402 +++ linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c 2010-09-17 20:12:09.000000000 -0400
1403 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1407 -static struct platform_suspend_ops db1x_pm_ops = {
1408 +static const struct platform_suspend_ops db1x_pm_ops = {
1409 .valid = suspend_valid_only_mem,
1410 .begin = db1x_pm_begin,
1411 .enter = db1x_pm_enter,
1412 diff -urNp linux-2.6.35.4/arch/mips/include/asm/compat.h linux-2.6.35.4/arch/mips/include/asm/compat.h
1413 --- linux-2.6.35.4/arch/mips/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
1414 +++ linux-2.6.35.4/arch/mips/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
1415 @@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compa
1416 return (u32)(unsigned long)uptr;
1419 -static inline void __user *compat_alloc_user_space(long len)
1420 +static inline void __user *arch_compat_alloc_user_space(long len)
1422 struct pt_regs *regs = (struct pt_regs *)
1423 ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
1424 diff -urNp linux-2.6.35.4/arch/mips/include/asm/elf.h linux-2.6.35.4/arch/mips/include/asm/elf.h
1425 --- linux-2.6.35.4/arch/mips/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1426 +++ linux-2.6.35.4/arch/mips/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1427 @@ -368,6 +368,13 @@ extern const char *__elf_platform;
1428 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1431 +#ifdef CONFIG_PAX_ASLR
1432 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1434 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1435 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1438 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1439 struct linux_binprm;
1440 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
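Review bot: `PAX_ELF_ET_DYN_BASE` selects between two identical values, `0x00400000UL : 0x00400000UL`, so either the `test_thread_flag(TIF_32BIT_ADDR)` test is dead weight or the 64-bit arm was meant to be a different base. If a single base is intended, `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` with a short comment says so directly. The same definition is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks. A one-line comment on how `27-PAGE_SHIFT` and `36-PAGE_SHIFT` translate into bits of mmap and stack randomization would also help whoever audits the entropy later.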
1441 diff -urNp linux-2.6.35.4/arch/mips/include/asm/page.h linux-2.6.35.4/arch/mips/include/asm/page.h
1442 --- linux-2.6.35.4/arch/mips/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
1443 +++ linux-2.6.35.4/arch/mips/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
1444 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1445 #ifdef CONFIG_CPU_MIPS32
1446 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1447 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1448 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1449 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1451 typedef struct { unsigned long long pte; } pte_t;
1452 #define pte_val(x) ((x).pte)
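Review bot: Dropping the `(unsigned long long)` cast leaves `(x) >> 32` to be evaluated in the argument's own type. Under `CONFIG_CPU_MIPS32`, where `unsigned long` is presumably 32 bits (the neighbouring `pte_val` widens `pte_high` before shifting), a 32-bit argument makes this a shift by the full type width, which is undefined in C. The removed form widened first and so produced a well-defined 0 for the high half. Unless every caller is known to pass a 64-bit value, I would keep the widening, `{(x), ((unsigned long long)(x)) >> 32}`; if the cast was removed on purpose, a comment stating the argument-type requirement would do instead.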
1453 diff -urNp linux-2.6.35.4/arch/mips/include/asm/system.h linux-2.6.35.4/arch/mips/include/asm/system.h
1454 --- linux-2.6.35.4/arch/mips/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
1455 +++ linux-2.6.35.4/arch/mips/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
1456 @@ -234,6 +234,6 @@ extern void per_cpu_trap_init(void);
1458 #define __ARCH_WANT_UNLOCKED_CTXSW
1460 -extern unsigned long arch_align_stack(unsigned long sp);
1461 +#define arch_align_stack(x) ((x) & ALMASK)
1463 #endif /* _ASM_SYSTEM_H */
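Review bot: The `arch_align_stack(x)` macro is defined unconditionally, so it drops the sub-page stack offset that the removed process.c function applied (`sp -= get_random_int() & ~PAGE_MASK` when randomization is enabled), even in builds without `CONFIG_PAX_ASLR`. If PaX's own stack randomization is meant to replace it, I would guard the macro with `#ifdef CONFIG_PAX_ASLR` and keep the extern declaration otherwise, with the process.c removal guarded to match. Failing that, a comment should say the loss is intended. The deleted comment about 8-byte and 16-byte ABI alignment also disappears, and a one-line comment above the `#define` would preserve it.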
1464 diff -urNp linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c
1465 --- linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c 2010-08-26 19:47:12.000000000 -0400
1466 +++ linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c 2010-09-17 20:12:09.000000000 -0400
1467 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1468 #undef ELF_ET_DYN_BASE
1469 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1471 +#ifdef CONFIG_PAX_ASLR
1472 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1474 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1475 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1478 #include <asm/processor.h>
1479 #include <linux/module.h>
1480 #include <linux/elfcore.h>
1481 diff -urNp linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c
1482 --- linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c 2010-08-26 19:47:12.000000000 -0400
1483 +++ linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c 2010-09-17 20:12:09.000000000 -0400
1484 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1485 #undef ELF_ET_DYN_BASE
1486 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1488 +#ifdef CONFIG_PAX_ASLR
1489 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1491 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1492 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1495 #include <asm/processor.h>
1498 diff -urNp linux-2.6.35.4/arch/mips/kernel/kgdb.c linux-2.6.35.4/arch/mips/kernel/kgdb.c
1499 --- linux-2.6.35.4/arch/mips/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
1500 +++ linux-2.6.35.4/arch/mips/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
1501 @@ -270,6 +270,7 @@ int kgdb_arch_handle_exception(int vecto
1505 +/* cannot be const, see kgdb_arch_init */
1506 struct kgdb_arch arch_kgdb_ops;
1509 diff -urNp linux-2.6.35.4/arch/mips/kernel/process.c linux-2.6.35.4/arch/mips/kernel/process.c
1510 --- linux-2.6.35.4/arch/mips/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
1511 +++ linux-2.6.35.4/arch/mips/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
1512 @@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
1518 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1519 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1521 -unsigned long arch_align_stack(unsigned long sp)
1523 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1524 - sp -= get_random_int() & ~PAGE_MASK;
1526 - return sp & ALMASK;
1528 diff -urNp linux-2.6.35.4/arch/mips/kernel/syscall.c linux-2.6.35.4/arch/mips/kernel/syscall.c
1529 --- linux-2.6.35.4/arch/mips/kernel/syscall.c 2010-08-26 19:47:12.000000000 -0400
1530 +++ linux-2.6.35.4/arch/mips/kernel/syscall.c 2010-09-17 20:12:09.000000000 -0400
1531 @@ -106,17 +106,21 @@ unsigned long arch_get_unmapped_area(str
1533 if (filp || (flags & MAP_SHARED))
1536 +#ifdef CONFIG_PAX_RANDMMAP
1537 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1542 addr = COLOUR_ALIGN(addr, pgoff);
1544 addr = PAGE_ALIGN(addr);
1545 vmm = find_vma(current->mm, addr);
1546 - if (task_size - len >= addr &&
1547 - (!vmm || addr + len <= vmm->vm_start))
1548 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1551 - addr = TASK_UNMAPPED_BASE;
1552 + addr = current->mm->mmap_base;
1554 addr = COLOUR_ALIGN(addr, pgoff);
1556 @@ -126,7 +130,7 @@ unsigned long arch_get_unmapped_area(str
1557 /* At this point: (!vmm || addr < vmm->vm_end). */
1558 if (task_size - len < addr)
1560 - if (!vmm || addr + len <= vmm->vm_start)
1561 + if (check_heap_stack_gap(vmm, addr, len))
1565 diff -urNp linux-2.6.35.4/arch/mips/loongson/common/pm.c linux-2.6.35.4/arch/mips/loongson/common/pm.c
1566 --- linux-2.6.35.4/arch/mips/loongson/common/pm.c 2010-08-26 19:47:12.000000000 -0400
1567 +++ linux-2.6.35.4/arch/mips/loongson/common/pm.c 2010-09-17 20:12:09.000000000 -0400
1568 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1572 -static struct platform_suspend_ops loongson_pm_ops = {
1573 +static const struct platform_suspend_ops loongson_pm_ops = {
1574 .valid = loongson_pm_valid_state,
1575 .enter = loongson_pm_enter,
1577 diff -urNp linux-2.6.35.4/arch/mips/mm/fault.c linux-2.6.35.4/arch/mips/mm/fault.c
1578 --- linux-2.6.35.4/arch/mips/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1579 +++ linux-2.6.35.4/arch/mips/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1581 #include <asm/ptrace.h>
1582 #include <asm/highmem.h> /* For VMALLOC_END */
1584 +#ifdef CONFIG_PAX_PAGEEXEC
1585 +void pax_report_insns(void *pc)
1589 + printk(KERN_ERR "PAX: bytes at PC: ");
1590 + for (i = 0; i < 5; i++) {
1592 + if (get_user(c, (unsigned int *)pc+i))
1593 + printk(KERN_CONT "???????? ");
1595 + printk(KERN_CONT "%08x ", c);
1602 * This routine handles page faults. It determines the address,
1603 * and the problem, and then passes it off to one of the appropriate
1604 diff -urNp linux-2.6.35.4/arch/parisc/include/asm/compat.h linux-2.6.35.4/arch/parisc/include/asm/compat.h
1605 --- linux-2.6.35.4/arch/parisc/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
1606 +++ linux-2.6.35.4/arch/parisc/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
1607 @@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compa
1608 return (u32)(unsigned long)uptr;
1611 -static __inline__ void __user *compat_alloc_user_space(long len)
1612 +static __inline__ void __user *arch_compat_alloc_user_space(long len)
1614 struct pt_regs *regs = ¤t->thread.regs;
1615 return (void __user *)regs->gr[30];
1616 diff -urNp linux-2.6.35.4/arch/parisc/include/asm/elf.h linux-2.6.35.4/arch/parisc/include/asm/elf.h
1617 --- linux-2.6.35.4/arch/parisc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1618 +++ linux-2.6.35.4/arch/parisc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1619 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1621 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1623 +#ifdef CONFIG_PAX_ASLR
1624 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1626 +#define PAX_DELTA_MMAP_LEN 16
1627 +#define PAX_DELTA_STACK_LEN 16
1630 /* This yields a mask that user programs can use to figure out what
1631 instruction set this CPU supports. This could be done in user space,
1632 but it's not easy, and we've already done it here. */
1633 diff -urNp linux-2.6.35.4/arch/parisc/include/asm/pgtable.h linux-2.6.35.4/arch/parisc/include/asm/pgtable.h
1634 --- linux-2.6.35.4/arch/parisc/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
1635 +++ linux-2.6.35.4/arch/parisc/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
1636 @@ -207,6 +207,17 @@
1637 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1638 #define PAGE_COPY PAGE_EXECREAD
1639 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1641 +#ifdef CONFIG_PAX_PAGEEXEC
1642 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1643 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1644 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1646 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1647 +# define PAGE_COPY_NOEXEC PAGE_COPY
1648 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1651 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1652 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1653 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1654 diff -urNp linux-2.6.35.4/arch/parisc/kernel/module.c linux-2.6.35.4/arch/parisc/kernel/module.c
1655 --- linux-2.6.35.4/arch/parisc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
1656 +++ linux-2.6.35.4/arch/parisc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
1659 /* three functions to determine where in the module core
1660 * or init pieces the location is */
1661 +static inline int in_init_rx(struct module *me, void *loc)
1663 + return (loc >= me->module_init_rx &&
1664 + loc < (me->module_init_rx + me->init_size_rx));
1667 +static inline int in_init_rw(struct module *me, void *loc)
1669 + return (loc >= me->module_init_rw &&
1670 + loc < (me->module_init_rw + me->init_size_rw));
1673 static inline int in_init(struct module *me, void *loc)
1675 - return (loc >= me->module_init &&
1676 - loc <= (me->module_init + me->init_size));
1677 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1680 +static inline int in_core_rx(struct module *me, void *loc)
1682 + return (loc >= me->module_core_rx &&
1683 + loc < (me->module_core_rx + me->core_size_rx));
1686 +static inline int in_core_rw(struct module *me, void *loc)
1688 + return (loc >= me->module_core_rw &&
1689 + loc < (me->module_core_rw + me->core_size_rw));
1692 static inline int in_core(struct module *me, void *loc)
1694 - return (loc >= me->module_core &&
1695 - loc <= (me->module_core + me->core_size));
1696 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1699 static inline int in_local(struct module *me, void *loc)
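Review bot: The comment above these helpers still says "three functions" although four more are added beside in_init(), in_core() and in_local(), and nothing records that the upper bound became exclusive (`<` where the removed lines used `<=`). I would reword it to something like `/* helpers to determine which rx/rw part of the module core or init image holds loc; the end address itself is outside the region */`. An address exactly at base + size was classified as inside before and is outside now, so relocation code that relied on the old inclusive test should be rechecked. Braces and blank lines are missing from this listing, so only the visible return expressions were reviewed.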
1700 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1703 /* align things a bit */
1704 - me->core_size = ALIGN(me->core_size, 16);
1705 - me->arch.got_offset = me->core_size;
1706 - me->core_size += gots * sizeof(struct got_entry);
1708 - me->core_size = ALIGN(me->core_size, 16);
1709 - me->arch.fdesc_offset = me->core_size;
1710 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1711 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1712 + me->arch.got_offset = me->core_size_rw;
1713 + me->core_size_rw += gots * sizeof(struct got_entry);
1715 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1716 + me->arch.fdesc_offset = me->core_size_rw;
1717 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1719 me->arch.got_max = gots;
1720 me->arch.fdesc_max = fdescs;
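Review bot: Nothing records that `arch.got_offset` and `arch.fdesc_offset` are now offsets into the writable core region, yet the later hunks in get_got(), get_fdesc() and register_unwind_table() depend on exactly that when they add them to `me->module_core_rw`. A comment above the first ALIGN, e.g. `/* GOT and fdesc tables are placed in the rw core region; both offsets are relative to module_core_rw */`, would keep the pairing visible. As far as these hunks show, the function descriptors therefore stay in writable memory after load; if that is intentional it deserves a sentence in the same comment. module_frob_arch_sections() starts and ends outside the hunk.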
1721 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1725 - got = me->module_core + me->arch.got_offset;
1726 + got = me->module_core_rw + me->arch.got_offset;
1727 for (i = 0; got[i].addr; i++)
1728 if (got[i].addr == value)
1730 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1732 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1734 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1735 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1738 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1739 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1741 /* Create new one */
1742 fdesc->addr = value;
1743 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1744 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1745 return (Elf_Addr)fdesc;
1747 #endif /* CONFIG_64BIT */
1748 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1750 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1751 end = table + sechdrs[me->arch.unwind_section].sh_size;
1752 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1753 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1755 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1756 me->arch.unwind_section, table, end, gp);
1757 diff -urNp linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c
1758 --- linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c 2010-08-26 19:47:12.000000000 -0400
1759 +++ linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c 2010-09-17 20:12:09.000000000 -0400
1760 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1761 /* At this point: (!vma || addr < vma->vm_end). */
1762 if (TASK_SIZE - len < addr)
1764 - if (!vma || addr + len <= vma->vm_start)
1765 + if (check_heap_stack_gap(vma, addr, len))
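Review bot: The removed condition accepted a NULL `vma` explicitly (`!vma || ...`), while the replacement hands `vma` straight to `check_heap_stack_gap()`, whose definition is not part of this chunk. Confirm that the helper returns true when no mapping lies above `addr`, and record the requirement at the call, e.g. `/* check_heap_stack_gap() must accept vma == NULL (nothing mapped above addr) */`. The identical replacement in get_shared_area() in the next hunk has the same dependency. Both loop bodies continue outside their hunks.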
1769 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1770 /* At this point: (!vma || addr < vma->vm_end). */
1771 if (TASK_SIZE - len < addr)
1773 - if (!vma || addr + len <= vma->vm_start)
1774 + if (check_heap_stack_gap(vma, addr, len))
1776 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1777 if (addr < vma->vm_end) /* handle wraparound */
1778 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1779 if (flags & MAP_FIXED)
1782 - addr = TASK_UNMAPPED_BASE;
1783 + addr = current->mm->mmap_base;
1786 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1787 diff -urNp linux-2.6.35.4/arch/parisc/kernel/traps.c linux-2.6.35.4/arch/parisc/kernel/traps.c
1788 --- linux-2.6.35.4/arch/parisc/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
1789 +++ linux-2.6.35.4/arch/parisc/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
1790 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1792 down_read(¤t->mm->mmap_sem);
1793 vma = find_vma(current->mm,regs->iaoq[0]);
1794 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1795 - && (vma->vm_flags & VM_EXEC)) {
1797 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1798 fault_address = regs->iaoq[0];
1799 fault_space = regs->iasq[0];
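Review bot: The `VM_EXEC` test is dropped for every configuration rather than only under `CONFIG_PAX_PAGEEXEC`, so a fetch trap on a non-executable mapping takes this branch on all builds. If that is intended (the fault.c part of the patch also adds code 7 to parisc_acctyp() unconditionally), say so in a comment such as `/* non-executable vmas are passed on as well; the page-fault path decides how to treat the fetch */`. The enclosing case and the code that consumes `fault_address` are outside the hunk, so the effect on a kernel built without the PaX options cannot be confirmed from here.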
1801 diff -urNp linux-2.6.35.4/arch/parisc/mm/fault.c linux-2.6.35.4/arch/parisc/mm/fault.c
1802 --- linux-2.6.35.4/arch/parisc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1803 +++ linux-2.6.35.4/arch/parisc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1805 #include <linux/sched.h>
1806 #include <linux/interrupt.h>
1807 #include <linux/module.h>
1808 +#include <linux/unistd.h>
1810 #include <asm/uaccess.h>
1811 #include <asm/traps.h>
1812 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1813 static unsigned long
1814 parisc_acctyp(unsigned long code, unsigned int inst)
1816 - if (code == 6 || code == 16)
1817 + if (code == 6 || code == 7 || code == 16)
1820 switch (inst & 0xf0000000) {
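Review bot: The interruption codes in `if (code == 6 || code == 7 || code == 16)` are bare literals, and the newly added 7 is the one the fetch-fault handling below depends on. A comment naming them would make the condition reviewable, e.g. `/* 6: ITLB miss, 7: instruction memory protection, 16: non-access ITLB miss */`; the names are given from memory of the PA-RISC trap table and should be verified against it. The statement executed when the test is true is not shown in this listing.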
1821 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1825 +#ifdef CONFIG_PAX_PAGEEXEC
1827 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1829 + * returns 1 when task should be killed
1830 + * 2 when rt_sigreturn trampoline was detected
1831 + * 3 when unpatched PLT trampoline was detected
1833 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1836 +#ifdef CONFIG_PAX_EMUPLT
1839 + do { /* PaX: unpatched PLT emulation */
1840 + unsigned int bl, depwi;
1842 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1843 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1848 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1849 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1851 + err = get_user(ldw, (unsigned int *)addr);
1852 + err |= get_user(bv, (unsigned int *)(addr+4));
1853 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1858 + if (ldw == 0x0E801096U &&
1859 + bv == 0xEAC0C000U &&
1860 + ldw2 == 0x0E881095U)
1862 + unsigned int resolver, map;
1864 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1865 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1869 + regs->gr[20] = instruction_pointer(regs)+8;
1870 + regs->gr[21] = map;
1871 + regs->gr[22] = resolver;
1872 + regs->iaoq[0] = resolver | 3UL;
1873 + regs->iaoq[1] = regs->iaoq[0] + 4;
1880 +#ifdef CONFIG_PAX_EMUTRAMP
1882 +#ifndef CONFIG_PAX_EMUSIGRT
1883 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1887 + do { /* PaX: rt_sigreturn emulation */
1888 + unsigned int ldi1, ldi2, bel, nop;
1890 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1891 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1892 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1893 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1898 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1899 + ldi2 == 0x3414015AU &&
1900 + bel == 0xE4008200U &&
1901 + nop == 0x08000240U)
1903 + regs->gr[25] = (ldi1 & 2) >> 1;
1904 + regs->gr[20] = __NR_rt_sigreturn;
1905 + regs->gr[31] = regs->iaoq[1] + 16;
1906 + regs->sr[0] = regs->iasq[1];
1907 + regs->iaoq[0] = 0x100UL;
1908 + regs->iaoq[1] = regs->iaoq[0] + 4;
1909 + regs->iasq[0] = regs->sr[2];
1910 + regs->iasq[1] = regs->sr[2];
1919 +void pax_report_insns(void *pc, void *sp)
1923 + printk(KERN_ERR "PAX: bytes at PC: ");
1924 + for (i = 0; i < 5; i++) {
1926 + if (get_user(c, (unsigned int *)pc+i))
1927 + printk(KERN_CONT "???????? ");
1929 + printk(KERN_CONT "%08x ", c);
1935 int fixup_exception(struct pt_regs *regs)
1937 const struct exception_table_entry *fix;
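Review bot: In the PLT emulation block `addr` is declared `unsigned int` together with the instruction words (`unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;`) and is then cast to a pointer for get_user(). On a 64-bit kernel that truncates the value and converts an integer to a pointer of a different size; declaring it separately as `unsigned long addr = instruction_pointer(regs) - 12;` avoids both. The user pointers passed to get_user() here and in pax_report_insns() are cast without the `__user` annotation (for example `(unsigned int __user *)pc + i`), which sparse will report. The `if (err)` tests, returns and braces are missing from this listing, so the error handling after each get_user() group was not reviewed.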
1938 @@ -192,8 +303,33 @@ good_area:
1940 acc_type = parisc_acctyp(code,regs->iir);
1942 - if ((vma->vm_flags & acc_type) != acc_type)
1943 + if ((vma->vm_flags & acc_type) != acc_type) {
1945 +#ifdef CONFIG_PAX_PAGEEXEC
1946 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1947 + (address & ~3UL) == instruction_pointer(regs))
1949 + up_read(&mm->mmap_sem);
1950 + switch (pax_handle_fetch_fault(regs)) {
1952 +#ifdef CONFIG_PAX_EMUPLT
1957 +#ifdef CONFIG_PAX_EMUTRAMP
1963 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1964 + do_group_exit(SIGKILL);
1972 * If for any reason at all we couldn't handle the fault, make
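Review bot: There is no comment explaining why `mmap_sem` is released before `pax_handle_fetch_fault(regs)` is called. The handler reads user memory with get_user(), which can itself fault, so the ordering is required and should be stated, e.g. `/* drop mmap_sem first: the handler uses get_user() and may fault */`. The case labels and their exits are not visible in this listing; every path that leaves through the switch must not release the semaphore a second time.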
1973 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/compat.h linux-2.6.35.4/arch/powerpc/include/asm/compat.h
1974 --- linux-2.6.35.4/arch/powerpc/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
1975 +++ linux-2.6.35.4/arch/powerpc/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
1976 @@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compa
1977 return (u32)(unsigned long)uptr;
1980 -static inline void __user *compat_alloc_user_space(long len)
1981 +static inline void __user *arch_compat_alloc_user_space(long len)
1983 struct pt_regs *regs = current->thread.regs;
1984 unsigned long usp = regs->gpr[1];
1985 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/device.h linux-2.6.35.4/arch/powerpc/include/asm/device.h
1986 --- linux-2.6.35.4/arch/powerpc/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1987 +++ linux-2.6.35.4/arch/powerpc/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1988 @@ -11,7 +11,7 @@ struct device_node;
1990 struct dev_archdata {
1991 /* DMA operations on that device */
1992 - struct dma_map_ops *dma_ops;
1993 + const struct dma_map_ops *dma_ops;
1996 * When an iommu is in use, dma_data is used as a ptr to the base of the
1997 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h
1998 --- linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1999 +++ linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
2000 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2002 * Available generic sets of operations
2004 +/* cannot be const */
2006 extern struct dma_map_ops dma_iommu_ops;
2008 -extern struct dma_map_ops dma_direct_ops;
2009 +extern const struct dma_map_ops dma_direct_ops;
2011 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2012 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2014 /* We don't handle the NULL dev case for ISA for now. We could
2015 * do it via an out of line call but it is not needed for now. The
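Review bot: The added comment `/* cannot be const */` on `dma_iommu_ops` does not say why, which makes this one writable table of function pointers look like an oversight among the constified ones. Name the code that writes to it, along the lines of `/* cannot be const: members are assigned at run time by <platform setup code> */` with the real writer filled in. The patch also makes dma_iommu_dma_supported() non-static in dma-iommu.c and declares it in iommu.h, which suggests some platform code builds on these ops, but that code is not in this chunk. get_dma_ops() continues outside the hunk.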
2016 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2017 return dev->archdata.dma_ops;
2020 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2021 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2023 dev->archdata.dma_ops = ops;
2025 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2027 static inline int dma_supported(struct device *dev, u64 mask)
2029 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2030 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2032 if (unlikely(dma_ops == NULL))
2034 @@ -129,7 +130,7 @@ static inline int dma_supported(struct d
2036 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2038 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2039 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2041 if (unlikely(dma_ops == NULL))
2043 @@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
2044 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2045 dma_addr_t *dma_handle, gfp_t flag)
2047 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2048 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2052 @@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
2053 static inline void dma_free_coherent(struct device *dev, size_t size,
2054 void *cpu_addr, dma_addr_t dma_handle)
2056 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2057 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2061 @@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
2063 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2065 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2066 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2068 if (dma_ops->mapping_error)
2069 return dma_ops->mapping_error(dev, dma_addr);
2070 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/elf.h linux-2.6.35.4/arch/powerpc/include/asm/elf.h
2071 --- linux-2.6.35.4/arch/powerpc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2072 +++ linux-2.6.35.4/arch/powerpc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
2073 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2074 the loader. We need to make sure that it is out of the way of the program
2075 that it will "exec", and that there is sufficient room for the brk. */
2077 -extern unsigned long randomize_et_dyn(unsigned long base);
2078 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2079 +#define ELF_ET_DYN_BASE (0x20000000)
2081 +#ifdef CONFIG_PAX_ASLR
2082 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2084 +#ifdef __powerpc64__
2085 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2086 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2088 +#define PAX_DELTA_MMAP_LEN 15
2089 +#define PAX_DELTA_STACK_LEN 15
2094 * Our registers are always unsigned longs, whether we're a 32 bit
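Review bot: With `CONFIG_PAX_ASLR` disabled this leaves `ELF_ET_DYN_BASE` at the fixed value `0x20000000`, because the `randomize_et_dyn()` call is removed unconditionally while the PaX replacement macros sit inside the `#ifdef`. The next hunk removes the `arch_randomize_brk` declaration and the process.c part deletes brk_rnd(), arch_randomize_brk() and randomize_et_dyn() in the same unconditional way. As far as these hunks show, a build without the PaX option loses the stock ET_DYN base and brk randomisation on powerpc. Either keep the original two lines under an `#else` (and the process.c functions with them), or document that address-space randomisation on this architecture now requires the PaX option.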
2095 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2096 (0x7ff >> (PAGE_SHIFT - 12)) : \
2097 (0x3ffff >> (PAGE_SHIFT - 12)))
2099 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2100 -#define arch_randomize_brk arch_randomize_brk
2102 #endif /* __KERNEL__ */
2105 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/iommu.h linux-2.6.35.4/arch/powerpc/include/asm/iommu.h
2106 --- linux-2.6.35.4/arch/powerpc/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
2107 +++ linux-2.6.35.4/arch/powerpc/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
2108 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2109 extern void iommu_init_early_dart(void);
2110 extern void iommu_init_early_pasemi(void);
2113 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2116 extern void pci_iommu_init(void);
2117 extern void pci_direct_iommu_init(void);
2118 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h
2119 --- linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
2120 +++ linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
2121 @@ -27,6 +27,7 @@ enum km_type {
2129 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/page_64.h linux-2.6.35.4/arch/powerpc/include/asm/page_64.h
2130 --- linux-2.6.35.4/arch/powerpc/include/asm/page_64.h 2010-08-26 19:47:12.000000000 -0400
2131 +++ linux-2.6.35.4/arch/powerpc/include/asm/page_64.h 2010-09-17 20:12:09.000000000 -0400
2132 @@ -172,15 +172,18 @@ do { \
2133 * stack by default, so in the absense of a PT_GNU_STACK program header
2134 * we turn execute permission off.
2136 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2137 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2138 +#define VM_STACK_DEFAULT_FLAGS32 \
2139 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2140 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2142 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2143 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2145 +#ifndef CONFIG_PAX_PAGEEXEC
2146 #define VM_STACK_DEFAULT_FLAGS \
2147 (test_thread_flag(TIF_32BIT) ? \
2148 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2151 #include <asm-generic/getorder.h>
2153 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/page.h linux-2.6.35.4/arch/powerpc/include/asm/page.h
2154 --- linux-2.6.35.4/arch/powerpc/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
2155 +++ linux-2.6.35.4/arch/powerpc/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
2156 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2157 * and needs to be executable. This means the whole heap ends
2158 * up being executable.
2160 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2161 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2162 +#define VM_DATA_DEFAULT_FLAGS32 \
2163 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2164 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2166 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2167 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
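Review bot: The comment above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which no longer holds now that `VM_EXEC` is set only when `current->personality & READ_IMPLIES_EXEC`. Update it to say that the data area is executable only for tasks with that personality bit, and confirm that binaries covered by the stated reason (something that "needs to be executable") actually get the bit. The macro also changes from a constant to an expression that dereferences `current`, as does `VM_STACK_DEFAULT_FLAGS32` in page_64.h, so it can no longer appear where a constant expression is required.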
2168 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2169 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2172 +#define ktla_ktva(addr) (addr)
2173 +#define ktva_ktla(addr) (addr)
2175 #ifndef __ASSEMBLY__
2177 #undef STRICT_MM_TYPECHECKS
2178 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/pci.h linux-2.6.35.4/arch/powerpc/include/asm/pci.h
2179 --- linux-2.6.35.4/arch/powerpc/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
2180 +++ linux-2.6.35.4/arch/powerpc/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
2181 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2185 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2186 -extern struct dma_map_ops *get_pci_dma_ops(void);
2187 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2188 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2189 #else /* CONFIG_PCI */
2190 #define set_pci_dma_ops(d)
2191 #define get_pci_dma_ops() NULL
2192 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h
2193 --- linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h 2010-08-26 19:47:12.000000000 -0400
2194 +++ linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h 2010-09-17 20:12:09.000000000 -0400
2196 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2197 #define _PAGE_USER 0x004 /* usermode access allowed */
2198 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2199 +#define _PAGE_EXEC _PAGE_GUARDED
2200 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2201 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2202 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
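Review bot: `_PAGE_EXEC` is the only definition in this block without a trailing comment, and it aliases the G bit instead of having a bit of its own. A reader cannot tell from `#define _PAGE_EXEC _PAGE_GUARDED` whether setting the bit permits or prevents instruction fetch, or what happens to mappings that set G for its documented purpose of prohibiting speculative access. Add a comment stating the polarity and the sharing, e.g. `/* PaX: shares the G bit; <set means ...> */` with the meaning filled in. The `DSISR_GUARDED` definition added to reg.h in this patch appears to be the matching fault indication.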
2203 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/reg.h linux-2.6.35.4/arch/powerpc/include/asm/reg.h
2204 --- linux-2.6.35.4/arch/powerpc/include/asm/reg.h 2010-08-26 19:47:12.000000000 -0400
2205 +++ linux-2.6.35.4/arch/powerpc/include/asm/reg.h 2010-09-17 20:12:09.000000000 -0400
2207 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2208 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2209 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2210 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2211 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2212 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2213 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2214 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h
2215 --- linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h 2010-08-26 19:47:12.000000000 -0400
2216 +++ linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h 2010-09-17 20:12:09.000000000 -0400
2219 #include <linux/swiotlb.h>
2221 -extern struct dma_map_ops swiotlb_dma_ops;
2222 +extern const struct dma_map_ops swiotlb_dma_ops;
2224 static inline void dma_mark_clean(void *addr, size_t size) {}
2226 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h
2227 --- linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
2228 +++ linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
2230 #define VERIFY_READ 0
2231 #define VERIFY_WRITE 1
2233 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2236 * The fs value determines whether argument validity checking should be
2237 * performed or not. If get_fs() == USER_DS, checking is performed, with
2238 @@ -327,52 +329,6 @@ do { \
2239 extern unsigned long __copy_tofrom_user(void __user *to,
2240 const void __user *from, unsigned long size);
2242 -#ifndef __powerpc64__
2244 -static inline unsigned long copy_from_user(void *to,
2245 - const void __user *from, unsigned long n)
2247 - unsigned long over;
2249 - if (access_ok(VERIFY_READ, from, n))
2250 - return __copy_tofrom_user((__force void __user *)to, from, n);
2251 - if ((unsigned long)from < TASK_SIZE) {
2252 - over = (unsigned long)from + n - TASK_SIZE;
2253 - return __copy_tofrom_user((__force void __user *)to, from,
2259 -static inline unsigned long copy_to_user(void __user *to,
2260 - const void *from, unsigned long n)
2262 - unsigned long over;
2264 - if (access_ok(VERIFY_WRITE, to, n))
2265 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2266 - if ((unsigned long)to < TASK_SIZE) {
2267 - over = (unsigned long)to + n - TASK_SIZE;
2268 - return __copy_tofrom_user(to, (__force void __user *)from,
2274 -#else /* __powerpc64__ */
2276 -#define __copy_in_user(to, from, size) \
2277 - __copy_tofrom_user((to), (from), (size))
2279 -extern unsigned long copy_from_user(void *to, const void __user *from,
2281 -extern unsigned long copy_to_user(void __user *to, const void *from,
2283 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2286 -#endif /* __powerpc64__ */
2288 static inline unsigned long __copy_from_user_inatomic(void *to,
2289 const void __user *from, unsigned long n)
2291 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2296 + if (!__builtin_constant_p(n))
2297 + check_object_size(to, n, false);
2299 return __copy_tofrom_user((__force void __user *)to, from, n);
2302 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2307 + if (!__builtin_constant_p(n))
2308 + check_object_size(from, n, true);
2310 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2313 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2314 return __copy_to_user_inatomic(to, from, size);
2317 +#ifndef __powerpc64__
2319 +static inline unsigned long __must_check copy_from_user(void *to,
2320 + const void __user *from, unsigned long n)
2322 + unsigned long over;
2327 + if (access_ok(VERIFY_READ, from, n)) {
2328 + if (!__builtin_constant_p(n))
2329 + check_object_size(to, n, false);
2330 + return __copy_tofrom_user((__force void __user *)to, from, n);
2332 + if ((unsigned long)from < TASK_SIZE) {
2333 + over = (unsigned long)from + n - TASK_SIZE;
2334 + if (!__builtin_constant_p(n - over))
2335 + check_object_size(to, n - over, false);
2336 + return __copy_tofrom_user((__force void __user *)to, from,
2342 +static inline unsigned long __must_check copy_to_user(void __user *to,
2343 + const void *from, unsigned long n)
2345 + unsigned long over;
2350 + if (access_ok(VERIFY_WRITE, to, n)) {
2351 + if (!__builtin_constant_p(n))
2352 + check_object_size(from, n, true);
2353 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2355 + if ((unsigned long)to < TASK_SIZE) {
2356 + over = (unsigned long)to + n - TASK_SIZE;
2357 + if (!__builtin_constant_p(n))
2358 + check_object_size(from, n - over, true);
2359 + return __copy_tofrom_user(to, (__force void __user *)from,
2365 +#else /* __powerpc64__ */
2367 +#define __copy_in_user(to, from, size) \
2368 + __copy_tofrom_user((to), (from), (size))
2370 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2372 + if ((long)n < 0 || n > INT_MAX)
2375 + if (!__builtin_constant_p(n))
2376 + check_object_size(to, n, false);
2378 + if (likely(access_ok(VERIFY_READ, from, n)))
2379 + n = __copy_from_user(to, from, n);
2385 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2387 + if ((long)n < 0 || n > INT_MAX)
2390 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2391 + if (!__builtin_constant_p(n))
2392 + check_object_size(from, n, true);
2393 + n = __copy_to_user(to, from, n);
2398 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2401 +#endif /* __powerpc64__ */
2403 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2405 static inline unsigned long clear_user(void __user *addr, unsigned long size)
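Review bot: The two 32-bit partial-copy branches guard the same call differently. copy_from_user() tests `__builtin_constant_p(n - over)` before `check_object_size(to, n - over, false)`, whereas copy_to_user() tests `__builtin_constant_p(n)` before `check_object_size(from, n - over, true)`, so for a compile-time-constant `n` only the copy_to_user() path skips the check. I would use `if (!__builtin_constant_p(n - over))` in both. In the 64-bit versions copy_from_user() calls check_object_size() before access_ok() and copy_to_user() calls it after, and `(long)n < 0` is already implied by `n > INT_MAX` for an unsigned long; pick one ordering and drop the redundant test. Returns, braces and the failure paths are missing from this listing, so the behaviour when access_ok() fails was not reviewed.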
2406 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma.c linux-2.6.35.4/arch/powerpc/kernel/dma.c
2407 --- linux-2.6.35.4/arch/powerpc/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
2408 +++ linux-2.6.35.4/arch/powerpc/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
2409 @@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2413 -struct dma_map_ops dma_direct_ops = {
2414 +const struct dma_map_ops dma_direct_ops = {
2415 .alloc_coherent = dma_direct_alloc_coherent,
2416 .free_coherent = dma_direct_free_coherent,
2417 .map_sg = dma_direct_map_sg,
2418 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c
2419 --- linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c 2010-08-26 19:47:12.000000000 -0400
2420 +++ linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c 2010-09-17 20:12:09.000000000 -0400
2421 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2424 /* We support DMA to/from any memory page via the iommu */
2425 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2426 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2428 struct iommu_table *tbl = get_iommu_table_base(dev);
2430 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c
2431 --- linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
2432 +++ linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
2433 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2434 * map_page, and unmap_page on highmem, use normal dma_ops
2435 * for everything else.
2437 -struct dma_map_ops swiotlb_dma_ops = {
2438 +const struct dma_map_ops swiotlb_dma_ops = {
2439 .alloc_coherent = dma_direct_alloc_coherent,
2440 .free_coherent = dma_direct_free_coherent,
2441 .map_sg = swiotlb_map_sg_attrs,
2442 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S
2443 --- linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S 2010-08-26 19:47:12.000000000 -0400
2444 +++ linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S 2010-09-17 20:12:09.000000000 -0400
2445 @@ -455,6 +455,7 @@ storage_fault_common:
2448 addi r3,r1,STACK_FRAME_OVERHEAD
2452 ld r14,PACA_EXGEN+EX_R14(r13)
2453 @@ -464,8 +465,7 @@ storage_fault_common:
2456 b .ret_from_except_lite
2460 addi r3,r1,STACK_FRAME_OVERHEAD
2463 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S
2464 --- linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S 2010-08-26 19:47:12.000000000 -0400
2465 +++ linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S 2010-09-17 20:12:09.000000000 -0400
2466 @@ -840,10 +840,10 @@ handle_page_fault:
2469 addi r3,r1,STACK_FRAME_OVERHEAD
2476 addi r3,r1,STACK_FRAME_OVERHEAD
2478 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c
2479 --- linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c 2010-08-26 19:47:12.000000000 -0400
2480 +++ linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c 2010-09-17 20:12:09.000000000 -0400
2481 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2485 -static struct dma_map_ops ibmebus_dma_ops = {
2486 +static const struct dma_map_ops ibmebus_dma_ops = {
2487 .alloc_coherent = ibmebus_alloc_coherent,
2488 .free_coherent = ibmebus_free_coherent,
2489 .map_sg = ibmebus_map_sg,
2490 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/kgdb.c linux-2.6.35.4/arch/powerpc/kernel/kgdb.c
2491 --- linux-2.6.35.4/arch/powerpc/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
2492 +++ linux-2.6.35.4/arch/powerpc/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
2493 @@ -128,7 +128,7 @@ static int kgdb_handle_breakpoint(struct
2494 if (kgdb_handle_exception(1, SIGTRAP, 0, regs) != 0)
2497 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2498 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2502 @@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
2506 -struct kgdb_arch arch_kgdb_ops = {
2507 +const struct kgdb_arch arch_kgdb_ops = {
2508 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2511 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/module_32.c linux-2.6.35.4/arch/powerpc/kernel/module_32.c
2512 --- linux-2.6.35.4/arch/powerpc/kernel/module_32.c 2010-08-26 19:47:12.000000000 -0400
2513 +++ linux-2.6.35.4/arch/powerpc/kernel/module_32.c 2010-09-17 20:12:09.000000000 -0400
2514 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2515 me->arch.core_plt_section = i;
2517 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2518 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2519 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
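Review bot: The reworded message is still printed without a log level, while the error added to do_plt_call() in the next hunk uses `KERN_ERR`. Make it `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);` so both load failures are logged at the same severity. module_frob_arch_sections() continues outside the hunk.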
2523 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2525 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2526 /* Init, or core PLT? */
2527 - if (location >= mod->module_core
2528 - && location < mod->module_core + mod->core_size)
2529 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2530 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2531 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2533 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2534 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2535 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2537 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2541 /* Find this entry, or if that fails, the next avail. entry */
2542 while (entry->jump[0]) {
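Review bot: The four open-coded range tests are hard to read and repeat what the parisc part of this patch wraps in in_core_rx(), in_core_rw(), in_init_rx() and in_init_rw(). Small static inline helpers of the same shape here would reduce each condition to one short line. The new `else` branch logs `invalid R_PPC_REL24 entry found`, but the value it returns is not visible in this listing, so check that the caller treats that value as a failure and never as a branch target. do_plt_call() continues past the end of the hunk.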
2543 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/module.c linux-2.6.35.4/arch/powerpc/kernel/module.c
2544 --- linux-2.6.35.4/arch/powerpc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
2545 +++ linux-2.6.35.4/arch/powerpc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
2548 LIST_HEAD(module_bug_list);
2550 +#ifdef CONFIG_PAX_KERNEXEC
2551 void *module_alloc(unsigned long size)
2556 + return vmalloc(size);
2559 +void *module_alloc_exec(unsigned long size)
2561 +void *module_alloc(unsigned long size)
2568 return vmalloc_exec(size);
2571 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2572 vfree(module_region);
2575 +#ifdef CONFIG_PAX_KERNEXEC
2576 +void module_free_exec(struct module *mod, void *module_region)
2578 + module_free(mod, module_region);
2582 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2583 const Elf_Shdr *sechdrs,
2585 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/pci-common.c linux-2.6.35.4/arch/powerpc/kernel/pci-common.c
2586 --- linux-2.6.35.4/arch/powerpc/kernel/pci-common.c 2010-08-26 19:47:12.000000000 -0400
2587 +++ linux-2.6.35.4/arch/powerpc/kernel/pci-common.c 2010-09-17 20:12:09.000000000 -0400
2588 @@ -51,14 +51,14 @@ resource_size_t isa_mem_base;
2589 unsigned int ppc_pci_flags = 0;
2592 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2593 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2595 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2596 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2598 pci_dma_ops = dma_ops;
2601 -struct dma_map_ops *get_pci_dma_ops(void)
2602 +const struct dma_map_ops *get_pci_dma_ops(void)
2606 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/process.c linux-2.6.35.4/arch/powerpc/kernel/process.c
2607 --- linux-2.6.35.4/arch/powerpc/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
2608 +++ linux-2.6.35.4/arch/powerpc/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
2609 @@ -1215,51 +1215,3 @@ unsigned long arch_align_stack(unsigned
2610 sp -= get_random_int() & ~PAGE_MASK;
2614 -static inline unsigned long brk_rnd(void)
2616 - unsigned long rnd = 0;
2618 - /* 8MB for 32bit, 1GB for 64bit */
2619 - if (is_32bit_task())
2620 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2622 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2624 - return rnd << PAGE_SHIFT;
2627 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2629 - unsigned long base = mm->brk;
2630 - unsigned long ret;
2632 -#ifdef CONFIG_PPC_STD_MMU_64
2634 - * If we are using 1TB segments and we are allowed to randomise
2635 - * the heap, we can put it above 1TB so it is backed by a 1TB
2636 - * segment. Otherwise the heap will be in the bottom 1TB
2637 - * which always uses 256MB segments and this may result in a
2638 - * performance penalty.
2640 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2641 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2644 - ret = PAGE_ALIGN(base + brk_rnd());
2646 - if (ret < mm->brk)
2652 -unsigned long randomize_et_dyn(unsigned long base)
2654 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2661 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/signal_32.c linux-2.6.35.4/arch/powerpc/kernel/signal_32.c
2662 --- linux-2.6.35.4/arch/powerpc/kernel/signal_32.c 2010-08-26 19:47:12.000000000 -0400
2663 +++ linux-2.6.35.4/arch/powerpc/kernel/signal_32.c 2010-09-17 20:12:09.000000000 -0400
2664 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2665 /* Save user registers on the stack */
2666 frame = &rt_sf->uc.uc_mcontext;
2668 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2669 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2670 if (save_user_regs(regs, frame, 0, 1))
2672 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
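Review bot: The "no vDSO" sentinel is written as a bare `~0UL` in the changed condition here, and the same literal is repeated in the signal_64.c hunk and in the `context.vdso_base = ~0UL` assignment in vdso.c, so the three sites agree only by convention. A single named constant in a shared header, for example `#define VDSO_BASE_NONE (~0UL)` (the name is only a suggestion), would keep them in step. Any other reader of `context.vdso_base` that still tests for zero would now treat the disabled state as a mapped vDSO and derive a trampoline address from it; no such reader is visible in this excerpt, so the remaining users need checking. handle_rt_signal32 continues outside the hunk.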
2673 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/signal_64.c linux-2.6.35.4/arch/powerpc/kernel/signal_64.c
2674 --- linux-2.6.35.4/arch/powerpc/kernel/signal_64.c 2010-08-26 19:47:12.000000000 -0400
2675 +++ linux-2.6.35.4/arch/powerpc/kernel/signal_64.c 2010-09-17 20:12:09.000000000 -0400
2676 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2677 current->thread.fpscr.val = 0;
2679 /* Set up to return from userspace. */
2680 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2681 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2682 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2684 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2685 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/vdso.c linux-2.6.35.4/arch/powerpc/kernel/vdso.c
2686 --- linux-2.6.35.4/arch/powerpc/kernel/vdso.c 2010-08-26 19:47:12.000000000 -0400
2687 +++ linux-2.6.35.4/arch/powerpc/kernel/vdso.c 2010-09-17 20:12:09.000000000 -0400
2689 #include <asm/firmware.h>
2690 #include <asm/vdso.h>
2691 #include <asm/vdso_datapage.h>
2692 +#include <asm/mman.h>
2696 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2697 vdso_base = VDSO32_MBASE;
2700 - current->mm->context.vdso_base = 0;
2701 + current->mm->context.vdso_base = ~0UL;
2703 /* vDSO has a problem and was disabled, just don't "enable" it for the
2705 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2706 vdso_base = get_unmapped_area(NULL, vdso_base,
2707 (vdso_pages << PAGE_SHIFT) +
2708 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2710 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2711 if (IS_ERR_VALUE(vdso_base)) {
2714 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/vio.c linux-2.6.35.4/arch/powerpc/kernel/vio.c
2715 --- linux-2.6.35.4/arch/powerpc/kernel/vio.c 2010-08-26 19:47:12.000000000 -0400
2716 +++ linux-2.6.35.4/arch/powerpc/kernel/vio.c 2010-09-17 20:12:09.000000000 -0400
2717 @@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
2718 vio_cmo_dealloc(viodev, alloc_size);
2721 -struct dma_map_ops vio_dma_mapping_ops = {
2722 +static const struct dma_map_ops vio_dma_mapping_ops = {
2723 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2724 .free_coherent = vio_dma_iommu_free_coherent,
2725 .map_sg = vio_dma_iommu_map_sg,
2726 .unmap_sg = vio_dma_iommu_unmap_sg,
2727 + .dma_supported = dma_iommu_dma_supported,
2728 .map_page = vio_dma_iommu_map_page,
2729 .unmap_page = vio_dma_iommu_unmap_page,
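Review bot: `.dma_supported` is now bound at build time to `dma_iommu_dma_supported`, whereas the line removed from vio_cmo_set_dma_ops in the next hunk copied whatever `dma_iommu_ops.dma_supported` held at run time. The two are equivalent only while `dma_iommu_ops` keeps using that function, and nothing in this hunk says so; a comment on the initializer such as `/* must match dma_iommu_ops.dma_supported */` would record the dependency. The added `static` also removes external linkage from `vio_dma_mapping_ops`, so it is worth confirming that no other file declares it `extern` (none is visible in this excerpt).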
2731 @@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
2733 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2735 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2736 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2739 diff -urNp linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c
2740 --- linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
2741 +++ linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
2743 #include <linux/module.h>
2744 #include <asm/uaccess.h>
2746 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2748 - if (likely(access_ok(VERIFY_READ, from, n)))
2749 - n = __copy_from_user(to, from, n);
2755 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2757 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2758 - n = __copy_to_user(to, from, n);
2762 unsigned long copy_in_user(void __user *to, const void __user *from,
2765 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2769 -EXPORT_SYMBOL(copy_from_user);
2770 -EXPORT_SYMBOL(copy_to_user);
2771 EXPORT_SYMBOL(copy_in_user);
2773 diff -urNp linux-2.6.35.4/arch/powerpc/mm/fault.c linux-2.6.35.4/arch/powerpc/mm/fault.c
2774 --- linux-2.6.35.4/arch/powerpc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
2775 +++ linux-2.6.35.4/arch/powerpc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
2777 #include <linux/kprobes.h>
2778 #include <linux/kdebug.h>
2779 #include <linux/perf_event.h>
2780 +#include <linux/slab.h>
2781 +#include <linux/pagemap.h>
2782 +#include <linux/compiler.h>
2783 +#include <linux/unistd.h>
2785 #include <asm/firmware.h>
2786 #include <asm/page.h>
2788 #include <asm/tlbflush.h>
2789 #include <asm/siginfo.h>
2790 #include <mm/mmu_decl.h>
2791 +#include <asm/ptrace.h>
2793 #ifdef CONFIG_KPROBES
2794 static inline int notify_page_fault(struct pt_regs *regs)
2795 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2799 +#ifdef CONFIG_PAX_PAGEEXEC
2801 + * PaX: decide what to do with offenders (regs->nip = fault address)
2803 + * returns 1 when task should be killed
2805 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2810 +void pax_report_insns(void *pc, void *sp)
2814 + printk(KERN_ERR "PAX: bytes at PC: ");
2815 + for (i = 0; i < 5; i++) {
2817 + if (get_user(c, (unsigned int __user *)pc+i))
2818 + printk(KERN_CONT "???????? ");
2820 + printk(KERN_CONT "%08x ", c);
2827 * Check whether the instruction at regs->nip is a store using
2828 * an update addressing form which will update r1.
2829 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2830 * indicate errors in DSISR but can validly be set in SRR1.
2833 - error_code &= 0x48200000;
2834 + error_code &= 0x58200000;
2836 is_write = error_code & DSISR_ISSTORE;
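Review bot: The mask on the changed line stays a raw literal, `0x58200000`, although the bit it adds is the one this patch names `DSISR_GUARDED` two hunks further down, where `error_code & 0x10000000` becomes `error_code & DSISR_GUARDED`. Writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` would make it clear that the guarded-storage bit is now kept on purpose, so the later `DSISR_PROTFAULT | DSISR_GUARDED` tests can see it. The comment above the mask (only partly visible in the hunk) should also say why this bit is preserved. do_page_fault continues outside the hunk.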
2838 @@ -257,7 +289,7 @@ good_area:
2839 * "undefined". Of those that can be set, this is the only
2840 * one which seems bad.
2842 - if (error_code & 0x10000000)
2843 + if (error_code & DSISR_GUARDED)
2844 /* Guarded storage error. */
2846 #endif /* CONFIG_8xx */
2847 @@ -272,7 +304,7 @@ good_area:
2848 * processors use the same I/D cache coherency mechanism
2851 - if (error_code & DSISR_PROTFAULT)
2852 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2854 #endif /* CONFIG_PPC_STD_MMU */
2856 @@ -341,6 +373,23 @@ bad_area:
2857 bad_area_nosemaphore:
2858 /* User mode accesses cause a SIGSEGV */
2859 if (user_mode(regs)) {
2861 +#ifdef CONFIG_PAX_PAGEEXEC
2862 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2863 +#ifdef CONFIG_PPC_STD_MMU
2864 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2866 + if (is_exec && regs->nip == address) {
2868 + switch (pax_handle_fetch_fault(regs)) {
2871 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2872 + do_group_exit(SIGKILL);
2877 _exception(SIGSEGV, regs, code, address);
2880 diff -urNp linux-2.6.35.4/arch/powerpc/mm/mmap_64.c linux-2.6.35.4/arch/powerpc/mm/mmap_64.c
2881 --- linux-2.6.35.4/arch/powerpc/mm/mmap_64.c 2010-08-26 19:47:12.000000000 -0400
2882 +++ linux-2.6.35.4/arch/powerpc/mm/mmap_64.c 2010-09-17 20:12:09.000000000 -0400
2883 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2885 if (mmap_is_legacy()) {
2886 mm->mmap_base = TASK_UNMAPPED_BASE;
2888 +#ifdef CONFIG_PAX_RANDMMAP
2889 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2890 + mm->mmap_base += mm->delta_mmap;
2893 mm->get_unmapped_area = arch_get_unmapped_area;
2894 mm->unmap_area = arch_unmap_area;
2896 mm->mmap_base = mmap_base();
2898 +#ifdef CONFIG_PAX_RANDMMAP
2899 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2900 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2903 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2904 mm->unmap_area = arch_unmap_area_topdown;
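Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is an unsigned subtraction with no lower bound checked in the hunk. It is safe only if the largest possible deltas stay well below what mmap_base() returns, and that bound is set elsewhere by the PAX_DELTA_*_LEN values. The same two added blocks appear in both arch_pick_mmap_layout hunks of arch/s390/mm/mmap.c. A comment on the subtraction, for example `/* PaX: relies on delta_mmap + delta_stack < mmap_base() */`, would record the invariant, along with the reason the legacy branch adds only `delta_mmap` while this one subtracts both. arch_pick_mmap_layout starts and ends outside the hunk.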
2906 diff -urNp linux-2.6.35.4/arch/powerpc/mm/slice.c linux-2.6.35.4/arch/powerpc/mm/slice.c
2907 --- linux-2.6.35.4/arch/powerpc/mm/slice.c 2010-08-26 19:47:12.000000000 -0400
2908 +++ linux-2.6.35.4/arch/powerpc/mm/slice.c 2010-09-17 20:12:09.000000000 -0400
2909 @@ -98,10 +98,9 @@ static int slice_area_is_free(struct mm_
2910 if ((mm->task_size - len) < addr)
2912 vma = find_vma(mm, addr);
2913 - return (!vma || (addr + len) <= vma->vm_start);
2914 + return check_heap_stack_gap(vma, addr, len);
2917 -static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2919 return !slice_area_is_free(mm, slice << SLICE_LOW_SHIFT,
2920 1ul << SLICE_LOW_SHIFT);
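Review bot: `check_heap_stack_gap(vma, addr, len)` replaces the open-coded `!vma || (addr + len) <= vma->vm_start` in slice_area_is_free, in the three later hunks of this file and in arch/sh/mm/mmap.c, but its definition is not part of this excerpt. Every converted site therefore depends on it accepting a NULL `vma` and returning non-zero when the range is free. The sh top-down call passes `addr - len`, so the second argument is the start of the candidate range rather than its end. A kernel-doc comment on the helper should state these three points (NULL handling, return convention, start-address argument), because a caller that gets one wrong ends up placing a mapping next to the stack without the intended gap.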
2921 @@ -256,7 +255,7 @@ full_search:
2922 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2925 - if (!vma || addr + len <= vma->vm_start) {
2926 + if (check_heap_stack_gap(vma, addr, len)) {
2928 * Remember the place where we stopped the search:
2930 @@ -336,7 +335,7 @@ static unsigned long slice_find_area_top
2931 * return with success:
2933 vma = find_vma(mm, addr);
2934 - if (!vma || (addr + len) <= vma->vm_start) {
2935 + if (check_heap_stack_gap(vma, addr, len)) {
2936 /* remember the address as a hint for next time */
2938 mm->free_area_cache = addr;
2939 @@ -426,6 +425,11 @@ unsigned long slice_get_unmapped_area(un
2940 if (fixed && addr > (mm->task_size - len))
2943 +#ifdef CONFIG_PAX_RANDMMAP
2944 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2948 /* If hint, make sure it matches our alignment restrictions */
2949 if (!fixed && addr) {
2950 addr = _ALIGN_UP(addr, 1ul << pshift);
2951 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c
2952 --- linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-08-26 19:47:12.000000000 -0400
2953 +++ linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-09-17 20:12:09.000000000 -0400
2954 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2955 lite5200_pm_target_state = PM_SUSPEND_ON;
2958 -static struct platform_suspend_ops lite5200_pm_ops = {
2959 +static const struct platform_suspend_ops lite5200_pm_ops = {
2960 .valid = lite5200_pm_valid,
2961 .begin = lite5200_pm_begin,
2962 .prepare = lite5200_pm_prepare,
2963 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2964 --- linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-08-26 19:47:12.000000000 -0400
2965 +++ linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-09-17 20:12:09.000000000 -0400
2966 @@ -189,7 +189,7 @@ void mpc52xx_pm_finish(void)
2970 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2971 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2972 .valid = mpc52xx_pm_valid,
2973 .prepare = mpc52xx_pm_prepare,
2974 .enter = mpc52xx_pm_enter,
2975 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c
2976 --- linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c 2010-08-26 19:47:12.000000000 -0400
2977 +++ linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c 2010-09-17 20:12:09.000000000 -0400
2978 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2982 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2983 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2984 .valid = mpc83xx_suspend_valid,
2985 .begin = mpc83xx_suspend_begin,
2986 .enter = mpc83xx_suspend_enter,
2987 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c
2988 --- linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c 2010-08-26 19:47:12.000000000 -0400
2989 +++ linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c 2010-09-17 20:12:09.000000000 -0400
2990 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2992 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2994 -struct dma_map_ops dma_iommu_fixed_ops = {
2995 +const struct dma_map_ops dma_iommu_fixed_ops = {
2996 .alloc_coherent = dma_fixed_alloc_coherent,
2997 .free_coherent = dma_fixed_free_coherent,
2998 .map_sg = dma_fixed_map_sg,
2999 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c
3000 --- linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c 2010-08-26 19:47:12.000000000 -0400
3001 +++ linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c 2010-09-17 20:12:09.000000000 -0400
3002 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3003 return mask >= DMA_BIT_MASK(32);
3006 -static struct dma_map_ops ps3_sb_dma_ops = {
3007 +static const struct dma_map_ops ps3_sb_dma_ops = {
3008 .alloc_coherent = ps3_alloc_coherent,
3009 .free_coherent = ps3_free_coherent,
3010 .map_sg = ps3_sb_map_sg,
3011 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3012 .unmap_page = ps3_unmap_page,
3015 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3016 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3017 .alloc_coherent = ps3_alloc_coherent,
3018 .free_coherent = ps3_free_coherent,
3019 .map_sg = ps3_ioc0_map_sg,
3020 diff -urNp linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c
3021 --- linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c 2010-08-26 19:47:12.000000000 -0400
3022 +++ linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c 2010-09-17 20:12:09.000000000 -0400
3023 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
3027 -static struct platform_suspend_ops pmc_suspend_ops = {
3028 +static const struct platform_suspend_ops pmc_suspend_ops = {
3029 .valid = pmc_suspend_valid,
3030 .enter = pmc_suspend_enter,
3032 diff -urNp linux-2.6.35.4/arch/s390/include/asm/compat.h linux-2.6.35.4/arch/s390/include/asm/compat.h
3033 --- linux-2.6.35.4/arch/s390/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
3034 +++ linux-2.6.35.4/arch/s390/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
3035 @@ -181,7 +181,7 @@ static inline int is_compat_task(void)
3039 -static inline void __user *compat_alloc_user_space(long len)
3040 +static inline void __user *arch_compat_alloc_user_space(long len)
3042 unsigned long stack;
3044 diff -urNp linux-2.6.35.4/arch/s390/include/asm/elf.h linux-2.6.35.4/arch/s390/include/asm/elf.h
3045 --- linux-2.6.35.4/arch/s390/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
3046 +++ linux-2.6.35.4/arch/s390/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
3047 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
3048 that it will "exec", and that there is sufficient room for the brk. */
3049 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3051 +#ifdef CONFIG_PAX_ASLR
3052 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3054 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3055 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3058 /* This yields a mask that user programs can use to figure out what
3059 instruction set this CPU supports. */
3061 diff -urNp linux-2.6.35.4/arch/s390/include/asm/uaccess.h linux-2.6.35.4/arch/s390/include/asm/uaccess.h
3062 --- linux-2.6.35.4/arch/s390/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3063 +++ linux-2.6.35.4/arch/s390/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3064 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3065 copy_to_user(void __user *to, const void *from, unsigned long n)
3072 if (access_ok(VERIFY_WRITE, to, n))
3073 n = __copy_to_user(to, from, n);
3075 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3076 static inline unsigned long __must_check
3077 __copy_from_user(void *to, const void __user *from, unsigned long n)
3082 if (__builtin_constant_p(n) && (n <= 256))
3083 return uaccess.copy_from_user_small(n, from, to);
3085 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3086 unsigned int sz = __compiletime_object_size(to);
3093 if (unlikely(sz != -1 && sz < n)) {
3094 copy_from_user_overflow();
3096 diff -urNp linux-2.6.35.4/arch/s390/Kconfig linux-2.6.35.4/arch/s390/Kconfig
3097 --- linux-2.6.35.4/arch/s390/Kconfig 2010-08-26 19:47:12.000000000 -0400
3098 +++ linux-2.6.35.4/arch/s390/Kconfig 2010-09-17 20:12:09.000000000 -0400
3099 @@ -230,13 +230,12 @@ config AUDIT_ARCH
3101 config S390_EXEC_PROTECT
3102 bool "Data execute protection"
3105 This option allows to enable a buffer overflow protection for user
3106 - space programs and it also selects the addressing mode option above.
3107 - The kernel parameter noexec=on will enable this feature and also
3108 - switch the addressing modes, default is disabled. Enabling this (via
3109 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3110 - will reduce system performance.
3112 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3113 + reduce system performance.
3115 comment "Code generation options"
3117 diff -urNp linux-2.6.35.4/arch/s390/kernel/module.c linux-2.6.35.4/arch/s390/kernel/module.c
3118 --- linux-2.6.35.4/arch/s390/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
3119 +++ linux-2.6.35.4/arch/s390/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
3120 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3122 /* Increase core size by size of got & plt and set start
3123 offsets for got and plt. */
3124 - me->core_size = ALIGN(me->core_size, 4);
3125 - me->arch.got_offset = me->core_size;
3126 - me->core_size += me->arch.got_size;
3127 - me->arch.plt_offset = me->core_size;
3128 - me->core_size += me->arch.plt_size;
3129 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3130 + me->arch.got_offset = me->core_size_rw;
3131 + me->core_size_rw += me->arch.got_size;
3132 + me->arch.plt_offset = me->core_size_rx;
3133 + me->core_size_rx += me->arch.plt_size;
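Review bot: `me->arch.plt_offset = me->core_size_rx;` places the PLT at whatever size the RX region has reached, while the removed code aligned `core_size` to 4 before laying out the GOT and the PLT that followed it. Only `core_size_rw` is aligned now, so unless `core_size_rx` is already aligned by the caller (not visible here), the PLT stubs written later in apply_rela via `ip[0] = ...` could start at an unaligned offset. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment restores the old guarantee. module_frob_arch_sections continues outside the hunk.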
3137 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3138 if (info->got_initialized == 0) {
3141 - gotent = me->module_core + me->arch.got_offset +
3142 + gotent = me->module_core_rw + me->arch.got_offset +
3145 info->got_initialized = 1;
3146 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3147 else if (r_type == R_390_GOTENT ||
3148 r_type == R_390_GOTPLTENT)
3149 *(unsigned int *) loc =
3150 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3151 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3152 else if (r_type == R_390_GOT64 ||
3153 r_type == R_390_GOTPLT64)
3154 *(unsigned long *) loc = val;
3155 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3156 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3157 if (info->plt_initialized == 0) {
3159 - ip = me->module_core + me->arch.plt_offset +
3160 + ip = me->module_core_rx + me->arch.plt_offset +
3162 #ifndef CONFIG_64BIT
3163 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3164 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3165 val - loc + 0xffffUL < 0x1ffffeUL) ||
3166 (r_type == R_390_PLT32DBL &&
3167 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3168 - val = (Elf_Addr) me->module_core +
3169 + val = (Elf_Addr) me->module_core_rx +
3170 me->arch.plt_offset +
3172 val += rela->r_addend - loc;
3173 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3174 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3175 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3176 val = val + rela->r_addend -
3177 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3178 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3179 if (r_type == R_390_GOTOFF16)
3180 *(unsigned short *) loc = val;
3181 else if (r_type == R_390_GOTOFF32)
3182 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3184 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3185 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3186 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3187 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3188 rela->r_addend - loc;
3189 if (r_type == R_390_GOTPC)
3190 *(unsigned int *) loc = val;
3191 diff -urNp linux-2.6.35.4/arch/s390/kernel/setup.c linux-2.6.35.4/arch/s390/kernel/setup.c
3192 --- linux-2.6.35.4/arch/s390/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
3193 +++ linux-2.6.35.4/arch/s390/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
3194 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3196 early_param("mem", early_parse_mem);
3198 -unsigned int user_mode = HOME_SPACE_MODE;
3199 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3200 EXPORT_SYMBOL_GPL(user_mode);
3202 static int set_amode_and_uaccess(unsigned long user_amode,
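Review bot: A boot line that still carries `noexec=off` or `switch_amode` will no longer change anything, because the default becomes `SECONDARY_SPACE_MODE` here and the next two hunks remove the `switch_amode` and `noexec` early parameters; nothing in the visible code reports that. The `user_mode=` parser (early_parse_user_mode) is left in place, so the address-space mode still appears selectable at boot. If the intent is that execute protection cannot be switched off from the command line, that parser needs the same treatment or a comment explaining why it stays. The kernel-parameters documentation should drop the two removed options in the same change.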
3203 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3208 - * Switch kernel/user addressing modes?
3210 -static int __init early_parse_switch_amode(char *p)
3212 - if (user_mode != SECONDARY_SPACE_MODE)
3213 - user_mode = PRIMARY_SPACE_MODE;
3216 -early_param("switch_amode", early_parse_switch_amode);
3218 static int __init early_parse_user_mode(char *p)
3220 if (p && strcmp(p, "primary") == 0)
3221 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3223 early_param("user_mode", early_parse_user_mode);
3225 -#ifdef CONFIG_S390_EXEC_PROTECT
3227 - * Enable execute protection?
3229 -static int __init early_parse_noexec(char *p)
3231 - if (!strncmp(p, "off", 3))
3233 - user_mode = SECONDARY_SPACE_MODE;
3236 -early_param("noexec", early_parse_noexec);
3237 -#endif /* CONFIG_S390_EXEC_PROTECT */
3239 static void setup_addressing_mode(void)
3241 if (user_mode == SECONDARY_SPACE_MODE) {
3242 diff -urNp linux-2.6.35.4/arch/s390/mm/maccess.c linux-2.6.35.4/arch/s390/mm/maccess.c
3243 --- linux-2.6.35.4/arch/s390/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
3244 +++ linux-2.6.35.4/arch/s390/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
3245 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3246 return rc ? rc : count;
3249 -long probe_kernel_write(void *dst, void *src, size_t size)
3250 +long probe_kernel_write(void *dst, const void *src, size_t size)
3254 diff -urNp linux-2.6.35.4/arch/s390/mm/mmap.c linux-2.6.35.4/arch/s390/mm/mmap.c
3255 --- linux-2.6.35.4/arch/s390/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3256 +++ linux-2.6.35.4/arch/s390/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3257 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3259 if (mmap_is_legacy()) {
3260 mm->mmap_base = TASK_UNMAPPED_BASE;
3262 +#ifdef CONFIG_PAX_RANDMMAP
3263 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3264 + mm->mmap_base += mm->delta_mmap;
3267 mm->get_unmapped_area = arch_get_unmapped_area;
3268 mm->unmap_area = arch_unmap_area;
3270 mm->mmap_base = mmap_base();
3272 +#ifdef CONFIG_PAX_RANDMMAP
3273 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3274 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3277 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3278 mm->unmap_area = arch_unmap_area_topdown;
3280 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3282 if (mmap_is_legacy()) {
3283 mm->mmap_base = TASK_UNMAPPED_BASE;
3285 +#ifdef CONFIG_PAX_RANDMMAP
3286 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3287 + mm->mmap_base += mm->delta_mmap;
3290 mm->get_unmapped_area = s390_get_unmapped_area;
3291 mm->unmap_area = arch_unmap_area;
3293 mm->mmap_base = mmap_base();
3295 +#ifdef CONFIG_PAX_RANDMMAP
3296 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3297 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3300 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3301 mm->unmap_area = arch_unmap_area_topdown;
3303 diff -urNp linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c
3304 --- linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c 2010-08-26 19:47:12.000000000 -0400
3305 +++ linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c 2010-09-17 20:12:09.000000000 -0400
3306 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3310 -static struct platform_suspend_ops hp6x0_pm_ops = {
3311 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3312 .enter = hp6x0_pm_enter,
3313 .valid = suspend_valid_only_mem,
3315 diff -urNp linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h
3316 --- linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3317 +++ linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3319 #ifndef __ASM_SH_DMA_MAPPING_H
3320 #define __ASM_SH_DMA_MAPPING_H
3322 -extern struct dma_map_ops *dma_ops;
3323 +extern const struct dma_map_ops *dma_ops;
3324 extern void no_iommu_init(void);
3326 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3327 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3331 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3333 static inline int dma_supported(struct device *dev, u64 mask)
3335 - struct dma_map_ops *ops = get_dma_ops(dev);
3336 + const struct dma_map_ops *ops = get_dma_ops(dev);
3338 if (ops->dma_supported)
3339 return ops->dma_supported(dev, mask);
3340 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3342 static inline int dma_set_mask(struct device *dev, u64 mask)
3344 - struct dma_map_ops *ops = get_dma_ops(dev);
3345 + const struct dma_map_ops *ops = get_dma_ops(dev);
3347 if (!dev->dma_mask || !dma_supported(dev, mask))
3349 @@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
3351 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3353 - struct dma_map_ops *ops = get_dma_ops(dev);
3354 + const struct dma_map_ops *ops = get_dma_ops(dev);
3356 if (ops->mapping_error)
3357 return ops->mapping_error(dev, dma_addr);
3358 @@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
3359 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3360 dma_addr_t *dma_handle, gfp_t gfp)
3362 - struct dma_map_ops *ops = get_dma_ops(dev);
3363 + const struct dma_map_ops *ops = get_dma_ops(dev);
3366 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3367 @@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3368 static inline void dma_free_coherent(struct device *dev, size_t size,
3369 void *vaddr, dma_addr_t dma_handle)
3371 - struct dma_map_ops *ops = get_dma_ops(dev);
3372 + const struct dma_map_ops *ops = get_dma_ops(dev);
3374 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3376 diff -urNp linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c
3377 --- linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c 2010-08-26 19:47:12.000000000 -0400
3378 +++ linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c 2010-09-17 20:12:09.000000000 -0400
3379 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3383 -static struct platform_suspend_ops sh_pm_ops = {
3384 +static const struct platform_suspend_ops sh_pm_ops = {
3385 .enter = sh_pm_enter,
3386 .valid = suspend_valid_only_mem,
3388 diff -urNp linux-2.6.35.4/arch/sh/kernel/dma-nommu.c linux-2.6.35.4/arch/sh/kernel/dma-nommu.c
3389 --- linux-2.6.35.4/arch/sh/kernel/dma-nommu.c 2010-08-26 19:47:12.000000000 -0400
3390 +++ linux-2.6.35.4/arch/sh/kernel/dma-nommu.c 2010-09-17 20:12:09.000000000 -0400
3391 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3395 -struct dma_map_ops nommu_dma_ops = {
3396 +const struct dma_map_ops nommu_dma_ops = {
3397 .alloc_coherent = dma_generic_alloc_coherent,
3398 .free_coherent = dma_generic_free_coherent,
3399 .map_page = nommu_map_page,
3400 diff -urNp linux-2.6.35.4/arch/sh/kernel/kgdb.c linux-2.6.35.4/arch/sh/kernel/kgdb.c
3401 --- linux-2.6.35.4/arch/sh/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
3402 +++ linux-2.6.35.4/arch/sh/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
3403 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3404 unregister_die_notifier(&kgdb_notifier);
3407 -struct kgdb_arch arch_kgdb_ops = {
3408 +const struct kgdb_arch arch_kgdb_ops = {
3409 /* Breakpoint instruction: trapa #0x3c */
3410 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3411 .gdb_bpt_instr = { 0x3c, 0xc3 },
3412 diff -urNp linux-2.6.35.4/arch/sh/mm/consistent.c linux-2.6.35.4/arch/sh/mm/consistent.c
3413 --- linux-2.6.35.4/arch/sh/mm/consistent.c 2010-08-26 19:47:12.000000000 -0400
3414 +++ linux-2.6.35.4/arch/sh/mm/consistent.c 2010-09-17 20:12:09.000000000 -0400
3417 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3419 -struct dma_map_ops *dma_ops;
3420 +const struct dma_map_ops *dma_ops;
3421 EXPORT_SYMBOL(dma_ops);
3423 static int __init dma_init(void)
3424 diff -urNp linux-2.6.35.4/arch/sh/mm/mmap.c linux-2.6.35.4/arch/sh/mm/mmap.c
3425 --- linux-2.6.35.4/arch/sh/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3426 +++ linux-2.6.35.4/arch/sh/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3427 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3428 addr = PAGE_ALIGN(addr);
3430 vma = find_vma(mm, addr);
3431 - if (TASK_SIZE - len >= addr &&
3432 - (!vma || addr + len <= vma->vm_start))
3433 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3437 @@ -106,7 +105,7 @@ full_search:
3441 - if (likely(!vma || addr + len <= vma->vm_start)) {
3442 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3444 * Remember the place where we stopped the search:
3446 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3447 addr = PAGE_ALIGN(addr);
3449 vma = find_vma(mm, addr);
3450 - if (TASK_SIZE - len >= addr &&
3451 - (!vma || addr + len <= vma->vm_start))
3452 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3456 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3457 /* make sure it can fit in the remaining address space */
3458 if (likely(addr > len)) {
3459 vma = find_vma(mm, addr-len);
3460 - if (!vma || addr <= vma->vm_start) {
3461 + if (check_heap_stack_gap(vma, addr - len, len)) {
3462 /* remember the address as a hint for next time */
3463 return (mm->free_area_cache = addr-len);
3465 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3466 * return with success:
3468 vma = find_vma(mm, addr);
3469 - if (likely(!vma || addr+len <= vma->vm_start)) {
3470 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3471 /* remember the address as a hint for next time */
3472 return (mm->free_area_cache = addr);
3474 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h
3475 --- linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h 2010-08-26 19:47:12.000000000 -0400
3476 +++ linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h 2010-09-17 20:12:09.000000000 -0400
3478 #define ATOMIC64_INIT(i) { (i) }
3480 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3481 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3483 + return v->counter;
3485 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3486 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3488 + return v->counter;
3491 #define atomic_set(v, i) (((v)->counter) = i)
3492 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3496 #define atomic64_set(v, i) (((v)->counter) = i)
3497 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3502 extern void atomic_add(int, atomic_t *);
3503 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3504 extern void atomic64_add(long, atomic64_t *);
3505 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3506 extern void atomic_sub(int, atomic_t *);
3507 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3508 extern void atomic64_sub(long, atomic64_t *);
3509 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3511 extern int atomic_add_ret(int, atomic_t *);
3512 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3513 extern long atomic64_add_ret(long, atomic64_t *);
3514 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3515 extern int atomic_sub_ret(int, atomic_t *);
3516 extern long atomic64_sub_ret(long, atomic64_t *);
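Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` as a plain load, while the `atomic_read` and `atomic64_read` macros directly above them read through a `volatile` cast. Unless `atomic_unchecked_t` and `atomic64_unchecked_t` declare `counter` as volatile (their definitions are not in this hunk), the compiler is free to cache or hoist the unchecked read in a polling loop. Keeping the two variants equivalent would mean `return *(volatile const int *)&v->counter;` here and `return *(volatile const long *)&v->counter;` in the 64-bit helper.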
3518 @@ -33,7 +55,15 @@ extern long atomic64_sub_ret(long, atomi
3519 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3521 #define atomic_inc_return(v) atomic_add_ret(1, v)
3522 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3524 + return atomic_add_ret_unchecked(1, v);
3526 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3527 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3529 + return atomic64_add_ret_unchecked(1, v);
3532 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3533 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3534 @@ -59,10 +89,26 @@ extern long atomic64_sub_ret(long, atomi
3535 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3537 #define atomic_inc(v) atomic_add(1, v)
3538 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3540 + atomic_add_unchecked(1, v);
3542 #define atomic64_inc(v) atomic64_add(1, v)
3543 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3545 + atomic64_add_unchecked(1, v);
3548 #define atomic_dec(v) atomic_sub(1, v)
3549 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3551 + atomic_sub_unchecked(1, v);
3553 #define atomic64_dec(v) atomic64_sub(1, v)
3554 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3556 + atomic64_sub_unchecked(1, v);
3559 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3560 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3561 @@ -72,17 +118,28 @@ extern long atomic64_sub_ret(long, atomi
3563 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3569 - if (unlikely(c == (u)))
3570 + if (unlikely(c == u))
3572 - old = atomic_cmpxchg((v), c, c + (a));
3574 + asm volatile("addcc %2, %0, %0\n"
3576 +#ifdef CONFIG_PAX_REFCOUNT
3581 + : "0" (c), "ir" (a)
3584 + old = atomic_cmpxchg(v, c, new);
3585 if (likely(old == c))
3593 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3594 @@ -93,17 +150,28 @@ static inline int atomic_add_unless(atom
3596 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3600 c = atomic64_read(v);
3602 - if (unlikely(c == (u)))
3603 + if (unlikely(c == u))
3605 - old = atomic64_cmpxchg((v), c, c + (a));
3607 + asm volatile("addcc %2, %0, %0\n"
3609 +#ifdef CONFIG_PAX_REFCOUNT
3614 + : "0" (c), "ir" (a)
3617 + old = atomic64_cmpxchg(v, c, new);
3618 if (likely(old == c))
3626 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3627 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/compat.h linux-2.6.35.4/arch/sparc/include/asm/compat.h
3628 --- linux-2.6.35.4/arch/sparc/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
3629 +++ linux-2.6.35.4/arch/sparc/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
3630 @@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compa
3631 return (u32)(unsigned long)uptr;
3634 -static inline void __user *compat_alloc_user_space(long len)
3635 +static inline void __user *arch_compat_alloc_user_space(long len)
3637 struct pt_regs *regs = current_thread_info()->kregs;
3638 unsigned long usp = regs->u_regs[UREG_I6];
3639 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h
3640 --- linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3641 +++ linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3642 @@ -13,10 +13,10 @@ extern int dma_supported(struct device *
3643 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3644 #define dma_is_consistent(d, h) (1)
3646 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3647 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3648 extern struct bus_type pci_bus_type;
3650 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3651 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3653 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3654 if (dev->bus == &pci_bus_type)
3655 @@ -30,7 +30,7 @@ static inline struct dma_map_ops *get_dm
3656 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3657 dma_addr_t *dma_handle, gfp_t flag)
3659 - struct dma_map_ops *ops = get_dma_ops(dev);
3660 + const struct dma_map_ops *ops = get_dma_ops(dev);
3663 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3664 @@ -41,7 +41,7 @@ static inline void *dma_alloc_coherent(s
3665 static inline void dma_free_coherent(struct device *dev, size_t size,
3666 void *cpu_addr, dma_addr_t dma_handle)
3668 - struct dma_map_ops *ops = get_dma_ops(dev);
3669 + const struct dma_map_ops *ops = get_dma_ops(dev);
3671 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3672 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3673 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/elf_32.h linux-2.6.35.4/arch/sparc/include/asm/elf_32.h
3674 --- linux-2.6.35.4/arch/sparc/include/asm/elf_32.h 2010-08-26 19:47:12.000000000 -0400
3675 +++ linux-2.6.35.4/arch/sparc/include/asm/elf_32.h 2010-09-17 20:12:09.000000000 -0400
3676 @@ -114,6 +114,13 @@ typedef struct {
3678 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3680 +#ifdef CONFIG_PAX_ASLR
3681 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3683 +#define PAX_DELTA_MMAP_LEN 16
3684 +#define PAX_DELTA_STACK_LEN 16
3687 /* This yields a mask that user programs can use to figure out what
3688 instruction set this cpu supports. This can NOT be done in userspace
3690 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/elf_64.h linux-2.6.35.4/arch/sparc/include/asm/elf_64.h
3691 --- linux-2.6.35.4/arch/sparc/include/asm/elf_64.h 2010-08-26 19:47:12.000000000 -0400
3692 +++ linux-2.6.35.4/arch/sparc/include/asm/elf_64.h 2010-09-17 20:12:09.000000000 -0400
3693 @@ -162,6 +162,12 @@ typedef struct {
3694 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3695 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3697 +#ifdef CONFIG_PAX_ASLR
3698 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3700 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3701 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3704 /* This yields a mask that user programs can use to figure out what
3705 instruction set this cpu supports. */
3706 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h
3707 --- linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
3708 +++ linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
3709 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3710 BTFIXUPDEF_INT(page_none)
3711 BTFIXUPDEF_INT(page_copy)
3712 BTFIXUPDEF_INT(page_readonly)
3714 +#ifdef CONFIG_PAX_PAGEEXEC
3715 +BTFIXUPDEF_INT(page_shared_noexec)
3716 +BTFIXUPDEF_INT(page_copy_noexec)
3717 +BTFIXUPDEF_INT(page_readonly_noexec)
3720 BTFIXUPDEF_INT(page_kernel)
3722 #define PMD_SHIFT SUN4C_PMD_SHIFT
3723 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3724 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3725 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3727 +#ifdef CONFIG_PAX_PAGEEXEC
3728 +extern pgprot_t PAGE_SHARED_NOEXEC;
3729 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3730 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3732 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3733 +# define PAGE_COPY_NOEXEC PAGE_COPY
3734 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3737 extern unsigned long page_kernel;
3740 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h
3741 --- linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h 2010-08-26 19:47:12.000000000 -0400
3742 +++ linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h 2010-09-17 20:12:09.000000000 -0400
3743 @@ -115,6 +115,13 @@
3744 SRMMU_EXEC | SRMMU_REF)
3745 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3746 SRMMU_EXEC | SRMMU_REF)
3748 +#ifdef CONFIG_PAX_PAGEEXEC
3749 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3750 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3751 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3754 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3755 SRMMU_DIRTY | SRMMU_REF)
3757 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h
3758 --- linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h 2010-08-26 19:47:12.000000000 -0400
3759 +++ linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h 2010-09-17 20:12:09.000000000 -0400
3760 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3761 __asm__ __volatile__ (
3762 "1: ldsw [%2], %0\n"
3764 -"4: add %0, 1, %1\n"
3765 +"4: addcc %0, 1, %1\n"
3767 +#ifdef CONFIG_PAX_REFCOUNT
3771 " cas [%2], %0, %1\n"
3773 " bne,pn %%icc, 1b\n"
3774 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3776 : "=&r" (tmp1), "=&r" (tmp2)
3779 + : "memory", "cc");
3782 static int inline arch_read_trylock(arch_rwlock_t *lock)
3783 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3784 "1: ldsw [%2], %0\n"
3785 " brlz,a,pn %0, 2f\n"
3788 +" addcc %0, 1, %1\n"
3790 +#ifdef CONFIG_PAX_REFCOUNT
3794 " cas [%2], %0, %1\n"
3796 " bne,pn %%icc, 1b\n"
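Review bot: This hunk changes `add` to `addcc` in arch_read_trylock, and the next hunk changes arch_read_unlock to `subcc`, but neither touches a clobber list. The arch_read_lock hunk above does extend its clobbers to `: "memory", "cc");`. Both asm statements continue past the end of their hunks, so the clobber lines are not visible here. If they still read `: "memory");`, they should get the same `"cc"` entry so the compiler knows the condition codes are overwritten.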
3797 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3799 __asm__ __volatile__(
3800 "1: lduw [%2], %0\n"
3802 +" subcc %0, 1, %1\n"
3804 +#ifdef CONFIG_PAX_REFCOUNT
3808 " cas [%2], %0, %1\n"
3810 " bne,pn %%xcc, 1b\n"
3811 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h
3812 --- linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
3813 +++ linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
3814 @@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
3816 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3818 - if (n && __access_ok((unsigned long) to, n))
3822 + if (n && __access_ok((unsigned long) to, n)) {
3823 + if (!__builtin_constant_p(n))
3824 + check_object_size(from, n, true);
3825 return __copy_user(to, (__force void __user *) from, n);
3831 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3836 + if (!__builtin_constant_p(n))
3837 + check_object_size(from, n, true);
3839 return __copy_user(to, (__force void __user *) from, n);
3842 @@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
3844 int sz = __compiletime_object_size(to);
3849 if (unlikely(sz != -1 && sz < n)) {
3850 copy_from_user_overflow();
3854 - if (n && __access_ok((unsigned long) from, n))
3855 + if (n && __access_ok((unsigned long) from, n)) {
3856 + if (!__builtin_constant_p(n))
3857 + check_object_size(to, n, false);
3858 return __copy_user((__force void __user *) to, from, n);
3864 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3869 return __copy_user((__force void __user *) to, from, n);
3872 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h
3873 --- linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
3874 +++ linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h 2010-09-17 20:12:09.000000000 -0400
3876 #include <linux/compiler.h>
3877 #include <linux/string.h>
3878 #include <linux/thread_info.h>
3879 +#include <linux/kernel.h>
3880 #include <asm/asi.h>
3881 #include <asm/system.h>
3882 #include <asm/spitfire.h>
3883 @@ -224,6 +225,12 @@ copy_from_user(void *to, const void __us
3884 int sz = __compiletime_object_size(to);
3885 unsigned long ret = size;
3887 + if ((long)size < 0 || size > INT_MAX)
3890 + if (!__builtin_constant_p(size))
3891 + check_object_size(to, size, false);
3893 if (likely(sz == -1 || sz >= size)) {
3894 ret = ___copy_from_user(to, from, size);
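Review bot: The added guard `if ((long)size < 0 || size > INT_MAX)` tests the same thing twice. `size` is an `unsigned long` (the signature is visible in the copy_to_user hunk below, which carries the identical guard), so any value with the sign bit set is already greater than `INT_MAX`. `if (size > INT_MAX)` is enough. A one-line comment such as `/* reject lengths no caller can legitimately mean, including negative values converted to unsigned long */` would record why the cap exists. The statement executed when the guard matches is not visible in either hunk.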
3896 @@ -243,8 +250,15 @@ extern unsigned long copy_to_user_fixup(
3897 static inline unsigned long __must_check
3898 copy_to_user(void __user *to, const void *from, unsigned long size)
3900 - unsigned long ret = ___copy_to_user(to, from, size);
3901 + unsigned long ret;
3903 + if ((long)size < 0 || size > INT_MAX)
3906 + if (!__builtin_constant_p(size))
3907 + check_object_size(from, size, true);
3909 + ret = ___copy_to_user(to, from, size);
3911 ret = copy_to_user_fixup(to, from, size);
3913 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess.h linux-2.6.35.4/arch/sparc/include/asm/uaccess.h
3914 --- linux-2.6.35.4/arch/sparc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3915 +++ linux-2.6.35.4/arch/sparc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3917 #ifndef ___ASM_SPARC_UACCESS_H
3918 #define ___ASM_SPARC_UACCESS_H
3921 +#ifndef __ASSEMBLY__
3922 +#include <linux/types.h>
3923 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3927 #if defined(__sparc__) && defined(__arch64__)
3928 #include <asm/uaccess_64.h>
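Review bot: The new prototype `extern void check_object_size(const void *ptr, unsigned long n, bool to);` has no comment, and the bare `bool to` cannot be read at a call site without looking the function up. In this patch the copy_to_user paths pass `from, n, true` and the copy_from_user paths pass `to, n, false`, so the flag describes the direction of the copy relative to user space. A comment on the declaration would make that explicit: `/* to: true when ptr is the kernel source of a copy to user space, false when it is the kernel destination of a copy from user space */`.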
3930 diff -urNp linux-2.6.35.4/arch/sparc/kernel/iommu.c linux-2.6.35.4/arch/sparc/kernel/iommu.c
3931 --- linux-2.6.35.4/arch/sparc/kernel/iommu.c 2010-08-26 19:47:12.000000000 -0400
3932 +++ linux-2.6.35.4/arch/sparc/kernel/iommu.c 2010-09-17 20:12:09.000000000 -0400
3933 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3934 spin_unlock_irqrestore(&iommu->lock, flags);
3937 -static struct dma_map_ops sun4u_dma_ops = {
3938 +static const struct dma_map_ops sun4u_dma_ops = {
3939 .alloc_coherent = dma_4u_alloc_coherent,
3940 .free_coherent = dma_4u_free_coherent,
3941 .map_page = dma_4u_map_page,
3942 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
3943 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3946 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3947 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3948 EXPORT_SYMBOL(dma_ops);
3950 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3951 diff -urNp linux-2.6.35.4/arch/sparc/kernel/ioport.c linux-2.6.35.4/arch/sparc/kernel/ioport.c
3952 --- linux-2.6.35.4/arch/sparc/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
3953 +++ linux-2.6.35.4/arch/sparc/kernel/ioport.c 2010-09-17 20:12:09.000000000 -0400
3954 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3958 -struct dma_map_ops sbus_dma_ops = {
3959 +const struct dma_map_ops sbus_dma_ops = {
3960 .alloc_coherent = sbus_alloc_coherent,
3961 .free_coherent = sbus_free_coherent,
3962 .map_page = sbus_map_page,
3963 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3964 .sync_sg_for_device = sbus_sync_sg_for_device,
3967 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
3968 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3969 EXPORT_SYMBOL(dma_ops);
3971 static int __init sparc_register_ioport(void)
3972 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3976 -struct dma_map_ops pci32_dma_ops = {
3977 +const struct dma_map_ops pci32_dma_ops = {
3978 .alloc_coherent = pci32_alloc_coherent,
3979 .free_coherent = pci32_free_coherent,
3980 .map_page = pci32_map_page,
3981 diff -urNp linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c
3982 --- linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c 2010-08-26 19:47:12.000000000 -0400
3983 +++ linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c 2010-09-17 20:12:09.000000000 -0400
3984 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3985 regs->npc = regs->pc + 4;
3988 -struct kgdb_arch arch_kgdb_ops = {
3989 +const struct kgdb_arch arch_kgdb_ops = {
3990 /* Breakpoint instruction: ta 0x7d */
3991 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3993 diff -urNp linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c
3994 --- linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c 2010-08-26 19:47:12.000000000 -0400
3995 +++ linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c 2010-09-17 20:12:09.000000000 -0400
3996 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3997 regs->tnpc = regs->tpc + 4;
4000 -struct kgdb_arch arch_kgdb_ops = {
4001 +const struct kgdb_arch arch_kgdb_ops = {
4002 /* Breakpoint instruction: ta 0x72 */
4003 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4005 diff -urNp linux-2.6.35.4/arch/sparc/kernel/Makefile linux-2.6.35.4/arch/sparc/kernel/Makefile
4006 --- linux-2.6.35.4/arch/sparc/kernel/Makefile 2010-08-26 19:47:12.000000000 -0400
4007 +++ linux-2.6.35.4/arch/sparc/kernel/Makefile 2010-09-17 20:12:09.000000000 -0400
4012 -ccflags-y := -Werror
4013 +#ccflags-y := -Werror
4015 extra-y := head_$(BITS).o
4016 extra-y += init_task.o
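Review bot: Commenting out `ccflags-y := -Werror` disables warnings-as-errors for everything under arch/sparc/kernel, not just the files this patch touches. New warnings, for example a discarded `const` qualifier after the dma_map_ops and kgdb_arch changes elsewhere in this patch, will then no longer stop the build. If the flag has to go, the line should say why, e.g. `# -Werror disabled: <warning that currently fails the build>`. Fixing that warning and keeping the flag would be the better outcome.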
4017 diff -urNp linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c
4018 --- linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c 2010-08-26 19:47:12.000000000 -0400
4019 +++ linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c 2010-09-17 20:12:09.000000000 -0400
4020 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4021 spin_unlock_irqrestore(&iommu->lock, flags);
4024 -static struct dma_map_ops sun4v_dma_ops = {
4025 +static const struct dma_map_ops sun4v_dma_ops = {
4026 .alloc_coherent = dma_4v_alloc_coherent,
4027 .free_coherent = dma_4v_free_coherent,
4028 .map_page = dma_4v_map_page,
4029 diff -urNp linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c
4030 --- linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c 2010-08-26 19:47:12.000000000 -0400
4031 +++ linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c 2010-09-17 20:12:09.000000000 -0400
4032 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4033 if (ARCH_SUN4C && len > 0x20000000)
4036 - addr = TASK_UNMAPPED_BASE;
4037 + addr = current->mm->mmap_base;
4039 if (flags & MAP_SHARED)
4040 addr = COLOUR_ALIGN(addr);
4041 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4043 if (TASK_SIZE - PAGE_SIZE - len < addr)
4045 - if (!vmm || addr + len <= vmm->vm_start)
4046 + if (check_heap_stack_gap(vmm, addr, len))
4049 if (flags & MAP_SHARED)
4050 diff -urNp linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c
4051 --- linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c 2010-08-26 19:47:12.000000000 -0400
4052 +++ linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c 2010-09-17 20:12:09.000000000 -0400
4053 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4054 /* We do not accept a shared mapping if it would violate
4055 * cache aliasing constraints.
4057 - if ((flags & MAP_SHARED) &&
4058 + if ((filp || (flags & MAP_SHARED)) &&
4059 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
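Review bot: The comment above the changed condition still says "We do not accept a shared mapping", but the new test `(filp || (flags & MAP_SHARED))` also applies to every file-backed mapping, private ones included. It should read `/* We do not accept a file-backed or shared mapping if it would violate` followed by the existing second line; the arch_get_unmapped_area_topdown hunk at -215 has the same stale comment. The branch taken when the test is true lies outside the hunk. If it is the fixed-address path, private file mappings that were accepted before will now be rejected, which is worth stating in the patch description.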
4062 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4063 if (filp || (flags & MAP_SHARED))
4066 +#ifdef CONFIG_PAX_RANDMMAP
4067 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4072 addr = COLOUR_ALIGN(addr, pgoff);
4073 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4074 addr = PAGE_ALIGN(addr);
4076 vma = find_vma(mm, addr);
4077 - if (task_size - len >= addr &&
4078 - (!vma || addr + len <= vma->vm_start))
4079 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4083 if (len > mm->cached_hole_size) {
4084 - start_addr = addr = mm->free_area_cache;
4085 + start_addr = addr = mm->free_area_cache;
4087 - start_addr = addr = TASK_UNMAPPED_BASE;
4088 + start_addr = addr = mm->mmap_base;
4089 mm->cached_hole_size = 0;
4092 @@ -174,14 +177,14 @@ full_search:
4093 vma = find_vma(mm, VA_EXCLUDE_END);
4095 if (unlikely(task_size < addr)) {
4096 - if (start_addr != TASK_UNMAPPED_BASE) {
4097 - start_addr = addr = TASK_UNMAPPED_BASE;
4098 + if (start_addr != mm->mmap_base) {
4099 + start_addr = addr = mm->mmap_base;
4100 mm->cached_hole_size = 0;
4105 - if (likely(!vma || addr + len <= vma->vm_start)) {
4106 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4108 * Remember the place where we stopped the search:
4110 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4111 /* We do not accept a shared mapping if it would violate
4112 * cache aliasing constraints.
4114 - if ((flags & MAP_SHARED) &&
4115 + if ((filp || (flags & MAP_SHARED)) &&
4116 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4119 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4120 addr = PAGE_ALIGN(addr);
4122 vma = find_vma(mm, addr);
4123 - if (task_size - len >= addr &&
4124 - (!vma || addr + len <= vma->vm_start))
4125 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4129 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4130 /* make sure it can fit in the remaining address space */
4131 if (likely(addr > len)) {
4132 vma = find_vma(mm, addr-len);
4133 - if (!vma || addr <= vma->vm_start) {
4134 + if (check_heap_stack_gap(vma, addr - len, len)) {
4135 /* remember the address as a hint for next time */
4136 return (mm->free_area_cache = addr-len);
4138 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4139 * return with success:
4141 vma = find_vma(mm, addr);
4142 - if (likely(!vma || addr+len <= vma->vm_start)) {
4143 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4144 /* remember the address as a hint for next time */
4145 return (mm->free_area_cache = addr);
4147 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4148 gap == RLIM_INFINITY ||
4149 sysctl_legacy_va_layout) {
4150 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4152 +#ifdef CONFIG_PAX_RANDMMAP
4153 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4154 + mm->mmap_base += mm->delta_mmap;
4157 mm->get_unmapped_area = arch_get_unmapped_area;
4158 mm->unmap_area = arch_unmap_area;
4160 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4161 gap = (task_size / 6 * 5);
4163 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4165 +#ifdef CONFIG_PAX_RANDMMAP
4166 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4167 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4170 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4171 mm->unmap_area = arch_unmap_area_topdown;
4173 diff -urNp linux-2.6.35.4/arch/sparc/kernel/traps_64.c linux-2.6.35.4/arch/sparc/kernel/traps_64.c
4174 --- linux-2.6.35.4/arch/sparc/kernel/traps_64.c 2010-08-26 19:47:12.000000000 -0400
4175 +++ linux-2.6.35.4/arch/sparc/kernel/traps_64.c 2010-09-17 20:12:09.000000000 -0400
4176 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4179 if (regs->tstate & TSTATE_PRIV) {
4181 +#ifdef CONFIG_PAX_REFCOUNT
4183 + pax_report_refcount_overflow(regs);
4186 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4187 die_if_kernel(buffer, regs);
4189 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4190 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4195 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4196 0, lvl, SIGTRAP) == NOTIFY_STOP)
4199 +#ifdef CONFIG_PAX_REFCOUNT
4201 + pax_report_refcount_overflow(regs);
4204 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4206 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4207 diff -urNp linux-2.6.35.4/arch/sparc/lib/atomic_64.S linux-2.6.35.4/arch/sparc/lib/atomic_64.S
4208 --- linux-2.6.35.4/arch/sparc/lib/atomic_64.S 2010-08-26 19:47:12.000000000 -0400
4209 +++ linux-2.6.35.4/arch/sparc/lib/atomic_64.S 2010-09-17 20:12:37.000000000 -0400
4211 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4215 + addcc %g1, %o0, %g7
4217 +#ifdef CONFIG_PAX_REFCOUNT
4224 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4225 2: BACKOFF_SPIN(%o2, %o3, 1b)
4226 .size atomic_add, .-atomic_add
4228 + .globl atomic_add_unchecked
4229 + .type atomic_add_unchecked,#function
4230 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4231 + BACKOFF_SETUP(%o2)
4234 + cas [%o1], %g1, %g7
4240 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4241 + .size atomic_add_unchecked, .-atomic_add_unchecked
4244 .type atomic_sub,#function
4245 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4249 + subcc %g1, %o0, %g7
4251 +#ifdef CONFIG_PAX_REFCOUNT
4258 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4259 2: BACKOFF_SPIN(%o2, %o3, 1b)
4260 .size atomic_sub, .-atomic_sub
4262 + .globl atomic_sub_unchecked
4263 + .type atomic_sub_unchecked,#function
4264 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4265 + BACKOFF_SETUP(%o2)
4268 + cas [%o1], %g1, %g7
4274 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4275 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4277 .globl atomic_add_ret
4278 .type atomic_add_ret,#function
4279 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4283 + addcc %g1, %o0, %g7
4285 +#ifdef CONFIG_PAX_REFCOUNT
4292 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4293 2: BACKOFF_SPIN(%o2, %o3, 1b)
4294 .size atomic_add_ret, .-atomic_add_ret
4296 + .globl atomic_add_ret_unchecked
4297 + .type atomic_add_ret_unchecked,#function
4298 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4299 + BACKOFF_SETUP(%o2)
4301 + addcc %g1, %o0, %g7
4302 + cas [%o1], %g1, %g7
4309 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4310 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4312 .globl atomic_sub_ret
4313 .type atomic_sub_ret,#function
4314 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4318 + subcc %g1, %o0, %g7
4320 +#ifdef CONFIG_PAX_REFCOUNT
4327 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4328 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4332 + addcc %g1, %o0, %g7
4334 +#ifdef CONFIG_PAX_REFCOUNT
4338 casx [%o1], %g1, %g7
4341 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4342 2: BACKOFF_SPIN(%o2, %o3, 1b)
4343 .size atomic64_add, .-atomic64_add
4345 + .globl atomic64_add_unchecked
4346 + .type atomic64_add_unchecked,#function
4347 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4348 + BACKOFF_SETUP(%o2)
4350 + addcc %g1, %o0, %g7
4351 + casx [%o1], %g1, %g7
4357 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4358 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4361 .type atomic64_sub,#function
4362 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4366 + subcc %g1, %o0, %g7
4368 +#ifdef CONFIG_PAX_REFCOUNT
4372 casx [%o1], %g1, %g7
4375 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4376 2: BACKOFF_SPIN(%o2, %o3, 1b)
4377 .size atomic64_sub, .-atomic64_sub
4379 + .globl atomic64_sub_unchecked
4380 + .type atomic64_sub_unchecked,#function
4381 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4382 + BACKOFF_SETUP(%o2)
4384 + subcc %g1, %o0, %g7
4385 + casx [%o1], %g1, %g7
4391 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4392 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4394 .globl atomic64_add_ret
4395 .type atomic64_add_ret,#function
4396 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4400 + addcc %g1, %o0, %g7
4402 +#ifdef CONFIG_PAX_REFCOUNT
4406 casx [%o1], %g1, %g7
4409 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4410 2: BACKOFF_SPIN(%o2, %o3, 1b)
4411 .size atomic64_add_ret, .-atomic64_add_ret
4413 + .globl atomic64_add_ret_unchecked
4414 + .type atomic64_add_ret_unchecked,#function
4415 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4416 + BACKOFF_SETUP(%o2)
4418 + addcc %g1, %o0, %g7
4419 + casx [%o1], %g1, %g7
4426 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4427 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4429 .globl atomic64_sub_ret
4430 .type atomic64_sub_ret,#function
4431 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4435 + subcc %g1, %o0, %g7
4437 +#ifdef CONFIG_PAX_REFCOUNT
4441 casx [%o1], %g1, %g7
4444 diff -urNp linux-2.6.35.4/arch/sparc/lib/ksyms.c linux-2.6.35.4/arch/sparc/lib/ksyms.c
4445 --- linux-2.6.35.4/arch/sparc/lib/ksyms.c 2010-08-26 19:47:12.000000000 -0400
4446 +++ linux-2.6.35.4/arch/sparc/lib/ksyms.c 2010-09-17 20:12:09.000000000 -0400
4447 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4449 /* Atomic counter implementation. */
4450 EXPORT_SYMBOL(atomic_add);
4451 +EXPORT_SYMBOL(atomic_add_unchecked);
4452 EXPORT_SYMBOL(atomic_add_ret);
4453 EXPORT_SYMBOL(atomic_sub);
4454 +EXPORT_SYMBOL(atomic_sub_unchecked);
4455 EXPORT_SYMBOL(atomic_sub_ret);
4456 EXPORT_SYMBOL(atomic64_add);
4457 +EXPORT_SYMBOL(atomic64_add_unchecked);
4458 EXPORT_SYMBOL(atomic64_add_ret);
4459 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4460 EXPORT_SYMBOL(atomic64_sub);
4461 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4462 EXPORT_SYMBOL(atomic64_sub_ret);
4464 /* Atomic bit operations. */
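Review bot: `atomic_add_ret_unchecked` is missing from the exports added here. The hunk exports `atomic_add_unchecked`, `atomic_sub_unchecked`, `atomic64_add_unchecked`, `atomic64_add_ret_unchecked` and `atomic64_sub_unchecked`, but not the 32-bit return variant. That function is declared in the atomic_64.h hunk and defined in atomic_64.S, and the inline `atomic_inc_return_unchecked()` calls it, so a module using that inline would fail to resolve the symbol. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`.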
4465 diff -urNp linux-2.6.35.4/arch/sparc/lib/rwsem_64.S linux-2.6.35.4/arch/sparc/lib/rwsem_64.S
4466 --- linux-2.6.35.4/arch/sparc/lib/rwsem_64.S 2010-08-26 19:47:12.000000000 -0400
4467 +++ linux-2.6.35.4/arch/sparc/lib/rwsem_64.S 2010-09-17 20:12:09.000000000 -0400
4475 +#ifdef CONFIG_PAX_REFCOUNT
4482 @@ -33,7 +38,12 @@ __down_read:
4483 .globl __down_read_trylock
4484 __down_read_trylock:
4489 +#ifdef CONFIG_PAX_REFCOUNT
4496 @@ -51,7 +61,12 @@ __down_write:
4497 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4501 + addcc %g3, %g1, %g7
4503 +#ifdef CONFIG_PAX_REFCOUNT
4510 @@ -77,7 +92,12 @@ __down_write_trylock:
4515 + addcc %g3, %g1, %g7
4517 +#ifdef CONFIG_PAX_REFCOUNT
4524 @@ -90,7 +110,12 @@ __down_write_trylock:
4531 +#ifdef CONFIG_PAX_REFCOUNT
4538 @@ -118,7 +143,12 @@ __up_write:
4539 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4543 + subcc %g3, %g1, %g7
4545 +#ifdef CONFIG_PAX_REFCOUNT
4552 @@ -143,7 +173,12 @@ __downgrade_write:
4553 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4557 + subcc %g3, %g1, %g7
4559 +#ifdef CONFIG_PAX_REFCOUNT
4566 diff -urNp linux-2.6.35.4/arch/sparc/Makefile linux-2.6.35.4/arch/sparc/Makefile
4567 --- linux-2.6.35.4/arch/sparc/Makefile 2010-08-26 19:47:12.000000000 -0400
4568 +++ linux-2.6.35.4/arch/sparc/Makefile 2010-09-17 20:12:37.000000000 -0400
4569 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4570 # Export what is needed by arch/sparc/boot/Makefile
4571 export VMLINUX_INIT VMLINUX_MAIN
4572 VMLINUX_INIT := $(head-y) $(init-y)
4573 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4574 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4575 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4576 VMLINUX_MAIN += $(drivers-y) $(net-y)
4578 diff -urNp linux-2.6.35.4/arch/sparc/mm/fault_32.c linux-2.6.35.4/arch/sparc/mm/fault_32.c
4579 --- linux-2.6.35.4/arch/sparc/mm/fault_32.c 2010-08-26 19:47:12.000000000 -0400
4580 +++ linux-2.6.35.4/arch/sparc/mm/fault_32.c 2010-09-17 20:12:09.000000000 -0400
4582 #include <linux/interrupt.h>
4583 #include <linux/module.h>
4584 #include <linux/kdebug.h>
4585 +#include <linux/slab.h>
4586 +#include <linux/pagemap.h>
4587 +#include <linux/compiler.h>
4589 #include <asm/system.h>
4590 #include <asm/page.h>
4591 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4592 return safe_compute_effective_address(regs, insn);
4595 +#ifdef CONFIG_PAX_PAGEEXEC
4596 +#ifdef CONFIG_PAX_DLRESOLVE
4597 +static void pax_emuplt_close(struct vm_area_struct *vma)
4599 + vma->vm_mm->call_dl_resolve = 0UL;
4602 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4604 + unsigned int *kaddr;
4606 + vmf->page = alloc_page(GFP_HIGHUSER);
4608 + return VM_FAULT_OOM;
4610 + kaddr = kmap(vmf->page);
4611 + memset(kaddr, 0, PAGE_SIZE);
4612 + kaddr[0] = 0x9DE3BFA8U; /* save */
4613 + flush_dcache_page(vmf->page);
4614 + kunmap(vmf->page);
4615 + return VM_FAULT_MAJOR;
4618 +static const struct vm_operations_struct pax_vm_ops = {
4619 + .close = pax_emuplt_close,
4620 + .fault = pax_emuplt_fault
4623 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4627 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4628 + vma->vm_mm = current->mm;
4629 + vma->vm_start = addr;
4630 + vma->vm_end = addr + PAGE_SIZE;
4631 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4632 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4633 + vma->vm_ops = &pax_vm_ops;
4635 + ret = insert_vm_struct(current->mm, vma);
4639 + ++current->mm->total_vm;
4645 + * PaX: decide what to do with offenders (regs->pc = fault address)
4647 + * returns 1 when task should be killed
4648 + * 2 when patched PLT trampoline was detected
4649 + * 3 when unpatched PLT trampoline was detected
4651 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4654 +#ifdef CONFIG_PAX_EMUPLT
4657 + do { /* PaX: patched PLT emulation #1 */
4658 + unsigned int sethi1, sethi2, jmpl;
4660 + err = get_user(sethi1, (unsigned int *)regs->pc);
4661 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4662 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4667 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4668 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4669 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4671 + unsigned int addr;
4673 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4674 + addr = regs->u_regs[UREG_G1];
4675 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4677 + regs->npc = addr+4;
4682 + { /* PaX: patched PLT emulation #2 */
4685 + err = get_user(ba, (unsigned int *)regs->pc);
4687 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4688 + unsigned int addr;
4690 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4692 + regs->npc = addr+4;
4697 + do { /* PaX: patched PLT emulation #3 */
4698 + unsigned int sethi, jmpl, nop;
4700 + err = get_user(sethi, (unsigned int *)regs->pc);
4701 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4702 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4707 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4708 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4709 + nop == 0x01000000U)
4711 + unsigned int addr;
4713 + addr = (sethi & 0x003FFFFFU) << 10;
4714 + regs->u_regs[UREG_G1] = addr;
4715 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4717 + regs->npc = addr+4;
4722 + do { /* PaX: unpatched PLT emulation step 1 */
4723 + unsigned int sethi, ba, nop;
4725 + err = get_user(sethi, (unsigned int *)regs->pc);
4726 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4727 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4732 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4733 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4734 + nop == 0x01000000U)
4736 + unsigned int addr, save, call;
4738 + if ((ba & 0xFFC00000U) == 0x30800000U)
4739 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4741 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4743 + err = get_user(save, (unsigned int *)addr);
4744 + err |= get_user(call, (unsigned int *)(addr+4));
4745 + err |= get_user(nop, (unsigned int *)(addr+8));
4749 +#ifdef CONFIG_PAX_DLRESOLVE
4750 + if (save == 0x9DE3BFA8U &&
4751 + (call & 0xC0000000U) == 0x40000000U &&
4752 + nop == 0x01000000U)
4754 + struct vm_area_struct *vma;
4755 + unsigned long call_dl_resolve;
4757 + down_read(¤t->mm->mmap_sem);
4758 + call_dl_resolve = current->mm->call_dl_resolve;
4759 + up_read(¤t->mm->mmap_sem);
4760 + if (likely(call_dl_resolve))
4763 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4765 + down_write(¤t->mm->mmap_sem);
4766 + if (current->mm->call_dl_resolve) {
4767 + call_dl_resolve = current->mm->call_dl_resolve;
4768 + up_write(¤t->mm->mmap_sem);
4770 + kmem_cache_free(vm_area_cachep, vma);
4774 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4775 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4776 + up_write(¤t->mm->mmap_sem);
4778 + kmem_cache_free(vm_area_cachep, vma);
4782 + if (pax_insert_vma(vma, call_dl_resolve)) {
4783 + up_write(¤t->mm->mmap_sem);
4784 + kmem_cache_free(vm_area_cachep, vma);
4788 + current->mm->call_dl_resolve = call_dl_resolve;
4789 + up_write(¤t->mm->mmap_sem);
4792 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4793 + regs->pc = call_dl_resolve;
4794 + regs->npc = addr+4;
4799 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4800 + if ((save & 0xFFC00000U) == 0x05000000U &&
4801 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4802 + nop == 0x01000000U)
4804 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4805 + regs->u_regs[UREG_G2] = addr + 4;
4806 + addr = (save & 0x003FFFFFU) << 10;
4807 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4809 + regs->npc = addr+4;
4815 + do { /* PaX: unpatched PLT emulation step 2 */
4816 + unsigned int save, call, nop;
4818 + err = get_user(save, (unsigned int *)(regs->pc-4));
4819 + err |= get_user(call, (unsigned int *)regs->pc);
4820 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
4824 + if (save == 0x9DE3BFA8U &&
4825 + (call & 0xC0000000U) == 0x40000000U &&
4826 + nop == 0x01000000U)
4828 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4830 + regs->u_regs[UREG_RETPC] = regs->pc;
4831 + regs->pc = dl_resolve;
4832 + regs->npc = dl_resolve+4;
4841 +void pax_report_insns(void *pc, void *sp)
4845 + printk(KERN_ERR "PAX: bytes at PC: ");
4846 + for (i = 0; i < 8; i++) {
4848 + if (get_user(c, (unsigned int *)pc+i))
4849 + printk(KERN_CONT "???????? ");
4851 + printk(KERN_CONT "%08x ", c);
4857 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
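Review bot: pax_handle_fetch_fault() reports its verdict as the bare integers 1, 2 and 3, documented only in the comment above it, and the `switch (pax_handle_fetch_fault(regs))` added in the `good_area:` hunk below presumably matches on the same literals. A small enum, for example `enum { PAX_FETCH_KILL = 1, PAX_FETCH_PLT_PATCHED, PAX_FETCH_PLT_UNPATCHED };` (names are only a suggestion), would keep producer and consumer in step. The instruction patterns have the same problem: only `0x9DE3BFA8U` carries a `/* save */` comment, while the masks and values compared against `sethi`, `jmpl`, `ba` and `nop` are repeated in every branch without a name. Several lines of this hunk are missing from the listing, so this is based on the visible part only.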
4860 @@ -282,6 +547,24 @@ good_area:
4861 if(!(vma->vm_flags & VM_WRITE))
4865 +#ifdef CONFIG_PAX_PAGEEXEC
4866 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4867 + up_read(&mm->mmap_sem);
4868 + switch (pax_handle_fetch_fault(regs)) {
4870 +#ifdef CONFIG_PAX_EMUPLT
4877 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4878 + do_group_exit(SIGKILL);
4882 /* Allow reads even for write-only mappings */
4883 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4885 diff -urNp linux-2.6.35.4/arch/sparc/mm/fault_64.c linux-2.6.35.4/arch/sparc/mm/fault_64.c
4886 --- linux-2.6.35.4/arch/sparc/mm/fault_64.c 2010-08-26 19:47:12.000000000 -0400
4887 +++ linux-2.6.35.4/arch/sparc/mm/fault_64.c 2010-09-17 20:12:09.000000000 -0400
4889 #include <linux/kprobes.h>
4890 #include <linux/kdebug.h>
4891 #include <linux/percpu.h>
4892 +#include <linux/slab.h>
4893 +#include <linux/pagemap.h>
4894 +#include <linux/compiler.h>
4896 #include <asm/page.h>
4897 #include <asm/pgtable.h>
4898 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4902 +#ifdef CONFIG_PAX_PAGEEXEC
4903 +#ifdef CONFIG_PAX_DLRESOLVE
4904 +static void pax_emuplt_close(struct vm_area_struct *vma)
4906 + vma->vm_mm->call_dl_resolve = 0UL;
4909 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4911 + unsigned int *kaddr;
4913 + vmf->page = alloc_page(GFP_HIGHUSER);
4915 + return VM_FAULT_OOM;
4917 + kaddr = kmap(vmf->page);
4918 + memset(kaddr, 0, PAGE_SIZE);
4919 + kaddr[0] = 0x9DE3BFA8U; /* save */
4920 + flush_dcache_page(vmf->page);
4921 + kunmap(vmf->page);
4922 + return VM_FAULT_MAJOR;
4925 +static const struct vm_operations_struct pax_vm_ops = {
4926 + .close = pax_emuplt_close,
4927 + .fault = pax_emuplt_fault
4930 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4934 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4935 + vma->vm_mm = current->mm;
4936 + vma->vm_start = addr;
4937 + vma->vm_end = addr + PAGE_SIZE;
4938 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4939 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4940 + vma->vm_ops = &pax_vm_ops;
4942 + ret = insert_vm_struct(current->mm, vma);
4946 + ++current->mm->total_vm;
4952 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4954 + * returns 1 when task should be killed
4955 + * 2 when patched PLT trampoline was detected
4956 + * 3 when unpatched PLT trampoline was detected
4958 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4961 +#ifdef CONFIG_PAX_EMUPLT
4964 + do { /* PaX: patched PLT emulation #1 */
4965 + unsigned int sethi1, sethi2, jmpl;
4967 + err = get_user(sethi1, (unsigned int *)regs->tpc);
4968 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4969 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4974 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4975 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4976 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4978 + unsigned long addr;
4980 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4981 + addr = regs->u_regs[UREG_G1];
4982 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4984 + if (test_thread_flag(TIF_32BIT))
4985 + addr &= 0xFFFFFFFFUL;
4988 + regs->tnpc = addr+4;
4993 + { /* PaX: patched PLT emulation #2 */
4996 + err = get_user(ba, (unsigned int *)regs->tpc);
4998 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4999 + unsigned long addr;
5001 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5003 + if (test_thread_flag(TIF_32BIT))
5004 + addr &= 0xFFFFFFFFUL;
5007 + regs->tnpc = addr+4;
5012 + do { /* PaX: patched PLT emulation #3 */
5013 + unsigned int sethi, jmpl, nop;
5015 + err = get_user(sethi, (unsigned int *)regs->tpc);
5016 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5017 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5022 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5023 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5024 + nop == 0x01000000U)
5026 + unsigned long addr;
5028 + addr = (sethi & 0x003FFFFFU) << 10;
5029 + regs->u_regs[UREG_G1] = addr;
5030 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5032 + if (test_thread_flag(TIF_32BIT))
5033 + addr &= 0xFFFFFFFFUL;
5036 + regs->tnpc = addr+4;
5041 + do { /* PaX: patched PLT emulation #4 */
5042 + unsigned int sethi, mov1, call, mov2;
5044 + err = get_user(sethi, (unsigned int *)regs->tpc);
5045 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5046 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5047 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5052 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5053 + mov1 == 0x8210000FU &&
5054 + (call & 0xC0000000U) == 0x40000000U &&
5055 + mov2 == 0x9E100001U)
5057 + unsigned long addr;
5059 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5060 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5062 + if (test_thread_flag(TIF_32BIT))
5063 + addr &= 0xFFFFFFFFUL;
5066 + regs->tnpc = addr+4;
5071 + do { /* PaX: patched PLT emulation #5 */
5072 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5074 + err = get_user(sethi, (unsigned int *)regs->tpc);
5075 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5076 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5077 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5078 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5079 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5080 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5081 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5086 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5087 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5088 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5089 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5090 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5091 + sllx == 0x83287020U &&
5092 + jmpl == 0x81C04005U &&
5093 + nop == 0x01000000U)
5095 + unsigned long addr;
5097 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5098 + regs->u_regs[UREG_G1] <<= 32;
5099 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5100 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5102 + regs->tnpc = addr+4;
5107 + do { /* PaX: patched PLT emulation #6 */
5108 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5110 + err = get_user(sethi, (unsigned int *)regs->tpc);
5111 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5112 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5113 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5114 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5115 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5116 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5121 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5122 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5123 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5124 + sllx == 0x83287020U &&
5125 + (or & 0xFFFFE000U) == 0x8A116000U &&
5126 + jmpl == 0x81C04005U &&
5127 + nop == 0x01000000U)
5129 + unsigned long addr;
5131 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5132 + regs->u_regs[UREG_G1] <<= 32;
5133 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5134 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5136 + regs->tnpc = addr+4;
5141 + do { /* PaX: unpatched PLT emulation step 1 */
5142 + unsigned int sethi, ba, nop;
5144 + err = get_user(sethi, (unsigned int *)regs->tpc);
5145 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5146 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5151 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5152 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5153 + nop == 0x01000000U)
5155 + unsigned long addr;
5156 + unsigned int save, call;
5157 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5159 + if ((ba & 0xFFC00000U) == 0x30800000U)
5160 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5162 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5164 + if (test_thread_flag(TIF_32BIT))
5165 + addr &= 0xFFFFFFFFUL;
5167 + err = get_user(save, (unsigned int *)addr);
5168 + err |= get_user(call, (unsigned int *)(addr+4));
5169 + err |= get_user(nop, (unsigned int *)(addr+8));
5173 +#ifdef CONFIG_PAX_DLRESOLVE
5174 + if (save == 0x9DE3BFA8U &&
5175 + (call & 0xC0000000U) == 0x40000000U &&
5176 + nop == 0x01000000U)
5178 + struct vm_area_struct *vma;
5179 + unsigned long call_dl_resolve;
5181 + down_read(¤t->mm->mmap_sem);
5182 + call_dl_resolve = current->mm->call_dl_resolve;
5183 + up_read(¤t->mm->mmap_sem);
5184 + if (likely(call_dl_resolve))
5187 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5189 + down_write(¤t->mm->mmap_sem);
5190 + if (current->mm->call_dl_resolve) {
5191 + call_dl_resolve = current->mm->call_dl_resolve;
5192 + up_write(¤t->mm->mmap_sem);
5194 + kmem_cache_free(vm_area_cachep, vma);
5198 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5199 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5200 + up_write(¤t->mm->mmap_sem);
5202 + kmem_cache_free(vm_area_cachep, vma);
5206 + if (pax_insert_vma(vma, call_dl_resolve)) {
5207 + up_write(¤t->mm->mmap_sem);
5208 + kmem_cache_free(vm_area_cachep, vma);
5212 + current->mm->call_dl_resolve = call_dl_resolve;
5213 + up_write(¤t->mm->mmap_sem);
5216 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5217 + regs->tpc = call_dl_resolve;
5218 + regs->tnpc = addr+4;
5223 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5224 + if ((save & 0xFFC00000U) == 0x05000000U &&
5225 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5226 + nop == 0x01000000U)
5228 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5229 + regs->u_regs[UREG_G2] = addr + 4;
5230 + addr = (save & 0x003FFFFFU) << 10;
5231 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5233 + if (test_thread_flag(TIF_32BIT))
5234 + addr &= 0xFFFFFFFFUL;
5237 + regs->tnpc = addr+4;
5241 + /* PaX: 64-bit PLT stub */
5242 + err = get_user(sethi1, (unsigned int *)addr);
5243 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5244 + err |= get_user(or1, (unsigned int *)(addr+8));
5245 + err |= get_user(or2, (unsigned int *)(addr+12));
5246 + err |= get_user(sllx, (unsigned int *)(addr+16));
5247 + err |= get_user(add, (unsigned int *)(addr+20));
5248 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5249 + err |= get_user(nop, (unsigned int *)(addr+28));
5253 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5254 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5255 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5256 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5257 + sllx == 0x89293020U &&
5258 + add == 0x8A010005U &&
5259 + jmpl == 0x89C14000U &&
5260 + nop == 0x01000000U)
5262 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5263 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5264 + regs->u_regs[UREG_G4] <<= 32;
5265 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5266 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5267 + regs->u_regs[UREG_G4] = addr + 24;
5268 + addr = regs->u_regs[UREG_G5];
5270 + regs->tnpc = addr+4;
5276 +#ifdef CONFIG_PAX_DLRESOLVE
5277 + do { /* PaX: unpatched PLT emulation step 2 */
5278 + unsigned int save, call, nop;
5280 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5281 + err |= get_user(call, (unsigned int *)regs->tpc);
5282 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5286 + if (save == 0x9DE3BFA8U &&
5287 + (call & 0xC0000000U) == 0x40000000U &&
5288 + nop == 0x01000000U)
5290 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5292 + if (test_thread_flag(TIF_32BIT))
5293 + dl_resolve &= 0xFFFFFFFFUL;
5295 + regs->u_regs[UREG_RETPC] = regs->tpc;
5296 + regs->tpc = dl_resolve;
5297 + regs->tnpc = dl_resolve+4;
5303 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5304 + unsigned int sethi, ba, nop;
5306 + err = get_user(sethi, (unsigned int *)regs->tpc);
5307 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5308 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5313 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5314 + (ba & 0xFFF00000U) == 0x30600000U &&
5315 + nop == 0x01000000U)
5317 + unsigned long addr;
5319 + addr = (sethi & 0x003FFFFFU) << 10;
5320 + regs->u_regs[UREG_G1] = addr;
5321 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5323 + if (test_thread_flag(TIF_32BIT))
5324 + addr &= 0xFFFFFFFFUL;
5327 + regs->tnpc = addr+4;
5337 +void pax_report_insns(void *pc, void *sp)
5341 + printk(KERN_ERR "PAX: bytes at PC: ");
5342 + for (i = 0; i < 8; i++) {
5344 + if (get_user(c, (unsigned int *)pc+i))
5345 + printk(KERN_CONT "???????? ");
5347 + printk(KERN_CONT "%08x ", c);
5353 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5355 struct mm_struct *mm = current->mm;
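Review bot: The `patched PLT emulation #5` and `#6` branches and the `64-bit PLT stub` branch build `addr` from instruction words read with get_user() and store `addr+4` in `regs->tnpc` without the `if (test_thread_flag(TIF_32BIT)) addr &= 0xFFFFFFFFUL;` step that the other branches of pax_handle_fetch_fault() apply. This may be deliberate, since these sequences assemble a 64-bit address with a shift by 32, but no visible check restricts those branches to 64-bit tasks. Either apply the same mask there for consistency or add a comment such as `/* 64-bit-only sequence: no TIF_32BIT truncation */` stating why it can be skipped. Some lines of this hunk are not shown in the listing, so confirm against the full file.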
5356 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5360 +#ifdef CONFIG_PAX_PAGEEXEC
5361 + /* PaX: detect ITLB misses on non-exec pages */
5362 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5363 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5365 + if (address != regs->tpc)
5368 + up_read(&mm->mmap_sem);
5369 + switch (pax_handle_fetch_fault(regs)) {
5371 +#ifdef CONFIG_PAX_EMUPLT
5378 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5379 + do_group_exit(SIGKILL);
5383 /* Pure DTLB misses do not tell us whether the fault causing
5384 * load/store/atomic was a write or not, it only says that there
5385 * was no match. So in such a case we (carefully) read the
5386 diff -urNp linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c
5387 --- linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
5388 +++ linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
5389 @@ -68,7 +68,7 @@ full_search:
5393 - if (likely(!vma || addr + len <= vma->vm_start)) {
5394 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5396 * Remember the place where we stopped the search:
5398 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5399 /* make sure it can fit in the remaining address space */
5400 if (likely(addr > len)) {
5401 vma = find_vma(mm, addr-len);
5402 - if (!vma || addr <= vma->vm_start) {
5403 + if (check_heap_stack_gap(vma, addr - len, len)) {
5404 /* remember the address as a hint for next time */
5405 return (mm->free_area_cache = addr-len);
5407 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5408 * return with success:
5410 vma = find_vma(mm, addr);
5411 - if (likely(!vma || addr+len <= vma->vm_start)) {
5412 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5413 /* remember the address as a hint for next time */
5414 return (mm->free_area_cache = addr);
5416 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5418 addr = ALIGN(addr, HPAGE_SIZE);
5419 vma = find_vma(mm, addr);
5420 - if (task_size - len >= addr &&
5421 - (!vma || addr + len <= vma->vm_start))
5422 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5425 if (mm->get_unmapped_area == arch_get_unmapped_area)
5426 diff -urNp linux-2.6.35.4/arch/sparc/mm/init_32.c linux-2.6.35.4/arch/sparc/mm/init_32.c
5427 --- linux-2.6.35.4/arch/sparc/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
5428 +++ linux-2.6.35.4/arch/sparc/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
5429 @@ -318,6 +318,9 @@ extern void device_scan(void);
5430 pgprot_t PAGE_SHARED __read_mostly;
5431 EXPORT_SYMBOL(PAGE_SHARED);
5433 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5434 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5436 void __init paging_init(void)
5438 switch(sparc_cpu_model) {
5439 @@ -346,17 +349,17 @@ void __init paging_init(void)
5441 /* Initialize the protection map with non-constant, MMU dependent values. */
5442 protection_map[0] = PAGE_NONE;
5443 - protection_map[1] = PAGE_READONLY;
5444 - protection_map[2] = PAGE_COPY;
5445 - protection_map[3] = PAGE_COPY;
5446 + protection_map[1] = PAGE_READONLY_NOEXEC;
5447 + protection_map[2] = PAGE_COPY_NOEXEC;
5448 + protection_map[3] = PAGE_COPY_NOEXEC;
5449 protection_map[4] = PAGE_READONLY;
5450 protection_map[5] = PAGE_READONLY;
5451 protection_map[6] = PAGE_COPY;
5452 protection_map[7] = PAGE_COPY;
5453 protection_map[8] = PAGE_NONE;
5454 - protection_map[9] = PAGE_READONLY;
5455 - protection_map[10] = PAGE_SHARED;
5456 - protection_map[11] = PAGE_SHARED;
5457 + protection_map[9] = PAGE_READONLY_NOEXEC;
5458 + protection_map[10] = PAGE_SHARED_NOEXEC;
5459 + protection_map[11] = PAGE_SHARED_NOEXEC;
5460 protection_map[12] = PAGE_READONLY;
5461 protection_map[13] = PAGE_READONLY;
5462 protection_map[14] = PAGE_SHARED;
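Review bot: paging_init() now stores PAGE_READONLY_NOEXEC, PAGE_COPY_NOEXEC and PAGE_SHARED_NOEXEC into protection_map[] unconditionally, but the srmmu.c hunk of this patch assigns PAGE_SHARED_NOEXEC and the two `*_noexec` BTFIXUP values only inside `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the header that declares the _NOEXEC names (not visible here) aliases them to the plain protections when the option is off, entries 1-3 and 9-11 would be built from values nobody initialised in that configuration. Please confirm the fallback exists and record it next to the table, for example `/* _NOEXEC variants equal the plain protections without CONFIG_PAX_PAGEEXEC */`. paging_init() starts and ends outside the hunk.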
5463 diff -urNp linux-2.6.35.4/arch/sparc/mm/Makefile linux-2.6.35.4/arch/sparc/mm/Makefile
5464 --- linux-2.6.35.4/arch/sparc/mm/Makefile 2010-08-26 19:47:12.000000000 -0400
5465 +++ linux-2.6.35.4/arch/sparc/mm/Makefile 2010-09-17 20:12:09.000000000 -0400
5470 -ccflags-y := -Werror
5471 +#ccflags-y := -Werror
5473 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5474 obj-y += fault_$(BITS).o
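Review bot: Commenting out `ccflags-y := -Werror` makes warnings in arch/sparc/mm non-fatal in the same patch that adds several hundred lines of fault-handling code to fault_32.c and fault_64.c. If specific warnings from the new code are the reason, it would be better to fix them or disable only those. The line should at least say why, for example `# -Werror disabled: <reason>`, since an unexplained commented-out setting tends to stay that way.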
5475 diff -urNp linux-2.6.35.4/arch/sparc/mm/srmmu.c linux-2.6.35.4/arch/sparc/mm/srmmu.c
5476 --- linux-2.6.35.4/arch/sparc/mm/srmmu.c 2010-08-26 19:47:12.000000000 -0400
5477 +++ linux-2.6.35.4/arch/sparc/mm/srmmu.c 2010-09-17 20:12:09.000000000 -0400
5478 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
5479 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5480 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5481 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5483 +#ifdef CONFIG_PAX_PAGEEXEC
5484 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5485 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5486 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5489 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5490 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5492 diff -urNp linux-2.6.35.4/arch/um/include/asm/kmap_types.h linux-2.6.35.4/arch/um/include/asm/kmap_types.h
5493 --- linux-2.6.35.4/arch/um/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
5494 +++ linux-2.6.35.4/arch/um/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
5495 @@ -23,6 +23,7 @@ enum km_type {
5503 diff -urNp linux-2.6.35.4/arch/um/include/asm/page.h linux-2.6.35.4/arch/um/include/asm/page.h
5504 --- linux-2.6.35.4/arch/um/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
5505 +++ linux-2.6.35.4/arch/um/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
5507 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5508 #define PAGE_MASK (~(PAGE_SIZE-1))
5510 +#define ktla_ktva(addr) (addr)
5511 +#define ktva_ktla(addr) (addr)
5513 #ifndef __ASSEMBLY__
5516 diff -urNp linux-2.6.35.4/arch/um/sys-i386/syscalls.c linux-2.6.35.4/arch/um/sys-i386/syscalls.c
5517 --- linux-2.6.35.4/arch/um/sys-i386/syscalls.c 2010-08-26 19:47:12.000000000 -0400
5518 +++ linux-2.6.35.4/arch/um/sys-i386/syscalls.c 2010-09-17 20:12:09.000000000 -0400
5520 #include "asm/uaccess.h"
5521 #include "asm/unistd.h"
5523 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5525 + unsigned long pax_task_size = TASK_SIZE;
5527 +#ifdef CONFIG_PAX_SEGMEXEC
5528 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5529 + pax_task_size = SEGMEXEC_TASK_SIZE;
5532 + if (len > pax_task_size || addr > pax_task_size - len)
5539 * The prototype on i386 is:
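Review bot: i386_mmap_check() has no comment saying what it checks or why the bound is written as `addr > pax_task_size - len`. A short header would help, for example `/* Reject ranges that do not fit below the task size (SEGMEXEC_TASK_SIZE when MF_PAX_SEGMEXEC is set); compared this way so addr + len cannot wrap. */`. The return statements fall on lines not shown in this listing, so the comment should also name the error value once that is confirmed.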
5541 diff -urNp linux-2.6.35.4/arch/x86/boot/bitops.h linux-2.6.35.4/arch/x86/boot/bitops.h
5542 --- linux-2.6.35.4/arch/x86/boot/bitops.h 2010-08-26 19:47:12.000000000 -0400
5543 +++ linux-2.6.35.4/arch/x86/boot/bitops.h 2010-09-17 20:12:09.000000000 -0400
5544 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5546 const u32 *p = (const u32 *)addr;
5548 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5549 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5553 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5555 static inline void set_bit(int nr, void *addr)
5557 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5558 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5561 #endif /* BOOT_BITOPS_H */
5562 diff -urNp linux-2.6.35.4/arch/x86/boot/boot.h linux-2.6.35.4/arch/x86/boot/boot.h
5563 --- linux-2.6.35.4/arch/x86/boot/boot.h 2010-08-26 19:47:12.000000000 -0400
5564 +++ linux-2.6.35.4/arch/x86/boot/boot.h 2010-09-17 20:12:09.000000000 -0400
5565 @@ -82,7 +82,7 @@ static inline void io_delay(void)
5566 static inline u16 ds(void)
5569 - asm("movw %%ds,%0" : "=rm" (seg));
5570 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5574 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
5575 static inline int memcmp(const void *s1, const void *s2, size_t len)
5578 - asm("repe; cmpsb; setnz %0"
5579 + asm volatile("repe; cmpsb; setnz %0"
5580 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
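Review bot: `asm volatile` on the `repe; cmpsb` in memcmp() keeps the statement from being dropped, but the operand list still does not tell the compiler that the instruction reads the bytes behind s1 and s2, so earlier stores to those buffers are not ordered against it. A memory clobber closes that gap: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. The same `asm` to `asm volatile` change in ds() and in bitops.h does not have this problem, because those statements name their memory through `"m"`/`"+m"` operands or touch only a register. memcmp()'s body continues outside the hunk.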
5583 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/head_32.S linux-2.6.35.4/arch/x86/boot/compressed/head_32.S
5584 --- linux-2.6.35.4/arch/x86/boot/compressed/head_32.S 2010-08-26 19:47:12.000000000 -0400
5585 +++ linux-2.6.35.4/arch/x86/boot/compressed/head_32.S 2010-09-17 20:12:09.000000000 -0400
5586 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5590 - movl $LOAD_PHYSICAL_ADDR, %ebx
5591 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5594 /* Target address to relocate to for decompression */
5595 @@ -149,7 +149,7 @@ relocated:
5596 * and where it was actually loaded.
5599 - subl $LOAD_PHYSICAL_ADDR, %ebx
5600 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5601 jz 2f /* Nothing to be done if loaded at compiled addr. */
5603 * Process relocations.
5604 @@ -157,8 +157,7 @@ relocated:
5611 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5614 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/head_64.S linux-2.6.35.4/arch/x86/boot/compressed/head_64.S
5615 --- linux-2.6.35.4/arch/x86/boot/compressed/head_64.S 2010-08-26 19:47:12.000000000 -0400
5616 +++ linux-2.6.35.4/arch/x86/boot/compressed/head_64.S 2010-09-17 20:12:09.000000000 -0400
5617 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5621 - movl $LOAD_PHYSICAL_ADDR, %ebx
5622 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5625 /* Target address to relocate to for decompression */
5626 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5630 - movq $LOAD_PHYSICAL_ADDR, %rbp
5631 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5634 /* Target address to relocate to for decompression */
5635 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/misc.c linux-2.6.35.4/arch/x86/boot/compressed/misc.c
5636 --- linux-2.6.35.4/arch/x86/boot/compressed/misc.c 2010-08-26 19:47:12.000000000 -0400
5637 +++ linux-2.6.35.4/arch/x86/boot/compressed/misc.c 2010-09-17 20:12:09.000000000 -0400
5638 @@ -285,7 +285,7 @@ static void parse_elf(void *output)
5640 #ifdef CONFIG_RELOCATABLE
5642 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5643 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5645 dest = (void *)(phdr->p_paddr);
5647 @@ -332,7 +332,7 @@ asmlinkage void decompress_kernel(void *
5648 error("Destination address too large");
5650 #ifndef CONFIG_RELOCATABLE
5651 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5652 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5653 error("Wrong destination address");
5656 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c
5657 --- linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c 2010-08-26 19:47:12.000000000 -0400
5658 +++ linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c 2010-09-17 20:12:09.000000000 -0400
5659 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5661 offs = (olen > ilen) ? olen - ilen : 0;
5662 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5663 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5664 + offs += 64*1024; /* Add 64K bytes slack */
5665 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5667 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
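Review bot: The slack term changes from `32*1024 + 18` to `64*1024`, and the new comment `/* Add 64K bytes slack */` only restates the number. Since `offs` decides how far the compressed image is placed from the output buffer, the reason for the larger margin should be recorded, for example `/* 64K slack: <what needs the extra room> */`. The rest of main() is outside the hunk.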
5668 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/relocs.c linux-2.6.35.4/arch/x86/boot/compressed/relocs.c
5669 --- linux-2.6.35.4/arch/x86/boot/compressed/relocs.c 2010-08-26 19:47:12.000000000 -0400
5670 +++ linux-2.6.35.4/arch/x86/boot/compressed/relocs.c 2010-09-17 20:12:09.000000000 -0400
5673 static void die(char *fmt, ...);
5675 +#include "../../../../include/generated/autoconf.h"
5677 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5678 static Elf32_Ehdr ehdr;
5679 +static Elf32_Phdr *phdr;
5680 static unsigned long reloc_count, reloc_idx;
5681 static unsigned long *relocs;
5683 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5687 +static void read_phdrs(FILE *fp)
5691 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5693 + die("Unable to allocate %d program headers\n",
5696 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5697 + die("Seek to %d failed: %s\n",
5698 + ehdr.e_phoff, strerror(errno));
5700 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5701 + die("Cannot read ELF program headers: %s\n",
5704 + for(i = 0; i < ehdr.e_phnum; i++) {
5705 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5706 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5707 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5708 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5709 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5710 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5711 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5712 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5717 static void read_shdrs(FILE *fp)
5723 secs = calloc(ehdr.e_shnum, sizeof(struct section));
5724 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5726 static void read_strtabs(FILE *fp)
5730 for (i = 0; i < ehdr.e_shnum; i++) {
5731 struct section *sec = &secs[i];
5732 if (sec->shdr.sh_type != SHT_STRTAB) {
5733 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5735 static void read_symtabs(FILE *fp)
5739 for (i = 0; i < ehdr.e_shnum; i++) {
5740 struct section *sec = &secs[i];
5741 if (sec->shdr.sh_type != SHT_SYMTAB) {
5742 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5744 static void read_relocs(FILE *fp)
5750 for (i = 0; i < ehdr.e_shnum; i++) {
5751 struct section *sec = &secs[i];
5752 if (sec->shdr.sh_type != SHT_REL) {
5753 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5754 die("Cannot read symbol table: %s\n",
5758 + for (j = 0; j < ehdr.e_phnum; j++) {
5759 + if (phdr[j].p_type != PT_LOAD )
5761 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5763 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5766 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5767 Elf32_Rel *rel = &sec->reltab[j];
5768 - rel->r_offset = elf32_to_cpu(rel->r_offset);
5769 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5770 rel->r_info = elf32_to_cpu(rel->r_info);
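Review bot: The segment-containment test in the new `for (j = 0; j < ehdr.e_phnum; j++)` loop computes `phdr[j].p_offset + phdr[j].p_filesz` in 32-bit arithmetic, so a segment ending near 4 GiB wraps and the test rejects offsets that lie inside it. It also evaluates `secs[sec->shdr.sh_info].shdr.sh_offset` twice on one very long line, and nothing visible here compares `sh_info` with `ehdr.e_shnum` before indexing. Hoisting the value and using a subtraction avoids the wrap: `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;` then `if (off < phdr[j].p_offset || off - phdr[j].p_offset >= phdr[j].p_filesz)`. If no PT_LOAD segment matches, `base` keeps whatever value it had before the loop (its initialisation is not visible in this listing); a `die()` in that case would be safer than emitting relocations with a stale base. read_relocs() starts and ends outside the hunk.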
5773 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5775 static void print_absolute_symbols(void)
5779 printf("Absolute symbols\n");
5780 printf(" Num: Value Size Type Bind Visibility Name\n");
5781 for (i = 0; i < ehdr.e_shnum; i++) {
5782 struct section *sec = &secs[i];
5784 Elf32_Sym *sh_symtab;
5788 if (sec->shdr.sh_type != SHT_SYMTAB) {
5790 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5792 static void print_absolute_relocs(void)
5794 - int i, printed = 0;
5795 + unsigned int i, printed = 0;
5797 for (i = 0; i < ehdr.e_shnum; i++) {
5798 struct section *sec = &secs[i];
5799 struct section *sec_applies, *sec_symtab;
5801 Elf32_Sym *sh_symtab;
5804 if (sec->shdr.sh_type != SHT_REL) {
5807 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5809 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5813 /* Walk through the relocations */
5814 for (i = 0; i < ehdr.e_shnum; i++) {
5816 Elf32_Sym *sh_symtab;
5817 struct section *sec_applies, *sec_symtab;
5820 struct section *sec = &secs[i];
5822 if (sec->shdr.sh_type != SHT_REL) {
5823 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5824 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5827 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5828 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5831 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5832 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5833 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5835 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5837 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5839 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
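Review bot: Each of the added filters calls `sec_name(sym->st_shndx)` again, up to five times per relocation, and `sym_name(sym_strtab, sym)` up to three times, which makes the exclusion rules hard to read. Computing both once, `const char *secname = sec_name(sym->st_shndx);` and `const char *symname = sym_name(sym_strtab, sym);`, would reduce each test to a short comparison and make the three exceptions (`__per_cpu_load`, `_etext`, `__LOAD_PHYSICAL_ADDR`) stand out. Because these tests decide which addresses are left unrelocated, each exception also deserves a one-line comment saying why that symbol is exempt. walk_relocs() starts and ends outside the hunk.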
5846 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5848 static void emit_relocs(int as_text)
5852 /* Count how many relocations I have and allocate space for them. */
5854 walk_relocs(count_reloc);
5855 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5856 fname, strerror(errno));
5863 diff -urNp linux-2.6.35.4/arch/x86/boot/cpucheck.c linux-2.6.35.4/arch/x86/boot/cpucheck.c
5864 --- linux-2.6.35.4/arch/x86/boot/cpucheck.c 2010-08-26 19:47:12.000000000 -0400
5865 +++ linux-2.6.35.4/arch/x86/boot/cpucheck.c 2010-09-17 20:12:09.000000000 -0400
5866 @@ -74,7 +74,7 @@ static int has_fpu(void)
5867 u16 fcw = -1, fsw = -1;
5870 - asm("movl %%cr0,%0" : "=r" (cr0));
5871 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
5872 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5873 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5874 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5875 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5880 + asm volatile("pushfl ; "
5884 @@ -115,7 +115,7 @@ static void get_flags(void)
5885 set_bit(X86_FEATURE_FPU, cpu.flags);
5887 if (has_eflag(X86_EFLAGS_ID)) {
5889 + asm volatile("cpuid"
5890 : "=a" (max_intel_level),
5891 "=b" (cpu_vendor[0]),
5892 "=d" (cpu_vendor[1]),
5893 @@ -124,7 +124,7 @@ static void get_flags(void)
5895 if (max_intel_level >= 0x00000001 &&
5896 max_intel_level <= 0x0000ffff) {
5898 + asm volatile("cpuid"
5900 "=c" (cpu.flags[4]),
5902 @@ -136,7 +136,7 @@ static void get_flags(void)
5903 cpu.model += ((tfms >> 16) & 0xf) << 4;
5907 + asm volatile("cpuid"
5908 : "=a" (max_amd_level)
5910 : "ebx", "ecx", "edx");
5911 @@ -144,7 +144,7 @@ static void get_flags(void)
5912 if (max_amd_level >= 0x80000001 &&
5913 max_amd_level <= 0x8000ffff) {
5914 u32 eax = 0x80000001;
5916 + asm volatile("cpuid"
5918 "=c" (cpu.flags[6]),
5920 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5921 u32 ecx = MSR_K7_HWCR;
5924 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5925 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5927 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5928 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5930 get_flags(); /* Make sure it really did something */
5931 err = check_flags();
5932 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5933 u32 ecx = MSR_VIA_FCR;
5936 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5937 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5938 eax |= (1<<1)|(1<<7);
5939 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5940 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5942 set_bit(X86_FEATURE_CX8, cpu.flags);
5943 err = check_flags();
5944 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5948 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5949 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5951 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5952 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5953 + asm volatile("cpuid"
5954 : "+a" (level), "=d" (cpu.flags[0])
5956 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5957 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5959 err = check_flags();
5961 diff -urNp linux-2.6.35.4/arch/x86/boot/header.S linux-2.6.35.4/arch/x86/boot/header.S
5962 --- linux-2.6.35.4/arch/x86/boot/header.S 2010-08-26 19:47:12.000000000 -0400
5963 +++ linux-2.6.35.4/arch/x86/boot/header.S 2010-09-17 20:12:09.000000000 -0400
5964 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5965 # single linked list of
5968 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5969 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5971 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5972 #define VO_INIT_SIZE (VO__end - VO__text)
5973 diff -urNp linux-2.6.35.4/arch/x86/boot/memory.c linux-2.6.35.4/arch/x86/boot/memory.c
5974 --- linux-2.6.35.4/arch/x86/boot/memory.c 2010-08-26 19:47:12.000000000 -0400
5975 +++ linux-2.6.35.4/arch/x86/boot/memory.c 2010-09-17 20:12:09.000000000 -0400
5978 static int detect_memory_e820(void)
5981 + unsigned int count = 0;
5982 struct biosregs ireg, oreg;
5983 struct e820entry *desc = boot_params.e820_map;
5984 static struct e820entry buf; /* static so it is zeroed */
5985 diff -urNp linux-2.6.35.4/arch/x86/boot/video.c linux-2.6.35.4/arch/x86/boot/video.c
5986 --- linux-2.6.35.4/arch/x86/boot/video.c 2010-08-26 19:47:12.000000000 -0400
5987 +++ linux-2.6.35.4/arch/x86/boot/video.c 2010-09-17 20:12:09.000000000 -0400
5988 @@ -96,7 +96,7 @@ static void store_mode_params(void)
5989 static unsigned int get_entry(void)
5993 + unsigned int i, len = 0;
5997 diff -urNp linux-2.6.35.4/arch/x86/boot/video-vesa.c linux-2.6.35.4/arch/x86/boot/video-vesa.c
5998 --- linux-2.6.35.4/arch/x86/boot/video-vesa.c 2010-08-26 19:47:12.000000000 -0400
5999 +++ linux-2.6.35.4/arch/x86/boot/video-vesa.c 2010-09-17 20:12:09.000000000 -0400
6000 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6002 boot_params.screen_info.vesapm_seg = oreg.es;
6003 boot_params.screen_info.vesapm_off = oreg.di;
6004 + boot_params.screen_info.vesapm_size = oreg.cx;
6008 diff -urNp linux-2.6.35.4/arch/x86/ia32/ia32entry.S linux-2.6.35.4/arch/x86/ia32/ia32entry.S
6009 --- linux-2.6.35.4/arch/x86/ia32/ia32entry.S 2010-08-26 19:47:12.000000000 -0400
6010 +++ linux-2.6.35.4/arch/x86/ia32/ia32entry.S 2010-09-17 20:12:37.000000000 -0400
6012 #include <asm/thread_info.h>
6013 #include <asm/segment.h>
6014 #include <asm/irqflags.h>
6015 +#include <asm/pgtable.h>
6016 #include <linux/linkage.h>
6018 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6021 * Reload arg registers from stack in case ptrace changed them.
6022 * We don't reload %eax because syscall_trace_enter() returned
6023 - * the value it wants us to use in the table lookup.
6024 + * the %rax value we should see. Instead, we just truncate that
6025 + * value to 32 bits again as we did on entry from user mode.
6026 + * If it's a new value set by user_regset during entry tracing,
6027 + * this matches the normal truncation of the user-mode value.
6028 + * If it's -1 to make us punt the syscall, then (u32)-1 is still
6029 + * an appropriately invalid value.
6031 .macro LOAD_ARGS32 offset, _r9=0
6034 movl \offset+48(%rsp),%edx
6035 movl \offset+56(%rsp),%esi
6036 movl \offset+64(%rsp),%edi
6037 + movl %eax,%eax /* zero extension */
6040 .macro CFI_STARTPROC32 simple
6041 @@ -114,6 +121,11 @@ ENTRY(ia32_sysenter_target)
6043 movq PER_CPU_VAR(kernel_stack), %rsp
6044 addq $(KERNEL_STACK_OFFSET),%rsp
6046 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6047 + call pax_enter_kernel_user
6051 * No need to follow this irqs on/off section: the syscall
6052 * disabled irqs, here we enable it straight after entry:
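Review bot: The added `call pax_enter_kernel_user` runs on the syscall entry path before the user register values have been saved, and nothing at the call site states which registers the helper preserves. The helper is not visible in this chunk, so presumably it preserves all of them. A comment such as `/* pax_enter_kernel_user preserves all registers */` would make that contract checkable when the helper is next changed. The same applies to the calls added in ia32_cstar_target and ia32_syscall, and to the `call pax_exit_kernel_user` sites at sysexit_from_sys_call and sysretl_from_sys_call. ia32_sysenter_target starts and ends outside the hunk.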
6053 @@ -144,6 +156,12 @@ ENTRY(ia32_sysenter_target)
6055 /* no need to do an access_ok check here because rbp has been
6056 32bit zero extended */
6058 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6059 + mov $PAX_USER_SHADOW_BASE,%r10
6064 .section __ex_table,"a"
6065 .quad 1b,ia32_badarg
6066 @@ -153,7 +171,7 @@ ENTRY(ia32_sysenter_target)
6067 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
6069 jnz sysenter_tracesys
6070 - cmpl $(IA32_NR_syscalls-1),%eax
6071 + cmpq $(IA32_NR_syscalls-1),%rax
6075 @@ -166,6 +184,11 @@ sysenter_dispatch:
6076 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6078 sysexit_from_sys_call:
6080 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6081 + call pax_exit_kernel_user
6084 andl $~TS_COMPAT,TI_status(%r10)
6085 /* clear IF, that popfq doesn't enable interrupts early */
6086 andl $~0x200,EFLAGS-R11(%rsp)
6087 @@ -195,7 +218,7 @@ sysexit_from_sys_call:
6088 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6089 call audit_syscall_entry
6090 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6091 - cmpl $(IA32_NR_syscalls-1),%eax
6092 + cmpq $(IA32_NR_syscalls-1),%rax
6094 movl %ebx,%edi /* reload 1st syscall arg */
6095 movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
6096 @@ -248,7 +271,7 @@ sysenter_tracesys:
6097 call syscall_trace_enter
6098 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6100 - cmpl $(IA32_NR_syscalls-1),%eax
6101 + cmpq $(IA32_NR_syscalls-1),%rax
6102 ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
6103 jmp sysenter_do_call
6105 @@ -284,6 +307,11 @@ ENTRY(ia32_cstar_target)
6108 movq PER_CPU_VAR(kernel_stack),%rsp
6110 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6111 + call pax_enter_kernel_user
6115 * No need to follow this irqs on/off section: the syscall
6116 * disabled irqs and here we enable it straight after entry:
6117 @@ -305,6 +333,12 @@ ENTRY(ia32_cstar_target)
6118 /* no need to do an access_ok check here because r8 has been
6119 32bit zero extended */
6120 /* hardware stack frame is complete now */
6122 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6123 + mov $PAX_USER_SHADOW_BASE,%r10
6128 .section __ex_table,"a"
6129 .quad 1b,ia32_badarg
6130 @@ -314,7 +348,7 @@ ENTRY(ia32_cstar_target)
6131 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
6134 - cmpl $IA32_NR_syscalls-1,%eax
6135 + cmpq $IA32_NR_syscalls-1,%rax
6139 @@ -327,6 +361,11 @@ cstar_dispatch:
6140 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6142 sysretl_from_sys_call:
6144 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6145 + call pax_exit_kernel_user
6148 andl $~TS_COMPAT,TI_status(%r10)
6149 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6150 movl RIP-ARGOFFSET(%rsp),%ecx
6151 @@ -367,7 +406,7 @@ cstar_tracesys:
6152 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
6155 - cmpl $(IA32_NR_syscalls-1),%eax
6156 + cmpq $(IA32_NR_syscalls-1),%rax
6157 ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
6159 END(ia32_cstar_target)
6160 @@ -409,6 +448,11 @@ ENTRY(ia32_syscall)
6161 CFI_REL_OFFSET rip,RIP-RIP
6162 PARAVIRT_ADJUST_EXCEPTION_FRAME
6165 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6166 + call pax_enter_kernel_user
6170 * No need to follow this irqs on/off section: the syscall
6171 * disabled irqs and here we enable it straight after entry:
6172 @@ -425,7 +469,7 @@ ENTRY(ia32_syscall)
6173 orl $TS_COMPAT,TI_status(%r10)
6174 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
6176 - cmpl $(IA32_NR_syscalls-1),%eax
6177 + cmpq $(IA32_NR_syscalls-1),%rax
6181 @@ -444,7 +488,7 @@ ia32_tracesys:
6182 call syscall_trace_enter
6183 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6185 - cmpl $(IA32_NR_syscalls-1),%eax
6186 + cmpq $(IA32_NR_syscalls-1),%rax
6187 ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
6190 diff -urNp linux-2.6.35.4/arch/x86/ia32/ia32_signal.c linux-2.6.35.4/arch/x86/ia32/ia32_signal.c
6191 --- linux-2.6.35.4/arch/x86/ia32/ia32_signal.c 2010-08-26 19:47:12.000000000 -0400
6192 +++ linux-2.6.35.4/arch/x86/ia32/ia32_signal.c 2010-09-17 20:12:09.000000000 -0400
6193 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6195 /* Align the stack pointer according to the i386 ABI,
6196 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6197 - sp = ((sp + 4) & -16ul) - 4;
6198 + sp = ((sp - 12) & -16ul) - 4;
6199 return (void __user *) sp;
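Review bot: The comment above `sp = ((sp - 12) & -16ul) - 4;` still describes only the ABI alignment, but the new expression does more than the old one. Both forms satisfy `((sp + 4) & 15) == 0`, yet the old form could return `sp` unchanged while the new one always lands 16 to 31 bytes below the incoming value. That extra gap is the whole point of the change and is invisible to a reader who checks only the alignment property. Extending the comment with something like `... and always leave at least 16 bytes below the incoming sp (<reason>)` would document it. get_sigframe() starts outside the hunk.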
6202 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6204 __NR_ia32_rt_sigreturn,
6210 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6211 diff -urNp linux-2.6.35.4/arch/x86/include/asm/alternative.h linux-2.6.35.4/arch/x86/include/asm/alternative.h
6212 --- linux-2.6.35.4/arch/x86/include/asm/alternative.h 2010-08-26 19:47:12.000000000 -0400
6213 +++ linux-2.6.35.4/arch/x86/include/asm/alternative.h 2010-09-17 20:12:09.000000000 -0400
6214 @@ -91,7 +91,7 @@ static inline int alternatives_text_rese
6215 " .byte 664f-663f\n" /* replacementlen */ \
6216 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6218 - ".section .altinstr_replacement, \"ax\"\n" \
6219 + ".section .altinstr_replacement, \"a\"\n" \
6220 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6223 diff -urNp linux-2.6.35.4/arch/x86/include/asm/apm.h linux-2.6.35.4/arch/x86/include/asm/apm.h
6224 --- linux-2.6.35.4/arch/x86/include/asm/apm.h 2010-08-26 19:47:12.000000000 -0400
6225 +++ linux-2.6.35.4/arch/x86/include/asm/apm.h 2010-09-17 20:12:09.000000000 -0400
6226 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6227 __asm__ __volatile__(APM_DO_ZERO_SEGS
6230 - "lcall *%%cs:apm_bios_entry\n\t"
6231 + "lcall *%%ss:apm_bios_entry\n\t"
6235 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6236 __asm__ __volatile__(APM_DO_ZERO_SEGS
6239 - "lcall *%%cs:apm_bios_entry\n\t"
6240 + "lcall *%%ss:apm_bios_entry\n\t"
6244 diff -urNp linux-2.6.35.4/arch/x86/include/asm/asm.h linux-2.6.35.4/arch/x86/include/asm/asm.h
6245 --- linux-2.6.35.4/arch/x86/include/asm/asm.h 2010-08-26 19:47:12.000000000 -0400
6246 +++ linux-2.6.35.4/arch/x86/include/asm/asm.h 2010-09-17 20:12:09.000000000 -0400
6248 #define _ASM_SI __ASM_REG(si)
6249 #define _ASM_DI __ASM_REG(di)
6251 +#ifdef CONFIG_X86_32
6252 +#define _ASM_INTO "into"
6254 +#define _ASM_INTO "int $4"
6257 /* Exception table entry */
6259 # define _ASM_EXTABLE(from,to) \
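Review bot: The two definitions of `_ASM_INTO` are not equivalent, and the macro does not say so. `into` raises the overflow exception only when OF is set, whereas `int $4` raises it unconditionally, so on 64-bit every user has to branch around the macro itself when no overflow occurred. The guarding instructions are not visible in the users shown later in this listing, so that cannot be checked from here. A comment above the 64-bit definition, e.g. `/* INTO is invalid in 64-bit mode; int $4 is unconditional, callers must skip it with jno */`, would stop a later user from treating the macro as a drop-in conditional trap.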
6260 diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h
6261 --- linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h 2010-08-26 19:47:12.000000000 -0400
6262 +++ linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h 2010-09-17 20:12:09.000000000 -0400
6263 @@ -12,6 +12,14 @@ typedef struct {
6264 u64 __aligned(8) counter;
6267 +#ifdef CONFIG_PAX_REFCOUNT
6269 + u64 __aligned(8) counter;
6270 +} atomic64_unchecked_t;
6272 +typedef atomic64_t atomic64_unchecked_t;
6275 #define ATOMIC64_INIT(val) { (val) }
6277 #ifdef CONFIG_X86_CMPXCHG64
6278 diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h
6279 --- linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h 2010-08-26 19:47:12.000000000 -0400
6280 +++ linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h 2010-09-17 20:12:09.000000000 -0400
6281 @@ -22,6 +22,18 @@ static inline long atomic64_read(const a
6285 + * atomic64_read_unchecked - read atomic64 variable
6286 + * @v: pointer of type atomic64_unchecked_t
6288 + * Atomically reads the value of @v.
6289 + * Doesn't imply a read memory barrier.
6291 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6293 + return v->counter;
6297 * atomic64_set - set atomic64 variable
6298 * @v: pointer to type atomic64_t
6299 * @i: required value
6300 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6304 + * atomic64_set_unchecked - set atomic64 variable
6305 + * @v: pointer to type atomic64_unchecked_t
6306 + * @i: required value
6308 + * Atomically sets the value of @v to @i.
6310 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6316 * atomic64_add - add integer to atomic64 variable
6317 * @i: integer value to add
6318 * @v: pointer to type atomic64_t
6319 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6321 static inline void atomic64_add(long i, atomic64_t *v)
6323 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6325 +#ifdef CONFIG_PAX_REFCOUNT
6327 + LOCK_PREFIX "subq %1,%0\n"
6329 + _ASM_EXTABLE(0b, 0b)
6332 + : "=m" (v->counter)
6333 + : "er" (i), "m" (v->counter));
6337 + * atomic64_add_unchecked - add integer to atomic64 variable
6338 + * @i: integer value to add
6339 + * @v: pointer to type atomic64_unchecked_t
6341 + * Atomically adds @i to @v.
6343 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6345 asm volatile(LOCK_PREFIX "addq %1,%0"
6347 : "er" (i), "m" (v->counter));
6348 @@ -56,7 +102,15 @@ static inline void atomic64_add(long i,
6350 static inline void atomic64_sub(long i, atomic64_t *v)
6352 - asm volatile(LOCK_PREFIX "subq %1,%0"
6353 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6355 +#ifdef CONFIG_PAX_REFCOUNT
6357 + LOCK_PREFIX "addq %1,%0\n"
6359 + _ASM_EXTABLE(0b, 0b)
6363 : "er" (i), "m" (v->counter));
6365 @@ -74,7 +128,16 @@ static inline int atomic64_sub_and_test(
6369 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6370 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6372 +#ifdef CONFIG_PAX_REFCOUNT
6374 + LOCK_PREFIX "addq %2,%0\n"
6376 + _ASM_EXTABLE(0b, 0b)
6380 : "=m" (v->counter), "=qm" (c)
6381 : "er" (i), "m" (v->counter) : "memory");
6383 @@ -88,6 +151,31 @@ static inline int atomic64_sub_and_test(
6385 static inline void atomic64_inc(atomic64_t *v)
6387 + asm volatile(LOCK_PREFIX "incq %0\n"
6389 +#ifdef CONFIG_PAX_REFCOUNT
6392 + ".pushsection .fixup,\"ax\"\n"
6394 + LOCK_PREFIX "decq %0\n"
6397 + _ASM_EXTABLE(0b, 1b)
6400 + : "=m" (v->counter)
6401 + : "m" (v->counter));
6405 + * atomic64_inc_unchecked - increment atomic64 variable
6406 + * @v: pointer to type atomic64_unchecked_t
6408 + * Atomically increments @v by 1.
6410 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6412 asm volatile(LOCK_PREFIX "incq %0"
6414 : "m" (v->counter));
6415 @@ -101,7 +189,32 @@ static inline void atomic64_inc(atomic64
6417 static inline void atomic64_dec(atomic64_t *v)
6419 - asm volatile(LOCK_PREFIX "decq %0"
6420 + asm volatile(LOCK_PREFIX "decq %0\n"
6422 +#ifdef CONFIG_PAX_REFCOUNT
6425 + ".pushsection .fixup,\"ax\"\n"
6427 + LOCK_PREFIX "incq %0\n"
6430 + _ASM_EXTABLE(0b, 1b)
6433 + : "=m" (v->counter)
6434 + : "m" (v->counter));
6438 + * atomic64_dec_unchecked - decrement atomic64 variable
6439 + * @v: pointer to type atomic64_t
6441 + * Atomically decrements @v by 1.
6443 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6445 + asm volatile(LOCK_PREFIX "decq %0\n"
6447 : "m" (v->counter));
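Review bot: The kernel-doc added for `atomic64_dec_unchecked()` says `@v: pointer to type atomic64_t`, but the function takes `atomic64_unchecked_t *`. The line should read `* @v: pointer to type atomic64_unchecked_t`, matching the other `_unchecked` helpers in this file. The same copy-paste slip appears in the atomic.h section for `atomic_sub_unchecked()` and `atomic_dec_unchecked()`, whose comments say `pointer of type atomic_t`. Since the checked and unchecked types differ only in overflow handling, the documentation is the main cue for which one a caller is using.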
6449 @@ -118,7 +231,20 @@ static inline int atomic64_dec_and_test(
6453 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6454 + asm volatile(LOCK_PREFIX "decq %0\n"
6456 +#ifdef CONFIG_PAX_REFCOUNT
6459 + ".pushsection .fixup,\"ax\"\n"
6461 + LOCK_PREFIX "incq %0\n"
6464 + _ASM_EXTABLE(0b, 1b)
6468 : "=m" (v->counter), "=qm" (c)
6469 : "m" (v->counter) : "memory");
6471 @@ -136,7 +262,20 @@ static inline int atomic64_inc_and_test(
6475 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6476 + asm volatile(LOCK_PREFIX "incq %0\n"
6478 +#ifdef CONFIG_PAX_REFCOUNT
6481 + ".pushsection .fixup,\"ax\"\n"
6483 + LOCK_PREFIX "decq %0\n"
6486 + _ASM_EXTABLE(0b, 1b)
6490 : "=m" (v->counter), "=qm" (c)
6491 : "m" (v->counter) : "memory");
6493 @@ -155,7 +294,16 @@ static inline int atomic64_add_negative(
6497 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6498 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6500 +#ifdef CONFIG_PAX_REFCOUNT
6502 + LOCK_PREFIX "subq %2,%0\n"
6504 + _ASM_EXTABLE(0b, 0b)
6508 : "=m" (v->counter), "=qm" (c)
6509 : "er" (i), "m" (v->counter) : "memory");
6511 @@ -171,7 +319,31 @@ static inline int atomic64_add_negative(
6512 static inline long atomic64_add_return(long i, atomic64_t *v)
6515 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6516 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6518 +#ifdef CONFIG_PAX_REFCOUNT
6522 + _ASM_EXTABLE(0b, 0b)
6525 + : "+r" (i), "+m" (v->counter)
6531 + * atomic64_add_return_unchecked - add and return
6532 + * @i: integer value to add
6533 + * @v: pointer to type atomic64_unchecked_t
6535 + * Atomically adds @i to @v and returns @i + @v
6537 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6540 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6541 : "+r" (i), "+m" (v->counter)
6544 @@ -183,6 +355,10 @@ static inline long atomic64_sub_return(l
6547 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6548 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6550 + return atomic64_add_return_unchecked(1, v);
6552 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6554 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6555 @@ -206,17 +382,29 @@ static inline long atomic64_xchg(atomic6
6557 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6561 c = atomic64_read(v);
6563 - if (unlikely(c == (u)))
6564 + if (unlikely(c == u))
6566 - old = atomic64_cmpxchg((v), c, c + (a));
6568 + asm volatile("add %2,%0\n"
6570 +#ifdef CONFIG_PAX_REFCOUNT
6573 + _ASM_EXTABLE(0b, 0b)
6577 + : "0" (c), "ir" (a));
6579 + old = atomic64_cmpxchg(v, c, new);
6580 if (likely(old == c))
6588 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
6589 diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic.h linux-2.6.35.4/arch/x86/include/asm/atomic.h
6590 --- linux-2.6.35.4/arch/x86/include/asm/atomic.h 2010-08-26 19:47:12.000000000 -0400
6591 +++ linux-2.6.35.4/arch/x86/include/asm/atomic.h 2010-09-17 20:12:09.000000000 -0400
6592 @@ -26,6 +26,17 @@ static inline int atomic_read(const atom
6596 + * atomic_read_unchecked - read atomic variable
6597 + * @v: pointer of type atomic_unchecked_t
6599 + * Atomically reads the value of @v.
6601 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6603 + return v->counter;
6607 * atomic_set - set atomic variable
6608 * @v: pointer of type atomic_t
6609 * @i: required value
6610 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6614 + * atomic_set_unchecked - set atomic variable
6615 + * @v: pointer of type atomic_unchecked_t
6616 + * @i: required value
6618 + * Atomically sets the value of @v to @i.
6620 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6626 * atomic_add - add integer to atomic variable
6627 * @i: integer value to add
6628 * @v: pointer of type atomic_t
6629 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6631 static inline void atomic_add(int i, atomic_t *v)
6633 - asm volatile(LOCK_PREFIX "addl %1,%0"
6634 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6636 +#ifdef CONFIG_PAX_REFCOUNT
6638 + LOCK_PREFIX "subl %1,%0\n"
6639 + _ASM_INTO "\n0:\n"
6640 + _ASM_EXTABLE(0b, 0b)
6643 + : "+m" (v->counter)
6648 + * atomic_add_unchecked - add integer to atomic variable
6649 + * @i: integer value to add
6650 + * @v: pointer of type atomic_unchecked_t
6652 + * Atomically adds @i to @v.
6654 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6656 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6660 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6662 static inline void atomic_sub(int i, atomic_t *v)
6664 - asm volatile(LOCK_PREFIX "subl %1,%0"
6665 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6667 +#ifdef CONFIG_PAX_REFCOUNT
6669 + LOCK_PREFIX "addl %1,%0\n"
6670 + _ASM_INTO "\n0:\n"
6671 + _ASM_EXTABLE(0b, 0b)
6674 + : "+m" (v->counter)
6679 + * atomic_sub_unchecked - subtract integer from atomic variable
6680 + * @i: integer value to subtract
6681 + * @v: pointer of type atomic_t
6683 + * Atomically subtracts @i from @v.
6685 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6687 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6691 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6695 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6696 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6698 +#ifdef CONFIG_PAX_REFCOUNT
6700 + LOCK_PREFIX "addl %2,%0\n"
6701 + _ASM_INTO "\n0:\n"
6702 + _ASM_EXTABLE(0b, 0b)
6706 : "+m" (v->counter), "=qm" (c)
6707 : "ir" (i) : "memory");
6709 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6711 static inline void atomic_inc(atomic_t *v)
6713 - asm volatile(LOCK_PREFIX "incl %0"
6714 + asm volatile(LOCK_PREFIX "incl %0\n"
6716 +#ifdef CONFIG_PAX_REFCOUNT
6718 + LOCK_PREFIX "decl %0\n"
6719 + _ASM_INTO "\n0:\n"
6720 + _ASM_EXTABLE(0b, 0b)
6723 + : "+m" (v->counter));
6727 + * atomic_inc_unchecked - increment atomic variable
6728 + * @v: pointer of type atomic_unchecked_t
6730 + * Atomically increments @v by 1.
6732 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6734 + asm volatile(LOCK_PREFIX "incl %0\n"
6735 : "+m" (v->counter));
6738 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6740 static inline void atomic_dec(atomic_t *v)
6742 - asm volatile(LOCK_PREFIX "decl %0"
6743 + asm volatile(LOCK_PREFIX "decl %0\n"
6745 +#ifdef CONFIG_PAX_REFCOUNT
6747 + LOCK_PREFIX "incl %0\n"
6748 + _ASM_INTO "\n0:\n"
6749 + _ASM_EXTABLE(0b, 0b)
6752 + : "+m" (v->counter));
6756 + * atomic_dec_unchecked - decrement atomic variable
6757 + * @v: pointer of type atomic_t
6759 + * Atomically decrements @v by 1.
6761 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6763 + asm volatile(LOCK_PREFIX "decl %0\n"
6764 : "+m" (v->counter));
6767 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6771 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6772 + asm volatile(LOCK_PREFIX "decl %0\n"
6774 +#ifdef CONFIG_PAX_REFCOUNT
6776 + LOCK_PREFIX "incl %0\n"
6777 + _ASM_INTO "\n0:\n"
6778 + _ASM_EXTABLE(0b, 0b)
6782 : "+m" (v->counter), "=qm" (c)
6785 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
6789 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
6790 + asm volatile(LOCK_PREFIX "incl %0\n"
6792 +#ifdef CONFIG_PAX_REFCOUNT
6794 + LOCK_PREFIX "decl %0\n"
6795 + _ASM_INTO "\n0:\n"
6796 + _ASM_EXTABLE(0b, 0b)
6800 : "+m" (v->counter), "=qm" (c)
6803 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
6807 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6808 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6810 +#ifdef CONFIG_PAX_REFCOUNT
6812 + LOCK_PREFIX "subl %2,%0\n"
6813 + _ASM_INTO "\n0:\n"
6814 + _ASM_EXTABLE(0b, 0b)
6818 : "+m" (v->counter), "=qm" (c)
6819 : "ir" (i) : "memory");
6821 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
6823 /* Modern 486+ processor */
6825 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6827 +#ifdef CONFIG_PAX_REFCOUNT
6830 + _ASM_INTO "\n0:\n"
6831 + _ASM_EXTABLE(0b, 0b)
6834 + : "+r" (i), "+m" (v->counter)
6839 +no_xadd: /* Legacy 386 processor */
6840 + local_irq_save(flags);
6841 + __i = atomic_read(v);
6842 + atomic_set(v, i + __i);
6843 + local_irq_restore(flags);
6849 + * atomic_add_return_unchecked - add integer and return
6850 + * @v: pointer of type atomic_unchecked_t
6851 + * @i: integer value to add
6853 + * Atomically adds @i to @v and returns @i + @v
6855 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6859 + unsigned long flags;
6860 + if (unlikely(boot_cpu_data.x86 <= 3))
6863 + /* Modern 486+ processor */
6865 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6866 : "+r" (i), "+m" (v->counter)
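Review bot: The legacy-386 fallback added to the checked `atomic_add_return()` at `no_xadd:` updates the counter with `atomic_set(v, i + __i)` and has no overflow test. The overflow detection that the `xaddl` path gains under CONFIG_PAX_REFCOUNT is therefore absent whenever `boot_cpu_data.x86 <= 3` takes this branch. The preprocessor guards around the fallback are not visible in this listing, so it may be compiled out on most configurations. Even so, the gap should either be closed or stated at the label, e.g. `/* Legacy 386 processor: no refcount overflow detection on this path */`. atomic_add_return() starts outside the hunk.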
6868 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
6871 #define atomic_inc_return(v) (atomic_add_return(1, v))
6872 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6874 + return atomic_add_return_unchecked(1, v);
6876 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6878 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6879 @@ -231,17 +418,29 @@ static inline int atomic_xchg(atomic_t *
6881 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6887 - if (unlikely(c == (u)))
6888 + if (unlikely(c == u))
6890 - old = atomic_cmpxchg((v), c, c + (a));
6892 + asm volatile("addl %2,%0\n"
6894 +#ifdef CONFIG_PAX_REFCOUNT
6896 + _ASM_INTO "\n0:\n"
6897 + _ASM_EXTABLE(0b, 0b)
6901 + : "0" (c), "ir" (a));
6903 + old = atomic_cmpxchg(v, c, new);
6904 if (likely(old == c))
6912 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6913 diff -urNp linux-2.6.35.4/arch/x86/include/asm/boot.h linux-2.6.35.4/arch/x86/include/asm/boot.h
6914 --- linux-2.6.35.4/arch/x86/include/asm/boot.h 2010-08-26 19:47:12.000000000 -0400
6915 +++ linux-2.6.35.4/arch/x86/include/asm/boot.h 2010-09-17 20:12:09.000000000 -0400
6917 #include <asm/pgtable_types.h>
6919 /* Physical address where kernel should be loaded. */
6920 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6921 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6922 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6923 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6925 +#ifndef __ASSEMBLY__
6926 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6927 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6930 /* Minimum kernel alignment, as a power of two */
6931 #ifdef CONFIG_X86_64
6932 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
6933 diff -urNp linux-2.6.35.4/arch/x86/include/asm/cacheflush.h linux-2.6.35.4/arch/x86/include/asm/cacheflush.h
6934 --- linux-2.6.35.4/arch/x86/include/asm/cacheflush.h 2010-08-26 19:47:12.000000000 -0400
6935 +++ linux-2.6.35.4/arch/x86/include/asm/cacheflush.h 2010-09-17 20:12:09.000000000 -0400
6936 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
6937 unsigned long pg_flags = pg->flags & _PGMT_MASK;
6939 if (pg_flags == _PGMT_DEFAULT)
6942 else if (pg_flags == _PGMT_WC)
6943 return _PAGE_CACHE_WC;
6944 else if (pg_flags == _PGMT_UC_MINUS)
6945 diff -urNp linux-2.6.35.4/arch/x86/include/asm/cache.h linux-2.6.35.4/arch/x86/include/asm/cache.h
6946 --- linux-2.6.35.4/arch/x86/include/asm/cache.h 2010-08-26 19:47:12.000000000 -0400
6947 +++ linux-2.6.35.4/arch/x86/include/asm/cache.h 2010-09-17 20:12:09.000000000 -0400
6949 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6951 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
6952 +#define __read_only __attribute__((__section__(".data..read_only")))
6954 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6955 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
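Review bot: `__read_only`, added next to `__read_mostly`, only selects the `.data..read_only` section; nothing in this hunk write-protects that section, so the name promises more than the definition shows. A comment such as `/* placed in .data..read_only; write protection comes from the linker script and page-table setup */` would tell readers where the guarantee is actually enforced. The macro is defined in the x86 header only, so generic code that uses it presumably needs a fallback definition elsewhere in the patch.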
6956 diff -urNp linux-2.6.35.4/arch/x86/include/asm/checksum_32.h linux-2.6.35.4/arch/x86/include/asm/checksum_32.h
6957 --- linux-2.6.35.4/arch/x86/include/asm/checksum_32.h 2010-08-26 19:47:12.000000000 -0400
6958 +++ linux-2.6.35.4/arch/x86/include/asm/checksum_32.h 2010-09-17 20:12:09.000000000 -0400
6959 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6960 int len, __wsum sum,
6961 int *src_err_ptr, int *dst_err_ptr);
6963 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6964 + int len, __wsum sum,
6965 + int *src_err_ptr, int *dst_err_ptr);
6967 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6968 + int len, __wsum sum,
6969 + int *src_err_ptr, int *dst_err_ptr);
6972 * Note: when you get a NULL pointer exception here this means someone
6973 * passed in an incorrect kernel address to one of these functions.
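Review bot: The new prototypes `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` declare both pointers as plain kernel pointers, so sparse cannot tell which side is user memory. The call sites later in this file still need `(__force void *)` casts for the same reason. Since each variant fixes the copy direction, the user side can carry the annotation: `const void __user *src` on the from_user prototype and `void __user *dst` on the to_user one. A one-line comment above them stating how they differ from `csum_partial_copy_generic` would also help, as the assembly implementations are not part of this hunk.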
6974 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6978 - return csum_partial_copy_generic((__force void *)src, dst,
6979 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
6980 len, sum, err_ptr, NULL);
6983 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6986 if (access_ok(VERIFY_WRITE, dst, len))
6987 - return csum_partial_copy_generic(src, (__force void *)dst,
6988 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6989 len, sum, NULL, err_ptr);
6992 diff -urNp linux-2.6.35.4/arch/x86/include/asm/compat.h linux-2.6.35.4/arch/x86/include/asm/compat.h
6993 --- linux-2.6.35.4/arch/x86/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
6994 +++ linux-2.6.35.4/arch/x86/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
6995 @@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compa
6996 return (u32)(unsigned long)uptr;
6999 -static inline void __user *compat_alloc_user_space(long len)
7000 +static inline void __user *arch_compat_alloc_user_space(long len)
7002 struct pt_regs *regs = task_pt_regs(current);
7003 return (void __user *)regs->sp - len;
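Review bot: `arch_compat_alloc_user_space` returns `regs->sp - len` with a signed `len` and no range check on the result, and after the rename nothing at the definition says this is the unchecked primitive. Add a comment above it, for example `/* Unchecked: callers must validate the returned range with access_ok() before use */`. If a checked wrapper under the old name exists elsewhere in the patch, name it in the comment. The function's closing brace is outside the hunk.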
7004 diff -urNp linux-2.6.35.4/arch/x86/include/asm/cpufeature.h linux-2.6.35.4/arch/x86/include/asm/cpufeature.h
7005 --- linux-2.6.35.4/arch/x86/include/asm/cpufeature.h 2010-08-26 19:47:12.000000000 -0400
7006 +++ linux-2.6.35.4/arch/x86/include/asm/cpufeature.h 2010-09-17 20:12:09.000000000 -0400
7007 @@ -323,7 +323,7 @@ static __always_inline __pure bool __sta
7008 " .byte 4f - 3f\n" /* replacement len */
7009 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* padding */
7011 - ".section .altinstr_replacement,\"ax\"\n"
7012 + ".section .altinstr_replacement,\"a\"\n"
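Review bot: No comment explains why `.altinstr_replacement` can drop its executable flag (`"ax"` to `"a"`) in `__static_cpu_has`. Presumably the replacement bytes are only copied over the original instruction at patch time and never run in place; if so, say it next to the directive: `/* replacement is copied by the alternatives patcher, never executed from this section */`. Any other emitter of this section elsewhere in the tree has to use the same flags, or the linker will merge sections with conflicting attributes.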
7016 diff -urNp linux-2.6.35.4/arch/x86/include/asm/desc.h linux-2.6.35.4/arch/x86/include/asm/desc.h
7017 --- linux-2.6.35.4/arch/x86/include/asm/desc.h 2010-08-26 19:47:12.000000000 -0400
7018 +++ linux-2.6.35.4/arch/x86/include/asm/desc.h 2010-09-17 20:12:09.000000000 -0400
7020 #include <asm/desc_defs.h>
7021 #include <asm/ldt.h>
7022 #include <asm/mmu.h>
7023 +#include <asm/pgtable.h>
7024 #include <linux/smp.h>
7026 static inline void fill_ldt(struct desc_struct *desc,
7027 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7028 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7029 desc->type = (info->read_exec_only ^ 1) << 1;
7030 desc->type |= info->contents << 2;
7031 + desc->type |= info->seg_not_present ^ 1;
7034 desc->p = info->seg_not_present ^ 1;
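Review bot: The added `desc->type |= info->seg_not_present ^ 1;` in `fill_ldt` sets bit 0 of the type field, the Accessed bit, for every present segment, and it needs a why-comment. Presumably the bit is pre-set so the CPU never has to write it back into a descriptor table that may be mapped read-only. If so, state it: `/* pre-set Accessed so that loading the segment does not write to the LDT */`. `fill_ldt` starts and ends outside this hunk.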
7035 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7038 extern struct desc_ptr idt_descr;
7039 -extern gate_desc idt_table[];
7042 - struct desc_struct gdt[GDT_ENTRIES];
7043 -} __attribute__((aligned(PAGE_SIZE)));
7044 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7045 +extern gate_desc idt_table[256];
7047 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7048 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7050 - return per_cpu(gdt_page, cpu).gdt;
7051 + return cpu_gdt_table[cpu];
7054 #ifdef CONFIG_X86_64
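Review bot: `extern gate_desc idt_table[256];` hard-codes the vector count; a named constant (`IDT_ENTRIES`, if `asm/segment.h` is reachable from this header) would keep the declaration in step with the definition. `get_cpu_gdt_table()` now indexes `cpu_gdt_table[cpu]` directly. A short comment that each row is `PAGE_SIZE` bytes so it can be protected per page, and that `cpu` must be below `NR_CPUS`, would document the new layout.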
7055 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
7056 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7057 const gate_desc *gate)
7059 + pax_open_kernel();
7060 memcpy(&idt[entry], gate, sizeof(*gate));
7061 + pax_close_kernel();
7064 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7067 + pax_open_kernel();
7068 memcpy(&ldt[entry], desc, 8);
7069 + pax_close_kernel();
7072 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7073 const void *desc, int type)
7079 size = sizeof(tss_desc);
7080 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
7081 size = sizeof(struct desc_struct);
7085 + pax_open_kernel();
7086 memcpy(&gdt[entry], desc, size);
7087 + pax_close_kernel();
7090 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7091 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
7093 static inline void native_load_tr_desc(void)
7095 + pax_open_kernel();
7096 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7097 + pax_close_kernel();
7100 static inline void native_load_gdt(const struct desc_ptr *dtr)
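Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `ltr` in `native_load_tr_desc` is not self-explanatory, because the instruction has no explicit memory operand. `ltr` marks the TSS descriptor busy, which is a CPU write into the GDT, so a comment like `/* ltr sets the busy bit in the GDT's TSS descriptor */` would make the reason visible. The other pairs added in this file (the IDT, LDT, GDT and TLS writers) would each benefit from a one-line note that the tables may be mapped read-only. It is also worth stating whether code between open and close may be preempted or may fault.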
7101 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
7103 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7105 + pax_open_kernel();
7106 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7107 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7108 + pax_close_kernel();
7111 #define _LDT_empty(info) \
7112 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
7113 desc->limit = (limit >> 16) & 0xf;
7116 -static inline void _set_gate(int gate, unsigned type, void *addr,
7117 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7118 unsigned dpl, unsigned ist, unsigned seg)
7121 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
7122 * Pentium F0 0F bugfix can have resulted in the mapped
7123 * IDT being write-protected.
7125 -static inline void set_intr_gate(unsigned int n, void *addr)
7126 +static inline void set_intr_gate(unsigned int n, const void *addr)
7128 BUG_ON((unsigned)n > 0xFF);
7129 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7130 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
7132 * This routine sets up an interrupt gate at directory privilege level 3.
7134 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7135 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7137 BUG_ON((unsigned)n > 0xFF);
7138 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7141 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7142 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7144 BUG_ON((unsigned)n > 0xFF);
7145 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7148 -static inline void set_trap_gate(unsigned int n, void *addr)
7149 +static inline void set_trap_gate(unsigned int n, const void *addr)
7151 BUG_ON((unsigned)n > 0xFF);
7152 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7153 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7154 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7156 BUG_ON((unsigned)n > 0xFF);
7157 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7158 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7161 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7162 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7164 BUG_ON((unsigned)n > 0xFF);
7165 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7168 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7169 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7171 BUG_ON((unsigned)n > 0xFF);
7172 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7175 +#ifdef CONFIG_X86_32
7176 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7178 + struct desc_struct d;
7180 + if (likely(limit))
7181 + limit = (limit - 1UL) >> PAGE_SHIFT;
7182 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7183 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7187 #endif /* _ASM_X86_DESC_H */
7188 diff -urNp linux-2.6.35.4/arch/x86/include/asm/device.h linux-2.6.35.4/arch/x86/include/asm/device.h
7189 --- linux-2.6.35.4/arch/x86/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
7190 +++ linux-2.6.35.4/arch/x86/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
7191 @@ -6,7 +6,7 @@ struct dev_archdata {
7194 #ifdef CONFIG_X86_64
7195 -struct dma_map_ops *dma_ops;
7196 + const struct dma_map_ops *dma_ops;
7198 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7199 void *iommu; /* hook for IOMMU specific extension */
7200 diff -urNp linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h
7201 --- linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
7202 +++ linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
7203 @@ -26,9 +26,9 @@ extern int iommu_merge;
7204 extern struct device x86_dma_fallback_dev;
7205 extern int panic_on_overflow;
7207 -extern struct dma_map_ops *dma_ops;
7208 +extern const struct dma_map_ops *dma_ops;
7210 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7211 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7213 #ifdef CONFIG_X86_32
7215 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7216 /* Make sure we keep the same behaviour */
7217 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7219 - struct dma_map_ops *ops = get_dma_ops(dev);
7220 + const struct dma_map_ops *ops = get_dma_ops(dev);
7221 if (ops->mapping_error)
7222 return ops->mapping_error(dev, dma_addr);
7224 @@ -123,7 +123,7 @@ static inline void *
7225 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7228 - struct dma_map_ops *ops = get_dma_ops(dev);
7229 + const struct dma_map_ops *ops = get_dma_ops(dev);
7232 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7233 @@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
7234 static inline void dma_free_coherent(struct device *dev, size_t size,
7235 void *vaddr, dma_addr_t bus)
7237 - struct dma_map_ops *ops = get_dma_ops(dev);
7238 + const struct dma_map_ops *ops = get_dma_ops(dev);
7240 WARN_ON(irqs_disabled()); /* for portability */
7242 diff -urNp linux-2.6.35.4/arch/x86/include/asm/e820.h linux-2.6.35.4/arch/x86/include/asm/e820.h
7243 --- linux-2.6.35.4/arch/x86/include/asm/e820.h 2010-08-26 19:47:12.000000000 -0400
7244 +++ linux-2.6.35.4/arch/x86/include/asm/e820.h 2010-09-17 20:12:09.000000000 -0400
7245 @@ -69,7 +69,7 @@ struct e820map {
7246 #define ISA_START_ADDRESS 0xa0000
7247 #define ISA_END_ADDRESS 0x100000
7249 -#define BIOS_BEGIN 0x000a0000
7250 +#define BIOS_BEGIN 0x000c0000
7251 #define BIOS_END 0x00100000
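Review bot: `BIOS_BEGIN` moves from 0x000a0000 to 0x000c0000 while `ISA_START_ADDRESS` just above stays at 0xa0000, and the hunk gives no reason. Anything that tests an address against `BIOS_BEGIN` now treats 0xa0000-0xbffff differently from before. If excluding the legacy video memory window is the intent, record it: `/* 0xa0000-0xbffff (legacy video memory) deliberately not counted as BIOS */`. The users of `BIOS_BEGIN` are outside this hunk and should be checked for assumptions about the old value.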
7254 diff -urNp linux-2.6.35.4/arch/x86/include/asm/elf.h linux-2.6.35.4/arch/x86/include/asm/elf.h
7255 --- linux-2.6.35.4/arch/x86/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
7256 +++ linux-2.6.35.4/arch/x86/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
7257 @@ -237,7 +237,25 @@ extern int force_personality32;
7258 the loader. We need to make sure that it is out of the way of the program
7259 that it will "exec", and that there is sufficient room for the brk. */
7261 +#ifdef CONFIG_PAX_SEGMEXEC
7262 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7264 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7267 +#ifdef CONFIG_PAX_ASLR
7268 +#ifdef CONFIG_X86_32
7269 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7271 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7272 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7274 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7276 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7277 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7281 /* This yields a mask that user programs can use to figure out what
7282 instruction set this CPU supports. This could be done in user space,
7283 @@ -291,8 +309,7 @@ do { \
7284 #define ARCH_DLINFO \
7287 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7288 - (unsigned long)current->mm->context.vdso); \
7289 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7292 #define AT_SYSINFO 32
7293 @@ -303,7 +320,7 @@ do { \
7295 #endif /* !CONFIG_X86_32 */
7297 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7298 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7300 #define VDSO_ENTRY \
7301 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7302 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7303 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7304 #define compat_arch_setup_additional_pages syscall32_setup_pages
7306 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7307 -#define arch_randomize_brk arch_randomize_brk
7309 #endif /* _ASM_X86_ELF_H */
7310 diff -urNp linux-2.6.35.4/arch/x86/include/asm/futex.h linux-2.6.35.4/arch/x86/include/asm/futex.h
7311 --- linux-2.6.35.4/arch/x86/include/asm/futex.h 2010-08-26 19:47:12.000000000 -0400
7312 +++ linux-2.6.35.4/arch/x86/include/asm/futex.h 2010-09-17 20:12:09.000000000 -0400
7314 #include <asm/processor.h>
7315 #include <asm/system.h>
7317 +#ifdef CONFIG_X86_32
7318 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7320 + "movw\t%w6, %%ds\n" \
7321 + "1:\t" insn "\n" \
7322 + "2:\tpushl\t%%ss\n" \
7323 + "\tpopl\t%%ds\n" \
7324 + "\t.section .fixup,\"ax\"\n" \
7325 + "3:\tmov\t%3, %1\n" \
7328 + _ASM_EXTABLE(1b, 3b) \
7329 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7330 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7332 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7333 + asm volatile("movw\t%w7, %%es\n" \
7334 + "1:\tmovl\t%%es:%2, %0\n" \
7335 + "\tmovl\t%0, %3\n" \
7337 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7339 + "3:\tpushl\t%%ss\n" \
7340 + "\tpopl\t%%es\n" \
7341 + "\t.section .fixup,\"ax\"\n" \
7342 + "4:\tmov\t%5, %1\n" \
7345 + _ASM_EXTABLE(1b, 4b) \
7346 + _ASM_EXTABLE(2b, 4b) \
7347 + : "=&a" (oldval), "=&r" (ret), \
7348 + "+m" (*uaddr), "=&r" (tem) \
7349 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7351 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7352 + typecheck(u32 *, uaddr); \
7353 asm volatile("1:\t" insn "\n" \
7354 "2:\t.section .fixup,\"ax\"\n" \
7355 "3:\tmov\t%3, %1\n" \
7358 _ASM_EXTABLE(1b, 3b) \
7359 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7360 + : "=r" (oldval), "=r" (ret), \
7361 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7362 : "i" (-EFAULT), "0" (oparg), "1" (0))
7364 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7365 + typecheck(u32 *, uaddr); \
7366 asm volatile("1:\tmovl %2, %0\n" \
7367 "\tmovl\t%0, %3\n" \
7370 _ASM_EXTABLE(1b, 4b) \
7371 _ASM_EXTABLE(2b, 4b) \
7372 : "=&a" (oldval), "=&r" (ret), \
7373 - "+m" (*uaddr), "=&r" (tem) \
7374 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7376 : "r" (oparg), "i" (-EFAULT), "1" (0))
7379 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7380 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7382 int op = (encoded_op >> 28) & 7;
7383 int cmp = (encoded_op >> 24) & 15;
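Review bot: The 64-bit `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements, `typecheck(u32 *, uaddr);` followed by `asm volatile(...)`, so using either under an unbraced `if` would guard only the type check. Wrapping each body in `do { ... } while (0)` avoids that. The uses visible in `futex_atomic_op_inuser` are full statements, so this is hardening rather than a live bug. The `PAX_USER_SHADOW_BASE / 4` offset relies on `sizeof(*uaddr)` being 4, which the `typecheck` enforces; writing `PAX_USER_SHADOW_BASE / sizeof(*uaddr)` would state that dependency directly.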
7384 @@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
7388 +#ifdef CONFIG_X86_32
7389 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7391 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7395 +#ifdef CONFIG_X86_32
7396 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7399 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7404 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
7405 @@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
7409 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7410 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7414 @@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7418 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7419 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7422 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7423 - "2:\t.section .fixup, \"ax\"\n"
7425 +#ifdef CONFIG_X86_32
7426 + "\tmovw %w5, %%ds\n"
7427 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
7428 + "2:\tpushl %%ss\n"
7431 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7434 + "\t.section .fixup, \"ax\"\n"
7438 _ASM_EXTABLE(1b, 3b)
7439 +#ifdef CONFIG_X86_32
7440 : "=a" (oldval), "+m" (*uaddr)
7441 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7443 + : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
7444 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7449 diff -urNp linux-2.6.35.4/arch/x86/include/asm/i387.h linux-2.6.35.4/arch/x86/include/asm/i387.h
7450 --- linux-2.6.35.4/arch/x86/include/asm/i387.h 2010-08-26 19:47:12.000000000 -0400
7451 +++ linux-2.6.35.4/arch/x86/include/asm/i387.h 2010-09-17 20:12:09.000000000 -0400
7452 @@ -77,6 +77,11 @@ static inline int fxrstor_checking(struc
7456 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7457 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7458 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7461 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7463 ".section .fixup,\"ax\"\n"
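Review bot: The rebasing of `fx` by `PAX_USER_SHADOW_BASE` is open-coded here in `fxrstor_checking` and again in the `fxsave_user` hunk below, differing only in the `__user` annotation on the cast. A small shared inline helper, or at least a comment at each site, would keep the two in step. The comment should say why an address below `PAX_USER_SHADOW_BASE` is shifted into the shadow range rather than rejected. The cast shown in `fxrstor_checking` carries no `__user`, so it is worth documenting which callers can pass a user address there. Both functions continue outside their hunks.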
7464 @@ -127,6 +132,11 @@ static inline int fxsave_user(struct i38
7468 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7469 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7470 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7473 asm volatile("1: rex64/fxsave (%[fx])\n\t"
7475 ".section .fixup,\"ax\"\n"
7476 @@ -220,13 +230,8 @@ static inline int fxrstor_checking(struc
7479 /* We need a safe address that is cheap to find and that is already
7480 - in L1 during context switch. The best choices are unfortunately
7481 - different for UP and SMP */
7483 -#define safe_address (__per_cpu_offset[0])
7485 -#define safe_address (kstat_cpu(0).cpustat.user)
7487 + in L1 during context switch. */
7488 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7491 * These must be called with preempt disabled
7492 diff -urNp linux-2.6.35.4/arch/x86/include/asm/io.h linux-2.6.35.4/arch/x86/include/asm/io.h
7493 --- linux-2.6.35.4/arch/x86/include/asm/io.h 2010-08-26 19:47:12.000000000 -0400
7494 +++ linux-2.6.35.4/arch/x86/include/asm/io.h 2010-09-17 20:12:09.000000000 -0400
7495 @@ -213,6 +213,17 @@ extern void iounmap(volatile void __iome
7497 #include <linux/vmalloc.h>
7499 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7500 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7502 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7505 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7507 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7511 * Convert a virtual cached pointer to an uncached pointer
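Review bot: Both new range checks compute the limit as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` with an `int` constant, which is undefined once the shift count reaches 31. With 4 KiB pages that means any CPU reporting 43 or more physical address bits. Use a 64-bit constant in `valid_phys_addr_range` and `valid_mmap_phys_addr_range`: `(1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT))`. Separately, `addr + count + PAGE_SIZE - 1` can wrap for a large `count`, which makes an out-of-range request compare as small. Checking `count` against the remaining space before adding would close that gap.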
7513 diff -urNp linux-2.6.35.4/arch/x86/include/asm/iommu.h linux-2.6.35.4/arch/x86/include/asm/iommu.h
7514 --- linux-2.6.35.4/arch/x86/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
7515 +++ linux-2.6.35.4/arch/x86/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
7517 #ifndef _ASM_X86_IOMMU_H
7518 #define _ASM_X86_IOMMU_H
7520 -extern struct dma_map_ops nommu_dma_ops;
7521 +extern const struct dma_map_ops nommu_dma_ops;
7522 extern int force_iommu, no_iommu;
7523 extern int iommu_detected;
7524 extern int iommu_pass_through;
7525 diff -urNp linux-2.6.35.4/arch/x86/include/asm/irqflags.h linux-2.6.35.4/arch/x86/include/asm/irqflags.h
7526 --- linux-2.6.35.4/arch/x86/include/asm/irqflags.h 2010-08-26 19:47:12.000000000 -0400
7527 +++ linux-2.6.35.4/arch/x86/include/asm/irqflags.h 2010-09-17 20:12:09.000000000 -0400
7528 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
7532 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7533 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7534 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7535 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7538 #define INTERRUPT_RETURN iret
7539 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7540 diff -urNp linux-2.6.35.4/arch/x86/include/asm/kvm_host.h linux-2.6.35.4/arch/x86/include/asm/kvm_host.h
7541 --- linux-2.6.35.4/arch/x86/include/asm/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
7542 +++ linux-2.6.35.4/arch/x86/include/asm/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
7543 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
7544 const struct trace_print_flags *exit_reasons_str;
7547 -extern struct kvm_x86_ops *kvm_x86_ops;
7548 +extern const struct kvm_x86_ops *kvm_x86_ops;
7550 int kvm_mmu_module_init(void);
7551 void kvm_mmu_module_exit(void);
7552 diff -urNp linux-2.6.35.4/arch/x86/include/asm/local.h linux-2.6.35.4/arch/x86/include/asm/local.h
7553 --- linux-2.6.35.4/arch/x86/include/asm/local.h 2010-08-26 19:47:12.000000000 -0400
7554 +++ linux-2.6.35.4/arch/x86/include/asm/local.h 2010-09-17 20:12:09.000000000 -0400
7555 @@ -18,26 +18,90 @@ typedef struct {
7557 static inline void local_inc(local_t *l)
7559 - asm volatile(_ASM_INC "%0"
7560 + asm volatile(_ASM_INC "%0\n"
7562 +#ifdef CONFIG_PAX_REFCOUNT
7563 +#ifdef CONFIG_X86_32
7569 + ".pushsection .fixup,\"ax\"\n"
7574 + _ASM_EXTABLE(0b, 1b)
7577 : "+m" (l->a.counter));
7580 static inline void local_dec(local_t *l)
7582 - asm volatile(_ASM_DEC "%0"
7583 + asm volatile(_ASM_DEC "%0\n"
7585 +#ifdef CONFIG_PAX_REFCOUNT
7586 +#ifdef CONFIG_X86_32
7592 + ".pushsection .fixup,\"ax\"\n"
7597 + _ASM_EXTABLE(0b, 1b)
7600 : "+m" (l->a.counter));
7603 static inline void local_add(long i, local_t *l)
7605 - asm volatile(_ASM_ADD "%1,%0"
7606 + asm volatile(_ASM_ADD "%1,%0\n"
7608 +#ifdef CONFIG_PAX_REFCOUNT
7609 +#ifdef CONFIG_X86_32
7615 + ".pushsection .fixup,\"ax\"\n"
7617 + _ASM_SUB "%1,%0\n"
7620 + _ASM_EXTABLE(0b, 1b)
7623 : "+m" (l->a.counter)
7627 static inline void local_sub(long i, local_t *l)
7629 - asm volatile(_ASM_SUB "%1,%0"
7630 + asm volatile(_ASM_SUB "%1,%0\n"
7632 +#ifdef CONFIG_PAX_REFCOUNT
7633 +#ifdef CONFIG_X86_32
7639 + ".pushsection .fixup,\"ax\"\n"
7641 + _ASM_ADD "%1,%0\n"
7644 + _ASM_EXTABLE(0b, 1b)
7647 : "+m" (l->a.counter)
7650 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7654 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7655 + asm volatile(_ASM_SUB "%2,%0\n"
7657 +#ifdef CONFIG_PAX_REFCOUNT
7658 +#ifdef CONFIG_X86_32
7664 + ".pushsection .fixup,\"ax\"\n"
7666 + _ASM_ADD "%2,%0\n"
7669 + _ASM_EXTABLE(0b, 1b)
7673 : "+m" (l->a.counter), "=qm" (c)
7674 : "ir" (i) : "memory");
7676 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7680 - asm volatile(_ASM_DEC "%0; sete %1"
7681 + asm volatile(_ASM_DEC "%0\n"
7683 +#ifdef CONFIG_PAX_REFCOUNT
7684 +#ifdef CONFIG_X86_32
7690 + ".pushsection .fixup,\"ax\"\n"
7695 + _ASM_EXTABLE(0b, 1b)
7699 : "+m" (l->a.counter), "=qm" (c)
7702 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7706 - asm volatile(_ASM_INC "%0; sete %1"
7707 + asm volatile(_ASM_INC "%0\n"
7709 +#ifdef CONFIG_PAX_REFCOUNT
7710 +#ifdef CONFIG_X86_32
7716 + ".pushsection .fixup,\"ax\"\n"
7721 + _ASM_EXTABLE(0b, 1b)
7725 : "+m" (l->a.counter), "=qm" (c)
7728 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7732 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7733 + asm volatile(_ASM_ADD "%2,%0\n"
7735 +#ifdef CONFIG_PAX_REFCOUNT
7736 +#ifdef CONFIG_X86_32
7742 + ".pushsection .fixup,\"ax\"\n"
7744 + _ASM_SUB "%2,%0\n"
7747 + _ASM_EXTABLE(0b, 1b)
7751 : "+m" (l->a.counter), "=qm" (c)
7752 : "ir" (i) : "memory");
7754 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7756 /* Modern 486+ processor */
7758 - asm volatile(_ASM_XADD "%0, %1;"
7759 + asm volatile(_ASM_XADD "%0, %1\n"
7761 +#ifdef CONFIG_PAX_REFCOUNT
7762 +#ifdef CONFIG_X86_32
7768 + ".pushsection .fixup,\"ax\"\n"
7770 + _ASM_MOV "%0,%1\n"
7773 + _ASM_EXTABLE(0b, 1b)
7776 : "+r" (i), "+m" (l->a.counter)
7779 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h
7780 --- linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h 2010-08-26 19:47:12.000000000 -0400
7781 +++ linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h 2010-09-17 20:12:09.000000000 -0400
7782 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7784 #define lock_cmos_prefix(reg) do {} while (0)
7785 #define lock_cmos_suffix(reg) do {} while (0)
7786 -#define lock_cmos(reg)
7787 -#define unlock_cmos()
7788 +#define lock_cmos(reg) do {} while (0)
7789 +#define unlock_cmos() do {} while (0)
7790 #define do_i_have_lock_cmos() 0
7791 #define current_lock_cmos_reg() 0
7793 diff -urNp linux-2.6.35.4/arch/x86/include/asm/microcode.h linux-2.6.35.4/arch/x86/include/asm/microcode.h
7794 --- linux-2.6.35.4/arch/x86/include/asm/microcode.h 2010-08-26 19:47:12.000000000 -0400
7795 +++ linux-2.6.35.4/arch/x86/include/asm/microcode.h 2010-09-17 20:12:09.000000000 -0400
7796 @@ -12,13 +12,13 @@ struct device;
7797 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7799 struct microcode_ops {
7800 - enum ucode_state (*request_microcode_user) (int cpu,
7801 + enum ucode_state (* const request_microcode_user) (int cpu,
7802 const void __user *buf, size_t size);
7804 - enum ucode_state (*request_microcode_fw) (int cpu,
7805 + enum ucode_state (* const request_microcode_fw) (int cpu,
7806 struct device *device);
7808 - void (*microcode_fini_cpu) (int cpu);
7809 + void (* const microcode_fini_cpu) (int cpu);
7812 * The generic 'microcode_core' part guarantees that
7813 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7814 extern struct ucode_cpu_info ucode_cpu_info[];
7816 #ifdef CONFIG_MICROCODE_INTEL
7817 -extern struct microcode_ops * __init init_intel_microcode(void);
7818 +extern const struct microcode_ops * __init init_intel_microcode(void);
7820 -static inline struct microcode_ops * __init init_intel_microcode(void)
7821 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7825 #endif /* CONFIG_MICROCODE_INTEL */
7827 #ifdef CONFIG_MICROCODE_AMD
7828 -extern struct microcode_ops * __init init_amd_microcode(void);
7829 +extern const struct microcode_ops * __init init_amd_microcode(void);
7831 -static inline struct microcode_ops * __init init_amd_microcode(void)
7832 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7836 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mman.h linux-2.6.35.4/arch/x86/include/asm/mman.h
7837 --- linux-2.6.35.4/arch/x86/include/asm/mman.h 2010-08-26 19:47:12.000000000 -0400
7838 +++ linux-2.6.35.4/arch/x86/include/asm/mman.h 2010-09-17 20:12:09.000000000 -0400
7841 #include <asm-generic/mman.h>
7844 +#ifndef __ASSEMBLY__
7845 +#ifdef CONFIG_X86_32
7846 +#define arch_mmap_check i386_mmap_check
7847 +int i386_mmap_check(unsigned long addr, unsigned long len,
7848 + unsigned long flags);
7853 #endif /* _ASM_X86_MMAN_H */
7854 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mmu_context.h linux-2.6.35.4/arch/x86/include/asm/mmu_context.h
7855 --- linux-2.6.35.4/arch/x86/include/asm/mmu_context.h 2010-08-26 19:47:12.000000000 -0400
7856 +++ linux-2.6.35.4/arch/x86/include/asm/mmu_context.h 2010-09-17 20:12:09.000000000 -0400
7857 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
7859 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7862 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7866 + pax_open_kernel();
7867 + pgd = get_cpu_pgd(smp_processor_id());
7868 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7869 + if (paravirt_enabled())
7870 + set_pgd(pgd+i, native_make_pgd(0));
7872 + pgd[i] = native_make_pgd(0);
7873 + pax_close_kernel();
7877 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7878 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
7879 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
7880 struct task_struct *tsk)
7882 unsigned cpu = smp_processor_id();
7883 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7884 + int tlbstate = TLBSTATE_OK;
7887 if (likely(prev != next)) {
7888 /* stop flush ipis for the previous mm */
7889 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7891 +#ifdef CONFIG_X86_32
7892 + tlbstate = percpu_read(cpu_tlbstate.state);
7894 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7895 percpu_write(cpu_tlbstate.active_mm, next);
7897 cpumask_set_cpu(cpu, mm_cpumask(next));
7899 /* Re-load page tables */
7900 +#ifdef CONFIG_PAX_PER_CPU_PGD
7901 + pax_open_kernel();
7902 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7903 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7904 + pax_close_kernel();
7905 + load_cr3(get_cpu_pgd(cpu));
7907 load_cr3(next->pgd);
7911 * load the LDT, if the LDT is different:
7913 if (unlikely(prev->context.ldt != next->context.ldt))
7914 load_LDT_nolock(&next->context);
7917 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7918 + if (!(__supported_pte_mask & _PAGE_NX)) {
7919 + smp_mb__before_clear_bit();
7920 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7921 + smp_mb__after_clear_bit();
7922 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7926 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7927 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7928 + prev->context.user_cs_limit != next->context.user_cs_limit))
7929 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7931 + else if (unlikely(tlbstate != TLBSTATE_OK))
7932 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7939 +#ifdef CONFIG_PAX_PER_CPU_PGD
7940 + pax_open_kernel();
7941 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7942 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7943 + pax_close_kernel();
7944 + load_cr3(get_cpu_pgd(cpu));
7948 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7949 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
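Review bot: The `CONFIG_PAX_PER_CPU_PGD` sequence (`pax_open_kernel()`, `__clone_user_pgds`, `__shadow_user_pgds`, `pax_close_kernel()`, `load_cr3(get_cpu_pgd(cpu))`) appears twice in this hunk of `switch_mm` with identical arguments. Moving it into one static inline helper that takes `cpu` and `next` would keep the two paths from drifting apart. It would also give one place to document why the per-CPU page table must be refreshed before `load_cr3`. `switch_mm` continues into the next hunk, where the plain `load_cr3(next->pgd)` is compiled out under the same option, so the helper's comment should cover that branch as well.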
7951 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
7952 * tlb flush IPI delivery. We must reload CR3
7953 * to make sure to use no freed page tables.
7956 +#ifndef CONFIG_PAX_PER_CPU_PGD
7957 load_cr3(next->pgd);
7960 load_LDT_nolock(&next->context);
7962 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7963 + if (!(__supported_pte_mask & _PAGE_NX))
7964 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7967 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7968 +#ifdef CONFIG_PAX_PAGEEXEC
7969 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7971 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7980 #define activate_mm(prev, next) \
7981 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mmu.h linux-2.6.35.4/arch/x86/include/asm/mmu.h
7982 --- linux-2.6.35.4/arch/x86/include/asm/mmu.h 2010-08-26 19:47:12.000000000 -0400
7983 +++ linux-2.6.35.4/arch/x86/include/asm/mmu.h 2010-09-17 20:12:09.000000000 -0400
7985 * we put the segment information here.
7989 + struct desc_struct *ldt;
7993 + unsigned long vdso;
7995 +#ifdef CONFIG_X86_32
7996 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7997 + unsigned long user_cs_base;
7998 + unsigned long user_cs_limit;
8000 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8001 + cpumask_t cpu_user_cs_mask;
8010 diff -urNp linux-2.6.35.4/arch/x86/include/asm/module.h linux-2.6.35.4/arch/x86/include/asm/module.h
8011 --- linux-2.6.35.4/arch/x86/include/asm/module.h 2010-08-26 19:47:12.000000000 -0400
8012 +++ linux-2.6.35.4/arch/x86/include/asm/module.h 2010-09-17 20:12:37.000000000 -0400
8014 #error unknown processor family
8017 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8018 +#define MODULE_PAX_UDEREF "UDEREF "
8020 +#define MODULE_PAX_UDEREF ""
8023 #ifdef CONFIG_X86_32
8024 # ifdef CONFIG_4KSTACKS
8025 # define MODULE_STACKSIZE "4KSTACKS "
8027 # define MODULE_STACKSIZE ""
8029 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
8030 +# ifdef CONFIG_PAX_KERNEXEC
8031 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8033 +# define MODULE_PAX_KERNEXEC ""
8035 +# ifdef CONFIG_GRKERNSEC
8036 +# define MODULE_GRSEC "GRSECURITY "
8038 +# define MODULE_GRSEC ""
8040 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8042 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8045 #endif /* _ASM_X86_MODULE_H */
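Review bot: On the non-32-bit branch the new `MODULE_ARCH_VERMAGIC` is only `MODULE_PAX_UDEREF`, so the `GRSECURITY ` and `KERNEXEC ` tags are defined and compared on X86_32 alone. The same patch wraps the 64-bit `native_set_pmd`/`native_set_pgd` in `pax_open_kernel()`, which suggests KERNEXEC is meant to apply on x86_64 as well. If so, a module built against a kernel without it would still pass the vermagic comparison there. Moving the `MODULE_GRSEC` and `MODULE_PAX_KERNEXEC` definitions above `#ifdef CONFIG_X86_32` and using `# define MODULE_ARCH_VERMAGIC MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF` in the other branch would cover both. Some preprocessor lines of this section are not visible in this copy, so the branch structure should be confirmed first.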
8046 diff -urNp linux-2.6.35.4/arch/x86/include/asm/page_32_types.h linux-2.6.35.4/arch/x86/include/asm/page_32_types.h
8047 --- linux-2.6.35.4/arch/x86/include/asm/page_32_types.h 2010-08-26 19:47:12.000000000 -0400
8048 +++ linux-2.6.35.4/arch/x86/include/asm/page_32_types.h 2010-09-17 20:12:09.000000000 -0400
8051 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
8053 +#ifdef CONFIG_PAX_PAGEEXEC
8054 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
8057 #ifdef CONFIG_4KSTACKS
8058 #define THREAD_ORDER 0
8060 diff -urNp linux-2.6.35.4/arch/x86/include/asm/paravirt.h linux-2.6.35.4/arch/x86/include/asm/paravirt.h
8061 --- linux-2.6.35.4/arch/x86/include/asm/paravirt.h 2010-08-26 19:47:12.000000000 -0400
8062 +++ linux-2.6.35.4/arch/x86/include/asm/paravirt.h 2010-09-17 20:12:09.000000000 -0400
8063 @@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
8064 pv_mmu_ops.set_fixmap(idx, phys, flags);
8067 +#ifdef CONFIG_PAX_KERNEXEC
8068 +static inline unsigned long pax_open_kernel(void)
8070 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8073 +static inline unsigned long pax_close_kernel(void)
8075 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8078 +static inline unsigned long pax_open_kernel(void) { return 0; }
8079 +static inline unsigned long pax_close_kernel(void) { return 0; }
8082 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8084 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8085 @@ -936,7 +951,7 @@ extern void default_banner(void);
8087 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8088 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8089 -#define PARA_INDIRECT(addr) *%cs:addr
8090 +#define PARA_INDIRECT(addr) *%ss:addr
8093 #define INTERRUPT_RETURN \
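Review bot: The segment override in `PARA_INDIRECT` changes from `%cs` to `%ss` with no comment, and the reason cannot be read off the macro. Presumably the kernel code segment no longer covers the `pv_*_ops` tables once KERNEXEC gives CS a different base or limit, so the indirect target has to be fetched through a flat data segment. That should be confirmed and recorded next to the define, e.g. `/* fetch the ops pointer via %ss: under KERNEXEC %cs does not span kernel data */`. Every 32-bit `PARA_SITE` user picks up the change, so the assumption that `%ss` is always the flat kernel segment at these sites deserves a sentence as well.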
8094 @@ -1013,6 +1028,21 @@ extern void default_banner(void);
8095 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8097 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8099 +#define GET_CR0_INTO_RDI \
8100 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8103 +#define SET_RDI_INTO_CR0 \
8104 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8106 +#define GET_CR3_INTO_RDI \
8107 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8110 +#define SET_RDI_INTO_CR3 \
8111 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8113 #endif /* CONFIG_X86_32 */
8115 #endif /* __ASSEMBLY__ */
8116 diff -urNp linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h
8117 --- linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h 2010-08-26 19:47:12.000000000 -0400
8118 +++ linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h 2010-09-17 20:12:09.000000000 -0400
8119 @@ -312,6 +312,12 @@ struct pv_mmu_ops {
8120 an mfn. We can tell which is which from the index. */
8121 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8122 phys_addr_t phys, pgprot_t flags);
8124 +#ifdef CONFIG_PAX_KERNEXEC
8125 + unsigned long (*pax_open_kernel)(void);
8126 + unsigned long (*pax_close_kernel)(void);
8131 struct arch_spinlock;
8132 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pci_x86.h linux-2.6.35.4/arch/x86/include/asm/pci_x86.h
8133 --- linux-2.6.35.4/arch/x86/include/asm/pci_x86.h 2010-08-26 19:47:12.000000000 -0400
8134 +++ linux-2.6.35.4/arch/x86/include/asm/pci_x86.h 2010-09-17 20:12:09.000000000 -0400
8135 @@ -91,16 +91,16 @@ extern int (*pcibios_enable_irq)(struct
8136 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8138 struct pci_raw_ops {
8139 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8140 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8141 int reg, int len, u32 *val);
8142 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8143 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8144 int reg, int len, u32 val);
8147 -extern struct pci_raw_ops *raw_pci_ops;
8148 -extern struct pci_raw_ops *raw_pci_ext_ops;
8149 +extern const struct pci_raw_ops *raw_pci_ops;
8150 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8152 -extern struct pci_raw_ops pci_direct_conf1;
8153 +extern const struct pci_raw_ops pci_direct_conf1;
8154 extern bool port_cf9_safe;
8156 /* arch_initcall level */
8157 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgalloc.h linux-2.6.35.4/arch/x86/include/asm/pgalloc.h
8158 --- linux-2.6.35.4/arch/x86/include/asm/pgalloc.h 2010-08-26 19:47:12.000000000 -0400
8159 +++ linux-2.6.35.4/arch/x86/include/asm/pgalloc.h 2010-09-17 20:12:09.000000000 -0400
8160 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8161 pmd_t *pmd, pte_t *pte)
8163 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8164 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8167 +static inline void pmd_populate_user(struct mm_struct *mm,
8168 + pmd_t *pmd, pte_t *pte)
8170 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8171 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8174 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h
8175 --- linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h 2010-08-26 19:47:12.000000000 -0400
8176 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h 2010-09-17 20:12:09.000000000 -0400
8177 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8179 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8181 + pax_open_kernel();
8183 + pax_close_kernel();
8186 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8187 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h
8188 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
8189 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
8192 struct vm_area_struct;
8194 -extern pgd_t swapper_pg_dir[1024];
8196 static inline void pgtable_cache_init(void) { }
8197 static inline void check_pgt_cache(void) { }
8198 void paging_init(void);
8199 @@ -47,6 +45,11 @@ extern void set_pmd_pfn(unsigned long, u
8200 # include <asm/pgtable-2level.h>
8203 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8204 +#ifdef CONFIG_X86_PAE
8205 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8208 #if defined(CONFIG_HIGHPTE)
8210 (in_nmi() ? KM_NMI_PTE : \
8211 @@ -71,7 +74,9 @@ extern void set_pmd_pfn(unsigned long, u
8212 /* Clear a kernel PTE and flush it from the TLB */
8213 #define kpte_clear_flush(ptep, vaddr) \
8215 + pax_open_kernel(); \
8216 pte_clear(&init_mm, (vaddr), (ptep)); \
8217 + pax_close_kernel(); \
8218 __flush_tlb_one((vaddr)); \
8221 @@ -83,6 +88,9 @@ do { \
8223 #endif /* !__ASSEMBLY__ */
8225 +#define HAVE_ARCH_UNMAPPED_AREA
8226 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8229 * kern_addr_valid() is (1) for FLATMEM and (0) for
8230 * SPARSEMEM and DISCONTIGMEM
8231 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h
8232 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h 2010-08-26 19:47:12.000000000 -0400
8233 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h 2010-09-17 20:12:09.000000000 -0400
8236 #ifdef CONFIG_X86_PAE
8237 # include <asm/pgtable-3level_types.h>
8238 -# define PMD_SIZE (1UL << PMD_SHIFT)
8239 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8240 # define PMD_MASK (~(PMD_SIZE - 1))
8242 # include <asm/pgtable-2level_types.h>
8243 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8244 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8247 +#ifdef CONFIG_PAX_KERNEXEC
8248 +#ifndef __ASSEMBLY__
8249 +extern unsigned char MODULES_EXEC_VADDR[];
8250 +extern unsigned char MODULES_EXEC_END[];
8252 +#include <asm/boot.h>
8253 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8254 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8256 +#define ktla_ktva(addr) (addr)
8257 +#define ktva_ktla(addr) (addr)
8260 #define MODULES_VADDR VMALLOC_START
8261 #define MODULES_END VMALLOC_END
8262 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
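Review bot: In the KERNEXEC branch `ktla_ktva(addr)` and `ktva_ktla(addr)` expand `addr` without parentheses, so an argument containing a lower-precedence operator (a conditional expression, a shift, a bitwise OR) is combined with the offsets in the wrong order. Write them as `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity versions in the other branch are already safe, because they expand to `(addr)` alone.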
8263 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h
8264 --- linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h 2010-08-26 19:47:12.000000000 -0400
8265 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h 2010-09-17 20:12:09.000000000 -0400
8266 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8268 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8270 + pax_open_kernel();
8271 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8272 + pax_close_kernel();
8275 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8277 + pax_open_kernel();
8278 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8279 + pax_close_kernel();
8283 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h
8284 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h 2010-08-26 19:47:12.000000000 -0400
8285 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h 2010-09-17 20:12:09.000000000 -0400
8288 extern pud_t level3_kernel_pgt[512];
8289 extern pud_t level3_ident_pgt[512];
8290 +extern pud_t level3_vmalloc_pgt[512];
8291 +extern pud_t level3_vmemmap_pgt[512];
8292 +extern pud_t level2_vmemmap_pgt[512];
8293 extern pmd_t level2_kernel_pgt[512];
8294 extern pmd_t level2_fixmap_pgt[512];
8295 -extern pmd_t level2_ident_pgt[512];
8296 -extern pgd_t init_level4_pgt[];
8297 +extern pmd_t level2_ident_pgt[512*2];
8298 +extern pgd_t init_level4_pgt[512];
8300 #define swapper_pg_dir init_level4_pgt
8302 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8304 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8306 + pax_open_kernel();
8308 + pax_close_kernel();
8311 static inline void native_pmd_clear(pmd_t *pmd)
8312 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8314 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8316 + pax_open_kernel();
8318 + pax_close_kernel();
8321 static inline void native_pgd_clear(pgd_t *pgd)
8322 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h
8323 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h 2010-08-26 19:47:12.000000000 -0400
8324 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h 2010-09-17 20:12:09.000000000 -0400
8325 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8326 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8327 #define MODULES_END _AC(0xffffffffff000000, UL)
8328 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8329 +#define MODULES_EXEC_VADDR MODULES_VADDR
8330 +#define MODULES_EXEC_END MODULES_END
8332 +#define ktla_ktva(addr) (addr)
8333 +#define ktva_ktla(addr) (addr)
8335 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8336 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable.h linux-2.6.35.4/arch/x86/include/asm/pgtable.h
8337 --- linux-2.6.35.4/arch/x86/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
8338 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
8339 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8341 #define arch_end_context_switch(prev) do {} while(0)
8343 +#define pax_open_kernel() native_pax_open_kernel()
8344 +#define pax_close_kernel() native_pax_close_kernel()
8345 #endif /* CONFIG_PARAVIRT */
8347 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8348 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8350 +#ifdef CONFIG_PAX_KERNEXEC
8351 +static inline unsigned long native_pax_open_kernel(void)
8353 + unsigned long cr0;
8355 + preempt_disable();
8357 + cr0 = read_cr0() ^ X86_CR0_WP;
8358 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8360 + return cr0 ^ X86_CR0_WP;
8363 +static inline unsigned long native_pax_close_kernel(void)
8365 + unsigned long cr0;
8367 + cr0 = read_cr0() ^ X86_CR0_WP;
8368 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8371 + preempt_enable_no_resched();
8372 + return cr0 ^ X86_CR0_WP;
8375 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8376 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8380 * The following only work if pte_present() is true.
8381 * Undefined behaviour if not..
8383 +static inline int pte_user(pte_t pte)
8385 + return pte_val(pte) & _PAGE_USER;
8388 static inline int pte_dirty(pte_t pte)
8390 return pte_flags(pte) & _PAGE_DIRTY;
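Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` have no comment, yet the visible lines imply a strict contract. Open disables preemption and hits `BUG_ON` if CR0.WP is already clear; close hits `BUG_ON` if WP is still set and then calls `preempt_enable_no_resched()`. A header comment should state that the two calls must be paired on the same CPU, must not nest and must not sleep in between, and should say what the returned `unsigned long` means, since every caller in this chunk discards it. Only preemption is disabled in the lines shown, so the comment should also say whether interrupt handlers are expected to run while write protection is off. The line that actually writes CR0 is not visible in this copy of the hunk.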
8391 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
8392 return pte_clear_flags(pte, _PAGE_RW);
8395 +static inline pte_t pte_mkread(pte_t pte)
8397 + return __pte(pte_val(pte) | _PAGE_USER);
8400 static inline pte_t pte_mkexec(pte_t pte)
8402 - return pte_clear_flags(pte, _PAGE_NX);
8403 +#ifdef CONFIG_X86_PAE
8404 + if (__supported_pte_mask & _PAGE_NX)
8405 + return pte_clear_flags(pte, _PAGE_NX);
8408 + return pte_set_flags(pte, _PAGE_USER);
8411 +static inline pte_t pte_exprotect(pte_t pte)
8413 +#ifdef CONFIG_X86_PAE
8414 + if (__supported_pte_mask & _PAGE_NX)
8415 + return pte_set_flags(pte, _PAGE_NX);
8418 + return pte_clear_flags(pte, _PAGE_USER);
8421 static inline pte_t pte_mkdirty(pte_t pte)
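Review bot: `pte_mkread()` sets `_PAGE_USER` with `__pte(pte_val(pte) | _PAGE_USER)`, while the `pte_mkexec()` rewritten a few lines below sets the same bit with `pte_set_flags(pte, _PAGE_USER)`. Using `return pte_set_flags(pte, _PAGE_USER);` in `pte_mkread()` keeps the flag helpers uniform and avoids a full `pte_val()`/`__pte()` round trip for a flag-only change. The `pte_user()` added in the previous hunk has the same mismatch with its neighbours, which read flags through `pte_flags()`; there `return pte_flags(pte) & _PAGE_USER;` would match `pte_dirty()`.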
8422 @@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long
8425 #ifndef __ASSEMBLY__
8427 +#ifdef CONFIG_PAX_PER_CPU_PGD
8428 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8429 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8431 + return cpu_pgd[cpu];
8435 #include <linux/mm_types.h>
8437 static inline int pte_none(pte_t pte)
8438 @@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
8440 static inline int pgd_bad(pgd_t pgd)
8442 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8443 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8446 static inline int pgd_none(pgd_t pgd)
8447 @@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8448 * pgd_offset() returns a (pgd_t *)
8449 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8451 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8452 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8454 +#ifdef CONFIG_PAX_PER_CPU_PGD
8455 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8459 * a shortcut which implies the use of the kernel's pgd, instead
8461 @@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8462 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8463 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8465 +#ifdef CONFIG_X86_32
8466 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8468 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8469 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8471 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8472 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8474 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8479 #ifndef __ASSEMBLY__
8481 extern int direct_gbpages;
8482 @@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
8483 * dst and src can be on the same page, but the range must not overlap,
8484 * and must not cross a page boundary.
8486 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8487 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8489 - memcpy(dst, src, count * sizeof(pgd_t));
8490 + pax_open_kernel();
8493 + pax_close_kernel();
8496 +#ifdef CONFIG_PAX_PER_CPU_PGD
8497 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8500 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8501 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8503 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8506 #include <asm-generic/pgtable.h>
8507 #endif /* __ASSEMBLY__ */
8508 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h
8509 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h 2010-08-26 19:47:12.000000000 -0400
8510 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h 2010-09-17 20:12:09.000000000 -0400
8512 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8513 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8514 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8515 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8516 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8517 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8518 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8519 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8520 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8521 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8522 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8523 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8525 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8527 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8528 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8529 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8530 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8531 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8532 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8533 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8536 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8537 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8539 +#elif defined(CONFIG_KMEMCHECK)
8540 #define _PAGE_NX (_AT(pteval_t, 0))
8542 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8545 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8547 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8550 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8551 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8553 #define __PAGE_KERNEL_EXEC \
8554 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8555 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8557 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8558 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8559 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8560 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8561 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8562 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8563 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8564 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8565 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8566 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8568 * bits are combined, this will alow user to access the high address mapped
8569 * VDSO in the presence of CONFIG_COMPAT_VDSO
8571 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8572 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8573 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8574 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8575 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8578 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8580 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8584 +#if PAGETABLE_LEVELS == 3
8585 +#include <asm-generic/pgtable-nopud.h>
8588 +#if PAGETABLE_LEVELS == 2
8589 +#include <asm-generic/pgtable-nopmd.h>
8592 +#ifndef __ASSEMBLY__
8593 #if PAGETABLE_LEVELS > 3
8594 typedef struct { pudval_t pud; } pud_t;
8596 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8600 -#include <asm-generic/pgtable-nopud.h>
8602 static inline pudval_t native_pud_val(pud_t pud)
8604 return native_pgd_val(pud.pgd);
8605 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8609 -#include <asm-generic/pgtable-nopmd.h>
8611 static inline pmdval_t native_pmd_val(pmd_t pmd)
8613 return native_pgd_val(pmd.pud.pgd);
8614 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8616 extern pteval_t __supported_pte_mask;
8617 extern void set_nx(void);
8618 -extern int nx_enabled;
8620 #define pgprot_writecombine pgprot_writecombine
8621 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8622 diff -urNp linux-2.6.35.4/arch/x86/include/asm/processor.h linux-2.6.35.4/arch/x86/include/asm/processor.h
8623 --- linux-2.6.35.4/arch/x86/include/asm/processor.h 2010-08-26 19:47:12.000000000 -0400
8624 +++ linux-2.6.35.4/arch/x86/include/asm/processor.h 2010-09-17 20:12:09.000000000 -0400
8625 @@ -269,7 +269,7 @@ struct tss_struct {
8627 } ____cacheline_aligned;
8629 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8630 +extern struct tss_struct init_tss[NR_CPUS];
8633 * Save the original ist values for checking stack pointers during debugging
8634 @@ -884,8 +884,15 @@ static inline void spin_lock_prefetch(co
8636 #define TASK_SIZE PAGE_OFFSET
8637 #define TASK_SIZE_MAX TASK_SIZE
8639 +#ifdef CONFIG_PAX_SEGMEXEC
8640 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8641 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8643 #define STACK_TOP TASK_SIZE
8644 -#define STACK_TOP_MAX STACK_TOP
8647 +#define STACK_TOP_MAX TASK_SIZE
8649 #define INIT_THREAD { \
8650 .sp0 = sizeof(init_stack) + (long)&init_stack, \
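Review bot: Under CONFIG_PAX_SEGMEXEC `STACK_TOP` now evaluates `current->mm->pax_flags`, so it is no longer a constant and it dereferences a NULL pointer if it is ever expanded where `current->mm` is NULL, as on a kernel thread. The callers are outside this hunk, so this may never happen in practice, but nothing at the definition records the requirement. A one-line comment such as `/* STACK_TOP reads current->mm: only valid in process context with an mm */` would do. The expression is also easier to read with spaces around `?` and `:`, as in the `IA32_PAGE_OFFSET` definition further down the file.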
8651 @@ -902,7 +909,7 @@ static inline void spin_lock_prefetch(co
8653 #define INIT_TSS { \
8655 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8656 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8657 .ss0 = __KERNEL_DS, \
8658 .ss1 = __KERNEL_CS, \
8659 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8660 @@ -913,11 +920,7 @@ static inline void spin_lock_prefetch(co
8661 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8663 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8664 -#define KSTK_TOP(info) \
8666 - unsigned long *__ptr = (unsigned long *)(info); \
8667 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8669 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8672 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
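Review bot: The new `KSTK_TOP(info)` expands to `((info)->task.thread.sp0)`, which applies `.` to `task`; in the mainline x86 `struct thread_info` that member is a `struct task_struct *`, so the expansion would need `->`. Because this is a macro, the error only surfaces at a use site, which would explain why it builds. Unless `thread_info` is changed elsewhere in the patch to embed the task, the definition should read `#define KSTK_TOP(info) ((info)->task->thread.sp0)`.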
8673 @@ -932,7 +935,7 @@ extern unsigned long thread_saved_pc(str
8674 #define task_pt_regs(task) \
8676 struct pt_regs *__regs__; \
8677 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8678 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
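Review bot: With this change `task_pt_regs()` no longer subtracts 8; the reservation now lives in `sp0` itself (see the `- 8` added to `INIT_TSS` two hunks up). The comment directly above the macro, "The below -8 is to reserve 8 bytes on top of the ring0 stack", therefore describes code that is gone. It should be reworded to say that `thread.sp0` already points 8 bytes below the top of the stack and that `task_pt_regs()` relies on every path that sets `sp0` keeping that offset. The macro body continues outside the hunk.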
8682 @@ -942,13 +945,13 @@ extern unsigned long thread_saved_pc(str
8684 * User space process size. 47bits minus one guard page.
8686 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8687 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8689 /* This decides where the kernel will search for a free chunk of vm
8690 * space during mmap's.
8692 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8693 - 0xc0000000 : 0xFFFFe000)
8694 + 0xc0000000 : 0xFFFFf000)
8696 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8697 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8698 @@ -985,6 +988,10 @@ extern void start_thread(struct pt_regs
8700 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8702 +#ifdef CONFIG_PAX_SEGMEXEC
8703 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8706 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8708 /* Get/set a process' ability to use the timestamp counter instruction */
8709 diff -urNp linux-2.6.35.4/arch/x86/include/asm/ptrace.h linux-2.6.35.4/arch/x86/include/asm/ptrace.h
8710 --- linux-2.6.35.4/arch/x86/include/asm/ptrace.h 2010-08-26 19:47:12.000000000 -0400
8711 +++ linux-2.6.35.4/arch/x86/include/asm/ptrace.h 2010-09-17 20:12:09.000000000 -0400
8712 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8716 - * user_mode_vm(regs) determines whether a register set came from user mode.
8717 + * user_mode(regs) determines whether a register set came from user mode.
8718 * This is true if V8086 mode was enabled OR if the register set was from
8719 * protected mode with RPL-3 CS value. This tricky test checks that with
8720 * one comparison. Many places in the kernel can bypass this full check
8721 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8722 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8725 -static inline int user_mode(struct pt_regs *regs)
8726 +static inline int user_mode_novm(struct pt_regs *regs)
8728 #ifdef CONFIG_X86_32
8729 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8731 - return !!(regs->cs & 3);
8732 + return !!(regs->cs & SEGMENT_RPL_MASK);
8736 -static inline int user_mode_vm(struct pt_regs *regs)
8737 +static inline int user_mode(struct pt_regs *regs)
8739 #ifdef CONFIG_X86_32
8740 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8743 - return user_mode(regs);
8744 + return user_mode_novm(regs);
8748 diff -urNp linux-2.6.35.4/arch/x86/include/asm/reboot.h linux-2.6.35.4/arch/x86/include/asm/reboot.h
8749 --- linux-2.6.35.4/arch/x86/include/asm/reboot.h 2010-08-26 19:47:12.000000000 -0400
8750 +++ linux-2.6.35.4/arch/x86/include/asm/reboot.h 2010-09-17 20:12:09.000000000 -0400
8751 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8753 void native_machine_crash_shutdown(struct pt_regs *regs);
8754 void native_machine_shutdown(void);
8755 -void machine_real_restart(const unsigned char *code, int length);
8756 +void machine_real_restart(const unsigned char *code, unsigned int length);
8758 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8759 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8760 diff -urNp linux-2.6.35.4/arch/x86/include/asm/rwsem.h linux-2.6.35.4/arch/x86/include/asm/rwsem.h
8761 --- linux-2.6.35.4/arch/x86/include/asm/rwsem.h 2010-08-26 19:47:12.000000000 -0400
8762 +++ linux-2.6.35.4/arch/x86/include/asm/rwsem.h 2010-09-17 20:12:09.000000000 -0400
8763 @@ -118,10 +118,26 @@ static inline void __down_read(struct rw
8765 asm volatile("# beginning down_read\n\t"
8766 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8768 +#ifdef CONFIG_PAX_REFCOUNT
8769 +#ifdef CONFIG_X86_32
8775 + ".pushsection .fixup,\"ax\"\n"
8777 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8780 + _ASM_EXTABLE(0b, 1b)
8783 /* adds 0x00000001, returns the old value */
8786 " call call_rwsem_down_read_failed\n"
8789 "# ending down_read\n\t"
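Review bot: The `CONFIG_PAX_REFCOUNT` overflow check with its `.fixup` section and `_ASM_EXTABLE(0b, 1b)` entry is open-coded here and repeated in the hunks for `__down_read_trylock`, `__down_write_nested`, `__up_read`, `__up_write`, `__downgrade_write`, `rwsem_atomic_add` and the final hunk of this file. Only the undo instruction differs between sites (`_ASM_DEC "(%1)"` here, `_ASM_SUB "%2,(%1)"` and `_ASM_SUB "%1,%0"` elsewhere). A single helper macro in this header that takes the undo instruction as a string argument would keep the eight copies from drifting apart. It would also give one place for a comment on what the `0:`/`1:` labels mark and why the operation is rolled back. Several lines of each sequence are missing from this copy, so the exact macro body needs to be taken from the full patch.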
8792 @@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
8793 rwsem_count_t result, tmp;
8794 asm volatile("# beginning __down_read_trylock\n\t"
8802 +#ifdef CONFIG_PAX_REFCOUNT
8803 +#ifdef CONFIG_X86_32
8809 + ".pushsection .fixup,\"ax\"\n"
8814 + _ASM_EXTABLE(0b, 1b)
8818 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8823 "# ending __down_read_trylock\n\t"
8824 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8825 : "i" (RWSEM_ACTIVE_READ_BIAS)
8826 @@ -160,12 +192,28 @@ static inline void __down_write_nested(s
8827 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8828 asm volatile("# beginning down_write\n\t"
8829 LOCK_PREFIX " xadd %1,(%2)\n\t"
8831 +#ifdef CONFIG_PAX_REFCOUNT
8832 +#ifdef CONFIG_X86_32
8838 + ".pushsection .fixup,\"ax\"\n"
8843 + _ASM_EXTABLE(0b, 1b)
8846 /* subtract 0x0000ffff, returns the old value */
8848 /* was the count 0 before? */
8851 " call call_rwsem_down_write_failed\n"
8854 "# ending down_write"
8855 : "+m" (sem->count), "=d" (tmp)
8856 : "a" (sem), "1" (tmp)
8857 @@ -198,10 +246,26 @@ static inline void __up_read(struct rw_s
8858 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
8859 asm volatile("# beginning __up_read\n\t"
8860 LOCK_PREFIX " xadd %1,(%2)\n\t"
8862 +#ifdef CONFIG_PAX_REFCOUNT
8863 +#ifdef CONFIG_X86_32
8869 + ".pushsection .fixup,\"ax\"\n"
8874 + _ASM_EXTABLE(0b, 1b)
8877 /* subtracts 1, returns the old value */
8880 " call call_rwsem_wake\n"
8883 "# ending __up_read\n"
8884 : "+m" (sem->count), "=d" (tmp)
8885 : "a" (sem), "1" (tmp)
8886 @@ -216,11 +280,27 @@ static inline void __up_write(struct rw_
8888 asm volatile("# beginning __up_write\n\t"
8889 LOCK_PREFIX " xadd %1,(%2)\n\t"
8891 +#ifdef CONFIG_PAX_REFCOUNT
8892 +#ifdef CONFIG_X86_32
8898 + ".pushsection .fixup,\"ax\"\n"
8903 + _ASM_EXTABLE(0b, 1b)
8906 /* tries to transition
8907 0xffff0001 -> 0x00000000 */
8910 " call call_rwsem_wake\n"
8913 "# ending __up_write\n"
8914 : "+m" (sem->count), "=d" (tmp)
8915 : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
8916 @@ -234,13 +314,29 @@ static inline void __downgrade_write(str
8918 asm volatile("# beginning __downgrade_write\n\t"
8919 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8921 +#ifdef CONFIG_PAX_REFCOUNT
8922 +#ifdef CONFIG_X86_32
8928 + ".pushsection .fixup,\"ax\"\n"
8930 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8933 + _ASM_EXTABLE(0b, 1b)
8937 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8938 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8942 " call call_rwsem_downgrade_wake\n"
8945 "# ending __downgrade_write\n"
8947 : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
8948 @@ -253,7 +349,23 @@ static inline void __downgrade_write(str
8949 static inline void rwsem_atomic_add(rwsem_count_t delta,
8950 struct rw_semaphore *sem)
8952 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8953 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8955 +#ifdef CONFIG_PAX_REFCOUNT
8956 +#ifdef CONFIG_X86_32
8962 + ".pushsection .fixup,\"ax\"\n"
8964 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
8967 + _ASM_EXTABLE(0b, 1b)
8973 @@ -266,7 +378,23 @@ static inline rwsem_count_t rwsem_atomic
8975 rwsem_count_t tmp = delta;
8977 - asm volatile(LOCK_PREFIX "xadd %0,%1"
8978 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8980 +#ifdef CONFIG_PAX_REFCOUNT
8981 +#ifdef CONFIG_X86_32
8987 + ".pushsection .fixup,\"ax\"\n"
8992 + _ASM_EXTABLE(0b, 1b)
8995 : "+r" (tmp), "+m" (sem->count)
8998 diff -urNp linux-2.6.35.4/arch/x86/include/asm/segment.h linux-2.6.35.4/arch/x86/include/asm/segment.h
8999 --- linux-2.6.35.4/arch/x86/include/asm/segment.h 2010-08-26 19:47:12.000000000 -0400
9000 +++ linux-2.6.35.4/arch/x86/include/asm/segment.h 2010-09-17 20:12:09.000000000 -0400
9002 * 26 - ESPFIX small SS
9003 * 27 - per-cpu [ offset to per-cpu data area ]
9004 * 28 - stack_canary-20 [ for stack protector ]
9007 + * 29 - PCI BIOS CS
9008 + * 30 - PCI BIOS DS
9009 * 31 - TSS for double fault handler
9011 #define GDT_ENTRY_TLS_MIN 6
9014 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
9016 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9018 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
9020 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
9022 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
9023 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
9025 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9026 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9028 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
9030 @@ -102,6 +104,12 @@
9031 #define __KERNEL_STACK_CANARY 0
9034 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
9035 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9037 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
9038 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9040 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9046 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9047 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9048 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
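Review bot: The comment kept above `SEGMENT_IS_PNP_CODE` still says the two selectors "must be consecutive", but the new definition compares against `PNP_CS32` and `PNP_CS16` individually, so the macro no longer relies on that. The comment should describe what is tested now, for example `/* Matches PNP_CS32 or PNP_CS16 exactly, ignoring the RPL bits */`. The new form also expands `x` twice, so an argument with side effects would be evaluated twice; a `static inline` helper avoids that.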
9053 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9054 #define __USER32_DS __USER_DS
9056 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9058 #define GDT_ENTRY_TSS 8 /* needs two entries */
9059 #define GDT_ENTRY_LDT 10 /* needs two entries */
9060 #define GDT_ENTRY_TLS_MIN 12
9064 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
9065 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
9066 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
9067 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
9068 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
9069 diff -urNp linux-2.6.35.4/arch/x86/include/asm/spinlock.h linux-2.6.35.4/arch/x86/include/asm/spinlock.h
9070 --- linux-2.6.35.4/arch/x86/include/asm/spinlock.h 2010-08-26 19:47:12.000000000 -0400
9071 +++ linux-2.6.35.4/arch/x86/include/asm/spinlock.h 2010-09-17 20:12:09.000000000 -0400
9072 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
9073 static inline void arch_read_lock(arch_rwlock_t *rw)
9075 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9077 - "call __read_lock_failed\n\t"
9079 +#ifdef CONFIG_PAX_REFCOUNT
9080 +#ifdef CONFIG_X86_32
9086 + ".pushsection .fixup,\"ax\"\n"
9088 + LOCK_PREFIX " addl $1,(%0)\n"
9091 + _ASM_EXTABLE(0b, 1b)
9095 + "call __read_lock_failed\n\t"
9097 ::LOCK_PTR_REG (rw) : "memory");
9100 static inline void arch_write_lock(arch_rwlock_t *rw)
9102 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9104 - "call __write_lock_failed\n\t"
9106 +#ifdef CONFIG_PAX_REFCOUNT
9107 +#ifdef CONFIG_X86_32
9113 + ".pushsection .fixup,\"ax\"\n"
9115 + LOCK_PREFIX " addl %1,(%0)\n"
9118 + _ASM_EXTABLE(0b, 1b)
9122 + "call __write_lock_failed\n\t"
9124 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
9127 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
9129 static inline void arch_read_unlock(arch_rwlock_t *rw)
9131 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9132 + asm volatile(LOCK_PREFIX "incl %0\n"
9134 +#ifdef CONFIG_PAX_REFCOUNT
9135 +#ifdef CONFIG_X86_32
9141 + ".pushsection .fixup,\"ax\"\n"
9143 + LOCK_PREFIX "decl %0\n"
9146 + _ASM_EXTABLE(0b, 1b)
9149 + :"+m" (rw->lock) : : "memory");
9152 static inline void arch_write_unlock(arch_rwlock_t *rw)
9154 - asm volatile(LOCK_PREFIX "addl %1, %0"
9155 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9157 +#ifdef CONFIG_PAX_REFCOUNT
9158 +#ifdef CONFIG_X86_32
9164 + ".pushsection .fixup,\"ax\"\n"
9166 + LOCK_PREFIX "subl %1,%0\n"
9169 + _ASM_EXTABLE(0b, 1b)
9172 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9175 diff -urNp linux-2.6.35.4/arch/x86/include/asm/system.h linux-2.6.35.4/arch/x86/include/asm/system.h
9176 --- linux-2.6.35.4/arch/x86/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
9177 +++ linux-2.6.35.4/arch/x86/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
9178 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9180 unsigned long __limit;
9181 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9182 - return __limit + 1;
9186 static inline void native_clts(void)
9187 @@ -342,7 +342,7 @@ void enable_hlt(void);
9189 void cpu_idle_wait(void);
9191 -extern unsigned long arch_align_stack(unsigned long sp);
9192 +#define arch_align_stack(x) ((x) & ~0xfUL)
9193 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9195 void default_idle(void);
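Review bot: Replacing the `arch_align_stack` prototype with the object-like expression `#define arch_align_stack(x) ((x) & ~0xfUL)` drops the `unsigned long` parameter and return types, so a pointer or a narrower integer passed by mistake is no longer diagnosed. The macro would also rewrite any remaining declaration or definition of that name that includes this header. A typed inline keeps the same code generation: `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }`.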
9196 diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h
9197 --- linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
9198 +++ linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
9199 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9200 static __always_inline unsigned long __must_check
9201 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9206 if (__builtin_constant_p(n)) {
9209 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9213 + if (!__builtin_constant_p(n))
9214 + check_object_size(from, n, true);
9215 return __copy_to_user_ll(to, from, n);
9218 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9219 static __always_inline unsigned long
9220 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9225 /* Avoid zeroing the tail if the copy fails..
9226 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9227 * but as the zeroing behaviour is only significant when n is not
9228 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9229 __copy_from_user(void *to, const void __user *from, unsigned long n)
9236 if (__builtin_constant_p(n)) {
9239 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9243 + if (!__builtin_constant_p(n))
9244 + check_object_size(to, n, false);
9245 return __copy_from_user_ll(to, from, n);
9248 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9249 const void __user *from, unsigned long n)
9256 if (__builtin_constant_p(n)) {
9259 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9260 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9263 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9268 -unsigned long __must_check copy_to_user(void __user *to,
9269 - const void *from, unsigned long n);
9270 -unsigned long __must_check _copy_from_user(void *to,
9271 - const void __user *from,
9273 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9276 +extern void copy_to_user_overflow(void)
9277 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9278 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9280 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9284 extern void copy_from_user_overflow(void)
9285 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9286 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9290 -static inline unsigned long __must_check copy_from_user(void *to,
9291 - const void __user *from,
9294 + * copy_to_user: - Copy a block of data into user space.
9295 + * @to: Destination address, in user space.
9296 + * @from: Source address, in kernel space.
9297 + * @n: Number of bytes to copy.
9299 + * Context: User context only. This function may sleep.
9301 + * Copy data from kernel space to user space.
9303 + * Returns number of bytes that could not be copied.
9304 + * On success, this will be zero.
9306 +static inline unsigned long __must_check
9307 +copy_to_user(void __user *to, const void *from, unsigned long n)
9309 + int sz = __compiletime_object_size(from);
9311 + if (unlikely(sz != -1 && sz < n))
9312 + copy_to_user_overflow();
9313 + else if (access_ok(VERIFY_WRITE, to, n))
9314 + n = __copy_to_user(to, from, n);
9319 + * copy_from_user: - Copy a block of data from user space.
9320 + * @to: Destination address, in kernel space.
9321 + * @from: Source address, in user space.
9322 + * @n: Number of bytes to copy.
9324 + * Context: User context only. This function may sleep.
9326 + * Copy data from user space to kernel space.
9328 + * Returns number of bytes that could not be copied.
9329 + * On success, this will be zero.
9331 + * If some data could not be copied, this function will pad the copied
9332 + * data to the requested size using zero bytes.
9334 +static inline unsigned long __must_check
9335 +copy_from_user(void *to, const void __user *from, unsigned long n)
9337 int sz = __compiletime_object_size(to);
9339 - if (likely(sz == -1 || sz >= n))
9340 - n = _copy_from_user(to, from, n);
9342 + if (unlikely(sz != -1 && sz < n))
9343 copy_from_user_overflow();
9345 + else if (access_ok(VERIFY_READ, from, n))
9346 + n = __copy_from_user(to, from, n);
9347 + else if ((long)n > 0) {
9348 + if (!__builtin_constant_p(n))
9349 + check_object_size(to, n, false);
9355 diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h
9356 --- linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
9357 +++ linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h 2010-09-17 20:12:37.000000000 -0400
9359 #include <asm/alternative.h>
9360 #include <asm/cpufeature.h>
9361 #include <asm/page.h>
9362 +#include <asm/pgtable.h>
9364 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9366 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9369 * Copy To/From Userspace
9370 @@ -37,26 +42,26 @@ copy_user_generic(void *to, const void *
9374 -__must_check unsigned long
9375 -_copy_to_user(void __user *to, const void *from, unsigned len);
9376 -__must_check unsigned long
9377 -_copy_from_user(void *to, const void __user *from, unsigned len);
9378 +static __always_inline __must_check unsigned long
9379 +__copy_to_user(void __user *to, const void *from, unsigned len);
9380 +static __always_inline __must_check unsigned long
9381 +__copy_from_user(void *to, const void __user *from, unsigned len);
9382 __must_check unsigned long
9383 copy_in_user(void __user *to, const void __user *from, unsigned len);
9385 static inline unsigned long __must_check copy_from_user(void *to,
9386 const void __user *from,
9390 - int sz = __compiletime_object_size(to);
9393 - if (likely(sz == -1 || sz >= n))
9394 - n = _copy_from_user(to, from, n);
9395 -#ifdef CONFIG_DEBUG_VM
9397 - WARN(1, "Buffer overflow detected!\n");
9400 + if (access_ok(VERIFY_READ, from, n))
9401 + n = __copy_from_user(to, from, n);
9402 + else if ((int)n > 0) {
9403 + if (!__builtin_constant_p(n))
9404 + check_object_size(to, n, false);
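Review bot: The fallback branch in the new `copy_from_user` tests `(int)n > 0`, while the same branch in uaccess_32.h tests `(long)n > 0`. The line that declares `n` is not visible in this hunk; if it is still `unsigned long`, the cast looks only at the low 32 bits, so the sign test and the full-width `n` handed to `check_object_size(to, n, false)` can disagree about the length. Either narrow the parameter to `unsigned` so the two agree, or write the test as `else if ((long)n > 0) {`.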
9410 @@ -65,17 +70,35 @@ int copy_to_user(void __user *dst, const
9414 - return _copy_to_user(dst, src, size);
9415 + if (access_ok(VERIFY_WRITE, dst, size))
9416 + size = __copy_to_user(dst, src, size);
9420 static __always_inline __must_check
9421 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9422 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9425 + int sz = __compiletime_object_size(dst);
9429 - if (!__builtin_constant_p(size))
9431 + if ((int)size < 0)
9434 + if (unlikely(sz != -1 && sz < size)) {
9435 +#ifdef CONFIG_DEBUG_VM
9436 + WARN(1, "Buffer overflow detected!\n");
9441 + if (!__builtin_constant_p(size)) {
9442 + check_object_size(dst, size, false);
9443 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9444 + src += PAX_USER_SHADOW_BASE;
9445 return copy_user_generic(dst, (__force void *)src, size);
9448 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9449 ret, "b", "b", "=q", 1);
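Review bot: The adjustment `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is written out by hand in `__copy_from_user` here and again in `__copy_to_user`, `__copy_in_user` and the `_inatomic` variants in the following hunks, and in xsave.h, while uaccess.h adds a `____m()` macro that performs the same rebasing. A single helper taking and returning the pointer would keep the rule in one place and make a missed call site easier to spot. No `CONFIG_PAX_MEMORY_UDEREF` guard is visible around these copies, unlike `____m()` and the xsave.h hunks, so it is worth confirming how `PAX_USER_SHADOW_BASE` is defined when that option is off; its definition is outside this hunk. The body of `__copy_from_user` continues past the hunk.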
9450 @@ -108,18 +131,36 @@ int __copy_from_user(void *dst, const vo
9451 ret, "q", "", "=r", 8);
9454 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9455 + src += PAX_USER_SHADOW_BASE;
9456 return copy_user_generic(dst, (__force void *)src, size);
9460 static __always_inline __must_check
9461 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9462 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9465 + int sz = __compiletime_object_size(src);
9469 - if (!__builtin_constant_p(size))
9471 + if ((int)size < 0)
9474 + if (unlikely(sz != -1 && sz < size)) {
9475 +#ifdef CONFIG_DEBUG_VM
9476 + WARN(1, "Buffer overflow detected!\n");
9481 + if (!__builtin_constant_p(size)) {
9482 + check_object_size(src, size, true);
9483 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9484 + dst += PAX_USER_SHADOW_BASE;
9485 return copy_user_generic((__force void *)dst, src, size);
9488 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9489 ret, "b", "b", "iq", 1);
9490 @@ -152,19 +193,30 @@ int __copy_to_user(void __user *dst, con
9491 ret, "q", "", "er", 8);
9494 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9495 + dst += PAX_USER_SHADOW_BASE;
9496 return copy_user_generic((__force void *)dst, src, size);
9500 static __always_inline __must_check
9501 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9502 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9508 - if (!__builtin_constant_p(size))
9510 + if ((int)size < 0)
9513 + if (!__builtin_constant_p(size)) {
9514 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9515 + src += PAX_USER_SHADOW_BASE;
9516 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9517 + dst += PAX_USER_SHADOW_BASE;
9518 return copy_user_generic((__force void *)dst,
9519 (__force void *)src, size);
9524 @@ -204,6 +256,10 @@ int __copy_in_user(void __user *dst, con
9528 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9529 + src += PAX_USER_SHADOW_BASE;
9530 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9531 + dst += PAX_USER_SHADOW_BASE;
9532 return copy_user_generic((__force void *)dst,
9533 (__force void *)src, size);
9535 @@ -222,33 +278,45 @@ __must_check unsigned long __clear_user(
9536 static __must_check __always_inline int
9537 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9539 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9540 + src += PAX_USER_SHADOW_BASE;
9541 return copy_user_generic(dst, (__force const void *)src, size);
9544 -static __must_check __always_inline int
9545 +static __must_check __always_inline unsigned long
9546 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9548 + if ((int)size < 0)
9551 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9552 + dst += PAX_USER_SHADOW_BASE;
9553 return copy_user_generic((__force void *)dst, src, size);
9556 -extern long __copy_user_nocache(void *dst, const void __user *src,
9557 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9558 unsigned size, int zerorest);
9561 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9562 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9566 + if ((int)size < 0)
9569 return __copy_user_nocache(dst, src, size, 1);
9573 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9574 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9577 + if ((int)size < 0)
9580 return __copy_user_nocache(dst, src, size, 0);
9584 +extern unsigned long
9585 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9587 #endif /* _ASM_X86_UACCESS_64_H */
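Review bot: `__copy_from_user_inatomic` receives only the shadow-base adjustment: it keeps its `int` return type and, as far as the hunk shows, gets no `if ((int)size < 0)` guard. `__copy_to_user_inatomic` directly below is changed to return `unsigned long` and gains that guard. Unless the asymmetry is intentional, the read side should be made parallel with `static __must_check __always_inline unsigned long` and the same early return on a negative size (the sibling's return line is not visible here). If it is intentional, a one-line comment on `__copy_from_user_inatomic` saying why the length is not checked would help.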
9588 diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess.h linux-2.6.35.4/arch/x86/include/asm/uaccess.h
9589 --- linux-2.6.35.4/arch/x86/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
9590 +++ linux-2.6.35.4/arch/x86/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
9592 #include <linux/thread_info.h>
9593 #include <linux/prefetch.h>
9594 #include <linux/string.h>
9595 +#include <linux/sched.h>
9596 #include <asm/asm.h>
9597 #include <asm/page.h>
9599 #define VERIFY_READ 0
9600 #define VERIFY_WRITE 1
9602 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9605 * The fs value determines whether argument validity checking should be
9606 * performed or not. If get_fs() == USER_DS, checking is performed, with
9609 #define get_ds() (KERNEL_DS)
9610 #define get_fs() (current_thread_info()->addr_limit)
9611 +#ifdef CONFIG_X86_32
9612 +void __set_fs(mm_segment_t x, int cpu);
9613 +void set_fs(mm_segment_t x);
9615 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9618 #define segment_eq(a, b) ((a).seg == (b).seg)
9621 * checks that the pointer is in the user space range - after calling
9622 * this function, memory access functions may still return -EFAULT.
9624 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9625 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9626 +#define access_ok(type, addr, size) \
9628 + long __size = size; \
9629 + unsigned long __addr = (unsigned long)addr; \
9630 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9631 + unsigned long __end_ao = __addr + __size - 1; \
9632 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9633 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9634 + while(__addr_ao <= __end_ao) { \
9636 + __addr_ao += PAGE_SIZE; \
9637 + if (__size > PAGE_SIZE) \
9639 + if (__get_user(__c_ao, (char __user *)__addr)) \
9641 + if (type != VERIFY_WRITE) { \
9642 + __addr = __addr_ao; \
9645 + if (__put_user(__c_ao, (char __user *)__addr)) \
9647 + __addr = __addr_ao; \
9654 * The exception table consists of pairs of addresses: the first is the
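Review bot: The new `access_ok` macro uses its arguments without parentheses: `(unsigned long)addr` applies the cast to the first operand only, so a call such as `access_ok(type, p + 1, n)` would add one byte instead of one element, and `long __size = size;` and `type != VERIFY_WRITE` carry the same hazard. These should read `unsigned long __addr = (unsigned long)(addr);`, `long __size = (size);` and `if ((type) != VERIFY_WRITE) {`. The macro now also reads, and for `VERIFY_WRITE` writes back, a byte per page through `__get_user`/`__put_user`, so the comment above it should state that `access_ok` can touch user memory and fault. Several lines of the macro body are not visible in this hunk.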
9655 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
9656 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9657 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9660 +#ifdef CONFIG_X86_32
9661 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
9662 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
9664 +#define _ASM_LOAD_USER_DS(ds)
9665 +#define _ASM_LOAD_KERNEL_DS
9668 #ifdef CONFIG_X86_32
9669 #define __put_user_asm_u64(x, addr, err, errret) \
9670 - asm volatile("1: movl %%eax,0(%2)\n" \
9671 - "2: movl %%edx,4(%2)\n" \
9672 + asm volatile(_ASM_LOAD_USER_DS(5) \
9673 + "1: movl %%eax,%%ds:0(%2)\n" \
9674 + "2: movl %%edx,%%ds:4(%2)\n" \
9676 + _ASM_LOAD_KERNEL_DS \
9677 ".section .fixup,\"ax\"\n" \
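Review bot: `_ASM_LOAD_USER_DS(5)` and `_ASM_LOAD_USER_DS(2)` hard-code the position of the `"r"(__USER_DS)` operand that each caller appends to its constraint list, so adding or reordering an operand in any of these macros silently loads `%ds` from the wrong register. A named operand removes the coupling: declare it as `[uds] "r"(__USER_DS)` and invoke `_ASM_LOAD_USER_DS([uds])`, which the existing `"movw %w" #ds ",%%ds\n"` expands to `%w[uds]`. The same applies to `__put_user_asm_ex_u64`, `__get_user_asm`, `__get_user_asm_ex`, `__put_user_asm` and `__put_user_asm_ex` in the later hunks. Where those macros are shared with 64-bit builds the load expands to nothing, but the extra `"r"` input is still allocated a register, so the operand could be made conditional too.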
9680 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
9681 _ASM_EXTABLE(1b, 4b) \
9682 _ASM_EXTABLE(2b, 4b) \
9684 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
9685 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
9688 #define __put_user_asm_ex_u64(x, addr) \
9689 - asm volatile("1: movl %%eax,0(%1)\n" \
9690 - "2: movl %%edx,4(%1)\n" \
9691 + asm volatile(_ASM_LOAD_USER_DS(2) \
9692 + "1: movl %%eax,%%ds:0(%1)\n" \
9693 + "2: movl %%edx,%%ds:4(%1)\n" \
9695 + _ASM_LOAD_KERNEL_DS \
9696 _ASM_EXTABLE(1b, 2b - 1b) \
9697 _ASM_EXTABLE(2b, 3b - 2b) \
9698 - : : "A" (x), "r" (addr))
9699 + : : "A" (x), "r" (addr), "r"(__USER_DS))
9701 #define __put_user_x8(x, ptr, __ret_pu) \
9702 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
9703 @@ -374,16 +419,18 @@ do { \
9706 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9707 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9708 + asm volatile(_ASM_LOAD_USER_DS(5) \
9709 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
9711 + _ASM_LOAD_KERNEL_DS \
9712 ".section .fixup,\"ax\"\n" \
9714 " xor"itype" %"rtype"1,%"rtype"1\n" \
9717 _ASM_EXTABLE(1b, 3b) \
9718 - : "=r" (err), ltype(x) \
9719 - : "m" (__m(addr)), "i" (errret), "0" (err))
9720 + : "=r" (err), ltype (x) \
9721 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
9723 #define __get_user_size_ex(x, ptr, size) \
9725 @@ -407,10 +454,12 @@ do { \
9728 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9729 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9730 + asm volatile(_ASM_LOAD_USER_DS(2) \
9731 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
9733 + _ASM_LOAD_KERNEL_DS \
9734 _ASM_EXTABLE(1b, 2b - 1b) \
9735 - : ltype(x) : "m" (__m(addr)))
9736 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
9738 #define __put_user_nocheck(x, ptr, size) \
9740 @@ -424,13 +473,24 @@ do { \
9742 unsigned long __gu_val; \
9743 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9744 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9745 + (x) = (__typeof__(*(ptr)))__gu_val; \
9749 /* FIXME: this hack is definitely wrong -AK */
9750 struct __large_struct { unsigned long buf[100]; };
9751 -#define __m(x) (*(struct __large_struct __user *)(x))
9752 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9755 + unsigned long ____x = (unsigned long)(x); \
9756 + if (____x < PAX_USER_SHADOW_BASE) \
9757 + ____x += PAX_USER_SHADOW_BASE; \
9758 + (void __user *)____x; \
9761 +#define ____m(x) (x)
9763 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9766 * Tell gcc we read from memory instead of writing: this is because
9767 @@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
9770 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9771 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9772 + asm volatile(_ASM_LOAD_USER_DS(5) \
9773 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
9775 + _ASM_LOAD_KERNEL_DS \
9776 ".section .fixup,\"ax\"\n" \
9780 _ASM_EXTABLE(1b, 3b) \
9782 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9783 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
9786 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9787 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9788 + asm volatile(_ASM_LOAD_USER_DS(2) \
9789 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
9791 + _ASM_LOAD_KERNEL_DS \
9792 _ASM_EXTABLE(1b, 2b - 1b) \
9793 - : : ltype(x), "m" (__m(addr)))
9794 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
9797 * uaccess_try and catch
9798 @@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
9799 #define get_user_ex(x, ptr) do { \
9800 unsigned long __gue_val; \
9801 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9802 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9803 + (x) = (__typeof__(*(ptr)))__gue_val; \
9806 #ifdef CONFIG_X86_WP_WORKS_OK
9807 @@ -567,6 +632,7 @@ extern struct movsl_mask {
9809 #define ARCH_HAS_NOCACHE_UACCESS 1
9811 +#define ARCH_HAS_SORT_EXTABLE
9812 #ifdef CONFIG_X86_32
9813 # include "uaccess_32.h"
9815 diff -urNp linux-2.6.35.4/arch/x86/include/asm/vgtod.h linux-2.6.35.4/arch/x86/include/asm/vgtod.h
9816 --- linux-2.6.35.4/arch/x86/include/asm/vgtod.h 2010-08-26 19:47:12.000000000 -0400
9817 +++ linux-2.6.35.4/arch/x86/include/asm/vgtod.h 2010-09-17 20:12:09.000000000 -0400
9818 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
9820 struct timezone sys_tz;
9821 struct { /* extract of a clocksource struct */
9823 cycle_t (*vread)(void);
9826 diff -urNp linux-2.6.35.4/arch/x86/include/asm/vmi.h linux-2.6.35.4/arch/x86/include/asm/vmi.h
9827 --- linux-2.6.35.4/arch/x86/include/asm/vmi.h 2010-08-26 19:47:12.000000000 -0400
9828 +++ linux-2.6.35.4/arch/x86/include/asm/vmi.h 2010-09-17 20:12:09.000000000 -0400
9829 @@ -191,6 +191,7 @@ struct vrom_header {
9830 u8 reserved[96]; /* Reserved for headers */
9831 char vmi_init[8]; /* VMI_Init jump point */
9832 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
9833 + char rom_data[8048]; /* rest of the option ROM */
9834 } __attribute__((packed));
9837 diff -urNp linux-2.6.35.4/arch/x86/include/asm/vsyscall.h linux-2.6.35.4/arch/x86/include/asm/vsyscall.h
9838 --- linux-2.6.35.4/arch/x86/include/asm/vsyscall.h 2010-08-26 19:47:12.000000000 -0400
9839 +++ linux-2.6.35.4/arch/x86/include/asm/vsyscall.h 2010-09-17 20:12:09.000000000 -0400
9840 @@ -15,9 +15,10 @@ enum vsyscall_num {
9843 #include <linux/seqlock.h>
9844 +#include <linux/getcpu.h>
9845 +#include <linux/time.h>
9847 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9848 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9850 /* Definitions for CONFIG_GENERIC_TIME definitions */
9851 #define __section_vsyscall_gtod_data __attribute__ \
9852 @@ -31,7 +32,6 @@ enum vsyscall_num {
9853 #define VGETCPU_LSL 2
9855 extern int __vgetcpu_mode;
9856 -extern volatile unsigned long __jiffies;
9858 /* kernel space (writeable) */
9859 extern int vgetcpu_mode;
9860 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9862 extern void map_vsyscall(void);
9864 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9865 +extern time_t vtime(time_t *t);
9866 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9867 #endif /* __KERNEL__ */
9869 #endif /* _ASM_X86_VSYSCALL_H */
9870 diff -urNp linux-2.6.35.4/arch/x86/include/asm/xsave.h linux-2.6.35.4/arch/x86/include/asm/xsave.h
9871 --- linux-2.6.35.4/arch/x86/include/asm/xsave.h 2010-08-26 19:47:12.000000000 -0400
9872 +++ linux-2.6.35.4/arch/x86/include/asm/xsave.h 2010-09-17 20:12:09.000000000 -0400
9873 @@ -59,6 +59,12 @@ static inline int fpu_xrstor_checking(st
9874 static inline int xsave_user(struct xsave_struct __user *buf)
9878 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9879 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
9880 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
9883 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
9885 ".section .fixup,\"ax\"\n"
9886 @@ -85,6 +91,11 @@ static inline int xrestore_user(struct x
9888 u32 hmask = mask >> 32;
9890 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9891 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
9892 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
9895 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
9897 ".section .fixup,\"ax\"\n"
9898 diff -urNp linux-2.6.35.4/arch/x86/Kconfig linux-2.6.35.4/arch/x86/Kconfig
9899 --- linux-2.6.35.4/arch/x86/Kconfig 2010-08-26 19:47:12.000000000 -0400
9900 +++ linux-2.6.35.4/arch/x86/Kconfig 2010-09-17 20:12:37.000000000 -0400
9901 @@ -1038,7 +1038,7 @@ choice
9905 - depends on !X86_NUMAQ
9906 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9908 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
9909 However, the address space of 32-bit x86 processors is only 4
9910 @@ -1075,7 +1075,7 @@ config NOHIGHMEM
9914 - depends on !X86_NUMAQ
9915 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9917 Select this if you have a 32-bit processor and between 1 and 4
9918 gigabytes of physical RAM.
9919 @@ -1129,7 +1129,7 @@ config PAGE_OFFSET
9921 default 0xB0000000 if VMSPLIT_3G_OPT
9922 default 0x80000000 if VMSPLIT_2G
9923 - default 0x78000000 if VMSPLIT_2G_OPT
9924 + default 0x70000000 if VMSPLIT_2G_OPT
9925 default 0x40000000 if VMSPLIT_1G
9928 @@ -1461,7 +1461,7 @@ config ARCH_USES_PG_UNCACHED
9931 bool "EFI runtime service support"
9933 + depends on ACPI && !PAX_KERNEXEC
9935 This enables the kernel to use EFI runtime services that are
9936 available (such as the EFI variable services).
9937 @@ -1548,6 +1548,7 @@ config KEXEC_JUMP
9938 config PHYSICAL_START
9939 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9941 + range 0x400000 0x40000000
9943 This gives the physical address where the kernel is loaded.
9945 @@ -1611,6 +1612,7 @@ config X86_NEED_RELOCS
9946 config PHYSICAL_ALIGN
9947 hex "Alignment value to which kernel should be aligned" if X86_32
9949 + range 0x400000 0x1000000 if PAX_KERNEXEC
9950 range 0x2000 0x1000000
9952 This value puts the alignment restrictions on physical address
9953 @@ -1642,9 +1644,10 @@ config HOTPLUG_CPU
9954 Say N if you want to disable CPU hotplug.
9959 prompt "Compat VDSO support"
9960 depends on X86_32 || IA32_EMULATION
9961 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9963 Map the 32-bit VDSO to the predictable old-style address too.
9965 diff -urNp linux-2.6.35.4/arch/x86/Kconfig.cpu linux-2.6.35.4/arch/x86/Kconfig.cpu
9966 --- linux-2.6.35.4/arch/x86/Kconfig.cpu 2010-08-26 19:47:12.000000000 -0400
9967 +++ linux-2.6.35.4/arch/x86/Kconfig.cpu 2010-09-17 20:12:09.000000000 -0400
9968 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9972 - depends on M586MMX || M586TSC || M586 || M486 || M386
9973 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9977 @@ -360,7 +360,7 @@ config X86_POPAD_OK
9979 config X86_ALIGNMENT_16
9981 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9982 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9984 config X86_INTEL_USERCOPY
9986 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
9990 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9991 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9993 config X86_MINIMUM_CPU_FAMILY
9995 diff -urNp linux-2.6.35.4/arch/x86/Kconfig.debug linux-2.6.35.4/arch/x86/Kconfig.debug
9996 --- linux-2.6.35.4/arch/x86/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
9997 +++ linux-2.6.35.4/arch/x86/Kconfig.debug 2010-09-17 20:12:09.000000000 -0400
9998 @@ -97,7 +97,7 @@ config X86_PTDUMP
10000 bool "Write protect kernel read-only data structures"
10002 - depends on DEBUG_KERNEL
10003 + depends on DEBUG_KERNEL && BROKEN
10005 Mark the kernel read-only data as write-protected in the pagetables,
10006 in order to catch accidental (and incorrect) writes to such const
10007 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/boot.c linux-2.6.35.4/arch/x86/kernel/acpi/boot.c
10008 --- linux-2.6.35.4/arch/x86/kernel/acpi/boot.c 2010-08-26 19:47:12.000000000 -0400
10009 +++ linux-2.6.35.4/arch/x86/kernel/acpi/boot.c 2010-09-17 20:12:09.000000000 -0400
10010 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
10011 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10015 + { NULL, NULL, {{0, {0}}}, NULL}
10019 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S
10020 --- linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S 2010-08-26 19:47:12.000000000 -0400
10021 +++ linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S 2010-09-17 20:12:09.000000000 -0400
10022 @@ -104,7 +104,7 @@ _start:
10026 - movl $0xc0000080, %ecx
10027 + mov $MSR_EFER, %ecx
10031 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c
10032 --- linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
10033 +++ linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
10034 @@ -11,11 +11,12 @@
10035 #include <linux/cpumask.h>
10036 #include <asm/segment.h>
10037 #include <asm/desc.h>
10038 +#include <asm/e820.h>
10040 #include "realmode/wakeup.h"
10043 -unsigned long acpi_wakeup_address;
10044 +unsigned long acpi_wakeup_address = 0x2000;
10045 unsigned long acpi_realmode_flags;
10047 /* address in low memory of the wakeup routine. */
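Review bot: The new initializer `acpi_wakeup_address = 0x2000` is a bare literal with no indication of why that address is chosen or what keeps the page free for the wakeup code. The hunk also adds `#include <asm/e820.h>`, which suggests a reservation is made elsewhere, but that code is not visible here. A named constant shared with that code, or at least a comment on the definition pointing to where the range is reserved, would keep the two from drifting apart.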
10048 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
10049 header->trampoline_segment = setup_trampoline() >> 4;
10051 stack_start.sp = temp_stack + sizeof(temp_stack);
10053 + pax_open_kernel();
10054 early_gdt_descr.address =
10055 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10056 + pax_close_kernel();
10058 initial_gs = per_cpu_offset(smp_processor_id());
10060 initial_code = (unsigned long)wakeup_long64;
10061 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S
10062 --- linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S 2010-08-26 19:47:12.000000000 -0400
10063 +++ linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S 2010-09-17 20:12:09.000000000 -0400
10064 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10065 # and restore the stack ... but you need gdt for this to work
10066 movl saved_context_esp, %esp
10068 - movl %cs:saved_magic, %eax
10069 - cmpl $0x12345678, %eax
10070 + cmpl $0x12345678, saved_magic
10073 # jump to place where we left off
10074 - movl saved_eip, %eax
10080 diff -urNp linux-2.6.35.4/arch/x86/kernel/alternative.c linux-2.6.35.4/arch/x86/kernel/alternative.c
10081 --- linux-2.6.35.4/arch/x86/kernel/alternative.c 2010-08-26 19:47:12.000000000 -0400
10082 +++ linux-2.6.35.4/arch/x86/kernel/alternative.c 2010-09-17 20:12:09.000000000 -0400
10083 @@ -247,7 +247,7 @@ static void alternatives_smp_lock(const
10084 if (!*poff || ptr < text || ptr >= text_end)
10086 /* turn DS segment override prefix into lock prefix */
10087 - if (*ptr == 0x3e)
10088 + if (*ktla_ktva(ptr) == 0x3e)
10089 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10091 mutex_unlock(&text_mutex);
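Review bot: The check now reads the byte through `ktla_ktva(ptr)` while the following `text_poke(ptr, ...)` still receives the untranslated pointer, and nothing at the call site says which address form each helper expects. text_poke() applies the translation itself in a later hunk of this file, so the code is consistent, but the asymmetry reads like an oversight. A short comment such as `/* read via the ktla_ktva() alias; text_poke() translates addr itself */` would settle it here, in alternatives_smp_unlock() and at the memcpy in apply_paravirt(). The enclosing function starts outside the hunk.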
10092 @@ -268,7 +268,7 @@ static void alternatives_smp_unlock(cons
10093 if (!*poff || ptr < text || ptr >= text_end)
10095 /* turn lock prefix into DS segment override prefix */
10096 - if (*ptr == 0xf0)
10097 + if (*ktla_ktva(ptr) == 0xf0)
10098 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10100 mutex_unlock(&text_mutex);
10101 @@ -436,7 +436,7 @@ void __init_or_module apply_paravirt(str
10103 BUG_ON(p->len > MAX_PATCH_LEN);
10104 /* prep the buffer with the original instructions */
10105 - memcpy(insnbuf, p->instr, p->len);
10106 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10107 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10108 (unsigned long)p->instr, p->len);
10110 @@ -504,7 +504,7 @@ void __init alternative_instructions(voi
10112 free_init_pages("SMP alternatives",
10113 (unsigned long)__smp_locks,
10114 - (unsigned long)__smp_locks_end);
10115 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10119 @@ -521,13 +521,17 @@ void __init alternative_instructions(voi
10120 * instructions. And on the local CPU you need to be protected again NMI or MCE
10121 * handlers seeing an inconsistent instruction while you patch.
10123 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
10124 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
10127 unsigned long flags;
10128 local_irq_save(flags);
10129 - memcpy(addr, opcode, len);
10131 + pax_open_kernel();
10132 + memcpy(ktla_ktva(addr), opcode, len);
10134 + pax_close_kernel();
10136 local_irq_restore(flags);
10137 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10138 that causes hangs on some VIA CPUs. */
10139 @@ -549,36 +553,22 @@ static void *__init_or_module text_poke_
10141 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10143 - unsigned long flags;
10145 + unsigned char *vaddr = ktla_ktva(addr);
10146 struct page *pages[2];
10150 if (!core_kernel_text((unsigned long)addr)) {
10151 - pages[0] = vmalloc_to_page(addr);
10152 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10153 + pages[0] = vmalloc_to_page(vaddr);
10154 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10156 - pages[0] = virt_to_page(addr);
10157 + pages[0] = virt_to_page(vaddr);
10158 WARN_ON(!PageReserved(pages[0]));
10159 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10160 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10163 - local_irq_save(flags);
10164 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10166 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10167 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10168 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10169 - clear_fixmap(FIX_TEXT_POKE0);
10171 - clear_fixmap(FIX_TEXT_POKE1);
10172 - local_flush_tlb();
10174 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10175 - that causes hangs on some VIA CPUs. */
10176 + text_poke_early(addr, opcode, len);
10177 for (i = 0; i < len; i++)
10178 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10179 - local_irq_restore(flags);
10180 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
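Review bot: After this rewrite the `pages[]` lookups in text_poke() no longer feed the write. The fixmap calls that consumed `pages[0]` and `pages[1]` are removed and the write goes through `text_poke_early(addr, opcode, len)`, so in the lines shown `pages[1]` is assigned and never read. I would drop the second lookup in both branches and mark what remains as a check only, e.g. `/* sanity check only; the write itself goes through text_poke_early() */`. text_poke_early() also trades `__init_or_module` for `__kprobes` in the previous hunk because it is now the runtime write path, so its name and header comment no longer describe it. Some lines of the function body are not part of the hunk as shown, so a remaining use of `pages[1]` cannot be ruled out from here.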
10184 diff -urNp linux-2.6.35.4/arch/x86/kernel/amd_iommu.c linux-2.6.35.4/arch/x86/kernel/amd_iommu.c
10185 --- linux-2.6.35.4/arch/x86/kernel/amd_iommu.c 2010-08-26 19:47:12.000000000 -0400
10186 +++ linux-2.6.35.4/arch/x86/kernel/amd_iommu.c 2010-09-17 20:12:09.000000000 -0400
10187 @@ -2284,7 +2284,7 @@ static void prealloc_protection_domains(
10191 -static struct dma_map_ops amd_iommu_dma_ops = {
10192 +static const struct dma_map_ops amd_iommu_dma_ops = {
10193 .alloc_coherent = alloc_coherent,
10194 .free_coherent = free_coherent,
10195 .map_page = map_page,
10196 diff -urNp linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c
10197 --- linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c 2010-08-26 19:47:12.000000000 -0400
10198 +++ linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c 2010-09-17 20:12:09.000000000 -0400
10199 @@ -691,7 +691,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10200 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10202 if (!ioapic_entries)
10206 for (apic = 0; apic < nr_ioapics; apic++) {
10207 ioapic_entries[apic] =
10208 @@ -708,7 +708,7 @@ nomem:
10209 kfree(ioapic_entries[apic]);
10210 kfree(ioapic_entries);
10217 @@ -1118,7 +1118,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10219 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10221 -void lock_vector_lock(void)
10222 +void lock_vector_lock(void) __acquires(vector_lock)
10224 /* Used to the online set of cpus does not change
10225 * during assign_irq_vector.
10226 @@ -1126,7 +1126,7 @@ void lock_vector_lock(void)
10227 raw_spin_lock(&vector_lock);
10230 -void unlock_vector_lock(void)
10231 +void unlock_vector_lock(void) __releases(vector_lock)
10233 raw_spin_unlock(&vector_lock);
10235 diff -urNp linux-2.6.35.4/arch/x86/kernel/apm_32.c linux-2.6.35.4/arch/x86/kernel/apm_32.c
10236 --- linux-2.6.35.4/arch/x86/kernel/apm_32.c 2010-08-26 19:47:12.000000000 -0400
10237 +++ linux-2.6.35.4/arch/x86/kernel/apm_32.c 2010-09-17 20:12:09.000000000 -0400
10238 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10239 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10240 * even though they are called in protected mode.
10242 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10243 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10244 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10246 static const char driver_version[] = "1.16ac"; /* no spaces */
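Review bot: The flags value of `bad_bios_desc` changes from `0x4092` to `0x4093` without a comment, and the only difference is the descriptor's accessed bit. The CPU sets that bit in the table entry when the segment is loaded, which is a write to the GDT. If the GDT is otherwise read-only, as the pax_open_kernel()/pax_close_kernel() pairs around the GDT stores later in this file suggest, pre-setting the bit looks deliberate. A one-line comment would keep someone from changing it back: `/* accessed bit pre-set so loading the segment never writes to the GDT */`.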
10247 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10249 gdt = get_cpu_gdt_table(cpu);
10250 save_desc_40 = gdt[0x40 / 8];
10252 + pax_open_kernel();
10253 gdt[0x40 / 8] = bad_bios_desc;
10254 + pax_close_kernel();
10256 apm_irq_save(flags);
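Review bot: The open/store/close triple around `gdt[0x40 / 8]` is written out four times, here and in the next three hunks of __apm_bios_call() and __apm_bios_call_simple(). Each copy is a place where a later edit can leave the write window open on an early return, so a single static helper that owns the window is the safer shape. The fence below shows the helper and one call site; the restore path would call it with `&save_desc_40`. Both functions begin and end outside these hunks.

```c
/* Store one descriptor into the 0x40 GDT slot inside the kernel write window. */
static void apm_set_desc_40(struct desc_struct *gdt, const struct desc_struct *desc)
{
	pax_open_kernel();
	gdt[0x40 / 8] = *desc;
	pax_close_kernel();
}

/* ... unchanged: cpu lookup and save_desc_40 = gdt[0x40 / 8] ... */
	apm_set_desc_40(gdt, &bad_bios_desc);
/* ... unchanged: apm_irq_save(flags) and the BIOS call ... */
```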
10258 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10260 APM_DO_RESTORE_SEGS;
10261 apm_irq_restore(flags);
10263 + pax_open_kernel();
10264 gdt[0x40 / 8] = save_desc_40;
10265 + pax_close_kernel();
10269 return call->eax & 0xff;
10270 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10272 gdt = get_cpu_gdt_table(cpu);
10273 save_desc_40 = gdt[0x40 / 8];
10275 + pax_open_kernel();
10276 gdt[0x40 / 8] = bad_bios_desc;
10277 + pax_close_kernel();
10279 apm_irq_save(flags);
10281 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10283 APM_DO_RESTORE_SEGS;
10284 apm_irq_restore(flags);
10286 + pax_open_kernel();
10287 gdt[0x40 / 8] = save_desc_40;
10288 + pax_close_kernel();
10293 @@ -975,7 +989,7 @@ recalc:
10295 static void apm_power_off(void)
10297 - unsigned char po_bios_call[] = {
10298 + const unsigned char po_bios_call[] = {
10299 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10300 0x8e, 0xd0, /* movw ax,ss */
10301 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10302 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
10303 static struct miscdevice apm_device = {
10314 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
10315 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10319 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10323 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
10324 * code to that CPU.
10326 gdt = get_cpu_gdt_table(0);
10328 + pax_open_kernel();
10329 set_desc_base(&gdt[APM_CS >> 3],
10330 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10331 set_desc_base(&gdt[APM_CS_16 >> 3],
10332 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10333 set_desc_base(&gdt[APM_DS >> 3],
10334 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10335 + pax_close_kernel();
10337 proc_create("apm", 0, NULL, &apm_file_ops);
10339 diff -urNp linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c
10340 --- linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c 2010-08-26 19:47:12.000000000 -0400
10341 +++ linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c 2010-09-17 20:12:09.000000000 -0400
10342 @@ -115,6 +115,11 @@ void foo(void)
10343 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10344 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10345 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10347 +#ifdef CONFIG_PAX_KERNEXEC
10348 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10354 diff -urNp linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c
10355 --- linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c 2010-08-26 19:47:12.000000000 -0400
10356 +++ linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c 2010-09-17 20:12:09.000000000 -0400
10357 @@ -63,6 +63,18 @@ int main(void)
10358 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10359 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10360 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10362 +#ifdef CONFIG_PAX_KERNEXEC
10363 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10364 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10367 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10368 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10369 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10370 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10376 @@ -115,6 +127,7 @@ int main(void)
10380 + DEFINE(TSS_size, sizeof(struct tss_struct));
10381 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10383 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10384 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/common.c linux-2.6.35.4/arch/x86/kernel/cpu/common.c
10385 --- linux-2.6.35.4/arch/x86/kernel/cpu/common.c 2010-08-26 19:47:12.000000000 -0400
10386 +++ linux-2.6.35.4/arch/x86/kernel/cpu/common.c 2010-09-17 20:12:09.000000000 -0400
10387 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10389 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10391 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10392 -#ifdef CONFIG_X86_64
10394 - * We need valid kernel segments for data and code in long mode too
10395 - * IRET will check the segment types kkeil 2000/10/28
10396 - * Also sysret mandates a special GDT layout
10398 - * TLS descriptors are currently at a different place compared to i386.
10399 - * Hopefully nobody expects them at a fixed place (Wine?)
10401 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10402 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10403 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10404 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10405 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10406 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10408 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10409 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10410 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10411 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10413 - * Segments used for calling PnP BIOS have byte granularity.
10414 - * They code segments and data segments have fixed 64k limits,
10415 - * the transfer segment sizes are set at run time.
10417 - /* 32-bit code */
10418 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10419 - /* 16-bit code */
10420 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10421 - /* 16-bit data */
10422 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10423 - /* 16-bit data */
10424 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10425 - /* 16-bit data */
10426 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10428 - * The APM segments have byte granularity and their bases
10429 - * are set at run time. All have 64k limits.
10431 - /* 32-bit code */
10432 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10433 - /* 16-bit code */
10434 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10436 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10438 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10439 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10440 - GDT_STACK_CANARY_INIT
10443 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10445 static int __init x86_xsave_setup(char *s)
10447 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10448 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
10450 struct desc_ptr gdt_descr;
10452 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10453 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10454 gdt_descr.size = GDT_SIZE - 1;
10455 load_gdt(&gdt_descr);
10456 /* Reload the per-cpu base */
10457 @@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
10458 /* Filter out anything that depends on CPUID levels we don't have */
10459 filter_cpuid_features(c, true);
10461 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10462 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10465 /* If the model name is still unset, do table lookup. */
10466 if (!c->x86_model_id[0]) {
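Review bot: The added `setup_clear_cpu_cap(X86_FEATURE_SEP);` disables SYSENTER/SYSEXIT for three separate configuration combinations, and the hunk gives no reason. SYSENTER and SYSEXIT load code and stack segments with a fixed flat base and limit, which presumably cannot coexist with the segment limits these options depend on. If that is the reason, it belongs next to the `#if`: `/* SYSENTER/SYSEXIT force flat segments, incompatible with the segment setup used here */`. Without it the three-way condition is hard to keep correct when another option is added. identify_cpu() continues outside the hunk.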
10468 @@ -1117,7 +1067,7 @@ void __cpuinit cpu_init(void)
10471 cpu = stack_smp_processor_id();
10472 - t = &per_cpu(init_tss, cpu);
10473 + t = init_tss + cpu;
10474 oist = &per_cpu(orig_ist, cpu);
10477 @@ -1143,7 +1093,7 @@ void __cpuinit cpu_init(void)
10478 switch_to_new_gdt(cpu);
10479 loadsegment(fs, 0);
10481 - load_idt((const struct desc_ptr *)&idt_descr);
10482 + load_idt(&idt_descr);
10484 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10486 @@ -1205,7 +1155,7 @@ void __cpuinit cpu_init(void)
10488 int cpu = smp_processor_id();
10489 struct task_struct *curr = current;
10490 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10491 + struct tss_struct *t = init_tss + cpu;
10492 struct thread_struct *thread = &curr->thread;
10494 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10495 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10496 --- linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-08-26 19:47:12.000000000 -0400
10497 +++ linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-09-17 20:12:09.000000000 -0400
10498 @@ -484,7 +484,7 @@ static const struct dmi_system_id sw_any
10499 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10503 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10506 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10507 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10508 --- linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-08-26 19:47:12.000000000 -0400
10509 +++ linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-09-17 20:12:09.000000000 -0400
10510 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10511 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10512 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10515 + { NULL, NULL, 0, NULL}
10519 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/intel.c linux-2.6.35.4/arch/x86/kernel/cpu/intel.c
10520 --- linux-2.6.35.4/arch/x86/kernel/cpu/intel.c 2010-08-26 19:47:12.000000000 -0400
10521 +++ linux-2.6.35.4/arch/x86/kernel/cpu/intel.c 2010-09-17 20:12:09.000000000 -0400
10522 @@ -160,7 +160,7 @@ static void __cpuinit trap_init_f00f_bug
10523 * Update the IDT descriptor and reload the IDT so that
10524 * it uses the read-only mapped virtual address.
10526 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10527 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10528 load_idt(&idt_descr);
10531 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/Makefile linux-2.6.35.4/arch/x86/kernel/cpu/Makefile
10532 --- linux-2.6.35.4/arch/x86/kernel/cpu/Makefile 2010-08-26 19:47:12.000000000 -0400
10533 +++ linux-2.6.35.4/arch/x86/kernel/cpu/Makefile 2010-09-17 20:12:09.000000000 -0400
10534 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10535 CFLAGS_REMOVE_perf_event.o = -pg
10538 -# Make sure load_percpu_segment has no stackprotector
10539 -nostackp := $(call cc-option, -fno-stack-protector)
10540 -CFLAGS_common.o := $(nostackp)
10542 obj-y := intel_cacheinfo.o addon_cpuid_features.o
10543 obj-y += proc.o capflags.o powerflags.o common.o
10544 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
10545 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c
10546 --- linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c 2010-08-26 19:47:12.000000000 -0400
10547 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c 2010-09-17 20:12:09.000000000 -0400
10548 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10549 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10552 - if (m->cs == __KERNEL_CS)
10553 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10554 print_symbol("{%s}", m->ip);
10557 @@ -1471,14 +1471,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10560 static DEFINE_SPINLOCK(mce_state_lock);
10561 -static int open_count; /* #times opened */
10562 +static atomic_t open_count; /* #times opened */
10563 static int open_exclu; /* already open exclusive? */
10565 static int mce_open(struct inode *inode, struct file *file)
10567 spin_lock(&mce_state_lock);
10569 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10570 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10571 spin_unlock(&mce_state_lock);
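Review bot: `open_count` becomes an `atomic_t`, yet every access in these hunks (the `atomic_read` in mce_open(), the `atomic_inc` and `atomic_dec` in the next two hunks) still happens under `mce_state_lock`, so the type is not needed for mutual exclusion. If the intent is overflow-checked counting rather than lock-free access, the declaration should say so, e.g. `static atomic_t open_count; /* #times opened; atomic_t for overflow checking, still under mce_state_lock */`. Otherwise a later cleanup is likely to turn it back into a plain `int`.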
10574 @@ -1486,7 +1486,7 @@ static int mce_open(struct inode *inode,
10576 if (file->f_flags & O_EXCL)
10579 + atomic_inc(&open_count);
10581 spin_unlock(&mce_state_lock);
10583 @@ -1497,7 +1497,7 @@ static int mce_release(struct inode *ino
10585 spin_lock(&mce_state_lock);
10588 + atomic_dec(&open_count);
10591 spin_unlock(&mce_state_lock);
10592 @@ -1683,6 +1683,7 @@ static struct miscdevice mce_log_device
10596 + {NULL, NULL}, NULL, NULL
10600 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c
10601 --- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c 2010-08-26 19:47:12.000000000 -0400
10602 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c 2010-09-17 20:12:09.000000000 -0400
10603 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10604 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10605 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10606 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10611 static unsigned long smp_changes_mask;
10612 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c
10613 --- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c 2010-08-26 19:47:12.000000000 -0400
10614 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c 2010-09-17 20:12:09.000000000 -0400
10615 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10616 u64 size_or_mask, size_and_mask;
10617 static bool mtrr_aps_delayed_init;
10619 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10620 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10622 const struct mtrr_ops *mtrr_if;
10624 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h
10625 --- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-08-26 19:47:12.000000000 -0400
10626 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-09-17 20:12:09.000000000 -0400
10627 @@ -12,19 +12,19 @@
10628 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10632 - u32 use_intel_if;
10633 - void (*set)(unsigned int reg, unsigned long base,
10634 + const u32 vendor;
10635 + const u32 use_intel_if;
10636 + void (* const set)(unsigned int reg, unsigned long base,
10637 unsigned long size, mtrr_type type);
10638 - void (*set_all)(void);
10639 + void (* const set_all)(void);
10641 - void (*get)(unsigned int reg, unsigned long *base,
10642 + void (* const get)(unsigned int reg, unsigned long *base,
10643 unsigned long *size, mtrr_type *type);
10644 - int (*get_free_region)(unsigned long base, unsigned long size,
10645 + int (* const get_free_region)(unsigned long base, unsigned long size,
10647 - int (*validate_add_page)(unsigned long base, unsigned long size,
10648 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10649 unsigned int type);
10650 - int (*have_wrcomb)(void);
10651 + int (* const have_wrcomb)(void);
10654 extern int generic_get_free_region(unsigned long base, unsigned long size,
10655 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c
10656 --- linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-08-26 19:47:12.000000000 -0400
10657 +++ linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-09-17 20:12:09.000000000 -0400
10658 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10660 /* Interface defining a CPU specific perfctr watchdog */
10662 - int (*reserve)(void);
10663 - void (*unreserve)(void);
10664 - int (*setup)(unsigned nmi_hz);
10665 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10666 - void (*stop)(void);
10667 + int (* const reserve)(void);
10668 + void (* const unreserve)(void);
10669 + int (* const setup)(unsigned nmi_hz);
10670 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10671 + void (* const stop)(void);
10675 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10676 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10677 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10679 +/* cannot be const, see probe_nmi_watchdog */
10680 static struct wd_ops intel_arch_wd_ops;
10682 static int setup_intel_arch_watchdog(unsigned nmi_hz)
10683 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10687 +/* cannot be const */
10688 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10689 .reserve = single_msr_reserve,
10690 .unreserve = single_msr_unreserve,
10691 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c
10692 --- linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c 2010-08-26 19:47:12.000000000 -0400
10693 +++ linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c 2010-09-17 20:12:09.000000000 -0400
10694 @@ -1685,7 +1685,7 @@ perf_callchain_user(struct pt_regs *regs
10697 callchain_store(entry, frame.return_address);
10698 - fp = frame.next_frame;
10699 + fp = (__force const void __user *)frame.next_frame;
10703 diff -urNp linux-2.6.35.4/arch/x86/kernel/crash.c linux-2.6.35.4/arch/x86/kernel/crash.c
10704 --- linux-2.6.35.4/arch/x86/kernel/crash.c 2010-08-26 19:47:12.000000000 -0400
10705 +++ linux-2.6.35.4/arch/x86/kernel/crash.c 2010-09-17 20:12:09.000000000 -0400
10706 @@ -40,7 +40,7 @@ static void kdump_nmi_callback(int cpu,
10709 #ifdef CONFIG_X86_32
10710 - if (!user_mode_vm(regs)) {
10711 + if (!user_mode(regs)) {
10712 crash_fixup_ss_esp(&fixed_regs, regs);
10713 regs = &fixed_regs;
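Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if user_mode() in this tree also recognises vm86 frames. The stock 2.6.35 helper on 32-bit tests only the CS privilege bits, while user_mode_vm() also tests the VM flag. A redefinition is not visible in this hunk, so as shown a vm86 frame could be treated as a kernel frame and handed to `crash_fixup_ss_esp()`. The same substitution appears in dumpstack_32.c (show_registers) and dumpstack.c (__die, die). A comment at the helper's definition stating that it now covers vm86 would make these call sites reviewable on their own.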
10715 diff -urNp linux-2.6.35.4/arch/x86/kernel/doublefault_32.c linux-2.6.35.4/arch/x86/kernel/doublefault_32.c
10716 --- linux-2.6.35.4/arch/x86/kernel/doublefault_32.c 2010-08-26 19:47:12.000000000 -0400
10717 +++ linux-2.6.35.4/arch/x86/kernel/doublefault_32.c 2010-09-17 20:12:09.000000000 -0400
10720 #define DOUBLEFAULT_STACKSIZE (1024)
10721 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10722 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10723 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10725 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
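Review bot: `STACK_START` now ends two `unsigned long` slots below the top of `doublefault_stack`, and the `-2` is unexplained. Whatever is expected to occupy those slots should be named in a comment on the macro, for example `/* leave two slots at the top of the stack for <reason> */` with the reason filled in by the author. As written, nobody can tell whether 2 is an exact requirement or slack.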
10727 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10728 unsigned long gdt, tss;
10730 store_gdt(&gdt_desc);
10731 - gdt = gdt_desc.address;
10732 + gdt = (unsigned long)gdt_desc.address;
10734 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10736 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10737 /* 0x2 bit is always set */
10738 .flags = X86_EFLAGS_SF | 0x2,
10741 + .es = __KERNEL_DS,
10745 + .ds = __KERNEL_DS,
10746 .fs = __KERNEL_PERCPU,
10748 .__cr3 = __pa_nodebug(swapper_pg_dir),
10749 diff -urNp linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c
10750 --- linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c 2010-08-26 19:47:12.000000000 -0400
10751 +++ linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c 2010-09-17 20:12:09.000000000 -0400
10752 @@ -107,11 +107,12 @@ void show_registers(struct pt_regs *regs
10753 * When in-kernel, we also print out the stack and code at the
10754 * time of the fault..
10756 - if (!user_mode_vm(regs)) {
10757 + if (!user_mode(regs)) {
10758 unsigned int code_prologue = code_bytes * 43 / 64;
10759 unsigned int code_len = code_bytes;
10762 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10764 printk(KERN_EMERG "Stack:\n");
10765 show_stack_log_lvl(NULL, regs, ®s->sp,
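Review bot: The new `cs_base` line uses `(0xffff & regs->cs) >> 3` directly as an index into the per-CPU GDT, without a bound check and without looking at the selector's table-indicator bit. The `!user_mode(regs)` guard means a sane kernel selector is expected, but this is the oops path, where `regs` may already be damaged, and an out-of-range index would read past the table while printing the report. A cheap guard keeps the dump code from faulting: `unsigned int sel = regs->cs & 0xffff;` followed by `unsigned long cs_base = (sel >> 3) < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[sel >> 3]) : 0;`. Splitting it also brings the line back under the usual length limit.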
10766 @@ -119,10 +120,10 @@ void show_registers(struct pt_regs *regs
10768 printk(KERN_EMERG "Code: ");
10770 - ip = (u8 *)regs->ip - code_prologue;
10771 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10772 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10773 /* try starting at IP */
10774 - ip = (u8 *)regs->ip;
10775 + ip = (u8 *)regs->ip + cs_base;
10776 code_len = code_len - code_prologue + 1;
10778 for (i = 0; i < code_len; i++, ip++) {
10779 @@ -131,7 +132,7 @@ void show_registers(struct pt_regs *regs
10780 printk(" Bad EIP value.");
10783 - if (ip == (u8 *)regs->ip)
10784 + if (ip == (u8 *)regs->ip + cs_base)
10785 printk("<%02x> ", c);
10787 printk("%02x ", c);
10788 @@ -144,6 +145,7 @@ int is_valid_bugaddr(unsigned long ip)
10790 unsigned short ud2;
10792 + ip = ktla_ktva(ip);
10793 if (ip < PAGE_OFFSET)
10795 if (probe_kernel_address((unsigned short *)ip, ud2))
10796 diff -urNp linux-2.6.35.4/arch/x86/kernel/dumpstack.c linux-2.6.35.4/arch/x86/kernel/dumpstack.c
10797 --- linux-2.6.35.4/arch/x86/kernel/dumpstack.c 2010-08-26 19:47:12.000000000 -0400
10798 +++ linux-2.6.35.4/arch/x86/kernel/dumpstack.c 2010-09-17 20:12:09.000000000 -0400
10799 @@ -207,7 +207,7 @@ void dump_stack(void)
10802 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
10803 - current->pid, current->comm, current->xid, print_tainted(),
10804 + task_pid_nr(current), current->comm, cuttent->xid, print_tainted(),
10805 init_utsname()->release,
10806 (int)strcspn(init_utsname()->version, " "),
10807 init_utsname()->version);
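Review bot: `cuttent->xid` on the added line is a misspelling of `current->xid`, so dump_stack() will not compile with this hunk applied. The line should read `task_pid_nr(current), current->comm, current->xid, print_tainted(),`. The removed line had the identifier spelled correctly, so the typo was introduced while switching the first argument to `task_pid_nr(current)`. dump_stack() continues outside the hunk.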
10808 @@ -263,7 +263,7 @@ void __kprobes oops_end(unsigned long fl
10809 panic("Fatal exception in interrupt");
10811 panic("Fatal exception");
10813 + do_group_exit(signr);
10816 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
10817 @@ -290,7 +290,7 @@ int __kprobes __die(const char *str, str
10819 show_registers(regs);
10820 #ifdef CONFIG_X86_32
10821 - if (user_mode_vm(regs)) {
10822 + if (user_mode(regs)) {
10824 ss = regs->ss & 0xffff;
10826 @@ -318,7 +318,7 @@ void die(const char *str, struct pt_regs
10827 unsigned long flags = oops_begin();
10830 - if (!user_mode_vm(regs))
10831 + if (!user_mode(regs))
10832 report_bug(regs->ip, regs);
10834 if (__die(str, regs, err))
10835 diff -urNp linux-2.6.35.4/arch/x86/kernel/efi_32.c linux-2.6.35.4/arch/x86/kernel/efi_32.c
10836 --- linux-2.6.35.4/arch/x86/kernel/efi_32.c 2010-08-26 19:47:12.000000000 -0400
10837 +++ linux-2.6.35.4/arch/x86/kernel/efi_32.c 2010-09-17 20:12:09.000000000 -0400
10838 @@ -38,70 +38,38 @@
10841 static unsigned long efi_rt_eflags;
10842 -static pgd_t efi_bak_pg_dir_pointer[2];
10843 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10845 -void efi_call_phys_prelog(void)
10846 +void __init efi_call_phys_prelog(void)
10848 - unsigned long cr4;
10849 - unsigned long temp;
10850 struct desc_ptr gdt_descr;
10852 local_irq_save(efi_rt_eflags);
10855 - * If I don't have PAE, I should just duplicate two entries in page
10856 - * directory. If I have PAE, I just need to duplicate one entry in
10857 - * page directory.
10859 - cr4 = read_cr4_safe();
10861 - if (cr4 & X86_CR4_PAE) {
10862 - efi_bak_pg_dir_pointer[0].pgd =
10863 - swapper_pg_dir[pgd_index(0)].pgd;
10864 - swapper_pg_dir[0].pgd =
10865 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10867 - efi_bak_pg_dir_pointer[0].pgd =
10868 - swapper_pg_dir[pgd_index(0)].pgd;
10869 - efi_bak_pg_dir_pointer[1].pgd =
10870 - swapper_pg_dir[pgd_index(0x400000)].pgd;
10871 - swapper_pg_dir[pgd_index(0)].pgd =
10872 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10873 - temp = PAGE_OFFSET + 0x400000;
10874 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10875 - swapper_pg_dir[pgd_index(temp)].pgd;
10877 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10878 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10879 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10882 * After the lock is released, the original page table is restored.
10886 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
10887 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10888 gdt_descr.size = GDT_SIZE - 1;
10889 load_gdt(&gdt_descr);
10892 -void efi_call_phys_epilog(void)
10893 +void __init efi_call_phys_epilog(void)
10895 - unsigned long cr4;
10896 struct desc_ptr gdt_descr;
10898 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10899 + gdt_descr.address = get_cpu_gdt_table(0);
10900 gdt_descr.size = GDT_SIZE - 1;
10901 load_gdt(&gdt_descr);
10903 - cr4 = read_cr4_safe();
10905 - if (cr4 & X86_CR4_PAE) {
10906 - swapper_pg_dir[pgd_index(0)].pgd =
10907 - efi_bak_pg_dir_pointer[0].pgd;
10909 - swapper_pg_dir[pgd_index(0)].pgd =
10910 - efi_bak_pg_dir_pointer[0].pgd;
10911 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10912 - efi_bak_pg_dir_pointer[1].pgd;
10914 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10917 * After the lock is released, the original page table is restored.
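Review bot: In efi_call_phys_prelog() the new `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` stores a physical address in a pointer-typed field, so the value looks like an ordinary kernel pointer although it is not a kernel virtual address. A comment on that line would make the intent explicit, e.g. `/* physical address for the EFI call in physical mode; not a kernel virtual pointer */`. Both functions and the backup array also become `__init`/`__initdata`, which is only safe if every caller runs during boot. The callers are outside this hunk, so that is worth confirming before the section annotations are relied on.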
10918 diff -urNp linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S
10919 --- linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S 2010-08-26 19:47:12.000000000 -0400
10920 +++ linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S 2010-09-17 20:12:09.000000000 -0400
10924 #include <linux/linkage.h>
10925 +#include <linux/init.h>
10926 #include <asm/page_types.h>
10930 * service functions will comply with gcc calling convention, too.
10935 ENTRY(efi_call_phys)
10937 * 0. The function can only be called in Linux kernel. So CS has been
10938 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10939 * The mapping of lower virtual memory has been created in prelog and
10943 - subl $__PAGE_OFFSET, %edx
10945 + jmp 1f-__PAGE_OFFSET
10949 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10950 * parameter 2, ..., param n. To make things easy, we save the return
10951 * address of efi_call_phys in a global variable.
10954 - movl %edx, saved_return_addr
10955 - /* get the function pointer into ECX*/
10957 - movl %ecx, efi_rt_function_ptr
10959 - subl $__PAGE_OFFSET, %edx
10961 + popl (saved_return_addr)
10962 + popl (efi_rt_function_ptr)
10965 * 3. Clear PG bit in %CR0.
10966 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10968 * 5. Call the physical function.
10971 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
10975 * 6. After EFI runtime service returns, control will return to
10976 * following instruction. We'd better readjust stack pointer first.
10977 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10979 orl $0x80000000, %edx
10985 * 8. Now restore the virtual mode from flat mode by
10986 * adding EIP with PAGE_OFFSET.
10990 + jmp 1f+__PAGE_OFFSET
10994 * 9. Balance the stack. And because EAX contain the return value,
10995 * we'd better not clobber it.
10997 - leal efi_rt_function_ptr, %edx
10998 - movl (%edx), %ecx
11000 + pushl (efi_rt_function_ptr)
11003 - * 10. Push the saved return address onto the stack and return.
11004 + * 10. Return to the saved return address.
11006 - leal saved_return_addr, %edx
11007 - movl (%edx), %ecx
11010 + jmpl *(saved_return_addr)
11011 ENDPROC(efi_call_phys)
11018 efi_rt_function_ptr:
11019 diff -urNp linux-2.6.35.4/arch/x86/kernel/entry_32.S linux-2.6.35.4/arch/x86/kernel/entry_32.S
11020 --- linux-2.6.35.4/arch/x86/kernel/entry_32.S 2010-08-26 19:47:12.000000000 -0400
11021 +++ linux-2.6.35.4/arch/x86/kernel/entry_32.S 2010-09-17 20:12:09.000000000 -0400
11022 @@ -192,7 +192,67 @@
11024 #endif /* CONFIG_X86_32_LAZY_GS */
11027 +.macro PAX_EXIT_KERNEL
11028 +#ifdef CONFIG_PAX_KERNEXEC
11029 +#ifdef CONFIG_PARAVIRT
11030 + push %eax; push %ecx;
11033 + cmp $__KERNEXEC_KERNEL_CS, %esi
11035 +#ifdef CONFIG_PARAVIRT
11036 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11042 + ljmp $__KERNEL_CS, $1f
11044 +#ifdef CONFIG_PARAVIRT
11046 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11051 +#ifdef CONFIG_PARAVIRT
11052 + pop %ecx; pop %eax
11057 +.macro PAX_ENTER_KERNEL
11058 +#ifdef CONFIG_PAX_KERNEXEC
11059 +#ifdef CONFIG_PARAVIRT
11060 + push %eax; push %ecx;
11061 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11069 + cmp $__KERNEL_CS, %esi
11071 + ljmp $__KERNEL_CS, $3f
11072 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11074 +#ifdef CONFIG_PARAVIRT
11076 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11081 +#ifdef CONFIG_PARAVIRT
11082 + pop %ecx; pop %eax
11087 +.macro __SAVE_ALL _DS
11091 @@ -225,7 +285,7 @@
11093 CFI_ADJUST_CFA_OFFSET 4
11094 CFI_REL_OFFSET ebx, 0
11095 - movl $(__USER_DS), %edx
11099 movl $(__KERNEL_PERCPU), %edx
11100 @@ -233,6 +293,15 @@
11105 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11106 + __SAVE_ALL __KERNEL_DS
11109 + __SAVE_ALL __USER_DS
11113 .macro RESTORE_INT_REGS
11115 CFI_ADJUST_CFA_OFFSET -4
11116 @@ -357,7 +426,15 @@ check_userspace:
11117 movb PT_CS(%esp), %al
11118 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11119 cmpl $USER_RPL, %eax
11121 +#ifdef CONFIG_PAX_KERNEXEC
11122 + jae resume_userspace
11125 + jmp resume_kernel
11127 jb resume_kernel # not returning to v8086 or userspace
11130 ENTRY(resume_userspace)
11132 @@ -423,10 +500,9 @@ sysenter_past_esp:
11133 /*CFI_REL_OFFSET cs, 0*/
11135 * Push current_thread_info()->sysenter_return to the stack.
11136 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11137 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11139 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
11140 + GET_THREAD_INFO(%ebp)
11141 + pushl TI_sysenter_return(%ebp)
11142 CFI_ADJUST_CFA_OFFSET 4
11143 CFI_REL_OFFSET eip, 0
11145 @@ -439,9 +515,19 @@ sysenter_past_esp:
11146 * Load the potential sixth argument from user stack.
11147 * Careful about security.
11149 + movl PT_OLDESP(%esp),%ebp
11151 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11152 + mov PT_OLDSS(%esp),%ds
11153 +1: movl %ds:(%ebp),%ebp
11157 cmpl $__PAGE_OFFSET-3,%ebp
11159 1: movl (%ebp),%ebp
11162 movl %ebp,PT_EBP(%esp)
11163 .section __ex_table,"a"
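Review bot: The CONFIG_PAX_MEMORY_UDEREF branch that loads the sixth argument through `%ds:(%ebp)` has no comment saying what replaces the `cmpl $__PAGE_OFFSET-3,%ebp` range check that the other branch keeps. From the visible lines the bound appears to come from the limit of the user stack segment loaded by `mov PT_OLDSS(%esp),%ds`. That is worth stating next to the existing "Careful about security" remark, for example `/* UDEREF: the user SS limit bounds this load instead of the __PAGE_OFFSET compare */`. The comment should also say where %ds is set back to a kernel selector, including on the fault path reached through the `__ex_table` entry. Several lines of this hunk are not shown here, so that restore may already be present.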
11165 @@ -464,12 +550,23 @@ sysenter_do_call:
11166 testl $_TIF_ALLWORK_MASK, %ecx
11170 +#ifdef CONFIG_PAX_RANDKSTACK
11172 + CFI_ADJUST_CFA_OFFSET 4
11173 + call pax_randomize_kstack
11175 + CFI_ADJUST_CFA_OFFSET -4
11178 /* if something modifies registers it must also disable sysexit */
11179 movl PT_EIP(%esp), %edx
11180 movl PT_OLDESP(%esp), %ecx
11183 1: mov PT_FS(%esp), %fs
11184 +2: mov PT_DS(%esp), %ds
11185 +3: mov PT_ES(%esp), %es
11187 ENABLE_INTERRUPTS_SYSEXIT
11189 @@ -513,11 +610,17 @@ sysexit_audit:
11192 .pushsection .fixup,"ax"
11193 -2: movl $0,PT_FS(%esp)
11194 +4: movl $0,PT_FS(%esp)
11196 +5: movl $0,PT_DS(%esp)
11198 +6: movl $0,PT_ES(%esp)
11200 .section __ex_table,"a"
11208 ENDPROC(ia32_sysenter_target)
11209 @@ -551,6 +654,10 @@ syscall_exit:
11210 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11211 jne syscall_exit_work
11213 +#ifdef CONFIG_PAX_RANDKSTACK
11214 + call pax_randomize_kstack
11219 restore_all_notrace:
11220 @@ -615,7 +722,13 @@ ldt_ss:
11221 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11222 mov %dx, %ax /* eax: new kernel esp */
11223 sub %eax, %edx /* offset (low word is 0) */
11224 - PER_CPU(gdt_page, %ebx)
11226 + movl PER_CPU_VAR(cpu_number), %ebx
11227 + shll $PAGE_SHIFT_asm, %ebx
11228 + addl $cpu_gdt_table, %ebx
11230 + movl $cpu_gdt_table, %ebx
11233 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
11234 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
11235 @@ -655,25 +768,19 @@ work_resched:
11237 work_notifysig: # deal with pending signals and
11238 # notify-resume requests
11241 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11243 - jne work_notifysig_v86 # returning to kernel-space or
11244 + jz 1f # returning to kernel-space or
11247 - call do_notify_resume
11248 - jmp resume_userspace_sig
11251 -work_notifysig_v86:
11252 pushl %ecx # save ti_flags for do_notify_resume
11253 CFI_ADJUST_CFA_OFFSET 4
11254 call save_v86_state # %eax contains pt_regs pointer
11256 CFI_ADJUST_CFA_OFFSET -4
11263 call do_notify_resume
11264 @@ -708,6 +815,10 @@ END(syscall_exit_work)
11266 RING0_INT_FRAME # can't unwind into user space anyway
11268 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11272 GET_THREAD_INFO(%ebp)
11273 movl $-EFAULT,PT_EAX(%esp)
11274 jmp resume_userspace
11275 @@ -791,7 +902,13 @@ ptregs_clone:
11276 * normal stack and adjusts ESP with the matching offset.
11278 /* fixup the stack */
11279 - PER_CPU(gdt_page, %ebx)
11281 + movl PER_CPU_VAR(cpu_number), %ebx
11282 + shll $PAGE_SHIFT_asm, %ebx
11283 + addl $cpu_gdt_table, %ebx
11285 + movl $cpu_gdt_table, %ebx
11287 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
11288 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
11290 @@ -1273,7 +1390,6 @@ return_to_handler:
11294 -.section .rodata,"a"
11295 #include "syscall_table_32.S"
11297 syscall_table_size=(.-sys_call_table)
11298 @@ -1330,9 +1446,12 @@ error_code:
11299 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11302 - movl $(__USER_DS), %ecx
11303 + movl $(__KERNEL_DS), %ecx
11310 movl %esp,%eax # pt_regs pointer
11312 @@ -1426,6 +1545,9 @@ nmi_stack_correct:
11313 xorl %edx,%edx # zero error code
11314 movl %esp,%eax # pt_regs pointer
11319 jmp restore_all_notrace
11322 @@ -1466,6 +1588,9 @@ nmi_espfix_stack:
11323 FIXUP_ESPFIX_STACK # %eax == %esp
11324 xorl %edx,%edx # zero error code
11330 lss 12+4(%esp), %esp # back to espfix stack
11331 CFI_ADJUST_CFA_OFFSET -24
11332 diff -urNp linux-2.6.35.4/arch/x86/kernel/entry_64.S linux-2.6.35.4/arch/x86/kernel/entry_64.S
11333 --- linux-2.6.35.4/arch/x86/kernel/entry_64.S 2010-08-26 19:47:12.000000000 -0400
11334 +++ linux-2.6.35.4/arch/x86/kernel/entry_64.S 2010-09-17 20:12:09.000000000 -0400
11336 #include <asm/paravirt.h>
11337 #include <asm/ftrace.h>
11338 #include <asm/percpu.h>
11339 +#include <asm/pgtable.h>
11341 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11342 #include <linux/elf-em.h>
11343 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11344 ENDPROC(native_usergs_sysret64)
11345 #endif /* CONFIG_PARAVIRT */
11347 + .macro ljmpq sel, off
11348 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11349 + .byte 0x48; ljmp *1234f(%rip)
11350 + .pushsection .rodata
11352 + 1234: .quad \off; .word \sel
11361 +ENTRY(pax_enter_kernel)
11363 +#ifdef CONFIG_PAX_KERNEXEC
11366 +#ifdef CONFIG_PARAVIRT
11367 + PV_SAVE_REGS(CLBR_RDI)
11374 + cmp $__KERNEL_CS,%edi
11376 + ljmpq __KERNEL_CS,3f
11377 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11378 +2: SET_RDI_INTO_CR0
11381 +#ifdef CONFIG_PARAVIRT
11382 + PV_RESTORE_REGS(CLBR_RDI)
11389 +ENDPROC(pax_enter_kernel)
11391 +ENTRY(pax_exit_kernel)
11393 +#ifdef CONFIG_PAX_KERNEXEC
11396 +#ifdef CONFIG_PARAVIRT
11397 + PV_SAVE_REGS(CLBR_RDI)
11401 + cmp $__KERNEXEC_KERNEL_CS,%edi
11405 + ljmpq __KERNEL_CS,1f
11406 +1: SET_RDI_INTO_CR0
11409 +#ifdef CONFIG_PARAVIRT
11410 + PV_RESTORE_REGS(CLBR_RDI);
11417 +ENDPROC(pax_exit_kernel)
11419 +ENTRY(pax_enter_kernel_user)
11421 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11425 +#ifdef CONFIG_PARAVIRT
11426 + PV_SAVE_REGS(CLBR_RDI)
11431 + add $__START_KERNEL_map,%rbx
11432 + sub phys_base(%rip),%rbx
11434 +#ifdef CONFIG_PARAVIRT
11436 + cmpl $0, pv_info+PARAVIRT_enabled
11439 + .rept USER_PGD_PTRS
11440 + mov i*8(%rbx),%rsi
11442 + lea i*8(%rbx),%rdi
11443 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11451 + .rept USER_PGD_PTRS
11452 + movb $0,i*8(%rbx)
11456 +#ifdef CONFIG_PARAVIRT
11461 +#ifdef CONFIG_PAX_KERNEXEC
11467 +#ifdef CONFIG_PARAVIRT
11468 + PV_RESTORE_REGS(CLBR_RDI)
11476 +ENDPROC(pax_enter_kernel_user)
11478 +ENTRY(pax_exit_kernel_user)
11480 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11483 +#ifdef CONFIG_PARAVIRT
11485 + PV_SAVE_REGS(CLBR_RDI)
11488 +#ifdef CONFIG_PAX_KERNEXEC
11495 + add $__START_KERNEL_map,%rdi
11496 + sub phys_base(%rip),%rdi
11498 +#ifdef CONFIG_PARAVIRT
11499 + cmpl $0, pv_info+PARAVIRT_enabled
11503 + .rept USER_PGD_PTRS
11504 + mov i*8(%rbx),%rsi
11506 + lea i*8(%rbx),%rdi
11507 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11515 + .rept USER_PGD_PTRS
11516 + movb $0x67,i*8(%rdi)
11520 +#ifdef CONFIG_PARAVIRT
11521 +2: PV_RESTORE_REGS(CLBR_RDI)
11529 +ENDPROC(pax_exit_kernel_user)
11531 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11532 #ifdef CONFIG_TRACE_IRQFLAGS
11533 @@ -317,7 +501,7 @@ ENTRY(save_args)
11534 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11535 movq_cfi rbp, 8 /* push %rbp */
11536 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11537 - testl $3, CS(%rdi)
11538 + testb $3, CS(%rdi)
11542 @@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11546 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11547 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11548 je int_ret_from_sys_call
11550 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11551 @@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11553 movq %rsp,PER_CPU_VAR(old_rsp)
11554 movq PER_CPU_VAR(kernel_stack),%rsp
11556 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11557 + call pax_enter_kernel_user
11561 * No need to follow this irqs off/on section - it's straight
11563 @@ -502,6 +691,11 @@ sysret_check:
11568 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11569 + call pax_exit_kernel_user
11573 * sysretq will re-enable interrupts:
11575 @@ -613,7 +807,7 @@ tracesys:
11576 GLOBAL(int_ret_from_sys_call)
11577 DISABLE_INTERRUPTS(CLBR_NONE)
11579 - testl $3,CS-ARGOFFSET(%rsp)
11580 + testb $3,CS-ARGOFFSET(%rsp)
11581 je retint_restore_args
11582 movl $_TIF_ALLWORK_MASK,%edi
11583 /* edi: mask to check */
11584 @@ -800,6 +994,16 @@ END(interrupt)
11585 CFI_ADJUST_CFA_OFFSET 10*8
11588 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11589 + testb $3, CS(%rdi)
11591 + call pax_enter_kernel
11593 +1: call pax_enter_kernel_user
11596 + call pax_enter_kernel
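Review bot: The `testb $3, CS(%rdi)` dispatch between `pax_enter_kernel` and `pax_enter_kernel_user` is added without a comment, and the same sequence is pasted with `CS(%rsp)` into the hunks at `@@ -1040,6`, `@@ -1057,6`, `@@ -1074,9`, `@@ -1093,6`, `@@ -1112,6` and `@@ -1499,6`. A one-line comment such as `/* CPL bits of the saved CS: non-zero means the entry came from user mode */` would make the branch readable at each site. Because seven copies have to stay in step, consider defining the sequence once as an assembler macro that takes the CS operand, placed next to `ENTRY(pax_enter_kernel)`, in the way entry_32.S in this patch defines `PAX_ENTER_KERNEL`. The conditional jumps between the visible lines are not shown here, so the branch targets need checking when the copies are folded together.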
11601 @@ -826,7 +1030,7 @@ ret_from_intr:
11602 CFI_ADJUST_CFA_OFFSET -8
11604 GET_THREAD_INFO(%rcx)
11605 - testl $3,CS-ARGOFFSET(%rsp)
11606 + testb $3,CS-ARGOFFSET(%rsp)
11609 /* Interrupt came from user space */
11610 @@ -848,12 +1052,18 @@ retint_swapgs: /* return to user-space
11611 * The iretq could re-enable interrupts:
11613 DISABLE_INTERRUPTS(CLBR_ANY)
11615 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11616 + call pax_exit_kernel_user
11623 retint_restore_args: /* return to kernel space */
11624 DISABLE_INTERRUPTS(CLBR_ANY)
11625 + call pax_exit_kernel
11627 * The iretq could re-enable interrupts:
11629 @@ -1040,6 +1250,16 @@ ENTRY(\sym)
11630 CFI_ADJUST_CFA_OFFSET 15*8
11633 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11634 + testb $3, CS(%rsp)
11636 + call pax_enter_kernel
11638 +1: call pax_enter_kernel_user
11641 + call pax_enter_kernel
11643 movq %rsp,%rdi /* pt_regs pointer */
11644 xorl %esi,%esi /* no error code */
11646 @@ -1057,6 +1277,16 @@ ENTRY(\sym)
11650 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11651 + testb $3, CS(%rsp)
11653 + call pax_enter_kernel
11655 +1: call pax_enter_kernel_user
11658 + call pax_enter_kernel
11660 movq %rsp,%rdi /* pt_regs pointer */
11661 xorl %esi,%esi /* no error code */
11663 @@ -1074,9 +1304,24 @@ ENTRY(\sym)
11667 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11668 + testb $3, CS(%rsp)
11670 + call pax_enter_kernel
11672 +1: call pax_enter_kernel_user
11675 + call pax_enter_kernel
11677 movq %rsp,%rdi /* pt_regs pointer */
11678 xorl %esi,%esi /* no error code */
11679 - PER_CPU(init_tss, %r12)
11681 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11682 + lea init_tss(%r12), %r12
11684 + lea init_tss(%rip), %r12
11686 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11688 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11689 @@ -1093,6 +1338,16 @@ ENTRY(\sym)
11690 CFI_ADJUST_CFA_OFFSET 15*8
11693 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11694 + testb $3, CS(%rsp)
11696 + call pax_enter_kernel
11698 +1: call pax_enter_kernel_user
11701 + call pax_enter_kernel
11703 movq %rsp,%rdi /* pt_regs pointer */
11704 movq ORIG_RAX(%rsp),%rsi /* get error code */
11705 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11706 @@ -1112,6 +1367,16 @@ ENTRY(\sym)
11710 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11711 + testb $3, CS(%rsp)
11713 + call pax_enter_kernel
11715 +1: call pax_enter_kernel_user
11718 + call pax_enter_kernel
11720 movq %rsp,%rdi /* pt_regs pointer */
11721 movq ORIG_RAX(%rsp),%rsi /* get error code */
11722 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11723 @@ -1370,14 +1635,27 @@ ENTRY(paranoid_exit)
11725 testl %ebx,%ebx /* swapgs needed? */
11726 jnz paranoid_restore
11727 - testl $3,CS(%rsp)
11728 + testb $3,CS(%rsp)
11729 jnz paranoid_userspace
11730 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11731 + call pax_exit_kernel
11732 + TRACE_IRQS_IRETQ 0
11733 + SWAPGS_UNSAFE_STACK
11738 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11739 + call pax_exit_kernel_user
11741 + call pax_exit_kernel
11744 SWAPGS_UNSAFE_STACK
11748 + call pax_exit_kernel
11752 @@ -1435,7 +1713,7 @@ ENTRY(error_entry)
11753 movq_cfi r14, R14+8
11754 movq_cfi r15, R15+8
11756 - testl $3,CS+8(%rsp)
11757 + testb $3,CS+8(%rsp)
11758 je error_kernelspace
11761 @@ -1499,6 +1777,16 @@ ENTRY(nmi)
11762 CFI_ADJUST_CFA_OFFSET 15*8
11765 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11766 + testb $3, CS(%rsp)
11768 + call pax_enter_kernel
11770 +1: call pax_enter_kernel_user
11773 + call pax_enter_kernel
11775 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11778 @@ -1509,11 +1797,12 @@ ENTRY(nmi)
11779 DISABLE_INTERRUPTS(CLBR_NONE)
11780 testl %ebx,%ebx /* swapgs needed? */
11782 - testl $3,CS(%rsp)
11783 + testb $3,CS(%rsp)
11786 SWAPGS_UNSAFE_STACK
11788 + call pax_exit_kernel
11792 diff -urNp linux-2.6.35.4/arch/x86/kernel/ftrace.c linux-2.6.35.4/arch/x86/kernel/ftrace.c
11793 --- linux-2.6.35.4/arch/x86/kernel/ftrace.c 2010-08-26 19:47:12.000000000 -0400
11794 +++ linux-2.6.35.4/arch/x86/kernel/ftrace.c 2010-09-17 20:12:09.000000000 -0400
11795 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11797 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11799 + pax_open_kernel();
11801 + pax_close_kernel();
11802 atomic_inc(&nmi_update_count);
11804 /* Must have previous changes seen before executions */
11805 @@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
11809 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
11810 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
11812 static unsigned char *ftrace_nop_replace(void)
11814 @@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
11816 unsigned char replaced[MCOUNT_INSN_SIZE];
11818 + ip = ktla_ktva(ip);
11821 * Note: Due to modules and __init, code can
11822 * disappear and change, we need to protect against faulting
11823 @@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11824 unsigned char old[MCOUNT_INSN_SIZE], *new;
11827 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11828 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11829 new = ftrace_call_replace(ip, (unsigned long)func);
11830 ret = ftrace_modify_code(ip, old, new);
11832 @@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
11835 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
11836 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
11837 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
11840 pr_info("converting mcount calls to 66 66 66 66 90\n");
11841 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
11842 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
11845 pr_info("converting mcount calls to jmp . + 5\n");
11846 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
11847 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
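Review bot: These three `memcpy()` calls write into `ftrace_nop`, which the hunk at `@@ -260,7 +262,7` marks `__read_only`, without the `pax_open_kernel()`/`pax_close_kernel()` bracket that the `ftrace_nmi_enter` hunk adds. If the array is still writable when `ftrace_dyn_arch_init` runs (it is `__init`), a comment above the first copy should say so, e.g. `/* ftrace_nop is __read_only but not yet write-protected during init */`; otherwise the copies need the same bracket. The calls also pass the symbols to `ktla_ktva()` uncast, while `ftrace_update_ftrace_func` writes `(void *)ktla_ktva((unsigned long)ftrace_call)`. Using one form throughout avoids depending on how `ktla_ktva` is defined, which is not visible here. The function body starts and ends outside the hunk.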
11851 @@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long
11853 unsigned char code[MCOUNT_INSN_SIZE];
11855 + ip = ktla_ktva(ip);
11857 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11860 diff -urNp linux-2.6.35.4/arch/x86/kernel/head32.c linux-2.6.35.4/arch/x86/kernel/head32.c
11861 --- linux-2.6.35.4/arch/x86/kernel/head32.c 2010-08-26 19:47:12.000000000 -0400
11862 +++ linux-2.6.35.4/arch/x86/kernel/head32.c 2010-09-17 20:12:09.000000000 -0400
11864 #include <asm/apic.h>
11865 #include <asm/io_apic.h>
11866 #include <asm/bios_ebda.h>
11867 +#include <asm/boot.h>
11869 static void __init i386_default_early_setup(void)
11871 @@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
11875 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11876 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11878 #ifdef CONFIG_BLK_DEV_INITRD
11879 /* Reserve INITRD */
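Review bot: The start of the "TEXT DATA BSS" reservation becomes the build-time constant `LOAD_PHYSICAL_ADDR` for every configuration, because the new line is not under `#ifdef CONFIG_PAX_KERNEXEC`, while the end is still derived from the `__bss_stop` symbol. If the image can be loaded at an address other than `LOAD_PHYSICAL_ADDR` (a relocatable kernel, for instance), the reserved range would no longer begin where the image does. Please confirm that case is excluded, or keep `__pa_symbol(&_text)` for builds without KERNEXEC. A short comment on why `_text` is no longer usable here, e.g. `/* with KERNEXEC _text is not at the physical start of the image */`, would help; that reason is inferred rather than shown in the hunk. `i386_start_kernel` continues outside the hunk.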
11880 diff -urNp linux-2.6.35.4/arch/x86/kernel/head_32.S linux-2.6.35.4/arch/x86/kernel/head_32.S
11881 --- linux-2.6.35.4/arch/x86/kernel/head_32.S 2010-08-26 19:47:12.000000000 -0400
11882 +++ linux-2.6.35.4/arch/x86/kernel/head_32.S 2010-09-17 20:12:09.000000000 -0400
11884 /* Physical address */
11885 #define pa(X) ((X) - __PAGE_OFFSET)
11887 +#ifdef CONFIG_PAX_KERNEXEC
11890 +#define ta(X) ((X) - __PAGE_OFFSET)
11894 * References to members of the new_cpu_data structure.
11897 * and small than max_low_pfn, otherwise will waste some page table entries
11900 -#if PTRS_PER_PMD > 1
11901 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11903 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11905 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11907 /* Enough space to fit pagetables for the low memory linear map */
11908 MAPPING_BEYOND_END = \
11909 @@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
11910 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11913 + * Real beginning of normal "text" segment
11919 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
11920 * %esi points to the real-mode code as a 32-bit pointer.
11921 * CS and DS must be 4 GB flat segments, but we don't depend on
11922 @@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11927 +#ifdef CONFIG_PAX_KERNEXEC
11929 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
11930 +.fill PAGE_SIZE-5,1,0xcc
11934 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
11935 us to not reload segments */
11936 @@ -99,6 +114,55 @@ ENTRY(startup_32)
11941 + movl $pa(cpu_gdt_table),%edi
11942 + movl $__per_cpu_load,%eax
11943 + movw %ax,__KERNEL_PERCPU + 2(%edi)
11945 + movb %al,__KERNEL_PERCPU + 4(%edi)
11946 + movb %ah,__KERNEL_PERCPU + 7(%edi)
11947 + movl $__per_cpu_end - 1,%eax
11948 + subl $__per_cpu_start,%eax
11949 + movw %ax,__KERNEL_PERCPU + 0(%edi)
11952 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11953 + movl $NR_CPUS,%ecx
11954 + movl $pa(cpu_gdt_table),%edi
11956 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
11957 + addl $PAGE_SIZE_asm,%edi
11961 +#ifdef CONFIG_PAX_KERNEXEC
11962 + movl $pa(boot_gdt),%edi
11963 + movl $__LOAD_PHYSICAL_ADDR,%eax
11964 + movw %ax,__BOOT_CS + 2(%edi)
11966 + movb %al,__BOOT_CS + 4(%edi)
11967 + movb %ah,__BOOT_CS + 7(%edi)
11970 + ljmp $(__BOOT_CS),$1f
11973 + movl $NR_CPUS,%ecx
11974 + movl $pa(cpu_gdt_table),%edi
11975 + addl $__PAGE_OFFSET,%eax
11977 + movw %ax,__KERNEL_CS + 2(%edi)
11978 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
11980 + movb %al,__KERNEL_CS + 4(%edi)
11981 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
11982 + movb %ah,__KERNEL_CS + 7(%edi)
11983 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
11985 + addl $PAGE_SIZE_asm,%edi
11990 * Clear BSS first so that there are no surprises...
11992 @@ -142,9 +206,7 @@ ENTRY(startup_32)
11993 cmpl $num_subarch_entries, %eax
11996 - movl pa(subarch_entries)(,%eax,4), %eax
11997 - subl $__PAGE_OFFSET, %eax
11999 + jmp *pa(subarch_entries)(,%eax,4)
12003 @@ -156,10 +218,10 @@ WEAK(xen_entry)
12007 - .long default_entry /* normal x86/PC */
12008 - .long lguest_entry /* lguest hypervisor */
12009 - .long xen_entry /* Xen hypervisor */
12010 - .long default_entry /* Moorestown MID */
12011 + .long ta(default_entry) /* normal x86/PC */
12012 + .long ta(lguest_entry) /* lguest hypervisor */
12013 + .long ta(xen_entry) /* Xen hypervisor */
12014 + .long ta(default_entry) /* Moorestown MID */
12015 num_subarch_entries = (. - subarch_entries) / 4
12017 #endif /* CONFIG_PARAVIRT */
12018 @@ -220,8 +282,11 @@ default_entry:
12019 movl %eax, pa(max_pfn_mapped)
12021 /* Do early initialization of the fixmap area */
12022 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12023 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12024 +#ifdef CONFIG_COMPAT_VDSO
12025 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12027 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12029 #else /* Not PAE */
12031 page_pde_offset = (__PAGE_OFFSET >> 20);
12032 @@ -251,8 +316,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12033 movl %eax, pa(max_pfn_mapped)
12035 /* Do early initialization of the fixmap area */
12036 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12037 - movl %eax,pa(swapper_pg_dir+0xffc)
12038 +#ifdef CONFIG_COMPAT_VDSO
12039 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
12041 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
12046 @@ -299,6 +367,7 @@ ENTRY(startup_32_smp)
12050 +#ifdef CONFIG_X86_PAE
12051 testb $X86_CR4_PAE, %al # check if PAE is enabled
12054 @@ -323,6 +392,9 @@ ENTRY(startup_32_smp)
12055 /* Make changes effective */
12058 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12064 @@ -348,9 +420,7 @@ ENTRY(startup_32_smp)
12068 - jz 1f /* Initial CPU cleans BSS */
12071 + jnz checkCPUtype /* Initial CPU cleans BSS */
12072 #endif /* CONFIG_SMP */
12075 @@ -428,7 +498,7 @@ is386: movl $2,%ecx # set MP
12076 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12077 movl %eax,%ss # after changing gdt.
12079 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12080 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
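Review bot: The replacement line is a commented-out instruction, `# movl $(__KERNEL_DS),%eax`, which leaves dead code in the file together with an end-of-line comment describing an instruction that no longer executes. %eax is loaded with `__KERNEL_DS` by `1: movl $(__KERNEL_DS),%eax` earlier in this hunk, so, assuming nothing in between changes it, the load can simply be deleted. A plain comment can then replace it, e.g. `# DS/ES take the kernel segment already in %eax`. The stores to the segment registers that follow are outside the lines shown here.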
12084 @@ -442,8 +512,11 @@ is386: movl $2,%ecx # set MP
12088 - movl $gdt_page,%eax
12089 + movl $cpu_gdt_table,%eax
12090 movl $stack_canary,%ecx
12092 + addl $__per_cpu_load,%ecx
12094 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12096 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12097 @@ -461,10 +534,6 @@ is386: movl $2,%ecx # set MP
12101 - cmpb $0,%cl # the first CPU calls start_kernel
12103 - movl (stack_start), %esp
12105 #endif /* CONFIG_SMP */
12106 jmp *(initial_code)
12108 @@ -550,22 +619,22 @@ early_page_fault:
12113 #ifdef CONFIG_PRINTK
12114 + cmpl $1,%ss:early_recursion_flag
12116 + incl %ss:early_recursion_flag
12119 movl $(__KERNEL_DS),%eax
12122 - cmpl $2,early_recursion_flag
12124 - incl early_recursion_flag
12127 pushl %edx /* trapno */
12136 @@ -573,8 +642,11 @@ hlt_loop:
12137 /* This is the default interrupt "handler" :-) */
12141 #ifdef CONFIG_PRINTK
12142 + cmpl $2,%ss:early_recursion_flag
12144 + incl %ss:early_recursion_flag
12149 @@ -583,9 +655,6 @@ ignore_int:
12150 movl $(__KERNEL_DS),%eax
12153 - cmpl $2,early_recursion_flag
12155 - incl early_recursion_flag
12159 @@ -612,27 +681,38 @@ ENTRY(initial_code)
12163 -__PAGE_ALIGNED_BSS
12164 - .align PAGE_SIZE_asm
12165 #ifdef CONFIG_X86_PAE
12166 +.section .swapper_pg_pmd,"a",@progbits
12168 .fill 1024*KPMDS,4,0
12170 +.section .swapper_pg_dir,"a",@progbits
12171 ENTRY(swapper_pg_dir)
12178 +.section .empty_zero_page,"a",@progbits
12179 ENTRY(empty_zero_page)
12183 + * The IDT has to be page-aligned to simplify the Pentium
12184 + * F0 0F bug workaround.. We have a special link segment
12187 +.section .idt,"a",@progbits
12192 * This starts the data section.
12194 #ifdef CONFIG_X86_PAE
12195 -__PAGE_ALIGNED_DATA
12196 - /* Page-aligned for the benefit of paravirt? */
12197 - .align PAGE_SIZE_asm
12198 +.section .swapper_pg_dir,"a",@progbits
12200 ENTRY(swapper_pg_dir)
12201 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12203 @@ -651,15 +731,24 @@ ENTRY(swapper_pg_dir)
12204 # error "Kernel PMDs should be 1, 2 or 3"
12206 .align PAGE_SIZE_asm /* needs to be page-sized too */
12208 +#ifdef CONFIG_PAX_PER_CPU_PGD
12219 - .long init_thread_union+THREAD_SIZE
12220 + .long init_thread_union+THREAD_SIZE-8
12225 +.section .rodata,"a",@progbits
12226 early_recursion_flag:
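Review bot: `early_recursion_flag` is placed in `.rodata` by the `.section .rodata,"a",@progbits` line added directly above it, yet the hunks at `@@ -550,22 +619,22` and `@@ -573,8 +642,11` still modify it with `incl %ss:early_recursion_flag`. That is only safe while `.rodata` is still writable; if either handler can run after read-only data has been write-protected, the increment would itself fault inside the handler. Either keep the flag in a writable section or state the assumption in a comment, e.g. `/* written only before .rodata is write-protected */`. Whether `ignore_int` stays installed after that point is not visible from this chunk.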
12229 @@ -695,7 +784,7 @@ fault_msg:
12230 .word 0 # 32 bit align gdt_desc.address
12233 - .long boot_gdt - __PAGE_OFFSET
12234 + .long pa(boot_gdt)
12236 .word 0 # 32-bit align idt_desc.address
12238 @@ -706,7 +795,7 @@ idt_descr:
12239 .word 0 # 32 bit align gdt_desc.address
12240 ENTRY(early_gdt_descr)
12241 .word GDT_ENTRIES*8-1
12242 - .long gdt_page /* Overwritten for secondary CPUs */
12243 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12246 * The boot_gdt must mirror the equivalent in setup.S and is
12247 @@ -715,5 +804,65 @@ ENTRY(early_gdt_descr)
12248 .align L1_CACHE_BYTES
12250 .fill GDT_ENTRY_BOOT_CS,8,0
12251 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12252 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12253 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12254 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12256 + .align PAGE_SIZE_asm
12257 +ENTRY(cpu_gdt_table)
12259 + .quad 0x0000000000000000 /* NULL descriptor */
12260 + .quad 0x0000000000000000 /* 0x0b reserved */
12261 + .quad 0x0000000000000000 /* 0x13 reserved */
12262 + .quad 0x0000000000000000 /* 0x1b reserved */
12264 +#ifdef CONFIG_PAX_KERNEXEC
12265 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12267 + .quad 0x0000000000000000 /* 0x20 unused */
12270 + .quad 0x0000000000000000 /* 0x28 unused */
12271 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12272 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12273 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12274 + .quad 0x0000000000000000 /* 0x4b reserved */
12275 + .quad 0x0000000000000000 /* 0x53 reserved */
12276 + .quad 0x0000000000000000 /* 0x5b reserved */
12278 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12279 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12280 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12281 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12283 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12284 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12287 + * Segments used for calling PnP BIOS have byte granularity.
12288 + * The code segments and data segments have fixed 64k limits,
12289 + * the transfer segment sizes are set at run time.
12291 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12292 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12293 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12294 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12295 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12298 + * The APM segments have byte granularity and their bases
12299 + * are set at run time. All have 64k limits.
12301 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12302 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12303 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12305 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12306 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12307 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12308 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12309 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12310 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12312 + /* Be sure this is zeroed to avoid false validations in Xen */
12313 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
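Review bot: Every populated descriptor in the new `cpu_gdt_table`, and both `boot_gdt` entries changed at the top of this hunk, has the accessed bit already set in its type byte (`0x9b`/`0x93` where the removed lines had `0x9a`/`0x92`), but nothing in the table says why. Presumably this keeps the CPU from having to write the accessed bit into a GDT that is mapped read-only. If so, a header comment should say it, e.g. `/* accessed bit preset: the CPU must never need to write to this table */`, so that a later edit does not reintroduce an unaccessed type. The selector comments also mix bare offsets (`0x20`, `0x60`) with RPL-tagged values (`0x33`, `0x73`); a single convention would make the table easier to check against the `GDT_ENTRY_*` constants.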
12315 diff -urNp linux-2.6.35.4/arch/x86/kernel/head_64.S linux-2.6.35.4/arch/x86/kernel/head_64.S
12316 --- linux-2.6.35.4/arch/x86/kernel/head_64.S 2010-08-26 19:47:12.000000000 -0400
12317 +++ linux-2.6.35.4/arch/x86/kernel/head_64.S 2010-09-17 20:12:09.000000000 -0400
12319 #include <asm/cache.h>
12320 #include <asm/processor-flags.h>
12321 #include <asm/percpu.h>
12322 +#include <asm/cpufeature.h>
12324 #ifdef CONFIG_PARAVIRT
12325 #include <asm/asm-offsets.h>
12326 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12327 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12328 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12329 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12330 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12331 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12332 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12333 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12337 @@ -85,35 +90,22 @@ startup_64:
12339 addq %rbp, init_level4_pgt + 0(%rip)
12340 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12341 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12342 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12343 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12345 addq %rbp, level3_ident_pgt + 0(%rip)
12346 +#ifndef CONFIG_XEN
12347 + addq %rbp, level3_ident_pgt + 8(%rip)
12350 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12351 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12352 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12354 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12355 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12356 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12358 - /* Add an Identity mapping if I am above 1G */
12359 - leaq _text(%rip), %rdi
12360 - andq $PMD_PAGE_MASK, %rdi
12363 - shrq $PUD_SHIFT, %rax
12364 - andq $(PTRS_PER_PUD - 1), %rax
12365 - jz ident_complete
12367 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12368 - leaq level3_ident_pgt(%rip), %rbx
12369 - movq %rdx, 0(%rbx, %rax, 8)
12372 - shrq $PMD_SHIFT, %rax
12373 - andq $(PTRS_PER_PMD - 1), %rax
12374 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12375 - leaq level2_spare_pgt(%rip), %rbx
12376 - movq %rdx, 0(%rbx, %rax, 8)
12378 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12379 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12382 * Fixup the kernel text+data virtual addresses. Note that
12383 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12384 * after the boot processor executes this code.
12387 - /* Enable PAE mode and PGE */
12388 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12389 + /* Enable PAE mode and PSE/PGE */
12390 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12393 /* Setup early boot stage 4 level pagetables. */
12394 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12395 movl $MSR_EFER, %ecx
12397 btsl $_EFER_SCE, %eax /* Enable System Call */
12398 - btl $20,%edi /* No Execute supported? */
12399 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12401 btsl $_EFER_NX, %eax
12402 + leaq init_level4_pgt(%rip), %rdi
12403 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12404 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12405 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12406 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12407 1: wrmsr /* Make changes effective */
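Review bot: The added `leaq init_level4_pgt(%rip), %rdi` overwrites %rdi while its low half still holds the CPUID feature word that `btl $(X86_FEATURE_NX & 31),%edi` tested just above, and nothing in the hunk records that. If any code after label `1:` still reads %edi it will now see a page-table address; that code is outside this hunk and needs to be checked. I would add `/* %rdi is clobbered from here on: the CPUID feature bits are gone */` above the `leaq`. Since this is the secondary_startup_64 path, a second comment stating that the `btsq $_PAGE_BIT_NX` stores are repeated on each CPU and are idempotent would also help the next reader.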
12410 @@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
12414 - .section ".init.text","ax"
12416 #ifdef CONFIG_EARLY_PRINTK
12417 .globl early_idt_handlers
12418 early_idt_handlers:
12419 @@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
12420 #endif /* EARLY_PRINTK */
12425 #ifdef CONFIG_EARLY_PRINTK
12427 early_recursion_flag:
12431 + .section .rodata,"a",@progbits
12433 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12436 -#endif /* CONFIG_EARLY_PRINTK */
12438 +#endif /* CONFIG_EARLY_PRINTK */
12440 + .section .rodata,"a",@progbits
12441 #define NEXT_PAGE(name) \
12442 .balign PAGE_SIZE; \
12444 @@ -351,13 +353,36 @@ NEXT_PAGE(init_level4_pgt)
12445 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12446 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12447 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12448 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12449 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12450 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12451 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12452 .org init_level4_pgt + L4_START_KERNEL*8, 0
12453 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12454 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12456 +#ifdef CONFIG_PAX_PER_CPU_PGD
12457 +NEXT_PAGE(cpu_pgd)
12463 NEXT_PAGE(level3_ident_pgt)
12464 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12468 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12472 +NEXT_PAGE(level3_vmalloc_pgt)
12475 +NEXT_PAGE(level3_vmemmap_pgt)
12476 + .fill L3_VMEMMAP_START,8,0
12477 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12479 NEXT_PAGE(level3_kernel_pgt)
12480 .fill L3_START_KERNEL,8,0
12481 @@ -365,20 +390,23 @@ NEXT_PAGE(level3_kernel_pgt)
12482 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12483 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12485 +NEXT_PAGE(level2_vmemmap_pgt)
12488 NEXT_PAGE(level2_fixmap_pgt)
12490 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12491 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12494 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12495 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12498 -NEXT_PAGE(level1_fixmap_pgt)
12499 +NEXT_PAGE(level1_vsyscall_pgt)
12502 -NEXT_PAGE(level2_ident_pgt)
12503 - /* Since I easily can, map the first 1G.
12504 + /* Since I easily can, map the first 2G.
12505 * Don't set NX because code runs from these pages.
12507 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12508 +NEXT_PAGE(level2_ident_pgt)
12509 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12511 NEXT_PAGE(level2_kernel_pgt)
12513 @@ -391,33 +419,55 @@ NEXT_PAGE(level2_kernel_pgt)
12514 * If you want to increase this then increase MODULES_VADDR
12517 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12518 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12520 -NEXT_PAGE(level2_spare_pgt)
12522 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12529 +ENTRY(cpu_gdt_table)
12531 + .quad 0x0000000000000000 /* NULL descriptor */
12532 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12533 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12534 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12535 + .quad 0x00cffb000000ffff /* __USER32_CS */
12536 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12537 + .quad 0x00affb000000ffff /* __USER_CS */
12539 +#ifdef CONFIG_PAX_KERNEXEC
12540 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12542 + .quad 0x0 /* unused */
12545 + .quad 0,0 /* TSS */
12546 + .quad 0,0 /* LDT */
12547 + .quad 0,0,0 /* three TLS descriptors */
12548 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12549 + /* asm/segment.h:GDT_ENTRIES must match this */
12551 + /* zero the remaining page */
12552 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12556 .globl early_gdt_descr
12558 .word GDT_ENTRIES*8-1
12559 early_gdt_descr_base:
12560 - .quad INIT_PER_CPU_VAR(gdt_page)
12561 + .quad cpu_gdt_table
12564 /* This must match the first entry in level2_kernel_pgt */
12565 .quad 0x0000000000000000
12567 #include "../../x86/xen/xen-head.S"
12569 - .section .bss, "aw", @nobits
12571 + .section .rodata,"a",@progbits
12572 .align L1_CACHE_BYTES
12574 - .skip IDT_ENTRIES * 16
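Review bot: The hand-written `cpu_gdt_table` relies on the comment `asm/segment.h:GDT_ENTRIES must match this` to stay in step with `GDT_ENTRIES`. If a descriptor is added on one side only, both the `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` padding and the `.word GDT_ENTRIES*8-1` limit become silently wrong. An assembler-time check just before the `.fill` would enforce it: `.if (. - GDT_START_LABEL) != GDT_ENTRIES*8`, `.error "cpu_gdt_table out of sync with GDT_ENTRIES"`, `.endif`, where GDT_START_LABEL is a placeholder for a label at the start of one table copy. Several lines of this hunk are not visible here, including what surrounds `ENTRY(cpu_gdt_table)`, so the expression has to be written against the full file.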
12579 diff -urNp linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c
12580 --- linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c 2010-08-26 19:47:12.000000000 -0400
12581 +++ linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c 2010-09-17 20:12:09.000000000 -0400
12582 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12583 EXPORT_SYMBOL(cmpxchg8b_emu);
12586 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12588 /* Networking helper routines. */
12589 EXPORT_SYMBOL(csum_partial_copy_generic);
12590 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12591 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12593 EXPORT_SYMBOL(__get_user_1);
12594 EXPORT_SYMBOL(__get_user_2);
12595 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12597 EXPORT_SYMBOL(csum_partial);
12598 EXPORT_SYMBOL(empty_zero_page);
12600 +#ifdef CONFIG_PAX_KERNEXEC
12601 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12603 diff -urNp linux-2.6.35.4/arch/x86/kernel/init_task.c linux-2.6.35.4/arch/x86/kernel/init_task.c
12604 --- linux-2.6.35.4/arch/x86/kernel/init_task.c 2010-08-26 19:47:12.000000000 -0400
12605 +++ linux-2.6.35.4/arch/x86/kernel/init_task.c 2010-09-17 20:12:09.000000000 -0400
12606 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12607 * section. Since TSS's are completely CPU-local, we want them
12608 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12610 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12612 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12613 +EXPORT_SYMBOL(init_tss);
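Review bot: `____cacheline_internodealigned_in_smp` on the `init_tss[NR_CPUS]` array aligns only the start of the array. Whether each `init_tss[cpu]` sits on its own cacheline now depends on the alignment of `struct tss_struct`, which is declared outside this hunk. The context comment above still speaks of a per-CPU section and "exact cacheline boundaries", so it should be updated, for example `/* One TSS per possible CPU, indexed by CPU number; per-entry cacheline separation relies on struct tss_struct's own alignment. */`. The new export is also plain `EXPORT_SYMBOL(init_tss)` while `cpu_gdt_table` in i386_ksyms_32.c uses `EXPORT_SYMBOL_GPL`; if that difference is intended, a word on why would help.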
12614 diff -urNp linux-2.6.35.4/arch/x86/kernel/ioport.c linux-2.6.35.4/arch/x86/kernel/ioport.c
12615 --- linux-2.6.35.4/arch/x86/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
12616 +++ linux-2.6.35.4/arch/x86/kernel/ioport.c 2010-09-17 20:12:37.000000000 -0400
12618 #include <linux/sched.h>
12619 #include <linux/kernel.h>
12620 #include <linux/capability.h>
12621 +#include <linux/security.h>
12622 #include <linux/errno.h>
12623 #include <linux/types.h>
12624 #include <linux/ioport.h>
12625 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12627 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12629 +#ifdef CONFIG_GRKERNSEC_IO
12630 + if (turn_on && grsec_disable_privio) {
12631 + gr_handle_ioperm();
12635 if (turn_on && !capable(CAP_SYS_RAWIO))
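Review bot: `gr_handle_ioperm()` is reached before the `capable(CAP_SYS_RAWIO)` check, so with `grsec_disable_privio` set every caller takes that path, privileged or not. If the handler writes an audit record (its body is not in this hunk), an unprivileged process can generate those records at will, so it is worth confirming that it rate-limits. Either way the ordering should be stated, for example `/* checked before capable(): denied for everyone, including CAP_SYS_RAWIO holders */`. The sys_iopl hunk below has the same ordering, and sys_ioperm's body continues outside this hunk.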
12638 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12639 * because the ->io_bitmap_max value must match the bitmap
12642 - tss = &per_cpu(init_tss, get_cpu());
12643 + tss = init_tss + get_cpu();
12645 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12647 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12649 /* Trying to gain more privileges? */
12651 +#ifdef CONFIG_GRKERNSEC_IO
12652 + if (grsec_disable_privio) {
12653 + gr_handle_iopl();
12657 if (!capable(CAP_SYS_RAWIO))
12660 diff -urNp linux-2.6.35.4/arch/x86/kernel/irq_32.c linux-2.6.35.4/arch/x86/kernel/irq_32.c
12661 --- linux-2.6.35.4/arch/x86/kernel/irq_32.c 2010-08-26 19:47:12.000000000 -0400
12662 +++ linux-2.6.35.4/arch/x86/kernel/irq_32.c 2010-09-17 20:12:09.000000000 -0400
12663 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
12666 /* build the stack frame on the IRQ stack */
12667 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12668 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12669 irqctx->tinfo.task = curctx->tinfo.task;
12670 irqctx->tinfo.previous_esp = current_stack_pointer;
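Review bot: The `- 8` added to the `isp` computation is an unexplained magic number. The same adjustment recurs in the do_softirq hunk below, in copy_thread (`THREAD_SIZE - sizeof(struct pt_regs) - 8`, process_32.c) and in the get_wchan bounds (`stack+THREAD_SIZE-8-sizeof(u64)`, process_64.c). If these all describe one reserved area at the top of a kernel stack, which the hunks suggest but do not state, a single named constant would keep the stack-top computations and the bounds checks from drifting apart. I would write `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - STACK_TOP_RESERVE);` (placeholder name) with a comment saying what the reserved bytes hold. execute_on_irq_stack continues outside this hunk.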
12672 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
12673 irqctx->tinfo.previous_esp = current_stack_pointer;
12675 /* build the stack frame on the softirq stack */
12676 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12677 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12679 call_on_stack(__do_softirq, isp);
12681 diff -urNp linux-2.6.35.4/arch/x86/kernel/kgdb.c linux-2.6.35.4/arch/x86/kernel/kgdb.c
12682 --- linux-2.6.35.4/arch/x86/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
12683 +++ linux-2.6.35.4/arch/x86/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
12684 @@ -77,7 +77,7 @@ void pt_regs_to_gdb_regs(unsigned long *
12685 gdb_regs[GDB_CS] = regs->cs;
12686 gdb_regs[GDB_FS] = 0xFFFF;
12687 gdb_regs[GDB_GS] = 0xFFFF;
12688 - if (user_mode_vm(regs)) {
12689 + if (user_mode(regs)) {
12690 gdb_regs[GDB_SS] = regs->ss;
12691 gdb_regs[GDB_SP] = regs->sp;
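Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` preserves behaviour only if `user_mode()` is redefined elsewhere in this patch to cover VM86 frames. In mainline of this era the 32-bit `user_mode()` looks only at the CS privilege bits, while `user_mode_vm()` also checks the VM flag. That redefinition is not visible here, so it should be confirmed; otherwise a VM86 frame would be treated as kernel mode and the wrong SS/SP reported. The same substitution is made in kprobe_exceptions_notify (kprobes.c) and __show_regs (process_32.c). A short comment at one of the call sites would save the next reader the search, for example `/* user_mode() also covers VM86 frames in this tree */`.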
12693 @@ -720,7 +720,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12697 -struct kgdb_arch arch_kgdb_ops = {
12698 +const struct kgdb_arch arch_kgdb_ops = {
12699 /* Breakpoint instruction: */
12700 .gdb_bpt_instr = { 0xcc },
12701 .flags = KGDB_HW_BREAKPOINT,
12702 diff -urNp linux-2.6.35.4/arch/x86/kernel/kprobes.c linux-2.6.35.4/arch/x86/kernel/kprobes.c
12703 --- linux-2.6.35.4/arch/x86/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
12704 +++ linux-2.6.35.4/arch/x86/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
12705 @@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
12707 } __attribute__((packed)) *insn;
12709 - insn = (struct __arch_relative_insn *)from;
12710 + insn = (struct __arch_relative_insn *)(ktla_ktva(from));
12712 + pax_open_kernel();
12713 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12715 + pax_close_kernel();
12718 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
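Review bot: The store now goes through `ktla_ktva(from)` while the displacement is still computed from the original `from`, and nothing explains why the two addresses differ. Presumably `ktla_ktva()` yields an alias for writing while `from` remains the address the instruction executes at; its definition is not in this hunk, so this should be confirmed. I would add a comment above the `insn =` line: `/* write through the alias; raddr stays relative to the address the CPU executes from */`. It is also worth noting next to `pax_open_kernel()` that the open/close pair must bracket only the stores, so that the writable window stays as short as it is here.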
12719 @@ -315,7 +318,9 @@ static int __kprobes __copy_instruction(
12722 insn_get_length(&insn);
12723 + pax_open_kernel();
12724 memcpy(dest, insn.kaddr, insn.length);
12725 + pax_close_kernel();
12727 #ifdef CONFIG_X86_64
12728 if (insn_rip_relative(&insn)) {
12729 @@ -339,7 +344,9 @@ static int __kprobes __copy_instruction(
12731 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12732 disp = (u8 *) dest + insn_offset_displacement(&insn);
12733 + pax_open_kernel();
12734 *(s32 *) disp = (s32) newdisp;
12735 + pax_close_kernel();
12738 return insn.length;
12739 @@ -353,12 +360,12 @@ static void __kprobes arch_copy_kprobe(s
12741 __copy_instruction(p->ainsn.insn, p->addr, 0);
12743 - if (can_boost(p->addr))
12744 + if (can_boost(ktla_ktva(p->addr)))
12745 p->ainsn.boostable = 0;
12747 p->ainsn.boostable = -1;
12749 - p->opcode = *p->addr;
12750 + p->opcode = *(ktla_ktva(p->addr));
12753 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12754 @@ -475,7 +482,7 @@ static void __kprobes setup_singlestep(s
12755 * nor set current_kprobe, because it doesn't use single
12758 - regs->ip = (unsigned long)p->ainsn.insn;
12759 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12760 preempt_enable_no_resched();
12763 @@ -494,7 +501,7 @@ static void __kprobes setup_singlestep(s
12764 if (p->opcode == BREAKPOINT_INSTRUCTION)
12765 regs->ip = (unsigned long)p->addr;
12767 - regs->ip = (unsigned long)p->ainsn.insn;
12768 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12772 @@ -573,7 +580,7 @@ static int __kprobes kprobe_handler(stru
12773 setup_singlestep(p, regs, kcb, 0);
12776 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12777 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12779 * The breakpoint instruction was removed right
12780 * after we hit it. Another cpu has removed
12781 @@ -799,7 +806,7 @@ static void __kprobes resume_execution(s
12782 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12784 unsigned long *tos = stack_addr(regs);
12785 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12786 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12787 unsigned long orig_ip = (unsigned long)p->addr;
12788 kprobe_opcode_t *insn = p->ainsn.insn;
12790 @@ -982,7 +989,7 @@ int __kprobes kprobe_exceptions_notify(s
12791 struct die_args *args = data;
12792 int ret = NOTIFY_DONE;
12794 - if (args->regs && user_mode_vm(args->regs))
12795 + if (args->regs && user_mode(args->regs))
12799 diff -urNp linux-2.6.35.4/arch/x86/kernel/ldt.c linux-2.6.35.4/arch/x86/kernel/ldt.c
12800 --- linux-2.6.35.4/arch/x86/kernel/ldt.c 2010-08-26 19:47:12.000000000 -0400
12801 +++ linux-2.6.35.4/arch/x86/kernel/ldt.c 2010-09-17 20:12:09.000000000 -0400
12802 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12807 + load_LDT_nolock(pc);
12808 if (!cpumask_equal(mm_cpumask(current->mm),
12809 cpumask_of(smp_processor_id())))
12810 smp_call_function(flush_ldt, current->mm, 1);
12814 + load_LDT_nolock(pc);
12818 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
12821 for (i = 0; i < old->size; i++)
12822 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12823 + write_ldt_entry(new->ldt, i, old->ldt + i);
12827 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
12828 retval = copy_ldt(&mm->context, &old_mm->context);
12829 mutex_unlock(&old_mm->context.lock);
12832 + if (tsk == current) {
12833 + mm->context.vdso = ~0UL;
12835 +#ifdef CONFIG_X86_32
12836 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
12837 + mm->context.user_cs_base = 0UL;
12838 + mm->context.user_cs_limit = ~0UL;
12840 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
12841 + cpus_clear(mm->context.cpu_user_cs_mask);
12852 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
12856 +#ifdef CONFIG_PAX_SEGMEXEC
12857 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
12863 fill_ldt(&ldt, &ldt_info);
12866 diff -urNp linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c
12867 --- linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c 2010-08-26 19:47:12.000000000 -0400
12868 +++ linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c 2010-09-17 20:12:09.000000000 -0400
12870 #include <asm/cacheflush.h>
12871 #include <asm/debugreg.h>
12873 -static void set_idt(void *newidt, __u16 limit)
12874 +static void set_idt(struct desc_struct *newidt, __u16 limit)
12876 struct desc_ptr curidt;
12878 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
12882 -static void set_gdt(void *newgdt, __u16 limit)
12883 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
12885 struct desc_ptr curgdt;
12887 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
12890 control_page = page_address(image->control_code_page);
12891 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
12892 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
12894 relocate_kernel_ptr = control_page;
12895 page_list[PA_CONTROL_PAGE] = __pa(control_page);
12896 diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_amd.c linux-2.6.35.4/arch/x86/kernel/microcode_amd.c
12897 --- linux-2.6.35.4/arch/x86/kernel/microcode_amd.c 2010-08-26 19:47:12.000000000 -0400
12898 +++ linux-2.6.35.4/arch/x86/kernel/microcode_amd.c 2010-09-17 20:12:09.000000000 -0400
12899 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
12903 -static struct microcode_ops microcode_amd_ops = {
12904 +static const struct microcode_ops microcode_amd_ops = {
12905 .request_microcode_user = request_microcode_user,
12906 .request_microcode_fw = request_microcode_fw,
12907 .collect_cpu_info = collect_cpu_info_amd,
12908 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
12909 .microcode_fini_cpu = microcode_fini_cpu_amd,
12912 -struct microcode_ops * __init init_amd_microcode(void)
12913 +const struct microcode_ops * __init init_amd_microcode(void)
12915 return µcode_amd_ops;
12917 diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_core.c linux-2.6.35.4/arch/x86/kernel/microcode_core.c
12918 --- linux-2.6.35.4/arch/x86/kernel/microcode_core.c 2010-08-26 19:47:12.000000000 -0400
12919 +++ linux-2.6.35.4/arch/x86/kernel/microcode_core.c 2010-09-17 20:12:09.000000000 -0400
12920 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
12922 #define MICROCODE_VERSION "2.00"
12924 -static struct microcode_ops *microcode_ops;
12925 +static const struct microcode_ops *microcode_ops;
12929 diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_intel.c linux-2.6.35.4/arch/x86/kernel/microcode_intel.c
12930 --- linux-2.6.35.4/arch/x86/kernel/microcode_intel.c 2010-08-26 19:47:12.000000000 -0400
12931 +++ linux-2.6.35.4/arch/x86/kernel/microcode_intel.c 2010-09-17 20:12:09.000000000 -0400
12932 @@ -446,13 +446,13 @@ static enum ucode_state request_microcod
12934 static int get_ucode_user(void *to, const void *from, size_t n)
12936 - return copy_from_user(to, from, n);
12937 + return copy_from_user(to, (__force const void __user *)from, n);
12940 static enum ucode_state
12941 request_microcode_user(int cpu, const void __user *buf, size_t size)
12943 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
12944 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
12947 static void microcode_fini_cpu(int cpu)
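Review bot: The two `__force` casts silence the address-space checker rather than fix the typing. The user pointer `buf` travels through generic_load_microcode() as a plain `void *` and is turned back into `__user` only inside get_ucode_user(). That is safe only while generic_load_microcode() never dereferences the buffer itself and always goes through the callback; its body is outside this hunk. The invariant should be recorded where the annotation is dropped, for example `/* buf is a user pointer; generic_load_microcode() must only access it via get_ucode_user() */` above the `return` in request_microcode_user().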
12948 @@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
12952 -static struct microcode_ops microcode_intel_ops = {
12953 +static const struct microcode_ops microcode_intel_ops = {
12954 .request_microcode_user = request_microcode_user,
12955 .request_microcode_fw = request_microcode_fw,
12956 .collect_cpu_info = collect_cpu_info,
12957 @@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
12958 .microcode_fini_cpu = microcode_fini_cpu,
12961 -struct microcode_ops * __init init_intel_microcode(void)
12962 +const struct microcode_ops * __init init_intel_microcode(void)
12964 return µcode_intel_ops;
12966 diff -urNp linux-2.6.35.4/arch/x86/kernel/module.c linux-2.6.35.4/arch/x86/kernel/module.c
12967 --- linux-2.6.35.4/arch/x86/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
12968 +++ linux-2.6.35.4/arch/x86/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
12970 #define DEBUGP(fmt...)
12973 -void *module_alloc(unsigned long size)
12974 +static void *__module_alloc(unsigned long size, pgprot_t prot)
12976 struct vm_struct *area;
12978 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
12982 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
12983 - PAGE_KERNEL_EXEC);
12984 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
12987 +void *module_alloc(unsigned long size)
12990 +#ifdef CONFIG_PAX_KERNEXEC
12991 + return __module_alloc(size, PAGE_KERNEL);
12993 + return __module_alloc(size, PAGE_KERNEL_EXEC);
12998 /* Free memory returned from module_alloc */
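Review bot: With CONFIG_PAX_KERNEXEC set, module_alloc() now returns `PAGE_KERNEL` memory, which is not executable, but nothing at the definition tells a caller so. A caller that copies code into the region would fault only at run time. I would add a comment above module_alloc(): `/* With CONFIG_PAX_KERNEXEC the region is PAGE_KERNEL (no execute); code must be placed with module_alloc_exec(). */`. The added `__GFP_ZERO` also changes the contract, since the region is now zero-filled, and belongs in the same comment. The `#else`/`#endif` lines of the conditional are not visible in this hunk.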
12999 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
13000 vfree(module_region);
13003 +#ifdef CONFIG_PAX_KERNEXEC
13004 +#ifdef CONFIG_X86_32
13005 +void *module_alloc_exec(unsigned long size)
13007 + struct vm_struct *area;
13012 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13013 + return area ? area->addr : NULL;
13015 +EXPORT_SYMBOL(module_alloc_exec);
13017 +void module_free_exec(struct module *mod, void *module_region)
13019 + vunmap(module_region);
13021 +EXPORT_SYMBOL(module_free_exec);
13023 +void module_free_exec(struct module *mod, void *module_region)
13025 + module_free(mod, module_region);
13027 +EXPORT_SYMBOL(module_free_exec);
13029 +void *module_alloc_exec(unsigned long size)
13031 + return __module_alloc(size, PAGE_KERNEL_RX);
13033 +EXPORT_SYMBOL(module_alloc_exec);
13037 /* We don't need anything special. */
13038 int module_frob_arch_sections(Elf_Ehdr *hdr,
13040 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13042 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13044 - uint32_t *location;
13045 + uint32_t *plocation, location;
13047 DEBUGP("Applying relocate section %u to %u\n", relsec,
13048 sechdrs[relsec].sh_info);
13049 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13050 /* This is where to make the change */
13051 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13052 - + rel[i].r_offset;
13053 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13054 + location = (uint32_t)plocation;
13055 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13056 + plocation = ktla_ktva((void *)plocation);
13057 /* This is the symbol it is referring to. Note that all
13058 undefined symbols have been resolved. */
13059 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
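Review bot: After this change `location` is an integer copy of the relocation address and `plocation` is the pointer actually written through, which is easy to misread because `location` was the pointer before. A comment at the assignment would make the split explicit: `/* location: address the code runs at, used for PC-relative math; plocation: address we store through */`. The meaning of `ktla_ktva()` is not shown in this hunk, so that wording should be checked against its definition. The next hunk depends on the split in the PC-relative case (`*plocation += sym->st_value - location;`), and apply_relocate's body continues outside this hunk.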
13060 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13061 switch (ELF32_R_TYPE(rel[i].r_info)) {
13063 /* We add the value into the location given */
13064 - *location += sym->st_value;
13065 + pax_open_kernel();
13066 + *plocation += sym->st_value;
13067 + pax_close_kernel();
13070 /* Add the value, subtract its postition */
13071 - *location += sym->st_value - (uint32_t)location;
13072 + pax_open_kernel();
13073 + *plocation += sym->st_value - location;
13074 + pax_close_kernel();
13077 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
13078 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13079 case R_X86_64_NONE:
13082 + pax_open_kernel();
13084 + pax_close_kernel();
13087 + pax_open_kernel();
13089 + pax_close_kernel();
13090 if (val != *(u32 *)loc)
13094 + pax_open_kernel();
13096 + pax_close_kernel();
13097 if ((s64)val != *(s32 *)loc)
13100 case R_X86_64_PC32:
13102 + pax_open_kernel();
13104 + pax_close_kernel();
13107 if ((s64)val != *(s32 *)loc)
13109 diff -urNp linux-2.6.35.4/arch/x86/kernel/paravirt.c linux-2.6.35.4/arch/x86/kernel/paravirt.c
13110 --- linux-2.6.35.4/arch/x86/kernel/paravirt.c 2010-08-26 19:47:12.000000000 -0400
13111 +++ linux-2.6.35.4/arch/x86/kernel/paravirt.c 2010-09-17 20:12:09.000000000 -0400
13112 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13113 * corresponding structure. */
13114 static void *get_call_destination(u8 type)
13116 - struct paravirt_patch_template tmpl = {
13117 + const struct paravirt_patch_template tmpl = {
13118 .pv_init_ops = pv_init_ops,
13119 .pv_time_ops = pv_time_ops,
13120 .pv_cpu_ops = pv_cpu_ops,
13121 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13122 if (opfunc == NULL)
13123 /* If there's no function, patch it with a ud2a (BUG) */
13124 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13125 - else if (opfunc == _paravirt_nop)
13126 + else if (opfunc == (void *)_paravirt_nop)
13127 /* If the operation is a nop, then nop the callsite */
13128 ret = paravirt_patch_nop();
13130 /* identity functions just return their single argument */
13131 - else if (opfunc == _paravirt_ident_32)
13132 + else if (opfunc == (void *)_paravirt_ident_32)
13133 ret = paravirt_patch_ident_32(insnbuf, len);
13134 - else if (opfunc == _paravirt_ident_64)
13135 + else if (opfunc == (void *)_paravirt_ident_64)
13136 ret = paravirt_patch_ident_64(insnbuf, len);
13138 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13139 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13140 if (insn_len > len || start == NULL)
13143 - memcpy(insnbuf, start, insn_len);
13144 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13148 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13152 -struct pv_info pv_info = {
13153 +struct pv_info pv_info __read_only = {
13154 .name = "bare hardware",
13155 .paravirt_enabled = 0,
13157 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13160 -struct pv_init_ops pv_init_ops = {
13161 +struct pv_init_ops pv_init_ops __read_only = {
13162 .patch = native_patch,
13165 -struct pv_time_ops pv_time_ops = {
13166 +struct pv_time_ops pv_time_ops __read_only = {
13167 .sched_clock = native_sched_clock,
13170 -struct pv_irq_ops pv_irq_ops = {
13171 +struct pv_irq_ops pv_irq_ops __read_only = {
13172 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13173 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13174 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
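Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` `__read_only` changes who may assign to them, and the definitions carry no note about it. The same applies to `pv_cpu_ops`, `pv_apic_ops` and `pv_mmu_ops` in the hunks below and to `pv_lock_ops` in paravirt-spinlocks.c. The definition of `__read_only` is not in this hunk. If it means the data is write-protected once the kernel finishes initialising, any code that fills in these tables has to run before that point or bracket the store with `pax_open_kernel()`/`pax_close_kernel()`; such writers are outside this diff section and should be audited. I would add a comment above the first table: `/* __read_only: may only be modified during early boot or inside pax_open_kernel()/pax_close_kernel() */`.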
13175 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13179 -struct pv_cpu_ops pv_cpu_ops = {
13180 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13181 .cpuid = native_cpuid,
13182 .get_debugreg = native_get_debugreg,
13183 .set_debugreg = native_set_debugreg,
13184 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13185 .end_context_switch = paravirt_nop,
13188 -struct pv_apic_ops pv_apic_ops = {
13189 +struct pv_apic_ops pv_apic_ops __read_only = {
13190 #ifdef CONFIG_X86_LOCAL_APIC
13191 .startup_ipi_hook = paravirt_nop,
13193 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13194 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13197 -struct pv_mmu_ops pv_mmu_ops = {
13198 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13200 .read_cr2 = native_read_cr2,
13201 .write_cr2 = native_write_cr2,
13202 @@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13205 .set_fixmap = native_set_fixmap,
13207 +#ifdef CONFIG_PAX_KERNEXEC
13208 + .pax_open_kernel = native_pax_open_kernel,
13209 + .pax_close_kernel = native_pax_close_kernel,
13214 EXPORT_SYMBOL_GPL(pv_time_ops);
13215 diff -urNp linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c
13216 --- linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c 2010-08-26 19:47:12.000000000 -0400
13217 +++ linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c 2010-09-17 20:12:09.000000000 -0400
13218 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13219 arch_spin_lock(lock);
13222 -struct pv_lock_ops pv_lock_ops = {
13223 +struct pv_lock_ops pv_lock_ops __read_only = {
13225 .spin_is_locked = __ticket_spin_is_locked,
13226 .spin_is_contended = __ticket_spin_is_contended,
13227 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c
13228 --- linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c 2010-08-26 19:47:12.000000000 -0400
13229 +++ linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c 2010-09-17 20:12:09.000000000 -0400
13230 @@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
13231 free_pages((unsigned long)vaddr, get_order(size));
13234 -static struct dma_map_ops calgary_dma_ops = {
13235 +static const struct dma_map_ops calgary_dma_ops = {
13236 .alloc_coherent = calgary_alloc_coherent,
13237 .free_coherent = calgary_free_coherent,
13238 .map_sg = calgary_map_sg,
13239 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-dma.c linux-2.6.35.4/arch/x86/kernel/pci-dma.c
13240 --- linux-2.6.35.4/arch/x86/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
13241 +++ linux-2.6.35.4/arch/x86/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
13244 static int forbid_dac __read_mostly;
13246 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13247 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13248 EXPORT_SYMBOL(dma_ops);
13250 static int iommu_sac_force __read_mostly;
13251 @@ -248,7 +248,7 @@ early_param("iommu", iommu_setup);
13253 int dma_supported(struct device *dev, u64 mask)
13255 - struct dma_map_ops *ops = get_dma_ops(dev);
13256 + const struct dma_map_ops *ops = get_dma_ops(dev);
13259 if (mask > 0xffffffff && forbid_dac > 0) {
13260 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c
13261 --- linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c 2010-08-26 19:47:12.000000000 -0400
13262 +++ linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c 2010-09-17 20:12:09.000000000 -0400
13263 @@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
13267 -static struct dma_map_ops gart_dma_ops = {
13268 +static const struct dma_map_ops gart_dma_ops = {
13269 .map_sg = gart_map_sg,
13270 .unmap_sg = gart_unmap_sg,
13271 .map_page = gart_map_page,
13272 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-nommu.c linux-2.6.35.4/arch/x86/kernel/pci-nommu.c
13273 --- linux-2.6.35.4/arch/x86/kernel/pci-nommu.c 2010-08-26 19:47:12.000000000 -0400
13274 +++ linux-2.6.35.4/arch/x86/kernel/pci-nommu.c 2010-09-17 20:12:09.000000000 -0400
13275 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13276 flush_write_buffers();
13279 -struct dma_map_ops nommu_dma_ops = {
13280 +const struct dma_map_ops nommu_dma_ops = {
13281 .alloc_coherent = dma_generic_alloc_coherent,
13282 .free_coherent = nommu_free_coherent,
13283 .map_sg = nommu_map_sg,
13284 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c
13285 --- linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
13286 +++ linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
13287 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13288 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13291 -static struct dma_map_ops swiotlb_dma_ops = {
13292 +static const struct dma_map_ops swiotlb_dma_ops = {
13293 .mapping_error = swiotlb_dma_mapping_error,
13294 .alloc_coherent = x86_swiotlb_alloc_coherent,
13295 .free_coherent = swiotlb_free_coherent,
13296 diff -urNp linux-2.6.35.4/arch/x86/kernel/process_32.c linux-2.6.35.4/arch/x86/kernel/process_32.c
13297 --- linux-2.6.35.4/arch/x86/kernel/process_32.c 2010-08-26 19:47:12.000000000 -0400
13298 +++ linux-2.6.35.4/arch/x86/kernel/process_32.c 2010-09-17 20:12:09.000000000 -0400
13299 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13300 unsigned long thread_saved_pc(struct task_struct *tsk)
13302 return ((unsigned long *)tsk->thread.sp)[3];
13303 +//XXX return tsk->thread.eip;
13307 @@ -126,7 +127,7 @@ void __show_regs(struct pt_regs *regs, i
13309 unsigned short ss, gs;
13311 - if (user_mode_vm(regs)) {
13312 + if (user_mode(regs)) {
13314 ss = regs->ss & 0xffff;
13315 gs = get_user_gs(regs);
13316 @@ -196,7 +197,7 @@ int copy_thread(unsigned long clone_flag
13317 struct task_struct *tsk;
13320 - childregs = task_pt_regs(p);
13321 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13322 *childregs = *regs;
13324 childregs->sp = sp;
13325 @@ -230,6 +231,7 @@ int copy_thread(unsigned long clone_flag
13326 * Set a new TLS for the child thread?
13328 if (clone_flags & CLONE_SETTLS)
13329 +//XXX needs set_fs()?
13330 err = do_set_thread_area(p, -1,
13331 (struct user_desc __user *)childregs->si, 0);
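Review bot: `//XXX needs set_fs()?` leaves an unresolved question inside copy_thread. It also sits between `if (clone_flags & CLONE_SETTLS)` and the statement that `if` controls, which makes the conditional easy to misread. do_set_thread_area() receives a `__user` pointer taken from `childregs->si`, and whether that pointer is valid under the current address limit is exactly what the marker asks, so it should be answered before merge. Once answered, replace the marker with a block comment above the `if`, for example `/* childregs->si is a user pointer; no set_fs() needed because <reason, to be filled in by the author> */`. The thread_saved_pc hunk above adds a similar `//XXX return tsk->thread.eip;` that should be removed or explained.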
13333 @@ -293,7 +295,7 @@ __switch_to(struct task_struct *prev_p,
13334 struct thread_struct *prev = &prev_p->thread,
13335 *next = &next_p->thread;
13336 int cpu = smp_processor_id();
13337 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13338 + struct tss_struct *tss = init_tss + cpu;
13341 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13342 @@ -328,6 +330,11 @@ __switch_to(struct task_struct *prev_p,
13344 lazy_save_gs(prev->gs);
13346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13347 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13348 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13352 * Load the per-thread Thread-Local Storage descriptor.
13354 @@ -404,3 +411,27 @@ unsigned long get_wchan(struct task_stru
13358 +#ifdef CONFIG_PAX_RANDKSTACK
13359 +asmlinkage void pax_randomize_kstack(void)
13361 + struct thread_struct *thread = ¤t->thread;
13362 + unsigned long time;
13364 + if (!randomize_va_space)
13369 + /* P4 seems to return a 0 LSB, ignore it */
13370 +#ifdef CONFIG_MPENTIUM4
13378 + thread->sp0 ^= time;
13379 + load_sp0(init_tss + smp_processor_id(), thread);
13382 diff -urNp linux-2.6.35.4/arch/x86/kernel/process_64.c linux-2.6.35.4/arch/x86/kernel/process_64.c
13383 --- linux-2.6.35.4/arch/x86/kernel/process_64.c 2010-08-26 19:47:12.000000000 -0400
13384 +++ linux-2.6.35.4/arch/x86/kernel/process_64.c 2010-09-17 20:12:09.000000000 -0400
13385 @@ -87,7 +87,7 @@ static void __exit_idle(void)
13386 void exit_idle(void)
13388 /* idle loop has pid 0 */
13389 - if (current->pid)
13390 + if (task_pid_nr(current))
13394 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
13395 struct thread_struct *prev = &prev_p->thread;
13396 struct thread_struct *next = &next_p->thread;
13397 int cpu = smp_processor_id();
13398 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13399 + struct tss_struct *tss = init_tss + cpu;
13400 unsigned fsindex, gsindex;
13403 @@ -528,12 +528,11 @@ unsigned long get_wchan(struct task_stru
13404 if (!p || p == current || p->state == TASK_RUNNING)
13406 stack = (unsigned long)task_stack_page(p);
13407 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13408 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13410 fp = *(u64 *)(p->thread.sp);
13412 - if (fp < (unsigned long)stack ||
13413 - fp >= (unsigned long)stack+THREAD_SIZE)
13414 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13416 ip = *(u64 *)(fp+8);
13417 if (!in_sched_functions(ip))
13418 diff -urNp linux-2.6.35.4/arch/x86/kernel/process.c linux-2.6.35.4/arch/x86/kernel/process.c
13419 --- linux-2.6.35.4/arch/x86/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
13420 +++ linux-2.6.35.4/arch/x86/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
13421 @@ -73,7 +73,7 @@ void exit_thread(void)
13422 unsigned long *bp = t->io_bitmap_ptr;
13425 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13426 + struct tss_struct *tss = init_tss + get_cpu();
13428 t->io_bitmap_ptr = NULL;
13429 clear_thread_flag(TIF_IO_BITMAP);
13430 @@ -117,6 +117,9 @@ void flush_thread(void)
13432 struct task_struct *tsk = current;
13434 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13435 + loadsegment(gs, 0);
13437 flush_ptrace_hw_breakpoint(tsk);
13438 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13440 @@ -279,8 +282,8 @@ int kernel_thread(int (*fn)(void *), voi
13441 regs.di = (unsigned long) arg;
13443 #ifdef CONFIG_X86_32
13444 - regs.ds = __USER_DS;
13445 - regs.es = __USER_DS;
13446 + regs.ds = __KERNEL_DS;
13447 + regs.es = __KERNEL_DS;
13448 regs.fs = __KERNEL_PERCPU;
13449 regs.gs = __KERNEL_STACK_CANARY;
13451 @@ -689,17 +692,3 @@ static int __init idle_setup(char *str)
13454 early_param("idle", idle_setup);
13456 -unsigned long arch_align_stack(unsigned long sp)
13458 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13459 - sp -= get_random_int() % 8192;
13460 - return sp & ~0xf;
13463 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13465 - unsigned long range_end = mm->brk + 0x02000000;
13466 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13469 diff -urNp linux-2.6.35.4/arch/x86/kernel/ptrace.c linux-2.6.35.4/arch/x86/kernel/ptrace.c
13470 --- linux-2.6.35.4/arch/x86/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
13471 +++ linux-2.6.35.4/arch/x86/kernel/ptrace.c 2010-09-17 20:12:09.000000000 -0400
13472 @@ -804,7 +804,7 @@ static const struct user_regset_view use
13473 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13476 - unsigned long __user *datap = (unsigned long __user *)data;
13477 + unsigned long __user *datap = (__force unsigned long __user *)data;
13480 /* read the word at location addr in the USER area. */
13481 @@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
13484 ret = do_get_thread_area(child, addr,
13485 - (struct user_desc __user *) data);
13486 + (__force struct user_desc __user *) data);
13489 case PTRACE_SET_THREAD_AREA:
13492 ret = do_set_thread_area(child, addr,
13493 - (struct user_desc __user *) data, 0);
13494 + (__force struct user_desc __user *) data, 0);
13498 @@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
13499 memset(info, 0, sizeof(*info));
13500 info->si_signo = SIGTRAP;
13501 info->si_code = si_code;
13502 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13503 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13506 void user_single_step_siginfo(struct task_struct *tsk,
13507 diff -urNp linux-2.6.35.4/arch/x86/kernel/reboot.c linux-2.6.35.4/arch/x86/kernel/reboot.c
13508 --- linux-2.6.35.4/arch/x86/kernel/reboot.c 2010-08-26 19:47:12.000000000 -0400
13509 +++ linux-2.6.35.4/arch/x86/kernel/reboot.c 2010-09-17 20:12:09.000000000 -0400
13510 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13511 EXPORT_SYMBOL(pm_power_off);
13513 static const struct desc_ptr no_idt = {};
13514 -static int reboot_mode;
13515 +static unsigned short reboot_mode;
13516 enum reboot_type reboot_type = BOOT_KBD;
13519 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13520 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13524 + { NULL, NULL, {{0, {0}}}, NULL}
13527 static int __init reboot_init(void)
13528 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13529 controller to pulse the CPU reset line, which is more thorough, but
13530 doesn't work with at least one type of 486 motherboard. It is easy
13531 to stop this code working; hence the copious comments. */
13532 -static const unsigned long long
13533 -real_mode_gdt_entries [3] =
13534 +static struct desc_struct
13535 +real_mode_gdt_entries [3] __read_only =
13537 - 0x0000000000000000ULL, /* Null descriptor */
13538 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13539 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13540 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13541 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13542 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13545 static const struct desc_ptr
13546 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13547 * specified by the code and length parameters.
13548 * We assume that length will aways be less that 100!
13550 -void machine_real_restart(const unsigned char *code, int length)
13551 +void machine_real_restart(const unsigned char *code, unsigned int length)
13553 local_irq_disable();
13555 @@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
13556 /* Remap the kernel at virtual address zero, as well as offset zero
13557 from the kernel segment. This assumes the kernel segment starts at
13558 virtual address PAGE_OFFSET. */
13559 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13560 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13561 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13562 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13565 * Use `swapper_pg_dir' as our page directory.
13566 @@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
13567 boot)". This seems like a fairly standard thing that gets set by
13568 REBOOT.COM programs, and the previous reset routine did this
13570 - *((unsigned short *)0x472) = reboot_mode;
13571 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13573 /* For the switch to real mode, copy some code to low memory. It has
13574 to be in the first 64k because it is running in 16-bit mode, and it
13575 has to have the same physical and virtual address, because it turns
13576 off paging. Copy it near the end of the first page, out of the way
13577 of BIOS variables. */
13578 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13579 - real_mode_switch, sizeof (real_mode_switch));
13580 - memcpy((void *)(0x1000 - 100), code, length);
13581 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13582 + memcpy(__va(0x1000 - 100), code, length);
13584 /* Set up the IDT for real mode. */
13585 load_idt(&real_mode_idt);
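Review bot: `memcpy(__va(0x1000 - 100), code, length)` still copies a caller-supplied `length` into a slot that is 100 bytes long, and the only protection is the header comment that length "will aways be less that 100". Making `length` unsigned in the earlier hunk removes the negative case but not the oversized one. An explicit bound before the copy, for example `BUG_ON(length > 100);`, would turn the documented assumption into an enforced one; the callers are not visible here, so whether any can exceed it cannot be told from the page. machine_real_restart starts and ends outside this hunk.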
13586 diff -urNp linux-2.6.35.4/arch/x86/kernel/setup.c linux-2.6.35.4/arch/x86/kernel/setup.c
13587 --- linux-2.6.35.4/arch/x86/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
13588 +++ linux-2.6.35.4/arch/x86/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
13589 @@ -704,7 +704,7 @@ static void __init trim_bios_range(void)
13590 * area (640->1Mb) as ram even though it is not.
13593 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13594 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13595 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13598 @@ -791,14 +791,14 @@ void __init setup_arch(char **cmdline_p)
13600 if (!boot_params.hdr.root_flags)
13601 root_mountflags &= ~MS_RDONLY;
13602 - init_mm.start_code = (unsigned long) _text;
13603 - init_mm.end_code = (unsigned long) _etext;
13604 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13605 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13606 init_mm.end_data = (unsigned long) _edata;
13607 init_mm.brk = _brk_end;
13609 - code_resource.start = virt_to_phys(_text);
13610 - code_resource.end = virt_to_phys(_etext)-1;
13611 - data_resource.start = virt_to_phys(_etext);
13612 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13613 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13614 + data_resource.start = virt_to_phys(_sdata);
13615 data_resource.end = virt_to_phys(_edata)-1;
13616 bss_resource.start = virt_to_phys(&__bss_start);
13617 bss_resource.end = virt_to_phys(&__bss_stop)-1;
13618 diff -urNp linux-2.6.35.4/arch/x86/kernel/setup_percpu.c linux-2.6.35.4/arch/x86/kernel/setup_percpu.c
13619 --- linux-2.6.35.4/arch/x86/kernel/setup_percpu.c 2010-08-26 19:47:12.000000000 -0400
13620 +++ linux-2.6.35.4/arch/x86/kernel/setup_percpu.c 2010-09-17 20:12:09.000000000 -0400
13621 @@ -21,19 +21,17 @@
13622 #include <asm/cpu.h>
13623 #include <asm/stackprotector.h>
13626 DEFINE_PER_CPU(int, cpu_number);
13627 EXPORT_PER_CPU_SYMBOL(cpu_number);
13630 -#ifdef CONFIG_X86_64
13631 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13633 -#define BOOT_PERCPU_OFFSET 0
13636 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13637 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13639 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13640 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13641 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13643 EXPORT_SYMBOL(__per_cpu_offset);
13644 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
13646 #ifdef CONFIG_X86_32
13647 struct desc_struct gdt;
13648 + unsigned long base = per_cpu_offset(cpu);
13650 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13651 - 0x2 | DESCTYPE_S, 0x8);
13653 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13654 + 0x83 | DESCTYPE_S, 0xC);
13655 write_gdt_entry(get_cpu_gdt_table(cpu),
13656 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
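Review bot: The new pack_descriptor() arguments `0x83 | DESCTYPE_S` and `0xC` are bare constants, and nothing says why the limit changed from `0xFFFFF` to `(VMALLOC_END - base - 1) >> PAGE_SHIFT`. Read against the x86 descriptor layout they appear to mean a present, accessed, read/write data segment with 4 KiB granularity and 32-bit default size. A comment such as `/* per-cpu segment: r/w data, page-granular, limit clipped at VMALLOC_END */` above the call would record that. The subtraction also wraps if `base` is ever at or above `VMALLOC_END`, which is not checked in the visible lines, so state that precondition in the comment or assert it. The enclosing function starts and ends outside this hunk.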
13658 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
13659 /* alrighty, percpu areas up and running */
13660 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13661 for_each_possible_cpu(cpu) {
13662 +#ifdef CONFIG_CC_STACKPROTECTOR
13663 +#ifdef CONFIG_x86_32
13664 + unsigned long canary = per_cpu(stack_canary, cpu);
13667 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13668 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13669 per_cpu(cpu_number, cpu) = cpu;
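Review bot: The guard `#ifdef CONFIG_x86_32` around the added `unsigned long canary = per_cpu(stack_canary, cpu);` is spelled with a lowercase `x`, while every other guard in this patch uses `CONFIG_X86_32`, so the symbol is never defined and the line is never compiled. The same misspelling guards the restore in the next hunk (`if (cpu == boot_cpu_id)` / `per_cpu(stack_canary, cpu) = canary;`), so the boot CPU's stack-protector canary is presumably not carried over to the new per-cpu area on 32-bit builds as intended. Both guards should read `#ifdef CONFIG_X86_32`. setup_per_cpu_areas starts and ends outside these hunks.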
13670 @@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
13671 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13674 +#ifdef CONFIG_CC_STACKPROTECTOR
13675 +#ifdef CONFIG_x86_32
13676 + if (cpu == boot_cpu_id)
13677 + per_cpu(stack_canary, cpu) = canary;
13681 * Up to this point, the boot CPU has been using .init.data
13682 * area. Reload any changed state for the boot CPU.
13683 diff -urNp linux-2.6.35.4/arch/x86/kernel/signal.c linux-2.6.35.4/arch/x86/kernel/signal.c
13684 --- linux-2.6.35.4/arch/x86/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
13685 +++ linux-2.6.35.4/arch/x86/kernel/signal.c 2010-09-17 20:12:09.000000000 -0400
13686 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13687 * Align the stack pointer according to the i386 ABI,
13688 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13690 - sp = ((sp + 4) & -16ul) - 4;
13691 + sp = ((sp - 12) & -16ul) - 4;
13692 #else /* !CONFIG_X86_32 */
13693 sp = round_down(sp, 16) - 8;
13695 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13696 * Return an always-bogus address instead so we will die with SIGSEGV.
13698 if (onsigstack && !likely(on_sig_stack(sp)))
13699 - return (void __user *)-1L;
13700 + return (__force void __user *)-1L;
13702 /* save i387 state */
13703 if (used_math() && save_i387_xstate(*fpstate) < 0)
13704 - return (void __user *)-1L;
13705 + return (__force void __user *)-1L;
13707 return (void __user *)sp;
13709 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13712 if (current->mm->context.vdso)
13713 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13714 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13716 - restorer = &frame->retcode;
13717 + restorer = (void __user *)&frame->retcode;
13718 if (ka->sa.sa_flags & SA_RESTORER)
13719 restorer = ka->sa.sa_restorer;
13721 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13722 * reasons and because gdb uses it as a signature to notice
13723 * signal handler stack frames.
13725 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13726 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13730 @@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
13731 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13733 /* Set up to return from userspace. */
13734 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13735 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13736 if (ka->sa.sa_flags & SA_RESTORER)
13737 restorer = ka->sa.sa_restorer;
13738 put_user_ex(restorer, &frame->pretcode);
13739 @@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
13740 * reasons and because gdb uses it as a signature to notice
13741 * signal handler stack frames.
13743 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13744 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13745 } put_user_catch(err);
13748 @@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
13749 * X86_32: vm86 regs switched out by assembly code before reaching
13750 * here, so testing against kernel CS suffices.
13752 - if (!user_mode(regs))
13753 + if (!user_mode_novm(regs))
13756 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13757 diff -urNp linux-2.6.35.4/arch/x86/kernel/smpboot.c linux-2.6.35.4/arch/x86/kernel/smpboot.c
13758 --- linux-2.6.35.4/arch/x86/kernel/smpboot.c 2010-08-26 19:47:12.000000000 -0400
13759 +++ linux-2.6.35.4/arch/x86/kernel/smpboot.c 2010-09-17 20:12:09.000000000 -0400
13760 @@ -780,7 +780,11 @@ do_rest:
13761 (unsigned long)task_stack_page(c_idle.idle) -
13762 KERNEL_STACK_OFFSET + THREAD_SIZE;
13765 + pax_open_kernel();
13766 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13767 + pax_close_kernel();
13769 initial_code = (unsigned long)start_secondary;
13770 stack_start.sp = (void *) c_idle.idle->thread.sp;
13772 @@ -920,6 +924,12 @@ int __cpuinit native_cpu_up(unsigned int
13774 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13776 +#ifdef CONFIG_PAX_PER_CPU_PGD
13777 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13778 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13779 + KERNEL_PGD_PTRS);
13782 #ifdef CONFIG_X86_32
13783 /* init low mem mapping */
13784 clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13785 diff -urNp linux-2.6.35.4/arch/x86/kernel/step.c linux-2.6.35.4/arch/x86/kernel/step.c
13786 --- linux-2.6.35.4/arch/x86/kernel/step.c 2010-08-26 19:47:12.000000000 -0400
13787 +++ linux-2.6.35.4/arch/x86/kernel/step.c 2010-09-17 20:12:09.000000000 -0400
13788 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13789 struct desc_struct *desc;
13790 unsigned long base;
13795 mutex_lock(&child->mm->context.lock);
13796 - if (unlikely((seg >> 3) >= child->mm->context.size))
13797 + if (unlikely(seg >= child->mm->context.size))
13798 addr = -1L; /* bogus selector, access would fault */
13800 desc = child->mm->context.ldt + seg;
13801 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
13802 unsigned char opcode[15];
13803 unsigned long addr = convert_ip_to_linear(child, regs);
13805 + if (addr == -EINVAL)
13808 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
13809 for (i = 0; i < copied; i++) {
13810 switch (opcode[i]) {
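Review bot: The added check `if (addr == -EINVAL)` does not match the failure value convert_ip_to_linear produces in the hunk above, where a bogus selector still yields `addr = -1L`. Unless that sentinel is changed on a line not shown here, the new early exit never fires and access_process_vm() is still called with the bogus address. Either compare against the value actually returned, `if (addr == -1L)`, or change the sentinel in convert_ip_to_linear to `-EINVAL` in the same patch. is_setting_trap_flag continues outside this hunk.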
13811 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
13813 #ifdef CONFIG_X86_64
13814 case 0x40 ... 0x4f:
13815 - if (regs->cs != __USER_CS)
13816 + if ((regs->cs & 0xffff) != __USER_CS)
13817 /* 32-bit mode: register increment */
13819 /* 64-bit mode: REX prefix */
13820 diff -urNp linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S
13821 --- linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S 2010-08-26 19:47:12.000000000 -0400
13822 +++ linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S 2010-09-17 20:12:09.000000000 -0400
13824 +.section .rodata,"a",@progbits
13825 ENTRY(sys_call_table)
13826 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
13828 diff -urNp linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c
13829 --- linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c 2010-08-26 19:47:12.000000000 -0400
13830 +++ linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c 2010-09-17 20:12:09.000000000 -0400
13831 @@ -24,6 +24,224 @@
13833 #include <asm/syscalls.h>
13835 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
13837 + unsigned long pax_task_size = TASK_SIZE;
13839 +#ifdef CONFIG_PAX_SEGMEXEC
13840 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13841 + pax_task_size = SEGMEXEC_TASK_SIZE;
13844 + if (len > pax_task_size || addr > pax_task_size - len)
13851 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
13852 + unsigned long len, unsigned long pgoff, unsigned long flags)
13854 + struct mm_struct *mm = current->mm;
13855 + struct vm_area_struct *vma;
13856 + unsigned long start_addr, pax_task_size = TASK_SIZE;
13858 +#ifdef CONFIG_PAX_SEGMEXEC
13859 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13860 + pax_task_size = SEGMEXEC_TASK_SIZE;
13863 + if (len > pax_task_size)
13866 + if (flags & MAP_FIXED)
13869 +#ifdef CONFIG_PAX_RANDMMAP
13870 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13874 + addr = PAGE_ALIGN(addr);
13875 + if (pax_task_size - len >= addr) {
13876 + vma = find_vma(mm, addr);
13877 + if (check_heap_stack_gap(vma, addr, len))
13881 + if (len > mm->cached_hole_size) {
13882 + start_addr = addr = mm->free_area_cache;
13884 + start_addr = addr = mm->mmap_base;
13885 + mm->cached_hole_size = 0;
13888 +#ifdef CONFIG_PAX_PAGEEXEC
13889 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
13890 + start_addr = 0x00110000UL;
13892 +#ifdef CONFIG_PAX_RANDMMAP
13893 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13894 + start_addr += mm->delta_mmap & 0x03FFF000UL;
13897 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
13898 + start_addr = addr = mm->mmap_base;
13900 + addr = start_addr;
13905 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
13906 + /* At this point: (!vma || addr < vma->vm_end). */
13907 + if (pax_task_size - len < addr) {
13909 + * Start a new search - just in case we missed
13912 + if (start_addr != mm->mmap_base) {
13913 + start_addr = addr = mm->mmap_base;
13914 + mm->cached_hole_size = 0;
13915 + goto full_search;
13919 + if (check_heap_stack_gap(vma, addr, len))
13921 + if (addr + mm->cached_hole_size < vma->vm_start)
13922 + mm->cached_hole_size = vma->vm_start - addr;
13923 + addr = vma->vm_end;
13924 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
13925 + start_addr = addr = mm->mmap_base;
13926 + mm->cached_hole_size = 0;
13927 + goto full_search;
13932 + * Remember the place where we stopped the search:
13934 + mm->free_area_cache = addr + len;
13939 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
13940 + const unsigned long len, const unsigned long pgoff,
13941 + const unsigned long flags)
13943 + struct vm_area_struct *vma;
13944 + struct mm_struct *mm = current->mm;
13945 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
13947 +#ifdef CONFIG_PAX_SEGMEXEC
13948 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13949 + pax_task_size = SEGMEXEC_TASK_SIZE;
13952 + /* requested length too big for entire address space */
13953 + if (len > pax_task_size)
13956 + if (flags & MAP_FIXED)
13959 +#ifdef CONFIG_PAX_PAGEEXEC
13960 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
13964 +#ifdef CONFIG_PAX_RANDMMAP
13965 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13968 + /* requesting a specific address */
13970 + addr = PAGE_ALIGN(addr);
13971 + if (pax_task_size - len >= addr) {
13972 + vma = find_vma(mm, addr);
13973 + if (check_heap_stack_gap(vma, addr, len))
13978 + /* check if free_area_cache is useful for us */
13979 + if (len <= mm->cached_hole_size) {
13980 + mm->cached_hole_size = 0;
13981 + mm->free_area_cache = mm->mmap_base;
13984 + /* either no address requested or can't fit in requested address hole */
13985 + addr = mm->free_area_cache;
13987 + /* make sure it can fit in the remaining address space */
13988 + if (addr > len) {
13989 + vma = find_vma(mm, addr-len);
13990 + if (check_heap_stack_gap(vma, addr - len, len))
13991 + /* remember the address as a hint for next time */
13992 + return (mm->free_area_cache = addr-len);
13995 + if (mm->mmap_base < len)
13998 + addr = mm->mmap_base-len;
14002 + * Lookup failure means no vma is above this address,
14003 + * else if new region fits below vma->vm_start,
14004 + * return with success:
14006 + vma = find_vma(mm, addr);
14007 + if (check_heap_stack_gap(vma, addr, len))
14008 + /* remember the address as a hint for next time */
14009 + return (mm->free_area_cache = addr);
14011 + /* remember the largest hole we saw so far */
14012 + if (addr + mm->cached_hole_size < vma->vm_start)
14013 + mm->cached_hole_size = vma->vm_start - addr;
14015 + /* try just below the current vma->vm_start */
14016 + addr = vma->vm_start-len;
14017 + } while (len < vma->vm_start);
14021 + * A failed mmap() very likely causes application failure,
14022 + * so fall back to the bottom-up function here. This scenario
14023 + * can happen with large stack limits and large mmap()
14027 +#ifdef CONFIG_PAX_SEGMEXEC
14028 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14029 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14033 + mm->mmap_base = TASK_UNMAPPED_BASE;
14035 +#ifdef CONFIG_PAX_RANDMMAP
14036 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14037 + mm->mmap_base += mm->delta_mmap;
14040 + mm->free_area_cache = mm->mmap_base;
14041 + mm->cached_hole_size = ~0UL;
14042 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14044 + * Restore the topdown base:
14046 + mm->mmap_base = base;
14047 + mm->free_area_cache = base;
14048 + mm->cached_hole_size = ~0UL;
14054 * Do a system call from kernel instead of calling sys_execve so we
14055 * end up with proper pt_regs.
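Review bot: Both search loops added here dereference `vma` right after `check_heap_stack_gap(vma, addr, len)` returns false (`vma->vm_start` in the `for` loop of arch_get_unmapped_area and in the `do … while` of arch_get_unmapped_area_topdown), so they are safe only if the helper returns true whenever find_vma() yields NULL. The helper is defined outside this hunk, so that contract cannot be confirmed from here. The upstream condition it replaces spelled the NULL case out as `!vma || addr + len <= vma->vm_start`, as the removed lines in the sys_x86_64.c hunks show. I would add a comment at each call site, e.g. `/* check_heap_stack_gap() must return true for a NULL vma */`, and document the same requirement on the helper itself.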
14056 diff -urNp linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c
14057 --- linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c 2010-08-26 19:47:12.000000000 -0400
14058 +++ linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c 2010-09-17 20:12:09.000000000 -0400
14059 @@ -32,8 +32,8 @@ out:
14063 -static void find_start_end(unsigned long flags, unsigned long *begin,
14064 - unsigned long *end)
14065 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14066 + unsigned long *begin, unsigned long *end)
14068 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14069 unsigned long new_begin;
14070 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
14071 *begin = new_begin;
14074 - *begin = TASK_UNMAPPED_BASE;
14075 + *begin = mm->mmap_base;
14079 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
14080 if (flags & MAP_FIXED)
14083 - find_start_end(flags, &begin, &end);
14084 + find_start_end(mm, flags, &begin, &end);
14089 +#ifdef CONFIG_PAX_RANDMMAP
14090 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14094 addr = PAGE_ALIGN(addr);
14095 vma = find_vma(mm, addr);
14096 - if (end - len >= addr &&
14097 - (!vma || addr + len <= vma->vm_start))
14098 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14101 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14102 @@ -106,7 +109,7 @@ full_search:
14106 - if (!vma || addr + len <= vma->vm_start) {
14107 + if (check_heap_stack_gap(vma, addr, len)) {
14109 * Remember the place where we stopped the search:
14111 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
14113 struct vm_area_struct *vma;
14114 struct mm_struct *mm = current->mm;
14115 - unsigned long addr = addr0;
14116 + unsigned long base = mm->mmap_base, addr = addr0;
14118 /* requested length too big for entire address space */
14119 if (len > TASK_SIZE)
14120 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
14121 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14124 +#ifdef CONFIG_PAX_RANDMMAP
14125 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14128 /* requesting a specific address */
14130 addr = PAGE_ALIGN(addr);
14131 vma = find_vma(mm, addr);
14132 - if (TASK_SIZE - len >= addr &&
14133 - (!vma || addr + len <= vma->vm_start))
14134 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
14138 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
14139 /* make sure it can fit in the remaining address space */
14141 vma = find_vma(mm, addr-len);
14142 - if (!vma || addr <= vma->vm_start)
14143 + if (check_heap_stack_gap(vma, addr - len, len))
14144 /* remember the address as a hint for next time */
14145 return mm->free_area_cache = addr-len;
14147 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14148 * return with success:
14150 vma = find_vma(mm, addr);
14151 - if (!vma || addr+len <= vma->vm_start)
14152 + if (check_heap_stack_gap(vma, addr, len))
14153 /* remember the address as a hint for next time */
14154 return mm->free_area_cache = addr;
14156 @@ -198,13 +204,21 @@ bottomup:
14157 * can happen with large stack limits and large mmap()
14160 + mm->mmap_base = TASK_UNMAPPED_BASE;
14162 +#ifdef CONFIG_PAX_RANDMMAP
14163 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14164 + mm->mmap_base += mm->delta_mmap;
14167 + mm->free_area_cache = mm->mmap_base;
14168 mm->cached_hole_size = ~0UL;
14169 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14170 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14172 * Restore the topdown base:
14174 - mm->free_area_cache = mm->mmap_base;
14175 + mm->mmap_base = base;
14176 + mm->free_area_cache = base;
14177 mm->cached_hole_size = ~0UL;
14180 diff -urNp linux-2.6.35.4/arch/x86/kernel/time.c linux-2.6.35.4/arch/x86/kernel/time.c
14181 --- linux-2.6.35.4/arch/x86/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
14182 +++ linux-2.6.35.4/arch/x86/kernel/time.c 2010-09-17 20:12:09.000000000 -0400
14183 @@ -26,17 +26,13 @@
14187 -#ifdef CONFIG_X86_64
14188 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14191 unsigned long profile_pc(struct pt_regs *regs)
14193 unsigned long pc = instruction_pointer(regs);
14195 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14196 + if (!user_mode(regs) && in_lock_functions(pc)) {
14197 #ifdef CONFIG_FRAME_POINTER
14198 - return *(unsigned long *)(regs->bp + sizeof(long));
14199 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14201 unsigned long *sp =
14202 (unsigned long *)kernel_stack_pointer(regs);
14203 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14204 * or above a saved flags. Eflags has bits 22-31 zero,
14205 * kernel addresses don't.
14208 +#ifdef CONFIG_PAX_KERNEXEC
14209 + return ktla_ktva(sp[0]);
14221 diff -urNp linux-2.6.35.4/arch/x86/kernel/tls.c linux-2.6.35.4/arch/x86/kernel/tls.c
14222 --- linux-2.6.35.4/arch/x86/kernel/tls.c 2010-08-26 19:47:12.000000000 -0400
14223 +++ linux-2.6.35.4/arch/x86/kernel/tls.c 2010-09-17 20:12:09.000000000 -0400
14224 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14225 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14228 +#ifdef CONFIG_PAX_SEGMEXEC
14229 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14233 set_tls_desc(p, idx, &info, 1);
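Review bot: The added SEGMEXEC check reads `p->mm->pax_flags` without testing `p->mm`, whereas the PAGEEXEC block this patch adds to do_general_protection guards the same field with `tsk->mm &&`. Whether do_set_thread_area can be reached for a task without an mm cannot be determined from this hunk, but if it can, this is a NULL dereference in kernel context. Writing the condition as `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` would make the two sites consistent. The function starts and ends outside this hunk.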
14236 diff -urNp linux-2.6.35.4/arch/x86/kernel/trampoline_32.S linux-2.6.35.4/arch/x86/kernel/trampoline_32.S
14237 --- linux-2.6.35.4/arch/x86/kernel/trampoline_32.S 2010-08-26 19:47:12.000000000 -0400
14238 +++ linux-2.6.35.4/arch/x86/kernel/trampoline_32.S 2010-09-17 20:12:09.000000000 -0400
14240 #include <asm/segment.h>
14241 #include <asm/page_types.h>
14243 +#ifdef CONFIG_PAX_KERNEXEC
14246 +#define ta(X) ((X) - __PAGE_OFFSET)
14249 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14252 @@ -60,7 +66,7 @@ r_base = .
14253 inc %ax # protected mode (PE) bit
14254 lmsw %ax # into protected mode
14255 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14256 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14257 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14259 # These need to be in the same 64K segment as the above;
14260 # hence we don't use the boot_gdt_descr defined in head.S
14261 diff -urNp linux-2.6.35.4/arch/x86/kernel/traps.c linux-2.6.35.4/arch/x86/kernel/traps.c
14262 --- linux-2.6.35.4/arch/x86/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
14263 +++ linux-2.6.35.4/arch/x86/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
14264 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14266 /* Do we ignore FPU interrupts ? */
14267 char ignore_fpu_irq;
14270 - * The IDT has to be page-aligned to simplify the Pentium
14271 - * F0 0F bug workaround.
14273 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14276 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14277 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14280 static void __kprobes
14281 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14282 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14283 long error_code, siginfo_t *info)
14285 struct task_struct *tsk = current;
14287 #ifdef CONFIG_X86_32
14288 - if (regs->flags & X86_VM_MASK) {
14289 + if (v8086_mode(regs)) {
14291 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14292 * On nmi (interrupt 2), do_trap should not be called.
14293 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14297 - if (!user_mode(regs))
14298 + if (!user_mode_novm(regs))
14301 #ifdef CONFIG_X86_32
14302 @@ -150,7 +144,7 @@ trap_signal:
14303 printk_ratelimit()) {
14305 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14306 - tsk->comm, tsk->pid, str,
14307 + tsk->comm, task_pid_nr(tsk), str,
14308 regs->ip, regs->sp, error_code);
14309 print_vma_addr(" in ", regs->ip);
14311 @@ -167,8 +161,20 @@ kernel_trap:
14312 if (!fixup_exception(regs)) {
14313 tsk->thread.error_code = error_code;
14314 tsk->thread.trap_no = trapnr;
14316 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14317 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14318 + str = "PAX: suspicious stack segment fault";
14321 die(str, regs, error_code);
14324 +#ifdef CONFIG_PAX_REFCOUNT
14326 + pax_report_refcount_overflow(regs);
14331 #ifdef CONFIG_X86_32
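Review bot: The kernel code-segment test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out in full under `kernel_trap:` and again in the `gp_in_kernel` hunk of this file, and the bare `trapnr == 12` does not say that it selects the stack-segment fault. A shared static inline predicate taking `regs` would keep the two "PAX: suspicious ..." diagnostics from drifting apart, and a comment such as `/* trap 12: stack segment fault */` would document the constant. Several lines of this hunk are missing from the listing, so the matching `#endif` and the condition guarding `pax_report_refcount_overflow(regs)` could not be reviewed.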
14332 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14333 conditional_sti(regs);
14335 #ifdef CONFIG_X86_32
14336 - if (regs->flags & X86_VM_MASK)
14337 + if (v8086_mode(regs))
14342 - if (!user_mode(regs))
14343 + if (!user_mode_novm(regs))
14346 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14347 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14348 + struct mm_struct *mm = tsk->mm;
14349 + unsigned long limit;
14351 + down_write(&mm->mmap_sem);
14352 + limit = mm->context.user_cs_limit;
14353 + if (limit < TASK_SIZE) {
14354 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14355 + up_write(&mm->mmap_sem);
14358 + up_write(&mm->mmap_sem);
14362 tsk->thread.error_code = error_code;
14363 tsk->thread.trap_no = 13;
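Review bot: The PAGEEXEC block in do_general_protection takes `mm->mmap_sem` for writing on the user-mode #GP path, with no comment saying why a general protection fault should lead to `track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC)`. Presumably a user code-segment limit below TASK_SIZE can itself raise the fault on CPUs without NX, and the handler widens the limit so the task can retry. If that is the intent, a comment above `down_write(&mm->mmap_sem);` such as `/* no NX: #GP may come from the user CS limit; widen it and retry */` would make the locking and the early exit reviewable. Both branches release the semaphore with `up_write(&mm->mmap_sem)`, but the statement after the first release is not shown in this listing, so the early exit is inferred.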
14365 @@ -297,6 +319,13 @@ gp_in_kernel:
14366 if (notify_die(DIE_GPF, "general protection fault", regs,
14367 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14370 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14371 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14372 + die("PAX: suspicious general protection fault", regs, error_code);
14376 die("general protection fault", regs, error_code);
14379 @@ -565,7 +594,7 @@ dotraplinkage void __kprobes do_debug(st
14380 /* It's safe to allow irq's after DR6 has been saved */
14381 preempt_conditional_sti(regs);
14383 - if (regs->flags & X86_VM_MASK) {
14384 + if (v8086_mode(regs)) {
14385 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14388 @@ -578,7 +607,7 @@ dotraplinkage void __kprobes do_debug(st
14389 * We already checked v86 mode above, so we can check for kernel mode
14390 * by just checking the CPL of CS.
14392 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14393 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14394 tsk->thread.debugreg6 &= ~DR_STEP;
14395 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14396 regs->flags &= ~X86_EFLAGS_TF;
14397 @@ -607,7 +636,7 @@ void math_error(struct pt_regs *regs, in
14399 conditional_sti(regs);
14401 - if (!user_mode_vm(regs))
14402 + if (!user_mode(regs))
14404 if (!fixup_exception(regs)) {
14405 task->thread.error_code = error_code;
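Review bot: `user_mode_vm(regs)` becomes `user_mode(regs)` in math_error while the other hunks in this file turn `user_mode(regs)` into `user_mode_novm(regs)`, so the meaning of `user_mode()` presumably changes elsewhere in the patch (the definitions are not in this hunk). These tests decide whether a trap is handled as a kernel or a user fault, and code written against the stock meaning of `user_mode()` would silently get a different check. A comment at the call, for example `/* user_mode() also covers vm86 mode in this tree */`, or the same note next to the macro definitions, would make the convention explicit. math_error's body continues outside the hunk.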
14406 diff -urNp linux-2.6.35.4/arch/x86/kernel/tsc.c linux-2.6.35.4/arch/x86/kernel/tsc.c
14407 --- linux-2.6.35.4/arch/x86/kernel/tsc.c 2010-08-26 19:47:12.000000000 -0400
14408 +++ linux-2.6.35.4/arch/x86/kernel/tsc.c 2010-09-17 20:12:09.000000000 -0400
14409 @@ -795,7 +795,7 @@ static struct dmi_system_id __initdata b
14410 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14414 + { NULL, NULL, {{0, {0}}}, NULL}
14417 static void __init check_system_tsc_reliable(void)
14418 diff -urNp linux-2.6.35.4/arch/x86/kernel/vm86_32.c linux-2.6.35.4/arch/x86/kernel/vm86_32.c
14419 --- linux-2.6.35.4/arch/x86/kernel/vm86_32.c 2010-08-26 19:47:12.000000000 -0400
14420 +++ linux-2.6.35.4/arch/x86/kernel/vm86_32.c 2010-09-17 20:12:37.000000000 -0400
14422 #include <linux/ptrace.h>
14423 #include <linux/audit.h>
14424 #include <linux/stddef.h>
14425 +#include <linux/grsecurity.h>
14427 #include <asm/uaccess.h>
14428 #include <asm/io.h>
14429 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14433 - tss = &per_cpu(init_tss, get_cpu());
14434 + tss = init_tss + get_cpu();
14435 current->thread.sp0 = current->thread.saved_sp0;
14436 current->thread.sysenter_cs = __KERNEL_CS;
14437 load_sp0(tss, ¤t->thread);
14438 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14439 struct task_struct *tsk;
14440 int tmp, ret = -EPERM;
14442 +#ifdef CONFIG_GRKERNSEC_VM86
14443 + if (!capable(CAP_SYS_RAWIO)) {
14444 + gr_handle_vm86();
14450 if (tsk->thread.saved_sp0)
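Review bot: The `CONFIG_GRKERNSEC_VM86` gate `if (!capable(CAP_SYS_RAWIO)) { gr_handle_vm86(); ...` is duplicated in sys_vm86old here and in sys_vm86 in the next hunk, and neither copy says why CAP_SYS_RAWIO is the capability chosen to restrict vm86. Folding the test into one static helper that both syscalls call would keep the policy in a single place, with a comment such as `/* vm86 mode is restricted to CAP_SYS_RAWIO when GRKERNSEC_VM86 is set */`. The lines after `gr_handle_vm86();` are missing from the listing, so the error value each syscall returns on denial could not be checked. In sys_vm86old `ret` starts as -EPERM, and the sys_vm86 copy should return the same.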
14452 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14454 struct vm86plus_struct __user *v86;
14456 +#ifdef CONFIG_GRKERNSEC_VM86
14457 + if (!capable(CAP_SYS_RAWIO)) {
14458 + gr_handle_vm86();
14466 case VM86_REQUEST_IRQ:
14467 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14468 tsk->thread.saved_fs = info->regs32->fs;
14469 tsk->thread.saved_gs = get_user_gs(info->regs32);
14471 - tss = &per_cpu(init_tss, get_cpu());
14472 + tss = init_tss + get_cpu();
14473 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14475 tsk->thread.sysenter_cs = 0;
14476 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14477 goto cannot_handle;
14478 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14479 goto cannot_handle;
14480 - intr_ptr = (unsigned long __user *) (i << 2);
14481 + intr_ptr = (__force unsigned long __user *) (i << 2);
14482 if (get_user(segoffs, intr_ptr))
14483 goto cannot_handle;
14484 if ((segoffs >> 16) == BIOSSEG)
14485 diff -urNp linux-2.6.35.4/arch/x86/kernel/vmi_32.c linux-2.6.35.4/arch/x86/kernel/vmi_32.c
14486 --- linux-2.6.35.4/arch/x86/kernel/vmi_32.c 2010-08-26 19:47:12.000000000 -0400
14487 +++ linux-2.6.35.4/arch/x86/kernel/vmi_32.c 2010-09-17 20:12:09.000000000 -0400
14488 @@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1)))
14489 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14491 #define call_vrom_func(rom,func) \
14492 - (((VROMFUNC *)(rom->func))())
14493 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
14495 #define call_vrom_long_func(rom,func,arg) \
14496 - (((VROMLONGFUNC *)(rom->func)) (arg))
14498 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14499 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14500 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14504 -static struct vrom_header *vmi_rom;
14505 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14506 static int disable_pge;
14507 static int disable_pse;
14508 static int disable_sep;
14509 @@ -78,10 +83,10 @@ static struct {
14510 void (*set_initial_ap_state)(int, int);
14511 void (*halt)(void);
14512 void (*set_lazy_mode)(int mode);
14514 +} vmi_ops __read_only;
14516 /* Cached VMI operations */
14517 -struct vmi_timer_ops vmi_timer_ops;
14518 +struct vmi_timer_ops vmi_timer_ops __read_only;
14521 * VMI patching routines.
14522 @@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
14523 static inline void patch_offset(void *insnbuf,
14524 unsigned long ip, unsigned long dest)
14526 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
14527 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
14530 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
14531 @@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
14534 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
14536 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14537 switch(rel->type) {
14538 case VMI_RELOCATION_CALL_REL:
14539 @@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
14541 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
14543 - const pte_t pte = { .pte = 0 };
14544 + const pte_t pte = __pte(0ULL);
14545 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
14548 static void vmi_pmd_clear(pmd_t *pmd)
14550 - const pte_t pte = { .pte = 0 };
14551 + const pte_t pte = __pte(0ULL);
14552 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
14555 @@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
14556 ap.ss = __KERNEL_DS;
14557 ap.esp = (unsigned long) start_esp;
14559 - ap.ds = __USER_DS;
14560 - ap.es = __USER_DS;
14561 + ap.ds = __KERNEL_DS;
14562 + ap.es = __KERNEL_DS;
14563 ap.fs = __KERNEL_PERCPU;
14564 ap.gs = __KERNEL_STACK_CANARY;
14566 @@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
14567 paravirt_leave_lazy_mmu();
14570 +#ifdef CONFIG_PAX_KERNEXEC
14571 +static unsigned long vmi_pax_open_kernel(void)
14576 +static unsigned long vmi_pax_close_kernel(void)
14582 static inline int __init check_vmi_rom(struct vrom_header *rom)
14584 struct pci_header *pci;
14585 @@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
14587 if (rom->vrom_signature != VMI_SIGNATURE)
14589 + if (rom->rom_length * 512 > sizeof(*rom)) {
14590 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
14593 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
14594 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
14595 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
14596 @@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
14597 struct vrom_header *romstart;
14598 romstart = (struct vrom_header *)isa_bus_to_virt(base);
14599 if (check_vmi_rom(romstart)) {
14600 - vmi_rom = romstart;
14601 + vmi_rom = *romstart;
14605 @@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
14607 para_fill(pv_irq_ops.safe_halt, Halt);
14609 +#ifdef CONFIG_PAX_KERNEXEC
14610 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
14611 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
14615 * Alternative instruction rewriting doesn't happen soon enough
14616 * to convert VMI_IRET to a call instead of a jump; so we have
14617 @@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
14619 void __init vmi_init(void)
14622 + if (!vmi_rom.rom_signature)
14625 - check_vmi_rom(vmi_rom);
14626 + check_vmi_rom(&vmi_rom);
14628 /* In case probing for or validating the ROM failed, basil */
14630 + if (!vmi_rom.rom_signature)
14633 - reserve_top_address(-vmi_rom->virtual_top);
14634 + reserve_top_address(-vmi_rom.virtual_top);
14636 #ifdef CONFIG_X86_IO_APIC
14637 /* This is virtual hardware; timer routing is wired correctly */
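Review bot: In vmi_init the result of `check_vmi_rom(&vmi_rom);` is discarded, so when validation of an already populated `vmi_rom` fails, the following `if (!vmi_rom.rom_signature)` test still sees a non-zero signature and initialisation appears to continue, although the comment says the function bails out "in case probing for or validating the ROM failed". The old pointer-based code had the same gap, but now that the header is a kernel-owned copy the failure can be recorded, e.g. `if (!check_vmi_rom(&vmi_rom)) vmi_rom.rom_signature = 0;` (provided `.vmi.rom` is still writable at this point), or by keeping the result in a local flag that the later test uses. The condition selecting between probing and checking is not shown in this listing, so this reading assumes an if/else around the two calls.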
14638 @@ -854,7 +881,7 @@ void __init vmi_activate(void)
14640 unsigned long flags;
14643 + if (!vmi_rom.rom_signature)
14646 local_irq_save(flags);
14647 diff -urNp linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S
14648 --- linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
14649 +++ linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
14651 #include <asm/page_types.h>
14652 #include <asm/cache.h>
14653 #include <asm/boot.h>
14654 +#include <asm/segment.h>
14656 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14657 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14659 +#define __KERNEL_TEXT_OFFSET 0
14662 #undef i386 /* in case the preprocessor is a 32bit one */
14664 @@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14665 #ifdef CONFIG_X86_32
14667 ENTRY(phys_startup_32)
14668 -jiffies = jiffies_64;
14670 OUTPUT_ARCH(i386:x86-64)
14671 ENTRY(phys_startup_64)
14672 -jiffies_64 = jiffies;
14675 +jiffies = jiffies_64;
14677 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14679 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
14680 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
14683 text PT_LOAD FLAGS(5); /* R_E */
14684 - data PT_LOAD FLAGS(7); /* RWE */
14685 +#ifdef CONFIG_X86_32
14686 + module PT_LOAD FLAGS(5); /* R_E */
14689 + rodata PT_LOAD FLAGS(5); /* R_E */
14691 + rodata PT_LOAD FLAGS(4); /* R__ */
14693 + data PT_LOAD FLAGS(6); /* RW_ */
14694 #ifdef CONFIG_X86_64
14695 user PT_LOAD FLAGS(5); /* R_E */
14697 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14699 percpu PT_LOAD FLAGS(6); /* RW_ */
14701 + text.init PT_LOAD FLAGS(5); /* R_E */
14702 + text.exit PT_LOAD FLAGS(5); /* R_E */
14703 init PT_LOAD FLAGS(7); /* RWE */
14705 note PT_NOTE FLAGS(0); /* ___ */
14710 #ifdef CONFIG_X86_32
14711 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14712 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14713 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14715 - . = __START_KERNEL;
14716 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14717 + . = __START_KERNEL;
14720 /* Text and read-only data */
14721 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14723 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14724 /* bootstrapping code */
14725 +#ifdef CONFIG_X86_32
14726 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14728 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14730 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14733 #ifdef CONFIG_X86_32
14734 . = ALIGN(PAGE_SIZE);
14735 @@ -108,13 +130,50 @@ SECTIONS
14739 - /* End of text section */
14743 - NOTES :text :note
14744 + . += __KERNEL_TEXT_OFFSET;
14746 +#ifdef CONFIG_X86_32
14747 + . = ALIGN(PAGE_SIZE);
14748 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
14752 + . = ALIGN(PAGE_SIZE);
14753 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14755 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14756 + MODULES_EXEC_VADDR = .;
14758 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14759 + . = ALIGN(HPAGE_SIZE);
14760 + MODULES_EXEC_END = . - 1;
14766 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14767 + /* End of text section */
14768 + _etext = . - __KERNEL_TEXT_OFFSET;
14771 +#ifdef CONFIG_X86_32
14772 + . = ALIGN(PAGE_SIZE);
14773 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14775 + . = ALIGN(PAGE_SIZE);
14776 + *(.empty_zero_page)
14777 + *(.swapper_pg_pmd)
14778 + *(.swapper_pg_dir)
14782 + . = ALIGN(PAGE_SIZE);
14783 + NOTES :rodata :note
14785 - EXCEPTION_TABLE(16) :text = 0x9090
14786 + EXCEPTION_TABLE(16) :rodata
14788 X64_ALIGN_DEBUG_RODATA_BEGIN
14790 @@ -122,16 +181,20 @@ SECTIONS
14793 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14795 +#ifdef CONFIG_PAX_KERNEXEC
14796 + . = ALIGN(HPAGE_SIZE);
14798 + . = ALIGN(PAGE_SIZE);
14801 /* Start of data section */
14805 INIT_TASK_DATA(THREAD_SIZE)
14807 -#ifdef CONFIG_X86_32
14808 - /* 32 bit has nosave before _edata */
14812 PAGE_ALIGNED_DATA(PAGE_SIZE)
14814 @@ -194,12 +257,6 @@ SECTIONS
14816 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14818 - . = ALIGN(L1_CACHE_BYTES);
14819 - .jiffies : AT(VLOAD(.jiffies)) {
14822 - jiffies = VVIRT(.jiffies);
14824 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14827 @@ -215,12 +272,19 @@ SECTIONS
14828 #endif /* CONFIG_X86_64 */
14830 /* Init code and data - will be freed after init */
14831 - . = ALIGN(PAGE_SIZE);
14832 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14835 +#ifdef CONFIG_PAX_KERNEXEC
14836 + . = ALIGN(HPAGE_SIZE);
14838 + . = ALIGN(PAGE_SIZE);
14841 __init_begin = .; /* paired with __init_end */
14845 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14848 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14849 * output PHDR, so the next output section - .init.text - should
14850 @@ -229,12 +293,27 @@ SECTIONS
14851 PERCPU_VADDR(0, :percpu)
14854 - INIT_TEXT_SECTION(PAGE_SIZE)
14855 -#ifdef CONFIG_X86_64
14858 + . = ALIGN(PAGE_SIZE);
14860 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14861 + VMLINUX_SYMBOL(_sinittext) = .;
14863 + VMLINUX_SYMBOL(_einittext) = .;
14864 + . = ALIGN(PAGE_SIZE);
14868 + * .exit.text is discard at runtime, not link time, to deal with
14869 + * references from .altinstructions and .eh_frame
14871 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14875 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14877 - INIT_DATA_SECTION(16)
14878 + . = ALIGN(PAGE_SIZE);
14879 + INIT_DATA_SECTION(16) :init
14881 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14882 __x86_cpu_dev_start = .;
14883 @@ -260,19 +339,11 @@ SECTIONS
14884 *(.altinstr_replacement)
14888 - * .exit.text is discard at runtime, not link time, to deal with
14889 - * references from .altinstructions and .eh_frame
14891 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14895 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14899 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14900 +#ifndef CONFIG_SMP
14904 @@ -291,16 +362,10 @@ SECTIONS
14905 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
14908 - . = ALIGN(PAGE_SIZE);
14909 __smp_locks_end = .;
14910 + . = ALIGN(PAGE_SIZE);
14913 -#ifdef CONFIG_X86_64
14914 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
14920 . = ALIGN(PAGE_SIZE);
14921 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
14922 @@ -316,6 +381,7 @@ SECTIONS
14924 . += 64 * 1024; /* 64k alignment slop space */
14925 *(.brk_reservation) /* areas brk users have reserved */
14926 + . = ALIGN(HPAGE_SIZE);
14930 @@ -342,13 +408,12 @@ SECTIONS
14931 * for the boot processor.
14933 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
14934 -INIT_PER_CPU(gdt_page);
14935 INIT_PER_CPU(irq_stack_union);
14938 * Build-time check on the image size:
14940 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
14941 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
14942 "kernel image bigger than KERNEL_IMAGE_SIZE");
14945 diff -urNp linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c
14946 --- linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c 2010-08-26 19:47:12.000000000 -0400
14947 +++ linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c 2010-09-17 20:12:09.000000000 -0400
14948 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
14950 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
14951 /* copy vsyscall data */
14952 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
14953 vsyscall_gtod_data.clock.vread = clock->vread;
14954 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
14955 vsyscall_gtod_data.clock.mask = clock->mask;
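Review bot: The added `strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);` is bounded correctly only if `clock.name` is a char array embedded in vsyscall_gtod_data; the member is declared outside this hunk, and with a pointer member `sizeof` would yield the pointer size instead. The copy also runs inside the `write_seqlock_irqsave` section on every update_vsyscall call, and nothing in the hunk says why the name is needed in the vsyscall data at all. A one-line comment above the call stating the purpose and that the destination is a fixed-size array would settle both questions. update_vsyscall's body continues outside the hunk.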
14956 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
14957 We do this here because otherwise user space would do it on
14958 its own in a likely inferior way (no access to jiffies).
14959 If you don't like it pass NULL. */
14960 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
14961 + if (tcache && tcache->blob[0] == (j = jiffies)) {
14962 p = tcache->blob[1];
14963 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
14964 /* Load per CPU data from RDTSCP */
14965 diff -urNp linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c
14966 --- linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c 2010-08-26 19:47:12.000000000 -0400
14967 +++ linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c 2010-09-17 20:12:09.000000000 -0400
14968 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
14969 EXPORT_SYMBOL(copy_user_generic_string);
14970 EXPORT_SYMBOL(copy_user_generic_unrolled);
14971 EXPORT_SYMBOL(__copy_user_nocache);
14972 -EXPORT_SYMBOL(_copy_from_user);
14973 -EXPORT_SYMBOL(_copy_to_user);
14975 EXPORT_SYMBOL(copy_page);
14976 EXPORT_SYMBOL(clear_page);
14977 diff -urNp linux-2.6.35.4/arch/x86/kernel/xsave.c linux-2.6.35.4/arch/x86/kernel/xsave.c
14978 --- linux-2.6.35.4/arch/x86/kernel/xsave.c 2010-08-26 19:47:12.000000000 -0400
14979 +++ linux-2.6.35.4/arch/x86/kernel/xsave.c 2010-09-17 20:12:09.000000000 -0400
14980 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
14981 fx_sw_user->xstate_size > fx_sw_user->extended_size)
14984 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
14985 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
14986 fx_sw_user->extended_size -
14987 FP_XSTATE_MAGIC2_SIZE));
14989 @@ -196,7 +196,7 @@ fx_only:
14990 * the other extended state.
14992 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
14993 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
14994 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
14998 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
15000 err = restore_user_xstate(buf);
15002 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15003 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15005 if (unlikely(err)) {
15007 diff -urNp linux-2.6.35.4/arch/x86/kvm/emulate.c linux-2.6.35.4/arch/x86/kvm/emulate.c
15008 --- linux-2.6.35.4/arch/x86/kvm/emulate.c 2010-08-26 19:47:12.000000000 -0400
15009 +++ linux-2.6.35.4/arch/x86/kvm/emulate.c 2010-09-17 20:12:09.000000000 -0400
15010 @@ -88,11 +88,11 @@
15011 #define Src2CL (1<<29)
15012 #define Src2ImmByte (2<<29)
15013 #define Src2One (3<<29)
15014 -#define Src2Imm16 (4<<29)
15015 -#define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
15016 +#define Src2Imm16 (4U<<29)
15017 +#define Src2Mem16 (5U<<29) /* Used for Ep encoding. First argument has to be
15018 in memory and second argument is located
15019 immediately after the first one in memory. */
15020 -#define Src2Mask (7<<29)
15021 +#define Src2Mask (7U<<29)
15024 Group1_80, Group1_81, Group1_82, Group1_83,
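Review bot: Only `Src2Imm16`, `Src2Mem16` and `Src2Mask` gain the `U` suffix, while `Src2CL (1<<29)`, `Src2ImmByte (2<<29)` and `Src2One (3<<29)` in the same group stay signed. The three changed values are the ones that do not fit in a signed int, so the fix itself is right, but the family now mixes signed and unsigned constants that are compared with one another after masking with `Src2Mask`. Writing the remaining three as `(1U<<29)`, `(2U<<29)` and `(3U<<29)` would keep the group uniform.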
15025 @@ -446,6 +446,7 @@ static u32 group2_table[] = {
15027 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
15029 + unsigned long _tmp; \
15030 __asm__ __volatile__ ( \
15031 _PRE_EFLAGS("0", "4", "2") \
15032 _op _suffix " %"_x"3,%1; " \
15033 @@ -459,8 +460,6 @@ static u32 group2_table[] = {
15034 /* Raw emulation: instruction has two explicit operands. */
15035 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15037 - unsigned long _tmp; \
15039 switch ((_dst).bytes) { \
15041 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
15042 @@ -476,7 +475,6 @@ static u32 group2_table[] = {
15044 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15046 - unsigned long _tmp; \
15047 switch ((_dst).bytes) { \
15049 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
15050 diff -urNp linux-2.6.35.4/arch/x86/kvm/lapic.c linux-2.6.35.4/arch/x86/kvm/lapic.c
15051 --- linux-2.6.35.4/arch/x86/kvm/lapic.c 2010-08-26 19:47:12.000000000 -0400
15052 +++ linux-2.6.35.4/arch/x86/kvm/lapic.c 2010-09-17 20:12:09.000000000 -0400
15054 #define APIC_BUS_CYCLE_NS 1
15056 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15057 -#define apic_debug(fmt, arg...)
15058 +#define apic_debug(fmt, arg...) do {} while (0)
15060 #define APIC_LVT_NUM 6
15061 /* 14 is the version for Xeon and Pentium 8.4.8*/
15062 diff -urNp linux-2.6.35.4/arch/x86/kvm/svm.c linux-2.6.35.4/arch/x86/kvm/svm.c
15063 --- linux-2.6.35.4/arch/x86/kvm/svm.c 2010-08-26 19:47:12.000000000 -0400
15064 +++ linux-2.6.35.4/arch/x86/kvm/svm.c 2010-09-17 20:12:09.000000000 -0400
15065 @@ -2796,7 +2796,11 @@ static void reload_tss(struct kvm_vcpu *
15066 int cpu = raw_smp_processor_id();
15068 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15070 + pax_open_kernel();
15071 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15072 + pax_close_kernel();
15077 @@ -3337,7 +3341,7 @@ static void svm_fpu_deactivate(struct kv
15078 update_cr0_intercept(svm);
15081 -static struct kvm_x86_ops svm_x86_ops = {
15082 +static const struct kvm_x86_ops svm_x86_ops = {
15083 .cpu_has_kvm_support = has_svm,
15084 .disabled_by_bios = is_disabled,
15085 .hardware_setup = svm_hardware_setup,
15086 diff -urNp linux-2.6.35.4/arch/x86/kvm/vmx.c linux-2.6.35.4/arch/x86/kvm/vmx.c
15087 --- linux-2.6.35.4/arch/x86/kvm/vmx.c 2010-08-26 19:47:12.000000000 -0400
15088 +++ linux-2.6.35.4/arch/x86/kvm/vmx.c 2010-09-17 20:12:09.000000000 -0400
15089 @@ -653,7 +653,11 @@ static void reload_tss(void)
15091 native_store_gdt(&gdt);
15092 descs = (void *)gdt.address;
15094 + pax_open_kernel();
15095 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15096 + pax_close_kernel();
15101 @@ -1550,8 +1554,11 @@ static __init int hardware_setup(void)
15102 if (!cpu_has_vmx_flexpriority())
15103 flexpriority_enabled = 0;
15105 - if (!cpu_has_vmx_tpr_shadow())
15106 - kvm_x86_ops->update_cr8_intercept = NULL;
15107 + if (!cpu_has_vmx_tpr_shadow()) {
15108 + pax_open_kernel();
15109 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15110 + pax_close_kernel();
15113 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15114 kvm_disable_largepages();
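Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` in hardware_setup writes through a cast into a table that this same patch declares `static const struct kvm_x86_ops vmx_x86_ops` (assuming `kvm_x86_ops` points at it here). Modifying a const-defined object is undefined in C, and the write works only because `pax_open_kernel()` lifts the write protection around it. The table can stay untouched if the decision moves into the callback: leave the pointer set and have the VMX implementation of update_cr8_intercept return at once when `!cpu_has_vmx_tpr_shadow()`. If the write is kept, a comment such as `/* ops table is const/read-only: one-time init patch, must stay inside pax_open_kernel() */` should mark it as the only sanctioned mutation. hardware_setup's body continues outside the hunk.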
15115 @@ -2533,7 +2540,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15116 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15118 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15119 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15120 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15121 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15122 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15123 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15124 @@ -3909,6 +3916,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15125 "jmp .Lkvm_vmx_return \n\t"
15126 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15127 ".Lkvm_vmx_return: "
15129 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15130 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15131 + ".Lkvm_vmx_return2: "
15134 /* Save guest registers, load host registers, keep flags */
15135 "xchg %0, (%%"R"sp) \n\t"
15136 "mov %%"R"ax, %c[rax](%0) \n\t"
15137 @@ -3955,8 +3968,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
15138 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15140 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15142 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15143 + ,[cs]"i"(__KERNEL_CS)
15147 - , R"bx", R"di", R"si"
15148 + , R"ax", R"bx", R"di", R"si"
15149 #ifdef CONFIG_X86_64
15150 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
15152 @@ -3970,7 +3988,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15153 if (vmx->rmode.irq.pending)
15154 fixup_rmode_irq(vmx);
15156 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15157 + asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
15160 vmx_complete_interrupts(vmx);
15161 @@ -4191,7 +4209,7 @@ static void vmx_set_supported_cpuid(u32
15165 -static struct kvm_x86_ops vmx_x86_ops = {
15166 +static const struct kvm_x86_ops vmx_x86_ops = {
15167 .cpu_has_kvm_support = cpu_has_kvm_support,
15168 .disabled_by_bios = vmx_disabled_by_bios,
15169 .hardware_setup = hardware_setup,
15170 diff -urNp linux-2.6.35.4/arch/x86/kvm/x86.c linux-2.6.35.4/arch/x86/kvm/x86.c
15171 --- linux-2.6.35.4/arch/x86/kvm/x86.c 2010-08-26 19:47:12.000000000 -0400
15172 +++ linux-2.6.35.4/arch/x86/kvm/x86.c 2010-09-17 20:12:09.000000000 -0400
15173 @@ -86,7 +86,7 @@ static void update_cr8_intercept(struct
15174 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15175 struct kvm_cpuid_entry2 __user *entries);
15177 -struct kvm_x86_ops *kvm_x86_ops;
15178 +const struct kvm_x86_ops *kvm_x86_ops;
15179 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15181 int ignore_msrs = 0;
15182 @@ -112,38 +112,38 @@ static struct kvm_shared_msrs_global __r
15183 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15185 struct kvm_stats_debugfs_item debugfs_entries[] = {
15186 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15187 - { "pf_guest", VCPU_STAT(pf_guest) },
15188 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15189 - { "invlpg", VCPU_STAT(invlpg) },
15190 - { "exits", VCPU_STAT(exits) },
15191 - { "io_exits", VCPU_STAT(io_exits) },
15192 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15193 - { "signal_exits", VCPU_STAT(signal_exits) },
15194 - { "irq_window", VCPU_STAT(irq_window_exits) },
15195 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15196 - { "halt_exits", VCPU_STAT(halt_exits) },
15197 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15198 - { "hypercalls", VCPU_STAT(hypercalls) },
15199 - { "request_irq", VCPU_STAT(request_irq_exits) },
15200 - { "irq_exits", VCPU_STAT(irq_exits) },
15201 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15202 - { "efer_reload", VCPU_STAT(efer_reload) },
15203 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15204 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15205 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15206 - { "irq_injections", VCPU_STAT(irq_injections) },
15207 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15208 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15209 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15210 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15211 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15212 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15213 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15214 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15215 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15216 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15217 - { "largepages", VM_STAT(lpages) },
15218 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15219 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15220 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15221 + { "invlpg", VCPU_STAT(invlpg), NULL },
15222 + { "exits", VCPU_STAT(exits), NULL },
15223 + { "io_exits", VCPU_STAT(io_exits), NULL },
15224 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15225 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15226 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15227 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15228 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15229 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15230 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15231 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15232 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15233 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15234 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15235 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15236 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15237 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15238 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15239 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15240 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15241 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15242 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15243 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15244 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15245 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15246 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15247 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15248 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15249 + { "largepages", VM_STAT(lpages), NULL },
15253 @@ -1672,6 +1672,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15254 if (n < msr_list.nmsrs)
15257 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15259 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15260 num_msrs_to_save * sizeof(u32)))
15262 @@ -2103,7 +2105,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15263 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15264 struct kvm_interrupt *irq)
15266 - if (irq->irq < 0 || irq->irq >= 256)
15267 + if (irq->irq >= 256)
15269 if (irqchip_in_kernel(vcpu->kvm))
15271 @@ -4070,10 +4072,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15273 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15275 -int kvm_arch_init(void *opaque)
15276 +int kvm_arch_init(const void *opaque)
15279 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15280 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15283 printk(KERN_ERR "kvm: already loaded the other module\n");
15284 diff -urNp linux-2.6.35.4/arch/x86/lib/checksum_32.S linux-2.6.35.4/arch/x86/lib/checksum_32.S
15285 --- linux-2.6.35.4/arch/x86/lib/checksum_32.S 2010-08-26 19:47:12.000000000 -0400
15286 +++ linux-2.6.35.4/arch/x86/lib/checksum_32.S 2010-09-17 20:12:09.000000000 -0400
15288 #include <linux/linkage.h>
15289 #include <asm/dwarf2.h>
15290 #include <asm/errno.h>
15292 +#include <asm/segment.h>
15295 * computes a partial checksum, e.g. for TCP/UDP fragments
15297 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15302 -ENTRY(csum_partial_copy_generic)
15304 +ENTRY(csum_partial_copy_generic_to_user)
15306 + pushl $(__USER_DS)
15307 + CFI_ADJUST_CFA_OFFSET 4
15309 + CFI_ADJUST_CFA_OFFSET -4
15310 + jmp csum_partial_copy_generic
15312 +ENTRY(csum_partial_copy_generic_from_user)
15313 + pushl $(__USER_DS)
15314 + CFI_ADJUST_CFA_OFFSET 4
15316 + CFI_ADJUST_CFA_OFFSET -4
15318 +ENTRY(csum_partial_copy_generic)
15320 CFI_ADJUST_CFA_OFFSET 4
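Review bot: `csum_partial_copy_generic_from_user` has no `jmp` and relies on falling through into `ENTRY(csum_partial_copy_generic)` directly below it, whereas `csum_partial_copy_generic_to_user` ends with an explicit `jmp csum_partial_copy_generic`. Because each wrapper pushes `__USER_DS` for a segment load before entering the common body, anything later inserted between the second wrapper and the shared entry would run with that segment live. A comment on the last wrapper line, e.g. `/* falls through to csum_partial_copy_generic */`, would make the dependency explicit. The pop that follows each `pushl $(__USER_DS)` is missing from this listing, so which segment register each wrapper loads could not be confirmed.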
15322 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15324 SRC(1: movw (%esi), %bx )
15326 -DST( movw %bx, (%edi) )
15327 +DST( movw %bx, %es:(%edi) )
15331 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
15332 SRC(1: movl (%esi), %ebx )
15333 SRC( movl 4(%esi), %edx )
15335 -DST( movl %ebx, (%edi) )
15336 +DST( movl %ebx, %es:(%edi) )
15338 -DST( movl %edx, 4(%edi) )
15339 +DST( movl %edx, %es:4(%edi) )
15341 SRC( movl 8(%esi), %ebx )
15342 SRC( movl 12(%esi), %edx )
15344 -DST( movl %ebx, 8(%edi) )
15345 +DST( movl %ebx, %es:8(%edi) )
15347 -DST( movl %edx, 12(%edi) )
15348 +DST( movl %edx, %es:12(%edi) )
15350 SRC( movl 16(%esi), %ebx )
15351 SRC( movl 20(%esi), %edx )
15353 -DST( movl %ebx, 16(%edi) )
15354 +DST( movl %ebx, %es:16(%edi) )
15356 -DST( movl %edx, 20(%edi) )
15357 +DST( movl %edx, %es:20(%edi) )
15359 SRC( movl 24(%esi), %ebx )
15360 SRC( movl 28(%esi), %edx )
15362 -DST( movl %ebx, 24(%edi) )
15363 +DST( movl %ebx, %es:24(%edi) )
15365 -DST( movl %edx, 28(%edi) )
15366 +DST( movl %edx, %es:28(%edi) )
15370 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
15371 shrl $2, %edx # This clears CF
15372 SRC(3: movl (%esi), %ebx )
15374 -DST( movl %ebx, (%edi) )
15375 +DST( movl %ebx, %es:(%edi) )
15379 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
15381 SRC( movw (%esi), %cx )
15383 -DST( movw %cx, (%edi) )
15384 +DST( movw %cx, %es:(%edi) )
15388 SRC(5: movb (%esi), %cl )
15389 -DST( movb %cl, (%edi) )
15390 +DST( movb %cl, %es:(%edi) )
15394 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
15397 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15398 - movl $-EFAULT, (%ebx)
15399 + movl $-EFAULT, %ss:(%ebx)
15401 # zero the complete destination - computing the rest
15403 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
15406 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15407 - movl $-EFAULT,(%ebx)
15408 + movl $-EFAULT,%ss:(%ebx)
15414 + CFI_ADJUST_CFA_OFFSET 4
15416 + CFI_ADJUST_CFA_OFFSET -4
15418 + CFI_ADJUST_CFA_OFFSET 4
15420 + CFI_ADJUST_CFA_OFFSET -4
15422 CFI_ADJUST_CFA_OFFSET -4
15424 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
15425 CFI_ADJUST_CFA_OFFSET -4
15428 -ENDPROC(csum_partial_copy_generic)
15429 +ENDPROC(csum_partial_copy_generic_to_user)
15433 /* Version for PentiumII/PPro */
15435 #define ROUND1(x) \
15437 SRC(movl x(%esi), %ebx ) ; \
15438 addl %ebx, %eax ; \
15439 - DST(movl %ebx, x(%edi) ) ;
15440 + DST(movl %ebx, %es:x(%edi)) ;
15444 SRC(movl x(%esi), %ebx ) ; \
15445 adcl %ebx, %eax ; \
15446 - DST(movl %ebx, x(%edi) ) ;
15447 + DST(movl %ebx, %es:x(%edi)) ;
15451 -ENTRY(csum_partial_copy_generic)
15453 +ENTRY(csum_partial_copy_generic_to_user)
15455 + pushl $(__USER_DS)
15456 + CFI_ADJUST_CFA_OFFSET 4
15458 + CFI_ADJUST_CFA_OFFSET -4
15459 + jmp csum_partial_copy_generic
15461 +ENTRY(csum_partial_copy_generic_from_user)
15462 + pushl $(__USER_DS)
15463 + CFI_ADJUST_CFA_OFFSET 4
15465 + CFI_ADJUST_CFA_OFFSET -4
15467 +ENTRY(csum_partial_copy_generic)
15469 CFI_ADJUST_CFA_OFFSET 4
15470 CFI_REL_OFFSET ebx, 0
15471 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
15475 - lea 3f(%ebx,%ebx), %ebx
15476 + lea 3f(%ebx,%ebx,2), %ebx
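Review bot: The index scale in `lea 3f(%ebx,%ebx,2), %ebx` is a magic number tied to the encoded size of one `ROUND` expansion, and nothing next to it says so. The change from `(%ebx,%ebx)` to `(%ebx,%ebx,2)` presumably tracks the edits to `ROUND1`/`ROUND` in the previous hunk, which lengthen each unrolled step. I would add a comment at the `lea`, e.g. `# 3f + 3*%ebx: must match the byte length of one ROUND expansion`, so a later edit to the macros does not leave the computed jump landing inside an instruction. The surrounding function is outside the hunk.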
15480 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
15482 SRC( movw (%esi), %dx )
15484 -DST( movw %dx, (%edi) )
15485 +DST( movw %dx, %es:(%edi) )
15490 SRC( movb (%esi), %dl )
15491 -DST( movb %dl, (%edi) )
15492 +DST( movb %dl, %es:(%edi) )
15496 .section .fixup, "ax"
15497 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15498 - movl $-EFAULT, (%ebx)
15499 + movl $-EFAULT, %ss:(%ebx)
15500 # zero the complete destination (computing the rest is too much work)
15501 movl ARGBASE+8(%esp),%edi # dst
15502 movl ARGBASE+12(%esp),%ecx # len
15503 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
15506 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15507 - movl $-EFAULT, (%ebx)
15508 + movl $-EFAULT, %ss:(%ebx)
15513 + CFI_ADJUST_CFA_OFFSET 4
15515 + CFI_ADJUST_CFA_OFFSET -4
15517 + CFI_ADJUST_CFA_OFFSET 4
15519 + CFI_ADJUST_CFA_OFFSET -4
15521 CFI_ADJUST_CFA_OFFSET -4
15523 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
15527 -ENDPROC(csum_partial_copy_generic)
15528 +ENDPROC(csum_partial_copy_generic_to_user)
15532 diff -urNp linux-2.6.35.4/arch/x86/lib/clear_page_64.S linux-2.6.35.4/arch/x86/lib/clear_page_64.S
15533 --- linux-2.6.35.4/arch/x86/lib/clear_page_64.S 2010-08-26 19:47:12.000000000 -0400
15534 +++ linux-2.6.35.4/arch/x86/lib/clear_page_64.S 2010-09-17 20:12:09.000000000 -0400
15535 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15537 #include <asm/cpufeature.h>
15539 - .section .altinstr_replacement,"ax"
15540 + .section .altinstr_replacement,"a"
15541 1: .byte 0xeb /* jmp <disp8> */
15542 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
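Review bot: The `x` flag is dropped from `.section .altinstr_replacement` without a comment, and the same edit recurs in copy_page_64.S and in the `ALTERNATIVE_JUMP` macro of copy_user_64.S. The reason is not visible in the diff; presumably the replacement bytes are only copied over the original instruction site and never executed from this section, so it can be kept out of executable mappings. One line at each site, e.g. `/* "a" only: replacement code is copied into place, never run from this section */`, would keep the flag from being restored by someone who reads it as a typo.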
15544 diff -urNp linux-2.6.35.4/arch/x86/lib/copy_page_64.S linux-2.6.35.4/arch/x86/lib/copy_page_64.S
15545 --- linux-2.6.35.4/arch/x86/lib/copy_page_64.S 2010-08-26 19:47:12.000000000 -0400
15546 +++ linux-2.6.35.4/arch/x86/lib/copy_page_64.S 2010-09-17 20:12:09.000000000 -0400
15547 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15549 #include <asm/cpufeature.h>
15551 - .section .altinstr_replacement,"ax"
15552 + .section .altinstr_replacement,"a"
15553 1: .byte 0xeb /* jmp <disp8> */
15554 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15556 diff -urNp linux-2.6.35.4/arch/x86/lib/copy_user_64.S linux-2.6.35.4/arch/x86/lib/copy_user_64.S
15557 --- linux-2.6.35.4/arch/x86/lib/copy_user_64.S 2010-08-26 19:47:12.000000000 -0400
15558 +++ linux-2.6.35.4/arch/x86/lib/copy_user_64.S 2010-09-17 20:12:09.000000000 -0400
15559 @@ -15,13 +15,14 @@
15560 #include <asm/asm-offsets.h>
15561 #include <asm/thread_info.h>
15562 #include <asm/cpufeature.h>
15563 +#include <asm/pgtable.h>
15565 .macro ALTERNATIVE_JUMP feature,orig,alt
15567 .byte 0xe9 /* 32bit jump */
15568 .long \orig-1f /* by default jump to orig */
15570 - .section .altinstr_replacement,"ax"
15571 + .section .altinstr_replacement,"a"
15572 2: .byte 0xe9 /* near jump with 32bit immediate */
15573 .long \alt-1b /* offset */ /* or alternatively to alt */
15575 @@ -64,37 +65,13 @@
15579 -/* Standard copy_to_user with segment limit checking */
15580 -ENTRY(_copy_to_user)
15582 - GET_THREAD_INFO(%rax)
15586 - cmpq TI_addr_limit(%rax),%rcx
15588 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15590 -ENDPROC(_copy_to_user)
15592 -/* Standard copy_from_user with segment limit checking */
15593 -ENTRY(_copy_from_user)
15595 - GET_THREAD_INFO(%rax)
15599 - cmpq TI_addr_limit(%rax),%rcx
15600 - jae bad_from_user
15601 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15603 -ENDPROC(_copy_from_user)
15605 .section .fixup,"ax"
15606 /* must zero dest */
15607 ENTRY(bad_from_user)
15615 diff -urNp linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S
15616 --- linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S 2010-08-26 19:47:12.000000000 -0400
15617 +++ linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S 2010-09-17 20:12:09.000000000 -0400
15619 #include <asm/current.h>
15620 #include <asm/asm-offsets.h>
15621 #include <asm/thread_info.h>
15622 +#include <asm/pgtable.h>
15624 .macro ALIGN_DESTINATION
15625 #ifdef FIX_ALIGNMENT
15628 ENTRY(__copy_user_nocache)
15631 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15632 + mov $PAX_USER_SHADOW_BASE,%rcx
15640 jb 20f /* less then 8 bytes, go to byte copy loop */
15642 diff -urNp linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c
15643 --- linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c 2010-08-26 19:47:12.000000000 -0400
15644 +++ linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c 2010-09-17 20:12:09.000000000 -0400
15645 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15649 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15650 + src += PAX_USER_SHADOW_BASE;
15651 isum = csum_partial_copy_generic((__force const void *)src,
15652 dst, len, isum, errp, NULL);
15653 if (unlikely(*errp))
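Review bot: The rebasing `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` in csum_partial_copy_from_user is open-coded and is repeated for `dst` in csum_partial_copy_to_user in the next hunk. Going by the hunk headers only these two lines are added at each site, so there is no `CONFIG_PAX_MEMORY_UDEREF` guard here, while the equivalent assembly in getuser.S is guarded. The definition of `PAX_USER_SHADOW_BASE` is not in this part of the diff, so whether the adjustment becomes a no-op without that option cannot be confirmed from here. A single inline helper used by both wrappers, with a comment that pointers already at or above the base pass through unchanged, would keep the two sites from drifting. Both function bodies extend beyond their hunks.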
15654 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15658 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15659 + dst += PAX_USER_SHADOW_BASE;
15660 return csum_partial_copy_generic(src, (void __force *)dst,
15661 len, isum, NULL, errp);
15663 diff -urNp linux-2.6.35.4/arch/x86/lib/getuser.S linux-2.6.35.4/arch/x86/lib/getuser.S
15664 --- linux-2.6.35.4/arch/x86/lib/getuser.S 2010-08-26 19:47:12.000000000 -0400
15665 +++ linux-2.6.35.4/arch/x86/lib/getuser.S 2010-09-17 20:12:09.000000000 -0400
15666 @@ -33,14 +33,38 @@
15667 #include <asm/asm-offsets.h>
15668 #include <asm/thread_info.h>
15669 #include <asm/asm.h>
15670 +#include <asm/segment.h>
15671 +#include <asm/pgtable.h>
15674 ENTRY(__get_user_1)
15677 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15678 + pushl $(__USER_DS)
15681 GET_THREAD_INFO(%_ASM_DX)
15682 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15685 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15686 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15687 + cmp %_ASM_DX,%_ASM_AX
15689 + add %_ASM_DX,%_ASM_AX
15695 1: movzb (%_ASM_AX),%edx
15697 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
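Review bot: The `mov $PAX_USER_SHADOW_BASE,%_ASM_DX` / `cmp %_ASM_DX,%_ASM_AX` / `add %_ASM_DX,%_ASM_AX` sequence in `__get_user_1` is pasted again into `__get_user_2`, `__get_user_4` and `__get_user_8` in the following hunks, as is the 32-bit `pushl $(__USER_DS)` prologue. Four hand-maintained copies of a user-pointer check are easy to let diverge. An assembler macro holding the sequence once, invoked from each entry point, would make a later fix apply everywhere. The sequence also reuses `%_ASM_DX` right after the `TI_addr_limit` compare, which deserves a short comment such as `/* %_ASM_DX is free again after the addr_limit compare */`. Some lines of each sequence are not shown, so the macro boundary has to be chosen against the full file.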
15705 @@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
15706 ENTRY(__get_user_2)
15710 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15711 + pushl $(__USER_DS)
15715 GET_THREAD_INFO(%_ASM_DX)
15716 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15719 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15720 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15721 + cmp %_ASM_DX,%_ASM_AX
15723 + add %_ASM_DX,%_ASM_AX
15729 2: movzwl -1(%_ASM_AX),%edx
15731 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15739 @@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
15740 ENTRY(__get_user_4)
15744 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15745 + pushl $(__USER_DS)
15749 GET_THREAD_INFO(%_ASM_DX)
15750 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15753 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15754 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15755 + cmp %_ASM_DX,%_ASM_AX
15757 + add %_ASM_DX,%_ASM_AX
15763 3: mov -3(%_ASM_AX),%edx
15765 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15773 @@ -80,6 +148,15 @@ ENTRY(__get_user_8)
15774 GET_THREAD_INFO(%_ASM_DX)
15775 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15778 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15779 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15780 + cmp %_ASM_DX,%_ASM_AX
15782 + add %_ASM_DX,%_ASM_AX
15786 4: movq -7(%_ASM_AX),%_ASM_DX
15789 @@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
15794 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15800 mov $(-EFAULT),%_ASM_AX
15802 diff -urNp linux-2.6.35.4/arch/x86/lib/insn.c linux-2.6.35.4/arch/x86/lib/insn.c
15803 --- linux-2.6.35.4/arch/x86/lib/insn.c 2010-08-26 19:47:12.000000000 -0400
15804 +++ linux-2.6.35.4/arch/x86/lib/insn.c 2010-09-17 20:12:09.000000000 -0400
15806 #include <linux/string.h>
15807 #include <asm/inat.h>
15808 #include <asm/insn.h>
15809 +#include <asm/pgtable_types.h>
15811 #define get_next(t, insn) \
15812 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15814 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15816 memset(insn, 0, sizeof(*insn));
15817 - insn->kaddr = kaddr;
15818 - insn->next_byte = kaddr;
15819 + insn->kaddr = ktla_ktva(kaddr);
15820 + insn->next_byte = ktla_ktva(kaddr);
15821 insn->x86_64 = x86_64 ? 1 : 0;
15822 insn->opnd_bytes = 4;
15824 diff -urNp linux-2.6.35.4/arch/x86/lib/mmx_32.c linux-2.6.35.4/arch/x86/lib/mmx_32.c
15825 --- linux-2.6.35.4/arch/x86/lib/mmx_32.c 2010-08-26 19:47:12.000000000 -0400
15826 +++ linux-2.6.35.4/arch/x86/lib/mmx_32.c 2010-09-17 20:12:09.000000000 -0400
15827 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15831 + unsigned long cr0;
15833 if (unlikely(in_interrupt()))
15834 return __memcpy(to, from, len);
15835 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15836 kernel_fpu_begin();
15838 __asm__ __volatile__ (
15839 - "1: prefetch (%0)\n" /* This set is 28 bytes */
15840 - " prefetch 64(%0)\n"
15841 - " prefetch 128(%0)\n"
15842 - " prefetch 192(%0)\n"
15843 - " prefetch 256(%0)\n"
15844 + "1: prefetch (%1)\n" /* This set is 28 bytes */
15845 + " prefetch 64(%1)\n"
15846 + " prefetch 128(%1)\n"
15847 + " prefetch 192(%1)\n"
15848 + " prefetch 256(%1)\n"
15850 ".section .fixup, \"ax\"\n"
15851 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15854 +#ifdef CONFIG_PAX_KERNEXEC
15855 + " movl %%cr0, %0\n"
15856 + " movl %0, %%eax\n"
15857 + " andl $0xFFFEFFFF, %%eax\n"
15858 + " movl %%eax, %%cr0\n"
15861 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15863 +#ifdef CONFIG_PAX_KERNEXEC
15864 + " movl %0, %%cr0\n"
15869 _ASM_EXTABLE(1b, 3b)
15871 + : "=&r" (cr0) : "r" (from) : "ax");
15873 for ( ; i > 5; i--) {
15874 __asm__ __volatile__ (
15875 - "1: prefetch 320(%0)\n"
15876 - "2: movq (%0), %%mm0\n"
15877 - " movq 8(%0), %%mm1\n"
15878 - " movq 16(%0), %%mm2\n"
15879 - " movq 24(%0), %%mm3\n"
15880 - " movq %%mm0, (%1)\n"
15881 - " movq %%mm1, 8(%1)\n"
15882 - " movq %%mm2, 16(%1)\n"
15883 - " movq %%mm3, 24(%1)\n"
15884 - " movq 32(%0), %%mm0\n"
15885 - " movq 40(%0), %%mm1\n"
15886 - " movq 48(%0), %%mm2\n"
15887 - " movq 56(%0), %%mm3\n"
15888 - " movq %%mm0, 32(%1)\n"
15889 - " movq %%mm1, 40(%1)\n"
15890 - " movq %%mm2, 48(%1)\n"
15891 - " movq %%mm3, 56(%1)\n"
15892 + "1: prefetch 320(%1)\n"
15893 + "2: movq (%1), %%mm0\n"
15894 + " movq 8(%1), %%mm1\n"
15895 + " movq 16(%1), %%mm2\n"
15896 + " movq 24(%1), %%mm3\n"
15897 + " movq %%mm0, (%2)\n"
15898 + " movq %%mm1, 8(%2)\n"
15899 + " movq %%mm2, 16(%2)\n"
15900 + " movq %%mm3, 24(%2)\n"
15901 + " movq 32(%1), %%mm0\n"
15902 + " movq 40(%1), %%mm1\n"
15903 + " movq 48(%1), %%mm2\n"
15904 + " movq 56(%1), %%mm3\n"
15905 + " movq %%mm0, 32(%2)\n"
15906 + " movq %%mm1, 40(%2)\n"
15907 + " movq %%mm2, 48(%2)\n"
15908 + " movq %%mm3, 56(%2)\n"
15909 ".section .fixup, \"ax\"\n"
15910 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15913 +#ifdef CONFIG_PAX_KERNEXEC
15914 + " movl %%cr0, %0\n"
15915 + " movl %0, %%eax\n"
15916 + " andl $0xFFFEFFFF, %%eax\n"
15917 + " movl %%eax, %%cr0\n"
15920 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15922 +#ifdef CONFIG_PAX_KERNEXEC
15923 + " movl %0, %%cr0\n"
15928 _ASM_EXTABLE(1b, 3b)
15929 - : : "r" (from), "r" (to) : "memory");
15930 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
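Review bot: The mask in `andl $0xFFFEFFFF, %%eax` in the `.fixup` path of _mmx_memcpy is an unexplained constant that ends up in `%cr0`. It clears bit 16 (write protect) so that `movw $0x1AEB, 1b` can overwrite the prefetch instruction, and `movl %0, %%cr0` puts the saved value back. The same block appears six times in this file: twice in this hunk and twice in each fast_copy_page variant below. A comment at each site, e.g. `/* clear CR0.WP so the fixup can patch kernel text; restored right after */`, is the minimum. Kernel write protection is off between the two `%cr0` writes and the hunk does not show interrupts being disabled, so confirm that nothing can run in that window; the function starts before and continues after this hunk.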
15934 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
15935 static void fast_copy_page(void *to, void *from)
15938 + unsigned long cr0;
15940 kernel_fpu_begin();
15942 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
15943 * but that is for later. -AV
15945 __asm__ __volatile__(
15946 - "1: prefetch (%0)\n"
15947 - " prefetch 64(%0)\n"
15948 - " prefetch 128(%0)\n"
15949 - " prefetch 192(%0)\n"
15950 - " prefetch 256(%0)\n"
15951 + "1: prefetch (%1)\n"
15952 + " prefetch 64(%1)\n"
15953 + " prefetch 128(%1)\n"
15954 + " prefetch 192(%1)\n"
15955 + " prefetch 256(%1)\n"
15957 ".section .fixup, \"ax\"\n"
15958 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15961 +#ifdef CONFIG_PAX_KERNEXEC
15962 + " movl %%cr0, %0\n"
15963 + " movl %0, %%eax\n"
15964 + " andl $0xFFFEFFFF, %%eax\n"
15965 + " movl %%eax, %%cr0\n"
15968 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15970 +#ifdef CONFIG_PAX_KERNEXEC
15971 + " movl %0, %%cr0\n"
15976 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
15977 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15979 for (i = 0; i < (4096-320)/64; i++) {
15980 __asm__ __volatile__ (
15981 - "1: prefetch 320(%0)\n"
15982 - "2: movq (%0), %%mm0\n"
15983 - " movntq %%mm0, (%1)\n"
15984 - " movq 8(%0), %%mm1\n"
15985 - " movntq %%mm1, 8(%1)\n"
15986 - " movq 16(%0), %%mm2\n"
15987 - " movntq %%mm2, 16(%1)\n"
15988 - " movq 24(%0), %%mm3\n"
15989 - " movntq %%mm3, 24(%1)\n"
15990 - " movq 32(%0), %%mm4\n"
15991 - " movntq %%mm4, 32(%1)\n"
15992 - " movq 40(%0), %%mm5\n"
15993 - " movntq %%mm5, 40(%1)\n"
15994 - " movq 48(%0), %%mm6\n"
15995 - " movntq %%mm6, 48(%1)\n"
15996 - " movq 56(%0), %%mm7\n"
15997 - " movntq %%mm7, 56(%1)\n"
15998 + "1: prefetch 320(%1)\n"
15999 + "2: movq (%1), %%mm0\n"
16000 + " movntq %%mm0, (%2)\n"
16001 + " movq 8(%1), %%mm1\n"
16002 + " movntq %%mm1, 8(%2)\n"
16003 + " movq 16(%1), %%mm2\n"
16004 + " movntq %%mm2, 16(%2)\n"
16005 + " movq 24(%1), %%mm3\n"
16006 + " movntq %%mm3, 24(%2)\n"
16007 + " movq 32(%1), %%mm4\n"
16008 + " movntq %%mm4, 32(%2)\n"
16009 + " movq 40(%1), %%mm5\n"
16010 + " movntq %%mm5, 40(%2)\n"
16011 + " movq 48(%1), %%mm6\n"
16012 + " movntq %%mm6, 48(%2)\n"
16013 + " movq 56(%1), %%mm7\n"
16014 + " movntq %%mm7, 56(%2)\n"
16015 ".section .fixup, \"ax\"\n"
16016 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16019 +#ifdef CONFIG_PAX_KERNEXEC
16020 + " movl %%cr0, %0\n"
16021 + " movl %0, %%eax\n"
16022 + " andl $0xFFFEFFFF, %%eax\n"
16023 + " movl %%eax, %%cr0\n"
16026 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16028 +#ifdef CONFIG_PAX_KERNEXEC
16029 + " movl %0, %%cr0\n"
16034 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16035 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16039 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16040 static void fast_copy_page(void *to, void *from)
16043 + unsigned long cr0;
16045 kernel_fpu_begin();
16047 __asm__ __volatile__ (
16048 - "1: prefetch (%0)\n"
16049 - " prefetch 64(%0)\n"
16050 - " prefetch 128(%0)\n"
16051 - " prefetch 192(%0)\n"
16052 - " prefetch 256(%0)\n"
16053 + "1: prefetch (%1)\n"
16054 + " prefetch 64(%1)\n"
16055 + " prefetch 128(%1)\n"
16056 + " prefetch 192(%1)\n"
16057 + " prefetch 256(%1)\n"
16059 ".section .fixup, \"ax\"\n"
16060 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16063 +#ifdef CONFIG_PAX_KERNEXEC
16064 + " movl %%cr0, %0\n"
16065 + " movl %0, %%eax\n"
16066 + " andl $0xFFFEFFFF, %%eax\n"
16067 + " movl %%eax, %%cr0\n"
16070 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16072 +#ifdef CONFIG_PAX_KERNEXEC
16073 + " movl %0, %%cr0\n"
16078 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16079 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16081 for (i = 0; i < 4096/64; i++) {
16082 __asm__ __volatile__ (
16083 - "1: prefetch 320(%0)\n"
16084 - "2: movq (%0), %%mm0\n"
16085 - " movq 8(%0), %%mm1\n"
16086 - " movq 16(%0), %%mm2\n"
16087 - " movq 24(%0), %%mm3\n"
16088 - " movq %%mm0, (%1)\n"
16089 - " movq %%mm1, 8(%1)\n"
16090 - " movq %%mm2, 16(%1)\n"
16091 - " movq %%mm3, 24(%1)\n"
16092 - " movq 32(%0), %%mm0\n"
16093 - " movq 40(%0), %%mm1\n"
16094 - " movq 48(%0), %%mm2\n"
16095 - " movq 56(%0), %%mm3\n"
16096 - " movq %%mm0, 32(%1)\n"
16097 - " movq %%mm1, 40(%1)\n"
16098 - " movq %%mm2, 48(%1)\n"
16099 - " movq %%mm3, 56(%1)\n"
16100 + "1: prefetch 320(%1)\n"
16101 + "2: movq (%1), %%mm0\n"
16102 + " movq 8(%1), %%mm1\n"
16103 + " movq 16(%1), %%mm2\n"
16104 + " movq 24(%1), %%mm3\n"
16105 + " movq %%mm0, (%2)\n"
16106 + " movq %%mm1, 8(%2)\n"
16107 + " movq %%mm2, 16(%2)\n"
16108 + " movq %%mm3, 24(%2)\n"
16109 + " movq 32(%1), %%mm0\n"
16110 + " movq 40(%1), %%mm1\n"
16111 + " movq 48(%1), %%mm2\n"
16112 + " movq 56(%1), %%mm3\n"
16113 + " movq %%mm0, 32(%2)\n"
16114 + " movq %%mm1, 40(%2)\n"
16115 + " movq %%mm2, 48(%2)\n"
16116 + " movq %%mm3, 56(%2)\n"
16117 ".section .fixup, \"ax\"\n"
16118 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16121 +#ifdef CONFIG_PAX_KERNEXEC
16122 + " movl %%cr0, %0\n"
16123 + " movl %0, %%eax\n"
16124 + " andl $0xFFFEFFFF, %%eax\n"
16125 + " movl %%eax, %%cr0\n"
16128 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16130 +#ifdef CONFIG_PAX_KERNEXEC
16131 + " movl %0, %%cr0\n"
16136 _ASM_EXTABLE(1b, 3b)
16137 - : : "r" (from), "r" (to) : "memory");
16138 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16142 diff -urNp linux-2.6.35.4/arch/x86/lib/putuser.S linux-2.6.35.4/arch/x86/lib/putuser.S
16143 --- linux-2.6.35.4/arch/x86/lib/putuser.S 2010-08-26 19:47:12.000000000 -0400
16144 +++ linux-2.6.35.4/arch/x86/lib/putuser.S 2010-09-17 20:12:09.000000000 -0400
16146 #include <asm/thread_info.h>
16147 #include <asm/errno.h>
16148 #include <asm/asm.h>
16150 +#include <asm/segment.h>
16151 +#include <asm/pgtable.h>
16155 @@ -29,59 +30,162 @@
16156 * as they get called from within inline assembly.
16159 -#define ENTER CFI_STARTPROC ; \
16160 - GET_THREAD_INFO(%_ASM_BX)
16161 +#define ENTER CFI_STARTPROC
16162 #define EXIT ret ; \
16165 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16166 +#define _DEST %_ASM_CX,%_ASM_BX
16168 +#define _DEST %_ASM_CX
16172 ENTRY(__put_user_1)
16175 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16176 + pushl $(__USER_DS)
16179 + GET_THREAD_INFO(%_ASM_BX)
16180 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16182 -1: movb %al,(%_ASM_CX)
16184 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16185 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16186 + cmp %_ASM_BX,%_ASM_CX
16194 +1: movb %al,(_DEST)
16196 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16203 ENDPROC(__put_user_1)
16205 ENTRY(__put_user_2)
16208 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16209 + pushl $(__USER_DS)
16212 + GET_THREAD_INFO(%_ASM_BX)
16213 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16215 cmp %_ASM_BX,%_ASM_CX
16217 -2: movw %ax,(%_ASM_CX)
16219 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16220 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16221 + cmp %_ASM_BX,%_ASM_CX
16229 +2: movw %ax,(_DEST)
16231 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16238 ENDPROC(__put_user_2)
16240 ENTRY(__put_user_4)
16243 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16244 + pushl $(__USER_DS)
16247 + GET_THREAD_INFO(%_ASM_BX)
16248 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16250 cmp %_ASM_BX,%_ASM_CX
16252 -3: movl %eax,(%_ASM_CX)
16254 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16255 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16256 + cmp %_ASM_BX,%_ASM_CX
16264 +3: movl %eax,(_DEST)
16266 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16273 ENDPROC(__put_user_4)
16275 ENTRY(__put_user_8)
16278 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16279 + pushl $(__USER_DS)
16282 + GET_THREAD_INFO(%_ASM_BX)
16283 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16285 cmp %_ASM_BX,%_ASM_CX
16287 -4: mov %_ASM_AX,(%_ASM_CX)
16289 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16290 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16291 + cmp %_ASM_BX,%_ASM_CX
16299 +4: mov %_ASM_AX,(_DEST)
16300 #ifdef CONFIG_X86_32
16301 -5: movl %edx,4(%_ASM_CX)
16302 +5: movl %edx,4(_DEST)
16305 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16312 ENDPROC(__put_user_8)
16317 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
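Review bot: `_DEST` expands to `%_ASM_CX,%_ASM_BX` under 64-bit `CONFIG_PAX_MEMORY_UDEREF`, so every store such as `movb %al,(_DEST)` depends on what `%_ASM_BX` holds at that label, and the macro carries no comment. In the same functions `%_ASM_BX` is first loaded by `GET_THREAD_INFO` or from `TI_addr_limit` and then with `$PAX_USER_SHADOW_BASE`, so it has several roles within a few instructions. I would document the contract at the definition, e.g. `/* UDEREF/64: %_ASM_BX must hold the offset to add to the user pointer when the store executes */`. The branch that decides that value is not among the lines shown, so this needs checking against the full file.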
16325 diff -urNp linux-2.6.35.4/arch/x86/lib/usercopy_32.c linux-2.6.35.4/arch/x86/lib/usercopy_32.c
16326 --- linux-2.6.35.4/arch/x86/lib/usercopy_32.c 2010-08-26 19:47:12.000000000 -0400
16327 +++ linux-2.6.35.4/arch/x86/lib/usercopy_32.c 2010-09-17 20:12:09.000000000 -0400
16328 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16329 * Copy a null terminated string from userspace.
16332 -#define __do_strncpy_from_user(dst, src, count, res) \
16334 - int __d0, __d1, __d2; \
16336 - __asm__ __volatile__( \
16337 - " testl %1,%1\n" \
16341 - " testb %%al,%%al\n" \
16345 - "1: subl %1,%0\n" \
16347 - ".section .fixup,\"ax\"\n" \
16348 - "3: movl %5,%0\n" \
16351 - _ASM_EXTABLE(0b,3b) \
16352 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
16354 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16357 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16359 + int __d0, __d1, __d2;
16360 + long res = -EFAULT;
16363 + __asm__ __volatile__(
16364 + " movw %w10,%%ds\n"
16369 + " testb %%al,%%al\n"
16373 + "1: subl %1,%0\n"
16377 + ".section .fixup,\"ax\"\n"
16378 + "3: movl %5,%0\n"
16381 + _ASM_EXTABLE(0b,3b)
16382 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16384 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16391 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
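Review bot: The segment load `movw %w10,%%ds` in the new __do_strncpy_from_user refers to its operand by position. So do `%w6` in __do_clear_user and the Intel copy routines, and `%w8` in strnlen_user, further down. Positional numbers shift whenever an operand is added, as the renumbering of `%0`/`%1` in the mmx_32.c part of this patch shows, and a wrong index here would load a segment register from an unrelated value. GCC's named operands avoid that: declare the input as `[uds] "r"(__USER_DS)` and write `movw %w[uds],%%ds`. Parts of this function, including the end of its constraint list, are not shown in this view.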
16392 @@ -85,9 +92,7 @@ do { \
16394 __strncpy_from_user(char *dst, const char __user *src, long count)
16397 - __do_strncpy_from_user(dst, src, count, res);
16399 + return __do_strncpy_from_user(dst, src, count);
16401 EXPORT_SYMBOL(__strncpy_from_user);
16403 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
16405 long res = -EFAULT;
16406 if (access_ok(VERIFY_READ, src, 1))
16407 - __do_strncpy_from_user(dst, src, count, res);
16408 + res = __do_strncpy_from_user(dst, src, count);
16411 EXPORT_SYMBOL(strncpy_from_user);
16412 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16416 -#define __do_clear_user(addr,size) \
16420 - __asm__ __volatile__( \
16421 - "0: rep; stosl\n" \
16422 - " movl %2,%0\n" \
16423 - "1: rep; stosb\n" \
16425 - ".section .fixup,\"ax\"\n" \
16426 - "3: lea 0(%2,%0,4),%0\n" \
16429 - _ASM_EXTABLE(0b,3b) \
16430 - _ASM_EXTABLE(1b,2b) \
16431 - : "=&c"(size), "=&D" (__d0) \
16432 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
16434 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16439 + __asm__ __volatile__(
16440 + " movw %w6,%%es\n"
16441 + "0: rep; stosl\n"
16443 + "1: rep; stosb\n"
16447 + ".section .fixup,\"ax\"\n"
16448 + "3: lea 0(%2,%0,4),%0\n"
16451 + _ASM_EXTABLE(0b,3b)
16452 + _ASM_EXTABLE(1b,2b)
16453 + : "=&c"(size), "=&D" (__d0)
16454 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16460 * clear_user: - Zero a block of memory in user space.
16461 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
16464 if (access_ok(VERIFY_WRITE, to, n))
16465 - __do_clear_user(to, n);
16466 + n = __do_clear_user(to, n);
16469 EXPORT_SYMBOL(clear_user);
16470 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
16472 __clear_user(void __user *to, unsigned long n)
16474 - __do_clear_user(to, n);
16476 + return __do_clear_user(to, n);
16478 EXPORT_SYMBOL(__clear_user);
16480 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
16483 __asm__ __volatile__(
16484 + " movw %w8,%%es\n"
16487 - " andl %0,%%ecx\n"
16488 + " movl %0,%%ecx\n"
16489 "0: repne; scasb\n"
16496 ".section .fixup,\"ax\"\n"
16497 "2: xorl %%eax,%%eax\n"
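Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` in strnlen_user means the count loaded into `%ecx` no longer depends on `mask`, although `mask` is still passed as operand 3 in the constraint list of the next hunk. If `mask` was what zeroed the scan count for an out-of-range `s`, the bound on `repne; scasb` now rests entirely on the segment loaded by `movw %w8,%%es`. Whether that segment's limit excludes kernel addresses in every configuration this file is built for is not visible here and should be confirmed; otherwise keep the `andl` alongside the segment load. If the mask is deliberately unused now, a comment should say so, because the remaining operand still reads like an active check.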
16499 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
16502 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
16503 - :"0" (n), "1" (s), "2" (0), "3" (mask)
16504 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
16508 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
16510 #ifdef CONFIG_X86_INTEL_USERCOPY
16511 static unsigned long
16512 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16513 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16516 + __asm__ __volatile__(
16517 + " movw %w6, %%es\n"
16518 + " .align 2,0x90\n"
16519 + "1: movl 32(%4), %%eax\n"
16520 + " cmpl $67, %0\n"
16522 + "2: movl 64(%4), %%eax\n"
16523 + " .align 2,0x90\n"
16524 + "3: movl 0(%4), %%eax\n"
16525 + "4: movl 4(%4), %%edx\n"
16526 + "5: movl %%eax, %%es:0(%3)\n"
16527 + "6: movl %%edx, %%es:4(%3)\n"
16528 + "7: movl 8(%4), %%eax\n"
16529 + "8: movl 12(%4),%%edx\n"
16530 + "9: movl %%eax, %%es:8(%3)\n"
16531 + "10: movl %%edx, %%es:12(%3)\n"
16532 + "11: movl 16(%4), %%eax\n"
16533 + "12: movl 20(%4), %%edx\n"
16534 + "13: movl %%eax, %%es:16(%3)\n"
16535 + "14: movl %%edx, %%es:20(%3)\n"
16536 + "15: movl 24(%4), %%eax\n"
16537 + "16: movl 28(%4), %%edx\n"
16538 + "17: movl %%eax, %%es:24(%3)\n"
16539 + "18: movl %%edx, %%es:28(%3)\n"
16540 + "19: movl 32(%4), %%eax\n"
16541 + "20: movl 36(%4), %%edx\n"
16542 + "21: movl %%eax, %%es:32(%3)\n"
16543 + "22: movl %%edx, %%es:36(%3)\n"
16544 + "23: movl 40(%4), %%eax\n"
16545 + "24: movl 44(%4), %%edx\n"
16546 + "25: movl %%eax, %%es:40(%3)\n"
16547 + "26: movl %%edx, %%es:44(%3)\n"
16548 + "27: movl 48(%4), %%eax\n"
16549 + "28: movl 52(%4), %%edx\n"
16550 + "29: movl %%eax, %%es:48(%3)\n"
16551 + "30: movl %%edx, %%es:52(%3)\n"
16552 + "31: movl 56(%4), %%eax\n"
16553 + "32: movl 60(%4), %%edx\n"
16554 + "33: movl %%eax, %%es:56(%3)\n"
16555 + "34: movl %%edx, %%es:60(%3)\n"
16556 + " addl $-64, %0\n"
16557 + " addl $64, %4\n"
16558 + " addl $64, %3\n"
16559 + " cmpl $63, %0\n"
16561 + "35: movl %0, %%eax\n"
16563 + " andl $3, %%eax\n"
16565 + "99: rep; movsl\n"
16566 + "36: movl %%eax, %0\n"
16567 + "37: rep; movsb\n"
16571 + ".section .fixup,\"ax\"\n"
16572 + "101: lea 0(%%eax,%0,4),%0\n"
16575 + ".section __ex_table,\"a\"\n"
16577 + " .long 1b,100b\n"
16578 + " .long 2b,100b\n"
16579 + " .long 3b,100b\n"
16580 + " .long 4b,100b\n"
16581 + " .long 5b,100b\n"
16582 + " .long 6b,100b\n"
16583 + " .long 7b,100b\n"
16584 + " .long 8b,100b\n"
16585 + " .long 9b,100b\n"
16586 + " .long 10b,100b\n"
16587 + " .long 11b,100b\n"
16588 + " .long 12b,100b\n"
16589 + " .long 13b,100b\n"
16590 + " .long 14b,100b\n"
16591 + " .long 15b,100b\n"
16592 + " .long 16b,100b\n"
16593 + " .long 17b,100b\n"
16594 + " .long 18b,100b\n"
16595 + " .long 19b,100b\n"
16596 + " .long 20b,100b\n"
16597 + " .long 21b,100b\n"
16598 + " .long 22b,100b\n"
16599 + " .long 23b,100b\n"
16600 + " .long 24b,100b\n"
16601 + " .long 25b,100b\n"
16602 + " .long 26b,100b\n"
16603 + " .long 27b,100b\n"
16604 + " .long 28b,100b\n"
16605 + " .long 29b,100b\n"
16606 + " .long 30b,100b\n"
16607 + " .long 31b,100b\n"
16608 + " .long 32b,100b\n"
16609 + " .long 33b,100b\n"
16610 + " .long 34b,100b\n"
16611 + " .long 35b,100b\n"
16612 + " .long 36b,100b\n"
16613 + " .long 37b,100b\n"
16614 + " .long 99b,101b\n"
16616 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16617 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16618 + : "eax", "edx", "memory");
16622 +static unsigned long
16623 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16626 __asm__ __volatile__(
16627 + " movw %w6, %%ds\n"
16629 "1: movl 32(%4), %%eax\n"
16631 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
16633 "3: movl 0(%4), %%eax\n"
16634 "4: movl 4(%4), %%edx\n"
16635 - "5: movl %%eax, 0(%3)\n"
16636 - "6: movl %%edx, 4(%3)\n"
16637 + "5: movl %%eax, %%es:0(%3)\n"
16638 + "6: movl %%edx, %%es:4(%3)\n"
16639 "7: movl 8(%4), %%eax\n"
16640 "8: movl 12(%4),%%edx\n"
16641 - "9: movl %%eax, 8(%3)\n"
16642 - "10: movl %%edx, 12(%3)\n"
16643 + "9: movl %%eax, %%es:8(%3)\n"
16644 + "10: movl %%edx, %%es:12(%3)\n"
16645 "11: movl 16(%4), %%eax\n"
16646 "12: movl 20(%4), %%edx\n"
16647 - "13: movl %%eax, 16(%3)\n"
16648 - "14: movl %%edx, 20(%3)\n"
16649 + "13: movl %%eax, %%es:16(%3)\n"
16650 + "14: movl %%edx, %%es:20(%3)\n"
16651 "15: movl 24(%4), %%eax\n"
16652 "16: movl 28(%4), %%edx\n"
16653 - "17: movl %%eax, 24(%3)\n"
16654 - "18: movl %%edx, 28(%3)\n"
16655 + "17: movl %%eax, %%es:24(%3)\n"
16656 + "18: movl %%edx, %%es:28(%3)\n"
16657 "19: movl 32(%4), %%eax\n"
16658 "20: movl 36(%4), %%edx\n"
16659 - "21: movl %%eax, 32(%3)\n"
16660 - "22: movl %%edx, 36(%3)\n"
16661 + "21: movl %%eax, %%es:32(%3)\n"
16662 + "22: movl %%edx, %%es:36(%3)\n"
16663 "23: movl 40(%4), %%eax\n"
16664 "24: movl 44(%4), %%edx\n"
16665 - "25: movl %%eax, 40(%3)\n"
16666 - "26: movl %%edx, 44(%3)\n"
16667 + "25: movl %%eax, %%es:40(%3)\n"
16668 + "26: movl %%edx, %%es:44(%3)\n"
16669 "27: movl 48(%4), %%eax\n"
16670 "28: movl 52(%4), %%edx\n"
16671 - "29: movl %%eax, 48(%3)\n"
16672 - "30: movl %%edx, 52(%3)\n"
16673 + "29: movl %%eax, %%es:48(%3)\n"
16674 + "30: movl %%edx, %%es:52(%3)\n"
16675 "31: movl 56(%4), %%eax\n"
16676 "32: movl 60(%4), %%edx\n"
16677 - "33: movl %%eax, 56(%3)\n"
16678 - "34: movl %%edx, 60(%3)\n"
16679 + "33: movl %%eax, %%es:56(%3)\n"
16680 + "34: movl %%edx, %%es:60(%3)\n"
16684 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
16685 "36: movl %%eax, %0\n"
16690 ".section .fixup,\"ax\"\n"
16691 "101: lea 0(%%eax,%0,4),%0\n"
16693 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
16694 " .long 99b,101b\n"
16696 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16697 - : "1"(to), "2"(from), "0"(size)
16698 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16699 : "eax", "edx", "memory");
16702 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
16705 __asm__ __volatile__(
16706 + " movw %w6, %%ds\n"
16708 "0: movl 32(%4), %%eax\n"
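Review bot: The added `movw %w6, %%ds` at the top of this asm leaves %ds holding __USER_DS for every later default-segment access, and nothing in the hunk says where it is put back. The restore is presumably among the lines added by the `@@ -389,6 +516,8` hunk, which are not shown on this page, so confirm that both the normal exit and the `.fixup` exits pass through it. A comment above the load would make the contract explicit, e.g. `/* %ds = __USER_DS for the user-side loads; restored before the asm ends, including via .fixup */`. The same applies to the identical loads in the hunks at `@@ -439,6 +568,7` and `@@ -536,6 +668,7`. The asm statement starts and ends outside this hunk.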
16710 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
16712 "2: movl 0(%4), %%eax\n"
16713 "21: movl 4(%4), %%edx\n"
16714 - " movl %%eax, 0(%3)\n"
16715 - " movl %%edx, 4(%3)\n"
16716 + " movl %%eax, %%es:0(%3)\n"
16717 + " movl %%edx, %%es:4(%3)\n"
16718 "3: movl 8(%4), %%eax\n"
16719 "31: movl 12(%4),%%edx\n"
16720 - " movl %%eax, 8(%3)\n"
16721 - " movl %%edx, 12(%3)\n"
16722 + " movl %%eax, %%es:8(%3)\n"
16723 + " movl %%edx, %%es:12(%3)\n"
16724 "4: movl 16(%4), %%eax\n"
16725 "41: movl 20(%4), %%edx\n"
16726 - " movl %%eax, 16(%3)\n"
16727 - " movl %%edx, 20(%3)\n"
16728 + " movl %%eax, %%es:16(%3)\n"
16729 + " movl %%edx, %%es:20(%3)\n"
16730 "10: movl 24(%4), %%eax\n"
16731 "51: movl 28(%4), %%edx\n"
16732 - " movl %%eax, 24(%3)\n"
16733 - " movl %%edx, 28(%3)\n"
16734 + " movl %%eax, %%es:24(%3)\n"
16735 + " movl %%edx, %%es:28(%3)\n"
16736 "11: movl 32(%4), %%eax\n"
16737 "61: movl 36(%4), %%edx\n"
16738 - " movl %%eax, 32(%3)\n"
16739 - " movl %%edx, 36(%3)\n"
16740 + " movl %%eax, %%es:32(%3)\n"
16741 + " movl %%edx, %%es:36(%3)\n"
16742 "12: movl 40(%4), %%eax\n"
16743 "71: movl 44(%4), %%edx\n"
16744 - " movl %%eax, 40(%3)\n"
16745 - " movl %%edx, 44(%3)\n"
16746 + " movl %%eax, %%es:40(%3)\n"
16747 + " movl %%edx, %%es:44(%3)\n"
16748 "13: movl 48(%4), %%eax\n"
16749 "81: movl 52(%4), %%edx\n"
16750 - " movl %%eax, 48(%3)\n"
16751 - " movl %%edx, 52(%3)\n"
16752 + " movl %%eax, %%es:48(%3)\n"
16753 + " movl %%edx, %%es:52(%3)\n"
16754 "14: movl 56(%4), %%eax\n"
16755 "91: movl 60(%4), %%edx\n"
16756 - " movl %%eax, 56(%3)\n"
16757 - " movl %%edx, 60(%3)\n"
16758 + " movl %%eax, %%es:56(%3)\n"
16759 + " movl %%edx, %%es:60(%3)\n"
16763 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
16769 ".section .fixup,\"ax\"\n"
16770 "9: lea 0(%%eax,%0,4),%0\n"
16772 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
16775 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16776 - : "1"(to), "2"(from), "0"(size)
16777 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16778 : "eax", "edx", "memory");
16781 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
16784 __asm__ __volatile__(
16785 + " movw %w6, %%ds\n"
16787 "0: movl 32(%4), %%eax\n"
16789 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
16791 "2: movl 0(%4), %%eax\n"
16792 "21: movl 4(%4), %%edx\n"
16793 - " movnti %%eax, 0(%3)\n"
16794 - " movnti %%edx, 4(%3)\n"
16795 + " movnti %%eax, %%es:0(%3)\n"
16796 + " movnti %%edx, %%es:4(%3)\n"
16797 "3: movl 8(%4), %%eax\n"
16798 "31: movl 12(%4),%%edx\n"
16799 - " movnti %%eax, 8(%3)\n"
16800 - " movnti %%edx, 12(%3)\n"
16801 + " movnti %%eax, %%es:8(%3)\n"
16802 + " movnti %%edx, %%es:12(%3)\n"
16803 "4: movl 16(%4), %%eax\n"
16804 "41: movl 20(%4), %%edx\n"
16805 - " movnti %%eax, 16(%3)\n"
16806 - " movnti %%edx, 20(%3)\n"
16807 + " movnti %%eax, %%es:16(%3)\n"
16808 + " movnti %%edx, %%es:20(%3)\n"
16809 "10: movl 24(%4), %%eax\n"
16810 "51: movl 28(%4), %%edx\n"
16811 - " movnti %%eax, 24(%3)\n"
16812 - " movnti %%edx, 28(%3)\n"
16813 + " movnti %%eax, %%es:24(%3)\n"
16814 + " movnti %%edx, %%es:28(%3)\n"
16815 "11: movl 32(%4), %%eax\n"
16816 "61: movl 36(%4), %%edx\n"
16817 - " movnti %%eax, 32(%3)\n"
16818 - " movnti %%edx, 36(%3)\n"
16819 + " movnti %%eax, %%es:32(%3)\n"
16820 + " movnti %%edx, %%es:36(%3)\n"
16821 "12: movl 40(%4), %%eax\n"
16822 "71: movl 44(%4), %%edx\n"
16823 - " movnti %%eax, 40(%3)\n"
16824 - " movnti %%edx, 44(%3)\n"
16825 + " movnti %%eax, %%es:40(%3)\n"
16826 + " movnti %%edx, %%es:44(%3)\n"
16827 "13: movl 48(%4), %%eax\n"
16828 "81: movl 52(%4), %%edx\n"
16829 - " movnti %%eax, 48(%3)\n"
16830 - " movnti %%edx, 52(%3)\n"
16831 + " movnti %%eax, %%es:48(%3)\n"
16832 + " movnti %%edx, %%es:52(%3)\n"
16833 "14: movl 56(%4), %%eax\n"
16834 "91: movl 60(%4), %%edx\n"
16835 - " movnti %%eax, 56(%3)\n"
16836 - " movnti %%edx, 60(%3)\n"
16837 + " movnti %%eax, %%es:56(%3)\n"
16838 + " movnti %%edx, %%es:60(%3)\n"
16842 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
16848 ".section .fixup,\"ax\"\n"
16849 "9: lea 0(%%eax,%0,4),%0\n"
16851 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
16854 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16855 - : "1"(to), "2"(from), "0"(size)
16856 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16857 : "eax", "edx", "memory");
16860 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
16863 __asm__ __volatile__(
16864 + " movw %w6, %%ds\n"
16866 "0: movl 32(%4), %%eax\n"
16868 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
16870 "2: movl 0(%4), %%eax\n"
16871 "21: movl 4(%4), %%edx\n"
16872 - " movnti %%eax, 0(%3)\n"
16873 - " movnti %%edx, 4(%3)\n"
16874 + " movnti %%eax, %%es:0(%3)\n"
16875 + " movnti %%edx, %%es:4(%3)\n"
16876 "3: movl 8(%4), %%eax\n"
16877 "31: movl 12(%4),%%edx\n"
16878 - " movnti %%eax, 8(%3)\n"
16879 - " movnti %%edx, 12(%3)\n"
16880 + " movnti %%eax, %%es:8(%3)\n"
16881 + " movnti %%edx, %%es:12(%3)\n"
16882 "4: movl 16(%4), %%eax\n"
16883 "41: movl 20(%4), %%edx\n"
16884 - " movnti %%eax, 16(%3)\n"
16885 - " movnti %%edx, 20(%3)\n"
16886 + " movnti %%eax, %%es:16(%3)\n"
16887 + " movnti %%edx, %%es:20(%3)\n"
16888 "10: movl 24(%4), %%eax\n"
16889 "51: movl 28(%4), %%edx\n"
16890 - " movnti %%eax, 24(%3)\n"
16891 - " movnti %%edx, 28(%3)\n"
16892 + " movnti %%eax, %%es:24(%3)\n"
16893 + " movnti %%edx, %%es:28(%3)\n"
16894 "11: movl 32(%4), %%eax\n"
16895 "61: movl 36(%4), %%edx\n"
16896 - " movnti %%eax, 32(%3)\n"
16897 - " movnti %%edx, 36(%3)\n"
16898 + " movnti %%eax, %%es:32(%3)\n"
16899 + " movnti %%edx, %%es:36(%3)\n"
16900 "12: movl 40(%4), %%eax\n"
16901 "71: movl 44(%4), %%edx\n"
16902 - " movnti %%eax, 40(%3)\n"
16903 - " movnti %%edx, 44(%3)\n"
16904 + " movnti %%eax, %%es:40(%3)\n"
16905 + " movnti %%edx, %%es:44(%3)\n"
16906 "13: movl 48(%4), %%eax\n"
16907 "81: movl 52(%4), %%edx\n"
16908 - " movnti %%eax, 48(%3)\n"
16909 - " movnti %%edx, 52(%3)\n"
16910 + " movnti %%eax, %%es:48(%3)\n"
16911 + " movnti %%edx, %%es:52(%3)\n"
16912 "14: movl 56(%4), %%eax\n"
16913 "91: movl 60(%4), %%edx\n"
16914 - " movnti %%eax, 56(%3)\n"
16915 - " movnti %%edx, 60(%3)\n"
16916 + " movnti %%eax, %%es:56(%3)\n"
16917 + " movnti %%edx, %%es:60(%3)\n"
16921 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
16927 ".section .fixup,\"ax\"\n"
16928 "9: lea 0(%%eax,%0,4),%0\n"
16930 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
16933 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16934 - : "1"(to), "2"(from), "0"(size)
16935 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16936 : "eax", "edx", "memory");
16939 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
16941 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16942 unsigned long size);
16943 -unsigned long __copy_user_intel(void __user *to, const void *from,
16944 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16945 + unsigned long size);
16946 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16947 unsigned long size);
16948 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16949 const void __user *from, unsigned long size);
16950 #endif /* CONFIG_X86_INTEL_USERCOPY */
16952 /* Generic arbitrary sized copy. */
16953 -#define __copy_user(to, from, size) \
16955 - int __d0, __d1, __d2; \
16956 - __asm__ __volatile__( \
16959 - " movl %1,%0\n" \
16961 - " andl $7,%0\n" \
16962 - " subl %0,%3\n" \
16963 - "4: rep; movsb\n" \
16964 - " movl %3,%0\n" \
16965 - " shrl $2,%0\n" \
16966 - " andl $3,%3\n" \
16967 - " .align 2,0x90\n" \
16968 - "0: rep; movsl\n" \
16969 - " movl %3,%0\n" \
16970 - "1: rep; movsb\n" \
16972 - ".section .fixup,\"ax\"\n" \
16973 - "5: addl %3,%0\n" \
16975 - "3: lea 0(%3,%0,4),%0\n" \
16978 - ".section __ex_table,\"a\"\n" \
16980 - " .long 4b,5b\n" \
16981 - " .long 0b,3b\n" \
16982 - " .long 1b,2b\n" \
16984 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
16985 - : "3"(size), "0"(size), "1"(to), "2"(from) \
16989 -#define __copy_user_zeroing(to, from, size) \
16991 - int __d0, __d1, __d2; \
16992 - __asm__ __volatile__( \
16995 - " movl %1,%0\n" \
16997 - " andl $7,%0\n" \
16998 - " subl %0,%3\n" \
16999 - "4: rep; movsb\n" \
17000 - " movl %3,%0\n" \
17001 - " shrl $2,%0\n" \
17002 - " andl $3,%3\n" \
17003 - " .align 2,0x90\n" \
17004 - "0: rep; movsl\n" \
17005 - " movl %3,%0\n" \
17006 - "1: rep; movsb\n" \
17008 - ".section .fixup,\"ax\"\n" \
17009 - "5: addl %3,%0\n" \
17011 - "3: lea 0(%3,%0,4),%0\n" \
17012 - "6: pushl %0\n" \
17013 - " pushl %%eax\n" \
17014 - " xorl %%eax,%%eax\n" \
17015 - " rep; stosb\n" \
17016 - " popl %%eax\n" \
17020 - ".section __ex_table,\"a\"\n" \
17022 - " .long 4b,5b\n" \
17023 - " .long 0b,3b\n" \
17024 - " .long 1b,6b\n" \
17026 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
17027 - : "3"(size), "0"(size), "1"(to), "2"(from) \
17030 +static unsigned long
17031 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
17033 + int __d0, __d1, __d2;
17035 + __asm__ __volatile__(
17036 + " movw %w8,%%es\n"
17043 + "4: rep; movsb\n"
17047 + " .align 2,0x90\n"
17048 + "0: rep; movsl\n"
17050 + "1: rep; movsb\n"
17054 + ".section .fixup,\"ax\"\n"
17055 + "5: addl %3,%0\n"
17057 + "3: lea 0(%3,%0,4),%0\n"
17060 + ".section __ex_table,\"a\"\n"
17066 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17067 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17072 +static unsigned long
17073 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
17075 + int __d0, __d1, __d2;
17077 + __asm__ __volatile__(
17078 + " movw %w8,%%ds\n"
17085 + "4: rep; movsb\n"
17089 + " .align 2,0x90\n"
17090 + "0: rep; movsl\n"
17092 + "1: rep; movsb\n"
17096 + ".section .fixup,\"ax\"\n"
17097 + "5: addl %3,%0\n"
17099 + "3: lea 0(%3,%0,4),%0\n"
17102 + ".section __ex_table,\"a\"\n"
17108 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17109 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17114 +static unsigned long
17115 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
17117 + int __d0, __d1, __d2;
17119 + __asm__ __volatile__(
17120 + " movw %w8,%%ds\n"
17127 + "4: rep; movsb\n"
17131 + " .align 2,0x90\n"
17132 + "0: rep; movsl\n"
17134 + "1: rep; movsb\n"
17138 + ".section .fixup,\"ax\"\n"
17139 + "5: addl %3,%0\n"
17141 + "3: lea 0(%3,%0,4),%0\n"
17144 + " xorl %%eax,%%eax\n"
17150 + ".section __ex_table,\"a\"\n"
17156 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17157 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17162 unsigned long __copy_to_user_ll(void __user *to, const void *from,
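Review bot: The new functions __generic_copy_to_user, __generic_copy_from_user and __copy_user_zeroing replace macros that updated `size` in place, but none of them carries a comment stating what is returned. The call sites changed later in this file now depend on that value (`n = __generic_copy_to_user(to, from, n);`). A short header on each, such as `/* Returns the number of bytes that could not be copied; 0 on success. */`, would document it; the return statements are not visible on this page, so check the wording against them. It would also help to note which segment register each one reloads from __USER_DS (`%%es` for the to-user copy, `%%ds` for the two from-user copies), since that is the only difference visible between the first two bodies.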
17164 @@ -775,9 +966,9 @@ survive:
17167 if (movsl_is_ok(to, from, n))
17168 - __copy_user(to, from, n);
17169 + n = __generic_copy_to_user(to, from, n);
17171 - n = __copy_user_intel(to, from, n);
17172 + n = __generic_copy_to_user_intel(to, from, n);
17175 EXPORT_SYMBOL(__copy_to_user_ll);
17176 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17179 if (movsl_is_ok(to, from, n))
17180 - __copy_user_zeroing(to, from, n);
17181 + n = __copy_user_zeroing(to, from, n);
17183 n = __copy_user_zeroing_intel(to, from, n);
17185 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17188 if (movsl_is_ok(to, from, n))
17189 - __copy_user(to, from, n);
17190 + n = __generic_copy_from_user(to, from, n);
17192 - n = __copy_user_intel((void __user *)to,
17193 - (const void *)from, n);
17194 + n = __generic_copy_from_user_intel(to, from, n);
17197 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17198 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17199 if (n > 64 && cpu_has_xmm2)
17200 n = __copy_user_zeroing_intel_nocache(to, from, n);
17202 - __copy_user_zeroing(to, from, n);
17203 + n = __copy_user_zeroing(to, from, n);
17205 - __copy_user_zeroing(to, from, n);
17206 + n = __copy_user_zeroing(to, from, n);
17210 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
17211 if (n > 64 && cpu_has_xmm2)
17212 n = __copy_user_intel_nocache(to, from, n);
17214 - __copy_user(to, from, n);
17215 + n = __generic_copy_from_user(to, from, n);
17217 - __copy_user(to, from, n);
17218 + n = __generic_copy_from_user(to, from, n);
17222 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17225 - * copy_to_user: - Copy a block of data into user space.
17226 - * @to: Destination address, in user space.
17227 - * @from: Source address, in kernel space.
17228 - * @n: Number of bytes to copy.
17230 - * Context: User context only. This function may sleep.
17232 - * Copy data from kernel space to user space.
17234 - * Returns number of bytes that could not be copied.
17235 - * On success, this will be zero.
17238 -copy_to_user(void __user *to, const void *from, unsigned long n)
17239 +void copy_from_user_overflow(void)
17241 - if (access_ok(VERIFY_WRITE, to, n))
17242 - n = __copy_to_user(to, from, n);
17244 + WARN(1, "Buffer overflow detected!\n");
17246 -EXPORT_SYMBOL(copy_to_user);
17247 +EXPORT_SYMBOL(copy_from_user_overflow);
17250 - * copy_from_user: - Copy a block of data from user space.
17251 - * @to: Destination address, in kernel space.
17252 - * @from: Source address, in user space.
17253 - * @n: Number of bytes to copy.
17255 - * Context: User context only. This function may sleep.
17257 - * Copy data from user space to kernel space.
17259 - * Returns number of bytes that could not be copied.
17260 - * On success, this will be zero.
17262 - * If some data could not be copied, this function will pad the copied
17263 - * data to the requested size using zero bytes.
17266 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17267 +void copy_to_user_overflow(void)
17269 - if (access_ok(VERIFY_READ, from, n))
17270 - n = __copy_from_user(to, from, n);
17272 - memset(to, 0, n);
17274 + WARN(1, "Buffer overflow detected!\n");
17276 -EXPORT_SYMBOL(_copy_from_user);
17277 +EXPORT_SYMBOL(copy_to_user_overflow);
17279 -void copy_from_user_overflow(void)
17280 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17281 +void __set_fs(mm_segment_t x, int cpu)
17283 - WARN(1, "Buffer overflow detected!\n");
17284 + unsigned long limit = x.seg;
17285 + struct desc_struct d;
17287 + current_thread_info()->addr_limit = x;
17288 + if (unlikely(paravirt_enabled()))
17291 + if (likely(limit))
17292 + limit = (limit - 1UL) >> PAGE_SHIFT;
17293 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17294 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17296 -EXPORT_SYMBOL(copy_from_user_overflow);
17298 +void set_fs(mm_segment_t x)
17300 + __set_fs(x, get_cpu());
17303 +EXPORT_SYMBOL(copy_from_user);
17305 +void set_fs(mm_segment_t x)
17307 + current_thread_info()->addr_limit = x;
17311 +EXPORT_SYMBOL(set_fs);
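Review bot: `EXPORT_SYMBOL(copy_from_user);` directly after the first set_fs() looks misplaced. This hunk removes the out-of-line copy_to_user() and _copy_from_user() from the file, no definition of copy_from_user is visible in it, and the export appears to sit inside the CONFIG_PAX_MEMORY_UDEREF branch, so it would be emitted only with that option set. If copy_from_user is defined out of line elsewhere in the patch, the export belongs next to that definition and outside the #ifdef; if it is now an inline, the line should go. Separately, `pack_descriptor(&d, 0UL, limit, 0xF3, 0xC)` in __set_fs() would read better with a comment naming the two constants, e.g. `/* present, DPL 3, writable data, accessed; 4 KiB granularity, 32-bit */`.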
17312 diff -urNp linux-2.6.35.4/arch/x86/lib/usercopy_64.c linux-2.6.35.4/arch/x86/lib/usercopy_64.c
17313 --- linux-2.6.35.4/arch/x86/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
17314 +++ linux-2.6.35.4/arch/x86/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
17315 @@ -42,6 +42,8 @@ long
17316 __strncpy_from_user(char *dst, const char __user *src, long count)
17319 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17320 + src += PAX_USER_SHADOW_BASE;
17321 __do_strncpy_from_user(dst, src, count, res);
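Review bot: The rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here, again in __clear_user(), and twice in copy_in_user() below, with no comment on why a user pointer is shifted before use. A small static inline helper with a one-line comment (presumably: user memory is accessed through its alias at PAX_USER_SHADOW_BASE) would keep the four sites in step. No `CONFIG_PAX_MEMORY_UDEREF` guard surrounds these lines, unlike the related block in do_page_fault(), so PAX_USER_SHADOW_BASE has to be defined sensibly for every configuration; worth confirming against its definition. The function body starts and ends outside the hunk.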
17324 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17328 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17329 + addr += PAX_USER_SHADOW_BASE;
17330 /* no memory constraint because it doesn't change any memory gcc knows
17333 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17335 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17337 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17338 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17339 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17340 + to += PAX_USER_SHADOW_BASE;
17341 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17342 + from += PAX_USER_SHADOW_BASE;
17343 return copy_user_generic((__force void *)to, (__force void *)from, len);
17349 EXPORT_SYMBOL(copy_in_user);
17351 diff -urNp linux-2.6.35.4/arch/x86/Makefile linux-2.6.35.4/arch/x86/Makefile
17352 --- linux-2.6.35.4/arch/x86/Makefile 2010-08-26 19:47:12.000000000 -0400
17353 +++ linux-2.6.35.4/arch/x86/Makefile 2010-09-17 20:12:09.000000000 -0400
17354 @@ -191,3 +191,12 @@ define archhelp
17355 echo ' FDARGS="..." arguments for the booted kernel'
17356 echo ' FDINITRD=file initrd for the booted kernel'
17361 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17362 +*** Please upgrade your binutils to 2.18 or newer
17366 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17367 diff -urNp linux-2.6.35.4/arch/x86/mm/extable.c linux-2.6.35.4/arch/x86/mm/extable.c
17368 --- linux-2.6.35.4/arch/x86/mm/extable.c 2010-08-26 19:47:12.000000000 -0400
17369 +++ linux-2.6.35.4/arch/x86/mm/extable.c 2010-09-17 20:12:09.000000000 -0400
17371 #include <linux/module.h>
17372 #include <linux/spinlock.h>
17373 +#include <linux/sort.h>
17374 #include <asm/uaccess.h>
17375 +#include <asm/pgtable.h>
17378 + * The exception table needs to be sorted so that the binary
17379 + * search that we use to find entries in it works properly.
17380 + * This is used both for the kernel exception table and for
17381 + * the exception tables of modules that get loaded.
17383 +static int cmp_ex(const void *a, const void *b)
17385 + const struct exception_table_entry *x = a, *y = b;
17387 + /* avoid overflow */
17388 + if (x->insn > y->insn)
17390 + if (x->insn < y->insn)
17395 +static void swap_ex(void *a, void *b, int size)
17397 + struct exception_table_entry t, *x = a, *y = b;
17401 + pax_open_kernel();
17404 + pax_close_kernel();
17407 +void sort_extable(struct exception_table_entry *start,
17408 + struct exception_table_entry *finish)
17410 + sort(start, finish - start, sizeof(struct exception_table_entry),
17411 + cmp_ex, swap_ex);
17414 +#ifdef CONFIG_MODULES
17416 + * If the exception table is sorted, any referring to the module init
17417 + * will be at the beginning or the end.
17419 +void trim_init_extable(struct module *m)
17421 + /*trim the beginning*/
17422 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17424 + m->num_exentries--;
17427 + while (m->num_exentries &&
17428 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17429 + m->num_exentries--;
17431 +#endif /* CONFIG_MODULES */
17433 int fixup_exception(struct pt_regs *regs)
17435 const struct exception_table_entry *fixup;
17437 #ifdef CONFIG_PNPBIOS
17438 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17439 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17440 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17441 extern u32 pnp_bios_is_utter_crap;
17442 pnp_bios_is_utter_crap = 1;
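Review bot: The new `!v8086_mode(regs) &&` in front of `SEGMENT_IS_PNP_CODE(regs->cs)` in fixup_exception() has no comment, and the reason is not obvious from the line. Presumably it is there because in vm86 mode `regs->cs` holds a real-mode segment value rather than a selector, so it could match the PnP BIOS selectors by coincidence. If that is the reason, state it next to the test: `/* in vm86 mode regs->cs is a segment value, not a selector */`. fixup_exception() continues past the end of this section.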
17443 diff -urNp linux-2.6.35.4/arch/x86/mm/fault.c linux-2.6.35.4/arch/x86/mm/fault.c
17444 --- linux-2.6.35.4/arch/x86/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
17445 +++ linux-2.6.35.4/arch/x86/mm/fault.c 2010-09-17 20:12:37.000000000 -0400
17446 @@ -11,10 +11,19 @@
17447 #include <linux/kprobes.h> /* __kprobes, ... */
17448 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17449 #include <linux/perf_event.h> /* perf_sw_event */
17450 +#include <linux/unistd.h>
17451 +#include <linux/compiler.h>
17453 #include <asm/traps.h> /* dotraplinkage, ... */
17454 #include <asm/pgalloc.h> /* pgd_*(), ... */
17455 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17456 +#include <asm/vsyscall.h>
17457 +#include <asm/tlbflush.h>
17459 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17460 +#include <asm/stacktrace.h>
17461 +#include "../kernel/dumpstack.h"
17465 * Page fault error code bits:
17466 @@ -52,7 +61,7 @@ static inline int __kprobes notify_page_
17469 /* kprobe_running() needs smp_processor_id() */
17470 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17471 + if (kprobes_built_in() && !user_mode(regs)) {
17473 if (kprobe_running() && kprobe_fault_handler(regs, 14))
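Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` here preserves behaviour only if user_mode() has been changed elsewhere in this patch to treat vm86 mode as user mode; that definition is not on this page. If it has not, a fault taken in vm86 mode would be handed to the kprobes path as if it were a kernel fault. The same substitution is made in do_page_fault() at the `@@ -1020,7 +1280,7` hunk, where it decides whether PF_USER is set, so both sites depend on it. A comment at the user_mode() definition, or a line in the patch description, would make that dependency explicit. notify_page_fault() starts and ends outside the hunk.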
17475 @@ -173,6 +182,30 @@ force_sig_info_fault(int si_signo, int s
17476 force_sig_info(si_signo, &info, tsk);
17479 +#ifdef CONFIG_PAX_EMUTRAMP
17480 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17483 +#ifdef CONFIG_PAX_PAGEEXEC
17484 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17490 + pgd = pgd_offset(mm, address);
17491 + if (!pgd_present(*pgd))
17493 + pud = pud_offset(pgd, address);
17494 + if (!pud_present(*pud))
17496 + pmd = pmd_offset(pud, address);
17497 + if (!pmd_present(*pmd))
17503 DEFINE_SPINLOCK(pgd_lock);
17504 LIST_HEAD(pgd_list);
17506 @@ -225,11 +258,24 @@ void vmalloc_sync_all(void)
17507 address += PMD_SIZE) {
17509 unsigned long flags;
17511 +#ifdef CONFIG_PAX_PER_CPU_PGD
17512 + unsigned long cpu;
17517 spin_lock_irqsave(&pgd_lock, flags);
17519 +#ifdef CONFIG_PAX_PER_CPU_PGD
17520 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17521 + pgd_t *pgd = get_cpu_pgd(cpu);
17523 list_for_each_entry(page, &pgd_list, lru) {
17524 - if (!vmalloc_sync_one(page_address(page), address))
17525 + pgd_t *pgd = page_address(page);
17528 + if (!vmalloc_sync_one(pgd, address))
17531 spin_unlock_irqrestore(&pgd_lock, flags);
17532 @@ -259,6 +305,11 @@ static noinline __kprobes int vmalloc_fa
17533 * an interrupt in the middle of a task switch..
17535 pgd_paddr = read_cr3();
17537 +#ifdef CONFIG_PAX_PER_CPU_PGD
17538 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17541 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17544 @@ -333,15 +384,27 @@ void vmalloc_sync_all(void)
17546 const pgd_t *pgd_ref = pgd_offset_k(address);
17547 unsigned long flags;
17549 +#ifdef CONFIG_PAX_PER_CPU_PGD
17550 + unsigned long cpu;
17555 if (pgd_none(*pgd_ref))
17558 spin_lock_irqsave(&pgd_lock, flags);
17560 +#ifdef CONFIG_PAX_PER_CPU_PGD
17561 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17562 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
17564 list_for_each_entry(page, &pgd_list, lru) {
17566 pgd = (pgd_t *)page_address(page) + pgd_index(address);
17569 if (pgd_none(*pgd))
17570 set_pgd(pgd, *pgd_ref);
17572 @@ -374,7 +437,14 @@ static noinline __kprobes int vmalloc_fa
17573 * happen within a race in page table update. In the later
17577 +#ifdef CONFIG_PAX_PER_CPU_PGD
17578 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17579 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17581 pgd = pgd_offset(current->active_mm, address);
17584 pgd_ref = pgd_offset_k(address);
17585 if (pgd_none(*pgd_ref))
17587 @@ -536,7 +606,7 @@ static int is_errata93(struct pt_regs *r
17588 static int is_errata100(struct pt_regs *regs, unsigned long address)
17590 #ifdef CONFIG_X86_64
17591 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17592 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17596 @@ -563,7 +633,7 @@ static int is_f00f_bug(struct pt_regs *r
17599 static const char nx_warning[] = KERN_CRIT
17600 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17601 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17604 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17605 @@ -572,15 +642,26 @@ show_fault_oops(struct pt_regs *regs, un
17606 if (!oops_may_print())
17609 - if (error_code & PF_INSTR) {
17610 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17611 unsigned int level;
17613 pte_t *pte = lookup_address(address, &level);
17615 if (pte && pte_present(*pte) && !pte_exec(*pte))
17616 - printk(nx_warning, current_uid());
17617 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17620 +#ifdef CONFIG_PAX_KERNEXEC
17621 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17622 + if (current->signal->curr_ip)
17623 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17624 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17626 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17627 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17631 printk(KERN_ALERT "BUG: unable to handle kernel ");
17632 if (address < PAGE_SIZE)
17633 printk(KERN_CONT "NULL pointer dereference");
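Review bot: The CONFIG_PAX_KERNEXEC block logs "attempted to modify kernel code" for any fault whose address lies between `init_mm.start_code` and `init_mm.end_code`. The condition shown does not look at `error_code`, so a non-write fault in that range would be reported as a write. If only write faults can reach this point the message is accurate, but gating it explicitly with `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {` keeps the log trustworthy for whoever triages it. `current->comm` is chosen by the task itself, so consumers of this message and of the extended nx_warning should treat that field as untrusted text. show_fault_oops() starts and ends outside the hunk.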
17634 @@ -705,6 +786,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17635 unsigned long address, int si_code)
17637 struct task_struct *tsk = current;
17638 + struct mm_struct *mm = tsk->mm;
17640 +#ifdef CONFIG_X86_64
17641 + if (mm && (error_code & PF_INSTR)) {
17642 + if (regs->ip == (unsigned long)vgettimeofday) {
17643 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17645 + } else if (regs->ip == (unsigned long)vtime) {
17646 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17648 + } else if (regs->ip == (unsigned long)vgetcpu) {
17649 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17655 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17656 + if (mm && (error_code & PF_USER)) {
17657 + unsigned long ip = regs->ip;
17659 + if (v8086_mode(regs))
17660 + ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
17663 + * It's possible to have interrupts off here:
17665 + local_irq_enable();
17667 +#ifdef CONFIG_PAX_PAGEEXEC
17668 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17669 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
17671 +#ifdef CONFIG_PAX_EMUTRAMP
17672 + switch (pax_handle_fetch_fault(regs)) {
17678 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17679 + do_group_exit(SIGKILL);
17683 +#ifdef CONFIG_PAX_SEGMEXEC
17684 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
17686 +#ifdef CONFIG_PAX_EMUTRAMP
17687 + switch (pax_handle_fetch_fault(regs)) {
17693 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17694 + do_group_exit(SIGKILL);
17701 /* User mode accesses just cause a SIGSEGV */
17702 if (error_code & PF_USER) {
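Review bot: In the PAGEEXEC/SEGMEXEC block the local `ip` is linearised for vm86 mode (`ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);`) but, in the lines shown, it is never used afterwards; the comparisons and the report still use `regs->ip`. In vm86 mode `address` is a linear address, so `regs->ip == address` and `regs->ip + SEGMEXEC_TASK_SIZE == address` would generally not match and the fault would fall through to the ordinary SIGSEGV path without a report. Using `ip == address`, `ip + SEGMEXEC_TASK_SIZE == address` and `pax_report_fault(regs, (void *)ip, (void *)regs->sp);` would make the computed value take effect. Some lines of this hunk are missing from the page, so confirm `ip` is not consumed there. __bad_area_nosemaphore() continues past the hunk.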
17703 @@ -851,6 +994,106 @@ static int spurious_fault_check(unsigned
17707 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17708 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17713 + unsigned char pte_mask;
17715 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17716 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17719 + /* PaX: it's our fault, let's handle it if we can */
17721 + /* PaX: take a look at read faults before acquiring any locks */
17722 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17723 + /* instruction fetch attempt from a protected page in user mode */
17724 + up_read(&mm->mmap_sem);
17726 +#ifdef CONFIG_PAX_EMUTRAMP
17727 + switch (pax_handle_fetch_fault(regs)) {
17733 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17734 + do_group_exit(SIGKILL);
17737 + pmd = pax_get_pmd(mm, address);
17738 + if (unlikely(!pmd))
17741 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17742 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17743 + pte_unmap_unlock(pte, ptl);
17747 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17748 + /* write attempt to a protected page in user mode */
17749 + pte_unmap_unlock(pte, ptl);
17754 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17756 + if (likely(address > get_limit(regs->cs)))
17759 + set_pte(pte, pte_mkread(*pte));
17760 + __flush_tlb_one(address);
17761 + pte_unmap_unlock(pte, ptl);
17762 + up_read(&mm->mmap_sem);
17766 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17769 + * PaX: fill DTLB with user rights and retry
17771 + __asm__ __volatile__ (
17772 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17773 + "movw %w4,%%es\n"
17776 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17778 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17779 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17780 + * page fault when examined during a TLB load attempt. this is true not only
17781 + * for PTEs holding a non-present entry but also present entries that will
17782 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17783 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17784 + * for our target pages since their PTEs are simply not in the TLBs at all.
17786 + * the best thing in omitting it is that we gain around 15-20% speed in the
17787 + * fast path of the page fault handler and can get rid of tracing since we
17788 + * can no longer flush unintended entries.
17792 + "testb $0,%%es:(%0)\n"
17794 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17799 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
17800 + : "memory", "cc");
17801 + pte_unmap_unlock(pte, ptl);
17802 + up_read(&mm->mmap_sem);
17808 * Handle a spurious fault caused by a stale TLB entry.
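Review bot: pax_handle_pageexec_fault() has no header comment, and its locking contract is not obvious. It calls `up_read(&mm->mmap_sem)` on several paths, so it is evidently entered with mmap_sem held for reading and releases it on some returns, presumably not all. The caller added in do_page_fault() only tests the result for non-zero, so a comment listing each return value and whether mmap_sem is still held afterwards would guard against a double or missing release when the function is next edited; the return statements themselves are not shown on this page. The expression `((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1))` also deserves a note that it moves the write bit of the error code onto the dirty bit of the PTE, which holds only while PF_WRITE is bit 1.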
17810 @@ -917,6 +1160,9 @@ int show_unhandled_signals = 1;
17812 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
17814 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17818 /* write, present and write, not present: */
17819 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17820 @@ -950,17 +1196,31 @@ do_page_fault(struct pt_regs *regs, unsi
17822 struct vm_area_struct *vma;
17823 struct task_struct *tsk;
17824 - unsigned long address;
17825 struct mm_struct *mm;
17829 + /* Get the faulting address: */
17830 + unsigned long address = read_cr2();
17832 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17833 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17834 + if (!search_exception_tables(regs->ip)) {
17835 + bad_area_nosemaphore(regs, error_code, address);
17838 + if (address < PAX_USER_SHADOW_BASE) {
17839 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17840 + printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
17841 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17843 + address -= PAX_USER_SHADOW_BASE;
17850 - /* Get the faulting address: */
17851 - address = read_cr2();
17854 * Detect and handle instructions that would cause a page fault for
17855 * both a tracked kernel page and a userspace page.
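Review bot: The UDEREF block prints two `printk(KERN_ERR ...)` lines and a full stack trace each time a kernel-mode access that has an exception-table entry faults on an address below PAX_USER_SHADOW_BASE, and no rate limit is visible. If one code path hits this repeatedly the log fills with identical traces; wrapping the three calls in `if (printk_ratelimit()) { ... }` keeps the diagnostic while bounding the volume. The bound `2 * PAX_USER_SHADOW_BASE` and the later `address -= PAX_USER_SHADOW_BASE` would also benefit from a comment saying that a shadow-range address is translated back to the user address it aliases, which is presumably the intent and should be confirmed. do_page_fault() starts and ends outside the hunk.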
17856 @@ -1020,7 +1280,7 @@ do_page_fault(struct pt_regs *regs, unsi
17857 * User-mode registers count as a user access even for any
17858 * potential system fault or CPU buglet:
17860 - if (user_mode_vm(regs)) {
17861 + if (user_mode(regs)) {
17862 local_irq_enable();
17863 error_code |= PF_USER;
17865 @@ -1074,6 +1334,11 @@ do_page_fault(struct pt_regs *regs, unsi
17869 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17870 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17874 vma = find_vma(mm, address);
17875 if (unlikely(!vma)) {
17876 bad_area(regs, error_code, address);
17877 @@ -1085,18 +1350,24 @@ do_page_fault(struct pt_regs *regs, unsi
17878 bad_area(regs, error_code, address);
17881 - if (error_code & PF_USER) {
17883 - * Accessing the stack below %sp is always a bug.
17884 - * The large cushion allows instructions like enter
17885 - * and pusha to work. ("enter $65535, $31" pushes
17886 - * 32 pointers and then decrements %sp by 65535.)
17888 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17889 - bad_area(regs, error_code, address);
17893 + * Accessing the stack below %sp is always a bug.
17894 + * The large cushion allows instructions like enter
17895 + * and pusha to work. ("enter $65535, $31" pushes
17896 + * 32 pointers and then decrements %sp by 65535.)
17898 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17899 + bad_area(regs, error_code, address);
17903 +#ifdef CONFIG_PAX_SEGMEXEC
17904 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17905 + bad_area(regs, error_code, address);
17910 if (unlikely(expand_stack(vma, address))) {
17911 bad_area(regs, error_code, address);
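Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wraparound and has no comment, which makes it hard to audit. As I read it, it rejects growing a vma that ends above `SEGMEXEC_TASK_SIZE` down to an address at or below it; if that is right, say so in a comment like `/* unsigned wrap: true only when address <= SEGMEXEC_TASK_SIZE < vma->vm_end */`. The hunk also drops the `error_code & PF_USER` guard and compares against `task_pt_regs(tsk)->sp`, so the below-%sp check now applies to kernel-mode faults too. The retained comment should mention that this is the saved user stack pointer.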
17913 @@ -1140,3 +1411,199 @@ good_area:
17915 up_read(&mm->mmap_sem);
17918 +#ifdef CONFIG_PAX_EMUTRAMP
17919 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17923 + do { /* PaX: gcc trampoline emulation #1 */
17924 + unsigned char mov1, mov2;
17925 + unsigned short jmp;
17926 + unsigned int addr1, addr2;
17928 +#ifdef CONFIG_X86_64
17929 + if ((regs->ip + 11) >> 32)
17933 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17934 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17935 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17936 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17937 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17942 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17943 + regs->cx = addr1;
17944 + regs->ax = addr2;
17945 + regs->ip = addr2;
17950 + do { /* PaX: gcc trampoline emulation #2 */
17951 + unsigned char mov, jmp;
17952 + unsigned int addr1, addr2;
17954 +#ifdef CONFIG_X86_64
17955 + if ((regs->ip + 9) >> 32)
17959 + err = get_user(mov, (unsigned char __user *)regs->ip);
17960 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17961 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17962 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17967 + if (mov == 0xB9 && jmp == 0xE9) {
17968 + regs->cx = addr1;
17969 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17974 + return 1; /* PaX in action */
17977 +#ifdef CONFIG_X86_64
17978 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17982 + do { /* PaX: gcc trampoline emulation #1 */
17983 + unsigned short mov1, mov2, jmp1;
17984 + unsigned char jmp2;
17985 + unsigned int addr1;
17986 + unsigned long addr2;
17988 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17989 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17990 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17991 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17992 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17993 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17998 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17999 + regs->r11 = addr1;
18000 + regs->r10 = addr2;
18001 + regs->ip = addr1;
18006 + do { /* PaX: gcc trampoline emulation #2 */
18007 + unsigned short mov1, mov2, jmp1;
18008 + unsigned char jmp2;
18009 + unsigned long addr1, addr2;
18011 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18012 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
18013 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
18014 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
18015 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
18016 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
18021 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18022 + regs->r11 = addr1;
18023 + regs->r10 = addr2;
18024 + regs->ip = addr1;
18029 + return 1; /* PaX in action */
18034 + * PaX: decide what to do with offenders (regs->ip = fault address)
18036 + * returns 1 when task should be killed
18037 + * 2 when gcc trampoline was detected
18039 +static int pax_handle_fetch_fault(struct pt_regs *regs)
18041 + if (v8086_mode(regs))
18044 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
18047 +#ifdef CONFIG_X86_32
18048 + return pax_handle_fetch_fault_32(regs);
18050 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
18051 + return pax_handle_fetch_fault_32(regs);
18053 + return pax_handle_fetch_fault_64(regs);
18058 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18059 +void pax_report_insns(void *pc, void *sp)
18063 + printk(KERN_ERR "PAX: bytes at PC: ");
18064 + for (i = 0; i < 20; i++) {
18066 + if (get_user(c, (__force unsigned char __user *)pc+i))
18067 + printk(KERN_CONT "?? ");
18069 + printk(KERN_CONT "%02x ", c);
18073 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
18074 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
18076 + if (get_user(c, (__force unsigned long __user *)sp+i))
18077 +#ifdef CONFIG_X86_32
18078 + printk(KERN_CONT "???????? ");
18080 + printk(KERN_CONT "???????????????? ");
18083 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
18090 + * probe_kernel_write(): safely attempt to write to a location
18091 + * @dst: address to write to
18092 + * @src: pointer to the data that shall be written
18093 + * @size: size of the data chunk
18095 + * Safely write to address @dst from the buffer at @src. If a kernel fault
18096 + * happens, handle that and return -EFAULT.
18098 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
18101 + mm_segment_t old_fs = get_fs();
18103 + set_fs(KERNEL_DS);
18104 + pagefault_disable();
18105 + pax_open_kernel();
18106 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
18107 + pax_close_kernel();
18108 + pagefault_enable();
18111 + return ret ? -EFAULT : 0;
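Review bot: `probe_kernel_write()` now wraps the copy in `pax_open_kernel()`/`pax_close_kernel()` for whatever `dst` the caller passes, so every caller can write through otherwise read-only kernel mappings. Nothing in the added lines documents or restricts that. The kernel-doc above it should state the contract, for example `* Also writes to read-only kernel memory while the PaX window is open; callers must validate @dst.` Separately, `pax_report_insns()` in the same hunk prints 20 bytes at PC and the words around SP of the faulting task at `KERN_ERR`, which copies user memory into the kernel log. A comment noting that, and who is expected to be able to read the log, would help operators decide on log access.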
18113 diff -urNp linux-2.6.35.4/arch/x86/mm/gup.c linux-2.6.35.4/arch/x86/mm/gup.c
18114 --- linux-2.6.35.4/arch/x86/mm/gup.c 2010-08-26 19:47:12.000000000 -0400
18115 +++ linux-2.6.35.4/arch/x86/mm/gup.c 2010-09-17 20:12:09.000000000 -0400
18116 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
18118 len = (unsigned long) nr_pages << PAGE_SHIFT;
18120 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18121 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18122 (void __user *)start, len)))
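Review bot: The switch from `access_ok()` to `__access_ok()` carries no comment saying what the double-underscore variant leaves out, and its definition is not in this hunk. As far as these lines show, this is the range check on `start`/`len` before the page walk, so the reason the reduced check is sufficient should be written down. Something like `/* __access_ok(): <reason the plain range check is enough here> */` would do, with the placeholder filled in by the author. `__get_user_pages_fast()` continues outside the hunk.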
18125 diff -urNp linux-2.6.35.4/arch/x86/mm/highmem_32.c linux-2.6.35.4/arch/x86/mm/highmem_32.c
18126 --- linux-2.6.35.4/arch/x86/mm/highmem_32.c 2010-08-26 19:47:12.000000000 -0400
18127 +++ linux-2.6.35.4/arch/x86/mm/highmem_32.c 2010-09-17 20:12:09.000000000 -0400
18128 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
18129 idx = type + KM_TYPE_NR*smp_processor_id();
18130 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18131 BUG_ON(!pte_none(*(kmap_pte-idx)));
18133 + pax_open_kernel();
18134 set_pte(kmap_pte-idx, mk_pte(page, prot));
18135 + pax_close_kernel();
18137 return (void *)vaddr;
18139 diff -urNp linux-2.6.35.4/arch/x86/mm/hugetlbpage.c linux-2.6.35.4/arch/x86/mm/hugetlbpage.c
18140 --- linux-2.6.35.4/arch/x86/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
18141 +++ linux-2.6.35.4/arch/x86/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
18142 @@ -266,13 +266,18 @@ static unsigned long hugetlb_get_unmappe
18143 struct hstate *h = hstate_file(file);
18144 struct mm_struct *mm = current->mm;
18145 struct vm_area_struct *vma;
18146 - unsigned long start_addr;
18147 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18149 +#ifdef CONFIG_PAX_SEGMEXEC
18150 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18151 + pax_task_size = SEGMEXEC_TASK_SIZE;
18154 if (len > mm->cached_hole_size) {
18155 - start_addr = mm->free_area_cache;
18156 + start_addr = mm->free_area_cache;
18158 - start_addr = TASK_UNMAPPED_BASE;
18159 - mm->cached_hole_size = 0;
18160 + start_addr = mm->mmap_base;
18161 + mm->cached_hole_size = 0;
18165 @@ -280,26 +285,27 @@ full_search:
18167 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18168 /* At this point: (!vma || addr < vma->vm_end). */
18169 - if (TASK_SIZE - len < addr) {
18170 + if (pax_task_size - len < addr) {
18172 * Start a new search - just in case we missed
18175 - if (start_addr != TASK_UNMAPPED_BASE) {
18176 - start_addr = TASK_UNMAPPED_BASE;
18177 + if (start_addr != mm->mmap_base) {
18178 + start_addr = mm->mmap_base;
18179 mm->cached_hole_size = 0;
18184 - if (!vma || addr + len <= vma->vm_start) {
18185 - mm->free_area_cache = addr + len;
18188 + if (check_heap_stack_gap(vma, addr, len))
18190 if (addr + mm->cached_hole_size < vma->vm_start)
18191 mm->cached_hole_size = vma->vm_start - addr;
18192 addr = ALIGN(vma->vm_end, huge_page_size(h));
18195 + mm->free_area_cache = addr + len;
18199 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
18200 @@ -308,10 +314,9 @@ static unsigned long hugetlb_get_unmappe
18202 struct hstate *h = hstate_file(file);
18203 struct mm_struct *mm = current->mm;
18204 - struct vm_area_struct *vma, *prev_vma;
18205 - unsigned long base = mm->mmap_base, addr = addr0;
18206 + struct vm_area_struct *vma;
18207 + unsigned long base = mm->mmap_base, addr;
18208 unsigned long largest_hole = mm->cached_hole_size;
18209 - int first_time = 1;
18211 /* don't allow allocations above current base */
18212 if (mm->free_area_cache > base)
18213 @@ -321,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
18215 mm->free_area_cache = base;
18219 /* make sure it can fit in the remaining address space */
18220 if (mm->free_area_cache < len)
18222 @@ -329,33 +334,27 @@ try_again:
18223 /* either no address requested or cant fit in requested address hole */
18224 addr = (mm->free_area_cache - len) & huge_page_mask(h);
18226 + vma = find_vma(mm, addr);
18228 * Lookup failure means no vma is above this address,
18229 * i.e. return with success:
18231 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18235 * new region fits between prev_vma->vm_end and
18236 * vma->vm_start, use it:
18238 - if (addr + len <= vma->vm_start &&
18239 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18240 + if (check_heap_stack_gap(vma, addr, len)) {
18241 /* remember the address as a hint for next time */
18242 - mm->cached_hole_size = largest_hole;
18243 - return (mm->free_area_cache = addr);
18245 - /* pull free_area_cache down to the first hole */
18246 - if (mm->free_area_cache == vma->vm_end) {
18247 - mm->free_area_cache = vma->vm_start;
18248 - mm->cached_hole_size = largest_hole;
18250 + mm->cached_hole_size = largest_hole;
18251 + return (mm->free_area_cache = addr);
18253 + /* pull free_area_cache down to the first hole */
18254 + if (mm->free_area_cache == vma->vm_end) {
18255 + mm->free_area_cache = vma->vm_start;
18256 + mm->cached_hole_size = largest_hole;
18259 /* remember the largest hole we saw so far */
18260 if (addr + largest_hole < vma->vm_start)
18261 - largest_hole = vma->vm_start - addr;
18262 + largest_hole = vma->vm_start - addr;
18264 /* try just below the current vma->vm_start */
18265 addr = (vma->vm_start - len) & huge_page_mask(h);
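Review bot: The context comment `new region fits between prev_vma->vm_end and vma->vm_start, use it:` is left in place although this hunk removes `prev_vma` and replaces the test with `check_heap_stack_gap(vma, addr, len)`. It should be reworded to describe the new condition, for example `new region fits below vma->vm_start according to check_heap_stack_gap(), use it:`. The earlier comment `Lookup failure means no vma is above this address, i.e. return with success` has the same problem. The explicit `!vma` return is gone, so success for a NULL `vma` now depends on the helper accepting it, which I cannot see from here. The function body starts and ends outside the hunk.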
18266 @@ -363,22 +362,26 @@ try_again:
18270 - * if hint left us with no space for the requested
18271 - * mapping then try again:
18273 - if (first_time) {
18274 - mm->free_area_cache = base;
18275 - largest_hole = 0;
18280 * A failed mmap() very likely causes application failure,
18281 * so fall back to the bottom-up function here. This scenario
18282 * can happen with large stack limits and large mmap()
18285 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18287 +#ifdef CONFIG_PAX_SEGMEXEC
18288 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18289 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18293 + mm->mmap_base = TASK_UNMAPPED_BASE;
18295 +#ifdef CONFIG_PAX_RANDMMAP
18296 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18297 + mm->mmap_base += mm->delta_mmap;
18300 + mm->free_area_cache = mm->mmap_base;
18301 mm->cached_hole_size = ~0UL;
18302 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18303 len, pgoff, flags);
18304 @@ -386,6 +389,7 @@ fail:
18306 * Restore the topdown base:
18308 + mm->mmap_base = base;
18309 mm->free_area_cache = base;
18310 mm->cached_hole_size = ~0UL;
18312 @@ -399,10 +403,17 @@ hugetlb_get_unmapped_area(struct file *f
18313 struct hstate *h = hstate_file(file);
18314 struct mm_struct *mm = current->mm;
18315 struct vm_area_struct *vma;
18316 + unsigned long pax_task_size = TASK_SIZE;
18318 if (len & ~huge_page_mask(h))
18320 - if (len > TASK_SIZE)
18322 +#ifdef CONFIG_PAX_SEGMEXEC
18323 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18324 + pax_task_size = SEGMEXEC_TASK_SIZE;
18327 + if (len > pax_task_size)
18330 if (flags & MAP_FIXED) {
18331 @@ -414,8 +425,7 @@ hugetlb_get_unmapped_area(struct file *f
18333 addr = ALIGN(addr, huge_page_size(h));
18334 vma = find_vma(mm, addr);
18335 - if (TASK_SIZE - len >= addr &&
18336 - (!vma || addr + len <= vma->vm_start))
18337 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18340 if (mm->get_unmapped_area == arch_get_unmapped_area)
18341 diff -urNp linux-2.6.35.4/arch/x86/mm/init_32.c linux-2.6.35.4/arch/x86/mm/init_32.c
18342 --- linux-2.6.35.4/arch/x86/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
18343 +++ linux-2.6.35.4/arch/x86/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
18344 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
18348 - * Creates a middle page table and puts a pointer to it in the
18349 - * given global directory entry. This only returns the gd entry
18350 - * in non-PAE compilation mode, since the middle layer is folded.
18352 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18355 - pmd_t *pmd_table;
18357 -#ifdef CONFIG_X86_PAE
18358 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18359 - if (after_bootmem)
18360 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18362 - pmd_table = (pmd_t *)alloc_low_page();
18363 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18364 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18365 - pud = pud_offset(pgd, 0);
18366 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18368 - return pmd_table;
18371 - pud = pud_offset(pgd, 0);
18372 - pmd_table = pmd_offset(pud, 0);
18374 - return pmd_table;
18378 * Create a page table and place a pointer to it in a middle page
18381 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
18382 page_table = (pte_t *)alloc_low_page();
18384 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18385 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18386 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18388 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18390 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18393 return pte_offset_kernel(pmd, 0);
18396 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18399 + pmd_t *pmd_table;
18401 + pud = pud_offset(pgd, 0);
18402 + pmd_table = pmd_offset(pud, 0);
18404 + return pmd_table;
18407 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18409 int pgd_idx = pgd_index(vaddr);
18410 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
18411 int pgd_idx, pmd_idx;
18412 unsigned long vaddr;
18418 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
18419 pgd = pgd_base + pgd_idx;
18421 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18422 - pmd = one_md_table_init(pgd);
18423 - pmd = pmd + pmd_index(vaddr);
18424 + pud = pud_offset(pgd, vaddr);
18425 + pmd = pmd_offset(pud, vaddr);
18427 +#ifdef CONFIG_X86_PAE
18428 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18431 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18432 pmd++, pmd_idx++) {
18433 pte = page_table_kmap_check(one_page_table_init(pmd),
18434 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
18438 -static inline int is_kernel_text(unsigned long addr)
18439 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18441 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18444 + if ((start > ktla_ktva((unsigned long)_etext) ||
18445 + end <= ktla_ktva((unsigned long)_stext)) &&
18446 + (start > ktla_ktva((unsigned long)_einittext) ||
18447 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18449 +#ifdef CONFIG_ACPI_SLEEP
18450 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18453 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
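Review bot: The new range test uses `start > ktla_ktva((unsigned long)_etext)` (and the same form for `_einittext`), so a range that begins exactly at `_etext` is still classified as kernel text. The callers further down then map it `PAGE_KERNEL_EXEC` or `PAGE_KERNEL_LARGE_EXEC`. If `_etext` is the first address past the text, as is usual for linker end symbols, the non-overlap test for a half-open range would be `start >= ktla_ktva((unsigned long)_etext)`; if the extra page is intentional it needs a comment. The `0x4000`, `0xc0000` and `0xfffff` literals should also get names or a comment saying which regions they describe and why they must stay executable.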
18459 @@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
18460 unsigned long last_map_addr = end;
18461 unsigned long start_pfn, end_pfn;
18462 pgd_t *pgd_base = swapper_pg_dir;
18463 - int pgd_idx, pmd_idx, pte_ofs;
18464 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18470 unsigned pages_2m, pages_4k;
18471 @@ -279,8 +280,13 @@ repeat:
18473 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18474 pgd = pgd_base + pgd_idx;
18475 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18476 - pmd = one_md_table_init(pgd);
18477 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18478 + pud = pud_offset(pgd, 0);
18479 + pmd = pmd_offset(pud, 0);
18481 +#ifdef CONFIG_X86_PAE
18482 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18485 if (pfn >= end_pfn)
18487 @@ -292,14 +298,13 @@ repeat:
18489 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18490 pmd++, pmd_idx++) {
18491 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18492 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18495 * Map with big pages if possible, otherwise
18496 * create normal page tables:
18499 - unsigned int addr2;
18500 pgprot_t prot = PAGE_KERNEL_LARGE;
18502 * first pass will use the same initial
18503 @@ -309,11 +314,7 @@ repeat:
18504 __pgprot(PTE_IDENT_ATTR |
18507 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18508 - PAGE_OFFSET + PAGE_SIZE-1;
18510 - if (is_kernel_text(addr) ||
18511 - is_kernel_text(addr2))
18512 + if (is_kernel_text(address, address + PMD_SIZE))
18513 prot = PAGE_KERNEL_LARGE_EXEC;
18516 @@ -330,7 +331,7 @@ repeat:
18517 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18519 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18520 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18521 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18522 pgprot_t prot = PAGE_KERNEL;
18524 * first pass will use the same initial
18525 @@ -338,7 +339,7 @@ repeat:
18527 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18529 - if (is_kernel_text(addr))
18530 + if (is_kernel_text(address, address + PAGE_SIZE))
18531 prot = PAGE_KERNEL_EXEC;
18534 @@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
18536 pud = pud_offset(pgd, va);
18537 pmd = pmd_offset(pud, va);
18538 - if (!pmd_present(*pmd))
18539 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18542 pte = pte_offset_kernel(pmd, va);
18543 @@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
18545 static void __init pagetable_init(void)
18547 - pgd_t *pgd_base = swapper_pg_dir;
18549 - permanent_kmaps_init(pgd_base);
18550 + permanent_kmaps_init(swapper_pg_dir);
18553 #ifdef CONFIG_ACPI_SLEEP
18554 @@ -553,12 +552,12 @@ static void __init pagetable_init(void)
18555 * ACPI suspend needs this for resume, because things like the intel-agp
18556 * driver might have split up a kernel 4MB mapping.
18558 -char swsusp_pg_dir[PAGE_SIZE]
18559 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
18560 __attribute__ ((aligned(PAGE_SIZE)));
18562 static inline void save_pg_dir(void)
18564 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
18565 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
18567 #else /* !CONFIG_ACPI_SLEEP */
18568 static inline void save_pg_dir(void)
18569 @@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
18573 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18574 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18575 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18577 /* user-defined highmem size */
18578 @@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
18579 * Initialize the boot-time allocator (with low memory only):
18581 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
18582 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18583 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18585 if (bootmap == -1L)
18586 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
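Review bot: The bare `0x100000` start address passed to `find_e820_area()` has no comment saying why the first megabyte is excluded. The same literal appears as `start = 0x100000;` in the arch/x86/mm/init.c hunk, and as a page frame number in `pfn >= 0x100` in the arch/x86/mm/ioremap.c hunk. The patch already uses `ISA_END_ADDRESS` in `devmem_is_allowed()`, which I believe is the same 1 MiB boundary. If so, `ISA_END_ADDRESS` here and `(ISA_END_ADDRESS >> PAGE_SHIFT)` in ioremap.c would tie the three sites together and remove the hidden 4 KiB page-size assumption in `0x100`.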
18587 @@ -871,6 +870,12 @@ void __init mem_init(void)
18591 +#ifdef CONFIG_PAX_PER_CPU_PGD
18592 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18593 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18594 + KERNEL_PGD_PTRS);
18597 #ifdef CONFIG_FLATMEM
18600 @@ -888,7 +893,7 @@ void __init mem_init(void)
18601 set_highmem_pages_init();
18603 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18604 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18605 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18606 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18608 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18609 @@ -929,10 +934,10 @@ void __init mem_init(void)
18610 ((unsigned long)&__init_end -
18611 (unsigned long)&__init_begin) >> 10,
18613 - (unsigned long)&_etext, (unsigned long)&_edata,
18614 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18615 + (unsigned long)&_sdata, (unsigned long)&_edata,
18616 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18618 - (unsigned long)&_text, (unsigned long)&_etext,
18619 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18620 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18623 @@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
18624 if (!kernel_set_to_readonly)
18627 + start = ktla_ktva(start);
18628 pr_debug("Set kernel text: %lx - %lx for read write\n",
18629 start, start+size);
18631 @@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
18632 if (!kernel_set_to_readonly)
18635 + start = ktla_ktva(start);
18636 pr_debug("Set kernel text: %lx - %lx for read only\n",
18637 start, start+size);
18639 @@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
18640 unsigned long start = PFN_ALIGN(_text);
18641 unsigned long size = PFN_ALIGN(_etext) - start;
18643 + start = ktla_ktva(start);
18644 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18645 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18647 diff -urNp linux-2.6.35.4/arch/x86/mm/init_64.c linux-2.6.35.4/arch/x86/mm/init_64.c
18648 --- linux-2.6.35.4/arch/x86/mm/init_64.c 2010-08-26 19:47:12.000000000 -0400
18649 +++ linux-2.6.35.4/arch/x86/mm/init_64.c 2010-09-17 20:12:09.000000000 -0400
18651 #include <asm/numa.h>
18652 #include <asm/cacheflush.h>
18653 #include <asm/init.h>
18654 -#include <linux/bootmem.h>
18656 static unsigned long dma_reserve __initdata;
18658 @@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
18659 * around without checking the pgd every time.
18662 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18663 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18664 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18666 int force_personality32;
18667 @@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18668 pmd = fill_pmd(pud, vaddr);
18669 pte = fill_pte(pmd, vaddr);
18671 + pax_open_kernel();
18672 set_pte(pte, new_pte);
18673 + pax_close_kernel();
18676 * It's enough to flush this one mapping.
18677 @@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
18678 pgd = pgd_offset_k((unsigned long)__va(phys));
18679 if (pgd_none(*pgd)) {
18680 pud = (pud_t *) spp_getpage();
18681 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18683 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18685 pud = pud_offset(pgd, (unsigned long)__va(phys));
18686 if (pud_none(*pud)) {
18687 pmd = (pmd_t *) spp_getpage();
18688 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18690 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18692 pmd = pmd_offset(pud, phys);
18693 BUG_ON(!pmd_none(*pmd));
18694 @@ -680,6 +679,12 @@ void __init mem_init(void)
18698 +#ifdef CONFIG_PAX_PER_CPU_PGD
18699 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18700 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18701 + KERNEL_PGD_PTRS);
18704 /* clear_bss() already clear the empty_zero_page */
18707 @@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
18708 static struct vm_area_struct gate_vma = {
18709 .vm_start = VSYSCALL_START,
18710 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18711 - .vm_page_prot = PAGE_READONLY_EXEC,
18712 - .vm_flags = VM_READ | VM_EXEC
18713 + .vm_page_prot = PAGE_READONLY,
18714 + .vm_flags = VM_READ
18717 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
18718 @@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
18720 const char *arch_vma_name(struct vm_area_struct *vma)
18722 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18723 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18725 if (vma == &gate_vma)
18726 return "[vsyscall]";
18727 diff -urNp linux-2.6.35.4/arch/x86/mm/init.c linux-2.6.35.4/arch/x86/mm/init.c
18728 --- linux-2.6.35.4/arch/x86/mm/init.c 2010-08-26 19:47:12.000000000 -0400
18729 +++ linux-2.6.35.4/arch/x86/mm/init.c 2010-09-17 20:12:09.000000000 -0400
18730 @@ -70,11 +70,7 @@ static void __init find_early_table_spac
18731 * cause a hotspot and fill up ZONE_DMA. The page tables
18732 * need roughly 0.5KB per GB.
18734 -#ifdef CONFIG_X86_32
18739 + start = 0x100000;
18740 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
18741 tables, PAGE_SIZE);
18742 if (e820_table_start == -1UL)
18743 @@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
18745 int devmem_is_allowed(unsigned long pagenr)
18747 - if (pagenr <= 256)
18750 +#ifdef CONFIG_VM86
18751 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18754 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18756 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
18758 @@ -380,6 +382,88 @@ void free_init_pages(char *what, unsigne
18760 void free_initmem(void)
18763 +#ifdef CONFIG_PAX_KERNEXEC
18764 +#ifdef CONFIG_X86_32
18765 + /* PaX: limit KERNEL_CS to actual size */
18766 + unsigned long addr, limit;
18767 + struct desc_struct d;
18770 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18771 + limit = (limit - 1UL) >> PAGE_SHIFT;
18773 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18774 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18775 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18776 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18779 + /* PaX: make KERNEL_CS read-only */
18780 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18781 + if (!paravirt_enabled())
18782 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18784 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18785 + pgd = pgd_offset_k(addr);
18786 + pud = pud_offset(pgd, addr);
18787 + pmd = pmd_offset(pud, addr);
18788 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18791 +#ifdef CONFIG_X86_PAE
18792 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18794 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18795 + pgd = pgd_offset_k(addr);
18796 + pud = pud_offset(pgd, addr);
18797 + pmd = pmd_offset(pud, addr);
18798 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18803 +#ifdef CONFIG_MODULES
18804 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18811 + unsigned long addr, end;
18813 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18814 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18815 + pgd = pgd_offset_k(addr);
18816 + pud = pud_offset(pgd, addr);
18817 + pmd = pmd_offset(pud, addr);
18818 + if (!pmd_present(*pmd))
18820 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18821 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18823 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18826 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18827 + end = addr + KERNEL_IMAGE_SIZE;
18828 + for (; addr < end; addr += PMD_SIZE) {
18829 + pgd = pgd_offset_k(addr);
18830 + pud = pud_offset(pgd, addr);
18831 + pmd = pmd_offset(pud, addr);
18832 + if (!pmd_present(*pmd))
18834 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18835 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18837 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18844 free_init_pages("unused kernel memory",
18845 (unsigned long)(&__init_begin),
18846 (unsigned long)(&__init_end));
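Review bot: `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);` passes what looks like an integer expression as the destination pointer, unlike the explicit casts used for the other addresses in this hunk. Writing it as `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);` states the intent and avoids an integer-to-pointer warning. A one-line comment on why that single page is poisoned would help, as would names or a comment for the `0x9B, 0xC` arguments to `pack_descriptor()`. Both would make the KERNEL_CS limit change easier to audit.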
18847 diff -urNp linux-2.6.35.4/arch/x86/mm/iomap_32.c linux-2.6.35.4/arch/x86/mm/iomap_32.c
18848 --- linux-2.6.35.4/arch/x86/mm/iomap_32.c 2010-08-26 19:47:12.000000000 -0400
18849 +++ linux-2.6.35.4/arch/x86/mm/iomap_32.c 2010-09-17 20:12:09.000000000 -0400
18850 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18851 debug_kmap_atomic(type);
18852 idx = type + KM_TYPE_NR * smp_processor_id();
18853 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18855 + pax_open_kernel();
18856 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18857 + pax_close_kernel();
18859 arch_flush_lazy_mmu_mode();
18861 return (void *)vaddr;
18862 diff -urNp linux-2.6.35.4/arch/x86/mm/ioremap.c linux-2.6.35.4/arch/x86/mm/ioremap.c
18863 --- linux-2.6.35.4/arch/x86/mm/ioremap.c 2010-08-26 19:47:12.000000000 -0400
18864 +++ linux-2.6.35.4/arch/x86/mm/ioremap.c 2010-09-17 20:12:09.000000000 -0400
18865 @@ -100,13 +100,10 @@ static void __iomem *__ioremap_caller(re
18867 * Don't allow anybody to remap normal RAM that we're using..
18869 - for (pfn = phys_addr >> PAGE_SHIFT;
18870 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
18873 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
18874 int is_ram = page_is_ram(pfn);
18876 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18877 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18879 WARN_ON_ONCE(is_ram);
18881 @@ -346,7 +343,7 @@ static int __init early_ioremap_debug_se
18882 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18884 static __initdata int after_paging_init;
18885 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18886 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18888 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18890 @@ -378,8 +375,7 @@ void __init early_ioremap_init(void)
18891 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18893 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18894 - memset(bm_pte, 0, sizeof(bm_pte));
18895 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18896 + pmd_populate_user(&init_mm, pmd, bm_pte);
18899 * The boot-ioremap range spans multiple pmds, for which
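Review bot: `pmd_populate_user(&init_mm, pmd, bm_pte)` is a surprising call for a kernel fixmap page table, and its definition is not in this hunk. A comment should say which page-table flags it sets and why the kernel variant is not used here. The removed `memset(bm_pte, 0, sizeof(bm_pte))` is presumably dropped because `bm_pte` is now `__read_only` and statically zeroed. That deserves a note as well, e.g. `/* bm_pte is __read_only and zero-initialised; do not memset it */`, so nobody adds the memset back. `early_ioremap_init()` continues outside the hunk.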
18900 diff -urNp linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c
18901 --- linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c 2010-08-26 19:47:12.000000000 -0400
18902 +++ linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c 2010-09-17 20:12:09.000000000 -0400
18903 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18904 * memory (e.g. tracked pages)? For now, we need this to avoid
18905 * invoking kmemcheck for PnP BIOS calls.
18907 - if (regs->flags & X86_VM_MASK)
18908 + if (v8086_mode(regs))
18910 - if (regs->cs != __KERNEL_CS)
18911 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18914 pte = kmemcheck_pte_lookup(address);
18915 diff -urNp linux-2.6.35.4/arch/x86/mm/mmap.c linux-2.6.35.4/arch/x86/mm/mmap.c
18916 --- linux-2.6.35.4/arch/x86/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
18917 +++ linux-2.6.35.4/arch/x86/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
18918 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18919 * Leave an at least ~128 MB hole with possible stack randomization.
18921 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18922 -#define MAX_GAP (TASK_SIZE/6*5)
18923 +#define MAX_GAP (pax_task_size/6*5)
18926 * True on X86_32 or when emulating IA32 on X86_64
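Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, which silently captures a local variable that only `mmap_base()` declares (in the following hunk). The macro therefore no longer compiles anywhere else, and its input is invisible at the point of use. A function-like form makes the dependency explicit: `#define MAX_GAP(task_size) ((task_size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` in `mmap_base()`.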
18927 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18928 return rnd << PAGE_SHIFT;
18931 -static unsigned long mmap_base(void)
18932 +static unsigned long mmap_base(struct mm_struct *mm)
18934 unsigned long gap = rlimit(RLIMIT_STACK);
18935 + unsigned long pax_task_size = TASK_SIZE;
18937 +#ifdef CONFIG_PAX_SEGMEXEC
18938 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18939 + pax_task_size = SEGMEXEC_TASK_SIZE;
18944 else if (gap > MAX_GAP)
18947 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18948 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18952 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18953 * does, but not when emulating X86_32
18955 -static unsigned long mmap_legacy_base(void)
18956 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18958 - if (mmap_is_ia32())
18959 + if (mmap_is_ia32()) {
18961 +#ifdef CONFIG_PAX_SEGMEXEC
18962 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18963 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18967 return TASK_UNMAPPED_BASE;
18970 return TASK_UNMAPPED_BASE + mmap_rnd();
18973 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18974 void arch_pick_mmap_layout(struct mm_struct *mm)
18976 if (mmap_is_legacy()) {
18977 - mm->mmap_base = mmap_legacy_base();
18978 + mm->mmap_base = mmap_legacy_base(mm);
18980 +#ifdef CONFIG_PAX_RANDMMAP
18981 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18982 + mm->mmap_base += mm->delta_mmap;
18985 mm->get_unmapped_area = arch_get_unmapped_area;
18986 mm->unmap_area = arch_unmap_area;
18988 - mm->mmap_base = mmap_base();
18989 + mm->mmap_base = mmap_base(mm);
18991 +#ifdef CONFIG_PAX_RANDMMAP
18992 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18993 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18996 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18997 mm->unmap_area = arch_unmap_area_topdown;
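Review bot: The top-down branch subtracts `mm->delta_mmap + mm->delta_stack` from a base that `mmap_base()` has already lowered by `gap` and `mmap_rnd()`, and nothing visible bounds the result from below. Whether the base can wrap or land unreasonably low depends on the ranges of the two deltas, which are set outside this file section, so I would either clamp the result or document the bound next to the subtraction. A one-line comment on why the legacy layout adds only `delta_mmap` while the top-down layout subtracts both deltas would also help. The closing lines of `arch_pick_mmap_layout` are not shown in the hunk.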
18999 diff -urNp linux-2.6.35.4/arch/x86/mm/numa_32.c linux-2.6.35.4/arch/x86/mm/numa_32.c
19000 --- linux-2.6.35.4/arch/x86/mm/numa_32.c 2010-08-26 19:47:12.000000000 -0400
19001 +++ linux-2.6.35.4/arch/x86/mm/numa_32.c 2010-09-17 20:12:09.000000000 -0400
19002 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
19006 -extern unsigned long find_max_low_pfn(void);
19007 extern unsigned long highend_pfn, highstart_pfn;
19009 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
19010 diff -urNp linux-2.6.35.4/arch/x86/mm/pageattr.c linux-2.6.35.4/arch/x86/mm/pageattr.c
19011 --- linux-2.6.35.4/arch/x86/mm/pageattr.c 2010-08-26 19:47:12.000000000 -0400
19012 +++ linux-2.6.35.4/arch/x86/mm/pageattr.c 2010-09-17 20:12:09.000000000 -0400
19013 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
19014 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
19016 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
19017 - pgprot_val(forbidden) |= _PAGE_NX;
19018 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19021 * The kernel text needs to be executable for obvious reasons
19022 * Does not cover __inittext since that is gone later on. On
19023 * 64bit we do not enforce !NX on the low mapping
19025 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
19026 - pgprot_val(forbidden) |= _PAGE_NX;
19027 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
19028 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19030 +#ifdef CONFIG_DEBUG_RODATA
19032 * The .rodata section needs to be read-only. Using the pfn
19033 * catches all aliases.
19034 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
19035 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
19036 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
19037 pgprot_val(forbidden) |= _PAGE_RW;
19040 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
19042 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
19046 +#ifdef CONFIG_PAX_KERNEXEC
19047 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
19048 + pgprot_val(forbidden) |= _PAGE_RW;
19049 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19053 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
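Review bot: The KERNEXEC test `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))` compares a page frame number with byte physical addresses, whereas the `.rodata` check earlier in the same function shifts both bounds by `PAGE_SHIFT`. If `within()` is the plain range test it appears to be, the pfns of the kernel image would not fall inside that range, so the `_PAGE_RW` and `_PAGE_NX` restrictions would not be applied to them and would hit an unrelated pfn range instead. Unless the mismatch is intentional, the bounds should read `__pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT`. `static_protections` starts and ends outside the hunk.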
19056 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
19057 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
19059 /* change init_mm */
19060 + pax_open_kernel();
19061 set_pte_atomic(kpte, pte);
19063 #ifdef CONFIG_X86_32
19064 if (!SHARED_KERNEL_PMD) {
19066 +#ifdef CONFIG_PAX_PER_CPU_PGD
19067 + unsigned long cpu;
19072 +#ifdef CONFIG_PAX_PER_CPU_PGD
19073 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19074 + pgd_t *pgd = get_cpu_pgd(cpu);
19076 list_for_each_entry(page, &pgd_list, lru) {
19078 + pgd_t *pgd = (pgd_t *)page_address(page);
19084 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
19085 + pgd += pgd_index(address);
19086 pud = pud_offset(pgd, address);
19087 pmd = pmd_offset(pud, address);
19088 set_pte_atomic((pte_t *)pmd, pte);
19092 + pax_close_kernel();
19096 diff -urNp linux-2.6.35.4/arch/x86/mm/pageattr-test.c linux-2.6.35.4/arch/x86/mm/pageattr-test.c
19097 --- linux-2.6.35.4/arch/x86/mm/pageattr-test.c 2010-08-26 19:47:12.000000000 -0400
19098 +++ linux-2.6.35.4/arch/x86/mm/pageattr-test.c 2010-09-17 20:12:09.000000000 -0400
19099 @@ -36,7 +36,7 @@ enum {
19101 static int pte_testbit(pte_t pte)
19103 - return pte_flags(pte) & _PAGE_UNUSED1;
19104 + return pte_flags(pte) & _PAGE_CPA_TEST;
19107 struct split_state {
19108 diff -urNp linux-2.6.35.4/arch/x86/mm/pat.c linux-2.6.35.4/arch/x86/mm/pat.c
19109 --- linux-2.6.35.4/arch/x86/mm/pat.c 2010-08-26 19:47:12.000000000 -0400
19110 +++ linux-2.6.35.4/arch/x86/mm/pat.c 2010-09-17 20:12:09.000000000 -0400
19111 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
19114 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
19115 - current->comm, current->pid, start, end);
19116 + current->comm, task_pid_nr(current), start, end);
19120 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
19121 while (cursor < to) {
19122 if (!devmem_is_allowed(pfn)) {
19124 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
19125 - current->comm, from, to);
19126 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
19127 + current->comm, from, to, cursor);
19130 cursor += PAGE_SIZE;
19131 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
19133 "%s:%d ioremap_change_attr failed %s "
19135 - current->comm, current->pid,
19136 + current->comm, task_pid_nr(current),
19138 base, (unsigned long long)(base + size));
19140 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
19141 if (want_flags != flags) {
19142 printk(KERN_WARNING
19143 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19144 - current->comm, current->pid,
19145 + current->comm, task_pid_nr(current),
19146 cattr_name(want_flags),
19147 (unsigned long long)paddr,
19148 (unsigned long long)(paddr + size),
19149 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
19150 free_memtype(paddr, paddr + size);
19151 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19152 " for %Lx-%Lx, got %s\n",
19153 - current->comm, current->pid,
19154 + current->comm, task_pid_nr(current),
19155 cattr_name(want_flags),
19156 (unsigned long long)paddr,
19157 (unsigned long long)(paddr + size),
19158 diff -urNp linux-2.6.35.4/arch/x86/mm/pgtable_32.c linux-2.6.35.4/arch/x86/mm/pgtable_32.c
19159 --- linux-2.6.35.4/arch/x86/mm/pgtable_32.c 2010-08-26 19:47:12.000000000 -0400
19160 +++ linux-2.6.35.4/arch/x86/mm/pgtable_32.c 2010-09-17 20:12:09.000000000 -0400
19161 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19164 pte = pte_offset_kernel(pmd, vaddr);
19166 + pax_open_kernel();
19167 if (pte_val(pteval))
19168 set_pte_at(&init_mm, vaddr, pte, pteval);
19170 pte_clear(&init_mm, vaddr, pte);
19171 + pax_close_kernel();
19174 * It's enough to flush this one mapping.
19175 diff -urNp linux-2.6.35.4/arch/x86/mm/pgtable.c linux-2.6.35.4/arch/x86/mm/pgtable.c
19176 --- linux-2.6.35.4/arch/x86/mm/pgtable.c 2010-08-26 19:47:12.000000000 -0400
19177 +++ linux-2.6.35.4/arch/x86/mm/pgtable.c 2010-09-17 20:12:09.000000000 -0400
19178 @@ -84,8 +84,59 @@ static inline void pgd_list_del(pgd_t *p
19179 list_del(&page->lru);
19182 -#define UNSHARED_PTRS_PER_PGD \
19183 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19184 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19185 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19187 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19190 + *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
19195 +#ifdef CONFIG_PAX_PER_CPU_PGD
19196 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19200 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19201 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19209 +#ifdef CONFIG_PAX_PER_CPU_PGD
19210 +static inline void pgd_ctor(pgd_t *pgd) {}
19211 +static inline void pgd_dtor(pgd_t *pgd) {}
19212 +#ifdef CONFIG_X86_64
19213 +#define pxd_t pud_t
19214 +#define pyd_t pgd_t
19215 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19216 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19217 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19218 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19219 +#define PYD_SIZE PGDIR_SIZE
19221 +#define pxd_t pmd_t
19222 +#define pyd_t pud_t
19223 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19224 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19225 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19226 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19227 +#define PYD_SIZE PUD_SIZE
19230 +#define pxd_t pmd_t
19231 +#define pyd_t pud_t
19232 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19233 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19234 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19235 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19236 +#define PYD_SIZE PUD_SIZE
19238 static void pgd_ctor(pgd_t *pgd)
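Review bot: The `pxd_`/`pyd_` aliases are spelled out three times, and the two copies that map to `pmd_t`/`pud_t` differ only in parameter names; the first of them even declares `pxd_free(mm, pud)` while expanding to `pmd_free((mm), (pud))`. Defining the pmd/pud set once and overriding it only for the x86-64 per-CPU-PGD case would remove the duplication. `clone_pgd_mask`, `__shadow_user_pgds()` and `__clone_user_pgds()` also carry no comment saying what the mask is for or why the shadow copy sets `_PAGE_NX` and clears `_PAGE_USER`; a short header comment on each would help the next reader. The preprocessor lines that separate the macro groups are not shown in this hunk.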
19240 @@ -120,6 +171,7 @@ static void pgd_dtor(pgd_t *pgd)
19242 spin_unlock_irqrestore(&pgd_lock, flags);
19247 * List of all pgd's needed for non-PAE so it can invalidate entries
19248 @@ -132,7 +184,7 @@ static void pgd_dtor(pgd_t *pgd)
19252 -#ifdef CONFIG_X86_PAE
19253 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19255 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19256 * updating the top-level pagetable entries to guarantee the
19257 @@ -144,7 +196,7 @@ static void pgd_dtor(pgd_t *pgd)
19258 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19259 * and initialize the kernel pmds here.
19261 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19262 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19264 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19266 @@ -163,36 +215,38 @@ void pud_populate(struct mm_struct *mm,
19267 if (mm == current->active_mm)
19268 write_cr3(read_cr3());
19270 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19271 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19272 #else /* !CONFIG_X86_PAE */
19274 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19275 -#define PREALLOCATED_PMDS 0
19276 +#define PREALLOCATED_PXDS 0
19278 #endif /* CONFIG_X86_PAE */
19280 -static void free_pmds(pmd_t *pmds[])
19281 +static void free_pxds(pxd_t *pxds[])
19285 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19287 - free_page((unsigned long)pmds[i]);
19288 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19290 + free_page((unsigned long)pxds[i]);
19293 -static int preallocate_pmds(pmd_t *pmds[])
19294 +static int preallocate_pxds(pxd_t *pxds[])
19297 bool failed = false;
19299 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19300 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19302 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19303 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19316 @@ -205,51 +259,56 @@ static int preallocate_pmds(pmd_t *pmds[
19317 * preallocate which never got a corresponding vma will need to be
19320 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19321 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19325 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19326 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19327 pgd_t pgd = pgdp[i];
19329 if (pgd_val(pgd) != 0) {
19330 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19331 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19333 - pgdp[i] = native_make_pgd(0);
19334 + set_pgd(pgdp + i, native_make_pgd(0));
19336 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19337 - pmd_free(mm, pmd);
19338 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19339 + pxd_free(mm, pxd);
19344 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19345 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19349 unsigned long addr;
19352 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19353 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19356 - pud = pud_offset(pgd, 0);
19357 +#ifdef CONFIG_X86_64
19358 + pyd = pyd_offset(mm, 0L);
19360 + pyd = pyd_offset(pgd, 0L);
19363 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19364 - i++, pud++, addr += PUD_SIZE) {
19365 - pmd_t *pmd = pmds[i];
19366 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19367 + i++, pyd++, addr += PYD_SIZE) {
19368 + pxd_t *pxd = pxds[i];
19370 if (i >= KERNEL_PGD_BOUNDARY)
19371 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19372 - sizeof(pmd_t) * PTRS_PER_PMD);
19373 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19374 + sizeof(pxd_t) * PTRS_PER_PMD);
19376 - pud_populate(mm, pud, pmd);
19377 + pyd_populate(mm, pyd, pxd);
19381 pgd_t *pgd_alloc(struct mm_struct *mm)
19384 - pmd_t *pmds[PREALLOCATED_PMDS];
19385 + pxd_t *pxds[PREALLOCATED_PXDS];
19387 unsigned long flags;
19389 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
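Review bot: `pgd_prepopulate_pxd()` still copies `sizeof(pxd_t) * PTRS_PER_PMD` bytes even though `pxd_t` can now be `pud_t`. The two entry counts may well be equal on the configurations that reach this `memcpy`, but the size expression no longer follows the type it copies. Adding a `PTRS_PER_PXD` alias next to the other `pxd_`/`pyd_` macros and using `sizeof(pxd_t) * PTRS_PER_PXD` keeps them in step. In the same hunk `pxd_t *pxds[PREALLOCATED_PXDS]` in `pgd_alloc()` becomes an on-stack array of `USER_PGD_PTRS` pointers in the x86-64 per-CPU-PGD build, which is worth checking against the kernel stack budget. `pgd_alloc` continues outside the hunk.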
19390 @@ -259,11 +318,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19394 - if (preallocate_pmds(pmds) != 0)
19395 + if (preallocate_pxds(pxds) != 0)
19398 if (paravirt_pgd_alloc(mm) != 0)
19399 - goto out_free_pmds;
19400 + goto out_free_pxds;
19403 * Make sure that pre-populating the pmds is atomic with
19404 @@ -273,14 +332,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19405 spin_lock_irqsave(&pgd_lock, flags);
19408 - pgd_prepopulate_pmd(mm, pgd, pmds);
19409 + pgd_prepopulate_pxd(mm, pgd, pxds);
19411 spin_unlock_irqrestore(&pgd_lock, flags);
19420 free_page((unsigned long)pgd);
19422 @@ -289,7 +348,7 @@ out:
19424 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19426 - pgd_mop_up_pmds(mm, pgd);
19427 + pgd_mop_up_pxds(mm, pgd);
19429 paravirt_pgd_free(mm, pgd);
19430 free_page((unsigned long)pgd);
19431 diff -urNp linux-2.6.35.4/arch/x86/mm/setup_nx.c linux-2.6.35.4/arch/x86/mm/setup_nx.c
19432 --- linux-2.6.35.4/arch/x86/mm/setup_nx.c 2010-08-26 19:47:12.000000000 -0400
19433 +++ linux-2.6.35.4/arch/x86/mm/setup_nx.c 2010-09-17 20:12:09.000000000 -0400
19435 #include <asm/pgtable.h>
19436 #include <asm/proto.h>
19438 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19439 static int disable_nx __cpuinitdata;
19441 +#ifndef CONFIG_PAX_PAGEEXEC
19445 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19448 early_param("noexec", noexec_setup);
19453 void __cpuinit x86_configure_nx(void)
19455 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19456 if (cpu_has_nx && !disable_nx)
19457 __supported_pte_mask |= _PAGE_NX;
19460 __supported_pte_mask &= ~_PAGE_NX;
19463 diff -urNp linux-2.6.35.4/arch/x86/mm/tlb.c linux-2.6.35.4/arch/x86/mm/tlb.c
19464 --- linux-2.6.35.4/arch/x86/mm/tlb.c 2010-08-26 19:47:12.000000000 -0400
19465 +++ linux-2.6.35.4/arch/x86/mm/tlb.c 2010-09-17 20:12:09.000000000 -0400
19467 #include <asm/uv/uv.h>
19469 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19470 - = { &init_mm, 0, };
19471 + = { &init_mm, 0 };
19474 * Smarter SMP flushing macros.
19475 @@ -62,7 +62,11 @@ void leave_mm(int cpu)
19477 cpumask_clear_cpu(cpu,
19478 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19480 +#ifndef CONFIG_PAX_PER_CPU_PGD
19481 load_cr3(swapper_pg_dir);
19485 EXPORT_SYMBOL_GPL(leave_mm);
19487 diff -urNp linux-2.6.35.4/arch/x86/oprofile/backtrace.c linux-2.6.35.4/arch/x86/oprofile/backtrace.c
19488 --- linux-2.6.35.4/arch/x86/oprofile/backtrace.c 2010-08-26 19:47:12.000000000 -0400
19489 +++ linux-2.6.35.4/arch/x86/oprofile/backtrace.c 2010-09-17 20:12:09.000000000 -0400
19490 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
19491 struct frame_head bufhead[2];
19493 /* Also check accessibility of one struct frame_head beyond */
19494 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19495 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19497 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19499 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
19501 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
19503 - if (!user_mode_vm(regs)) {
19504 + if (!user_mode(regs)) {
19505 unsigned long stack = kernel_stack_pointer(regs);
19507 dump_trace(NULL, regs, (unsigned long *)stack, 0,
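Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `x86_backtrace()` is only safe if this patch redefines `user_mode()` elsewhere to cover VM86 mode. On unpatched 32-bit headers `user_mode()` looks at the CS privilege bits only, so a VM86 frame could be walked as a kernel stack through `kernel_stack_pointer()` and `dump_trace()`. The kmemcheck hunk earlier in this diff uses an explicit `v8086_mode(regs)`, which suggests the helpers were reworked, but nothing here says so. A comment such as `/* user_mode() covers VM86 with this patch applied */` would make the dependency visible; the same goes for the `__access_ok()` substitution in the previous hunk, whose reason is not stated.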
19508 diff -urNp linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c
19509 --- linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c 2010-08-26 19:47:12.000000000 -0400
19510 +++ linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c 2010-09-17 20:12:09.000000000 -0400
19511 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19515 -static int inline addr_increment(void)
19516 +static inline int addr_increment(void)
19519 return smp_num_siblings == 2 ? 2 : 1;
19520 diff -urNp linux-2.6.35.4/arch/x86/pci/common.c linux-2.6.35.4/arch/x86/pci/common.c
19521 --- linux-2.6.35.4/arch/x86/pci/common.c 2010-08-26 19:47:12.000000000 -0400
19522 +++ linux-2.6.35.4/arch/x86/pci/common.c 2010-09-17 20:12:09.000000000 -0400
19523 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19524 int pcibios_last_bus = -1;
19525 unsigned long pirq_table_addr;
19526 struct pci_bus *pci_root_bus;
19527 -struct pci_raw_ops *raw_pci_ops;
19528 -struct pci_raw_ops *raw_pci_ext_ops;
19529 +const struct pci_raw_ops *raw_pci_ops;
19530 +const struct pci_raw_ops *raw_pci_ext_ops;
19532 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19533 int reg, int len, u32 *val)
19534 @@ -365,7 +365,7 @@ static const struct dmi_system_id __devi
19535 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19539 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19542 void __init dmi_check_pciprobe(void)
19543 diff -urNp linux-2.6.35.4/arch/x86/pci/direct.c linux-2.6.35.4/arch/x86/pci/direct.c
19544 --- linux-2.6.35.4/arch/x86/pci/direct.c 2010-08-26 19:47:12.000000000 -0400
19545 +++ linux-2.6.35.4/arch/x86/pci/direct.c 2010-09-17 20:12:09.000000000 -0400
19546 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19548 #undef PCI_CONF1_ADDRESS
19550 -struct pci_raw_ops pci_direct_conf1 = {
19551 +const struct pci_raw_ops pci_direct_conf1 = {
19552 .read = pci_conf1_read,
19553 .write = pci_conf1_write,
19555 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19557 #undef PCI_CONF2_ADDRESS
19559 -struct pci_raw_ops pci_direct_conf2 = {
19560 +const struct pci_raw_ops pci_direct_conf2 = {
19561 .read = pci_conf2_read,
19562 .write = pci_conf2_write,
19564 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19565 * This should be close to trivial, but it isn't, because there are buggy
19566 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19568 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19569 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19573 diff -urNp linux-2.6.35.4/arch/x86/pci/fixup.c linux-2.6.35.4/arch/x86/pci/fixup.c
19574 --- linux-2.6.35.4/arch/x86/pci/fixup.c 2010-08-26 19:47:12.000000000 -0400
19575 +++ linux-2.6.35.4/arch/x86/pci/fixup.c 2010-09-17 20:12:09.000000000 -0400
19576 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19577 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19581 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19585 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19586 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19590 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19593 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19594 diff -urNp linux-2.6.35.4/arch/x86/pci/irq.c linux-2.6.35.4/arch/x86/pci/irq.c
19595 --- linux-2.6.35.4/arch/x86/pci/irq.c 2010-08-26 19:47:12.000000000 -0400
19596 +++ linux-2.6.35.4/arch/x86/pci/irq.c 2010-09-17 20:12:09.000000000 -0400
19597 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19598 static struct pci_device_id __initdata pirq_440gx[] = {
19599 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19600 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19602 + { PCI_DEVICE(0, 0) }
19605 /* 440GX has a proprietary PIRQ router -- don't use it */
19606 @@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
19607 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19611 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19614 void __init pcibios_irq_init(void)
19615 diff -urNp linux-2.6.35.4/arch/x86/pci/mmconfig_32.c linux-2.6.35.4/arch/x86/pci/mmconfig_32.c
19616 --- linux-2.6.35.4/arch/x86/pci/mmconfig_32.c 2010-08-26 19:47:12.000000000 -0400
19617 +++ linux-2.6.35.4/arch/x86/pci/mmconfig_32.c 2010-09-17 20:12:09.000000000 -0400
19618 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19622 -static struct pci_raw_ops pci_mmcfg = {
19623 +static const struct pci_raw_ops pci_mmcfg = {
19624 .read = pci_mmcfg_read,
19625 .write = pci_mmcfg_write,
19627 diff -urNp linux-2.6.35.4/arch/x86/pci/mmconfig_64.c linux-2.6.35.4/arch/x86/pci/mmconfig_64.c
19628 --- linux-2.6.35.4/arch/x86/pci/mmconfig_64.c 2010-08-26 19:47:12.000000000 -0400
19629 +++ linux-2.6.35.4/arch/x86/pci/mmconfig_64.c 2010-09-17 20:12:09.000000000 -0400
19630 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19634 -static struct pci_raw_ops pci_mmcfg = {
19635 +static const struct pci_raw_ops pci_mmcfg = {
19636 .read = pci_mmcfg_read,
19637 .write = pci_mmcfg_write,
19639 diff -urNp linux-2.6.35.4/arch/x86/pci/numaq_32.c linux-2.6.35.4/arch/x86/pci/numaq_32.c
19640 --- linux-2.6.35.4/arch/x86/pci/numaq_32.c 2010-08-26 19:47:12.000000000 -0400
19641 +++ linux-2.6.35.4/arch/x86/pci/numaq_32.c 2010-09-17 20:12:09.000000000 -0400
19642 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19644 #undef PCI_CONF1_MQ_ADDRESS
19646 -static struct pci_raw_ops pci_direct_conf1_mq = {
19647 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19648 .read = pci_conf1_mq_read,
19649 .write = pci_conf1_mq_write
19651 diff -urNp linux-2.6.35.4/arch/x86/pci/olpc.c linux-2.6.35.4/arch/x86/pci/olpc.c
19652 --- linux-2.6.35.4/arch/x86/pci/olpc.c 2010-08-26 19:47:12.000000000 -0400
19653 +++ linux-2.6.35.4/arch/x86/pci/olpc.c 2010-09-17 20:12:09.000000000 -0400
19654 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19658 -static struct pci_raw_ops pci_olpc_conf = {
19659 +static const struct pci_raw_ops pci_olpc_conf = {
19660 .read = pci_olpc_read,
19661 .write = pci_olpc_write,
19663 diff -urNp linux-2.6.35.4/arch/x86/pci/pcbios.c linux-2.6.35.4/arch/x86/pci/pcbios.c
19664 --- linux-2.6.35.4/arch/x86/pci/pcbios.c 2010-08-26 19:47:12.000000000 -0400
19665 +++ linux-2.6.35.4/arch/x86/pci/pcbios.c 2010-09-17 20:12:09.000000000 -0400
19666 @@ -57,50 +57,93 @@ union bios32 {
19668 unsigned long address;
19669 unsigned short segment;
19670 -} bios32_indirect = { 0, __KERNEL_CS };
19671 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19674 * Returns the entry point for the given service, NULL on error
19677 -static unsigned long bios32_service(unsigned long service)
19678 +static unsigned long __devinit bios32_service(unsigned long service)
19680 unsigned char return_code; /* %al */
19681 unsigned long address; /* %ebx */
19682 unsigned long length; /* %ecx */
19683 unsigned long entry; /* %edx */
19684 unsigned long flags;
19685 + struct desc_struct d, *gdt;
19687 local_irq_save(flags);
19688 - __asm__("lcall *(%%edi); cld"
19690 + gdt = get_cpu_gdt_table(smp_processor_id());
19692 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19693 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19694 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19695 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19697 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19698 : "=a" (return_code),
19704 - "D" (&bios32_indirect));
19705 + "D" (&bios32_indirect),
19706 + "r"(__PCIBIOS_DS)
19709 + pax_open_kernel();
19710 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19711 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19712 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19713 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19714 + pax_close_kernel();
19716 local_irq_restore(flags);
19718 switch (return_code) {
19720 - return address + entry;
19721 - case 0x80: /* Not present */
19722 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19724 - default: /* Shouldn't happen */
19725 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19726 - service, return_code);
19729 + unsigned char flags;
19731 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19732 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19733 + printk(KERN_WARNING "bios32_service: not valid\n");
19736 + address = address + PAGE_OFFSET;
19737 + length += 16UL; /* some BIOSs underreport this... */
19739 + if (length >= 64*1024*1024) {
19740 + length >>= PAGE_SHIFT;
19744 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19745 + gdt = get_cpu_gdt_table(cpu);
19746 + pack_descriptor(&d, address, length, 0x9b, flags);
19747 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19748 + pack_descriptor(&d, address, length, 0x93, flags);
19749 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19753 + case 0x80: /* Not present */
19754 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19756 + default: /* Shouldn't happen */
19757 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19758 + service, return_code);
19764 unsigned long address;
19765 unsigned short segment;
19766 -} pci_indirect = { 0, __KERNEL_CS };
19767 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19769 -static int pci_bios_present;
19770 +static int pci_bios_present __read_only;
19772 static int __devinit check_pcibios(void)
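Review bot: The `unsigned char flags;` added inside the success case shadows the function-level `unsigned long flags` used by `local_irq_save()`/`local_irq_restore()`. The restore happens before the `switch`, so nothing breaks today, but the reuse is easy to trip over and `-Wshadow` will flag it; `unsigned char desc_flags;` would be clearer. Separately, the range check already rejects `length > 0x100000 - address`, so after `length += 16UL` the `length >= 64*1024*1024` test looks unreachable, and the padded length can exceed the range that was just validated. Since `address`, `length` and `entry` come straight from firmware, I would validate or clamp the padded value and drop or explain the 64 MiB branch. Some lines of the case body are not shown in this hunk.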
19774 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
19775 unsigned long flags, pcibios_entry;
19777 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19778 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19779 + pci_indirect.address = pcibios_entry;
19781 local_irq_save(flags);
19783 - "lcall *(%%edi); cld\n\t"
19784 + __asm__("movw %w6, %%ds\n\t"
19785 + "lcall *%%ss:(%%edi); cld\n\t"
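Review bot: `pci_indirect` is declared `__read_only` in the previous hunk, yet `check_pcibios()` still assigns `pci_indirect.address = pcibios_entry;` with no `pax_open_kernel()` around it, unlike the direct GDT stores added in `bios32_service()`. Presumably this works because the assignment runs before read-only data is write-protected, but that ordering assumption should be written down, for example `/* init-time only: written before __read_only data is sealed */`. The `%%ss:` override on the `lcall` operand would also benefit from a comment noting that `%ds` has just been loaded with `__PCIBIOS_DS` and no longer addresses kernel data. The rest of the asm statement lies outside the hunk.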
19791 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
19794 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19795 - "D" (&pci_indirect)
19796 + "D" (&pci_indirect),
19797 + "r" (__PCIBIOS_DS)
19799 local_irq_restore(flags);
19801 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
19805 - __asm__("lcall *(%%esi); cld\n\t"
19806 + __asm__("movw %w6, %%ds\n\t"
19807 + "lcall *%%ss:(%%esi); cld\n\t"
19813 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
19814 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19817 - "S" (&pci_indirect));
19818 + "S" (&pci_indirect),
19819 + "r" (__PCIBIOS_DS));
19821 * Zero-extend the result beyond 8 bits, do not trust the
19822 * BIOS having done it:
19823 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
19827 - __asm__("lcall *(%%esi); cld\n\t"
19828 + __asm__("movw %w6, %%ds\n\t"
19829 + "lcall *%%ss:(%%esi); cld\n\t"
19835 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
19836 : "1" (PCIBIOS_READ_CONFIG_WORD),
19839 - "S" (&pci_indirect));
19840 + "S" (&pci_indirect),
19841 + "r" (__PCIBIOS_DS));
19843 * Zero-extend the result beyond 16 bits, do not trust the
19844 * BIOS having done it:
19845 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
19849 - __asm__("lcall *(%%esi); cld\n\t"
19850 + __asm__("movw %w6, %%ds\n\t"
19851 + "lcall *%%ss:(%%esi); cld\n\t"
19857 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
19858 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19861 - "S" (&pci_indirect));
19862 + "S" (&pci_indirect),
19863 + "r" (__PCIBIOS_DS));
19867 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
19871 - __asm__("lcall *(%%esi); cld\n\t"
19872 + __asm__("movw %w6, %%ds\n\t"
19873 + "lcall *%%ss:(%%esi); cld\n\t"
19879 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
19883 - "S" (&pci_indirect));
19884 + "S" (&pci_indirect),
19885 + "r" (__PCIBIOS_DS));
19888 - __asm__("lcall *(%%esi); cld\n\t"
19889 + __asm__("movw %w6, %%ds\n\t"
19890 + "lcall *%%ss:(%%esi); cld\n\t"
19896 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
19900 - "S" (&pci_indirect));
19901 + "S" (&pci_indirect),
19902 + "r" (__PCIBIOS_DS));
19905 - __asm__("lcall *(%%esi); cld\n\t"
19906 + __asm__("movw %w6, %%ds\n\t"
19907 + "lcall *%%ss:(%%esi); cld\n\t"
19913 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
19917 - "S" (&pci_indirect));
19918 + "S" (&pci_indirect),
19919 + "r" (__PCIBIOS_DS));
19923 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
19924 * Function table for BIOS32 access
19927 -static struct pci_raw_ops pci_bios_access = {
19928 +static const struct pci_raw_ops pci_bios_access = {
19929 .read = pci_bios_read,
19930 .write = pci_bios_write
19932 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
19933 * Try to find PCI BIOS.
19936 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19937 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19939 union bios32 *check;
19941 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
19943 DBG("PCI: Fetching IRQ routing table... ");
19944 __asm__("push %%es\n\t"
19945 + "movw %w8, %%ds\n\t"
19948 - "lcall *(%%esi); cld\n\t"
19949 + "lcall *%%ss:(%%esi); cld\n\t"
19956 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
19959 "S" (&pci_indirect),
19962 + "r" (__PCIBIOS_DS)
19964 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19966 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
19970 - __asm__("lcall *(%%esi); cld\n\t"
19971 + __asm__("movw %w5, %%ds\n\t"
19972 + "lcall *%%ss:(%%esi); cld\n\t"
19978 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
19979 : "0" (PCIBIOS_SET_PCI_HW_INT),
19980 "b" ((dev->bus->number << 8) | dev->devfn),
19981 "c" ((irq << 8) | (pin + 10)),
19982 - "S" (&pci_indirect));
19983 + "S" (&pci_indirect),
19984 + "r" (__PCIBIOS_DS));
19985 return !(ret & 0xff00);
19987 EXPORT_SYMBOL(pcibios_set_irq_routing);
19988 diff -urNp linux-2.6.35.4/arch/x86/power/cpu.c linux-2.6.35.4/arch/x86/power/cpu.c
19989 --- linux-2.6.35.4/arch/x86/power/cpu.c 2010-08-26 19:47:12.000000000 -0400
19990 +++ linux-2.6.35.4/arch/x86/power/cpu.c 2010-09-17 20:12:09.000000000 -0400
19991 @@ -129,7 +129,7 @@ static void do_fpu_end(void)
19992 static void fix_processor_context(void)
19994 int cpu = smp_processor_id();
19995 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19996 + struct tss_struct *t = init_tss + cpu;
19998 set_tss_desc(cpu, t); /*
19999 * This just modifies memory; should not be
20000 @@ -139,7 +139,9 @@ static void fix_processor_context(void)
20003 #ifdef CONFIG_X86_64
20004 + pax_open_kernel();
20005 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
20006 + pax_close_kernel();
20008 syscall_init(); /* This sets MSR_*STAR and related */
20010 diff -urNp linux-2.6.35.4/arch/x86/vdso/Makefile linux-2.6.35.4/arch/x86/vdso/Makefile
20011 --- linux-2.6.35.4/arch/x86/vdso/Makefile 2010-08-26 19:47:12.000000000 -0400
20012 +++ linux-2.6.35.4/arch/x86/vdso/Makefile 2010-09-17 20:12:09.000000000 -0400
20013 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
20014 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
20015 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
20017 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20018 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
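Review bot: `--no-undefined` is added bare to VDSO_LDFLAGS, while the other linker options around it go through the compiler driver as `-Wl,...` (`-Wl,-T,$(filter %.lds,$^)` in the rule above and `-Wl$(comma)--hash-style=sysv` on this same line). If these flags are handed to the compiler driver, as those neighbours suggest, whether the bare option reaches the linker depends on how the driver treats long options it does not know. If it is dropped, unresolved symbols in the vDSO would not fail the build as intended. Writing it as `VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)` would be consistent with the rest of the line.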
20022 diff -urNp linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c
20023 --- linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c 2010-08-26 19:47:12.000000000 -0400
20024 +++ linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c 2010-09-17 20:12:09.000000000 -0400
20025 @@ -22,24 +22,48 @@
20026 #include <asm/hpet.h>
20027 #include <asm/unistd.h>
20028 #include <asm/io.h>
20029 +#include <asm/fixmap.h>
20030 #include "vextern.h"
20032 #define gtod vdso_vsyscall_gtod_data
20034 +notrace noinline long __vdso_fallback_time(long *t)
20037 + asm volatile("syscall"
20039 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20043 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20046 asm("syscall" : "=a" (ret) :
20047 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20048 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20052 +notrace static inline cycle_t __vdso_vread_hpet(void)
20054 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20057 +notrace static inline cycle_t __vdso_vread_tsc(void)
20059 + cycle_t ret = (cycle_t)vget_cycles();
20061 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20064 notrace static inline long vgetns(void)
20067 - cycles_t (*vread)(void);
20068 - vread = gtod->clock.vread;
20069 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20070 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20071 + v = __vdso_vread_tsc();
20073 + v = __vdso_vread_hpet();
20074 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20075 return (v * gtod->clock.mult) >> gtod->clock.shift;
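Review bot: The clock-name test is spelled out character by character three times: here in vgetns (tsc only) and again in the __vdso_clock_gettime and __vdso_gettimeofday hunks (hpet or tsc). vgetns reads the HPET for every name that is not "tsc", so it is correct only while each caller's list stays in step with it. Two small `notrace static inline` predicates would keep the accepted names in one place and make that dependency visible. The literal `0xf0` in __vdso_vread_hpet could also use the `HPET_COUNTER` constant from <asm/hpet.h>, which this file already includes. Braces and some declarations of these functions are not visible in this listing.

```c
notrace static inline int vdso_clock_is_tsc(void)
{
	return gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' &&
	       gtod->clock.name[2] == 'c' && !gtod->clock.name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	return gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' &&
	       gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' &&
	       !gtod->clock.name[4];
}

notrace static inline long vgetns(void)
	/* … unchanged: declaration of v … */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else	/* callers must already have checked vdso_clock_is_hpet() */
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last / mask / mult / shift arithmetic … */
```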
20078 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20080 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20082 - if (likely(gtod->sysctl_enabled))
20083 + if (likely(gtod->sysctl_enabled &&
20084 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20085 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20087 case CLOCK_REALTIME:
20088 if (likely(gtod->clock.vread))
20089 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20090 int clock_gettime(clockid_t, struct timespec *)
20091 __attribute__((weak, alias("__vdso_clock_gettime")));
20093 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20094 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20097 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20098 + asm("syscall" : "=a" (ret) :
20099 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20103 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20105 + if (likely(gtod->sysctl_enabled &&
20106 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20107 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20109 if (likely(tv != NULL)) {
20110 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20111 offsetof(struct timespec, tv_nsec) ||
20112 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20116 - asm("syscall" : "=a" (ret) :
20117 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20119 + return __vdso_fallback_gettimeofday(tv, tz);
20121 int gettimeofday(struct timeval *, struct timezone *)
20122 __attribute__((weak, alias("__vdso_gettimeofday")));
20123 diff -urNp linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c
20124 --- linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c 2010-08-26 19:47:12.000000000 -0400
20125 +++ linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c 2010-09-17 20:12:09.000000000 -0400
20127 #include <asm/tlbflush.h>
20128 #include <asm/vdso.h>
20129 #include <asm/proto.h>
20130 +#include <asm/mman.h>
20134 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20135 void enable_sep_cpu(void)
20137 int cpu = get_cpu();
20138 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20139 + struct tss_struct *tss = init_tss + cpu;
20141 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20143 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20144 gate_vma.vm_start = FIXADDR_USER_START;
20145 gate_vma.vm_end = FIXADDR_USER_END;
20146 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20147 - gate_vma.vm_page_prot = __P101;
20148 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20150 * Make sure the vDSO gets into every core dump.
20151 * Dumping its contents makes post-mortem fully interpretable later
20152 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20154 addr = VDSO_HIGH_BASE;
20156 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20157 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20158 if (IS_ERR_VALUE(addr)) {
20164 - current->mm->context.vdso = (void *)addr;
20165 + current->mm->context.vdso = addr;
20167 if (compat_uses_vma || !compat) {
20169 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20172 current_thread_info()->sysenter_return =
20173 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20174 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20178 - current->mm->context.vdso = NULL;
20179 + current->mm->context.vdso = 0;
20181 up_write(&mm->mmap_sem);
20183 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20185 const char *arch_vma_name(struct vm_area_struct *vma)
20187 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20188 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20191 +#ifdef CONFIG_PAX_SEGMEXEC
20192 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20199 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20200 struct mm_struct *mm = tsk->mm;
20202 /* Check to see if this task was created in compat vdso mode */
20203 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20204 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20208 diff -urNp linux-2.6.35.4/arch/x86/vdso/vdso.lds.S linux-2.6.35.4/arch/x86/vdso/vdso.lds.S
20209 --- linux-2.6.35.4/arch/x86/vdso/vdso.lds.S 2010-08-26 19:47:12.000000000 -0400
20210 +++ linux-2.6.35.4/arch/x86/vdso/vdso.lds.S 2010-09-17 20:12:09.000000000 -0400
20211 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20212 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20213 #include "vextern.h"
20216 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20217 +VEXTERN(fallback_gettimeofday)
20218 +VEXTERN(fallback_time)
20221 diff -urNp linux-2.6.35.4/arch/x86/vdso/vextern.h linux-2.6.35.4/arch/x86/vdso/vextern.h
20222 --- linux-2.6.35.4/arch/x86/vdso/vextern.h 2010-08-26 19:47:12.000000000 -0400
20223 +++ linux-2.6.35.4/arch/x86/vdso/vextern.h 2010-09-17 20:12:09.000000000 -0400
20225 put into vextern.h and be referenced as a pointer with vdso prefix.
20226 The main kernel later fills in the values. */
20229 VEXTERN(vgetcpu_mode)
20230 VEXTERN(vsyscall_gtod_data)
20231 diff -urNp linux-2.6.35.4/arch/x86/vdso/vma.c linux-2.6.35.4/arch/x86/vdso/vma.c
20232 --- linux-2.6.35.4/arch/x86/vdso/vma.c 2010-08-26 19:47:12.000000000 -0400
20233 +++ linux-2.6.35.4/arch/x86/vdso/vma.c 2010-09-17 20:12:09.000000000 -0400
20234 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20238 - if (memcmp(vbase, "\177ELF", 4)) {
20239 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20240 printk("VDSO: I'm broken; not ELF\n");
20243 @@ -67,6 +67,7 @@ static int __init init_vdso_vars(void)
20244 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
20245 #include "vextern.h"
20251 @@ -117,7 +118,7 @@ int arch_setup_additional_pages(struct l
20255 - current->mm->context.vdso = (void *)addr;
20256 + current->mm->context.vdso = addr;
20258 ret = install_special_mapping(mm, addr, vdso_size,
20260 @@ -125,7 +126,7 @@ int arch_setup_additional_pages(struct l
20264 - current->mm->context.vdso = NULL;
20265 + current->mm->context.vdso = 0;
20269 @@ -133,10 +134,3 @@ up_fail:
20270 up_write(&mm->mmap_sem);
20274 -static __init int vdso_setup(char *s)
20276 - vdso_enabled = simple_strtoul(s, NULL, 0);
20279 -__setup("vdso=", vdso_setup);
20280 diff -urNp linux-2.6.35.4/arch/x86/xen/enlighten.c linux-2.6.35.4/arch/x86/xen/enlighten.c
20281 --- linux-2.6.35.4/arch/x86/xen/enlighten.c 2010-08-26 19:47:12.000000000 -0400
20282 +++ linux-2.6.35.4/arch/x86/xen/enlighten.c 2010-09-17 20:12:09.000000000 -0400
20283 @@ -74,8 +74,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20285 struct shared_info xen_dummy_shared_info;
20287 -void *xen_initial_gdt;
20290 * Point at some empty memory to start with. We map the real shared_info
20291 * page as soon as fixmap is up and running.
20292 @@ -551,7 +549,7 @@ static void xen_write_idt_entry(gate_des
20296 - start = __get_cpu_var(idt_desc).address;
20297 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20298 end = start + __get_cpu_var(idt_desc).size + 1;
20301 @@ -1103,7 +1101,17 @@ asmlinkage void __init xen_start_kernel(
20302 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20304 /* Work out if we support NX */
20305 - x86_configure_nx();
20306 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20307 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20308 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20311 + __supported_pte_mask |= _PAGE_NX;
20312 + rdmsr(MSR_EFER, l, h);
20314 + wrmsr(MSR_EFER, l, h);
20318 xen_setup_features();
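Review bot: The open-coded NX probe that replaces `x86_configure_nx()` carries no comment saying why the common helper cannot be used in xen_start_kernel. The CPUID leaves and the bit expression `1U << (X86_FEATURE_NX & 31)` are also left for the reader to decode. A short comment above the `#if` would help, for example `/* probe NX via CPUID 0x80000001 and set it in EFER by hand: <reason x86_configure_nx() is not usable here> */`. The statement between `rdmsr` and `wrmsr` and the declarations of `l` and `h` are not visible in this listing, so they could not be checked.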
20320 @@ -1134,13 +1142,6 @@ asmlinkage void __init xen_start_kernel(
20322 machine_ops = xen_machine_ops;
20325 - * The only reliable way to retain the initial address of the
20326 - * percpu gdt_page is to remember it here, so we can go and
20327 - * mark it RW later, when the initial percpu area is freed.
20329 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20333 pgd = (pgd_t *)xen_start_info->pt_base;
20334 diff -urNp linux-2.6.35.4/arch/x86/xen/mmu.c linux-2.6.35.4/arch/x86/xen/mmu.c
20335 --- linux-2.6.35.4/arch/x86/xen/mmu.c 2010-08-26 19:47:12.000000000 -0400
20336 +++ linux-2.6.35.4/arch/x86/xen/mmu.c 2010-09-17 20:12:09.000000000 -0400
20337 @@ -1694,6 +1694,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20338 convert_pfn_mfn(init_level4_pgt);
20339 convert_pfn_mfn(level3_ident_pgt);
20340 convert_pfn_mfn(level3_kernel_pgt);
20341 + convert_pfn_mfn(level3_vmalloc_pgt);
20342 + convert_pfn_mfn(level3_vmemmap_pgt);
20344 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20345 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20346 @@ -1712,7 +1714,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20347 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20348 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20349 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20350 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20351 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20352 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20353 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20354 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20355 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20357 diff -urNp linux-2.6.35.4/arch/x86/xen/smp.c linux-2.6.35.4/arch/x86/xen/smp.c
20358 --- linux-2.6.35.4/arch/x86/xen/smp.c 2010-08-26 19:47:12.000000000 -0400
20359 +++ linux-2.6.35.4/arch/x86/xen/smp.c 2010-09-17 20:12:09.000000000 -0400
20360 @@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
20362 BUG_ON(smp_processor_id() != 0);
20363 native_smp_prepare_boot_cpu();
20365 - /* We've switched to the "real" per-cpu gdt, so make sure the
20366 - old memory can be recycled */
20367 - make_lowmem_page_readwrite(xen_initial_gdt);
20369 xen_setup_vcpu_info_placement();
20372 @@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
20373 gdt = get_cpu_gdt_table(cpu);
20375 ctxt->flags = VGCF_IN_KERNEL;
20376 - ctxt->user_regs.ds = __USER_DS;
20377 - ctxt->user_regs.es = __USER_DS;
20378 + ctxt->user_regs.ds = __KERNEL_DS;
20379 + ctxt->user_regs.es = __KERNEL_DS;
20380 ctxt->user_regs.ss = __KERNEL_DS;
20381 #ifdef CONFIG_X86_32
20382 ctxt->user_regs.fs = __KERNEL_PERCPU;
20383 diff -urNp linux-2.6.35.4/arch/x86/xen/xen-head.S linux-2.6.35.4/arch/x86/xen/xen-head.S
20384 --- linux-2.6.35.4/arch/x86/xen/xen-head.S 2010-08-26 19:47:12.000000000 -0400
20385 +++ linux-2.6.35.4/arch/x86/xen/xen-head.S 2010-09-17 20:12:09.000000000 -0400
20386 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20387 #ifdef CONFIG_X86_32
20388 mov %esi,xen_start_info
20389 mov $init_thread_union+THREAD_SIZE,%esp
20391 + movl $cpu_gdt_table,%edi
20392 + movl $__per_cpu_load,%eax
20393 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20395 + movb %al,__KERNEL_PERCPU + 4(%edi)
20396 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20397 + movl $__per_cpu_end - 1,%eax
20398 + subl $__per_cpu_start,%eax
20399 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20402 mov %rsi,xen_start_info
20403 mov $init_thread_union+THREAD_SIZE,%rsp
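Review bot: Only the low 16 bits of the computed limit are stored (`movw %ax,__KERNEL_PERCPU + 0(%edi)`); bits 16–19 of a segment limit live in byte 6 of the descriptor, which the visible stores do not touch. If `__per_cpu_end - __per_cpu_start` can exceed 64 KiB, the __KERNEL_PERCPU segment would get a truncated limit, unless the static cpu_gdt_table entry already carries the right high nibble or is page-granular. That is worth confirming and pinning with a build-time check. The byte offsets also deserve a one-line comment, such as `/* patch base (bytes 2-4, 7) and limit 15:0 (bytes 0-1) of the per-cpu descriptor */`. Some lines of this hunk are missing from the listing, so this rests on the visible stores only.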
20404 diff -urNp linux-2.6.35.4/arch/x86/xen/xen-ops.h linux-2.6.35.4/arch/x86/xen/xen-ops.h
20405 --- linux-2.6.35.4/arch/x86/xen/xen-ops.h 2010-08-26 19:47:12.000000000 -0400
20406 +++ linux-2.6.35.4/arch/x86/xen/xen-ops.h 2010-09-17 20:12:09.000000000 -0400
20408 extern const char xen_hypervisor_callback[];
20409 extern const char xen_failsafe_callback[];
20411 -extern void *xen_initial_gdt;
20414 void xen_copy_trap_info(struct trap_info *traps);
20416 diff -urNp linux-2.6.35.4/block/blk-iopoll.c linux-2.6.35.4/block/blk-iopoll.c
20417 --- linux-2.6.35.4/block/blk-iopoll.c 2010-08-26 19:47:12.000000000 -0400
20418 +++ linux-2.6.35.4/block/blk-iopoll.c 2010-09-17 20:12:09.000000000 -0400
20419 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20421 EXPORT_SYMBOL(blk_iopoll_complete);
20423 -static void blk_iopoll_softirq(struct softirq_action *h)
20424 +static void blk_iopoll_softirq(void)
20426 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20427 int rearm = 0, budget = blk_iopoll_budget;
20428 diff -urNp linux-2.6.35.4/block/blk-map.c linux-2.6.35.4/block/blk-map.c
20429 --- linux-2.6.35.4/block/blk-map.c 2010-08-26 19:47:12.000000000 -0400
20430 +++ linux-2.6.35.4/block/blk-map.c 2010-09-17 20:12:09.000000000 -0400
20431 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20432 * direct dma. else, set up kernel bounce buffers
20434 uaddr = (unsigned long) ubuf;
20435 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
20436 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20437 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20439 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
20440 @@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
20444 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20445 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20447 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20449 diff -urNp linux-2.6.35.4/block/blk-softirq.c linux-2.6.35.4/block/blk-softirq.c
20450 --- linux-2.6.35.4/block/blk-softirq.c 2010-08-26 19:47:12.000000000 -0400
20451 +++ linux-2.6.35.4/block/blk-softirq.c 2010-09-17 20:12:09.000000000 -0400
20452 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20453 * Softirq action handler - move entries to local list and loop over them
20454 * while passing them to the queue registered handler.
20456 -static void blk_done_softirq(struct softirq_action *h)
20457 +static void blk_done_softirq(void)
20459 struct list_head *cpu_list, local_list;
20461 diff -urNp linux-2.6.35.4/crypto/lrw.c linux-2.6.35.4/crypto/lrw.c
20462 --- linux-2.6.35.4/crypto/lrw.c 2010-08-26 19:47:12.000000000 -0400
20463 +++ linux-2.6.35.4/crypto/lrw.c 2010-09-17 20:12:09.000000000 -0400
20464 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20465 struct priv *ctx = crypto_tfm_ctx(parent);
20466 struct crypto_cipher *child = ctx->child;
20468 - be128 tmp = { 0 };
20469 + be128 tmp = { 0, 0 };
20470 int bsize = crypto_cipher_blocksize(child);
20472 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20473 diff -urNp linux-2.6.35.4/Documentation/dontdiff linux-2.6.35.4/Documentation/dontdiff
20474 --- linux-2.6.35.4/Documentation/dontdiff 2010-08-26 19:47:12.000000000 -0400
20475 +++ linux-2.6.35.4/Documentation/dontdiff 2010-09-17 20:12:09.000000000 -0400
20495 @@ -49,11 +52,16 @@
20512 @@ -76,7 +84,10 @@ btfixupprep
20523 @@ -100,19 +111,22 @@ fore200e_mkfirm
20538 initramfs_data.cpio
20539 +initramfs_data.cpio.bz2
20540 initramfs_data.cpio.gz
20547 @@ -136,10 +150,13 @@ mkboot
20561 @@ -151,7 +168,9 @@ parse.h
20571 @@ -160,12 +179,14 @@ qconf
20586 @@ -189,14 +210,20 @@ version.h*
20607 diff -urNp linux-2.6.35.4/Documentation/filesystems/sysfs.txt linux-2.6.35.4/Documentation/filesystems/sysfs.txt
20608 --- linux-2.6.35.4/Documentation/filesystems/sysfs.txt 2010-08-26 19:47:12.000000000 -0400
20609 +++ linux-2.6.35.4/Documentation/filesystems/sysfs.txt 2010-09-17 20:12:09.000000000 -0400
20610 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20611 show and store methods of the attribute owners.
20614 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20615 - ssize_t (*store)(struct kobject *, struct attribute *, const char *);
20616 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20617 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
20620 [ Subsystems should have already defined a struct kobj_type as a
20621 diff -urNp linux-2.6.35.4/Documentation/kernel-parameters.txt linux-2.6.35.4/Documentation/kernel-parameters.txt
20622 --- linux-2.6.35.4/Documentation/kernel-parameters.txt 2010-08-26 19:47:12.000000000 -0400
20623 +++ linux-2.6.35.4/Documentation/kernel-parameters.txt 2010-09-17 20:12:09.000000000 -0400
20624 @@ -1910,6 +1910,12 @@ and is between 256 and 4096 characters.
20625 the specified number of seconds. This is to be used if
20626 your oopses keep scrolling off the screen.
20628 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
20629 + virtualization environments that don't cope well with the
20630 + expand down segment used by UDEREF on X86-32.
20632 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20637 diff -urNp linux-2.6.35.4/drivers/acpi/battery.c linux-2.6.35.4/drivers/acpi/battery.c
20638 --- linux-2.6.35.4/drivers/acpi/battery.c 2010-08-26 19:47:12.000000000 -0400
20639 +++ linux-2.6.35.4/drivers/acpi/battery.c 2010-09-17 20:12:09.000000000 -0400
20640 @@ -810,7 +810,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20643 static struct battery_file {
20644 - struct file_operations ops;
20645 + const struct file_operations ops;
20648 } acpi_battery_file[] = {
20649 diff -urNp linux-2.6.35.4/drivers/acpi/blacklist.c linux-2.6.35.4/drivers/acpi/blacklist.c
20650 --- linux-2.6.35.4/drivers/acpi/blacklist.c 2010-08-26 19:47:12.000000000 -0400
20651 +++ linux-2.6.35.4/drivers/acpi/blacklist.c 2010-09-17 20:12:09.000000000 -0400
20652 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20653 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20654 "Incorrect _ADR", 1},
20657 + {"", "", 0, NULL, all_versions, NULL, 0}
20660 #if CONFIG_ACPI_BLACKLIST_YEAR
20661 diff -urNp linux-2.6.35.4/drivers/acpi/dock.c linux-2.6.35.4/drivers/acpi/dock.c
20662 --- linux-2.6.35.4/drivers/acpi/dock.c 2010-08-26 19:47:12.000000000 -0400
20663 +++ linux-2.6.35.4/drivers/acpi/dock.c 2010-09-17 20:12:09.000000000 -0400
20664 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20665 struct list_head list;
20666 struct list_head hotplug_list;
20667 acpi_handle handle;
20668 - struct acpi_dock_ops *ops;
20669 + const struct acpi_dock_ops *ops;
20673 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20674 * the dock driver after _DCK is executed.
20677 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20678 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20681 struct dock_dependent_device *dd;
20682 diff -urNp linux-2.6.35.4/drivers/acpi/osl.c linux-2.6.35.4/drivers/acpi/osl.c
20683 --- linux-2.6.35.4/drivers/acpi/osl.c 2010-08-26 19:47:12.000000000 -0400
20684 +++ linux-2.6.35.4/drivers/acpi/osl.c 2010-09-17 20:12:09.000000000 -0400
20685 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
20686 void __iomem *virt_addr;
20688 virt_addr = ioremap(phys_addr, width);
20690 + return AE_NO_MEMORY;
20694 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
20695 void __iomem *virt_addr;
20697 virt_addr = ioremap(phys_addr, width);
20699 + return AE_NO_MEMORY;
20703 diff -urNp linux-2.6.35.4/drivers/acpi/power_meter.c linux-2.6.35.4/drivers/acpi/power_meter.c
20704 --- linux-2.6.35.4/drivers/acpi/power_meter.c 2010-08-26 19:47:12.000000000 -0400
20705 +++ linux-2.6.35.4/drivers/acpi/power_meter.c 2010-09-17 20:12:09.000000000 -0400
20706 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20713 mutex_lock(&resource->lock);
20714 resource->trip[attr->index - 7] = temp;
20715 diff -urNp linux-2.6.35.4/drivers/acpi/proc.c linux-2.6.35.4/drivers/acpi/proc.c
20716 --- linux-2.6.35.4/drivers/acpi/proc.c 2010-08-26 19:47:12.000000000 -0400
20717 +++ linux-2.6.35.4/drivers/acpi/proc.c 2010-09-17 20:12:09.000000000 -0400
20718 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
20719 size_t count, loff_t * ppos)
20721 struct list_head *node, *next;
20723 - char str[5] = "";
20724 - unsigned int len = count;
20725 + char strbuf[5] = {0};
20726 struct acpi_device *found_dev = NULL;
20735 - if (copy_from_user(strbuf, buffer, len))
20736 + if (copy_from_user(strbuf, buffer, count))
20738 - strbuf[len] = '\0';
20739 - sscanf(strbuf, "%s", str);
20740 + strbuf[count] = '\0';
20742 mutex_lock(&acpi_device_lock);
20743 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
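Review bot: With `sscanf(strbuf, "%s", str)` removed, the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk compares against the raw user bytes, so a trailing newline or leading blank becomes part of the name. A write of `LID\n` (a constructed example of what `echo` sends) would no longer match a three-character bus_id, where the old code stripped the newline. If that is not intended, trim after the copy, e.g. `strbuf[strcspn(strbuf, " \t\n")] = '\0';`. Separately, `strbuf[count] = '\0'` is in bounds for `char strbuf[5]` only if `count` was clamped to at most 4 before the copy; the clamp is not visible in this listing and should be confirmed. If the function returns `count` at its end (outside this hunk), clamping the parameter itself also changes the reported write length.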
20744 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
20745 if (!dev->wakeup.flags.valid)
20748 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20749 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20750 dev->wakeup.state.enabled =
20751 dev->wakeup.state.enabled ? 0 : 1;
20753 diff -urNp linux-2.6.35.4/drivers/acpi/processor_driver.c linux-2.6.35.4/drivers/acpi/processor_driver.c
20754 --- linux-2.6.35.4/drivers/acpi/processor_driver.c 2010-08-26 19:47:12.000000000 -0400
20755 +++ linux-2.6.35.4/drivers/acpi/processor_driver.c 2010-09-17 20:12:09.000000000 -0400
20756 @@ -586,7 +586,7 @@ static int __cpuinit acpi_processor_add(
20760 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20761 + BUG_ON(pr->id >= nr_cpu_ids);
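Review bot: Dropping `pr->id < 0` from the BUG_ON is equivalent only if `pr->id` has an unsigned type, which this hunk does not show. In that case a failed lookup that stores -1 is still caught by `pr->id >= nr_cpu_ids`, but only because the value wraps to a large number. A comment would make that reliance explicit: `/* pr->id is unsigned, so a negative error value also trips this */`. If `pr->id` is signed, the removed half of the check is still needed. The body of acpi_processor_add continues outside the hunk.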
20765 diff -urNp linux-2.6.35.4/drivers/acpi/processor_idle.c linux-2.6.35.4/drivers/acpi/processor_idle.c
20766 --- linux-2.6.35.4/drivers/acpi/processor_idle.c 2010-08-26 19:47:12.000000000 -0400
20767 +++ linux-2.6.35.4/drivers/acpi/processor_idle.c 2010-09-17 20:12:09.000000000 -0400
20768 @@ -124,7 +124,7 @@ static struct dmi_system_id __cpuinitdat
20769 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20770 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20773 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20777 diff -urNp linux-2.6.35.4/drivers/acpi/sleep.c linux-2.6.35.4/drivers/acpi/sleep.c
20778 --- linux-2.6.35.4/drivers/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
20779 +++ linux-2.6.35.4/drivers/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
20780 @@ -318,7 +318,7 @@ static int acpi_suspend_state_valid(susp
20784 -static struct platform_suspend_ops acpi_suspend_ops = {
20785 +static const struct platform_suspend_ops acpi_suspend_ops = {
20786 .valid = acpi_suspend_state_valid,
20787 .begin = acpi_suspend_begin,
20788 .prepare_late = acpi_pm_prepare,
20789 @@ -346,7 +346,7 @@ static int acpi_suspend_begin_old(suspen
20790 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20793 -static struct platform_suspend_ops acpi_suspend_ops_old = {
20794 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
20795 .valid = acpi_suspend_state_valid,
20796 .begin = acpi_suspend_begin_old,
20797 .prepare_late = acpi_pm_freeze,
20798 @@ -478,7 +478,7 @@ static void acpi_pm_thaw(void)
20799 acpi_enable_all_runtime_gpes();
20802 -static struct platform_hibernation_ops acpi_hibernation_ops = {
20803 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
20804 .begin = acpi_hibernation_begin,
20805 .end = acpi_pm_end,
20806 .pre_snapshot = acpi_hibernation_pre_snapshot,
20807 @@ -528,7 +528,7 @@ static int acpi_hibernation_pre_snapshot
20808 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20811 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20812 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20813 .begin = acpi_hibernation_begin_old,
20814 .end = acpi_pm_end,
20815 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
20816 diff -urNp linux-2.6.35.4/drivers/acpi/video.c linux-2.6.35.4/drivers/acpi/video.c
20817 --- linux-2.6.35.4/drivers/acpi/video.c 2010-08-26 19:47:12.000000000 -0400
20818 +++ linux-2.6.35.4/drivers/acpi/video.c 2010-09-17 20:12:09.000000000 -0400
20819 @@ -363,7 +363,7 @@ static int acpi_video_set_brightness(str
20820 vd->brightness->levels[request_level]);
20823 -static struct backlight_ops acpi_backlight_ops = {
20824 +static const struct backlight_ops acpi_backlight_ops = {
20825 .get_brightness = acpi_video_get_brightness,
20826 .update_status = acpi_video_set_brightness,
20828 diff -urNp linux-2.6.35.4/drivers/ata/ahci.c linux-2.6.35.4/drivers/ata/ahci.c
20829 --- linux-2.6.35.4/drivers/ata/ahci.c 2010-08-26 19:47:12.000000000 -0400
20830 +++ linux-2.6.35.4/drivers/ata/ahci.c 2010-09-17 20:12:09.000000000 -0400
20831 @@ -89,17 +89,17 @@ static int ahci_pci_device_suspend(struc
20832 static int ahci_pci_device_resume(struct pci_dev *pdev);
20835 -static struct ata_port_operations ahci_vt8251_ops = {
20836 +static const struct ata_port_operations ahci_vt8251_ops = {
20837 .inherits = &ahci_ops,
20838 .hardreset = ahci_vt8251_hardreset,
20841 -static struct ata_port_operations ahci_p5wdh_ops = {
20842 +static const struct ata_port_operations ahci_p5wdh_ops = {
20843 .inherits = &ahci_ops,
20844 .hardreset = ahci_p5wdh_hardreset,
20847 -static struct ata_port_operations ahci_sb600_ops = {
20848 +static const struct ata_port_operations ahci_sb600_ops = {
20849 .inherits = &ahci_ops,
20850 .softreset = ahci_sb600_softreset,
20851 .pmp_softreset = ahci_sb600_softreset,
20852 @@ -370,7 +370,7 @@ static const struct pci_device_id ahci_p
20853 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20854 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20856 - { } /* terminate list */
20857 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20861 diff -urNp linux-2.6.35.4/drivers/ata/ahci.h linux-2.6.35.4/drivers/ata/ahci.h
20862 --- linux-2.6.35.4/drivers/ata/ahci.h 2010-08-26 19:47:12.000000000 -0400
20863 +++ linux-2.6.35.4/drivers/ata/ahci.h 2010-09-17 20:12:09.000000000 -0400
20864 @@ -298,7 +298,7 @@ struct ahci_host_priv {
20865 extern int ahci_ignore_sss;
20867 extern struct scsi_host_template ahci_sht;
20868 -extern struct ata_port_operations ahci_ops;
20869 +extern const struct ata_port_operations ahci_ops;
20871 void ahci_save_initial_config(struct device *dev,
20872 struct ahci_host_priv *hpriv,
20873 diff -urNp linux-2.6.35.4/drivers/ata/ata_generic.c linux-2.6.35.4/drivers/ata/ata_generic.c
20874 --- linux-2.6.35.4/drivers/ata/ata_generic.c 2010-08-26 19:47:12.000000000 -0400
20875 +++ linux-2.6.35.4/drivers/ata/ata_generic.c 2010-09-17 20:12:09.000000000 -0400
20876 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
20877 ATA_BMDMA_SHT(DRV_NAME),
20880 -static struct ata_port_operations generic_port_ops = {
20881 +static const struct ata_port_operations generic_port_ops = {
20882 .inherits = &ata_bmdma_port_ops,
20883 .cable_detect = ata_cable_unknown,
20884 .set_mode = generic_set_mode,
20885 diff -urNp linux-2.6.35.4/drivers/ata/ata_piix.c linux-2.6.35.4/drivers/ata/ata_piix.c
20886 --- linux-2.6.35.4/drivers/ata/ata_piix.c 2010-08-26 19:47:12.000000000 -0400
20887 +++ linux-2.6.35.4/drivers/ata/ata_piix.c 2010-09-17 20:12:09.000000000 -0400
20888 @@ -302,7 +302,7 @@ static const struct pci_device_id piix_p
20889 { 0x8086, 0x1c08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20890 /* SATA Controller IDE (CPT) */
20891 { 0x8086, 0x1c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20892 - { } /* terminate list */
20893 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20896 static struct pci_driver piix_pci_driver = {
20897 @@ -320,12 +320,12 @@ static struct scsi_host_template piix_sh
20898 ATA_BMDMA_SHT(DRV_NAME),
20901 -static struct ata_port_operations piix_sata_ops = {
20902 +static const struct ata_port_operations piix_sata_ops = {
20903 .inherits = &ata_bmdma32_port_ops,
20904 .sff_irq_check = piix_irq_check,
20907 -static struct ata_port_operations piix_pata_ops = {
20908 +static const struct ata_port_operations piix_pata_ops = {
20909 .inherits = &piix_sata_ops,
20910 .cable_detect = ata_cable_40wire,
20911 .set_piomode = piix_set_piomode,
20912 @@ -333,18 +333,18 @@ static struct ata_port_operations piix_p
20913 .prereset = piix_pata_prereset,
20916 -static struct ata_port_operations piix_vmw_ops = {
20917 +static const struct ata_port_operations piix_vmw_ops = {
20918 .inherits = &piix_pata_ops,
20919 .bmdma_status = piix_vmw_bmdma_status,
20922 -static struct ata_port_operations ich_pata_ops = {
20923 +static const struct ata_port_operations ich_pata_ops = {
20924 .inherits = &piix_pata_ops,
20925 .cable_detect = ich_pata_cable_detect,
20926 .set_dmamode = ich_set_dmamode,
20929 -static struct ata_port_operations piix_sidpr_sata_ops = {
20930 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20931 .inherits = &piix_sata_ops,
20932 .hardreset = sata_std_hardreset,
20933 .scr_read = piix_sidpr_scr_read,
20934 @@ -620,7 +620,7 @@ static const struct ich_laptop ich_lapto
20935 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20936 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20943 @@ -1112,7 +1112,7 @@ static int piix_broken_suspend(void)
20947 - { } /* terminate list */
20948 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20950 static const char *oemstrs[] = {
20952 diff -urNp linux-2.6.35.4/drivers/ata/libahci.c linux-2.6.35.4/drivers/ata/libahci.c
20953 --- linux-2.6.35.4/drivers/ata/libahci.c 2010-08-26 19:47:12.000000000 -0400
20954 +++ linux-2.6.35.4/drivers/ata/libahci.c 2010-09-17 20:12:09.000000000 -0400
20955 @@ -149,7 +149,7 @@ struct scsi_host_template ahci_sht = {
20957 EXPORT_SYMBOL_GPL(ahci_sht);
20959 -struct ata_port_operations ahci_ops = {
20960 +const struct ata_port_operations ahci_ops = {
20961 .inherits = &sata_pmp_port_ops,
20963 .qc_defer = ahci_pmp_qc_defer,
20964 diff -urNp linux-2.6.35.4/drivers/ata/libata-acpi.c linux-2.6.35.4/drivers/ata/libata-acpi.c
20965 --- linux-2.6.35.4/drivers/ata/libata-acpi.c 2010-08-26 19:47:12.000000000 -0400
20966 +++ linux-2.6.35.4/drivers/ata/libata-acpi.c 2010-09-17 20:12:09.000000000 -0400
20967 @@ -224,12 +224,12 @@ static void ata_acpi_dev_uevent(acpi_han
20968 ata_acpi_uevent(dev->link->ap, dev, event);
20971 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20972 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20973 .handler = ata_acpi_dev_notify_dock,
20974 .uevent = ata_acpi_dev_uevent,
20977 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20978 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20979 .handler = ata_acpi_ap_notify_dock,
20980 .uevent = ata_acpi_ap_uevent,
20982 diff -urNp linux-2.6.35.4/drivers/ata/libata-core.c linux-2.6.35.4/drivers/ata/libata-core.c
20983 --- linux-2.6.35.4/drivers/ata/libata-core.c 2010-08-26 19:47:12.000000000 -0400
20984 +++ linux-2.6.35.4/drivers/ata/libata-core.c 2010-09-17 20:12:09.000000000 -0400
20985 @@ -901,7 +901,7 @@ static const struct ata_xfer_ent {
20986 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20987 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20988 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20994 @@ -3073,7 +3073,7 @@ static const struct ata_timing ata_timin
20995 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20996 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20999 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
21002 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
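Review bot: The new terminator row `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` lists nine values, while the `XFER_UDMA_5` and `XFER_UDMA_6` rows directly above it list ten, so the last member is still left to implicit zero-initialisation. If the point of spelling the sentinel out is that every field is explicit (presumably to keep missing-initializer warnings quiet), it should read `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }`. Behaviour is the same either way, since the omitted member is zeroed. The table's opening lines are outside this hunk.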
21003 @@ -4323,7 +4323,7 @@ static const struct ata_blacklist_entry
21004 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
21008 + { NULL, NULL, 0 }
21011 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
21012 @@ -5869,7 +5869,7 @@ static void ata_host_stop(struct device
21016 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
21017 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21019 static DEFINE_SPINLOCK(lock);
21020 const struct ata_port_operations *cur;
21021 @@ -5881,6 +5881,7 @@ static void ata_finalize_port_ops(struct
21025 + pax_open_kernel();
21027 for (cur = ops->inherits; cur; cur = cur->inherits) {
21028 void **inherit = (void **)cur;
21029 @@ -5894,8 +5895,9 @@ static void ata_finalize_port_ops(struct
21033 - ops->inherits = NULL;
21034 + ((struct ata_port_operations *)ops)->inherits = NULL;
21036 + pax_close_kernel();
21037 spin_unlock(&lock);
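Review bot: The cast in `((struct ata_port_operations *)ops)->inherits = NULL;` writes through a pointer this patch has just made `const`, and nothing in the code says why that is intended. Together with the `pax_open_kernel()` call added in the previous hunk, this function appears to be the one place where the now-const port-operations tables are deliberately modified, so a comment above the open call would help, e.g. `/* ops tables are const; this one-time inheritance fixup is the only writer, keep the open/close window limited to it */`. Please also confirm that no path between `pax_open_kernel()` and `pax_close_kernel()` can return early, because the function body between the hunks is not visible here. The lock taken is a plain `spin_lock`, so whether an interrupt can run inside the writable window depends on what `pax_open_kernel()` does, which this page does not show.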
21040 @@ -5992,7 +5994,7 @@ int ata_host_start(struct ata_host *host
21042 /* KILLME - the only user left is ipr */
21043 void ata_host_init(struct ata_host *host, struct device *dev,
21044 - unsigned long flags, struct ata_port_operations *ops)
21045 + unsigned long flags, const struct ata_port_operations *ops)
21047 spin_lock_init(&host->lock);
21049 @@ -6642,7 +6644,7 @@ static void ata_dummy_error_handler(stru
21053 -struct ata_port_operations ata_dummy_port_ops = {
21054 +const struct ata_port_operations ata_dummy_port_ops = {
21055 .qc_prep = ata_noop_qc_prep,
21056 .qc_issue = ata_dummy_qc_issue,
21057 .error_handler = ata_dummy_error_handler,
21058 diff -urNp linux-2.6.35.4/drivers/ata/libata-eh.c linux-2.6.35.4/drivers/ata/libata-eh.c
21059 --- linux-2.6.35.4/drivers/ata/libata-eh.c 2010-08-26 19:47:12.000000000 -0400
21060 +++ linux-2.6.35.4/drivers/ata/libata-eh.c 2010-09-17 20:12:09.000000000 -0400
21061 @@ -3680,7 +3680,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21063 void ata_std_error_handler(struct ata_port *ap)
21065 - struct ata_port_operations *ops = ap->ops;
21066 + const struct ata_port_operations *ops = ap->ops;
21067 ata_reset_fn_t hardreset = ops->hardreset;
21069 /* ignore built-in hardreset if SCR access is not available */
21070 diff -urNp linux-2.6.35.4/drivers/ata/libata-pmp.c linux-2.6.35.4/drivers/ata/libata-pmp.c
21071 --- linux-2.6.35.4/drivers/ata/libata-pmp.c 2010-08-26 19:47:12.000000000 -0400
21072 +++ linux-2.6.35.4/drivers/ata/libata-pmp.c 2010-09-17 20:12:09.000000000 -0400
21073 @@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
21075 static int sata_pmp_eh_recover(struct ata_port *ap)
21077 - struct ata_port_operations *ops = ap->ops;
21078 + const struct ata_port_operations *ops = ap->ops;
21079 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21080 struct ata_link *pmp_link = &ap->link;
21081 struct ata_device *pmp_dev = pmp_link->device;
21082 diff -urNp linux-2.6.35.4/drivers/ata/pata_acpi.c linux-2.6.35.4/drivers/ata/pata_acpi.c
21083 --- linux-2.6.35.4/drivers/ata/pata_acpi.c 2010-08-26 19:47:12.000000000 -0400
21084 +++ linux-2.6.35.4/drivers/ata/pata_acpi.c 2010-09-17 20:12:09.000000000 -0400
21085 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21086 ATA_BMDMA_SHT(DRV_NAME),
21089 -static struct ata_port_operations pacpi_ops = {
21090 +static const struct ata_port_operations pacpi_ops = {
21091 .inherits = &ata_bmdma_port_ops,
21092 .qc_issue = pacpi_qc_issue,
21093 .cable_detect = pacpi_cable_detect,
21094 diff -urNp linux-2.6.35.4/drivers/ata/pata_ali.c linux-2.6.35.4/drivers/ata/pata_ali.c
21095 --- linux-2.6.35.4/drivers/ata/pata_ali.c 2010-08-26 19:47:12.000000000 -0400
21096 +++ linux-2.6.35.4/drivers/ata/pata_ali.c 2010-09-17 20:12:09.000000000 -0400
21097 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21098 * Port operations for PIO only ALi
21101 -static struct ata_port_operations ali_early_port_ops = {
21102 +static const struct ata_port_operations ali_early_port_ops = {
21103 .inherits = &ata_sff_port_ops,
21104 .cable_detect = ata_cable_40wire,
21105 .set_piomode = ali_set_piomode,
21106 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21107 * Port operations for DMA capable ALi without cable
21110 -static struct ata_port_operations ali_20_port_ops = {
21111 +static const struct ata_port_operations ali_20_port_ops = {
21112 .inherits = &ali_dma_base_ops,
21113 .cable_detect = ata_cable_40wire,
21114 .mode_filter = ali_20_filter,
21115 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21117 * Port operations for DMA capable ALi with cable detect
21119 -static struct ata_port_operations ali_c2_port_ops = {
21120 +static const struct ata_port_operations ali_c2_port_ops = {
21121 .inherits = &ali_dma_base_ops,
21122 .check_atapi_dma = ali_check_atapi_dma,
21123 .cable_detect = ali_c2_cable_detect,
21124 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21126 * Port operations for DMA capable ALi with cable detect
21128 -static struct ata_port_operations ali_c4_port_ops = {
21129 +static const struct ata_port_operations ali_c4_port_ops = {
21130 .inherits = &ali_dma_base_ops,
21131 .check_atapi_dma = ali_check_atapi_dma,
21132 .cable_detect = ali_c2_cable_detect,
21133 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21135 * Port operations for DMA capable ALi with cable detect and LBA48
21137 -static struct ata_port_operations ali_c5_port_ops = {
21138 +static const struct ata_port_operations ali_c5_port_ops = {
21139 .inherits = &ali_dma_base_ops,
21140 .check_atapi_dma = ali_check_atapi_dma,
21141 .dev_config = ali_warn_atapi_dma,
21142 diff -urNp linux-2.6.35.4/drivers/ata/pata_amd.c linux-2.6.35.4/drivers/ata/pata_amd.c
21143 --- linux-2.6.35.4/drivers/ata/pata_amd.c 2010-08-26 19:47:12.000000000 -0400
21144 +++ linux-2.6.35.4/drivers/ata/pata_amd.c 2010-09-17 20:12:09.000000000 -0400
21145 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21146 .prereset = amd_pre_reset,
21149 -static struct ata_port_operations amd33_port_ops = {
21150 +static const struct ata_port_operations amd33_port_ops = {
21151 .inherits = &amd_base_port_ops,
21152 .cable_detect = ata_cable_40wire,
21153 .set_piomode = amd33_set_piomode,
21154 .set_dmamode = amd33_set_dmamode,
21157 -static struct ata_port_operations amd66_port_ops = {
21158 +static const struct ata_port_operations amd66_port_ops = {
21159 .inherits = &amd_base_port_ops,
21160 .cable_detect = ata_cable_unknown,
21161 .set_piomode = amd66_set_piomode,
21162 .set_dmamode = amd66_set_dmamode,
21165 -static struct ata_port_operations amd100_port_ops = {
21166 +static const struct ata_port_operations amd100_port_ops = {
21167 .inherits = &amd_base_port_ops,
21168 .cable_detect = ata_cable_unknown,
21169 .set_piomode = amd100_set_piomode,
21170 .set_dmamode = amd100_set_dmamode,
21173 -static struct ata_port_operations amd133_port_ops = {
21174 +static const struct ata_port_operations amd133_port_ops = {
21175 .inherits = &amd_base_port_ops,
21176 .cable_detect = amd_cable_detect,
21177 .set_piomode = amd133_set_piomode,
21178 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21179 .host_stop = nv_host_stop,
21182 -static struct ata_port_operations nv100_port_ops = {
21183 +static const struct ata_port_operations nv100_port_ops = {
21184 .inherits = &nv_base_port_ops,
21185 .set_piomode = nv100_set_piomode,
21186 .set_dmamode = nv100_set_dmamode,
21189 -static struct ata_port_operations nv133_port_ops = {
21190 +static const struct ata_port_operations nv133_port_ops = {
21191 .inherits = &nv_base_port_ops,
21192 .set_piomode = nv133_set_piomode,
21193 .set_dmamode = nv133_set_dmamode,
21194 diff -urNp linux-2.6.35.4/drivers/ata/pata_artop.c linux-2.6.35.4/drivers/ata/pata_artop.c
21195 --- linux-2.6.35.4/drivers/ata/pata_artop.c 2010-08-26 19:47:12.000000000 -0400
21196 +++ linux-2.6.35.4/drivers/ata/pata_artop.c 2010-09-17 20:12:09.000000000 -0400
21197 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
21198 ATA_BMDMA_SHT(DRV_NAME),
21201 -static struct ata_port_operations artop6210_ops = {
21202 +static const struct ata_port_operations artop6210_ops = {
21203 .inherits = &ata_bmdma_port_ops,
21204 .cable_detect = ata_cable_40wire,
21205 .set_piomode = artop6210_set_piomode,
21206 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
21207 .qc_defer = artop6210_qc_defer,
21210 -static struct ata_port_operations artop6260_ops = {
21211 +static const struct ata_port_operations artop6260_ops = {
21212 .inherits = &ata_bmdma_port_ops,
21213 .cable_detect = artop6260_cable_detect,
21214 .set_piomode = artop6260_set_piomode,
21215 diff -urNp linux-2.6.35.4/drivers/ata/pata_at32.c linux-2.6.35.4/drivers/ata/pata_at32.c
21216 --- linux-2.6.35.4/drivers/ata/pata_at32.c 2010-08-26 19:47:12.000000000 -0400
21217 +++ linux-2.6.35.4/drivers/ata/pata_at32.c 2010-09-17 20:12:09.000000000 -0400
21218 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21219 ATA_PIO_SHT(DRV_NAME),
21222 -static struct ata_port_operations at32_port_ops = {
21223 +static const struct ata_port_operations at32_port_ops = {
21224 .inherits = &ata_sff_port_ops,
21225 .cable_detect = ata_cable_40wire,
21226 .set_piomode = pata_at32_set_piomode,
21227 diff -urNp linux-2.6.35.4/drivers/ata/pata_at91.c linux-2.6.35.4/drivers/ata/pata_at91.c
21228 --- linux-2.6.35.4/drivers/ata/pata_at91.c 2010-08-26 19:47:12.000000000 -0400
21229 +++ linux-2.6.35.4/drivers/ata/pata_at91.c 2010-09-17 20:12:09.000000000 -0400
21230 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21231 ATA_PIO_SHT(DRV_NAME),
21234 -static struct ata_port_operations pata_at91_port_ops = {
21235 +static const struct ata_port_operations pata_at91_port_ops = {
21236 .inherits = &ata_sff_port_ops,
21238 .sff_data_xfer = pata_at91_data_xfer_noirq,
21239 diff -urNp linux-2.6.35.4/drivers/ata/pata_atiixp.c linux-2.6.35.4/drivers/ata/pata_atiixp.c
21240 --- linux-2.6.35.4/drivers/ata/pata_atiixp.c 2010-08-26 19:47:12.000000000 -0400
21241 +++ linux-2.6.35.4/drivers/ata/pata_atiixp.c 2010-09-17 20:12:09.000000000 -0400
21242 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21243 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21246 -static struct ata_port_operations atiixp_port_ops = {
21247 +static const struct ata_port_operations atiixp_port_ops = {
21248 .inherits = &ata_bmdma_port_ops,
21250 .qc_prep = ata_bmdma_dumb_qc_prep,
21251 diff -urNp linux-2.6.35.4/drivers/ata/pata_atp867x.c linux-2.6.35.4/drivers/ata/pata_atp867x.c
21252 --- linux-2.6.35.4/drivers/ata/pata_atp867x.c 2010-08-26 19:47:12.000000000 -0400
21253 +++ linux-2.6.35.4/drivers/ata/pata_atp867x.c 2010-09-17 20:12:09.000000000 -0400
21254 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21255 ATA_BMDMA_SHT(DRV_NAME),
21258 -static struct ata_port_operations atp867x_ops = {
21259 +static const struct ata_port_operations atp867x_ops = {
21260 .inherits = &ata_bmdma_port_ops,
21261 .cable_detect = atp867x_cable_detect,
21262 .set_piomode = atp867x_set_piomode,
21263 diff -urNp linux-2.6.35.4/drivers/ata/pata_bf54x.c linux-2.6.35.4/drivers/ata/pata_bf54x.c
21264 --- linux-2.6.35.4/drivers/ata/pata_bf54x.c 2010-08-26 19:47:12.000000000 -0400
21265 +++ linux-2.6.35.4/drivers/ata/pata_bf54x.c 2010-09-17 20:12:09.000000000 -0400
21266 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21267 .dma_boundary = ATA_DMA_BOUNDARY,
21270 -static struct ata_port_operations bfin_pata_ops = {
21271 +static const struct ata_port_operations bfin_pata_ops = {
21272 .inherits = &ata_bmdma_port_ops,
21274 .set_piomode = bfin_set_piomode,
21275 diff -urNp linux-2.6.35.4/drivers/ata/pata_cmd640.c linux-2.6.35.4/drivers/ata/pata_cmd640.c
21276 --- linux-2.6.35.4/drivers/ata/pata_cmd640.c 2010-08-26 19:47:12.000000000 -0400
21277 +++ linux-2.6.35.4/drivers/ata/pata_cmd640.c 2010-09-17 20:12:09.000000000 -0400
21278 @@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21279 ATA_PIO_SHT(DRV_NAME),
21282 -static struct ata_port_operations cmd640_port_ops = {
21283 +static const struct ata_port_operations cmd640_port_ops = {
21284 .inherits = &ata_sff_port_ops,
21285 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21286 .sff_data_xfer = ata_sff_data_xfer_noirq,
21287 diff -urNp linux-2.6.35.4/drivers/ata/pata_cmd64x.c linux-2.6.35.4/drivers/ata/pata_cmd64x.c
21288 --- linux-2.6.35.4/drivers/ata/pata_cmd64x.c 2010-08-26 19:47:12.000000000 -0400
21289 +++ linux-2.6.35.4/drivers/ata/pata_cmd64x.c 2010-09-17 20:12:09.000000000 -0400
21290 @@ -274,18 +274,18 @@ static const struct ata_port_operations
21291 .set_dmamode = cmd64x_set_dmamode,
21294 -static struct ata_port_operations cmd64x_port_ops = {
21295 +static const struct ata_port_operations cmd64x_port_ops = {
21296 .inherits = &cmd64x_base_ops,
21297 .cable_detect = ata_cable_40wire,
21300 -static struct ata_port_operations cmd646r1_port_ops = {
21301 +static const struct ata_port_operations cmd646r1_port_ops = {
21302 .inherits = &cmd64x_base_ops,
21303 .bmdma_stop = cmd646r1_bmdma_stop,
21304 .cable_detect = ata_cable_40wire,
21307 -static struct ata_port_operations cmd648_port_ops = {
21308 +static const struct ata_port_operations cmd648_port_ops = {
21309 .inherits = &cmd64x_base_ops,
21310 .bmdma_stop = cmd648_bmdma_stop,
21311 .cable_detect = cmd648_cable_detect,
21312 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5520.c linux-2.6.35.4/drivers/ata/pata_cs5520.c
21313 --- linux-2.6.35.4/drivers/ata/pata_cs5520.c 2010-08-26 19:47:12.000000000 -0400
21314 +++ linux-2.6.35.4/drivers/ata/pata_cs5520.c 2010-09-17 20:12:09.000000000 -0400
21315 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21316 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21319 -static struct ata_port_operations cs5520_port_ops = {
21320 +static const struct ata_port_operations cs5520_port_ops = {
21321 .inherits = &ata_bmdma_port_ops,
21322 .qc_prep = ata_bmdma_dumb_qc_prep,
21323 .cable_detect = ata_cable_40wire,
21324 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5530.c linux-2.6.35.4/drivers/ata/pata_cs5530.c
21325 --- linux-2.6.35.4/drivers/ata/pata_cs5530.c 2010-08-26 19:47:12.000000000 -0400
21326 +++ linux-2.6.35.4/drivers/ata/pata_cs5530.c 2010-09-17 20:12:09.000000000 -0400
21327 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21328 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21331 -static struct ata_port_operations cs5530_port_ops = {
21332 +static const struct ata_port_operations cs5530_port_ops = {
21333 .inherits = &ata_bmdma_port_ops,
21335 .qc_prep = ata_bmdma_dumb_qc_prep,
21336 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5535.c linux-2.6.35.4/drivers/ata/pata_cs5535.c
21337 --- linux-2.6.35.4/drivers/ata/pata_cs5535.c 2010-08-26 19:47:12.000000000 -0400
21338 +++ linux-2.6.35.4/drivers/ata/pata_cs5535.c 2010-09-17 20:12:09.000000000 -0400
21339 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21340 ATA_BMDMA_SHT(DRV_NAME),
21343 -static struct ata_port_operations cs5535_port_ops = {
21344 +static const struct ata_port_operations cs5535_port_ops = {
21345 .inherits = &ata_bmdma_port_ops,
21346 .cable_detect = cs5535_cable_detect,
21347 .set_piomode = cs5535_set_piomode,
21348 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5536.c linux-2.6.35.4/drivers/ata/pata_cs5536.c
21349 --- linux-2.6.35.4/drivers/ata/pata_cs5536.c 2010-08-26 19:47:12.000000000 -0400
21350 +++ linux-2.6.35.4/drivers/ata/pata_cs5536.c 2010-09-17 20:12:09.000000000 -0400
21351 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21352 ATA_BMDMA_SHT(DRV_NAME),
21355 -static struct ata_port_operations cs5536_port_ops = {
21356 +static const struct ata_port_operations cs5536_port_ops = {
21357 .inherits = &ata_bmdma32_port_ops,
21358 .cable_detect = cs5536_cable_detect,
21359 .set_piomode = cs5536_set_piomode,
21360 diff -urNp linux-2.6.35.4/drivers/ata/pata_cypress.c linux-2.6.35.4/drivers/ata/pata_cypress.c
21361 --- linux-2.6.35.4/drivers/ata/pata_cypress.c 2010-08-26 19:47:12.000000000 -0400
21362 +++ linux-2.6.35.4/drivers/ata/pata_cypress.c 2010-09-17 20:12:09.000000000 -0400
21363 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21364 ATA_BMDMA_SHT(DRV_NAME),
21367 -static struct ata_port_operations cy82c693_port_ops = {
21368 +static const struct ata_port_operations cy82c693_port_ops = {
21369 .inherits = &ata_bmdma_port_ops,
21370 .cable_detect = ata_cable_40wire,
21371 .set_piomode = cy82c693_set_piomode,
21372 diff -urNp linux-2.6.35.4/drivers/ata/pata_efar.c linux-2.6.35.4/drivers/ata/pata_efar.c
21373 --- linux-2.6.35.4/drivers/ata/pata_efar.c 2010-08-26 19:47:12.000000000 -0400
21374 +++ linux-2.6.35.4/drivers/ata/pata_efar.c 2010-09-17 20:12:09.000000000 -0400
21375 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21376 ATA_BMDMA_SHT(DRV_NAME),
21379 -static struct ata_port_operations efar_ops = {
21380 +static const struct ata_port_operations efar_ops = {
21381 .inherits = &ata_bmdma_port_ops,
21382 .cable_detect = efar_cable_detect,
21383 .set_piomode = efar_set_piomode,
21384 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt366.c linux-2.6.35.4/drivers/ata/pata_hpt366.c
21385 --- linux-2.6.35.4/drivers/ata/pata_hpt366.c 2010-08-26 19:47:12.000000000 -0400
21386 +++ linux-2.6.35.4/drivers/ata/pata_hpt366.c 2010-09-17 20:12:09.000000000 -0400
21387 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21388 * Configuration for HPT366/68
21391 -static struct ata_port_operations hpt366_port_ops = {
21392 +static const struct ata_port_operations hpt366_port_ops = {
21393 .inherits = &ata_bmdma_port_ops,
21394 .cable_detect = hpt36x_cable_detect,
21395 .mode_filter = hpt366_filter,
21396 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt37x.c linux-2.6.35.4/drivers/ata/pata_hpt37x.c
21397 --- linux-2.6.35.4/drivers/ata/pata_hpt37x.c 2010-08-26 19:47:12.000000000 -0400
21398 +++ linux-2.6.35.4/drivers/ata/pata_hpt37x.c 2010-09-17 20:12:09.000000000 -0400
21399 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21400 * Configuration for HPT370
21403 -static struct ata_port_operations hpt370_port_ops = {
21404 +static const struct ata_port_operations hpt370_port_ops = {
21405 .inherits = &ata_bmdma_port_ops,
21407 .bmdma_stop = hpt370_bmdma_stop,
21408 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21409 * Configuration for HPT370A. Close to 370 but less filters
21412 -static struct ata_port_operations hpt370a_port_ops = {
21413 +static const struct ata_port_operations hpt370a_port_ops = {
21414 .inherits = &hpt370_port_ops,
21415 .mode_filter = hpt370a_filter,
21417 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21418 * and DMA mode setting functionality.
21421 -static struct ata_port_operations hpt372_port_ops = {
21422 +static const struct ata_port_operations hpt372_port_ops = {
21423 .inherits = &ata_bmdma_port_ops,
21425 .bmdma_stop = hpt37x_bmdma_stop,
21426 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21427 * but we have a different cable detection procedure for function 1.
21430 -static struct ata_port_operations hpt374_fn1_port_ops = {
21431 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21432 .inherits = &hpt372_port_ops,
21433 .cable_detect = hpt374_fn1_cable_detect,
21434 .prereset = hpt37x_pre_reset,
21435 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c
21436 --- linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c 2010-08-26 19:47:12.000000000 -0400
21437 +++ linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c 2010-09-17 20:12:09.000000000 -0400
21438 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21439 * Configuration for HPT3x2n.
21442 -static struct ata_port_operations hpt3x2n_port_ops = {
21443 +static const struct ata_port_operations hpt3x2n_port_ops = {
21444 .inherits = &ata_bmdma_port_ops,
21446 .bmdma_stop = hpt3x2n_bmdma_stop,
21447 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt3x3.c linux-2.6.35.4/drivers/ata/pata_hpt3x3.c
21448 --- linux-2.6.35.4/drivers/ata/pata_hpt3x3.c 2010-08-26 19:47:12.000000000 -0400
21449 +++ linux-2.6.35.4/drivers/ata/pata_hpt3x3.c 2010-09-17 20:12:09.000000000 -0400
21450 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21451 ATA_BMDMA_SHT(DRV_NAME),
21454 -static struct ata_port_operations hpt3x3_port_ops = {
21455 +static const struct ata_port_operations hpt3x3_port_ops = {
21456 .inherits = &ata_bmdma_port_ops,
21457 .cable_detect = ata_cable_40wire,
21458 .set_piomode = hpt3x3_set_piomode,
21459 diff -urNp linux-2.6.35.4/drivers/ata/pata_icside.c linux-2.6.35.4/drivers/ata/pata_icside.c
21460 --- linux-2.6.35.4/drivers/ata/pata_icside.c 2010-08-26 19:47:12.000000000 -0400
21461 +++ linux-2.6.35.4/drivers/ata/pata_icside.c 2010-09-17 20:12:09.000000000 -0400
21462 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21466 -static struct ata_port_operations pata_icside_port_ops = {
21467 +static const struct ata_port_operations pata_icside_port_ops = {
21468 .inherits = &ata_bmdma_port_ops,
21469 /* no need to build any PRD tables for DMA */
21470 .qc_prep = ata_noop_qc_prep,
21471 diff -urNp linux-2.6.35.4/drivers/ata/pata_isapnp.c linux-2.6.35.4/drivers/ata/pata_isapnp.c
21472 --- linux-2.6.35.4/drivers/ata/pata_isapnp.c 2010-08-26 19:47:12.000000000 -0400
21473 +++ linux-2.6.35.4/drivers/ata/pata_isapnp.c 2010-09-17 20:12:09.000000000 -0400
21474 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21475 ATA_PIO_SHT(DRV_NAME),
21478 -static struct ata_port_operations isapnp_port_ops = {
21479 +static const struct ata_port_operations isapnp_port_ops = {
21480 .inherits = &ata_sff_port_ops,
21481 .cable_detect = ata_cable_40wire,
21484 -static struct ata_port_operations isapnp_noalt_port_ops = {
21485 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21486 .inherits = &ata_sff_port_ops,
21487 .cable_detect = ata_cable_40wire,
21488 /* No altstatus so we don't want to use the lost interrupt poll */
21489 diff -urNp linux-2.6.35.4/drivers/ata/pata_it8213.c linux-2.6.35.4/drivers/ata/pata_it8213.c
21490 --- linux-2.6.35.4/drivers/ata/pata_it8213.c 2010-08-26 19:47:12.000000000 -0400
21491 +++ linux-2.6.35.4/drivers/ata/pata_it8213.c 2010-09-17 20:12:09.000000000 -0400
21492 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21496 -static struct ata_port_operations it8213_ops = {
21497 +static const struct ata_port_operations it8213_ops = {
21498 .inherits = &ata_bmdma_port_ops,
21499 .cable_detect = it8213_cable_detect,
21500 .set_piomode = it8213_set_piomode,
21501 diff -urNp linux-2.6.35.4/drivers/ata/pata_it821x.c linux-2.6.35.4/drivers/ata/pata_it821x.c
21502 --- linux-2.6.35.4/drivers/ata/pata_it821x.c 2010-08-26 19:47:12.000000000 -0400
21503 +++ linux-2.6.35.4/drivers/ata/pata_it821x.c 2010-09-17 20:12:09.000000000 -0400
21504 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21505 ATA_BMDMA_SHT(DRV_NAME),
21508 -static struct ata_port_operations it821x_smart_port_ops = {
21509 +static const struct ata_port_operations it821x_smart_port_ops = {
21510 .inherits = &ata_bmdma_port_ops,
21512 .check_atapi_dma= it821x_check_atapi_dma,
21513 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21514 .port_start = it821x_port_start,
21517 -static struct ata_port_operations it821x_passthru_port_ops = {
21518 +static const struct ata_port_operations it821x_passthru_port_ops = {
21519 .inherits = &ata_bmdma_port_ops,
21521 .check_atapi_dma= it821x_check_atapi_dma,
21522 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21523 .port_start = it821x_port_start,
21526 -static struct ata_port_operations it821x_rdc_port_ops = {
21527 +static const struct ata_port_operations it821x_rdc_port_ops = {
21528 .inherits = &ata_bmdma_port_ops,
21530 .check_atapi_dma= it821x_check_atapi_dma,
21531 diff -urNp linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c
21532 --- linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c 2010-08-26 19:47:12.000000000 -0400
21533 +++ linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c 2010-09-17 20:12:09.000000000 -0400
21534 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21535 ATA_PIO_SHT(DRV_NAME),
21538 -static struct ata_port_operations ixp4xx_port_ops = {
21539 +static const struct ata_port_operations ixp4xx_port_ops = {
21540 .inherits = &ata_sff_port_ops,
21541 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21542 .cable_detect = ata_cable_40wire,
21543 diff -urNp linux-2.6.35.4/drivers/ata/pata_jmicron.c linux-2.6.35.4/drivers/ata/pata_jmicron.c
21544 --- linux-2.6.35.4/drivers/ata/pata_jmicron.c 2010-08-26 19:47:12.000000000 -0400
21545 +++ linux-2.6.35.4/drivers/ata/pata_jmicron.c 2010-09-17 20:12:09.000000000 -0400
21546 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21547 ATA_BMDMA_SHT(DRV_NAME),
21550 -static struct ata_port_operations jmicron_ops = {
21551 +static const struct ata_port_operations jmicron_ops = {
21552 .inherits = &ata_bmdma_port_ops,
21553 .prereset = jmicron_pre_reset,
21555 diff -urNp linux-2.6.35.4/drivers/ata/pata_legacy.c linux-2.6.35.4/drivers/ata/pata_legacy.c
21556 --- linux-2.6.35.4/drivers/ata/pata_legacy.c 2010-08-26 19:47:12.000000000 -0400
21557 +++ linux-2.6.35.4/drivers/ata/pata_legacy.c 2010-09-17 20:12:09.000000000 -0400
21558 @@ -113,7 +113,7 @@ struct legacy_probe {
21560 struct legacy_controller {
21562 - struct ata_port_operations *ops;
21563 + const struct ata_port_operations *ops;
21564 unsigned int pio_mask;
21565 unsigned int flags;
21566 unsigned int pflags;
21567 @@ -230,12 +230,12 @@ static const struct ata_port_operations
21568 * pio_mask as well.
21571 -static struct ata_port_operations simple_port_ops = {
21572 +static const struct ata_port_operations simple_port_ops = {
21573 .inherits = &legacy_base_port_ops,
21574 .sff_data_xfer = ata_sff_data_xfer_noirq,
21577 -static struct ata_port_operations legacy_port_ops = {
21578 +static const struct ata_port_operations legacy_port_ops = {
21579 .inherits = &legacy_base_port_ops,
21580 .sff_data_xfer = ata_sff_data_xfer_noirq,
21581 .set_mode = legacy_set_mode,
21582 @@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
21586 -static struct ata_port_operations pdc20230_port_ops = {
21587 +static const struct ata_port_operations pdc20230_port_ops = {
21588 .inherits = &legacy_base_port_ops,
21589 .set_piomode = pdc20230_set_piomode,
21590 .sff_data_xfer = pdc_data_xfer_vlb,
21591 @@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
21592 ioread8(ap->ioaddr.status_addr);
21595 -static struct ata_port_operations ht6560a_port_ops = {
21596 +static const struct ata_port_operations ht6560a_port_ops = {
21597 .inherits = &legacy_base_port_ops,
21598 .set_piomode = ht6560a_set_piomode,
21600 @@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
21601 ioread8(ap->ioaddr.status_addr);
21604 -static struct ata_port_operations ht6560b_port_ops = {
21605 +static const struct ata_port_operations ht6560b_port_ops = {
21606 .inherits = &legacy_base_port_ops,
21607 .set_piomode = ht6560b_set_piomode,
21609 @@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
21613 -static struct ata_port_operations opti82c611a_port_ops = {
21614 +static const struct ata_port_operations opti82c611a_port_ops = {
21615 .inherits = &legacy_base_port_ops,
21616 .set_piomode = opti82c611a_set_piomode,
21618 @@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
21619 return ata_sff_qc_issue(qc);
21622 -static struct ata_port_operations opti82c46x_port_ops = {
21623 +static const struct ata_port_operations opti82c46x_port_ops = {
21624 .inherits = &legacy_base_port_ops,
21625 .set_piomode = opti82c46x_set_piomode,
21626 .qc_issue = opti82c46x_qc_issue,
21627 @@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
21631 -static struct ata_port_operations qdi6500_port_ops = {
21632 +static const struct ata_port_operations qdi6500_port_ops = {
21633 .inherits = &legacy_base_port_ops,
21634 .set_piomode = qdi6500_set_piomode,
21635 .qc_issue = qdi_qc_issue,
21636 .sff_data_xfer = vlb32_data_xfer,
21639 -static struct ata_port_operations qdi6580_port_ops = {
21640 +static const struct ata_port_operations qdi6580_port_ops = {
21641 .inherits = &legacy_base_port_ops,
21642 .set_piomode = qdi6580_set_piomode,
21643 .sff_data_xfer = vlb32_data_xfer,
21646 -static struct ata_port_operations qdi6580dp_port_ops = {
21647 +static const struct ata_port_operations qdi6580dp_port_ops = {
21648 .inherits = &legacy_base_port_ops,
21649 .set_piomode = qdi6580dp_set_piomode,
21650 .qc_issue = qdi_qc_issue,
21651 @@ -863,7 +863,7 @@ static int winbond_port(struct platform_
21655 -static struct ata_port_operations winbond_port_ops = {
21656 +static const struct ata_port_operations winbond_port_ops = {
21657 .inherits = &legacy_base_port_ops,
21658 .set_piomode = winbond_set_piomode,
21659 .sff_data_xfer = vlb32_data_xfer,
21660 @@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
21661 int pio_modes = controller->pio_mask;
21662 unsigned long io = probe->port;
21663 u32 mask = (1 << probe->slot);
21664 - struct ata_port_operations *ops = controller->ops;
21665 + const struct ata_port_operations *ops = controller->ops;
21666 struct legacy_data *ld = &legacy_data[probe->slot];
21667 struct ata_host *host = NULL;
21668 struct ata_port *ap;
21669 diff -urNp linux-2.6.35.4/drivers/ata/pata_macio.c linux-2.6.35.4/drivers/ata/pata_macio.c
21670 --- linux-2.6.35.4/drivers/ata/pata_macio.c 2010-08-26 19:47:12.000000000 -0400
21671 +++ linux-2.6.35.4/drivers/ata/pata_macio.c 2010-09-17 20:12:09.000000000 -0400
21672 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21673 .slave_configure = pata_macio_slave_config,
21676 -static struct ata_port_operations pata_macio_ops = {
21677 +static const struct ata_port_operations pata_macio_ops = {
21678 .inherits = &ata_bmdma_port_ops,
21680 .freeze = pata_macio_freeze,
21681 .set_piomode = pata_macio_set_timings,
21682 .set_dmamode = pata_macio_set_timings,
21683 diff -urNp linux-2.6.35.4/drivers/ata/pata_marvell.c linux-2.6.35.4/drivers/ata/pata_marvell.c
21684 --- linux-2.6.35.4/drivers/ata/pata_marvell.c 2010-08-26 19:47:12.000000000 -0400
21685 +++ linux-2.6.35.4/drivers/ata/pata_marvell.c 2010-09-17 20:12:09.000000000 -0400
21686 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21687 ATA_BMDMA_SHT(DRV_NAME),
21690 -static struct ata_port_operations marvell_ops = {
21691 +static const struct ata_port_operations marvell_ops = {
21692 .inherits = &ata_bmdma_port_ops,
21693 .cable_detect = marvell_cable_detect,
21694 .prereset = marvell_pre_reset,
21695 diff -urNp linux-2.6.35.4/drivers/ata/pata_mpc52xx.c linux-2.6.35.4/drivers/ata/pata_mpc52xx.c
21696 --- linux-2.6.35.4/drivers/ata/pata_mpc52xx.c 2010-08-26 19:47:12.000000000 -0400
21697 +++ linux-2.6.35.4/drivers/ata/pata_mpc52xx.c 2010-09-17 20:12:09.000000000 -0400
21698 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21699 ATA_PIO_SHT(DRV_NAME),
21702 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21703 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21704 .inherits = &ata_sff_port_ops,
21705 .sff_dev_select = mpc52xx_ata_dev_select,
21706 .set_piomode = mpc52xx_ata_set_piomode,
21707 diff -urNp linux-2.6.35.4/drivers/ata/pata_mpiix.c linux-2.6.35.4/drivers/ata/pata_mpiix.c
21708 --- linux-2.6.35.4/drivers/ata/pata_mpiix.c 2010-08-26 19:47:12.000000000 -0400
21709 +++ linux-2.6.35.4/drivers/ata/pata_mpiix.c 2010-09-17 20:12:09.000000000 -0400
21710 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21711 ATA_PIO_SHT(DRV_NAME),
21714 -static struct ata_port_operations mpiix_port_ops = {
21715 +static const struct ata_port_operations mpiix_port_ops = {
21716 .inherits = &ata_sff_port_ops,
21717 .qc_issue = mpiix_qc_issue,
21718 .cable_detect = ata_cable_40wire,
21719 diff -urNp linux-2.6.35.4/drivers/ata/pata_netcell.c linux-2.6.35.4/drivers/ata/pata_netcell.c
21720 --- linux-2.6.35.4/drivers/ata/pata_netcell.c 2010-08-26 19:47:12.000000000 -0400
21721 +++ linux-2.6.35.4/drivers/ata/pata_netcell.c 2010-09-17 20:12:09.000000000 -0400
21722 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21723 ATA_BMDMA_SHT(DRV_NAME),
21726 -static struct ata_port_operations netcell_ops = {
21727 +static const struct ata_port_operations netcell_ops = {
21728 .inherits = &ata_bmdma_port_ops,
21729 .cable_detect = ata_cable_80wire,
21730 .read_id = netcell_read_id,
21731 diff -urNp linux-2.6.35.4/drivers/ata/pata_ninja32.c linux-2.6.35.4/drivers/ata/pata_ninja32.c
21732 --- linux-2.6.35.4/drivers/ata/pata_ninja32.c 2010-08-26 19:47:12.000000000 -0400
21733 +++ linux-2.6.35.4/drivers/ata/pata_ninja32.c 2010-09-17 20:12:09.000000000 -0400
21734 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21735 ATA_BMDMA_SHT(DRV_NAME),
21738 -static struct ata_port_operations ninja32_port_ops = {
21739 +static const struct ata_port_operations ninja32_port_ops = {
21740 .inherits = &ata_bmdma_port_ops,
21741 .sff_dev_select = ninja32_dev_select,
21742 .cable_detect = ata_cable_40wire,
21743 diff -urNp linux-2.6.35.4/drivers/ata/pata_ns87410.c linux-2.6.35.4/drivers/ata/pata_ns87410.c
21744 --- linux-2.6.35.4/drivers/ata/pata_ns87410.c 2010-08-26 19:47:12.000000000 -0400
21745 +++ linux-2.6.35.4/drivers/ata/pata_ns87410.c 2010-09-17 20:12:09.000000000 -0400
21746 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21747 ATA_PIO_SHT(DRV_NAME),
21750 -static struct ata_port_operations ns87410_port_ops = {
21751 +static const struct ata_port_operations ns87410_port_ops = {
21752 .inherits = &ata_sff_port_ops,
21753 .qc_issue = ns87410_qc_issue,
21754 .cable_detect = ata_cable_40wire,
21755 diff -urNp linux-2.6.35.4/drivers/ata/pata_ns87415.c linux-2.6.35.4/drivers/ata/pata_ns87415.c
21756 --- linux-2.6.35.4/drivers/ata/pata_ns87415.c 2010-08-26 19:47:12.000000000 -0400
21757 +++ linux-2.6.35.4/drivers/ata/pata_ns87415.c 2010-09-17 20:12:09.000000000 -0400
21758 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21760 #endif /* 87560 SuperIO Support */
21762 -static struct ata_port_operations ns87415_pata_ops = {
21763 +static const struct ata_port_operations ns87415_pata_ops = {
21764 .inherits = &ata_bmdma_port_ops,
21766 .check_atapi_dma = ns87415_check_atapi_dma,
21767 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21770 #if defined(CONFIG_SUPERIO)
21771 -static struct ata_port_operations ns87560_pata_ops = {
21772 +static const struct ata_port_operations ns87560_pata_ops = {
21773 .inherits = &ns87415_pata_ops,
21774 .sff_tf_read = ns87560_tf_read,
21775 .sff_check_status = ns87560_check_status,
21776 diff -urNp linux-2.6.35.4/drivers/ata/pata_octeon_cf.c linux-2.6.35.4/drivers/ata/pata_octeon_cf.c
21777 --- linux-2.6.35.4/drivers/ata/pata_octeon_cf.c 2010-08-26 19:47:12.000000000 -0400
21778 +++ linux-2.6.35.4/drivers/ata/pata_octeon_cf.c 2010-09-17 20:12:09.000000000 -0400
21779 @@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
21783 +/* cannot be const */
21784 static struct ata_port_operations octeon_cf_ops = {
21785 .inherits = &ata_sff_port_ops,
21786 .check_atapi_dma = octeon_cf_check_atapi_dma,
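Review bot: The added `/* cannot be const */` above `octeon_cf_ops` records the exception but not the reason, so a later cleanup may constify the table anyway, or leave it writable after the reason has gone. Presumably the driver assigns some callbacks at probe time, but that code is outside this hunk. Name the writer in the comment, along the lines of `/* cannot be const: <callback> is assigned in <probe function> at runtime */`, filled in from the driver source. Because this stays a writable function-pointer table in a patch that otherwise makes them read-only, the comment is the only thing marking it as a deliberate exception.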
21787 diff -urNp linux-2.6.35.4/drivers/ata/pata_oldpiix.c linux-2.6.35.4/drivers/ata/pata_oldpiix.c
21788 --- linux-2.6.35.4/drivers/ata/pata_oldpiix.c 2010-08-26 19:47:12.000000000 -0400
21789 +++ linux-2.6.35.4/drivers/ata/pata_oldpiix.c 2010-09-17 20:12:09.000000000 -0400
21790 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21791 ATA_BMDMA_SHT(DRV_NAME),
21794 -static struct ata_port_operations oldpiix_pata_ops = {
21795 +static const struct ata_port_operations oldpiix_pata_ops = {
21796 .inherits = &ata_bmdma_port_ops,
21797 .qc_issue = oldpiix_qc_issue,
21798 .cable_detect = ata_cable_40wire,
21799 diff -urNp linux-2.6.35.4/drivers/ata/pata_opti.c linux-2.6.35.4/drivers/ata/pata_opti.c
21800 --- linux-2.6.35.4/drivers/ata/pata_opti.c 2010-08-26 19:47:12.000000000 -0400
21801 +++ linux-2.6.35.4/drivers/ata/pata_opti.c 2010-09-17 20:12:09.000000000 -0400
21802 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21803 ATA_PIO_SHT(DRV_NAME),
21806 -static struct ata_port_operations opti_port_ops = {
21807 +static const struct ata_port_operations opti_port_ops = {
21808 .inherits = &ata_sff_port_ops,
21809 .cable_detect = ata_cable_40wire,
21810 .set_piomode = opti_set_piomode,
21811 diff -urNp linux-2.6.35.4/drivers/ata/pata_optidma.c linux-2.6.35.4/drivers/ata/pata_optidma.c
21812 --- linux-2.6.35.4/drivers/ata/pata_optidma.c 2010-08-26 19:47:12.000000000 -0400
21813 +++ linux-2.6.35.4/drivers/ata/pata_optidma.c 2010-09-17 20:12:09.000000000 -0400
21814 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21815 ATA_BMDMA_SHT(DRV_NAME),
21818 -static struct ata_port_operations optidma_port_ops = {
21819 +static const struct ata_port_operations optidma_port_ops = {
21820 .inherits = &ata_bmdma_port_ops,
21821 .cable_detect = ata_cable_40wire,
21822 .set_piomode = optidma_set_pio_mode,
21823 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21824 .prereset = optidma_pre_reset,
21827 -static struct ata_port_operations optiplus_port_ops = {
21828 +static const struct ata_port_operations optiplus_port_ops = {
21829 .inherits = &optidma_port_ops,
21830 .set_piomode = optiplus_set_pio_mode,
21831 .set_dmamode = optiplus_set_dma_mode,
21832 diff -urNp linux-2.6.35.4/drivers/ata/pata_palmld.c linux-2.6.35.4/drivers/ata/pata_palmld.c
21833 --- linux-2.6.35.4/drivers/ata/pata_palmld.c 2010-08-26 19:47:12.000000000 -0400
21834 +++ linux-2.6.35.4/drivers/ata/pata_palmld.c 2010-09-17 20:12:09.000000000 -0400
21835 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21836 ATA_PIO_SHT(DRV_NAME),
21839 -static struct ata_port_operations palmld_port_ops = {
21840 +static const struct ata_port_operations palmld_port_ops = {
21841 .inherits = &ata_sff_port_ops,
21842 .sff_data_xfer = ata_sff_data_xfer_noirq,
21843 .cable_detect = ata_cable_40wire,
21844 diff -urNp linux-2.6.35.4/drivers/ata/pata_pcmcia.c linux-2.6.35.4/drivers/ata/pata_pcmcia.c
21845 --- linux-2.6.35.4/drivers/ata/pata_pcmcia.c 2010-08-26 19:47:12.000000000 -0400
21846 +++ linux-2.6.35.4/drivers/ata/pata_pcmcia.c 2010-09-17 20:12:09.000000000 -0400
21847 @@ -153,14 +153,14 @@ static struct scsi_host_template pcmcia_
21848 ATA_PIO_SHT(DRV_NAME),
21851 -static struct ata_port_operations pcmcia_port_ops = {
21852 +static const struct ata_port_operations pcmcia_port_ops = {
21853 .inherits = &ata_sff_port_ops,
21854 .sff_data_xfer = ata_sff_data_xfer_noirq,
21855 .cable_detect = ata_cable_40wire,
21856 .set_mode = pcmcia_set_mode,
21859 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21860 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21861 .inherits = &ata_sff_port_ops,
21862 .sff_data_xfer = ata_data_xfer_8bit,
21863 .cable_detect = ata_cable_40wire,
21864 @@ -243,7 +243,7 @@ static int pcmcia_init_one(struct pcmcia
21865 unsigned long io_base, ctl_base;
21866 void __iomem *io_addr, *ctl_addr;
21868 - struct ata_port_operations *ops = &pcmcia_port_ops;
21869 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21871 /* Set up attributes in order to probe card and get resources */
21872 pdev->io.Attributes1 = IO_DATA_PATH_WIDTH_AUTO;
21873 diff -urNp linux-2.6.35.4/drivers/ata/pata_pdc2027x.c linux-2.6.35.4/drivers/ata/pata_pdc2027x.c
21874 --- linux-2.6.35.4/drivers/ata/pata_pdc2027x.c 2010-08-26 19:47:12.000000000 -0400
21875 +++ linux-2.6.35.4/drivers/ata/pata_pdc2027x.c 2010-09-17 20:12:09.000000000 -0400
21876 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21877 ATA_BMDMA_SHT(DRV_NAME),
21880 -static struct ata_port_operations pdc2027x_pata100_ops = {
21881 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21882 .inherits = &ata_bmdma_port_ops,
21883 .check_atapi_dma = pdc2027x_check_atapi_dma,
21884 .cable_detect = pdc2027x_cable_detect,
21885 .prereset = pdc2027x_prereset,
21888 -static struct ata_port_operations pdc2027x_pata133_ops = {
21889 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21890 .inherits = &pdc2027x_pata100_ops,
21891 .mode_filter = pdc2027x_mode_filter,
21892 .set_piomode = pdc2027x_set_piomode,
21893 diff -urNp linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c
21894 --- linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c 2010-08-26 19:47:12.000000000 -0400
21895 +++ linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c 2010-09-17 20:12:09.000000000 -0400
21896 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
21897 ATA_BMDMA_SHT(DRV_NAME),
21900 -static struct ata_port_operations pdc2024x_port_ops = {
21901 +static const struct ata_port_operations pdc2024x_port_ops = {
21902 .inherits = &ata_bmdma_port_ops,
21904 .cable_detect = ata_cable_40wire,
21905 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
21906 .sff_exec_command = pdc202xx_exec_command,
21909 -static struct ata_port_operations pdc2026x_port_ops = {
21910 +static const struct ata_port_operations pdc2026x_port_ops = {
21911 .inherits = &pdc2024x_port_ops,
21913 .check_atapi_dma = pdc2026x_check_atapi_dma,
21914 diff -urNp linux-2.6.35.4/drivers/ata/pata_piccolo.c linux-2.6.35.4/drivers/ata/pata_piccolo.c
21915 --- linux-2.6.35.4/drivers/ata/pata_piccolo.c 2010-08-26 19:47:12.000000000 -0400
21916 +++ linux-2.6.35.4/drivers/ata/pata_piccolo.c 2010-09-17 20:12:09.000000000 -0400
21917 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21918 ATA_BMDMA_SHT(DRV_NAME),
21921 -static struct ata_port_operations tosh_port_ops = {
21922 +static const struct ata_port_operations tosh_port_ops = {
21923 .inherits = &ata_bmdma_port_ops,
21924 .cable_detect = ata_cable_unknown,
21925 .set_piomode = tosh_set_piomode,
21926 diff -urNp linux-2.6.35.4/drivers/ata/pata_platform.c linux-2.6.35.4/drivers/ata/pata_platform.c
21927 --- linux-2.6.35.4/drivers/ata/pata_platform.c 2010-08-26 19:47:12.000000000 -0400
21928 +++ linux-2.6.35.4/drivers/ata/pata_platform.c 2010-09-17 20:12:09.000000000 -0400
21929 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21930 ATA_PIO_SHT(DRV_NAME),
21933 -static struct ata_port_operations pata_platform_port_ops = {
21934 +static const struct ata_port_operations pata_platform_port_ops = {
21935 .inherits = &ata_sff_port_ops,
21936 .sff_data_xfer = ata_sff_data_xfer_noirq,
21937 .cable_detect = ata_cable_unknown,
21938 diff -urNp linux-2.6.35.4/drivers/ata/pata_qdi.c linux-2.6.35.4/drivers/ata/pata_qdi.c
21939 --- linux-2.6.35.4/drivers/ata/pata_qdi.c 2010-08-26 19:47:12.000000000 -0400
21940 +++ linux-2.6.35.4/drivers/ata/pata_qdi.c 2010-09-17 20:12:09.000000000 -0400
21941 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21942 ATA_PIO_SHT(DRV_NAME),
21945 -static struct ata_port_operations qdi6500_port_ops = {
21946 +static const struct ata_port_operations qdi6500_port_ops = {
21947 .inherits = &ata_sff_port_ops,
21948 .qc_issue = qdi_qc_issue,
21949 .sff_data_xfer = qdi_data_xfer,
21950 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21951 .set_piomode = qdi6500_set_piomode,
21954 -static struct ata_port_operations qdi6580_port_ops = {
21955 +static const struct ata_port_operations qdi6580_port_ops = {
21956 .inherits = &qdi6500_port_ops,
21957 .set_piomode = qdi6580_set_piomode,
21959 diff -urNp linux-2.6.35.4/drivers/ata/pata_radisys.c linux-2.6.35.4/drivers/ata/pata_radisys.c
21960 --- linux-2.6.35.4/drivers/ata/pata_radisys.c 2010-08-26 19:47:12.000000000 -0400
21961 +++ linux-2.6.35.4/drivers/ata/pata_radisys.c 2010-09-17 20:12:09.000000000 -0400
21962 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21963 ATA_BMDMA_SHT(DRV_NAME),
21966 -static struct ata_port_operations radisys_pata_ops = {
21967 +static const struct ata_port_operations radisys_pata_ops = {
21968 .inherits = &ata_bmdma_port_ops,
21969 .qc_issue = radisys_qc_issue,
21970 .cable_detect = ata_cable_unknown,
21971 diff -urNp linux-2.6.35.4/drivers/ata/pata_rb532_cf.c linux-2.6.35.4/drivers/ata/pata_rb532_cf.c
21972 --- linux-2.6.35.4/drivers/ata/pata_rb532_cf.c 2010-08-26 19:47:12.000000000 -0400
21973 +++ linux-2.6.35.4/drivers/ata/pata_rb532_cf.c 2010-09-17 20:12:09.000000000 -0400
21974 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21975 return IRQ_HANDLED;
21978 -static struct ata_port_operations rb532_pata_port_ops = {
21979 +static const struct ata_port_operations rb532_pata_port_ops = {
21980 .inherits = &ata_sff_port_ops,
21981 .sff_data_xfer = ata_sff_data_xfer32,
21983 diff -urNp linux-2.6.35.4/drivers/ata/pata_rdc.c linux-2.6.35.4/drivers/ata/pata_rdc.c
21984 --- linux-2.6.35.4/drivers/ata/pata_rdc.c 2010-08-26 19:47:12.000000000 -0400
21985 +++ linux-2.6.35.4/drivers/ata/pata_rdc.c 2010-09-17 20:12:09.000000000 -0400
21986 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21987 pci_write_config_byte(dev, 0x48, udma_enable);
21990 -static struct ata_port_operations rdc_pata_ops = {
21991 +static const struct ata_port_operations rdc_pata_ops = {
21992 .inherits = &ata_bmdma32_port_ops,
21993 .cable_detect = rdc_pata_cable_detect,
21994 .set_piomode = rdc_set_piomode,
21995 diff -urNp linux-2.6.35.4/drivers/ata/pata_rz1000.c linux-2.6.35.4/drivers/ata/pata_rz1000.c
21996 --- linux-2.6.35.4/drivers/ata/pata_rz1000.c 2010-08-26 19:47:12.000000000 -0400
21997 +++ linux-2.6.35.4/drivers/ata/pata_rz1000.c 2010-09-17 20:12:09.000000000 -0400
21998 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
21999 ATA_PIO_SHT(DRV_NAME),
22002 -static struct ata_port_operations rz1000_port_ops = {
22003 +static const struct ata_port_operations rz1000_port_ops = {
22004 .inherits = &ata_sff_port_ops,
22005 .cable_detect = ata_cable_40wire,
22006 .set_mode = rz1000_set_mode,
22007 diff -urNp linux-2.6.35.4/drivers/ata/pata_sc1200.c linux-2.6.35.4/drivers/ata/pata_sc1200.c
22008 --- linux-2.6.35.4/drivers/ata/pata_sc1200.c 2010-08-26 19:47:12.000000000 -0400
22009 +++ linux-2.6.35.4/drivers/ata/pata_sc1200.c 2010-09-17 20:12:09.000000000 -0400
22010 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22011 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22014 -static struct ata_port_operations sc1200_port_ops = {
22015 +static const struct ata_port_operations sc1200_port_ops = {
22016 .inherits = &ata_bmdma_port_ops,
22017 .qc_prep = ata_bmdma_dumb_qc_prep,
22018 .qc_issue = sc1200_qc_issue,
22019 diff -urNp linux-2.6.35.4/drivers/ata/pata_scc.c linux-2.6.35.4/drivers/ata/pata_scc.c
22020 --- linux-2.6.35.4/drivers/ata/pata_scc.c 2010-08-26 19:47:12.000000000 -0400
22021 +++ linux-2.6.35.4/drivers/ata/pata_scc.c 2010-09-17 20:12:09.000000000 -0400
22022 @@ -927,7 +927,7 @@ static struct scsi_host_template scc_sht
22023 ATA_BMDMA_SHT(DRV_NAME),
22026 -static struct ata_port_operations scc_pata_ops = {
22027 +static const struct ata_port_operations scc_pata_ops = {
22028 .inherits = &ata_bmdma_port_ops,
22030 .set_piomode = scc_set_piomode,
22031 diff -urNp linux-2.6.35.4/drivers/ata/pata_sch.c linux-2.6.35.4/drivers/ata/pata_sch.c
22032 --- linux-2.6.35.4/drivers/ata/pata_sch.c 2010-08-26 19:47:12.000000000 -0400
22033 +++ linux-2.6.35.4/drivers/ata/pata_sch.c 2010-09-17 20:12:09.000000000 -0400
22034 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22035 ATA_BMDMA_SHT(DRV_NAME),
22038 -static struct ata_port_operations sch_pata_ops = {
22039 +static const struct ata_port_operations sch_pata_ops = {
22040 .inherits = &ata_bmdma_port_ops,
22041 .cable_detect = ata_cable_unknown,
22042 .set_piomode = sch_set_piomode,
22043 diff -urNp linux-2.6.35.4/drivers/ata/pata_serverworks.c linux-2.6.35.4/drivers/ata/pata_serverworks.c
22044 --- linux-2.6.35.4/drivers/ata/pata_serverworks.c 2010-08-26 19:47:12.000000000 -0400
22045 +++ linux-2.6.35.4/drivers/ata/pata_serverworks.c 2010-09-17 20:12:09.000000000 -0400
22046 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22047 ATA_BMDMA_SHT(DRV_NAME),
22050 -static struct ata_port_operations serverworks_osb4_port_ops = {
22051 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22052 .inherits = &ata_bmdma_port_ops,
22053 .cable_detect = serverworks_cable_detect,
22054 .mode_filter = serverworks_osb4_filter,
22055 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22056 .set_dmamode = serverworks_set_dmamode,
22059 -static struct ata_port_operations serverworks_csb_port_ops = {
22060 +static const struct ata_port_operations serverworks_csb_port_ops = {
22061 .inherits = &serverworks_osb4_port_ops,
22062 .mode_filter = serverworks_csb_filter,
22064 diff -urNp linux-2.6.35.4/drivers/ata/pata_sil680.c linux-2.6.35.4/drivers/ata/pata_sil680.c
22065 --- linux-2.6.35.4/drivers/ata/pata_sil680.c 2010-08-26 19:47:12.000000000 -0400
22066 +++ linux-2.6.35.4/drivers/ata/pata_sil680.c 2010-09-17 20:12:09.000000000 -0400
22067 @@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
22068 ATA_BMDMA_SHT(DRV_NAME),
22072 -static struct ata_port_operations sil680_port_ops = {
22073 +static const struct ata_port_operations sil680_port_ops = {
22074 .inherits = &ata_bmdma32_port_ops,
22075 .sff_exec_command = sil680_sff_exec_command,
22076 .cable_detect = sil680_cable_detect,
22077 diff -urNp linux-2.6.35.4/drivers/ata/pata_sis.c linux-2.6.35.4/drivers/ata/pata_sis.c
22078 --- linux-2.6.35.4/drivers/ata/pata_sis.c 2010-08-26 19:47:12.000000000 -0400
22079 +++ linux-2.6.35.4/drivers/ata/pata_sis.c 2010-09-17 20:12:09.000000000 -0400
22080 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22081 ATA_BMDMA_SHT(DRV_NAME),
22084 -static struct ata_port_operations sis_133_for_sata_ops = {
22085 +static const struct ata_port_operations sis_133_for_sata_ops = {
22086 .inherits = &ata_bmdma_port_ops,
22087 .set_piomode = sis_133_set_piomode,
22088 .set_dmamode = sis_133_set_dmamode,
22089 .cable_detect = sis_133_cable_detect,
22092 -static struct ata_port_operations sis_base_ops = {
22093 +static const struct ata_port_operations sis_base_ops = {
22094 .inherits = &ata_bmdma_port_ops,
22095 .prereset = sis_pre_reset,
22098 -static struct ata_port_operations sis_133_ops = {
22099 +static const struct ata_port_operations sis_133_ops = {
22100 .inherits = &sis_base_ops,
22101 .set_piomode = sis_133_set_piomode,
22102 .set_dmamode = sis_133_set_dmamode,
22103 .cable_detect = sis_133_cable_detect,
22106 -static struct ata_port_operations sis_133_early_ops = {
22107 +static const struct ata_port_operations sis_133_early_ops = {
22108 .inherits = &sis_base_ops,
22109 .set_piomode = sis_100_set_piomode,
22110 .set_dmamode = sis_133_early_set_dmamode,
22111 .cable_detect = sis_66_cable_detect,
22114 -static struct ata_port_operations sis_100_ops = {
22115 +static const struct ata_port_operations sis_100_ops = {
22116 .inherits = &sis_base_ops,
22117 .set_piomode = sis_100_set_piomode,
22118 .set_dmamode = sis_100_set_dmamode,
22119 .cable_detect = sis_66_cable_detect,
22122 -static struct ata_port_operations sis_66_ops = {
22123 +static const struct ata_port_operations sis_66_ops = {
22124 .inherits = &sis_base_ops,
22125 .set_piomode = sis_old_set_piomode,
22126 .set_dmamode = sis_66_set_dmamode,
22127 .cable_detect = sis_66_cable_detect,
22130 -static struct ata_port_operations sis_old_ops = {
22131 +static const struct ata_port_operations sis_old_ops = {
22132 .inherits = &sis_base_ops,
22133 .set_piomode = sis_old_set_piomode,
22134 .set_dmamode = sis_old_set_dmamode,
22135 diff -urNp linux-2.6.35.4/drivers/ata/pata_sl82c105.c linux-2.6.35.4/drivers/ata/pata_sl82c105.c
22136 --- linux-2.6.35.4/drivers/ata/pata_sl82c105.c 2010-08-26 19:47:12.000000000 -0400
22137 +++ linux-2.6.35.4/drivers/ata/pata_sl82c105.c 2010-09-17 20:12:09.000000000 -0400
22138 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
22139 ATA_BMDMA_SHT(DRV_NAME),
22142 -static struct ata_port_operations sl82c105_port_ops = {
22143 +static const struct ata_port_operations sl82c105_port_ops = {
22144 .inherits = &ata_bmdma_port_ops,
22145 .qc_defer = sl82c105_qc_defer,
22146 .bmdma_start = sl82c105_bmdma_start,
22147 diff -urNp linux-2.6.35.4/drivers/ata/pata_triflex.c linux-2.6.35.4/drivers/ata/pata_triflex.c
22148 --- linux-2.6.35.4/drivers/ata/pata_triflex.c 2010-08-26 19:47:12.000000000 -0400
22149 +++ linux-2.6.35.4/drivers/ata/pata_triflex.c 2010-09-17 20:12:09.000000000 -0400
22150 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22151 ATA_BMDMA_SHT(DRV_NAME),
22154 -static struct ata_port_operations triflex_port_ops = {
22155 +static const struct ata_port_operations triflex_port_ops = {
22156 .inherits = &ata_bmdma_port_ops,
22157 .bmdma_start = triflex_bmdma_start,
22158 .bmdma_stop = triflex_bmdma_stop,
22159 diff -urNp linux-2.6.35.4/drivers/ata/pata_via.c linux-2.6.35.4/drivers/ata/pata_via.c
22160 --- linux-2.6.35.4/drivers/ata/pata_via.c 2010-08-26 19:47:12.000000000 -0400
22161 +++ linux-2.6.35.4/drivers/ata/pata_via.c 2010-09-17 20:12:09.000000000 -0400
22162 @@ -439,7 +439,7 @@ static struct scsi_host_template via_sht
22163 ATA_BMDMA_SHT(DRV_NAME),
22166 -static struct ata_port_operations via_port_ops = {
22167 +static const struct ata_port_operations via_port_ops = {
22168 .inherits = &ata_bmdma_port_ops,
22169 .cable_detect = via_cable_detect,
22170 .set_piomode = via_set_piomode,
22171 @@ -450,7 +450,7 @@ static struct ata_port_operations via_po
22172 .mode_filter = via_mode_filter,
22175 -static struct ata_port_operations via_port_ops_noirq = {
22176 +static const struct ata_port_operations via_port_ops_noirq = {
22177 .inherits = &via_port_ops,
22178 .sff_data_xfer = ata_sff_data_xfer_noirq,
22180 diff -urNp linux-2.6.35.4/drivers/ata/pata_winbond.c linux-2.6.35.4/drivers/ata/pata_winbond.c
22181 --- linux-2.6.35.4/drivers/ata/pata_winbond.c 2010-08-26 19:47:12.000000000 -0400
22182 +++ linux-2.6.35.4/drivers/ata/pata_winbond.c 2010-09-17 20:12:09.000000000 -0400
22183 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
22184 ATA_PIO_SHT(DRV_NAME),
22187 -static struct ata_port_operations winbond_port_ops = {
22188 +static const struct ata_port_operations winbond_port_ops = {
22189 .inherits = &ata_sff_port_ops,
22190 .sff_data_xfer = winbond_data_xfer,
22191 .cable_detect = ata_cable_40wire,
22192 diff -urNp linux-2.6.35.4/drivers/ata/pdc_adma.c linux-2.6.35.4/drivers/ata/pdc_adma.c
22193 --- linux-2.6.35.4/drivers/ata/pdc_adma.c 2010-08-26 19:47:12.000000000 -0400
22194 +++ linux-2.6.35.4/drivers/ata/pdc_adma.c 2010-09-17 20:12:09.000000000 -0400
22195 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22196 .dma_boundary = ADMA_DMA_BOUNDARY,
22199 -static struct ata_port_operations adma_ata_ops = {
22200 +static const struct ata_port_operations adma_ata_ops = {
22201 .inherits = &ata_sff_port_ops,
22203 .lost_interrupt = ATA_OP_NULL,
22204 diff -urNp linux-2.6.35.4/drivers/ata/sata_fsl.c linux-2.6.35.4/drivers/ata/sata_fsl.c
22205 --- linux-2.6.35.4/drivers/ata/sata_fsl.c 2010-08-26 19:47:12.000000000 -0400
22206 +++ linux-2.6.35.4/drivers/ata/sata_fsl.c 2010-09-17 20:12:09.000000000 -0400
22207 @@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
22208 .dma_boundary = ATA_DMA_BOUNDARY,
22211 -static struct ata_port_operations sata_fsl_ops = {
22212 +static const struct ata_port_operations sata_fsl_ops = {
22213 .inherits = &sata_pmp_port_ops,
22215 .qc_defer = ata_std_qc_defer,
22216 diff -urNp linux-2.6.35.4/drivers/ata/sata_inic162x.c linux-2.6.35.4/drivers/ata/sata_inic162x.c
22217 --- linux-2.6.35.4/drivers/ata/sata_inic162x.c 2010-08-26 19:47:12.000000000 -0400
22218 +++ linux-2.6.35.4/drivers/ata/sata_inic162x.c 2010-09-17 20:12:09.000000000 -0400
22219 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22223 -static struct ata_port_operations inic_port_ops = {
22224 +static const struct ata_port_operations inic_port_ops = {
22225 .inherits = &sata_port_ops,
22227 .check_atapi_dma = inic_check_atapi_dma,
22228 diff -urNp linux-2.6.35.4/drivers/ata/sata_mv.c linux-2.6.35.4/drivers/ata/sata_mv.c
22229 --- linux-2.6.35.4/drivers/ata/sata_mv.c 2010-08-26 19:47:12.000000000 -0400
22230 +++ linux-2.6.35.4/drivers/ata/sata_mv.c 2010-09-17 20:12:09.000000000 -0400
22231 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22232 .dma_boundary = MV_DMA_BOUNDARY,
22235 -static struct ata_port_operations mv5_ops = {
22236 +static const struct ata_port_operations mv5_ops = {
22237 .inherits = &ata_sff_port_ops,
22239 .lost_interrupt = ATA_OP_NULL,
22240 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22241 .port_stop = mv_port_stop,
22244 -static struct ata_port_operations mv6_ops = {
22245 +static const struct ata_port_operations mv6_ops = {
22246 .inherits = &ata_bmdma_port_ops,
22248 .lost_interrupt = ATA_OP_NULL,
22249 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22250 .port_stop = mv_port_stop,
22253 -static struct ata_port_operations mv_iie_ops = {
22254 +static const struct ata_port_operations mv_iie_ops = {
22255 .inherits = &mv6_ops,
22256 .dev_config = ATA_OP_NULL,
22257 .qc_prep = mv_qc_prep_iie,
22258 diff -urNp linux-2.6.35.4/drivers/ata/sata_nv.c linux-2.6.35.4/drivers/ata/sata_nv.c
22259 --- linux-2.6.35.4/drivers/ata/sata_nv.c 2010-08-26 19:47:12.000000000 -0400
22260 +++ linux-2.6.35.4/drivers/ata/sata_nv.c 2010-09-17 20:12:09.000000000 -0400
22261 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22262 * cases. Define nv_hardreset() which only kicks in for post-boot
22263 * probing and use it for all variants.
22265 -static struct ata_port_operations nv_generic_ops = {
22266 +static const struct ata_port_operations nv_generic_ops = {
22267 .inherits = &ata_bmdma_port_ops,
22268 .lost_interrupt = ATA_OP_NULL,
22269 .scr_read = nv_scr_read,
22270 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22271 .hardreset = nv_hardreset,
22274 -static struct ata_port_operations nv_nf2_ops = {
22275 +static const struct ata_port_operations nv_nf2_ops = {
22276 .inherits = &nv_generic_ops,
22277 .freeze = nv_nf2_freeze,
22278 .thaw = nv_nf2_thaw,
22281 -static struct ata_port_operations nv_ck804_ops = {
22282 +static const struct ata_port_operations nv_ck804_ops = {
22283 .inherits = &nv_generic_ops,
22284 .freeze = nv_ck804_freeze,
22285 .thaw = nv_ck804_thaw,
22286 .host_stop = nv_ck804_host_stop,
22289 -static struct ata_port_operations nv_adma_ops = {
22290 +static const struct ata_port_operations nv_adma_ops = {
22291 .inherits = &nv_ck804_ops,
22293 .check_atapi_dma = nv_adma_check_atapi_dma,
22294 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22295 .host_stop = nv_adma_host_stop,
22298 -static struct ata_port_operations nv_swncq_ops = {
22299 +static const struct ata_port_operations nv_swncq_ops = {
22300 .inherits = &nv_generic_ops,
22302 .qc_defer = ata_std_qc_defer,
22303 diff -urNp linux-2.6.35.4/drivers/ata/sata_promise.c linux-2.6.35.4/drivers/ata/sata_promise.c
22304 --- linux-2.6.35.4/drivers/ata/sata_promise.c 2010-08-26 19:47:12.000000000 -0400
22305 +++ linux-2.6.35.4/drivers/ata/sata_promise.c 2010-09-17 20:12:09.000000000 -0400
22306 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22307 .error_handler = pdc_error_handler,
22310 -static struct ata_port_operations pdc_sata_ops = {
22311 +static const struct ata_port_operations pdc_sata_ops = {
22312 .inherits = &pdc_common_ops,
22313 .cable_detect = pdc_sata_cable_detect,
22314 .freeze = pdc_sata_freeze,
22315 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22317 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22318 and ->freeze/thaw that ignore the hotplug controls. */
22319 -static struct ata_port_operations pdc_old_sata_ops = {
22320 +static const struct ata_port_operations pdc_old_sata_ops = {
22321 .inherits = &pdc_sata_ops,
22322 .freeze = pdc_freeze,
22324 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22327 -static struct ata_port_operations pdc_pata_ops = {
22328 +static const struct ata_port_operations pdc_pata_ops = {
22329 .inherits = &pdc_common_ops,
22330 .cable_detect = pdc_pata_cable_detect,
22331 .freeze = pdc_freeze,
22332 diff -urNp linux-2.6.35.4/drivers/ata/sata_qstor.c linux-2.6.35.4/drivers/ata/sata_qstor.c
22333 --- linux-2.6.35.4/drivers/ata/sata_qstor.c 2010-08-26 19:47:12.000000000 -0400
22334 +++ linux-2.6.35.4/drivers/ata/sata_qstor.c 2010-09-17 20:12:09.000000000 -0400
22335 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22336 .dma_boundary = QS_DMA_BOUNDARY,
22339 -static struct ata_port_operations qs_ata_ops = {
22340 +static const struct ata_port_operations qs_ata_ops = {
22341 .inherits = &ata_sff_port_ops,
22343 .check_atapi_dma = qs_check_atapi_dma,
22344 diff -urNp linux-2.6.35.4/drivers/ata/sata_sil24.c linux-2.6.35.4/drivers/ata/sata_sil24.c
22345 --- linux-2.6.35.4/drivers/ata/sata_sil24.c 2010-08-26 19:47:12.000000000 -0400
22346 +++ linux-2.6.35.4/drivers/ata/sata_sil24.c 2010-09-17 20:12:09.000000000 -0400
22347 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22348 .dma_boundary = ATA_DMA_BOUNDARY,
22351 -static struct ata_port_operations sil24_ops = {
22352 +static const struct ata_port_operations sil24_ops = {
22353 .inherits = &sata_pmp_port_ops,
22355 .qc_defer = sil24_qc_defer,
22356 diff -urNp linux-2.6.35.4/drivers/ata/sata_sil.c linux-2.6.35.4/drivers/ata/sata_sil.c
22357 --- linux-2.6.35.4/drivers/ata/sata_sil.c 2010-08-26 19:47:12.000000000 -0400
22358 +++ linux-2.6.35.4/drivers/ata/sata_sil.c 2010-09-17 20:12:09.000000000 -0400
22359 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22360 .sg_tablesize = ATA_MAX_PRD
22363 -static struct ata_port_operations sil_ops = {
22364 +static const struct ata_port_operations sil_ops = {
22365 .inherits = &ata_bmdma32_port_ops,
22366 .dev_config = sil_dev_config,
22367 .set_mode = sil_set_mode,
22368 diff -urNp linux-2.6.35.4/drivers/ata/sata_sis.c linux-2.6.35.4/drivers/ata/sata_sis.c
22369 --- linux-2.6.35.4/drivers/ata/sata_sis.c 2010-08-26 19:47:12.000000000 -0400
22370 +++ linux-2.6.35.4/drivers/ata/sata_sis.c 2010-09-17 20:12:09.000000000 -0400
22371 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22372 ATA_BMDMA_SHT(DRV_NAME),
22375 -static struct ata_port_operations sis_ops = {
22376 +static const struct ata_port_operations sis_ops = {
22377 .inherits = &ata_bmdma_port_ops,
22378 .scr_read = sis_scr_read,
22379 .scr_write = sis_scr_write,
22380 diff -urNp linux-2.6.35.4/drivers/ata/sata_svw.c linux-2.6.35.4/drivers/ata/sata_svw.c
22381 --- linux-2.6.35.4/drivers/ata/sata_svw.c 2010-08-26 19:47:12.000000000 -0400
22382 +++ linux-2.6.35.4/drivers/ata/sata_svw.c 2010-09-17 20:12:09.000000000 -0400
22383 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22387 -static struct ata_port_operations k2_sata_ops = {
22388 +static const struct ata_port_operations k2_sata_ops = {
22389 .inherits = &ata_bmdma_port_ops,
22390 .sff_tf_load = k2_sata_tf_load,
22391 .sff_tf_read = k2_sata_tf_read,
22392 diff -urNp linux-2.6.35.4/drivers/ata/sata_sx4.c linux-2.6.35.4/drivers/ata/sata_sx4.c
22393 --- linux-2.6.35.4/drivers/ata/sata_sx4.c 2010-08-26 19:47:12.000000000 -0400
22394 +++ linux-2.6.35.4/drivers/ata/sata_sx4.c 2010-09-17 20:12:09.000000000 -0400
22395 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22398 /* TODO: inherit from base port_ops after converting to new EH */
22399 -static struct ata_port_operations pdc_20621_ops = {
22400 +static const struct ata_port_operations pdc_20621_ops = {
22401 .inherits = &ata_sff_port_ops,
22403 .check_atapi_dma = pdc_check_atapi_dma,
22404 diff -urNp linux-2.6.35.4/drivers/ata/sata_uli.c linux-2.6.35.4/drivers/ata/sata_uli.c
22405 --- linux-2.6.35.4/drivers/ata/sata_uli.c 2010-08-26 19:47:12.000000000 -0400
22406 +++ linux-2.6.35.4/drivers/ata/sata_uli.c 2010-09-17 20:12:09.000000000 -0400
22407 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22408 ATA_BMDMA_SHT(DRV_NAME),
22411 -static struct ata_port_operations uli_ops = {
22412 +static const struct ata_port_operations uli_ops = {
22413 .inherits = &ata_bmdma_port_ops,
22414 .scr_read = uli_scr_read,
22415 .scr_write = uli_scr_write,
22416 diff -urNp linux-2.6.35.4/drivers/ata/sata_via.c linux-2.6.35.4/drivers/ata/sata_via.c
22417 --- linux-2.6.35.4/drivers/ata/sata_via.c 2010-08-26 19:47:12.000000000 -0400
22418 +++ linux-2.6.35.4/drivers/ata/sata_via.c 2010-09-17 20:12:09.000000000 -0400
22419 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22420 ATA_BMDMA_SHT(DRV_NAME),
22423 -static struct ata_port_operations svia_base_ops = {
22424 +static const struct ata_port_operations svia_base_ops = {
22425 .inherits = &ata_bmdma_port_ops,
22426 .sff_tf_load = svia_tf_load,
22429 -static struct ata_port_operations vt6420_sata_ops = {
22430 +static const struct ata_port_operations vt6420_sata_ops = {
22431 .inherits = &svia_base_ops,
22432 .freeze = svia_noop_freeze,
22433 .prereset = vt6420_prereset,
22434 .bmdma_start = vt6420_bmdma_start,
22437 -static struct ata_port_operations vt6421_pata_ops = {
22438 +static const struct ata_port_operations vt6421_pata_ops = {
22439 .inherits = &svia_base_ops,
22440 .cable_detect = vt6421_pata_cable_detect,
22441 .set_piomode = vt6421_set_pio_mode,
22442 .set_dmamode = vt6421_set_dma_mode,
22445 -static struct ata_port_operations vt6421_sata_ops = {
22446 +static const struct ata_port_operations vt6421_sata_ops = {
22447 .inherits = &svia_base_ops,
22448 .scr_read = svia_scr_read,
22449 .scr_write = svia_scr_write,
22452 -static struct ata_port_operations vt8251_ops = {
22453 +static const struct ata_port_operations vt8251_ops = {
22454 .inherits = &svia_base_ops,
22455 .hardreset = sata_std_hardreset,
22456 .scr_read = vt8251_scr_read,
22457 diff -urNp linux-2.6.35.4/drivers/ata/sata_vsc.c linux-2.6.35.4/drivers/ata/sata_vsc.c
22458 --- linux-2.6.35.4/drivers/ata/sata_vsc.c 2010-08-26 19:47:12.000000000 -0400
22459 +++ linux-2.6.35.4/drivers/ata/sata_vsc.c 2010-09-17 20:12:09.000000000 -0400
22460 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22464 -static struct ata_port_operations vsc_sata_ops = {
22465 +static const struct ata_port_operations vsc_sata_ops = {
22466 .inherits = &ata_bmdma_port_ops,
22467 /* The IRQ handling is not quite standard SFF behaviour so we
22468 cannot use the default lost interrupt handler */
22469 diff -urNp linux-2.6.35.4/drivers/atm/adummy.c linux-2.6.35.4/drivers/atm/adummy.c
22470 --- linux-2.6.35.4/drivers/atm/adummy.c 2010-08-26 19:47:12.000000000 -0400
22471 +++ linux-2.6.35.4/drivers/atm/adummy.c 2010-09-17 20:12:09.000000000 -0400
22472 @@ -78,7 +78,7 @@ adummy_send(struct atm_vcc *vcc, struct
22473 vcc->pop(vcc, skb);
22475 dev_kfree_skb_any(skb);
22476 - atomic_inc(&vcc->stats->tx);
22477 + atomic_inc_unchecked(&vcc->stats->tx);
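Review bot: `atomic_inc_unchecked(&vcc->stats->tx)` only builds if the declared type of the `stats` fields is converted to the unchecked atomic type as well, and that declaration is not in this hunk, so confirm it is changed in the same patch. The `_unchecked` variant presumably exempts the counter from overflow detection, so the declaration is also the right place for a one-line rationale such as `/* statistics only, never a reference count: wrap-around is harmless */`. Both points apply equally to the `vcc->stats->*` conversions in the ambassador, atmtcp, eni, firestream, fore200e, he, horizon, idt77252, iphase, lanai and nicstar hunks. The body of adummy_send starts and ends outside the hunk.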
22481 diff -urNp linux-2.6.35.4/drivers/atm/ambassador.c linux-2.6.35.4/drivers/atm/ambassador.c
22482 --- linux-2.6.35.4/drivers/atm/ambassador.c 2010-08-26 19:47:12.000000000 -0400
22483 +++ linux-2.6.35.4/drivers/atm/ambassador.c 2010-09-17 20:12:09.000000000 -0400
22484 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22485 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22488 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22489 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22491 // free the descriptor
22493 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22494 dump_skb ("<<<", vc, skb);
22497 - atomic_inc(&atm_vcc->stats->rx);
22498 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22499 __net_timestamp(skb);
22500 // end of our responsability
22501 atm_vcc->push (atm_vcc, skb);
22502 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22504 PRINTK (KERN_INFO, "dropped over-size frame");
22505 // should we count this?
22506 - atomic_inc(&atm_vcc->stats->rx_drop);
22507 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22511 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22514 if (check_area (skb->data, skb->len)) {
22515 - atomic_inc(&atm_vcc->stats->tx_err);
22516 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22517 return -ENOMEM; // ?
22520 diff -urNp linux-2.6.35.4/drivers/atm/atmtcp.c linux-2.6.35.4/drivers/atm/atmtcp.c
22521 --- linux-2.6.35.4/drivers/atm/atmtcp.c 2010-08-26 19:47:12.000000000 -0400
22522 +++ linux-2.6.35.4/drivers/atm/atmtcp.c 2010-09-17 20:12:09.000000000 -0400
22523 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22524 if (vcc->pop) vcc->pop(vcc,skb);
22525 else dev_kfree_skb(skb);
22526 if (dev_data) return 0;
22527 - atomic_inc(&vcc->stats->tx_err);
22528 + atomic_inc_unchecked(&vcc->stats->tx_err);
22531 size = skb->len+sizeof(struct atmtcp_hdr);
22532 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22534 if (vcc->pop) vcc->pop(vcc,skb);
22535 else dev_kfree_skb(skb);
22536 - atomic_inc(&vcc->stats->tx_err);
22537 + atomic_inc_unchecked(&vcc->stats->tx_err);
22540 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22541 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22542 if (vcc->pop) vcc->pop(vcc,skb);
22543 else dev_kfree_skb(skb);
22544 out_vcc->push(out_vcc,new_skb);
22545 - atomic_inc(&vcc->stats->tx);
22546 - atomic_inc(&out_vcc->stats->rx);
22547 + atomic_inc_unchecked(&vcc->stats->tx);
22548 + atomic_inc_unchecked(&out_vcc->stats->rx);
22552 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22553 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22554 read_unlock(&vcc_sklist_lock);
22556 - atomic_inc(&vcc->stats->tx_err);
22557 + atomic_inc_unchecked(&vcc->stats->tx_err);
22560 skb_pull(skb,sizeof(struct atmtcp_hdr));
22561 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22562 __net_timestamp(new_skb);
22563 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22564 out_vcc->push(out_vcc,new_skb);
22565 - atomic_inc(&vcc->stats->tx);
22566 - atomic_inc(&out_vcc->stats->rx);
22567 + atomic_inc_unchecked(&vcc->stats->tx);
22568 + atomic_inc_unchecked(&out_vcc->stats->rx);
22570 if (vcc->pop) vcc->pop(vcc,skb);
22571 else dev_kfree_skb(skb);
22572 diff -urNp linux-2.6.35.4/drivers/atm/eni.c linux-2.6.35.4/drivers/atm/eni.c
22573 --- linux-2.6.35.4/drivers/atm/eni.c 2010-08-26 19:47:12.000000000 -0400
22574 +++ linux-2.6.35.4/drivers/atm/eni.c 2010-09-17 20:12:09.000000000 -0400
22575 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22576 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22579 - atomic_inc(&vcc->stats->rx_err);
22580 + atomic_inc_unchecked(&vcc->stats->rx_err);
22583 length = ATM_CELL_SIZE-1; /* no HEC */
22584 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22588 - atomic_inc(&vcc->stats->rx_err);
22589 + atomic_inc_unchecked(&vcc->stats->rx_err);
22592 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22593 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22594 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22595 vcc->dev->number,vcc->vci,length,size << 2,descr);
22597 - atomic_inc(&vcc->stats->rx_err);
22598 + atomic_inc_unchecked(&vcc->stats->rx_err);
22601 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22602 @@ -771,7 +771,7 @@ rx_dequeued++;
22603 vcc->push(vcc,skb);
22606 - atomic_inc(&vcc->stats->rx);
22607 + atomic_inc_unchecked(&vcc->stats->rx);
22609 wake_up(&eni_dev->rx_wait);
22611 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22613 if (vcc->pop) vcc->pop(vcc,skb);
22614 else dev_kfree_skb_irq(skb);
22615 - atomic_inc(&vcc->stats->tx);
22616 + atomic_inc_unchecked(&vcc->stats->tx);
22617 wake_up(&eni_dev->tx_wait);
22620 diff -urNp linux-2.6.35.4/drivers/atm/firestream.c linux-2.6.35.4/drivers/atm/firestream.c
22621 --- linux-2.6.35.4/drivers/atm/firestream.c 2010-08-26 19:47:12.000000000 -0400
22622 +++ linux-2.6.35.4/drivers/atm/firestream.c 2010-09-17 20:12:09.000000000 -0400
22623 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22627 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22628 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22630 fs_dprintk (FS_DEBUG_TXMEM, "i");
22631 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22632 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22634 skb_put (skb, qe->p1 & 0xffff);
22635 ATM_SKB(skb)->vcc = atm_vcc;
22636 - atomic_inc(&atm_vcc->stats->rx);
22637 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22638 __net_timestamp(skb);
22639 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22640 atm_vcc->push (atm_vcc, skb);
22641 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22645 - atomic_inc(&atm_vcc->stats->rx_drop);
22646 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22648 case 0x1f: /* Reassembly abort: no buffers. */
22649 /* Silently increment error counter. */
22651 - atomic_inc(&atm_vcc->stats->rx_drop);
22652 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22654 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22655 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
22656 diff -urNp linux-2.6.35.4/drivers/atm/fore200e.c linux-2.6.35.4/drivers/atm/fore200e.c
22657 --- linux-2.6.35.4/drivers/atm/fore200e.c 2010-08-26 19:47:12.000000000 -0400
22658 +++ linux-2.6.35.4/drivers/atm/fore200e.c 2010-09-17 20:12:09.000000000 -0400
22659 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22661 /* check error condition */
22662 if (*entry->status & STATUS_ERROR)
22663 - atomic_inc(&vcc->stats->tx_err);
22664 + atomic_inc_unchecked(&vcc->stats->tx_err);
22666 - atomic_inc(&vcc->stats->tx);
22667 + atomic_inc_unchecked(&vcc->stats->tx);
22671 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22673 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22675 - atomic_inc(&vcc->stats->rx_drop);
22676 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22680 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22682 dev_kfree_skb_any(skb);
22684 - atomic_inc(&vcc->stats->rx_drop);
22685 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22689 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22691 vcc->push(vcc, skb);
22692 - atomic_inc(&vcc->stats->rx);
22693 + atomic_inc_unchecked(&vcc->stats->rx);
22695 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22697 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22698 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22699 fore200e->atm_dev->number,
22700 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22701 - atomic_inc(&vcc->stats->rx_err);
22702 + atomic_inc_unchecked(&vcc->stats->rx_err);
22706 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22710 - atomic_inc(&vcc->stats->tx_err);
22711 + atomic_inc_unchecked(&vcc->stats->tx_err);
22713 fore200e->tx_sat++;
22714 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22715 diff -urNp linux-2.6.35.4/drivers/atm/he.c linux-2.6.35.4/drivers/atm/he.c
22716 --- linux-2.6.35.4/drivers/atm/he.c 2010-08-26 19:47:12.000000000 -0400
22717 +++ linux-2.6.35.4/drivers/atm/he.c 2010-09-17 20:12:09.000000000 -0400
22718 @@ -1770,7 +1770,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22720 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22721 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22722 - atomic_inc(&vcc->stats->rx_drop);
22723 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22724 goto return_host_buffers;
22727 @@ -1803,7 +1803,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22728 RBRQ_LEN_ERR(he_dev->rbrq_head)
22730 vcc->vpi, vcc->vci);
22731 - atomic_inc(&vcc->stats->rx_err);
22732 + atomic_inc_unchecked(&vcc->stats->rx_err);
22733 goto return_host_buffers;
22736 @@ -1862,7 +1862,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22737 vcc->push(vcc, skb);
22738 spin_lock(&he_dev->global_lock);
22740 - atomic_inc(&vcc->stats->rx);
22741 + atomic_inc_unchecked(&vcc->stats->rx);
22743 return_host_buffers:
22745 @@ -2207,7 +2207,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22746 tpd->vcc->pop(tpd->vcc, tpd->skb);
22748 dev_kfree_skb_any(tpd->skb);
22749 - atomic_inc(&tpd->vcc->stats->tx_err);
22750 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22752 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22754 @@ -2619,7 +2619,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22755 vcc->pop(vcc, skb);
22757 dev_kfree_skb_any(skb);
22758 - atomic_inc(&vcc->stats->tx_err);
22759 + atomic_inc_unchecked(&vcc->stats->tx_err);
22763 @@ -2630,7 +2630,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22764 vcc->pop(vcc, skb);
22766 dev_kfree_skb_any(skb);
22767 - atomic_inc(&vcc->stats->tx_err);
22768 + atomic_inc_unchecked(&vcc->stats->tx_err);
22772 @@ -2642,7 +2642,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22773 vcc->pop(vcc, skb);
22775 dev_kfree_skb_any(skb);
22776 - atomic_inc(&vcc->stats->tx_err);
22777 + atomic_inc_unchecked(&vcc->stats->tx_err);
22778 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22781 @@ -2684,7 +2684,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22782 vcc->pop(vcc, skb);
22784 dev_kfree_skb_any(skb);
22785 - atomic_inc(&vcc->stats->tx_err);
22786 + atomic_inc_unchecked(&vcc->stats->tx_err);
22787 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22790 @@ -2715,7 +2715,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22791 __enqueue_tpd(he_dev, tpd, cid);
22792 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22794 - atomic_inc(&vcc->stats->tx);
22795 + atomic_inc_unchecked(&vcc->stats->tx);
22799 diff -urNp linux-2.6.35.4/drivers/atm/horizon.c linux-2.6.35.4/drivers/atm/horizon.c
22800 --- linux-2.6.35.4/drivers/atm/horizon.c 2010-08-26 19:47:12.000000000 -0400
22801 +++ linux-2.6.35.4/drivers/atm/horizon.c 2010-09-17 20:12:09.000000000 -0400
22802 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22804 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22806 - atomic_inc(&vcc->stats->rx);
22807 + atomic_inc_unchecked(&vcc->stats->rx);
22808 __net_timestamp(skb);
22809 // end of our responsability
22810 vcc->push (vcc, skb);
22811 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22812 dev->tx_iovec = NULL;
22815 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22816 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22819 hrz_kfree_skb (skb);
22820 diff -urNp linux-2.6.35.4/drivers/atm/idt77252.c linux-2.6.35.4/drivers/atm/idt77252.c
22821 --- linux-2.6.35.4/drivers/atm/idt77252.c 2010-08-26 19:47:12.000000000 -0400
22822 +++ linux-2.6.35.4/drivers/atm/idt77252.c 2010-09-17 20:12:09.000000000 -0400
22823 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22825 dev_kfree_skb(skb);
22827 - atomic_inc(&vcc->stats->tx);
22828 + atomic_inc_unchecked(&vcc->stats->tx);
22831 atomic_dec(&scq->used);
22832 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22833 if ((sb = dev_alloc_skb(64)) == NULL) {
22834 printk("%s: Can't allocate buffers for aal0.\n",
22836 - atomic_add(i, &vcc->stats->rx_drop);
22837 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22840 if (!atm_charge(vcc, sb->truesize)) {
22841 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22843 - atomic_add(i - 1, &vcc->stats->rx_drop);
22844 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22848 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22849 ATM_SKB(sb)->vcc = vcc;
22850 __net_timestamp(sb);
22851 vcc->push(vcc, sb);
22852 - atomic_inc(&vcc->stats->rx);
22853 + atomic_inc_unchecked(&vcc->stats->rx);
22855 cell += ATM_CELL_PAYLOAD;
22857 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22859 card->name, len, rpp->len, readl(SAR_REG_CDC));
22860 recycle_rx_pool_skb(card, rpp);
22861 - atomic_inc(&vcc->stats->rx_err);
22862 + atomic_inc_unchecked(&vcc->stats->rx_err);
22865 if (stat & SAR_RSQE_CRC) {
22866 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22867 recycle_rx_pool_skb(card, rpp);
22868 - atomic_inc(&vcc->stats->rx_err);
22869 + atomic_inc_unchecked(&vcc->stats->rx_err);
22872 if (skb_queue_len(&rpp->queue) > 1) {
22873 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22874 RXPRINTK("%s: Can't alloc RX skb.\n",
22876 recycle_rx_pool_skb(card, rpp);
22877 - atomic_inc(&vcc->stats->rx_err);
22878 + atomic_inc_unchecked(&vcc->stats->rx_err);
22881 if (!atm_charge(vcc, skb->truesize)) {
22882 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22883 __net_timestamp(skb);
22885 vcc->push(vcc, skb);
22886 - atomic_inc(&vcc->stats->rx);
22887 + atomic_inc_unchecked(&vcc->stats->rx);
22891 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22892 __net_timestamp(skb);
22894 vcc->push(vcc, skb);
22895 - atomic_inc(&vcc->stats->rx);
22896 + atomic_inc_unchecked(&vcc->stats->rx);
22898 if (skb->truesize > SAR_FB_SIZE_3)
22899 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22900 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22901 if (vcc->qos.aal != ATM_AAL0) {
22902 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22903 card->name, vpi, vci);
22904 - atomic_inc(&vcc->stats->rx_drop);
22905 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22909 if ((sb = dev_alloc_skb(64)) == NULL) {
22910 printk("%s: Can't allocate buffers for AAL0.\n",
22912 - atomic_inc(&vcc->stats->rx_err);
22913 + atomic_inc_unchecked(&vcc->stats->rx_err);
22917 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22918 ATM_SKB(sb)->vcc = vcc;
22919 __net_timestamp(sb);
22920 vcc->push(vcc, sb);
22921 - atomic_inc(&vcc->stats->rx);
22922 + atomic_inc_unchecked(&vcc->stats->rx);
22925 skb_pull(queue, 64);
22926 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22929 printk("%s: NULL connection in send().\n", card->name);
22930 - atomic_inc(&vcc->stats->tx_err);
22931 + atomic_inc_unchecked(&vcc->stats->tx_err);
22932 dev_kfree_skb(skb);
22935 if (!test_bit(VCF_TX, &vc->flags)) {
22936 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22937 - atomic_inc(&vcc->stats->tx_err);
22938 + atomic_inc_unchecked(&vcc->stats->tx_err);
22939 dev_kfree_skb(skb);
22942 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22945 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22946 - atomic_inc(&vcc->stats->tx_err);
22947 + atomic_inc_unchecked(&vcc->stats->tx_err);
22948 dev_kfree_skb(skb);
22952 if (skb_shinfo(skb)->nr_frags != 0) {
22953 printk("%s: No scatter-gather yet.\n", card->name);
22954 - atomic_inc(&vcc->stats->tx_err);
22955 + atomic_inc_unchecked(&vcc->stats->tx_err);
22956 dev_kfree_skb(skb);
22959 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22961 err = queue_skb(card, vc, skb, oam);
22963 - atomic_inc(&vcc->stats->tx_err);
22964 + atomic_inc_unchecked(&vcc->stats->tx_err);
22965 dev_kfree_skb(skb);
22968 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22969 skb = dev_alloc_skb(64);
22971 printk("%s: Out of memory in send_oam().\n", card->name);
22972 - atomic_inc(&vcc->stats->tx_err);
22973 + atomic_inc_unchecked(&vcc->stats->tx_err);
22976 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22977 diff -urNp linux-2.6.35.4/drivers/atm/iphase.c linux-2.6.35.4/drivers/atm/iphase.c
22978 --- linux-2.6.35.4/drivers/atm/iphase.c 2010-08-26 19:47:12.000000000 -0400
22979 +++ linux-2.6.35.4/drivers/atm/iphase.c 2010-09-17 20:12:09.000000000 -0400
22980 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
22981 status = (u_short) (buf_desc_ptr->desc_mode);
22982 if (status & (RX_CER | RX_PTE | RX_OFL))
22984 - atomic_inc(&vcc->stats->rx_err);
22985 + atomic_inc_unchecked(&vcc->stats->rx_err);
22986 IF_ERR(printk("IA: bad packet, dropping it");)
22987 if (status & RX_CER) {
22988 IF_ERR(printk(" cause: packet CRC error\n");)
22989 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
22990 len = dma_addr - buf_addr;
22991 if (len > iadev->rx_buf_sz) {
22992 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
22993 - atomic_inc(&vcc->stats->rx_err);
22994 + atomic_inc_unchecked(&vcc->stats->rx_err);
22995 goto out_free_desc;
22998 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
22999 ia_vcc = INPH_IA_VCC(vcc);
23000 if (ia_vcc == NULL)
23002 - atomic_inc(&vcc->stats->rx_err);
23003 + atomic_inc_unchecked(&vcc->stats->rx_err);
23004 dev_kfree_skb_any(skb);
23005 atm_return(vcc, atm_guess_pdu2truesize(len));
23007 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23008 if ((length > iadev->rx_buf_sz) || (length >
23009 (skb->len - sizeof(struct cpcs_trailer))))
23011 - atomic_inc(&vcc->stats->rx_err);
23012 + atomic_inc_unchecked(&vcc->stats->rx_err);
23013 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23014 length, skb->len);)
23015 dev_kfree_skb_any(skb);
23016 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23018 IF_RX(printk("rx_dle_intr: skb push");)
23019 vcc->push(vcc,skb);
23020 - atomic_inc(&vcc->stats->rx);
23021 + atomic_inc_unchecked(&vcc->stats->rx);
23022 iadev->rx_pkt_cnt++;
23025 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23027 struct k_sonet_stats *stats;
23028 stats = &PRIV(_ia_dev[board])->sonet_stats;
23029 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23030 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23031 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23032 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23033 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23034 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23035 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23036 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23037 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23038 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23039 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23040 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23041 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23042 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23043 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23044 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23045 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23046 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23048 ia_cmds.status = 0;
23050 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23051 if ((desc == 0) || (desc > iadev->num_tx_desc))
23053 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23054 - atomic_inc(&vcc->stats->tx);
23055 + atomic_inc_unchecked(&vcc->stats->tx);
23057 vcc->pop(vcc, skb);
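Review bot: The rejected-descriptor branch counts the packet in `stats->tx` even though it logs "invalid desc for send" and hands the skb back through `vcc->pop` rather than, as far as the hunk shows, queueing it. `tx_err` looks like the intended counter, i.e. `atomic_inc_unchecked(&vcc->stats->tx_err);`. The conversion keeps the pre-existing behaviour, so this is a follow-up fix rather than a regression from this change. The rest of the branch and of ia_pkt_tx is outside the hunk.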
23059 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23060 ATM_DESC(skb) = vcc->vci;
23061 skb_queue_tail(&iadev->tx_dma_q, skb);
23063 - atomic_inc(&vcc->stats->tx);
23064 + atomic_inc_unchecked(&vcc->stats->tx);
23065 iadev->tx_pkt_cnt++;
23066 /* Increment transaction counter */
23067 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23070 /* add flow control logic */
23071 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23072 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23073 if (iavcc->vc_desc_cnt > 10) {
23074 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23075 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
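Review bot: The flow-control test `atomic_read_unchecked(&vcc->stats->tx) % 20 == 0` makes a statistics counter part of the transmit path's control logic, so here a wrap-around changes behaviour rather than only a reported number. Once the counter wraps, the value read goes negative and the every-20th-packet cadence shifts once. That looks harmless for the `tx_quota` adjustment but should be stated next to the test, e.g. `/* tx is a free-running stat; a wrap only shifts the % 20 cadence */`. A dedicated per-VC packet counter would keep the quota logic independent of the statistics. ia_pkt_tx continues outside the hunk.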
23076 diff -urNp linux-2.6.35.4/drivers/atm/lanai.c linux-2.6.35.4/drivers/atm/lanai.c
23077 --- linux-2.6.35.4/drivers/atm/lanai.c 2010-08-26 19:47:12.000000000 -0400
23078 +++ linux-2.6.35.4/drivers/atm/lanai.c 2010-09-17 20:12:09.000000000 -0400
23079 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23080 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23081 lanai_endtx(lanai, lvcc);
23082 lanai_free_skb(lvcc->tx.atmvcc, skb);
23083 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23084 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23087 /* Try to fill the buffer - don't call unless there is backlog */
23088 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23089 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23090 __net_timestamp(skb);
23091 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23092 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23093 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23095 lvcc->rx.buf.ptr = end;
23096 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23097 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23098 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23099 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23100 lanai->stats.service_rxnotaal5++;
23101 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23102 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23105 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23106 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23108 read_unlock(&vcc_sklist_lock);
23109 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23110 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23111 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23112 lvcc->stats.x.aal5.service_trash++;
23113 bytes = (SERVICE_GET_END(s) * 16) -
23114 (((unsigned long) lvcc->rx.buf.ptr) -
23115 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23117 if (s & SERVICE_STREAM) {
23118 read_unlock(&vcc_sklist_lock);
23119 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23120 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23121 lvcc->stats.x.aal5.service_stream++;
23122 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23123 "PDU on VCI %d!\n", lanai->number, vci);
23124 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23127 DPRINTK("got rx crc error on vci %d\n", vci);
23128 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23129 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23130 lvcc->stats.x.aal5.service_rxcrc++;
23131 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23132 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23133 diff -urNp linux-2.6.35.4/drivers/atm/nicstar.c linux-2.6.35.4/drivers/atm/nicstar.c
23134 --- linux-2.6.35.4/drivers/atm/nicstar.c 2010-08-26 19:47:12.000000000 -0400
23135 +++ linux-2.6.35.4/drivers/atm/nicstar.c 2010-09-17 20:12:09.000000000 -0400
23136 @@ -1722,7 +1722,7 @@ static int ns_send(struct atm_vcc *vcc,
23137 if ((vc = (vc_map *) vcc->dev_data) == NULL)
23139 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
23140 - atomic_inc(&vcc->stats->tx_err);
23141 + atomic_inc_unchecked(&vcc->stats->tx_err);
23142 dev_kfree_skb_any(skb);
23145 @@ -1730,7 +1730,7 @@ static int ns_send(struct atm_vcc *vcc,
23148 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
23149 - atomic_inc(&vcc->stats->tx_err);
23150 + atomic_inc_unchecked(&vcc->stats->tx_err);
23151 dev_kfree_skb_any(skb);
23154 @@ -1738,7 +1738,7 @@ static int ns_send(struct atm_vcc *vcc,
23155 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
23157 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
23158 - atomic_inc(&vcc->stats->tx_err);
23159 + atomic_inc_unchecked(&vcc->stats->tx_err);
23160 dev_kfree_skb_any(skb);
23163 @@ -1746,7 +1746,7 @@ static int ns_send(struct atm_vcc *vcc,
23164 if (skb_shinfo(skb)->nr_frags != 0)
23166 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23167 - atomic_inc(&vcc->stats->tx_err);
23168 + atomic_inc_unchecked(&vcc->stats->tx_err);
23169 dev_kfree_skb_any(skb);
23172 @@ -1791,11 +1791,11 @@ static int ns_send(struct atm_vcc *vcc,
23174 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
23176 - atomic_inc(&vcc->stats->tx_err);
23177 + atomic_inc_unchecked(&vcc->stats->tx_err);
23178 dev_kfree_skb_any(skb);
23181 - atomic_inc(&vcc->stats->tx);
23182 + atomic_inc_unchecked(&vcc->stats->tx);
23186 @@ -2110,14 +2110,14 @@ static void dequeue_rx(ns_dev *card, ns_
23188 printk("nicstar%d: Can't allocate buffers for aal0.\n",
23190 - atomic_add(i,&vcc->stats->rx_drop);
23191 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
23194 if (!atm_charge(vcc, sb->truesize))
23196 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
23198 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23199 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23200 dev_kfree_skb_any(sb);
23203 @@ -2132,7 +2132,7 @@ static void dequeue_rx(ns_dev *card, ns_
23204 ATM_SKB(sb)->vcc = vcc;
23205 __net_timestamp(sb);
23206 vcc->push(vcc, sb);
23207 - atomic_inc(&vcc->stats->rx);
23208 + atomic_inc_unchecked(&vcc->stats->rx);
23209 cell += ATM_CELL_PAYLOAD;
23212 @@ -2151,7 +2151,7 @@ static void dequeue_rx(ns_dev *card, ns_
23215 printk("nicstar%d: Out of iovec buffers.\n", card->index);
23216 - atomic_inc(&vcc->stats->rx_drop);
23217 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23218 recycle_rx_buf(card, skb);
23221 @@ -2181,7 +2181,7 @@ static void dequeue_rx(ns_dev *card, ns_
23222 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
23224 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23225 - atomic_inc(&vcc->stats->rx_err);
23226 + atomic_inc_unchecked(&vcc->stats->rx_err);
23227 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
23228 NS_SKB(iovb)->iovcnt = 0;
23230 @@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev *card, ns_
23231 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
23233 which_list(card, skb);
23234 - atomic_inc(&vcc->stats->rx_err);
23235 + atomic_inc_unchecked(&vcc->stats->rx_err);
23236 recycle_rx_buf(card, skb);
23238 recycle_iov_buf(card, iovb);
23239 @@ -2215,7 +2215,7 @@ static void dequeue_rx(ns_dev *card, ns_
23240 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
23242 which_list(card, skb);
23243 - atomic_inc(&vcc->stats->rx_err);
23244 + atomic_inc_unchecked(&vcc->stats->rx_err);
23245 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23246 NS_SKB(iovb)->iovcnt);
23248 @@ -2239,7 +2239,7 @@ static void dequeue_rx(ns_dev *card, ns_
23249 printk(" - PDU size mismatch.\n");
23252 - atomic_inc(&vcc->stats->rx_err);
23253 + atomic_inc_unchecked(&vcc->stats->rx_err);
23254 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23255 NS_SKB(iovb)->iovcnt);
23257 @@ -2255,7 +2255,7 @@ static void dequeue_rx(ns_dev *card, ns_
23258 if (!atm_charge(vcc, skb->truesize))
23260 push_rxbufs(card, skb);
23261 - atomic_inc(&vcc->stats->rx_drop);
23262 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23266 @@ -2267,7 +2267,7 @@ static void dequeue_rx(ns_dev *card, ns_
23267 ATM_SKB(skb)->vcc = vcc;
23268 __net_timestamp(skb);
23269 vcc->push(vcc, skb);
23270 - atomic_inc(&vcc->stats->rx);
23271 + atomic_inc_unchecked(&vcc->stats->rx);
23274 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
23275 @@ -2282,7 +2282,7 @@ static void dequeue_rx(ns_dev *card, ns_
23276 if (!atm_charge(vcc, sb->truesize))
23278 push_rxbufs(card, sb);
23279 - atomic_inc(&vcc->stats->rx_drop);
23280 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23284 @@ -2294,7 +2294,7 @@ static void dequeue_rx(ns_dev *card, ns_
23285 ATM_SKB(sb)->vcc = vcc;
23286 __net_timestamp(sb);
23287 vcc->push(vcc, sb);
23288 - atomic_inc(&vcc->stats->rx);
23289 + atomic_inc_unchecked(&vcc->stats->rx);
23292 push_rxbufs(card, skb);
23293 @@ -2305,7 +2305,7 @@ static void dequeue_rx(ns_dev *card, ns_
23294 if (!atm_charge(vcc, skb->truesize))
23296 push_rxbufs(card, skb);
23297 - atomic_inc(&vcc->stats->rx_drop);
23298 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23302 @@ -2319,7 +2319,7 @@ static void dequeue_rx(ns_dev *card, ns_
23303 ATM_SKB(skb)->vcc = vcc;
23304 __net_timestamp(skb);
23305 vcc->push(vcc, skb);
23306 - atomic_inc(&vcc->stats->rx);
23307 + atomic_inc_unchecked(&vcc->stats->rx);
23310 push_rxbufs(card, sb);
23311 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev *card, ns_
23314 printk("nicstar%d: Out of huge buffers.\n", card->index);
23315 - atomic_inc(&vcc->stats->rx_drop);
23316 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23317 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23318 NS_SKB(iovb)->iovcnt);
23320 @@ -2392,7 +2392,7 @@ static void dequeue_rx(ns_dev *card, ns_
23323 dev_kfree_skb_any(hb);
23324 - atomic_inc(&vcc->stats->rx_drop);
23325 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23329 @@ -2426,7 +2426,7 @@ static void dequeue_rx(ns_dev *card, ns_
23330 #endif /* NS_USE_DESTRUCTORS */
23331 __net_timestamp(hb);
23332 vcc->push(vcc, hb);
23333 - atomic_inc(&vcc->stats->rx);
23334 + atomic_inc_unchecked(&vcc->stats->rx);
23338 diff -urNp linux-2.6.35.4/drivers/atm/solos-pci.c linux-2.6.35.4/drivers/atm/solos-pci.c
23339 --- linux-2.6.35.4/drivers/atm/solos-pci.c 2010-08-26 19:47:12.000000000 -0400
23340 +++ linux-2.6.35.4/drivers/atm/solos-pci.c 2010-09-17 20:12:09.000000000 -0400
23341 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
23343 atm_charge(vcc, skb->truesize);
23344 vcc->push(vcc, skb);
23345 - atomic_inc(&vcc->stats->rx);
23346 + atomic_inc_unchecked(&vcc->stats->rx);
23350 @@ -1023,7 +1023,7 @@ static uint32_t fpga_tx(struct solos_car
23351 vcc = SKB_CB(oldskb)->vcc;
23354 - atomic_inc(&vcc->stats->tx);
23355 + atomic_inc_unchecked(&vcc->stats->tx);
23356 solos_pop(vcc, oldskb);
23358 dev_kfree_skb_irq(oldskb);
23359 diff -urNp linux-2.6.35.4/drivers/atm/suni.c linux-2.6.35.4/drivers/atm/suni.c
23360 --- linux-2.6.35.4/drivers/atm/suni.c 2010-08-26 19:47:12.000000000 -0400
23361 +++ linux-2.6.35.4/drivers/atm/suni.c 2010-09-17 20:12:09.000000000 -0400
23362 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23365 #define ADD_LIMITED(s,v) \
23366 - atomic_add((v),&stats->s); \
23367 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23368 + atomic_add_unchecked((v),&stats->s); \
23369 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23372 static void suni_hz(unsigned long from_timer)
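Review bot: The rewritten `ADD_LIMITED` in this hunk is still two bare statements, so under an unbraced `if` or `else` only the add would be conditional and the saturation check would always run. Wrapping it as `do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)` removes that hazard. The clamp to INT_MAX depends on the counter wrapping to a negative value, which is presumably why the unchecked variants are used here; a one-line comment saying so would stop a later reader from converting it back. The add, read and set are three separate operations, so the clamp is best-effort if another context updates the same counter in between; the call sites are outside the hunk.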
23373 diff -urNp linux-2.6.35.4/drivers/atm/uPD98402.c linux-2.6.35.4/drivers/atm/uPD98402.c
23374 --- linux-2.6.35.4/drivers/atm/uPD98402.c 2010-08-26 19:47:12.000000000 -0400
23375 +++ linux-2.6.35.4/drivers/atm/uPD98402.c 2010-09-17 20:12:09.000000000 -0400
23376 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23377 struct sonet_stats tmp;
23380 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23381 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23382 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23383 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23384 if (zero && !error) {
23385 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23388 #define ADD_LIMITED(s,v) \
23389 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23390 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23391 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23392 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23393 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23394 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23397 static void stat_event(struct atm_dev *dev)
23398 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23399 if (reason & uPD98402_INT_PFM) stat_event(dev);
23400 if (reason & uPD98402_INT_PCO) {
23401 (void) GET(PCOCR); /* clear interrupt cause */
23402 - atomic_add(GET(HECCT),
23403 + atomic_add_unchecked(GET(HECCT),
23404 &PRIV(dev)->sonet_stats.uncorr_hcs);
23406 if ((reason & uPD98402_INT_RFO) &&
23407 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23408 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23409 uPD98402_INT_LOS),PIMR); /* enable them */
23410 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23411 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23412 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23413 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23414 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23415 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23416 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23420 diff -urNp linux-2.6.35.4/drivers/atm/zatm.c linux-2.6.35.4/drivers/atm/zatm.c
23421 --- linux-2.6.35.4/drivers/atm/zatm.c 2010-08-26 19:47:12.000000000 -0400
23422 +++ linux-2.6.35.4/drivers/atm/zatm.c 2010-09-17 20:12:09.000000000 -0400
23423 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23426 dev_kfree_skb_irq(skb);
23427 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23428 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23431 if (!atm_charge(vcc,skb->truesize)) {
23432 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23434 ATM_SKB(skb)->vcc = vcc;
23435 vcc->push(vcc,skb);
23436 - atomic_inc(&vcc->stats->rx);
23437 + atomic_inc_unchecked(&vcc->stats->rx);
23439 zout(pos & 0xffff,MTA(mbx));
23440 #if 0 /* probably a stupid idea */
23441 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23442 skb_queue_head(&zatm_vcc->backlog,skb);
23445 - atomic_inc(&vcc->stats->tx);
23446 + atomic_inc_unchecked(&vcc->stats->tx);
23447 wake_up(&zatm_vcc->tx_wait);
23450 diff -urNp linux-2.6.35.4/drivers/char/agp/frontend.c linux-2.6.35.4/drivers/char/agp/frontend.c
23451 --- linux-2.6.35.4/drivers/char/agp/frontend.c 2010-08-26 19:47:12.000000000 -0400
23452 +++ linux-2.6.35.4/drivers/char/agp/frontend.c 2010-09-17 20:12:09.000000000 -0400
23453 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
23454 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23457 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23458 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23461 client = agp_find_client_by_pid(reserve.pid);
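Review bot: The bound on `reserve.seg_count` is now computed against `sizeof(struct agp_segment_priv)`, but nothing in the hunk says which allocation it protects, and that allocation is outside the hunk. If the private structure is indeed what gets allocated per segment further down, a comment such as `/* seg_count comes from user space; bound it by the largest per-segment allocation made from it */` would record why the private type is the right divisor. `~0U` limits the product to 32 bits even where allocation sizes are wider, which is stricter than necessary but harmless once the intent is stated.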
23462 diff -urNp linux-2.6.35.4/drivers/char/agp/intel-agp.c linux-2.6.35.4/drivers/char/agp/intel-agp.c
23463 --- linux-2.6.35.4/drivers/char/agp/intel-agp.c 2010-08-26 19:47:12.000000000 -0400
23464 +++ linux-2.6.35.4/drivers/char/agp/intel-agp.c 2010-09-17 20:12:09.000000000 -0400
23465 @@ -1036,7 +1036,7 @@ static struct pci_device_id agp_intel_pc
23466 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
23467 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23468 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23470 + { 0, 0, 0, 0, 0, 0, 0 }
23473 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
23474 diff -urNp linux-2.6.35.4/drivers/char/hpet.c linux-2.6.35.4/drivers/char/hpet.c
23475 --- linux-2.6.35.4/drivers/char/hpet.c 2010-08-26 19:47:12.000000000 -0400
23476 +++ linux-2.6.35.4/drivers/char/hpet.c 2010-09-17 20:12:09.000000000 -0400
23477 @@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
23481 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
23482 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
23484 static long hpet_ioctl(struct file *file, unsigned int cmd,
23486 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23490 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
23491 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
23493 struct hpet_timer __iomem *timer;
23494 struct hpet __iomem *hpet;
23495 @@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
23499 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23500 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23502 static int __init hpet_init(void)
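Review bot: The positional initializer `{ HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL }` ties this definition to the exact member order and count of `struct miscdevice`, so a change to that structure would misassign values here or stop compiling. Designated initializers express the same thing without that coupling and leave every other member zeroed: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`.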
23504 diff -urNp linux-2.6.35.4/drivers/char/hvc_console.h linux-2.6.35.4/drivers/char/hvc_console.h
23505 --- linux-2.6.35.4/drivers/char/hvc_console.h 2010-08-26 19:47:12.000000000 -0400
23506 +++ linux-2.6.35.4/drivers/char/hvc_console.h 2010-09-17 20:12:09.000000000 -0400
23507 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23508 /* register a vterm for hvc tty operation (module_init or hotplug add) */
23509 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23510 const struct hv_ops *ops, int outbuf_size);
23512 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23513 extern int hvc_remove(struct hvc_struct *hp);
23515 diff -urNp linux-2.6.35.4/drivers/char/hvcs.c linux-2.6.35.4/drivers/char/hvcs.c
23516 --- linux-2.6.35.4/drivers/char/hvcs.c 2010-08-26 19:47:12.000000000 -0400
23517 +++ linux-2.6.35.4/drivers/char/hvcs.c 2010-09-17 20:12:09.000000000 -0400
23518 @@ -270,7 +270,7 @@ struct hvcs_struct {
23519 unsigned int index;
23521 struct tty_struct *tty;
23523 + atomic_t open_count;
23526 * Used to tell the driver kernel_thread what operations need to take
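Review bot: The new `atomic_t open_count` member has no comment saying what protects it, and the later hunks in this file are not uniform about it. The hvcs_vterm_state_store, fast_open, hvcs_close, hvcs_hangup and hvcs_write hunks touch it with `hvcsd->lock` visibly held, while the hvcs_write_room hunk reads it with no lock in sight. I would document the member where it is declared, for example `/* number of opens; written only under hvcsd->lock, may be read without it as a hint */`, after confirming that the unlocked read is intended. The reason for `atomic_t` rather than the `_unchecked` type used for statistics counters elsewhere in this patch (presumably so that a runaway count is caught) belongs in the same comment.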
23527 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
23529 spin_lock_irqsave(&hvcsd->lock, flags);
23531 - if (hvcsd->open_count > 0) {
23532 + if (atomic_read(&hvcsd->open_count) > 0) {
23533 spin_unlock_irqrestore(&hvcsd->lock, flags);
23534 printk(KERN_INFO "HVCS: vterm state unchanged. "
23535 "The hvcs device node is still in use.\n");
23536 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
23537 if ((retval = hvcs_partner_connect(hvcsd)))
23538 goto error_release;
23540 - hvcsd->open_count = 1;
23541 + atomic_set(&hvcsd->open_count, 1);
23543 tty->driver_data = hvcsd;
23545 @@ -1170,7 +1170,7 @@ fast_open:
23547 spin_lock_irqsave(&hvcsd->lock, flags);
23548 kref_get(&hvcsd->kref);
23549 - hvcsd->open_count++;
23550 + atomic_inc(&hvcsd->open_count);
23551 hvcsd->todo_mask |= HVCS_SCHED_READ;
23552 spin_unlock_irqrestore(&hvcsd->lock, flags);
23554 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
23555 hvcsd = tty->driver_data;
23557 spin_lock_irqsave(&hvcsd->lock, flags);
23558 - if (--hvcsd->open_count == 0) {
23559 + if (atomic_dec_and_test(&hvcsd->open_count)) {
23561 vio_disable_interrupts(hvcsd->vdev);
23563 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
23564 free_irq(irq, hvcsd);
23565 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23567 - } else if (hvcsd->open_count < 0) {
23568 + } else if (atomic_read(&hvcsd->open_count) < 0) {
23569 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23570 " is missmanaged.\n",
23571 - hvcsd->vdev->unit_address, hvcsd->open_count);
23572 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23575 spin_unlock_irqrestore(&hvcsd->lock, flags);
23576 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
23578 spin_lock_irqsave(&hvcsd->lock, flags);
23579 /* Preserve this so that we know how many kref refs to put */
23580 - temp_open_count = hvcsd->open_count;
23581 + temp_open_count = atomic_read(&hvcsd->open_count);
23584 * Don't kref put inside the spinlock because the destruction
23585 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
23586 hvcsd->tty->driver_data = NULL;
23589 - hvcsd->open_count = 0;
23590 + atomic_set(&hvcsd->open_count, 0);
23592 /* This will drop any buffered data on the floor which is OK in a hangup
23594 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
23595 * the middle of a write operation? This is a crummy place to do this
23596 * but we want to keep it all in the spinlock.
23598 - if (hvcsd->open_count <= 0) {
23599 + if (atomic_read(&hvcsd->open_count) <= 0) {
23600 spin_unlock_irqrestore(&hvcsd->lock, flags);
23603 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
23605 struct hvcs_struct *hvcsd = tty->driver_data;
23607 - if (!hvcsd || hvcsd->open_count <= 0)
23608 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23611 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23612 diff -urNp linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c
23613 --- linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c 2010-08-26 19:47:12.000000000 -0400
23614 +++ linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c 2010-09-17 20:12:09.000000000 -0400
23615 @@ -414,7 +414,7 @@ struct ipmi_smi {
23616 struct proc_dir_entry *proc_dir;
23617 char proc_dir_name[10];
23619 - atomic_t stats[IPMI_NUM_STATS];
23620 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23623 * run_to_completion duplicate of smb_info, smi_info
23624 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23627 #define ipmi_inc_stat(intf, stat) \
23628 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23629 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23630 #define ipmi_get_stat(intf, stat) \
23631 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23632 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23634 static int is_lan_addr(struct ipmi_addr *addr)
23636 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23637 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23638 init_waitqueue_head(&intf->waitq);
23639 for (i = 0; i < IPMI_NUM_STATS; i++)
23640 - atomic_set(&intf->stats[i], 0);
23641 + atomic_set_unchecked(&intf->stats[i], 0);
23643 intf->proc_dir = NULL;
23645 diff -urNp linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c
23646 --- linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c 2010-08-26 19:47:12.000000000 -0400
23647 +++ linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c 2010-09-17 20:12:09.000000000 -0400
23648 @@ -286,7 +286,7 @@ struct smi_info {
23649 unsigned char slave_addr;
23651 /* Counters and things for the proc filesystem. */
23652 - atomic_t stats[SI_NUM_STATS];
23653 + atomic_unchecked_t stats[SI_NUM_STATS];
23655 struct task_struct *thread;
23657 @@ -294,9 +294,9 @@ struct smi_info {
23660 #define smi_inc_stat(smi, stat) \
23661 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23662 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23663 #define smi_get_stat(smi, stat) \
23664 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23665 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23667 #define SI_MAX_PARMS 4
23669 @@ -3143,7 +3143,7 @@ static int try_smi_init(struct smi_info
23670 atomic_set(&new_smi->req_events, 0);
23671 new_smi->run_to_completion = 0;
23672 for (i = 0; i < SI_NUM_STATS; i++)
23673 - atomic_set(&new_smi->stats[i], 0);
23674 + atomic_set_unchecked(&new_smi->stats[i], 0);
23676 new_smi->interrupt_disabled = 1;
23677 atomic_set(&new_smi->stop_operation, 0);
23678 diff -urNp linux-2.6.35.4/drivers/char/keyboard.c linux-2.6.35.4/drivers/char/keyboard.c
23679 --- linux-2.6.35.4/drivers/char/keyboard.c 2010-08-26 19:47:12.000000000 -0400
23680 +++ linux-2.6.35.4/drivers/char/keyboard.c 2010-09-17 20:12:37.000000000 -0400
23681 @@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
23682 kbd->kbdmode == VC_MEDIUMRAW) &&
23683 value != KVAL(K_SAK))
23684 return; /* SAK is allowed even in raw mode */
23686 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
23688 + void *func = fn_handler[value];
23689 + if (func == fn_show_state || func == fn_show_ptregs ||
23690 + func == fn_show_mem)
23695 fn_handler[value](vc);
23698 @@ -1392,7 +1402,7 @@ static const struct input_device_id kbd_
23699 .evbit = { BIT_MASK(EV_SND) },
23702 - { }, /* Terminating entry */
23703 + { 0 }, /* Terminating entry */
23706 MODULE_DEVICE_TABLE(input, kbd_ids);
23707 diff -urNp linux-2.6.35.4/drivers/char/mem.c linux-2.6.35.4/drivers/char/mem.c
23708 --- linux-2.6.35.4/drivers/char/mem.c 2010-08-26 19:47:12.000000000 -0400
23709 +++ linux-2.6.35.4/drivers/char/mem.c 2010-09-17 20:12:37.000000000 -0400
23711 #include <linux/raw.h>
23712 #include <linux/tty.h>
23713 #include <linux/capability.h>
23714 +#include <linux/security.h>
23715 #include <linux/ptrace.h>
23716 #include <linux/device.h>
23717 #include <linux/highmem.h>
23719 # include <linux/efi.h>
23722 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23723 +extern struct file_operations grsec_fops;
23726 static inline unsigned long size_inside_page(unsigned long start,
23727 unsigned long size)
23729 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23731 while (count > 0) {
23732 unsigned long remaining;
23735 sz = size_inside_page(p, count);
23737 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23741 - remaining = copy_to_user(buf, ptr, sz);
23742 +#ifdef CONFIG_PAX_USERCOPY
23743 + temp = kmalloc(sz, GFP_KERNEL);
23745 + unxlate_dev_mem_ptr(p, ptr);
23748 + memcpy(temp, ptr, sz);
23753 + remaining = copy_to_user(buf, temp, sz);
23755 +#ifdef CONFIG_PAX_USERCOPY
23759 unxlate_dev_mem_ptr(p, ptr);
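Review bot: The bounce copy added under `CONFIG_PAX_USERCOPY` has no comment explaining why `ptr` cannot be passed to `copy_to_user()` directly when the option is on, so a later reader may remove `temp` as a redundant copy. Something like `/* copy through a heap object: the usercopy checks are presumably unable to validate an arbitrary device-memory mapping as a source */` above the `kmalloc(sz, GFP_KERNEL)` line would record the intent, with the wording confirmed against the usercopy implementation. The same pattern, with the same missing explanation, appears in the read_kmem hunk further down. Several lines of this hunk are not visible on the page, including the allocation-failure test and the release of `temp`, and read_mem's body continues outside the hunk.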
23762 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23763 if (!valid_phys_addr_range(p, count))
23766 +#ifdef CONFIG_GRKERNSEC_KMEM
23767 + gr_handle_mem_write();
23773 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
23774 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23775 &vma->vm_page_prot))
23778 +#ifdef CONFIG_GRKERNSEC_KMEM
23779 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23783 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23785 vma->vm_page_prot);
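Review bot: `vma->vm_pgoff << PAGE_SHIFT` in the added check is evaluated in `unsigned long`, so on a 32-bit kernel that can address physical memory above 4 GiB the high bits are lost. `gr_handle_mem_mmap()` would then be asked about a different address from the one being mapped. The helper's prototype is not visible here; if its parameter is wide enough for a physical address, widen before shifting, `gr_handle_mem_mmap((phys_addr_t)vma->vm_pgoff << PAGE_SHIFT, vma)`, otherwise passing the page frame number itself avoids the truncation. The statement under the `if` is not visible on the page, and mmap_mem's body continues outside the hunk.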
23786 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23787 size_t count, loff_t *ppos)
23789 unsigned long p = *ppos;
23790 - ssize_t low_count, read, sz;
23791 + ssize_t low_count, read, sz, err = 0;
23792 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23796 if (p < (unsigned long) high_memory) {
23797 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23800 while (low_count > 0) {
23803 sz = size_inside_page(p, low_count);
23806 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23808 kbuf = xlate_dev_kmem_ptr((char *)p);
23810 - if (copy_to_user(buf, kbuf, sz))
23811 +#ifdef CONFIG_PAX_USERCOPY
23812 + temp = kmalloc(sz, GFP_KERNEL);
23815 + memcpy(temp, kbuf, sz);
23820 + err = copy_to_user(buf, temp, sz);
23822 +#ifdef CONFIG_PAX_USERCOPY
23830 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23831 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23834 +#ifdef CONFIG_GRKERNSEC_KMEM
23835 + gr_handle_kmem_write();
23839 if (p < (unsigned long) high_memory) {
23840 unsigned long to_write = min_t(unsigned long, count,
23841 (unsigned long)high_memory - p);
23842 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23844 static int open_port(struct inode * inode, struct file * filp)
23846 +#ifdef CONFIG_GRKERNSEC_KMEM
23847 + gr_handle_open_port();
23851 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23854 +static int open_mem(struct inode * inode, struct file * filp)
23856 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23859 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23860 #define full_lseek null_lseek
23861 #define write_zero write_null
23862 #define read_full read_zero
23863 -#define open_mem open_port
23864 #define open_kmem open_mem
23865 #define open_oldmem open_mem
23867 @@ -854,6 +916,9 @@ static const struct memdev {
23868 #ifdef CONFIG_CRASH_DUMP
23869 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23871 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23872 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23876 static int memory_open(struct inode *inode, struct file *filp)
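Review bot: The new `[13]` entry creates the `grsec` node with mode `S_IRUSR | S_IWUGO`, which is writable by every user, so all access control for it rests on the handlers behind `grsec_fops`, which this file only declares `extern`. The entry should carry a comment stating that the world-writable mode is deliberate and where requests are authenticated, for example `/* world-writable by design: requests are authenticated in the grsec_fops write handler */`, with the wording checked against that handler, which is not on this page. The `extern struct file_operations grsec_fops;` declaration added near the top of this file would also be better placed in a shared header and, if the definition allows it, made `const` like the other operations tables this patch constifies.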
23877 diff -urNp linux-2.6.35.4/drivers/char/n_tty.c linux-2.6.35.4/drivers/char/n_tty.c
23878 --- linux-2.6.35.4/drivers/char/n_tty.c 2010-08-26 19:47:12.000000000 -0400
23879 +++ linux-2.6.35.4/drivers/char/n_tty.c 2010-09-17 20:12:09.000000000 -0400
23880 @@ -2105,6 +2105,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
23882 *ops = tty_ldisc_N_TTY;
23884 - ops->refcount = ops->flags = 0;
23885 + atomic_set(&ops->refcount, 0);
23888 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
23889 diff -urNp linux-2.6.35.4/drivers/char/nvram.c linux-2.6.35.4/drivers/char/nvram.c
23890 --- linux-2.6.35.4/drivers/char/nvram.c 2010-08-26 19:47:12.000000000 -0400
23891 +++ linux-2.6.35.4/drivers/char/nvram.c 2010-09-17 20:12:09.000000000 -0400
23892 @@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
23894 spin_unlock_irq(&rtc_lock);
23896 - if (copy_to_user(buf, contents, tmp - contents))
23897 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
23901 @@ -434,7 +434,10 @@ static const struct file_operations nvra
23902 static struct miscdevice nvram_dev = {
23912 static int __init nvram_init(void)
23913 diff -urNp linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c
23914 --- linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c 2010-08-26 19:47:12.000000000 -0400
23915 +++ linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c 2010-09-17 20:12:09.000000000 -0400
23916 @@ -51,7 +51,7 @@ struct ipw_tty {
23918 struct ipw_network *network;
23919 struct tty_struct *linux_tty;
23921 + atomic_t open_count;
23922 unsigned int control_lines;
23923 struct mutex ipw_tty_mutex;
23924 int tx_bytes_queued;
23925 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
23926 mutex_unlock(&tty->ipw_tty_mutex);
23929 - if (tty->open_count == 0)
23930 + if (atomic_read(&tty->open_count) == 0)
23931 tty->tx_bytes_queued = 0;
23933 - tty->open_count++;
23934 + atomic_inc(&tty->open_count);
23936 tty->linux_tty = linux_tty;
23937 linux_tty->driver_data = tty;
23938 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
23940 static void do_ipw_close(struct ipw_tty *tty)
23942 - tty->open_count--;
23944 - if (tty->open_count == 0) {
23945 + if (atomic_dec_return(&tty->open_count) == 0) {
23946 struct tty_struct *linux_tty = tty->linux_tty;
23948 if (linux_tty != NULL) {
23949 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
23952 mutex_lock(&tty->ipw_tty_mutex);
23953 - if (tty->open_count == 0) {
23954 + if (atomic_read(&tty->open_count) == 0) {
23955 mutex_unlock(&tty->ipw_tty_mutex);
23958 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
23962 - if (!tty->open_count) {
23963 + if (!atomic_read(&tty->open_count)) {
23964 mutex_unlock(&tty->ipw_tty_mutex);
23967 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
23970 mutex_lock(&tty->ipw_tty_mutex);
23971 - if (!tty->open_count) {
23972 + if (!atomic_read(&tty->open_count)) {
23973 mutex_unlock(&tty->ipw_tty_mutex);
23976 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
23980 - if (!tty->open_count)
23981 + if (!atomic_read(&tty->open_count))
23984 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23985 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
23989 - if (!tty->open_count)
23990 + if (!atomic_read(&tty->open_count))
23993 return tty->tx_bytes_queued;
23994 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
23998 - if (!tty->open_count)
23999 + if (!atomic_read(&tty->open_count))
24002 return get_control_lines(tty);
24003 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24007 - if (!tty->open_count)
24008 + if (!atomic_read(&tty->open_count))
24011 return set_control_lines(tty, set, clear);
24012 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
24016 - if (!tty->open_count)
24017 + if (!atomic_read(&tty->open_count))
24020 /* FIXME: Exactly how is the tty object locked here .. */
24021 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
24022 against a parallel ioctl etc */
24023 mutex_lock(&ttyj->ipw_tty_mutex);
24025 - while (ttyj->open_count)
24026 + while (atomic_read(&ttyj->open_count))
24027 do_ipw_close(ttyj);
24028 ipwireless_disassociate_network_ttys(network,
24029 ttyj->channel_idx);
24030 diff -urNp linux-2.6.35.4/drivers/char/pty.c linux-2.6.35.4/drivers/char/pty.c
24031 --- linux-2.6.35.4/drivers/char/pty.c 2010-08-26 19:47:12.000000000 -0400
24032 +++ linux-2.6.35.4/drivers/char/pty.c 2010-09-17 20:12:09.000000000 -0400
24033 @@ -677,7 +677,18 @@ static int ptmx_open(struct inode *inode
24037 -static struct file_operations ptmx_fops;
24038 +static const struct file_operations ptmx_fops = {
24039 + .llseek = no_llseek,
24040 + .read = tty_read,
24041 + .write = tty_write,
24042 + .poll = tty_poll,
24043 + .unlocked_ioctl = tty_ioctl,
24044 + .compat_ioctl = tty_compat_ioctl,
24045 + .open = ptmx_open,
24046 + .release = tty_release,
24047 + .fasync = tty_fasync,
24051 static void __init unix98_pty_init(void)
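Review bot: The static `ptmx_fops` initializer repeats by hand the members that `tty_default_fops()` used to copy at init time. A handler later added to or changed in the tty core's default table will therefore no longer reach `/dev/ptmx` unless this list is edited too. Making the table `const` is the purpose of the change, so the duplication is reasonable, but it needs a comment tying the two together, such as `/* keep in sync with the default tty file_operations in tty_io.c; only .open differs */`. The default table is not visible here, so the claim that only `.open` differs should be checked when adding the comment.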
24053 @@ -731,9 +742,6 @@ static void __init unix98_pty_init(void)
24054 register_sysctl_table(pty_root_table);
24056 /* Now create the /dev/ptmx special device */
24057 - tty_default_fops(&ptmx_fops);
24058 - ptmx_fops.open = ptmx_open;
24060 cdev_init(&ptmx_cdev, &ptmx_fops);
24061 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
24062 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
24063 diff -urNp linux-2.6.35.4/drivers/char/random.c linux-2.6.35.4/drivers/char/random.c
24064 --- linux-2.6.35.4/drivers/char/random.c 2010-08-26 19:47:12.000000000 -0400
24065 +++ linux-2.6.35.4/drivers/char/random.c 2010-09-17 20:24:41.000000000 -0400
24066 @@ -254,8 +254,13 @@
24068 * Configuration information
24070 +#ifdef CONFIG_GRKERNSEC_RANDNET
24071 +#define INPUT_POOL_WORDS 512
24072 +#define OUTPUT_POOL_WORDS 128
24074 #define INPUT_POOL_WORDS 128
24075 #define OUTPUT_POOL_WORDS 32
24077 #define SEC_XFER_SIZE 512
24078 #define EXTRACT_SIZE 10
24080 @@ -293,10 +298,17 @@ static struct poolinfo {
24082 int tap1, tap2, tap3, tap4, tap5;
24083 } poolinfo_table[] = {
24084 +#ifdef CONFIG_GRKERNSEC_RANDNET
24085 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24086 + { 512, 411, 308, 208, 104, 1 },
24087 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24088 + { 128, 103, 76, 51, 25, 1 },
24090 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24091 { 128, 103, 76, 51, 25, 1 },
24092 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24093 { 32, 26, 20, 14, 7, 1 },
24096 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24097 { 2048, 1638, 1231, 819, 411, 1 },
24098 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24100 extract_buf(r, tmp);
24101 i = min_t(int, nbytes, EXTRACT_SIZE);
24102 - if (copy_to_user(buf, tmp, i)) {
24103 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
24107 @@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24108 #include <linux/sysctl.h>
24110 static int min_read_thresh = 8, min_write_thresh;
24111 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24112 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24113 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24114 static char sysctl_bootid[16];
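Review bot: Changing `max_read_thresh` to `OUTPUT_POOL_WORDS * 32` lowers the limit from 128 * 32 = 4096 to 32 * 32 = 1024 when `CONFIG_GRKERNSEC_RANDNET` is off, going by the pool sizes defined in the first hunk of this file. With the option on it stays at 128 * 32 = 4096. If the intent is only to keep the limit at 4096 despite the enlarged input pool, the build without the option changes behaviour as a side effect, and a threshold above 1024 that was accepted before would presumably be refused by whatever enforces this bound (its user is outside the hunk). Either make the new value conditional on the option or add a comment such as `/* bounded by the output pool size, not the input pool: <reason> */` so the asymmetry with `max_write_thresh` is explained.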
24116 diff -urNp linux-2.6.35.4/drivers/char/sonypi.c linux-2.6.35.4/drivers/char/sonypi.c
24117 --- linux-2.6.35.4/drivers/char/sonypi.c 2010-08-26 19:47:12.000000000 -0400
24118 +++ linux-2.6.35.4/drivers/char/sonypi.c 2010-09-17 20:12:09.000000000 -0400
24119 @@ -491,7 +491,7 @@ static struct sonypi_device {
24120 spinlock_t fifo_lock;
24121 wait_queue_head_t fifo_proc_list;
24122 struct fasync_struct *fifo_async;
24124 + atomic_t open_count;
24126 struct input_dev *input_jog_dev;
24127 struct input_dev *input_key_dev;
24128 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
24129 static int sonypi_misc_release(struct inode *inode, struct file *file)
24131 mutex_lock(&sonypi_device.lock);
24132 - sonypi_device.open_count--;
24133 + atomic_dec(&sonypi_device.open_count);
24134 mutex_unlock(&sonypi_device.lock);
24137 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
24139 mutex_lock(&sonypi_device.lock);
24140 /* Flush input queue on first open */
24141 - if (!sonypi_device.open_count)
24142 + if (!atomic_read(&sonypi_device.open_count))
24143 kfifo_reset(&sonypi_device.fifo);
24144 - sonypi_device.open_count++;
24145 + atomic_inc(&sonypi_device.open_count);
24146 mutex_unlock(&sonypi_device.lock);
24149 diff -urNp linux-2.6.35.4/drivers/char/tpm/tpm_bios.c linux-2.6.35.4/drivers/char/tpm/tpm_bios.c
24150 --- linux-2.6.35.4/drivers/char/tpm/tpm_bios.c 2010-08-26 19:47:12.000000000 -0400
24151 +++ linux-2.6.35.4/drivers/char/tpm/tpm_bios.c 2010-09-17 20:12:09.000000000 -0400
24152 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24155 if ((event->event_type == 0 && event->event_size == 0) ||
24156 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24157 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
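Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the wrap in the old sum, but it is only correct if `addr + sizeof(struct tcpa_event)` is already known to be below `limit`. Otherwise the subtraction itself wraps to a large value and an oversized `event_size` passes the test. That precondition is not visible in the hunk, so I would state it next to the test, `/* addr + sizeof(struct tcpa_event) < limit is checked above, so the right-hand side cannot wrap */`, after confirming the preceding check exists. The same applies to the `v` form in the tpm_bios_measurements_next hunk below.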
24161 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24164 if ((event->event_type == 0 && event->event_size == 0) ||
24165 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24166 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24170 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24173 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24174 - seq_putc(m, data[i]);
24175 + if (!seq_putc(m, data[i]))
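Review bot: The added test `if (!seq_putc(m, data[i]))` looks inverted: as far as I know `seq_putc()` in this kernel series returns 0 when the byte was stored and -1 when the buffer is full. If so, the branch is taken after the first byte that is written successfully and never on overflow. Once that is confirmed against the seq_file implementation in this tree, the condition should read `if (seq_putc(m, data[i]))`. The statement under the `if` is not visible on the page; since the unbraced `for` now has a multi-line body, braces around the loop body would also make the nesting explicit.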
24180 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24181 log->bios_event_log_end = log->bios_event_log + len;
24183 virt = acpi_os_map_memory(start, len);
24185 + kfree(log->bios_event_log);
24186 + log->bios_event_log = NULL;
24190 memcpy(log->bios_event_log, virt, len);
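Review bot: The new failure branch frees `log->bios_event_log` and sets it to NULL but leaves `log->bios_event_log_end`, assigned at the top of the hunk to `log->bios_event_log + len`, pointing into the freed buffer. Clearing it in the same branch with `log->bios_event_log_end = NULL;` keeps the pair consistent for any later reader of the log structure; whether anything reads it after a failed read_log is outside the hunk. The condition guarding the branch and its return statement are not visible on the page.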
24192 diff -urNp linux-2.6.35.4/drivers/char/tty_io.c linux-2.6.35.4/drivers/char/tty_io.c
24193 --- linux-2.6.35.4/drivers/char/tty_io.c 2010-08-26 19:47:12.000000000 -0400
24194 +++ linux-2.6.35.4/drivers/char/tty_io.c 2010-09-17 20:12:09.000000000 -0400
24195 @@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
24196 DEFINE_MUTEX(tty_mutex);
24197 EXPORT_SYMBOL(tty_mutex);
24199 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24200 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24201 ssize_t redirected_tty_write(struct file *, const char __user *,
24203 -static unsigned int tty_poll(struct file *, poll_table *);
24204 static int tty_open(struct inode *, struct file *);
24205 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24206 -#ifdef CONFIG_COMPAT
24207 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24208 - unsigned long arg);
24210 -#define tty_compat_ioctl NULL
24212 -static int tty_fasync(int fd, struct file *filp, int on);
24213 static void release_tty(struct tty_struct *tty, int idx);
24214 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24215 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24216 @@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
24217 * read calls may be outstanding in parallel.
24220 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24221 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24225 @@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
24229 +EXPORT_SYMBOL(tty_read);
24231 void tty_write_unlock(struct tty_struct *tty)
24233 mutex_unlock(&tty->atomic_write_lock);
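Review bot: `EXPORT_SYMBOL(tty_read)` makes a core tty file operation callable from any module, and the later hunks do the same for tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl, yet nothing in the file records why. The neighbouring `get_current_tty` uses `EXPORT_SYMBOL_GPL`, so the choice of the unrestricted form should be deliberate. If the exports exist so that drivers can build their own constant `file_operations` now that `tty_default_fops()` is removed further down, say so once above the first export, e.g. `/* exported for drivers that fill in their own const file_operations */`. No header prototype for the now non-static functions is visible in this part of the patch; it should sit with the existing tty declarations rather than be redeclared by each caller.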
24234 @@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
24235 * write method will not be invoked in parallel for each device.
24238 -static ssize_t tty_write(struct file *file, const char __user *buf,
24239 +ssize_t tty_write(struct file *file, const char __user *buf,
24240 size_t count, loff_t *ppos)
24242 struct tty_struct *tty;
24243 @@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
24247 +EXPORT_SYMBOL(tty_write);
24249 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24250 size_t count, loff_t *ppos)
24252 @@ -1897,6 +1891,8 @@ got_driver:
24256 +EXPORT_SYMBOL(tty_release);
24259 * tty_poll - check tty status
24260 * @filp: file being polled
24261 @@ -1909,7 +1905,7 @@ got_driver:
24262 * may be re-entered freely by other callers.
24265 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
24266 +unsigned int tty_poll(struct file *filp, poll_table *wait)
24268 struct tty_struct *tty;
24269 struct tty_ldisc *ld;
24270 @@ -1926,7 +1922,9 @@ static unsigned int tty_poll(struct file
24274 -static int tty_fasync(int fd, struct file *filp, int on)
24275 +EXPORT_SYMBOL(tty_poll);
24277 +int tty_fasync(int fd, struct file *filp, int on)
24279 struct tty_struct *tty;
24280 unsigned long flags;
24281 @@ -1970,6 +1968,8 @@ out:
24285 +EXPORT_SYMBOL(tty_fasync);
24288 * tiocsti - fake input character
24289 * @tty: tty to fake input into
24290 @@ -2602,8 +2602,10 @@ long tty_ioctl(struct file *file, unsign
24294 +EXPORT_SYMBOL(tty_ioctl);
24296 #ifdef CONFIG_COMPAT
24297 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24298 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
24301 struct inode *inode = file->f_dentry->d_inode;
24302 @@ -2627,6 +2629,9 @@ static long tty_compat_ioctl(struct file
24307 +EXPORT_SYMBOL(tty_compat_ioctl);
24312 @@ -3070,11 +3075,6 @@ struct tty_struct *get_current_tty(void)
24314 EXPORT_SYMBOL_GPL(get_current_tty);
24316 -void tty_default_fops(struct file_operations *fops)
24318 - *fops = tty_fops;
24322 * Initialize the console device. This is called *early*, so
24323 * we can't necessarily depend on lots of kernel help here.
24324 diff -urNp linux-2.6.35.4/drivers/char/tty_ldisc.c linux-2.6.35.4/drivers/char/tty_ldisc.c
24325 --- linux-2.6.35.4/drivers/char/tty_ldisc.c 2010-08-26 19:47:12.000000000 -0400
24326 +++ linux-2.6.35.4/drivers/char/tty_ldisc.c 2010-09-17 20:12:09.000000000 -0400
24327 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
24328 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24329 struct tty_ldisc_ops *ldo = ld->ops;
24332 + atomic_dec(&ldo->refcount);
24333 module_put(ldo->owner);
24334 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24336 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
24337 spin_lock_irqsave(&tty_ldisc_lock, flags);
24338 tty_ldiscs[disc] = new_ldisc;
24339 new_ldisc->num = disc;
24340 - new_ldisc->refcount = 0;
24341 + atomic_set(&new_ldisc->refcount, 0);
24342 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24345 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
24348 spin_lock_irqsave(&tty_ldisc_lock, flags);
24349 - if (tty_ldiscs[disc]->refcount)
24350 + if (atomic_read(&tty_ldiscs[disc]->refcount))
24353 tty_ldiscs[disc] = NULL;
24354 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
24356 ret = ERR_PTR(-EAGAIN);
24357 if (try_module_get(ldops->owner)) {
24358 - ldops->refcount++;
24359 + atomic_inc(&ldops->refcount);
24363 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
24364 unsigned long flags;
24366 spin_lock_irqsave(&tty_ldisc_lock, flags);
24367 - ldops->refcount--;
24368 + atomic_dec(&ldops->refcount);
24369 module_put(ldops->owner);
24370 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24372 diff -urNp linux-2.6.35.4/drivers/char/vt_ioctl.c linux-2.6.35.4/drivers/char/vt_ioctl.c
24373 --- linux-2.6.35.4/drivers/char/vt_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24374 +++ linux-2.6.35.4/drivers/char/vt_ioctl.c 2010-09-17 20:12:37.000000000 -0400
24375 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24376 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
24379 - if (!capable(CAP_SYS_TTY_CONFIG))
24384 key_map = key_maps[s];
24385 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24386 val = (i ? K_HOLE : K_NOSUCHMAP);
24387 return put_user(val, &user_kbe->kb_value);
24389 + if (!capable(CAP_SYS_TTY_CONFIG))
24395 if (!i && v == K_NOSUCHMAP) {
24396 /* deallocate map */
24397 key_map = key_maps[s];
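Review bot: Moving the `capable(CAP_SYS_TTY_CONFIG)` test below the branch that ends in `return put_user(val, &user_kbe->kb_value);` means the read path no longer consults the capability at all, and the hunk carries no comment saying this is intended. A case added ahead of the moved check later would silently run without it, so the reason belongs next to the check, e.g. `/* only the set path needs CAP_SYS_TTY_CONFIG; keep reads from triggering a capability check */`, worded to match the actual intent. The do_kdgkb_ioctl hunks below make the same move. The statement the `if` guards and the enclosing switch lie outside the visible lines.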
24398 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24402 - if (!capable(CAP_SYS_TTY_CONFIG))
24405 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
24408 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24410 return ((p && *p) ? -EOVERFLOW : 0);
24412 + if (!capable(CAP_SYS_TTY_CONFIG))
24418 diff -urNp linux-2.6.35.4/drivers/cpuidle/sysfs.c linux-2.6.35.4/drivers/cpuidle/sysfs.c
24419 --- linux-2.6.35.4/drivers/cpuidle/sysfs.c 2010-08-26 19:47:12.000000000 -0400
24420 +++ linux-2.6.35.4/drivers/cpuidle/sysfs.c 2010-09-17 20:12:09.000000000 -0400
24421 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24422 .release = cpuidle_state_sysfs_release,
24425 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24426 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24428 kobject_put(&device->kobjs[i]->kobj);
24429 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24430 diff -urNp linux-2.6.35.4/drivers/edac/edac_core.h linux-2.6.35.4/drivers/edac/edac_core.h
24431 --- linux-2.6.35.4/drivers/edac/edac_core.h 2010-08-26 19:47:12.000000000 -0400
24432 +++ linux-2.6.35.4/drivers/edac/edac_core.h 2010-09-17 20:12:09.000000000 -0400
24433 @@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
24435 #else /* !CONFIG_EDAC_DEBUG */
24437 -#define debugf0( ... )
24438 -#define debugf1( ... )
24439 -#define debugf2( ... )
24440 -#define debugf3( ... )
24441 -#define debugf4( ... )
24442 +#define debugf0( ... ) do {} while (0)
24443 +#define debugf1( ... ) do {} while (0)
24444 +#define debugf2( ... ) do {} while (0)
24445 +#define debugf3( ... ) do {} while (0)
24446 +#define debugf4( ... ) do {} while (0)
24448 #endif /* !CONFIG_EDAC_DEBUG */
24450 diff -urNp linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c
24451 --- linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c 2010-08-26 19:47:12.000000000 -0400
24452 +++ linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c 2010-09-17 20:12:09.000000000 -0400
24453 @@ -776,7 +776,7 @@ static void edac_inst_grp_release(struct
24456 /* Intermediate show/store table */
24457 -static struct sysfs_ops inst_grp_ops = {
24458 +static const struct sysfs_ops inst_grp_ops = {
24459 .show = inst_grp_show,
24460 .store = inst_grp_store
24462 diff -urNp linux-2.6.35.4/drivers/firewire/core-cdev.c linux-2.6.35.4/drivers/firewire/core-cdev.c
24463 --- linux-2.6.35.4/drivers/firewire/core-cdev.c 2010-08-26 19:47:12.000000000 -0400
24464 +++ linux-2.6.35.4/drivers/firewire/core-cdev.c 2010-09-17 20:12:09.000000000 -0400
24465 @@ -1195,8 +1195,7 @@ static int init_iso_resource(struct clie
24468 if ((request->channels == 0 && request->bandwidth == 0) ||
24469 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24470 - request->bandwidth < 0)
24471 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24474 r = kmalloc(sizeof(*r), GFP_KERNEL);
24475 diff -urNp linux-2.6.35.4/drivers/firmware/dmi_scan.c linux-2.6.35.4/drivers/firmware/dmi_scan.c
24476 --- linux-2.6.35.4/drivers/firmware/dmi_scan.c 2010-08-26 19:47:12.000000000 -0400
24477 +++ linux-2.6.35.4/drivers/firmware/dmi_scan.c 2010-09-17 20:12:09.000000000 -0400
24478 @@ -387,11 +387,6 @@ void __init dmi_scan_machine(void)
24483 - * no iounmap() for that ioremap(); it would be a no-op, but
24484 - * it's so early in setup that sucker gets confused into doing
24485 - * what it shouldn't if we actually call it.
24487 p = dmi_ioremap(0xF0000, 0x10000);
24490 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_drv.c linux-2.6.35.4/drivers/gpu/drm/drm_drv.c
24491 --- linux-2.6.35.4/drivers/gpu/drm/drm_drv.c 2010-08-26 19:47:12.000000000 -0400
24492 +++ linux-2.6.35.4/drivers/gpu/drm/drm_drv.c 2010-09-17 20:12:09.000000000 -0400
24493 @@ -449,7 +449,7 @@ long drm_ioctl(struct file *filp,
24495 dev = file_priv->minor->dev;
24496 atomic_inc(&dev->ioctl_count);
24497 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24498 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24499 ++file_priv->ioctl_count;
24501 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
24502 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_fops.c linux-2.6.35.4/drivers/gpu/drm/drm_fops.c
24503 --- linux-2.6.35.4/drivers/gpu/drm/drm_fops.c 2010-08-26 19:47:12.000000000 -0400
24504 +++ linux-2.6.35.4/drivers/gpu/drm/drm_fops.c 2010-09-17 20:12:09.000000000 -0400
24505 @@ -67,7 +67,7 @@ static int drm_setup(struct drm_device *
24508 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24509 - atomic_set(&dev->counts[i], 0);
24510 + atomic_set_unchecked(&dev->counts[i], 0);
24512 dev->sigdata.lock = NULL;
24514 @@ -131,9 +131,9 @@ int drm_open(struct inode *inode, struct
24516 retcode = drm_open_helper(inode, filp, dev);
24518 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24519 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24520 spin_lock(&dev->count_lock);
24521 - if (!dev->open_count++) {
24522 + if (atomic_inc_return(&dev->open_count) == 1) {
24523 spin_unlock(&dev->count_lock);
24524 retcode = drm_setup(dev);
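Review bot: Nothing in the hunk says why `counts[_DRM_STAT_OPENS]` switches to `atomic_inc_unchecked` while `open_count` becomes an ordinary `atomic_t` that is still updated under `count_lock`. The distinction matters for review: a statistics counter may wrap harmlessly, a use count must not, and choosing the `_unchecked` variant for the wrong field would presumably give up the overflow detection this patch adds without any compile-time hint. A one-line comment at the first use, e.g. `/* statistics only, allowed to wrap */`, would make the choice auditable. The other `counts[]` hunks in drm_drv.c, drm_ioctl.c, drm_lock.c and i810_dma.c follow the same pattern.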
24526 @@ -474,7 +474,7 @@ int drm_release(struct inode *inode, str
24530 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24531 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24533 if (dev->driver->preclose)
24534 dev->driver->preclose(dev, file_priv);
24535 @@ -486,7 +486,7 @@ int drm_release(struct inode *inode, str
24536 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24537 task_pid_nr(current),
24538 (long)old_encode_dev(file_priv->minor->device),
24539 - dev->open_count);
24540 + atomic_read(&dev->open_count));
24542 /* if the master has gone away we can't do anything with the lock */
24543 if (file_priv->minor->master)
24544 @@ -567,9 +567,9 @@ int drm_release(struct inode *inode, str
24545 * End inline drm_release
24548 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24549 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24550 spin_lock(&dev->count_lock);
24551 - if (!--dev->open_count) {
24552 + if (atomic_dec_and_test(&dev->open_count)) {
24553 if (atomic_read(&dev->ioctl_count)) {
24554 DRM_ERROR("Device busy: %d\n",
24555 atomic_read(&dev->ioctl_count));
24556 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c
24557 --- linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24558 +++ linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c 2010-09-17 20:12:09.000000000 -0400
24559 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
24560 stats->data[i].value =
24561 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24563 - stats->data[i].value = atomic_read(&dev->counts[i]);
24564 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24565 stats->data[i].type = dev->types[i];
24568 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_lock.c linux-2.6.35.4/drivers/gpu/drm/drm_lock.c
24569 --- linux-2.6.35.4/drivers/gpu/drm/drm_lock.c 2010-08-26 19:47:12.000000000 -0400
24570 +++ linux-2.6.35.4/drivers/gpu/drm/drm_lock.c 2010-09-17 20:12:09.000000000 -0400
24571 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
24572 if (drm_lock_take(&master->lock, lock->context)) {
24573 master->lock.file_priv = file_priv;
24574 master->lock.lock_time = jiffies;
24575 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24576 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24577 break; /* Got lock */
24580 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
24584 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24585 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24587 /* kernel_context_switch isn't used by any of the x86 drm
24588 * modules but is required by the Sparc driver.
24589 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c
24590 --- linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c 2010-08-26 19:47:12.000000000 -0400
24591 +++ linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c 2010-09-17 20:12:09.000000000 -0400
24592 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24593 dma->buflist[vertex->idx],
24594 vertex->discard, vertex->used);
24596 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24597 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24598 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24599 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24600 sarea_priv->last_enqueue = dev_priv->counter - 1;
24601 sarea_priv->last_dispatch = (int)hw_status[5];
24603 @@ -1116,8 +1116,8 @@ static int i810_dma_mc(struct drm_device
24604 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24607 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24608 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24609 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24610 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24611 sarea_priv->last_enqueue = dev_priv->counter - 1;
24612 sarea_priv->last_dispatch = (int)hw_status[5];
24614 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c
24615 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c 2010-08-26 19:47:12.000000000 -0400
24616 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c 2010-09-17 20:12:09.000000000 -0400
24617 @@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
24621 -struct intel_dvo_dev_ops ch7017_ops = {
24622 +const struct intel_dvo_dev_ops ch7017_ops = {
24623 .init = ch7017_init,
24624 .detect = ch7017_detect,
24625 .mode_valid = ch7017_mode_valid,
24626 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c
24627 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-08-26 19:47:12.000000000 -0400
24628 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-09-17 20:12:09.000000000 -0400
24629 @@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
24633 -struct intel_dvo_dev_ops ch7xxx_ops = {
24634 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24635 .init = ch7xxx_init,
24636 .detect = ch7xxx_detect,
24637 .mode_valid = ch7xxx_mode_valid,
24638 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h
24639 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h 2010-08-26 19:47:12.000000000 -0400
24640 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h 2010-09-17 20:12:09.000000000 -0400
24641 @@ -125,23 +125,23 @@ struct intel_dvo_dev_ops {
24643 * \return singly-linked list of modes or NULL if no modes found.
24645 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24646 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24649 * Clean up driver-specific bits of the output
24651 - void (*destroy) (struct intel_dvo_device *dvo);
24652 + void (* const destroy) (struct intel_dvo_device *dvo);
24655 * Debugging hook to dump device registers to log file
24657 - void (*dump_regs)(struct intel_dvo_device *dvo);
24658 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24661 -extern struct intel_dvo_dev_ops sil164_ops;
24662 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24663 -extern struct intel_dvo_dev_ops ivch_ops;
24664 -extern struct intel_dvo_dev_ops tfp410_ops;
24665 -extern struct intel_dvo_dev_ops ch7017_ops;
24666 +extern const struct intel_dvo_dev_ops sil164_ops;
24667 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24668 +extern const struct intel_dvo_dev_ops ivch_ops;
24669 +extern const struct intel_dvo_dev_ops tfp410_ops;
24670 +extern const struct intel_dvo_dev_ops ch7017_ops;
24672 #endif /* _INTEL_DVO_H */
24673 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c
24674 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c 2010-08-26 19:47:12.000000000 -0400
24675 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c 2010-09-17 20:12:09.000000000 -0400
24676 @@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
24680 -struct intel_dvo_dev_ops ivch_ops= {
24681 +const struct intel_dvo_dev_ops ivch_ops= {
24684 .mode_valid = ivch_mode_valid,
24685 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c
24686 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c 2010-08-26 19:47:12.000000000 -0400
24687 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c 2010-09-17 20:12:09.000000000 -0400
24688 @@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
24692 -struct intel_dvo_dev_ops sil164_ops = {
24693 +const struct intel_dvo_dev_ops sil164_ops = {
24694 .init = sil164_init,
24695 .detect = sil164_detect,
24696 .mode_valid = sil164_mode_valid,
24697 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c
24698 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c 2010-08-26 19:47:12.000000000 -0400
24699 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c 2010-09-17 20:12:09.000000000 -0400
24700 @@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
24704 -struct intel_dvo_dev_ops tfp410_ops = {
24705 +const struct intel_dvo_dev_ops tfp410_ops = {
24706 .init = tfp410_init,
24707 .detect = tfp410_detect,
24708 .mode_valid = tfp410_mode_valid,
24709 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c
24710 --- linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c 2010-08-26 19:47:12.000000000 -0400
24711 +++ linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c 2010-09-17 20:12:09.000000000 -0400
24712 @@ -1342,7 +1342,7 @@ static bool i915_switcheroo_can_switch(s
24715 spin_lock(&dev->count_lock);
24716 - can_switch = (dev->open_count == 0);
24717 + can_switch = (atomic_read(&dev->open_count) == 0);
24718 spin_unlock(&dev->count_lock);
24721 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c
24722 --- linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c 2010-08-26 19:47:12.000000000 -0400
24723 +++ linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c 2010-09-17 20:12:09.000000000 -0400
24724 @@ -491,7 +491,7 @@ const struct dev_pm_ops i915_pm_ops = {
24725 .restore = i915_pm_resume,
24728 -static struct vm_operations_struct i915_gem_vm_ops = {
24729 +static const struct vm_operations_struct i915_gem_vm_ops = {
24730 .fault = i915_gem_fault,
24731 .open = drm_gem_vm_open,
24732 .close = drm_gem_vm_close,
24733 diff -urNp linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c
24734 --- linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-08-26 19:47:12.000000000 -0400
24735 +++ linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-09-17 20:12:09.000000000 -0400
24736 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
24740 -static struct backlight_ops nv40_bl_ops = {
24741 +static const struct backlight_ops nv40_bl_ops = {
24742 .options = BL_CORE_SUSPENDRESUME,
24743 .get_brightness = nv40_get_intensity,
24744 .update_status = nv40_set_intensity,
24745 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
24749 -static struct backlight_ops nv50_bl_ops = {
24750 +static const struct backlight_ops nv50_bl_ops = {
24751 .options = BL_CORE_SUSPENDRESUME,
24752 .get_brightness = nv50_get_intensity,
24753 .update_status = nv50_set_intensity,
24754 diff -urNp linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c
24755 --- linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c 2010-08-26 19:47:12.000000000 -0400
24756 +++ linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c 2010-09-17 20:12:09.000000000 -0400
24757 @@ -395,7 +395,7 @@ static bool nouveau_switcheroo_can_switc
24760 spin_lock(&dev->count_lock);
24761 - can_switch = (dev->open_count == 0);
24762 + can_switch = (atomic_read(&dev->open_count) == 0);
24763 spin_unlock(&dev->count_lock);
24766 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c
24767 --- linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c 2010-08-26 19:47:12.000000000 -0400
24768 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c 2010-09-17 20:12:09.000000000 -0400
24769 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24771 regmatch_t match[4];
24779 struct offset *offset;
24780 char last_reg_s[10];
24782 + unsigned long last_reg;
24785 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24786 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c
24787 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c 2010-08-26 19:47:12.000000000 -0400
24788 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c 2010-09-17 20:12:09.000000000 -0400
24789 @@ -562,7 +562,7 @@ static bool radeon_switcheroo_can_switch
24792 spin_lock(&dev->count_lock);
24793 - can_switch = (dev->open_count == 0);
24794 + can_switch = (atomic_read(&dev->open_count) == 0);
24795 spin_unlock(&dev->count_lock);
24798 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c
24799 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c 2010-08-26 19:47:12.000000000 -0400
24800 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c 2010-09-17 20:12:09.000000000 -0400
24801 @@ -559,7 +559,7 @@ static void radeon_compute_pll_legacy(st
24803 if (pll->flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
24804 error = freq - current_freq;
24805 - error = error < 0 ? 0xffffffff : error;
24806 + error = (int32_t)error < 0 ? 0xffffffff : error;
24808 error = abs(current_freq - freq);
24809 vco_diff = abs(vco - best_vco);
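Review bot: `(int32_t)error < 0` detects a negative difference by reinterpreting the already wrapped result, which depends on `error` being exactly 32 bits wide and on the true difference staying below 2^31. Comparing the operands before subtracting states the intent directly, assuming `freq` and `current_freq` are unsigned as the need for the cast suggests: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`. The declarations are outside the hunk, so the types need confirming before this is applied.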
24810 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c
24811 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c 2010-08-26 19:47:12.000000000 -0400
24812 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c 2010-09-17 20:12:09.000000000 -0400
24813 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24814 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24815 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24817 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24818 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24819 sarea_priv->nbox * sizeof(depth_boxes[0])))
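Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test re-reads a field that was clamped two lines above, and `sarea_priv->nbox` is read once more for the copy length, so a value that changes between the reads still reaches `DRM_COPY_FROM_USER`. If `sarea_priv` points into memory that user space can write concurrently, which the re-check implies, the window is narrowed but not closed. Taking one snapshot closes it: `nbox = sarea_priv->nbox; if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;`, then pass `nbox * sizeof(depth_boxes[0])` as the length. radeon_cp_clear continues outside the hunk, and any later use of `sarea_priv->nbox` there needs the same local.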
24822 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24824 drm_radeon_private_t *dev_priv = dev->dev_private;
24825 drm_radeon_getparam_t *param = data;
24829 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24831 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c
24832 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c 2010-08-26 19:47:12.000000000 -0400
24833 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c 2010-09-17 20:12:09.000000000 -0400
24834 @@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
24835 DRM_INFO("radeon: ttm finalized\n");
24838 -static struct vm_operations_struct radeon_ttm_vm_ops;
24839 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24840 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24841 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24842 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24844 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
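Review bot: The three `extern` prototypes are declared locally in this .c file, so the compiler never checks them against the definitions in ttm_bo_vm.c; a later signature change there would build cleanly and fail at run time. They belong in the TTM header that radeon_ttm.c already includes. In addition, the ttm_bo_vm.c hunks shown only drop `static` and add no `EXPORT_SYMBOL`, so if radeon and ttm can be built as separate modules the references to `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` would stay unresolved at load time. Each definition would need an export beside it, e.g. `EXPORT_SYMBOL(ttm_bo_vm_fault);`.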
24846 @@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
24847 struct radeon_device *rdev;
24850 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24851 - if (bo == NULL) {
24852 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24854 return VM_FAULT_NOPAGE;
24856 rdev = radeon_get_rdev(bo->bdev);
24857 mutex_lock(&rdev->vram_mutex);
24858 - r = ttm_vm_ops->fault(vma, vmf);
24859 + r = ttm_bo_vm_fault(vma, vmf);
24860 mutex_unlock(&rdev->vram_mutex);
24864 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24865 + .fault = radeon_ttm_fault,
24866 + .open = ttm_bo_vm_open,
24867 + .close = ttm_bo_vm_close
24870 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24872 struct drm_file *file_priv;
24873 @@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
24875 file_priv = (struct drm_file *)filp->private_data;
24876 rdev = file_priv->minor->dev->dev_private;
24877 - if (rdev == NULL) {
24881 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24882 - if (unlikely(r != 0)) {
24886 - if (unlikely(ttm_vm_ops == NULL)) {
24887 - ttm_vm_ops = vma->vm_ops;
24888 - radeon_ttm_vm_ops = *ttm_vm_ops;
24889 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24891 vma->vm_ops = &radeon_ttm_vm_ops;
24894 diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c
24895 --- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c 2010-08-26 19:47:12.000000000 -0400
24896 +++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c 2010-09-17 20:12:09.000000000 -0400
24898 #include <linux/module.h>
24900 #define TTM_ASSERT_LOCKED(param)
24901 -#define TTM_DEBUG(fmt, arg...)
24902 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24903 #define TTM_BO_HASH_ORDER 13
24905 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24906 diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c
24907 --- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-08-26 19:47:12.000000000 -0400
24908 +++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-09-17 20:12:09.000000000 -0400
24909 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24913 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24914 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24916 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24917 vma->vm_private_data;
24918 - struct ttm_bo_device *bdev = bo->bdev;
24919 + struct ttm_bo_device *bdev;
24920 unsigned long page_offset;
24921 unsigned long page_last;
24923 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
24924 unsigned long address = (unsigned long)vmf->virtual_address;
24925 int retval = VM_FAULT_NOPAGE;
24928 + return VM_FAULT_NOPAGE;
24932 * Work around locking order reversal in fault / nopfn
24933 * between mmap_sem and bo_reserve: Perform a trylock operation
24934 @@ -213,7 +217,7 @@ out_unlock:
24938 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24939 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24941 struct ttm_buffer_object *bo =
24942 (struct ttm_buffer_object *)vma->vm_private_data;
24943 @@ -221,7 +225,7 @@ static void ttm_bo_vm_open(struct vm_are
24944 (void)ttm_bo_reference(bo);
24947 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24948 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24950 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24952 diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c
24953 --- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c 2010-08-26 19:47:12.000000000 -0400
24954 +++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c 2010-09-17 20:12:09.000000000 -0400
24956 struct ttm_global_item {
24957 struct mutex mutex;
24960 + atomic_t refcount;
24963 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
24964 @@ -49,7 +49,7 @@ void ttm_global_init(void)
24965 struct ttm_global_item *item = &glob[i];
24966 mutex_init(&item->mutex);
24967 item->object = NULL;
24968 - item->refcount = 0;
24969 + atomic_set(&item->refcount, 0);
24973 @@ -59,7 +59,7 @@ void ttm_global_release(void)
24974 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
24975 struct ttm_global_item *item = &glob[i];
24976 BUG_ON(item->object != NULL);
24977 - BUG_ON(item->refcount != 0);
24978 + BUG_ON(atomic_read(&item->refcount) != 0);
24982 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
24985 mutex_lock(&item->mutex);
24986 - if (item->refcount == 0) {
24987 + if (atomic_read(&item->refcount) == 0) {
24988 item->object = kzalloc(ref->size, GFP_KERNEL);
24989 if (unlikely(item->object == NULL)) {
24991 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
24995 - ++item->refcount;
24996 + atomic_inc(&item->refcount);
24997 ref->object = item->object;
24998 object = item->object;
24999 mutex_unlock(&item->mutex);
25000 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
25001 struct ttm_global_item *item = &glob[ref->global_type];
25003 mutex_lock(&item->mutex);
25004 - BUG_ON(item->refcount == 0);
25005 + BUG_ON(atomic_read(&item->refcount) == 0);
25006 BUG_ON(ref->object != item->object);
25007 - if (--item->refcount == 0) {
25008 + if (atomic_dec_and_test(&item->refcount)) {
25010 item->object = NULL;
25012 diff -urNp linux-2.6.35.4/drivers/hid/usbhid/hiddev.c linux-2.6.35.4/drivers/hid/usbhid/hiddev.c
25013 --- linux-2.6.35.4/drivers/hid/usbhid/hiddev.c 2010-08-26 19:47:12.000000000 -0400
25014 +++ linux-2.6.35.4/drivers/hid/usbhid/hiddev.c 2010-09-17 20:12:09.000000000 -0400
25015 @@ -616,7 +616,7 @@ static long hiddev_ioctl(struct file *fi
25016 return put_user(HID_VERSION, (int __user *)arg);
25018 case HIDIOCAPPLICATION:
25019 - if (arg < 0 || arg >= hid->maxapplication)
25020 + if (arg >= hid->maxapplication)
25023 for (i = 0; i < hid->maxcollection; i++)
25024 diff -urNp linux-2.6.35.4/drivers/hwmon/k8temp.c linux-2.6.35.4/drivers/hwmon/k8temp.c
25025 --- linux-2.6.35.4/drivers/hwmon/k8temp.c 2010-08-26 19:47:12.000000000 -0400
25026 +++ linux-2.6.35.4/drivers/hwmon/k8temp.c 2010-09-17 20:12:09.000000000 -0400
25027 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
25029 static const struct pci_device_id k8temp_ids[] = {
25030 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
25032 + { 0, 0, 0, 0, 0, 0, 0 },
25035 MODULE_DEVICE_TABLE(pci, k8temp_ids);
25036 diff -urNp linux-2.6.35.4/drivers/hwmon/sis5595.c linux-2.6.35.4/drivers/hwmon/sis5595.c
25037 --- linux-2.6.35.4/drivers/hwmon/sis5595.c 2010-08-26 19:47:12.000000000 -0400
25038 +++ linux-2.6.35.4/drivers/hwmon/sis5595.c 2010-09-17 20:12:09.000000000 -0400
25039 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
25041 static const struct pci_device_id sis5595_pci_ids[] = {
25042 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25044 + { 0, 0, 0, 0, 0, 0, 0 }
25047 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
25048 diff -urNp linux-2.6.35.4/drivers/hwmon/via686a.c linux-2.6.35.4/drivers/hwmon/via686a.c
25049 --- linux-2.6.35.4/drivers/hwmon/via686a.c 2010-08-26 19:47:12.000000000 -0400
25050 +++ linux-2.6.35.4/drivers/hwmon/via686a.c 2010-09-17 20:12:09.000000000 -0400
25051 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
25053 static const struct pci_device_id via686a_pci_ids[] = {
25054 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
25056 + { 0, 0, 0, 0, 0, 0, 0 }
25059 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
25060 diff -urNp linux-2.6.35.4/drivers/hwmon/vt8231.c linux-2.6.35.4/drivers/hwmon/vt8231.c
25061 --- linux-2.6.35.4/drivers/hwmon/vt8231.c 2010-08-26 19:47:12.000000000 -0400
25062 +++ linux-2.6.35.4/drivers/hwmon/vt8231.c 2010-09-17 20:12:09.000000000 -0400
25063 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
25065 static const struct pci_device_id vt8231_pci_ids[] = {
25066 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
25068 + { 0, 0, 0, 0, 0, 0, 0 }
25071 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
25072 diff -urNp linux-2.6.35.4/drivers/hwmon/w83791d.c linux-2.6.35.4/drivers/hwmon/w83791d.c
25073 --- linux-2.6.35.4/drivers/hwmon/w83791d.c 2010-08-26 19:47:12.000000000 -0400
25074 +++ linux-2.6.35.4/drivers/hwmon/w83791d.c 2010-09-17 20:12:09.000000000 -0400
25075 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
25076 struct i2c_board_info *info);
25077 static int w83791d_remove(struct i2c_client *client);
25079 -static int w83791d_read(struct i2c_client *client, u8 register);
25080 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
25081 +static int w83791d_read(struct i2c_client *client, u8 reg);
25082 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
25083 static struct w83791d_data *w83791d_update_device(struct device *dev);
25086 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c
25087 --- linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c 2010-08-26 19:47:12.000000000 -0400
25088 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c 2010-09-17 20:12:09.000000000 -0400
25089 @@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
25090 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
25091 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
25092 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
25094 + { 0, 0, 0, 0, 0, 0, 0 }
25097 MODULE_DEVICE_TABLE(pci, i801_ids);
25098 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c
25099 --- linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c 2010-08-26 19:47:12.000000000 -0400
25100 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c 2010-09-17 20:12:09.000000000 -0400
25101 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
25103 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
25106 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25109 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
25110 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
25111 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
25112 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
25113 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
25115 + { 0, 0, 0, 0, 0, 0, 0 }
25118 MODULE_DEVICE_TABLE (pci, piix4_ids);
25119 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c
25120 --- linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c 2010-08-26 19:47:12.000000000 -0400
25121 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c 2010-09-17 20:12:09.000000000 -0400
25122 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
25123 static const struct pci_device_id sis630_ids[] __devinitconst = {
25124 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25125 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
25127 + { 0, 0, 0, 0, 0, 0, 0 }
25130 MODULE_DEVICE_TABLE (pci, sis630_ids);
25131 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c
25132 --- linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c 2010-08-26 19:47:12.000000000 -0400
25133 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c 2010-09-17 20:12:09.000000000 -0400
25134 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25136 static const struct pci_device_id sis96x_ids[] = {
25137 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25139 + { 0, 0, 0, 0, 0, 0, 0 }
25142 MODULE_DEVICE_TABLE (pci, sis96x_ids);
25143 diff -urNp linux-2.6.35.4/drivers/ide/ide-cd.c linux-2.6.35.4/drivers/ide/ide-cd.c
25144 --- linux-2.6.35.4/drivers/ide/ide-cd.c 2010-08-26 19:47:12.000000000 -0400
25145 +++ linux-2.6.35.4/drivers/ide/ide-cd.c 2010-09-17 20:12:09.000000000 -0400
25146 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
25147 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25148 if ((unsigned long)buf & alignment
25149 || blk_rq_bytes(rq) & q->dma_pad_mask
25150 - || object_is_on_stack(buf))
25151 + || object_starts_on_stack(buf))
25155 diff -urNp linux-2.6.35.4/drivers/ieee1394/dv1394.c linux-2.6.35.4/drivers/ieee1394/dv1394.c
25156 --- linux-2.6.35.4/drivers/ieee1394/dv1394.c 2010-08-26 19:47:12.000000000 -0400
25157 +++ linux-2.6.35.4/drivers/ieee1394/dv1394.c 2010-09-17 20:12:09.000000000 -0400
25158 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
25159 based upon DIF section and sequence
25162 -static void inline
25163 +static inline void
25164 frame_put_packet (struct frame *f, struct packet *p)
25166 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
25167 @@ -2179,7 +2179,7 @@ static const struct ieee1394_device_id d
25168 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25169 .version = AVC_SW_VERSION_ENTRY & 0xffffff
25172 + { 0, 0, 0, 0, 0, 0 }
25175 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
25176 diff -urNp linux-2.6.35.4/drivers/ieee1394/eth1394.c linux-2.6.35.4/drivers/ieee1394/eth1394.c
25177 --- linux-2.6.35.4/drivers/ieee1394/eth1394.c 2010-08-26 19:47:12.000000000 -0400
25178 +++ linux-2.6.35.4/drivers/ieee1394/eth1394.c 2010-09-17 20:12:09.000000000 -0400
25179 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
25180 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25181 .version = ETHER1394_GASP_VERSION,
25184 + { 0, 0, 0, 0, 0, 0 }
25187 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
25188 diff -urNp linux-2.6.35.4/drivers/ieee1394/hosts.c linux-2.6.35.4/drivers/ieee1394/hosts.c
25189 --- linux-2.6.35.4/drivers/ieee1394/hosts.c 2010-08-26 19:47:12.000000000 -0400
25190 +++ linux-2.6.35.4/drivers/ieee1394/hosts.c 2010-09-17 20:12:09.000000000 -0400
25191 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
25194 static struct hpsb_host_driver dummy_driver = {
25196 .transmit_packet = dummy_transmit_packet,
25197 .devctl = dummy_devctl,
25198 .isoctl = dummy_isoctl
25199 diff -urNp linux-2.6.35.4/drivers/ieee1394/ohci1394.c linux-2.6.35.4/drivers/ieee1394/ohci1394.c
25200 --- linux-2.6.35.4/drivers/ieee1394/ohci1394.c 2010-08-26 19:47:12.000000000 -0400
25201 +++ linux-2.6.35.4/drivers/ieee1394/ohci1394.c 2010-09-17 20:12:09.000000000 -0400
25202 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
25203 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25205 /* Module Parameters */
25206 -static int phys_dma = 1;
25207 +static int phys_dma;
25208 module_param(phys_dma, int, 0444);
25209 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25210 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25212 static void dma_trm_tasklet(unsigned long data);
25213 static void dma_trm_reset(struct dma_trm_ctx *d);
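Review bot: The new default for `phys_dma` rests only on the implicit zero initialisation of a static, and nothing at the declaration records why physical DMA is now off. Physical DMA lets other nodes on the bus reach host memory without the CPU being involved, so this is a security default and should be stated as one, e.g. `/* off by default: physical DMA gives bus peers direct access to host memory */`. Because the parameter is registered with mode 0444 it can only be chosen at load time, so the description string could also say that setups which relied on the old behaviour must now pass `phys_dma=1` explicitly.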
25214 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
25215 .subvendor = PCI_ANY_ID,
25216 .subdevice = PCI_ANY_ID,
25219 + { 0, 0, 0, 0, 0, 0, 0 },
25222 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
25223 diff -urNp linux-2.6.35.4/drivers/ieee1394/raw1394.c linux-2.6.35.4/drivers/ieee1394/raw1394.c
25224 --- linux-2.6.35.4/drivers/ieee1394/raw1394.c 2010-08-26 19:47:12.000000000 -0400
25225 +++ linux-2.6.35.4/drivers/ieee1394/raw1394.c 2010-09-17 20:12:09.000000000 -0400
25226 @@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
25227 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25228 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25229 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25231 + { 0, 0, 0, 0, 0, 0 }
25234 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
25235 diff -urNp linux-2.6.35.4/drivers/ieee1394/sbp2.c linux-2.6.35.4/drivers/ieee1394/sbp2.c
25236 --- linux-2.6.35.4/drivers/ieee1394/sbp2.c 2010-08-26 19:47:12.000000000 -0400
25237 +++ linux-2.6.35.4/drivers/ieee1394/sbp2.c 2010-09-17 20:12:09.000000000 -0400
25238 @@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
25239 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25240 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25241 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
25243 + { 0, 0, 0, 0, 0, 0 }
25245 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25247 @@ -2110,7 +2110,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
25248 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25249 MODULE_LICENSE("GPL");
25251 -static int sbp2_module_init(void)
25252 +static int __init sbp2_module_init(void)
25256 diff -urNp linux-2.6.35.4/drivers/ieee1394/video1394.c linux-2.6.35.4/drivers/ieee1394/video1394.c
25257 --- linux-2.6.35.4/drivers/ieee1394/video1394.c 2010-08-26 19:47:12.000000000 -0400
25258 +++ linux-2.6.35.4/drivers/ieee1394/video1394.c 2010-09-17 20:12:09.000000000 -0400
25259 @@ -1312,7 +1312,7 @@ static const struct ieee1394_device_id v
25260 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25261 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25264 + { 0, 0, 0, 0, 0, 0 }
25267 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
25268 diff -urNp linux-2.6.35.4/drivers/infiniband/core/cm.c linux-2.6.35.4/drivers/infiniband/core/cm.c
25269 --- linux-2.6.35.4/drivers/infiniband/core/cm.c 2010-08-26 19:47:12.000000000 -0400
25270 +++ linux-2.6.35.4/drivers/infiniband/core/cm.c 2010-09-17 20:12:09.000000000 -0400
25271 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25273 struct cm_counter_group {
25274 struct kobject obj;
25275 - atomic_long_t counter[CM_ATTR_COUNT];
25276 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25279 struct cm_counter_attribute {
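Review bot: `counter[]` in struct cm_counter_group becomes `atomic_long_unchecked_t` with no comment saying why these fields opt out of the overflow checking that the plain atomic types appear to receive elsewhere in this patch. From the later hunks they look like pure statistics (incremented on duplicate and retry paths, printed by cm_show_counter), so wrapping is harmless, but that reasoning belongs at the declaration: `/* statistics only, may wrap; not a reference count */`. The remaining cm.c hunks are the matching call-site conversions and need nothing beyond that one comment.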
25280 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25281 struct ib_mad_send_buf *msg = NULL;
25284 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25285 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25286 counter[CM_REQ_COUNTER]);
25288 /* Quick state check to discard duplicate REQs. */
25289 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25293 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25294 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25295 counter[CM_REP_COUNTER]);
25296 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25298 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25299 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25300 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25301 spin_unlock_irq(&cm_id_priv->lock);
25302 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25303 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25304 counter[CM_RTU_COUNTER]);
25307 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25308 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25309 dreq_msg->local_comm_id);
25311 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25312 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25313 counter[CM_DREQ_COUNTER]);
25314 cm_issue_drep(work->port, work->mad_recv_wc);
25316 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25317 case IB_CM_MRA_REP_RCVD:
25319 case IB_CM_TIMEWAIT:
25320 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25321 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25322 counter[CM_DREQ_COUNTER]);
25323 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25325 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25328 case IB_CM_DREQ_RCVD:
25329 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25330 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25331 counter[CM_DREQ_COUNTER]);
25334 @@ -2502,7 +2502,7 @@ static int cm_mra_handler(struct cm_work
25335 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25336 cm_id_priv->msg, timeout)) {
25337 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25338 - atomic_long_inc(&work->port->
25339 + atomic_long_inc_unchecked(&work->port->
25340 counter_group[CM_RECV_DUPLICATES].
25341 counter[CM_MRA_COUNTER]);
25343 @@ -2511,7 +2511,7 @@ static int cm_mra_handler(struct cm_work
25345 case IB_CM_MRA_REQ_RCVD:
25346 case IB_CM_MRA_REP_RCVD:
25347 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25348 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25349 counter[CM_MRA_COUNTER]);
25352 @@ -2673,7 +2673,7 @@ static int cm_lap_handler(struct cm_work
25353 case IB_CM_LAP_IDLE:
25355 case IB_CM_MRA_LAP_SENT:
25356 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25357 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25358 counter[CM_LAP_COUNTER]);
25359 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25361 @@ -2689,7 +2689,7 @@ static int cm_lap_handler(struct cm_work
25364 case IB_CM_LAP_RCVD:
25365 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25366 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25367 counter[CM_LAP_COUNTER]);
25370 @@ -2973,7 +2973,7 @@ static int cm_sidr_req_handler(struct cm
25371 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25372 if (cur_cm_id_priv) {
25373 spin_unlock_irq(&cm.lock);
25374 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25375 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25376 counter[CM_SIDR_REQ_COUNTER]);
25377 goto out; /* Duplicate message. */
25379 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
25380 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25383 - atomic_long_add(1 + msg->retries,
25384 + atomic_long_add_unchecked(1 + msg->retries,
25385 &port->counter_group[CM_XMIT].counter[attr_index]);
25387 - atomic_long_add(msg->retries,
25388 + atomic_long_add_unchecked(msg->retries,
25389 &port->counter_group[CM_XMIT_RETRIES].
25390 counter[attr_index]);
25392 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
25395 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25396 - atomic_long_inc(&port->counter_group[CM_RECV].
25397 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25398 counter[attr_id - CM_ATTR_ID_OFFSET]);
25400 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25401 @@ -3595,7 +3595,7 @@ static ssize_t cm_show_counter(struct ko
25402 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25404 return sprintf(buf, "%ld\n",
25405 - atomic_long_read(&group->counter[cm_attr->index]));
25406 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25409 static const struct sysfs_ops cm_counter_ops = {
25410 diff -urNp linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h
25411 --- linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h 2010-08-26 19:47:12.000000000 -0400
25412 +++ linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h 2010-09-17 20:12:09.000000000 -0400
25414 #include <linux/completion.h>
25415 #include <linux/kref.h>
25416 #include <linux/sched.h>
25417 +#include <linux/slab.h>
25419 #include "qib_common.h"
25420 #include "qib_verbs.h"
25421 diff -urNp linux-2.6.35.4/drivers/input/keyboard/atkbd.c linux-2.6.35.4/drivers/input/keyboard/atkbd.c
25422 --- linux-2.6.35.4/drivers/input/keyboard/atkbd.c 2010-08-26 19:47:12.000000000 -0400
25423 +++ linux-2.6.35.4/drivers/input/keyboard/atkbd.c 2010-09-17 20:12:09.000000000 -0400
25424 @@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
25426 .extra = SERIO_ANY,
25432 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25433 diff -urNp linux-2.6.35.4/drivers/input/mouse/lifebook.c linux-2.6.35.4/drivers/input/mouse/lifebook.c
25434 --- linux-2.6.35.4/drivers/input/mouse/lifebook.c 2010-08-26 19:47:12.000000000 -0400
25435 +++ linux-2.6.35.4/drivers/input/mouse/lifebook.c 2010-09-17 20:12:09.000000000 -0400
25436 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25437 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25441 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25444 void __init lifebook_module_init(void)
25445 diff -urNp linux-2.6.35.4/drivers/input/mouse/psmouse-base.c linux-2.6.35.4/drivers/input/mouse/psmouse-base.c
25446 --- linux-2.6.35.4/drivers/input/mouse/psmouse-base.c 2010-08-26 19:47:12.000000000 -0400
25447 +++ linux-2.6.35.4/drivers/input/mouse/psmouse-base.c 2010-09-17 20:12:09.000000000 -0400
25448 @@ -1460,7 +1460,7 @@ static struct serio_device_id psmouse_se
25450 .extra = SERIO_ANY,
25456 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25457 diff -urNp linux-2.6.35.4/drivers/input/mouse/synaptics.c linux-2.6.35.4/drivers/input/mouse/synaptics.c
25458 --- linux-2.6.35.4/drivers/input/mouse/synaptics.c 2010-08-26 19:47:12.000000000 -0400
25459 +++ linux-2.6.35.4/drivers/input/mouse/synaptics.c 2010-09-17 20:12:09.000000000 -0400
25460 @@ -476,7 +476,7 @@ static void synaptics_process_packet(str
25463 if (SYN_MODEL_PEN(priv->model_id))
25464 - ; /* Nothing, treat a pen as a single finger */
25465 + break; /* Nothing, treat a pen as a single finger */
25468 if (SYN_CAP_PALMDETECT(priv->capabilities))
25469 @@ -701,7 +701,6 @@ static const struct dmi_system_id __init
25470 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25471 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25476 /* Toshiba Portege M300 */
25477 @@ -710,9 +709,8 @@ static const struct dmi_system_id __init
25478 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25479 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25484 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25488 diff -urNp linux-2.6.35.4/drivers/input/mousedev.c linux-2.6.35.4/drivers/input/mousedev.c
25489 --- linux-2.6.35.4/drivers/input/mousedev.c 2010-08-26 19:47:12.000000000 -0400
25490 +++ linux-2.6.35.4/drivers/input/mousedev.c 2010-09-17 20:12:09.000000000 -0400
25491 @@ -754,7 +754,7 @@ static ssize_t mousedev_read(struct file
25493 spin_unlock_irq(&client->packet_lock);
25495 - if (copy_to_user(buffer, data, count))
25496 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
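Review bot: The `count > sizeof(data)` test guards only the copy_to_user() call, and it runs after `packet_lock` has already been released. If `data` is filled using the same `count` earlier in mousedev_read (that code is outside the hunk), an oversized value would already have overrun the array before this check is reached. Clamping or rejecting `count` before the buffer is written would cover both the fill and the copy-out. The function starts and ends outside the hunk, so this needs confirming against the full source.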
25500 @@ -1051,7 +1051,7 @@ static struct input_handler mousedev_han
25502 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25503 static struct miscdevice psaux_mouse = {
25504 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25505 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25507 static int psaux_registered;
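Review bot: The `psaux_mouse` initializer is extended positionally with `{NULL, NULL}, NULL, NULL`, which silently depends on the member order of struct miscdevice and will mis-assign values if that struct is ever reordered. Designated initializers express the same thing without that coupling: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops,` with the remaining members left to implicit zero initialisation.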
25509 diff -urNp linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h
25510 --- linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h 2010-08-26 19:47:12.000000000 -0400
25511 +++ linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h 2010-09-17 20:12:09.000000000 -0400
25512 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25513 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25517 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25521 @@ -413,7 +413,7 @@ static const struct dmi_system_id __init
25522 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25526 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25529 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25530 @@ -487,7 +487,7 @@ static const struct dmi_system_id __init
25531 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25535 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25539 @@ -506,7 +506,7 @@ static const struct dmi_system_id __init
25540 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25544 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25547 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25548 @@ -530,7 +530,7 @@ static const struct dmi_system_id __init
25549 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25553 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25557 @@ -604,7 +604,7 @@ static const struct dmi_system_id __init
25558 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25562 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25565 #endif /* CONFIG_X86 */
25566 diff -urNp linux-2.6.35.4/drivers/input/serio/serio_raw.c linux-2.6.35.4/drivers/input/serio/serio_raw.c
25567 --- linux-2.6.35.4/drivers/input/serio/serio_raw.c 2010-08-26 19:47:12.000000000 -0400
25568 +++ linux-2.6.35.4/drivers/input/serio/serio_raw.c 2010-09-17 20:12:09.000000000 -0400
25569 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25571 .extra = SERIO_ANY,
25577 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25578 diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/common.c linux-2.6.35.4/drivers/isdn/gigaset/common.c
25579 --- linux-2.6.35.4/drivers/isdn/gigaset/common.c 2010-08-26 19:47:12.000000000 -0400
25580 +++ linux-2.6.35.4/drivers/isdn/gigaset/common.c 2010-09-17 20:12:09.000000000 -0400
25581 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25582 cs->commands_pending = 0;
25583 cs->cur_at_seq = 0;
25585 - cs->open_count = 0;
25586 + atomic_set(&cs->open_count, 0);
25589 cs->tty_dev = NULL;
25590 diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h
25591 --- linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h 2010-08-26 19:47:12.000000000 -0400
25592 +++ linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h 2010-09-17 20:12:09.000000000 -0400
25593 @@ -442,7 +442,7 @@ struct cardstate {
25594 spinlock_t cmdlock;
25595 unsigned curlen, cmdbytes;
25597 - unsigned open_count;
25598 + atomic_t open_count;
25599 struct tty_struct *tty;
25600 struct tasklet_struct if_wake_tasklet;
25601 unsigned control_state;
25602 diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/interface.c linux-2.6.35.4/drivers/isdn/gigaset/interface.c
25603 --- linux-2.6.35.4/drivers/isdn/gigaset/interface.c 2010-08-26 19:47:12.000000000 -0400
25604 +++ linux-2.6.35.4/drivers/isdn/gigaset/interface.c 2010-09-17 20:12:09.000000000 -0400
25605 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25606 return -ERESTARTSYS;
25607 tty->driver_data = cs;
25609 - ++cs->open_count;
25611 - if (cs->open_count == 1) {
25612 + if (atomic_inc_return(&cs->open_count) == 1) {
25613 spin_lock_irqsave(&cs->lock, flags);
25615 spin_unlock_irqrestore(&cs->lock, flags);
25616 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25618 if (!cs->connected)
25619 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25620 - else if (!cs->open_count)
25621 + else if (!atomic_read(&cs->open_count))
25622 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25624 - if (!--cs->open_count) {
25625 + if (!atomic_dec_return(&cs->open_count)) {
25626 spin_lock_irqsave(&cs->lock, flags);
25628 spin_unlock_irqrestore(&cs->lock, flags);
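Review bot: In if_close the zero test (`atomic_read(&cs->open_count)`) and the decrement (`atomic_dec_return(&cs->open_count)`) are two separate atomic operations, so converting `open_count` to atomic_t does not by itself make the check-then-decrement safe against a concurrent close. If a lock taken earlier in if_close (outside the hunk) serialises the two, say so next to the test, e.g. `/* open_count only changes under <lock name>; atomic_t is used for overflow detection */` with the real lock filled in. The `atomic_read()` tests in if_ioctl, if_write, if_write_room and the other handlers only select a warning, so they are less sensitive to this.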
25629 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25630 if (!cs->connected) {
25631 gig_dbg(DEBUG_IF, "not connected");
25633 - } else if (!cs->open_count)
25634 + } else if (!atomic_read(&cs->open_count))
25635 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25638 @@ -355,7 +353,7 @@ static int if_write(struct tty_struct *t
25639 if (!cs->connected) {
25640 gig_dbg(DEBUG_IF, "not connected");
25642 - } else if (!cs->open_count)
25643 + } else if (!atomic_read(&cs->open_count))
25644 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25645 else if (cs->mstate != MS_LOCKED) {
25646 dev_warn(cs->dev, "can't write to unlocked device\n");
25647 @@ -389,7 +387,7 @@ static int if_write_room(struct tty_stru
25648 if (!cs->connected) {
25649 gig_dbg(DEBUG_IF, "not connected");
25651 - } else if (!cs->open_count)
25652 + } else if (!atomic_read(&cs->open_count))
25653 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25654 else if (cs->mstate != MS_LOCKED) {
25655 dev_warn(cs->dev, "can't write to unlocked device\n");
25656 @@ -419,7 +417,7 @@ static int if_chars_in_buffer(struct tty
25658 if (!cs->connected)
25659 gig_dbg(DEBUG_IF, "not connected");
25660 - else if (!cs->open_count)
25661 + else if (!atomic_read(&cs->open_count))
25662 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25663 else if (cs->mstate != MS_LOCKED)
25664 dev_warn(cs->dev, "can't write to unlocked device\n");
25665 @@ -447,7 +445,7 @@ static void if_throttle(struct tty_struc
25667 if (!cs->connected)
25668 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25669 - else if (!cs->open_count)
25670 + else if (!atomic_read(&cs->open_count))
25671 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25673 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25674 @@ -471,7 +469,7 @@ static void if_unthrottle(struct tty_str
25676 if (!cs->connected)
25677 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25678 - else if (!cs->open_count)
25679 + else if (!atomic_read(&cs->open_count))
25680 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25682 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25683 @@ -502,7 +500,7 @@ static void if_set_termios(struct tty_st
25687 - if (!cs->open_count) {
25688 + if (!atomic_read(&cs->open_count)) {
25689 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25692 diff -urNp linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c
25693 --- linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c 2010-08-26 19:47:12.000000000 -0400
25694 +++ linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c 2010-09-17 20:12:37.000000000 -0400
25695 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25698 if (t4file->user) {
25699 - if (copy_from_user(buf, dp, left))
25700 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25703 memcpy(buf, dp, left);
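Review bot: The new `left > sizeof(buf)` bound protects only the copy_from_user() branch; the `memcpy(buf, dp, left)` in the other branch, visible at the end of this hunk, still copies `left` bytes into the same buffer unchecked. Hoisting the test above the `t4file->user` branch, as `if (left > sizeof(buf))` followed by the error return the function already uses, would cover both paths. The b1_load_config hunk below and the icn_writecmd hunk in drivers/isdn/icn/icn.c have the same shape. Code earlier in b1_load_t4file, outside the hunk, may already bound `left`, in which case the check is defence in depth and a comment should say so.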
25704 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25707 if (config->user) {
25708 - if (copy_from_user(buf, dp, left))
25709 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25712 memcpy(buf, dp, left);
25713 diff -urNp linux-2.6.35.4/drivers/isdn/icn/icn.c linux-2.6.35.4/drivers/isdn/icn/icn.c
25714 --- linux-2.6.35.4/drivers/isdn/icn/icn.c 2010-08-26 19:47:12.000000000 -0400
25715 +++ linux-2.6.35.4/drivers/isdn/icn/icn.c 2010-09-17 20:12:37.000000000 -0400
25716 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25720 - if (copy_from_user(msg, buf, count))
25721 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
25724 memcpy(msg, buf, count);
25725 diff -urNp linux-2.6.35.4/drivers/lguest/core.c linux-2.6.35.4/drivers/lguest/core.c
25726 --- linux-2.6.35.4/drivers/lguest/core.c 2010-08-26 19:47:12.000000000 -0400
25727 +++ linux-2.6.35.4/drivers/lguest/core.c 2010-09-17 20:12:09.000000000 -0400
25728 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25729 * it's worked so far. The end address needs +1 because __get_vm_area
25730 * allocates an extra guard page, so we need space for that.
25733 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25734 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25735 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25736 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25738 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25739 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25740 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25743 if (!switcher_vma) {
25745 printk("lguest: could not map switcher pages high\n");
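Review bot: The `__get_vm_area()` call is now written out twice, once under the KERNEXEC `#if` and once for the default case, differing only in the `VM_KERNEXEC` flag, so any later change to the size or address arguments has to be made in both copies. Selecting the flags once keeps a single call site: declare `unsigned long flags = VM_ALLOC;` with the function's other locals, do `flags |= VM_KERNEXEC;` under the `#if`, and pass `flags` to one `__get_vm_area()` call. map_switcher starts and ends outside the hunk.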
25746 diff -urNp linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c
25747 --- linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c 2010-08-26 19:47:12.000000000 -0400
25748 +++ linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c 2010-09-17 20:12:09.000000000 -0400
25751 #define MAX_PMU_LEVEL 0xFF
25753 -static struct backlight_ops pmu_backlight_data;
25754 +static const struct backlight_ops pmu_backlight_data;
25755 static DEFINE_SPINLOCK(pmu_backlight_lock);
25756 static int sleeping, uses_pmu_bl;
25757 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25758 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25759 return bd->props.brightness;
25762 -static struct backlight_ops pmu_backlight_data = {
25763 +static const struct backlight_ops pmu_backlight_data = {
25764 .get_brightness = pmu_backlight_get_brightness,
25765 .update_status = pmu_backlight_update_status,
25767 diff -urNp linux-2.6.35.4/drivers/macintosh/via-pmu.c linux-2.6.35.4/drivers/macintosh/via-pmu.c
25768 --- linux-2.6.35.4/drivers/macintosh/via-pmu.c 2010-08-26 19:47:12.000000000 -0400
25769 +++ linux-2.6.35.4/drivers/macintosh/via-pmu.c 2010-09-17 20:12:09.000000000 -0400
25770 @@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
25771 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25774 -static struct platform_suspend_ops pmu_pm_ops = {
25775 +static const struct platform_suspend_ops pmu_pm_ops = {
25776 .enter = powerbook_sleep,
25777 .valid = pmu_sleep_valid,
25779 diff -urNp linux-2.6.35.4/drivers/md/bitmap.c linux-2.6.35.4/drivers/md/bitmap.c
25780 --- linux-2.6.35.4/drivers/md/bitmap.c 2010-08-26 19:47:12.000000000 -0400
25781 +++ linux-2.6.35.4/drivers/md/bitmap.c 2010-09-17 20:12:09.000000000 -0400
25784 # define PRINTK(x...) printk(KERN_DEBUG x)
25786 -# define PRINTK(x...)
25787 +# define PRINTK(x...) do {} while (0)
25791 diff -urNp linux-2.6.35.4/drivers/md/dm-table.c linux-2.6.35.4/drivers/md/dm-table.c
25792 --- linux-2.6.35.4/drivers/md/dm-table.c 2010-08-26 19:47:12.000000000 -0400
25793 +++ linux-2.6.35.4/drivers/md/dm-table.c 2010-09-17 20:12:09.000000000 -0400
25794 @@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
25798 - if ((start >= dev_size) || (start + len > dev_size)) {
25799 + if ((start >= dev_size) || (len > dev_size - start)) {
25800 DMWARN("%s: %s too small for target: "
25801 "start=%llu, len=%llu, dev_size=%llu",
25802 dm_device_name(ti->table->md), bdevname(bdev, b),
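Review bot: The rewritten bound `len > dev_size - start` is only correct because `start >= dev_size` is tested first in the same condition, and nothing at the site records that ordering dependency or why the sum was avoided. A comment above the `if` would stop it being simplified back to the wrapping form: `/* start + len may wrap; start < dev_size is checked first, so the subtraction cannot */`. device_area_is_invalid continues outside the hunk.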
25803 diff -urNp linux-2.6.35.4/drivers/md/md.c linux-2.6.35.4/drivers/md/md.c
25804 --- linux-2.6.35.4/drivers/md/md.c 2010-08-26 19:47:12.000000000 -0400
25805 +++ linux-2.6.35.4/drivers/md/md.c 2010-09-17 20:12:09.000000000 -0400
25806 @@ -6352,7 +6352,7 @@ static int md_seq_show(struct seq_file *
25807 chunk_kb ? "KB" : "B");
25808 if (bitmap->file) {
25809 seq_printf(seq, ", file: ");
25810 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25811 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25814 seq_printf(seq, "\n");
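Review bot: The escape set passed to seq_path() gains a backslash with no comment explaining why. seq_path() writes characters from this set in escaped form, so leaving the backslash itself unescaped would let a file name containing a literal backslash sequence be read as an escaped character by anything that parses this output. A one-line comment above the call would record that: `/* escape '\\' too, so escaped output stays unambiguous */`.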
25815 @@ -6446,7 +6446,7 @@ static int is_mddev_idle(mddev_t *mddev,
25816 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25817 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25818 (int)part_stat_read(&disk->part0, sectors[1]) -
25819 - atomic_read(&disk->sync_io);
25820 + atomic_read_unchecked(&disk->sync_io);
25821 /* sync IO will cause sync_io to increase before the disk_stats
25822 * as sync_io is counted when a request starts, and
25823 * disk_stats is counted when it completes.
25824 diff -urNp linux-2.6.35.4/drivers/md/md.h linux-2.6.35.4/drivers/md/md.h
25825 --- linux-2.6.35.4/drivers/md/md.h 2010-08-26 19:47:12.000000000 -0400
25826 +++ linux-2.6.35.4/drivers/md/md.h 2010-09-17 20:12:09.000000000 -0400
25827 @@ -334,7 +334,7 @@ static inline void rdev_dec_pending(mdk_
25829 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25831 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25832 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25835 struct mdk_personality
25836 diff -urNp linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c
25837 --- linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c 2010-08-26 19:47:12.000000000 -0400
25838 +++ linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c 2010-09-17 20:12:09.000000000 -0400
25839 @@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
25840 const struct dvb_device *template, void *priv, int type)
25842 struct dvb_device *dvbdev;
25843 + /* cannot be const, see this function */
25844 struct file_operations *dvbdevfops;
25845 struct device *clsdev;
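Review bot: The added comment `/* cannot be const, see this function */` names no reason, so a reader has to search the whole of dvb_register_device() to learn what writes through `dvbdevfops`. State the cause in the comment itself, for example `/* not const: points at a per-device copy of the template fops that is modified below */`, adjusted to whatever the body actually does, since the body is outside this hunk. The bare `/* cannot be const */` comments added in e1000e/82571.c, e1000e/es2lan.c, e1000e/hw.h and igb/e1000_hw.h have the same gap. A documented exception to constification is easier to audit later, because it shows which writable function-pointer tables remain and why.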
25847 diff -urNp linux-2.6.35.4/drivers/media/radio/radio-cadet.c linux-2.6.35.4/drivers/media/radio/radio-cadet.c
25848 --- linux-2.6.35.4/drivers/media/radio/radio-cadet.c 2010-08-26 19:47:12.000000000 -0400
25849 +++ linux-2.6.35.4/drivers/media/radio/radio-cadet.c 2010-09-17 20:12:37.000000000 -0400
25850 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
25851 while (i < count && dev->rdsin != dev->rdsout)
25852 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25854 - if (copy_to_user(data, readbuf, i))
25855 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
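Review bot: The new `i > sizeof(readbuf)` test runs only after the loop above it has already stored `i` bytes into `readbuf`, so it protects the `copy_to_user()` length but not the buffer itself. If `i` could ever exceed the array size, the stack would be overrun before this line is reached. The declaration of `readbuf` and the ring-buffer limits are outside this hunk, so this may be unreachable in practice. Bounding the loop states the invariant where the writes happen: `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`. With that in place the later check becomes a pure sanity test.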
25859 diff -urNp linux-2.6.35.4/drivers/message/fusion/mptbase.c linux-2.6.35.4/drivers/message/fusion/mptbase.c
25860 --- linux-2.6.35.4/drivers/message/fusion/mptbase.c 2010-08-26 19:47:12.000000000 -0400
25861 +++ linux-2.6.35.4/drivers/message/fusion/mptbase.c 2010-09-17 20:12:37.000000000 -0400
25862 @@ -6715,8 +6715,14 @@ procmpt_iocinfo_read(char *buf, char **s
25863 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25864 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25866 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25867 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25870 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25871 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25875 * Rounding UP to nearest 4-kB boundary here...
25877 diff -urNp linux-2.6.35.4/drivers/message/fusion/mptdebug.h linux-2.6.35.4/drivers/message/fusion/mptdebug.h
25878 --- linux-2.6.35.4/drivers/message/fusion/mptdebug.h 2010-08-26 19:47:12.000000000 -0400
25879 +++ linux-2.6.35.4/drivers/message/fusion/mptdebug.h 2010-09-17 20:12:09.000000000 -0400
25884 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25885 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25889 diff -urNp linux-2.6.35.4/drivers/message/fusion/mptsas.c linux-2.6.35.4/drivers/message/fusion/mptsas.c
25890 --- linux-2.6.35.4/drivers/message/fusion/mptsas.c 2010-08-26 19:47:12.000000000 -0400
25891 +++ linux-2.6.35.4/drivers/message/fusion/mptsas.c 2010-09-17 20:12:09.000000000 -0400
25892 @@ -437,6 +437,23 @@ mptsas_is_end_device(struct mptsas_devin
25896 +static inline void
25897 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25899 + if (phy_info->port_details) {
25900 + phy_info->port_details->rphy = rphy;
25901 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25902 + ioc->name, rphy));
25906 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25907 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25908 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25909 + ioc->name, rphy, rphy->dev.release));
25915 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25916 @@ -475,23 +492,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25920 -static inline void
25921 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25923 - if (phy_info->port_details) {
25924 - phy_info->port_details->rphy = rphy;
25925 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25926 - ioc->name, rphy));
25930 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25931 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25932 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25933 - ioc->name, rphy, rphy->dev.release));
25937 static inline struct sas_port *
25938 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25940 diff -urNp linux-2.6.35.4/drivers/message/i2o/i2o_proc.c linux-2.6.35.4/drivers/message/i2o/i2o_proc.c
25941 --- linux-2.6.35.4/drivers/message/i2o/i2o_proc.c 2010-08-26 19:47:12.000000000 -0400
25942 +++ linux-2.6.35.4/drivers/message/i2o/i2o_proc.c 2010-09-17 20:12:09.000000000 -0400
25943 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25944 "Array Controller Device"
25947 -static char *chtostr(u8 * chars, int n)
25951 - return strncat(tmp, (char *)chars, n);
25954 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25957 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25959 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25960 seq_printf(seq, "%-#8x", ddm_table.module_id);
25961 - seq_printf(seq, "%-29s",
25962 - chtostr(ddm_table.module_name_version, 28));
25963 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25964 seq_printf(seq, "%9d ", ddm_table.data_size);
25965 seq_printf(seq, "%8d", ddm_table.code_size);
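Review bot: Replacing `%-29s` with `%-.28s` drops the field width, so the module name is no longer padded to 29 columns and the `-` flag has nothing left to align. The precision correctly bounds the read of the possibly unterminated `module_name_version` array, but the `data_size` column that follows will now shift with the name length. Keeping both width and precision preserves the table layout: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The i2o_seq_show_drivers_stored() hunk has the same regression, where `%-.28s` and `%-.8s` should be `%-29.28s` and `%-9.8s`.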
25967 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25969 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25970 seq_printf(seq, "%-#8x", dst->module_id);
25971 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25972 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25973 + seq_printf(seq, "%-.28s", dst->module_name_version);
25974 + seq_printf(seq, "%-.8s", dst->date);
25975 seq_printf(seq, "%8d ", dst->module_size);
25976 seq_printf(seq, "%8d ", dst->mpb_size);
25977 seq_printf(seq, "0x%04x", dst->module_flags);
25978 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25979 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25980 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25981 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25982 - seq_printf(seq, "Vendor info : %s\n",
25983 - chtostr((u8 *) (work32 + 2), 16));
25984 - seq_printf(seq, "Product info : %s\n",
25985 - chtostr((u8 *) (work32 + 6), 16));
25986 - seq_printf(seq, "Description : %s\n",
25987 - chtostr((u8 *) (work32 + 10), 16));
25988 - seq_printf(seq, "Product rev. : %s\n",
25989 - chtostr((u8 *) (work32 + 14), 8));
25990 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
25991 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
25992 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
25993 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
25995 seq_printf(seq, "Serial number : ");
25996 print_serial_number(seq, (u8 *) (work32 + 16),
25997 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
26000 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
26001 - seq_printf(seq, "Module name : %s\n",
26002 - chtostr(result.module_name, 24));
26003 - seq_printf(seq, "Module revision : %s\n",
26004 - chtostr(result.module_rev, 8));
26005 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
26006 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
26008 seq_printf(seq, "Serial number : ");
26009 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
26010 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
26014 - seq_printf(seq, "Device name : %s\n",
26015 - chtostr(result.device_name, 64));
26016 - seq_printf(seq, "Service name : %s\n",
26017 - chtostr(result.service_name, 64));
26018 - seq_printf(seq, "Physical name : %s\n",
26019 - chtostr(result.physical_location, 64));
26020 - seq_printf(seq, "Instance number : %s\n",
26021 - chtostr(result.instance_number, 4));
26022 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
26023 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
26024 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
26025 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
26029 diff -urNp linux-2.6.35.4/drivers/mfd/janz-cmodio.c linux-2.6.35.4/drivers/mfd/janz-cmodio.c
26030 --- linux-2.6.35.4/drivers/mfd/janz-cmodio.c 2010-08-26 19:47:12.000000000 -0400
26031 +++ linux-2.6.35.4/drivers/mfd/janz-cmodio.c 2010-09-17 20:12:09.000000000 -0400
26034 #include <linux/kernel.h>
26035 #include <linux/module.h>
26036 +#include <linux/slab.h>
26037 #include <linux/init.h>
26038 #include <linux/pci.h>
26039 #include <linux/interrupt.h>
26040 diff -urNp linux-2.6.35.4/drivers/misc/kgdbts.c linux-2.6.35.4/drivers/misc/kgdbts.c
26041 --- linux-2.6.35.4/drivers/misc/kgdbts.c 2010-08-26 19:47:12.000000000 -0400
26042 +++ linux-2.6.35.4/drivers/misc/kgdbts.c 2010-09-17 20:12:09.000000000 -0400
26043 @@ -118,7 +118,7 @@
26045 #define MAX_CONFIG_LEN 40
26047 -static struct kgdb_io kgdbts_io_ops;
26048 +static const struct kgdb_io kgdbts_io_ops;
26049 static char get_buf[BUFMAX];
26050 static int get_buf_cnt;
26051 static char put_buf[BUFMAX];
26052 @@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
26053 module_put(THIS_MODULE);
26056 -static struct kgdb_io kgdbts_io_ops = {
26057 +static const struct kgdb_io kgdbts_io_ops = {
26059 .read_char = kgdbts_get_char,
26060 .write_char = kgdbts_put_char,
26061 diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c
26062 --- linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c 2010-08-26 19:47:12.000000000 -0400
26063 +++ linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c 2010-09-17 20:12:09.000000000 -0400
26064 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26065 unsigned long nsec;
26067 nsec = CLKS2NSEC(clks);
26068 - atomic_long_inc(&mcs_op_statistics[op].count);
26069 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
26070 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26071 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26072 if (mcs_op_statistics[op].max < nsec)
26073 mcs_op_statistics[op].max = nsec;
26075 diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c
26076 --- linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c 2010-08-26 19:47:12.000000000 -0400
26077 +++ linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c 2010-09-17 20:12:09.000000000 -0400
26080 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26082 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26083 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26085 - unsigned long val = atomic_long_read(v);
26086 + unsigned long val = atomic_long_read_unchecked(v);
26088 seq_printf(s, "%16lu %s\n", val, id);
26090 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26092 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26093 for (op = 0; op < mcsop_last; op++) {
26094 - count = atomic_long_read(&mcs_op_statistics[op].count);
26095 - total = atomic_long_read(&mcs_op_statistics[op].total);
26096 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26097 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26098 max = mcs_op_statistics[op].max;
26099 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26100 count ? total / count : 0, max);
26101 diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h
26102 --- linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h 2010-08-26 19:47:12.000000000 -0400
26103 +++ linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h 2010-09-17 20:12:09.000000000 -0400
26104 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26107 struct gru_stats_s {
26108 - atomic_long_t vdata_alloc;
26109 - atomic_long_t vdata_free;
26110 - atomic_long_t gts_alloc;
26111 - atomic_long_t gts_free;
26112 - atomic_long_t gms_alloc;
26113 - atomic_long_t gms_free;
26114 - atomic_long_t gts_double_allocate;
26115 - atomic_long_t assign_context;
26116 - atomic_long_t assign_context_failed;
26117 - atomic_long_t free_context;
26118 - atomic_long_t load_user_context;
26119 - atomic_long_t load_kernel_context;
26120 - atomic_long_t lock_kernel_context;
26121 - atomic_long_t unlock_kernel_context;
26122 - atomic_long_t steal_user_context;
26123 - atomic_long_t steal_kernel_context;
26124 - atomic_long_t steal_context_failed;
26125 - atomic_long_t nopfn;
26126 - atomic_long_t asid_new;
26127 - atomic_long_t asid_next;
26128 - atomic_long_t asid_wrap;
26129 - atomic_long_t asid_reuse;
26130 - atomic_long_t intr;
26131 - atomic_long_t intr_cbr;
26132 - atomic_long_t intr_tfh;
26133 - atomic_long_t intr_spurious;
26134 - atomic_long_t intr_mm_lock_failed;
26135 - atomic_long_t call_os;
26136 - atomic_long_t call_os_wait_queue;
26137 - atomic_long_t user_flush_tlb;
26138 - atomic_long_t user_unload_context;
26139 - atomic_long_t user_exception;
26140 - atomic_long_t set_context_option;
26141 - atomic_long_t check_context_retarget_intr;
26142 - atomic_long_t check_context_unload;
26143 - atomic_long_t tlb_dropin;
26144 - atomic_long_t tlb_preload_page;
26145 - atomic_long_t tlb_dropin_fail_no_asid;
26146 - atomic_long_t tlb_dropin_fail_upm;
26147 - atomic_long_t tlb_dropin_fail_invalid;
26148 - atomic_long_t tlb_dropin_fail_range_active;
26149 - atomic_long_t tlb_dropin_fail_idle;
26150 - atomic_long_t tlb_dropin_fail_fmm;
26151 - atomic_long_t tlb_dropin_fail_no_exception;
26152 - atomic_long_t tfh_stale_on_fault;
26153 - atomic_long_t mmu_invalidate_range;
26154 - atomic_long_t mmu_invalidate_page;
26155 - atomic_long_t flush_tlb;
26156 - atomic_long_t flush_tlb_gru;
26157 - atomic_long_t flush_tlb_gru_tgh;
26158 - atomic_long_t flush_tlb_gru_zero_asid;
26160 - atomic_long_t copy_gpa;
26161 - atomic_long_t read_gpa;
26163 - atomic_long_t mesq_receive;
26164 - atomic_long_t mesq_receive_none;
26165 - atomic_long_t mesq_send;
26166 - atomic_long_t mesq_send_failed;
26167 - atomic_long_t mesq_noop;
26168 - atomic_long_t mesq_send_unexpected_error;
26169 - atomic_long_t mesq_send_lb_overflow;
26170 - atomic_long_t mesq_send_qlimit_reached;
26171 - atomic_long_t mesq_send_amo_nacked;
26172 - atomic_long_t mesq_send_put_nacked;
26173 - atomic_long_t mesq_page_overflow;
26174 - atomic_long_t mesq_qf_locked;
26175 - atomic_long_t mesq_qf_noop_not_full;
26176 - atomic_long_t mesq_qf_switch_head_failed;
26177 - atomic_long_t mesq_qf_unexpected_error;
26178 - atomic_long_t mesq_noop_unexpected_error;
26179 - atomic_long_t mesq_noop_lb_overflow;
26180 - atomic_long_t mesq_noop_qlimit_reached;
26181 - atomic_long_t mesq_noop_amo_nacked;
26182 - atomic_long_t mesq_noop_put_nacked;
26183 - atomic_long_t mesq_noop_page_overflow;
26184 + atomic_long_unchecked_t vdata_alloc;
26185 + atomic_long_unchecked_t vdata_free;
26186 + atomic_long_unchecked_t gts_alloc;
26187 + atomic_long_unchecked_t gts_free;
26188 + atomic_long_unchecked_t gms_alloc;
26189 + atomic_long_unchecked_t gms_free;
26190 + atomic_long_unchecked_t gts_double_allocate;
26191 + atomic_long_unchecked_t assign_context;
26192 + atomic_long_unchecked_t assign_context_failed;
26193 + atomic_long_unchecked_t free_context;
26194 + atomic_long_unchecked_t load_user_context;
26195 + atomic_long_unchecked_t load_kernel_context;
26196 + atomic_long_unchecked_t lock_kernel_context;
26197 + atomic_long_unchecked_t unlock_kernel_context;
26198 + atomic_long_unchecked_t steal_user_context;
26199 + atomic_long_unchecked_t steal_kernel_context;
26200 + atomic_long_unchecked_t steal_context_failed;
26201 + atomic_long_unchecked_t nopfn;
26202 + atomic_long_unchecked_t asid_new;
26203 + atomic_long_unchecked_t asid_next;
26204 + atomic_long_unchecked_t asid_wrap;
26205 + atomic_long_unchecked_t asid_reuse;
26206 + atomic_long_unchecked_t intr;
26207 + atomic_long_unchecked_t intr_cbr;
26208 + atomic_long_unchecked_t intr_tfh;
26209 + atomic_long_unchecked_t intr_spurious;
26210 + atomic_long_unchecked_t intr_mm_lock_failed;
26211 + atomic_long_unchecked_t call_os;
26212 + atomic_long_unchecked_t call_os_wait_queue;
26213 + atomic_long_unchecked_t user_flush_tlb;
26214 + atomic_long_unchecked_t user_unload_context;
26215 + atomic_long_unchecked_t user_exception;
26216 + atomic_long_unchecked_t set_context_option;
26217 + atomic_long_unchecked_t check_context_retarget_intr;
26218 + atomic_long_unchecked_t check_context_unload;
26219 + atomic_long_unchecked_t tlb_dropin;
26220 + atomic_long_unchecked_t tlb_preload_page;
26221 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26222 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26223 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26224 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26225 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26226 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26227 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26228 + atomic_long_unchecked_t tfh_stale_on_fault;
26229 + atomic_long_unchecked_t mmu_invalidate_range;
26230 + atomic_long_unchecked_t mmu_invalidate_page;
26231 + atomic_long_unchecked_t flush_tlb;
26232 + atomic_long_unchecked_t flush_tlb_gru;
26233 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26234 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26236 + atomic_long_unchecked_t copy_gpa;
26237 + atomic_long_unchecked_t read_gpa;
26239 + atomic_long_unchecked_t mesq_receive;
26240 + atomic_long_unchecked_t mesq_receive_none;
26241 + atomic_long_unchecked_t mesq_send;
26242 + atomic_long_unchecked_t mesq_send_failed;
26243 + atomic_long_unchecked_t mesq_noop;
26244 + atomic_long_unchecked_t mesq_send_unexpected_error;
26245 + atomic_long_unchecked_t mesq_send_lb_overflow;
26246 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26247 + atomic_long_unchecked_t mesq_send_amo_nacked;
26248 + atomic_long_unchecked_t mesq_send_put_nacked;
26249 + atomic_long_unchecked_t mesq_page_overflow;
26250 + atomic_long_unchecked_t mesq_qf_locked;
26251 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26252 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26253 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26254 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26255 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26256 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26257 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26258 + atomic_long_unchecked_t mesq_noop_put_nacked;
26259 + atomic_long_unchecked_t mesq_noop_page_overflow;
26263 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26264 tghop_invalidate, mcsop_last};
26266 struct mcs_op_statistic {
26267 - atomic_long_t count;
26268 - atomic_long_t total;
26269 + atomic_long_unchecked_t count;
26270 + atomic_long_unchecked_t total;
26274 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26276 #define STAT(id) do { \
26277 if (gru_options & OPT_STATS) \
26278 - atomic_long_inc(&gru_stats.id); \
26279 + atomic_long_inc_unchecked(&gru_stats.id); \
26282 #ifdef CONFIG_SGI_GRU_DEBUG
26283 diff -urNp linux-2.6.35.4/drivers/mtd/devices/doc2000.c linux-2.6.35.4/drivers/mtd/devices/doc2000.c
26284 --- linux-2.6.35.4/drivers/mtd/devices/doc2000.c 2010-08-26 19:47:12.000000000 -0400
26285 +++ linux-2.6.35.4/drivers/mtd/devices/doc2000.c 2010-09-17 20:12:09.000000000 -0400
26286 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26288 /* The ECC will not be calculated correctly if less than 512 is written */
26290 - if (len != 0x200 && eccbuf)
26291 + if (len != 0x200)
26292 printk(KERN_WARNING
26293 "ECC needs a full sector write (adr: %lx size %lx)\n",
26294 (long) to, (long) len);
26295 diff -urNp linux-2.6.35.4/drivers/mtd/devices/doc2001.c linux-2.6.35.4/drivers/mtd/devices/doc2001.c
26296 --- linux-2.6.35.4/drivers/mtd/devices/doc2001.c 2010-08-26 19:47:12.000000000 -0400
26297 +++ linux-2.6.35.4/drivers/mtd/devices/doc2001.c 2010-09-17 20:12:09.000000000 -0400
26298 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26299 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26301 /* Don't allow read past end of device */
26302 - if (from >= this->totlen)
26303 + if (from >= this->totlen || !len)
26306 /* Don't allow a single read to cross a 512-byte block boundary */
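Review bot: Adding `|| !len` to the end-of-device test makes a zero-length read take the same branch as an out-of-range offset. The guarded statement is not visible in this hunk, but if it is the error return used for a bad offset, callers that legitimately request 0 bytes now get a failure instead of success with nothing read. If the aim is to keep the later block-boundary arithmetic from running with `len == 0`, a separate early exit that reports zero bytes read and returns 0 would keep the two cases distinct. Either way, update the existing comment, since `/* Don't allow read past end of device */` no longer describes the whole condition.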
26307 diff -urNp linux-2.6.35.4/drivers/mtd/nand/denali.c linux-2.6.35.4/drivers/mtd/nand/denali.c
26308 --- linux-2.6.35.4/drivers/mtd/nand/denali.c 2010-08-26 19:47:12.000000000 -0400
26309 +++ linux-2.6.35.4/drivers/mtd/nand/denali.c 2010-09-17 20:12:09.000000000 -0400
26311 #include <linux/pci.h>
26312 #include <linux/mtd/mtd.h>
26313 #include <linux/module.h>
26314 +#include <linux/slab.h>
26316 #include "denali.h"
26318 diff -urNp linux-2.6.35.4/drivers/mtd/ubi/build.c linux-2.6.35.4/drivers/mtd/ubi/build.c
26319 --- linux-2.6.35.4/drivers/mtd/ubi/build.c 2010-08-26 19:47:12.000000000 -0400
26320 +++ linux-2.6.35.4/drivers/mtd/ubi/build.c 2010-09-17 20:12:09.000000000 -0400
26321 @@ -1282,7 +1282,7 @@ module_exit(ubi_exit);
26322 static int __init bytes_str_to_int(const char *str)
26325 - unsigned long result;
26326 + unsigned long result, scale = 1;
26328 result = simple_strtoul(str, &endp, 0);
26329 if (str == endp || result >= INT_MAX) {
26330 @@ -1293,11 +1293,11 @@ static int __init bytes_str_to_int(const
26342 if (endp[1] == 'i' && endp[2] == 'B')
26345 @@ -1308,7 +1308,13 @@ static int __init bytes_str_to_int(const
26350 + if ((intoverflow_t)result*scale >= INT_MAX) {
26351 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26356 + return result*scale;
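Review bot: The overflow test `(intoverflow_t)result*scale >= INT_MAX` only works if `intoverflow_t` is wider than `unsigned long` on 32-bit builds, and nothing in this hunk states that assumption. The typedef is defined elsewhere in the patch. If it were ever the same width as `unsigned long`, the product would wrap before the comparison and `return result*scale;` would hand back a truncated size. A comment above the test would record the dependency, for example `/* widen before multiplying: result*scale can exceed 32 bits */`. The body of bytes_str_to_int() is only partly visible across these three hunks.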
26360 diff -urNp linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c
26361 --- linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-08-26 19:47:12.000000000 -0400
26362 +++ linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-09-17 20:12:37.000000000 -0400
26363 @@ -2296,6 +2296,8 @@ static int cxgb_extension_ioctl(struct n
26364 case CHELSIO_GET_QSET_NUM:{
26365 struct ch_reg edata;
26367 + memset(&edata, 0, sizeof(edata));
26369 edata.cmd = CHELSIO_GET_QSET_NUM;
26370 edata.val = pi->nqsets;
26371 if (copy_to_user(useraddr, &edata, sizeof(edata)))
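Review bot: The added `memset(&edata, 0, sizeof(edata));` has no comment saying what it protects, and because `cmd` and `val` are assigned right after, it looks redundant and could be removed in a cleanup. Its purpose is that `copy_to_user()` copies the whole structure, so any field or padding byte not explicitly assigned would otherwise carry stale kernel stack contents to user space. I would add `/* zero unassigned fields and padding: the whole struct is copied to user space */` above it. The same comment fits the `memset(&mc, 0, sizeof(mc));` added to eql_g_master_cfg() in eql.c. The other cases of this ioctl switch are outside the hunk and worth checking for the same pattern.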
26372 diff -urNp linux-2.6.35.4/drivers/net/e1000e/82571.c linux-2.6.35.4/drivers/net/e1000e/82571.c
26373 --- linux-2.6.35.4/drivers/net/e1000e/82571.c 2010-08-26 19:47:12.000000000 -0400
26374 +++ linux-2.6.35.4/drivers/net/e1000e/82571.c 2010-09-17 20:12:09.000000000 -0400
26375 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
26377 struct e1000_hw *hw = &adapter->hw;
26378 struct e1000_mac_info *mac = &hw->mac;
26379 + /* cannot be const */
26380 struct e1000_mac_operations *func = &mac->ops;
26383 @@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
26387 -static struct e1000_mac_operations e82571_mac_ops = {
26388 +static const struct e1000_mac_operations e82571_mac_ops = {
26389 /* .check_mng_mode: mac type dependent */
26390 /* .check_for_link: media type dependent */
26391 .id_led_init = e1000e_id_led_init,
26392 @@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
26393 .read_mac_addr = e1000_read_mac_addr_82571,
26396 -static struct e1000_phy_operations e82_phy_ops_igp = {
26397 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26398 .acquire = e1000_get_hw_semaphore_82571,
26399 .check_polarity = e1000_check_polarity_igp,
26400 .check_reset_block = e1000e_check_reset_block_generic,
26401 @@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
26402 .cfg_on_link_up = NULL,
26405 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26406 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26407 .acquire = e1000_get_hw_semaphore_82571,
26408 .check_polarity = e1000_check_polarity_m88,
26409 .check_reset_block = e1000e_check_reset_block_generic,
26410 @@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
26411 .cfg_on_link_up = NULL,
26414 -static struct e1000_phy_operations e82_phy_ops_bm = {
26415 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26416 .acquire = e1000_get_hw_semaphore_82571,
26417 .check_polarity = e1000_check_polarity_m88,
26418 .check_reset_block = e1000e_check_reset_block_generic,
26419 @@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
26420 .cfg_on_link_up = NULL,
26423 -static struct e1000_nvm_operations e82571_nvm_ops = {
26424 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26425 .acquire = e1000_acquire_nvm_82571,
26426 .read = e1000e_read_nvm_eerd,
26427 .release = e1000_release_nvm_82571,
26428 diff -urNp linux-2.6.35.4/drivers/net/e1000e/e1000.h linux-2.6.35.4/drivers/net/e1000e/e1000.h
26429 --- linux-2.6.35.4/drivers/net/e1000e/e1000.h 2010-08-26 19:47:12.000000000 -0400
26430 +++ linux-2.6.35.4/drivers/net/e1000e/e1000.h 2010-09-17 20:12:09.000000000 -0400
26431 @@ -377,9 +377,9 @@ struct e1000_info {
26433 u32 max_hw_frame_size;
26434 s32 (*get_variants)(struct e1000_adapter *);
26435 - struct e1000_mac_operations *mac_ops;
26436 - struct e1000_phy_operations *phy_ops;
26437 - struct e1000_nvm_operations *nvm_ops;
26438 + const struct e1000_mac_operations *mac_ops;
26439 + const struct e1000_phy_operations *phy_ops;
26440 + const struct e1000_nvm_operations *nvm_ops;
26443 /* hardware capability, feature, and workaround flags */
26444 diff -urNp linux-2.6.35.4/drivers/net/e1000e/es2lan.c linux-2.6.35.4/drivers/net/e1000e/es2lan.c
26445 --- linux-2.6.35.4/drivers/net/e1000e/es2lan.c 2010-08-26 19:47:12.000000000 -0400
26446 +++ linux-2.6.35.4/drivers/net/e1000e/es2lan.c 2010-09-17 20:12:09.000000000 -0400
26447 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26449 struct e1000_hw *hw = &adapter->hw;
26450 struct e1000_mac_info *mac = &hw->mac;
26451 + /* cannot be const */
26452 struct e1000_mac_operations *func = &mac->ops;
26454 /* Set media type */
26455 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26459 -static struct e1000_mac_operations es2_mac_ops = {
26460 +static const struct e1000_mac_operations es2_mac_ops = {
26461 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26462 .id_led_init = e1000e_id_led_init,
26463 .check_mng_mode = e1000e_check_mng_mode_generic,
26464 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26465 .setup_led = e1000e_setup_led_generic,
26468 -static struct e1000_phy_operations es2_phy_ops = {
26469 +static const struct e1000_phy_operations es2_phy_ops = {
26470 .acquire = e1000_acquire_phy_80003es2lan,
26471 .check_polarity = e1000_check_polarity_m88,
26472 .check_reset_block = e1000e_check_reset_block_generic,
26473 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26474 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26477 -static struct e1000_nvm_operations es2_nvm_ops = {
26478 +static const struct e1000_nvm_operations es2_nvm_ops = {
26479 .acquire = e1000_acquire_nvm_80003es2lan,
26480 .read = e1000e_read_nvm_eerd,
26481 .release = e1000_release_nvm_80003es2lan,
26482 diff -urNp linux-2.6.35.4/drivers/net/e1000e/hw.h linux-2.6.35.4/drivers/net/e1000e/hw.h
26483 --- linux-2.6.35.4/drivers/net/e1000e/hw.h 2010-08-26 19:47:12.000000000 -0400
26484 +++ linux-2.6.35.4/drivers/net/e1000e/hw.h 2010-09-17 20:12:09.000000000 -0400
26485 @@ -791,13 +791,13 @@ struct e1000_phy_operations {
26487 /* Function pointers for the NVM. */
26488 struct e1000_nvm_operations {
26489 - s32 (*acquire)(struct e1000_hw *);
26490 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26491 - void (*release)(struct e1000_hw *);
26492 - s32 (*update)(struct e1000_hw *);
26493 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26494 - s32 (*validate)(struct e1000_hw *);
26495 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26496 + s32 (* const acquire)(struct e1000_hw *);
26497 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26498 + void (* const release)(struct e1000_hw *);
26499 + s32 (* const update)(struct e1000_hw *);
26500 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26501 + s32 (* const validate)(struct e1000_hw *);
26502 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26505 struct e1000_mac_info {
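Review bot: Qualifying every member of `struct e1000_nvm_operations` as `* const` conflicts with the second hunk of this file, where `struct e1000_nvm_info` still embeds a writable `ops` copy. A struct with const members cannot be assigned member by member or as a whole, so that copy can only be filled by something like `memcpy()`. Writing over const-qualified members that way is undefined behaviour in C, and the compiler may assume they never change. How `ops` is populated is outside this hunk, so this needs confirming against the init code. A cleaner shape would leave the members unqualified and have `e1000_nvm_info` hold `const struct e1000_nvm_operations *ops`, pointing at the now-const tables. The igb/e1000_hw.h hunk makes the same change.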
26506 @@ -877,6 +877,7 @@ struct e1000_phy_info {
26509 struct e1000_nvm_info {
26510 + /* cannot be const */
26511 struct e1000_nvm_operations ops;
26513 enum e1000_nvm_type type;
26514 diff -urNp linux-2.6.35.4/drivers/net/e1000e/ich8lan.c linux-2.6.35.4/drivers/net/e1000e/ich8lan.c
26515 --- linux-2.6.35.4/drivers/net/e1000e/ich8lan.c 2010-08-26 19:47:12.000000000 -0400
26516 +++ linux-2.6.35.4/drivers/net/e1000e/ich8lan.c 2010-09-17 20:12:09.000000000 -0400
26517 @@ -3388,7 +3388,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26521 -static struct e1000_mac_operations ich8_mac_ops = {
26522 +static const struct e1000_mac_operations ich8_mac_ops = {
26523 .id_led_init = e1000e_id_led_init,
26524 .check_mng_mode = e1000_check_mng_mode_ich8lan,
26525 .check_for_link = e1000_check_for_copper_link_ich8lan,
26526 @@ -3407,7 +3407,7 @@ static struct e1000_mac_operations ich8_
26527 /* id_led_init dependent on mac type */
26530 -static struct e1000_phy_operations ich8_phy_ops = {
26531 +static const struct e1000_phy_operations ich8_phy_ops = {
26532 .acquire = e1000_acquire_swflag_ich8lan,
26533 .check_reset_block = e1000_check_reset_block_ich8lan,
26535 @@ -3421,7 +3421,7 @@ static struct e1000_phy_operations ich8_
26536 .write_reg = e1000e_write_phy_reg_igp,
26539 -static struct e1000_nvm_operations ich8_nvm_ops = {
26540 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26541 .acquire = e1000_acquire_nvm_ich8lan,
26542 .read = e1000_read_nvm_ich8lan,
26543 .release = e1000_release_nvm_ich8lan,
26544 diff -urNp linux-2.6.35.4/drivers/net/eql.c linux-2.6.35.4/drivers/net/eql.c
26545 --- linux-2.6.35.4/drivers/net/eql.c 2010-08-26 19:47:12.000000000 -0400
26546 +++ linux-2.6.35.4/drivers/net/eql.c 2010-09-17 20:12:37.000000000 -0400
26547 @@ -555,6 +555,8 @@ static int eql_g_master_cfg(struct net_d
26549 master_config_t mc;
26551 + memset(&mc, 0, sizeof(mc));
26553 if (eql_is_master(dev)) {
26554 eql = netdev_priv(dev);
26555 mc.max_slaves = eql->max_slaves;
26556 diff -urNp linux-2.6.35.4/drivers/net/igb/e1000_82575.c linux-2.6.35.4/drivers/net/igb/e1000_82575.c
26557 --- linux-2.6.35.4/drivers/net/igb/e1000_82575.c 2010-08-26 19:47:12.000000000 -0400
26558 +++ linux-2.6.35.4/drivers/net/igb/e1000_82575.c 2010-09-17 20:12:09.000000000 -0400
26559 @@ -1597,7 +1597,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26563 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26564 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26565 .init_hw = igb_init_hw_82575,
26566 .check_for_link = igb_check_for_link_82575,
26567 .rar_set = igb_rar_set,
26568 @@ -1605,13 +1605,13 @@ static struct e1000_mac_operations e1000
26569 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26572 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26573 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26574 .acquire = igb_acquire_phy_82575,
26575 .get_cfg_done = igb_get_cfg_done_82575,
26576 .release = igb_release_phy_82575,
26579 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26580 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26581 .acquire = igb_acquire_nvm_82575,
26582 .read = igb_read_nvm_eerd,
26583 .release = igb_release_nvm_82575,
26584 diff -urNp linux-2.6.35.4/drivers/net/igb/e1000_hw.h linux-2.6.35.4/drivers/net/igb/e1000_hw.h
26585 --- linux-2.6.35.4/drivers/net/igb/e1000_hw.h 2010-08-26 19:47:12.000000000 -0400
26586 +++ linux-2.6.35.4/drivers/net/igb/e1000_hw.h 2010-09-17 20:12:09.000000000 -0400
26587 @@ -323,17 +323,17 @@ struct e1000_phy_operations {
26590 struct e1000_nvm_operations {
26591 - s32 (*acquire)(struct e1000_hw *);
26592 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26593 - void (*release)(struct e1000_hw *);
26594 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26595 + s32 (* const acquire)(struct e1000_hw *);
26596 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26597 + void (* const release)(struct e1000_hw *);
26598 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26601 struct e1000_info {
26602 s32 (*get_invariants)(struct e1000_hw *);
26603 - struct e1000_mac_operations *mac_ops;
26604 - struct e1000_phy_operations *phy_ops;
26605 - struct e1000_nvm_operations *nvm_ops;
26606 + const struct e1000_mac_operations *mac_ops;
26607 + const struct e1000_phy_operations *phy_ops;
26608 + const struct e1000_nvm_operations *nvm_ops;
26611 extern const struct e1000_info e1000_82575_info;
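Review bot: Qualifying the `e1000_nvm_operations` members as `(* const ...)` conflicts with the writable embedded copy that the next hunk keeps in `struct e1000_nvm_info` (`struct e1000_nvm_operations ops;`, marked `/* cannot be const */`). Any code that fills in that copy, which is not visible in this section, now has to cast or memcpy past the qualifier, and ISO C leaves a store into a const-qualified member undefined. The `const` on the `mac_ops`/`phy_ops`/`nvm_ops` pointers in `e1000_info` already protects the static tables, so the member-level `const` could be dropped. If it stays, the comment should name the reason, for example `/* cannot be const: ops is populated at run time */` once that is confirmed.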
26612 @@ -412,6 +412,7 @@ struct e1000_phy_info {
26615 struct e1000_nvm_info {
26616 + /* cannot be const */
26617 struct e1000_nvm_operations ops;
26619 enum e1000_nvm_type type;
26620 diff -urNp linux-2.6.35.4/drivers/net/irda/vlsi_ir.c linux-2.6.35.4/drivers/net/irda/vlsi_ir.c
26621 --- linux-2.6.35.4/drivers/net/irda/vlsi_ir.c 2010-08-26 19:47:12.000000000 -0400
26622 +++ linux-2.6.35.4/drivers/net/irda/vlsi_ir.c 2010-09-17 20:12:09.000000000 -0400
26623 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26624 /* no race - tx-ring already empty */
26625 vlsi_set_baud(idev, iobase);
26626 netif_wake_queue(ndev);
26631 /* keep the speed change pending like it would
26632 * for any len>0 packet. tx completion interrupt
26633 * will apply it when the tx ring becomes empty.
26636 spin_unlock_irqrestore(&idev->lock, flags);
26637 dev_kfree_skb_any(skb);
26638 return NETDEV_TX_OK;
26639 diff -urNp linux-2.6.35.4/drivers/net/pcnet32.c linux-2.6.35.4/drivers/net/pcnet32.c
26640 --- linux-2.6.35.4/drivers/net/pcnet32.c 2010-08-26 19:47:12.000000000 -0400
26641 +++ linux-2.6.35.4/drivers/net/pcnet32.c 2010-09-17 20:12:09.000000000 -0400
26642 @@ -82,7 +82,7 @@ static int cards_found;
26644 * VLB I/O addresses
26646 -static unsigned int pcnet32_portlist[] __initdata =
26647 +static unsigned int pcnet32_portlist[] __devinitdata =
26648 { 0x300, 0x320, 0x340, 0x360, 0 };
26650 static int pcnet32_debug;
26651 diff -urNp linux-2.6.35.4/drivers/net/ppp_generic.c linux-2.6.35.4/drivers/net/ppp_generic.c
26652 --- linux-2.6.35.4/drivers/net/ppp_generic.c 2010-08-26 19:47:12.000000000 -0400
26653 +++ linux-2.6.35.4/drivers/net/ppp_generic.c 2010-09-17 20:12:09.000000000 -0400
26654 @@ -992,7 +992,6 @@ ppp_net_ioctl(struct net_device *dev, st
26655 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26656 struct ppp_stats stats;
26657 struct ppp_comp_stats cstats;
26661 case SIOCGPPPSTATS:
26662 @@ -1014,8 +1013,7 @@ ppp_net_ioctl(struct net_device *dev, st
26666 - vers = PPP_VERSION;
26667 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26668 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26672 diff -urNp linux-2.6.35.4/drivers/net/tg3.c linux-2.6.35.4/drivers/net/tg3.c
26673 --- linux-2.6.35.4/drivers/net/tg3.c 2010-08-26 19:47:12.000000000 -0400
26674 +++ linux-2.6.35.4/drivers/net/tg3.c 2010-09-17 20:12:09.000000000 -0400
26675 @@ -12410,7 +12410,7 @@ static void __devinit tg3_read_vpd(struc
26676 cnt = pci_read_vpd(tp->pdev, pos,
26677 TG3_NVM_VPD_LEN - pos,
26679 - if (cnt == -ETIMEDOUT || -EINTR)
26680 + if (cnt == -ETIMEDOUT || cnt == -EINTR)
26683 goto out_not_found;
26684 diff -urNp linux-2.6.35.4/drivers/net/tg3.h linux-2.6.35.4/drivers/net/tg3.h
26685 --- linux-2.6.35.4/drivers/net/tg3.h 2010-08-26 19:47:12.000000000 -0400
26686 +++ linux-2.6.35.4/drivers/net/tg3.h 2010-09-17 20:12:09.000000000 -0400
26687 @@ -130,6 +130,7 @@
26688 #define CHIPREV_ID_5750_A0 0x4000
26689 #define CHIPREV_ID_5750_A1 0x4001
26690 #define CHIPREV_ID_5750_A3 0x4003
26691 +#define CHIPREV_ID_5750_C1 0x4201
26692 #define CHIPREV_ID_5750_C2 0x4202
26693 #define CHIPREV_ID_5752_A0_HW 0x5000
26694 #define CHIPREV_ID_5752_A0 0x6000
26695 diff -urNp linux-2.6.35.4/drivers/net/tulip/de4x5.c linux-2.6.35.4/drivers/net/tulip/de4x5.c
26696 --- linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-08-26 19:47:12.000000000 -0400
26697 +++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-17 20:12:37.000000000 -0400
26698 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26699 for (i=0; i<ETH_ALEN; i++) {
26700 tmp.addr[i] = dev->dev_addr[i];
26702 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26703 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26706 case DE4X5_SET_HWADDR: /* Set the hardware address */
26707 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26708 spin_lock_irqsave(&lp->lock, flags);
26709 memcpy(&statbuf, &lp->pktStats, ioc->len);
26710 spin_unlock_irqrestore(&lp->lock, flags);
26711 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26712 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
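Review bot: The added `ioc->len > sizeof(statbuf)` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines earlier, which already uses the same length to write into `statbuf`. If `ioc->len` can exceed the buffer at this point, the overrun has happened before the guard; if it is fixed by an assignment above the hunk (not visible here), the guard is redundant. Move the bound ahead of the lock, e.g. `if (ioc->len > sizeof(statbuf)) return -EFAULT;` before `spin_lock_irqsave(&lp->lock, flags);`. The enclosing case block starts and ends outside the hunk.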
26716 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
26717 tmp.lval[6] = inl(DE4X5_STRR); j+=4;
26718 tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
26720 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26721 + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
26724 #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
26725 diff -urNp linux-2.6.35.4/drivers/net/usb/hso.c linux-2.6.35.4/drivers/net/usb/hso.c
26726 --- linux-2.6.35.4/drivers/net/usb/hso.c 2010-08-26 19:47:12.000000000 -0400
26727 +++ linux-2.6.35.4/drivers/net/usb/hso.c 2010-09-17 20:12:37.000000000 -0400
26728 @@ -258,7 +258,7 @@ struct hso_serial {
26730 /* from usb_serial_port */
26731 struct tty_struct *tty;
26733 + atomic_t open_count;
26734 spinlock_t serial_lock;
26736 int (*write_data) (struct hso_serial *serial);
26737 @@ -1201,7 +1201,7 @@ static void put_rxbuf_data_and_resubmit_
26740 urb = serial->rx_urb[0];
26741 - if (serial->open_count > 0) {
26742 + if (atomic_read(&serial->open_count) > 0) {
26743 count = put_rxbuf_data(urb, serial);
26746 @@ -1237,7 +1237,7 @@ static void hso_std_serial_read_bulk_cal
26747 DUMP1(urb->transfer_buffer, urb->actual_length);
26749 /* Anyone listening? */
26750 - if (serial->open_count == 0)
26751 + if (atomic_read(&serial->open_count) == 0)
26755 @@ -1332,8 +1332,7 @@ static int hso_serial_open(struct tty_st
26756 spin_unlock_irq(&serial->serial_lock);
26758 /* check for port already opened, if not set the termios */
26759 - serial->open_count++;
26760 - if (serial->open_count == 1) {
26761 + if (atomic_inc_return(&serial->open_count) == 1) {
26762 serial->rx_state = RX_IDLE;
26763 /* Force default termio settings */
26764 _hso_serial_set_termios(tty, NULL);
26765 @@ -1345,7 +1344,7 @@ static int hso_serial_open(struct tty_st
26766 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26768 hso_stop_serial_device(serial->parent);
26769 - serial->open_count--;
26770 + atomic_dec(&serial->open_count);
26771 kref_put(&serial->parent->ref, hso_serial_ref_free);
26774 @@ -1382,10 +1381,10 @@ static void hso_serial_close(struct tty_
26776 /* reset the rts and dtr */
26777 /* do the actual close */
26778 - serial->open_count--;
26779 + atomic_dec(&serial->open_count);
26781 - if (serial->open_count <= 0) {
26782 - serial->open_count = 0;
26783 + if (atomic_read(&serial->open_count) <= 0) {
26784 + atomic_set(&serial->open_count, 0);
26785 spin_lock_irq(&serial->serial_lock);
26786 if (serial->tty == tty) {
26787 serial->tty->driver_data = NULL;
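Review bot: In `hso_serial_close` the count is decremented with `atomic_dec()` and then re-read with a separate `atomic_read()`, so another open or close can change it between the two calls. `if (atomic_dec_return(&serial->open_count) <= 0) {` tests the value this caller produced and mirrors the `atomic_inc_return()` now used in `hso_serial_open`. The following `atomic_set(&serial->open_count, 0)` is still a separate step and can overwrite a concurrent increment unless open and close are serialised by a lock taken outside the hunk, which should be confirmed. The function body continues past the hunk.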
26788 @@ -1467,7 +1466,7 @@ static void hso_serial_set_termios(struc
26790 /* the actual setup */
26791 spin_lock_irqsave(&serial->serial_lock, flags);
26792 - if (serial->open_count)
26793 + if (atomic_read(&serial->open_count))
26794 _hso_serial_set_termios(tty, old);
26796 tty->termios = old;
26797 @@ -1655,6 +1654,9 @@ static int hso_get_count(struct hso_seri
26802 + memset(&icount, 0, sizeof(icount));
26804 spin_lock_irq(&serial->serial_lock);
26805 memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
26806 spin_unlock_irq(&serial->serial_lock);
26807 @@ -1929,7 +1931,7 @@ static void intr_callback(struct urb *ur
26808 D1("Pending read interrupt on port %d\n", i);
26809 spin_lock(&serial->serial_lock);
26810 if (serial->rx_state == RX_IDLE &&
26811 - serial->open_count > 0) {
26812 + atomic_read(&serial->open_count) > 0) {
26813 /* Setup and send a ctrl req read on
26815 if (!serial->rx_urb_filled[0]) {
26816 @@ -3119,7 +3121,7 @@ static int hso_resume(struct usb_interfa
26817 /* Start all serial ports */
26818 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26819 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26820 - if (dev2ser(serial_table[i])->open_count) {
26821 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
26823 hso_start_serial_device(serial_table[i], GFP_NOIO);
26824 hso_kick_transmit(dev2ser(serial_table[i]));
26825 diff -urNp linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c
26826 --- linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26827 +++ linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26828 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26829 struct b43_debugfs_fops {
26830 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26831 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26832 - struct file_operations fops;
26833 + const struct file_operations fops;
26834 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26835 size_t file_struct_offset;
26837 diff -urNp linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c
26838 --- linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26839 +++ linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26840 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26841 struct b43legacy_debugfs_fops {
26842 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26843 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26844 - struct file_operations fops;
26845 + const struct file_operations fops;
26846 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26847 size_t file_struct_offset;
26848 /* Take wl->irq_lock before calling read/write? */
26849 diff -urNp linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h
26850 --- linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-08-26 19:47:12.000000000 -0400
26851 +++ linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-09-17 20:12:09.000000000 -0400
26852 @@ -68,8 +68,8 @@ do {
26856 -#define IWL_DEBUG(__priv, level, fmt, args...)
26857 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26858 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26859 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26860 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26863 diff -urNp linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c
26864 --- linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26865 +++ linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26866 @@ -718,7 +718,7 @@ out_unlock:
26867 struct lbs_debugfs_files {
26870 - struct file_operations fops;
26871 + const struct file_operations fops;
26874 static const struct lbs_debugfs_files debugfs_files[] = {
26875 diff -urNp linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c
26876 --- linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c 2010-08-26 19:47:12.000000000 -0400
26877 +++ linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c 2010-09-17 20:12:09.000000000 -0400
26878 @@ -1235,7 +1235,7 @@ static int set_rts_threshold(struct usbn
26880 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26882 - if (rts_threshold < 0 || rts_threshold > 2347)
26883 + if (rts_threshold > 2347)
26884 rts_threshold = 2347;
26886 tmp = cpu_to_le32(rts_threshold);
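Review bot: Dropping the `rts_threshold < 0` test implies the parameter is unsigned, but the `netdev_dbg()` context line above still formats it with `%i`, so large values would be logged as negative. The parameter declaration is cut off in the hunk header; if it is `u32`, change the format to `"%s(): %u\n"`.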
26887 diff -urNp linux-2.6.35.4/drivers/oprofile/buffer_sync.c linux-2.6.35.4/drivers/oprofile/buffer_sync.c
26888 --- linux-2.6.35.4/drivers/oprofile/buffer_sync.c 2010-08-26 19:47:12.000000000 -0400
26889 +++ linux-2.6.35.4/drivers/oprofile/buffer_sync.c 2010-09-17 20:12:09.000000000 -0400
26890 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
26891 if (cookie == NO_COOKIE)
26893 if (cookie == INVALID_COOKIE) {
26894 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26895 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26898 if (cookie != last_cookie) {
26899 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
26900 /* add userspace sample */
26903 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
26904 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26908 cookie = lookup_dcookie(mm, s->eip, &offset);
26910 if (cookie == INVALID_COOKIE) {
26911 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26912 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26916 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
26917 /* ignore backtraces if failed to add a sample */
26918 if (state == sb_bt_start) {
26919 state = sb_bt_ignore;
26920 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26921 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26925 diff -urNp linux-2.6.35.4/drivers/oprofile/event_buffer.c linux-2.6.35.4/drivers/oprofile/event_buffer.c
26926 --- linux-2.6.35.4/drivers/oprofile/event_buffer.c 2010-08-26 19:47:12.000000000 -0400
26927 +++ linux-2.6.35.4/drivers/oprofile/event_buffer.c 2010-09-17 20:12:09.000000000 -0400
26928 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26931 if (buffer_pos == buffer_size) {
26932 - atomic_inc(&oprofile_stats.event_lost_overflow);
26933 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26937 diff -urNp linux-2.6.35.4/drivers/oprofile/oprof.c linux-2.6.35.4/drivers/oprofile/oprof.c
26938 --- linux-2.6.35.4/drivers/oprofile/oprof.c 2010-08-26 19:47:12.000000000 -0400
26939 +++ linux-2.6.35.4/drivers/oprofile/oprof.c 2010-09-17 20:12:09.000000000 -0400
26940 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26941 if (oprofile_ops.switch_events())
26944 - atomic_inc(&oprofile_stats.multiplex_counter);
26945 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26946 start_switch_worker();
26949 diff -urNp linux-2.6.35.4/drivers/oprofile/oprofilefs.c linux-2.6.35.4/drivers/oprofile/oprofilefs.c
26950 --- linux-2.6.35.4/drivers/oprofile/oprofilefs.c 2010-08-26 19:47:12.000000000 -0400
26951 +++ linux-2.6.35.4/drivers/oprofile/oprofilefs.c 2010-09-17 20:12:09.000000000 -0400
26952 @@ -187,7 +187,7 @@ static const struct file_operations atom
26955 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26956 - char const *name, atomic_t *val)
26957 + char const *name, atomic_unchecked_t *val)
26959 struct dentry *d = __oprofilefs_create_file(sb, root, name,
26960 &atomic_ro_fops, 0444);
26961 diff -urNp linux-2.6.35.4/drivers/oprofile/oprofile_stats.c linux-2.6.35.4/drivers/oprofile/oprofile_stats.c
26962 --- linux-2.6.35.4/drivers/oprofile/oprofile_stats.c 2010-08-26 19:47:12.000000000 -0400
26963 +++ linux-2.6.35.4/drivers/oprofile/oprofile_stats.c 2010-09-17 20:12:09.000000000 -0400
26964 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26965 cpu_buf->sample_invalid_eip = 0;
26968 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26969 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26970 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
26971 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26972 - atomic_set(&oprofile_stats.multiplex_counter, 0);
26973 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26974 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26975 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26976 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26977 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26981 diff -urNp linux-2.6.35.4/drivers/oprofile/oprofile_stats.h linux-2.6.35.4/drivers/oprofile/oprofile_stats.h
26982 --- linux-2.6.35.4/drivers/oprofile/oprofile_stats.h 2010-08-26 19:47:12.000000000 -0400
26983 +++ linux-2.6.35.4/drivers/oprofile/oprofile_stats.h 2010-09-17 20:12:09.000000000 -0400
26984 @@ -13,11 +13,11 @@
26985 #include <asm/atomic.h>
26987 struct oprofile_stat_struct {
26988 - atomic_t sample_lost_no_mm;
26989 - atomic_t sample_lost_no_mapping;
26990 - atomic_t bt_lost_no_mapping;
26991 - atomic_t event_lost_overflow;
26992 - atomic_t multiplex_counter;
26993 + atomic_unchecked_t sample_lost_no_mm;
26994 + atomic_unchecked_t sample_lost_no_mapping;
26995 + atomic_unchecked_t bt_lost_no_mapping;
26996 + atomic_unchecked_t event_lost_overflow;
26997 + atomic_unchecked_t multiplex_counter;
27000 extern struct oprofile_stat_struct oprofile_stats;
27001 diff -urNp linux-2.6.35.4/drivers/parport/procfs.c linux-2.6.35.4/drivers/parport/procfs.c
27002 --- linux-2.6.35.4/drivers/parport/procfs.c 2010-08-26 19:47:12.000000000 -0400
27003 +++ linux-2.6.35.4/drivers/parport/procfs.c 2010-09-17 20:12:37.000000000 -0400
27004 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
27008 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
27009 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
27012 #ifdef CONFIG_PARPORT_1284
27013 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
27017 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
27018 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
27020 #endif /* IEEE1284.3 support. */
27022 diff -urNp linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c
27023 --- linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c 2010-08-26 19:47:12.000000000 -0400
27024 +++ linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c 2010-09-17 20:12:09.000000000 -0400
27025 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
27029 -static struct acpi_dock_ops acpiphp_dock_ops = {
27030 +static const struct acpi_dock_ops acpiphp_dock_ops = {
27031 .handler = handle_hotplug_event_func,
27034 diff -urNp linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c
27035 --- linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c 2010-08-26 19:47:12.000000000 -0400
27036 +++ linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c 2010-09-17 20:12:09.000000000 -0400
27037 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27039 void compaq_nvram_init (void __iomem *rom_start)
27042 +#ifndef CONFIG_PAX_KERNEXEC
27044 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27048 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27050 /* initialize our int15 lock */
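Review bot: With `CONFIG_PAX_KERNEXEC` enabled the assignment to `compaq_int15_entry_point` is compiled out, yet the `dbg("int15 entry = %p\n", ...)` line after the guard still prints it, and nothing in the hunk shows how later users of the pointer behave when it was never set. The code that calls through the entry point is outside this hunk; confirm it is excluded under the same option or tests for NULL. A one-line comment above the `#ifndef`, such as `/* BIOS int15 entry point is not usable under KERNEXEC */`, would record why the assignment is conditional, assuming that is the reason.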
27051 diff -urNp linux-2.6.35.4/drivers/pci/intel-iommu.c linux-2.6.35.4/drivers/pci/intel-iommu.c
27052 --- linux-2.6.35.4/drivers/pci/intel-iommu.c 2010-08-26 19:47:12.000000000 -0400
27053 +++ linux-2.6.35.4/drivers/pci/intel-iommu.c 2010-09-17 20:12:09.000000000 -0400
27054 @@ -2938,7 +2938,7 @@ static int intel_mapping_error(struct de
27058 -struct dma_map_ops intel_dma_ops = {
27059 +const struct dma_map_ops intel_dma_ops = {
27060 .alloc_coherent = intel_alloc_coherent,
27061 .free_coherent = intel_free_coherent,
27062 .map_sg = intel_map_sg,
27063 diff -urNp linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c
27064 --- linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c 2010-08-26 19:47:12.000000000 -0400
27065 +++ linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c 2010-09-17 20:12:09.000000000 -0400
27066 @@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
27067 static const struct pci_device_id port_pci_ids[] = { {
27068 /* handle any PCI-Express port */
27069 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27070 - }, { /* end: all zeroes */ }
27071 + }, { 0, 0, 0, 0, 0, 0, 0 }
27073 MODULE_DEVICE_TABLE(pci, port_pci_ids);
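Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` replaces a self-describing `{ /* end: all zeroes */ }` with seven positional zeros whose count is tied to the current field list of `struct pci_device_id`, and the reader loses the hint that this is the end marker. Keep the comment next to the explicit form, `}, { 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`. The same applies to the terminators in the `ti113x.h` and `yenta_socket.c` hunks further down.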
27075 diff -urNp linux-2.6.35.4/drivers/pci/probe.c linux-2.6.35.4/drivers/pci/probe.c
27076 --- linux-2.6.35.4/drivers/pci/probe.c 2010-08-26 19:47:12.000000000 -0400
27077 +++ linux-2.6.35.4/drivers/pci/probe.c 2010-09-17 20:12:09.000000000 -0400
27078 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
27082 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27083 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27084 struct device_attribute *attr,
27087 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27090 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27091 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27092 struct device_attribute *attr,
27095 diff -urNp linux-2.6.35.4/drivers/pci/proc.c linux-2.6.35.4/drivers/pci/proc.c
27096 --- linux-2.6.35.4/drivers/pci/proc.c 2010-08-26 19:47:12.000000000 -0400
27097 +++ linux-2.6.35.4/drivers/pci/proc.c 2010-09-17 20:12:37.000000000 -0400
27098 @@ -481,7 +481,16 @@ static const struct file_operations proc
27099 static int __init pci_proc_init(void)
27101 struct pci_dev *dev = NULL;
27103 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27104 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27105 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27106 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27107 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27110 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27112 proc_create("devices", 0, proc_bus_pci_dir,
27113 &proc_bus_pci_dev_operations);
27114 proc_initialized = 1;
27115 diff -urNp linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c
27116 --- linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c 2010-08-26 19:47:12.000000000 -0400
27117 +++ linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c 2010-09-17 20:12:09.000000000 -0400
27118 @@ -850,7 +850,7 @@ static int ds_ioctl(struct file *file, u
27122 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
27123 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
27127 diff -urNp linux-2.6.35.4/drivers/pcmcia/ti113x.h linux-2.6.35.4/drivers/pcmcia/ti113x.h
27128 --- linux-2.6.35.4/drivers/pcmcia/ti113x.h 2010-08-26 19:47:12.000000000 -0400
27129 +++ linux-2.6.35.4/drivers/pcmcia/ti113x.h 2010-09-17 20:12:09.000000000 -0400
27130 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27131 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27132 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27135 + { 0, 0, 0, 0, 0, 0, 0 }
27138 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27139 diff -urNp linux-2.6.35.4/drivers/pcmcia/yenta_socket.c linux-2.6.35.4/drivers/pcmcia/yenta_socket.c
27140 --- linux-2.6.35.4/drivers/pcmcia/yenta_socket.c 2010-08-26 19:47:12.000000000 -0400
27141 +++ linux-2.6.35.4/drivers/pcmcia/yenta_socket.c 2010-09-17 20:12:09.000000000 -0400
27142 @@ -1428,7 +1428,7 @@ static struct pci_device_id yenta_table[
27144 /* match any cardbus bridge */
27145 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27146 - { /* all zeroes */ }
27147 + { 0, 0, 0, 0, 0, 0, 0 }
27149 MODULE_DEVICE_TABLE(pci, yenta_table);
27151 diff -urNp linux-2.6.35.4/drivers/platform/x86/acer-wmi.c linux-2.6.35.4/drivers/platform/x86/acer-wmi.c
27152 --- linux-2.6.35.4/drivers/platform/x86/acer-wmi.c 2010-08-26 19:47:12.000000000 -0400
27153 +++ linux-2.6.35.4/drivers/platform/x86/acer-wmi.c 2010-09-17 20:12:09.000000000 -0400
27154 @@ -916,7 +916,7 @@ static int update_bl_status(struct backl
27158 -static struct backlight_ops acer_bl_ops = {
27159 +static const struct backlight_ops acer_bl_ops = {
27160 .get_brightness = read_brightness,
27161 .update_status = update_bl_status,
27163 diff -urNp linux-2.6.35.4/drivers/platform/x86/asus_acpi.c linux-2.6.35.4/drivers/platform/x86/asus_acpi.c
27164 --- linux-2.6.35.4/drivers/platform/x86/asus_acpi.c 2010-08-26 19:47:12.000000000 -0400
27165 +++ linux-2.6.35.4/drivers/platform/x86/asus_acpi.c 2010-09-17 20:12:09.000000000 -0400
27166 @@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
27170 -static struct backlight_ops asus_backlight_data = {
27171 +static const struct backlight_ops asus_backlight_data = {
27172 .get_brightness = read_brightness,
27173 .update_status = set_brightness_status,
27175 diff -urNp linux-2.6.35.4/drivers/platform/x86/asus-laptop.c linux-2.6.35.4/drivers/platform/x86/asus-laptop.c
27176 --- linux-2.6.35.4/drivers/platform/x86/asus-laptop.c 2010-08-26 19:47:12.000000000 -0400
27177 +++ linux-2.6.35.4/drivers/platform/x86/asus-laptop.c 2010-09-17 20:12:09.000000000 -0400
27178 @@ -224,7 +224,6 @@ struct asus_laptop {
27179 struct asus_led gled;
27180 struct asus_led kled;
27181 struct workqueue_struct *led_workqueue;
27183 int wireless_status;
27186 @@ -621,7 +620,7 @@ static int update_bl_status(struct backl
27187 return asus_lcd_set(asus, value);
27190 -static struct backlight_ops asusbl_ops = {
27191 +static const struct backlight_ops asusbl_ops = {
27192 .get_brightness = asus_read_brightness,
27193 .update_status = update_bl_status,
27195 diff -urNp linux-2.6.35.4/drivers/platform/x86/compal-laptop.c linux-2.6.35.4/drivers/platform/x86/compal-laptop.c
27196 --- linux-2.6.35.4/drivers/platform/x86/compal-laptop.c 2010-08-26 19:47:12.000000000 -0400
27197 +++ linux-2.6.35.4/drivers/platform/x86/compal-laptop.c 2010-09-17 20:12:09.000000000 -0400
27198 @@ -168,7 +168,7 @@ static int bl_update_status(struct backl
27199 return set_lcd_level(b->props.brightness);
27202 -static struct backlight_ops compalbl_ops = {
27203 +static const struct backlight_ops compalbl_ops = {
27204 .get_brightness = bl_get_brightness,
27205 .update_status = bl_update_status,
27207 diff -urNp linux-2.6.35.4/drivers/platform/x86/dell-laptop.c linux-2.6.35.4/drivers/platform/x86/dell-laptop.c
27208 --- linux-2.6.35.4/drivers/platform/x86/dell-laptop.c 2010-08-26 19:47:12.000000000 -0400
27209 +++ linux-2.6.35.4/drivers/platform/x86/dell-laptop.c 2010-09-17 20:12:09.000000000 -0400
27210 @@ -469,7 +469,7 @@ out:
27211 return buffer->output[1];
27214 -static struct backlight_ops dell_ops = {
27215 +static const struct backlight_ops dell_ops = {
27216 .get_brightness = dell_get_intensity,
27217 .update_status = dell_send_intensity,
27219 diff -urNp linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c
27220 --- linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c 2010-08-26 19:47:12.000000000 -0400
27221 +++ linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c 2010-09-17 20:12:09.000000000 -0400
27222 @@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
27223 return set_brightness(bd, bd->props.brightness);
27226 -static struct backlight_ops eeepcbl_ops = {
27227 +static const struct backlight_ops eeepcbl_ops = {
27228 .get_brightness = read_brightness,
27229 .update_status = update_bl_status,
27231 diff -urNp linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c
27232 --- linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c 2010-08-26 19:47:12.000000000 -0400
27233 +++ linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c 2010-09-17 20:12:09.000000000 -0400
27234 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27238 -static struct backlight_ops fujitsubl_ops = {
27239 +static const struct backlight_ops fujitsubl_ops = {
27240 .get_brightness = bl_get_brightness,
27241 .update_status = bl_update_status,
27243 diff -urNp linux-2.6.35.4/drivers/platform/x86/sony-laptop.c linux-2.6.35.4/drivers/platform/x86/sony-laptop.c
27244 --- linux-2.6.35.4/drivers/platform/x86/sony-laptop.c 2010-08-26 19:47:12.000000000 -0400
27245 +++ linux-2.6.35.4/drivers/platform/x86/sony-laptop.c 2010-09-17 20:12:09.000000000 -0400
27246 @@ -857,7 +857,7 @@ static int sony_backlight_get_brightness
27249 static struct backlight_device *sony_backlight_device;
27250 -static struct backlight_ops sony_backlight_ops = {
27251 +static const struct backlight_ops sony_backlight_ops = {
27252 .update_status = sony_backlight_update_status,
27253 .get_brightness = sony_backlight_get_brightness,
27255 diff -urNp linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c
27256 --- linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c 2010-08-26 19:47:12.000000000 -0400
27257 +++ linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c 2010-09-17 20:12:09.000000000 -0400
27258 @@ -6142,7 +6142,7 @@ static void tpacpi_brightness_notify_cha
27259 BACKLIGHT_UPDATE_HOTKEY);
27262 -static struct backlight_ops ibm_backlight_data = {
27263 +static const struct backlight_ops ibm_backlight_data = {
27264 .get_brightness = brightness_get,
27265 .update_status = brightness_update_status,
27267 diff -urNp linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c
27268 --- linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c 2010-08-26 19:47:12.000000000 -0400
27269 +++ linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c 2010-09-17 20:12:09.000000000 -0400
27270 @@ -741,7 +741,7 @@ static acpi_status remove_device(void)
27274 -static struct backlight_ops toshiba_backlight_data = {
27275 +static const struct backlight_ops toshiba_backlight_data = {
27276 .get_brightness = get_lcd,
27277 .update_status = set_lcd_status,
27279 diff -urNp linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c
27280 --- linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c 2010-08-26 19:47:12.000000000 -0400
27281 +++ linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c 2010-09-17 20:12:09.000000000 -0400
27282 @@ -59,7 +59,7 @@ do { \
27283 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27286 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27287 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27288 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
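Review bot: The flags argument of `GDT_ENTRY_INIT` changes from `0x4092` to `0x4093` without a comment, and the reason is not obvious from the hunk. The extra low bit is the descriptor's accessed bit; presumably it is pre-set so that loading the selector does not make the CPU write the bit back into a GDT that is otherwise only writable between `pax_open_kernel()` and `pax_close_kernel()`. If that is the intent, say so above the definition: `/* accessed bit pre-set: the CPU must not need to write to the GDT on segment load */`.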
27291 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27294 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27296 + pax_open_kernel();
27297 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27298 + pax_close_kernel();
27300 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27301 spin_lock_irqsave(&pnp_bios_lock, flags);
27302 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27304 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27306 + pax_open_kernel();
27307 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27308 + pax_close_kernel();
27312 /* If we get here and this is set then the PnP BIOS faulted on us. */
27313 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27317 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27318 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27322 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27323 pnp_bios_callpoint.offset = header->fields.pm16offset;
27324 pnp_bios_callpoint.segment = PNP_CS16;
27326 + pax_open_kernel();
27328 for_each_possible_cpu(i) {
27329 struct desc_struct *gdt = get_cpu_gdt_table(i);
27331 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27332 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27333 (unsigned long)__va(header->fields.pm16dseg));
27336 + pax_close_kernel();
27338 diff -urNp linux-2.6.35.4/drivers/pnp/quirks.c linux-2.6.35.4/drivers/pnp/quirks.c
27339 --- linux-2.6.35.4/drivers/pnp/quirks.c 2010-08-26 19:47:12.000000000 -0400
27340 +++ linux-2.6.35.4/drivers/pnp/quirks.c 2010-09-17 20:12:09.000000000 -0400
27341 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27342 /* PnP resources that might overlap PCI BARs */
27343 {"PNP0c01", quirk_system_pci_resources},
27344 {"PNP0c02", quirk_system_pci_resources},
27349 void pnp_fixup_device(struct pnp_dev *dev)
27350 diff -urNp linux-2.6.35.4/drivers/pnp/resource.c linux-2.6.35.4/drivers/pnp/resource.c
27351 --- linux-2.6.35.4/drivers/pnp/resource.c 2010-08-26 19:47:12.000000000 -0400
27352 +++ linux-2.6.35.4/drivers/pnp/resource.c 2010-09-17 20:12:09.000000000 -0400
27353 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27356 /* check if the resource is valid */
27357 - if (*irq < 0 || *irq > 15)
27361 /* check if the resource is reserved */
27362 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27365 /* check if the resource is valid */
27366 - if (*dma < 0 || *dma == 4 || *dma > 7)
27367 + if (*dma == 4 || *dma > 7)
27370 /* check if the resource is reserved */
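Review bot: Dropping `*dma < 0` from the validity test is only correct if `*dma` has an unsigned type, and the declaration of `dma` is outside this hunk, so that cannot be confirmed from here. If the type is ever changed to a signed one, the lower bound silently disappears and a negative channel would pass `*dma == 4 || *dma > 7`. I would record the assumption next to the test, e.g. `/* *dma is unsigned: only channel 4 and the upper bound need rejecting */`. The preceding pnp_check_irq hunk removes `*irq < 0` in the same way, although its replacement line is not shown on this page.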
27371 diff -urNp linux-2.6.35.4/drivers/s390/cio/qdio_debug.c linux-2.6.35.4/drivers/s390/cio/qdio_debug.c
27372 --- linux-2.6.35.4/drivers/s390/cio/qdio_debug.c 2010-08-26 19:47:12.000000000 -0400
27373 +++ linux-2.6.35.4/drivers/s390/cio/qdio_debug.c 2010-09-17 20:12:09.000000000 -0400
27374 @@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
27375 filp->f_path.dentry->d_inode->i_private);
27378 -static struct file_operations debugfs_perf_fops = {
27379 +static const struct file_operations debugfs_perf_fops = {
27380 .owner = THIS_MODULE,
27381 .open = qperf_seq_open,
27383 diff -urNp linux-2.6.35.4/drivers/scsi/ipr.c linux-2.6.35.4/drivers/scsi/ipr.c
27384 --- linux-2.6.35.4/drivers/scsi/ipr.c 2010-08-26 19:47:12.000000000 -0400
27385 +++ linux-2.6.35.4/drivers/scsi/ipr.c 2010-09-17 20:12:09.000000000 -0400
27386 @@ -6091,7 +6091,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27390 -static struct ata_port_operations ipr_sata_ops = {
27391 +static const struct ata_port_operations ipr_sata_ops = {
27392 .phy_reset = ipr_ata_phy_reset,
27393 .hardreset = ipr_sata_reset,
27394 .post_internal_cmd = ipr_ata_post_internal,
27395 diff -urNp linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c
27396 --- linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c 2010-08-26 19:47:12.000000000 -0400
27397 +++ linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c 2010-09-17 20:12:09.000000000 -0400
27398 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27399 * all together if not used XXX
27402 - atomic_t no_free_exch;
27403 - atomic_t no_free_exch_xid;
27404 - atomic_t xid_not_found;
27405 - atomic_t xid_busy;
27406 - atomic_t seq_not_found;
27407 - atomic_t non_bls_resp;
27408 + atomic_unchecked_t no_free_exch;
27409 + atomic_unchecked_t no_free_exch_xid;
27410 + atomic_unchecked_t xid_not_found;
27411 + atomic_unchecked_t xid_busy;
27412 + atomic_unchecked_t seq_not_found;
27413 + atomic_unchecked_t non_bls_resp;
27416 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
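Review bot: The six counters are switched to `atomic_unchecked_t` with no comment saying why they are exempt from overflow checking. From the `mp->stats.` accesses in the later hunks they look like pure statistics, where a wrap is harmless, but that reasoning should be written down so nobody later adds a lifetime-bearing counter to this struct under the same type. Something like `/* statistics only, never used as reference counts, so wrap-around is acceptable */` above the first field would do. The same applies to the `atomic_inc_unchecked()` call sites in the following fc_exch.c hunks and to the `vcc->stats` counters in drivers/usb/atm/usbatm.c.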
27417 @@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
27418 /* allocate memory for exchange */
27419 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27421 - atomic_inc(&mp->stats.no_free_exch);
27422 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27425 memset(ep, 0, sizeof(*ep));
27426 @@ -719,7 +719,7 @@ out:
27429 spin_unlock_bh(&pool->lock);
27430 - atomic_inc(&mp->stats.no_free_exch_xid);
27431 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27432 mempool_free(ep, mp->ep_pool);
27435 @@ -864,7 +864,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27436 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27437 ep = fc_exch_find(mp, xid);
27439 - atomic_inc(&mp->stats.xid_not_found);
27440 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27441 reject = FC_RJT_OX_ID;
27444 @@ -894,7 +894,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27445 ep = fc_exch_find(mp, xid);
27446 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27448 - atomic_inc(&mp->stats.xid_busy);
27449 + atomic_inc_unchecked(&mp->stats.xid_busy);
27450 reject = FC_RJT_RX_ID;
27453 @@ -905,7 +905,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27455 xid = ep->xid; /* get our XID */
27457 - atomic_inc(&mp->stats.xid_not_found);
27458 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27459 reject = FC_RJT_RX_ID; /* XID not found */
27462 @@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27465 if (sp->id != fh->fh_seq_id) {
27466 - atomic_inc(&mp->stats.seq_not_found);
27467 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27468 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27471 @@ -1303,22 +1303,22 @@ static void fc_exch_recv_seq_resp(struct
27473 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27475 - atomic_inc(&mp->stats.xid_not_found);
27476 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27479 if (ep->esb_stat & ESB_ST_COMPLETE) {
27480 - atomic_inc(&mp->stats.xid_not_found);
27481 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27484 if (ep->rxid == FC_XID_UNKNOWN)
27485 ep->rxid = ntohs(fh->fh_rx_id);
27486 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27487 - atomic_inc(&mp->stats.xid_not_found);
27488 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27491 if (ep->did != ntoh24(fh->fh_s_id) &&
27492 ep->did != FC_FID_FLOGI) {
27493 - atomic_inc(&mp->stats.xid_not_found);
27494 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27498 @@ -1327,7 +1327,7 @@ static void fc_exch_recv_seq_resp(struct
27499 sp->ssb_stat |= SSB_ST_RESP;
27500 sp->id = fh->fh_seq_id;
27501 } else if (sp->id != fh->fh_seq_id) {
27502 - atomic_inc(&mp->stats.seq_not_found);
27503 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27507 @@ -1390,9 +1390,9 @@ static void fc_exch_recv_resp(struct fc_
27508 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27511 - atomic_inc(&mp->stats.xid_not_found);
27512 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27514 - atomic_inc(&mp->stats.non_bls_resp);
27515 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27519 diff -urNp linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c
27520 --- linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c 2010-08-26 19:47:12.000000000 -0400
27521 +++ linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c 2010-09-17 20:12:09.000000000 -0400
27522 @@ -344,7 +344,7 @@ static int sas_ata_scr_read(struct ata_l
27526 -static struct ata_port_operations sas_sata_ops = {
27527 +static const struct ata_port_operations sas_sata_ops = {
27528 .phy_reset = sas_ata_phy_reset,
27529 .post_internal_cmd = sas_ata_post_internal,
27530 .qc_prep = ata_noop_qc_prep,
27531 diff -urNp linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h
27532 --- linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-08-26 19:47:12.000000000 -0400
27533 +++ linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-09-17 20:12:09.000000000 -0400
27538 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27539 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27540 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27543 diff -urNp linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c
27544 --- linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c 2010-08-26 19:47:12.000000000 -0400
27545 +++ linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c 2010-09-17 20:12:09.000000000 -0400
27546 @@ -3899,7 +3899,7 @@ static struct pci_driver qla2xxx_pci_dri
27547 .err_handler = &qla2xxx_err_handler,
27550 -static struct file_operations apidev_fops = {
27551 +static const struct file_operations apidev_fops = {
27552 .owner = THIS_MODULE,
27555 diff -urNp linux-2.6.35.4/drivers/scsi/scsi_logging.h linux-2.6.35.4/drivers/scsi/scsi_logging.h
27556 --- linux-2.6.35.4/drivers/scsi/scsi_logging.h 2010-08-26 19:47:12.000000000 -0400
27557 +++ linux-2.6.35.4/drivers/scsi/scsi_logging.h 2010-09-17 20:12:09.000000000 -0400
27558 @@ -51,7 +51,7 @@ do { \
27562 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27563 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27564 #endif /* CONFIG_SCSI_LOGGING */
27567 diff -urNp linux-2.6.35.4/drivers/scsi/sg.c linux-2.6.35.4/drivers/scsi/sg.c
27568 --- linux-2.6.35.4/drivers/scsi/sg.c 2010-08-26 19:47:12.000000000 -0400
27569 +++ linux-2.6.35.4/drivers/scsi/sg.c 2010-09-17 20:12:09.000000000 -0400
27570 @@ -2302,7 +2302,7 @@ struct sg_proc_leaf {
27571 const struct file_operations * fops;
27574 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27575 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27576 {"allow_dio", &adio_fops},
27577 {"debug", &debug_fops},
27578 {"def_reserved_size", &dressz_fops},
27579 @@ -2317,7 +2317,7 @@ sg_proc_init(void)
27582 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27583 - struct sg_proc_leaf * leaf;
27584 + const struct sg_proc_leaf * leaf;
27586 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27588 diff -urNp linux-2.6.35.4/drivers/serial/8250_pci.c linux-2.6.35.4/drivers/serial/8250_pci.c
27589 --- linux-2.6.35.4/drivers/serial/8250_pci.c 2010-08-26 19:47:12.000000000 -0400
27590 +++ linux-2.6.35.4/drivers/serial/8250_pci.c 2010-09-17 20:12:09.000000000 -0400
27591 @@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
27592 PCI_ANY_ID, PCI_ANY_ID,
27593 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27594 0xffff00, pbn_default },
27596 + { 0, 0, 0, 0, 0, 0, 0 }
27599 static struct pci_driver serial_pci_driver = {
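Review bot: The positional terminator `{ 0, 0, 0, 0, 0, 0, 0 }` ties this table to the current field count and order of the entry struct. If the struct gains or loses a member, the list no longer matches, and nothing in the line says it is the sentinel. I would keep a trailing comment, `{ 0, 0, 0, 0, 0, 0, 0 } /* terminating entry: all zeroes */`, or use a shared named macro for the empty entry if the tree has one. The same pattern appears in the cdc-acm.c, usblp.c, hub.c and ehci-pci.c hunks, where the twelve- and seven-zero lists replace `{ }`, and the ehci-pci.c change also drops the existing `/* end: all zeroes */` comment.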
27600 diff -urNp linux-2.6.35.4/drivers/serial/kgdboc.c linux-2.6.35.4/drivers/serial/kgdboc.c
27601 --- linux-2.6.35.4/drivers/serial/kgdboc.c 2010-08-26 19:47:12.000000000 -0400
27602 +++ linux-2.6.35.4/drivers/serial/kgdboc.c 2010-09-17 20:12:09.000000000 -0400
27605 #define MAX_CONFIG_LEN 40
27607 -static struct kgdb_io kgdboc_io_ops;
27608 +static struct kgdb_io kgdboc_io_ops;
27610 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27611 static int configured = -1;
27612 diff -urNp linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c
27613 --- linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c 2010-08-26 19:47:12.000000000 -0400
27614 +++ linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c 2010-09-17 20:12:09.000000000 -0400
27615 @@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
27616 mutex_unlock(&dev->mutex);
27619 -static struct vm_operations_struct comedi_vm_ops = {
27620 +static const struct vm_operations_struct comedi_vm_ops = {
27621 .close = comedi_unmap,
27624 diff -urNp linux-2.6.35.4/drivers/staging/dream/pmem.c linux-2.6.35.4/drivers/staging/dream/pmem.c
27625 --- linux-2.6.35.4/drivers/staging/dream/pmem.c 2010-08-26 19:47:12.000000000 -0400
27626 +++ linux-2.6.35.4/drivers/staging/dream/pmem.c 2010-09-17 20:12:09.000000000 -0400
27627 @@ -175,7 +175,7 @@ static int pmem_mmap(struct file *, stru
27628 static int pmem_open(struct inode *, struct file *);
27629 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
27631 -struct file_operations pmem_fops = {
27632 +const struct file_operations pmem_fops = {
27633 .release = pmem_release,
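Review bot: `pmem_fops` has external linkage, so adding `const` here changes the type seen by every other translation unit that declares it. Any `extern struct file_operations pmem_fops;` in a header or another file must be updated in the same patch, and none is visible in this hunk. If nothing outside pmem.c refers to the symbol, declaring it `static const struct file_operations pmem_fops` would match `debug_fops` in the next hunk and remove the question.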
27636 @@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
27637 return simple_read_from_buffer(buf, count, ppos, buffer, n);
27640 -static struct file_operations debug_fops = {
27641 +static const struct file_operations debug_fops = {
27642 .read = debug_read,
27643 .open = debug_open,
27645 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c
27646 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c 2010-08-26 19:47:12.000000000 -0400
27647 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c 2010-09-17 20:12:09.000000000 -0400
27648 @@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
27649 static dev_t adsp_devno;
27650 static struct class *adsp_class;
27652 -static struct file_operations adsp_fops = {
27653 +static const struct file_operations adsp_fops = {
27654 .owner = THIS_MODULE,
27656 .unlocked_ioctl = adsp_ioctl,
27657 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c
27658 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c 2010-08-26 19:47:12.000000000 -0400
27659 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c 2010-09-17 20:12:09.000000000 -0400
27660 @@ -1023,7 +1023,7 @@ done:
27664 -static struct file_operations audio_aac_fops = {
27665 +static const struct file_operations audio_aac_fops = {
27666 .owner = THIS_MODULE,
27667 .open = audio_open,
27668 .release = audio_release,
27669 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c
27670 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-08-26 19:47:12.000000000 -0400
27671 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-09-17 20:12:09.000000000 -0400
27672 @@ -834,7 +834,7 @@ done:
27676 -static struct file_operations audio_amrnb_fops = {
27677 +static const struct file_operations audio_amrnb_fops = {
27678 .owner = THIS_MODULE,
27679 .open = audamrnb_open,
27680 .release = audamrnb_release,
27681 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c
27682 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c 2010-08-26 19:47:12.000000000 -0400
27683 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c 2010-09-17 20:12:09.000000000 -0400
27684 @@ -806,7 +806,7 @@ dma_fail:
27688 -static struct file_operations audio_evrc_fops = {
27689 +static const struct file_operations audio_evrc_fops = {
27690 .owner = THIS_MODULE,
27691 .open = audevrc_open,
27692 .release = audevrc_release,
27693 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c
27694 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c 2010-08-26 19:47:12.000000000 -0400
27695 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c 2010-09-17 20:12:09.000000000 -0400
27696 @@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
27700 -static struct file_operations audio_fops = {
27701 +static const struct file_operations audio_fops = {
27702 .owner = THIS_MODULE,
27703 .open = audio_in_open,
27704 .release = audio_in_release,
27705 @@ -923,7 +923,7 @@ static struct file_operations audio_fops
27706 .unlocked_ioctl = audio_in_ioctl,
27709 -static struct file_operations audpre_fops = {
27710 +static const struct file_operations audpre_fops = {
27711 .owner = THIS_MODULE,
27712 .open = audpre_open,
27713 .unlocked_ioctl = audpre_ioctl,
27714 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c
27715 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c 2010-08-26 19:47:12.000000000 -0400
27716 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c 2010-09-17 20:12:09.000000000 -0400
27717 @@ -941,7 +941,7 @@ done:
27721 -static struct file_operations audio_mp3_fops = {
27722 +static const struct file_operations audio_mp3_fops = {
27723 .owner = THIS_MODULE,
27724 .open = audio_open,
27725 .release = audio_release,
27726 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c
27727 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c 2010-08-26 19:47:12.000000000 -0400
27728 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c 2010-09-17 20:12:09.000000000 -0400
27729 @@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
27733 -static struct file_operations audio_fops = {
27734 +static const struct file_operations audio_fops = {
27735 .owner = THIS_MODULE,
27736 .open = audio_open,
27737 .release = audio_release,
27738 @@ -809,7 +809,7 @@ static struct file_operations audio_fops
27739 .unlocked_ioctl = audio_ioctl,
27742 -static struct file_operations audpp_fops = {
27743 +static const struct file_operations audpp_fops = {
27744 .owner = THIS_MODULE,
27745 .open = audpp_open,
27746 .unlocked_ioctl = audpp_ioctl,
27747 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c
27748 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-08-26 19:47:12.000000000 -0400
27749 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-09-17 20:12:09.000000000 -0400
27750 @@ -817,7 +817,7 @@ err:
27754 -static struct file_operations audio_qcelp_fops = {
27755 +static const struct file_operations audio_qcelp_fops = {
27756 .owner = THIS_MODULE,
27757 .open = audqcelp_open,
27758 .release = audqcelp_release,
27759 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c
27760 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c 2010-08-26 19:47:12.000000000 -0400
27761 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c 2010-09-17 20:12:09.000000000 -0400
27762 @@ -242,7 +242,7 @@ err:
27766 -static struct file_operations snd_fops = {
27767 +static const struct file_operations snd_fops = {
27768 .owner = THIS_MODULE,
27770 .release = snd_release,
27771 diff -urNp linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c
27772 --- linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c 2010-08-26 19:47:12.000000000 -0400
27773 +++ linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c 2010-09-17 20:12:09.000000000 -0400
27774 @@ -853,7 +853,7 @@ dt3155_unlocked_ioctl(struct file *file,
27775 * needed by init_module
27777 *****************************************************/
27778 -static struct file_operations dt3155_fops = {
27779 +static const struct file_operations dt3155_fops = {
27780 .read = dt3155_read,
27781 .unlocked_ioctl = dt3155_unlocked_ioctl,
27782 .mmap = dt3155_mmap,
27783 diff -urNp linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c
27784 --- linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c 2010-08-26 19:47:12.000000000 -0400
27785 +++ linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c 2010-09-17 20:12:09.000000000 -0400
27786 @@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
27790 -static struct vm_operations_struct go7007_vm_ops = {
27791 +static const struct vm_operations_struct go7007_vm_ops = {
27792 .open = go7007_vm_open,
27793 .close = go7007_vm_close,
27794 .fault = go7007_vm_fault,
27795 diff -urNp linux-2.6.35.4/drivers/staging/hv/hv.c linux-2.6.35.4/drivers/staging/hv/hv.c
27796 --- linux-2.6.35.4/drivers/staging/hv/hv.c 2010-08-26 19:47:12.000000000 -0400
27797 +++ linux-2.6.35.4/drivers/staging/hv/hv.c 2010-09-17 20:12:09.000000000 -0400
27798 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
27799 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
27800 u32 outputAddressHi = outputAddress >> 32;
27801 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
27802 - volatile void *hypercallPage = gHvContext.HypercallPage;
27803 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
27805 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27806 Control, Input, Output);
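Review bot: `ktva_ktla(gHvContext.HypercallPage)` translates the pointer unconditionally, so if the macro applies a non-zero offset in some configurations, a NULL `HypercallPage` would no longer compare equal to NULL afterwards. Any NULL test on `hypercallPage` later in HvDoHypercall (none is visible here, and the function continues outside the hunk) should therefore be made on `gHvContext.HypercallPage` before the translation. The line also needs a short comment explaining why the stored address cannot be used directly, e.g. `/* translate the stored page address to the one usable for the call */`.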
27807 diff -urNp linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c
27808 --- linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c 2010-08-26 19:47:12.000000000 -0400
27809 +++ linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c 2010-09-17 20:12:09.000000000 -0400
27810 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
27814 -static struct backlight_ops msm_fb_bl_ops = {
27815 +static const struct backlight_ops msm_fb_bl_ops = {
27816 .get_brightness = msm_fb_bl_get_brightness,
27817 .update_status = msm_fb_bl_update_status,
27819 diff -urNp linux-2.6.35.4/drivers/staging/panel/panel.c linux-2.6.35.4/drivers/staging/panel/panel.c
27820 --- linux-2.6.35.4/drivers/staging/panel/panel.c 2010-08-26 19:47:12.000000000 -0400
27821 +++ linux-2.6.35.4/drivers/staging/panel/panel.c 2010-09-17 20:12:09.000000000 -0400
27822 @@ -1304,7 +1304,7 @@ static int lcd_release(struct inode *ino
27826 -static struct file_operations lcd_fops = {
27827 +static const struct file_operations lcd_fops = {
27828 .write = lcd_write,
27830 .release = lcd_release,
27831 @@ -1564,7 +1564,7 @@ static int keypad_release(struct inode *
27835 -static struct file_operations keypad_fops = {
27836 +static const struct file_operations keypad_fops = {
27837 .read = keypad_read, /* read */
27838 .open = keypad_open, /* open */
27839 .release = keypad_release, /* close */
27840 diff -urNp linux-2.6.35.4/drivers/staging/phison/phison.c linux-2.6.35.4/drivers/staging/phison/phison.c
27841 --- linux-2.6.35.4/drivers/staging/phison/phison.c 2010-08-26 19:47:12.000000000 -0400
27842 +++ linux-2.6.35.4/drivers/staging/phison/phison.c 2010-09-17 20:12:09.000000000 -0400
27843 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27844 ATA_BMDMA_SHT(DRV_NAME),
27847 -static struct ata_port_operations phison_ops = {
27848 +static const struct ata_port_operations phison_ops = {
27849 .inherits = &ata_bmdma_port_ops,
27850 .prereset = phison_pre_reset,
27852 diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/inode.c linux-2.6.35.4/drivers/staging/pohmelfs/inode.c
27853 --- linux-2.6.35.4/drivers/staging/pohmelfs/inode.c 2010-08-26 19:47:12.000000000 -0400
27854 +++ linux-2.6.35.4/drivers/staging/pohmelfs/inode.c 2010-09-17 20:12:09.000000000 -0400
27855 @@ -1846,7 +1846,7 @@ static int pohmelfs_fill_super(struct su
27856 mutex_init(&psb->mcache_lock);
27857 psb->mcache_root = RB_ROOT;
27858 psb->mcache_timeout = msecs_to_jiffies(5000);
27859 - atomic_long_set(&psb->mcache_gen, 0);
27860 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
27862 psb->trans_max_pages = 100;
27864 diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c
27865 --- linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c 2010-08-26 19:47:12.000000000 -0400
27866 +++ linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c 2010-09-17 20:12:09.000000000 -0400
27867 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27871 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
27872 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27874 mutex_lock(&psb->mcache_lock);
27875 err = pohmelfs_mcache_insert(psb, m);
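Review bot: `mcache_gen` feeds `m->gen`, which looks like an identifier rather than a statistic, so `atomic_long_inc_return_unchecked()` silently accepts a wrap that could hand out a `gen` value still in use. On 64-bit builds this is practically unreachable, but `atomic_long` is 32 bits wide on 32-bit builds. If `pohmelfs_mcache_insert()` keys on `gen` and rejects duplicates (its body is not visible here), the `err` path already covers this and a comment such as `/* gen may wrap; insert fails on a duplicate */` would document it. Otherwise the wrap case deserves an explicit check. The enclosing function starts and ends outside the hunk.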
27876 diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h
27877 --- linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h 2010-08-26 19:47:12.000000000 -0400
27878 +++ linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h 2010-09-17 20:12:09.000000000 -0400
27879 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27880 struct pohmelfs_sb {
27881 struct rb_root mcache_root;
27882 struct mutex mcache_lock;
27883 - atomic_long_t mcache_gen;
27884 + atomic_long_unchecked_t mcache_gen;
27885 unsigned long mcache_timeout;
27888 diff -urNp linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c
27889 --- linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c 2010-08-26 19:47:12.000000000 -0400
27890 +++ linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c 2010-09-17 20:12:09.000000000 -0400
27891 @@ -693,7 +693,7 @@ void ramzswap_slot_free_notify(struct bl
27895 -static struct block_device_operations ramzswap_devops = {
27896 +static const struct block_device_operations ramzswap_devops = {
27897 .ioctl = ramzswap_ioctl,
27898 .swap_slot_free_notify = ramzswap_slot_free_notify,
27899 .owner = THIS_MODULE
27900 diff -urNp linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c
27901 --- linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c 2010-08-26 19:47:12.000000000 -0400
27902 +++ linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c 2010-09-17 20:12:09.000000000 -0400
27903 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27904 return seq_open(file, &crypto_seq_ops);
27907 -static struct file_operations proc_crypto_ops = {
27908 +static const struct file_operations proc_crypto_ops = {
27909 .open = crypto_info_open,
27911 .llseek = seq_lseek,
27912 diff -urNp linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c
27913 --- linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c 2010-08-26 19:47:12.000000000 -0400
27914 +++ linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c 2010-09-17 20:12:09.000000000 -0400
27915 @@ -269,7 +269,7 @@ static int update_status(struct backligh
27919 -static struct backlight_ops backlight_ops = {
27920 +static const struct backlight_ops backlight_ops = {
27921 .get_brightness = get_brightness,
27922 .update_status = update_status,
27924 diff -urNp linux-2.6.35.4/drivers/staging/sep/sep_driver.c linux-2.6.35.4/drivers/staging/sep/sep_driver.c
27925 --- linux-2.6.35.4/drivers/staging/sep/sep_driver.c 2010-08-26 19:47:12.000000000 -0400
27926 +++ linux-2.6.35.4/drivers/staging/sep/sep_driver.c 2010-09-17 20:12:09.000000000 -0400
27927 @@ -2637,7 +2637,7 @@ static struct pci_driver sep_pci_driver
27928 static dev_t sep_devno;
27930 /* the files operations structure of the driver */
27931 -static struct file_operations sep_file_operations = {
27932 +static const struct file_operations sep_file_operations = {
27933 .owner = THIS_MODULE,
27934 .unlocked_ioctl = sep_ioctl,
27936 diff -urNp linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c
27937 --- linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c 2010-08-26 19:47:12.000000000 -0400
27938 +++ linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c 2010-09-17 20:12:09.000000000 -0400
27939 @@ -136,7 +136,7 @@ static long vme_user_unlocked_ioctl(stru
27940 static int __init vme_user_probe(struct device *, int, int);
27941 static int __exit vme_user_remove(struct device *, int, int);
27943 -static struct file_operations vme_user_fops = {
27944 +static const struct file_operations vme_user_fops = {
27945 .open = vme_user_open,
27946 .release = vme_user_release,
27947 .read = vme_user_read,
27948 diff -urNp linux-2.6.35.4/drivers/usb/atm/usbatm.c linux-2.6.35.4/drivers/usb/atm/usbatm.c
27949 --- linux-2.6.35.4/drivers/usb/atm/usbatm.c 2010-08-26 19:47:12.000000000 -0400
27950 +++ linux-2.6.35.4/drivers/usb/atm/usbatm.c 2010-09-17 20:12:09.000000000 -0400
27951 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
27952 if (printk_ratelimit())
27953 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
27954 __func__, vpi, vci);
27955 - atomic_inc(&vcc->stats->rx_err);
27956 + atomic_inc_unchecked(&vcc->stats->rx_err);
27960 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
27961 if (length > ATM_MAX_AAL5_PDU) {
27962 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
27963 __func__, length, vcc);
27964 - atomic_inc(&vcc->stats->rx_err);
27965 + atomic_inc_unchecked(&vcc->stats->rx_err);
27969 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
27970 if (sarb->len < pdu_length) {
27971 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
27972 __func__, pdu_length, sarb->len, vcc);
27973 - atomic_inc(&vcc->stats->rx_err);
27974 + atomic_inc_unchecked(&vcc->stats->rx_err);
27978 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
27979 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
27981 - atomic_inc(&vcc->stats->rx_err);
27982 + atomic_inc_unchecked(&vcc->stats->rx_err);
27986 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
27987 if (printk_ratelimit())
27988 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
27990 - atomic_inc(&vcc->stats->rx_drop);
27991 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27995 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
27997 vcc->push(vcc, skb);
27999 - atomic_inc(&vcc->stats->rx);
28000 + atomic_inc_unchecked(&vcc->stats->rx);
28004 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
28005 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28007 usbatm_pop(vcc, skb);
28008 - atomic_inc(&vcc->stats->tx);
28009 + atomic_inc_unchecked(&vcc->stats->tx);
28011 skb = skb_dequeue(&instance->sndqueue);
28013 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
28015 return sprintf(page,
28016 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28017 - atomic_read(&atm_dev->stats.aal5.tx),
28018 - atomic_read(&atm_dev->stats.aal5.tx_err),
28019 - atomic_read(&atm_dev->stats.aal5.rx),
28020 - atomic_read(&atm_dev->stats.aal5.rx_err),
28021 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28022 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28023 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28024 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28025 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28026 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28029 if (instance->disconnected)
28030 diff -urNp linux-2.6.35.4/drivers/usb/class/cdc-acm.c linux-2.6.35.4/drivers/usb/class/cdc-acm.c
28031 --- linux-2.6.35.4/drivers/usb/class/cdc-acm.c 2010-08-26 19:47:12.000000000 -0400
28032 +++ linux-2.6.35.4/drivers/usb/class/cdc-acm.c 2010-09-17 20:12:09.000000000 -0400
28033 @@ -1619,7 +1619,7 @@ static const struct usb_device_id acm_id
28034 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28035 USB_CDC_ACM_PROTO_AT_CDMA) },
28038 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28041 MODULE_DEVICE_TABLE(usb, acm_ids);
28042 diff -urNp linux-2.6.35.4/drivers/usb/class/cdc-wdm.c linux-2.6.35.4/drivers/usb/class/cdc-wdm.c
28043 --- linux-2.6.35.4/drivers/usb/class/cdc-wdm.c 2010-08-26 19:47:12.000000000 -0400
28044 +++ linux-2.6.35.4/drivers/usb/class/cdc-wdm.c 2010-09-17 20:12:09.000000000 -0400
28045 @@ -342,7 +342,7 @@ static ssize_t wdm_write
28049 - if (!file->f_flags && O_NONBLOCK)
28050 + if (!(file->f_flags & O_NONBLOCK))
28051 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
28054 diff -urNp linux-2.6.35.4/drivers/usb/class/usblp.c linux-2.6.35.4/drivers/usb/class/usblp.c
28055 --- linux-2.6.35.4/drivers/usb/class/usblp.c 2010-08-26 19:47:12.000000000 -0400
28056 +++ linux-2.6.35.4/drivers/usb/class/usblp.c 2010-09-17 20:12:09.000000000 -0400
28057 @@ -226,7 +226,7 @@ static const struct quirk_printer_struct
28058 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28059 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28060 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28065 static int usblp_wwait(struct usblp *usblp, int nonblock);
28066 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
28067 { USB_INTERFACE_INFO(7, 1, 2) },
28068 { USB_INTERFACE_INFO(7, 1, 3) },
28069 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28070 - { } /* Terminating entry */
28071 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28074 MODULE_DEVICE_TABLE (usb, usblp_ids);
28075 diff -urNp linux-2.6.35.4/drivers/usb/core/hcd.c linux-2.6.35.4/drivers/usb/core/hcd.c
28076 --- linux-2.6.35.4/drivers/usb/core/hcd.c 2010-08-26 19:47:12.000000000 -0400
28077 +++ linux-2.6.35.4/drivers/usb/core/hcd.c 2010-09-17 20:12:09.000000000 -0400
28078 @@ -2381,7 +2381,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28080 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28082 -struct usb_mon_operations *mon_ops;
28083 +const struct usb_mon_operations *mon_ops;
28086 * The registration is unlocked.
28087 @@ -2391,7 +2391,7 @@ struct usb_mon_operations *mon_ops;
28088 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28091 -int usb_mon_register (struct usb_mon_operations *ops)
28092 +int usb_mon_register (const struct usb_mon_operations *ops)
28096 diff -urNp linux-2.6.35.4/drivers/usb/core/hub.c linux-2.6.35.4/drivers/usb/core/hub.c
28097 --- linux-2.6.35.4/drivers/usb/core/hub.c 2010-08-26 19:47:12.000000000 -0400
28098 +++ linux-2.6.35.4/drivers/usb/core/hub.c 2010-09-17 20:12:09.000000000 -0400
28099 @@ -3453,7 +3453,7 @@ static const struct usb_device_id hub_id
28100 .bDeviceClass = USB_CLASS_HUB},
28101 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28102 .bInterfaceClass = USB_CLASS_HUB},
28103 - { } /* Terminating entry */
28104 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28107 MODULE_DEVICE_TABLE (usb, hub_id_table);
28108 diff -urNp linux-2.6.35.4/drivers/usb/core/message.c linux-2.6.35.4/drivers/usb/core/message.c
28109 --- linux-2.6.35.4/drivers/usb/core/message.c 2010-08-26 19:47:12.000000000 -0400
28110 +++ linux-2.6.35.4/drivers/usb/core/message.c 2010-09-17 20:12:09.000000000 -0400
28111 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28112 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28114 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28116 - smallbuf = kmalloc(++len, GFP_NOIO);
28118 + smallbuf = kmalloc(len, GFP_NOIO);
28121 memcpy(smallbuf, buf, len);
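Review bot: With the pre-increment gone from `kmalloc(len, GFP_NOIO)`, the visible lines allocate and `memcpy` exactly the length returned by `usb_string()`, which presumably excludes the terminating NUL, unless `len` is incremented on a line this listing does not show. The hunk header announces eight lines per side and fewer are visible, so the increment may have moved into the omitted condition; that should be confirmed against the full patch before `smallbuf` is treated as a C string. If it has moved, a comment such as `/* len now includes the terminating NUL */` above the `kmalloc` would make the dependency explicit. usb_cache_string()'s body starts and ends outside the hunk.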
28122 diff -urNp linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c
28123 --- linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c 2010-08-26 19:47:12.000000000 -0400
28124 +++ linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c 2010-09-17 20:12:09.000000000 -0400
28125 @@ -1026,6 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
28126 early_dbgp_write(NULL, &chr, 1);
28129 +/* cannot be const, see kgdbdbgp_parse_config() */
28130 static struct kgdb_io kgdbdbgp_io_ops = {
28131 .name = "kgdbdbgp",
28132 .read_char = kgdbdbgp_read_char,
28133 diff -urNp linux-2.6.35.4/drivers/usb/host/ehci-pci.c linux-2.6.35.4/drivers/usb/host/ehci-pci.c
28134 --- linux-2.6.35.4/drivers/usb/host/ehci-pci.c 2010-08-26 19:47:12.000000000 -0400
28135 +++ linux-2.6.35.4/drivers/usb/host/ehci-pci.c 2010-09-17 20:12:09.000000000 -0400
28136 @@ -419,7 +419,7 @@ static const struct pci_device_id pci_id
28137 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28138 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28140 - { /* end: all zeroes */ }
28141 + { 0, 0, 0, 0, 0, 0, 0 }
28143 MODULE_DEVICE_TABLE(pci, pci_ids);
28145 diff -urNp linux-2.6.35.4/drivers/usb/host/uhci-hcd.c linux-2.6.35.4/drivers/usb/host/uhci-hcd.c
28146 --- linux-2.6.35.4/drivers/usb/host/uhci-hcd.c 2010-08-26 19:47:12.000000000 -0400
28147 +++ linux-2.6.35.4/drivers/usb/host/uhci-hcd.c 2010-09-17 20:12:09.000000000 -0400
28148 @@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
28149 /* handle any USB UHCI controller */
28150 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28151 .driver_data = (unsigned long) &uhci_driver,
28152 - }, { /* end: all zeroes */ }
28153 + }, { 0, 0, 0, 0, 0, 0, 0 }
28156 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28157 diff -urNp linux-2.6.35.4/drivers/usb/mon/mon_main.c linux-2.6.35.4/drivers/usb/mon/mon_main.c
28158 --- linux-2.6.35.4/drivers/usb/mon/mon_main.c 2010-08-26 19:47:12.000000000 -0400
28159 +++ linux-2.6.35.4/drivers/usb/mon/mon_main.c 2010-09-17 20:12:09.000000000 -0400
28160 @@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
28164 -static struct usb_mon_operations mon_ops_0 = {
28165 +static const struct usb_mon_operations mon_ops_0 = {
28166 .urb_submit = mon_submit,
28167 .urb_submit_error = mon_submit_error,
28168 .urb_complete = mon_complete,
28169 diff -urNp linux-2.6.35.4/drivers/usb/storage/debug.h linux-2.6.35.4/drivers/usb/storage/debug.h
28170 --- linux-2.6.35.4/drivers/usb/storage/debug.h 2010-08-26 19:47:12.000000000 -0400
28171 +++ linux-2.6.35.4/drivers/usb/storage/debug.h 2010-09-17 20:12:09.000000000 -0400
28172 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28173 #define US_DEBUGPX(x...) printk( x )
28174 #define US_DEBUG(x) x
28176 -#define US_DEBUGP(x...)
28177 -#define US_DEBUGPX(x...)
28178 -#define US_DEBUG(x)
28179 +#define US_DEBUGP(x...) do {} while (0)
28180 +#define US_DEBUGPX(x...) do {} while (0)
28181 +#define US_DEBUG(x) do {} while (0)
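Review bot: The disabled variants `US_DEBUGP(x...) do {} while (0)` and `US_DEBUGPX(x...) do {} while (0)` discard their arguments before the compiler sees them, so a format/argument mismatch in a debug message goes unchecked in normal builds and only shows up once debugging is switched on. Keeping the call behind a dead branch, for example `#define US_DEBUGPX(x...) do { if (0) printk(x); } while (0)`, preserves the statement-safe form this hunk introduces while still type-checking the format string. The same applies to the `DPRINTK` stub in the fbmon.c hunk further down.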
28185 diff -urNp linux-2.6.35.4/drivers/usb/storage/usb.c linux-2.6.35.4/drivers/usb/storage/usb.c
28186 --- linux-2.6.35.4/drivers/usb/storage/usb.c 2010-08-26 19:47:12.000000000 -0400
28187 +++ linux-2.6.35.4/drivers/usb/storage/usb.c 2010-09-17 20:12:09.000000000 -0400
28188 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28190 static struct us_unusual_dev us_unusual_dev_list[] = {
28191 # include "unusual_devs.h"
28192 - { } /* Terminating entry */
28193 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28197 diff -urNp linux-2.6.35.4/drivers/usb/storage/usual-tables.c linux-2.6.35.4/drivers/usb/storage/usual-tables.c
28198 --- linux-2.6.35.4/drivers/usb/storage/usual-tables.c 2010-08-26 19:47:12.000000000 -0400
28199 +++ linux-2.6.35.4/drivers/usb/storage/usual-tables.c 2010-09-17 20:12:09.000000000 -0400
28202 struct usb_device_id usb_storage_usb_ids[] = {
28203 # include "unusual_devs.h"
28204 - { } /* Terminating entry */
28205 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28207 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28209 diff -urNp linux-2.6.35.4/drivers/uwb/wlp/messages.c linux-2.6.35.4/drivers/uwb/wlp/messages.c
28210 --- linux-2.6.35.4/drivers/uwb/wlp/messages.c 2010-08-26 19:47:12.000000000 -0400
28211 +++ linux-2.6.35.4/drivers/uwb/wlp/messages.c 2010-09-17 20:12:09.000000000 -0400
28212 @@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
28213 size_t len = skb->len;
28216 - struct wlp_nonce enonce, rnonce;
28217 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
28218 enum wlp_assc_error assc_err;
28219 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
28220 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
28221 diff -urNp linux-2.6.35.4/drivers/vhost/vhost.c linux-2.6.35.4/drivers/vhost/vhost.c
28222 --- linux-2.6.35.4/drivers/vhost/vhost.c 2010-08-26 19:47:12.000000000 -0400
28223 +++ linux-2.6.35.4/drivers/vhost/vhost.c 2010-09-17 20:12:09.000000000 -0400
28224 @@ -357,7 +357,7 @@ static int init_used(struct vhost_virtqu
28225 return get_user(vq->last_used_idx, &used->idx);
28228 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28229 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28231 struct file *eventfp, *filep = NULL,
28232 *pollstart = NULL, *pollstop = NULL;
28233 diff -urNp linux-2.6.35.4/drivers/video/atmel_lcdfb.c linux-2.6.35.4/drivers/video/atmel_lcdfb.c
28234 --- linux-2.6.35.4/drivers/video/atmel_lcdfb.c 2010-08-26 19:47:12.000000000 -0400
28235 +++ linux-2.6.35.4/drivers/video/atmel_lcdfb.c 2010-09-17 20:12:09.000000000 -0400
28236 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28237 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28240 -static struct backlight_ops atmel_lcdc_bl_ops = {
28241 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28242 .update_status = atmel_bl_update_status,
28243 .get_brightness = atmel_bl_get_brightness,
28245 diff -urNp linux-2.6.35.4/drivers/video/aty/aty128fb.c linux-2.6.35.4/drivers/video/aty/aty128fb.c
28246 --- linux-2.6.35.4/drivers/video/aty/aty128fb.c 2010-08-26 19:47:12.000000000 -0400
28247 +++ linux-2.6.35.4/drivers/video/aty/aty128fb.c 2010-09-17 20:12:09.000000000 -0400
28248 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28249 return bd->props.brightness;
28252 -static struct backlight_ops aty128_bl_data = {
28253 +static const struct backlight_ops aty128_bl_data = {
28254 .get_brightness = aty128_bl_get_brightness,
28255 .update_status = aty128_bl_update_status,
28257 diff -urNp linux-2.6.35.4/drivers/video/aty/atyfb_base.c linux-2.6.35.4/drivers/video/aty/atyfb_base.c
28258 --- linux-2.6.35.4/drivers/video/aty/atyfb_base.c 2010-08-26 19:47:12.000000000 -0400
28259 +++ linux-2.6.35.4/drivers/video/aty/atyfb_base.c 2010-09-17 20:12:09.000000000 -0400
28260 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
28261 return bd->props.brightness;
28264 -static struct backlight_ops aty_bl_data = {
28265 +static const struct backlight_ops aty_bl_data = {
28266 .get_brightness = aty_bl_get_brightness,
28267 .update_status = aty_bl_update_status,
28269 diff -urNp linux-2.6.35.4/drivers/video/aty/radeon_backlight.c linux-2.6.35.4/drivers/video/aty/radeon_backlight.c
28270 --- linux-2.6.35.4/drivers/video/aty/radeon_backlight.c 2010-08-26 19:47:12.000000000 -0400
28271 +++ linux-2.6.35.4/drivers/video/aty/radeon_backlight.c 2010-09-17 20:12:09.000000000 -0400
28272 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28273 return bd->props.brightness;
28276 -static struct backlight_ops radeon_bl_data = {
28277 +static const struct backlight_ops radeon_bl_data = {
28278 .get_brightness = radeon_bl_get_brightness,
28279 .update_status = radeon_bl_update_status,
28281 diff -urNp linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c
28282 --- linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c 2010-08-26 19:47:12.000000000 -0400
28283 +++ linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c 2010-09-17 20:12:09.000000000 -0400
28284 @@ -155,7 +155,7 @@ out:
28288 -static struct backlight_ops pm860x_backlight_ops = {
28289 +static const struct backlight_ops pm860x_backlight_ops = {
28290 .options = BL_CORE_SUSPENDRESUME,
28291 .update_status = pm860x_backlight_update_status,
28292 .get_brightness = pm860x_backlight_get_brightness,
28293 diff -urNp linux-2.6.35.4/drivers/video/backlight/max8925_bl.c linux-2.6.35.4/drivers/video/backlight/max8925_bl.c
28294 --- linux-2.6.35.4/drivers/video/backlight/max8925_bl.c 2010-08-26 19:47:12.000000000 -0400
28295 +++ linux-2.6.35.4/drivers/video/backlight/max8925_bl.c 2010-09-17 20:12:09.000000000 -0400
28296 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28300 -static struct backlight_ops max8925_backlight_ops = {
28301 +static const struct backlight_ops max8925_backlight_ops = {
28302 .options = BL_CORE_SUSPENDRESUME,
28303 .update_status = max8925_backlight_update_status,
28304 .get_brightness = max8925_backlight_get_brightness,
28305 diff -urNp linux-2.6.35.4/drivers/video/fbcmap.c linux-2.6.35.4/drivers/video/fbcmap.c
28306 --- linux-2.6.35.4/drivers/video/fbcmap.c 2010-08-26 19:47:12.000000000 -0400
28307 +++ linux-2.6.35.4/drivers/video/fbcmap.c 2010-09-17 20:12:09.000000000 -0400
28308 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28312 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28313 - !info->fbops->fb_setcmap)) {
28314 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
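Review bot: Dropping `cmap->start < 0` leaves the visible condition checking only that the driver provides a colour-map hook, so the lower bound on the user-supplied `start` now rests entirely on the field's type. If `start` is unsigned (presumably the reason the comparison is removed), the old test was dead code, and a comment such as `/* cmap->start is unsigned, so no lower-bound test is needed */` would stop a later reader from re-adding it or from assuming a range check exists here. The do_fb_ioctl() hunk in fbmem.c relies on the same reasoning when it reduces the test to `con2fb.framebuffer >= FB_MAX` before indexing `registered_fb[con2fb.framebuffer]`, and deserves the same comment. Both function bodies start and end outside their hunks.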
28318 diff -urNp linux-2.6.35.4/drivers/video/fbmem.c linux-2.6.35.4/drivers/video/fbmem.c
28319 --- linux-2.6.35.4/drivers/video/fbmem.c 2010-08-26 19:47:12.000000000 -0400
28320 +++ linux-2.6.35.4/drivers/video/fbmem.c 2010-09-17 20:12:09.000000000 -0400
28321 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28322 image->dx += image->width + 8;
28324 } else if (rotate == FB_ROTATE_UD) {
28325 - for (x = 0; x < num && image->dx >= 0; x++) {
28326 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28327 info->fbops->fb_imageblit(info, image);
28328 image->dx -= image->width + 8;
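Review bot: The loop guard `(__s32)image->dx >= 0` terminates the loop only because `image->dx -= image->width + 8` wraps below zero and the cast reinterprets the result as negative, which assumes `dx` is an unsigned field; none of that is evident from the line itself. A comment such as `/* dx is unsigned; the cast detects wrap-around past 0 */` above the `for` would document it. The same applies to the `(__s32)image->dy` guard in the FB_ROTATE_CCW hunk that follows. fb_do_show_logo()'s body starts and ends outside both hunks.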
28330 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28331 image->dy += image->height + 8;
28333 } else if (rotate == FB_ROTATE_CCW) {
28334 - for (x = 0; x < num && image->dy >= 0; x++) {
28335 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28336 info->fbops->fb_imageblit(info, image);
28337 image->dy -= image->height + 8;
28339 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
28341 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28343 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28344 + if (con2fb.framebuffer >= FB_MAX)
28346 if (!registered_fb[con2fb.framebuffer])
28347 request_module("fb%d", con2fb.framebuffer);
28348 diff -urNp linux-2.6.35.4/drivers/video/fbmon.c linux-2.6.35.4/drivers/video/fbmon.c
28349 --- linux-2.6.35.4/drivers/video/fbmon.c 2010-08-26 19:47:12.000000000 -0400
28350 +++ linux-2.6.35.4/drivers/video/fbmon.c 2010-09-17 20:12:09.000000000 -0400
28353 #define DPRINTK(fmt, args...) printk(fmt,## args)
28355 -#define DPRINTK(fmt, args...)
28356 +#define DPRINTK(fmt, args...) do {} while (0)
28359 #define FBMON_FIX_HEADER 1
28360 diff -urNp linux-2.6.35.4/drivers/video/i810/i810_accel.c linux-2.6.35.4/drivers/video/i810/i810_accel.c
28361 --- linux-2.6.35.4/drivers/video/i810/i810_accel.c 2010-08-26 19:47:12.000000000 -0400
28362 +++ linux-2.6.35.4/drivers/video/i810/i810_accel.c 2010-09-17 20:12:09.000000000 -0400
28363 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28366 printk("ringbuffer lockup!!!\n");
28367 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28368 i810_report_error(mmio);
28369 par->dev_flags |= LOCKUP;
28370 info->pixmap.scan_align = 1;
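Review bot: The added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` has no log level and no driver prefix, so on a ring-buffer lockup the diagnostic is emitted at the default level and is hard to attribute. Something like `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` would address both. The `%u` conversions also assume all four values are unsigned int, which the hunk does not show. wait_for_space()'s body starts outside the hunk.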
28371 diff -urNp linux-2.6.35.4/drivers/video/i810/i810_main.c linux-2.6.35.4/drivers/video/i810/i810_main.c
28372 --- linux-2.6.35.4/drivers/video/i810/i810_main.c 2010-08-26 19:47:12.000000000 -0400
28373 +++ linux-2.6.35.4/drivers/video/i810/i810_main.c 2010-09-17 20:12:09.000000000 -0400
28374 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28375 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28376 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28377 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28379 + { 0, 0, 0, 0, 0, 0, 0 },
28382 static struct pci_driver i810fb_driver = {
28383 diff -urNp linux-2.6.35.4/drivers/video/modedb.c linux-2.6.35.4/drivers/video/modedb.c
28384 --- linux-2.6.35.4/drivers/video/modedb.c 2010-08-26 19:47:12.000000000 -0400
28385 +++ linux-2.6.35.4/drivers/video/modedb.c 2010-09-17 20:12:09.000000000 -0400
28386 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28388 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28389 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28390 - 0, FB_VMODE_NONINTERLACED
28391 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28393 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28394 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28395 - 0, FB_VMODE_NONINTERLACED
28396 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28398 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28399 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28400 - 0, FB_VMODE_NONINTERLACED
28401 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28403 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28404 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28405 - 0, FB_VMODE_INTERLACED
28406 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28408 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28409 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28410 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28411 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28413 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28414 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28415 - 0, FB_VMODE_NONINTERLACED
28416 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28418 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28419 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28420 - 0, FB_VMODE_NONINTERLACED
28421 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28423 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28424 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28425 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28426 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28428 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28429 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28430 - 0, FB_VMODE_NONINTERLACED
28431 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28433 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28434 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28435 - 0, FB_VMODE_INTERLACED
28436 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28438 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28439 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28440 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28441 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28443 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28444 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28445 - 0, FB_VMODE_NONINTERLACED
28446 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28448 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28449 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28450 - 0, FB_VMODE_NONINTERLACED
28451 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28453 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28454 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28455 - 0, FB_VMODE_NONINTERLACED
28456 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28458 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28459 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28460 - 0, FB_VMODE_NONINTERLACED
28461 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28463 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28464 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28465 - 0, FB_VMODE_NONINTERLACED
28466 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28468 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28469 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28470 - 0, FB_VMODE_INTERLACED
28471 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28473 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28474 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28475 - 0, FB_VMODE_NONINTERLACED
28476 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28478 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28479 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28480 - 0, FB_VMODE_NONINTERLACED
28481 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28483 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28484 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28485 - 0, FB_VMODE_NONINTERLACED
28486 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28488 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28489 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28490 - 0, FB_VMODE_NONINTERLACED
28491 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28493 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28494 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28495 - 0, FB_VMODE_NONINTERLACED
28496 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28498 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28499 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28500 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28501 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28503 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28504 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28505 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28506 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28508 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28509 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28510 - 0, FB_VMODE_NONINTERLACED
28511 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28513 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28514 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28515 - 0, FB_VMODE_NONINTERLACED
28516 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28518 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28519 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28520 - 0, FB_VMODE_NONINTERLACED
28521 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28523 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28524 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28525 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28526 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28528 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28529 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28530 - 0, FB_VMODE_NONINTERLACED
28531 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28533 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28534 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28535 - 0, FB_VMODE_NONINTERLACED
28536 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28538 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28539 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28540 - 0, FB_VMODE_NONINTERLACED
28541 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28543 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28544 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28545 - 0, FB_VMODE_NONINTERLACED
28546 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28548 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28549 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28550 - 0, FB_VMODE_NONINTERLACED
28551 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28553 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28554 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28555 - 0, FB_VMODE_NONINTERLACED
28556 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28558 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28559 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28560 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28561 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28563 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28564 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28565 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28566 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28568 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28569 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28570 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28571 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28573 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28574 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28575 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28576 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28578 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28579 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28580 - 0, FB_VMODE_NONINTERLACED
28581 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28583 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28584 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28585 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28586 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28588 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28589 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28590 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28591 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28593 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28594 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28595 - 0, FB_VMODE_NONINTERLACED
28596 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28598 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28599 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28600 - 0, FB_VMODE_NONINTERLACED
28601 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28603 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28604 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28605 - 0, FB_VMODE_DOUBLE
28606 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28608 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28609 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28610 - 0, FB_VMODE_DOUBLE
28611 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28613 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28614 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28615 - 0, FB_VMODE_DOUBLE
28616 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28618 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28619 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28620 - 0, FB_VMODE_DOUBLE
28621 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28623 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28624 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28625 - 0, FB_VMODE_DOUBLE
28626 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28628 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28629 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28630 - 0, FB_VMODE_DOUBLE
28631 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28633 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28634 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28635 - 0, FB_VMODE_DOUBLE
28636 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28638 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28639 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28640 - 0, FB_VMODE_DOUBLE
28641 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28643 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28644 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28645 - 0, FB_VMODE_DOUBLE
28646 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28648 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28649 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28650 - 0, FB_VMODE_DOUBLE
28651 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28653 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28654 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28655 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28656 - FB_VMODE_NONINTERLACED
28657 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28659 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28660 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28661 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28662 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28664 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28665 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28666 - 0, FB_VMODE_NONINTERLACED
28667 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28669 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28670 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28671 - 0, FB_VMODE_NONINTERLACED
28672 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28674 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28675 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28676 - 0, FB_VMODE_INTERLACED
28677 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28679 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28680 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28681 - 0, FB_VMODE_INTERLACED
28682 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28686 diff -urNp linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c
28687 --- linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c 2010-08-26 19:47:12.000000000 -0400
28688 +++ linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c 2010-09-17 20:12:09.000000000 -0400
28689 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28690 return bd->props.brightness;
28693 -static struct backlight_ops nvidia_bl_ops = {
28694 +static const struct backlight_ops nvidia_bl_ops = {
28695 .get_brightness = nvidia_bl_get_brightness,
28696 .update_status = nvidia_bl_update_status,
28698 diff -urNp linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c
28699 --- linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c 2010-08-26 19:47:12.000000000 -0400
28700 +++ linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c 2010-09-17 20:12:09.000000000 -0400
28701 @@ -319,7 +319,7 @@ static int taal_bl_get_intensity(struct
28705 -static struct backlight_ops taal_bl_ops = {
28706 +static const struct backlight_ops taal_bl_ops = {
28707 .get_brightness = taal_bl_get_intensity,
28708 .update_status = taal_bl_update_status,
28710 diff -urNp linux-2.6.35.4/drivers/video/riva/fbdev.c linux-2.6.35.4/drivers/video/riva/fbdev.c
28711 --- linux-2.6.35.4/drivers/video/riva/fbdev.c 2010-08-26 19:47:12.000000000 -0400
28712 +++ linux-2.6.35.4/drivers/video/riva/fbdev.c 2010-09-17 20:12:09.000000000 -0400
28713 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
28714 return bd->props.brightness;
28717 -static struct backlight_ops riva_bl_ops = {
28718 +static const struct backlight_ops riva_bl_ops = {
28719 .get_brightness = riva_bl_get_brightness,
28720 .update_status = riva_bl_update_status,
28722 diff -urNp linux-2.6.35.4/drivers/video/uvesafb.c linux-2.6.35.4/drivers/video/uvesafb.c
28723 --- linux-2.6.35.4/drivers/video/uvesafb.c 2010-08-26 19:47:12.000000000 -0400
28724 +++ linux-2.6.35.4/drivers/video/uvesafb.c 2010-09-17 20:12:09.000000000 -0400
28726 #include <linux/io.h>
28727 #include <linux/mutex.h>
28728 #include <linux/slab.h>
28729 +#include <linux/moduleloader.h>
28730 #include <video/edid.h>
28731 #include <video/uvesafb.h>
28733 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28737 - return call_usermodehelper(v86d_path, argv, envp, 1);
28738 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28742 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
28743 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28744 par->pmi_setpal = par->ypan = 0;
28747 +#ifdef CONFIG_PAX_KERNEXEC
28748 +#ifdef CONFIG_MODULES
28749 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28751 + if (!par->pmi_code) {
28752 + par->pmi_setpal = par->ypan = 0;
28757 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28758 + task->t.regs.edi);
28760 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28761 + pax_open_kernel();
28762 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
28763 + pax_close_kernel();
28765 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28766 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28768 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28769 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28772 printk(KERN_INFO "uvesafb: protected mode interface info at "
28774 (u16)task->t.regs.es, (u16)task->t.regs.edi);
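Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` come from firmware-supplied data and are added to `par->pmi_code` without being compared with the `(u16)task->t.regs.ecx` bytes that were allocated and copied, so `pmi_start` and `pmi_pal` can end up pointing outside the executable buffer. A guard before the assignments, e.g. `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)` followed by clearing `par->pmi_setpal` and `par->ypan` as the allocation-failure path does, would keep both entry points inside the copy; a zero length in ecx deserves the same treatment. The vesafb.c probe hunk below has the same gap with `screen_info.vesapm_size` and `pmi_base[1]`/`pmi_base[2]`. Some preprocessor lines of this hunk are not shown in this listing, so the exact branch structure should be checked against the full patch.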
28775 @@ -1800,6 +1823,11 @@ out:
28776 if (par->vbe_modes)
28777 kfree(par->vbe_modes);
28779 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28780 + if (par->pmi_code)
28781 + module_free_exec(NULL, par->pmi_code);
28784 framebuffer_release(info);
28787 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
28788 kfree(par->vbe_state_orig);
28789 if (par->vbe_state_saved)
28790 kfree(par->vbe_state_saved);
28792 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28793 + if (par->pmi_code)
28794 + module_free_exec(NULL, par->pmi_code);
28799 framebuffer_release(info);
28800 diff -urNp linux-2.6.35.4/drivers/video/vesafb.c linux-2.6.35.4/drivers/video/vesafb.c
28801 --- linux-2.6.35.4/drivers/video/vesafb.c 2010-08-26 19:47:12.000000000 -0400
28802 +++ linux-2.6.35.4/drivers/video/vesafb.c 2010-09-17 20:12:09.000000000 -0400
28806 #include <linux/module.h>
28807 +#include <linux/moduleloader.h>
28808 #include <linux/kernel.h>
28809 #include <linux/errno.h>
28810 #include <linux/string.h>
28811 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
28812 static int vram_total __initdata; /* Set total amount of memory */
28813 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
28814 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
28815 -static void (*pmi_start)(void) __read_mostly;
28816 -static void (*pmi_pal) (void) __read_mostly;
28817 +static void (*pmi_start)(void) __read_only;
28818 +static void (*pmi_pal) (void) __read_only;
28819 static int depth __read_mostly;
28820 static int vga_compat __read_mostly;
28821 /* --------------------------------------------------------------------- */
28822 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
28823 unsigned int size_vmode;
28824 unsigned int size_remap;
28825 unsigned int size_total;
28826 + void *pmi_code = NULL;
28828 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
28830 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
28831 size_remap = size_total;
28832 vesafb_fix.smem_len = size_remap;
28835 - screen_info.vesapm_seg = 0;
28838 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
28839 printk(KERN_WARNING
28840 "vesafb: cannot reserve video memory at 0x%lx\n",
28841 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
28842 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
28843 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
28847 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28848 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
28850 +#elif !defined(CONFIG_PAX_KERNEXEC)
28855 + screen_info.vesapm_seg = 0;
28857 if (screen_info.vesapm_seg) {
28858 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
28859 - screen_info.vesapm_seg,screen_info.vesapm_off);
28860 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
28861 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
28864 if (screen_info.vesapm_seg < 0xc000)
28865 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
28867 if (ypan || pmi_setpal) {
28868 unsigned short *pmi_base;
28869 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28870 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
28871 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
28873 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28875 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28876 + pax_open_kernel();
28877 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
28879 + pmi_code = pmi_base;
28882 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
28883 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
28885 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28886 + pmi_start = ktva_ktla(pmi_start);
28887 + pmi_pal = ktva_ktla(pmi_pal);
28888 + pax_close_kernel();
28891 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
28893 printk(KERN_INFO "vesafb: pmi: ports = ");
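Review bot: The entry offsets `pmi_base[1]` and `pmi_base[2]` are added to `pmi_code` without being compared against `screen_info.vesapm_size`, so under KERNEXEC `pmi_start` and `pmi_pal` can end up outside the `vesapm_size`-byte executable copy that the `memcpy` above fills. Both the size and the offsets come from the firmware-supplied table, so the PMI setup should be skipped when `pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size`. Several lines of this hunk (the `#else`/`#endif` arms) are missing from the listing, and vesafb_probe continues outside it.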
28894 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
28895 info->node, info->fix.id);
28899 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28900 + module_free_exec(NULL, pmi_code);
28903 if (info->screen_base)
28904 iounmap(info->screen_base);
28905 framebuffer_release(info);
28906 diff -urNp linux-2.6.35.4/fs/9p/vfs_inode.c linux-2.6.35.4/fs/9p/vfs_inode.c
28907 --- linux-2.6.35.4/fs/9p/vfs_inode.c 2010-08-26 19:47:12.000000000 -0400
28908 +++ linux-2.6.35.4/fs/9p/vfs_inode.c 2010-09-17 20:12:09.000000000 -0400
28909 @@ -1087,7 +1087,7 @@ static void *v9fs_vfs_follow_link(struct
28911 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
28913 - char *s = nd_get_link(nd);
28914 + const char *s = nd_get_link(nd);
28916 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
28917 IS_ERR(s) ? "<error>" : s);
28918 diff -urNp linux-2.6.35.4/fs/aio.c linux-2.6.35.4/fs/aio.c
28919 --- linux-2.6.35.4/fs/aio.c 2010-08-26 19:47:12.000000000 -0400
28920 +++ linux-2.6.35.4/fs/aio.c 2010-09-17 20:12:09.000000000 -0400
28921 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
28922 size += sizeof(struct io_event) * nr_events;
28923 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
28925 - if (nr_pages < 0)
28926 + if (nr_pages <= 0)
28929 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
28930 diff -urNp linux-2.6.35.4/fs/attr.c linux-2.6.35.4/fs/attr.c
28931 --- linux-2.6.35.4/fs/attr.c 2010-08-26 19:47:12.000000000 -0400
28932 +++ linux-2.6.35.4/fs/attr.c 2010-09-17 20:12:37.000000000 -0400
28933 @@ -82,6 +82,7 @@ int inode_newsize_ok(const struct inode
28934 unsigned long limit;
28936 limit = rlimit(RLIMIT_FSIZE);
28937 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
28938 if (limit != RLIM_INFINITY && offset > limit)
28940 if (offset > inode->i_sb->s_maxbytes)
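Review bot: The `(unsigned long)offset` cast in the `gr_learn_resource()` call narrows the value before it is recorded, while the `offset > limit` test on the next line uses it uncast. If `offset` is a 64-bit `loff_t` (its declaration is cut off in the hunk header), a 32-bit build would record a wrapped, much smaller size for requests of 4 GiB and above. Either saturate the value before passing it or state the limitation next to the call, e.g. `/* learned value is truncated to unsigned long on 32-bit */`.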
28941 diff -urNp linux-2.6.35.4/fs/autofs/root.c linux-2.6.35.4/fs/autofs/root.c
28942 --- linux-2.6.35.4/fs/autofs/root.c 2010-08-26 19:47:12.000000000 -0400
28943 +++ linux-2.6.35.4/fs/autofs/root.c 2010-09-17 20:12:09.000000000 -0400
28944 @@ -301,7 +301,8 @@ static int autofs_root_symlink(struct in
28945 set_bit(n,sbi->symlink_bitmap);
28946 sl = &sbi->symlink[n];
28947 sl->len = strlen(symname);
28948 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
28949 + slsize = sl->len+1;
28950 + sl->data = kmalloc(slsize, GFP_KERNEL);
28952 clear_bit(n,sbi->symlink_bitmap);
28954 diff -urNp linux-2.6.35.4/fs/autofs4/symlink.c linux-2.6.35.4/fs/autofs4/symlink.c
28955 --- linux-2.6.35.4/fs/autofs4/symlink.c 2010-08-26 19:47:12.000000000 -0400
28956 +++ linux-2.6.35.4/fs/autofs4/symlink.c 2010-09-17 20:12:09.000000000 -0400
28958 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
28960 struct autofs_info *ino = autofs4_dentry_ino(dentry);
28961 - nd_set_link(nd, (char *)ino->u.symlink);
28962 + nd_set_link(nd, ino->u.symlink);
28966 diff -urNp linux-2.6.35.4/fs/befs/linuxvfs.c linux-2.6.35.4/fs/befs/linuxvfs.c
28967 --- linux-2.6.35.4/fs/befs/linuxvfs.c 2010-08-26 19:47:12.000000000 -0400
28968 +++ linux-2.6.35.4/fs/befs/linuxvfs.c 2010-09-17 20:12:09.000000000 -0400
28969 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
28971 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
28972 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
28973 - char *link = nd_get_link(nd);
28974 + const char *link = nd_get_link(nd);
28978 diff -urNp linux-2.6.35.4/fs/binfmt_aout.c linux-2.6.35.4/fs/binfmt_aout.c
28979 --- linux-2.6.35.4/fs/binfmt_aout.c 2010-08-26 19:47:12.000000000 -0400
28980 +++ linux-2.6.35.4/fs/binfmt_aout.c 2010-09-17 20:12:37.000000000 -0400
28982 #include <linux/string.h>
28983 #include <linux/fs.h>
28984 #include <linux/file.h>
28985 +#include <linux/security.h>
28986 #include <linux/stat.h>
28987 #include <linux/fcntl.h>
28988 #include <linux/ptrace.h>
28989 @@ -97,10 +98,12 @@ static int aout_core_dump(struct coredum
28991 /* If the size of the dump file exceeds the rlimit, then see what would happen
28992 if we wrote the stack, but not the data area. */
28993 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
28994 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
28997 /* Make sure we have enough room to write the stack and data areas. */
28998 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
28999 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29002 @@ -238,6 +241,8 @@ static int load_aout_binary(struct linux
29003 rlim = rlimit(RLIMIT_DATA);
29004 if (rlim >= RLIM_INFINITY)
29007 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29008 if (ex.a_data + ex.a_bss > rlim)
29011 @@ -266,6 +271,27 @@ static int load_aout_binary(struct linux
29012 install_exec_creds(bprm);
29013 current->flags &= ~PF_FORKNOEXEC;
29015 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29016 + current->mm->pax_flags = 0UL;
29019 +#ifdef CONFIG_PAX_PAGEEXEC
29020 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29021 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29023 +#ifdef CONFIG_PAX_EMUTRAMP
29024 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29025 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29028 +#ifdef CONFIG_PAX_MPROTECT
29029 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29030 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29036 if (N_MAGIC(ex) == OMAGIC) {
29037 unsigned long text_addr, map_size;
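Review bot: The three a.out header bits tested in this block do not share a polarity, and nothing in the hunk says so: `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` turn the feature off when set (`!(N_FLAGS(ex) & ...)`), while `F_PAX_EMUTRAMP` turns it on. A comment above the block such as `/* a.out header bits: PAGEEXEC and MPROTECT are opt-out, EMUTRAMP is opt-in */` would keep a later reader from "correcting" the negations. The closing `#endif`/brace lines are missing from the listing, so the nesting of the EMUTRAMP and MPROTECT tests inside the PAGEEXEC branch cannot be confirmed from here.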
29039 @@ -338,7 +364,7 @@ static int load_aout_binary(struct linux
29041 down_write(¤t->mm->mmap_sem);
29042 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29043 - PROT_READ | PROT_WRITE | PROT_EXEC,
29044 + PROT_READ | PROT_WRITE,
29045 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29046 fd_offset + ex.a_text);
29047 up_write(¤t->mm->mmap_sem);
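Review bot: Dropping `PROT_EXEC` from the data mapping is not wrapped in any `CONFIG_PAX_*` guard, unlike the flag handling added earlier in this file, so it applies to every a.out binary on a kernel built with this patch. `MAP_EXECUTABLE` is still passed on the following line, which now reads oddly next to a non-executable protection. A short comment at the call, e.g. `/* data segment is deliberately mapped without PROT_EXEC */`, would record that this is intentional and not a partial edit. load_aout_binary continues outside the hunk.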
29048 diff -urNp linux-2.6.35.4/fs/binfmt_elf.c linux-2.6.35.4/fs/binfmt_elf.c
29049 --- linux-2.6.35.4/fs/binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
29050 +++ linux-2.6.35.4/fs/binfmt_elf.c 2010-09-17 20:12:37.000000000 -0400
29051 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29052 #define elf_core_dump NULL
29055 +#ifdef CONFIG_PAX_MPROTECT
29056 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29059 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29060 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29062 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29063 .load_binary = load_elf_binary,
29064 .load_shlib = load_elf_library,
29065 .core_dump = elf_core_dump,
29067 +#ifdef CONFIG_PAX_MPROTECT
29068 + .handle_mprotect= elf_handle_mprotect,
29071 .min_coredump = ELF_EXEC_PAGESIZE,
29074 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
29076 static int set_brk(unsigned long start, unsigned long end)
29078 + unsigned long e = end;
29080 start = ELF_PAGEALIGN(start);
29081 end = ELF_PAGEALIGN(end);
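Review bot: The name `e` is too terse for a value that has to survive the `ELF_PAGEALIGN(end)` below and is stored into `start_brk`/`brk` in the next hunk of set_brk. A name like `unaligned_end` with a comment such as `/* brk keeps the exact end, not the page-aligned one */` would make the intent readable. This is presumably meant to preserve the sub-page offset that the RANDMMAP code adds to `elf_brk` later in this file. The function body continues outside both hunks.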
29083 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
29084 if (BAD_ADDR(addr))
29087 - current->mm->start_brk = current->mm->brk = end;
29088 + current->mm->start_brk = current->mm->brk = e;
29092 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29093 elf_addr_t __user *u_rand_bytes;
29094 const char *k_platform = ELF_PLATFORM;
29095 const char *k_base_platform = ELF_BASE_PLATFORM;
29096 - unsigned char k_rand_bytes[16];
29097 + u32 k_rand_bytes[4];
29099 elf_addr_t *elf_info;
29101 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29102 * Generate 16 random bytes for userspace PRNG seeding.
29104 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29105 - u_rand_bytes = (elf_addr_t __user *)
29106 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29107 + srandom32(k_rand_bytes[0] ^ random32());
29108 + srandom32(k_rand_bytes[1] ^ random32());
29109 + srandom32(k_rand_bytes[2] ^ random32());
29110 + srandom32(k_rand_bytes[3] ^ random32());
29111 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29112 + u_rand_bytes = (elf_addr_t __user *) p;
29113 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
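Review bot: The four `srandom32()` calls take their input from `k_rand_bytes`, the same words that `__copy_to_user()` hands to the new process immediately afterwards, so values that feed the kernel's pseudo-random generator are also disclosed to user space. Drawing separate input for the reseed keeps the exported bytes independent of kernel state, e.g. `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed ^ random32());`. The block also lacks a comment saying why each exec reseeds the generator at all. create_elf_tables starts and ends outside the hunk.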
29116 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29118 struct elf_phdr *elf_phdata;
29119 struct elf_phdr *eppnt;
29120 - unsigned long load_addr = 0;
29121 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29122 int load_addr_set = 0;
29123 unsigned long last_bss = 0, elf_bss = 0;
29124 - unsigned long error = ~0UL;
29125 + unsigned long error = -EINVAL;
29126 unsigned long total_size;
29127 int retval, i, size;
29129 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29133 +#ifdef CONFIG_PAX_SEGMEXEC
29134 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29135 + pax_task_size = SEGMEXEC_TASK_SIZE;
29138 eppnt = elf_phdata;
29139 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29140 if (eppnt->p_type == PT_LOAD) {
29141 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
29142 k = load_addr + eppnt->p_vaddr;
29144 eppnt->p_filesz > eppnt->p_memsz ||
29145 - eppnt->p_memsz > TASK_SIZE ||
29146 - TASK_SIZE - eppnt->p_memsz < k) {
29147 + eppnt->p_memsz > pax_task_size ||
29148 + pax_task_size - eppnt->p_memsz < k) {
29152 @@ -533,6 +553,177 @@ out:
29156 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29157 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29159 + unsigned long pax_flags = 0UL;
29161 +#ifdef CONFIG_PAX_PAGEEXEC
29162 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29163 + pax_flags |= MF_PAX_PAGEEXEC;
29166 +#ifdef CONFIG_PAX_SEGMEXEC
29167 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29168 + pax_flags |= MF_PAX_SEGMEXEC;
29171 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29172 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29173 + if ((__supported_pte_mask & _PAGE_NX))
29174 + pax_flags &= ~MF_PAX_SEGMEXEC;
29176 + pax_flags &= ~MF_PAX_PAGEEXEC;
29180 +#ifdef CONFIG_PAX_EMUTRAMP
29181 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29182 + pax_flags |= MF_PAX_EMUTRAMP;
29185 +#ifdef CONFIG_PAX_MPROTECT
29186 + if (elf_phdata->p_flags & PF_MPROTECT)
29187 + pax_flags |= MF_PAX_MPROTECT;
29190 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29191 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29192 + pax_flags |= MF_PAX_RANDMMAP;
29195 + return pax_flags;
29199 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29200 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29202 + unsigned long pax_flags = 0UL;
29204 +#ifdef CONFIG_PAX_PAGEEXEC
29205 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29206 + pax_flags |= MF_PAX_PAGEEXEC;
29209 +#ifdef CONFIG_PAX_SEGMEXEC
29210 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29211 + pax_flags |= MF_PAX_SEGMEXEC;
29214 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29215 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29216 + if ((__supported_pte_mask & _PAGE_NX))
29217 + pax_flags &= ~MF_PAX_SEGMEXEC;
29219 + pax_flags &= ~MF_PAX_PAGEEXEC;
29223 +#ifdef CONFIG_PAX_EMUTRAMP
29224 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29225 + pax_flags |= MF_PAX_EMUTRAMP;
29228 +#ifdef CONFIG_PAX_MPROTECT
29229 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29230 + pax_flags |= MF_PAX_MPROTECT;
29233 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29234 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29235 + pax_flags |= MF_PAX_RANDMMAP;
29238 + return pax_flags;
29242 +#ifdef CONFIG_PAX_EI_PAX
29243 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29245 + unsigned long pax_flags = 0UL;
29247 +#ifdef CONFIG_PAX_PAGEEXEC
29248 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29249 + pax_flags |= MF_PAX_PAGEEXEC;
29252 +#ifdef CONFIG_PAX_SEGMEXEC
29253 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29254 + pax_flags |= MF_PAX_SEGMEXEC;
29257 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29258 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29259 + if ((__supported_pte_mask & _PAGE_NX))
29260 + pax_flags &= ~MF_PAX_SEGMEXEC;
29262 + pax_flags &= ~MF_PAX_PAGEEXEC;
29266 +#ifdef CONFIG_PAX_EMUTRAMP
29267 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29268 + pax_flags |= MF_PAX_EMUTRAMP;
29271 +#ifdef CONFIG_PAX_MPROTECT
29272 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29273 + pax_flags |= MF_PAX_MPROTECT;
29276 +#ifdef CONFIG_PAX_ASLR
29277 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29278 + pax_flags |= MF_PAX_RANDMMAP;
29281 + return pax_flags;
29285 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29286 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29288 + unsigned long pax_flags = 0UL;
29290 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29294 +#ifdef CONFIG_PAX_EI_PAX
29295 + pax_flags = pax_parse_ei_pax(elf_ex);
29298 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29299 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29300 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29301 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29302 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29303 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29304 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29305 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29308 +#ifdef CONFIG_PAX_SOFTMODE
29309 + if (pax_softmode)
29310 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29314 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29319 + if (0 > pax_check_flags(&pax_flags))
29322 + current->mm->pax_flags = pax_flags;
29328 * These are the functions used to load ELF style executables and shared
29329 * libraries. There is no binary dependent code anywhere else.
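Review bot: The block that resolves a simultaneous PAGEEXEC and SEGMEXEC request is copied verbatim into `pax_parse_softmode()`, `pax_parse_hardmode()` and `pax_parse_ei_pax()`, so a future change to the NX preference has to be made three times. A small static helper called from the three existing `#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)` sites would remove the duplication. The sketch below assumes the line dropped from the listing between the two `pax_flags &= ~...` statements is an `else`. None of the four new functions has a header comment stating the polarity of the bits it reads.
```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/* When both modes are requested keep PAGEEXEC if the CPU has NX, else SEGMEXEC. */
static unsigned long pax_resolve_exec_mode(unsigned long pax_flags)
{
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) != both)
		return pax_flags;
	if (__supported_pte_mask & _PAGE_NX)
		return pax_flags & ~MF_PAX_SEGMEXEC;
	return pax_flags & ~MF_PAX_PAGEEXEC;
}
#endif

/* … unchanged: per-flag tests in the three pax_parse_* functions … */
	pax_flags = pax_resolve_exec_mode(pax_flags);
```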
29330 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29332 unsigned int random_variable = 0;
29334 +#ifdef CONFIG_PAX_RANDUSTACK
29335 + if (randomize_va_space)
29336 + return stack_top - current->mm->delta_stack;
29339 if ((current->flags & PF_RANDOMIZE) &&
29340 !(current->personality & ADDR_NO_RANDOMIZE)) {
29341 random_variable = get_random_int() & STACK_RND_MASK;
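Review bot: The early return added under `CONFIG_PAX_RANDUSTACK` skips the `PF_RANDOMIZE` and `ADDR_NO_RANDOMIZE` tests that follow, and that is not documented. With `randomize_va_space` set, the result depends only on `current->mm->delta_stack`, which a later hunk of load_elf_binary fills only when `MF_PAX_RANDMMAP` is set. A comment such as `/* PaX: stack offset comes from delta_stack (0 when RANDMMAP is off); personality flags are not consulted */` would make the changed policy explicit. The function starts and ends outside the hunk.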
29342 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29343 unsigned long load_addr = 0, load_bias = 0;
29344 int load_addr_set = 0;
29345 char * elf_interpreter = NULL;
29346 - unsigned long error;
29347 + unsigned long error = 0;
29348 struct elf_phdr *elf_ppnt, *elf_phdata;
29349 unsigned long elf_bss, elf_brk;
29351 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29352 unsigned long start_code, end_code, start_data, end_data;
29353 unsigned long reloc_func_desc = 0;
29354 int executable_stack = EXSTACK_DEFAULT;
29355 - unsigned long def_flags = 0;
29357 struct elfhdr elf_ex;
29358 struct elfhdr interp_elf_ex;
29360 + unsigned long pax_task_size = TASK_SIZE;
29362 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29364 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29366 /* OK, This is the point of no return */
29367 current->flags &= ~PF_FORKNOEXEC;
29368 - current->mm->def_flags = def_flags;
29370 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29371 + current->mm->pax_flags = 0UL;
29374 +#ifdef CONFIG_PAX_DLRESOLVE
29375 + current->mm->call_dl_resolve = 0UL;
29378 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29379 + current->mm->call_syscall = 0UL;
29382 +#ifdef CONFIG_PAX_ASLR
29383 + current->mm->delta_mmap = 0UL;
29384 + current->mm->delta_stack = 0UL;
29387 + current->mm->def_flags = 0;
29389 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29390 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29391 + send_sig(SIGKILL, current, 0);
29392 + goto out_free_dentry;
29396 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29397 + pax_set_initial_flags(bprm);
29398 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29399 + if (pax_set_initial_flags_func)
29400 + (pax_set_initial_flags_func)(bprm);
29403 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29404 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29405 + current->mm->context.user_cs_limit = PAGE_SIZE;
29406 + current->mm->def_flags |= VM_PAGEEXEC;
29410 +#ifdef CONFIG_PAX_SEGMEXEC
29411 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29412 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29413 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29414 + pax_task_size = SEGMEXEC_TASK_SIZE;
29418 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29419 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29420 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29425 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29426 may depend on the personality. */
29427 SET_PERSONALITY(loc->elf_ex);
29429 +#ifdef CONFIG_PAX_ASLR
29430 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29431 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29432 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29436 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29437 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29438 + executable_stack = EXSTACK_DISABLE_X;
29439 + current->personality &= ~READ_IMPLIES_EXEC;
29443 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29444 current->personality |= READ_IMPLIES_EXEC;
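Review bot: The failure branch for `pax_parse_elf_flags()` sends SIGKILL and jumps to `out_free_dentry` with no assignment to `retval` between the two lines. What `retval` holds at this point is not visible in the hunk, so the value returned to the caller depends on whatever the preceding code left there. Setting it explicitly, `retval = -EINVAL;` before the `goto`, would match how this function's other kill paths report an error and remove the dependency. load_elf_binary continues outside the hunk.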
29446 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29448 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29451 +#ifdef CONFIG_PAX_RANDMMAP
29452 + /* PaX: randomize base address at the default exe base if requested */
29453 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29454 +#ifdef CONFIG_SPARC64
29455 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29457 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29459 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29460 + elf_flags |= MAP_FIXED;
29466 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
29467 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29468 * allowed task size. Note that p_filesz must always be
29469 * <= p_memsz so it is only necessary to check p_memsz.
29471 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29472 - elf_ppnt->p_memsz > TASK_SIZE ||
29473 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29474 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29475 + elf_ppnt->p_memsz > pax_task_size ||
29476 + pax_task_size - elf_ppnt->p_memsz < k) {
29477 /* set_brk can never work. Avoid overflows. */
29478 send_sig(SIGKILL, current, 0);
29480 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29481 start_data += load_bias;
29482 end_data += load_bias;
29484 +#ifdef CONFIG_PAX_RANDMMAP
29485 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29486 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29489 /* Calling set_brk effectively mmaps the pages that we need
29490 * for the bss and break sections. We must do this before
29491 * mapping in the interpreter, to make sure it doesn't wind
29492 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
29493 goto out_free_dentry;
29495 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29496 - send_sig(SIGSEGV, current, 0);
29497 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29498 - goto out_free_dentry;
29500 + * This bss-zeroing can fail if the ELF
29501 + * file specifies odd protections. So
29502 + * we don't check the return value
29506 if (elf_interpreter) {
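Review bot: After this change the `if` still evaluates `padzero(elf_bss)` in its condition, but its body is only a comment, so the failure is discarded through an empty conditional that is easy to misread as an unfinished edit. Writing the call as a statement makes the intent explicit, e.g. `if (likely(elf_bss != elf_brk)) (void)padzero(elf_bss);` with the explanatory comment kept above it. The closing brace of the block is missing from the listing, so this assumes the body holds nothing else.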
29507 @@ -1091,7 +1377,7 @@ out:
29508 * Decide what to dump of a segment, part, all or none.
29510 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29511 - unsigned long mm_flags)
29512 + unsigned long mm_flags, long signr)
29514 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29516 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
29517 if (vma->vm_file == NULL)
29520 - if (FILTER(MAPPED_PRIVATE))
29521 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
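Review bot: The new `signr == SIGKILL` term has no comment, and it makes this branch taken for every SIGKILL-triggered dump regardless of the `MAPPED_PRIVATE` coredump filter bit. Core files can hold sensitive process memory, so an override of the configured filter should say why it exists, for example `/* SIGKILL dumps ignore the MAPPED_PRIVATE filter: <reason> */` with the reason filled in by the author. The statement controlled by this `if` is outside the visible lines.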
29525 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
29527 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29532 - while (auxv[i - 2] != AT_NULL);
29533 + } while (auxv[i - 2] != AT_NULL);
29534 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29537 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29540 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29541 - unsigned long mm_flags)
29542 + struct coredump_params *cprm)
29544 struct vm_area_struct *vma;
29547 for (vma = first_vma(current, gate_vma); vma != NULL;
29548 vma = next_vma(vma, gate_vma))
29549 - size += vma_dump_size(vma, mm_flags);
29550 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29554 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29556 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29558 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29559 + offset += elf_core_vma_data_size(gate_vma, cprm);
29560 offset += elf_core_extra_data_size();
29563 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29566 size += sizeof(*elf);
29567 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29568 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29571 size += sizeof(*phdr4note);
29572 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29573 if (size > cprm->limit
29574 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
29576 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
29577 phdr.p_offset = offset;
29578 phdr.p_vaddr = vma->vm_start;
29580 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29581 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29582 phdr.p_memsz = vma->vm_end - vma->vm_start;
29583 offset += phdr.p_filesz;
29584 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29585 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29586 phdr.p_align = ELF_EXEC_PAGESIZE;
29588 size += sizeof(phdr);
29589 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29590 if (size > cprm->limit
29591 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29593 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
29594 unsigned long addr;
29597 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29598 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29600 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29602 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
29603 page = get_dump_page(addr);
29605 void *kaddr = kmap(page);
29606 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29607 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29608 !dump_write(cprm->file, kaddr,
29610 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29612 if (e_phnum == PN_XNUM) {
29613 size += sizeof(*shdr4extnum);
29614 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29615 if (size > cprm->limit
29616 || !dump_write(cprm->file, shdr4extnum,
29617 sizeof(*shdr4extnum)))
29618 @@ -2068,6 +2359,97 @@ out:
29620 #endif /* CONFIG_ELF_CORE */
29622 +#ifdef CONFIG_PAX_MPROTECT
29623 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29624 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29625 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29627 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29628 + * basis because we want to allow the common case and not the special ones.
29630 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29632 + struct elfhdr elf_h;
29633 + struct elf_phdr elf_p;
29635 + unsigned long oldflags;
29636 + bool is_textrel_rw, is_textrel_rx, is_relro;
29638 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29641 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29642 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29644 +#ifdef CONFIG_PAX_ELFRELOCS
29645 + /* possible TEXTREL */
29646 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29647 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29649 + is_textrel_rw = false;
29650 + is_textrel_rx = false;
29653 + /* possible RELRO */
29654 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29656 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29659 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29660 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29662 +#ifdef CONFIG_PAX_ETEXECRELOCS
29663 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29665 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29668 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29669 + !elf_check_arch(&elf_h) ||
29670 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29671 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29674 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29675 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29677 + switch (elf_p.p_type) {
29679 + if (!is_textrel_rw && !is_textrel_rx)
29682 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29685 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29687 + if (dyn.d_tag == DT_NULL)
29689 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29690 + gr_log_textrel(vma);
29691 + if (is_textrel_rw)
29692 + vma->vm_flags |= VM_MAYWRITE;
29694 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29695 + vma->vm_flags &= ~VM_MAYWRITE;
29702 + case PT_GNU_RELRO:
29705 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29706 + vma->vm_flags &= ~VM_MAYWRITE;
29713 static int __init init_elf_binfmt(void)
29715 return register_binfmt(&elf_format);
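Review bot: In `elf_handle_mprotect()` the `PT_DYNAMIC` case reuses the program-header counter `i` as the index into the dynamic section, both in `(i+1) * sizeof(elf_dyn) <= elf_p.p_filesz` and in `elf_p.p_offset + i*sizeof(dyn)`. That is only safe if every path out of the inner loop leaves the function, which the lines dropped from the listing do not let a reader confirm. A dedicated index, `unsigned long j = 0UL;` used as `(j+1) * sizeof(elf_dyn)` and `elf_p.p_offset + j*sizeof(dyn)`, removes the coupling between the two loops. The header comment could also note that `e_phoff`, `p_offset` and `p_filesz` are read from the mapped file and are therefore untrusted.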
29716 diff -urNp linux-2.6.35.4/fs/binfmt_flat.c linux-2.6.35.4/fs/binfmt_flat.c
29717 --- linux-2.6.35.4/fs/binfmt_flat.c 2010-08-26 19:47:12.000000000 -0400
29718 +++ linux-2.6.35.4/fs/binfmt_flat.c 2010-09-17 20:12:09.000000000 -0400
29719 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
29720 realdatastart = (unsigned long) -ENOMEM;
29721 printk("Unable to allocate RAM for process data, errno %d\n",
29722 (int)-realdatastart);
29723 + down_write(¤t->mm->mmap_sem);
29724 do_munmap(current->mm, textpos, text_len);
29725 + up_write(¤t->mm->mmap_sem);
29726 ret = realdatastart;
29729 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
29731 if (IS_ERR_VALUE(result)) {
29732 printk("Unable to read data+bss, errno %d\n", (int)-result);
29733 + down_write(¤t->mm->mmap_sem);
29734 do_munmap(current->mm, textpos, text_len);
29735 do_munmap(current->mm, realdatastart, len);
29736 + up_write(¤t->mm->mmap_sem);
29740 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
29742 if (IS_ERR_VALUE(result)) {
29743 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29744 + down_write(¤t->mm->mmap_sem);
29745 do_munmap(current->mm, textpos, text_len + data_len + extra +
29746 MAX_SHARED_LIBS * sizeof(unsigned long));
29747 + up_write(¤t->mm->mmap_sem);
29751 diff -urNp linux-2.6.35.4/fs/binfmt_misc.c linux-2.6.35.4/fs/binfmt_misc.c
29752 --- linux-2.6.35.4/fs/binfmt_misc.c 2010-08-26 19:47:12.000000000 -0400
29753 +++ linux-2.6.35.4/fs/binfmt_misc.c 2010-09-17 20:12:09.000000000 -0400
29754 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
29755 static struct tree_descr bm_files[] = {
29756 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29757 [3] = {"register", &bm_register_operations, S_IWUSR},
29758 - /* last one */ {""}
29759 + /* last one */ {"", NULL, 0}
29761 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29763 diff -urNp linux-2.6.35.4/fs/bio.c linux-2.6.35.4/fs/bio.c
29764 --- linux-2.6.35.4/fs/bio.c 2010-08-26 19:47:12.000000000 -0400
29765 +++ linux-2.6.35.4/fs/bio.c 2010-09-17 20:12:09.000000000 -0400
29766 @@ -1213,7 +1213,7 @@ static void bio_copy_kern_endio(struct b
29767 const int read = bio_data_dir(bio) == READ;
29768 struct bio_map_data *bmd = bio->bi_private;
29770 - char *p = bmd->sgvecs[0].iov_base;
29771 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
29773 __bio_for_each_segment(bvec, bio, i, 0) {
29774 char *addr = page_address(bvec->bv_page);
29775 diff -urNp linux-2.6.35.4/fs/block_dev.c linux-2.6.35.4/fs/block_dev.c
29776 --- linux-2.6.35.4/fs/block_dev.c 2010-08-26 19:47:12.000000000 -0400
29777 +++ linux-2.6.35.4/fs/block_dev.c 2010-09-17 20:12:09.000000000 -0400
29778 @@ -647,7 +647,7 @@ static bool bd_may_claim(struct block_de
29779 else if (bdev->bd_contains == bdev)
29780 return true; /* is a whole device which isn't held */
29782 - else if (whole->bd_holder == bd_claim)
29783 + else if (whole->bd_holder == (void *)bd_claim)
29784 return true; /* is a partition of a device that is being partitioned */
29785 else if (whole->bd_holder != NULL)
29786 return false; /* is a partition of a held device */
29787 diff -urNp linux-2.6.35.4/fs/btrfs/ctree.c linux-2.6.35.4/fs/btrfs/ctree.c
29788 --- linux-2.6.35.4/fs/btrfs/ctree.c 2010-08-26 19:47:12.000000000 -0400
29789 +++ linux-2.6.35.4/fs/btrfs/ctree.c 2010-09-17 20:12:09.000000000 -0400
29790 @@ -3763,7 +3763,6 @@ setup_items_for_insert(struct btrfs_tran
29794 - struct btrfs_disk_key disk_key;
29795 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29796 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29798 diff -urNp linux-2.6.35.4/fs/btrfs/disk-io.c linux-2.6.35.4/fs/btrfs/disk-io.c
29799 --- linux-2.6.35.4/fs/btrfs/disk-io.c 2010-08-26 19:47:12.000000000 -0400
29800 +++ linux-2.6.35.4/fs/btrfs/disk-io.c 2010-09-17 20:12:09.000000000 -0400
29802 #include "tree-log.h"
29803 #include "free-space-cache.h"
29805 -static struct extent_io_ops btree_extent_io_ops;
29806 +static const struct extent_io_ops btree_extent_io_ops;
29807 static void end_workqueue_fn(struct btrfs_work *work);
29808 static void free_fs_root(struct btrfs_root *root);
29810 @@ -2597,7 +2597,7 @@ out:
29814 -static struct extent_io_ops btree_extent_io_ops = {
29815 +static const struct extent_io_ops btree_extent_io_ops = {
29816 .write_cache_pages_lock_hook = btree_lock_page_hook,
29817 .readpage_end_io_hook = btree_readpage_end_io_hook,
29818 .submit_bio_hook = btree_submit_bio_hook,
29819 diff -urNp linux-2.6.35.4/fs/btrfs/extent_io.h linux-2.6.35.4/fs/btrfs/extent_io.h
29820 --- linux-2.6.35.4/fs/btrfs/extent_io.h 2010-08-26 19:47:12.000000000 -0400
29821 +++ linux-2.6.35.4/fs/btrfs/extent_io.h 2010-09-17 20:12:09.000000000 -0400
29822 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
29823 struct bio *bio, int mirror_num,
29824 unsigned long bio_flags, u64 bio_offset);
29825 struct extent_io_ops {
29826 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
29827 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
29828 u64 start, u64 end, int *page_started,
29829 unsigned long *nr_written);
29830 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
29831 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
29832 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
29833 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
29834 extent_submit_bio_hook_t *submit_bio_hook;
29835 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
29836 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
29837 size_t size, struct bio *bio,
29838 unsigned long bio_flags);
29839 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
29840 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
29841 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
29842 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
29843 u64 start, u64 end,
29844 struct extent_state *state);
29845 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
29846 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
29847 u64 start, u64 end,
29848 struct extent_state *state);
29849 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29850 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29851 struct extent_state *state);
29852 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29853 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29854 struct extent_state *state, int uptodate);
29855 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
29856 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
29858 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
29859 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
29861 - int (*merge_extent_hook)(struct inode *inode,
29862 + int (* const merge_extent_hook)(struct inode *inode,
29863 struct extent_state *new,
29864 struct extent_state *other);
29865 - int (*split_extent_hook)(struct inode *inode,
29866 + int (* const split_extent_hook)(struct inode *inode,
29867 struct extent_state *orig, u64 split);
29868 - int (*write_cache_pages_lock_hook)(struct page *page);
29869 + int (* const write_cache_pages_lock_hook)(struct page *page);
29872 struct extent_io_tree {
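Review bot: `submit_bio_hook` is the only member of `struct extent_io_ops` in this hunk that does not receive the `const` qualifier given to every other hook. For consistency it should read `extent_submit_bio_hook_t * const submit_bio_hook;`. The two instances touched by this patch (`btree_extent_io_ops`, `btrfs_extent_io_ops`) are already declared `static const`, so the practical gain is that a future non-const instance could not have just this one hook reassigned at run time. If the member was left writable on purpose, a one-line comment saying so would prevent the question.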
29873 @@ -90,7 +90,7 @@ struct extent_io_tree {
29876 spinlock_t buffer_lock;
29877 - struct extent_io_ops *ops;
29878 + const struct extent_io_ops *ops;
29881 struct extent_state {
29882 diff -urNp linux-2.6.35.4/fs/btrfs/free-space-cache.c linux-2.6.35.4/fs/btrfs/free-space-cache.c
29883 --- linux-2.6.35.4/fs/btrfs/free-space-cache.c 2010-08-26 19:47:12.000000000 -0400
29884 +++ linux-2.6.35.4/fs/btrfs/free-space-cache.c 2010-09-17 20:12:09.000000000 -0400
29885 @@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
29888 if (entry->bytes < bytes || entry->offset < min_start) {
29889 - struct rb_node *node;
29891 node = rb_next(&entry->offset_index);
29894 @@ -1227,7 +1225,7 @@ again:
29896 while (entry->bitmap || found_bitmap ||
29897 (!entry->bitmap && entry->bytes < min_bytes)) {
29898 - struct rb_node *node = rb_next(&entry->offset_index);
29899 + node = rb_next(&entry->offset_index);
29901 if (entry->bitmap && entry->bytes > bytes + empty_size) {
29902 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
29903 diff -urNp linux-2.6.35.4/fs/btrfs/inode.c linux-2.6.35.4/fs/btrfs/inode.c
29904 --- linux-2.6.35.4/fs/btrfs/inode.c 2010-08-26 19:47:12.000000000 -0400
29905 +++ linux-2.6.35.4/fs/btrfs/inode.c 2010-09-17 20:12:09.000000000 -0400
29906 @@ -64,7 +64,7 @@ static const struct inode_operations btr
29907 static const struct address_space_operations btrfs_aops;
29908 static const struct address_space_operations btrfs_symlink_aops;
29909 static const struct file_operations btrfs_dir_file_operations;
29910 -static struct extent_io_ops btrfs_extent_io_ops;
29911 +static const struct extent_io_ops btrfs_extent_io_ops;
29913 static struct kmem_cache *btrfs_inode_cachep;
29914 struct kmem_cache *btrfs_trans_handle_cachep;
29915 @@ -6958,7 +6958,7 @@ static const struct file_operations btrf
29916 .fsync = btrfs_sync_file,
29919 -static struct extent_io_ops btrfs_extent_io_ops = {
29920 +static const struct extent_io_ops btrfs_extent_io_ops = {
29921 .fill_delalloc = run_delalloc_range,
29922 .submit_bio_hook = btrfs_submit_bio_hook,
29923 .merge_bio_hook = btrfs_merge_bio_hook,
29924 diff -urNp linux-2.6.35.4/fs/buffer.c linux-2.6.35.4/fs/buffer.c
29925 --- linux-2.6.35.4/fs/buffer.c 2010-08-26 19:47:12.000000000 -0400
29926 +++ linux-2.6.35.4/fs/buffer.c 2010-09-17 20:12:37.000000000 -0400
29928 #include <linux/percpu.h>
29929 #include <linux/slab.h>
29930 #include <linux/capability.h>
29931 +#include <linux/security.h>
29932 #include <linux/blkdev.h>
29933 #include <linux/file.h>
29934 #include <linux/quotaops.h>
29935 diff -urNp linux-2.6.35.4/fs/cachefiles/bind.c linux-2.6.35.4/fs/cachefiles/bind.c
29936 --- linux-2.6.35.4/fs/cachefiles/bind.c 2010-08-26 19:47:12.000000000 -0400
29937 +++ linux-2.6.35.4/fs/cachefiles/bind.c 2010-09-17 20:12:09.000000000 -0400
29938 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
29941 /* start by checking things over */
29942 - ASSERT(cache->fstop_percent >= 0 &&
29943 - cache->fstop_percent < cache->fcull_percent &&
29944 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
29945 cache->fcull_percent < cache->frun_percent &&
29946 cache->frun_percent < 100);
29948 - ASSERT(cache->bstop_percent >= 0 &&
29949 - cache->bstop_percent < cache->bcull_percent &&
29950 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
29951 cache->bcull_percent < cache->brun_percent &&
29952 cache->brun_percent < 100);
29954 diff -urNp linux-2.6.35.4/fs/cachefiles/daemon.c linux-2.6.35.4/fs/cachefiles/daemon.c
29955 --- linux-2.6.35.4/fs/cachefiles/daemon.c 2010-08-26 19:47:12.000000000 -0400
29956 +++ linux-2.6.35.4/fs/cachefiles/daemon.c 2010-09-17 20:12:09.000000000 -0400
29957 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
29961 - if (copy_to_user(_buffer, buffer, n) != 0)
29962 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
29966 @@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
29967 if (test_bit(CACHEFILES_DEAD, &cache->flags))
29970 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
29971 + if (datalen > PAGE_SIZE - 1)
29972 return -EOPNOTSUPP;
29974 /* drag the command string into the kernel so we can parse it */
29975 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
29976 if (args[0] != '%' || args[1] != '\0')
29979 - if (fstop < 0 || fstop >= cache->fcull_percent)
29980 + if (fstop >= cache->fcull_percent)
29981 return cachefiles_daemon_range_error(cache, args);
29983 cache->fstop_percent = fstop;
29984 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
29985 if (args[0] != '%' || args[1] != '\0')
29988 - if (bstop < 0 || bstop >= cache->bcull_percent)
29989 + if (bstop >= cache->bcull_percent)
29990 return cachefiles_daemon_range_error(cache, args);
29992 cache->bstop_percent = bstop;
29993 diff -urNp linux-2.6.35.4/fs/cachefiles/rdwr.c linux-2.6.35.4/fs/cachefiles/rdwr.c
29994 --- linux-2.6.35.4/fs/cachefiles/rdwr.c 2010-08-26 19:47:12.000000000 -0400
29995 +++ linux-2.6.35.4/fs/cachefiles/rdwr.c 2010-09-17 20:12:09.000000000 -0400
29996 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
29999 ret = file->f_op->write(
30000 - file, (const void __user *) data, len, &pos);
30001 + file, (__force const void __user *) data, len, &pos);
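Review bot: The added `__force` silences sparse's address-space check on the `(const void __user *) data` cast, but nothing at the call site says why passing a kernel buffer to `f_op->write` is safe here. `kernel_read` in fs/exec.c, touched by this same patch, carries such a comment ("The cast to a user pointer is valid due to the set_fs()"). I would add `/* kernel buffer passed as __user: valid only while set_fs(KERNEL_DS) is in effect */` above the call, assuming the call is bracketed that way, which this hunk does not show. The two `readlink` casts in fs/ecryptfs/inode.c get the same `__force` and would benefit from the same comment.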
30005 diff -urNp linux-2.6.35.4/fs/cifs/cifs_uniupr.h linux-2.6.35.4/fs/cifs/cifs_uniupr.h
30006 --- linux-2.6.35.4/fs/cifs/cifs_uniupr.h 2010-08-26 19:47:12.000000000 -0400
30007 +++ linux-2.6.35.4/fs/cifs/cifs_uniupr.h 2010-09-17 20:12:09.000000000 -0400
30008 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30009 {0x0490, 0x04cc, UniCaseRangeU0490},
30010 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30011 {0xff40, 0xff5a, UniCaseRangeUff40},
30017 diff -urNp linux-2.6.35.4/fs/cifs/link.c linux-2.6.35.4/fs/cifs/link.c
30018 --- linux-2.6.35.4/fs/cifs/link.c 2010-08-26 19:47:12.000000000 -0400
30019 +++ linux-2.6.35.4/fs/cifs/link.c 2010-09-17 20:12:09.000000000 -0400
30020 @@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
30022 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30024 - char *p = nd_get_link(nd);
30025 + const char *p = nd_get_link(nd);
30029 diff -urNp linux-2.6.35.4/fs/compat_binfmt_elf.c linux-2.6.35.4/fs/compat_binfmt_elf.c
30030 --- linux-2.6.35.4/fs/compat_binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
30031 +++ linux-2.6.35.4/fs/compat_binfmt_elf.c 2010-09-17 20:12:09.000000000 -0400
30032 @@ -30,11 +30,13 @@
30038 #define elfhdr elf32_hdr
30039 #define elf_phdr elf32_phdr
30040 #define elf_shdr elf32_shdr
30041 #define elf_note elf32_note
30042 +#define elf_dyn Elf32_Dyn
30043 #define elf_addr_t Elf32_Addr
30046 diff -urNp linux-2.6.35.4/fs/compat.c linux-2.6.35.4/fs/compat.c
30047 --- linux-2.6.35.4/fs/compat.c 2010-08-26 19:47:12.000000000 -0400
30048 +++ linux-2.6.35.4/fs/compat.c 2010-09-17 20:12:37.000000000 -0400
30049 @@ -1433,14 +1433,12 @@ static int compat_copy_strings(int argc,
30050 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
30053 -#ifdef CONFIG_STACK_GROWSUP
30054 ret = expand_stack_downwards(bprm->vma, pos);
30056 /* We've exceed the stack rlimit. */
30061 ret = get_user_pages(current, bprm->mm, pos,
30062 1, 1, 1, &page, NULL);
30064 @@ -1486,6 +1484,11 @@ int compat_do_execve(char * filename,
30065 compat_uptr_t __user *envp,
30066 struct pt_regs * regs)
30068 +#ifdef CONFIG_GRKERNSEC
30069 + struct file *old_exec_file;
30070 + struct acl_subject_label *old_acl;
30071 + struct rlimit old_rlim[RLIM_NLIMITS];
30073 struct linux_binprm *bprm;
30075 struct files_struct *displaced;
30076 @@ -1522,6 +1525,14 @@ int compat_do_execve(char * filename,
30077 bprm->filename = filename;
30078 bprm->interp = filename;
30080 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30081 + retval = -EAGAIN;
30082 + if (gr_handle_nproc())
30084 + retval = -EACCES;
30085 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30088 retval = bprm_mm_init(bprm);
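Review bot: The two gr checks added here assign `retval` before each `if`, while the matching hunk in do_execve (fs/exec.c) sets it inside a braced body, `if (gr_handle_nproc()) { retval = -EAGAIN; ... }`. These are parallel functions and should read the same; the braced form keeps each error code next to the exit it belongs to and cannot leak a stale `-EACCES` into later code. The jump lines are missing from this extract, so the exit labels cannot be checked here, and compat_do_execve continues outside the hunk.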
30091 @@ -1551,9 +1562,40 @@ int compat_do_execve(char * filename,
30095 + if (!gr_tpe_allow(file)) {
30096 + retval = -EACCES;
30100 + if (gr_check_crash_exec(file)) {
30101 + retval = -EACCES;
30105 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30107 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
30109 +#ifdef CONFIG_GRKERNSEC
30110 + old_acl = current->acl;
30111 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30112 + old_exec_file = current->exec_file;
30114 + current->exec_file = file;
30117 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30118 + bprm->unsafe & LSM_UNSAFE_SHARE);
30122 retval = search_binary_handler(bprm, regs);
30126 +#ifdef CONFIG_GRKERNSEC
30127 + if (old_exec_file)
30128 + fput(old_exec_file);
30131 /* execve succeeded */
30132 current->fs->in_exec = 0;
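Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` is taken with no lock visible in this hunk, and the following hunk copies it back the same way on the failure path. If `signal->rlim` is shared by the thread group and written under `task_lock(current->group_leader)`, as in mainline setrlimit, a limit changed by another thread between the save and a failed exec would be silently undone, and the copy itself could be torn. Taking `task_lock(current->group_leader);` before and `task_unlock(current->group_leader);` after each memcpy would close that window. The same save/restore pair is added to do_execve in fs/exec.c. Several lines (labels and gotos) are missing from this extract, and compat_do_execve continues outside the hunk.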
30133 @@ -1564,6 +1606,14 @@ int compat_do_execve(char * filename,
30134 put_files_struct(displaced);
30138 +#ifdef CONFIG_GRKERNSEC
30139 + current->acl = old_acl;
30140 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30141 + fput(current->exec_file);
30142 + current->exec_file = old_exec_file;
30148 diff -urNp linux-2.6.35.4/fs/debugfs/inode.c linux-2.6.35.4/fs/debugfs/inode.c
30149 --- linux-2.6.35.4/fs/debugfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30150 +++ linux-2.6.35.4/fs/debugfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30151 @@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
30153 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30155 - static struct tree_descr debug_files[] = {{""}};
30156 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30158 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30160 diff -urNp linux-2.6.35.4/fs/dlm/lockspace.c linux-2.6.35.4/fs/dlm/lockspace.c
30161 --- linux-2.6.35.4/fs/dlm/lockspace.c 2010-08-26 19:47:12.000000000 -0400
30162 +++ linux-2.6.35.4/fs/dlm/lockspace.c 2010-09-17 20:12:09.000000000 -0400
30163 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30167 -static struct kset_uevent_ops dlm_uevent_ops = {
30168 +static const struct kset_uevent_ops dlm_uevent_ops = {
30169 .uevent = dlm_uevent,
30172 diff -urNp linux-2.6.35.4/fs/ecryptfs/inode.c linux-2.6.35.4/fs/ecryptfs/inode.c
30173 --- linux-2.6.35.4/fs/ecryptfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30174 +++ linux-2.6.35.4/fs/ecryptfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30175 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
30178 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30179 - (char __user *)lower_buf,
30180 + (__force char __user *)lower_buf,
30184 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
30188 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30189 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30193 @@ -719,7 +719,7 @@ out:
30195 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30197 - char *buf = nd_get_link(nd);
30198 + const char *buf = nd_get_link(nd);
30199 if (!IS_ERR(buf)) {
30200 /* Free the char* */
30202 diff -urNp linux-2.6.35.4/fs/ecryptfs/miscdev.c linux-2.6.35.4/fs/ecryptfs/miscdev.c
30203 --- linux-2.6.35.4/fs/ecryptfs/miscdev.c 2010-08-26 19:47:12.000000000 -0400
30204 +++ linux-2.6.35.4/fs/ecryptfs/miscdev.c 2010-09-17 20:12:09.000000000 -0400
30205 @@ -328,7 +328,7 @@ check_list:
30206 goto out_unlock_msg_ctx;
30208 if (msg_ctx->msg) {
30209 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30210 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30211 goto out_unlock_msg_ctx;
30212 i += packet_length_size;
30213 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
30214 diff -urNp linux-2.6.35.4/fs/exec.c linux-2.6.35.4/fs/exec.c
30215 --- linux-2.6.35.4/fs/exec.c 2010-08-26 19:47:12.000000000 -0400
30216 +++ linux-2.6.35.4/fs/exec.c 2010-09-17 20:12:37.000000000 -0400
30217 @@ -55,12 +55,24 @@
30218 #include <linux/fsnotify.h>
30219 #include <linux/fs_struct.h>
30220 #include <linux/pipe_fs_i.h>
30221 +#include <linux/random.h>
30222 +#include <linux/seq_file.h>
30224 +#ifdef CONFIG_PAX_REFCOUNT
30225 +#include <linux/kallsyms.h>
30226 +#include <linux/kdebug.h>
30229 #include <asm/uaccess.h>
30230 #include <asm/mmu_context.h>
30231 #include <asm/tlb.h>
30232 #include "internal.h"
30234 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30235 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30236 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30240 char core_pattern[CORENAME_MAX_SIZE] = "core";
30241 unsigned int core_pipe_limit;
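Review bot: `pax_set_initial_flags_func` is added as a writable, exported function pointer with no comment saying who may assign it, when, or whether callers must test it for NULL before calling. Elsewhere this patch makes ops tables and their hooks `const`, so a global hook on the exec path that any module can overwrite at run time stands out and should at least be documented. I would add something like `/* optional hook, presumably set once by the ACL system to choose initial PaX flags; NULL when unset, so callers must check */`, with the wording adjusted to the real contract. If it is only assigned during init, marking it read-only after init would match the rest of the patch.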
30242 @@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30245 file = do_filp_open(AT_FDCWD, tmp,
30246 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30247 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30248 MAY_READ | MAY_EXEC | MAY_OPEN);
30250 error = PTR_ERR(file);
30251 @@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
30257 -#ifdef CONFIG_STACK_GROWSUP
30259 - ret = expand_stack_downwards(bprm->vma, pos);
30264 - ret = get_user_pages(current, bprm->mm, pos,
30265 - 1, write, 1, &page, NULL);
30267 + if (0 > expand_stack_downwards(bprm->vma, pos))
30269 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
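Review bot: The two added tests put the constant first (`if (0 > expand_stack_downwards(...))`, `if (0 >= get_user_pages(...))`), which is not how the rest of this file or the parallel code in fs/compat.c is written. The usual form is `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)`. The hunk also drops the `CONFIG_STACK_GROWSUP` guard, so the expand call is now unconditional; a short comment saying that this is intended would help. get_arg_page starts and ends outside the hunk, and the statements under each `if` are missing from this extract.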
30273 @@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
30274 vma->vm_end = STACK_TOP_MAX;
30275 vma->vm_start = vma->vm_end - PAGE_SIZE;
30276 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30278 +#ifdef CONFIG_PAX_SEGMEXEC
30279 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30282 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30283 INIT_LIST_HEAD(&vma->anon_vma_chain);
30284 err = insert_vm_struct(mm, vma);
30285 @@ -255,6 +264,12 @@ static int __bprm_mm_init(struct linux_b
30286 mm->stack_vm = mm->total_vm = 1;
30287 up_write(&mm->mmap_sem);
30288 bprm->p = vma->vm_end - sizeof(void *);
30290 +#ifdef CONFIG_PAX_RANDUSTACK
30291 + if (randomize_va_space)
30292 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30297 up_write(&mm->mmap_sem);
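Review bot: The mask expression in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` is not explained, and its correctness depends on two facts set a few lines earlier (the vma is exactly one page and `bprm->p` is `vm_end - sizeof(void *)`). I would add `/* flip bits 4..PAGE_SHIFT-1 only: p stays inside the single stack page and its low four bits are left unchanged */` above it. That also makes explicit how little entropy this step contributes, which matters when someone later changes the page size or the initial vma size. __bprm_mm_init starts and ends outside the hunk.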
30298 @@ -476,7 +491,7 @@ int copy_strings_kernel(int argc,char **
30300 mm_segment_t oldfs = get_fs();
30302 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
30303 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
30307 @@ -506,7 +521,8 @@ static int shift_arg_pages(struct vm_are
30308 unsigned long new_end = old_end - shift;
30309 struct mmu_gather *tlb;
30311 - BUG_ON(new_start > new_end);
30312 + if (new_start >= new_end || new_start < mmap_min_addr)
30316 * ensure there are no vmas between where we want to go
30317 @@ -515,6 +531,10 @@ static int shift_arg_pages(struct vm_are
30318 if (vma != find_vma(mm, new_start))
30321 +#ifdef CONFIG_PAX_SEGMEXEC
30322 + BUG_ON(pax_find_mirror_vma(vma));
30326 * cover the whole range: [new_start, old_end)
30328 @@ -605,8 +625,28 @@ int setup_arg_pages(struct linux_binprm
30329 bprm->exec -= stack_shift;
30331 down_write(&mm->mmap_sem);
30333 + /* Move stack pages down in memory. */
30334 + if (stack_shift) {
30335 + ret = shift_arg_pages(vma, stack_shift);
30340 vm_flags = VM_STACK_FLAGS;
30342 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30343 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30344 + vm_flags &= ~VM_EXEC;
30346 +#ifdef CONFIG_PAX_MPROTECT
30347 + if (mm->pax_flags & MF_PAX_MPROTECT)
30348 + vm_flags &= ~VM_MAYEXEC;
30355 * Adjust stack execute permissions; explicitly enable for
30356 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30357 @@ -625,13 +665,6 @@ int setup_arg_pages(struct linux_binprm
30359 BUG_ON(prev != vma);
30361 - /* Move stack pages down in memory. */
30362 - if (stack_shift) {
30363 - ret = shift_arg_pages(vma, stack_shift);
30368 /* mprotect_fixup is overkill to remove the temporary stack flags */
30369 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30371 @@ -671,7 +704,7 @@ struct file *open_exec(const char *name)
30374 file = do_filp_open(AT_FDCWD, name,
30375 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30376 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30377 MAY_EXEC | MAY_OPEN);
30380 @@ -708,7 +741,7 @@ int kernel_read(struct file *file, loff_
30383 /* The cast to a user pointer is valid due to the set_fs() */
30384 - result = vfs_read(file, (void __user *)addr, count, &pos);
30385 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30389 @@ -1125,7 +1158,7 @@ int check_unsafe_exec(struct linux_binpr
30393 - if (p->fs->users > n_fs) {
30394 + if (atomic_read(&p->fs->users) > n_fs) {
30395 bprm->unsafe |= LSM_UNSAFE_SHARE;
30398 @@ -1321,6 +1354,11 @@ int do_execve(char * filename,
30399 char __user *__user *envp,
30400 struct pt_regs * regs)
30402 +#ifdef CONFIG_GRKERNSEC
30403 + struct file *old_exec_file;
30404 + struct acl_subject_label *old_acl;
30405 + struct rlimit old_rlim[RLIM_NLIMITS];
30407 struct linux_binprm *bprm;
30409 struct files_struct *displaced;
30410 @@ -1357,6 +1395,18 @@ int do_execve(char * filename,
30411 bprm->filename = filename;
30412 bprm->interp = filename;
30414 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30416 + if (gr_handle_nproc()) {
30417 + retval = -EAGAIN;
30421 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30422 + retval = -EACCES;
30426 retval = bprm_mm_init(bprm);
30429 @@ -1386,10 +1436,41 @@ int do_execve(char * filename,
30433 + if (!gr_tpe_allow(file)) {
30434 + retval = -EACCES;
30438 + if (gr_check_crash_exec(file)) {
30439 + retval = -EACCES;
30443 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30445 + gr_handle_exec_args(bprm, argv);
30447 +#ifdef CONFIG_GRKERNSEC
30448 + old_acl = current->acl;
30449 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30450 + old_exec_file = current->exec_file;
30452 + current->exec_file = file;
30455 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30456 + bprm->unsafe & LSM_UNSAFE_SHARE);
30460 current->flags &= ~PF_KTHREAD;
30461 retval = search_binary_handler(bprm,regs);
30465 +#ifdef CONFIG_GRKERNSEC
30466 + if (old_exec_file)
30467 + fput(old_exec_file);
30470 /* execve succeeded */
30471 current->fs->in_exec = 0;
30472 @@ -1400,6 +1481,14 @@ int do_execve(char * filename,
30473 put_files_struct(displaced);
30477 +#ifdef CONFIG_GRKERNSEC
30478 + current->acl = old_acl;
30479 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30480 + fput(current->exec_file);
30481 + current->exec_file = old_exec_file;
30487 @@ -1563,6 +1652,225 @@ out:
30491 +int pax_check_flags(unsigned long *flags)
30495 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30496 + if (*flags & MF_PAX_SEGMEXEC)
30498 + *flags &= ~MF_PAX_SEGMEXEC;
30499 + retval = -EINVAL;
30503 + if ((*flags & MF_PAX_PAGEEXEC)
30505 +#ifdef CONFIG_PAX_PAGEEXEC
30506 + && (*flags & MF_PAX_SEGMEXEC)
30511 + *flags &= ~MF_PAX_PAGEEXEC;
30512 + retval = -EINVAL;
30515 + if ((*flags & MF_PAX_MPROTECT)
30517 +#ifdef CONFIG_PAX_MPROTECT
30518 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30523 + *flags &= ~MF_PAX_MPROTECT;
30524 + retval = -EINVAL;
30527 + if ((*flags & MF_PAX_EMUTRAMP)
30529 +#ifdef CONFIG_PAX_EMUTRAMP
30530 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30535 + *flags &= ~MF_PAX_EMUTRAMP;
30536 + retval = -EINVAL;
30542 +EXPORT_SYMBOL(pax_check_flags);
30544 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30545 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30547 + struct task_struct *tsk = current;
30548 + struct mm_struct *mm = current->mm;
30549 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30550 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30551 + char *path_exec = NULL;
30552 + char *path_fault = NULL;
30553 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
30555 + if (buffer_exec && buffer_fault) {
30556 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30558 + down_read(&mm->mmap_sem);
30560 + while (vma && (!vma_exec || !vma_fault)) {
30561 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30563 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30565 + vma = vma->vm_next;
30568 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30569 + if (IS_ERR(path_exec))
30570 + path_exec = "<path too long>";
30572 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30575 + path_exec = buffer_exec;
30577 + path_exec = "<path too long>";
30581 + start = vma_fault->vm_start;
30582 + end = vma_fault->vm_end;
30583 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30584 + if (vma_fault->vm_file) {
30585 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30586 + if (IS_ERR(path_fault))
30587 + path_fault = "<path too long>";
30589 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30590 + if (path_fault) {
30592 + path_fault = buffer_fault;
30594 + path_fault = "<path too long>";
30597 + path_fault = "<anonymous mapping>";
30599 + up_read(&mm->mmap_sem);
30601 + if (tsk->signal->curr_ip)
30602 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30604 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30605 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30606 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30607 + task_uid(tsk), task_euid(tsk), pc, sp);
30608 + free_page((unsigned long)buffer_exec);
30609 + free_page((unsigned long)buffer_fault);
30610 + pax_report_insns(pc, sp);
30611 + do_coredump(SIGKILL, SIGKILL, regs);
30615 +#ifdef CONFIG_PAX_REFCOUNT
30616 +void pax_report_refcount_overflow(struct pt_regs *regs)
30618 + if (current->signal->curr_ip)
30619 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30620 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
30622 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30623 + current->comm, task_pid_nr(current), current_uid(), current_euid());
30624 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
30626 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
30630 +#ifdef CONFIG_PAX_USERCOPY
30631 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30632 +struct stack_frame {
30633 + struct stack_frame *next_frame;
30634 + unsigned long return_address;
30638 +/* 0: not at all, 1: fully, 2: fully inside frame,
30639 + -1: partially (implies an error) */
30641 +int object_is_on_stack(const void *obj, unsigned long len)
30643 + const void *stack = task_stack_page(current);
30644 + const void *stackend = stack + THREAD_SIZE;
30646 + if (obj + len < obj)
30649 + if (stack <= obj && obj + len <= stackend) {
30650 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30651 + void *frame = __builtin_frame_address(2);
30652 + void *oldframe = __builtin_frame_address(1);
30654 + bottom ----------------------------------------------> top
30655 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
30656 + ^----------------^
30657 + allow copies only within here
30660 + /* if obj + len extends past the last frame, this
30661 + check won't pass and the next frame will be 0,
30662 + causing us to bail out and correctly report
30663 + the copy as invalid
30665 + if (obj + len <= frame) {
30666 + if (obj >= (oldframe + (2 * sizeof(void *))))
30671 + oldframe = frame;
30672 + frame = ((struct stack_frame *)frame)->next_frame;
30680 + if (obj + len <= stack || stackend <= obj)
30687 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
30689 + if (current->signal->curr_ip)
30690 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
30691 + ¤t->signal->curr_ip, ptr, len);
30693 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
30695 + do_group_exit(SIGKILL);
30698 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
30700 + if (current->signal->curr_ip)
30701 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
30702 + ¤t->signal->curr_ip, ptr, len);
30704 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
30706 + do_group_exit(SIGKILL);
30710 static int zap_process(struct task_struct *start, int exit_code)
30712 struct task_struct *t;
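Review bot: `tsk->comm` is printed unescaped in the "PAX: terminating task" message of pax_report_fault, although the executable path in the same printk is first passed through `mangle_path(..., "\t\n\\")`; pax_report_refcount_overflow prints `current->comm` raw as well. A task can choose its own comm, so control characters in it could break up these records and mislead anything that parses the log for PaX events. Replacing non-printable bytes in a local copy of comm before printing would keep each report on one line. If it is left as is, add `/* comm is task-controlled and not escaped: consumers must not rely on line shape */` next to the printk. Several lines of this hunk are missing from the extract, and it ends in the context of zap_process.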
30713 @@ -1773,17 +2081,17 @@ static void wait_for_dump_helpers(struct
30714 pipe = file->f_path.dentry->d_inode->i_pipe;
30719 + atomic_inc(&pipe->readers);
30720 + atomic_dec(&pipe->writers);
30722 - while ((pipe->readers > 1) && (!signal_pending(current))) {
30723 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
30724 wake_up_interruptible_sync(&pipe->wait);
30725 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30731 + atomic_dec(&pipe->readers);
30732 + atomic_inc(&pipe->writers);
30736 @@ -1891,6 +2199,10 @@ void do_coredump(long signr, int exit_co
30738 clear_thread_flag(TIF_SIGPENDING);
30740 + if (signr == SIGKILL || signr == SIGILL)
30741 + gr_handle_brute_attach(current);
30742 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
30745 * lock_kernel() because format_corename() is controlled by sysctl, which
30746 * uses lock_kernel()
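Review bot: `gr_handle_brute_attach(current)` is placed after `clear_thread_flag(TIF_SIGPENDING)`, so any earlier bail-out in do_coredump (none is visible in this hunk) would skip the brute-force accounting for that crash. If the hook is meant to count SIGKILL/SIGILL deaths whether or not a core file is written, it probably belongs before the first early exit; this should be confirmed against the full function. The unbraced `if` also covers only the first call, with `gr_learn_resource(...)` running unconditionally; braces or a blank line between the two would make that clear. do_coredump starts and ends outside the hunk.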
30747 diff -urNp linux-2.6.35.4/fs/ext2/balloc.c linux-2.6.35.4/fs/ext2/balloc.c
30748 --- linux-2.6.35.4/fs/ext2/balloc.c 2010-08-26 19:47:12.000000000 -0400
30749 +++ linux-2.6.35.4/fs/ext2/balloc.c 2010-09-17 20:12:37.000000000 -0400
30750 @@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
30752 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30753 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30754 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30755 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30756 sbi->s_resuid != current_fsuid() &&
30757 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30759 diff -urNp linux-2.6.35.4/fs/ext2/xattr.c linux-2.6.35.4/fs/ext2/xattr.c
30760 --- linux-2.6.35.4/fs/ext2/xattr.c 2010-08-26 19:47:12.000000000 -0400
30761 +++ linux-2.6.35.4/fs/ext2/xattr.c 2010-09-17 20:12:09.000000000 -0400
30766 -# define ea_idebug(f...)
30767 -# define ea_bdebug(f...)
30768 +# define ea_idebug(inode, f...) do {} while (0)
30769 +# define ea_bdebug(bh, f...) do {} while (0)
30772 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
30773 diff -urNp linux-2.6.35.4/fs/ext3/balloc.c linux-2.6.35.4/fs/ext3/balloc.c
30774 --- linux-2.6.35.4/fs/ext3/balloc.c 2010-08-26 19:47:12.000000000 -0400
30775 +++ linux-2.6.35.4/fs/ext3/balloc.c 2010-09-17 20:12:37.000000000 -0400
30776 @@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
30778 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30779 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30780 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30781 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30782 sbi->s_resuid != current_fsuid() &&
30783 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30785 diff -urNp linux-2.6.35.4/fs/ext3/namei.c linux-2.6.35.4/fs/ext3/namei.c
30786 --- linux-2.6.35.4/fs/ext3/namei.c 2010-08-26 19:47:12.000000000 -0400
30787 +++ linux-2.6.35.4/fs/ext3/namei.c 2010-09-17 20:12:09.000000000 -0400
30788 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
30789 char *data1 = (*bh)->b_data, *data2;
30790 unsigned split, move, size;
30791 struct ext3_dir_entry_2 *de = NULL, *de2;
30795 bh2 = ext3_append (handle, dir, &newblock, &err);
30797 diff -urNp linux-2.6.35.4/fs/ext3/xattr.c linux-2.6.35.4/fs/ext3/xattr.c
30798 --- linux-2.6.35.4/fs/ext3/xattr.c 2010-08-26 19:47:12.000000000 -0400
30799 +++ linux-2.6.35.4/fs/ext3/xattr.c 2010-09-17 20:12:09.000000000 -0400
30804 -# define ea_idebug(f...)
30805 -# define ea_bdebug(f...)
30806 +# define ea_idebug(f...) do {} while (0)
30807 +# define ea_bdebug(f...) do {} while (0)
30810 static void ext3_xattr_cache_insert(struct buffer_head *);
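Review bot: The stub macros here keep the `(f...)` parameter list, whereas the matching ext2 and ext4 hunks in this patch switch to `ea_idebug(inode, f...)` and `ea_bdebug(bh, f...)`. If the debug-enabled definitions in this file take a leading inode/bh argument (not visible in the hunk), the stubs should mirror them: `# define ea_idebug(inode, f...) do {} while (0)` and `# define ea_bdebug(bh, f...) do {} while (0)`.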
30811 diff -urNp linux-2.6.35.4/fs/ext4/balloc.c linux-2.6.35.4/fs/ext4/balloc.c
30812 --- linux-2.6.35.4/fs/ext4/balloc.c 2010-08-26 19:47:12.000000000 -0400
30813 +++ linux-2.6.35.4/fs/ext4/balloc.c 2010-09-17 20:12:37.000000000 -0400
30814 @@ -522,7 +522,7 @@ int ext4_has_free_blocks(struct ext4_sb_
30815 /* Hm, nope. Are (enough) root reserved blocks available? */
30816 if (sbi->s_resuid == current_fsuid() ||
30817 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
30818 - capable(CAP_SYS_RESOURCE)) {
30819 + capable_nolog(CAP_SYS_RESOURCE)) {
30820 if (free_blocks >= (nblocks + dirty_blocks))
30823 diff -urNp linux-2.6.35.4/fs/ext4/namei.c linux-2.6.35.4/fs/ext4/namei.c
30824 --- linux-2.6.35.4/fs/ext4/namei.c 2010-08-26 19:47:12.000000000 -0400
30825 +++ linux-2.6.35.4/fs/ext4/namei.c 2010-09-17 20:12:09.000000000 -0400
30826 @@ -1197,7 +1197,7 @@ static struct ext4_dir_entry_2 *do_split
30827 char *data1 = (*bh)->b_data, *data2;
30828 unsigned split, move, size;
30829 struct ext4_dir_entry_2 *de = NULL, *de2;
30833 bh2 = ext4_append (handle, dir, &newblock, &err);
30835 diff -urNp linux-2.6.35.4/fs/ext4/xattr.c linux-2.6.35.4/fs/ext4/xattr.c
30836 --- linux-2.6.35.4/fs/ext4/xattr.c 2010-08-26 19:47:12.000000000 -0400
30837 +++ linux-2.6.35.4/fs/ext4/xattr.c 2010-09-17 20:12:09.000000000 -0400
30842 -# define ea_idebug(f...)
30843 -# define ea_bdebug(f...)
30844 +# define ea_idebug(inode, f...) do {} while (0)
30845 +# define ea_bdebug(bh, f...) do {} while (0)
30848 static void ext4_xattr_cache_insert(struct buffer_head *);
30849 diff -urNp linux-2.6.35.4/fs/fcntl.c linux-2.6.35.4/fs/fcntl.c
30850 --- linux-2.6.35.4/fs/fcntl.c 2010-08-26 19:47:12.000000000 -0400
30851 +++ linux-2.6.35.4/fs/fcntl.c 2010-09-17 20:12:37.000000000 -0400
30852 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
30856 + if (gr_handle_chroot_fowner(pid, type))
30858 + if (gr_check_protected_task_fowner(pid, type))
30861 f_modown(filp, pid, type, force);
30864 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
30867 case F_DUPFD_CLOEXEC:
30868 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
30869 if (arg >= rlimit(RLIMIT_NOFILE))
30871 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
30872 diff -urNp linux-2.6.35.4/fs/fifo.c linux-2.6.35.4/fs/fifo.c
30873 --- linux-2.6.35.4/fs/fifo.c 2010-08-26 19:47:12.000000000 -0400
30874 +++ linux-2.6.35.4/fs/fifo.c 2010-09-17 20:12:09.000000000 -0400
30875 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
30877 filp->f_op = &read_pipefifo_fops;
30879 - if (pipe->readers++ == 0)
30880 + if (atomic_inc_return(&pipe->readers) == 1)
30881 wake_up_partner(inode);
30883 - if (!pipe->writers) {
30884 + if (!atomic_read(&pipe->writers)) {
30885 if ((filp->f_flags & O_NONBLOCK)) {
30886 /* suppress POLLHUP until we have
30888 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
30889 * errno=ENXIO when there is no process reading the FIFO.
30892 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
30893 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
30896 filp->f_op = &write_pipefifo_fops;
30898 - if (!pipe->writers++)
30899 + if (atomic_inc_return(&pipe->writers) == 1)
30900 wake_up_partner(inode);
30902 - if (!pipe->readers) {
30903 + if (!atomic_read(&pipe->readers)) {
30904 wait_for_partner(inode, &pipe->r_counter);
30905 if (signal_pending(current))
30907 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
30909 filp->f_op = &rdwr_pipefifo_fops;
30913 + atomic_inc(&pipe->readers);
30914 + atomic_inc(&pipe->writers);
30917 - if (pipe->readers == 1 || pipe->writers == 1)
30918 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
30919 wake_up_partner(inode);
30922 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
30926 - if (!--pipe->readers)
30927 + if (atomic_dec_and_test(&pipe->readers))
30928 wake_up_interruptible(&pipe->wait);
30929 ret = -ERESTARTSYS;
30933 - if (!--pipe->writers)
30934 + if (atomic_dec_and_test(&pipe->writers))
30935 wake_up_interruptible(&pipe->wait);
30936 ret = -ERESTARTSYS;
30940 - if (!pipe->readers && !pipe->writers)
30941 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
30942 free_pipe_info(inode);
30945 diff -urNp linux-2.6.35.4/fs/file.c linux-2.6.35.4/fs/file.c
30946 --- linux-2.6.35.4/fs/file.c 2010-08-26 19:47:12.000000000 -0400
30947 +++ linux-2.6.35.4/fs/file.c 2010-09-17 20:12:37.000000000 -0400
30949 #include <linux/slab.h>
30950 #include <linux/vmalloc.h>
30951 #include <linux/file.h>
30952 +#include <linux/security.h>
30953 #include <linux/fdtable.h>
30954 #include <linux/bitops.h>
30955 #include <linux/interrupt.h>
30956 @@ -257,6 +258,7 @@ int expand_files(struct files_struct *fi
30957 * N.B. For clone tasks sharing a files structure, this test
30958 * will limit the total number of files that can be opened.
30960 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
30961 if (nr >= rlimit(RLIMIT_NOFILE))
30964 diff -urNp linux-2.6.35.4/fs/fs_struct.c linux-2.6.35.4/fs/fs_struct.c
30965 --- linux-2.6.35.4/fs/fs_struct.c 2010-08-26 19:47:12.000000000 -0400
30966 +++ linux-2.6.35.4/fs/fs_struct.c 2010-09-17 20:12:37.000000000 -0400
30968 #include <linux/slab.h>
30969 #include <linux/fs_struct.h>
30970 #include <linux/vserver/global.h>
30971 +#include <linux/grsecurity.h>
30974 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
30975 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
30976 old_root = fs->root;
30979 + gr_set_chroot_entries(current, path);
30980 write_unlock(&fs->lock);
30981 if (old_root.dentry)
30982 path_put(&old_root);
30983 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
30984 && fs->root.mnt == old_root->mnt) {
30985 path_get(new_root);
30986 fs->root = *new_root;
30987 + gr_set_chroot_entries(p, new_root);
30990 if (fs->pwd.dentry == old_root->dentry
30991 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
30993 write_lock(&fs->lock);
30995 - kill = !--fs->users;
30996 + gr_clear_chroot_entries(tsk);
30997 + kill = !atomic_dec_return(&fs->users);
30998 write_unlock(&fs->lock);
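Review bot: `kill = !atomic_dec_return(&fs->users);` in exit_fs spells out by hand what `atomic_dec_and_test()` already returns, and the fifo.c hunks in this same patch use `atomic_dec_and_test()` for the identical drop-to-zero pattern. I would write `kill = atomic_dec_and_test(&fs->users);` here and in the unshare_fs_struct and daemonize_fs_struct hunks below. The function body starts and ends outside the hunk.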
31001 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
31002 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31003 /* We don't need to lock fs - think why ;-) */
31006 + atomic_set(&fs->users, 1);
31008 rwlock_init(&fs->lock);
31009 fs->umask = old->umask;
31010 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
31012 task_lock(current);
31013 write_lock(&fs->lock);
31014 - kill = !--fs->users;
31015 + kill = !atomic_dec_return(&fs->users);
31016 current->fs = new_fs;
31017 + gr_set_chroot_entries(current, &new_fs->root);
31018 write_unlock(&fs->lock);
31019 task_unlock(current);
31021 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
31023 /* to be mentioned only in INIT_TASK */
31024 struct fs_struct init_fs = {
31026 + .users = ATOMIC_INIT(1),
31027 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
31030 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
31031 task_lock(current);
31033 write_lock(&init_fs.lock);
31035 + atomic_inc(&init_fs.users);
31036 write_unlock(&init_fs.lock);
31038 write_lock(&fs->lock);
31039 current->fs = &init_fs;
31040 - kill = !--fs->users;
31041 + gr_set_chroot_entries(current, ¤t->fs->root);
31042 + kill = !atomic_dec_return(&fs->users);
31043 write_unlock(&fs->lock);
31045 task_unlock(current);
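Review bot: `gr_set_chroot_entries()` is handed the root of the fs_struct just installed (`init_fs`) after `init_fs.lock` was released a few lines above; only the old `fs->lock` is held at this point. Whether the helper needs `init_fs.root` to be stable is not visible here, so either make the call inside the `init_fs.lock` section or, if the code relies on that root never changing, say so in a comment such as `/* init_fs.root is never replaced; safe to read without init_fs.lock */`. As rendered on this page the argument reads `¤t->fs->root`, which looks like a mis-decoded `&current->fs->root`.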
31046 diff -urNp linux-2.6.35.4/fs/fuse/control.c linux-2.6.35.4/fs/fuse/control.c
31047 --- linux-2.6.35.4/fs/fuse/control.c 2010-08-26 19:47:12.000000000 -0400
31048 +++ linux-2.6.35.4/fs/fuse/control.c 2010-09-17 20:12:09.000000000 -0400
31049 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31051 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31053 - struct tree_descr empty_descr = {""};
31054 + struct tree_descr empty_descr = {"", NULL, 0};
31055 struct fuse_conn *fc;
31058 diff -urNp linux-2.6.35.4/fs/fuse/cuse.c linux-2.6.35.4/fs/fuse/cuse.c
31059 --- linux-2.6.35.4/fs/fuse/cuse.c 2010-08-26 19:47:12.000000000 -0400
31060 +++ linux-2.6.35.4/fs/fuse/cuse.c 2010-09-17 20:12:09.000000000 -0400
31061 @@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
31065 -static struct file_operations cuse_channel_fops; /* initialized during init */
31067 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31068 + .owner = THIS_MODULE,
31069 + .llseek = no_llseek,
31070 + .read = do_sync_read,
31071 + .aio_read = fuse_dev_read,
31072 + .write = do_sync_write,
31073 + .aio_write = fuse_dev_write,
31074 + .poll = fuse_dev_poll,
31075 + .open = cuse_channel_open,
31076 + .release = cuse_channel_release,
31077 + .fasync = fuse_dev_fasync,
31080 /**************************************************************************
31081 * Misc stuff and module initializatiion
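Review bot: The hand-written `cuse_channel_fops` table replaces a wholesale copy of `fuse_dev_operations`, so any member of that table not repeated here is silently dropped. `.splice_read` and `.splice_write` are not listed, although `fuse_dev_splice_read()` and `fuse_dev_splice_write()` appear in the dev.c hunks of this patch. If `fuse_dev_operations` sets them (its full initializer is not visible here), CUSE channels lose splice support with this change. The retained comment `/* initialized during init */` is also stale now that the table is a static const initializer; `/* keep in sync with fuse_dev_operations in dev.c */` would describe the new maintenance obligation.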
31082 @@ -576,12 +586,6 @@ static int __init cuse_init(void)
31083 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31084 INIT_LIST_HEAD(&cuse_conntbl[i]);
31086 - /* inherit and extend fuse_dev_operations */
31087 - cuse_channel_fops = fuse_dev_operations;
31088 - cuse_channel_fops.owner = THIS_MODULE;
31089 - cuse_channel_fops.open = cuse_channel_open;
31090 - cuse_channel_fops.release = cuse_channel_release;
31092 cuse_class = class_create(THIS_MODULE, "cuse");
31093 if (IS_ERR(cuse_class))
31094 return PTR_ERR(cuse_class);
31095 diff -urNp linux-2.6.35.4/fs/fuse/dev.c linux-2.6.35.4/fs/fuse/dev.c
31096 --- linux-2.6.35.4/fs/fuse/dev.c 2010-08-26 19:47:12.000000000 -0400
31097 +++ linux-2.6.35.4/fs/fuse/dev.c 2010-09-17 20:12:09.000000000 -0400
31098 @@ -1031,7 +1031,7 @@ static ssize_t fuse_dev_do_read(struct f
31102 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31103 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31104 unsigned long nr_segs, loff_t pos)
31106 struct fuse_copy_state cs;
31107 @@ -1045,6 +1045,8 @@ static ssize_t fuse_dev_read(struct kioc
31108 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31111 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31113 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31114 struct pipe_buffer *buf)
31116 @@ -1088,7 +1090,7 @@ static ssize_t fuse_dev_splice_read(stru
31120 - if (!pipe->readers) {
31121 + if (!atomic_read(&pipe->readers)) {
31122 send_sig(SIGPIPE, current, 0);
31125 @@ -1387,7 +1389,7 @@ static ssize_t fuse_dev_do_write(struct
31129 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31130 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31131 unsigned long nr_segs, loff_t pos)
31133 struct fuse_copy_state cs;
31134 @@ -1400,6 +1402,8 @@ static ssize_t fuse_dev_write(struct kio
31135 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31138 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31140 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31141 struct file *out, loff_t *ppos,
31142 size_t len, unsigned int flags)
31143 @@ -1478,7 +1482,7 @@ out:
31147 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31148 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31150 unsigned mask = POLLOUT | POLLWRNORM;
31151 struct fuse_conn *fc = fuse_get_conn(file);
31152 @@ -1497,6 +1501,8 @@ static unsigned fuse_dev_poll(struct fil
31156 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31159 * Abort all requests on the given list (pending or processing)
31161 @@ -1604,7 +1610,7 @@ int fuse_dev_release(struct inode *inode
31163 EXPORT_SYMBOL_GPL(fuse_dev_release);
31165 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31166 +int fuse_dev_fasync(int fd, struct file *file, int on)
31168 struct fuse_conn *fc = fuse_get_conn(file);
31170 @@ -1614,6 +1620,8 @@ static int fuse_dev_fasync(int fd, struc
31171 return fasync_helper(fd, file, on, &fc->fasync);
31174 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31176 const struct file_operations fuse_dev_operations = {
31177 .owner = THIS_MODULE,
31178 .llseek = no_llseek,
31179 diff -urNp linux-2.6.35.4/fs/fuse/dir.c linux-2.6.35.4/fs/fuse/dir.c
31180 --- linux-2.6.35.4/fs/fuse/dir.c 2010-08-26 19:47:12.000000000 -0400
31181 +++ linux-2.6.35.4/fs/fuse/dir.c 2010-09-17 20:12:09.000000000 -0400
31182 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31186 -static void free_link(char *link)
31187 +static void free_link(const char *link)
31190 free_page((unsigned long) link);
31191 diff -urNp linux-2.6.35.4/fs/fuse/fuse_i.h linux-2.6.35.4/fs/fuse/fuse_i.h
31192 --- linux-2.6.35.4/fs/fuse/fuse_i.h 2010-08-26 19:47:12.000000000 -0400
31193 +++ linux-2.6.35.4/fs/fuse/fuse_i.h 2010-09-17 20:12:09.000000000 -0400
31194 @@ -524,6 +524,16 @@ extern const struct file_operations fuse
31196 extern const struct dentry_operations fuse_dentry_operations;
31198 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31199 + unsigned long nr_segs, loff_t pos);
31201 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31202 + unsigned long nr_segs, loff_t pos);
31204 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31206 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31209 * Inode to nodeid comparison.
31211 diff -urNp linux-2.6.35.4/fs/hfs/inode.c linux-2.6.35.4/fs/hfs/inode.c
31212 --- linux-2.6.35.4/fs/hfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31213 +++ linux-2.6.35.4/fs/hfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31214 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
31216 if (S_ISDIR(main_inode->i_mode)) {
31217 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31220 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31221 sizeof(struct hfs_cat_dir));
31222 if (rec.type != HFS_CDR_DIR ||
31223 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
31224 sizeof(struct hfs_cat_file));
31226 if (fd.entrylength < sizeof(struct hfs_cat_file))
31229 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31230 sizeof(struct hfs_cat_file));
31231 if (rec.type != HFS_CDR_FIL ||
31232 diff -urNp linux-2.6.35.4/fs/hfsplus/inode.c linux-2.6.35.4/fs/hfsplus/inode.c
31233 --- linux-2.6.35.4/fs/hfsplus/inode.c 2010-08-26 19:47:12.000000000 -0400
31234 +++ linux-2.6.35.4/fs/hfsplus/inode.c 2010-09-17 20:12:09.000000000 -0400
31235 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
31236 struct hfsplus_cat_folder *folder = &entry.folder;
31238 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31241 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31242 sizeof(struct hfsplus_cat_folder));
31243 hfsplus_get_perms(inode, &folder->permissions, 1);
31244 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
31245 struct hfsplus_cat_file *file = &entry.file;
31247 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31250 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31251 sizeof(struct hfsplus_cat_file));
31253 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
31254 struct hfsplus_cat_folder *folder = &entry.folder;
31256 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31259 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31260 sizeof(struct hfsplus_cat_folder));
31261 /* simple node checks? */
31262 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
31263 struct hfsplus_cat_file *file = &entry.file;
31265 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31268 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31269 sizeof(struct hfsplus_cat_file));
31270 hfsplus_inode_write_fork(inode, &file->data_fork);
31271 diff -urNp linux-2.6.35.4/fs/hugetlbfs/inode.c linux-2.6.35.4/fs/hugetlbfs/inode.c
31272 --- linux-2.6.35.4/fs/hugetlbfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31273 +++ linux-2.6.35.4/fs/hugetlbfs/inode.c 2010-09-17 20:12:37.000000000 -0400
31274 @@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31275 .kill_sb = kill_litter_super,
31278 -static struct vfsmount *hugetlbfs_vfsmount;
31279 +struct vfsmount *hugetlbfs_vfsmount;
31281 static int can_do_hugetlb_shm(void)
31283 diff -urNp linux-2.6.35.4/fs/ioctl.c linux-2.6.35.4/fs/ioctl.c
31284 --- linux-2.6.35.4/fs/ioctl.c 2010-08-26 19:47:12.000000000 -0400
31285 +++ linux-2.6.35.4/fs/ioctl.c 2010-09-17 20:12:09.000000000 -0400
31286 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
31287 u64 phys, u64 len, u32 flags)
31289 struct fiemap_extent extent;
31290 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
31291 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31293 /* only count the extents */
31294 if (fieinfo->fi_extents_max == 0) {
31295 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
31297 fieinfo.fi_flags = fiemap.fm_flags;
31298 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31299 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31300 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31302 if (fiemap.fm_extent_count != 0 &&
31303 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31304 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
31305 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31306 fiemap.fm_flags = fieinfo.fi_flags;
31307 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31308 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31309 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
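Review bot: The `__force` in `copy_to_user((__force char __user *)arg, ...)` is inconsistent with the `fi_extents_start` assignment in the previous hunk, which converts the same `arg` with a plain `(struct fiemap_extent __user *)` cast. `arg` appears to be an integer here (it is added to `sizeof(fiemap)` before that cast), and `__force` is normally reserved for deliberate address-space overrides, so `(char __user *)arg` would express the same thing without muting the static checker. ioctl_fiemap's body extends beyond the hunk.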
31313 diff -urNp linux-2.6.35.4/fs/jffs2/debug.h linux-2.6.35.4/fs/jffs2/debug.h
31314 --- linux-2.6.35.4/fs/jffs2/debug.h 2010-08-26 19:47:12.000000000 -0400
31315 +++ linux-2.6.35.4/fs/jffs2/debug.h 2010-09-17 20:12:09.000000000 -0400
31316 @@ -52,13 +52,13 @@
31317 #if CONFIG_JFFS2_FS_DEBUG > 0
31321 +#define D1(x) do {} while (0);
31324 #if CONFIG_JFFS2_FS_DEBUG > 1
31328 +#define D2(x) do {} while (0);
31331 /* The prefixes of JFFS2 messages */
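Review bot: The new stubs `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` end in a semicolon, which defeats the do/while(0) idiom. `if (c) D1(...); else ...` expands to two statements and no longer compiles, and every use leaves a stray empty statement behind. Drop the trailing semicolon, `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`, matching the `dbg_*` stubs in the next hunk. Any call site that invokes `D1(...)` without its own semicolon would then need one; those are outside this hunk.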
31332 @@ -114,73 +114,73 @@
31333 #ifdef JFFS2_DBG_READINODE_MESSAGES
31334 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31336 -#define dbg_readinode(fmt, ...)
31337 +#define dbg_readinode(fmt, ...) do {} while (0)
31339 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31340 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31342 -#define dbg_readinode2(fmt, ...)
31343 +#define dbg_readinode2(fmt, ...) do {} while (0)
31346 /* Fragtree build debugging messages */
31347 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31348 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31350 -#define dbg_fragtree(fmt, ...)
31351 +#define dbg_fragtree(fmt, ...) do {} while (0)
31353 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31354 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31356 -#define dbg_fragtree2(fmt, ...)
31357 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31360 /* Directory entry list manilulation debugging messages */
31361 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31362 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31364 -#define dbg_dentlist(fmt, ...)
31365 +#define dbg_dentlist(fmt, ...) do {} while (0)
31368 /* Print the messages about manipulating node_refs */
31369 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31370 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31372 -#define dbg_noderef(fmt, ...)
31373 +#define dbg_noderef(fmt, ...) do {} while (0)
31376 /* Manipulations with the list of inodes (JFFS2 inocache) */
31377 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31378 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31380 -#define dbg_inocache(fmt, ...)
31381 +#define dbg_inocache(fmt, ...) do {} while (0)
31384 /* Summary debugging messages */
31385 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31386 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31388 -#define dbg_summary(fmt, ...)
31389 +#define dbg_summary(fmt, ...) do {} while (0)
31392 /* File system build messages */
31393 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31394 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31396 -#define dbg_fsbuild(fmt, ...)
31397 +#define dbg_fsbuild(fmt, ...) do {} while (0)
31400 /* Watch the object allocations */
31401 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31402 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31404 -#define dbg_memalloc(fmt, ...)
31405 +#define dbg_memalloc(fmt, ...) do {} while (0)
31408 /* Watch the XATTR subsystem */
31409 #ifdef JFFS2_DBG_XATTR_MESSAGES
31410 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31412 -#define dbg_xattr(fmt, ...)
31413 +#define dbg_xattr(fmt, ...) do {} while (0)
31416 /* "Sanity" checks */
31417 diff -urNp linux-2.6.35.4/fs/jffs2/erase.c linux-2.6.35.4/fs/jffs2/erase.c
31418 --- linux-2.6.35.4/fs/jffs2/erase.c 2010-08-26 19:47:12.000000000 -0400
31419 +++ linux-2.6.35.4/fs/jffs2/erase.c 2010-09-17 20:12:09.000000000 -0400
31420 @@ -438,7 +438,8 @@ static void jffs2_mark_erased_block(stru
31421 struct jffs2_unknown_node marker = {
31422 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31423 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31424 - .totlen = cpu_to_je32(c->cleanmarker_size)
31425 + .totlen = cpu_to_je32(c->cleanmarker_size),
31426 + .hdr_crc = cpu_to_je32(0)
31429 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31430 diff -urNp linux-2.6.35.4/fs/jffs2/summary.h linux-2.6.35.4/fs/jffs2/summary.h
31431 --- linux-2.6.35.4/fs/jffs2/summary.h 2010-08-26 19:47:12.000000000 -0400
31432 +++ linux-2.6.35.4/fs/jffs2/summary.h 2010-09-17 20:12:09.000000000 -0400
31433 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31435 #define jffs2_sum_active() (0)
31436 #define jffs2_sum_init(a) (0)
31437 -#define jffs2_sum_exit(a)
31438 -#define jffs2_sum_disable_collecting(a)
31439 +#define jffs2_sum_exit(a) do {} while (0)
31440 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31441 #define jffs2_sum_is_disabled(a) (0)
31442 -#define jffs2_sum_reset_collected(a)
31443 +#define jffs2_sum_reset_collected(a) do {} while (0)
31444 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31445 -#define jffs2_sum_move_collected(a,b)
31446 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31447 #define jffs2_sum_write_sumnode(a) (0)
31448 -#define jffs2_sum_add_padding_mem(a,b)
31449 -#define jffs2_sum_add_inode_mem(a,b,c)
31450 -#define jffs2_sum_add_dirent_mem(a,b,c)
31451 -#define jffs2_sum_add_xattr_mem(a,b,c)
31452 -#define jffs2_sum_add_xref_mem(a,b,c)
31453 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31454 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31455 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31456 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31457 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31458 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31460 #endif /* CONFIG_JFFS2_SUMMARY */
31461 diff -urNp linux-2.6.35.4/fs/jffs2/wbuf.c linux-2.6.35.4/fs/jffs2/wbuf.c
31462 --- linux-2.6.35.4/fs/jffs2/wbuf.c 2010-08-26 19:47:12.000000000 -0400
31463 +++ linux-2.6.35.4/fs/jffs2/wbuf.c 2010-09-17 20:12:09.000000000 -0400
31464 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31466 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31467 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31468 - .totlen = constant_cpu_to_je32(8)
31469 + .totlen = constant_cpu_to_je32(8),
31470 + .hdr_crc = constant_cpu_to_je32(0)
31474 diff -urNp linux-2.6.35.4/fs/lockd/svc.c linux-2.6.35.4/fs/lockd/svc.c
31475 --- linux-2.6.35.4/fs/lockd/svc.c 2010-08-26 19:47:12.000000000 -0400
31476 +++ linux-2.6.35.4/fs/lockd/svc.c 2010-09-17 20:12:09.000000000 -0400
31479 static struct svc_program nlmsvc_program;
31481 -struct nlmsvc_binding * nlmsvc_ops;
31482 +const struct nlmsvc_binding * nlmsvc_ops;
31483 EXPORT_SYMBOL_GPL(nlmsvc_ops);
31485 static DEFINE_MUTEX(nlmsvc_mutex);
31486 diff -urNp linux-2.6.35.4/fs/locks.c linux-2.6.35.4/fs/locks.c
31487 --- linux-2.6.35.4/fs/locks.c 2010-08-26 19:47:12.000000000 -0400
31488 +++ linux-2.6.35.4/fs/locks.c 2010-09-17 20:12:09.000000000 -0400
31489 @@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
31492 if (filp->f_op && filp->f_op->flock) {
31493 - struct file_lock fl = {
31494 + struct file_lock flock = {
31495 .fl_pid = current->tgid,
31497 .fl_flags = FL_FLOCK,
31498 .fl_type = F_UNLCK,
31499 .fl_end = OFFSET_MAX,
31501 - filp->f_op->flock(filp, F_SETLKW, &fl);
31502 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
31503 - fl.fl_ops->fl_release_private(&fl);
31504 + filp->f_op->flock(filp, F_SETLKW, &flock);
31505 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
31506 + flock.fl_ops->fl_release_private(&flock);
31510 diff -urNp linux-2.6.35.4/fs/namei.c linux-2.6.35.4/fs/namei.c
31511 --- linux-2.6.35.4/fs/namei.c 2010-08-26 19:47:12.000000000 -0400
31512 +++ linux-2.6.35.4/fs/namei.c 2010-09-17 20:12:37.000000000 -0400
31513 @@ -548,7 +548,7 @@ __do_follow_link(struct path *path, stru
31514 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
31515 error = PTR_ERR(*p);
31517 - char *s = nd_get_link(nd);
31518 + const char *s = nd_get_link(nd);
31521 error = __vfs_follow_link(nd, s);
31522 @@ -581,6 +581,13 @@ static inline int do_follow_link(struct
31523 err = security_inode_follow_link(path->dentry, nd);
31527 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
31528 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
31533 current->link_count++;
31534 current->total_link_count++;
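Review bot: The added `gr_handle_follow_link()` call dereferences `path->dentry->d_parent->d_inode` with no lock or parent reference visible in the hunk, so a concurrent rename could change `d_parent` between the load and the check. If the decision depends on the parent directory's attributes, taking a stable reference first (for example `dget_parent()` with a matching `dput()`) would close that window. do_follow_link's body extends beyond the hunk, and the lines that set the error and exit are not shown on this page.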
31536 @@ -965,11 +972,18 @@ return_reval:
31540 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
31541 + path_put(&nd->path);
31546 path_put_conditional(&next, nd);
31549 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
31552 path_put(&nd->path);
31555 @@ -1506,12 +1520,19 @@ static int __open_namei_create(struct na
31557 struct dentry *dir = nd->path.dentry;
31559 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, open_flag, mode)) {
31564 if (!IS_POSIXACL(dir->d_inode))
31565 mode &= ~current_umask();
31566 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
31569 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
31571 + gr_handle_create(path->dentry, nd->path.mnt);
31573 mutex_unlock(&dir->d_inode->i_mutex);
31574 dput(nd->path.dentry);
31575 @@ -1614,6 +1635,7 @@ static struct file *do_last(struct namei
31576 int mode, const char *pathname)
31578 struct dentry *dir = nd->path.dentry;
31579 + int flag = open_to_namei_flags(open_flag);
31581 int error = -EISDIR;
31583 @@ -1662,6 +1684,22 @@ static struct file *do_last(struct namei
31585 path_to_nameidata(path, nd);
31586 audit_inode(pathname, nd->path.dentry);
31588 + if (gr_handle_rofs_blockwrite(nd->path.dentry, nd->path.mnt, acc_mode)) {
31593 + if (gr_handle_rawio(nd->path.dentry->d_inode)) {
31598 + if (!gr_acl_handle_open(nd->path.dentry, nd->path.mnt, flag)) {
31606 @@ -1714,6 +1752,24 @@ static struct file *do_last(struct namei
31608 * It already exists.
31611 + if (gr_handle_rofs_blockwrite(path->dentry, nd->path.mnt, acc_mode)) {
31613 + goto exit_mutex_unlock;
31615 + if (gr_handle_rawio(path->dentry->d_inode)) {
31617 + goto exit_mutex_unlock;
31619 + if (!gr_acl_handle_open(path->dentry, nd->path.mnt, flag)) {
31621 + goto exit_mutex_unlock;
31623 + if (gr_handle_fifo(path->dentry, nd->path.mnt, dir, flag, acc_mode)) {
31625 + goto exit_mutex_unlock;
31628 mutex_unlock(&dir->d_inode->i_mutex);
31629 audit_inode(pathname, path->dentry);
31631 @@ -2034,6 +2090,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31632 error = may_mknod(mode);
31636 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
31641 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
31646 error = mnt_want_write(nd.path.mnt);
31649 @@ -2054,6 +2121,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31652 mnt_drop_write(nd.path.mnt);
31655 + gr_handle_create(dentry, nd.path.mnt);
31659 @@ -2106,6 +2176,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31660 if (IS_ERR(dentry))
31663 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
31668 if (!IS_POSIXACL(nd.path.dentry->d_inode))
31669 mode &= ~current_umask();
31670 error = mnt_want_write(nd.path.mnt);
31671 @@ -2117,6 +2192,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31672 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
31674 mnt_drop_write(nd.path.mnt);
31677 + gr_handle_create(dentry, nd.path.mnt);
31682 @@ -2198,6 +2277,8 @@ static long do_rmdir(int dfd, const char
31684 struct dentry *dentry;
31685 struct nameidata nd;
31686 + ino_t saved_ino = 0;
31687 + dev_t saved_dev = 0;
31689 error = user_path_parent(dfd, pathname, &nd, &name);
31691 @@ -2222,6 +2303,19 @@ static long do_rmdir(int dfd, const char
31692 error = PTR_ERR(dentry);
31693 if (IS_ERR(dentry))
31696 + if (dentry->d_inode != NULL) {
31697 + if (dentry->d_inode->i_nlink <= 1) {
31698 + saved_ino = dentry->d_inode->i_ino;
31699 + saved_dev = dentry->d_inode->i_sb->s_dev;
31702 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
31708 error = mnt_want_write(nd.path.mnt);
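Review bot: The `dentry->d_inode->i_nlink <= 1` test that guards saving `saved_ino`/`saved_dev` mirrors the do_unlinkat hunk, but on many filesystems an empty directory has a link count of 2. The condition may therefore rarely hold, and `gr_handle_delete()` in the following hunk would then be skipped after a successful rmdir. If the intent is to report every removed directory, record the inode and device whenever `d_inode` is non-NULL, or add a comment explaining why `<= 1` is the right bound for directories. do_rmdir starts and ends outside the hunk.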
31711 @@ -2229,6 +2323,8 @@ static long do_rmdir(int dfd, const char
31714 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
31715 + if (!error && (saved_dev || saved_ino))
31716 + gr_handle_delete(saved_ino, saved_dev);
31718 mnt_drop_write(nd.path.mnt);
31720 @@ -2291,6 +2387,8 @@ static long do_unlinkat(int dfd, const c
31721 struct dentry *dentry;
31722 struct nameidata nd;
31723 struct inode *inode = NULL;
31724 + ino_t saved_ino = 0;
31725 + dev_t saved_dev = 0;
31727 error = user_path_parent(dfd, pathname, &nd, &name);
31729 @@ -2310,8 +2408,19 @@ static long do_unlinkat(int dfd, const c
31730 if (nd.last.name[nd.last.len])
31732 inode = dentry->d_inode;
31735 + if (inode->i_nlink <= 1) {
31736 + saved_ino = inode->i_ino;
31737 + saved_dev = inode->i_sb->s_dev;
31740 atomic_inc(&inode->i_count);
31742 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
31747 error = mnt_want_write(nd.path.mnt);
31750 @@ -2319,6 +2428,8 @@ static long do_unlinkat(int dfd, const c
31753 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
31754 + if (!error && (saved_ino || saved_dev))
31755 + gr_handle_delete(saved_ino, saved_dev);
31757 mnt_drop_write(nd.path.mnt);
31759 @@ -2396,6 +2507,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
31760 if (IS_ERR(dentry))
31763 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
31768 error = mnt_want_write(nd.path.mnt);
31771 @@ -2403,6 +2519,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
31773 goto out_drop_write;
31774 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
31776 + gr_handle_create(dentry, nd.path.mnt);
31778 mnt_drop_write(nd.path.mnt);
31780 @@ -2495,6 +2613,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31781 error = PTR_ERR(new_dentry);
31782 if (IS_ERR(new_dentry))
31785 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
31786 + old_path.dentry->d_inode,
31787 + old_path.dentry->d_inode->i_mode, to)) {
31792 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
31793 + old_path.dentry, old_path.mnt, to)) {
31798 error = mnt_want_write(nd.path.mnt);
31801 @@ -2502,6 +2634,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31803 goto out_drop_write;
31804 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
31806 + gr_handle_create(new_dentry, nd.path.mnt);
31808 mnt_drop_write(nd.path.mnt);
31810 @@ -2735,6 +2869,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31811 if (new_dentry == trap)
31814 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
31815 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
31820 error = mnt_want_write(oldnd.path.mnt);
31823 @@ -2744,6 +2884,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31825 error = vfs_rename(old_dir->d_inode, old_dentry,
31826 new_dir->d_inode, new_dentry);
31828 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
31829 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
31831 mnt_drop_write(oldnd.path.mnt);
31833 diff -urNp linux-2.6.35.4/fs/namespace.c linux-2.6.35.4/fs/namespace.c
31834 --- linux-2.6.35.4/fs/namespace.c 2010-08-26 19:47:12.000000000 -0400
31835 +++ linux-2.6.35.4/fs/namespace.c 2010-09-17 20:21:58.000000000 -0400
31836 @@ -1099,6 +1099,9 @@ static int do_umount(struct vfsmount *mn
31837 if (!(sb->s_flags & MS_RDONLY))
31838 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
31839 up_write(&sb->s_umount);
31841 + gr_log_remount(mnt->mnt_devname, retval);
31846 @@ -1118,6 +1121,9 @@ static int do_umount(struct vfsmount *mn
31847 spin_unlock(&vfsmount_lock);
31848 up_write(&namespace_sem);
31849 release_mounts(&umount_list);
31851 + gr_log_unmount(mnt->mnt_devname, retval);
31856 @@ -1988,6 +1994,16 @@ long do_mount(char *dev_name, char *dir_
31857 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
31860 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
31865 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
31870 if (flags & MS_REMOUNT)
31871 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
31873 @@ -2002,6 +2018,9 @@ long do_mount(char *dev_name, char *dir_
31874 dev_name, data_page);
31878 + gr_log_mount(dev_name, dir_name, retval);
31883 @@ -2208,6 +2227,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
31887 + if (gr_handle_chroot_pivot()) {
31893 read_lock(¤t->fs->lock);
31894 root = current->fs->root;
31895 path_get(¤t->fs->root);
31896 diff -urNp linux-2.6.35.4/fs/nfs/inode.c linux-2.6.35.4/fs/nfs/inode.c
31897 --- linux-2.6.35.4/fs/nfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31898 +++ linux-2.6.35.4/fs/nfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31899 @@ -915,16 +915,16 @@ static int nfs_size_need_update(const st
31900 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
31903 -static atomic_long_t nfs_attr_generation_counter;
31904 +static atomic_long_unchecked_t nfs_attr_generation_counter;
31906 static unsigned long nfs_read_attr_generation_counter(void)
31908 - return atomic_long_read(&nfs_attr_generation_counter);
31909 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
31912 unsigned long nfs_inc_attr_generation_counter(void)
31914 - return atomic_long_inc_return(&nfs_attr_generation_counter);
31915 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
31918 void nfs_fattr_init(struct nfs_fattr *fattr)
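Review bot: Nothing records why `nfs_attr_generation_counter` may use the `_unchecked` atomic variants, which by their name opt out of the overflow checking this patch applies to the plain atomic types. A one-line comment at the declaration would stop a later reader from copying the pattern onto a real reference count, for example `/* generation stamp, not a refcount: wrapping is harmless */`, assuming that is the reason. The ocfs2 `alloc_stats` counters converted further down (ocfs2.h, localalloc.c, suballoc.c, super.c) deserve the same justification at the struct definition.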
31919 diff -urNp linux-2.6.35.4/fs/nfs/nfs4proc.c linux-2.6.35.4/fs/nfs/nfs4proc.c
31920 --- linux-2.6.35.4/fs/nfs/nfs4proc.c 2010-08-26 19:47:12.000000000 -0400
31921 +++ linux-2.6.35.4/fs/nfs/nfs4proc.c 2010-09-17 20:12:09.000000000 -0400
31922 @@ -1166,7 +1166,7 @@ static int _nfs4_do_open_reclaim(struct
31923 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
31925 struct nfs_server *server = NFS_SERVER(state->inode);
31926 - struct nfs4_exception exception = { };
31927 + struct nfs4_exception exception = {0, 0};
31930 err = _nfs4_do_open_reclaim(ctx, state);
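Review bot: `{0, 0}` is a positional initializer, so every site changed this way now depends on the number and order of members in struct nfs4_exception, which the hunk does not show. `struct nfs4_exception exception = {0};` is standard C, zeroes every member, and stays correct if the struct gains or reorders fields. The same replacement applies to the remaining nfs4proc.c hunks below, which all make this identical change.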
31931 @@ -1208,7 +1208,7 @@ static int _nfs4_open_delegation_recall(
31933 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
31935 - struct nfs4_exception exception = { };
31936 + struct nfs4_exception exception = {0, 0};
31937 struct nfs_server *server = NFS_SERVER(state->inode);
31940 @@ -1581,7 +1581,7 @@ static int _nfs4_open_expired(struct nfs
31941 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
31943 struct nfs_server *server = NFS_SERVER(state->inode);
31944 - struct nfs4_exception exception = { };
31945 + struct nfs4_exception exception = {0, 0};
31949 @@ -1697,7 +1697,7 @@ out_err:
31951 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
31953 - struct nfs4_exception exception = { };
31954 + struct nfs4_exception exception = {0, 0};
31955 struct nfs4_state *res;
31958 @@ -1788,7 +1788,7 @@ static int nfs4_do_setattr(struct inode
31959 struct nfs4_state *state)
31961 struct nfs_server *server = NFS_SERVER(inode);
31962 - struct nfs4_exception exception = { };
31963 + struct nfs4_exception exception = {0, 0};
31966 err = nfs4_handle_exception(server,
31967 @@ -2166,7 +2166,7 @@ static int _nfs4_server_capabilities(str
31969 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
31971 - struct nfs4_exception exception = { };
31972 + struct nfs4_exception exception = {0, 0};
31975 err = nfs4_handle_exception(server,
31976 @@ -2200,7 +2200,7 @@ static int _nfs4_lookup_root(struct nfs_
31977 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
31978 struct nfs_fsinfo *info)
31980 - struct nfs4_exception exception = { };
31981 + struct nfs4_exception exception = {0, 0};
31984 err = nfs4_handle_exception(server,
31985 @@ -2289,7 +2289,7 @@ static int _nfs4_proc_getattr(struct nfs
31987 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
31989 - struct nfs4_exception exception = { };
31990 + struct nfs4_exception exception = {0, 0};
31993 err = nfs4_handle_exception(server,
31994 @@ -2377,7 +2377,7 @@ static int nfs4_proc_lookupfh(struct nfs
31995 struct qstr *name, struct nfs_fh *fhandle,
31996 struct nfs_fattr *fattr)
31998 - struct nfs4_exception exception = { };
31999 + struct nfs4_exception exception = {0, 0};
32002 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32003 @@ -2406,7 +2406,7 @@ static int _nfs4_proc_lookup(struct inod
32005 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32007 - struct nfs4_exception exception = { };
32008 + struct nfs4_exception exception = {0, 0};
32011 err = nfs4_handle_exception(NFS_SERVER(dir),
32012 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_access(struct inod
32014 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32016 - struct nfs4_exception exception = { };
32017 + struct nfs4_exception exception = {0, 0};
32020 err = nfs4_handle_exception(NFS_SERVER(inode),
32021 @@ -2529,7 +2529,7 @@ static int _nfs4_proc_readlink(struct in
32022 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32023 unsigned int pgbase, unsigned int pglen)
32025 - struct nfs4_exception exception = { };
32026 + struct nfs4_exception exception = {0, 0};
32029 err = nfs4_handle_exception(NFS_SERVER(inode),
32030 @@ -2625,7 +2625,7 @@ out:
32032 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32034 - struct nfs4_exception exception = { };
32035 + struct nfs4_exception exception = {0, 0};
32038 err = nfs4_handle_exception(NFS_SERVER(dir),
32039 @@ -2700,7 +2700,7 @@ out:
32040 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32041 struct inode *new_dir, struct qstr *new_name)
32043 - struct nfs4_exception exception = { };
32044 + struct nfs4_exception exception = {0, 0};
32047 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32048 @@ -2749,7 +2749,7 @@ out:
32050 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32052 - struct nfs4_exception exception = { };
32053 + struct nfs4_exception exception = {0, 0};
32056 err = nfs4_handle_exception(NFS_SERVER(inode),
32057 @@ -2841,7 +2841,7 @@ out:
32058 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32059 struct page *page, unsigned int len, struct iattr *sattr)
32061 - struct nfs4_exception exception = { };
32062 + struct nfs4_exception exception = {0, 0};
32065 err = nfs4_handle_exception(NFS_SERVER(dir),
32066 @@ -2872,7 +2872,7 @@ out:
32067 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32068 struct iattr *sattr)
32070 - struct nfs4_exception exception = { };
32071 + struct nfs4_exception exception = {0, 0};
32074 err = nfs4_handle_exception(NFS_SERVER(dir),
32075 @@ -2921,7 +2921,7 @@ static int _nfs4_proc_readdir(struct den
32076 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32077 u64 cookie, struct page *page, unsigned int count, int plus)
32079 - struct nfs4_exception exception = { };
32080 + struct nfs4_exception exception = {0, 0};
32083 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32084 @@ -2969,7 +2969,7 @@ out:
32085 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32086 struct iattr *sattr, dev_t rdev)
32088 - struct nfs4_exception exception = { };
32089 + struct nfs4_exception exception = {0, 0};
32092 err = nfs4_handle_exception(NFS_SERVER(dir),
32093 @@ -3001,7 +3001,7 @@ static int _nfs4_proc_statfs(struct nfs_
32095 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32097 - struct nfs4_exception exception = { };
32098 + struct nfs4_exception exception = {0, 0};
32101 err = nfs4_handle_exception(server,
32102 @@ -3032,7 +3032,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32104 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32106 - struct nfs4_exception exception = { };
32107 + struct nfs4_exception exception = {0, 0};
32111 @@ -3078,7 +3078,7 @@ static int _nfs4_proc_pathconf(struct nf
32112 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32113 struct nfs_pathconf *pathconf)
32115 - struct nfs4_exception exception = { };
32116 + struct nfs4_exception exception = {0, 0};
32120 @@ -3399,7 +3399,7 @@ out_free:
32122 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32124 - struct nfs4_exception exception = { };
32125 + struct nfs4_exception exception = {0, 0};
32128 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32129 @@ -3455,7 +3455,7 @@ static int __nfs4_proc_set_acl(struct in
32131 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32133 - struct nfs4_exception exception = { };
32134 + struct nfs4_exception exception = {0, 0};
32137 err = nfs4_handle_exception(NFS_SERVER(inode),
32138 @@ -3745,7 +3745,7 @@ out:
32139 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32141 struct nfs_server *server = NFS_SERVER(inode);
32142 - struct nfs4_exception exception = { };
32143 + struct nfs4_exception exception = {0, 0};
32146 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32147 @@ -3818,7 +3818,7 @@ out:
32149 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32151 - struct nfs4_exception exception = { };
32152 + struct nfs4_exception exception = {0, 0};
32156 @@ -4232,7 +4232,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32157 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32159 struct nfs_server *server = NFS_SERVER(state->inode);
32160 - struct nfs4_exception exception = { };
32161 + struct nfs4_exception exception = {0, 0};
32165 @@ -4250,7 +4250,7 @@ static int nfs4_lock_reclaim(struct nfs4
32166 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32168 struct nfs_server *server = NFS_SERVER(state->inode);
32169 - struct nfs4_exception exception = { };
32170 + struct nfs4_exception exception = {0, 0};
32173 err = nfs4_set_lock_state(state, request);
32174 @@ -4315,7 +4315,7 @@ out:
32176 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32178 - struct nfs4_exception exception = { };
32179 + struct nfs4_exception exception = {0, 0};
32183 @@ -4375,7 +4375,7 @@ nfs4_proc_lock(struct file *filp, int cm
32184 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32186 struct nfs_server *server = NFS_SERVER(state->inode);
32187 - struct nfs4_exception exception = { };
32188 + struct nfs4_exception exception = {0, 0};
32191 err = nfs4_set_lock_state(state, fl);
32192 diff -urNp linux-2.6.35.4/fs/nfsd/lockd.c linux-2.6.35.4/fs/nfsd/lockd.c
32193 --- linux-2.6.35.4/fs/nfsd/lockd.c 2010-08-26 19:47:12.000000000 -0400
32194 +++ linux-2.6.35.4/fs/nfsd/lockd.c 2010-09-17 20:12:09.000000000 -0400
32195 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32199 -static struct nlmsvc_binding nfsd_nlm_ops = {
32200 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32201 .fopen = nlm_fopen, /* open file for locking */
32202 .fclose = nlm_fclose, /* close file */
32204 diff -urNp linux-2.6.35.4/fs/nfsd/nfsctl.c linux-2.6.35.4/fs/nfsd/nfsctl.c
32205 --- linux-2.6.35.4/fs/nfsd/nfsctl.c 2010-08-26 19:47:12.000000000 -0400
32206 +++ linux-2.6.35.4/fs/nfsd/nfsctl.c 2010-09-17 20:12:09.000000000 -0400
32207 @@ -163,7 +163,7 @@ static int export_features_open(struct i
32208 return single_open(file, export_features_show, NULL);
32211 -static struct file_operations export_features_operations = {
32212 +static const struct file_operations export_features_operations = {
32213 .open = export_features_open,
32215 .llseek = seq_lseek,
32216 diff -urNp linux-2.6.35.4/fs/nfsd/vfs.c linux-2.6.35.4/fs/nfsd/vfs.c
32217 --- linux-2.6.35.4/fs/nfsd/vfs.c 2010-08-26 19:47:12.000000000 -0400
32218 +++ linux-2.6.35.4/fs/nfsd/vfs.c 2010-09-17 20:12:09.000000000 -0400
32219 @@ -933,7 +933,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32223 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32224 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
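Review bot: The `__force` added to the cast tells sparse to stop checking the address space of `vec`, and no comment at the call records why a kernel pointer may be passed as `__user` here. The nfsd_vfs_write hunk below shows its call preceded by `set_fs(KERNEL_DS)`; presumably the same bracket surrounds this vfs_readv() outside the visible lines. A comment such as `/* vec points to kernel memory; valid as __user only while KERNEL_DS is set */` at each of the three casts (here, nfsd_vfs_write, nfsd_readlink) would tie the cast to that precondition. nfsd_vfs_read's body extends beyond the hunk.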
32228 @@ -1056,7 +1056,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32230 /* Write the data. */
32231 oldfs = get_fs(); set_fs(KERNEL_DS);
32232 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32233 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32237 @@ -1541,7 +1541,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32240 oldfs = get_fs(); set_fs(KERNEL_DS);
32241 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32242 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32246 diff -urNp linux-2.6.35.4/fs/nls/nls_base.c linux-2.6.35.4/fs/nls/nls_base.c
32247 --- linux-2.6.35.4/fs/nls/nls_base.c 2010-08-26 19:47:12.000000000 -0400
32248 +++ linux-2.6.35.4/fs/nls/nls_base.c 2010-09-17 20:12:09.000000000 -0400
32249 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32250 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32251 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32252 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32253 - {0, /* end of table */}
32254 + {0, 0, 0, 0, 0, /* end of table */}
32257 #define UNICODE_MAX 0x0010ffff
32258 diff -urNp linux-2.6.35.4/fs/ntfs/file.c linux-2.6.35.4/fs/ntfs/file.c
32259 --- linux-2.6.35.4/fs/ntfs/file.c 2010-08-26 19:47:12.000000000 -0400
32260 +++ linux-2.6.35.4/fs/ntfs/file.c 2010-09-17 20:12:09.000000000 -0400
32261 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
32262 #endif /* NTFS_RW */
32265 -const struct file_operations ntfs_empty_file_ops = {};
32266 +const struct file_operations ntfs_empty_file_ops __read_only;
32268 -const struct inode_operations ntfs_empty_inode_ops = {};
32269 +const struct inode_operations ntfs_empty_inode_ops __read_only;
32270 diff -urNp linux-2.6.35.4/fs/ocfs2/localalloc.c linux-2.6.35.4/fs/ocfs2/localalloc.c
32271 --- linux-2.6.35.4/fs/ocfs2/localalloc.c 2010-08-26 19:47:12.000000000 -0400
32272 +++ linux-2.6.35.4/fs/ocfs2/localalloc.c 2010-09-17 20:12:09.000000000 -0400
32273 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32277 - atomic_inc(&osb->alloc_stats.moves);
32278 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32282 diff -urNp linux-2.6.35.4/fs/ocfs2/ocfs2.h linux-2.6.35.4/fs/ocfs2/ocfs2.h
32283 --- linux-2.6.35.4/fs/ocfs2/ocfs2.h 2010-08-26 19:47:12.000000000 -0400
32284 +++ linux-2.6.35.4/fs/ocfs2/ocfs2.h 2010-09-17 20:12:09.000000000 -0400
32285 @@ -223,11 +223,11 @@ enum ocfs2_vol_state
32287 struct ocfs2_alloc_stats
32290 - atomic_t local_data;
32291 - atomic_t bitmap_data;
32292 - atomic_t bg_allocs;
32293 - atomic_t bg_extends;
32294 + atomic_unchecked_t moves;
32295 + atomic_unchecked_t local_data;
32296 + atomic_unchecked_t bitmap_data;
32297 + atomic_unchecked_t bg_allocs;
32298 + atomic_unchecked_t bg_extends;
32301 enum ocfs2_local_alloc_state
32302 diff -urNp linux-2.6.35.4/fs/ocfs2/suballoc.c linux-2.6.35.4/fs/ocfs2/suballoc.c
32303 --- linux-2.6.35.4/fs/ocfs2/suballoc.c 2010-08-26 19:47:12.000000000 -0400
32304 +++ linux-2.6.35.4/fs/ocfs2/suballoc.c 2010-09-17 20:12:09.000000000 -0400
32305 @@ -856,7 +856,7 @@ static int ocfs2_reserve_suballoc_bits(s
32306 mlog_errno(status);
32309 - atomic_inc(&osb->alloc_stats.bg_extends);
32310 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32312 /* You should never ask for this much metadata */
32313 BUG_ON(bits_wanted >
32314 @@ -1968,7 +1968,7 @@ int ocfs2_claim_metadata(handle_t *handl
32315 mlog_errno(status);
32318 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32319 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32321 *suballoc_loc = res.sr_bg_blkno;
32322 *suballoc_bit_start = res.sr_bit_offset;
32323 @@ -2045,7 +2045,7 @@ int ocfs2_claim_new_inode(handle_t *hand
32324 mlog_errno(status);
32327 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32328 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32330 BUG_ON(res.sr_bits != 1);
32332 @@ -2150,7 +2150,7 @@ int __ocfs2_claim_clusters(handle_t *han
32336 - atomic_inc(&osb->alloc_stats.local_data);
32337 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
32339 if (min_clusters > (osb->bitmap_cpg - 1)) {
32340 /* The only paths asking for contiguousness
32341 @@ -2176,7 +2176,7 @@ int __ocfs2_claim_clusters(handle_t *han
32342 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
32344 res.sr_bit_offset);
32345 - atomic_inc(&osb->alloc_stats.bitmap_data);
32346 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
32347 *num_clusters = res.sr_bits;
32350 diff -urNp linux-2.6.35.4/fs/ocfs2/super.c linux-2.6.35.4/fs/ocfs2/super.c
32351 --- linux-2.6.35.4/fs/ocfs2/super.c 2010-08-26 19:47:12.000000000 -0400
32352 +++ linux-2.6.35.4/fs/ocfs2/super.c 2010-09-17 20:12:09.000000000 -0400
32353 @@ -293,11 +293,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
32354 "%10s => GlobalAllocs: %d LocalAllocs: %d "
32355 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
32357 - atomic_read(&osb->alloc_stats.bitmap_data),
32358 - atomic_read(&osb->alloc_stats.local_data),
32359 - atomic_read(&osb->alloc_stats.bg_allocs),
32360 - atomic_read(&osb->alloc_stats.moves),
32361 - atomic_read(&osb->alloc_stats.bg_extends));
32362 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
32363 + atomic_read_unchecked(&osb->alloc_stats.local_data),
32364 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
32365 + atomic_read_unchecked(&osb->alloc_stats.moves),
32366 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
32368 out += snprintf(buf + out, len - out,
32369 "%10s => State: %u Descriptor: %llu Size: %u bits "
32370 @@ -2047,11 +2047,11 @@ static int ocfs2_initialize_super(struct
32371 spin_lock_init(&osb->osb_xattr_lock);
32372 ocfs2_init_steal_slots(osb);
32374 - atomic_set(&osb->alloc_stats.moves, 0);
32375 - atomic_set(&osb->alloc_stats.local_data, 0);
32376 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
32377 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
32378 - atomic_set(&osb->alloc_stats.bg_extends, 0);
32379 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
32380 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
32381 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
32382 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
32383 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
32385 /* Copy the blockcheck stats from the superblock probe */
32386 osb->osb_ecc_stats = *stats;
32387 diff -urNp linux-2.6.35.4/fs/ocfs2/symlink.c linux-2.6.35.4/fs/ocfs2/symlink.c
32388 --- linux-2.6.35.4/fs/ocfs2/symlink.c 2010-08-26 19:47:12.000000000 -0400
32389 +++ linux-2.6.35.4/fs/ocfs2/symlink.c 2010-09-17 20:12:09.000000000 -0400
32390 @@ -148,7 +148,7 @@ bail:
32392 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32394 - char *link = nd_get_link(nd);
32395 + const char *link = nd_get_link(nd);
32399 diff -urNp linux-2.6.35.4/fs/open.c linux-2.6.35.4/fs/open.c
32400 --- linux-2.6.35.4/fs/open.c 2010-08-26 19:47:12.000000000 -0400
32401 +++ linux-2.6.35.4/fs/open.c 2010-09-17 20:12:37.000000000 -0400
32402 @@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l
32406 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
32409 newattrs.ia_size = length;
32410 newattrs.ia_valid = ATTR_SIZE | time_attrs;
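Review bot: The new check in do_truncate() runs only when `filp` is non-NULL, so any caller that passes a NULL `filp` reaches `newattrs.ia_size = length` without gr_acl_handle_truncate() being consulted. If truncation without an open file is meant to be covered by a different hook, a comment here should say which one, e.g. `/* filp == NULL callers are checked in <caller hook>; this is not an ACL bypass */`. Otherwise the check needs a vfsmount supplied by the caller. do_truncate()'s body starts before and continues after this hunk, and the statement under the `if` is not shown in this view.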
32412 @@ -345,6 +348,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
32413 if (__mnt_is_readonly(path.mnt))
32416 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
32422 @@ -371,6 +377,8 @@ SYSCALL_DEFINE1(chdir, const char __user
32426 + gr_log_chdir(path.dentry, path.mnt);
32428 set_fs_pwd(current->fs, &path);
32431 @@ -397,6 +405,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
32434 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
32436 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
32440 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
32443 set_fs_pwd(current->fs, &file->f_path);
32445 @@ -425,7 +440,18 @@ SYSCALL_DEFINE1(chroot, const char __use
32449 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
32450 + goto dput_and_out;
32452 + if (gr_handle_chroot_caps(&path)) {
32454 + goto dput_and_out;
32457 set_fs_root(current->fs, &path);
32459 + gr_handle_chroot_chdir(&path);
32464 @@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32465 err = mnt_want_write_file(file);
32469 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
32471 + goto out_drop_write;
32474 mutex_lock(&inode->i_mutex);
32475 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
32477 @@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32478 err = notify_change(dentry, &newattrs);
32480 mutex_unlock(&inode->i_mutex);
32482 mnt_drop_write(file->f_path.mnt);
32485 @@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
32486 error = mnt_want_write(path.mnt);
32490 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
32492 + goto out_drop_write;
32495 mutex_lock(&inode->i_mutex);
32496 error = security_path_chmod(path.dentry, path.mnt, mode);
32499 if (mode == (mode_t) -1)
32500 mode = inode->i_mode;
32502 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
32507 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
32508 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
32509 error = notify_change(path.dentry, &newattrs);
32511 mutex_unlock(&inode->i_mutex);
32513 mnt_drop_write(path.mnt);
32516 @@ -515,6 +561,9 @@ static int chown_common(struct path *pat
32518 struct iattr newattrs;
32520 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
32523 newattrs.ia_valid = ATTR_CTIME;
32524 if (user != (uid_t) -1) {
32525 newattrs.ia_valid |= ATTR_UID;
32526 diff -urNp linux-2.6.35.4/fs/pipe.c linux-2.6.35.4/fs/pipe.c
32527 --- linux-2.6.35.4/fs/pipe.c 2010-08-26 19:47:12.000000000 -0400
32528 +++ linux-2.6.35.4/fs/pipe.c 2010-09-17 20:12:37.000000000 -0400
32529 @@ -420,9 +420,9 @@ redo:
32531 if (bufs) /* More to do? */
32533 - if (!pipe->writers)
32534 + if (!atomic_read(&pipe->writers))
32536 - if (!pipe->waiting_writers) {
32537 + if (!atomic_read(&pipe->waiting_writers)) {
32538 /* syscall merging: Usually we must not sleep
32539 * if O_NONBLOCK is set, or if we got some data.
32540 * But if a writer sleeps in kernel space, then
32541 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
32542 mutex_lock(&inode->i_mutex);
32543 pipe = inode->i_pipe;
32545 - if (!pipe->readers) {
32546 + if (!atomic_read(&pipe->readers)) {
32547 send_sig(SIGPIPE, current, 0);
32550 @@ -530,7 +530,7 @@ redo1:
32554 - if (!pipe->readers) {
32555 + if (!atomic_read(&pipe->readers)) {
32556 send_sig(SIGPIPE, current, 0);
32559 @@ -616,9 +616,9 @@ redo2:
32560 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
32563 - pipe->waiting_writers++;
32564 + atomic_inc(&pipe->waiting_writers);
32566 - pipe->waiting_writers--;
32567 + atomic_dec(&pipe->waiting_writers);
32570 mutex_unlock(&inode->i_mutex);
32571 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
32573 if (filp->f_mode & FMODE_READ) {
32574 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
32575 - if (!pipe->writers && filp->f_version != pipe->w_counter)
32576 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
32580 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
32581 * Most Unices do not set POLLERR for FIFOs but on Linux they
32582 * behave exactly like pipes for poll().
32584 - if (!pipe->readers)
32585 + if (!atomic_read(&pipe->readers))
32589 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
32591 mutex_lock(&inode->i_mutex);
32592 pipe = inode->i_pipe;
32593 - pipe->readers -= decr;
32594 - pipe->writers -= decw;
32595 + atomic_sub(decr, &pipe->readers);
32596 + atomic_sub(decw, &pipe->writers);
32598 - if (!pipe->readers && !pipe->writers) {
32599 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
32600 free_pipe_info(inode);
32602 wake_up_interruptible_sync(&pipe->wait);
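Review bot: pipe_release() now adjusts `readers` and `writers` with two separate atomic_sub() calls and then tests both with atomic_read(), a sequence that is only consistent because `inode->i_mutex` is taken at the top of the hunk. The atomic_t type reads as if the counters could be touched without the mutex, so the declaration or this function should say otherwise, e.g. `/* readers/writers are still serialized by i_mutex; atomic_t does not make lock-free access safe */`. The other pipe.c hunks make the same conversion. pipe_release's body continues outside the hunk.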
32603 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
32605 if (inode->i_pipe) {
32607 - inode->i_pipe->readers++;
32608 + atomic_inc(&inode->i_pipe->readers);
32611 mutex_unlock(&inode->i_mutex);
32612 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
32614 if (inode->i_pipe) {
32616 - inode->i_pipe->writers++;
32617 + atomic_inc(&inode->i_pipe->writers);
32620 mutex_unlock(&inode->i_mutex);
32621 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
32622 if (inode->i_pipe) {
32624 if (filp->f_mode & FMODE_READ)
32625 - inode->i_pipe->readers++;
32626 + atomic_inc(&inode->i_pipe->readers);
32627 if (filp->f_mode & FMODE_WRITE)
32628 - inode->i_pipe->writers++;
32629 + atomic_inc(&inode->i_pipe->writers);
32632 mutex_unlock(&inode->i_mutex);
32633 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
32634 inode->i_pipe = NULL;
32637 -static struct vfsmount *pipe_mnt __read_mostly;
32638 +struct vfsmount *pipe_mnt __read_mostly;
32641 * pipefs_dname() is called from d_path().
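Review bot: Dropping `static` from `pipe_mnt` turns a file-private pointer into a global kernel symbol, and this hunk carries neither an extern declaration nor a comment naming the code that now needs it. If the user is elsewhere in the patch, the declaration belongs in a header next to a note such as `/* visible outside fs/pipe.c for <consumer>; set once at init, read-only afterwards */`. The pointer itself stays writable, so the comment is the only thing telling new readers not to assign to it.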
32642 @@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
32644 inode->i_pipe = pipe;
32646 - pipe->readers = pipe->writers = 1;
32647 + atomic_set(&pipe->readers, 1);
32648 + atomic_set(&pipe->writers, 1);
32649 inode->i_fop = &rdwr_pipefifo_fops;
32652 diff -urNp linux-2.6.35.4/fs/proc/array.c linux-2.6.35.4/fs/proc/array.c
32653 --- linux-2.6.35.4/fs/proc/array.c 2010-08-26 19:47:12.000000000 -0400
32654 +++ linux-2.6.35.4/fs/proc/array.c 2010-09-17 20:12:37.000000000 -0400
32655 @@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
32656 seq_printf(m, "\n");
32659 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32660 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
32663 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
32664 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
32665 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
32666 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
32667 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
32668 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
32670 + seq_printf(m, "PaX:\t-----\n");
32674 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
32675 struct pid *pid, struct task_struct *task)
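Review bot: task_pax() reads `p->mm->pax_flags` five times straight from the task pointer, with no reference held on the mm. The guard in front of the first seq_printf() is not shown in this view; if it is a plain `if (p->mm)` test, the task can exit and clear `p->mm` between that test and the reads while its status file is being produced, which would be a NULL dereference. Taking the mm once with get_task_mm() and releasing it with mmput() removes the window, as sketched below.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	/* Pin the mm so it cannot go away while the flags are read. */
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```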
32677 @@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
32678 task_show_regs(m, task);
32680 task_context_switch_counts(m, task);
32682 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32683 + task_pax(m, task);
32689 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32690 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32691 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
32692 + _mm->pax_flags & MF_PAX_SEGMEXEC))
32695 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
32696 struct pid *pid, struct task_struct *task, int whole)
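Review bot: `PAX_RAND_FLAGS` expands its `_mm` argument three times without parentheses, and the identical definition is repeated in the fs/proc/base.c hunk further down. One definition in a shared header would keep the two files from drifting, with the argument parenthesized: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A comment should also state what the macro decides, for instance `/* true when another task's randomized layout must not be revealed to current */`, which is how the do_task_stat hunks appear to use it.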
32698 @@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
32699 gtime = task->gtime;
32702 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32703 + if (PAX_RAND_FLAGS(mm)) {
32709 +#ifdef CONFIG_GRKERNSEC_HIDESYM
32715 /* scale priority and nice values from timeslices to -20..20 */
32716 /* to make it look like a "normal" Unix priority/nice value */
32717 priority = task_prio(task);
32718 @@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
32720 mm ? get_mm_rss(mm) : 0,
32722 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32723 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
32724 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
32725 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
32727 mm ? mm->start_code : 0,
32728 mm ? mm->end_code : 0,
32729 (permitted && mm) ? mm->start_stack : 0,
32733 /* The signal information here is obsolete.
32734 @@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
32739 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
32740 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
32742 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
32745 diff -urNp linux-2.6.35.4/fs/proc/base.c linux-2.6.35.4/fs/proc/base.c
32746 --- linux-2.6.35.4/fs/proc/base.c 2010-08-26 19:47:12.000000000 -0400
32747 +++ linux-2.6.35.4/fs/proc/base.c 2010-09-17 20:12:37.000000000 -0400
32748 @@ -103,6 +103,22 @@ struct pid_entry {
32752 +struct getdents_callback {
32753 + struct linux_dirent __user * current_dir;
32754 + struct linux_dirent __user * previous;
32755 + struct file * file;
32760 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
32761 + loff_t offset, u64 ino, unsigned int d_type)
32763 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
32764 + buf->error = -EINVAL;
32768 #define NOD(NAME, MODE, IOP, FOP, OP) { \
32770 .len = sizeof(NAME) - 1, \
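Review bot: `struct getdents_callback` is declared locally in fs/proc/base.c, and gr_fake_filldir() casts its opaque `__buf` argument to that type before writing `buf->error`. This looks like a copy of a layout owned by another file (presumably the getdents code in fs/readdir.c). If the two definitions ever differ, the store lands on the wrong member with no compiler diagnostic. Moving the struct to a shared header, or at least adding `/* must match struct getdents_callback in <owning file> */` above the copy, would make the coupling visible. Some lines of the struct and of the function are not shown in this view.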
32771 @@ -202,6 +218,9 @@ static int check_mem_permission(struct t
32772 if (task == current)
32775 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
32779 * If current is actively ptrace'ing, and would also be
32780 * permitted to freshly attach with ptrace now, permit it.
32781 @@ -249,6 +268,9 @@ static int proc_pid_cmdline(struct task_
32783 goto out_mm; /* Shh! No looking before we're done */
32785 + if (gr_acl_handle_procpidmem(task))
32788 len = mm->arg_end - mm->arg_start;
32790 if (len > PAGE_SIZE)
32791 @@ -276,12 +298,26 @@ out:
32795 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32796 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32797 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
32798 + _mm->pax_flags & MF_PAX_SEGMEXEC))
32801 static int proc_pid_auxv(struct task_struct *task, char *buffer)
32804 struct mm_struct *mm = get_task_mm(task);
32806 unsigned int nwords = 0;
32808 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32809 + if (PAX_RAND_FLAGS(mm)) {
32817 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
32818 @@ -317,7 +353,7 @@ static int proc_pid_wchan(struct task_st
32820 #endif /* CONFIG_KALLSYMS */
32822 -#ifdef CONFIG_STACKTRACE
32823 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32825 #define MAX_STACK_TRACE_DEPTH 64
32827 @@ -511,7 +547,7 @@ static int proc_pid_limits(struct task_s
32831 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32832 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32833 static int proc_pid_syscall(struct task_struct *task, char *buffer)
32836 @@ -920,6 +956,9 @@ static ssize_t environ_read(struct file
32840 + if (gr_acl_handle_procpidmem(task))
32843 if (!ptrace_may_access(task, PTRACE_MODE_READ))
32846 @@ -1514,7 +1553,11 @@ static struct inode *proc_pid_make_inode
32848 cred = __task_cred(task);
32849 inode->i_uid = cred->euid;
32850 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32851 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32853 inode->i_gid = cred->egid;
32857 security_task_to_inode(task, inode);
32858 @@ -1532,6 +1575,9 @@ static int pid_getattr(struct vfsmount *
32859 struct inode *inode = dentry->d_inode;
32860 struct task_struct *task;
32861 const struct cred *cred;
32862 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32863 + const struct cred *tmpcred = current_cred();
32866 generic_fillattr(inode, stat);
32868 @@ -1539,12 +1585,34 @@ static int pid_getattr(struct vfsmount *
32871 task = pid_task(proc_pid(inode), PIDTYPE_PID);
32873 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
32874 + rcu_read_unlock();
32879 + cred = __task_cred(task);
32880 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32881 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
32882 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32883 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
32887 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32888 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32889 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32890 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32891 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32893 task_dumpable(task)) {
32894 - cred = __task_cred(task);
32895 stat->uid = cred->euid;
32896 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32897 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
32899 stat->gid = cred->egid;
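Review bot: The restricted directory modes `S_IFDIR|S_IRUSR|S_IXUSR` and `S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP` are spelled out under `#ifdef` inside this condition, again in the pid_revalidate hunk, and a third time where proc_pid_instantiate assigns `inode->i_mode`. The comparison only works while all three copies stay identical. A single constant selected once by the PROC_USER / PROC_USERGROUP options and used at every site would be safer than nested preprocessor blocks inside an `if`, for example `#define GR_PROC_TGID_MODE (S_IFDIR|S_IRUSR|S_IXUSR)` (name constructed for illustration). pid_getattr begins and ends outside this hunk.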
32904 @@ -1576,11 +1644,20 @@ static int pid_revalidate(struct dentry
32907 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32908 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32909 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32910 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32911 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32913 task_dumpable(task)) {
32915 cred = __task_cred(task);
32916 inode->i_uid = cred->euid;
32917 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32918 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32920 inode->i_gid = cred->egid;
32925 @@ -1701,7 +1778,8 @@ static int proc_fd_info(struct inode *in
32926 int fd = proc_fd(inode);
32929 - files = get_files_struct(task);
32930 + if (!gr_acl_handle_procpidmem(task))
32931 + files = get_files_struct(task);
32932 put_task_struct(task);
32935 @@ -1953,12 +2031,22 @@ static const struct file_operations proc
32936 static int proc_fd_permission(struct inode *inode, int mask)
32939 + struct task_struct *task;
32941 rv = generic_permission(inode, mask, NULL);
32945 if (task_pid(current) == proc_pid(inode))
32948 + task = get_proc_task(inode);
32949 + if (task == NULL)
32952 + if (gr_acl_handle_procpidmem(task))
32955 + put_task_struct(task);
32960 @@ -2067,6 +2155,9 @@ static struct dentry *proc_pident_lookup
32964 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32968 * Yes, it does not scale. And it should not. Don't add
32969 * new entries into /proc/<tgid>/ without very good reasons.
32970 @@ -2111,6 +2202,9 @@ static int proc_pident_readdir(struct fi
32974 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32980 @@ -2380,7 +2474,7 @@ static void *proc_self_follow_link(struc
32981 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
32984 - char *s = nd_get_link(nd);
32985 + const char *s = nd_get_link(nd);
32989 @@ -2580,7 +2674,7 @@ static const struct pid_entry tgid_base_
32990 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
32992 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
32993 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32994 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32995 INF("syscall", S_IRUSR, proc_pid_syscall),
32997 INF("cmdline", S_IRUGO, proc_pid_cmdline),
32998 @@ -2608,7 +2702,7 @@ static const struct pid_entry tgid_base_
32999 #ifdef CONFIG_KALLSYMS
33000 INF("wchan", S_IRUGO, proc_pid_wchan),
33002 -#ifdef CONFIG_STACKTRACE
33003 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33004 ONE("stack", S_IRUSR, proc_pid_stack),
33006 #ifdef CONFIG_SCHEDSTATS
33007 @@ -2638,6 +2732,9 @@ static const struct pid_entry tgid_base_
33008 INF("io", S_IRUGO, proc_tgid_io_accounting),
33010 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
33011 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33012 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33016 static int proc_tgid_base_readdir(struct file * filp,
33017 @@ -2762,7 +2859,14 @@ static struct dentry *proc_pid_instantia
33021 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33022 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33023 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33024 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33025 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33027 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33029 inode->i_op = &proc_tgid_base_inode_operations;
33030 inode->i_fop = &proc_tgid_base_operations;
33031 inode->i_flags|=S_IMMUTABLE;
33032 @@ -2804,7 +2908,11 @@ struct dentry *proc_pid_lookup(struct in
33036 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33037 + goto out_put_task;
33039 result = proc_pid_instantiate(dir, dentry, task, NULL);
33041 put_task_struct(task);
33044 @@ -2869,6 +2977,11 @@ int proc_pid_readdir(struct file * filp,
33046 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33047 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33048 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33049 + const struct cred *tmpcred = current_cred();
33050 + const struct cred *itercred;
33052 + filldir_t __filldir = filldir;
33053 struct tgid_iter iter;
33054 struct pid_namespace *ns;
33056 @@ -2887,8 +3000,27 @@ int proc_pid_readdir(struct file * filp,
33057 for (iter = next_tgid(ns, iter);
33059 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33060 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33062 + itercred = __task_cred(iter.task);
33064 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33065 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33066 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33067 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33068 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33073 + __filldir = &gr_fake_filldir;
33075 + __filldir = filldir;
33076 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33077 + rcu_read_unlock();
33079 filp->f_pos = iter.tgid + TGID_OFFSET;
33080 if (!vx_proc_task_visible(iter.task))
33082 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33083 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33084 put_task_struct(iter.task);
33085 @@ -2915,7 +3047,7 @@ static const struct pid_entry tid_base_s
33086 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33088 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33089 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33090 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33091 INF("syscall", S_IRUSR, proc_pid_syscall),
33093 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33094 @@ -2942,7 +3074,7 @@ static const struct pid_entry tid_base_s
33095 #ifdef CONFIG_KALLSYMS
33096 INF("wchan", S_IRUGO, proc_pid_wchan),
33098 -#ifdef CONFIG_STACKTRACE
33099 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33100 ONE("stack", S_IRUSR, proc_pid_stack),
33102 #ifdef CONFIG_SCHEDSTATS
33103 diff -urNp linux-2.6.35.4/fs/proc/cmdline.c linux-2.6.35.4/fs/proc/cmdline.c
33104 --- linux-2.6.35.4/fs/proc/cmdline.c 2010-08-26 19:47:12.000000000 -0400
33105 +++ linux-2.6.35.4/fs/proc/cmdline.c 2010-09-17 20:12:37.000000000 -0400
33106 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33108 static int __init proc_cmdline_init(void)
33110 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33111 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33113 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33117 module_init(proc_cmdline_init);
33118 diff -urNp linux-2.6.35.4/fs/proc/devices.c linux-2.6.35.4/fs/proc/devices.c
33119 --- linux-2.6.35.4/fs/proc/devices.c 2010-08-26 19:47:12.000000000 -0400
33120 +++ linux-2.6.35.4/fs/proc/devices.c 2010-09-17 20:12:37.000000000 -0400
33121 @@ -64,7 +64,11 @@ static const struct file_operations proc
33123 static int __init proc_devices_init(void)
33125 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33126 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33128 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33132 module_init(proc_devices_init);
33133 diff -urNp linux-2.6.35.4/fs/proc/inode.c linux-2.6.35.4/fs/proc/inode.c
33134 --- linux-2.6.35.4/fs/proc/inode.c 2010-08-26 19:47:12.000000000 -0400
33135 +++ linux-2.6.35.4/fs/proc/inode.c 2010-09-17 20:12:37.000000000 -0400
33136 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
33138 inode->i_mode = de->mode;
33139 inode->i_uid = de->uid;
33140 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33141 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33143 inode->i_gid = de->gid;
33147 inode->i_size = de->size;
33148 diff -urNp linux-2.6.35.4/fs/proc/internal.h linux-2.6.35.4/fs/proc/internal.h
33149 --- linux-2.6.35.4/fs/proc/internal.h 2010-08-26 19:47:12.000000000 -0400
33150 +++ linux-2.6.35.4/fs/proc/internal.h 2010-09-17 20:12:37.000000000 -0400
33151 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33152 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33153 struct pid *pid, struct task_struct *task);
33155 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33156 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33158 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33160 extern const struct file_operations proc_maps_operations;
33161 diff -urNp linux-2.6.35.4/fs/proc/Kconfig linux-2.6.35.4/fs/proc/Kconfig
33162 --- linux-2.6.35.4/fs/proc/Kconfig 2010-08-26 19:47:12.000000000 -0400
33163 +++ linux-2.6.35.4/fs/proc/Kconfig 2010-09-17 20:12:37.000000000 -0400
33164 @@ -30,12 +30,12 @@ config PROC_FS
33167 bool "/proc/kcore support" if !ARM
33168 - depends on PROC_FS && MMU
33169 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33172 bool "/proc/vmcore support (EXPERIMENTAL)"
33173 - depends on PROC_FS && CRASH_DUMP
33175 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33178 Exports the dump image of crashed kernel in ELF format.
33180 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33183 config PROC_PAGE_MONITOR
33185 - depends on PROC_FS && MMU
33187 + depends on PROC_FS && MMU && !GRKERNSEC
33188 bool "Enable /proc page monitoring" if EMBEDDED
33190 Various /proc files exist to monitor process memory utilization:
33191 diff -urNp linux-2.6.35.4/fs/proc/kcore.c linux-2.6.35.4/fs/proc/kcore.c
33192 --- linux-2.6.35.4/fs/proc/kcore.c 2010-08-26 19:47:12.000000000 -0400
33193 +++ linux-2.6.35.4/fs/proc/kcore.c 2010-09-17 20:12:37.000000000 -0400
33194 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33195 * the addresses in the elf_phdr on our list.
33197 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33198 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33199 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33200 + if (tsz > buflen)
33205 struct kcore_list *m;
33207 @@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
33210 if (kern_addr_valid(start)) {
33214 - n = copy_to_user(buffer, (char *)start, tsz);
33216 - * We cannot distingush between fault on source
33217 - * and fault on destination. When this happens
33218 - * we clear too and hope it will trigger the
33222 - if (clear_user(buffer + tsz - n,
33224 + elf_buf = kmalloc(tsz, GFP_KERNEL);
33227 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33228 + if (copy_to_user(buffer, elf_buf, tsz)) {
33235 if (clear_user(buffer, tsz))
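Review bot: The comment explaining the old fault handling is deleted, but nothing documents the new scheme, in which the page is first read into a kmalloc'd buffer with `__copy_from_user` and only then passed to `copy_to_user`. A comment above the `kmalloc` would help, along the lines of `/* bounce through a kernel buffer so a fault on the kernel source can be told apart from a fault on the user destination */`. The local name `elf_buf` is also misleading, since this branch copies from `start` rather than from the ELF header. From the visible lines it is unclear whether the user buffer is still cleared when the source read faults, as the removed code did with `clear_user`. The error paths and the matching `kfree` fall on lines not shown here and should be checked for a leak on every exit.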
33237 @@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
33239 static int open_kcore(struct inode *inode, struct file *filp)
33241 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
33244 if (!capable(CAP_SYS_RAWIO))
33246 if (kcore_need_update)
33247 diff -urNp linux-2.6.35.4/fs/proc/meminfo.c linux-2.6.35.4/fs/proc/meminfo.c
33248 --- linux-2.6.35.4/fs/proc/meminfo.c 2010-08-26 19:47:12.000000000 -0400
33249 +++ linux-2.6.35.4/fs/proc/meminfo.c 2010-09-17 20:12:09.000000000 -0400
33250 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33252 vmi.largest_chunk >> 10
33253 #ifdef CONFIG_MEMORY_FAILURE
33254 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33255 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33259 diff -urNp linux-2.6.35.4/fs/proc/nommu.c linux-2.6.35.4/fs/proc/nommu.c
33260 --- linux-2.6.35.4/fs/proc/nommu.c 2010-08-26 19:47:12.000000000 -0400
33261 +++ linux-2.6.35.4/fs/proc/nommu.c 2010-09-17 20:12:09.000000000 -0400
33262 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
33265 seq_printf(m, "%*c", len, ' ');
33266 - seq_path(m, &file->f_path, "");
33267 + seq_path(m, &file->f_path, "\n\\");
33271 diff -urNp linux-2.6.35.4/fs/proc/proc_net.c linux-2.6.35.4/fs/proc/proc_net.c
33272 --- linux-2.6.35.4/fs/proc/proc_net.c 2010-08-26 19:47:12.000000000 -0400
33273 +++ linux-2.6.35.4/fs/proc/proc_net.c 2010-09-17 20:12:37.000000000 -0400
33274 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
33275 struct task_struct *task;
33276 struct nsproxy *ns;
33277 struct net *net = NULL;
33278 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33279 + const struct cred *cred = current_cred();
33282 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33285 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33286 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
33291 task = pid_task(proc_pid(dir), PIDTYPE_PID);
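Review bot: The restriction added to get_proc_task_net tests `cred->fsuid`, while the equivalent visibility checks this patch adds in fs/proc/base.c (pid_getattr, proc_pid_readdir) test `tmpcred->uid`. If the difference is deliberate, it needs a short comment at this site naming the reason. If it is not, both files should use the same credential field so that a task whose uid and fsuid differ gets one consistent answer. Several lines of this hunk are not visible, so the PROC_USER branch is assumed to mirror the PROC_USERGROUP one shown.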
33292 diff -urNp linux-2.6.35.4/fs/proc/proc_sysctl.c linux-2.6.35.4/fs/proc/proc_sysctl.c
33293 --- linux-2.6.35.4/fs/proc/proc_sysctl.c 2010-08-26 19:47:12.000000000 -0400
33294 +++ linux-2.6.35.4/fs/proc/proc_sysctl.c 2010-09-17 20:12:37.000000000 -0400
33296 #include <linux/security.h>
33297 #include "internal.h"
33299 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
33301 static const struct dentry_operations proc_sys_dentry_operations;
33302 static const struct file_operations proc_sys_file_operations;
33303 static const struct inode_operations proc_sys_inode_operations;
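Review bot: `gr_handle_sysctl` is declared with a bare `extern` prototype inside this .c file, so a later change to the function's signature would not be diagnosed by the compiler at these call sites. The declaration would be better placed in a header included by both the definition and fs/proc/proc_sysctl.c. The calls added further down pass `MAY_EXEC` in proc_sys_lookup and proc_sys_getattr but a literal `0` in scan(). A named constant, or a comment stating what `op == 0` means to the policy check, would make that call reviewable on its own.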
33304 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
33308 + if (gr_handle_sysctl(p, MAY_EXEC))
33311 err = ERR_PTR(-ENOMEM);
33312 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
33314 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
33315 if (*pos < file->f_pos)
33318 + if (gr_handle_sysctl(table, 0))
33321 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
33324 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
33326 return PTR_ERR(head);
33328 + if (table && gr_handle_sysctl(table, MAY_EXEC))
33331 generic_fillattr(inode, stat);
33333 stat->mode = (stat->mode & S_IFMT) | table->mode;
33334 diff -urNp linux-2.6.35.4/fs/proc/root.c linux-2.6.35.4/fs/proc/root.c
33335 --- linux-2.6.35.4/fs/proc/root.c 2010-08-26 19:47:12.000000000 -0400
33336 +++ linux-2.6.35.4/fs/proc/root.c 2010-09-17 20:12:37.000000000 -0400
33337 @@ -133,7 +133,15 @@ void __init proc_root_init(void)
33338 #ifdef CONFIG_PROC_DEVICETREE
33339 proc_device_tree_init();
33341 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33342 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33343 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
33344 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33345 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33348 proc_mkdir("bus", NULL);
33353 diff -urNp linux-2.6.35.4/fs/proc/task_mmu.c linux-2.6.35.4/fs/proc/task_mmu.c
33354 --- linux-2.6.35.4/fs/proc/task_mmu.c 2010-08-26 19:47:12.000000000 -0400
33355 +++ linux-2.6.35.4/fs/proc/task_mmu.c 2010-09-17 20:12:37.000000000 -0400
33356 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
33357 "VmExe:\t%8lu kB\n"
33358 "VmLib:\t%8lu kB\n"
33359 "VmPTE:\t%8lu kB\n"
33360 - "VmSwap:\t%8lu kB\n",
33361 - hiwater_vm << (PAGE_SHIFT-10),
33362 + "VmSwap:\t%8lu kB\n"
33364 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33365 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
33368 + ,hiwater_vm << (PAGE_SHIFT-10),
33369 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
33370 mm->locked_vm << (PAGE_SHIFT-10),
33371 hiwater_rss << (PAGE_SHIFT-10),
33372 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
33373 data << (PAGE_SHIFT-10),
33374 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
33375 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
33376 - swap << (PAGE_SHIFT-10));
33377 + swap << (PAGE_SHIFT-10)
33379 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33380 + , mm->context.user_cs_base, mm->context.user_cs_limit
33386 unsigned long task_vsize(struct mm_struct *mm)
33387 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
33391 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33392 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33393 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33394 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33397 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
33399 struct mm_struct *mm = vma->vm_mm;
33400 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
33401 int flags = vma->vm_flags;
33402 unsigned long ino = 0;
33403 unsigned long long pgoff = 0;
33404 - unsigned long start;
33408 @@ -221,19 +237,24 @@ static void show_map_vma(struct seq_file
33409 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
33412 - /* We don't show the stack guard page in /proc/maps */
33413 - start = vma->vm_start;
33414 - if (vma->vm_flags & VM_GROWSDOWN)
33415 - start += PAGE_SIZE;
33417 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
33419 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33420 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
33421 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
33426 flags & VM_READ ? 'r' : '-',
33427 flags & VM_WRITE ? 'w' : '-',
33428 flags & VM_EXEC ? 'x' : '-',
33429 flags & VM_MAYSHARE ? 's' : 'p',
33430 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33431 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
33435 MAJOR(dev), MINOR(dev), ino, &len);
33438 @@ -242,16 +263,16 @@ static void show_map_vma(struct seq_file
33441 pad_len_spaces(m, len);
33442 - seq_path(m, &file->f_path, "\n");
33443 + seq_path(m, &file->f_path, "\n\\");
33445 const char *name = arch_vma_name(vma);
33448 - if (vma->vm_start <= mm->start_brk &&
33449 - vma->vm_end >= mm->brk) {
33450 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
33452 - } else if (vma->vm_start <= mm->start_stack &&
33453 - vma->vm_end >= mm->start_stack) {
33454 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
33455 + (vma->vm_start <= mm->start_stack &&
33456 + vma->vm_end >= mm->start_stack)) {
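Review bot: The `[heap]` test changes from containment (`vm_start <= start_brk && vm_end >= brk`) to overlap (`vm_start <= brk && vm_end >= start_brk`), and the `[stack]` test now also matches any VMA with `VM_GROWSDOWN` or `VM_GROWSUP`, yet neither change carries a comment. Under the new conditions more than one VMA can receive the same label, which consumers of the maps output may not expect. A comment such as `/* any vma overlapping [start_brk, brk] is reported as heap */`, plus one for the growable-VMA case, would make the intent explicit. This hunk also widens the `seq_path` escape set to `"\n\\"`, as do the nommu.c and task_nommu.c hunks; a one-line note that backslash is escaped, presumably to keep the escaped output unambiguous, would help. show_map_vma starts outside this hunk.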
33460 @@ -393,11 +414,16 @@ static int show_smap(struct seq_file *m,
33463 memset(&mss, 0, sizeof mss);
33465 - /* mmap_sem is held in m_start */
33466 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33467 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33469 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33470 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
33473 + /* mmap_sem is held in m_start */
33474 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33475 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33476 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33479 show_map_vma(m, vma);
33482 @@ -412,7 +438,11 @@ static int show_smap(struct seq_file *m,
33484 "KernelPageSize: %8lu kB\n"
33485 "MMUPageSize: %8lu kB\n",
33486 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33487 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
33489 (vma->vm_end - vma->vm_start) >> 10,
33491 mss.resident >> 10,
33492 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
33493 mss.shared_clean >> 10,
33494 diff -urNp linux-2.6.35.4/fs/proc/task_nommu.c linux-2.6.35.4/fs/proc/task_nommu.c
33495 --- linux-2.6.35.4/fs/proc/task_nommu.c 2010-08-26 19:47:12.000000000 -0400
33496 +++ linux-2.6.35.4/fs/proc/task_nommu.c 2010-09-17 20:12:09.000000000 -0400
33497 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
33499 bytes += kobjsize(mm);
33501 - if (current->fs && current->fs->users > 1)
33502 + if (current->fs && atomic_read(¤t->fs->users) > 1)
33503 sbytes += kobjsize(current->fs);
33505 bytes += kobjsize(current->fs);
33506 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
33509 pad_len_spaces(m, len);
33510 - seq_path(m, &file->f_path, "");
33511 + seq_path(m, &file->f_path, "\n\\");
33513 if (vma->vm_start <= mm->start_stack &&
33514 vma->vm_end >= mm->start_stack) {
33515 diff -urNp linux-2.6.35.4/fs/readdir.c linux-2.6.35.4/fs/readdir.c
33516 --- linux-2.6.35.4/fs/readdir.c 2010-08-26 19:47:12.000000000 -0400
33517 +++ linux-2.6.35.4/fs/readdir.c 2010-09-17 20:12:37.000000000 -0400
33519 #include <linux/security.h>
33520 #include <linux/syscalls.h>
33521 #include <linux/unistd.h>
33522 +#include <linux/namei.h>
33524 #include <asm/uaccess.h>
33526 @@ -67,6 +68,7 @@ struct old_linux_dirent {
33528 struct readdir_callback {
33529 struct old_linux_dirent __user * dirent;
33530 + struct file * file;
33534 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
33535 buf->result = -EOVERFLOW;
33539 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33543 dirent = buf->dirent;
33544 if (!access_ok(VERIFY_WRITE, dirent,
33545 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
33548 buf.dirent = dirent;
33551 error = vfs_readdir(file, fillonedir, &buf);
33553 @@ -142,6 +149,7 @@ struct linux_dirent {
33554 struct getdents_callback {
33555 struct linux_dirent __user * current_dir;
33556 struct linux_dirent __user * previous;
33557 + struct file * file;
33561 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
33562 buf->error = -EOVERFLOW;
33566 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33569 dirent = buf->previous;
33571 if (__put_user(offset, &dirent->d_off))
33572 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
33573 buf.previous = NULL;
33578 error = vfs_readdir(file, filldir, &buf);
33580 @@ -228,6 +241,7 @@ out:
33581 struct getdents_callback64 {
33582 struct linux_dirent64 __user * current_dir;
33583 struct linux_dirent64 __user * previous;
33584 + struct file *file;
33588 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
33589 buf->error = -EINVAL; /* only used if we fail.. */
33590 if (reclen > buf->count)
33593 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33596 dirent = buf->previous;
33598 if (__put_user(offset, &dirent->d_off))
33599 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
33601 buf.current_dir = dirent;
33602 buf.previous = NULL;
33607 diff -urNp linux-2.6.35.4/fs/reiserfs/do_balan.c linux-2.6.35.4/fs/reiserfs/do_balan.c
33608 --- linux-2.6.35.4/fs/reiserfs/do_balan.c 2010-08-26 19:47:12.000000000 -0400
33609 +++ linux-2.6.35.4/fs/reiserfs/do_balan.c 2010-09-17 20:12:09.000000000 -0400
33610 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
33614 - atomic_inc(&(fs_generation(tb->tb_sb)));
33615 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
33616 do_balance_starts(tb);
33618 /* balance leaf returns 0 except if combining L R and S into
33619 diff -urNp linux-2.6.35.4/fs/reiserfs/item_ops.c linux-2.6.35.4/fs/reiserfs/item_ops.c
33620 --- linux-2.6.35.4/fs/reiserfs/item_ops.c 2010-08-26 19:47:12.000000000 -0400
33621 +++ linux-2.6.35.4/fs/reiserfs/item_ops.c 2010-09-17 20:12:09.000000000 -0400
33622 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
33623 vi->vi_index, vi->vi_type, vi->vi_ih);
33626 -static struct item_operations stat_data_ops = {
33627 +static const struct item_operations stat_data_ops = {
33628 .bytes_number = sd_bytes_number,
33629 .decrement_key = sd_decrement_key,
33630 .is_left_mergeable = sd_is_left_mergeable,
33631 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
33632 vi->vi_index, vi->vi_type, vi->vi_ih);
33635 -static struct item_operations direct_ops = {
33636 +static const struct item_operations direct_ops = {
33637 .bytes_number = direct_bytes_number,
33638 .decrement_key = direct_decrement_key,
33639 .is_left_mergeable = direct_is_left_mergeable,
33640 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
33641 vi->vi_index, vi->vi_type, vi->vi_ih);
33644 -static struct item_operations indirect_ops = {
33645 +static const struct item_operations indirect_ops = {
33646 .bytes_number = indirect_bytes_number,
33647 .decrement_key = indirect_decrement_key,
33648 .is_left_mergeable = indirect_is_left_mergeable,
33649 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
33653 -static struct item_operations direntry_ops = {
33654 +static const struct item_operations direntry_ops = {
33655 .bytes_number = direntry_bytes_number,
33656 .decrement_key = direntry_decrement_key,
33657 .is_left_mergeable = direntry_is_left_mergeable,
33658 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
33659 "Invalid item type observed, run fsck ASAP");
33662 -static struct item_operations errcatch_ops = {
33663 +static const struct item_operations errcatch_ops = {
33664 errcatch_bytes_number,
33665 errcatch_decrement_key,
33666 errcatch_is_left_mergeable,
33667 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
33668 #error Item types must use disk-format assigned values.
33671 -struct item_operations *item_ops[TYPE_ANY + 1] = {
33672 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
33676 diff -urNp linux-2.6.35.4/fs/reiserfs/procfs.c linux-2.6.35.4/fs/reiserfs/procfs.c
33677 --- linux-2.6.35.4/fs/reiserfs/procfs.c 2010-08-26 19:47:12.000000000 -0400
33678 +++ linux-2.6.35.4/fs/reiserfs/procfs.c 2010-09-17 20:12:09.000000000 -0400
33679 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
33680 "SMALL_TAILS " : "NO_TAILS ",
33681 replay_only(sb) ? "REPLAY_ONLY " : "",
33682 convert_reiserfs(sb) ? "CONV " : "",
33683 - atomic_read(&r->s_generation_counter),
33684 + atomic_read_unchecked(&r->s_generation_counter),
33685 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
33686 SF(s_do_balance), SF(s_unneeded_left_neighbor),
33687 SF(s_good_search_by_key_reada), SF(s_bmaps),
33688 diff -urNp linux-2.6.35.4/fs/select.c linux-2.6.35.4/fs/select.c
33689 --- linux-2.6.35.4/fs/select.c 2010-08-26 19:47:12.000000000 -0400
33690 +++ linux-2.6.35.4/fs/select.c 2010-09-17 20:12:37.000000000 -0400
33692 #include <linux/module.h>
33693 #include <linux/slab.h>
33694 #include <linux/poll.h>
33695 +#include <linux/security.h>
33696 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
33697 #include <linux/file.h>
33698 #include <linux/fdtable.h>
33699 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
33700 struct poll_list *walk = head;
33701 unsigned long todo = nfds;
33703 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
33704 if (nfds > rlimit(RLIMIT_NOFILE))
33707 diff -urNp linux-2.6.35.4/fs/seq_file.c linux-2.6.35.4/fs/seq_file.c
33708 --- linux-2.6.35.4/fs/seq_file.c 2010-08-26 19:47:12.000000000 -0400
33709 +++ linux-2.6.35.4/fs/seq_file.c 2010-09-17 20:12:09.000000000 -0400
33710 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
33714 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33715 + m->size = PAGE_SIZE;
33716 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
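Review bot: The split-out initial allocation passes `PAGE_SIZE` to `kmalloc` a second time, while the regrow path in the following hunk passes `m->size`. The same pair of forms recurs in the two seq_read hunks. Writing the first site as `m->buf = kmalloc(m->size, GFP_KERNEL);` would keep the recorded size and the allocated size tied to one expression at all four sites. The doubling step itself is on a line not visible here; if it is still a plain `m->size <<= 1`, a brief comment on what bounds the growth would be useful. traverse() continues outside this hunk.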
33720 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
33724 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33726 + m->buf = kmalloc(m->size, GFP_KERNEL);
33727 return !m->buf ? -ENOMEM : -EAGAIN;
33730 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
33731 m->version = file->f_version;
33732 /* grab buffer if we didn't have one */
33734 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33735 + m->size = PAGE_SIZE;
33736 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
33740 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
33744 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33746 + m->buf = kmalloc(m->size, GFP_KERNEL);
33750 diff -urNp linux-2.6.35.4/fs/smbfs/symlink.c linux-2.6.35.4/fs/smbfs/symlink.c
33751 --- linux-2.6.35.4/fs/smbfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33752 +++ linux-2.6.35.4/fs/smbfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33753 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
33755 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
33757 - char *s = nd_get_link(nd);
33758 + const char *s = nd_get_link(nd);
33762 diff -urNp linux-2.6.35.4/fs/splice.c linux-2.6.35.4/fs/splice.c
33763 --- linux-2.6.35.4/fs/splice.c 2010-08-26 19:47:12.000000000 -0400
33764 +++ linux-2.6.35.4/fs/splice.c 2010-09-17 20:12:09.000000000 -0400
33765 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
33769 - if (!pipe->readers) {
33770 + if (!atomic_read(&pipe->readers)) {
33771 send_sig(SIGPIPE, current, 0);
33774 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
33778 - pipe->waiting_writers++;
33779 + atomic_inc(&pipe->waiting_writers);
33781 - pipe->waiting_writers--;
33782 + atomic_dec(&pipe->waiting_writers);
33786 @@ -566,7 +566,7 @@ static ssize_t kernel_readv(struct file
33789 /* The cast to a user pointer is valid due to the set_fs() */
33790 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
33791 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
33795 @@ -581,7 +581,7 @@ static ssize_t kernel_write(struct file
33798 /* The cast to a user pointer is valid due to the set_fs() */
33799 - res = vfs_write(file, (const char __user *)buf, count, &pos);
33800 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
33804 @@ -634,7 +634,7 @@ ssize_t default_file_splice_read(struct
33807 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
33808 - vec[i].iov_base = (void __user *) page_address(page);
33809 + vec[i].iov_base = (__force void __user *) page_address(page);
33810 vec[i].iov_len = this_len;
33811 spd.pages[i] = page;
33813 @@ -861,10 +861,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
33814 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
33816 while (!pipe->nrbufs) {
33817 - if (!pipe->writers)
33818 + if (!atomic_read(&pipe->writers))
33821 - if (!pipe->waiting_writers && sd->num_spliced)
33822 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
33825 if (sd->flags & SPLICE_F_NONBLOCK)
33826 @@ -1201,7 +1201,7 @@ ssize_t splice_direct_to_actor(struct fi
33827 * out of the pipe right after the splice_to_pipe(). So set
33828 * PIPE_READERS appropriately.
33830 - pipe->readers = 1;
33831 + atomic_set(&pipe->readers, 1);
33833 current->splice_pipe = pipe;
33835 @@ -1769,9 +1769,9 @@ static int ipipe_prep(struct pipe_inode_
33836 ret = -ERESTARTSYS;
33839 - if (!pipe->writers)
33840 + if (!atomic_read(&pipe->writers))
33842 - if (!pipe->waiting_writers) {
33843 + if (!atomic_read(&pipe->waiting_writers)) {
33844 if (flags & SPLICE_F_NONBLOCK) {
33847 @@ -1803,7 +1803,7 @@ static int opipe_prep(struct pipe_inode_
33850 while (pipe->nrbufs >= pipe->buffers) {
33851 - if (!pipe->readers) {
33852 + if (!atomic_read(&pipe->readers)) {
33853 send_sig(SIGPIPE, current, 0);
33856 @@ -1816,9 +1816,9 @@ static int opipe_prep(struct pipe_inode_
33857 ret = -ERESTARTSYS;
33860 - pipe->waiting_writers++;
33861 + atomic_inc(&pipe->waiting_writers);
33863 - pipe->waiting_writers--;
33864 + atomic_dec(&pipe->waiting_writers);
33868 @@ -1854,14 +1854,14 @@ retry:
33869 pipe_double_lock(ipipe, opipe);
33872 - if (!opipe->readers) {
33873 + if (!atomic_read(&opipe->readers)) {
33874 send_sig(SIGPIPE, current, 0);
33880 - if (!ipipe->nrbufs && !ipipe->writers)
33881 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
33885 @@ -1961,7 +1961,7 @@ static int link_pipe(struct pipe_inode_i
33886 pipe_double_lock(ipipe, opipe);
33889 - if (!opipe->readers) {
33890 + if (!atomic_read(&opipe->readers)) {
33891 send_sig(SIGPIPE, current, 0);
33894 @@ -2006,7 +2006,7 @@ static int link_pipe(struct pipe_inode_i
33895 * return EAGAIN if we have the potential of some data in the
33896 * future, otherwise just return 0
33898 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
33899 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
33902 pipe_unlock(ipipe);
33903 diff -urNp linux-2.6.35.4/fs/sysfs/symlink.c linux-2.6.35.4/fs/sysfs/symlink.c
33904 --- linux-2.6.35.4/fs/sysfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33905 +++ linux-2.6.35.4/fs/sysfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33906 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
33908 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33910 - char *page = nd_get_link(nd);
33911 + const char *page = nd_get_link(nd);
33913 free_page((unsigned long)page);
33915 diff -urNp linux-2.6.35.4/fs/udf/misc.c linux-2.6.35.4/fs/udf/misc.c
33916 --- linux-2.6.35.4/fs/udf/misc.c 2010-08-26 19:47:12.000000000 -0400
33917 +++ linux-2.6.35.4/fs/udf/misc.c 2010-09-17 20:12:09.000000000 -0400
33918 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
33919 iinfo->i_lenEAttr += size;
33920 return (struct genericFormat *)&ea[offset];
33924 + if (loc & 0x02) {
33929 diff -urNp linux-2.6.35.4/fs/udf/udfdecl.h linux-2.6.35.4/fs/udf/udfdecl.h
33930 --- linux-2.6.35.4/fs/udf/udfdecl.h 2010-08-26 19:47:12.000000000 -0400
33931 +++ linux-2.6.35.4/fs/udf/udfdecl.h 2010-09-17 20:12:09.000000000 -0400
33932 @@ -26,7 +26,7 @@ do { \
33936 -#define udf_debug(f, a...) /**/
33937 +#define udf_debug(f, a...) do {} while (0)
33940 #define udf_info(f, a...) \
33941 diff -urNp linux-2.6.35.4/fs/utimes.c linux-2.6.35.4/fs/utimes.c
33942 --- linux-2.6.35.4/fs/utimes.c 2010-08-26 19:47:12.000000000 -0400
33943 +++ linux-2.6.35.4/fs/utimes.c 2010-09-17 20:12:37.000000000 -0400
33945 #include <linux/compiler.h>
33946 #include <linux/file.h>
33947 #include <linux/fs.h>
33948 +#include <linux/security.h>
33949 #include <linux/linkage.h>
33950 #include <linux/mount.h>
33951 #include <linux/namei.h>
33952 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
33953 goto mnt_drop_write_and_out;
33957 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
33959 + goto mnt_drop_write_and_out;
33962 mutex_lock(&inode->i_mutex);
33963 error = notify_change(path->dentry, &newattrs);
33964 mutex_unlock(&inode->i_mutex);
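Review bot: The added `if (!gr_acl_handle_utime(path->dentry, path->mnt))` in utimes_common treats a zero return as denial, the reverse of the 0-means-success convention used by `notify_change()` just below. Nothing at the call site says so. A one-line comment above the check would keep a later reader from "fixing" the negation: `/* RBAC hook: returns 0 when policy denies the timestamp change */`. The statement between the `if` and `goto mnt_drop_write_and_out` is not shown on this page, so confirm it assigns a failure code to `error`; otherwise the denied path would return whatever `error` held before. The function body starts and ends outside this hunk.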
33965 diff -urNp linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c
33966 --- linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-08-26 19:47:12.000000000 -0400
33967 +++ linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-09-17 20:12:37.000000000 -0400
33968 @@ -136,7 +136,7 @@ xfs_find_handle(
33972 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
33973 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
33974 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
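Review bot: The new `hsize > sizeof(handle)` guard in xfs_find_handle shares one branch with the two `copy_to_user()` failures, so an oversized length is reported with whatever error that branch sets (its body is outside the hunk), and it cannot be told apart from a bad user pointer. `hsize` is computed earlier in the function, outside this hunk, so whether it can really exceed `handle` cannot be confirmed from here. The guard is still worth keeping, since a larger length would copy memory adjacent to `handle` out to user space. I would document the intent above the condition: `/* never copy more than handle holds; a larger hsize would disclose adjacent kernel memory */`. Consider giving the size check its own branch, so an internal length error is not reported as a user fault.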
33977 diff -urNp linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c
33978 --- linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c 2010-08-26 19:47:12.000000000 -0400
33979 +++ linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c 2010-09-17 20:12:09.000000000 -0400
33980 @@ -480,7 +480,7 @@ xfs_vn_put_link(
33981 struct nameidata *nd,
33984 - char *s = nd_get_link(nd);
33985 + const char *s = nd_get_link(nd);
33989 diff -urNp linux-2.6.35.4/fs/xfs/xfs_bmap.c linux-2.6.35.4/fs/xfs/xfs_bmap.c
33990 --- linux-2.6.35.4/fs/xfs/xfs_bmap.c 2010-08-26 19:47:12.000000000 -0400
33991 +++ linux-2.6.35.4/fs/xfs/xfs_bmap.c 2010-09-17 20:12:09.000000000 -0400
33992 @@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
33996 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
33997 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34001 diff -urNp linux-2.6.35.4/grsecurity/gracl_alloc.c linux-2.6.35.4/grsecurity/gracl_alloc.c
34002 --- linux-2.6.35.4/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34003 +++ linux-2.6.35.4/grsecurity/gracl_alloc.c 2010-09-17 20:12:37.000000000 -0400
34005 +#include <linux/kernel.h>
34006 +#include <linux/mm.h>
34007 +#include <linux/slab.h>
34008 +#include <linux/vmalloc.h>
34009 +#include <linux/gracl.h>
34010 +#include <linux/grsecurity.h>
34012 +static unsigned long alloc_stack_next = 1;
34013 +static unsigned long alloc_stack_size = 1;
34014 +static void **alloc_stack;
34016 +static __inline__ int
34019 + if (alloc_stack_next == 1)
34022 + kfree(alloc_stack[alloc_stack_next - 2]);
34024 + alloc_stack_next--;
34029 +static __inline__ int
34030 +alloc_push(void *buf)
34032 + if (alloc_stack_next >= alloc_stack_size)
34035 + alloc_stack[alloc_stack_next - 1] = buf;
34037 + alloc_stack_next++;
34043 +acl_alloc(unsigned long len)
34045 + void *ret = NULL;
34047 + if (!len || len > PAGE_SIZE)
34050 + ret = kmalloc(len, GFP_KERNEL);
34053 + if (alloc_push(ret)) {
34064 +acl_alloc_num(unsigned long num, unsigned long len)
34066 + if (!len || (num > (PAGE_SIZE / len)))
34069 + return acl_alloc(num * len);
34073 +acl_free_all(void)
34075 + if (gr_acl_is_enabled() || !alloc_stack)
34078 + while (alloc_pop()) ;
34080 + if (alloc_stack) {
34081 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34082 + kfree(alloc_stack);
34084 + vfree(alloc_stack);
34087 + alloc_stack = NULL;
34088 + alloc_stack_size = 1;
34089 + alloc_stack_next = 1;
34095 +acl_alloc_stack_init(unsigned long size)
34097 + if ((size * sizeof (void *)) <= PAGE_SIZE)
34099 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34101 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
34103 + alloc_stack_size = size;
34105 + if (!alloc_stack)
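Review bot: acl_alloc_stack_init multiplies `size * sizeof (void *)` with no overflow check and stores `alloc_stack_size = size` before testing whether the allocation succeeded. The caller shown later on this page (init_variables in gracl.c) passes `arg->role_db.num_pointers + 5`, a count that arrives with the loaded policy. Where `unsigned long` is 32 bits, a large count could wrap the product and give a short array, while alloc_push's `alloc_stack_next >= alloc_stack_size` bound still uses the unwrapped size. acl_alloc_num in this same file already guards its multiplication with `num > (PAGE_SIZE / len)`; the equivalent here is `if (size > ULONG_MAX / sizeof (void *)) return 0;` at the top, with `alloc_stack_size = size;` moved below the `!alloc_stack` check. Several lines of this file are missing from the page, so the return statements are inferred from the caller's `if (!acl_alloc_stack_init(stacksize))` test.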
34110 diff -urNp linux-2.6.35.4/grsecurity/gracl.c linux-2.6.35.4/grsecurity/gracl.c
34111 --- linux-2.6.35.4/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
34112 +++ linux-2.6.35.4/grsecurity/gracl.c 2010-09-17 20:18:36.000000000 -0400
34114 +#include <linux/kernel.h>
34115 +#include <linux/module.h>
34116 +#include <linux/sched.h>
34117 +#include <linux/mm.h>
34118 +#include <linux/file.h>
34119 +#include <linux/fs.h>
34120 +#include <linux/namei.h>
34121 +#include <linux/mount.h>
34122 +#include <linux/tty.h>
34123 +#include <linux/proc_fs.h>
34124 +#include <linux/smp_lock.h>
34125 +#include <linux/slab.h>
34126 +#include <linux/vmalloc.h>
34127 +#include <linux/types.h>
34128 +#include <linux/sysctl.h>
34129 +#include <linux/netdevice.h>
34130 +#include <linux/ptrace.h>
34131 +#include <linux/gracl.h>
34132 +#include <linux/gralloc.h>
34133 +#include <linux/grsecurity.h>
34134 +#include <linux/grinternal.h>
34135 +#include <linux/pid_namespace.h>
34136 +#include <linux/fdtable.h>
34137 +#include <linux/percpu.h>
34139 +#include <asm/uaccess.h>
34140 +#include <asm/errno.h>
34141 +#include <asm/mman.h>
34143 +static struct acl_role_db acl_role_set;
34144 +static struct name_db name_set;
34145 +static struct inodev_db inodev_set;
34147 +/* for keeping track of userspace pointers used for subjects, so we
34148 + can share references in the kernel as well
34151 +static struct dentry *real_root;
34152 +static struct vfsmount *real_root_mnt;
34154 +static struct acl_subj_map_db subj_map_set;
34156 +static struct acl_role_label *default_role;
34158 +static struct acl_role_label *role_list;
34160 +static u16 acl_sp_role_value;
34162 +extern char *gr_shared_page[4];
34163 +static DECLARE_MUTEX(gr_dev_sem);
34164 +DEFINE_RWLOCK(gr_inode_lock);
34166 +struct gr_arg *gr_usermode;
34168 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
34170 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34171 +extern void gr_clear_learn_entries(void);
34173 +#ifdef CONFIG_GRKERNSEC_RESLOG
34174 +extern void gr_log_resource(const struct task_struct *task,
34175 + const int res, const unsigned long wanted, const int gt);
34178 +unsigned char *gr_system_salt;
34179 +unsigned char *gr_system_sum;
34181 +static struct sprole_pw **acl_special_roles = NULL;
34182 +static __u16 num_sprole_pws = 0;
34184 +static struct acl_role_label *kernel_role = NULL;
34186 +static unsigned int gr_auth_attempts = 0;
34187 +static unsigned long gr_auth_expires = 0UL;
34189 +extern struct vfsmount *sock_mnt;
34190 +extern struct vfsmount *pipe_mnt;
34191 +extern struct vfsmount *shm_mnt;
34192 +#ifdef CONFIG_HUGETLBFS
34193 +extern struct vfsmount *hugetlbfs_vfsmount;
34196 +static struct acl_object_label *fakefs_obj;
34198 +extern int gr_init_uidset(void);
34199 +extern void gr_free_uidset(void);
34200 +extern void gr_remove_uid(uid_t uid);
34201 +extern int gr_find_uid(uid_t uid);
34203 +extern spinlock_t vfsmount_lock;
34206 +gr_acl_is_enabled(void)
34208 + return (gr_status & GR_READY);
34211 +char gr_roletype_to_char(void)
34213 + switch (current->role->roletype &
34214 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
34215 + GR_ROLE_SPECIAL)) {
34216 + case GR_ROLE_DEFAULT:
34218 + case GR_ROLE_USER:
34220 + case GR_ROLE_GROUP:
34222 + case GR_ROLE_SPECIAL:
34230 +gr_acl_tpe_check(void)
34232 + if (unlikely(!(gr_status & GR_READY)))
34234 + if (current->role->roletype & GR_ROLE_TPE)
34241 +gr_handle_rawio(const struct inode *inode)
34243 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34244 + if (inode && S_ISBLK(inode->i_mode) &&
34245 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
34246 + !capable(CAP_SYS_RAWIO))
34253 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
34255 + if (likely(lena != lenb))
34258 + return !memcmp(a, b, lena);
34261 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34262 + struct dentry *root, struct vfsmount *rootmnt,
34263 + char *buffer, int buflen)
34265 + char * end = buffer+buflen;
34269 + spin_lock(&vfsmount_lock);
34275 + /* Get '/' right */
34280 + struct dentry * parent;
34282 + if (dentry == root && vfsmnt == rootmnt)
34284 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
34285 + /* Global root? */
34286 + if (vfsmnt->mnt_parent == vfsmnt) {
34287 + goto global_root;
34289 + dentry = vfsmnt->mnt_mountpoint;
34290 + vfsmnt = vfsmnt->mnt_parent;
34293 + parent = dentry->d_parent;
34294 + prefetch(parent);
34295 + namelen = dentry->d_name.len;
34296 + buflen -= namelen + 1;
34300 + memcpy(end, dentry->d_name.name, namelen);
34307 + spin_unlock(&vfsmount_lock);
34311 + namelen = dentry->d_name.len;
34312 + buflen -= namelen;
34315 + retval -= namelen-1; /* hit the slash */
34316 + memcpy(retval, dentry->d_name.name, namelen);
34319 + retval = ERR_PTR(-ENAMETOOLONG);
34324 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34325 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
34329 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
34330 + if (unlikely(IS_ERR(retval)))
34331 + retval = strcpy(buf, "<path too long>");
34332 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
34333 + retval[1] = '\0';
34339 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34340 + char *buf, int buflen)
34344 + /* we can use real_root, real_root_mnt, because this is only called
34345 + by the RBAC system */
34346 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
34352 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34353 + char *buf, int buflen)
34356 + struct dentry *root;
34357 + struct vfsmount *rootmnt;
34358 + struct task_struct *reaper = &init_task;
34360 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
34361 + read_lock(&reaper->fs->lock);
34362 + root = dget(reaper->fs->root.dentry);
34363 + rootmnt = mntget(reaper->fs->root.mnt);
34364 + read_unlock(&reaper->fs->lock);
34366 + spin_lock(&dcache_lock);
34367 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
34368 + spin_unlock(&dcache_lock);
34376 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
34379 + spin_lock(&dcache_lock);
34380 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34382 + spin_unlock(&dcache_lock);
34387 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
34389 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34394 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
34396 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
34401 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
34403 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
34408 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
34410 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
34415 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
34417 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
34422 +to_gr_audit(const __u32 reqmode)
34424 + /* masks off auditable permission flags, then shifts them to create
34425 + auditing flags, and adds the special case of append auditing if
34426 + we're requesting write */
34427 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
34430 +struct acl_subject_label *
34431 +lookup_subject_map(const struct acl_subject_label *userp)
34433 + unsigned int index = shash(userp, subj_map_set.s_size);
34434 + struct subject_map *match;
34436 + match = subj_map_set.s_hash[index];
34438 + while (match && match->user != userp)
34439 + match = match->next;
34441 + if (match != NULL)
34442 + return match->kernel;
34448 +insert_subj_map_entry(struct subject_map *subjmap)
34450 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
34451 + struct subject_map **curr;
34453 + subjmap->prev = NULL;
34455 + curr = &subj_map_set.s_hash[index];
34456 + if (*curr != NULL)
34457 + (*curr)->prev = subjmap;
34459 + subjmap->next = *curr;
34465 +static struct acl_role_label *
34466 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
34469 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
34470 + struct acl_role_label *match;
34471 + struct role_allowed_ip *ipp;
34474 + match = acl_role_set.r_hash[index];
34477 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
34478 + for (x = 0; x < match->domain_child_num; x++) {
34479 + if (match->domain_children[x] == uid)
34482 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
34484 + match = match->next;
34487 + if (match == NULL) {
34489 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
34490 + match = acl_role_set.r_hash[index];
34493 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
34494 + for (x = 0; x < match->domain_child_num; x++) {
34495 + if (match->domain_children[x] == gid)
34498 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
34500 + match = match->next;
34503 + if (match == NULL)
34504 + match = default_role;
34505 + if (match->allowed_ips == NULL)
34508 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34510 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34511 + (ntohl(ipp->addr) & ipp->netmask)))
34514 + match = default_role;
34516 + } else if (match->allowed_ips == NULL) {
34519 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34521 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34522 + (ntohl(ipp->addr) & ipp->netmask)))
34531 +struct acl_subject_label *
34532 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
34533 + const struct acl_role_label *role)
34535 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34536 + struct acl_subject_label *match;
34538 + match = role->subj_hash[index];
34540 + while (match && (match->inode != ino || match->device != dev ||
34541 + (match->mode & GR_DELETED))) {
34542 + match = match->next;
34545 + if (match && !(match->mode & GR_DELETED))
34551 +struct acl_subject_label *
34552 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
34553 + const struct acl_role_label *role)
34555 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34556 + struct acl_subject_label *match;
34558 + match = role->subj_hash[index];
34560 + while (match && (match->inode != ino || match->device != dev ||
34561 + !(match->mode & GR_DELETED))) {
34562 + match = match->next;
34565 + if (match && (match->mode & GR_DELETED))
34571 +static struct acl_object_label *
34572 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
34573 + const struct acl_subject_label *subj)
34575 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34576 + struct acl_object_label *match;
34578 + match = subj->obj_hash[index];
34580 + while (match && (match->inode != ino || match->device != dev ||
34581 + (match->mode & GR_DELETED))) {
34582 + match = match->next;
34585 + if (match && !(match->mode & GR_DELETED))
34591 +static struct acl_object_label *
34592 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
34593 + const struct acl_subject_label *subj)
34595 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34596 + struct acl_object_label *match;
34598 + match = subj->obj_hash[index];
34600 + while (match && (match->inode != ino || match->device != dev ||
34601 + !(match->mode & GR_DELETED))) {
34602 + match = match->next;
34605 + if (match && (match->mode & GR_DELETED))
34608 + match = subj->obj_hash[index];
34610 + while (match && (match->inode != ino || match->device != dev ||
34611 + (match->mode & GR_DELETED))) {
34612 + match = match->next;
34615 + if (match && !(match->mode & GR_DELETED))
34621 +static struct name_entry *
34622 +lookup_name_entry(const char *name)
34624 + unsigned int len = strlen(name);
34625 + unsigned int key = full_name_hash(name, len);
34626 + unsigned int index = key % name_set.n_size;
34627 + struct name_entry *match;
34629 + match = name_set.n_hash[index];
34631 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
34632 + match = match->next;
34637 +static struct name_entry *
34638 +lookup_name_entry_create(const char *name)
34640 + unsigned int len = strlen(name);
34641 + unsigned int key = full_name_hash(name, len);
34642 + unsigned int index = key % name_set.n_size;
34643 + struct name_entry *match;
34645 + match = name_set.n_hash[index];
34647 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34648 + !match->deleted))
34649 + match = match->next;
34651 + if (match && match->deleted)
34654 + match = name_set.n_hash[index];
34656 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34658 + match = match->next;
34660 + if (match && !match->deleted)
34666 +static struct inodev_entry *
34667 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
34669 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
34670 + struct inodev_entry *match;
34672 + match = inodev_set.i_hash[index];
34674 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
34675 + match = match->next;
34681 +insert_inodev_entry(struct inodev_entry *entry)
34683 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
34684 + inodev_set.i_size);
34685 + struct inodev_entry **curr;
34687 + entry->prev = NULL;
34689 + curr = &inodev_set.i_hash[index];
34690 + if (*curr != NULL)
34691 + (*curr)->prev = entry;
34693 + entry->next = *curr;
34700 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
34702 + unsigned int index =
34703 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
34704 + struct acl_role_label **curr;
34705 + struct acl_role_label *tmp;
34707 + curr = &acl_role_set.r_hash[index];
34709 + /* if role was already inserted due to domains and already has
34710 + a role in the same bucket as it attached, then we need to
34711 + combine these two buckets
34713 + if (role->next) {
34714 + tmp = role->next;
34715 + while (tmp->next)
34717 + tmp->next = *curr;
34719 + role->next = *curr;
34726 +insert_acl_role_label(struct acl_role_label *role)
34730 + if (role_list == NULL) {
34731 + role_list = role;
34732 + role->prev = NULL;
34734 + role->prev = role_list;
34735 + role_list = role;
34738 + /* used for hash chains */
34739 + role->next = NULL;
34741 + if (role->roletype & GR_ROLE_DOMAIN) {
34742 + for (i = 0; i < role->domain_child_num; i++)
34743 + __insert_acl_role_label(role, role->domain_children[i]);
34745 + __insert_acl_role_label(role, role->uidgid);
34749 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
34751 + struct name_entry **curr, *nentry;
34752 + struct inodev_entry *ientry;
34753 + unsigned int len = strlen(name);
34754 + unsigned int key = full_name_hash(name, len);
34755 + unsigned int index = key % name_set.n_size;
34757 + curr = &name_set.n_hash[index];
34759 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
34760 + curr = &((*curr)->next);
34762 + if (*curr != NULL)
34765 + nentry = acl_alloc(sizeof (struct name_entry));
34766 + if (nentry == NULL)
34768 + ientry = acl_alloc(sizeof (struct inodev_entry));
34769 + if (ientry == NULL)
34771 + ientry->nentry = nentry;
34773 + nentry->key = key;
34774 + nentry->name = name;
34775 + nentry->inode = inode;
34776 + nentry->device = device;
34777 + nentry->len = len;
34778 + nentry->deleted = deleted;
34780 + nentry->prev = NULL;
34781 + curr = &name_set.n_hash[index];
34782 + if (*curr != NULL)
34783 + (*curr)->prev = nentry;
34784 + nentry->next = *curr;
34787 + /* insert us into the table searchable by inode/dev */
34788 + insert_inodev_entry(ientry);
34794 +insert_acl_obj_label(struct acl_object_label *obj,
34795 + struct acl_subject_label *subj)
34797 + unsigned int index =
34798 + fhash(obj->inode, obj->device, subj->obj_hash_size);
34799 + struct acl_object_label **curr;
34802 + obj->prev = NULL;
34804 + curr = &subj->obj_hash[index];
34805 + if (*curr != NULL)
34806 + (*curr)->prev = obj;
34808 + obj->next = *curr;
34815 +insert_acl_subj_label(struct acl_subject_label *obj,
34816 + struct acl_role_label *role)
34818 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
34819 + struct acl_subject_label **curr;
34821 + obj->prev = NULL;
34823 + curr = &role->subj_hash[index];
34824 + if (*curr != NULL)
34825 + (*curr)->prev = obj;
34827 + obj->next = *curr;
34833 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
34836 +create_table(__u32 * len, int elementsize)
34838 + unsigned int table_sizes[] = {
34839 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
34840 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
34841 + 4194301, 8388593, 16777213, 33554393, 67108859
34843 + void *newtable = NULL;
34844 + unsigned int pwr = 0;
34846 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
34847 + table_sizes[pwr] <= *len)
34850 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
34853 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
34855 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
34857 + newtable = vmalloc(table_sizes[pwr] * elementsize);
34859 + *len = table_sizes[pwr];
34865 +init_variables(const struct gr_arg *arg)
34867 + struct task_struct *reaper = &init_task;
34868 + unsigned int stacksize;
34870 + subj_map_set.s_size = arg->role_db.num_subjects;
34871 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
34872 + name_set.n_size = arg->role_db.num_objects;
34873 + inodev_set.i_size = arg->role_db.num_objects;
34875 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
34876 + !name_set.n_size || !inodev_set.i_size)
34879 + if (!gr_init_uidset())
34882 + /* set up the stack that holds allocation info */
34884 + stacksize = arg->role_db.num_pointers + 5;
34886 + if (!acl_alloc_stack_init(stacksize))
34889 + /* grab reference for the real root dentry and vfsmount */
34890 + read_lock(&reaper->fs->lock);
34891 + real_root_mnt = mntget(reaper->fs->root.mnt);
34892 + real_root = dget(reaper->fs->root.dentry);
34893 + read_unlock(&reaper->fs->lock);
34895 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
34896 + if (fakefs_obj == NULL)
34898 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
34900 + subj_map_set.s_hash =
34901 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
34902 + acl_role_set.r_hash =
34903 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
34904 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
34905 + inodev_set.i_hash =
34906 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
34908 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
34909 + !name_set.n_hash || !inodev_set.i_hash)
34912 + memset(subj_map_set.s_hash, 0,
34913 + sizeof(struct subject_map *) * subj_map_set.s_size);
34914 + memset(acl_role_set.r_hash, 0,
34915 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
34916 + memset(name_set.n_hash, 0,
34917 + sizeof (struct name_entry *) * name_set.n_size);
34918 + memset(inodev_set.i_hash, 0,
34919 + sizeof (struct inodev_entry *) * inodev_set.i_size);
34924 +/* free information not needed after startup
34925 + currently contains user->kernel pointer mappings for subjects
34929 +free_init_variables(void)
34933 + if (subj_map_set.s_hash) {
34934 + for (i = 0; i < subj_map_set.s_size; i++) {
34935 + if (subj_map_set.s_hash[i]) {
34936 + kfree(subj_map_set.s_hash[i]);
34937 + subj_map_set.s_hash[i] = NULL;
34941 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
34943 + kfree(subj_map_set.s_hash);
34945 + vfree(subj_map_set.s_hash);
34952 +free_variables(void)
34954 + struct acl_subject_label *s;
34955 + struct acl_role_label *r;
34956 + struct task_struct *task, *task2;
34959 + gr_clear_learn_entries();
34961 + read_lock(&tasklist_lock);
34962 + do_each_thread(task2, task) {
34963 + task->acl_sp_role = 0;
34964 + task->acl_role_id = 0;
34965 + task->acl = NULL;
34966 + task->role = NULL;
34967 + } while_each_thread(task2, task);
34968 + read_unlock(&tasklist_lock);
34970 + /* release the reference to the real root dentry and vfsmount */
34973 + real_root = NULL;
34974 + if (real_root_mnt)
34975 + mntput(real_root_mnt);
34976 + real_root_mnt = NULL;
34978 + /* free all object hash tables */
34980 + FOR_EACH_ROLE_START(r)
34981 + if (r->subj_hash == NULL)
34983 + FOR_EACH_SUBJECT_START(r, s, x)
34984 + if (s->obj_hash == NULL)
34986 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
34987 + kfree(s->obj_hash);
34989 + vfree(s->obj_hash);
34990 + FOR_EACH_SUBJECT_END(s, x)
34991 + FOR_EACH_NESTED_SUBJECT_START(r, s)
34992 + if (s->obj_hash == NULL)
34994 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
34995 + kfree(s->obj_hash);
34997 + vfree(s->obj_hash);
34998 + FOR_EACH_NESTED_SUBJECT_END(s)
34999 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35000 + kfree(r->subj_hash);
35002 + vfree(r->subj_hash);
35003 + r->subj_hash = NULL;
35005 + FOR_EACH_ROLE_END(r)
35009 + if (acl_role_set.r_hash) {
35010 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35012 + kfree(acl_role_set.r_hash);
35014 + vfree(acl_role_set.r_hash);
35016 + if (name_set.n_hash) {
35017 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
35019 + kfree(name_set.n_hash);
35021 + vfree(name_set.n_hash);
35024 + if (inodev_set.i_hash) {
35025 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35027 + kfree(inodev_set.i_hash);
35029 + vfree(inodev_set.i_hash);
35032 + gr_free_uidset();
35034 + memset(&name_set, 0, sizeof (struct name_db));
35035 + memset(&inodev_set, 0, sizeof (struct inodev_db));
35036 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35037 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35039 + default_role = NULL;
35040 + role_list = NULL;
35046 +count_user_objs(struct acl_object_label *userp)
35048 + struct acl_object_label o_tmp;
35052 + if (copy_from_user(&o_tmp, userp,
35053 + sizeof (struct acl_object_label)))
35056 + userp = o_tmp.prev;
35063 +static struct acl_subject_label *
35064 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35067 +copy_user_glob(struct acl_object_label *obj)
35069 + struct acl_object_label *g_tmp, **guser;
35070 + unsigned int len;
35073 + if (obj->globbed == NULL)
35076 + guser = &obj->globbed;
35078 + g_tmp = (struct acl_object_label *)
35079 + acl_alloc(sizeof (struct acl_object_label));
35080 + if (g_tmp == NULL)
35083 + if (copy_from_user(g_tmp, *guser,
35084 + sizeof (struct acl_object_label)))
35087 + len = strnlen_user(g_tmp->filename, PATH_MAX);
35089 + if (!len || len >= PATH_MAX)
35092 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35095 + if (copy_from_user(tmp, g_tmp->filename, len))
35097 + tmp[len-1] = '\0';
35098 + g_tmp->filename = tmp;
35101 + guser = &(g_tmp->next);
35108 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35109 + struct acl_role_label *role)
35111 + struct acl_object_label *o_tmp;
35112 + unsigned int len;
35117 + if ((o_tmp = (struct acl_object_label *)
35118 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
35121 + if (copy_from_user(o_tmp, userp,
35122 + sizeof (struct acl_object_label)))
35125 + userp = o_tmp->prev;
35127 + len = strnlen_user(o_tmp->filename, PATH_MAX);
35129 + if (!len || len >= PATH_MAX)
35132 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35135 + if (copy_from_user(tmp, o_tmp->filename, len))
35137 + tmp[len-1] = '\0';
35138 + o_tmp->filename = tmp;
35140 + insert_acl_obj_label(o_tmp, subj);
35141 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
35142 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
35145 + ret = copy_user_glob(o_tmp);
35149 + if (o_tmp->nested) {
35150 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
35151 + if (IS_ERR(o_tmp->nested))
35152 + return PTR_ERR(o_tmp->nested);
35154 + /* insert into nested subject list */
35155 + o_tmp->nested->next = role->hash->first;
35156 + role->hash->first = o_tmp->nested;
35164 +count_user_subjs(struct acl_subject_label *userp)
35166 + struct acl_subject_label s_tmp;
35170 + if (copy_from_user(&s_tmp, userp,
35171 + sizeof (struct acl_subject_label)))
35174 + userp = s_tmp.prev;
35175 + /* do not count nested subjects against this count, since
35176 + they are not included in the hash table, but are
35177 + attached to objects. We have already counted
35178 + the subjects in userspace for the allocation
35181 + if (!(s_tmp.mode & GR_NESTED))
35189 +copy_user_allowedips(struct acl_role_label *rolep)
35191 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35193 + ruserip = rolep->allowed_ips;
35195 + while (ruserip) {
35198 + if ((rtmp = (struct role_allowed_ip *)
35199 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35202 + if (copy_from_user(rtmp, ruserip,
35203 + sizeof (struct role_allowed_ip)))
35206 + ruserip = rtmp->prev;
35209 + rtmp->prev = NULL;
35210 + rolep->allowed_ips = rtmp;
35212 + rlast->next = rtmp;
35213 + rtmp->prev = rlast;
35217 + rtmp->next = NULL;
35224 +copy_user_transitions(struct acl_role_label *rolep)
35226 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
35228 + unsigned int len;
35231 + rusertp = rolep->transitions;
35233 + while (rusertp) {
35236 + if ((rtmp = (struct role_transition *)
35237 + acl_alloc(sizeof (struct role_transition))) == NULL)
35240 + if (copy_from_user(rtmp, rusertp,
35241 + sizeof (struct role_transition)))
35244 + rusertp = rtmp->prev;
35246 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35248 + if (!len || len >= GR_SPROLE_LEN)
35251 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35254 + if (copy_from_user(tmp, rtmp->rolename, len))
35256 + tmp[len-1] = '\0';
35257 + rtmp->rolename = tmp;
35260 + rtmp->prev = NULL;
35261 + rolep->transitions = rtmp;
35263 + rlast->next = rtmp;
35264 + rtmp->prev = rlast;
35268 + rtmp->next = NULL;
35274 +static struct acl_subject_label *
35275 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
35277 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
35278 + unsigned int len;
35281 + struct acl_ip_label **i_tmp, *i_utmp2;
35282 + struct gr_hash_struct ghash;
35283 + struct subject_map *subjmap;
35284 + unsigned int i_num;
35287 + s_tmp = lookup_subject_map(userp);
35289 + /* we've already copied this subject into the kernel, just return
35290 + the reference to it, and don't copy it over again
35295 + if ((s_tmp = (struct acl_subject_label *)
35296 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
35297 + return ERR_PTR(-ENOMEM);
35299 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
35300 + if (subjmap == NULL)
35301 + return ERR_PTR(-ENOMEM);
35303 + subjmap->user = userp;
35304 + subjmap->kernel = s_tmp;
35305 + insert_subj_map_entry(subjmap);
35307 + if (copy_from_user(s_tmp, userp,
35308 + sizeof (struct acl_subject_label)))
35309 + return ERR_PTR(-EFAULT);
35311 + len = strnlen_user(s_tmp->filename, PATH_MAX);
35313 + if (!len || len >= PATH_MAX)
35314 + return ERR_PTR(-EINVAL);
35316 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35317 + return ERR_PTR(-ENOMEM);
35319 + if (copy_from_user(tmp, s_tmp->filename, len))
35320 + return ERR_PTR(-EFAULT);
35321 + tmp[len-1] = '\0';
35322 + s_tmp->filename = tmp;
35324 + if (!strcmp(s_tmp->filename, "/"))
35325 + role->root_label = s_tmp;
35327 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
35328 + return ERR_PTR(-EFAULT);
35330 + /* copy user and group transition tables */
35332 + if (s_tmp->user_trans_num) {
35335 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
35336 + if (uidlist == NULL)
35337 + return ERR_PTR(-ENOMEM);
35338 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
35339 + return ERR_PTR(-EFAULT);
35341 + s_tmp->user_transitions = uidlist;
35344 + if (s_tmp->group_trans_num) {
35347 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
35348 + if (gidlist == NULL)
35349 + return ERR_PTR(-ENOMEM);
35350 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
35351 + return ERR_PTR(-EFAULT);
35353 + s_tmp->group_transitions = gidlist;
35356 + /* set up object hash table */
35357 + num_objs = count_user_objs(ghash.first);
35359 + s_tmp->obj_hash_size = num_objs;
35360 + s_tmp->obj_hash =
35361 + (struct acl_object_label **)
35362 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
35364 + if (!s_tmp->obj_hash)
35365 + return ERR_PTR(-ENOMEM);
35367 + memset(s_tmp->obj_hash, 0,
35368 + s_tmp->obj_hash_size *
35369 + sizeof (struct acl_object_label *));
35371 + /* add in objects */
35372 + err = copy_user_objs(ghash.first, s_tmp, role);
35375 + return ERR_PTR(err);
35377 + /* set pointer for parent subject */
35378 + if (s_tmp->parent_subject) {
35379 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
35381 + if (IS_ERR(s_tmp2))
35384 + s_tmp->parent_subject = s_tmp2;
35387 + /* add in ip acls */
35389 + if (!s_tmp->ip_num) {
35390 + s_tmp->ips = NULL;
35395 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
35396 + sizeof (struct acl_ip_label *));
35399 + return ERR_PTR(-ENOMEM);
35401 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
35402 + *(i_tmp + i_num) =
35403 + (struct acl_ip_label *)
35404 + acl_alloc(sizeof (struct acl_ip_label));
35405 + if (!*(i_tmp + i_num))
35406 + return ERR_PTR(-ENOMEM);
35408 + if (copy_from_user
35409 + (&i_utmp2, s_tmp->ips + i_num,
35410 + sizeof (struct acl_ip_label *)))
35411 + return ERR_PTR(-EFAULT);
35413 + if (copy_from_user
35414 + (*(i_tmp + i_num), i_utmp2,
35415 + sizeof (struct acl_ip_label)))
35416 + return ERR_PTR(-EFAULT);
35418 + if ((*(i_tmp + i_num))->iface == NULL)
35421 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
35422 + if (!len || len >= IFNAMSIZ)
35423 + return ERR_PTR(-EINVAL);
35424 + tmp = acl_alloc(len);
35426 + return ERR_PTR(-ENOMEM);
35427 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
35428 + return ERR_PTR(-EFAULT);
35429 + (*(i_tmp + i_num))->iface = tmp;
35432 + s_tmp->ips = i_tmp;
35435 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
35436 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
35437 + return ERR_PTR(-ENOMEM);
35443 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
35445 + struct acl_subject_label s_pre;
35446 + struct acl_subject_label * ret;
35450 + if (copy_from_user(&s_pre, userp,
35451 + sizeof (struct acl_subject_label)))
35454 + /* do not add nested subjects here, add
35455 + while parsing objects
35458 + if (s_pre.mode & GR_NESTED) {
35459 + userp = s_pre.prev;
35463 + ret = do_copy_user_subj(userp, role);
35465 + err = PTR_ERR(ret);
35469 + insert_acl_subj_label(ret, role);
35471 + userp = s_pre.prev;
35478 +copy_user_acl(struct gr_arg *arg)
35480 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
35481 + struct sprole_pw *sptmp;
35482 + struct gr_hash_struct *ghash;
35483 + uid_t *domainlist;
35484 + unsigned int r_num;
35485 + unsigned int len;
35491 + /* we need a default and kernel role */
35492 + if (arg->role_db.num_roles < 2)
35495 + /* copy special role authentication info from userspace */
35497 + num_sprole_pws = arg->num_sprole_pws;
35498 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
35500 + if (!acl_special_roles) {
35505 + for (i = 0; i < num_sprole_pws; i++) {
35506 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
35511 + if (copy_from_user(sptmp, arg->sprole_pws + i,
35512 + sizeof (struct sprole_pw))) {
35518 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
35520 + if (!len || len >= GR_SPROLE_LEN) {
35525 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35530 + if (copy_from_user(tmp, sptmp->rolename, len)) {
35534 + tmp[len-1] = '\0';
35535 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35536 + printk(KERN_ALERT "Copying special role %s\n", tmp);
35538 + sptmp->rolename = tmp;
35539 + acl_special_roles[i] = sptmp;
35542 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
35544 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
35545 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
35552 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
35553 + sizeof (struct acl_role_label *))) {
35558 + if (copy_from_user(r_tmp, r_utmp2,
35559 + sizeof (struct acl_role_label))) {
35564 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
35566 + if (!len || len >= PATH_MAX) {
35571 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35575 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
35579 + tmp[len-1] = '\0';
35580 + r_tmp->rolename = tmp;
35582 + if (!strcmp(r_tmp->rolename, "default")
35583 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
35584 + default_role = r_tmp;
35585 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
35586 + kernel_role = r_tmp;
35589 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
35593 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
35598 + r_tmp->hash = ghash;
35600 + num_subjs = count_user_subjs(r_tmp->hash->first);
35602 + r_tmp->subj_hash_size = num_subjs;
35603 + r_tmp->subj_hash =
35604 + (struct acl_subject_label **)
35605 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
35607 + if (!r_tmp->subj_hash) {
35612 + err = copy_user_allowedips(r_tmp);
35616 + /* copy domain info */
35617 + if (r_tmp->domain_children != NULL) {
35618 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
35619 + if (domainlist == NULL) {
35623 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
35627 + r_tmp->domain_children = domainlist;
35630 + err = copy_user_transitions(r_tmp);
35634 + memset(r_tmp->subj_hash, 0,
35635 + r_tmp->subj_hash_size *
35636 + sizeof (struct acl_subject_label *));
35638 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
35643 + /* set nested subject list to null */
35644 + r_tmp->hash->first = NULL;
35646 + insert_acl_role_label(r_tmp);
35651 + free_variables();
35658 +gracl_init(struct gr_arg *args)
35662 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
35663 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
35665 + if (init_variables(args)) {
35666 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
35668 + free_variables();
35672 + error = copy_user_acl(args);
35673 + free_init_variables();
35675 + free_variables();
35679 + if ((error = gr_set_acls(0))) {
35680 + free_variables();
35684 + pax_open_kernel();
35685 + gr_status |= GR_READY;
35686 + pax_close_kernel();
35692 +/* derived from glibc fnmatch() 0: match, 1: no match*/
35695 +glob_match(const char *p, const char *n)
35699 + while ((c = *p++) != '\0') {
35704 + else if (*n == '/')
35712 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
35715 + else if (c == '?') {
35725 + const char *endp;
35727 + if ((endp = strchr(n, '/')) == NULL)
35728 + endp = n + strlen(n);
35731 + for (--p; n < endp; ++n)
35732 + if (!glob_match(p, n))
35734 + } else if (c == '/') {
35735 + while (*n != '\0' && *n != '/')
35737 + if (*n == '/' && !glob_match(p, n + 1))
35740 + for (--p; n < endp; ++n)
35741 + if (*n == c && !glob_match(p, n))
35752 + if (*n == '\0' || *n == '/')
35755 + not = (*p == '!' || *p == '^');
35761 + unsigned char fn = (unsigned char)*n;
35771 + if (c == '-' && *p != ']') {
35772 + unsigned char cend = *p++;
35774 + if (cend == '\0')
35777 + if (cold <= fn && fn <= cend)
35791 + while (c != ']') {
35818 +static struct acl_object_label *
35819 +chk_glob_label(struct acl_object_label *globbed,
35820 + struct dentry *dentry, struct vfsmount *mnt, char **path)
35822 + struct acl_object_label *tmp;
35824 + if (*path == NULL)
35825 + *path = gr_to_filename_nolock(dentry, mnt);
35830 + if (!glob_match(tmp->filename, *path))
35838 +static struct acl_object_label *
35839 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35840 + const ino_t curr_ino, const dev_t curr_dev,
35841 + const struct acl_subject_label *subj, char **path, const int checkglob)
35843 + struct acl_subject_label *tmpsubj;
35844 + struct acl_object_label *retval;
35845 + struct acl_object_label *retval2;
35847 + tmpsubj = (struct acl_subject_label *) subj;
35848 + read_lock(&gr_inode_lock);
35850 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
35852 + if (checkglob && retval->globbed) {
35853 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
35854 + (struct vfsmount *)orig_mnt, path);
35856 + retval = retval2;
35860 + } while ((tmpsubj = tmpsubj->parent_subject));
35861 + read_unlock(&gr_inode_lock);
35866 +static __inline__ struct acl_object_label *
35867 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35868 + const struct dentry *curr_dentry,
35869 + const struct acl_subject_label *subj, char **path, const int checkglob)
35871 + return __full_lookup(orig_dentry, orig_mnt,
35872 + curr_dentry->d_inode->i_ino,
35873 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
35876 +static struct acl_object_label *
35877 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35878 + const struct acl_subject_label *subj, char *path, const int checkglob)
35880 + struct dentry *dentry = (struct dentry *) l_dentry;
35881 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35882 + struct acl_object_label *retval;
35884 + spin_lock(&dcache_lock);
35886 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
35887 +#ifdef CONFIG_HUGETLBFS
35888 + mnt == hugetlbfs_vfsmount ||
35890 + /* ignore Eric Biederman */
35891 + IS_PRIVATE(l_dentry->d_inode))) {
35892 + retval = fakefs_obj;
35897 + if (dentry == real_root && mnt == real_root_mnt)
35900 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35901 + if (mnt->mnt_parent == mnt)
35904 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35905 + if (retval != NULL)
35908 + dentry = mnt->mnt_mountpoint;
35909 + mnt = mnt->mnt_parent;
35913 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35914 + if (retval != NULL)
35917 + dentry = dentry->d_parent;
35920 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35922 + if (retval == NULL)
35923 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
35925 + spin_unlock(&dcache_lock);
35929 +static __inline__ struct acl_object_label *
35930 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35931 + const struct acl_subject_label *subj)
35933 + char *path = NULL;
35934 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35937 +static __inline__ struct acl_object_label *
35938 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35939 + const struct acl_subject_label *subj)
35941 + char *path = NULL;
35942 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
35945 +static __inline__ struct acl_object_label *
35946 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35947 + const struct acl_subject_label *subj, char *path)
35949 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35952 +static struct acl_subject_label *
35953 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35954 + const struct acl_role_label *role)
35956 + struct dentry *dentry = (struct dentry *) l_dentry;
35957 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35958 + struct acl_subject_label *retval;
35960 + spin_lock(&dcache_lock);
35963 + if (dentry == real_root && mnt == real_root_mnt)
35965 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35966 + if (mnt->mnt_parent == mnt)
35969 + read_lock(&gr_inode_lock);
35971 + lookup_acl_subj_label(dentry->d_inode->i_ino,
35972 + dentry->d_inode->i_sb->s_dev, role);
35973 + read_unlock(&gr_inode_lock);
35974 + if (retval != NULL)
35977 + dentry = mnt->mnt_mountpoint;
35978 + mnt = mnt->mnt_parent;
35982 + read_lock(&gr_inode_lock);
35983 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
35984 + dentry->d_inode->i_sb->s_dev, role);
35985 + read_unlock(&gr_inode_lock);
35986 + if (retval != NULL)
35989 + dentry = dentry->d_parent;
35992 + read_lock(&gr_inode_lock);
35993 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
35994 + dentry->d_inode->i_sb->s_dev, role);
35995 + read_unlock(&gr_inode_lock);
35997 + if (unlikely(retval == NULL)) {
35998 + read_lock(&gr_inode_lock);
35999 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
36000 + real_root->d_inode->i_sb->s_dev, role);
36001 + read_unlock(&gr_inode_lock);
36004 + spin_unlock(&dcache_lock);
36010 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36012 + struct task_struct *task = current;
36013 + const struct cred *cred = current_cred();
36015 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36016 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36017 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36018 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
36024 +gr_log_learn_sysctl(const char *path, const __u32 mode)
36026 + struct task_struct *task = current;
36027 + const struct cred *cred = current_cred();
36029 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36030 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36031 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36032 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
36038 +gr_log_learn_id_change(const char type, const unsigned int real,
36039 + const unsigned int effective, const unsigned int fs)
36041 + struct task_struct *task = current;
36042 + const struct cred *cred = current_cred();
36044 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36045 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36046 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36047 + type, real, effective, fs, &task->signal->curr_ip);
36053 +gr_check_link(const struct dentry * new_dentry,
36054 + const struct dentry * parent_dentry,
36055 + const struct vfsmount * parent_mnt,
36056 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36058 + struct acl_object_label *obj;
36059 + __u32 oldmode, newmode;
36062 + if (unlikely(!(gr_status & GR_READY)))
36063 + return (GR_CREATE | GR_LINK);
36065 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36066 + oldmode = obj->mode;
36068 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36069 + oldmode |= (GR_CREATE | GR_LINK);
36071 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36072 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36073 + needmode |= GR_SETID | GR_AUDIT_SETID;
36076 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36077 + oldmode | needmode);
36079 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36080 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36081 + GR_INHERIT | GR_AUDIT_INHERIT);
36083 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36086 + if ((oldmode & needmode) != needmode)
36089 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36090 + if ((newmode & needmode) != needmode)
36093 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
36096 + needmode = oldmode;
36097 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36098 + needmode |= GR_SETID;
36100 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36101 + gr_log_learn(old_dentry, old_mnt, needmode);
36102 + return (GR_CREATE | GR_LINK);
36103 + } else if (newmode & GR_SUPPRESS)
36104 + return GR_SUPPRESS;
36110 +gr_search_file(const struct dentry * dentry, const __u32 mode,
36111 + const struct vfsmount * mnt)
36113 + __u32 retval = mode;
36114 + struct acl_subject_label *curracl;
36115 + struct acl_object_label *currobj;
36117 + if (unlikely(!(gr_status & GR_READY)))
36118 + return (mode & ~GR_AUDITS);
36120 + curracl = current->acl;
36122 + currobj = chk_obj_label(dentry, mnt, curracl);
36123 + retval = currobj->mode & mode;
36126 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
36127 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
36128 + __u32 new_mode = mode;
36130 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36132 + retval = new_mode;
36134 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
36135 + new_mode |= GR_INHERIT;
36137 + if (!(mode & GR_NOLEARN))
36138 + gr_log_learn(dentry, mnt, new_mode);
36145 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
36146 + const struct vfsmount * mnt, const __u32 mode)
36148 + struct name_entry *match;
36149 + struct acl_object_label *matchpo;
36150 + struct acl_subject_label *curracl;
36154 + if (unlikely(!(gr_status & GR_READY)))
36155 + return (mode & ~GR_AUDITS);
36157 + preempt_disable();
36158 + path = gr_to_filename_rbac(new_dentry, mnt);
36159 + match = lookup_name_entry_create(path);
36162 + goto check_parent;
36164 + curracl = current->acl;
36166 + read_lock(&gr_inode_lock);
36167 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
36168 + read_unlock(&gr_inode_lock);
36171 + if ((matchpo->mode & mode) !=
36172 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
36173 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36174 + __u32 new_mode = mode;
36176 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36178 + gr_log_learn(new_dentry, mnt, new_mode);
36180 + preempt_enable();
36183 + preempt_enable();
36184 + return (matchpo->mode & mode);
36188 + curracl = current->acl;
36190 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36191 + retval = matchpo->mode & mode;
36193 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36194 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36195 + __u32 new_mode = mode;
36197 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36199 + gr_log_learn(new_dentry, mnt, new_mode);
36200 + preempt_enable();
36204 + preempt_enable();
36209 +gr_check_hidden_task(const struct task_struct *task)
36211 + if (unlikely(!(gr_status & GR_READY)))
36214 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36221 +gr_check_protected_task(const struct task_struct *task)
36223 + if (unlikely(!(gr_status & GR_READY) || !task))
36226 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36227 + task->acl != current->acl)
36234 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36236 + struct task_struct *p;
36239 + if (unlikely(!(gr_status & GR_READY) || !pid))
36242 + read_lock(&tasklist_lock);
36243 + do_each_pid_task(pid, type, p) {
36244 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36245 + p->acl != current->acl) {
36249 + } while_each_pid_task(pid, type, p);
36251 + read_unlock(&tasklist_lock);
36257 +gr_copy_label(struct task_struct *tsk)
36259 + tsk->signal->used_accept = 0;
36260 + tsk->acl_sp_role = 0;
36261 + tsk->acl_role_id = current->acl_role_id;
36262 + tsk->acl = current->acl;
36263 + tsk->role = current->role;
36264 + tsk->signal->curr_ip = current->signal->curr_ip;
36265 + if (current->exec_file)
36266 + get_file(current->exec_file);
36267 + tsk->exec_file = current->exec_file;
36268 + tsk->is_writable = current->is_writable;
36269 + if (unlikely(current->signal->used_accept))
36270 + current->signal->curr_ip = 0;
36276 +gr_set_proc_res(struct task_struct *task)
36278 + struct acl_subject_label *proc;
36279 + unsigned short i;
36281 + proc = task->acl;
36283 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
36286 + for (i = 0; i < RLIM_NLIMITS; i++) {
36287 + if (!(proc->resmask & (1 << i)))
36290 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
36291 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
36298 +gr_check_user_change(int real, int effective, int fs)
36305 + int effectiveok = 0;
36308 + if (unlikely(!(gr_status & GR_READY)))
36311 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36312 + gr_log_learn_id_change('u', real, effective, fs);
36314 + num = current->acl->user_trans_num;
36315 + uidlist = current->acl->user_transitions;
36317 + if (uidlist == NULL)
36322 + if (effective == -1)
36327 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
36328 + for (i = 0; i < num; i++) {
36329 + curuid = (int)uidlist[i];
36330 + if (real == curuid)
36332 + if (effective == curuid)
36334 + if (fs == curuid)
36337 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
36338 + for (i = 0; i < num; i++) {
36339 + curuid = (int)uidlist[i];
36340 + if (real == curuid)
36342 + if (effective == curuid)
36344 + if (fs == curuid)
36347 + /* not in deny list */
36355 + if (realok && effectiveok && fsok)
36358 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36364 +gr_check_group_change(int real, int effective, int fs)
36371 + int effectiveok = 0;
36374 + if (unlikely(!(gr_status & GR_READY)))
36377 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36378 + gr_log_learn_id_change('g', real, effective, fs);
36380 + num = current->acl->group_trans_num;
36381 + gidlist = current->acl->group_transitions;
36383 + if (gidlist == NULL)
36388 + if (effective == -1)
36393 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
36394 + for (i = 0; i < num; i++) {
36395 + curgid = (int)gidlist[i];
36396 + if (real == curgid)
36398 + if (effective == curgid)
36400 + if (fs == curgid)
36403 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
36404 + for (i = 0; i < num; i++) {
36405 + curgid = (int)gidlist[i];
36406 + if (real == curgid)
36408 + if (effective == curgid)
36410 + if (fs == curgid)
36413 + /* not in deny list */
36421 + if (realok && effectiveok && fsok)
36424 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36430 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
36432 + struct acl_role_label *role = task->role;
36433 + struct acl_subject_label *subj = NULL;
36434 + struct acl_object_label *obj;
36435 + struct file *filp;
36437 + if (unlikely(!(gr_status & GR_READY)))
36440 + filp = task->exec_file;
36442 + /* kernel process, we'll give them the kernel role */
36443 + if (unlikely(!filp)) {
36444 + task->role = kernel_role;
36445 + task->acl = kernel_role->root_label;
36447 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
36448 + role = lookup_acl_role_label(task, uid, gid);
36450 + /* perform subject lookup in possibly new role
36451 + we can use this result below in the case where role == task->role
36453 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
36455 + /* if we changed uid/gid, but result in the same role
36456 + and are using inheritance, don't lose the inherited subject
36457 + if current subject is other than what normal lookup
36458 + would result in, we arrived via inheritance, don't
36461 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
36462 + (subj == task->acl)))
36463 + task->acl = subj;
36465 + task->role = role;
36467 + task->is_writable = 0;
36469 + /* ignore additional mmap checks for processes that are writable
36470 + by the default ACL */
36471 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36472 + if (unlikely(obj->mode & GR_WRITE))
36473 + task->is_writable = 1;
36474 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
36475 + if (unlikely(obj->mode & GR_WRITE))
36476 + task->is_writable = 1;
36478 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36479 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36482 + gr_set_proc_res(task);
36488 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
36489 + const int unsafe_share)
36491 + struct task_struct *task = current;
36492 + struct acl_subject_label *newacl;
36493 + struct acl_object_label *obj;
36496 + if (unlikely(!(gr_status & GR_READY)))
36499 + newacl = chk_subj_label(dentry, mnt, task->role);
36502 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
36503 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
36504 + !(task->role->roletype & GR_ROLE_GOD) &&
36505 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
36506 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
36507 + task_unlock(task);
36508 + if (unsafe_share)
36509 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
36511 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
36514 + task_unlock(task);
36516 + obj = chk_obj_label(dentry, mnt, task->acl);
36517 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
36519 + if (!(task->acl->mode & GR_INHERITLEARN) &&
36520 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
36522 + task->acl = obj->nested;
36524 + task->acl = newacl;
36525 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
36526 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
36528 + task->is_writable = 0;
36530 + /* ignore additional mmap checks for processes that are writable
36531 + by the default ACL */
36532 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
36533 + if (unlikely(obj->mode & GR_WRITE))
36534 + task->is_writable = 1;
36535 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
36536 + if (unlikely(obj->mode & GR_WRITE))
36537 + task->is_writable = 1;
36539 + gr_set_proc_res(task);
36541 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36542 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36547 +/* always called with valid inodev ptr */
36549 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
36551 + struct acl_object_label *matchpo;
36552 + struct acl_subject_label *matchps;
36553 + struct acl_subject_label *subj;
36554 + struct acl_role_label *role;
36557 + FOR_EACH_ROLE_START(role)
36558 + FOR_EACH_SUBJECT_START(role, subj, x)
36559 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
36560 + matchpo->mode |= GR_DELETED;
36561 + FOR_EACH_SUBJECT_END(subj,x)
36562 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
36563 + if (subj->inode == ino && subj->device == dev)
36564 + subj->mode |= GR_DELETED;
36565 + FOR_EACH_NESTED_SUBJECT_END(subj)
36566 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
36567 + matchps->mode |= GR_DELETED;
36568 + FOR_EACH_ROLE_END(role)
36570 + inodev->nentry->deleted = 1;
36576 +gr_handle_delete(const ino_t ino, const dev_t dev)
36578 + struct inodev_entry *inodev;
36580 + if (unlikely(!(gr_status & GR_READY)))
36583 + write_lock(&gr_inode_lock);
36584 + inodev = lookup_inodev_entry(ino, dev);
36585 + if (inodev != NULL)
36586 + do_handle_delete(inodev, ino, dev);
36587 + write_unlock(&gr_inode_lock);
36593 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
36594 + const ino_t newinode, const dev_t newdevice,
36595 + struct acl_subject_label *subj)
36597 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
36598 + struct acl_object_label *match;
36600 + match = subj->obj_hash[index];
36602 + while (match && (match->inode != oldinode ||
36603 + match->device != olddevice ||
36604 + !(match->mode & GR_DELETED)))
36605 + match = match->next;
36607 + if (match && (match->inode == oldinode)
36608 + && (match->device == olddevice)
36609 + && (match->mode & GR_DELETED)) {
36610 + if (match->prev == NULL) {
36611 + subj->obj_hash[index] = match->next;
36612 + if (match->next != NULL)
36613 + match->next->prev = NULL;
36615 + match->prev->next = match->next;
36616 + if (match->next != NULL)
36617 + match->next->prev = match->prev;
36619 + match->prev = NULL;
36620 + match->next = NULL;
36621 + match->inode = newinode;
36622 + match->device = newdevice;
36623 + match->mode &= ~GR_DELETED;
36625 + insert_acl_obj_label(match, subj);
36632 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
36633 + const ino_t newinode, const dev_t newdevice,
36634 + struct acl_role_label *role)
36636 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
36637 + struct acl_subject_label *match;
36639 + match = role->subj_hash[index];
36641 + while (match && (match->inode != oldinode ||
36642 + match->device != olddevice ||
36643 + !(match->mode & GR_DELETED)))
36644 + match = match->next;
36646 + if (match && (match->inode == oldinode)
36647 + && (match->device == olddevice)
36648 + && (match->mode & GR_DELETED)) {
36649 + if (match->prev == NULL) {
36650 + role->subj_hash[index] = match->next;
36651 + if (match->next != NULL)
36652 + match->next->prev = NULL;
36654 + match->prev->next = match->next;
36655 + if (match->next != NULL)
36656 + match->next->prev = match->prev;
36658 + match->prev = NULL;
36659 + match->next = NULL;
36660 + match->inode = newinode;
36661 + match->device = newdevice;
36662 + match->mode &= ~GR_DELETED;
36664 + insert_acl_subj_label(match, role);
36671 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
36672 + const ino_t newinode, const dev_t newdevice)
36674 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
36675 + struct inodev_entry *match;
36677 + match = inodev_set.i_hash[index];
36679 + while (match && (match->nentry->inode != oldinode ||
36680 + match->nentry->device != olddevice || !match->nentry->deleted))
36681 + match = match->next;
36683 + if (match && (match->nentry->inode == oldinode)
36684 + && (match->nentry->device == olddevice) &&
36685 + match->nentry->deleted) {
36686 + if (match->prev == NULL) {
36687 + inodev_set.i_hash[index] = match->next;
36688 + if (match->next != NULL)
36689 + match->next->prev = NULL;
36691 + match->prev->next = match->next;
36692 + if (match->next != NULL)
36693 + match->next->prev = match->prev;
36695 + match->prev = NULL;
36696 + match->next = NULL;
36697 + match->nentry->inode = newinode;
36698 + match->nentry->device = newdevice;
36699 + match->nentry->deleted = 0;
36701 + insert_inodev_entry(match);
36708 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
36709 + const struct vfsmount *mnt)
36711 + struct acl_subject_label *subj;
36712 + struct acl_role_label *role;
36715 + FOR_EACH_ROLE_START(role)
36716 + update_acl_subj_label(matchn->inode, matchn->device,
36717 + dentry->d_inode->i_ino,
36718 + dentry->d_inode->i_sb->s_dev, role);
36720 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
36721 + if ((subj->inode == dentry->d_inode->i_ino) &&
36722 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
36723 + subj->inode = dentry->d_inode->i_ino;
36724 + subj->device = dentry->d_inode->i_sb->s_dev;
36726 + FOR_EACH_NESTED_SUBJECT_END(subj)
36727 + FOR_EACH_SUBJECT_START(role, subj, x)
36728 + update_acl_obj_label(matchn->inode, matchn->device,
36729 + dentry->d_inode->i_ino,
36730 + dentry->d_inode->i_sb->s_dev, subj);
36731 + FOR_EACH_SUBJECT_END(subj,x)
36732 + FOR_EACH_ROLE_END(role)
36734 + update_inodev_entry(matchn->inode, matchn->device,
36735 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
36741 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
36743 + struct name_entry *matchn;
36745 + if (unlikely(!(gr_status & GR_READY)))
36748 + preempt_disable();
36749 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
36751 + if (unlikely((unsigned long)matchn)) {
36752 + write_lock(&gr_inode_lock);
36753 + do_handle_create(matchn, dentry, mnt);
36754 + write_unlock(&gr_inode_lock);
36756 + preempt_enable();
36762 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
36763 + struct dentry *old_dentry,
36764 + struct dentry *new_dentry,
36765 + struct vfsmount *mnt, const __u8 replace)
36767 + struct name_entry *matchn;
36768 + struct inodev_entry *inodev;
36770 + /* vfs_rename swaps the name and parent link for old_dentry and
36772 + at this point, old_dentry has the new name, parent link, and inode
36773 + for the renamed file
36774 + if a file is being replaced by a rename, new_dentry has the inode
36775 + and name for the replaced file
36778 + if (unlikely(!(gr_status & GR_READY)))
36781 + preempt_disable();
36782 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
36784 + /* we wouldn't have to check d_inode if it weren't for
36785 + NFS silly-renaming
36788 + write_lock(&gr_inode_lock);
36789 + if (unlikely(replace && new_dentry->d_inode)) {
36790 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
36791 + new_dentry->d_inode->i_sb->s_dev);
36792 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
36793 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
36794 + new_dentry->d_inode->i_sb->s_dev);
36797 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
36798 + old_dentry->d_inode->i_sb->s_dev);
36799 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
36800 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
36801 + old_dentry->d_inode->i_sb->s_dev);
36803 + if (unlikely((unsigned long)matchn))
36804 + do_handle_create(matchn, old_dentry, mnt);
36806 + write_unlock(&gr_inode_lock);
36807 + preempt_enable();
36813 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
36814 + unsigned char **sum)
36816 + struct acl_role_label *r;
36817 + struct role_allowed_ip *ipp;
36818 + struct role_transition *trans;
36822 + /* check transition table */
36824 + for (trans = current->role->transitions; trans; trans = trans->next) {
36825 + if (!strcmp(rolename, trans->rolename)) {
36834 + /* handle special roles that do not require authentication
36837 + FOR_EACH_ROLE_START(r)
36838 + if (!strcmp(rolename, r->rolename) &&
36839 + (r->roletype & GR_ROLE_SPECIAL)) {
36841 + if (r->allowed_ips != NULL) {
36842 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
36843 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
36844 + (ntohl(ipp->addr) & ipp->netmask))
36852 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
36853 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
36859 + FOR_EACH_ROLE_END(r)
36861 + for (i = 0; i < num_sprole_pws; i++) {
36862 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
36863 + *salt = acl_special_roles[i]->salt;
36864 + *sum = acl_special_roles[i]->sum;
36873 +assign_special_role(char *rolename)
36875 + struct acl_object_label *obj;
36876 + struct acl_role_label *r;
36877 + struct acl_role_label *assigned = NULL;
36878 + struct task_struct *tsk;
36879 + struct file *filp;
36881 + FOR_EACH_ROLE_START(r)
36882 + if (!strcmp(rolename, r->rolename) &&
36883 + (r->roletype & GR_ROLE_SPECIAL)) {
36887 + FOR_EACH_ROLE_END(r)
36892 + read_lock(&tasklist_lock);
36893 + read_lock(&grsec_exec_file_lock);
36895 + tsk = current->parent;
36899 + filp = tsk->exec_file;
36900 + if (filp == NULL)
36903 + tsk->is_writable = 0;
36905 + tsk->acl_sp_role = 1;
36906 + tsk->acl_role_id = ++acl_sp_role_value;
36907 + tsk->role = assigned;
36908 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
36910 + /* ignore additional mmap checks for processes that are writable
36911 + by the default ACL */
36912 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36913 + if (unlikely(obj->mode & GR_WRITE))
36914 + tsk->is_writable = 1;
36915 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
36916 + if (unlikely(obj->mode & GR_WRITE))
36917 + tsk->is_writable = 1;
36919 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36920 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
36924 + read_unlock(&grsec_exec_file_lock);
36925 + read_unlock(&tasklist_lock);
36929 +int gr_check_secure_terminal(struct task_struct *task)
36931 + struct task_struct *p, *p2, *p3;
36932 + struct files_struct *files;
36933 + struct fdtable *fdt;
36934 + struct file *our_file = NULL, *file;
36937 + if (task->signal->tty == NULL)
36940 + files = get_files_struct(task);
36941 + if (files != NULL) {
36943 + fdt = files_fdtable(files);
36944 + for (i=0; i < fdt->max_fds; i++) {
36945 + file = fcheck_files(files, i);
36946 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
36951 + rcu_read_unlock();
36952 + put_files_struct(files);
36955 + if (our_file == NULL)
36958 + read_lock(&tasklist_lock);
36959 + do_each_thread(p2, p) {
36960 + files = get_files_struct(p);
36961 + if (files == NULL ||
36962 + (p->signal && p->signal->tty == task->signal->tty)) {
36963 + if (files != NULL)
36964 + put_files_struct(files);
36968 + fdt = files_fdtable(files);
36969 + for (i=0; i < fdt->max_fds; i++) {
36970 + file = fcheck_files(files, i);
36971 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
36972 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
36974 + while (p3->pid > 0) {
36981 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
36982 + gr_handle_alertkill(p);
36983 + rcu_read_unlock();
36984 + put_files_struct(files);
36985 + read_unlock(&tasklist_lock);
36990 + rcu_read_unlock();
36991 + put_files_struct(files);
36992 + } while_each_thread(p2, p);
36993 + read_unlock(&tasklist_lock);
37000 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37002 + struct gr_arg_wrapper uwrap;
37003 + unsigned char *sprole_salt = NULL;
37004 + unsigned char *sprole_sum = NULL;
37005 + int error = sizeof (struct gr_arg_wrapper);
37008 + down(&gr_dev_sem);
37010 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37015 + if (count != sizeof (struct gr_arg_wrapper)) {
37016 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37022 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37023 + gr_auth_expires = 0;
37024 + gr_auth_attempts = 0;
37027 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37032 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37037 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37042 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37043 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37044 + time_after(gr_auth_expires, get_seconds())) {
37049 + /* if non-root trying to do anything other than use a special role,
37050 + do not attempt authentication, do not count towards authentication
37054 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37055 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37061 + /* ensure pw and special role name are null terminated */
37063 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37064 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37067 + * We have our enough of the argument structure..(we have yet
37068 + * to copy_from_user the tables themselves) . Copy the tables
37069 + * only if we need them, i.e. for loading operations. */
37071 + switch (gr_usermode->mode) {
37073 + if (gr_status & GR_READY) {
37075 + if (!gr_check_secure_terminal(current))
37080 + case GR_SHUTDOWN:
37081 + if ((gr_status & GR_READY)
37082 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37083 + pax_open_kernel();
37084 + gr_status &= ~GR_READY;
37085 + pax_close_kernel();
37087 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
37088 + free_variables();
37089 + memset(gr_usermode, 0, sizeof (struct gr_arg));
37090 + memset(gr_system_salt, 0, GR_SALT_LEN);
37091 + memset(gr_system_sum, 0, GR_SHA_LEN);
37092 + } else if (gr_status & GR_READY) {
37093 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
37096 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
37101 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
37102 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
37104 + if (gr_status & GR_READY)
37108 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
37112 + if (!(gr_status & GR_READY)) {
37113 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
37115 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37118 + pax_open_kernel();
37119 + gr_status &= ~GR_READY;
37120 + pax_close_kernel();
37122 + free_variables();
37123 + if (!(error2 = gracl_init(gr_usermode))) {
37125 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
37129 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37132 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37137 + if (unlikely(!(gr_status & GR_READY))) {
37138 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
37143 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37144 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
37145 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
37146 + struct acl_subject_label *segvacl;
37148 + lookup_acl_subj_label(gr_usermode->segv_inode,
37149 + gr_usermode->segv_device,
37152 + segvacl->crashes = 0;
37153 + segvacl->expires = 0;
37155 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
37156 + gr_remove_uid(gr_usermode->segv_uid);
37159 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
37164 + case GR_SPROLEPAM:
37165 + if (unlikely(!(gr_status & GR_READY))) {
37166 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37171 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37172 + current->role->expires = 0;
37173 + current->role->auth_attempts = 0;
37176 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37177 + time_after(current->role->expires, get_seconds())) {
37182 + if (lookup_special_role_auth
37183 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37184 + && ((!sprole_salt && !sprole_sum)
37185 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37187 + assign_special_role(gr_usermode->sp_role);
37188 + read_lock(&tasklist_lock);
37189 + if (current->parent)
37190 + p = current->parent->role->rolename;
37191 + read_unlock(&tasklist_lock);
37192 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37193 + p, acl_sp_role_value);
37195 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37197 + if(!(current->role->auth_attempts++))
37198 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37203 + case GR_UNSPROLE:
37204 + if (unlikely(!(gr_status & GR_READY))) {
37205 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37210 + if (current->role->roletype & GR_ROLE_SPECIAL) {
37214 + read_lock(&tasklist_lock);
37215 + if (current->parent) {
37216 + p = current->parent->role->rolename;
37217 + i = current->parent->acl_role_id;
37219 + read_unlock(&tasklist_lock);
37221 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37229 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37234 + if (error != -EPERM)
37237 + if(!(gr_auth_attempts++))
37238 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37246 +gr_set_acls(const int type)
37248 + struct acl_object_label *obj;
37249 + struct task_struct *task, *task2;
37250 + struct file *filp;
37251 + struct acl_role_label *role = current->role;
37252 + __u16 acl_role_id = current->acl_role_id;
37253 + const struct cred *cred;
37255 + struct name_entry *nmatch;
37256 + struct acl_subject_label *tmpsubj;
37259 + read_lock(&tasklist_lock);
37260 + read_lock(&grsec_exec_file_lock);
37261 + do_each_thread(task2, task) {
37262 + /* check to see if we're called from the exit handler,
37263 + if so, only replace ACLs that have inherited the admin
37266 + if (type && (task->role != role ||
37267 + task->acl_role_id != acl_role_id))
37270 + task->acl_role_id = 0;
37271 + task->acl_sp_role = 0;
37273 + if ((filp = task->exec_file)) {
37274 + cred = __task_cred(task);
37275 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
37277 + /* the following is to apply the correct subject
37278 + on binaries running when the RBAC system
37279 + is enabled, when the binaries have been
37280 + replaced or deleted since their execution
37282 + when the RBAC system starts, the inode/dev
37283 + from exec_file will be one the RBAC system
37284 + is unaware of. It only knows the inode/dev
37285 + of the present file on disk, or the absence
37288 + preempt_disable();
37289 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
37291 + nmatch = lookup_name_entry(tmpname);
37292 + preempt_enable();
37295 + if (nmatch->deleted)
37296 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
37298 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
37299 + if (tmpsubj != NULL)
37300 + task->acl = tmpsubj;
37302 + if (tmpsubj == NULL)
37303 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
37306 + struct acl_subject_label *curr;
37307 + curr = task->acl;
37309 + task->is_writable = 0;
37310 + /* ignore additional mmap checks for processes that are writable
37311 + by the default ACL */
37312 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37313 + if (unlikely(obj->mode & GR_WRITE))
37314 + task->is_writable = 1;
37315 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37316 + if (unlikely(obj->mode & GR_WRITE))
37317 + task->is_writable = 1;
37319 + gr_set_proc_res(task);
37321 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37322 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37325 + read_unlock(&grsec_exec_file_lock);
37326 + read_unlock(&tasklist_lock);
37327 + rcu_read_unlock();
37328 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
37332 + // it's a kernel process
37333 + task->role = kernel_role;
37334 + task->acl = kernel_role->root_label;
37335 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
37336 + task->acl->mode &= ~GR_PROCFIND;
37339 + } while_each_thread(task2, task);
37340 + read_unlock(&grsec_exec_file_lock);
37341 + read_unlock(&tasklist_lock);
37342 + rcu_read_unlock();
37348 +gr_learn_resource(const struct task_struct *task,
37349 + const int res, const unsigned long wanted, const int gt)
37351 + struct acl_subject_label *acl;
37352 + const struct cred *cred;
37354 + if (unlikely((gr_status & GR_READY) &&
37355 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
37356 + goto skip_reslog;
37358 +#ifdef CONFIG_GRKERNSEC_RESLOG
37359 + gr_log_resource(task, res, wanted, gt);
37363 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
37368 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
37369 + !(acl->resmask & (1 << (unsigned short) res))))
37372 + if (wanted >= acl->res[res].rlim_cur) {
37373 + unsigned long res_add;
37375 + res_add = wanted;
37378 + res_add += GR_RLIM_CPU_BUMP;
37380 + case RLIMIT_FSIZE:
37381 + res_add += GR_RLIM_FSIZE_BUMP;
37383 + case RLIMIT_DATA:
37384 + res_add += GR_RLIM_DATA_BUMP;
37386 + case RLIMIT_STACK:
37387 + res_add += GR_RLIM_STACK_BUMP;
37389 + case RLIMIT_CORE:
37390 + res_add += GR_RLIM_CORE_BUMP;
37393 + res_add += GR_RLIM_RSS_BUMP;
37395 + case RLIMIT_NPROC:
37396 + res_add += GR_RLIM_NPROC_BUMP;
37398 + case RLIMIT_NOFILE:
37399 + res_add += GR_RLIM_NOFILE_BUMP;
37401 + case RLIMIT_MEMLOCK:
37402 + res_add += GR_RLIM_MEMLOCK_BUMP;
37405 + res_add += GR_RLIM_AS_BUMP;
37407 + case RLIMIT_LOCKS:
37408 + res_add += GR_RLIM_LOCKS_BUMP;
37410 + case RLIMIT_SIGPENDING:
37411 + res_add += GR_RLIM_SIGPENDING_BUMP;
37413 + case RLIMIT_MSGQUEUE:
37414 + res_add += GR_RLIM_MSGQUEUE_BUMP;
37416 + case RLIMIT_NICE:
37417 + res_add += GR_RLIM_NICE_BUMP;
37419 + case RLIMIT_RTPRIO:
37420 + res_add += GR_RLIM_RTPRIO_BUMP;
37422 + case RLIMIT_RTTIME:
37423 + res_add += GR_RLIM_RTTIME_BUMP;
37427 + acl->res[res].rlim_cur = res_add;
37429 + if (wanted > acl->res[res].rlim_max)
37430 + acl->res[res].rlim_max = res_add;
37432 + /* only log the subject filename, since resource logging is supported for
37433 + single-subject learning only */
37435 + cred = __task_cred(task);
37436 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
37437 + task->role->roletype, cred->uid, cred->gid, acl->filename,
37438 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
37439 + "", (unsigned long) res, &task->signal->curr_ip);
37440 + rcu_read_unlock();
37446 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
37448 +pax_set_initial_flags(struct linux_binprm *bprm)
37450 + struct task_struct *task = current;
37451 + struct acl_subject_label *proc;
37452 + unsigned long flags;
37454 + if (unlikely(!(gr_status & GR_READY)))
37457 + flags = pax_get_flags(task);
37459 + proc = task->acl;
37461 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
37462 + flags &= ~MF_PAX_PAGEEXEC;
37463 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
37464 + flags &= ~MF_PAX_SEGMEXEC;
37465 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
37466 + flags &= ~MF_PAX_RANDMMAP;
37467 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
37468 + flags &= ~MF_PAX_EMUTRAMP;
37469 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
37470 + flags &= ~MF_PAX_MPROTECT;
37472 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
37473 + flags |= MF_PAX_PAGEEXEC;
37474 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
37475 + flags |= MF_PAX_SEGMEXEC;
37476 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
37477 + flags |= MF_PAX_RANDMMAP;
37478 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
37479 + flags |= MF_PAX_EMUTRAMP;
37480 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
37481 + flags |= MF_PAX_MPROTECT;
37483 + pax_set_flags(task, flags);
37489 +#ifdef CONFIG_SYSCTL
37490 +/* Eric Biederman likes breaking userland ABI and every inode-based security
37491 + system to save 35kb of memory */
37493 +/* we modify the passed in filename, but adjust it back before returning */
37494 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
37496 + struct name_entry *nmatch;
37497 + char *p, *lastp = NULL;
37498 + struct acl_object_label *obj = NULL, *tmp;
37499 + struct acl_subject_label *tmpsubj;
37502 + read_lock(&gr_inode_lock);
37504 + p = name + len - 1;
37506 + nmatch = lookup_name_entry(name);
37507 + if (lastp != NULL)
37510 + if (nmatch == NULL)
37511 + goto next_component;
37512 + tmpsubj = current->acl;
37514 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
37515 + if (obj != NULL) {
37516 + tmp = obj->globbed;
37518 + if (!glob_match(tmp->filename, name)) {
37526 + } while ((tmpsubj = tmpsubj->parent_subject));
37532 + while (*p != '/')
37544 + read_unlock(&gr_inode_lock);
37545 + /* obj returned will always be non-null */
37549 +/* returns 0 when allowing, non-zero on error
37550 + op of 0 is used for readdir, so we don't log the names of hidden files
37553 +gr_handle_sysctl(const struct ctl_table *table, const int op)
37555 + struct ctl_table *tmp;
37556 + const char *proc_sys = "/proc/sys";
37558 + struct acl_object_label *obj;
37559 + unsigned short len = 0, pos = 0, depth = 0, i;
37563 + if (unlikely(!(gr_status & GR_READY)))
37566 + /* for now, ignore operations on non-sysctl entries if it's not a
37568 + if (table->child != NULL && op != 0)
37572 + /* it's only a read if it's an entry, read on dirs is for readdir */
37573 + if (op & MAY_READ)
37575 + if (op & MAY_WRITE)
37576 + mode |= GR_WRITE;
37578 + preempt_disable();
37580 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
37582 + /* it's only a read/write if it's an actual entry, not a dir
37583 + (which are opened for readdir)
37586 + /* convert the requested sysctl entry into a pathname */
37588 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37589 + len += strlen(tmp->procname);
37594 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
37599 + memset(path, 0, PAGE_SIZE);
37601 + memcpy(path, proc_sys, strlen(proc_sys));
37603 + pos += strlen(proc_sys);
37605 + for (; depth > 0; depth--) {
37608 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37609 + if (depth == i) {
37610 + memcpy(path + pos, tmp->procname,
37611 + strlen(tmp->procname));
37612 + pos += strlen(tmp->procname);
37618 + obj = gr_lookup_by_name(path, pos);
37619 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
37621 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
37622 + ((err & mode) != mode))) {
37623 + __u32 new_mode = mode;
37625 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37628 + gr_log_learn_sysctl(path, new_mode);
37629 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
37630 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
37632 + } else if (!(err & GR_FIND)) {
37634 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
37635 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
37636 + path, (mode & GR_READ) ? " reading" : "",
37637 + (mode & GR_WRITE) ? " writing" : "");
37639 + } else if ((err & mode) != mode) {
37641 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
37642 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
37643 + path, (mode & GR_READ) ? " reading" : "",
37644 + (mode & GR_WRITE) ? " writing" : "");
37650 + preempt_enable();
37657 +gr_handle_proc_ptrace(struct task_struct *task)
37659 + struct file *filp;
37660 + struct task_struct *tmp = task;
37661 + struct task_struct *curtemp = current;
37664 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37665 + if (unlikely(!(gr_status & GR_READY)))
37669 + read_lock(&tasklist_lock);
37670 + read_lock(&grsec_exec_file_lock);
37671 + filp = task->exec_file;
37673 + while (tmp->pid > 0) {
37674 + if (tmp == curtemp)
37676 + tmp = tmp->parent;
37679 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37680 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
37681 + read_unlock(&grsec_exec_file_lock);
37682 + read_unlock(&tasklist_lock);
37686 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37687 + if (!(gr_status & GR_READY)) {
37688 + read_unlock(&grsec_exec_file_lock);
37689 + read_unlock(&tasklist_lock);
37694 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
37695 + read_unlock(&grsec_exec_file_lock);
37696 + read_unlock(&tasklist_lock);
37698 + if (retmode & GR_NOPTRACE)
37701 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
37702 + && (current->acl != task->acl || (current->acl != current->role->root_label
37703 + && current->pid != task->pid)))
37710 +gr_handle_ptrace(struct task_struct *task, const long request)
37712 + struct task_struct *tmp = task;
37713 + struct task_struct *curtemp = current;
37716 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37717 + if (unlikely(!(gr_status & GR_READY)))
37721 + read_lock(&tasklist_lock);
37722 + while (tmp->pid > 0) {
37723 + if (tmp == curtemp)
37725 + tmp = tmp->parent;
37728 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37729 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
37730 + read_unlock(&tasklist_lock);
37731 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37734 + read_unlock(&tasklist_lock);
37736 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37737 + if (!(gr_status & GR_READY))
37741 + read_lock(&grsec_exec_file_lock);
37742 + if (unlikely(!task->exec_file)) {
37743 + read_unlock(&grsec_exec_file_lock);
37747 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
37748 + read_unlock(&grsec_exec_file_lock);
37750 + if (retmode & GR_NOPTRACE) {
37751 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37755 + if (retmode & GR_PTRACERD) {
37756 + switch (request) {
37757 + case PTRACE_POKETEXT:
37758 + case PTRACE_POKEDATA:
37759 + case PTRACE_POKEUSR:
37760 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
37761 + case PTRACE_SETREGS:
37762 + case PTRACE_SETFPREGS:
37765 + case PTRACE_SETFPXREGS:
37767 +#ifdef CONFIG_ALTIVEC
37768 + case PTRACE_SETVRREGS:
37774 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
37775 + !(current->role->roletype & GR_ROLE_GOD) &&
37776 + (current->acl != task->acl)) {
37777 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37784 +static int is_writable_mmap(const struct file *filp)
37786 + struct task_struct *task = current;
37787 + struct acl_object_label *obj, *obj2;
37789 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
37790 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
37791 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37792 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
37793 + task->role->root_label);
37794 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
37795 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
37803 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
37807 + if (unlikely(!file || !(prot & PROT_EXEC)))
37810 + if (is_writable_mmap(file))
37814 + gr_search_file(file->f_path.dentry,
37815 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37816 + file->f_path.mnt);
37818 + if (!gr_tpe_allow(file))
37821 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37822 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37824 + } else if (unlikely(!(mode & GR_EXEC))) {
37826 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37827 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37835 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
37839 + if (unlikely(!file || !(prot & PROT_EXEC)))
37842 + if (is_writable_mmap(file))
37846 + gr_search_file(file->f_path.dentry,
37847 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37848 + file->f_path.mnt);
37850 + if (!gr_tpe_allow(file))
37853 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37854 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37856 + } else if (unlikely(!(mode & GR_EXEC))) {
37858 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37859 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37867 +gr_acl_handle_psacct(struct task_struct *task, const long code)
37869 + unsigned long runtime;
37870 + unsigned long cputime;
37871 + unsigned int wday, cday;
37875 + struct timespec timeval;
37877 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
37878 + !(task->acl->mode & GR_PROCACCT)))
37881 + do_posix_clock_monotonic_gettime(&timeval);
37882 + runtime = timeval.tv_sec - task->start_time.tv_sec;
37883 + wday = runtime / (3600 * 24);
37884 + runtime -= wday * (3600 * 24);
37885 + whr = runtime / 3600;
37886 + runtime -= whr * 3600;
37887 + wmin = runtime / 60;
37888 + runtime -= wmin * 60;
37891 + cputime = (task->utime + task->stime) / HZ;
37892 + cday = cputime / (3600 * 24);
37893 + cputime -= cday * (3600 * 24);
37894 + chr = cputime / 3600;
37895 + cputime -= chr * 3600;
37896 + cmin = cputime / 60;
37897 + cputime -= cmin * 60;
37900 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
37905 +void gr_set_kernel_label(struct task_struct *task)
37907 + if (gr_status & GR_READY) {
37908 + task->role = kernel_role;
37909 + task->acl = kernel_role->root_label;
37914 +#ifdef CONFIG_TASKSTATS
37915 +int gr_is_taskstats_denied(int pid)
37917 + struct task_struct *task;
37918 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37919 + const struct cred *cred;
37923 + /* restrict taskstats viewing to un-chrooted root users
37924 + who have the 'view' subject flag if the RBAC system is enabled
37928 + read_lock(&tasklist_lock);
37929 + task = find_task_by_vpid(pid);
37931 +#ifdef CONFIG_GRKERNSEC_CHROOT
37932 + if (proc_is_chrooted(task))
37935 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37936 + cred = __task_cred(task);
37937 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37938 + if (cred->uid != 0)
37940 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37941 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
37945 + if (gr_status & GR_READY) {
37946 + if (!(task->acl->mode & GR_VIEW))
37952 + read_unlock(&tasklist_lock);
37953 + rcu_read_unlock();
37959 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
37961 + struct task_struct *task = current;
37962 + struct dentry *dentry = file->f_path.dentry;
37963 + struct vfsmount *mnt = file->f_path.mnt;
37964 + struct acl_object_label *obj, *tmp;
37965 + struct acl_subject_label *subj;
37966 + unsigned int bufsize;
37970 + if (unlikely(!(gr_status & GR_READY)))
37973 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37976 + /* ignore Eric Biederman */
37977 + if (IS_PRIVATE(dentry->d_inode))
37980 + subj = task->acl;
37982 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
37984 + return (obj->mode & GR_FIND) ? 1 : 0;
37985 + } while ((subj = subj->parent_subject));
37987 + /* this is purely an optimization since we're looking for an object
37988 + for the directory we're doing a readdir on
37989 + if it's possible for any globbed object to match the entry we're
37990 + filling into the directory, then the object we find here will be
37991 + an anchor point with attached globbed objects
37993 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
37994 + if (obj->globbed == NULL)
37995 + return (obj->mode & GR_FIND) ? 1 : 0;
37997 + is_not_root = ((obj->filename[0] == '/') &&
37998 + (obj->filename[1] == '\0')) ? 0 : 1;
37999 + bufsize = PAGE_SIZE - namelen - is_not_root;
38001 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
38002 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38005 + preempt_disable();
38006 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38009 + bufsize = strlen(path);
38011 + /* if base is "/", don't append an additional slash */
38013 + *(path + bufsize) = '/';
38014 + memcpy(path + bufsize + is_not_root, name, namelen);
38015 + *(path + bufsize + namelen + is_not_root) = '\0';
38017 + tmp = obj->globbed;
38019 + if (!glob_match(tmp->filename, path)) {
38020 + preempt_enable();
38021 + return (tmp->mode & GR_FIND) ? 1 : 0;
38025 + preempt_enable();
38026 + return (obj->mode & GR_FIND) ? 1 : 0;
38029 +EXPORT_SYMBOL(gr_learn_resource);
38030 +EXPORT_SYMBOL(gr_set_kernel_label);
38031 +#ifdef CONFIG_SECURITY
38032 +EXPORT_SYMBOL(gr_check_user_change);
38033 +EXPORT_SYMBOL(gr_check_group_change);
38036 diff -urNp linux-2.6.35.4/grsecurity/gracl_cap.c linux-2.6.35.4/grsecurity/gracl_cap.c
38037 --- linux-2.6.35.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
38038 +++ linux-2.6.35.4/grsecurity/gracl_cap.c 2010-09-17 20:12:37.000000000 -0400
38040 +#include <linux/kernel.h>
38041 +#include <linux/module.h>
38042 +#include <linux/sched.h>
38043 +#include <linux/gracl.h>
38044 +#include <linux/grsecurity.h>
38045 +#include <linux/grinternal.h>
38047 +static const char *captab_log[] = {
38049 + "CAP_DAC_OVERRIDE",
38050 + "CAP_DAC_READ_SEARCH",
38057 + "CAP_LINUX_IMMUTABLE",
38058 + "CAP_NET_BIND_SERVICE",
38059 + "CAP_NET_BROADCAST",
38064 + "CAP_SYS_MODULE",
38066 + "CAP_SYS_CHROOT",
38067 + "CAP_SYS_PTRACE",
38072 + "CAP_SYS_RESOURCE",
38074 + "CAP_SYS_TTY_CONFIG",
38077 + "CAP_AUDIT_WRITE",
38078 + "CAP_AUDIT_CONTROL",
38080 + "CAP_MAC_OVERRIDE",
38084 +EXPORT_SYMBOL(gr_is_capable);
38085 +EXPORT_SYMBOL(gr_is_capable_nolog);
38088 +gr_is_capable(const int cap)
38090 + struct task_struct *task = current;
38091 + const struct cred *cred = current_cred();
38092 + struct acl_subject_label *curracl;
38093 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38094 + kernel_cap_t cap_audit = __cap_empty_set;
38096 + if (!gr_acl_is_enabled())
38099 + curracl = task->acl;
38101 + cap_drop = curracl->cap_lower;
38102 + cap_mask = curracl->cap_mask;
38103 + cap_audit = curracl->cap_invert_audit;
38105 + while ((curracl = curracl->parent_subject)) {
38106 + /* if the cap isn't specified in the current computed mask but is specified in the
38107 + current level subject, and is lowered in the current level subject, then add
38108 + it to the set of dropped capabilities
38109 + otherwise, add the current level subject's mask to the current computed mask
38111 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38112 + cap_raise(cap_mask, cap);
38113 + if (cap_raised(curracl->cap_lower, cap))
38114 + cap_raise(cap_drop, cap);
38115 + if (cap_raised(curracl->cap_invert_audit, cap))
38116 + cap_raise(cap_audit, cap);
38120 + if (!cap_raised(cap_drop, cap)) {
38121 + if (cap_raised(cap_audit, cap))
38122 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
38126 + curracl = task->acl;
38128 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
38129 + && cap_raised(cred->cap_effective, cap)) {
38130 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38131 + task->role->roletype, cred->uid,
38132 + cred->gid, task->exec_file ?
38133 + gr_to_filename(task->exec_file->f_path.dentry,
38134 + task->exec_file->f_path.mnt) : curracl->filename,
38135 + curracl->filename, 0UL,
38136 + 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
38140 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
38141 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
38146 +gr_is_capable_nolog(const int cap)
38148 + struct acl_subject_label *curracl;
38149 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38151 + if (!gr_acl_is_enabled())
38154 + curracl = current->acl;
38156 + cap_drop = curracl->cap_lower;
38157 + cap_mask = curracl->cap_mask;
38159 + while ((curracl = curracl->parent_subject)) {
38160 + /* if the cap isn't specified in the current computed mask but is specified in the
38161 + current level subject, and is lowered in the current level subject, then add
38162 + it to the set of dropped capabilities
38163 + otherwise, add the current level subject's mask to the current computed mask
38165 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38166 + cap_raise(cap_mask, cap);
38167 + if (cap_raised(curracl->cap_lower, cap))
38168 + cap_raise(cap_drop, cap);
38172 + if (!cap_raised(cap_drop, cap))
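Review bot: In gr_is_capable the audit-path call `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);` indexes captab_log with no range check, while the denial log further down only does so after testing `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. If the kernel gains a capability number that the table does not yet name, the audit path would read past the end of the array and pass that pointer to the logger. Guarding it the same way keeps the two paths consistent: `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. Some lines of this hunk are missing from the page, so a check placed on one of them would not be visible here.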
38178 diff -urNp linux-2.6.35.4/grsecurity/gracl_fs.c linux-2.6.35.4/grsecurity/gracl_fs.c
38179 --- linux-2.6.35.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
38180 +++ linux-2.6.35.4/grsecurity/gracl_fs.c 2010-09-17 20:12:37.000000000 -0400
38182 +#include <linux/kernel.h>
38183 +#include <linux/sched.h>
38184 +#include <linux/types.h>
38185 +#include <linux/fs.h>
38186 +#include <linux/file.h>
38187 +#include <linux/stat.h>
38188 +#include <linux/grsecurity.h>
38189 +#include <linux/grinternal.h>
38190 +#include <linux/gracl.h>
38193 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38194 + const struct vfsmount * mnt)
38198 + if (unlikely(!dentry->d_inode))
38202 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38204 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38205 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38207 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38208 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38210 + } else if (unlikely(!(mode & GR_FIND)))
38217 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38220 + __u32 reqmode = GR_FIND;
38223 + if (unlikely(!dentry->d_inode))
38226 + if (unlikely(fmode & O_APPEND))
38227 + reqmode |= GR_APPEND;
38228 + else if (unlikely(fmode & FMODE_WRITE))
38229 + reqmode |= GR_WRITE;
38230 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38231 + reqmode |= GR_READ;
38232 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
38233 + reqmode &= ~GR_READ;
38235 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38238 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38239 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38240 + reqmode & GR_READ ? " reading" : "",
38241 + reqmode & GR_WRITE ? " writing" : reqmode &
38242 + GR_APPEND ? " appending" : "");
38245 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38247 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38248 + reqmode & GR_READ ? " reading" : "",
38249 + reqmode & GR_WRITE ? " writing" : reqmode &
38250 + GR_APPEND ? " appending" : "");
38252 + } else if (unlikely((mode & reqmode) != reqmode))
38259 +gr_acl_handle_creat(const struct dentry * dentry,
38260 + const struct dentry * p_dentry,
38261 + const struct vfsmount * p_mnt, const int fmode,
38264 + __u32 reqmode = GR_WRITE | GR_CREATE;
38267 + if (unlikely(fmode & O_APPEND))
38268 + reqmode |= GR_APPEND;
38269 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38270 + reqmode |= GR_READ;
38271 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
38272 + reqmode |= GR_SETID;
38275 + gr_check_create(dentry, p_dentry, p_mnt,
38276 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38278 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38279 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38280 + reqmode & GR_READ ? " reading" : "",
38281 + reqmode & GR_WRITE ? " writing" : reqmode &
38282 + GR_APPEND ? " appending" : "");
38285 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38287 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38288 + reqmode & GR_READ ? " reading" : "",
38289 + reqmode & GR_WRITE ? " writing" : reqmode &
38290 + GR_APPEND ? " appending" : "");
38292 + } else if (unlikely((mode & reqmode) != reqmode))
38299 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
38302 + __u32 mode, reqmode = GR_FIND;
38304 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
38305 + reqmode |= GR_EXEC;
38306 + if (fmode & S_IWOTH)
38307 + reqmode |= GR_WRITE;
38308 + if (fmode & S_IROTH)
38309 + reqmode |= GR_READ;
38312 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38315 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38316 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38317 + reqmode & GR_READ ? " reading" : "",
38318 + reqmode & GR_WRITE ? " writing" : "",
38319 + reqmode & GR_EXEC ? " executing" : "");
38322 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38324 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38325 + reqmode & GR_READ ? " reading" : "",
38326 + reqmode & GR_WRITE ? " writing" : "",
38327 + reqmode & GR_EXEC ? " executing" : "");
38329 + } else if (unlikely((mode & reqmode) != reqmode))
38335 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
38339 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
38341 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38342 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
38344 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38345 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
38347 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38350 + return (reqmode);
38354 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38356 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
38360 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
38362 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
38366 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
38368 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
38372 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
38374 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
38378 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
38381 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
38384 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38385 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38386 + GR_FCHMOD_ACL_MSG);
38388 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
38393 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
38396 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38397 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38398 + GR_CHMOD_ACL_MSG);
38400 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
38405 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
38407 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
38411 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
38413 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
38417 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
38419 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
38420 + GR_UNIXCONNECT_ACL_MSG);
38423 +/* hardlinks require at minimum create permission,
38424 + any additional privilege required is based on the
38425 + privilege of the file being linked to
38428 +gr_acl_handle_link(const struct dentry * new_dentry,
38429 + const struct dentry * parent_dentry,
38430 + const struct vfsmount * parent_mnt,
38431 + const struct dentry * old_dentry,
38432 + const struct vfsmount * old_mnt, const char *to)
38435 + __u32 needmode = GR_CREATE | GR_LINK;
38436 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
38439 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
38442 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
38443 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38445 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38446 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38448 + } else if (unlikely((mode & needmode) != needmode))
38455 +gr_acl_handle_symlink(const struct dentry * new_dentry,
38456 + const struct dentry * parent_dentry,
38457 + const struct vfsmount * parent_mnt, const char *from)
38459 + __u32 needmode = GR_WRITE | GR_CREATE;
38463 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
38464 + GR_CREATE | GR_AUDIT_CREATE |
38465 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
38467 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
38468 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38470 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38471 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38473 + } else if (unlikely((mode & needmode) != needmode))
38476 + return (GR_WRITE | GR_CREATE);
38479 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
38483 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38485 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38486 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
38488 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38489 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
38491 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38494 + return (reqmode);
38498 +gr_acl_handle_mknod(const struct dentry * new_dentry,
38499 + const struct dentry * parent_dentry,
38500 + const struct vfsmount * parent_mnt,
38503 + __u32 reqmode = GR_WRITE | GR_CREATE;
38504 + if (unlikely(mode & (S_ISUID | S_ISGID)))
38505 + reqmode |= GR_SETID;
38507 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38508 + reqmode, GR_MKNOD_ACL_MSG);
38512 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
38513 + const struct dentry *parent_dentry,
38514 + const struct vfsmount *parent_mnt)
38516 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38517 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
38520 +#define RENAME_CHECK_SUCCESS(old, new) \
38521 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
38522 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
38525 +gr_acl_handle_rename(struct dentry *new_dentry,
38526 + struct dentry *parent_dentry,
38527 + const struct vfsmount *parent_mnt,
38528 + struct dentry *old_dentry,
38529 + struct inode *old_parent_inode,
38530 + struct vfsmount *old_mnt, const char *newname)
38532 + __u32 comp1, comp2;
38535 + if (unlikely(!gr_acl_is_enabled()))
38538 + if (!new_dentry->d_inode) {
38539 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
38540 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
38541 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
38542 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
38543 + GR_DELETE | GR_AUDIT_DELETE |
38544 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38545 + GR_SUPPRESS, old_mnt);
38547 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
38548 + GR_CREATE | GR_DELETE |
38549 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
38550 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38551 + GR_SUPPRESS, parent_mnt);
38553 + gr_search_file(old_dentry,
38554 + GR_READ | GR_WRITE | GR_AUDIT_READ |
38555 + GR_DELETE | GR_AUDIT_DELETE |
38556 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
38559 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
38560 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
38561 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38562 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
38563 + && !(comp2 & GR_SUPPRESS)) {
38564 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38566 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
38573 +gr_acl_handle_exit(void)
38577 + struct file *exec_file;
38579 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
38580 + id = current->acl_role_id;
38581 + rolename = current->role->rolename;
38583 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
38586 + write_lock(&grsec_exec_file_lock);
38587 + exec_file = current->exec_file;
38588 + current->exec_file = NULL;
38589 + write_unlock(&grsec_exec_file_lock);
38596 +gr_acl_handle_procpidmem(const struct task_struct *task)
38598 + if (unlikely(!gr_acl_is_enabled()))
38601 + if (task != current && task->acl->mode & GR_PROTPROCFD)
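Review bot: gr_acl_handle_symlink takes its granted-and-audited branch when `mode & GR_WRITE && mode & GR_AUDITS` holds, although it declares `needmode = GR_WRITE | GR_CREATE` and its two denial branches compare against the full `needmode`. A result carrying GR_WRITE and an audit bit but not GR_CREATE would therefore reach the audit branch rather than a denial branch. Whether gr_check_create can return such a value is not visible here, so this should be confirmed. generic_fs_create_handler in the same file tests `(mode & (reqmode)) == (reqmode)` first, and the symlink handler should match it: `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`. The branch bodies, including what each branch returns, are among the lines missing from this page.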
38606 diff -urNp linux-2.6.35.4/grsecurity/gracl_ip.c linux-2.6.35.4/grsecurity/gracl_ip.c
38607 --- linux-2.6.35.4/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
38608 +++ linux-2.6.35.4/grsecurity/gracl_ip.c 2010-09-17 20:12:37.000000000 -0400
38610 +#include <linux/kernel.h>
38611 +#include <asm/uaccess.h>
38612 +#include <asm/errno.h>
38613 +#include <net/sock.h>
38614 +#include <linux/file.h>
38615 +#include <linux/fs.h>
38616 +#include <linux/net.h>
38617 +#include <linux/in.h>
38618 +#include <linux/skbuff.h>
38619 +#include <linux/ip.h>
38620 +#include <linux/udp.h>
38621 +#include <linux/smp_lock.h>
38622 +#include <linux/types.h>
38623 +#include <linux/sched.h>
38624 +#include <linux/netdevice.h>
38625 +#include <linux/inetdevice.h>
38626 +#include <linux/gracl.h>
38627 +#include <linux/grsecurity.h>
38628 +#include <linux/grinternal.h>
38630 +#define GR_BIND 0x01
38631 +#define GR_CONNECT 0x02
38632 +#define GR_INVERT 0x04
38633 +#define GR_BINDOVERRIDE 0x08
38634 +#define GR_CONNECTOVERRIDE 0x10
38636 +static const char * gr_protocols[256] = {
38637 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
38638 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
38639 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
38640 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
38641 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
38642 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
38643 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
38644 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
38645 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
38646 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
38647 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
38648 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
38649 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
38650 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
38651 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
38652 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
38653 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
38654 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
38655 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
38656 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
38657 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
38658 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
38659 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
38660 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
38661 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
38662 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
38663 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
38664 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
38665 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
38666 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
38667 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
38668 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
38671 +static const char * gr_socktypes[11] = {
38672 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
38673 + "unknown:7", "unknown:8", "unknown:9", "packet"
38677 +gr_proto_to_name(unsigned char proto)
38679 + return gr_protocols[proto];
38683 +gr_socktype_to_name(unsigned char type)
38685 + return gr_socktypes[type];
38689 +gr_search_socket(const int domain, const int type, const int protocol)
38691 + struct acl_subject_label *curr;
38692 + const struct cred *cred = current_cred();
38694 + if (unlikely(!gr_acl_is_enabled()))
38697 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
38698 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
38699 + goto exit; // let the kernel handle it
38701 + curr = current->acl;
38706 + if ((curr->ip_type & (1 << type)) &&
38707 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
38710 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38711 + /* we don't place acls on raw sockets , and sometimes
38712 + dgram/ip sockets are opened for ioctl and not
38713 + bind/connect, so we'll fake a bind learn log */
38714 + if (type == SOCK_RAW || type == SOCK_PACKET) {
38715 + __u32 fakeip = 0;
38716 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38717 + current->role->roletype, cred->uid,
38718 + cred->gid, current->exec_file ?
38719 + gr_to_filename(current->exec_file->f_path.dentry,
38720 + current->exec_file->f_path.mnt) :
38721 + curr->filename, curr->filename,
38722 + &fakeip, 0, type,
38723 + protocol, GR_CONNECT, ¤t->signal->curr_ip);
38724 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
38725 + __u32 fakeip = 0;
38726 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38727 + current->role->roletype, cred->uid,
38728 + cred->gid, current->exec_file ?
38729 + gr_to_filename(current->exec_file->f_path.dentry,
38730 + current->exec_file->f_path.mnt) :
38731 + curr->filename, curr->filename,
38732 + &fakeip, 0, type,
38733 + protocol, GR_BIND, ¤t->signal->curr_ip);
38735 + /* we'll log when they use connect or bind */
38739 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
38740 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
38747 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
38749 + if ((ip->mode & mode) &&
38750 + (ip_port >= ip->low) &&
38751 + (ip_port <= ip->high) &&
38752 + ((ntohl(ip_addr) & our_netmask) ==
38753 + (ntohl(our_addr) & our_netmask))
38754 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
38755 + && (ip->type & (1 << type))) {
38756 + if (ip->mode & GR_INVERT)
38757 + return 2; // specifically denied
38759 + return 1; // allowed
38762 + return 0; // not specifically allowed, may continue parsing
38766 +gr_search_connectbind(const int full_mode, struct sock *sk,
38767 + struct sockaddr_in *addr, const int type)
38769 + char iface[IFNAMSIZ] = {0};
38770 + struct acl_subject_label *curr;
38771 + struct acl_ip_label *ip;
38772 + struct inet_sock *isk;
38773 + struct net_device *dev;
38774 + struct in_device *idev;
38777 + int mode = full_mode & (GR_BIND | GR_CONNECT);
38778 + __u32 ip_addr = 0;
38780 + __u32 our_netmask;
38782 + __u16 ip_port = 0;
38783 + const struct cred *cred = current_cred();
38785 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
38788 + curr = current->acl;
38789 + isk = inet_sk(sk);
38791 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
38792 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
38793 + addr->sin_addr.s_addr = curr->inaddr_any_override;
38794 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
38795 + struct sockaddr_in saddr;
38798 + saddr.sin_family = AF_INET;
38799 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
38800 + saddr.sin_port = isk->inet_sport;
38802 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38806 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38814 + ip_addr = addr->sin_addr.s_addr;
38815 + ip_port = ntohs(addr->sin_port);
38817 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38818 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38819 + current->role->roletype, cred->uid,
38820 + cred->gid, current->exec_file ?
38821 + gr_to_filename(current->exec_file->f_path.dentry,
38822 + current->exec_file->f_path.mnt) :
38823 + curr->filename, curr->filename,
38824 + &ip_addr, ip_port, type,
38825 + sk->sk_protocol, mode, ¤t->signal->curr_ip);
38829 + for (i = 0; i < curr->ip_num; i++) {
38830 + ip = *(curr->ips + i);
38831 + if (ip->iface != NULL) {
38832 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
38833 + p = strchr(iface, ':');
38836 + dev = dev_get_by_name(sock_net(sk), iface);
38839 + idev = in_dev_get(dev);
38840 + if (idev == NULL) {
38846 + if (!strcmp(ip->iface, ifa->ifa_label)) {
38847 + our_addr = ifa->ifa_address;
38848 + our_netmask = 0xffffffff;
38849 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38851 + rcu_read_unlock();
38852 + in_dev_put(idev);
38855 + } else if (ret == 2) {
38856 + rcu_read_unlock();
38857 + in_dev_put(idev);
38862 + } endfor_ifa(idev);
38863 + rcu_read_unlock();
38864 + in_dev_put(idev);
38867 + our_addr = ip->addr;
38868 + our_netmask = ip->netmask;
38869 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38872 + else if (ret == 2)
38878 + if (mode == GR_BIND)
38879 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38880 + else if (mode == GR_CONNECT)
38881 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38887 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
38889 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
38893 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
38895 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
38898 +int gr_search_listen(struct socket *sock)
38900 + struct sock *sk = sock->sk;
38901 + struct sockaddr_in addr;
38903 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38904 + addr.sin_port = inet_sk(sk)->inet_sport;
38906 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38909 +int gr_search_accept(struct socket *sock)
38911 + struct sock *sk = sock->sk;
38912 + struct sockaddr_in addr;
38914 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38915 + addr.sin_port = inet_sk(sk)->inet_sport;
38917 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38921 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
38924 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
38926 + struct sockaddr_in sin;
38927 + const struct inet_sock *inet = inet_sk(sk);
38929 + sin.sin_addr.s_addr = inet->inet_daddr;
38930 + sin.sin_port = inet->inet_dport;
38932 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38937 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
38939 + struct sockaddr_in sin;
38941 + if (unlikely(skb->len < sizeof (struct udphdr)))
38942 + return 0; // skip this packet
38944 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
38945 + sin.sin_port = udp_hdr(skb)->source;
38947 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
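Review bot: gr_socktype_to_name returns `gr_socktypes[type]` for any `unsigned char`, but the table has only 11 entries. gr_search_connectbind passes its `type` argument into it for the bind and connect denial logs without a range test on the visible lines, whereas gr_search_socket rejects `type >= SOCK_MAX` before it logs. The callers shown pass `sock->type` or SOCK_DGRAM, so the value is presumably in range today, but a bound inside the helper removes the dependence on every caller: `return type < ARRAY_SIZE(gr_socktypes) ? gr_socktypes[type] : "unknown";`. Separately, the gr_protocols entry `"unkown:134"` is misspelled and will appear that way in log output; it should read `"unknown:134"`.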
38949 diff -urNp linux-2.6.35.4/grsecurity/gracl_learn.c linux-2.6.35.4/grsecurity/gracl_learn.c
38950 --- linux-2.6.35.4/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
38951 +++ linux-2.6.35.4/grsecurity/gracl_learn.c 2010-09-17 20:12:37.000000000 -0400
38953 +#include <linux/kernel.h>
38954 +#include <linux/mm.h>
38955 +#include <linux/sched.h>
38956 +#include <linux/poll.h>
38957 +#include <linux/smp_lock.h>
38958 +#include <linux/string.h>
38959 +#include <linux/file.h>
38960 +#include <linux/types.h>
38961 +#include <linux/vmalloc.h>
38962 +#include <linux/grinternal.h>
38964 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
38965 + size_t count, loff_t *ppos);
38966 +extern int gr_acl_is_enabled(void);
38968 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
38969 +static int gr_learn_attached;
38971 +/* use a 512k buffer */
38972 +#define LEARN_BUFFER_SIZE (512 * 1024)
38974 +static DEFINE_SPINLOCK(gr_learn_lock);
38975 +static DECLARE_MUTEX(gr_learn_user_sem);
38977 +/* we need to maintain two buffers, so that the kernel context of grlearn
38978 + uses a semaphore around the userspace copying, and the other kernel contexts
38979 + use a spinlock when copying into the buffer, since they cannot sleep
38981 +static char *learn_buffer;
38982 +static char *learn_buffer_user;
38983 +static int learn_buffer_len;
38984 +static int learn_buffer_user_len;
38987 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
38989 + DECLARE_WAITQUEUE(wait, current);
38990 + ssize_t retval = 0;
38992 + add_wait_queue(&learn_wait, &wait);
38993 + set_current_state(TASK_INTERRUPTIBLE);
38995 + down(&gr_learn_user_sem);
38996 + spin_lock(&gr_learn_lock);
38997 + if (learn_buffer_len)
38999 + spin_unlock(&gr_learn_lock);
39000 + up(&gr_learn_user_sem);
39001 + if (file->f_flags & O_NONBLOCK) {
39002 + retval = -EAGAIN;
39005 + if (signal_pending(current)) {
39006 + retval = -ERESTARTSYS;
39013 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
39014 + learn_buffer_user_len = learn_buffer_len;
39015 + retval = learn_buffer_len;
39016 + learn_buffer_len = 0;
39018 + spin_unlock(&gr_learn_lock);
39020 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
39021 + retval = -EFAULT;
39023 + up(&gr_learn_user_sem);
39025 + set_current_state(TASK_RUNNING);
39026 + remove_wait_queue(&learn_wait, &wait);
39030 +static unsigned int
39031 +poll_learn(struct file * file, poll_table * wait)
39033 + poll_wait(file, &learn_wait, wait);
39035 + if (learn_buffer_len)
39036 + return (POLLIN | POLLRDNORM);
39042 +gr_clear_learn_entries(void)
39046 + down(&gr_learn_user_sem);
39047 + if (learn_buffer != NULL) {
39048 + spin_lock(&gr_learn_lock);
39049 + tmp = learn_buffer;
39050 + learn_buffer = NULL;
39051 + spin_unlock(&gr_learn_lock);
39052 + vfree(learn_buffer);
39054 + if (learn_buffer_user != NULL) {
39055 + vfree(learn_buffer_user);
39056 + learn_buffer_user = NULL;
39058 + learn_buffer_len = 0;
39059 + up(&gr_learn_user_sem);
39065 +gr_add_learn_entry(const char *fmt, ...)
39068 + unsigned int len;
39070 + if (!gr_learn_attached)
39073 + spin_lock(&gr_learn_lock);
39075 + /* leave a gap at the end so we know when it's "full" but don't have to
39076 + compute the exact length of the string we're trying to append
39078 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
39079 + spin_unlock(&gr_learn_lock);
39080 + wake_up_interruptible(&learn_wait);
39083 + if (learn_buffer == NULL) {
39084 + spin_unlock(&gr_learn_lock);
39088 + va_start(args, fmt);
39089 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
39092 + learn_buffer_len += len + 1;
39094 + spin_unlock(&gr_learn_lock);
39095 + wake_up_interruptible(&learn_wait);
39101 +open_learn(struct inode *inode, struct file *file)
39103 + if (file->f_mode & FMODE_READ && gr_learn_attached)
39105 + if (file->f_mode & FMODE_READ) {
39107 + down(&gr_learn_user_sem);
39108 + if (learn_buffer == NULL)
39109 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
39110 + if (learn_buffer_user == NULL)
39111 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
39112 + if (learn_buffer == NULL) {
39113 + retval = -ENOMEM;
39116 + if (learn_buffer_user == NULL) {
39117 + retval = -ENOMEM;
39120 + learn_buffer_len = 0;
39121 + learn_buffer_user_len = 0;
39122 + gr_learn_attached = 1;
39124 + up(&gr_learn_user_sem);
39131 +close_learn(struct inode *inode, struct file *file)
39135 + if (file->f_mode & FMODE_READ) {
39136 + down(&gr_learn_user_sem);
39137 + if (learn_buffer != NULL) {
39138 + spin_lock(&gr_learn_lock);
39139 + tmp = learn_buffer;
39140 + learn_buffer = NULL;
39141 + spin_unlock(&gr_learn_lock);
39144 + if (learn_buffer_user != NULL) {
39145 + vfree(learn_buffer_user);
39146 + learn_buffer_user = NULL;
39148 + learn_buffer_len = 0;
39149 + learn_buffer_user_len = 0;
39150 + gr_learn_attached = 0;
39151 + up(&gr_learn_user_sem);
39157 +const struct file_operations grsec_fops = {
39158 + .read = read_learn,
39159 + .write = write_grsec_handler,
39160 + .open = open_learn,
39161 + .release = close_learn,
39162 + .poll = poll_learn,
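Review bot: In gr_clear_learn_entries the buffer pointer is saved in `tmp` and `learn_buffer` is set to NULL under gr_learn_lock, but the free that follows is `vfree(learn_buffer);`, which by then frees NULL and leaks the 512k vmalloc area every time the learn entries are cleared. It should be `vfree(tmp);`. close_learn uses the same tmp/NULL sequence and its free call is not visible in this listing, so it is worth checking for the same slip. Separately, read_learn passes `learn_buffer_user_len` to copy_to_user and no visible line compares it with `count`; if that check really is absent, a reader that supplies a short buffer gets bytes written past the length it asked for.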
39164 diff -urNp linux-2.6.35.4/grsecurity/gracl_res.c linux-2.6.35.4/grsecurity/gracl_res.c
39165 --- linux-2.6.35.4/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
39166 +++ linux-2.6.35.4/grsecurity/gracl_res.c 2010-09-17 20:12:37.000000000 -0400
39168 +#include <linux/kernel.h>
39169 +#include <linux/sched.h>
39170 +#include <linux/gracl.h>
39171 +#include <linux/grinternal.h>
39173 +static const char *restab_log[] = {
39174 + [RLIMIT_CPU] = "RLIMIT_CPU",
39175 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39176 + [RLIMIT_DATA] = "RLIMIT_DATA",
39177 + [RLIMIT_STACK] = "RLIMIT_STACK",
39178 + [RLIMIT_CORE] = "RLIMIT_CORE",
39179 + [RLIMIT_RSS] = "RLIMIT_RSS",
39180 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
39181 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39182 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39183 + [RLIMIT_AS] = "RLIMIT_AS",
39184 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39185 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39186 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39187 + [RLIMIT_NICE] = "RLIMIT_NICE",
39188 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
39189 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
39190 + [GR_CRASH_RES] = "RLIMIT_CRASH"
39194 +gr_log_resource(const struct task_struct *task,
39195 + const int res, const unsigned long wanted, const int gt)
39197 + const struct cred *cred;
39198 + unsigned long rlim;
39200 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
39203 + // not yet supported resource
39204 + if (unlikely(!restab_log[res]))
39207 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
39208 + rlim = task_rlimit_max(task, res);
39210 + rlim = task_rlimit(task, res);
39212 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
39216 + cred = __task_cred(task);
39218 + if (res == RLIMIT_NPROC &&
39219 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
39220 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
39221 + goto out_rcu_unlock;
39222 + else if (res == RLIMIT_MEMLOCK &&
39223 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
39224 + goto out_rcu_unlock;
39225 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
39226 + goto out_rcu_unlock;
39227 + rcu_read_unlock();
39229 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
39233 + rcu_read_unlock();
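Review bot: gr_log_resource indexes `restab_log[res]` before anything checks that `res` lies inside the table, so a negative or too-large value reads outside the array, both in the `!restab_log[res]` test and in the gr_log_res_ulong2_str call. The callers are not visible here and may only ever pass valid RLIMIT_* constants, but a cheap guard makes the function safe on its own: `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))`. The table would also benefit from a one-line comment that `GR_CRASH_RES` is a grsecurity-specific slot rather than a kernel rlimit, since its label "RLIMIT_CRASH" reads like one.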
39236 diff -urNp linux-2.6.35.4/grsecurity/gracl_segv.c linux-2.6.35.4/grsecurity/gracl_segv.c
39237 --- linux-2.6.35.4/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
39238 +++ linux-2.6.35.4/grsecurity/gracl_segv.c 2010-09-17 20:12:37.000000000 -0400
39240 +#include <linux/kernel.h>
39241 +#include <linux/mm.h>
39242 +#include <asm/uaccess.h>
39243 +#include <asm/errno.h>
39244 +#include <asm/mman.h>
39245 +#include <net/sock.h>
39246 +#include <linux/file.h>
39247 +#include <linux/fs.h>
39248 +#include <linux/net.h>
39249 +#include <linux/in.h>
39250 +#include <linux/smp_lock.h>
39251 +#include <linux/slab.h>
39252 +#include <linux/types.h>
39253 +#include <linux/sched.h>
39254 +#include <linux/timer.h>
39255 +#include <linux/gracl.h>
39256 +#include <linux/grsecurity.h>
39257 +#include <linux/grinternal.h>
39259 +static struct crash_uid *uid_set;
39260 +static unsigned short uid_used;
39261 +static DEFINE_SPINLOCK(gr_uid_lock);
39262 +extern rwlock_t gr_inode_lock;
39263 +extern struct acl_subject_label *
39264 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
39265 + struct acl_role_label *role);
39266 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
39269 +gr_init_uidset(void)
39272 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
39275 + return uid_set ? 1 : 0;
39279 +gr_free_uidset(void)
39288 +gr_find_uid(const uid_t uid)
39290 + struct crash_uid *tmp = uid_set;
39292 + int low = 0, high = uid_used - 1, mid;
39294 + while (high >= low) {
39295 + mid = (low + high) >> 1;
39296 + buid = tmp[mid].uid;
39308 +static __inline__ void
39309 +gr_insertsort(void)
39311 + unsigned short i, j;
39312 + struct crash_uid index;
39314 + for (i = 1; i < uid_used; i++) {
39315 + index = uid_set[i];
39317 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
39318 + uid_set[j] = uid_set[j - 1];
39321 + uid_set[j] = index;
39327 +static __inline__ void
39328 +gr_insert_uid(const uid_t uid, const unsigned long expires)
39332 + if (uid_used == GR_UIDTABLE_MAX)
39335 + loc = gr_find_uid(uid);
39338 + uid_set[loc].expires = expires;
39342 + uid_set[uid_used].uid = uid;
39343 + uid_set[uid_used].expires = expires;
39352 +gr_remove_uid(const unsigned short loc)
39354 + unsigned short i;
39356 + for (i = loc + 1; i < uid_used; i++)
39357 + uid_set[i - 1] = uid_set[i];
39365 +gr_check_crash_uid(const uid_t uid)
39370 + if (unlikely(!gr_acl_is_enabled()))
39373 + spin_lock(&gr_uid_lock);
39374 + loc = gr_find_uid(uid);
39379 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
39380 + gr_remove_uid(loc);
39385 + spin_unlock(&gr_uid_lock);
39389 +static __inline__ int
39390 +proc_is_setxid(const struct cred *cred)
39392 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
39393 + cred->uid != cred->fsuid)
39395 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
39396 + cred->gid != cred->fsgid)
39401 +static __inline__ int
39402 +gr_fake_force_sig(int sig, struct task_struct *t)
39404 + unsigned long int flags;
39405 + int ret, blocked, ignored;
39406 + struct k_sigaction *action;
39408 + spin_lock_irqsave(&t->sighand->siglock, flags);
39409 + action = &t->sighand->action[sig-1];
39410 + ignored = action->sa.sa_handler == SIG_IGN;
39411 + blocked = sigismember(&t->blocked, sig);
39412 + if (blocked || ignored) {
39413 + action->sa.sa_handler = SIG_DFL;
39415 + sigdelset(&t->blocked, sig);
39416 + recalc_sigpending_and_wake(t);
39419 + if (action->sa.sa_handler == SIG_DFL)
39420 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
39421 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
39423 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
39429 +gr_handle_crash(struct task_struct *task, const int sig)
39431 + struct acl_subject_label *curr;
39432 + struct acl_subject_label *curr2;
39433 + struct task_struct *tsk, *tsk2;
39434 + const struct cred *cred;
39435 + const struct cred *cred2;
39437 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
39440 + if (unlikely(!gr_acl_is_enabled()))
39443 + curr = task->acl;
39445 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
39448 + if (time_before_eq(curr->expires, get_seconds())) {
39449 + curr->expires = 0;
39450 + curr->crashes = 0;
39455 + if (!curr->expires)
39456 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
39458 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39459 + time_after(curr->expires, get_seconds())) {
39461 + cred = __task_cred(task);
39462 + if (cred->uid && proc_is_setxid(cred)) {
39463 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39464 + spin_lock(&gr_uid_lock);
39465 + gr_insert_uid(cred->uid, curr->expires);
39466 + spin_unlock(&gr_uid_lock);
39467 + curr->expires = 0;
39468 + curr->crashes = 0;
39469 + read_lock(&tasklist_lock);
39470 + do_each_thread(tsk2, tsk) {
39471 + cred2 = __task_cred(tsk);
39472 + if (tsk != task && cred2->uid == cred->uid)
39473 + gr_fake_force_sig(SIGKILL, tsk);
39474 + } while_each_thread(tsk2, tsk);
39475 + read_unlock(&tasklist_lock);
39477 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39478 + read_lock(&tasklist_lock);
39479 + do_each_thread(tsk2, tsk) {
39480 + if (likely(tsk != task)) {
39481 + curr2 = tsk->acl;
39483 + if (curr2->device == curr->device &&
39484 + curr2->inode == curr->inode)
39485 + gr_fake_force_sig(SIGKILL, tsk);
39487 + } while_each_thread(tsk2, tsk);
39488 + read_unlock(&tasklist_lock);
39490 + rcu_read_unlock();
39497 +gr_check_crash_exec(const struct file *filp)
39499 + struct acl_subject_label *curr;
39501 + if (unlikely(!gr_acl_is_enabled()))
39504 + read_lock(&gr_inode_lock);
39505 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
39506 + filp->f_path.dentry->d_inode->i_sb->s_dev,
39508 + read_unlock(&gr_inode_lock);
39510 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
39511 + (!curr->crashes && !curr->expires))
39514 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39515 + time_after(curr->expires, get_seconds()))
39517 + else if (time_before_eq(curr->expires, get_seconds())) {
39518 + curr->crashes = 0;
39519 + curr->expires = 0;
39526 +gr_handle_alertkill(struct task_struct *task)
39528 + struct acl_subject_label *curracl;
39530 + struct task_struct *p, *p2;
39532 + if (unlikely(!gr_acl_is_enabled()))
39535 + curracl = task->acl;
39536 + curr_ip = task->signal->curr_ip;
39538 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
39539 + read_lock(&tasklist_lock);
39540 + do_each_thread(p2, p) {
39541 + if (p->signal->curr_ip == curr_ip)
39542 + gr_fake_force_sig(SIGKILL, p);
39543 + } while_each_thread(p2, p);
39544 + read_unlock(&tasklist_lock);
39545 + } else if (curracl->mode & GR_KILLPROC)
39546 + gr_fake_force_sig(SIGKILL, task);
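Review bot: gr_insert_uid stops at `if (uid_used == GR_UIDTABLE_MAX)` and, as far as the visible lines show, gives up without recording anything, so once the table is full a uid that tripped the crash limit in gr_handle_crash is not banned and gr_check_crash_uid will not find it. Expired entries are only dropped in gr_check_crash_uid when that same uid is looked up again, so stale entries can hold slots indefinitely. At minimum the limitation should be stated at the check: `/* table full: the ban for this uid is dropped; expired slots are only reclaimed in gr_check_crash_uid() */`. Reclaiming expired slots here before giving up would close the gap. The statement following the check is missing from this listing, so the early return is inferred.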
39550 diff -urNp linux-2.6.35.4/grsecurity/gracl_shm.c linux-2.6.35.4/grsecurity/gracl_shm.c
39551 --- linux-2.6.35.4/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
39552 +++ linux-2.6.35.4/grsecurity/gracl_shm.c 2010-09-17 20:12:37.000000000 -0400
39554 +#include <linux/kernel.h>
39555 +#include <linux/mm.h>
39556 +#include <linux/sched.h>
39557 +#include <linux/file.h>
39558 +#include <linux/ipc.h>
39559 +#include <linux/gracl.h>
39560 +#include <linux/grsecurity.h>
39561 +#include <linux/grinternal.h>
39564 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39565 + const time_t shm_createtime, const uid_t cuid, const int shmid)
39567 + struct task_struct *task;
39569 + if (!gr_acl_is_enabled())
39573 + read_lock(&tasklist_lock);
39575 + task = find_task_by_vpid(shm_cprid);
39577 + if (unlikely(!task))
39578 + task = find_task_by_vpid(shm_lapid);
39580 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
39581 + (task->pid == shm_lapid)) &&
39582 + (task->acl->mode & GR_PROTSHM) &&
39583 + (task->acl != current->acl))) {
39584 + read_unlock(&tasklist_lock);
39585 + rcu_read_unlock();
39586 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
39589 + read_unlock(&tasklist_lock);
39590 + rcu_read_unlock();
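Review bot: The four-clause condition in gr_handle_shmat that decides whether the attach is logged has no comment, and it is the whole policy of this function. I would add above it: `/* refuse when the creator (or, if it is gone, the last attacher) is a live task whose subject has GR_PROTSHM and differs from ours */`. The `time_before_eq(task->start_time.tv_sec, shm_createtime)` clause appears to guard against a recycled pid being mistaken for the creator; if that is the intent it deserves its own short note, because the `task->pid == shm_lapid` alternative bypasses it. The function's return statements are not visible in this listing.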
39594 diff -urNp linux-2.6.35.4/grsecurity/grsec_chdir.c linux-2.6.35.4/grsecurity/grsec_chdir.c
39595 --- linux-2.6.35.4/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
39596 +++ linux-2.6.35.4/grsecurity/grsec_chdir.c 2010-09-17 20:12:37.000000000 -0400
39598 +#include <linux/kernel.h>
39599 +#include <linux/sched.h>
39600 +#include <linux/fs.h>
39601 +#include <linux/file.h>
39602 +#include <linux/grsecurity.h>
39603 +#include <linux/grinternal.h>
39606 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
39608 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
39609 + if ((grsec_enable_chdir && grsec_enable_group &&
39610 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
39611 + !grsec_enable_group)) {
39612 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
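Review bot: The audit condition in gr_log_chdir tests `grsec_enable_chdir` twice across two OR-ed branches, which makes the group filter harder to read than it needs to be. It reduces to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))) {` with the same evaluation order for in_group_p(). gr_handle_exec_args in grsec_exec.c uses the same doubled form, negated, for `grsec_enable_execlog` and would read better with the same rewrite.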
39617 diff -urNp linux-2.6.35.4/grsecurity/grsec_chroot.c linux-2.6.35.4/grsecurity/grsec_chroot.c
39618 --- linux-2.6.35.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
39619 +++ linux-2.6.35.4/grsecurity/grsec_chroot.c 2010-09-17 20:12:37.000000000 -0400
39621 +#include <linux/kernel.h>
39622 +#include <linux/module.h>
39623 +#include <linux/sched.h>
39624 +#include <linux/file.h>
39625 +#include <linux/fs.h>
39626 +#include <linux/mount.h>
39627 +#include <linux/types.h>
39628 +#include <linux/pid_namespace.h>
39629 +#include <linux/grsecurity.h>
39630 +#include <linux/grinternal.h>
39632 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
39634 +#ifdef CONFIG_GRKERNSEC
39635 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
39636 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
39637 + task->gr_is_chrooted = 1;
39639 + task->gr_is_chrooted = 0;
39641 + task->gr_chroot_dentry = path->dentry;
39646 +void gr_clear_chroot_entries(struct task_struct *task)
39648 +#ifdef CONFIG_GRKERNSEC
39649 + task->gr_is_chrooted = 0;
39650 + task->gr_chroot_dentry = NULL;
39656 +gr_handle_chroot_unix(const pid_t pid)
39658 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39659 + struct pid *spid = NULL;
39661 + if (unlikely(!grsec_enable_chroot_unix))
39664 + if (likely(!proc_is_chrooted(current)))
39668 + read_lock(&tasklist_lock);
39670 + spid = find_vpid(pid);
39672 + struct task_struct *p;
39673 + p = pid_task(spid, PIDTYPE_PID);
39674 + if (unlikely(!have_same_root(current, p))) {
39675 + read_unlock(&tasklist_lock);
39676 + rcu_read_unlock();
39677 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
39681 + read_unlock(&tasklist_lock);
39682 + rcu_read_unlock();
39688 +gr_handle_chroot_nice(void)
39690 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39691 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
39692 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
39700 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
39702 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39703 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
39704 + && proc_is_chrooted(current)) {
39705 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
39713 +gr_handle_chroot_rawio(const struct inode *inode)
39715 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39716 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
39717 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
39724 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
39726 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39727 + struct task_struct *p;
39729 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
39732 + read_lock(&tasklist_lock);
39733 + do_each_pid_task(pid, type, p) {
39734 + if (!have_same_root(current, p)) {
39738 + } while_each_pid_task(pid, type, p);
39740 + read_unlock(&tasklist_lock);
39747 +gr_pid_is_chrooted(struct task_struct *p)
39749 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39750 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
39753 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
39754 + !have_same_root(current, p)) {
39761 +EXPORT_SYMBOL(gr_pid_is_chrooted);
39763 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
39764 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
39766 + struct dentry *dentry = (struct dentry *)u_dentry;
39767 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
39768 + struct dentry *realroot;
39769 + struct vfsmount *realrootmnt;
39770 + struct dentry *currentroot;
39771 + struct vfsmount *currentmnt;
39772 + struct task_struct *reaper = &init_task;
39775 + read_lock(&reaper->fs->lock);
39776 + realrootmnt = mntget(reaper->fs->root.mnt);
39777 + realroot = dget(reaper->fs->root.dentry);
39778 + read_unlock(&reaper->fs->lock);
39780 + read_lock(¤t->fs->lock);
39781 + currentmnt = mntget(current->fs->root.mnt);
39782 + currentroot = dget(current->fs->root.dentry);
39783 + read_unlock(¤t->fs->lock);
39785 + spin_lock(&dcache_lock);
39787 + if (unlikely((dentry == realroot && mnt == realrootmnt)
39788 + || (dentry == currentroot && mnt == currentmnt)))
39790 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
39791 + if (mnt->mnt_parent == mnt)
39793 + dentry = mnt->mnt_mountpoint;
39794 + mnt = mnt->mnt_parent;
39797 + dentry = dentry->d_parent;
39799 + spin_unlock(&dcache_lock);
39801 + dput(currentroot);
39802 + mntput(currentmnt);
39804 + /* access is outside of chroot */
39805 + if (dentry == realroot && mnt == realrootmnt)
39809 + mntput(realrootmnt);
39815 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
39817 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39818 + if (!grsec_enable_chroot_fchdir)
39821 + if (!proc_is_chrooted(current))
39823 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
39824 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
39832 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39833 + const time_t shm_createtime)
39835 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39836 + struct pid *pid = NULL;
39837 + time_t starttime;
39839 + if (unlikely(!grsec_enable_chroot_shmat))
39842 + if (likely(!proc_is_chrooted(current)))
39846 + read_lock(&tasklist_lock);
39848 + pid = find_vpid(shm_cprid);
39850 + struct task_struct *p;
39851 + p = pid_task(pid, PIDTYPE_PID);
39852 + starttime = p->start_time.tv_sec;
39853 + if (unlikely(!have_same_root(current, p) &&
39854 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
39855 + read_unlock(&tasklist_lock);
39856 + rcu_read_unlock();
39857 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39861 + pid = find_vpid(shm_lapid);
39863 + struct task_struct *p;
39864 + p = pid_task(pid, PIDTYPE_PID);
39865 + if (unlikely(!have_same_root(current, p))) {
39866 + read_unlock(&tasklist_lock);
39867 + rcu_read_unlock();
39868 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39874 + read_unlock(&tasklist_lock);
39875 + rcu_read_unlock();
39881 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
39883 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39884 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
39885 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
39891 +gr_handle_chroot_mknod(const struct dentry *dentry,
39892 + const struct vfsmount *mnt, const int mode)
39894 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39895 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
39896 + proc_is_chrooted(current)) {
39897 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
39905 +gr_handle_chroot_mount(const struct dentry *dentry,
39906 + const struct vfsmount *mnt, const char *dev_name)
39908 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39909 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
39910 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
39918 +gr_handle_chroot_pivot(void)
39920 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39921 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
39922 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
39930 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
39932 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39933 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
39934 + !gr_is_outside_chroot(dentry, mnt)) {
39935 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
39943 +gr_handle_chroot_caps(struct path *path)
39945 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39946 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
39947 + (init_task.fs->root.dentry != path->dentry) &&
39948 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
39950 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
39951 + const struct cred *old = current_cred();
39952 + struct cred *new = prepare_creds();
39956 + new->cap_permitted = cap_drop(old->cap_permitted,
39958 + new->cap_inheritable = cap_drop(old->cap_inheritable,
39960 + new->cap_effective = cap_drop(old->cap_effective,
39963 + commit_creds(new);
39972 +gr_handle_chroot_sysctl(const int op)
39974 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
39975 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
39976 + proc_is_chrooted(current))
39983 +gr_handle_chroot_chdir(struct path *path)
39985 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
39986 + if (grsec_enable_chroot_chdir)
39987 + set_fs_pwd(current->fs, path);
39993 +gr_handle_chroot_chmod(const struct dentry *dentry,
39994 + const struct vfsmount *mnt, const int mode)
39996 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
39997 + if (grsec_enable_chroot_chmod &&
39998 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
39999 + proc_is_chrooted(current)) {
40000 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40007 +#ifdef CONFIG_SECURITY
40008 +EXPORT_SYMBOL(gr_handle_chroot_caps);
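Review bot: gr_chroot_shmat dereferences the result of `pid_task(pid, PIDTYPE_PID)` immediately in `starttime = p->start_time.tv_sec;`, but pid_task() returns NULL when the struct pid has no task attached for that type, and a successful find_vpid() does not rule that out. The same unchecked `p` is passed to have_same_root() in the shm_lapid branch and in gr_handle_chroot_unix. Each site should test the pointer first, for example `if (unlikely(p && !have_same_root(current, p))) {` in gr_handle_chroot_unix, and the start-time read should be skipped when `p` is NULL. have_same_root() is defined outside this page, so whether it tolerates a NULL task cannot be confirmed from here.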
40010 diff -urNp linux-2.6.35.4/grsecurity/grsec_disabled.c linux-2.6.35.4/grsecurity/grsec_disabled.c
40011 --- linux-2.6.35.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
40012 +++ linux-2.6.35.4/grsecurity/grsec_disabled.c 2010-09-17 20:12:37.000000000 -0400
40014 +#include <linux/kernel.h>
40015 +#include <linux/module.h>
40016 +#include <linux/sched.h>
40017 +#include <linux/file.h>
40018 +#include <linux/fs.h>
40019 +#include <linux/kdev_t.h>
40020 +#include <linux/net.h>
40021 +#include <linux/in.h>
40022 +#include <linux/ip.h>
40023 +#include <linux/skbuff.h>
40024 +#include <linux/sysctl.h>
40026 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40028 +pax_set_initial_flags(struct linux_binprm *bprm)
40034 +#ifdef CONFIG_SYSCTL
40036 +gr_handle_sysctl(const struct ctl_table * table, const int op)
40042 +#ifdef CONFIG_TASKSTATS
40043 +int gr_is_taskstats_denied(int pid)
40050 +gr_acl_is_enabled(void)
40056 +gr_handle_rawio(const struct inode *inode)
40062 +gr_acl_handle_psacct(struct task_struct *task, const long code)
40068 +gr_handle_ptrace(struct task_struct *task, const long request)
40074 +gr_handle_proc_ptrace(struct task_struct *task)
40080 +gr_learn_resource(const struct task_struct *task,
40081 + const int res, const unsigned long wanted, const int gt)
40087 +gr_set_acls(const int type)
40093 +gr_check_hidden_task(const struct task_struct *tsk)
40099 +gr_check_protected_task(const struct task_struct *task)
40105 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
40111 +gr_copy_label(struct task_struct *tsk)
40117 +gr_set_pax_flags(struct task_struct *task)
40123 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
40124 + const int unsafe_share)
40130 +gr_handle_delete(const ino_t ino, const dev_t dev)
40136 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
40142 +gr_handle_crash(struct task_struct *task, const int sig)
40148 +gr_check_crash_exec(const struct file *filp)
40154 +gr_check_crash_uid(const uid_t uid)
40160 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
40161 + struct dentry *old_dentry,
40162 + struct dentry *new_dentry,
40163 + struct vfsmount *mnt, const __u8 replace)
40169 +gr_search_socket(const int family, const int type, const int protocol)
40175 +gr_search_connectbind(const int mode, const struct socket *sock,
40176 + const struct sockaddr_in *addr)
40182 +gr_is_capable(const int cap)
40188 +gr_is_capable_nolog(const int cap)
40194 +gr_handle_alertkill(struct task_struct *task)
40200 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
40206 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40207 + const struct vfsmount * mnt)
40213 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40220 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40226 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
40232 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
40233 + unsigned int *vm_flags)
40239 +gr_acl_handle_truncate(const struct dentry * dentry,
40240 + const struct vfsmount * mnt)
40246 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
40252 +gr_acl_handle_access(const struct dentry * dentry,
40253 + const struct vfsmount * mnt, const int fmode)
40259 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
40266 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
40273 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
40279 +grsecurity_init(void)
40285 +gr_acl_handle_mknod(const struct dentry * new_dentry,
40286 + const struct dentry * parent_dentry,
40287 + const struct vfsmount * parent_mnt,
40294 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
40295 + const struct dentry * parent_dentry,
40296 + const struct vfsmount * parent_mnt)
40302 +gr_acl_handle_symlink(const struct dentry * new_dentry,
40303 + const struct dentry * parent_dentry,
40304 + const struct vfsmount * parent_mnt, const char *from)
40310 +gr_acl_handle_link(const struct dentry * new_dentry,
40311 + const struct dentry * parent_dentry,
40312 + const struct vfsmount * parent_mnt,
40313 + const struct dentry * old_dentry,
40314 + const struct vfsmount * old_mnt, const char *to)
40320 +gr_acl_handle_rename(const struct dentry *new_dentry,
40321 + const struct dentry *parent_dentry,
40322 + const struct vfsmount *parent_mnt,
40323 + const struct dentry *old_dentry,
40324 + const struct inode *old_parent_inode,
40325 + const struct vfsmount *old_mnt, const char *newname)
40331 +gr_acl_handle_filldir(const struct file *file, const char *name,
40332 + const int namelen, const ino_t ino)
40338 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40339 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40345 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
40351 +gr_search_accept(const struct socket *sock)
40357 +gr_search_listen(const struct socket *sock)
40363 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
40369 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
40375 +gr_acl_handle_creat(const struct dentry * dentry,
40376 + const struct dentry * p_dentry,
40377 + const struct vfsmount * p_mnt, const int fmode,
40384 +gr_acl_handle_exit(void)
40390 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
40396 +gr_set_role_label(const uid_t uid, const gid_t gid)
40402 +gr_acl_handle_procpidmem(const struct task_struct *task)
40408 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
40414 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
40420 +gr_set_kernel_label(struct task_struct *task)
40426 +gr_check_user_change(int real, int effective, int fs)
40432 +gr_check_group_change(int real, int effective, int fs)
40437 +EXPORT_SYMBOL(gr_is_capable);
40438 +EXPORT_SYMBOL(gr_is_capable_nolog);
40439 +EXPORT_SYMBOL(gr_learn_resource);
40440 +EXPORT_SYMBOL(gr_set_kernel_label);
40441 +#ifdef CONFIG_SECURITY
40442 +EXPORT_SYMBOL(gr_check_user_change);
40443 +EXPORT_SYMBOL(gr_check_group_change);
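Review bot: Several stubs here no longer match the real definitions shown earlier on this page: `gr_search_bind`, `gr_search_connect`, `gr_search_listen`, `gr_search_accept` and `gr_search_udp_sendmsg` take const-qualified pointers in this file but plain `struct socket *` / `struct sock *` / `struct sockaddr_in *` there, and `gr_search_connectbind` has three parameters here while the other file calls it with four. This file's include list contains neither `linux/grsecurity.h` nor `linux/grinternal.h`, so the compiler has nothing to check the stubs against. Assuming the prototypes are declared in one of those headers, adding `#include <linux/grsecurity.h>` and aligning the qualifiers would turn future drift into a build error. The stub bodies are not visible in this listing.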
40445 diff -urNp linux-2.6.35.4/grsecurity/grsec_exec.c linux-2.6.35.4/grsecurity/grsec_exec.c
40446 --- linux-2.6.35.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
40447 +++ linux-2.6.35.4/grsecurity/grsec_exec.c 2010-09-17 20:12:37.000000000 -0400
40449 +#include <linux/kernel.h>
40450 +#include <linux/sched.h>
40451 +#include <linux/file.h>
40452 +#include <linux/binfmts.h>
40453 +#include <linux/smp_lock.h>
40454 +#include <linux/fs.h>
40455 +#include <linux/types.h>
40456 +#include <linux/grdefs.h>
40457 +#include <linux/grinternal.h>
40458 +#include <linux/capability.h>
40460 +#include <asm/uaccess.h>
40462 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40463 +static char gr_exec_arg_buf[132];
40464 +static DECLARE_MUTEX(gr_exec_arg_sem);
40468 +gr_handle_nproc(void)
40470 +#ifdef CONFIG_GRKERNSEC_EXECVE
40471 + const struct cred *cred = current_cred();
40472 + if (grsec_enable_execve && cred->user &&
40473 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
40474 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
40475 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
40483 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
40485 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40486 + char *grarg = gr_exec_arg_buf;
40487 + unsigned int i, x, execlen = 0;
40490 + if (!((grsec_enable_execlog && grsec_enable_group &&
40491 + in_group_p(grsec_audit_gid))
40492 + || (grsec_enable_execlog && !grsec_enable_group)))
40495 + down(&gr_exec_arg_sem);
40496 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
40498 + if (unlikely(argv == NULL))
40501 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
40502 + const char __user *p;
40503 + unsigned int len;
40505 + if (copy_from_user(&p, argv + i, sizeof(p)))
40509 + len = strnlen_user(p, 128 - execlen);
40510 + if (len > 128 - execlen)
40511 + len = 128 - execlen;
40512 + else if (len > 0)
40514 + if (copy_from_user(grarg + execlen, p, len))
40517 + /* rewrite unprintable characters */
40518 + for (x = 0; x < len; x++) {
40519 + c = *(grarg + execlen + x);
40520 + if (c < 32 || c > 126)
40521 + *(grarg + execlen + x) = ' ';
40525 + *(grarg + execlen) = ' ';
40526 + *(grarg + execlen + 1) = '\0';
40531 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
40532 + bprm->file->f_path.mnt, grarg);
40533 + up(&gr_exec_arg_sem);
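Review bot: The literals `132` and `128` in gr_handle_exec_args are linked only by convention: the buffer is declared `gr_exec_arg_buf[132]`, the loop and both clamps use `128`, and the two trailing stores at `grarg + execlen` and `grarg + execlen + 1` stay in bounds only while the array is at least two bytes larger than that limit. A named bound, e.g. `#define GR_EXEC_ARG_MAX 128` with `static char gr_exec_arg_buf[GR_EXEC_ARG_MAX + 4];`, would keep that relationship visible to whoever changes either number. It is also worth a comment that the bytes fetched by the second `copy_from_user` may differ from what `strnlen_user` measured. That is harmless here only because the copy is clamped to `len` and every byte outside 32..126 is rewritten to a space before logging. Several short lines of this function are not shown on the page, so the increment of `execlen` is assumed rather than visible.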
40537 diff -urNp linux-2.6.35.4/grsecurity/grsec_fifo.c linux-2.6.35.4/grsecurity/grsec_fifo.c
40538 --- linux-2.6.35.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
40539 +++ linux-2.6.35.4/grsecurity/grsec_fifo.c 2010-09-17 20:12:37.000000000 -0400
40541 +#include <linux/kernel.h>
40542 +#include <linux/sched.h>
40543 +#include <linux/fs.h>
40544 +#include <linux/file.h>
40545 +#include <linux/grinternal.h>
40548 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
40549 + const struct dentry *dir, const int flag, const int acc_mode)
40551 +#ifdef CONFIG_GRKERNSEC_FIFO
40552 + const struct cred *cred = current_cred();
40554 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
40555 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
40556 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
40557 + (cred->fsuid != dentry->d_inode->i_uid)) {
40558 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
40559 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
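Review bot: gr_handle_fifo needs a comment on the `generic_permission()` test, because the log call fires only when that function returns 0, i.e. when the ordinary permission check would have allowed the open. The alert therefore means "this restriction stopped an otherwise permitted open of another user's FIFO in a sticky directory", which is not obvious from the condition. Something like `/* log only when DAC alone would have allowed the open */` above the inner `if` would do. The return statements are not shown on the page, so whether the denial itself also depends on this test cannot be confirmed from here.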
40565 diff -urNp linux-2.6.35.4/grsecurity/grsec_fork.c linux-2.6.35.4/grsecurity/grsec_fork.c
40566 --- linux-2.6.35.4/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
40567 +++ linux-2.6.35.4/grsecurity/grsec_fork.c 2010-09-17 20:12:37.000000000 -0400
40569 +#include <linux/kernel.h>
40570 +#include <linux/sched.h>
40571 +#include <linux/grsecurity.h>
40572 +#include <linux/grinternal.h>
40573 +#include <linux/errno.h>
40576 +gr_log_forkfail(const int retval)
40578 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40579 + if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
40580 + gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
40584 diff -urNp linux-2.6.35.4/grsecurity/grsec_init.c linux-2.6.35.4/grsecurity/grsec_init.c
40585 --- linux-2.6.35.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
40586 +++ linux-2.6.35.4/grsecurity/grsec_init.c 2010-09-17 20:12:37.000000000 -0400
40588 +#include <linux/kernel.h>
40589 +#include <linux/sched.h>
40590 +#include <linux/mm.h>
40591 +#include <linux/smp_lock.h>
40592 +#include <linux/gracl.h>
40593 +#include <linux/slab.h>
40594 +#include <linux/vmalloc.h>
40595 +#include <linux/percpu.h>
40596 +#include <linux/module.h>
40598 +int grsec_enable_link;
40599 +int grsec_enable_dmesg;
40600 +int grsec_enable_harden_ptrace;
40601 +int grsec_enable_fifo;
40602 +int grsec_enable_execve;
40603 +int grsec_enable_execlog;
40604 +int grsec_enable_signal;
40605 +int grsec_enable_forkfail;
40606 +int grsec_enable_audit_ptrace;
40607 +int grsec_enable_time;
40608 +int grsec_enable_audit_textrel;
40609 +int grsec_enable_group;
40610 +int grsec_audit_gid;
40611 +int grsec_enable_chdir;
40612 +int grsec_enable_mount;
40613 +int grsec_enable_rofs;
40614 +int grsec_enable_chroot_findtask;
40615 +int grsec_enable_chroot_mount;
40616 +int grsec_enable_chroot_shmat;
40617 +int grsec_enable_chroot_fchdir;
40618 +int grsec_enable_chroot_double;
40619 +int grsec_enable_chroot_pivot;
40620 +int grsec_enable_chroot_chdir;
40621 +int grsec_enable_chroot_chmod;
40622 +int grsec_enable_chroot_mknod;
40623 +int grsec_enable_chroot_nice;
40624 +int grsec_enable_chroot_execlog;
40625 +int grsec_enable_chroot_caps;
40626 +int grsec_enable_chroot_sysctl;
40627 +int grsec_enable_chroot_unix;
40628 +int grsec_enable_tpe;
40629 +int grsec_tpe_gid;
40630 +int grsec_enable_blackhole;
40631 +#ifdef CONFIG_IPV6_MODULE
40632 +EXPORT_SYMBOL(grsec_enable_blackhole);
40634 +int grsec_lastack_retries;
40635 +int grsec_enable_tpe_all;
40636 +int grsec_enable_tpe_invert;
40637 +int grsec_enable_socket_all;
40638 +int grsec_socket_all_gid;
40639 +int grsec_enable_socket_client;
40640 +int grsec_socket_client_gid;
40641 +int grsec_enable_socket_server;
40642 +int grsec_socket_server_gid;
40643 +int grsec_resource_logging;
40644 +int grsec_disable_privio;
40647 +DEFINE_SPINLOCK(grsec_alert_lock);
40648 +unsigned long grsec_alert_wtime = 0;
40649 +unsigned long grsec_alert_fyet = 0;
40651 +DEFINE_SPINLOCK(grsec_audit_lock);
40653 +DEFINE_RWLOCK(grsec_exec_file_lock);
40655 +char *gr_shared_page[4];
40657 +char *gr_alert_log_fmt;
40658 +char *gr_audit_log_fmt;
40659 +char *gr_alert_log_buf;
40660 +char *gr_audit_log_buf;
40662 +extern struct gr_arg *gr_usermode;
40663 +extern unsigned char *gr_system_salt;
40664 +extern unsigned char *gr_system_sum;
40667 +grsecurity_init(void)
40670 + /* create the per-cpu shared pages */
40673 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
40676 + for (j = 0; j < 4; j++) {
40677 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
40678 + if (gr_shared_page[j] == NULL) {
40679 + panic("Unable to allocate grsecurity shared page");
40684 + /* allocate log buffers */
40685 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
40686 + if (!gr_alert_log_fmt) {
40687 + panic("Unable to allocate grsecurity alert log format buffer");
40690 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
40691 + if (!gr_audit_log_fmt) {
40692 + panic("Unable to allocate grsecurity audit log format buffer");
40695 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40696 + if (!gr_alert_log_buf) {
40697 + panic("Unable to allocate grsecurity alert log buffer");
40700 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40701 + if (!gr_audit_log_buf) {
40702 + panic("Unable to allocate grsecurity audit log buffer");
40706 + /* allocate memory for authentication structure */
40707 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
40708 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
40709 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
40711 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
40712 + panic("Unable to allocate grsecurity authentication structure");
40717 +#ifdef CONFIG_GRKERNSEC_IO
40718 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
40719 + grsec_disable_privio = 1;
40720 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40721 + grsec_disable_privio = 1;
40723 + grsec_disable_privio = 0;
40727 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40728 + /* for backward compatibility, tpe_invert always defaults to on if
40729 + enabled in the kernel
40731 + grsec_enable_tpe_invert = 1;
40734 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40735 +#ifndef CONFIG_GRKERNSEC_SYSCTL
40739 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40740 + grsec_enable_audit_textrel = 1;
40742 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
40743 + grsec_enable_group = 1;
40744 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
40746 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40747 + grsec_enable_chdir = 1;
40749 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40750 + grsec_enable_harden_ptrace = 1;
40752 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
40753 + grsec_enable_mount = 1;
40755 +#ifdef CONFIG_GRKERNSEC_LINK
40756 + grsec_enable_link = 1;
40758 +#ifdef CONFIG_GRKERNSEC_DMESG
40759 + grsec_enable_dmesg = 1;
40761 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
40762 + grsec_enable_blackhole = 1;
40763 + grsec_lastack_retries = 4;
40765 +#ifdef CONFIG_GRKERNSEC_FIFO
40766 + grsec_enable_fifo = 1;
40768 +#ifdef CONFIG_GRKERNSEC_EXECVE
40769 + grsec_enable_execve = 1;
40771 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40772 + grsec_enable_execlog = 1;
40774 +#ifdef CONFIG_GRKERNSEC_SIGNAL
40775 + grsec_enable_signal = 1;
40777 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40778 + grsec_enable_forkfail = 1;
40780 +#ifdef CONFIG_GRKERNSEC_TIME
40781 + grsec_enable_time = 1;
40783 +#ifdef CONFIG_GRKERNSEC_RESLOG
40784 + grsec_resource_logging = 1;
40786 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40787 + grsec_enable_chroot_findtask = 1;
40789 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40790 + grsec_enable_chroot_unix = 1;
40792 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40793 + grsec_enable_chroot_mount = 1;
40795 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40796 + grsec_enable_chroot_fchdir = 1;
40798 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40799 + grsec_enable_chroot_shmat = 1;
40801 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
40802 + grsec_enable_audit_ptrace = 1;
40804 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40805 + grsec_enable_chroot_double = 1;
40807 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40808 + grsec_enable_chroot_pivot = 1;
40810 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40811 + grsec_enable_chroot_chdir = 1;
40813 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40814 + grsec_enable_chroot_chmod = 1;
40816 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40817 + grsec_enable_chroot_mknod = 1;
40819 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40820 + grsec_enable_chroot_nice = 1;
40822 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40823 + grsec_enable_chroot_execlog = 1;
40825 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40826 + grsec_enable_chroot_caps = 1;
40828 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40829 + grsec_enable_chroot_sysctl = 1;
40831 +#ifdef CONFIG_GRKERNSEC_TPE
40832 + grsec_enable_tpe = 1;
40833 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
40834 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
40835 + grsec_enable_tpe_all = 1;
40838 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
40839 + grsec_enable_socket_all = 1;
40840 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
40842 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
40843 + grsec_enable_socket_client = 1;
40844 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
40846 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
40847 + grsec_enable_socket_server = 1;
40848 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
40854 diff -urNp linux-2.6.35.4/grsecurity/grsec_link.c linux-2.6.35.4/grsecurity/grsec_link.c
40855 --- linux-2.6.35.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
40856 +++ linux-2.6.35.4/grsecurity/grsec_link.c 2010-09-17 20:12:37.000000000 -0400
40858 +#include <linux/kernel.h>
40859 +#include <linux/sched.h>
40860 +#include <linux/fs.h>
40861 +#include <linux/file.h>
40862 +#include <linux/grinternal.h>
40865 +gr_handle_follow_link(const struct inode *parent,
40866 + const struct inode *inode,
40867 + const struct dentry *dentry, const struct vfsmount *mnt)
40869 +#ifdef CONFIG_GRKERNSEC_LINK
40870 + const struct cred *cred = current_cred();
40872 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
40873 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
40874 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
40875 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
40883 +gr_handle_hardlink(const struct dentry *dentry,
40884 + const struct vfsmount *mnt,
40885 + struct inode *inode, const int mode, const char *to)
40887 +#ifdef CONFIG_GRKERNSEC_LINK
40888 + const struct cred *cred = current_cred();
40890 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
40891 + (!S_ISREG(mode) || (mode & S_ISUID) ||
40892 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
40893 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
40894 + !capable(CAP_FOWNER) && cred->uid) {
40895 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
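Review bot: The condition in gr_handle_hardlink is easy to misread at the `generic_permission(inode, MAY_READ | MAY_WRITE, NULL)` clause: that call returns non-zero on denial, so the clause is true when the caller lacks read and write access to the target. A short comment above the `if` would make the policy auditable, for example `/* refuse links to files the caller does not own when the target is special, setuid, setgid-executable, or not readable and writable by the caller */`. The same applies to gr_handle_follow_link, where the sticky, world-writable and owner-mismatch tests are combined with no statement of which symlink race they are meant to stop. The return statements of both functions are not shown on the page.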
40901 diff -urNp linux-2.6.35.4/grsecurity/grsec_log.c linux-2.6.35.4/grsecurity/grsec_log.c
40902 --- linux-2.6.35.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
40903 +++ linux-2.6.35.4/grsecurity/grsec_log.c 2010-09-17 20:12:37.000000000 -0400
40905 +#include <linux/kernel.h>
40906 +#include <linux/sched.h>
40907 +#include <linux/file.h>
40908 +#include <linux/tty.h>
40909 +#include <linux/fs.h>
40910 +#include <linux/grinternal.h>
40912 +#ifdef CONFIG_TREE_PREEMPT_RCU
40913 +#define DISABLE_PREEMPT() preempt_disable()
40914 +#define ENABLE_PREEMPT() preempt_enable()
40916 +#define DISABLE_PREEMPT()
40917 +#define ENABLE_PREEMPT()
40920 +#define BEGIN_LOCKS(x) \
40921 + DISABLE_PREEMPT(); \
40922 + rcu_read_lock(); \
40923 + read_lock(&tasklist_lock); \
40924 + read_lock(&grsec_exec_file_lock); \
40925 + if (x != GR_DO_AUDIT) \
40926 + spin_lock(&grsec_alert_lock); \
40928 + spin_lock(&grsec_audit_lock)
40930 +#define END_LOCKS(x) \
40931 + if (x != GR_DO_AUDIT) \
40932 + spin_unlock(&grsec_alert_lock); \
40934 + spin_unlock(&grsec_audit_lock); \
40935 + read_unlock(&grsec_exec_file_lock); \
40936 + read_unlock(&tasklist_lock); \
40937 + rcu_read_unlock(); \
40938 + ENABLE_PREEMPT(); \
40939 + if (x == GR_DONT_AUDIT) \
40940 + gr_handle_alertkill(current)
40947 +extern char *gr_alert_log_fmt;
40948 +extern char *gr_audit_log_fmt;
40949 +extern char *gr_alert_log_buf;
40950 +extern char *gr_audit_log_buf;
40952 +static int gr_log_start(int audit)
40954 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
40955 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
40956 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40958 + if (audit == GR_DO_AUDIT)
40961 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
40962 + grsec_alert_wtime = jiffies;
40963 + grsec_alert_fyet = 0;
40964 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
40965 + grsec_alert_fyet++;
40966 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
40967 + grsec_alert_wtime = jiffies;
40968 + grsec_alert_fyet++;
40969 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
40971 + } else return FLOODING;
40974 + memset(buf, 0, PAGE_SIZE);
40975 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
40976 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
40977 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
40978 + } else if (current->signal->curr_ip) {
40979 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
40980 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
40981 + } else if (gr_acl_is_enabled()) {
40982 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
40983 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
40985 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
40986 + strcpy(buf, fmt);
40989 + return NO_FLOODING;
40992 +static void gr_log_middle(int audit, const char *msg, va_list ap)
40993 + __attribute__ ((format (printf, 2, 0)));
40995 +static void gr_log_middle(int audit, const char *msg, va_list ap)
40997 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40998 + unsigned int len = strlen(buf);
41000 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41005 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41006 + __attribute__ ((format (printf, 2, 3)));
41008 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41010 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41011 + unsigned int len = strlen(buf);
41014 + va_start(ap, msg);
41015 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41021 +static void gr_log_end(int audit)
41023 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41024 + unsigned int len = strlen(buf);
41026 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
41027 + printk("%s\n", buf);
41032 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
41035 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
41036 + char *str1, *str2, *str3;
41039 + unsigned long ulong1, ulong2;
41040 + struct dentry *dentry;
41041 + struct vfsmount *mnt;
41042 + struct file *file;
41043 + struct task_struct *task;
41044 + const struct cred *cred, *pcred;
41047 + BEGIN_LOCKS(audit);
41048 + logtype = gr_log_start(audit);
41049 + if (logtype == FLOODING) {
41050 + END_LOCKS(audit);
41053 + va_start(ap, argtypes);
41054 + switch (argtypes) {
41055 + case GR_TTYSNIFF:
41056 + task = va_arg(ap, struct task_struct *);
41057 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
41059 + case GR_SYSCTL_HIDDEN:
41060 + str1 = va_arg(ap, char *);
41061 + gr_log_middle_varargs(audit, msg, result, str1);
41064 + dentry = va_arg(ap, struct dentry *);
41065 + mnt = va_arg(ap, struct vfsmount *);
41066 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
41068 + case GR_RBAC_STR:
41069 + dentry = va_arg(ap, struct dentry *);
41070 + mnt = va_arg(ap, struct vfsmount *);
41071 + str1 = va_arg(ap, char *);
41072 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
41074 + case GR_STR_RBAC:
41075 + str1 = va_arg(ap, char *);
41076 + dentry = va_arg(ap, struct dentry *);
41077 + mnt = va_arg(ap, struct vfsmount *);
41078 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
41080 + case GR_RBAC_MODE2:
41081 + dentry = va_arg(ap, struct dentry *);
41082 + mnt = va_arg(ap, struct vfsmount *);
41083 + str1 = va_arg(ap, char *);
41084 + str2 = va_arg(ap, char *);
41085 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
41087 + case GR_RBAC_MODE3:
41088 + dentry = va_arg(ap, struct dentry *);
41089 + mnt = va_arg(ap, struct vfsmount *);
41090 + str1 = va_arg(ap, char *);
41091 + str2 = va_arg(ap, char *);
41092 + str3 = va_arg(ap, char *);
41093 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
41095 + case GR_FILENAME:
41096 + dentry = va_arg(ap, struct dentry *);
41097 + mnt = va_arg(ap, struct vfsmount *);
41098 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
41100 + case GR_STR_FILENAME:
41101 + str1 = va_arg(ap, char *);
41102 + dentry = va_arg(ap, struct dentry *);
41103 + mnt = va_arg(ap, struct vfsmount *);
41104 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
41106 + case GR_FILENAME_STR:
41107 + dentry = va_arg(ap, struct dentry *);
41108 + mnt = va_arg(ap, struct vfsmount *);
41109 + str1 = va_arg(ap, char *);
41110 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
41112 + case GR_FILENAME_TWO_INT:
41113 + dentry = va_arg(ap, struct dentry *);
41114 + mnt = va_arg(ap, struct vfsmount *);
41115 + num1 = va_arg(ap, int);
41116 + num2 = va_arg(ap, int);
41117 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
41119 + case GR_FILENAME_TWO_INT_STR:
41120 + dentry = va_arg(ap, struct dentry *);
41121 + mnt = va_arg(ap, struct vfsmount *);
41122 + num1 = va_arg(ap, int);
41123 + num2 = va_arg(ap, int);
41124 + str1 = va_arg(ap, char *);
41125 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
41128 + file = va_arg(ap, struct file *);
41129 + ulong1 = va_arg(ap, unsigned long);
41130 + ulong2 = va_arg(ap, unsigned long);
41131 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
41134 + task = va_arg(ap, struct task_struct *);
41135 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
41137 + case GR_RESOURCE:
41138 + task = va_arg(ap, struct task_struct *);
41139 + cred = __task_cred(task);
41140 + pcred = __task_cred(task->parent);
41141 + ulong1 = va_arg(ap, unsigned long);
41142 + str1 = va_arg(ap, char *);
41143 + ulong2 = va_arg(ap, unsigned long);
41144 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41147 + task = va_arg(ap, struct task_struct *);
41148 + cred = __task_cred(task);
41149 + pcred = __task_cred(task->parent);
41150 + str1 = va_arg(ap, char *);
41151 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41154 + str1 = va_arg(ap, char *);
41155 + voidptr = va_arg(ap, void *);
41156 + gr_log_middle_varargs(audit, msg, str1, voidptr);
41159 + task = va_arg(ap, struct task_struct *);
41160 + cred = __task_cred(task);
41161 + pcred = __task_cred(task->parent);
41162 + num1 = va_arg(ap, int);
41163 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41166 + task = va_arg(ap, struct task_struct *);
41167 + cred = __task_cred(task);
41168 + pcred = __task_cred(task->parent);
41169 + ulong1 = va_arg(ap, unsigned long);
41170 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
41173 + task = va_arg(ap, struct task_struct *);
41174 + cred = __task_cred(task);
41175 + pcred = __task_cred(task->parent);
41176 + ulong1 = va_arg(ap, unsigned long);
41177 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
41181 + unsigned int wday, cday;
41185 + char cur_tty[64] = { 0 };
41186 + char parent_tty[64] = { 0 };
41188 + task = va_arg(ap, struct task_struct *);
41189 + wday = va_arg(ap, unsigned int);
41190 + cday = va_arg(ap, unsigned int);
41191 + whr = va_arg(ap, int);
41192 + chr = va_arg(ap, int);
41193 + wmin = va_arg(ap, int);
41194 + cmin = va_arg(ap, int);
41195 + wsec = va_arg(ap, int);
41196 + csec = va_arg(ap, int);
41197 + ulong1 = va_arg(ap, unsigned long);
41198 + cred = __task_cred(task);
41199 + pcred = __task_cred(task->parent);
41201 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41205 + gr_log_middle(audit, msg, ap);
41208 + gr_log_end(audit);
41209 + END_LOCKS(audit);
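Review bot: BEGIN_LOCKS and END_LOCKS expand to several bare statements, and END_LOCKS ends in an unbraced `if (x == GR_DONT_AUDIT)`, so either macro misbehaves if it is ever used as the body of an unbraced `if` or is followed by an `else`. Wrap each body in `do { ... } while (0)` and write the argument as `(x)`. gr_log_varargs already invokes both as statements terminated by `;`, so the call sites shown here need no change. Because END_LOCKS must release in exactly the reverse order of BEGIN_LOCKS, a short comment stating that order (preempt, RCU, tasklist_lock, grsec_exec_file_lock, then the alert or audit spinlock) would help later edits keep it intact. Some short lines of the macros are not shown on the page.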
41211 diff -urNp linux-2.6.35.4/grsecurity/grsec_mem.c linux-2.6.35.4/grsecurity/grsec_mem.c
41212 --- linux-2.6.35.4/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
41213 +++ linux-2.6.35.4/grsecurity/grsec_mem.c 2010-09-17 20:12:37.000000000 -0400
41215 +#include <linux/kernel.h>
41216 +#include <linux/sched.h>
41217 +#include <linux/mm.h>
41218 +#include <linux/mman.h>
41219 +#include <linux/grinternal.h>
41222 +gr_handle_ioperm(void)
41224 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
41229 +gr_handle_iopl(void)
41231 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
41236 +gr_handle_mem_write(void)
41238 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
41243 +gr_handle_kmem_write(void)
41245 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
41250 +gr_handle_open_port(void)
41252 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
41257 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
41259 + unsigned long start, end;
41262 + end = start + vma->vm_end - vma->vm_start;
41264 + if (start > end) {
41265 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41269 + /* allowed ranges : ISA I/O BIOS */
41270 + if ((start >= __pa(high_memory))
41271 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
41272 + || (start >= 0x000a0000 && end <= 0x00100000)
41273 + || (start >= 0x00000000 && end <= 0x00001000)
41278 + if (vma->vm_flags & VM_WRITE) {
41279 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41282 + vma->vm_flags &= ~VM_MAYWRITE;
41288 +gr_log_nonroot_mod_load(const char *modname)
41290 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
41295 +gr_handle_vm86(void)
41297 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
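Review bot: In gr_handle_mem_mmap the test `start >= 0x00000000` is always true because `start` is `unsigned long`, so the second allowed range is decided by `end <= 0x00001000` alone. Writing the clause as `|| (end <= 0x00001000)` states what is actually checked and avoids a type-limits warning. The comment `/* allowed ranges : ISA I/O BIOS */` could also say which range is which, since the first page and the 0xa0000-0x100000 window are listed without labels. The assignment to `start` and the return statements are not shown on the page.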
41300 diff -urNp linux-2.6.35.4/grsecurity/grsec_mount.c linux-2.6.35.4/grsecurity/grsec_mount.c
41301 --- linux-2.6.35.4/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
41302 +++ linux-2.6.35.4/grsecurity/grsec_mount.c 2010-09-17 20:12:37.000000000 -0400
41304 +#include <linux/kernel.h>
41305 +#include <linux/sched.h>
41306 +#include <linux/mount.h>
41307 +#include <linux/grsecurity.h>
41308 +#include <linux/grinternal.h>
41311 +gr_log_remount(const char *devname, const int retval)
41313 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41314 + if (grsec_enable_mount && (retval >= 0))
41315 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
41321 +gr_log_unmount(const char *devname, const int retval)
41323 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41324 + if (grsec_enable_mount && (retval >= 0))
41325 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
41331 +gr_log_mount(const char *from, const char *to, const int retval)
41333 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41334 + if (grsec_enable_mount && (retval >= 0))
41335 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
41341 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
41343 +#ifdef CONFIG_GRKERNSEC_ROFS
41344 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
41345 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
41354 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
41356 +#ifdef CONFIG_GRKERNSEC_ROFS
41357 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
41358 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
41359 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
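Review bot: gr_log_mount passes `from` and `to` straight to gr_log_str_str, while gr_log_remount and gr_log_unmount in the same file substitute `"none"` for a NULL `devname`. If the caller can pass a NULL device name here as well (not visible in this hunk), the audit line will carry whatever the formatter prints for a NULL string rather than the marker used by the other two messages. `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);` keeps the three records consistent for anyone parsing the audit log.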
41366 diff -urNp linux-2.6.35.4/grsecurity/grsec_ptrace.c linux-2.6.35.4/grsecurity/grsec_ptrace.c
41367 --- linux-2.6.35.4/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
41368 +++ linux-2.6.35.4/grsecurity/grsec_ptrace.c 2010-09-17 20:12:37.000000000 -0400
41370 +#include <linux/kernel.h>
41371 +#include <linux/sched.h>
41372 +#include <linux/grinternal.h>
41373 +#include <linux/grsecurity.h>
41376 +gr_audit_ptrace(struct task_struct *task)
41378 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41379 + if (grsec_enable_audit_ptrace)
41380 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
41384 diff -urNp linux-2.6.35.4/grsecurity/grsec_sig.c linux-2.6.35.4/grsecurity/grsec_sig.c
41385 --- linux-2.6.35.4/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
41386 +++ linux-2.6.35.4/grsecurity/grsec_sig.c 2010-09-17 20:12:37.000000000 -0400
41388 +#include <linux/kernel.h>
41389 +#include <linux/sched.h>
41390 +#include <linux/delay.h>
41391 +#include <linux/grsecurity.h>
41392 +#include <linux/grinternal.h>
41394 +char *signames[] = {
41395 + [SIGSEGV] = "Segmentation fault",
41396 + [SIGILL] = "Illegal instruction",
41397 + [SIGABRT] = "Abort",
41398 + [SIGBUS] = "Invalid alignment/Bus error"
41402 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
41404 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41405 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
41406 + (sig == SIGABRT) || (sig == SIGBUS))) {
41407 + if (t->pid == current->pid) {
41408 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
41410 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
41418 +gr_handle_signal(const struct task_struct *p, const int sig)
41420 +#ifdef CONFIG_GRKERNSEC
41421 + if (current->pid > 1 && gr_check_protected_task(p)) {
41422 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
41424 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
41431 +void gr_handle_brute_attach(struct task_struct *p)
41433 +#ifdef CONFIG_GRKERNSEC_BRUTE
41434 + read_lock(&tasklist_lock);
41435 + read_lock(&grsec_exec_file_lock);
41436 + if (p->parent && p->parent->exec_file == p->exec_file)
41437 + p->parent->brute = 1;
41438 + read_unlock(&grsec_exec_file_lock);
41439 + read_unlock(&tasklist_lock);
41444 +void gr_handle_brute_check(void)
41446 +#ifdef CONFIG_GRKERNSEC_BRUTE
41447 + if (current->brute)
41448 + msleep(30 * 1000);
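Review bot: `char *signames[]` is a writable global with external linkage and a very generic name, although the only use shown is the read in gr_log_signal. If nothing outside this file references it, `static const char * const signames[] = {` keeps it out of the kernel-wide namespace and lets the table sit in read-only data, in line with the constification done elsewhere in this patch. The parameter type of gr_log_sig_addr is not visible here and may need `const` as well. Separately, `msleep(30 * 1000)` in gr_handle_brute_check deserves a named constant and a comment saying the delay is a deliberate throttle applied once `brute` has been set on the task.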
41453 diff -urNp linux-2.6.35.4/grsecurity/grsec_sock.c linux-2.6.35.4/grsecurity/grsec_sock.c
41454 --- linux-2.6.35.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
41455 +++ linux-2.6.35.4/grsecurity/grsec_sock.c 2010-09-17 20:12:37.000000000 -0400
41457 +#include <linux/kernel.h>
41458 +#include <linux/module.h>
41459 +#include <linux/sched.h>
41460 +#include <linux/file.h>
41461 +#include <linux/net.h>
41462 +#include <linux/in.h>
41463 +#include <linux/ip.h>
41464 +#include <net/sock.h>
41465 +#include <net/inet_sock.h>
41466 +#include <linux/grsecurity.h>
41467 +#include <linux/grinternal.h>
41468 +#include <linux/gracl.h>
41470 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
41471 +EXPORT_SYMBOL(gr_cap_rtnetlink);
41473 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
41474 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
41476 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
41477 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
41479 +#ifdef CONFIG_UNIX_MODULE
41480 +EXPORT_SYMBOL(gr_acl_handle_unix);
41481 +EXPORT_SYMBOL(gr_acl_handle_mknod);
41482 +EXPORT_SYMBOL(gr_handle_chroot_unix);
41483 +EXPORT_SYMBOL(gr_handle_create);
41486 +#ifdef CONFIG_GRKERNSEC
41487 +#define gr_conn_table_size 32749
41488 +struct conn_table_entry {
41489 + struct conn_table_entry *next;
41490 + struct signal_struct *sig;
41493 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
41494 +DEFINE_SPINLOCK(gr_conn_table_lock);
41496 +extern const char * gr_socktype_to_name(unsigned char type);
41497 +extern const char * gr_proto_to_name(unsigned char proto);
41499 +static __inline__ int
41500 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
41502 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
41505 +static __inline__ int
41506 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
41507 + __u16 sport, __u16 dport)
41509 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
41510 + sig->gr_sport == sport && sig->gr_dport == dport))
41516 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
41518 + struct conn_table_entry **match;
41519 + unsigned int index;
41521 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41522 + sig->gr_sport, sig->gr_dport,
41523 + gr_conn_table_size);
41525 + newent->sig = sig;
41527 + match = &gr_conn_table[index];
41528 + newent->next = *match;
41534 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
41536 + struct conn_table_entry *match, *last = NULL;
41537 + unsigned int index;
41539 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41540 + sig->gr_sport, sig->gr_dport,
41541 + gr_conn_table_size);
41543 + match = gr_conn_table[index];
41544 + while (match && !conn_match(match->sig,
41545 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
41546 + sig->gr_dport)) {
41548 + match = match->next;
41553 + last->next = match->next;
41555 + gr_conn_table[index] = NULL;
41562 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
41563 + __u16 sport, __u16 dport)
41565 + struct conn_table_entry *match;
41566 + unsigned int index;
41568 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
41570 + match = gr_conn_table[index];
41571 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
41572 + match = match->next;
41575 + return match->sig;
41582 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
41584 +#ifdef CONFIG_GRKERNSEC
41585 + struct signal_struct *sig = task->signal;
41586 + struct conn_table_entry *newent;
41588 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
41589 + if (newent == NULL)
41591 + /* no bh lock needed since we are called with bh disabled */
41592 + spin_lock(&gr_conn_table_lock);
41593 + gr_del_task_from_ip_table_nolock(sig);
41594 + sig->gr_saddr = inet->inet_rcv_saddr;
41595 + sig->gr_daddr = inet->inet_daddr;
41596 + sig->gr_sport = inet->inet_sport;
41597 + sig->gr_dport = inet->inet_dport;
41598 + gr_add_to_task_ip_table_nolock(sig, newent);
41599 + spin_unlock(&gr_conn_table_lock);
41604 +void gr_del_task_from_ip_table(struct task_struct *task)
41606 +#ifdef CONFIG_GRKERNSEC
41607 + spin_lock_bh(&gr_conn_table_lock);
41608 + gr_del_task_from_ip_table_nolock(task->signal);
41609 + spin_unlock_bh(&gr_conn_table_lock);
41615 +gr_attach_curr_ip(const struct sock *sk)
41617 +#ifdef CONFIG_GRKERNSEC
41618 + struct signal_struct *p, *set;
41619 + const struct inet_sock *inet = inet_sk(sk);
41621 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
41624 + set = current->signal;
41626 + spin_lock_bh(&gr_conn_table_lock);
41627 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
41628 + inet->inet_dport, inet->inet_sport);
41629 + if (unlikely(p != NULL)) {
41630 + set->curr_ip = p->curr_ip;
41631 + set->used_accept = 1;
41632 + gr_del_task_from_ip_table_nolock(p);
41633 + spin_unlock_bh(&gr_conn_table_lock);
41636 + spin_unlock_bh(&gr_conn_table_lock);
41638 + set->curr_ip = inet->inet_daddr;
41639 + set->used_accept = 1;
41645 +gr_handle_sock_all(const int family, const int type, const int protocol)
41647 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41648 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
41649 + (family != AF_UNIX) && (family != AF_LOCAL)) {
41650 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
41658 +gr_handle_sock_server(const struct sockaddr *sck)
41660 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41661 + if (grsec_enable_socket_server &&
41662 + in_group_p(grsec_socket_server_gid) &&
41663 + sck && (sck->sa_family != AF_UNIX) &&
41664 + (sck->sa_family != AF_LOCAL)) {
41665 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41673 +gr_handle_sock_server_other(const struct sock *sck)
41675 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41676 + if (grsec_enable_socket_server &&
41677 + in_group_p(grsec_socket_server_gid) &&
41678 + sck && (sck->sk_family != AF_UNIX) &&
41679 + (sck->sk_family != AF_LOCAL)) {
41680 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41688 +gr_handle_sock_client(const struct sockaddr *sck)
41690 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41691 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
41692 + sck && (sck->sa_family != AF_UNIX) &&
41693 + (sck->sa_family != AF_LOCAL)) {
41694 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
41702 +gr_cap_rtnetlink(struct sock *sock)
41704 +#ifdef CONFIG_GRKERNSEC
41705 + if (!gr_acl_is_enabled())
41706 + return current_cap();
41707 + else if (sock->sk_protocol == NETLINK_ISCSI &&
41708 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
41709 + gr_is_capable(CAP_SYS_ADMIN))
41710 + return current_cap();
41711 + else if (sock->sk_protocol == NETLINK_AUDIT &&
41712 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
41713 + gr_is_capable(CAP_AUDIT_WRITE) &&
41714 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
41715 + gr_is_capable(CAP_AUDIT_CONTROL))
41716 + return current_cap();
41717 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
41718 + ((sock->sk_protocol == NETLINK_ROUTE) ?
41719 + gr_is_capable_nolog(CAP_NET_ADMIN) :
41720 + gr_is_capable(CAP_NET_ADMIN)))
41721 + return current_cap();
41723 + return __cap_empty_set;
41725 + return current_cap();
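Review bot: In `gr_del_task_from_ip_table_nolock` the unlink step appears to clear the whole bucket with `gr_conn_table[index] = NULL;` when the matched entry is the first one in its chain, which would drop every other entry that hashed to the same slot. The lines between the two assignments are not shown on this page, so this assumes the usual `if (last) ... else ...` shape; if that is right, the head case should be `gr_conn_table[index] = match->next;`. The dropped entries become unreachable from the table, and a later `gr_lookup_task_ip_table` for those connections finds nothing, so `gr_attach_curr_ip` falls back to `inet->inet_daddr` instead of the recorded `curr_ip`. Because `conn_hash` is an unkeyed sum of the address and port fields, several connections sharing a bucket is an ordinary case, not a rare one.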
41728 diff -urNp linux-2.6.35.4/grsecurity/grsec_sysctl.c linux-2.6.35.4/grsecurity/grsec_sysctl.c
41729 --- linux-2.6.35.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
41730 +++ linux-2.6.35.4/grsecurity/grsec_sysctl.c 2010-09-17 20:18:57.000000000 -0400
41732 +#include <linux/kernel.h>
41733 +#include <linux/sched.h>
41734 +#include <linux/sysctl.h>
41735 +#include <linux/grsecurity.h>
41736 +#include <linux/grinternal.h>
41739 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
41741 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41742 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
41743 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
41750 +#ifdef CONFIG_GRKERNSEC_ROFS
41751 +static int __maybe_unused one = 1;
41754 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
41755 +struct ctl_table grsecurity_table[] = {
41756 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41757 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
41758 +#ifdef CONFIG_GRKERNSEC_IO
41760 + .procname = "disable_priv_io",
41761 + .data = &grsec_disable_privio,
41762 + .maxlen = sizeof(int),
41764 + .proc_handler = &proc_dointvec,
41768 +#ifdef CONFIG_GRKERNSEC_LINK
41770 + .procname = "linking_restrictions",
41771 + .data = &grsec_enable_link,
41772 + .maxlen = sizeof(int),
41774 + .proc_handler = &proc_dointvec,
41777 +#ifdef CONFIG_GRKERNSEC_FIFO
41779 + .procname = "fifo_restrictions",
41780 + .data = &grsec_enable_fifo,
41781 + .maxlen = sizeof(int),
41783 + .proc_handler = &proc_dointvec,
41786 +#ifdef CONFIG_GRKERNSEC_EXECVE
41788 + .procname = "execve_limiting",
41789 + .data = &grsec_enable_execve,
41790 + .maxlen = sizeof(int),
41792 + .proc_handler = &proc_dointvec,
41795 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41797 + .procname = "ip_blackhole",
41798 + .data = &grsec_enable_blackhole,
41799 + .maxlen = sizeof(int),
41801 + .proc_handler = &proc_dointvec,
41804 + .procname = "lastack_retries",
41805 + .data = &grsec_lastack_retries,
41806 + .maxlen = sizeof(int),
41808 + .proc_handler = &proc_dointvec,
41811 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41813 + .procname = "exec_logging",
41814 + .data = &grsec_enable_execlog,
41815 + .maxlen = sizeof(int),
41817 + .proc_handler = &proc_dointvec,
41820 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41822 + .procname = "signal_logging",
41823 + .data = &grsec_enable_signal,
41824 + .maxlen = sizeof(int),
41826 + .proc_handler = &proc_dointvec,
41829 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41831 + .procname = "forkfail_logging",
41832 + .data = &grsec_enable_forkfail,
41833 + .maxlen = sizeof(int),
41835 + .proc_handler = &proc_dointvec,
41838 +#ifdef CONFIG_GRKERNSEC_TIME
41840 + .procname = "timechange_logging",
41841 + .data = &grsec_enable_time,
41842 + .maxlen = sizeof(int),
41844 + .proc_handler = &proc_dointvec,
41847 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41849 + .procname = "chroot_deny_shmat",
41850 + .data = &grsec_enable_chroot_shmat,
41851 + .maxlen = sizeof(int),
41853 + .proc_handler = &proc_dointvec,
41856 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41858 + .procname = "chroot_deny_unix",
41859 + .data = &grsec_enable_chroot_unix,
41860 + .maxlen = sizeof(int),
41862 + .proc_handler = &proc_dointvec,
41865 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41867 + .procname = "chroot_deny_mount",
41868 + .data = &grsec_enable_chroot_mount,
41869 + .maxlen = sizeof(int),
41871 + .proc_handler = &proc_dointvec,
41874 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41876 + .procname = "chroot_deny_fchdir",
41877 + .data = &grsec_enable_chroot_fchdir,
41878 + .maxlen = sizeof(int),
41880 + .proc_handler = &proc_dointvec,
41883 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41885 + .procname = "chroot_deny_chroot",
41886 + .data = &grsec_enable_chroot_double,
41887 + .maxlen = sizeof(int),
41889 + .proc_handler = &proc_dointvec,
41892 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41894 + .procname = "chroot_deny_pivot",
41895 + .data = &grsec_enable_chroot_pivot,
41896 + .maxlen = sizeof(int),
41898 + .proc_handler = &proc_dointvec,
41901 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41903 + .procname = "chroot_enforce_chdir",
41904 + .data = &grsec_enable_chroot_chdir,
41905 + .maxlen = sizeof(int),
41907 + .proc_handler = &proc_dointvec,
41910 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41912 + .procname = "chroot_deny_chmod",
41913 + .data = &grsec_enable_chroot_chmod,
41914 + .maxlen = sizeof(int),
41916 + .proc_handler = &proc_dointvec,
41919 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41921 + .procname = "chroot_deny_mknod",
41922 + .data = &grsec_enable_chroot_mknod,
41923 + .maxlen = sizeof(int),
41925 + .proc_handler = &proc_dointvec,
41928 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41930 + .procname = "chroot_restrict_nice",
41931 + .data = &grsec_enable_chroot_nice,
41932 + .maxlen = sizeof(int),
41934 + .proc_handler = &proc_dointvec,
41937 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41939 + .procname = "chroot_execlog",
41940 + .data = &grsec_enable_chroot_execlog,
41941 + .maxlen = sizeof(int),
41943 + .proc_handler = &proc_dointvec,
41946 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41948 + .procname = "chroot_caps",
41949 + .data = &grsec_enable_chroot_caps,
41950 + .maxlen = sizeof(int),
41952 + .proc_handler = &proc_dointvec,
41955 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41957 + .procname = "chroot_deny_sysctl",
41958 + .data = &grsec_enable_chroot_sysctl,
41959 + .maxlen = sizeof(int),
41961 + .proc_handler = &proc_dointvec,
41964 +#ifdef CONFIG_GRKERNSEC_TPE
41966 + .procname = "tpe",
41967 + .data = &grsec_enable_tpe,
41968 + .maxlen = sizeof(int),
41970 + .proc_handler = &proc_dointvec,
41973 + .procname = "tpe_gid",
41974 + .data = &grsec_tpe_gid,
41975 + .maxlen = sizeof(int),
41977 + .proc_handler = &proc_dointvec,
41980 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41982 + .procname = "tpe_invert",
41983 + .data = &grsec_enable_tpe_invert,
41984 + .maxlen = sizeof(int),
41986 + .proc_handler = &proc_dointvec,
41989 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
41991 + .procname = "tpe_restrict_all",
41992 + .data = &grsec_enable_tpe_all,
41993 + .maxlen = sizeof(int),
41995 + .proc_handler = &proc_dointvec,
41998 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42000 + .procname = "socket_all",
42001 + .data = &grsec_enable_socket_all,
42002 + .maxlen = sizeof(int),
42004 + .proc_handler = &proc_dointvec,
42007 + .procname = "socket_all_gid",
42008 + .data = &grsec_socket_all_gid,
42009 + .maxlen = sizeof(int),
42011 + .proc_handler = &proc_dointvec,
42014 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42016 + .procname = "socket_client",
42017 + .data = &grsec_enable_socket_client,
42018 + .maxlen = sizeof(int),
42020 + .proc_handler = &proc_dointvec,
42023 + .procname = "socket_client_gid",
42024 + .data = &grsec_socket_client_gid,
42025 + .maxlen = sizeof(int),
42027 + .proc_handler = &proc_dointvec,
42030 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42032 + .procname = "socket_server",
42033 + .data = &grsec_enable_socket_server,
42034 + .maxlen = sizeof(int),
42036 + .proc_handler = &proc_dointvec,
42039 + .procname = "socket_server_gid",
42040 + .data = &grsec_socket_server_gid,
42041 + .maxlen = sizeof(int),
42043 + .proc_handler = &proc_dointvec,
42046 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42048 + .procname = "audit_group",
42049 + .data = &grsec_enable_group,
42050 + .maxlen = sizeof(int),
42052 + .proc_handler = &proc_dointvec,
42055 + .procname = "audit_gid",
42056 + .data = &grsec_audit_gid,
42057 + .maxlen = sizeof(int),
42059 + .proc_handler = &proc_dointvec,
42062 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42064 + .procname = "audit_chdir",
42065 + .data = &grsec_enable_chdir,
42066 + .maxlen = sizeof(int),
42068 + .proc_handler = &proc_dointvec,
42071 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42073 + .procname = "audit_mount",
42074 + .data = &grsec_enable_mount,
42075 + .maxlen = sizeof(int),
42077 + .proc_handler = &proc_dointvec,
42080 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42082 + .procname = "audit_textrel",
42083 + .data = &grsec_enable_audit_textrel,
42084 + .maxlen = sizeof(int),
42086 + .proc_handler = &proc_dointvec,
42089 +#ifdef CONFIG_GRKERNSEC_DMESG
42091 + .procname = "dmesg",
42092 + .data = &grsec_enable_dmesg,
42093 + .maxlen = sizeof(int),
42095 + .proc_handler = &proc_dointvec,
42098 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42100 + .procname = "chroot_findtask",
42101 + .data = &grsec_enable_chroot_findtask,
42102 + .maxlen = sizeof(int),
42104 + .proc_handler = &proc_dointvec,
42107 +#ifdef CONFIG_GRKERNSEC_RESLOG
42109 + .procname = "resource_logging",
42110 + .data = &grsec_resource_logging,
42111 + .maxlen = sizeof(int),
42113 + .proc_handler = &proc_dointvec,
42116 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42118 + .procname = "audit_ptrace",
42119 + .data = &grsec_enable_audit_ptrace,
42120 + .maxlen = sizeof(int),
42122 + .proc_handler = &proc_dointvec,
42125 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42127 + .procname = "harden_ptrace",
42128 + .data = &grsec_enable_harden_ptrace,
42129 + .maxlen = sizeof(int),
42131 + .proc_handler = &proc_dointvec,
42135 + .procname = "grsec_lock",
42136 + .data = &grsec_lock,
42137 + .maxlen = sizeof(int),
42139 + .proc_handler = &proc_dointvec,
42142 +#ifdef CONFIG_GRKERNSEC_ROFS
42144 + .procname = "romount_protect",
42145 + .data = &grsec_enable_rofs,
42146 + .maxlen = sizeof(int),
42148 + .proc_handler = &proc_dointvec_minmax,
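Review bot: Every entry in `grsecurity_table` except `romount_protect` uses plain `proc_dointvec`, so a write stores any integer, negative values included, into on/off flags such as `grsec_lock` and into gid variables such as `grsec_tpe_gid` that other files pass to `in_group_p()`. For the boolean entries I would bound the value, as `romount_protect` appears to do through `proc_dointvec_minmax`: `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,` with a `static int zero;` next to `one`, which is currently declared only under `CONFIG_GRKERNSEC_ROFS`. The `.mode` and `.extra*` lines of the entries are not shown on this page, so confirm that none of them already sets bounds. A short comment above the `grsec_lock` entry would also help, for example `/* once non-zero, gr_handle_sysctl_mod() logs writes under "grsecurity" and is expected to refuse them */`.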
42156 diff -urNp linux-2.6.35.4/grsecurity/grsec_textrel.c linux-2.6.35.4/grsecurity/grsec_textrel.c
42157 --- linux-2.6.35.4/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
42158 +++ linux-2.6.35.4/grsecurity/grsec_textrel.c 2010-09-17 20:12:37.000000000 -0400
42160 +#include <linux/kernel.h>
42161 +#include <linux/sched.h>
42162 +#include <linux/mm.h>
42163 +#include <linux/file.h>
42164 +#include <linux/grinternal.h>
42165 +#include <linux/grsecurity.h>
42168 +gr_log_textrel(struct vm_area_struct * vma)
42170 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42171 + if (grsec_enable_audit_textrel)
42172 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42176 diff -urNp linux-2.6.35.4/grsecurity/grsec_time.c linux-2.6.35.4/grsecurity/grsec_time.c
42177 --- linux-2.6.35.4/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
42178 +++ linux-2.6.35.4/grsecurity/grsec_time.c 2010-09-17 20:12:37.000000000 -0400
42180 +#include <linux/kernel.h>
42181 +#include <linux/sched.h>
42182 +#include <linux/grinternal.h>
42185 +gr_log_timechange(void)
42187 +#ifdef CONFIG_GRKERNSEC_TIME
42188 + if (grsec_enable_time)
42189 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
42193 diff -urNp linux-2.6.35.4/grsecurity/grsec_tpe.c linux-2.6.35.4/grsecurity/grsec_tpe.c
42194 --- linux-2.6.35.4/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
42195 +++ linux-2.6.35.4/grsecurity/grsec_tpe.c 2010-09-17 20:12:37.000000000 -0400
42197 +#include <linux/kernel.h>
42198 +#include <linux/sched.h>
42199 +#include <linux/file.h>
42200 +#include <linux/fs.h>
42201 +#include <linux/grinternal.h>
42203 +extern int gr_acl_tpe_check(void);
42206 +gr_tpe_allow(const struct file *file)
42208 +#ifdef CONFIG_GRKERNSEC
42209 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
42210 + const struct cred *cred = current_cred();
42212 + if (cred->uid && ((grsec_enable_tpe &&
42213 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42214 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
42215 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
42217 + in_group_p(grsec_tpe_gid)
42219 + ) || gr_acl_tpe_check()) &&
42220 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
42221 + (inode->i_mode & S_IWOTH))))) {
42222 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42225 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42226 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
42227 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
42228 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
42229 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
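Review bot: `gr_tpe_allow` reads the containing directory as `file->f_path.dentry->d_parent->d_inode` without holding a reference on the parent dentry, so the pointer can change under a concurrent rename and the ownership and mode test may run against a directory other than the one the file lives in. Unless the caller already pins the parent (not visible in this hunk), I would take it with `struct dentry *parent = dget_parent(file->f_path.dentry);`, test `parent->d_inode`, and call `dput(parent);` on every return path. Separately, in the first condition `(inode->i_uid || (!inode->i_uid && (...)))` the `!inode->i_uid` term is redundant, and dropping it makes the trust test easier to audit.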
42236 diff -urNp linux-2.6.35.4/grsecurity/grsum.c linux-2.6.35.4/grsecurity/grsum.c
42237 --- linux-2.6.35.4/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
42238 +++ linux-2.6.35.4/grsecurity/grsum.c 2010-09-17 20:12:37.000000000 -0400
42240 +#include <linux/err.h>
42241 +#include <linux/kernel.h>
42242 +#include <linux/sched.h>
42243 +#include <linux/mm.h>
42244 +#include <linux/scatterlist.h>
42245 +#include <linux/crypto.h>
42246 +#include <linux/gracl.h>
42249 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
42250 +#error "crypto and sha256 must be built into the kernel"
42254 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
42257 + struct crypto_hash *tfm;
42258 + struct hash_desc desc;
42259 + struct scatterlist sg;
42260 + unsigned char temp_sum[GR_SHA_LEN];
42261 + volatile int retval = 0;
42262 + volatile int dummy = 0;
42265 + sg_init_table(&sg, 1);
42267 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
42268 + if (IS_ERR(tfm)) {
42269 + /* should never happen, since sha256 should be built in */
42276 + crypto_hash_init(&desc);
42279 + sg_set_buf(&sg, p, GR_SALT_LEN);
42280 + crypto_hash_update(&desc, &sg, sg.length);
42283 + sg_set_buf(&sg, p, strlen(p));
42285 + crypto_hash_update(&desc, &sg, sg.length);
42287 + crypto_hash_final(&desc, temp_sum);
42289 + memset(entry->pw, 0, GR_PW_LEN);
42291 + for (i = 0; i < GR_SHA_LEN; i++)
42292 + if (sum[i] != temp_sum[i])
42295 + dummy = 1; // waste a cycle
42297 + crypto_free_hash(tfm);
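Review bot: The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` in `chkpw` are ignored and `temp_sum` has no initializer, so if any of these calls fails the comparison loop runs over indeterminate stack bytes. A non-zero return should count as a failed check, e.g. `if (crypto_hash_final(&desc, temp_sum)) retval = 1;`, assuming a non-zero `retval` means mismatch (the assignment inside the loop is not shown on this page). The byte loop also branches on every byte and relies on `volatile` and the `dummy` store to keep the timing even. Accumulating `diff |= sum[i] ^ temp_sum[i];` and testing `diff` once after the loop gives the same property without depending on how the compiler treats the two branches.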
42301 diff -urNp linux-2.6.35.4/grsecurity/Kconfig linux-2.6.35.4/grsecurity/Kconfig
42302 --- linux-2.6.35.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
42303 +++ linux-2.6.35.4/grsecurity/Kconfig 2010-09-17 20:12:37.000000000 -0400
42306 +# grecurity configuration
42312 + bool "Grsecurity"
42314 + select CRYPTO_SHA256
42316 + If you say Y here, you will be able to configure many features
42317 + that will enhance the security of your system. It is highly
42318 + recommended that you say Y here and read through the help
42319 + for each option so that you fully understand the features and
42320 + can evaluate their usefulness for your machine.
42323 + prompt "Security Level"
42324 + depends on GRKERNSEC
42325 + default GRKERNSEC_CUSTOM
42327 +config GRKERNSEC_LOW
42329 + select GRKERNSEC_LINK
42330 + select GRKERNSEC_FIFO
42331 + select GRKERNSEC_EXECVE
42332 + select GRKERNSEC_RANDNET
42333 + select GRKERNSEC_DMESG
42334 + select GRKERNSEC_CHROOT
42335 + select GRKERNSEC_CHROOT_CHDIR
42338 + If you choose this option, several of the grsecurity options will
42339 + be enabled that will give you greater protection against a number
42340 + of attacks, while assuring that none of your software will have any
42341 + conflicts with the additional security measures. If you run a lot
42342 + of unusual software, or you are having problems with the higher
42343 + security levels, you should say Y here. With this option, the
42344 + following features are enabled:
42346 + - Linking restrictions
42347 + - FIFO restrictions
42348 + - Enforcing RLIMIT_NPROC on execve
42349 + - Restricted dmesg
42350 + - Enforced chdir("/") on chroot
42351 + - Runtime module disabling
42353 +config GRKERNSEC_MEDIUM
42356 + select PAX_EI_PAX
42357 + select PAX_PT_PAX_FLAGS
42358 + select PAX_HAVE_ACL_FLAGS
42359 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42360 + select GRKERNSEC_CHROOT
42361 + select GRKERNSEC_CHROOT_SYSCTL
42362 + select GRKERNSEC_LINK
42363 + select GRKERNSEC_FIFO
42364 + select GRKERNSEC_EXECVE
42365 + select GRKERNSEC_DMESG
42366 + select GRKERNSEC_RANDNET
42367 + select GRKERNSEC_FORKFAIL
42368 + select GRKERNSEC_TIME
42369 + select GRKERNSEC_SIGNAL
42370 + select GRKERNSEC_CHROOT
42371 + select GRKERNSEC_CHROOT_UNIX
42372 + select GRKERNSEC_CHROOT_MOUNT
42373 + select GRKERNSEC_CHROOT_PIVOT
42374 + select GRKERNSEC_CHROOT_DOUBLE
42375 + select GRKERNSEC_CHROOT_CHDIR
42376 + select GRKERNSEC_CHROOT_MKNOD
42377 + select GRKERNSEC_PROC
42378 + select GRKERNSEC_PROC_USERGROUP
42379 + select PAX_RANDUSTACK
42381 + select PAX_RANDMMAP
42382 + select PAX_REFCOUNT if (X86 || SPARC64)
42383 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
42386 + If you say Y here, several features in addition to those included
42387 + in the low additional security level will be enabled. These
42388 + features provide even more security to your system, though in rare
42389 + cases they may be incompatible with very old or poorly written
42390 + software. If you enable this option, make sure that your auth
42391 + service (identd) is running as gid 1001. With this option,
42392 + the following features (in addition to those provided in the
42393 + low additional security level) will be enabled:
42395 + - Failed fork logging
42396 + - Time change logging
42398 + - Deny mounts in chroot
42399 + - Deny double chrooting
42400 + - Deny sysctl writes in chroot
42401 + - Deny mknod in chroot
42402 + - Deny access to abstract AF_UNIX sockets out of chroot
42403 + - Deny pivot_root in chroot
42404 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
42405 + - /proc restrictions with special GID set to 10 (usually wheel)
42406 + - Address Space Layout Randomization (ASLR)
42407 + - Prevent exploitation of most refcount overflows
42408 + - Bounds checking of copying between the kernel and userland
42410 +config GRKERNSEC_HIGH
42412 + select GRKERNSEC_LINK
42413 + select GRKERNSEC_FIFO
42414 + select GRKERNSEC_EXECVE
42415 + select GRKERNSEC_DMESG
42416 + select GRKERNSEC_FORKFAIL
42417 + select GRKERNSEC_TIME
42418 + select GRKERNSEC_SIGNAL
42419 + select GRKERNSEC_CHROOT
42420 + select GRKERNSEC_CHROOT_SHMAT
42421 + select GRKERNSEC_CHROOT_UNIX
42422 + select GRKERNSEC_CHROOT_MOUNT
42423 + select GRKERNSEC_CHROOT_FCHDIR
42424 + select GRKERNSEC_CHROOT_PIVOT
42425 + select GRKERNSEC_CHROOT_DOUBLE
42426 + select GRKERNSEC_CHROOT_CHDIR
42427 + select GRKERNSEC_CHROOT_MKNOD
42428 + select GRKERNSEC_CHROOT_CAPS
42429 + select GRKERNSEC_CHROOT_SYSCTL
42430 + select GRKERNSEC_CHROOT_FINDTASK
42431 + select GRKERNSEC_PROC
42432 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42433 + select GRKERNSEC_HIDESYM
42434 + select GRKERNSEC_BRUTE
42435 + select GRKERNSEC_PROC_USERGROUP
42436 + select GRKERNSEC_KMEM
42437 + select GRKERNSEC_RESLOG
42438 + select GRKERNSEC_RANDNET
42439 + select GRKERNSEC_PROC_ADD
42440 + select GRKERNSEC_CHROOT_CHMOD
42441 + select GRKERNSEC_CHROOT_NICE
42442 + select GRKERNSEC_AUDIT_MOUNT
42443 + select GRKERNSEC_MODHARDEN if (MODULES)
42444 + select GRKERNSEC_HARDEN_PTRACE
42445 + select GRKERNSEC_VM86 if (X86_32)
42447 + select PAX_RANDUSTACK
42449 + select PAX_RANDMMAP
42450 + select PAX_NOEXEC
42451 + select PAX_MPROTECT
42452 + select PAX_EI_PAX
42453 + select PAX_PT_PAX_FLAGS
42454 + select PAX_HAVE_ACL_FLAGS
42455 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
42456 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
42457 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
42458 + select PAX_SEGMEXEC if (X86_32)
42459 + select PAX_PAGEEXEC
42460 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
42461 + select PAX_EMUTRAMP if (PARISC)
42462 + select PAX_EMUSIGRT if (PARISC)
42463 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
42464 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
42465 + select PAX_REFCOUNT if (X86 || SPARC64)
42466 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
42468 + If you say Y here, many of the features of grsecurity will be
42469 + enabled, which will protect you against many kinds of attacks
42470 + against your system. The heightened security comes at a cost
42471 + of an increased chance of incompatibilities with rare software
42472 + on your machine. Since this security level enables PaX, you should
42473 + view <http://pax.grsecurity.net> and read about the PaX
42474 + project. While you are there, download chpax and run it on
42475 + binaries that cause problems with PaX. Also remember that
42476 + since the /proc restrictions are enabled, you must run your
42477 + identd as gid 1001. This security level enables the following
42478 + features in addition to those listed in the low and medium
42481 + - Additional /proc restrictions
42482 + - Chmod restrictions in chroot
42483 + - No signals, ptrace, or viewing of processes outside of chroot
42484 + - Capability restrictions in chroot
42485 + - Deny fchdir out of chroot
42486 + - Priority restrictions in chroot
42487 + - Segmentation-based implementation of PaX
42488 + - Mprotect restrictions
42489 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
42490 + - Kernel stack randomization
42491 + - Mount/unmount/remount logging
42492 + - Kernel symbol hiding
42493 + - Prevention of memory exhaustion-based exploits
42494 + - Hardening of module auto-loading
42495 + - Ptrace restrictions
42496 + - Restricted vm86 mode
42498 +config GRKERNSEC_CUSTOM
42501 + If you say Y here, you will be able to configure every grsecurity
42502 + option, which allows you to enable many more features that aren't
42503 + covered in the basic security levels. These additional features
42504 + include TPE, socket restrictions, and the sysctl system for
42505 + grsecurity. It is advised that you read through the help for
42506 + each option to determine its usefulness in your situation.
42510 +menu "Address Space Protection"
42511 +depends on GRKERNSEC
42513 +config GRKERNSEC_KMEM
42514 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
42516 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
42517 + be written to via mmap or otherwise to modify the running kernel.
42518 + /dev/port will also not be allowed to be opened. If you have module
42519 + support disabled, enabling this will close up four ways that are
42520 + currently used to insert malicious code into the running kernel.
42521 + Even with all these features enabled, we still highly recommend that
42522 + you use the RBAC system, as it is still possible for an attacker to
42523 + modify the running kernel through privileged I/O granted by ioperm/iopl.
42524 + If you are not using XFree86, you may be able to stop this additional
42525 + case by enabling the 'Disable privileged I/O' option. Though nothing
42526 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
42527 + but only to video memory, which is the only writing we allow in this
42528 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
42529 + not be allowed to mprotect it with PROT_WRITE later.
42530 + It is highly recommended that you say Y here if you meet all the
42531 + conditions above.
42533 +config GRKERNSEC_VM86
42534 + bool "Restrict VM86 mode"
42535 + depends on X86_32
42538 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
42539 + make use of a special execution mode on 32bit x86 processors called
42540 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
42541 + video cards and will still work with this option enabled. The purpose
42542 + of the option is to prevent exploitation of emulation errors in
42543 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
42544 + Nearly all users should be able to enable this option.
42546 +config GRKERNSEC_IO
42547 + bool "Disable privileged I/O"
42550 + select RTC_INTF_DEV
42551 + select RTC_DRV_CMOS
42554 + If you say Y here, all ioperm and iopl calls will return an error.
42555 + Ioperm and iopl can be used to modify the running kernel.
42556 + Unfortunately, some programs need this access to operate properly,
42557 + the most notable of which are XFree86 and hwclock. hwclock can be
42558 + remedied by having RTC support in the kernel, so real-time
42559 + clock support is enabled if this option is enabled, to ensure
42560 + that hwclock operates correctly. XFree86 still will not
42561 + operate correctly with this option enabled, so DO NOT CHOOSE Y
42562 + IF YOU USE XFree86. If you use XFree86 and you still want to
42563 + protect your kernel against modification, use the RBAC system.
42565 +config GRKERNSEC_PROC_MEMMAP
42566 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
42567 + default y if (PAX_NOEXEC || PAX_ASLR)
42568 + depends on PAX_NOEXEC || PAX_ASLR
42570 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
42571 + give no information about the addresses of its mappings if
42572 + PaX features that rely on random addresses are enabled on the task.
42573 + If you use PaX it is greatly recommended that you say Y here as it
42574 + closes up a hole that makes the full ASLR useless for suid
42577 +config GRKERNSEC_BRUTE
42578 + bool "Deter exploit bruteforcing"
42580 + If you say Y here, attempts to bruteforce exploits against forking
42581 + daemons such as apache or sshd will be deterred. When a child of a
42582 + forking daemon is killed by PaX or crashes due to an illegal
42583 + instruction, the parent process will be delayed 30 seconds upon every
42584 + subsequent fork until the administrator is able to assess the
42585 + situation and restart the daemon. It is recommended that you also
42586 + enable signal logging in the auditing section so that logs are
42587 + generated when a process performs an illegal instruction.
42589 +config GRKERNSEC_MODHARDEN
42590 + bool "Harden module auto-loading"
42591 + depends on MODULES
42593 + If you say Y here, module auto-loading in response to use of some
42594 + feature implemented by an unloaded module will be restricted to
42595 + root users. Enabling this option helps defend against attacks
42596 + by unprivileged users who abuse the auto-loading behavior to
42597 + cause a vulnerable module to load that is then exploited.
42599 + If this option prevents a legitimate use of auto-loading for a
42600 + non-root user, the administrator can execute modprobe manually
42601 + with the exact name of the module mentioned in the alert log.
42602 + Alternatively, the administrator can add the module to the list
42603 + of modules loaded at boot by modifying init scripts.
42605 + Modification of init scripts will most likely be needed on
42606 + Ubuntu servers with encrypted home directory support enabled,
42607 + as the first non-root user logging in will cause the ecb(aes),
42608 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
42610 +config GRKERNSEC_HIDESYM
42611 + bool "Hide kernel symbols"
42613 + If you say Y here, getting information on loaded modules, and
42614 + displaying all kernel symbols through a syscall will be restricted
42615 + to users with CAP_SYS_MODULE. For software compatibility reasons,
42616 + /proc/kallsyms will be restricted to the root user. The RBAC
42617 + system can hide that entry even from root.
42619 + This option also prevents leaking of kernel addresses through
42620 + several /proc entries.
42622 + Note that this option is only effective provided the following
42623 + conditions are met:
42624 + 1) The kernel using grsecurity is not precompiled by some distribution
42625 + 2) You are using the RBAC system and hiding other files such as your
42626 + kernel image and System.map. Alternatively, enabling this option
42627 + causes the permissions on /boot, /lib/modules, and the kernel
42628 + source directory to change at compile time to prevent
42629 + reading by non-root users.
42630 + If the above conditions are met, this option will aid in providing a
42631 + useful protection against local kernel exploitation of overflows
42632 + and arbitrary read/write vulnerabilities.
42635 +menu "Role Based Access Control Options"
42636 +depends on GRKERNSEC
42638 +config GRKERNSEC_NO_RBAC
42639 + bool "Disable RBAC system"
42641 + If you say Y here, the /dev/grsec device will be removed from the kernel,
42642 + preventing the RBAC system from being enabled. You should only say Y
42643 + here if you have no intention of using the RBAC system, so as to prevent
42644 + an attacker with root access from misusing the RBAC system to hide files
42645 + and processes when loadable module support and /dev/[k]mem have been
42648 +config GRKERNSEC_ACL_HIDEKERN
42649 + bool "Hide kernel processes"
42651 + If you say Y here, all kernel threads will be hidden to all
42652 + processes but those whose subject has the "view hidden processes"
42655 +config GRKERNSEC_ACL_MAXTRIES
42656 + int "Maximum tries before password lockout"
42659 + This option enforces the maximum number of times a user can attempt
42660 + to authorize themselves with the grsecurity RBAC system before being
42661 + denied the ability to attempt authorization again for a specified time.
42662 + The lower the number, the harder it will be to brute-force a password.
42664 +config GRKERNSEC_ACL_TIMEOUT
42665 + int "Time to wait after max password tries, in seconds"
42668 + This option specifies the time the user must wait after attempting to
42669 + authorize to the RBAC system with the maximum number of invalid
42670 + passwords. The higher the number, the harder it will be to brute-force
42674 +menu "Filesystem Protections"
42675 +depends on GRKERNSEC
42677 +config GRKERNSEC_PROC
42678 + bool "Proc restrictions"
42680 + If you say Y here, the permissions of the /proc filesystem
42681 + will be altered to enhance system security and privacy. You MUST
42682 + choose either a user only restriction or a user and group restriction.
42683 + Depending upon the option you choose, you can either restrict users to
42684 + see only the processes they themselves run, or choose a group that can
42685 + view all processes and files normally restricted to root if you choose
42686 + the "restrict to user only" option. NOTE: If you're running identd as
42687 + a non-root user, you will have to run it as the group you specify here.
42689 +config GRKERNSEC_PROC_USER
42690 + bool "Restrict /proc to user only"
42691 + depends on GRKERNSEC_PROC
42693 + If you say Y here, non-root users will only be able to view their own
42694 + processes, and restricts them from viewing network-related information,
42695 + and viewing kernel symbol and module information.
42697 +config GRKERNSEC_PROC_USERGROUP
42698 + bool "Allow special group"
42699 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
42701 + If you say Y here, you will be able to select a group that will be
42702 + able to view all processes, network-related information, and
42703 + kernel and symbol information. This option is useful if you want
42704 + to run identd as a non-root user.
42706 +config GRKERNSEC_PROC_GID
42707 + int "GID for special group"
42708 + depends on GRKERNSEC_PROC_USERGROUP
42711 +config GRKERNSEC_PROC_ADD
42712 + bool "Additional restrictions"
42713 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
42715 + If you say Y here, additional restrictions will be placed on
42716 + /proc that keep normal users from viewing device information and
42717 + slabinfo information that could be useful for exploits.
42719 +config GRKERNSEC_LINK
42720 + bool "Linking restrictions"
42722 + If you say Y here, /tmp race exploits will be prevented, since users
42723 + will no longer be able to follow symlinks owned by other users in
42724 + world-writable +t directories (i.e. /tmp), unless the owner of the
42725 + symlink is the owner of the directory. users will also not be
42726 + able to hardlink to files they do not own. If the sysctl option is
42727 + enabled, a sysctl option with name "linking_restrictions" is created.
42729 +config GRKERNSEC_FIFO
42730 + bool "FIFO restrictions"
42732 + If you say Y here, users will not be able to write to FIFOs they don't
42733 + own in world-writable +t directories (i.e. /tmp), unless the owner of
42734 + the FIFO is the same owner of the directory it's held in. If the sysctl
42735 + option is enabled, a sysctl option with name "fifo_restrictions" is
42738 +config GRKERNSEC_ROFS
42739 + bool "Runtime read-only mount protection"
42741 + If you say Y here, a sysctl option with name "romount_protect" will
42742 + be created. By setting this option to 1 at runtime, filesystems
42743 + will be protected in the following ways:
42744 + * No new writable mounts will be allowed
42745 + * Existing read-only mounts won't be able to be remounted read/write
42746 + * Write operations will be denied on all block devices
42747 + This option acts independently of grsec_lock: once it is set to 1,
42748 + it cannot be turned off. Therefore, please be mindful of the resulting
42749 + behavior if this option is enabled in an init script on a read-only
42750 + filesystem. This feature is mainly intended for secure embedded systems.
42752 +config GRKERNSEC_CHROOT
42753 + bool "Chroot jail restrictions"
42755 + If you say Y here, you will be able to choose several options that will
42756 + make breaking out of a chrooted jail much more difficult. If you
42757 + encounter no software incompatibilities with the following options, it
42758 + is recommended that you enable each one.
42760 +config GRKERNSEC_CHROOT_MOUNT
42761 + bool "Deny mounts"
42762 + depends on GRKERNSEC_CHROOT
42764 + If you say Y here, processes inside a chroot will not be able to
42765 + mount or remount filesystems. If the sysctl option is enabled, a
42766 + sysctl option with name "chroot_deny_mount" is created.
42768 +config GRKERNSEC_CHROOT_DOUBLE
42769 + bool "Deny double-chroots"
42770 + depends on GRKERNSEC_CHROOT
42772 + If you say Y here, processes inside a chroot will not be able to chroot
42773 + again outside the chroot. This is a widely used method of breaking
42774 + out of a chroot jail and should not be allowed. If the sysctl
42775 + option is enabled, a sysctl option with name
42776 + "chroot_deny_chroot" is created.
42778 +config GRKERNSEC_CHROOT_PIVOT
42779 + bool "Deny pivot_root in chroot"
42780 + depends on GRKERNSEC_CHROOT
42782 + If you say Y here, processes inside a chroot will not be able to use
42783 + a function called pivot_root() that was introduced in Linux 2.3.41. It
42784 + works similar to chroot in that it changes the root filesystem. This
42785 + function could be misused in a chrooted process to attempt to break out
42786 + of the chroot, and therefore should not be allowed. If the sysctl
42787 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
42790 +config GRKERNSEC_CHROOT_CHDIR
42791 + bool "Enforce chdir(\"/\") on all chroots"
42792 + depends on GRKERNSEC_CHROOT
42794 + If you say Y here, the current working directory of all newly-chrooted
42795 + applications will be set to the the root directory of the chroot.
42796 + The man page on chroot(2) states:
42797 + Note that this call does not change the current working
42798 + directory, so that `.' can be outside the tree rooted at
42799 + `/'. In particular, the super-user can escape from a
42800 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
42802 + It is recommended that you say Y here, since it's not known to break
42803 + any software. If the sysctl option is enabled, a sysctl option with
42804 + name "chroot_enforce_chdir" is created.
42806 +config GRKERNSEC_CHROOT_CHMOD
42807 + bool "Deny (f)chmod +s"
42808 + depends on GRKERNSEC_CHROOT
42810 + If you say Y here, processes inside a chroot will not be able to chmod
42811 + or fchmod files to make them have suid or sgid bits. This protects
42812 + against another published method of breaking a chroot. If the sysctl
42813 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
42816 +config GRKERNSEC_CHROOT_FCHDIR
42817 + bool "Deny fchdir out of chroot"
42818 + depends on GRKERNSEC_CHROOT
42820 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
42821 + to a file descriptor of the chrooting process that points to a directory
42822 + outside the filesystem will be stopped. If the sysctl option
42823 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
42825 +config GRKERNSEC_CHROOT_MKNOD
42826 + bool "Deny mknod"
42827 + depends on GRKERNSEC_CHROOT
42829 + If you say Y here, processes inside a chroot will not be allowed to
42830 + mknod. The problem with using mknod inside a chroot is that it
42831 + would allow an attacker to create a device entry that is the same
42832 + as one on the physical root of your system, which could range from
42833 + anything from the console device to a device for your harddrive (which
42834 + they could then use to wipe the drive or steal data). It is recommended
42835 + that you say Y here, unless you run into software incompatibilities.
42836 + If the sysctl option is enabled, a sysctl option with name
42837 + "chroot_deny_mknod" is created.
42839 +config GRKERNSEC_CHROOT_SHMAT
42840 + bool "Deny shmat() out of chroot"
42841 + depends on GRKERNSEC_CHROOT
42843 + If you say Y here, processes inside a chroot will not be able to attach
42844 + to shared memory segments that were created outside of the chroot jail.
42845 + It is recommended that you say Y here. If the sysctl option is enabled,
42846 + a sysctl option with name "chroot_deny_shmat" is created.
42848 +config GRKERNSEC_CHROOT_UNIX
42849 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
42850 + depends on GRKERNSEC_CHROOT
42852 + If you say Y here, processes inside a chroot will not be able to
42853 + connect to abstract (meaning not belonging to a filesystem) Unix
42854 + domain sockets that were bound outside of a chroot. It is recommended
42855 + that you say Y here. If the sysctl option is enabled, a sysctl option
42856 + with name "chroot_deny_unix" is created.
42858 +config GRKERNSEC_CHROOT_FINDTASK
42859 + bool "Protect outside processes"
42860 + depends on GRKERNSEC_CHROOT
42862 + If you say Y here, processes inside a chroot will not be able to
42863 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
42864 + getsid, or view any process outside of the chroot. If the sysctl
42865 + option is enabled, a sysctl option with name "chroot_findtask" is
42868 +config GRKERNSEC_CHROOT_NICE
42869 + bool "Restrict priority changes"
42870 + depends on GRKERNSEC_CHROOT
42872 + If you say Y here, processes inside a chroot will not be able to raise
42873 + the priority of processes in the chroot, or alter the priority of
42874 + processes outside the chroot. This provides more security than simply
42875 + removing CAP_SYS_NICE from the process' capability set. If the
42876 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
42879 +config GRKERNSEC_CHROOT_SYSCTL
42880 + bool "Deny sysctl writes"
42881 + depends on GRKERNSEC_CHROOT
42883 + If you say Y here, an attacker in a chroot will not be able to
42884 + write to sysctl entries, either by sysctl(2) or through a /proc
42885 + interface. It is strongly recommended that you say Y here. If the
42886 + sysctl option is enabled, a sysctl option with name
42887 + "chroot_deny_sysctl" is created.
42889 +config GRKERNSEC_CHROOT_CAPS
42890 + bool "Capability restrictions"
42891 + depends on GRKERNSEC_CHROOT
42893 + If you say Y here, the capabilities on all root processes within a
42894 + chroot jail will be lowered to stop module insertion, raw i/o,
42895 + system and net admin tasks, rebooting the system, modifying immutable
42896 + files, modifying IPC owned by another, and changing the system time.
42897 + This is left an option because it can break some apps. Disable this
42898 + if your chrooted apps are having problems performing those kinds of
42899 + tasks. If the sysctl option is enabled, a sysctl option with
42900 + name "chroot_caps" is created.
42903 +menu "Kernel Auditing"
42904 +depends on GRKERNSEC
42906 +config GRKERNSEC_AUDIT_GROUP
42907 + bool "Single group for auditing"
42909 + If you say Y here, the exec, chdir, and (un)mount logging features
42910 + will only operate on a group you specify. This option is recommended
42911 + if you only want to watch certain users instead of having a large
42912 + amount of logs from the entire system. If the sysctl option is enabled,
42913 + a sysctl option with name "audit_group" is created.
42915 +config GRKERNSEC_AUDIT_GID
42916 + int "GID for auditing"
42917 + depends on GRKERNSEC_AUDIT_GROUP
42920 +config GRKERNSEC_EXECLOG
42921 + bool "Exec logging"
42923 + If you say Y here, all execve() calls will be logged (since the
42924 + other exec*() calls are frontends to execve(), all execution
42925 + will be logged). Useful for shell-servers that like to keep track
42926 + of their users. If the sysctl option is enabled, a sysctl option with
42927 + name "exec_logging" is created.
42928 + WARNING: This option when enabled will produce a LOT of logs, especially
42929 + on an active system.
42931 +config GRKERNSEC_RESLOG
42932 + bool "Resource logging"
42934 + If you say Y here, all attempts to overstep resource limits will
42935 + be logged with the resource name, the requested size, and the current
42936 + limit. It is highly recommended that you say Y here. If the sysctl
42937 + option is enabled, a sysctl option with name "resource_logging" is
42938 + created. If the RBAC system is enabled, the sysctl value is ignored.
42940 +config GRKERNSEC_CHROOT_EXECLOG
42941 + bool "Log execs within chroot"
42943 + If you say Y here, all executions inside a chroot jail will be logged
42944 + to syslog. This can cause a large amount of logs if certain
42945 + applications (eg. djb's daemontools) are installed on the system, and
42946 + is therefore left as an option. If the sysctl option is enabled, a
42947 + sysctl option with name "chroot_execlog" is created.
42949 +config GRKERNSEC_AUDIT_PTRACE
42950 + bool "Ptrace logging"
42952 + If you say Y here, all attempts to attach to a process via ptrace
42953 + will be logged. If the sysctl option is enabled, a sysctl option
42954 + with name "audit_ptrace" is created.
42956 +config GRKERNSEC_AUDIT_CHDIR
42957 + bool "Chdir logging"
42959 + If you say Y here, all chdir() calls will be logged. If the sysctl
42960 + option is enabled, a sysctl option with name "audit_chdir" is created.
42962 +config GRKERNSEC_AUDIT_MOUNT
42963 + bool "(Un)Mount logging"
42965 + If you say Y here, all mounts and unmounts will be logged. If the
42966 + sysctl option is enabled, a sysctl option with name "audit_mount" is
42969 +config GRKERNSEC_SIGNAL
42970 + bool "Signal logging"
42972 + If you say Y here, certain important signals will be logged, such as
42973 + SIGSEGV, which will as a result inform you of when a error in a program
42974 + occurred, which in some cases could mean a possible exploit attempt.
42975 + If the sysctl option is enabled, a sysctl option with name
42976 + "signal_logging" is created.
42978 +config GRKERNSEC_FORKFAIL
42979 + bool "Fork failure logging"
42981 + If you say Y here, all failed fork() attempts will be logged.
42982 + This could suggest a fork bomb, or someone attempting to overstep
42983 + their process limit. If the sysctl option is enabled, a sysctl option
42984 + with name "forkfail_logging" is created.
42986 +config GRKERNSEC_TIME
42987 + bool "Time change logging"
42989 + If you say Y here, any changes of the system clock will be logged.
42990 + If the sysctl option is enabled, a sysctl option with name
42991 + "timechange_logging" is created.
42993 +config GRKERNSEC_PROC_IPADDR
42994 + bool "/proc/<pid>/ipaddr support"
42996 + If you say Y here, a new entry will be added to each /proc/<pid>
42997 + directory that contains the IP address of the person using the task.
42998 + The IP is carried across local TCP and AF_UNIX stream sockets.
42999 + This information can be useful for IDS/IPSes to perform remote response
43000 + to a local attack. The entry is readable by only the owner of the
43001 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
43002 + the RBAC system), and thus does not create privacy concerns.
43004 +config GRKERNSEC_AUDIT_TEXTREL
43005 + bool 'ELF text relocations logging (READ HELP)'
43006 + depends on PAX_MPROTECT
43008 + If you say Y here, text relocations will be logged with the filename
43009 + of the offending library or binary. The purpose of the feature is
43010 + to help Linux distribution developers get rid of libraries and
43011 + binaries that need text relocations which hinder the future progress
43012 + of PaX. Only Linux distribution developers should say Y here, and
43013 + never on a production machine, as this option creates an information
43014 + leak that could aid an attacker in defeating the randomization of
43015 + a single memory region. If the sysctl option is enabled, a sysctl
43016 + option with name "audit_textrel" is created.
43020 +menu "Executable Protections"
43021 +depends on GRKERNSEC
43023 +config GRKERNSEC_EXECVE
43024 + bool "Enforce RLIMIT_NPROC on execs"
43026 + If you say Y here, users with a resource limit on processes will
43027 + have the value checked during execve() calls. The current system
43028 + only checks the system limit during fork() calls. If the sysctl option
43029 + is enabled, a sysctl option with name "execve_limiting" is created.
43031 +config GRKERNSEC_DMESG
43032 + bool "Dmesg(8) restriction"
43034 + If you say Y here, non-root users will not be able to use dmesg(8)
43035 + to view up to the last 4kb of messages in the kernel's log buffer.
43036 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
43039 +config GRKERNSEC_HARDEN_PTRACE
43040 + bool "Deter ptrace-based process snooping"
43042 + If you say Y here, TTY sniffers and other malicious monitoring
43043 + programs implemented through ptrace will be defeated. If you
43044 + have been using the RBAC system, this option has already been
43045 + enabled for several years for all users, with the ability to make
43046 + fine-grained exceptions.
43048 + This option only affects the ability of non-root users to ptrace
43049 + processes that are not a descendent of the ptracing process.
43050 + This means that strace ./binary and gdb ./binary will still work,
43051 + but attaching to arbitrary processes will not. If the sysctl
43052 + option is enabled, a sysctl option with name "harden_ptrace" is
43055 +config GRKERNSEC_TPE
43056 + bool "Trusted Path Execution (TPE)"
43058 + If you say Y here, you will be able to choose a gid to add to the
43059 + supplementary groups of users you want to mark as "untrusted."
43060 + These users will not be able to execute any files that are not in
43061 + root-owned directories writable only by root. If the sysctl option
43062 + is enabled, a sysctl option with name "tpe" is created.
43064 +config GRKERNSEC_TPE_ALL
43065 + bool "Partially restrict all non-root users"
43066 + depends on GRKERNSEC_TPE
43068 + If you say Y here, all non-root users will be covered under
43069 + a weaker TPE restriction. This is separate from, and in addition to,
43070 + the main TPE options that you have selected elsewhere. Thus, if a
43071 + "trusted" GID is chosen, this restriction applies to even that GID.
43072 + Under this restriction, all non-root users will only be allowed to
43073 + execute files in directories they own that are not group or
43074 + world-writable, or in directories owned by root and writable only by
43075 + root. If the sysctl option is enabled, a sysctl option with name
43076 + "tpe_restrict_all" is created.
43078 +config GRKERNSEC_TPE_INVERT
43079 + bool "Invert GID option"
43080 + depends on GRKERNSEC_TPE
43082 + If you say Y here, the group you specify in the TPE configuration will
43083 + decide what group TPE restrictions will be *disabled* for. This
43084 + option is useful if you want TPE restrictions to be applied to most
43085 + users on the system. If the sysctl option is enabled, a sysctl option
43086 + with name "tpe_invert" is created. Unlike other sysctl options, this
43087 + entry will default to on for backward-compatibility.
43089 +config GRKERNSEC_TPE_GID
43090 + int "GID for untrusted users"
43091 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
43094 + Setting this GID determines what group TPE restrictions will be
43095 + *enabled* for. If the sysctl option is enabled, a sysctl option
43096 + with name "tpe_gid" is created.
43098 +config GRKERNSEC_TPE_GID
43099 + int "GID for trusted users"
43100 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
43103 + Setting this GID determines what group TPE restrictions will be
43104 + *disabled* for. If the sysctl option is enabled, a sysctl option
43105 + with name "tpe_gid" is created.
43108 +menu "Network Protections"
43109 +depends on GRKERNSEC
43111 +config GRKERNSEC_RANDNET
43112 + bool "Larger entropy pools"
43114 + If you say Y here, the entropy pools used for many features of Linux
43115 + and grsecurity will be doubled in size. Since several grsecurity
43116 + features use additional randomness, it is recommended that you say Y
43117 + here. Saying Y here has a similar effect as modifying
43118 + /proc/sys/kernel/random/poolsize.
43120 +config GRKERNSEC_BLACKHOLE
43121 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
43123 + If you say Y here, neither TCP resets nor ICMP
43124 + destination-unreachable packets will be sent in response to packets
43125 + sent to ports for which no associated listening process exists.
43126 + This feature supports both IPV4 and IPV6 and exempts the
43127 + loopback interface from blackholing. Enabling this feature
43128 + makes a host more resilient to DoS attacks and reduces network
43129 + visibility against scanners.
43131 + The blackhole feature as-implemented is equivalent to the FreeBSD
43132 + blackhole feature, as it prevents RST responses to all packets, not
43133 + just SYNs. Under most application behavior this causes no
43134 + problems, but applications (like haproxy) may not close certain
43135 + connections in a way that cleanly terminates them on the remote
43136 + end, leaving the remote host in LAST_ACK state. Because of this
43137 + side-effect and to prevent intentional LAST_ACK DoSes, this
43138 + feature also adds automatic mitigation against such attacks.
43139 + The mitigation drastically reduces the amount of time a socket
43140 + can spend in LAST_ACK state. If you're using haproxy and not
43141 + all servers it connects to have this option enabled, consider
43142 + disabling this feature on the haproxy host.
43144 + If the sysctl option is enabled, two sysctl options with names
43145 + "ip_blackhole" and "lastack_retries" will be created.
43146 + While "ip_blackhole" takes the standard zero/non-zero on/off
43147 + toggle, "lastack_retries" uses the same kinds of values as
43148 + "tcp_retries1" and "tcp_retries2". The default value of 4
43149 + prevents a socket from lasting more than 45 seconds in LAST_ACK
43152 +config GRKERNSEC_SOCKET
43153 + bool "Socket restrictions"
43155 + If you say Y here, you will be able to choose from several options.
43156 + If you assign a GID on your system and add it to the supplementary
43157 + groups of users you want to restrict socket access to, this patch
43158 + will perform up to three things, based on the option(s) you choose.
43160 +config GRKERNSEC_SOCKET_ALL
43161 + bool "Deny any sockets to group"
43162 + depends on GRKERNSEC_SOCKET
43164 + If you say Y here, you will be able to choose a GID of whose users will
43165 + be unable to connect to other hosts from your machine or run server
43166 + applications from your machine. If the sysctl option is enabled, a
43167 + sysctl option with name "socket_all" is created.
43169 +config GRKERNSEC_SOCKET_ALL_GID
43170 + int "GID to deny all sockets for"
43171 + depends on GRKERNSEC_SOCKET_ALL
43174 + Here you can choose the GID to disable socket access for. Remember to
43175 + add the users you want socket access disabled for to the GID
43176 + specified here. If the sysctl option is enabled, a sysctl option
43177 + with name "socket_all_gid" is created.
43179 +config GRKERNSEC_SOCKET_CLIENT
43180 + bool "Deny client sockets to group"
43181 + depends on GRKERNSEC_SOCKET
43183 + If you say Y here, you will be able to choose a GID of whose users will
43184 + be unable to connect to other hosts from your machine, but will be
43185 + able to run servers. If this option is enabled, all users in the group
43186 + you specify will have to use passive mode when initiating ftp transfers
43187 + from the shell on your machine. If the sysctl option is enabled, a
43188 + sysctl option with name "socket_client" is created.
43190 +config GRKERNSEC_SOCKET_CLIENT_GID
43191 + int "GID to deny client sockets for"
43192 + depends on GRKERNSEC_SOCKET_CLIENT
43195 + Here you can choose the GID to disable client socket access for.
43196 + Remember to add the users you want client socket access disabled for to
43197 + the GID specified here. If the sysctl option is enabled, a sysctl
43198 + option with name "socket_client_gid" is created.
43200 +config GRKERNSEC_SOCKET_SERVER
43201 + bool "Deny server sockets to group"
43202 + depends on GRKERNSEC_SOCKET
43204 + If you say Y here, you will be able to choose a GID of whose users will
43205 + be unable to run server applications from your machine. If the sysctl
43206 + option is enabled, a sysctl option with name "socket_server" is created.
43208 +config GRKERNSEC_SOCKET_SERVER_GID
43209 + int "GID to deny server sockets for"
43210 + depends on GRKERNSEC_SOCKET_SERVER
43213 + Here you can choose the GID to disable server socket access for.
43214 + Remember to add the users you want server socket access disabled for to
43215 + the GID specified here. If the sysctl option is enabled, a sysctl
43216 + option with name "socket_server_gid" is created.
43219 +menu "Sysctl support"
43220 +depends on GRKERNSEC && SYSCTL
43222 +config GRKERNSEC_SYSCTL
43223 + bool "Sysctl support"
43225 + If you say Y here, you will be able to change the options that
43226 + grsecurity runs with at bootup, without having to recompile your
43227 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
43228 + to enable (1) or disable (0) various features. All the sysctl entries
43229 + are mutable until the "grsec_lock" entry is set to a non-zero value.
43230 + All features enabled in the kernel configuration are disabled at boot
43231 + if you do not say Y to the "Turn on features by default" option.
43232 + All options should be set at startup, and the grsec_lock entry should
43233 + be set to a non-zero value after all the options are set.
43234 + *THIS IS EXTREMELY IMPORTANT*
43236 +config GRKERNSEC_SYSCTL_DISTRO
43237 + bool "Extra sysctl support for distro makers (READ HELP)"
43238 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
43240 + If you say Y here, additional sysctl options will be created
43241 + for features that affect processes running as root. Therefore,
43242 + it is critical when using this option that the grsec_lock entry be
43243 + enabled after boot. Only distros with prebuilt kernel packages
43244 + with this option enabled that can ensure grsec_lock is enabled
43245 + after boot should use this option.
43246 + *Failure to set grsec_lock after boot makes all grsec features
43247 + this option covers useless*
43249 + Currently this option creates the following sysctl entries:
43250 + "Disable Privileged I/O": "disable_priv_io"
43252 +config GRKERNSEC_SYSCTL_ON
43253 + bool "Turn on features by default"
43254 + depends on GRKERNSEC_SYSCTL
43256 + If you say Y here, instead of having all features enabled in the
43257 + kernel configuration disabled at boot time, the features will be
43258 + enabled at boot time. It is recommended you say Y here unless
43259 + there is some reason you would want all sysctl-tunable features to
43260 + be disabled by default. As mentioned elsewhere, it is important
43261 + to enable the grsec_lock entry once you have finished modifying
43262 + the sysctl entries.
43265 +menu "Logging Options"
43266 +depends on GRKERNSEC
43268 +config GRKERNSEC_FLOODTIME
43269 + int "Seconds in between log messages (minimum)"
43272 + This option allows you to enforce the number of seconds between
43273 + grsecurity log messages. The default should be suitable for most
43274 + people, however, if you choose to change it, choose a value small enough
43275 + to allow informative logs to be produced, but large enough to
43276 + prevent flooding.
43278 +config GRKERNSEC_FLOODBURST
43279 + int "Number of messages in a burst (maximum)"
43282 + This option allows you to choose the maximum number of messages allowed
43283 + within the flood time interval you chose in a separate option. The
43284 + default should be suitable for most people, however if you find that
43285 + many of your logs are being interpreted as flooding, you may want to
43286 + raise this value.
43291 diff -urNp linux-2.6.35.4/grsecurity/Makefile linux-2.6.35.4/grsecurity/Makefile
43292 --- linux-2.6.35.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
43293 +++ linux-2.6.35.4/grsecurity/Makefile 2010-09-17 20:12:37.000000000 -0400
43295 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
43296 +# during 2001-2009 it has been completely redesigned by Brad Spengler
43297 +# into an RBAC system
43299 +# All code in this directory and various hooks inserted throughout the kernel
43300 +# are copyright Brad Spengler - Open Source Security, Inc., and released
43301 +# under the GPL v2 or higher
43303 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
43304 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
43305 + grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
43307 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
43308 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
43309 + gracl_learn.o grsec_log.o
43310 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
43312 +ifndef CONFIG_GRKERNSEC
43313 +obj-y += grsec_disabled.o
43316 +ifdef CONFIG_GRKERNSEC_HIDESYM
43317 +extra-y := grsec_hidesym.o
43318 +$(obj)/grsec_hidesym.o:
43319 + @-chmod -f 500 /boot
43320 + @-chmod -f 500 /lib/modules
43322 + @echo ' grsec: protected kernel image paths'
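Review bot: The `$(obj)/grsec_hidesym.o` rule runs `chmod -f 500 /boot` and `chmod -f 500 /lib/modules` on the build host as a side effect of compiling the kernel. Because both commands carry the `@-` prefix they are silent and their failure is ignored, so an unprivileged or cross-compiling build still prints ' grsec: protected kernel image paths' without having changed anything. A build run as root changes permissions on a machine that may not be the one that boots this kernel. I would take the chmod lines out of the build and document the permission change as an install-time step on the target, or at least print the message only when the chmod succeeded.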
43324 diff -urNp linux-2.6.35.4/include/acpi/acoutput.h linux-2.6.35.4/include/acpi/acoutput.h
43325 --- linux-2.6.35.4/include/acpi/acoutput.h 2010-08-26 19:47:12.000000000 -0400
43326 +++ linux-2.6.35.4/include/acpi/acoutput.h 2010-09-17 20:12:09.000000000 -0400
43327 @@ -268,8 +268,8 @@
43328 * leaving no executable debug code!
43330 #define ACPI_FUNCTION_NAME(a)
43331 -#define ACPI_DEBUG_PRINT(pl)
43332 -#define ACPI_DEBUG_PRINT_RAW(pl)
43333 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
43334 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
43336 #endif /* ACPI_DEBUG_OUTPUT */
43338 diff -urNp linux-2.6.35.4/include/acpi/acpi_drivers.h linux-2.6.35.4/include/acpi/acpi_drivers.h
43339 --- linux-2.6.35.4/include/acpi/acpi_drivers.h 2010-08-26 19:47:12.000000000 -0400
43340 +++ linux-2.6.35.4/include/acpi/acpi_drivers.h 2010-09-17 20:12:09.000000000 -0400
43341 @@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
43343 -------------------------------------------------------------------------- */
43344 struct acpi_dock_ops {
43345 - acpi_notify_handler handler;
43346 - acpi_notify_handler uevent;
43347 + const acpi_notify_handler handler;
43348 + const acpi_notify_handler uevent;
43351 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
43352 @@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
43353 extern int register_dock_notifier(struct notifier_block *nb);
43354 extern void unregister_dock_notifier(struct notifier_block *nb);
43355 extern int register_hotplug_dock_device(acpi_handle handle,
43356 - struct acpi_dock_ops *ops,
43357 + const struct acpi_dock_ops *ops,
43359 extern void unregister_hotplug_dock_device(acpi_handle handle);
43361 @@ -146,7 +146,7 @@ static inline void unregister_dock_notif
43364 static inline int register_hotplug_dock_device(acpi_handle handle,
43365 - struct acpi_dock_ops *ops,
43366 + const struct acpi_dock_ops *ops,
43370 diff -urNp linux-2.6.35.4/include/asm-generic/atomic-long.h linux-2.6.35.4/include/asm-generic/atomic-long.h
43371 --- linux-2.6.35.4/include/asm-generic/atomic-long.h 2010-08-26 19:47:12.000000000 -0400
43372 +++ linux-2.6.35.4/include/asm-generic/atomic-long.h 2010-09-17 20:12:09.000000000 -0400
43375 typedef atomic64_t atomic_long_t;
43377 +#ifdef CONFIG_PAX_REFCOUNT
43378 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
43380 +typedef atomic64_t atomic_long_unchecked_t;
43383 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
43385 static inline long atomic_long_read(atomic_long_t *l)
43386 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
43387 return (long)atomic64_read(v);
43390 +#ifdef CONFIG_PAX_REFCOUNT
43391 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43393 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43395 + return (long)atomic64_read_unchecked(v);
43399 static inline void atomic_long_set(atomic_long_t *l, long i)
43401 atomic64_t *v = (atomic64_t *)l;
43402 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
43403 atomic64_set(v, i);
43406 +#ifdef CONFIG_PAX_REFCOUNT
43407 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43409 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43411 + atomic64_set_unchecked(v, i);
43415 static inline void atomic_long_inc(atomic_long_t *l)
43417 atomic64_t *v = (atomic64_t *)l;
43418 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
43422 +#ifdef CONFIG_PAX_REFCOUNT
43423 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43425 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43427 + atomic64_inc_unchecked(v);
43431 static inline void atomic_long_dec(atomic_long_t *l)
43433 atomic64_t *v = (atomic64_t *)l;
43434 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
43438 +#ifdef CONFIG_PAX_REFCOUNT
43439 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43441 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43443 + atomic64_dec_unchecked(v);
43447 static inline void atomic_long_add(long i, atomic_long_t *l)
43449 atomic64_t *v = (atomic64_t *)l;
43450 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
43451 atomic64_add(i, v);
43454 +#ifdef CONFIG_PAX_REFCOUNT
43455 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43457 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43459 + atomic64_add_unchecked(i, v);
43463 static inline void atomic_long_sub(long i, atomic_long_t *l)
43465 atomic64_t *v = (atomic64_t *)l;
43466 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
43467 return (long)atomic64_inc_return(v);
43470 +#ifdef CONFIG_PAX_REFCOUNT
43471 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43473 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43475 + return (long)atomic64_inc_return_unchecked(v);
43479 static inline long atomic_long_dec_return(atomic_long_t *l)
43481 atomic64_t *v = (atomic64_t *)l;
43482 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
43484 typedef atomic_t atomic_long_t;
43486 +#ifdef CONFIG_PAX_REFCOUNT
43487 +typedef atomic_unchecked_t atomic_long_unchecked_t;
43489 +typedef atomic_t atomic_long_unchecked_t;
43492 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
43493 static inline long atomic_long_read(atomic_long_t *l)
43495 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
43496 return (long)atomic_read(v);
43499 +#ifdef CONFIG_PAX_REFCOUNT
43500 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43502 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43504 + return (long)atomic_read_unchecked(v);
43508 static inline void atomic_long_set(atomic_long_t *l, long i)
43510 atomic_t *v = (atomic_t *)l;
43511 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
43515 +#ifdef CONFIG_PAX_REFCOUNT
43516 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43518 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43520 + atomic_set_unchecked(v, i);
43524 static inline void atomic_long_inc(atomic_long_t *l)
43526 atomic_t *v = (atomic_t *)l;
43527 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
43531 +#ifdef CONFIG_PAX_REFCOUNT
43532 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43534 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43536 + atomic_inc_unchecked(v);
43540 static inline void atomic_long_dec(atomic_long_t *l)
43542 atomic_t *v = (atomic_t *)l;
43543 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
43547 +#ifdef CONFIG_PAX_REFCOUNT
43548 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43550 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43552 + atomic_dec_unchecked(v);
43556 static inline void atomic_long_add(long i, atomic_long_t *l)
43558 atomic_t *v = (atomic_t *)l;
43559 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
43563 +#ifdef CONFIG_PAX_REFCOUNT
43564 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43566 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43568 + atomic_add_unchecked(i, v);
43572 static inline void atomic_long_sub(long i, atomic_long_t *l)
43574 atomic_t *v = (atomic_t *)l;
43575 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
43576 return (long)atomic_inc_return(v);
43579 +#ifdef CONFIG_PAX_REFCOUNT
43580 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43582 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43584 + return (long)atomic_inc_return_unchecked(v);
43588 static inline long atomic_long_dec_return(atomic_long_t *l)
43590 atomic_t *v = (atomic_t *)l;
43591 @@ -255,4 +375,37 @@ static inline long atomic_long_add_unles
43593 #endif /* BITS_PER_LONG == 64 */
43595 +#ifdef CONFIG_PAX_REFCOUNT
43596 +static inline void pax_refcount_needs_these_functions(void)
43598 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
43599 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
43600 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
43601 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
43602 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
43603 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
43605 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
43606 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
43607 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
43608 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
43609 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
43610 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
43613 +#define atomic_read_unchecked(v) atomic_read(v)
43614 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
43615 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
43616 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
43617 +#define atomic_inc_unchecked(v) atomic_inc(v)
43618 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
43620 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
43621 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
43622 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
43623 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
43624 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
43625 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
43628 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
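Review bot: `pax_refcount_needs_these_functions()` has no comment explaining the NULL arguments, so the calls read as a bug. If it is never meant to be called and exists only to break the build when an architecture lacks one of the `*_unchecked` operations, say so above it, e.g. `/* never called: forces a compile error if an arch lacks an *_unchecked op */`. In the lines visible here, neither the checked list nor the fallback macros cover `atomic_dec_unchecked`, which the 32-bit `atomic_long_dec_unchecked()` earlier in this file calls. That dependency may be satisfied per architecture, which this hunk does not show, but it is the one operation used in this file that is not checked in this hunk.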
43629 diff -urNp linux-2.6.35.4/include/asm-generic/dma-mapping-common.h linux-2.6.35.4/include/asm-generic/dma-mapping-common.h
43630 --- linux-2.6.35.4/include/asm-generic/dma-mapping-common.h 2010-08-26 19:47:12.000000000 -0400
43631 +++ linux-2.6.35.4/include/asm-generic/dma-mapping-common.h 2010-09-17 20:12:09.000000000 -0400
43632 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
43633 enum dma_data_direction dir,
43634 struct dma_attrs *attrs)
43636 - struct dma_map_ops *ops = get_dma_ops(dev);
43637 + const struct dma_map_ops *ops = get_dma_ops(dev);
43640 kmemcheck_mark_initialized(ptr, size);
43641 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
43642 enum dma_data_direction dir,
43643 struct dma_attrs *attrs)
43645 - struct dma_map_ops *ops = get_dma_ops(dev);
43646 + const struct dma_map_ops *ops = get_dma_ops(dev);
43648 BUG_ON(!valid_dma_direction(dir));
43649 if (ops->unmap_page)
43650 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
43651 int nents, enum dma_data_direction dir,
43652 struct dma_attrs *attrs)
43654 - struct dma_map_ops *ops = get_dma_ops(dev);
43655 + const struct dma_map_ops *ops = get_dma_ops(dev);
43657 struct scatterlist *s;
43659 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
43660 int nents, enum dma_data_direction dir,
43661 struct dma_attrs *attrs)
43663 - struct dma_map_ops *ops = get_dma_ops(dev);
43664 + const struct dma_map_ops *ops = get_dma_ops(dev);
43666 BUG_ON(!valid_dma_direction(dir));
43667 debug_dma_unmap_sg(dev, sg, nents, dir);
43668 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
43669 size_t offset, size_t size,
43670 enum dma_data_direction dir)
43672 - struct dma_map_ops *ops = get_dma_ops(dev);
43673 + const struct dma_map_ops *ops = get_dma_ops(dev);
43676 kmemcheck_mark_initialized(page_address(page) + offset, size);
43677 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
43678 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
43679 size_t size, enum dma_data_direction dir)
43681 - struct dma_map_ops *ops = get_dma_ops(dev);
43682 + const struct dma_map_ops *ops = get_dma_ops(dev);
43684 BUG_ON(!valid_dma_direction(dir));
43685 if (ops->unmap_page)
43686 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
43688 enum dma_data_direction dir)
43690 - struct dma_map_ops *ops = get_dma_ops(dev);
43691 + const struct dma_map_ops *ops = get_dma_ops(dev);
43693 BUG_ON(!valid_dma_direction(dir));
43694 if (ops->sync_single_for_cpu)
43695 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
43696 dma_addr_t addr, size_t size,
43697 enum dma_data_direction dir)
43699 - struct dma_map_ops *ops = get_dma_ops(dev);
43700 + const struct dma_map_ops *ops = get_dma_ops(dev);
43702 BUG_ON(!valid_dma_direction(dir));
43703 if (ops->sync_single_for_device)
43704 @@ -139,7 +139,7 @@ static inline void
43705 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
43706 int nelems, enum dma_data_direction dir)
43708 - struct dma_map_ops *ops = get_dma_ops(dev);
43709 + const struct dma_map_ops *ops = get_dma_ops(dev);
43711 BUG_ON(!valid_dma_direction(dir));
43712 if (ops->sync_sg_for_cpu)
43713 @@ -151,7 +151,7 @@ static inline void
43714 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
43715 int nelems, enum dma_data_direction dir)
43717 - struct dma_map_ops *ops = get_dma_ops(dev);
43718 + const struct dma_map_ops *ops = get_dma_ops(dev);
43720 BUG_ON(!valid_dma_direction(dir));
43721 if (ops->sync_sg_for_device)
43722 diff -urNp linux-2.6.35.4/include/asm-generic/futex.h linux-2.6.35.4/include/asm-generic/futex.h
43723 --- linux-2.6.35.4/include/asm-generic/futex.h 2010-08-26 19:47:12.000000000 -0400
43724 +++ linux-2.6.35.4/include/asm-generic/futex.h 2010-09-17 20:12:09.000000000 -0400
43726 #include <asm/errno.h>
43729 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
43730 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
43732 int op = (encoded_op >> 28) & 7;
43733 int cmp = (encoded_op >> 24) & 15;
43734 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
43738 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
43739 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
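Review bot: `futex_atomic_cmpxchg_inatomic()` now takes `u32 __user *uaddr` while `oldval` and `newval` stay `int`, so the value parameters no longer match the pointed-to type. If the futex word is meant to be treated as unsigned, the consistent form is `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`; otherwise a comment should say why only the pointer type changed. The first hunk of this file makes the same pointer-only change to `futex_atomic_op_inuser()`, and any `int` locals that are read or written through `uaddr` there deserve the same check. Both function bodies continue outside the hunks.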
43743 diff -urNp linux-2.6.35.4/include/asm-generic/int-l64.h linux-2.6.35.4/include/asm-generic/int-l64.h
43744 --- linux-2.6.35.4/include/asm-generic/int-l64.h 2010-08-26 19:47:12.000000000 -0400
43745 +++ linux-2.6.35.4/include/asm-generic/int-l64.h 2010-09-17 20:12:09.000000000 -0400
43746 @@ -46,6 +46,8 @@ typedef unsigned int u32;
43747 typedef signed long s64;
43748 typedef unsigned long u64;
43750 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
43753 #define U8_C(x) x ## U
43755 diff -urNp linux-2.6.35.4/include/asm-generic/int-ll64.h linux-2.6.35.4/include/asm-generic/int-ll64.h
43756 --- linux-2.6.35.4/include/asm-generic/int-ll64.h 2010-08-26 19:47:12.000000000 -0400
43757 +++ linux-2.6.35.4/include/asm-generic/int-ll64.h 2010-09-17 20:12:09.000000000 -0400
43758 @@ -51,6 +51,8 @@ typedef unsigned int u32;
43759 typedef signed long long s64;
43760 typedef unsigned long long u64;
43762 +typedef unsigned long long intoverflow_t;
43765 #define U8_C(x) x ## U
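Review bot: `intoverflow_t` is added without a comment saying what it is for, and in this header it is `unsigned long long`, which is no wider than `unsigned long` on a configuration where `long` is already 64 bits. If the type is meant to hold a size computation wide enough to detect overflow of `unsigned long` (its uses are not in this hunk), a 64-bit build that includes int-ll64.h gets no headroom, unlike the `mode(TI)` typedef added to int-l64.h. I would add a comment stating the required width, e.g. `/* must be wider than unsigned long; used to detect size overflow */`. The definition would also be safer selected by BITS_PER_LONG than by which int-*.h header happens to be included.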
43767 diff -urNp linux-2.6.35.4/include/asm-generic/kmap_types.h linux-2.6.35.4/include/asm-generic/kmap_types.h
43768 --- linux-2.6.35.4/include/asm-generic/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
43769 +++ linux-2.6.35.4/include/asm-generic/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
43770 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
43772 KMAP_D(18) KM_NMI_PTE,
43774 +KMAP_D(20) KM_CLEARPAGE,
43776 * Remember to update debug_kmap_atomic() when adding new kmap types!
43778 -KMAP_D(20) KM_TYPE_NR
43779 +KMAP_D(21) KM_TYPE_NR
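Review bot: `KM_CLEARPAGE` is added as slot 20 directly above the existing reminder 'Remember to update debug_kmap_atomic() when adding new kmap types!', and this hunk does not show that update. Whoever applies this should confirm that debug_kmap_atomic() knows the new type. The new entry also has no comment on which contexts may use the slot; a line next to `KMAP_D(20) KM_CLEARPAGE,` such as `/* presumably page clearing; state the allowed context here */` would cover that once the context is confirmed. The enum begins outside the hunk.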
43783 diff -urNp linux-2.6.35.4/include/asm-generic/pgtable.h linux-2.6.35.4/include/asm-generic/pgtable.h
43784 --- linux-2.6.35.4/include/asm-generic/pgtable.h 2010-08-26 19:47:12.000000000 -0400
43785 +++ linux-2.6.35.4/include/asm-generic/pgtable.h 2010-09-17 20:12:09.000000000 -0400
43786 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
43787 unsigned long size);
43790 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
43791 +static inline unsigned long pax_open_kernel(void) { return 0; }
43794 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
43795 +static inline unsigned long pax_close_kernel(void) { return 0; }
43798 #endif /* !__ASSEMBLY__ */
43800 #endif /* _ASM_GENERIC_PGTABLE_H */
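Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` stubs return `unsigned long` 0 with no comment on what the return value means or whether the two calls must be paired. Because the fallback is a silent no-op, code that brackets a write with these calls gets no change in protection on an architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL`; presumably that is intended, but it should be written down. I would add something like `/* no-op fallback for architectures without an open/close implementation; the return value is unused here */` above the stubs, adjusted to the real contract.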
43801 diff -urNp linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h
43802 --- linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h 2010-08-26 19:47:12.000000000 -0400
43803 +++ linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h 2010-09-17 20:12:09.000000000 -0400
43805 #ifndef _PGTABLE_NOPMD_H
43806 #define _PGTABLE_NOPMD_H
43808 -#ifndef __ASSEMBLY__
43810 #include <asm-generic/pgtable-nopud.h>
43814 #define __PAGETABLE_PMD_FOLDED
43816 +#define PMD_SHIFT PUD_SHIFT
43817 +#define PTRS_PER_PMD 1
43818 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
43819 +#define PMD_MASK (~(PMD_SIZE-1))
43821 +#ifndef __ASSEMBLY__
43826 * Having the pmd type consist of a pud gets the size right, and allows
43827 * us to conceptually access the pud entry that this pmd is folded into
43828 @@ -16,11 +21,6 @@ struct mm_struct;
43830 typedef struct { pud_t pud; } pmd_t;
43832 -#define PMD_SHIFT PUD_SHIFT
43833 -#define PTRS_PER_PMD 1
43834 -#define PMD_SIZE (1UL << PMD_SHIFT)
43835 -#define PMD_MASK (~(PMD_SIZE-1))
43838 * The "pud_xxx()" functions here are trivial for a folded two-level
43839 * setup: the pmd is never bad, and a pmd always exists (as it's folded
43840 diff -urNp linux-2.6.35.4/include/asm-generic/pgtable-nopud.h linux-2.6.35.4/include/asm-generic/pgtable-nopud.h
43841 --- linux-2.6.35.4/include/asm-generic/pgtable-nopud.h 2010-08-26 19:47:12.000000000 -0400
43842 +++ linux-2.6.35.4/include/asm-generic/pgtable-nopud.h 2010-09-17 20:12:09.000000000 -0400
43844 #ifndef _PGTABLE_NOPUD_H
43845 #define _PGTABLE_NOPUD_H
43847 -#ifndef __ASSEMBLY__
43849 #define __PAGETABLE_PUD_FOLDED
43851 +#define PUD_SHIFT PGDIR_SHIFT
43852 +#define PTRS_PER_PUD 1
43853 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
43854 +#define PUD_MASK (~(PUD_SIZE-1))
43856 +#ifndef __ASSEMBLY__
43859 * Having the pud type consist of a pgd gets the size right, and allows
43860 * us to conceptually access the pgd entry that this pud is folded into
43863 typedef struct { pgd_t pgd; } pud_t;
43865 -#define PUD_SHIFT PGDIR_SHIFT
43866 -#define PTRS_PER_PUD 1
43867 -#define PUD_SIZE (1UL << PUD_SHIFT)
43868 -#define PUD_MASK (~(PUD_SIZE-1))
43871 * The "pgd_xxx()" functions here are trivial for a folded two-level
43872 * setup: the pud is never bad, and a pud always exists (as it's folded
43873 diff -urNp linux-2.6.35.4/include/asm-generic/vmlinux.lds.h linux-2.6.35.4/include/asm-generic/vmlinux.lds.h
43874 --- linux-2.6.35.4/include/asm-generic/vmlinux.lds.h 2010-08-26 19:47:12.000000000 -0400
43875 +++ linux-2.6.35.4/include/asm-generic/vmlinux.lds.h 2010-09-17 20:12:09.000000000 -0400
43876 @@ -213,6 +213,7 @@
43877 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
43878 VMLINUX_SYMBOL(__start_rodata) = .; \
43879 *(.rodata) *(.rodata.*) \
43880 + *(.data..read_only) \
43881 *(__vermagic) /* Kernel version magic */ \
43882 *(__markers_strings) /* Markers: strings */ \
43883 *(__tracepoints_strings)/* Tracepoints: strings */ \
43884 @@ -670,22 +671,24 @@
43885 * section in the linker script will go there too. @phdr should have
43888 - * Note that this macros defines __per_cpu_load as an absolute symbol.
43889 + * Note that this macros defines per_cpu_load as an absolute symbol.
43890 * If there is no need to put the percpu section at a predetermined
43891 * address, use PERCPU().
43893 #define PERCPU_VADDR(vaddr, phdr) \
43894 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
43895 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
43896 + per_cpu_load = .; \
43897 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
43899 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
43900 VMLINUX_SYMBOL(__per_cpu_start) = .; \
43901 *(.data..percpu..first) \
43902 - *(.data..percpu..page_aligned) \
43904 + . = ALIGN(PAGE_SIZE); \
43905 + *(.data..percpu..page_aligned) \
43906 *(.data..percpu..shared_aligned) \
43907 VMLINUX_SYMBOL(__per_cpu_end) = .; \
43909 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
43910 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
43913 * PERCPU - define output section for percpu area, simple version
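Review bot: In `PERCPU_VADDR` the new symbol is defined as plain `per_cpu_load = .;` but referenced as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT(...)` expression and in the final location-counter assignment. On an architecture where VMLINUX_SYMBOL() adds a prefix, the defined and referenced names differ. Either define it as `VMLINUX_SYMBOL(per_cpu_load) = .;` or drop the wrapper from both uses. The updated comment says the macro 'defines per_cpu_load as an absolute symbol', while `__per_cpu_load` now appears to be assigned inside the output section as `. + per_cpu_load`; a sentence on why it is computed that way would help the next reader.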
43914 diff -urNp linux-2.6.35.4/include/drm/drm_pciids.h linux-2.6.35.4/include/drm/drm_pciids.h
43915 --- linux-2.6.35.4/include/drm/drm_pciids.h 2010-08-26 19:47:12.000000000 -0400
43916 +++ linux-2.6.35.4/include/drm/drm_pciids.h 2010-09-17 20:12:09.000000000 -0400
43917 @@ -419,7 +419,7 @@
43918 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43919 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43920 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43922 + {0, 0, 0, 0, 0, 0}
43924 #define r128_PCI_IDS \
43925 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43926 @@ -459,14 +459,14 @@
43927 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43928 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43929 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43931 + {0, 0, 0, 0, 0, 0}
43933 #define mga_PCI_IDS \
43934 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43935 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43936 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
43937 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
43939 + {0, 0, 0, 0, 0, 0}
43941 #define mach64_PCI_IDS \
43942 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43943 @@ -489,7 +489,7 @@
43944 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43945 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43946 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43948 + {0, 0, 0, 0, 0, 0}
43950 #define sisdrv_PCI_IDS \
43951 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43952 @@ -500,7 +500,7 @@
43953 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43954 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43955 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43957 + {0, 0, 0, 0, 0, 0}
43959 #define tdfx_PCI_IDS \
43960 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43961 @@ -509,7 +509,7 @@
43962 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43963 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43964 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43966 + {0, 0, 0, 0, 0, 0}
43968 #define viadrv_PCI_IDS \
43969 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43970 @@ -521,14 +521,14 @@
43971 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43972 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
43973 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
43975 + {0, 0, 0, 0, 0, 0}
43977 #define i810_PCI_IDS \
43978 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43979 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43980 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43981 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43983 + {0, 0, 0, 0, 0, 0}
43985 #define i830_PCI_IDS \
43986 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43987 @@ -536,11 +536,11 @@
43988 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43989 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43990 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43992 + {0, 0, 0, 0, 0, 0}
43994 #define gamma_PCI_IDS \
43995 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43997 + {0, 0, 0, 0, 0, 0}
43999 #define savage_PCI_IDS \
44000 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
44001 @@ -566,10 +566,10 @@
44002 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
44003 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44004 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44006 + {0, 0, 0, 0, 0, 0}
44008 #define ffb_PCI_IDS \
44010 + {0, 0, 0, 0, 0, 0}
44012 #define i915_PCI_IDS \
44013 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44014 @@ -603,4 +603,4 @@
44015 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44016 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44017 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44019 + {0, 0, 0, 0, 0, 0}
44020 diff -urNp linux-2.6.35.4/include/drm/drmP.h linux-2.6.35.4/include/drm/drmP.h
44021 --- linux-2.6.35.4/include/drm/drmP.h 2010-08-26 19:47:12.000000000 -0400
44022 +++ linux-2.6.35.4/include/drm/drmP.h 2010-09-17 20:12:09.000000000 -0400
44023 @@ -808,7 +808,7 @@ struct drm_driver {
44024 void (*vgaarb_irq)(struct drm_device *dev, bool state);
44026 /* Driver private ops for this object */
44027 - struct vm_operations_struct *gem_vm_ops;
44028 + const struct vm_operations_struct *gem_vm_ops;
44032 @@ -917,7 +917,7 @@ struct drm_device {
44034 /** \name Usage Counters */
44036 - int open_count; /**< Outstanding files open */
44037 + atomic_t open_count; /**< Outstanding files open */
44038 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
44039 atomic_t vma_count; /**< Outstanding vma areas open */
44040 int buf_use; /**< Buffers in use -- cannot alloc */
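Review bot: Changing `open_count` from `int` to `atomic_t` is only correct if every site that tests and updates it does so in one atomic operation; an `atomic_read()` followed by a separate increment or decrement would still race. The users are not in this hunk, so the open and release paths should be checked to confirm that first-open and last-close decisions use `atomic_inc_return()` and `atomic_dec_and_test()`. The field comment could also say which lock, if any, still covers the counter. The struct definition starts and ends outside the hunk.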
44041 @@ -928,7 +928,7 @@ struct drm_device {
44043 unsigned long counters;
44044 enum drm_stat_type types[15];
44045 - atomic_t counts[15];
44046 + atomic_unchecked_t counts[15];
44049 struct list_head filelist;
44050 diff -urNp linux-2.6.35.4/include/linux/a.out.h linux-2.6.35.4/include/linux/a.out.h
44051 --- linux-2.6.35.4/include/linux/a.out.h 2010-08-26 19:47:12.000000000 -0400
44052 +++ linux-2.6.35.4/include/linux/a.out.h 2010-09-17 20:12:09.000000000 -0400
44053 @@ -39,6 +39,14 @@ enum machine_type {
44054 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
44057 +/* Constants for the N_FLAGS field */
44058 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44059 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
44060 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
44061 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
44062 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44063 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44065 #if !defined (N_MAGIC)
44066 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
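Review bot: `F_PAX_RANDEXEC` is left as a commented-out `#define`, which hides the fact that value 16 is taken and must not be reused for a new flag. I would replace it with an explicit comment such as `/* 16 is reserved for F_PAX_RANDEXEC (randomize ET_EXEC base); do not reuse */`. Since the values are written in decimal, the block comment could also say that these are bit flags combined in the N_FLAGS field.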
44068 diff -urNp linux-2.6.35.4/include/linux/atmdev.h linux-2.6.35.4/include/linux/atmdev.h
44069 --- linux-2.6.35.4/include/linux/atmdev.h 2010-08-26 19:47:12.000000000 -0400
44070 +++ linux-2.6.35.4/include/linux/atmdev.h 2010-09-17 20:12:09.000000000 -0400
44071 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
44074 struct k_atm_aal_stats {
44075 -#define __HANDLE_ITEM(i) atomic_t i
44076 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
44078 #undef __HANDLE_ITEM
44080 diff -urNp linux-2.6.35.4/include/linux/binfmts.h linux-2.6.35.4/include/linux/binfmts.h
44081 --- linux-2.6.35.4/include/linux/binfmts.h 2010-08-26 19:47:12.000000000 -0400
44082 +++ linux-2.6.35.4/include/linux/binfmts.h 2010-09-17 20:12:09.000000000 -0400
44083 @@ -87,6 +87,7 @@ struct linux_binfmt {
44084 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
44085 int (*load_shlib)(struct file *);
44086 int (*core_dump)(struct coredump_params *cprm);
44087 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
44088 unsigned long min_coredump; /* minimal dump size */
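Review bot: The new `handle_mprotect` member is added without a comment, and any existing `struct linux_binfmt` instance that does not set it will leave it NULL. Callers, which are not in this hunk, need a NULL check before calling through it. The member deserves a line such as `/* optional, may be NULL; presumably called when mprotect() changes the flags of vma */`, confirmed against the call site, stating when it runs and what it may modify. The struct definition begins and ends outside the hunk.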
44091 diff -urNp linux-2.6.35.4/include/linux/blkdev.h linux-2.6.35.4/include/linux/blkdev.h
44092 --- linux-2.6.35.4/include/linux/blkdev.h 2010-08-26 19:47:12.000000000 -0400
44093 +++ linux-2.6.35.4/include/linux/blkdev.h 2010-09-17 20:12:09.000000000 -0400
44094 @@ -1331,20 +1331,20 @@ static inline int blk_integrity_rq(struc
44095 #endif /* CONFIG_BLK_DEV_INTEGRITY */
44097 struct block_device_operations {
44098 - int (*open) (struct block_device *, fmode_t);
44099 - int (*release) (struct gendisk *, fmode_t);
44100 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44101 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44102 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44103 - int (*direct_access) (struct block_device *, sector_t,
44104 + int (* const open) (struct block_device *, fmode_t);
44105 + int (* const release) (struct gendisk *, fmode_t);
44106 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44107 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44108 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44109 + int (* const direct_access) (struct block_device *, sector_t,
44110 void **, unsigned long *);
44111 - int (*media_changed) (struct gendisk *);
44112 - void (*unlock_native_capacity) (struct gendisk *);
44113 - int (*revalidate_disk) (struct gendisk *);
44114 - int (*getgeo)(struct block_device *, struct hd_geometry *);
44115 + int (* const media_changed) (struct gendisk *);
44116 + void (* const unlock_native_capacity) (struct gendisk *);
44117 + int (* const revalidate_disk) (struct gendisk *);
44118 + int (*const getgeo)(struct block_device *, struct hd_geometry *);
44119 /* this callback is with swap_lock and sometimes page table lock held */
44120 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
44121 - struct module *owner;
44122 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
44123 + struct module * const owner;
44126 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
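Review bot: The member declarations are spelled `(* const name)` everywhere except `int (*const getgeo)(...)`, which drops the space; one form should be used for the whole struct. More substantively, const-qualifying each member makes every instance initializer-only, unlike declaring instances `const struct block_device_operations`. Any driver that fills in or patches an ops table at run time will no longer compile. That is presumably the intent, and a comment above the struct such as `/* members are const: ops tables must be fully initialized at definition */` would make it explicit.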
44127 diff -urNp linux-2.6.35.4/include/linux/cache.h linux-2.6.35.4/include/linux/cache.h
44128 --- linux-2.6.35.4/include/linux/cache.h 2010-08-26 19:47:12.000000000 -0400
44129 +++ linux-2.6.35.4/include/linux/cache.h 2010-09-17 20:12:09.000000000 -0400
44131 #define __read_mostly
44134 +#ifndef __read_only
44135 +#define __read_only __read_mostly
44138 #ifndef ____cacheline_aligned
44139 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
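Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture that does not provide its own `__read_only`, data annotated with it stays in an ordinary writable section. The name promises more than the fallback delivers. I would add a comment such as `/* fallback: placement only, no write protection */` so that nobody treats `__read_only` as a hardening guarantee without checking the architecture.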
44141 diff -urNp linux-2.6.35.4/include/linux/capability.h linux-2.6.35.4/include/linux/capability.h
44142 --- linux-2.6.35.4/include/linux/capability.h 2010-08-26 19:47:12.000000000 -0400
44143 +++ linux-2.6.35.4/include/linux/capability.h 2010-09-17 20:12:37.000000000 -0400
44144 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
44145 (security_real_capable_noaudit((t), (cap)) == 0)
44147 extern int capable(int cap);
44148 +int capable_nolog(int cap);
44150 /* audit system wants to get cap info from files as well */
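Review bot: `capable_nolog()` is declared without `extern`, unlike `capable()` on the line above, and without any comment on how the two differ. The name suggests a capability check that skips logging, so the declaration should say when that is appropriate, e.g. `/* like capable(), but presumably without the log entry; confirm against the definition */`, which is not in this hunk. `extern int capable_nolog(int cap);` would match the surrounding style.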
44152 diff -urNp linux-2.6.35.4/include/linux/compat.h linux-2.6.35.4/include/linux/compat.h
44153 --- linux-2.6.35.4/include/linux/compat.h 2010-08-26 19:47:12.000000000 -0400
44154 +++ linux-2.6.35.4/include/linux/compat.h 2010-09-17 20:12:37.000000000 -0400
44155 @@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvec
44156 const struct compat_iovec __user *uvector, unsigned long nr_segs,
44157 unsigned long fast_segs, struct iovec *fast_pointer,
44158 struct iovec **ret_pointer);
44160 +extern void __user *compat_alloc_user_space(unsigned long len);
44162 #endif /* CONFIG_COMPAT */
44163 #endif /* _LINUX_COMPAT_H */
44164 diff -urNp linux-2.6.35.4/include/linux/compiler-gcc4.h linux-2.6.35.4/include/linux/compiler-gcc4.h
44165 --- linux-2.6.35.4/include/linux/compiler-gcc4.h 2010-08-26 19:47:12.000000000 -0400
44166 +++ linux-2.6.35.4/include/linux/compiler-gcc4.h 2010-09-17 20:12:09.000000000 -0400
44171 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
44172 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
44173 +#define __bos0(ptr) __bos((ptr), 0)
44174 +#define __bos1(ptr) __bos((ptr), 1)
44177 #if __GNUC_MINOR__ > 0
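Review bot: `__alloc_size(...)` is written with the `__attribute` spelling, while the other headers touched by this patch use `__attribute__` (for example `____cacheline_aligned` in cache.h and `__section` in compiler.h). The `alloc_size` attribute is also not known to every GCC 4 release (it arrived in 4.3, as far as I recall), and whether the added block is guarded on the minor version cannot be seen from the lines shown here. I would use `__attribute__((alloc_size(__VA_ARGS__)))` and confirm the definitions sit under a suitable `__GNUC_MINOR__` check.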
44178 diff -urNp linux-2.6.35.4/include/linux/compiler.h linux-2.6.35.4/include/linux/compiler.h
44179 --- linux-2.6.35.4/include/linux/compiler.h 2010-08-26 19:47:12.000000000 -0400
44180 +++ linux-2.6.35.4/include/linux/compiler.h 2010-09-17 20:12:09.000000000 -0400
44181 @@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
44185 +#ifndef __alloc_size
44186 +#define __alloc_size
44201 /* Simple shorthand for a section definition */
44203 # define __section(S) __attribute__ ((__section__(#S)))
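Review bot: The fallback `#define __alloc_size` is object-like, while the GCC 4 definition this patch adds in compiler-gcc4.h is the variadic `__alloc_size(...)`. On a compiler that does not pick up the GCC 4 definition, a declaration annotated `__alloc_size(1)` would expand to a stray `(1)` and fail to parse. The fallback should accept and discard its arguments, `#define __alloc_size(...)`. Most of this hunk's added lines are not visible here, so any further fallbacks it defines should be checked for the same mismatch.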
44204 diff -urNp linux-2.6.35.4/include/linux/decompress/mm.h linux-2.6.35.4/include/linux/decompress/mm.h
44205 --- linux-2.6.35.4/include/linux/decompress/mm.h 2010-08-26 19:47:12.000000000 -0400
44206 +++ linux-2.6.35.4/include/linux/decompress/mm.h 2010-09-17 20:12:09.000000000 -0400
44207 @@ -78,7 +78,7 @@ static void free(void *where)
44208 * warnings when not needed (indeed large_malloc / large_free are not
44209 * needed by inflate */
44211 -#define malloc(a) kmalloc(a, GFP_KERNEL)
44212 +#define malloc(a) kmalloc((a), GFP_KERNEL)
44213 #define free(a) kfree(a)
44215 #define large_malloc(a) vmalloc(a)
44216 diff -urNp linux-2.6.35.4/include/linux/dma-mapping.h linux-2.6.35.4/include/linux/dma-mapping.h
44217 --- linux-2.6.35.4/include/linux/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
44218 +++ linux-2.6.35.4/include/linux/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
44219 @@ -16,40 +16,40 @@ enum dma_data_direction {
44222 struct dma_map_ops {
44223 - void* (*alloc_coherent)(struct device *dev, size_t size,
44224 + void* (* const alloc_coherent)(struct device *dev, size_t size,
44225 dma_addr_t *dma_handle, gfp_t gfp);
44226 - void (*free_coherent)(struct device *dev, size_t size,
44227 + void (* const free_coherent)(struct device *dev, size_t size,
44228 void *vaddr, dma_addr_t dma_handle);
44229 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
44230 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
44231 unsigned long offset, size_t size,
44232 enum dma_data_direction dir,
44233 struct dma_attrs *attrs);
44234 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
44235 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
44236 size_t size, enum dma_data_direction dir,
44237 struct dma_attrs *attrs);
44238 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
44239 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
44240 int nents, enum dma_data_direction dir,
44241 struct dma_attrs *attrs);
44242 - void (*unmap_sg)(struct device *dev,
44243 + void (* const unmap_sg)(struct device *dev,
44244 struct scatterlist *sg, int nents,
44245 enum dma_data_direction dir,
44246 struct dma_attrs *attrs);
44247 - void (*sync_single_for_cpu)(struct device *dev,
44248 + void (* const sync_single_for_cpu)(struct device *dev,
44249 dma_addr_t dma_handle, size_t size,
44250 enum dma_data_direction dir);
44251 - void (*sync_single_for_device)(struct device *dev,
44252 + void (* const sync_single_for_device)(struct device *dev,
44253 dma_addr_t dma_handle, size_t size,
44254 enum dma_data_direction dir);
44255 - void (*sync_sg_for_cpu)(struct device *dev,
44256 + void (* const sync_sg_for_cpu)(struct device *dev,
44257 struct scatterlist *sg, int nents,
44258 enum dma_data_direction dir);
44259 - void (*sync_sg_for_device)(struct device *dev,
44260 + void (* const sync_sg_for_device)(struct device *dev,
44261 struct scatterlist *sg, int nents,
44262 enum dma_data_direction dir);
44263 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
44264 - int (*dma_supported)(struct device *dev, u64 mask);
44265 - int (*set_dma_mask)(struct device *dev, u64 mask);
44267 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
44268 + int (* const dma_supported)(struct device *dev, u64 mask);
44269 + int (* set_dma_mask)(struct device *dev, u64 mask);
44270 + const int is_phys;
44273 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
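Review bot: Member-level `const` on the function pointers rejects assignments at compile time, but it does not by itself place an instance in read-only data. An ops table defined as plain `struct dma_map_ops` may still land in a writable section, depending on how each instance is declared, which this hunk cannot show. The same applies to `address_space_operations`, `file_lock_operations` and `lock_manager_operations` in the fs.h hunks further down. In this struct, `int (* set_dma_mask)` is the one pointer left writable, with no explanation. I would normalise it to `int (*set_dma_mask)(struct device *dev, u64 mask);` and add a comment naming why it must stay assignable.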
44274 diff -urNp linux-2.6.35.4/include/linux/elf.h linux-2.6.35.4/include/linux/elf.h
44275 --- linux-2.6.35.4/include/linux/elf.h 2010-08-26 19:47:12.000000000 -0400
44276 +++ linux-2.6.35.4/include/linux/elf.h 2010-09-17 20:12:09.000000000 -0400
44277 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
44278 #define PT_GNU_EH_FRAME 0x6474e550
44280 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
44281 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
44283 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
44285 +/* Constants for the e_flags field */
44286 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44287 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
44288 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
44289 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
44290 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44291 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44294 * Extended Numbering
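Review bot: `/*#define EF_PAX_RANDEXEC 16*/` leaves a commented-out definition in the header, and the `p_flags` hunk below does the same for `PF_RANDEXEC` and `PF_NORANDEXEC`. Commented-out code does not tell a maintainer whether the value 16, or bits 10 and 11 of `p_flags`, may be handed out again. Binaries that already carry those bits would silently change meaning if a value were reassigned. I would replace each with a comment that states the reservation, e.g. `/* 16 was EF_PAX_RANDEXEC (randomize ET_EXEC base); reserved, do not reuse */`.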
44295 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
44296 #define DT_DEBUG 21
44297 #define DT_TEXTREL 22
44298 #define DT_JMPREL 23
44299 +#define DT_FLAGS 30
44300 + #define DF_TEXTREL 0x00000004
44301 #define DT_ENCODING 32
44302 #define OLD_DT_LOOS 0x60000000
44303 #define DT_LOOS 0x6000000d
44304 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
44308 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
44309 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
44310 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
44311 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
44312 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
44313 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
44314 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
44315 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
44316 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
44317 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
44318 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
44319 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
44321 typedef struct elf32_phdr{
44323 Elf32_Off p_offset;
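Review bot: Each PaX feature gets a separate enable and disable bit (`PF_PAGEEXEC`/`PF_NOPAGEEXEC`, `PF_MPROTECT`/`PF_NOMPROTECT`, and so on), but the header does not say what a program header with both bits of a pair set, or with neither, means. These flags come from the ELF file being executed, so the contradictory case is a policy decision that should resolve towards the protected state. The parsing code is outside this hunk, so I cannot tell what it does today. I would add a block comment above the definitions that states the precedence.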
44324 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
44330 #define ELFMAG0 0x7f /* EI_MAG */
44331 #define ELFMAG1 'E'
44332 #define ELFMAG2 'L'
44333 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
44334 #define elf_note elf32_note
44335 #define elf_addr_t Elf32_Off
44336 #define Elf_Half Elf32_Half
44337 +#define elf_dyn Elf32_Dyn
44341 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
44342 #define elf_note elf64_note
44343 #define elf_addr_t Elf64_Off
44344 #define Elf_Half Elf64_Half
44345 +#define elf_dyn Elf64_Dyn
44349 diff -urNp linux-2.6.35.4/include/linux/fs.h linux-2.6.35.4/include/linux/fs.h
44350 --- linux-2.6.35.4/include/linux/fs.h 2010-08-26 19:47:12.000000000 -0400
44351 +++ linux-2.6.35.4/include/linux/fs.h 2010-09-17 20:12:37.000000000 -0400
44352 @@ -90,6 +90,11 @@ struct inodes_stat_t {
44353 /* Expect random access pattern */
44354 #define FMODE_RANDOM ((__force fmode_t)0x1000)
44356 +/* Hack for grsec so as not to require read permission simply to execute
44359 +#define FMODE_GREXEC ((__force fmode_t)0x2000)
44362 * The below are the various read and write types that we support. Some of
44363 * them include behavioral modifiers that send information down to the
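Review bot: `FMODE_GREXEC` takes the raw value `0x2000` from the same `fmode_t` flag space that upstream allocates from, so a later kernel that assigns `0x2000` to a flag of its own would collide with it without any compile error. The comment describes the flag as a hack that avoids requiring read permission to execute. A flag that relaxes a permission check should also say where it is set and where it is cleared. I would extend the comment with both, and note that the value must be re-checked against the other `FMODE_*` definitions on every rebase.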
44364 @@ -571,41 +576,41 @@ typedef int (*read_actor_t)(read_descrip
44365 unsigned long, unsigned long);
44367 struct address_space_operations {
44368 - int (*writepage)(struct page *page, struct writeback_control *wbc);
44369 - int (*readpage)(struct file *, struct page *);
44370 - void (*sync_page)(struct page *);
44371 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
44372 + int (* const readpage)(struct file *, struct page *);
44373 + void (* const sync_page)(struct page *);
44375 /* Write back some dirty pages from this mapping. */
44376 - int (*writepages)(struct address_space *, struct writeback_control *);
44377 + int (* const writepages)(struct address_space *, struct writeback_control *);
44379 /* Set a page dirty. Return true if this dirtied it */
44380 - int (*set_page_dirty)(struct page *page);
44381 + int (* const set_page_dirty)(struct page *page);
44383 - int (*readpages)(struct file *filp, struct address_space *mapping,
44384 + int (* const readpages)(struct file *filp, struct address_space *mapping,
44385 struct list_head *pages, unsigned nr_pages);
44387 - int (*write_begin)(struct file *, struct address_space *mapping,
44388 + int (* const write_begin)(struct file *, struct address_space *mapping,
44389 loff_t pos, unsigned len, unsigned flags,
44390 struct page **pagep, void **fsdata);
44391 - int (*write_end)(struct file *, struct address_space *mapping,
44392 + int (* const write_end)(struct file *, struct address_space *mapping,
44393 loff_t pos, unsigned len, unsigned copied,
44394 struct page *page, void *fsdata);
44396 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
44397 - sector_t (*bmap)(struct address_space *, sector_t);
44398 - void (*invalidatepage) (struct page *, unsigned long);
44399 - int (*releasepage) (struct page *, gfp_t);
44400 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
44401 + sector_t (* const bmap)(struct address_space *, sector_t);
44402 + void (* const invalidatepage) (struct page *, unsigned long);
44403 + int (* const releasepage) (struct page *, gfp_t);
44404 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
44405 loff_t offset, unsigned long nr_segs);
44406 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
44407 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
44408 void **, unsigned long *);
44409 /* migrate the contents of a page to the specified target */
44410 - int (*migratepage) (struct address_space *,
44411 + int (* const migratepage) (struct address_space *,
44412 struct page *, struct page *);
44413 - int (*launder_page) (struct page *);
44414 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
44415 + int (* const launder_page) (struct page *);
44416 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
44418 - int (*error_remove_page)(struct address_space *, struct page *);
44419 + int (* const error_remove_page)(struct address_space *, struct page *);
44423 @@ -1035,19 +1040,19 @@ static inline int file_check_writeable(s
44424 typedef struct files_struct *fl_owner_t;
44426 struct file_lock_operations {
44427 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44428 - void (*fl_release_private)(struct file_lock *);
44429 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44430 + void (* const fl_release_private)(struct file_lock *);
44433 struct lock_manager_operations {
44434 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
44435 - void (*fl_notify)(struct file_lock *); /* unblock callback */
44436 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
44437 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44438 - void (*fl_release_private)(struct file_lock *);
44439 - void (*fl_break)(struct file_lock *);
44440 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
44441 - int (*fl_change)(struct file_lock **, int);
44442 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
44443 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
44444 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
44445 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44446 + void (* const fl_release_private)(struct file_lock *);
44447 + void (* const fl_break)(struct file_lock *);
44448 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
44449 + int (* const fl_change)(struct file_lock **, int);
44452 struct lock_manager {
44453 @@ -1440,7 +1445,7 @@ struct fiemap_extent_info {
44454 unsigned int fi_flags; /* Flags as passed from user */
44455 unsigned int fi_extents_mapped; /* Number of mapped extents */
44456 unsigned int fi_extents_max; /* Size of fiemap_extent array */
44457 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
44458 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
44461 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
44462 diff -urNp linux-2.6.35.4/include/linux/fs_struct.h linux-2.6.35.4/include/linux/fs_struct.h
44463 --- linux-2.6.35.4/include/linux/fs_struct.h 2010-08-26 19:47:12.000000000 -0400
44464 +++ linux-2.6.35.4/include/linux/fs_struct.h 2010-09-17 20:12:09.000000000 -0400
44466 #include <linux/path.h>
44474 diff -urNp linux-2.6.35.4/include/linux/genhd.h linux-2.6.35.4/include/linux/genhd.h
44475 --- linux-2.6.35.4/include/linux/genhd.h 2010-08-26 19:47:12.000000000 -0400
44476 +++ linux-2.6.35.4/include/linux/genhd.h 2010-09-17 20:12:09.000000000 -0400
44477 @@ -162,7 +162,7 @@ struct gendisk {
44479 struct timer_rand_state *random;
44481 - atomic_t sync_io; /* RAID */
44482 + atomic_unchecked_t sync_io; /* RAID */
44483 struct work_struct async_notify;
44484 #ifdef CONFIG_BLK_DEV_INTEGRITY
44485 struct blk_integrity *integrity;
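Review bot: Switching `sync_io` to `atomic_unchecked_t` opts the counter out of overflow checking, going by the type name, yet the only comment on the field is still `/* RAID */`. The reason the exemption is safe belongs on the line, because the next reader cannot tell an intentional opt-out from a workaround for a false positive. If the field is a pure I/O statistic that never guards an object's lifetime (my reading of the name, to be confirmed against its users), say so: `atomic_unchecked_t sync_io; /* RAID; statistic, not a refcount: wraparound is harmless */`.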
44486 diff -urNp linux-2.6.35.4/include/linux/gracl.h linux-2.6.35.4/include/linux/gracl.h
44487 --- linux-2.6.35.4/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
44488 +++ linux-2.6.35.4/include/linux/gracl.h 2010-09-17 20:12:37.000000000 -0400
44493 +#include <linux/grdefs.h>
44494 +#include <linux/resource.h>
44495 +#include <linux/capability.h>
44496 +#include <linux/dcache.h>
44497 +#include <asm/resource.h>
44499 +/* Major status information */
44501 +#define GR_VERSION "grsecurity 2.2.0"
44502 +#define GRSECURITY_VERSION 0x2200
44513 + GR_SPROLEPAM = 8,
44516 +/* Password setup definitions
44517 + * kernel/grhash.c */
44520 + GR_SALT_LEN = 16,
44525 + GR_SPROLE_LEN = 64,
44528 +#define GR_NLIMITS 32
44530 +/* Begin Data Structures */
44532 +struct sprole_pw {
44533 + unsigned char *rolename;
44534 + unsigned char salt[GR_SALT_LEN];
44535 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
44538 +struct name_entry {
44545 + struct name_entry *prev;
44546 + struct name_entry *next;
44549 +struct inodev_entry {
44550 + struct name_entry *nentry;
44551 + struct inodev_entry *prev;
44552 + struct inodev_entry *next;
44555 +struct acl_role_db {
44556 + struct acl_role_label **r_hash;
44560 +struct inodev_db {
44561 + struct inodev_entry **i_hash;
44566 + struct name_entry **n_hash;
44570 +struct crash_uid {
44572 + unsigned long expires;
44575 +struct gr_hash_struct {
44577 + void **nametable;
44579 + __u32 table_size;
44584 +/* Userspace Grsecurity ACL data structures */
44586 +struct acl_subject_label {
44591 + kernel_cap_t cap_mask;
44592 + kernel_cap_t cap_lower;
44593 + kernel_cap_t cap_invert_audit;
44595 + struct rlimit res[GR_NLIMITS];
44598 + __u8 user_trans_type;
44599 + __u8 group_trans_type;
44600 + uid_t *user_transitions;
44601 + gid_t *group_transitions;
44602 + __u16 user_trans_num;
44603 + __u16 group_trans_num;
44605 + __u32 ip_proto[8];
44607 + struct acl_ip_label **ips;
44609 + __u32 inaddr_any_override;
44612 + unsigned long expires;
44614 + struct acl_subject_label *parent_subject;
44615 + struct gr_hash_struct *hash;
44616 + struct acl_subject_label *prev;
44617 + struct acl_subject_label *next;
44619 + struct acl_object_label **obj_hash;
44620 + __u32 obj_hash_size;
44624 +struct role_allowed_ip {
44628 + struct role_allowed_ip *prev;
44629 + struct role_allowed_ip *next;
44632 +struct role_transition {
44635 + struct role_transition *prev;
44636 + struct role_transition *next;
44639 +struct acl_role_label {
44644 + __u16 auth_attempts;
44645 + unsigned long expires;
44647 + struct acl_subject_label *root_label;
44648 + struct gr_hash_struct *hash;
44650 + struct acl_role_label *prev;
44651 + struct acl_role_label *next;
44653 + struct role_transition *transitions;
44654 + struct role_allowed_ip *allowed_ips;
44655 + uid_t *domain_children;
44656 + __u16 domain_child_num;
44658 + struct acl_subject_label **subj_hash;
44659 + __u32 subj_hash_size;
44662 +struct user_acl_role_db {
44663 + struct acl_role_label **r_table;
44664 + __u32 num_pointers; /* Number of allocations to track */
44665 + __u32 num_roles; /* Number of roles */
44666 + __u32 num_domain_children; /* Number of domain children */
44667 + __u32 num_subjects; /* Number of subjects */
44668 + __u32 num_objects; /* Number of objects */
44671 +struct acl_object_label {
44677 + struct acl_subject_label *nested;
44678 + struct acl_object_label *globbed;
44680 + /* next two structures not used */
44682 + struct acl_object_label *prev;
44683 + struct acl_object_label *next;
44686 +struct acl_ip_label {
44695 + /* next two structures not used */
44697 + struct acl_ip_label *prev;
44698 + struct acl_ip_label *next;
44702 + struct user_acl_role_db role_db;
44703 + unsigned char pw[GR_PW_LEN];
44704 + unsigned char salt[GR_SALT_LEN];
44705 + unsigned char sum[GR_SHA_LEN];
44706 + unsigned char sp_role[GR_SPROLE_LEN];
44707 + struct sprole_pw *sprole_pws;
44708 + dev_t segv_device;
44709 + ino_t segv_inode;
44711 + __u16 num_sprole_pws;
44715 +struct gr_arg_wrapper {
44716 + struct gr_arg *arg;
44721 +struct subject_map {
44722 + struct acl_subject_label *user;
44723 + struct acl_subject_label *kernel;
44724 + struct subject_map *prev;
44725 + struct subject_map *next;
44728 +struct acl_subj_map_db {
44729 + struct subject_map **s_hash;
44733 +/* End Data Structures Section */
44735 +/* Hash functions generated by empirical testing by Brad Spengler
44736 + Makes good use of the low bits of the inode. Generally 0-1 times
44737 + in loop for successful match. 0-3 for unsuccessful match.
44738 + Shift/add algorithm with modulus of table size and an XOR*/
44740 +static __inline__ unsigned int
44741 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
44743 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
44746 + static __inline__ unsigned int
44747 +shash(const struct acl_subject_label *userp, const unsigned int sz)
44749 + return ((const unsigned long)userp % sz);
44752 +static __inline__ unsigned int
44753 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
44755 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
44758 +static __inline__ unsigned int
44759 +nhash(const char *name, const __u16 len, const unsigned int sz)
44761 + return full_name_hash((const unsigned char *)name, len) % sz;
44764 +#define FOR_EACH_ROLE_START(role) \
44765 + role = role_list; \
44768 +#define FOR_EACH_ROLE_END(role) \
44769 + role = role->prev; \
44772 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
44775 + while (iter < role->subj_hash_size) { \
44776 + if (subj == NULL) \
44777 + subj = role->subj_hash[iter]; \
44778 + if (subj == NULL) { \
44783 +#define FOR_EACH_SUBJECT_END(subj,iter) \
44784 + subj = subj->next; \
44785 + if (subj == NULL) \
44790 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
44791 + subj = role->hash->first; \
44792 + while (subj != NULL) {
44794 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
44795 + subj = subj->next; \
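Review bot: In `rhash()` the shift count `16 + type` reaches the operand width as soon as `type` is 16 or more, which is undefined behaviour where `uid + type` is 32 bits wide; `GR_ROLE_AUTH` (0x0010) in grdefs.h is already such a value. The callers are outside this hunk and may only ever pass `GR_ROLE_USER` or `GR_ROLE_GROUP`, but nothing in the function enforces or documents that. All four hash helpers also compute `% sz` with no guard against a zero table size. I would either mask the count, `return ((((uid + type) << (16 + (type & 15))) ^ uid) % sz);`, which leaves the result unchanged for types 1 and 2, or state both preconditions in the comment above the functions.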
44800 diff -urNp linux-2.6.35.4/include/linux/gralloc.h linux-2.6.35.4/include/linux/gralloc.h
44801 --- linux-2.6.35.4/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
44802 +++ linux-2.6.35.4/include/linux/gralloc.h 2010-09-17 20:12:37.000000000 -0400
44804 +#ifndef __GRALLOC_H
44805 +#define __GRALLOC_H
44807 +void acl_free_all(void);
44808 +int acl_alloc_stack_init(unsigned long size);
44809 +void *acl_alloc(unsigned long len);
44810 +void *acl_alloc_num(unsigned long num, unsigned long len);
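Review bot: `acl_alloc_num(unsigned long num, unsigned long len)` takes a count and an element size, and the declaration does not say what happens when `num * len` overflows. The definition is outside this hunk, so this may already be handled. The contract still belongs in the header, because the sizes presumably come from policy data supplied by userspace. I would add a comment such as `/* returns NULL if num * len overflows or the allocation cannot be tracked */`, worded to match the implementation once confirmed.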
44813 diff -urNp linux-2.6.35.4/include/linux/grdefs.h linux-2.6.35.4/include/linux/grdefs.h
44814 --- linux-2.6.35.4/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
44815 +++ linux-2.6.35.4/include/linux/grdefs.h 2010-09-17 20:12:37.000000000 -0400
44820 +/* Begin grsecurity status declarations */
44824 + GR_STATUS_INIT = 0x00 // disabled state
44827 +/* Begin ACL declarations */
44832 + GR_ROLE_USER = 0x0001,
44833 + GR_ROLE_GROUP = 0x0002,
44834 + GR_ROLE_DEFAULT = 0x0004,
44835 + GR_ROLE_SPECIAL = 0x0008,
44836 + GR_ROLE_AUTH = 0x0010,
44837 + GR_ROLE_NOPW = 0x0020,
44838 + GR_ROLE_GOD = 0x0040,
44839 + GR_ROLE_LEARN = 0x0080,
44840 + GR_ROLE_TPE = 0x0100,
44841 + GR_ROLE_DOMAIN = 0x0200,
44842 + GR_ROLE_PAM = 0x0400
44845 +/* ACL Subject and Object mode flags */
44847 + GR_DELETED = 0x80000000
44850 +/* ACL Object-only mode flags */
44852 + GR_READ = 0x00000001,
44853 + GR_APPEND = 0x00000002,
44854 + GR_WRITE = 0x00000004,
44855 + GR_EXEC = 0x00000008,
44856 + GR_FIND = 0x00000010,
44857 + GR_INHERIT = 0x00000020,
44858 + GR_SETID = 0x00000040,
44859 + GR_CREATE = 0x00000080,
44860 + GR_DELETE = 0x00000100,
44861 + GR_LINK = 0x00000200,
44862 + GR_AUDIT_READ = 0x00000400,
44863 + GR_AUDIT_APPEND = 0x00000800,
44864 + GR_AUDIT_WRITE = 0x00001000,
44865 + GR_AUDIT_EXEC = 0x00002000,
44866 + GR_AUDIT_FIND = 0x00004000,
44867 + GR_AUDIT_INHERIT= 0x00008000,
44868 + GR_AUDIT_SETID = 0x00010000,
44869 + GR_AUDIT_CREATE = 0x00020000,
44870 + GR_AUDIT_DELETE = 0x00040000,
44871 + GR_AUDIT_LINK = 0x00080000,
44872 + GR_PTRACERD = 0x00100000,
44873 + GR_NOPTRACE = 0x00200000,
44874 + GR_SUPPRESS = 0x00400000,
44875 + GR_NOLEARN = 0x00800000
44878 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
44879 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
44880 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
44882 +/* ACL subject-only mode flags */
44884 + GR_KILL = 0x00000001,
44885 + GR_VIEW = 0x00000002,
44886 + GR_PROTECTED = 0x00000004,
44887 + GR_LEARN = 0x00000008,
44888 + GR_OVERRIDE = 0x00000010,
44889 + /* just a placeholder, this mode is only used in userspace */
44890 + GR_DUMMY = 0x00000020,
44891 + GR_PROTSHM = 0x00000040,
44892 + GR_KILLPROC = 0x00000080,
44893 + GR_KILLIPPROC = 0x00000100,
44894 + /* just a placeholder, this mode is only used in userspace */
44895 + GR_NOTROJAN = 0x00000200,
44896 + GR_PROTPROCFD = 0x00000400,
44897 + GR_PROCACCT = 0x00000800,
44898 + GR_RELAXPTRACE = 0x00001000,
44899 + GR_NESTED = 0x00002000,
44900 + GR_INHERITLEARN = 0x00004000,
44901 + GR_PROCFIND = 0x00008000,
44902 + GR_POVERRIDE = 0x00010000,
44903 + GR_KERNELAUTH = 0x00020000,
44907 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
44908 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
44909 + GR_PAX_ENABLE_MPROTECT = 0x0004,
44910 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
44911 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
44912 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
44913 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
44914 + GR_PAX_DISABLE_MPROTECT = 0x0400,
44915 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
44916 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
44920 + GR_ID_USER = 0x01,
44921 + GR_ID_GROUP = 0x02,
44925 + GR_ID_ALLOW = 0x01,
44926 + GR_ID_DENY = 0x02,
44929 +#define GR_CRASH_RES 31
44930 +#define GR_UIDTABLE_MAX 500
44932 +/* begin resource learning section */
44934 + GR_RLIM_CPU_BUMP = 60,
44935 + GR_RLIM_FSIZE_BUMP = 50000,
44936 + GR_RLIM_DATA_BUMP = 10000,
44937 + GR_RLIM_STACK_BUMP = 1000,
44938 + GR_RLIM_CORE_BUMP = 10000,
44939 + GR_RLIM_RSS_BUMP = 500000,
44940 + GR_RLIM_NPROC_BUMP = 1,
44941 + GR_RLIM_NOFILE_BUMP = 5,
44942 + GR_RLIM_MEMLOCK_BUMP = 50000,
44943 + GR_RLIM_AS_BUMP = 500000,
44944 + GR_RLIM_LOCKS_BUMP = 2,
44945 + GR_RLIM_SIGPENDING_BUMP = 5,
44946 + GR_RLIM_MSGQUEUE_BUMP = 10000,
44947 + GR_RLIM_NICE_BUMP = 1,
44948 + GR_RLIM_RTPRIO_BUMP = 1,
44949 + GR_RLIM_RTTIME_BUMP = 1000000
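Review bot: `GR_DELETED = 0x80000000` is an enumerator whose value does not fit in `int`, which ISO C before C23 does not permit; GCC accepts it as an extension and gives that enum an unsigned type. Code that keeps these mode flags in `__u32` works either way, but expressions that mix this enumerator with signed values can behave differently from the other constants in the file. I would define it outside the enum with an explicit type, `#define GR_DELETED 0x80000000U`.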
44953 diff -urNp linux-2.6.35.4/include/linux/grinternal.h linux-2.6.35.4/include/linux/grinternal.h
44954 --- linux-2.6.35.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
44955 +++ linux-2.6.35.4/include/linux/grinternal.h 2010-09-17 20:12:37.000000000 -0400
44957 +#ifndef __GRINTERNAL_H
44958 +#define __GRINTERNAL_H
44960 +#ifdef CONFIG_GRKERNSEC
44962 +#include <linux/fs.h>
44963 +#include <linux/mnt_namespace.h>
44964 +#include <linux/nsproxy.h>
44965 +#include <linux/gracl.h>
44966 +#include <linux/grdefs.h>
44967 +#include <linux/grmsg.h>
44969 +void gr_add_learn_entry(const char *fmt, ...)
44970 + __attribute__ ((format (printf, 1, 2)));
44971 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
44972 + const struct vfsmount *mnt);
44973 +__u32 gr_check_create(const struct dentry *new_dentry,
44974 + const struct dentry *parent,
44975 + const struct vfsmount *mnt, const __u32 mode);
44976 +int gr_check_protected_task(const struct task_struct *task);
44977 +__u32 to_gr_audit(const __u32 reqmode);
44978 +int gr_set_acls(const int type);
44980 +int gr_acl_is_enabled(void);
44981 +char gr_roletype_to_char(void);
44983 +void gr_handle_alertkill(struct task_struct *task);
44984 +char *gr_to_filename(const struct dentry *dentry,
44985 + const struct vfsmount *mnt);
44986 +char *gr_to_filename1(const struct dentry *dentry,
44987 + const struct vfsmount *mnt);
44988 +char *gr_to_filename2(const struct dentry *dentry,
44989 + const struct vfsmount *mnt);
44990 +char *gr_to_filename3(const struct dentry *dentry,
44991 + const struct vfsmount *mnt);
44993 +extern int grsec_enable_harden_ptrace;
44994 +extern int grsec_enable_link;
44995 +extern int grsec_enable_fifo;
44996 +extern int grsec_enable_execve;
44997 +extern int grsec_enable_shm;
44998 +extern int grsec_enable_execlog;
44999 +extern int grsec_enable_signal;
45000 +extern int grsec_enable_audit_ptrace;
45001 +extern int grsec_enable_forkfail;
45002 +extern int grsec_enable_time;
45003 +extern int grsec_enable_rofs;
45004 +extern int grsec_enable_chroot_shmat;
45005 +extern int grsec_enable_chroot_findtask;
45006 +extern int grsec_enable_chroot_mount;
45007 +extern int grsec_enable_chroot_double;
45008 +extern int grsec_enable_chroot_pivot;
45009 +extern int grsec_enable_chroot_chdir;
45010 +extern int grsec_enable_chroot_chmod;
45011 +extern int grsec_enable_chroot_mknod;
45012 +extern int grsec_enable_chroot_fchdir;
45013 +extern int grsec_enable_chroot_nice;
45014 +extern int grsec_enable_chroot_execlog;
45015 +extern int grsec_enable_chroot_caps;
45016 +extern int grsec_enable_chroot_sysctl;
45017 +extern int grsec_enable_chroot_unix;
45018 +extern int grsec_enable_tpe;
45019 +extern int grsec_tpe_gid;
45020 +extern int grsec_enable_tpe_all;
45021 +extern int grsec_enable_tpe_invert;
45022 +extern int grsec_enable_socket_all;
45023 +extern int grsec_socket_all_gid;
45024 +extern int grsec_enable_socket_client;
45025 +extern int grsec_socket_client_gid;
45026 +extern int grsec_enable_socket_server;
45027 +extern int grsec_socket_server_gid;
45028 +extern int grsec_audit_gid;
45029 +extern int grsec_enable_group;
45030 +extern int grsec_enable_audit_textrel;
45031 +extern int grsec_enable_mount;
45032 +extern int grsec_enable_chdir;
45033 +extern int grsec_resource_logging;
45034 +extern int grsec_enable_blackhole;
45035 +extern int grsec_lastack_retries;
45036 +extern int grsec_lock;
45038 +extern spinlock_t grsec_alert_lock;
45039 +extern unsigned long grsec_alert_wtime;
45040 +extern unsigned long grsec_alert_fyet;
45042 +extern spinlock_t grsec_audit_lock;
45044 +extern rwlock_t grsec_exec_file_lock;
45046 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
45047 + gr_to_filename2(tsk->exec_file->f_path.dentry, \
45048 + tsk->exec_file->f_vfsmnt) : "/")
45050 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
45051 + gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
45052 + tsk->parent->exec_file->f_vfsmnt) : "/")
45054 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
45055 + gr_to_filename(tsk->exec_file->f_path.dentry, \
45056 + tsk->exec_file->f_vfsmnt) : "/")
45058 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
45059 + gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
45060 + tsk->parent->exec_file->f_vfsmnt) : "/")
45062 +#define proc_is_chrooted(tsk_a) (tsk_a->gr_is_chrooted)
45064 +#define have_same_root(tsk_a,tsk_b) (tsk_a->gr_chroot_dentry == tsk_b->gr_chroot_dentry)
45066 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
45067 + task->pid, cred->uid, \
45068 + cred->euid, cred->gid, cred->egid, \
45069 + gr_parent_task_fullpath(task), \
45070 + task->parent->comm, task->parent->pid, \
45071 + pcred->uid, pcred->euid, \
45072 + pcred->gid, pcred->egid
45074 +#define GR_CHROOT_CAPS {{ \
45075 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
45076 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
45077 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
45078 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
45079 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
45080 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
45082 +#define security_learn(normal_msg,args...) \
45084 + read_lock(&grsec_exec_file_lock); \
45085 + gr_add_learn_entry(normal_msg "\n", ## args); \
45086 + read_unlock(&grsec_exec_file_lock); \
45092 + GR_DONT_AUDIT_GOOD
45103 + GR_SYSCTL_HIDDEN,
45106 + GR_ONE_INT_TWO_STR,
45111 + GR_FIVE_INT_TWO_STR,
45117 + GR_FILENAME_TWO_INT,
45118 + GR_FILENAME_TWO_INT_STR,
45130 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
45131 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
45132 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
45133 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
45134 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
45135 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
45136 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
45137 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
45138 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
45139 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
45140 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
45141 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
45142 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
45143 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
45144 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
45145 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
45146 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
45147 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
45148 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
45149 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
45150 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
45151 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
45152 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
45153 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
45154 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
45155 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
45156 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
45157 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
45158 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
45159 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
45160 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
45161 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
45163 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
45168 diff -urNp linux-2.6.35.4/include/linux/grmsg.h linux-2.6.35.4/include/linux/grmsg.h
45169 --- linux-2.6.35.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
45170 +++ linux-2.6.35.4/include/linux/grmsg.h 2010-09-17 20:12:37.000000000 -0400
45172 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
45173 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
45174 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
45175 +#define GR_STOPMOD_MSG "denied modification of module state by "
45176 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
45177 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
45178 +#define GR_IOPERM_MSG "denied use of ioperm() by "
45179 +#define GR_IOPL_MSG "denied use of iopl() by "
45180 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
45181 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
45182 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
45183 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
45184 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
45185 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
45186 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
45187 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
45188 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
45189 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
45190 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
45191 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
45192 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
45193 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
45194 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
45195 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
45196 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
45197 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
45198 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
45199 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
45200 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
45201 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
45202 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
45203 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
45204 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
45205 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
45206 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
45207 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
45208 +#define GR_NPROC_MSG "denied overstep of process limit by "
45209 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
45210 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
45211 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
45212 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
45213 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
45214 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
45215 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
45216 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
45217 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
45218 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
45219 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
45220 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
45221 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
45222 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
45223 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
45224 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
45225 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
45226 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
45227 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
45228 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
45229 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
45230 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
45231 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
45232 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
45233 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
45234 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
45235 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
45236 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
45237 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
45238 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
45239 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
45240 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
45241 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
45242 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
45243 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
45244 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
45245 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
45246 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
45247 +#define GR_FAILFORK_MSG "failed fork with errno %d by "
45248 +#define GR_NICE_CHROOT_MSG "denied priority change by "
45249 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
45250 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
45251 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
45252 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
45253 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
45254 +#define GR_TIME_MSG "time set by "
45255 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
45256 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
45257 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
45258 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
45259 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
45260 +#define GR_BIND_MSG "denied bind() by "
45261 +#define GR_CONNECT_MSG "denied connect() by "
45262 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
45263 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
45264 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
45265 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
45266 +#define GR_CAP_ACL_MSG "use of %s denied for "
45267 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
45268 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
45269 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
45270 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
45271 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
45272 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
45273 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
45274 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
45275 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
45276 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
45277 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
45278 +#define GR_VM86_MSG "denied use of vm86 by "
45279 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
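Review bot: `GR_TEXTREL_AUDIT_MSG` prints its file name with an unbounded `%s`, while the other messages that print a path cap the field (`%.950s`, `%.480s`, `%.256s`, `%.4095s`). If the logger formats into a fixed-size buffer, as those caps suggest, an over-long name could truncate the trailing `by ` subject information that identifies the acting task, so I would write `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. A comment at the top of the file stating the buffer size these precisions are budgeted against would let a reviewer check new messages; that size is not visible in this header. Separately, `GR_DEV_ACL_MSG` reads "being fed garbaged by", which looks like a typo for "garbage".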
45280 diff -urNp linux-2.6.35.4/include/linux/grsecurity.h linux-2.6.35.4/include/linux/grsecurity.h
45281 --- linux-2.6.35.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
45282 +++ linux-2.6.35.4/include/linux/grsecurity.h 2010-09-17 20:12:37.000000000 -0400
45284 +#ifndef GR_SECURITY_H
45285 +#define GR_SECURITY_H
45286 +#include <linux/fs.h>
45287 +#include <linux/fs_struct.h>
45288 +#include <linux/binfmts.h>
45289 +#include <linux/gracl.h>
45291 +/* notify of brain-dead configs */
45292 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
45293 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
45295 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45296 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45298 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45299 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45301 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
45302 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
45304 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
45305 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
45308 +void gr_handle_brute_attach(struct task_struct *p);
45309 +void gr_handle_brute_check(void);
45311 +char gr_roletype_to_char(void);
45313 +int gr_check_user_change(int real, int effective, int fs);
45314 +int gr_check_group_change(int real, int effective, int fs);
45316 +void gr_del_task_from_ip_table(struct task_struct *p);
45318 +int gr_pid_is_chrooted(struct task_struct *p);
45319 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
45320 +int gr_handle_chroot_nice(void);
45321 +int gr_handle_chroot_sysctl(const int op);
45322 +int gr_handle_chroot_setpriority(struct task_struct *p,
45323 + const int niceval);
45324 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
45325 +int gr_handle_chroot_chroot(const struct dentry *dentry,
45326 + const struct vfsmount *mnt);
45327 +int gr_handle_chroot_caps(struct path *path);
45328 +void gr_handle_chroot_chdir(struct path *path);
45329 +int gr_handle_chroot_chmod(const struct dentry *dentry,
45330 + const struct vfsmount *mnt, const int mode);
45331 +int gr_handle_chroot_mknod(const struct dentry *dentry,
45332 + const struct vfsmount *mnt, const int mode);
45333 +int gr_handle_chroot_mount(const struct dentry *dentry,
45334 + const struct vfsmount *mnt,
45335 + const char *dev_name);
45336 +int gr_handle_chroot_pivot(void);
45337 +int gr_handle_chroot_unix(const pid_t pid);
45339 +int gr_handle_rawio(const struct inode *inode);
45340 +int gr_handle_nproc(void);
45342 +void gr_handle_ioperm(void);
45343 +void gr_handle_iopl(void);
45345 +int gr_tpe_allow(const struct file *file);
45347 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
45348 +void gr_clear_chroot_entries(struct task_struct *task);
45350 +void gr_log_forkfail(const int retval);
45351 +void gr_log_timechange(void);
45352 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
45353 +void gr_log_chdir(const struct dentry *dentry,
45354 + const struct vfsmount *mnt);
45355 +void gr_log_chroot_exec(const struct dentry *dentry,
45356 + const struct vfsmount *mnt);
45357 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
45358 +void gr_log_remount(const char *devname, const int retval);
45359 +void gr_log_unmount(const char *devname, const int retval);
45360 +void gr_log_mount(const char *from, const char *to, const int retval);
45361 +void gr_log_textrel(struct vm_area_struct *vma);
45363 +int gr_handle_follow_link(const struct inode *parent,
45364 + const struct inode *inode,
45365 + const struct dentry *dentry,
45366 + const struct vfsmount *mnt);
45367 +int gr_handle_fifo(const struct dentry *dentry,
45368 + const struct vfsmount *mnt,
45369 + const struct dentry *dir, const int flag,
45370 + const int acc_mode);
45371 +int gr_handle_hardlink(const struct dentry *dentry,
45372 + const struct vfsmount *mnt,
45373 + struct inode *inode,
45374 + const int mode, const char *to);
45376 +int gr_is_capable(const int cap);
45377 +int gr_is_capable_nolog(const int cap);
45378 +void gr_learn_resource(const struct task_struct *task, const int limit,
45379 + const unsigned long wanted, const int gt);
45380 +void gr_copy_label(struct task_struct *tsk);
45381 +void gr_handle_crash(struct task_struct *task, const int sig);
45382 +int gr_handle_signal(const struct task_struct *p, const int sig);
45383 +int gr_check_crash_uid(const uid_t uid);
45384 +int gr_check_protected_task(const struct task_struct *task);
45385 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
45386 +int gr_acl_handle_mmap(const struct file *file,
45387 + const unsigned long prot);
45388 +int gr_acl_handle_mprotect(const struct file *file,
45389 + const unsigned long prot);
45390 +int gr_check_hidden_task(const struct task_struct *tsk);
45391 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
45392 + const struct vfsmount *mnt);
45393 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
45394 + const struct vfsmount *mnt);
45395 +__u32 gr_acl_handle_access(const struct dentry *dentry,
45396 + const struct vfsmount *mnt, const int fmode);
45397 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
45398 + const struct vfsmount *mnt, mode_t mode);
45399 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
45400 + const struct vfsmount *mnt, mode_t mode);
45401 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
45402 + const struct vfsmount *mnt);
45403 +int gr_handle_ptrace(struct task_struct *task, const long request);
45404 +int gr_handle_proc_ptrace(struct task_struct *task);
45405 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
45406 + const struct vfsmount *mnt);
45407 +int gr_check_crash_exec(const struct file *filp);
45408 +int gr_acl_is_enabled(void);
45409 +void gr_set_kernel_label(struct task_struct *task);
45410 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
45411 + const gid_t gid);
45412 +int gr_set_proc_label(const struct dentry *dentry,
45413 + const struct vfsmount *mnt,
45414 + const int unsafe_share);
45415 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
45416 + const struct vfsmount *mnt);
45417 +__u32 gr_acl_handle_open(const struct dentry *dentry,
45418 + const struct vfsmount *mnt, const int fmode);
45419 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
45420 + const struct dentry *p_dentry,
45421 + const struct vfsmount *p_mnt, const int fmode,
45422 + const int imode);
45423 +void gr_handle_create(const struct dentry *dentry,
45424 + const struct vfsmount *mnt);
45425 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
45426 + const struct dentry *parent_dentry,
45427 + const struct vfsmount *parent_mnt,
45429 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
45430 + const struct dentry *parent_dentry,
45431 + const struct vfsmount *parent_mnt);
45432 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
45433 + const struct vfsmount *mnt);
45434 +void gr_handle_delete(const ino_t ino, const dev_t dev);
45435 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
45436 + const struct vfsmount *mnt);
45437 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
45438 + const struct dentry *parent_dentry,
45439 + const struct vfsmount *parent_mnt,
45440 + const char *from);
45441 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
45442 + const struct dentry *parent_dentry,
45443 + const struct vfsmount *parent_mnt,
45444 + const struct dentry *old_dentry,
45445 + const struct vfsmount *old_mnt, const char *to);
45446 +int gr_acl_handle_rename(struct dentry *new_dentry,
45447 + struct dentry *parent_dentry,
45448 + const struct vfsmount *parent_mnt,
45449 + struct dentry *old_dentry,
45450 + struct inode *old_parent_inode,
45451 + struct vfsmount *old_mnt, const char *newname);
45452 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
45453 + struct dentry *old_dentry,
45454 + struct dentry *new_dentry,
45455 + struct vfsmount *mnt, const __u8 replace);
45456 +__u32 gr_check_link(const struct dentry *new_dentry,
45457 + const struct dentry *parent_dentry,
45458 + const struct vfsmount *parent_mnt,
45459 + const struct dentry *old_dentry,
45460 + const struct vfsmount *old_mnt);
45461 +int gr_acl_handle_filldir(const struct file *file, const char *name,
45462 + const unsigned int namelen, const ino_t ino);
45464 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
45465 + const struct vfsmount *mnt);
45466 +void gr_acl_handle_exit(void);
45467 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
45468 +int gr_acl_handle_procpidmem(const struct task_struct *task);
45469 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
45470 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
45471 +void gr_audit_ptrace(struct task_struct *task);
45473 +#ifdef CONFIG_GRKERNSEC
45474 +void gr_log_nonroot_mod_load(const char *modname);
45475 +void gr_handle_vm86(void);
45476 +void gr_handle_mem_write(void);
45477 +void gr_handle_kmem_write(void);
45478 +void gr_handle_open_port(void);
45479 +int gr_handle_mem_mmap(const unsigned long offset,
45480 + struct vm_area_struct *vma);
45482 +extern int grsec_enable_dmesg;
45483 +extern int grsec_disable_privio;
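Review bot: None of the hook prototypes in this header states its return convention, and two are in use: `int` for most hooks and `__u32` for many of the `gr_acl_handle_*` ones, while `gr_acl_handle_rename()` and `gr_acl_handle_mmap()` return `int` despite the shared prefix. A call site that reads one convention as the other could fail open, so I would add a comment above each group, such as `/* returns nonzero when the operation must be denied */` and `/* returns the granted subset of the requested access bits; 0 means deny */`, after confirming both against the implementations, which are not in this hunk. `gr_check_user_change()` and `gr_check_group_change()` also take ids as `int` where `gr_check_crash_uid()` takes `uid_t`; if `-1` is meant as the "unchanged" sentinel, a comment should say so.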
45487 diff -urNp linux-2.6.35.4/include/linux/grsock.h linux-2.6.35.4/include/linux/grsock.h
45488 --- linux-2.6.35.4/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
45489 +++ linux-2.6.35.4/include/linux/grsock.h 2010-09-17 20:12:37.000000000 -0400
45491 +#ifndef __GRSOCK_H
45492 +#define __GRSOCK_H
45494 +extern void gr_attach_curr_ip(const struct sock *sk);
45495 +extern int gr_handle_sock_all(const int family, const int type,
45496 + const int protocol);
45497 +extern int gr_handle_sock_server(const struct sockaddr *sck);
45498 +extern int gr_handle_sock_server_other(const struct sock *sck);
45499 +extern int gr_handle_sock_client(const struct sockaddr *sck);
45500 +extern int gr_search_connect(struct socket * sock,
45501 + struct sockaddr_in * addr);
45502 +extern int gr_search_bind(struct socket * sock,
45503 + struct sockaddr_in * addr);
45504 +extern int gr_search_listen(struct socket * sock);
45505 +extern int gr_search_accept(struct socket * sock);
45506 +extern int gr_search_socket(const int domain, const int type,
45507 + const int protocol);
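Review bot: `gr_search_connect()` and `gr_search_bind()` take `struct sockaddr_in *`, so as declared here the bind/connect policy checks are typed for IPv4 only, and this header does not show how an `AF_INET6` or other-family socket is treated. A comment stating what happens for non-IPv4 addresses (allowed, denied, or hook not called) would make the coverage explicit to anyone auditing the policy. Both address parameters could also be declared `const struct sockaddr_in *addr` to match the `const` pointers taken by `gr_handle_sock_server()` and `gr_handle_sock_client()`, assuming the implementations do not write through them.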
45510 diff -urNp linux-2.6.35.4/include/linux/highmem.h linux-2.6.35.4/include/linux/highmem.h
45511 --- linux-2.6.35.4/include/linux/highmem.h 2010-08-26 19:47:12.000000000 -0400
45512 +++ linux-2.6.35.4/include/linux/highmem.h 2010-09-17 20:12:09.000000000 -0400
45513 @@ -143,6 +143,18 @@ static inline void clear_highpage(struct
45514 kunmap_atomic(kaddr, KM_USER0);
45517 +static inline void sanitize_highpage(struct page *page)
45520 + unsigned long flags;
45522 + local_irq_save(flags);
45523 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
45524 + clear_page(kaddr);
45525 + kunmap_atomic(kaddr, KM_CLEARPAGE);
45526 + local_irq_restore(flags);
45529 static inline void zero_user_segments(struct page *page,
45530 unsigned start1, unsigned end1,
45531 unsigned start2, unsigned end2)
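Review bot: `sanitize_highpage()` wraps its `kmap_atomic()`/`clear_page()` pair in `local_irq_save()`/`local_irq_restore()`, which the `clear_highpage()` tail visible just above (using `KM_USER0`) does not, and nothing in the hunk says why. A one-line comment would keep a later cleanup from dropping the interrupt protection, for example `/* IRQs off: the KM_CLEARPAGE slot must not be reused by an interrupt while mapped */`, if that is indeed the reason. A short header comment naming the callers and when the page is sanitized would also help, since neither is visible here.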
45532 diff -urNp linux-2.6.35.4/include/linux/interrupt.h linux-2.6.35.4/include/linux/interrupt.h
45533 --- linux-2.6.35.4/include/linux/interrupt.h 2010-08-26 19:47:12.000000000 -0400
45534 +++ linux-2.6.35.4/include/linux/interrupt.h 2010-09-17 20:12:09.000000000 -0400
45535 @@ -392,7 +392,7 @@ enum
45536 /* map softirq index to softirq name. update 'softirq_to_name' in
45537 * kernel/softirq.c when adding a new softirq.
45539 -extern char *softirq_to_name[NR_SOFTIRQS];
45540 +extern const char * const softirq_to_name[NR_SOFTIRQS];
45542 /* softirq mask and active fields moved to irq_cpustat_t in
45543 * asm/hardirq.h to get better cache usage. KAO
45544 @@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
45546 struct softirq_action
45548 - void (*action)(struct softirq_action *);
45549 + void (*action)(void);
45552 asmlinkage void do_softirq(void);
45553 asmlinkage void __do_softirq(void);
45554 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
45555 +extern void open_softirq(int nr, void (*action)(void));
45556 extern void softirq_init(void);
45557 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
45558 extern void raise_softirq_irqoff(unsigned int nr);
45559 diff -urNp linux-2.6.35.4/include/linux/jbd2.h linux-2.6.35.4/include/linux/jbd2.h
45560 --- linux-2.6.35.4/include/linux/jbd2.h 2010-08-26 19:47:12.000000000 -0400
45561 +++ linux-2.6.35.4/include/linux/jbd2.h 2010-09-17 20:12:09.000000000 -0400
45562 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
45566 -#define jbd_debug(f, a...) /**/
45567 +#define jbd_debug(f, a...) do {} while (0)
45570 extern void *jbd2_alloc(size_t size, gfp_t flags);
45571 diff -urNp linux-2.6.35.4/include/linux/jbd.h linux-2.6.35.4/include/linux/jbd.h
45572 --- linux-2.6.35.4/include/linux/jbd.h 2010-08-26 19:47:12.000000000 -0400
45573 +++ linux-2.6.35.4/include/linux/jbd.h 2010-09-17 20:12:09.000000000 -0400
45574 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
45578 -#define jbd_debug(f, a...) /**/
45579 +#define jbd_debug(f, a...) do {} while (0)
45582 static inline void *jbd_alloc(size_t size, gfp_t flags)
45583 diff -urNp linux-2.6.35.4/include/linux/kallsyms.h linux-2.6.35.4/include/linux/kallsyms.h
45584 --- linux-2.6.35.4/include/linux/kallsyms.h 2010-08-26 19:47:12.000000000 -0400
45585 +++ linux-2.6.35.4/include/linux/kallsyms.h 2010-09-17 20:12:37.000000000 -0400
45590 -#ifdef CONFIG_KALLSYMS
45591 +#ifndef __INCLUDED_BY_HIDESYM
45592 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45593 /* Lookup the address for a symbol. Returns 0 if not found. */
45594 unsigned long kallsyms_lookup_name(const char *name);
45596 @@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
45597 /* Stupid that this does nothing, but I didn't create this mess. */
45598 #define __print_symbol(fmt, addr)
45599 #endif /*CONFIG_KALLSYMS*/
45600 +#else /* when included by kallsyms.c, with HIDESYM enabled */
45601 +extern void __print_symbol(const char *fmt, unsigned long address);
45604 /* This macro allows us to keep printk typechecking */
45605 static void __check_printsym_format(const char *fmt, ...)
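Review bot: The trailing comment on `#endif /*CONFIG_KALLSYMS*/` no longer matches the condition it closes, which the first hunk changes to `defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`; I would update it to `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */`. A comment beside `__INCLUDED_BY_HIDESYM` should also say that with HIDESYM enabled every other includer takes the stub branch, so that symbol lookup and printing are presumably unavailable to the rest of the kernel by design and only kallsyms.c sees the real `__print_symbol()`. Most of the stub branch lies between the two hunks and is not visible here.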
45606 diff -urNp linux-2.6.35.4/include/linux/kgdb.h linux-2.6.35.4/include/linux/kgdb.h
45607 --- linux-2.6.35.4/include/linux/kgdb.h 2010-08-26 19:47:12.000000000 -0400
45608 +++ linux-2.6.35.4/include/linux/kgdb.h 2010-09-17 20:12:09.000000000 -0400
45609 @@ -263,22 +263,22 @@ struct kgdb_arch {
45613 - int (*read_char) (void);
45614 - void (*write_char) (u8);
45615 - void (*flush) (void);
45616 - int (*init) (void);
45617 - void (*pre_exception) (void);
45618 - void (*post_exception) (void);
45619 + int (* const read_char) (void);
45620 + void (* const write_char) (u8);
45621 + void (* const flush) (void);
45622 + int (* const init) (void);
45623 + void (* const pre_exception) (void);
45624 + void (* const post_exception) (void);
45628 -extern struct kgdb_arch arch_kgdb_ops;
45629 +extern const struct kgdb_arch arch_kgdb_ops;
45631 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
45633 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
45634 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
45635 -extern struct kgdb_io *dbg_io_ops;
45636 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
45637 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
45638 +extern const struct kgdb_io *dbg_io_ops;
45640 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
45641 extern int kgdb_mem2hex(char *mem, char *buf, int count);
45642 diff -urNp linux-2.6.35.4/include/linux/kvm_host.h linux-2.6.35.4/include/linux/kvm_host.h
45643 --- linux-2.6.35.4/include/linux/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
45644 +++ linux-2.6.35.4/include/linux/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
45645 @@ -243,7 +243,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
45646 void vcpu_load(struct kvm_vcpu *vcpu);
45647 void vcpu_put(struct kvm_vcpu *vcpu);
45649 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45650 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45651 struct module *module);
45652 void kvm_exit(void);
45654 @@ -367,7 +367,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
45655 struct kvm_guest_debug *dbg);
45656 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
45658 -int kvm_arch_init(void *opaque);
45659 +int kvm_arch_init(const void *opaque);
45660 void kvm_arch_exit(void);
45662 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
45663 diff -urNp linux-2.6.35.4/include/linux/libata.h linux-2.6.35.4/include/linux/libata.h
45664 --- linux-2.6.35.4/include/linux/libata.h 2010-08-26 19:47:12.000000000 -0400
45665 +++ linux-2.6.35.4/include/linux/libata.h 2010-09-17 20:12:09.000000000 -0400
45666 @@ -64,11 +64,11 @@
45667 #ifdef ATA_VERBOSE_DEBUG
45668 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
45670 -#define VPRINTK(fmt, args...)
45671 +#define VPRINTK(fmt, args...) do {} while (0)
45672 #endif /* ATA_VERBOSE_DEBUG */
45674 -#define DPRINTK(fmt, args...)
45675 -#define VPRINTK(fmt, args...)
45676 +#define DPRINTK(fmt, args...) do {} while (0)
45677 +#define VPRINTK(fmt, args...) do {} while (0)
45678 #endif /* ATA_DEBUG */
45680 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
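Review bot: `BPRINTK` on the last context line is still a bare `if (...) printk(...)`, a statement-macro hazard of the same kind this hunk removes for `DPRINTK` and `VPRINTK`: used as the body of an `if` that has an `else`, the `else` binds to the macro's own `if`. Wrapping it would complete the change: `#define BPRINTK(fmt, args...) do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args); } while (0)`. The macro also relies on a local named `ap` being in scope at every use, which deserves a comment.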
45681 @@ -523,11 +523,11 @@ struct ata_ioports {
45685 - struct device *dev;
45686 + struct device *dev;
45687 void __iomem * const *iomap;
45688 unsigned int n_ports;
45689 void *private_data;
45690 - struct ata_port_operations *ops;
45691 + const struct ata_port_operations *ops;
45692 unsigned long flags;
45693 #ifdef CONFIG_ATA_ACPI
45694 acpi_handle acpi_handle;
45695 @@ -709,7 +709,7 @@ struct ata_link {
45698 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
45699 - struct ata_port_operations *ops;
45700 + const struct ata_port_operations *ops;
45702 /* Flags owned by the EH context. Only EH should touch these once the
45704 @@ -894,7 +894,7 @@ struct ata_port_info {
45705 unsigned long pio_mask;
45706 unsigned long mwdma_mask;
45707 unsigned long udma_mask;
45708 - struct ata_port_operations *port_ops;
45709 + const struct ata_port_operations *port_ops;
45710 void *private_data;
45713 @@ -918,7 +918,7 @@ extern const unsigned long sata_deb_timi
45714 extern const unsigned long sata_deb_timing_hotplug[];
45715 extern const unsigned long sata_deb_timing_long[];
45717 -extern struct ata_port_operations ata_dummy_port_ops;
45718 +extern const struct ata_port_operations ata_dummy_port_ops;
45719 extern const struct ata_port_info ata_dummy_port_info;
45721 static inline const unsigned long *
45722 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
45723 struct scsi_host_template *sht);
45724 extern void ata_host_detach(struct ata_host *host);
45725 extern void ata_host_init(struct ata_host *, struct device *,
45726 - unsigned long, struct ata_port_operations *);
45727 + unsigned long, const struct ata_port_operations *);
45728 extern int ata_scsi_detect(struct scsi_host_template *sht);
45729 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
45730 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
45731 diff -urNp linux-2.6.35.4/include/linux/lockd/bind.h linux-2.6.35.4/include/linux/lockd/bind.h
45732 --- linux-2.6.35.4/include/linux/lockd/bind.h 2010-08-26 19:47:12.000000000 -0400
45733 +++ linux-2.6.35.4/include/linux/lockd/bind.h 2010-09-17 20:12:09.000000000 -0400
45734 @@ -23,13 +23,13 @@ struct svc_rqst;
45735 * This is the set of functions for lockd->nfsd communication
45737 struct nlmsvc_binding {
45738 - __be32 (*fopen)(struct svc_rqst *,
45739 + __be32 (* const fopen)(struct svc_rqst *,
45742 - void (*fclose)(struct file *);
45743 + void (* const fclose)(struct file *);
45746 -extern struct nlmsvc_binding * nlmsvc_ops;
45747 +extern const struct nlmsvc_binding * nlmsvc_ops;
45750 * Similar to nfs_client_initdata, but without the NFS-specific
45751 diff -urNp linux-2.6.35.4/include/linux/mm.h linux-2.6.35.4/include/linux/mm.h
45752 --- linux-2.6.35.4/include/linux/mm.h 2010-08-26 19:47:12.000000000 -0400
45753 +++ linux-2.6.35.4/include/linux/mm.h 2010-09-17 20:12:09.000000000 -0400
45754 @@ -103,7 +103,14 @@ extern unsigned int kobjsize(const void
45756 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
45757 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
45759 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
45760 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
45761 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
45763 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
45766 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
45767 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
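Review bot: Under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` the new `VM_SAO` is defined as `0x00000000` but keeps the comment "Strong Access Ordering (powerpc)", while `VM_PAGEEXEC` takes over bit `0x20000000` without saying so. I would replace the comment on the zero definition with something like `/* unused on x86-32; bit reused by VM_PAGEEXEC below */` so a reader does not take `vma->vm_flags & VM_SAO` for a live test. Any generic code that compares a flags word against `VM_SAO` for equality, or uses it as a mask to clear, would behave differently with the zero value; no such users are visible in this hunk, so that is worth checking across the tree.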
45769 @@ -1010,6 +1017,8 @@ struct shrinker {
45770 extern void register_shrinker(struct shrinker *);
45771 extern void unregister_shrinker(struct shrinker *);
45773 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
45775 int vma_wants_writenotify(struct vm_area_struct *vma);
45777 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
45778 @@ -1286,6 +1295,7 @@ out:
45781 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
45782 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
45784 extern unsigned long do_brk(unsigned long, unsigned long);
45786 @@ -1340,6 +1350,10 @@ extern struct vm_area_struct * find_vma(
45787 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
45788 struct vm_area_struct **pprev);
45790 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
45791 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
45792 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
45794 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
45795 NULL if none. Assume start_addr < end_addr. */
45796 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
45797 @@ -1356,7 +1370,6 @@ static inline unsigned long vma_pages(st
45798 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
45801 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
45802 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
45803 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
45804 unsigned long pfn, unsigned long size, pgprot_t);
45805 @@ -1463,10 +1476,16 @@ extern int unpoison_memory(unsigned long
45806 extern int sysctl_memory_failure_early_kill;
45807 extern int sysctl_memory_failure_recovery;
45808 extern void shake_page(struct page *p, int access);
45809 -extern atomic_long_t mce_bad_pages;
45810 +extern atomic_long_unchecked_t mce_bad_pages;
45811 extern int soft_offline_page(struct page *page, int flags);
45813 extern void dump_page(struct page *page);
45815 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
45816 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
45818 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
45821 #endif /* __KERNEL__ */
45822 #endif /* _LINUX_MM_H */
45823 diff -urNp linux-2.6.35.4/include/linux/mm_types.h linux-2.6.35.4/include/linux/mm_types.h
45824 --- linux-2.6.35.4/include/linux/mm_types.h 2010-08-26 19:47:12.000000000 -0400
45825 +++ linux-2.6.35.4/include/linux/mm_types.h 2010-09-17 20:12:09.000000000 -0400
45826 @@ -183,6 +183,8 @@ struct vm_area_struct {
45828 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
45831 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
45834 struct core_thread {
45835 @@ -310,6 +312,24 @@ struct mm_struct {
45836 #ifdef CONFIG_MMU_NOTIFIER
45837 struct mmu_notifier_mm *mmu_notifier_mm;
45840 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45841 + unsigned long pax_flags;
45844 +#ifdef CONFIG_PAX_DLRESOLVE
45845 + unsigned long call_dl_resolve;
45848 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
45849 + unsigned long call_syscall;
45852 +#ifdef CONFIG_PAX_ASLR
45853 + unsigned long delta_mmap; /* randomized offset */
45854 + unsigned long delta_stack; /* randomized offset */
45859 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
45860 diff -urNp linux-2.6.35.4/include/linux/mmu_notifier.h linux-2.6.35.4/include/linux/mmu_notifier.h
45861 --- linux-2.6.35.4/include/linux/mmu_notifier.h 2010-08-26 19:47:12.000000000 -0400
45862 +++ linux-2.6.35.4/include/linux/mmu_notifier.h 2010-09-17 20:12:09.000000000 -0400
45863 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
45865 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
45869 struct vm_area_struct *___vma = __vma; \
45870 unsigned long ___address = __address; \
45871 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
45872 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
45873 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
45878 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
45879 diff -urNp linux-2.6.35.4/include/linux/mmzone.h linux-2.6.35.4/include/linux/mmzone.h
45880 --- linux-2.6.35.4/include/linux/mmzone.h 2010-08-26 19:47:12.000000000 -0400
45881 +++ linux-2.6.35.4/include/linux/mmzone.h 2010-09-17 20:12:09.000000000 -0400
45882 @@ -345,7 +345,7 @@ struct zone {
45883 unsigned long flags; /* zone flags, see below */
45885 /* Zone statistics */
45886 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45887 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45890 * prev_priority holds the scanning priority for this zone. It is
45891 diff -urNp linux-2.6.35.4/include/linux/mod_devicetable.h linux-2.6.35.4/include/linux/mod_devicetable.h
45892 --- linux-2.6.35.4/include/linux/mod_devicetable.h 2010-08-26 19:47:12.000000000 -0400
45893 +++ linux-2.6.35.4/include/linux/mod_devicetable.h 2010-09-17 20:12:09.000000000 -0400
45895 typedef unsigned long kernel_ulong_t;
45898 -#define PCI_ANY_ID (~0)
45899 +#define PCI_ANY_ID ((__u16)~0)
45901 struct pci_device_id {
45902 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
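Review bot: `PCI_ANY_ID` becomes `((__u16)~0)`, which is 0xFFFF after integer promotion, while the `vendor` and `device` fields shown just below are `__u32` and are documented as holding "Vendor and device ID or PCI_ANY_ID". The wildcard stored in those fields therefore changes from 0xFFFFFFFF to 0x0000FFFF, so a comparison against a literal all-ones value, or a device table built against the unpatched header, would no longer be treated as a wildcard. If the narrower value is intended, say so on the define: `/* wildcard is 0xFFFF even when stored in the __u32 fields */`. `HID_ANY_ID` in the next hunk becomes `(~0U)` instead, so the two wildcards now differ in width. `struct pci_device_id` continues outside the hunk.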
45903 @@ -131,7 +131,7 @@ struct usb_device_id {
45904 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
45905 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
45907 -#define HID_ANY_ID (~0)
45908 +#define HID_ANY_ID (~0U)
45910 struct hid_device_id {
45912 diff -urNp linux-2.6.35.4/include/linux/module.h linux-2.6.35.4/include/linux/module.h
45913 --- linux-2.6.35.4/include/linux/module.h 2010-08-26 19:47:12.000000000 -0400
45914 +++ linux-2.6.35.4/include/linux/module.h 2010-09-17 20:12:09.000000000 -0400
45915 @@ -297,16 +297,16 @@ struct module
45918 /* If this is non-NULL, vfree after init() returns */
45919 - void *module_init;
45920 + void *module_init_rx, *module_init_rw;
45922 /* Here is the actual code + data, vfree'd on unload. */
45923 - void *module_core;
45924 + void *module_core_rx, *module_core_rw;
45926 /* Here are the sizes of the init and core sections */
45927 - unsigned int init_size, core_size;
45928 + unsigned int init_size_rw, core_size_rw;
45930 /* The size of the executable code in each section. */
45931 - unsigned int init_text_size, core_text_size;
45932 + unsigned int init_size_rx, core_size_rx;
45934 /* Arch-specific module values */
45935 struct mod_arch_specific arch;
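Review bot: The comments kept above the renamed fields no longer describe them. `/* Here are the sizes of the init and core sections */` now sits over `init_size_rw, core_size_rw`, which by their names cover only the writable part, and `/* If this is non-NULL, vfree after init() returns */` sits over two pointers, `module_init_rx` and `module_init_rw`, although moduleloader.h in this patch introduces a separate `module_free_exec()` for executable regions. Suggested wording: `/* Sizes of the writable (rw) init and core regions */` and `/* Sizes of the executable (rx) init and core regions */`, plus one line saying which free routine applies to the rx and rw pointers. `struct module` begins and ends outside this hunk.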
45936 @@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
45937 bool is_module_percpu_address(unsigned long addr);
45938 bool is_module_text_address(unsigned long addr);
45940 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
45943 +#ifdef CONFIG_PAX_KERNEXEC
45944 + if (ktla_ktva(addr) >= (unsigned long)start &&
45945 + ktla_ktva(addr) < (unsigned long)start + size)
45949 + return ((void *)addr >= start && (void *)addr < start + size);
45952 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
45954 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
45957 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
45959 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
45962 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
45964 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
45967 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
45969 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
45972 static inline int within_module_core(unsigned long addr, struct module *mod)
45974 - return (unsigned long)mod->module_core <= addr &&
45975 - addr < (unsigned long)mod->module_core + mod->core_size;
45976 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
45979 static inline int within_module_init(unsigned long addr, struct module *mod)
45981 - return (unsigned long)mod->module_init <= addr &&
45982 - addr < (unsigned long)mod->module_init + mod->init_size;
45983 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
45986 /* Search for module by name: must hold module_mutex. */
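Review bot: In `within_module_range()` the fallback return compares `(void *)addr < start + size`, which relies on the GNU extension for arithmetic on `void *` and gives the wrong answer if `start + size` wraps, whereas the KERNEXEC branch above it compares as `unsigned long`. A subtraction form avoids both problems and keeps the branches consistent: `unsigned long base = (unsigned long)start;` followed by `return addr >= base && addr - base < size;`. The KERNEXEC branch also evaluates `ktla_ktva(addr)` twice, and a local variable would make the bound check easier to audit. Several lines of the function (braces and the preprocessor else/endif) are not visible in this hunk, so the exact structure should be checked against the file.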
45987 diff -urNp linux-2.6.35.4/include/linux/moduleloader.h linux-2.6.35.4/include/linux/moduleloader.h
45988 --- linux-2.6.35.4/include/linux/moduleloader.h 2010-08-26 19:47:12.000000000 -0400
45989 +++ linux-2.6.35.4/include/linux/moduleloader.h 2010-09-17 20:12:09.000000000 -0400
45990 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
45991 sections. Returns NULL on failure. */
45992 void *module_alloc(unsigned long size);
45994 +#ifdef CONFIG_PAX_KERNEXEC
45995 +void *module_alloc_exec(unsigned long size);
45997 +#define module_alloc_exec(x) module_alloc(x)
46000 /* Free memory returned from module_alloc. */
46001 void module_free(struct module *mod, void *module_region);
46003 +#ifdef CONFIG_PAX_KERNEXEC
46004 +void module_free_exec(struct module *mod, void *module_region);
46006 +#define module_free_exec(x, y) module_free((x), (y))
46009 /* Apply the given relocation to the (simplified) ELF. Return -error
46011 int apply_relocate(Elf_Shdr *sechdrs,
46012 diff -urNp linux-2.6.35.4/include/linux/namei.h linux-2.6.35.4/include/linux/namei.h
46013 --- linux-2.6.35.4/include/linux/namei.h 2010-08-26 19:47:12.000000000 -0400
46014 +++ linux-2.6.35.4/include/linux/namei.h 2010-09-17 20:12:09.000000000 -0400
46015 @@ -22,7 +22,7 @@ struct nameidata {
46016 unsigned int flags;
46019 - char *saved_names[MAX_NESTED_LINKS + 1];
46020 + const char *saved_names[MAX_NESTED_LINKS + 1];
46024 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
46025 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
46026 extern void unlock_rename(struct dentry *, struct dentry *);
46028 -static inline void nd_set_link(struct nameidata *nd, char *path)
46029 +static inline void nd_set_link(struct nameidata *nd, const char *path)
46031 nd->saved_names[nd->depth] = path;
46034 -static inline char *nd_get_link(struct nameidata *nd)
46035 +static inline const char *nd_get_link(const struct nameidata *nd)
46037 return nd->saved_names[nd->depth];
46039 diff -urNp linux-2.6.35.4/include/linux/oprofile.h linux-2.6.35.4/include/linux/oprofile.h
46040 --- linux-2.6.35.4/include/linux/oprofile.h 2010-08-26 19:47:12.000000000 -0400
46041 +++ linux-2.6.35.4/include/linux/oprofile.h 2010-09-17 20:12:09.000000000 -0400
46042 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
46043 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
46044 char const * name, ulong * val);
46046 -/** Create a file for read-only access to an atomic_t. */
46047 +/** Create a file for read-only access to an atomic_unchecked_t. */
46048 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
46049 - char const * name, atomic_t * val);
46050 + char const * name, atomic_unchecked_t * val);
46052 /** create a directory */
46053 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
46054 diff -urNp linux-2.6.35.4/include/linux/pipe_fs_i.h linux-2.6.35.4/include/linux/pipe_fs_i.h
46055 --- linux-2.6.35.4/include/linux/pipe_fs_i.h 2010-08-26 19:47:12.000000000 -0400
46056 +++ linux-2.6.35.4/include/linux/pipe_fs_i.h 2010-09-17 20:12:09.000000000 -0400
46057 @@ -45,9 +45,9 @@ struct pipe_buffer {
46058 struct pipe_inode_info {
46059 wait_queue_head_t wait;
46060 unsigned int nrbufs, curbuf, buffers;
46061 - unsigned int readers;
46062 - unsigned int writers;
46063 - unsigned int waiting_writers;
46064 + atomic_t readers;
46065 + atomic_t writers;
46066 + atomic_t waiting_writers;
46067 unsigned int r_counter;
46068 unsigned int w_counter;
46069 struct page *tmp_page;
46070 diff -urNp linux-2.6.35.4/include/linux/poison.h linux-2.6.35.4/include/linux/poison.h
46071 --- linux-2.6.35.4/include/linux/poison.h 2010-08-26 19:47:12.000000000 -0400
46072 +++ linux-2.6.35.4/include/linux/poison.h 2010-09-17 20:12:09.000000000 -0400
46074 * under normal circumstances, used to verify that nobody uses
46075 * non-initialized list entries.
46077 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
46078 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
46079 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
46080 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
46082 /********** include/linux/timer.h **********/
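Review bot: The literal `0xFFFFFF01` has type `unsigned int`, so `(long)0xFFFFFF01` zero-extends on a 64-bit build and `LIST_POISON1` becomes 0x00000000FFFFFF01 rather than an address at the top of the address space. That puts the poison value in the lower half of a 64-bit address space, where a dereference of a poisoned list pointer is not guaranteed to fault on every architecture. Casting through a signed 32-bit type first gives the sign-extended value on both word sizes: `#define LIST_POISON1 ((void *) (long)(int)0xFFFFFF01)`, and likewise for `LIST_POISON2`. The new definitions also drop `POISON_POINTER_DELTA`, so an architecture's configured offset no longer applies, which deserves a line in the comment above the defines.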
46084 diff -urNp linux-2.6.35.4/include/linux/proc_fs.h linux-2.6.35.4/include/linux/proc_fs.h
46085 --- linux-2.6.35.4/include/linux/proc_fs.h 2010-08-26 19:47:12.000000000 -0400
46086 +++ linux-2.6.35.4/include/linux/proc_fs.h 2010-09-17 20:12:37.000000000 -0400
46087 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
46088 return proc_create_data(name, mode, parent, proc_fops, NULL);
46091 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
46092 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
46094 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46095 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
46096 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46097 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
46099 + return proc_create_data(name, mode, parent, proc_fops, NULL);
46104 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
46105 mode_t mode, struct proc_dir_entry *base,
46106 read_proc_t *read_proc, void * data)
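Review bot: `proc_create_grsec()` discards its `mode` argument under `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP`, passing `S_IRUSR` or `S_IRUSR | S_IRGRP` instead, and nothing at the definition says so. A caller that asked for write permission or any other set of bits gets a different file than requested, with no diagnostic. A short comment above the function would cover it: `/* like proc_create(), but the grsecurity /proc restriction options replace @mode with owner-only or owner+group read */`. Some lines of the function (braces and the final preprocessor branch) are not visible in this hunk.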
46107 diff -urNp linux-2.6.35.4/include/linux/random.h linux-2.6.35.4/include/linux/random.h
46108 --- linux-2.6.35.4/include/linux/random.h 2010-08-26 19:47:12.000000000 -0400
46109 +++ linux-2.6.35.4/include/linux/random.h 2010-09-17 20:12:09.000000000 -0400
46110 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
46112 u32 prandom32(struct rnd_state *);
46114 +static inline unsigned long pax_get_random_long(void)
46116 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
46120 * Handle minimum values for seeds
46122 static inline u32 __seed(u32 x, u32 m)
46124 - return (x < m) ? x + m : x;
46125 + return (x <= m) ? x + m + 1 : x;
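Review bot: `pax_get_random_long()` builds its result from `random32()`, which belongs to the seedable pseudo-random generator declared in this header (`srandom32(u32 seed)` appears in the hunk header), not to the entropy-pool interface. If the value feeds address-space randomisation, as the name and the `delta_mmap`/`delta_stack` "randomized offset" fields added to mm_types.h in this patch suggest, its unpredictability is only as good as that generator's internal state. I would either draw the bytes from the pool, `unsigned long r; get_random_bytes(&r, sizeof(r)); return r;`, or document the choice at the definition with `/* not cryptographically strong: built on random32() */`. The function's braces are not visible in this hunk.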
46129 diff -urNp linux-2.6.35.4/include/linux/reiserfs_fs.h linux-2.6.35.4/include/linux/reiserfs_fs.h
46130 --- linux-2.6.35.4/include/linux/reiserfs_fs.h 2010-08-26 19:47:12.000000000 -0400
46131 +++ linux-2.6.35.4/include/linux/reiserfs_fs.h 2010-09-17 20:12:09.000000000 -0400
46132 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
46133 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
46135 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
46136 -#define get_generation(s) atomic_read (&fs_generation(s))
46137 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
46138 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
46139 #define __fs_changed(gen,s) (gen != get_generation (s))
46140 #define fs_changed(gen,s) \
46141 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
46144 struct item_operations {
46145 - int (*bytes_number) (struct item_head * ih, int block_size);
46146 - void (*decrement_key) (struct cpu_key *);
46147 - int (*is_left_mergeable) (struct reiserfs_key * ih,
46148 + int (* const bytes_number) (struct item_head * ih, int block_size);
46149 + void (* const decrement_key) (struct cpu_key *);
46150 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
46151 unsigned long bsize);
46152 - void (*print_item) (struct item_head *, char *item);
46153 - void (*check_item) (struct item_head *, char *item);
46154 + void (* const print_item) (struct item_head *, char *item);
46155 + void (* const check_item) (struct item_head *, char *item);
46157 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46158 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46159 int is_affected, int insert_size);
46160 - int (*check_left) (struct virtual_item * vi, int free,
46161 + int (* const check_left) (struct virtual_item * vi, int free,
46162 int start_skip, int end_skip);
46163 - int (*check_right) (struct virtual_item * vi, int free);
46164 - int (*part_size) (struct virtual_item * vi, int from, int to);
46165 - int (*unit_num) (struct virtual_item * vi);
46166 - void (*print_vi) (struct virtual_item * vi);
46167 + int (* const check_right) (struct virtual_item * vi, int free);
46168 + int (* const part_size) (struct virtual_item * vi, int from, int to);
46169 + int (* const unit_num) (struct virtual_item * vi);
46170 + void (* const print_vi) (struct virtual_item * vi);
46173 -extern struct item_operations *item_ops[TYPE_ANY + 1];
46174 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
46176 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
46177 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
46178 diff -urNp linux-2.6.35.4/include/linux/reiserfs_fs_sb.h linux-2.6.35.4/include/linux/reiserfs_fs_sb.h
46179 --- linux-2.6.35.4/include/linux/reiserfs_fs_sb.h 2010-08-26 19:47:12.000000000 -0400
46180 +++ linux-2.6.35.4/include/linux/reiserfs_fs_sb.h 2010-09-17 20:12:09.000000000 -0400
46181 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
46182 /* Comment? -Hans */
46183 wait_queue_head_t s_wait;
46184 /* To be obsoleted soon by per buffer seals.. -Hans */
46185 - atomic_t s_generation_counter; // increased by one every time the
46186 + atomic_unchecked_t s_generation_counter; // increased by one every time the
46187 // tree gets re-balanced
46188 unsigned long s_properties; /* File system properties. Currently holds
46189 on-disk FS format */
46190 diff -urNp linux-2.6.35.4/include/linux/rmap.h linux-2.6.35.4/include/linux/rmap.h
46191 --- linux-2.6.35.4/include/linux/rmap.h 2010-08-26 19:47:12.000000000 -0400
46192 +++ linux-2.6.35.4/include/linux/rmap.h 2010-09-17 20:12:09.000000000 -0400
46193 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
46194 void anon_vma_init(void); /* create anon_vma_cachep */
46195 int anon_vma_prepare(struct vm_area_struct *);
46196 void unlink_anon_vmas(struct vm_area_struct *);
46197 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
46198 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
46199 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
46200 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
46201 void __anon_vma_link(struct vm_area_struct *);
46202 void anon_vma_free(struct anon_vma *);
46204 diff -urNp linux-2.6.35.4/include/linux/sched.h linux-2.6.35.4/include/linux/sched.h
46205 --- linux-2.6.35.4/include/linux/sched.h 2010-08-26 19:47:12.000000000 -0400
46206 +++ linux-2.6.35.4/include/linux/sched.h 2010-09-17 20:12:37.000000000 -0400
46207 @@ -100,6 +100,7 @@ struct robust_list_head;
46210 struct perf_event_context;
46211 +struct linux_binprm;
46214 * List of flags we want to share for kernel threads,
46215 @@ -381,10 +382,12 @@ struct user_namespace;
46216 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
46218 extern int sysctl_max_map_count;
46219 +extern unsigned long sysctl_heap_stack_gap;
46221 #include <linux/aio.h>
46224 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
46225 extern void arch_pick_mmap_layout(struct mm_struct *mm);
46226 extern unsigned long
46227 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
46228 @@ -628,6 +631,15 @@ struct signal_struct {
46229 struct tty_audit_buf *tty_audit_buf;
46232 +#ifdef CONFIG_GRKERNSEC
46238 + u8 used_accept:1;
46241 int oom_adj; /* OOM kill score adjustment (bit shift) */
46244 @@ -1166,7 +1178,7 @@ struct rcu_node;
46246 struct task_struct {
46247 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
46249 + struct thread_info *stack;
46251 unsigned int flags; /* per process flags, defined below */
46252 unsigned int ptrace;
46253 @@ -1274,8 +1286,8 @@ struct task_struct {
46254 struct list_head thread_group;
46256 struct completion *vfork_done; /* for vfork() */
46257 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
46258 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46259 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
46260 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46262 cputime_t utime, stime, utimescaled, stimescaled;
46264 @@ -1291,16 +1303,6 @@ struct task_struct {
46265 struct task_cputime cputime_expires;
46266 struct list_head cpu_timers[3];
46268 -/* process credentials */
46269 - const struct cred *real_cred; /* objective and real subjective task
46270 - * credentials (COW) */
46271 - const struct cred *cred; /* effective (overridable) subjective task
46272 - * credentials (COW) */
46273 - struct mutex cred_guard_mutex; /* guard against foreign influences on
46274 - * credential calculations
46275 - * (notably. ptrace) */
46276 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46278 char comm[TASK_COMM_LEN]; /* executable name excluding path
46279 - access with [gs]et_task_comm (which lock
46280 it with task_lock())
46281 @@ -1384,6 +1386,15 @@ struct task_struct {
46282 int softirqs_enabled;
46283 int softirq_context;
46286 +/* process credentials */
46287 + const struct cred *real_cred; /* objective and real subjective task
46288 + * credentials (COW) */
46289 + struct mutex cred_guard_mutex; /* guard against foreign influences on
46290 + * credential calculations
46291 + * (notably. ptrace) */
46292 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46294 #ifdef CONFIG_LOCKDEP
46295 # define MAX_LOCK_DEPTH 48UL
46296 u64 curr_chain_key;
46297 @@ -1404,6 +1415,9 @@ struct task_struct {
46299 struct backing_dev_info *backing_dev_info;
46301 + const struct cred *cred; /* effective (overridable) subjective task
46302 + * credentials (COW) */
46304 struct io_context *io_context;
46306 unsigned long ptrace_message;
46307 @@ -1469,6 +1483,20 @@ struct task_struct {
46308 unsigned long default_timer_slack_ns;
46310 struct list_head *scm_work_list;
46312 +#ifdef CONFIG_GRKERNSEC
46314 + struct dentry *gr_chroot_dentry;
46315 + struct acl_subject_label *acl;
46316 + struct acl_role_label *role;
46317 + struct file *exec_file;
46322 + u8 gr_is_chrooted;
46325 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
46326 /* Index of current stored address in ret_stack */
46327 int curr_ret_stack;
46328 @@ -1500,6 +1528,52 @@ struct task_struct {
46332 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
46333 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
46334 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
46335 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
46336 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
46337 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
46339 +#ifdef CONFIG_PAX_SOFTMODE
46340 +extern unsigned int pax_softmode;
46343 +extern int pax_check_flags(unsigned long *);
46345 +/* if tsk != current then task_lock must be held on it */
46346 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46347 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
46349 + if (likely(tsk->mm))
46350 + return tsk->mm->pax_flags;
46355 +/* if tsk != current then task_lock must be held on it */
46356 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
46358 + if (likely(tsk->mm)) {
46359 + tsk->mm->pax_flags = flags;
46366 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
46367 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
46368 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
46369 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
46372 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
46373 +void pax_report_insns(void *pc, void *sp);
46374 +void pax_report_refcount_overflow(struct pt_regs *regs);
46375 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
46376 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
46378 /* Future-safe accessor for struct task_struct's cpus_allowed. */
46379 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
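Review bot: `pax_set_initial_flags_func` is declared as a plain writable global function pointer, while much of this patch works to make function-pointer tables `const`. Its definition and the code that assigns and calls it are outside this hunk, so I cannot tell whether it is NULL-checked or protected after setup. At the declaration I would add a comment naming who may set it and when, such as `/* set once by the ACL system during init; must not change afterwards */`, and if that is accurate consider placing the variable in memory that is made read-only after init. Several lines of the inline helpers above it are also not visible in this hunk.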
46381 @@ -2101,7 +2175,7 @@ extern void __cleanup_sighand(struct sig
46382 extern void exit_itimers(struct signal_struct *);
46383 extern void flush_itimer_signals(void);
46385 -extern NORET_TYPE void do_group_exit(int);
46386 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
46388 extern void daemonize(const char *, ...);
46389 extern int allow_signal(int);
46390 @@ -2217,8 +2291,8 @@ static inline void unlock_task_sighand(s
46392 #ifndef __HAVE_THREAD_FUNCTIONS
46394 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
46395 -#define task_stack_page(task) ((task)->stack)
46396 +#define task_thread_info(task) ((task)->stack)
46397 +#define task_stack_page(task) ((void *)(task)->stack)
46399 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
46401 @@ -2233,13 +2307,17 @@ static inline unsigned long *end_of_stac
46405 -static inline int object_is_on_stack(void *obj)
46406 +static inline int object_starts_on_stack(void *obj)
46408 - void *stack = task_stack_page(current);
46409 + const void *stack = task_stack_page(current);
46411 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
46414 +#ifdef CONFIG_PAX_USERCOPY
46415 +extern int object_is_on_stack(const void *obj, unsigned long len);
46418 extern void thread_info_cache_init(void);
46420 #ifdef CONFIG_DEBUG_STACK_USAGE
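Review bot: `object_is_on_stack` is reused as the name of a new two-argument function after the old one-argument helper is renamed to `object_starts_on_stack`, and the new prototype carries no comment describing its return value or what `len` bounds. Because the name keeps its old spelling but changes arity and is declared only under `CONFIG_PAX_USERCOPY`, it needs a line such as `/* checks the range [obj, obj+len) against the current task's stack; see the definition for return values */` (the semantics are inferred from the signature and should be confirmed against the definition). `object_starts_on_stack()` could also take `const void *obj` to match, since this hunk already makes its local `stack` pointer const.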
46421 diff -urNp linux-2.6.35.4/include/linux/screen_info.h linux-2.6.35.4/include/linux/screen_info.h
46422 --- linux-2.6.35.4/include/linux/screen_info.h 2010-08-26 19:47:12.000000000 -0400
46423 +++ linux-2.6.35.4/include/linux/screen_info.h 2010-09-17 20:12:09.000000000 -0400
46424 @@ -43,7 +43,8 @@ struct screen_info {
46425 __u16 pages; /* 0x32 */
46426 __u16 vesa_attributes; /* 0x34 */
46427 __u32 capabilities; /* 0x36 */
46428 - __u8 _reserved[6]; /* 0x3a */
46429 + __u16 vesapm_size; /* 0x3a */
46430 + __u8 _reserved[4]; /* 0x3c */
46431 } __attribute__((packed));
46433 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
46434 diff -urNp linux-2.6.35.4/include/linux/security.h linux-2.6.35.4/include/linux/security.h
46435 --- linux-2.6.35.4/include/linux/security.h 2010-08-26 19:47:12.000000000 -0400
46436 +++ linux-2.6.35.4/include/linux/security.h 2010-09-17 20:12:37.000000000 -0400
46438 #include <linux/key.h>
46439 #include <linux/xfrm.h>
46440 #include <linux/slab.h>
46441 +#include <linux/grsecurity.h>
46442 #include <net/flow.h>
46444 /* Maximum number of letters for an LSM name string */
46445 diff -urNp linux-2.6.35.4/include/linux/shm.h linux-2.6.35.4/include/linux/shm.h
46446 --- linux-2.6.35.4/include/linux/shm.h 2010-08-26 19:47:12.000000000 -0400
46447 +++ linux-2.6.35.4/include/linux/shm.h 2010-09-17 20:12:37.000000000 -0400
46448 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
46451 struct user_struct *mlock_user;
46452 +#ifdef CONFIG_GRKERNSEC
46453 + time_t shm_createtime;
46458 /* shm_mode upper byte flags */
46459 diff -urNp linux-2.6.35.4/include/linux/slab.h linux-2.6.35.4/include/linux/slab.h
46460 --- linux-2.6.35.4/include/linux/slab.h 2010-08-26 19:47:12.000000000 -0400
46461 +++ linux-2.6.35.4/include/linux/slab.h 2010-09-17 20:12:09.000000000 -0400
46464 #include <linux/gfp.h>
46465 #include <linux/types.h>
46466 +#include <linux/err.h>
46469 * Flags to pass to kmem_cache_create().
46470 @@ -87,10 +88,13 @@
46471 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
46472 * Both make kfree a no-op.
46474 -#define ZERO_SIZE_PTR ((void *)16)
46475 +#define ZERO_SIZE_PTR \
46477 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
46478 + (void *)(-MAX_ERRNO-1L); \
46481 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
46482 - (unsigned long)ZERO_SIZE_PTR)
46483 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
46486 * struct kmem_cache related prototypes
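Review bot: `ZERO_OR_NULL_PTR(x)` is now true for NULL and for every value from `ZERO_SIZE_PTR` up to the top of the address range, and with `ZERO_SIZE_PTR` defined as `(void *)(-MAX_ERRNO-1L)` that range includes all `ERR_PTR()` values. The retained comment ("Both make kfree a no-op") still describes only the two original cases, so a reader will not expect code guarded by this macro to treat an error pointer like a zero-size allocation. Suggested comment above the macro: `/* true for NULL, ZERO_SIZE_PTR and the whole ERR_PTR() range above it */`. `ZERO_SIZE_PTR` also appears to have become a statement expression (the `BUILD_BUG_ON(...)` line ends in a semicolon, and the opening and closing lines are not visible here), which would mean it can no longer appear in a static initialiser.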
46487 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
46488 void kfree(const void *);
46489 void kzfree(const void *);
46490 size_t ksize(const void *);
46491 +void check_object_size(const void *ptr, unsigned long n, bool to);
46494 * Allocator specific definitions. These are mainly used to establish optimized
46495 @@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t
46497 void __init kmem_cache_init_late(void);
46499 +#define kmalloc(x, y) \
46501 + void *___retval; \
46502 + intoverflow_t ___x = (intoverflow_t)x; \
46503 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
46504 + ___retval = NULL; \
46506 + ___retval = kmalloc((size_t)___x, (y)); \
46510 +#define kmalloc_node(x, y, z) \
46512 + void *___retval; \
46513 + intoverflow_t ___x = (intoverflow_t)x; \
46514 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
46515 + ___retval = NULL; \
46517 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
46521 +#define kzalloc(x, y) \
46523 + void *___retval; \
46524 + intoverflow_t ___x = (intoverflow_t)x; \
46525 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
46526 + ___retval = NULL; \
46528 + ___retval = kzalloc((size_t)___x, (y)); \
46532 #endif /* _LINUX_SLAB_H */
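Review bot: In the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers the cast is written `(intoverflow_t)x` with `x` unparenthesised, which reads like a macro-hygiene slip but looks deliberate: for an argument such as `n * size` the cast binds to `n`, so the product is computed in the wide type and can be compared with `ULONG_MAX`. That only works when the overflowing operation involves the first operand of the argument expression; for `hdr + n * size` the multiplication is still done in the narrow type and the check sees an already wrapped value. A comment should state both facts, for example `/* x is intentionally not parenthesised: the cast must widen the first operand of the size expression */`. The macro bodies are only partly visible in this hunk.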
46533 diff -urNp linux-2.6.35.4/include/linux/slub_def.h linux-2.6.35.4/include/linux/slub_def.h
46534 --- linux-2.6.35.4/include/linux/slub_def.h 2010-08-26 19:47:12.000000000 -0400
46535 +++ linux-2.6.35.4/include/linux/slub_def.h 2010-09-17 20:12:09.000000000 -0400
46536 @@ -79,7 +79,7 @@ struct kmem_cache {
46537 struct kmem_cache_order_objects max;
46538 struct kmem_cache_order_objects min;
46539 gfp_t allocflags; /* gfp flags to use on each alloc */
46540 - int refcount; /* Refcount for slab cache destroy */
46541 + atomic_t refcount; /* Refcount for slab cache destroy */
46542 void (*ctor)(void *);
46543 int inuse; /* Offset to metadata */
46544 int align; /* Alignment */
46545 diff -urNp linux-2.6.35.4/include/linux/sonet.h linux-2.6.35.4/include/linux/sonet.h
46546 --- linux-2.6.35.4/include/linux/sonet.h 2010-08-26 19:47:12.000000000 -0400
46547 +++ linux-2.6.35.4/include/linux/sonet.h 2010-09-17 20:12:09.000000000 -0400
46548 @@ -61,7 +61,7 @@ struct sonet_stats {
46549 #include <asm/atomic.h>
46551 struct k_sonet_stats {
46552 -#define __HANDLE_ITEM(i) atomic_t i
46553 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
46555 #undef __HANDLE_ITEM
46557 diff -urNp linux-2.6.35.4/include/linux/suspend.h linux-2.6.35.4/include/linux/suspend.h
46558 --- linux-2.6.35.4/include/linux/suspend.h 2010-08-26 19:47:12.000000000 -0400
46559 +++ linux-2.6.35.4/include/linux/suspend.h 2010-09-17 20:12:09.000000000 -0400
46560 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
46561 * which require special recovery actions in that situation.
46563 struct platform_suspend_ops {
46564 - int (*valid)(suspend_state_t state);
46565 - int (*begin)(suspend_state_t state);
46566 - int (*prepare)(void);
46567 - int (*prepare_late)(void);
46568 - int (*enter)(suspend_state_t state);
46569 - void (*wake)(void);
46570 - void (*finish)(void);
46571 - void (*end)(void);
46572 - void (*recover)(void);
46573 + int (* const valid)(suspend_state_t state);
46574 + int (* const begin)(suspend_state_t state);
46575 + int (* const prepare)(void);
46576 + int (* const prepare_late)(void);
46577 + int (* const enter)(suspend_state_t state);
46578 + void (* const wake)(void);
46579 + void (* const finish)(void);
46580 + void (* const end)(void);
46581 + void (* const recover)(void);
46584 #ifdef CONFIG_SUSPEND
46585 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
46586 * suspend_set_ops - set platform dependent suspend operations
46587 * @ops: The new suspend operations to set.
46589 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
46590 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
46591 extern int suspend_valid_only_mem(suspend_state_t state);
46594 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
46595 #else /* !CONFIG_SUSPEND */
46596 #define suspend_valid_only_mem NULL
46598 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
46599 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
46600 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
46601 #endif /* !CONFIG_SUSPEND */
46603 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
46604 * platforms which require special recovery actions in that situation.
46606 struct platform_hibernation_ops {
46607 - int (*begin)(void);
46608 - void (*end)(void);
46609 - int (*pre_snapshot)(void);
46610 - void (*finish)(void);
46611 - int (*prepare)(void);
46612 - int (*enter)(void);
46613 - void (*leave)(void);
46614 - int (*pre_restore)(void);
46615 - void (*restore_cleanup)(void);
46616 - void (*recover)(void);
46617 + int (* const begin)(void);
46618 + void (* const end)(void);
46619 + int (* const pre_snapshot)(void);
46620 + void (* const finish)(void);
46621 + int (* const prepare)(void);
46622 + int (* const enter)(void);
46623 + void (* const leave)(void);
46624 + int (* const pre_restore)(void);
46625 + void (* const restore_cleanup)(void);
46626 + void (* const recover)(void);
46629 #ifdef CONFIG_HIBERNATION
46630 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
46631 extern void swsusp_unset_page_free(struct page *);
46632 extern unsigned long get_safe_page(gfp_t gfp_mask);
46634 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
46635 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
46636 extern int hibernate(void);
46637 extern bool system_entering_hibernation(void);
46638 #else /* CONFIG_HIBERNATION */
46639 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
46640 static inline void swsusp_set_page_free(struct page *p) {}
46641 static inline void swsusp_unset_page_free(struct page *p) {}
46643 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
46644 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
46645 static inline int hibernate(void) { return -ENOSYS; }
46646 static inline bool system_entering_hibernation(void) { return false; }
46647 #endif /* CONFIG_HIBERNATION */
46648 diff -urNp linux-2.6.35.4/include/linux/sysctl.h linux-2.6.35.4/include/linux/sysctl.h
46649 --- linux-2.6.35.4/include/linux/sysctl.h 2010-08-26 19:47:12.000000000 -0400
46650 +++ linux-2.6.35.4/include/linux/sysctl.h 2010-09-17 20:12:09.000000000 -0400
46651 @@ -155,7 +155,11 @@ enum
46652 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
46656 +#ifdef CONFIG_PAX_SOFTMODE
46658 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
46662 /* CTL_VM names: */
46664 diff -urNp linux-2.6.35.4/include/linux/sysfs.h linux-2.6.35.4/include/linux/sysfs.h
46665 --- linux-2.6.35.4/include/linux/sysfs.h 2010-08-26 19:47:12.000000000 -0400
46666 +++ linux-2.6.35.4/include/linux/sysfs.h 2010-09-17 20:12:09.000000000 -0400
46667 @@ -115,8 +115,8 @@ struct bin_attribute {
46668 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
46671 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
46672 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
46673 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
46674 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
46677 struct sysfs_dirent;
46678 diff -urNp linux-2.6.35.4/include/linux/thread_info.h linux-2.6.35.4/include/linux/thread_info.h
46679 --- linux-2.6.35.4/include/linux/thread_info.h 2010-08-26 19:47:12.000000000 -0400
46680 +++ linux-2.6.35.4/include/linux/thread_info.h 2010-09-17 20:12:09.000000000 -0400
46681 @@ -23,7 +23,7 @@ struct restart_block {
46683 /* For futex_wait and futex_wait_requeue_pi */
46686 + u32 __user *uaddr;
46690 diff -urNp linux-2.6.35.4/include/linux/tty.h linux-2.6.35.4/include/linux/tty.h
46691 --- linux-2.6.35.4/include/linux/tty.h 2010-08-26 19:47:12.000000000 -0400
46692 +++ linux-2.6.35.4/include/linux/tty.h 2010-09-17 20:12:09.000000000 -0400
46694 #include <linux/tty_driver.h>
46695 #include <linux/tty_ldisc.h>
46696 #include <linux/mutex.h>
46697 +#include <linux/poll.h>
46699 #include <asm/system.h>
46701 @@ -453,7 +454,6 @@ extern int tty_perform_flush(struct tty_
46702 extern dev_t tty_devnum(struct tty_struct *tty);
46703 extern void proc_clear_tty(struct task_struct *p);
46704 extern struct tty_struct *get_current_tty(void);
46705 -extern void tty_default_fops(struct file_operations *fops);
46706 extern struct tty_struct *alloc_tty_struct(void);
46707 extern void free_tty_struct(struct tty_struct *tty);
46708 extern void initialize_tty_struct(struct tty_struct *tty,
46709 @@ -514,6 +514,18 @@ extern void tty_ldisc_begin(void);
46710 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
46711 extern void tty_ldisc_enable(struct tty_struct *tty);
46714 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
46715 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
46716 +extern unsigned int tty_poll(struct file *, poll_table *);
46717 +#ifdef CONFIG_COMPAT
46718 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
46719 + unsigned long arg);
46721 +#define tty_compat_ioctl NULL
46723 +extern int tty_release(struct inode *, struct file *);
46724 +extern int tty_fasync(int fd, struct file *filp, int on);
46727 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
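Review bot: The new prototypes for `tty_read`, `tty_write`, `tty_poll`, `tty_compat_ioctl`, `tty_release` and `tty_fasync` have no comment saying who is meant to call them, and they sit directly under the remark that marks `tty_ldisc_enable` as tty-layer internal. Since the previous hunk drops `tty_default_fops()`, they presumably exist so that users can name the handlers in a statically initialized `file_operations`; a line such as `/* exported so users can build a const file_operations instead of copying the tty defaults */` would make that explicit. The comment should also mention that without `CONFIG_COMPAT` `tty_compat_ioctl` is a macro expanding to `NULL`, so it is usable as an initializer but must not be called.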
46728 diff -urNp linux-2.6.35.4/include/linux/tty_ldisc.h linux-2.6.35.4/include/linux/tty_ldisc.h
46729 --- linux-2.6.35.4/include/linux/tty_ldisc.h 2010-08-26 19:47:12.000000000 -0400
46730 +++ linux-2.6.35.4/include/linux/tty_ldisc.h 2010-09-17 20:12:09.000000000 -0400
46731 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
46733 struct module *owner;
46736 + atomic_t refcount;
46740 diff -urNp linux-2.6.35.4/include/linux/types.h linux-2.6.35.4/include/linux/types.h
46741 --- linux-2.6.35.4/include/linux/types.h 2010-08-26 19:47:12.000000000 -0400
46742 +++ linux-2.6.35.4/include/linux/types.h 2010-09-17 20:12:09.000000000 -0400
46743 @@ -191,10 +191,26 @@ typedef struct {
46747 +#ifdef CONFIG_PAX_REFCOUNT
46750 +} atomic_unchecked_t;
46752 +typedef atomic_t atomic_unchecked_t;
46755 #ifdef CONFIG_64BIT
46760 +#ifdef CONFIG_PAX_REFCOUNT
46763 +} atomic64_unchecked_t;
46765 +typedef atomic64_t atomic64_unchecked_t;
46770 diff -urNp linux-2.6.35.4/include/linux/uaccess.h linux-2.6.35.4/include/linux/uaccess.h
46771 --- linux-2.6.35.4/include/linux/uaccess.h 2010-08-26 19:47:12.000000000 -0400
46772 +++ linux-2.6.35.4/include/linux/uaccess.h 2010-09-17 20:12:09.000000000 -0400
46773 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
46775 mm_segment_t old_fs = get_fs(); \
46777 - set_fs(KERNEL_DS); \
46778 pagefault_disable(); \
46779 + set_fs(KERNEL_DS); \
46780 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
46781 - pagefault_enable(); \
46783 + pagefault_enable(); \
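Review bot: Nothing in the macro says that the new order of `pagefault_disable()` and `set_fs(KERNEL_DS)` matters, so a later cleanup could swap the calls back without noticing. If the intent is that the widened address limit is only in effect while page faults are disabled, put that in a comment before `pagefault_disable();`, e.g. `/* keep the KERNEL_DS window inside the pagefault-disabled region */` (with the trailing `\` the macro needs). The line that restores `old_fs` is not visible in this view, so this assumes it sits between the copy and `pagefault_enable()`.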
46787 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
46788 * Safely read from address @src to the buffer at @dst. If a kernel fault
46789 * happens, handle that and return -EFAULT.
46791 -extern long probe_kernel_read(void *dst, void *src, size_t size);
46792 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
46793 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
46794 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
46797 * probe_kernel_write(): safely attempt to write to a location
46798 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
46799 * Safely write to address @dst from the buffer at @src. If a kernel fault
46800 * happens, handle that and return -EFAULT.
46802 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
46803 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
46804 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
46805 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
46807 #endif /* __LINUX_UACCESS_H__ */
46808 diff -urNp linux-2.6.35.4/include/linux/usb/hcd.h linux-2.6.35.4/include/linux/usb/hcd.h
46809 --- linux-2.6.35.4/include/linux/usb/hcd.h 2010-08-26 19:47:12.000000000 -0400
46810 +++ linux-2.6.35.4/include/linux/usb/hcd.h 2010-09-17 20:12:09.000000000 -0400
46811 @@ -559,7 +559,7 @@ struct usb_mon_operations {
46812 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
46815 -extern struct usb_mon_operations *mon_ops;
46816 +extern const struct usb_mon_operations *mon_ops;
46818 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
46820 @@ -581,7 +581,7 @@ static inline void usbmon_urb_complete(s
46821 (*mon_ops->urb_complete)(bus, urb, status);
46824 -int usb_mon_register(struct usb_mon_operations *ops);
46825 +int usb_mon_register(const struct usb_mon_operations *ops);
46826 void usb_mon_deregister(void);
46829 diff -urNp linux-2.6.35.4/include/linux/vmalloc.h linux-2.6.35.4/include/linux/vmalloc.h
46830 --- linux-2.6.35.4/include/linux/vmalloc.h 2010-08-26 19:47:12.000000000 -0400
46831 +++ linux-2.6.35.4/include/linux/vmalloc.h 2010-09-17 20:12:09.000000000 -0400
46832 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
46833 #define VM_MAP 0x00000004 /* vmap()ed pages */
46834 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
46835 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
46837 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
46838 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
46841 /* bits [20..32] reserved for arch specific ioremap internals */
46844 @@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
46846 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
46848 +#define vmalloc(x) \
46850 + void *___retval; \
46851 + intoverflow_t ___x = (intoverflow_t)x; \
46852 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
46853 + ___retval = NULL; \
46855 + ___retval = vmalloc((unsigned long)___x); \
46859 +#define __vmalloc(x, y, z) \
46861 + void *___retval; \
46862 + intoverflow_t ___x = (intoverflow_t)x; \
46863 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
46864 + ___retval = NULL; \
46866 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
46870 +#define vmalloc_user(x) \
46872 + void *___retval; \
46873 + intoverflow_t ___x = (intoverflow_t)x; \
46874 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
46875 + ___retval = NULL; \
46877 + ___retval = vmalloc_user((unsigned long)___x); \
46881 +#define vmalloc_exec(x) \
46883 + void *___retval; \
46884 + intoverflow_t ___x = (intoverflow_t)x; \
46885 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
46886 + ___retval = NULL; \
46888 + ___retval = vmalloc_exec((unsigned long)___x); \
46892 +#define vmalloc_node(x, y) \
46894 + void *___retval; \
46895 + intoverflow_t ___x = (intoverflow_t)x; \
46896 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
46897 + ___retval = NULL; \
46899 + ___retval = vmalloc_node((unsigned long)___x, (y));\
46903 +#define vmalloc_32(x) \
46905 + void *___retval; \
46906 + intoverflow_t ___x = (intoverflow_t)x; \
46907 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
46908 + ___retval = NULL; \
46910 + ___retval = vmalloc_32((unsigned long)___x); \
46914 +#define vmalloc_32_user(x) \
46916 + void *___retval; \
46917 + intoverflow_t ___x = (intoverflow_t)x; \
46918 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
46919 + ___retval = NULL; \
46921 + ___retval = vmalloc_32_user((unsigned long)___x);\
46925 #endif /* _LINUX_VMALLOC_H */
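Review bot: In all seven wrappers the size argument is used as `(intoverflow_t)x` without parentheses, while `y` and `z` are parenthesized, and no comment explains the difference. If this is deliberate, so that for a call like `vmalloc(n * size)` the cast binds to `n` and the product is evaluated in the wider type before the `ULONG_MAX` comparison, it needs a comment, because the usual macro-hygiene fix of writing `(x)` would silently defeat the check. The comment should also state the limits: only an overflow in an operation involving the leading operand is caught (`a + b * c` or an already-truncated variable passes unnoticed), and where `intoverflow_t` is no wider than `unsigned long` (its definition is outside this hunk) the test can never fire. Suggested wording above the first macro: `/* x is intentionally not parenthesized: the cast must bind to its first operand so the size is computed in intoverflow_t */`. The seven bodies differ only in the callee and the message and could be generated by one helper macro.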
46926 diff -urNp linux-2.6.35.4/include/linux/vmstat.h linux-2.6.35.4/include/linux/vmstat.h
46927 --- linux-2.6.35.4/include/linux/vmstat.h 2010-08-26 19:47:12.000000000 -0400
46928 +++ linux-2.6.35.4/include/linux/vmstat.h 2010-09-17 20:12:09.000000000 -0400
46929 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
46931 * Zone based page accounting with per cpu differentials.
46933 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46934 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46936 static inline void zone_page_state_add(long x, struct zone *zone,
46937 enum zone_stat_item item)
46939 - atomic_long_add(x, &zone->vm_stat[item]);
46940 - atomic_long_add(x, &vm_stat[item]);
46941 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
46942 + atomic_long_add_unchecked(x, &vm_stat[item]);
46945 static inline unsigned long global_page_state(enum zone_stat_item item)
46947 - long x = atomic_long_read(&vm_stat[item]);
46948 + long x = atomic_long_read_unchecked(&vm_stat[item]);
46952 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
46953 static inline unsigned long zone_page_state(struct zone *zone,
46954 enum zone_stat_item item)
46956 - long x = atomic_long_read(&zone->vm_stat[item]);
46957 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
46961 @@ -246,8 +246,8 @@ static inline void __mod_zone_page_state
46963 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
46965 - atomic_long_inc(&zone->vm_stat[item]);
46966 - atomic_long_inc(&vm_stat[item]);
46967 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
46968 + atomic_long_inc_unchecked(&vm_stat[item]);
46971 static inline void __inc_zone_page_state(struct page *page,
46972 @@ -258,8 +258,8 @@ static inline void __inc_zone_page_state
46974 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
46976 - atomic_long_dec(&zone->vm_stat[item]);
46977 - atomic_long_dec(&vm_stat[item]);
46978 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
46979 + atomic_long_dec_unchecked(&vm_stat[item]);
46982 static inline void __dec_zone_page_state(struct page *page,
46983 diff -urNp linux-2.6.35.4/include/net/irda/ircomm_tty.h linux-2.6.35.4/include/net/irda/ircomm_tty.h
46984 --- linux-2.6.35.4/include/net/irda/ircomm_tty.h 2010-08-26 19:47:12.000000000 -0400
46985 +++ linux-2.6.35.4/include/net/irda/ircomm_tty.h 2010-09-17 20:12:09.000000000 -0400
46986 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
46987 unsigned short close_delay;
46988 unsigned short closing_wait; /* time to wait before closing */
46991 - int blocked_open; /* # of blocked opens */
46992 + atomic_t open_count;
46993 + atomic_t blocked_open; /* # of blocked opens */
46995 /* Protect concurent access to :
46996 * o self->open_count
46997 diff -urNp linux-2.6.35.4/include/net/neighbour.h linux-2.6.35.4/include/net/neighbour.h
46998 --- linux-2.6.35.4/include/net/neighbour.h 2010-08-26 19:47:12.000000000 -0400
46999 +++ linux-2.6.35.4/include/net/neighbour.h 2010-09-17 20:12:09.000000000 -0400
47000 @@ -116,12 +116,12 @@ struct neighbour {
47004 - void (*solicit)(struct neighbour *, struct sk_buff*);
47005 - void (*error_report)(struct neighbour *, struct sk_buff*);
47006 - int (*output)(struct sk_buff*);
47007 - int (*connected_output)(struct sk_buff*);
47008 - int (*hh_output)(struct sk_buff*);
47009 - int (*queue_xmit)(struct sk_buff*);
47010 + void (* const solicit)(struct neighbour *, struct sk_buff*);
47011 + void (* const error_report)(struct neighbour *, struct sk_buff*);
47012 + int (* const output)(struct sk_buff*);
47013 + int (* const connected_output)(struct sk_buff*);
47014 + int (* const hh_output)(struct sk_buff*);
47015 + int (* const queue_xmit)(struct sk_buff*);
47018 struct pneigh_entry {
47019 diff -urNp linux-2.6.35.4/include/net/sctp/sctp.h linux-2.6.35.4/include/net/sctp/sctp.h
47020 --- linux-2.6.35.4/include/net/sctp/sctp.h 2010-08-26 19:47:12.000000000 -0400
47021 +++ linux-2.6.35.4/include/net/sctp/sctp.h 2010-09-17 20:12:09.000000000 -0400
47022 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
47024 #else /* SCTP_DEBUG */
47026 -#define SCTP_DEBUG_PRINTK(whatever...)
47027 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
47028 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
47029 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
47030 #define SCTP_ENABLE_DEBUG
47031 #define SCTP_DISABLE_DEBUG
47032 #define SCTP_ASSERT(expr, str, func)
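Review bot: `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` in the same `#else` branch still expand to nothing, so the empty-statement problem fixed here for the two PRINTK macros remains for them: `if (cond) SCTP_ASSERT(...);` still compiles to an `if` with an empty body. For consistency give them the same form, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`. The debug-enabled definitions are outside this hunk, so check that they are statement-like as well before changing the stubs.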
47033 diff -urNp linux-2.6.35.4/include/net/tcp.h linux-2.6.35.4/include/net/tcp.h
47034 --- linux-2.6.35.4/include/net/tcp.h 2010-08-26 19:47:12.000000000 -0400
47035 +++ linux-2.6.35.4/include/net/tcp.h 2010-09-17 20:12:09.000000000 -0400
47036 @@ -1404,6 +1404,7 @@ enum tcp_seq_states {
47037 struct tcp_seq_afinfo {
47039 sa_family_t family;
47040 + /* cannot be const */
47041 struct file_operations seq_fops;
47042 struct seq_operations seq_ops;
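Review bot: The added `/* cannot be const */` does not say why, which is the part a reader needs. If the reason is that `seq_fops` and `seq_ops` are filled in at run time when the afinfo is registered (that code is not in this hunk, so confirm), write it out, e.g. `/* cannot be const: members are assigned when the afinfo is registered */`. As placed, it is also ambiguous whether the comment covers only `seq_fops` or `seq_ops` too. The identical comment added to `struct udp_seq_afinfo` in include/net/udp.h needs the same treatment; both struct bodies continue outside their hunks.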
47044 diff -urNp linux-2.6.35.4/include/net/udp.h linux-2.6.35.4/include/net/udp.h
47045 --- linux-2.6.35.4/include/net/udp.h 2010-08-26 19:47:12.000000000 -0400
47046 +++ linux-2.6.35.4/include/net/udp.h 2010-09-17 20:12:09.000000000 -0400
47047 @@ -221,6 +221,7 @@ struct udp_seq_afinfo {
47049 sa_family_t family;
47050 struct udp_table *udp_table;
47051 + /* cannot be const */
47052 struct file_operations seq_fops;
47053 struct seq_operations seq_ops;
47055 diff -urNp linux-2.6.35.4/include/sound/ac97_codec.h linux-2.6.35.4/include/sound/ac97_codec.h
47056 --- linux-2.6.35.4/include/sound/ac97_codec.h 2010-08-26 19:47:12.000000000 -0400
47057 +++ linux-2.6.35.4/include/sound/ac97_codec.h 2010-09-17 20:12:09.000000000 -0400
47058 @@ -419,15 +419,15 @@
47061 struct snd_ac97_build_ops {
47062 - int (*build_3d) (struct snd_ac97 *ac97);
47063 - int (*build_specific) (struct snd_ac97 *ac97);
47064 - int (*build_spdif) (struct snd_ac97 *ac97);
47065 - int (*build_post_spdif) (struct snd_ac97 *ac97);
47066 + int (* const build_3d) (struct snd_ac97 *ac97);
47067 + int (* const build_specific) (struct snd_ac97 *ac97);
47068 + int (* const build_spdif) (struct snd_ac97 *ac97);
47069 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
47071 - void (*suspend) (struct snd_ac97 *ac97);
47072 - void (*resume) (struct snd_ac97 *ac97);
47073 + void (* const suspend) (struct snd_ac97 *ac97);
47074 + void (* const resume) (struct snd_ac97 *ac97);
47076 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47077 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47080 struct snd_ac97_bus_ops {
47081 @@ -477,7 +477,7 @@ struct snd_ac97_template {
47084 /* -- lowlevel (hardware) driver specific -- */
47085 - struct snd_ac97_build_ops * build_ops;
47086 + const struct snd_ac97_build_ops * build_ops;
47087 void *private_data;
47088 void (*private_free) (struct snd_ac97 *ac97);
47090 diff -urNp linux-2.6.35.4/include/trace/events/irq.h linux-2.6.35.4/include/trace/events/irq.h
47091 --- linux-2.6.35.4/include/trace/events/irq.h 2010-08-26 19:47:12.000000000 -0400
47092 +++ linux-2.6.35.4/include/trace/events/irq.h 2010-09-17 20:12:09.000000000 -0400
47095 TRACE_EVENT(irq_handler_entry,
47097 - TP_PROTO(int irq, struct irqaction *action),
47098 + TP_PROTO(int irq, const struct irqaction *action),
47100 TP_ARGS(irq, action),
47102 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
47104 TRACE_EVENT(irq_handler_exit,
47106 - TP_PROTO(int irq, struct irqaction *action, int ret),
47107 + TP_PROTO(int irq, const struct irqaction *action, int ret),
47109 TP_ARGS(irq, action, ret),
47111 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
47113 DECLARE_EVENT_CLASS(softirq,
47115 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47116 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47120 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
47122 DEFINE_EVENT(softirq, softirq_entry,
47124 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47125 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47129 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
47131 DEFINE_EVENT(softirq, softirq_exit,
47133 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47134 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47138 diff -urNp linux-2.6.35.4/include/video/uvesafb.h linux-2.6.35.4/include/video/uvesafb.h
47139 --- linux-2.6.35.4/include/video/uvesafb.h 2010-08-26 19:47:12.000000000 -0400
47140 +++ linux-2.6.35.4/include/video/uvesafb.h 2010-09-17 20:12:09.000000000 -0400
47141 @@ -177,6 +177,7 @@ struct uvesafb_par {
47142 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
47143 u8 pmi_setpal; /* PMI for palette changes */
47144 u16 *pmi_base; /* protected mode interface location */
47145 + u8 *pmi_code; /* protected mode code location */
47148 u8 *vbe_state_orig; /*
47149 diff -urNp linux-2.6.35.4/init/do_mounts.c linux-2.6.35.4/init/do_mounts.c
47150 --- linux-2.6.35.4/init/do_mounts.c 2010-08-26 19:47:12.000000000 -0400
47151 +++ linux-2.6.35.4/init/do_mounts.c 2010-09-17 20:12:09.000000000 -0400
47152 @@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
47154 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
47156 - int err = sys_mount(name, "/root", fs, flags, data);
47157 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
47161 - sys_chdir("/root");
47162 + sys_chdir((__force char __user *)"/root");
47163 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
47164 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
47165 current->fs->pwd.mnt->mnt_sb->s_type->name,
47166 @@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
47167 va_start(args, fmt);
47168 vsprintf(buf, fmt, args);
47170 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
47171 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
47173 sys_ioctl(fd, FDEJECT, 0);
47176 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
47177 - fd = sys_open("/dev/console", O_RDWR, 0);
47178 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
47180 sys_ioctl(fd, TCGETS, (long)&termios);
47181 termios.c_lflag &= ~ICANON;
47182 sys_ioctl(fd, TCSETSF, (long)&termios);
47183 - sys_read(fd, &c, 1);
47184 + sys_read(fd, (char __user *)&c, 1);
47185 termios.c_lflag |= ICANON;
47186 sys_ioctl(fd, TCSETSF, (long)&termios);
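Review bot: Two of the new casts in this hunk omit `__force`: `(char __user *)"/dev/root"` and `(char __user *)&c`, while every other cast added in this file is written `(__force ... __user *)`. Without `__force` sparse is expected to keep reporting the address-space change, so these two lines retain the warnings the rest of the patch silences. Suggested: `fd = sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. Separately, string literals are cast to `char __user *` in some calls and to `const char __user *` in others across the init/ hunks; using the qualifier of each syscall's prototype would make them uniform. change_floppy's body starts and ends outside the hunk.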
47188 @@ -417,6 +417,6 @@ void __init prepare_namespace(void)
47191 devtmpfs_mount("dev");
47192 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47194 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47195 + sys_chroot((__force char __user *)".");
47197 diff -urNp linux-2.6.35.4/init/do_mounts.h linux-2.6.35.4/init/do_mounts.h
47198 --- linux-2.6.35.4/init/do_mounts.h 2010-08-26 19:47:12.000000000 -0400
47199 +++ linux-2.6.35.4/init/do_mounts.h 2010-09-17 20:12:09.000000000 -0400
47200 @@ -15,15 +15,15 @@ extern int root_mountflags;
47202 static inline int create_dev(char *name, dev_t dev)
47204 - sys_unlink(name);
47205 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
47206 + sys_unlink((__force char __user *)name);
47207 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
47210 #if BITS_PER_LONG == 32
47211 static inline u32 bstat(char *name)
47213 struct stat64 stat;
47214 - if (sys_stat64(name, &stat) != 0)
47215 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
47217 if (!S_ISBLK(stat.st_mode))
47219 diff -urNp linux-2.6.35.4/init/do_mounts_initrd.c linux-2.6.35.4/init/do_mounts_initrd.c
47220 --- linux-2.6.35.4/init/do_mounts_initrd.c 2010-08-26 19:47:12.000000000 -0400
47221 +++ linux-2.6.35.4/init/do_mounts_initrd.c 2010-09-17 20:12:09.000000000 -0400
47222 @@ -43,13 +43,13 @@ static void __init handle_initrd(void)
47223 create_dev("/dev/root.old", Root_RAM0);
47224 /* mount initrd on rootfs' /root */
47225 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
47226 - sys_mkdir("/old", 0700);
47227 - root_fd = sys_open("/", 0, 0);
47228 - old_fd = sys_open("/old", 0, 0);
47229 + sys_mkdir((__force const char __user *)"/old", 0700);
47230 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
47231 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
47232 /* move initrd over / and chdir/chroot in initrd root */
47233 - sys_chdir("/root");
47234 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47236 + sys_chdir((__force const char __user *)"/root");
47237 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47238 + sys_chroot((__force const char __user *)".");
47241 * In case that a resume from disk is carried out by linuxrc or one of
47242 @@ -66,15 +66,15 @@ static void __init handle_initrd(void)
47244 /* move initrd to rootfs' /old */
47245 sys_fchdir(old_fd);
47246 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
47247 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
47248 /* switch root and cwd back to / of rootfs */
47249 sys_fchdir(root_fd);
47251 + sys_chroot((__force const char __user *)".");
47253 sys_close(root_fd);
47255 if (new_decode_dev(real_root_dev) == Root_RAM0) {
47256 - sys_chdir("/old");
47257 + sys_chdir((__force const char __user *)"/old");
47261 @@ -82,17 +82,17 @@ static void __init handle_initrd(void)
47264 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
47265 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
47266 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
47270 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
47271 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
47272 if (error == -ENOENT)
47273 printk("/initrd does not exist. Ignored.\n");
47275 printk("failed\n");
47276 printk(KERN_NOTICE "Unmounting old root\n");
47277 - sys_umount("/old", MNT_DETACH);
47278 + sys_umount((__force char __user *)"/old", MNT_DETACH);
47279 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
47282 @@ -115,11 +115,11 @@ int __init initrd_load(void)
47283 * mounted in the normal path.
47285 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
47286 - sys_unlink("/initrd.image");
47287 + sys_unlink((__force const char __user *)"/initrd.image");
47292 - sys_unlink("/initrd.image");
47293 + sys_unlink((__force const char __user *)"/initrd.image");
47296 diff -urNp linux-2.6.35.4/init/do_mounts_md.c linux-2.6.35.4/init/do_mounts_md.c
47297 --- linux-2.6.35.4/init/do_mounts_md.c 2010-08-26 19:47:12.000000000 -0400
47298 +++ linux-2.6.35.4/init/do_mounts_md.c 2010-09-17 20:12:09.000000000 -0400
47299 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
47300 partitioned ? "_d" : "", minor,
47301 md_setup_args[ent].device_names);
47303 - fd = sys_open(name, 0, 0);
47304 + fd = sys_open((__force char __user *)name, 0, 0);
47306 printk(KERN_ERR "md: open failed - cannot start "
47307 "array %s\n", name);
47308 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
47312 - fd = sys_open(name, 0, 0);
47313 + fd = sys_open((__force char __user *)name, 0, 0);
47314 sys_ioctl(fd, BLKRRPART, 0);
47317 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
47319 wait_for_device_probe();
47321 - fd = sys_open("/dev/md0", 0, 0);
47322 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
47324 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
47326 diff -urNp linux-2.6.35.4/init/initramfs.c linux-2.6.35.4/init/initramfs.c
47327 --- linux-2.6.35.4/init/initramfs.c 2010-08-26 19:47:12.000000000 -0400
47328 +++ linux-2.6.35.4/init/initramfs.c 2010-09-17 20:12:09.000000000 -0400
47329 @@ -74,7 +74,7 @@ static void __init free_hash(void)
47333 -static long __init do_utime(char __user *filename, time_t mtime)
47334 +static long __init do_utime(__force char __user *filename, time_t mtime)
47336 struct timespec t[2];
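Review bot: `__force` on the parameter declaration of `do_utime` looks misplaced: it is an annotation for casts, and every caller changed in this file already casts its argument with `(__force char __user *)`. Unless sparse needs it here for a reason not visible in the hunk, the prototype can stay `static long __init do_utime(char __user *filename, time_t mtime)`. do_utime's body is outside the hunk.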
47338 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
47339 struct dir_entry *de, *tmp;
47340 list_for_each_entry_safe(de, tmp, &dir_list, list) {
47341 list_del(&de->list);
47342 - do_utime(de->name, de->mtime);
47343 + do_utime((__force char __user *)de->name, de->mtime);
47347 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
47349 char *old = find_link(major, minor, ino, mode, collected);
47351 - return (sys_link(old, collected) < 0) ? -1 : 1;
47352 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
47356 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
47360 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
47361 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
47362 if (S_ISDIR(st.st_mode))
47364 + sys_rmdir((__force char __user *)path);
47366 - sys_unlink(path);
47367 + sys_unlink((__force char __user *)path);
47371 @@ -305,7 +305,7 @@ static int __init do_name(void)
47372 int openflags = O_WRONLY|O_CREAT;
47374 openflags |= O_TRUNC;
47375 - wfd = sys_open(collected, openflags, mode);
47376 + wfd = sys_open((__force char __user *)collected, openflags, mode);
47379 sys_fchown(wfd, uid, gid);
47380 @@ -317,17 +317,17 @@ static int __init do_name(void)
47383 } else if (S_ISDIR(mode)) {
47384 - sys_mkdir(collected, mode);
47385 - sys_chown(collected, uid, gid);
47386 - sys_chmod(collected, mode);
47387 + sys_mkdir((__force char __user *)collected, mode);
47388 + sys_chown((__force char __user *)collected, uid, gid);
47389 + sys_chmod((__force char __user *)collected, mode);
47390 dir_add(collected, mtime);
47391 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
47392 S_ISFIFO(mode) || S_ISSOCK(mode)) {
47393 if (maybe_link() == 0) {
47394 - sys_mknod(collected, mode, rdev);
47395 - sys_chown(collected, uid, gid);
47396 - sys_chmod(collected, mode);
47397 - do_utime(collected, mtime);
47398 + sys_mknod((__force char __user *)collected, mode, rdev);
47399 + sys_chown((__force char __user *)collected, uid, gid);
47400 + sys_chmod((__force char __user *)collected, mode);
47401 + do_utime((__force char __user *)collected, mtime);
47405 @@ -336,15 +336,15 @@ static int __init do_name(void)
47406 static int __init do_copy(void)
47408 if (count >= body_len) {
47409 - sys_write(wfd, victim, body_len);
47410 + sys_write(wfd, (__force char __user *)victim, body_len);
47412 - do_utime(vcollected, mtime);
47413 + do_utime((__force char __user *)vcollected, mtime);
47419 - sys_write(wfd, victim, count);
47420 + sys_write(wfd, (__force char __user *)victim, count);
47424 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
47426 collected[N_ALIGN(name_len) + body_len] = '\0';
47427 clean_path(collected, 0);
47428 - sys_symlink(collected + N_ALIGN(name_len), collected);
47429 - sys_lchown(collected, uid, gid);
47430 - do_utime(collected, mtime);
47431 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
47432 + sys_lchown((__force char __user *)collected, uid, gid);
47433 + do_utime((__force char __user *)collected, mtime);
47435 next_state = Reset;
47437 diff -urNp linux-2.6.35.4/init/Kconfig linux-2.6.35.4/init/Kconfig
47438 --- linux-2.6.35.4/init/Kconfig 2010-08-26 19:47:12.000000000 -0400
47439 +++ linux-2.6.35.4/init/Kconfig 2010-09-17 20:12:09.000000000 -0400
47440 @@ -1063,7 +1063,7 @@ config SLUB_DEBUG
47443 bool "Disable heap randomization"
47447 Randomizing heap placement makes heap exploits harder, but it
47448 also breaks ancient binaries (including anything libc5 based).
47449 diff -urNp linux-2.6.35.4/init/main.c linux-2.6.35.4/init/main.c
47450 --- linux-2.6.35.4/init/main.c 2010-08-26 19:47:12.000000000 -0400
47451 +++ linux-2.6.35.4/init/main.c 2010-09-17 20:12:37.000000000 -0400
47452 @@ -98,6 +98,7 @@ static inline void mark_rodata_ro(void)
47454 extern void tc_init(void);
47456 +extern void grsecurity_init(void);
47458 enum system_states system_state __read_mostly;
47459 EXPORT_SYMBOL(system_state);
47460 @@ -200,6 +201,50 @@ static int __init set_reset_devices(char
47462 __setup("reset_devices", set_reset_devices);
47464 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
47465 +extern void pax_enter_kernel_user(void);
47466 +extern void pax_exit_kernel_user(void);
47467 +extern pgdval_t clone_pgd_mask;
47470 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
47471 +static int __init setup_pax_nouderef(char *str)
47473 +#ifdef CONFIG_X86_32
47474 + unsigned int cpu;
47476 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
47477 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
47478 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
47480 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
47481 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
47482 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
47485 + p = (char *)pax_enter_kernel_user;
47487 + p = (char *)pax_exit_kernel_user;
47489 + clone_pgd_mask = ~(pgdval_t)0UL;
47494 +early_param("pax_nouderef", setup_pax_nouderef);
47497 +#ifdef CONFIG_PAX_SOFTMODE
47498 +unsigned int pax_softmode;
47500 +static int __init setup_pax_softmode(char *str)
47502 + get_option(&str, &pax_softmode);
47505 +__setup("pax_softmode=", setup_pax_softmode);
47508 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
47509 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
47510 static const char *panic_later, *panic_param;
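Review bot: `get_option(&str, &pax_softmode)` passes the address of an `unsigned int` where get_option() takes an `int *`, and the parsed value is stored with no range check. Parsing into a local `int` and storing a validated value (only 0 or 1, if the variable is meant as a boolean) avoids the pointer-sign mismatch and keeps an unexpected boot argument out of a security switch. Neither handler has a comment saying that `pax_nouderef` and `pax_softmode=` relax a protection from the kernel command line, which makes the command line part of the trusted boot configuration. Several lines of setup_pax_nouderef() are not visible here, so its body is not reviewed.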
47511 @@ -725,52 +770,53 @@ int initcall_debug;
47512 core_param(initcall_debug, initcall_debug, bool, 0644);
47514 static char msgbuf[64];
47515 -static struct boot_trace_call call;
47516 -static struct boot_trace_ret ret;
47517 +static struct boot_trace_call trace_call;
47518 +static struct boot_trace_ret trace_ret;
47520 int do_one_initcall(initcall_t fn)
47522 int count = preempt_count();
47523 ktime_t calltime, delta, rettime;
47524 + const char *msg1 = "", *msg2 = "";
47526 if (initcall_debug) {
47527 - call.caller = task_pid_nr(current);
47528 - printk("calling %pF @ %i\n", fn, call.caller);
47529 + trace_call.caller = task_pid_nr(current);
47530 + printk("calling %pF @ %i\n", fn, trace_call.caller);
47531 calltime = ktime_get();
47532 - trace_boot_call(&call, fn);
47533 + trace_boot_call(&trace_call, fn);
47534 enable_boot_trace();
47537 - ret.result = fn();
47538 + trace_ret.result = fn();
47540 if (initcall_debug) {
47541 disable_boot_trace();
47542 rettime = ktime_get();
47543 delta = ktime_sub(rettime, calltime);
47544 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47545 - trace_boot_ret(&ret, fn);
47546 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47547 + trace_boot_ret(&trace_ret, fn);
47548 printk("initcall %pF returned %d after %Ld usecs\n", fn,
47549 - ret.result, ret.duration);
47550 + trace_ret.result, trace_ret.duration);
47555 - if (ret.result && ret.result != -ENODEV && initcall_debug)
47556 - sprintf(msgbuf, "error code %d ", ret.result);
47557 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
47558 + sprintf(msgbuf, "error code %d ", trace_ret.result);
47560 if (preempt_count() != count) {
47561 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
47562 + msg1 = " preemption imbalance";
47563 preempt_count() = count;
47565 if (irqs_disabled()) {
47566 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
47567 + msg2 = " disabled interrupts";
47568 local_irq_enable();
47571 - printk("initcall %pF returned with %s\n", fn, msgbuf);
47572 + if (msgbuf[0] || *msg1 || *msg2) {
47573 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
47576 - return ret.result;
47577 + return trace_ret.result;
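Review bot: The error text is still written with `sprintf(msgbuf, ...)` into the 64-byte static `msgbuf`; `snprintf(msgbuf, sizeof(msgbuf), "error code %d ", trace_ret.result);` states the bound at the call instead of leaving it implied by the format. With the new `%s%s%s` format, the trailing space in `"error code %d "` followed by the leading space in `" preemption imbalance"` prints a double space; dropping the trailing space from the first string fixes that. The new `msgbuf[0]` test depends on `msgbuf` being cleared before each call, and that reset is not visible in this hunk.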
47581 @@ -902,7 +948,7 @@ static int __init kernel_init(void * unu
47584 /* Open the /dev/console on the rootfs, this should never fail */
47585 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
47586 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
47587 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
47590 @@ -915,11 +961,13 @@ static int __init kernel_init(void * unu
47591 if (!ramdisk_execute_command)
47592 ramdisk_execute_command = "/init";
47594 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
47595 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
47596 ramdisk_execute_command = NULL;
47597 prepare_namespace();
47600 + grsecurity_init();
47603 * Ok, we have completed the initial bootup, and
47604 * we're essentially up and running. Get rid of the
47605 diff -urNp linux-2.6.35.4/init/noinitramfs.c linux-2.6.35.4/init/noinitramfs.c
47606 --- linux-2.6.35.4/init/noinitramfs.c 2010-08-26 19:47:12.000000000 -0400
47607 +++ linux-2.6.35.4/init/noinitramfs.c 2010-09-17 20:12:09.000000000 -0400
47608 @@ -29,17 +29,17 @@ static int __init default_rootfs(void)
47612 - err = sys_mkdir("/dev", 0755);
47613 + err = sys_mkdir((const char __user *)"/dev", 0755);
47617 - err = sys_mknod((const char __user *) "/dev/console",
47618 + err = sys_mknod((__force const char __user *) "/dev/console",
47619 S_IFCHR | S_IRUSR | S_IWUSR,
47620 new_encode_dev(MKDEV(5, 1)));
47624 - err = sys_mkdir("/root", 0700);
47625 + err = sys_mkdir((const char __user *)"/root", 0700);
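Review bot: The two `sys_mkdir()` casts omit `__force` while the `sys_mknod()` cast in the same hunk has it, so the address-space override is annotated inconsistently and the checker will presumably still warn on the `sys_mkdir()` lines. Use one form for all three, e.g. `err = sys_mkdir((__force const char __user *)"/dev", 0755);` and the same for `"/root"`. default_rootfs() starts and ends outside the hunk.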
47629 diff -urNp linux-2.6.35.4/ipc/mqueue.c linux-2.6.35.4/ipc/mqueue.c
47630 --- linux-2.6.35.4/ipc/mqueue.c 2010-08-26 19:47:12.000000000 -0400
47631 +++ linux-2.6.35.4/ipc/mqueue.c 2010-09-17 20:12:37.000000000 -0400
47632 @@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
47633 mq_bytes = (mq_msg_tblsz +
47634 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
47636 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
47637 spin_lock(&mq_lock);
47638 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
47639 u->mq_bytes + mq_bytes >
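Review bot: `gr_learn_resource()` reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken, so the value it records can differ from the one the limit check below uses. The sum `u->mq_bytes + mq_bytes` is also passed on before the wrap test on the following lines has run. Moving the call into the locked region, after the overflow check, would make the learned value match what is enforced; whether gr_learn_resource() may run with a spinlock held is not visible here and needs confirming. mqueue_get_inode() continues outside the hunk.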
47640 diff -urNp linux-2.6.35.4/ipc/shm.c linux-2.6.35.4/ipc/shm.c
47641 --- linux-2.6.35.4/ipc/shm.c 2010-08-26 19:47:12.000000000 -0400
47642 +++ linux-2.6.35.4/ipc/shm.c 2010-09-17 20:12:37.000000000 -0400
47643 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
47644 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
47647 +#ifdef CONFIG_GRKERNSEC
47648 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47649 + const time_t shm_createtime, const uid_t cuid,
47650 + const int shmid);
47651 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47652 + const time_t shm_createtime);
47655 void shm_init_ns(struct ipc_namespace *ns)
47657 ns->shm_ctlmax = SHMMAX;
47658 @@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
47659 shp->shm_lprid = 0;
47660 shp->shm_atim = shp->shm_dtim = 0;
47661 shp->shm_ctim = get_seconds();
47662 +#ifdef CONFIG_GRKERNSEC
47664 + struct timespec timeval;
47665 + do_posix_clock_monotonic_gettime(&timeval);
47667 + shp->shm_createtime = timeval.tv_sec;
47670 shp->shm_segsz = size;
47671 shp->shm_nattch = 0;
47672 shp->shm_file = file;
47673 @@ -877,9 +893,21 @@ long do_shmat(int shmid, char __user *sh
47677 +#ifdef CONFIG_GRKERNSEC
47678 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
47679 + shp->shm_perm.cuid, shmid) ||
47680 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
47686 path = shp->shm_file->f_path;
47689 +#ifdef CONFIG_GRKERNSEC
47690 + shp->shm_lapid = current->pid;
47692 size = i_size_read(path.dentry->d_inode);
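Review bot: `shp->shm_lapid = current->pid` records a per-thread id, while the checks above pass it alongside `shm_cprid`. If `shm_cprid` holds a thread-group id as seen in the creator's pid namespace (its assignment is not visible here), the two fields live in different id spaces and a comparison between them can give the wrong answer for threaded or namespaced callers. Confirm which id the gr_ helpers expect and add a comment on the assignment saying what `shm_lapid` means and which lock protects it. The denial path between the check and `path = ...` is not visible in this view.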
47695 diff -urNp linux-2.6.35.4/kernel/acct.c linux-2.6.35.4/kernel/acct.c
47696 --- linux-2.6.35.4/kernel/acct.c 2010-08-26 19:47:12.000000000 -0400
47697 +++ linux-2.6.35.4/kernel/acct.c 2010-09-17 20:12:09.000000000 -0400
47698 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
47700 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
47701 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
47702 - file->f_op->write(file, (char *)&ac,
47703 + file->f_op->write(file, (__force char __user *)&ac,
47704 sizeof(acct_t), &file->f_pos);
47705 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
47707 diff -urNp linux-2.6.35.4/kernel/capability.c linux-2.6.35.4/kernel/capability.c
47708 --- linux-2.6.35.4/kernel/capability.c 2010-08-26 19:47:12.000000000 -0400
47709 +++ linux-2.6.35.4/kernel/capability.c 2010-09-17 20:12:37.000000000 -0400
47710 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
47711 * before modification is attempted and the application
47714 + if (tocopy > ARRAY_SIZE(kdata))
47717 if (copy_to_user(dataptr, kdata, tocopy
47718 * sizeof(struct __user_cap_data_struct))) {
47720 @@ -306,10 +309,21 @@ int capable(int cap)
47724 - if (security_capable(cap) == 0) {
47725 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
47726 + current->flags |= PF_SUPERPRIV;
47732 +int capable_nolog(int cap)
47734 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
47735 current->flags |= PF_SUPERPRIV;
47741 EXPORT_SYMBOL(capable);
47742 +EXPORT_SYMBOL(capable_nolog);
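Review bot: capable_nolog() is exported next to capable() but has no kerneldoc, and its visible body repeats capable()'s test with only the gr_ helper swapped. Add a comment stating that it performs the same check through `gr_is_capable_nolog()`, still sets `PF_SUPERPRIV` on success, and when a caller should choose it over capable(). Parts of both functions are missing from this view, so whether the argument validation at the top of capable() is repeated in capable_nolog() could not be checked.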
47743 diff -urNp linux-2.6.35.4/kernel/compat.c linux-2.6.35.4/kernel/compat.c
47744 --- linux-2.6.35.4/kernel/compat.c 2010-08-26 19:47:12.000000000 -0400
47745 +++ linux-2.6.35.4/kernel/compat.c 2010-09-17 20:12:37.000000000 -0400
47748 #include <linux/linkage.h>
47749 #include <linux/compat.h>
47750 +#include <linux/module.h>
47751 #include <linux/errno.h>
47752 #include <linux/time.h>
47753 #include <linux/signal.h>
47754 @@ -1137,3 +1138,24 @@ compat_sys_sysinfo(struct compat_sysinfo
47760 + * Allocate user-space memory for the duration of a single system call,
47761 + * in order to marshall parameters inside a compat thunk.
47763 +void __user *compat_alloc_user_space(unsigned long len)
47765 + void __user *ptr;
47767 + /* If len would occupy more than half of the entire compat space... */
47768 + if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
47771 + ptr = arch_compat_alloc_user_space(len);
47773 + if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
47778 +EXPORT_SYMBOL_GPL(compat_alloc_user_space);
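Review bot: The new compat_alloc_user_space() has two failure paths (an oversized `len`, and `access_ok()` rejecting the range), but its header comment does not say what a caller receives in those cases; the return statements are not visible in this view. Add a sentence such as `Returns NULL if len is too large or the area is not writable user memory; callers must check the result.`, adjusted if the failure value is not NULL. Stating the contract at the definition matters because the function is exported and every compat thunk depends on it.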
47779 diff -urNp linux-2.6.35.4/kernel/configs.c linux-2.6.35.4/kernel/configs.c
47780 --- linux-2.6.35.4/kernel/configs.c 2010-08-26 19:47:12.000000000 -0400
47781 +++ linux-2.6.35.4/kernel/configs.c 2010-09-17 20:12:37.000000000 -0400
47782 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
47783 struct proc_dir_entry *entry;
47785 /* create the current config file */
47786 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
47787 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
47788 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
47789 + &ikconfig_file_ops);
47790 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47791 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
47792 + &ikconfig_file_ops);
47795 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
47796 &ikconfig_file_ops);
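Review bot: The `proc_create("config.gz", ...)` call is now written three times, differing only in the mode bits, so a later change can update one branch and miss the others. Select the mode in the preprocessor block and keep a single call: a local `mode_t mode` set to `S_IFREG | S_IRUSR`, `S_IFREG | S_IRUSR | S_IRGRP` or `S_IFREG | S_IRUGO`, followed by `entry = proc_create("config.gz", mode, NULL, &ikconfig_file_ops);`. A comment on the nested `#if` saying which option yields which visibility would help, since CONFIG_GRKERNSEC_HIDESYM appears in both conditions. ikconfig_init() ends outside the hunk.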
47802 diff -urNp linux-2.6.35.4/kernel/cred.c linux-2.6.35.4/kernel/cred.c
47803 --- linux-2.6.35.4/kernel/cred.c 2010-08-26 19:47:12.000000000 -0400
47804 +++ linux-2.6.35.4/kernel/cred.c 2010-09-17 20:12:37.000000000 -0400
47805 @@ -489,6 +489,8 @@ int commit_creds(struct cred *new)
47807 get_cred(new); /* we will require a ref for the subj creds too */
47809 + gr_set_role_label(task, new->uid, new->gid);
47811 /* dumpability changes */
47812 if (old->euid != new->euid ||
47813 old->egid != new->egid ||
47814 diff -urNp linux-2.6.35.4/kernel/debug/debug_core.c linux-2.6.35.4/kernel/debug/debug_core.c
47815 --- linux-2.6.35.4/kernel/debug/debug_core.c 2010-08-26 19:47:12.000000000 -0400
47816 +++ linux-2.6.35.4/kernel/debug/debug_core.c 2010-09-17 20:12:09.000000000 -0400
47817 @@ -71,7 +71,7 @@ int kgdb_io_module_registered;
47818 /* Guard for recursive entry */
47819 static int exception_level;
47821 -struct kgdb_io *dbg_io_ops;
47822 +const struct kgdb_io *dbg_io_ops;
47823 static DEFINE_SPINLOCK(kgdb_registration_lock);
47825 /* kgdb console driver is loaded */
47826 @@ -871,7 +871,7 @@ static void kgdb_initial_breakpoint(void
47828 * Register it with the KGDB core.
47830 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
47831 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
47835 @@ -916,7 +916,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
47837 * Unregister it with the KGDB core.
47839 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
47840 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
47842 BUG_ON(kgdb_connected);
47844 diff -urNp linux-2.6.35.4/kernel/debug/kdb/kdb_main.c linux-2.6.35.4/kernel/debug/kdb/kdb_main.c
47845 --- linux-2.6.35.4/kernel/debug/kdb/kdb_main.c 2010-08-26 19:47:12.000000000 -0400
47846 +++ linux-2.6.35.4/kernel/debug/kdb/kdb_main.c 2010-09-17 20:12:09.000000000 -0400
47847 @@ -1872,7 +1872,7 @@ static int kdb_lsmod(int argc, const cha
47848 list_for_each_entry(mod, kdb_modules, list) {
47850 kdb_printf("%-20s%8u 0x%p ", mod->name,
47851 - mod->core_size, (void *)mod);
47852 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
47853 #ifdef CONFIG_MODULE_UNLOAD
47854 kdb_printf("%4d ", module_refcount(mod));
47856 @@ -1882,7 +1882,7 @@ static int kdb_lsmod(int argc, const cha
47857 kdb_printf(" (Loading)");
47859 kdb_printf(" (Live)");
47860 - kdb_printf(" 0x%p", mod->module_core);
47861 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
47863 #ifdef CONFIG_MODULE_UNLOAD
47865 diff -urNp linux-2.6.35.4/kernel/exit.c linux-2.6.35.4/kernel/exit.c
47866 --- linux-2.6.35.4/kernel/exit.c 2010-08-26 19:47:12.000000000 -0400
47867 +++ linux-2.6.35.4/kernel/exit.c 2010-09-17 20:13:49.000000000 -0400
47869 #include <asm/pgtable.h>
47870 #include <asm/mmu_context.h>
47872 +#ifdef CONFIG_GRKERNSEC
47873 +extern rwlock_t grsec_exec_file_lock;
47876 static void exit_mm(struct task_struct * tsk);
47878 static void __unhash_process(struct task_struct *p, bool group_dead)
47879 @@ -162,6 +166,8 @@ void release_task(struct task_struct * p
47880 struct task_struct *leader;
47883 + gr_del_task_from_ip_table(p);
47885 tracehook_prepare_release_task(p);
47886 /* don't need to get the RCU readlock here - the process is dead and
47887 * can't be modifying its own credentials. But shut RCU-lockdep up */
47888 @@ -331,11 +337,22 @@ static void reparent_to_kthreadd(void)
47890 write_lock_irq(&tasklist_lock);
47892 +#ifdef CONFIG_GRKERNSEC
47893 + write_lock(&grsec_exec_file_lock);
47894 + if (current->exec_file) {
47895 + fput(current->exec_file);
47896 + current->exec_file = NULL;
47898 + write_unlock(&grsec_exec_file_lock);
47901 ptrace_unlink(current);
47902 /* Reparent to init */
47903 current->real_parent = current->parent = kthreadd_task;
47904 list_move_tail(¤t->sibling, ¤t->real_parent->children);
47906 + gr_set_kernel_label(current);
47908 /* Set the exit signal to SIGCHLD so we signal init on exit */
47909 current->exit_signal = SIGCHLD;
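Review bot: `fput(current->exec_file)` runs while `grsec_exec_file_lock` is write-held, and in reparent_to_kthreadd() also inside `write_lock_irq(&tasklist_lock)`. If that call drops the last reference, the final file release happens in atomic context, where it is not generally safe. Detach the pointer under the lock and drop the reference after unlocking, as sketched below. In reparent_to_kthreadd() the `fput()` would additionally have to wait until tasklist_lock is released, which happens outside this hunk. The same block is repeated in the daemonize() hunk further down, so a small shared helper would keep the two copies from drifting.

```c
#ifdef CONFIG_GRKERNSEC
	{
		struct file *exec_file;

		write_lock(&grsec_exec_file_lock);
		exec_file = current->exec_file;
		current->exec_file = NULL;
		write_unlock(&grsec_exec_file_lock);
		/* drop the reference only after the lock is released */
		if (exec_file)
			fput(exec_file);
	}
#endif
```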
47911 @@ -387,7 +404,7 @@ int allow_signal(int sig)
47912 * know it'll be handled, so that they don't get converted to
47913 * SIGKILL or just silently dropped.
47915 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
47916 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
47917 recalc_sigpending();
47918 spin_unlock_irq(¤t->sighand->siglock);
47920 @@ -423,6 +440,17 @@ void daemonize(const char *name, ...)
47921 vsnprintf(current->comm, sizeof(current->comm), name, args);
47924 +#ifdef CONFIG_GRKERNSEC
47925 + write_lock(&grsec_exec_file_lock);
47926 + if (current->exec_file) {
47927 + fput(current->exec_file);
47928 + current->exec_file = NULL;
47930 + write_unlock(&grsec_exec_file_lock);
47933 + gr_set_kernel_label(current);
47936 * If we were started as result of loading a module, close all of the
47937 * user space pages. We don't need them, and if we didn't close them
47938 @@ -960,6 +988,9 @@ NORET_TYPE void do_exit(long code)
47939 tsk->exit_code = code;
47940 taskstats_exit(tsk, group_dead);
47942 + gr_acl_handle_psacct(tsk, code);
47943 + gr_acl_handle_exit();
47948 diff -urNp linux-2.6.35.4/kernel/fork.c linux-2.6.35.4/kernel/fork.c
47949 --- linux-2.6.35.4/kernel/fork.c 2010-08-26 19:47:12.000000000 -0400
47950 +++ linux-2.6.35.4/kernel/fork.c 2010-09-17 20:12:37.000000000 -0400
47951 @@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
47952 *stackend = STACK_END_MAGIC; /* for overflow detection */
47954 #ifdef CONFIG_CC_STACKPROTECTOR
47955 - tsk->stack_canary = get_random_int();
47956 + tsk->stack_canary = pax_get_random_long();
47959 /* One for us, one for whoever does the "release_task()" (usually parent) */
47960 @@ -298,13 +298,78 @@ out:
47964 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
47966 + struct vm_area_struct *tmp;
47967 + unsigned long charge;
47968 + struct mempolicy *pol;
47969 + struct file *file;
47972 + if (mpnt->vm_flags & VM_ACCOUNT) {
47973 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
47974 + if (security_vm_enough_memory(len))
47978 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
47983 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
47984 + pol = mpol_dup(vma_policy(mpnt));
47986 + goto fail_nomem_policy;
47987 + vma_set_policy(tmp, pol);
47988 + if (anon_vma_fork(tmp, mpnt))
47989 + goto fail_nomem_anon_vma_fork;
47990 + tmp->vm_flags &= ~VM_LOCKED;
47991 + tmp->vm_next = NULL;
47992 + tmp->vm_mirror = NULL;
47993 + file = tmp->vm_file;
47995 + struct inode *inode = file->f_path.dentry->d_inode;
47996 + struct address_space *mapping = file->f_mapping;
47999 + if (tmp->vm_flags & VM_DENYWRITE)
48000 + atomic_dec(&inode->i_writecount);
48001 + spin_lock(&mapping->i_mmap_lock);
48002 + if (tmp->vm_flags & VM_SHARED)
48003 + mapping->i_mmap_writable++;
48004 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
48005 + flush_dcache_mmap_lock(mapping);
48006 + /* insert tmp into the share list, just after mpnt */
48007 + vma_prio_tree_add(tmp, mpnt);
48008 + flush_dcache_mmap_unlock(mapping);
48009 + spin_unlock(&mapping->i_mmap_lock);
48013 + * Clear hugetlb-related page reserves for children. This only
48014 + * affects MAP_PRIVATE mappings. Faults generated by the child
48015 + * are not guaranteed to succeed, even if read-only
48017 + if (is_vm_hugetlb_page(tmp))
48018 + reset_vma_resv_huge_pages(tmp);
48022 +fail_nomem_anon_vma_fork:
48024 +fail_nomem_policy:
48025 + kmem_cache_free(vm_area_cachep, tmp);
48027 + vm_unacct_memory(charge);
48031 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
48033 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
48034 struct rb_node **rb_link, *rb_parent;
48036 - unsigned long charge;
48037 - struct mempolicy *pol;
48039 down_write(&oldmm->mmap_sem);
48040 flush_cache_dup_mm(oldmm);
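Review bot: dup_vma() sets `tmp->vm_next = NULL` but no longer clears `vm_prev`, which the code it replaces did with `tmp->vm_next = tmp->vm_prev = NULL;` (removed further down in dup_mmap()). The new vma presumably keeps the parent's `vm_prev` until the caller relinks it, and that relinking is outside the visible hunks. Either restore the combined assignment or confirm that `vm_prev` is overwritten before the vma becomes reachable. The helper also has no comment describing its failure return or which cleanup label undoes which step. Several lines of dup_vma() are missing from this view.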
48041 @@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
48044 mm->mmap_cache = NULL;
48045 - mm->free_area_cache = oldmm->mmap_base;
48046 - mm->cached_hole_size = ~0UL;
48047 + mm->free_area_cache = oldmm->free_area_cache;
48048 + mm->cached_hole_size = oldmm->cached_hole_size;
48050 cpumask_clear(mm_cpumask(mm));
48051 mm->mm_rb = RB_ROOT;
48052 @@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
48055 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
48056 - struct file *file;
48058 if (mpnt->vm_flags & VM_DONTCOPY) {
48059 long pages = vma_pages(mpnt);
48060 mm->total_vm -= pages;
48061 @@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
48066 - if (mpnt->vm_flags & VM_ACCOUNT) {
48067 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48068 - if (security_vm_enough_memory(len))
48072 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48076 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
48077 - pol = mpol_dup(vma_policy(mpnt));
48078 - retval = PTR_ERR(pol);
48080 - goto fail_nomem_policy;
48081 - vma_set_policy(tmp, pol);
48082 - if (anon_vma_fork(tmp, mpnt))
48083 - goto fail_nomem_anon_vma_fork;
48084 - tmp->vm_flags &= ~VM_LOCKED;
48086 - tmp->vm_next = tmp->vm_prev = NULL;
48087 - file = tmp->vm_file;
48089 - struct inode *inode = file->f_path.dentry->d_inode;
48090 - struct address_space *mapping = file->f_mapping;
48093 - if (tmp->vm_flags & VM_DENYWRITE)
48094 - atomic_dec(&inode->i_writecount);
48095 - spin_lock(&mapping->i_mmap_lock);
48096 - if (tmp->vm_flags & VM_SHARED)
48097 - mapping->i_mmap_writable++;
48098 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
48099 - flush_dcache_mmap_lock(mapping);
48100 - /* insert tmp into the share list, just after mpnt */
48101 - vma_prio_tree_add(tmp, mpnt);
48102 - flush_dcache_mmap_unlock(mapping);
48103 - spin_unlock(&mapping->i_mmap_lock);
48104 + tmp = dup_vma(mm, mpnt);
48106 + retval = -ENOMEM;
48111 - * Clear hugetlb-related page reserves for children. This only
48112 - * affects MAP_PRIVATE mappings. Faults generated by the child
48113 - * are not guaranteed to succeed, even if read-only
48115 - if (is_vm_hugetlb_page(tmp))
48116 - reset_vma_resv_huge_pages(tmp);
48119 * Link in the new vma and copy the page table entries.
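Review bot: After the refactor every dup_vma() failure is reported as `retval = -ENOMEM`, whereas the removed code propagated `PTR_ERR(pol)` from mpol_dup(). If mpol_dup() can only fail with -ENOMEM the two are equivalent, but that is not visible here. Otherwise have dup_vma() return an ERR_PTR and use `retval = PTR_ERR(tmp);` at the call site. The test guarding the new assignment is not visible in this view.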
48122 @@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
48127 +#ifdef CONFIG_PAX_SEGMEXEC
48128 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
48129 + struct vm_area_struct *mpnt_m;
48131 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
48132 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
48134 + if (!mpnt->vm_mirror)
48137 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
48138 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
48139 + mpnt->vm_mirror = mpnt_m;
48141 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
48142 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
48143 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
48144 + mpnt->vm_mirror->vm_mirror = mpnt;
48151 /* a new mm has just been created */
48152 arch_dup_mmap(oldmm, mm);
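Review bot: The mirror fix-up loop advances `mpnt` and `mpnt_m` in lock-step, which assumes the child list holds one vma for every parent vma, but the copy loop earlier in dup_mmap() has a `VM_DONTCOPY` branch that appears to skip the copy. If such a vma can exist in a SEGMEXEC task, the pairs go out of step and one of the `BUG_ON()` checks stops the kernel on the fork path. Either skip `VM_DONTCOPY` entries on the parent side here or document why they cannot occur. The combined `BUG_ON(!mpnt_m || mpnt_m->vm_mirror || ...)` would also be easier to diagnose split into one assertion per invariant. Some lines of the loop are not visible in this view.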
48154 @@ -417,14 +462,6 @@ out:
48155 flush_tlb_mm(oldmm);
48156 up_write(&oldmm->mmap_sem);
48158 -fail_nomem_anon_vma_fork:
48160 -fail_nomem_policy:
48161 - kmem_cache_free(vm_area_cachep, tmp);
48163 - retval = -ENOMEM;
48164 - vm_unacct_memory(charge);
48168 static inline int mm_alloc_pgd(struct mm_struct * mm)
48169 @@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
48170 write_unlock(&fs->lock);
48174 + atomic_inc(&fs->users);
48175 write_unlock(&fs->lock);
48178 tsk->fs = copy_fs_struct(fs);
48181 + gr_set_chroot_entries(tsk, &tsk->fs->root);
48185 @@ -1019,10 +1057,13 @@ static struct task_struct *copy_process(
48187 if (!vx_nproc_avail(1))
48188 goto bad_fork_free;
48190 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
48192 if (atomic_read(&p->real_cred->user->processes) >=
48193 task_rlimit(p, RLIMIT_NPROC)) {
48194 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
48195 - p->real_cred->user != INIT_USER)
48196 + if (p->real_cred->user != INIT_USER &&
48197 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
48198 goto bad_fork_free;
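Review bot: The reordering puts `p->real_cred->user != INIT_USER` ahead of the two `capable()` calls, but nothing says why the order matters. capable() has side effects (it sets `PF_SUPERPRIV` on success, as the capability.c hunk shows, and presumably reports through the gr_ hook), so a comment such as `/* test INIT_USER first so capable() runs only when it can change the outcome */` would keep a later cleanup from swapping the operands back. copy_process() extends well beyond this hunk.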
48201 @@ -1176,6 +1217,8 @@ static struct task_struct *copy_process(
48202 goto bad_fork_free_pid;
48205 + gr_copy_label(p);
48207 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
48209 * Clear TID on mm_release()?
48210 @@ -1328,6 +1371,8 @@ bad_fork_cleanup_count:
48214 + gr_log_forkfail(retval);
48216 return ERR_PTR(retval);
48219 @@ -1433,6 +1478,8 @@ long do_fork(unsigned long clone_flags,
48220 if (clone_flags & CLONE_PARENT_SETTID)
48221 put_user(nr, parent_tidptr);
48223 + gr_handle_brute_check();
48225 if (clone_flags & CLONE_VFORK) {
48226 p->vfork_done = &vfork;
48227 init_completion(&vfork);
48228 @@ -1557,7 +1604,7 @@ static int unshare_fs(unsigned long unsh
48231 /* don't need lock here; in the worst case we'll do useless copy */
48232 - if (fs->users == 1)
48233 + if (atomic_read(&fs->users) == 1)
48236 *new_fsp = copy_fs_struct(fs);
48237 @@ -1680,7 +1727,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
48239 write_lock(&fs->lock);
48240 current->fs = new_fs;
48242 + gr_set_chroot_entries(current, ¤t->fs->root);
48243 + if (atomic_dec_return(&fs->users))
48247 diff -urNp linux-2.6.35.4/kernel/futex.c linux-2.6.35.4/kernel/futex.c
48248 --- linux-2.6.35.4/kernel/futex.c 2010-08-26 19:47:12.000000000 -0400
48249 +++ linux-2.6.35.4/kernel/futex.c 2010-09-17 20:12:37.000000000 -0400
48251 #include <linux/mount.h>
48252 #include <linux/pagemap.h>
48253 #include <linux/syscalls.h>
48254 +#include <linux/ptrace.h>
48255 #include <linux/signal.h>
48256 #include <linux/module.h>
48257 #include <linux/magic.h>
48258 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
48262 +#ifdef CONFIG_PAX_SEGMEXEC
48263 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
48268 * The futex address must be "naturally" aligned.
48270 @@ -1843,7 +1849,7 @@ retry:
48272 restart = ¤t_thread_info()->restart_block;
48273 restart->fn = futex_wait_restart;
48274 - restart->futex.uaddr = (u32 *)uaddr;
48275 + restart->futex.uaddr = uaddr;
48276 restart->futex.val = val;
48277 restart->futex.time = abs_time->tv64;
48278 restart->futex.bitset = bitset;
48279 @@ -2376,7 +2382,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48281 struct robust_list_head __user *head;
48283 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48284 const struct cred *cred = current_cred(), *pcred;
48287 if (!futex_cmpxchg_enabled)
48289 @@ -2392,11 +2400,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48293 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48294 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48297 pcred = __task_cred(p);
48298 if (cred->euid != pcred->euid &&
48299 cred->euid != pcred->uid &&
48300 !capable(CAP_SYS_PTRACE))
48303 head = p->robust_list;
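Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` check is compiled in only with CONFIG_GRKERNSEC_PROC_MEMMAP, so the same syscall has two permission models chosen by an `#ifdef` inside the function body. The construction is repeated in compat_sys_get_robust_list() in futex_compat.c. A single static helper that takes the target task and says whether the caller may read its robust list would keep both entry points in agreement and move the conditional out of the syscall bodies. `cred` and `pcred` are declared under `#ifndef` in an earlier hunk, so the declaration and its use are tied together only by matching conditionals. The locking around the lookup of `p` is not visible here.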
48306 @@ -2458,7 +2471,7 @@ retry:
48308 static inline int fetch_robust_entry(struct robust_list __user **entry,
48309 struct robust_list __user * __user *head,
48311 + unsigned int *pi)
48313 unsigned long uentry;
48315 diff -urNp linux-2.6.35.4/kernel/futex_compat.c linux-2.6.35.4/kernel/futex_compat.c
48316 --- linux-2.6.35.4/kernel/futex_compat.c 2010-08-26 19:47:12.000000000 -0400
48317 +++ linux-2.6.35.4/kernel/futex_compat.c 2010-09-17 20:12:37.000000000 -0400
48319 #include <linux/compat.h>
48320 #include <linux/nsproxy.h>
48321 #include <linux/futex.h>
48322 +#include <linux/ptrace.h>
48324 #include <asm/uaccess.h>
48326 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
48328 struct compat_robust_list_head __user *head;
48330 - const struct cred *cred = current_cred(), *pcred;
48331 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48332 + const struct cred *cred = current_cred();
48333 + const struct cred *pcred;
48336 if (!futex_cmpxchg_enabled)
48338 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
48342 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48343 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48346 pcred = __task_cred(p);
48347 if (cred->euid != pcred->euid &&
48348 cred->euid != pcred->uid &&
48349 !capable(CAP_SYS_PTRACE))
48352 head = p->compat_robust_list;
48355 diff -urNp linux-2.6.35.4/kernel/gcov/base.c linux-2.6.35.4/kernel/gcov/base.c
48356 --- linux-2.6.35.4/kernel/gcov/base.c 2010-08-26 19:47:12.000000000 -0400
48357 +++ linux-2.6.35.4/kernel/gcov/base.c 2010-09-17 20:12:09.000000000 -0400
48358 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
48361 #ifdef CONFIG_MODULES
48362 -static inline int within(void *addr, void *start, unsigned long size)
48364 - return ((addr >= start) && (addr < start + size));
48367 /* Update list and generate events when modules are unloaded. */
48368 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
48370 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
48372 /* Remove entries located in module from linked list. */
48373 for (info = gcov_info_head; info; info = info->next) {
48374 - if (within(info, mod->module_core, mod->core_size)) {
48375 + if (within_module_core_rw((unsigned long)info, mod)) {
48377 prev->next = info->next;
48379 diff -urNp linux-2.6.35.4/kernel/hrtimer.c linux-2.6.35.4/kernel/hrtimer.c
48380 --- linux-2.6.35.4/kernel/hrtimer.c 2010-08-26 19:47:12.000000000 -0400
48381 +++ linux-2.6.35.4/kernel/hrtimer.c 2010-09-17 20:12:09.000000000 -0400
48382 @@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
48383 local_irq_restore(flags);
48386 -static void run_hrtimer_softirq(struct softirq_action *h)
48387 +static void run_hrtimer_softirq(void)
48389 hrtimer_peek_ahead_timers();
48391 diff -urNp linux-2.6.35.4/kernel/kallsyms.c linux-2.6.35.4/kernel/kallsyms.c
48392 --- linux-2.6.35.4/kernel/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
48393 +++ linux-2.6.35.4/kernel/kallsyms.c 2010-09-17 20:12:37.000000000 -0400
48395 * Changed the compression method from stem compression to "table lookup"
48396 * compression (see scripts/kallsyms.c for a more complete description)
48398 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48399 +#define __INCLUDED_BY_HIDESYM 1
48401 #include <linux/kallsyms.h>
48402 #include <linux/module.h>
48403 #include <linux/init.h>
48404 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
48406 static inline int is_kernel_inittext(unsigned long addr)
48408 + if (system_state != SYSTEM_BOOTING)
48411 if (addr >= (unsigned long)_sinittext
48412 && addr <= (unsigned long)_einittext)
48417 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48418 +#ifdef CONFIG_MODULES
48419 +static inline int is_module_text(unsigned long addr)
48421 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
48424 + addr = ktla_ktva(addr);
48425 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
48428 +static inline int is_module_text(unsigned long addr)
48435 static inline int is_kernel_text(unsigned long addr)
48437 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
48438 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
48440 static inline int is_kernel(unsigned long addr)
48443 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48444 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
48447 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
48449 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
48453 return in_gate_area_no_task(addr);
48456 static int is_ksym_addr(unsigned long addr)
48459 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48460 + if (is_module_text(addr))
48465 return is_kernel(addr);
48467 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
48469 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
48471 - iter->name[0] = '\0';
48472 iter->nameoff = get_symbol_offset(new_pos);
48473 iter->pos = new_pos;
48475 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
48477 struct kallsym_iter *iter = m->private;
48479 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48480 + if (current_uid())
48484 /* Some debugging symbols have no name. Ignore them. */
48485 if (!iter->name[0])
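Review bot: The `current_uid()` test in s_show() decides on the identity of whoever is reading at that moment rather than on who opened the file, and it compares against uid 0 instead of a capability. Recording the decision at open time, in kallsyms_open() where the iterator is allocated (next hunk), would bind it to the opener. A comment should also state what a non-root reader sees, since the statement under the `if` is not visible in this view. s_show() continues outside the hunk.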
48487 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
48488 struct kallsym_iter *iter;
48491 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
48492 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
48495 reset_iter(iter, 0);
48496 diff -urNp linux-2.6.35.4/kernel/kmod.c linux-2.6.35.4/kernel/kmod.c
48497 --- linux-2.6.35.4/kernel/kmod.c 2010-08-26 19:47:12.000000000 -0400
48498 +++ linux-2.6.35.4/kernel/kmod.c 2010-09-17 20:12:37.000000000 -0400
48499 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
48503 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
48504 + /* we could do a tighter check here, but some distros
48505 + are taking it upon themselves to remove CAP_SYS_MODULE
48506 + from even root-running apps which cause modules to be
48509 + if (current_uid()) {
48510 + gr_log_nonroot_mod_load(module_name);
48515 /* If modprobe needs a service that is in a module, we get a recursive
48516 * loop. Limit the number of running kmod threads to max_threads/2 or
48517 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
48518 diff -urNp linux-2.6.35.4/kernel/kprobes.c linux-2.6.35.4/kernel/kprobes.c
48519 --- linux-2.6.35.4/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
48520 +++ linux-2.6.35.4/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
48521 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
48522 * kernel image and loaded module images reside. This is required
48523 * so x86_64 can correctly handle the %rip-relative fixups.
48525 - kip->insns = module_alloc(PAGE_SIZE);
48526 + kip->insns = module_alloc_exec(PAGE_SIZE);
48530 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
48532 if (!list_is_singular(&kip->list)) {
48533 list_del(&kip->list);
48534 - module_free(NULL, kip->insns);
48535 + module_free_exec(NULL, kip->insns);
48539 @@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
48542 unsigned long offset = 0, size = 0;
48543 - char *modname, namebuf[128];
48544 + char *modname, namebuf[KSYM_NAME_LEN];
48545 const char *symbol_name;
48547 struct kprobe_blackpoint *kb;
48548 @@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
48549 const char *sym = NULL;
48550 unsigned int i = *(loff_t *) v;
48551 unsigned long offset = 0;
48552 - char *modname, namebuf[128];
48553 + char *modname, namebuf[KSYM_NAME_LEN];
48555 head = &kprobe_table[i];
48557 diff -urNp linux-2.6.35.4/kernel/lockdep.c linux-2.6.35.4/kernel/lockdep.c
48558 --- linux-2.6.35.4/kernel/lockdep.c 2010-08-26 19:47:12.000000000 -0400
48559 +++ linux-2.6.35.4/kernel/lockdep.c 2010-09-17 20:12:09.000000000 -0400
48560 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
48561 end = (unsigned long) &_end,
48562 addr = (unsigned long) obj;
48564 +#ifdef CONFIG_PAX_KERNEXEC
48565 + start = ktla_ktva(start);
48571 @@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
48572 if (!static_obj(lock->key)) {
48574 printk("INFO: trying to register non-static key.\n");
48575 + printk("lock:%pS key:%pS.\n", lock, lock->key);
48576 printk("the code is fine but needs lockdep annotation.\n");
48577 printk("turning off the locking correctness validator.\n");
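Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key);` hands data pointers to `%pS`, and when an address resolves to no symbol (the key here has just failed static_obj()) `%pS` normally falls back to printing the raw address. That writes a heap or stack address into the kernel log on a path that the address-hiding options in this same patch (CONFIG_GRKERNSEC_HIDESYM, CONFIG_GRKERNSEC_DMESG) are meant to protect; whether the patch also changes `%pS` formatting is not visible here. Consider wrapping the line in `#ifndef CONFIG_GRKERNSEC_HIDESYM` / `#endif`, or add a comment stating that the disclosure is accepted for this debugging message. The new line also has no `KERN_` level, which matches its neighbours.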
48579 diff -urNp linux-2.6.35.4/kernel/lockdep_proc.c linux-2.6.35.4/kernel/lockdep_proc.c
48580 --- linux-2.6.35.4/kernel/lockdep_proc.c 2010-08-26 19:47:12.000000000 -0400
48581 +++ linux-2.6.35.4/kernel/lockdep_proc.c 2010-09-17 20:12:09.000000000 -0400
48582 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
48584 static void print_name(struct seq_file *m, struct lock_class *class)
48587 + char str[KSYM_NAME_LEN];
48588 const char *name = class->name;
48591 diff -urNp linux-2.6.35.4/kernel/module.c linux-2.6.35.4/kernel/module.c
48592 --- linux-2.6.35.4/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
48593 +++ linux-2.6.35.4/kernel/module.c 2010-09-17 20:12:37.000000000 -0400
48594 @@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
48596 /* Bounds of module allocation, for speeding __module_address.
48597 * Protected by module_mutex. */
48598 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
48599 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
48600 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
48602 int register_module_notifier(struct notifier_block * nb)
48604 @@ -250,7 +251,7 @@ bool each_symbol(bool (*fn)(const struct
48607 list_for_each_entry_rcu(mod, &modules, list) {
48608 - struct symsearch arr[] = {
48609 + struct symsearch modarr[] = {
48610 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
48611 NOT_GPL_ONLY, false },
48612 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
48613 @@ -272,7 +273,7 @@ bool each_symbol(bool (*fn)(const struct
48617 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
48618 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
48622 @@ -383,7 +384,7 @@ static inline void __percpu *mod_percpu(
48623 static int percpu_modalloc(struct module *mod,
48624 unsigned long size, unsigned long align)
48626 - if (align > PAGE_SIZE) {
48627 + if (align-1 >= PAGE_SIZE) {
48628 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
48629 mod->name, align, PAGE_SIZE);
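Review bot: With `align-1 >= PAGE_SIZE` a zero alignment now takes the warning branch as well, since `align` is `unsigned long` and `align-1` wraps, but the message still reads "per-cpu alignment %li > %li" and would report `0 > PAGE_SIZE`. The condition deserves a comment stating the intent, for example `/* align - 1 wraps for align == 0, so a zero alignment is rejected too */`, and the warning text could be reworded to cover both cases. The rest of the branch is outside the hunk, so what happens after the warning is not visible here.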
48631 @@ -1562,7 +1563,8 @@ static void free_module(struct module *m
48632 destroy_params(mod->kp, mod->num_kp);
48634 /* This may be NULL, but that's OK */
48635 - module_free(mod, mod->module_init);
48636 + module_free(mod, mod->module_init_rw);
48637 + module_free_exec(mod, mod->module_init_rx);
48639 percpu_modfree(mod);
48640 #if defined(CONFIG_MODULE_UNLOAD)
48641 @@ -1570,10 +1572,12 @@ static void free_module(struct module *m
48642 free_percpu(mod->refptr);
48644 /* Free lock-classes: */
48645 - lockdep_free_key_range(mod->module_core, mod->core_size);
48646 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
48647 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
48649 /* Finally, free the core (containing the module structure) */
48650 - module_free(mod, mod->module_core);
48651 + module_free_exec(mod, mod->module_core_rx);
48652 + module_free(mod, mod->module_core_rw);
48655 update_protections(current->mm);
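Review bot: The comment "Finally, free the core (containing the module structure)" now sits above two frees, and `mod->module_core_rw` is read after `module_free_exec(mod, mod->module_core_rx)` has already run. That order is only safe if struct module lives in the rw region, which the section split elsewhere in this patch suggests (writable sections go to `core_size_rw`) but this hunk does not state. The comment should say it outright, e.g. `/* struct module lives in module_core_rw, so that region is freed last */`. The error path of load_module() later in this file relies on the same ordering.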
48656 @@ -1670,7 +1674,9 @@ static int simplify_symbols(Elf_Shdr *se
48658 /* Ok if resolved. */
48659 if (ksym && !IS_ERR(ksym)) {
48660 + pax_open_kernel();
48661 sym[i].st_value = ksym->value;
48662 + pax_close_kernel();
48666 @@ -1690,7 +1696,9 @@ static int simplify_symbols(Elf_Shdr *se
48667 secbase = (unsigned long)mod_percpu(mod);
48669 secbase = sechdrs[sym[i].st_shndx].sh_addr;
48670 + pax_open_kernel();
48671 sym[i].st_value += secbase;
48672 + pax_close_kernel();
48676 @@ -1751,11 +1759,12 @@ static void layout_sections(struct modul
48677 || s->sh_entsize != ~0UL
48678 || strstarts(secstrings + s->sh_name, ".init"))
48680 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
48681 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48682 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
48684 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
48685 DEBUGP("\t%s\n", secstrings + s->sh_name);
48688 - mod->core_text_size = mod->core_size;
48691 DEBUGP("Init section allocation order:\n");
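Review bot: The placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is spelled out here for core sections, again in the next hunk for init sections, and twice more in load_module() where the sections are copied. Layout and copy have to agree for every section, otherwise a section is copied to an offset that was computed for the other region. One helper would keep them in step, e.g. `static inline bool sect_goes_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. layout_sections() starts and ends outside the hunk.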
48692 @@ -1768,12 +1777,13 @@ static void layout_sections(struct modul
48693 || s->sh_entsize != ~0UL
48694 || !strstarts(secstrings + s->sh_name, ".init"))
48696 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
48697 - | INIT_OFFSET_MASK);
48698 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48699 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
48701 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
48702 + s->sh_entsize |= INIT_OFFSET_MASK;
48703 DEBUGP("\t%s\n", secstrings + s->sh_name);
48706 - mod->init_text_size = mod->init_size;
48710 @@ -1877,9 +1887,8 @@ static int is_exported(const char *name,
48713 static char elf_type(const Elf_Sym *sym,
48714 - Elf_Shdr *sechdrs,
48715 - const char *secstrings,
48716 - struct module *mod)
48717 + const Elf_Shdr *sechdrs,
48718 + const char *secstrings)
48720 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
48721 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
48722 @@ -1954,7 +1963,7 @@ static unsigned long layout_symtab(struc
48724 /* Put symbol section at end of init part of module. */
48725 symsect->sh_flags |= SHF_ALLOC;
48726 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
48727 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
48728 symindex) | INIT_OFFSET_MASK;
48729 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
48731 @@ -1971,19 +1980,19 @@ static unsigned long layout_symtab(struc
48734 /* Append room for core symbols at end of core part. */
48735 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
48736 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
48737 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
48738 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
48740 /* Put string table section at end of init part of module. */
48741 strsect->sh_flags |= SHF_ALLOC;
48742 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
48743 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
48744 strindex) | INIT_OFFSET_MASK;
48745 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
48747 /* Append room for core symbols' strings at end of core part. */
48748 - *pstroffs = mod->core_size;
48749 + *pstroffs = mod->core_size_rx;
48750 __set_bit(0, strmap);
48751 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
48752 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
48756 @@ -2007,12 +2016,14 @@ static void add_kallsyms(struct module *
48757 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
48758 mod->strtab = (void *)sechdrs[strindex].sh_addr;
48760 + pax_open_kernel();
48762 /* Set types up while we still have access to sections. */
48763 for (i = 0; i < mod->num_symtab; i++)
48764 mod->symtab[i].st_info
48765 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
48766 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
48768 - mod->core_symtab = dst = mod->module_core + symoffs;
48769 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
48772 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
48773 @@ -2024,10 +2035,12 @@ static void add_kallsyms(struct module *
48775 mod->core_num_syms = ndst;
48777 - mod->core_strtab = s = mod->module_core + stroffs;
48778 + mod->core_strtab = s = mod->module_core_rx + stroffs;
48779 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
48780 if (test_bit(i, strmap))
48781 *++s = mod->strtab[i];
48783 + pax_close_kernel();
48786 static inline unsigned long layout_symtab(struct module *mod,
48787 @@ -2070,17 +2083,33 @@ static void dynamic_debug_remove(struct
48788 ddebug_remove_module(debug->modname);
48791 -static void *module_alloc_update_bounds(unsigned long size)
48792 +static void *module_alloc_update_bounds_rw(unsigned long size)
48794 void *ret = module_alloc(size);
48797 mutex_lock(&module_mutex);
48798 /* Update module bounds. */
48799 - if ((unsigned long)ret < module_addr_min)
48800 - module_addr_min = (unsigned long)ret;
48801 - if ((unsigned long)ret + size > module_addr_max)
48802 - module_addr_max = (unsigned long)ret + size;
48803 + if ((unsigned long)ret < module_addr_min_rw)
48804 + module_addr_min_rw = (unsigned long)ret;
48805 + if ((unsigned long)ret + size > module_addr_max_rw)
48806 + module_addr_max_rw = (unsigned long)ret + size;
48807 + mutex_unlock(&module_mutex);
48812 +static void *module_alloc_update_bounds_rx(unsigned long size)
48814 + void *ret = module_alloc_exec(size);
48817 + mutex_lock(&module_mutex);
48818 + /* Update module bounds. */
48819 + if ((unsigned long)ret < module_addr_min_rx)
48820 + module_addr_min_rx = (unsigned long)ret;
48821 + if ((unsigned long)ret + size > module_addr_max_rx)
48822 + module_addr_max_rx = (unsigned long)ret + size;
48823 mutex_unlock(&module_mutex);
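Review bot: module_alloc_update_bounds_rw() and module_alloc_update_bounds_rx() are the same body copied twice, differing only in the allocator and in which pair of bounds they widen. Since __module_address() and __module_text_address() trust these bounds to reject addresses early, a fix applied to one copy and not the other would make a lookup miss silently. Passing the bounds by pointer to one shared helper removes the duplication. Some lines of both functions are not visible in the hunk and are left as they are in the sketch below.

```c
/* Widen [*min, *max] to cover a new allocation; takes module_mutex. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	/* … unchanged: lines before the lock … */
		module_update_bounds(ret, size,
				     &module_addr_min_rx, &module_addr_max_rx);
	/* … unchanged: remainder of the function; the _rw variant passes the _rw bounds … */
```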
48826 @@ -2284,7 +2313,7 @@ static noinline struct module *load_modu
48827 secstrings, &stroffs, strmap);
48829 /* Do the allocs. */
48830 - ptr = module_alloc_update_bounds(mod->core_size);
48831 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
48833 * The pointer to this block is stored in the module structure
48834 * which is inside the block. Just mark it as not being a
48835 @@ -2295,23 +2324,47 @@ static noinline struct module *load_modu
48839 - memset(ptr, 0, mod->core_size);
48840 - mod->module_core = ptr;
48841 + memset(ptr, 0, mod->core_size_rw);
48842 + mod->module_core_rw = ptr;
48844 - ptr = module_alloc_update_bounds(mod->init_size);
48845 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
48847 * The pointer to this block is stored in the module structure
48848 * which is inside the block. This block doesn't need to be
48849 * scanned as it contains data and code that will be freed
48850 * after the module is initialized.
48852 - kmemleak_ignore(ptr);
48853 - if (!ptr && mod->init_size) {
48854 + kmemleak_not_leak(ptr);
48855 + if (!ptr && mod->init_size_rw) {
48857 + goto free_core_rw;
48859 + memset(ptr, 0, mod->init_size_rw);
48860 + mod->module_init_rw = ptr;
48862 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
48863 + kmemleak_not_leak(ptr);
48866 + goto free_init_rw;
48869 + pax_open_kernel();
48870 + memset(ptr, 0, mod->core_size_rx);
48871 + pax_close_kernel();
48872 + mod->module_core_rx = ptr;
48874 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
48875 + kmemleak_not_leak(ptr);
48876 + if (!ptr && mod->init_size_rx) {
48879 + goto free_core_rx;
48881 - memset(ptr, 0, mod->init_size);
48882 - mod->module_init = ptr;
48884 + pax_open_kernel();
48885 + memset(ptr, 0, mod->init_size_rx);
48886 + pax_close_kernel();
48887 + mod->module_init_rx = ptr;
48889 /* Transfer each section which specifies SHF_ALLOC */
48890 DEBUGP("final section addresses:\n");
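Review bot: `kmemleak_not_leak(ptr)` replaces `kmemleak_ignore(ptr)` for the init block, but the retained comment above it still says the block "doesn't need to be scanned". `kmemleak_not_leak()` only suppresses the leak report and keeps the block in the scan set, whereas `kmemleak_ignore()` did both, so the comment and the call now disagree. Either keep `kmemleak_ignore(ptr);` for the init regions, or change the comment to explain why they are scanned now. load_module() starts and ends outside the hunk.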
48891 @@ -2321,17 +2374,41 @@ static noinline struct module *load_modu
48892 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
48895 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
48896 - dest = mod->module_init
48897 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48899 - dest = mod->module_core + sechdrs[i].sh_entsize;
48900 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
48901 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48902 + dest = mod->module_init_rw
48903 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48905 + dest = mod->module_init_rx
48906 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48908 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48909 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
48911 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
48914 + if (sechdrs[i].sh_type != SHT_NOBITS) {
48916 - if (sechdrs[i].sh_type != SHT_NOBITS)
48917 - memcpy(dest, (void *)sechdrs[i].sh_addr,
48918 - sechdrs[i].sh_size);
48919 +#ifdef CONFIG_PAX_KERNEXEC
48920 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
48921 + pax_open_kernel();
48922 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48923 + pax_close_kernel();
48927 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48929 /* Update sh_addr to point to copy in image. */
48930 - sechdrs[i].sh_addr = (unsigned long)dest;
48932 +#ifdef CONFIG_PAX_KERNEXEC
48933 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
48934 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
48938 + sechdrs[i].sh_addr = (unsigned long)dest;
48939 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
48941 /* Module has been moved. */
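Review bot: The `!(sechdrs[i].sh_flags & SHF_ALLOC)` operand in the two destination tests looks unreachable, because the first line of the loop body in this hunk already tests `!(sechdrs[i].sh_flags & SHF_ALLOC)` (its statement is not visible, presumably `continue`). The KERNEXEC `memcpy` guard then re-tests the same flags in negated form, and the `sh_addr` fix-up keys on `SHF_EXECINSTR` instead, so a reader has to reconcile three predicates. Reducing the destination choice to `if (sechdrs[i].sh_flags & SHF_WRITE)` and adding a comment such as `/* only executable sections get the ktla alias; read-only data keeps its real address */` would make the intent checkable. The loop begins outside the hunk.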
48942 @@ -2342,7 +2419,7 @@ static noinline struct module *load_modu
48943 mod->refptr = alloc_percpu(struct module_ref);
48944 if (!mod->refptr) {
48947 + goto free_init_rx;
48950 /* Now we've moved module, initialize linked lists, etc. */
48951 @@ -2452,8 +2529,8 @@ static noinline struct module *load_modu
48953 /* Now do relocations. */
48954 for (i = 1; i < hdr->e_shnum; i++) {
48955 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
48956 unsigned int info = sechdrs[i].sh_info;
48957 + strtab = (char *)sechdrs[strindex].sh_addr;
48959 /* Not a valid relocation section? */
48960 if (info >= hdr->e_shnum)
48961 @@ -2503,12 +2580,12 @@ static noinline struct module *load_modu
48962 * Do it before processing of module parameters, so the module
48963 * can provide parameter accessor functions of its own.
48965 - if (mod->module_init)
48966 - flush_icache_range((unsigned long)mod->module_init,
48967 - (unsigned long)mod->module_init
48968 - + mod->init_size);
48969 - flush_icache_range((unsigned long)mod->module_core,
48970 - (unsigned long)mod->module_core + mod->core_size);
48971 + if (mod->module_init_rx)
48972 + flush_icache_range((unsigned long)mod->module_init_rx,
48973 + (unsigned long)mod->module_init_rx
48974 + + mod->init_size_rx);
48975 + flush_icache_range((unsigned long)mod->module_core_rx,
48976 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
48980 @@ -2574,12 +2651,16 @@ static noinline struct module *load_modu
48982 module_unload_free(mod);
48983 #if defined(CONFIG_MODULE_UNLOAD)
48985 free_percpu(mod->refptr);
48988 - module_free(mod, mod->module_init);
48990 - module_free(mod, mod->module_core);
48991 + module_free_exec(mod, mod->module_init_rx);
48993 + module_free_exec(mod, mod->module_core_rx);
48995 + module_free(mod, mod->module_init_rw);
48997 + module_free(mod, mod->module_core_rw);
48998 /* mod will be freed with core. Don't access it beyond this line! */
49000 free_percpu(percpu);
49001 @@ -2669,10 +2750,12 @@ SYSCALL_DEFINE3(init_module, void __user
49002 mod->symtab = mod->core_symtab;
49003 mod->strtab = mod->core_strtab;
49005 - module_free(mod, mod->module_init);
49006 - mod->module_init = NULL;
49007 - mod->init_size = 0;
49008 - mod->init_text_size = 0;
49009 + module_free(mod, mod->module_init_rw);
49010 + module_free_exec(mod, mod->module_init_rx);
49011 + mod->module_init_rw = NULL;
49012 + mod->module_init_rx = NULL;
49013 + mod->init_size_rw = 0;
49014 + mod->init_size_rx = 0;
49015 mutex_unlock(&module_mutex);
49018 @@ -2703,10 +2786,16 @@ static const char *get_ksymbol(struct mo
49019 unsigned long nextval;
49021 /* At worse, next value is at end of module */
49022 - if (within_module_init(addr, mod))
49023 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
49024 + if (within_module_init_rx(addr, mod))
49025 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
49026 + else if (within_module_init_rw(addr, mod))
49027 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
49028 + else if (within_module_core_rx(addr, mod))
49029 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
49030 + else if (within_module_core_rw(addr, mod))
49031 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
49033 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
49036 /* Scan for closest preceeding symbol, and next symbol. (ELF
49037 starts real symbols at 1). */
49038 @@ -2952,7 +3041,7 @@ static int m_show(struct seq_file *m, vo
49041 seq_printf(m, "%s %u",
49042 - mod->name, mod->init_size + mod->core_size);
49043 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
49044 print_unload_info(m, mod);
49046 /* Informative for users. */
49047 @@ -2961,7 +3050,7 @@ static int m_show(struct seq_file *m, vo
49048 mod->state == MODULE_STATE_COMING ? "Loading":
49050 /* Used by oprofile and other similar tools. */
49051 - seq_printf(m, " 0x%p", mod->module_core);
49052 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
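Review bot: Printing two addresses with `" 0x%p 0x%p"` adds a column to every /proc/modules line, and the comment directly above says the value is "Used by oprofile and other similar tools". A parser that takes the address as the last field, or expects a fixed field count, would misread the line; which consumers exist is not visible here. If the rw base is needed, the format change should be documented in place, e.g. `/* rx base, then rw base: one more column than mainline */`; otherwise keeping only `mod->module_core_rx` preserves the format. m_show() continues outside the hunk.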
49056 @@ -2997,7 +3086,17 @@ static const struct file_operations proc
49058 static int __init proc_modules_init(void)
49060 +#ifndef CONFIG_GRKERNSEC_HIDESYM
49061 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49062 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49063 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49064 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
49066 proc_create("modules", 0, NULL, &proc_modules_operations);
49069 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49073 module_init(proc_modules_init);
49074 @@ -3056,12 +3155,12 @@ struct module *__module_address(unsigned
49076 struct module *mod;
49078 - if (addr < module_addr_min || addr > module_addr_max)
49079 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
49080 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
49083 list_for_each_entry_rcu(mod, &modules, list)
49084 - if (within_module_core(addr, mod)
49085 - || within_module_init(addr, mod))
49086 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
49090 @@ -3095,11 +3194,20 @@ bool is_module_text_address(unsigned lon
49092 struct module *__module_text_address(unsigned long addr)
49094 - struct module *mod = __module_address(addr);
49095 + struct module *mod;
49097 +#ifdef CONFIG_X86_32
49098 + addr = ktla_ktva(addr);
49101 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
49104 + mod = __module_address(addr);
49107 /* Make sure it's within the text section. */
49108 - if (!within(addr, mod->module_init, mod->init_text_size)
49109 - && !within(addr, mod->module_core, mod->core_text_size))
49110 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
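Review bot: `addr = ktla_ktva(addr);` is guarded by `#ifdef CONFIG_X86_32` alone, while the is_kernel() and is_ksym_addr() hunks earlier in this patch guard their KERNEXEC code with `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)`. If `ktla_ktva()` is an identity mapping without KERNEXEC the result is the same, but that definition is not visible here, and the differing guards make it look as if the translation applies to every 32-bit build. Using the same guard, `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)`, would make the dependency explicit. Several lines of __module_text_address() are not shown in the hunk.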
49114 diff -urNp linux-2.6.35.4/kernel/panic.c linux-2.6.35.4/kernel/panic.c
49115 --- linux-2.6.35.4/kernel/panic.c 2010-08-26 19:47:12.000000000 -0400
49116 +++ linux-2.6.35.4/kernel/panic.c 2010-09-17 20:12:09.000000000 -0400
49117 @@ -429,7 +429,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
49119 void __stack_chk_fail(void)
49121 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
49123 + panic("stack-protector: Kernel stack is corrupted in: %pS\n",
49124 __builtin_return_address(0));
49126 EXPORT_SYMBOL(__stack_chk_fail);
49127 diff -urNp linux-2.6.35.4/kernel/pid.c linux-2.6.35.4/kernel/pid.c
49128 --- linux-2.6.35.4/kernel/pid.c 2010-08-26 19:47:12.000000000 -0400
49129 +++ linux-2.6.35.4/kernel/pid.c 2010-09-17 20:12:37.000000000 -0400
49131 #include <linux/rculist.h>
49132 #include <linux/bootmem.h>
49133 #include <linux/hash.h>
49134 +#include <linux/security.h>
49135 #include <linux/pid_namespace.h>
49136 #include <linux/init_task.h>
49137 #include <linux/syscalls.h>
49138 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
49140 int pid_max = PID_MAX_DEFAULT;
49142 -#define RESERVED_PIDS 300
49143 +#define RESERVED_PIDS 500
49145 int pid_max_min = RESERVED_PIDS + 1;
49146 int pid_max_max = PID_MAX_LIMIT;
49147 @@ -382,7 +383,14 @@ EXPORT_SYMBOL(pid_task);
49149 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
49151 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49152 + struct task_struct *task;
49154 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49156 + if (gr_pid_is_chrooted(task))
49162 struct task_struct *find_task_by_vpid(pid_t vnr)
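Review bot: `gr_pid_is_chrooted(task)` is called with whatever `pid_task()` returned, and that is NULL when the pid does not exist; no NULL test is visible between the assignment and the call. Unless gr_pid_is_chrooted() checks for NULL itself (its definition is outside this hunk), a lookup of a nonexistent pid would dereference a NULL pointer in a function that most pid-based syscalls go through. Either guard the call, `if (task && gr_pid_is_chrooted(task))`, or add a comment stating that the helper accepts NULL. The remaining lines of find_task_by_pid_ns() are not shown in the hunk.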
49163 diff -urNp linux-2.6.35.4/kernel/posix-cpu-timers.c linux-2.6.35.4/kernel/posix-cpu-timers.c
49164 --- linux-2.6.35.4/kernel/posix-cpu-timers.c 2010-08-26 19:47:12.000000000 -0400
49165 +++ linux-2.6.35.4/kernel/posix-cpu-timers.c 2010-09-17 20:12:37.000000000 -0400
49167 #include <linux/posix-timers.h>
49168 #include <linux/errno.h>
49169 #include <linux/math64.h>
49170 +#include <linux/security.h>
49171 #include <asm/uaccess.h>
49172 #include <linux/kernel_stat.h>
49173 #include <trace/events/timer.h>
49174 @@ -972,6 +973,7 @@ static void check_thread_timers(struct t
49175 unsigned long hard =
49176 ACCESS_ONCE(sig->rlim[RLIMIT_RTTIME].rlim_max);
49178 + gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout * (USEC_PER_SEC/HZ), 1);
49179 if (hard != RLIM_INFINITY &&
49180 tsk->rt.timeout > DIV_ROUND_UP(hard, USEC_PER_SEC/HZ)) {
49182 @@ -1138,6 +1140,7 @@ static void check_process_timers(struct
49183 unsigned long hard =
49184 ACCESS_ONCE(sig->rlim[RLIMIT_CPU].rlim_max);
49186 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
49187 if (psecs >= hard) {
49189 * At the hard limit, we just die.
49190 diff -urNp linux-2.6.35.4/kernel/power/hibernate.c linux-2.6.35.4/kernel/power/hibernate.c
49191 --- linux-2.6.35.4/kernel/power/hibernate.c 2010-08-26 19:47:12.000000000 -0400
49192 +++ linux-2.6.35.4/kernel/power/hibernate.c 2010-09-17 20:12:09.000000000 -0400
49193 @@ -50,14 +50,14 @@ enum {
49195 static int hibernation_mode = HIBERNATION_SHUTDOWN;
49197 -static struct platform_hibernation_ops *hibernation_ops;
49198 +static const struct platform_hibernation_ops *hibernation_ops;
49201 * hibernation_set_ops - set the global hibernate operations
49202 * @ops: the hibernation operations to use in subsequent hibernation transitions
49205 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
49206 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
49208 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
49209 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
49210 diff -urNp linux-2.6.35.4/kernel/power/poweroff.c linux-2.6.35.4/kernel/power/poweroff.c
49211 --- linux-2.6.35.4/kernel/power/poweroff.c 2010-08-26 19:47:12.000000000 -0400
49212 +++ linux-2.6.35.4/kernel/power/poweroff.c 2010-09-17 20:12:09.000000000 -0400
49213 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
49214 .enable_mask = SYSRQ_ENABLE_BOOT,
49217 -static int pm_sysrq_init(void)
49218 +static int __init pm_sysrq_init(void)
49220 register_sysrq_key('o', &sysrq_poweroff_op);
49222 diff -urNp linux-2.6.35.4/kernel/power/process.c linux-2.6.35.4/kernel/power/process.c
49223 --- linux-2.6.35.4/kernel/power/process.c 2010-08-26 19:47:12.000000000 -0400
49224 +++ linux-2.6.35.4/kernel/power/process.c 2010-09-17 20:12:09.000000000 -0400
49225 @@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
49226 struct timeval start, end;
49227 u64 elapsed_csecs64;
49228 unsigned int elapsed_csecs;
49229 + bool timedout = false;
49231 do_gettimeofday(&start);
49233 end_time = jiffies + TIMEOUT;
49236 + if (time_after(jiffies, end_time))
49238 read_lock(&tasklist_lock);
49239 do_each_thread(g, p) {
49240 if (frozen(p) || !freezeable(p))
49241 @@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
49242 * It is "frozen enough". If the task does wake
49243 * up, it will immediately call try_to_freeze.
49245 - if (!task_is_stopped_or_traced(p) &&
49246 - !freezer_should_skip(p))
49247 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
49250 + printk(KERN_ERR "Task refusing to freeze:\n");
49251 + sched_show_task(p);
49254 } while_each_thread(g, p);
49255 read_unlock(&tasklist_lock);
49256 - if (!todo || time_after(jiffies, end_time))
49257 + if (!todo || timedout)
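Review bot: The new `printk(KERN_ERR "Task refusing to freeze:\n");` and `sched_show_task(p);` run inside the `do_each_thread` walk, between the `read_lock(&tasklist_lock)` in the previous hunk and the `read_unlock(&tasklist_lock)` here, so one stack dump per stuck task is written to the console with the lock held. The condition guarding the two calls is not visible in the hunk, though the `timedout` flag suggests this happens only on the final pass. That should be stated next to the calls, e.g. `/* final pass only: dumps are printed under tasklist_lock */`, so nobody enables the dump on every iteration later. try_to_freeze_tasks() starts and ends outside the hunk.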
49261 diff -urNp linux-2.6.35.4/kernel/power/suspend.c linux-2.6.35.4/kernel/power/suspend.c
49262 --- linux-2.6.35.4/kernel/power/suspend.c 2010-08-26 19:47:12.000000000 -0400
49263 +++ linux-2.6.35.4/kernel/power/suspend.c 2010-09-17 20:12:09.000000000 -0400
49264 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
49265 [PM_SUSPEND_MEM] = "mem",
49268 -static struct platform_suspend_ops *suspend_ops;
49269 +static const struct platform_suspend_ops *suspend_ops;
49272 * suspend_set_ops - Set the global suspend method table.
49273 * @ops: Pointer to ops structure.
49275 -void suspend_set_ops(struct platform_suspend_ops *ops)
49276 +void suspend_set_ops(const struct platform_suspend_ops *ops)
49278 mutex_lock(&pm_mutex);
49280 diff -urNp linux-2.6.35.4/kernel/printk.c linux-2.6.35.4/kernel/printk.c
49281 --- linux-2.6.35.4/kernel/printk.c 2010-08-26 19:47:12.000000000 -0400
49282 +++ linux-2.6.35.4/kernel/printk.c 2010-09-17 20:12:37.000000000 -0400
49283 @@ -266,6 +266,11 @@ int do_syslog(int type, char __user *buf
49287 +#ifdef CONFIG_GRKERNSEC_DMESG
49288 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
49292 error = security_syslog(type, from_file);
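Review bot: The added test `grsec_enable_dmesg && !capable(CAP_SYS_ADMIN)` runs before `security_syslog(type, from_file)` and looks at neither `type` nor `from_file`, so it also applies to reads through an already-open /proc/kmsg descriptor. If the security hook treats those reads specially (its body is not visible here), a logging daemon that opens the file as root and then drops privileges would start failing once this option is on. If that is intended, the check should say so, e.g. `/* applies to every syslog action, including reads on an already-open /proc/kmsg */`. The statement under the new `if` is not shown in the hunk.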
49295 diff -urNp linux-2.6.35.4/kernel/ptrace.c linux-2.6.35.4/kernel/ptrace.c
49296 --- linux-2.6.35.4/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
49297 +++ linux-2.6.35.4/kernel/ptrace.c 2010-09-17 20:12:37.000000000 -0400
49298 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
49299 cred->gid != tcred->egid ||
49300 cred->gid != tcred->sgid ||
49301 cred->gid != tcred->gid) &&
49302 - !capable(CAP_SYS_PTRACE)) {
49303 + !capable_nolog(CAP_SYS_PTRACE)) {
49307 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
49310 dumpable = get_dumpable(task->mm);
49311 - if (!dumpable && !capable(CAP_SYS_PTRACE))
49312 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
49315 return security_ptrace_access_check(task, mode);
49316 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
49317 goto unlock_tasklist;
49319 task->ptrace = PT_PTRACED;
49320 - if (capable(CAP_SYS_PTRACE))
49321 + if (capable_nolog(CAP_SYS_PTRACE))
49322 task->ptrace |= PT_PTRACE_CAP;
49324 __ptrace_link(task, current);
49325 @@ -361,7 +361,7 @@ int ptrace_readdata(struct task_struct *
49329 - if (copy_to_user(dst, buf, retval))
49330 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
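Review bot: `retval > sizeof(buf)` compares what appears to be a signed value (its declaration is outside the hunk) with a `size_t`, so a negative `retval` is rejected only because it converts to a very large unsigned number. The bound is a sound guard in front of `copy_to_user(dst, buf, retval)`, which would otherwise copy kernel stack past `buf`, but the intent is easier to audit spelled out: `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`. The rest of ptrace_readdata() is not visible here, so the matching path in the write direction could not be compared.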
49334 @@ -572,18 +572,18 @@ int ptrace_request(struct task_struct *c
49335 ret = ptrace_setoptions(child, data);
49337 case PTRACE_GETEVENTMSG:
49338 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
49339 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
49342 case PTRACE_GETSIGINFO:
49343 ret = ptrace_getsiginfo(child, &siginfo);
49345 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
49346 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
49350 case PTRACE_SETSIGINFO:
49351 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
49352 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
49356 @@ -703,14 +703,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
49360 + if (gr_handle_ptrace(child, request)) {
49362 + goto out_put_task_struct;
49365 if (request == PTRACE_ATTACH) {
49366 ret = ptrace_attach(child);
49368 * Some architectures need to do book-keeping after
49373 arch_ptrace_attach(child);
49374 + gr_audit_ptrace(child);
49376 goto out_put_task_struct;
49379 diff -urNp linux-2.6.35.4/kernel/rcutree.c linux-2.6.35.4/kernel/rcutree.c
49380 --- linux-2.6.35.4/kernel/rcutree.c 2010-08-26 19:47:12.000000000 -0400
49381 +++ linux-2.6.35.4/kernel/rcutree.c 2010-09-17 20:12:09.000000000 -0400
49382 @@ -1356,7 +1356,7 @@ __rcu_process_callbacks(struct rcu_state
49384 * Do softirq processing for the current CPU.
49386 -static void rcu_process_callbacks(struct softirq_action *unused)
49387 +static void rcu_process_callbacks(void)
49390 * Memory references from any prior RCU read-side critical sections
49391 diff -urNp linux-2.6.35.4/kernel/resource.c linux-2.6.35.4/kernel/resource.c
49392 --- linux-2.6.35.4/kernel/resource.c 2010-08-26 19:47:12.000000000 -0400
49393 +++ linux-2.6.35.4/kernel/resource.c 2010-09-17 20:12:37.000000000 -0400
49394 @@ -133,8 +133,18 @@ static const struct file_operations proc
49396 static int __init ioresources_init(void)
49398 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49399 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49400 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
49401 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
49402 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49403 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
49404 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
49407 proc_create("ioports", 0, NULL, &proc_ioports_operations);
49408 proc_create("iomem", 0, NULL, &proc_iomem_operations);
49412 __initcall(ioresources_init);
49413 diff -urNp linux-2.6.35.4/kernel/sched.c linux-2.6.35.4/kernel/sched.c
49414 --- linux-2.6.35.4/kernel/sched.c 2010-08-26 19:47:12.000000000 -0400
49415 +++ linux-2.6.35.4/kernel/sched.c 2010-09-17 20:12:37.000000000 -0400
49416 @@ -4266,6 +4266,8 @@ int can_nice(const struct task_struct *p
49417 /* convert nice value [19,-20] to rlimit style value [1,40] */
49418 int nice_rlim = 20 - nice;
49420 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
49422 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
49423 capable(CAP_SYS_NICE));
49425 @@ -4299,7 +4301,8 @@ SYSCALL_DEFINE1(nice, int, increment)
49429 - if (increment < 0 && !can_nice(current, nice))
49430 + if (increment < 0 && (!can_nice(current, nice) ||
49431 + gr_handle_chroot_nice()))
49432 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
49434 retval = security_task_setnice(current, nice);
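Review bot: In the nice syscall the new `gr_handle_chroot_nice()` denial shares the statement `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`, so when that flag is set a request refused by the chroot policy is reported to the caller as success. Because of the `||`, the hook is also evaluated only after `can_nice()` has passed, so if it logs, requests that fail the rlimit check first never reach it. If the policy denial should always surface, give it its own branch: `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`. The rest of the syscall body is outside the hunk.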
49435 @@ -4446,6 +4449,7 @@ recheck:
49436 rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO);
49437 unlock_task_sighand(p, &flags);
49439 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
49440 /* can't set/change the rt policy */
49441 if (policy != p->policy && !rlim_rtprio)
49443 diff -urNp linux-2.6.35.4/kernel/sched_fair.c linux-2.6.35.4/kernel/sched_fair.c
49444 --- linux-2.6.35.4/kernel/sched_fair.c 2010-08-26 19:47:12.000000000 -0400
49445 +++ linux-2.6.35.4/kernel/sched_fair.c 2010-09-17 20:12:09.000000000 -0400
49446 @@ -3390,7 +3390,7 @@ out:
49447 * In CONFIG_NO_HZ case, the idle load balance owner will do the
49448 * rebalancing for all the cpus for whom scheduler ticks are stopped.
49450 -static void run_rebalance_domains(struct softirq_action *h)
49451 +static void run_rebalance_domains(void)
49453 int this_cpu = smp_processor_id();
49454 struct rq *this_rq = cpu_rq(this_cpu);
49455 diff -urNp linux-2.6.35.4/kernel/signal.c linux-2.6.35.4/kernel/signal.c
49456 --- linux-2.6.35.4/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
49457 +++ linux-2.6.35.4/kernel/signal.c 2010-09-17 20:20:18.000000000 -0400
49458 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
49460 int print_fatal_signals __read_mostly;
49462 -static void __user *sig_handler(struct task_struct *t, int sig)
49463 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
49465 return t->sighand->action[sig - 1].sa.sa_handler;
49468 -static int sig_handler_ignored(void __user *handler, int sig)
49469 +static int sig_handler_ignored(__sighandler_t handler, int sig)
49471 /* Is it explicitly or implicitly ignored? */
49472 return handler == SIG_IGN ||
49473 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
49474 static int sig_task_ignored(struct task_struct *t, int sig,
49475 int from_ancestor_ns)
49477 - void __user *handler;
49478 + __sighandler_t handler;
49480 handler = sig_handler(t, sig);
49482 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
49483 atomic_inc(&user->sigpending);
49486 + if (!override_rlimit)
49487 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
49489 if (override_rlimit ||
49490 atomic_read(&user->sigpending) <=
49491 task_rlimit(t, RLIMIT_SIGPENDING)) {
49492 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
49494 int unhandled_signal(struct task_struct *tsk, int sig)
49496 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
49497 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
49498 if (is_global_init(tsk))
49500 if (handler != SIG_IGN && handler != SIG_DFL)
49501 @@ -705,6 +705,10 @@ static int check_kill_permission(int sig
49502 sig, info, t, vx_task_xid(t), t->pid, current->xid);
49506 + if (gr_handle_signal(t, sig))
49510 return security_task_kill(t, info, sig, 0);
49512 @@ -1025,7 +1031,7 @@ __group_send_sig_info(int sig, struct si
49513 return send_signal(sig, info, p, 1);
49518 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
49520 return send_signal(sig, info, t, 0);
49521 @@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
49522 ret = specific_send_sig_info(sig, info, t);
49523 spin_unlock_irqrestore(&t->sighand->siglock, flags);
49525 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
49526 + gr_handle_crash(t, sig);
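Review bot: `gr_log_signal()` is handed `info->si_addr` for every non-special siginfo, here in force_sig_info and again in the group_send_sig_info hunk that follows, but `si_addr` is only meaningful when the siginfo was filled in as a fault record. For a signal sent with kill() the same union bytes hold the sender's pid and uid, so the logged "address" would be those values read as a pointer. gr_log_signal's body is not part of this section; unless it already limits itself to fault-generated signals, pass the address only for them, for instance by testing `SI_FROMKERNEL(info)` together with the fault signal numbers before reading `si_addr`, and pass NULL otherwise.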
49531 @@ -1136,8 +1145,11 @@ int group_send_sig_info(int sig, struct
49532 ret = check_kill_permission(sig, info, p);
49536 + if (!ret && sig) {
49537 ret = do_send_sig_info(sig, info, p, true);
49539 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
49544 diff -urNp linux-2.6.35.4/kernel/smp.c linux-2.6.35.4/kernel/smp.c
49545 --- linux-2.6.35.4/kernel/smp.c 2010-08-26 19:47:12.000000000 -0400
49546 +++ linux-2.6.35.4/kernel/smp.c 2010-09-17 20:12:09.000000000 -0400
49547 @@ -499,22 +499,22 @@ int smp_call_function(void (*func)(void
49549 EXPORT_SYMBOL(smp_call_function);
49551 -void ipi_call_lock(void)
49552 +void ipi_call_lock(void) __acquires(call_function.lock)
49554 raw_spin_lock(&call_function.lock);
49557 -void ipi_call_unlock(void)
49558 +void ipi_call_unlock(void) __releases(call_function.lock)
49560 raw_spin_unlock(&call_function.lock);
49563 -void ipi_call_lock_irq(void)
49564 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
49566 raw_spin_lock_irq(&call_function.lock);
49569 -void ipi_call_unlock_irq(void)
49570 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
49572 raw_spin_unlock_irq(&call_function.lock);
49574 diff -urNp linux-2.6.35.4/kernel/softirq.c linux-2.6.35.4/kernel/softirq.c
49575 --- linux-2.6.35.4/kernel/softirq.c 2010-08-26 19:47:12.000000000 -0400
49576 +++ linux-2.6.35.4/kernel/softirq.c 2010-09-17 20:12:09.000000000 -0400
49577 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
49579 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
49581 -char *softirq_to_name[NR_SOFTIRQS] = {
49582 +const char * const softirq_to_name[NR_SOFTIRQS] = {
49583 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
49584 "TASKLET", "SCHED", "HRTIMER", "RCU"
49586 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
49588 asmlinkage void __do_softirq(void)
49590 - struct softirq_action *h;
49591 + const struct softirq_action *h;
49593 int max_restart = MAX_SOFTIRQ_RESTART;
49595 @@ -216,7 +216,7 @@ restart:
49596 kstat_incr_softirqs_this_cpu(h - softirq_vec);
49598 trace_softirq_entry(h, softirq_vec);
49601 trace_softirq_exit(h, softirq_vec);
49602 if (unlikely(prev_count != preempt_count())) {
49603 printk(KERN_ERR "huh, entered softirq %td %s %p"
49604 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
49605 local_irq_restore(flags);
49608 -void open_softirq(int nr, void (*action)(struct softirq_action *))
49609 +void open_softirq(int nr, void (*action)(void))
49611 softirq_vec[nr].action = action;
49613 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
49615 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
49617 -static void tasklet_action(struct softirq_action *a)
49618 +static void tasklet_action(void)
49620 struct tasklet_struct *list;
49622 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
49626 -static void tasklet_hi_action(struct softirq_action *a)
49627 +static void tasklet_hi_action(void)
49629 struct tasklet_struct *list;
49631 diff -urNp linux-2.6.35.4/kernel/sys.c linux-2.6.35.4/kernel/sys.c
49632 --- linux-2.6.35.4/kernel/sys.c 2010-08-26 19:47:12.000000000 -0400
49633 +++ linux-2.6.35.4/kernel/sys.c 2010-09-17 20:28:33.000000000 -0400
49634 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
49639 + if (gr_handle_chroot_setpriority(p, niceval)) {
49644 no_nice = security_task_setnice(p, niceval);
49647 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
49651 + if (gr_check_group_change(new->gid, new->egid, -1))
49654 if (rgid != (gid_t) -1 ||
49655 (egid != (gid_t) -1 && egid != old->gid))
49656 new->sgid = new->egid;
49657 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
49658 old = current_cred();
49662 + if (gr_check_group_change(gid, gid, gid))
49665 if (capable(CAP_SETGID))
49666 new->gid = new->egid = new->sgid = new->fsgid = gid;
49667 else if (gid == old->gid || gid == old->sgid)
49668 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
49672 + if (gr_check_user_change(new->uid, new->euid, -1))
49675 if (new->uid != old->uid) {
49676 retval = set_user(new);
49678 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
49679 old = current_cred();
49683 + if (gr_check_crash_uid(uid))
49685 + if (gr_check_user_change(uid, uid, uid))
49688 if (capable(CAP_SETUID)) {
49689 new->suid = new->uid = uid;
49690 if (uid != old->uid) {
49691 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
49695 + if (gr_check_user_change(ruid, euid, -1))
49698 if (ruid != (uid_t) -1) {
49700 if (ruid != old->uid) {
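Review bot: The arguments given to `gr_check_user_change()` are not of the same kind across these hunks: setreuid passes the resolved `new->uid`/`new->euid`, while setresuid (here) and setresgid pass the raw syscall arguments, which may be `(uid_t) -1` meaning "leave unchanged". That only works if the hook treats -1 as "no change" in every position, which this section does not show. Either say so at the call, e.g. `/* -1 == unchanged; the hook skips such fields */`, or run the check on the resolved `new->` values once they are set, as setreuid does. The placement also differs between setfsuid (check before the permission test) and setfsgid (check inside it), which is worth making uniform.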
49701 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
49705 + if (gr_check_group_change(rgid, egid, -1))
49708 if (rgid != (gid_t) -1)
49710 if (egid != (gid_t) -1)
49711 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49712 old = current_cred();
49713 old_fsuid = old->fsuid;
49715 + if (gr_check_user_change(-1, -1, uid))
49718 if (uid == old->uid || uid == old->euid ||
49719 uid == old->suid || uid == old->fsuid ||
49720 capable(CAP_SETUID)) {
49721 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49729 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
49730 if (gid == old->gid || gid == old->egid ||
49731 gid == old->sgid || gid == old->fsgid ||
49732 capable(CAP_SETGID)) {
49733 + if (gr_check_group_change(-1, -1, gid))
49736 if (gid != old_fsgid) {
49746 @@ -1491,7 +1527,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
49747 error = get_dumpable(me->mm);
49749 case PR_SET_DUMPABLE:
49750 - if (arg2 < 0 || arg2 > 1) {
49755 diff -urNp linux-2.6.35.4/kernel/sysctl.c linux-2.6.35.4/kernel/sysctl.c
49756 --- linux-2.6.35.4/kernel/sysctl.c 2010-08-26 19:47:12.000000000 -0400
49757 +++ linux-2.6.35.4/kernel/sysctl.c 2010-09-17 20:18:09.000000000 -0400
49761 #if defined(CONFIG_SYSCTL)
49762 +#include <linux/grsecurity.h>
49763 +#include <linux/grinternal.h>
49765 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
49766 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
49768 +extern int gr_handle_chroot_sysctl(const int op);
49770 /* External variables not in a header file. */
49771 extern int sysctl_overcommit_memory;
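Review bot: The `gr_handle_*` prototypes are declared with `extern` directly in sysctl.c, right after the file has included `<linux/grsecurity.h>` and `<linux/grinternal.h>`; the same pattern appears for `grsecurity_table[]` further down and for `gr_is_taskstats_denied()` in the taskstats.c hunk. A prototype that lives only in the calling .c file is never checked against the definition, so a later signature change compiles cleanly on both sides. Moving these declarations into the grsecurity header that the file already includes keeps caller and definition in step.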
49772 @@ -185,6 +192,7 @@ static int sysrq_sysctl_handler(ctl_tabl
49776 +extern struct ctl_table grsecurity_table[];
49778 static struct ctl_table root_table[];
49779 static struct ctl_table_root sysctl_table_root;
49780 @@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
49781 int sysctl_legacy_va_layout;
49784 +#ifdef CONFIG_PAX_SOFTMODE
49785 +static ctl_table pax_table[] = {
49787 + .procname = "softmode",
49788 + .data = &pax_softmode,
49789 + .maxlen = sizeof(unsigned int),
49791 + .proc_handler = &proc_dointvec,
49798 /* The default sysctl tables: */
49800 static struct ctl_table root_table[] = {
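Review bot: The `softmode` entry uses `&proc_dointvec` on `pax_softmode` with `.maxlen = sizeof(unsigned int)`, so any integer, including a negative one, can be written into what looks like an on/off switch. If it is a boolean, bound it as other entries in this file do, with `.proc_handler = proc_dointvec_minmax` and `.extra1`/`.extra2` pointing at 0 and 1. How pax_softmode is read is outside this hunk, and the entry's `.mode` line is not visible here, so both the 0/1 range and the write permission are points to confirm.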
49801 @@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
49804 static struct ctl_table kern_table[] = {
49805 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
49807 + .procname = "grsecurity",
49809 + .child = grsecurity_table,
49813 +#ifdef CONFIG_PAX_SOFTMODE
49815 + .procname = "pax",
49817 + .child = pax_table,
49822 .procname = "sched_child_runs_first",
49823 .data = &sysctl_sched_child_runs_first,
49824 @@ -1171,6 +1209,13 @@ static struct ctl_table vm_table[] = {
49825 .proc_handler = proc_dointvec_minmax,
49829 + .procname = "heap_stack_gap",
49830 + .data = &sysctl_heap_stack_gap,
49831 + .maxlen = sizeof(sysctl_heap_stack_gap),
49833 + .proc_handler = proc_doulongvec_minmax,
49837 .procname = "nr_trim_pages",
49838 @@ -1686,6 +1731,16 @@ int sysctl_perm(struct ctl_table_root *r
49842 + if (table->parent != NULL && table->parent->procname != NULL &&
49843 + table->procname != NULL &&
49844 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
49846 + if (gr_handle_chroot_sysctl(op))
49848 + error = gr_handle_sysctl(table, op);
49852 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
49855 @@ -2201,6 +2256,8 @@ static int proc_put_long(void __user **b
49859 + if (len > sizeof(tmp))
49860 + len = sizeof(tmp);
49861 if (copy_to_user(*buf, tmp, len))
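Review bot: The added clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` silently shortens what is copied to user space, so if `len` ever exceeds the buffer the caller gets a truncated value and nothing records that the length computation went wrong. Since the clamp exists to stop a read past a local buffer, make the unexpected case visible: `if (WARN_ON_ONCE(len > sizeof(tmp))) len = sizeof(tmp);`. The declaration of `tmp` and the code that computes `len` are outside this hunk.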
49864 diff -urNp linux-2.6.35.4/kernel/taskstats.c linux-2.6.35.4/kernel/taskstats.c
49865 --- linux-2.6.35.4/kernel/taskstats.c 2010-08-26 19:47:12.000000000 -0400
49866 +++ linux-2.6.35.4/kernel/taskstats.c 2010-09-17 20:12:37.000000000 -0400
49868 #include <linux/cgroup.h>
49869 #include <linux/fs.h>
49870 #include <linux/file.h>
49871 +#include <linux/grsecurity.h>
49872 #include <net/genetlink.h>
49873 #include <asm/atomic.h>
49875 +extern int gr_is_taskstats_denied(int pid);
49878 * Maximum length of a cpumask that can be specified in
49879 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
49880 @@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
49882 cpumask_var_t mask;
49884 + if (gr_is_taskstats_denied(current->pid))
49887 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
49890 diff -urNp linux-2.6.35.4/kernel/time/tick-broadcast.c linux-2.6.35.4/kernel/time/tick-broadcast.c
49891 --- linux-2.6.35.4/kernel/time/tick-broadcast.c 2010-08-26 19:47:12.000000000 -0400
49892 +++ linux-2.6.35.4/kernel/time/tick-broadcast.c 2010-09-17 20:12:09.000000000 -0400
49893 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
49894 * then clear the broadcast bit.
49896 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
49897 - int cpu = smp_processor_id();
49898 + cpu = smp_processor_id();
49900 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
49901 tick_broadcast_clear_oneshot(cpu);
49902 diff -urNp linux-2.6.35.4/kernel/time/timer_list.c linux-2.6.35.4/kernel/time/timer_list.c
49903 --- linux-2.6.35.4/kernel/time/timer_list.c 2010-08-26 19:47:12.000000000 -0400
49904 +++ linux-2.6.35.4/kernel/time/timer_list.c 2010-09-17 20:12:37.000000000 -0400
49905 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
49907 static void print_name_offset(struct seq_file *m, void *sym)
49909 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49910 + SEQ_printf(m, "<%p>", NULL);
49912 char symname[KSYM_NAME_LEN];
49914 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
49915 SEQ_printf(m, "<%p>", sym);
49917 SEQ_printf(m, "%s", symname);
49922 @@ -112,7 +116,11 @@ next_one:
49924 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
49926 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49927 + SEQ_printf(m, " .base: %p\n", NULL);
49929 SEQ_printf(m, " .base: %p\n", base);
49931 SEQ_printf(m, " .index: %d\n",
49933 SEQ_printf(m, " .resolution: %Lu nsecs\n",
49934 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
49936 struct proc_dir_entry *pe;
49938 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49939 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
49941 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
49946 diff -urNp linux-2.6.35.4/kernel/time/timer_stats.c linux-2.6.35.4/kernel/time/timer_stats.c
49947 --- linux-2.6.35.4/kernel/time/timer_stats.c 2010-08-26 19:47:12.000000000 -0400
49948 +++ linux-2.6.35.4/kernel/time/timer_stats.c 2010-09-17 20:12:37.000000000 -0400
49949 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
49951 static void print_name_offset(struct seq_file *m, unsigned long addr)
49953 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49954 + seq_printf(m, "<%p>", NULL);
49956 char symname[KSYM_NAME_LEN];
49958 if (lookup_symbol_name(addr, symname) < 0)
49959 seq_printf(m, "<%p>", (void *)addr);
49961 seq_printf(m, "%s", symname);
49965 static int tstats_show(struct seq_file *m, void *v)
49966 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
49968 struct proc_dir_entry *pe;
49970 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49971 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
49973 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
49978 diff -urNp linux-2.6.35.4/kernel/time.c linux-2.6.35.4/kernel/time.c
49979 --- linux-2.6.35.4/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
49980 +++ linux-2.6.35.4/kernel/time.c 2010-09-17 20:12:37.000000000 -0400
49981 @@ -94,6 +94,8 @@ SYSCALL_DEFINE1(stime, time_t __user *,
49984 vx_settimeofday(&tv);
49985 + gr_log_timechange();
49990 @@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
49994 + gr_log_timechange();
49996 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
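Review bot: In settimeofday `gr_log_timechange()` runs before `do_sys_settimeofday()` and regardless of its result, so the audit record is written even when the change is then refused or fails, whereas the stime hunk logs after `vx_settimeofday()`. A log that mixes attempts with completed changes is harder to use when reconstructing a timeline. If only successful changes are meant, log on success: `err = do_sys_settimeofday(...); if (!err) gr_log_timechange(); return err;`. If recording the attempt is intended, a comment at the call should say so.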
49999 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
50000 * Avoid unnecessary multiplications/divisions in the
50001 * two most common HZ cases:
50003 -unsigned int inline jiffies_to_msecs(const unsigned long j)
50004 +inline unsigned int jiffies_to_msecs(const unsigned long j)
50006 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
50007 return (MSEC_PER_SEC / HZ) * j;
50008 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
50010 EXPORT_SYMBOL(jiffies_to_msecs);
50012 -unsigned int inline jiffies_to_usecs(const unsigned long j)
50013 +inline unsigned int jiffies_to_usecs(const unsigned long j)
50015 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
50016 return (USEC_PER_SEC / HZ) * j;
50017 diff -urNp linux-2.6.35.4/kernel/timer.c linux-2.6.35.4/kernel/timer.c
50018 --- linux-2.6.35.4/kernel/timer.c 2010-08-26 19:47:12.000000000 -0400
50019 +++ linux-2.6.35.4/kernel/timer.c 2010-09-17 20:12:09.000000000 -0400
50020 @@ -1272,7 +1272,7 @@ void update_process_times(int user_tick)
50022 * This function runs timers and the timer-tq in bottom half context.
50024 -static void run_timer_softirq(struct softirq_action *h)
50025 +static void run_timer_softirq(void)
50027 struct tvec_base *base = __get_cpu_var(tvec_bases);
50029 diff -urNp linux-2.6.35.4/kernel/trace/ftrace.c linux-2.6.35.4/kernel/trace/ftrace.c
50030 --- linux-2.6.35.4/kernel/trace/ftrace.c 2010-08-26 19:47:12.000000000 -0400
50031 +++ linux-2.6.35.4/kernel/trace/ftrace.c 2010-09-17 20:12:09.000000000 -0400
50032 @@ -1101,13 +1101,18 @@ ftrace_code_disable(struct module *mod,
50036 + ret = ftrace_arch_code_modify_prepare();
50037 + FTRACE_WARN_ON(ret);
50041 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
50042 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
50044 ftrace_bug(ret, ip);
50045 rec->flags |= FTRACE_FL_FAILED;
50049 + return ret ? 0 : 1;
50053 diff -urNp linux-2.6.35.4/kernel/trace/ring_buffer.c linux-2.6.35.4/kernel/trace/ring_buffer.c
50054 --- linux-2.6.35.4/kernel/trace/ring_buffer.c 2010-08-26 19:47:12.000000000 -0400
50055 +++ linux-2.6.35.4/kernel/trace/ring_buffer.c 2010-09-17 20:12:09.000000000 -0400
50056 @@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
50057 * the reader page). But if the next page is a header page,
50058 * its flags will be non zero.
50062 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
50063 struct buffer_page *page, struct list_head *list)
50065 diff -urNp linux-2.6.35.4/kernel/trace/trace.c linux-2.6.35.4/kernel/trace/trace.c
50066 --- linux-2.6.35.4/kernel/trace/trace.c 2010-08-26 19:47:12.000000000 -0400
50067 +++ linux-2.6.35.4/kernel/trace/trace.c 2010-09-17 20:12:09.000000000 -0400
50068 @@ -3965,10 +3965,9 @@ static const struct file_operations trac
50072 -static struct dentry *d_tracer;
50074 struct dentry *tracing_init_dentry(void)
50076 + static struct dentry *d_tracer;
50080 @@ -3988,10 +3987,9 @@ struct dentry *tracing_init_dentry(void)
50084 -static struct dentry *d_percpu;
50086 struct dentry *tracing_dentry_percpu(void)
50088 + static struct dentry *d_percpu;
50090 struct dentry *d_tracer;
50092 diff -urNp linux-2.6.35.4/kernel/trace/trace_output.c linux-2.6.35.4/kernel/trace/trace_output.c
50093 --- linux-2.6.35.4/kernel/trace/trace_output.c 2010-08-26 19:47:12.000000000 -0400
50094 +++ linux-2.6.35.4/kernel/trace/trace_output.c 2010-09-17 20:12:09.000000000 -0400
50095 @@ -281,7 +281,7 @@ int trace_seq_path(struct trace_seq *s,
50097 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
50099 - p = mangle_path(s->buffer + s->len, p, "\n");
50100 + p = mangle_path(s->buffer + s->len, p, "\n\\");
50102 s->len = p - s->buffer;
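Review bot: The escape set passed to `mangle_path()` in trace_seq_path changes from `"\n"` to `"\n\\"` with no comment, and the reason is easy to lose. mangle_path writes escaped characters as backslash-octal sequences, so unless the backslash itself is escaped a file name containing the literal text `\012` reads the same as an escaped newline in the trace output. A comment on the call would record that, e.g. `/* escape '\\' as well, or a literal "\012" in a name cannot be told from an escaped newline */`. The rest of the function body is outside the hunk.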
50104 diff -urNp linux-2.6.35.4/kernel/trace/trace_stack.c linux-2.6.35.4/kernel/trace/trace_stack.c
50105 --- linux-2.6.35.4/kernel/trace/trace_stack.c 2010-08-26 19:47:12.000000000 -0400
50106 +++ linux-2.6.35.4/kernel/trace/trace_stack.c 2010-09-17 20:12:09.000000000 -0400
50107 @@ -50,7 +50,7 @@ static inline void check_stack(void)
50110 /* we do not handle interrupt stacks yet */
50111 - if (!object_is_on_stack(&this_size))
50112 + if (!object_starts_on_stack(&this_size))
50115 local_irq_save(flags);
50116 diff -urNp linux-2.6.35.4/lib/bug.c linux-2.6.35.4/lib/bug.c
50117 --- linux-2.6.35.4/lib/bug.c 2010-08-26 19:47:12.000000000 -0400
50118 +++ linux-2.6.35.4/lib/bug.c 2010-09-17 20:12:09.000000000 -0400
50119 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
50120 return BUG_TRAP_TYPE_NONE;
50122 bug = find_bug(bugaddr);
50124 + return BUG_TRAP_TYPE_NONE;
50126 printk(KERN_EMERG "------------[ cut here ]------------\n");
50128 diff -urNp linux-2.6.35.4/lib/debugobjects.c linux-2.6.35.4/lib/debugobjects.c
50129 --- linux-2.6.35.4/lib/debugobjects.c 2010-08-26 19:47:12.000000000 -0400
50130 +++ linux-2.6.35.4/lib/debugobjects.c 2010-09-17 20:12:09.000000000 -0400
50131 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
50135 - is_on_stack = object_is_on_stack(addr);
50136 + is_on_stack = object_starts_on_stack(addr);
50137 if (is_on_stack == onstack)
50140 diff -urNp linux-2.6.35.4/lib/dma-debug.c linux-2.6.35.4/lib/dma-debug.c
50141 --- linux-2.6.35.4/lib/dma-debug.c 2010-08-26 19:47:12.000000000 -0400
50142 +++ linux-2.6.35.4/lib/dma-debug.c 2010-09-17 20:12:09.000000000 -0400
50143 @@ -861,7 +861,7 @@ out:
50145 static void check_for_stack(struct device *dev, void *addr)
50147 - if (object_is_on_stack(addr))
50148 + if (object_starts_on_stack(addr))
50149 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
50150 "stack [addr=%p]\n", addr);
50152 diff -urNp linux-2.6.35.4/lib/inflate.c linux-2.6.35.4/lib/inflate.c
50153 --- linux-2.6.35.4/lib/inflate.c 2010-08-26 19:47:12.000000000 -0400
50154 +++ linux-2.6.35.4/lib/inflate.c 2010-09-17 20:12:09.000000000 -0400
50155 @@ -267,7 +267,7 @@ static void free(void *where)
50156 malloc_ptr = free_mem_ptr;
50159 -#define malloc(a) kmalloc(a, GFP_KERNEL)
50160 +#define malloc(a) kmalloc((a), GFP_KERNEL)
50161 #define free(a) kfree(a)
50164 diff -urNp linux-2.6.35.4/lib/Kconfig.debug linux-2.6.35.4/lib/Kconfig.debug
50165 --- linux-2.6.35.4/lib/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
50166 +++ linux-2.6.35.4/lib/Kconfig.debug 2010-09-17 20:12:37.000000000 -0400
50167 @@ -970,7 +970,7 @@ config LATENCYTOP
50171 - depends on HAVE_LATENCYTOP_SUPPORT
50172 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
50174 Enable this option if you want to use the LatencyTOP tool
50175 to find out which userspace is blocking on what kernel operations.
50176 diff -urNp linux-2.6.35.4/lib/parser.c linux-2.6.35.4/lib/parser.c
50177 --- linux-2.6.35.4/lib/parser.c 2010-08-26 19:47:12.000000000 -0400
50178 +++ linux-2.6.35.4/lib/parser.c 2010-09-17 20:12:09.000000000 -0400
50179 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
50183 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
50184 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
50187 memcpy(buf, s->from, s->to - s->from);
50188 diff -urNp linux-2.6.35.4/lib/radix-tree.c linux-2.6.35.4/lib/radix-tree.c
50189 --- linux-2.6.35.4/lib/radix-tree.c 2010-08-26 19:47:12.000000000 -0400
50190 +++ linux-2.6.35.4/lib/radix-tree.c 2010-09-17 20:12:09.000000000 -0400
50191 @@ -80,7 +80,7 @@ struct radix_tree_preload {
50193 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
50195 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
50196 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
50198 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
50200 diff -urNp linux-2.6.35.4/localversion-grsec linux-2.6.35.4/localversion-grsec
50201 --- linux-2.6.35.4/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
50202 +++ linux-2.6.35.4/localversion-grsec 2010-09-17 20:12:37.000000000 -0400
50205 diff -urNp linux-2.6.35.4/Makefile linux-2.6.35.4/Makefile
50206 --- linux-2.6.35.4/Makefile 2010-08-26 19:47:12.000000000 -0400
50207 +++ linux-2.6.35.4/Makefile 2010-09-17 20:12:37.000000000 -0400
50208 @@ -230,8 +230,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
50212 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
50213 -HOSTCXXFLAGS = -O2
50214 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
50215 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
50217 # Decide whether to build built-in, modular, or both.
50218 # Normally, just do built-in.
50219 @@ -650,7 +650,7 @@ export mod_strip_cmd
50222 ifeq ($(KBUILD_EXTMOD),)
50223 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
50224 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
50226 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
50227 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
50228 diff -urNp linux-2.6.35.4/mm/bootmem.c linux-2.6.35.4/mm/bootmem.c
50229 --- linux-2.6.35.4/mm/bootmem.c 2010-08-26 19:47:12.000000000 -0400
50230 +++ linux-2.6.35.4/mm/bootmem.c 2010-09-17 20:12:09.000000000 -0400
50231 @@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
50232 unsigned long __init free_all_memory_core_early(int nodeid)
50236 + u64 start, end, startrange, endrange;
50237 unsigned long count = 0;
50238 - struct range *range = NULL;
50239 + struct range *range = NULL, rangerange = { 0, 0 };
50242 nr_range = get_free_all_memory_range(&range, nodeid);
50243 + startrange = __pa(range) >> PAGE_SHIFT;
50244 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
50246 for (i = 0; i < nr_range; i++) {
50247 start = range[i].start;
50248 end = range[i].end;
50249 + if (start <= endrange && startrange < end) {
50250 + BUG_ON(rangerange.start | rangerange.end);
50251 + rangerange = range[i];
50254 count += end - start;
50255 __free_pages_memory(start, end);
50257 + start = rangerange.start;
50258 + end = rangerange.end;
50259 + count += end - start;
50260 + __free_pages_memory(start, end);
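Review bot: The reordering in free_all_memory_core_early is not explained, and the name `rangerange` gives no hint. As far as the hunk shows, the range that overlaps the pages holding the `range` array itself is held back and freed after the loop, presumably so the array is not read once its own pages have been released. That deserves a comment above the `startrange`/`endrange` computation and a clearer name such as `self_range`. After the loop `__free_pages_memory(start, end)` is called unconditionally, so when no range overlaps it runs with `0, 0`; whether that is a no-op depends on __free_pages_memory, which is not shown, and an `if (rangerange.end)` guard would remove the question.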
50264 diff -urNp linux-2.6.35.4/mm/filemap.c linux-2.6.35.4/mm/filemap.c
50265 --- linux-2.6.35.4/mm/filemap.c 2010-08-26 19:47:12.000000000 -0400
50266 +++ linux-2.6.35.4/mm/filemap.c 2010-09-17 20:12:37.000000000 -0400
50267 @@ -1640,7 +1640,7 @@ int generic_file_mmap(struct file * file
50268 struct address_space *mapping = file->f_mapping;
50270 if (!mapping->a_ops->readpage)
50273 file_accessed(file);
50274 vma->vm_ops = &generic_file_vm_ops;
50275 vma->vm_flags |= VM_CAN_NONLINEAR;
50276 @@ -2036,6 +2036,7 @@ inline int generic_write_checks(struct f
50277 *pos = i_size_read(inode);
50279 if (limit != RLIM_INFINITY) {
50280 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
50281 if (*pos >= limit) {
50282 send_sig(SIGXFSZ, current, 0);
50284 diff -urNp linux-2.6.35.4/mm/fremap.c linux-2.6.35.4/mm/fremap.c
50285 --- linux-2.6.35.4/mm/fremap.c 2010-08-26 19:47:12.000000000 -0400
50286 +++ linux-2.6.35.4/mm/fremap.c 2010-09-17 20:12:09.000000000 -0400
50287 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50289 vma = find_vma(mm, start);
50291 +#ifdef CONFIG_PAX_SEGMEXEC
50292 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
50297 * Make sure the vma is shared, that it supports prefaulting,
50298 * and that the remapped range is valid and fully within
50299 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50301 * drop PG_Mlocked flag for over-mapped range
50303 - unsigned int saved_flags = vma->vm_flags;
50304 + unsigned long saved_flags = vma->vm_flags;
50305 munlock_vma_pages_range(vma, start, start + size);
50306 vma->vm_flags = saved_flags;
50308 diff -urNp linux-2.6.35.4/mm/highmem.c linux-2.6.35.4/mm/highmem.c
50309 --- linux-2.6.35.4/mm/highmem.c 2010-08-26 19:47:12.000000000 -0400
50310 +++ linux-2.6.35.4/mm/highmem.c 2010-09-17 20:12:09.000000000 -0400
50311 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
50312 * So no dangers, even with speculative execution.
50314 page = pte_page(pkmap_page_table[i]);
50315 + pax_open_kernel();
50316 pte_clear(&init_mm, (unsigned long)page_address(page),
50317 &pkmap_page_table[i]);
50319 + pax_close_kernel();
50320 set_page_address(page, NULL);
50323 @@ -177,9 +178,11 @@ start:
50326 vaddr = PKMAP_ADDR(last_pkmap_nr);
50328 + pax_open_kernel();
50329 set_pte_at(&init_mm, vaddr,
50330 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
50332 + pax_close_kernel();
50333 pkmap_count[last_pkmap_nr] = 1;
50334 set_page_address(page, (void *)vaddr);
50336 diff -urNp linux-2.6.35.4/mm/hugetlb.c linux-2.6.35.4/mm/hugetlb.c
50337 --- linux-2.6.35.4/mm/hugetlb.c 2010-08-26 19:47:12.000000000 -0400
50338 +++ linux-2.6.35.4/mm/hugetlb.c 2010-09-17 20:12:09.000000000 -0400
50339 @@ -2272,6 +2272,26 @@ static int unmap_ref_private(struct mm_s
50343 +#ifdef CONFIG_PAX_SEGMEXEC
50344 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
50346 + struct mm_struct *mm = vma->vm_mm;
50347 + struct vm_area_struct *vma_m;
50348 + unsigned long address_m;
50351 + vma_m = pax_find_mirror_vma(vma);
50355 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50356 + address_m = address + SEGMEXEC_TASK_SIZE;
50357 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
50358 + get_page(page_m);
50359 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
50363 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
50364 unsigned long address, pte_t *ptep, pte_t pte,
50365 struct page *pagecache_page)
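Review bot: In pax_mirror_huge_pte the result of `huge_pte_offset()` is passed straight to `set_huge_pte_at()` without a NULL check, so the helper is only safe if the mirror page table entry was allocated beforehand. The hugetlb_fault hunk further down does call `huge_pte_alloc(mm, address_m, ...)` first, but nothing in the helper states or enforces that dependency; `BUG_ON(!ptep_m);` after the lookup, in line with the existing `BUG_ON(address >= SEGMEXEC_TASK_SIZE)`, would. The helper and the fault path also use `HPAGE_MASK`/`HPAGE_SIZE` where the neighbouring code uses `huge_page_size(h)`, which is worth a comment if SEGMEXEC can only ever meet one huge page size.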
50366 @@ -2352,6 +2372,11 @@ retry_avoidcopy:
50367 huge_ptep_clear_flush(vma, address, ptep);
50368 set_huge_pte_at(mm, address, ptep,
50369 make_huge_pte(vma, new_page, 1));
50371 +#ifdef CONFIG_PAX_SEGMEXEC
50372 + pax_mirror_huge_pte(vma, address, new_page);
50375 /* Make the old page be freed below */
50376 new_page = old_page;
50378 @@ -2483,6 +2508,10 @@ retry:
50379 && (vma->vm_flags & VM_SHARED)));
50380 set_huge_pte_at(mm, address, ptep, new_pte);
50382 +#ifdef CONFIG_PAX_SEGMEXEC
50383 + pax_mirror_huge_pte(vma, address, page);
50386 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
50387 /* Optimization, do the COW without a second fault */
50388 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
50389 @@ -2511,6 +2540,28 @@ int hugetlb_fault(struct mm_struct *mm,
50390 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
50391 struct hstate *h = hstate_vma(vma);
50393 +#ifdef CONFIG_PAX_SEGMEXEC
50394 + struct vm_area_struct *vma_m;
50396 + vma_m = pax_find_mirror_vma(vma);
50398 + unsigned long address_m;
50400 + if (vma->vm_start > vma_m->vm_start) {
50401 + address_m = address;
50402 + address -= SEGMEXEC_TASK_SIZE;
50404 + h = hstate_vma(vma);
50406 + address_m = address + SEGMEXEC_TASK_SIZE;
50408 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
50409 + return VM_FAULT_OOM;
50410 + address_m &= HPAGE_MASK;
50411 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
50415 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
50417 return VM_FAULT_OOM;
50418 diff -urNp linux-2.6.35.4/mm/Kconfig linux-2.6.35.4/mm/Kconfig
50419 --- linux-2.6.35.4/mm/Kconfig 2010-08-26 19:47:12.000000000 -0400
50420 +++ linux-2.6.35.4/mm/Kconfig 2010-09-17 20:12:37.000000000 -0400
50421 @@ -240,7 +240,7 @@ config KSM
50422 config DEFAULT_MMAP_MIN_ADDR
50423 int "Low address space to protect from user allocation"
50428 This is the portion of low virtual memory which should be protected
50429 from userspace allocation. Keeping a user from writing to low pages
50430 diff -urNp linux-2.6.35.4/mm/maccess.c linux-2.6.35.4/mm/maccess.c
50431 --- linux-2.6.35.4/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
50432 +++ linux-2.6.35.4/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
50433 @@ -15,10 +15,10 @@
50434 * happens, handle that and return -EFAULT.
50437 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
50438 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
50439 __attribute__((alias("__probe_kernel_read")));
50441 -long __probe_kernel_read(void *dst, void *src, size_t size)
50442 +long __probe_kernel_read(void *dst, const void *src, size_t size)
50445 mm_segment_t old_fs = get_fs();
50446 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
50447 * Safely write to address @dst from the buffer at @src. If a kernel fault
50448 * happens, handle that and return -EFAULT.
50450 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
50451 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
50452 __attribute__((alias("__probe_kernel_write")));
50454 -long __probe_kernel_write(void *dst, void *src, size_t size)
50455 +long __probe_kernel_write(void *dst, const void *src, size_t size)
50458 mm_segment_t old_fs = get_fs();
50459 diff -urNp linux-2.6.35.4/mm/madvise.c linux-2.6.35.4/mm/madvise.c
50460 --- linux-2.6.35.4/mm/madvise.c 2010-08-26 19:47:12.000000000 -0400
50461 +++ linux-2.6.35.4/mm/madvise.c 2010-09-17 20:12:09.000000000 -0400
50462 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
50464 unsigned long new_flags = vma->vm_flags;
50466 +#ifdef CONFIG_PAX_SEGMEXEC
50467 + struct vm_area_struct *vma_m;
50470 switch (behavior) {
50472 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
50473 @@ -104,6 +108,13 @@ success:
50475 * vm_flags is protected by the mmap_sem held in write mode.
50478 +#ifdef CONFIG_PAX_SEGMEXEC
50479 + vma_m = pax_find_mirror_vma(vma);
50481 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
50484 vma->vm_flags = new_flags;
50487 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
50488 struct vm_area_struct ** prev,
50489 unsigned long start, unsigned long end)
50492 +#ifdef CONFIG_PAX_SEGMEXEC
50493 + struct vm_area_struct *vma_m;
50497 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
50499 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
50500 zap_page_range(vma, start, end - start, &details);
50502 zap_page_range(vma, start, end - start, NULL);
50504 +#ifdef CONFIG_PAX_SEGMEXEC
50505 + vma_m = pax_find_mirror_vma(vma);
50507 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
50508 + struct zap_details details = {
50509 + .nonlinear_vma = vma_m,
50510 + .last_index = ULONG_MAX,
50512 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
50514 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
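Review bot: Both added `zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, ...)` calls pass the original `vma` although the address range lies in the mirror, and `vma_m` has just been looked up and is what `.nonlinear_vma` is set to. If this works because the unmap walk advances from `vma` along the vma list until it reaches the mirror, that dependency deserves a comment; otherwise passing the mirror states the intent directly, e.g. `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. The guard on `vma_m` and the closing lines of the block are not visible here, and madvise_dontneed starts outside the hunk.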
50521 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
50525 +#ifdef CONFIG_PAX_SEGMEXEC
50526 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50527 + if (end > SEGMEXEC_TASK_SIZE)
50532 + if (end > TASK_SIZE)
50538 diff -urNp linux-2.6.35.4/mm/memory.c linux-2.6.35.4/mm/memory.c
50539 --- linux-2.6.35.4/mm/memory.c 2010-08-26 19:47:12.000000000 -0400
50540 +++ linux-2.6.35.4/mm/memory.c 2010-09-17 20:12:09.000000000 -0400
50541 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
50544 pmd = pmd_offset(pud, start);
50546 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
50548 pmd_free_tlb(tlb, pmd, start);
50553 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
50554 @@ -292,8 +296,12 @@ static inline void free_pud_range(struct
50557 pud = pud_offset(pgd, start);
50559 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
50561 pud_free_tlb(tlb, pud, start);
50567 @@ -1363,10 +1371,10 @@ int __get_user_pages(struct task_struct
50568 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
50572 + while (nr_pages) {
50573 struct vm_area_struct *vma;
50575 - vma = find_extend_vma(mm, start);
50576 + vma = find_vma(mm, start);
50577 if (!vma && in_gate_area(tsk, start)) {
50578 unsigned long pg = start & PAGE_MASK;
50579 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
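Review bot: Replacing `find_extend_vma()` with `find_vma()` changes what __get_user_pages does for an address just below a grows-down stack: the mapping is no longer extended and the access fails instead, and nothing at the lookup says so. `find_vma()` can also return a vma that starts above `start`, so the `start < vma->vm_start` test added in the next hunk is what keeps the loop from using an unrelated mapping; a comment such as `/* no implicit stack expansion from GUP; the range is checked against vma below */` above the lookup would tie the two together. The loop is also turned from do/while into `while (nr_pages)` here and in the hunk that removes `} while (nr_pages);`, which is only equivalent when nr_pages is non-zero on entry. The function body starts and ends outside these hunks.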
50580 @@ -1418,7 +1426,7 @@ int __get_user_pages(struct task_struct
50585 + if (!vma || start < vma->vm_start ||
50586 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
50587 !(vm_flags & vma->vm_flags))
50588 return i ? : -EFAULT;
50589 @@ -1493,7 +1501,7 @@ int __get_user_pages(struct task_struct
50590 start += PAGE_SIZE;
50592 } while (nr_pages && start < vma->vm_end);
50593 - } while (nr_pages);
50598 @@ -2089,6 +2097,186 @@ static inline void cow_user_page(struct
50599 copy_user_highpage(dst, src, va, vma);
50602 +#ifdef CONFIG_PAX_SEGMEXEC
50603 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
50605 + struct mm_struct *mm = vma->vm_mm;
50607 + pte_t *pte, entry;
50609 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
50611 + if (!pte_present(entry)) {
50612 + if (!pte_none(entry)) {
50613 + BUG_ON(pte_file(entry));
50614 + free_swap_and_cache(pte_to_swp_entry(entry));
50615 + pte_clear_not_present_full(mm, address, pte, 0);
50618 + struct page *page;
50620 + flush_cache_page(vma, address, pte_pfn(entry));
50621 + entry = ptep_clear_flush(vma, address, pte);
50622 + BUG_ON(pte_dirty(entry));
50623 + page = vm_normal_page(vma, address, entry);
50625 + update_hiwater_rss(mm);
50626 + if (PageAnon(page))
50627 + dec_mm_counter_fast(mm, MM_ANONPAGES);
50629 + dec_mm_counter_fast(mm, MM_FILEPAGES);
50630 + page_remove_rmap(page);
50631 + page_cache_release(page);
50634 + pte_unmap_unlock(pte, ptl);
50637 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
50639 + * the ptl of the lower mapped page is held on entry and is not released on exit
50640 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
50642 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50644 + struct mm_struct *mm = vma->vm_mm;
50645 + unsigned long address_m;
50646 + spinlock_t *ptl_m;
50647 + struct vm_area_struct *vma_m;
50649 + pte_t *pte_m, entry_m;
50651 + BUG_ON(!page_m || !PageAnon(page_m));
50653 + vma_m = pax_find_mirror_vma(vma);
50657 + BUG_ON(!PageLocked(page_m));
50658 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50659 + address_m = address + SEGMEXEC_TASK_SIZE;
50660 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50661 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50662 + ptl_m = pte_lockptr(mm, pmd_m);
50663 + if (ptl != ptl_m) {
50664 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50665 + if (!pte_none(*pte_m))
50669 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50670 + page_cache_get(page_m);
50671 + page_add_anon_rmap(page_m, vma_m, address_m);
50672 + inc_mm_counter_fast(mm, MM_ANONPAGES);
50673 + set_pte_at(mm, address_m, pte_m, entry_m);
50674 + update_mmu_cache(vma_m, address_m, entry_m);
50676 + if (ptl != ptl_m)
50677 + spin_unlock(ptl_m);
50678 + pte_unmap_nested(pte_m);
50679 + unlock_page(page_m);
50682 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50684 + struct mm_struct *mm = vma->vm_mm;
50685 + unsigned long address_m;
50686 + spinlock_t *ptl_m;
50687 + struct vm_area_struct *vma_m;
50689 + pte_t *pte_m, entry_m;
50691 + BUG_ON(!page_m || PageAnon(page_m));
50693 + vma_m = pax_find_mirror_vma(vma);
50697 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50698 + address_m = address + SEGMEXEC_TASK_SIZE;
50699 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50700 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50701 + ptl_m = pte_lockptr(mm, pmd_m);
50702 + if (ptl != ptl_m) {
50703 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50704 + if (!pte_none(*pte_m))
50708 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50709 + page_cache_get(page_m);
50710 + page_add_file_rmap(page_m);
50711 + inc_mm_counter_fast(mm, MM_FILEPAGES);
50712 + set_pte_at(mm, address_m, pte_m, entry_m);
50713 + update_mmu_cache(vma_m, address_m, entry_m);
50715 + if (ptl != ptl_m)
50716 + spin_unlock(ptl_m);
50717 + pte_unmap_nested(pte_m);
50720 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
50722 + struct mm_struct *mm = vma->vm_mm;
50723 + unsigned long address_m;
50724 + spinlock_t *ptl_m;
50725 + struct vm_area_struct *vma_m;
50727 + pte_t *pte_m, entry_m;
50729 + vma_m = pax_find_mirror_vma(vma);
50733 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50734 + address_m = address + SEGMEXEC_TASK_SIZE;
50735 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50736 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50737 + ptl_m = pte_lockptr(mm, pmd_m);
50738 + if (ptl != ptl_m) {
50739 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50740 + if (!pte_none(*pte_m))
50744 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
50745 + set_pte_at(mm, address_m, pte_m, entry_m);
50747 + if (ptl != ptl_m)
50748 + spin_unlock(ptl_m);
50749 + pte_unmap_nested(pte_m);
50752 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
50754 + struct page *page_m;
50757 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
50761 + page_m = vm_normal_page(vma, address, entry);
50763 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
50764 + else if (PageAnon(page_m)) {
50765 + if (pax_find_mirror_vma(vma)) {
50766 + pte_unmap_unlock(pte, ptl);
50767 + lock_page(page_m);
50768 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
50769 + if (pte_same(entry, *pte))
50770 + pax_mirror_anon_pte(vma, address, page_m, ptl);
50772 + unlock_page(page_m);
50775 + pax_mirror_file_pte(vma, address, page_m, ptl);
50778 + pte_unmap_unlock(pte, ptl);
50783 * This routine handles present pages, when users try to write
50784 * to a shared page. It is done by copying the page to a new address
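Review bot: pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte each walk `pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m)` and map the pte without checking that any level is present. That appears to rely on the handle_mm_fault hunk later in this file, which allocates the pud, pmd and pte table for `address_m` before the fault is handled; the precondition should be written down, for example `/* mirror page tables for address_m are preallocated by handle_mm_fault() */` above the walk. The three functions repeat the same locate, lock and `pte_none` sequence and differ only in how the entry is built and accounted, so a shared static helper for the lookup and locking would leave one place to audit. pax_mirror_anon_pte also unlocks a `page_m` that its callers locked, which its header comment should state next to the ptl rule.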
50785 @@ -2275,6 +2463,12 @@ gotten:
50787 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50788 if (likely(pte_same(*page_table, orig_pte))) {
50790 +#ifdef CONFIG_PAX_SEGMEXEC
50791 + if (pax_find_mirror_vma(vma))
50792 + BUG_ON(!trylock_page(new_page));
50796 if (!PageAnon(old_page)) {
50797 dec_mm_counter_fast(mm, MM_FILEPAGES);
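Review bot: `BUG_ON(!trylock_page(new_page));` puts the lock acquisition inside an assertion, so the statement that takes the page lock reads like a pure check. The same pattern is added in the do_anonymous_page hunk (`BUG_ON(!trylock_page(page));`) and in the __do_fault hunk. Writing it as `if (pax_find_mirror_vma(vma) && !trylock_page(new_page)) BUG();` keeps the side effect visible, and a comment should say that the lock is released inside pax_mirror_anon_pte(), which is called further down in the same path. The enclosing function starts and ends outside this hunk.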
50798 @@ -2326,6 +2520,10 @@ gotten:
50799 page_remove_rmap(old_page);
50802 +#ifdef CONFIG_PAX_SEGMEXEC
50803 + pax_mirror_anon_pte(vma, address, new_page, ptl);
50806 /* Free the old page.. */
50807 new_page = old_page;
50808 ret |= VM_FAULT_WRITE;
50809 @@ -2734,6 +2932,11 @@ static int do_swap_page(struct mm_struct
50811 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
50812 try_to_free_swap(page);
50814 +#ifdef CONFIG_PAX_SEGMEXEC
50815 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
50820 if (flags & FAULT_FLAG_WRITE) {
50821 @@ -2745,6 +2948,11 @@ static int do_swap_page(struct mm_struct
50823 /* No need to invalidate - it was non-present before */
50824 update_mmu_cache(vma, address, page_table);
50826 +#ifdef CONFIG_PAX_SEGMEXEC
50827 + pax_mirror_anon_pte(vma, address, page, ptl);
50831 pte_unmap_unlock(page_table, ptl);
50833 @@ -2760,33 +2968,6 @@ out_release:
50837 - * This is like a special single-page "expand_downwards()",
50838 - * except we must first make sure that 'address-PAGE_SIZE'
50839 - * doesn't hit another vma.
50841 - * The "find_vma()" will do the right thing even if we wrap
50843 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
50845 - address &= PAGE_MASK;
50846 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
50847 - struct vm_area_struct *prev = vma->vm_prev;
50850 - * Is there a mapping abutting this one below?
50852 - * That's only ok if it's the same stack mapping
50853 - * that has gotten split..
50855 - if (prev && prev->vm_end == address)
50856 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
50858 - expand_stack(vma, address - PAGE_SIZE);
50864 * We enter with non-exclusive mmap_sem (to exclude vma changes,
50865 * but allow concurrent faults), and pte mapped but not yet locked.
50866 * We return with mmap_sem still held, but pte unmapped and unlocked.
50867 @@ -2795,27 +2976,23 @@ static int do_anonymous_page(struct mm_s
50868 unsigned long address, pte_t *page_table, pmd_t *pmd,
50869 unsigned int flags)
50871 - struct page *page;
50872 + struct page *page = NULL;
50876 - pte_unmap(page_table);
50878 - /* Check if we need to add a guard page to the stack */
50879 - if (check_stack_guard_page(vma, address) < 0)
50880 - return VM_FAULT_SIGBUS;
50882 - /* Use the zero-page for reads */
50883 if (!(flags & FAULT_FLAG_WRITE)) {
50884 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
50885 vma->vm_page_prot));
50886 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50887 + ptl = pte_lockptr(mm, pmd);
50889 if (!pte_none(*page_table))
50894 /* Allocate our own private page. */
50895 + pte_unmap(page_table);
50897 if (unlikely(anon_vma_prepare(vma)))
50899 page = alloc_zeroed_user_highpage_movable(vma, address);
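Review bot: This hunk removes the `check_stack_guard_page()` call, and the hunk before it deletes the helper, so this path no longer maintains a guard page below a grows-down stack. The replacement is not visible here; within this part of the patch only `sysctl_heap_stack_gap` in mm/mmap.c hints at it, so a comment at the old call site should name the mechanism that now keeps the stack from growing into a neighbouring mapping. The switch from `pte_offset_map_lock()` to `ptl = pte_lockptr(mm, pmd);` means the read path now relies on `page_table` still being mapped by the caller, since `pte_unmap(page_table)` moved below the zero-page branch; that ordering needs a why-comment as well. The function body continues outside the hunk and some added lines are not shown.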
50900 @@ -2834,6 +3011,11 @@ static int do_anonymous_page(struct mm_s
50901 if (!pte_none(*page_table))
50904 +#ifdef CONFIG_PAX_SEGMEXEC
50905 + if (pax_find_mirror_vma(vma))
50906 + BUG_ON(!trylock_page(page));
50909 inc_mm_counter_fast(mm, MM_ANONPAGES);
50910 page_add_new_anon_rmap(page, vma, address);
50912 @@ -2841,6 +3023,12 @@ setpte:
50914 /* No need to invalidate - it was non-present before */
50915 update_mmu_cache(vma, address, page_table);
50917 +#ifdef CONFIG_PAX_SEGMEXEC
50919 + pax_mirror_anon_pte(vma, address, page, ptl);
50923 pte_unmap_unlock(page_table, ptl);
50925 @@ -2983,6 +3171,12 @@ static int __do_fault(struct mm_struct *
50927 /* Only go through if we didn't race with anybody else... */
50928 if (likely(pte_same(*page_table, orig_pte))) {
50930 +#ifdef CONFIG_PAX_SEGMEXEC
50931 + if (anon && pax_find_mirror_vma(vma))
50932 + BUG_ON(!trylock_page(page));
50935 flush_icache_page(vma, page);
50936 entry = mk_pte(page, vma->vm_page_prot);
50937 if (flags & FAULT_FLAG_WRITE)
50938 @@ -3002,6 +3196,14 @@ static int __do_fault(struct mm_struct *
50940 /* no need to invalidate: a not-present page won't be cached */
50941 update_mmu_cache(vma, address, page_table);
50943 +#ifdef CONFIG_PAX_SEGMEXEC
50945 + pax_mirror_anon_pte(vma, address, page, ptl);
50947 + pax_mirror_file_pte(vma, address, page, ptl);
50952 mem_cgroup_uncharge_page(page);
50953 @@ -3149,6 +3351,12 @@ static inline int handle_pte_fault(struc
50954 if (flags & FAULT_FLAG_WRITE)
50955 flush_tlb_page(vma, address);
50958 +#ifdef CONFIG_PAX_SEGMEXEC
50959 + pax_mirror_pte(vma, address, pte, pmd, ptl);
50964 pte_unmap_unlock(pte, ptl);
50966 @@ -3165,6 +3373,10 @@ int handle_mm_fault(struct mm_struct *mm
50970 +#ifdef CONFIG_PAX_SEGMEXEC
50971 + struct vm_area_struct *vma_m;
50974 __set_current_state(TASK_RUNNING);
50976 count_vm_event(PGFAULT);
50977 @@ -3175,6 +3387,34 @@ int handle_mm_fault(struct mm_struct *mm
50978 if (unlikely(is_vm_hugetlb_page(vma)))
50979 return hugetlb_fault(mm, vma, address, flags);
50981 +#ifdef CONFIG_PAX_SEGMEXEC
50982 + vma_m = pax_find_mirror_vma(vma);
50984 + unsigned long address_m;
50989 + if (vma->vm_start > vma_m->vm_start) {
50990 + address_m = address;
50991 + address -= SEGMEXEC_TASK_SIZE;
50994 + address_m = address + SEGMEXEC_TASK_SIZE;
50996 + pgd_m = pgd_offset(mm, address_m);
50997 + pud_m = pud_alloc(mm, pgd_m, address_m);
50999 + return VM_FAULT_OOM;
51000 + pmd_m = pmd_alloc(mm, pud_m, address_m);
51002 + return VM_FAULT_OOM;
51003 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
51004 + return VM_FAULT_OOM;
51005 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
51009 pgd = pgd_offset(mm, address);
51010 pud = pud_alloc(mm, pgd, address);
51012 @@ -3272,7 +3512,7 @@ static int __init gate_vma_init(void)
51013 gate_vma.vm_start = FIXADDR_USER_START;
51014 gate_vma.vm_end = FIXADDR_USER_END;
51015 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
51016 - gate_vma.vm_page_prot = __P101;
51017 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
51019 * Make sure the vDSO gets into every core dump.
51020 * Dumping its contents makes post-mortem fully interpretable later
51021 diff -urNp linux-2.6.35.4/mm/memory-failure.c linux-2.6.35.4/mm/memory-failure.c
51022 --- linux-2.6.35.4/mm/memory-failure.c 2010-08-26 19:47:12.000000000 -0400
51023 +++ linux-2.6.35.4/mm/memory-failure.c 2010-09-17 20:12:09.000000000 -0400
51024 @@ -51,7 +51,7 @@ int sysctl_memory_failure_early_kill __r
51026 int sysctl_memory_failure_recovery __read_mostly = 1;
51028 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51029 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51031 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
51033 @@ -939,7 +939,7 @@ int __memory_failure(unsigned long pfn,
51037 - atomic_long_add(1, &mce_bad_pages);
51038 + atomic_long_add_unchecked(1, &mce_bad_pages);
51041 * We need/can do nothing about count=0 pages.
51042 @@ -1003,7 +1003,7 @@ int __memory_failure(unsigned long pfn,
51044 if (hwpoison_filter(p)) {
51045 if (TestClearPageHWPoison(p))
51046 - atomic_long_dec(&mce_bad_pages);
51047 + atomic_long_dec_unchecked(&mce_bad_pages);
51051 @@ -1096,7 +1096,7 @@ int unpoison_memory(unsigned long pfn)
51053 if (!get_page_unless_zero(page)) {
51054 if (TestClearPageHWPoison(p))
51055 - atomic_long_dec(&mce_bad_pages);
51056 + atomic_long_dec_unchecked(&mce_bad_pages);
51057 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
51060 @@ -1110,7 +1110,7 @@ int unpoison_memory(unsigned long pfn)
51062 if (TestClearPageHWPoison(p)) {
51063 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
51064 - atomic_long_dec(&mce_bad_pages);
51065 + atomic_long_dec_unchecked(&mce_bad_pages);
51069 @@ -1291,7 +1291,7 @@ int soft_offline_page(struct page *page,
51073 - atomic_long_add(1, &mce_bad_pages);
51074 + atomic_long_add_unchecked(1, &mce_bad_pages);
51075 SetPageHWPoison(page);
51076 /* keep elevated page count for bad page */
51078 diff -urNp linux-2.6.35.4/mm/mempolicy.c linux-2.6.35.4/mm/mempolicy.c
51079 --- linux-2.6.35.4/mm/mempolicy.c 2010-08-26 19:47:12.000000000 -0400
51080 +++ linux-2.6.35.4/mm/mempolicy.c 2010-09-17 20:12:37.000000000 -0400
51081 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
51082 unsigned long vmstart;
51083 unsigned long vmend;
51085 +#ifdef CONFIG_PAX_SEGMEXEC
51086 + struct vm_area_struct *vma_m;
51089 vma = find_vma_prev(mm, start, &prev);
51090 if (!vma || vma->vm_start > start)
51092 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
51093 err = policy_vma(vma, new_pol);
51097 +#ifdef CONFIG_PAX_SEGMEXEC
51098 + vma_m = pax_find_mirror_vma(vma);
51100 + err = policy_vma(vma_m, new_pol);
51109 @@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
51114 +#ifdef CONFIG_PAX_SEGMEXEC
51115 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
51116 + if (end > SEGMEXEC_TASK_SIZE)
51121 + if (end > TASK_SIZE)
51127 @@ -1303,6 +1328,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51131 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51132 + if (mm != current->mm &&
51133 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51140 * Check if this process has the right to modify the specified
51141 * process. The right exists if the process has administrative
51142 @@ -1312,8 +1345,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51144 tcred = __task_cred(task);
51145 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51146 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
51147 - !capable(CAP_SYS_NICE)) {
51148 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
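Review bot: Dropping `cred->uid != tcred->uid` changes the permission rule without updating its description: a caller whose real uid equals the target's real uid, but whose effective uid matches neither the target's uid nor its saved uid, is now refused unless it has CAP_SYS_NICE. The comment block above the check, only partly visible in this hunk, still reads as the old rule and should list the id pairs that grant access, e.g. `* Access needs euid == target uid/suid, or uid == target suid, or CAP_SYS_NICE.` The identical change in the move_pages hunk in mm/migrate.c needs the same update. The syscall body starts and ends outside this hunk.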
51152 @@ -2564,7 +2596,7 @@ int show_numa_map(struct seq_file *m, vo
51155 seq_printf(m, " file=");
51156 - seq_path(m, &file->f_path, "\n\t= ");
51157 + seq_path(m, &file->f_path, "\n\t\\= ");
51158 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
51159 seq_printf(m, " heap");
51160 } else if (vma->vm_start <= mm->start_stack &&
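Review bot: The escape set passed to `seq_path()` gains a backslash (`"\n\t\\= "`), but nothing records why. Presumably a file name containing a literal backslash sequence could otherwise be indistinguishable from an escaped character in this output, which matters to anything that parses it; a short comment such as `/* also escape '\\' so escaped output stays unambiguous */` above the call would capture that. show_numa_map starts before and continues after this hunk.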
51161 diff -urNp linux-2.6.35.4/mm/migrate.c linux-2.6.35.4/mm/migrate.c
51162 --- linux-2.6.35.4/mm/migrate.c 2010-08-26 19:47:12.000000000 -0400
51163 +++ linux-2.6.35.4/mm/migrate.c 2010-09-17 20:12:37.000000000 -0400
51164 @@ -1102,6 +1102,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
51168 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51169 + if (mm != current->mm &&
51170 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51177 * Check if this process has the right to modify the specified
51178 * process. The right exists if the process has administrative
51179 @@ -1111,8 +1119,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
51181 tcred = __task_cred(task);
51182 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51183 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
51184 - !capable(CAP_SYS_NICE)) {
51185 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
51189 diff -urNp linux-2.6.35.4/mm/mlock.c linux-2.6.35.4/mm/mlock.c
51190 --- linux-2.6.35.4/mm/mlock.c 2010-08-26 19:47:12.000000000 -0400
51191 +++ linux-2.6.35.4/mm/mlock.c 2010-09-17 20:12:37.000000000 -0400
51193 #include <linux/pagemap.h>
51194 #include <linux/mempolicy.h>
51195 #include <linux/syscalls.h>
51196 +#include <linux/security.h>
51197 #include <linux/sched.h>
51198 #include <linux/module.h>
51199 #include <linux/rmap.h>
51200 @@ -135,19 +136,6 @@ void munlock_vma_page(struct page *page)
51204 -/* Is the vma a continuation of the stack vma above it? */
51205 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
51207 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
51210 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
51212 - return (vma->vm_flags & VM_GROWSDOWN) &&
51213 - (vma->vm_start == addr) &&
51214 - !vma_stack_continue(vma->vm_prev, addr);
51218 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
51220 @@ -180,12 +168,6 @@ static long __mlock_vma_pages_range(stru
51221 if (vma->vm_flags & VM_WRITE)
51222 gup_flags |= FOLL_WRITE;
51224 - /* We don't try to access the guard page of a stack vma */
51225 - if (stack_guard_page(vma, start)) {
51226 - addr += PAGE_SIZE;
51230 while (nr_pages > 0) {
51233 @@ -451,6 +433,9 @@ static int do_mlock(unsigned long start,
51237 + if (end > TASK_SIZE)
51240 vma = find_vma_prev(current->mm, start, &prev);
51241 if (!vma || vma->vm_start > start)
51243 @@ -461,6 +446,11 @@ static int do_mlock(unsigned long start,
51244 for (nstart = start ; ; ) {
51245 unsigned int newflags;
51247 +#ifdef CONFIG_PAX_SEGMEXEC
51248 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51252 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
51254 newflags = vma->vm_flags | VM_LOCKED;
51255 @@ -510,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
51256 lock_limit >>= PAGE_SHIFT;
51258 /* check against resource limits */
51259 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
51260 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
51261 error = do_mlock(start, len, 1);
51262 up_write(¤t->mm->mmap_sem);
51263 @@ -531,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
51264 static int do_mlockall(int flags)
51266 struct vm_area_struct * vma, * prev = NULL;
51267 - unsigned int def_flags = 0;
51269 if (flags & MCL_FUTURE)
51270 - def_flags = VM_LOCKED;
51271 - current->mm->def_flags = def_flags;
51272 + current->mm->def_flags |= VM_LOCKED;
51274 + current->mm->def_flags &= ~VM_LOCKED;
51275 if (flags == MCL_FUTURE)
51278 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
51279 - unsigned int newflags;
51280 + unsigned long newflags;
51282 +#ifdef CONFIG_PAX_SEGMEXEC
51283 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51287 + BUG_ON(vma->vm_end > TASK_SIZE);
51288 newflags = vma->vm_flags | VM_LOCKED;
51289 if (!(flags & MCL_CURRENT))
51290 newflags &= ~VM_LOCKED;
51291 @@ -573,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
51292 lock_limit >>= PAGE_SHIFT;
51295 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
51296 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
51297 capable(CAP_IPC_LOCK))
51298 ret = do_mlockall(flags);
51299 diff -urNp linux-2.6.35.4/mm/mmap.c linux-2.6.35.4/mm/mmap.c
51300 --- linux-2.6.35.4/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
51301 +++ linux-2.6.35.4/mm/mmap.c 2010-09-17 20:12:37.000000000 -0400
51303 #define arch_rebalance_pgtables(addr, len) (addr)
51306 +static inline void verify_mm_writelocked(struct mm_struct *mm)
51308 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
51309 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
51310 + up_read(&mm->mmap_sem);
51316 static void unmap_region(struct mm_struct *mm,
51317 struct vm_area_struct *vma, struct vm_area_struct *prev,
51318 unsigned long start, unsigned long end);
51319 @@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
51320 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
51323 -pgprot_t protection_map[16] = {
51324 +pgprot_t protection_map[16] __read_only = {
51325 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
51326 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
51329 pgprot_t vm_get_page_prot(unsigned long vm_flags)
51331 - return __pgprot(pgprot_val(protection_map[vm_flags &
51332 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
51333 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
51334 pgprot_val(arch_vm_get_page_prot(vm_flags)));
51336 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51337 + if (!(__supported_pte_mask & _PAGE_NX) &&
51338 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
51339 + (vm_flags & (VM_READ | VM_WRITE)))
51340 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
51345 EXPORT_SYMBOL(vm_get_page_prot);
51347 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
51348 int sysctl_overcommit_ratio = 50; /* default is 50% */
51349 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
51350 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
51351 struct percpu_counter vm_committed_as;
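Review bot: `sysctl_heap_stack_gap` is introduced with the bare value `64*1024` and no comment, unlike the two sysctl defaults above it, which each carry a trailing note. Neither the unit nor the place where the gap is enforced can be read from this hunk, so a trailing comment in the same style is needed, e.g. `/* gap kept between heap and stack mappings; presumably bytes */` once the unit is confirmed. The PAGEEXEC branch added to vm_get_page_prot() would also benefit from one line saying that it only applies when `_PAGE_NX` is absent from `__supported_pte_mask`.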
51354 @@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
51355 struct vm_area_struct *next = vma->vm_next;
51358 + BUG_ON(vma->vm_mirror);
51359 if (vma->vm_ops && vma->vm_ops->close)
51360 vma->vm_ops->close(vma);
51361 if (vma->vm_file) {
51362 @@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
51363 * not page aligned -Ram Gupta
51365 rlim = rlimit(RLIMIT_DATA);
51366 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
51367 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
51368 (mm->end_data - mm->start_data) > rlim)
51370 @@ -695,6 +717,12 @@ static int
51371 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
51372 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51375 +#ifdef CONFIG_PAX_SEGMEXEC
51376 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
51380 if (is_mergeable_vma(vma, file, vm_flags) &&
51381 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51382 if (vma->vm_pgoff == vm_pgoff)
51383 @@ -714,6 +742,12 @@ static int
51384 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
51385 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51388 +#ifdef CONFIG_PAX_SEGMEXEC
51389 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
51393 if (is_mergeable_vma(vma, file, vm_flags) &&
51394 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51396 @@ -756,13 +790,20 @@ can_vma_merge_after(struct vm_area_struc
51397 struct vm_area_struct *vma_merge(struct mm_struct *mm,
51398 struct vm_area_struct *prev, unsigned long addr,
51399 unsigned long end, unsigned long vm_flags,
51400 - struct anon_vma *anon_vma, struct file *file,
51401 + struct anon_vma *anon_vma, struct file *file,
51402 pgoff_t pgoff, struct mempolicy *policy)
51404 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
51405 struct vm_area_struct *area, *next;
51408 +#ifdef CONFIG_PAX_SEGMEXEC
51409 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
51410 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
51412 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
51416 * We later require that vma->vm_flags == vm_flags,
51417 * so this tests vma->vm_flags & VM_SPECIAL, too.
51418 @@ -778,6 +819,15 @@ struct vm_area_struct *vma_merge(struct
51419 if (next && next->vm_end == end) /* cases 6, 7, 8 */
51420 next = next->vm_next;
51422 +#ifdef CONFIG_PAX_SEGMEXEC
51424 + prev_m = pax_find_mirror_vma(prev);
51426 + area_m = pax_find_mirror_vma(area);
51428 + next_m = pax_find_mirror_vma(next);
51432 * Can it merge with the predecessor?
51434 @@ -797,9 +847,24 @@ struct vm_area_struct *vma_merge(struct
51436 err = vma_adjust(prev, prev->vm_start,
51437 next->vm_end, prev->vm_pgoff, NULL);
51438 - } else /* cases 2, 5, 7 */
51440 +#ifdef CONFIG_PAX_SEGMEXEC
51441 + if (!err && prev_m)
51442 + err = vma_adjust(prev_m, prev_m->vm_start,
51443 + next_m->vm_end, prev_m->vm_pgoff, NULL);
51446 + } else { /* cases 2, 5, 7 */
51447 err = vma_adjust(prev, prev->vm_start,
51448 end, prev->vm_pgoff, NULL);
51450 +#ifdef CONFIG_PAX_SEGMEXEC
51451 + if (!err && prev_m)
51452 + err = vma_adjust(prev_m, prev_m->vm_start,
51453 + end_m, prev_m->vm_pgoff, NULL);
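Review bot: In the first added mirror adjustment, `next_m->vm_end` is dereferenced under a guard that tests only `prev_m` (`if (!err && prev_m)`). The next hunk has the same shape, using `next_m->vm_end` and `next_m->vm_pgoff` under `if (!err && area_m)`. If the invariant is that a mirrored `prev` or `area` always has a mirrored `next`, state it in a comment where the three mirrors are looked up, or make the guard explicit with `if (!err && prev_m && next_m)`. It is also worth noting in a comment what state the primary and mirror vmas are left in when the first `vma_adjust()` succeeds and the mirror's fails. vma_merge starts and ends outside these hunks.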
51460 @@ -812,12 +877,27 @@ struct vm_area_struct *vma_merge(struct
51461 mpol_equal(policy, vma_policy(next)) &&
51462 can_vma_merge_before(next, vm_flags,
51463 anon_vma, file, pgoff+pglen)) {
51464 - if (prev && addr < prev->vm_end) /* case 4 */
51465 + if (prev && addr < prev->vm_end) { /* case 4 */
51466 err = vma_adjust(prev, prev->vm_start,
51467 addr, prev->vm_pgoff, NULL);
51468 - else /* cases 3, 8 */
51470 +#ifdef CONFIG_PAX_SEGMEXEC
51471 + if (!err && prev_m)
51472 + err = vma_adjust(prev_m, prev_m->vm_start,
51473 + addr_m, prev_m->vm_pgoff, NULL);
51476 + } else { /* cases 3, 8 */
51477 err = vma_adjust(area, addr, next->vm_end,
51478 next->vm_pgoff - pglen, NULL);
51480 +#ifdef CONFIG_PAX_SEGMEXEC
51481 + if (!err && area_m)
51482 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
51483 + next_m->vm_pgoff - pglen, NULL);
51490 @@ -932,14 +1012,11 @@ none:
51491 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
51492 struct file *file, long pages)
51494 - const unsigned long stack_flags
51495 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
51498 mm->shared_vm += pages;
51499 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
51500 mm->exec_vm += pages;
51501 - } else if (flags & stack_flags)
51502 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
51503 mm->stack_vm += pages;
51504 if (flags & (VM_RESERVED|VM_IO))
51505 mm->reserved_vm += pages;
51506 @@ -966,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file
51507 * (the exception is when the underlying filesystem is noexec
51508 * mounted, in which case we dont add PROT_EXEC.)
51510 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
51511 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
51512 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
51515 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
51516 /* Obtain the address to map to. we verify (or select) it and ensure
51517 * that it represents a valid section of the address space.
51519 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
51520 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
51521 if (addr & ~PAGE_MASK)
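Review bot: `flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)` reuses a flag that callers of mmap can also set themselves, so a get_unmapped_area implementation cannot tell a hint derived from `prot` apart from a caller-supplied MAP_EXECUTABLE. If that overlap is intended, say so at the call, e.g. `/* MAP_EXECUTABLE doubles as an internal "executable mapping" hint for address selection */`. The line is also long enough that computing the hint into a local first would read better. do_mmap_pgoff starts and ends outside this hunk.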
51524 @@ -1003,6 +1080,28 @@ unsigned long do_mmap_pgoff(struct file
51525 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
51526 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
51528 +#ifdef CONFIG_PAX_MPROTECT
51529 + if (mm->pax_flags & MF_PAX_MPROTECT) {
51530 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
51532 +#ifdef CONFIG_PAX_EMUPLT
51533 + vm_flags &= ~VM_EXEC;
51538 + if (!(vm_flags & VM_EXEC))
51539 + vm_flags &= ~VM_MAYEXEC;
51541 + vm_flags &= ~VM_MAYWRITE;
51545 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51546 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
51547 + vm_flags &= ~VM_PAGEEXEC;
51550 if (flags & MAP_LOCKED)
51551 if (!can_do_mlock())
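Review bot: The added CONFIG_PAX_MPROTECT block has no comment stating the policy it enforces, and the same sequence is repeated in the install_special_mapping hunk. From the visible lines it clears VM_MAYEXEC when the mapping is not executable and otherwise appears to clear VM_MAYWRITE, so a later mprotect() cannot add the missing permission. A one-line comment above the block, such as `/* MPROTECT: a mapping may never become both writable and executable */`, would record that, and a shared static inline helper would keep the two copies from drifting apart. Some lines of the block are not shown in this listing, so the wording should be checked against the full source.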
51553 @@ -1014,6 +1113,7 @@ unsigned long do_mmap_pgoff(struct file
51554 locked += mm->locked_vm;
51555 lock_limit = rlimit(RLIMIT_MEMLOCK);
51556 lock_limit >>= PAGE_SHIFT;
51557 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51558 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
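Review bot: `locked << PAGE_SHIFT` in the added gr_learn_resource() call can wrap on 32-bit, because `locked` is a page count that already includes `mm->locked_vm` and nothing here bounds it so that the byte value fits in an unsigned long. The hook would then record a small value for what was a very large request. The same conversion appears in the acct_stack_growth hunk and, as `(cur + npages) << PAGE_SHIFT`, in the may_expand_vm hunk. If the third parameter is an unsigned long byte count (its prototype is not in this listing), clamp before shifting, e.g. `min(locked, ULONG_MAX >> PAGE_SHIFT) << PAGE_SHIFT`. do_mmap_pgoff() continues outside this hunk.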
51561 @@ -1084,6 +1184,9 @@ unsigned long do_mmap_pgoff(struct file
51565 + if (!gr_acl_handle_mmap(file, prot))
51568 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
51570 EXPORT_SYMBOL(do_mmap_pgoff);
51571 @@ -1160,10 +1263,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
51573 int vma_wants_writenotify(struct vm_area_struct *vma)
51575 - unsigned int vm_flags = vma->vm_flags;
51576 + unsigned long vm_flags = vma->vm_flags;
51578 /* If it was private or non-writable, the write bit is already clear */
51579 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
51580 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
51583 /* The backer wishes to know when pages are first written to? */
51584 @@ -1212,14 +1315,24 @@ unsigned long mmap_region(struct file *f
51585 unsigned long charged = 0;
51586 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
51588 +#ifdef CONFIG_PAX_SEGMEXEC
51589 + struct vm_area_struct *vma_m = NULL;
51593 + * mm->mmap_sem is required to protect against another thread
51594 + * changing the mappings in case we sleep.
51596 + verify_mm_writelocked(mm);
51598 /* Clear old maps */
51601 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51602 if (vma && vma->vm_start < addr + len) {
51603 if (do_munmap(mm, addr, len))
51605 - goto munmap_back;
51606 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51607 + BUG_ON(vma && vma->vm_start < addr + len);
51610 /* Check against address space limit. */
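Review bot: The re-lookup followed by `BUG_ON(vma && vma->vm_start < addr + len);` replaces the old `goto munmap_back` retry without saying why a single pass is now enough. The invariant seems to rest on the `verify_mm_writelocked(mm)` call added at the top of the function: with mmap_sem held for writing, nothing can map into the range after a successful do_munmap(). A comment at the BUG_ON would record that, e.g. `/* mmap_sem is write-locked, so a successful do_munmap() leaves [addr, addr+len) empty */`. The do_brk hunk makes the same replacement and would benefit from the same comment. mmap_region() continues outside this hunk.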
51611 @@ -1268,6 +1381,16 @@ munmap_back:
51615 +#ifdef CONFIG_PAX_SEGMEXEC
51616 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
51617 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
51626 vma->vm_start = addr;
51627 vma->vm_end = addr + len;
51628 @@ -1291,6 +1414,19 @@ munmap_back:
51629 error = file->f_op->mmap(file, vma);
51631 goto unmap_and_free_vma;
51633 +#ifdef CONFIG_PAX_SEGMEXEC
51634 + if (vma_m && (vm_flags & VM_EXECUTABLE))
51635 + added_exe_file_vma(mm);
51638 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51639 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
51640 + vma->vm_flags |= VM_PAGEEXEC;
51641 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
51645 if (vm_flags & VM_EXECUTABLE)
51646 added_exe_file_vma(mm);
51648 @@ -1326,6 +1462,11 @@ munmap_back:
51649 vma_link(mm, vma, prev, rb_link, rb_parent);
51650 file = vma->vm_file;
51652 +#ifdef CONFIG_PAX_SEGMEXEC
51654 + BUG_ON(pax_mirror_vma(vma_m, vma));
51657 /* Once vma denies write, undo our temporary denial count */
51658 if (correct_wcount)
51659 atomic_inc(&inode->i_writecount);
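Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` turns an ordinary failure into a kernel BUG: pax_mirror_vma(), added later in this patch, bails out when `anon_vma_clone()` fails, which is an allocation failure rather than a broken invariant. The mprotect_fixup hunk treats the same call as fallible with `error = pax_mirror_vma(vma_m, vma);`. Here the call sits after `vma_link()`, so a clean unwind is harder; doing the fallible clone before the VMA is linked would be safer, and at minimum the line deserves a comment such as `/* FIXME: anon_vma_clone() can fail under memory pressure; unwind instead of BUG */`. The same BUG_ON appears in the insert_vm_struct hunk. mmap_region() starts and ends outside this hunk.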
51660 @@ -1334,6 +1475,7 @@ out:
51662 mm->total_vm += len >> PAGE_SHIFT;
51663 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
51664 + track_exec_limit(mm, addr, addr + len, vm_flags);
51665 if (vm_flags & VM_LOCKED) {
51666 if (!mlock_vma_pages_range(vma, addr, addr + len))
51667 mm->locked_vm += (len >> PAGE_SHIFT);
51668 @@ -1351,6 +1493,12 @@ unmap_and_free_vma:
51669 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
51673 +#ifdef CONFIG_PAX_SEGMEXEC
51675 + kmem_cache_free(vm_area_cachep, vma_m);
51678 kmem_cache_free(vm_area_cachep, vma);
51681 @@ -1358,6 +1506,33 @@ unacct_error:
51685 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
51688 +#ifdef CONFIG_STACK_GROWSUP
51689 + if (addr > sysctl_heap_stack_gap)
51690 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
51692 + vma = find_vma(current->mm, 0);
51693 + if (vma && (vma->vm_flags & VM_GROWSUP))
51699 + if (addr + len > vma->vm_start)
51702 + if (vma->vm_flags & VM_GROWSDOWN)
51703 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
51704 +#ifdef CONFIG_STACK_GROWSUP
51705 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
51706 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
51712 /* Get an address range which is currently unmapped.
51713 * For shmat() with addr=0.
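Review bot: The CONFIG_STACK_GROWSUP branch near the end of check_heap_stack_gap() looks inverted: `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts a placement when the distance to the upward-growing stack is at most the gap. The VM_GROWSDOWN branch just above accepts only when the gap fits, `sysctl_heap_stack_gap <= vma->vm_start - addr - len`. For the two to agree the line would read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Several lines of the function are not shown in this listing, so this should be confirmed against the full source.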
51715 @@ -1384,18 +1559,23 @@ arch_get_unmapped_area(struct file *filp
51716 if (flags & MAP_FIXED)
51719 +#ifdef CONFIG_PAX_RANDMMAP
51720 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51724 addr = PAGE_ALIGN(addr);
51725 - vma = find_vma(mm, addr);
51726 - if (TASK_SIZE - len >= addr &&
51727 - (!vma || addr + len <= vma->vm_start))
51729 + if (TASK_SIZE - len >= addr) {
51730 + vma = find_vma(mm, addr);
51731 + if (check_heap_stack_gap(vma, addr, len))
51735 if (len > mm->cached_hole_size) {
51736 - start_addr = addr = mm->free_area_cache;
51737 + start_addr = addr = mm->free_area_cache;
51739 - start_addr = addr = TASK_UNMAPPED_BASE;
51740 - mm->cached_hole_size = 0;
51741 + start_addr = addr = mm->mmap_base;
51742 + mm->cached_hole_size = 0;
51746 @@ -1406,34 +1586,40 @@ full_search:
51747 * Start a new search - just in case we missed
51750 - if (start_addr != TASK_UNMAPPED_BASE) {
51751 - addr = TASK_UNMAPPED_BASE;
51752 - start_addr = addr;
51753 + if (start_addr != mm->mmap_base) {
51754 + start_addr = addr = mm->mmap_base;
51755 mm->cached_hole_size = 0;
51760 - if (!vma || addr + len <= vma->vm_start) {
51762 - * Remember the place where we stopped the search:
51764 - mm->free_area_cache = addr + len;
51767 + if (check_heap_stack_gap(vma, addr, len))
51769 if (addr + mm->cached_hole_size < vma->vm_start)
51770 mm->cached_hole_size = vma->vm_start - addr;
51771 addr = vma->vm_end;
51775 + * Remember the place where we stopped the search:
51777 + mm->free_area_cache = addr + len;
51782 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
51785 +#ifdef CONFIG_PAX_SEGMEXEC
51786 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51791 * Is this a new hole at the lowest possible address?
51793 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
51794 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
51795 mm->free_area_cache = addr;
51796 mm->cached_hole_size = ~0UL;
51798 @@ -1451,7 +1637,7 @@ arch_get_unmapped_area_topdown(struct fi
51800 struct vm_area_struct *vma;
51801 struct mm_struct *mm = current->mm;
51802 - unsigned long addr = addr0;
51803 + unsigned long base = mm->mmap_base, addr = addr0;
51805 /* requested length too big for entire address space */
51806 if (len > TASK_SIZE)
51807 @@ -1460,13 +1646,18 @@ arch_get_unmapped_area_topdown(struct fi
51808 if (flags & MAP_FIXED)
51811 +#ifdef CONFIG_PAX_RANDMMAP
51812 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51815 /* requesting a specific address */
51817 addr = PAGE_ALIGN(addr);
51818 - vma = find_vma(mm, addr);
51819 - if (TASK_SIZE - len >= addr &&
51820 - (!vma || addr + len <= vma->vm_start))
51822 + if (TASK_SIZE - len >= addr) {
51823 + vma = find_vma(mm, addr);
51824 + if (check_heap_stack_gap(vma, addr, len))
51829 /* check if free_area_cache is useful for us */
51830 @@ -1481,7 +1672,7 @@ arch_get_unmapped_area_topdown(struct fi
51831 /* make sure it can fit in the remaining address space */
51833 vma = find_vma(mm, addr-len);
51834 - if (!vma || addr <= vma->vm_start)
51835 + if (check_heap_stack_gap(vma, addr - len, len))
51836 /* remember the address as a hint for next time */
51837 return (mm->free_area_cache = addr-len);
51839 @@ -1498,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
51840 * return with success:
51842 vma = find_vma(mm, addr);
51843 - if (!vma || addr+len <= vma->vm_start)
51844 + if (check_heap_stack_gap(vma, addr, len))
51845 /* remember the address as a hint for next time */
51846 return (mm->free_area_cache = addr);
51848 @@ -1517,13 +1708,21 @@ bottomup:
51849 * can happen with large stack limits and large mmap()
51852 + mm->mmap_base = TASK_UNMAPPED_BASE;
51854 +#ifdef CONFIG_PAX_RANDMMAP
51855 + if (mm->pax_flags & MF_PAX_RANDMMAP)
51856 + mm->mmap_base += mm->delta_mmap;
51859 + mm->free_area_cache = mm->mmap_base;
51860 mm->cached_hole_size = ~0UL;
51861 - mm->free_area_cache = TASK_UNMAPPED_BASE;
51862 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
51864 * Restore the topdown base:
51866 - mm->free_area_cache = mm->mmap_base;
51867 + mm->mmap_base = base;
51868 + mm->free_area_cache = base;
51869 mm->cached_hole_size = ~0UL;
51872 @@ -1532,6 +1731,12 @@ bottomup:
51874 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
51877 +#ifdef CONFIG_PAX_SEGMEXEC
51878 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51883 * Is this a new hole at the highest possible address?
51885 @@ -1539,8 +1744,10 @@ void arch_unmap_area_topdown(struct mm_s
51886 mm->free_area_cache = addr;
51888 /* dont allow allocations above current base */
51889 - if (mm->free_area_cache > mm->mmap_base)
51890 + if (mm->free_area_cache > mm->mmap_base) {
51891 mm->free_area_cache = mm->mmap_base;
51892 + mm->cached_hole_size = ~0UL;
51897 @@ -1648,6 +1855,34 @@ out:
51898 return prev ? prev->vm_next : vma;
51901 +#ifdef CONFIG_PAX_SEGMEXEC
51902 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
51904 + struct vm_area_struct *vma_m;
51906 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
51907 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
51908 + BUG_ON(vma->vm_mirror);
51911 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
51912 + vma_m = vma->vm_mirror;
51913 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
51914 + BUG_ON(vma->vm_file != vma_m->vm_file);
51915 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
51916 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
51917 + if (vma->anon_vma != vma_m->anon_vma) {
51918 + struct anon_vma_chain *avc, *avc_m;
51920 + avc = list_entry(vma->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51921 + avc_m = list_entry(vma_m->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51922 + BUG_ON(avc->anon_vma != avc_m->anon_vma);
51924 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
51930 * Verify that the stack growth is acceptable and
51931 * update accounting. This is shared with both the
51932 @@ -1664,6 +1899,7 @@ static int acct_stack_growth(struct vm_a
51935 /* Stack limit test */
51936 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
51937 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
51940 @@ -1674,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
51941 locked = mm->locked_vm + grow;
51942 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
51943 limit >>= PAGE_SHIFT;
51944 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51945 if (locked > limit && !capable(CAP_IPC_LOCK))
51948 @@ -1709,35 +1946,42 @@ static
51950 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
51953 + int error, locknext;
51955 if (!(vma->vm_flags & VM_GROWSUP))
51958 + /* Also guard against wrapping around to address 0. */
51959 + if (address < PAGE_ALIGN(address+1))
51960 + address = PAGE_ALIGN(address+1);
51965 * We must make sure the anon_vma is allocated
51966 * so that the anon_vma locking is not a noop.
51968 if (unlikely(anon_vma_prepare(vma)))
51970 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
51971 + if (locknext && anon_vma_prepare(vma->vm_next))
51973 anon_vma_lock(vma);
51975 + anon_vma_lock(vma->vm_next);
51978 * vma->vm_start/vm_end cannot change under us because the caller
51979 * is required to hold the mmap_sem in read mode. We need the
51980 - * anon_vma lock to serialize against concurrent expand_stacks.
51981 - * Also guard against wrapping around to address 0.
51982 + * anon_vma locks to serialize against concurrent expand_stacks
51983 + * and expand_upwards.
51985 - if (address < PAGE_ALIGN(address+4))
51986 - address = PAGE_ALIGN(address+4);
51988 - anon_vma_unlock(vma);
51993 /* Somebody else might have raced and expanded it already */
51994 - if (address > vma->vm_end) {
51995 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
51997 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
51998 unsigned long size, grow;
52000 size = address - vma->vm_start;
52001 @@ -1747,6 +1991,8 @@ int expand_upwards(struct vm_area_struct
52003 vma->vm_end = address;
52006 + anon_vma_unlock(vma->vm_next);
52007 anon_vma_unlock(vma);
52010 @@ -1758,7 +2004,8 @@ int expand_upwards(struct vm_area_struct
52011 static int expand_downwards(struct vm_area_struct *vma,
52012 unsigned long address)
52015 + int error, lockprev = 0;
52016 + struct vm_area_struct *prev;
52019 * We must make sure the anon_vma is allocated
52020 @@ -1772,6 +2019,15 @@ static int expand_downwards(struct vm_ar
52024 + prev = vma->vm_prev;
52025 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
52026 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
52028 + if (lockprev && anon_vma_prepare(prev))
52031 + anon_vma_lock(prev);
52033 anon_vma_lock(vma);
52036 @@ -1781,9 +2037,17 @@ static int expand_downwards(struct vm_ar
52039 /* Somebody else might have raced and expanded it already */
52040 - if (address < vma->vm_start) {
52041 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
52043 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
52044 unsigned long size, grow;
52046 +#ifdef CONFIG_PAX_SEGMEXEC
52047 + struct vm_area_struct *vma_m;
52049 + vma_m = pax_find_mirror_vma(vma);
52052 size = vma->vm_end - address;
52053 grow = (vma->vm_start - address) >> PAGE_SHIFT;
52055 @@ -1791,9 +2055,20 @@ static int expand_downwards(struct vm_ar
52057 vma->vm_start = address;
52058 vma->vm_pgoff -= grow;
52059 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
52061 +#ifdef CONFIG_PAX_SEGMEXEC
52063 + vma_m->vm_start -= grow << PAGE_SHIFT;
52064 + vma_m->vm_pgoff -= grow;
52070 anon_vma_unlock(vma);
52072 + anon_vma_unlock(prev);
52076 @@ -1867,6 +2142,13 @@ static void remove_vma_list(struct mm_st
52078 long nrpages = vma_pages(vma);
52080 +#ifdef CONFIG_PAX_SEGMEXEC
52081 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
52082 + vma = remove_vma(vma);
52087 mm->total_vm -= nrpages;
52088 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
52089 vma = remove_vma(vma);
52090 @@ -1912,6 +2194,16 @@ detach_vmas_to_be_unmapped(struct mm_str
52091 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
52092 vma->vm_prev = NULL;
52095 +#ifdef CONFIG_PAX_SEGMEXEC
52096 + if (vma->vm_mirror) {
52097 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
52098 + vma->vm_mirror->vm_mirror = NULL;
52099 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
52100 + vma->vm_mirror = NULL;
52104 rb_erase(&vma->vm_rb, &mm->mm_rb);
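Review bot: The first clause of `BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);` is redundant, because `vma` has already been dereferenced and a NULL back-pointer therefore fails the second comparison as well. `BUG_ON(vma->vm_mirror->vm_mirror != vma);` states the same invariant more plainly. detach_vmas_to_be_unmapped() starts and ends outside this hunk.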
52107 @@ -1940,14 +2232,33 @@ static int __split_vma(struct mm_struct
52108 struct vm_area_struct *new;
52111 +#ifdef CONFIG_PAX_SEGMEXEC
52112 + struct vm_area_struct *vma_m, *new_m = NULL;
52113 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
52116 if (is_vm_hugetlb_page(vma) && (addr &
52117 ~(huge_page_mask(hstate_vma(vma)))))
52120 +#ifdef CONFIG_PAX_SEGMEXEC
52121 + vma_m = pax_find_mirror_vma(vma);
52124 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52128 +#ifdef CONFIG_PAX_SEGMEXEC
52130 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52132 + kmem_cache_free(vm_area_cachep, new);
52138 /* most fields are the same, copy all, and then fixup */
52141 @@ -1960,6 +2271,22 @@ static int __split_vma(struct mm_struct
52142 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
52145 +#ifdef CONFIG_PAX_SEGMEXEC
52148 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
52149 + new_m->vm_mirror = new;
52150 + new->vm_mirror = new_m;
52153 + new_m->vm_end = addr_m;
52155 + new_m->vm_start = addr_m;
52156 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
52161 pol = mpol_dup(vma_policy(vma));
52163 err = PTR_ERR(pol);
52164 @@ -1985,6 +2312,42 @@ static int __split_vma(struct mm_struct
52166 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
52168 +#ifdef CONFIG_PAX_SEGMEXEC
52169 + if (!err && vma_m) {
52170 + if (anon_vma_clone(new_m, vma_m))
52171 + goto out_free_mpol;
52174 + vma_set_policy(new_m, pol);
52176 + if (new_m->vm_file) {
52177 + get_file(new_m->vm_file);
52178 + if (vma_m->vm_flags & VM_EXECUTABLE)
52179 + added_exe_file_vma(mm);
52182 + if (new_m->vm_ops && new_m->vm_ops->open)
52183 + new_m->vm_ops->open(new_m);
52186 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
52187 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
52189 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
52192 + if (new_m->vm_ops && new_m->vm_ops->close)
52193 + new_m->vm_ops->close(new_m);
52194 + if (new_m->vm_file) {
52195 + if (vma_m->vm_flags & VM_EXECUTABLE)
52196 + removed_exe_file_vma(mm);
52197 + fput(new_m->vm_file);
52207 @@ -2000,6 +2363,15 @@ static int __split_vma(struct mm_struct
52212 +#ifdef CONFIG_PAX_SEGMEXEC
52214 + unlink_anon_vmas(new_m);
52215 + kmem_cache_free(vm_area_cachep, new_m);
52219 + unlink_anon_vmas(new);
52220 kmem_cache_free(vm_area_cachep, new);
52223 @@ -2012,6 +2384,15 @@ static int __split_vma(struct mm_struct
52224 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
52225 unsigned long addr, int new_below)
52228 +#ifdef CONFIG_PAX_SEGMEXEC
52229 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52230 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
52231 + if (mm->map_count >= sysctl_max_map_count-1)
52236 if (mm->map_count >= sysctl_max_map_count)
52239 @@ -2023,11 +2404,30 @@ int split_vma(struct mm_struct *mm, stru
52240 * work. This now handles partial unmappings.
52241 * Jeremy Fitzhardinge <jeremy@goop.org>
52243 +#ifdef CONFIG_PAX_SEGMEXEC
52244 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52246 + int ret = __do_munmap(mm, start, len);
52247 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
52250 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
52253 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52255 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52259 struct vm_area_struct *vma, *prev, *last;
52262 + * mm->mmap_sem is required to protect against another thread
52263 + * changing the mappings in case we sleep.
52265 + verify_mm_writelocked(mm);
52267 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
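Review bot: The SEGMEXEC do_munmap() wrapper is not atomic across its two calls: if the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` fails, the lower range is already gone and the caller only sees an error. The detach_vmas_to_be_unmapped hunk clears the mirror link and VM_EXEC on the mirror during the first call, so what remains would be an unlinked mapping in the upper half. If that outcome is accepted, document it at the wrapper, e.g. `/* the mirror range is unmapped second; on failure the lower range stays unmapped */`. The wrapper also relies on callers keeping `start + len` within SEGMEXEC_TASK_SIZE, which only the munmap syscall hunk checks visibly. __do_munmap()'s body continues outside this hunk.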
52270 @@ -2101,6 +2501,8 @@ int do_munmap(struct mm_struct *mm, unsi
52271 /* Fix up all other VM information */
52272 remove_vma_list(mm, vma);
52274 + track_exec_limit(mm, start, end, 0UL);
52279 @@ -2113,22 +2515,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
52281 profile_munmap(addr);
52283 +#ifdef CONFIG_PAX_SEGMEXEC
52284 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
52285 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
52289 down_write(&mm->mmap_sem);
52290 ret = do_munmap(mm, addr, len);
52291 up_write(&mm->mmap_sem);
52295 -static inline void verify_mm_writelocked(struct mm_struct *mm)
52297 -#ifdef CONFIG_DEBUG_VM
52298 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52300 - up_read(&mm->mmap_sem);
52306 * this is really a simplified "do_mmap". it only handles
52307 * anonymous maps. eventually we may be able to do some
52308 @@ -2142,6 +2540,7 @@ unsigned long do_brk(unsigned long addr,
52309 struct rb_node ** rb_link, * rb_parent;
52310 pgoff_t pgoff = addr >> PAGE_SHIFT;
52312 + unsigned long charged;
52314 len = PAGE_ALIGN(len);
52316 @@ -2153,16 +2552,30 @@ unsigned long do_brk(unsigned long addr,
52318 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
52320 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
52321 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52322 + flags &= ~VM_EXEC;
52324 +#ifdef CONFIG_PAX_MPROTECT
52325 + if (mm->pax_flags & MF_PAX_MPROTECT)
52326 + flags &= ~VM_MAYEXEC;
52332 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
52333 if (error & ~PAGE_MASK)
52336 + charged = len >> PAGE_SHIFT;
52339 * mlock MCL_FUTURE?
52341 if (mm->def_flags & VM_LOCKED) {
52342 unsigned long locked, lock_limit;
52343 - locked = len >> PAGE_SHIFT;
52344 + locked = charged;
52345 locked += mm->locked_vm;
52346 lock_limit = rlimit(RLIMIT_MEMLOCK);
52347 lock_limit >>= PAGE_SHIFT;
52348 @@ -2179,22 +2592,22 @@ unsigned long do_brk(unsigned long addr,
52350 * Clear old maps. this also does some error checking for us
52353 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52354 if (vma && vma->vm_start < addr + len) {
52355 if (do_munmap(mm, addr, len))
52357 - goto munmap_back;
52358 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52359 + BUG_ON(vma && vma->vm_start < addr + len);
52362 /* Check against address space limits *after* clearing old maps... */
52363 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
52364 + if (!may_expand_vm(mm, charged))
52367 if (mm->map_count > sysctl_max_map_count)
52370 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
52371 + if (security_vm_enough_memory(charged))
52374 /* Can we just expand an old private anonymous mapping? */
52375 @@ -2208,7 +2621,7 @@ unsigned long do_brk(unsigned long addr,
52377 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52379 - vm_unacct_memory(len >> PAGE_SHIFT);
52380 + vm_unacct_memory(charged);
52384 @@ -2221,11 +2634,12 @@ unsigned long do_brk(unsigned long addr,
52385 vma->vm_page_prot = vm_get_page_prot(flags);
52386 vma_link(mm, vma, prev, rb_link, rb_parent);
52388 - mm->total_vm += len >> PAGE_SHIFT;
52389 + mm->total_vm += charged;
52390 if (flags & VM_LOCKED) {
52391 if (!mlock_vma_pages_range(vma, addr, addr + len))
52392 - mm->locked_vm += (len >> PAGE_SHIFT);
52393 + mm->locked_vm += charged;
52395 + track_exec_limit(mm, addr, addr + len, flags);
52399 @@ -2272,8 +2686,10 @@ void exit_mmap(struct mm_struct *mm)
52400 * Walk the list again, actually closing and freeing it,
52401 * with preemption enabled, without holding any MM locks.
52405 + vma->vm_mirror = NULL;
52406 vma = remove_vma(vma);
52409 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
52411 @@ -2287,6 +2703,10 @@ int insert_vm_struct(struct mm_struct *
52412 struct vm_area_struct * __vma, * prev;
52413 struct rb_node ** rb_link, * rb_parent;
52415 +#ifdef CONFIG_PAX_SEGMEXEC
52416 + struct vm_area_struct *vma_m = NULL;
52420 * The vm_pgoff of a purely anonymous vma should be irrelevant
52421 * until its first write fault, when page's anon_vma and index
52422 @@ -2309,7 +2729,22 @@ int insert_vm_struct(struct mm_struct *
52423 if ((vma->vm_flags & VM_ACCOUNT) &&
52424 security_vm_enough_memory_mm(mm, vma_pages(vma)))
52427 +#ifdef CONFIG_PAX_SEGMEXEC
52428 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
52429 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52435 vma_link(mm, vma, prev, rb_link, rb_parent);
52437 +#ifdef CONFIG_PAX_SEGMEXEC
52439 + BUG_ON(pax_mirror_vma(vma_m, vma));
52445 @@ -2327,6 +2762,8 @@ struct vm_area_struct *copy_vma(struct v
52446 struct rb_node **rb_link, *rb_parent;
52447 struct mempolicy *pol;
52449 + BUG_ON(vma->vm_mirror);
52452 * If anonymous vma has not yet been faulted, update new pgoff
52453 * to match new location, to increase its chance of merging.
52454 @@ -2376,6 +2813,39 @@ struct vm_area_struct *copy_vma(struct v
52455 kmem_cache_free(vm_area_cachep, new_vma);
52459 +#ifdef CONFIG_PAX_SEGMEXEC
52460 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
52462 + struct vm_area_struct *prev_m;
52463 + struct rb_node **rb_link_m, *rb_parent_m;
52464 + struct mempolicy *pol_m;
52466 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
52467 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
52468 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
52470 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
52471 + if (anon_vma_clone(vma_m, vma))
52473 + pol_m = vma_policy(vma_m);
52475 + vma_set_policy(vma_m, pol_m);
52476 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
52477 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
52478 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
52479 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
52480 + if (vma_m->vm_file)
52481 + get_file(vma_m->vm_file);
52482 + if (vma_m->vm_ops && vma_m->vm_ops->open)
52483 + vma_m->vm_ops->open(vma_m);
52484 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
52485 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
52486 + vma_m->vm_mirror = vma;
52487 + vma->vm_mirror = vma_m;
52493 * Return true if the calling process may expand its vm space by the passed
52494 @@ -2387,7 +2857,7 @@ int may_expand_vm(struct mm_struct *mm,
52497 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
52499 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
52500 if (cur + npages > lim)
52503 @@ -2457,6 +2927,17 @@ int install_special_mapping(struct mm_st
52504 vma->vm_start = addr;
52505 vma->vm_end = addr + len;
52507 +#ifdef CONFIG_PAX_MPROTECT
52508 + if (mm->pax_flags & MF_PAX_MPROTECT) {
52509 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
52511 + if (!(vm_flags & VM_EXEC))
52512 + vm_flags &= ~VM_MAYEXEC;
52514 + vm_flags &= ~VM_MAYWRITE;
52518 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
52519 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52521 diff -urNp linux-2.6.35.4/mm/mprotect.c linux-2.6.35.4/mm/mprotect.c
52522 --- linux-2.6.35.4/mm/mprotect.c 2010-08-26 19:47:12.000000000 -0400
52523 +++ linux-2.6.35.4/mm/mprotect.c 2010-09-17 20:12:37.000000000 -0400
52524 @@ -23,10 +23,16 @@
52525 #include <linux/mmu_notifier.h>
52526 #include <linux/migrate.h>
52527 #include <linux/perf_event.h>
52529 +#ifdef CONFIG_PAX_MPROTECT
52530 +#include <linux/elf.h>
52533 #include <asm/uaccess.h>
52534 #include <asm/pgtable.h>
52535 #include <asm/cacheflush.h>
52536 #include <asm/tlbflush.h>
52537 +#include <asm/mmu_context.h>
52539 #ifndef pgprot_modify
52540 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
52541 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
52542 flush_tlb_range(vma, start, end);
52545 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52546 +/* called while holding the mmap semaphor for writing except stack expansion */
52547 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
52549 + unsigned long oldlimit, newlimit = 0UL;
52551 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
52554 + spin_lock(&mm->page_table_lock);
52555 + oldlimit = mm->context.user_cs_limit;
52556 + if ((prot & VM_EXEC) && oldlimit < end)
52557 + /* USER_CS limit moved up */
52559 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
52560 + /* USER_CS limit moved down */
52561 + newlimit = start;
52564 + mm->context.user_cs_limit = newlimit;
52568 + cpus_clear(mm->context.cpu_user_cs_mask);
52569 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
52572 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
52574 + spin_unlock(&mm->page_table_lock);
52575 + if (newlimit == end) {
52576 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
52578 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
52579 + if (is_vm_hugetlb_page(vma))
52580 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
52582 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
52588 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
52589 unsigned long start, unsigned long end, unsigned long newflags)
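Review bot: The last parameter of track_exec_limit() is named `prot` but is tested against a VM_ flag (`prot & VM_EXEC`), and the call sites in this patch pass `vm_flags`, `vma->vm_flags` or `0UL`. The name invites passing PROT_* values, which are a separate namespace. Renaming it `vm_flags` and adding a short header comment would make the contract clear, e.g. `/* @vm_flags: VM_* flags of [start, end); only VM_EXEC is examined */`. The existing comment above the function also misspells "semaphore".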
52590 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
52592 int dirty_accountable = 0;
52594 +#ifdef CONFIG_PAX_SEGMEXEC
52595 + struct vm_area_struct *vma_m = NULL;
52596 + unsigned long start_m, end_m;
52598 + start_m = start + SEGMEXEC_TASK_SIZE;
52599 + end_m = end + SEGMEXEC_TASK_SIZE;
52602 if (newflags == oldflags) {
52607 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
52608 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
52610 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
52613 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
52618 * If we make a private mapping writable we increase our commit;
52619 * but (without finer accounting) cannot reduce our commit if we
52620 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
52624 +#ifdef CONFIG_PAX_SEGMEXEC
52625 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
52626 + if (start != vma->vm_start) {
52627 + error = split_vma(mm, vma, start, 1);
52630 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
52631 + *pprev = (*pprev)->vm_next;
52634 + if (end != vma->vm_end) {
52635 + error = split_vma(mm, vma, end, 0);
52640 + if (pax_find_mirror_vma(vma)) {
52641 + error = __do_munmap(mm, start_m, end_m - start_m);
52645 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52650 + vma->vm_flags = newflags;
52651 + error = pax_mirror_vma(vma_m, vma);
52653 + vma->vm_flags = oldflags;
52661 * First try to merge with previous and/or next vma.
52663 @@ -194,9 +296,21 @@ success:
52664 * vm_flags and vm_page_prot are protected by the mmap_sem
52665 * held in write mode.
52668 +#ifdef CONFIG_PAX_SEGMEXEC
52669 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
52670 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
52673 vma->vm_flags = newflags;
52675 +#ifdef CONFIG_PAX_MPROTECT
52676 + if (mm->binfmt && mm->binfmt->handle_mprotect)
52677 + mm->binfmt->handle_mprotect(vma, newflags);
52680 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
52681 - vm_get_page_prot(newflags));
52682 + vm_get_page_prot(vma->vm_flags));
52684 if (vma_wants_writenotify(vma)) {
52685 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
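Review bot: Only one of the two page-protection computations was switched to the live flags: the added line uses `vm_get_page_prot(vma->vm_flags)`, but the write-notify branch right below still computes `vm_get_page_prot(newflags & ~VM_SHARED)`. If `handle_mprotect()` can change `vma->vm_flags`, which the switch away from `newflags` suggests, that branch would discard its adjustment. Using `vm_get_page_prot(vma->vm_flags & ~VM_SHARED)` there keeps the two consistent. mprotect_fixup() starts and ends outside this hunk.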
52686 @@ -237,6 +351,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52691 +#ifdef CONFIG_PAX_SEGMEXEC
52692 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52693 + if (end > SEGMEXEC_TASK_SIZE)
52698 + if (end > TASK_SIZE)
52701 if (!arch_validate_prot(prot))
52704 @@ -244,7 +369,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52706 * Does the application expect PROT_READ to imply PROT_EXEC:
52708 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
52709 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
52712 vm_flags = calc_vm_prot_bits(prot);
52713 @@ -276,6 +401,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52714 if (start > vma->vm_start)
52717 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
52722 +#ifdef CONFIG_PAX_MPROTECT
52723 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
52724 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
52727 for (nstart = start ; ; ) {
52728 unsigned long newflags;
52730 @@ -300,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52733 perf_event_mmap(vma);
52735 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
52739 if (nstart < prev->vm_end)
52740 diff -urNp linux-2.6.35.4/mm/mremap.c linux-2.6.35.4/mm/mremap.c
52741 --- linux-2.6.35.4/mm/mremap.c 2010-08-26 19:47:12.000000000 -0400
52742 +++ linux-2.6.35.4/mm/mremap.c 2010-09-17 20:12:09.000000000 -0400
52743 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
52745 pte = ptep_clear_flush(vma, old_addr, old_pte);
52746 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
52748 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52749 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
52750 + pte = pte_exprotect(pte);
52753 set_pte_at(mm, new_addr, new_pte, pte);
52756 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
52757 if (is_vm_hugetlb_page(vma))
52760 +#ifdef CONFIG_PAX_SEGMEXEC
52761 + if (pax_find_mirror_vma(vma))
52765 /* We can't remap across vm area boundaries */
52766 if (old_len > vma->vm_end - addr)
52768 @@ -321,20 +332,23 @@ static unsigned long mremap_to(unsigned
52769 unsigned long ret = -EINVAL;
52770 unsigned long charged = 0;
52771 unsigned long map_flags;
52772 + unsigned long pax_task_size = TASK_SIZE;
52774 if (new_addr & ~PAGE_MASK)
52777 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
52778 +#ifdef CONFIG_PAX_SEGMEXEC
52779 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
52780 + pax_task_size = SEGMEXEC_TASK_SIZE;
52783 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
52786 /* Check if the location we're moving into overlaps the
52787 * old location at all, and fail if it does.
52789 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
52792 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
52793 + if (addr + old_len > new_addr && new_addr + new_len > addr)
52796 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
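Review bot: The size half of the range check still compares against `TASK_SIZE` while the address half uses `pax_task_size`. When SEGMEXEC is active and `new_len` lies between `SEGMEXEC_TASK_SIZE` and `TASK_SIZE`, `pax_task_size - new_len` wraps and the comparison with `new_addr` no longer rejects anything. do_mremap() in the later hunk appears to test `new_len > pax_task_size` before calling in, so this may be unreachable today, but mremap_to() should not depend on its caller: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The function continues beyond the hunk.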
52797 @@ -406,6 +420,7 @@ unsigned long do_mremap(unsigned long ad
52798 struct vm_area_struct *vma;
52799 unsigned long ret = -EINVAL;
52800 unsigned long charged = 0;
52801 + unsigned long pax_task_size = TASK_SIZE;
52803 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
52805 @@ -424,6 +439,15 @@ unsigned long do_mremap(unsigned long ad
52809 +#ifdef CONFIG_PAX_SEGMEXEC
52810 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
52811 + pax_task_size = SEGMEXEC_TASK_SIZE;
52814 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
52815 + old_len > pax_task_size || addr > pax_task_size-old_len)
52818 if (flags & MREMAP_FIXED) {
52819 if (flags & MREMAP_MAYMOVE)
52820 ret = mremap_to(addr, old_len, new_addr, new_len);
52821 @@ -473,6 +497,7 @@ unsigned long do_mremap(unsigned long ad
52825 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
52829 @@ -499,7 +524,13 @@ unsigned long do_mremap(unsigned long ad
52830 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
52834 + map_flags = vma->vm_flags;
52835 ret = move_vma(vma, addr, old_len, new_len, new_addr);
52836 + if (!(ret & ~PAGE_MASK)) {
52837 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
52838 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
52842 if (ret & ~PAGE_MASK)
52843 diff -urNp linux-2.6.35.4/mm/nommu.c linux-2.6.35.4/mm/nommu.c
52844 --- linux-2.6.35.4/mm/nommu.c 2010-08-26 19:47:12.000000000 -0400
52845 +++ linux-2.6.35.4/mm/nommu.c 2010-09-17 20:12:09.000000000 -0400
52846 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
52847 int sysctl_overcommit_ratio = 50; /* default is 50% */
52848 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
52849 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
52850 -int heap_stack_gap = 0;
52852 atomic_long_t mmap_pages_allocated;
52854 @@ -762,15 +761,6 @@ struct vm_area_struct *find_vma(struct m
52855 EXPORT_SYMBOL(find_vma);
52859 - * - we don't extend stack VMAs under NOMMU conditions
52861 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
52863 - return find_vma(mm, addr);
52867 * expand a stack to a given address
52868 * - not supported under NOMMU conditions
52870 @@ -1491,6 +1481,7 @@ int split_vma(struct mm_struct *mm, stru
52872 /* most fields are the same, copy all, and then fixup */
52874 + INIT_LIST_HEAD(&new->anon_vma_chain);
52875 *region = *vma->vm_region;
52876 new->vm_region = region;
52878 diff -urNp linux-2.6.35.4/mm/page_alloc.c linux-2.6.35.4/mm/page_alloc.c
52879 --- linux-2.6.35.4/mm/page_alloc.c 2010-08-26 19:47:12.000000000 -0400
52880 +++ linux-2.6.35.4/mm/page_alloc.c 2010-09-17 20:12:09.000000000 -0400
52881 @@ -641,6 +641,10 @@ static bool free_pages_prepare(struct pa
52885 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52886 + unsigned long index = 1UL << order;
52889 trace_mm_page_free_direct(page, order);
52890 kmemcheck_free_shadow(page, order);
52892 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
52893 debug_check_no_obj_freed(page_address(page),
52894 PAGE_SIZE << order);
52897 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52898 + for (; index; --index)
52899 + sanitize_highpage(page + index - 1);
52902 arch_free_page(page, order);
52903 kernel_map_pages(page, 1 << order, 0);
52905 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
52906 arch_alloc_page(page, order);
52907 kernel_map_pages(page, 1 << order, 1);
52909 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
52910 if (gfp_flags & __GFP_ZERO)
52911 prep_zero_page(page, order, gfp_flags);
52914 if (order && (gfp_flags & __GFP_COMP))
52915 prep_compound_page(page, order);
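Review bot: With CONFIG_PAX_MEMORY_SANITIZE the `__GFP_ZERO` handling is compiled out here, so zeroed allocations depend entirely on every page having passed through the `sanitize_highpage()` loop in free_pages_prepare() before it can be handed out. That invariant is not stated in the visible code, and any route by which a page reaches the free lists without that loop would need checking. A comment above the `#ifndef` would make the dependency explicit, e.g. `/* pages are cleared on free when PAX_MEMORY_SANITIZE is set, so __GFP_ZERO needs no work here */`. prep_new_page() starts and ends outside the hunk.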
52916 @@ -3973,7 +3985,7 @@ static void __init setup_usemap(struct p
52917 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
52920 -static void inline setup_usemap(struct pglist_data *pgdat,
52921 +static inline void setup_usemap(struct pglist_data *pgdat,
52922 struct zone *zone, unsigned long zonesize) {}
52923 #endif /* CONFIG_SPARSEMEM */
52925 diff -urNp linux-2.6.35.4/mm/percpu.c linux-2.6.35.4/mm/percpu.c
52926 --- linux-2.6.35.4/mm/percpu.c 2010-08-26 19:47:12.000000000 -0400
52927 +++ linux-2.6.35.4/mm/percpu.c 2010-09-17 20:12:09.000000000 -0400
52928 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
52929 static unsigned int pcpu_last_unit_cpu __read_mostly;
52931 /* the address of the first chunk which starts with the kernel static area */
52932 -void *pcpu_base_addr __read_mostly;
52933 +void *pcpu_base_addr __read_only;
52934 EXPORT_SYMBOL_GPL(pcpu_base_addr);
52936 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
52937 diff -urNp linux-2.6.35.4/mm/rmap.c linux-2.6.35.4/mm/rmap.c
52938 --- linux-2.6.35.4/mm/rmap.c 2010-08-26 19:47:12.000000000 -0400
52939 +++ linux-2.6.35.4/mm/rmap.c 2010-09-17 20:12:09.000000000 -0400
52940 @@ -116,6 +116,10 @@ int anon_vma_prepare(struct vm_area_stru
52941 struct anon_vma *anon_vma = vma->anon_vma;
52942 struct anon_vma_chain *avc;
52944 +#ifdef CONFIG_PAX_SEGMEXEC
52945 + struct anon_vma_chain *avc_m = NULL;
52949 if (unlikely(!anon_vma)) {
52950 struct mm_struct *mm = vma->vm_mm;
52951 @@ -125,6 +129,12 @@ int anon_vma_prepare(struct vm_area_stru
52955 +#ifdef CONFIG_PAX_SEGMEXEC
52956 + avc_m = anon_vma_chain_alloc();
52958 + goto out_enomem_free_avc;
52961 anon_vma = find_mergeable_anon_vma(vma);
52964 @@ -138,6 +148,21 @@ int anon_vma_prepare(struct vm_area_stru
52965 /* page_table_lock to protect against threads */
52966 spin_lock(&mm->page_table_lock);
52967 if (likely(!vma->anon_vma)) {
52969 +#ifdef CONFIG_PAX_SEGMEXEC
52970 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
52973 + BUG_ON(vma_m->anon_vma);
52974 + vma_m->anon_vma = anon_vma;
52975 + avc_m->anon_vma = anon_vma;
52976 + avc_m->vma = vma;
52977 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
52978 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
52983 vma->anon_vma = anon_vma;
52984 avc->anon_vma = anon_vma;
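Review bot: `avc_m` is linked into `vma_m->anon_vma_chain`, but its back-pointer is set with `avc_m->vma = vma;`, that is, to the original vma rather than the mirror. Code that walks `anon_vma->head` and follows each entry's `vma` pointer would then reach `vma` twice and never `vma_m`. If that is not intentional the line should read `avc_m->vma = vma_m;`, and if it is, a comment should say why the mirror's chain entry points at the primary vma. Some lines of this hunk are not shown on the page, and anon_vma_prepare() extends beyond it.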
52986 @@ -151,12 +176,24 @@ int anon_vma_prepare(struct vm_area_stru
52988 if (unlikely(allocated))
52989 anon_vma_free(allocated);
52991 +#ifdef CONFIG_PAX_SEGMEXEC
52992 + if (unlikely(avc_m))
52993 + anon_vma_chain_free(avc_m);
52997 anon_vma_chain_free(avc);
53001 out_enomem_free_avc:
53003 +#ifdef CONFIG_PAX_SEGMEXEC
53005 + anon_vma_chain_free(avc_m);
53008 anon_vma_chain_free(avc);
53011 @@ -179,7 +216,7 @@ static void anon_vma_chain_link(struct v
53012 * Attach the anon_vmas from src to dst.
53013 * Returns 0 on success, -ENOMEM on failure.
53015 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
53016 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
53018 struct anon_vma_chain *avc, *pavc;
53020 @@ -201,7 +238,7 @@ int anon_vma_clone(struct vm_area_struct
53021 * the corresponding VMA in the parent process is attached to.
53022 * Returns 0 on success, non-zero on failure.
53024 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
53025 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
53027 struct anon_vma_chain *avc;
53028 struct anon_vma *anon_vma;
53029 diff -urNp linux-2.6.35.4/mm/shmem.c linux-2.6.35.4/mm/shmem.c
53030 --- linux-2.6.35.4/mm/shmem.c 2010-08-26 19:47:12.000000000 -0400
53031 +++ linux-2.6.35.4/mm/shmem.c 2010-09-17 20:12:37.000000000 -0400
53033 #include <linux/module.h>
53034 #include <linux/swap.h>
53036 -static struct vfsmount *shm_mnt;
53037 +struct vfsmount *shm_mnt;
53039 #ifdef CONFIG_SHMEM
53041 diff -urNp linux-2.6.35.4/mm/slab.c linux-2.6.35.4/mm/slab.c
53042 --- linux-2.6.35.4/mm/slab.c 2010-08-26 19:47:12.000000000 -0400
53043 +++ linux-2.6.35.4/mm/slab.c 2010-09-17 20:12:37.000000000 -0400
53044 @@ -285,7 +285,7 @@ struct kmem_list3 {
53045 * Need this for bootstrapping a per node allocator.
53047 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
53048 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
53049 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
53050 #define CACHE_CACHE 0
53051 #define SIZE_AC MAX_NUMNODES
53052 #define SIZE_L3 (2 * MAX_NUMNODES)
53053 @@ -535,7 +535,7 @@ static inline void *index_to_obj(struct
53054 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
53056 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
53057 - const struct slab *slab, void *obj)
53058 + const struct slab *slab, const void *obj)
53060 u32 offset = (obj - slab->s_mem);
53061 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
53062 @@ -561,14 +561,14 @@ struct cache_names {
53063 static struct cache_names __initdata cache_names[] = {
53064 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
53065 #include <linux/kmalloc_sizes.h>
53071 static struct arraycache_init initarray_cache __initdata =
53072 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53073 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53074 static struct arraycache_init initarray_generic =
53075 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53076 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53078 /* internal cache of cache description objs */
53079 static struct kmem_cache cache_cache = {
53080 @@ -4558,15 +4558,66 @@ static const struct file_operations proc
53082 static int __init slab_proc_init(void)
53084 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
53085 + mode_t gr_mode = S_IRUGO;
53087 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53088 + gr_mode = S_IRUSR;
53091 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
53092 #ifdef CONFIG_DEBUG_SLAB_LEAK
53093 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
53094 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
53098 module_init(slab_proc_init);
53101 +void check_object_size(const void *ptr, unsigned long n, bool to)
53104 +#ifdef CONFIG_PAX_USERCOPY
53105 + struct kmem_cache *cachep;
53106 + struct slab *slabp;
53107 + struct page *page;
53108 + unsigned int objnr;
53109 + unsigned long offset;
53114 + if (ZERO_OR_NULL_PTR(ptr))
53117 + if (!virt_addr_valid(ptr))
53120 + page = virt_to_head_page(ptr);
53122 + if (!PageSlab(page)) {
53123 + if (object_is_on_stack(ptr, n) == -1)
53128 + cachep = page_get_cache(page);
53129 + slabp = page_get_slab(page);
53130 + objnr = obj_to_index(cachep, slabp, ptr);
53131 + BUG_ON(objnr >= cachep->num);
53132 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
53133 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
53138 + pax_report_leak_to_user(ptr, n);
53140 + pax_report_overflow_from_user(ptr, n);
53144 +EXPORT_SYMBOL(check_object_size);
53147 * ksize - get the actual amount of memory allocated for a given object
53148 * @objp: Pointer to the object
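Review bot: check_object_size() is exported but has no header comment, so its contract has to be inferred from the body. From the lines shown, it accepts a pointer inside a slab object when the range stays within `obj_size(cachep)`, falls back to `object_is_on_stack()` for non-slab pages, and otherwise reports through pax_report_leak_to_user() or pax_report_overflow_from_user(), presumably chosen by `to`. A kernel-doc block should say what `to` means, that a failed check is reported rather than returned (the function is `void`), and what happens to memory that is neither slab nor stack; if the reading above is right, its summary line could be `check_object_size - validate a kernel buffer before a copy to (@to true) or from userland`. The same comment is missing from the slob.c and slub.c definitions added later in this patch.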
53149 diff -urNp linux-2.6.35.4/mm/slob.c linux-2.6.35.4/mm/slob.c
53150 --- linux-2.6.35.4/mm/slob.c 2010-08-26 19:47:12.000000000 -0400
53151 +++ linux-2.6.35.4/mm/slob.c 2010-09-17 20:12:09.000000000 -0400
53153 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
53154 * alloc_pages() directly, allocating compound pages so the page order
53155 * does not have to be separately tracked, and also stores the exact
53156 - * allocation size in page->private so that it can be used to accurately
53157 + * allocation size in slob_page->size so that it can be used to accurately
53158 * provide ksize(). These objects are detected in kfree() because slob_page()
53159 * is false for them.
53164 #include <linux/kernel.h>
53165 +#include <linux/sched.h>
53166 #include <linux/slab.h>
53167 #include <linux/mm.h>
53168 #include <linux/swap.h> /* struct reclaim_state */
53169 @@ -100,7 +101,8 @@ struct slob_page {
53170 unsigned long flags; /* mandatory */
53171 atomic_t _count; /* mandatory */
53172 slobidx_t units; /* free units left in page */
53173 - unsigned long pad[2];
53174 + unsigned long pad[1];
53175 + unsigned long size; /* size when >=PAGE_SIZE */
53176 slob_t *free; /* first free slob_t in page */
53177 struct list_head list; /* linked list of free pages */
53179 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
53181 static inline int is_slob_page(struct slob_page *sp)
53183 - return PageSlab((struct page *)sp);
53184 + return PageSlab((struct page *)sp) && !sp->size;
53187 static inline void set_slob_page(struct slob_page *sp)
53188 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
53190 static inline struct slob_page *slob_page(const void *addr)
53192 - return (struct slob_page *)virt_to_page(addr);
53193 + return (struct slob_page *)virt_to_head_page(addr);
53197 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
53199 * Return the size of a slob block.
53201 -static slobidx_t slob_units(slob_t *s)
53202 +static slobidx_t slob_units(const slob_t *s)
53206 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
53208 * Return the next free slob block pointer after this one.
53210 -static slob_t *slob_next(slob_t *s)
53211 +static slob_t *slob_next(const slob_t *s)
53213 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
53215 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
53217 * Returns true if s is the last free block in its page.
53219 -static int slob_last(slob_t *s)
53220 +static int slob_last(const slob_t *s)
53222 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
53224 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
53228 + set_slob_page(page);
53229 return page_address(page);
53232 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
53236 - set_slob_page(sp);
53238 spin_lock_irqsave(&slob_lock, flags);
53239 sp->units = SLOB_UNITS(PAGE_SIZE);
53242 INIT_LIST_HEAD(&sp->list);
53243 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
53244 set_slob_page_free(sp, slob_list);
53245 @@ -467,10 +470,9 @@ out:
53246 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
53249 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53250 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
53253 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53257 lockdep_trace_alloc(gfp);
53258 @@ -483,7 +485,10 @@ void *__kmalloc_node(size_t size, gfp_t
53263 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
53264 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
53265 + m[0].units = size;
53266 + m[1].units = align;
53267 ret = (void *)m + align;
53269 trace_kmalloc_node(_RET_IP_, ret,
53270 @@ -493,9 +498,9 @@ void *__kmalloc_node(size_t size, gfp_t
53272 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
53274 - struct page *page;
53275 - page = virt_to_page(ret);
53276 - page->private = size;
53277 + struct slob_page *sp;
53278 + sp = slob_page(ret);
53282 trace_kmalloc_node(_RET_IP_, ret,
53283 @@ -505,6 +510,13 @@ void *__kmalloc_node(size_t size, gfp_t
53284 kmemleak_alloc(ret, size, 1, gfp);
53288 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53290 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53292 + return __kmalloc_node_align(size, gfp, node, align);
53294 EXPORT_SYMBOL(__kmalloc_node);
53296 void kfree(const void *block)
53297 @@ -520,13 +532,84 @@ void kfree(const void *block)
53298 sp = slob_page(block);
53299 if (is_slob_page(sp)) {
53300 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53301 - unsigned int *m = (unsigned int *)(block - align);
53302 - slob_free(m, *m + align);
53304 + slob_t *m = (slob_t *)(block - align);
53305 + slob_free(m, m[0].units + align);
53307 + clear_slob_page(sp);
53308 + free_slob_page(sp);
53310 put_page(&sp->page);
53313 EXPORT_SYMBOL(kfree);
53315 +void check_object_size(const void *ptr, unsigned long n, bool to)
53318 +#ifdef CONFIG_PAX_USERCOPY
53319 + struct slob_page *sp;
53320 + const slob_t *free;
53321 + const void *base;
53326 + if (ZERO_OR_NULL_PTR(ptr))
53329 + if (!virt_addr_valid(ptr))
53332 + sp = slob_page(ptr);
53333 + if (!PageSlab((struct page*)sp)) {
53334 + if (object_is_on_stack(ptr, n) == -1)
53340 + base = page_address(&sp->page);
53341 + if (base <= ptr && n <= sp->size - (ptr - base))
53346 + /* some tricky double walking to find the chunk */
53347 + base = (void *)((unsigned long)ptr & PAGE_MASK);
53350 + while (!slob_last(free) && (void *)free <= ptr) {
53351 + base = free + slob_units(free);
53352 + free = slob_next(free);
53355 + while (base < (void *)free) {
53356 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
53357 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
53360 + if (ptr < base + align)
53363 + offset = ptr - base - align;
53364 + if (offset < m) {
53365 + if (n <= m - offset)
53374 + pax_report_leak_to_user(ptr, n);
53376 + pax_report_overflow_from_user(ptr, n);
53380 +EXPORT_SYMBOL(check_object_size);
53382 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
53383 size_t ksize(const void *block)
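Review bot: The large-object test `n <= sp->size - (ptr - base)` has no guard that `ptr - base` is within `sp->size`, unlike the slab.c and slub.c versions, which first require `offset <= obj_size(cachep)` and `offset <= s->objsize`. For a pointer that lies past the recorded size but still inside the compound page, the unsigned subtraction wraps and the comparison passes for almost any `n`. Unless a line not shown on this page already bounds the offset, add the guard: `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. check_object_size() lies inside this hunk, but several of its lines are missing from the page.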
53385 @@ -539,10 +622,10 @@ size_t ksize(const void *block)
53386 sp = slob_page(block);
53387 if (is_slob_page(sp)) {
53388 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53389 - unsigned int *m = (unsigned int *)(block - align);
53390 - return SLOB_UNITS(*m) * SLOB_UNIT;
53391 + slob_t *m = (slob_t *)(block - align);
53392 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
53394 - return sp->page.private;
53397 EXPORT_SYMBOL(ksize);
53399 @@ -597,17 +680,25 @@ void *kmem_cache_alloc_node(struct kmem_
53403 +#ifdef CONFIG_PAX_USERCOPY
53404 + b = __kmalloc_node_align(c->size, flags, node, c->align);
53406 if (c->size < PAGE_SIZE) {
53407 b = slob_alloc(c->size, flags, c->align, node);
53408 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53409 SLOB_UNITS(c->size) * SLOB_UNIT,
53412 + struct slob_page *sp;
53414 b = slob_new_pages(flags, get_order(c->size), node);
53415 + sp = slob_page(b);
53416 + sp->size = c->size;
53417 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53418 PAGE_SIZE << get_order(c->size),
53425 @@ -619,10 +710,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
53427 static void __kmem_cache_free(void *b, int size)
53429 - if (size < PAGE_SIZE)
53430 + struct slob_page *sp = slob_page(b);
53432 + if (is_slob_page(sp))
53433 slob_free(b, size);
53436 + clear_slob_page(sp);
53437 + free_slob_page(sp);
53439 slob_free_pages(b, get_order(size));
53443 static void kmem_rcu_free(struct rcu_head *head)
53444 @@ -635,15 +732,24 @@ static void kmem_rcu_free(struct rcu_hea
53446 void kmem_cache_free(struct kmem_cache *c, void *b)
53448 + int size = c->size;
53450 +#ifdef CONFIG_PAX_USERCOPY
53451 + if (size + c->align < PAGE_SIZE) {
53452 + size += c->align;
53457 kmemleak_free_recursive(b, c->flags);
53458 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
53459 struct slob_rcu *slob_rcu;
53460 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
53461 + slob_rcu = b + (size - sizeof(struct slob_rcu));
53462 INIT_RCU_HEAD(&slob_rcu->head);
53463 - slob_rcu->size = c->size;
53464 + slob_rcu->size = size;
53465 call_rcu(&slob_rcu->head, kmem_rcu_free);
53467 - __kmem_cache_free(b, c->size);
53468 + __kmem_cache_free(b, size);
53471 trace_kmem_cache_free(_RET_IP_, b);
53472 diff -urNp linux-2.6.35.4/mm/slub.c linux-2.6.35.4/mm/slub.c
53473 --- linux-2.6.35.4/mm/slub.c 2010-08-26 19:47:12.000000000 -0400
53474 +++ linux-2.6.35.4/mm/slub.c 2010-09-17 20:12:37.000000000 -0400
53475 @@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
53477 page = virt_to_head_page(x);
53479 + BUG_ON(!PageSlab(page));
53481 slab_free(s, page, x, _RET_IP_);
53483 trace_kmem_cache_free(_RET_IP_, x);
53484 @@ -1917,7 +1919,7 @@ static int slub_min_objects;
53485 * Merge control. If this is set then no merging of slab caches will occur.
53486 * (Could be removed. This was introduced to pacify the merge skeptics.)
53488 -static int slub_nomerge;
53489 +static int slub_nomerge = 1;
53492 * Calculate the order of allocation given an slab object size.
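Review bot: The default of `slub_nomerge` flips to 1 here, but the comment above it still describes an opt-in switch and gives no reason for the new default. Presumably the aim is to keep objects from unrelated caches from sharing slab pages; say so in the comment, e.g. `/* merging is disabled by default so unrelated caches do not share slab pages */`. It is also worth confirming whether anything can set the variable back to 0, since the code that writes it is outside the hunk.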
53493 @@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
53494 * list to avoid pounding the page allocator excessively.
53496 set_min_partial(s, ilog2(s->size));
53498 + atomic_set(&s->refcount, 1);
53500 s->remote_node_defrag_ratio = 1000;
53502 @@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
53503 void kmem_cache_destroy(struct kmem_cache *s)
53505 down_write(&slub_lock);
53507 - if (!s->refcount) {
53508 + if (atomic_dec_and_test(&s->refcount)) {
53509 list_del(&s->list);
53510 up_write(&slub_lock);
53511 if (kmem_cache_close(s)) {
53512 @@ -2780,6 +2781,46 @@ void *__kmalloc_node(size_t size, gfp_t
53513 EXPORT_SYMBOL(__kmalloc_node);
53516 +void check_object_size(const void *ptr, unsigned long n, bool to)
53519 +#ifdef CONFIG_PAX_USERCOPY
53520 + struct page *page;
53521 + struct kmem_cache *s;
53522 + unsigned long offset;
53527 + if (ZERO_OR_NULL_PTR(ptr))
53530 + if (!virt_addr_valid(ptr))
53533 + page = get_object_page(ptr);
53536 + if (object_is_on_stack(ptr, n) == -1)
53542 + offset = (ptr - page_address(page)) % s->size;
53543 + if (offset <= s->objsize && n <= s->objsize - offset)
53548 + pax_report_leak_to_user(ptr, n);
53550 + pax_report_overflow_from_user(ptr, n);
53554 +EXPORT_SYMBOL(check_object_size);
53556 size_t ksize(const void *object)
53559 @@ -3049,7 +3090,7 @@ void __init kmem_cache_init(void)
53561 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
53562 sizeof(struct kmem_cache_node), GFP_NOWAIT);
53563 - kmalloc_caches[0].refcount = -1;
53564 + atomic_set(&kmalloc_caches[0].refcount, -1);
53567 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
53568 @@ -3158,7 +3199,7 @@ static int slab_unmergeable(struct kmem_
53570 * We may have set a slab to be unmergeable during bootstrap.
53572 - if (s->refcount < 0)
53573 + if (atomic_read(&s->refcount) < 0)
53577 @@ -3216,7 +3257,7 @@ struct kmem_cache *kmem_cache_create(con
53578 down_write(&slub_lock);
53579 s = find_mergeable(size, align, flags, name, ctor);
53582 + atomic_inc(&s->refcount);
53584 * Adjust the object sizes so that we clear
53585 * the complete object on kzalloc.
53586 @@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
53588 if (sysfs_slab_alias(s, name)) {
53589 down_write(&slub_lock);
53591 + atomic_dec(&s->refcount);
53592 up_write(&slub_lock);
53595 @@ -3953,7 +3994,7 @@ SLAB_ATTR_RO(ctor);
53597 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
53599 - return sprintf(buf, "%d\n", s->refcount - 1);
53600 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
53602 SLAB_ATTR_RO(aliases);
53604 @@ -4674,7 +4715,13 @@ static const struct file_operations proc
53606 static int __init slab_proc_init(void)
53608 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
53609 + mode_t gr_mode = S_IRUGO;
53611 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53612 + gr_mode = S_IRUSR;
53615 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
53618 module_init(slab_proc_init);
53619 diff -urNp linux-2.6.35.4/mm/util.c linux-2.6.35.4/mm/util.c
53620 --- linux-2.6.35.4/mm/util.c 2010-08-26 19:47:12.000000000 -0400
53621 +++ linux-2.6.35.4/mm/util.c 2010-09-17 20:12:09.000000000 -0400
53622 @@ -245,6 +245,12 @@ EXPORT_SYMBOL(strndup_user);
53623 void arch_pick_mmap_layout(struct mm_struct *mm)
53625 mm->mmap_base = TASK_UNMAPPED_BASE;
53627 +#ifdef CONFIG_PAX_RANDMMAP
53628 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53629 + mm->mmap_base += mm->delta_mmap;
53632 mm->get_unmapped_area = arch_get_unmapped_area;
53633 mm->unmap_area = arch_unmap_area;
53635 diff -urNp linux-2.6.35.4/mm/vmalloc.c linux-2.6.35.4/mm/vmalloc.c
53636 --- linux-2.6.35.4/mm/vmalloc.c 2010-08-26 19:47:12.000000000 -0400
53637 +++ linux-2.6.35.4/mm/vmalloc.c 2010-09-17 20:12:09.000000000 -0400
53638 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
53640 pte = pte_offset_kernel(pmd, addr);
53642 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53643 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53645 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53646 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
53647 + BUG_ON(!pte_exec(*pte));
53648 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
53654 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53655 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53657 } while (pte++, addr += PAGE_SIZE, addr != end);
53660 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
53661 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
53664 + int ret = -ENOMEM;
53667 * nr is a running index into the array which helps higher level
53668 @@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
53669 pte = pte_alloc_kernel(pmd, addr);
53673 + pax_open_kernel();
53675 struct page *page = pages[*nr];
53677 - if (WARN_ON(!pte_none(*pte)))
53679 - if (WARN_ON(!page))
53681 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53682 + if (pgprot_val(prot) & _PAGE_NX)
53685 + if (WARN_ON(!pte_none(*pte))) {
53689 + if (WARN_ON(!page)) {
53693 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
53695 } while (pte++, addr += PAGE_SIZE, addr != end);
53699 + pax_close_kernel();
53703 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
53704 @@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
53705 * and fall back on vmalloc() if that fails. Others
53706 * just put it in the vmalloc space.
53708 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
53709 +#ifdef CONFIG_MODULES
53710 +#ifdef MODULES_VADDR
53711 unsigned long addr = (unsigned long)x;
53712 if (addr >= MODULES_VADDR && addr < MODULES_END)
53716 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53717 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
53723 return is_vmalloc_addr(x);
53726 @@ -217,8 +251,14 @@ struct page *vmalloc_to_page(const void
53728 if (!pgd_none(*pgd)) {
53729 pud_t *pud = pud_offset(pgd, addr);
53731 + if (!pud_large(*pud))
53733 if (!pud_none(*pud)) {
53734 pmd_t *pmd = pmd_offset(pud, addr);
53736 + if (!pmd_large(*pmd))
53738 if (!pmd_none(*pmd)) {
53741 @@ -292,13 +332,13 @@ static void __insert_vmap_area(struct vm
53742 struct rb_node *tmp;
53745 - struct vmap_area *tmp;
53746 + struct vmap_area *varea;
53749 - tmp = rb_entry(parent, struct vmap_area, rb_node);
53750 - if (va->va_start < tmp->va_end)
53751 + varea = rb_entry(parent, struct vmap_area, rb_node);
53752 + if (va->va_start < varea->va_end)
53753 p = &(*p)->rb_left;
53754 - else if (va->va_end > tmp->va_start)
53755 + else if (va->va_end > varea->va_start)
53756 p = &(*p)->rb_right;
53759 @@ -1224,6 +1264,16 @@ static struct vm_struct *__get_vm_area_n
53760 struct vm_struct *area;
53762 BUG_ON(in_interrupt());
53764 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53765 + if (flags & VM_KERNEXEC) {
53766 + if (start != VMALLOC_START || end != VMALLOC_END)
53768 + start = (unsigned long)MODULES_EXEC_VADDR;
53769 + end = (unsigned long)MODULES_EXEC_END;
53773 if (flags & VM_IOREMAP) {
53774 int bit = fls(size);
53776 @@ -1449,6 +1499,11 @@ void *vmap(struct page **pages, unsigned
53777 if (count > totalram_pages)
53780 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53781 + if (!(pgprot_val(prot) & _PAGE_NX))
53782 + flags |= VM_KERNEXEC;
53785 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
53786 __builtin_return_address(0));
53788 @@ -1558,6 +1613,13 @@ static void *__vmalloc_node(unsigned lon
53789 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
53792 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53793 + if (!(pgprot_val(prot) & _PAGE_NX))
53794 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
53795 + node, gfp_mask, caller);
53799 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
53800 VMALLOC_END, node, gfp_mask, caller);
53802 @@ -1576,6 +1638,7 @@ static void *__vmalloc_node(unsigned lon
53807 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
53809 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
53810 @@ -1592,6 +1655,7 @@ EXPORT_SYMBOL(__vmalloc);
53811 * For tight control over page level allocator and protection flags
53812 * use __vmalloc() instead.
53815 void *vmalloc(unsigned long size)
53817 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53818 @@ -1606,6 +1670,7 @@ EXPORT_SYMBOL(vmalloc);
53819 * The resulting memory area is zeroed so it can be mapped to userspace
53820 * without leaking data.
53822 +#undef vmalloc_user
53823 void *vmalloc_user(unsigned long size)
53825 struct vm_struct *area;
53826 @@ -1633,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc_user);
53827 * For tight control over page level allocator and protection flags
53828 * use __vmalloc() instead.
53830 +#undef vmalloc_node
53831 void *vmalloc_node(unsigned long size, int node)
53833 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53834 @@ -1655,10 +1721,10 @@ EXPORT_SYMBOL(vmalloc_node);
53835 * For tight control over page level allocator and protection flags
53836 * use __vmalloc() instead.
53839 +#undef vmalloc_exec
53840 void *vmalloc_exec(unsigned long size)
53842 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
53843 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
53844 -1, __builtin_return_address(0));
53847 @@ -1677,6 +1743,7 @@ void *vmalloc_exec(unsigned long size)
53848 * Allocate enough 32bit PA addressable pages to cover @size from the
53849 * page level allocator and map them into contiguous kernel virtual space.
53852 void *vmalloc_32(unsigned long size)
53854 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
53855 @@ -1691,6 +1758,7 @@ EXPORT_SYMBOL(vmalloc_32);
53856 * The resulting memory area is 32bit addressable and zeroed so it can be
53857 * mapped to userspace without leaking data.
53859 +#undef vmalloc_32_user
53860 void *vmalloc_32_user(unsigned long size)
53862 struct vm_struct *area;
53863 diff -urNp linux-2.6.35.4/mm/vmstat.c linux-2.6.35.4/mm/vmstat.c
53864 --- linux-2.6.35.4/mm/vmstat.c 2010-08-26 19:47:12.000000000 -0400
53865 +++ linux-2.6.35.4/mm/vmstat.c 2010-09-17 20:12:37.000000000 -0400
53866 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
53868 * vm_stat contains the global counters
53870 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53871 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53872 EXPORT_SYMBOL(vm_stat);
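Review bot: Changing the exported `vm_stat` array to `atomic_long_unchecked_t` alters the type seen by every user of the symbol, while the hunks for this file convert only the two `atomic_long_add()` calls in `refresh_cpu_vm_stats`. Any header inline or module that still applies the plain `atomic_long_*` helpers to `vm_stat` would now be operating on a mismatched type, so it is worth confirming that those users are converted elsewhere in the patch. The declaration also gives no reason for opting out of overflow checking; presumably these are pure statistics counters, and a comment like `/* statistics only: wrap-around is harmless, so not overflow-checked */` would record that.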
53875 @@ -315,7 +315,7 @@ void refresh_cpu_vm_stats(int cpu)
53876 v = p->vm_stat_diff[i];
53877 p->vm_stat_diff[i] = 0;
53878 local_irq_restore(flags);
53879 - atomic_long_add(v, &zone->vm_stat[i]);
53880 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
53881 global_diff[i] += v;
53883 /* 3 seconds idle till flush */
53884 @@ -353,7 +353,7 @@ void refresh_cpu_vm_stats(int cpu)
53886 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
53887 if (global_diff[i])
53888 - atomic_long_add(global_diff[i], &vm_stat[i]);
53889 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
53893 @@ -1038,10 +1038,16 @@ static int __init setup_vmstat(void)
53894 start_cpu_timer(cpu);
53896 #ifdef CONFIG_PROC_FS
53897 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
53898 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
53899 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
53900 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
53902 + mode_t gr_mode = S_IRUGO;
53903 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53904 + gr_mode = S_IRUSR;
53906 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
53907 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
53908 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
53909 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
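Review bot: `gr_mode` is initialised to `S_IRUGO` and then overwritten under `#ifdef CONFIG_GRKERNSEC_PROC_ADD`, which places a preprocessor conditional and a dead store in the middle of `setup_vmstat`. Selecting the value once is easier to audit: define a file-level constant under the `#ifdef` (for example `#define VMSTAT_PROC_MODE S_IRUSR`, with `S_IRUGO` in the other branch; the name is only a suggestion) and pass it to the four `proc_create()` calls. A comment saying why these four files become owner-only, presumably because they expose allocator and zone state to unprivileged readers, would also help. The function starts outside the hunk.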
53914 diff -urNp linux-2.6.35.4/net/8021q/vlan.c linux-2.6.35.4/net/8021q/vlan.c
53915 --- linux-2.6.35.4/net/8021q/vlan.c 2010-08-26 19:47:12.000000000 -0400
53916 +++ linux-2.6.35.4/net/8021q/vlan.c 2010-09-17 20:12:09.000000000 -0400
53917 @@ -618,8 +618,7 @@ static int vlan_ioctl_handler(struct net
53919 if (!capable(CAP_NET_ADMIN))
53921 - if ((args.u.name_type >= 0) &&
53922 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
53923 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
53924 struct vlan_net *vn;
53926 vn = net_generic(net, vlan_net_id);
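Review bot: Dropping the `args.u.name_type >= 0` test leaves the upper-bound comparison as the only validation of a value taken from the ioctl argument, and that is sufficient only while `name_type` is an unsigned field. The field's declaration is not in this hunk, so the assumption is invisible at the point of use. A comment such as `/* name_type is unsigned, so only the upper bound needs checking */` would keep a later type change from silently admitting negative values. `vlan_ioctl_handler` starts and ends outside the hunk.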
53927 diff -urNp linux-2.6.35.4/net/atm/atm_misc.c linux-2.6.35.4/net/atm/atm_misc.c
53928 --- linux-2.6.35.4/net/atm/atm_misc.c 2010-08-26 19:47:12.000000000 -0400
53929 +++ linux-2.6.35.4/net/atm/atm_misc.c 2010-09-17 20:12:09.000000000 -0400
53930 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
53931 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
53933 atm_return(vcc, truesize);
53934 - atomic_inc(&vcc->stats->rx_drop);
53935 + atomic_inc_unchecked(&vcc->stats->rx_drop);
53938 EXPORT_SYMBOL(atm_charge);
53939 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
53942 atm_return(vcc, guess);
53943 - atomic_inc(&vcc->stats->rx_drop);
53944 + atomic_inc_unchecked(&vcc->stats->rx_drop);
53947 EXPORT_SYMBOL(atm_alloc_charge);
53948 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
53950 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53952 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
53953 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
53955 #undef __HANDLE_ITEM
53957 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
53959 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53961 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
53962 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
53964 #undef __HANDLE_ITEM
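Review bot: The new macro in `sonet_subtract_stats` is written `atomic_sub_unchecked(to->i,&from->i)` with no space after the comma, whereas the line it replaces and the matching macro in net/atm/resources.c both have one. Keeping the usual spacing, `#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)`, avoids a needless difference between the two files. The `atomic_read_unchecked(...)` argument list added in net/atm/proc.c has the same missing spaces.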
53966 diff -urNp linux-2.6.35.4/net/atm/proc.c linux-2.6.35.4/net/atm/proc.c
53967 --- linux-2.6.35.4/net/atm/proc.c 2010-08-26 19:47:12.000000000 -0400
53968 +++ linux-2.6.35.4/net/atm/proc.c 2010-09-17 20:12:37.000000000 -0400
53969 @@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
53970 const struct k_atm_aal_stats *stats)
53972 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
53973 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
53974 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
53975 - atomic_read(&stats->rx_drop));
53976 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
53977 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
53978 + atomic_read_unchecked(&stats->rx_drop));
53981 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
53982 @@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
53984 struct sock *sk = sk_atm(vcc);
53986 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53987 + seq_printf(seq, "%p ", NULL);
53989 seq_printf(seq, "%p ", vcc);
53993 seq_printf(seq, "Unassigned ");
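Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the first column of this record is produced by `seq_printf(seq, "%p ", NULL)`, so the field no longer has the shape of a pointer value. Depending on how this kernel's `%p` renders a null pointer, the column may change width or become non-numeric, which can break tools that parse the file by position; this should be checked against the header line the file prints. If a placeholder is wanted, printing a fixed literal of the same width as the normal `%p` output would keep the layout stable while still hiding the address. The same pattern is used by the other `CONFIG_GRKERNSEC_HIDESYM` hunks in this patch (tcp_ipv4.c, udp.c, af_key.c, af_netlink.c), whose replacement arguments are not fully shown on this page.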
53995 diff -urNp linux-2.6.35.4/net/atm/resources.c linux-2.6.35.4/net/atm/resources.c
53996 --- linux-2.6.35.4/net/atm/resources.c 2010-08-26 19:47:12.000000000 -0400
53997 +++ linux-2.6.35.4/net/atm/resources.c 2010-09-17 20:12:09.000000000 -0400
53998 @@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
53999 static void copy_aal_stats(struct k_atm_aal_stats *from,
54000 struct atm_aal_stats *to)
54002 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
54003 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
54005 #undef __HANDLE_ITEM
54007 @@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
54008 static void subtract_aal_stats(struct k_atm_aal_stats *from,
54009 struct atm_aal_stats *to)
54011 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
54012 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
54014 #undef __HANDLE_ITEM
54016 diff -urNp linux-2.6.35.4/net/bridge/br_stp_if.c linux-2.6.35.4/net/bridge/br_stp_if.c
54017 --- linux-2.6.35.4/net/bridge/br_stp_if.c 2010-08-26 19:47:12.000000000 -0400
54018 +++ linux-2.6.35.4/net/bridge/br_stp_if.c 2010-09-17 20:12:09.000000000 -0400
54019 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
54020 char *envp[] = { NULL };
54022 if (br->stp_enabled == BR_USER_STP) {
54023 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
54024 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
54025 br_info(br, "userspace STP stopped, return code %d\n", r);
54027 /* To start timers on any ports left in blocking */
54028 diff -urNp linux-2.6.35.4/net/bridge/netfilter/ebtables.c linux-2.6.35.4/net/bridge/netfilter/ebtables.c
54029 --- linux-2.6.35.4/net/bridge/netfilter/ebtables.c 2010-08-26 19:47:12.000000000 -0400
54030 +++ linux-2.6.35.4/net/bridge/netfilter/ebtables.c 2010-09-17 20:12:09.000000000 -0400
54031 @@ -1501,7 +1501,7 @@ static int do_ebt_get_ctl(struct sock *s
54032 tmp.valid_hooks = t->table->valid_hooks;
54034 mutex_unlock(&ebt_mutex);
54035 - if (copy_to_user(user, &tmp, *len) != 0){
54036 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
54037 BUGPRINT("c2u Didn't work\n");
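Review bot: The new `*len > sizeof(tmp)` test shares its failure branch with `copy_to_user()`, so an oversized length is reported through the `BUGPRINT("c2u Didn't work\n")` message and, presumably, the same error code as a faulting user pointer. The bound itself is the useful part, since it stops the copy from reading past `tmp`, but a length larger than the source object is a bad argument rather than a copy failure. I would test the length separately before the copy and fail it with `-EINVAL`, adapted to however this branch exits. That exit code is outside the hunk.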
54040 diff -urNp linux-2.6.35.4/net/core/dev.c linux-2.6.35.4/net/core/dev.c
54041 --- linux-2.6.35.4/net/core/dev.c 2010-08-26 19:47:12.000000000 -0400
54042 +++ linux-2.6.35.4/net/core/dev.c 2010-09-17 20:12:09.000000000 -0400
54043 @@ -2541,7 +2541,7 @@ int netif_rx_ni(struct sk_buff *skb)
54045 EXPORT_SYMBOL(netif_rx_ni);
54047 -static void net_tx_action(struct softirq_action *h)
54048 +static void net_tx_action(void)
54050 struct softnet_data *sd = &__get_cpu_var(softnet_data);
54052 @@ -3474,7 +3474,7 @@ void netif_napi_del(struct napi_struct *
54054 EXPORT_SYMBOL(netif_napi_del);
54056 -static void net_rx_action(struct softirq_action *h)
54057 +static void net_rx_action(void)
54059 struct softnet_data *sd = &__get_cpu_var(softnet_data);
54060 unsigned long time_limit = jiffies + 2;
54061 diff -urNp linux-2.6.35.4/net/core/net-sysfs.c linux-2.6.35.4/net/core/net-sysfs.c
54062 --- linux-2.6.35.4/net/core/net-sysfs.c 2010-08-26 19:47:12.000000000 -0400
54063 +++ linux-2.6.35.4/net/core/net-sysfs.c 2010-09-17 20:12:09.000000000 -0400
54064 @@ -511,7 +511,7 @@ static ssize_t rx_queue_attr_store(struc
54065 return attribute->store(queue, attribute, buf, count);
54068 -static struct sysfs_ops rx_queue_sysfs_ops = {
54069 +static const struct sysfs_ops rx_queue_sysfs_ops = {
54070 .show = rx_queue_attr_show,
54071 .store = rx_queue_attr_store,
54073 diff -urNp linux-2.6.35.4/net/core/sock.c linux-2.6.35.4/net/core/sock.c
54074 --- linux-2.6.35.4/net/core/sock.c 2010-08-26 19:47:12.000000000 -0400
54075 +++ linux-2.6.35.4/net/core/sock.c 2010-09-17 20:12:09.000000000 -0400
54076 @@ -915,7 +915,7 @@ int sock_getsockopt(struct socket *sock,
54080 - if (copy_to_user(optval, address, len))
54081 + if (len > sizeof(address) || copy_to_user(optval, address, len))
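Review bot: The added `len > sizeof(address)` bound is correct only if `address` is an array in this scope, because `sizeof` applied to a pointer would give the pointer size rather than the buffer size; the declaration is outside the hunk. The same `sizeof(<source>)` guard is added for `v` in the next hunk and for `addr`, `devname`, `tbuf` and `pb` in sysctl_net_decnet.c, tcp_probe.c and rc80211_pid_debugfs.c, and each depends on the same property. Where the length variable is a signed type the comparison converts it to unsigned, so a negative length is rejected as well. A brief comment such as `/* never copy more than the source object holds */` at each site would make the intent explicit.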
54085 @@ -948,7 +948,7 @@ int sock_getsockopt(struct socket *sock,
54089 - if (copy_to_user(optval, &v, len))
54090 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
54093 if (put_user(len, optlen))
54094 diff -urNp linux-2.6.35.4/net/dccp/ccids/ccid3.c linux-2.6.35.4/net/dccp/ccids/ccid3.c
54095 --- linux-2.6.35.4/net/dccp/ccids/ccid3.c 2010-08-26 19:47:12.000000000 -0400
54096 +++ linux-2.6.35.4/net/dccp/ccids/ccid3.c 2010-09-17 20:12:09.000000000 -0400
54098 static int ccid3_debug;
54099 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
54101 -#define ccid3_pr_debug(format, a...)
54102 +#define ccid3_pr_debug(format, a...) do {} while (0)
54106 diff -urNp linux-2.6.35.4/net/dccp/dccp.h linux-2.6.35.4/net/dccp/dccp.h
54107 --- linux-2.6.35.4/net/dccp/dccp.h 2010-08-26 19:47:12.000000000 -0400
54108 +++ linux-2.6.35.4/net/dccp/dccp.h 2010-09-17 20:12:09.000000000 -0400
54109 @@ -44,9 +44,9 @@ extern int dccp_debug;
54110 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
54111 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
54113 -#define dccp_pr_debug(format, a...)
54114 -#define dccp_pr_debug_cat(format, a...)
54115 -#define dccp_debug(format, a...)
54116 +#define dccp_pr_debug(format, a...) do {} while (0)
54117 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
54118 +#define dccp_debug(format, a...) do {} while (0)
54121 extern struct inet_hashinfo dccp_hashinfo;
54122 diff -urNp linux-2.6.35.4/net/decnet/sysctl_net_decnet.c linux-2.6.35.4/net/decnet/sysctl_net_decnet.c
54123 --- linux-2.6.35.4/net/decnet/sysctl_net_decnet.c 2010-08-26 19:47:12.000000000 -0400
54124 +++ linux-2.6.35.4/net/decnet/sysctl_net_decnet.c 2010-09-17 20:12:37.000000000 -0400
54125 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
54127 if (len > *lenp) len = *lenp;
54129 - if (copy_to_user(buffer, addr, len))
54130 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
54134 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
54136 if (len > *lenp) len = *lenp;
54138 - if (copy_to_user(buffer, devname, len))
54139 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
54143 diff -urNp linux-2.6.35.4/net/ipv4/inet_hashtables.c linux-2.6.35.4/net/ipv4/inet_hashtables.c
54144 --- linux-2.6.35.4/net/ipv4/inet_hashtables.c 2010-08-26 19:47:12.000000000 -0400
54145 +++ linux-2.6.35.4/net/ipv4/inet_hashtables.c 2010-09-17 20:12:37.000000000 -0400
54146 @@ -18,11 +18,14 @@
54147 #include <linux/sched.h>
54148 #include <linux/slab.h>
54149 #include <linux/wait.h>
54150 +#include <linux/security.h>
54152 #include <net/inet_connection_sock.h>
54153 #include <net/inet_hashtables.h>
54154 #include <net/route.h>
54155 #include <net/ip.h>
54157 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
54160 * Allocate and initialize a new local port bind bucket.
54161 @@ -508,6 +511,8 @@ ok:
54162 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
54163 spin_unlock(&head->lock);
54165 + gr_update_task_in_ip_table(current, inet_sk(sk));
54168 inet_twsk_deschedule(tw, death_row);
54170 diff -urNp linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c
54171 --- linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400
54172 +++ linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400
54173 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
54177 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
54178 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
54179 if (*octets == NULL) {
54180 if (net_ratelimit())
54181 pr_notice("OOM in bsalg (%d)\n", __LINE__);
54182 diff -urNp linux-2.6.35.4/net/ipv4/tcp_ipv4.c linux-2.6.35.4/net/ipv4/tcp_ipv4.c
54183 --- linux-2.6.35.4/net/ipv4/tcp_ipv4.c 2010-08-26 19:47:12.000000000 -0400
54184 +++ linux-2.6.35.4/net/ipv4/tcp_ipv4.c 2010-09-17 20:12:37.000000000 -0400
54186 int sysctl_tcp_tw_reuse __read_mostly;
54187 int sysctl_tcp_low_latency __read_mostly;
54189 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54190 +extern int grsec_enable_blackhole;
54193 #ifdef CONFIG_TCP_MD5SIG
54194 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
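Review bot: `grsec_enable_blackhole` is declared with a local `extern int` in this .c file instead of coming from a shared header, and the same declaration is repeated in tcp_minisocks.c, udp.c, tcp_ipv6.c and ipv6/udp.c (likewise `grsec_lastack_retries` in tcp_timer.c and the `gr_*` prototypes in inet_hashtables.c and udp.c). With per-file declarations the compiler cannot check them against the definition, so a later change to the variable's type or a function's signature would go unnoticed at these call sites. Moving the declarations into one header that both the definition and the users include would remove that risk.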
54195 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
54199 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54200 + if (!grsec_enable_blackhole)
54202 tcp_v4_send_reset(rsk, skb);
54205 @@ -1654,12 +1660,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
54206 TCP_SKB_CB(skb)->sacked = 0;
54208 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54211 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54214 goto no_tcp_socket;
54218 - if (sk->sk_state == TCP_TIME_WAIT)
54219 + if (sk->sk_state == TCP_TIME_WAIT) {
54220 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54226 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
54227 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54228 @@ -1709,6 +1722,10 @@ no_tcp_socket:
54230 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54232 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54233 + if (!grsec_enable_blackhole || (ret == 1 &&
54234 + (skb->dev->flags & IFF_LOOPBACK)))
54236 tcp_v4_send_reset(NULL, skb);
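Review bot: The guard `ret == 1 && (skb->dev->flags & IFF_LOOPBACK)` relies on a bare numeric value of `ret` that is assigned earlier in `tcp_v4_rcv`, in lines that are not part of this hunk, so a reader cannot tell from here which case still gets a reset on loopback. Reusing the function's return variable as a state flag is also fragile, because any later assignment to `ret` before the `no_tcp_socket` label silently changes when resets are suppressed. A dedicated local with a descriptive name, or at least a comment at this test stating what `1` denotes, would make the exemption reviewable. The same expression appears in the `no_tcp_socket` hunk of tcp_ipv6.c.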
54239 @@ -2316,7 +2333,11 @@ static void get_openreq4(struct sock *sk
54240 0, /* non standard timer */
54241 0, /* open_requests have no inode */
54242 atomic_read(&sk->sk_refcnt),
54243 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54251 @@ -2366,7 +2387,12 @@ static void get_tcp4_sock(struct sock *s
54253 icsk->icsk_probes_out,
54255 - atomic_read(&sk->sk_refcnt), sk,
54256 + atomic_read(&sk->sk_refcnt),
54257 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54262 jiffies_to_clock_t(icsk->icsk_rto),
54263 jiffies_to_clock_t(icsk->icsk_ack.ato),
54264 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
54265 @@ -2394,7 +2420,13 @@ static void get_timewait4_sock(struct in
54266 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
54267 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
54268 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
54269 - atomic_read(&tw->tw_refcnt), tw, len);
54270 + atomic_read(&tw->tw_refcnt),
54271 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54280 diff -urNp linux-2.6.35.4/net/ipv4/tcp_minisocks.c linux-2.6.35.4/net/ipv4/tcp_minisocks.c
54281 --- linux-2.6.35.4/net/ipv4/tcp_minisocks.c 2010-08-26 19:47:12.000000000 -0400
54282 +++ linux-2.6.35.4/net/ipv4/tcp_minisocks.c 2010-09-17 20:12:37.000000000 -0400
54284 #include <net/inet_common.h>
54285 #include <net/xfrm.h>
54287 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54288 +extern int grsec_enable_blackhole;
54291 int sysctl_tcp_syncookies __read_mostly = 1;
54292 EXPORT_SYMBOL(sysctl_tcp_syncookies);
54294 @@ -700,6 +704,10 @@ listen_overflow:
54297 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
54299 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54300 + if (!grsec_enable_blackhole)
54302 if (!(flg & TCP_FLAG_RST))
54303 req->rsk_ops->send_reset(sk, skb);
54305 diff -urNp linux-2.6.35.4/net/ipv4/tcp_probe.c linux-2.6.35.4/net/ipv4/tcp_probe.c
54306 --- linux-2.6.35.4/net/ipv4/tcp_probe.c 2010-08-26 19:47:12.000000000 -0400
54307 +++ linux-2.6.35.4/net/ipv4/tcp_probe.c 2010-09-17 20:12:37.000000000 -0400
54308 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
54309 if (cnt + width >= len)
54312 - if (copy_to_user(buf + cnt, tbuf, width))
54313 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
54317 diff -urNp linux-2.6.35.4/net/ipv4/tcp_timer.c linux-2.6.35.4/net/ipv4/tcp_timer.c
54318 --- linux-2.6.35.4/net/ipv4/tcp_timer.c 2010-08-26 19:47:12.000000000 -0400
54319 +++ linux-2.6.35.4/net/ipv4/tcp_timer.c 2010-09-17 20:12:37.000000000 -0400
54321 #include <linux/gfp.h>
54322 #include <net/tcp.h>
54324 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54325 +extern int grsec_lastack_retries;
54328 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
54329 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
54330 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
54331 @@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock
54335 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54336 + if ((sk->sk_state == TCP_LAST_ACK) &&
54337 + (grsec_lastack_retries > 0) &&
54338 + (grsec_lastack_retries < retry_until))
54339 + retry_until = grsec_lastack_retries;
54342 if (retransmits_timed_out(sk, retry_until)) {
54343 /* Has it gone just too far? */
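Review bot: `grsec_lastack_retries` is read three times in the added block, twice in the condition and once in the assignment, so if it can be changed at run time (its definition is not on this page) the value stored in `retry_until` need not be the one that passed the `> 0` and `< retry_until` tests. Reading it once into a local closes that window: `int lastack = ACCESS_ONCE(grsec_lastack_retries);` followed by `if (sk->sk_state == TCP_LAST_ACK && lastack > 0 && lastack < retry_until) retry_until = lastack;`. `tcp_write_timeout` starts and ends outside the hunk.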
54345 diff -urNp linux-2.6.35.4/net/ipv4/udp.c linux-2.6.35.4/net/ipv4/udp.c
54346 --- linux-2.6.35.4/net/ipv4/udp.c 2010-08-26 19:47:12.000000000 -0400
54347 +++ linux-2.6.35.4/net/ipv4/udp.c 2010-09-17 20:12:37.000000000 -0400
54349 #include <linux/types.h>
54350 #include <linux/fcntl.h>
54351 #include <linux/module.h>
54352 +#include <linux/security.h>
54353 #include <linux/socket.h>
54354 #include <linux/sockios.h>
54355 #include <linux/igmp.h>
54356 @@ -107,6 +108,10 @@
54357 #include <net/xfrm.h>
54358 #include "udp_impl.h"
54360 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54361 +extern int grsec_enable_blackhole;
54364 struct udp_table udp_table __read_mostly;
54365 EXPORT_SYMBOL(udp_table);
54367 @@ -564,6 +569,9 @@ found:
54371 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
54372 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
54375 * This routine is called by the ICMP module when it gets some
54376 * sort of error condition. If err < 0 then the socket should
54377 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
54378 dport = usin->sin_port;
54382 + err = gr_search_udp_sendmsg(sk, usin);
54386 if (sk->sk_state != TCP_ESTABLISHED)
54387 return -EDESTADDRREQ;
54389 + err = gr_search_udp_sendmsg(sk, NULL);
54393 daddr = inet->inet_daddr;
54394 dport = inet->inet_dport;
54395 /* Open fast path for connected socket.
54396 @@ -1141,6 +1158,10 @@ try_again:
54400 + err = gr_search_udp_recvmsg(sk, skb);
54404 ulen = skb->len - sizeof(struct udphdr);
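Review bot: The result of `gr_search_udp_recvmsg(sk, skb)` is stored in `err`, but the lines that act on it are not shown in this hunk as it appears on the page. Since the hook is passed `skb`, a datagram has already been obtained at this point, so a denial has to leave through the function's existing path that releases the skb rather than through a bare `return err`. That is worth confirming against the full patch. The surrounding function starts and ends outside the hunk.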
54407 @@ -1582,6 +1603,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
54410 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
54411 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54412 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54414 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
54417 @@ -2007,7 +2031,12 @@ static void udp4_format_sock(struct sock
54418 sk_wmem_alloc_get(sp),
54419 sk_rmem_alloc_get(sp),
54420 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
54421 - atomic_read(&sp->sk_refcnt), sp,
54422 + atomic_read(&sp->sk_refcnt),
54423 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54428 atomic_read(&sp->sk_drops), len);
54431 diff -urNp linux-2.6.35.4/net/ipv6/exthdrs.c linux-2.6.35.4/net/ipv6/exthdrs.c
54432 --- linux-2.6.35.4/net/ipv6/exthdrs.c 2010-08-26 19:47:12.000000000 -0400
54433 +++ linux-2.6.35.4/net/ipv6/exthdrs.c 2010-09-17 20:12:09.000000000 -0400
54434 @@ -636,7 +636,7 @@ static struct tlvtype_proc tlvprochopopt
54435 .type = IPV6_TLV_JUMBO,
54436 .func = ipv6_hop_jumbo,
54442 int ipv6_parse_hopopts(struct sk_buff *skb)
54443 diff -urNp linux-2.6.35.4/net/ipv6/raw.c linux-2.6.35.4/net/ipv6/raw.c
54444 --- linux-2.6.35.4/net/ipv6/raw.c 2010-08-26 19:47:12.000000000 -0400
54445 +++ linux-2.6.35.4/net/ipv6/raw.c 2010-09-17 20:12:09.000000000 -0400
54446 @@ -601,7 +601,7 @@ out:
54450 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
54451 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
54452 struct flowi *fl, struct rt6_info *rt,
54453 unsigned int flags)
54455 diff -urNp linux-2.6.35.4/net/ipv6/tcp_ipv6.c linux-2.6.35.4/net/ipv6/tcp_ipv6.c
54456 --- linux-2.6.35.4/net/ipv6/tcp_ipv6.c 2010-08-26 19:47:12.000000000 -0400
54457 +++ linux-2.6.35.4/net/ipv6/tcp_ipv6.c 2010-09-17 20:23:25.000000000 -0400
54458 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
54462 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54463 +extern int grsec_enable_blackhole;
54466 static void tcp_v6_hash(struct sock *sk)
54468 if (sk->sk_state != TCP_CLOSE) {
54469 @@ -1641,6 +1645,9 @@ static int tcp_v6_do_rcv(struct sock *sk
54473 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54474 + if (!grsec_enable_blackhole)
54476 tcp_v6_send_reset(sk, skb);
54479 @@ -1720,12 +1727,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
54480 TCP_SKB_CB(skb)->sacked = 0;
54482 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54485 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54488 goto no_tcp_socket;
54492 - if (sk->sk_state == TCP_TIME_WAIT)
54493 + if (sk->sk_state == TCP_TIME_WAIT) {
54494 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54500 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
54501 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54502 @@ -1773,6 +1788,10 @@ no_tcp_socket:
54504 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54506 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54507 + if (!grsec_enable_blackhole || (ret == 1 &&
54508 + (skb->dev->flags & IFF_LOOPBACK)))
54510 tcp_v6_send_reset(NULL, skb);
54513 diff -urNp linux-2.6.35.4/net/ipv6/udp.c linux-2.6.35.4/net/ipv6/udp.c
54514 --- linux-2.6.35.4/net/ipv6/udp.c 2010-08-26 19:47:12.000000000 -0400
54515 +++ linux-2.6.35.4/net/ipv6/udp.c 2010-09-17 20:12:37.000000000 -0400
54517 #include <linux/seq_file.h>
54518 #include "udp_impl.h"
54520 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54521 +extern int grsec_enable_blackhole;
54524 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
54526 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
54527 @@ -756,6 +760,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
54528 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
54529 proto == IPPROTO_UDPLITE);
54531 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54532 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54534 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
54537 diff -urNp linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c
54538 --- linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400
54539 +++ linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400
54540 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
54541 add_wait_queue(&self->open_wait, &wait);
54543 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
54544 - __FILE__,__LINE__, tty->driver->name, self->open_count );
54545 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54547 /* As far as I can see, we protect open_count - Jean II */
54548 spin_lock_irqsave(&self->spinlock, flags);
54549 if (!tty_hung_up_p(filp)) {
54551 - self->open_count--;
54552 + atomic_dec(&self->open_count);
54554 spin_unlock_irqrestore(&self->spinlock, flags);
54555 - self->blocked_open++;
54556 + atomic_inc(&self->blocked_open);
54559 if (tty->termios->c_cflag & CBAUD) {
54560 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
54563 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
54564 - __FILE__,__LINE__, tty->driver->name, self->open_count );
54565 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54569 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
54571 /* ++ is not atomic, so this should be protected - Jean II */
54572 spin_lock_irqsave(&self->spinlock, flags);
54573 - self->open_count++;
54574 + atomic_inc(&self->open_count);
54575 spin_unlock_irqrestore(&self->spinlock, flags);
54577 - self->blocked_open--;
54578 + atomic_dec(&self->blocked_open);
54580 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
54581 - __FILE__,__LINE__, tty->driver->name, self->open_count);
54582 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
54585 self->flags |= ASYNC_NORMAL_ACTIVE;
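Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` is now stale, because the line it describes has become `atomic_inc(&self->open_count)`; the same comment is left above the converted increment in the `ircomm_tty_open` hunk. The comments should instead say why the spinlock is still taken around an atomic operation, for example because it also covers the `tty->driver_data` assignment in `ircomm_tty_open`. Something like `/* open_count is atomic; the lock orders this against the close path */` would do, if that is indeed the reason.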
54586 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
54588 /* ++ is not atomic, so this should be protected - Jean II */
54589 spin_lock_irqsave(&self->spinlock, flags);
54590 - self->open_count++;
54591 + atomic_inc(&self->open_count);
54593 tty->driver_data = self;
54595 spin_unlock_irqrestore(&self->spinlock, flags);
54597 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
54598 - self->line, self->open_count);
54599 + self->line, atomic_read(&self->open_count));
54601 /* Not really used by us, but lets do it anyway */
54602 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
54603 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
54607 - if ((tty->count == 1) && (self->open_count != 1)) {
54608 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
54610 * Uh, oh. tty->count is 1, which means that the tty
54611 * structure will be freed. state->count should always
54612 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
54614 IRDA_DEBUG(0, "%s(), bad serial port count; "
54615 "tty->count is 1, state->count is %d\n", __func__ ,
54616 - self->open_count);
54617 - self->open_count = 1;
54618 + atomic_read(&self->open_count));
54619 + atomic_set(&self->open_count, 1);
54622 - if (--self->open_count < 0) {
54623 + if (atomic_dec_return(&self->open_count) < 0) {
54624 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
54625 - __func__, self->line, self->open_count);
54626 - self->open_count = 0;
54627 + __func__, self->line, atomic_read(&self->open_count));
54628 + atomic_set(&self->open_count, 0);
54630 - if (self->open_count) {
54631 + if (atomic_read(&self->open_count)) {
54632 spin_unlock_irqrestore(&self->spinlock, flags);
54634 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
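Review bot: Each correction in this hunk is a separate read followed by a separate write (`atomic_read(&self->open_count) != 1` then `atomic_set(..., 1)`, and `atomic_dec_return(...) < 0` then `atomic_set(..., 0)`), so the sequences are consistent only while `self->spinlock` is held across them. The matching `spin_unlock_irqrestore()` is visible at the end of the hunk but the lock acquisition is not, and `blocked_open` is now modified outside the lock in `ircomm_tty_block_til_ready`. A comment stating that `open_count` may only be reset under `self->spinlock` would keep the atomic type from being read as permission to drop the lock.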
54635 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
54639 - if (self->blocked_open) {
54640 + if (atomic_read(&self->blocked_open)) {
54641 if (self->close_delay)
54642 schedule_timeout_interruptible(self->close_delay);
54643 wake_up_interruptible(&self->open_wait);
54644 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
54645 spin_lock_irqsave(&self->spinlock, flags);
54646 self->flags &= ~ASYNC_NORMAL_ACTIVE;
54648 - self->open_count = 0;
54649 + atomic_set(&self->open_count, 0);
54650 spin_unlock_irqrestore(&self->spinlock, flags);
54652 wake_up_interruptible(&self->open_wait);
54653 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
54656 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
54657 - seq_printf(m, "Open count: %d\n", self->open_count);
54658 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
54659 seq_printf(m, "Max data size: %d\n", self->max_data_size);
54660 seq_printf(m, "Max header size: %d\n", self->max_header_size);
54662 diff -urNp linux-2.6.35.4/net/key/af_key.c linux-2.6.35.4/net/key/af_key.c
54663 --- linux-2.6.35.4/net/key/af_key.c 2010-08-26 19:47:12.000000000 -0400
54664 +++ linux-2.6.35.4/net/key/af_key.c 2010-09-17 20:12:37.000000000 -0400
54665 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
54666 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
54668 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
54669 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54674 atomic_read(&s->sk_refcnt),
54675 sk_rmem_alloc_get(s),
54676 sk_wmem_alloc_get(s),
54677 diff -urNp linux-2.6.35.4/net/mac80211/ieee80211_i.h linux-2.6.35.4/net/mac80211/ieee80211_i.h
54678 --- linux-2.6.35.4/net/mac80211/ieee80211_i.h 2010-08-26 19:47:12.000000000 -0400
54679 +++ linux-2.6.35.4/net/mac80211/ieee80211_i.h 2010-09-17 20:12:09.000000000 -0400
54680 @@ -649,7 +649,7 @@ struct ieee80211_local {
54681 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
54682 spinlock_t queue_stop_reason_lock;
54685 + atomic_t open_count;
54686 int monitors, cooked_mntrs;
54687 /* number of interfaces with corresponding FIF_ flags */
54688 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
54689 diff -urNp linux-2.6.35.4/net/mac80211/iface.c linux-2.6.35.4/net/mac80211/iface.c
54690 --- linux-2.6.35.4/net/mac80211/iface.c 2010-08-26 19:47:12.000000000 -0400
54691 +++ linux-2.6.35.4/net/mac80211/iface.c 2010-09-17 20:12:09.000000000 -0400
54692 @@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
54696 - if (local->open_count == 0) {
54697 + if (atomic_read(&local->open_count) == 0) {
54698 res = drv_start(local);
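Review bot: `atomic_read(&local->open_count) == 0` followed by `drv_start(local)` is still a check-then-act sequence, so converting the counter to `atomic_t` does not by itself stop two openers from both seeing zero. The code presumably relies on a lock held by the caller of `ieee80211_open`, which is outside the hunk, and the `atomic_inc()` happens much later in the function, in a separate hunk. A comment at the `open_count` field in ieee80211_i.h naming the lock that serialises open and stop against this counter would make clear that the atomic type is not what provides the exclusion.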
54701 @@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
54702 * Validate the MAC address for this device.
54704 if (!is_valid_ether_addr(dev->dev_addr)) {
54705 - if (!local->open_count)
54706 + if (!atomic_read(&local->open_count))
54708 return -EADDRNOTAVAIL;
54710 @@ -308,7 +308,7 @@ static int ieee80211_open(struct net_dev
54712 hw_reconf_flags |= __ieee80211_recalc_idle(local);
54714 - local->open_count++;
54715 + atomic_inc(&local->open_count);
54716 if (hw_reconf_flags) {
54717 ieee80211_hw_config(local, hw_reconf_flags);
54719 @@ -336,7 +336,7 @@ static int ieee80211_open(struct net_dev
54721 drv_remove_interface(local, &sdata->vif);
54723 - if (!local->open_count)
54724 + if (!atomic_read(&local->open_count))
54728 @@ -439,7 +439,7 @@ static int ieee80211_stop(struct net_dev
54729 WARN_ON(!list_empty(&sdata->u.ap.vlans));
54732 - local->open_count--;
54733 + atomic_dec(&local->open_count);
54735 switch (sdata->vif.type) {
54736 case NL80211_IFTYPE_AP_VLAN:
54737 @@ -542,7 +542,7 @@ static int ieee80211_stop(struct net_dev
54739 ieee80211_recalc_ps(local, -1);
54741 - if (local->open_count == 0) {
54742 + if (atomic_read(&local->open_count) == 0) {
54743 ieee80211_clear_tx_pending(local);
54744 ieee80211_stop_device(local);
54746 diff -urNp linux-2.6.35.4/net/mac80211/main.c linux-2.6.35.4/net/mac80211/main.c
54747 --- linux-2.6.35.4/net/mac80211/main.c 2010-08-26 19:47:12.000000000 -0400
54748 +++ linux-2.6.35.4/net/mac80211/main.c 2010-09-17 20:12:09.000000000 -0400
54749 @@ -148,7 +148,7 @@ int ieee80211_hw_config(struct ieee80211
54750 local->hw.conf.power_level = power;
54753 - if (changed && local->open_count) {
54754 + if (changed && atomic_read(&local->open_count)) {
54755 ret = drv_config(local, changed);
54758 diff -urNp linux-2.6.35.4/net/mac80211/pm.c linux-2.6.35.4/net/mac80211/pm.c
54759 --- linux-2.6.35.4/net/mac80211/pm.c 2010-08-26 19:47:12.000000000 -0400
54760 +++ linux-2.6.35.4/net/mac80211/pm.c 2010-09-17 20:12:09.000000000 -0400
54761 @@ -101,7 +101,7 @@ int __ieee80211_suspend(struct ieee80211
54764 /* stop hardware - this must stop RX */
54765 - if (local->open_count)
54766 + if (atomic_read(&local->open_count))
54767 ieee80211_stop_device(local);
54769 local->suspended = true;
54770 diff -urNp linux-2.6.35.4/net/mac80211/rate.c linux-2.6.35.4/net/mac80211/rate.c
54771 --- linux-2.6.35.4/net/mac80211/rate.c 2010-08-26 19:47:12.000000000 -0400
54772 +++ linux-2.6.35.4/net/mac80211/rate.c 2010-09-17 20:12:09.000000000 -0400
54773 @@ -355,7 +355,7 @@ int ieee80211_init_rate_ctrl_alg(struct
54777 - if (local->open_count)
54778 + if (atomic_read(&local->open_count))
54781 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
54782 diff -urNp linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c
54783 --- linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c 2010-08-26 19:47:12.000000000 -0400
54784 +++ linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c 2010-09-17 20:12:09.000000000 -0400
54785 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
54787 spin_unlock_irqrestore(&events->lock, status);
54789 - if (copy_to_user(buf, pb, p))
54790 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
54794 diff -urNp linux-2.6.35.4/net/mac80211/tx.c linux-2.6.35.4/net/mac80211/tx.c
54795 --- linux-2.6.35.4/net/mac80211/tx.c 2010-08-26 19:47:12.000000000 -0400
54796 +++ linux-2.6.35.4/net/mac80211/tx.c 2010-09-17 20:12:09.000000000 -0400
54797 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
54798 return cpu_to_le16(dur);
54801 -static int inline is_ieee80211_device(struct ieee80211_local *local,
54802 +static inline int is_ieee80211_device(struct ieee80211_local *local,
54803 struct net_device *dev)
54805 return local == wdev_priv(dev->ieee80211_ptr);
54806 diff -urNp linux-2.6.35.4/net/mac80211/util.c linux-2.6.35.4/net/mac80211/util.c
54807 --- linux-2.6.35.4/net/mac80211/util.c 2010-08-26 19:47:12.000000000 -0400
54808 +++ linux-2.6.35.4/net/mac80211/util.c 2010-09-17 20:12:09.000000000 -0400
54809 @@ -1097,7 +1097,7 @@ int ieee80211_reconfig(struct ieee80211_
54810 local->resuming = true;
54812 /* restart hardware */
54813 - if (local->open_count) {
54814 + if (atomic_read(&local->open_count)) {
54816 * Upon resume hardware can sometimes be goofy due to
54817 * various platform / driver / bus issues, so restarting
54818 diff -urNp linux-2.6.35.4/net/netlink/af_netlink.c linux-2.6.35.4/net/netlink/af_netlink.c
54819 --- linux-2.6.35.4/net/netlink/af_netlink.c 2010-08-26 19:47:12.000000000 -0400
54820 +++ linux-2.6.35.4/net/netlink/af_netlink.c 2010-09-17 20:12:37.000000000 -0400
54821 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
54822 struct netlink_sock *nlk = nlk_sk(s);
54824 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
54825 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54832 nlk->groups ? (u32)nlk->groups[0] : 0,
54833 sk_rmem_alloc_get(s),
54834 sk_wmem_alloc_get(s),
54835 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54840 atomic_read(&s->sk_refcnt),
54841 atomic_read(&s->sk_drops),
54843 diff -urNp linux-2.6.35.4/net/packet/af_packet.c linux-2.6.35.4/net/packet/af_packet.c
54844 --- linux-2.6.35.4/net/packet/af_packet.c 2010-08-26 19:47:12.000000000 -0400
54845 +++ linux-2.6.35.4/net/packet/af_packet.c 2010-09-17 20:12:37.000000000 -0400
54846 @@ -2093,7 +2093,7 @@ static int packet_getsockopt(struct sock
54847 case PACKET_HDRLEN:
54848 if (len > sizeof(int))
54850 - if (copy_from_user(&val, optval, len))
54851 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
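Review bot: The added `len > sizeof(val)` test on the PACKET_HDRLEN path looks redundant with the clamp that begins at the context line `if (len > sizeof(int))` just above it, while the opposite case, a `len` shorter than `val`, is still accepted. With a short `len`, `copy_from_user(&val, optval, len)` fills only part of `val` and the remaining bytes keep whatever they held before. The declaration of `val` is outside the hunk, so whether it starts out initialised needs checking. Zeroing it before the copy (`val = 0;`) would make the value that is then acted on fully defined. The body of packet_getsockopt continues outside this hunk.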
54855 @@ -2125,7 +2125,7 @@ static int packet_getsockopt(struct sock
54857 if (put_user(len, optlen))
54859 - if (copy_to_user(optval, data, len))
54860 + if (len > sizeof(st) || copy_to_user(optval, data, len))
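Review bot: The new bound compares `len` with `sizeof(st)`, but the copy reads from `data`, so the test only limits the read when `data` actually points at `st`. The assignments to `data` are outside the hunk; if any option points it at a smaller object, a `len` between that object's size and `sizeof(st)` would pass and copy_to_user() would read past the object. Keeping the size next to the pointer, for example a local such as `data_len` set wherever `data` is set and tested as `if (len > data_len || copy_to_user(optval, data, len))`, ties the check to the real source. Also note that `put_user(len, optlen)` has already reported the length to userspace by the time this test can reject it.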
54864 @@ -2604,7 +2604,11 @@ static int packet_seq_show(struct seq_fi
54867 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
54868 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54873 atomic_read(&s->sk_refcnt),
54876 diff -urNp linux-2.6.35.4/net/sctp/socket.c linux-2.6.35.4/net/sctp/socket.c
54877 --- linux-2.6.35.4/net/sctp/socket.c 2010-08-26 19:47:12.000000000 -0400
54878 +++ linux-2.6.35.4/net/sctp/socket.c 2010-09-17 20:12:09.000000000 -0400
54879 @@ -1483,7 +1483,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
54880 struct sctp_sndrcvinfo *sinfo;
54881 struct sctp_initmsg *sinit;
54882 sctp_assoc_t associd = 0;
54883 - sctp_cmsgs_t cmsgs = { NULL };
54884 + sctp_cmsgs_t cmsgs = { NULL, NULL };
54886 sctp_scope_t scope;
54888 @@ -4387,7 +4387,7 @@ static int sctp_getsockopt_peer_addrs(st
54889 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
54890 if (space_left < addrlen)
54892 - if (copy_to_user(to, &temp, addrlen))
54893 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
54897 diff -urNp linux-2.6.35.4/net/socket.c linux-2.6.35.4/net/socket.c
54898 --- linux-2.6.35.4/net/socket.c 2010-08-26 19:47:12.000000000 -0400
54899 +++ linux-2.6.35.4/net/socket.c 2010-09-17 20:12:37.000000000 -0400
54901 #include <linux/nsproxy.h>
54902 #include <linux/magic.h>
54903 #include <linux/slab.h>
54904 +#include <linux/in.h>
54906 #include <asm/uaccess.h>
54907 #include <asm/unistd.h>
54908 @@ -105,6 +106,8 @@
54909 #include <linux/sockios.h>
54910 #include <linux/atalk.h>
54912 +#include <linux/grsock.h>
54914 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
54915 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
54916 unsigned long nr_segs, loff_t pos);
54917 @@ -322,7 +325,7 @@ static int sockfs_get_sb(struct file_sys
54921 -static struct vfsmount *sock_mnt __read_mostly;
54922 +struct vfsmount *sock_mnt __read_mostly;
54924 static struct file_system_type sock_fs_type = {
54926 @@ -1291,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
54927 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
54928 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
54930 + if(!gr_search_socket(family, type, protocol)) {
54931 + retval = -EACCES;
54935 + if (gr_handle_sock_all(family, type, protocol)) {
54936 + retval = -EACCES;
54940 retval = sock_create(family, type, protocol, &sock);
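Review bot: The two hooks added before `sock_create()` use opposite return conventions, and nothing at the call site says so: `gr_search_socket()` denies when it returns zero, `gr_handle_sock_all()` denies when it returns non-zero. A one-line comment above each call, `/* returns 0 when the request is denied */` and `/* returns non-zero when the request is denied */`, would stop a later edit from inverting one of them by analogy with the other. The first call is also written `if(!gr_search_socket(` without the space after `if` that the second added call and the rest of the file use.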
54943 @@ -1403,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54945 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
54947 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
54951 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
54955 err = security_socket_bind(sock,
54956 (struct sockaddr *)&address,
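Review bot: `gr_search_bind()` receives `&address` cast to `struct sockaddr_in *` with neither the address family nor `addrlen`, so the callee cannot tell how many bytes `move_addr_to_kernel()` actually filled. For a socket of another family, or an `addrlen` shorter than `sizeof(struct sockaddr_in)`, a read of `sin_port` or `sin_addr` would see that family's bytes or whatever `address` held before the copy. The hook bodies are not in this file section, so whether they check `sa_family` first should be confirmed. Gating the call on `address.ss_family == AF_INET && addrlen >= sizeof(struct sockaddr_in)`, or passing `addrlen` through, would make the assumption explicit. The same cast appears in the connect hunk further down (`gr_search_connect(sock, (struct sockaddr_in *)sck)`).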
54958 @@ -1411,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54959 (struct sockaddr *)
54960 &address, addrlen);
54963 fput_light(sock->file, fput_needed);
54966 @@ -1434,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
54967 if ((unsigned)backlog > somaxconn)
54968 backlog = somaxconn;
54970 + if (gr_handle_sock_server_other(sock->sk)) {
54975 + err = gr_search_listen(sock);
54979 err = security_socket_listen(sock, backlog);
54981 err = sock->ops->listen(sock, backlog);
54984 fput_light(sock->file, fput_needed);
54987 @@ -1480,6 +1512,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
54988 newsock->type = sock->type;
54989 newsock->ops = sock->ops;
54991 + if (gr_handle_sock_server_other(sock->sk)) {
54993 + sock_release(newsock);
54997 + err = gr_search_accept(sock);
54999 + sock_release(newsock);
55004 * We don't need try_module_get here, as the listening socket (sock)
55005 * has the protocol module (sock->ops->owner) held.
55006 @@ -1518,6 +1562,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
55007 fd_install(newfd, newfile);
55010 + gr_attach_curr_ip(newsock->sk);
55013 fput_light(sock->file, fput_needed);
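Review bot: `gr_attach_curr_ip(newsock->sk)` is placed after `fd_install(newfd, newfile)`, at which point the new descriptor is already visible to every thread sharing the file table. A concurrent close() of `newfd` could drop the last reference and release `newsock` before this line dereferences `newsock->sk`. Moving the call to just before `fd_install()` keeps the dereference inside the window where this path still owns the socket. The lines between the two statements are not all visible in this hunk, so the exact placement should be checked against the complete function.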
55015 @@ -1550,6 +1596,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55018 struct socket *sock;
55019 + struct sockaddr *sck;
55020 struct sockaddr_storage address;
55021 int err, fput_needed;
55023 @@ -1560,6 +1607,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55027 + sck = (struct sockaddr *)&address;
55029 + if (gr_handle_sock_client(sck)) {
55034 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
55039 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
55041 diff -urNp linux-2.6.35.4/net/sunrpc/sched.c linux-2.6.35.4/net/sunrpc/sched.c
55042 --- linux-2.6.35.4/net/sunrpc/sched.c 2010-08-26 19:47:12.000000000 -0400
55043 +++ linux-2.6.35.4/net/sunrpc/sched.c 2010-09-17 20:12:09.000000000 -0400
55044 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
55046 static void rpc_task_set_debuginfo(struct rpc_task *task)
55048 - static atomic_t rpc_pid;
55049 + static atomic_unchecked_t rpc_pid;
55051 - task->tk_pid = atomic_inc_return(&rpc_pid);
55052 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
55055 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
55056 diff -urNp linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c
55057 --- linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-26 19:47:12.000000000 -0400
55058 +++ linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c 2010-09-17 20:12:37.000000000 -0400
55059 @@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
55063 - if (len && copy_to_user(buffer, str_buf, len))
55064 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
55068 diff -urNp linux-2.6.35.4/net/sysctl_net.c linux-2.6.35.4/net/sysctl_net.c
55069 --- linux-2.6.35.4/net/sysctl_net.c 2010-08-26 19:47:12.000000000 -0400
55070 +++ linux-2.6.35.4/net/sysctl_net.c 2010-09-17 20:12:37.000000000 -0400
55071 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
55072 struct ctl_table *table)
55074 /* Allow network administrator to have same access as root. */
55075 - if (capable(CAP_NET_ADMIN)) {
55076 + if (capable_nolog(CAP_NET_ADMIN)) {
55077 int mode = (table->mode >> 6) & 7;
55078 return (mode << 6) | (mode << 3) | mode;
55080 diff -urNp linux-2.6.35.4/net/tipc/socket.c linux-2.6.35.4/net/tipc/socket.c
55081 --- linux-2.6.35.4/net/tipc/socket.c 2010-08-26 19:47:12.000000000 -0400
55082 +++ linux-2.6.35.4/net/tipc/socket.c 2010-09-17 20:12:09.000000000 -0400
55083 @@ -1451,8 +1451,9 @@ static int connect(struct socket *sock,
55088 - ; /* leave "res" unchanged */
55090 + /* leave "res" unchanged */
55092 sock->state = SS_DISCONNECTING;
55095 diff -urNp linux-2.6.35.4/net/unix/af_unix.c linux-2.6.35.4/net/unix/af_unix.c
55096 --- linux-2.6.35.4/net/unix/af_unix.c 2010-08-26 19:47:12.000000000 -0400
55097 +++ linux-2.6.35.4/net/unix/af_unix.c 2010-09-17 20:12:37.000000000 -0400
55098 @@ -736,6 +736,12 @@ static struct sock *unix_find_other(stru
55099 err = -ECONNREFUSED;
55100 if (!S_ISSOCK(inode->i_mode))
55103 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
55108 u = unix_find_socket_byinode(net, inode);
55111 @@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
55113 struct dentry *dentry;
55114 dentry = unix_sk(u)->dentry;
55116 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
55123 touch_atime(unix_sk(u)->mnt, dentry);
55125 @@ -841,11 +854,18 @@ static int unix_bind(struct socket *sock
55126 err = security_path_mknod(&nd.path, dentry, mode, 0);
55128 goto out_mknod_drop_write;
55129 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
55131 + goto out_mknod_drop_write;
55133 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
55134 out_mknod_drop_write:
55135 mnt_drop_write(nd.path.mnt);
55137 goto out_mknod_dput;
55139 + gr_handle_create(dentry, nd.path.mnt);
55141 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
55142 dput(nd.path.dentry);
55143 nd.path.dentry = dentry;
55144 @@ -863,6 +883,10 @@ out_mknod_drop_write:
55148 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55149 + sk->sk_peercred.pid = current->pid;
55152 list = &unix_socket_table[addr->hash];
55154 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
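Review bot: `sk->sk_peercred.pid = current->pid` records a bare numeric pid at bind time, and the unix_find_other hunk above later passes `u->sk_peercred.pid` to `gr_handle_chroot_unix()`. A numeric pid can be reused once the binding task has exited while the socket lives on through an inherited or passed descriptor, so the later check may be evaluated against an unrelated task. The assignment also reuses the field that carries peer credentials, so it is worth confirming nothing reports it to userspace before a real peer is set. Holding a counted reference obtained with `get_pid(task_pid(current))` in a dedicated field, released when the socket is destroyed, would avoid both problems. unix_bind's body continues outside the hunk.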
55155 @@ -2161,7 +2185,11 @@ static int unix_seq_show(struct seq_file
55156 unix_state_lock(s);
55158 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
55159 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55164 atomic_read(&s->sk_refcnt),
55166 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
55167 diff -urNp linux-2.6.35.4/net/wireless/reg.c linux-2.6.35.4/net/wireless/reg.c
55168 --- linux-2.6.35.4/net/wireless/reg.c 2010-08-26 19:47:12.000000000 -0400
55169 +++ linux-2.6.35.4/net/wireless/reg.c 2010-09-17 20:12:09.000000000 -0400
55171 printk(KERN_DEBUG format , ## args); \
55174 -#define REG_DBG_PRINT(args...)
55175 +#define REG_DBG_PRINT(args...) do {} while (0)
55178 /* Receipt of information from last regulatory request */
55179 diff -urNp linux-2.6.35.4/net/wireless/wext-core.c linux-2.6.35.4/net/wireless/wext-core.c
55180 --- linux-2.6.35.4/net/wireless/wext-core.c 2010-08-26 19:47:12.000000000 -0400
55181 +++ linux-2.6.35.4/net/wireless/wext-core.c 2010-09-17 20:12:09.000000000 -0400
55182 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
55185 /* Support for very large requests */
55186 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
55187 - (user_length > descr->max_tokens)) {
55188 + if (user_length > descr->max_tokens) {
55189 /* Allow userspace to GET more than max so
55190 * we can support any size GET requests.
55191 * There is still a limit : -ENOMEM.
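Review bot: With the `IW_DESCR_FLAG_NOMAX` test removed, every descriptor whose `user_length` exceeds `descr->max_tokens` now takes the "very large requests" branch, but the comment kept below still reads as a special case for unbounded GET requests. The branch body is outside the hunk; if it sizes the kernel buffer from `user_length`, that size is now caller-chosen for all such ioctls and the only ceiling is the allocation failing. I would extend the comment with a line such as `/* applies to every descriptor, not only IW_DESCR_FLAG_NOMAX ones */` and confirm that handlers which relied on `max_tokens` as a hard cap on the buffer they fill still behave correctly.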
55192 diff -urNp linux-2.6.35.4/net/xfrm/xfrm_policy.c linux-2.6.35.4/net/xfrm/xfrm_policy.c
55193 --- linux-2.6.35.4/net/xfrm/xfrm_policy.c 2010-08-26 19:47:12.000000000 -0400
55194 +++ linux-2.6.35.4/net/xfrm/xfrm_policy.c 2010-09-17 20:12:09.000000000 -0400
55195 @@ -1502,7 +1502,7 @@ free_dst:
55201 xfrm_dst_alloc_copy(void **target, void *src, int size)
55204 @@ -1514,7 +1514,7 @@ xfrm_dst_alloc_copy(void **target, void
55210 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
55212 #ifdef CONFIG_XFRM_SUB_POLICY
55213 @@ -1526,7 +1526,7 @@ xfrm_dst_update_parent(struct dst_entry
55219 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
55221 #ifdef CONFIG_XFRM_SUB_POLICY
55222 diff -urNp linux-2.6.35.4/scripts/basic/fixdep.c linux-2.6.35.4/scripts/basic/fixdep.c
55223 --- linux-2.6.35.4/scripts/basic/fixdep.c 2010-08-26 19:47:12.000000000 -0400
55224 +++ linux-2.6.35.4/scripts/basic/fixdep.c 2010-09-17 20:12:09.000000000 -0400
55225 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
55227 static void parse_config_file(char *map, size_t len)
55229 - int *end = (int *) (map + len);
55230 + unsigned int *end = (unsigned int *) (map + len);
55231 /* start at +1, so that p can never be < map */
55232 - int *m = (int *) map + 1;
55233 + unsigned int *m = (unsigned int *) map + 1;
55236 for (; m < end; m++) {
55237 @@ -371,7 +371,7 @@ static void print_deps(void)
55238 static void traps(void)
55240 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
55241 - int *p = (int *)test;
55242 + unsigned int *p = (unsigned int *)test;
55244 if (*p != INT_CONF) {
55245 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
55246 diff -urNp linux-2.6.35.4/scripts/kallsyms.c linux-2.6.35.4/scripts/kallsyms.c
55247 --- linux-2.6.35.4/scripts/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
55248 +++ linux-2.6.35.4/scripts/kallsyms.c 2010-09-17 20:12:09.000000000 -0400
55249 @@ -43,10 +43,10 @@ struct text_range {
55251 static unsigned long long _text;
55252 static struct text_range text_ranges[] = {
55253 - { "_stext", "_etext" },
55254 - { "_sinittext", "_einittext" },
55255 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
55256 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
55257 + { "_stext", "_etext", 0, 0 },
55258 + { "_sinittext", "_einittext", 0, 0 },
55259 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
55260 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
55262 #define text_range_text (&text_ranges[0])
55263 #define text_range_inittext (&text_ranges[1])
55264 diff -urNp linux-2.6.35.4/scripts/mod/file2alias.c linux-2.6.35.4/scripts/mod/file2alias.c
55265 --- linux-2.6.35.4/scripts/mod/file2alias.c 2010-08-26 19:47:12.000000000 -0400
55266 +++ linux-2.6.35.4/scripts/mod/file2alias.c 2010-09-17 20:12:09.000000000 -0400
55267 @@ -72,7 +72,7 @@ static void device_id_check(const char *
55268 unsigned long size, unsigned long id_size,
55274 if (size % id_size || size < id_size) {
55275 if (cross_build != 0)
55276 @@ -102,7 +102,7 @@ static void device_id_check(const char *
55277 /* USB is special because the bcdDevice can be matched against a numeric range */
55278 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
55279 static void do_usb_entry(struct usb_device_id *id,
55280 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
55281 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
55282 unsigned char range_lo, unsigned char range_hi,
55283 unsigned char max, struct module *mod)
55285 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
55286 for (i = 0; i < count; i++) {
55287 const char *id = (char *)devs[i].id;
55288 char acpi_id[sizeof(devs[0].id)];
55292 buf_printf(&mod->dev_table_buf,
55293 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55294 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
55296 for (j = 0; j < PNP_MAX_DEVICES; j++) {
55297 const char *id = (char *)card->devs[j].id;
55299 + unsigned int i2, j2;
55303 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
55304 /* add an individual alias for every device entry */
55306 char acpi_id[sizeof(card->devs[0].id)];
55310 buf_printf(&mod->dev_table_buf,
55311 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55312 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
55313 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
55317 + unsigned int i, j;
55319 sprintf(alias, "dmi*");
55321 diff -urNp linux-2.6.35.4/scripts/mod/modpost.c linux-2.6.35.4/scripts/mod/modpost.c
55322 --- linux-2.6.35.4/scripts/mod/modpost.c 2010-08-26 19:47:12.000000000 -0400
55323 +++ linux-2.6.35.4/scripts/mod/modpost.c 2010-09-17 20:12:09.000000000 -0400
55324 @@ -846,6 +846,7 @@ enum mismatch {
55325 ANY_INIT_TO_ANY_EXIT,
55326 ANY_EXIT_TO_ANY_INIT,
55327 EXPORT_TO_INIT_EXIT,
55331 struct sectioncheck {
55332 @@ -954,6 +955,12 @@ const struct sectioncheck sectioncheck[]
55333 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
55334 .mismatch = EXPORT_TO_INIT_EXIT,
55335 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
55337 +/* Do not reference code from writable data */
55339 + .fromsec = { DATA_SECTIONS, NULL },
55340 + .tosec = { TEXT_SECTIONS, NULL },
55341 + .mismatch = DATA_TO_TEXT
55345 @@ -1060,10 +1067,10 @@ static Elf_Sym *find_elf_symbol(struct e
55347 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
55349 - if (sym->st_value == addr)
55351 /* Find a symbol nearby - addr are maybe negative */
55352 d = sym->st_value - addr;
55356 d = addr - sym->st_value;
55357 if (d < distance) {
55358 @@ -1306,6 +1313,14 @@ static void report_sec_mismatch(const ch
55359 "or drop the export.\n",
55360 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
55362 + case DATA_TO_TEXT:
55365 + "The variable %s references\n"
55366 + "the %s %s%s%s\n",
55367 + fromsym, to, sec2annotation(tosec), tosym, to_p);
55371 fprintf(stderr, "\n");
55373 @@ -1629,7 +1644,7 @@ void __attribute__((format(printf, 2, 3)
55377 -void buf_write(struct buffer *buf, const char *s, int len)
55378 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
55380 if (buf->size - buf->pos < len) {
55381 buf->size += len + SZ;
55382 @@ -1841,7 +1856,7 @@ static void write_if_changed(struct buff
55383 if (fstat(fileno(file), &st) < 0)
55386 - if (st.st_size != b->pos)
55387 + if (st.st_size != (off_t)b->pos)
55390 tmp = NOFAIL(malloc(b->pos));
55391 diff -urNp linux-2.6.35.4/scripts/mod/modpost.h linux-2.6.35.4/scripts/mod/modpost.h
55392 --- linux-2.6.35.4/scripts/mod/modpost.h 2010-08-26 19:47:12.000000000 -0400
55393 +++ linux-2.6.35.4/scripts/mod/modpost.h 2010-09-17 20:12:09.000000000 -0400
55394 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
55400 + unsigned int pos;
55401 + unsigned int size;
55404 void __attribute__((format(printf, 2, 3)))
55405 buf_printf(struct buffer *buf, const char *fmt, ...);
55408 -buf_write(struct buffer *buf, const char *s, int len);
55409 +buf_write(struct buffer *buf, const char *s, unsigned int len);
55412 struct module *next;
55413 diff -urNp linux-2.6.35.4/scripts/mod/sumversion.c linux-2.6.35.4/scripts/mod/sumversion.c
55414 --- linux-2.6.35.4/scripts/mod/sumversion.c 2010-08-26 19:47:12.000000000 -0400
55415 +++ linux-2.6.35.4/scripts/mod/sumversion.c 2010-09-17 20:12:09.000000000 -0400
55416 @@ -455,7 +455,7 @@ static void write_version(const char *fi
55420 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
55421 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
55422 warn("writing sum in %s failed: %s\n",
55423 filename, strerror(errno));
55425 diff -urNp linux-2.6.35.4/scripts/pnmtologo.c linux-2.6.35.4/scripts/pnmtologo.c
55426 --- linux-2.6.35.4/scripts/pnmtologo.c 2010-08-26 19:47:12.000000000 -0400
55427 +++ linux-2.6.35.4/scripts/pnmtologo.c 2010-09-17 20:12:09.000000000 -0400
55428 @@ -237,14 +237,14 @@ static void write_header(void)
55429 fprintf(out, " * Linux logo %s\n", logoname);
55430 fputs(" */\n\n", out);
55431 fputs("#include <linux/linux_logo.h>\n\n", out);
55432 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
55433 + fprintf(out, "static unsigned char %s_data[] = {\n",
55437 static void write_footer(void)
55439 fputs("\n};\n\n", out);
55440 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
55441 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
55442 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
55443 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
55444 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
55445 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
55446 fputs("\n};\n\n", out);
55448 /* write logo clut */
55449 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
55450 + fprintf(out, "static unsigned char %s_clut[] = {\n",
55453 for (i = 0; i < logo_clutsize; i++) {
55454 diff -urNp linux-2.6.35.4/security/commoncap.c linux-2.6.35.4/security/commoncap.c
55455 --- linux-2.6.35.4/security/commoncap.c 2010-08-26 19:47:12.000000000 -0400
55456 +++ linux-2.6.35.4/security/commoncap.c 2010-09-17 20:12:37.000000000 -0400
55458 #include <linux/securebits.h>
55459 #include <linux/syslog.h>
55460 #include <linux/vs_context.h>
55461 +#include <net/sock.h>
55464 * If a non-root user executes a setuid-root binary in
55465 @@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
55469 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
55471 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
55473 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
55474 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
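Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared inside security/commoncap.c instead of a shared header, so the compiler never checks this prototype against the definition. If the definition's signature changes, this call site keeps compiling against the stale one. Because the function now decides which capability set is stamped into `NETLINK_CB(skb).eff_cap` in place of `current_cap()`, I would move the prototype to a header included by both files. A comment at the call should state what set it returns relative to the caller's effective capabilities.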
55478 diff -urNp linux-2.6.35.4/security/integrity/ima/ima_api.c linux-2.6.35.4/security/integrity/ima/ima_api.c
55479 --- linux-2.6.35.4/security/integrity/ima/ima_api.c 2010-08-26 19:47:12.000000000 -0400
55480 +++ linux-2.6.35.4/security/integrity/ima/ima_api.c 2010-09-17 20:12:09.000000000 -0400
55481 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
55484 /* can overflow, only indicator */
55485 - atomic_long_inc(&ima_htable.violations);
55486 + atomic_long_inc_unchecked(&ima_htable.violations);
55488 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
55490 diff -urNp linux-2.6.35.4/security/integrity/ima/ima_fs.c linux-2.6.35.4/security/integrity/ima/ima_fs.c
55491 --- linux-2.6.35.4/security/integrity/ima/ima_fs.c 2010-08-26 19:47:12.000000000 -0400
55492 +++ linux-2.6.35.4/security/integrity/ima/ima_fs.c 2010-09-17 20:12:09.000000000 -0400
55493 @@ -28,12 +28,12 @@
55494 static int valid_policy = 1;
55495 #define TMPBUFLEN 12
55496 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
55497 - loff_t *ppos, atomic_long_t *val)
55498 + loff_t *ppos, atomic_long_unchecked_t *val)
55500 char tmpbuf[TMPBUFLEN];
55503 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
55504 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
55505 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
55508 diff -urNp linux-2.6.35.4/security/integrity/ima/ima.h linux-2.6.35.4/security/integrity/ima/ima.h
55509 --- linux-2.6.35.4/security/integrity/ima/ima.h 2010-08-26 19:47:12.000000000 -0400
55510 +++ linux-2.6.35.4/security/integrity/ima/ima.h 2010-09-17 20:12:09.000000000 -0400
55511 @@ -83,8 +83,8 @@ void ima_add_violation(struct inode *ino
55512 extern spinlock_t ima_queue_lock;
55514 struct ima_h_table {
55515 - atomic_long_t len; /* number of stored measurements in the list */
55516 - atomic_long_t violations;
55517 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
55518 + atomic_long_unchecked_t violations;
55519 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
55521 extern struct ima_h_table ima_htable;
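Review bot: `len` is switched to `atomic_long_unchecked_t` while its comment still describes it as the number of stored measurements, and nothing records why wrap-around is acceptable for it. `violations` at least has the `/* can overflow, only indicator */` remark at its increment in ima_api.c; `len` has no equivalent. A short comment on each field, for example `/* statistic only, not a reference count; wrap is harmless */`, would document why they are exempt from overflow checking. Before adding it, confirm that no code uses `len` for sizing or indexing.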
55522 diff -urNp linux-2.6.35.4/security/integrity/ima/ima_queue.c linux-2.6.35.4/security/integrity/ima/ima_queue.c
55523 --- linux-2.6.35.4/security/integrity/ima/ima_queue.c 2010-08-26 19:47:12.000000000 -0400
55524 +++ linux-2.6.35.4/security/integrity/ima/ima_queue.c 2010-09-17 20:12:09.000000000 -0400
55525 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
55526 INIT_LIST_HEAD(&qe->later);
55527 list_add_tail_rcu(&qe->later, &ima_measurements);
55529 - atomic_long_inc(&ima_htable.len);
55530 + atomic_long_inc_unchecked(&ima_htable.len);
55531 key = ima_hash_key(entry->digest);
55532 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
55534 diff -urNp linux-2.6.35.4/security/Kconfig linux-2.6.35.4/security/Kconfig
55535 --- linux-2.6.35.4/security/Kconfig 2010-08-26 19:47:12.000000000 -0400
55536 +++ linux-2.6.35.4/security/Kconfig 2010-09-17 20:12:37.000000000 -0400
55539 menu "Security options"
55541 +source grsecurity/Kconfig
55545 + config PAX_PER_CPU_PGD
55548 + config TASK_SIZE_MAX_SHIFT
55550 + depends on X86_64
55551 + default 47 if !PAX_PER_CPU_PGD
55552 + default 42 if PAX_PER_CPU_PGD
55554 + config PAX_ENABLE_PAE
55556 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
55559 + bool "Enable various PaX features"
55560 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
55562 + This allows you to enable various PaX features. PaX adds
55563 + intrusion prevention mechanisms to the kernel that reduce
55564 + the risks posed by exploitable memory corruption bugs.
55566 +menu "PaX Control"
55569 +config PAX_SOFTMODE
55570 + bool 'Support soft mode'
55571 + select PAX_PT_PAX_FLAGS
55573 + Enabling this option will allow you to run PaX in soft mode, that
55574 + is, PaX features will not be enforced by default, only on executables
55575 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
55576 + is the only way to mark executables for soft mode use.
55578 + Soft mode can be activated by using the "pax_softmode=1" kernel command
55579 + line option on boot. Furthermore you can control various PaX features
55580 + at runtime via the entries in /proc/sys/kernel/pax.
55583 + bool 'Use legacy ELF header marking'
55585 + Enabling this option will allow you to control PaX features on
55586 + a per executable basis via the 'chpax' utility available at
55587 + http://pax.grsecurity.net/. The control flags will be read from
55588 + an otherwise reserved part of the ELF header. This marking has
55589 + numerous drawbacks (no support for soft-mode, toolchain does not
55590 + know about the non-standard use of the ELF header) therefore it
55591 + has been deprecated in favour of PT_PAX_FLAGS support.
55593 + If you have applications not marked by the PT_PAX_FLAGS ELF
55594 + program header then you MUST enable this option otherwise they
55595 + will not get any protection.
55597 + Note that if you enable PT_PAX_FLAGS marking support as well,
55598 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
55600 +config PAX_PT_PAX_FLAGS
55601 + bool 'Use ELF program header marking'
55603 + Enabling this option will allow you to control PaX features on
55604 + a per executable basis via the 'paxctl' utility available at
55605 + http://pax.grsecurity.net/. The control flags will be read from
55606 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
55607 + has the benefits of supporting both soft mode and being fully
55608 + integrated into the toolchain (the binutils patch is available
55609 + from http://pax.grsecurity.net).
55611 + If you have applications not marked by the PT_PAX_FLAGS ELF
55612 + program header then you MUST enable the EI_PAX marking support
55613 + otherwise they will not get any protection.
55615 + Note that if you enable the legacy EI_PAX marking support as well,
55616 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
55619 + prompt 'MAC system integration'
55620 + default PAX_HAVE_ACL_FLAGS
55622 + Mandatory Access Control systems have the option of controlling
55623 + PaX flags on a per executable basis, choose the method supported
55624 + by your particular system.
55626 + - "none": if your MAC system does not interact with PaX,
55627 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
55628 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
55630 + NOTE: this option is for developers/integrators only.
55632 + config PAX_NO_ACL_FLAGS
55635 + config PAX_HAVE_ACL_FLAGS
55638 + config PAX_HOOK_ACL_FLAGS
55644 +menu "Non-executable pages"
55648 + bool "Enforce non-executable pages"
55649 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
55651 + By design some architectures do not allow for protecting memory
55652 + pages against execution or even if they do, Linux does not make
55653 + use of this feature. In practice this means that if a page is
55654 + readable (such as the stack or heap) it is also executable.
55656 + There is a well known exploit technique that makes use of this
55657 + fact and a common programming mistake where an attacker can
55658 + introduce code of his choice somewhere in the attacked program's
55659 + memory (typically the stack or the heap) and then execute it.
55661 + If the attacked program was running with different (typically
55662 + higher) privileges than that of the attacker, then he can elevate
55663 + his own privilege level (e.g. get a root shell, write to files for
55664 + which he does not have write access to, etc).
55666 + Enabling this option will let you choose from various features
55667 + that prevent the injection and execution of 'foreign' code in
55670 + This will also break programs that rely on the old behaviour and
55671 + expect that dynamically allocated memory via the malloc() family
55672 + of functions is executable (which it is not). Notable examples
55673 + are the XFree86 4.x server, the java runtime and wine.
55675 +config PAX_PAGEEXEC
55676 + bool "Paging based non-executable pages"
55677 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
55678 + select S390_SWITCH_AMODE if S390
55679 + select S390_EXEC_PROTECT if S390
55681 + This implementation is based on the paging feature of the CPU.
55682 + On i386 without hardware non-executable bit support there is a
55683 + variable but usually low performance impact, however on Intel's
55684 + P4 core based CPUs it is very high so you should not enable this
55685 + for kernels meant to be used on such CPUs.
55687 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
55688 + with hardware non-executable bit support there is no performance
55689 + impact, on ppc the impact is negligible.
55691 + Note that several architectures require various emulations due to
55692 + badly designed userland ABIs, this will cause a performance impact
55693 + but will disappear as soon as userland is fixed. For example, ppc
55694 + userland MUST have been built with secure-plt by a recent toolchain.
55696 +config PAX_SEGMEXEC
55697 + bool "Segmentation based non-executable pages"
55698 + depends on PAX_NOEXEC && X86_32
55700 + This implementation is based on the segmentation feature of the
55701 + CPU and has a very small performance impact, however applications
55702 + will be limited to a 1.5 GB address space instead of the normal
55705 +config PAX_EMUTRAMP
55706 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
55707 + default y if PARISC
55709 + There are some programs and libraries that for one reason or
55710 + another attempt to execute special small code snippets from
55711 + non-executable memory pages. Most notable examples are the
55712 + signal handler return code generated by the kernel itself and
55713 + the GCC trampolines.
55715 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
55716 + such programs will no longer work under your kernel.
55718 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
55719 + utilities to enable trampoline emulation for the affected programs
55720 + yet still have the protection provided by the non-executable pages.
55722 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
55723 + your system will not even boot.
55725 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
55726 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
55727 + for the affected files.
55729 + NOTE: enabling this feature *may* open up a loophole in the
55730 + protection provided by non-executable pages that an attacker
55731 + could abuse. Therefore the best solution is to not have any
55732 + files on your system that would require this option. This can
55733 + be achieved by not using libc5 (which relies on the kernel
55734 + signal handler return code) and not using or rewriting programs
55735 + that make use of the nested function implementation of GCC.
55736 + Skilled users can just fix GCC itself so that it implements
55737 + nested function calls in a way that does not interfere with PaX.
55739 +config PAX_EMUSIGRT
55740 + bool "Automatically emulate sigreturn trampolines"
55741 + depends on PAX_EMUTRAMP && PARISC
55744 + Enabling this option will have the kernel automatically detect
55745 + and emulate signal return trampolines executing on the stack
55746 + that would otherwise lead to task termination.
55748 + This solution is intended as a temporary one for users with
55749 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
55750 + Modula-3 runtime, etc) or executables linked to such, basically
55751 + everything that does not specify its own SA_RESTORER function in
55752 + normal executable memory like glibc 2.1+ does.
55754 + On parisc you MUST enable this option, otherwise your system will
55757 + NOTE: this feature cannot be disabled on a per executable basis
55758 + and since it *does* open up a loophole in the protection provided
55759 + by non-executable pages, the best solution is to not have any
55760 + files on your system that would require this option.
55762 +config PAX_MPROTECT
55763 + bool "Restrict mprotect()"
55764 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
55766 + Enabling this option will prevent programs from
55767 + - changing the executable status of memory pages that were
55768 + not originally created as executable,
55769 + - making read-only executable pages writable again,
55770 + - creating executable pages from anonymous memory,
55771 + - making read-only-after-relocations (RELRO) data pages writable again.
55773 + You should say Y here to complete the protection provided by
55774 + the enforcement of non-executable pages.
55776 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55777 + this feature on a per file basis.
55779 +config PAX_ELFRELOCS
55780 + bool "Allow ELF text relocations (read help)"
55781 + depends on PAX_MPROTECT
55784 + Non-executable pages and mprotect() restrictions are effective
55785 + in preventing the introduction of new executable code into an
55786 + attacked task's address space. There remain only two venues
55787 + for this kind of attack: if the attacker can execute already
55788 + existing code in the attacked task then he can either have it
55789 + create and mmap() a file containing his code or have it mmap()
55790 + an already existing ELF library that does not have position
55791 + independent code in it and use mprotect() on it to make it
55792 + writable and copy his code there. While protecting against
55793 + the former approach is beyond PaX, the latter can be prevented
55794 + by having only PIC ELF libraries on one's system (which do not
55795 + need to relocate their code). If you are sure this is your case,
55796 + as is the case with all modern Linux distributions, then leave
55797 + this option disabled. You should say 'n' here.
55799 +config PAX_ETEXECRELOCS
55800 + bool "Allow ELF ET_EXEC text relocations"
55801 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
55802 + select PAX_ELFRELOCS
55805 + On some architectures there are incorrectly created applications
55806 + that require text relocations and would not work without enabling
55807 + this option. If you are an alpha, ia64 or parisc user, you should
55808 + enable this option and disable it once you have made sure that
55809 + none of your applications need it.
55812 + bool "Automatically emulate ELF PLT"
55813 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
55816 + Enabling this option will have the kernel automatically detect
55817 + and emulate the Procedure Linkage Table entries in ELF files.
55818 + On some architectures such entries are in writable memory, and
55819 + become non-executable leading to task termination. Therefore
55820 + it is mandatory that you enable this option on alpha, parisc,
55821 + sparc and sparc64, otherwise your system would not even boot.
55823 + NOTE: this feature *does* open up a loophole in the protection
55824 + provided by the non-executable pages, therefore the proper
55825 + solution is to modify the toolchain to produce a PLT that does
55826 + not need to be writable.
55828 +config PAX_DLRESOLVE
55829 + bool 'Emulate old glibc resolver stub'
55830 + depends on PAX_EMUPLT && SPARC
55833 + This option is needed if userland has an old glibc (before 2.4)
55834 + that puts a 'save' instruction into the runtime generated resolver
55835 + stub that needs special emulation.
55837 +config PAX_KERNEXEC
55838 + bool "Enforce non-executable kernel pages"
55839 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
55840 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
55842 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
55843 + that is, enabling this option will make it harder to inject
55844 + and execute 'foreign' code in kernel memory itself.
55846 +config PAX_KERNEXEC_MODULE_TEXT
55847 + int "Minimum amount of memory reserved for module code"
55849 + depends on PAX_KERNEXEC && X86_32 && MODULES
55851 + Due to implementation details the kernel must reserve a fixed
55852 + amount of memory for module code at compile time that cannot be
55853 + changed at runtime. Here you can specify the minimum amount
55854 + in MB that will be reserved. Due to the same implementation
55855 + details this size will always be rounded up to the next 2/4 MB
55856 + boundary (depends on PAE) so the actually available memory for
55857 + module code will usually be more than this minimum.
55859 + The default 4 MB should be enough for most users but if you have
55860 + an excessive number of modules (e.g., most distribution configs
55861 + compile many drivers as modules) or use huge modules such as
55862 + nvidia's kernel driver, you will need to adjust this amount.
55863 + A good rule of thumb is to look at your currently loaded kernel
55864 + modules and add up their sizes.
55868 +menu "Address Space Layout Randomization"
55872 + bool "Address Space Layout Randomization"
55873 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
55875 + Many if not most exploit techniques rely on the knowledge of
55876 + certain addresses in the attacked program. The following options
55877 + will allow the kernel to apply a certain amount of randomization
55878 + to specific parts of the program thereby forcing an attacker to
55879 + guess them in most cases. Any failed guess will most likely crash
55880 + the attacked program which allows the kernel to detect such attempts
55881 + and react on them. PaX itself provides no reaction mechanisms,
55882 + instead it is strongly encouraged that you make use of Nergal's
55883 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
55884 + (http://www.grsecurity.net/) built-in crash detection features or
55885 + develop one yourself.
55887 + By saying Y here you can choose to randomize the following areas:
55888 + - top of the task's kernel stack
55889 + - top of the task's userland stack
55890 + - base address for mmap() requests that do not specify one
55891 + (this includes all libraries)
55892 + - base address of the main executable
55894 + It is strongly recommended to say Y here as address space layout
55895 + randomization has negligible impact on performance yet it provides
55896 + a very effective protection.
55898 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55899 + this feature on a per file basis.
55901 +config PAX_RANDKSTACK
55902 + bool "Randomize kernel stack base"
55903 + depends on PAX_ASLR && X86_TSC && X86_32
55905 + By saying Y here the kernel will randomize every task's kernel
55906 + stack on every system call. This will not only force an attacker
55907 + to guess it but also prevent him from making use of possible
55908 + leaked information about it.
55910 + Since the kernel stack is a rather scarce resource, randomization
55911 + may cause unexpected stack overflows, therefore you should very
55912 + carefully test your system. Note that once enabled in the kernel
55913 + configuration, this feature cannot be disabled on a per file basis.
55915 +config PAX_RANDUSTACK
55916 + bool "Randomize user stack base"
55917 + depends on PAX_ASLR
55919 + By saying Y here the kernel will randomize every task's userland
55920 + stack. The randomization is done in two steps where the second
55921 + one may apply a big amount of shift to the top of the stack and
55922 + cause problems for programs that want to use lots of memory (more
55923 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
55924 + For this reason the second step can be controlled by 'chpax' or
55925 + 'paxctl' on a per file basis.
55927 +config PAX_RANDMMAP
55928 + bool "Randomize mmap() base"
55929 + depends on PAX_ASLR
55931 + By saying Y here the kernel will use a randomized base address for
55932 + mmap() requests that do not specify one themselves. As a result
55933 + all dynamically loaded libraries will appear at random addresses
55934 + and therefore be harder to exploit by a technique where an attacker
55935 + attempts to execute library code for his purposes (e.g. spawn a
55936 + shell from an exploited program that is running at an elevated
55937 + privilege level).
55939 + Furthermore, if a program is relinked as a dynamic ELF file, its
55940 + base address will be randomized as well, completing the full
55941 + randomization of the address space layout. Attacking such programs
55942 + becomes a guess game. You can find an example of doing this at
55943 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
55944 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
55946 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
55947 + feature on a per file basis.
55951 +menu "Miscellaneous hardening features"
55953 +config PAX_MEMORY_SANITIZE
55954 + bool "Sanitize all freed memory"
55956 + By saying Y here the kernel will erase memory pages as soon as they
55957 + are freed. This in turn reduces the lifetime of data stored in the
55958 + pages, making it less likely that sensitive information such as
55959 + passwords, cryptographic secrets, etc stay in memory for too long.
55961 + This is especially useful for programs whose runtime is short, long
55962 + lived processes and the kernel itself benefit from this as long as
55963 + they operate on whole memory pages and ensure timely freeing of pages
55964 + that may hold sensitive information.
55966 + The tradeoff is performance impact, on a single CPU system kernel
55967 + compilation sees a 3% slowdown, other systems and workloads may vary
55968 + and you are advised to test this feature on your expected workload
55969 + before deploying it.
55971 + Note that this feature does not protect data stored in live pages,
55972 + e.g., process memory swapped to disk may stay there for a long time.
55974 +config PAX_MEMORY_UDEREF
55975 + bool "Prevent invalid userland pointer dereference"
55976 + depends on X86 && !UML_X86 && !XEN
55977 + select PAX_PER_CPU_PGD if X86_64
55979 + By saying Y here the kernel will be prevented from dereferencing
55980 + userland pointers in contexts where the kernel expects only kernel
55981 + pointers. This is both a useful runtime debugging feature and a
55982 + security measure that prevents exploiting a class of kernel bugs.
55984 + The tradeoff is that some virtualization solutions may experience
55985 + a huge slowdown and therefore you should not enable this feature
55986 + for kernels meant to run in such environments. Whether a given VM
55987 + solution is affected or not is best determined by simply trying it
55988 + out, the performance impact will be obvious right on boot as this
55989 + mechanism engages from very early on. A good rule of thumb is that
55990 + VMs running on CPUs without hardware virtualization support (i.e.,
55991 + the majority of IA-32 CPUs) will likely experience the slowdown.
55993 +config PAX_REFCOUNT
55994 + bool "Prevent various kernel object reference counter overflows"
55995 + depends on GRKERNSEC && (X86 || SPARC64)
55997 + By saying Y here the kernel will detect and prevent overflowing
55998 + various (but not all) kinds of object reference counters. Such
55999 + overflows can normally occur due to bugs only and are often, if
56000 + not always, exploitable.
56002 + The tradeoff is that data structures protected by an overflowed
56003 + refcount will never be freed and therefore will leak memory. Note
56004 + that this leak also happens even without this protection but in
56005 + that case the overflow can eventually trigger the freeing of the
56006 + data structure while it is still being used elsewhere, resulting
56007 + in the exploitable situation that this feature prevents.
56009 + Since this has a negligible performance impact, you should enable
56012 +config PAX_USERCOPY
56013 + bool "Bounds check heap object copies between kernel and userland"
56014 + depends on X86 || PPC || SPARC
56015 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
56017 + By saying Y here the kernel will enforce the size of heap objects
56018 + when they are copied in either direction between the kernel and
56019 + userland, even if only a part of the heap object is copied.
56021 + Specifically, this checking prevents information leaking from the
56022 + kernel heap during kernel to userland copies (if the kernel heap
56023 + object is otherwise fully initialized) and prevents kernel heap
56024 + overflows during userland to kernel copies.
56026 + Note that the current implementation provides the strictest checks
56027 + for the SLUB allocator.
56029 + If frame pointers are enabled on x86, this option will also
56030 + restrict copies into and out of the kernel stack to local variables
56031 + within a single frame.
56033 + Since this has a negligible performance impact, you should enable
56041 bool "Enable access key retention support"
56043 @@ -124,7 +623,7 @@ config INTEL_TXT
56044 config LSM_MMAP_MIN_ADDR
56045 int "Low address space for LSM to protect from user allocation"
56046 depends on SECURITY && SECURITY_SELINUX
56050 This is the portion of low virtual memory which should be protected
56051 from userspace allocation. Keeping a user from writing to low pages
56052 diff -urNp linux-2.6.35.4/security/min_addr.c linux-2.6.35.4/security/min_addr.c
56053 --- linux-2.6.35.4/security/min_addr.c 2010-08-26 19:47:12.000000000 -0400
56054 +++ linux-2.6.35.4/security/min_addr.c 2010-09-17 20:12:37.000000000 -0400
56055 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
56057 static void update_mmap_min_addr(void)
56060 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
56061 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
56062 mmap_min_addr = dac_mmap_min_addr;
56063 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
56065 mmap_min_addr = dac_mmap_min_addr;
56071 diff -urNp linux-2.6.35.4/security/security.c linux-2.6.35.4/security/security.c
56072 --- linux-2.6.35.4/security/security.c 2010-08-26 19:47:12.000000000 -0400
56073 +++ linux-2.6.35.4/security/security.c 2010-09-17 20:12:37.000000000 -0400
56074 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
56075 /* things that live in capability.c */
56076 extern void __init security_fixup_ops(struct security_operations *ops);
56078 -static struct security_operations *security_ops;
56079 -static struct security_operations default_security_ops = {
56080 +static struct security_operations *security_ops __read_only;
56081 +static struct security_operations default_security_ops __read_only = {
56085 @@ -67,7 +67,9 @@ int __init security_init(void)
56087 void reset_security_ops(void)
56089 + pax_open_kernel();
56090 security_ops = &default_security_ops;
56091 + pax_close_kernel();
56094 /* Save user chosen LSM */
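Review bot: The store to `security_ops` in `reset_security_ops()` is now wrapped in `pax_open_kernel()`/`pax_close_kernel()` with no comment saying why, and the reason sits in a different hunk (the `__read_only` annotation added at `@@ -25,8 +25,8 @@`). I would add `/* security_ops is __read_only: open the write window for this single store only */` above `pax_open_kernel();` so that nobody later widens the bracket or adds calls inside it. Any other runtime assignment to `security_ops` would need the same bracket; none is visible in these hunks, so that is worth checking against the full file. The function's braces fall outside the visible hunk lines.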
56095 diff -urNp linux-2.6.35.4/security/selinux/hooks.c linux-2.6.35.4/security/selinux/hooks.c
56096 --- linux-2.6.35.4/security/selinux/hooks.c 2010-08-26 19:47:12.000000000 -0400
56097 +++ linux-2.6.35.4/security/selinux/hooks.c 2010-09-17 20:12:37.000000000 -0400
56099 #define NUM_SEL_MNT_OPTS 5
56101 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
56102 -extern struct security_operations *security_ops;
56104 /* SECMARK reference count */
56105 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
56106 @@ -5428,7 +5427,7 @@ static int selinux_key_getsecurity(struc
56110 -static struct security_operations selinux_ops = {
56111 +static struct security_operations selinux_ops __read_only = {
56114 .ptrace_access_check = selinux_ptrace_access_check,
56115 diff -urNp linux-2.6.35.4/security/smack/smack_lsm.c linux-2.6.35.4/security/smack/smack_lsm.c
56116 --- linux-2.6.35.4/security/smack/smack_lsm.c 2010-08-26 19:47:12.000000000 -0400
56117 +++ linux-2.6.35.4/security/smack/smack_lsm.c 2010-09-17 20:12:09.000000000 -0400
56118 @@ -3064,7 +3064,7 @@ static int smack_inode_getsecctx(struct
56122 -struct security_operations smack_ops = {
56123 +struct security_operations smack_ops __read_only = {
56126 .ptrace_access_check = smack_ptrace_access_check,
56127 diff -urNp linux-2.6.35.4/security/tomoyo/tomoyo.c linux-2.6.35.4/security/tomoyo/tomoyo.c
56128 --- linux-2.6.35.4/security/tomoyo/tomoyo.c 2010-08-26 19:47:12.000000000 -0400
56129 +++ linux-2.6.35.4/security/tomoyo/tomoyo.c 2010-09-17 20:12:09.000000000 -0400
56130 @@ -235,7 +235,7 @@ static int tomoyo_sb_pivotroot(struct pa
56131 * tomoyo_security_ops is a "struct security_operations" which is used for
56132 * registering TOMOYO.
56134 -static struct security_operations tomoyo_security_ops = {
56135 +static struct security_operations tomoyo_security_ops __read_only = {
56137 .cred_alloc_blank = tomoyo_cred_alloc_blank,
56138 .cred_prepare = tomoyo_cred_prepare,
56139 diff -urNp linux-2.6.35.4/sound/aoa/codecs/onyx.c linux-2.6.35.4/sound/aoa/codecs/onyx.c
56140 --- linux-2.6.35.4/sound/aoa/codecs/onyx.c 2010-08-26 19:47:12.000000000 -0400
56141 +++ linux-2.6.35.4/sound/aoa/codecs/onyx.c 2010-09-17 20:12:09.000000000 -0400
56142 @@ -54,7 +54,7 @@ struct onyx {
56147 + atomic_t open_count;
56148 struct codec_info *codec_info;
56150 /* mutex serializes concurrent access to the device
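Review bot: The new `atomic_t open_count` field has no comment explaining why it is atomic, and in the two later hunks of this file (`onyx_open`, `onyx_close`) it is only modified while `onyx->mutex` is held, so the atomic type adds nothing for mutual exclusion there. If the intent is an overflow-checked counter, presumably tied to the reference-counter hardening described in this patch's Kconfig help, say so on the field, e.g. `atomic_t open_count; /* atomic_t for counter hardening; updates still happen under mutex */`. The struct definition starts and ends outside this hunk.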
56151 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
56152 struct onyx *onyx = cii->codec_data;
56154 mutex_lock(&onyx->mutex);
56155 - onyx->open_count++;
56156 + atomic_inc(&onyx->open_count);
56157 mutex_unlock(&onyx->mutex);
56160 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
56161 struct onyx *onyx = cii->codec_data;
56163 mutex_lock(&onyx->mutex);
56164 - onyx->open_count--;
56165 - if (!onyx->open_count)
56166 + if (atomic_dec_and_test(&onyx->open_count))
56167 onyx->spdif_locked = onyx->analog_locked = 0;
56168 mutex_unlock(&onyx->mutex);
56170 diff -urNp linux-2.6.35.4/sound/core/oss/pcm_oss.c linux-2.6.35.4/sound/core/oss/pcm_oss.c
56171 --- linux-2.6.35.4/sound/core/oss/pcm_oss.c 2010-08-26 19:47:12.000000000 -0400
56172 +++ linux-2.6.35.4/sound/core/oss/pcm_oss.c 2010-09-17 20:12:09.000000000 -0400
56173 @@ -2966,8 +2966,8 @@ static void snd_pcm_oss_proc_done(struct
56176 #else /* !CONFIG_SND_VERBOSE_PROCFS */
56177 -#define snd_pcm_oss_proc_init(pcm)
56178 -#define snd_pcm_oss_proc_done(pcm)
56179 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
56180 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
56181 #endif /* CONFIG_SND_VERBOSE_PROCFS */
56184 diff -urNp linux-2.6.35.4/sound/core/seq/seq_lock.h linux-2.6.35.4/sound/core/seq/seq_lock.h
56185 --- linux-2.6.35.4/sound/core/seq/seq_lock.h 2010-08-26 19:47:12.000000000 -0400
56186 +++ linux-2.6.35.4/sound/core/seq/seq_lock.h 2010-09-17 20:12:09.000000000 -0400
56187 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
56188 #else /* SMP || CONFIG_SND_DEBUG */
56190 typedef spinlock_t snd_use_lock_t; /* dummy */
56191 -#define snd_use_lock_init(lockp) /**/
56192 -#define snd_use_lock_use(lockp) /**/
56193 -#define snd_use_lock_free(lockp) /**/
56194 -#define snd_use_lock_sync(lockp) /**/
56195 +#define snd_use_lock_init(lockp) do {} while (0)
56196 +#define snd_use_lock_use(lockp) do {} while (0)
56197 +#define snd_use_lock_free(lockp) do {} while (0)
56198 +#define snd_use_lock_sync(lockp) do {} while (0)
56200 #endif /* SMP || CONFIG_SND_DEBUG */
56202 diff -urNp linux-2.6.35.4/sound/drivers/mts64.c linux-2.6.35.4/sound/drivers/mts64.c
56203 --- linux-2.6.35.4/sound/drivers/mts64.c 2010-08-26 19:47:12.000000000 -0400
56204 +++ linux-2.6.35.4/sound/drivers/mts64.c 2010-09-17 20:12:09.000000000 -0400
56205 @@ -66,7 +66,7 @@ struct mts64 {
56206 struct pardevice *pardev;
56207 int pardev_claimed;
56210 + atomic_t open_count;
56211 int current_midi_output_port;
56212 int current_midi_input_port;
56213 u8 mode[MTS64_NUM_INPUT_PORTS];
56214 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
56216 struct mts64 *mts = substream->rmidi->private_data;
56218 - if (mts->open_count == 0) {
56219 + if (atomic_read(&mts->open_count) == 0) {
56220 /* We don't need a spinlock here, because this is just called
56221 if the device has not been opened before.
56222 So there aren't any IRQs from the device */
56223 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
56227 - ++(mts->open_count);
56228 + atomic_inc(&mts->open_count);
56232 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
56233 struct mts64 *mts = substream->rmidi->private_data;
56234 unsigned long flags;
56236 - --(mts->open_count);
56237 - if (mts->open_count == 0) {
56238 + if (atomic_dec_return(&mts->open_count) == 0) {
56239 /* We need the spinlock_irqsave here because we can still
56240 have IRQs at this point */
56241 spin_lock_irqsave(&mts->lock, flags);
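Review bot: In `snd_mts64_rawmidi_close` the decrement and the negative-value clamp are now separate atomic operations: `atomic_dec_return()` decides the zero case here, and the `@@ -724,8 +723,8 @@` hunk then re-reads the counter with `atomic_read()` before calling `atomic_set(..., 0)`. If another open or close can run between those calls, the clamp acts on a value this caller did not produce; whether the callers are serialized is not visible in these hunks. Keeping the result once removes the question: `int count = atomic_dec_return(&mts->open_count);`, then `if (count == 0) {` and `} else if (count < 0)`. The function body continues outside both hunks.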
56242 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
56246 - } else if (mts->open_count < 0)
56247 - mts->open_count = 0;
56248 + } else if (atomic_read(&mts->open_count) < 0)
56249 + atomic_set(&mts->open_count, 0);
56253 diff -urNp linux-2.6.35.4/sound/drivers/portman2x4.c linux-2.6.35.4/sound/drivers/portman2x4.c
56254 --- linux-2.6.35.4/sound/drivers/portman2x4.c 2010-08-26 19:47:12.000000000 -0400
56255 +++ linux-2.6.35.4/sound/drivers/portman2x4.c 2010-09-17 20:12:09.000000000 -0400
56256 @@ -84,7 +84,7 @@ struct portman {
56257 struct pardevice *pardev;
56258 int pardev_claimed;
56261 + atomic_t open_count;
56262 int mode[PORTMAN_NUM_INPUT_PORTS];
56263 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
56265 diff -urNp linux-2.6.35.4/sound/oss/sb_audio.c linux-2.6.35.4/sound/oss/sb_audio.c
56266 --- linux-2.6.35.4/sound/oss/sb_audio.c 2010-08-26 19:47:12.000000000 -0400
56267 +++ linux-2.6.35.4/sound/oss/sb_audio.c 2010-09-17 20:12:09.000000000 -0400
56268 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
56269 buf16 = (signed short *)(localbuf + localoffs);
56272 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56273 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56274 if (copy_from_user(lbuf8,
56275 userbuf+useroffs + p,
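Review bot: The `(unsigned)c` cast stops a negative `c` from being selected as `locallen`, but it does so by clamping to `LBUFCOPYSIZE`, so a negative count still leads to a full-buffer `copy_from_user()` instead of an error. What the rest of the loop does with a still-negative `c` is not visible here, since the declaration of `c` and the loop around this statement are outside the hunk. I would reject the value before the copy, e.g. `if (c < 0) return;` (assuming the function returns void; confirm against the full file), or make the counter unsigned at its declaration. At minimum, add a comment on the changed line: `/* unsigned compare: a negative c must never become the copy length */`.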
56277 diff -urNp linux-2.6.35.4/sound/pci/ac97/ac97_codec.c linux-2.6.35.4/sound/pci/ac97/ac97_codec.c
56278 --- linux-2.6.35.4/sound/pci/ac97/ac97_codec.c 2010-08-26 19:47:12.000000000 -0400
56279 +++ linux-2.6.35.4/sound/pci/ac97/ac97_codec.c 2010-09-17 20:12:09.000000000 -0400
56280 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
56283 /* build_ops to do nothing */
56284 -static struct snd_ac97_build_ops null_build_ops;
56285 +static const struct snd_ac97_build_ops null_build_ops;
56287 #ifdef CONFIG_SND_AC97_POWER_SAVE
56288 static void do_update_power(struct work_struct *work)
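Review bot: `static const struct snd_ac97_build_ops null_build_ops;` is now a const object with no initializer, so it relies on implicit zero-initialisation. Elsewhere this patch prefers explicit initializers (the `{ 0, 0 } /* terminator */` change in ac97_patch.c), so a short comment such as `/* all hooks NULL on purpose */` would keep the intent clear. The const qualification here and on the ac97_patch.c tables only holds if the pointer that refers to them (the codec's `build_ops` member, whose declaration is not in this chunk) is also `const struct snd_ac97_build_ops *`. Otherwise the assignments discard the qualifier, so check that the header change is part of the series.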
56289 diff -urNp linux-2.6.35.4/sound/pci/ac97/ac97_patch.c linux-2.6.35.4/sound/pci/ac97/ac97_patch.c
56290 --- linux-2.6.35.4/sound/pci/ac97/ac97_patch.c 2010-08-26 19:47:12.000000000 -0400
56291 +++ linux-2.6.35.4/sound/pci/ac97/ac97_patch.c 2010-09-17 20:12:09.000000000 -0400
56292 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
56296 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56297 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56298 .build_spdif = patch_yamaha_ymf743_build_spdif,
56299 .build_3d = patch_yamaha_ymf7x3_3d,
56301 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
56305 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56306 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56307 .build_3d = patch_yamaha_ymf7x3_3d,
56308 .build_post_spdif = patch_yamaha_ymf753_post_spdif
56310 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
56314 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56315 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56316 .build_specific = patch_wolfson_wm9703_specific,
56319 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
56323 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56324 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56325 .build_specific = patch_wolfson_wm9704_specific,
56328 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
56332 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56333 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56334 .build_specific = patch_wolfson_wm9711_specific,
56337 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
56341 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56342 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56343 .build_specific = patch_wolfson_wm9713_specific,
56344 .build_3d = patch_wolfson_wm9713_3d,
56346 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
56350 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56351 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56352 .build_3d = patch_sigmatel_stac9700_3d,
56353 .build_specific = patch_sigmatel_stac97xx_specific
56355 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
56356 return patch_sigmatel_stac97xx_specific(ac97);
56359 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56360 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56361 .build_3d = patch_sigmatel_stac9708_3d,
56362 .build_specific = patch_sigmatel_stac9708_specific
56364 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
56368 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56369 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56370 .build_3d = patch_sigmatel_stac9700_3d,
56371 .build_specific = patch_sigmatel_stac9758_specific
56373 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
56377 -static struct snd_ac97_build_ops patch_cirrus_ops = {
56378 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
56379 .build_spdif = patch_cirrus_build_spdif
56382 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
56386 -static struct snd_ac97_build_ops patch_conexant_ops = {
56387 +static const struct snd_ac97_build_ops patch_conexant_ops = {
56388 .build_spdif = patch_conexant_build_spdif
56391 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
56392 { AC97_VIDEO, 0x9f1f },
56393 { AC97_AUX, 0x9f1f },
56394 { AC97_PCM, 0x9f1f },
56395 - { } /* terminator */
56396 + { 0, 0 } /* terminator */
56399 static int patch_ad1819(struct snd_ac97 * ac97)
56400 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
56404 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
56405 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
56407 .resume = ad18xx_resume
56409 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
56413 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
56414 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
56415 .build_specific = &patch_ad1885_specific,
56417 .resume = ad18xx_resume
56418 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
56422 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
56423 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
56424 .build_specific = &patch_ad1886_specific,
56426 .resume = ad18xx_resume
56427 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
56428 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56431 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56432 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56433 .build_post_spdif = patch_ad198x_post_spdif,
56434 .build_specific = patch_ad1981a_specific,
56436 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
56437 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56440 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56441 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56442 .build_post_spdif = patch_ad198x_post_spdif,
56443 .build_specific = patch_ad1981b_specific,
56445 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
56446 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
56449 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
56450 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
56451 .build_post_spdif = patch_ad198x_post_spdif,
56452 .build_specific = patch_ad1888_specific,
56454 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
56455 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
56458 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
56459 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
56460 .build_post_spdif = patch_ad198x_post_spdif,
56461 .build_specific = patch_ad1980_specific,
56463 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
56464 ARRAY_SIZE(snd_ac97_ad1985_controls));
56467 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
56468 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
56469 .build_post_spdif = patch_ad198x_post_spdif,
56470 .build_specific = patch_ad1985_specific,
56472 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
56473 ARRAY_SIZE(snd_ac97_ad1985_controls));
56476 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
56477 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
56478 .build_post_spdif = patch_ad198x_post_spdif,
56479 .build_specific = patch_ad1986_specific,
56481 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
56485 -static struct snd_ac97_build_ops patch_alc650_ops = {
56486 +static const struct snd_ac97_build_ops patch_alc650_ops = {
56487 .build_specific = patch_alc650_specific,
56488 .update_jacks = alc650_update_jacks
56490 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
56494 -static struct snd_ac97_build_ops patch_alc655_ops = {
56495 +static const struct snd_ac97_build_ops patch_alc655_ops = {
56496 .build_specific = patch_alc655_specific,
56497 .update_jacks = alc655_update_jacks
56499 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
56503 -static struct snd_ac97_build_ops patch_alc850_ops = {
56504 +static const struct snd_ac97_build_ops patch_alc850_ops = {
56505 .build_specific = patch_alc850_specific,
56506 .update_jacks = alc850_update_jacks
56508 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
56509 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
56512 -static struct snd_ac97_build_ops patch_cm9738_ops = {
56513 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
56514 .build_specific = patch_cm9738_specific,
56515 .update_jacks = cm9738_update_jacks
56517 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
56518 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
56521 -static struct snd_ac97_build_ops patch_cm9739_ops = {
56522 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
56523 .build_specific = patch_cm9739_specific,
56524 .build_post_spdif = patch_cm9739_post_spdif,
56525 .update_jacks = cm9739_update_jacks
56526 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
56527 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
56530 -static struct snd_ac97_build_ops patch_cm9761_ops = {
56531 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
56532 .build_specific = patch_cm9761_specific,
56533 .build_post_spdif = patch_cm9761_post_spdif,
56534 .update_jacks = cm9761_update_jacks
56535 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
56536 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
56539 -static struct snd_ac97_build_ops patch_cm9780_ops = {
56540 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
56541 .build_specific = patch_cm9780_specific,
56542 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
56544 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
56548 -static struct snd_ac97_build_ops patch_vt1616_ops = {
56549 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
56550 .build_specific = patch_vt1616_specific
56553 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
56557 -static struct snd_ac97_build_ops patch_it2646_ops = {
56558 +static const struct snd_ac97_build_ops patch_it2646_ops = {
56559 .build_specific = patch_it2646_specific,
56560 .update_jacks = it2646_update_jacks
56562 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
56566 -static struct snd_ac97_build_ops patch_si3036_ops = {
56567 +static const struct snd_ac97_build_ops patch_si3036_ops = {
56568 .build_specific = patch_si3036_specific,
56571 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
56572 { AC97_AUX, 0x1f1f },
56573 { AC97_PCM, 0x1f1f },
56574 { AC97_REC_GAIN, 0x0f0f },
56575 - { } /* terminator */
56576 + { 0, 0 } /* terminator */
56579 static int patch_lm4550(struct snd_ac97 *ac97)
56580 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
56584 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
56585 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
56586 .build_specific = patch_ucb1400_specific,
56589 diff -urNp linux-2.6.35.4/sound/pci/ens1370.c linux-2.6.35.4/sound/pci/ens1370.c
56590 --- linux-2.6.35.4/sound/pci/ens1370.c 2010-08-26 19:47:12.000000000 -0400
56591 +++ linux-2.6.35.4/sound/pci/ens1370.c 2010-09-17 20:12:09.000000000 -0400
56592 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
56593 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
56594 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
56597 + { 0, 0, 0, 0, 0, 0, 0 }
56600 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
56601 diff -urNp linux-2.6.35.4/sound/pci/hda/patch_hdmi.c linux-2.6.35.4/sound/pci/hda/patch_hdmi.c
56602 --- linux-2.6.35.4/sound/pci/hda/patch_hdmi.c 2010-08-26 19:47:12.000000000 -0400
56603 +++ linux-2.6.35.4/sound/pci/hda/patch_hdmi.c 2010-09-17 20:12:09.000000000 -0400
56604 @@ -670,10 +670,10 @@ static void hdmi_non_intrinsic_event(str
56619 diff -urNp linux-2.6.35.4/sound/pci/intel8x0.c linux-2.6.35.4/sound/pci/intel8x0.c
56620 --- linux-2.6.35.4/sound/pci/intel8x0.c 2010-08-26 19:47:12.000000000 -0400
56621 +++ linux-2.6.35.4/sound/pci/intel8x0.c 2010-09-17 20:12:09.000000000 -0400
56622 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56623 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56624 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
56625 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56627 + { 0, 0, 0, 0, 0, 0, 0 }
56630 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
56631 @@ -2135,7 +2135,7 @@ static struct ac97_quirk ac97_quirks[] _
56632 .type = AC97_TUNE_HP_ONLY
56635 - { } /* terminator */
56636 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
56639 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
56640 diff -urNp linux-2.6.35.4/sound/pci/intel8x0m.c linux-2.6.35.4/sound/pci/intel8x0m.c
56641 --- linux-2.6.35.4/sound/pci/intel8x0m.c 2010-08-26 19:47:12.000000000 -0400
56642 +++ linux-2.6.35.4/sound/pci/intel8x0m.c 2010-09-17 20:12:09.000000000 -0400
56643 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56644 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56645 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56648 + { 0, 0, 0, 0, 0, 0, 0 }
56651 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
56652 @@ -1264,7 +1264,7 @@ static struct shortname_table {
56653 { 0x5455, "ALi M5455" },
56654 { 0x746d, "AMD AMD8111" },
56660 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
56661 diff -urNp linux-2.6.35.4/usr/gen_init_cpio.c linux-2.6.35.4/usr/gen_init_cpio.c
56662 --- linux-2.6.35.4/usr/gen_init_cpio.c 2010-08-26 19:47:12.000000000 -0400
56663 +++ linux-2.6.35.4/usr/gen_init_cpio.c 2010-09-17 20:12:09.000000000 -0400
56664 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
56673 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
56674 *env_var = *expanded = '\0';
56675 strncat(env_var, start + 2, end - start - 2);
56676 strncat(expanded, new_location, start - new_location);
56677 - strncat(expanded, getenv(env_var), PATH_MAX);
56678 - strncat(expanded, end + 1, PATH_MAX);
56679 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
56680 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
56681 strncpy(new_location, expanded, PATH_MAX);
56682 + new_location[PATH_MAX] = 0;
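Review bot: `getenv(env_var)` is still passed straight to `strncat()` on the rewritten line, so a variable that is not set in the environment gives it a NULL source, which is undefined behaviour. The lookup should be checked first, e.g. `const char *val = getenv(env_var); if (!val) val = "";`, or the function should fail with an error naming the variable. The new bounds `PATH_MAX - strlen(expanded)` and the added write `new_location[PATH_MAX] = 0` are only safe if `expanded` and the caller's `new_location` buffer each hold at least PATH_MAX + 1 bytes; both declarations are outside this hunk and should be confirmed. The unchanged `strncat(env_var, start + 2, end - start - 2)` is bounded by the input's length rather than by the size of `env_var`, which looks like the same class of overflow left unaddressed. cpio_replace_env's body starts and ends outside the hunk.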
56686 diff -urNp linux-2.6.35.4/virt/kvm/kvm_main.c linux-2.6.35.4/virt/kvm/kvm_main.c
56687 --- linux-2.6.35.4/virt/kvm/kvm_main.c 2010-08-26 19:47:12.000000000 -0400
56688 +++ linux-2.6.35.4/virt/kvm/kvm_main.c 2010-09-17 20:12:09.000000000 -0400
56689 @@ -1284,6 +1284,7 @@ static int kvm_vcpu_release(struct inode
56693 +/* cannot be const */
56694 static struct file_operations kvm_vcpu_fops = {
56695 .release = kvm_vcpu_release,
56696 .unlocked_ioctl = kvm_vcpu_ioctl,
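Review bot: The added `/* cannot be const */` comment on `kvm_vcpu_fops` gives no reason, so a later const-ification pass has nothing to verify it against. The same bare comment is added to `kvm_vm_fops` and `kvm_chardev_ops` in the next two hunks. Presumably these tables are written at runtime (for example an `.owner` assignment during initialisation), but no such write is visible in these hunks, so confirm it and name it in the comment, e.g. `/* cannot be const: .owner is assigned in kvm_init() */`. These are the function-pointer tables this patch leaves writable while making others read-only, so recording the reason keeps the exception auditable. The initializer continues outside the hunk.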
56697 @@ -1738,6 +1739,7 @@ static int kvm_vm_mmap(struct file *file
56701 +/* cannot be const */
56702 static struct file_operations kvm_vm_fops = {
56703 .release = kvm_vm_release,
56704 .unlocked_ioctl = kvm_vm_ioctl,
56705 @@ -1835,6 +1837,7 @@ out:
56709 +/* cannot be const */
56710 static struct file_operations kvm_chardev_ops = {
56711 .unlocked_ioctl = kvm_dev_ioctl,
56712 .compat_ioctl = kvm_dev_ioctl,
56713 @@ -1844,6 +1847,9 @@ static struct miscdevice kvm_dev = {
56722 static void hardware_enable(void *junk)
56723 @@ -2178,7 +2184,7 @@ static void kvm_sched_out(struct preempt
56724 kvm_arch_vcpu_put(vcpu);
56727 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56728 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56729 struct module *module)