1 diff -urNp linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3 +++ linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.38.4/arch/alpha/include/asm/elf.h linux-2.6.38.4/arch/alpha/include/asm/elf.h
17 --- linux-2.6.38.4/arch/alpha/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
18 +++ linux-2.6.38.4/arch/alpha/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.38.4/arch/alpha/include/asm/pgtable.h linux-2.6.38.4/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.38.4/arch/alpha/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
35 +++ linux-2.6.38.4/arch/alpha/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
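Review bot: The `#else` fallbacks alias PAGE_SHARED_NOEXEC, PAGE_COPY_NOEXEC and PAGE_READONLY_NOEXEC to the plain executable protections, so whenever CONFIG_PAX_PAGEEXEC is off a caller that asks for a `_NOEXEC` protection silently gets execute permission, which the name does not suggest. A one-line comment on that branch would stop a later reader from relying on the name for NX, e.g. `/* !PAGEEXEC: the _NOEXEC names deliberately alias the executable protections */`. The PAGEEXEC variants add _PAGE_FOE on top of the existing bits, presumably the fault-on-execute bit by analogy with _PAGE_FOW; nothing in this hunk shows which code consumes them, so that should be confirmed against the rest of the patch.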
54 diff -urNp linux-2.6.38.4/arch/alpha/kernel/module.c linux-2.6.38.4/arch/alpha/kernel/module.c
55 --- linux-2.6.38.4/arch/alpha/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
56 +++ linux-2.6.38.4/arch/alpha/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
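Review bot: The comment directly above the changed assignment still says the small sections were sorted to the end of "the segment", but gp is now derived from module_core_rw and core_size_rw only, so it should name which segment: `/* The small sections were sorted to the end of the RW segment. The following should definitely cover them. */`. The new line also bakes in the assumption that every GP-relative small section is laid out in the RW core rather than the RX one; that layout is decided outside this hunk, so it is worth stating the assumption where gp is computed. apply_relocate_add continues outside the hunk.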
66 diff -urNp linux-2.6.38.4/arch/alpha/kernel/osf_sys.c linux-2.6.38.4/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.38.4/arch/alpha/kernel/osf_sys.c 2011-03-14 21:20:32.000000000 -0400
68 +++ linux-2.6.38.4/arch/alpha/kernel/osf_sys.c 2011-04-17 15:57:32.000000000 -0400
69 @@ -1162,7 +1162,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1198,6 +1198,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1205,8 +1209,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
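Review bot: The comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is now stale, because the call it describes starts the search at `current->mm->mmap_base` instead. Change it to `/* Next, try allocating at mm->mmap_base (randomized under PaX RANDMMAP). */`, hedging as appropriate since the code that sets mmap_base is not in this hunk. arch_get_unmapped_area continues past the end of the hunk.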
100 diff -urNp linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c 2011-03-14 21:20:32.000000000 -0400
102 +++ linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c 2011-04-17 15:57:32.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.38.4/arch/alpha/kernel/pci-noop.c linux-2.6.38.4/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.38.4/arch/alpha/kernel/pci-noop.c 2011-03-14 21:20:32.000000000 -0400
121 +++ linux-2.6.38.4/arch/alpha/kernel/pci-noop.c 2011-04-17 15:57:32.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.38.4/arch/alpha/mm/fault.c linux-2.6.38.4/arch/alpha/mm/fault.c
141 --- linux-2.6.38.4/arch/alpha/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
142 +++ linux-2.6.38.4/arch/alpha/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
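Review bot: Every get_user() in pax_handle_fetch_fault and pax_report_insns casts the regs->pc-derived pointer to a plain `(unsigned int *)` or `(unsigned long *)` with no `__user` annotation, whereas the ARM pax_report_insns added by this same patch uses `(__force unsigned char __user *)`; sparse will flag the address-space mismatch here. Use `(unsigned int __user *)regs->pc` and `(unsigned long __user *)addr` throughout. The decode itself reads up to 12 bytes at pc and a further 24 bytes at the branch target through get_user, so unreadable memory is handled by the fault path rather than by any explicit range check, which is worth a one-line comment above the first `do {`.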
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.38.4/arch/arm/include/asm/elf.h linux-2.6.38.4/arch/arm/include/asm/elf.h
300 --- linux-2.6.38.4/arch/arm/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
301 +++ linux-2.6.38.4/arch/arm/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
302 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
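Review bot: `current->personality == PER_LINUX_32BIT` in the two PAX_DELTA_*_LEN macros is an exact comparison, so any extra personality flag carried in the upper bits (READ_IMPLIES_EXEC, ADDR_NO_RANDOMIZE and the like) makes the test false and silently drops the task from 16 to 10 bits of mmap and stack randomization. The Alpha version in this patch tests the bit instead, `(current->personality & ADDR_LIMIT_32BIT)`, and the same form would be robust here: `#define PAX_DELTA_MMAP_LEN ((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` (PER_LINUX_32BIT is PER_LINUX with ADDR_LIMIT_32BIT set, per linux/personality.h). Whether elf_set_personality, declared in the next hunk, preserves such flags is outside this hunk; if it does, the exact compare is a real weakening of ASLR.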
318 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
326 extern int vectors_user_mapping(void);
327 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
328 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
329 diff -urNp linux-2.6.38.4/arch/arm/include/asm/kmap_types.h linux-2.6.38.4/arch/arm/include/asm/kmap_types.h
330 --- linux-2.6.38.4/arch/arm/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
331 +++ linux-2.6.38.4/arch/arm/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
332 @@ -21,6 +21,7 @@ enum km_type {
340 diff -urNp linux-2.6.38.4/arch/arm/include/asm/uaccess.h linux-2.6.38.4/arch/arm/include/asm/uaccess.h
341 --- linux-2.6.38.4/arch/arm/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
342 +++ linux-2.6.38.4/arch/arm/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
343 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
345 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
350 if (access_ok(VERIFY_READ, from, n))
351 n = __copy_from_user(to, from, n);
352 else /* security hole - plug it */
353 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
355 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
360 if (access_ok(VERIFY_WRITE, to, n))
361 n = __copy_to_user(to, from, n);
363 diff -urNp linux-2.6.38.4/arch/arm/kernel/kgdb.c linux-2.6.38.4/arch/arm/kernel/kgdb.c
364 --- linux-2.6.38.4/arch/arm/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
365 +++ linux-2.6.38.4/arch/arm/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
366 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
367 * and we handle the normal undef case within the do_undefinstr
370 -struct kgdb_arch arch_kgdb_ops = {
371 +const struct kgdb_arch arch_kgdb_ops = {
373 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
374 #else /* ! __ARMEB__ */
375 diff -urNp linux-2.6.38.4/arch/arm/kernel/process.c linux-2.6.38.4/arch/arm/kernel/process.c
376 --- linux-2.6.38.4/arch/arm/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
377 +++ linux-2.6.38.4/arch/arm/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
379 #include <linux/tick.h>
380 #include <linux/utsname.h>
381 #include <linux/uaccess.h>
382 -#include <linux/random.h>
383 #include <linux/hw_breakpoint.h>
385 #include <asm/cacheflush.h>
386 @@ -477,12 +476,6 @@ unsigned long get_wchan(struct task_stru
390 -unsigned long arch_randomize_brk(struct mm_struct *mm)
392 - unsigned long range_end = mm->brk + 0x02000000;
393 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
398 * The vectors page is always readable from user space for the
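Review bot: Deleting arch_randomize_brk removes ARM's mainline brk randomization outright, so tasks that do not carry MF_PAX_RANDMMAP keep a deterministic brk base unless the PaX replacement randomizes brk for every task; that loader code is not in this hunk and should be confirmed. If PaX only covers flagged tasks, consider keeping the helper and letting the PaX path override it when its flag is set. At minimum the removal deserves a note next to the dropped `#define arch_randomize_brk` in elf.h, e.g. `/* brk randomization is provided by PaX RANDMMAP instead of arch_randomize_brk */`.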
399 diff -urNp linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c
400 --- linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c 2011-03-14 21:20:32.000000000 -0400
401 +++ linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c 2011-04-17 15:57:32.000000000 -0400
402 @@ -47,7 +47,7 @@ static ssize_t last_radio_log_read(struc
406 -static struct file_operations last_radio_log_fops = {
407 +static struct file_operations last_radio_log_fops = { /* cannot be const, see msm_init_last_radio_log */
408 .read = last_radio_log_read,
409 .llseek = default_llseek,
411 diff -urNp linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c
412 --- linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c 2011-03-14 21:20:32.000000000 -0400
413 +++ linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c 2011-04-17 15:57:32.000000000 -0400
414 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
415 return sprintf(buf, "0x%X\n", mbox_value);
418 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
419 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
421 static int mbox_show(struct seq_file *s, void *data)
423 diff -urNp linux-2.6.38.4/arch/arm/mm/fault.c linux-2.6.38.4/arch/arm/mm/fault.c
424 --- linux-2.6.38.4/arch/arm/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
425 +++ linux-2.6.38.4/arch/arm/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
426 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
430 +#ifdef CONFIG_PAX_PAGEEXEC
431 + if (fsr & FSR_LNX_PF) {
432 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
433 + do_group_exit(SIGKILL);
437 tsk->thread.address = addr;
438 tsk->thread.error_code = fsr;
439 tsk->thread.trap_no = 14;
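Review bot: The added `if (fsr & FSR_LNX_PF)` block kills on every user-mode prefetch abort that reaches __do_user_fault, including a plain jump to an unmapped address, without consulting the task's PAGEEXEC flag, whereas the avr32 and Alpha handlers in this patch test `mm->pax_flags & MF_PAX_PAGEEXEC` first. A process with PAGEEXEC disabled therefore gets SIGKILL plus a PAX report instead of the catchable SIGSEGV mainline delivers. Gate it the same way: `if ((tsk->mm->pax_flags & MF_PAX_PAGEEXEC) && (fsr & FSR_LNX_PF)) {`. Whether FSR_LNX_PF marks every prefetch abort or only execute violations is decided by the abort entry code outside this hunk; if it is the latter, only the flag check is missing.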
440 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
442 #endif /* CONFIG_MMU */
444 +#ifdef CONFIG_PAX_PAGEEXEC
445 +void pax_report_insns(void *pc, void *sp)
449 + printk(KERN_ERR "PAX: bytes at PC: ");
450 + for (i = 0; i < 20; i++) {
452 + if (get_user(c, (__force unsigned char __user *)pc+i))
453 + printk(KERN_CONT "?? ");
455 + printk(KERN_CONT "%02x ", c);
459 + printk(KERN_ERR "PAX: bytes at SP-4: ");
460 + for (i = -1; i < 20; i++) {
462 + if (get_user(c, (__force unsigned long __user *)sp+i))
463 + printk(KERN_CONT "???????? ");
465 + printk(KERN_CONT "%08lx ", c);
472 * First Level Translation Fault Handler
474 diff -urNp linux-2.6.38.4/arch/arm/mm/mmap.c linux-2.6.38.4/arch/arm/mm/mmap.c
475 --- linux-2.6.38.4/arch/arm/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
476 +++ linux-2.6.38.4/arch/arm/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
477 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
481 +#ifdef CONFIG_PAX_RANDMMAP
482 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
487 addr = COLOUR_ALIGN(addr, pgoff);
488 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
489 addr = PAGE_ALIGN(addr);
491 vma = find_vma(mm, addr);
492 - if (TASK_SIZE - len >= addr &&
493 - (!vma || addr + len <= vma->vm_start))
494 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
497 if (len > mm->cached_hole_size) {
498 - start_addr = addr = mm->free_area_cache;
499 + start_addr = addr = mm->free_area_cache;
501 - start_addr = addr = TASK_UNMAPPED_BASE;
502 - mm->cached_hole_size = 0;
503 + start_addr = addr = mm->mmap_base;
504 + mm->cached_hole_size = 0;
506 /* 8 bits of randomness in 20 address space bits */
507 if (current->flags & PF_RANDOMIZE)
508 @@ -98,14 +101,14 @@ full_search:
509 * Start a new search - just in case we missed
512 - if (start_addr != TASK_UNMAPPED_BASE) {
513 - start_addr = addr = TASK_UNMAPPED_BASE;
514 + if (start_addr != mm->mmap_base) {
515 + start_addr = addr = mm->mmap_base;
516 mm->cached_hole_size = 0;
521 - if (!vma || addr + len <= vma->vm_start) {
522 + if (check_heap_stack_gap(vma, addr, len)) {
524 * Remember the place where we stopped the search:
526 diff -urNp linux-2.6.38.4/arch/avr32/include/asm/elf.h linux-2.6.38.4/arch/avr32/include/asm/elf.h
527 --- linux-2.6.38.4/arch/avr32/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
528 +++ linux-2.6.38.4/arch/avr32/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
529 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
530 the loader. We need to make sure that it is out of the way of the program
531 that it will "exec", and that there is sufficient room for the brk. */
533 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
534 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
536 +#ifdef CONFIG_PAX_ASLR
537 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
539 +#define PAX_DELTA_MMAP_LEN 15
540 +#define PAX_DELTA_STACK_LEN 15
543 /* This yields a mask that user programs can use to figure out what
544 instruction set this CPU supports. This could be done in user space,
545 diff -urNp linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h
546 --- linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
547 +++ linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
548 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
558 diff -urNp linux-2.6.38.4/arch/avr32/mm/fault.c linux-2.6.38.4/arch/avr32/mm/fault.c
559 --- linux-2.6.38.4/arch/avr32/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
560 +++ linux-2.6.38.4/arch/avr32/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
561 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
563 int exception_trace = 1;
565 +#ifdef CONFIG_PAX_PAGEEXEC
566 +void pax_report_insns(void *pc, void *sp)
570 + printk(KERN_ERR "PAX: bytes at PC: ");
571 + for (i = 0; i < 20; i++) {
573 + if (get_user(c, (unsigned char *)pc+i))
574 + printk(KERN_CONT "???????? ");
576 + printk(KERN_CONT "%02x ", c);
583 * This routine handles page faults. It determines the address and the
584 * problem, and then passes it off to one of the appropriate routines.
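Review bot: pax_report_insns reads one byte per iteration (the pointer is cast to `unsigned char *` and successes print `%02x`) but prints the eight-character `"???????? "` placeholder when a read faults, so a dump containing unreadable bytes no longer lines up and looks like 32-bit words; the ARM version of this function in the same patch uses `"?? "` for its byte dump. Change the failure branch to `printk(KERN_CONT "?? ");`. The user pointer is also cast without `__user`, which sparse will flag; `(__force unsigned char __user *)pc + i` matches the ARM variant.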
585 @@ -156,6 +173,16 @@ bad_area:
586 up_read(&mm->mmap_sem);
588 if (user_mode(regs)) {
590 +#ifdef CONFIG_PAX_PAGEEXEC
591 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
592 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
593 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
594 + do_group_exit(SIGKILL);
599 if (exception_trace && printk_ratelimit())
600 printk("%s%s[%d]: segfault at %08lx pc %08lx "
601 "sp %08lx ecr %lu\n",
602 diff -urNp linux-2.6.38.4/arch/blackfin/kernel/kgdb.c linux-2.6.38.4/arch/blackfin/kernel/kgdb.c
603 --- linux-2.6.38.4/arch/blackfin/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
604 +++ linux-2.6.38.4/arch/blackfin/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
605 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
606 return -1; /* this means that we do not want to exit from the handler */
609 -struct kgdb_arch arch_kgdb_ops = {
610 +const struct kgdb_arch arch_kgdb_ops = {
611 .gdb_bpt_instr = {0xa1},
613 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
614 diff -urNp linux-2.6.38.4/arch/blackfin/mm/maccess.c linux-2.6.38.4/arch/blackfin/mm/maccess.c
615 --- linux-2.6.38.4/arch/blackfin/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
616 +++ linux-2.6.38.4/arch/blackfin/mm/maccess.c 2011-04-17 15:57:32.000000000 -0400
617 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
618 return bfin_mem_access_type(addr, size);
621 -long probe_kernel_read(void *dst, void *src, size_t size)
622 +long probe_kernel_read(void *dst, const void *src, size_t size)
624 unsigned long lsrc = (unsigned long)src;
626 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
630 -long probe_kernel_write(void *dst, void *src, size_t size)
631 +long probe_kernel_write(void *dst, const void *src, size_t size)
633 unsigned long ldst = (unsigned long)dst;
635 diff -urNp linux-2.6.38.4/arch/frv/include/asm/kmap_types.h linux-2.6.38.4/arch/frv/include/asm/kmap_types.h
636 --- linux-2.6.38.4/arch/frv/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
637 +++ linux-2.6.38.4/arch/frv/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
638 @@ -23,6 +23,7 @@ enum km_type {
646 diff -urNp linux-2.6.38.4/arch/frv/mm/elf-fdpic.c linux-2.6.38.4/arch/frv/mm/elf-fdpic.c
647 --- linux-2.6.38.4/arch/frv/mm/elf-fdpic.c 2011-03-14 21:20:32.000000000 -0400
648 +++ linux-2.6.38.4/arch/frv/mm/elf-fdpic.c 2011-04-17 15:57:32.000000000 -0400
649 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
651 addr = PAGE_ALIGN(addr);
652 vma = find_vma(current->mm, addr);
653 - if (TASK_SIZE - len >= addr &&
654 - (!vma || addr + len <= vma->vm_start))
655 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
659 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
660 for (; vma; vma = vma->vm_next) {
663 - if (addr + len <= vma->vm_start)
664 + if (check_heap_stack_gap(vma, addr, len))
668 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
669 for (; vma; vma = vma->vm_next) {
672 - if (addr + len <= vma->vm_start)
673 + if (check_heap_stack_gap(vma, addr, len))
677 diff -urNp linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c
678 --- linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c 2011-03-14 21:20:32.000000000 -0400
679 +++ linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c 2011-04-17 15:57:32.000000000 -0400
681 #include <linux/swiotlb.h>
682 #include <asm/machvec.h>
684 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
685 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
687 /* swiotlb declarations & definitions: */
688 extern int swiotlb_late_init_with_default_size (size_t size);
689 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
690 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
693 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
694 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
696 if (use_swiotlb(dev))
697 return &swiotlb_dma_ops;
698 diff -urNp linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c
699 --- linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c 2011-03-14 21:20:32.000000000 -0400
700 +++ linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c 2011-04-17 15:57:32.000000000 -0400
701 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
705 -extern struct dma_map_ops swiotlb_dma_ops;
706 +extern const struct dma_map_ops swiotlb_dma_ops;
710 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
712 __setup("sbapagesize=",sba_page_override);
714 -struct dma_map_ops sba_dma_ops = {
715 +const struct dma_map_ops sba_dma_ops = {
716 .alloc_coherent = sba_alloc_coherent,
717 .free_coherent = sba_free_coherent,
718 .map_page = sba_map_page,
719 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h
720 --- linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
721 +++ linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
724 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
726 -extern struct dma_map_ops *dma_ops;
727 +extern const struct dma_map_ops *dma_ops;
728 extern struct ia64_machine_vector ia64_mv;
729 extern void set_iommu_machvec(void);
731 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
732 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
733 dma_addr_t *daddr, gfp_t gfp)
735 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
736 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
739 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
740 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
741 static inline void dma_free_coherent(struct device *dev, size_t size,
742 void *caddr, dma_addr_t daddr)
744 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
745 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
746 debug_dma_free_coherent(dev, size, caddr, daddr);
747 ops->free_coherent(dev, size, caddr, daddr);
749 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
751 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
753 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
754 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
755 return ops->mapping_error(dev, daddr);
758 static inline int dma_supported(struct device *dev, u64 mask)
760 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
761 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
762 return ops->dma_supported(dev, mask);
765 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/elf.h linux-2.6.38.4/arch/ia64/include/asm/elf.h
766 --- linux-2.6.38.4/arch/ia64/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
767 +++ linux-2.6.38.4/arch/ia64/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
770 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
772 +#ifdef CONFIG_PAX_ASLR
773 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
775 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
776 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
779 #define PT_IA_64_UNWIND 0x70000001
781 /* IA-64 relocations: */
782 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/machvec.h linux-2.6.38.4/arch/ia64/include/asm/machvec.h
783 --- linux-2.6.38.4/arch/ia64/include/asm/machvec.h 2011-03-14 21:20:32.000000000 -0400
784 +++ linux-2.6.38.4/arch/ia64/include/asm/machvec.h 2011-04-17 15:57:32.000000000 -0400
785 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
786 /* DMA-mapping interface: */
787 typedef void ia64_mv_dma_init (void);
788 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
789 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
790 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
793 * WARNING: The legacy I/O space is _architected_. Platforms are
794 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
795 # endif /* CONFIG_IA64_GENERIC */
797 extern void swiotlb_dma_init(void);
798 -extern struct dma_map_ops *dma_get_ops(struct device *);
799 +extern const struct dma_map_ops *dma_get_ops(struct device *);
802 * Define default versions so we can extend machvec for new platforms without having
803 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/pgtable.h linux-2.6.38.4/arch/ia64/include/asm/pgtable.h
804 --- linux-2.6.38.4/arch/ia64/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
805 +++ linux-2.6.38.4/arch/ia64/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
807 * David Mosberger-Tang <davidm@hpl.hp.com>
811 +#include <linux/const.h>
812 #include <asm/mman.h>
813 #include <asm/page.h>
814 #include <asm/processor.h>
816 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
817 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
818 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
820 +#ifdef CONFIG_PAX_PAGEEXEC
821 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
822 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
823 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
825 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
826 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
827 +# define PAGE_COPY_NOEXEC PAGE_COPY
830 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
831 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
832 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
833 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/spinlock.h linux-2.6.38.4/arch/ia64/include/asm/spinlock.h
834 --- linux-2.6.38.4/arch/ia64/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
835 +++ linux-2.6.38.4/arch/ia64/include/asm/spinlock.h 2011-04-17 15:57:32.000000000 -0400
836 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
837 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
839 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
840 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
841 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
844 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
845 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/uaccess.h linux-2.6.38.4/arch/ia64/include/asm/uaccess.h
846 --- linux-2.6.38.4/arch/ia64/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
847 +++ linux-2.6.38.4/arch/ia64/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
848 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
849 const void *__cu_from = (from); \
850 long __cu_len = (n); \
852 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
853 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
854 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
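Review bot: The new bound `__cu_len > 0 && __cu_len <= INT_MAX` carries no comment saying what it defends against, and INT_MAX is an odd ceiling for a `long` length on a 64-bit architecture, so a later reader may "fix" it away. Presumably it rejects negative (wrapped) sizes before `__access_ok`, whose range check is outside this hunk and may not account for `addr + len` overflow; confirm that and say so: `/* PaX: reject negative/huge lengths; __access_ok() alone does not catch addr+len wrap-around */`. For `n == 0` the copy is now skipped and 0 is returned, which matches what a zero-length `__copy_user` would return, so the contract is unchanged there.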
857 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
858 long __cu_len = (n); \
860 __chk_user_ptr(__cu_from); \
861 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
862 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
863 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
866 diff -urNp linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c
867 --- linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c 2011-03-14 21:20:32.000000000 -0400
868 +++ linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c 2011-04-17 15:57:32.000000000 -0400
870 /* Set this to 1 if there is a HW IOMMU in the system */
871 int iommu_detected __read_mostly;
873 -struct dma_map_ops *dma_ops;
874 +const struct dma_map_ops *dma_ops;
875 EXPORT_SYMBOL(dma_ops);
877 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
878 @@ -16,7 +16,7 @@ static int __init dma_init(void)
880 fs_initcall(dma_init);
882 -struct dma_map_ops *dma_get_ops(struct device *dev)
883 +const struct dma_map_ops *dma_get_ops(struct device *dev)
887 diff -urNp linux-2.6.38.4/arch/ia64/kernel/module.c linux-2.6.38.4/arch/ia64/kernel/module.c
888 --- linux-2.6.38.4/arch/ia64/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
889 +++ linux-2.6.38.4/arch/ia64/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
890 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
892 module_free (struct module *mod, void *module_region)
894 - if (mod && mod->arch.init_unw_table &&
895 - module_region == mod->module_init) {
896 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
897 unw_remove_unwind_table(mod->arch.init_unw_table);
898 mod->arch.init_unw_table = NULL;
900 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
904 +in_init_rx (const struct module *mod, uint64_t addr)
906 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
910 +in_init_rw (const struct module *mod, uint64_t addr)
912 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
916 in_init (const struct module *mod, uint64_t addr)
918 - return addr - (uint64_t) mod->module_init < mod->init_size;
919 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
923 +in_core_rx (const struct module *mod, uint64_t addr)
925 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
929 +in_core_rw (const struct module *mod, uint64_t addr)
931 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
935 in_core (const struct module *mod, uint64_t addr)
937 - return addr - (uint64_t) mod->module_core < mod->core_size;
938 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
942 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
946 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
947 + if (in_init_rx(mod, val))
948 + val -= (uint64_t) mod->module_init_rx;
949 + else if (in_init_rw(mod, val))
950 + val -= (uint64_t) mod->module_init_rw;
951 + else if (in_core_rx(mod, val))
952 + val -= (uint64_t) mod->module_core_rx;
953 + else if (in_core_rw(mod, val))
954 + val -= (uint64_t) mod->module_core_rw;
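Review bot: The new if/else-if chain has no final else, so a value that lies in none of the four regions now passes through with nothing subtracted, whereas the replaced line always subtracted a base (`module_core` whenever the value was not in init); the result is that a malformed segment-relative relocation is silently applied as an absolute value instead of being rejected. If do_reloc reports failures with a negative return as the rest of the function appears to (its signature is cut off by the hunk header), add `else { printk(KERN_ERR "%s: value 0x%lx outside module for segment-relative reloc\n", mod->name, val); return -ENOEXEC; }` so the module load fails instead of proceeding with a wrong relocation. do_reloc starts and ends outside this hunk.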
958 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
959 * addresses have been selected...
962 - if (mod->core_size > MAX_LTOFF)
963 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
965 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
966 * at the end of the module.
968 - gp = mod->core_size - MAX_LTOFF / 2;
969 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
971 - gp = mod->core_size / 2;
972 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
973 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
974 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
976 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
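Review bot: `gp` is now derived from the combined `core_size_rx + core_size_rw` but anchored at `module_core_rx` (`gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);`), which only lands mid-module if the rx and rw regions are one contiguous allocation, something this hunk cannot show. The comment kept above relies on SHF_ARCH_SMALL data sitting at the end of the module; after the split that end is the end of the rw region, so if the two regions are separate allocations gp can be farther than MAX_LTOFF from the small-data/GOT area while the `core_size_rx + core_size_rw > MAX_LTOFF` test at the top no longer bounds the real distance. Confirm the allocator's layout, and if the regions are separate, anchor gp on the region that actually holds the small data (the parisc hunk later in this same patch bases its GOT on `me->module_core_rw + me->arch.got_offset`) and check that region's size against MAX_LTOFF on its own. apply_relocate_add continues beyond the hunk.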
978 diff -urNp linux-2.6.38.4/arch/ia64/kernel/pci-dma.c linux-2.6.38.4/arch/ia64/kernel/pci-dma.c
979 --- linux-2.6.38.4/arch/ia64/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
980 +++ linux-2.6.38.4/arch/ia64/kernel/pci-dma.c 2011-04-17 15:57:32.000000000 -0400
981 @@ -43,7 +43,7 @@ struct device fallback_dev = {
982 .dma_mask = &fallback_dev.coherent_dma_mask,
985 -extern struct dma_map_ops intel_dma_ops;
986 +extern const struct dma_map_ops intel_dma_ops;
988 static int __init pci_iommu_init(void)
990 diff -urNp linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c
991 --- linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
992 +++ linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c 2011-04-17 15:57:32.000000000 -0400
993 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
994 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
997 -struct dma_map_ops swiotlb_dma_ops = {
998 +const struct dma_map_ops swiotlb_dma_ops = {
999 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1000 .free_coherent = swiotlb_free_coherent,
1001 .map_page = swiotlb_map_page,
1002 diff -urNp linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c
1003 --- linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c 2011-03-14 21:20:32.000000000 -0400
1004 +++ linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c 2011-04-17 15:57:32.000000000 -0400
1005 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1006 if (REGION_NUMBER(addr) == RGN_HPAGE)
1010 +#ifdef CONFIG_PAX_RANDMMAP
1011 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1012 + addr = mm->free_area_cache;
1017 addr = mm->free_area_cache;
1019 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1020 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1021 /* At this point: (!vma || addr < vma->vm_end). */
1022 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1023 - if (start_addr != TASK_UNMAPPED_BASE) {
1024 + if (start_addr != mm->mmap_base) {
1025 /* Start a new search --- just in case we missed some holes. */
1026 - addr = TASK_UNMAPPED_BASE;
1027 + addr = mm->mmap_base;
1032 - if (!vma || addr + len <= vma->vm_start) {
1033 + if (check_heap_stack_gap(vma, addr, len)) {
1034 /* Remember the address where we stopped this search: */
1035 mm->free_area_cache = addr + len;
1037 diff -urNp linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S
1038 --- linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
1039 +++ linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S 2011-04-17 15:57:32.000000000 -0400
1040 @@ -199,7 +199,7 @@ SECTIONS {
1042 . = ALIGN(PERCPU_PAGE_SIZE);
1043 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1044 - __phys_per_cpu_start = __per_cpu_load;
1045 + __phys_per_cpu_start = per_cpu_load;
1047 * ensure percpu data fits
1048 * into percpu page size
1049 diff -urNp linux-2.6.38.4/arch/ia64/mm/fault.c linux-2.6.38.4/arch/ia64/mm/fault.c
1050 --- linux-2.6.38.4/arch/ia64/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1051 +++ linux-2.6.38.4/arch/ia64/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
1052 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1053 return pte_present(pte);
1056 +#ifdef CONFIG_PAX_PAGEEXEC
1057 +void pax_report_insns(void *pc, void *sp)
1061 + printk(KERN_ERR "PAX: bytes at PC: ");
1062 + for (i = 0; i < 8; i++) {
1064 + if (get_user(c, (unsigned int *)pc+i))
1065 + printk(KERN_CONT "???????? ");
1067 + printk(KERN_CONT "%08x ", c);
1074 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
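Review bot: `get_user(c, (unsigned int *)pc+i)` reads user memory through a plain kernel pointer type; since `pc` is presumably `regs->cr_iip` handed down from the page-fault hunk below, the cast should carry the annotation, `if (get_user(c, (unsigned int __user *)pc + i))`, so sparse can check the access and the intent is visible. The function also has no header comment, and the loop bound of 8 and the unused `sp` parameter are unexplained; a line such as `/* Dump the 8 32-bit words at the faulting user PC (presumably two 16-byte bundles) for the PAX report; safe only because the caller has dropped mmap_sem */` would cover both. The hunk's elided lines (the declarations of `i` and `c`, the loop's closing) are not visible here, so that part is inferred.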
1076 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1077 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1078 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1080 - if ((vma->vm_flags & mask) != mask)
1081 + if ((vma->vm_flags & mask) != mask) {
1083 +#ifdef CONFIG_PAX_PAGEEXEC
1084 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1085 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1088 + up_read(&mm->mmap_sem);
1089 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1090 + do_group_exit(SIGKILL);
1099 * If for any reason at all we couldn't handle the fault, make
1100 * sure we exit gracefully rather than endlessly redo the
1101 diff -urNp linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c
1102 --- linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
1103 +++ linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c 2011-04-17 15:57:32.000000000 -0400
1104 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1105 /* At this point: (!vmm || addr < vmm->vm_end). */
1106 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1108 - if (!vmm || (addr + len) <= vmm->vm_start)
1109 + if (check_heap_stack_gap(vmm, addr, len))
1111 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1113 diff -urNp linux-2.6.38.4/arch/ia64/mm/init.c linux-2.6.38.4/arch/ia64/mm/init.c
1114 --- linux-2.6.38.4/arch/ia64/mm/init.c 2011-03-14 21:20:32.000000000 -0400
1115 +++ linux-2.6.38.4/arch/ia64/mm/init.c 2011-04-17 15:57:32.000000000 -0400
1116 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1117 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1118 vma->vm_end = vma->vm_start + PAGE_SIZE;
1119 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1121 +#ifdef CONFIG_PAX_PAGEEXEC
1122 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1123 + vma->vm_flags &= ~VM_EXEC;
1125 +#ifdef CONFIG_PAX_MPROTECT
1126 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1127 + vma->vm_flags &= ~VM_MAYEXEC;
1133 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1134 down_write(¤t->mm->mmap_sem);
1135 if (insert_vm_struct(current->mm, vma)) {
1136 diff -urNp linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c
1137 --- linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c 2011-03-14 21:20:32.000000000 -0400
1138 +++ linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c 2011-04-17 15:57:32.000000000 -0400
1139 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1143 -static struct dma_map_ops sn_dma_ops = {
1144 +static const struct dma_map_ops sn_dma_ops = {
1145 .alloc_coherent = sn_dma_alloc_coherent,
1146 .free_coherent = sn_dma_free_coherent,
1147 .map_page = sn_dma_map_page,
1148 diff -urNp linux-2.6.38.4/arch/m32r/lib/usercopy.c linux-2.6.38.4/arch/m32r/lib/usercopy.c
1149 --- linux-2.6.38.4/arch/m32r/lib/usercopy.c 2011-03-14 21:20:32.000000000 -0400
1150 +++ linux-2.6.38.4/arch/m32r/lib/usercopy.c 2011-04-17 15:57:32.000000000 -0400
1153 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1159 if (access_ok(VERIFY_WRITE, to, n))
1160 __copy_user(to,from,n);
1161 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1163 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1169 if (access_ok(VERIFY_READ, from, n))
1170 __copy_user_zeroing(to,from,n);
1171 diff -urNp linux-2.6.38.4/arch/microblaze/include/asm/device.h linux-2.6.38.4/arch/microblaze/include/asm/device.h
1172 --- linux-2.6.38.4/arch/microblaze/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1173 +++ linux-2.6.38.4/arch/microblaze/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
1174 @@ -13,7 +13,7 @@ struct device_node;
1176 struct dev_archdata {
1177 /* DMA operations on that device */
1178 - struct dma_map_ops *dma_ops;
1179 + const struct dma_map_ops *dma_ops;
1183 diff -urNp linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h
1184 --- linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1185 +++ linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
1186 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1187 return 0xfffffffful;
1190 -extern struct dma_map_ops *dma_ops;
1191 +extern const struct dma_map_ops *dma_ops;
1194 * Available generic sets of operations
1196 -extern struct dma_map_ops dma_direct_ops;
1197 +extern const struct dma_map_ops dma_direct_ops;
1199 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1200 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1202 /* We don't handle the NULL dev case for ISA for now. We could
1203 * do it via an out of line call but it is not needed for now. The
1204 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1205 return dev->archdata.dma_ops;
1208 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1209 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1211 dev->archdata.dma_ops = ops;
1214 static inline int dma_supported(struct device *dev, u64 mask)
1216 - struct dma_map_ops *ops = get_dma_ops(dev);
1217 + const struct dma_map_ops *ops = get_dma_ops(dev);
1221 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1223 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1225 - struct dma_map_ops *ops = get_dma_ops(dev);
1226 + const struct dma_map_ops *ops = get_dma_ops(dev);
1228 if (unlikely(ops == NULL))
1230 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1232 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1234 - struct dma_map_ops *ops = get_dma_ops(dev);
1235 + const struct dma_map_ops *ops = get_dma_ops(dev);
1236 if (ops->mapping_error)
1237 return ops->mapping_error(dev, dma_addr);
1239 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1240 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1241 dma_addr_t *dma_handle, gfp_t flag)
1243 - struct dma_map_ops *ops = get_dma_ops(dev);
1244 + const struct dma_map_ops *ops = get_dma_ops(dev);
1248 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1249 static inline void dma_free_coherent(struct device *dev, size_t size,
1250 void *cpu_addr, dma_addr_t dma_handle)
1252 - struct dma_map_ops *ops = get_dma_ops(dev);
1253 + const struct dma_map_ops *ops = get_dma_ops(dev);
1256 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1257 diff -urNp linux-2.6.38.4/arch/microblaze/include/asm/pci.h linux-2.6.38.4/arch/microblaze/include/asm/pci.h
1258 --- linux-2.6.38.4/arch/microblaze/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
1259 +++ linux-2.6.38.4/arch/microblaze/include/asm/pci.h 2011-04-17 15:57:32.000000000 -0400
1260 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1264 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1265 -extern struct dma_map_ops *get_pci_dma_ops(void);
1266 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1267 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1268 #else /* CONFIG_PCI */
1269 #define set_pci_dma_ops(d)
1270 #define get_pci_dma_ops() NULL
1271 diff -urNp linux-2.6.38.4/arch/microblaze/kernel/dma.c linux-2.6.38.4/arch/microblaze/kernel/dma.c
1272 --- linux-2.6.38.4/arch/microblaze/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
1273 +++ linux-2.6.38.4/arch/microblaze/kernel/dma.c 2011-04-17 15:57:32.000000000 -0400
1274 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1275 __dma_sync_page(dma_address, 0 , size, direction);
1278 -struct dma_map_ops dma_direct_ops = {
1279 +const struct dma_map_ops dma_direct_ops = {
1280 .alloc_coherent = dma_direct_alloc_coherent,
1281 .free_coherent = dma_direct_free_coherent,
1282 .map_sg = dma_direct_map_sg,
1283 diff -urNp linux-2.6.38.4/arch/microblaze/kernel/kgdb.c linux-2.6.38.4/arch/microblaze/kernel/kgdb.c
1284 --- linux-2.6.38.4/arch/microblaze/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1285 +++ linux-2.6.38.4/arch/microblaze/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
1286 @@ -141,10 +141,11 @@ void kgdb_arch_exit(void)
1290 -struct kgdb_arch arch_kgdb_ops = {
1291 +const struct kgdb_arch arch_kgdb_ops = {
1292 #ifdef __MICROBLAZEEL__
1293 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1296 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1299 diff -urNp linux-2.6.38.4/arch/microblaze/pci/pci-common.c linux-2.6.38.4/arch/microblaze/pci/pci-common.c
1300 --- linux-2.6.38.4/arch/microblaze/pci/pci-common.c 2011-03-14 21:20:32.000000000 -0400
1301 +++ linux-2.6.38.4/arch/microblaze/pci/pci-common.c 2011-04-17 15:57:32.000000000 -0400
1302 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1303 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1304 unsigned int pci_flags;
1306 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1307 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1309 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1310 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1312 pci_dma_ops = dma_ops;
1315 -struct dma_map_ops *get_pci_dma_ops(void)
1316 +const struct dma_map_ops *get_pci_dma_ops(void)
1320 diff -urNp linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c
1321 --- linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c 2011-03-14 21:20:32.000000000 -0400
1322 +++ linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c 2011-04-17 15:57:32.000000000 -0400
1323 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1326 struct octeon_dma_map_ops {
1327 - struct dma_map_ops dma_map_ops;
1328 + const struct dma_map_ops dma_map_ops;
1329 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
1330 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
1332 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
1336 -struct dma_map_ops *octeon_pci_dma_map_ops;
1337 +const struct dma_map_ops *octeon_pci_dma_map_ops;
1339 void __init octeon_pci_dma_init(void)
1341 diff -urNp linux-2.6.38.4/arch/mips/include/asm/device.h linux-2.6.38.4/arch/mips/include/asm/device.h
1342 --- linux-2.6.38.4/arch/mips/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1343 +++ linux-2.6.38.4/arch/mips/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
1344 @@ -10,7 +10,7 @@ struct dma_map_ops;
1346 struct dev_archdata {
1347 /* DMA operations on that device */
1348 - struct dma_map_ops *dma_ops;
1349 + const struct dma_map_ops *dma_ops;
1352 struct pdev_archdata {
1353 diff -urNp linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h
1354 --- linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1355 +++ linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
1358 #include <dma-coherence.h>
1360 -extern struct dma_map_ops *mips_dma_map_ops;
1361 +extern const struct dma_map_ops *mips_dma_map_ops;
1363 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1364 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1366 if (dev && dev->archdata.dma_ops)
1367 return dev->archdata.dma_ops;
1368 @@ -31,13 +31,13 @@ static inline void dma_mark_clean(void *
1370 static inline int dma_supported(struct device *dev, u64 mask)
1372 - struct dma_map_ops *ops = get_dma_ops(dev);
1373 + const struct dma_map_ops *ops = get_dma_ops(dev);
1374 return ops->dma_supported(dev, mask);
1377 static inline int dma_mapping_error(struct device *dev, u64 mask)
1379 - struct dma_map_ops *ops = get_dma_ops(dev);
1380 + const struct dma_map_ops *ops = get_dma_ops(dev);
1381 return ops->mapping_error(dev, mask);
1384 @@ -59,7 +59,7 @@ static inline void *dma_alloc_coherent(s
1385 dma_addr_t *dma_handle, gfp_t gfp)
1388 - struct dma_map_ops *ops = get_dma_ops(dev);
1389 + const struct dma_map_ops *ops = get_dma_ops(dev);
1391 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
1393 @@ -71,7 +71,7 @@ static inline void *dma_alloc_coherent(s
1394 static inline void dma_free_coherent(struct device *dev, size_t size,
1395 void *vaddr, dma_addr_t dma_handle)
1397 - struct dma_map_ops *ops = get_dma_ops(dev);
1398 + const struct dma_map_ops *ops = get_dma_ops(dev);
1400 ops->free_coherent(dev, size, vaddr, dma_handle);
1402 diff -urNp linux-2.6.38.4/arch/mips/include/asm/elf.h linux-2.6.38.4/arch/mips/include/asm/elf.h
1403 --- linux-2.6.38.4/arch/mips/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1404 +++ linux-2.6.38.4/arch/mips/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
1405 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1406 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1409 +#ifdef CONFIG_PAX_ASLR
1410 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1412 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1413 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1416 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1417 struct linux_binprm;
1418 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1422 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1423 -#define arch_randomize_brk arch_randomize_brk
1425 #endif /* _ASM_ELF_H */
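Review bot: `PAX_ELF_ET_DYN_BASE` selects `0x00400000UL` in both arms of the `test_thread_flag(TIF_32BIT_ADDR)` ternary, so the conditional is dead; either the 64-bit value is a placeholder that was never filled in or the line should simply read `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The identical expression is repeated verbatim in the binfmt_elfn32.c and binfmt_elfo32.c hunks below. Separately, this hunk removes the `arch_randomize_brk` declaration unconditionally (syscall.c below removes its definition), not only under CONFIG_PAX_ASLR, so a MIPS kernel built with the PaX option off loses the brk randomization it had before; either guard the old declaration with `#ifndef CONFIG_PAX_ASLR` or add a comment stating that PaX's own randomization replaces it.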
1426 diff -urNp linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
1427 --- linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-03-14 21:20:32.000000000 -0400
1428 +++ linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-04-17 15:57:32.000000000 -0400
1429 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
1430 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
1433 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
1434 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
1435 extern char *octeon_swiotlb;
1437 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
1438 diff -urNp linux-2.6.38.4/arch/mips/include/asm/page.h linux-2.6.38.4/arch/mips/include/asm/page.h
1439 --- linux-2.6.38.4/arch/mips/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
1440 +++ linux-2.6.38.4/arch/mips/include/asm/page.h 2011-04-17 15:57:32.000000000 -0400
1441 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1442 #ifdef CONFIG_CPU_MIPS32
1443 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1444 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1445 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1446 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1448 typedef struct { unsigned long long pte; } pte_t;
1449 #define pte_val(x) ((x).pte)
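Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` undefined whenever `__pte()` is handed a 32-bit value: under CONFIG_CPU_MIPS32 `pte_low`/`pte_high` are `unsigned long` halves that `pte_val` widens to `unsigned long long` before shifting, which indicates `unsigned long` is 32 bits here, and shifting by the full width of a type is UB (gcc warns "shift count >= width of type"). The cast was what kept the expression well-defined for a caller passing a plain `unsigned long` or an integer constant, so unless every caller is known to pass a 64-bit value, keep the widening: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`, i.e. the line this hunk removes. If the intent was to make a narrow argument fail loudly, say so in a comment, because as written it is silent UB rather than a diagnostic.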
1450 diff -urNp linux-2.6.38.4/arch/mips/include/asm/system.h linux-2.6.38.4/arch/mips/include/asm/system.h
1451 --- linux-2.6.38.4/arch/mips/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
1452 +++ linux-2.6.38.4/arch/mips/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
1453 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1455 #define __ARCH_WANT_UNLOCKED_CTXSW
1457 -extern unsigned long arch_align_stack(unsigned long sp);
1458 +#define arch_align_stack(x) ((x) & ~0xfUL)
1460 #endif /* _ASM_SYSTEM_H */
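Review bot: Replacing `arch_align_stack()` with `#define arch_align_stack(x) ((x) & ~0xfUL)` drops the random sub-page offset the deleted process.c implementation applied when `randomize_va_space` was set (`sp -= get_random_int() & ~PAGE_MASK;` in the removed hunk below), and does so regardless of CONFIG_PAX_ASLR, so a MIPS kernel without the PaX ASLR option ends up with a less randomized stack top than before. If PaX's stack randomization (`PAX_DELTA_STACK_LEN` in elf.h) is meant to supersede it, state that in a comment, e.g. `/* no per-exec random offset here: stack randomization is done by PaX via PAX_DELTA_STACK_LEN */`, or let the macro take over only under `#ifdef CONFIG_PAX_ASLR`. The removed code also masked with `ALMASK` (8-byte alignment for the 32-bit ABI per its comment); always masking to 16 is stricter and therefore still valid for both ABIs, but that change deserves a word as well.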
1461 diff -urNp linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c
1462 --- linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c 2011-03-14 21:20:32.000000000 -0400
1463 +++ linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c 2011-04-17 15:57:32.000000000 -0400
1464 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1465 #undef ELF_ET_DYN_BASE
1466 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1468 +#ifdef CONFIG_PAX_ASLR
1469 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1471 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1472 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1475 #include <asm/processor.h>
1476 #include <linux/module.h>
1477 #include <linux/elfcore.h>
1478 diff -urNp linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c
1479 --- linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c 2011-03-14 21:20:32.000000000 -0400
1480 +++ linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c 2011-04-17 15:57:32.000000000 -0400
1481 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1482 #undef ELF_ET_DYN_BASE
1483 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1485 +#ifdef CONFIG_PAX_ASLR
1486 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1488 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1489 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1492 #include <asm/processor.h>
1495 diff -urNp linux-2.6.38.4/arch/mips/kernel/kgdb.c linux-2.6.38.4/arch/mips/kernel/kgdb.c
1496 --- linux-2.6.38.4/arch/mips/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1497 +++ linux-2.6.38.4/arch/mips/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
1498 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1502 -struct kgdb_arch arch_kgdb_ops;
1503 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
1506 * We use kgdb_early_setup so that functions we need to call now don't
1507 diff -urNp linux-2.6.38.4/arch/mips/kernel/process.c linux-2.6.38.4/arch/mips/kernel/process.c
1508 --- linux-2.6.38.4/arch/mips/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
1509 +++ linux-2.6.38.4/arch/mips/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
1510 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1516 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1517 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1519 -unsigned long arch_align_stack(unsigned long sp)
1521 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1522 - sp -= get_random_int() & ~PAGE_MASK;
1524 - return sp & ALMASK;
1526 diff -urNp linux-2.6.38.4/arch/mips/kernel/syscall.c linux-2.6.38.4/arch/mips/kernel/syscall.c
1527 --- linux-2.6.38.4/arch/mips/kernel/syscall.c 2011-03-14 21:20:32.000000000 -0400
1528 +++ linux-2.6.38.4/arch/mips/kernel/syscall.c 2011-04-17 15:57:32.000000000 -0400
1529 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1531 if (filp || (flags & MAP_SHARED))
1534 +#ifdef CONFIG_PAX_RANDMMAP
1535 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1540 addr = COLOUR_ALIGN(addr, pgoff);
1542 addr = PAGE_ALIGN(addr);
1543 vmm = find_vma(current->mm, addr);
1544 - if (task_size - len >= addr &&
1545 - (!vmm || addr + len <= vmm->vm_start))
1546 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1549 addr = current->mm->mmap_base;
1550 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1551 /* At this point: (!vmm || addr < vmm->vm_end). */
1552 if (task_size - len < addr)
1554 - if (!vmm || addr + len <= vmm->vm_start)
1555 + if (check_heap_stack_gap(vmm, addr, len))
1559 @@ -168,19 +172,6 @@ static inline unsigned long brk_rnd(void
1563 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1565 - unsigned long base = mm->brk;
1566 - unsigned long ret;
1568 - ret = PAGE_ALIGN(base + brk_rnd());
1570 - if (ret < mm->brk)
1576 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1577 unsigned long, prot, unsigned long, flags, unsigned long,
1579 diff -urNp linux-2.6.38.4/arch/mips/mm/dma-default.c linux-2.6.38.4/arch/mips/mm/dma-default.c
1580 --- linux-2.6.38.4/arch/mips/mm/dma-default.c 2011-03-14 21:20:32.000000000 -0400
1581 +++ linux-2.6.38.4/arch/mips/mm/dma-default.c 2011-04-17 15:57:32.000000000 -0400
1582 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
1584 EXPORT_SYMBOL(dma_cache_sync);
1586 -static struct dma_map_ops mips_default_dma_map_ops = {
1587 +static const struct dma_map_ops mips_default_dma_map_ops = {
1588 .alloc_coherent = mips_dma_alloc_coherent,
1589 .free_coherent = mips_dma_free_coherent,
1590 .map_page = mips_dma_map_page,
1591 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
1592 .dma_supported = mips_dma_supported
1595 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1596 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1597 EXPORT_SYMBOL(mips_dma_map_ops);
1599 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1600 diff -urNp linux-2.6.38.4/arch/mips/mm/fault.c linux-2.6.38.4/arch/mips/mm/fault.c
1601 --- linux-2.6.38.4/arch/mips/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1602 +++ linux-2.6.38.4/arch/mips/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
1604 #include <asm/highmem.h> /* For VMALLOC_END */
1605 #include <linux/kdebug.h>
1607 +#ifdef CONFIG_PAX_PAGEEXEC
1608 +void pax_report_insns(void *pc, void *sp)
1612 + printk(KERN_ERR "PAX: bytes at PC: ");
1613 + for (i = 0; i < 5; i++) {
1615 + if (get_user(c, (unsigned int *)pc+i))
1616 + printk(KERN_CONT "???????? ");
1618 + printk(KERN_CONT "%08x ", c);
1625 * This routine handles page faults. It determines the address,
1626 * and the problem, and then passes it off to one of the appropriate
1627 diff -urNp linux-2.6.38.4/arch/parisc/include/asm/elf.h linux-2.6.38.4/arch/parisc/include/asm/elf.h
1628 --- linux-2.6.38.4/arch/parisc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1629 +++ linux-2.6.38.4/arch/parisc/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
1630 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1632 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1634 +#ifdef CONFIG_PAX_ASLR
1635 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1637 +#define PAX_DELTA_MMAP_LEN 16
1638 +#define PAX_DELTA_STACK_LEN 16
1641 /* This yields a mask that user programs can use to figure out what
1642 instruction set this CPU supports. This could be done in user space,
1643 but it's not easy, and we've already done it here. */
1644 diff -urNp linux-2.6.38.4/arch/parisc/include/asm/pgtable.h linux-2.6.38.4/arch/parisc/include/asm/pgtable.h
1645 --- linux-2.6.38.4/arch/parisc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
1646 +++ linux-2.6.38.4/arch/parisc/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
1647 @@ -209,6 +209,17 @@ struct vm_area_struct;
1648 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1649 #define PAGE_COPY PAGE_EXECREAD
1650 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1652 +#ifdef CONFIG_PAX_PAGEEXEC
1653 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1654 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1655 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1657 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1658 +# define PAGE_COPY_NOEXEC PAGE_COPY
1659 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1662 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1663 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1664 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1665 diff -urNp linux-2.6.38.4/arch/parisc/kernel/module.c linux-2.6.38.4/arch/parisc/kernel/module.c
1666 --- linux-2.6.38.4/arch/parisc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
1667 +++ linux-2.6.38.4/arch/parisc/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
1670 /* three functions to determine where in the module core
1671 * or init pieces the location is */
1672 +static inline int in_init_rx(struct module *me, void *loc)
1674 + return (loc >= me->module_init_rx &&
1675 + loc < (me->module_init_rx + me->init_size_rx));
1678 +static inline int in_init_rw(struct module *me, void *loc)
1680 + return (loc >= me->module_init_rw &&
1681 + loc < (me->module_init_rw + me->init_size_rw));
1684 static inline int in_init(struct module *me, void *loc)
1686 - return (loc >= me->module_init &&
1687 - loc <= (me->module_init + me->init_size));
1688 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1691 +static inline int in_core_rx(struct module *me, void *loc)
1693 + return (loc >= me->module_core_rx &&
1694 + loc < (me->module_core_rx + me->core_size_rx));
1697 +static inline int in_core_rw(struct module *me, void *loc)
1699 + return (loc >= me->module_core_rw &&
1700 + loc < (me->module_core_rw + me->core_size_rw));
1703 static inline int in_core(struct module *me, void *loc)
1705 - return (loc >= me->module_core &&
1706 - loc <= (me->module_core + me->core_size));
1707 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1710 static inline int in_local(struct module *me, void *loc)
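Review bot: The new range helpers use an exclusive upper bound (`loc < base + size`) where the replaced in_init/in_core used `<=`, so an address exactly one past the end of a region is no longer counted as inside it; that is the correct half-open check, but it is an unannounced behaviour change for in_init, in_core and whatever is built on them (in_local, starting right after the hunk), and should be mentioned in the commit message or on the helpers with a comment such as `/* half-open: [base, base + size) */`. The hunk's `@@` header is not visible here, so the surrounding context is partly inferred.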
1711 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1714 /* align things a bit */
1715 - me->core_size = ALIGN(me->core_size, 16);
1716 - me->arch.got_offset = me->core_size;
1717 - me->core_size += gots * sizeof(struct got_entry);
1719 - me->core_size = ALIGN(me->core_size, 16);
1720 - me->arch.fdesc_offset = me->core_size;
1721 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1722 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1723 + me->arch.got_offset = me->core_size_rw;
1724 + me->core_size_rw += gots * sizeof(struct got_entry);
1726 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1727 + me->arch.fdesc_offset = me->core_size_rw;
1728 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1730 me->arch.got_max = gots;
1731 me->arch.fdesc_max = fdescs;
1732 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1736 - got = me->module_core + me->arch.got_offset;
1737 + got = me->module_core_rw + me->arch.got_offset;
1738 for (i = 0; got[i].addr; i++)
1739 if (got[i].addr == value)
1741 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1743 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1745 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1746 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1749 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1750 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1752 /* Create new one */
1753 fdesc->addr = value;
1754 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1755 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1756 return (Elf_Addr)fdesc;
1758 #endif /* CONFIG_64BIT */
1759 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1761 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1762 end = table + sechdrs[me->arch.unwind_section].sh_size;
1763 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1764 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1766 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1767 me->arch.unwind_section, table, end, gp);
1768 diff -urNp linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c
1769 --- linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c 2011-03-14 21:20:32.000000000 -0400
1770 +++ linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c 2011-04-17 15:57:32.000000000 -0400
1771 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1772 /* At this point: (!vma || addr < vma->vm_end). */
1773 if (TASK_SIZE - len < addr)
1775 - if (!vma || addr + len <= vma->vm_start)
1776 + if (check_heap_stack_gap(vma, addr, len))
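Review bot: check_heap_stack_gap(vma, addr, len) replaces the inline `!vma || addr + len <= vma->vm_start` test here and again in get_shared_area, but its definition is not on this page, so the `vma == NULL` short-circuit the old condition provided now has to live inside the helper. Both call sites fall through to dereference vma (`vma->vm_end`) when the check fails, so a helper that does not itself return true for a NULL vma would turn the end-of-address-space case into a NULL dereference. A one-line comment at the first call site, `/* check_heap_stack_gap() returns true for vma == NULL, so the fall-through below may deref vma */`, would make that contract visible to the next reader. The enclosing get_unshared_area body starts and ends outside this hunk.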
1780 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1781 /* At this point: (!vma || addr < vma->vm_end). */
1782 if (TASK_SIZE - len < addr)
1784 - if (!vma || addr + len <= vma->vm_start)
1785 + if (check_heap_stack_gap(vma, addr, len))
1787 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1788 if (addr < vma->vm_end) /* handle wraparound */
1789 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1790 if (flags & MAP_FIXED)
1793 - addr = TASK_UNMAPPED_BASE;
1794 + addr = current->mm->mmap_base;
1797 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1798 diff -urNp linux-2.6.38.4/arch/parisc/kernel/traps.c linux-2.6.38.4/arch/parisc/kernel/traps.c
1799 --- linux-2.6.38.4/arch/parisc/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
1800 +++ linux-2.6.38.4/arch/parisc/kernel/traps.c 2011-04-17 15:57:32.000000000 -0400
1801 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1803 down_read(¤t->mm->mmap_sem);
1804 vma = find_vma(current->mm,regs->iaoq[0]);
1805 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1806 - && (vma->vm_flags & VM_EXEC)) {
1808 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1809 fault_address = regs->iaoq[0];
1810 fault_space = regs->iasq[0];
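Review bot: Dropping the `(vma->vm_flags & VM_EXEC)` term from the condition changes which faults handle_interruption classifies as instruction fetches, and nothing in the hunk says why a fetch from a mapped but non-executable vma should now take this path. Presumably the intent is to let the page-fault handler (the PAGEEXEC branch added to arch/parisc/mm/fault.c in this same patch) see those faults rather than treating them as bad-area errors here; that reasoning deserves a comment on the new `if`, e.g. `/* PaX: non-exec vmas are handled by do_page_fault(), so do not filter on VM_EXEC here */`. handle_interruption continues outside this hunk.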
1812 diff -urNp linux-2.6.38.4/arch/parisc/mm/fault.c linux-2.6.38.4/arch/parisc/mm/fault.c
1813 --- linux-2.6.38.4/arch/parisc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1814 +++ linux-2.6.38.4/arch/parisc/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
1816 #include <linux/sched.h>
1817 #include <linux/interrupt.h>
1818 #include <linux/module.h>
1819 +#include <linux/unistd.h>
1821 #include <asm/uaccess.h>
1822 #include <asm/traps.h>
1823 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1824 static unsigned long
1825 parisc_acctyp(unsigned long code, unsigned int inst)
1827 - if (code == 6 || code == 16)
1828 + if (code == 6 || code == 7 || code == 16)
1831 switch (inst & 0xf0000000) {
1832 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1836 +#ifdef CONFIG_PAX_PAGEEXEC
1838 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1840 + * returns 1 when task should be killed
1841 + * 2 when rt_sigreturn trampoline was detected
1842 + * 3 when unpatched PLT trampoline was detected
1844 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1847 +#ifdef CONFIG_PAX_EMUPLT
1850 + do { /* PaX: unpatched PLT emulation */
1851 + unsigned int bl, depwi;
1853 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1854 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1859 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1860 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1862 + err = get_user(ldw, (unsigned int *)addr);
1863 + err |= get_user(bv, (unsigned int *)(addr+4));
1864 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1869 + if (ldw == 0x0E801096U &&
1870 + bv == 0xEAC0C000U &&
1871 + ldw2 == 0x0E881095U)
1873 + unsigned int resolver, map;
1875 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1876 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1880 + regs->gr[20] = instruction_pointer(regs)+8;
1881 + regs->gr[21] = map;
1882 + regs->gr[22] = resolver;
1883 + regs->iaoq[0] = resolver | 3UL;
1884 + regs->iaoq[1] = regs->iaoq[0] + 4;
1891 +#ifdef CONFIG_PAX_EMUTRAMP
1893 +#ifndef CONFIG_PAX_EMUSIGRT
1894 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1898 + do { /* PaX: rt_sigreturn emulation */
1899 + unsigned int ldi1, ldi2, bel, nop;
1901 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1902 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1903 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1904 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1909 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1910 + ldi2 == 0x3414015AU &&
1911 + bel == 0xE4008200U &&
1912 + nop == 0x08000240U)
1914 + regs->gr[25] = (ldi1 & 2) >> 1;
1915 + regs->gr[20] = __NR_rt_sigreturn;
1916 + regs->gr[31] = regs->iaoq[1] + 16;
1917 + regs->sr[0] = regs->iasq[1];
1918 + regs->iaoq[0] = 0x100UL;
1919 + regs->iaoq[1] = regs->iaoq[0] + 4;
1920 + regs->iasq[0] = regs->sr[2];
1921 + regs->iasq[1] = regs->sr[2];
1930 +void pax_report_insns(void *pc, void *sp)
1934 + printk(KERN_ERR "PAX: bytes at PC: ");
1935 + for (i = 0; i < 5; i++) {
1937 + if (get_user(c, (unsigned int *)pc+i))
1938 + printk(KERN_CONT "???????? ");
1940 + printk(KERN_CONT "%08x ", c);
1946 int fixup_exception(struct pt_regs *regs)
1948 const struct exception_table_entry *fix;
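Review bot: Every get_user() in pax_handle_fetch_fault and pax_report_insns casts a user address to a plain `(unsigned int *)`, which drops the `__user` address-space annotation and will trip sparse; `(unsigned int __user *)instruction_pointer(regs)` and `(unsigned int __user *)pc + i` keep the checker useful on a path that reads user memory by design. The instruction words compared (`0xEA9F1FDDU`, `0xD6801C1EU`, `0x0E801096U`, `0xEAC0C000U`, `0x0E881095U`, and the ldi/be/nop sequence in the rt_sigreturn block) carry no comment giving the decoded instruction each one stands for; the variable names hint at the mnemonics, so a short comment per comparison listing the expected sequence would let a reviewer verify the match without a disassembler. The `err` accumulated from get_user() is checked only on lines not shown on this page (the gaps after each read group), so I am assuming those lines `break` on error before the compare. The `resolver | 3UL` written to `iaoq[0]` in the PLT branch also deserves a comment: the low two bits of an instruction address on PA-RISC are presumably the privilege level, and forcing them to 3 keeps the redirected target in user mode even though `resolver` itself came from user memory.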
1949 @@ -192,8 +303,33 @@ good_area:
1951 acc_type = parisc_acctyp(code,regs->iir);
1953 - if ((vma->vm_flags & acc_type) != acc_type)
1954 + if ((vma->vm_flags & acc_type) != acc_type) {
1956 +#ifdef CONFIG_PAX_PAGEEXEC
1957 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1958 + (address & ~3UL) == instruction_pointer(regs))
1960 + up_read(&mm->mmap_sem);
1961 + switch (pax_handle_fetch_fault(regs)) {
1963 +#ifdef CONFIG_PAX_EMUPLT
1968 +#ifdef CONFIG_PAX_EMUTRAMP
1974 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1975 + do_group_exit(SIGKILL);
1983 * If for any reason at all we couldn't handle the fault, make
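Review bot: The condition `(address & ~3UL) == instruction_pointer(regs)` masks the low two bits of the fault address without saying why; presumably those bits carry the PA-RISC privilege level and the compare is meant to be on the word address only, which is worth a comment such as `/* low two bits hold the privilege level; compare word addresses */`. The `switch` cases between the `up_read(&mm->mmap_sem)` and the `pax_report_fault()` call are not shown on this page, so I cannot confirm each emulation case returns before the kill path; after the `up_read` nothing in this branch may touch `vma` again. The enclosing do_page_fault body starts and ends outside this hunk.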
1984 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/device.h linux-2.6.38.4/arch/powerpc/include/asm/device.h
1985 --- linux-2.6.38.4/arch/powerpc/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1986 +++ linux-2.6.38.4/arch/powerpc/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
1987 @@ -17,7 +17,7 @@ struct device_node;
1989 struct dev_archdata {
1990 /* DMA operations on that device */
1991 - struct dma_map_ops *dma_ops;
1992 + const struct dma_map_ops *dma_ops;
1995 * When an iommu is in use, dma_data is used as a ptr to the base of the
1996 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h
1997 --- linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1998 +++ linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
1999 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2001 * Available generic sets of operations
2003 +/* cannot be const */
2005 -extern struct dma_map_ops dma_iommu_ops;
2006 +extern const struct dma_map_ops dma_iommu_ops;
2008 -extern struct dma_map_ops dma_direct_ops;
2009 +extern const struct dma_map_ops dma_direct_ops;
2011 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2012 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2014 /* We don't handle the NULL dev case for ISA for now. We could
2015 * do it via an out of line call but it is not needed for now. The
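Review bot: The new comment `/* cannot be const */` is placed directly above a declaration that this same hunk changes to `extern const struct dma_map_ops dma_iommu_ops;`, and the definition in arch/powerpc/kernel/dma-iommu.c (further down this page) is left non-const with the note that arch/powerpc/platforms/cell/iommu.c writes to it. A const declaration and a non-const definition of the same object are incompatible types, and any translation unit that includes this header will see a conflicting-type-qualifiers diagnostic; the compiler may also treat reads through the const declaration as immutable. The declaration should match the definition: `extern struct dma_map_ops dma_iommu_ops; /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */`. The other dma_map_ops objects in this hunk (dma_direct_ops) are constified in both header and definition, so only dma_iommu_ops is affected.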
2016 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2017 return dev->archdata.dma_ops;
2020 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2021 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2023 dev->archdata.dma_ops = ops;
2025 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2027 static inline int dma_supported(struct device *dev, u64 mask)
2029 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2030 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2032 if (unlikely(dma_ops == NULL))
2034 @@ -132,7 +133,7 @@ extern int dma_set_mask(struct device *d
2035 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2036 dma_addr_t *dma_handle, gfp_t flag)
2038 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2039 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2043 @@ -147,7 +148,7 @@ static inline void *dma_alloc_coherent(s
2044 static inline void dma_free_coherent(struct device *dev, size_t size,
2045 void *cpu_addr, dma_addr_t dma_handle)
2047 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2048 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2052 @@ -158,7 +159,7 @@ static inline void dma_free_coherent(str
2054 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2056 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2057 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2059 if (dma_ops->mapping_error)
2060 return dma_ops->mapping_error(dev, dma_addr);
2061 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/elf.h linux-2.6.38.4/arch/powerpc/include/asm/elf.h
2062 --- linux-2.6.38.4/arch/powerpc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
2063 +++ linux-2.6.38.4/arch/powerpc/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
2064 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2065 the loader. We need to make sure that it is out of the way of the program
2066 that it will "exec", and that there is sufficient room for the brk. */
2068 -extern unsigned long randomize_et_dyn(unsigned long base);
2069 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2070 +#define ELF_ET_DYN_BASE (0x20000000)
2072 +#ifdef CONFIG_PAX_ASLR
2073 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2075 +#ifdef __powerpc64__
2076 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
2077 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
2079 +#define PAX_DELTA_MMAP_LEN 15
2080 +#define PAX_DELTA_STACK_LEN 15
2085 * Our registers are always unsigned longs, whether we're a 32 bit
2086 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2087 (0x7ff >> (PAGE_SHIFT - 12)) : \
2088 (0x3ffff >> (PAGE_SHIFT - 12)))
2090 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2091 -#define arch_randomize_brk arch_randomize_brk
2093 #endif /* __KERNEL__ */
2096 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/iommu.h linux-2.6.38.4/arch/powerpc/include/asm/iommu.h
2097 --- linux-2.6.38.4/arch/powerpc/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
2098 +++ linux-2.6.38.4/arch/powerpc/include/asm/iommu.h 2011-04-17 15:57:32.000000000 -0400
2099 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2100 extern void iommu_init_early_dart(void);
2101 extern void iommu_init_early_pasemi(void);
2104 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2107 extern void pci_iommu_init(void);
2108 extern void pci_direct_iommu_init(void);
2109 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h
2110 --- linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
2111 +++ linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
2112 @@ -27,6 +27,7 @@ enum km_type {
2120 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/page_64.h linux-2.6.38.4/arch/powerpc/include/asm/page_64.h
2121 --- linux-2.6.38.4/arch/powerpc/include/asm/page_64.h 2011-03-14 21:20:32.000000000 -0400
2122 +++ linux-2.6.38.4/arch/powerpc/include/asm/page_64.h 2011-04-17 15:57:32.000000000 -0400
2123 @@ -172,15 +172,18 @@ do { \
2124 * stack by default, so in the absense of a PT_GNU_STACK program header
2125 * we turn execute permission off.
2127 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2128 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2129 +#define VM_STACK_DEFAULT_FLAGS32 \
2130 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2131 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2133 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2134 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2136 +#ifndef CONFIG_PAX_PAGEEXEC
2137 #define VM_STACK_DEFAULT_FLAGS \
2138 (is_32bit_task() ? \
2139 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2142 #include <asm-generic/getorder.h>
2144 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/page.h linux-2.6.38.4/arch/powerpc/include/asm/page.h
2145 --- linux-2.6.38.4/arch/powerpc/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
2146 +++ linux-2.6.38.4/arch/powerpc/include/asm/page.h 2011-04-17 15:57:32.000000000 -0400
2147 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2148 * and needs to be executable. This means the whole heap ends
2149 * up being executable.
2151 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2152 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2153 +#define VM_DATA_DEFAULT_FLAGS32 \
2154 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2155 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2157 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2158 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2159 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2160 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2163 +#define ktla_ktva(addr) (addr)
2164 +#define ktva_ktla(addr) (addr)
2166 #ifndef __ASSEMBLY__
2168 #undef STRICT_MM_TYPECHECKS
2169 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/pci.h linux-2.6.38.4/arch/powerpc/include/asm/pci.h
2170 --- linux-2.6.38.4/arch/powerpc/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
2171 +++ linux-2.6.38.4/arch/powerpc/include/asm/pci.h 2011-04-17 15:57:32.000000000 -0400
2172 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2176 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2177 -extern struct dma_map_ops *get_pci_dma_ops(void);
2178 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2179 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2180 #else /* CONFIG_PCI */
2181 #define set_pci_dma_ops(d)
2182 #define get_pci_dma_ops() NULL
2183 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h
2184 --- linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
2185 +++ linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
2187 #define _ASM_POWERPC_PGTABLE_H
2190 +#include <linux/const.h>
2191 #ifndef __ASSEMBLY__
2192 #include <asm/processor.h> /* For TASK_SIZE */
2193 #include <asm/mmu.h>
2194 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h
2195 --- linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h 2011-03-14 21:20:32.000000000 -0400
2196 +++ linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h 2011-04-17 15:57:32.000000000 -0400
2198 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2199 #define _PAGE_USER 0x004 /* usermode access allowed */
2200 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2201 +#define _PAGE_EXEC _PAGE_GUARDED
2202 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2203 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2204 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
2205 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/reg.h linux-2.6.38.4/arch/powerpc/include/asm/reg.h
2206 --- linux-2.6.38.4/arch/powerpc/include/asm/reg.h 2011-04-18 17:27:13.000000000 -0400
2207 +++ linux-2.6.38.4/arch/powerpc/include/asm/reg.h 2011-04-17 15:57:32.000000000 -0400
2209 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2210 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2211 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2212 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2213 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2214 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2215 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2216 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h
2217 --- linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h 2011-03-14 21:20:32.000000000 -0400
2218 +++ linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h 2011-04-17 15:57:32.000000000 -0400
2221 #include <linux/swiotlb.h>
2223 -extern struct dma_map_ops swiotlb_dma_ops;
2224 +extern const struct dma_map_ops swiotlb_dma_ops;
2226 static inline void dma_mark_clean(void *addr, size_t size) {}
2228 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/system.h linux-2.6.38.4/arch/powerpc/include/asm/system.h
2229 --- linux-2.6.38.4/arch/powerpc/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
2230 +++ linux-2.6.38.4/arch/powerpc/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
2231 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2232 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2235 -extern unsigned long arch_align_stack(unsigned long sp);
2236 +#define arch_align_stack(x) ((x) & ~0xfUL)
2238 /* Used in very early kernel initialization. */
2239 extern unsigned long reloc_offset(void);
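Review bot: Replacing the arch_align_stack() function with `#define arch_align_stack(x) ((x) & ~0xfUL)` silently removes the per-exec stack-top randomization the function used to apply (the deleted body is in the process.c hunk further down, which runs past the end of this page), and nothing at the macro says so. Presumably the PaX stack randomization configured via PAX_DELTA_STACK_LEN in elf.h takes over that role; a comment on the macro, `/* no randomization here: PaX randomizes the stack via PAX_DELTA_STACK_LEN */`, would stop a later reader from reinstating it and double-randomizing.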
2240 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h
2241 --- linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
2242 +++ linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
2244 #define VERIFY_READ 0
2245 #define VERIFY_WRITE 1
2247 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2250 * The fs value determines whether argument validity checking should be
2251 * performed or not. If get_fs() == USER_DS, checking is performed, with
2252 @@ -327,52 +329,6 @@ do { \
2253 extern unsigned long __copy_tofrom_user(void __user *to,
2254 const void __user *from, unsigned long size);
2256 -#ifndef __powerpc64__
2258 -static inline unsigned long copy_from_user(void *to,
2259 - const void __user *from, unsigned long n)
2261 - unsigned long over;
2263 - if (access_ok(VERIFY_READ, from, n))
2264 - return __copy_tofrom_user((__force void __user *)to, from, n);
2265 - if ((unsigned long)from < TASK_SIZE) {
2266 - over = (unsigned long)from + n - TASK_SIZE;
2267 - return __copy_tofrom_user((__force void __user *)to, from,
2273 -static inline unsigned long copy_to_user(void __user *to,
2274 - const void *from, unsigned long n)
2276 - unsigned long over;
2278 - if (access_ok(VERIFY_WRITE, to, n))
2279 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2280 - if ((unsigned long)to < TASK_SIZE) {
2281 - over = (unsigned long)to + n - TASK_SIZE;
2282 - return __copy_tofrom_user(to, (__force void __user *)from,
2288 -#else /* __powerpc64__ */
2290 -#define __copy_in_user(to, from, size) \
2291 - __copy_tofrom_user((to), (from), (size))
2293 -extern unsigned long copy_from_user(void *to, const void __user *from,
2295 -extern unsigned long copy_to_user(void __user *to, const void *from,
2297 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2300 -#endif /* __powerpc64__ */
2302 static inline unsigned long __copy_from_user_inatomic(void *to,
2303 const void __user *from, unsigned long n)
2305 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2310 + if (!__builtin_constant_p(n))
2311 + check_object_size(to, n, false);
2313 return __copy_tofrom_user((__force void __user *)to, from, n);
2316 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2321 + if (!__builtin_constant_p(n))
2322 + check_object_size(from, n, true);
2324 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2327 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2328 return __copy_to_user_inatomic(to, from, size);
2331 +#ifndef __powerpc64__
2333 +static inline unsigned long __must_check copy_from_user(void *to,
2334 + const void __user *from, unsigned long n)
2336 + unsigned long over;
2341 + if (access_ok(VERIFY_READ, from, n)) {
2342 + if (!__builtin_constant_p(n))
2343 + check_object_size(to, n, false);
2344 + return __copy_tofrom_user((__force void __user *)to, from, n);
2346 + if ((unsigned long)from < TASK_SIZE) {
2347 + over = (unsigned long)from + n - TASK_SIZE;
2348 + if (!__builtin_constant_p(n - over))
2349 + check_object_size(to, n - over, false);
2350 + return __copy_tofrom_user((__force void __user *)to, from,
2356 +static inline unsigned long __must_check copy_to_user(void __user *to,
2357 + const void *from, unsigned long n)
2359 + unsigned long over;
2364 + if (access_ok(VERIFY_WRITE, to, n)) {
2365 + if (!__builtin_constant_p(n))
2366 + check_object_size(from, n, true);
2367 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2369 + if ((unsigned long)to < TASK_SIZE) {
2370 + over = (unsigned long)to + n - TASK_SIZE;
2371 + if (!__builtin_constant_p(n))
2372 + check_object_size(from, n - over, true);
2373 + return __copy_tofrom_user(to, (__force void __user *)from,
2379 +#else /* __powerpc64__ */
2381 +#define __copy_in_user(to, from, size) \
2382 + __copy_tofrom_user((to), (from), (size))
2384 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2386 + if ((long)n < 0 || n > INT_MAX)
2389 + if (!__builtin_constant_p(n))
2390 + check_object_size(to, n, false);
2392 + if (likely(access_ok(VERIFY_READ, from, n)))
2393 + n = __copy_from_user(to, from, n);
2399 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2401 + if ((long)n < 0 || n > INT_MAX)
2404 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2405 + if (!__builtin_constant_p(n))
2406 + check_object_size(from, n, true);
2407 + n = __copy_to_user(to, from, n);
2412 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2415 +#endif /* __powerpc64__ */
2417 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2419 static inline unsigned long clear_user(void __user *addr, unsigned long size)
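Review bot: In the 32-bit copy_to_user the partial-copy branch guards the check with `if (!__builtin_constant_p(n))` while passing `n - over` to check_object_size(), whereas copy_from_user tests `!__builtin_constant_p(n - over)` for the same situation; since `over` is computed from the user pointer at run time, `n - over` is never a compile-time constant, so copy_to_user skips the object-size check whenever `n` is a literal. The line should read `if (!__builtin_constant_p(n - over))` to match copy_from_user. In the 64-bit variants, `(long)n < 0 || n > INT_MAX` is redundant on a 64-bit unsigned long, as any value with the sign bit set already exceeds INT_MAX; the `n > INT_MAX` test alone is clearer. The early return after that size check, and the else branch after the access_ok() test in copy_from_user, are not shown on this page, so I am assuming the conventional zero-fill of `to` on a rejected user pointer is preserved there.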
2420 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/dma.c linux-2.6.38.4/arch/powerpc/kernel/dma.c
2421 --- linux-2.6.38.4/arch/powerpc/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
2422 +++ linux-2.6.38.4/arch/powerpc/kernel/dma.c 2011-04-17 15:57:32.000000000 -0400
2423 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
2427 -struct dma_map_ops dma_direct_ops = {
2428 +const struct dma_map_ops dma_direct_ops = {
2429 .alloc_coherent = dma_direct_alloc_coherent,
2430 .free_coherent = dma_direct_free_coherent,
2431 .map_sg = dma_direct_map_sg,
2432 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
2434 int dma_set_mask(struct device *dev, u64 dma_mask)
2436 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2437 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2439 if (ppc_md.dma_set_mask)
2440 return ppc_md.dma_set_mask(dev, dma_mask);
2441 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c
2442 --- linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c 2011-03-14 21:20:32.000000000 -0400
2443 +++ linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c 2011-04-17 15:57:32.000000000 -0400
2444 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2447 /* We support DMA to/from any memory page via the iommu */
2448 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2449 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2451 struct iommu_table *tbl = get_iommu_table_base(dev);
2453 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
2457 -struct dma_map_ops dma_iommu_ops = {
2458 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2459 .alloc_coherent = dma_iommu_alloc_coherent,
2460 .free_coherent = dma_iommu_free_coherent,
2461 .map_sg = dma_iommu_map_sg,
2462 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c
2463 --- linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
2464 +++ linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c 2011-04-17 15:57:32.000000000 -0400
2465 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2466 * map_page, and unmap_page on highmem, use normal dma_ops
2467 * for everything else.
2469 -struct dma_map_ops swiotlb_dma_ops = {
2470 +const struct dma_map_ops swiotlb_dma_ops = {
2471 .alloc_coherent = dma_direct_alloc_coherent,
2472 .free_coherent = dma_direct_free_coherent,
2473 .map_sg = swiotlb_map_sg_attrs,
2474 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S
2475 --- linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S 2011-03-14 21:20:32.000000000 -0400
2476 +++ linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S 2011-04-17 15:57:32.000000000 -0400
2477 @@ -495,6 +495,7 @@ storage_fault_common:
2480 addi r3,r1,STACK_FRAME_OVERHEAD
2484 ld r14,PACA_EXGEN+EX_R14(r13)
2485 @@ -504,8 +505,7 @@ storage_fault_common:
2488 b .ret_from_except_lite
2492 addi r3,r1,STACK_FRAME_OVERHEAD
2495 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S
2496 --- linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S 2011-03-14 21:20:32.000000000 -0400
2497 +++ linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S 2011-04-17 15:57:32.000000000 -0400
2498 @@ -848,10 +848,10 @@ handle_page_fault:
2501 addi r3,r1,STACK_FRAME_OVERHEAD
2508 addi r3,r1,STACK_FRAME_OVERHEAD
2510 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c
2511 --- linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c 2011-03-14 21:20:32.000000000 -0400
2512 +++ linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c 2011-04-17 15:57:32.000000000 -0400
2513 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2517 -static struct dma_map_ops ibmebus_dma_ops = {
2518 +static const struct dma_map_ops ibmebus_dma_ops = {
2519 .alloc_coherent = ibmebus_alloc_coherent,
2520 .free_coherent = ibmebus_free_coherent,
2521 .map_sg = ibmebus_map_sg,
2522 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/kgdb.c linux-2.6.38.4/arch/powerpc/kernel/kgdb.c
2523 --- linux-2.6.38.4/arch/powerpc/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
2524 +++ linux-2.6.38.4/arch/powerpc/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
2525 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
2529 -struct kgdb_arch arch_kgdb_ops = {
2530 +const struct kgdb_arch arch_kgdb_ops = {
2531 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2534 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/module_32.c linux-2.6.38.4/arch/powerpc/kernel/module_32.c
2535 --- linux-2.6.38.4/arch/powerpc/kernel/module_32.c 2011-03-14 21:20:32.000000000 -0400
2536 +++ linux-2.6.38.4/arch/powerpc/kernel/module_32.c 2011-04-17 15:57:32.000000000 -0400
2537 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2538 me->arch.core_plt_section = i;
2540 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2541 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2542 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2546 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2548 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2549 /* Init, or core PLT? */
2550 - if (location >= mod->module_core
2551 - && location < mod->module_core + mod->core_size)
2552 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2553 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2554 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2556 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2557 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2558 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2560 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2564 /* Find this entry, or if that fails, the next avail. entry */
2565 while (entry->jump[0]) {
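Review bot: The four open-coded range tests on module_core_rx/rw and module_init_rx/rw in do_plt_call repeat the exact pattern that the parisc module.c hunk earlier on this page factors into in_core_rx()/in_core_rw()/in_init_rx()/in_init_rw() helpers, and the long `||` lines here are hard to verify by eye. Static inline helpers of the same shape, or a single `in_range(base, size, location)` helper, would make the two branches read as `if (in_core(mod, location)) ... else if (in_init(mod, location))`. The new else branch prints an error but the statement that follows it is not shown on this page, so I cannot confirm what `entry` holds when neither range matches; the comment `/* location outside both core and init: refuse the relocation */` next to the printk would document the expected outcome. do_plt_call continues outside this hunk.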
2566 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/module.c linux-2.6.38.4/arch/powerpc/kernel/module.c
2567 --- linux-2.6.38.4/arch/powerpc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
2568 +++ linux-2.6.38.4/arch/powerpc/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
2571 LIST_HEAD(module_bug_list);
2573 +#ifdef CONFIG_PAX_KERNEXEC
2574 void *module_alloc(unsigned long size)
2579 + return vmalloc(size);
2582 +void *module_alloc_exec(unsigned long size)
2584 +void *module_alloc(unsigned long size)
2591 return vmalloc_exec(size);
2594 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2595 vfree(module_region);
2598 +#ifdef CONFIG_PAX_KERNEXEC
2599 +void module_free_exec(struct module *mod, void *module_region)
2601 + module_free(mod, module_region);
2605 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2606 const Elf_Shdr *sechdrs,
2608 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/pci-common.c linux-2.6.38.4/arch/powerpc/kernel/pci-common.c
2609 --- linux-2.6.38.4/arch/powerpc/kernel/pci-common.c 2011-03-14 21:20:32.000000000 -0400
2610 +++ linux-2.6.38.4/arch/powerpc/kernel/pci-common.c 2011-04-17 15:57:32.000000000 -0400
2611 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2612 unsigned int ppc_pci_flags = 0;
2615 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2616 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2618 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2619 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2621 pci_dma_ops = dma_ops;
2624 -struct dma_map_ops *get_pci_dma_ops(void)
2625 +const struct dma_map_ops *get_pci_dma_ops(void)
2629 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/process.c linux-2.6.38.4/arch/powerpc/kernel/process.c
2630 --- linux-2.6.38.4/arch/powerpc/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
2631 +++ linux-2.6.38.4/arch/powerpc/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
2632 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
2633 * Lookup NIP late so we have the best change of getting the
2634 * above info out without failing
2636 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2637 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2638 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2639 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2641 show_stack(current, (unsigned long *) regs->gpr[1]);
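Review bot: `%pA` is not a pointer format the base 2.6.38 `lib/vsprintf.c` understands, so these two printk calls (and the same switch in the two `show_stack` hunks below) depend on a vsprintf extension that is presumably added elsewhere in this patch; if that part is missing or reverted, an unknown `%p<alnum>` extension in this kernel falls back to printing the raw hex address, which is the very kernel-address exposure the `%pS` → `%pA` change appears meant to control. Nothing near the call sites says what the new format is for; add `/* %pA: PaX symbol format, handled in lib/vsprintf.c */` at the first use or name the format in the patch description. `show_regs` starts outside this hunk.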
2642 if (!user_mode(regs))
2643 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
2645 ip = stack[STACK_FRAME_LR_SAVE];
2646 if (!firstframe || ip != lr) {
2647 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2648 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2649 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2650 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2653 (void *)current->ret_stack[curr_frame].ret);
2656 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
2657 struct pt_regs *regs = (struct pt_regs *)
2658 (sp + STACK_FRAME_OVERHEAD);
2660 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2661 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2662 regs->trap, (void *)regs->nip, (void *)lr);
2665 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
2668 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2670 -unsigned long arch_align_stack(unsigned long sp)
2672 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2673 - sp -= get_random_int() & ~PAGE_MASK;
2677 -static inline unsigned long brk_rnd(void)
2679 - unsigned long rnd = 0;
2681 - /* 8MB for 32bit, 1GB for 64bit */
2682 - if (is_32bit_task())
2683 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2685 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2687 - return rnd << PAGE_SHIFT;
2690 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2692 - unsigned long base = mm->brk;
2693 - unsigned long ret;
2695 -#ifdef CONFIG_PPC_STD_MMU_64
2697 - * If we are using 1TB segments and we are allowed to randomise
2698 - * the heap, we can put it above 1TB so it is backed by a 1TB
2699 - * segment. Otherwise the heap will be in the bottom 1TB
2700 - * which always uses 256MB segments and this may result in a
2701 - * performance penalty.
2703 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2704 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2707 - ret = PAGE_ALIGN(base + brk_rnd());
2709 - if (ret < mm->brk)
2715 -unsigned long randomize_et_dyn(unsigned long base)
2717 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2724 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/signal_32.c linux-2.6.38.4/arch/powerpc/kernel/signal_32.c
2725 --- linux-2.6.38.4/arch/powerpc/kernel/signal_32.c 2011-03-14 21:20:32.000000000 -0400
2726 +++ linux-2.6.38.4/arch/powerpc/kernel/signal_32.c 2011-04-17 15:57:32.000000000 -0400
2727 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2728 /* Save user registers on the stack */
2729 frame = &rt_sf->uc.uc_mcontext;
2731 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2732 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2733 if (save_user_regs(regs, frame, 0, 1))
2735 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
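Review bot: The new test recognises only `~0UL` as "no vDSO", so an `mm_context_t` whose `vdso_base` is still the zero a fresh mm starts with (one that never went through `arch_setup_additional_pages`, or any initialiser not updated to the new sentinel) is now treated as having a mapped vDSO and the return trampoline is computed as `0 + vdso32_rt_sigtramp`. Unless `init_new_context` is switched to `~0UL` elsewhere in the patch, reject both sentinels: `if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL && current->mm->context.vdso_base != 0) {`. The `signal_64.c` hunk has the same issue, and the `vdso.c` hunk that stores `~0UL` is the other half of this change. `handle_rt_signal32` continues outside the hunk.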
2736 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/signal_64.c linux-2.6.38.4/arch/powerpc/kernel/signal_64.c
2737 --- linux-2.6.38.4/arch/powerpc/kernel/signal_64.c 2011-03-14 21:20:32.000000000 -0400
2738 +++ linux-2.6.38.4/arch/powerpc/kernel/signal_64.c 2011-04-17 15:57:32.000000000 -0400
2739 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2740 current->thread.fpscr.val = 0;
2742 /* Set up to return from userspace. */
2743 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2744 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2745 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2747 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2748 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/vdso.c linux-2.6.38.4/arch/powerpc/kernel/vdso.c
2749 --- linux-2.6.38.4/arch/powerpc/kernel/vdso.c 2011-03-14 21:20:32.000000000 -0400
2750 +++ linux-2.6.38.4/arch/powerpc/kernel/vdso.c 2011-04-17 15:57:32.000000000 -0400
2752 #include <asm/firmware.h>
2753 #include <asm/vdso.h>
2754 #include <asm/vdso_datapage.h>
2755 +#include <asm/mman.h>
2759 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2760 vdso_base = VDSO32_MBASE;
2763 - current->mm->context.vdso_base = 0;
2764 + current->mm->context.vdso_base = ~0UL;
2766 /* vDSO has a problem and was disabled, just don't "enable" it for the
2768 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2769 vdso_base = get_unmapped_area(NULL, vdso_base,
2770 (vdso_pages << PAGE_SHIFT) +
2771 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2773 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2774 if (IS_ERR_VALUE(vdso_base)) {
2777 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/vio.c linux-2.6.38.4/arch/powerpc/kernel/vio.c
2778 --- linux-2.6.38.4/arch/powerpc/kernel/vio.c 2011-03-14 21:20:32.000000000 -0400
2779 +++ linux-2.6.38.4/arch/powerpc/kernel/vio.c 2011-04-17 15:57:32.000000000 -0400
2780 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
2781 return dma_iommu_ops.dma_supported(dev, mask);
2784 -struct dma_map_ops vio_dma_mapping_ops = {
2785 +const struct dma_map_ops vio_dma_mapping_ops = {
2786 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2787 .free_coherent = vio_dma_iommu_free_coherent,
2788 .map_sg = vio_dma_iommu_map_sg,
2789 .unmap_sg = vio_dma_iommu_unmap_sg,
2790 + .dma_supported = dma_iommu_dma_supported,
2791 .map_page = vio_dma_iommu_map_page,
2792 .unmap_page = vio_dma_iommu_unmap_page,
2793 .dma_supported = vio_dma_iommu_dma_supported,
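Review bot: The added `.dma_supported = dma_iommu_dma_supported,` is a duplicate designated initializer: the original `.dma_supported = vio_dma_iommu_dma_supported,` three lines later initialises the same member, and in C the last initializer for a member wins, so the new line has no effect (GCC reports this under `-Woverride-init`). Either drop the new line, or drop the old one together with the then-unused `vio_dma_iommu_dma_supported` wrapper, whichever was intended; now that the struct is `const`, nothing can patch the member at runtime either. Note that `vio_dma_iommu_dma_supported` reaches the IOMMU implementation through `dma_iommu_ops.dma_supported`, which suggests `dma_iommu_dma_supported` may not even be visible to this file unless another hunk exports it.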
2794 diff -urNp linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c
2795 --- linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
2796 +++ linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c 2011-04-17 15:57:32.000000000 -0400
2798 #include <linux/module.h>
2799 #include <asm/uaccess.h>
2801 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2803 - if (likely(access_ok(VERIFY_READ, from, n)))
2804 - n = __copy_from_user(to, from, n);
2810 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2812 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2813 - n = __copy_to_user(to, from, n);
2817 unsigned long copy_in_user(void __user *to, const void __user *from,
2820 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2824 -EXPORT_SYMBOL(copy_from_user);
2825 -EXPORT_SYMBOL(copy_to_user);
2826 EXPORT_SYMBOL(copy_in_user);
2828 diff -urNp linux-2.6.38.4/arch/powerpc/mm/fault.c linux-2.6.38.4/arch/powerpc/mm/fault.c
2829 --- linux-2.6.38.4/arch/powerpc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
2830 +++ linux-2.6.38.4/arch/powerpc/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
2832 #include <linux/kdebug.h>
2833 #include <linux/perf_event.h>
2834 #include <linux/magic.h>
2835 +#include <linux/slab.h>
2836 +#include <linux/pagemap.h>
2837 +#include <linux/compiler.h>
2838 +#include <linux/unistd.h>
2840 #include <asm/firmware.h>
2841 #include <asm/page.h>
2843 #include <asm/tlbflush.h>
2844 #include <asm/siginfo.h>
2845 #include <mm/mmu_decl.h>
2846 +#include <asm/ptrace.h>
2848 #ifdef CONFIG_KPROBES
2849 static inline int notify_page_fault(struct pt_regs *regs)
2850 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
2854 +#ifdef CONFIG_PAX_PAGEEXEC
2856 + * PaX: decide what to do with offenders (regs->nip = fault address)
2858 + * returns 1 when task should be killed
2860 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2865 +void pax_report_insns(void *pc, void *sp)
2869 + printk(KERN_ERR "PAX: bytes at PC: ");
2870 + for (i = 0; i < 5; i++) {
2872 + if (get_user(c, (unsigned int __user *)pc+i))
2873 + printk(KERN_CONT "???????? ");
2875 + printk(KERN_CONT "%08x ", c);
2882 * Check whether the instruction at regs->nip is a store using
2883 * an update addressing form which will update r1.
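Review bot: `pax_report_insns` dumps five 32-bit words at the faulting PC with an unconditional `printk(KERN_ERR ...)`, and an execution fault is something any unprivileged task can raise at will; unless `pax_report_fault` (defined outside this hunk) already rate-limits, gate the dump with `if (!printk_ratelimit()) return;` so a fork-and-fault loop cannot flood the log. Neither new function has a header comment; for `pax_report_insns` I would add `/* Log the 5 instruction words at pc (a user address); words that cannot be read are printed as ???????? */`, and the comment on `pax_handle_fetch_fault` should say what return values other than 1 mean. The declarations of `i` and `c` and most of `pax_handle_fetch_fault`'s body are not present in this chunk, so they are not reviewed here.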
2884 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
2885 * indicate errors in DSISR but can validly be set in SRR1.
2888 - error_code &= 0x48200000;
2889 + error_code &= 0x58200000;
2891 is_write = error_code & DSISR_ISSTORE;
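Review bot: The widened mask in `error_code &= 0x58200000;` is still a magic number, while the next hunks in this file spell the newly added bit as `DSISR_GUARDED`; a reader cannot tell from this line that the only change is adding that bit. Write the mask from the same symbols, e.g. `error_code &= DSISR_NOHPTE | DSISR_GUARDED | DSISR_PROTFAULT | DSISR_NOSEGMENT;` if those are the bits 0x48200000 stood for (verify against `asm/reg.h`), or at least annotate it with `/* 0x48200000 plus DSISR_GUARDED (0x10000000) */`. `do_page_fault` starts and ends outside this hunk.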
2893 @@ -258,7 +290,7 @@ good_area:
2894 * "undefined". Of those that can be set, this is the only
2895 * one which seems bad.
2897 - if (error_code & 0x10000000)
2898 + if (error_code & DSISR_GUARDED)
2899 /* Guarded storage error. */
2901 #endif /* CONFIG_8xx */
2902 @@ -273,7 +305,7 @@ good_area:
2903 * processors use the same I/D cache coherency mechanism
2906 - if (error_code & DSISR_PROTFAULT)
2907 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2909 #endif /* CONFIG_PPC_STD_MMU */
2911 @@ -342,6 +374,23 @@ bad_area:
2912 bad_area_nosemaphore:
2913 /* User mode accesses cause a SIGSEGV */
2914 if (user_mode(regs)) {
2916 +#ifdef CONFIG_PAX_PAGEEXEC
2917 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2918 +#ifdef CONFIG_PPC_STD_MMU
2919 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2921 + if (is_exec && regs->nip == address) {
2923 + switch (pax_handle_fetch_fault(regs)) {
2926 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2927 + do_group_exit(SIGKILL);
2932 _exception(SIGSEGV, regs, code, address);
2935 diff -urNp linux-2.6.38.4/arch/powerpc/mm/mmap_64.c linux-2.6.38.4/arch/powerpc/mm/mmap_64.c
2936 --- linux-2.6.38.4/arch/powerpc/mm/mmap_64.c 2011-03-14 21:20:32.000000000 -0400
2937 +++ linux-2.6.38.4/arch/powerpc/mm/mmap_64.c 2011-04-17 15:57:32.000000000 -0400
2938 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2940 if (mmap_is_legacy()) {
2941 mm->mmap_base = TASK_UNMAPPED_BASE;
2943 +#ifdef CONFIG_PAX_RANDMMAP
2944 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2945 + mm->mmap_base += mm->delta_mmap;
2948 mm->get_unmapped_area = arch_get_unmapped_area;
2949 mm->unmap_area = arch_unmap_area;
2951 mm->mmap_base = mmap_base();
2953 +#ifdef CONFIG_PAX_RANDMMAP
2954 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2955 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2958 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2959 mm->unmap_area = arch_unmap_area_topdown;
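Review bot: Neither branch documents what `delta_mmap`/`delta_stack` are or why the top-down base subtracts both while the legacy base adds only `delta_mmap`, and the two `#ifdef CONFIG_PAX_RANDMMAP` blocks are repeated verbatim in both `arch_pick_mmap_layout` hunks of `arch/s390/mm/mmap.c`. A comment on each block, `/* PaX RANDMMAP: shift the mmap base by this mm's random deltas */`, and one shared inline helper in a common header would keep the four copies from drifting. The top-down subtraction has no guard against wrapping below zero; if the deltas can approach the smallest value `mmap_base()` can return for large-page configurations (their bit widths are set in the arch elf.h, not in this chunk), a check before the subtraction is warranted. `arch_pick_mmap_layout` starts outside the hunk.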
2961 diff -urNp linux-2.6.38.4/arch/powerpc/mm/slice.c linux-2.6.38.4/arch/powerpc/mm/slice.c
2962 --- linux-2.6.38.4/arch/powerpc/mm/slice.c 2011-03-14 21:20:32.000000000 -0400
2963 +++ linux-2.6.38.4/arch/powerpc/mm/slice.c 2011-04-17 15:57:32.000000000 -0400
2964 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2965 if ((mm->task_size - len) < addr)
2967 vma = find_vma(mm, addr);
2968 - return (!vma || (addr + len) <= vma->vm_start);
2969 + return check_heap_stack_gap(vma, addr, len);
2972 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2973 @@ -256,7 +256,7 @@ full_search:
2974 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2977 - if (!vma || addr + len <= vma->vm_start) {
2978 + if (check_heap_stack_gap(vma, addr, len)) {
2980 * Remember the place where we stopped the search:
2982 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2986 - addr = mm->mmap_base;
2987 - while (addr > len) {
2988 + if (mm->mmap_base < len)
2991 + addr = mm->mmap_base - len;
2993 + while (!IS_ERR_VALUE(addr)) {
2994 /* Go down by chunk size */
2995 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
2996 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
2998 /* Check for hit with different page size */
2999 mask = slice_range_to_mask(addr, len);
3000 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3001 * return with success:
3003 vma = find_vma(mm, addr);
3004 - if (!vma || (addr + len) <= vma->vm_start) {
3005 + if (check_heap_stack_gap(vma, addr, len)) {
3006 /* remember the address as a hint for next time */
3008 mm->free_area_cache = addr;
3009 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3010 mm->cached_hole_size = vma->vm_start - addr;
3012 /* try just below the current vma->vm_start */
3013 - addr = vma->vm_start;
3014 + addr = skip_heap_stack_gap(vma, len);
3018 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3019 if (fixed && addr > (mm->task_size - len))
3022 +#ifdef CONFIG_PAX_RANDMMAP
3023 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3027 /* If hint, make sure it matches our alignment restrictions */
3028 if (!fixed && addr) {
3029 addr = _ALIGN_UP(addr, 1ul << pshift);
3030 diff -urNp linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c
3031 --- linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c 2011-03-14 21:20:32.000000000 -0400
3032 +++ linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c 2011-04-17 15:57:32.000000000 -0400
3033 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3035 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3037 -struct dma_map_ops dma_iommu_fixed_ops = {
3038 +const struct dma_map_ops dma_iommu_fixed_ops = {
3039 .alloc_coherent = dma_fixed_alloc_coherent,
3040 .free_coherent = dma_fixed_free_coherent,
3041 .map_sg = dma_fixed_map_sg,
3042 diff -urNp linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c
3043 --- linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c 2011-03-14 21:20:32.000000000 -0400
3044 +++ linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c 2011-04-17 15:57:32.000000000 -0400
3045 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3046 return mask >= DMA_BIT_MASK(32);
3049 -static struct dma_map_ops ps3_sb_dma_ops = {
3050 +static const struct dma_map_ops ps3_sb_dma_ops = {
3051 .alloc_coherent = ps3_alloc_coherent,
3052 .free_coherent = ps3_free_coherent,
3053 .map_sg = ps3_sb_map_sg,
3054 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3055 .unmap_page = ps3_unmap_page,
3058 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3059 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3060 .alloc_coherent = ps3_alloc_coherent,
3061 .free_coherent = ps3_free_coherent,
3062 .map_sg = ps3_ioc0_map_sg,
3063 diff -urNp linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c
3064 --- linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-03-14 21:20:32.000000000 -0400
3065 +++ linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-04-17 15:57:32.000000000 -0400
3066 @@ -240,7 +240,7 @@ static int cpm_suspend_enter(suspend_sta
3070 -static struct platform_suspend_ops cpm_suspend_ops = {
3071 +static const struct platform_suspend_ops cpm_suspend_ops = {
3072 .valid = cpm_suspend_valid,
3073 .enter = cpm_suspend_enter,
3075 diff -urNp linux-2.6.38.4/arch/s390/include/asm/elf.h linux-2.6.38.4/arch/s390/include/asm/elf.h
3076 --- linux-2.6.38.4/arch/s390/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
3077 +++ linux-2.6.38.4/arch/s390/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
3078 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
3079 the loader. We need to make sure that it is out of the way of the program
3080 that it will "exec", and that there is sufficient room for the brk. */
3082 -extern unsigned long randomize_et_dyn(unsigned long base);
3083 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
3084 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3086 +#ifdef CONFIG_PAX_ASLR
3087 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3089 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3090 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3093 /* This yields a mask that user programs can use to figure out what
3094 instruction set this CPU supports. */
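Review bot: `randomize_et_dyn` is dropped and `ELF_ET_DYN_BASE` becomes the fixed `STACK_TOP / 3 * 2`, while the replacement (`PAX_ELF_ET_DYN_BASE`, `PAX_DELTA_MMAP_LEN`, `PAX_DELTA_STACK_LEN`) is defined only under `CONFIG_PAX_ASLR`; the `system.h` hunk likewise turns `arch_align_stack` into the non-random `((x) & ~0xfUL)` and the `process.c` hunk deletes `arch_randomize_brk`, so an s390 build with `CONFIG_PAX_ASLR=n` loses the mainline ET_DYN, brk and stack-offset randomisation (the `arch/powerpc/kernel/process.c` deletion has the same effect there). Unless Kconfig makes `PAX_ASLR` mandatory or the generic binfmt code randomises unconditionally (not visible here), state this next to the definition: `/* mainline brk/ET_DYN/stack randomisation is replaced by PaX ASLR; without CONFIG_PAX_ASLR these bases are fixed */`. Minor: `15 : 26 )` carries a stray space before the closing parenthesis in both `PAX_DELTA_*_LEN` lines.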
3095 @@ -222,7 +228,4 @@ struct linux_binprm;
3096 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
3097 int arch_setup_additional_pages(struct linux_binprm *, int);
3099 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3100 -#define arch_randomize_brk arch_randomize_brk
3103 diff -urNp linux-2.6.38.4/arch/s390/include/asm/system.h linux-2.6.38.4/arch/s390/include/asm/system.h
3104 --- linux-2.6.38.4/arch/s390/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3105 +++ linux-2.6.38.4/arch/s390/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
3106 @@ -449,7 +449,7 @@ extern void (*_machine_restart)(char *co
3107 extern void (*_machine_halt)(void);
3108 extern void (*_machine_power_off)(void);
3110 -extern unsigned long arch_align_stack(unsigned long sp);
3111 +#define arch_align_stack(x) ((x) & ~0xfUL)
3113 static inline int tprot(unsigned long addr)
3115 diff -urNp linux-2.6.38.4/arch/s390/include/asm/uaccess.h linux-2.6.38.4/arch/s390/include/asm/uaccess.h
3116 --- linux-2.6.38.4/arch/s390/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
3117 +++ linux-2.6.38.4/arch/s390/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
3118 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3119 copy_to_user(void __user *to, const void *from, unsigned long n)
3126 if (access_ok(VERIFY_WRITE, to, n))
3127 n = __copy_to_user(to, from, n);
3129 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3130 static inline unsigned long __must_check
3131 __copy_from_user(void *to, const void __user *from, unsigned long n)
3136 if (__builtin_constant_p(n) && (n <= 256))
3137 return uaccess.copy_from_user_small(n, from, to);
3139 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3140 unsigned int sz = __compiletime_object_size(to);
3147 if (unlikely(sz != -1 && sz < n)) {
3148 copy_from_user_overflow();
3150 diff -urNp linux-2.6.38.4/arch/s390/Kconfig linux-2.6.38.4/arch/s390/Kconfig
3151 --- linux-2.6.38.4/arch/s390/Kconfig 2011-03-14 21:20:32.000000000 -0400
3152 +++ linux-2.6.38.4/arch/s390/Kconfig 2011-04-17 15:57:32.000000000 -0400
3153 @@ -233,11 +233,9 @@ config S390_EXEC_PROTECT
3154 prompt "Data execute protection"
3156 This option allows to enable a buffer overflow protection for user
3157 - space programs and it also selects the addressing mode option above.
3158 - The kernel parameter noexec=on will enable this feature and also
3159 - switch the addressing modes, default is disabled. Enabling this (via
3160 - kernel parameter) on machines earlier than IBM System z9 this will
3161 - reduce system performance.
3163 + Enabling this (via kernel parameter) on machines earlier than IBM
3164 + System z9 this will reduce system performance.
3166 comment "Code generation options"
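Review bot: The rewritten help text still says "Enabling this (via kernel parameter)", but the `arch/s390/kernel/setup.c` hunks of this same patch remove the `noexec=` parameter (and `switch_amode=`) and make `SECONDARY_SPACE_MODE` the default, so the sentence no longer describes how the feature is enabled; it also keeps a doubled subject ("Enabling this ... this will"). Suggested text: `Enabling this on machines earlier than IBM System z9 will reduce system performance.`, followed by a sentence naming whatever knob remains (the retained `user_mode=` parameter, if that is the intended control).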
3168 diff -urNp linux-2.6.38.4/arch/s390/kernel/module.c linux-2.6.38.4/arch/s390/kernel/module.c
3169 --- linux-2.6.38.4/arch/s390/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
3170 +++ linux-2.6.38.4/arch/s390/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
3171 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3173 /* Increase core size by size of got & plt and set start
3174 offsets for got and plt. */
3175 - me->core_size = ALIGN(me->core_size, 4);
3176 - me->arch.got_offset = me->core_size;
3177 - me->core_size += me->arch.got_size;
3178 - me->arch.plt_offset = me->core_size;
3179 - me->core_size += me->arch.plt_size;
3180 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3181 + me->arch.got_offset = me->core_size_rw;
3182 + me->core_size_rw += me->arch.got_size;
3183 + me->arch.plt_offset = me->core_size_rx;
3184 + me->core_size_rx += me->arch.plt_size;
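Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset without the `ALIGN(..., 4)` that the original applied to `core_size` ahead of both the GOT and the PLT, and that the new code keeps only for `core_size_rw`; unless the rx layout already guarantees a 4-byte-aligned `core_size_rx`, the PLT stubs (the `basr 1,0; l 1,6(1); br 1` words written by the `apply_rela` hunk below) can land on an odd address, and s390 requires halfword-aligned instructions. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment and extend the comment above to say that the GOT now lives in the rw core and the PLT in the rx core. `module_frob_arch_sections` starts outside this hunk.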
3188 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3189 if (info->got_initialized == 0) {
3192 - gotent = me->module_core + me->arch.got_offset +
3193 + gotent = me->module_core_rw + me->arch.got_offset +
3196 info->got_initialized = 1;
3197 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3198 else if (r_type == R_390_GOTENT ||
3199 r_type == R_390_GOTPLTENT)
3200 *(unsigned int *) loc =
3201 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3202 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3203 else if (r_type == R_390_GOT64 ||
3204 r_type == R_390_GOTPLT64)
3205 *(unsigned long *) loc = val;
3206 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3207 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3208 if (info->plt_initialized == 0) {
3210 - ip = me->module_core + me->arch.plt_offset +
3211 + ip = me->module_core_rx + me->arch.plt_offset +
3213 #ifndef CONFIG_64BIT
3214 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3215 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3216 val - loc + 0xffffUL < 0x1ffffeUL) ||
3217 (r_type == R_390_PLT32DBL &&
3218 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3219 - val = (Elf_Addr) me->module_core +
3220 + val = (Elf_Addr) me->module_core_rx +
3221 me->arch.plt_offset +
3223 val += rela->r_addend - loc;
3224 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3225 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3226 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3227 val = val + rela->r_addend -
3228 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3229 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3230 if (r_type == R_390_GOTOFF16)
3231 *(unsigned short *) loc = val;
3232 else if (r_type == R_390_GOTOFF32)
3233 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3235 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3236 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3237 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3238 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3239 rela->r_addend - loc;
3240 if (r_type == R_390_GOTPC)
3241 *(unsigned int *) loc = val;
3242 diff -urNp linux-2.6.38.4/arch/s390/kernel/process.c linux-2.6.38.4/arch/s390/kernel/process.c
3243 --- linux-2.6.38.4/arch/s390/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3244 +++ linux-2.6.38.4/arch/s390/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
3245 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
3250 -unsigned long arch_align_stack(unsigned long sp)
3252 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3253 - sp -= get_random_int() & ~PAGE_MASK;
3257 -static inline unsigned long brk_rnd(void)
3259 - /* 8MB for 32bit, 1GB for 64bit */
3260 - if (is_32bit_task())
3261 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
3263 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
3266 -unsigned long arch_randomize_brk(struct mm_struct *mm)
3268 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
3270 - if (ret < mm->brk)
3275 -unsigned long randomize_et_dyn(unsigned long base)
3277 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
3279 - if (!(current->flags & PF_RANDOMIZE))
3285 diff -urNp linux-2.6.38.4/arch/s390/kernel/setup.c linux-2.6.38.4/arch/s390/kernel/setup.c
3286 --- linux-2.6.38.4/arch/s390/kernel/setup.c 2011-03-14 21:20:32.000000000 -0400
3287 +++ linux-2.6.38.4/arch/s390/kernel/setup.c 2011-04-17 15:57:32.000000000 -0400
3288 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3290 early_param("mem", early_parse_mem);
3292 -unsigned int user_mode = HOME_SPACE_MODE;
3293 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3294 EXPORT_SYMBOL_GPL(user_mode);
3296 static int set_amode_and_uaccess(unsigned long user_amode,
3297 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3302 - * Switch kernel/user addressing modes?
3304 -static int __init early_parse_switch_amode(char *p)
3306 - if (user_mode != SECONDARY_SPACE_MODE)
3307 - user_mode = PRIMARY_SPACE_MODE;
3310 -early_param("switch_amode", early_parse_switch_amode);
3312 static int __init early_parse_user_mode(char *p)
3314 if (p && strcmp(p, "primary") == 0)
3315 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3317 early_param("user_mode", early_parse_user_mode);
3319 -#ifdef CONFIG_S390_EXEC_PROTECT
3321 - * Enable execute protection?
3323 -static int __init early_parse_noexec(char *p)
3325 - if (!strncmp(p, "off", 3))
3327 - user_mode = SECONDARY_SPACE_MODE;
3330 -early_param("noexec", early_parse_noexec);
3331 -#endif /* CONFIG_S390_EXEC_PROTECT */
3333 static void setup_addressing_mode(void)
3335 if (user_mode == SECONDARY_SPACE_MODE) {
3336 diff -urNp linux-2.6.38.4/arch/s390/mm/maccess.c linux-2.6.38.4/arch/s390/mm/maccess.c
3337 --- linux-2.6.38.4/arch/s390/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
3338 +++ linux-2.6.38.4/arch/s390/mm/maccess.c 2011-04-17 15:57:32.000000000 -0400
3339 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3340 return rc ? rc : count;
3343 -long probe_kernel_write(void *dst, void *src, size_t size)
3344 +long probe_kernel_write(void *dst, const void *src, size_t size)
3348 diff -urNp linux-2.6.38.4/arch/s390/mm/mmap.c linux-2.6.38.4/arch/s390/mm/mmap.c
3349 --- linux-2.6.38.4/arch/s390/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3350 +++ linux-2.6.38.4/arch/s390/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
3351 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
3353 if (mmap_is_legacy()) {
3354 mm->mmap_base = TASK_UNMAPPED_BASE;
3356 +#ifdef CONFIG_PAX_RANDMMAP
3357 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3358 + mm->mmap_base += mm->delta_mmap;
3361 mm->get_unmapped_area = arch_get_unmapped_area;
3362 mm->unmap_area = arch_unmap_area;
3364 mm->mmap_base = mmap_base();
3366 +#ifdef CONFIG_PAX_RANDMMAP
3367 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3368 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3371 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3372 mm->unmap_area = arch_unmap_area_topdown;
3374 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
3376 if (mmap_is_legacy()) {
3377 mm->mmap_base = TASK_UNMAPPED_BASE;
3379 +#ifdef CONFIG_PAX_RANDMMAP
3380 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3381 + mm->mmap_base += mm->delta_mmap;
3384 mm->get_unmapped_area = s390_get_unmapped_area;
3385 mm->unmap_area = arch_unmap_area;
3387 mm->mmap_base = mmap_base();
3389 +#ifdef CONFIG_PAX_RANDMMAP
3390 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3391 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3394 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3395 mm->unmap_area = arch_unmap_area_topdown;
3397 diff -urNp linux-2.6.38.4/arch/score/include/asm/system.h linux-2.6.38.4/arch/score/include/asm/system.h
3398 --- linux-2.6.38.4/arch/score/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3399 +++ linux-2.6.38.4/arch/score/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
3400 @@ -17,7 +17,7 @@ do { \
3401 #define finish_arch_switch(prev) do {} while (0)
3403 typedef void (*vi_handler_t)(void);
3404 -extern unsigned long arch_align_stack(unsigned long sp);
3405 +#define arch_align_stack(x) (x)
3407 #define mb() barrier()
3408 #define rmb() barrier()
3409 diff -urNp linux-2.6.38.4/arch/score/kernel/process.c linux-2.6.38.4/arch/score/kernel/process.c
3410 --- linux-2.6.38.4/arch/score/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3411 +++ linux-2.6.38.4/arch/score/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
3412 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3414 return task_pt_regs(task)->cp0_epc;
3417 -unsigned long arch_align_stack(unsigned long sp)
3421 diff -urNp linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h
3422 --- linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3423 +++ linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
3425 #ifndef __ASM_SH_DMA_MAPPING_H
3426 #define __ASM_SH_DMA_MAPPING_H
3428 -extern struct dma_map_ops *dma_ops;
3429 +extern const struct dma_map_ops *dma_ops;
3430 extern void no_iommu_init(void);
3432 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3433 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3437 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3439 static inline int dma_supported(struct device *dev, u64 mask)
3441 - struct dma_map_ops *ops = get_dma_ops(dev);
3442 + const struct dma_map_ops *ops = get_dma_ops(dev);
3444 if (ops->dma_supported)
3445 return ops->dma_supported(dev, mask);
3446 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3448 static inline int dma_set_mask(struct device *dev, u64 mask)
3450 - struct dma_map_ops *ops = get_dma_ops(dev);
3451 + const struct dma_map_ops *ops = get_dma_ops(dev);
3453 if (!dev->dma_mask || !dma_supported(dev, mask))
3455 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3457 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3459 - struct dma_map_ops *ops = get_dma_ops(dev);
3460 + const struct dma_map_ops *ops = get_dma_ops(dev);
3462 if (ops->mapping_error)
3463 return ops->mapping_error(dev, dma_addr);
3464 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3465 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3466 dma_addr_t *dma_handle, gfp_t gfp)
3468 - struct dma_map_ops *ops = get_dma_ops(dev);
3469 + const struct dma_map_ops *ops = get_dma_ops(dev);
3472 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3473 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3474 static inline void dma_free_coherent(struct device *dev, size_t size,
3475 void *vaddr, dma_addr_t dma_handle)
3477 - struct dma_map_ops *ops = get_dma_ops(dev);
3478 + const struct dma_map_ops *ops = get_dma_ops(dev);
3480 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3482 diff -urNp linux-2.6.38.4/arch/sh/kernel/dma-nommu.c linux-2.6.38.4/arch/sh/kernel/dma-nommu.c
3483 --- linux-2.6.38.4/arch/sh/kernel/dma-nommu.c 2011-03-14 21:20:32.000000000 -0400
3484 +++ linux-2.6.38.4/arch/sh/kernel/dma-nommu.c 2011-04-17 15:57:32.000000000 -0400
3485 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3489 -struct dma_map_ops nommu_dma_ops = {
3490 +const struct dma_map_ops nommu_dma_ops = {
3491 .alloc_coherent = dma_generic_alloc_coherent,
3492 .free_coherent = dma_generic_free_coherent,
3493 .map_page = nommu_map_page,
3494 diff -urNp linux-2.6.38.4/arch/sh/kernel/kgdb.c linux-2.6.38.4/arch/sh/kernel/kgdb.c
3495 --- linux-2.6.38.4/arch/sh/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
3496 +++ linux-2.6.38.4/arch/sh/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
3497 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3498 unregister_die_notifier(&kgdb_notifier);
3501 -struct kgdb_arch arch_kgdb_ops = {
3502 +const struct kgdb_arch arch_kgdb_ops = {
3503 /* Breakpoint instruction: trapa #0x3c */
3504 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3505 .gdb_bpt_instr = { 0x3c, 0xc3 },
3506 diff -urNp linux-2.6.38.4/arch/sh/mm/consistent.c linux-2.6.38.4/arch/sh/mm/consistent.c
3507 --- linux-2.6.38.4/arch/sh/mm/consistent.c 2011-03-14 21:20:32.000000000 -0400
3508 +++ linux-2.6.38.4/arch/sh/mm/consistent.c 2011-04-17 15:57:32.000000000 -0400
3511 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3513 -struct dma_map_ops *dma_ops;
3514 +const struct dma_map_ops *dma_ops;
3515 EXPORT_SYMBOL(dma_ops);
3517 static int __init dma_init(void)
3518 diff -urNp linux-2.6.38.4/arch/sh/mm/mmap.c linux-2.6.38.4/arch/sh/mm/mmap.c
3519 --- linux-2.6.38.4/arch/sh/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3520 +++ linux-2.6.38.4/arch/sh/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
3521 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3522 addr = PAGE_ALIGN(addr);
3524 vma = find_vma(mm, addr);
3525 - if (TASK_SIZE - len >= addr &&
3526 - (!vma || addr + len <= vma->vm_start))
3527 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3531 @@ -106,7 +105,7 @@ full_search:
3535 - if (likely(!vma || addr + len <= vma->vm_start)) {
3536 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3538 * Remember the place where we stopped the search:
3540 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3541 addr = PAGE_ALIGN(addr);
3543 vma = find_vma(mm, addr);
3544 - if (TASK_SIZE - len >= addr &&
3545 - (!vma || addr + len <= vma->vm_start))
3546 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3550 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3551 /* make sure it can fit in the remaining address space */
3552 if (likely(addr > len)) {
3553 vma = find_vma(mm, addr-len);
3554 - if (!vma || addr <= vma->vm_start) {
3555 + if (check_heap_stack_gap(vma, addr - len, len)) {
3556 /* remember the address as a hint for next time */
3557 return (mm->free_area_cache = addr-len);
3559 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3560 if (unlikely(mm->mmap_base < len))
3563 - addr = mm->mmap_base-len;
3564 - if (do_colour_align)
3565 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3566 + addr = mm->mmap_base - len;
3569 + if (do_colour_align)
3570 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3572 * Lookup failure means no vma is above this address,
3573 * else if new region fits below vma->vm_start,
3574 * return with success:
3576 vma = find_vma(mm, addr);
3577 - if (likely(!vma || addr+len <= vma->vm_start)) {
3578 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3579 /* remember the address as a hint for next time */
3580 return (mm->free_area_cache = addr);
3582 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3583 mm->cached_hole_size = vma->vm_start - addr;
3585 /* try just below the current vma->vm_start */
3586 - addr = vma->vm_start-len;
3587 - if (do_colour_align)
3588 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3589 - } while (likely(len < vma->vm_start));
3590 + addr = skip_heap_stack_gap(vma, len);
3591 + } while (!IS_ERR_VALUE(addr));
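Review bot: The retry step `addr = skip_heap_stack_gap(vma, len);` drops the `if (do_colour_align) addr = COLOUR_ALIGN_DOWN(addr, pgoff);` that the removed lines applied, and skip_heap_stack_gap receives neither pgoff nor the colour flag, so unless it colours internally (its definition is not in view) a MAP_SHARED mapping can be retried at an address that is not cache-colour aligned on SH. The top of the loop only re-checks fit via check_heap_stack_gap, not alignment, so such an address would be handed back at `return (mm->free_area_cache = addr);`. One fix is to keep the alignment after the skip: `addr = skip_heap_stack_gap(vma, len);` followed by `if (do_colour_align && !IS_ERR_VALUE(addr)) addr = COLOUR_ALIGN_DOWN(addr, pgoff);`. The same pattern appears in the top-down hunk of arch/sparc/kernel/sys_sparc_64.c (`do_color_align`). arch_get_unmapped_area_topdown starts and ends outside this hunk.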
3595 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h
3596 --- linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h 2011-03-14 21:20:32.000000000 -0400
3597 +++ linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h 2011-04-17 15:57:32.000000000 -0400
3599 #define ATOMIC64_INIT(i) { (i) }
3601 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3602 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3604 + return v->counter;
3606 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3607 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3609 + return v->counter;
3612 #define atomic_set(v, i) (((v)->counter) = i)
3613 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3617 #define atomic64_set(v, i) (((v)->counter) = i)
3618 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3623 extern void atomic_add(int, atomic_t *);
3624 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3625 extern void atomic64_add(long, atomic64_t *);
3626 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3627 extern void atomic_sub(int, atomic_t *);
3628 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3629 extern void atomic64_sub(long, atomic64_t *);
3630 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3632 extern int atomic_add_ret(int, atomic_t *);
3633 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3634 extern long atomic64_add_ret(long, atomic64_t *);
3635 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3636 extern int atomic_sub_ret(int, atomic_t *);
3637 extern long atomic64_sub_ret(long, atomic64_t *);
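Review bot: `atomic_read_unchecked` returns `v->counter` through a plain pointer, whereas the `atomic_read` macro directly above it reads `*(volatile int *)&(v)->counter`, so the unchecked variant loses the forced memory access and the compiler may hoist or merge the load out of a polling loop. The same applies to `atomic64_read_unchecked` a few lines further down. Suggest `return (*(const volatile int *)&v->counter);` and `return (*(const volatile long *)&v->counter);` so the unchecked readers match the checked ones. This hunk's `@@` header and the bodies of the `_set_unchecked` helpers are elided from the view, so the same comparison could not be made for the setters.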
3639 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3640 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3642 #define atomic_inc_return(v) atomic_add_ret(1, v)
3643 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3645 + return atomic_add_ret_unchecked(1, v);
3647 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3648 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3650 + return atomic64_add_ret_unchecked(1, v);
3653 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3654 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3656 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3657 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3659 + return atomic_add_ret_unchecked(i, v);
3661 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3664 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3665 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3667 #define atomic_inc(v) atomic_add(1, v)
3668 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3670 + atomic_add_unchecked(1, v);
3672 #define atomic64_inc(v) atomic64_add(1, v)
3673 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3675 + atomic64_add_unchecked(1, v);
3678 #define atomic_dec(v) atomic_sub(1, v)
3679 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3681 + atomic_sub_unchecked(1, v);
3683 #define atomic64_dec(v) atomic64_sub(1, v)
3684 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3686 + atomic64_sub_unchecked(1, v);
3689 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3690 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3691 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3693 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3699 - if (unlikely(c == (u)))
3700 + if (unlikely(c == u))
3702 - old = atomic_cmpxchg((v), c, c + (a));
3704 + asm volatile("addcc %2, %0, %0\n"
3706 +#ifdef CONFIG_PAX_REFCOUNT
3711 + : "0" (c), "ir" (a)
3714 + old = atomic_cmpxchg(v, c, new);
3715 if (likely(old == c))
3723 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3724 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3726 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3730 c = atomic64_read(v);
3732 - if (unlikely(c == (u)))
3733 + if (unlikely(c == u))
3735 - old = atomic64_cmpxchg((v), c, c + (a));
3737 + asm volatile("addcc %2, %0, %0\n"
3739 +#ifdef CONFIG_PAX_REFCOUNT
3744 + : "0" (c), "ir" (a)
3747 + old = atomic64_cmpxchg(v, c, new);
3748 if (likely(old == c))
3756 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3757 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h
3758 --- linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3759 +++ linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
3760 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3761 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3762 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3764 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3765 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3766 extern struct bus_type pci_bus_type;
3768 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3769 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3771 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3772 if (dev->bus == &pci_bus_type)
3773 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3774 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3775 dma_addr_t *dma_handle, gfp_t flag)
3777 - struct dma_map_ops *ops = get_dma_ops(dev);
3778 + const struct dma_map_ops *ops = get_dma_ops(dev);
3781 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3782 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3783 static inline void dma_free_coherent(struct device *dev, size_t size,
3784 void *cpu_addr, dma_addr_t dma_handle)
3786 - struct dma_map_ops *ops = get_dma_ops(dev);
3787 + const struct dma_map_ops *ops = get_dma_ops(dev);
3789 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3790 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3791 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/elf_32.h linux-2.6.38.4/arch/sparc/include/asm/elf_32.h
3792 --- linux-2.6.38.4/arch/sparc/include/asm/elf_32.h 2011-03-14 21:20:32.000000000 -0400
3793 +++ linux-2.6.38.4/arch/sparc/include/asm/elf_32.h 2011-04-17 15:57:32.000000000 -0400
3794 @@ -114,6 +114,13 @@ typedef struct {
3796 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3798 +#ifdef CONFIG_PAX_ASLR
3799 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3801 +#define PAX_DELTA_MMAP_LEN 16
3802 +#define PAX_DELTA_STACK_LEN 16
3805 /* This yields a mask that user programs can use to figure out what
3806 instruction set this cpu supports. This can NOT be done in userspace
3808 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/elf_64.h linux-2.6.38.4/arch/sparc/include/asm/elf_64.h
3809 --- linux-2.6.38.4/arch/sparc/include/asm/elf_64.h 2011-03-14 21:20:32.000000000 -0400
3810 +++ linux-2.6.38.4/arch/sparc/include/asm/elf_64.h 2011-04-17 15:57:32.000000000 -0400
3811 @@ -162,6 +162,12 @@ typedef struct {
3812 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3813 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3815 +#ifdef CONFIG_PAX_ASLR
3816 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3818 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3819 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3822 /* This yields a mask that user programs can use to figure out what
3823 instruction set this cpu supports. */
3824 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h
3825 --- linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
3826 +++ linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h 2011-04-17 15:57:32.000000000 -0400
3827 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3828 BTFIXUPDEF_INT(page_none)
3829 BTFIXUPDEF_INT(page_copy)
3830 BTFIXUPDEF_INT(page_readonly)
3832 +#ifdef CONFIG_PAX_PAGEEXEC
3833 +BTFIXUPDEF_INT(page_shared_noexec)
3834 +BTFIXUPDEF_INT(page_copy_noexec)
3835 +BTFIXUPDEF_INT(page_readonly_noexec)
3838 BTFIXUPDEF_INT(page_kernel)
3840 #define PMD_SHIFT SUN4C_PMD_SHIFT
3841 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3842 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3843 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3845 +#ifdef CONFIG_PAX_PAGEEXEC
3846 +extern pgprot_t PAGE_SHARED_NOEXEC;
3847 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3848 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3850 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3851 +# define PAGE_COPY_NOEXEC PAGE_COPY
3852 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3855 extern unsigned long page_kernel;
3858 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h
3859 --- linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h 2011-03-14 21:20:32.000000000 -0400
3860 +++ linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h 2011-04-17 15:57:32.000000000 -0400
3861 @@ -115,6 +115,13 @@
3862 SRMMU_EXEC | SRMMU_REF)
3863 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3864 SRMMU_EXEC | SRMMU_REF)
3866 +#ifdef CONFIG_PAX_PAGEEXEC
3867 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3868 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3869 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3872 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3873 SRMMU_DIRTY | SRMMU_REF)
3875 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h
3876 --- linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h 2011-03-14 21:20:32.000000000 -0400
3877 +++ linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h 2011-04-17 15:57:32.000000000 -0400
3878 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3879 __asm__ __volatile__ (
3880 "1: ldsw [%2], %0\n"
3882 -"4: add %0, 1, %1\n"
3883 +"4: addcc %0, 1, %1\n"
3885 +#ifdef CONFIG_PAX_REFCOUNT
3889 " cas [%2], %0, %1\n"
3891 " bne,pn %%icc, 1b\n"
3892 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3894 : "=&r" (tmp1), "=&r" (tmp2)
3897 + : "memory", "cc");
3900 static int inline arch_read_trylock(arch_rwlock_t *lock)
3901 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3902 "1: ldsw [%2], %0\n"
3903 " brlz,a,pn %0, 2f\n"
3906 +" addcc %0, 1, %1\n"
3908 +#ifdef CONFIG_PAX_REFCOUNT
3912 " cas [%2], %0, %1\n"
3914 " bne,pn %%icc, 1b\n"
3915 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3917 __asm__ __volatile__(
3918 "1: lduw [%2], %0\n"
3920 +" subcc %0, 1, %1\n"
3922 +#ifdef CONFIG_PAX_REFCOUNT
3926 " cas [%2], %0, %1\n"
3928 " bne,pn %%xcc, 1b\n"
3929 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h
3930 --- linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
3931 +++ linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h 2011-04-17 15:57:32.000000000 -0400
3932 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3934 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3936 - if (n && __access_ok((unsigned long) to, n))
3940 + if (n && __access_ok((unsigned long) to, n)) {
3941 + if (!__builtin_constant_p(n))
3942 + check_object_size(from, n, true);
3943 return __copy_user(to, (__force void __user *) from, n);
3949 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3954 + if (!__builtin_constant_p(n))
3955 + check_object_size(from, n, true);
3957 return __copy_user(to, (__force void __user *) from, n);
3960 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3962 - if (n && __access_ok((unsigned long) from, n))
3966 + if (n && __access_ok((unsigned long) from, n)) {
3967 + if (!__builtin_constant_p(n))
3968 + check_object_size(to, n, false);
3969 return __copy_user((__force void __user *) to, from, n);
3975 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3980 return __copy_user((__force void __user *) to, from, n);
3983 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h
3984 --- linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
3985 +++ linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h 2011-04-17 15:57:32.000000000 -0400
3987 #include <linux/compiler.h>
3988 #include <linux/string.h>
3989 #include <linux/thread_info.h>
3990 +#include <linux/kernel.h>
3991 #include <asm/asi.h>
3992 #include <asm/system.h>
3993 #include <asm/spitfire.h>
3994 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3995 static inline unsigned long __must_check
3996 copy_from_user(void *to, const void __user *from, unsigned long size)
3998 - unsigned long ret = ___copy_from_user(to, from, size);
3999 + unsigned long ret;
4001 + if ((long)size < 0 || size > INT_MAX)
4004 + if (!__builtin_constant_p(size))
4005 + check_object_size(to, size, false);
4007 + ret = ___copy_from_user(to, from, size);
4009 ret = copy_from_user_fixup(to, from, size);
4011 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4012 static inline unsigned long __must_check
4013 copy_to_user(void __user *to, const void *from, unsigned long size)
4015 - unsigned long ret = ___copy_to_user(to, from, size);
4016 + unsigned long ret;
4018 + if ((long)size < 0 || size > INT_MAX)
4021 + if (!__builtin_constant_p(size))
4022 + check_object_size(from, size, true);
4024 + ret = ___copy_to_user(to, from, size);
4026 ret = copy_to_user_fixup(to, from, size);
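Review bot: The new bound `if ((long)size < 0 || size > INT_MAX)` in copy_to_user, and the identical one in copy_from_user in the previous hunk, carries no comment explaining why INT_MAX is the limit, and the value returned on that path is elided from the view. On sparc64 `(long)size < 0` already implies `size > INT_MAX`, so the first clause is redundant and reads as though two distinct conditions were intended. Suggest collapsing to `if (size > INT_MAX)` with a comment such as `/* lengths above INT_MAX are rejected: <reason — confirm against ___copy_to_user> */`, and confirm the early return hands back `size` so callers observe a full failure. copy_to_user's body ends outside the hunk.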
4028 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/uaccess.h linux-2.6.38.4/arch/sparc/include/asm/uaccess.h
4029 --- linux-2.6.38.4/arch/sparc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
4030 +++ linux-2.6.38.4/arch/sparc/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
4032 #ifndef ___ASM_SPARC_UACCESS_H
4033 #define ___ASM_SPARC_UACCESS_H
4036 +#ifndef __ASSEMBLY__
4037 +#include <linux/types.h>
4038 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4042 #if defined(__sparc__) && defined(__arch64__)
4043 #include <asm/uaccess_64.h>
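Review bot: The new prototype `extern void check_object_size(const void *ptr, unsigned long n, bool to);` does not say what `to` means, while the callers in uaccess_32.h and uaccess_64.h pass `true` for the copy_to_user source buffer and `false` for the copy_from_user destination, a convention that is easy to invert at a new call site. A one-line comment above the declaration would settle it, e.g. `/* ptr is the kernel-side buffer of a user copy; to == true when it is read (copy_to_user), false when it is written (copy_from_user) */`. The definition is not in view, so the direction described here is taken from the call sites in this patch and should be confirmed against it.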
4045 diff -urNp linux-2.6.38.4/arch/sparc/kernel/iommu.c linux-2.6.38.4/arch/sparc/kernel/iommu.c
4046 --- linux-2.6.38.4/arch/sparc/kernel/iommu.c 2011-04-22 19:20:59.000000000 -0400
4047 +++ linux-2.6.38.4/arch/sparc/kernel/iommu.c 2011-04-22 19:21:10.000000000 -0400
4048 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4049 spin_unlock_irqrestore(&iommu->lock, flags);
4052 -static struct dma_map_ops sun4u_dma_ops = {
4053 +static const struct dma_map_ops sun4u_dma_ops = {
4054 .alloc_coherent = dma_4u_alloc_coherent,
4055 .free_coherent = dma_4u_free_coherent,
4056 .map_page = dma_4u_map_page,
4057 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
4058 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4061 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4062 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4063 EXPORT_SYMBOL(dma_ops);
4065 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4066 diff -urNp linux-2.6.38.4/arch/sparc/kernel/ioport.c linux-2.6.38.4/arch/sparc/kernel/ioport.c
4067 --- linux-2.6.38.4/arch/sparc/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
4068 +++ linux-2.6.38.4/arch/sparc/kernel/ioport.c 2011-04-17 15:57:32.000000000 -0400
4069 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4073 -struct dma_map_ops sbus_dma_ops = {
4074 +const struct dma_map_ops sbus_dma_ops = {
4075 .alloc_coherent = sbus_alloc_coherent,
4076 .free_coherent = sbus_free_coherent,
4077 .map_page = sbus_map_page,
4078 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4079 .sync_sg_for_device = sbus_sync_sg_for_device,
4082 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4083 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4084 EXPORT_SYMBOL(dma_ops);
4086 static int __init sparc_register_ioport(void)
4087 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4091 -struct dma_map_ops pci32_dma_ops = {
4092 +const struct dma_map_ops pci32_dma_ops = {
4093 .alloc_coherent = pci32_alloc_coherent,
4094 .free_coherent = pci32_free_coherent,
4095 .map_page = pci32_map_page,
4096 diff -urNp linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c
4097 --- linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c 2011-03-14 21:20:32.000000000 -0400
4098 +++ linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c 2011-04-17 15:57:32.000000000 -0400
4099 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4100 regs->npc = regs->pc + 4;
4103 -struct kgdb_arch arch_kgdb_ops = {
4104 +const struct kgdb_arch arch_kgdb_ops = {
4105 /* Breakpoint instruction: ta 0x7d */
4106 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4108 diff -urNp linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c
4109 --- linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c 2011-03-14 21:20:32.000000000 -0400
4110 +++ linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c 2011-04-17 15:57:32.000000000 -0400
4111 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4112 regs->tnpc = regs->tpc + 4;
4115 -struct kgdb_arch arch_kgdb_ops = {
4116 +const struct kgdb_arch arch_kgdb_ops = {
4117 /* Breakpoint instruction: ta 0x72 */
4118 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4120 diff -urNp linux-2.6.38.4/arch/sparc/kernel/Makefile linux-2.6.38.4/arch/sparc/kernel/Makefile
4121 --- linux-2.6.38.4/arch/sparc/kernel/Makefile 2011-03-14 21:20:32.000000000 -0400
4122 +++ linux-2.6.38.4/arch/sparc/kernel/Makefile 2011-04-17 15:57:32.000000000 -0400
4127 -ccflags-y := -Werror
4128 +#ccflags-y := -Werror
4130 extra-y := head_$(BITS).o
4131 extra-y += init_task.o
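Review bot: Commenting out `ccflags-y := -Werror` silently drops the warnings-as-errors policy for all of arch/sparc/kernel, so any warning introduced by this patch or a later one in this directory no longer fails the build, and nothing records why the policy was relaxed. If a specific warning cannot be avoided, say so next to the line, e.g. `# -Werror disabled: <warning and file — placeholder>`, or narrow the relaxation to the affected object with a per-file `CFLAGS_<file>.o` override instead of the whole directory.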
4132 diff -urNp linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c
4133 --- linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c 2011-04-22 19:20:59.000000000 -0400
4134 +++ linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c 2011-04-22 19:21:10.000000000 -0400
4135 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4136 spin_unlock_irqrestore(&iommu->lock, flags);
4139 -static struct dma_map_ops sun4v_dma_ops = {
4140 +static const struct dma_map_ops sun4v_dma_ops = {
4141 .alloc_coherent = dma_4v_alloc_coherent,
4142 .free_coherent = dma_4v_free_coherent,
4143 .map_page = dma_4v_map_page,
4144 diff -urNp linux-2.6.38.4/arch/sparc/kernel/process_32.c linux-2.6.38.4/arch/sparc/kernel/process_32.c
4145 --- linux-2.6.38.4/arch/sparc/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
4146 +++ linux-2.6.38.4/arch/sparc/kernel/process_32.c 2011-04-17 15:57:32.000000000 -0400
4147 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4148 rw->ins[4], rw->ins[5],
4151 - printk("%pS\n", (void *) rw->ins[7]);
4152 + printk("%pA\n", (void *) rw->ins[7]);
4153 rw = (struct reg_window32 *) rw->ins[6];
4155 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
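Review bot: `%pA` is not a pointer extension that the stock 2.6.38 vsprintf understands; the handler it relies on must come from elsewhere in this patch and is not in view, and nothing at the converted call sites documents how it is meant to differ from `%pS`. Since -Wformat does not check what follows `%p`, a tree that lacks that handler would print a raw pointer followed by a literal `A` with no compile-time warning. A short comment at the first converted site, such as `/* %pA: symbol format added by this patch, not upstream vsprintf */`, would make the dependency visible; the same conversion appears in the following hunks and in process_64.c, traps_32.c and traps_64.c.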
4156 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4158 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4159 r->psr, r->pc, r->npc, r->y, print_tainted());
4160 - printk("PC: <%pS>\n", (void *) r->pc);
4161 + printk("PC: <%pA>\n", (void *) r->pc);
4162 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4163 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4164 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4165 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4166 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4167 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4168 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4169 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4171 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4172 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4173 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4174 rw = (struct reg_window32 *) fp;
4176 printk("[%08lx : ", pc);
4177 - printk("%pS ] ", (void *) pc);
4178 + printk("%pA ] ", (void *) pc);
4180 } while (++count < 16);
4182 diff -urNp linux-2.6.38.4/arch/sparc/kernel/process_64.c linux-2.6.38.4/arch/sparc/kernel/process_64.c
4183 --- linux-2.6.38.4/arch/sparc/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
4184 +++ linux-2.6.38.4/arch/sparc/kernel/process_64.c 2011-04-17 15:57:32.000000000 -0400
4185 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4186 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4187 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4188 if (regs->tstate & TSTATE_PRIV)
4189 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4190 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4193 void show_regs(struct pt_regs *regs)
4195 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4196 regs->tpc, regs->tnpc, regs->y, print_tainted());
4197 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4198 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4199 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4200 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4202 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4203 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4204 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4206 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4207 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4208 show_regwindow(regs);
4209 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4211 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4212 ((tp && tp->task) ? tp->task->pid : -1));
4214 if (gp->tstate & TSTATE_PRIV) {
4215 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4216 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4220 diff -urNp linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c
4221 --- linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c 2011-03-14 21:20:32.000000000 -0400
4222 +++ linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c 2011-04-17 15:57:32.000000000 -0400
4223 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
4224 if (ARCH_SUN4C && len > 0x20000000)
4227 - addr = TASK_UNMAPPED_BASE;
4228 + addr = current->mm->mmap_base;
4230 if (flags & MAP_SHARED)
4231 addr = COLOUR_ALIGN(addr);
4232 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
4234 if (TASK_SIZE - PAGE_SIZE - len < addr)
4236 - if (!vmm || addr + len <= vmm->vm_start)
4237 + if (check_heap_stack_gap(vmm, addr, len))
4240 if (flags & MAP_SHARED)
4241 diff -urNp linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c
4242 --- linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c 2011-03-14 21:20:32.000000000 -0400
4243 +++ linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c 2011-04-17 15:57:32.000000000 -0400
4244 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4245 /* We do not accept a shared mapping if it would violate
4246 * cache aliasing constraints.
4248 - if ((flags & MAP_SHARED) &&
4249 + if ((filp || (flags & MAP_SHARED)) &&
4250 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4253 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4254 if (filp || (flags & MAP_SHARED))
4257 +#ifdef CONFIG_PAX_RANDMMAP
4258 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4263 addr = COLOUR_ALIGN(addr, pgoff);
4264 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4265 addr = PAGE_ALIGN(addr);
4267 vma = find_vma(mm, addr);
4268 - if (task_size - len >= addr &&
4269 - (!vma || addr + len <= vma->vm_start))
4270 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4274 if (len > mm->cached_hole_size) {
4275 - start_addr = addr = mm->free_area_cache;
4276 + start_addr = addr = mm->free_area_cache;
4278 - start_addr = addr = TASK_UNMAPPED_BASE;
4279 + start_addr = addr = mm->mmap_base;
4280 mm->cached_hole_size = 0;
4283 @@ -174,14 +177,14 @@ full_search:
4284 vma = find_vma(mm, VA_EXCLUDE_END);
4286 if (unlikely(task_size < addr)) {
4287 - if (start_addr != TASK_UNMAPPED_BASE) {
4288 - start_addr = addr = TASK_UNMAPPED_BASE;
4289 + if (start_addr != mm->mmap_base) {
4290 + start_addr = addr = mm->mmap_base;
4291 mm->cached_hole_size = 0;
4296 - if (likely(!vma || addr + len <= vma->vm_start)) {
4297 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4299 * Remember the place where we stopped the search:
4301 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4302 /* We do not accept a shared mapping if it would violate
4303 * cache aliasing constraints.
4305 - if ((flags & MAP_SHARED) &&
4306 + if ((filp || (flags & MAP_SHARED)) &&
4307 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4310 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4311 addr = PAGE_ALIGN(addr);
4313 vma = find_vma(mm, addr);
4314 - if (task_size - len >= addr &&
4315 - (!vma || addr + len <= vma->vm_start))
4316 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4320 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4321 /* make sure it can fit in the remaining address space */
4322 if (likely(addr > len)) {
4323 vma = find_vma(mm, addr-len);
4324 - if (!vma || addr <= vma->vm_start) {
4325 + if (check_heap_stack_gap(vma, addr - len, len)) {
4326 /* remember the address as a hint for next time */
4327 return (mm->free_area_cache = addr-len);
4329 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
4330 if (unlikely(mm->mmap_base < len))
4333 - addr = mm->mmap_base-len;
4334 - if (do_color_align)
4335 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4336 + addr = mm->mmap_base - len;
4339 + if (do_color_align)
4340 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4342 * Lookup failure means no vma is above this address,
4343 * else if new region fits below vma->vm_start,
4344 * return with success:
4346 vma = find_vma(mm, addr);
4347 - if (likely(!vma || addr+len <= vma->vm_start)) {
4348 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4349 /* remember the address as a hint for next time */
4350 return (mm->free_area_cache = addr);
4352 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
4353 mm->cached_hole_size = vma->vm_start - addr;
4355 /* try just below the current vma->vm_start */
4356 - addr = vma->vm_start-len;
4357 - if (do_color_align)
4358 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4359 - } while (likely(len < vma->vm_start));
4360 + addr = skip_heap_stack_gap(vma, len);
4361 + } while (!IS_ERR_VALUE(addr));
4365 @@ -385,6 +385,12 @@ void arch_pick_mmap_layout(struct mm_str
4366 gap == RLIM_INFINITY ||
4367 sysctl_legacy_va_layout) {
4368 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4370 +#ifdef CONFIG_PAX_RANDMMAP
4371 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4372 + mm->mmap_base += mm->delta_mmap;
4375 mm->get_unmapped_area = arch_get_unmapped_area;
4376 mm->unmap_area = arch_unmap_area;
4378 @@ -397,6 +403,12 @@ void arch_pick_mmap_layout(struct mm_str
4379 gap = (task_size / 6 * 5);
4381 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4383 +#ifdef CONFIG_PAX_RANDMMAP
4384 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4385 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4388 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4389 mm->unmap_area = arch_unmap_area_topdown;
4391 diff -urNp linux-2.6.38.4/arch/sparc/kernel/traps_32.c linux-2.6.38.4/arch/sparc/kernel/traps_32.c
4392 --- linux-2.6.38.4/arch/sparc/kernel/traps_32.c 2011-03-14 21:20:32.000000000 -0400
4393 +++ linux-2.6.38.4/arch/sparc/kernel/traps_32.c 2011-04-17 15:57:32.000000000 -0400
4394 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4396 (((unsigned long) rw) >= PAGE_OFFSET) &&
4397 !(((unsigned long) rw) & 0x7)) {
4398 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4399 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4400 (void *) rw->ins[7]);
4401 rw = (struct reg_window32 *)rw->ins[6];
4403 diff -urNp linux-2.6.38.4/arch/sparc/kernel/traps_64.c linux-2.6.38.4/arch/sparc/kernel/traps_64.c
4404 --- linux-2.6.38.4/arch/sparc/kernel/traps_64.c 2011-04-22 19:20:59.000000000 -0400
4405 +++ linux-2.6.38.4/arch/sparc/kernel/traps_64.c 2011-04-22 19:21:10.000000000 -0400
4406 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4408 p->trapstack[i].tstate, p->trapstack[i].tpc,
4409 p->trapstack[i].tnpc, p->trapstack[i].tt);
4410 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4411 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4415 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4418 if (regs->tstate & TSTATE_PRIV) {
4420 +#ifdef CONFIG_PAX_REFCOUNT
4422 + pax_report_refcount_overflow(regs);
4425 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4426 die_if_kernel(buffer, regs);
4428 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4429 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4434 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4435 0, lvl, SIGTRAP) == NOTIFY_STOP)
4438 +#ifdef CONFIG_PAX_REFCOUNT
4440 + pax_report_refcount_overflow(regs);
4443 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4445 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4446 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4447 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4448 printk("%s" "ERROR(%d): ",
4449 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4450 - printk("TPC<%pS>\n", (void *) regs->tpc);
4451 + printk("TPC<%pA>\n", (void *) regs->tpc);
4452 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4453 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4454 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4455 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4457 (type & 0x1) ? 'I' : 'D',
4459 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4460 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4461 panic("Irrecoverable Cheetah+ parity error.");
4464 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4466 (type & 0x1) ? 'I' : 'D',
4468 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4469 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4472 struct sun4v_error_entry {
4473 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4475 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4477 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4478 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4479 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4480 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4481 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4482 (void *) regs->u_regs[UREG_I7]);
4483 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4484 "pte[%lx] error[%lx]\n",
4485 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4487 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4489 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4490 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4491 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4492 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4493 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4494 (void *) regs->u_regs[UREG_I7]);
4495 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4496 "pte[%lx] error[%lx]\n",
4497 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
4498 fp = (unsigned long)sf->fp + STACK_BIAS;
4501 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4502 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4503 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4504 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4505 int index = tsk->curr_ret_stack;
4506 if (tsk->ret_stack && index >= graph) {
4507 pc = tsk->ret_stack[index - graph].ret;
4508 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4509 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4513 @@ -2254,7 +2265,7 @@ void die_if_kernel(char *str, struct pt_
4516 kstack_valid(tp, (unsigned long) rw)) {
4517 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4518 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4519 (void *) rw->ins[7]);
4521 rw = kernel_stack_up(rw);
4522 diff -urNp linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c
4523 --- linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c 2011-03-14 21:20:32.000000000 -0400
4524 +++ linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:57:32.000000000 -0400
4525 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4526 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4528 if (__ratelimit(&ratelimit)) {
4529 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4530 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4531 regs->tpc, (void *) regs->tpc);
4534 diff -urNp linux-2.6.38.4/arch/sparc/lib/atomic_64.S linux-2.6.38.4/arch/sparc/lib/atomic_64.S
4535 --- linux-2.6.38.4/arch/sparc/lib/atomic_64.S 2011-03-14 21:20:32.000000000 -0400
4536 +++ linux-2.6.38.4/arch/sparc/lib/atomic_64.S 2011-04-17 15:57:32.000000000 -0400
4538 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4542 + addcc %g1, %o0, %g7
4544 +#ifdef CONFIG_PAX_REFCOUNT
4550 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4551 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4552 2: BACKOFF_SPIN(%o2, %o3, 1b)
4553 .size atomic_add, .-atomic_add
4555 + .globl atomic_add_unchecked
4556 + .type atomic_add_unchecked,#function
4557 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4558 + BACKOFF_SETUP(%o2)
4561 + cas [%o1], %g1, %g7
4567 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4568 + .size atomic_add_unchecked, .-atomic_add_unchecked
4571 .type atomic_sub,#function
4572 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4576 + subcc %g1, %o0, %g7
4578 +#ifdef CONFIG_PAX_REFCOUNT
4584 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
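Review bot: The new `atomic_add_unchecked` carries no comment stating what it gives up relative to `atomic_add`, and that is the security-relevant contract here: the checked variant (its body between `#ifdef CONFIG_PAX_REFCOUNT` and the `cas` is not shown in this view) presumably traps on signed overflow, while the unchecked one wraps silently. A caller who reaches for the `_unchecked` form on a real object reference count silently reopens the overflow-to-use-after-free class that CONFIG_PAX_REFCOUNT exists to close, and nothing in the assembly warns against that. Suggest a comment above the label: `/* no overflow trap: only for counters that may legitimately wrap (stats, sequence numbers), never for object refcounts */`. The same note applies to every other `_unchecked` entry added in this file.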
4585 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4586 2: BACKOFF_SPIN(%o2, %o3, 1b)
4587 .size atomic_sub, .-atomic_sub
4589 + .globl atomic_sub_unchecked
4590 + .type atomic_sub_unchecked,#function
4591 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4592 + BACKOFF_SETUP(%o2)
4595 + cas [%o1], %g1, %g7
4601 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4602 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4604 .globl atomic_add_ret
4605 .type atomic_add_ret,#function
4606 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4610 + addcc %g1, %o0, %g7
4612 +#ifdef CONFIG_PAX_REFCOUNT
4618 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4619 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4620 2: BACKOFF_SPIN(%o2, %o3, 1b)
4621 .size atomic_add_ret, .-atomic_add_ret
4623 + .globl atomic_add_ret_unchecked
4624 + .type atomic_add_ret_unchecked,#function
4625 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4626 + BACKOFF_SETUP(%o2)
4628 + addcc %g1, %o0, %g7
4629 + cas [%o1], %g1, %g7
4636 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4637 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4639 .globl atomic_sub_ret
4640 .type atomic_sub_ret,#function
4641 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4645 + subcc %g1, %o0, %g7
4647 +#ifdef CONFIG_PAX_REFCOUNT
4653 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4654 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4655 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4659 + addcc %g1, %o0, %g7
4661 +#ifdef CONFIG_PAX_REFCOUNT
4665 casx [%o1], %g1, %g7
4667 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4668 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4669 2: BACKOFF_SPIN(%o2, %o3, 1b)
4670 .size atomic64_add, .-atomic64_add
4672 + .globl atomic64_add_unchecked
4673 + .type atomic64_add_unchecked,#function
4674 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4675 + BACKOFF_SETUP(%o2)
4677 + addcc %g1, %o0, %g7
4678 + casx [%o1], %g1, %g7
4684 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4685 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4688 .type atomic64_sub,#function
4689 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4693 + subcc %g1, %o0, %g7
4695 +#ifdef CONFIG_PAX_REFCOUNT
4699 casx [%o1], %g1, %g7
4701 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4702 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4703 2: BACKOFF_SPIN(%o2, %o3, 1b)
4704 .size atomic64_sub, .-atomic64_sub
4706 + .globl atomic64_sub_unchecked
4707 + .type atomic64_sub_unchecked,#function
4708 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4709 + BACKOFF_SETUP(%o2)
4711 + subcc %g1, %o0, %g7
4712 + casx [%o1], %g1, %g7
4718 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4719 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4721 .globl atomic64_add_ret
4722 .type atomic64_add_ret,#function
4723 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4727 + addcc %g1, %o0, %g7
4729 +#ifdef CONFIG_PAX_REFCOUNT
4733 casx [%o1], %g1, %g7
4735 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4736 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4737 2: BACKOFF_SPIN(%o2, %o3, 1b)
4738 .size atomic64_add_ret, .-atomic64_add_ret
4740 + .globl atomic64_add_ret_unchecked
4741 + .type atomic64_add_ret_unchecked,#function
4742 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4743 + BACKOFF_SETUP(%o2)
4745 + addcc %g1, %o0, %g7
4746 + casx [%o1], %g1, %g7
4753 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4754 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4756 .globl atomic64_sub_ret
4757 .type atomic64_sub_ret,#function
4758 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4762 + subcc %g1, %o0, %g7
4764 +#ifdef CONFIG_PAX_REFCOUNT
4768 casx [%o1], %g1, %g7
4770 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4771 diff -urNp linux-2.6.38.4/arch/sparc/lib/ksyms.c linux-2.6.38.4/arch/sparc/lib/ksyms.c
4772 --- linux-2.6.38.4/arch/sparc/lib/ksyms.c 2011-03-14 21:20:32.000000000 -0400
4773 +++ linux-2.6.38.4/arch/sparc/lib/ksyms.c 2011-04-17 15:57:32.000000000 -0400
4774 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4776 /* Atomic counter implementation. */
4777 EXPORT_SYMBOL(atomic_add);
4778 +EXPORT_SYMBOL(atomic_add_unchecked);
4779 EXPORT_SYMBOL(atomic_add_ret);
4780 EXPORT_SYMBOL(atomic_sub);
4781 +EXPORT_SYMBOL(atomic_sub_unchecked);
4782 EXPORT_SYMBOL(atomic_sub_ret);
4783 EXPORT_SYMBOL(atomic64_add);
4784 +EXPORT_SYMBOL(atomic64_add_unchecked);
4785 EXPORT_SYMBOL(atomic64_add_ret);
4786 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4787 EXPORT_SYMBOL(atomic64_sub);
4788 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4789 EXPORT_SYMBOL(atomic64_sub_ret);
4791 /* Atomic bit operations. */
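Review bot: `atomic_add_ret_unchecked` is defined and marked `.globl` in arch/sparc/lib/atomic_64.S by this same patch, yet this hunk does not export it, while `atomic64_add_ret_unchecked` is exported a few lines later. Assuming the atomic header maps the 32-bit `atomic_add_return_unchecked()` onto this out-of-line symbol (the header is not visible here), any module that uses it will fail to load on sparc64 with an unresolved symbol. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` right after `EXPORT_SYMBOL(atomic_add_ret);` so the 32-bit and 64-bit unchecked sets are exported symmetrically.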
4792 diff -urNp linux-2.6.38.4/arch/sparc/Makefile linux-2.6.38.4/arch/sparc/Makefile
4793 --- linux-2.6.38.4/arch/sparc/Makefile 2011-03-14 21:20:32.000000000 -0400
4794 +++ linux-2.6.38.4/arch/sparc/Makefile 2011-04-17 15:57:32.000000000 -0400
4795 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4796 # Export what is needed by arch/sparc/boot/Makefile
4797 export VMLINUX_INIT VMLINUX_MAIN
4798 VMLINUX_INIT := $(head-y) $(init-y)
4799 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4800 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4801 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4802 VMLINUX_MAIN += $(drivers-y) $(net-y)
4804 diff -urNp linux-2.6.38.4/arch/sparc/mm/fault_32.c linux-2.6.38.4/arch/sparc/mm/fault_32.c
4805 --- linux-2.6.38.4/arch/sparc/mm/fault_32.c 2011-04-22 19:20:59.000000000 -0400
4806 +++ linux-2.6.38.4/arch/sparc/mm/fault_32.c 2011-04-22 19:21:10.000000000 -0400
4808 #include <linux/interrupt.h>
4809 #include <linux/module.h>
4810 #include <linux/kdebug.h>
4811 +#include <linux/slab.h>
4812 +#include <linux/pagemap.h>
4813 +#include <linux/compiler.h>
4815 #include <asm/system.h>
4816 #include <asm/page.h>
4817 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4818 return safe_compute_effective_address(regs, insn);
4821 +#ifdef CONFIG_PAX_PAGEEXEC
4822 +#ifdef CONFIG_PAX_DLRESOLVE
4823 +static void pax_emuplt_close(struct vm_area_struct *vma)
4825 + vma->vm_mm->call_dl_resolve = 0UL;
4828 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4830 + unsigned int *kaddr;
4832 + vmf->page = alloc_page(GFP_HIGHUSER);
4834 + return VM_FAULT_OOM;
4836 + kaddr = kmap(vmf->page);
4837 + memset(kaddr, 0, PAGE_SIZE);
4838 + kaddr[0] = 0x9DE3BFA8U; /* save */
4839 + flush_dcache_page(vmf->page);
4840 + kunmap(vmf->page);
4841 + return VM_FAULT_MAJOR;
4844 +static const struct vm_operations_struct pax_vm_ops = {
4845 + .close = pax_emuplt_close,
4846 + .fault = pax_emuplt_fault
4849 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4853 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4854 + vma->vm_mm = current->mm;
4855 + vma->vm_start = addr;
4856 + vma->vm_end = addr + PAGE_SIZE;
4857 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4858 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4859 + vma->vm_ops = &pax_vm_ops;
4861 + ret = insert_vm_struct(current->mm, vma);
4865 + ++current->mm->total_vm;
4871 + * PaX: decide what to do with offenders (regs->pc = fault address)
4873 + * returns 1 when task should be killed
4874 + * 2 when patched PLT trampoline was detected
4875 + * 3 when unpatched PLT trampoline was detected
4877 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4880 +#ifdef CONFIG_PAX_EMUPLT
4883 + do { /* PaX: patched PLT emulation #1 */
4884 + unsigned int sethi1, sethi2, jmpl;
4886 + err = get_user(sethi1, (unsigned int *)regs->pc);
4887 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4888 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4893 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4894 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4895 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4897 + unsigned int addr;
4899 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4900 + addr = regs->u_regs[UREG_G1];
4901 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4903 + regs->npc = addr+4;
4908 + { /* PaX: patched PLT emulation #2 */
4911 + err = get_user(ba, (unsigned int *)regs->pc);
4913 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4914 + unsigned int addr;
4916 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4918 + regs->npc = addr+4;
4923 + do { /* PaX: patched PLT emulation #3 */
4924 + unsigned int sethi, jmpl, nop;
4926 + err = get_user(sethi, (unsigned int *)regs->pc);
4927 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4928 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4933 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4934 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4935 + nop == 0x01000000U)
4937 + unsigned int addr;
4939 + addr = (sethi & 0x003FFFFFU) << 10;
4940 + regs->u_regs[UREG_G1] = addr;
4941 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4943 + regs->npc = addr+4;
4948 + do { /* PaX: unpatched PLT emulation step 1 */
4949 + unsigned int sethi, ba, nop;
4951 + err = get_user(sethi, (unsigned int *)regs->pc);
4952 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4953 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4958 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4959 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4960 + nop == 0x01000000U)
4962 + unsigned int addr, save, call;
4964 + if ((ba & 0xFFC00000U) == 0x30800000U)
4965 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4967 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4969 + err = get_user(save, (unsigned int *)addr);
4970 + err |= get_user(call, (unsigned int *)(addr+4));
4971 + err |= get_user(nop, (unsigned int *)(addr+8));
4975 +#ifdef CONFIG_PAX_DLRESOLVE
4976 + if (save == 0x9DE3BFA8U &&
4977 + (call & 0xC0000000U) == 0x40000000U &&
4978 + nop == 0x01000000U)
4980 + struct vm_area_struct *vma;
4981 + unsigned long call_dl_resolve;
4983 + down_read(¤t->mm->mmap_sem);
4984 + call_dl_resolve = current->mm->call_dl_resolve;
4985 + up_read(¤t->mm->mmap_sem);
4986 + if (likely(call_dl_resolve))
4989 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4991 + down_write(¤t->mm->mmap_sem);
4992 + if (current->mm->call_dl_resolve) {
4993 + call_dl_resolve = current->mm->call_dl_resolve;
4994 + up_write(¤t->mm->mmap_sem);
4996 + kmem_cache_free(vm_area_cachep, vma);
5000 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5001 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5002 + up_write(¤t->mm->mmap_sem);
5004 + kmem_cache_free(vm_area_cachep, vma);
5008 + if (pax_insert_vma(vma, call_dl_resolve)) {
5009 + up_write(¤t->mm->mmap_sem);
5010 + kmem_cache_free(vm_area_cachep, vma);
5014 + current->mm->call_dl_resolve = call_dl_resolve;
5015 + up_write(¤t->mm->mmap_sem);
5018 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5019 + regs->pc = call_dl_resolve;
5020 + regs->npc = addr+4;
5025 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5026 + if ((save & 0xFFC00000U) == 0x05000000U &&
5027 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5028 + nop == 0x01000000U)
5030 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5031 + regs->u_regs[UREG_G2] = addr + 4;
5032 + addr = (save & 0x003FFFFFU) << 10;
5033 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5035 + regs->npc = addr+4;
5041 + do { /* PaX: unpatched PLT emulation step 2 */
5042 + unsigned int save, call, nop;
5044 + err = get_user(save, (unsigned int *)(regs->pc-4));
5045 + err |= get_user(call, (unsigned int *)regs->pc);
5046 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5050 + if (save == 0x9DE3BFA8U &&
5051 + (call & 0xC0000000U) == 0x40000000U &&
5052 + nop == 0x01000000U)
5054 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5056 + regs->u_regs[UREG_RETPC] = regs->pc;
5057 + regs->pc = dl_resolve;
5058 + regs->npc = dl_resolve+4;
5067 +void pax_report_insns(void *pc, void *sp)
5071 + printk(KERN_ERR "PAX: bytes at PC: ");
5072 + for (i = 0; i < 8; i++) {
5074 + if (get_user(c, (unsigned int *)pc+i))
5075 + printk(KERN_CONT "???????? ");
5077 + printk(KERN_CONT "%08x ", c);
5083 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
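Review bot: `pax_emuplt_close`, `pax_emuplt_fault`, `pax_vm_ops`, `pax_insert_vma` and `pax_report_insns` added here are byte-for-byte the same as the copies this patch adds to arch/sparc/mm/fault_64.c, so any later fix has to be remembered twice; consider hoisting them into one shared arch/sparc/mm source used by both fault handlers. Separately, in the DLRESOLVE block of `pax_handle_fetch_fault` the `vma == NULL` test at `if (!vma || (call_dl_resolve & ~PAGE_MASK))` only runs after `get_unmapped_area()` has already been called under the write side of `mmap_sem`; checking the `kmem_cache_zalloc()` result immediately and bailing out before `down_write()` avoids a pointless search under the lock and makes the failure path read as one step. The mapping itself being inserted as `VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC` with no write bits is the right shape for an emulated resolver stub.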
5086 @@ -281,6 +546,24 @@ good_area:
5087 if(!(vma->vm_flags & VM_WRITE))
5091 +#ifdef CONFIG_PAX_PAGEEXEC
5092 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5093 + up_read(&mm->mmap_sem);
5094 + switch (pax_handle_fetch_fault(regs)) {
5096 +#ifdef CONFIG_PAX_EMUPLT
5103 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5104 + do_group_exit(SIGKILL);
5108 /* Allow reads even for write-only mappings */
5109 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5111 diff -urNp linux-2.6.38.4/arch/sparc/mm/fault_64.c linux-2.6.38.4/arch/sparc/mm/fault_64.c
5112 --- linux-2.6.38.4/arch/sparc/mm/fault_64.c 2011-03-14 21:20:32.000000000 -0400
5113 +++ linux-2.6.38.4/arch/sparc/mm/fault_64.c 2011-04-17 15:57:32.000000000 -0400
5115 #include <linux/kprobes.h>
5116 #include <linux/kdebug.h>
5117 #include <linux/percpu.h>
5118 +#include <linux/slab.h>
5119 +#include <linux/pagemap.h>
5120 +#include <linux/compiler.h>
5122 #include <asm/page.h>
5123 #include <asm/pgtable.h>
5124 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5125 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5127 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5128 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5129 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5130 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5132 unhandled_fault(regs->tpc, current, regs);
5133 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5137 +#ifdef CONFIG_PAX_PAGEEXEC
5138 +#ifdef CONFIG_PAX_DLRESOLVE
5139 +static void pax_emuplt_close(struct vm_area_struct *vma)
5141 + vma->vm_mm->call_dl_resolve = 0UL;
5144 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5146 + unsigned int *kaddr;
5148 + vmf->page = alloc_page(GFP_HIGHUSER);
5150 + return VM_FAULT_OOM;
5152 + kaddr = kmap(vmf->page);
5153 + memset(kaddr, 0, PAGE_SIZE);
5154 + kaddr[0] = 0x9DE3BFA8U; /* save */
5155 + flush_dcache_page(vmf->page);
5156 + kunmap(vmf->page);
5157 + return VM_FAULT_MAJOR;
5160 +static const struct vm_operations_struct pax_vm_ops = {
5161 + .close = pax_emuplt_close,
5162 + .fault = pax_emuplt_fault
5165 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5169 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5170 + vma->vm_mm = current->mm;
5171 + vma->vm_start = addr;
5172 + vma->vm_end = addr + PAGE_SIZE;
5173 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5174 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5175 + vma->vm_ops = &pax_vm_ops;
5177 + ret = insert_vm_struct(current->mm, vma);
5181 + ++current->mm->total_vm;
5187 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5189 + * returns 1 when task should be killed
5190 + * 2 when patched PLT trampoline was detected
5191 + * 3 when unpatched PLT trampoline was detected
5193 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5196 +#ifdef CONFIG_PAX_EMUPLT
5199 + do { /* PaX: patched PLT emulation #1 */
5200 + unsigned int sethi1, sethi2, jmpl;
5202 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5203 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5204 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5209 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5210 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5211 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5213 + unsigned long addr;
5215 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5216 + addr = regs->u_regs[UREG_G1];
5217 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5219 + if (test_thread_flag(TIF_32BIT))
5220 + addr &= 0xFFFFFFFFUL;
5223 + regs->tnpc = addr+4;
5228 + { /* PaX: patched PLT emulation #2 */
5231 + err = get_user(ba, (unsigned int *)regs->tpc);
5233 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5234 + unsigned long addr;
5236 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5238 + if (test_thread_flag(TIF_32BIT))
5239 + addr &= 0xFFFFFFFFUL;
5242 + regs->tnpc = addr+4;
5247 + do { /* PaX: patched PLT emulation #3 */
5248 + unsigned int sethi, jmpl, nop;
5250 + err = get_user(sethi, (unsigned int *)regs->tpc);
5251 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5252 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5257 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5258 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5259 + nop == 0x01000000U)
5261 + unsigned long addr;
5263 + addr = (sethi & 0x003FFFFFU) << 10;
5264 + regs->u_regs[UREG_G1] = addr;
5265 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5267 + if (test_thread_flag(TIF_32BIT))
5268 + addr &= 0xFFFFFFFFUL;
5271 + regs->tnpc = addr+4;
5276 + do { /* PaX: patched PLT emulation #4 */
5277 + unsigned int sethi, mov1, call, mov2;
5279 + err = get_user(sethi, (unsigned int *)regs->tpc);
5280 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5281 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5282 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5287 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5288 + mov1 == 0x8210000FU &&
5289 + (call & 0xC0000000U) == 0x40000000U &&
5290 + mov2 == 0x9E100001U)
5292 + unsigned long addr;
5294 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5295 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5297 + if (test_thread_flag(TIF_32BIT))
5298 + addr &= 0xFFFFFFFFUL;
5301 + regs->tnpc = addr+4;
5306 + do { /* PaX: patched PLT emulation #5 */
5307 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5309 + err = get_user(sethi, (unsigned int *)regs->tpc);
5310 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5311 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5312 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5313 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5314 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5315 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5316 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5321 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5322 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5323 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5324 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5325 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5326 + sllx == 0x83287020U &&
5327 + jmpl == 0x81C04005U &&
5328 + nop == 0x01000000U)
5330 + unsigned long addr;
5332 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5333 + regs->u_regs[UREG_G1] <<= 32;
5334 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5335 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5337 + regs->tnpc = addr+4;
5342 + do { /* PaX: patched PLT emulation #6 */
5343 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5345 + err = get_user(sethi, (unsigned int *)regs->tpc);
5346 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5347 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5348 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5349 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5350 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5351 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5356 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5357 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5358 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5359 + sllx == 0x83287020U &&
5360 + (or & 0xFFFFE000U) == 0x8A116000U &&
5361 + jmpl == 0x81C04005U &&
5362 + nop == 0x01000000U)
5364 + unsigned long addr;
5366 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5367 + regs->u_regs[UREG_G1] <<= 32;
5368 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5369 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5371 + regs->tnpc = addr+4;
5376 + do { /* PaX: unpatched PLT emulation step 1 */
5377 + unsigned int sethi, ba, nop;
5379 + err = get_user(sethi, (unsigned int *)regs->tpc);
5380 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5381 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5386 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5387 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5388 + nop == 0x01000000U)
5390 + unsigned long addr;
5391 + unsigned int save, call;
5392 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5394 + if ((ba & 0xFFC00000U) == 0x30800000U)
5395 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5397 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5399 + if (test_thread_flag(TIF_32BIT))
5400 + addr &= 0xFFFFFFFFUL;
5402 + err = get_user(save, (unsigned int *)addr);
5403 + err |= get_user(call, (unsigned int *)(addr+4));
5404 + err |= get_user(nop, (unsigned int *)(addr+8));
5408 +#ifdef CONFIG_PAX_DLRESOLVE
5409 + if (save == 0x9DE3BFA8U &&
5410 + (call & 0xC0000000U) == 0x40000000U &&
5411 + nop == 0x01000000U)
5413 + struct vm_area_struct *vma;
5414 + unsigned long call_dl_resolve;
5416 + down_read(¤t->mm->mmap_sem);
5417 + call_dl_resolve = current->mm->call_dl_resolve;
5418 + up_read(¤t->mm->mmap_sem);
5419 + if (likely(call_dl_resolve))
5422 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5424 + down_write(¤t->mm->mmap_sem);
5425 + if (current->mm->call_dl_resolve) {
5426 + call_dl_resolve = current->mm->call_dl_resolve;
5427 + up_write(¤t->mm->mmap_sem);
5429 + kmem_cache_free(vm_area_cachep, vma);
5433 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5434 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5435 + up_write(¤t->mm->mmap_sem);
5437 + kmem_cache_free(vm_area_cachep, vma);
5441 + if (pax_insert_vma(vma, call_dl_resolve)) {
5442 + up_write(¤t->mm->mmap_sem);
5443 + kmem_cache_free(vm_area_cachep, vma);
5447 + current->mm->call_dl_resolve = call_dl_resolve;
5448 + up_write(¤t->mm->mmap_sem);
5451 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5452 + regs->tpc = call_dl_resolve;
5453 + regs->tnpc = addr+4;
5458 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5459 + if ((save & 0xFFC00000U) == 0x05000000U &&
5460 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5461 + nop == 0x01000000U)
5463 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5464 + regs->u_regs[UREG_G2] = addr + 4;
5465 + addr = (save & 0x003FFFFFU) << 10;
5466 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5468 + if (test_thread_flag(TIF_32BIT))
5469 + addr &= 0xFFFFFFFFUL;
5472 + regs->tnpc = addr+4;
5476 + /* PaX: 64-bit PLT stub */
5477 + err = get_user(sethi1, (unsigned int *)addr);
5478 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5479 + err |= get_user(or1, (unsigned int *)(addr+8));
5480 + err |= get_user(or2, (unsigned int *)(addr+12));
5481 + err |= get_user(sllx, (unsigned int *)(addr+16));
5482 + err |= get_user(add, (unsigned int *)(addr+20));
5483 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5484 + err |= get_user(nop, (unsigned int *)(addr+28));
5488 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5489 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5490 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5491 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5492 + sllx == 0x89293020U &&
5493 + add == 0x8A010005U &&
5494 + jmpl == 0x89C14000U &&
5495 + nop == 0x01000000U)
5497 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5498 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5499 + regs->u_regs[UREG_G4] <<= 32;
5500 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5501 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5502 + regs->u_regs[UREG_G4] = addr + 24;
5503 + addr = regs->u_regs[UREG_G5];
5505 + regs->tnpc = addr+4;
5511 +#ifdef CONFIG_PAX_DLRESOLVE
5512 + do { /* PaX: unpatched PLT emulation step 2 */
5513 + unsigned int save, call, nop;
5515 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5516 + err |= get_user(call, (unsigned int *)regs->tpc);
5517 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5521 + if (save == 0x9DE3BFA8U &&
5522 + (call & 0xC0000000U) == 0x40000000U &&
5523 + nop == 0x01000000U)
5525 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5527 + if (test_thread_flag(TIF_32BIT))
5528 + dl_resolve &= 0xFFFFFFFFUL;
5530 + regs->u_regs[UREG_RETPC] = regs->tpc;
5531 + regs->tpc = dl_resolve;
5532 + regs->tnpc = dl_resolve+4;
5538 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5539 + unsigned int sethi, ba, nop;
5541 + err = get_user(sethi, (unsigned int *)regs->tpc);
5542 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5543 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5548 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5549 + (ba & 0xFFF00000U) == 0x30600000U &&
5550 + nop == 0x01000000U)
5552 + unsigned long addr;
5554 + addr = (sethi & 0x003FFFFFU) << 10;
5555 + regs->u_regs[UREG_G1] = addr;
5556 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5558 + if (test_thread_flag(TIF_32BIT))
5559 + addr &= 0xFFFFFFFFUL;
5562 + regs->tnpc = addr+4;
5572 +void pax_report_insns(void *pc, void *sp)
5576 + printk(KERN_ERR "PAX: bytes at PC: ");
5577 + for (i = 0; i < 8; i++) {
5579 + if (get_user(c, (unsigned int *)pc+i))
5580 + printk(KERN_CONT "???????? ");
5582 + printk(KERN_CONT "%08x ", c);
5588 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5590 struct mm_struct *mm = current->mm;
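Review bot: In the DLRESOLVE branch of `pax_handle_fetch_fault`, the failure test on `get_unmapped_area()` is `call_dl_resolve & ~PAGE_MASK`, which rejects an error only because negative errno values happen to have low bits set; the hugetlbpage.c hunk of this same patch tests the equivalent return with `IS_ERR_VALUE()`, and this site should say what it means in the same way: `if (!vma || IS_ERR_VALUE(call_dl_resolve) || (call_dl_resolve & ~PAGE_MASK)) {`. The surrounding sequence — an unlocked read of `mm->call_dl_resolve`, then a re-check under `down_write()` before inserting the VMA — is the correct double-check and needs no change. Note also that the 64-bit-only emulation cases #5 and #6 do not apply the `TIF_32BIT` address mask that every other case does; that looks intentional (the matched `sllx ..., 32` sequence cannot occur in a 32-bit PLT), but a one-line comment saying so would stop a reader from "fixing" it.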
5591 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5595 +#ifdef CONFIG_PAX_PAGEEXEC
5596 + /* PaX: detect ITLB misses on non-exec pages */
5597 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5598 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5600 + if (address != regs->tpc)
5603 + up_read(&mm->mmap_sem);
5604 + switch (pax_handle_fetch_fault(regs)) {
5606 +#ifdef CONFIG_PAX_EMUPLT
5613 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5614 + do_group_exit(SIGKILL);
5618 /* Pure DTLB misses do not tell us whether the fault causing
5619 * load/store/atomic was a write or not, it only says that there
5620 * was no match. So in such a case we (carefully) read the
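Review bot: `pax_report_fault()` is handed `regs->u_regs[UREG_FP] + STACK_BIAS` unconditionally, but as far as I can tell a compat task (`TIF_32BIT`) has an unbiased user frame pointer on sparc64, so the stack address reported for a 32-bit process would be off by the bias; `pax_handle_fetch_fault` in this same file already special-cases 32-bit tasks with `if (test_thread_flag(TIF_32BIT)) addr &= 0xFFFFFFFFUL;`, and the same distinction belongs here. Suggested: `unsigned long sp = regs->u_regs[UREG_FP]; if (test_thread_flag(TIF_32BIT)) sp &= 0xFFFFFFFFUL; else sp += STACK_BIAS;` and pass `(void *)sp`. This only affects what gets logged, since the task is killed with `do_group_exit(SIGKILL)` right after, but a wrong SP makes the report useless for triage. The `case` labels between the `switch` and `pax_report_fault` are not visible in this view.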
5621 diff -urNp linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c
5622 --- linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
5623 +++ linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c 2011-04-17 15:57:32.000000000 -0400
5624 @@ -68,7 +68,7 @@ full_search:
5628 - if (likely(!vma || addr + len <= vma->vm_start)) {
5629 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5631 * Remember the place where we stopped the search:
5633 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5634 /* make sure it can fit in the remaining address space */
5635 if (likely(addr > len)) {
5636 vma = find_vma(mm, addr-len);
5637 - if (!vma || addr <= vma->vm_start) {
5638 + if (check_heap_stack_gap(vma, addr - len, len)) {
5639 /* remember the address as a hint for next time */
5640 return (mm->free_area_cache = addr-len);
5642 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
5643 if (unlikely(mm->mmap_base < len))
5646 - addr = (mm->mmap_base-len) & HPAGE_MASK;
5647 + addr = mm->mmap_base - len;
5650 + addr &= HPAGE_MASK;
5652 * Lookup failure means no vma is above this address,
5653 * else if new region fits below vma->vm_start,
5654 * return with success:
5656 vma = find_vma(mm, addr);
5657 - if (likely(!vma || addr+len <= vma->vm_start)) {
5658 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5659 /* remember the address as a hint for next time */
5660 return (mm->free_area_cache = addr);
5662 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
5663 mm->cached_hole_size = vma->vm_start - addr;
5665 /* try just below the current vma->vm_start */
5666 - addr = (vma->vm_start-len) & HPAGE_MASK;
5667 - } while (likely(len < vma->vm_start));
5668 + addr = skip_heap_stack_gap(vma, len);
5669 + } while (!IS_ERR_VALUE(addr));
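Review bot: The replacement `addr = skip_heap_stack_gap(vma, len);` drops the `& HPAGE_MASK` that the removed line applied, so unless skip_heap_stack_gap (defined outside this file) rounds its result down to a huge-page boundary, the next `find_vma(mm, addr)` / `check_heap_stack_gap` iteration and the address finally returned can be misaligned for a huge page. The earlier hunk at @@ -116 keeps the mask (`addr &= HPAGE_MASK;` right after `addr = mm->mmap_base - len;`), so the two paths of the same search are now inconsistent. Either re-apply it here, `addr = skip_heap_stack_gap(vma, len); if (!IS_ERR_VALUE(addr)) addr &= HPAGE_MASK;`, or state in a comment that skip_heap_stack_gap already returns a huge-page-aligned address. The enclosing do/while loop starts outside the hunk.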
5673 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
5675 addr = ALIGN(addr, HPAGE_SIZE);
5676 vma = find_vma(mm, addr);
5677 - if (task_size - len >= addr &&
5678 - (!vma || addr + len <= vma->vm_start))
5679 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5682 if (mm->get_unmapped_area == arch_get_unmapped_area)
5683 diff -urNp linux-2.6.38.4/arch/sparc/mm/init_32.c linux-2.6.38.4/arch/sparc/mm/init_32.c
5684 --- linux-2.6.38.4/arch/sparc/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
5685 +++ linux-2.6.38.4/arch/sparc/mm/init_32.c 2011-04-17 15:57:32.000000000 -0400
5686 @@ -318,6 +318,9 @@ extern void device_scan(void);
5687 pgprot_t PAGE_SHARED __read_mostly;
5688 EXPORT_SYMBOL(PAGE_SHARED);
5690 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5691 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5693 void __init paging_init(void)
5695 switch(sparc_cpu_model) {
5696 @@ -346,17 +349,17 @@ void __init paging_init(void)
5698 /* Initialize the protection map with non-constant, MMU dependent values. */
5699 protection_map[0] = PAGE_NONE;
5700 - protection_map[1] = PAGE_READONLY;
5701 - protection_map[2] = PAGE_COPY;
5702 - protection_map[3] = PAGE_COPY;
5703 + protection_map[1] = PAGE_READONLY_NOEXEC;
5704 + protection_map[2] = PAGE_COPY_NOEXEC;
5705 + protection_map[3] = PAGE_COPY_NOEXEC;
5706 protection_map[4] = PAGE_READONLY;
5707 protection_map[5] = PAGE_READONLY;
5708 protection_map[6] = PAGE_COPY;
5709 protection_map[7] = PAGE_COPY;
5710 protection_map[8] = PAGE_NONE;
5711 - protection_map[9] = PAGE_READONLY;
5712 - protection_map[10] = PAGE_SHARED;
5713 - protection_map[11] = PAGE_SHARED;
5714 + protection_map[9] = PAGE_READONLY_NOEXEC;
5715 + protection_map[10] = PAGE_SHARED_NOEXEC;
5716 + protection_map[11] = PAGE_SHARED_NOEXEC;
5717 protection_map[12] = PAGE_READONLY;
5718 protection_map[13] = PAGE_READONLY;
5719 protection_map[14] = PAGE_SHARED;
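Review bot: `protection_map[1..3]` and `[9..11]` are switched to the `*_NOEXEC` protections unconditionally in paging_init, while the srmmu.c hunk for ld_mmu_srmmu later in this patch assigns `PAGE_SHARED_NOEXEC` and the `page_copy_noexec`/`page_readonly_noexec` fixups only under `#ifdef CONFIG_PAX_PAGEEXEC`. If the `PAGE_*_NOEXEC` macros do not fall back to the executable variants when that option is off (their definitions are not in this hunk), the map would be filled from an uninitialised `pgprot_t` on non-PAGEEXEC builds. A one-line comment above the first changed entry would pin the intended contract, e.g. `/* PAGE_*_NOEXEC equal PAGE_* unless CONFIG_PAX_PAGEEXEC supplies non-executable variants */`, or the assignments should carry the same `#ifdef` as the srmmu initialisation.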
5720 diff -urNp linux-2.6.38.4/arch/sparc/mm/Makefile linux-2.6.38.4/arch/sparc/mm/Makefile
5721 --- linux-2.6.38.4/arch/sparc/mm/Makefile 2011-03-14 21:20:32.000000000 -0400
5722 +++ linux-2.6.38.4/arch/sparc/mm/Makefile 2011-04-17 15:57:32.000000000 -0400
5727 -ccflags-y := -Werror
5728 +#ccflags-y := -Werror
5730 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5731 obj-y += fault_$(BITS).o
5732 diff -urNp linux-2.6.38.4/arch/sparc/mm/srmmu.c linux-2.6.38.4/arch/sparc/mm/srmmu.c
5733 --- linux-2.6.38.4/arch/sparc/mm/srmmu.c 2011-03-14 21:20:32.000000000 -0400
5734 +++ linux-2.6.38.4/arch/sparc/mm/srmmu.c 2011-04-17 15:57:32.000000000 -0400
5735 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5736 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5737 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5738 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5740 +#ifdef CONFIG_PAX_PAGEEXEC
5741 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5742 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5743 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5746 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5747 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5749 diff -urNp linux-2.6.38.4/arch/um/include/asm/kmap_types.h linux-2.6.38.4/arch/um/include/asm/kmap_types.h
5750 --- linux-2.6.38.4/arch/um/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
5751 +++ linux-2.6.38.4/arch/um/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
5752 @@ -23,6 +23,7 @@ enum km_type {
5760 diff -urNp linux-2.6.38.4/arch/um/include/asm/page.h linux-2.6.38.4/arch/um/include/asm/page.h
5761 --- linux-2.6.38.4/arch/um/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
5762 +++ linux-2.6.38.4/arch/um/include/asm/page.h 2011-04-17 15:57:32.000000000 -0400
5764 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5765 #define PAGE_MASK (~(PAGE_SIZE-1))
5767 +#define ktla_ktva(addr) (addr)
5768 +#define ktva_ktla(addr) (addr)
5770 #ifndef __ASSEMBLY__
5773 diff -urNp linux-2.6.38.4/arch/um/kernel/process.c linux-2.6.38.4/arch/um/kernel/process.c
5774 --- linux-2.6.38.4/arch/um/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
5775 +++ linux-2.6.38.4/arch/um/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
5776 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5781 - * Only x86 and x86_64 have an arch_align_stack().
5782 - * All other arches have "#define arch_align_stack(x) (x)"
5783 - * in their asm/system.h
5784 - * As this is included in UML from asm-um/system-generic.h,
5785 - * we can use it to behave as the subarch does.
5787 -#ifndef arch_align_stack
5788 -unsigned long arch_align_stack(unsigned long sp)
5790 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5791 - sp -= get_random_int() % 8192;
5796 unsigned long get_wchan(struct task_struct *p)
5798 unsigned long stack_page, sp, ip;
5799 diff -urNp linux-2.6.38.4/arch/um/sys-i386/syscalls.c linux-2.6.38.4/arch/um/sys-i386/syscalls.c
5800 --- linux-2.6.38.4/arch/um/sys-i386/syscalls.c 2011-03-14 21:20:32.000000000 -0400
5801 +++ linux-2.6.38.4/arch/um/sys-i386/syscalls.c 2011-04-17 15:57:32.000000000 -0400
5803 #include "asm/uaccess.h"
5804 #include "asm/unistd.h"
5806 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5808 + unsigned long pax_task_size = TASK_SIZE;
5810 +#ifdef CONFIG_PAX_SEGMEXEC
5811 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5812 + pax_task_size = SEGMEXEC_TASK_SIZE;
5815 + if (len > pax_task_size || addr > pax_task_size - len)
5822 * The prototype on i386 is:
5824 diff -urNp linux-2.6.38.4/arch/x86/boot/bitops.h linux-2.6.38.4/arch/x86/boot/bitops.h
5825 --- linux-2.6.38.4/arch/x86/boot/bitops.h 2011-03-14 21:20:32.000000000 -0400
5826 +++ linux-2.6.38.4/arch/x86/boot/bitops.h 2011-04-17 15:57:32.000000000 -0400
5827 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5829 const u32 *p = (const u32 *)addr;
5831 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5832 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5836 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5838 static inline void set_bit(int nr, void *addr)
5840 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5841 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5844 #endif /* BOOT_BITOPS_H */
5845 diff -urNp linux-2.6.38.4/arch/x86/boot/boot.h linux-2.6.38.4/arch/x86/boot/boot.h
5846 --- linux-2.6.38.4/arch/x86/boot/boot.h 2011-03-14 21:20:32.000000000 -0400
5847 +++ linux-2.6.38.4/arch/x86/boot/boot.h 2011-04-17 15:57:32.000000000 -0400
5848 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5849 static inline u16 ds(void)
5852 - asm("movw %%ds,%0" : "=rm" (seg));
5853 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5857 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5858 static inline int memcmp(const void *s1, const void *s2, size_t len)
5861 - asm("repe; cmpsb; setnz %0"
5862 + asm volatile("repe; cmpsb; setnz %0"
5863 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
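Review bot: Adding `volatile` to the `repe; cmpsb` asm in memcmp does not tell the compiler that the bytes behind s1 and s2 are read, because the only memory-related operands are the register constraints `"+D"`, `"+S"` and `"+c"`; a preceding store into either buffer may still be scheduled after the comparison. `volatile` only keeps the statement from being deleted or hoisted, it does not order it against ordinary memory accesses. The missing piece is a clobber: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. The function's return statement lies outside the hunk.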
5866 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/head_32.S linux-2.6.38.4/arch/x86/boot/compressed/head_32.S
5867 --- linux-2.6.38.4/arch/x86/boot/compressed/head_32.S 2011-03-14 21:20:32.000000000 -0400
5868 +++ linux-2.6.38.4/arch/x86/boot/compressed/head_32.S 2011-04-17 15:57:32.000000000 -0400
5869 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5873 - movl $LOAD_PHYSICAL_ADDR, %ebx
5874 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5877 /* Target address to relocate to for decompression */
5878 @@ -162,7 +162,7 @@ relocated:
5879 * and where it was actually loaded.
5882 - subl $LOAD_PHYSICAL_ADDR, %ebx
5883 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5884 jz 2f /* Nothing to be done if loaded at compiled addr. */
5886 * Process relocations.
5887 @@ -170,8 +170,7 @@ relocated:
5894 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5897 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/head_64.S linux-2.6.38.4/arch/x86/boot/compressed/head_64.S
5898 --- linux-2.6.38.4/arch/x86/boot/compressed/head_64.S 2011-03-14 21:20:32.000000000 -0400
5899 +++ linux-2.6.38.4/arch/x86/boot/compressed/head_64.S 2011-04-17 15:57:32.000000000 -0400
5900 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5904 - movl $LOAD_PHYSICAL_ADDR, %ebx
5905 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5908 /* Target address to relocate to for decompression */
5909 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5913 - movq $LOAD_PHYSICAL_ADDR, %rbp
5914 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5917 /* Target address to relocate to for decompression */
5918 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/misc.c linux-2.6.38.4/arch/x86/boot/compressed/misc.c
5919 --- linux-2.6.38.4/arch/x86/boot/compressed/misc.c 2011-03-14 21:20:32.000000000 -0400
5920 +++ linux-2.6.38.4/arch/x86/boot/compressed/misc.c 2011-04-17 15:57:32.000000000 -0400
5921 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
5923 #ifdef CONFIG_RELOCATABLE
5925 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5926 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5928 dest = (void *)(phdr->p_paddr);
5930 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5931 error("Destination address too large");
5933 #ifndef CONFIG_RELOCATABLE
5934 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5935 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5936 error("Wrong destination address");
5939 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/relocs.c linux-2.6.38.4/arch/x86/boot/compressed/relocs.c
5940 --- linux-2.6.38.4/arch/x86/boot/compressed/relocs.c 2011-03-14 21:20:32.000000000 -0400
5941 +++ linux-2.6.38.4/arch/x86/boot/compressed/relocs.c 2011-04-17 15:57:32.000000000 -0400
5944 static void die(char *fmt, ...);
5946 +#include "../../../../include/generated/autoconf.h"
5948 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5949 static Elf32_Ehdr ehdr;
5950 +static Elf32_Phdr *phdr;
5951 static unsigned long reloc_count, reloc_idx;
5952 static unsigned long *relocs;
5954 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5958 +static void read_phdrs(FILE *fp)
5962 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5964 + die("Unable to allocate %d program headers\n",
5967 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5968 + die("Seek to %d failed: %s\n",
5969 + ehdr.e_phoff, strerror(errno));
5971 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5972 + die("Cannot read ELF program headers: %s\n",
5975 + for(i = 0; i < ehdr.e_phnum; i++) {
5976 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5977 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5978 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5979 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5980 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5981 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5982 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5983 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5988 static void read_shdrs(FILE *fp)
5994 secs = calloc(ehdr.e_shnum, sizeof(struct section));
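Review bot: read_phdrs consumes `ehdr.e_phnum` and `ehdr.e_phoff` without validating `ehdr.e_phentsize` against `sizeof(*phdr)`, so `fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp)` silently misparses an image whose program-header entry size differs; a guard at the top, `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Unsupported ELF program header size: %d\n", ehdr.e_phentsize);`, follows the shape of the other die() checks in this function. The `die("Seek to %d failed: %s\n", ehdr.e_phoff, ...)` call passes an `Elf32_Off` (an unsigned 32-bit field) to `%d`; `%u` is the matching conversion. Style: `calloc(ehdr.e_phnum, sizeof(*phdr))` keeps the element size tied to the variable, and `for(i = ...)` wants the space after `for` that the other loops in this file use. The declaration of `i` and the closing brace of read_phdrs are not among the visible lines.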
5995 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5997 static void read_strtabs(FILE *fp)
6001 for (i = 0; i < ehdr.e_shnum; i++) {
6002 struct section *sec = &secs[i];
6003 if (sec->shdr.sh_type != SHT_STRTAB) {
6004 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
6006 static void read_symtabs(FILE *fp)
6010 for (i = 0; i < ehdr.e_shnum; i++) {
6011 struct section *sec = &secs[i];
6012 if (sec->shdr.sh_type != SHT_SYMTAB) {
6013 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6015 static void read_relocs(FILE *fp)
6021 for (i = 0; i < ehdr.e_shnum; i++) {
6022 struct section *sec = &secs[i];
6023 if (sec->shdr.sh_type != SHT_REL) {
6024 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6025 die("Cannot read symbol table: %s\n",
6029 + for (j = 0; j < ehdr.e_phnum; j++) {
6030 + if (phdr[j].p_type != PT_LOAD )
6032 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6034 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6037 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6038 Elf32_Rel *rel = &sec->reltab[j];
6039 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6040 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6041 rel->r_info = elf32_to_cpu(rel->r_info);
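Review bot: `base` is assigned inside the new `for (j ...)` loop only when a PT_LOAD segment contains the section the relocations apply to, so for a section no PT_LOAD covers it keeps whatever value it had before the loop, which is outside the visible lines; if that is not an explicit initialiser, every `rel->r_offset` of such a section has an indeterminate value added. A `die()` after the loop when no segment matched, or `base = 0;` at the declaration with a comment saying that sections outside any PT_LOAD are not rebased, makes the intent checkable. `secs[sec->shdr.sh_info]` also indexes with a value read from the file without comparing it against `ehdr.e_shnum`. The one-line containment test is hard to read; hoisting `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;` and splitting the condition across two lines would help. The declaration of `base` and the loop that follows it start outside the hunk.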
6044 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6046 static void print_absolute_symbols(void)
6050 printf("Absolute symbols\n");
6051 printf(" Num: Value Size Type Bind Visibility Name\n");
6052 for (i = 0; i < ehdr.e_shnum; i++) {
6053 struct section *sec = &secs[i];
6055 Elf32_Sym *sh_symtab;
6059 if (sec->shdr.sh_type != SHT_SYMTAB) {
6061 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6063 static void print_absolute_relocs(void)
6065 - int i, printed = 0;
6066 + unsigned int i, printed = 0;
6068 for (i = 0; i < ehdr.e_shnum; i++) {
6069 struct section *sec = &secs[i];
6070 struct section *sec_applies, *sec_symtab;
6072 Elf32_Sym *sh_symtab;
6075 if (sec->shdr.sh_type != SHT_REL) {
6078 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6080 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6084 /* Walk through the relocations */
6085 for (i = 0; i < ehdr.e_shnum; i++) {
6087 Elf32_Sym *sh_symtab;
6088 struct section *sec_applies, *sec_symtab;
6091 struct section *sec = &secs[i];
6093 if (sec->shdr.sh_type != SHT_REL) {
6094 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6095 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6098 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6099 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6102 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6103 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6104 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6106 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6108 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6110 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
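Review bot: The KERNEXEC block documents why code sections are skipped (`relocated implicitly by the base address of KERNEL_CS`) but not why two symbols are exempted from that rule, `_etext` in `.module.text` and `__LOAD_PHYSICAL_ADDR` in `.text`; without that rationale a reader cannot tell whether the exceptions are deliberate. A comment on each, e.g. `/* _etext and __LOAD_PHYSICAL_ADDR are consumed as data addresses, so they still need the load-address fixup */` if that is the reason, would make the rule auditable. The four `strcmp(sec_name(sym->st_shndx), ...)` tests run per relocation; computing `const char *sname = sec_name(sym->st_shndx);` once above them is a small readability gain. The enclosing condition and loop begin before the hunk, and the `continue` statements after each test are not among the visible lines.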
6117 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6119 static void emit_relocs(int as_text)
6123 /* Count how many relocations I have and allocate space for them. */
6125 walk_relocs(count_reloc);
6126 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6127 fname, strerror(errno));
6134 diff -urNp linux-2.6.38.4/arch/x86/boot/cpucheck.c linux-2.6.38.4/arch/x86/boot/cpucheck.c
6135 --- linux-2.6.38.4/arch/x86/boot/cpucheck.c 2011-03-14 21:20:32.000000000 -0400
6136 +++ linux-2.6.38.4/arch/x86/boot/cpucheck.c 2011-04-17 15:57:32.000000000 -0400
6137 @@ -74,7 +74,7 @@ static int has_fpu(void)
6138 u16 fcw = -1, fsw = -1;
6141 - asm("movl %%cr0,%0" : "=r" (cr0));
6142 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6143 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6144 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6145 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6146 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6151 + asm volatile("pushfl ; "
6155 @@ -115,7 +115,7 @@ static void get_flags(void)
6156 set_bit(X86_FEATURE_FPU, cpu.flags);
6158 if (has_eflag(X86_EFLAGS_ID)) {
6160 + asm volatile("cpuid"
6161 : "=a" (max_intel_level),
6162 "=b" (cpu_vendor[0]),
6163 "=d" (cpu_vendor[1]),
6164 @@ -124,7 +124,7 @@ static void get_flags(void)
6166 if (max_intel_level >= 0x00000001 &&
6167 max_intel_level <= 0x0000ffff) {
6169 + asm volatile("cpuid"
6171 "=c" (cpu.flags[4]),
6173 @@ -136,7 +136,7 @@ static void get_flags(void)
6174 cpu.model += ((tfms >> 16) & 0xf) << 4;
6178 + asm volatile("cpuid"
6179 : "=a" (max_amd_level)
6181 : "ebx", "ecx", "edx");
6182 @@ -144,7 +144,7 @@ static void get_flags(void)
6183 if (max_amd_level >= 0x80000001 &&
6184 max_amd_level <= 0x8000ffff) {
6185 u32 eax = 0x80000001;
6187 + asm volatile("cpuid"
6189 "=c" (cpu.flags[6]),
6191 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6192 u32 ecx = MSR_K7_HWCR;
6195 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6196 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6198 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6199 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6201 get_flags(); /* Make sure it really did something */
6202 err = check_flags();
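Review bot: Only the `rdmsr` change in this hunk alters semantics: an asm statement with no output operands, such as `asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));`, is already treated as volatile by GCC, so adding the keyword there is a no-op, whereas `rdmsr` has outputs and without `volatile` its executions before and after a `wrmsr` could be merged or dropped. A short comment on the first rdmsr, `/* volatile: the MSR is rewritten below, so the read must not be CSE'd */`, states the reason once; the same applies to the two later check_cpu hunks. The enclosing `if` blocks start outside the hunk.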
6203 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6204 u32 ecx = MSR_VIA_FCR;
6207 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6208 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6209 eax |= (1<<1)|(1<<7);
6210 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6211 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6213 set_bit(X86_FEATURE_CX8, cpu.flags);
6214 err = check_flags();
6215 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6219 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6220 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6222 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6223 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6224 + asm volatile("cpuid"
6225 : "+a" (level), "=d" (cpu.flags[0])
6227 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6228 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6230 err = check_flags();
6232 diff -urNp linux-2.6.38.4/arch/x86/boot/header.S linux-2.6.38.4/arch/x86/boot/header.S
6233 --- linux-2.6.38.4/arch/x86/boot/header.S 2011-03-14 21:20:32.000000000 -0400
6234 +++ linux-2.6.38.4/arch/x86/boot/header.S 2011-04-17 15:57:32.000000000 -0400
6235 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6236 # single linked list of
6239 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6240 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6242 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6243 #define VO_INIT_SIZE (VO__end - VO__text)
6244 diff -urNp linux-2.6.38.4/arch/x86/boot/memory.c linux-2.6.38.4/arch/x86/boot/memory.c
6245 --- linux-2.6.38.4/arch/x86/boot/memory.c 2011-03-14 21:20:32.000000000 -0400
6246 +++ linux-2.6.38.4/arch/x86/boot/memory.c 2011-04-17 15:57:32.000000000 -0400
6249 static int detect_memory_e820(void)
6252 + unsigned int count = 0;
6253 struct biosregs ireg, oreg;
6254 struct e820entry *desc = boot_params.e820_map;
6255 static struct e820entry buf; /* static so it is zeroed */
6256 diff -urNp linux-2.6.38.4/arch/x86/boot/video.c linux-2.6.38.4/arch/x86/boot/video.c
6257 --- linux-2.6.38.4/arch/x86/boot/video.c 2011-03-14 21:20:32.000000000 -0400
6258 +++ linux-2.6.38.4/arch/x86/boot/video.c 2011-04-17 15:57:32.000000000 -0400
6259 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6260 static unsigned int get_entry(void)
6264 + unsigned int i, len = 0;
6268 diff -urNp linux-2.6.38.4/arch/x86/boot/video-vesa.c linux-2.6.38.4/arch/x86/boot/video-vesa.c
6269 --- linux-2.6.38.4/arch/x86/boot/video-vesa.c 2011-03-14 21:20:32.000000000 -0400
6270 +++ linux-2.6.38.4/arch/x86/boot/video-vesa.c 2011-04-17 15:57:32.000000000 -0400
6271 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6273 boot_params.screen_info.vesapm_seg = oreg.es;
6274 boot_params.screen_info.vesapm_off = oreg.di;
6275 + boot_params.screen_info.vesapm_size = oreg.cx;
6279 diff -urNp linux-2.6.38.4/arch/x86/ia32/ia32_aout.c linux-2.6.38.4/arch/x86/ia32/ia32_aout.c
6280 --- linux-2.6.38.4/arch/x86/ia32/ia32_aout.c 2011-03-14 21:20:32.000000000 -0400
6281 +++ linux-2.6.38.4/arch/x86/ia32/ia32_aout.c 2011-04-17 15:57:32.000000000 -0400
6282 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6283 unsigned long dump_start, dump_size;
6286 + memset(&dump, 0, sizeof(dump));
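Review bot: The added `memset(&dump, 0, sizeof(dump));` in aout_core_dump has no comment, yet it is a security-relevant change: `dump` is presumably the header that ends up in the core file, and zeroing it first ensures that padding or fields not explicitly filled do not carry stale kernel stack contents into a user-readable file. Suggest `/* zero the header so padding bytes never leak kernel stack contents into the core file */` above it. The declaration of `dump` and the rest of the function are outside the hunk.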
6291 diff -urNp linux-2.6.38.4/arch/x86/ia32/ia32entry.S linux-2.6.38.4/arch/x86/ia32/ia32entry.S
6292 --- linux-2.6.38.4/arch/x86/ia32/ia32entry.S 2011-03-14 21:20:32.000000000 -0400
6293 +++ linux-2.6.38.4/arch/x86/ia32/ia32entry.S 2011-04-17 15:57:32.000000000 -0400
6295 #include <asm/thread_info.h>
6296 #include <asm/segment.h>
6297 #include <asm/irqflags.h>
6298 +#include <asm/pgtable.h>
6299 #include <linux/linkage.h>
6301 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6302 @@ -93,6 +94,23 @@ ENTRY(native_irq_enable_sysexit)
6303 ENDPROC(native_irq_enable_sysexit)
6306 + .macro pax_enter_kernel_user
6307 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6308 + call pax_enter_kernel_user
6312 + .macro pax_exit_kernel_user
6313 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6314 + call pax_exit_kernel_user
6316 +#ifdef CONFIG_PAX_RANDKSTACK
6318 + call pax_randomize_kstack
6324 * 32bit SYSENTER instruction entry.
6326 @@ -119,7 +137,7 @@ ENTRY(ia32_sysenter_target)
6327 CFI_REGISTER rsp,rbp
6329 movq PER_CPU_VAR(kernel_stack), %rsp
6330 - addq $(KERNEL_STACK_OFFSET),%rsp
6331 + pax_enter_kernel_user
6333 * No need to follow this irqs on/off section: the syscall
6334 * disabled irqs, here we enable it straight after entry:
6335 @@ -135,7 +153,8 @@ ENTRY(ia32_sysenter_target)
6337 CFI_ADJUST_CFA_OFFSET 8
6338 /*CFI_REL_OFFSET rflags,0*/
6339 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6340 + GET_THREAD_INFO(%r10)
6341 + movl TI_sysenter_return(%r10), %r10d
6342 CFI_REGISTER rip,r10
6344 CFI_ADJUST_CFA_OFFSET 8
6345 @@ -150,6 +169,12 @@ ENTRY(ia32_sysenter_target)
6347 /* no need to do an access_ok check here because rbp has been
6348 32bit zero extended */
6350 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6351 + mov $PAX_USER_SHADOW_BASE,%r10
6356 .section __ex_table,"a"
6357 .quad 1b,ia32_badarg
6358 @@ -172,6 +197,7 @@ sysenter_dispatch:
6359 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6361 sysexit_from_sys_call:
6362 + pax_exit_kernel_user
6363 andl $~TS_COMPAT,TI_status(%r10)
6364 /* clear IF, that popfq doesn't enable interrupts early */
6365 andl $~0x200,EFLAGS-R11(%rsp)
6366 @@ -283,19 +309,24 @@ ENDPROC(ia32_sysenter_target)
6367 ENTRY(ia32_cstar_target)
6368 CFI_STARTPROC32 simple
6370 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6372 CFI_REGISTER rip,rcx
6373 /*CFI_REGISTER rflags,r11*/
6377 movq PER_CPU_VAR(kernel_stack),%rsp
6379 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6380 + pax_enter_kernel_user
6384 * No need to follow this irqs on/off section: the syscall
6385 * disabled irqs and here we enable it straight after entry:
6387 ENABLE_INTERRUPTS(CLBR_NONE)
6390 movl %eax,%eax /* zero extension */
6391 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6392 movq %rcx,RIP-ARGOFFSET(%rsp)
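Review bot: The `pax_enter_kernel_user` invocation in ia32_cstar_target is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`, while the macro defined earlier in this file already guards its body with the same `#ifdef`, and the ia32_sysenter_target and ia32_syscall hunks invoke it unconditionally. The extra guard is redundant today; if the macro later gains work outside that option (its sibling `pax_exit_kernel_user` already carries a `CONFIG_PAX_RANDKSTACK` part), the cstar path would silently miss it. Dropping the `#ifdef`/`#endif` around `pax_enter_kernel_user` here keeps the three entry points consistent. The CFI annotations that replace the removed `CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET` are not among the visible lines.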
6393 @@ -311,6 +342,12 @@ ENTRY(ia32_cstar_target)
6394 /* no need to do an access_ok check here because r8 has been
6395 32bit zero extended */
6396 /* hardware stack frame is complete now */
6398 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6399 + mov $PAX_USER_SHADOW_BASE,%r10
6404 .section __ex_table,"a"
6405 .quad 1b,ia32_badarg
6406 @@ -323,7 +360,7 @@ ENTRY(ia32_cstar_target)
6407 cmpq $IA32_NR_syscalls-1,%rax
6413 call *ia32_sys_call_table(,%rax,8)
6414 movq %rax,RAX-ARGOFFSET(%rsp)
6415 @@ -333,6 +370,7 @@ cstar_dispatch:
6416 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6418 sysretl_from_sys_call:
6419 + pax_exit_kernel_user
6420 andl $~TS_COMPAT,TI_status(%r10)
6421 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6422 movl RIP-ARGOFFSET(%rsp),%ecx
6423 @@ -415,6 +453,7 @@ ENTRY(ia32_syscall)
6424 CFI_REL_OFFSET rip,RIP-RIP
6425 PARAVIRT_ADJUST_EXCEPTION_FRAME
6427 + pax_enter_kernel_user
6429 * No need to follow this irqs on/off section: the syscall
6430 * disabled irqs and here we enable it straight after entry:
6431 diff -urNp linux-2.6.38.4/arch/x86/ia32/ia32_signal.c linux-2.6.38.4/arch/x86/ia32/ia32_signal.c
6432 --- linux-2.6.38.4/arch/x86/ia32/ia32_signal.c 2011-03-14 21:20:32.000000000 -0400
6433 +++ linux-2.6.38.4/arch/x86/ia32/ia32_signal.c 2011-04-17 15:57:32.000000000 -0400
6434 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6436 /* Align the stack pointer according to the i386 ABI,
6437 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6438 - sp = ((sp + 4) & -16ul) - 4;
6439 + sp = ((sp - 12) & -16ul) - 4;
6440 return (void __user *) sp;
6443 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6444 * These are actually not used anymore, but left because some
6445 * gdb versions depend on them as a marker.
6447 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6448 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6449 } put_user_catch(err);
6452 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6454 __NR_ia32_rt_sigreturn,
6460 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6461 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6463 if (ka->sa.sa_flags & SA_RESTORER)
6464 restorer = ka->sa.sa_restorer;
6465 + else if (current->mm->context.vdso)
6466 + /* Return stub is in 32bit vsyscall page */
6467 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6469 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6471 + restorer = &frame->retcode;
6472 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6475 * Not actually used anymore, but left because some gdb
6478 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6479 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6480 } put_user_catch(err);
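Review bot: The new fallback `restorer = &frame->retcode;` has no comment, unlike the vdso branch above it (`/* Return stub is in 32bit vsyscall page */`), so it is not obvious that it reintroduces the on-stack return trampoline for processes with no vdso mapped. Because that trampoline lives on the user stack, it only works when the stack is executable; a comment such as `/* no vdso mapped: return through the trampoline stored in frame->retcode below (needs an executable stack) */` records the trade-off for the next reader. The frame layout and the `code` bytes written into `frame->retcode` are defined outside the hunk.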
6483 diff -urNp linux-2.6.38.4/arch/x86/include/asm/alternative.h linux-2.6.38.4/arch/x86/include/asm/alternative.h
6484 --- linux-2.6.38.4/arch/x86/include/asm/alternative.h 2011-03-14 21:20:32.000000000 -0400
6485 +++ linux-2.6.38.4/arch/x86/include/asm/alternative.h 2011-04-17 15:57:32.000000000 -0400
6486 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
6487 ".section .discard,\"aw\",@progbits\n" \
6488 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6490 - ".section .altinstr_replacement, \"ax\"\n" \
6491 + ".section .altinstr_replacement, \"a\"\n" \
6492 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6495 diff -urNp linux-2.6.38.4/arch/x86/include/asm/apm.h linux-2.6.38.4/arch/x86/include/asm/apm.h
6496 --- linux-2.6.38.4/arch/x86/include/asm/apm.h 2011-03-14 21:20:32.000000000 -0400
6497 +++ linux-2.6.38.4/arch/x86/include/asm/apm.h 2011-04-17 15:57:32.000000000 -0400
6498 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6499 __asm__ __volatile__(APM_DO_ZERO_SEGS
6502 - "lcall *%%cs:apm_bios_entry\n\t"
6503 + "lcall *%%ss:apm_bios_entry\n\t"
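Review bot: Switching the far call's operand from `%%cs:apm_bios_entry` to `%%ss:apm_bios_entry` is correct only because the operand is a memory read of a data variable, and the reason the segment matters is not stated here; the relocs.c hunk in this same patch explains that under KERNEXEC code is `relocated implicitly by the base address of KERNEL_CS`, which is exactly why a data read through %cs would use the wrong base. A comment such as `/* apm_bios_entry is data: read it through %ss, since KERNEXEC gives %cs a non-zero base */` above the asm ties the two hunks together. The same change and the same comment apply to the second hunk in apm_bios_call_simple_asm.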
6507 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6508 __asm__ __volatile__(APM_DO_ZERO_SEGS
6511 - "lcall *%%cs:apm_bios_entry\n\t"
6512 + "lcall *%%ss:apm_bios_entry\n\t"
6516 diff -urNp linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h
6517 --- linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h 2011-03-14 21:20:32.000000000 -0400
6518 +++ linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h 2011-04-17 15:57:32.000000000 -0400
6519 @@ -12,6 +12,14 @@ typedef struct {
6520 u64 __aligned(8) counter;
6523 +#ifdef CONFIG_PAX_REFCOUNT
6525 + u64 __aligned(8) counter;
6526 +} atomic64_unchecked_t;
6528 +typedef atomic64_t atomic64_unchecked_t;
6531 #define ATOMIC64_INIT(val) { (val) }
6533 #ifdef CONFIG_X86_CMPXCHG64
6534 diff -urNp linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h
6535 --- linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h 2011-03-14 21:20:32.000000000 -0400
6536 +++ linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h 2011-04-17 15:57:32.000000000 -0400
6539 static inline long atomic64_read(const atomic64_t *v)
6541 - return (*(volatile long *)&(v)->counter);
6542 + return (*(volatile const long *)&(v)->counter);
6546 + * atomic64_read_unchecked - read atomic64 variable
6547 + * @v: pointer of type atomic64_unchecked_t
6549 + * Atomically reads the value of @v.
6550 + * Doesn't imply a read memory barrier.
6552 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6554 + return (*(volatile const long *)&(v)->counter);
6558 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6562 + * atomic64_set_unchecked - set atomic64 variable
6563 + * @v: pointer to type atomic64_unchecked_t
6564 + * @i: required value
6566 + * Atomically sets the value of @v to @i.
6568 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6574 * atomic64_add - add integer to atomic64 variable
6575 * @i: integer value to add
6576 * @v: pointer to type atomic64_t
6577 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6579 static inline void atomic64_add(long i, atomic64_t *v)
6581 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6583 +#ifdef CONFIG_PAX_REFCOUNT
6585 + LOCK_PREFIX "subq %1,%0\n"
6587 + _ASM_EXTABLE(0b, 0b)
6590 + : "=m" (v->counter)
6591 + : "er" (i), "m" (v->counter));
6595 + * atomic64_add_unchecked - add integer to atomic64 variable
6596 + * @i: integer value to add
6597 + * @v: pointer to type atomic64_unchecked_t
6599 + * Atomically adds @i to @v.
6601 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6603 asm volatile(LOCK_PREFIX "addq %1,%0"
6605 : "er" (i), "m" (v->counter));
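Review bot: In the CONFIG_PAX_REFCOUNT path of atomic64_add the overflow undo is a second `LOCK_PREFIX "subq %1,%0\n"` executed after the `addq` has already committed, so there is a window in which other CPUs observe the overflowed counter before it is rolled back, and a concurrent add landing in that window is undone together with it. That is an inherent limit of a two-instruction check and may be acceptable, but the hunk does not say so; a comment above the asm, `/* the add is globally visible before the overflow test; the subq is a best-effort rollback */`, would document the contract (the branch and trap between the two instructions are not among the visible lines, so the recovery path is inferred). The same construction appears in atomic64_sub, atomic64_inc, atomic64_dec, the *_and_test helpers and atomic64_add_return in the hunks that follow.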
6606 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6608 static inline void atomic64_sub(long i, atomic64_t *v)
6610 - asm volatile(LOCK_PREFIX "subq %1,%0"
6611 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6613 +#ifdef CONFIG_PAX_REFCOUNT
6615 + LOCK_PREFIX "addq %1,%0\n"
6617 + _ASM_EXTABLE(0b, 0b)
6620 + : "=m" (v->counter)
6621 + : "er" (i), "m" (v->counter));
6625 + * atomic64_sub_unchecked - subtract the atomic64 variable
6626 + * @i: integer value to subtract
6627 + * @v: pointer to type atomic64_unchecked_t
6629 + * Atomically subtracts @i from @v.
6631 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6633 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6635 : "er" (i), "m" (v->counter));
6637 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6641 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6642 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6644 +#ifdef CONFIG_PAX_REFCOUNT
6646 + LOCK_PREFIX "addq %2,%0\n"
6648 + _ASM_EXTABLE(0b, 0b)
6652 : "=m" (v->counter), "=qm" (c)
6653 : "er" (i), "m" (v->counter) : "memory");
6655 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6657 static inline void atomic64_inc(atomic64_t *v)
6659 + asm volatile(LOCK_PREFIX "incq %0\n"
6661 +#ifdef CONFIG_PAX_REFCOUNT
6663 + LOCK_PREFIX "decq %0\n"
6665 + _ASM_EXTABLE(0b, 0b)
6668 + : "=m" (v->counter)
6669 + : "m" (v->counter));
6673 + * atomic64_inc_unchecked - increment atomic64 variable
6674 + * @v: pointer to type atomic64_unchecked_t
6676 + * Atomically increments @v by 1.
6678 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6680 asm volatile(LOCK_PREFIX "incq %0"
6682 : "m" (v->counter));
6683 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6685 static inline void atomic64_dec(atomic64_t *v)
6687 - asm volatile(LOCK_PREFIX "decq %0"
6688 + asm volatile(LOCK_PREFIX "decq %0\n"
6690 +#ifdef CONFIG_PAX_REFCOUNT
6692 + LOCK_PREFIX "incq %0\n"
6694 + _ASM_EXTABLE(0b, 0b)
6697 + : "=m" (v->counter)
6698 + : "m" (v->counter));
6702 + * atomic64_dec_unchecked - decrement atomic64 variable
6703 + * @v: pointer to type atomic64_t
6705 + * Atomically decrements @v by 1.
6707 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6709 + asm volatile(LOCK_PREFIX "decq %0\n"
6711 : "m" (v->counter));
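Review bot: The kernel-doc for atomic64_dec_unchecked says `@v: pointer to type atomic64_t`, but the parameter it documents is `atomic64_unchecked_t *v`; the sibling helpers atomic64_inc_unchecked and atomic64_sub_unchecked name the unchecked type, so this one reads as a copy-paste slip. Change the line to `* @v: pointer to type atomic64_unchecked_t`. The `#endif` and the rest of the checked atomic64_dec body are not among the visible lines.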
6713 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6717 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6718 + asm volatile(LOCK_PREFIX "decq %0\n"
6720 +#ifdef CONFIG_PAX_REFCOUNT
6722 + LOCK_PREFIX "incq %0\n"
6724 + _ASM_EXTABLE(0b, 0b)
6728 : "=m" (v->counter), "=qm" (c)
6729 : "m" (v->counter) : "memory");
6731 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6735 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6736 + asm volatile(LOCK_PREFIX "incq %0\n"
6738 +#ifdef CONFIG_PAX_REFCOUNT
6740 + LOCK_PREFIX "decq %0\n"
6742 + _ASM_EXTABLE(0b, 0b)
6746 : "=m" (v->counter), "=qm" (c)
6747 : "m" (v->counter) : "memory");
6749 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6753 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6754 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6756 +#ifdef CONFIG_PAX_REFCOUNT
6758 + LOCK_PREFIX "subq %2,%0\n"
6760 + _ASM_EXTABLE(0b, 0b)
6764 : "=m" (v->counter), "=qm" (c)
6765 : "er" (i), "m" (v->counter) : "memory");
6767 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6768 static inline long atomic64_add_return(long i, atomic64_t *v)
6771 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6772 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6774 +#ifdef CONFIG_PAX_REFCOUNT
6778 + _ASM_EXTABLE(0b, 0b)
6781 + : "+r" (i), "+m" (v->counter)
6787 + * atomic64_add_return_unchecked - add and return
6788 + * @i: integer value to add
6789 + * @v: pointer to type atomic64_unchecked_t
6791 + * Atomically adds @i to @v and returns @i + @v
6793 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6796 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6797 : "+r" (i), "+m" (v->counter)
6800 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6803 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6804 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6806 + return atomic64_add_return_unchecked(1, v);
6808 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6810 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6811 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6813 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6817 c = atomic64_read(v);
6819 - if (unlikely(c == (u)))
6820 + if (unlikely(c == u))
6822 - old = atomic64_cmpxchg((v), c, c + (a));
6824 + asm volatile("add %2,%0\n"
6826 +#ifdef CONFIG_PAX_REFCOUNT
6830 + _ASM_EXTABLE(0b, 0b)
6834 + : "0" (c), "ir" (a));
6836 + old = atomic64_cmpxchg(v, c, new);
6837 if (likely(old == c))
6845 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
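Review bot: The new inline asm in `atomic64_add_unless` uses an unsuffixed `add %2,%0` while every other 64-bit operation in this header spells the width out (`addq`, `subq`, `incq`, `decq`, `xaddq`); change it to `asm volatile("addq %2,%0\n"`. With register operands the assembler infers the width, so this is a style point, but an explicit suffix keeps the overflow-check sequence uniform with the rest of the file and does not depend on operand inference if the constraints are ever relaxed to allow a memory operand. The output constraints of this asm are not visible in the hunk, so I could not confirm that `%0` is register-only.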
6846 diff -urNp linux-2.6.38.4/arch/x86/include/asm/atomic.h linux-2.6.38.4/arch/x86/include/asm/atomic.h
6847 --- linux-2.6.38.4/arch/x86/include/asm/atomic.h 2011-03-14 21:20:32.000000000 -0400
6848 +++ linux-2.6.38.4/arch/x86/include/asm/atomic.h 2011-04-17 15:57:32.000000000 -0400
6851 static inline int atomic_read(const atomic_t *v)
6853 - return (*(volatile int *)&(v)->counter);
6854 + return (*(volatile const int *)&(v)->counter);
6858 + * atomic_read_unchecked - read atomic variable
6859 + * @v: pointer of type atomic_unchecked_t
6861 + * Atomically reads the value of @v.
6863 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6865 + return (*(volatile const int *)&(v)->counter);
6869 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6873 + * atomic_set_unchecked - set atomic variable
6874 + * @v: pointer of type atomic_unchecked_t
6875 + * @i: required value
6877 + * Atomically sets the value of @v to @i.
6879 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6885 * atomic_add - add integer to atomic variable
6886 * @i: integer value to add
6887 * @v: pointer of type atomic_t
6888 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6890 static inline void atomic_add(int i, atomic_t *v)
6892 - asm volatile(LOCK_PREFIX "addl %1,%0"
6893 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6895 +#ifdef CONFIG_PAX_REFCOUNT
6897 + LOCK_PREFIX "subl %1,%0\n"
6899 + _ASM_EXTABLE(0b, 0b)
6902 + : "+m" (v->counter)
6907 + * atomic_add_unchecked - add integer to atomic variable
6908 + * @i: integer value to add
6909 + * @v: pointer of type atomic_unchecked_t
6911 + * Atomically adds @i to @v.
6913 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6915 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6919 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6921 static inline void atomic_sub(int i, atomic_t *v)
6923 - asm volatile(LOCK_PREFIX "subl %1,%0"
6924 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6926 +#ifdef CONFIG_PAX_REFCOUNT
6928 + LOCK_PREFIX "addl %1,%0\n"
6930 + _ASM_EXTABLE(0b, 0b)
6933 + : "+m" (v->counter)
6938 + * atomic_sub_unchecked - subtract integer from atomic variable
6939 + * @i: integer value to subtract
6940 + * @v: pointer of type atomic_t
6942 + * Atomically subtracts @i from @v.
6944 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6946 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6950 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6954 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6955 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6957 +#ifdef CONFIG_PAX_REFCOUNT
6959 + LOCK_PREFIX "addl %2,%0\n"
6961 + _ASM_EXTABLE(0b, 0b)
6965 : "+m" (v->counter), "=qm" (c)
6966 : "ir" (i) : "memory");
6968 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6970 static inline void atomic_inc(atomic_t *v)
6972 - asm volatile(LOCK_PREFIX "incl %0"
6973 + asm volatile(LOCK_PREFIX "incl %0\n"
6975 +#ifdef CONFIG_PAX_REFCOUNT
6977 + LOCK_PREFIX "decl %0\n"
6979 + _ASM_EXTABLE(0b, 0b)
6982 + : "+m" (v->counter));
6986 + * atomic_inc_unchecked - increment atomic variable
6987 + * @v: pointer of type atomic_unchecked_t
6989 + * Atomically increments @v by 1.
6991 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6993 + asm volatile(LOCK_PREFIX "incl %0\n"
6994 : "+m" (v->counter));
6997 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6999 static inline void atomic_dec(atomic_t *v)
7001 - asm volatile(LOCK_PREFIX "decl %0"
7002 + asm volatile(LOCK_PREFIX "decl %0\n"
7004 +#ifdef CONFIG_PAX_REFCOUNT
7006 + LOCK_PREFIX "incl %0\n"
7008 + _ASM_EXTABLE(0b, 0b)
7011 + : "+m" (v->counter));
7015 + * atomic_dec_unchecked - decrement atomic variable
7016 + * @v: pointer of type atomic_t
7018 + * Atomically decrements @v by 1.
7020 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7022 + asm volatile(LOCK_PREFIX "decl %0\n"
7023 : "+m" (v->counter));
7026 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
7030 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7031 + asm volatile(LOCK_PREFIX "decl %0\n"
7033 +#ifdef CONFIG_PAX_REFCOUNT
7035 + LOCK_PREFIX "incl %0\n"
7037 + _ASM_EXTABLE(0b, 0b)
7041 : "+m" (v->counter), "=qm" (c)
7044 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
7048 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7049 + asm volatile(LOCK_PREFIX "incl %0\n"
7051 +#ifdef CONFIG_PAX_REFCOUNT
7053 + LOCK_PREFIX "decl %0\n"
7055 + _ASM_EXTABLE(0b, 0b)
7059 : "+m" (v->counter), "=qm" (c)
7062 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
7066 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7067 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7069 +#ifdef CONFIG_PAX_REFCOUNT
7071 + LOCK_PREFIX "subl %2,%0\n"
7073 + _ASM_EXTABLE(0b, 0b)
7077 : "+m" (v->counter), "=qm" (c)
7078 : "ir" (i) : "memory");
7080 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
7082 /* Modern 486+ processor */
7084 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7086 +#ifdef CONFIG_PAX_REFCOUNT
7090 + _ASM_EXTABLE(0b, 0b)
7093 + : "+r" (i), "+m" (v->counter)
7098 +no_xadd: /* Legacy 386 processor */
7099 + local_irq_save(flags);
7100 + __i = atomic_read(v);
7101 + atomic_set(v, i + __i);
7102 + local_irq_restore(flags);
7108 + * atomic_add_return_unchecked - add integer and return
7109 + * @v: pointer of type atomic_unchecked_t
7110 + * @i: integer value to add
7112 + * Atomically adds @i to @v and returns @i + @v
7114 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7118 + unsigned long flags;
7119 + if (unlikely(boot_cpu_data.x86 <= 3))
7122 + /* Modern 486+ processor */
7124 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7125 : "+r" (i), "+m" (v->counter)
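Review bot: Under `CONFIG_PAX_REFCOUNT` the `xaddl` path in `atomic_add_return` gains an overflow check, but the `no_xadd:` legacy path a few lines below still does `__i = atomic_read(v); atomic_set(v, i + __i);` with no check, so on a 386 the refcount protection silently does not apply to this function. Either add the same overflow test on that path or mark the gap, e.g. `/* no overflow check on the 386 path: PAX_REFCOUNT is not enforced here */`, so nobody assumes the checked variant is uniformly protected. The opening of the function, with the `boot_cpu_data.x86 <= 3` test, is outside the hunk; I am reading the structure from the `_unchecked` copy that follows it.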
7127 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
7130 #define atomic_inc_return(v) (atomic_add_return(1, v))
7131 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7133 + return atomic_add_return_unchecked(1, v);
7135 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7137 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
7138 @@ -231,21 +418,77 @@ static inline int atomic_xchg(atomic_t *
7140 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7146 - if (unlikely(c == (u)))
7147 + if (unlikely(c == u))
7149 - old = atomic_cmpxchg((v), c, c + (a));
7151 + asm volatile("addl %2,%0\n"
7153 +#ifdef CONFIG_PAX_REFCOUNT
7157 + _ASM_EXTABLE(0b, 0b)
7161 + : "0" (c), "ir" (a));
7163 + old = atomic_cmpxchg(v, c, new);
7164 if (likely(old == c))
7172 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7175 + * atomic_inc_not_zero_hint - increment if not null
7176 + * @v: pointer of type atomic_t
7177 + * @hint: probable value of the atomic before the increment
7179 + * This version of atomic_inc_not_zero() gives a hint of probable
7180 + * value of the atomic. This helps processor to not read the memory
7181 + * before doing the atomic read/modify/write cycle, lowering
7182 + * number of bus transactions on some arches.
7184 + * Returns: 0 if increment was not done, 1 otherwise.
7186 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
7187 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
7189 + int val, c = hint, new;
7191 + /* sanity test, should be removed by compiler if hint is a constant */
7193 + return atomic_inc_not_zero(v);
7196 + asm volatile("incl %0\n"
7198 +#ifdef CONFIG_PAX_REFCOUNT
7202 + _ASM_EXTABLE(0b, 0b)
7208 + val = atomic_cmpxchg(v, c, new);
7218 * atomic_dec_if_positive - decrement by 1 if old value positive
7219 * @v: pointer of type atomic_t
7220 diff -urNp linux-2.6.38.4/arch/x86/include/asm/bitops.h linux-2.6.38.4/arch/x86/include/asm/bitops.h
7221 --- linux-2.6.38.4/arch/x86/include/asm/bitops.h 2011-03-14 21:20:32.000000000 -0400
7222 +++ linux-2.6.38.4/arch/x86/include/asm/bitops.h 2011-04-17 15:57:32.000000000 -0400
7224 * a mask operation on a byte.
7226 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7227 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7228 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7229 #define CONST_MASK(nr) (1 << ((nr) & 7))
7232 diff -urNp linux-2.6.38.4/arch/x86/include/asm/boot.h linux-2.6.38.4/arch/x86/include/asm/boot.h
7233 --- linux-2.6.38.4/arch/x86/include/asm/boot.h 2011-03-14 21:20:32.000000000 -0400
7234 +++ linux-2.6.38.4/arch/x86/include/asm/boot.h 2011-04-17 15:57:32.000000000 -0400
7236 #include <asm/pgtable_types.h>
7238 /* Physical address where kernel should be loaded. */
7239 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7240 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7241 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7242 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7244 +#ifndef __ASSEMBLY__
7245 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7246 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7249 /* Minimum kernel alignment, as a power of two */
7250 #ifdef CONFIG_X86_64
7251 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7252 diff -urNp linux-2.6.38.4/arch/x86/include/asm/cacheflush.h linux-2.6.38.4/arch/x86/include/asm/cacheflush.h
7253 --- linux-2.6.38.4/arch/x86/include/asm/cacheflush.h 2011-03-14 21:20:32.000000000 -0400
7254 +++ linux-2.6.38.4/arch/x86/include/asm/cacheflush.h 2011-04-17 15:57:32.000000000 -0400
7255 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7256 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7258 if (pg_flags == _PGMT_DEFAULT)
7261 else if (pg_flags == _PGMT_WC)
7262 return _PAGE_CACHE_WC;
7263 else if (pg_flags == _PGMT_UC_MINUS)
7264 diff -urNp linux-2.6.38.4/arch/x86/include/asm/cache.h linux-2.6.38.4/arch/x86/include/asm/cache.h
7265 --- linux-2.6.38.4/arch/x86/include/asm/cache.h 2011-03-14 21:20:32.000000000 -0400
7266 +++ linux-2.6.38.4/arch/x86/include/asm/cache.h 2011-04-17 15:57:32.000000000 -0400
7268 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7270 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7271 +#define __read_only __attribute__((__section__(".data..read_only")))
7273 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7274 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7275 diff -urNp linux-2.6.38.4/arch/x86/include/asm/checksum_32.h linux-2.6.38.4/arch/x86/include/asm/checksum_32.h
7276 --- linux-2.6.38.4/arch/x86/include/asm/checksum_32.h 2011-03-14 21:20:32.000000000 -0400
7277 +++ linux-2.6.38.4/arch/x86/include/asm/checksum_32.h 2011-04-17 15:57:32.000000000 -0400
7278 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7279 int len, __wsum sum,
7280 int *src_err_ptr, int *dst_err_ptr);
7282 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7283 + int len, __wsum sum,
7284 + int *src_err_ptr, int *dst_err_ptr);
7286 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7287 + int len, __wsum sum,
7288 + int *src_err_ptr, int *dst_err_ptr);
7291 * Note: when you get a NULL pointer exception here this means someone
7292 * passed in an incorrect kernel address to one of these functions.
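Review bot: The new `csum_partial_copy_generic_to_user` / `csum_partial_copy_generic_from_user` prototypes declare both `src` and `dst` as plain `void *`, so the call sites below still need `(__force void *)` casts to strip `__user`; since each variant is now dedicated to one direction, declaring the user-side parameter as `void __user *` (`dst` in `_to_user`, `src` in `_from_user`) would let sparse check the direction and remove the two `__force` casts. A one-line comment per prototype saying which side may fault into `src_err_ptr` / `dst_err_ptr` would also help, since the existing note above only covers the kernel-address case.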
7293 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7297 - return csum_partial_copy_generic((__force void *)src, dst,
7298 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7299 len, sum, err_ptr, NULL);
7302 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7305 if (access_ok(VERIFY_WRITE, dst, len))
7306 - return csum_partial_copy_generic(src, (__force void *)dst,
7307 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7308 len, sum, NULL, err_ptr);
7311 diff -urNp linux-2.6.38.4/arch/x86/include/asm/cpufeature.h linux-2.6.38.4/arch/x86/include/asm/cpufeature.h
7312 --- linux-2.6.38.4/arch/x86/include/asm/cpufeature.h 2011-03-14 21:20:32.000000000 -0400
7313 +++ linux-2.6.38.4/arch/x86/include/asm/cpufeature.h 2011-04-17 15:57:32.000000000 -0400
7314 @@ -349,7 +349,7 @@ static __always_inline __pure bool __sta
7315 ".section .discard,\"aw\",@progbits\n"
7316 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7318 - ".section .altinstr_replacement,\"ax\"\n"
7319 + ".section .altinstr_replacement,\"a\"\n"
7323 diff -urNp linux-2.6.38.4/arch/x86/include/asm/desc_defs.h linux-2.6.38.4/arch/x86/include/asm/desc_defs.h
7324 --- linux-2.6.38.4/arch/x86/include/asm/desc_defs.h 2011-03-14 21:20:32.000000000 -0400
7325 +++ linux-2.6.38.4/arch/x86/include/asm/desc_defs.h 2011-04-17 15:57:32.000000000 -0400
7326 @@ -31,6 +31,12 @@ struct desc_struct {
7327 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7328 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7333 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7334 + unsigned offset_high: 16;
7337 } __attribute__((packed));
7339 diff -urNp linux-2.6.38.4/arch/x86/include/asm/desc.h linux-2.6.38.4/arch/x86/include/asm/desc.h
7340 --- linux-2.6.38.4/arch/x86/include/asm/desc.h 2011-03-14 21:20:32.000000000 -0400
7341 +++ linux-2.6.38.4/arch/x86/include/asm/desc.h 2011-04-17 15:57:32.000000000 -0400
7343 #include <asm/desc_defs.h>
7344 #include <asm/ldt.h>
7345 #include <asm/mmu.h>
7346 +#include <asm/pgtable.h>
7347 #include <linux/smp.h>
7349 static inline void fill_ldt(struct desc_struct *desc,
7350 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7351 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7352 desc->type = (info->read_exec_only ^ 1) << 1;
7353 desc->type |= info->contents << 2;
7354 + desc->type |= info->seg_not_present ^ 1;
7357 desc->p = info->seg_not_present ^ 1;
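Review bot: The added `desc->type |= info->seg_not_present ^ 1;` in `fill_ldt` sets the accessed bit (bit 0 of the 4-bit type field) for every present segment without saying why; add a comment above it such as `/* pre-set the accessed bit so the CPU never has to write the descriptor on first use; the tables are write-protected (see the pax_open_kernel() pairs around the GDT/LDT writes below) */`. The write-protection is implied by the `pax_open_kernel()` / `pax_close_kernel()` pairs this patch adds around `native_write_idt_entry`, `native_write_ldt_entry` and `native_write_gdt_entry` further down, but the link between the two changes is only recoverable by reading the whole file section. `fill_ldt` continues outside the hunk.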
7358 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7361 extern struct desc_ptr idt_descr;
7362 -extern gate_desc idt_table[];
7365 - struct desc_struct gdt[GDT_ENTRIES];
7366 -} __attribute__((aligned(PAGE_SIZE)));
7367 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7368 +extern gate_desc idt_table[256];
7370 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7371 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7373 - return per_cpu(gdt_page, cpu).gdt;
7374 + return cpu_gdt_table[cpu];
7377 #ifdef CONFIG_X86_64
7378 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
7379 unsigned long base, unsigned dpl, unsigned flags,
7382 - gate->a = (seg << 16) | (base & 0xffff);
7383 - gate->b = (base & 0xffff0000) |
7384 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7385 + gate->gate.offset_low = base;
7386 + gate->gate.seg = seg;
7387 + gate->gate.reserved = 0;
7388 + gate->gate.type = type;
7390 + gate->gate.dpl = dpl;
7392 + gate->gate.offset_high = base >> 16;
7396 @@ -115,19 +118,24 @@ static inline void paravirt_free_ldt(str
7397 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7398 const gate_desc *gate)
7400 + pax_open_kernel();
7401 memcpy(&idt[entry], gate, sizeof(*gate));
7402 + pax_close_kernel();
7405 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7408 + pax_open_kernel();
7409 memcpy(&ldt[entry], desc, 8);
7410 + pax_close_kernel();
7413 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7414 const void *desc, int type)
7420 size = sizeof(tss_desc);
7421 @@ -139,7 +147,10 @@ static inline void native_write_gdt_entr
7422 size = sizeof(struct desc_struct);
7426 + pax_open_kernel();
7427 memcpy(&gdt[entry], desc, size);
7428 + pax_close_kernel();
7431 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7432 @@ -211,7 +222,9 @@ static inline void native_set_ldt(const
7434 static inline void native_load_tr_desc(void)
7436 + pax_open_kernel();
7437 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7438 + pax_close_kernel();
7441 static inline void native_load_gdt(const struct desc_ptr *dtr)
7442 @@ -246,8 +259,10 @@ static inline void native_load_tls(struc
7444 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7446 + pax_open_kernel();
7447 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7448 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7449 + pax_close_kernel();
7452 #define _LDT_empty(info) \
7453 @@ -309,7 +324,7 @@ static inline void set_desc_limit(struct
7454 desc->limit = (limit >> 16) & 0xf;
7457 -static inline void _set_gate(int gate, unsigned type, void *addr,
7458 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7459 unsigned dpl, unsigned ist, unsigned seg)
7462 @@ -327,7 +342,7 @@ static inline void _set_gate(int gate, u
7463 * Pentium F0 0F bugfix can have resulted in the mapped
7464 * IDT being write-protected.
7466 -static inline void set_intr_gate(unsigned int n, void *addr)
7467 +static inline void set_intr_gate(unsigned int n, const void *addr)
7469 BUG_ON((unsigned)n > 0xFF);
7470 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7471 @@ -356,19 +371,19 @@ static inline void alloc_intr_gate(unsig
7473 * This routine sets up an interrupt gate at directory privilege level 3.
7475 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7476 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7478 BUG_ON((unsigned)n > 0xFF);
7479 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7482 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7483 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7485 BUG_ON((unsigned)n > 0xFF);
7486 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7489 -static inline void set_trap_gate(unsigned int n, void *addr)
7490 +static inline void set_trap_gate(unsigned int n, const void *addr)
7492 BUG_ON((unsigned)n > 0xFF);
7493 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7494 @@ -377,19 +392,31 @@ static inline void set_trap_gate(unsigne
7495 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7497 BUG_ON((unsigned)n > 0xFF);
7498 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7499 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7502 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7503 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7505 BUG_ON((unsigned)n > 0xFF);
7506 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7509 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7510 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7512 BUG_ON((unsigned)n > 0xFF);
7513 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7516 +#ifdef CONFIG_X86_32
7517 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7519 + struct desc_struct d;
7521 + if (likely(limit))
7522 + limit = (limit - 1UL) >> PAGE_SHIFT;
7523 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7524 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7528 #endif /* _ASM_X86_DESC_H */
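Review bot: `set_user_cs` has no comment and its `limit == 0` handling is ambiguous: `pack_descriptor(&d, base, limit, 0xFB, 0xC)` sets G=1 through the `0xC` flags, so a zero limit field still describes a 4 KiB segment rather than an empty one, and the `if (likely(limit))` guard only decides whether the `(limit - 1UL) >> PAGE_SHIFT` conversion runs. Add a header comment stating the contract, e.g. `/* install a user code segment covering [base, base+limit) in @cpu's GDT; limit is a byte length stored page-granular (G=1), 0 yields one page */` — confirm the zero-limit reading against the callers before committing to it. The magic `0xFB` (present, DPL 3, non-conforming readable code, accessed) would read better spelled out in a comment or a named constant.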
7529 diff -urNp linux-2.6.38.4/arch/x86/include/asm/device.h linux-2.6.38.4/arch/x86/include/asm/device.h
7530 --- linux-2.6.38.4/arch/x86/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
7531 +++ linux-2.6.38.4/arch/x86/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
7532 @@ -6,7 +6,7 @@ struct dev_archdata {
7535 #ifdef CONFIG_X86_64
7536 -struct dma_map_ops *dma_ops;
7537 + const struct dma_map_ops *dma_ops;
7539 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7540 void *iommu; /* hook for IOMMU specific extension */
7541 diff -urNp linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h
7542 --- linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
7543 +++ linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
7544 @@ -26,9 +26,9 @@ extern int iommu_merge;
7545 extern struct device x86_dma_fallback_dev;
7546 extern int panic_on_overflow;
7548 -extern struct dma_map_ops *dma_ops;
7549 +extern const struct dma_map_ops *dma_ops;
7551 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7552 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7554 #ifdef CONFIG_X86_32
7556 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7557 /* Make sure we keep the same behaviour */
7558 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7560 - struct dma_map_ops *ops = get_dma_ops(dev);
7561 + const struct dma_map_ops *ops = get_dma_ops(dev);
7562 if (ops->mapping_error)
7563 return ops->mapping_error(dev, dma_addr);
7565 @@ -115,7 +115,7 @@ static inline void *
7566 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7569 - struct dma_map_ops *ops = get_dma_ops(dev);
7570 + const struct dma_map_ops *ops = get_dma_ops(dev);
7573 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7574 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7575 static inline void dma_free_coherent(struct device *dev, size_t size,
7576 void *vaddr, dma_addr_t bus)
7578 - struct dma_map_ops *ops = get_dma_ops(dev);
7579 + const struct dma_map_ops *ops = get_dma_ops(dev);
7581 WARN_ON(irqs_disabled()); /* for portability */
7583 diff -urNp linux-2.6.38.4/arch/x86/include/asm/e820.h linux-2.6.38.4/arch/x86/include/asm/e820.h
7584 --- linux-2.6.38.4/arch/x86/include/asm/e820.h 2011-03-14 21:20:32.000000000 -0400
7585 +++ linux-2.6.38.4/arch/x86/include/asm/e820.h 2011-04-17 15:57:32.000000000 -0400
7586 @@ -69,7 +69,7 @@ struct e820map {
7587 #define ISA_START_ADDRESS 0xa0000
7588 #define ISA_END_ADDRESS 0x100000
7590 -#define BIOS_BEGIN 0x000a0000
7591 +#define BIOS_BEGIN 0x000c0000
7592 #define BIOS_END 0x00100000
7594 #define BIOS_ROM_BASE 0xffe00000
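Review bot: `BIOS_BEGIN` moves from `0x000a0000` to `0x000c0000` with no comment, and the neighbouring `ISA_START_ADDRESS 0xa0000` still starts at the old value, so the two constants now disagree about where the legacy region begins. Record the reason on the new line, e.g. `/* 0xa0000-0xbffff is the legacy VGA window, not BIOS ROM; keep it out of the BIOS range */` — I am inferring the motive from the addresses, so confirm it against the users of `BIOS_BEGIN`. Because every user of `BIOS_BEGIN` elsewhere in the tree now sees a smaller region, a note of which call sites were audited would help the next reader.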
7595 diff -urNp linux-2.6.38.4/arch/x86/include/asm/elf.h linux-2.6.38.4/arch/x86/include/asm/elf.h
7596 --- linux-2.6.38.4/arch/x86/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
7597 +++ linux-2.6.38.4/arch/x86/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
7598 @@ -237,7 +237,25 @@ extern int force_personality32;
7599 the loader. We need to make sure that it is out of the way of the program
7600 that it will "exec", and that there is sufficient room for the brk. */
7602 +#ifdef CONFIG_PAX_SEGMEXEC
7603 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7605 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7608 +#ifdef CONFIG_PAX_ASLR
7609 +#ifdef CONFIG_X86_32
7610 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7612 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7613 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7615 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7617 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7618 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7622 /* This yields a mask that user programs can use to figure out what
7623 instruction set this CPU supports. This could be done in user space,
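Review bot: The `PAX_DELTA_MMAP_LEN` / `PAX_DELTA_STACK_LEN` definitions are bare magic numbers (`15 : 16` on 32-bit, `16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3` on 64-bit) with no comment on what the value represents; add one above the `#ifdef CONFIG_PAX_ASLR` block such as `/* number of randomised address bits applied to the mmap and stack bases; reduced for SEGMEXEC and IA32 tasks */` — I am inferring the unit from the names, so confirm before wording it as fact. The `PAX_ELF_ET_DYN_BASE` values (`0x10000000UL` and `0x400000UL`) would likewise benefit from a note on what they are chosen relative to.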
7624 @@ -291,8 +309,7 @@ do { \
7625 #define ARCH_DLINFO \
7628 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7629 - (unsigned long)current->mm->context.vdso); \
7630 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7633 #define AT_SYSINFO 32
7634 @@ -303,7 +320,7 @@ do { \
7636 #endif /* !CONFIG_X86_32 */
7638 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7639 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7641 #define VDSO_ENTRY \
7642 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7643 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7644 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7645 #define compat_arch_setup_additional_pages syscall32_setup_pages
7647 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7648 -#define arch_randomize_brk arch_randomize_brk
7650 #endif /* _ASM_X86_ELF_H */
7651 diff -urNp linux-2.6.38.4/arch/x86/include/asm/futex.h linux-2.6.38.4/arch/x86/include/asm/futex.h
7652 --- linux-2.6.38.4/arch/x86/include/asm/futex.h 2011-03-14 21:20:32.000000000 -0400
7653 +++ linux-2.6.38.4/arch/x86/include/asm/futex.h 2011-04-17 15:57:32.000000000 -0400
7655 #include <asm/system.h>
7657 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7658 + typecheck(u32 *, uaddr); \
7659 asm volatile("1:\t" insn "\n" \
7660 "2:\t.section .fixup,\"ax\"\n" \
7661 "3:\tmov\t%3, %1\n" \
7664 _ASM_EXTABLE(1b, 3b) \
7665 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7666 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
7667 : "i" (-EFAULT), "0" (oparg), "1" (0))
7669 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7670 + typecheck(u32 *, uaddr); \
7671 asm volatile("1:\tmovl %2, %0\n" \
7672 "\tmovl\t%0, %3\n" \
7675 _ASM_EXTABLE(1b, 4b) \
7676 _ASM_EXTABLE(2b, 4b) \
7677 : "=&a" (oldval), "=&r" (ret), \
7678 - "+m" (*uaddr), "=&r" (tem) \
7679 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
7680 : "r" (oparg), "i" (-EFAULT), "1" (0))
7682 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7683 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7685 int op = (encoded_op >> 28) & 7;
7686 int cmp = (encoded_op >> 24) & 15;
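Review bot: `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements, `typecheck(u32 *, uaddr);` followed by the `asm volatile(...)`, so a caller that uses either macro as the body of an unbraced `if`/`else` would only guard the typecheck; wrap each expansion in `do { ... } while (0)` so the macro remains a single statement. The visible callers in `futex_atomic_op_inuser` sit in `switch` cases, so nothing breaks today, but the macros are the reusable interface of this header. Separately, `typecheck(u32 *, uaddr)` against the new `u32 __user *uaddr` parameter will likely draw a sparse address-space warning, since typecheck compares pointer types without `__force`; `typecheck(u32 __user *, uaddr)` matches the declared parameter type.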
7687 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7691 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7692 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7695 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7696 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
7700 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
7704 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7705 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7709 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
7713 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7714 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7717 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7718 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
7719 "2:\t.section .fixup, \"ax\"\n"
7723 _ASM_EXTABLE(1b, 3b)
7724 - : "=a" (oldval), "+m" (*uaddr)
7725 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
7726 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7729 diff -urNp linux-2.6.38.4/arch/x86/include/asm/i387.h linux-2.6.38.4/arch/x86/include/asm/i387.h
7730 --- linux-2.6.38.4/arch/x86/include/asm/i387.h 2011-03-14 21:20:32.000000000 -0400
7731 +++ linux-2.6.38.4/arch/x86/include/asm/i387.h 2011-04-17 15:57:32.000000000 -0400
7732 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7736 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7737 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7738 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7741 /* See comment in fxsave() below. */
7742 #ifdef CONFIG_AS_FXSAVEQ
7743 asm volatile("1: fxrstorq %[fx]\n\t"
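Review bot: The new `PAX_MEMORY_UDEREF` block in `fxrstor_checking` rebases `fx` by `PAX_USER_SHADOW_BASE` without explaining what the comparison means; add a comment such as `/* user pointers below PAX_USER_SHADOW_BASE are accessed through the UDEREF shadow mapping; rebase before the fxrstor */` — I am inferring the purpose from the macro names, so confirm the wording. The same block appears in `fxsave_user` in the next hunk and should carry the same comment. Both enclosing functions begin and end outside their hunks.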
7744 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
7748 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7749 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7750 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7754 * Clear the bytes not touched by the fxsave and reserved
7756 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
7757 #endif /* CONFIG_X86_64 */
7759 /* We need a safe address that is cheap to find and that is already
7760 - in L1 during context switch. The best choices are unfortunately
7761 - different for UP and SMP */
7763 -#define safe_address (__per_cpu_offset[0])
7765 -#define safe_address (kstat_cpu(0).cpustat.user)
7767 + in L1 during context switch. */
7768 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7771 * These must be called with preempt disabled
7772 @@ -237,7 +242,7 @@ static inline void fpu_save_init(struct
7773 } else if (use_fxsr()) {
7776 - asm volatile("fsave %[fx]; fwait"
7777 + asm volatile("fnsave %[fx]; fwait"
7778 : [fx] "=m" (fpu->state->fsave));
7781 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
7782 struct thread_info *me = current_thread_info();
7784 if (me->status & TS_USEDFPU)
7785 - __save_init_fpu(me->task);
7786 + __save_init_fpu(current);
7790 diff -urNp linux-2.6.38.4/arch/x86/include/asm/io.h linux-2.6.38.4/arch/x86/include/asm/io.h
7791 --- linux-2.6.38.4/arch/x86/include/asm/io.h 2011-03-14 21:20:32.000000000 -0400
7792 +++ linux-2.6.38.4/arch/x86/include/asm/io.h 2011-04-17 15:57:32.000000000 -0400
7793 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
7795 #include <linux/vmalloc.h>
7797 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7798 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7800 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7803 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7805 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7809 * Convert a virtual cached pointer to an uncached pointer
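Review bot: `valid_phys_addr_range` computes `addr + count + PAGE_SIZE - 1` in `unsigned long` before the shift, so an `addr`/`count` pair that wraps the address space passes the check with a small rounded value; since this helper is what `ARCH_HAS_VALID_PHYS_ADDR_RANGE` hands to the physical-memory character device, it should reject wrapping ranges first, e.g. `if (addr > ~0UL - (PAGE_SIZE - 1) || count > ~0UL - (PAGE_SIZE - 1) - addr) return 0;` ahead of the existing comparison. The `? 1 : 0` on both returns is redundant, as the comparison already yields 0 or 1. `valid_mmap_phys_addr_range` rounds `count >> PAGE_SHIFT` down, so a length that is not a page multiple is checked one page short; `(count + PAGE_SIZE - 1) >> PAGE_SHIFT` is the conservative form, though callers may already pass page-aligned lengths.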
7811 diff -urNp linux-2.6.38.4/arch/x86/include/asm/iommu.h linux-2.6.38.4/arch/x86/include/asm/iommu.h
7812 --- linux-2.6.38.4/arch/x86/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
7813 +++ linux-2.6.38.4/arch/x86/include/asm/iommu.h 2011-04-17 15:57:32.000000000 -0400
7815 #ifndef _ASM_X86_IOMMU_H
7816 #define _ASM_X86_IOMMU_H
7818 -extern struct dma_map_ops nommu_dma_ops;
7819 +extern const struct dma_map_ops nommu_dma_ops;
7820 extern int force_iommu, no_iommu;
7821 extern int iommu_detected;
7822 extern int iommu_pass_through;
7823 diff -urNp linux-2.6.38.4/arch/x86/include/asm/irqflags.h linux-2.6.38.4/arch/x86/include/asm/irqflags.h
7824 --- linux-2.6.38.4/arch/x86/include/asm/irqflags.h 2011-03-14 21:20:32.000000000 -0400
7825 +++ linux-2.6.38.4/arch/x86/include/asm/irqflags.h 2011-04-17 15:57:32.000000000 -0400
7826 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7830 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7831 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7832 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7833 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7836 #define INTERRUPT_RETURN iret
7837 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7838 diff -urNp linux-2.6.38.4/arch/x86/include/asm/kvm_host.h linux-2.6.38.4/arch/x86/include/asm/kvm_host.h
7839 --- linux-2.6.38.4/arch/x86/include/asm/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
7840 +++ linux-2.6.38.4/arch/x86/include/asm/kvm_host.h 2011-04-17 15:57:32.000000000 -0400
7841 @@ -603,7 +603,7 @@ struct kvm_arch_async_pf {
7845 -extern struct kvm_x86_ops *kvm_x86_ops;
7846 +extern const struct kvm_x86_ops *kvm_x86_ops;
7848 int kvm_mmu_module_init(void);
7849 void kvm_mmu_module_exit(void);
7850 diff -urNp linux-2.6.38.4/arch/x86/include/asm/local.h linux-2.6.38.4/arch/x86/include/asm/local.h
7851 --- linux-2.6.38.4/arch/x86/include/asm/local.h 2011-03-14 21:20:32.000000000 -0400
7852 +++ linux-2.6.38.4/arch/x86/include/asm/local.h 2011-04-17 15:57:32.000000000 -0400
7853 @@ -18,26 +18,58 @@ typedef struct {
7855 static inline void local_inc(local_t *l)
7857 - asm volatile(_ASM_INC "%0"
7858 + asm volatile(_ASM_INC "%0\n"
7860 +#ifdef CONFIG_PAX_REFCOUNT
7864 + _ASM_EXTABLE(0b, 0b)
7867 : "+m" (l->a.counter));
7870 static inline void local_dec(local_t *l)
7872 - asm volatile(_ASM_DEC "%0"
7873 + asm volatile(_ASM_DEC "%0\n"
7875 +#ifdef CONFIG_PAX_REFCOUNT
7879 + _ASM_EXTABLE(0b, 0b)
7882 : "+m" (l->a.counter));
7885 static inline void local_add(long i, local_t *l)
7887 - asm volatile(_ASM_ADD "%1,%0"
7888 + asm volatile(_ASM_ADD "%1,%0\n"
7890 +#ifdef CONFIG_PAX_REFCOUNT
7892 + _ASM_SUB "%1,%0\n"
7894 + _ASM_EXTABLE(0b, 0b)
7897 : "+m" (l->a.counter)
7901 static inline void local_sub(long i, local_t *l)
7903 - asm volatile(_ASM_SUB "%1,%0"
7904 + asm volatile(_ASM_SUB "%1,%0\n"
7906 +#ifdef CONFIG_PAX_REFCOUNT
7908 + _ASM_ADD "%1,%0\n"
7910 + _ASM_EXTABLE(0b, 0b)
7913 : "+m" (l->a.counter)
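Review bot: The CONFIG_PAX_REFCOUNT sequence added to local_inc, and repeated in local_dec, local_add, local_sub and the local_*_and_test / local_add_negative / local_add_return hunks below, carries no comment, so a reader has to work out that on signed overflow the update is reverted (the `_ASM_SUB`/`_ASM_ADD`/`_ASM_MOV` lines) and a trap is raised, with `_ASM_EXTABLE(0b, 0b)` resuming execution at the label after the trap. The conditional jump and the trapping instruction between the arithmetic and the extable entry are not visible in this rendering, so that mechanism is inferred. Suggest a comment at the first occurrence, e.g. `/* PAX_REFCOUNT: on signed overflow undo the update and trap; the extable entry makes the fault handler resume at 0: */`, with a one-line pointer in the other seven.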
7916 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7920 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7921 + asm volatile(_ASM_SUB "%2,%0\n"
7923 +#ifdef CONFIG_PAX_REFCOUNT
7925 + _ASM_ADD "%2,%0\n"
7927 + _ASM_EXTABLE(0b, 0b)
7931 : "+m" (l->a.counter), "=qm" (c)
7932 : "ir" (i) : "memory");
7934 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7938 - asm volatile(_ASM_DEC "%0; sete %1"
7939 + asm volatile(_ASM_DEC "%0\n"
7941 +#ifdef CONFIG_PAX_REFCOUNT
7945 + _ASM_EXTABLE(0b, 0b)
7949 : "+m" (l->a.counter), "=qm" (c)
7952 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7956 - asm volatile(_ASM_INC "%0; sete %1"
7957 + asm volatile(_ASM_INC "%0\n"
7959 +#ifdef CONFIG_PAX_REFCOUNT
7963 + _ASM_EXTABLE(0b, 0b)
7967 : "+m" (l->a.counter), "=qm" (c)
7970 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7974 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7975 + asm volatile(_ASM_ADD "%2,%0\n"
7977 +#ifdef CONFIG_PAX_REFCOUNT
7979 + _ASM_SUB "%2,%0\n"
7981 + _ASM_EXTABLE(0b, 0b)
7985 : "+m" (l->a.counter), "=qm" (c)
7986 : "ir" (i) : "memory");
7988 @@ -133,7 +201,15 @@ static inline long local_add_return(long
7990 /* Modern 486+ processor */
7992 - asm volatile(_ASM_XADD "%0, %1;"
7993 + asm volatile(_ASM_XADD "%0, %1\n"
7995 +#ifdef CONFIG_PAX_REFCOUNT
7997 + _ASM_MOV "%0,%1\n"
7999 + _ASM_EXTABLE(0b, 0b)
8002 : "+r" (i), "+m" (l->a.counter)
8005 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h
8006 --- linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h 2011-03-14 21:20:32.000000000 -0400
8007 +++ linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h 2011-04-17 15:57:32.000000000 -0400
8008 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
8010 #define lock_cmos_prefix(reg) do {} while (0)
8011 #define lock_cmos_suffix(reg) do {} while (0)
8012 -#define lock_cmos(reg)
8013 -#define unlock_cmos()
8014 +#define lock_cmos(reg) do {} while (0)
8015 +#define unlock_cmos() do {} while (0)
8016 #define do_i_have_lock_cmos() 0
8017 #define current_lock_cmos_reg() 0
8019 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mce.h linux-2.6.38.4/arch/x86/include/asm/mce.h
8020 --- linux-2.6.38.4/arch/x86/include/asm/mce.h 2011-03-14 21:20:32.000000000 -0400
8021 +++ linux-2.6.38.4/arch/x86/include/asm/mce.h 2011-04-17 15:57:32.000000000 -0400
8022 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
8023 void mce_notify_process(void);
8025 DECLARE_PER_CPU(struct mce, injectm);
8026 -extern struct file_operations mce_chrdev_ops;
8027 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
8031 diff -urNp linux-2.6.38.4/arch/x86/include/asm/microcode.h linux-2.6.38.4/arch/x86/include/asm/microcode.h
8032 --- linux-2.6.38.4/arch/x86/include/asm/microcode.h 2011-03-14 21:20:32.000000000 -0400
8033 +++ linux-2.6.38.4/arch/x86/include/asm/microcode.h 2011-04-17 15:57:32.000000000 -0400
8034 @@ -12,13 +12,13 @@ struct device;
8035 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
8037 struct microcode_ops {
8038 - enum ucode_state (*request_microcode_user) (int cpu,
8039 + enum ucode_state (* const request_microcode_user) (int cpu,
8040 const void __user *buf, size_t size);
8042 - enum ucode_state (*request_microcode_fw) (int cpu,
8043 + enum ucode_state (* const request_microcode_fw) (int cpu,
8044 struct device *device);
8046 - void (*microcode_fini_cpu) (int cpu);
8047 + void (* const microcode_fini_cpu) (int cpu);
8050 * The generic 'microcode_core' part guarantees that
8051 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
8052 extern struct ucode_cpu_info ucode_cpu_info[];
8054 #ifdef CONFIG_MICROCODE_INTEL
8055 -extern struct microcode_ops * __init init_intel_microcode(void);
8056 +extern const struct microcode_ops * __init init_intel_microcode(void);
8058 -static inline struct microcode_ops * __init init_intel_microcode(void)
8059 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8063 #endif /* CONFIG_MICROCODE_INTEL */
8065 #ifdef CONFIG_MICROCODE_AMD
8066 -extern struct microcode_ops * __init init_amd_microcode(void);
8067 +extern const struct microcode_ops * __init init_amd_microcode(void);
8069 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
8071 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
8075 -static inline struct microcode_ops * __init init_amd_microcode(void)
8076 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8080 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mman.h linux-2.6.38.4/arch/x86/include/asm/mman.h
8081 --- linux-2.6.38.4/arch/x86/include/asm/mman.h 2011-03-14 21:20:32.000000000 -0400
8082 +++ linux-2.6.38.4/arch/x86/include/asm/mman.h 2011-04-17 15:57:32.000000000 -0400
8085 #include <asm-generic/mman.h>
8088 +#ifndef __ASSEMBLY__
8089 +#ifdef CONFIG_X86_32
8090 +#define arch_mmap_check i386_mmap_check
8091 +int i386_mmap_check(unsigned long addr, unsigned long len,
8092 + unsigned long flags);
8097 #endif /* _ASM_X86_MMAN_H */
8098 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mmu_context.h linux-2.6.38.4/arch/x86/include/asm/mmu_context.h
8099 --- linux-2.6.38.4/arch/x86/include/asm/mmu_context.h 2011-03-14 21:20:32.000000000 -0400
8100 +++ linux-2.6.38.4/arch/x86/include/asm/mmu_context.h 2011-04-17 15:57:32.000000000 -0400
8101 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8103 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8106 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8110 + pax_open_kernel();
8111 + pgd = get_cpu_pgd(smp_processor_id());
8112 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8113 + if (paravirt_enabled())
8114 + set_pgd(pgd+i, native_make_pgd(0));
8116 + pgd[i] = native_make_pgd(0);
8117 + pax_close_kernel();
8121 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8122 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
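Review bot: The loop that zeroes entries `USER_PGD_PTRS .. 2 * USER_PGD_PTRS - 1` of this cpu's pgd says nothing about what that second half of the table holds or why it is dropped on entering lazy TLB mode; presumably it is the UDEREF shadow of the user half (PAX_USER_SHADOW_BASE in pgtable.h places the shadow one TASK_SIZE_MAX_SHIFT-sized range above user space), cleared so that a kernel thread running without a user mm has no user mappings in reach — confirm. The declarations of `pgd` and `i` are not visible in this rendering. Suggest `/* UDEREF: drop the user-shadow half of this cpu's pgd while no user mm is active */` above `pax_open_kernel();`.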
8123 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
8124 struct task_struct *tsk)
8126 unsigned cpu = smp_processor_id();
8127 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8128 + int tlbstate = TLBSTATE_OK;
8131 if (likely(prev != next)) {
8133 +#ifdef CONFIG_X86_32
8134 + tlbstate = percpu_read(cpu_tlbstate.state);
8136 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8137 percpu_write(cpu_tlbstate.active_mm, next);
8139 cpumask_set_cpu(cpu, mm_cpumask(next));
8141 /* Re-load page tables */
8142 +#ifdef CONFIG_PAX_PER_CPU_PGD
8143 + pax_open_kernel();
8144 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8145 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8146 + pax_close_kernel();
8147 + load_cr3(get_cpu_pgd(cpu));
8149 load_cr3(next->pgd);
8152 /* stop flush ipis for the previous mm */
8153 cpumask_clear_cpu(cpu, mm_cpumask(prev));
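Review bot: The five-line `pax_open_kernel(); __clone_user_pgds(...); __shadow_user_pgds(...); pax_close_kernel(); load_cr3(get_cpu_pgd(cpu));` sequence under CONFIG_PAX_PER_CPU_PGD appears verbatim here and again in the next hunk on the `prev == next` path; a `static inline void pax_load_cpu_pgd(unsigned cpu, struct mm_struct *next)` helper would keep the two in step and give the operation a name. Neither site explains why the per-cpu copy of the user pgd is rebuilt on every switch rather than only when `next->pgd` changes, which is the question the next maintainer will ask; one comment on the helper would settle it. switch_mm begins before this hunk and continues in the two that follow.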
8154 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
8156 if (unlikely(prev->context.ldt != next->context.ldt))
8157 load_LDT_nolock(&next->context);
8160 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8161 + if (!(__supported_pte_mask & _PAGE_NX)) {
8162 + smp_mb__before_clear_bit();
8163 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8164 + smp_mb__after_clear_bit();
8165 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8169 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8170 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8171 + prev->context.user_cs_limit != next->context.user_cs_limit))
8172 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8174 + else if (unlikely(tlbstate != TLBSTATE_OK))
8175 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8182 +#ifdef CONFIG_PAX_PER_CPU_PGD
8183 + pax_open_kernel();
8184 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8185 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8186 + pax_close_kernel();
8187 + load_cr3(get_cpu_pgd(cpu));
8191 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8192 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
8194 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
8195 * tlb flush IPI delivery. We must reload CR3
8196 * to make sure to use no freed page tables.
8199 +#ifndef CONFIG_PAX_PER_CPU_PGD
8200 load_cr3(next->pgd);
8203 load_LDT_nolock(&next->context);
8205 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8206 + if (!(__supported_pte_mask & _PAGE_NX))
8207 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8210 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8211 +#ifdef CONFIG_PAX_PAGEEXEC
8212 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8214 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8223 #define activate_mm(prev, next) \
8224 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mmu.h linux-2.6.38.4/arch/x86/include/asm/mmu.h
8225 --- linux-2.6.38.4/arch/x86/include/asm/mmu.h 2011-03-14 21:20:32.000000000 -0400
8226 +++ linux-2.6.38.4/arch/x86/include/asm/mmu.h 2011-04-17 15:57:32.000000000 -0400
8228 * we put the segment information here.
8232 + struct desc_struct *ldt;
8236 + unsigned long vdso;
8238 +#ifdef CONFIG_X86_32
8239 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8240 + unsigned long user_cs_base;
8241 + unsigned long user_cs_limit;
8243 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8244 + cpumask_t cpu_user_cs_mask;
8253 diff -urNp linux-2.6.38.4/arch/x86/include/asm/module.h linux-2.6.38.4/arch/x86/include/asm/module.h
8254 --- linux-2.6.38.4/arch/x86/include/asm/module.h 2011-03-14 21:20:32.000000000 -0400
8255 +++ linux-2.6.38.4/arch/x86/include/asm/module.h 2011-04-17 15:57:32.000000000 -0400
8257 #error unknown processor family
8260 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8261 +#define MODULE_PAX_UDEREF "UDEREF "
8263 +#define MODULE_PAX_UDEREF ""
8266 #ifdef CONFIG_X86_32
8267 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8268 +# ifdef CONFIG_PAX_KERNEXEC
8269 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8271 +# define MODULE_PAX_KERNEXEC ""
8273 +# ifdef CONFIG_GRKERNSEC
8274 +# define MODULE_GRSEC "GRSECURITY "
8276 +# define MODULE_GRSEC ""
8278 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8280 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8283 #endif /* _ASM_X86_MODULE_H */
8284 diff -urNp linux-2.6.38.4/arch/x86/include/asm/page_64_types.h linux-2.6.38.4/arch/x86/include/asm/page_64_types.h
8285 --- linux-2.6.38.4/arch/x86/include/asm/page_64_types.h 2011-03-14 21:20:32.000000000 -0400
8286 +++ linux-2.6.38.4/arch/x86/include/asm/page_64_types.h 2011-04-17 15:57:32.000000000 -0400
8287 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8289 /* duplicated to the one in bootmem.h */
8290 extern unsigned long max_pfn;
8291 -extern unsigned long phys_base;
8292 +extern const unsigned long phys_base;
8294 extern unsigned long __phys_addr(unsigned long);
8295 #define __phys_reloc_hide(x) (x)
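Review bot: Declaring `phys_base` as `const unsigned long` tells every C translation unit the object never changes, so the compiler is free to cache or fold reads of it; that is only sound if every write happens before any C read, and the object is defined and written in assembly (arch/x86/kernel/head_64.S), which the declaration cannot express. A later C-side write through a cast would be undefined behaviour rather than a compile error. If the contract is "written once during early boot, read-only afterwards", record it: `/* written once by head_64.S during early boot; immutable from C */`.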
8296 diff -urNp linux-2.6.38.4/arch/x86/include/asm/paravirt.h linux-2.6.38.4/arch/x86/include/asm/paravirt.h
8297 --- linux-2.6.38.4/arch/x86/include/asm/paravirt.h 2011-03-14 21:20:32.000000000 -0400
8298 +++ linux-2.6.38.4/arch/x86/include/asm/paravirt.h 2011-04-17 15:57:32.000000000 -0400
8299 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
8300 pv_mmu_ops.set_fixmap(idx, phys, flags);
8303 +#ifdef CONFIG_PAX_KERNEXEC
8304 +static inline unsigned long pax_open_kernel(void)
8306 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8309 +static inline unsigned long pax_close_kernel(void)
8311 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8314 +static inline unsigned long pax_open_kernel(void) { return 0; }
8315 +static inline unsigned long pax_close_kernel(void) { return 0; }
8318 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8320 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8321 @@ -955,7 +970,7 @@ extern void default_banner(void);
8323 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8324 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8325 -#define PARA_INDIRECT(addr) *%cs:addr
8326 +#define PARA_INDIRECT(addr) *%ss:addr
8329 #define INTERRUPT_RETURN \
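Review bot: The change of `PARA_INDIRECT` from a `%cs:` to an `%ss:` segment override is unexplained; presumably the kernel code segment no longer has a zero base under this patch's KERNEXEC layout (the `ktla_ktva` displacement in pgtable_32_types.h points the same way), so an indirect `call`/`jmp` through `%cs:` would resolve to the wrong address while the data segments keep a flat base — confirm. Suggest `/* %ss rather than %cs: only the data segments keep a flat base under KERNEXEC */` on the define.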
8330 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
8331 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8333 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8335 +#define GET_CR0_INTO_RDI \
8336 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8339 +#define SET_RDI_INTO_CR0 \
8340 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8342 +#define GET_CR3_INTO_RDI \
8343 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8346 +#define SET_RDI_INTO_CR3 \
8347 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8349 #endif /* CONFIG_X86_32 */
8351 #endif /* __ASSEMBLY__ */
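Review bot: These paravirt definitions of GET_CR0_INTO_RDI and GET_CR3_INTO_RDI go through `call PARA_INDIRECT(...)`, which returns its value in %rax and follows the paravirt clobber convention, whereas the native definitions of the same names in irqflags.h are single `mov` instructions that touch only %rdi; the line that moves the result into %rdi is not visible in this rendering. Assembly callers that reach the macro by name therefore get different register side effects depending on CONFIG_PARAVIRT and must preserve %rax (and anything else the pv call clobbers) around it. Suggest stating the contract once here: `/* unlike the native mov forms these clobber %rax and follow the pv call clobbers; callers must save them */`.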
8352 diff -urNp linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h
8353 --- linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h 2011-03-14 21:20:32.000000000 -0400
8354 +++ linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h 2011-04-17 15:57:32.000000000 -0400
8355 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
8356 an mfn. We can tell which is which from the index. */
8357 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8358 phys_addr_t phys, pgprot_t flags);
8360 +#ifdef CONFIG_PAX_KERNEXEC
8361 + unsigned long (*pax_open_kernel)(void);
8362 + unsigned long (*pax_close_kernel)(void);
8367 struct arch_spinlock;
8368 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pci_x86.h linux-2.6.38.4/arch/x86/include/asm/pci_x86.h
8369 --- linux-2.6.38.4/arch/x86/include/asm/pci_x86.h 2011-03-14 21:20:32.000000000 -0400
8370 +++ linux-2.6.38.4/arch/x86/include/asm/pci_x86.h 2011-04-17 15:57:32.000000000 -0400
8371 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
8372 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8374 struct pci_raw_ops {
8375 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8376 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8377 int reg, int len, u32 *val);
8378 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8379 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8380 int reg, int len, u32 val);
8383 -extern struct pci_raw_ops *raw_pci_ops;
8384 -extern struct pci_raw_ops *raw_pci_ext_ops;
8385 +extern const struct pci_raw_ops *raw_pci_ops;
8386 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8388 -extern struct pci_raw_ops pci_direct_conf1;
8389 +extern const struct pci_raw_ops pci_direct_conf1;
8390 extern bool port_cf9_safe;
8392 /* arch_initcall level */
8393 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgalloc.h linux-2.6.38.4/arch/x86/include/asm/pgalloc.h
8394 --- linux-2.6.38.4/arch/x86/include/asm/pgalloc.h 2011-03-14 21:20:32.000000000 -0400
8395 +++ linux-2.6.38.4/arch/x86/include/asm/pgalloc.h 2011-04-17 15:57:32.000000000 -0400
8396 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8397 pmd_t *pmd, pte_t *pte)
8399 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8400 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8403 +static inline void pmd_populate_user(struct mm_struct *mm,
8404 + pmd_t *pmd, pte_t *pte)
8406 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8407 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8410 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h
8411 --- linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h 2011-03-14 21:20:32.000000000 -0400
8412 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h 2011-04-17 15:57:32.000000000 -0400
8413 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8415 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8417 + pax_open_kernel();
8419 + pax_close_kernel();
8422 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8423 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h
8424 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
8425 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h 2011-04-17 15:57:32.000000000 -0400
8428 struct vm_area_struct;
8430 -extern pgd_t swapper_pg_dir[1024];
8431 -extern pgd_t initial_page_table[1024];
8433 static inline void pgtable_cache_init(void) { }
8434 static inline void check_pgt_cache(void) { }
8435 void paging_init(void);
8436 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8437 # include <asm/pgtable-2level.h>
8440 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8441 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8442 +#ifdef CONFIG_X86_PAE
8443 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8446 #if defined(CONFIG_HIGHPTE)
8447 #define pte_offset_map(dir, address) \
8448 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8449 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8450 /* Clear a kernel PTE and flush it from the TLB */
8451 #define kpte_clear_flush(ptep, vaddr) \
8453 + pax_open_kernel(); \
8454 pte_clear(&init_mm, (vaddr), (ptep)); \
8455 + pax_close_kernel(); \
8456 __flush_tlb_one((vaddr)); \
8459 @@ -74,6 +79,9 @@ do { \
8461 #endif /* !__ASSEMBLY__ */
8463 +#define HAVE_ARCH_UNMAPPED_AREA
8464 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8467 * kern_addr_valid() is (1) for FLATMEM and (0) for
8468 * SPARSEMEM and DISCONTIGMEM
8469 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h
8470 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h 2011-03-14 21:20:32.000000000 -0400
8471 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h 2011-04-17 15:57:32.000000000 -0400
8474 #ifdef CONFIG_X86_PAE
8475 # include <asm/pgtable-3level_types.h>
8476 -# define PMD_SIZE (1UL << PMD_SHIFT)
8477 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8478 # define PMD_MASK (~(PMD_SIZE - 1))
8480 # include <asm/pgtable-2level_types.h>
8481 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8482 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8485 +#ifdef CONFIG_PAX_KERNEXEC
8486 +#ifndef __ASSEMBLY__
8487 +extern unsigned char MODULES_EXEC_VADDR[];
8488 +extern unsigned char MODULES_EXEC_END[];
8490 +#include <asm/boot.h>
8491 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8492 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8494 +#define ktla_ktva(addr) (addr)
8495 +#define ktva_ktla(addr) (addr)
8498 #define MODULES_VADDR VMALLOC_START
8499 #define MODULES_END VMALLOC_END
8500 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
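Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` expand their argument without parentheses, so `ktva_ktla(c ? a : b)` becomes `(c ? a : b - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)` and silently translates only one arm; the fix is `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity fallbacks below and in pgtable_64_types.h are harmless as written. Nothing says what the two macros translate between (kernel text linear address and kernel virtual address, judging by the names) — one comment line would do.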
8501 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h
8502 --- linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h 2011-04-18 17:27:13.000000000 -0400
8503 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h 2011-04-17 15:57:32.000000000 -0400
8504 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8506 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8508 + pax_open_kernel();
8509 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8510 + pax_close_kernel();
8513 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8515 + pax_open_kernel();
8516 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8517 + pax_close_kernel();
8521 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h
8522 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h 2011-03-14 21:20:32.000000000 -0400
8523 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h 2011-04-17 15:57:32.000000000 -0400
8526 extern pud_t level3_kernel_pgt[512];
8527 extern pud_t level3_ident_pgt[512];
8528 +extern pud_t level3_vmalloc_pgt[512];
8529 +extern pud_t level3_vmemmap_pgt[512];
8530 +extern pud_t level2_vmemmap_pgt[512];
8531 extern pmd_t level2_kernel_pgt[512];
8532 extern pmd_t level2_fixmap_pgt[512];
8533 -extern pmd_t level2_ident_pgt[512];
8534 -extern pgd_t init_level4_pgt[];
8535 +extern pmd_t level2_ident_pgt[512*2];
8536 +extern pgd_t init_level4_pgt[512];
8538 #define swapper_pg_dir init_level4_pgt
8540 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8542 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8544 + pax_open_kernel();
8546 + pax_close_kernel();
8549 static inline void native_pmd_clear(pmd_t *pmd)
8550 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
8552 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8554 + pax_open_kernel();
8556 + pax_close_kernel();
8559 static inline void native_pgd_clear(pgd_t *pgd)
8560 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h
8561 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h 2011-03-14 21:20:32.000000000 -0400
8562 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h 2011-04-17 15:57:32.000000000 -0400
8563 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8564 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8565 #define MODULES_END _AC(0xffffffffff000000, UL)
8566 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8567 +#define MODULES_EXEC_VADDR MODULES_VADDR
8568 +#define MODULES_EXEC_END MODULES_END
8570 +#define ktla_ktva(addr) (addr)
8571 +#define ktva_ktla(addr) (addr)
8573 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8574 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable.h linux-2.6.38.4/arch/x86/include/asm/pgtable.h
8575 --- linux-2.6.38.4/arch/x86/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
8576 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
8577 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
8579 #define arch_end_context_switch(prev) do {} while(0)
8581 +#define pax_open_kernel() native_pax_open_kernel()
8582 +#define pax_close_kernel() native_pax_close_kernel()
8583 #endif /* CONFIG_PARAVIRT */
8585 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8586 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8588 +#ifdef CONFIG_PAX_KERNEXEC
8589 +static inline unsigned long native_pax_open_kernel(void)
8591 + unsigned long cr0;
8593 + preempt_disable();
8595 + cr0 = read_cr0() ^ X86_CR0_WP;
8596 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8598 + return cr0 ^ X86_CR0_WP;
8601 +static inline unsigned long native_pax_close_kernel(void)
8603 + unsigned long cr0;
8605 + cr0 = read_cr0() ^ X86_CR0_WP;
8606 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8609 + preempt_enable_no_resched();
8610 + return cr0 ^ X86_CR0_WP;
8613 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8614 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8618 * The following only work if pte_present() is true.
8619 * Undefined behaviour if not..
8621 +static inline int pte_user(pte_t pte)
8623 + return pte_val(pte) & _PAGE_USER;
8626 static inline int pte_dirty(pte_t pte)
8628 return pte_flags(pte) & _PAGE_DIRTY;
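Review bot: `native_pax_open_kernel()` only disables preemption while it clears CR0.WP, so an interrupt arriving inside the open/close window whose handler itself calls pax_open_kernel() would find WP already clear and hit the `BUG_ON` on the next line; unless the interrupt entry path saves and re-sets WP (the new GET_CR0_INTO_RDI/SET_RDI_INTO_CR0 macros in irqflags.h and paravirt.h suggest something of the kind), that is a reachable crash path — confirm and state the invariant in a comment above the function, together with the rule that the pair must not nest. `BUG_ON(unlikely(...))` is redundant in both functions, since BUG_ON already wraps its condition in unlikely(). `pte_user()` reads `pte_val(pte) & _PAGE_USER` where its neighbours use `pte_flags()`; `return pte_flags(pte) & _PAGE_USER;` keeps them consistent. The write_cr0() lines of both functions are not visible in this rendering.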
8629 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
8630 return pte_clear_flags(pte, _PAGE_RW);
8633 +static inline pte_t pte_mkread(pte_t pte)
8635 + return __pte(pte_val(pte) | _PAGE_USER);
8638 static inline pte_t pte_mkexec(pte_t pte)
8640 - return pte_clear_flags(pte, _PAGE_NX);
8641 +#ifdef CONFIG_X86_PAE
8642 + if (__supported_pte_mask & _PAGE_NX)
8643 + return pte_clear_flags(pte, _PAGE_NX);
8646 + return pte_set_flags(pte, _PAGE_USER);
8649 +static inline pte_t pte_exprotect(pte_t pte)
8651 +#ifdef CONFIG_X86_PAE
8652 + if (__supported_pte_mask & _PAGE_NX)
8653 + return pte_set_flags(pte, _PAGE_NX);
8656 + return pte_clear_flags(pte, _PAGE_USER);
8659 static inline pte_t pte_mkdirty(pte_t pte)
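Review bot: The non-NX fallback in `pte_mkexec`/`pte_exprotect` redefines "executable" as the _PAGE_USER bit, and the new `pte_mkread` sets that same bit, yet nothing explains that user accessibility stands in for execute permission when hardware NX is absent (presumably consumed by the segmentation-based PAGEEXEC/SEGMEXEC code elsewhere in the patch — confirm); a reader of pte_mkread alone cannot tell it apart from pte_mkexec. Suggest `/* without hardware NX, _PAGE_USER doubles as the execute bit (see pte_mkexec) */` above pte_mkread. `pte_mkread` also builds its result with `__pte(pte_val(pte) | _PAGE_USER)` where the sibling functions use `pte_set_flags(pte, _PAGE_USER)`.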
8660 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
8663 #ifndef __ASSEMBLY__
8665 +#ifdef CONFIG_PAX_PER_CPU_PGD
8666 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8667 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8669 + return cpu_pgd[cpu];
8673 #include <linux/mm_types.h>
8675 static inline int pte_none(pte_t pte)
8676 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
8678 static inline int pgd_bad(pgd_t pgd)
8680 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8681 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8684 static inline int pgd_none(pgd_t pgd)
8685 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
8686 * pgd_offset() returns a (pgd_t *)
8687 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8689 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8690 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8692 +#ifdef CONFIG_PAX_PER_CPU_PGD
8693 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8697 * a shortcut which implies the use of the kernel's pgd, instead
8699 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
8700 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8701 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8703 +#ifdef CONFIG_X86_32
8704 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8706 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8707 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8709 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8710 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8712 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8717 #ifndef __ASSEMBLY__
8719 extern int direct_gbpages;
8720 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
8721 * dst and src can be on the same page, but the range must not overlap,
8722 * and must not cross a page boundary.
8724 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8725 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8727 - memcpy(dst, src, count * sizeof(pgd_t));
8728 + pax_open_kernel();
8731 + pax_close_kernel();
8734 +#ifdef CONFIG_PAX_PER_CPU_PGD
8735 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8738 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8739 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8741 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8744 #include <asm-generic/pgtable.h>
8745 #endif /* __ASSEMBLY__ */
8746 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h
8747 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h 2011-03-14 21:20:32.000000000 -0400
8748 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h 2011-04-17 15:57:32.000000000 -0400
8750 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8751 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8752 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8753 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8754 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8755 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8756 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8757 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8758 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8759 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8760 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8761 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8762 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8763 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8765 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8767 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8768 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8769 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8770 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8771 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8772 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8773 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8776 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8777 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8779 +#elif defined(CONFIG_KMEMCHECK)
8780 #define _PAGE_NX (_AT(pteval_t, 0))
8782 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8785 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8787 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8790 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8791 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8793 #define __PAGE_KERNEL_EXEC \
8794 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8795 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8797 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8798 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8799 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8800 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8801 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8802 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8803 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8804 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8805 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8806 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8808 * bits are combined, this will alow user to access the high address mapped
8809 * VDSO in the presence of CONFIG_COMPAT_VDSO
8811 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8812 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8813 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8814 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8815 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8818 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8820 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8824 +#if PAGETABLE_LEVELS == 3
8825 +#include <asm-generic/pgtable-nopud.h>
8828 +#if PAGETABLE_LEVELS == 2
8829 +#include <asm-generic/pgtable-nopmd.h>
8832 +#ifndef __ASSEMBLY__
8833 #if PAGETABLE_LEVELS > 3
8834 typedef struct { pudval_t pud; } pud_t;
8836 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
8840 -#include <asm-generic/pgtable-nopud.h>
8842 static inline pudval_t native_pud_val(pud_t pud)
8844 return native_pgd_val(pud.pgd);
8845 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
8849 -#include <asm-generic/pgtable-nopmd.h>
8851 static inline pmdval_t native_pmd_val(pmd_t pmd)
8853 return native_pgd_val(pmd.pud.pgd);
8854 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
8856 extern pteval_t __supported_pte_mask;
8857 extern void set_nx(void);
8858 -extern int nx_enabled;
8860 #define pgprot_writecombine pgprot_writecombine
8861 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8862 diff -urNp linux-2.6.38.4/arch/x86/include/asm/processor.h linux-2.6.38.4/arch/x86/include/asm/processor.h
8863 --- linux-2.6.38.4/arch/x86/include/asm/processor.h 2011-03-14 21:20:32.000000000 -0400
8864 +++ linux-2.6.38.4/arch/x86/include/asm/processor.h 2011-04-17 15:57:32.000000000 -0400
8865 @@ -270,7 +270,7 @@ struct tss_struct {
8867 } ____cacheline_aligned;
8869 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8870 +extern struct tss_struct init_tss[NR_CPUS];
8873 * Save the original ist values for checking stack pointers during debugging
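Review bot: `extern struct tss_struct init_tss[NR_CPUS]` replaces a per-CPU declaration with a static array dimensioned by NR_CPUS, so the TSS storage is now sized for the configured maximum rather than for the CPUs the per-cpu allocator actually sets up, and nothing in the hunk records that trade-off. Every user that reached `init_tss` through `per_cpu()` or `__get_cpu_var()` must switch to `init_tss[cpu]`; those callers are outside this hunk, so I am assuming they are converted elsewhere in the patch. A one-line comment such as `/* one TSS per possible CPU, indexed by CPU number; deliberately not per-cpu data */` above the declaration would make the addressing model explicit. The `____cacheline_aligned` on the struct definition keeps each array element aligned, so that property is preserved.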
8874 @@ -864,8 +864,15 @@ static inline void spin_lock_prefetch(co
8876 #define TASK_SIZE PAGE_OFFSET
8877 #define TASK_SIZE_MAX TASK_SIZE
8879 +#ifdef CONFIG_PAX_SEGMEXEC
8880 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8881 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8883 #define STACK_TOP TASK_SIZE
8884 -#define STACK_TOP_MAX STACK_TOP
8887 +#define STACK_TOP_MAX TASK_SIZE
8889 #define INIT_THREAD { \
8890 .sp0 = sizeof(init_stack) + (long)&init_stack, \
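Review bot: The new `STACK_TOP` dereferences `current->mm->pax_flags`, so it is only valid where `current->mm` is non-NULL; the upstream definition was a constant usable from anywhere, and the hunk does not record the new precondition. A comment on the SEGMEXEC branch such as `/* STACK_TOP depends on the current mm's SEGMEXEC flag; never use it from a kernel thread or before mm is set up */` would keep a future caller from dereferencing NULL. As a point of style, the ternary is written without spaces (`...)?SEGMEXEC_TASK_SIZE:TASK_SIZE`) while the rest of this file spaces its operators (compare `IA32_PAGE_OFFSET` below); `((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE : TASK_SIZE)` matches the file. `STACK_TOP_MAX` staying at `TASK_SIZE` regardless of SEGMEXEC is consistent with its role as the upper bound, but that too deserves a word in the same comment.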
8891 @@ -882,7 +889,7 @@ static inline void spin_lock_prefetch(co
8893 #define INIT_TSS { \
8895 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8896 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8897 .ss0 = __KERNEL_DS, \
8898 .ss1 = __KERNEL_CS, \
8899 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8900 @@ -893,11 +900,7 @@ static inline void spin_lock_prefetch(co
8901 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8903 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8904 -#define KSTK_TOP(info) \
8906 - unsigned long *__ptr = (unsigned long *)(info); \
8907 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8909 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8912 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
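Review bot: `KSTK_TOP(info)` keeps its name but its argument changes meaning: the removed body treated `info` as the base of a stack page and computed the top arithmetically, whereas `((info)->task.thread.sp0)` requires `info` to point at an object that has a `task` member, not at the stack page. A caller still passing `task_stack_page(...)` will either fail to compile or read garbage depending on the type, so the macro should state its argument, e.g. `/* info: object embedding the task (has a .task member); yields the saved ring-0 stack top, not a stack-page address */` — the exact enclosing type is not visible here, so verify the wording against the struct definition. The removed multi-line form is only partly shown on this page, so the old definition cannot be fully compared.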
8913 @@ -912,7 +915,7 @@ extern unsigned long thread_saved_pc(str
8914 #define task_pt_regs(task) \
8916 struct pt_regs *__regs__; \
8917 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8918 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
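Review bot: `task_pt_regs()` now trusts `(task)->thread.sp0` to already sit 8 bytes below the ring-0 stack top; the explicit `-8` the old expression applied has moved into `INIT_TSS` (`.sp0 = sizeof(init_stack) + (long)&init_stack - 8` in the @@ -882 hunk), so the comment just above this hunk, which explains a `-8` that the macro below used to apply, is now out of place. Either move that comment next to the `.sp0` initialiser or reword it here, e.g. `/* thread.sp0 is initialised 8 bytes below the stack top (see INIT_TSS) so that a full pt_regs is always addressable even when SS/ESP were not pushed */`. Correctness now depends on every task's `thread.sp0` being set with the same offset; the code that initialises it for non-init tasks is outside this hunk.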
8922 @@ -922,13 +925,13 @@ extern unsigned long thread_saved_pc(str
8924 * User space process size. 47bits minus one guard page.
8926 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8927 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8929 /* This decides where the kernel will search for a free chunk of vm
8930 * space during mmap's.
8932 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8933 - 0xc0000000 : 0xFFFFe000)
8934 + 0xc0000000 : 0xFFFFf000)
8936 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8937 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
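Review bot: The comment `User space process size. 47bits minus one guard page.` is no longer accurate as written: `TASK_SIZE_MAX` is now `(1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE`, so the width is whatever `TASK_SIZE_MAX_SHIFT` (defined outside this hunk) says; reword it to `User space process size: 2^TASK_SIZE_MAX_SHIFT minus one guard page.` The change of `IA32_PAGE_OFFSET` from `0xFFFFe000` to `0xFFFFf000` raises the compat task size by one page so that exactly one guard page remains below 4 GB; a short `/* exactly one guard page below 4GB */` would record that intent rather than leaving it to be inferred from the hex constant.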
8938 @@ -965,6 +968,10 @@ extern void start_thread(struct pt_regs
8940 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8942 +#ifdef CONFIG_PAX_SEGMEXEC
8943 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8946 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8948 /* Get/set a process' ability to use the timestamp counter instruction */
8949 diff -urNp linux-2.6.38.4/arch/x86/include/asm/ptrace.h linux-2.6.38.4/arch/x86/include/asm/ptrace.h
8950 --- linux-2.6.38.4/arch/x86/include/asm/ptrace.h 2011-03-14 21:20:32.000000000 -0400
8951 +++ linux-2.6.38.4/arch/x86/include/asm/ptrace.h 2011-04-17 15:57:32.000000000 -0400
8952 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8956 - * user_mode_vm(regs) determines whether a register set came from user mode.
8957 + * user_mode(regs) determines whether a register set came from user mode.
8958 * This is true if V8086 mode was enabled OR if the register set was from
8959 * protected mode with RPL-3 CS value. This tricky test checks that with
8960 * one comparison. Many places in the kernel can bypass this full check
8961 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8962 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8965 -static inline int user_mode(struct pt_regs *regs)
8966 +static inline int user_mode_novm(struct pt_regs *regs)
8968 #ifdef CONFIG_X86_32
8969 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8971 - return !!(regs->cs & 3);
8972 + return !!(regs->cs & SEGMENT_RPL_MASK);
8976 -static inline int user_mode_vm(struct pt_regs *regs)
8977 +static inline int user_mode(struct pt_regs *regs)
8979 #ifdef CONFIG_X86_32
8980 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8983 - return user_mode(regs);
8984 + return user_mode_novm(regs);
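Review bot: The hunk swaps the names so that `user_mode()` now performs the V8086-aware test that `user_mode_vm()` used to, and the cheap RPL-only test becomes `user_mode_novm()`; making the conservative test the default is the right direction, but the in-place rename means every existing `user_mode()` caller changes behaviour silently while any leftover `user_mode_vm()` caller fails to build. The updated comment should say so explicitly: `This is the former user_mode_vm(); the former RPL-only user_mode() is now user_mode_novm() and must only be used once V8086 mode has been ruled out.` The `& 3` to `& SEGMENT_RPL_MASK` change in the 64-bit branch is cosmetic and fine. The comment's last sentence is cut off at `user_mode_novm(regs) can` on this page, so its ending could not be checked.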
8988 diff -urNp linux-2.6.38.4/arch/x86/include/asm/reboot.h linux-2.6.38.4/arch/x86/include/asm/reboot.h
8989 --- linux-2.6.38.4/arch/x86/include/asm/reboot.h 2011-03-14 21:20:32.000000000 -0400
8990 +++ linux-2.6.38.4/arch/x86/include/asm/reboot.h 2011-04-17 15:57:32.000000000 -0400
8991 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8993 void native_machine_crash_shutdown(struct pt_regs *regs);
8994 void native_machine_shutdown(void);
8995 -void machine_real_restart(const unsigned char *code, int length);
8996 +void machine_real_restart(const unsigned char *code, unsigned int length);
8998 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8999 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
9000 diff -urNp linux-2.6.38.4/arch/x86/include/asm/rwsem.h linux-2.6.38.4/arch/x86/include/asm/rwsem.h
9001 --- linux-2.6.38.4/arch/x86/include/asm/rwsem.h 2011-03-14 21:20:32.000000000 -0400
9002 +++ linux-2.6.38.4/arch/x86/include/asm/rwsem.h 2011-04-17 15:57:32.000000000 -0400
9003 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
9005 asm volatile("# beginning down_read\n\t"
9006 LOCK_PREFIX _ASM_INC "(%1)\n\t"
9008 +#ifdef CONFIG_PAX_REFCOUNT
9010 + LOCK_PREFIX _ASM_DEC "(%1)\n"
9012 + _ASM_EXTABLE(0b, 0b)
9015 /* adds 0x00000001 */
9017 " call call_rwsem_down_read_failed\n"
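Review bot: The `CONFIG_PAX_REFCOUNT` overflow path undoes the increment with a second locked instruction (`LOCK_PREFIX _ASM_DEC "(%1)"`), so between the `inc` and the compensating `dec` the wrapped count is visible to other CPUs; the same two-step pattern is added in the remaining rwsem.h hunks (@@ -139, -158, -196, -214, -231, -250, -263) and in the spinlock.h hunks (@@ -249, -258, -286). For a semaphore or rwlock count that window only makes a concurrent acquirer see a transiently wrong value, which is acceptable for a detection mechanism that is about to trap, but it should be stated once in a comment, e.g. `/* PAX_REFCOUNT: on signed overflow undo the update and trap; the wrapped value is briefly visible to other CPUs */`. The trap instruction and the `0:` label that must sit between the `#ifdef` and `_ASM_EXTABLE(0b, 0b)` are not shown on this page, so the exact sequence is inferred from the fixup entry.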
9018 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
9023 +#ifdef CONFIG_PAX_REFCOUNT
9027 + _ASM_EXTABLE(0b, 0b)
9031 LOCK_PREFIX " cmpxchg %2,%0\n\t"
9033 @@ -158,6 +174,14 @@ static inline void __down_write_nested(s
9035 asm volatile("# beginning down_write\n\t"
9036 LOCK_PREFIX " xadd %1,(%2)\n\t"
9038 +#ifdef CONFIG_PAX_REFCOUNT
9042 + _ASM_EXTABLE(0b, 0b)
9045 /* adds 0xffff0001, returns the old value */
9047 /* was the count 0 before? */
9048 @@ -196,6 +220,14 @@ static inline void __up_read(struct rw_s
9050 asm volatile("# beginning __up_read\n\t"
9051 LOCK_PREFIX " xadd %1,(%2)\n\t"
9053 +#ifdef CONFIG_PAX_REFCOUNT
9057 + _ASM_EXTABLE(0b, 0b)
9060 /* subtracts 1, returns the old value */
9062 " call call_rwsem_wake\n" /* expects old value in %edx */
9063 @@ -214,6 +246,14 @@ static inline void __up_write(struct rw_
9065 asm volatile("# beginning __up_write\n\t"
9066 LOCK_PREFIX " xadd %1,(%2)\n\t"
9068 +#ifdef CONFIG_PAX_REFCOUNT
9072 + _ASM_EXTABLE(0b, 0b)
9075 /* subtracts 0xffff0001, returns the old value */
9077 " call call_rwsem_wake\n" /* expects old value in %edx */
9078 @@ -231,6 +271,14 @@ static inline void __downgrade_write(str
9080 asm volatile("# beginning __downgrade_write\n\t"
9081 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9083 +#ifdef CONFIG_PAX_REFCOUNT
9085 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9087 + _ASM_EXTABLE(0b, 0b)
9091 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9092 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9093 @@ -250,7 +298,15 @@ static inline void __downgrade_write(str
9094 static inline void rwsem_atomic_add(rwsem_count_t delta,
9095 struct rw_semaphore *sem)
9097 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9098 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9100 +#ifdef CONFIG_PAX_REFCOUNT
9102 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9104 + _ASM_EXTABLE(0b, 0b)
9110 @@ -263,7 +319,15 @@ static inline rwsem_count_t rwsem_atomic
9112 rwsem_count_t tmp = delta;
9114 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9115 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9117 +#ifdef CONFIG_PAX_REFCOUNT
9121 + _ASM_EXTABLE(0b, 0b)
9124 : "+r" (tmp), "+m" (sem->count)
9127 diff -urNp linux-2.6.38.4/arch/x86/include/asm/segment.h linux-2.6.38.4/arch/x86/include/asm/segment.h
9128 --- linux-2.6.38.4/arch/x86/include/asm/segment.h 2011-03-14 21:20:32.000000000 -0400
9129 +++ linux-2.6.38.4/arch/x86/include/asm/segment.h 2011-04-17 15:57:32.000000000 -0400
9131 * 26 - ESPFIX small SS
9132 * 27 - per-cpu [ offset to per-cpu data area ]
9133 * 28 - stack_canary-20 [ for stack protector ]
9136 + * 29 - PCI BIOS CS
9137 + * 30 - PCI BIOS DS
9138 * 31 - TSS for double fault handler
9140 #define GDT_ENTRY_TLS_MIN 6
9143 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9145 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9147 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9149 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
9150 @@ -102,6 +104,12 @@
9151 #define __KERNEL_STACK_CANARY 0
9154 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9155 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9157 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9158 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9160 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9166 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9167 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9168 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9173 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9174 #define __USER32_DS __USER_DS
9176 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9178 #define GDT_ENTRY_TSS 8 /* needs two entries */
9179 #define GDT_ENTRY_LDT 10 /* needs two entries */
9180 #define GDT_ENTRY_TLS_MIN 12
9184 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9185 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9186 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9187 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9188 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
9189 diff -urNp linux-2.6.38.4/arch/x86/include/asm/smp.h linux-2.6.38.4/arch/x86/include/asm/smp.h
9190 --- linux-2.6.38.4/arch/x86/include/asm/smp.h 2011-03-14 21:20:32.000000000 -0400
9191 +++ linux-2.6.38.4/arch/x86/include/asm/smp.h 2011-04-17 15:57:32.000000000 -0400
9192 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9193 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9194 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9195 DECLARE_PER_CPU(u16, cpu_llc_id);
9196 -DECLARE_PER_CPU(int, cpu_number);
9197 +DECLARE_PER_CPU(unsigned int, cpu_number);
9199 static inline struct cpumask *cpu_sibling_mask(int cpu)
9201 @@ -172,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
9202 extern int safe_smp_processor_id(void);
9204 #elif defined(CONFIG_X86_64_SMP)
9205 -#define raw_smp_processor_id() (percpu_read(cpu_number))
9207 -#define stack_smp_processor_id() \
9209 - struct thread_info *ti; \
9210 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
9213 +#define raw_smp_processor_id() (percpu_read(cpu_number))
9214 +#define stack_smp_processor_id() raw_smp_processor_id()
9215 #define safe_smp_processor_id() smp_processor_id()
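Review bot: `stack_smp_processor_id()` is reduced to `raw_smp_processor_id()`, i.e. to a per-cpu read, whereas the removed version derived the CPU from the stack pointer via `thread_info`; the stack-based form existed for callers that run before, or without, a usable per-cpu base, so each such caller now has to be verified to run after the per-cpu area is loaded. With `thread_info` no longer living at the stack base (see the thread_info.h hunks) the old derivation is not possible anyway, which is presumably the motivation; a comment to that effect would help, e.g. `/* thread_info no longer lives on the stack, so the CPU cannot be recovered from %rsp; callers must run with the per-cpu base loaded */`. The removed `__asm__("andq %%rsp,%0 ...")` block is only partly visible on this page.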
9218 diff -urNp linux-2.6.38.4/arch/x86/include/asm/spinlock.h linux-2.6.38.4/arch/x86/include/asm/spinlock.h
9219 --- linux-2.6.38.4/arch/x86/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
9220 +++ linux-2.6.38.4/arch/x86/include/asm/spinlock.h 2011-04-17 15:57:32.000000000 -0400
9221 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9222 static inline void arch_read_lock(arch_rwlock_t *rw)
9224 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9226 +#ifdef CONFIG_PAX_REFCOUNT
9228 + LOCK_PREFIX " addl $1,(%0)\n"
9230 + _ASM_EXTABLE(0b, 0b)
9234 "call __read_lock_failed\n\t"
9236 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9237 static inline void arch_write_lock(arch_rwlock_t *rw)
9239 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9241 +#ifdef CONFIG_PAX_REFCOUNT
9243 + LOCK_PREFIX " addl %1,(%0)\n"
9245 + _ASM_EXTABLE(0b, 0b)
9249 "call __write_lock_failed\n\t"
9251 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9253 static inline void arch_read_unlock(arch_rwlock_t *rw)
9255 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9256 + asm volatile(LOCK_PREFIX "incl %0\n"
9258 +#ifdef CONFIG_PAX_REFCOUNT
9260 + LOCK_PREFIX "decl %0\n"
9262 + _ASM_EXTABLE(0b, 0b)
9265 + :"+m" (rw->lock) : : "memory");
9268 static inline void arch_write_unlock(arch_rwlock_t *rw)
9270 - asm volatile(LOCK_PREFIX "addl %1, %0"
9271 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9273 +#ifdef CONFIG_PAX_REFCOUNT
9275 + LOCK_PREFIX "subl %1, %0\n"
9277 + _ASM_EXTABLE(0b, 0b)
9280 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9283 diff -urNp linux-2.6.38.4/arch/x86/include/asm/stackprotector.h linux-2.6.38.4/arch/x86/include/asm/stackprotector.h
9284 --- linux-2.6.38.4/arch/x86/include/asm/stackprotector.h 2011-03-14 21:20:32.000000000 -0400
9285 +++ linux-2.6.38.4/arch/x86/include/asm/stackprotector.h 2011-04-17 15:57:32.000000000 -0400
9286 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9288 static inline void load_stack_canary_segment(void)
9290 -#ifdef CONFIG_X86_32
9291 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9292 asm volatile ("mov %0, %%gs" : : "r" (0));
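Review bot: The new condition leaves `%gs` untouched when `CONFIG_PAX_MEMORY_UDEREF` is set, so `load_stack_canary_segment()` becomes an empty function under that option, and the hunk gives no reason; presumably UDEREF assigns `%gs` a role on 32-bit that loading a null selector would break. A comment on the `#if` line should say why, e.g. `/* UDEREF owns %gs on 32-bit; do not load a null selector here */`, with the exact role confirmed against the UDEREF entry code. Whether the stack-protector canary segment is then established elsewhere under UDEREF is not visible in this hunk.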
9295 diff -urNp linux-2.6.38.4/arch/x86/include/asm/stacktrace.h linux-2.6.38.4/arch/x86/include/asm/stacktrace.h
9296 --- linux-2.6.38.4/arch/x86/include/asm/stacktrace.h 2011-03-14 21:20:32.000000000 -0400
9297 +++ linux-2.6.38.4/arch/x86/include/asm/stacktrace.h 2011-04-17 15:57:32.000000000 -0400
9300 extern int kstack_depth_to_print;
9302 -struct thread_info;
9303 +struct task_struct;
9304 struct stacktrace_ops;
9306 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
9307 - unsigned long *stack,
9309 - const struct stacktrace_ops *ops,
9311 - unsigned long *end,
9314 -extern unsigned long
9315 -print_context_stack(struct thread_info *tinfo,
9316 - unsigned long *stack, unsigned long bp,
9317 - const struct stacktrace_ops *ops, void *data,
9318 - unsigned long *end, int *graph);
9320 -extern unsigned long
9321 -print_context_stack_bp(struct thread_info *tinfo,
9322 - unsigned long *stack, unsigned long bp,
9323 - const struct stacktrace_ops *ops, void *data,
9324 - unsigned long *end, int *graph);
9325 +typedef unsigned long walk_stack_t(struct task_struct *task,
9326 + void *stack_start,
9327 + unsigned long *stack,
9329 + const struct stacktrace_ops *ops,
9331 + unsigned long *end,
9334 +extern walk_stack_t print_context_stack;
9335 +extern walk_stack_t print_context_stack_bp;
9337 /* Generic stack tracer with callbacks */
9339 @@ -43,7 +35,7 @@ struct stacktrace_ops {
9340 void (*address)(void *data, unsigned long address, int reliable);
9341 /* On negative return stop dumping */
9342 int (*stack)(void *data, char *name);
9343 - walk_stack_t walk_stack;
9344 + walk_stack_t *walk_stack;
9347 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
9348 diff -urNp linux-2.6.38.4/arch/x86/include/asm/system.h linux-2.6.38.4/arch/x86/include/asm/system.h
9349 --- linux-2.6.38.4/arch/x86/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
9350 +++ linux-2.6.38.4/arch/x86/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
9351 @@ -131,7 +131,7 @@ do { \
9352 "call __switch_to\n\t" \
9353 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
9355 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
9356 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
9357 "movq %%rax,%%rdi\n\t" \
9358 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
9359 "jnz ret_from_fork\n\t" \
9360 @@ -142,7 +142,7 @@ do { \
9361 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
9362 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
9363 [_tif_fork] "i" (_TIF_FORK), \
9364 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
9365 + [thread_info] "m" (current_tinfo), \
9366 [current_task] "m" (current_task) \
9367 __switch_canary_iparam \
9368 : "memory", "cc" __EXTRA_CLOBBER)
9369 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9371 unsigned long __limit;
9372 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9373 - return __limit + 1;
9377 static inline void native_clts(void)
9378 @@ -342,7 +342,7 @@ void enable_hlt(void);
9380 void cpu_idle_wait(void);
9382 -extern unsigned long arch_align_stack(unsigned long sp);
9383 +#define arch_align_stack(x) ((x) & ~0xfUL)
9384 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9386 void default_idle(void);
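Review bot: Replacing `extern unsigned long arch_align_stack(unsigned long sp)` with `#define arch_align_stack(x) ((x) & ~0xfUL)` removes whatever the out-of-line function did beyond 16-byte alignment; in mainline that function also subtracts a random offset from the initial user stack pointer when randomisation is enabled, so read on its own this hunk drops that per-exec stack-pointer randomisation unless another part of the patch supplies its own (likely, but not visible here). Add a comment naming where the randomisation now happens, e.g. `/* alignment only: stack randomisation is applied by PaX before this point, see <location> */` with the location filled in, so nobody reads the macro as a weakening of ASLR. If the out-of-line definition in arch/x86/kernel/process.c is not removed in the same patch, the macro will also shadow it there and cause a build error.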
9387 diff -urNp linux-2.6.38.4/arch/x86/include/asm/thread_info.h linux-2.6.38.4/arch/x86/include/asm/thread_info.h
9388 --- linux-2.6.38.4/arch/x86/include/asm/thread_info.h 2011-03-14 21:20:32.000000000 -0400
9389 +++ linux-2.6.38.4/arch/x86/include/asm/thread_info.h 2011-04-17 15:57:32.000000000 -0400
9391 #include <linux/compiler.h>
9392 #include <asm/page.h>
9393 #include <asm/types.h>
9394 +#include <asm/percpu.h>
9397 * low level task data that entry.S needs immediate access to
9398 @@ -24,7 +25,6 @@ struct exec_domain;
9399 #include <asm/atomic.h>
9401 struct thread_info {
9402 - struct task_struct *task; /* main task structure */
9403 struct exec_domain *exec_domain; /* execution domain */
9404 __u32 flags; /* low level flags */
9405 __u32 status; /* thread synchronous flags */
9406 @@ -34,18 +34,11 @@ struct thread_info {
9407 mm_segment_t addr_limit;
9408 struct restart_block restart_block;
9409 void __user *sysenter_return;
9410 -#ifdef CONFIG_X86_32
9411 - unsigned long previous_esp; /* ESP of the previous stack in
9412 - case of nested (IRQ) stacks
9414 - __u8 supervisor_stack[0];
9419 -#define INIT_THREAD_INFO(tsk) \
9420 +#define INIT_THREAD_INFO \
9423 .exec_domain = &default_exec_domain, \
9426 @@ -56,7 +49,7 @@ struct thread_info {
9430 -#define init_thread_info (init_thread_union.thread_info)
9431 +#define init_thread_info (init_task.tinfo)
9432 #define init_stack (init_thread_union.stack)
9434 #else /* !__ASSEMBLY__ */
9435 @@ -164,6 +157,23 @@ struct thread_info {
9436 #define alloc_thread_info(tsk) \
9437 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
9439 +#ifdef __ASSEMBLY__
9440 +/* how to get the thread information struct from ASM */
9441 +#define GET_THREAD_INFO(reg) \
9442 + mov PER_CPU_VAR(current_tinfo), reg
9444 +/* use this one if reg already contains %esp */
9445 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
9447 +/* how to get the thread information struct from C */
9448 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
9450 +static __always_inline struct thread_info *current_thread_info(void)
9452 + return percpu_read_stable(current_tinfo);
9456 #ifdef CONFIG_X86_32
9458 #define STACK_WARN (THREAD_SIZE/8)
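Review bot: `current_thread_info()` now returns the per-CPU pointer `current_tinfo` instead of deriving the address from the stack pointer, which decouples `struct thread_info` (and with it `addr_limit`) from the kernel stack; that holds only if `current_tinfo` is rewritten on every context switch, and the writer is not in this hunk (the `switch_to` asm in the system.h hunks reads it via `[thread_info] "m" (current_tinfo)` after `call __switch_to`). A comment above `DECLARE_PER_CPU(struct thread_info *, current_tinfo);` should name that invariant: `/* per-CPU pointer to the running task's thread_info; must be updated on every context switch before anything calls current_thread_info() */`. `percpu_read_stable()` lets the compiler cache the read, which is correct only because the value is constant for the lifetime of the current task on whichever CPU it runs, the same reasoning as for `current_task`; say so next to the function. The assembly `GET_THREAD_INFO_WITH_ESP(reg)` alias no longer uses `reg`'s incoming value at all, so its comment `use this one if reg already contains %esp` is now misleading and should be reduced to `/* kept for callers of the old stack-derived form; reg's contents are ignored */`.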
9459 @@ -174,35 +184,13 @@ struct thread_info {
9461 #ifndef __ASSEMBLY__
9464 /* how to get the current stack pointer from C */
9465 register unsigned long current_stack_pointer asm("esp") __used;
9467 -/* how to get the thread information struct from C */
9468 -static inline struct thread_info *current_thread_info(void)
9470 - return (struct thread_info *)
9471 - (current_stack_pointer & ~(THREAD_SIZE - 1));
9474 -#else /* !__ASSEMBLY__ */
9476 -/* how to get the thread information struct from ASM */
9477 -#define GET_THREAD_INFO(reg) \
9478 - movl $-THREAD_SIZE, reg; \
9481 -/* use this one if reg already contains %esp */
9482 -#define GET_THREAD_INFO_WITH_ESP(reg) \
9483 - andl $-THREAD_SIZE, reg
9489 -#include <asm/percpu.h>
9490 -#define KERNEL_STACK_OFFSET (5*8)
9493 * macros/functions for gaining access to the thread information structure
9494 * preempt_count needs to be 1 initially, until the scheduler is functional.
9495 @@ -210,21 +198,6 @@ static inline struct thread_info *curren
9496 #ifndef __ASSEMBLY__
9497 DECLARE_PER_CPU(unsigned long, kernel_stack);
9499 -static inline struct thread_info *current_thread_info(void)
9501 - struct thread_info *ti;
9502 - ti = (void *)(percpu_read_stable(kernel_stack) +
9503 - KERNEL_STACK_OFFSET - THREAD_SIZE);
9507 -#else /* !__ASSEMBLY__ */
9509 -/* how to get the thread information struct from ASM */
9510 -#define GET_THREAD_INFO(reg) \
9511 - movq PER_CPU_VAR(kernel_stack),reg ; \
9512 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
9516 #endif /* !X86_32 */
9517 @@ -260,5 +233,16 @@ extern void arch_task_cache_init(void);
9518 extern void free_thread_info(struct thread_info *ti);
9519 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
9520 #define arch_task_cache_init arch_task_cache_init
9522 +#define __HAVE_THREAD_FUNCTIONS
9523 +#define task_thread_info(task) (&(task)->tinfo)
9524 +#define task_stack_page(task) ((task)->stack)
9525 +#define setup_thread_stack(p, org) do {} while (0)
9526 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
9528 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
9529 +extern struct task_struct *alloc_task_struct(void);
9530 +extern void free_task_struct(struct task_struct *);
9533 #endif /* _ASM_X86_THREAD_INFO_H */
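Review bot: `end_of_stack(p)` is defined as `(unsigned long *)task_stack_page(p) + 1`, so the stack-end marker now sits one word above the base of the stack page rather than just past a `thread_info` that is no longer there, and why the first word is skipped is not stated. A comment such as `/* thread_info no longer lives at the stack base; the first word of the page is left free and the STACK_END_MAGIC word sits at +1 */` would settle it, with the reason for the gap filled in. `setup_thread_stack()` becoming a no-op is consistent with `task_thread_info()` now pointing into the task_struct, but `/* thread_info is embedded in task_struct; nothing to copy */` would spare the next reader the deduction. `alloc_task_struct()`/`free_task_struct()` are declared here under `__HAVE_ARCH_TASK_STRUCT_ALLOCATOR` with no ownership note; a line saying whether the returned task_struct comes zeroed and who frees the stack page would complete the contract.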
9534 diff -urNp linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h
9535 --- linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
9536 +++ linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h 2011-04-17 15:57:32.000000000 -0400
9537 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9538 static __always_inline unsigned long __must_check
9539 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9544 if (__builtin_constant_p(n)) {
9547 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9551 + if (!__builtin_constant_p(n))
9552 + check_object_size(from, n, true);
9553 return __copy_to_user_ll(to, from, n);
9556 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9557 static __always_inline unsigned long
9558 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9563 /* Avoid zeroing the tail if the copy fails..
9564 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9565 * but as the zeroing behaviour is only significant when n is not
9566 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9567 __copy_from_user(void *to, const void __user *from, unsigned long n)
9574 if (__builtin_constant_p(n)) {
9577 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9581 + if (!__builtin_constant_p(n))
9582 + check_object_size(to, n, false);
9583 return __copy_from_user_ll(to, from, n);
9586 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9587 const void __user *from, unsigned long n)
9594 if (__builtin_constant_p(n)) {
9597 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9598 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9601 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9606 -unsigned long __must_check copy_to_user(void __user *to,
9607 - const void *from, unsigned long n);
9608 -unsigned long __must_check _copy_from_user(void *to,
9609 - const void __user *from,
9611 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9614 +extern void copy_to_user_overflow(void)
9615 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9616 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9618 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9622 extern void copy_from_user_overflow(void)
9623 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9624 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9628 -static inline unsigned long __must_check copy_from_user(void *to,
9629 - const void __user *from,
9632 + * copy_to_user: - Copy a block of data into user space.
9633 + * @to: Destination address, in user space.
9634 + * @from: Source address, in kernel space.
9635 + * @n: Number of bytes to copy.
9637 + * Context: User context only. This function may sleep.
9639 + * Copy data from kernel space to user space.
9641 + * Returns number of bytes that could not be copied.
9642 + * On success, this will be zero.
9644 +static inline unsigned long __must_check
9645 +copy_to_user(void __user *to, const void *from, unsigned long n)
9647 + int sz = __compiletime_object_size(from);
9649 + if (unlikely(sz != -1 && sz < n))
9650 + copy_to_user_overflow();
9651 + else if (access_ok(VERIFY_WRITE, to, n))
9652 + n = __copy_to_user(to, from, n);
9657 + * copy_from_user: - Copy a block of data from user space.
9658 + * @to: Destination address, in kernel space.
9659 + * @from: Source address, in user space.
9660 + * @n: Number of bytes to copy.
9662 + * Context: User context only. This function may sleep.
9664 + * Copy data from user space to kernel space.
9666 + * Returns number of bytes that could not be copied.
9667 + * On success, this will be zero.
9669 + * If some data could not be copied, this function will pad the copied
9670 + * data to the requested size using zero bytes.
9672 +static inline unsigned long __must_check
9673 +copy_from_user(void *to, const void __user *from, unsigned long n)
9675 int sz = __compiletime_object_size(to);
9677 - if (likely(sz == -1 || sz >= n))
9678 - n = _copy_from_user(to, from, n);
9680 + if (unlikely(sz != -1 && sz < n))
9681 copy_from_user_overflow();
9683 + else if (access_ok(VERIFY_READ, from, n))
9684 + n = __copy_from_user(to, from, n);
9685 + else if ((long)n > 0) {
9686 + if (!__builtin_constant_p(n))
9687 + check_object_size(to, n, false);
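Review bot: In the new `copy_from_user()` the `!access_ok` branch opens with `else if ((long)n > 0) {` and a `check_object_size()` call, but the zero-fill of `to` that the kernel-doc just above promises (`pad the copied data to the requested size using zero bytes`) is not among the lines shown on this page; if the branch does not end in `memset(to, 0, n);` the caller gets an uninitialised kernel buffer back, which is the information-leak case the old out-of-line `_copy_from_user()` guarded against. The `(long)n > 0` guard is sensible, since a bogus length that went negative must not reach a `memset`, but it deserves a comment: `/* a negative (long)n is a bogus length from the caller; skip the zero-fill rather than scribble over the kernel */`. The uaccess_64.h hunk at @@ -37,26 +40,26 @@ has the same shape with `(int)n > 0` and needs the same check and comment. The closing lines of both functions are not visible here.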
9693 diff -urNp linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h
9694 --- linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
9695 +++ linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h 2011-04-17 15:57:32.000000000 -0400
9697 #include <asm/alternative.h>
9698 #include <asm/cpufeature.h>
9699 #include <asm/page.h>
9700 +#include <asm/pgtable.h>
9702 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9705 * Copy To/From Userspace
9706 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9710 -__must_check unsigned long
9711 -_copy_to_user(void __user *to, const void *from, unsigned len);
9712 -__must_check unsigned long
9713 -_copy_from_user(void *to, const void __user *from, unsigned len);
9714 +static __always_inline __must_check unsigned long
9715 +__copy_to_user(void __user *to, const void *from, unsigned len);
9716 +static __always_inline __must_check unsigned long
9717 +__copy_from_user(void *to, const void __user *from, unsigned len);
9718 __must_check unsigned long
9719 copy_in_user(void __user *to, const void __user *from, unsigned len);
9721 static inline unsigned long __must_check copy_from_user(void *to,
9722 const void __user *from,
9726 - int sz = __compiletime_object_size(to);
9729 - if (likely(sz == -1 || sz >= n))
9730 - n = _copy_from_user(to, from, n);
9731 -#ifdef CONFIG_DEBUG_VM
9733 - WARN(1, "Buffer overflow detected!\n");
9736 + if (access_ok(VERIFY_READ, from, n))
9737 + n = __copy_from_user(to, from, n);
9738 + else if ((int)n > 0) {
9739 + if (!__builtin_constant_p(n))
9740 + check_object_size(to, n, false);
9746 @@ -65,110 +68,174 @@ int copy_to_user(void __user *dst, const
9750 - return _copy_to_user(dst, src, size);
9751 + if (access_ok(VERIFY_WRITE, dst, size))
9752 + size = __copy_to_user(dst, src, size);
9756 static __always_inline __must_check
9757 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9758 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9761 + int sz = __compiletime_object_size(dst);
9765 - if (!__builtin_constant_p(size))
9766 - return copy_user_generic(dst, (__force void *)src, size);
9768 + if ((int)size < 0)
9771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9772 + if (!__access_ok(VERIFY_READ, src, size))
9776 + if (unlikely(sz != -1 && sz < size)) {
9777 +#ifdef CONFIG_DEBUG_VM
9778 + WARN(1, "Buffer overflow detected!\n");
9783 + if (!__builtin_constant_p(size)) {
9784 + check_object_size(dst, size, false);
9785 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9786 + src += PAX_USER_SHADOW_BASE;
9787 + return copy_user_generic(dst, (__force const void *)src, size);
9790 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9791 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9792 ret, "b", "b", "=q", 1);
9794 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9795 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9796 ret, "w", "w", "=r", 2);
9798 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9799 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9800 ret, "l", "k", "=r", 4);
9802 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9803 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9804 ret, "q", "", "=r", 8);
9807 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9808 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9809 ret, "q", "", "=r", 10);
9812 __get_user_asm(*(u16 *)(8 + (char *)dst),
9813 - (u16 __user *)(8 + (char __user *)src),
9814 + (const u16 __user *)(8 + (const char __user *)src),
9815 ret, "w", "w", "=r", 2);
9818 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9819 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9820 ret, "q", "", "=r", 16);
9823 __get_user_asm(*(u64 *)(8 + (char *)dst),
9824 - (u64 __user *)(8 + (char __user *)src),
9825 + (const u64 __user *)(8 + (const char __user *)src),
9826 ret, "q", "", "=r", 8);
9829 - return copy_user_generic(dst, (__force void *)src, size);
9830 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9831 + src += PAX_USER_SHADOW_BASE;
9832 + return copy_user_generic(dst, (__force const void *)src, size);
9836 static __always_inline __must_check
9837 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9838 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9841 + int sz = __compiletime_object_size(src);
9845 - if (!__builtin_constant_p(size))
9847 + if ((int)size < 0)
9850 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9851 + if (!__access_ok(VERIFY_WRITE, dst, size))
9855 + if (unlikely(sz != -1 && sz < size)) {
9856 +#ifdef CONFIG_DEBUG_VM
9857 + WARN(1, "Buffer overflow detected!\n");
9862 + if (!__builtin_constant_p(size)) {
9863 + check_object_size(src, size, true);
9864 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9865 + dst += PAX_USER_SHADOW_BASE;
9866 return copy_user_generic((__force void *)dst, src, size);
9869 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9870 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9871 ret, "b", "b", "iq", 1);
9873 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9874 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9875 ret, "w", "w", "ir", 2);
9877 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9878 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9879 ret, "l", "k", "ir", 4);
9881 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9882 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9883 ret, "q", "", "er", 8);
9886 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9887 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9888 ret, "q", "", "er", 10);
9892 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9893 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9894 ret, "w", "w", "ir", 2);
9897 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9898 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9899 ret, "q", "", "er", 16);
9903 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9904 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9905 ret, "q", "", "er", 8);
9908 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9909 + dst += PAX_USER_SHADOW_BASE;
9910 return copy_user_generic((__force void *)dst, src, size);
9914 static __always_inline __must_check
9915 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9916 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9922 - if (!__builtin_constant_p(size))
9924 + if ((int)size < 0)
9927 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9928 + if (!__access_ok(VERIFY_READ, src, size))
9930 + if (!__access_ok(VERIFY_WRITE, dst, size))
9934 + if (!__builtin_constant_p(size)) {
9935 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9936 + src += PAX_USER_SHADOW_BASE;
9937 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9938 + dst += PAX_USER_SHADOW_BASE;
9939 return copy_user_generic((__force void *)dst,
9940 - (__force void *)src, size);
9941 + (__force const void *)src, size);
9946 - __get_user_asm(tmp, (u8 __user *)src,
9947 + __get_user_asm(tmp, (const u8 __user *)src,
9948 ret, "b", "b", "=q", 1);
9950 __put_user_asm(tmp, (u8 __user *)dst,
9951 @@ -177,7 +244,7 @@ int __copy_in_user(void __user *dst, con
9955 - __get_user_asm(tmp, (u16 __user *)src,
9956 + __get_user_asm(tmp, (const u16 __user *)src,
9957 ret, "w", "w", "=r", 2);
9959 __put_user_asm(tmp, (u16 __user *)dst,
9960 @@ -187,7 +254,7 @@ int __copy_in_user(void __user *dst, con
9964 - __get_user_asm(tmp, (u32 __user *)src,
9965 + __get_user_asm(tmp, (const u32 __user *)src,
9966 ret, "l", "k", "=r", 4);
9968 __put_user_asm(tmp, (u32 __user *)dst,
9969 @@ -196,7 +263,7 @@ int __copy_in_user(void __user *dst, con
9973 - __get_user_asm(tmp, (u64 __user *)src,
9974 + __get_user_asm(tmp, (const u64 __user *)src,
9975 ret, "q", "", "=r", 8);
9977 __put_user_asm(tmp, (u64 __user *)dst,
9978 @@ -204,8 +271,12 @@ int __copy_in_user(void __user *dst, con
9982 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9983 + src += PAX_USER_SHADOW_BASE;
9984 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9985 + dst += PAX_USER_SHADOW_BASE;
9986 return copy_user_generic((__force void *)dst,
9987 - (__force void *)src, size);
9988 + (__force const void *)src, size);
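Review bot: The shadow-base rebasing at L5895-L5898 (`if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` and the same two lines for `dst`) is open-coded here and repeated in the sibling copy helpers (L5813-L5814, L5829-L5830, L5856-L5857, L5868-L5871, L5908-L5909, L5917-L5918) and in xsave.h (L6120-L6121, L6127-L6128), while the same patch introduces the `____m(x)` statement expression in uaccess.h for exactly this computation. A single `static __always_inline` helper next to `____m` (uaccess_64.h is included from the end of uaccess.h, so it is in scope) would keep every user-copy path rebasing identically and make any later change to the threshold a one-line edit. `src += ...` on a `const void __user *` also relies on the GCC void-pointer-arithmetic extension; a helper could spell the byte arithmetic out once. The body of `__copy_in_user` starts outside this hunk.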
9992 @@ -222,33 +293,68 @@ __must_check unsigned long __clear_user(
9993 static __must_check __always_inline int
9994 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9996 + if ((int)size < 0)
9999 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10000 + if (!__access_ok(VERIFY_READ, src, size))
10004 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10005 + src += PAX_USER_SHADOW_BASE;
10006 return copy_user_generic(dst, (__force const void *)src, size);
10009 -static __must_check __always_inline int
10010 +static __must_check __always_inline unsigned long
10011 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
10013 + if ((int)size < 0)
10016 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10017 + if (!__access_ok(VERIFY_WRITE, dst, size))
10021 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10022 + dst += PAX_USER_SHADOW_BASE;
10023 return copy_user_generic((__force void *)dst, src, size);
10026 -extern long __copy_user_nocache(void *dst, const void __user *src,
10027 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
10028 unsigned size, int zerorest);
10031 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10032 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10036 + if ((int)size < 0)
10039 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10040 + if (!__access_ok(VERIFY_READ, src, size))
10044 return __copy_user_nocache(dst, src, size, 1);
10048 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10049 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10052 + if ((int)size < 0)
10055 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10056 + if (!__access_ok(VERIFY_READ, src, size))
10060 return __copy_user_nocache(dst, src, size, 0);
10064 +extern unsigned long
10065 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
10067 #endif /* _ASM_X86_UACCESS_64_H */
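Review bot: `__copy_from_user_nocache` (L5924-L5928) and `__copy_from_user_inatomic_nocache` (L5930-L5934) gain the UDEREF `__access_ok` check but not the `PAX_USER_SHADOW_BASE` rebase that `__copy_from_user_inatomic` gets at L5908-L5909 before its copy, so unless the external `__copy_user_nocache` routine (declared at L5921-L5922, body not on the page) rebases internally, the nocache paths hand an unshifted pointer to the copy; this is worth confirming, or adding the same two lines before L5928 and L5934. Separately, `__copy_from_user_inatomic` keeps `int` as its return type at L5903 while `__copy_to_user_inatomic` at L5912 and the other helpers in this file move to `unsigned long`; `static __must_check __always_inline unsigned long` would make the set consistent. The `(int)size < 0` guard at L5905/L5914/L5925/L5931 would also benefit from a one-line comment, presumably `/* reject sizes >= 2^31 so the int sz < size comparison and the asm length operands stay well-defined */` (the `sz < size` comparison is visible at L5824; the lines following each guard are not in this rendering).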
10068 diff -urNp linux-2.6.38.4/arch/x86/include/asm/uaccess.h linux-2.6.38.4/arch/x86/include/asm/uaccess.h
10069 --- linux-2.6.38.4/arch/x86/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
10070 +++ linux-2.6.38.4/arch/x86/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
10072 #include <linux/thread_info.h>
10073 #include <linux/prefetch.h>
10074 #include <linux/string.h>
10075 +#include <linux/sched.h>
10076 #include <asm/asm.h>
10077 #include <asm/page.h>
10079 #define VERIFY_READ 0
10080 #define VERIFY_WRITE 1
10082 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
10085 * The fs value determines whether argument validity checking should be
10086 * performed or not. If get_fs() == USER_DS, checking is performed, with
10089 #define get_ds() (KERNEL_DS)
10090 #define get_fs() (current_thread_info()->addr_limit)
10091 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10092 +void __set_fs(mm_segment_t x);
10093 +void set_fs(mm_segment_t x);
10095 #define set_fs(x) (current_thread_info()->addr_limit = (x))
10098 #define segment_eq(a, b) ((a).seg == (b).seg)
10101 * checks that the pointer is in the user space range - after calling
10102 * this function, memory access functions may still return -EFAULT.
10104 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10105 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10106 +#define access_ok(type, addr, size) \
10108 + long __size = size; \
10109 + unsigned long __addr = (unsigned long)addr; \
10110 + unsigned long __addr_ao = __addr & PAGE_MASK; \
10111 + unsigned long __end_ao = __addr + __size - 1; \
10112 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
10113 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
10114 + while(__addr_ao <= __end_ao) { \
10116 + __addr_ao += PAGE_SIZE; \
10117 + if (__size > PAGE_SIZE) \
10118 + cond_resched(); \
10119 + if (__get_user(__c_ao, (char __user *)__addr)) \
10121 + if (type != VERIFY_WRITE) { \
10122 + __addr = __addr_ao; \
10125 + if (__put_user(__c_ao, (char __user *)__addr)) \
10127 + __addr = __addr_ao; \
10134 * The exception table consists of pairs of addresses: the first is the
10135 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
10136 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10137 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10140 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10141 +#define __copyuser_seg "gs;"
10142 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
10143 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
10145 +#define __copyuser_seg
10146 +#define __COPYUSER_SET_ES
10147 +#define __COPYUSER_RESTORE_ES
10150 #ifdef CONFIG_X86_32
10151 #define __put_user_asm_u64(x, addr, err, errret) \
10152 - asm volatile("1: movl %%eax,0(%2)\n" \
10153 - "2: movl %%edx,4(%2)\n" \
10154 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
10155 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
10157 ".section .fixup,\"ax\"\n" \
10158 "4: movl %3,%0\n" \
10159 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
10160 : "A" (x), "r" (addr), "i" (errret), "0" (err))
10162 #define __put_user_asm_ex_u64(x, addr) \
10163 - asm volatile("1: movl %%eax,0(%1)\n" \
10164 - "2: movl %%edx,4(%1)\n" \
10165 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
10166 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
10168 _ASM_EXTABLE(1b, 2b - 1b) \
10169 _ASM_EXTABLE(2b, 3b - 2b) \
10170 @@ -374,7 +416,7 @@ do { \
10173 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10174 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
10175 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
10177 ".section .fixup,\"ax\"\n" \
10179 @@ -382,7 +424,7 @@ do { \
10182 _ASM_EXTABLE(1b, 3b) \
10183 - : "=r" (err), ltype(x) \
10184 + : "=r" (err), ltype (x) \
10185 : "m" (__m(addr)), "i" (errret), "0" (err))
10187 #define __get_user_size_ex(x, ptr, size) \
10188 @@ -407,7 +449,7 @@ do { \
10191 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
10192 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
10193 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
10195 _ASM_EXTABLE(1b, 2b - 1b) \
10196 : ltype(x) : "m" (__m(addr)))
10197 @@ -424,13 +466,24 @@ do { \
10199 unsigned long __gu_val; \
10200 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
10201 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
10202 + (x) = (__typeof__(*(ptr)))__gu_val; \
10206 /* FIXME: this hack is definitely wrong -AK */
10207 struct __large_struct { unsigned long buf[100]; };
10208 -#define __m(x) (*(struct __large_struct __user *)(x))
10209 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10210 +#define ____m(x) \
10212 + unsigned long ____x = (unsigned long)(x); \
10213 + if (____x < PAX_USER_SHADOW_BASE) \
10214 + ____x += PAX_USER_SHADOW_BASE; \
10215 + (void __user *)____x; \
10218 +#define ____m(x) (x)
10220 +#define __m(x) (*(struct __large_struct __user *)____m(x))
10223 * Tell gcc we read from memory instead of writing: this is because
10224 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
10227 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10228 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
10229 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
10231 ".section .fixup,\"ax\"\n" \
10233 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
10235 _ASM_EXTABLE(1b, 3b) \
10237 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10238 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
10240 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
10241 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
10242 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
10244 _ASM_EXTABLE(1b, 2b - 1b) \
10245 : : ltype(x), "m" (__m(addr)))
10246 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
10247 * On error, the variable @x is set to zero.
10250 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10251 +#define __get_user(x, ptr) get_user((x), (ptr))
10253 #define __get_user(x, ptr) \
10254 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
10258 * __put_user: - Write a simple value into user space, with less checking.
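Review bot: With `__get_user` redefined to `get_user` under x86_64 UDEREF at L6058, the documentation block it sits in no longer describes the macro for that configuration: the "with less checking" wording (visible for `__put_user` at L6061, and presumably in the matching `__get_user` block just above this hunk) is wrong there, since the macro now performs the full `access_ok` range check. Add to each block a line such as `* With CONFIG_PAX_MEMORY_UDEREF on x86_64 this is an alias of get_user()/put_user() and performs the full range check; a caller's own access_ok() becomes redundant.` The same applies to `__put_user` in the next hunk (L6062-L6069).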
10259 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
10260 * Returns zero on success, or -EFAULT on error.
10263 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10264 +#define __put_user(x, ptr) put_user((x), (ptr))
10266 #define __put_user(x, ptr) \
10267 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10270 #define __get_user_unaligned __get_user
10271 #define __put_user_unaligned __put_user
10272 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
10273 #define get_user_ex(x, ptr) do { \
10274 unsigned long __gue_val; \
10275 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
10276 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
10277 + (x) = (__typeof__(*(ptr)))__gue_val; \
10280 #ifdef CONFIG_X86_WP_WORKS_OK
10281 @@ -567,6 +628,7 @@ extern struct movsl_mask {
10283 #define ARCH_HAS_NOCACHE_UACCESS 1
10285 +#define ARCH_HAS_SORT_EXTABLE
10286 #ifdef CONFIG_X86_32
10287 # include "uaccess_32.h"
10289 diff -urNp linux-2.6.38.4/arch/x86/include/asm/vgtod.h linux-2.6.38.4/arch/x86/include/asm/vgtod.h
10290 --- linux-2.6.38.4/arch/x86/include/asm/vgtod.h 2011-03-14 21:20:32.000000000 -0400
10291 +++ linux-2.6.38.4/arch/x86/include/asm/vgtod.h 2011-04-17 15:57:32.000000000 -0400
10292 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10293 int sysctl_enabled;
10294 struct timezone sys_tz;
10295 struct { /* extract of a clocksource struct */
10297 cycle_t (*vread)(void);
10298 cycle_t cycle_last;
10300 diff -urNp linux-2.6.38.4/arch/x86/include/asm/vsyscall.h linux-2.6.38.4/arch/x86/include/asm/vsyscall.h
10301 --- linux-2.6.38.4/arch/x86/include/asm/vsyscall.h 2011-03-14 21:20:32.000000000 -0400
10302 +++ linux-2.6.38.4/arch/x86/include/asm/vsyscall.h 2011-04-17 15:57:32.000000000 -0400
10303 @@ -15,9 +15,10 @@ enum vsyscall_num {
10306 #include <linux/seqlock.h>
10307 +#include <linux/getcpu.h>
10308 +#include <linux/time.h>
10310 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10311 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10313 /* Definitions for CONFIG_GENERIC_TIME definitions */
10314 #define __section_vsyscall_gtod_data __attribute__ \
10315 @@ -31,7 +32,6 @@ enum vsyscall_num {
10316 #define VGETCPU_LSL 2
10318 extern int __vgetcpu_mode;
10319 -extern volatile unsigned long __jiffies;
10321 /* kernel space (writeable) */
10322 extern int vgetcpu_mode;
10323 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10325 extern void map_vsyscall(void);
10327 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10328 +extern time_t vtime(time_t *t);
10329 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10330 #endif /* __KERNEL__ */
10332 #endif /* _ASM_X86_VSYSCALL_H */
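Review bot: The prototypes at L6110-L6111 use `struct timeval * tv` / `time_t *t` spacing inconsistently, and the kernel's coding style binds the pointer declarator to the name (`struct timeval *tv`), which `vgetcpu` at L6112 already does. Suggest `extern int vgettimeofday(struct timeval *tv, struct timezone *tz);`.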
10333 diff -urNp linux-2.6.38.4/arch/x86/include/asm/xsave.h linux-2.6.38.4/arch/x86/include/asm/xsave.h
10334 --- linux-2.6.38.4/arch/x86/include/asm/xsave.h 2011-03-14 21:20:32.000000000 -0400
10335 +++ linux-2.6.38.4/arch/x86/include/asm/xsave.h 2011-04-17 15:57:32.000000000 -0400
10336 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10340 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10341 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10342 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10346 * Clear the xsave header first, so that reserved fields are
10347 * initialized to zero.
10348 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10350 u32 hmask = mask >> 32;
10352 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10353 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10354 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10357 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10359 ".section .fixup,\"ax\"\n"
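Review bot: The cast at L6128 drops the `__user` address-space qualifier (`(struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE)`), whereas the equivalent line in `xsave_user` at L6121 keeps it; if `xstate` is declared `__user` in `xrestore_user` (its signature is cut at the hunk header), sparse will flag this, and the two sites disagree in style either way. Suggest `xstate = (struct xsave_struct __user *)((void __user *)xstate + PAX_USER_SHADOW_BASE);` to match L6121. The enclosing function starts outside the hunk.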
10360 diff -urNp linux-2.6.38.4/arch/x86/Kconfig linux-2.6.38.4/arch/x86/Kconfig
10361 --- linux-2.6.38.4/arch/x86/Kconfig 2011-03-14 21:20:32.000000000 -0400
10362 +++ linux-2.6.38.4/arch/x86/Kconfig 2011-04-17 15:57:32.000000000 -0400
10363 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
10365 config X86_32_LAZY_GS
10367 - depends on X86_32 && !CC_STACKPROTECTOR
10368 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10370 config ARCH_HWEIGHT_CFLAGS
10372 @@ -1019,7 +1019,7 @@ choice
10376 - depends on !X86_NUMAQ
10377 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10379 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10380 However, the address space of 32-bit x86 processors is only 4
10381 @@ -1056,7 +1056,7 @@ config NOHIGHMEM
10385 - depends on !X86_NUMAQ
10386 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10388 Select this if you have a 32-bit processor and between 1 and 4
10389 gigabytes of physical RAM.
10390 @@ -1110,7 +1110,7 @@ config PAGE_OFFSET
10392 default 0xB0000000 if VMSPLIT_3G_OPT
10393 default 0x80000000 if VMSPLIT_2G
10394 - default 0x78000000 if VMSPLIT_2G_OPT
10395 + default 0x70000000 if VMSPLIT_2G_OPT
10396 default 0x40000000 if VMSPLIT_1G
10399 @@ -1454,7 +1454,7 @@ config ARCH_USES_PG_UNCACHED
10402 bool "EFI runtime service support"
10404 + depends on ACPI && !PAX_KERNEXEC
10406 This enables the kernel to use EFI runtime services that are
10407 available (such as the EFI variable services).
10408 @@ -1484,6 +1484,7 @@ config SECCOMP
10410 config CC_STACKPROTECTOR
10411 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10412 + depends on X86_64 || !PAX_MEMORY_UDEREF
10414 This option turns on the -fstack-protector GCC feature. This
10415 feature puts, at the beginning of functions, a canary value on
10416 @@ -1541,6 +1542,7 @@ config KEXEC_JUMP
10417 config PHYSICAL_START
10418 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10419 default "0x1000000"
10420 + range 0x400000 0x40000000
10422 This gives the physical address where the kernel is loaded.
10424 @@ -1604,6 +1606,7 @@ config X86_NEED_RELOCS
10425 config PHYSICAL_ALIGN
10426 hex "Alignment value to which kernel should be aligned" if X86_32
10427 default "0x1000000"
10428 + range 0x400000 0x1000000 if PAX_KERNEXEC
10429 range 0x2000 0x1000000
10431 This value puts the alignment restrictions on physical address
10432 @@ -1635,9 +1638,10 @@ config HOTPLUG_CPU
10433 Say N if you want to disable CPU hotplug.
10438 prompt "Compat VDSO support"
10439 depends on X86_32 || IA32_EMULATION
10440 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10442 Map the 32-bit VDSO to the predictable old-style address too.
10444 diff -urNp linux-2.6.38.4/arch/x86/Kconfig.cpu linux-2.6.38.4/arch/x86/Kconfig.cpu
10445 --- linux-2.6.38.4/arch/x86/Kconfig.cpu 2011-03-14 21:20:32.000000000 -0400
10446 +++ linux-2.6.38.4/arch/x86/Kconfig.cpu 2011-04-17 15:57:32.000000000 -0400
10447 @@ -339,7 +339,7 @@ config X86_PPRO_FENCE
10449 config X86_F00F_BUG
10451 - depends on M586MMX || M586TSC || M586 || M486 || M386
10452 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10454 config X86_INVD_BUG
10456 @@ -363,7 +363,7 @@ config X86_POPAD_OK
10458 config X86_ALIGNMENT_16
10460 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10461 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10463 config X86_INTEL_USERCOPY
10465 @@ -409,7 +409,7 @@ config X86_CMPXCHG64
10469 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10470 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10472 config X86_MINIMUM_CPU_FAMILY
10474 diff -urNp linux-2.6.38.4/arch/x86/Kconfig.debug linux-2.6.38.4/arch/x86/Kconfig.debug
10475 --- linux-2.6.38.4/arch/x86/Kconfig.debug 2011-03-14 21:20:32.000000000 -0400
10476 +++ linux-2.6.38.4/arch/x86/Kconfig.debug 2011-04-17 15:57:32.000000000 -0400
10477 @@ -101,7 +101,7 @@ config X86_PTDUMP
10478 config DEBUG_RODATA
10479 bool "Write protect kernel read-only data structures"
10481 - depends on DEBUG_KERNEL
10482 + depends on DEBUG_KERNEL && BROKEN
10484 Mark the kernel read-only data as write-protected in the pagetables,
10485 in order to catch accidental (and incorrect) writes to such const
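Review bot: Making DEBUG_RODATA depend on BROKEN at L6209 hides the option from every configuration, including builds with no PAX option enabled, while its help text at L6210-L6211 still presents it as a working feature; the same applies to DEBUG_SET_MODULE_RONX at L6216. If the intent is that PAX_KERNEXEC supersedes these (the page does not say), `depends on DEBUG_KERNEL && !PAX_KERNEXEC` would keep the write-protection available to non-PaX builds. Otherwise add a help-text line stating why the option is disabled, e.g. `  This option is marked BROKEN in this patch set: <REASON-PLACEHOLDER>.`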
10486 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
10488 config DEBUG_SET_MODULE_RONX
10489 bool "Set loadable kernel module data as NX and text as RO"
10490 - depends on MODULES
10491 + depends on MODULES && BROKEN
10493 This option helps catch unintended modifications to loadable
10494 kernel module's text and read-only data. It also prevents execution
10495 diff -urNp linux-2.6.38.4/arch/x86/kernel/acpi/boot.c linux-2.6.38.4/arch/x86/kernel/acpi/boot.c
10496 --- linux-2.6.38.4/arch/x86/kernel/acpi/boot.c 2011-03-14 21:20:32.000000000 -0400
10497 +++ linux-2.6.38.4/arch/x86/kernel/acpi/boot.c 2011-04-17 15:57:32.000000000 -0400
10498 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
10499 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10503 + { NULL, NULL, {{0, {0}}}, NULL}
10507 diff -urNp linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c
10508 --- linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c 2011-03-14 21:20:32.000000000 -0400
10509 +++ linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c 2011-04-17 15:57:32.000000000 -0400
10511 #include "realmode/wakeup.h"
10514 -unsigned long acpi_wakeup_address;
10515 +unsigned long acpi_wakeup_address = 0x2000;
10516 unsigned long acpi_realmode_flags;
10518 /* address in low memory of the wakeup routine. */
10519 @@ -99,8 +99,12 @@ int acpi_save_state_mem(void)
10520 header->trampoline_segment = setup_trampoline() >> 4;
10522 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10524 + pax_open_kernel();
10525 early_gdt_descr.address =
10526 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10527 + pax_close_kernel();
10529 initial_gs = per_cpu_offset(smp_processor_id());
10531 initial_code = (unsigned long)wakeup_long64;
10532 diff -urNp linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S
10533 --- linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S 2011-03-14 21:20:32.000000000 -0400
10534 +++ linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S 2011-04-17 15:57:32.000000000 -0400
10535 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10536 # and restore the stack ... but you need gdt for this to work
10537 movl saved_context_esp, %esp
10539 - movl %cs:saved_magic, %eax
10540 - cmpl $0x12345678, %eax
10541 + cmpl $0x12345678, saved_magic
10544 # jump to place where we left off
10545 - movl saved_eip, %eax
10551 diff -urNp linux-2.6.38.4/arch/x86/kernel/alternative.c linux-2.6.38.4/arch/x86/kernel/alternative.c
10552 --- linux-2.6.38.4/arch/x86/kernel/alternative.c 2011-04-18 17:27:13.000000000 -0400
10553 +++ linux-2.6.38.4/arch/x86/kernel/alternative.c 2011-04-17 15:57:32.000000000 -0400
10554 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10555 if (!*poff || ptr < text || ptr >= text_end)
10557 /* turn DS segment override prefix into lock prefix */
10558 - if (*ptr == 0x3e)
10559 + if (*ktla_ktva(ptr) == 0x3e)
10560 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10562 mutex_unlock(&text_mutex);
10563 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10564 if (!*poff || ptr < text || ptr >= text_end)
10566 /* turn lock prefix into DS segment override prefix */
10567 - if (*ptr == 0xf0)
10568 + if (*ktla_ktva(ptr) == 0xf0)
10569 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10571 mutex_unlock(&text_mutex);
10572 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
10574 BUG_ON(p->len > MAX_PATCH_LEN);
10575 /* prep the buffer with the original instructions */
10576 - memcpy(insnbuf, p->instr, p->len);
10577 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10578 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10579 (unsigned long)p->instr, p->len);
10581 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
10583 free_init_pages("SMP alternatives",
10584 (unsigned long)__smp_locks,
10585 - (unsigned long)__smp_locks_end);
10586 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10590 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
10591 * instructions. And on the local CPU you need to be protected again NMI or MCE
10592 * handlers seeing an inconsistent instruction while you patch.
10594 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10595 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10598 unsigned long flags;
10599 local_irq_save(flags);
10600 - memcpy(addr, opcode, len);
10602 + pax_open_kernel();
10603 + memcpy(ktla_ktva(addr), opcode, len);
10605 + pax_close_kernel();
10607 local_irq_restore(flags);
10608 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10609 that causes hangs on some VIA CPUs. */
10610 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
10612 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10614 - unsigned long flags;
10616 + unsigned char *vaddr = ktla_ktva(addr);
10617 struct page *pages[2];
10621 if (!core_kernel_text((unsigned long)addr)) {
10622 - pages[0] = vmalloc_to_page(addr);
10623 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10624 + pages[0] = vmalloc_to_page(vaddr);
10625 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10627 - pages[0] = virt_to_page(addr);
10628 + pages[0] = virt_to_page(vaddr);
10629 WARN_ON(!PageReserved(pages[0]));
10630 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10631 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10634 - local_irq_save(flags);
10635 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10637 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10638 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10639 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10640 - clear_fixmap(FIX_TEXT_POKE0);
10642 - clear_fixmap(FIX_TEXT_POKE1);
10643 - local_flush_tlb();
10645 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10646 - that causes hangs on some VIA CPUs. */
10647 + text_poke_early(addr, opcode, len);
10648 for (i = 0; i < len; i++)
10649 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10650 - local_irq_restore(flags);
10651 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
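Review bot: After the fixmap path is removed, `pages[1]` is still computed at L6305 and L6310 but no visible use of it remains on the new side of `text_poke`, and `pages[0]` now serves only the `WARN_ON(!PageReserved(pages[0]))` at L6308; the `vmalloc_to_page(vaddr + PAGE_SIZE)` lookup is also done even when `len` does not cross a page. Unless lines dropped from this rendering still use them, dropping `pages[1]` (or the array) removes dead work. The write itself now goes through `text_poke_early` (L6321), which does `pax_open_kernel(); memcpy(ktla_ktva(addr), opcode, len); pax_close_kernel();` under `local_irq_save` at L6288-L6293, and the readback loop at L6322-L6325 verifies through `vaddr`; a one-line comment such as `/* vaddr: writable alias of addr (ktla_ktva) used for page lookup and readback */` would tell readers why two pointers for the same text are in play, hedged since `ktla_ktva` is not defined on the page.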
10655 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
10656 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
10658 #ifdef CONFIG_X86_64
10659 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10660 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10662 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10663 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10666 void __init arch_init_ideal_nop5(void)
10667 diff -urNp linux-2.6.38.4/arch/x86/kernel/amd_iommu.c linux-2.6.38.4/arch/x86/kernel/amd_iommu.c
10668 --- linux-2.6.38.4/arch/x86/kernel/amd_iommu.c 2011-03-14 21:20:32.000000000 -0400
10669 +++ linux-2.6.38.4/arch/x86/kernel/amd_iommu.c 2011-04-17 15:57:32.000000000 -0400
10670 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10674 -static struct dma_map_ops amd_iommu_dma_ops = {
10675 +static const struct dma_map_ops amd_iommu_dma_ops = {
10676 .alloc_coherent = alloc_coherent,
10677 .free_coherent = free_coherent,
10678 .map_page = map_page,
10679 diff -urNp linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c
10680 --- linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c 2011-03-14 21:20:32.000000000 -0400
10681 +++ linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c 2011-04-17 15:57:32.000000000 -0400
10682 @@ -617,7 +617,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10683 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10685 if (!ioapic_entries)
10689 for (apic = 0; apic < nr_ioapics; apic++) {
10690 ioapic_entries[apic] =
10691 @@ -634,7 +634,7 @@ nomem:
10692 kfree(ioapic_entries[apic]);
10693 kfree(ioapic_entries);
10700 @@ -1044,7 +1044,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10702 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10704 -void lock_vector_lock(void)
10705 +void lock_vector_lock(void) __acquires(vector_lock)
10707 /* Used to the online set of cpus does not change
10708 * during assign_irq_vector.
10709 @@ -1052,7 +1052,7 @@ void lock_vector_lock(void)
10710 raw_spin_lock(&vector_lock);
10713 -void unlock_vector_lock(void)
10714 +void unlock_vector_lock(void) __releases(vector_lock)
10716 raw_spin_unlock(&vector_lock);
10718 diff -urNp linux-2.6.38.4/arch/x86/kernel/apm_32.c linux-2.6.38.4/arch/x86/kernel/apm_32.c
10719 --- linux-2.6.38.4/arch/x86/kernel/apm_32.c 2011-03-14 21:20:32.000000000 -0400
10720 +++ linux-2.6.38.4/arch/x86/kernel/apm_32.c 2011-04-17 15:57:32.000000000 -0400
10721 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10722 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10723 * even though they are called in protected mode.
10725 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10726 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10727 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10729 static const char driver_version[] = "1.16ac"; /* no spaces */
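Review bot: The change of the descriptor access byte from 0x92 to 0x93 at L6372 is undocumented; the two values differ only in the accessed bit of a present, writable data segment, so presumably it is preset because `bad_bios_desc` becomes `const` and the GDT it is copied into is only writable inside the `pax_open_kernel()`/`pax_close_kernel()` windows at L6378-L6380 and L6392-L6394, leaving the CPU unable to set the bit on first load. A comment on the line, e.g. `/* accessed bit preset: the descriptor is const and the GDT is read-only outside pax_open_kernel() */`, would save the next reader from decoding the constant. The comment at L6369-L6370 above describes only the segment-0x40 BIOS quirk, not this flag.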
10730 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10732 gdt = get_cpu_gdt_table(cpu);
10733 save_desc_40 = gdt[0x40 / 8];
10735 + pax_open_kernel();
10736 gdt[0x40 / 8] = bad_bios_desc;
10737 + pax_close_kernel();
10739 apm_irq_save(flags);
10741 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10743 APM_DO_RESTORE_SEGS;
10744 apm_irq_restore(flags);
10746 + pax_open_kernel();
10747 gdt[0x40 / 8] = save_desc_40;
10748 + pax_close_kernel();
10752 return call->eax & 0xff;
10753 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10755 gdt = get_cpu_gdt_table(cpu);
10756 save_desc_40 = gdt[0x40 / 8];
10758 + pax_open_kernel();
10759 gdt[0x40 / 8] = bad_bios_desc;
10760 + pax_close_kernel();
10762 apm_irq_save(flags);
10764 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10766 APM_DO_RESTORE_SEGS;
10767 apm_irq_restore(flags);
10769 + pax_open_kernel();
10770 gdt[0x40 / 8] = save_desc_40;
10771 + pax_close_kernel();
10776 @@ -975,7 +989,7 @@ recalc:
10778 static void apm_power_off(void)
10780 - unsigned char po_bios_call[] = {
10781 + const unsigned char po_bios_call[] = {
10782 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10783 0x8e, 0xd0, /* movw ax,ss */
10784 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10785 @@ -1932,7 +1946,10 @@ static const struct file_operations apm_
10786 static struct miscdevice apm_device = {
10797 @@ -2253,7 +2270,7 @@ static struct dmi_system_id __initdata a
10798 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10802 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10806 @@ -2356,12 +2373,15 @@ static int __init apm_init(void)
10807 * code to that CPU.
10809 gdt = get_cpu_gdt_table(0);
10811 + pax_open_kernel();
10812 set_desc_base(&gdt[APM_CS >> 3],
10813 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10814 set_desc_base(&gdt[APM_CS_16 >> 3],
10815 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10816 set_desc_base(&gdt[APM_DS >> 3],
10817 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10818 + pax_close_kernel();
10820 proc_create("apm", 0, NULL, &apm_file_ops);
10822 diff -urNp linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c
10823 --- linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c 2011-03-14 21:20:32.000000000 -0400
10824 +++ linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c 2011-04-17 15:57:32.000000000 -0400
10825 @@ -51,7 +51,6 @@ void foo(void)
10826 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
10829 - OFFSET(TI_task, thread_info, task);
10830 OFFSET(TI_exec_domain, thread_info, exec_domain);
10831 OFFSET(TI_flags, thread_info, flags);
10832 OFFSET(TI_status, thread_info, status);
10833 @@ -113,6 +112,11 @@ void foo(void)
10834 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10835 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10836 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10838 +#ifdef CONFIG_PAX_KERNEXEC
10839 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10845 diff -urNp linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c
10846 --- linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c 2011-03-14 21:20:32.000000000 -0400
10847 +++ linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c 2011-04-17 15:57:32.000000000 -0400
10848 @@ -63,6 +63,18 @@ int main(void)
10849 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10850 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10851 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10853 +#ifdef CONFIG_PAX_KERNEXEC
10854 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10855 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10858 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10859 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10860 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10861 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10867 @@ -115,6 +127,7 @@ int main(void)
10871 + DEFINE(TSS_size, sizeof(struct tss_struct));
10872 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10874 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10875 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/amd.c linux-2.6.38.4/arch/x86/kernel/cpu/amd.c
10876 --- linux-2.6.38.4/arch/x86/kernel/cpu/amd.c 2011-04-22 19:20:59.000000000 -0400
10877 +++ linux-2.6.38.4/arch/x86/kernel/cpu/amd.c 2011-04-22 19:21:10.000000000 -0400
10878 @@ -624,7 +624,7 @@ static unsigned int __cpuinit amd_size_c
10881 /* AMD errata T13 (order #21922) */
10882 - if ((c->x86 == 6)) {
10883 + if (c->x86 == 6) {
10885 if (c->x86_model == 3 && c->x86_mask == 0)
10887 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/common.c linux-2.6.38.4/arch/x86/kernel/cpu/common.c
10888 --- linux-2.6.38.4/arch/x86/kernel/cpu/common.c 2011-03-14 21:20:32.000000000 -0400
10889 +++ linux-2.6.38.4/arch/x86/kernel/cpu/common.c 2011-04-17 15:57:32.000000000 -0400
10890 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10892 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10894 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10895 -#ifdef CONFIG_X86_64
10897 - * We need valid kernel segments for data and code in long mode too
10898 - * IRET will check the segment types kkeil 2000/10/28
10899 - * Also sysret mandates a special GDT layout
10901 - * TLS descriptors are currently at a different place compared to i386.
10902 - * Hopefully nobody expects them at a fixed place (Wine?)
10904 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10905 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10906 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10907 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10908 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10909 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10911 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10912 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10913 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10914 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10916 - * Segments used for calling PnP BIOS have byte granularity.
10917 - * They code segments and data segments have fixed 64k limits,
10918 - * the transfer segment sizes are set at run time.
10920 - /* 32-bit code */
10921 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10922 - /* 16-bit code */
10923 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10924 - /* 16-bit data */
10925 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10926 - /* 16-bit data */
10927 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10928 - /* 16-bit data */
10929 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10931 - * The APM segments have byte granularity and their bases
10932 - * are set at run time. All have 64k limits.
10934 - /* 32-bit code */
10935 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10936 - /* 16-bit code */
10937 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10939 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10941 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10942 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10943 - GDT_STACK_CANARY_INIT
10946 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10948 static int __init x86_xsave_setup(char *s)
10950 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10951 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10953 struct desc_ptr gdt_descr;
10955 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10956 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10957 gdt_descr.size = GDT_SIZE - 1;
10958 load_gdt(&gdt_descr);
10959 /* Reload the per-cpu base */
10960 @@ -825,6 +771,10 @@ static void __cpuinit identify_cpu(struc
10961 /* Filter out anything that depends on CPUID levels we don't have */
10962 filter_cpuid_features(c, true);
10964 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10965 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10968 /* If the model name is still unset, do table lookup. */
10969 if (!c->x86_model_id[0]) {
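Review bot: The new `#if defined(CONFIG_PAX_SEGMEXEC) || ...` block clears X86_FEATURE_SEP without saying why sysenter has to be disabled under these options, and this silently changes the syscall entry path for every process on affected kernels. The reason (presumably that the segment layout these features need is incompatible with the sysenter/sysexit path — to be confirmed against the entry code) belongs in a comment directly above `setup_clear_cpu_cap(X86_FEATURE_SEP);`. The rest of `identify_cpu` is outside the hunk.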
10971 @@ -1004,6 +954,9 @@ static __init int setup_disablecpuid(cha
10973 __setup("clearcpuid=", setup_disablecpuid);
10975 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
10976 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
10978 #ifdef CONFIG_X86_64
10979 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
10981 @@ -1019,7 +972,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
10982 EXPORT_PER_CPU_SYMBOL(current_task);
10984 DEFINE_PER_CPU(unsigned long, kernel_stack) =
10985 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
10986 + (unsigned long)&init_thread_union - 8 + THREAD_SIZE;
10987 EXPORT_PER_CPU_SYMBOL(kernel_stack);
10989 DEFINE_PER_CPU(char *, irq_stack_ptr) =
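Review bot: The literal `8` replaces the named constant `KERNEL_STACK_OFFSET` in the `kernel_stack` initialiser with no explanation, and the entry code and asm-offsets depend on this layout matching. If the macro is removed or redefined elsewhere in the patch the reason belongs here; otherwise keep the symbolic name. At minimum annotate it, e.g. `(unsigned long)&init_thread_union - 8 + THREAD_SIZE; /* 8: <MEANING OF RESERVED BYTES> */` with the placeholder filled in.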
10990 @@ -1084,7 +1037,7 @@ struct pt_regs * __cpuinit idle_regs(str
10992 memset(regs, 0, sizeof(struct pt_regs));
10993 regs->fs = __KERNEL_PERCPU;
10994 - regs->gs = __KERNEL_STACK_CANARY;
10995 + savesegment(gs, regs->gs);
10999 @@ -1139,7 +1092,7 @@ void __cpuinit cpu_init(void)
11002 cpu = stack_smp_processor_id();
11003 - t = &per_cpu(init_tss, cpu);
11004 + t = init_tss + cpu;
11005 oist = &per_cpu(orig_ist, cpu);
11008 @@ -1165,7 +1118,7 @@ void __cpuinit cpu_init(void)
11009 switch_to_new_gdt(cpu);
11010 loadsegment(fs, 0);
11012 - load_idt((const struct desc_ptr *)&idt_descr);
11013 + load_idt(&idt_descr);
11015 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
11017 @@ -1174,7 +1127,6 @@ void __cpuinit cpu_init(void)
11018 wrmsrl(MSR_KERNEL_GS_BASE, 0);
11021 - x86_configure_nx();
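Review bot: Removing `x86_configure_nx();` from the 64-bit `cpu_init` leaves no visible replacement in this file for per-CPU NX configuration. If the patch moves that work to earlier boot code (not visible here), a one-line comment at this point, or a sentence in the patch description, saying where it went would stop the deletion from being read as NX support being dropped. The rest of `cpu_init` is outside the hunk.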
11025 @@ -1228,7 +1180,7 @@ void __cpuinit cpu_init(void)
11027 int cpu = smp_processor_id();
11028 struct task_struct *curr = current;
11029 - struct tss_struct *t = &per_cpu(init_tss, cpu);
11030 + struct tss_struct *t = init_tss + cpu;
11031 struct thread_struct *thread = &curr->thread;
11033 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
11034 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
11035 --- linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-03-14 21:20:32.000000000 -0400
11036 +++ linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-04-17 15:57:32.000000000 -0400
11037 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
11038 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
11042 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
11045 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
11046 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
11047 --- linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-03-14 21:20:32.000000000 -0400
11048 +++ linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-04-17 15:57:32.000000000 -0400
11049 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
11050 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
11051 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
11054 + { NULL, NULL, 0, NULL}
11058 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/intel.c linux-2.6.38.4/arch/x86/kernel/cpu/intel.c
11059 --- linux-2.6.38.4/arch/x86/kernel/cpu/intel.c 2011-03-14 21:20:32.000000000 -0400
11060 +++ linux-2.6.38.4/arch/x86/kernel/cpu/intel.c 2011-04-17 15:57:32.000000000 -0400
11061 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
11062 * Update the IDT descriptor and reload the IDT so that
11063 * it uses the read-only mapped virtual address.
11065 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
11066 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
11067 load_idt(&idt_descr);
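Review bot: The hunks that touch `desc_ptr.address` do not agree on its type: here it is cast to `struct desc_struct *`, the `switch_to_new_gdt` hunk in cpu/common.c assigns `(unsigned long)get_cpu_gdt_table(cpu)`, and the doublefault_32.c hunk casts the field to `unsigned long` on read, which only makes sense if the field is a pointer. Unless `struct desc_ptr` is changed elsewhere in the patch (not visible here), possibly differently for 32- and 64-bit, at least one of these is an integer/pointer mismatch; confirm the struct definition and make the casts consistent. The untouched `idt_descr` initialiser under CONFIG_X86_64 in common.c still uses `(unsigned long) idt_table`.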
11070 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/Makefile linux-2.6.38.4/arch/x86/kernel/cpu/Makefile
11071 --- linux-2.6.38.4/arch/x86/kernel/cpu/Makefile 2011-03-14 21:20:32.000000000 -0400
11072 +++ linux-2.6.38.4/arch/x86/kernel/cpu/Makefile 2011-04-17 15:57:32.000000000 -0400
11073 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
11074 CFLAGS_REMOVE_perf_event.o = -pg
11077 -# Make sure load_percpu_segment has no stackprotector
11078 -nostackp := $(call cc-option, -fno-stack-protector)
11079 -CFLAGS_common.o := $(nostackp)
11081 obj-y := intel_cacheinfo.o scattered.o topology.o
11082 obj-y += proc.o capflags.o powerflags.o common.o
11083 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
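Review bot: Dropping `CFLAGS_common.o := $(nostackp)` means `load_percpu_segment` in common.o is built with the stack protector again, which the removed comment says was unsafe. That is only correct if the function no longer switches the segment the canary is read through (presumably tied to the `savesegment(gs, ...)` and SET_KERNEL_GS changes elsewhere in the patch — to be confirmed). A one-line Makefile comment stating why the exemption is no longer needed would keep someone from re-adding it.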
11084 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c
11085 --- linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-14 21:20:32.000000000 -0400
11086 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c 2011-04-17 15:57:32.000000000 -0400
11088 #include <asm/ipi.h>
11089 #include <asm/mce.h>
11090 #include <asm/msr.h>
11091 +#include <asm/local.h>
11093 #include "mce-internal.h"
11095 @@ -219,7 +220,7 @@ static void print_mce(struct mce *m)
11096 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11099 - if (m->cs == __KERNEL_CS)
11100 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11101 print_symbol("{%s}", m->ip);
11104 @@ -1460,14 +1461,14 @@ void __cpuinit mcheck_cpu_init(struct cp
11107 static DEFINE_SPINLOCK(mce_state_lock);
11108 -static int open_count; /* #times opened */
11109 +static local_t open_count; /* #times opened */
11110 static int open_exclu; /* already open exclusive? */
11112 static int mce_open(struct inode *inode, struct file *file)
11114 spin_lock(&mce_state_lock);
11116 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
11117 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
11118 spin_unlock(&mce_state_lock);
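Review bot: `open_count` becomes a `local_t` while every access (`local_read`, `local_inc`, `local_dec`) remains under `mce_state_lock`, so the change adds nothing for concurrency and a later reader will ask why a plain `int` was not enough. If the motivation is to exempt this counter from an overflow check applied to atomic types elsewhere in the patch (my assumption, not visible here), say so on the declaration line, e.g. `static local_t open_count; /* #times opened; local_t: deliberately exempt from overflow checking */`. Otherwise the plain `int` is simpler.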
11121 @@ -1475,7 +1476,7 @@ static int mce_open(struct inode *inode,
11123 if (file->f_flags & O_EXCL)
11126 + local_inc(&open_count);
11128 spin_unlock(&mce_state_lock);
11130 @@ -1486,7 +1487,7 @@ static int mce_release(struct inode *ino
11132 spin_lock(&mce_state_lock);
11135 + local_dec(&open_count);
11138 spin_unlock(&mce_state_lock);
11139 @@ -1658,8 +1659,7 @@ static long mce_ioctl(struct file *f, un
11143 -/* Modified in mce-inject.c, so not static or const */
11144 -struct file_operations mce_chrdev_ops = {
11145 +struct file_operations mce_chrdev_ops = { /* Modified in mce-inject.c, so not static or const */
11147 .release = mce_release,
11149 @@ -1673,6 +1673,7 @@ static struct miscdevice mce_log_device
11153 + {NULL, NULL}, NULL, NULL
11157 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c
11158 --- linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-14 21:20:32.000000000 -0400
11159 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c 2011-04-17 15:57:32.000000000 -0400
11160 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
11161 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
11162 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
11163 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
11168 static unsigned long smp_changes_mask;
11169 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c
11170 --- linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c 2011-04-18 17:27:18.000000000 -0400
11171 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 16:53:16.000000000 -0400
11172 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
11173 u64 size_or_mask, size_and_mask;
11174 static bool mtrr_aps_delayed_init;
11176 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11177 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11179 const struct mtrr_ops *mtrr_if;
11181 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h
11182 --- linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-14 21:20:32.000000000 -0400
11183 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-04-17 15:57:32.000000000 -0400
11184 @@ -12,19 +12,19 @@
11185 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
11189 - u32 use_intel_if;
11190 - void (*set)(unsigned int reg, unsigned long base,
11191 + const u32 vendor;
11192 + const u32 use_intel_if;
11193 + void (* const set)(unsigned int reg, unsigned long base,
11194 unsigned long size, mtrr_type type);
11195 - void (*set_all)(void);
11196 + void (* const set_all)(void);
11198 - void (*get)(unsigned int reg, unsigned long *base,
11199 + void (* const get)(unsigned int reg, unsigned long *base,
11200 unsigned long *size, mtrr_type *type);
11201 - int (*get_free_region)(unsigned long base, unsigned long size,
11202 + int (* const get_free_region)(unsigned long base, unsigned long size,
11204 - int (*validate_add_page)(unsigned long base, unsigned long size,
11205 + int (* const validate_add_page)(unsigned long base, unsigned long size,
11206 unsigned int type);
11207 - int (*have_wrcomb)(void);
11208 + int (* const have_wrcomb)(void);
11211 extern int generic_get_free_region(unsigned long base, unsigned long size,
11212 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c
11213 --- linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c 2011-03-14 21:20:32.000000000 -0400
11214 +++ linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c 2011-04-17 15:57:32.000000000 -0400
11215 @@ -1781,7 +1781,7 @@ perf_callchain_user(struct perf_callchai
11218 perf_callchain_store(entry, frame.return_address);
11219 - fp = frame.next_frame;
11220 + fp = (__force const void __user *)frame.next_frame;
11224 diff -urNp linux-2.6.38.4/arch/x86/kernel/crash.c linux-2.6.38.4/arch/x86/kernel/crash.c
11225 --- linux-2.6.38.4/arch/x86/kernel/crash.c 2011-03-14 21:20:32.000000000 -0400
11226 +++ linux-2.6.38.4/arch/x86/kernel/crash.c 2011-04-17 15:57:32.000000000 -0400
11227 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
11230 #ifdef CONFIG_X86_32
11231 - if (!user_mode_vm(regs)) {
11232 + if (!user_mode(regs)) {
11233 crash_fixup_ss_esp(&fixed_regs, regs);
11234 regs = &fixed_regs;
11236 diff -urNp linux-2.6.38.4/arch/x86/kernel/doublefault_32.c linux-2.6.38.4/arch/x86/kernel/doublefault_32.c
11237 --- linux-2.6.38.4/arch/x86/kernel/doublefault_32.c 2011-03-14 21:20:32.000000000 -0400
11238 +++ linux-2.6.38.4/arch/x86/kernel/doublefault_32.c 2011-04-17 15:57:32.000000000 -0400
11241 #define DOUBLEFAULT_STACKSIZE (1024)
11242 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11243 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11244 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11246 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
11248 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
11249 unsigned long gdt, tss;
11251 store_gdt(&gdt_desc);
11252 - gdt = gdt_desc.address;
11253 + gdt = (unsigned long)gdt_desc.address;
11255 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11257 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11258 /* 0x2 bit is always set */
11259 .flags = X86_EFLAGS_SF | 0x2,
11262 + .es = __KERNEL_DS,
11266 + .ds = __KERNEL_DS,
11267 .fs = __KERNEL_PERCPU,
11269 .__cr3 = __pa_nodebug(swapper_pg_dir),
11270 diff -urNp linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c
11271 --- linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c 2011-03-14 21:20:32.000000000 -0400
11272 +++ linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c 2011-04-17 15:57:32.000000000 -0400
11273 @@ -37,15 +37,12 @@ void dump_trace(struct task_struct *task
11275 bp = stack_frame(task, regs);
11277 - struct thread_info *context;
11278 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11279 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11281 - context = (struct thread_info *)
11282 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
11283 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
11285 - stack = (unsigned long *)context->previous_esp;
11287 + if (stack_start == task_stack_page(task))
11289 + stack = *(unsigned long **)stack_start;
11290 if (ops->stack(data, "IRQ") < 0)
11292 touch_nmi_watchdog();
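Review bot: `stack = *(unsigned long **)stack_start;` encodes a layout convention — the first word of a stack page holds the previous stack pointer — that was previously documented by the `previous_esp` field of `struct thread_info`, and nothing in the new code names it. A comment on that line such as `/* bottom word of the stack page holds the previous ESP (confirm where it is written) */` would preserve the information, and the `if (stack_start == task_stack_page(task))` guard would benefit from `/* reached the task's own stack: stop */`. Some lines of this hunk are missing from this view, so the loop structure should be checked against the full diff.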
11293 @@ -95,21 +92,22 @@ void show_registers(struct pt_regs *regs
11294 * When in-kernel, we also print out the stack and code at the
11295 * time of the fault..
11297 - if (!user_mode_vm(regs)) {
11298 + if (!user_mode(regs)) {
11299 unsigned int code_prologue = code_bytes * 43 / 64;
11300 unsigned int code_len = code_bytes;
11303 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11305 printk(KERN_EMERG "Stack:\n");
11306 show_stack_log_lvl(NULL, regs, ®s->sp, KERN_EMERG);
11308 printk(KERN_EMERG "Code: ");
11310 - ip = (u8 *)regs->ip - code_prologue;
11311 + ip = (u8 *)regs->ip - code_prologue + cs_base;
11312 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11313 /* try starting at IP */
11314 - ip = (u8 *)regs->ip;
11315 + ip = (u8 *)regs->ip + cs_base;
11316 code_len = code_len - code_prologue + 1;
11318 for (i = 0; i < code_len; i++, ip++) {
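Review bot: `cs_base` is derived by indexing the GDT with `(0xffff & regs->cs) >> 3` and added to `regs->ip` in three places, but nothing explains why a kernel `ip` needs a segment base at all. A comment on its declaration, e.g. `/* the kernel code segment may have a non-zero base under KERNEXEC, so regs->ip is segment-relative */` (confirm against the segment setup elsewhere in the patch), would tell readers why code bytes are fetched from `ip + cs_base`. The expression also does not strip the table-indicator bit, which is acceptable only because this branch is `!user_mode(regs)`; worth stating. The rest of `show_registers` is outside the hunk.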
11319 @@ -118,7 +116,7 @@ void show_registers(struct pt_regs *regs
11320 printk(" Bad EIP value.");
11323 - if (ip == (u8 *)regs->ip)
11324 + if (ip == (u8 *)regs->ip + cs_base)
11325 printk("<%02x> ", c);
11327 printk("%02x ", c);
11328 @@ -131,6 +129,7 @@ int is_valid_bugaddr(unsigned long ip)
11330 unsigned short ud2;
11332 + ip = ktla_ktva(ip);
11333 if (ip < PAGE_OFFSET)
11335 if (probe_kernel_address((unsigned short *)ip, ud2))
11336 diff -urNp linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c
11337 --- linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c 2011-03-14 21:20:32.000000000 -0400
11338 +++ linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c 2011-04-17 15:57:32.000000000 -0400
11339 @@ -147,10 +147,10 @@ void dump_trace(struct task_struct *task
11340 unsigned long *irq_stack_end =
11341 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
11343 - struct thread_info *tinfo;
11345 unsigned long dummy;
11347 + void *stack_start;
11351 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
11352 * current stack address. If the stacks consist of nested
11355 - tinfo = task_thread_info(task);
11358 unsigned long *estack_end;
11360 estack_end = in_exception_stack(cpu, (unsigned long)stack,
11363 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
11364 if (ops->stack(data, id) < 0)
11367 - bp = ops->walk_stack(tinfo, stack, bp, ops,
11368 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
11369 data, estack_end, &graph);
11370 ops->stack(data, "<EOE>");
11372 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
11373 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
11374 if (ops->stack(data, "IRQ") < 0)
11376 - bp = ops->walk_stack(tinfo, stack, bp,
11377 + bp = ops->walk_stack(task, irq_stack, stack, bp,
11378 ops, data, irq_stack_end, &graph);
11380 * We link to the next stack (which would be
11381 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
11383 * This handles the process stack:
11385 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
11386 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11387 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11390 EXPORT_SYMBOL(dump_trace);
11391 diff -urNp linux-2.6.38.4/arch/x86/kernel/dumpstack.c linux-2.6.38.4/arch/x86/kernel/dumpstack.c
11392 --- linux-2.6.38.4/arch/x86/kernel/dumpstack.c 2011-03-14 21:20:32.000000000 -0400
11393 +++ linux-2.6.38.4/arch/x86/kernel/dumpstack.c 2011-04-17 15:57:32.000000000 -0400
11395 * Copyright (C) 1991, 1992 Linus Torvalds
11396 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11398 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11399 +#define __INCLUDED_BY_HIDESYM 1
11401 #include <linux/kallsyms.h>
11402 #include <linux/kprobes.h>
11403 #include <linux/uaccess.h>
11404 @@ -27,7 +30,7 @@ static int die_counter;
11406 void printk_address(unsigned long address, int reliable)
11408 - printk(" [<%p>] %s%pS\n", (void *) address,
11409 + printk(" [<%p>] %s%pA\n", (void *) address,
11410 reliable ? "" : "? ", (void *) address);
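Review bot: `%pA` is not a format the stock vsprintf understands as far as this file shows; it must be implemented by another part of this patch, and a reader of `printk_address` has no way to know that. A comment on the printk line, e.g. `/* %pA: symbol printing honours CONFIG_GRKERNSEC_HIDESYM, see <LOCATION OF HANDLER> */` with the placeholder filled in, would document the dependency, and any format-string checker in use will need to learn the new specifier.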
11413 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
11415 print_ftrace_graph_addr(unsigned long addr, void *data,
11416 const struct stacktrace_ops *ops,
11417 - struct thread_info *tinfo, int *graph)
11418 + struct task_struct *task, int *graph)
11420 - struct task_struct *task = tinfo->task;
11421 unsigned long ret_addr;
11422 int index = task->curr_ret_stack;
11424 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
11426 print_ftrace_graph_addr(unsigned long addr, void *data,
11427 const struct stacktrace_ops *ops,
11428 - struct thread_info *tinfo, int *graph)
11429 + struct task_struct *task, int *graph)
11433 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
11434 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
11437 -static inline int valid_stack_ptr(struct thread_info *tinfo,
11438 - void *p, unsigned int size, void *end)
11439 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
11443 if (p < end && p >= (end-THREAD_SIZE))
11445 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
11449 -print_context_stack(struct thread_info *tinfo,
11450 +print_context_stack(struct task_struct *task, void *stack_start,
11451 unsigned long *stack, unsigned long bp,
11452 const struct stacktrace_ops *ops, void *data,
11453 unsigned long *end, int *graph)
11455 struct stack_frame *frame = (struct stack_frame *)bp;
11457 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
11458 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
11459 unsigned long addr;
11462 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
11464 ops->address(data, addr, 0);
11466 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11467 + print_ftrace_graph_addr(addr, data, ops, task, graph);
11471 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
11472 EXPORT_SYMBOL_GPL(print_context_stack);
11475 -print_context_stack_bp(struct thread_info *tinfo,
11476 +print_context_stack_bp(struct task_struct *task, void *stack_start,
11477 unsigned long *stack, unsigned long bp,
11478 const struct stacktrace_ops *ops, void *data,
11479 unsigned long *end, int *graph)
11480 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
11481 struct stack_frame *frame = (struct stack_frame *)bp;
11482 unsigned long *ret_addr = &frame->return_address;
11484 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
11485 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
11486 unsigned long addr = *ret_addr;
11488 if (!__kernel_text_address(addr))
11489 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
11490 ops->address(data, addr, 1);
11491 frame = frame->next_frame;
11492 ret_addr = &frame->return_address;
11493 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11494 + print_ftrace_graph_addr(addr, data, ops, task, graph);
11497 return (unsigned long)frame;
11498 @@ -200,7 +200,7 @@ void dump_stack(void)
11499 unsigned long stack;
11501 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11502 - current->pid, current->comm, current->xid, print_tainted(),
11503 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
11504 init_utsname()->release,
11505 (int)strcspn(init_utsname()->version, " "),
11506 init_utsname()->version);
11507 @@ -236,6 +236,8 @@ unsigned __kprobes long oops_begin(void)
11509 EXPORT_SYMBOL_GPL(oops_begin);
11511 +extern void gr_handle_kernel_exploit(void);
11513 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
11515 if (regs && kexec_should_crash(current))
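Review bot: `extern void gr_handle_kernel_exploit(void);` is declared in the .c file rather than a header, so the compiler cannot check the prototype against the definition; it should live in the header that declares the other gr_* hooks this patch introduces. The following hunk then calls `gr_handle_kernel_exploit();` and `do_group_exit(signr);` in `oops_end`; a short comment there stating that the whole thread group is deliberately terminated after a kernel oops, and what the hook records, would help, since the line(s) it replaces are not visible here.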
11516 @@ -257,7 +259,10 @@ void __kprobes oops_end(unsigned long fl
11517 panic("Fatal exception in interrupt");
11519 panic("Fatal exception");
11522 + gr_handle_kernel_exploit();
11524 + do_group_exit(signr);
11527 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11528 @@ -284,7 +289,7 @@ int __kprobes __die(const char *str, str
11530 show_registers(regs);
11531 #ifdef CONFIG_X86_32
11532 - if (user_mode_vm(regs)) {
11533 + if (user_mode(regs)) {
11535 ss = regs->ss & 0xffff;
11537 @@ -312,7 +317,7 @@ void die(const char *str, struct pt_regs
11538 unsigned long flags = oops_begin();
11541 - if (!user_mode_vm(regs))
11542 + if (!user_mode(regs))
11543 report_bug(regs->ip, regs);
11545 if (__die(str, regs, err))
11546 diff -urNp linux-2.6.38.4/arch/x86/kernel/entry_32.S linux-2.6.38.4/arch/x86/kernel/entry_32.S
11547 --- linux-2.6.38.4/arch/x86/kernel/entry_32.S 2011-04-18 17:27:16.000000000 -0400
11548 +++ linux-2.6.38.4/arch/x86/kernel/entry_32.S 2011-04-19 17:17:51.000000000 -0400
11549 @@ -183,13 +183,81 @@
11550 /*CFI_REL_OFFSET gs, PT_GS*/
11552 .macro SET_KERNEL_GS reg
11554 +#ifdef CONFIG_CC_STACKPROTECTOR
11555 movl $(__KERNEL_STACK_CANARY), \reg
11556 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11557 + movl $(__USER_DS), \reg
11565 #endif /* CONFIG_X86_32_LAZY_GS */
11568 +.macro PAX_EXIT_KERNEL
11569 +#ifdef CONFIG_PAX_KERNEXEC
11570 +#ifdef CONFIG_PARAVIRT
11571 + push %eax; push %ecx
11574 + cmp $__KERNEXEC_KERNEL_CS, %esi
11576 +#ifdef CONFIG_PARAVIRT
11577 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11583 + ljmp $__KERNEL_CS, $1f
11585 +#ifdef CONFIG_PARAVIRT
11587 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11592 +#ifdef CONFIG_PARAVIRT
11593 + pop %ecx; pop %eax
11598 +.macro PAX_ENTER_KERNEL
11599 +#ifdef CONFIG_PAX_KERNEXEC
11600 +#ifdef CONFIG_PARAVIRT
11601 + push %eax; push %ecx
11602 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11610 + cmp $__KERNEL_CS, %esi
11612 + ljmp $__KERNEL_CS, $3f
11613 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11615 +#ifdef CONFIG_PARAVIRT
11617 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11622 +#ifdef CONFIG_PARAVIRT
11623 + pop %ecx; pop %eax
11628 +.macro __SAVE_ALL _DS
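Review bot: Neither `PAX_ENTER_KERNEL` nor `PAX_EXIT_KERNEL` states its register contract: both compare against `%esi`, and the only visible save/restore is of `%eax`/`%ecx` under CONFIG_PARAVIRT, so callers must read the macro body to learn what is clobbered. A comment at each `.macro` line along the lines of `/* clobbers %esi; switches between __KERNEL_CS and __KERNEXEC_KERNEL_CS and rewrites cr0 via read_cr0/write_cr0 */` would make the entry-path call sites checkable. Several lines of these macros are not visible in this hunk, so the exact clobber list needs confirming against the full definition.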
11632 @@ -212,7 +280,7 @@
11633 CFI_REL_OFFSET ecx, 0
11635 CFI_REL_OFFSET ebx, 0
11636 - movl $(__USER_DS), %edx
11640 movl $(__KERNEL_PERCPU), %edx
11641 @@ -220,6 +288,15 @@
11646 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11647 + __SAVE_ALL __KERNEL_DS
11650 + __SAVE_ALL __USER_DS
11654 .macro RESTORE_INT_REGS
11657 @@ -330,7 +407,15 @@ check_userspace:
11658 movb PT_CS(%esp), %al
11659 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11660 cmpl $USER_RPL, %eax
11662 +#ifdef CONFIG_PAX_KERNEXEC
11663 + jae resume_userspace
11666 + jmp resume_kernel
11668 jb resume_kernel # not returning to v8086 or userspace
11671 ENTRY(resume_userspace)
11673 @@ -392,23 +477,34 @@ sysenter_past_esp:
11674 /*CFI_REL_OFFSET cs, 0*/
11676 * Push current_thread_info()->sysenter_return to the stack.
11677 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11678 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11680 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE_asm+8+4*4)(%esp)
11682 CFI_REL_OFFSET eip, 0
11686 + GET_THREAD_INFO(%ebp)
11687 + movl TI_sysenter_return(%ebp),%ebp
11688 + movl %ebp,PT_EIP(%esp)
11689 ENABLE_INTERRUPTS(CLBR_NONE)
11692 * Load the potential sixth argument from user stack.
11693 * Careful about security.
11695 + movl PT_OLDESP(%esp),%ebp
11697 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11698 + mov PT_OLDSS(%esp),%ds
11699 +1: movl %ds:(%ebp),%ebp
11703 cmpl $__PAGE_OFFSET-3,%ebp
11705 1: movl (%ebp),%ebp
11708 movl %ebp,PT_EBP(%esp)
11709 .section __ex_table,"a"
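Review bot: The UDEREF branch of the sixth-argument load (`mov PT_OLDSS(%esp),%ds` / `1: movl %ds:(%ebp),%ebp`) does not carry the `cmpl $__PAGE_OFFSET-3,%ebp` range check that the other branch keeps; the bound on the user read appears to come from the limit of the segment loaded into `%ds` instead, but nothing in the hunk says so. A comment on the `#ifdef CONFIG_PAX_MEMORY_UDEREF` line stating that the user data segment's limit is what keeps `%ebp` out of kernel space, and where `%ds` is restored afterwards (not visible here), would make the security argument explicit. The lines between the two branches are missing from this view, so the structure should be checked against the full patch.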
11711 @@ -431,12 +527,23 @@ sysenter_do_call:
11712 testl $_TIF_ALLWORK_MASK, %ecx
11716 +#ifdef CONFIG_PAX_RANDKSTACK
11718 + CFI_ADJUST_CFA_OFFSET 4
11719 + call pax_randomize_kstack
11721 + CFI_ADJUST_CFA_OFFSET -4
11724 /* if something modifies registers it must also disable sysexit */
11725 movl PT_EIP(%esp), %edx
11726 movl PT_OLDESP(%esp), %ecx
11729 1: mov PT_FS(%esp), %fs
11730 +2: mov PT_DS(%esp), %ds
11731 +3: mov PT_ES(%esp), %es
11733 ENABLE_INTERRUPTS_SYSEXIT
11735 @@ -479,11 +586,17 @@ sysexit_audit:
11738 .pushsection .fixup,"ax"
11739 -2: movl $0,PT_FS(%esp)
11740 +4: movl $0,PT_FS(%esp)
11742 +5: movl $0,PT_DS(%esp)
11744 +6: movl $0,PT_ES(%esp)
11746 .section __ex_table,"a"
11754 ENDPROC(ia32_sysenter_target)
11755 @@ -516,6 +629,10 @@ syscall_exit:
11756 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11757 jne syscall_exit_work
11759 +#ifdef CONFIG_PAX_RANDKSTACK
11760 + call pax_randomize_kstack
11765 restore_all_notrace:
11766 @@ -575,14 +692,21 @@ ldt_ss:
11767 * compensating for the offset by changing to the ESPFIX segment with
11768 * a base address that matches for the difference.
11770 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11771 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11772 mov %esp, %edx /* load kernel esp */
11773 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11774 mov %dx, %ax /* eax: new kernel esp */
11775 sub %eax, %edx /* offset (low word is 0) */
11777 + movl PER_CPU_VAR(cpu_number), %ebx
11778 + shll $PAGE_SHIFT_asm, %ebx
11779 + addl $cpu_gdt_table, %ebx
11781 + movl $cpu_gdt_table, %ebx
11784 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11785 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11786 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11787 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11788 pushl_cfi $__ESPFIX_SS
11789 pushl_cfi %eax /* new kernel esp */
11790 /* Disable interrupts, but do not irqtrace this section: we
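Review bot: The sequence that loads this CPU's GDT base into `%ebx` (`movl PER_CPU_VAR(cpu_number), %ebx` / `shll $PAGE_SHIFT_asm, %ebx` / `addl $cpu_gdt_table, %ebx`, with the `movl $cpu_gdt_table, %ebx` fallback) is written out here and again in the FIXUP_ESPFIX_STACK hunk further down; a small assembler macro would keep the two copies from drifting. Separately, the redefined `GDT_ESPFIX_SS` now silently depends on `%ebx` holding that base, which the name no longer conveys; a comment at the `#define`, e.g. `/* %ebx must hold this CPU's GDT base */`, would help. Whether `%ebx` is restored from the pt_regs frame afterwards is outside the hunk.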
11791 @@ -617,23 +741,17 @@ work_resched:
11793 work_notifysig: # deal with pending signals and
11794 # notify-resume requests
11797 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11799 - jne work_notifysig_v86 # returning to kernel-space or
11800 + jz 1f # returning to kernel-space or
11803 - call do_notify_resume
11804 - jmp resume_userspace_sig
11807 -work_notifysig_v86:
11808 pushl_cfi %ecx # save ti_flags for do_notify_resume
11809 call save_v86_state # %eax contains pt_regs pointer
11817 call do_notify_resume
11818 @@ -668,6 +786,10 @@ END(syscall_exit_work)
11820 RING0_INT_FRAME # can't unwind into user space anyway
11822 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11826 GET_THREAD_INFO(%ebp)
11827 movl $-EFAULT,PT_EAX(%esp)
11828 jmp resume_userspace
11829 @@ -750,6 +872,36 @@ ptregs_clone:
11831 ENDPROC(ptregs_clone)
11834 +ENTRY(kernel_execve)
11837 + sub $PT_OLDSS+4,%esp
11841 + lea 3*4(%esp),%edi
11842 + mov $PT_OLDSS/4+1,%ecx
11848 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
11852 + CFI_ADJUST_CFA_OFFSET -4
11853 + GET_THREAD_INFO(%ebp)
11856 + add $PT_OLDSS+4,%esp
11857 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
11861 +ENDPROC(kernel_execve)
11863 .macro FIXUP_ESPFIX_STACK
11865 * Switch back for ESPFIX stack to the normal zerobased stack
11866 @@ -759,8 +911,15 @@ ENDPROC(ptregs_clone)
11867 * normal stack and adjusts ESP with the matching offset.
11869 /* fixup the stack */
11870 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11871 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11873 + movl PER_CPU_VAR(cpu_number), %ebx
11874 + shll $PAGE_SHIFT_asm, %ebx
11875 + addl $cpu_gdt_table, %ebx
11877 + movl $cpu_gdt_table, %ebx
11879 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11880 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11882 addl %esp, %eax /* the adjusted stack pointer */
11883 pushl_cfi $__KERNEL_DS
11884 @@ -1211,7 +1370,6 @@ return_to_handler:
11888 -.section .rodata,"a"
11889 #include "syscall_table_32.S"
11891 syscall_table_size=(.-sys_call_table)
11892 @@ -1257,9 +1415,12 @@ error_code:
11893 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11896 - movl $(__USER_DS), %ecx
11897 + movl $(__KERNEL_DS), %ecx
11904 movl %esp,%eax # pt_regs pointer
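Review bot: Loading %ecx with `__KERNEL_DS` instead of `__USER_DS` in error_code carries no comment, and the instructions that presumably move %ecx into %ds/%es are outside the visible lines. Since the UDEREF setup in head_32.S rewrites the `__KERNEL_DS` descriptor to what appears to be an expand-down segment whose limit excludes the user half of the address space, the reason for the switch should be stated next to it, e.g. `# PaX UDEREF: kernel DS, its limit excludes userland (cpu_gdt_table setup in head_32.S)`. Without that, the next reader has no way to tell a deliberate hardening change from an accidental one.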
11906 @@ -1344,6 +1505,9 @@ nmi_stack_correct:
11907 xorl %edx,%edx # zero error code
11908 movl %esp,%eax # pt_regs pointer
11913 jmp restore_all_notrace
11916 @@ -1380,6 +1544,9 @@ nmi_espfix_stack:
11917 FIXUP_ESPFIX_STACK # %eax == %esp
11918 xorl %edx,%edx # zero error code
11924 lss 12+4(%esp), %esp # back to espfix stack
11925 CFI_ADJUST_CFA_OFFSET -24
11926 diff -urNp linux-2.6.38.4/arch/x86/kernel/entry_64.S linux-2.6.38.4/arch/x86/kernel/entry_64.S
11927 --- linux-2.6.38.4/arch/x86/kernel/entry_64.S 2011-04-18 17:27:13.000000000 -0400
11928 +++ linux-2.6.38.4/arch/x86/kernel/entry_64.S 2011-04-17 15:57:32.000000000 -0400
11930 #include <asm/paravirt.h>
11931 #include <asm/ftrace.h>
11932 #include <asm/percpu.h>
11933 +#include <asm/pgtable.h>
11935 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11936 #include <linux/elf-em.h>
11937 @@ -174,6 +175,206 @@ ENTRY(native_usergs_sysret64)
11938 ENDPROC(native_usergs_sysret64)
11939 #endif /* CONFIG_PARAVIRT */
11941 + .macro ljmpq sel, off
11942 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11943 + .byte 0x48; ljmp *1234f(%rip)
11944 + .pushsection .rodata
11946 + 1234: .quad \off; .word \sel
11955 + .macro pax_enter_kernel
11956 +#ifdef CONFIG_PAX_KERNEXEC
11957 + call pax_enter_kernel
11961 + .macro pax_exit_kernel
11962 +#ifdef CONFIG_PAX_KERNEXEC
11963 + call pax_exit_kernel
11967 +#ifdef CONFIG_PAX_KERNEXEC
11968 +ENTRY(pax_enter_kernel)
11971 +#ifdef CONFIG_PARAVIRT
11972 + PV_SAVE_REGS(CLBR_RDI)
11979 + cmp $__KERNEL_CS,%edi
11981 + ljmpq __KERNEL_CS,3f
11982 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11983 +2: SET_RDI_INTO_CR0
11986 +#ifdef CONFIG_PARAVIRT
11987 + PV_RESTORE_REGS(CLBR_RDI)
11992 +ENDPROC(pax_enter_kernel)
11994 +ENTRY(pax_exit_kernel)
11997 +#ifdef CONFIG_PARAVIRT
11998 + PV_SAVE_REGS(CLBR_RDI)
12002 + cmp $__KERNEXEC_KERNEL_CS,%edi
12006 + ljmpq __KERNEL_CS,1f
12007 +1: SET_RDI_INTO_CR0
12010 +#ifdef CONFIG_PARAVIRT
12011 + PV_RESTORE_REGS(CLBR_RDI);
12016 +ENDPROC(pax_exit_kernel)
12019 + .macro pax_enter_kernel_user
12020 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12021 + call pax_enter_kernel_user
12025 + .macro pax_exit_kernel_user
12026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12027 + call pax_exit_kernel_user
12029 +#ifdef CONFIG_PAX_RANDKSTACK
12031 + call pax_randomize_kstack
12036 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12037 +ENTRY(pax_enter_kernel_user)
12041 +#ifdef CONFIG_PARAVIRT
12042 + PV_SAVE_REGS(CLBR_RDI)
12047 + add $__START_KERNEL_map,%rbx
12048 + sub phys_base(%rip),%rbx
12050 +#ifdef CONFIG_PARAVIRT
12052 + cmpl $0, pv_info+PARAVIRT_enabled
12055 + .rept USER_PGD_PTRS
12056 + mov i*8(%rbx),%rsi
12058 + lea i*8(%rbx),%rdi
12059 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
12067 + .rept USER_PGD_PTRS
12068 + movb $0,i*8(%rbx)
12072 +#ifdef CONFIG_PARAVIRT
12077 +#ifdef CONFIG_PAX_KERNEXEC
12083 +#ifdef CONFIG_PARAVIRT
12084 + PV_RESTORE_REGS(CLBR_RDI)
12090 +ENDPROC(pax_enter_kernel_user)
12092 +ENTRY(pax_exit_kernel_user)
12095 +#ifdef CONFIG_PARAVIRT
12097 + PV_SAVE_REGS(CLBR_RDI)
12100 +#ifdef CONFIG_PAX_KERNEXEC
12107 + add $__START_KERNEL_map,%rdi
12108 + sub phys_base(%rip),%rdi
12110 +#ifdef CONFIG_PARAVIRT
12111 + cmpl $0, pv_info+PARAVIRT_enabled
12115 + .rept USER_PGD_PTRS
12116 + mov i*8(%rbx),%rsi
12118 + lea i*8(%rbx),%rdi
12119 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
12127 + .rept USER_PGD_PTRS
12128 + movb $0x67,i*8(%rdi)
12132 +#ifdef CONFIG_PARAVIRT
12133 +2: PV_RESTORE_REGS(CLBR_RDI)
12139 +ENDPROC(pax_exit_kernel_user)
12142 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
12143 #ifdef CONFIG_TRACE_IRQFLAGS
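Review bot: The page-table flag bytes written by pax_enter_kernel_user and pax_exit_kernel_user are bare magic numbers: `movb $0,i*8(%rbx)` clears the whole low byte of each user PGD entry (present, RW, user, accessed and dirty bits together) and `movb $0x67,i*8(%rdi)` restores it. With `<asm/pgtable.h>` now included, the restore could read `movb $_PAGE_TABLE,i*8(%rdi)` (head_64.S already uses `_PAGE_TABLE` in assembly; confirm it evaluates to the same 0x67), and the clearing side would benefit from `/* drop P/RW/US/A/D on the user half of the PGD; restored in pax_exit_kernel_user */`. The paravirt branch of pax_exit_kernel_user indexes the PGD through %rbx while the non-paravirt branch uses %rdi; the lines that presumably copy one register into the other are elided here, so that pairing is worth a second look. Most of this 206-line hunk is not shown in this view.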
12144 @@ -316,7 +517,7 @@ ENTRY(save_args)
12145 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
12146 movq_cfi rbp, 8 /* push %rbp */
12147 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
12148 - testl $3, CS(%rdi)
12149 + testb $3, CS(%rdi)
12153 @@ -407,7 +608,7 @@ ENTRY(ret_from_fork)
12157 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12158 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12159 je int_ret_from_sys_call
12161 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
12162 @@ -453,7 +654,7 @@ END(ret_from_fork)
12164 CFI_STARTPROC simple
12166 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
12167 + CFI_DEF_CFA rsp,0
12168 CFI_REGISTER rip,rcx
12169 /*CFI_REGISTER rflags,r11*/
12170 SWAPGS_UNSAFE_STACK
12171 @@ -466,12 +667,13 @@ ENTRY(system_call_after_swapgs)
12173 movq %rsp,PER_CPU_VAR(old_rsp)
12174 movq PER_CPU_VAR(kernel_stack),%rsp
12175 + pax_enter_kernel_user
12177 * No need to follow this irqs off/on section - it's straight
12180 ENABLE_INTERRUPTS(CLBR_NONE)
12183 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
12184 movq %rcx,RIP-ARGOFFSET(%rsp)
12185 CFI_REL_OFFSET rip,RIP-ARGOFFSET
12186 @@ -500,6 +702,7 @@ sysret_check:
12190 + pax_exit_kernel_user
12192 * sysretq will re-enable interrupts:
12194 @@ -609,7 +812,7 @@ tracesys:
12195 GLOBAL(int_ret_from_sys_call)
12196 DISABLE_INTERRUPTS(CLBR_NONE)
12198 - testl $3,CS-ARGOFFSET(%rsp)
12199 + testb $3,CS-ARGOFFSET(%rsp)
12200 je retint_restore_args
12201 movl $_TIF_ALLWORK_MASK,%edi
12202 /* edi: mask to check */
12203 @@ -791,6 +994,16 @@ END(interrupt)
12204 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
12207 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12208 + testb $3, CS(%rdi)
12212 +1: pax_enter_kernel_user
12220 @@ -823,7 +1036,7 @@ ret_from_intr:
12221 CFI_ADJUST_CFA_OFFSET -8
12223 GET_THREAD_INFO(%rcx)
12224 - testl $3,CS-ARGOFFSET(%rsp)
12225 + testb $3,CS-ARGOFFSET(%rsp)
12228 /* Interrupt came from user space */
12229 @@ -845,12 +1058,14 @@ retint_swapgs: /* return to user-space
12230 * The iretq could re-enable interrupts:
12232 DISABLE_INTERRUPTS(CLBR_ANY)
12233 + pax_exit_kernel_user
12238 retint_restore_args: /* return to kernel space */
12239 DISABLE_INTERRUPTS(CLBR_ANY)
12242 * The iretq could re-enable interrupts:
12244 @@ -1022,6 +1237,16 @@ ENTRY(\sym)
12245 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12248 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12249 + testb $3, CS(%rsp)
12253 +1: pax_enter_kernel_user
12258 movq %rsp,%rdi /* pt_regs pointer */
12259 xorl %esi,%esi /* no error code */
12261 @@ -1039,6 +1264,16 @@ ENTRY(\sym)
12262 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12265 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12266 + testb $3, CS(%rsp)
12270 +1: pax_enter_kernel_user
12275 movq %rsp,%rdi /* pt_regs pointer */
12276 xorl %esi,%esi /* no error code */
12278 @@ -1047,7 +1282,7 @@ ENTRY(\sym)
12282 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12283 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12284 .macro paranoidzeroentry_ist sym do_sym ist
12287 @@ -1057,8 +1292,24 @@ ENTRY(\sym)
12288 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12291 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12292 + testb $3, CS(%rsp)
12296 +1: pax_enter_kernel_user
12301 movq %rsp,%rdi /* pt_regs pointer */
12302 xorl %esi,%esi /* no error code */
12304 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
12305 + lea init_tss(%r12), %r12
12307 + lea init_tss(%rip), %r12
12309 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12311 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12312 @@ -1075,6 +1326,16 @@ ENTRY(\sym)
12313 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12316 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12317 + testb $3, CS(%rsp)
12321 +1: pax_enter_kernel_user
12326 movq %rsp,%rdi /* pt_regs pointer */
12327 movq ORIG_RAX(%rsp),%rsi /* get error code */
12328 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12329 @@ -1094,6 +1355,16 @@ ENTRY(\sym)
12333 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12334 + testb $3, CS(%rsp)
12338 +1: pax_enter_kernel_user
12343 movq %rsp,%rdi /* pt_regs pointer */
12344 movq ORIG_RAX(%rsp),%rsi /* get error code */
12345 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12346 @@ -1356,14 +1627,27 @@ ENTRY(paranoid_exit)
12348 testl %ebx,%ebx /* swapgs needed? */
12349 jnz paranoid_restore
12350 - testl $3,CS(%rsp)
12351 + testb $3,CS(%rsp)
12352 jnz paranoid_userspace
12353 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12355 + TRACE_IRQS_IRETQ 0
12356 + SWAPGS_UNSAFE_STACK
12361 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12362 + pax_exit_kernel_user
12367 SWAPGS_UNSAFE_STACK
12375 @@ -1421,7 +1705,7 @@ ENTRY(error_entry)
12376 movq_cfi r14, R14+8
12377 movq_cfi r15, R15+8
12379 - testl $3,CS+8(%rsp)
12380 + testb $3,CS+8(%rsp)
12381 je error_kernelspace
12384 @@ -1485,6 +1769,16 @@ ENTRY(nmi)
12385 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12388 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12389 + testb $3, CS(%rsp)
12393 +1: pax_enter_kernel_user
12398 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
12401 @@ -1495,11 +1789,25 @@ ENTRY(nmi)
12402 DISABLE_INTERRUPTS(CLBR_NONE)
12403 testl %ebx,%ebx /* swapgs needed? */
12405 - testl $3,CS(%rsp)
12406 + testb $3,CS(%rsp)
12408 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12410 + SWAPGS_UNSAFE_STACK
12415 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12416 + pax_exit_kernel_user
12420 SWAPGS_UNSAFE_STACK
12428 diff -urNp linux-2.6.38.4/arch/x86/kernel/ftrace.c linux-2.6.38.4/arch/x86/kernel/ftrace.c
12429 --- linux-2.6.38.4/arch/x86/kernel/ftrace.c 2011-03-14 21:20:32.000000000 -0400
12430 +++ linux-2.6.38.4/arch/x86/kernel/ftrace.c 2011-04-17 15:57:32.000000000 -0400
12431 @@ -177,7 +177,9 @@ void ftrace_nmi_enter(void)
12433 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
12435 + pax_open_kernel();
12437 + pax_close_kernel();
12438 atomic_inc(&nmi_update_count);
12440 /* Must have previous changes seen before executions */
12441 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
12443 unsigned char replaced[MCOUNT_INSN_SIZE];
12445 + ip = ktla_ktva(ip);
12448 * Note: Due to modules and __init, code can
12449 * disappear and change, we need to protect against faulting
12450 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
12451 unsigned char old[MCOUNT_INSN_SIZE], *new;
12454 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
12455 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
12456 new = ftrace_call_replace(ip, (unsigned long)func);
12457 ret = ftrace_modify_code(ip, old, new);
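Review bot: The ktla_ktva() convention of these helpers is implicit: ftrace_modify_code and ftrace_mod_jmp translate `ip` themselves (hunks at @@ -271,6 +273,8 @@ and @@ -353,6 +357,8 @@), while ftrace_update_ftrace_func translates only the address it copies `old` from and passes the untranslated `ip` on. That is consistent as written, but a caller that pre-translates `ip` would have it translated twice, so a comment on ftrace_modify_code's parameter, e.g. `/* @ip: kernel linear address; translated with ktla_ktva() here, callers must not pre-translate */`, would pin the contract. The `(void *)ktla_ktva((unsigned long)ftrace_call)` cast chain would also read better through a local `unsigned long`. The bodies of these functions continue outside the hunks.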
12459 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
12461 unsigned char code[MCOUNT_INSN_SIZE];
12463 + ip = ktla_ktva(ip);
12465 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
12468 diff -urNp linux-2.6.38.4/arch/x86/kernel/head32.c linux-2.6.38.4/arch/x86/kernel/head32.c
12469 --- linux-2.6.38.4/arch/x86/kernel/head32.c 2011-03-14 21:20:32.000000000 -0400
12470 +++ linux-2.6.38.4/arch/x86/kernel/head32.c 2011-04-17 15:57:32.000000000 -0400
12472 #include <asm/io_apic.h>
12473 #include <asm/bios_ebda.h>
12474 #include <asm/tlbflush.h>
12475 +#include <asm/boot.h>
12477 static void __init i386_default_early_setup(void)
12479 @@ -43,7 +44,7 @@ void __init i386_start_kernel(void)
12480 memblock_x86_reserve_range(PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE");
12483 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
12484 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
12486 #ifdef CONFIG_BLK_DEV_INITRD
12487 /* Reserve INITRD */
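Review bot: The reservation now starts at the fixed `LOAD_PHYSICAL_ADDR` instead of `__pa_symbol(&_text)` with no comment on why the two differ; presumably this is tied to the page that the KERNEXEC build of head_32.S places ahead of .text, but it also means the reserved range no longer follows `_text` if the image is ever loaded somewhere other than its link-time address. A one-line comment such as `/* PaX: start at LOAD_PHYSICAL_ADDR rather than _text because <REASON> */`, with the placeholder filled in, would save the next reader from re-deriving it and would record the assumption about the load address. i386_start_kernel's body continues outside this hunk.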
12488 diff -urNp linux-2.6.38.4/arch/x86/kernel/head_32.S linux-2.6.38.4/arch/x86/kernel/head_32.S
12489 --- linux-2.6.38.4/arch/x86/kernel/head_32.S 2011-03-14 21:20:32.000000000 -0400
12490 +++ linux-2.6.38.4/arch/x86/kernel/head_32.S 2011-04-17 16:02:16.000000000 -0400
12492 /* Physical address */
12493 #define pa(X) ((X) - __PAGE_OFFSET)
12495 +#ifdef CONFIG_PAX_KERNEXEC
12498 +#define ta(X) ((X) - __PAGE_OFFSET)
12502 * References to members of the new_cpu_data structure.
12505 * and small than max_low_pfn, otherwise will waste some page table entries
12508 -#if PTRS_PER_PMD > 1
12509 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
12511 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
12513 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
12515 /* Number of possible pages in the lowmem region */
12516 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
12517 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
12518 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12521 + * Real beginning of normal "text" segment
12527 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12528 * %esi points to the real-mode code as a 32-bit pointer.
12529 * CS and DS must be 4 GB flat segments, but we don't depend on
12530 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12535 +#ifdef CONFIG_PAX_KERNEXEC
12537 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12538 +.fill PAGE_SIZE-5,1,0xcc
12542 movl pa(stack_start),%ecx
12544 @@ -105,6 +120,57 @@ ENTRY(startup_32)
12546 leal -__PAGE_OFFSET(%ecx),%esp
12549 + movl $pa(cpu_gdt_table),%edi
12550 + movl $__per_cpu_load,%eax
12551 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12553 + movb %al,__KERNEL_PERCPU + 4(%edi)
12554 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12555 + movl $__per_cpu_end - 1,%eax
12556 + subl $__per_cpu_start,%eax
12557 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12560 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12561 + movl $NR_CPUS,%ecx
12562 + movl $pa(cpu_gdt_table),%edi
12564 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12565 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
12566 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
12567 + addl $PAGE_SIZE_asm,%edi
12571 +#ifdef CONFIG_PAX_KERNEXEC
12572 + movl $pa(boot_gdt),%edi
12573 + movl $__LOAD_PHYSICAL_ADDR,%eax
12574 + movw %ax,__BOOT_CS + 2(%edi)
12576 + movb %al,__BOOT_CS + 4(%edi)
12577 + movb %ah,__BOOT_CS + 7(%edi)
12580 + ljmp $(__BOOT_CS),$1f
12583 + movl $NR_CPUS,%ecx
12584 + movl $pa(cpu_gdt_table),%edi
12585 + addl $__PAGE_OFFSET,%eax
12587 + movw %ax,__KERNEL_CS + 2(%edi)
12588 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12590 + movb %al,__KERNEL_CS + 4(%edi)
12591 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12592 + movb %ah,__KERNEL_CS + 7(%edi)
12593 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12595 + addl $PAGE_SIZE_asm,%edi
12600 * Clear BSS first so that there are no surprises...
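Review bot: The UDEREF block stores raw descriptor words (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`) whose meaning a reader cannot recover without decoding them by hand; they differ from the `0x00cf93...`/`0x00cffb...`/`0x00cff3...` entries in cpu_gdt_table not only in the limit nibble derived from `__PAGE_OFFSET-1` but, for `__KERNEL_DS`, in the access byte (0x97 versus 0x93, i.e. an expand-down data segment). A comment before the three stores, such as `/* PaX UDEREF: expand-down kernel DS covering only the kernel half, user CS/DS limited to the user half; (x >> 12) is the limit[19:16] nibble */`, would document the intent, and a named constant for the shared limit expression would remove the triplication. The loop instructions that close the `NR_CPUS` iterations after each `addl $PAGE_SIZE_asm,%edi` are not shown in this view.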
12602 @@ -195,8 +261,11 @@ ENTRY(startup_32)
12603 movl %eax, pa(max_pfn_mapped)
12605 /* Do early initialization of the fixmap area */
12606 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12607 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
12608 +#ifdef CONFIG_COMPAT_VDSO
12609 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
12611 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
12613 #else /* Not PAE */
12615 page_pde_offset = (__PAGE_OFFSET >> 20);
12616 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12617 movl %eax, pa(max_pfn_mapped)
12619 /* Do early initialization of the fixmap area */
12620 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12621 - movl %eax,pa(initial_page_table+0xffc)
12622 +#ifdef CONFIG_COMPAT_VDSO
12623 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
12625 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
12629 #ifdef CONFIG_PARAVIRT
12630 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12631 cmpl $num_subarch_entries, %eax
12634 - movl pa(subarch_entries)(,%eax,4), %eax
12635 - subl $__PAGE_OFFSET, %eax
12637 + jmp *pa(subarch_entries)(,%eax,4)
12641 @@ -255,10 +325,10 @@ WEAK(xen_entry)
12645 - .long default_entry /* normal x86/PC */
12646 - .long lguest_entry /* lguest hypervisor */
12647 - .long xen_entry /* Xen hypervisor */
12648 - .long default_entry /* Moorestown MID */
12649 + .long pa(default_entry) /* normal x86/PC */
12650 + .long pa(lguest_entry) /* lguest hypervisor */
12651 + .long pa(xen_entry) /* Xen hypervisor */
12652 + .long pa(default_entry) /* Moorestown MID */
12653 num_subarch_entries = (. - subarch_entries) / 4
12656 @@ -312,6 +382,7 @@ default_entry:
12660 +#ifdef CONFIG_X86_PAE
12661 testb $X86_CR4_PAE, %al # check if PAE is enabled
12664 @@ -340,6 +411,9 @@ default_entry:
12665 /* Make changes effective */
12668 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12674 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
12675 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12676 movl %eax,%ss # after changing gdt.
12678 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12679 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
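Review bot: The replacement for the removed `movl $(__USER_DS),%eax` is a commented-out instruction, `# movl $(__KERNEL_DS),%eax`, which reads as dead code rather than as documentation. Since %eax still holds `__KERNEL_DS` from the `1:` line above, say that in prose instead, e.g. `# %eax still holds __KERNEL_DS from above: DS/ES get the kernel segment (PaX)`, so nobody wonders whether the load was forgotten. The segment-register moves that consume %eax are outside this hunk.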
12683 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
12687 - movl $gdt_page,%eax
12688 + movl $cpu_gdt_table,%eax
12689 movl $stack_canary,%ecx
12691 + addl $__per_cpu_load,%ecx
12693 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12695 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12696 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
12699 movl $(__KERNEL_STACK_CANARY),%eax
12700 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12701 + movl $(__USER_DS),%eax
12707 xorl %eax,%eax # Clear LDT
12708 @@ -558,22 +639,22 @@ early_page_fault:
12713 #ifdef CONFIG_PRINTK
12714 + cmpl $1,%ss:early_recursion_flag
12716 + incl %ss:early_recursion_flag
12719 movl $(__KERNEL_DS),%eax
12722 - cmpl $2,early_recursion_flag
12724 - incl early_recursion_flag
12727 pushl %edx /* trapno */
12736 @@ -581,8 +662,11 @@ hlt_loop:
12737 /* This is the default interrupt "handler" :-) */
12741 #ifdef CONFIG_PRINTK
12742 + cmpl $2,%ss:early_recursion_flag
12744 + incl %ss:early_recursion_flag
12749 @@ -591,9 +675,6 @@ ignore_int:
12750 movl $(__KERNEL_DS),%eax
12753 - cmpl $2,early_recursion_flag
12755 - incl early_recursion_flag
12759 @@ -622,29 +703,43 @@ ENTRY(initial_code)
12763 -__PAGE_ALIGNED_BSS
12764 - .align PAGE_SIZE_asm
12765 #ifdef CONFIG_X86_PAE
12766 +.section .initial_pg_pmd,"a",@progbits
12768 .fill 1024*KPMDS,4,0
12770 +.section .initial_page_table,"a",@progbits
12771 ENTRY(initial_page_table)
12774 +.section .initial_pg_fixmap,"a",@progbits
12777 +.section .empty_zero_page,"a",@progbits
12778 ENTRY(empty_zero_page)
12780 +.section .swapper_pg_dir,"a",@progbits
12781 ENTRY(swapper_pg_dir)
12782 +#ifdef CONFIG_X86_PAE
12789 + * The IDT has to be page-aligned to simplify the Pentium
12790 + * F0 0F bug workaround.. We have a special link segment
12793 +.section .idt,"a",@progbits
12798 * This starts the data section.
12800 #ifdef CONFIG_X86_PAE
12801 -__PAGE_ALIGNED_DATA
12802 - /* Page-aligned for the benefit of paravirt? */
12803 - .align PAGE_SIZE_asm
12804 +.section .initial_page_table,"a",@progbits
12805 ENTRY(initial_page_table)
12806 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12808 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
12809 # error "Kernel PMDs should be 1, 2 or 3"
12811 .align PAGE_SIZE_asm /* needs to be page-sized too */
12813 +#ifdef CONFIG_PAX_PER_CPU_PGD
12825 - .long init_thread_union+THREAD_SIZE
12826 + .long init_thread_union+THREAD_SIZE-8
12830 +.section .rodata,"a",@progbits
12831 early_recursion_flag:
12837 .asciz "Unknown interrupt or fault at: %p %p %p\n"
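Review bot: `early_recursion_flag` ends up under the new `.section .rodata,"a",@progbits` directive, yet the early_page_fault and ignore_int hunks above increment it with `incl %ss:early_recursion_flag`. That only works while those pages are still writable, which is presumably the case when the early handlers run but is an unstated assumption; the 64-bit file keeps its flag before the `.section .rodata` switch so that only the message strings become read-only. Moving the `.section .rodata` line below `early_recursion_flag: .long 0`, or at least adding `/* written by early_page_fault/ignore_int before rodata is protected */`, would make the intent explicit. The `-8` in `.long init_thread_union+THREAD_SIZE-8` also deserves a short comment on what the reserved bytes at the top of the initial stack are for.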
12839 @@ -707,7 +811,7 @@ fault_msg:
12840 .word 0 # 32 bit align gdt_desc.address
12843 - .long boot_gdt - __PAGE_OFFSET
12844 + .long pa(boot_gdt)
12846 .word 0 # 32-bit align idt_desc.address
12848 @@ -718,7 +822,7 @@ idt_descr:
12849 .word 0 # 32 bit align gdt_desc.address
12850 ENTRY(early_gdt_descr)
12851 .word GDT_ENTRIES*8-1
12852 - .long gdt_page /* Overwritten for secondary CPUs */
12853 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12856 * The boot_gdt must mirror the equivalent in setup.S and is
12857 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
12858 .align L1_CACHE_BYTES
12860 .fill GDT_ENTRY_BOOT_CS,8,0
12861 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12862 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12863 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12864 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12866 + .align PAGE_SIZE_asm
12867 +ENTRY(cpu_gdt_table)
12869 + .quad 0x0000000000000000 /* NULL descriptor */
12870 + .quad 0x0000000000000000 /* 0x0b reserved */
12871 + .quad 0x0000000000000000 /* 0x13 reserved */
12872 + .quad 0x0000000000000000 /* 0x1b reserved */
12874 +#ifdef CONFIG_PAX_KERNEXEC
12875 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12877 + .quad 0x0000000000000000 /* 0x20 unused */
12880 + .quad 0x0000000000000000 /* 0x28 unused */
12881 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12882 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12883 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12884 + .quad 0x0000000000000000 /* 0x4b reserved */
12885 + .quad 0x0000000000000000 /* 0x53 reserved */
12886 + .quad 0x0000000000000000 /* 0x5b reserved */
12888 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12889 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12890 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12891 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12893 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12894 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12897 + * Segments used for calling PnP BIOS have byte granularity.
12898 + * The code segments and data segments have fixed 64k limits,
12899 + * the transfer segment sizes are set at run time.
12901 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12902 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12903 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12904 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12905 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12908 + * The APM segments have byte granularity and their bases
12909 + * are set at run time. All have 64k limits.
12911 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12912 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12913 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12915 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12916 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12917 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12918 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12919 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12920 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12922 + /* Be sure this is zeroed to avoid false validations in Xen */
12923 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
12925 diff -urNp linux-2.6.38.4/arch/x86/kernel/head_64.S linux-2.6.38.4/arch/x86/kernel/head_64.S
12926 --- linux-2.6.38.4/arch/x86/kernel/head_64.S 2011-03-14 21:20:32.000000000 -0400
12927 +++ linux-2.6.38.4/arch/x86/kernel/head_64.S 2011-04-17 15:57:32.000000000 -0400
12929 #include <asm/cache.h>
12930 #include <asm/processor-flags.h>
12931 #include <asm/percpu.h>
12932 +#include <asm/cpufeature.h>
12934 #ifdef CONFIG_PARAVIRT
12935 #include <asm/asm-offsets.h>
12936 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12937 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12938 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12939 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12940 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12941 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12942 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12943 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12947 @@ -85,35 +90,22 @@ startup_64:
12949 addq %rbp, init_level4_pgt + 0(%rip)
12950 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12951 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12952 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12953 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12955 addq %rbp, level3_ident_pgt + 0(%rip)
12956 +#ifndef CONFIG_XEN
12957 + addq %rbp, level3_ident_pgt + 8(%rip)
12960 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12961 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12962 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12964 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12965 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12966 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12968 - /* Add an Identity mapping if I am above 1G */
12969 - leaq _text(%rip), %rdi
12970 - andq $PMD_PAGE_MASK, %rdi
12973 - shrq $PUD_SHIFT, %rax
12974 - andq $(PTRS_PER_PUD - 1), %rax
12975 - jz ident_complete
12977 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12978 - leaq level3_ident_pgt(%rip), %rbx
12979 - movq %rdx, 0(%rbx, %rax, 8)
12982 - shrq $PMD_SHIFT, %rax
12983 - andq $(PTRS_PER_PMD - 1), %rax
12984 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12985 - leaq level2_spare_pgt(%rip), %rbx
12986 - movq %rdx, 0(%rbx, %rax, 8)
12988 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12989 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12992 * Fixup the kernel text+data virtual addresses. Note that
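Review bot: Removing the "Add an Identity mapping if I am above 1G" block leaves the early identity map as a fixed range: level2_ident_pgt now covers 2G statically (hunk @@ -390,33 +417,55 @@), but nothing maps the kernel if it is loaded above that, where the old code would have added the extra PUD/PMD entries. If a physical load address above 2G is considered unsupported, a comment near `addq %rbp, level3_ident_pgt + 8(%rip)` stating that assumption (and why the second entry is skipped under CONFIG_XEN) would keep the next reader from re-adding the dynamic mapping or tripping over it with a relocated kernel. Whether any supported boot path can place the image that high cannot be determined from this hunk.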
12993 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12994 * after the boot processor executes this code.
12997 - /* Enable PAE mode and PGE */
12998 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12999 + /* Enable PAE mode and PSE/PGE */
13000 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
13003 /* Setup early boot stage 4 level pagetables. */
13004 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
13005 movl $MSR_EFER, %ecx
13007 btsl $_EFER_SCE, %eax /* Enable System Call */
13008 - btl $20,%edi /* No Execute supported? */
13009 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
13011 btsl $_EFER_NX, %eax
13012 + leaq init_level4_pgt(%rip), %rdi
13013 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
13014 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
13015 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
13016 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
13017 1: wrmsr /* Make changes effective */
13020 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
13024 - .section ".init.text","ax"
13026 #ifdef CONFIG_EARLY_PRINTK
13027 .globl early_idt_handlers
13028 early_idt_handlers:
13029 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
13030 #endif /* EARLY_PRINTK */
13035 #ifdef CONFIG_EARLY_PRINTK
13037 early_recursion_flag:
13041 + .section .rodata,"a",@progbits
13043 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
13046 -#endif /* CONFIG_EARLY_PRINTK */
13048 +#endif /* CONFIG_EARLY_PRINTK */
13050 + .section .rodata,"a",@progbits
13051 #define NEXT_PAGE(name) \
13052 .balign PAGE_SIZE; \
13054 @@ -339,7 +341,6 @@ ENTRY(name)
13060 * This default setting generates an ident mapping at address 0x100000
13061 * and a mapping for the kernel that precisely maps virtual address
13062 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
13063 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13064 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
13065 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13066 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
13067 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
13068 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
13069 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13070 .org init_level4_pgt + L4_START_KERNEL*8, 0
13071 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
13072 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
13074 +#ifdef CONFIG_PAX_PER_CPU_PGD
13075 +NEXT_PAGE(cpu_pgd)
13081 NEXT_PAGE(level3_ident_pgt)
13082 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13086 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
13090 +NEXT_PAGE(level3_vmalloc_pgt)
13093 +NEXT_PAGE(level3_vmemmap_pgt)
13094 + .fill L3_VMEMMAP_START,8,0
13095 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13097 NEXT_PAGE(level3_kernel_pgt)
13098 .fill L3_START_KERNEL,8,0
13099 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
13100 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
13101 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13103 +NEXT_PAGE(level2_vmemmap_pgt)
13106 NEXT_PAGE(level2_fixmap_pgt)
13108 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13109 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
13112 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
13113 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
13116 -NEXT_PAGE(level1_fixmap_pgt)
13117 +NEXT_PAGE(level1_vsyscall_pgt)
13120 -NEXT_PAGE(level2_ident_pgt)
13121 - /* Since I easily can, map the first 1G.
13122 + /* Since I easily can, map the first 2G.
13123 * Don't set NX because code runs from these pages.
13125 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
13126 +NEXT_PAGE(level2_ident_pgt)
13127 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
13129 NEXT_PAGE(level2_kernel_pgt)
13131 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
13132 * If you want to increase this then increase MODULES_VADDR
13135 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
13136 - KERNEL_IMAGE_SIZE/PMD_SIZE)
13138 -NEXT_PAGE(level2_spare_pgt)
13140 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
13147 +ENTRY(cpu_gdt_table)
13149 + .quad 0x0000000000000000 /* NULL descriptor */
13150 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
13151 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
13152 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
13153 + .quad 0x00cffb000000ffff /* __USER32_CS */
13154 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
13155 + .quad 0x00affb000000ffff /* __USER_CS */
13157 +#ifdef CONFIG_PAX_KERNEXEC
13158 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
13160 + .quad 0x0 /* unused */
13163 + .quad 0,0 /* TSS */
13164 + .quad 0,0 /* LDT */
13165 + .quad 0,0,0 /* three TLS descriptors */
13166 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
13167 + /* asm/segment.h:GDT_ENTRIES must match this */
13169 + /* zero the remaining page */
13170 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
13174 .globl early_gdt_descr
13176 .word GDT_ENTRIES*8-1
13177 early_gdt_descr_base:
13178 - .quad INIT_PER_CPU_VAR(gdt_page)
13179 + .quad cpu_gdt_table
13182 /* This must match the first entry in level2_kernel_pgt */
13183 .quad 0x0000000000000000
13185 #include "../../x86/xen/xen-head.S"
13187 - .section .bss, "aw", @nobits
13189 + .section .rodata,"a",@progbits
13190 .align L1_CACHE_BYTES
13192 - .skip IDT_ENTRIES * 16
13197 diff -urNp linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c
13198 --- linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c 2011-03-14 21:20:32.000000000 -0400
13199 +++ linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c 2011-04-17 15:57:32.000000000 -0400
13200 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
13201 EXPORT_SYMBOL(cmpxchg8b_emu);
13204 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
13206 /* Networking helper routines. */
13207 EXPORT_SYMBOL(csum_partial_copy_generic);
13208 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
13209 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
13211 EXPORT_SYMBOL(__get_user_1);
13212 EXPORT_SYMBOL(__get_user_2);
13213 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
13215 EXPORT_SYMBOL(csum_partial);
13216 EXPORT_SYMBOL(empty_zero_page);
13218 +#ifdef CONFIG_PAX_KERNEXEC
13219 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
13221 diff -urNp linux-2.6.38.4/arch/x86/kernel/init_task.c linux-2.6.38.4/arch/x86/kernel/init_task.c
13222 --- linux-2.6.38.4/arch/x86/kernel/init_task.c 2011-03-14 21:20:32.000000000 -0400
13223 +++ linux-2.6.38.4/arch/x86/kernel/init_task.c 2011-04-17 15:57:32.000000000 -0400
13224 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
13225 * way process stacks are handled. This is done by having a special
13226 * "init_task" linker map entry..
13228 -union thread_union init_thread_union __init_task_data =
13229 - { INIT_THREAD_INFO(init_task) };
13230 +union thread_union init_thread_union __init_task_data;
13233 * Initial task structure.
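Review bot: `init_thread_union` loses its `INIT_THREAD_INFO(init_task)` initializer, but the comment above it still describes the old arrangement (thread_info at the base of the init stack via the `init_task` linker entry), so it should now say where the boot thread's thread_info lives. From `percpu_write(current_tinfo, &next_p->tinfo)` in the __switch_to hunk later in this patch it appears to have moved into task_struct, but that definition is outside this view. Suggested wording once confirmed: `/* Only the boot stack lives here now; the boot thread's thread_info is embedded in init_task (->tinfo). */`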
13234 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
13235 * section. Since TSS's are completely CPU-local, we want them
13236 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
13238 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
13240 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
13241 +EXPORT_SYMBOL(init_tss);
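Review bot: `init_tss` is exported with plain `EXPORT_SYMBOL`, while `cpu_gdt_table` in this same patch gets `EXPORT_SYMBOL_GPL`; the TSS array (sp0 and the I/O permission bitmap) is at least as sensitive as the GDT, so `EXPORT_SYMBOL_GPL(init_tss);` would be the consistent choice — or no export at all if the only users are built-in (ioport.c and process_*.c index it as `init_tss + cpu`, which is all this view shows). A short comment is also warranted because the per-cpu variable became a static `NR_CPUS`-sized array: each `struct tss_struct` carries the I/O bitmap, so memory is now reserved for NR_CPUS entries regardless of how many CPUs boot, and the `[0 ... NR_CPUS-1] = INIT_TSS` range initializer is a GNU extension the file did not previously rely on.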
13242 diff -urNp linux-2.6.38.4/arch/x86/kernel/ioport.c linux-2.6.38.4/arch/x86/kernel/ioport.c
13243 --- linux-2.6.38.4/arch/x86/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
13244 +++ linux-2.6.38.4/arch/x86/kernel/ioport.c 2011-04-17 15:57:32.000000000 -0400
13246 #include <linux/sched.h>
13247 #include <linux/kernel.h>
13248 #include <linux/capability.h>
13249 +#include <linux/security.h>
13250 #include <linux/errno.h>
13251 #include <linux/types.h>
13252 #include <linux/ioport.h>
13253 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
13255 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
13257 +#ifdef CONFIG_GRKERNSEC_IO
13258 + if (turn_on && grsec_disable_privio) {
13259 + gr_handle_ioperm();
13263 if (turn_on && !capable(CAP_SYS_RAWIO))
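Review bot: The new `grsec_disable_privio` gate in sys_ioperm runs before `capable(CAP_SYS_RAWIO)`, so any unprivileged process can now reach `gr_handle_ioperm()` (presumably an audit/alert path; its body and the return that follows it are outside this view) just by calling ioperm(), where previously it got a plain -EPERM. If the handler logs, consider checking the capability first, i.e. keep `if (turn_on && !capable(CAP_SYS_RAWIO)) return -EPERM;` ahead of the `#ifdef CONFIG_GRKERNSEC_IO` block, so the grsec denial only fires for callers that would otherwise have been granted port access; if logging every attempt is deliberate, a one-line comment saying so will stop the next reader from "fixing" the order. The same ordering question applies to the sys_iopl hunk below, where the gate sits inside the "gain more privileges" branch.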
13266 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
13267 * because the ->io_bitmap_max value must match the bitmap
13270 - tss = &per_cpu(init_tss, get_cpu());
13271 + tss = init_tss + get_cpu();
13273 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
13275 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
13277 /* Trying to gain more privileges? */
13279 +#ifdef CONFIG_GRKERNSEC_IO
13280 + if (grsec_disable_privio) {
13281 + gr_handle_iopl();
13285 if (!capable(CAP_SYS_RAWIO))
13288 diff -urNp linux-2.6.38.4/arch/x86/kernel/irq_32.c linux-2.6.38.4/arch/x86/kernel/irq_32.c
13289 --- linux-2.6.38.4/arch/x86/kernel/irq_32.c 2011-03-14 21:20:32.000000000 -0400
13290 +++ linux-2.6.38.4/arch/x86/kernel/irq_32.c 2011-04-17 15:57:32.000000000 -0400
13291 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
13292 __asm__ __volatile__("andl %%esp,%0" :
13293 "=r" (sp) : "0" (THREAD_SIZE - 1));
13295 - return sp < (sizeof(struct thread_info) + STACK_WARN);
13296 + return sp < STACK_WARN;
13299 static void print_stack_overflow(void)
13300 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
13301 * per-CPU IRQ handling contexts (thread information and stack)
13304 - struct thread_info tinfo;
13305 - u32 stack[THREAD_SIZE/sizeof(u32)];
13306 + unsigned long previous_esp;
13307 + u32 stack[THREAD_SIZE/sizeof(u32)];
13308 } __attribute__((aligned(THREAD_SIZE)));
13310 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
13311 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
13313 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
13315 - union irq_ctx *curctx, *irqctx;
13316 + union irq_ctx *irqctx;
13317 u32 *isp, arg1, arg2;
13319 - curctx = (union irq_ctx *) current_thread_info();
13320 irqctx = __this_cpu_read(hardirq_ctx);
13323 @@ -87,21 +86,17 @@ execute_on_irq_stack(int overflow, struc
13324 * handler) we can't do that and just have to keep using the
13325 * current stack (which is the irq stack already after all)
13327 - if (unlikely(curctx == irqctx))
13328 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
13331 /* build the stack frame on the IRQ stack */
13332 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
13333 - irqctx->tinfo.task = curctx->tinfo.task;
13334 - irqctx->tinfo.previous_esp = current_stack_pointer;
13335 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
13336 + irqctx->previous_esp = current_stack_pointer;
13337 + add_preempt_count(HARDIRQ_OFFSET);
13340 - * Copy the softirq bits in preempt_count so that the
13341 - * softirq checks work in the hardirq context.
13343 - irqctx->tinfo.preempt_count =
13344 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
13345 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
13346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13347 + __set_fs(MAKE_MM_SEG(0));
13350 if (unlikely(overflow))
13351 call_on_stack(print_stack_overflow, isp);
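Review bot: The "already on the IRQ stack" test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` works as a range check only because the signed pointer difference is promoted to unsigned when compared with THREAD_SIZE, so a stack pointer below `irqctx` wraps to a huge value and fails the test; it also relies on GNU `void *` arithmetic. Writing it as `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))` states that intent directly and no longer depends on THREAD_SIZE's type. The replacement `add_preempt_count(HARDIRQ_OFFSET)` now bumps the interrupted thread's own count instead of a preset count in the (deleted) irq-stack thread_info, which is presumably why the softirq-bit copy was dropped; a comment at the `add_preempt_count` line saying that the hardirq count now lives in the current task's thread_info would make the deletion self-explanatory.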
13352 @@ -113,6 +108,12 @@ execute_on_irq_stack(int overflow, struc
13353 : "0" (irq), "1" (desc), "2" (isp),
13354 "D" (desc->handle_irq)
13355 : "memory", "cc", "ecx");
13357 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13358 + __set_fs(current_thread_info()->addr_limit);
13361 + sub_preempt_count(HARDIRQ_OFFSET);
13365 @@ -121,29 +122,11 @@ execute_on_irq_stack(int overflow, struc
13367 void __cpuinit irq_ctx_init(int cpu)
13369 - union irq_ctx *irqctx;
13371 if (per_cpu(hardirq_ctx, cpu))
13374 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
13377 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
13378 - irqctx->tinfo.cpu = cpu;
13379 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
13380 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
13382 - per_cpu(hardirq_ctx, cpu) = irqctx;
13384 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
13387 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
13388 - irqctx->tinfo.cpu = cpu;
13389 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
13391 - per_cpu(softirq_ctx, cpu) = irqctx;
13392 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
13393 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
13395 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
13396 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
13397 @@ -152,7 +135,6 @@ void __cpuinit irq_ctx_init(int cpu)
13398 asmlinkage void do_softirq(void)
13400 unsigned long flags;
13401 - struct thread_info *curctx;
13402 union irq_ctx *irqctx;
13405 @@ -162,15 +144,22 @@ asmlinkage void do_softirq(void)
13406 local_irq_save(flags);
13408 if (local_softirq_pending()) {
13409 - curctx = current_thread_info();
13410 irqctx = __this_cpu_read(softirq_ctx);
13411 - irqctx->tinfo.task = curctx->task;
13412 - irqctx->tinfo.previous_esp = current_stack_pointer;
13413 + irqctx->previous_esp = current_stack_pointer;
13415 /* build the stack frame on the softirq stack */
13416 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
13417 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
13419 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13420 + __set_fs(MAKE_MM_SEG(0));
13423 call_on_stack(__do_softirq, isp);
13425 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13426 + __set_fs(current_thread_info()->addr_limit);
13430 * Shouldnt happen, we returned above if in_interrupt():
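Review bot: `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` reserves 8 bytes at the top of the softirq stack with no explanation, and the same literal appears in execute_on_irq_stack and in both copy_thread hunks of this patch, so the layout now lives in four places. A named constant with a one-line rationale (what occupies those bytes, or what alignment they preserve) would keep the sites from drifting, e.g. `#define IRQ_STACK_TOP_RESERVE 8 /* ...reason... */` beside `union irq_ctx` and `isp = (u32 *)((char *)irqctx + sizeof(*irqctx) - IRQ_STACK_TOP_RESERVE);`. The UDEREF `__set_fs(MAKE_MM_SEG(0))` / `__set_fs(current_thread_info()->addr_limit)` pair around `call_on_stack(__do_softirq, isp)` replaces the per-context `addr_limit` that irq_ctx_init used to set once; that is fine as long as nothing inside __do_softirq reads the limit before the first store, which the visible code does not contradict.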
13432 diff -urNp linux-2.6.38.4/arch/x86/kernel/kgdb.c linux-2.6.38.4/arch/x86/kernel/kgdb.c
13433 --- linux-2.6.38.4/arch/x86/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
13434 +++ linux-2.6.38.4/arch/x86/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
13435 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
13437 #ifdef CONFIG_X86_32
13439 - if (!user_mode_vm(regs))
13440 + if (!user_mode(regs))
13441 *(unsigned long *)mem = __KERNEL_DS;
13444 - if (!user_mode_vm(regs))
13445 + if (!user_mode(regs))
13446 *(unsigned long *)mem = kernel_stack_pointer(regs);
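Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in dbg_get_reg changes behaviour for VM86 frames on 32-bit unless this patch also redefines user_mode(): in mainline user_mode() checks only the CS RPL, and a vm86 frame carries a real-mode CS whose low bits need not be 3, so such a frame would be classified as kernel and reported with `__KERNEL_DS` and `kernel_stack_pointer(regs)` — the wrong SS/SP for the debugger. The same substitution is made in kprobe_exceptions_notify and __show_regs later in the patch, so it is presumably backed by a changed definition in asm/ptrace.h; that header is outside this view and should be checked, or a one-line comment added at one of the sites stating that user_mode() now covers VM86.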
13449 @@ -719,7 +719,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
13453 -struct kgdb_arch arch_kgdb_ops = {
13454 +const struct kgdb_arch arch_kgdb_ops = {
13455 /* Breakpoint instruction: */
13456 .gdb_bpt_instr = { 0xcc },
13457 .flags = KGDB_HW_BREAKPOINT,
13458 diff -urNp linux-2.6.38.4/arch/x86/kernel/kprobes.c linux-2.6.38.4/arch/x86/kernel/kprobes.c
13459 --- linux-2.6.38.4/arch/x86/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
13460 +++ linux-2.6.38.4/arch/x86/kernel/kprobes.c 2011-04-17 15:57:32.000000000 -0400
13461 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
13462 } __attribute__((packed)) *insn;
13464 insn = (struct __arch_relative_insn *)from;
13466 + pax_open_kernel();
13467 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
13469 + pax_close_kernel();
13472 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
13473 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
13474 kprobe_opcode_t opcode;
13475 kprobe_opcode_t *orig_opcodes = opcodes;
13477 - if (search_exception_tables((unsigned long)opcodes))
13478 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
13479 return 0; /* Page fault may occur on this address. */
13482 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
13485 insn_get_length(&insn);
13486 + pax_open_kernel();
13487 memcpy(dest, insn.kaddr, insn.length);
13488 + pax_close_kernel();
13490 #ifdef CONFIG_X86_64
13491 if (insn_rip_relative(&insn)) {
13492 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
13494 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
13495 disp = (u8 *) dest + insn_offset_displacement(&insn);
13496 + pax_open_kernel();
13497 *(s32 *) disp = (s32) newdisp;
13498 + pax_close_kernel();
13501 return insn.length;
13502 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
13504 __copy_instruction(p->ainsn.insn, p->addr, 0);
13506 - if (can_boost(p->addr))
13507 + if (can_boost(ktla_ktva(p->addr)))
13508 p->ainsn.boostable = 0;
13510 p->ainsn.boostable = -1;
13512 - p->opcode = *p->addr;
13513 + p->opcode = *(ktla_ktva(p->addr));
13516 int __kprobes arch_prepare_kprobe(struct kprobe *p)
13517 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
13518 * nor set current_kprobe, because it doesn't use single
13521 - regs->ip = (unsigned long)p->ainsn.insn;
13522 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
13523 preempt_enable_no_resched();
13526 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
13527 if (p->opcode == BREAKPOINT_INSTRUCTION)
13528 regs->ip = (unsigned long)p->addr;
13530 - regs->ip = (unsigned long)p->ainsn.insn;
13531 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
13535 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
13536 setup_singlestep(p, regs, kcb, 0);
13539 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
13540 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
13542 * The breakpoint instruction was removed right
13543 * after we hit it. Another cpu has removed
13544 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
13545 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
13547 unsigned long *tos = stack_addr(regs);
13548 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
13549 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
13550 unsigned long orig_ip = (unsigned long)p->addr;
13551 kprobe_opcode_t *insn = p->ainsn.insn;
13553 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
13554 struct die_args *args = data;
13555 int ret = NOTIFY_DONE;
13557 - if (args->regs && user_mode_vm(args->regs))
13558 + if (args->regs && user_mode(args->regs))
13562 @@ -1372,7 +1379,7 @@ int __kprobes arch_prepare_optimized_kpr
13563 * Verify if the address gap is in 2GB range, because this uses
13566 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
13567 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
13568 if (abs(rel) > 0x7fffffff)
13571 @@ -1393,11 +1400,11 @@ int __kprobes arch_prepare_optimized_kpr
13572 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
13574 /* Set probe function call */
13575 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
13576 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
13578 /* Set returning jmp instruction at the tail of out-of-line buffer */
13579 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
13580 - (u8 *)op->kp.addr + op->optinsn.size);
13581 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
13583 flush_icache_range((unsigned long) buf,
13584 (unsigned long) buf + TMPL_END_IDX +
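Review bot: The relative call/jump displacements are now computed from `buf` (the address the slot is written through) to `ktla_ktva(optimized_callback)` and `ktla_ktva(op->kp.addr)` (the addresses the CPU executes), which is only correct if the out-of-line slot's write and execute views coincide, i.e. ktla_ktva() is the identity for memory from the kprobe insn-slot allocator; `rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr)` in arch_prepare_optimized_kprobe makes the same assumption. That invariant is not stated anywhere in the visible code. Suggested comment at the `synthesize_relcall` line: `/* insn slots are mapped with identical data and text views; only kernel-text targets need ktla_ktva() */` — or, if it does not hold under 32-bit KERNEXEC, the displacement base should be `ktla_ktva(buf)` as well.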
13585 @@ -1419,7 +1426,7 @@ static void __kprobes setup_optimize_kpr
13586 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
13588 /* Backup instructions which will be replaced by jump address */
13589 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
13590 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
13591 RELATIVE_ADDR_SIZE);
13593 insn_buf[0] = RELATIVEJUMP_OPCODE;
13594 diff -urNp linux-2.6.38.4/arch/x86/kernel/ldt.c linux-2.6.38.4/arch/x86/kernel/ldt.c
13595 --- linux-2.6.38.4/arch/x86/kernel/ldt.c 2011-03-14 21:20:32.000000000 -0400
13596 +++ linux-2.6.38.4/arch/x86/kernel/ldt.c 2011-04-17 15:57:32.000000000 -0400
13597 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
13602 + load_LDT_nolock(pc);
13603 if (!cpumask_equal(mm_cpumask(current->mm),
13604 cpumask_of(smp_processor_id())))
13605 smp_call_function(flush_ldt, current->mm, 1);
13609 + load_LDT_nolock(pc);
13613 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
13616 for (i = 0; i < old->size; i++)
13617 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
13618 + write_ldt_entry(new->ldt, i, old->ldt + i);
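Review bot: `old->ldt + i` replaces `old->ldt + i * LDT_ENTRY_SIZE`, which is only equivalent if `mm_context_t.ldt` has been changed from `void *` to `struct desc_struct *` so that `+ i` advances one descriptor; that type change is not in this view, and with the original `void *` this would copy the wrong entry for every i > 0. Worth confirming in asm/mmu.h, and the `write_ldt_entry()` prototype should take the same element type so the compiler, not a comment, enforces it.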
13622 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
13623 retval = copy_ldt(&mm->context, &old_mm->context);
13624 mutex_unlock(&old_mm->context.lock);
13627 + if (tsk == current) {
13628 + mm->context.vdso = 0;
13630 +#ifdef CONFIG_X86_32
13631 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
13632 + mm->context.user_cs_base = 0UL;
13633 + mm->context.user_cs_limit = ~0UL;
13635 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
13636 + cpus_clear(mm->context.cpu_user_cs_mask);
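Review bot: `cpus_clear(mm->context.cpu_user_cs_mask)` uses the legacy by-value cpumask_t API; if `cpu_user_cs_mask` is a `cpumask_t`, the current form in 2.6.38 is `cpumask_clear(&mm->context.cpu_user_cs_mask);`. The `if (tsk == current)` guard around the vdso/user_cs reset is unexplained — presumably it distinguishes a fresh mm for exec (mm_alloc for the current task) from fork (dup_mm for the child, which should inherit the copied limits) — and deserves a comment, because getting it wrong leaves SEGMEXEC/PAGEEXEC limits stale on the new mm: `/* exec (tsk == current) starts from clean PaX state; fork keeps the duplicated values */`. The closing lines of the added block are not shown here.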
13647 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
13651 +#ifdef CONFIG_PAX_SEGMEXEC
13652 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
13658 fill_ldt(&ldt, &ldt_info);
13661 diff -urNp linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c
13662 --- linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c 2011-03-14 21:20:32.000000000 -0400
13663 +++ linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c 2011-04-17 15:57:32.000000000 -0400
13665 #include <asm/cacheflush.h>
13666 #include <asm/debugreg.h>
13668 -static void set_idt(void *newidt, __u16 limit)
13669 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13671 struct desc_ptr curidt;
13673 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13677 -static void set_gdt(void *newgdt, __u16 limit)
13678 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13680 struct desc_ptr curgdt;
13682 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13685 control_page = page_address(image->control_code_page);
13686 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13687 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13689 relocate_kernel_ptr = control_page;
13690 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13691 diff -urNp linux-2.6.38.4/arch/x86/kernel/microcode_amd.c linux-2.6.38.4/arch/x86/kernel/microcode_amd.c
13692 --- linux-2.6.38.4/arch/x86/kernel/microcode_amd.c 2011-03-14 21:20:32.000000000 -0400
13693 +++ linux-2.6.38.4/arch/x86/kernel/microcode_amd.c 2011-04-17 15:57:32.000000000 -0400
13694 @@ -317,7 +317,7 @@ static void microcode_fini_cpu_amd(int c
13698 -static struct microcode_ops microcode_amd_ops = {
13699 +static const struct microcode_ops microcode_amd_ops = {
13700 .request_microcode_user = request_microcode_user,
13701 .request_microcode_fw = request_microcode_fw,
13702 .collect_cpu_info = collect_cpu_info_amd,
13703 @@ -325,7 +325,7 @@ static struct microcode_ops microcode_am
13704 .microcode_fini_cpu = microcode_fini_cpu_amd,
13707 -struct microcode_ops * __init init_amd_microcode(void)
13708 +const struct microcode_ops * __init init_amd_microcode(void)
13710 return µcode_amd_ops;
13712 diff -urNp linux-2.6.38.4/arch/x86/kernel/microcode_core.c linux-2.6.38.4/arch/x86/kernel/microcode_core.c
13713 --- linux-2.6.38.4/arch/x86/kernel/microcode_core.c 2011-03-14 21:20:32.000000000 -0400
13714 +++ linux-2.6.38.4/arch/x86/kernel/microcode_core.c 2011-04-17 15:57:32.000000000 -0400
13715 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13717 #define MICROCODE_VERSION "2.00"
13719 -static struct microcode_ops *microcode_ops;
13720 +static const struct microcode_ops *microcode_ops;
13724 diff -urNp linux-2.6.38.4/arch/x86/kernel/microcode_intel.c linux-2.6.38.4/arch/x86/kernel/microcode_intel.c
13725 --- linux-2.6.38.4/arch/x86/kernel/microcode_intel.c 2011-03-14 21:20:32.000000000 -0400
13726 +++ linux-2.6.38.4/arch/x86/kernel/microcode_intel.c 2011-04-17 15:57:32.000000000 -0400
13727 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
13729 static int get_ucode_user(void *to, const void *from, size_t n)
13731 - return copy_from_user(to, from, n);
13732 + return copy_from_user(to, (__force const void __user *)from, n);
13735 static enum ucode_state
13736 request_microcode_user(int cpu, const void __user *buf, size_t size)
13738 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13739 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13742 static void microcode_fini_cpu(int cpu)
13743 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
13747 -static struct microcode_ops microcode_intel_ops = {
13748 +static const struct microcode_ops microcode_intel_ops = {
13749 .request_microcode_user = request_microcode_user,
13750 .request_microcode_fw = request_microcode_fw,
13751 .collect_cpu_info = collect_cpu_info,
13752 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
13753 .microcode_fini_cpu = microcode_fini_cpu,
13756 -struct microcode_ops * __init init_intel_microcode(void)
13757 +const struct microcode_ops * __init init_intel_microcode(void)
13759 return µcode_intel_ops;
13761 diff -urNp linux-2.6.38.4/arch/x86/kernel/module.c linux-2.6.38.4/arch/x86/kernel/module.c
13762 --- linux-2.6.38.4/arch/x86/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
13763 +++ linux-2.6.38.4/arch/x86/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
13764 @@ -35,21 +35,66 @@
13765 #define DEBUGP(fmt...)
13768 -void *module_alloc(unsigned long size)
13769 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
13771 if (PAGE_ALIGN(size) > MODULES_LEN)
13773 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
13774 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
13775 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
13776 -1, __builtin_return_address(0));
13779 +void *module_alloc(unsigned long size)
13782 +#ifdef CONFIG_PAX_KERNEXEC
13783 + return __module_alloc(size, PAGE_KERNEL);
13785 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13790 /* Free memory returned from module_alloc */
13791 void module_free(struct module *mod, void *module_region)
13793 vfree(module_region);
13796 +#ifdef CONFIG_PAX_KERNEXEC
13797 +#ifdef CONFIG_X86_32
13798 +void *module_alloc_exec(unsigned long size)
13800 + struct vm_struct *area;
13805 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13806 + return area ? area->addr : NULL;
13808 +EXPORT_SYMBOL(module_alloc_exec);
13810 +void module_free_exec(struct module *mod, void *module_region)
13812 + vunmap(module_region);
13814 +EXPORT_SYMBOL(module_free_exec);
13816 +void module_free_exec(struct module *mod, void *module_region)
13818 + module_free(mod, module_region);
13820 +EXPORT_SYMBOL(module_free_exec);
13822 +void *module_alloc_exec(unsigned long size)
13824 + return __module_alloc(size, PAGE_KERNEL_RX);
13826 +EXPORT_SYMBOL(module_alloc_exec);
13830 /* We don't need anything special. */
13831 int module_frob_arch_sections(Elf_Ehdr *hdr,
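Review bot: `module_alloc_exec` and `module_free_exec` are exported with plain `EXPORT_SYMBOL`, which hands every loadable module a primitive for obtaining executable kernel memory — exactly what the KERNEXEC `module_alloc` path (`PAGE_KERNEL`, non-executable) withholds by default. If the only callers are the core loader and built-in code, drop the exports; if out-of-tree users are expected, `EXPORT_SYMBOL_GPL` is the more defensible choice. The 32-bit variant reserves a VM range with `__get_vm_area()` but allocates no pages, so it evidently depends on MODULES_EXEC_VADDR..MODULES_EXEC_END being backed elsewhere; a comment stating that, and that callers must write through `pax_open_kernel()`, would save the next reader a trip through the page-table setup. A few lines of this hunk (the size check and the `#else`) are not visible here.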
13833 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13835 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13837 - uint32_t *location;
13838 + uint32_t *plocation, location;
13840 DEBUGP("Applying relocate section %u to %u\n", relsec,
13841 sechdrs[relsec].sh_info);
13842 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13843 /* This is where to make the change */
13844 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13845 - + rel[i].r_offset;
13846 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13847 + location = (uint32_t)plocation;
13848 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13849 + plocation = ktla_ktva((void *)plocation);
13850 /* This is the symbol it is referring to. Note that all
13851 undefined symbols have been resolved. */
13852 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
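Review bot: The split between `plocation` (translated with `ktla_ktva()` for SHF_EXECINSTR sections and used for the store) and `location` (the untranslated address kept for the R_386_PC32 arithmetic) is the subtle part of this hunk and deserves a comment: the displacement has to be computed in the same view as `sym->st_value`, which the loader resolves to untranslated addresses, while the byte write has to go through the view in which the text is writable. Suggested, above the `if (... & SHF_EXECINSTR)`: `/* relocation math uses the linear address; only the store goes through the text (ktla_ktva) view */`. The implicit `void *` to `uint32_t *` conversion in `plocation = ktla_ktva((void *)plocation);` is legal C, but if ktla_ktva() returns `void *` an explicit `(uint32_t *)` cast would read more clearly.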
13853 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13854 switch (ELF32_R_TYPE(rel[i].r_info)) {
13856 /* We add the value into the location given */
13857 - *location += sym->st_value;
13858 + pax_open_kernel();
13859 + *plocation += sym->st_value;
13860 + pax_close_kernel();
13863 /* Add the value, subtract its postition */
13864 - *location += sym->st_value - (uint32_t)location;
13865 + pax_open_kernel();
13866 + *plocation += sym->st_value - location;
13867 + pax_close_kernel();
13870 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
13871 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13872 case R_X86_64_NONE:
13875 + pax_open_kernel();
13877 + pax_close_kernel();
13880 + pax_open_kernel();
13882 + pax_close_kernel();
13883 if (val != *(u32 *)loc)
13887 + pax_open_kernel();
13889 + pax_close_kernel();
13890 if ((s64)val != *(s32 *)loc)
13893 case R_X86_64_PC32:
13895 + pax_open_kernel();
13897 + pax_close_kernel();
13900 if ((s64)val != *(s32 *)loc)
13902 diff -urNp linux-2.6.38.4/arch/x86/kernel/paravirt.c linux-2.6.38.4/arch/x86/kernel/paravirt.c
13903 --- linux-2.6.38.4/arch/x86/kernel/paravirt.c 2011-03-14 21:20:32.000000000 -0400
13904 +++ linux-2.6.38.4/arch/x86/kernel/paravirt.c 2011-04-17 15:57:32.000000000 -0400
13905 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13906 * corresponding structure. */
13907 static void *get_call_destination(u8 type)
13909 - struct paravirt_patch_template tmpl = {
13910 + const struct paravirt_patch_template tmpl = {
13911 .pv_init_ops = pv_init_ops,
13912 .pv_time_ops = pv_time_ops,
13913 .pv_cpu_ops = pv_cpu_ops,
13914 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13915 if (opfunc == NULL)
13916 /* If there's no function, patch it with a ud2a (BUG) */
13917 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13918 - else if (opfunc == _paravirt_nop)
13919 + else if (opfunc == (void *)_paravirt_nop)
13920 /* If the operation is a nop, then nop the callsite */
13921 ret = paravirt_patch_nop();
13923 /* identity functions just return their single argument */
13924 - else if (opfunc == _paravirt_ident_32)
13925 + else if (opfunc == (void *)_paravirt_ident_32)
13926 ret = paravirt_patch_ident_32(insnbuf, len);
13927 - else if (opfunc == _paravirt_ident_64)
13928 + else if (opfunc == (void *)_paravirt_ident_64)
13929 ret = paravirt_patch_ident_64(insnbuf, len);
13931 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13932 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13933 if (insn_len > len || start == NULL)
13936 - memcpy(insnbuf, start, insn_len);
13937 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13941 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13945 -struct pv_info pv_info = {
13946 +struct pv_info pv_info __read_only = {
13947 .name = "bare hardware",
13948 .paravirt_enabled = 0,
13950 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13953 -struct pv_init_ops pv_init_ops = {
13954 +struct pv_init_ops pv_init_ops __read_only = {
13955 .patch = native_patch,
13958 -struct pv_time_ops pv_time_ops = {
13959 +struct pv_time_ops pv_time_ops __read_only = {
13960 .sched_clock = native_sched_clock,
13963 -struct pv_irq_ops pv_irq_ops = {
13964 +struct pv_irq_ops pv_irq_ops __read_only = {
13965 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13966 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13967 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
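Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops`, `pv_irq_ops` (and the other pv_*_ops in this file) `__read_only` is only safe if every writer runs before the read-only section is sealed or wraps its stores in `pax_open_kernel()`: the Xen, lguest and KVM back-ends assign into these structures at boot, and clock and lock hooks can be installed later from CPU bring-up paths. None of those writers, and not the sealing point of `__read_only` either, are in this view, so the patch should state the rule once where the structures are defined, e.g. above `pv_info`: `/* all pv_*_ops are sealed read-only after init: back-ends must install hooks before that point or use pax_open_kernel() */`.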
13968 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13972 -struct pv_cpu_ops pv_cpu_ops = {
13973 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13974 .cpuid = native_cpuid,
13975 .get_debugreg = native_get_debugreg,
13976 .set_debugreg = native_set_debugreg,
13977 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13978 .end_context_switch = paravirt_nop,
13981 -struct pv_apic_ops pv_apic_ops = {
13982 +struct pv_apic_ops pv_apic_ops __read_only = {
13983 #ifdef CONFIG_X86_LOCAL_APIC
13984 .startup_ipi_hook = paravirt_nop,
13986 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13987 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13990 -struct pv_mmu_ops pv_mmu_ops = {
13991 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13993 .read_cr2 = native_read_cr2,
13994 .write_cr2 = native_write_cr2,
13995 @@ -465,6 +465,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13998 .set_fixmap = native_set_fixmap,
14000 +#ifdef CONFIG_PAX_KERNEXEC
14001 + .pax_open_kernel = native_pax_open_kernel,
14002 + .pax_close_kernel = native_pax_close_kernel,
14007 EXPORT_SYMBOL_GPL(pv_time_ops);
14008 diff -urNp linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c
14009 --- linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c 2011-03-14 21:20:32.000000000 -0400
14010 +++ linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c 2011-04-17 15:57:32.000000000 -0400
14011 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
14012 arch_spin_lock(lock);
14015 -struct pv_lock_ops pv_lock_ops = {
14016 +struct pv_lock_ops pv_lock_ops __read_only = {
14018 .spin_is_locked = __ticket_spin_is_locked,
14019 .spin_is_contended = __ticket_spin_is_contended,
14020 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c
14021 --- linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c 2011-03-14 21:20:32.000000000 -0400
14022 +++ linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c 2011-04-17 15:57:32.000000000 -0400
14023 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
14024 free_pages((unsigned long)vaddr, get_order(size));
14027 -static struct dma_map_ops calgary_dma_ops = {
14028 +static const struct dma_map_ops calgary_dma_ops = {
14029 .alloc_coherent = calgary_alloc_coherent,
14030 .free_coherent = calgary_free_coherent,
14031 .map_sg = calgary_map_sg,
14032 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-dma.c linux-2.6.38.4/arch/x86/kernel/pci-dma.c
14033 --- linux-2.6.38.4/arch/x86/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
14034 +++ linux-2.6.38.4/arch/x86/kernel/pci-dma.c 2011-04-17 15:57:32.000000000 -0400
14037 static int forbid_dac __read_mostly;
14039 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
14040 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
14041 EXPORT_SYMBOL(dma_ops);
14043 static int iommu_sac_force __read_mostly;
14044 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
14046 int dma_supported(struct device *dev, u64 mask)
14048 - struct dma_map_ops *ops = get_dma_ops(dev);
14049 + const struct dma_map_ops *ops = get_dma_ops(dev);
14052 if (mask > 0xffffffff && forbid_dac > 0) {
14053 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c
14054 --- linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c 2011-03-14 21:20:32.000000000 -0400
14055 +++ linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c 2011-04-17 15:57:32.000000000 -0400
14056 @@ -706,7 +706,7 @@ static __init int init_amd_gatt(struct a
14060 -static struct dma_map_ops gart_dma_ops = {
14061 +static const struct dma_map_ops gart_dma_ops = {
14062 .map_sg = gart_map_sg,
14063 .unmap_sg = gart_unmap_sg,
14064 .map_page = gart_map_page,
14065 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-nommu.c linux-2.6.38.4/arch/x86/kernel/pci-nommu.c
14066 --- linux-2.6.38.4/arch/x86/kernel/pci-nommu.c 2011-03-14 21:20:32.000000000 -0400
14067 +++ linux-2.6.38.4/arch/x86/kernel/pci-nommu.c 2011-04-17 15:57:32.000000000 -0400
14068 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
14069 flush_write_buffers();
14072 -struct dma_map_ops nommu_dma_ops = {
14073 +const struct dma_map_ops nommu_dma_ops = {
14074 .alloc_coherent = dma_generic_alloc_coherent,
14075 .free_coherent = nommu_free_coherent,
14076 .map_sg = nommu_map_sg,
14077 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c
14078 --- linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
14079 +++ linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c 2011-04-17 15:57:32.000000000 -0400
14080 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
14081 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
14084 -static struct dma_map_ops swiotlb_dma_ops = {
14085 +static const struct dma_map_ops swiotlb_dma_ops = {
14086 .mapping_error = swiotlb_dma_mapping_error,
14087 .alloc_coherent = x86_swiotlb_alloc_coherent,
14088 .free_coherent = swiotlb_free_coherent,
14089 diff -urNp linux-2.6.38.4/arch/x86/kernel/process_32.c linux-2.6.38.4/arch/x86/kernel/process_32.c
14090 --- linux-2.6.38.4/arch/x86/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
14091 +++ linux-2.6.38.4/arch/x86/kernel/process_32.c 2011-04-17 15:57:32.000000000 -0400
14092 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
14093 unsigned long thread_saved_pc(struct task_struct *tsk)
14095 return ((unsigned long *)tsk->thread.sp)[3];
14096 +//XXX return tsk->thread.eip;
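Review bot: `//XXX return tsk->thread.eip;` is commented-out code checked in under a placeholder marker; it should either become the implementation or be removed. If it is a reminder that `((unsigned long *)tsk->thread.sp)[3]` depends on the switch-frame layout this patch changes elsewhere (the `- 8` in copy_thread), say that in a real comment instead: `/* TODO: re-verify that index 3 of the saved switch frame is still the return address after the copy_thread frame change */`. As written, a later reader cannot tell whether the index is still right or the commented line was the intended fix.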
14100 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
14102 unsigned short ss, gs;
14104 - if (user_mode_vm(regs)) {
14105 + if (user_mode(regs)) {
14107 ss = regs->ss & 0xffff;
14108 - gs = get_user_gs(regs);
14110 sp = kernel_stack_pointer(regs);
14111 savesegment(ss, ss);
14112 - savesegment(gs, gs);
14114 + gs = get_user_gs(regs);
14116 show_regs_common();
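Review bot: For a kernel-mode frame, `gs` is now taken from `get_user_gs(regs)` instead of the live register (`savesegment(gs, gs)` is removed from the kernel branch), so the printed GS no longer reflects the value at the time of the fault; with CONFIG_X86_32_LAZY_GS get_user_gs() reads `task->thread.gs`, i.e. the user value, which makes the kernel-branch output less useful when diagnosing a bad %gs load in kernel code. If this is intentional because %gs is a fixed kernel segment in this configuration (not visible here), a one-line comment would help: `/* kernel frames: %gs is a constant kernel segment, report the saved user gs instead */`.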
14118 @@ -196,7 +196,7 @@ int copy_thread(unsigned long clone_flag
14119 struct task_struct *tsk;
14122 - childregs = task_pt_regs(p);
14123 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
14124 *childregs = *regs;
14126 childregs->sp = sp;
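Review bot: `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` open-codes the pt_regs location that `task_pt_regs(p)` used to provide, with an unexplained 8-byte gap; the 64-bit copy_thread in this patch does the same, and the IRQ-stack code reserves the same 8 bytes, so the layout now lives in at least four places. If `task_pt_regs()` was changed to match (it is outside this view), keep calling it here so there is a single definition; if it deliberately differs, a comment is needed explaining why the child's frame sits 8 bytes below the macro's answer, because anything that later does `task_pt_regs(p)` on this child (ptrace, signal delivery) would otherwise read a different frame.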
14127 @@ -293,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
14128 struct thread_struct *prev = &prev_p->thread,
14129 *next = &next_p->thread;
14130 int cpu = smp_processor_id();
14131 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
14132 + struct tss_struct *tss = init_tss + cpu;
14135 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
14136 @@ -328,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
14138 lazy_save_gs(prev->gs);
14140 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14141 + __set_fs(task_thread_info(next_p)->addr_limit);
14145 * Load the per-thread Thread-Local Storage descriptor.
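Review bot: The new `__set_fs(task_thread_info(next_p)->addr_limit)` under CONFIG_PAX_MEMORY_UDEREF has no comment saying why addr_limit must be re-applied on every context switch. If, as the name suggests, __set_fs under UDEREF also reloads the segment limit used for user accesses, the reload is required because the incoming task may be inside a set_fs(KERNEL_DS) region with a different limit; say so, e.g. `/* UDEREF: the user-access segment limit is per task; reload it for next_p */`. The rest of __switch_to is outside this hunk.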
14147 @@ -363,6 +367,9 @@ __switch_to(struct task_struct *prev_p,
14149 arch_end_context_switch(next_p);
14151 + percpu_write(current_task, next_p);
14152 + percpu_write(current_tinfo, &next_p->tinfo);
14155 __math_state_restore();
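Review bot: `percpu_write(current_task, next_p)` is moved ahead of `__math_state_restore()` (its old location is deleted in the next hunk) and `percpu_write(current_tinfo, &next_p->tinfo)` is added beside it, but nothing records why the ordering matters. If current_thread_info() now reads the current_tinfo per-cpu variable and __math_state_restore() still derives the task from current_thread_info() as it does in mainline, the old order would restore the FPU state into the previous task; a comment such as `/* current/current_thread_info() must already point at next_p when __math_state_restore() runs */` would protect this from a later reshuffle. I cannot see current_tinfo's definition here, so please confirm that is the dependency.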
14157 @@ -372,8 +379,6 @@ __switch_to(struct task_struct *prev_p,
14158 if (prev->gs | next->gs)
14159 lazy_load_gs(next->gs);
14161 - percpu_write(current_task, next_p);
14166 @@ -403,4 +408,3 @@ unsigned long get_wchan(struct task_stru
14167 } while (count++ < 16);
14171 diff -urNp linux-2.6.38.4/arch/x86/kernel/process_64.c linux-2.6.38.4/arch/x86/kernel/process_64.c
14172 --- linux-2.6.38.4/arch/x86/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
14173 +++ linux-2.6.38.4/arch/x86/kernel/process_64.c 2011-04-17 15:57:32.000000000 -0400
14174 @@ -87,7 +87,7 @@ static void __exit_idle(void)
14175 void exit_idle(void)
14177 /* idle loop has pid 0 */
14178 - if (current->pid)
14179 + if (task_pid_nr(current))
14183 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
14184 struct pt_regs *childregs;
14185 struct task_struct *me = current;
14187 - childregs = ((struct pt_regs *)
14188 - (THREAD_SIZE + task_stack_page(p))) - 1;
14189 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
14190 *childregs = *regs;
14193 @@ -376,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
14194 struct thread_struct *prev = &prev_p->thread;
14195 struct thread_struct *next = &next_p->thread;
14196 int cpu = smp_processor_id();
14197 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
14198 + struct tss_struct *tss = init_tss + cpu;
14199 unsigned fsindex, gsindex;
14202 @@ -472,10 +471,9 @@ __switch_to(struct task_struct *prev_p,
14203 prev->usersp = percpu_read(old_rsp);
14204 percpu_write(old_rsp, next->usersp);
14205 percpu_write(current_task, next_p);
14206 + percpu_write(current_tinfo, &next_p->tinfo);
14208 - percpu_write(kernel_stack,
14209 - (unsigned long)task_stack_page(next_p) +
14210 - THREAD_SIZE - KERNEL_STACK_OFFSET);
14211 + percpu_write(kernel_stack, next->sp0);
14214 * Now maybe reload the debug registers and handle I/O bitmaps
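Review bot: `percpu_write(kernel_stack, next->sp0)` replaces a value computed from task_stack_page() with one read from thread_struct, which is only equivalent if sp0 is kept at the top-of-stack offset the old formula used; the pax_randomize_kstack() added later in this patch XORs thread->sp0 and also writes kernel_stack from it, so the two sites are now coupled. A comment on this line, e.g. `/* sp0 may be randomised per syscall (PAX_RANDKSTACK); kernel_stack must track it */`, would record that. The remainder of __switch_to is outside the hunk.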
14215 @@ -529,12 +527,11 @@ unsigned long get_wchan(struct task_stru
14216 if (!p || p == current || p->state == TASK_RUNNING)
14218 stack = (unsigned long)task_stack_page(p);
14219 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
14220 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
14222 fp = *(u64 *)(p->thread.sp);
14224 - if (fp < (unsigned long)stack ||
14225 - fp >= (unsigned long)stack+THREAD_SIZE)
14226 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
14228 ip = *(u64 *)(fp+8);
14229 if (!in_sched_functions(ip))
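Review bot: The new upper bounds `stack+THREAD_SIZE-8-sizeof(u64)` in get_wchan fold together the 8-byte top-of-stack pad and the width of the slot read by `*(u64 *)(p->thread.sp)` and `*(u64 *)(fp+8)`, which is correct (fp <= top-16 guarantees fp+16 <= top) but opaque. Naming the pad, which is the same literal 8 used in copy_thread and smpboot.c, and writing the check as `if (fp < stack || fp + 8 + sizeof(u64) > stack + THREAD_SIZE - PAD)` would make the reasoning visible. get_wchan's loop continues outside this hunk.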
14230 diff -urNp linux-2.6.38.4/arch/x86/kernel/process.c linux-2.6.38.4/arch/x86/kernel/process.c
14231 --- linux-2.6.38.4/arch/x86/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
14232 +++ linux-2.6.38.4/arch/x86/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
14233 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
14235 void free_thread_info(struct thread_info *ti)
14237 - free_thread_xstate(ti->task);
14238 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
14241 +static struct kmem_cache *task_struct_cachep;
14243 void arch_task_cache_init(void)
14245 - task_xstate_cachep =
14246 - kmem_cache_create("task_xstate", xstate_size,
14247 + /* create a slab on which task_structs can be allocated */
14248 + task_struct_cachep =
14249 + kmem_cache_create("task_struct", sizeof(struct task_struct),
14250 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
14252 + task_xstate_cachep =
14253 + kmem_cache_create("task_xstate", xstate_size,
14254 __alignof__(union thread_xstate),
14255 - SLAB_PANIC | SLAB_NOTRACK, NULL);
14256 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
14259 +struct task_struct *alloc_task_struct(void)
14261 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
14264 +void free_task_struct(struct task_struct *task)
14266 + free_thread_xstate(task);
14267 + kmem_cache_free(task_struct_cachep, task);
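Review bot: `alloc_task_struct()` and `free_task_struct()` are new, apparently externally-called functions with no comment, and the hunk silently moves responsibility for `free_thread_xstate()` from free_thread_info() into free_task_struct(), which a reader of fork.c will not see. Document it at the definitions, e.g. `/* task_struct now embeds thread_info (tinfo) and owns its xstate; free both here, not in free_thread_info() */`, and note that alloc_task_struct() hands back uninitialised slab memory because the caller (presumably dup_task_struct) copies the parent over it. `task_struct_cachep` is static, so the two prototypes must live in an arch header outside this hunk. The new `SLAB_USERCOPY` on the xstate cache presumably whitelists the object for user copies under PAX_USERCOPY and deserves a one-line justification too.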
14271 @@ -70,7 +87,7 @@ void exit_thread(void)
14272 unsigned long *bp = t->io_bitmap_ptr;
14275 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
14276 + struct tss_struct *tss = init_tss + get_cpu();
14278 t->io_bitmap_ptr = NULL;
14279 clear_thread_flag(TIF_IO_BITMAP);
14280 @@ -106,7 +123,7 @@ void show_regs_common(void)
14282 printk(KERN_CONT "\n");
14283 printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
14284 - current->pid, current->xid, current->comm, print_tainted(),
14285 + task_pid_nr(current), current->xid, current->comm, print_tainted(),
14286 init_utsname()->release,
14287 (int)strcspn(init_utsname()->version, " "),
14288 init_utsname()->version);
14289 @@ -123,6 +140,9 @@ void flush_thread(void)
14291 struct task_struct *tsk = current;
14293 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
14294 + loadsegment(gs, 0);
14296 flush_ptrace_hw_breakpoint(tsk);
14297 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
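Review bot: `loadsegment(gs, 0)` in flush_thread is guarded by a three-way config condition with no explanation. On 32-bit without stack protector or UDEREF, %gs carries the user TLS selector, so clearing it at exec stops the new image from inheriting the previous program's TLS segment; with CC_STACKPROTECTOR or UDEREF, %gs is the kernel's own segment and must stay loaded, which is what the guard encodes. A comment saying exactly that, e.g. `/* %gs is the user TLS selector here: do not let it survive exec. With stackprotector/UDEREF %gs is the kernel segment and must not be touched. */`, would save the next reader from re-deriving it. flush_thread continues outside the hunk.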
14299 @@ -285,10 +305,10 @@ int kernel_thread(int (*fn)(void *), voi
14300 regs.di = (unsigned long) arg;
14302 #ifdef CONFIG_X86_32
14303 - regs.ds = __USER_DS;
14304 - regs.es = __USER_DS;
14305 + regs.ds = __KERNEL_DS;
14306 + regs.es = __KERNEL_DS;
14307 regs.fs = __KERNEL_PERCPU;
14308 - regs.gs = __KERNEL_STACK_CANARY;
14309 + savesegment(gs, regs.gs);
14311 regs.ss = __KERNEL_DS;
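Review bot: kernel_thread now starts kernel threads with `%ds`/`%es` = `__KERNEL_DS` and whatever `%gs` the creating task holds (`savesegment(gs, regs.gs)`) instead of `__USER_DS` and `__KERNEL_STACK_CANARY`, and nothing records why. If this is the UDEREF rule that kernel-mode code must not run with user-limited data segments, with gs inherited so it matches the per-cpu/canary segment whichever option is configured, say so above the `#ifdef`: `/* UDEREF: kernel threads run with kernel data segments; inherit the current kernel %gs */`. Inheriting gs also means an unusual caller segment state would propagate into the new thread; worth a sentence if that is acceptable. The function body continues outside the hunk.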
14313 @@ -668,16 +688,31 @@ static int __init idle_setup(char *str)
14315 early_param("idle", idle_setup);
14317 -unsigned long arch_align_stack(unsigned long sp)
14318 +#ifdef CONFIG_PAX_RANDKSTACK
14319 +asmlinkage void pax_randomize_kstack(void)
14321 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
14322 - sp -= get_random_int() % 8192;
14323 - return sp & ~0xf;
14325 + struct thread_struct *thread = ¤t->thread;
14326 + unsigned long time;
14328 -unsigned long arch_randomize_brk(struct mm_struct *mm)
14330 - unsigned long range_end = mm->brk + 0x02000000;
14331 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
14333 + if (!randomize_va_space)
14338 + /* P4 seems to return a 0 LSB, ignore it */
14339 +#ifdef CONFIG_MPENTIUM4
14347 + thread->sp0 ^= time;
14348 + load_sp0(init_tss + smp_processor_id(), thread);
14350 +#ifdef CONFIG_X86_64
14351 + percpu_write(kernel_stack, thread->sp0);
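Review bot: `thread->sp0 ^= time;` randomises the kernel stack pointer by XOR-ing a TSC-derived value into sp0 cumulatively, so the invariant that sp0 stays inside the task's stack page rests entirely on how `time` is masked in the lines this hunk omits (14334-14346); state the invariant next to the XOR, e.g. `/* only the offset bits below THREAD_SIZE (and above the alignment mask) are flipped, so sp0 never leaves the stack page */`, and consider a debug-only range check against task_stack_page(current). The low TSC bits are a weak entropy source; if a better one is usable on this path it should be preferred. The hunk also removes arch_align_stack() and arch_randomize_brk(), so generic fallbacks must exist elsewhere in the patch, which I cannot confirm from here. (The `¤t->thread` on 14325 is an HTML-entity mangling of `&current->thread` in this rendering, not a patch bug.)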
14355 diff -urNp linux-2.6.38.4/arch/x86/kernel/ptrace.c linux-2.6.38.4/arch/x86/kernel/ptrace.c
14356 --- linux-2.6.38.4/arch/x86/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
14357 +++ linux-2.6.38.4/arch/x86/kernel/ptrace.c 2011-04-17 15:57:32.000000000 -0400
14358 @@ -805,7 +805,7 @@ long arch_ptrace(struct task_struct *chi
14359 unsigned long addr, unsigned long data)
14362 - unsigned long __user *datap = (unsigned long __user *)data;
14363 + unsigned long __user *datap = (__force unsigned long __user *)data;
14366 /* read the word at location addr in the USER area. */
14367 @@ -890,14 +890,14 @@ long arch_ptrace(struct task_struct *chi
14368 if ((int) addr < 0)
14370 ret = do_get_thread_area(child, addr,
14371 - (struct user_desc __user *)data);
14372 + (__force struct user_desc __user *) data);
14375 case PTRACE_SET_THREAD_AREA:
14376 if ((int) addr < 0)
14378 ret = do_set_thread_area(child, addr,
14379 - (struct user_desc __user *)data, 0);
14380 + (__force struct user_desc __user *) data, 0);
14384 @@ -1314,7 +1314,7 @@ static void fill_sigtrap_info(struct tas
14385 memset(info, 0, sizeof(*info));
14386 info->si_signo = SIGTRAP;
14387 info->si_code = si_code;
14388 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
14389 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
14392 void user_single_step_siginfo(struct task_struct *tsk,
14393 @@ -1347,7 +1347,7 @@ void send_sigtrap(struct task_struct *ts
14394 * We must return the syscall number to actually look up in the table.
14395 * This can be -1L to skip running any syscall at all.
14397 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
14398 +long syscall_trace_enter(struct pt_regs *regs)
14402 @@ -1392,7 +1392,7 @@ asmregparm long syscall_trace_enter(stru
14403 return ret ?: regs->orig_ax;
14406 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
14407 +void syscall_trace_leave(struct pt_regs *regs)
14411 diff -urNp linux-2.6.38.4/arch/x86/kernel/reboot.c linux-2.6.38.4/arch/x86/kernel/reboot.c
14412 --- linux-2.6.38.4/arch/x86/kernel/reboot.c 2011-03-14 21:20:32.000000000 -0400
14413 +++ linux-2.6.38.4/arch/x86/kernel/reboot.c 2011-04-17 15:57:32.000000000 -0400
14414 @@ -34,7 +34,7 @@ void (*pm_power_off)(void);
14415 EXPORT_SYMBOL(pm_power_off);
14417 static const struct desc_ptr no_idt = {};
14418 -static int reboot_mode;
14419 +static unsigned short reboot_mode;
14420 enum reboot_type reboot_type = BOOT_KBD;
14423 @@ -293,7 +293,7 @@ static struct dmi_system_id __initdata r
14424 DMI_MATCH(DMI_BOARD_NAME, "VersaLogic Menlow board"),
14428 + { NULL, NULL, {{0, {0}}}, NULL}
14431 static int __init reboot_init(void)
14432 @@ -309,12 +309,12 @@ core_initcall(reboot_init);
14433 controller to pulse the CPU reset line, which is more thorough, but
14434 doesn't work with at least one type of 486 motherboard. It is easy
14435 to stop this code working; hence the copious comments. */
14436 -static const unsigned long long
14437 -real_mode_gdt_entries [3] =
14438 +static struct desc_struct
14439 +real_mode_gdt_entries [3] __read_only =
14441 - 0x0000000000000000ULL, /* Null descriptor */
14442 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
14443 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
14444 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
14445 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
14446 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
14449 static const struct desc_ptr
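Review bot: `real_mode_gdt_entries` loses its `const` qualifier in exchange for `__read_only`; if that section is only sealed after init, the table is writable from C until then, and the compiler no longer rejects stray writes at all. If the section attribute is compatible with a const object, keep both: `static const struct desc_struct real_mode_gdt_entries[3] __read_only = {`; if GCC reports a section type conflict, add a comment saying why const had to go. Rewriting the raw ULL descriptors as `GDT_ENTRY_INIT(...)` is a clear readability win.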
14450 @@ -363,7 +363,7 @@ static const unsigned char jump_to_bios
14451 * specified by the code and length parameters.
14452 * We assume that length will aways be less that 100!
14454 -void machine_real_restart(const unsigned char *code, int length)
14455 +void machine_real_restart(const unsigned char *code, unsigned int length)
14457 local_irq_disable();
14459 @@ -390,16 +390,15 @@ void machine_real_restart(const unsigned
14460 boot)". This seems like a fairly standard thing that gets set by
14461 REBOOT.COM programs, and the previous reset routine did this
14463 - *((unsigned short *)0x472) = reboot_mode;
14464 + *(unsigned short *)(__va(0x472)) = reboot_mode;
14466 /* For the switch to real mode, copy some code to low memory. It has
14467 to be in the first 64k because it is running in 16-bit mode, and it
14468 has to have the same physical and virtual address, because it turns
14469 off paging. Copy it near the end of the first page, out of the way
14470 of BIOS variables. */
14471 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
14472 - real_mode_switch, sizeof (real_mode_switch));
14473 - memcpy((void *)(0x1000 - 100), code, length);
14474 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
14475 + memcpy(__va(0x1000 - 100), code, length);
14477 /* Set up the IDT for real mode. */
14478 load_idt(&real_mode_idt);
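Review bot: `memcpy(__va(0x1000 - 100), code, length)` still trusts `length` even though the comment above the function only assumes it stays below 100; with the parameter now `unsigned int` a check is cheap and a violation overruns past the 0x1000 boundary. Add `BUG_ON(length > 100);` before the two memcpy calls (the function is heading into a reboot with interrupts off, so BUG_ON is acceptable), and name the 100 so the `0x1000 - sizeof(real_mode_switch) - 100` layout reads as intent. The `__va()` conversions themselves look right for a kernel that no longer identity-maps low memory. The comment at 14452 also has typos ("aways", "less that").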
14479 diff -urNp linux-2.6.38.4/arch/x86/kernel/setup.c linux-2.6.38.4/arch/x86/kernel/setup.c
14480 --- linux-2.6.38.4/arch/x86/kernel/setup.c 2011-04-18 17:27:18.000000000 -0400
14481 +++ linux-2.6.38.4/arch/x86/kernel/setup.c 2011-04-17 16:53:16.000000000 -0400
14482 @@ -654,7 +654,7 @@ static void __init trim_bios_range(void)
14483 * area (640->1Mb) as ram even though it is not.
14486 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
14487 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
14488 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
14491 @@ -790,14 +790,14 @@ void __init setup_arch(char **cmdline_p)
14493 if (!boot_params.hdr.root_flags)
14494 root_mountflags &= ~MS_RDONLY;
14495 - init_mm.start_code = (unsigned long) _text;
14496 - init_mm.end_code = (unsigned long) _etext;
14497 + init_mm.start_code = ktla_ktva((unsigned long) _text);
14498 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
14499 init_mm.end_data = (unsigned long) _edata;
14500 init_mm.brk = _brk_end;
14502 - code_resource.start = virt_to_phys(_text);
14503 - code_resource.end = virt_to_phys(_etext)-1;
14504 - data_resource.start = virt_to_phys(_etext);
14505 + code_resource.start = virt_to_phys(ktla_ktva(_text));
14506 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
14507 + data_resource.start = virt_to_phys(_sdata);
14508 data_resource.end = virt_to_phys(_edata)-1;
14509 bss_resource.start = virt_to_phys(&__bss_start);
14510 bss_resource.end = virt_to_phys(&__bss_stop)-1;
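Review bot: `data_resource.start` moves from `virt_to_phys(_etext)` to `virt_to_phys(_sdata)` while `code_resource.end` stays at `_etext-1`; if the linker script places read-only data between `_etext` and `_sdata`, as mainline's x86 vmlinux.lds.S does, that range is now in neither resource. That may be intended under KERNEXEC, where text lives at a different linear address (hence `ktla_ktva()` on `_text`/`_etext`), but it deserves a comment, e.g. `/* rodata between _etext and _sdata is deliberately left out of both resources */`, or a resource of its own. `init_mm.end_data` is also left as the untranslated `_edata` while start_code/end_code are translated, which is consistent only if data is not relocated the way text is. setup_arch continues well beyond this hunk.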
14511 diff -urNp linux-2.6.38.4/arch/x86/kernel/setup_percpu.c linux-2.6.38.4/arch/x86/kernel/setup_percpu.c
14512 --- linux-2.6.38.4/arch/x86/kernel/setup_percpu.c 2011-03-14 21:20:32.000000000 -0400
14513 +++ linux-2.6.38.4/arch/x86/kernel/setup_percpu.c 2011-04-17 15:57:32.000000000 -0400
14514 @@ -21,19 +21,17 @@
14515 #include <asm/cpu.h>
14516 #include <asm/stackprotector.h>
14518 -DEFINE_PER_CPU(int, cpu_number);
14520 +DEFINE_PER_CPU(unsigned int, cpu_number);
14521 EXPORT_PER_CPU_SYMBOL(cpu_number);
14524 -#ifdef CONFIG_X86_64
14525 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
14527 -#define BOOT_PERCPU_OFFSET 0
14530 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
14531 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
14533 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
14534 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
14535 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
14537 EXPORT_SYMBOL(__per_cpu_offset);
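Review bot: `__per_cpu_offset[]` becomes `__read_only`, yet it is still assigned per cpu in setup_per_cpu_areas (`per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu]` in a later hunk of this file), so this only works if the section is write-protected after that runs. A comment at the declaration stating when the array becomes immutable, e.g. `/* written once in setup_per_cpu_areas(); sealed with .data..read_only after init */`, would stop someone adding a later write. I cannot see the __read_only definition or the sealing point here, so please confirm the timing.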
14538 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
14540 #ifdef CONFIG_X86_32
14541 struct desc_struct gdt;
14542 + unsigned long base = per_cpu_offset(cpu);
14544 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
14545 - 0x2 | DESCTYPE_S, 0x8);
14547 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
14548 + 0x83 | DESCTYPE_S, 0xC);
14549 write_gdt_entry(get_cpu_gdt_table(cpu),
14550 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
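Review bot: The per-cpu segment limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` with 4K granularity is off by up to PAGE_SIZE-1 bytes past VMALLOC_END when `per_cpu_offset(cpu)` is not page aligned; if that is harmless, say so, otherwise derive the limit as `(PAGE_ALIGN(VMALLOC_END - base) >> PAGE_SHIFT) - 1` or round `base` first. The raw `0x83` (present, accessed, writable data) and `0xC` (32-bit, 4K granularity) bytes replace `0x2`/`0x8` with no comment about why the segment is now deliberately bounded to the kernel range, which looks like a defence against %fs-relative accesses reaching outside it. A short comment naming that intent would help. setup_percpu_segment starts before this hunk.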
14552 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
14553 /* alrighty, percpu areas up and running */
14554 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
14555 for_each_possible_cpu(cpu) {
14556 +#ifdef CONFIG_CC_STACKPROTECTOR
14557 +#ifdef CONFIG_x86_32
14558 + unsigned long canary = per_cpu(stack_canary, cpu);
14561 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
14562 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
14563 per_cpu(cpu_number, cpu) = cpu;
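Review bot: `#ifdef CONFIG_x86_32` on 14557 is lowercase; Kconfig generates `CONFIG_X86_32`, so the `unsigned long canary = per_cpu(stack_canary, cpu);` save is never compiled and the canary is not preserved across the per-cpu relocation this loop performs. Change it to `#ifdef CONFIG_X86_32` here and in the matching restore in the next hunk of this function. Once it compiles, also check the type: in mainline 2.6.38 the 32-bit `stack_canary` per-cpu object is a `struct stack_canary` with a `.canary` member, so this may need `per_cpu(stack_canary.canary, cpu)`; the misspelled guard would currently hide such an error. The enclosing loop starts before this hunk.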
14564 @@ -243,6 +246,12 @@ void __init setup_per_cpu_areas(void)
14565 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
14568 +#ifdef CONFIG_CC_STACKPROTECTOR
14569 +#ifdef CONFIG_x86_32
14570 + if (cpu == boot_cpu_id)
14571 + per_cpu(stack_canary, cpu) = canary;
14575 * Up to this point, the boot CPU has been using .init.data
14576 * area. Reload any changed state for the boot CPU.
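Review bot: The restore `if (cpu == boot_cpu_id) per_cpu(stack_canary, cpu) = canary;` sits under `#ifdef CONFIG_x86_32`, which is not a Kconfig symbol (`CONFIG_X86_32` is), so it is never compiled and the canary saved at the top of this loop is never written back for the boot cpu. Change both guards to `#ifdef CONFIG_X86_32`; `canary` is declared inside the earlier guarded block, so the two must be fixed together or this restore alone will not compile. Lines 14572-14574 of the hunk are not shown here.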
14577 diff -urNp linux-2.6.38.4/arch/x86/kernel/signal.c linux-2.6.38.4/arch/x86/kernel/signal.c
14578 --- linux-2.6.38.4/arch/x86/kernel/signal.c 2011-03-14 21:20:32.000000000 -0400
14579 +++ linux-2.6.38.4/arch/x86/kernel/signal.c 2011-04-17 15:57:32.000000000 -0400
14580 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
14581 * Align the stack pointer according to the i386 ABI,
14582 * i.e. so that on function entry ((sp + 4) & 15) == 0.
14584 - sp = ((sp + 4) & -16ul) - 4;
14585 + sp = ((sp - 12) & -16ul) - 4;
14586 #else /* !CONFIG_X86_32 */
14587 sp = round_down(sp, 16) - 8;
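Review bot: The new `sp = ((sp - 12) & -16ul) - 4;` always places the frame at least 16 bytes below the incoming sp, whereas the old `((sp + 4) & -16ul) - 4` could leave sp unchanged; the comment above still speaks only of alignment, so the extra reservation is undocumented. Both forms satisfy `((sp + 4) & 15) == 0`, so if the intent is to never build the frame flush against the interrupted sp, say so: `/* also step down at least one 16-byte slot so the frame never overlaps the word at the interrupted sp */`. align_sigframe starts above this hunk.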
14589 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
14590 * Return an always-bogus address instead so we will die with SIGSEGV.
14592 if (onsigstack && !likely(on_sig_stack(sp)))
14593 - return (void __user *)-1L;
14594 + return (__force void __user *)-1L;
14596 /* save i387 state */
14597 if (used_math() && save_i387_xstate(*fpstate) < 0)
14598 - return (void __user *)-1L;
14599 + return (__force void __user *)-1L;
14601 return (void __user *)sp;
14603 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
14606 if (current->mm->context.vdso)
14607 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
14608 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
14610 - restorer = &frame->retcode;
14611 + restorer = (void __user *)&frame->retcode;
14612 if (ka->sa.sa_flags & SA_RESTORER)
14613 restorer = ka->sa.sa_restorer;
14615 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
14616 * reasons and because gdb uses it as a signature to notice
14617 * signal handler stack frames.
14619 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
14620 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
14624 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
14625 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
14627 /* Set up to return from userspace. */
14628 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
14629 + if (current->mm->context.vdso)
14630 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
14632 + restorer = (void __user *)&frame->retcode;
14633 if (ka->sa.sa_flags & SA_RESTORER)
14634 restorer = ka->sa.sa_restorer;
14635 put_user_ex(restorer, &frame->pretcode);
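Review bot: When `current->mm->context.vdso` is NULL, `restorer` now falls back to `&frame->retcode`, a trampoline written onto the user stack, which only works if that stack is executable; under the NX/PAGEEXEC enforcement this patch adds, a handler registered without `SA_RESTORER` in a vdso-less process would then fault on return from the handler. That mirrors the existing `__setup_frame` fallback, so it is consistent, but the trade-off should be explicit: `/* no vdso: fall back to the on-stack trampoline, which needs an executable stack */`. In practice glibc sets SA_RESTORER, so the `sa_restorer` branch below overrides this. __setup_rt_frame continues outside the hunk.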
14636 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
14637 * reasons and because gdb uses it as a signature to notice
14638 * signal handler stack frames.
14640 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
14641 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
14642 } put_user_catch(err);
14645 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
14646 * X86_32: vm86 regs switched out by assembly code before reaching
14647 * here, so testing against kernel CS suffices.
14649 - if (!user_mode(regs))
14650 + if (!user_mode_novm(regs))
14653 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
14654 diff -urNp linux-2.6.38.4/arch/x86/kernel/smpboot.c linux-2.6.38.4/arch/x86/kernel/smpboot.c
14655 --- linux-2.6.38.4/arch/x86/kernel/smpboot.c 2011-03-14 21:20:32.000000000 -0400
14656 +++ linux-2.6.38.4/arch/x86/kernel/smpboot.c 2011-04-17 15:57:32.000000000 -0400
14657 @@ -773,17 +773,20 @@ static int __cpuinit do_boot_cpu(int api
14658 set_idle_for_cpu(cpu, c_idle.idle);
14660 per_cpu(current_task, cpu) = c_idle.idle;
14661 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
14662 #ifdef CONFIG_X86_32
14663 /* Stack for startup_32 can be just as for start_secondary onwards */
14666 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
14667 initial_gs = per_cpu_offset(cpu);
14668 - per_cpu(kernel_stack, cpu) =
14669 - (unsigned long)task_stack_page(c_idle.idle) -
14670 - KERNEL_STACK_OFFSET + THREAD_SIZE;
14671 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 8 + THREAD_SIZE;
14674 + pax_open_kernel();
14675 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
14676 + pax_close_kernel();
14678 initial_code = (unsigned long)start_secondary;
14679 stack_start = c_idle.idle->thread.sp;
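Review bot: `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 8 + THREAD_SIZE;` recomputes the stack top by hand with the same literal 8 used in copy_thread and get_wchan, while the x86-64 `__switch_to` hunk in this patch now takes kernel_stack from `next->sp0`. Using `c_idle.idle->thread.sp0` here as well, or one shared macro, would keep AP bring-up consistent with the context-switch path and remove the magic number, assuming the idle task's sp0 is already set at this point (not visible here). The `pax_open_kernel()`/`pax_close_kernel()` pair around the `early_gdt_descr.address` write would benefit from a note that early_gdt_descr lives in a read-only section. do_boot_cpu continues outside this hunk.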
14681 @@ -923,6 +926,12 @@ int __cpuinit native_cpu_up(unsigned int
14683 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
14685 +#ifdef CONFIG_PAX_PER_CPU_PGD
14686 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
14687 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
14688 + KERNEL_PGD_PTRS);
14691 err = do_boot_cpu(apicid, cpu);
14693 pr_debug("do_boot_cpu failed %d\n", err);
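Review bot: The `clone_pgd_range()` into `get_cpu_pgd(cpu)` seeds the kernel half of this cpu's PGD from swapper_pg_dir at bring-up only; any kernel PGD entries created later have to reach every per-cpu PGD through some other path that this hunk does not show. A comment pointing at that path, e.g. `/* PER_CPU_PGD: seed the kernel mappings; later PGD changes are propagated by <the sync mechanism> */`, would help anyone debugging a stale-mapping fault on a secondary CPU. native_cpu_up continues outside this hunk.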
14694 diff -urNp linux-2.6.38.4/arch/x86/kernel/step.c linux-2.6.38.4/arch/x86/kernel/step.c
14695 --- linux-2.6.38.4/arch/x86/kernel/step.c 2011-03-14 21:20:32.000000000 -0400
14696 +++ linux-2.6.38.4/arch/x86/kernel/step.c 2011-04-17 15:57:32.000000000 -0400
14697 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
14698 struct desc_struct *desc;
14699 unsigned long base;
14704 mutex_lock(&child->mm->context.lock);
14705 - if (unlikely((seg >> 3) >= child->mm->context.size))
14706 + if (unlikely(seg >= child->mm->context.size))
14707 addr = -1L; /* bogus selector, access would fault */
14709 desc = child->mm->context.ldt + seg;
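Review bot: The check `seg >= child->mm->context.size` and the unchanged `desc = child->mm->context.ldt + seg;` agree only if `seg` has already been converted from a selector to an LDT index in the lines this hunk omits (14700-14703); mainline 2.6.38 masked with `~7UL` and then indexed `ldt + seg`, which over-indexes by 8x, so if the patch adds `seg >>= 3;` it fixes a real bug and a comment on the index line (`/* seg is an LDT index here, not a selector */`) would mark that. If only the comparison changed, the bounds check is now weaker (selector value against entry count) while the indexing bug remains, so please double-check the hidden lines. convert_ip_to_linear starts before this hunk.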
14710 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
14713 mutex_unlock(&child->mm->context.lock);
14715 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
14716 + addr = ktla_ktva(addr);
14720 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
14721 unsigned char opcode[15];
14722 unsigned long addr = convert_ip_to_linear(child, regs);
14724 + if (addr == -EINVAL)
14727 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
14728 for (i = 0; i < copied; i++) {
14729 switch (opcode[i]) {
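Review bot: The new guard `if (addr == -EINVAL)` in is_setting_trap_flag does not match the sentinel convert_ip_to_linear visibly produces: the bogus-selector path in the previous hunk sets `addr = -1L`, and -1 is not -EINVAL. Unless a path not shown returns -EINVAL, the guard never fires and access_process_vm() is still called with -1 (harmless today because nothing is copied, but the check's intent is lost). Use one sentinel in both places, e.g. change the bogus-selector path to `addr = -EINVAL;` or test `if (addr == (unsigned long)-1L)` here. Lines 14725-14726 of the hunk are not visible.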
14730 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
14732 #ifdef CONFIG_X86_64
14733 case 0x40 ... 0x4f:
14734 - if (regs->cs != __USER_CS)
14735 + if ((regs->cs & 0xffff) != __USER_CS)
14736 /* 32-bit mode: register increment */
14738 /* 64-bit mode: REX prefix */
14739 diff -urNp linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S
14740 --- linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S 2011-03-14 21:20:32.000000000 -0400
14741 +++ linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S 2011-04-17 15:57:32.000000000 -0400
14743 +.section .rodata,"a",@progbits
14744 ENTRY(sys_call_table)
14745 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
14747 diff -urNp linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c
14748 --- linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c 2011-03-14 21:20:32.000000000 -0400
14749 +++ linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c 2011-04-17 15:57:32.000000000 -0400
14750 @@ -24,17 +24,224 @@
14752 #include <asm/syscalls.h>
14755 - * Do a system call from kernel instead of calling sys_execve so we
14756 - * end up with proper pt_regs.
14758 -int kernel_execve(const char *filename,
14759 - const char *const argv[],
14760 - const char *const envp[])
14761 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
14764 - asm volatile ("int $0x80"
14766 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
14768 + unsigned long pax_task_size = TASK_SIZE;
14770 +#ifdef CONFIG_PAX_SEGMEXEC
14771 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
14772 + pax_task_size = SEGMEXEC_TASK_SIZE;
14775 + if (len > pax_task_size || addr > pax_task_size - len)
14782 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
14783 + unsigned long len, unsigned long pgoff, unsigned long flags)
14785 + struct mm_struct *mm = current->mm;
14786 + struct vm_area_struct *vma;
14787 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14789 +#ifdef CONFIG_PAX_SEGMEXEC
14790 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14791 + pax_task_size = SEGMEXEC_TASK_SIZE;
14794 + pax_task_size -= PAGE_SIZE;
14796 + if (len > pax_task_size)
14799 + if (flags & MAP_FIXED)
14802 +#ifdef CONFIG_PAX_RANDMMAP
14803 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14807 + addr = PAGE_ALIGN(addr);
14808 + if (pax_task_size - len >= addr) {
14809 + vma = find_vma(mm, addr);
14810 + if (check_heap_stack_gap(vma, addr, len))
14814 + if (len > mm->cached_hole_size) {
14815 + start_addr = addr = mm->free_area_cache;
14817 + start_addr = addr = mm->mmap_base;
14818 + mm->cached_hole_size = 0;
14821 +#ifdef CONFIG_PAX_PAGEEXEC
14822 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14823 + start_addr = 0x00110000UL;
14825 +#ifdef CONFIG_PAX_RANDMMAP
14826 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14827 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14830 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14831 + start_addr = addr = mm->mmap_base;
14833 + addr = start_addr;
14838 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14839 + /* At this point: (!vma || addr < vma->vm_end). */
14840 + if (pax_task_size - len < addr) {
14842 + * Start a new search - just in case we missed
14845 + if (start_addr != mm->mmap_base) {
14846 + start_addr = addr = mm->mmap_base;
14847 + mm->cached_hole_size = 0;
14848 + goto full_search;
14852 + if (check_heap_stack_gap(vma, addr, len))
14854 + if (addr + mm->cached_hole_size < vma->vm_start)
14855 + mm->cached_hole_size = vma->vm_start - addr;
14856 + addr = vma->vm_end;
14857 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14858 + start_addr = addr = mm->mmap_base;
14859 + mm->cached_hole_size = 0;
14860 + goto full_search;
14865 + * Remember the place where we stopped the search:
14867 + mm->free_area_cache = addr + len;
14872 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14873 + const unsigned long len, const unsigned long pgoff,
14874 + const unsigned long flags)
14876 + struct vm_area_struct *vma;
14877 + struct mm_struct *mm = current->mm;
14878 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14880 +#ifdef CONFIG_PAX_SEGMEXEC
14881 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14882 + pax_task_size = SEGMEXEC_TASK_SIZE;
14885 + pax_task_size -= PAGE_SIZE;
14887 + /* requested length too big for entire address space */
14888 + if (len > pax_task_size)
14891 + if (flags & MAP_FIXED)
14894 +#ifdef CONFIG_PAX_PAGEEXEC
14895 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14899 +#ifdef CONFIG_PAX_RANDMMAP
14900 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14903 + /* requesting a specific address */
14905 + addr = PAGE_ALIGN(addr);
14906 + if (pax_task_size - len >= addr) {
14907 + vma = find_vma(mm, addr);
14908 + if (check_heap_stack_gap(vma, addr, len))
14913 + /* check if free_area_cache is useful for us */
14914 + if (len <= mm->cached_hole_size) {
14915 + mm->cached_hole_size = 0;
14916 + mm->free_area_cache = mm->mmap_base;
14919 + /* either no address requested or can't fit in requested address hole */
14920 + addr = mm->free_area_cache;
14922 + /* make sure it can fit in the remaining address space */
14923 + if (addr > len) {
14924 + vma = find_vma(mm, addr-len);
14925 + if (check_heap_stack_gap(vma, addr - len, len))
14926 + /* remember the address as a hint for next time */
14927 + return (mm->free_area_cache = addr-len);
14930 + if (mm->mmap_base < len)
14933 + addr = mm->mmap_base-len;
14937 + * Lookup failure means no vma is above this address,
14938 + * else if new region fits below vma->vm_start,
14939 + * return with success:
14941 + vma = find_vma(mm, addr);
14942 + if (check_heap_stack_gap(vma, addr, len))
14943 + /* remember the address as a hint for next time */
14944 + return (mm->free_area_cache = addr);
14946 + /* remember the largest hole we saw so far */
14947 + if (addr + mm->cached_hole_size < vma->vm_start)
14948 + mm->cached_hole_size = vma->vm_start - addr;
14950 + /* try just below the current vma->vm_start */
14951 + addr = skip_heap_stack_gap(vma, len);
14952 + } while (!IS_ERR_VALUE(addr));
14956 + * A failed mmap() very likely causes application failure,
14957 + * so fall back to the bottom-up function here. This scenario
14958 + * can happen with large stack limits and large mmap()
14962 +#ifdef CONFIG_PAX_SEGMEXEC
14963 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14964 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14968 + mm->mmap_base = TASK_UNMAPPED_BASE;
14970 +#ifdef CONFIG_PAX_RANDMMAP
14971 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14972 + mm->mmap_base += mm->delta_mmap;
14975 + mm->free_area_cache = mm->mmap_base;
14976 + mm->cached_hole_size = ~0UL;
14977 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14979 + * Restore the topdown base:
14981 + mm->mmap_base = base;
14982 + mm->free_area_cache = base;
14983 + mm->cached_hole_size = ~0UL;
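Review bot: In the new arch_get_unmapped_area the loop `for (vma = find_vma(mm, addr); ; vma = vma->vm_next)` avoids dereferencing a NULL `vma` only if `check_heap_stack_gap(vma, addr, len)` returns true for `vma == NULL` (mainline spells this `!vma || addr + len <= vma->vm_start`); the helper is not in this chunk, so either add `/* check_heap_stack_gap() accepts vma == NULL, so the loop returns before vma->vm_next is reached */` at the loop or make the `!vma ||` explicit. The PAGEEXEC fallback base `0x00110000UL` and the `0x03FFF000UL` randomisation mask are unexplained magic numbers; name them and say why executable mappings without hardware NX are steered to that low range. `i386_mmap_check()` never uses its `flags` parameter. The hunk also removes kernel_execve() from this file, so its replacement must live elsewhere in the patch.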
14987 diff -urNp linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c
14988 --- linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c 2011-03-14 21:20:32.000000000 -0400
14989 +++ linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c 2011-04-17 15:57:32.000000000 -0400
14990 @@ -32,8 +32,8 @@ out:
14994 -static void find_start_end(unsigned long flags, unsigned long *begin,
14995 - unsigned long *end)
14996 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14997 + unsigned long *begin, unsigned long *end)
14999 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
15000 unsigned long new_begin;
15001 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
15002 *begin = new_begin;
15005 - *begin = TASK_UNMAPPED_BASE;
15006 + *begin = mm->mmap_base;
15010 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
15011 if (flags & MAP_FIXED)
15014 - find_start_end(flags, &begin, &end);
15015 + find_start_end(mm, flags, &begin, &end);
15020 +#ifdef CONFIG_PAX_RANDMMAP
15021 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15025 addr = PAGE_ALIGN(addr);
15026 vma = find_vma(mm, addr);
15027 - if (end - len >= addr &&
15028 - (!vma || addr + len <= vma->vm_start))
15029 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
15032 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
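Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` at 15020-15021 has no body of its own in the hunk; it appears to rely on the following `if (addr) {` (lines 15022-15024 not shown) being its statement, i.e. an `#ifdef`-wrapped condition that silently prefixes the next statement. That is fragile, since any line inserted between them changes behaviour, and the same shape recurs in arch_get_unmapped_area_topdown below. Prefer a single expression, e.g. `if (addr && !pax_randmmap(mm)) {` with a tiny helper that folds to false when the option is off, or at minimum braces plus a comment.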
15033 @@ -106,7 +109,7 @@ full_search:
15037 - if (!vma || addr + len <= vma->vm_start) {
15038 + if (check_heap_stack_gap(vma, addr, len)) {
15040 * Remember the place where we stopped the search:
15042 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
15044 struct vm_area_struct *vma;
15045 struct mm_struct *mm = current->mm;
15046 - unsigned long addr = addr0;
15047 + unsigned long base = mm->mmap_base, addr = addr0;
15049 /* requested length too big for entire address space */
15050 if (len > TASK_SIZE)
15051 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
15052 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
15055 +#ifdef CONFIG_PAX_RANDMMAP
15056 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15059 /* requesting a specific address */
15061 addr = PAGE_ALIGN(addr);
15062 - vma = find_vma(mm, addr);
15063 - if (TASK_SIZE - len >= addr &&
15064 - (!vma || addr + len <= vma->vm_start))
15066 + if (TASK_SIZE - len >= addr) {
15067 + vma = find_vma(mm, addr);
15068 + if (check_heap_stack_gap(vma, addr, len))
15073 /* check if free_area_cache is useful for us */
15074 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
15075 /* make sure it can fit in the remaining address space */
15077 vma = find_vma(mm, addr-len);
15078 - if (!vma || addr <= vma->vm_start)
15079 + if (check_heap_stack_gap(vma, addr - len, len))
15080 /* remember the address as a hint for next time */
15081 return mm->free_area_cache = addr-len;
15083 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
15084 * return with success:
15086 vma = find_vma(mm, addr);
15087 - if (!vma || addr+len <= vma->vm_start)
15088 + if (check_heap_stack_gap(vma, addr, len))
15089 /* remember the address as a hint for next time */
15090 return mm->free_area_cache = addr;
15092 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
15093 mm->cached_hole_size = vma->vm_start - addr;
15095 /* try just below the current vma->vm_start */
15096 - addr = vma->vm_start-len;
15097 - } while (len < vma->vm_start);
15098 + addr = skip_heap_stack_gap(vma, len);
15099 + } while (!IS_ERR_VALUE(addr));
15103 @@ -198,13 +206,21 @@ bottomup:
15104 * can happen with large stack limits and large mmap()
15107 + mm->mmap_base = TASK_UNMAPPED_BASE;
15109 +#ifdef CONFIG_PAX_RANDMMAP
15110 + if (mm->pax_flags & MF_PAX_RANDMMAP)
15111 + mm->mmap_base += mm->delta_mmap;
15114 + mm->free_area_cache = mm->mmap_base;
15115 mm->cached_hole_size = ~0UL;
15116 - mm->free_area_cache = TASK_UNMAPPED_BASE;
15117 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15119 * Restore the topdown base:
15121 - mm->free_area_cache = mm->mmap_base;
15122 + mm->mmap_base = base;
15123 + mm->free_area_cache = base;
15124 mm->cached_hole_size = ~0UL;
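Review bot: The bottom-up fallback now overwrites `mm->mmap_base` at 15107–15111 before calling `arch_get_unmapped_area()` and restores it from `base` at 15122, so for the duration of that call anyone reading `mm->mmap_base` sees the bottom-up value; that is safe only if callers hold `mmap_sem` for write (true for the mmap path, to be confirmed for others), and the assumption deserves to be stated at the assignment: `/* temporarily present a bottom-up layout to arch_get_unmapped_area(); callers hold mmap_sem for write and base is restored below */`. The `base` snapshot comes from the function prologue (15047, in an earlier hunk), so the restore is correct even when the RANDMMAP branch has changed the value. Keeping `free_area_cache` assigned from `mm->mmap_base` right after the base change, as 15114 does, prevents the two from diverging.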
15127 diff -urNp linux-2.6.38.4/arch/x86/kernel/time.c linux-2.6.38.4/arch/x86/kernel/time.c
15128 --- linux-2.6.38.4/arch/x86/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
15129 +++ linux-2.6.38.4/arch/x86/kernel/time.c 2011-04-17 15:57:32.000000000 -0400
15130 @@ -22,17 +22,13 @@
15131 #include <asm/hpet.h>
15132 #include <asm/time.h>
15134 -#ifdef CONFIG_X86_64
15135 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
15138 unsigned long profile_pc(struct pt_regs *regs)
15140 unsigned long pc = instruction_pointer(regs);
15142 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
15143 + if (!user_mode(regs) && in_lock_functions(pc)) {
15144 #ifdef CONFIG_FRAME_POINTER
15145 - return *(unsigned long *)(regs->bp + sizeof(long));
15146 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
15148 unsigned long *sp =
15149 (unsigned long *)kernel_stack_pointer(regs);
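Review bot: `ktla_ktva()` now wraps the frame-pointer-derived return address at 15146 (and `sp[0]` at 15156 in the following hunk) without a comment on what the conversion does; presumably KERNEXEC maps kernel text at a linear address that differs from its virtual address and profile_pc must report the latter, but that is inferred from the name alone. A one-line comment above the first use, `/* kernel text is mapped at a different linear address under KERNEXEC; report the virtual address */`, with the wording checked against ktla_ktva's definition, would settle it. The swap from `user_mode_vm()` to `user_mode()` at 15143 is only behaviour-preserving if the patch redefines those helpers, as the `user_mode_novm` renames in the traps.c hunks (15266, 15311) suggest; that redefinition is outside this chunk. profile_pc continues outside the hunk.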
15150 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
15151 * or above a saved flags. Eflags has bits 22-31 zero,
15152 * kernel addresses don't.
15155 +#ifdef CONFIG_PAX_KERNEXEC
15156 + return ktla_ktva(sp[0]);
15168 diff -urNp linux-2.6.38.4/arch/x86/kernel/tls.c linux-2.6.38.4/arch/x86/kernel/tls.c
15169 --- linux-2.6.38.4/arch/x86/kernel/tls.c 2011-03-14 21:20:32.000000000 -0400
15170 +++ linux-2.6.38.4/arch/x86/kernel/tls.c 2011-04-17 15:57:32.000000000 -0400
15171 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
15172 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
15175 +#ifdef CONFIG_PAX_SEGMEXEC
15176 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
15180 set_tls_desc(p, idx, &info, 1);
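Review bot: The SEGMEXEC rejection at 15176 gives no reason why a TLS entry with `MODIFY_LDT_CONTENTS_CODE` is refused; presumably a user-defined code segment in a GDT TLS slot would not respect the code/data segment split that SEGMEXEC maintains, but the code should say so: `/* SEGMEXEC keeps code and data in separate segments; a user-supplied code segment in a TLS slot would not honour that split, so refuse it */`. The condition also dereferences `p->mm` without a NULL test, unlike the neighbouring check at 15172 which only inspects `idx`; for the ptrace caller of do_set_thread_area that is probably fine, but it is worth confirming. The action taken on rejection (15177) is not visible in this chunk. do_set_thread_area starts and ends outside the hunk.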
15183 diff -urNp linux-2.6.38.4/arch/x86/kernel/trampoline_32.S linux-2.6.38.4/arch/x86/kernel/trampoline_32.S
15184 --- linux-2.6.38.4/arch/x86/kernel/trampoline_32.S 2011-03-14 21:20:32.000000000 -0400
15185 +++ linux-2.6.38.4/arch/x86/kernel/trampoline_32.S 2011-04-17 15:57:32.000000000 -0400
15187 #include <asm/segment.h>
15188 #include <asm/page_types.h>
15190 +#ifdef CONFIG_PAX_KERNEXEC
15193 +#define ta(X) ((X) - __PAGE_OFFSET)
15196 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
15199 @@ -60,7 +66,7 @@ r_base = .
15200 inc %ax # protected mode (PE) bit
15201 lmsw %ax # into protected mode
15202 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
15203 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
15204 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
15206 # These need to be in the same 64K segment as the above;
15207 # hence we don't use the boot_gdt_descr defined in head.S
15208 diff -urNp linux-2.6.38.4/arch/x86/kernel/trampoline_64.S linux-2.6.38.4/arch/x86/kernel/trampoline_64.S
15209 --- linux-2.6.38.4/arch/x86/kernel/trampoline_64.S 2011-03-14 21:20:32.000000000 -0400
15210 +++ linux-2.6.38.4/arch/x86/kernel/trampoline_64.S 2011-04-17 15:57:32.000000000 -0400
15211 @@ -91,7 +91,7 @@ startup_32:
15212 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
15215 - movl $X86_CR4_PAE, %eax
15216 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15217 movl %eax, %cr4 # Enable PAE mode
15219 # Setup trampoline 4 level pagetables
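Review bot: The comment `# Enable PAE mode` at 15217 is now stale: the value written to %cr4 at 15216 also sets PSE and PGE. Change it to `# Enable PSE, PAE and PGE`, and add a short why-note for PGE, since enabling global pages in the trampoline before the real page tables are loaded is unusual enough that a reader will ask whether it is required here.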
15220 @@ -138,7 +138,7 @@ tidt:
15221 # so the kernel can live anywhere
15224 - .short tgdt_end - tgdt # gdt limit
15225 + .short tgdt_end - tgdt - 1 # gdt limit
15226 .long tgdt - r_base
15228 .quad 0x00cf9b000000ffff # __KERNEL32_CS
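Review bot: The `- 1` added at 15225 is the right correction — a descriptor-table limit is the offset of the last valid byte, not the table size — but the only explanation is the unchanged `# gdt limit` comment, which is exactly what misled the original. Make the rule self-evident at the site: `.short tgdt_end - tgdt - 1 # gdt limit = size - 1`. Only `tgdt` is corrected in this hunk; any other `# gdt limit` descriptor in the tree should be checked against the same convention.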
15229 diff -urNp linux-2.6.38.4/arch/x86/kernel/traps.c linux-2.6.38.4/arch/x86/kernel/traps.c
15230 --- linux-2.6.38.4/arch/x86/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
15231 +++ linux-2.6.38.4/arch/x86/kernel/traps.c 2011-04-17 15:57:32.000000000 -0400
15232 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
15234 /* Do we ignore FPU interrupts ? */
15235 char ignore_fpu_irq;
15238 - * The IDT has to be page-aligned to simplify the Pentium
15239 - * F0 0F bug workaround.
15241 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
15244 DECLARE_BITMAP(used_vectors, NR_VECTORS);
15245 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
15248 static void __kprobes
15249 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
15250 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
15251 long error_code, siginfo_t *info)
15253 struct task_struct *tsk = current;
15255 #ifdef CONFIG_X86_32
15256 - if (regs->flags & X86_VM_MASK) {
15257 + if (v8086_mode(regs)) {
15259 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
15260 * On nmi (interrupt 2), do_trap should not be called.
15261 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
15265 - if (!user_mode(regs))
15266 + if (!user_mode_novm(regs))
15269 #ifdef CONFIG_X86_32
15270 @@ -157,7 +151,7 @@ trap_signal:
15271 printk_ratelimit()) {
15273 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
15274 - tsk->comm, tsk->pid, str,
15275 + tsk->comm, task_pid_nr(tsk), str,
15276 regs->ip, regs->sp, error_code);
15277 print_vma_addr(" in ", regs->ip);
15279 @@ -174,8 +168,20 @@ kernel_trap:
15280 if (!fixup_exception(regs)) {
15281 tsk->thread.error_code = error_code;
15282 tsk->thread.trap_no = trapnr;
15284 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15285 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
15286 + str = "PAX: suspicious stack segment fault";
15289 die(str, regs, error_code);
15292 +#ifdef CONFIG_PAX_REFCOUNT
15294 + pax_report_refcount_overflow(regs);
15299 #ifdef CONFIG_X86_32
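Review bot: The kernel-CS test at 15285 — `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` — is repeated verbatim at 15339 in the gp_in_kernel hunk, and the vector `12` is a bare magic number. Pulling the selector test into one small helper under the same `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC` guard and naming the vector in a comment keeps both sites identical and stops a third copy from drifting. do_trap starts and ends outside the hunk, and the condition guarding `pax_report_refcount_overflow(regs)` at 15294 (line 15293) is not visible here.
```c
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
/* true when the trapping CS is one of the kernel code selectors (KERNEXEC adds a second one) */
static inline bool pax_kernel_cs(const struct pt_regs *regs)
{
	unsigned short cs = regs->cs & 0xFFFF;

	return cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS;
}
#endif

/* … unchanged: do_trap up to the fixup_exception() failure path … */
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	/* vector 12 is #SS; a stack-segment fault while CS is a kernel selector is not expected */
	if (trapnr == 12 && pax_kernel_cs(regs))
		str = "PAX: suspicious stack segment fault";
#endif
```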
15300 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
15301 conditional_sti(regs);
15303 #ifdef CONFIG_X86_32
15304 - if (regs->flags & X86_VM_MASK)
15305 + if (v8086_mode(regs))
15310 - if (!user_mode(regs))
15311 + if (!user_mode_novm(regs))
15314 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
15315 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
15316 + struct mm_struct *mm = tsk->mm;
15317 + unsigned long limit;
15319 + down_write(&mm->mmap_sem);
15320 + limit = mm->context.user_cs_limit;
15321 + if (limit < TASK_SIZE) {
15322 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
15323 + up_write(&mm->mmap_sem);
15326 + up_write(&mm->mmap_sem);
15330 tsk->thread.error_code = error_code;
15331 tsk->thread.trap_no = 13;
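Review bot: The PAGEEXEC block at 15314–15326 takes `mm->mmap_sem` for write inside the #GP handler and releases it on two separate lines (15323 and 15326) around a statement (15324) that is not visible here, which makes the lock balance hard to audit; releasing once after the conditional `track_exec_limit()` call, with the early exit placed after the single `up_write()`, would make the pairing obvious. Sleeping on `mmap_sem` is acceptable only because kernel-mode faults have already been diverted by the `!user_mode_novm(regs)` test at 15311 (the diverted statement is outside the chunk), and a comment should record both that and the intent: `/* user-mode #GP on a non-NX CPU under PAGEEXEC: may be the emulated exec limit firing; widen it before deciding to signal */` — the "before deciding to signal" part is inferred from the early `up_write()` and should be checked against 15324. do_general_protection continues outside the hunk.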
15333 @@ -304,6 +326,13 @@ gp_in_kernel:
15334 if (notify_die(DIE_GPF, "general protection fault", regs,
15335 error_code, 13, SIGSEGV) == NOTIFY_STOP)
15338 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15339 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
15340 + die("PAX: suspicious general protection fault", regs, error_code);
15344 die("general protection fault", regs, error_code);
15347 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
15348 /* It's safe to allow irq's after DR6 has been saved */
15349 preempt_conditional_sti(regs);
15351 - if (regs->flags & X86_VM_MASK) {
15352 + if (v8086_mode(regs)) {
15353 handle_vm86_trap((struct kernel_vm86_regs *) regs,
15355 preempt_conditional_cli(regs);
15356 @@ -583,7 +612,7 @@ dotraplinkage void __kprobes do_debug(st
15357 * We already checked v86 mode above, so we can check for kernel mode
15358 * by just checking the CPL of CS.
15360 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
15361 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
15362 tsk->thread.debugreg6 &= ~DR_STEP;
15363 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
15364 regs->flags &= ~X86_EFLAGS_TF;
15365 @@ -612,7 +641,7 @@ void math_error(struct pt_regs *regs, in
15367 conditional_sti(regs);
15369 - if (!user_mode_vm(regs))
15370 + if (!user_mode(regs))
15372 if (!fixup_exception(regs)) {
15373 task->thread.error_code = error_code;
15374 @@ -723,7 +752,7 @@ asmlinkage void __attribute__((weak)) sm
15375 void __math_state_restore(void)
15377 struct thread_info *thread = current_thread_info();
15378 - struct task_struct *tsk = thread->task;
15379 + struct task_struct *tsk = current;
15382 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
15383 @@ -750,8 +779,7 @@ void __math_state_restore(void)
15385 asmlinkage void math_state_restore(void)
15387 - struct thread_info *thread = current_thread_info();
15388 - struct task_struct *tsk = thread->task;
15389 + struct task_struct *tsk = current;
15391 if (!tsk_used_math(tsk)) {
15392 local_irq_enable();
15393 diff -urNp linux-2.6.38.4/arch/x86/kernel/tsc.c linux-2.6.38.4/arch/x86/kernel/tsc.c
15394 --- linux-2.6.38.4/arch/x86/kernel/tsc.c 2011-03-14 21:20:32.000000000 -0400
15395 +++ linux-2.6.38.4/arch/x86/kernel/tsc.c 2011-04-17 15:57:32.000000000 -0400
15396 @@ -837,7 +837,7 @@ static struct dmi_system_id __initdata b
15397 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
15401 + { NULL, NULL, {{0, {0}}}, NULL}
15404 static void __init check_system_tsc_reliable(void)
15405 diff -urNp linux-2.6.38.4/arch/x86/kernel/vm86_32.c linux-2.6.38.4/arch/x86/kernel/vm86_32.c
15406 --- linux-2.6.38.4/arch/x86/kernel/vm86_32.c 2011-03-14 21:20:32.000000000 -0400
15407 +++ linux-2.6.38.4/arch/x86/kernel/vm86_32.c 2011-04-17 15:57:32.000000000 -0400
15409 #include <linux/ptrace.h>
15410 #include <linux/audit.h>
15411 #include <linux/stddef.h>
15412 +#include <linux/grsecurity.h>
15414 #include <asm/uaccess.h>
15415 #include <asm/io.h>
15416 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
15420 - tss = &per_cpu(init_tss, get_cpu());
15421 + tss = init_tss + get_cpu();
15422 current->thread.sp0 = current->thread.saved_sp0;
15423 current->thread.sysenter_cs = __KERNEL_CS;
15424 load_sp0(tss, ¤t->thread);
15425 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
15426 struct task_struct *tsk;
15427 int tmp, ret = -EPERM;
15429 +#ifdef CONFIG_GRKERNSEC_VM86
15430 + if (!capable(CAP_SYS_RAWIO)) {
15431 + gr_handle_vm86();
15437 if (tsk->thread.saved_sp0)
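Review bot: The `CONFIG_GRKERNSEC_VM86` gate at 15429–15431 is duplicated verbatim in sys_vm86 at 15443–15445; a single static helper that performs the capability test, calls `gr_handle_vm86()` and returns the error keeps the two entry points from drifting, and its comment can say why `CAP_SYS_RAWIO` is the capability chosen. The statement following `gr_handle_vm86()` (15432) is not visible in this chunk, so the helper below carries a placeholder for the return value; both call sites must agree on it. sys_vm86old continues outside the hunk.
```c
#ifdef CONFIG_GRKERNSEC_VM86
/* vm86 entry is limited to CAP_SYS_RAWIO; gr_handle_vm86() records the refusal */
static int gr_vm86_denied(void)
{
	if (capable(CAP_SYS_RAWIO))
		return 0;
	gr_handle_vm86();
	return -EPERM; /* TODO(review): match whatever line 15432 returns today */
}
#endif

/* … unchanged: sys_vm86old locals … */
#ifdef CONFIG_GRKERNSEC_VM86
	ret = gr_vm86_denied();
	if (ret)
		return ret;
#endif
```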
15439 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
15441 struct vm86plus_struct __user *v86;
15443 +#ifdef CONFIG_GRKERNSEC_VM86
15444 + if (!capable(CAP_SYS_RAWIO)) {
15445 + gr_handle_vm86();
15453 case VM86_REQUEST_IRQ:
15454 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
15455 tsk->thread.saved_fs = info->regs32->fs;
15456 tsk->thread.saved_gs = get_user_gs(info->regs32);
15458 - tss = &per_cpu(init_tss, get_cpu());
15459 + tss = init_tss + get_cpu();
15460 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
15462 tsk->thread.sysenter_cs = 0;
15463 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
15464 goto cannot_handle;
15465 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
15466 goto cannot_handle;
15467 - intr_ptr = (unsigned long __user *) (i << 2);
15468 + intr_ptr = (__force unsigned long __user *) (i << 2);
15469 if (get_user(segoffs, intr_ptr))
15470 goto cannot_handle;
15471 if ((segoffs >> 16) == BIOSSEG)
15472 diff -urNp linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S
15473 --- linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
15474 +++ linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S 2011-04-17 15:57:32.000000000 -0400
15476 #include <asm/page_types.h>
15477 #include <asm/cache.h>
15478 #include <asm/boot.h>
15479 +#include <asm/segment.h>
15481 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15482 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
15484 +#define __KERNEL_TEXT_OFFSET 0
15487 #undef i386 /* in case the preprocessor is a 32bit one */
15489 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
15490 #ifdef CONFIG_X86_32
15492 ENTRY(phys_startup_32)
15493 -jiffies = jiffies_64;
15495 OUTPUT_ARCH(i386:x86-64)
15496 ENTRY(phys_startup_64)
15497 -jiffies_64 = jiffies;
15500 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
15501 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
15504 text PT_LOAD FLAGS(5); /* R_E */
15505 +#ifdef CONFIG_X86_32
15506 + module PT_LOAD FLAGS(5); /* R_E */
15509 + rodata PT_LOAD FLAGS(5); /* R_E */
15511 + rodata PT_LOAD FLAGS(4); /* R__ */
15513 data PT_LOAD FLAGS(6); /* RW_ */
15514 #ifdef CONFIG_X86_64
15515 user PT_LOAD FLAGS(5); /* R_E */
15517 + init.begin PT_LOAD FLAGS(6); /* RW_ */
15519 percpu PT_LOAD FLAGS(6); /* RW_ */
15521 + text.init PT_LOAD FLAGS(5); /* R_E */
15522 + text.exit PT_LOAD FLAGS(5); /* R_E */
15523 init PT_LOAD FLAGS(7); /* RWE */
15525 note PT_NOTE FLAGS(0); /* ___ */
15530 #ifdef CONFIG_X86_32
15531 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
15532 - phys_startup_32 = startup_32 - LOAD_OFFSET;
15533 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
15535 - . = __START_KERNEL;
15536 - phys_startup_64 = startup_64 - LOAD_OFFSET;
15537 + . = __START_KERNEL;
15540 /* Text and read-only data */
15541 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
15543 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
15544 /* bootstrapping code */
15545 +#ifdef CONFIG_X86_32
15546 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15548 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15550 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15553 #ifdef CONFIG_X86_32
15554 . = ALIGN(PAGE_SIZE);
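Review bot: The new `rodata PT_LOAD FLAGS(5); /* R_E */` program header at 15509 declares the read-only data segment executable under whichever condition line 15508 names (that line is not in this chunk), while the alternative at 15511 is the expected `R__`; an executable rodata segment runs against the direction of the rest of this patch, so the `#if` needs a comment naming the configuration that requires it and why, e.g. `/* <CONFIG from 15508>: rodata must stay executable here because <reason> */` with the placeholders filled in. The `.text` output section at 15543 is now placed at `. - __KERNEL_TEXT_OFFSET` with a matching `AT()` adjustment; a one-line pointer to the `__KERNEL_TEXT_OFFSET` definition at the top of the file (15481–15484) would help readers who do not know the KERNEXEC layout.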
15555 @@ -108,13 +128,47 @@ SECTIONS
15559 - /* End of text section */
15563 - NOTES :text :note
15564 + . += __KERNEL_TEXT_OFFSET;
15566 +#ifdef CONFIG_X86_32
15567 + . = ALIGN(PAGE_SIZE);
15568 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
15570 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
15571 + MODULES_EXEC_VADDR = .;
15573 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
15574 + . = ALIGN(HPAGE_SIZE);
15575 + MODULES_EXEC_END = . - 1;
15581 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
15582 + /* End of text section */
15583 + _etext = . - __KERNEL_TEXT_OFFSET;
15586 - EXCEPTION_TABLE(16) :text = 0x9090
15587 +#ifdef CONFIG_X86_32
15588 + . = ALIGN(PAGE_SIZE);
15589 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
15591 + . = ALIGN(PAGE_SIZE);
15592 + *(.empty_zero_page)
15593 + *(.initial_pg_fixmap)
15594 + *(.initial_pg_pmd)
15595 + *(.initial_page_table)
15596 + *(.swapper_pg_dir)
15600 + . = ALIGN(PAGE_SIZE);
15601 + NOTES :rodata :note
15603 + EXCEPTION_TABLE(16) :rodata
15605 #if defined(CONFIG_DEBUG_RODATA)
15606 /* .text should occupy whole number of pages */
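Review bot: On 32-bit the new `.rodata.page_aligned` output section (15589–15596) collects `.empty_zero_page`, the initial page tables and `.swapper_pg_dir` into a section named for read-only data; if it really lands in the read-only PHDR, every later writer of those tables must use whatever mechanism the patch provides for opening the kernel for writes, and the section says nothing about that. Suggested header comment above 15589: `/* page tables and the zero page are placed with rodata; writers must open the kernel for writing first (pax_open_kernel()/pax_close_kernel() are used for that in the KVM hunks of this patch) */`, with the helper names confirmed as the intended interface for page-table writers. The module text reservation at 15573 would also benefit from `/* CONFIG_PAX_KERNEXEC_MODULE_TEXT is in MiB */`, since the unit is only implied by the `* 1024 * 1024`.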
15607 @@ -126,16 +180,20 @@ SECTIONS
15610 .data : AT(ADDR(.data) - LOAD_OFFSET) {
15612 +#ifdef CONFIG_PAX_KERNEXEC
15613 + . = ALIGN(HPAGE_SIZE);
15615 + . = ALIGN(PAGE_SIZE);
15618 /* Start of data section */
15622 INIT_TASK_DATA(THREAD_SIZE)
15624 -#ifdef CONFIG_X86_32
15625 - /* 32 bit has nosave before _edata */
15629 PAGE_ALIGNED_DATA(PAGE_SIZE)
15631 @@ -144,6 +202,8 @@ SECTIONS
15635 + jiffies = jiffies_64;
15637 /* rarely changed data like cpu maps */
15638 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
15640 @@ -198,12 +258,6 @@ SECTIONS
15642 vgetcpu_mode = VVIRT(.vgetcpu_mode);
15644 - . = ALIGN(L1_CACHE_BYTES);
15645 - .jiffies : AT(VLOAD(.jiffies)) {
15648 - jiffies = VVIRT(.jiffies);
15650 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
15653 @@ -219,12 +273,19 @@ SECTIONS
15654 #endif /* CONFIG_X86_64 */
15656 /* Init code and data - will be freed after init */
15657 - . = ALIGN(PAGE_SIZE);
15658 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
15661 +#ifdef CONFIG_PAX_KERNEXEC
15662 + . = ALIGN(HPAGE_SIZE);
15664 + . = ALIGN(PAGE_SIZE);
15667 __init_begin = .; /* paired with __init_end */
15671 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
15674 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
15675 * output PHDR, so the next output section - .init.text - should
15676 @@ -233,12 +294,27 @@ SECTIONS
15677 PERCPU_VADDR(0, :percpu)
15680 - INIT_TEXT_SECTION(PAGE_SIZE)
15681 -#ifdef CONFIG_X86_64
15684 + . = ALIGN(PAGE_SIZE);
15686 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
15687 + VMLINUX_SYMBOL(_sinittext) = .;
15689 + VMLINUX_SYMBOL(_einittext) = .;
15690 + . = ALIGN(PAGE_SIZE);
15693 - INIT_DATA_SECTION(16)
15695 + * .exit.text is discard at runtime, not link time, to deal with
15696 + * references from .altinstructions and .eh_frame
15698 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
15702 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
15704 + . = ALIGN(PAGE_SIZE);
15705 + INIT_DATA_SECTION(16) :init
15707 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
15708 __x86_cpu_dev_start = .;
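Review bot: The comment moved to 15695–15696 still reads `.exit.text is discard at runtime`; since the block is rewritten anyway, correct it to `.exit.text is discarded at runtime, not at link time, …`. The `.init.text` placement at 15686 uses `AT(init_begin - LOAD_OFFSET)` and 15702 recomputes the location counter from `init_begin` plus the two section sizes; `init_begin` is assigned on a line not shown here (presumably 15685), and a comment explaining why `.` has to be rebuilt rather than left to flow after `.exit.text` would cover the one genuinely non-obvious step in this layout.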
15709 @@ -292,19 +368,12 @@ SECTIONS
15710 __iommu_table_end = .;
15714 - * .exit.text is discard at runtime, not link time, to deal with
15715 - * references from .altinstructions and .eh_frame
15717 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
15721 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
15725 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
15726 +#ifndef CONFIG_SMP
15727 PERCPU(THREAD_SIZE)
15730 @@ -323,16 +392,10 @@ SECTIONS
15731 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
15734 - . = ALIGN(PAGE_SIZE);
15735 __smp_locks_end = .;
15736 + . = ALIGN(PAGE_SIZE);
15739 -#ifdef CONFIG_X86_64
15740 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
15746 . = ALIGN(PAGE_SIZE);
15747 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15748 @@ -348,6 +411,7 @@ SECTIONS
15750 . += 64 * 1024; /* 64k alignment slop space */
15751 *(.brk_reservation) /* areas brk users have reserved */
15752 + . = ALIGN(HPAGE_SIZE);
15756 @@ -374,13 +438,12 @@ SECTIONS
15757 * for the boot processor.
15759 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15760 -INIT_PER_CPU(gdt_page);
15761 INIT_PER_CPU(irq_stack_union);
15764 * Build-time check on the image size:
15766 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15767 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15768 "kernel image bigger than KERNEL_IMAGE_SIZE");
15771 diff -urNp linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c
15772 --- linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c 2011-03-14 21:20:32.000000000 -0400
15773 +++ linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c 2011-04-17 15:57:32.000000000 -0400
15774 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15776 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15777 /* copy vsyscall data */
15778 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15779 vsyscall_gtod_data.clock.vread = clock->vread;
15780 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15781 vsyscall_gtod_data.clock.mask = clock->mask;
15782 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15783 We do this here because otherwise user space would do it on
15784 its own in a likely inferior way (no access to jiffies).
15785 If you don't like it pass NULL. */
15786 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15787 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15788 p = tcache->blob[1];
15789 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15790 /* Load per CPU data from RDTSCP */
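Review bot: `vgetcpu()` at 15787 now reads `jiffies`, which this patch defines in ordinary `.data` (vmlinux.lds.S 15635) after removing the `.jiffies` vsyscall-page section (15644–15648) and the `__jiffies` definition (time.c 15134–15135). If vgetcpu still executes in user mode from the vsyscall page, a read of a kernel `.data` symbol from there would fault, so this must depend on a change to how the vsyscall page runs that is not in this chunk; a comment at the read, `/* kernel data is reachable here because <mechanism> */` with the mechanism named, should record that dependency. vgetcpu continues outside the hunk.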
15791 diff -urNp linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c
15792 --- linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c 2011-03-14 21:20:32.000000000 -0400
15793 +++ linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c 2011-04-17 15:57:32.000000000 -0400
15794 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15795 EXPORT_SYMBOL(copy_user_generic_string);
15796 EXPORT_SYMBOL(copy_user_generic_unrolled);
15797 EXPORT_SYMBOL(__copy_user_nocache);
15798 -EXPORT_SYMBOL(_copy_from_user);
15799 -EXPORT_SYMBOL(_copy_to_user);
15801 EXPORT_SYMBOL(copy_page);
15802 EXPORT_SYMBOL(clear_page);
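Review bot: Dropping `EXPORT_SYMBOL(_copy_from_user)` and `EXPORT_SYMBOL(_copy_to_user)` at 15798–15799 leaves any module that calls copy_to_user()/copy_from_user() with an unresolvable symbol unless the replacements are exported next to their new definitions, which are not in this chunk. A short comment here — `/* _copy_{from,to}_user are exported from <file> since their rework */` with the file named — or a line in the commit description would spare the next person a link-failure hunt; an `allmodconfig` build is the quick confirmation.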
15803 diff -urNp linux-2.6.38.4/arch/x86/kernel/xsave.c linux-2.6.38.4/arch/x86/kernel/xsave.c
15804 --- linux-2.6.38.4/arch/x86/kernel/xsave.c 2011-03-14 21:20:32.000000000 -0400
15805 +++ linux-2.6.38.4/arch/x86/kernel/xsave.c 2011-04-17 15:57:32.000000000 -0400
15806 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15807 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15810 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15811 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15812 fx_sw_user->extended_size -
15813 FP_XSTATE_MAGIC2_SIZE));
15815 @@ -267,7 +267,7 @@ fx_only:
15816 * the other extended state.
15818 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15819 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15820 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15824 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15826 err = restore_user_xstate(buf);
15828 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15829 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15831 if (unlikely(err)) {
15833 diff -urNp linux-2.6.38.4/arch/x86/kvm/emulate.c linux-2.6.38.4/arch/x86/kvm/emulate.c
15834 --- linux-2.6.38.4/arch/x86/kvm/emulate.c 2011-03-14 21:20:32.000000000 -0400
15835 +++ linux-2.6.38.4/arch/x86/kvm/emulate.c 2011-04-17 15:57:32.000000000 -0400
15837 #define Src2ImmByte (2<<29)
15838 #define Src2One (3<<29)
15839 #define Src2Imm (4<<29)
15840 -#define Src2Mask (7<<29)
15841 +#define Src2Mask (7U<<29)
15843 #define X2(x...) x, x
15844 #define X3(x...) X2(x), x
15845 @@ -189,6 +189,7 @@ struct group_dual {
15847 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
15849 + unsigned long _tmp; \
15850 __asm__ __volatile__ ( \
15851 _PRE_EFLAGS("0", "4", "2") \
15852 _op _suffix " %"_x"3,%1; " \
15853 @@ -202,8 +203,6 @@ struct group_dual {
15854 /* Raw emulation: instruction has two explicit operands. */
15855 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15857 - unsigned long _tmp; \
15859 switch ((_dst).bytes) { \
15861 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
15862 @@ -219,7 +218,6 @@ struct group_dual {
15864 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15866 - unsigned long _tmp; \
15867 switch ((_dst).bytes) { \
15869 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
15870 diff -urNp linux-2.6.38.4/arch/x86/kvm/lapic.c linux-2.6.38.4/arch/x86/kvm/lapic.c
15871 --- linux-2.6.38.4/arch/x86/kvm/lapic.c 2011-03-14 21:20:32.000000000 -0400
15872 +++ linux-2.6.38.4/arch/x86/kvm/lapic.c 2011-04-17 15:57:32.000000000 -0400
15874 #define APIC_BUS_CYCLE_NS 1
15876 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15877 -#define apic_debug(fmt, arg...)
15878 +#define apic_debug(fmt, arg...) do {} while (0)
15880 #define APIC_LVT_NUM 6
15881 /* 14 is the version for Xeon and Pentium 8.4.8*/
15882 diff -urNp linux-2.6.38.4/arch/x86/kvm/svm.c linux-2.6.38.4/arch/x86/kvm/svm.c
15883 --- linux-2.6.38.4/arch/x86/kvm/svm.c 2011-03-14 21:20:32.000000000 -0400
15884 +++ linux-2.6.38.4/arch/x86/kvm/svm.c 2011-04-17 15:57:32.000000000 -0400
15885 @@ -3273,7 +3273,11 @@ static void reload_tss(struct kvm_vcpu *
15886 int cpu = raw_smp_processor_id();
15888 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15890 + pax_open_kernel();
15891 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15892 + pax_close_kernel();
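Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around the `tss_desc->type` write at 15890–15892 (and around `descs[GDT_ENTRY_TSS].type` in vmx.c 15914–15916) is unexplained; presumably the GDT has become read-only under KERNEXEC and these calls lift that for one store, but a reader of this file alone cannot tell. Add `/* the GDT is read-only under KERNEXEC; open it just for this descriptor update */` above the first call, and keep the window to the single statement as done here, since presumably nothing between open and close should be able to sleep or fault. reload_tss continues outside the hunk.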
15897 @@ -3850,7 +3854,7 @@ static void svm_fpu_deactivate(struct kv
15898 update_cr0_intercept(svm);
15901 -static struct kvm_x86_ops svm_x86_ops = {
15902 +static const struct kvm_x86_ops svm_x86_ops = {
15903 .cpu_has_kvm_support = has_svm,
15904 .disabled_by_bios = is_disabled,
15905 .hardware_setup = svm_hardware_setup,
15906 diff -urNp linux-2.6.38.4/arch/x86/kvm/vmx.c linux-2.6.38.4/arch/x86/kvm/vmx.c
15907 --- linux-2.6.38.4/arch/x86/kvm/vmx.c 2011-03-14 21:20:32.000000000 -0400
15908 +++ linux-2.6.38.4/arch/x86/kvm/vmx.c 2011-04-17 15:57:32.000000000 -0400
15909 @@ -725,7 +725,11 @@ static void reload_tss(void)
15910 struct desc_struct *descs;
15912 descs = (void *)gdt->address;
15914 + pax_open_kernel();
15915 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15916 + pax_close_kernel();
15921 @@ -1642,8 +1646,11 @@ static __init int hardware_setup(void)
15922 if (!cpu_has_vmx_flexpriority())
15923 flexpriority_enabled = 0;
15925 - if (!cpu_has_vmx_tpr_shadow())
15926 - kvm_x86_ops->update_cr8_intercept = NULL;
15927 + if (!cpu_has_vmx_tpr_shadow()) {
15928 + pax_open_kernel();
15929 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15930 + pax_close_kernel();
15933 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15934 kvm_disable_largepages();
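Review bot: The store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` at 15929 writes through a cast that discards `const` on `vmx_x86_ops`, which this patch defines as `static const` (15983); under C11 6.7.3p6 modifying an object defined `const` is undefined behaviour regardless of `pax_open_kernel()` making the page writable, and a compiler may assume the initialiser's value persists. If callers only use the NULL to skip the call, a well-defined alternative is to leave the table alone and have the callback exit early, e.g. `if (!cpu_has_vmx_tpr_shadow()) return;` at the top of `update_cr8_intercept`; keeping the table non-const until hardware_setup() completes is the other option. If the in-place write stays, a comment must spell out the reliance on pax_open_kernel() and the UB caveat. hardware_setup continues outside the hunk.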
15935 @@ -2640,7 +2647,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15936 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15938 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15939 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15940 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15941 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15942 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15943 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15944 @@ -4031,6 +4038,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15945 "jmp .Lkvm_vmx_return \n\t"
15946 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15947 ".Lkvm_vmx_return: "
15949 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15950 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15951 + ".Lkvm_vmx_return2: "
15954 /* Save guest registers, load host registers, keep flags */
15955 "xchg %0, (%%"R"sp) \n\t"
15956 "mov %%"R"ax, %c[rax](%0) \n\t"
15957 @@ -4077,6 +4090,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
15958 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15960 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15962 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15963 + ,[cs]"i"(__KERNEL_CS)
15967 , R"ax", R"bx", R"di", R"si"
15968 #ifdef CONFIG_X86_64
15969 @@ -4091,7 +4109,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15971 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
15973 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15974 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15977 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
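Review bot: The segment reload at 15974 changes the selector loaded into %ds/%es from `__USER_DS` to `__KERNEL_DS` and adds a `%ss` reload unconditionally, while the other host-state adjustments in this file (15949–15952, 15962–15963) are guarded by `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC`. If the motivation is the 32-bit kernel data segment used by KERNEXEC/UDEREF, say so in a comment and consider the same guard; if it is meant for every build, the comment should explain why `__KERNEL_DS` is correct where mainline chose `__USER_DS`, and why the VMCS host-state SS selector that the hardware loads on VM exit is not sufficient on its own. vmx_vcpu_run continues outside the hunk.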
15978 @@ -4326,7 +4344,7 @@ static void vmx_set_supported_cpuid(u32
15982 -static struct kvm_x86_ops vmx_x86_ops = {
15983 +static const struct kvm_x86_ops vmx_x86_ops = {
15984 .cpu_has_kvm_support = cpu_has_kvm_support,
15985 .disabled_by_bios = vmx_disabled_by_bios,
15986 .hardware_setup = hardware_setup,
15987 diff -urNp linux-2.6.38.4/arch/x86/kvm/x86.c linux-2.6.38.4/arch/x86/kvm/x86.c
15988 --- linux-2.6.38.4/arch/x86/kvm/x86.c 2011-03-14 21:20:32.000000000 -0400
15989 +++ linux-2.6.38.4/arch/x86/kvm/x86.c 2011-04-22 19:09:02.000000000 -0400
15990 @@ -93,7 +93,7 @@ static void update_cr8_intercept(struct
15991 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15992 struct kvm_cpuid_entry2 __user *entries);
15994 -struct kvm_x86_ops *kvm_x86_ops;
15995 +const struct kvm_x86_ops *kvm_x86_ops;
15996 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15998 int ignore_msrs = 0;
15999 @@ -119,38 +119,38 @@ static struct kvm_shared_msrs_global __r
16000 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
16002 struct kvm_stats_debugfs_item debugfs_entries[] = {
16003 - { "pf_fixed", VCPU_STAT(pf_fixed) },
16004 - { "pf_guest", VCPU_STAT(pf_guest) },
16005 - { "tlb_flush", VCPU_STAT(tlb_flush) },
16006 - { "invlpg", VCPU_STAT(invlpg) },
16007 - { "exits", VCPU_STAT(exits) },
16008 - { "io_exits", VCPU_STAT(io_exits) },
16009 - { "mmio_exits", VCPU_STAT(mmio_exits) },
16010 - { "signal_exits", VCPU_STAT(signal_exits) },
16011 - { "irq_window", VCPU_STAT(irq_window_exits) },
16012 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
16013 - { "halt_exits", VCPU_STAT(halt_exits) },
16014 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
16015 - { "hypercalls", VCPU_STAT(hypercalls) },
16016 - { "request_irq", VCPU_STAT(request_irq_exits) },
16017 - { "irq_exits", VCPU_STAT(irq_exits) },
16018 - { "host_state_reload", VCPU_STAT(host_state_reload) },
16019 - { "efer_reload", VCPU_STAT(efer_reload) },
16020 - { "fpu_reload", VCPU_STAT(fpu_reload) },
16021 - { "insn_emulation", VCPU_STAT(insn_emulation) },
16022 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
16023 - { "irq_injections", VCPU_STAT(irq_injections) },
16024 - { "nmi_injections", VCPU_STAT(nmi_injections) },
16025 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
16026 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
16027 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
16028 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
16029 - { "mmu_flooded", VM_STAT(mmu_flooded) },
16030 - { "mmu_recycled", VM_STAT(mmu_recycled) },
16031 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
16032 - { "mmu_unsync", VM_STAT(mmu_unsync) },
16033 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
16034 - { "largepages", VM_STAT(lpages) },
16035 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
16036 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
16037 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
16038 + { "invlpg", VCPU_STAT(invlpg), NULL },
16039 + { "exits", VCPU_STAT(exits), NULL },
16040 + { "io_exits", VCPU_STAT(io_exits), NULL },
16041 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
16042 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
16043 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
16044 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
16045 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
16046 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
16047 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
16048 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
16049 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
16050 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
16051 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
16052 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
16053 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
16054 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
16055 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
16056 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
16057 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
16058 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
16059 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
16060 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
16061 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
16062 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
16063 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
16064 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
16065 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
16066 + { "largepages", VM_STAT(lpages), NULL },
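Review bot: Adding an explicit trailing `NULL` to all 32 rows (16035–16066) ties every initialiser to the member order of `struct kvm_stats_debugfs_item` for the sole benefit of silencing a missing-field-initialiser warning. A comment on the table stating that the third member is the debugfs dentry filled in at runtime, or designated initialisers if the VCPU_STAT/VM_STAT macros can expand to designated members, would express the intent without positional padding. The table's terminator (16067) is not shown in this chunk.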
16070 @@ -2023,6 +2023,8 @@ long kvm_arch_dev_ioctl(struct file *fil
16071 if (n < msr_list.nmsrs)
16074 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
16076 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
16077 num_msrs_to_save * sizeof(u32)))
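Review bot: The bound check `if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))` at 16074 guards a condition that the MSR-list initialisation should make impossible, and the hunk does not show what 16075 does when it fires. If it silently returns an error, an invariant violation goes unnoticed; `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` keeps the defensive exit and logs once, which is the better shape for a cannot-happen check. kvm_arch_dev_ioctl continues outside the hunk.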
16079 @@ -2190,15 +2192,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
16080 struct kvm_cpuid2 *cpuid,
16081 struct kvm_cpuid_entry2 __user *entries)
16087 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
16090 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
16091 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16092 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16094 + for (i = 0; i < cpuid->nent; ++i) {
16095 + struct kvm_cpuid_entry2 cpuid_entry;
16096 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
16098 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
16100 vcpu->arch.cpuid_nent = cpuid->nent;
16101 kvm_apic_set_version(vcpu);
16102 kvm_x86_ops->cpuid_update(vcpu);
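Review bot: The per-entry `__copy_from_user` loop replaces a single `copy_from_user` without saying why, and a reader will take it for a gratuitous slowdown; a one-line comment would help, e.g. `/* copy one entry at a time so the usercopy size check sees a fixed-size stack object instead of an array embedded in the vcpu */` (that motivation is my inference; adjust to the real one). As with the original code, a fault on entry i leaves `cpuid_entries[0..i-1]` overwritten while `cpuid_nent` still describes the old table, so the failure path is not atomic; not a regression, but worth stating in the same comment. The `return` for a failed entry and the declaration of `i` are not visible here, and the function starts before the hunk.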
16103 @@ -2213,15 +2220,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
16104 struct kvm_cpuid2 *cpuid,
16105 struct kvm_cpuid_entry2 __user *entries)
16111 if (cpuid->nent < vcpu->arch.cpuid_nent)
16114 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
16115 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16116 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16118 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
16119 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
16120 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
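Review bot: The local `cpuid_entry` copy in front of each `__copy_to_user` doubles the work of the former single `copy_to_user` and its purpose is not stated; if it exists to hand the usercopy checker a fixed-size stack object, say so: `/* stage each entry on the stack so the usercopy check sees a bounded object */`. Because the temporary is filled by whole-struct assignment from the kernel array, it leaks no uninitialised stack bytes to user space provided `struct kvm_cpuid_entry2` has no implicit padding (its uapi definition is not shown here — please confirm). The `access_ok` length uses `vcpu->arch.cpuid_nent`, which the set path in the previous hunk bounds by KVM_MAX_CPUID_ENTRIES, so the multiplication cannot overflow. The function's return on failure is outside the visible lines.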
16126 @@ -2499,7 +2510,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
16127 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
16128 struct kvm_interrupt *irq)
16130 - if (irq->irq < 0 || irq->irq >= 256)
16131 + if (irq->irq >= 256)
16133 if (irqchip_in_kernel(vcpu->kvm))
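Review bot: Dropping the `irq->irq < 0` test is correct only because `irq->irq` is unsigned (`__u32` in `struct kvm_interrupt`, not visible here), which made the old comparison dead; since `>= 256` is now the sole guard, give the bound a name or a comment, e.g. `if (irq->irq >= KVM_NR_INTERRUPTS)` if that constant is defined for this arch, or `/* irq is __u32: only the upper bound needs checking */`. The rest of kvm_vcpu_ioctl_interrupt lies outside the hunk.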
16135 @@ -4687,10 +4698,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
16137 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
16139 -int kvm_arch_init(void *opaque)
16140 +int kvm_arch_init(const void *opaque)
16143 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
16144 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
16147 printk(KERN_ERR "kvm: already loaded the other module\n");
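Review bot: The explicit cast `(const struct kvm_x86_ops *)opaque` is redundant now that `opaque` is `const void *` — C converts `const void *` to any pointer-to-const implicitly — so `const struct kvm_x86_ops *ops = opaque;` says the same thing and will not silently hide a future type change the way a cast does. The signature change must also be mirrored in the generic `kvm_arch_init` declaration and in every other arch implementing it, which is outside this hunk; the function body continues past the visible lines.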
16148 diff -urNp linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S
16149 --- linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S 2011-03-14 21:20:32.000000000 -0400
16150 +++ linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S 2011-04-17 15:57:32.000000000 -0400
16151 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
16153 \ins\()l %esi, %ebx
16154 \insc\()l %edi, %ecx
16156 +#ifdef CONFIG_PAX_REFCOUNT
16159 + _ASM_EXTABLE(2b, 3f)
16170 +#ifdef CONFIG_PAX_REFCOUNT
16177 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
16182 +#ifdef CONFIG_PAX_REFCOUNT
16185 + _ASM_EXTABLE(2b, 3f)
16196 +#ifdef CONFIG_PAX_REFCOUNT
16203 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
16208 +#ifdef CONFIG_PAX_REFCOUNT
16211 + _ASM_EXTABLE(1234b, 1234b)
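Review bot: `_ASM_EXTABLE(1234b, 1234b)` registers a fixup whose target is the faulting address itself, which is only sane for a trap (where the saved IP already points past the trapping instruction) and only if the handler for it reports the overflow and returns instead of re-raising; none of that is visible here because the instruction before label 1234 is elided. Add a comment at the entry, e.g. `# PAX_REFCOUNT: the overflow trap lands here, the handler reports and the operation resumes at the next insn`, so a reader does not take the self-referencing entry for an infinite loop. The same construct appears in the next hunk for atomic64_inc_not_zero_cx8.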
16217 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
16222 +#ifdef CONFIG_PAX_REFCOUNT
16225 + _ASM_EXTABLE(1234b, 1234b)
16231 diff -urNp linux-2.6.38.4/arch/x86/lib/checksum_32.S linux-2.6.38.4/arch/x86/lib/checksum_32.S
16232 --- linux-2.6.38.4/arch/x86/lib/checksum_32.S 2011-03-14 21:20:32.000000000 -0400
16233 +++ linux-2.6.38.4/arch/x86/lib/checksum_32.S 2011-04-17 15:57:32.000000000 -0400
16235 #include <linux/linkage.h>
16236 #include <asm/dwarf2.h>
16237 #include <asm/errno.h>
16239 +#include <asm/segment.h>
16242 * computes a partial checksum, e.g. for TCP/UDP fragments
16244 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
16249 -ENTRY(csum_partial_copy_generic)
16251 +ENTRY(csum_partial_copy_generic_to_user)
16254 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16256 + CFI_ADJUST_CFA_OFFSET 4
16258 + CFI_ADJUST_CFA_OFFSET -4
16259 + jmp csum_partial_copy_generic
16262 +ENTRY(csum_partial_copy_generic_from_user)
16264 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16266 + CFI_ADJUST_CFA_OFFSET 4
16268 + CFI_ADJUST_CFA_OFFSET -4
16271 +ENTRY(csum_partial_copy_generic)
16273 CFI_ADJUST_CFA_OFFSET 4
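Review bot: The three entry points leave the segment convention undocumented: from the CFI adjustments it looks as if `_to_user` loads the user selector into %es (used by the `%es:` stores in the following hunks) and `_from_user` into %ds (the default for the loads), with the generic body restoring both from %ss on exit, but the push/pop instructions are elided here and none of this is written down. A header comment above `csum_partial_copy_generic_to_user` such as `# UDEREF: _to_user runs with %es = user selector, _from_user with %ds = user selector; kernel-only stores use %ss:, both are restored from %ss before return` would make every `%es:`/`%ss:` override below self-explanatory. Without CONFIG_PAX_MEMORY_UDEREF the two new entries simply fall through into the generic body, which is fine but also deserves a word.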
16275 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
16277 SRC(1: movw (%esi), %bx )
16279 -DST( movw %bx, (%edi) )
16280 +DST( movw %bx, %es:(%edi) )
16284 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
16285 SRC(1: movl (%esi), %ebx )
16286 SRC( movl 4(%esi), %edx )
16288 -DST( movl %ebx, (%edi) )
16289 +DST( movl %ebx, %es:(%edi) )
16291 -DST( movl %edx, 4(%edi) )
16292 +DST( movl %edx, %es:4(%edi) )
16294 SRC( movl 8(%esi), %ebx )
16295 SRC( movl 12(%esi), %edx )
16297 -DST( movl %ebx, 8(%edi) )
16298 +DST( movl %ebx, %es:8(%edi) )
16300 -DST( movl %edx, 12(%edi) )
16301 +DST( movl %edx, %es:12(%edi) )
16303 SRC( movl 16(%esi), %ebx )
16304 SRC( movl 20(%esi), %edx )
16306 -DST( movl %ebx, 16(%edi) )
16307 +DST( movl %ebx, %es:16(%edi) )
16309 -DST( movl %edx, 20(%edi) )
16310 +DST( movl %edx, %es:20(%edi) )
16312 SRC( movl 24(%esi), %ebx )
16313 SRC( movl 28(%esi), %edx )
16315 -DST( movl %ebx, 24(%edi) )
16316 +DST( movl %ebx, %es:24(%edi) )
16318 -DST( movl %edx, 28(%edi) )
16319 +DST( movl %edx, %es:28(%edi) )
16323 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
16324 shrl $2, %edx # This clears CF
16325 SRC(3: movl (%esi), %ebx )
16327 -DST( movl %ebx, (%edi) )
16328 +DST( movl %ebx, %es:(%edi) )
16332 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
16334 SRC( movw (%esi), %cx )
16336 -DST( movw %cx, (%edi) )
16337 +DST( movw %cx, %es:(%edi) )
16341 SRC(5: movb (%esi), %cl )
16342 -DST( movb %cl, (%edi) )
16343 +DST( movb %cl, %es:(%edi) )
16347 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
16350 movl ARGBASE+20(%esp), %ebx # src_err_ptr
16351 - movl $-EFAULT, (%ebx)
16352 + movl $-EFAULT, %ss:(%ebx)
16354 # zero the complete destination - computing the rest
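Review bot: The `%ss:` override on `movl $-EFAULT, %ss:(%ebx)` is the one non-obvious instruction in this fixup and carries no comment: at this point either %ds or %es may hold the user selector depending on which entry was used, and %ss is the only data-capable segment guaranteed to still be the kernel selector, which is why the store to the kernel-side error pointer needs it. Suggest `# src_err_ptr is a kernel pointer; %ds/%es may be user selectors here, only %ss is guaranteed kernel`. The destination zeroing that follows (presumably a `rep stos`, not shown) implicitly uses %es:(%edi), which is correct for both variants only if %es is the user selector for _to_user and the kernel selector for _from_user — worth confirming against the entry code.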
16356 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
16359 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
16360 - movl $-EFAULT,(%ebx)
16361 + movl $-EFAULT,%ss:(%ebx)
16367 + CFI_ADJUST_CFA_OFFSET 4
16369 + CFI_ADJUST_CFA_OFFSET -4
16371 + CFI_ADJUST_CFA_OFFSET 4
16373 + CFI_ADJUST_CFA_OFFSET -4
16375 CFI_ADJUST_CFA_OFFSET -4
16377 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
16378 CFI_ADJUST_CFA_OFFSET -4
16381 -ENDPROC(csum_partial_copy_generic)
16382 +ENDPROC(csum_partial_copy_generic_to_user)
16386 /* Version for PentiumII/PPro */
16388 #define ROUND1(x) \
16390 SRC(movl x(%esi), %ebx ) ; \
16391 addl %ebx, %eax ; \
16392 - DST(movl %ebx, x(%edi) ) ;
16393 + DST(movl %ebx, %es:x(%edi)) ;
16397 SRC(movl x(%esi), %ebx ) ; \
16398 adcl %ebx, %eax ; \
16399 - DST(movl %ebx, x(%edi) ) ;
16400 + DST(movl %ebx, %es:x(%edi)) ;
16404 -ENTRY(csum_partial_copy_generic)
16406 +ENTRY(csum_partial_copy_generic_to_user)
16409 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16411 + CFI_ADJUST_CFA_OFFSET 4
16413 + CFI_ADJUST_CFA_OFFSET -4
16414 + jmp csum_partial_copy_generic
16417 +ENTRY(csum_partial_copy_generic_from_user)
16419 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16421 + CFI_ADJUST_CFA_OFFSET 4
16423 + CFI_ADJUST_CFA_OFFSET -4
16426 +ENTRY(csum_partial_copy_generic)
16428 CFI_ADJUST_CFA_OFFSET 4
16429 CFI_REL_OFFSET ebx, 0
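Review bot: The UDEREF prologue for the PentiumII/PPro variant is a byte-for-byte copy of the one added to the generic variant in an earlier hunk (same `_to_user`/`_from_user` entries, same push/pop and `jmp csum_partial_copy_generic`), so two places must now agree on which segment register each entry loads and on what the exit path restores; an assembler macro pair such as `.macro CSUM_UDEREF_ENTER seg` / `.macro CSUM_UDEREF_LEAVE` defined once at the top of the file would keep the variants from drifting. The ROUND/ROUND1 macros now emit an `%es:`-prefixed store, which changes the byte size of each unrolled round; the `lea 3f(...)` dispatch that depends on that size is in the next hunk.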
16430 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
16434 - lea 3f(%ebx,%ebx), %ebx
16435 + lea 3f(%ebx,%ebx,2), %ebx
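Review bot: `lea 3f(%ebx,%ebx,2), %ebx` hard-codes that every ROUND()/ROUND1() expansion is exactly 12 bytes (three bytes of code per four bytes of data), but the three instructions visible in those macros (3-byte load, 2-byte adc/add, 4-byte `%es:`-prefixed store) add up to 9, so the remaining 3 bytes must come from padding that this excerpt does not show. Pin the assumption next to the lea, e.g. `# each ROUND() must be exactly 12 bytes (9 bytes of code + padding); keep in sync with the macros above`, because a future change to either the macros or this scale factor silently corrupts the computed jump; an assembler-time `.if`/`.error` on the size of one expansion would catch it at build time. The function body continues outside the hunk.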
16439 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
16441 SRC( movw (%esi), %dx )
16443 -DST( movw %dx, (%edi) )
16444 +DST( movw %dx, %es:(%edi) )
16449 SRC( movb (%esi), %dl )
16450 -DST( movb %dl, (%edi) )
16451 +DST( movb %dl, %es:(%edi) )
16455 .section .fixup, "ax"
16456 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
16457 - movl $-EFAULT, (%ebx)
16458 + movl $-EFAULT, %ss:(%ebx)
16459 # zero the complete destination (computing the rest is too much work)
16460 movl ARGBASE+8(%esp),%edi # dst
16461 movl ARGBASE+12(%esp),%ecx # len
16462 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
16465 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
16466 - movl $-EFAULT, (%ebx)
16467 + movl $-EFAULT, %ss:(%ebx)
16471 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16473 + CFI_ADJUST_CFA_OFFSET 4
16475 + CFI_ADJUST_CFA_OFFSET -4
16477 + CFI_ADJUST_CFA_OFFSET 4
16479 + CFI_ADJUST_CFA_OFFSET -4
16483 CFI_ADJUST_CFA_OFFSET -4
16485 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
16489 -ENDPROC(csum_partial_copy_generic)
16490 +ENDPROC(csum_partial_copy_generic_to_user)
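Review bot: Only `csum_partial_copy_generic_to_user` gets an `ENDPROC`, so `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` (both introduced with `ENTRY` in the earlier hunk) carry no `.type ...,@function` / `.size`, which breaks symbol-type checks and tooling that relies on symbol sizes. Add `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing line; ENDPROC emits only type/size directives, so no code changes. The same fix applies to the first copy of the function earlier in this file.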
16494 diff -urNp linux-2.6.38.4/arch/x86/lib/clear_page_64.S linux-2.6.38.4/arch/x86/lib/clear_page_64.S
16495 --- linux-2.6.38.4/arch/x86/lib/clear_page_64.S 2011-03-14 21:20:32.000000000 -0400
16496 +++ linux-2.6.38.4/arch/x86/lib/clear_page_64.S 2011-04-17 15:57:32.000000000 -0400
16497 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
16499 #include <asm/cpufeature.h>
16501 - .section .altinstr_replacement,"ax"
16502 + .section .altinstr_replacement,"a"
16503 1: .byte 0xeb /* jmp <disp8> */
16504 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
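Review bot: Dropping the `x` flag from `.altinstr_replacement` is sound only because the replacement bytes are never executed in place — the alternatives patcher copies them over the original instructions — and every other definition of that section (copy_page_64.S and copy_user_64.S below, plus the C-side `alternative()` macros in the header, not shown) must use the same flags or the toolchain may reject or warn about a section flags mismatch. Record the reason at the directive: `/* copied into place by apply_alternatives(), never executed here: data, not text */`.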
16506 diff -urNp linux-2.6.38.4/arch/x86/lib/copy_page_64.S linux-2.6.38.4/arch/x86/lib/copy_page_64.S
16507 --- linux-2.6.38.4/arch/x86/lib/copy_page_64.S 2011-03-14 21:20:32.000000000 -0400
16508 +++ linux-2.6.38.4/arch/x86/lib/copy_page_64.S 2011-04-17 15:57:32.000000000 -0400
16509 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
16511 #include <asm/cpufeature.h>
16513 - .section .altinstr_replacement,"ax"
16514 + .section .altinstr_replacement,"a"
16515 1: .byte 0xeb /* jmp <disp8> */
16516 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
16518 diff -urNp linux-2.6.38.4/arch/x86/lib/copy_user_64.S linux-2.6.38.4/arch/x86/lib/copy_user_64.S
16519 --- linux-2.6.38.4/arch/x86/lib/copy_user_64.S 2011-03-14 21:20:32.000000000 -0400
16520 +++ linux-2.6.38.4/arch/x86/lib/copy_user_64.S 2011-04-17 15:57:32.000000000 -0400
16521 @@ -15,13 +15,14 @@
16522 #include <asm/asm-offsets.h>
16523 #include <asm/thread_info.h>
16524 #include <asm/cpufeature.h>
16525 +#include <asm/pgtable.h>
16527 .macro ALTERNATIVE_JUMP feature,orig,alt
16529 .byte 0xe9 /* 32bit jump */
16530 .long \orig-1f /* by default jump to orig */
16532 - .section .altinstr_replacement,"ax"
16533 + .section .altinstr_replacement,"a"
16534 2: .byte 0xe9 /* near jump with 32bit immediate */
16535 .long \alt-1b /* offset */ /* or alternatively to alt */
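Review bot: `#include <asm/pgtable.h>` is added but nothing in the visible lines of this file uses a symbol from it (the `PAX_USER_SHADOW_BASE` use in copy_user_nocache_64.S below is the likely motive and may be mirrored in an elided part here); if no use remains once `_copy_to_user`/`_copy_from_user` are removed in the next hunk, drop the include. The `.altinstr_replacement` flag change must stay in step with clear_page_64.S and copy_page_64.S.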
16537 @@ -64,37 +65,13 @@
16541 -/* Standard copy_to_user with segment limit checking */
16542 -ENTRY(_copy_to_user)
16544 - GET_THREAD_INFO(%rax)
16548 - cmpq TI_addr_limit(%rax),%rcx
16550 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
16552 -ENDPROC(_copy_to_user)
16554 -/* Standard copy_from_user with segment limit checking */
16555 -ENTRY(_copy_from_user)
16557 - GET_THREAD_INFO(%rax)
16561 - cmpq TI_addr_limit(%rax),%rcx
16562 - jae bad_from_user
16563 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
16565 -ENDPROC(_copy_from_user)
16567 .section .fixup,"ax"
16568 /* must zero dest */
16569 ENTRY(bad_from_user)
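Review bot: `bad_from_user` (still a global `ENTRY` in `.fixup` at the end of the hunk) loses its only visible caller, the `jae bad_from_user` in the removed `_copy_from_user`; if the C-side replacement (not shown) jumps or calls into it, keep it and say so with a comment such as `/* reached from the inline _copy_from_user when the range check fails */`, otherwise it is dead code and should go together with its `ENDPROC`. Note that deleting the asm wrappers also deletes the `addr_limit` range check that lived here (`cmpq TI_addr_limit(%rax),%rcx`), so the new inline versions must perform it before any shadow-base adjustment — worth a cross-reference comment at this label.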
16577 diff -urNp linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S
16578 --- linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S 2011-03-14 21:20:32.000000000 -0400
16579 +++ linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S 2011-04-17 15:57:32.000000000 -0400
16581 #include <asm/current.h>
16582 #include <asm/asm-offsets.h>
16583 #include <asm/thread_info.h>
16584 +#include <asm/pgtable.h>
16586 .macro ALIGN_DESTINATION
16587 #ifdef FIX_ALIGNMENT
16590 ENTRY(__copy_user_nocache)
16593 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16594 + mov $PAX_USER_SHADOW_BASE,%rcx
16602 jb 20f /* less then 8 bytes, go to byte copy loop */
16604 diff -urNp linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c
16605 --- linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c 2011-03-14 21:20:32.000000000 -0400
16606 +++ linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c 2011-04-17 15:57:32.000000000 -0400
16607 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
16611 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
16612 + src += PAX_USER_SHADOW_BASE;
16613 isum = csum_partial_copy_generic((__force const void *)src,
16614 dst, len, isum, errp, NULL);
16615 if (unlikely(*errp))
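Review bot: The adjustment `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is uncommented and reads as if it might be applied twice; it needs a comment such as `/* UDEREF: user pages are reachable only via their shadow alias; a pointer already at/above the base (KERNEL_DS caller) is left alone; with UDEREF off the base is 0 and this folds away */` — the last two claims are how I read the patch, please confirm against the definition of PAX_USER_SHADOW_BASE. `src` is `const void __user *`, so the pointer arithmetic on a `__user` pointer is what the `__force` cast on the next line papers over; the identical pattern in csum_partial_copy_to_user below argues for one small inline helper used by both. The range check that must precede the shift (access_ok on the unshifted pointer) is not visible in this excerpt.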
16616 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
16620 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
16621 + dst += PAX_USER_SHADOW_BASE;
16622 return csum_partial_copy_generic(src, (void __force *)dst,
16623 len, isum, NULL, errp);
16625 diff -urNp linux-2.6.38.4/arch/x86/lib/getuser.S linux-2.6.38.4/arch/x86/lib/getuser.S
16626 --- linux-2.6.38.4/arch/x86/lib/getuser.S 2011-03-14 21:20:32.000000000 -0400
16627 +++ linux-2.6.38.4/arch/x86/lib/getuser.S 2011-04-17 15:57:32.000000000 -0400
16628 @@ -33,14 +33,35 @@
16629 #include <asm/asm-offsets.h>
16630 #include <asm/thread_info.h>
16631 #include <asm/asm.h>
16632 +#include <asm/segment.h>
16633 +#include <asm/pgtable.h>
16635 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16636 +#define __copyuser_seg gs;
16638 +#define __copyuser_seg
16642 ENTRY(__get_user_1)
16645 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16646 GET_THREAD_INFO(%_ASM_DX)
16647 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16649 -1: movzb (%_ASM_AX),%edx
16651 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16652 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16653 + cmp %_ASM_DX,%_ASM_AX
16655 + add %_ASM_DX,%_ASM_AX
16661 +1: __copyuser_seg movzb (%_ASM_AX),%edx
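Review bot: `__copyuser_seg` is defined locally here (`#define __copyuser_seg gs;` under X86_32 && UDEREF) and again identically in putuser.S later in this patch, while usercopy_32.c uses a string-form variant from a header; three definitions of which selector prefixes user accesses is a maintenance hazard, so move the asm-form define into `asm/segment.h` (already included just above) next to the C-side one. Also, under X86_32 && UDEREF the `GET_THREAD_INFO`/`TI_addr_limit` compare is compiled out entirely, leaving the segment limit of the selector in %gs as the only range check; that is presumably by design (set_fs loads the selector), but it belongs in a comment at the `#if`, e.g. `# 32-bit UDEREF: %gs holds the selector set_fs() chose; its segment limit replaces the addr_limit compare`. The `jae` that skips the add when the address is already above the shadow base is elided here.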
16665 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
16666 ENTRY(__get_user_2)
16670 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16672 GET_THREAD_INFO(%_ASM_DX)
16673 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16675 -2: movzwl -1(%_ASM_AX),%edx
16677 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16678 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16679 + cmp %_ASM_DX,%_ASM_AX
16681 + add %_ASM_DX,%_ASM_AX
16687 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
16691 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
16692 ENTRY(__get_user_4)
16696 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16698 GET_THREAD_INFO(%_ASM_DX)
16699 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16701 -3: mov -3(%_ASM_AX),%edx
16703 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16704 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16705 + cmp %_ASM_DX,%_ASM_AX
16707 + add %_ASM_DX,%_ASM_AX
16713 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
16717 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
16718 GET_THREAD_INFO(%_ASM_DX)
16719 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16722 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16723 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16724 + cmp %_ASM_DX,%_ASM_AX
16726 + add %_ASM_DX,%_ASM_AX
16730 4: movq -7(%_ASM_AX),%_ASM_DX
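Review bot: The shadow-base block in `__get_user_8` is guarded by `#ifdef CONFIG_PAX_MEMORY_UDEREF` alone, whereas the 1/2/4 variants above use `defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)`; the two are equivalent only if `__get_user_8` itself sits inside an `#ifdef CONFIG_X86_64` (likely, but the surrounding lines are not shown). Using the same two-term condition here keeps the four variants uniform and robust if the 64-bit-only guard is ever relaxed. The branch that skips the `add` when the address is already above the base is elided in this excerpt.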
16733 diff -urNp linux-2.6.38.4/arch/x86/lib/insn.c linux-2.6.38.4/arch/x86/lib/insn.c
16734 --- linux-2.6.38.4/arch/x86/lib/insn.c 2011-03-14 21:20:32.000000000 -0400
16735 +++ linux-2.6.38.4/arch/x86/lib/insn.c 2011-04-17 15:57:32.000000000 -0400
16737 #include <linux/string.h>
16738 #include <asm/inat.h>
16739 #include <asm/insn.h>
16741 +#include <asm/pgtable_types.h>
16743 +#define ktla_ktva(addr) addr
16746 #define get_next(t, insn) \
16747 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
16749 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
16751 memset(insn, 0, sizeof(*insn));
16752 - insn->kaddr = kaddr;
16753 - insn->next_byte = kaddr;
16754 + insn->kaddr = ktla_ktva(kaddr);
16755 + insn->next_byte = ktla_ktva(kaddr);
16756 insn->x86_64 = x86_64 ? 1 : 0;
16757 insn->opnd_bytes = 4;
16759 diff -urNp linux-2.6.38.4/arch/x86/lib/mmx_32.c linux-2.6.38.4/arch/x86/lib/mmx_32.c
16760 --- linux-2.6.38.4/arch/x86/lib/mmx_32.c 2011-03-14 21:20:32.000000000 -0400
16761 +++ linux-2.6.38.4/arch/x86/lib/mmx_32.c 2011-04-17 15:57:32.000000000 -0400
16762 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
16766 + unsigned long cr0;
16768 if (unlikely(in_interrupt()))
16769 return __memcpy(to, from, len);
16770 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
16771 kernel_fpu_begin();
16773 __asm__ __volatile__ (
16774 - "1: prefetch (%0)\n" /* This set is 28 bytes */
16775 - " prefetch 64(%0)\n"
16776 - " prefetch 128(%0)\n"
16777 - " prefetch 192(%0)\n"
16778 - " prefetch 256(%0)\n"
16779 + "1: prefetch (%1)\n" /* This set is 28 bytes */
16780 + " prefetch 64(%1)\n"
16781 + " prefetch 128(%1)\n"
16782 + " prefetch 192(%1)\n"
16783 + " prefetch 256(%1)\n"
16785 ".section .fixup, \"ax\"\n"
16786 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16789 +#ifdef CONFIG_PAX_KERNEXEC
16790 + " movl %%cr0, %0\n"
16791 + " movl %0, %%eax\n"
16792 + " andl $0xFFFEFFFF, %%eax\n"
16793 + " movl %%eax, %%cr0\n"
16796 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16798 +#ifdef CONFIG_PAX_KERNEXEC
16799 + " movl %0, %%cr0\n"
16804 _ASM_EXTABLE(1b, 3b)
16806 + : "=&r" (cr0) : "r" (from) : "ax");
16808 for ( ; i > 5; i--) {
16809 __asm__ __volatile__ (
16810 - "1: prefetch 320(%0)\n"
16811 - "2: movq (%0), %%mm0\n"
16812 - " movq 8(%0), %%mm1\n"
16813 - " movq 16(%0), %%mm2\n"
16814 - " movq 24(%0), %%mm3\n"
16815 - " movq %%mm0, (%1)\n"
16816 - " movq %%mm1, 8(%1)\n"
16817 - " movq %%mm2, 16(%1)\n"
16818 - " movq %%mm3, 24(%1)\n"
16819 - " movq 32(%0), %%mm0\n"
16820 - " movq 40(%0), %%mm1\n"
16821 - " movq 48(%0), %%mm2\n"
16822 - " movq 56(%0), %%mm3\n"
16823 - " movq %%mm0, 32(%1)\n"
16824 - " movq %%mm1, 40(%1)\n"
16825 - " movq %%mm2, 48(%1)\n"
16826 - " movq %%mm3, 56(%1)\n"
16827 + "1: prefetch 320(%1)\n"
16828 + "2: movq (%1), %%mm0\n"
16829 + " movq 8(%1), %%mm1\n"
16830 + " movq 16(%1), %%mm2\n"
16831 + " movq 24(%1), %%mm3\n"
16832 + " movq %%mm0, (%2)\n"
16833 + " movq %%mm1, 8(%2)\n"
16834 + " movq %%mm2, 16(%2)\n"
16835 + " movq %%mm3, 24(%2)\n"
16836 + " movq 32(%1), %%mm0\n"
16837 + " movq 40(%1), %%mm1\n"
16838 + " movq 48(%1), %%mm2\n"
16839 + " movq 56(%1), %%mm3\n"
16840 + " movq %%mm0, 32(%2)\n"
16841 + " movq %%mm1, 40(%2)\n"
16842 + " movq %%mm2, 48(%2)\n"
16843 + " movq %%mm3, 56(%2)\n"
16844 ".section .fixup, \"ax\"\n"
16845 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16848 +#ifdef CONFIG_PAX_KERNEXEC
16849 + " movl %%cr0, %0\n"
16850 + " movl %0, %%eax\n"
16851 + " andl $0xFFFEFFFF, %%eax\n"
16852 + " movl %%eax, %%cr0\n"
16855 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16857 +#ifdef CONFIG_PAX_KERNEXEC
16858 + " movl %0, %%cr0\n"
16863 _ASM_EXTABLE(1b, 3b)
16864 - : : "r" (from), "r" (to) : "memory");
16865 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
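Review bot: The KERNEXEC fixup sequence — read CR0, clear WP via `andl $0xFFFEFFFF, %%eax`, patch the `prefetch` into a `jmp`, write the saved CR0 back — is open-coded inside the string literal here and repeated in four more asm blocks in this file (the two fast_copy_page hunks below), each a separate `#ifdef` sandwich that can drift; define it once and use it at every site. While WP is clear this runs with preemption off (kernel_fpu_begin() above) but interrupts enabled, so it relies on the interrupt/exception entry paths re-establishing WP on their own (presumably PaX's entry code, not visible); the macro's comment should say so. `_mmx_memcpy` continues outside this hunk.
```c
#ifdef CONFIG_PAX_KERNEXEC
/* Open .text for the self-patch: %0 receives the saved CR0, %eax is scratch.
 * Runs with preemption off; interrupt entry is expected to restore WP itself. */
#define PAX_OPEN_KERNEL_ASM				\
	"	movl %%cr0, %0\n"			\
	"	movl %0, %%eax\n"			\
	"	andl $0xFFFEFFFF, %%eax\n"		\
	"	movl %%eax, %%cr0\n"
#define PAX_CLOSE_KERNEL_ASM	"	movl %0, %%cr0\n"
#else
#define PAX_OPEN_KERNEL_ASM
#define PAX_CLOSE_KERNEL_ASM
#endif

		".section .fixup, \"ax\"\n"
		/* … unchanged: the "3:" fixup label … */
		PAX_OPEN_KERNEL_ASM
		"	movw $0x1AEB, 1b\n"	/* jmp on 26 bytes */
		PAX_CLOSE_KERNEL_ASM
```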
16869 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16870 static void fast_copy_page(void *to, void *from)
16873 + unsigned long cr0;
16875 kernel_fpu_begin();
16877 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16878 * but that is for later. -AV
16880 __asm__ __volatile__(
16881 - "1: prefetch (%0)\n"
16882 - " prefetch 64(%0)\n"
16883 - " prefetch 128(%0)\n"
16884 - " prefetch 192(%0)\n"
16885 - " prefetch 256(%0)\n"
16886 + "1: prefetch (%1)\n"
16887 + " prefetch 64(%1)\n"
16888 + " prefetch 128(%1)\n"
16889 + " prefetch 192(%1)\n"
16890 + " prefetch 256(%1)\n"
16892 ".section .fixup, \"ax\"\n"
16893 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16896 +#ifdef CONFIG_PAX_KERNEXEC
16897 + " movl %%cr0, %0\n"
16898 + " movl %0, %%eax\n"
16899 + " andl $0xFFFEFFFF, %%eax\n"
16900 + " movl %%eax, %%cr0\n"
16903 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16905 +#ifdef CONFIG_PAX_KERNEXEC
16906 + " movl %0, %%cr0\n"
16911 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16912 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16914 for (i = 0; i < (4096-320)/64; i++) {
16915 __asm__ __volatile__ (
16916 - "1: prefetch 320(%0)\n"
16917 - "2: movq (%0), %%mm0\n"
16918 - " movntq %%mm0, (%1)\n"
16919 - " movq 8(%0), %%mm1\n"
16920 - " movntq %%mm1, 8(%1)\n"
16921 - " movq 16(%0), %%mm2\n"
16922 - " movntq %%mm2, 16(%1)\n"
16923 - " movq 24(%0), %%mm3\n"
16924 - " movntq %%mm3, 24(%1)\n"
16925 - " movq 32(%0), %%mm4\n"
16926 - " movntq %%mm4, 32(%1)\n"
16927 - " movq 40(%0), %%mm5\n"
16928 - " movntq %%mm5, 40(%1)\n"
16929 - " movq 48(%0), %%mm6\n"
16930 - " movntq %%mm6, 48(%1)\n"
16931 - " movq 56(%0), %%mm7\n"
16932 - " movntq %%mm7, 56(%1)\n"
16933 + "1: prefetch 320(%1)\n"
16934 + "2: movq (%1), %%mm0\n"
16935 + " movntq %%mm0, (%2)\n"
16936 + " movq 8(%1), %%mm1\n"
16937 + " movntq %%mm1, 8(%2)\n"
16938 + " movq 16(%1), %%mm2\n"
16939 + " movntq %%mm2, 16(%2)\n"
16940 + " movq 24(%1), %%mm3\n"
16941 + " movntq %%mm3, 24(%2)\n"
16942 + " movq 32(%1), %%mm4\n"
16943 + " movntq %%mm4, 32(%2)\n"
16944 + " movq 40(%1), %%mm5\n"
16945 + " movntq %%mm5, 40(%2)\n"
16946 + " movq 48(%1), %%mm6\n"
16947 + " movntq %%mm6, 48(%2)\n"
16948 + " movq 56(%1), %%mm7\n"
16949 + " movntq %%mm7, 56(%2)\n"
16950 ".section .fixup, \"ax\"\n"
16951 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16954 +#ifdef CONFIG_PAX_KERNEXEC
16955 + " movl %%cr0, %0\n"
16956 + " movl %0, %%eax\n"
16957 + " andl $0xFFFEFFFF, %%eax\n"
16958 + " movl %%eax, %%cr0\n"
16961 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16963 +#ifdef CONFIG_PAX_KERNEXEC
16964 + " movl %0, %%cr0\n"
16969 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16970 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16974 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16975 static void fast_copy_page(void *to, void *from)
16978 + unsigned long cr0;
16980 kernel_fpu_begin();
16982 __asm__ __volatile__ (
16983 - "1: prefetch (%0)\n"
16984 - " prefetch 64(%0)\n"
16985 - " prefetch 128(%0)\n"
16986 - " prefetch 192(%0)\n"
16987 - " prefetch 256(%0)\n"
16988 + "1: prefetch (%1)\n"
16989 + " prefetch 64(%1)\n"
16990 + " prefetch 128(%1)\n"
16991 + " prefetch 192(%1)\n"
16992 + " prefetch 256(%1)\n"
16994 ".section .fixup, \"ax\"\n"
16995 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16998 +#ifdef CONFIG_PAX_KERNEXEC
16999 + " movl %%cr0, %0\n"
17000 + " movl %0, %%eax\n"
17001 + " andl $0xFFFEFFFF, %%eax\n"
17002 + " movl %%eax, %%cr0\n"
17005 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
17007 +#ifdef CONFIG_PAX_KERNEXEC
17008 + " movl %0, %%cr0\n"
17013 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
17014 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
17016 for (i = 0; i < 4096/64; i++) {
17017 __asm__ __volatile__ (
17018 - "1: prefetch 320(%0)\n"
17019 - "2: movq (%0), %%mm0\n"
17020 - " movq 8(%0), %%mm1\n"
17021 - " movq 16(%0), %%mm2\n"
17022 - " movq 24(%0), %%mm3\n"
17023 - " movq %%mm0, (%1)\n"
17024 - " movq %%mm1, 8(%1)\n"
17025 - " movq %%mm2, 16(%1)\n"
17026 - " movq %%mm3, 24(%1)\n"
17027 - " movq 32(%0), %%mm0\n"
17028 - " movq 40(%0), %%mm1\n"
17029 - " movq 48(%0), %%mm2\n"
17030 - " movq 56(%0), %%mm3\n"
17031 - " movq %%mm0, 32(%1)\n"
17032 - " movq %%mm1, 40(%1)\n"
17033 - " movq %%mm2, 48(%1)\n"
17034 - " movq %%mm3, 56(%1)\n"
17035 + "1: prefetch 320(%1)\n"
17036 + "2: movq (%1), %%mm0\n"
17037 + " movq 8(%1), %%mm1\n"
17038 + " movq 16(%1), %%mm2\n"
17039 + " movq 24(%1), %%mm3\n"
17040 + " movq %%mm0, (%2)\n"
17041 + " movq %%mm1, 8(%2)\n"
17042 + " movq %%mm2, 16(%2)\n"
17043 + " movq %%mm3, 24(%2)\n"
17044 + " movq 32(%1), %%mm0\n"
17045 + " movq 40(%1), %%mm1\n"
17046 + " movq 48(%1), %%mm2\n"
17047 + " movq 56(%1), %%mm3\n"
17048 + " movq %%mm0, 32(%2)\n"
17049 + " movq %%mm1, 40(%2)\n"
17050 + " movq %%mm2, 48(%2)\n"
17051 + " movq %%mm3, 56(%2)\n"
17052 ".section .fixup, \"ax\"\n"
17053 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
17056 +#ifdef CONFIG_PAX_KERNEXEC
17057 + " movl %%cr0, %0\n"
17058 + " movl %0, %%eax\n"
17059 + " andl $0xFFFEFFFF, %%eax\n"
17060 + " movl %%eax, %%cr0\n"
17063 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
17065 +#ifdef CONFIG_PAX_KERNEXEC
17066 + " movl %0, %%cr0\n"
17071 _ASM_EXTABLE(1b, 3b)
17072 - : : "r" (from), "r" (to) : "memory");
17073 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
17077 diff -urNp linux-2.6.38.4/arch/x86/lib/putuser.S linux-2.6.38.4/arch/x86/lib/putuser.S
17078 --- linux-2.6.38.4/arch/x86/lib/putuser.S 2011-03-14 21:20:32.000000000 -0400
17079 +++ linux-2.6.38.4/arch/x86/lib/putuser.S 2011-04-17 15:57:32.000000000 -0400
17081 #include <asm/thread_info.h>
17082 #include <asm/errno.h>
17083 #include <asm/asm.h>
17085 +#include <asm/segment.h>
17086 +#include <asm/pgtable.h>
17090 @@ -29,52 +30,119 @@
17091 * as they get called from within inline assembly.
17094 -#define ENTER CFI_STARTPROC ; \
17095 - GET_THREAD_INFO(%_ASM_BX)
17096 +#define ENTER CFI_STARTPROC
17097 #define EXIT ret ; \
17100 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17101 +#define _DEST %_ASM_CX,%_ASM_BX
17103 +#define _DEST %_ASM_CX
17106 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17107 +#define __copyuser_seg gs;
17109 +#define __copyuser_seg
17113 ENTRY(__put_user_1)
17116 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17117 + GET_THREAD_INFO(%_ASM_BX)
17118 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
17120 -1: movb %al,(%_ASM_CX)
17122 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17123 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17124 + cmp %_ASM_BX,%_ASM_CX
17132 +1: __copyuser_seg movb %al,(_DEST)
17135 ENDPROC(__put_user_1)
17137 ENTRY(__put_user_2)
17140 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17141 + GET_THREAD_INFO(%_ASM_BX)
17142 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
17144 cmp %_ASM_BX,%_ASM_CX
17146 -2: movw %ax,(%_ASM_CX)
17148 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17149 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17150 + cmp %_ASM_BX,%_ASM_CX
17158 +2: __copyuser_seg movw %ax,(_DEST)
17161 ENDPROC(__put_user_2)
17163 ENTRY(__put_user_4)
17166 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17167 + GET_THREAD_INFO(%_ASM_BX)
17168 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
17170 cmp %_ASM_BX,%_ASM_CX
17172 -3: movl %eax,(%_ASM_CX)
17174 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17175 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17176 + cmp %_ASM_BX,%_ASM_CX
17184 +3: __copyuser_seg movl %eax,(_DEST)
17187 ENDPROC(__put_user_4)
17189 ENTRY(__put_user_8)
17192 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17193 + GET_THREAD_INFO(%_ASM_BX)
17194 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
17196 cmp %_ASM_BX,%_ASM_CX
17198 -4: mov %_ASM_AX,(%_ASM_CX)
17200 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17201 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17202 + cmp %_ASM_BX,%_ASM_CX
17210 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
17211 #ifdef CONFIG_X86_32
17212 -5: movl %edx,4(%_ASM_CX)
17213 +5: __copyuser_seg movl %edx,4(_DEST)
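Review bot: Under X86_32 && UDEREF the `GET_THREAD_INFO`/`TI_addr_limit` compare is compiled out of every `__put_user_N` and `_DEST` collapses to `%ecx`, so nothing in this file bounds the destination address any more; the protection is the segment limit of the selector named by `__copyuser_seg` (`gs`), which presumably set_fs() loads, and that contract is written down nowhere here. Add at the first `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)`: `# 32-bit UDEREF: the %gs selector's limit is the range check; set_fs() switches the selector`. `__copyuser_seg` is also defined identically in getuser.S earlier in this patch — share one definition from a header. On the 64-bit path `_DEST` expands to `(%rcx,%rbx)`, so %rbx must be defined on every route to the store; the instructions that zero it when the address is already above the shadow base are elided here.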
17217 diff -urNp linux-2.6.38.4/arch/x86/lib/usercopy_32.c linux-2.6.38.4/arch/x86/lib/usercopy_32.c
17218 --- linux-2.6.38.4/arch/x86/lib/usercopy_32.c 2011-03-14 21:20:32.000000000 -0400
17219 +++ linux-2.6.38.4/arch/x86/lib/usercopy_32.c 2011-04-17 15:57:32.000000000 -0400
17220 @@ -43,7 +43,7 @@ do { \
17221 __asm__ __volatile__( \
17225 + "0: "__copyuser_seg"lodsb\n" \
17227 " testb %%al,%%al\n" \
17229 @@ -128,10 +128,12 @@ do { \
17232 __asm__ __volatile__( \
17233 + __COPYUSER_SET_ES \
17234 "0: rep; stosl\n" \
17236 "1: rep; stosb\n" \
17238 + __COPYUSER_RESTORE_ES \
17239 ".section .fixup,\"ax\"\n" \
17240 "3: lea 0(%2,%0,4),%0\n" \
17242 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
17245 __asm__ __volatile__(
17246 + __COPYUSER_SET_ES
17250 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
17254 + __COPYUSER_RESTORE_ES
17255 ".section .fixup,\"ax\"\n"
17256 "2: xorl %%eax,%%eax\n"
17258 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
17260 #ifdef CONFIG_X86_INTEL_USERCOPY
17261 static unsigned long
17262 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
17263 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
17266 __asm__ __volatile__(
17267 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
17269 "3: movl 0(%4), %%eax\n"
17270 "4: movl 4(%4), %%edx\n"
17271 - "5: movl %%eax, 0(%3)\n"
17272 - "6: movl %%edx, 4(%3)\n"
17273 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
17274 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
17275 "7: movl 8(%4), %%eax\n"
17276 "8: movl 12(%4),%%edx\n"
17277 - "9: movl %%eax, 8(%3)\n"
17278 - "10: movl %%edx, 12(%3)\n"
17279 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
17280 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
17281 "11: movl 16(%4), %%eax\n"
17282 "12: movl 20(%4), %%edx\n"
17283 - "13: movl %%eax, 16(%3)\n"
17284 - "14: movl %%edx, 20(%3)\n"
17285 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
17286 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
17287 "15: movl 24(%4), %%eax\n"
17288 "16: movl 28(%4), %%edx\n"
17289 - "17: movl %%eax, 24(%3)\n"
17290 - "18: movl %%edx, 28(%3)\n"
17291 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
17292 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
17293 "19: movl 32(%4), %%eax\n"
17294 "20: movl 36(%4), %%edx\n"
17295 - "21: movl %%eax, 32(%3)\n"
17296 - "22: movl %%edx, 36(%3)\n"
17297 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
17298 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
17299 "23: movl 40(%4), %%eax\n"
17300 "24: movl 44(%4), %%edx\n"
17301 - "25: movl %%eax, 40(%3)\n"
17302 - "26: movl %%edx, 44(%3)\n"
17303 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
17304 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
17305 "27: movl 48(%4), %%eax\n"
17306 "28: movl 52(%4), %%edx\n"
17307 - "29: movl %%eax, 48(%3)\n"
17308 - "30: movl %%edx, 52(%3)\n"
17309 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
17310 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
17311 "31: movl 56(%4), %%eax\n"
17312 "32: movl 60(%4), %%edx\n"
17313 - "33: movl %%eax, 56(%3)\n"
17314 - "34: movl %%edx, 60(%3)\n"
17315 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
17316 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
17320 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
17322 " andl $3, %%eax\n"
17324 + __COPYUSER_SET_ES
17326 "36: movl %%eax, %0\n"
17329 + __COPYUSER_RESTORE_ES
17330 + ".section .fixup,\"ax\"\n"
17331 + "101: lea 0(%%eax,%0,4),%0\n"
17334 + ".section __ex_table,\"a\"\n"
17336 + " .long 1b,100b\n"
17337 + " .long 2b,100b\n"
17338 + " .long 3b,100b\n"
17339 + " .long 4b,100b\n"
17340 + " .long 5b,100b\n"
17341 + " .long 6b,100b\n"
17342 + " .long 7b,100b\n"
17343 + " .long 8b,100b\n"
17344 + " .long 9b,100b\n"
17345 + " .long 10b,100b\n"
17346 + " .long 11b,100b\n"
17347 + " .long 12b,100b\n"
17348 + " .long 13b,100b\n"
17349 + " .long 14b,100b\n"
17350 + " .long 15b,100b\n"
17351 + " .long 16b,100b\n"
17352 + " .long 17b,100b\n"
17353 + " .long 18b,100b\n"
17354 + " .long 19b,100b\n"
17355 + " .long 20b,100b\n"
17356 + " .long 21b,100b\n"
17357 + " .long 22b,100b\n"
17358 + " .long 23b,100b\n"
17359 + " .long 24b,100b\n"
17360 + " .long 25b,100b\n"
17361 + " .long 26b,100b\n"
17362 + " .long 27b,100b\n"
17363 + " .long 28b,100b\n"
17364 + " .long 29b,100b\n"
17365 + " .long 30b,100b\n"
17366 + " .long 31b,100b\n"
17367 + " .long 32b,100b\n"
17368 + " .long 33b,100b\n"
17369 + " .long 34b,100b\n"
17370 + " .long 35b,100b\n"
17371 + " .long 36b,100b\n"
17372 + " .long 37b,100b\n"
17373 + " .long 99b,101b\n"
17375 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
17376 + : "1"(to), "2"(from), "0"(size)
17377 + : "eax", "edx", "memory");
17381 +static unsigned long
17382 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
17385 + __asm__ __volatile__(
17386 + " .align 2,0x90\n"
17387 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
17388 + " cmpl $67, %0\n"
17390 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
17391 + " .align 2,0x90\n"
17392 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
17393 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
17394 + "5: movl %%eax, 0(%3)\n"
17395 + "6: movl %%edx, 4(%3)\n"
17396 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
17397 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
17398 + "9: movl %%eax, 8(%3)\n"
17399 + "10: movl %%edx, 12(%3)\n"
17400 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
17401 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
17402 + "13: movl %%eax, 16(%3)\n"
17403 + "14: movl %%edx, 20(%3)\n"
17404 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
17405 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
17406 + "17: movl %%eax, 24(%3)\n"
17407 + "18: movl %%edx, 28(%3)\n"
17408 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
17409 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
17410 + "21: movl %%eax, 32(%3)\n"
17411 + "22: movl %%edx, 36(%3)\n"
17412 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
17413 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
17414 + "25: movl %%eax, 40(%3)\n"
17415 + "26: movl %%edx, 44(%3)\n"
17416 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
17417 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
17418 + "29: movl %%eax, 48(%3)\n"
17419 + "30: movl %%edx, 52(%3)\n"
17420 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
17421 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
17422 + "33: movl %%eax, 56(%3)\n"
17423 + "34: movl %%edx, 60(%3)\n"
17424 + " addl $-64, %0\n"
17425 + " addl $64, %4\n"
17426 + " addl $64, %3\n"
17427 + " cmpl $63, %0\n"
17429 + "35: movl %0, %%eax\n"
17431 + " andl $3, %%eax\n"
17433 + "99: rep; "__copyuser_seg" movsl\n"
17434 + "36: movl %%eax, %0\n"
17435 + "37: rep; "__copyuser_seg" movsb\n"
17437 ".section .fixup,\"ax\"\n"
17438 "101: lea 0(%%eax,%0,4),%0\n"
17440 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
17442 __asm__ __volatile__(
17444 - "0: movl 32(%4), %%eax\n"
17445 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
17448 - "1: movl 64(%4), %%eax\n"
17449 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
17451 - "2: movl 0(%4), %%eax\n"
17452 - "21: movl 4(%4), %%edx\n"
17453 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
17454 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
17455 " movl %%eax, 0(%3)\n"
17456 " movl %%edx, 4(%3)\n"
17457 - "3: movl 8(%4), %%eax\n"
17458 - "31: movl 12(%4),%%edx\n"
17459 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
17460 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
17461 " movl %%eax, 8(%3)\n"
17462 " movl %%edx, 12(%3)\n"
17463 - "4: movl 16(%4), %%eax\n"
17464 - "41: movl 20(%4), %%edx\n"
17465 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
17466 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
17467 " movl %%eax, 16(%3)\n"
17468 " movl %%edx, 20(%3)\n"
17469 - "10: movl 24(%4), %%eax\n"
17470 - "51: movl 28(%4), %%edx\n"
17471 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
17472 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
17473 " movl %%eax, 24(%3)\n"
17474 " movl %%edx, 28(%3)\n"
17475 - "11: movl 32(%4), %%eax\n"
17476 - "61: movl 36(%4), %%edx\n"
17477 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
17478 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
17479 " movl %%eax, 32(%3)\n"
17480 " movl %%edx, 36(%3)\n"
17481 - "12: movl 40(%4), %%eax\n"
17482 - "71: movl 44(%4), %%edx\n"
17483 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
17484 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
17485 " movl %%eax, 40(%3)\n"
17486 " movl %%edx, 44(%3)\n"
17487 - "13: movl 48(%4), %%eax\n"
17488 - "81: movl 52(%4), %%edx\n"
17489 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
17490 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
17491 " movl %%eax, 48(%3)\n"
17492 " movl %%edx, 52(%3)\n"
17493 - "14: movl 56(%4), %%eax\n"
17494 - "91: movl 60(%4), %%edx\n"
17495 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
17496 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
17497 " movl %%eax, 56(%3)\n"
17498 " movl %%edx, 60(%3)\n"
17500 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
17502 " andl $3, %%eax\n"
17504 - "6: rep; movsl\n"
17505 + "6: rep; "__copyuser_seg" movsl\n"
17507 - "7: rep; movsb\n"
17508 + "7: rep; "__copyuser_seg" movsb\n"
17510 ".section .fixup,\"ax\"\n"
17511 "9: lea 0(%%eax,%0,4),%0\n"
17512 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
17514 __asm__ __volatile__(
17516 - "0: movl 32(%4), %%eax\n"
17517 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
17520 - "1: movl 64(%4), %%eax\n"
17521 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
17523 - "2: movl 0(%4), %%eax\n"
17524 - "21: movl 4(%4), %%edx\n"
17525 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
17526 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
17527 " movnti %%eax, 0(%3)\n"
17528 " movnti %%edx, 4(%3)\n"
17529 - "3: movl 8(%4), %%eax\n"
17530 - "31: movl 12(%4),%%edx\n"
17531 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
17532 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
17533 " movnti %%eax, 8(%3)\n"
17534 " movnti %%edx, 12(%3)\n"
17535 - "4: movl 16(%4), %%eax\n"
17536 - "41: movl 20(%4), %%edx\n"
17537 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
17538 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
17539 " movnti %%eax, 16(%3)\n"
17540 " movnti %%edx, 20(%3)\n"
17541 - "10: movl 24(%4), %%eax\n"
17542 - "51: movl 28(%4), %%edx\n"
17543 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
17544 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
17545 " movnti %%eax, 24(%3)\n"
17546 " movnti %%edx, 28(%3)\n"
17547 - "11: movl 32(%4), %%eax\n"
17548 - "61: movl 36(%4), %%edx\n"
17549 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
17550 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
17551 " movnti %%eax, 32(%3)\n"
17552 " movnti %%edx, 36(%3)\n"
17553 - "12: movl 40(%4), %%eax\n"
17554 - "71: movl 44(%4), %%edx\n"
17555 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
17556 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
17557 " movnti %%eax, 40(%3)\n"
17558 " movnti %%edx, 44(%3)\n"
17559 - "13: movl 48(%4), %%eax\n"
17560 - "81: movl 52(%4), %%edx\n"
17561 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
17562 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
17563 " movnti %%eax, 48(%3)\n"
17564 " movnti %%edx, 52(%3)\n"
17565 - "14: movl 56(%4), %%eax\n"
17566 - "91: movl 60(%4), %%edx\n"
17567 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
17568 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
17569 " movnti %%eax, 56(%3)\n"
17570 " movnti %%edx, 60(%3)\n"
17572 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
17574 " andl $3, %%eax\n"
17576 - "6: rep; movsl\n"
17577 + "6: rep; "__copyuser_seg" movsl\n"
17579 - "7: rep; movsb\n"
17580 + "7: rep; "__copyuser_seg" movsb\n"
17582 ".section .fixup,\"ax\"\n"
17583 "9: lea 0(%%eax,%0,4),%0\n"
17584 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
17586 __asm__ __volatile__(
17588 - "0: movl 32(%4), %%eax\n"
17589 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
17592 - "1: movl 64(%4), %%eax\n"
17593 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
17595 - "2: movl 0(%4), %%eax\n"
17596 - "21: movl 4(%4), %%edx\n"
17597 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
17598 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
17599 " movnti %%eax, 0(%3)\n"
17600 " movnti %%edx, 4(%3)\n"
17601 - "3: movl 8(%4), %%eax\n"
17602 - "31: movl 12(%4),%%edx\n"
17603 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
17604 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
17605 " movnti %%eax, 8(%3)\n"
17606 " movnti %%edx, 12(%3)\n"
17607 - "4: movl 16(%4), %%eax\n"
17608 - "41: movl 20(%4), %%edx\n"
17609 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
17610 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
17611 " movnti %%eax, 16(%3)\n"
17612 " movnti %%edx, 20(%3)\n"
17613 - "10: movl 24(%4), %%eax\n"
17614 - "51: movl 28(%4), %%edx\n"
17615 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
17616 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
17617 " movnti %%eax, 24(%3)\n"
17618 " movnti %%edx, 28(%3)\n"
17619 - "11: movl 32(%4), %%eax\n"
17620 - "61: movl 36(%4), %%edx\n"
17621 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
17622 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
17623 " movnti %%eax, 32(%3)\n"
17624 " movnti %%edx, 36(%3)\n"
17625 - "12: movl 40(%4), %%eax\n"
17626 - "71: movl 44(%4), %%edx\n"
17627 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
17628 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
17629 " movnti %%eax, 40(%3)\n"
17630 " movnti %%edx, 44(%3)\n"
17631 - "13: movl 48(%4), %%eax\n"
17632 - "81: movl 52(%4), %%edx\n"
17633 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
17634 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
17635 " movnti %%eax, 48(%3)\n"
17636 " movnti %%edx, 52(%3)\n"
17637 - "14: movl 56(%4), %%eax\n"
17638 - "91: movl 60(%4), %%edx\n"
17639 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
17640 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
17641 " movnti %%eax, 56(%3)\n"
17642 " movnti %%edx, 60(%3)\n"
17644 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
17646 " andl $3, %%eax\n"
17648 - "6: rep; movsl\n"
17649 + "6: rep; "__copyuser_seg" movsl\n"
17651 - "7: rep; movsb\n"
17652 + "7: rep; "__copyuser_seg" movsb\n"
17654 ".section .fixup,\"ax\"\n"
17655 "9: lea 0(%%eax,%0,4),%0\n"
17656 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
17658 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
17659 unsigned long size);
17660 -unsigned long __copy_user_intel(void __user *to, const void *from,
17661 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
17662 + unsigned long size);
17663 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
17664 unsigned long size);
17665 unsigned long __copy_user_zeroing_intel_nocache(void *to,
17666 const void __user *from, unsigned long size);
17667 #endif /* CONFIG_X86_INTEL_USERCOPY */
17669 /* Generic arbitrary sized copy. */
17670 -#define __copy_user(to, from, size) \
17671 +#define __copy_user(to, from, size, prefix, set, restore) \
17673 int __d0, __d1, __d2; \
17674 __asm__ __volatile__( \
17682 - "4: rep; movsb\n" \
17683 + "4: rep; "prefix"movsb\n" \
17687 " .align 2,0x90\n" \
17688 - "0: rep; movsl\n" \
17689 + "0: rep; "prefix"movsl\n" \
17691 - "1: rep; movsb\n" \
17692 + "1: rep; "prefix"movsb\n" \
17695 ".section .fixup,\"ax\"\n" \
17696 "5: addl %3,%0\n" \
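Review bot: `__copy_user` now takes three extra macro arguments (`prefix`, `set`, `restore`) but carries no comment saying what each must be, and only `prefix` is visible in use — the lines where `set` and `restore` expand fall outside the shown hunk lines. Callers in the later hunks pass raw asm string fragments (`""`, `__copyuser_seg`, `__COPYUSER_SET_ES`/`__COPYUSER_RESTORE_ES`), so a comment above the `#define` such as `/* prefix: segment override spliced before each movs; set/restore: asm fragments emitted before/after the copy, may be "" */` would pin the contract (the before/after placement is my reading of the names, not of visible lines). The hand-written routines write `"__copyuser_seg" movl` with a separating space while the macro writes `"prefix"movsb` with none; both only assemble cleanly if the prefix string ends in a separator, which belongs in the same comment.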
17698 @@ -682,14 +799,14 @@ do { \
17702 - "4: rep; movsb\n" \
17703 + "4: rep; "__copyuser_seg"movsb\n" \
17707 " .align 2,0x90\n" \
17708 - "0: rep; movsl\n" \
17709 + "0: rep; "__copyuser_seg"movsl\n" \
17711 - "1: rep; movsb\n" \
17712 + "1: rep; "__copyuser_seg"movsb\n" \
17714 ".section .fixup,\"ax\"\n" \
17715 "5: addl %3,%0\n" \
17716 @@ -775,9 +892,9 @@ survive:
17719 if (movsl_is_ok(to, from, n))
17720 - __copy_user(to, from, n);
17721 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
17723 - n = __copy_user_intel(to, from, n);
17724 + n = __generic_copy_to_user_intel(to, from, n);
17727 EXPORT_SYMBOL(__copy_to_user_ll);
17728 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
17731 if (movsl_is_ok(to, from, n))
17732 - __copy_user(to, from, n);
17733 + __copy_user(to, from, n, __copyuser_seg, "", "");
17735 - n = __copy_user_intel((void __user *)to,
17736 - (const void *)from, n);
17737 + n = __generic_copy_from_user_intel(to, from, n);
17740 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17741 @@ -827,65 +943,49 @@ unsigned long __copy_from_user_ll_nocach
17742 if (n > 64 && cpu_has_xmm2)
17743 n = __copy_user_intel_nocache(to, from, n);
17745 - __copy_user(to, from, n);
17746 + __copy_user(to, from, n, __copyuser_seg, "", "");
17748 - __copy_user(to, from, n);
17749 + __copy_user(to, from, n, __copyuser_seg, "", "");
17753 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17756 - * copy_to_user: - Copy a block of data into user space.
17757 - * @to: Destination address, in user space.
17758 - * @from: Source address, in kernel space.
17759 - * @n: Number of bytes to copy.
17761 - * Context: User context only. This function may sleep.
17763 - * Copy data from kernel space to user space.
17765 - * Returns number of bytes that could not be copied.
17766 - * On success, this will be zero.
17769 -copy_to_user(void __user *to, const void *from, unsigned long n)
17770 +void copy_from_user_overflow(void)
17772 - if (access_ok(VERIFY_WRITE, to, n))
17773 - n = __copy_to_user(to, from, n);
17775 + WARN(1, "Buffer overflow detected!\n");
17777 -EXPORT_SYMBOL(copy_to_user);
17778 +EXPORT_SYMBOL(copy_from_user_overflow);
17781 - * copy_from_user: - Copy a block of data from user space.
17782 - * @to: Destination address, in kernel space.
17783 - * @from: Source address, in user space.
17784 - * @n: Number of bytes to copy.
17786 - * Context: User context only. This function may sleep.
17788 - * Copy data from user space to kernel space.
17790 - * Returns number of bytes that could not be copied.
17791 - * On success, this will be zero.
17793 - * If some data could not be copied, this function will pad the copied
17794 - * data to the requested size using zero bytes.
17797 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17798 +void copy_to_user_overflow(void)
17800 - if (access_ok(VERIFY_READ, from, n))
17801 - n = __copy_from_user(to, from, n);
17803 - memset(to, 0, n);
17805 + WARN(1, "Buffer overflow detected!\n");
17807 -EXPORT_SYMBOL(_copy_from_user);
17808 +EXPORT_SYMBOL(copy_to_user_overflow);
17810 -void copy_from_user_overflow(void)
17811 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17812 +void __set_fs(mm_segment_t x)
17814 - WARN(1, "Buffer overflow detected!\n");
17817 + loadsegment(gs, 0);
17819 + case TASK_SIZE_MAX:
17820 + loadsegment(gs, __USER_DS);
17823 + loadsegment(gs, __KERNEL_DS);
17830 -EXPORT_SYMBOL(copy_from_user_overflow);
17832 +void set_fs(mm_segment_t x)
17834 + current_thread_info()->addr_limit = x;
17837 +EXPORT_SYMBOL(set_fs);
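Review bot: `copy_from_user_overflow` and `copy_to_user_overflow` emit the identical text `Buffer overflow detected!\n`, so a log line on its own cannot say which direction tripped the size check; give each its own wording, e.g. `WARN(1, "Buffer overflow detected in copy_to_user!\n");` and the from_user counterpart, so triage does not depend on the backtrace. The new `__set_fs`/`set_fs` pair under CONFIG_PAX_MEMORY_UDEREF also deserves a header comment: `set_fs` stores the limit in `addr_limit` while `__set_fs` reloads %gs according to it (`__USER_DS` for `TASK_SIZE_MAX`, `__KERNEL_DS` in the other visible case), presumably so the `__copyuser_seg` overrides used by the copy routines track the new limit; stating that relationship above `__set_fs` keeps the two from being reordered casually. The `switch` bodies of both functions are only partly visible in this hunk.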
17839 diff -urNp linux-2.6.38.4/arch/x86/lib/usercopy_64.c linux-2.6.38.4/arch/x86/lib/usercopy_64.c
17840 --- linux-2.6.38.4/arch/x86/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
17841 +++ linux-2.6.38.4/arch/x86/lib/usercopy_64.c 2011-04-17 15:57:32.000000000 -0400
17842 @@ -42,6 +42,8 @@ long
17843 __strncpy_from_user(char *dst, const char __user *src, long count)
17846 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17847 + src += PAX_USER_SHADOW_BASE;
17848 __do_strncpy_from_user(dst, src, count, res);
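Review bot: The two-line shadow adjustment `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is copy-pasted four times in this file (here, in `__clear_user` in the next hunk, and twice in `copy_in_user` in the hunk after that), each on a differently named pointer; a `static inline` helper that takes and returns the user pointer would keep the threshold and the offset in one place. The `copy_in_user` hunk also replaces its `if (access_ok(...) && access_ok(...))` line with text that reads identically, which looks like a whitespace-only edit worth dropping. In `copy_in_user` the adjustment comes after `access_ok()`, so the range check still sees the original pointers — any helper should preserve that order.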
17851 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17855 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17856 + addr += PAX_USER_SHADOW_BASE;
17857 /* no memory constraint because it doesn't change any memory gcc knows
17860 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17862 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17864 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17865 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17866 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17867 + to += PAX_USER_SHADOW_BASE;
17868 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17869 + from += PAX_USER_SHADOW_BASE;
17870 return copy_user_generic((__force void *)to, (__force void *)from, len);
17876 EXPORT_SYMBOL(copy_in_user);
17878 diff -urNp linux-2.6.38.4/arch/x86/Makefile linux-2.6.38.4/arch/x86/Makefile
17879 --- linux-2.6.38.4/arch/x86/Makefile 2011-03-14 21:20:32.000000000 -0400
17880 +++ linux-2.6.38.4/arch/x86/Makefile 2011-04-17 15:57:32.000000000 -0400
17881 @@ -195,3 +195,12 @@ define archhelp
17882 echo ' FDARGS="..." arguments for the booted kernel'
17883 echo ' FDINITRD=file initrd for the booted kernel'
17888 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17889 +*** Please upgrade your binutils to 2.18 or newer
17893 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17894 diff -urNp linux-2.6.38.4/arch/x86/mm/extable.c linux-2.6.38.4/arch/x86/mm/extable.c
17895 --- linux-2.6.38.4/arch/x86/mm/extable.c 2011-03-14 21:20:32.000000000 -0400
17896 +++ linux-2.6.38.4/arch/x86/mm/extable.c 2011-04-17 15:57:32.000000000 -0400
17898 #include <linux/module.h>
17899 #include <linux/spinlock.h>
17900 +#include <linux/sort.h>
17901 #include <asm/uaccess.h>
17902 +#include <asm/pgtable.h>
17905 + * The exception table needs to be sorted so that the binary
17906 + * search that we use to find entries in it works properly.
17907 + * This is used both for the kernel exception table and for
17908 + * the exception tables of modules that get loaded.
17910 +static int cmp_ex(const void *a, const void *b)
17912 + const struct exception_table_entry *x = a, *y = b;
17914 + /* avoid overflow */
17915 + if (x->insn > y->insn)
17917 + if (x->insn < y->insn)
17922 +static void swap_ex(void *a, void *b, int size)
17924 + struct exception_table_entry t, *x = a, *y = b;
17928 + pax_open_kernel();
17931 + pax_close_kernel();
17934 +void sort_extable(struct exception_table_entry *start,
17935 + struct exception_table_entry *finish)
17937 + sort(start, finish - start, sizeof(struct exception_table_entry),
17938 + cmp_ex, swap_ex);
17941 +#ifdef CONFIG_MODULES
17943 + * If the exception table is sorted, any referring to the module init
17944 + * will be at the beginning or the end.
17946 +void trim_init_extable(struct module *m)
17948 + /*trim the beginning*/
17949 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17951 + m->num_exentries--;
17954 + while (m->num_exentries &&
17955 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17956 + m->num_exentries--;
17958 +#endif /* CONFIG_MODULES */
17960 int fixup_exception(struct pt_regs *regs)
17962 const struct exception_table_entry *fixup;
17964 #ifdef CONFIG_PNPBIOS
17965 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17966 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17967 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17968 extern u32 pnp_bios_is_utter_crap;
17969 pnp_bios_is_utter_crap = 1;
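Review bot: The added `!v8086_mode(regs)` guard in `fixup_exception` has no comment: in vm86 mode `regs->cs` holds a real-mode segment value rather than a selector, so `SEGMENT_IS_PNP_CODE(regs->cs)` could match by accident and send a vm86 task down the PnP BIOS recovery path; add `/* in vm86 mode cs is a real-mode segment, not a selector, so it cannot identify PnP BIOS code */` above the condition. `swap_ex` wraps the entry swap in `pax_open_kernel()`/`pax_close_kernel()` while `cmp_ex` and `sort_extable` do not; a one-line comment on `swap_ex` saying why the table must be written through that pair (presumably it lives in memory that is otherwise read-only) would save the next reader a search. The `@@` header of this hunk is not shown, and the bodies of `swap_ex` and `trim_init_extable` are only partially visible.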
17970 diff -urNp linux-2.6.38.4/arch/x86/mm/fault.c linux-2.6.38.4/arch/x86/mm/fault.c
17971 --- linux-2.6.38.4/arch/x86/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
17972 +++ linux-2.6.38.4/arch/x86/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
17973 @@ -12,10 +12,18 @@
17974 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17975 #include <linux/perf_event.h> /* perf_sw_event */
17976 #include <linux/hugetlb.h> /* hstate_index_to_shift */
17977 +#include <linux/unistd.h>
17978 +#include <linux/compiler.h>
17980 #include <asm/traps.h> /* dotraplinkage, ... */
17981 #include <asm/pgalloc.h> /* pgd_*(), ... */
17982 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17983 +#include <asm/vsyscall.h>
17984 +#include <asm/tlbflush.h>
17986 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17987 +#include <asm/stacktrace.h>
17991 * Page fault error code bits:
17992 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
17995 /* kprobe_running() needs smp_processor_id() */
17996 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17997 + if (kprobes_built_in() && !user_mode(regs)) {
17999 if (kprobe_running() && kprobe_fault_handler(regs, 14))
18001 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
18002 return !instr_lo || (instr_lo>>1) == 1;
18004 /* Prefetch instruction is 0x0F0D or 0x0F18 */
18005 - if (probe_kernel_address(instr, opcode))
18006 + if (user_mode(regs)) {
18007 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
18009 + } else if (probe_kernel_address(instr, opcode))
18012 *prefetch = (instr_lo == 0xF) &&
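Review bot: The user-mode branch reads the opcode with `__copy_from_user_inatomic`, which skips `access_ok()`; `instr` derives from `regs->ip`, so if this path can be reached with a user-mode ip above TASK_SIZE the one-byte read targets kernel memory on builds without the segment-override protection, and its result steers whether the fault is treated as a prefetch. A checked access, `if (!access_ok(VERIFY_READ, instr, 1) || __copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))`, keeps that independent of configuration. The same five-line block is repeated in `is_prefetch` in the next hunk; a small `static int` helper that reads one opcode byte for either mode would keep the two in step. Both enclosing function bodies continue outside their hunks.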
18013 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
18014 while (instr < max_instr) {
18015 unsigned char opcode;
18017 - if (probe_kernel_address(instr, opcode))
18018 + if (user_mode(regs)) {
18019 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
18021 + } else if (probe_kernel_address(instr, opcode))
18025 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
18026 force_sig_info(si_signo, &info, tsk);
18029 +#ifdef CONFIG_PAX_EMUTRAMP
18030 +static int pax_handle_fetch_fault(struct pt_regs *regs);
18033 +#ifdef CONFIG_PAX_PAGEEXEC
18034 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
18040 + pgd = pgd_offset(mm, address);
18041 + if (!pgd_present(*pgd))
18043 + pud = pud_offset(pgd, address);
18044 + if (!pud_present(*pud))
18046 + pmd = pmd_offset(pud, address);
18047 + if (!pmd_present(*pmd))
18053 DEFINE_SPINLOCK(pgd_lock);
18054 LIST_HEAD(pgd_list);
18056 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
18057 for (address = VMALLOC_START & PMD_MASK;
18058 address >= TASK_SIZE && address < FIXADDR_TOP;
18059 address += PMD_SIZE) {
18061 +#ifdef CONFIG_PAX_PER_CPU_PGD
18062 + unsigned long cpu;
18067 spin_lock(&pgd_lock);
18069 +#ifdef CONFIG_PAX_PER_CPU_PGD
18070 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18071 + pgd_t *pgd = get_cpu_pgd(cpu);
18074 list_for_each_entry(page, &pgd_list, lru) {
18075 + pgd_t *pgd = page_address(page);
18076 spinlock_t *pgt_lock;
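Review bot: The CONFIG_PAX_PER_CPU_PGD loop walks `cpu` from 0 to `NR_CPUS` rather than over the CPUs that exist, so `get_cpu_pgd()` is evaluated for every compile-time CPU slot; if that function is backed by per-cpu data, `for_each_possible_cpu(cpu)` is the kernel idiom (and `unsigned int cpu` would match the cpumask helpers). Two `pgd` variables are declared, one per preprocessor arm, and both appear to feed the `vmalloc_sync_one(pgd, address)` call in the next hunk; a comment above the `#ifdef` saying that the arms are alternative loop headers sharing one body would make that readable without the elided `#else`. The loop body and its unlock continue in the next hunk.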
18079 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
18080 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
18082 spin_lock(pgt_lock);
18083 - ret = vmalloc_sync_one(page_address(page), address);
18086 + ret = vmalloc_sync_one(pgd, address);
18088 +#ifndef CONFIG_PAX_PER_CPU_PGD
18089 spin_unlock(pgt_lock);
18094 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
18095 * an interrupt in the middle of a task switch..
18097 pgd_paddr = read_cr3();
18099 +#ifdef CONFIG_PAX_PER_CPU_PGD
18100 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
18103 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
18106 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
18107 * happen within a race in page table update. In the later
18111 +#ifdef CONFIG_PAX_PER_CPU_PGD
18112 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
18113 + pgd = pgd_offset_cpu(smp_processor_id(), address);
18115 pgd = pgd_offset(current->active_mm, address);
18118 pgd_ref = pgd_offset_k(address);
18119 if (pgd_none(*pgd_ref))
18121 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
18122 static int is_errata100(struct pt_regs *regs, unsigned long address)
18124 #ifdef CONFIG_X86_64
18125 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
18126 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
18130 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
18133 static const char nx_warning[] = KERN_CRIT
18134 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
18135 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
18138 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
18139 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
18140 if (!oops_may_print())
18143 - if (error_code & PF_INSTR) {
18144 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
18145 unsigned int level;
18147 pte_t *pte = lookup_address(address, &level);
18149 if (pte && pte_present(*pte) && !pte_exec(*pte))
18150 - printk(nx_warning, current_uid());
18151 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
18154 +#ifdef CONFIG_PAX_KERNEXEC
18155 + if (init_mm.start_code <= address && address < init_mm.end_code) {
18156 + if (current->signal->curr_ip)
18157 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
18158 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
18160 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
18161 + current->comm, task_pid_nr(current), current_uid(), current_euid());
18165 printk(KERN_ALERT "BUG: unable to handle kernel ");
18166 if (address < PAGE_SIZE)
18167 printk(KERN_CONT "NULL pointer dereference");
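Review bot: The uid is printed with `%d` on the `nx_warning` line but with `%u` on the two new PAX lines, although all three pass `current_uid()`; pick one (`%u`, since uid_t is unsigned) so the log fields parse consistently. `¤t->signal->curr_ip` in the `%pI4` argument reads as a mangled `&current->signal->curr_ip`, presumably a rendering artifact of this page rather than the patch text, but it is worth confirming against the original. The rest of `show_fault_oops` is outside the hunk.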
18168 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
18169 unsigned long address, int si_code)
18171 struct task_struct *tsk = current;
18172 + struct mm_struct *mm = tsk->mm;
18174 +#ifdef CONFIG_X86_64
18175 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
18176 + if (regs->ip == (unsigned long)vgettimeofday) {
18177 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
18179 + } else if (regs->ip == (unsigned long)vtime) {
18180 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
18182 + } else if (regs->ip == (unsigned long)vgetcpu) {
18183 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
18189 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18190 + if (mm && (error_code & PF_USER)) {
18191 + unsigned long ip = regs->ip;
18193 + if (v8086_mode(regs))
18194 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
18197 + * It's possible to have interrupts off here:
18199 + local_irq_enable();
18201 +#ifdef CONFIG_PAX_PAGEEXEC
18202 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
18203 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
18205 +#ifdef CONFIG_PAX_EMUTRAMP
18206 + switch (pax_handle_fetch_fault(regs)) {
18212 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
18213 + do_group_exit(SIGKILL);
18217 +#ifdef CONFIG_PAX_SEGMEXEC
18218 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
18220 +#ifdef CONFIG_PAX_EMUTRAMP
18221 + switch (pax_handle_fetch_fault(regs)) {
18227 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
18228 + do_group_exit(SIGKILL);
18235 /* User mode accesses just cause a SIGSEGV */
18236 if (error_code & PF_USER) {
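Review bot: The `switch (pax_handle_fetch_fault(regs))` followed by `pax_report_fault(regs, (void *)ip, (void *)regs->sp); do_group_exit(SIGKILL);` appears twice here (PAGEEXEC and SEGMEXEC arms) and a third time in `pax_handle_pageexec_fault` in a later hunk, each under its own `#ifdef CONFIG_PAX_EMUTRAMP`; a `static` helper collecting the switch and the kill path would leave one copy to audit. The x86_64 block above rewrites `regs->ip` from the `vgettimeofday`/`vtime`/`vgetcpu` entry points to their vDSO symbols on an instruction-fetch fault, which only makes sense once you know the vsyscall page is no longer executable under this configuration; a comment such as `/* instruction fetch into the vsyscall page: redirect the legacy entry points to their vDSO implementations */` would state that intent (my reading, since the enabling change is outside this hunk). The `local_irq_enable()` added here runs before the existing one in the `PF_USER` branch just below; harmless, but a one-word note that the repeat is intentional would stop someone "fixing" it.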
18237 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
18241 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18242 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
18247 + unsigned char pte_mask;
18249 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
18250 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
18253 + /* PaX: it's our fault, let's handle it if we can */
18255 + /* PaX: take a look at read faults before acquiring any locks */
18256 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
18257 + /* instruction fetch attempt from a protected page in user mode */
18258 + up_read(&mm->mmap_sem);
18260 +#ifdef CONFIG_PAX_EMUTRAMP
18261 + switch (pax_handle_fetch_fault(regs)) {
18267 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
18268 + do_group_exit(SIGKILL);
18271 + pmd = pax_get_pmd(mm, address);
18272 + if (unlikely(!pmd))
18275 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
18276 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
18277 + pte_unmap_unlock(pte, ptl);
18281 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
18282 + /* write attempt to a protected page in user mode */
18283 + pte_unmap_unlock(pte, ptl);
18288 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
18290 + if (likely(address > get_limit(regs->cs)))
18293 + set_pte(pte, pte_mkread(*pte));
18294 + __flush_tlb_one(address);
18295 + pte_unmap_unlock(pte, ptl);
18296 + up_read(&mm->mmap_sem);
18300 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
18303 + * PaX: fill DTLB with user rights and retry
18305 + __asm__ __volatile__ (
18307 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
18309 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
18310 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
18311 + * page fault when examined during a TLB load attempt. this is true not only
18312 + * for PTEs holding a non-present entry but also present entries that will
18313 + * raise a page fault (such as those set up by PaX, or the copy-on-write
18314 + * mechanism). in effect it means that we do *not* need to flush the TLBs
18315 + * for our target pages since their PTEs are simply not in the TLBs at all.
18317 + * the best thing in omitting it is that we gain around 15-20% speed in the
18318 + * fast path of the page fault handler and can get rid of tracing since we
18319 + * can no longer flush unintended entries.
18323 + __copyuser_seg"testb $0,(%0)\n"
18326 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
18327 + : "memory", "cc");
18328 + pte_unmap_unlock(pte, ptl);
18329 + up_read(&mm->mmap_sem);
18335 * Handle a spurious fault caused by a stale TLB entry.
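Review bot: `pax_handle_pageexec_fault` drops `mm->mmap_sem` itself on the paths it handles (`up_read` before the EMUTRAMP switch, after `set_pte`, and after the TLB-fill asm) while its caller in `do_page_fault` holds it on entry; that lock contract is not written down, and the `return` statements that pair with each `up_read` are not all visible here. Add a header comment: `/* Called with mm->mmap_sem held for read. Returns non-zero when the fault was handled, in which case mmap_sem has been released; returns 0 with the lock still held otherwise. */`. `cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)` uses the older cpumask API; `cpumask_test_cpu()` is the current form. Several `return` and `#else` lines of this function are elided from the hunk as shown.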
18337 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
18339 access_error(unsigned long error_code, struct vm_area_struct *vma)
18341 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
18344 if (error_code & PF_WRITE) {
18345 /* write, present and write, not present: */
18346 if (unlikely(!(vma->vm_flags & VM_WRITE)))
18347 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
18349 struct vm_area_struct *vma;
18350 struct task_struct *tsk;
18351 - unsigned long address;
18352 struct mm_struct *mm;
18354 int write = error_code & PF_WRITE;
18355 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
18356 (write ? FAULT_FLAG_WRITE : 0);
18358 + /* Get the faulting address: */
18359 + unsigned long address = read_cr2();
18361 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18362 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
18363 + if (!search_exception_tables(regs->ip)) {
18364 + bad_area_nosemaphore(regs, error_code, address);
18367 + if (address < PAX_USER_SHADOW_BASE) {
18368 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
18369 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
18370 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, KERN_ERR);
18372 + address -= PAX_USER_SHADOW_BASE;
18379 - /* Get the faulting address: */
18380 - address = read_cr2();
18383 * Detect and handle instructions that would cause a page fault for
18384 * both a tracked kernel page and a userspace page.
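Review bot: The CONFIG_PAX_MEMORY_UDEREF block inserted ahead of the moved `address = read_cr2()` has three exits and a reporting path inside a function that is already long; moving it into a `static` helper that takes `regs`, `error_code` and `&address` and returns whether the fault was consumed would keep `do_page_fault` readable. The constants also need a comment: `address < 2 * PAX_USER_SHADOW_BASE` appears to select kernel-mode faults in the user range or its shadow image, and `address < PAX_USER_SHADOW_BASE` the case where kernel code touched an unshifted user pointer, which is why that branch logs a trace instead of adjusting — spell that out above the `if`. The lines between the trace dump and `address -= PAX_USER_SHADOW_BASE` are not shown, so whether the subtraction is confined to the `else` path cannot be confirmed from here.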
18385 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
18386 * User-mode registers count as a user access even for any
18387 * potential system fault or CPU buglet:
18389 - if (user_mode_vm(regs)) {
18390 + if (user_mode(regs)) {
18391 local_irq_enable();
18392 error_code |= PF_USER;
18394 @@ -1087,6 +1337,11 @@ retry:
18398 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18399 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
18403 vma = find_vma(mm, address);
18404 if (unlikely(!vma)) {
18405 bad_area(regs, error_code, address);
18406 @@ -1098,18 +1353,24 @@ retry:
18407 bad_area(regs, error_code, address);
18410 - if (error_code & PF_USER) {
18412 - * Accessing the stack below %sp is always a bug.
18413 - * The large cushion allows instructions like enter
18414 - * and pusha to work. ("enter $65535, $31" pushes
18415 - * 32 pointers and then decrements %sp by 65535.)
18417 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
18418 - bad_area(regs, error_code, address);
18422 + * Accessing the stack below %sp is always a bug.
18423 + * The large cushion allows instructions like enter
18424 + * and pusha to work. ("enter $65535, $31" pushes
18425 + * 32 pointers and then decrements %sp by 65535.)
18427 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
18428 + bad_area(regs, error_code, address);
18432 +#ifdef CONFIG_PAX_SEGMEXEC
18433 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
18434 + bad_area(regs, error_code, address);
18439 if (unlikely(expand_stack(vma, address))) {
18440 bad_area(regs, error_code, address);
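Review bot: The below-%sp check now runs for every fault rather than only `PF_USER` ones and reads the stack pointer from `task_pt_regs(tsk)->sp` instead of `regs->sp`, but the comment above it was carried over unchanged and still only explains the cushion. Extend it with `/* applies to kernel-mode faults on user addresses too (e.g. user copies), hence the task's user-mode sp rather than the current pt_regs */`, hedged on my reading since the surrounding `if` structure is partly outside the hunk. The SEGMEXEC condition compares `vma->vm_end - SEGMEXEC_TASK_SIZE - 1` with `address - SEGMEXEC_TASK_SIZE - 1`, where both sides subtract the same constant; if the unsigned wrap for values below `SEGMEXEC_TASK_SIZE` is the point, say so in a comment, otherwise a plainer `vma->vm_end < address` form reads better.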
18442 @@ -1164,3 +1425,199 @@ good_area:
18444 up_read(&mm->mmap_sem);
18447 +#ifdef CONFIG_PAX_EMUTRAMP
18448 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
18452 + do { /* PaX: gcc trampoline emulation #1 */
18453 + unsigned char mov1, mov2;
18454 + unsigned short jmp;
18455 + unsigned int addr1, addr2;
18457 +#ifdef CONFIG_X86_64
18458 + if ((regs->ip + 11) >> 32)
18462 + err = get_user(mov1, (unsigned char __user *)regs->ip);
18463 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18464 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
18465 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18466 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
18471 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
18472 + regs->cx = addr1;
18473 + regs->ax = addr2;
18474 + regs->ip = addr2;
18479 + do { /* PaX: gcc trampoline emulation #2 */
18480 + unsigned char mov, jmp;
18481 + unsigned int addr1, addr2;
18483 +#ifdef CONFIG_X86_64
18484 + if ((regs->ip + 9) >> 32)
18488 + err = get_user(mov, (unsigned char __user *)regs->ip);
18489 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18490 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
18491 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18496 + if (mov == 0xB9 && jmp == 0xE9) {
18497 + regs->cx = addr1;
18498 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
18503 + return 1; /* PaX in action */
18506 +#ifdef CONFIG_X86_64
18507 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
18511 + do { /* PaX: gcc trampoline emulation #1 */
18512 + unsigned short mov1, mov2, jmp1;
18513 + unsigned char jmp2;
18514 + unsigned int addr1;
18515 + unsigned long addr2;
18517 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18518 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
18519 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
18520 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
18521 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
18522 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
18527 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18528 + regs->r11 = addr1;
18529 + regs->r10 = addr2;
18530 + regs->ip = addr1;
18535 + do { /* PaX: gcc trampoline emulation #2 */
18536 + unsigned short mov1, mov2, jmp1;
18537 + unsigned char jmp2;
18538 + unsigned long addr1, addr2;
18540 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18541 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
18542 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
18543 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
18544 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
18545 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
18550 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18551 + regs->r11 = addr1;
18552 + regs->r10 = addr2;
18553 + regs->ip = addr1;
18558 + return 1; /* PaX in action */
18563 + * PaX: decide what to do with offenders (regs->ip = fault address)
18565 + * returns 1 when task should be killed
18566 + * 2 when gcc trampoline was detected
18568 +static int pax_handle_fetch_fault(struct pt_regs *regs)
18570 + if (v8086_mode(regs))
18573 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
18576 +#ifdef CONFIG_X86_32
18577 + return pax_handle_fetch_fault_32(regs);
18579 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
18580 + return pax_handle_fetch_fault_32(regs);
18582 + return pax_handle_fetch_fault_64(regs);
18587 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18588 +void pax_report_insns(void *pc, void *sp)
18592 + printk(KERN_ERR "PAX: bytes at PC: ");
18593 + for (i = 0; i < 20; i++) {
18595 + if (get_user(c, (__force unsigned char __user *)pc+i))
18596 + printk(KERN_CONT "?? ");
18598 + printk(KERN_CONT "%02x ", c);
18602 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
18603 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
18605 + if (get_user(c, (__force unsigned long __user *)sp+i))
18606 +#ifdef CONFIG_X86_32
18607 + printk(KERN_CONT "???????? ");
18609 + printk(KERN_CONT "???????????????? ");
18612 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
18619 + * probe_kernel_write(): safely attempt to write to a location
18620 + * @dst: address to write to
18621 + * @src: pointer to the data that shall be written
18622 + * @size: size of the data chunk
18624 + * Safely write to address @dst from the buffer at @src. If a kernel fault
18625 + * happens, handle that and return -EFAULT.
18627 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
18630 + mm_segment_t old_fs = get_fs();
18632 + set_fs(KERNEL_DS);
18633 + pagefault_disable();
18634 + pax_open_kernel();
18635 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
18636 + pax_close_kernel();
18637 + pagefault_enable();
18640 + return ret ? -EFAULT : 0;
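Review bot: pax_report_insns (the `#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)` block) copies 20 bytes at PC and roughly 80 bytes of stack at SP out of the faulting task into the log with plain printk(KERN_ERR), and nothing in this hunk rate-limits it, so an unprivileged process that crashes itself in a loop can flood dmesg with its own memory contents. Unless the caller already throttles, guard the dump with `if (!printk_ratelimit()) return;` and mention in a comment that the bytes may contain the dying process's secrets, which matters on systems where dmesg is readable by other users. The 64-bit matchers in pax_handle_fetch_fault_64 load `regs->ip` straight from user-supplied immediates once the byte pattern matches; that is the intended EMUTRAMP semantics, but a one-line comment stating that the target is not validated here and simply takes the normal non-exec fault if it is not executable would keep readers from mistaking the emulation for a check. The `return 2` paths and the callers of these helpers are elided or outside this hunk.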
18642 diff -urNp linux-2.6.38.4/arch/x86/mm/gup.c linux-2.6.38.4/arch/x86/mm/gup.c
18643 --- linux-2.6.38.4/arch/x86/mm/gup.c 2011-03-14 21:20:32.000000000 -0400
18644 +++ linux-2.6.38.4/arch/x86/mm/gup.c 2011-04-17 15:57:32.000000000 -0400
18645 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
18647 len = (unsigned long) nr_pages << PAGE_SHIFT;
18649 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18650 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18651 (void __user *)start, len)))
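Review bot: The switch from access_ok() to __access_ok() in __get_user_pages_fast carries no comment, and neither the rest of the function nor the definition of __access_ok is in the hunk. Presumably access_ok in this tree does extra work that is unsafe in the lockless, interrupts-disabled fast path and __access_ok is the bare range check; that reasoning belongs next to the call, e.g. `/* bare range check only: the full access_ok() does more than this lockless fast path may do, see uaccess.h */`. If __access_ok differs from a plain range check in any way, the comment should say how.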
18654 diff -urNp linux-2.6.38.4/arch/x86/mm/highmem_32.c linux-2.6.38.4/arch/x86/mm/highmem_32.c
18655 --- linux-2.6.38.4/arch/x86/mm/highmem_32.c 2011-03-14 21:20:32.000000000 -0400
18656 +++ linux-2.6.38.4/arch/x86/mm/highmem_32.c 2011-04-17 15:57:32.000000000 -0400
18657 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
18658 idx = type + KM_TYPE_NR*smp_processor_id();
18659 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18660 BUG_ON(!pte_none(*(kmap_pte-idx)));
18662 + pax_open_kernel();
18663 set_pte(kmap_pte-idx, mk_pte(page, prot));
18664 + pax_close_kernel();
18666 return (void *)vaddr;
18668 diff -urNp linux-2.6.38.4/arch/x86/mm/hugetlbpage.c linux-2.6.38.4/arch/x86/mm/hugetlbpage.c
18669 --- linux-2.6.38.4/arch/x86/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
18670 +++ linux-2.6.38.4/arch/x86/mm/hugetlbpage.c 2011-04-17 15:57:32.000000000 -0400
18671 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
18672 struct hstate *h = hstate_file(file);
18673 struct mm_struct *mm = current->mm;
18674 struct vm_area_struct *vma;
18675 - unsigned long start_addr;
18676 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18678 +#ifdef CONFIG_PAX_SEGMEXEC
18679 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18680 + pax_task_size = SEGMEXEC_TASK_SIZE;
18683 + pax_task_size -= PAGE_SIZE;
18685 if (len > mm->cached_hole_size) {
18686 - start_addr = mm->free_area_cache;
18687 + start_addr = mm->free_area_cache;
18689 - start_addr = TASK_UNMAPPED_BASE;
18690 - mm->cached_hole_size = 0;
18691 + start_addr = mm->mmap_base;
18692 + mm->cached_hole_size = 0;
18696 @@ -280,26 +287,27 @@ full_search:
18698 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18699 /* At this point: (!vma || addr < vma->vm_end). */
18700 - if (TASK_SIZE - len < addr) {
18701 + if (pax_task_size - len < addr) {
18703 * Start a new search - just in case we missed
18706 - if (start_addr != TASK_UNMAPPED_BASE) {
18707 - start_addr = TASK_UNMAPPED_BASE;
18708 + if (start_addr != mm->mmap_base) {
18709 + start_addr = mm->mmap_base;
18710 mm->cached_hole_size = 0;
18715 - if (!vma || addr + len <= vma->vm_start) {
18716 - mm->free_area_cache = addr + len;
18719 + if (check_heap_stack_gap(vma, addr, len))
18721 if (addr + mm->cached_hole_size < vma->vm_start)
18722 mm->cached_hole_size = vma->vm_start - addr;
18723 addr = ALIGN(vma->vm_end, huge_page_size(h));
18726 + mm->free_area_cache = addr + len;
18730 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
18731 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
18733 struct hstate *h = hstate_file(file);
18734 struct mm_struct *mm = current->mm;
18735 - struct vm_area_struct *vma, *prev_vma;
18736 - unsigned long base = mm->mmap_base, addr = addr0;
18737 + struct vm_area_struct *vma;
18738 + unsigned long base = mm->mmap_base, addr;
18739 unsigned long largest_hole = mm->cached_hole_size;
18740 - int first_time = 1;
18742 /* don't allow allocations above current base */
18743 if (mm->free_area_cache > base)
18744 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
18746 mm->free_area_cache = base;
18750 /* make sure it can fit in the remaining address space */
18751 if (mm->free_area_cache < len)
18754 /* either no address requested or cant fit in requested address hole */
18755 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
18756 + addr = (mm->free_area_cache - len);
18758 + addr &= huge_page_mask(h);
18759 + vma = find_vma(mm, addr);
18761 * Lookup failure means no vma is above this address,
18762 * i.e. return with success:
18764 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18768 * new region fits between prev_vma->vm_end and
18769 * vma->vm_start, use it:
18771 - if (addr + len <= vma->vm_start &&
18772 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18773 + if (check_heap_stack_gap(vma, addr, len)) {
18774 /* remember the address as a hint for next time */
18775 - mm->cached_hole_size = largest_hole;
18776 - return (mm->free_area_cache = addr);
18778 - /* pull free_area_cache down to the first hole */
18779 - if (mm->free_area_cache == vma->vm_end) {
18780 - mm->free_area_cache = vma->vm_start;
18781 - mm->cached_hole_size = largest_hole;
18783 + mm->cached_hole_size = largest_hole;
18784 + return (mm->free_area_cache = addr);
18786 + /* pull free_area_cache down to the first hole */
18787 + if (mm->free_area_cache == vma->vm_end) {
18788 + mm->free_area_cache = vma->vm_start;
18789 + mm->cached_hole_size = largest_hole;
18792 /* remember the largest hole we saw so far */
18793 if (addr + largest_hole < vma->vm_start)
18794 - largest_hole = vma->vm_start - addr;
18795 + largest_hole = vma->vm_start - addr;
18797 /* try just below the current vma->vm_start */
18798 - addr = (vma->vm_start - len) & huge_page_mask(h);
18799 - } while (len <= vma->vm_start);
18800 + addr = skip_heap_stack_gap(vma, len);
18801 + } while (!IS_ERR_VALUE(addr));
18805 - * if hint left us with no space for the requested
18806 - * mapping then try again:
18808 - if (first_time) {
18809 - mm->free_area_cache = base;
18810 - largest_hole = 0;
18815 * A failed mmap() very likely causes application failure,
18816 * so fall back to the bottom-up function here. This scenario
18817 * can happen with large stack limits and large mmap()
18820 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18822 +#ifdef CONFIG_PAX_SEGMEXEC
18823 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18824 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18828 + mm->mmap_base = TASK_UNMAPPED_BASE;
18830 +#ifdef CONFIG_PAX_RANDMMAP
18831 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18832 + mm->mmap_base += mm->delta_mmap;
18835 + mm->free_area_cache = mm->mmap_base;
18836 mm->cached_hole_size = ~0UL;
18837 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18838 len, pgoff, flags);
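Review bot: The bottom-up fallback at the end of hugetlb_get_unmapped_area_topdown now overwrites `mm->mmap_base` (the SEGMEXEC/TASK_UNMAPPED_BASE assignment plus the RANDMMAP `mm->mmap_base += mm->delta_mmap`) so that the bottom-up helper, which reads mm->mmap_base, starts at the legacy base; the restore lives only in the following `fail:` hunk, and nothing here says the field is being borrowed as a parameter. A comment such as `/* temporarily repoint mmap_base so the bottom-up search starts at the legacy base; restored at fail: */` would stop a later early return from leaking the temporary value. The legacy-base-plus-delta_mmap computation also duplicates the legacy branch of arch_pick_mmap_layout in arch/x86/mm/mmap.c in this same patch; a small shared helper would keep the two from drifting. The function begins in the previous hunk.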
18839 @@ -386,6 +392,7 @@ fail:
18841 * Restore the topdown base:
18843 + mm->mmap_base = base;
18844 mm->free_area_cache = base;
18845 mm->cached_hole_size = ~0UL;
18847 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
18848 struct hstate *h = hstate_file(file);
18849 struct mm_struct *mm = current->mm;
18850 struct vm_area_struct *vma;
18851 + unsigned long pax_task_size = TASK_SIZE;
18853 if (len & ~huge_page_mask(h))
18855 - if (len > TASK_SIZE)
18857 +#ifdef CONFIG_PAX_SEGMEXEC
18858 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18859 + pax_task_size = SEGMEXEC_TASK_SIZE;
18862 + pax_task_size -= PAGE_SIZE;
18864 + if (len > pax_task_size)
18867 if (flags & MAP_FIXED) {
18868 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
18870 addr = ALIGN(addr, huge_page_size(h));
18871 vma = find_vma(mm, addr);
18872 - if (TASK_SIZE - len >= addr &&
18873 - (!vma || addr + len <= vma->vm_start))
18874 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18877 if (mm->get_unmapped_area == arch_get_unmapped_area)
18878 diff -urNp linux-2.6.38.4/arch/x86/mm/init_32.c linux-2.6.38.4/arch/x86/mm/init_32.c
18879 --- linux-2.6.38.4/arch/x86/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
18880 +++ linux-2.6.38.4/arch/x86/mm/init_32.c 2011-04-17 15:57:32.000000000 -0400
18881 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
18885 - * Creates a middle page table and puts a pointer to it in the
18886 - * given global directory entry. This only returns the gd entry
18887 - * in non-PAE compilation mode, since the middle layer is folded.
18889 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18892 - pmd_t *pmd_table;
18894 -#ifdef CONFIG_X86_PAE
18895 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18896 - if (after_bootmem)
18897 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18899 - pmd_table = (pmd_t *)alloc_low_page();
18900 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18901 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18902 - pud = pud_offset(pgd, 0);
18903 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18905 - return pmd_table;
18908 - pud = pud_offset(pgd, 0);
18909 - pmd_table = pmd_offset(pud, 0);
18911 - return pmd_table;
18915 * Create a page table and place a pointer to it in a middle page
18918 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
18919 page_table = (pte_t *)alloc_low_page();
18921 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18922 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18923 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18925 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18927 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18930 return pte_offset_kernel(pmd, 0);
18933 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18936 + pmd_t *pmd_table;
18938 + pud = pud_offset(pgd, 0);
18939 + pmd_table = pmd_offset(pud, 0);
18941 + return pmd_table;
18944 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18946 int pgd_idx = pgd_index(vaddr);
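Review bot: The rewritten one_md_table_init no longer tests `_PAGE_PRESENT` on the pgd entry or allocates a pmd page; it just returns `pmd_offset(pud_offset(pgd, 0), 0)`. On PAE that is only correct if every pgd slot is already populated at boot (presumably by head_32.S changes elsewhere in this patch, not visible here); a `BUG_ON(pgd_none(*pgd));` before the return would turn a silent walk through an empty entry into a diagnosable crash and document the new invariant. The `#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)` branch in one_page_table_init also deserves a one-liner explaining why kernel page tables are linked with `_KERNPG_TABLE` (no `_PAGE_USER`), since early_ioremap_init in this same patch goes the other way with pmd_populate_user.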
18947 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
18948 int pgd_idx, pmd_idx;
18949 unsigned long vaddr;
18955 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
18956 pgd = pgd_base + pgd_idx;
18958 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18959 - pmd = one_md_table_init(pgd);
18960 - pmd = pmd + pmd_index(vaddr);
18961 + pud = pud_offset(pgd, vaddr);
18962 + pmd = pmd_offset(pud, vaddr);
18964 +#ifdef CONFIG_X86_PAE
18965 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18968 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18969 pmd++, pmd_idx++) {
18970 pte = page_table_kmap_check(one_page_table_init(pmd),
18971 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
18975 -static inline int is_kernel_text(unsigned long addr)
18976 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18978 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
18981 + if ((start > ktla_ktva((unsigned long)_etext) ||
18982 + end <= ktla_ktva((unsigned long)_stext)) &&
18983 + (start > ktla_ktva((unsigned long)_einittext) ||
18984 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18986 +#ifdef CONFIG_ACPI_SLEEP
18987 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18990 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
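Review bot: is_kernel_text(start, end) now answers for a range and is written as a negation (a range that lies entirely outside every listed region is not text), but the only hint is the name, and the short `return` lines did not survive this rendering. The embedded constants — `+ 0x4000` above acpi_wakeup_address and the `__va(0xc0000)`..`__va(0xfffff)` window — are magic; name them (a define for the wakeup trampoline size shared with the ACPI sleep code, and a named constant for the legacy BIOS/video ROM window instead of 0xc0000/0xfffff) and add a header comment: `/* true if [start, end) overlaps a region that must stay executable: kernel text, init text, the ACPI wakeup trampoline, the legacy BIOS/video ROM window */`. The function's closing lines are elided here.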
18996 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
18997 unsigned long last_map_addr = end;
18998 unsigned long start_pfn, end_pfn;
18999 pgd_t *pgd_base = swapper_pg_dir;
19000 - int pgd_idx, pmd_idx, pte_ofs;
19001 + unsigned int pgd_idx, pmd_idx, pte_ofs;
19007 unsigned pages_2m, pages_4k;
19008 @@ -281,8 +282,13 @@ repeat:
19010 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
19011 pgd = pgd_base + pgd_idx;
19012 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
19013 - pmd = one_md_table_init(pgd);
19014 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
19015 + pud = pud_offset(pgd, 0);
19016 + pmd = pmd_offset(pud, 0);
19018 +#ifdef CONFIG_X86_PAE
19019 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
19022 if (pfn >= end_pfn)
19024 @@ -294,14 +300,13 @@ repeat:
19026 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
19027 pmd++, pmd_idx++) {
19028 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
19029 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
19032 * Map with big pages if possible, otherwise
19033 * create normal page tables:
19036 - unsigned int addr2;
19037 pgprot_t prot = PAGE_KERNEL_LARGE;
19039 * first pass will use the same initial
19040 @@ -311,11 +316,7 @@ repeat:
19041 __pgprot(PTE_IDENT_ATTR |
19044 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
19045 - PAGE_OFFSET + PAGE_SIZE-1;
19047 - if (is_kernel_text(addr) ||
19048 - is_kernel_text(addr2))
19049 + if (is_kernel_text(address, address + PMD_SIZE))
19050 prot = PAGE_KERNEL_LARGE_EXEC;
19053 @@ -332,7 +333,7 @@ repeat:
19054 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
19056 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
19057 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
19058 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
19059 pgprot_t prot = PAGE_KERNEL;
19061 * first pass will use the same initial
19062 @@ -340,7 +341,7 @@ repeat:
19064 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
19066 - if (is_kernel_text(addr))
19067 + if (is_kernel_text(address, address + PAGE_SIZE))
19068 prot = PAGE_KERNEL_EXEC;
19071 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
19073 pud = pud_offset(pgd, va);
19074 pmd = pmd_offset(pud, va);
19075 - if (!pmd_present(*pmd))
19076 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
19079 pte = pte_offset_kernel(pmd, va);
19080 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
19082 static void __init pagetable_init(void)
19084 - pgd_t *pgd_base = swapper_pg_dir;
19086 - permanent_kmaps_init(pgd_base);
19087 + permanent_kmaps_init(swapper_pg_dir);
19090 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
19091 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
19092 EXPORT_SYMBOL_GPL(__supported_pte_mask);
19094 /* user-defined highmem size */
19095 @@ -755,6 +754,12 @@ void __init mem_init(void)
19099 +#ifdef CONFIG_PAX_PER_CPU_PGD
19100 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
19101 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19102 + KERNEL_PGD_PTRS);
19105 #ifdef CONFIG_FLATMEM
19108 @@ -772,7 +777,7 @@ void __init mem_init(void)
19109 set_highmem_pages_init();
19111 codesize = (unsigned long) &_etext - (unsigned long) &_text;
19112 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
19113 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
19114 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
19116 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
19117 @@ -813,10 +818,10 @@ void __init mem_init(void)
19118 ((unsigned long)&__init_end -
19119 (unsigned long)&__init_begin) >> 10,
19121 - (unsigned long)&_etext, (unsigned long)&_edata,
19122 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
19123 + (unsigned long)&_sdata, (unsigned long)&_edata,
19124 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
19126 - (unsigned long)&_text, (unsigned long)&_etext,
19127 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
19128 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
19131 @@ -894,6 +899,7 @@ void set_kernel_text_rw(void)
19132 if (!kernel_set_to_readonly)
19135 + start = ktla_ktva(start);
19136 pr_debug("Set kernel text: %lx - %lx for read write\n",
19137 start, start+size);
19139 @@ -908,6 +914,7 @@ void set_kernel_text_ro(void)
19140 if (!kernel_set_to_readonly)
19143 + start = ktla_ktva(start);
19144 pr_debug("Set kernel text: %lx - %lx for read only\n",
19145 start, start+size);
19147 @@ -936,6 +943,7 @@ void mark_rodata_ro(void)
19148 unsigned long start = PFN_ALIGN(_text);
19149 unsigned long size = PFN_ALIGN(_etext) - start;
19151 + start = ktla_ktva(start);
19152 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
19153 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
19155 diff -urNp linux-2.6.38.4/arch/x86/mm/init_64.c linux-2.6.38.4/arch/x86/mm/init_64.c
19156 --- linux-2.6.38.4/arch/x86/mm/init_64.c 2011-04-18 17:27:18.000000000 -0400
19157 +++ linux-2.6.38.4/arch/x86/mm/init_64.c 2011-04-17 16:53:16.000000000 -0400
19158 @@ -72,7 +72,7 @@ early_param("gbpages", parse_direct_gbpa
19159 * around without checking the pgd every time.
19162 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
19163 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
19164 EXPORT_SYMBOL_GPL(__supported_pte_mask);
19166 int force_personality32;
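Review bot: `__supported_pte_mask` moves to `__read_only` and now starts with `_PAGE_NX` cleared, so the bit has to be set later by the NX-probing code (not in this chunk) — and any such write that happens after the read-only section is sealed must go through pax_open_kernel()/pax_close_kernel() or it will fault. That is presumably fine for the boot-CPU path, but the secondary-CPU/hotplug callers that touch this variable should be confirmed, and the definition deserves a comment: `/* __read_only: written only during early boot by the NX probe; any later writer must use pax_open_kernel() */`. The init_32.c hunk in this same patch makes the identical `__read_only` change, so the same caveat applies there.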
19167 @@ -105,12 +105,22 @@ void sync_global_pgds(unsigned long star
19169 for (address = start; address <= end; address += PGDIR_SIZE) {
19170 const pgd_t *pgd_ref = pgd_offset_k(address);
19172 +#ifdef CONFIG_PAX_PER_CPU_PGD
19173 + unsigned long cpu;
19178 if (pgd_none(*pgd_ref))
19181 spin_lock(&pgd_lock);
19183 +#ifdef CONFIG_PAX_PER_CPU_PGD
19184 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19185 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
19187 list_for_each_entry(page, &pgd_list, lru) {
19189 spinlock_t *pgt_lock;
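Review bot: Under CONFIG_PAX_PER_CPU_PGD the new loop in sync_global_pgds walks `cpu = 0 .. NR_CPUS-1` and calls pgd_offset_cpu() for every index rather than only the CPUs that can exist. If get_cpu_pgd/pgd_offset_cpu is backed by per-CPU storage (not visible here), indices above the possible set resolve to the boot template area and the set_pgd() lands in memory no CPU ever uses; `for_each_possible_cpu(cpu)` is the idiomatic bound and costs nothing. The per-CPU branch also skips the per-mm `pgt_lock` that the pgd_list branch takes (the unlock is likewise `#ifndef`'d out in the following hunk), which is correct only if per-CPU pgds are never hung off an mm; a one-line comment at the `#ifdef` would record that. The function's declarations start before this hunk.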
19190 @@ -119,6 +129,7 @@ void sync_global_pgds(unsigned long star
19191 /* the pgt_lock only for Xen */
19192 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
19193 spin_lock(pgt_lock);
19196 if (pgd_none(*pgd))
19197 set_pgd(pgd, *pgd_ref);
19198 @@ -126,7 +137,10 @@ void sync_global_pgds(unsigned long star
19199 BUG_ON(pgd_page_vaddr(*pgd)
19200 != pgd_page_vaddr(*pgd_ref));
19202 +#ifndef CONFIG_PAX_PER_CPU_PGD
19203 spin_unlock(pgt_lock);
19207 spin_unlock(&pgd_lock);
19209 @@ -200,7 +214,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
19210 pmd = fill_pmd(pud, vaddr);
19211 pte = fill_pte(pmd, vaddr);
19213 + pax_open_kernel();
19214 set_pte(pte, new_pte);
19215 + pax_close_kernel();
19218 * It's enough to flush this one mapping.
19219 @@ -259,14 +275,12 @@ static void __init __init_extra_mapping(
19220 pgd = pgd_offset_k((unsigned long)__va(phys));
19221 if (pgd_none(*pgd)) {
19222 pud = (pud_t *) spp_getpage();
19223 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
19225 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
19227 pud = pud_offset(pgd, (unsigned long)__va(phys));
19228 if (pud_none(*pud)) {
19229 pmd = (pmd_t *) spp_getpage();
19230 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
19232 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
19234 pmd = pmd_offset(pud, phys);
19235 BUG_ON(!pmd_none(*pmd));
19236 @@ -706,6 +720,12 @@ void __init mem_init(void)
19240 +#ifdef CONFIG_PAX_PER_CPU_PGD
19241 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
19242 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19243 + KERNEL_PGD_PTRS);
19246 /* clear_bss() already clear the empty_zero_page */
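Review bot: Under CONFIG_PAX_PER_CPU_PGD only `get_cpu_pgd(0)` receives the kernel half of swapper_pg_dir here; how the other CPUs' pgds obtain it is not visible in this hunk (presumably in cpu_init or the per-CPU bring-up). A comment naming that path would stop a reader from assuming secondary CPUs run with an unpopulated kernel pgd, e.g. `/* seed CPU 0's pgd with the kernel mappings; other CPUs copy theirs at bring-up */`, adjusted to wherever it actually happens. The same pattern in init_32.c's mem_init needs the same note. The rest of mem_init lies outside the hunk.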
19249 @@ -866,8 +886,8 @@ int kern_addr_valid(unsigned long addr)
19250 static struct vm_area_struct gate_vma = {
19251 .vm_start = VSYSCALL_START,
19252 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
19253 - .vm_page_prot = PAGE_READONLY_EXEC,
19254 - .vm_flags = VM_READ | VM_EXEC
19255 + .vm_page_prot = PAGE_READONLY,
19256 + .vm_flags = VM_READ
19259 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
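Review bot: Dropping VM_EXEC and PAGE_READONLY_EXEC from `gate_vma` only changes what the VMA reports (e.g. /proc/<pid>/maps and VMA-based permission checks); the vsyscall page itself is mapped through the fixmap with its own protection, presumably in vsyscall_64.c, which this hunk does not touch. If the intent is that the page is no longer executable, the fixmap pte must lose execute permission too and the vsyscall entry points must be unreachable, otherwise older libc users of the fixed vsyscall addresses would fault; if the intent is only to stop the gate VMA being treated as an executable mapping, say so next to the initializer: `/* reported read-only; executability of the vsyscall page is governed by the fixmap pte */`. Either way a comment should state which.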
19260 @@ -901,7 +921,7 @@ int in_gate_area_no_task(unsigned long a
19262 const char *arch_vma_name(struct vm_area_struct *vma)
19264 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
19265 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
19267 if (vma == &gate_vma)
19268 return "[vsyscall]";
19269 diff -urNp linux-2.6.38.4/arch/x86/mm/init.c linux-2.6.38.4/arch/x86/mm/init.c
19270 --- linux-2.6.38.4/arch/x86/mm/init.c 2011-04-18 17:27:18.000000000 -0400
19271 +++ linux-2.6.38.4/arch/x86/mm/init.c 2011-04-17 16:53:16.000000000 -0400
19272 @@ -72,11 +72,7 @@ static void __init find_early_table_spac
19273 * cause a hotspot and fill up ZONE_DMA. The page tables
19274 * need roughly 0.5KB per GB.
19276 -#ifdef CONFIG_X86_32
19281 + start = 0x100000;
19282 base = memblock_find_in_range(start, max_pfn_mapped<<PAGE_SHIFT,
19283 tables, PAGE_SIZE);
19284 if (base == MEMBLOCK_ERROR)
19285 @@ -323,7 +319,16 @@ unsigned long __init_refok init_memory_m
19287 int devmem_is_allowed(unsigned long pagenr)
19289 - if (pagenr <= 256)
19290 +#ifndef CONFIG_GRKERNSEC_KMEM
19293 +#ifdef CONFIG_VM86
19294 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
19299 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
19301 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
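Review bot: devmem_is_allowed's new policy can only be read by decoding the nested #ifdefs, and the short `return` lines did not survive this rendering; a header comment spelling it out would help: `/* /dev/mem policy: the ISA hole (ISA_START_ADDRESS..ISA_END_ADDRESS, VGA/option ROMs) is always accessible; low RAM below it only when VM86 needs it and GRKERNSEC_KMEM is off; everything else goes through the exclusive-iomem / RAM checks */`. Note that the ISA-hole whitelist is tested before iomem_is_exclusive(), as the original `pagenr <= 256` was, so a driver claiming an exclusive region in that window is still exposed through /dev/mem — intentional or not, it deserves a sentence. The tail of the function is outside the hunk.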
19303 @@ -383,6 +388,86 @@ void free_init_pages(char *what, unsigne
19305 void free_initmem(void)
19308 +#ifdef CONFIG_PAX_KERNEXEC
19309 +#ifdef CONFIG_X86_32
19310 + /* PaX: limit KERNEL_CS to actual size */
19311 + unsigned long addr, limit;
19312 + struct desc_struct d;
19315 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
19316 + limit = (limit - 1UL) >> PAGE_SHIFT;
19318 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
19319 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19320 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
19321 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
19324 + /* PaX: make KERNEL_CS read-only */
19325 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
19326 + if (!paravirt_enabled())
19327 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
19329 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
19330 + pgd = pgd_offset_k(addr);
19331 + pud = pud_offset(pgd, addr);
19332 + pmd = pmd_offset(pud, addr);
19333 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19336 +#ifdef CONFIG_X86_PAE
19337 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
19339 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
19340 + pgd = pgd_offset_k(addr);
19341 + pud = pud_offset(pgd, addr);
19342 + pmd = pmd_offset(pud, addr);
19343 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19348 +#ifdef CONFIG_MODULES
19349 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
19356 + unsigned long addr, end;
19358 + /* PaX: make kernel code/rodata read-only, rest non-executable */
19359 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
19360 + pgd = pgd_offset_k(addr);
19361 + pud = pud_offset(pgd, addr);
19362 + pmd = pmd_offset(pud, addr);
19363 + if (!pmd_present(*pmd))
19365 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
19366 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19368 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19371 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
19372 + end = addr + KERNEL_IMAGE_SIZE;
19373 + for (; addr < end; addr += PMD_SIZE) {
19374 + pgd = pgd_offset_k(addr);
19375 + pud = pud_offset(pgd, addr);
19376 + pmd = pmd_offset(pud, addr);
19377 + if (!pmd_present(*pmd))
19379 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
19380 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19387 free_init_pages("unused kernel memory",
19388 (unsigned long)(&__init_begin),
19389 (unsigned long)(&__init_end));
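Review bot: In the CONFIG_X86_32 branch of free_initmem, `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE)` hands an integer to memset's `void *` parameter (PAGE_OFFSET is an unsigned long constant on x86, so unless __LOAD_PHYSICAL_ADDR is pointer-typed this is a make-pointer-from-integer warning); it should read `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);` with a comment saying which page that is and why it is poisoned. The GDT-limit loop right after it runs `cpu = 0 .. NR_CPUS-1` and writes through get_cpu_gdt_table(cpu), which is per-CPU data; for CPUs beyond the possible set that resolves to the boot template area, so `for_each_possible_cpu(cpu)` is the safer bound (the same pattern appears in sync_global_pgds in this patch). On the 64-bit side the comment says "code/rodata read-only, rest non-executable" and the code indeed leaves `[_text, _sdata)` executable, so rodata stays X under these 2M mappings — worth stating explicitly as a known trade-off so nobody reads it as an oversight. The function's closing lines are elided here.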
19390 diff -urNp linux-2.6.38.4/arch/x86/mm/iomap_32.c linux-2.6.38.4/arch/x86/mm/iomap_32.c
19391 --- linux-2.6.38.4/arch/x86/mm/iomap_32.c 2011-03-14 21:20:32.000000000 -0400
19392 +++ linux-2.6.38.4/arch/x86/mm/iomap_32.c 2011-04-17 15:57:32.000000000 -0400
19393 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
19394 type = kmap_atomic_idx_push();
19395 idx = type + KM_TYPE_NR * smp_processor_id();
19396 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
19398 + pax_open_kernel();
19399 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
19400 + pax_close_kernel();
19402 arch_flush_lazy_mmu_mode();
19404 return (void *)vaddr;
19405 diff -urNp linux-2.6.38.4/arch/x86/mm/ioremap.c linux-2.6.38.4/arch/x86/mm/ioremap.c
19406 --- linux-2.6.38.4/arch/x86/mm/ioremap.c 2011-03-14 21:20:32.000000000 -0400
19407 +++ linux-2.6.38.4/arch/x86/mm/ioremap.c 2011-04-17 15:57:32.000000000 -0400
19408 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
19409 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
19410 int is_ram = page_is_ram(pfn);
19412 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
19413 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
19415 WARN_ON_ONCE(is_ram);
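Review bot: The new `pfn >= 0x100` in __ioremap_caller hard-codes the 1 MB boundary that this patch elsewhere expresses as `ISA_END_ADDRESS >> PAGE_SHIFT` (devmem_is_allowed) and `0x100000` (find_early_table_space); use the named form, `(pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT) || !PageReserved(pfn_to_page(pfn)))`, so the three stay in agreement. The effect — ioremap of any RAM page above 1 MB is now refused even when it is PageReserved, presumably to keep drivers from creating writable or executable aliases of kernel memory — should be stated in a comment beside the check, since callers that relied on ioremapping reserved RAM will now get NULL. The function starts outside the hunk.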
19417 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
19418 early_param("early_ioremap_debug", early_ioremap_debug_setup);
19420 static __initdata int after_paging_init;
19421 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
19422 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
19424 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
19426 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
19427 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
19429 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
19430 - memset(bm_pte, 0, sizeof(bm_pte));
19431 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
19432 + pmd_populate_user(&init_mm, pmd, bm_pte);
19435 * The boot-ioremap range spans multiple pmds, for which
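Review bot: `pmd_populate_user(&init_mm, pmd, bm_pte)` links the boot-ioremap page table into the kernel pmd with `_PAGE_USER` set, whereas one_page_table_init in init_32.c (same patch) deliberately drops `_PAGE_USER` from kernel pmd entries under PAGEEXEC/SEGMEXEC; the two choices look contradictory and neither carries a comment. If the user bit is required here because of how the fixmap range is reached under the per-CPU pgd scheme, say so in one line above the call; if it is not required, pmd_populate_kernel is the safer default. The dropped `memset(bm_pte, 0, ...)` is fine because static storage is zero-initialised regardless of section, but a short note is worth adding since the array is no longer `__page_aligned_bss` and a future initializer would silently change that.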
19436 diff -urNp linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c
19437 --- linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-14 21:20:32.000000000 -0400
19438 +++ linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-17 15:57:32.000000000 -0400
19439 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
19440 * memory (e.g. tracked pages)? For now, we need this to avoid
19441 * invoking kmemcheck for PnP BIOS calls.
19443 - if (regs->flags & X86_VM_MASK)
19444 + if (v8086_mode(regs))
19446 - if (regs->cs != __KERNEL_CS)
19447 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
19450 pte = kmemcheck_pte_lookup(address);
19451 diff -urNp linux-2.6.38.4/arch/x86/mm/mmap.c linux-2.6.38.4/arch/x86/mm/mmap.c
19452 --- linux-2.6.38.4/arch/x86/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
19453 +++ linux-2.6.38.4/arch/x86/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
19454 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
19455 * Leave an at least ~128 MB hole with possible stack randomization.
19457 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
19458 -#define MAX_GAP (TASK_SIZE/6*5)
19459 +#define MAX_GAP (pax_task_size/6*5)
19462 * True on X86_32 or when emulating IA32 on X86_64
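Review bot: `#define MAX_GAP (pax_task_size/6*5)` makes MAX_GAP a macro that silently reads a local variable named pax_task_size at its expansion site (mmap_base() in the next hunk); any other use of MAX_GAP, or a rename of that local, will fail to compile or, worse, pick up an unrelated variable of the same name. Make the dependency explicit with `#define MAX_GAP(task_size) ((task_size)/6*5)` and `else if (gap > MAX_GAP(pax_task_size))`, or drop the macro and compute a `max_gap` local next to `gap`.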
19463 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
19464 return rnd << PAGE_SHIFT;
19467 -static unsigned long mmap_base(void)
19468 +static unsigned long mmap_base(struct mm_struct *mm)
19470 unsigned long gap = rlimit(RLIMIT_STACK);
19471 + unsigned long pax_task_size = TASK_SIZE;
19473 +#ifdef CONFIG_PAX_SEGMEXEC
19474 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19475 + pax_task_size = SEGMEXEC_TASK_SIZE;
19480 else if (gap > MAX_GAP)
19483 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
19484 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
19488 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
19489 * does, but not when emulating X86_32
19491 -static unsigned long mmap_legacy_base(void)
19492 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
19494 - if (mmap_is_ia32())
19495 + if (mmap_is_ia32()) {
19497 +#ifdef CONFIG_PAX_SEGMEXEC
19498 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19499 + return SEGMEXEC_TASK_UNMAPPED_BASE;
19503 return TASK_UNMAPPED_BASE;
19506 return TASK_UNMAPPED_BASE + mmap_rnd();
19509 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
19510 void arch_pick_mmap_layout(struct mm_struct *mm)
19512 if (mmap_is_legacy()) {
19513 - mm->mmap_base = mmap_legacy_base();
19514 + mm->mmap_base = mmap_legacy_base(mm);
19516 +#ifdef CONFIG_PAX_RANDMMAP
19517 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19518 + mm->mmap_base += mm->delta_mmap;
19521 mm->get_unmapped_area = arch_get_unmapped_area;
19522 mm->unmap_area = arch_unmap_area;
19524 - mm->mmap_base = mmap_base();
19525 + mm->mmap_base = mmap_base(mm);
19527 +#ifdef CONFIG_PAX_RANDMMAP
19528 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19529 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
19532 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
19533 mm->unmap_area = arch_unmap_area_topdown;
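Review bot: The CONFIG_PAX_RANDMMAP adjustments in arch_pick_mmap_layout are undocumented: the legacy base is raised by `mm->delta_mmap` alone while the top-down base is lowered by `mm->delta_mmap + mm->delta_stack`, and nothing states why the stack delta enters only the second case or what keeps `mm->mmap_base` inside the task's address space after the subtraction (the bound presumably comes from the widths of the delta fields, which are set outside this file). A comment on each adjustment giving the intended layout would help, e.g. `/* top-down: move the mmap ceiling below both the randomised stack and the mmap shift so the two random areas cannot overlap — TODO confirm */`. The delta fields themselves are assigned elsewhere and are not visible here.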
19535 diff -urNp linux-2.6.38.4/arch/x86/mm/numa_32.c linux-2.6.38.4/arch/x86/mm/numa_32.c
19536 --- linux-2.6.38.4/arch/x86/mm/numa_32.c 2011-03-14 21:20:32.000000000 -0400
19537 +++ linux-2.6.38.4/arch/x86/mm/numa_32.c 2011-04-17 15:57:32.000000000 -0400
19538 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
19542 -extern unsigned long find_max_low_pfn(void);
19543 extern unsigned long highend_pfn, highstart_pfn;
19545 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
19546 diff -urNp linux-2.6.38.4/arch/x86/mm/pageattr.c linux-2.6.38.4/arch/x86/mm/pageattr.c
19547 --- linux-2.6.38.4/arch/x86/mm/pageattr.c 2011-03-14 21:20:32.000000000 -0400
19548 +++ linux-2.6.38.4/arch/x86/mm/pageattr.c 2011-04-17 15:57:32.000000000 -0400
19549 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
19551 #ifdef CONFIG_PCI_BIOS
19552 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
19553 - pgprot_val(forbidden) |= _PAGE_NX;
19554 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19558 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
19559 * Does not cover __inittext since that is gone later on. On
19560 * 64bit we do not enforce !NX on the low mapping
19562 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
19563 - pgprot_val(forbidden) |= _PAGE_NX;
19564 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
19565 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19567 +#ifdef CONFIG_DEBUG_RODATA
19569 * The .rodata section needs to be read-only. Using the pfn
19570 * catches all aliases.
19571 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
19572 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
19573 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
19574 pgprot_val(forbidden) |= _PAGE_RW;
19577 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
19579 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
19583 +#ifdef CONFIG_PAX_KERNEXEC
19584 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
19585 + pgprot_val(forbidden) |= _PAGE_RW;
19586 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19590 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
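Review bot: The new CONFIG_PAX_KERNEXEC check in static_protections compares `pfn` against byte physical addresses: `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)` are not shifted by PAGE_SHIFT, unlike the rodata check earlier in the same function, which passes `__pa(...) >> PAGE_SHIFT` to within(pfn, ...). As written the range is off by a factor of PAGE_SIZE, so the RW/NX restriction is applied to the wrong page frames and the kernel text/rodata it is meant to protect is likely not covered at all. Use `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. The remainder of static_protections lies outside this hunk.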
19593 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
19594 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
19596 /* change init_mm */
19597 + pax_open_kernel();
19598 set_pte_atomic(kpte, pte);
19600 #ifdef CONFIG_X86_32
19601 if (!SHARED_KERNEL_PMD) {
19603 +#ifdef CONFIG_PAX_PER_CPU_PGD
19604 + unsigned long cpu;
19609 +#ifdef CONFIG_PAX_PER_CPU_PGD
19610 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19611 + pgd_t *pgd = get_cpu_pgd(cpu);
19613 list_for_each_entry(page, &pgd_list, lru) {
19615 + pgd_t *pgd = (pgd_t *)page_address(page);
19621 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
19622 + pgd += pgd_index(address);
19623 pud = pud_offset(pgd, address);
19624 pmd = pmd_offset(pud, address);
19625 set_pte_atomic((pte_t *)pmd, pte);
19629 + pax_close_kernel();
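Review bot: Under CONFIG_PAX_PER_CPU_PGD, __set_pmd_pte iterates `for (cpu = 0; cpu < NR_CPUS; ++cpu)` and calls get_cpu_pgd(cpu) for every index up to the compile-time maximum rather than `for_each_possible_cpu(cpu)`; whether that is correct depends on how get_cpu_pgd() is backed (a static NR_CPUS-sized array is fine, a per-cpu area is not), and that is not visible here. A one-line comment on the loop stating which it is would settle it: `/* cpu_pgd is sized NR_CPUS, so every slot exists even for absent CPUs — TODO confirm */`. The pax_open_kernel()/pax_close_kernel() bracket now spans the whole function, which also deserves a word, since a reader sees only set_pte_atomic() inside and cannot tell that the per-cpu/pgd-list page directories are write-protected. The closing of the function is elided from the hunk.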
19633 diff -urNp linux-2.6.38.4/arch/x86/mm/pageattr-test.c linux-2.6.38.4/arch/x86/mm/pageattr-test.c
19634 --- linux-2.6.38.4/arch/x86/mm/pageattr-test.c 2011-03-14 21:20:32.000000000 -0400
19635 +++ linux-2.6.38.4/arch/x86/mm/pageattr-test.c 2011-04-17 15:57:32.000000000 -0400
19636 @@ -36,7 +36,7 @@ enum {
19638 static int pte_testbit(pte_t pte)
19640 - return pte_flags(pte) & _PAGE_UNUSED1;
19641 + return pte_flags(pte) & _PAGE_CPA_TEST;
19644 struct split_state {
19645 diff -urNp linux-2.6.38.4/arch/x86/mm/pat.c linux-2.6.38.4/arch/x86/mm/pat.c
19646 --- linux-2.6.38.4/arch/x86/mm/pat.c 2011-03-14 21:20:32.000000000 -0400
19647 +++ linux-2.6.38.4/arch/x86/mm/pat.c 2011-04-17 15:57:32.000000000 -0400
19648 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
19651 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
19652 - current->comm, current->pid, start, end);
19653 + current->comm, task_pid_nr(current), start, end);
19657 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
19658 while (cursor < to) {
19659 if (!devmem_is_allowed(pfn)) {
19661 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
19662 - current->comm, from, to);
19663 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
19664 + current->comm, from, to, cursor);
19667 cursor += PAGE_SIZE;
19668 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
19670 "%s:%d ioremap_change_attr failed %s "
19672 - current->comm, current->pid,
19673 + current->comm, task_pid_nr(current),
19675 base, (unsigned long long)(base + size));
19677 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
19678 if (want_flags != flags) {
19679 printk(KERN_WARNING
19680 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19681 - current->comm, current->pid,
19682 + current->comm, task_pid_nr(current),
19683 cattr_name(want_flags),
19684 (unsigned long long)paddr,
19685 (unsigned long long)(paddr + size),
19686 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
19687 free_memtype(paddr, paddr + size);
19688 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19689 " for %Lx-%Lx, got %s\n",
19690 - current->comm, current->pid,
19691 + current->comm, task_pid_nr(current),
19692 cattr_name(want_flags),
19693 (unsigned long long)paddr,
19694 (unsigned long long)(paddr + size),
19695 diff -urNp linux-2.6.38.4/arch/x86/mm/pgtable_32.c linux-2.6.38.4/arch/x86/mm/pgtable_32.c
19696 --- linux-2.6.38.4/arch/x86/mm/pgtable_32.c 2011-03-14 21:20:32.000000000 -0400
19697 +++ linux-2.6.38.4/arch/x86/mm/pgtable_32.c 2011-04-17 15:57:32.000000000 -0400
19698 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19701 pte = pte_offset_kernel(pmd, vaddr);
19703 + pax_open_kernel();
19704 if (pte_val(pteval))
19705 set_pte_at(&init_mm, vaddr, pte, pteval);
19707 pte_clear(&init_mm, vaddr, pte);
19708 + pax_close_kernel();
19711 * It's enough to flush this one mapping.
19712 diff -urNp linux-2.6.38.4/arch/x86/mm/pgtable.c linux-2.6.38.4/arch/x86/mm/pgtable.c
19713 --- linux-2.6.38.4/arch/x86/mm/pgtable.c 2011-04-18 17:27:13.000000000 -0400
19714 +++ linux-2.6.38.4/arch/x86/mm/pgtable.c 2011-04-17 15:57:32.000000000 -0400
19715 @@ -84,9 +84,58 @@ static inline void pgd_list_del(pgd_t *p
19716 list_del(&page->lru);
19719 -#define UNSHARED_PTRS_PER_PGD \
19720 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19721 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19722 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19724 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19727 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
19731 +#ifdef CONFIG_PAX_PER_CPU_PGD
19732 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19736 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19737 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19745 +#ifdef CONFIG_PAX_PER_CPU_PGD
19746 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
19747 +static inline void pgd_dtor(pgd_t *pgd) {}
19748 +#ifdef CONFIG_X86_64
19749 +#define pxd_t pud_t
19750 +#define pyd_t pgd_t
19751 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19752 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19753 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19754 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19755 +#define PYD_SIZE PGDIR_SIZE
19757 +#define pxd_t pmd_t
19758 +#define pyd_t pud_t
19759 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19760 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19761 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19762 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19763 +#define PYD_SIZE PUD_SIZE
19766 +#define pxd_t pmd_t
19767 +#define pyd_t pud_t
19768 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19769 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19770 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19771 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19772 +#define PYD_SIZE PUD_SIZE
19774 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
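Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` are non-static entry points that define the user/kernel page-directory split for CONFIG_PAX_MEMORY_UDEREF and CONFIG_PAX_PER_CPU_PGD, yet neither carries a comment, and `clone_pgd_mask` starts out as `~_PAGE_PRESENT` with no word on who later widens it or when. I would head `__shadow_user_pgds` with `/* UDEREF: copy user pgd entries as supervisor-only and, where the CPU supports it, NX — TODO state the invariant the shadow copy is meant to hold */` and `clone_pgd_mask` with `/* strips _PAGE_PRESENT from cloned user entries by default; presumably relaxed when UDEREF is unavailable — confirm the writer */`. `count` is a plain `int` in both helpers; if the elided loop is `while (count--)`, a negative count would run off the end, so `unsigned int count` or a `BUG_ON(count < 0)` is cheap insurance. The loop bodies and the `#else` arms of the pxd/pyd macro block are not visible in this hunk.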
19776 @@ -128,6 +177,7 @@ static void pgd_dtor(pgd_t *pgd)
19778 spin_unlock(&pgd_lock);
19783 * List of all pgd's needed for non-PAE so it can invalidate entries
19784 @@ -140,7 +190,7 @@ static void pgd_dtor(pgd_t *pgd)
19788 -#ifdef CONFIG_X86_PAE
19789 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19791 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19792 * updating the top-level pagetable entries to guarantee the
19793 @@ -152,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd)
19794 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19795 * and initialize the kernel pmds here.
19797 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19798 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19800 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19802 @@ -170,36 +220,38 @@ void pud_populate(struct mm_struct *mm,
19806 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19807 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19808 #else /* !CONFIG_X86_PAE */
19810 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19811 -#define PREALLOCATED_PMDS 0
19812 +#define PREALLOCATED_PXDS 0
19814 #endif /* CONFIG_X86_PAE */
19816 -static void free_pmds(pmd_t *pmds[])
19817 +static void free_pxds(pxd_t *pxds[])
19821 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19823 - free_page((unsigned long)pmds[i]);
19824 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19826 + free_page((unsigned long)pxds[i]);
19829 -static int preallocate_pmds(pmd_t *pmds[])
19830 +static int preallocate_pxds(pxd_t *pxds[])
19833 bool failed = false;
19835 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19836 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19838 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19839 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19852 @@ -212,51 +264,55 @@ static int preallocate_pmds(pmd_t *pmds[
19853 * preallocate which never got a corresponding vma will need to be
19856 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19857 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19861 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19862 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19863 pgd_t pgd = pgdp[i];
19865 if (pgd_val(pgd) != 0) {
19866 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19867 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19869 - pgdp[i] = native_make_pgd(0);
19870 + set_pgd(pgdp + i, native_make_pgd(0));
19872 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19873 - pmd_free(mm, pmd);
19874 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19875 + pxd_free(mm, pxd);
19880 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19881 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19885 unsigned long addr;
19888 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19889 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19892 - pud = pud_offset(pgd, 0);
19893 +#ifdef CONFIG_X86_64
19894 + pyd = pyd_offset(mm, 0L);
19896 + pyd = pyd_offset(pgd, 0L);
19899 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19900 - i++, pud++, addr += PUD_SIZE) {
19901 - pmd_t *pmd = pmds[i];
19902 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19903 + i++, pyd++, addr += PYD_SIZE) {
19904 + pxd_t *pxd = pxds[i];
19906 if (i >= KERNEL_PGD_BOUNDARY)
19907 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19908 - sizeof(pmd_t) * PTRS_PER_PMD);
19909 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19910 + sizeof(pxd_t) * PTRS_PER_PMD);
19912 - pud_populate(mm, pud, pmd);
19913 + pyd_populate(mm, pyd, pxd);
19917 pgd_t *pgd_alloc(struct mm_struct *mm)
19920 - pmd_t *pmds[PREALLOCATED_PMDS];
19921 + pxd_t *pxds[PREALLOCATED_PXDS];
19923 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
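Review bot: The memcpy in pgd_prepopulate_pxd copies `sizeof(pxd_t) * PTRS_PER_PMD` bytes even though `pxd_t` is `pud_t` in the 64-bit CONFIG_PAX_PER_CPU_PGD configuration; the byte count is right only because PTRS_PER_PMD and PTRS_PER_PUD coincide on x86-64, and nothing in the pxd/pyd macro block records that. Add a `PTRS_PER_PXD` alias beside the other pxd macros (PTRS_PER_PUD in the 64-bit arm, PTRS_PER_PMD in the others) and write `sizeof(pxd_t) * PTRS_PER_PXD`. Relatedly, the `#ifdef CONFIG_X86_64` arm `pyd = pyd_offset(mm, 0L)` hands `mm` to whatever pyd_offset expands to; in the non-per-cpu-pgd arm that is `pud_offset`, which takes a `pgd_t *`, and it appears to survive only because PREALLOCATED_PXDS is 0 there and the function returns early. The change from `pgdp[i] = native_make_pgd(0)` to `set_pgd()` in pgd_mop_up_pxds is the right call for paravirt and is worth a one-line comment so it is not "simplified" back.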
19925 @@ -265,11 +321,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19929 - if (preallocate_pmds(pmds) != 0)
19930 + if (preallocate_pxds(pxds) != 0)
19933 if (paravirt_pgd_alloc(mm) != 0)
19934 - goto out_free_pmds;
19935 + goto out_free_pxds;
19938 * Make sure that pre-populating the pmds is atomic with
19939 @@ -279,14 +335,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19940 spin_lock(&pgd_lock);
19943 - pgd_prepopulate_pmd(mm, pgd, pmds);
19944 + pgd_prepopulate_pxd(mm, pgd, pxds);
19946 spin_unlock(&pgd_lock);
19955 free_page((unsigned long)pgd);
19957 @@ -295,7 +351,7 @@ out:
19959 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19961 - pgd_mop_up_pmds(mm, pgd);
19962 + pgd_mop_up_pxds(mm, pgd);
19964 paravirt_pgd_free(mm, pgd);
19965 free_page((unsigned long)pgd);
19966 diff -urNp linux-2.6.38.4/arch/x86/mm/setup_nx.c linux-2.6.38.4/arch/x86/mm/setup_nx.c
19967 --- linux-2.6.38.4/arch/x86/mm/setup_nx.c 2011-03-14 21:20:32.000000000 -0400
19968 +++ linux-2.6.38.4/arch/x86/mm/setup_nx.c 2011-04-17 15:57:32.000000000 -0400
19970 #include <asm/pgtable.h>
19971 #include <asm/proto.h>
19973 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19974 static int disable_nx __cpuinitdata;
19976 +#ifndef CONFIG_PAX_PAGEEXEC
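Review bot: The `#ifndef CONFIG_PAX_PAGEEXEC` guard appears to compile out noexec_setup() and its `early_param("noexec", ...)` registration, so an administrator can no longer turn NX off from the command line on a PAGEEXEC build (`disable_nx` stays defined but is never set). That is the right call for an exploit-mitigation configuration, but it is an observable interface change and nothing in the hunk states it. Put the rationale at the guard: `/* PAGEEXEC relies on hardware NX where available; noexec=off is deliberately unavailable */`. The guarded body and the matching `#endif` are elided from this view.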
19980 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19983 early_param("noexec", noexec_setup);
19988 void __cpuinit x86_configure_nx(void)
19990 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19991 if (cpu_has_nx && !disable_nx)
19992 __supported_pte_mask |= _PAGE_NX;
19995 __supported_pte_mask &= ~_PAGE_NX;
19998 diff -urNp linux-2.6.38.4/arch/x86/mm/tlb.c linux-2.6.38.4/arch/x86/mm/tlb.c
19999 --- linux-2.6.38.4/arch/x86/mm/tlb.c 2011-03-14 21:20:32.000000000 -0400
20000 +++ linux-2.6.38.4/arch/x86/mm/tlb.c 2011-04-17 15:57:32.000000000 -0400
20002 #include <asm/uv/uv.h>
20004 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
20005 - = { &init_mm, 0, };
20006 + = { &init_mm, 0 };
20009 * Smarter SMP flushing macros.
20010 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
20012 cpumask_clear_cpu(cpu,
20013 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
20015 +#ifndef CONFIG_PAX_PER_CPU_PGD
20016 load_cr3(swapper_pg_dir);
20020 EXPORT_SYMBOL_GPL(leave_mm);
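Review bot: Skipping `load_cr3(swapper_pg_dir)` in leave_mm under CONFIG_PAX_PER_CPU_PGD leaves the CPU on whatever page directory it had, and the hunk does not say why that is safe: leave_mm exists so a lazy-TLB CPU stops referencing an mm whose page tables are about to be freed, and with a per-cpu pgd the user half of that pgd was cloned from the departing mm. If those entries are cleared or re-cloned on the next switch (not visible here), state it at the `#ifndef`: `/* PER_CPU_PGD: cr3 already points at this CPU's own pgd; its user half is replaced on the next switch_mm, so no reload is needed — TODO confirm */`. The cpumask update above the guard is unchanged and still needed.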
20022 diff -urNp linux-2.6.38.4/arch/x86/oprofile/backtrace.c linux-2.6.38.4/arch/x86/oprofile/backtrace.c
20023 --- linux-2.6.38.4/arch/x86/oprofile/backtrace.c 2011-03-14 21:20:32.000000000 -0400
20024 +++ linux-2.6.38.4/arch/x86/oprofile/backtrace.c 2011-04-17 15:57:32.000000000 -0400
20025 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
20026 struct stack_frame_ia32 *fp;
20028 /* Also check accessibility of one struct frame_head beyond */
20029 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
20030 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
20032 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
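Review bot: dump_user_backtrace_32 now calls `__access_ok()` in place of `access_ok()` and the reason is not recorded; presumably access_ok() does more than the bare range comparison in this tree and the profiling interrupt path cannot afford that, but a reader of this file cannot tell. Say so at the call: `/* __access_ok: bare range check only; we run from the profiling interrupt and must not touch user pages here */`. Since `head` comes straight from a user frame pointer, also confirm the underscore variant still rejects kernel addresses, otherwise the following __copy_from_user_inatomic() becomes a kernel-memory read primitive for the profiled task.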
20034 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
20036 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
20038 - if (!user_mode_vm(regs)) {
20039 + if (!user_mode(regs)) {
20040 unsigned long stack = kernel_stack_pointer(regs);
20042 dump_trace(NULL, regs, (unsigned long *)stack,
20043 diff -urNp linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c
20044 --- linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c 2011-03-14 21:20:32.000000000 -0400
20045 +++ linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c 2011-04-17 15:57:32.000000000 -0400
20046 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
20050 -static int inline addr_increment(void)
20051 +static inline int addr_increment(void)
20054 return smp_num_siblings == 2 ? 2 : 1;
20055 diff -urNp linux-2.6.38.4/arch/x86/pci/ce4100.c linux-2.6.38.4/arch/x86/pci/ce4100.c
20056 --- linux-2.6.38.4/arch/x86/pci/ce4100.c 2011-03-14 21:20:32.000000000 -0400
20057 +++ linux-2.6.38.4/arch/x86/pci/ce4100.c 2011-04-17 15:57:32.000000000 -0400
20058 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
20059 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
20062 -struct pci_raw_ops ce4100_pci_conf = {
20063 +const struct pci_raw_ops ce4100_pci_conf = {
20064 .read = ce4100_conf_read,
20065 .write = ce4100_conf_write,
20067 diff -urNp linux-2.6.38.4/arch/x86/pci/common.c linux-2.6.38.4/arch/x86/pci/common.c
20068 --- linux-2.6.38.4/arch/x86/pci/common.c 2011-03-14 21:20:32.000000000 -0400
20069 +++ linux-2.6.38.4/arch/x86/pci/common.c 2011-04-17 15:57:32.000000000 -0400
20070 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
20071 int pcibios_last_bus = -1;
20072 unsigned long pirq_table_addr;
20073 struct pci_bus *pci_root_bus;
20074 -struct pci_raw_ops *raw_pci_ops;
20075 -struct pci_raw_ops *raw_pci_ext_ops;
20076 +const struct pci_raw_ops *raw_pci_ops;
20077 +const struct pci_raw_ops *raw_pci_ext_ops;
20079 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
20080 int reg, int len, u32 *val)
20081 @@ -423,7 +423,7 @@ static const struct dmi_system_id __devi
20082 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
20086 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
20089 void __init dmi_check_pciprobe(void)
20090 diff -urNp linux-2.6.38.4/arch/x86/pci/direct.c linux-2.6.38.4/arch/x86/pci/direct.c
20091 --- linux-2.6.38.4/arch/x86/pci/direct.c 2011-03-14 21:20:32.000000000 -0400
20092 +++ linux-2.6.38.4/arch/x86/pci/direct.c 2011-04-17 15:57:32.000000000 -0400
20093 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
20095 #undef PCI_CONF1_ADDRESS
20097 -struct pci_raw_ops pci_direct_conf1 = {
20098 +const struct pci_raw_ops pci_direct_conf1 = {
20099 .read = pci_conf1_read,
20100 .write = pci_conf1_write,
20102 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
20104 #undef PCI_CONF2_ADDRESS
20106 -struct pci_raw_ops pci_direct_conf2 = {
20107 +const struct pci_raw_ops pci_direct_conf2 = {
20108 .read = pci_conf2_read,
20109 .write = pci_conf2_write,
20111 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
20112 * This should be close to trivial, but it isn't, because there are buggy
20113 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
20115 -static int __init pci_sanity_check(struct pci_raw_ops *o)
20116 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
20120 diff -urNp linux-2.6.38.4/arch/x86/pci/fixup.c linux-2.6.38.4/arch/x86/pci/fixup.c
20121 --- linux-2.6.38.4/arch/x86/pci/fixup.c 2011-03-14 21:20:32.000000000 -0400
20122 +++ linux-2.6.38.4/arch/x86/pci/fixup.c 2011-04-17 15:57:32.000000000 -0400
20123 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
20124 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
20128 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20132 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
20133 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
20137 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20140 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
20141 diff -urNp linux-2.6.38.4/arch/x86/pci/irq.c linux-2.6.38.4/arch/x86/pci/irq.c
20142 --- linux-2.6.38.4/arch/x86/pci/irq.c 2011-03-14 21:20:32.000000000 -0400
20143 +++ linux-2.6.38.4/arch/x86/pci/irq.c 2011-04-17 15:57:32.000000000 -0400
20144 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
20145 static struct pci_device_id __initdata pirq_440gx[] = {
20146 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
20147 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
20149 + { PCI_DEVICE(0, 0) }
20152 /* 440GX has a proprietary PIRQ router -- don't use it */
20153 @@ -1115,7 +1115,7 @@ static struct dmi_system_id __initdata p
20154 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
20158 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20161 void __init pcibios_irq_init(void)
20162 diff -urNp linux-2.6.38.4/arch/x86/pci/mmconfig_32.c linux-2.6.38.4/arch/x86/pci/mmconfig_32.c
20163 --- linux-2.6.38.4/arch/x86/pci/mmconfig_32.c 2011-03-14 21:20:32.000000000 -0400
20164 +++ linux-2.6.38.4/arch/x86/pci/mmconfig_32.c 2011-04-17 15:57:32.000000000 -0400
20165 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
20169 -static struct pci_raw_ops pci_mmcfg = {
20170 +static const struct pci_raw_ops pci_mmcfg = {
20171 .read = pci_mmcfg_read,
20172 .write = pci_mmcfg_write,
20174 diff -urNp linux-2.6.38.4/arch/x86/pci/mmconfig_64.c linux-2.6.38.4/arch/x86/pci/mmconfig_64.c
20175 --- linux-2.6.38.4/arch/x86/pci/mmconfig_64.c 2011-03-14 21:20:32.000000000 -0400
20176 +++ linux-2.6.38.4/arch/x86/pci/mmconfig_64.c 2011-04-17 15:57:32.000000000 -0400
20177 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
20181 -static struct pci_raw_ops pci_mmcfg = {
20182 +static const struct pci_raw_ops pci_mmcfg = {
20183 .read = pci_mmcfg_read,
20184 .write = pci_mmcfg_write,
20186 diff -urNp linux-2.6.38.4/arch/x86/pci/numaq_32.c linux-2.6.38.4/arch/x86/pci/numaq_32.c
20187 --- linux-2.6.38.4/arch/x86/pci/numaq_32.c 2011-03-14 21:20:32.000000000 -0400
20188 +++ linux-2.6.38.4/arch/x86/pci/numaq_32.c 2011-04-17 15:57:32.000000000 -0400
20189 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
20191 #undef PCI_CONF1_MQ_ADDRESS
20193 -static struct pci_raw_ops pci_direct_conf1_mq = {
20194 +static const struct pci_raw_ops pci_direct_conf1_mq = {
20195 .read = pci_conf1_mq_read,
20196 .write = pci_conf1_mq_write
20198 diff -urNp linux-2.6.38.4/arch/x86/pci/olpc.c linux-2.6.38.4/arch/x86/pci/olpc.c
20199 --- linux-2.6.38.4/arch/x86/pci/olpc.c 2011-03-14 21:20:32.000000000 -0400
20200 +++ linux-2.6.38.4/arch/x86/pci/olpc.c 2011-04-17 15:57:32.000000000 -0400
20201 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
20205 -static struct pci_raw_ops pci_olpc_conf = {
20206 +static const struct pci_raw_ops pci_olpc_conf = {
20207 .read = pci_olpc_read,
20208 .write = pci_olpc_write,
20210 diff -urNp linux-2.6.38.4/arch/x86/pci/pcbios.c linux-2.6.38.4/arch/x86/pci/pcbios.c
20211 --- linux-2.6.38.4/arch/x86/pci/pcbios.c 2011-03-14 21:20:32.000000000 -0400
20212 +++ linux-2.6.38.4/arch/x86/pci/pcbios.c 2011-04-17 15:57:32.000000000 -0400
20213 @@ -79,50 +79,93 @@ union bios32 {
20215 unsigned long address;
20216 unsigned short segment;
20217 -} bios32_indirect = { 0, __KERNEL_CS };
20218 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
20221 * Returns the entry point for the given service, NULL on error
20224 -static unsigned long bios32_service(unsigned long service)
20225 +static unsigned long __devinit bios32_service(unsigned long service)
20227 unsigned char return_code; /* %al */
20228 unsigned long address; /* %ebx */
20229 unsigned long length; /* %ecx */
20230 unsigned long entry; /* %edx */
20231 unsigned long flags;
20232 + struct desc_struct d, *gdt;
20234 local_irq_save(flags);
20235 - __asm__("lcall *(%%edi); cld"
20237 + gdt = get_cpu_gdt_table(smp_processor_id());
20239 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
20240 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
20241 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
20242 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
20244 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
20245 : "=a" (return_code),
20251 - "D" (&bios32_indirect));
20252 + "D" (&bios32_indirect),
20253 + "r"(__PCIBIOS_DS)
20256 + pax_open_kernel();
20257 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
20258 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
20259 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
20260 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
20261 + pax_close_kernel();
20263 local_irq_restore(flags);
20265 switch (return_code) {
20267 - return address + entry;
20268 - case 0x80: /* Not present */
20269 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
20271 - default: /* Shouldn't happen */
20272 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
20273 - service, return_code);
20276 + unsigned char flags;
20278 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
20279 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
20280 + printk(KERN_WARNING "bios32_service: not valid\n");
20283 + address = address + PAGE_OFFSET;
20284 + length += 16UL; /* some BIOSs underreport this... */
20286 + if (length >= 64*1024*1024) {
20287 + length >>= PAGE_SHIFT;
20291 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
20292 + gdt = get_cpu_gdt_table(cpu);
20293 + pack_descriptor(&d, address, length, 0x9b, flags);
20294 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
20295 + pack_descriptor(&d, address, length, 0x93, flags);
20296 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
20300 + case 0x80: /* Not present */
20301 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
20303 + default: /* Shouldn't happen */
20304 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
20305 + service, return_code);
20311 unsigned long address;
20312 unsigned short segment;
20313 -} pci_indirect = { 0, __KERNEL_CS };
20314 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
20316 -static int pci_bios_present;
20317 +static int pci_bios_present __read_only;
20319 static int __devinit check_pcibios(void)
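Review bot: The temporary descriptors that bios32_service installs with write_gdt_entry() are torn down by storing to the `.a`/`.b` fields of the GDT entries directly, which bypasses the paravirt write_gdt_entry path the installation used; on a paravirtualized guest those direct stores would not reach the descriptor table the hypervisor actually consults. Clear them the same way they were set, assuming write_gdt_entry() handles whatever write-protection the direct stores needed pax_open_kernel() for: `memset(&d, 0, sizeof(d)); write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S); write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);`. Two smaller points: the first `lcall *(%%edi)` runs right after `%ds` is switched to the freshly built PCIBIOS_DS selector and, unlike every other call site in this file, carries no `%%ss:` override, so it only works because that temporary data segment happens to be flat; and the install loop runs `for (cpu = 0; cpu < NR_CPUS; cpu++)` rather than `for_each_possible_cpu()`, so it presumably writes the GDT pages of CPUs that do not exist. The BIOS code is still entered at ring 0 (`0x9B`), so the new segment limits bound its segment-relative accesses but do not otherwise sandbox it; that is worth stating in a comment above the descriptor setup. The `flags` assignments and the success-path return are elided from the hunk.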
20321 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
20322 unsigned long flags, pcibios_entry;
20324 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
20325 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
20326 + pci_indirect.address = pcibios_entry;
20328 local_irq_save(flags);
20330 - "lcall *(%%edi); cld\n\t"
20331 + __asm__("movw %w6, %%ds\n\t"
20332 + "lcall *%%ss:(%%edi); cld\n\t"
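Review bot: `pci_indirect.address = pcibios_entry;` stores into an object the earlier hunk in this file declares `__read_only` (as is `pci_bios_present`), and no pax_open_kernel() pairing is visible around the assignment. Presumably this relies on check_pcibios being `__devinit` and running before the read-only data section is sealed; that ordering constraint should be stated where the store happens, `/* pci_indirect is __read_only: this store must occur at init time, before read-only data is sealed */`, because a later hot-plug style caller would fault. The asm operand list and the rest of check_pcibios are outside the visible part of the hunk.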
20338 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
20341 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
20342 - "D" (&pci_indirect)
20343 + "D" (&pci_indirect),
20344 + "r" (__PCIBIOS_DS)
20346 local_irq_restore(flags);
20348 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
20352 - __asm__("lcall *(%%esi); cld\n\t"
20353 + __asm__("movw %w6, %%ds\n\t"
20354 + "lcall *%%ss:(%%esi); cld\n\t"
20360 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
20361 : "1" (PCIBIOS_READ_CONFIG_BYTE),
20364 - "S" (&pci_indirect));
20365 + "S" (&pci_indirect),
20366 + "r" (__PCIBIOS_DS));
20368 * Zero-extend the result beyond 8 bits, do not trust the
20369 * BIOS having done it:
20370 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
20374 - __asm__("lcall *(%%esi); cld\n\t"
20375 + __asm__("movw %w6, %%ds\n\t"
20376 + "lcall *%%ss:(%%esi); cld\n\t"
20382 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
20383 : "1" (PCIBIOS_READ_CONFIG_WORD),
20386 - "S" (&pci_indirect));
20387 + "S" (&pci_indirect),
20388 + "r" (__PCIBIOS_DS));
20390 * Zero-extend the result beyond 16 bits, do not trust the
20391 * BIOS having done it:
20392 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
20396 - __asm__("lcall *(%%esi); cld\n\t"
20397 + __asm__("movw %w6, %%ds\n\t"
20398 + "lcall *%%ss:(%%esi); cld\n\t"
20404 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
20405 : "1" (PCIBIOS_READ_CONFIG_DWORD),
20408 - "S" (&pci_indirect));
20409 + "S" (&pci_indirect),
20410 + "r" (__PCIBIOS_DS));
20414 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
20418 - __asm__("lcall *(%%esi); cld\n\t"
20419 + __asm__("movw %w6, %%ds\n\t"
20420 + "lcall *%%ss:(%%esi); cld\n\t"
20426 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
20430 - "S" (&pci_indirect));
20431 + "S" (&pci_indirect),
20432 + "r" (__PCIBIOS_DS));
20435 - __asm__("lcall *(%%esi); cld\n\t"
20436 + __asm__("movw %w6, %%ds\n\t"
20437 + "lcall *%%ss:(%%esi); cld\n\t"
20443 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
20447 - "S" (&pci_indirect));
20448 + "S" (&pci_indirect),
20449 + "r" (__PCIBIOS_DS));
20452 - __asm__("lcall *(%%esi); cld\n\t"
20453 + __asm__("movw %w6, %%ds\n\t"
20454 + "lcall *%%ss:(%%esi); cld\n\t"
20460 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
20464 - "S" (&pci_indirect));
20465 + "S" (&pci_indirect),
20466 + "r" (__PCIBIOS_DS));
20470 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
20471 * Function table for BIOS32 access
20474 -static struct pci_raw_ops pci_bios_access = {
20475 +static const struct pci_raw_ops pci_bios_access = {
20476 .read = pci_bios_read,
20477 .write = pci_bios_write
20479 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
20480 * Try to find PCI BIOS.
20483 -static struct pci_raw_ops * __devinit pci_find_bios(void)
20484 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
20486 union bios32 *check;
20488 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
20490 DBG("PCI: Fetching IRQ routing table... ");
20491 __asm__("push %%es\n\t"
20492 + "movw %w8, %%ds\n\t"
20495 - "lcall *(%%esi); cld\n\t"
20496 + "lcall *%%ss:(%%esi); cld\n\t"
20503 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
20506 "S" (&pci_indirect),
20509 + "r" (__PCIBIOS_DS)
20511 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
20513 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
20517 - __asm__("lcall *(%%esi); cld\n\t"
20518 + __asm__("movw %w5, %%ds\n\t"
20519 + "lcall *%%ss:(%%esi); cld\n\t"
20525 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
20526 : "0" (PCIBIOS_SET_PCI_HW_INT),
20527 "b" ((dev->bus->number << 8) | dev->devfn),
20528 "c" ((irq << 8) | (pin + 10)),
20529 - "S" (&pci_indirect));
20530 + "S" (&pci_indirect),
20531 + "r" (__PCIBIOS_DS));
20532 return !(ret & 0xff00);
20534 EXPORT_SYMBOL(pcibios_set_irq_routing);
20535 diff -urNp linux-2.6.38.4/arch/x86/platform/efi/efi_32.c linux-2.6.38.4/arch/x86/platform/efi/efi_32.c
20536 --- linux-2.6.38.4/arch/x86/platform/efi/efi_32.c 2011-03-14 21:20:32.000000000 -0400
20537 +++ linux-2.6.38.4/arch/x86/platform/efi/efi_32.c 2011-04-17 15:57:32.000000000 -0400
20538 @@ -38,70 +38,37 @@
20541 static unsigned long efi_rt_eflags;
20542 -static pgd_t efi_bak_pg_dir_pointer[2];
20543 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
20545 -void efi_call_phys_prelog(void)
20546 +void __init efi_call_phys_prelog(void)
20548 - unsigned long cr4;
20549 - unsigned long temp;
20550 struct desc_ptr gdt_descr;
20552 local_irq_save(efi_rt_eflags);
20555 - * If I don't have PAE, I should just duplicate two entries in page
20556 - * directory. If I have PAE, I just need to duplicate one entry in
20557 - * page directory.
20559 - cr4 = read_cr4_safe();
20561 - if (cr4 & X86_CR4_PAE) {
20562 - efi_bak_pg_dir_pointer[0].pgd =
20563 - swapper_pg_dir[pgd_index(0)].pgd;
20564 - swapper_pg_dir[0].pgd =
20565 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
20567 - efi_bak_pg_dir_pointer[0].pgd =
20568 - swapper_pg_dir[pgd_index(0)].pgd;
20569 - efi_bak_pg_dir_pointer[1].pgd =
20570 - swapper_pg_dir[pgd_index(0x400000)].pgd;
20571 - swapper_pg_dir[pgd_index(0)].pgd =
20572 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
20573 - temp = PAGE_OFFSET + 0x400000;
20574 - swapper_pg_dir[pgd_index(0x400000)].pgd =
20575 - swapper_pg_dir[pgd_index(temp)].pgd;
20577 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
20578 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20579 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
20582 * After the lock is released, the original page table is restored.
20586 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
20587 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
20588 gdt_descr.size = GDT_SIZE - 1;
20589 load_gdt(&gdt_descr);
20592 -void efi_call_phys_epilog(void)
20593 +void __init efi_call_phys_epilog(void)
20595 - unsigned long cr4;
20596 struct desc_ptr gdt_descr;
20598 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
20599 + gdt_descr.address = get_cpu_gdt_table(0);
20600 gdt_descr.size = GDT_SIZE - 1;
20601 load_gdt(&gdt_descr);
20603 - cr4 = read_cr4_safe();
20605 - if (cr4 & X86_CR4_PAE) {
20606 - swapper_pg_dir[pgd_index(0)].pgd =
20607 - efi_bak_pg_dir_pointer[0].pgd;
20609 - swapper_pg_dir[pgd_index(0)].pgd =
20610 - efi_bak_pg_dir_pointer[0].pgd;
20611 - swapper_pg_dir[pgd_index(0x400000)].pgd =
20612 - efi_bak_pg_dir_pointer[1].pgd;
20614 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
20617 * After the lock is released, the original page table is restored.
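Review bot: `efi_bak_pg_dir_pointer` becomes `__initdata` and both `efi_call_phys_prelog()`/`efi_call_phys_epilog()` become `__init`, so any caller that runs after `free_initmem()` would save into and restore from freed memory; the callers live in efi.c outside this hunk, so confirm every one of them is `__init` as well. The whole-range `clone_pgd_range()` calls that replace the PAE/non-PAE two-entry dance deserve a comment, because the reader no longer sees why the user half of `swapper_pg_dir` is overwritten, e.g. `/* Mirror the kernel half of swapper_pg_dir into the user half so the low 1:1 mapping EFI needs exists; the user half is saved first and restored in efi_call_phys_epilog(). */` (presumably the intent, given the "lower virtual memory" comment in efi_stub_32.S). The `(struct desc_struct *)__pa(...)` cast stores a physical address in a pointer-typed field; a one-line comment that this is intentional for the flat-mode GDT load would stop a later cleanup from "fixing" it.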
20618 diff -urNp linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S
20619 --- linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S 2011-03-14 21:20:32.000000000 -0400
20620 +++ linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S 2011-04-17 15:57:32.000000000 -0400
20624 #include <linux/linkage.h>
20625 +#include <linux/init.h>
20626 #include <asm/page_types.h>
20630 * service functions will comply with gcc calling convention, too.
20635 ENTRY(efi_call_phys)
20637 * 0. The function can only be called in Linux kernel. So CS has been
20638 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
20639 * The mapping of lower virtual memory has been created in prelog and
20643 - subl $__PAGE_OFFSET, %edx
20645 + jmp 1f-__PAGE_OFFSET
20649 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
20650 * parameter 2, ..., param n. To make things easy, we save the return
20651 * address of efi_call_phys in a global variable.
20654 - movl %edx, saved_return_addr
20655 - /* get the function pointer into ECX*/
20657 - movl %ecx, efi_rt_function_ptr
20659 - subl $__PAGE_OFFSET, %edx
20661 + popl (saved_return_addr)
20662 + popl (efi_rt_function_ptr)
20665 * 3. Clear PG bit in %CR0.
20666 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
20668 * 5. Call the physical function.
20671 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
20675 * 6. After EFI runtime service returns, control will return to
20676 * following instruction. We'd better readjust stack pointer first.
20677 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
20679 orl $0x80000000, %edx
20685 * 8. Now restore the virtual mode from flat mode by
20686 * adding EIP with PAGE_OFFSET.
20690 + jmp 1f+__PAGE_OFFSET
20694 * 9. Balance the stack. And because EAX contain the return value,
20695 * we'd better not clobber it.
20697 - leal efi_rt_function_ptr, %edx
20698 - movl (%edx), %ecx
20700 + pushl (efi_rt_function_ptr)
20703 - * 10. Push the saved return address onto the stack and return.
20704 + * 10. Return to the saved return address.
20706 - leal saved_return_addr, %edx
20707 - movl (%edx), %ecx
20710 + jmpl *(saved_return_addr)
20711 ENDPROC(efi_call_phys)
20718 efi_rt_function_ptr:
20719 diff -urNp linux-2.6.38.4/arch/x86/power/cpu.c linux-2.6.38.4/arch/x86/power/cpu.c
20720 --- linux-2.6.38.4/arch/x86/power/cpu.c 2011-03-14 21:20:32.000000000 -0400
20721 +++ linux-2.6.38.4/arch/x86/power/cpu.c 2011-04-17 15:57:32.000000000 -0400
20722 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
20723 static void fix_processor_context(void)
20725 int cpu = smp_processor_id();
20726 - struct tss_struct *t = &per_cpu(init_tss, cpu);
20727 + struct tss_struct *t = init_tss + cpu;
20729 set_tss_desc(cpu, t); /*
20730 * This just modifies memory; should not be
20731 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
20734 #ifdef CONFIG_X86_64
20735 + pax_open_kernel();
20736 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
20737 + pax_close_kernel();
20739 syscall_init(); /* This sets MSR_*STAR and related */
20741 diff -urNp linux-2.6.38.4/arch/x86/vdso/Makefile linux-2.6.38.4/arch/x86/vdso/Makefile
20742 --- linux-2.6.38.4/arch/x86/vdso/Makefile 2011-03-14 21:20:32.000000000 -0400
20743 +++ linux-2.6.38.4/arch/x86/vdso/Makefile 2011-04-17 15:57:32.000000000 -0400
20744 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
20745 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
20746 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
20748 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20749 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20753 diff -urNp linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c
20754 --- linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c 2011-03-14 21:20:32.000000000 -0400
20755 +++ linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c 2011-04-17 15:57:32.000000000 -0400
20756 @@ -22,24 +22,48 @@
20757 #include <asm/hpet.h>
20758 #include <asm/unistd.h>
20759 #include <asm/io.h>
20760 +#include <asm/fixmap.h>
20761 #include "vextern.h"
20763 #define gtod vdso_vsyscall_gtod_data
20765 +notrace noinline long __vdso_fallback_time(long *t)
20768 + asm volatile("syscall"
20770 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20774 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20777 asm("syscall" : "=a" (ret) :
20778 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20779 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20783 +notrace static inline cycle_t __vdso_vread_hpet(void)
20785 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20788 +notrace static inline cycle_t __vdso_vread_tsc(void)
20790 + cycle_t ret = (cycle_t)vget_cycles();
20792 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20795 notrace static inline long vgetns(void)
20798 - cycles_t (*vread)(void);
20799 - vread = gtod->clock.vread;
20800 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20801 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20802 + v = __vdso_vread_tsc();
20804 + v = __vdso_vread_hpet();
20805 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20806 return (v * gtod->clock.mult) >> gtod->clock.shift;
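Review bot: The byte-by-byte clocksource-name comparison in `vgetns()` is open-coded again, twice, in the `__vdso_clock_gettime` and `__vdso_gettimeofday` hunks below, which is both hard to read and easy to desynchronise; factor it into two `notrace static inline` predicates (presumably `strcmp()` is avoided because the vDSO cannot reach kernel symbols — that reason should be stated in a comment). The `readl(... + 0xf0)` in `__vdso_vread_hpet()` should use `HPET_COUNTER` from the already-included asm/hpet.h instead of the bare offset. Note also that the removed `vread` indirection is still tested as context in the `CLOCK_REALTIME` case of `__vdso_clock_gettime` (`if (likely(gtod->clock.vread))`), so the two entry points now gate on different conditions; whether that is intended is not visible here.
```c
/* The vDSO cannot call the kernel's strcmp(); compare the name inline. */
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *n = gtod->clock.name;
	return n[0] == 't' && n[1] == 's' && n[2] == 'c' && !n[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *n = gtod->clock.name;
	return n[0] == 'h' && n[1] == 'p' && n[2] == 'e' && n[3] == 't' && !n[4];
}

notrace static inline cycle_t __vdso_vread_hpet(void)
{
	return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + HPET_COUNTER);
}
/* … unchanged: __vdso_vread_tsc … */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
```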
20809 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20811 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20813 - if (likely(gtod->sysctl_enabled))
20814 + if (likely(gtod->sysctl_enabled &&
20815 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20816 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20818 case CLOCK_REALTIME:
20819 if (likely(gtod->clock.vread))
20820 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20821 int clock_gettime(clockid_t, struct timespec *)
20822 __attribute__((weak, alias("__vdso_clock_gettime")));
20824 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20825 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20828 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20829 + asm("syscall" : "=a" (ret) :
20830 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20834 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20836 + if (likely(gtod->sysctl_enabled &&
20837 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20838 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20840 if (likely(tv != NULL)) {
20841 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20842 offsetof(struct timespec, tv_nsec) ||
20843 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20847 - asm("syscall" : "=a" (ret) :
20848 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20850 + return __vdso_fallback_gettimeofday(tv, tz);
20852 int gettimeofday(struct timeval *, struct timezone *)
20853 __attribute__((weak, alias("__vdso_gettimeofday")));
20854 diff -urNp linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c
20855 --- linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c 2011-03-14 21:20:32.000000000 -0400
20856 +++ linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c 2011-04-17 15:57:32.000000000 -0400
20858 #include <asm/tlbflush.h>
20859 #include <asm/vdso.h>
20860 #include <asm/proto.h>
20861 +#include <asm/mman.h>
20865 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20866 void enable_sep_cpu(void)
20868 int cpu = get_cpu();
20869 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20870 + struct tss_struct *tss = init_tss + cpu;
20872 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20874 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20875 gate_vma.vm_start = FIXADDR_USER_START;
20876 gate_vma.vm_end = FIXADDR_USER_END;
20877 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20878 - gate_vma.vm_page_prot = __P101;
20879 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20881 * Make sure the vDSO gets into every core dump.
20882 * Dumping its contents makes post-mortem fully interpretable later
20883 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20885 addr = VDSO_HIGH_BASE;
20887 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20888 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20889 if (IS_ERR_VALUE(addr)) {
20895 - current->mm->context.vdso = (void *)addr;
20896 + current->mm->context.vdso = addr;
20898 if (compat_uses_vma || !compat) {
20900 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20903 current_thread_info()->sysenter_return =
20904 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20905 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20909 - current->mm->context.vdso = NULL;
20910 + current->mm->context.vdso = 0;
20912 up_write(&mm->mmap_sem);
20914 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20916 const char *arch_vma_name(struct vm_area_struct *vma)
20918 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20919 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20922 +#ifdef CONFIG_PAX_SEGMEXEC
20923 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20930 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20931 struct mm_struct *mm = tsk->mm;
20933 /* Check to see if this task was created in compat vdso mode */
20934 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20935 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20939 diff -urNp linux-2.6.38.4/arch/x86/vdso/vdso.lds.S linux-2.6.38.4/arch/x86/vdso/vdso.lds.S
20940 --- linux-2.6.38.4/arch/x86/vdso/vdso.lds.S 2011-03-14 21:20:32.000000000 -0400
20941 +++ linux-2.6.38.4/arch/x86/vdso/vdso.lds.S 2011-04-17 15:57:32.000000000 -0400
20942 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20943 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20944 #include "vextern.h"
20947 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20948 +VEXTERN(fallback_gettimeofday)
20949 +VEXTERN(fallback_time)
20952 diff -urNp linux-2.6.38.4/arch/x86/vdso/vextern.h linux-2.6.38.4/arch/x86/vdso/vextern.h
20953 --- linux-2.6.38.4/arch/x86/vdso/vextern.h 2011-03-14 21:20:32.000000000 -0400
20954 +++ linux-2.6.38.4/arch/x86/vdso/vextern.h 2011-04-17 15:57:32.000000000 -0400
20956 put into vextern.h and be referenced as a pointer with vdso prefix.
20957 The main kernel later fills in the values. */
20960 VEXTERN(vgetcpu_mode)
20961 VEXTERN(vsyscall_gtod_data)
20962 diff -urNp linux-2.6.38.4/arch/x86/vdso/vma.c linux-2.6.38.4/arch/x86/vdso/vma.c
20963 --- linux-2.6.38.4/arch/x86/vdso/vma.c 2011-03-14 21:20:32.000000000 -0400
20964 +++ linux-2.6.38.4/arch/x86/vdso/vma.c 2011-04-17 15:57:32.000000000 -0400
20965 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20969 - if (memcmp(vbase, "\177ELF", 4)) {
20970 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20971 printk("VDSO: I'm broken; not ELF\n");
20974 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20978 - current->mm->context.vdso = (void *)addr;
20979 + current->mm->context.vdso = addr;
20981 ret = install_special_mapping(mm, addr, vdso_size,
20983 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20987 - current->mm->context.vdso = NULL;
20988 + current->mm->context.vdso = 0;
20992 @@ -134,10 +134,3 @@ up_fail:
20993 up_write(&mm->mmap_sem);
20997 -static __init int vdso_setup(char *s)
20999 - vdso_enabled = simple_strtoul(s, NULL, 0);
21002 -__setup("vdso=", vdso_setup);
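Review bot: Deleting `vdso_setup()` together with `__setup("vdso=", vdso_setup)` removes the 64-bit `vdso=` boot parameter, but the Documentation/kernel-parameters.txt hunk in this patch only adds `pax_nouderef`/`pax_softmode` entries as far as its visible lines show, so the documented knob would silently stop working. Either keep the handler or drop the documentation entry in the same patch, and if `vdso_enabled` is now meant to be fixed or controlled elsewhere, say so in a comment at its definition (outside this hunk).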
21003 diff -urNp linux-2.6.38.4/arch/x86/xen/enlighten.c linux-2.6.38.4/arch/x86/xen/enlighten.c
21004 --- linux-2.6.38.4/arch/x86/xen/enlighten.c 2011-03-14 21:20:32.000000000 -0400
21005 +++ linux-2.6.38.4/arch/x86/xen/enlighten.c 2011-04-17 15:57:32.000000000 -0400
21006 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
21008 struct shared_info xen_dummy_shared_info;
21010 -void *xen_initial_gdt;
21012 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
21013 __read_mostly int xen_have_vector_callback;
21014 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
21015 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
21016 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
21018 /* Work out if we support NX */
21019 - x86_configure_nx();
21020 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21021 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
21022 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
21025 + __supported_pte_mask |= _PAGE_NX;
21026 + rdmsr(MSR_EFER, l, h);
21028 + wrmsr(MSR_EFER, l, h);
21032 xen_setup_features();
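Review bot: The open-coded NX probe that replaces `x86_configure_nx()` mixes raw constants (`0x80000000`, `0xffff0000`, `X86_FEATURE_NX & 31`) with a direct `rdmsr`/`wrmsr` of `MSR_EFER`, and nothing states why the generic helper is no longer adequate at this point of `xen_start_kernel()`; add a comment giving the reason (presumably the cpu-feature bits the helper relies on are not populated yet — confirm) and naming the CPUID leaf, e.g. `/* Probe CPUID 0x80000001 EDX for NX directly and enable EFER.NX ourselves */`. Under a PV guest the `wrmsr` goes through the paravirt MSR op, so confirm the hypervisor honours (or already provides) EFER.NX rather than ignoring the write while `_PAGE_NX` is being added to `__supported_pte_mask`. The `#else` side of the `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` block and the local declarations are not visible in this hunk.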
21034 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
21036 machine_ops = xen_machine_ops;
21039 - * The only reliable way to retain the initial address of the
21040 - * percpu gdt_page is to remember it here, so we can go and
21041 - * mark it RW later, when the initial percpu area is freed.
21043 - xen_initial_gdt = &per_cpu(gdt_page, 0);
21047 #ifdef CONFIG_ACPI_NUMA
21048 diff -urNp linux-2.6.38.4/arch/x86/xen/mmu.c linux-2.6.38.4/arch/x86/xen/mmu.c
21049 --- linux-2.6.38.4/arch/x86/xen/mmu.c 2011-04-18 17:27:16.000000000 -0400
21050 +++ linux-2.6.38.4/arch/x86/xen/mmu.c 2011-04-17 15:57:32.000000000 -0400
21051 @@ -1721,6 +1721,8 @@ __init pgd_t *xen_setup_kernel_pagetable
21052 convert_pfn_mfn(init_level4_pgt);
21053 convert_pfn_mfn(level3_ident_pgt);
21054 convert_pfn_mfn(level3_kernel_pgt);
21055 + convert_pfn_mfn(level3_vmalloc_pgt);
21056 + convert_pfn_mfn(level3_vmemmap_pgt);
21058 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
21059 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
21060 @@ -1739,7 +1741,10 @@ __init pgd_t *xen_setup_kernel_pagetable
21061 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
21062 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
21063 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
21064 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
21065 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
21066 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
21067 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
21068 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
21069 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
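Review bot: `level2_vmemmap_pgt` is made read-only here but, unlike `level3_vmalloc_pgt` and `level3_vmemmap_pgt` in the preceding hunk, it is not passed through `convert_pfn_mfn()`; if it carries pre-constructed PFN-based entries the way the level3 tables do, those entries would be pinned unconverted. Confirm it is empty or already MFN-based at this point and record that next to the call, e.g. `/* level2_vmemmap_pgt has no pre-built pfn entries, so no convert_pfn_mfn() needed */`. The new tables themselves are defined outside this file.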
21071 diff -urNp linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c
21072 --- linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c 2011-03-14 21:20:32.000000000 -0400
21073 +++ linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c 2011-04-17 15:57:32.000000000 -0400
21076 int xen_swiotlb __read_mostly;
21078 -static struct dma_map_ops xen_swiotlb_dma_ops = {
21079 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
21080 .mapping_error = xen_swiotlb_dma_mapping_error,
21081 .alloc_coherent = xen_swiotlb_alloc_coherent,
21082 .free_coherent = xen_swiotlb_free_coherent,
21083 diff -urNp linux-2.6.38.4/arch/x86/xen/smp.c linux-2.6.38.4/arch/x86/xen/smp.c
21084 --- linux-2.6.38.4/arch/x86/xen/smp.c 2011-03-14 21:20:32.000000000 -0400
21085 +++ linux-2.6.38.4/arch/x86/xen/smp.c 2011-04-17 15:57:32.000000000 -0400
21086 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
21088 BUG_ON(smp_processor_id() != 0);
21089 native_smp_prepare_boot_cpu();
21091 - /* We've switched to the "real" per-cpu gdt, so make sure the
21092 - old memory can be recycled */
21093 - make_lowmem_page_readwrite(xen_initial_gdt);
21095 xen_filter_cpu_maps();
21096 xen_setup_vcpu_info_placement();
21098 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
21099 gdt = get_cpu_gdt_table(cpu);
21101 ctxt->flags = VGCF_IN_KERNEL;
21102 - ctxt->user_regs.ds = __USER_DS;
21103 - ctxt->user_regs.es = __USER_DS;
21104 + ctxt->user_regs.ds = __KERNEL_DS;
21105 + ctxt->user_regs.es = __KERNEL_DS;
21106 ctxt->user_regs.ss = __KERNEL_DS;
21107 #ifdef CONFIG_X86_32
21108 ctxt->user_regs.fs = __KERNEL_PERCPU;
21109 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
21110 + savesegment(gs, ctxt->user_regs.gs);
21112 ctxt->gs_base_kernel = per_cpu_offset(cpu);
21114 @@ -315,13 +310,12 @@ static int __cpuinit xen_cpu_up(unsigned
21117 per_cpu(current_task, cpu) = idle;
21118 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
21119 #ifdef CONFIG_X86_32
21122 clear_tsk_thread_flag(idle, TIF_FORK);
21123 - per_cpu(kernel_stack, cpu) =
21124 - (unsigned long)task_stack_page(idle) -
21125 - KERNEL_STACK_OFFSET + THREAD_SIZE;
21126 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 8 + THREAD_SIZE;
21128 xen_setup_runstate_info(cpu);
21129 xen_setup_timer(cpu);
21130 diff -urNp linux-2.6.38.4/arch/x86/xen/xen-asm_32.S linux-2.6.38.4/arch/x86/xen/xen-asm_32.S
21131 --- linux-2.6.38.4/arch/x86/xen/xen-asm_32.S 2011-03-14 21:20:32.000000000 -0400
21132 +++ linux-2.6.38.4/arch/x86/xen/xen-asm_32.S 2011-04-22 19:11:04.000000000 -0400
21133 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
21134 ESP_OFFSET=4 # bytes pushed onto stack
21137 - * Store vcpu_info pointer for easy access. Do it this way to
21138 - * avoid having to reload %fs
21139 + * Store vcpu_info pointer for easy access.
21142 - GET_THREAD_INFO(%eax)
21143 - movl TI_cpu(%eax), %eax
21144 - movl __per_cpu_offset(,%eax,4), %eax
21145 - mov xen_vcpu(%eax), %eax
21147 + mov $(__KERNEL_PERCPU), %eax
21149 + mov PER_CPU_VAR(xen_vcpu), %eax
21152 movl xen_vcpu, %eax
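Review bot: The `PER_CPU_VAR(xen_vcpu)` access implies %fs is loaded with `__KERNEL_PERCPU` (the `mov $(__KERNEL_PERCPU), %eax` feeds a segment load that is among the elided lines), yet the deleted comment existed precisely because at `xen_iret` %fs presumably already holds the user selector. If %fs is saved and restored around the access, the replacement comment should say so, e.g. `# %fs holds the user selector here; save/restore it around the per-cpu access`; if it is not, every iret through this path clobbers user %fs. The `#ifdef CONFIG_SMP` boundaries of this block are not visible in the hunk.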
21154 diff -urNp linux-2.6.38.4/arch/x86/xen/xen-head.S linux-2.6.38.4/arch/x86/xen/xen-head.S
21155 --- linux-2.6.38.4/arch/x86/xen/xen-head.S 2011-03-14 21:20:32.000000000 -0400
21156 +++ linux-2.6.38.4/arch/x86/xen/xen-head.S 2011-04-17 15:57:32.000000000 -0400
21157 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
21158 #ifdef CONFIG_X86_32
21159 mov %esi,xen_start_info
21160 mov $init_thread_union+THREAD_SIZE,%esp
21162 + movl $cpu_gdt_table,%edi
21163 + movl $__per_cpu_load,%eax
21164 + movw %ax,__KERNEL_PERCPU + 2(%edi)
21166 + movb %al,__KERNEL_PERCPU + 4(%edi)
21167 + movb %ah,__KERNEL_PERCPU + 7(%edi)
21168 + movl $__per_cpu_end - 1,%eax
21169 + subl $__per_cpu_start,%eax
21170 + movw %ax,__KERNEL_PERCPU + 0(%edi)
21173 mov %rsi,xen_start_info
21174 mov $init_thread_union+THREAD_SIZE,%rsp
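Review bot: The descriptor patching writes the base bytes and only the low 16 bits of the limit of the `__KERNEL_PERCPU` GDT entry (`movw %ax,__KERNEL_PERCPU + 0(%edi)`), leaving limit bits 19:16 and the granularity bit in byte 6 untouched; for a per-cpu area larger than 64 KiB the effective limit then depends on whatever those bits already hold in `cpu_gdt_table`, which this hunk does not show. A comment naming the fields, `# base[15:0] at +2, base[23:16] at +4, base[31:24] at +7, limit[15:0] at +0`, plus the size assumption would make the sequence reviewable, and the same sequence presumably exists on the native `head_32.S` path of this patch, so the two should be kept in sync. The instruction between the two base writes and the `#else` branch of the `CONFIG_X86_32` block are elided here.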
21175 diff -urNp linux-2.6.38.4/arch/x86/xen/xen-ops.h linux-2.6.38.4/arch/x86/xen/xen-ops.h
21176 --- linux-2.6.38.4/arch/x86/xen/xen-ops.h 2011-03-14 21:20:32.000000000 -0400
21177 +++ linux-2.6.38.4/arch/x86/xen/xen-ops.h 2011-04-17 15:57:32.000000000 -0400
21179 extern const char xen_hypervisor_callback[];
21180 extern const char xen_failsafe_callback[];
21182 -extern void *xen_initial_gdt;
21185 void xen_copy_trap_info(struct trap_info *traps);
21187 diff -urNp linux-2.6.38.4/block/blk-iopoll.c linux-2.6.38.4/block/blk-iopoll.c
21188 --- linux-2.6.38.4/block/blk-iopoll.c 2011-03-14 21:20:32.000000000 -0400
21189 +++ linux-2.6.38.4/block/blk-iopoll.c 2011-04-17 15:57:32.000000000 -0400
21190 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
21192 EXPORT_SYMBOL(blk_iopoll_complete);
21194 -static void blk_iopoll_softirq(struct softirq_action *h)
21195 +static void blk_iopoll_softirq(void)
21197 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
21198 int rearm = 0, budget = blk_iopoll_budget;
21199 diff -urNp linux-2.6.38.4/block/blk-map.c linux-2.6.38.4/block/blk-map.c
21200 --- linux-2.6.38.4/block/blk-map.c 2011-03-14 21:20:32.000000000 -0400
21201 +++ linux-2.6.38.4/block/blk-map.c 2011-04-17 15:57:32.000000000 -0400
21202 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
21206 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
21207 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
21209 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
21211 diff -urNp linux-2.6.38.4/block/blk-softirq.c linux-2.6.38.4/block/blk-softirq.c
21212 --- linux-2.6.38.4/block/blk-softirq.c 2011-03-14 21:20:32.000000000 -0400
21213 +++ linux-2.6.38.4/block/blk-softirq.c 2011-04-17 15:57:32.000000000 -0400
21214 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
21215 * Softirq action handler - move entries to local list and loop over them
21216 * while passing them to the queue registered handler.
21218 -static void blk_done_softirq(struct softirq_action *h)
21219 +static void blk_done_softirq(void)
21221 struct list_head *cpu_list, local_list;
21223 diff -urNp linux-2.6.38.4/block/bsg.c linux-2.6.38.4/block/bsg.c
21224 --- linux-2.6.38.4/block/bsg.c 2011-03-14 21:20:32.000000000 -0400
21225 +++ linux-2.6.38.4/block/bsg.c 2011-04-17 15:57:32.000000000 -0400
21226 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
21227 struct sg_io_v4 *hdr, struct bsg_device *bd,
21228 fmode_t has_write_perm)
21230 + unsigned char tmpcmd[sizeof(rq->__cmd)];
21231 + unsigned char *cmdptr;
21233 if (hdr->request_len > BLK_MAX_CDB) {
21234 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
21238 + cmdptr = rq->cmd;
21242 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
21243 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
21247 + if (cmdptr != rq->cmd)
21248 + memcpy(rq->cmd, cmdptr, hdr->request_len);
21250 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
21251 if (blk_verify_command(rq->cmd, has_write_perm))
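Review bot: The stack buffer `tmpcmd[sizeof(rq->__cmd)]` is only safe because the non-allocating path is taken when `hdr->request_len <= BLK_MAX_CDB` and `sizeof(rq->__cmd)` happens to equal `BLK_MAX_CDB`; that equality is assumed, not stated. Add `BUILD_BUG_ON(sizeof(rq->__cmd) != BLK_MAX_CDB);` (or size `tmpcmd` by `BLK_MAX_CDB` directly) so a later change to the inline CDB size cannot turn the `copy_from_user()` into a stack overflow. The `cmdptr = tmpcmd` assignment and the rest of that branch are among the elided lines; the trailing `memcpy()` back into `rq->cmd` keeps the original data path intact.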
21253 diff -urNp linux-2.6.38.4/block/scsi_ioctl.c linux-2.6.38.4/block/scsi_ioctl.c
21254 --- linux-2.6.38.4/block/scsi_ioctl.c 2011-03-14 21:20:32.000000000 -0400
21255 +++ linux-2.6.38.4/block/scsi_ioctl.c 2011-04-17 15:57:32.000000000 -0400
21256 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
21257 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
21258 struct sg_io_hdr *hdr, fmode_t mode)
21260 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
21261 + unsigned char tmpcmd[sizeof(rq->__cmd)];
21262 + unsigned char *cmdptr;
21264 + if (rq->cmd != rq->__cmd)
21265 + cmdptr = rq->cmd;
21269 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
21272 + if (cmdptr != rq->cmd)
21273 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
21275 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
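Review bot: In `blk_fill_sghdr_rq()` the choice between the stack `tmpcmd` and `rq->cmd` is made on `rq->cmd != rq->__cmd` rather than on the copy length, so the `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` into the `sizeof(rq->__cmd)`-byte stack buffer is bounded only by the caller's earlier validation of `cmd_len`, which is outside this hunk; the same applies to `cmdlen` in the `sg_scsi_ioctl()` hunk below. A local guard, `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`, keeps the new stack buffer self-protecting instead of relying on the distant check. The `cmdptr = tmpcmd` assignment itself is among the elided lines.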
21278 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
21280 unsigned int in_len, out_len, bytes, opcode, cmdlen;
21281 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
21282 + unsigned char tmpcmd[sizeof(rq->__cmd)];
21283 + unsigned char *cmdptr;
21287 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
21290 rq->cmd_len = cmdlen;
21291 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
21293 + if (rq->cmd != rq->__cmd)
21294 + cmdptr = rq->cmd;
21298 + if (copy_from_user(cmdptr, sic->data, cmdlen))
21301 + if (rq->cmd != cmdptr)
21302 + memcpy(rq->cmd, cmdptr, cmdlen);
21304 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
21307 diff -urNp linux-2.6.38.4/crypto/lrw.c linux-2.6.38.4/crypto/lrw.c
21308 --- linux-2.6.38.4/crypto/lrw.c 2011-03-14 21:20:32.000000000 -0400
21309 +++ linux-2.6.38.4/crypto/lrw.c 2011-04-17 15:57:32.000000000 -0400
21310 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
21311 struct priv *ctx = crypto_tfm_ctx(parent);
21312 struct crypto_cipher *child = ctx->child;
21314 - be128 tmp = { 0 };
21315 + be128 tmp = { 0, 0 };
21316 int bsize = crypto_cipher_blocksize(child);
21318 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
21319 diff -urNp linux-2.6.38.4/Documentation/dontdiff linux-2.6.38.4/Documentation/dontdiff
21320 --- linux-2.6.38.4/Documentation/dontdiff 2011-03-14 21:20:32.000000000 -0400
21321 +++ linux-2.6.38.4/Documentation/dontdiff 2011-04-17 15:57:32.000000000 -0400
21341 @@ -49,11 +52,16 @@
21358 @@ -82,6 +90,8 @@ bvmlinux
21367 @@ -106,16 +116,19 @@ fore200e_mkfirm
21382 initramfs_data.cpio
21383 +initramfs_data.cpio.bz2
21384 initramfs_data.cpio.gz
21387 @@ -125,7 +138,6 @@ int32.c
21395 @@ -149,7 +161,9 @@ mkboot
21405 @@ -165,6 +179,7 @@ parse.h
21413 @@ -180,6 +195,7 @@ r600_reg_safe.h
21421 @@ -189,6 +205,7 @@ setup
21429 @@ -213,13 +230,17 @@ version.h*
21447 diff -urNp linux-2.6.38.4/Documentation/filesystems/sysfs.txt linux-2.6.38.4/Documentation/filesystems/sysfs.txt
21448 --- linux-2.6.38.4/Documentation/filesystems/sysfs.txt 2011-03-14 21:20:32.000000000 -0400
21449 +++ linux-2.6.38.4/Documentation/filesystems/sysfs.txt 2011-04-17 15:57:32.000000000 -0400
21450 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
21451 show and store methods of the attribute owners.
21454 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
21455 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
21456 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
21457 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
21460 [ Subsystems should have already defined a struct kobj_type as a
21461 diff -urNp linux-2.6.38.4/Documentation/kernel-parameters.txt linux-2.6.38.4/Documentation/kernel-parameters.txt
21462 --- linux-2.6.38.4/Documentation/kernel-parameters.txt 2011-03-14 21:20:32.000000000 -0400
21463 +++ linux-2.6.38.4/Documentation/kernel-parameters.txt 2011-04-17 15:57:32.000000000 -0400
21464 @@ -1853,6 +1853,13 @@ bytes respectively. Such letter suffixes
21465 the specified number of seconds. This is to be used if
21466 your oopses keep scrolling off the screen.
21468 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
21469 + virtualization environments that don't cope well with the
21470 + expand down segment used by UDEREF on X86-32 or the frequent
21471 + page table updates on X86-64.
21473 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
21478 diff -urNp linux-2.6.38.4/drivers/acpi/battery.c linux-2.6.38.4/drivers/acpi/battery.c
21479 --- linux-2.6.38.4/drivers/acpi/battery.c 2011-03-14 21:20:32.000000000 -0400
21480 +++ linux-2.6.38.4/drivers/acpi/battery.c 2011-04-17 15:57:32.000000000 -0400
21481 @@ -862,7 +862,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
21484 static struct battery_file {
21485 - struct file_operations ops;
21486 + const struct file_operations ops;
21489 } acpi_battery_file[] = {
21490 diff -urNp linux-2.6.38.4/drivers/acpi/blacklist.c linux-2.6.38.4/drivers/acpi/blacklist.c
21491 --- linux-2.6.38.4/drivers/acpi/blacklist.c 2011-03-14 21:20:32.000000000 -0400
21492 +++ linux-2.6.38.4/drivers/acpi/blacklist.c 2011-04-17 15:57:32.000000000 -0400
21493 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
21494 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
21495 "Incorrect _ADR", 1},
21498 + {"", "", 0, NULL, all_versions, NULL, 0}
21501 #if CONFIG_ACPI_BLACKLIST_YEAR
21502 diff -urNp linux-2.6.38.4/drivers/acpi/dock.c linux-2.6.38.4/drivers/acpi/dock.c
21503 --- linux-2.6.38.4/drivers/acpi/dock.c 2011-03-14 21:20:32.000000000 -0400
21504 +++ linux-2.6.38.4/drivers/acpi/dock.c 2011-04-17 15:57:32.000000000 -0400
21505 @@ -77,7 +77,7 @@ struct dock_dependent_device {
21506 struct list_head list;
21507 struct list_head hotplug_list;
21508 acpi_handle handle;
21509 - struct acpi_dock_ops *ops;
21510 + const struct acpi_dock_ops *ops;
21514 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
21515 * the dock driver after _DCK is executed.
21518 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
21519 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
21522 struct dock_dependent_device *dd;
21523 diff -urNp linux-2.6.38.4/drivers/acpi/ec_sys.c linux-2.6.38.4/drivers/acpi/ec_sys.c
21524 --- linux-2.6.38.4/drivers/acpi/ec_sys.c 2011-03-14 21:20:32.000000000 -0400
21525 +++ linux-2.6.38.4/drivers/acpi/ec_sys.c 2011-04-17 15:57:32.000000000 -0400
21526 @@ -96,7 +96,7 @@ static ssize_t acpi_ec_write_io(struct f
21530 -static struct file_operations acpi_ec_io_ops = {
21531 +static const struct file_operations acpi_ec_io_ops = {
21532 .owner = THIS_MODULE,
21533 .open = acpi_ec_open_io,
21534 .read = acpi_ec_read_io,
21535 diff -urNp linux-2.6.38.4/drivers/acpi/power_meter.c linux-2.6.38.4/drivers/acpi/power_meter.c
21536 --- linux-2.6.38.4/drivers/acpi/power_meter.c 2011-03-14 21:20:32.000000000 -0400
21537 +++ linux-2.6.38.4/drivers/acpi/power_meter.c 2011-04-17 15:57:32.000000000 -0400
21538 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
21545 mutex_lock(&resource->lock);
21546 resource->trip[attr->index - 7] = temp;
21547 diff -urNp linux-2.6.38.4/drivers/acpi/proc.c linux-2.6.38.4/drivers/acpi/proc.c
21548 --- linux-2.6.38.4/drivers/acpi/proc.c 2011-03-14 21:20:32.000000000 -0400
21549 +++ linux-2.6.38.4/drivers/acpi/proc.c 2011-04-17 15:57:32.000000000 -0400
21550 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
21551 size_t count, loff_t * ppos)
21553 struct list_head *node, *next;
21555 - char str[5] = "";
21556 - unsigned int len = count;
21562 + char strbuf[5] = {0};
21564 - if (copy_from_user(strbuf, buffer, len))
21567 + if (copy_from_user(strbuf, buffer, count))
21569 - strbuf[len] = '\0';
21570 - sscanf(strbuf, "%s", str);
21571 + strbuf[count] = '\0';
21573 mutex_lock(&acpi_device_lock);
21574 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
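Review bot: The clamp that keeps `count` within the 5-byte `strbuf` is not visible in this hunk: the old `len > 4` handling is removed with `len`, and unless an `if (count > 4) count = 4;` sits among the elided added lines, `copy_from_user(strbuf, buffer, count)` and `strbuf[count] = '\0'` overflow the stack buffer on any write longer than four bytes. The rewrite also drops `sscanf(strbuf, "%s", str)`, so leading whitespace is no longer skipped and the raw bytes are what the 4-byte `strncmp()` against `pnp.bus_id` sees; that behaviour change deserves a comment next to the copy, e.g. `/* compare the first 4 raw bytes; no token parsing */`. With `strbuf` zero-initialised, the explicit terminator store is redundant once `count` is clamped to 4.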
21575 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
21576 if (!dev->wakeup.flags.valid)
21579 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
21580 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
21581 if (device_can_wakeup(&dev->dev)) {
21582 bool enable = !device_may_wakeup(&dev->dev);
21583 device_set_wakeup_enable(&dev->dev, enable);
21584 diff -urNp linux-2.6.38.4/drivers/acpi/processor_driver.c linux-2.6.38.4/drivers/acpi/processor_driver.c
21585 --- linux-2.6.38.4/drivers/acpi/processor_driver.c 2011-03-14 21:20:32.000000000 -0400
21586 +++ linux-2.6.38.4/drivers/acpi/processor_driver.c 2011-04-17 15:57:32.000000000 -0400
21587 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
21591 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
21592 + BUG_ON(pr->id >= nr_cpu_ids);
21596 diff -urNp linux-2.6.38.4/drivers/acpi/processor_idle.c linux-2.6.38.4/drivers/acpi/processor_idle.c
21597 --- linux-2.6.38.4/drivers/acpi/processor_idle.c 2011-03-14 21:20:32.000000000 -0400
21598 +++ linux-2.6.38.4/drivers/acpi/processor_idle.c 2011-04-17 15:57:32.000000000 -0400
21599 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
21600 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
21601 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
21604 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
21608 diff -urNp linux-2.6.38.4/drivers/ata/acard-ahci.c linux-2.6.38.4/drivers/ata/acard-ahci.c
21609 --- linux-2.6.38.4/drivers/ata/acard-ahci.c 2011-03-14 21:20:32.000000000 -0400
21610 +++ linux-2.6.38.4/drivers/ata/acard-ahci.c 2011-04-17 15:57:32.000000000 -0400
21611 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
21612 AHCI_SHT("acard-ahci"),
21615 -static struct ata_port_operations acard_ops = {
21616 +static const struct ata_port_operations acard_ops = {
21617 .inherits = &ahci_ops,
21618 .qc_prep = acard_ahci_qc_prep,
21619 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
21620 diff -urNp linux-2.6.38.4/drivers/ata/ahci.c linux-2.6.38.4/drivers/ata/ahci.c
21621 --- linux-2.6.38.4/drivers/ata/ahci.c 2011-04-18 17:27:13.000000000 -0400
21622 +++ linux-2.6.38.4/drivers/ata/ahci.c 2011-04-17 15:57:32.000000000 -0400
21623 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
21627 -static struct ata_port_operations ahci_vt8251_ops = {
21628 +static const struct ata_port_operations ahci_vt8251_ops = {
21629 .inherits = &ahci_ops,
21630 .hardreset = ahci_vt8251_hardreset,
21633 -static struct ata_port_operations ahci_p5wdh_ops = {
21634 +static const struct ata_port_operations ahci_p5wdh_ops = {
21635 .inherits = &ahci_ops,
21636 .hardreset = ahci_p5wdh_hardreset,
21639 -static struct ata_port_operations ahci_sb600_ops = {
21640 +static const struct ata_port_operations ahci_sb600_ops = {
21641 .inherits = &ahci_ops,
21642 .softreset = ahci_sb600_softreset,
21643 .pmp_softreset = ahci_sb600_softreset,
21644 @@ -394,7 +394,7 @@ static const struct pci_device_id ahci_p
21645 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
21646 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
21648 - { } /* terminate list */
21649 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21653 diff -urNp linux-2.6.38.4/drivers/ata/ahci.h linux-2.6.38.4/drivers/ata/ahci.h
21654 --- linux-2.6.38.4/drivers/ata/ahci.h 2011-03-14 21:20:32.000000000 -0400
21655 +++ linux-2.6.38.4/drivers/ata/ahci.h 2011-04-17 15:57:32.000000000 -0400
21656 @@ -309,7 +309,7 @@ extern struct device_attribute *ahci_sde
21657 .shost_attrs = ahci_shost_attrs, \
21658 .sdev_attrs = ahci_sdev_attrs
21660 -extern struct ata_port_operations ahci_ops;
21661 +extern const struct ata_port_operations ahci_ops;
21663 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
21665 diff -urNp linux-2.6.38.4/drivers/ata/ata_generic.c linux-2.6.38.4/drivers/ata/ata_generic.c
21666 --- linux-2.6.38.4/drivers/ata/ata_generic.c 2011-03-14 21:20:32.000000000 -0400
21667 +++ linux-2.6.38.4/drivers/ata/ata_generic.c 2011-04-17 15:57:32.000000000 -0400
21668 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
21669 ATA_BMDMA_SHT(DRV_NAME),
21672 -static struct ata_port_operations generic_port_ops = {
21673 +static const struct ata_port_operations generic_port_ops = {
21674 .inherits = &ata_bmdma_port_ops,
21675 .cable_detect = ata_cable_unknown,
21676 .set_mode = generic_set_mode,
21677 diff -urNp linux-2.6.38.4/drivers/ata/ata_piix.c linux-2.6.38.4/drivers/ata/ata_piix.c
21678 --- linux-2.6.38.4/drivers/ata/ata_piix.c 2011-03-14 21:20:32.000000000 -0400
21679 +++ linux-2.6.38.4/drivers/ata/ata_piix.c 2011-04-17 15:57:32.000000000 -0400
21680 @@ -309,7 +309,7 @@ static const struct pci_device_id piix_p
21681 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
21682 /* SATA Controller IDE (PBG) */
21683 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
21684 - { } /* terminate list */
21685 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21688 static struct pci_driver piix_pci_driver = {
21689 @@ -327,12 +327,12 @@ static struct scsi_host_template piix_sh
21690 ATA_BMDMA_SHT(DRV_NAME),
21693 -static struct ata_port_operations piix_sata_ops = {
21694 +static const struct ata_port_operations piix_sata_ops = {
21695 .inherits = &ata_bmdma32_port_ops,
21696 .sff_irq_check = piix_irq_check,
21699 -static struct ata_port_operations piix_pata_ops = {
21700 +static const struct ata_port_operations piix_pata_ops = {
21701 .inherits = &piix_sata_ops,
21702 .cable_detect = ata_cable_40wire,
21703 .set_piomode = piix_set_piomode,
21704 @@ -340,12 +340,12 @@ static struct ata_port_operations piix_p
21705 .prereset = piix_pata_prereset,
21708 -static struct ata_port_operations piix_vmw_ops = {
21709 +static const struct ata_port_operations piix_vmw_ops = {
21710 .inherits = &piix_pata_ops,
21711 .bmdma_status = piix_vmw_bmdma_status,
21714 -static struct ata_port_operations ich_pata_ops = {
21715 +static const struct ata_port_operations ich_pata_ops = {
21716 .inherits = &piix_pata_ops,
21717 .cable_detect = ich_pata_cable_detect,
21718 .set_dmamode = ich_set_dmamode,
21719 @@ -361,7 +361,7 @@ static struct scsi_host_template piix_si
21720 .shost_attrs = piix_sidpr_shost_attrs,
21723 -static struct ata_port_operations piix_sidpr_sata_ops = {
21724 +static const struct ata_port_operations piix_sidpr_sata_ops = {
21725 .inherits = &piix_sata_ops,
21726 .hardreset = sata_std_hardreset,
21727 .scr_read = piix_sidpr_scr_read,
21728 @@ -638,7 +638,7 @@ static const struct ich_laptop ich_lapto
21729 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
21730 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
21737 @@ -1130,7 +1130,7 @@ static int piix_broken_suspend(void)
21741 - { } /* terminate list */
21742 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
21744 static const char *oemstrs[] = {
21746 diff -urNp linux-2.6.38.4/drivers/ata/libahci.c linux-2.6.38.4/drivers/ata/libahci.c
21747 --- linux-2.6.38.4/drivers/ata/libahci.c 2011-03-14 21:20:32.000000000 -0400
21748 +++ linux-2.6.38.4/drivers/ata/libahci.c 2011-04-17 15:57:32.000000000 -0400
21749 @@ -137,7 +137,7 @@ struct device_attribute *ahci_sdev_attrs
21751 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
21753 -struct ata_port_operations ahci_ops = {
21754 +const struct ata_port_operations ahci_ops = {
21755 .inherits = &sata_pmp_port_ops,
21757 .qc_defer = ahci_pmp_qc_defer,
21758 diff -urNp linux-2.6.38.4/drivers/ata/libata-acpi.c linux-2.6.38.4/drivers/ata/libata-acpi.c
21759 --- linux-2.6.38.4/drivers/ata/libata-acpi.c 2011-03-14 21:20:32.000000000 -0400
21760 +++ linux-2.6.38.4/drivers/ata/libata-acpi.c 2011-04-17 15:57:32.000000000 -0400
21761 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
21762 ata_acpi_uevent(dev->link->ap, dev, event);
21765 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21766 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21767 .handler = ata_acpi_dev_notify_dock,
21768 .uevent = ata_acpi_dev_uevent,
21771 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21772 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21773 .handler = ata_acpi_ap_notify_dock,
21774 .uevent = ata_acpi_ap_uevent,
21776 diff -urNp linux-2.6.38.4/drivers/ata/libata-core.c linux-2.6.38.4/drivers/ata/libata-core.c
21777 --- linux-2.6.38.4/drivers/ata/libata-core.c 2011-03-14 21:20:32.000000000 -0400
21778 +++ linux-2.6.38.4/drivers/ata/libata-core.c 2011-04-17 15:57:32.000000000 -0400
21779 @@ -897,7 +897,7 @@ static const struct ata_xfer_ent {
21780 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
21781 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
21782 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
21788 @@ -2885,7 +2885,7 @@ static const struct ata_timing ata_timin
21789 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
21790 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
21793 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
21796 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
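Review bot: The new terminator on the `+` line spells out nine initializers, while the rows directly above it (`XFER_UDMA_5`, `XFER_UDMA_6`) carry ten, the last being the udma value; the omitted field is still zero-initialized by the language, so this is a consistency point rather than a defect. If the purpose of writing the sentinel out in full is to have every field explicit, the line should read `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }`; otherwise a comment such as `/* sentinel: only .mode == 0xFF is significant */` explains why the row is shorter. The lookup that stops on the 0xFF mode is outside this hunk.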
21797 @@ -4141,7 +4141,7 @@ static const struct ata_blacklist_entry
21798 { "PIONEER DVD-RW DVR-212D", "1.28", ATA_HORKAGE_NOSETXFER },
21802 + { NULL, NULL, 0 }
21806 @@ -4746,7 +4746,7 @@ void ata_qc_free(struct ata_queued_cmd *
21807 struct ata_port *ap;
21810 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21811 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
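Review bot: The retained comment `/* ata_qc_from_tag _might_ return NULL */` now contradicts the code it annotates: WARN_ON_ONCE treated a NULL qc as a recoverable anomaly, BUG_ON treats it as fatal, yet the comment still reads as if NULL were an expected return value. If ata_qc_free dereferences qc right after this line (the body continues outside the hunk), say so, e.g. `/* ata_qc_from_tag() can return NULL, but a NULL qc here is a libata bug; qc is dereferenced below */`. Depending on the panic configuration this also turns a logged warning into a halt of the I/O path, so the comment should make that trade-off deliberate rather than leave the old wording in place. ata_qc_free starts before the hunk and continues after it.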
21815 @@ -4762,7 +4762,7 @@ void __ata_qc_complete(struct ata_queued
21816 struct ata_port *ap;
21817 struct ata_link *link;
21819 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21820 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21821 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
21823 link = qc->dev->link;
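Review bot: The `+` line upgrades the NULL check to BUG_ON while the very next assertion on `qc->flags` stays a WARN_ON_ONCE; the split is defensible because `link = qc->dev->link;` two lines down dereferences qc unconditionally, so a NULL qc could never have survived past the old warning anyway, whereas an inactive qc can. The comment that stays on the line, `/* ata_qc_from_tag _might_ return NULL */`, still describes the warning-era intent; a rewording such as `/* NULL qc cannot be tolerated: qc->dev is dereferenced below */` would explain why this check is a BUG while the flag check is not. __ata_qc_complete continues outside the hunk.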
21824 @@ -5755,7 +5755,7 @@ static void ata_host_stop(struct device
21828 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
21829 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21831 static DEFINE_SPINLOCK(lock);
21832 const struct ata_port_operations *cur;
21833 @@ -5767,6 +5767,7 @@ static void ata_finalize_port_ops(struct
21837 + pax_open_kernel();
21839 for (cur = ops->inherits; cur; cur = cur->inherits) {
21840 void **inherit = (void **)cur;
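Review bot: The added `pax_open_kernel();` sits correctly before the first write into `ops` (the inheritance loop that starts on the next line fills the slots of the now-const operations table), but its matching `pax_close_kernel()` lands in a later hunk, so the region in between must contain no early `return` or `goto` that skips the close and leaves the writable window open. From the surrounding hunks the same region is bracketed by the function's spinlock, so an early exit would also leak the lock, which makes such a path unlikely but worth a glance at the loop body that is not visible here. A one-line comment at the open makes the pairing explicit: `/* ops may live in read-only data; writable only until pax_close_kernel() below */`. ata_finalize_port_ops begins before this hunk and continues after it.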
21841 @@ -5780,8 +5781,9 @@ static void ata_finalize_port_ops(struct
21845 - ops->inherits = NULL;
21846 + ((struct ata_port_operations *)ops)->inherits = NULL;
21848 + pax_close_kernel();
21849 spin_unlock(&lock);
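Review bot: The `+` line writes through a cast that strips the const qualifier the rest of the patch adds to ata_port_operations; modifying an object defined const is undefined behaviour in C and only works here because pax_open_kernel() (added in the previous hunk) is expected to make the backing pages writable for the duration. That dependency deserves a comment at the write site, e.g. `/* one-time finalization: ops is const, made writable by pax_open_kernel() above */`, because the same pattern copied anywhere without the open/close pair would fault or be silently dropped by the compiler. Two things this chunk does not show and that are worth confirming: that pax_open_kernel() is not a no-op in any configuration that still places these tables in a read-only section (a build with read-only data but without the PaX helper would oops here), and that no path between open and close exits early; since the spinlock released on the last line brackets the same region, an early exit would also leak the lock, which makes that unlikely. ata_finalize_port_ops begins before this hunk.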
21852 @@ -5878,7 +5880,7 @@ int ata_host_start(struct ata_host *host
21854 /* KILLME - the only user left is ipr */
21855 void ata_host_init(struct ata_host *host, struct device *dev,
21856 - unsigned long flags, struct ata_port_operations *ops)
21857 + unsigned long flags, const struct ata_port_operations *ops)
21859 spin_lock_init(&host->lock);
21860 mutex_init(&host->eh_mutex);
21861 @@ -6584,7 +6586,7 @@ static void ata_dummy_error_handler(stru
21865 -struct ata_port_operations ata_dummy_port_ops = {
21866 +const struct ata_port_operations ata_dummy_port_ops = {
21867 .qc_prep = ata_noop_qc_prep,
21868 .qc_issue = ata_dummy_qc_issue,
21869 .error_handler = ata_dummy_error_handler,
21870 diff -urNp linux-2.6.38.4/drivers/ata/libata-eh.c linux-2.6.38.4/drivers/ata/libata-eh.c
21871 --- linux-2.6.38.4/drivers/ata/libata-eh.c 2011-04-18 17:27:13.000000000 -0400
21872 +++ linux-2.6.38.4/drivers/ata/libata-eh.c 2011-04-17 15:57:32.000000000 -0400
21873 @@ -3880,7 +3880,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21875 void ata_std_error_handler(struct ata_port *ap)
21877 - struct ata_port_operations *ops = ap->ops;
21878 + const struct ata_port_operations *ops = ap->ops;
21879 ata_reset_fn_t hardreset = ops->hardreset;
21881 /* ignore built-in hardreset if SCR access is not available */
21882 diff -urNp linux-2.6.38.4/drivers/ata/libata-pmp.c linux-2.6.38.4/drivers/ata/libata-pmp.c
21883 --- linux-2.6.38.4/drivers/ata/libata-pmp.c 2011-03-14 21:20:32.000000000 -0400
21884 +++ linux-2.6.38.4/drivers/ata/libata-pmp.c 2011-04-17 15:57:32.000000000 -0400
21885 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
21887 static int sata_pmp_eh_recover(struct ata_port *ap)
21889 - struct ata_port_operations *ops = ap->ops;
21890 + const struct ata_port_operations *ops = ap->ops;
21891 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21892 struct ata_link *pmp_link = &ap->link;
21893 struct ata_device *pmp_dev = pmp_link->device;
21894 diff -urNp linux-2.6.38.4/drivers/ata/pata_acpi.c linux-2.6.38.4/drivers/ata/pata_acpi.c
21895 --- linux-2.6.38.4/drivers/ata/pata_acpi.c 2011-03-14 21:20:32.000000000 -0400
21896 +++ linux-2.6.38.4/drivers/ata/pata_acpi.c 2011-04-17 15:57:32.000000000 -0400
21897 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21898 ATA_BMDMA_SHT(DRV_NAME),
21901 -static struct ata_port_operations pacpi_ops = {
21902 +static const struct ata_port_operations pacpi_ops = {
21903 .inherits = &ata_bmdma_port_ops,
21904 .qc_issue = pacpi_qc_issue,
21905 .cable_detect = pacpi_cable_detect,
21906 diff -urNp linux-2.6.38.4/drivers/ata/pata_ali.c linux-2.6.38.4/drivers/ata/pata_ali.c
21907 --- linux-2.6.38.4/drivers/ata/pata_ali.c 2011-03-14 21:20:32.000000000 -0400
21908 +++ linux-2.6.38.4/drivers/ata/pata_ali.c 2011-04-17 15:57:32.000000000 -0400
21909 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21910 * Port operations for PIO only ALi
21913 -static struct ata_port_operations ali_early_port_ops = {
21914 +static const struct ata_port_operations ali_early_port_ops = {
21915 .inherits = &ata_sff_port_ops,
21916 .cable_detect = ata_cable_40wire,
21917 .set_piomode = ali_set_piomode,
21918 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21919 * Port operations for DMA capable ALi without cable
21922 -static struct ata_port_operations ali_20_port_ops = {
21923 +static const struct ata_port_operations ali_20_port_ops = {
21924 .inherits = &ali_dma_base_ops,
21925 .cable_detect = ata_cable_40wire,
21926 .mode_filter = ali_20_filter,
21927 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21929 * Port operations for DMA capable ALi with cable detect
21931 -static struct ata_port_operations ali_c2_port_ops = {
21932 +static const struct ata_port_operations ali_c2_port_ops = {
21933 .inherits = &ali_dma_base_ops,
21934 .check_atapi_dma = ali_check_atapi_dma,
21935 .cable_detect = ali_c2_cable_detect,
21936 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21938 * Port operations for DMA capable ALi with cable detect
21940 -static struct ata_port_operations ali_c4_port_ops = {
21941 +static const struct ata_port_operations ali_c4_port_ops = {
21942 .inherits = &ali_dma_base_ops,
21943 .check_atapi_dma = ali_check_atapi_dma,
21944 .cable_detect = ali_c2_cable_detect,
21945 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21947 * Port operations for DMA capable ALi with cable detect and LBA48
21949 -static struct ata_port_operations ali_c5_port_ops = {
21950 +static const struct ata_port_operations ali_c5_port_ops = {
21951 .inherits = &ali_dma_base_ops,
21952 .check_atapi_dma = ali_check_atapi_dma,
21953 .dev_config = ali_warn_atapi_dma,
21954 diff -urNp linux-2.6.38.4/drivers/ata/pata_amd.c linux-2.6.38.4/drivers/ata/pata_amd.c
21955 --- linux-2.6.38.4/drivers/ata/pata_amd.c 2011-03-14 21:20:32.000000000 -0400
21956 +++ linux-2.6.38.4/drivers/ata/pata_amd.c 2011-04-17 15:57:32.000000000 -0400
21957 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21958 .prereset = amd_pre_reset,
21961 -static struct ata_port_operations amd33_port_ops = {
21962 +static const struct ata_port_operations amd33_port_ops = {
21963 .inherits = &amd_base_port_ops,
21964 .cable_detect = ata_cable_40wire,
21965 .set_piomode = amd33_set_piomode,
21966 .set_dmamode = amd33_set_dmamode,
21969 -static struct ata_port_operations amd66_port_ops = {
21970 +static const struct ata_port_operations amd66_port_ops = {
21971 .inherits = &amd_base_port_ops,
21972 .cable_detect = ata_cable_unknown,
21973 .set_piomode = amd66_set_piomode,
21974 .set_dmamode = amd66_set_dmamode,
21977 -static struct ata_port_operations amd100_port_ops = {
21978 +static const struct ata_port_operations amd100_port_ops = {
21979 .inherits = &amd_base_port_ops,
21980 .cable_detect = ata_cable_unknown,
21981 .set_piomode = amd100_set_piomode,
21982 .set_dmamode = amd100_set_dmamode,
21985 -static struct ata_port_operations amd133_port_ops = {
21986 +static const struct ata_port_operations amd133_port_ops = {
21987 .inherits = &amd_base_port_ops,
21988 .cable_detect = amd_cable_detect,
21989 .set_piomode = amd133_set_piomode,
21990 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21991 .host_stop = nv_host_stop,
21994 -static struct ata_port_operations nv100_port_ops = {
21995 +static const struct ata_port_operations nv100_port_ops = {
21996 .inherits = &nv_base_port_ops,
21997 .set_piomode = nv100_set_piomode,
21998 .set_dmamode = nv100_set_dmamode,
22001 -static struct ata_port_operations nv133_port_ops = {
22002 +static const struct ata_port_operations nv133_port_ops = {
22003 .inherits = &nv_base_port_ops,
22004 .set_piomode = nv133_set_piomode,
22005 .set_dmamode = nv133_set_dmamode,
22006 diff -urNp linux-2.6.38.4/drivers/ata/pata_artop.c linux-2.6.38.4/drivers/ata/pata_artop.c
22007 --- linux-2.6.38.4/drivers/ata/pata_artop.c 2011-03-14 21:20:32.000000000 -0400
22008 +++ linux-2.6.38.4/drivers/ata/pata_artop.c 2011-04-17 15:57:32.000000000 -0400
22009 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
22010 ATA_BMDMA_SHT(DRV_NAME),
22013 -static struct ata_port_operations artop6210_ops = {
22014 +static const struct ata_port_operations artop6210_ops = {
22015 .inherits = &ata_bmdma_port_ops,
22016 .cable_detect = ata_cable_40wire,
22017 .set_piomode = artop6210_set_piomode,
22018 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
22019 .qc_defer = artop6210_qc_defer,
22022 -static struct ata_port_operations artop6260_ops = {
22023 +static const struct ata_port_operations artop6260_ops = {
22024 .inherits = &ata_bmdma_port_ops,
22025 .cable_detect = artop6260_cable_detect,
22026 .set_piomode = artop6260_set_piomode,
22027 diff -urNp linux-2.6.38.4/drivers/ata/pata_at32.c linux-2.6.38.4/drivers/ata/pata_at32.c
22028 --- linux-2.6.38.4/drivers/ata/pata_at32.c 2011-03-14 21:20:32.000000000 -0400
22029 +++ linux-2.6.38.4/drivers/ata/pata_at32.c 2011-04-17 15:57:32.000000000 -0400
22030 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
22031 ATA_PIO_SHT(DRV_NAME),
22034 -static struct ata_port_operations at32_port_ops = {
22035 +static const struct ata_port_operations at32_port_ops = {
22036 .inherits = &ata_sff_port_ops,
22037 .cable_detect = ata_cable_40wire,
22038 .set_piomode = pata_at32_set_piomode,
22039 diff -urNp linux-2.6.38.4/drivers/ata/pata_at91.c linux-2.6.38.4/drivers/ata/pata_at91.c
22040 --- linux-2.6.38.4/drivers/ata/pata_at91.c 2011-03-14 21:20:32.000000000 -0400
22041 +++ linux-2.6.38.4/drivers/ata/pata_at91.c 2011-04-17 15:57:32.000000000 -0400
22042 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
22043 ATA_PIO_SHT(DRV_NAME),
22046 -static struct ata_port_operations pata_at91_port_ops = {
22047 +static const struct ata_port_operations pata_at91_port_ops = {
22048 .inherits = &ata_sff_port_ops,
22050 .sff_data_xfer = pata_at91_data_xfer_noirq,
22051 diff -urNp linux-2.6.38.4/drivers/ata/pata_atiixp.c linux-2.6.38.4/drivers/ata/pata_atiixp.c
22052 --- linux-2.6.38.4/drivers/ata/pata_atiixp.c 2011-03-14 21:20:32.000000000 -0400
22053 +++ linux-2.6.38.4/drivers/ata/pata_atiixp.c 2011-04-17 15:57:32.000000000 -0400
22054 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
22055 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22058 -static struct ata_port_operations atiixp_port_ops = {
22059 +static const struct ata_port_operations atiixp_port_ops = {
22060 .inherits = &ata_bmdma_port_ops,
22062 .qc_prep = ata_bmdma_dumb_qc_prep,
22063 diff -urNp linux-2.6.38.4/drivers/ata/pata_atp867x.c linux-2.6.38.4/drivers/ata/pata_atp867x.c
22064 --- linux-2.6.38.4/drivers/ata/pata_atp867x.c 2011-03-14 21:20:32.000000000 -0400
22065 +++ linux-2.6.38.4/drivers/ata/pata_atp867x.c 2011-04-17 15:57:32.000000000 -0400
22066 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
22067 ATA_BMDMA_SHT(DRV_NAME),
22070 -static struct ata_port_operations atp867x_ops = {
22071 +static const struct ata_port_operations atp867x_ops = {
22072 .inherits = &ata_bmdma_port_ops,
22073 .cable_detect = atp867x_cable_detect,
22074 .set_piomode = atp867x_set_piomode,
22075 diff -urNp linux-2.6.38.4/drivers/ata/pata_bf54x.c linux-2.6.38.4/drivers/ata/pata_bf54x.c
22076 --- linux-2.6.38.4/drivers/ata/pata_bf54x.c 2011-03-14 21:20:32.000000000 -0400
22077 +++ linux-2.6.38.4/drivers/ata/pata_bf54x.c 2011-04-17 15:57:32.000000000 -0400
22078 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
22079 .dma_boundary = ATA_DMA_BOUNDARY,
22082 -static struct ata_port_operations bfin_pata_ops = {
22083 +static const struct ata_port_operations bfin_pata_ops = {
22084 .inherits = &ata_bmdma_port_ops,
22086 .set_piomode = bfin_set_piomode,
22087 diff -urNp linux-2.6.38.4/drivers/ata/pata_cmd640.c linux-2.6.38.4/drivers/ata/pata_cmd640.c
22088 --- linux-2.6.38.4/drivers/ata/pata_cmd640.c 2011-03-14 21:20:32.000000000 -0400
22089 +++ linux-2.6.38.4/drivers/ata/pata_cmd640.c 2011-04-17 15:57:32.000000000 -0400
22090 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
22091 ATA_PIO_SHT(DRV_NAME),
22094 -static struct ata_port_operations cmd640_port_ops = {
22095 +static const struct ata_port_operations cmd640_port_ops = {
22096 .inherits = &ata_sff_port_ops,
22097 /* In theory xfer_noirq is not needed once we kill the prefetcher */
22098 .sff_data_xfer = ata_sff_data_xfer_noirq,
22099 diff -urNp linux-2.6.38.4/drivers/ata/pata_cmd64x.c linux-2.6.38.4/drivers/ata/pata_cmd64x.c
22100 --- linux-2.6.38.4/drivers/ata/pata_cmd64x.c 2011-03-14 21:20:32.000000000 -0400
22101 +++ linux-2.6.38.4/drivers/ata/pata_cmd64x.c 2011-04-17 15:57:32.000000000 -0400
22102 @@ -268,18 +268,18 @@ static const struct ata_port_operations
22103 .set_dmamode = cmd64x_set_dmamode,
22106 -static struct ata_port_operations cmd64x_port_ops = {
22107 +static const struct ata_port_operations cmd64x_port_ops = {
22108 .inherits = &cmd64x_base_ops,
22109 .cable_detect = ata_cable_40wire,
22112 -static struct ata_port_operations cmd646r1_port_ops = {
22113 +static const struct ata_port_operations cmd646r1_port_ops = {
22114 .inherits = &cmd64x_base_ops,
22115 .bmdma_stop = cmd646r1_bmdma_stop,
22116 .cable_detect = ata_cable_40wire,
22119 -static struct ata_port_operations cmd648_port_ops = {
22120 +static const struct ata_port_operations cmd648_port_ops = {
22121 .inherits = &cmd64x_base_ops,
22122 .bmdma_stop = cmd648_bmdma_stop,
22123 .cable_detect = cmd648_cable_detect,
22124 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5520.c linux-2.6.38.4/drivers/ata/pata_cs5520.c
22125 --- linux-2.6.38.4/drivers/ata/pata_cs5520.c 2011-03-14 21:20:32.000000000 -0400
22126 +++ linux-2.6.38.4/drivers/ata/pata_cs5520.c 2011-04-17 15:57:32.000000000 -0400
22127 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
22128 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22131 -static struct ata_port_operations cs5520_port_ops = {
22132 +static const struct ata_port_operations cs5520_port_ops = {
22133 .inherits = &ata_bmdma_port_ops,
22134 .qc_prep = ata_bmdma_dumb_qc_prep,
22135 .cable_detect = ata_cable_40wire,
22136 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5530.c linux-2.6.38.4/drivers/ata/pata_cs5530.c
22137 --- linux-2.6.38.4/drivers/ata/pata_cs5530.c 2011-03-14 21:20:32.000000000 -0400
22138 +++ linux-2.6.38.4/drivers/ata/pata_cs5530.c 2011-04-17 15:57:32.000000000 -0400
22139 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
22140 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22143 -static struct ata_port_operations cs5530_port_ops = {
22144 +static const struct ata_port_operations cs5530_port_ops = {
22145 .inherits = &ata_bmdma_port_ops,
22147 .qc_prep = ata_bmdma_dumb_qc_prep,
22148 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5535.c linux-2.6.38.4/drivers/ata/pata_cs5535.c
22149 --- linux-2.6.38.4/drivers/ata/pata_cs5535.c 2011-03-14 21:20:32.000000000 -0400
22150 +++ linux-2.6.38.4/drivers/ata/pata_cs5535.c 2011-04-17 15:57:32.000000000 -0400
22151 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
22152 ATA_BMDMA_SHT(DRV_NAME),
22155 -static struct ata_port_operations cs5535_port_ops = {
22156 +static const struct ata_port_operations cs5535_port_ops = {
22157 .inherits = &ata_bmdma_port_ops,
22158 .cable_detect = cs5535_cable_detect,
22159 .set_piomode = cs5535_set_piomode,
22160 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5536.c linux-2.6.38.4/drivers/ata/pata_cs5536.c
22161 --- linux-2.6.38.4/drivers/ata/pata_cs5536.c 2011-03-14 21:20:32.000000000 -0400
22162 +++ linux-2.6.38.4/drivers/ata/pata_cs5536.c 2011-04-17 15:57:32.000000000 -0400
22163 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
22164 ATA_BMDMA_SHT(DRV_NAME),
22167 -static struct ata_port_operations cs5536_port_ops = {
22168 +static const struct ata_port_operations cs5536_port_ops = {
22169 .inherits = &ata_bmdma32_port_ops,
22170 .cable_detect = cs5536_cable_detect,
22171 .set_piomode = cs5536_set_piomode,
22172 diff -urNp linux-2.6.38.4/drivers/ata/pata_cypress.c linux-2.6.38.4/drivers/ata/pata_cypress.c
22173 --- linux-2.6.38.4/drivers/ata/pata_cypress.c 2011-03-14 21:20:32.000000000 -0400
22174 +++ linux-2.6.38.4/drivers/ata/pata_cypress.c 2011-04-17 15:57:32.000000000 -0400
22175 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
22176 ATA_BMDMA_SHT(DRV_NAME),
22179 -static struct ata_port_operations cy82c693_port_ops = {
22180 +static const struct ata_port_operations cy82c693_port_ops = {
22181 .inherits = &ata_bmdma_port_ops,
22182 .cable_detect = ata_cable_40wire,
22183 .set_piomode = cy82c693_set_piomode,
22184 diff -urNp linux-2.6.38.4/drivers/ata/pata_efar.c linux-2.6.38.4/drivers/ata/pata_efar.c
22185 --- linux-2.6.38.4/drivers/ata/pata_efar.c 2011-03-14 21:20:32.000000000 -0400
22186 +++ linux-2.6.38.4/drivers/ata/pata_efar.c 2011-04-17 15:57:32.000000000 -0400
22187 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
22188 ATA_BMDMA_SHT(DRV_NAME),
22191 -static struct ata_port_operations efar_ops = {
22192 +static const struct ata_port_operations efar_ops = {
22193 .inherits = &ata_bmdma_port_ops,
22194 .cable_detect = efar_cable_detect,
22195 .set_piomode = efar_set_piomode,
22196 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt366.c linux-2.6.38.4/drivers/ata/pata_hpt366.c
22197 --- linux-2.6.38.4/drivers/ata/pata_hpt366.c 2011-03-14 21:20:32.000000000 -0400
22198 +++ linux-2.6.38.4/drivers/ata/pata_hpt366.c 2011-04-17 15:57:32.000000000 -0400
22199 @@ -275,7 +275,7 @@ static struct scsi_host_template hpt36x_
22200 * Configuration for HPT366/68
22203 -static struct ata_port_operations hpt366_port_ops = {
22204 +static const struct ata_port_operations hpt366_port_ops = {
22205 .inherits = &ata_bmdma_port_ops,
22206 .cable_detect = hpt36x_cable_detect,
22207 .mode_filter = hpt366_filter,
22208 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt37x.c linux-2.6.38.4/drivers/ata/pata_hpt37x.c
22209 --- linux-2.6.38.4/drivers/ata/pata_hpt37x.c 2011-03-14 21:20:32.000000000 -0400
22210 +++ linux-2.6.38.4/drivers/ata/pata_hpt37x.c 2011-04-17 15:57:32.000000000 -0400
22211 @@ -587,7 +587,7 @@ static struct scsi_host_template hpt37x_
22212 * Configuration for HPT370
22215 -static struct ata_port_operations hpt370_port_ops = {
22216 +static const struct ata_port_operations hpt370_port_ops = {
22217 .inherits = &ata_bmdma_port_ops,
22219 .bmdma_stop = hpt370_bmdma_stop,
22220 @@ -603,7 +603,7 @@ static struct ata_port_operations hpt370
22221 * Configuration for HPT370A. Close to 370 but less filters
22224 -static struct ata_port_operations hpt370a_port_ops = {
22225 +static const struct ata_port_operations hpt370a_port_ops = {
22226 .inherits = &hpt370_port_ops,
22227 .mode_filter = hpt370a_filter,
22229 @@ -613,7 +613,7 @@ static struct ata_port_operations hpt370
22230 * mode setting functionality.
22233 -static struct ata_port_operations hpt302_port_ops = {
22234 +static const struct ata_port_operations hpt302_port_ops = {
22235 .inherits = &ata_bmdma_port_ops,
22237 .bmdma_stop = hpt37x_bmdma_stop,
22238 @@ -629,7 +629,7 @@ static struct ata_port_operations hpt302
22239 * but we have a mode filter.
22242 -static struct ata_port_operations hpt372_port_ops = {
22243 +static const struct ata_port_operations hpt372_port_ops = {
22244 .inherits = &hpt302_port_ops,
22245 .mode_filter = hpt372_filter,
22247 @@ -639,7 +639,7 @@ static struct ata_port_operations hpt372
22248 * but we have a different cable detection procedure for function 1.
22251 -static struct ata_port_operations hpt374_fn1_port_ops = {
22252 +static const struct ata_port_operations hpt374_fn1_port_ops = {
22253 .inherits = &hpt372_port_ops,
22254 .cable_detect = hpt374_fn1_cable_detect,
22256 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c
22257 --- linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c 2011-03-14 21:20:32.000000000 -0400
22258 +++ linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c 2011-04-17 15:57:32.000000000 -0400
22259 @@ -348,7 +348,7 @@ static struct scsi_host_template hpt3x2n
22260 * Configuration for HPT302N/371N.
22263 -static struct ata_port_operations hpt3xxn_port_ops = {
22264 +static const struct ata_port_operations hpt3xxn_port_ops = {
22265 .inherits = &ata_bmdma_port_ops,
22267 .bmdma_stop = hpt3x2n_bmdma_stop,
22268 @@ -366,7 +366,7 @@ static struct ata_port_operations hpt3xx
22269 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
22272 -static struct ata_port_operations hpt372n_port_ops = {
22273 +static const struct ata_port_operations hpt372n_port_ops = {
22274 .inherits = &hpt3xxn_port_ops,
22275 .mode_filter = &hpt372n_filter,
22277 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt3x3.c linux-2.6.38.4/drivers/ata/pata_hpt3x3.c
22278 --- linux-2.6.38.4/drivers/ata/pata_hpt3x3.c 2011-03-14 21:20:32.000000000 -0400
22279 +++ linux-2.6.38.4/drivers/ata/pata_hpt3x3.c 2011-04-17 15:57:32.000000000 -0400
22280 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
22281 ATA_BMDMA_SHT(DRV_NAME),
22284 -static struct ata_port_operations hpt3x3_port_ops = {
22285 +static const struct ata_port_operations hpt3x3_port_ops = {
22286 .inherits = &ata_bmdma_port_ops,
22287 .cable_detect = ata_cable_40wire,
22288 .set_piomode = hpt3x3_set_piomode,
22289 diff -urNp linux-2.6.38.4/drivers/ata/pata_icside.c linux-2.6.38.4/drivers/ata/pata_icside.c
22290 --- linux-2.6.38.4/drivers/ata/pata_icside.c 2011-03-14 21:20:32.000000000 -0400
22291 +++ linux-2.6.38.4/drivers/ata/pata_icside.c 2011-04-17 15:57:32.000000000 -0400
22292 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
22296 -static struct ata_port_operations pata_icside_port_ops = {
22297 +static const struct ata_port_operations pata_icside_port_ops = {
22298 .inherits = &ata_bmdma_port_ops,
22299 /* no need to build any PRD tables for DMA */
22300 .qc_prep = ata_noop_qc_prep,
22301 diff -urNp linux-2.6.38.4/drivers/ata/pata_isapnp.c linux-2.6.38.4/drivers/ata/pata_isapnp.c
22302 --- linux-2.6.38.4/drivers/ata/pata_isapnp.c 2011-03-14 21:20:32.000000000 -0400
22303 +++ linux-2.6.38.4/drivers/ata/pata_isapnp.c 2011-04-17 15:57:32.000000000 -0400
22304 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
22305 ATA_PIO_SHT(DRV_NAME),
22308 -static struct ata_port_operations isapnp_port_ops = {
22309 +static const struct ata_port_operations isapnp_port_ops = {
22310 .inherits = &ata_sff_port_ops,
22311 .cable_detect = ata_cable_40wire,
22314 -static struct ata_port_operations isapnp_noalt_port_ops = {
22315 +static const struct ata_port_operations isapnp_noalt_port_ops = {
22316 .inherits = &ata_sff_port_ops,
22317 .cable_detect = ata_cable_40wire,
22318 /* No altstatus so we don't want to use the lost interrupt poll */
22319 diff -urNp linux-2.6.38.4/drivers/ata/pata_it8213.c linux-2.6.38.4/drivers/ata/pata_it8213.c
22320 --- linux-2.6.38.4/drivers/ata/pata_it8213.c 2011-03-14 21:20:32.000000000 -0400
22321 +++ linux-2.6.38.4/drivers/ata/pata_it8213.c 2011-04-17 15:57:32.000000000 -0400
22322 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
22326 -static struct ata_port_operations it8213_ops = {
22327 +static const struct ata_port_operations it8213_ops = {
22328 .inherits = &ata_bmdma_port_ops,
22329 .cable_detect = it8213_cable_detect,
22330 .set_piomode = it8213_set_piomode,
22331 diff -urNp linux-2.6.38.4/drivers/ata/pata_it821x.c linux-2.6.38.4/drivers/ata/pata_it821x.c
22332 --- linux-2.6.38.4/drivers/ata/pata_it821x.c 2011-03-14 21:20:32.000000000 -0400
22333 +++ linux-2.6.38.4/drivers/ata/pata_it821x.c 2011-04-17 15:57:32.000000000 -0400
22334 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
22335 ATA_BMDMA_SHT(DRV_NAME),
22338 -static struct ata_port_operations it821x_smart_port_ops = {
22339 +static const struct ata_port_operations it821x_smart_port_ops = {
22340 .inherits = &ata_bmdma_port_ops,
22342 .check_atapi_dma= it821x_check_atapi_dma,
22343 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
22344 .port_start = it821x_port_start,
22347 -static struct ata_port_operations it821x_passthru_port_ops = {
22348 +static const struct ata_port_operations it821x_passthru_port_ops = {
22349 .inherits = &ata_bmdma_port_ops,
22351 .check_atapi_dma= it821x_check_atapi_dma,
22352 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
22353 .port_start = it821x_port_start,
22356 -static struct ata_port_operations it821x_rdc_port_ops = {
22357 +static const struct ata_port_operations it821x_rdc_port_ops = {
22358 .inherits = &ata_bmdma_port_ops,
22360 .check_atapi_dma= it821x_check_atapi_dma,
22361 diff -urNp linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c
22362 --- linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c 2011-03-14 21:20:32.000000000 -0400
22363 +++ linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c 2011-04-17 15:57:32.000000000 -0400
22364 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
22365 ATA_PIO_SHT(DRV_NAME),
22368 -static struct ata_port_operations ixp4xx_port_ops = {
22369 +static const struct ata_port_operations ixp4xx_port_ops = {
22370 .inherits = &ata_sff_port_ops,
22371 .sff_data_xfer = ixp4xx_mmio_data_xfer,
22372 .cable_detect = ata_cable_40wire,
22373 diff -urNp linux-2.6.38.4/drivers/ata/pata_jmicron.c linux-2.6.38.4/drivers/ata/pata_jmicron.c
22374 --- linux-2.6.38.4/drivers/ata/pata_jmicron.c 2011-03-14 21:20:32.000000000 -0400
22375 +++ linux-2.6.38.4/drivers/ata/pata_jmicron.c 2011-04-17 15:57:32.000000000 -0400
22376 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
22377 ATA_BMDMA_SHT(DRV_NAME),
22380 -static struct ata_port_operations jmicron_ops = {
22381 +static const struct ata_port_operations jmicron_ops = {
22382 .inherits = &ata_bmdma_port_ops,
22383 .prereset = jmicron_pre_reset,
22385 diff -urNp linux-2.6.38.4/drivers/ata/pata_legacy.c linux-2.6.38.4/drivers/ata/pata_legacy.c
22386 --- linux-2.6.38.4/drivers/ata/pata_legacy.c 2011-03-14 21:20:32.000000000 -0400
22387 +++ linux-2.6.38.4/drivers/ata/pata_legacy.c 2011-04-17 15:57:32.000000000 -0400
22388 @@ -116,7 +116,7 @@ struct legacy_probe {
22390 struct legacy_controller {
22392 - struct ata_port_operations *ops;
22393 + const struct ata_port_operations *ops;
22394 unsigned int pio_mask;
22395 unsigned int flags;
22396 unsigned int pflags;
22397 @@ -239,12 +239,12 @@ static const struct ata_port_operations
22398 * pio_mask as well.
22401 -static struct ata_port_operations simple_port_ops = {
22402 +static const struct ata_port_operations simple_port_ops = {
22403 .inherits = &legacy_base_port_ops,
22404 .sff_data_xfer = ata_sff_data_xfer_noirq,
22407 -static struct ata_port_operations legacy_port_ops = {
22408 +static const struct ata_port_operations legacy_port_ops = {
22409 .inherits = &legacy_base_port_ops,
22410 .sff_data_xfer = ata_sff_data_xfer_noirq,
22411 .set_mode = legacy_set_mode,
22412 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
22416 -static struct ata_port_operations pdc20230_port_ops = {
22417 +static const struct ata_port_operations pdc20230_port_ops = {
22418 .inherits = &legacy_base_port_ops,
22419 .set_piomode = pdc20230_set_piomode,
22420 .sff_data_xfer = pdc_data_xfer_vlb,
22421 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
22422 ioread8(ap->ioaddr.status_addr);
22425 -static struct ata_port_operations ht6560a_port_ops = {
22426 +static const struct ata_port_operations ht6560a_port_ops = {
22427 .inherits = &legacy_base_port_ops,
22428 .set_piomode = ht6560a_set_piomode,
22430 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
22431 ioread8(ap->ioaddr.status_addr);
22434 -static struct ata_port_operations ht6560b_port_ops = {
22435 +static const struct ata_port_operations ht6560b_port_ops = {
22436 .inherits = &legacy_base_port_ops,
22437 .set_piomode = ht6560b_set_piomode,
22439 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
22443 -static struct ata_port_operations opti82c611a_port_ops = {
22444 +static const struct ata_port_operations opti82c611a_port_ops = {
22445 .inherits = &legacy_base_port_ops,
22446 .set_piomode = opti82c611a_set_piomode,
22448 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
22449 return ata_sff_qc_issue(qc);
22452 -static struct ata_port_operations opti82c46x_port_ops = {
22453 +static const struct ata_port_operations opti82c46x_port_ops = {
22454 .inherits = &legacy_base_port_ops,
22455 .set_piomode = opti82c46x_set_piomode,
22456 .qc_issue = opti82c46x_qc_issue,
22457 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
22461 -static struct ata_port_operations qdi6500_port_ops = {
22462 +static const struct ata_port_operations qdi6500_port_ops = {
22463 .inherits = &legacy_base_port_ops,
22464 .set_piomode = qdi6500_set_piomode,
22465 .qc_issue = qdi_qc_issue,
22466 .sff_data_xfer = vlb32_data_xfer,
22469 -static struct ata_port_operations qdi6580_port_ops = {
22470 +static const struct ata_port_operations qdi6580_port_ops = {
22471 .inherits = &legacy_base_port_ops,
22472 .set_piomode = qdi6580_set_piomode,
22473 .sff_data_xfer = vlb32_data_xfer,
22476 -static struct ata_port_operations qdi6580dp_port_ops = {
22477 +static const struct ata_port_operations qdi6580dp_port_ops = {
22478 .inherits = &legacy_base_port_ops,
22479 .set_piomode = qdi6580dp_set_piomode,
22480 .qc_issue = qdi_qc_issue,
22481 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
22485 -static struct ata_port_operations winbond_port_ops = {
22486 +static const struct ata_port_operations winbond_port_ops = {
22487 .inherits = &legacy_base_port_ops,
22488 .set_piomode = winbond_set_piomode,
22489 .sff_data_xfer = vlb32_data_xfer,
22490 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
22491 int pio_modes = controller->pio_mask;
22492 unsigned long io = probe->port;
22493 u32 mask = (1 << probe->slot);
22494 - struct ata_port_operations *ops = controller->ops;
22495 + const struct ata_port_operations *ops = controller->ops;
22496 struct legacy_data *ld = &legacy_data[probe->slot];
22497 struct ata_host *host = NULL;
22498 struct ata_port *ap;
22499 diff -urNp linux-2.6.38.4/drivers/ata/pata_macio.c linux-2.6.38.4/drivers/ata/pata_macio.c
22500 --- linux-2.6.38.4/drivers/ata/pata_macio.c 2011-03-14 21:20:32.000000000 -0400
22501 +++ linux-2.6.38.4/drivers/ata/pata_macio.c 2011-04-17 15:57:32.000000000 -0400
22502 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
22503 .slave_configure = pata_macio_slave_config,
22506 -static struct ata_port_operations pata_macio_ops = {
22507 +static const struct ata_port_operations pata_macio_ops = {
22508 .inherits = &ata_bmdma_port_ops,
22510 .freeze = pata_macio_freeze,
22511 .set_piomode = pata_macio_set_timings,
22512 .set_dmamode = pata_macio_set_timings,
22513 diff -urNp linux-2.6.38.4/drivers/ata/pata_marvell.c linux-2.6.38.4/drivers/ata/pata_marvell.c
22514 --- linux-2.6.38.4/drivers/ata/pata_marvell.c 2011-03-14 21:20:32.000000000 -0400
22515 +++ linux-2.6.38.4/drivers/ata/pata_marvell.c 2011-04-17 15:57:32.000000000 -0400
22516 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
22517 ATA_BMDMA_SHT(DRV_NAME),
22520 -static struct ata_port_operations marvell_ops = {
22521 +static const struct ata_port_operations marvell_ops = {
22522 .inherits = &ata_bmdma_port_ops,
22523 .cable_detect = marvell_cable_detect,
22524 .prereset = marvell_pre_reset,
22525 diff -urNp linux-2.6.38.4/drivers/ata/pata_mpc52xx.c linux-2.6.38.4/drivers/ata/pata_mpc52xx.c
22526 --- linux-2.6.38.4/drivers/ata/pata_mpc52xx.c 2011-03-14 21:20:32.000000000 -0400
22527 +++ linux-2.6.38.4/drivers/ata/pata_mpc52xx.c 2011-04-17 15:57:32.000000000 -0400
22528 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
22529 ATA_PIO_SHT(DRV_NAME),
22532 -static struct ata_port_operations mpc52xx_ata_port_ops = {
22533 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
22534 .inherits = &ata_bmdma_port_ops,
22535 .sff_dev_select = mpc52xx_ata_dev_select,
22536 .set_piomode = mpc52xx_ata_set_piomode,
22537 diff -urNp linux-2.6.38.4/drivers/ata/pata_mpiix.c linux-2.6.38.4/drivers/ata/pata_mpiix.c
22538 --- linux-2.6.38.4/drivers/ata/pata_mpiix.c 2011-03-14 21:20:32.000000000 -0400
22539 +++ linux-2.6.38.4/drivers/ata/pata_mpiix.c 2011-04-17 15:57:32.000000000 -0400
22540 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
22541 ATA_PIO_SHT(DRV_NAME),
22544 -static struct ata_port_operations mpiix_port_ops = {
22545 +static const struct ata_port_operations mpiix_port_ops = {
22546 .inherits = &ata_sff_port_ops,
22547 .qc_issue = mpiix_qc_issue,
22548 .cable_detect = ata_cable_40wire,
22549 diff -urNp linux-2.6.38.4/drivers/ata/pata_netcell.c linux-2.6.38.4/drivers/ata/pata_netcell.c
22550 --- linux-2.6.38.4/drivers/ata/pata_netcell.c 2011-03-14 21:20:32.000000000 -0400
22551 +++ linux-2.6.38.4/drivers/ata/pata_netcell.c 2011-04-17 15:57:32.000000000 -0400
22552 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
22553 ATA_BMDMA_SHT(DRV_NAME),
22556 -static struct ata_port_operations netcell_ops = {
22557 +static const struct ata_port_operations netcell_ops = {
22558 .inherits = &ata_bmdma_port_ops,
22559 .cable_detect = ata_cable_80wire,
22560 .read_id = netcell_read_id,
22561 diff -urNp linux-2.6.38.4/drivers/ata/pata_ninja32.c linux-2.6.38.4/drivers/ata/pata_ninja32.c
22562 --- linux-2.6.38.4/drivers/ata/pata_ninja32.c 2011-03-14 21:20:32.000000000 -0400
22563 +++ linux-2.6.38.4/drivers/ata/pata_ninja32.c 2011-04-17 15:57:32.000000000 -0400
22564 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
22565 ATA_BMDMA_SHT(DRV_NAME),
22568 -static struct ata_port_operations ninja32_port_ops = {
22569 +static const struct ata_port_operations ninja32_port_ops = {
22570 .inherits = &ata_bmdma_port_ops,
22571 .sff_dev_select = ninja32_dev_select,
22572 .cable_detect = ata_cable_40wire,
22573 diff -urNp linux-2.6.38.4/drivers/ata/pata_ns87410.c linux-2.6.38.4/drivers/ata/pata_ns87410.c
22574 --- linux-2.6.38.4/drivers/ata/pata_ns87410.c 2011-03-14 21:20:32.000000000 -0400
22575 +++ linux-2.6.38.4/drivers/ata/pata_ns87410.c 2011-04-17 15:57:32.000000000 -0400
22576 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
22577 ATA_PIO_SHT(DRV_NAME),
22580 -static struct ata_port_operations ns87410_port_ops = {
22581 +static const struct ata_port_operations ns87410_port_ops = {
22582 .inherits = &ata_sff_port_ops,
22583 .qc_issue = ns87410_qc_issue,
22584 .cable_detect = ata_cable_40wire,
22585 diff -urNp linux-2.6.38.4/drivers/ata/pata_ns87415.c linux-2.6.38.4/drivers/ata/pata_ns87415.c
22586 --- linux-2.6.38.4/drivers/ata/pata_ns87415.c 2011-03-14 21:20:32.000000000 -0400
22587 +++ linux-2.6.38.4/drivers/ata/pata_ns87415.c 2011-04-17 15:57:32.000000000 -0400
22588 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
22590 #endif /* 87560 SuperIO Support */
22592 -static struct ata_port_operations ns87415_pata_ops = {
22593 +static const struct ata_port_operations ns87415_pata_ops = {
22594 .inherits = &ata_bmdma_port_ops,
22596 .check_atapi_dma = ns87415_check_atapi_dma,
22597 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
22600 #if defined(CONFIG_SUPERIO)
22601 -static struct ata_port_operations ns87560_pata_ops = {
22602 +static const struct ata_port_operations ns87560_pata_ops = {
22603 .inherits = &ns87415_pata_ops,
22604 .sff_tf_read = ns87560_tf_read,
22605 .sff_check_status = ns87560_check_status,
22606 diff -urNp linux-2.6.38.4/drivers/ata/pata_octeon_cf.c linux-2.6.38.4/drivers/ata/pata_octeon_cf.c
22607 --- linux-2.6.38.4/drivers/ata/pata_octeon_cf.c 2011-03-14 21:20:32.000000000 -0400
22608 +++ linux-2.6.38.4/drivers/ata/pata_octeon_cf.c 2011-04-17 15:57:32.000000000 -0400
22609 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
22613 -static struct ata_port_operations octeon_cf_ops = {
22614 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
22615 .inherits = &ata_sff_port_ops,
22616 .check_atapi_dma = octeon_cf_check_atapi_dma,
22617 .qc_prep = ata_noop_qc_prep,
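Review bot: The new `/* cannot be const */` on `octeon_cf_ops` records the exception without saying why, so the next person sweeping for writable function-pointer tables has no way to tell a deliberate carve-out from an oversight; presumably the driver's probe path assigns to a member of this table at runtime, and the comment should say so, e.g. `/* not const: the probe path assigns to this table at runtime, see the probe routine */` (adjusting the wording to the actual reason). It is also worth stating in the comment that this is therefore the one ops table in this directory that stays in writable memory, since removing that class of overwrite target is the whole point of the surrounding hunks. If the runtime write merely selects between a fixed set of alternatives, the driver could instead carry two `static const` tables and choose a pointer at probe time, which would let this table be constified like the rest. The initializer continues past the end of the hunk.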
22618 diff -urNp linux-2.6.38.4/drivers/ata/pata_oldpiix.c linux-2.6.38.4/drivers/ata/pata_oldpiix.c
22619 --- linux-2.6.38.4/drivers/ata/pata_oldpiix.c 2011-03-14 21:20:32.000000000 -0400
22620 +++ linux-2.6.38.4/drivers/ata/pata_oldpiix.c 2011-04-17 15:57:32.000000000 -0400
22621 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
22622 ATA_BMDMA_SHT(DRV_NAME),
22625 -static struct ata_port_operations oldpiix_pata_ops = {
22626 +static const struct ata_port_operations oldpiix_pata_ops = {
22627 .inherits = &ata_bmdma_port_ops,
22628 .qc_issue = oldpiix_qc_issue,
22629 .cable_detect = ata_cable_40wire,
22630 diff -urNp linux-2.6.38.4/drivers/ata/pata_opti.c linux-2.6.38.4/drivers/ata/pata_opti.c
22631 --- linux-2.6.38.4/drivers/ata/pata_opti.c 2011-03-14 21:20:32.000000000 -0400
22632 +++ linux-2.6.38.4/drivers/ata/pata_opti.c 2011-04-17 15:57:32.000000000 -0400
22633 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
22634 ATA_PIO_SHT(DRV_NAME),
22637 -static struct ata_port_operations opti_port_ops = {
22638 +static const struct ata_port_operations opti_port_ops = {
22639 .inherits = &ata_sff_port_ops,
22640 .cable_detect = ata_cable_40wire,
22641 .set_piomode = opti_set_piomode,
22642 diff -urNp linux-2.6.38.4/drivers/ata/pata_optidma.c linux-2.6.38.4/drivers/ata/pata_optidma.c
22643 --- linux-2.6.38.4/drivers/ata/pata_optidma.c 2011-03-14 21:20:32.000000000 -0400
22644 +++ linux-2.6.38.4/drivers/ata/pata_optidma.c 2011-04-17 15:57:32.000000000 -0400
22645 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
22646 ATA_BMDMA_SHT(DRV_NAME),
22649 -static struct ata_port_operations optidma_port_ops = {
22650 +static const struct ata_port_operations optidma_port_ops = {
22651 .inherits = &ata_bmdma_port_ops,
22652 .cable_detect = ata_cable_40wire,
22653 .set_piomode = optidma_set_pio_mode,
22654 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
22655 .prereset = optidma_pre_reset,
22658 -static struct ata_port_operations optiplus_port_ops = {
22659 +static const struct ata_port_operations optiplus_port_ops = {
22660 .inherits = &optidma_port_ops,
22661 .set_piomode = optiplus_set_pio_mode,
22662 .set_dmamode = optiplus_set_dma_mode,
22663 diff -urNp linux-2.6.38.4/drivers/ata/pata_palmld.c linux-2.6.38.4/drivers/ata/pata_palmld.c
22664 --- linux-2.6.38.4/drivers/ata/pata_palmld.c 2011-03-14 21:20:32.000000000 -0400
22665 +++ linux-2.6.38.4/drivers/ata/pata_palmld.c 2011-04-17 15:57:32.000000000 -0400
22666 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
22667 ATA_PIO_SHT(DRV_NAME),
22670 -static struct ata_port_operations palmld_port_ops = {
22671 +static const struct ata_port_operations palmld_port_ops = {
22672 .inherits = &ata_sff_port_ops,
22673 .sff_data_xfer = ata_sff_data_xfer_noirq,
22674 .cable_detect = ata_cable_40wire,
22675 diff -urNp linux-2.6.38.4/drivers/ata/pata_pcmcia.c linux-2.6.38.4/drivers/ata/pata_pcmcia.c
22676 --- linux-2.6.38.4/drivers/ata/pata_pcmcia.c 2011-03-14 21:20:32.000000000 -0400
22677 +++ linux-2.6.38.4/drivers/ata/pata_pcmcia.c 2011-04-17 15:57:32.000000000 -0400
22678 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
22679 ATA_PIO_SHT(DRV_NAME),
22682 -static struct ata_port_operations pcmcia_port_ops = {
22683 +static const struct ata_port_operations pcmcia_port_ops = {
22684 .inherits = &ata_sff_port_ops,
22685 .sff_data_xfer = ata_sff_data_xfer_noirq,
22686 .cable_detect = ata_cable_40wire,
22687 .set_mode = pcmcia_set_mode,
22690 -static struct ata_port_operations pcmcia_8bit_port_ops = {
22691 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
22692 .inherits = &ata_sff_port_ops,
22693 .sff_data_xfer = ata_data_xfer_8bit,
22694 .cable_detect = ata_cable_40wire,
22695 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
22696 unsigned long io_base, ctl_base;
22697 void __iomem *io_addr, *ctl_addr;
22699 - struct ata_port_operations *ops = &pcmcia_port_ops;
22700 + const struct ata_port_operations *ops = &pcmcia_port_ops;
22702 /* Set up attributes in order to probe card and get resources */
22703 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
22704 diff -urNp linux-2.6.38.4/drivers/ata/pata_pdc2027x.c linux-2.6.38.4/drivers/ata/pata_pdc2027x.c
22705 --- linux-2.6.38.4/drivers/ata/pata_pdc2027x.c 2011-03-14 21:20:32.000000000 -0400
22706 +++ linux-2.6.38.4/drivers/ata/pata_pdc2027x.c 2011-04-17 15:57:32.000000000 -0400
22707 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
22708 ATA_BMDMA_SHT(DRV_NAME),
22711 -static struct ata_port_operations pdc2027x_pata100_ops = {
22712 +static const struct ata_port_operations pdc2027x_pata100_ops = {
22713 .inherits = &ata_bmdma_port_ops,
22714 .check_atapi_dma = pdc2027x_check_atapi_dma,
22715 .cable_detect = pdc2027x_cable_detect,
22716 .prereset = pdc2027x_prereset,
22719 -static struct ata_port_operations pdc2027x_pata133_ops = {
22720 +static const struct ata_port_operations pdc2027x_pata133_ops = {
22721 .inherits = &pdc2027x_pata100_ops,
22722 .mode_filter = pdc2027x_mode_filter,
22723 .set_piomode = pdc2027x_set_piomode,
22724 diff -urNp linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c
22725 --- linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c 2011-03-14 21:20:32.000000000 -0400
22726 +++ linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c 2011-04-17 15:57:32.000000000 -0400
22727 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
22728 ATA_BMDMA_SHT(DRV_NAME),
22731 -static struct ata_port_operations pdc2024x_port_ops = {
22732 +static const struct ata_port_operations pdc2024x_port_ops = {
22733 .inherits = &ata_bmdma_port_ops,
22735 .cable_detect = ata_cable_40wire,
22736 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
22737 .sff_irq_check = pdc202xx_irq_check,
22740 -static struct ata_port_operations pdc2026x_port_ops = {
22741 +static const struct ata_port_operations pdc2026x_port_ops = {
22742 .inherits = &pdc2024x_port_ops,
22744 .check_atapi_dma = pdc2026x_check_atapi_dma,
22745 diff -urNp linux-2.6.38.4/drivers/ata/pata_piccolo.c linux-2.6.38.4/drivers/ata/pata_piccolo.c
22746 --- linux-2.6.38.4/drivers/ata/pata_piccolo.c 2011-03-14 21:20:32.000000000 -0400
22747 +++ linux-2.6.38.4/drivers/ata/pata_piccolo.c 2011-04-17 15:57:32.000000000 -0400
22748 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
22749 ATA_BMDMA_SHT(DRV_NAME),
22752 -static struct ata_port_operations tosh_port_ops = {
22753 +static const struct ata_port_operations tosh_port_ops = {
22754 .inherits = &ata_bmdma_port_ops,
22755 .cable_detect = ata_cable_unknown,
22756 .set_piomode = tosh_set_piomode,
22757 diff -urNp linux-2.6.38.4/drivers/ata/pata_platform.c linux-2.6.38.4/drivers/ata/pata_platform.c
22758 --- linux-2.6.38.4/drivers/ata/pata_platform.c 2011-03-14 21:20:32.000000000 -0400
22759 +++ linux-2.6.38.4/drivers/ata/pata_platform.c 2011-04-17 15:57:32.000000000 -0400
22760 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
22761 ATA_PIO_SHT(DRV_NAME),
22764 -static struct ata_port_operations pata_platform_port_ops = {
22765 +static const struct ata_port_operations pata_platform_port_ops = {
22766 .inherits = &ata_sff_port_ops,
22767 .sff_data_xfer = ata_sff_data_xfer_noirq,
22768 .cable_detect = ata_cable_unknown,
22769 diff -urNp linux-2.6.38.4/drivers/ata/pata_pxa.c linux-2.6.38.4/drivers/ata/pata_pxa.c
22770 --- linux-2.6.38.4/drivers/ata/pata_pxa.c 2011-03-14 21:20:32.000000000 -0400
22771 +++ linux-2.6.38.4/drivers/ata/pata_pxa.c 2011-04-17 15:57:32.000000000 -0400
22772 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
22773 ATA_BMDMA_SHT(DRV_NAME),
22776 -static struct ata_port_operations pxa_ata_port_ops = {
22777 +static const struct ata_port_operations pxa_ata_port_ops = {
22778 .inherits = &ata_bmdma_port_ops,
22779 .cable_detect = ata_cable_40wire,
22781 diff -urNp linux-2.6.38.4/drivers/ata/pata_qdi.c linux-2.6.38.4/drivers/ata/pata_qdi.c
22782 --- linux-2.6.38.4/drivers/ata/pata_qdi.c 2011-03-14 21:20:32.000000000 -0400
22783 +++ linux-2.6.38.4/drivers/ata/pata_qdi.c 2011-04-17 15:57:32.000000000 -0400
22784 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
22785 ATA_PIO_SHT(DRV_NAME),
22788 -static struct ata_port_operations qdi6500_port_ops = {
22789 +static const struct ata_port_operations qdi6500_port_ops = {
22790 .inherits = &ata_sff_port_ops,
22791 .qc_issue = qdi_qc_issue,
22792 .sff_data_xfer = qdi_data_xfer,
22793 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
22794 .set_piomode = qdi6500_set_piomode,
22797 -static struct ata_port_operations qdi6580_port_ops = {
22798 +static const struct ata_port_operations qdi6580_port_ops = {
22799 .inherits = &qdi6500_port_ops,
22800 .set_piomode = qdi6580_set_piomode,
22802 diff -urNp linux-2.6.38.4/drivers/ata/pata_radisys.c linux-2.6.38.4/drivers/ata/pata_radisys.c
22803 --- linux-2.6.38.4/drivers/ata/pata_radisys.c 2011-03-14 21:20:32.000000000 -0400
22804 +++ linux-2.6.38.4/drivers/ata/pata_radisys.c 2011-04-17 15:57:32.000000000 -0400
22805 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
22806 ATA_BMDMA_SHT(DRV_NAME),
22809 -static struct ata_port_operations radisys_pata_ops = {
22810 +static const struct ata_port_operations radisys_pata_ops = {
22811 .inherits = &ata_bmdma_port_ops,
22812 .qc_issue = radisys_qc_issue,
22813 .cable_detect = ata_cable_unknown,
22814 diff -urNp linux-2.6.38.4/drivers/ata/pata_rb532_cf.c linux-2.6.38.4/drivers/ata/pata_rb532_cf.c
22815 --- linux-2.6.38.4/drivers/ata/pata_rb532_cf.c 2011-03-14 21:20:32.000000000 -0400
22816 +++ linux-2.6.38.4/drivers/ata/pata_rb532_cf.c 2011-04-17 15:57:32.000000000 -0400
22817 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
22818 return IRQ_HANDLED;
22821 -static struct ata_port_operations rb532_pata_port_ops = {
22822 +static const struct ata_port_operations rb532_pata_port_ops = {
22823 .inherits = &ata_sff_port_ops,
22824 .sff_data_xfer = ata_sff_data_xfer32,
22826 diff -urNp linux-2.6.38.4/drivers/ata/pata_rdc.c linux-2.6.38.4/drivers/ata/pata_rdc.c
22827 --- linux-2.6.38.4/drivers/ata/pata_rdc.c 2011-03-14 21:20:32.000000000 -0400
22828 +++ linux-2.6.38.4/drivers/ata/pata_rdc.c 2011-04-17 15:57:32.000000000 -0400
22829 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
22830 pci_write_config_byte(dev, 0x48, udma_enable);
22833 -static struct ata_port_operations rdc_pata_ops = {
22834 +static const struct ata_port_operations rdc_pata_ops = {
22835 .inherits = &ata_bmdma32_port_ops,
22836 .cable_detect = rdc_pata_cable_detect,
22837 .set_piomode = rdc_set_piomode,
22838 diff -urNp linux-2.6.38.4/drivers/ata/pata_rz1000.c linux-2.6.38.4/drivers/ata/pata_rz1000.c
22839 --- linux-2.6.38.4/drivers/ata/pata_rz1000.c 2011-03-14 21:20:32.000000000 -0400
22840 +++ linux-2.6.38.4/drivers/ata/pata_rz1000.c 2011-04-17 15:57:32.000000000 -0400
22841 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
22842 ATA_PIO_SHT(DRV_NAME),
22845 -static struct ata_port_operations rz1000_port_ops = {
22846 +static const struct ata_port_operations rz1000_port_ops = {
22847 .inherits = &ata_sff_port_ops,
22848 .cable_detect = ata_cable_40wire,
22849 .set_mode = rz1000_set_mode,
22850 diff -urNp linux-2.6.38.4/drivers/ata/pata_samsung_cf.c linux-2.6.38.4/drivers/ata/pata_samsung_cf.c
22851 --- linux-2.6.38.4/drivers/ata/pata_samsung_cf.c 2011-03-14 21:20:32.000000000 -0400
22852 +++ linux-2.6.38.4/drivers/ata/pata_samsung_cf.c 2011-04-17 15:57:32.000000000 -0400
22853 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
22854 ATA_PIO_SHT(DRV_NAME),
22857 -static struct ata_port_operations pata_s3c_port_ops = {
22858 +static const struct ata_port_operations pata_s3c_port_ops = {
22859 .inherits = &ata_sff_port_ops,
22860 .sff_check_status = pata_s3c_check_status,
22861 .sff_check_altstatus = pata_s3c_check_altstatus,
22862 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
22863 .set_piomode = pata_s3c_set_piomode,
22866 -static struct ata_port_operations pata_s5p_port_ops = {
22867 +static const struct ata_port_operations pata_s5p_port_ops = {
22868 .inherits = &ata_sff_port_ops,
22869 .set_piomode = pata_s3c_set_piomode,
22871 diff -urNp linux-2.6.38.4/drivers/ata/pata_sc1200.c linux-2.6.38.4/drivers/ata/pata_sc1200.c
22872 --- linux-2.6.38.4/drivers/ata/pata_sc1200.c 2011-03-14 21:20:32.000000000 -0400
22873 +++ linux-2.6.38.4/drivers/ata/pata_sc1200.c 2011-04-17 15:57:32.000000000 -0400
22874 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22875 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22878 -static struct ata_port_operations sc1200_port_ops = {
22879 +static const struct ata_port_operations sc1200_port_ops = {
22880 .inherits = &ata_bmdma_port_ops,
22881 .qc_prep = ata_bmdma_dumb_qc_prep,
22882 .qc_issue = sc1200_qc_issue,
22883 diff -urNp linux-2.6.38.4/drivers/ata/pata_scc.c linux-2.6.38.4/drivers/ata/pata_scc.c
22884 --- linux-2.6.38.4/drivers/ata/pata_scc.c 2011-03-14 21:20:32.000000000 -0400
22885 +++ linux-2.6.38.4/drivers/ata/pata_scc.c 2011-04-17 15:57:32.000000000 -0400
22886 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
22887 ATA_BMDMA_SHT(DRV_NAME),
22890 -static struct ata_port_operations scc_pata_ops = {
22891 +static const struct ata_port_operations scc_pata_ops = {
22892 .inherits = &ata_bmdma_port_ops,
22894 .set_piomode = scc_set_piomode,
22895 diff -urNp linux-2.6.38.4/drivers/ata/pata_sch.c linux-2.6.38.4/drivers/ata/pata_sch.c
22896 --- linux-2.6.38.4/drivers/ata/pata_sch.c 2011-03-14 21:20:32.000000000 -0400
22897 +++ linux-2.6.38.4/drivers/ata/pata_sch.c 2011-04-17 15:57:32.000000000 -0400
22898 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22899 ATA_BMDMA_SHT(DRV_NAME),
22902 -static struct ata_port_operations sch_pata_ops = {
22903 +static const struct ata_port_operations sch_pata_ops = {
22904 .inherits = &ata_bmdma_port_ops,
22905 .cable_detect = ata_cable_unknown,
22906 .set_piomode = sch_set_piomode,
22907 diff -urNp linux-2.6.38.4/drivers/ata/pata_serverworks.c linux-2.6.38.4/drivers/ata/pata_serverworks.c
22908 --- linux-2.6.38.4/drivers/ata/pata_serverworks.c 2011-03-14 21:20:32.000000000 -0400
22909 +++ linux-2.6.38.4/drivers/ata/pata_serverworks.c 2011-04-17 15:57:32.000000000 -0400
22910 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22911 ATA_BMDMA_SHT(DRV_NAME),
22914 -static struct ata_port_operations serverworks_osb4_port_ops = {
22915 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22916 .inherits = &ata_bmdma_port_ops,
22917 .cable_detect = serverworks_cable_detect,
22918 .mode_filter = serverworks_osb4_filter,
22919 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22920 .set_dmamode = serverworks_set_dmamode,
22923 -static struct ata_port_operations serverworks_csb_port_ops = {
22924 +static const struct ata_port_operations serverworks_csb_port_ops = {
22925 .inherits = &serverworks_osb4_port_ops,
22926 .mode_filter = serverworks_csb_filter,
22928 diff -urNp linux-2.6.38.4/drivers/ata/pata_sil680.c linux-2.6.38.4/drivers/ata/pata_sil680.c
22929 --- linux-2.6.38.4/drivers/ata/pata_sil680.c 2011-03-14 21:20:32.000000000 -0400
22930 +++ linux-2.6.38.4/drivers/ata/pata_sil680.c 2011-04-17 15:57:32.000000000 -0400
22931 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
22932 ATA_BMDMA_SHT(DRV_NAME),
22936 -static struct ata_port_operations sil680_port_ops = {
22937 +static const struct ata_port_operations sil680_port_ops = {
22938 .inherits = &ata_bmdma32_port_ops,
22939 .sff_exec_command = sil680_sff_exec_command,
22940 .sff_irq_check = sil680_sff_irq_check,
22941 diff -urNp linux-2.6.38.4/drivers/ata/pata_sis.c linux-2.6.38.4/drivers/ata/pata_sis.c
22942 --- linux-2.6.38.4/drivers/ata/pata_sis.c 2011-03-14 21:20:32.000000000 -0400
22943 +++ linux-2.6.38.4/drivers/ata/pata_sis.c 2011-04-17 15:57:32.000000000 -0400
22944 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22945 ATA_BMDMA_SHT(DRV_NAME),
22948 -static struct ata_port_operations sis_133_for_sata_ops = {
22949 +static const struct ata_port_operations sis_133_for_sata_ops = {
22950 .inherits = &ata_bmdma_port_ops,
22951 .set_piomode = sis_133_set_piomode,
22952 .set_dmamode = sis_133_set_dmamode,
22953 .cable_detect = sis_133_cable_detect,
22956 -static struct ata_port_operations sis_base_ops = {
22957 +static const struct ata_port_operations sis_base_ops = {
22958 .inherits = &ata_bmdma_port_ops,
22959 .prereset = sis_pre_reset,
22962 -static struct ata_port_operations sis_133_ops = {
22963 +static const struct ata_port_operations sis_133_ops = {
22964 .inherits = &sis_base_ops,
22965 .set_piomode = sis_133_set_piomode,
22966 .set_dmamode = sis_133_set_dmamode,
22967 .cable_detect = sis_133_cable_detect,
22970 -static struct ata_port_operations sis_133_early_ops = {
22971 +static const struct ata_port_operations sis_133_early_ops = {
22972 .inherits = &sis_base_ops,
22973 .set_piomode = sis_100_set_piomode,
22974 .set_dmamode = sis_133_early_set_dmamode,
22975 .cable_detect = sis_66_cable_detect,
22978 -static struct ata_port_operations sis_100_ops = {
22979 +static const struct ata_port_operations sis_100_ops = {
22980 .inherits = &sis_base_ops,
22981 .set_piomode = sis_100_set_piomode,
22982 .set_dmamode = sis_100_set_dmamode,
22983 .cable_detect = sis_66_cable_detect,
22986 -static struct ata_port_operations sis_66_ops = {
22987 +static const struct ata_port_operations sis_66_ops = {
22988 .inherits = &sis_base_ops,
22989 .set_piomode = sis_old_set_piomode,
22990 .set_dmamode = sis_66_set_dmamode,
22991 .cable_detect = sis_66_cable_detect,
22994 -static struct ata_port_operations sis_old_ops = {
22995 +static const struct ata_port_operations sis_old_ops = {
22996 .inherits = &sis_base_ops,
22997 .set_piomode = sis_old_set_piomode,
22998 .set_dmamode = sis_old_set_dmamode,
22999 diff -urNp linux-2.6.38.4/drivers/ata/pata_sl82c105.c linux-2.6.38.4/drivers/ata/pata_sl82c105.c
23000 --- linux-2.6.38.4/drivers/ata/pata_sl82c105.c 2011-03-14 21:20:32.000000000 -0400
23001 +++ linux-2.6.38.4/drivers/ata/pata_sl82c105.c 2011-04-17 15:57:32.000000000 -0400
23002 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
23003 ATA_BMDMA_SHT(DRV_NAME),
23006 -static struct ata_port_operations sl82c105_port_ops = {
23007 +static const struct ata_port_operations sl82c105_port_ops = {
23008 .inherits = &ata_bmdma_port_ops,
23009 .qc_defer = sl82c105_qc_defer,
23010 .bmdma_start = sl82c105_bmdma_start,
23011 diff -urNp linux-2.6.38.4/drivers/ata/pata_triflex.c linux-2.6.38.4/drivers/ata/pata_triflex.c
23012 --- linux-2.6.38.4/drivers/ata/pata_triflex.c 2011-03-14 21:20:32.000000000 -0400
23013 +++ linux-2.6.38.4/drivers/ata/pata_triflex.c 2011-04-17 15:57:32.000000000 -0400
23014 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
23015 ATA_BMDMA_SHT(DRV_NAME),
23018 -static struct ata_port_operations triflex_port_ops = {
23019 +static const struct ata_port_operations triflex_port_ops = {
23020 .inherits = &ata_bmdma_port_ops,
23021 .bmdma_start = triflex_bmdma_start,
23022 .bmdma_stop = triflex_bmdma_stop,
23023 diff -urNp linux-2.6.38.4/drivers/ata/pata_via.c linux-2.6.38.4/drivers/ata/pata_via.c
23024 --- linux-2.6.38.4/drivers/ata/pata_via.c 2011-03-14 21:20:32.000000000 -0400
23025 +++ linux-2.6.38.4/drivers/ata/pata_via.c 2011-04-17 15:57:32.000000000 -0400
23026 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
23027 ATA_BMDMA_SHT(DRV_NAME),
23030 -static struct ata_port_operations via_port_ops = {
23031 +static const struct ata_port_operations via_port_ops = {
23032 .inherits = &ata_bmdma_port_ops,
23033 .cable_detect = via_cable_detect,
23034 .set_piomode = via_set_piomode,
23035 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
23036 .mode_filter = via_mode_filter,
23039 -static struct ata_port_operations via_port_ops_noirq = {
23040 +static const struct ata_port_operations via_port_ops_noirq = {
23041 .inherits = &via_port_ops,
23042 .sff_data_xfer = ata_sff_data_xfer_noirq,
23044 diff -urNp linux-2.6.38.4/drivers/ata/pdc_adma.c linux-2.6.38.4/drivers/ata/pdc_adma.c
23045 --- linux-2.6.38.4/drivers/ata/pdc_adma.c 2011-03-14 21:20:32.000000000 -0400
23046 +++ linux-2.6.38.4/drivers/ata/pdc_adma.c 2011-04-17 15:57:32.000000000 -0400
23047 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
23048 .dma_boundary = ADMA_DMA_BOUNDARY,
23051 -static struct ata_port_operations adma_ata_ops = {
23052 +static const struct ata_port_operations adma_ata_ops = {
23053 .inherits = &ata_sff_port_ops,
23055 .lost_interrupt = ATA_OP_NULL,
23056 diff -urNp linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c
23057 --- linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c 2011-03-14 21:20:32.000000000 -0400
23058 +++ linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c 2011-04-17 15:57:32.000000000 -0400
23059 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
23060 .dma_boundary = ATA_DMA_BOUNDARY,
23063 -static struct ata_port_operations sata_dwc_ops = {
23064 +static const struct ata_port_operations sata_dwc_ops = {
23065 .inherits = &ata_sff_port_ops,
23067 .error_handler = sata_dwc_error_handler,
23068 diff -urNp linux-2.6.38.4/drivers/ata/sata_fsl.c linux-2.6.38.4/drivers/ata/sata_fsl.c
23069 --- linux-2.6.38.4/drivers/ata/sata_fsl.c 2011-03-14 21:20:32.000000000 -0400
23070 +++ linux-2.6.38.4/drivers/ata/sata_fsl.c 2011-04-17 15:57:32.000000000 -0400
23071 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
23072 .dma_boundary = ATA_DMA_BOUNDARY,
23075 -static struct ata_port_operations sata_fsl_ops = {
23076 +static const struct ata_port_operations sata_fsl_ops = {
23077 .inherits = &sata_pmp_port_ops,
23079 .qc_defer = ata_std_qc_defer,
23080 diff -urNp linux-2.6.38.4/drivers/ata/sata_inic162x.c linux-2.6.38.4/drivers/ata/sata_inic162x.c
23081 --- linux-2.6.38.4/drivers/ata/sata_inic162x.c 2011-03-14 21:20:32.000000000 -0400
23082 +++ linux-2.6.38.4/drivers/ata/sata_inic162x.c 2011-04-17 15:57:32.000000000 -0400
23083 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
23087 -static struct ata_port_operations inic_port_ops = {
23088 +static const struct ata_port_operations inic_port_ops = {
23089 .inherits = &sata_port_ops,
23091 .check_atapi_dma = inic_check_atapi_dma,
23092 diff -urNp linux-2.6.38.4/drivers/ata/sata_mv.c linux-2.6.38.4/drivers/ata/sata_mv.c
23093 --- linux-2.6.38.4/drivers/ata/sata_mv.c 2011-03-14 21:20:32.000000000 -0400
23094 +++ linux-2.6.38.4/drivers/ata/sata_mv.c 2011-04-17 15:57:32.000000000 -0400
23095 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
23096 .dma_boundary = MV_DMA_BOUNDARY,
23099 -static struct ata_port_operations mv5_ops = {
23100 +static const struct ata_port_operations mv5_ops = {
23101 .inherits = &ata_sff_port_ops,
23103 .lost_interrupt = ATA_OP_NULL,
23104 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
23105 .port_stop = mv_port_stop,
23108 -static struct ata_port_operations mv6_ops = {
23109 +static const struct ata_port_operations mv6_ops = {
23110 .inherits = &ata_bmdma_port_ops,
23112 .lost_interrupt = ATA_OP_NULL,
23113 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
23114 .port_stop = mv_port_stop,
23117 -static struct ata_port_operations mv_iie_ops = {
23118 +static const struct ata_port_operations mv_iie_ops = {
23119 .inherits = &mv6_ops,
23120 .dev_config = ATA_OP_NULL,
23121 .qc_prep = mv_qc_prep_iie,
23122 diff -urNp linux-2.6.38.4/drivers/ata/sata_nv.c linux-2.6.38.4/drivers/ata/sata_nv.c
23123 --- linux-2.6.38.4/drivers/ata/sata_nv.c 2011-03-14 21:20:32.000000000 -0400
23124 +++ linux-2.6.38.4/drivers/ata/sata_nv.c 2011-04-17 15:57:32.000000000 -0400
23125 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
23126 * cases. Define nv_hardreset() which only kicks in for post-boot
23127 * probing and use it for all variants.
23129 -static struct ata_port_operations nv_generic_ops = {
23130 +static const struct ata_port_operations nv_generic_ops = {
23131 .inherits = &ata_bmdma_port_ops,
23132 .lost_interrupt = ATA_OP_NULL,
23133 .scr_read = nv_scr_read,
23134 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
23135 .hardreset = nv_hardreset,
23138 -static struct ata_port_operations nv_nf2_ops = {
23139 +static const struct ata_port_operations nv_nf2_ops = {
23140 .inherits = &nv_generic_ops,
23141 .freeze = nv_nf2_freeze,
23142 .thaw = nv_nf2_thaw,
23145 -static struct ata_port_operations nv_ck804_ops = {
23146 +static const struct ata_port_operations nv_ck804_ops = {
23147 .inherits = &nv_generic_ops,
23148 .freeze = nv_ck804_freeze,
23149 .thaw = nv_ck804_thaw,
23150 .host_stop = nv_ck804_host_stop,
23153 -static struct ata_port_operations nv_adma_ops = {
23154 +static const struct ata_port_operations nv_adma_ops = {
23155 .inherits = &nv_ck804_ops,
23157 .check_atapi_dma = nv_adma_check_atapi_dma,
23158 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
23159 .host_stop = nv_adma_host_stop,
23162 -static struct ata_port_operations nv_swncq_ops = {
23163 +static const struct ata_port_operations nv_swncq_ops = {
23164 .inherits = &nv_generic_ops,
23166 .qc_defer = ata_std_qc_defer,
23167 diff -urNp linux-2.6.38.4/drivers/ata/sata_promise.c linux-2.6.38.4/drivers/ata/sata_promise.c
23168 --- linux-2.6.38.4/drivers/ata/sata_promise.c 2011-03-14 21:20:32.000000000 -0400
23169 +++ linux-2.6.38.4/drivers/ata/sata_promise.c 2011-04-17 15:57:32.000000000 -0400
23170 @@ -196,7 +196,7 @@ static const struct ata_port_operations
23171 .error_handler = pdc_error_handler,
23174 -static struct ata_port_operations pdc_sata_ops = {
23175 +static const struct ata_port_operations pdc_sata_ops = {
23176 .inherits = &pdc_common_ops,
23177 .cable_detect = pdc_sata_cable_detect,
23178 .freeze = pdc_sata_freeze,
23179 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
23181 /* First-generation chips need a more restrictive ->check_atapi_dma op,
23182 and ->freeze/thaw that ignore the hotplug controls. */
23183 -static struct ata_port_operations pdc_old_sata_ops = {
23184 +static const struct ata_port_operations pdc_old_sata_ops = {
23185 .inherits = &pdc_sata_ops,
23186 .freeze = pdc_freeze,
23188 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
23191 -static struct ata_port_operations pdc_pata_ops = {
23192 +static const struct ata_port_operations pdc_pata_ops = {
23193 .inherits = &pdc_common_ops,
23194 .cable_detect = pdc_pata_cable_detect,
23195 .freeze = pdc_freeze,
23196 diff -urNp linux-2.6.38.4/drivers/ata/sata_qstor.c linux-2.6.38.4/drivers/ata/sata_qstor.c
23197 --- linux-2.6.38.4/drivers/ata/sata_qstor.c 2011-03-14 21:20:32.000000000 -0400
23198 +++ linux-2.6.38.4/drivers/ata/sata_qstor.c 2011-04-17 15:57:32.000000000 -0400
23199 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
23200 .dma_boundary = QS_DMA_BOUNDARY,
23203 -static struct ata_port_operations qs_ata_ops = {
23204 +static const struct ata_port_operations qs_ata_ops = {
23205 .inherits = &ata_sff_port_ops,
23207 .check_atapi_dma = qs_check_atapi_dma,
23208 diff -urNp linux-2.6.38.4/drivers/ata/sata_sil24.c linux-2.6.38.4/drivers/ata/sata_sil24.c
23209 --- linux-2.6.38.4/drivers/ata/sata_sil24.c 2011-03-14 21:20:32.000000000 -0400
23210 +++ linux-2.6.38.4/drivers/ata/sata_sil24.c 2011-04-17 15:57:32.000000000 -0400
23211 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
23212 .dma_boundary = ATA_DMA_BOUNDARY,
23215 -static struct ata_port_operations sil24_ops = {
23216 +static const struct ata_port_operations sil24_ops = {
23217 .inherits = &sata_pmp_port_ops,
23219 .qc_defer = sil24_qc_defer,
23220 diff -urNp linux-2.6.38.4/drivers/ata/sata_sil.c linux-2.6.38.4/drivers/ata/sata_sil.c
23221 --- linux-2.6.38.4/drivers/ata/sata_sil.c 2011-03-14 21:20:32.000000000 -0400
23222 +++ linux-2.6.38.4/drivers/ata/sata_sil.c 2011-04-17 15:57:32.000000000 -0400
23223 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
23224 .sg_tablesize = ATA_MAX_PRD
23227 -static struct ata_port_operations sil_ops = {
23228 +static const struct ata_port_operations sil_ops = {
23229 .inherits = &ata_bmdma32_port_ops,
23230 .dev_config = sil_dev_config,
23231 .set_mode = sil_set_mode,
23232 diff -urNp linux-2.6.38.4/drivers/ata/sata_sis.c linux-2.6.38.4/drivers/ata/sata_sis.c
23233 --- linux-2.6.38.4/drivers/ata/sata_sis.c 2011-03-14 21:20:32.000000000 -0400
23234 +++ linux-2.6.38.4/drivers/ata/sata_sis.c 2011-04-17 15:57:32.000000000 -0400
23235 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
23236 ATA_BMDMA_SHT(DRV_NAME),
23239 -static struct ata_port_operations sis_ops = {
23240 +static const struct ata_port_operations sis_ops = {
23241 .inherits = &ata_bmdma_port_ops,
23242 .scr_read = sis_scr_read,
23243 .scr_write = sis_scr_write,
23244 diff -urNp linux-2.6.38.4/drivers/ata/sata_svw.c linux-2.6.38.4/drivers/ata/sata_svw.c
23245 --- linux-2.6.38.4/drivers/ata/sata_svw.c 2011-03-14 21:20:32.000000000 -0400
23246 +++ linux-2.6.38.4/drivers/ata/sata_svw.c 2011-04-17 15:57:32.000000000 -0400
23247 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
23251 -static struct ata_port_operations k2_sata_ops = {
23252 +static const struct ata_port_operations k2_sata_ops = {
23253 .inherits = &ata_bmdma_port_ops,
23254 .sff_tf_load = k2_sata_tf_load,
23255 .sff_tf_read = k2_sata_tf_read,
23256 diff -urNp linux-2.6.38.4/drivers/ata/sata_sx4.c linux-2.6.38.4/drivers/ata/sata_sx4.c
23257 --- linux-2.6.38.4/drivers/ata/sata_sx4.c 2011-03-14 21:20:32.000000000 -0400
23258 +++ linux-2.6.38.4/drivers/ata/sata_sx4.c 2011-04-17 15:57:32.000000000 -0400
23259 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
23262 /* TODO: inherit from base port_ops after converting to new EH */
23263 -static struct ata_port_operations pdc_20621_ops = {
23264 +static const struct ata_port_operations pdc_20621_ops = {
23265 .inherits = &ata_sff_port_ops,
23267 .check_atapi_dma = pdc_check_atapi_dma,
23268 diff -urNp linux-2.6.38.4/drivers/ata/sata_uli.c linux-2.6.38.4/drivers/ata/sata_uli.c
23269 --- linux-2.6.38.4/drivers/ata/sata_uli.c 2011-03-14 21:20:32.000000000 -0400
23270 +++ linux-2.6.38.4/drivers/ata/sata_uli.c 2011-04-17 15:57:32.000000000 -0400
23271 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
23272 ATA_BMDMA_SHT(DRV_NAME),
23275 -static struct ata_port_operations uli_ops = {
23276 +static const struct ata_port_operations uli_ops = {
23277 .inherits = &ata_bmdma_port_ops,
23278 .scr_read = uli_scr_read,
23279 .scr_write = uli_scr_write,
23280 diff -urNp linux-2.6.38.4/drivers/ata/sata_via.c linux-2.6.38.4/drivers/ata/sata_via.c
23281 --- linux-2.6.38.4/drivers/ata/sata_via.c 2011-03-14 21:20:32.000000000 -0400
23282 +++ linux-2.6.38.4/drivers/ata/sata_via.c 2011-04-17 15:57:32.000000000 -0400
23283 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
23284 ATA_BMDMA_SHT(DRV_NAME),
23287 -static struct ata_port_operations svia_base_ops = {
23288 +static const struct ata_port_operations svia_base_ops = {
23289 .inherits = &ata_bmdma_port_ops,
23290 .sff_tf_load = svia_tf_load,
23293 -static struct ata_port_operations vt6420_sata_ops = {
23294 +static const struct ata_port_operations vt6420_sata_ops = {
23295 .inherits = &svia_base_ops,
23296 .freeze = svia_noop_freeze,
23297 .prereset = vt6420_prereset,
23298 .bmdma_start = vt6420_bmdma_start,
23301 -static struct ata_port_operations vt6421_pata_ops = {
23302 +static const struct ata_port_operations vt6421_pata_ops = {
23303 .inherits = &svia_base_ops,
23304 .cable_detect = vt6421_pata_cable_detect,
23305 .set_piomode = vt6421_set_pio_mode,
23306 .set_dmamode = vt6421_set_dma_mode,
23309 -static struct ata_port_operations vt6421_sata_ops = {
23310 +static const struct ata_port_operations vt6421_sata_ops = {
23311 .inherits = &svia_base_ops,
23312 .scr_read = svia_scr_read,
23313 .scr_write = svia_scr_write,
23316 -static struct ata_port_operations vt8251_ops = {
23317 +static const struct ata_port_operations vt8251_ops = {
23318 .inherits = &svia_base_ops,
23319 .hardreset = sata_std_hardreset,
23320 .scr_read = vt8251_scr_read,
23321 diff -urNp linux-2.6.38.4/drivers/ata/sata_vsc.c linux-2.6.38.4/drivers/ata/sata_vsc.c
23322 --- linux-2.6.38.4/drivers/ata/sata_vsc.c 2011-03-14 21:20:32.000000000 -0400
23323 +++ linux-2.6.38.4/drivers/ata/sata_vsc.c 2011-04-17 15:57:32.000000000 -0400
23324 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
23328 -static struct ata_port_operations vsc_sata_ops = {
23329 +static const struct ata_port_operations vsc_sata_ops = {
23330 .inherits = &ata_bmdma_port_ops,
23331 /* The IRQ handling is not quite standard SFF behaviour so we
23332 cannot use the default lost interrupt handler */
23333 diff -urNp linux-2.6.38.4/drivers/atm/adummy.c linux-2.6.38.4/drivers/atm/adummy.c
23334 --- linux-2.6.38.4/drivers/atm/adummy.c 2011-03-14 21:20:32.000000000 -0400
23335 +++ linux-2.6.38.4/drivers/atm/adummy.c 2011-04-17 15:57:32.000000000 -0400
23336 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
23337 vcc->pop(vcc, skb);
23339 dev_kfree_skb_any(skb);
23340 - atomic_inc(&vcc->stats->tx);
23341 + atomic_inc_unchecked(&vcc->stats->tx);
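Review bot: The switch to atomic_inc_unchecked() on `vcc->stats->tx` here only builds if the counters in struct k_atm_aal_stats (include/linux/atmdev.h) and every generic reader of them — the /proc/net/atm output and the stats fetch/zero path behind ATM_GETSTATS in net/atm — are converted to atomic_unchecked_t by the same patch; none of that is in this chunk, so I assume it is done elsewhere and it should be confirmed rather than taken on trust. Opting these fields out of what is presumably PaX's refcount-overflow detection is defensible, since they are monotonic packet counters that are expected to wrap rather than reference counts, but that reasoning is recorded nowhere; a one-line comment at the struct definition, `/* plain traffic counters: may wrap, deliberately not overflow-checked */`, would stop a later cleanup from "fixing" them back to atomic_t. adummy_send starts outside the hunk.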
23345 diff -urNp linux-2.6.38.4/drivers/atm/ambassador.c linux-2.6.38.4/drivers/atm/ambassador.c
23346 --- linux-2.6.38.4/drivers/atm/ambassador.c 2011-03-14 21:20:32.000000000 -0400
23347 +++ linux-2.6.38.4/drivers/atm/ambassador.c 2011-04-17 15:57:32.000000000 -0400
23348 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
23349 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
23352 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23353 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23355 // free the descriptor
23357 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
23358 dump_skb ("<<<", vc, skb);
23361 - atomic_inc(&atm_vcc->stats->rx);
23362 + atomic_inc_unchecked(&atm_vcc->stats->rx);
23363 __net_timestamp(skb);
23364 // end of our responsability
23365 atm_vcc->push (atm_vcc, skb);
23366 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
23368 PRINTK (KERN_INFO, "dropped over-size frame");
23369 // should we count this?
23370 - atomic_inc(&atm_vcc->stats->rx_drop);
23371 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23375 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
23378 if (check_area (skb->data, skb->len)) {
23379 - atomic_inc(&atm_vcc->stats->tx_err);
23380 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
23381 return -ENOMEM; // ?
23384 diff -urNp linux-2.6.38.4/drivers/atm/atmtcp.c linux-2.6.38.4/drivers/atm/atmtcp.c
23385 --- linux-2.6.38.4/drivers/atm/atmtcp.c 2011-03-14 21:20:32.000000000 -0400
23386 +++ linux-2.6.38.4/drivers/atm/atmtcp.c 2011-04-17 15:57:32.000000000 -0400
23387 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
23388 if (vcc->pop) vcc->pop(vcc,skb);
23389 else dev_kfree_skb(skb);
23390 if (dev_data) return 0;
23391 - atomic_inc(&vcc->stats->tx_err);
23392 + atomic_inc_unchecked(&vcc->stats->tx_err);
23395 size = skb->len+sizeof(struct atmtcp_hdr);
23396 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
23398 if (vcc->pop) vcc->pop(vcc,skb);
23399 else dev_kfree_skb(skb);
23400 - atomic_inc(&vcc->stats->tx_err);
23401 + atomic_inc_unchecked(&vcc->stats->tx_err);
23404 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
23405 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
23406 if (vcc->pop) vcc->pop(vcc,skb);
23407 else dev_kfree_skb(skb);
23408 out_vcc->push(out_vcc,new_skb);
23409 - atomic_inc(&vcc->stats->tx);
23410 - atomic_inc(&out_vcc->stats->rx);
23411 + atomic_inc_unchecked(&vcc->stats->tx);
23412 + atomic_inc_unchecked(&out_vcc->stats->rx);
23416 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
23417 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
23418 read_unlock(&vcc_sklist_lock);
23420 - atomic_inc(&vcc->stats->tx_err);
23421 + atomic_inc_unchecked(&vcc->stats->tx_err);
23424 skb_pull(skb,sizeof(struct atmtcp_hdr));
23425 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
23426 __net_timestamp(new_skb);
23427 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
23428 out_vcc->push(out_vcc,new_skb);
23429 - atomic_inc(&vcc->stats->tx);
23430 - atomic_inc(&out_vcc->stats->rx);
23431 + atomic_inc_unchecked(&vcc->stats->tx);
23432 + atomic_inc_unchecked(&out_vcc->stats->rx);
23434 if (vcc->pop) vcc->pop(vcc,skb);
23435 else dev_kfree_skb(skb);
23436 diff -urNp linux-2.6.38.4/drivers/atm/eni.c linux-2.6.38.4/drivers/atm/eni.c
23437 --- linux-2.6.38.4/drivers/atm/eni.c 2011-03-14 21:20:32.000000000 -0400
23438 +++ linux-2.6.38.4/drivers/atm/eni.c 2011-04-17 15:57:32.000000000 -0400
23439 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
23440 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
23443 - atomic_inc(&vcc->stats->rx_err);
23444 + atomic_inc_unchecked(&vcc->stats->rx_err);
23447 length = ATM_CELL_SIZE-1; /* no HEC */
23448 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23452 - atomic_inc(&vcc->stats->rx_err);
23453 + atomic_inc_unchecked(&vcc->stats->rx_err);
23456 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
23457 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23458 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
23459 vcc->dev->number,vcc->vci,length,size << 2,descr);
23461 - atomic_inc(&vcc->stats->rx_err);
23462 + atomic_inc_unchecked(&vcc->stats->rx_err);
23465 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
23466 @@ -771,7 +771,7 @@ rx_dequeued++;
23467 vcc->push(vcc,skb);
23470 - atomic_inc(&vcc->stats->rx);
23471 + atomic_inc_unchecked(&vcc->stats->rx);
23473 wake_up(&eni_dev->rx_wait);
23475 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
23477 if (vcc->pop) vcc->pop(vcc,skb);
23478 else dev_kfree_skb_irq(skb);
23479 - atomic_inc(&vcc->stats->tx);
23480 + atomic_inc_unchecked(&vcc->stats->tx);
23481 wake_up(&eni_dev->tx_wait);
23484 diff -urNp linux-2.6.38.4/drivers/atm/firestream.c linux-2.6.38.4/drivers/atm/firestream.c
23485 --- linux-2.6.38.4/drivers/atm/firestream.c 2011-03-14 21:20:32.000000000 -0400
23486 +++ linux-2.6.38.4/drivers/atm/firestream.c 2011-04-17 15:57:32.000000000 -0400
23487 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
23491 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23492 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23494 fs_dprintk (FS_DEBUG_TXMEM, "i");
23495 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
23496 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
23498 skb_put (skb, qe->p1 & 0xffff);
23499 ATM_SKB(skb)->vcc = atm_vcc;
23500 - atomic_inc(&atm_vcc->stats->rx);
23501 + atomic_inc_unchecked(&atm_vcc->stats->rx);
23502 __net_timestamp(skb);
23503 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23504 atm_vcc->push (atm_vcc, skb);
23505 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
23509 - atomic_inc(&atm_vcc->stats->rx_drop);
23510 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23512 case 0x1f: /* Reassembly abort: no buffers. */
23513 /* Silently increment error counter. */
23515 - atomic_inc(&atm_vcc->stats->rx_drop);
23516 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23518 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23519 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
23520 diff -urNp linux-2.6.38.4/drivers/atm/fore200e.c linux-2.6.38.4/drivers/atm/fore200e.c
23521 --- linux-2.6.38.4/drivers/atm/fore200e.c 2011-03-14 21:20:32.000000000 -0400
23522 +++ linux-2.6.38.4/drivers/atm/fore200e.c 2011-04-17 15:57:32.000000000 -0400
23523 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23525 /* check error condition */
23526 if (*entry->status & STATUS_ERROR)
23527 - atomic_inc(&vcc->stats->tx_err);
23528 + atomic_inc_unchecked(&vcc->stats->tx_err);
23530 - atomic_inc(&vcc->stats->tx);
23531 + atomic_inc_unchecked(&vcc->stats->tx);
23535 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23537 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23539 - atomic_inc(&vcc->stats->rx_drop);
23540 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23544 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23546 dev_kfree_skb_any(skb);
23548 - atomic_inc(&vcc->stats->rx_drop);
23549 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23553 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23555 vcc->push(vcc, skb);
23556 - atomic_inc(&vcc->stats->rx);
23557 + atomic_inc_unchecked(&vcc->stats->rx);
23559 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23561 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23562 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23563 fore200e->atm_dev->number,
23564 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23565 - atomic_inc(&vcc->stats->rx_err);
23566 + atomic_inc_unchecked(&vcc->stats->rx_err);
23570 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23574 - atomic_inc(&vcc->stats->tx_err);
23575 + atomic_inc_unchecked(&vcc->stats->tx_err);
23577 fore200e->tx_sat++;
23578 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23579 diff -urNp linux-2.6.38.4/drivers/atm/he.c linux-2.6.38.4/drivers/atm/he.c
23580 --- linux-2.6.38.4/drivers/atm/he.c 2011-03-14 21:20:32.000000000 -0400
23581 +++ linux-2.6.38.4/drivers/atm/he.c 2011-04-17 15:57:32.000000000 -0400
23582 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23584 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23585 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
23586 - atomic_inc(&vcc->stats->rx_drop);
23587 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23588 goto return_host_buffers;
23591 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23592 RBRQ_LEN_ERR(he_dev->rbrq_head)
23594 vcc->vpi, vcc->vci);
23595 - atomic_inc(&vcc->stats->rx_err);
23596 + atomic_inc_unchecked(&vcc->stats->rx_err);
23597 goto return_host_buffers;
23600 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23601 vcc->push(vcc, skb);
23602 spin_lock(&he_dev->global_lock);
23604 - atomic_inc(&vcc->stats->rx);
23605 + atomic_inc_unchecked(&vcc->stats->rx);
23607 return_host_buffers:
23609 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23610 tpd->vcc->pop(tpd->vcc, tpd->skb);
23612 dev_kfree_skb_any(tpd->skb);
23613 - atomic_inc(&tpd->vcc->stats->tx_err);
23614 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23616 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23618 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23619 vcc->pop(vcc, skb);
23621 dev_kfree_skb_any(skb);
23622 - atomic_inc(&vcc->stats->tx_err);
23623 + atomic_inc_unchecked(&vcc->stats->tx_err);
23627 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23628 vcc->pop(vcc, skb);
23630 dev_kfree_skb_any(skb);
23631 - atomic_inc(&vcc->stats->tx_err);
23632 + atomic_inc_unchecked(&vcc->stats->tx_err);
23636 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23637 vcc->pop(vcc, skb);
23639 dev_kfree_skb_any(skb);
23640 - atomic_inc(&vcc->stats->tx_err);
23641 + atomic_inc_unchecked(&vcc->stats->tx_err);
23642 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23645 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23646 vcc->pop(vcc, skb);
23648 dev_kfree_skb_any(skb);
23649 - atomic_inc(&vcc->stats->tx_err);
23650 + atomic_inc_unchecked(&vcc->stats->tx_err);
23651 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23654 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23655 __enqueue_tpd(he_dev, tpd, cid);
23656 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23658 - atomic_inc(&vcc->stats->tx);
23659 + atomic_inc_unchecked(&vcc->stats->tx);
23663 diff -urNp linux-2.6.38.4/drivers/atm/horizon.c linux-2.6.38.4/drivers/atm/horizon.c
23664 --- linux-2.6.38.4/drivers/atm/horizon.c 2011-03-14 21:20:32.000000000 -0400
23665 +++ linux-2.6.38.4/drivers/atm/horizon.c 2011-04-17 15:57:32.000000000 -0400
23666 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
23668 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
23670 - atomic_inc(&vcc->stats->rx);
23671 + atomic_inc_unchecked(&vcc->stats->rx);
23672 __net_timestamp(skb);
23673 // end of our responsability
23674 vcc->push (vcc, skb);
23675 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
23676 dev->tx_iovec = NULL;
23679 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23680 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23683 hrz_kfree_skb (skb);
23684 diff -urNp linux-2.6.38.4/drivers/atm/idt77252.c linux-2.6.38.4/drivers/atm/idt77252.c
23685 --- linux-2.6.38.4/drivers/atm/idt77252.c 2011-03-14 21:20:32.000000000 -0400
23686 +++ linux-2.6.38.4/drivers/atm/idt77252.c 2011-04-17 15:57:32.000000000 -0400
23687 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
23689 dev_kfree_skb(skb);
23691 - atomic_inc(&vcc->stats->tx);
23692 + atomic_inc_unchecked(&vcc->stats->tx);
23695 atomic_dec(&scq->used);
23696 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
23697 if ((sb = dev_alloc_skb(64)) == NULL) {
23698 printk("%s: Can't allocate buffers for aal0.\n",
23700 - atomic_add(i, &vcc->stats->rx_drop);
23701 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23704 if (!atm_charge(vcc, sb->truesize)) {
23705 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
23707 - atomic_add(i - 1, &vcc->stats->rx_drop);
23708 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
23712 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
23713 ATM_SKB(sb)->vcc = vcc;
23714 __net_timestamp(sb);
23715 vcc->push(vcc, sb);
23716 - atomic_inc(&vcc->stats->rx);
23717 + atomic_inc_unchecked(&vcc->stats->rx);
23719 cell += ATM_CELL_PAYLOAD;
23721 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
23723 card->name, len, rpp->len, readl(SAR_REG_CDC));
23724 recycle_rx_pool_skb(card, rpp);
23725 - atomic_inc(&vcc->stats->rx_err);
23726 + atomic_inc_unchecked(&vcc->stats->rx_err);
23729 if (stat & SAR_RSQE_CRC) {
23730 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
23731 recycle_rx_pool_skb(card, rpp);
23732 - atomic_inc(&vcc->stats->rx_err);
23733 + atomic_inc_unchecked(&vcc->stats->rx_err);
23736 if (skb_queue_len(&rpp->queue) > 1) {
23737 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
23738 RXPRINTK("%s: Can't alloc RX skb.\n",
23740 recycle_rx_pool_skb(card, rpp);
23741 - atomic_inc(&vcc->stats->rx_err);
23742 + atomic_inc_unchecked(&vcc->stats->rx_err);
23745 if (!atm_charge(vcc, skb->truesize)) {
23746 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
23747 __net_timestamp(skb);
23749 vcc->push(vcc, skb);
23750 - atomic_inc(&vcc->stats->rx);
23751 + atomic_inc_unchecked(&vcc->stats->rx);
23755 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
23756 __net_timestamp(skb);
23758 vcc->push(vcc, skb);
23759 - atomic_inc(&vcc->stats->rx);
23760 + atomic_inc_unchecked(&vcc->stats->rx);
23762 if (skb->truesize > SAR_FB_SIZE_3)
23763 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
23764 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
23765 if (vcc->qos.aal != ATM_AAL0) {
23766 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
23767 card->name, vpi, vci);
23768 - atomic_inc(&vcc->stats->rx_drop);
23769 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23773 if ((sb = dev_alloc_skb(64)) == NULL) {
23774 printk("%s: Can't allocate buffers for AAL0.\n",
23776 - atomic_inc(&vcc->stats->rx_err);
23777 + atomic_inc_unchecked(&vcc->stats->rx_err);
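Review bot: In idt77252_rx_raw the dev_alloc_skb(64) failure is counted as `rx_err`, whereas the identical out-of-memory case in dequeue_rx's aal0 branch (a few hunks up in this same file) and in fore200e_push_rpd counts `rx_drop`; one of the two classifications is off, and since the patch touches both lines this is the moment to align them. An skb shortage is a host-side drop rather than a damaged cell, so `atomic_inc_unchecked(&vcc->stats->rx_drop);` looks like the right choice here, assuming whatever consumes the per-VCC statistics distinguishes the two. idt77252_rx_raw starts and ends outside the hunk.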
23781 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
23782 ATM_SKB(sb)->vcc = vcc;
23783 __net_timestamp(sb);
23784 vcc->push(vcc, sb);
23785 - atomic_inc(&vcc->stats->rx);
23786 + atomic_inc_unchecked(&vcc->stats->rx);
23789 skb_pull(queue, 64);
23790 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23793 printk("%s: NULL connection in send().\n", card->name);
23794 - atomic_inc(&vcc->stats->tx_err);
23795 + atomic_inc_unchecked(&vcc->stats->tx_err);
23796 dev_kfree_skb(skb);
23799 if (!test_bit(VCF_TX, &vc->flags)) {
23800 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
23801 - atomic_inc(&vcc->stats->tx_err);
23802 + atomic_inc_unchecked(&vcc->stats->tx_err);
23803 dev_kfree_skb(skb);
23806 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23809 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
23810 - atomic_inc(&vcc->stats->tx_err);
23811 + atomic_inc_unchecked(&vcc->stats->tx_err);
23812 dev_kfree_skb(skb);
23816 if (skb_shinfo(skb)->nr_frags != 0) {
23817 printk("%s: No scatter-gather yet.\n", card->name);
23818 - atomic_inc(&vcc->stats->tx_err);
23819 + atomic_inc_unchecked(&vcc->stats->tx_err);
23820 dev_kfree_skb(skb);
23823 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23825 err = queue_skb(card, vc, skb, oam);
23827 - atomic_inc(&vcc->stats->tx_err);
23828 + atomic_inc_unchecked(&vcc->stats->tx_err);
23829 dev_kfree_skb(skb);
23832 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
23833 skb = dev_alloc_skb(64);
23835 printk("%s: Out of memory in send_oam().\n", card->name);
23836 - atomic_inc(&vcc->stats->tx_err);
23837 + atomic_inc_unchecked(&vcc->stats->tx_err);
23840 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
23841 diff -urNp linux-2.6.38.4/drivers/atm/iphase.c linux-2.6.38.4/drivers/atm/iphase.c
23842 --- linux-2.6.38.4/drivers/atm/iphase.c 2011-03-14 21:20:32.000000000 -0400
23843 +++ linux-2.6.38.4/drivers/atm/iphase.c 2011-04-17 15:57:32.000000000 -0400
23844 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
23845 status = (u_short) (buf_desc_ptr->desc_mode);
23846 if (status & (RX_CER | RX_PTE | RX_OFL))
23848 - atomic_inc(&vcc->stats->rx_err);
23849 + atomic_inc_unchecked(&vcc->stats->rx_err);
23850 IF_ERR(printk("IA: bad packet, dropping it");)
23851 if (status & RX_CER) {
23852 IF_ERR(printk(" cause: packet CRC error\n");)
23853 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
23854 len = dma_addr - buf_addr;
23855 if (len > iadev->rx_buf_sz) {
23856 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23857 - atomic_inc(&vcc->stats->rx_err);
23858 + atomic_inc_unchecked(&vcc->stats->rx_err);
23859 goto out_free_desc;
23862 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
23863 ia_vcc = INPH_IA_VCC(vcc);
23864 if (ia_vcc == NULL)
23866 - atomic_inc(&vcc->stats->rx_err);
23867 + atomic_inc_unchecked(&vcc->stats->rx_err);
23868 dev_kfree_skb_any(skb);
23869 atm_return(vcc, atm_guess_pdu2truesize(len));
23871 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23872 if ((length > iadev->rx_buf_sz) || (length >
23873 (skb->len - sizeof(struct cpcs_trailer))))
23875 - atomic_inc(&vcc->stats->rx_err);
23876 + atomic_inc_unchecked(&vcc->stats->rx_err);
23877 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23878 length, skb->len);)
23879 dev_kfree_skb_any(skb);
23880 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23882 IF_RX(printk("rx_dle_intr: skb push");)
23883 vcc->push(vcc,skb);
23884 - atomic_inc(&vcc->stats->rx);
23885 + atomic_inc_unchecked(&vcc->stats->rx);
23886 iadev->rx_pkt_cnt++;
23889 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23891 struct k_sonet_stats *stats;
23892 stats = &PRIV(_ia_dev[board])->sonet_stats;
23893 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23894 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23895 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23896 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23897 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23898 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23899 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23900 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23901 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23902 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23903 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23904 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23905 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23906 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23907 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23908 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23909 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23910 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23912 ia_cmds.status = 0;
23914 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23915 if ((desc == 0) || (desc > iadev->num_tx_desc))
23917 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23918 - atomic_inc(&vcc->stats->tx);
23919 + atomic_inc_unchecked(&vcc->stats->tx);
23921 vcc->pop(vcc, skb);
23923 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23924 ATM_DESC(skb) = vcc->vci;
23925 skb_queue_tail(&iadev->tx_dma_q, skb);
23927 - atomic_inc(&vcc->stats->tx);
23928 + atomic_inc_unchecked(&vcc->stats->tx);
23929 iadev->tx_pkt_cnt++;
23930 /* Increment transaction counter */
23931 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23934 /* add flow control logic */
23935 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23936 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23937 if (iavcc->vc_desc_cnt > 10) {
23938 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23939 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23940 diff -urNp linux-2.6.38.4/drivers/atm/lanai.c linux-2.6.38.4/drivers/atm/lanai.c
23941 --- linux-2.6.38.4/drivers/atm/lanai.c 2011-03-14 21:20:32.000000000 -0400
23942 +++ linux-2.6.38.4/drivers/atm/lanai.c 2011-04-17 15:57:32.000000000 -0400
23943 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23944 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23945 lanai_endtx(lanai, lvcc);
23946 lanai_free_skb(lvcc->tx.atmvcc, skb);
23947 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23948 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23951 /* Try to fill the buffer - don't call unless there is backlog */
23952 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23953 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23954 __net_timestamp(skb);
23955 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23956 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23957 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23959 lvcc->rx.buf.ptr = end;
23960 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23961 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23962 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23963 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23964 lanai->stats.service_rxnotaal5++;
23965 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23966 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23969 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23970 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23972 read_unlock(&vcc_sklist_lock);
23973 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23974 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23975 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23976 lvcc->stats.x.aal5.service_trash++;
23977 bytes = (SERVICE_GET_END(s) * 16) -
23978 (((unsigned long) lvcc->rx.buf.ptr) -
23979 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23981 if (s & SERVICE_STREAM) {
23982 read_unlock(&vcc_sklist_lock);
23983 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23984 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23985 lvcc->stats.x.aal5.service_stream++;
23986 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23987 "PDU on VCI %d!\n", lanai->number, vci);
23988 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23991 DPRINTK("got rx crc error on vci %d\n", vci);
23992 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23993 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23994 lvcc->stats.x.aal5.service_rxcrc++;
23995 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23996 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23997 diff -urNp linux-2.6.38.4/drivers/atm/nicstar.c linux-2.6.38.4/drivers/atm/nicstar.c
23998 --- linux-2.6.38.4/drivers/atm/nicstar.c 2011-03-14 21:20:32.000000000 -0400
23999 +++ linux-2.6.38.4/drivers/atm/nicstar.c 2011-04-17 15:57:32.000000000 -0400
24000 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
24001 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
24002 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
24004 - atomic_inc(&vcc->stats->tx_err);
24005 + atomic_inc_unchecked(&vcc->stats->tx_err);
24006 dev_kfree_skb_any(skb);
24009 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
24011 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
24013 - atomic_inc(&vcc->stats->tx_err);
24014 + atomic_inc_unchecked(&vcc->stats->tx_err);
24015 dev_kfree_skb_any(skb);
24018 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
24019 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
24020 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
24022 - atomic_inc(&vcc->stats->tx_err);
24023 + atomic_inc_unchecked(&vcc->stats->tx_err);
24024 dev_kfree_skb_any(skb);
24028 if (skb_shinfo(skb)->nr_frags != 0) {
24029 printk("nicstar%d: No scatter-gather yet.\n", card->index);
24030 - atomic_inc(&vcc->stats->tx_err);
24031 + atomic_inc_unchecked(&vcc->stats->tx_err);
24032 dev_kfree_skb_any(skb);
24035 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
24038 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
24039 - atomic_inc(&vcc->stats->tx_err);
24040 + atomic_inc_unchecked(&vcc->stats->tx_err);
24041 dev_kfree_skb_any(skb);
24044 - atomic_inc(&vcc->stats->tx);
24045 + atomic_inc_unchecked(&vcc->stats->tx);
24049 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
24051 ("nicstar%d: Can't allocate buffers for aal0.\n",
24053 - atomic_add(i, &vcc->stats->rx_drop);
24054 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
24057 if (!atm_charge(vcc, sb->truesize)) {
24059 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
24061 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24062 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24063 dev_kfree_skb_any(sb);
24066 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
24067 ATM_SKB(sb)->vcc = vcc;
24068 __net_timestamp(sb);
24069 vcc->push(vcc, sb);
24070 - atomic_inc(&vcc->stats->rx);
24071 + atomic_inc_unchecked(&vcc->stats->rx);
24072 cell += ATM_CELL_PAYLOAD;
24075 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
24076 if (iovb == NULL) {
24077 printk("nicstar%d: Out of iovec buffers.\n",
24079 - atomic_inc(&vcc->stats->rx_drop);
24080 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24081 recycle_rx_buf(card, skb);
24084 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
24085 small or large buffer itself. */
24086 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
24087 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
24088 - atomic_inc(&vcc->stats->rx_err);
24089 + atomic_inc_unchecked(&vcc->stats->rx_err);
24090 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24092 NS_PRV_IOVCNT(iovb) = 0;
24093 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
24094 ("nicstar%d: Expected a small buffer, and this is not one.\n",
24096 which_list(card, skb);
24097 - atomic_inc(&vcc->stats->rx_err);
24098 + atomic_inc_unchecked(&vcc->stats->rx_err);
24099 recycle_rx_buf(card, skb);
24101 recycle_iov_buf(card, iovb);
24102 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
24103 ("nicstar%d: Expected a large buffer, and this is not one.\n",
24105 which_list(card, skb);
24106 - atomic_inc(&vcc->stats->rx_err);
24107 + atomic_inc_unchecked(&vcc->stats->rx_err);
24108 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24109 NS_PRV_IOVCNT(iovb));
24111 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
24112 printk(" - PDU size mismatch.\n");
24115 - atomic_inc(&vcc->stats->rx_err);
24116 + atomic_inc_unchecked(&vcc->stats->rx_err);
24117 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24118 NS_PRV_IOVCNT(iovb));
24120 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
24121 /* skb points to a small buffer */
24122 if (!atm_charge(vcc, skb->truesize)) {
24123 push_rxbufs(card, skb);
24124 - atomic_inc(&vcc->stats->rx_drop);
24125 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24128 dequeue_sm_buf(card, skb);
24129 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
24130 ATM_SKB(skb)->vcc = vcc;
24131 __net_timestamp(skb);
24132 vcc->push(vcc, skb);
24133 - atomic_inc(&vcc->stats->rx);
24134 + atomic_inc_unchecked(&vcc->stats->rx);
24136 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
24137 struct sk_buff *sb;
24138 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
24139 if (len <= NS_SMBUFSIZE) {
24140 if (!atm_charge(vcc, sb->truesize)) {
24141 push_rxbufs(card, sb);
24142 - atomic_inc(&vcc->stats->rx_drop);
24143 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24146 dequeue_sm_buf(card, sb);
24147 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
24148 ATM_SKB(sb)->vcc = vcc;
24149 __net_timestamp(sb);
24150 vcc->push(vcc, sb);
24151 - atomic_inc(&vcc->stats->rx);
24152 + atomic_inc_unchecked(&vcc->stats->rx);
24155 push_rxbufs(card, skb);
24156 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
24158 if (!atm_charge(vcc, skb->truesize)) {
24159 push_rxbufs(card, skb);
24160 - atomic_inc(&vcc->stats->rx_drop);
24161 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24163 dequeue_lg_buf(card, skb);
24164 #ifdef NS_USE_DESTRUCTORS
24165 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
24166 ATM_SKB(skb)->vcc = vcc;
24167 __net_timestamp(skb);
24168 vcc->push(vcc, skb);
24169 - atomic_inc(&vcc->stats->rx);
24170 + atomic_inc_unchecked(&vcc->stats->rx);
24173 push_rxbufs(card, sb);
24174 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
24176 ("nicstar%d: Out of huge buffers.\n",
24178 - atomic_inc(&vcc->stats->rx_drop);
24179 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24180 recycle_iovec_rx_bufs(card,
24183 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
24184 card->hbpool.count++;
24186 dev_kfree_skb_any(hb);
24187 - atomic_inc(&vcc->stats->rx_drop);
24188 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24190 /* Copy the small buffer to the huge buffer */
24191 sb = (struct sk_buff *)iov->iov_base;
24192 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
24193 #endif /* NS_USE_DESTRUCTORS */
24194 __net_timestamp(hb);
24195 vcc->push(vcc, hb);
24196 - atomic_inc(&vcc->stats->rx);
24197 + atomic_inc_unchecked(&vcc->stats->rx);
24201 diff -urNp linux-2.6.38.4/drivers/atm/solos-pci.c linux-2.6.38.4/drivers/atm/solos-pci.c
24202 --- linux-2.6.38.4/drivers/atm/solos-pci.c 2011-04-18 17:27:18.000000000 -0400
24203 +++ linux-2.6.38.4/drivers/atm/solos-pci.c 2011-04-17 16:53:16.000000000 -0400
24204 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
24206 atm_charge(vcc, skb->truesize);
24207 vcc->push(vcc, skb);
24208 - atomic_inc(&vcc->stats->rx);
24209 + atomic_inc_unchecked(&vcc->stats->rx);
24213 @@ -1009,7 +1009,7 @@ static uint32_t fpga_tx(struct solos_car
24214 vcc = SKB_CB(oldskb)->vcc;
24217 - atomic_inc(&vcc->stats->tx);
24218 + atomic_inc_unchecked(&vcc->stats->tx);
24219 solos_pop(vcc, oldskb);
24221 dev_kfree_skb_irq(oldskb);
24222 diff -urNp linux-2.6.38.4/drivers/atm/suni.c linux-2.6.38.4/drivers/atm/suni.c
24223 --- linux-2.6.38.4/drivers/atm/suni.c 2011-03-14 21:20:32.000000000 -0400
24224 +++ linux-2.6.38.4/drivers/atm/suni.c 2011-04-17 15:57:32.000000000 -0400
24225 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
24228 #define ADD_LIMITED(s,v) \
24229 - atomic_add((v),&stats->s); \
24230 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
24231 + atomic_add_unchecked((v),&stats->s); \
24232 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
24235 static void suni_hz(unsigned long from_timer)
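Review bot: The rewritten `ADD_LIMITED` body is still two bare statements with no `do { } while (0)` wrapper, so `if (cond) ADD_LIMITED(s, v);` would run the clamp unconditionally; the uPD98402.c variant a few hunks down wraps its body in plain braces instead, which breaks an `if/else` at the trailing semicolon. `#define ADD_LIMITED(s,v) do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)` fixes both forms. The clamp also depends on the counter wrapping negative, which is presumably exactly the behaviour the `_unchecked` variants keep; a comment such as `/* _unchecked on purpose: wrap is expected and clamped to INT_MAX below */` would stop someone converting it back to the checked operations.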
24236 diff -urNp linux-2.6.38.4/drivers/atm/uPD98402.c linux-2.6.38.4/drivers/atm/uPD98402.c
24237 --- linux-2.6.38.4/drivers/atm/uPD98402.c 2011-03-14 21:20:32.000000000 -0400
24238 +++ linux-2.6.38.4/drivers/atm/uPD98402.c 2011-04-17 15:57:32.000000000 -0400
24239 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
24240 struct sonet_stats tmp;
24243 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24244 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24245 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
24246 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
24247 if (zero && !error) {
24248 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
24251 #define ADD_LIMITED(s,v) \
24252 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
24253 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
24254 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24255 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
24256 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
24257 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24260 static void stat_event(struct atm_dev *dev)
24261 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
24262 if (reason & uPD98402_INT_PFM) stat_event(dev);
24263 if (reason & uPD98402_INT_PCO) {
24264 (void) GET(PCOCR); /* clear interrupt cause */
24265 - atomic_add(GET(HECCT),
24266 + atomic_add_unchecked(GET(HECCT),
24267 &PRIV(dev)->sonet_stats.uncorr_hcs);
24269 if ((reason & uPD98402_INT_RFO) &&
24270 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
24271 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
24272 uPD98402_INT_LOS),PIMR); /* enable them */
24273 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
24274 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24275 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
24276 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
24277 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24278 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
24279 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
24283 diff -urNp linux-2.6.38.4/drivers/atm/zatm.c linux-2.6.38.4/drivers/atm/zatm.c
24284 --- linux-2.6.38.4/drivers/atm/zatm.c 2011-03-14 21:20:32.000000000 -0400
24285 +++ linux-2.6.38.4/drivers/atm/zatm.c 2011-04-17 15:57:32.000000000 -0400
24286 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24289 dev_kfree_skb_irq(skb);
24290 - if (vcc) atomic_inc(&vcc->stats->rx_err);
24291 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
24294 if (!atm_charge(vcc,skb->truesize)) {
24295 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24297 ATM_SKB(skb)->vcc = vcc;
24298 vcc->push(vcc,skb);
24299 - atomic_inc(&vcc->stats->rx);
24300 + atomic_inc_unchecked(&vcc->stats->rx);
24302 zout(pos & 0xffff,MTA(mbx));
24303 #if 0 /* probably a stupid idea */
24304 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
24305 skb_queue_head(&zatm_vcc->backlog,skb);
24308 - atomic_inc(&vcc->stats->tx);
24309 + atomic_inc_unchecked(&vcc->stats->tx);
24310 wake_up(&zatm_vcc->tx_wait);
24313 diff -urNp linux-2.6.38.4/drivers/block/cciss.c linux-2.6.38.4/drivers/block/cciss.c
24314 --- linux-2.6.38.4/drivers/block/cciss.c 2011-03-14 21:20:32.000000000 -0400
24315 +++ linux-2.6.38.4/drivers/block/cciss.c 2011-04-17 15:57:32.000000000 -0400
24316 @@ -1112,6 +1112,8 @@ static int cciss_ioctl32_passthru(struct
24320 + memset(&arg64, 0, sizeof(arg64));
24324 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
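Review bot: The new `memset(&arg64, 0, sizeof(arg64));` carries no explanation, and a hardening line with no visible consumer is the first thing a later cleanup removes. A comment stating the reason, e.g. `/* zero every byte: fields the copies below do not fill, and struct padding, must not be left uninitialized */`, keeps it in place; the exact downstream use of `arg64` is outside the hunk, so I have worded it as the presumed intent. The same fix is applied to `pll` in the genrtc.c `gen_rtc_ioctl` hunk and deserves the same comment.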
24325 diff -urNp linux-2.6.38.4/drivers/char/agp/frontend.c linux-2.6.38.4/drivers/char/agp/frontend.c
24326 --- linux-2.6.38.4/drivers/char/agp/frontend.c 2011-03-14 21:20:32.000000000 -0400
24327 +++ linux-2.6.38.4/drivers/char/agp/frontend.c 2011-04-17 15:57:32.000000000 -0400
24328 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
24329 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
24332 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
24333 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
24336 client = agp_find_client_by_pid(reserve.pid);
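Review bot: The bound `~0U/sizeof(struct agp_segment_priv)` protects a multiplication that is not in this hunk, and the `(unsigned)` cast on `reserve.seg_count` discards the upper bits first if that field is wider than 32 bits (its declaration is not visible here), so a value with small low bits would pass. Compare in the field's own type and name what the bound guards, e.g. `/* the seg_count * sizeof(struct agp_segment_priv) allocation below must not wrap */` followed by `if (reserve.seg_count >= ~(size_t)0 / sizeof(struct agp_segment_priv))`. Deriving the limit from the same `sizeof` the allocation uses also stops the two struct types from drifting apart again, which is what this change is correcting.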
24337 diff -urNp linux-2.6.38.4/drivers/char/agp/generic.c linux-2.6.38.4/drivers/char/agp/generic.c
24338 --- linux-2.6.38.4/drivers/char/agp/generic.c 2011-03-14 21:20:32.000000000 -0400
24339 +++ linux-2.6.38.4/drivers/char/agp/generic.c 2011-04-22 19:37:16.000000000 -0400
24340 @@ -115,6 +115,9 @@ static struct agp_memory *agp_create_use
24341 struct agp_memory *new;
24342 unsigned long alloc_size = num_agp_pages*sizeof(struct page *);
24344 + if (INT_MAX/sizeof(struct page *) < num_agp_pages)
24347 new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
24350 @@ -234,11 +237,14 @@ struct agp_memory *agp_allocate_memory(s
24352 struct agp_memory *new;
24359 - if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
24360 + cur_memory = atomic_read(&bridge->current_memory_agp);
24361 + if ((cur_memory + page_count > bridge->max_memory_agp) ||
24362 + (cur_memory + page_count < page_count))
24365 if (type >= AGP_USER_TYPES) {
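Review bot: The wrap test `(cur_memory + page_count < page_count)` only detects overflow when the sum is evaluated in an unsigned type at least as wide as both operands; `cur_memory` is assigned from `atomic_read()`, which yields `int`, and its declaration is in a line the hunk does not show, so the check's soundness rests on `page_count` being an unsigned type wide enough to promote it. A subtraction form removes that dependency: `if (page_count > bridge->max_memory_agp || cur_memory > bridge->max_memory_agp - page_count)`. The same `a + b < a` idiom is added in `agp_generic_insert_memory` and `agp_generic_remove_memory` below with `pg_start + mem->page_count`; if `pg_start` is a signed type there (its signature is outside the hunks), the same caveat applies and a comment naming the assumed operand types would make all three checks auditable.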
24366 @@ -1089,8 +1095,8 @@ int agp_generic_insert_memory(struct agp
24370 - /* AK: could wrap */
24371 - if ((pg_start + mem->page_count) > num_entries)
24372 + if (((pg_start + mem->page_count) > num_entries) ||
24373 + ((pg_start + mem->page_count) < pg_start))
24377 @@ -1124,7 +1130,7 @@ int agp_generic_remove_memory(struct agp
24380 struct agp_bridge_data *bridge;
24382 + int mask_type, num_entries;
24384 bridge = mem->bridge;
24386 @@ -1136,6 +1142,11 @@ int agp_generic_remove_memory(struct agp
24387 if (type != mem->type)
24390 + num_entries = agp_num_entries();
24391 + if (((pg_start + mem->page_count) > num_entries) ||
24392 + ((pg_start + mem->page_count) < pg_start))
24395 mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
24396 if (mask_type != 0) {
24397 /* The generic routines know nothing of memory types */
24398 diff -urNp linux-2.6.38.4/drivers/char/agp/intel-agp.c linux-2.6.38.4/drivers/char/agp/intel-agp.c
24399 --- linux-2.6.38.4/drivers/char/agp/intel-agp.c 2011-03-14 21:20:32.000000000 -0400
24400 +++ linux-2.6.38.4/drivers/char/agp/intel-agp.c 2011-04-17 15:57:32.000000000 -0400
24401 @@ -903,7 +903,7 @@ static struct pci_device_id agp_intel_pc
24402 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
24403 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
24404 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
24406 + { 0, 0, 0, 0, 0, 0, 0 }
24409 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
24410 diff -urNp linux-2.6.38.4/drivers/char/briq_panel.c linux-2.6.38.4/drivers/char/briq_panel.c
24411 --- linux-2.6.38.4/drivers/char/briq_panel.c 2011-03-14 21:20:32.000000000 -0400
24412 +++ linux-2.6.38.4/drivers/char/briq_panel.c 2011-04-18 19:47:43.000000000 -0400
24414 #include <linux/types.h>
24415 #include <linux/errno.h>
24416 #include <linux/tty.h>
24417 +#include <linux/mutex.h>
24418 #include <linux/timer.h>
24419 #include <linux/kernel.h>
24420 #include <linux/wait.h>
24421 @@ -34,6 +35,7 @@ static int vfd_is_open;
24422 static unsigned char vfd[40];
24423 static int vfd_cursor;
24424 static unsigned char ledpb, led;
24425 +static DEFINE_MUTEX(vfd_mutex);
24427 static void update_vfd(void)
24429 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
24433 + mutex_lock(&vfd_mutex);
24438 - if (get_user(c, buf))
24439 + if (get_user(c, buf)) {
24440 + mutex_unlock(&vfd_mutex);
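Review bot: Between the new `mutex_lock(&vfd_mutex)` and the unlock added in the next hunk, only the `get_user()` failure path visibly releases the mutex; any other early `return` inside `briq_panel_write` (several lines of this hunk are not shown) must do the same, or one failed write leaves the panel locked for every later caller. A single exit label, `ret = -EFAULT; goto out_unlock;` with `out_unlock: mutex_unlock(&vfd_mutex); return ret;`, makes a missed unlock impossible as the function grows. briq_panel_write starts and ends outside this hunk.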
24446 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
24450 + mutex_unlock(&vfd_mutex);
24454 diff -urNp linux-2.6.38.4/drivers/char/genrtc.c linux-2.6.38.4/drivers/char/genrtc.c
24455 --- linux-2.6.38.4/drivers/char/genrtc.c 2011-03-14 21:20:32.000000000 -0400
24456 +++ linux-2.6.38.4/drivers/char/genrtc.c 2011-04-21 16:55:16.000000000 -0400
24457 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
24461 + memset(&pll, 0, sizeof(pll));
24462 if (get_rtc_pll(&pll))
24465 diff -urNp linux-2.6.38.4/drivers/char/hpet.c linux-2.6.38.4/drivers/char/hpet.c
24466 --- linux-2.6.38.4/drivers/char/hpet.c 2011-03-14 21:20:32.000000000 -0400
24467 +++ linux-2.6.38.4/drivers/char/hpet.c 2011-04-17 15:57:32.000000000 -0400
24468 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
24472 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
24473 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
24474 struct hpet_info *info)
24476 struct hpet_timer __iomem *timer;
24477 @@ -1043,7 +1043,7 @@ static struct acpi_driver hpet_acpi_driv
24481 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
24482 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
24484 static int __init hpet_init(void)
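Review bot: The new initializer `{ HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL }` hard-codes the field order of `struct miscdevice`, so it misassigns or stops compiling the next time a member is added or moved. `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };` names the three fields that matter and leaves the rest zero-initialized. If the change was made to silence a missing-field-initializers warning, designated initializers do not trigger it either.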
24486 diff -urNp linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c
24487 --- linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c 2011-03-14 21:20:32.000000000 -0400
24488 +++ linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c 2011-04-17 15:57:32.000000000 -0400
24489 @@ -414,7 +414,7 @@ struct ipmi_smi {
24490 struct proc_dir_entry *proc_dir;
24491 char proc_dir_name[10];
24493 - atomic_t stats[IPMI_NUM_STATS];
24494 + atomic_unchecked_t stats[IPMI_NUM_STATS];
24497 * run_to_completion duplicate of smb_info, smi_info
24498 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
24501 #define ipmi_inc_stat(intf, stat) \
24502 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
24503 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
24504 #define ipmi_get_stat(intf, stat) \
24505 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
24506 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
24508 static int is_lan_addr(struct ipmi_addr *addr)
24510 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
24511 INIT_LIST_HEAD(&intf->cmd_rcvrs);
24512 init_waitqueue_head(&intf->waitq);
24513 for (i = 0; i < IPMI_NUM_STATS; i++)
24514 - atomic_set(&intf->stats[i], 0);
24515 + atomic_set_unchecked(&intf->stats[i], 0);
24517 intf->proc_dir = NULL;
24519 diff -urNp linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c
24520 --- linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c 2011-03-14 21:20:32.000000000 -0400
24521 +++ linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c 2011-04-17 15:57:32.000000000 -0400
24522 @@ -285,7 +285,7 @@ struct smi_info {
24523 unsigned char slave_addr;
24525 /* Counters and things for the proc filesystem. */
24526 - atomic_t stats[SI_NUM_STATS];
24527 + atomic_unchecked_t stats[SI_NUM_STATS];
24529 struct task_struct *thread;
24531 @@ -294,9 +294,9 @@ struct smi_info {
24534 #define smi_inc_stat(smi, stat) \
24535 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
24536 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
24537 #define smi_get_stat(smi, stat) \
24538 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
24539 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
24541 #define SI_MAX_PARMS 4
24543 @@ -3202,7 +3202,7 @@ static int try_smi_init(struct smi_info
24544 atomic_set(&new_smi->req_events, 0);
24545 new_smi->run_to_completion = 0;
24546 for (i = 0; i < SI_NUM_STATS; i++)
24547 - atomic_set(&new_smi->stats[i], 0);
24548 + atomic_set_unchecked(&new_smi->stats[i], 0);
24550 new_smi->interrupt_disabled = 1;
24551 atomic_set(&new_smi->stop_operation, 0);
24552 diff -urNp linux-2.6.38.4/drivers/char/istallion.c linux-2.6.38.4/drivers/char/istallion.c
24553 --- linux-2.6.38.4/drivers/char/istallion.c 2011-03-14 21:20:32.000000000 -0400
24554 +++ linux-2.6.38.4/drivers/char/istallion.c 2011-04-18 19:42:25.000000000 -0400
24555 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
24556 * re-used for each stats call.
24558 static comstats_t stli_comstats;
24559 -static combrd_t stli_brdstats;
24560 static struct asystats stli_cdkstats;
24562 /*****************************************************************************/
24563 @@ -4005,6 +4004,7 @@ static int stli_getbrdstats(combrd_t __u
24565 struct stlibrd *brdp;
24567 + combrd_t stli_brdstats;
24569 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
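Review bot: The new stack local `combrd_t stli_brdstats;` keeps the `stli_` prefix this file uses for its file-scope statics, so the code still reads as if the shared global were in play; `combrd_t brdstats;` (updating its uses in this function) would signal the change of scope. The comment above the first hunk ("re-used for each stats call") still applies to `stli_comstats` and `stli_cdkstats`, which keep the shared-static pattern this change removes for the board stats; whether they need the same treatment depends on the locking in their callers, which is not visible here. stli_getbrdstats continues outside the hunk.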
24571 diff -urNp linux-2.6.38.4/drivers/char/Kconfig linux-2.6.38.4/drivers/char/Kconfig
24572 --- linux-2.6.38.4/drivers/char/Kconfig 2011-03-14 21:20:32.000000000 -0400
24573 +++ linux-2.6.38.4/drivers/char/Kconfig 2011-04-18 19:19:48.000000000 -0400
24574 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
24577 bool "/dev/kmem virtual device support"
24580 + depends on !GRKERNSEC_KMEM
24582 Say Y here if you want to support the /dev/kmem device. The
24583 /dev/kmem device is rarely used, but can be used for certain
24584 @@ -1132,6 +1133,7 @@ config DEVPORT
24587 depends on ISA || PCI
24588 + depends on !GRKERNSEC_KMEM
24591 source "drivers/s390/char/Kconfig"
24592 diff -urNp linux-2.6.38.4/drivers/char/mem.c linux-2.6.38.4/drivers/char/mem.c
24593 --- linux-2.6.38.4/drivers/char/mem.c 2011-03-14 21:20:32.000000000 -0400
24594 +++ linux-2.6.38.4/drivers/char/mem.c 2011-04-17 15:57:32.000000000 -0400
24596 #include <linux/raw.h>
24597 #include <linux/tty.h>
24598 #include <linux/capability.h>
24599 +#include <linux/security.h>
24600 #include <linux/ptrace.h>
24601 #include <linux/device.h>
24602 #include <linux/highmem.h>
24604 # include <linux/efi.h>
24607 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24608 +extern struct file_operations grsec_fops;
24611 static inline unsigned long size_inside_page(unsigned long start,
24612 unsigned long size)
24614 @@ -68,9 +73,13 @@ static inline int range_is_allowed(unsig
24616 while (cursor < to) {
24617 if (!devmem_is_allowed(pfn)) {
24618 +#ifdef CONFIG_GRKERNSEC_KMEM
24619 + gr_handle_mem_readwrite(from, to);
24622 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
24623 current->comm, from, to);
24627 cursor += PAGE_SIZE;
24628 @@ -78,6 +87,11 @@ static inline int range_is_allowed(unsig
24632 +#elif defined(CONFIG_GRKERNSEC_KMEM)
24633 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
24638 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
24640 @@ -120,6 +134,7 @@ static ssize_t read_mem(struct file *fil
24642 while (count > 0) {
24643 unsigned long remaining;
24646 sz = size_inside_page(p, count);
24648 @@ -135,7 +150,23 @@ static ssize_t read_mem(struct file *fil
24652 - remaining = copy_to_user(buf, ptr, sz);
24653 +#ifdef CONFIG_PAX_USERCOPY
24654 + temp = kmalloc(sz, GFP_KERNEL);
24656 + unxlate_dev_mem_ptr(p, ptr);
24659 + memcpy(temp, ptr, sz);
24664 + remaining = copy_to_user(buf, temp, sz);
24666 +#ifdef CONFIG_PAX_USERCOPY
24670 unxlate_dev_mem_ptr(p, ptr);
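Review bot: The CONFIG_PAX_USERCOPY block from `temp = kmalloc(sz, GFP_KERNEL);` to `remaining = copy_to_user(buf, temp, sz);` does not say why the chunk has to be bounced through a slab allocation, and the identical sequence is repeated in `read_kmem` two hunks down. A comment on the first instance, worded as the presumed reason, e.g. `/* PAX_USERCOPY: copy_to_user() must source from an object with a known size, so stage the chunk in a slab buffer */`, would spare the next reader a trip to the PaX documentation. `sz` is bounded by `size_inside_page()` above, so each allocation is at most one page, which is worth stating next to the `GFP_KERNEL`. read_mem continues outside the hunk.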
24673 @@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *fi
24674 size_t count, loff_t *ppos)
24676 unsigned long p = *ppos;
24677 - ssize_t low_count, read, sz;
24678 + ssize_t low_count, read, sz, err = 0;
24679 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
24683 if (p < (unsigned long) high_memory) {
24684 @@ -422,6 +452,8 @@ static ssize_t read_kmem(struct file *fi
24687 while (low_count > 0) {
24690 sz = size_inside_page(p, low_count);
24693 @@ -431,7 +463,22 @@ static ssize_t read_kmem(struct file *fi
24695 kbuf = xlate_dev_kmem_ptr((char *)p);
24697 - if (copy_to_user(buf, kbuf, sz))
24698 +#ifdef CONFIG_PAX_USERCOPY
24699 + temp = kmalloc(sz, GFP_KERNEL);
24702 + memcpy(temp, kbuf, sz);
24707 + err = copy_to_user(buf, temp, sz);
24709 +#ifdef CONFIG_PAX_USERCOPY
24717 @@ -857,6 +904,9 @@ static const struct memdev {
24718 #ifdef CONFIG_CRASH_DUMP
24719 [12] = { "oldmem", 0, &oldmem_fops, NULL },
24721 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24722 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
24726 static int memory_open(struct inode *inode, struct file *filp)
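Review bot: The new `[13]` entry creates the grsec node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and whether that is acceptable rests entirely on the write handler behind `grsec_fops` authenticating its caller, which is not visible here; the rationale belongs on the entry itself, e.g. `/* world-writable by design: the write path performs its own authentication (grsec_fops) */`, worded as the presumed intent. Separately, `grsec_fops` is declared `extern struct file_operations grsec_fops;` earlier in this file while the neighbouring entries such as `&oldmem_fops` point at `const` operations; if its definition allows, `extern const struct file_operations grsec_fops;` keeps the table uniform.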
24727 diff -urNp linux-2.6.38.4/drivers/char/nvram.c linux-2.6.38.4/drivers/char/nvram.c
24728 --- linux-2.6.38.4/drivers/char/nvram.c 2011-03-14 21:20:32.000000000 -0400
24729 +++ linux-2.6.38.4/drivers/char/nvram.c 2011-04-17 15:57:32.000000000 -0400
24730 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
24732 spin_unlock_irq(&rtc_lock);
24734 - if (copy_to_user(buf, contents, tmp - contents))
24735 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
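Review bot: The new `tmp - contents > sizeof(contents)` compares a `ptrdiff_t` with a `size_t`, so a negative difference would be converted to a huge unsigned value and rejected — safe by accident, but obscure and a `-Wsign-compare` hit; `(size_t)(tmp - contents) > sizeof(contents)` states the intent. More importantly, the check runs after `contents` has already been filled under `rtc_lock` (the fill loop precedes this hunk and is not visible), so it stops over-reading into user space but cannot undo an overrun that occurred while filling the buffer; if the writer is not bounded by `sizeof(contents)` as well, that is where the bound belongs. nvram_read starts and ends outside the hunk.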
24739 @@ -435,7 +435,10 @@ static const struct file_operations nvra
24740 static struct miscdevice nvram_dev = {
24750 static int __init nvram_init(void)
24751 diff -urNp linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c
24752 --- linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c 2011-03-14 21:20:32.000000000 -0400
24753 +++ linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c 2011-04-17 15:57:32.000000000 -0400
24755 #include <linux/tty_driver.h>
24756 #include <linux/tty_flip.h>
24757 #include <linux/uaccess.h>
24758 +#include <asm/local.h>
24761 #include "network.h"
24762 @@ -51,7 +52,7 @@ struct ipw_tty {
24764 struct ipw_network *network;
24765 struct tty_struct *linux_tty;
24767 + local_t open_count;
24768 unsigned int control_lines;
24769 struct mutex ipw_tty_mutex;
24770 int tx_bytes_queued;
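Review bot: `local_t` is the kernel's CPU-local atomic type, whose documented contract is a single CPU updating its own variable, while `open_count` sits in a per-tty structure that open, close, hangup and the write paths touch from whichever CPU they run on (see the `mutex_lock(&tty->ipw_tty_mutex)` sites in the following hunks). If the goal is a cross-CPU-safe counter, `atomic_t open_count;` with `atomic_read`/`atomic_inc`/`atomic_dec_return` expresses that contract directly and needs no `<asm/local.h>` include. If `local_t` was chosen deliberately for another reason, a comment on the field should say so, because the type name invites exactly this question.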
24771 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
24772 mutex_unlock(&tty->ipw_tty_mutex);
24775 - if (tty->open_count == 0)
24776 + if (local_read(&tty->open_count) == 0)
24777 tty->tx_bytes_queued = 0;
24779 - tty->open_count++;
24780 + local_inc(&tty->open_count);
24782 tty->linux_tty = linux_tty;
24783 linux_tty->driver_data = tty;
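Review bot: The read at `if (local_read(&tty->open_count) == 0)` and the `local_inc(&tty->open_count)` two lines later both happen after the `mutex_unlock(&tty->ipw_tty_mutex)` at the top of the hunk, so two concurrent opens can each observe 0 and each reset `tx_bytes_queued`; swapping the integer operations for `local_*` ones does not close that window. `if (local_inc_return(&tty->open_count) == 1) tty->tx_bytes_queued = 0;` makes the test and the increment a single step, at the cost of publishing the count before the reset, which the surrounding code (ipw_open starts outside the hunk) would need to tolerate. Alternatively keep the two statements inside the mutex region above.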
24784 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
24786 static void do_ipw_close(struct ipw_tty *tty)
24788 - tty->open_count--;
24790 - if (tty->open_count == 0) {
24791 + if (local_dec_return(&tty->open_count) == 0) {
24792 struct tty_struct *linux_tty = tty->linux_tty;
24794 if (linux_tty != NULL) {
24795 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
24798 mutex_lock(&tty->ipw_tty_mutex);
24799 - if (tty->open_count == 0) {
24800 + if (local_read(&tty->open_count) == 0) {
24801 mutex_unlock(&tty->ipw_tty_mutex);
24804 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
24808 - if (!tty->open_count) {
24809 + if (!local_read(&tty->open_count)) {
24810 mutex_unlock(&tty->ipw_tty_mutex);
24813 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
24816 mutex_lock(&tty->ipw_tty_mutex);
24817 - if (!tty->open_count) {
24818 + if (!local_read(&tty->open_count)) {
24819 mutex_unlock(&tty->ipw_tty_mutex);
24822 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
24826 - if (!tty->open_count)
24827 + if (!local_read(&tty->open_count))
24830 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
24831 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
24835 - if (!tty->open_count)
24836 + if (!local_read(&tty->open_count))
24839 return tty->tx_bytes_queued;
24840 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
24844 - if (!tty->open_count)
24845 + if (!local_read(&tty->open_count))
24848 return get_control_lines(tty);
24849 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24853 - if (!tty->open_count)
24854 + if (!local_read(&tty->open_count))
24857 return set_control_lines(tty, set, clear);
24858 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
24862 - if (!tty->open_count)
24863 + if (!local_read(&tty->open_count))
24866 /* FIXME: Exactly how is the tty object locked here .. */
24867 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
24868 against a parallel ioctl etc */
24869 mutex_lock(&ttyj->ipw_tty_mutex);
24871 - while (ttyj->open_count)
24872 + while (local_read(&ttyj->open_count))
24873 do_ipw_close(ttyj);
24874 ipwireless_disassociate_network_ttys(network,
24875 ttyj->channel_idx);
24876 diff -urNp linux-2.6.38.4/drivers/char/random.c linux-2.6.38.4/drivers/char/random.c
24877 --- linux-2.6.38.4/drivers/char/random.c 2011-03-14 21:20:32.000000000 -0400
24878 +++ linux-2.6.38.4/drivers/char/random.c 2011-04-17 15:57:32.000000000 -0400
24879 @@ -254,8 +254,13 @@
24881 * Configuration information
24883 +#ifdef CONFIG_GRKERNSEC_RANDNET
24884 +#define INPUT_POOL_WORDS 512
24885 +#define OUTPUT_POOL_WORDS 128
24887 #define INPUT_POOL_WORDS 128
24888 #define OUTPUT_POOL_WORDS 32
24890 #define SEC_XFER_SIZE 512
24891 #define EXTRACT_SIZE 10
24893 @@ -293,10 +298,17 @@ static struct poolinfo {
24895 int tap1, tap2, tap3, tap4, tap5;
24896 } poolinfo_table[] = {
24897 +#ifdef CONFIG_GRKERNSEC_RANDNET
24898 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24899 + { 512, 411, 308, 208, 104, 1 },
24900 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24901 + { 128, 103, 76, 51, 25, 1 },
24903 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24904 { 128, 103, 76, 51, 25, 1 },
24905 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24906 { 32, 26, 20, 14, 7, 1 },
24909 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24910 { 2048, 1638, 1231, 819, 411, 1 },
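Review bot: The new 512-word entry `{ 512, 411, 308, 208, 104, 1 }` is added without any statement of where its taps come from, whereas the trailing numbers on the existing rows (105, 15, 115) appear to cite a reference the `-- 225` on the new row does not obviously share; the mixing function relies on the tap polynomial being primitive, so the comment should say how that was established for degree 512. Because the `#ifdef`/`#else` halves both repeat the 128-word row, the table's order evidently matters — presumably the pools select their row by index — and a one-line comment such as `/* row 0 is the input pool, row 1 the output pools: keep this order */` above the `#ifdef` would protect the next editor.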
24911 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24913 extract_buf(r, tmp);
24914 i = min_t(int, nbytes, EXTRACT_SIZE);
24915 - if (copy_to_user(buf, tmp, i)) {
24916 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
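Review bot: The added `i > sizeof(tmp)` compares a signed `int` with a `size_t`, and since `i` is `min_t(int, nbytes, EXTRACT_SIZE)` it can never exceed `sizeof(tmp)` as a non-negative value (assuming `tmp` is `EXTRACT_SIZE` bytes); the check only fires when a very large `nbytes` has been truncated to a negative `int`, which then converts to a huge unsigned value. That is a useful guard, but the intent is hidden behind the conversion; writing it as `if (i < 0 || copy_to_user(buf, tmp, i)) {` states the case directly and avoids the signed/unsigned comparison warning. The error branch that follows is outside the visible hunk.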
24920 @@ -1207,7 +1219,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24921 #include <linux/sysctl.h>
24923 static int min_read_thresh = 8, min_write_thresh;
24924 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24925 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24926 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24927 static char sysctl_bootid[16];
24929 diff -urNp linux-2.6.38.4/drivers/char/sonypi.c linux-2.6.38.4/drivers/char/sonypi.c
24930 --- linux-2.6.38.4/drivers/char/sonypi.c 2011-03-14 21:20:32.000000000 -0400
24931 +++ linux-2.6.38.4/drivers/char/sonypi.c 2011-04-17 15:57:32.000000000 -0400
24933 #include <asm/uaccess.h>
24934 #include <asm/io.h>
24935 #include <asm/system.h>
24936 +#include <asm/local.h>
24938 #include <linux/sonypi.h>
24940 @@ -491,7 +492,7 @@ static struct sonypi_device {
24941 spinlock_t fifo_lock;
24942 wait_queue_head_t fifo_proc_list;
24943 struct fasync_struct *fifo_async;
24945 + local_t open_count;
24947 struct input_dev *input_jog_dev;
24948 struct input_dev *input_key_dev;
24949 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
24950 static int sonypi_misc_release(struct inode *inode, struct file *file)
24952 mutex_lock(&sonypi_device.lock);
24953 - sonypi_device.open_count--;
24954 + local_dec(&sonypi_device.open_count);
24955 mutex_unlock(&sonypi_device.lock);
24958 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
24960 mutex_lock(&sonypi_device.lock);
24961 /* Flush input queue on first open */
24962 - if (!sonypi_device.open_count)
24963 + if (!local_read(&sonypi_device.open_count))
24964 kfifo_reset(&sonypi_device.fifo);
24965 - sonypi_device.open_count++;
24966 + local_inc(&sonypi_device.open_count);
24967 mutex_unlock(&sonypi_device.lock);
24970 diff -urNp linux-2.6.38.4/drivers/char/tpm/tpm_bios.c linux-2.6.38.4/drivers/char/tpm/tpm_bios.c
24971 --- linux-2.6.38.4/drivers/char/tpm/tpm_bios.c 2011-03-14 21:20:32.000000000 -0400
24972 +++ linux-2.6.38.4/drivers/char/tpm/tpm_bios.c 2011-04-17 15:57:32.000000000 -0400
24973 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24976 if ((event->event_type == 0 && event->event_size == 0) ||
24977 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24978 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
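Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` wraps when fewer than `sizeof(struct tcpa_event)` bytes remain before `limit`: `limit - addr` is a signed difference, subtracting a `size_t` makes the expression unsigned, and the result becomes a huge value that `event_size` is never `>=`, so a truncated trailing header passes the check that the old form rejected. The `event->event_type`/`event_size` reads on the line above are already past `limit` in that case. Guard the header before dereferencing `event`, e.g. `if (limit - addr < sizeof(struct tcpa_event)) return NULL;`, and the same applies to the `_next` hunk that follows (with `v` in place of `addr`). Both enclosing functions extend beyond the hunk.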
24982 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24985 if ((event->event_type == 0 && event->event_size == 0) ||
24986 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24987 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24991 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24994 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24995 - seq_putc(m, data[i]);
24996 + if (!seq_putc(m, data[i]))
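Review bot: `if (!seq_putc(m, data[i]))` is true on success, because `seq_putc` returns 0 when the byte fits and -1 when the buffer is full, so whatever the next line does on that branch (it is outside the visible part of the hunk) will run for every byte written and never for the overflow case. If the intent is to stop on a full buffer, the condition should be `if (seq_putc(m, data[i]) < 0)`; if the following line is an early `return`, the loop as written would return after the first byte. Please confirm against the line that follows.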
25001 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
25002 log->bios_event_log_end = log->bios_event_log + len;
25004 virt = acpi_os_map_memory(start, len);
25006 + kfree(log->bios_event_log);
25007 + log->bios_event_log = NULL;
25011 memcpy(log->bios_event_log, virt, len);
25013 diff -urNp linux-2.6.38.4/drivers/char/tpm/tpm.c linux-2.6.38.4/drivers/char/tpm/tpm.c
25014 --- linux-2.6.38.4/drivers/char/tpm/tpm.c 2011-04-18 17:27:18.000000000 -0400
25015 +++ linux-2.6.38.4/drivers/char/tpm/tpm.c 2011-04-17 16:53:16.000000000 -0400
25016 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
25017 chip->vendor.req_complete_val)
25020 - if ((status == chip->vendor.req_canceled)) {
25021 + if (status == chip->vendor.req_canceled) {
25022 dev_err(chip->dev, "Operation Canceled\n");
25025 diff -urNp linux-2.6.38.4/drivers/cpuidle/sysfs.c linux-2.6.38.4/drivers/cpuidle/sysfs.c
25026 --- linux-2.6.38.4/drivers/cpuidle/sysfs.c 2011-03-14 21:20:32.000000000 -0400
25027 +++ linux-2.6.38.4/drivers/cpuidle/sysfs.c 2011-04-17 15:57:32.000000000 -0400
25028 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
25029 .release = cpuidle_state_sysfs_release,
25032 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
25033 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
25035 kobject_put(&device->kobjs[i]->kobj);
25036 wait_for_completion(&device->kobjs[i]->kobj_unregister);
25037 diff -urNp linux-2.6.38.4/drivers/edac/edac_core.h linux-2.6.38.4/drivers/edac/edac_core.h
25038 --- linux-2.6.38.4/drivers/edac/edac_core.h 2011-03-14 21:20:32.000000000 -0400
25039 +++ linux-2.6.38.4/drivers/edac/edac_core.h 2011-04-17 15:57:32.000000000 -0400
25040 @@ -88,11 +88,11 @@ extern int edac_debug_level;
25042 #else /* !CONFIG_EDAC_DEBUG */
25044 -#define debugf0( ... )
25045 -#define debugf1( ... )
25046 -#define debugf2( ... )
25047 -#define debugf3( ... )
25048 -#define debugf4( ... )
25049 +#define debugf0( ... ) do {} while (0)
25050 +#define debugf1( ... ) do {} while (0)
25051 +#define debugf2( ... ) do {} while (0)
25052 +#define debugf3( ... ) do {} while (0)
25053 +#define debugf4( ... ) do {} while (0)
25055 #endif /* !CONFIG_EDAC_DEBUG */
25057 diff -urNp linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c
25058 --- linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c 2011-03-14 21:20:32.000000000 -0400
25059 +++ linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c 2011-04-17 15:57:32.000000000 -0400
25060 @@ -761,7 +761,7 @@ static void edac_inst_grp_release(struct
25063 /* Intermediate show/store table */
25064 -static struct sysfs_ops inst_grp_ops = {
25065 +static const struct sysfs_ops inst_grp_ops = {
25066 .show = inst_grp_show,
25067 .store = inst_grp_store
25069 diff -urNp linux-2.6.38.4/drivers/firewire/core-cdev.c linux-2.6.38.4/drivers/firewire/core-cdev.c
25070 --- linux-2.6.38.4/drivers/firewire/core-cdev.c 2011-03-14 21:20:32.000000000 -0400
25071 +++ linux-2.6.38.4/drivers/firewire/core-cdev.c 2011-04-17 15:57:32.000000000 -0400
25072 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
25075 if ((request->channels == 0 && request->bandwidth == 0) ||
25076 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
25077 - request->bandwidth < 0)
25078 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
25081 r = kmalloc(sizeof(*r), GFP_KERNEL);
25082 diff -urNp linux-2.6.38.4/drivers/firmware/dmi_scan.c linux-2.6.38.4/drivers/firmware/dmi_scan.c
25083 --- linux-2.6.38.4/drivers/firmware/dmi_scan.c 2011-03-14 21:20:32.000000000 -0400
25084 +++ linux-2.6.38.4/drivers/firmware/dmi_scan.c 2011-04-17 15:57:32.000000000 -0400
25085 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
25090 - * no iounmap() for that ioremap(); it would be a no-op, but
25091 - * it's so early in setup that sucker gets confused into doing
25092 - * what it shouldn't if we actually call it.
25094 p = dmi_ioremap(0xF0000, 0x10000);
25097 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c
25098 --- linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c 2011-03-14 21:20:32.000000000 -0400
25099 +++ linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c 2011-04-17 15:57:32.000000000 -0400
25100 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
25101 struct drm_crtc *tmp;
25104 - WARN(!crtc, "checking null crtc?\n");
25109 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_drv.c linux-2.6.38.4/drivers/gpu/drm/drm_drv.c
25110 --- linux-2.6.38.4/drivers/gpu/drm/drm_drv.c 2011-03-14 21:20:32.000000000 -0400
25111 +++ linux-2.6.38.4/drivers/gpu/drm/drm_drv.c 2011-04-17 15:57:32.000000000 -0400
25112 @@ -425,7 +425,7 @@ long drm_ioctl(struct file *filp,
25114 dev = file_priv->minor->dev;
25115 atomic_inc(&dev->ioctl_count);
25116 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
25117 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
25118 ++file_priv->ioctl_count;
25120 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
25121 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_fops.c linux-2.6.38.4/drivers/gpu/drm/drm_fops.c
25122 --- linux-2.6.38.4/drivers/gpu/drm/drm_fops.c 2011-03-14 21:20:32.000000000 -0400
25123 +++ linux-2.6.38.4/drivers/gpu/drm/drm_fops.c 2011-04-17 15:57:32.000000000 -0400
25124 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
25127 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
25128 - atomic_set(&dev->counts[i], 0);
25129 + atomic_set_unchecked(&dev->counts[i], 0);
25131 dev->sigdata.lock = NULL;
25133 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
25135 retcode = drm_open_helper(inode, filp, dev);
25137 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
25138 - if (!dev->open_count++)
25139 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
25140 + if (local_inc_return(&dev->open_count) == 1)
25141 retcode = drm_setup(dev);
25144 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
25146 mutex_lock(&drm_global_mutex);
25148 - DRM_DEBUG("open_count = %d\n", dev->open_count);
25149 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
25151 if (dev->driver->preclose)
25152 dev->driver->preclose(dev, file_priv);
25153 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
25154 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
25155 task_pid_nr(current),
25156 (long)old_encode_dev(file_priv->minor->device),
25157 - dev->open_count);
25158 + local_read(&dev->open_count));
25160 /* if the master has gone away we can't do anything with the lock */
25161 if (file_priv->minor->master)
25162 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
25163 * End inline drm_release
25166 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
25167 - if (!--dev->open_count) {
25168 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
25169 + if (local_dec_and_test(&dev->open_count)) {
25170 if (atomic_read(&dev->ioctl_count)) {
25171 DRM_ERROR("Device busy: %d\n",
25172 atomic_read(&dev->ioctl_count));
25173 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_global.c linux-2.6.38.4/drivers/gpu/drm/drm_global.c
25174 --- linux-2.6.38.4/drivers/gpu/drm/drm_global.c 2011-03-14 21:20:32.000000000 -0400
25175 +++ linux-2.6.38.4/drivers/gpu/drm/drm_global.c 2011-04-17 15:57:32.000000000 -0400
25177 struct drm_global_item {
25178 struct mutex mutex;
25181 + atomic_t refcount;
25184 static struct drm_global_item glob[DRM_GLOBAL_NUM];
25185 @@ -49,7 +49,7 @@ void drm_global_init(void)
25186 struct drm_global_item *item = &glob[i];
25187 mutex_init(&item->mutex);
25188 item->object = NULL;
25189 - item->refcount = 0;
25190 + atomic_set(&item->refcount, 0);
25194 @@ -59,7 +59,7 @@ void drm_global_release(void)
25195 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
25196 struct drm_global_item *item = &glob[i];
25197 BUG_ON(item->object != NULL);
25198 - BUG_ON(item->refcount != 0);
25199 + BUG_ON(atomic_read(&item->refcount) != 0);
25203 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
25206 mutex_lock(&item->mutex);
25207 - if (item->refcount == 0) {
25208 + if (atomic_read(&item->refcount) == 0) {
25209 item->object = kzalloc(ref->size, GFP_KERNEL);
25210 if (unlikely(item->object == NULL)) {
25212 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
25216 - ++item->refcount;
25217 + atomic_inc(&item->refcount);
25218 ref->object = item->object;
25219 object = item->object;
25220 mutex_unlock(&item->mutex);
25221 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
25222 struct drm_global_item *item = &glob[ref->global_type];
25224 mutex_lock(&item->mutex);
25225 - BUG_ON(item->refcount == 0);
25226 + BUG_ON(atomic_read(&item->refcount) == 0);
25227 BUG_ON(ref->object != item->object);
25228 - if (--item->refcount == 0) {
25229 + if (atomic_dec_and_test(&item->refcount)) {
25231 item->object = NULL;
25233 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_info.c linux-2.6.38.4/drivers/gpu/drm/drm_info.c
25234 --- linux-2.6.38.4/drivers/gpu/drm/drm_info.c 2011-03-14 21:20:32.000000000 -0400
25235 +++ linux-2.6.38.4/drivers/gpu/drm/drm_info.c 2011-04-17 15:57:32.000000000 -0400
25236 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
25237 struct drm_local_map *map;
25238 struct drm_map_list *r_list;
25240 - /* Hardcoded from _DRM_FRAME_BUFFER,
25241 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
25242 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
25243 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
25244 + static const char * const types[] = {
25245 + [_DRM_FRAME_BUFFER] = "FB",
25246 + [_DRM_REGISTERS] = "REG",
25247 + [_DRM_SHM] = "SHM",
25248 + [_DRM_AGP] = "AGP",
25249 + [_DRM_SCATTER_GATHER] = "SG",
25250 + [_DRM_CONSISTENT] = "PCI",
25251 + [_DRM_GEM] = "GEM" };
25255 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
25259 - if (map->type < 0 || map->type > 5)
25260 + if (map->type >= ARRAY_SIZE(types))
25263 type = types[map->type];
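Review bot: `map->type >= ARRAY_SIZE(types)` relies on the enum being promoted to `size_t`, so a negative value is rejected as a huge index — that subsumes the removed `< 0` test, and a comment saying so would keep someone from reinstating it: `/* type is compared as unsigned, so negative values also fall out here */`. With the table now designated-initialized, any gap in `enum drm_map_type` leaves a NULL entry that `types[map->type]` would hand to the printf below; the enum appears contiguous today, but `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` costs nothing and makes the table safe to extend. The fallback assignment after this check is outside the hunk.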
25264 @@ -301,7 +305,11 @@ int drm_vma_info(struct seq_file *m, voi
25265 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
25266 vma->vm_flags & VM_LOCKED ? 'l' : '-',
25267 vma->vm_flags & VM_IO ? 'i' : '-',
25268 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25274 #if defined(__i386__)
25275 pgprot = pgprot_val(vma->vm_page_prot);
25276 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c
25277 --- linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c 2011-03-14 21:20:32.000000000 -0400
25278 +++ linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:57:32.000000000 -0400
25279 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
25280 stats->data[i].value =
25281 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
25283 - stats->data[i].value = atomic_read(&dev->counts[i]);
25284 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
25285 stats->data[i].type = dev->types[i];
25288 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_lock.c linux-2.6.38.4/drivers/gpu/drm/drm_lock.c
25289 --- linux-2.6.38.4/drivers/gpu/drm/drm_lock.c 2011-03-14 21:20:32.000000000 -0400
25290 +++ linux-2.6.38.4/drivers/gpu/drm/drm_lock.c 2011-04-17 15:57:32.000000000 -0400
25291 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
25292 if (drm_lock_take(&master->lock, lock->context)) {
25293 master->lock.file_priv = file_priv;
25294 master->lock.lock_time = jiffies;
25295 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
25296 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
25297 break; /* Got lock */
25300 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
25304 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
25305 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
25307 if (drm_lock_free(&master->lock, lock->context)) {
25308 /* FIXME: Should really bail out here. */
25309 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c
25310 --- linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c 2011-03-14 21:20:32.000000000 -0400
25311 +++ linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c 2011-04-17 15:57:32.000000000 -0400
25312 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
25313 dma->buflist[vertex->idx],
25314 vertex->discard, vertex->used);
25316 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25317 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25318 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25319 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25320 sarea_priv->last_enqueue = dev_priv->counter - 1;
25321 sarea_priv->last_dispatch = (int)hw_status[5];
25323 @@ -1114,8 +1114,8 @@ static int i810_dma_mc(struct drm_device
25324 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
25327 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25328 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25329 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25330 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25331 sarea_priv->last_enqueue = dev_priv->counter - 1;
25332 sarea_priv->last_dispatch = (int)hw_status[5];
25334 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c
25335 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-14 21:20:32.000000000 -0400
25336 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-17 15:57:32.000000000 -0400
25337 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
25341 -struct intel_dvo_dev_ops ch7017_ops = {
25342 +const struct intel_dvo_dev_ops ch7017_ops = {
25343 .init = ch7017_init,
25344 .detect = ch7017_detect,
25345 .mode_valid = ch7017_mode_valid,
25346 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c
25347 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-14 21:20:32.000000000 -0400
25348 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-17 15:57:32.000000000 -0400
25349 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
25353 -struct intel_dvo_dev_ops ch7xxx_ops = {
25354 +const struct intel_dvo_dev_ops ch7xxx_ops = {
25355 .init = ch7xxx_init,
25356 .detect = ch7xxx_detect,
25357 .mode_valid = ch7xxx_mode_valid,
25358 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h
25359 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h 2011-03-14 21:20:32.000000000 -0400
25360 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h 2011-04-17 15:57:32.000000000 -0400
25361 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
25363 * \return singly-linked list of modes or NULL if no modes found.
25365 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
25366 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
25369 * Clean up driver-specific bits of the output
25371 - void (*destroy) (struct intel_dvo_device *dvo);
25372 + void (* const destroy) (struct intel_dvo_device *dvo);
25375 * Debugging hook to dump device registers to log file
25377 - void (*dump_regs)(struct intel_dvo_device *dvo);
25378 + void (* const dump_regs)(struct intel_dvo_device *dvo);
25381 -extern struct intel_dvo_dev_ops sil164_ops;
25382 -extern struct intel_dvo_dev_ops ch7xxx_ops;
25383 -extern struct intel_dvo_dev_ops ivch_ops;
25384 -extern struct intel_dvo_dev_ops tfp410_ops;
25385 -extern struct intel_dvo_dev_ops ch7017_ops;
25386 +extern const struct intel_dvo_dev_ops sil164_ops;
25387 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
25388 +extern const struct intel_dvo_dev_ops ivch_ops;
25389 +extern const struct intel_dvo_dev_ops tfp410_ops;
25390 +extern const struct intel_dvo_dev_ops ch7017_ops;
25392 #endif /* _INTEL_DVO_H */
25393 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c
25394 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-14 21:20:32.000000000 -0400
25395 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-17 15:57:32.000000000 -0400
25396 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
25400 -struct intel_dvo_dev_ops ivch_ops= {
25401 +const struct intel_dvo_dev_ops ivch_ops= {
25404 .mode_valid = ivch_mode_valid,
25405 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c
25406 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-14 21:20:32.000000000 -0400
25407 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-17 15:57:32.000000000 -0400
25408 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
25412 -struct intel_dvo_dev_ops sil164_ops = {
25413 +const struct intel_dvo_dev_ops sil164_ops = {
25414 .init = sil164_init,
25415 .detect = sil164_detect,
25416 .mode_valid = sil164_mode_valid,
25417 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c
25418 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-14 21:20:32.000000000 -0400
25419 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-17 15:57:32.000000000 -0400
25420 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
25424 -struct intel_dvo_dev_ops tfp410_ops = {
25425 +const struct intel_dvo_dev_ops tfp410_ops = {
25426 .init = tfp410_init,
25427 .detect = tfp410_detect,
25428 .mode_valid = tfp410_mode_valid,
25429 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c
25430 --- linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c 2011-03-14 21:20:32.000000000 -0400
25431 +++ linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c 2011-04-17 15:57:32.000000000 -0400
25432 @@ -1159,7 +1159,7 @@ static bool i915_switcheroo_can_switch(s
25435 spin_lock(&dev->count_lock);
25436 - can_switch = (dev->open_count == 0);
25437 + can_switch = (local_read(&dev->open_count) == 0);
25438 spin_unlock(&dev->count_lock);
25441 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c
25442 --- linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c 2011-03-14 21:20:32.000000000 -0400
25443 +++ linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c 2011-04-17 15:57:32.000000000 -0400
25444 @@ -673,7 +673,7 @@ static const struct dev_pm_ops i915_pm_o
25445 .restore = i915_pm_resume,
25448 -static struct vm_operations_struct i915_gem_vm_ops = {
25449 +static const struct vm_operations_struct i915_gem_vm_ops = {
25450 .fault = i915_gem_fault,
25451 .open = drm_gem_vm_open,
25452 .close = drm_gem_vm_close,
25453 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h
25454 --- linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h 2011-03-14 21:20:32.000000000 -0400
25455 +++ linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h 2011-04-17 15:57:32.000000000 -0400
25456 @@ -1229,7 +1229,7 @@ extern int intel_setup_gmbus(struct drm_
25457 extern void intel_teardown_gmbus(struct drm_device *dev);
25458 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
25459 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
25460 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
25461 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
25463 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
25465 diff -urNp linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c
25466 --- linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c 2011-03-14 21:20:32.000000000 -0400
25467 +++ linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c 2011-04-17 15:57:32.000000000 -0400
25468 @@ -621,7 +621,7 @@ static bool nouveau_switcheroo_can_switc
25471 spin_lock(&dev->count_lock);
25472 - can_switch = (dev->open_count == 0);
25473 + can_switch = (local_read(&dev->open_count) == 0);
25474 spin_unlock(&dev->count_lock);
25477 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c
25478 --- linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c 2011-03-14 21:20:32.000000000 -0400
25479 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c 2011-04-17 15:57:32.000000000 -0400
25480 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
25482 regmatch_t match[4];
25490 struct offset *offset;
25491 char last_reg_s[10];
25493 + unsigned long last_reg;
25496 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
25497 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c
25498 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c 2011-03-14 21:20:32.000000000 -0400
25499 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c 2011-04-17 15:57:32.000000000 -0400
25500 @@ -673,7 +673,7 @@ static bool radeon_switcheroo_can_switch
25503 spin_lock(&dev->count_lock);
25504 - can_switch = (dev->open_count == 0);
25505 + can_switch = (local_read(&dev->open_count) == 0);
25506 spin_unlock(&dev->count_lock);
25509 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c
25510 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-14 21:20:32.000000000 -0400
25511 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-17 15:57:32.000000000 -0400
25512 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
25513 request = compat_alloc_user_space(sizeof(*request));
25514 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
25515 || __put_user(req32.param, &request->param)
25516 - || __put_user((void __user *)(unsigned long)req32.value,
25517 + || __put_user((unsigned long)req32.value,
25521 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c
25522 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c 2011-03-14 21:20:32.000000000 -0400
25523 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c 2011-04-17 15:57:32.000000000 -0400
25524 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
25525 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
25526 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
25528 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25529 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25530 sarea_priv->nbox * sizeof(depth_boxes[0])))
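Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS ||` re-tests a field that the two context lines just above clamped, so it only helps if `nbox` can change between those reads — plausible, since the SAREA is memory the client maps — but then the size argument on the next line is a third, separate read that the check does not cover. Reading the value once removes the window: `unsigned int nbox = sarea_priv->nbox; if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;` and then `DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes, nbox * sizeof(depth_boxes[0]))`. Later uses of `sarea_priv->nbox` in this function are outside the hunk and would need the same local.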
25533 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
25535 drm_radeon_private_t *dev_priv = dev->dev_private;
25536 drm_radeon_getparam_t *param = data;
25540 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
25542 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c
25543 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-14 21:20:32.000000000 -0400
25544 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-17 15:57:32.000000000 -0400
25545 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
25546 man->size = size >> PAGE_SHIFT;
25549 -static struct vm_operations_struct radeon_ttm_vm_ops;
25550 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
25551 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
25552 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
25553 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
25555 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
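Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared in this `.c` file instead of a TTM header, so nothing checks them against the definitions that ttm_bo_vm.c exports later in this patch; if either side changes a signature the mismatch is only found at run time. Move the declarations into the header that ttm_bo_vm.c includes (the one declaring the other `ttm_bo_*` API) so the compiler sees definition and use together. This hunk only covers the declarations; `radeon_ttm_fault` continues in the next hunk.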
25557 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
25558 struct radeon_device *rdev;
25561 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
25562 - if (bo == NULL) {
25563 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
25565 return VM_FAULT_NOPAGE;
25567 rdev = radeon_get_rdev(bo->bdev);
25568 mutex_lock(&rdev->vram_mutex);
25569 - r = ttm_vm_ops->fault(vma, vmf);
25570 + r = ttm_bo_vm_fault(vma, vmf);
25571 mutex_unlock(&rdev->vram_mutex);
25575 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
25576 + .fault = radeon_ttm_fault,
25577 + .open = ttm_bo_vm_open,
25578 + .close = ttm_bo_vm_close
25581 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
25583 struct drm_file *file_priv;
25584 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
25586 file_priv = filp->private_data;
25587 rdev = file_priv->minor->dev->dev_private;
25588 - if (rdev == NULL) {
25592 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
25593 - if (unlikely(r != 0)) {
25597 - if (unlikely(ttm_vm_ops == NULL)) {
25598 - ttm_vm_ops = vma->vm_ops;
25599 - radeon_ttm_vm_ops = *ttm_vm_ops;
25600 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
25602 vma->vm_ops = &radeon_ttm_vm_ops;
25605 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c
25606 --- linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c 2011-03-14 21:20:32.000000000 -0400
25607 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c 2011-04-17 15:57:32.000000000 -0400
25608 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
25609 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
25610 rdev->pm.sideport_bandwidth.full)
25611 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
25612 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
25613 + read_delay_latency.full = dfixed_const(800 * 1000);
25614 read_delay_latency.full = dfixed_div(read_delay_latency,
25615 rdev->pm.igp_sideport_mclk);
25616 + a.full = dfixed_const(370);
25617 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
25619 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
25620 rdev->pm.k8_bandwidth.full)
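Review bot: The split of `dfixed_const(370 * 800 * 1000)` into a divide followed by `dfixed_mul` by 370 is not explained, and the reason — the original constant shifted into 20.12 fixed point does not fit in 32 bits — deserves a comment so nobody folds it back: `/* 370*800*1000 does not fit in fixed20_12; apply the 370 factor after the divide */`. Dividing first means the 12 fractional bits of the quotient are scaled by 370, so the result carries a little more rounding error than the original expression would have if it had fit; that looks acceptable for a latency estimate but is worth noting. `a` is assumed to be an existing `fixed20_12` local of `rs690_crtc_bandwidth_compute`, whose declaration is outside the hunk.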
25621 diff -urNp linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c
25622 --- linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-14 21:20:32.000000000 -0400
25623 +++ linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c 2011-04-17 15:57:32.000000000 -0400
25625 #include <asm/atomic.h>
25627 #define TTM_ASSERT_LOCKED(param)
25628 -#define TTM_DEBUG(fmt, arg...)
25629 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
25630 #define TTM_BO_HASH_ORDER 13
25632 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
25633 diff -urNp linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c
25634 --- linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-14 21:20:32.000000000 -0400
25635 +++ linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-17 15:57:32.000000000 -0400
25636 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
25640 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25641 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25643 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
25644 vma->vm_private_data;
25645 - struct ttm_bo_device *bdev = bo->bdev;
25646 + struct ttm_bo_device *bdev;
25647 unsigned long page_offset;
25648 unsigned long page_last;
25650 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
25652 unsigned long address = (unsigned long)vmf->virtual_address;
25653 int retval = VM_FAULT_NOPAGE;
25654 - struct ttm_mem_type_manager *man =
25655 - &bdev->man[bo->mem.mem_type];
25656 + struct ttm_mem_type_manager *man;
25659 + return VM_FAULT_NOPAGE;
25661 + man = &bdev->man[bo->mem.mem_type];
25664 * Work around locking order reversal in fault / nopfn
25665 @@ -219,22 +223,25 @@ out_unlock:
25666 ttm_bo_unreserve(bo);
25669 +EXPORT_SYMBOL(ttm_bo_vm_fault);
25671 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
25672 +void ttm_bo_vm_open(struct vm_area_struct *vma)
25674 struct ttm_buffer_object *bo =
25675 (struct ttm_buffer_object *)vma->vm_private_data;
25677 (void)ttm_bo_reference(bo);
25679 +EXPORT_SYMBOL(ttm_bo_vm_open);
25681 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
25682 +void ttm_bo_vm_close(struct vm_area_struct *vma)
25684 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
25687 vma->vm_private_data = NULL;
25689 +EXPORT_SYMBOL(ttm_bo_vm_close);
25691 static const struct vm_operations_struct ttm_bo_vm_ops = {
25692 .fault = ttm_bo_vm_fault,
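Review bot: ttm_bo_vm_fault, ttm_bo_vm_open and ttm_bo_vm_close lose their `static` and gain EXPORT_SYMBOL in this hunk, but no header declaration appears anywhere in view; without prototypes in the public TTM header, sparse will report "symbol was not declared. Should it be static?" and external callers will have to spell the signatures themselves, which is how signature drift starts. Add `int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);` together with the two `void` declarations to the header that declares the rest of the TTM VM API, with a one-line comment that drivers may reference them from their own const vm_operations_struct. Whether a header hunk exists elsewhere in this patch cannot be seen from here.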
25693 diff -urNp linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
25694 --- linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-03-14 21:20:32.000000000 -0400
25695 +++ linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-04-17 15:57:32.000000000 -0400
25696 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
25697 return VM_FAULT_SIGBUS;
25700 -static struct vm_operations_struct vmw_fifo_vm_ops = {
25701 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
25702 .fault = vmw_fifo_vm_fault,
25705 diff -urNp linux-2.6.38.4/drivers/hid/usbhid/hiddev.c linux-2.6.38.4/drivers/hid/usbhid/hiddev.c
25706 --- linux-2.6.38.4/drivers/hid/usbhid/hiddev.c 2011-03-14 21:20:32.000000000 -0400
25707 +++ linux-2.6.38.4/drivers/hid/usbhid/hiddev.c 2011-04-17 15:57:32.000000000 -0400
25708 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
25711 case HIDIOCAPPLICATION:
25712 - if (arg < 0 || arg >= hid->maxapplication)
25713 + if (arg >= hid->maxapplication)
25716 for (i = 0; i < hid->maxcollection; i++)
25717 diff -urNp linux-2.6.38.4/drivers/hwmon/k8temp.c linux-2.6.38.4/drivers/hwmon/k8temp.c
25718 --- linux-2.6.38.4/drivers/hwmon/k8temp.c 2011-03-14 21:20:32.000000000 -0400
25719 +++ linux-2.6.38.4/drivers/hwmon/k8temp.c 2011-04-17 15:57:32.000000000 -0400
25720 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
25722 static const struct pci_device_id k8temp_ids[] = {
25723 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
25725 + { 0, 0, 0, 0, 0, 0, 0 },
25728 MODULE_DEVICE_TABLE(pci, k8temp_ids);
25729 diff -urNp linux-2.6.38.4/drivers/hwmon/sis5595.c linux-2.6.38.4/drivers/hwmon/sis5595.c
25730 --- linux-2.6.38.4/drivers/hwmon/sis5595.c 2011-03-14 21:20:32.000000000 -0400
25731 +++ linux-2.6.38.4/drivers/hwmon/sis5595.c 2011-04-17 15:57:32.000000000 -0400
25732 @@ -701,7 +701,7 @@ static struct sis5595_data *sis5595_upda
25734 static const struct pci_device_id sis5595_pci_ids[] = {
25735 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25737 + { 0, 0, 0, 0, 0, 0, 0 }
25740 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
25741 diff -urNp linux-2.6.38.4/drivers/hwmon/via686a.c linux-2.6.38.4/drivers/hwmon/via686a.c
25742 --- linux-2.6.38.4/drivers/hwmon/via686a.c 2011-03-14 21:20:32.000000000 -0400
25743 +++ linux-2.6.38.4/drivers/hwmon/via686a.c 2011-04-17 15:57:32.000000000 -0400
25744 @@ -779,7 +779,7 @@ static struct via686a_data *via686a_upda
25746 static const struct pci_device_id via686a_pci_ids[] = {
25747 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
25749 + { 0, 0, 0, 0, 0, 0, 0 }
25752 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
25753 diff -urNp linux-2.6.38.4/drivers/hwmon/vt8231.c linux-2.6.38.4/drivers/hwmon/vt8231.c
25754 --- linux-2.6.38.4/drivers/hwmon/vt8231.c 2011-03-14 21:20:32.000000000 -0400
25755 +++ linux-2.6.38.4/drivers/hwmon/vt8231.c 2011-04-17 15:57:32.000000000 -0400
25756 @@ -701,7 +701,7 @@ static struct platform_driver vt8231_dri
25758 static const struct pci_device_id vt8231_pci_ids[] = {
25759 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
25761 + { 0, 0, 0, 0, 0, 0, 0 }
25764 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
25765 diff -urNp linux-2.6.38.4/drivers/hwmon/w83791d.c linux-2.6.38.4/drivers/hwmon/w83791d.c
25766 --- linux-2.6.38.4/drivers/hwmon/w83791d.c 2011-03-14 21:20:32.000000000 -0400
25767 +++ linux-2.6.38.4/drivers/hwmon/w83791d.c 2011-04-17 15:57:32.000000000 -0400
25768 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
25769 struct i2c_board_info *info);
25770 static int w83791d_remove(struct i2c_client *client);
25772 -static int w83791d_read(struct i2c_client *client, u8 register);
25773 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
25774 +static int w83791d_read(struct i2c_client *client, u8 reg);
25775 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
25776 static struct w83791d_data *w83791d_update_device(struct device *dev);
25779 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c
25780 --- linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c 2011-03-14 21:20:32.000000000 -0400
25781 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c 2011-04-17 15:57:32.000000000 -0400
25782 @@ -621,7 +621,7 @@ static const struct pci_device_id i801_i
25783 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF0) },
25784 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF1) },
25785 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF2) },
25787 + { 0, 0, 0, 0, 0, 0, 0 }
25790 MODULE_DEVICE_TABLE(pci, i801_ids);
25791 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c
25792 --- linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c 2011-03-14 21:20:32.000000000 -0400
25793 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c 2011-04-17 15:57:32.000000000 -0400
25794 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
25796 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
25799 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25802 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
25803 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
25804 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
25805 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
25806 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
25808 + { 0, 0, 0, 0, 0, 0, 0 }
25811 MODULE_DEVICE_TABLE (pci, piix4_ids);
25812 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c
25813 --- linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c 2011-03-14 21:20:32.000000000 -0400
25814 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c 2011-04-17 15:57:32.000000000 -0400
25815 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
25816 static const struct pci_device_id sis630_ids[] __devinitconst = {
25817 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25818 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
25820 + { 0, 0, 0, 0, 0, 0, 0 }
25823 MODULE_DEVICE_TABLE (pci, sis630_ids);
25824 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c
25825 --- linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c 2011-03-14 21:20:32.000000000 -0400
25826 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c 2011-04-17 15:57:32.000000000 -0400
25827 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25829 static const struct pci_device_id sis96x_ids[] = {
25830 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25832 + { 0, 0, 0, 0, 0, 0, 0 }
25835 MODULE_DEVICE_TABLE (pci, sis96x_ids);
25836 diff -urNp linux-2.6.38.4/drivers/ide/ide-cd.c linux-2.6.38.4/drivers/ide/ide-cd.c
25837 --- linux-2.6.38.4/drivers/ide/ide-cd.c 2011-03-14 21:20:32.000000000 -0400
25838 +++ linux-2.6.38.4/drivers/ide/ide-cd.c 2011-04-17 15:57:32.000000000 -0400
25839 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
25840 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25841 if ((unsigned long)buf & alignment
25842 || blk_rq_bytes(rq) & q->dma_pad_mask
25843 - || object_is_on_stack(buf))
25844 + || object_starts_on_stack(buf))
25848 diff -urNp linux-2.6.38.4/drivers/infiniband/core/cm.c linux-2.6.38.4/drivers/infiniband/core/cm.c
25849 --- linux-2.6.38.4/drivers/infiniband/core/cm.c 2011-04-18 17:27:14.000000000 -0400
25850 +++ linux-2.6.38.4/drivers/infiniband/core/cm.c 2011-04-17 15:57:32.000000000 -0400
25851 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25853 struct cm_counter_group {
25854 struct kobject obj;
25855 - atomic_long_t counter[CM_ATTR_COUNT];
25856 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25859 struct cm_counter_attribute {
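Review bot: The switch of `counter[]` to `atomic_long_unchecked_t` deserves a comment on the field, because the `_unchecked` variant is presumably the opt-out from the overflow checking that this patch applies to atomics elsewhere (its definition is not in view), and a later reader will wonder whether opting out was deliberate. Here it is: these are per-port statistics read back through sysfs (cm_show_counter prints them with `%ld` later in this diff), not reference counts, so wrap-around cannot turn into a use-after-free. Suggested: `atomic_long_unchecked_t counter[CM_ATTR_COUNT]; /* statistics only: wrap-around is harmless, so overflow checking is deliberately not wanted */`. The struct's closing brace is not among the visible hunk lines.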
25860 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25861 struct ib_mad_send_buf *msg = NULL;
25864 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25865 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25866 counter[CM_REQ_COUNTER]);
25868 /* Quick state check to discard duplicate REQs. */
25869 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25873 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25874 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25875 counter[CM_REP_COUNTER]);
25876 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25878 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25879 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25880 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25881 spin_unlock_irq(&cm_id_priv->lock);
25882 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25883 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25884 counter[CM_RTU_COUNTER]);
25887 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25888 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25889 dreq_msg->local_comm_id);
25891 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25892 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25893 counter[CM_DREQ_COUNTER]);
25894 cm_issue_drep(work->port, work->mad_recv_wc);
25896 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25897 case IB_CM_MRA_REP_RCVD:
25899 case IB_CM_TIMEWAIT:
25900 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25901 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25902 counter[CM_DREQ_COUNTER]);
25903 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25905 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25908 case IB_CM_DREQ_RCVD:
25909 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25910 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25911 counter[CM_DREQ_COUNTER]);
25914 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
25915 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25916 cm_id_priv->msg, timeout)) {
25917 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25918 - atomic_long_inc(&work->port->
25919 + atomic_long_inc_unchecked(&work->port->
25920 counter_group[CM_RECV_DUPLICATES].
25921 counter[CM_MRA_COUNTER]);
25923 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
25925 case IB_CM_MRA_REQ_RCVD:
25926 case IB_CM_MRA_REP_RCVD:
25927 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25928 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25929 counter[CM_MRA_COUNTER]);
25932 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
25933 case IB_CM_LAP_IDLE:
25935 case IB_CM_MRA_LAP_SENT:
25936 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25937 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25938 counter[CM_LAP_COUNTER]);
25939 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25941 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
25944 case IB_CM_LAP_RCVD:
25945 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25946 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25947 counter[CM_LAP_COUNTER]);
25950 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
25951 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25952 if (cur_cm_id_priv) {
25953 spin_unlock_irq(&cm.lock);
25954 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25955 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25956 counter[CM_SIDR_REQ_COUNTER]);
25957 goto out; /* Duplicate message. */
25959 @@ -3187,10 +3187,10 @@ static void cm_send_handler(struct ib_ma
25960 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25963 - atomic_long_add(1 + msg->retries,
25964 + atomic_long_add_unchecked(1 + msg->retries,
25965 &port->counter_group[CM_XMIT].counter[attr_index]);
25967 - atomic_long_add(msg->retries,
25968 + atomic_long_add_unchecked(msg->retries,
25969 &port->counter_group[CM_XMIT_RETRIES].
25970 counter[attr_index]);
25972 @@ -3400,7 +3400,7 @@ static void cm_recv_handler(struct ib_ma
25975 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25976 - atomic_long_inc(&port->counter_group[CM_RECV].
25977 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25978 counter[attr_id - CM_ATTR_ID_OFFSET]);
25980 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25981 @@ -3598,7 +3598,7 @@ static ssize_t cm_show_counter(struct ko
25982 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25984 return sprintf(buf, "%ld\n",
25985 - atomic_long_read(&group->counter[cm_attr->index]));
25986 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25989 static const struct sysfs_ops cm_counter_ops = {
25990 diff -urNp linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h
25991 --- linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h 2011-03-14 21:20:32.000000000 -0400
25992 +++ linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h 2011-04-17 15:57:32.000000000 -0400
25994 #include <linux/completion.h>
25995 #include <linux/kref.h>
25996 #include <linux/sched.h>
25997 +#include <linux/slab.h>
25999 #include "qib_common.h"
26000 #include "qib_verbs.h"
26001 diff -urNp linux-2.6.38.4/drivers/input/keyboard/atkbd.c linux-2.6.38.4/drivers/input/keyboard/atkbd.c
26002 --- linux-2.6.38.4/drivers/input/keyboard/atkbd.c 2011-03-14 21:20:32.000000000 -0400
26003 +++ linux-2.6.38.4/drivers/input/keyboard/atkbd.c 2011-04-17 15:57:32.000000000 -0400
26004 @@ -1250,7 +1250,7 @@ static struct serio_device_id atkbd_seri
26006 .extra = SERIO_ANY,
26012 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
26013 diff -urNp linux-2.6.38.4/drivers/input/mouse/lifebook.c linux-2.6.38.4/drivers/input/mouse/lifebook.c
26014 --- linux-2.6.38.4/drivers/input/mouse/lifebook.c 2011-03-14 21:20:32.000000000 -0400
26015 +++ linux-2.6.38.4/drivers/input/mouse/lifebook.c 2011-04-17 15:57:32.000000000 -0400
26016 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
26017 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
26021 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
26024 void __init lifebook_module_init(void)
26025 diff -urNp linux-2.6.38.4/drivers/input/mouse/psmouse-base.c linux-2.6.38.4/drivers/input/mouse/psmouse-base.c
26026 --- linux-2.6.38.4/drivers/input/mouse/psmouse-base.c 2011-03-14 21:20:32.000000000 -0400
26027 +++ linux-2.6.38.4/drivers/input/mouse/psmouse-base.c 2011-04-17 15:57:32.000000000 -0400
26028 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
26030 .extra = SERIO_ANY,
26036 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
26037 diff -urNp linux-2.6.38.4/drivers/input/mouse/synaptics.c linux-2.6.38.4/drivers/input/mouse/synaptics.c
26038 --- linux-2.6.38.4/drivers/input/mouse/synaptics.c 2011-04-18 17:27:18.000000000 -0400
26039 +++ linux-2.6.38.4/drivers/input/mouse/synaptics.c 2011-04-17 16:53:16.000000000 -0400
26040 @@ -559,7 +559,7 @@ static void synaptics_process_packet(str
26043 if (SYN_MODEL_PEN(priv->model_id))
26044 - ; /* Nothing, treat a pen as a single finger */
26045 + break; /* Nothing, treat a pen as a single finger */
26048 if (SYN_CAP_PALMDETECT(priv->capabilities))
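Review bot: Replacing the empty statement under `SYN_MODEL_PEN(priv->model_id)` with `break;` is behaviour-neutral only because that `case` already ends in its own `break;` (the two lines between this check and the `SYN_CAP_PALMDETECT` case are not reproduced here, so this is inferred); if anything is ever added between the pen check and the case's break, the early `break` will silently skip it. A form that documents "nothing to do" without touching control flow is an empty braced body with the comment inside: `if (SYN_MODEL_PEN(priv->model_id)) { /* Nothing, treat a pen as a single finger */ }`. synaptics_process_packet starts and ends outside the hunk.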
26049 @@ -825,7 +825,6 @@ static const struct dmi_system_id __init
26050 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
26051 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
26056 /* Toshiba Portege M300 */
26057 @@ -834,10 +833,9 @@ static const struct dmi_system_id __init
26058 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
26059 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
26063 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26068 static bool broken_olpc_ec;
26069 diff -urNp linux-2.6.38.4/drivers/input/mousedev.c linux-2.6.38.4/drivers/input/mousedev.c
26070 --- linux-2.6.38.4/drivers/input/mousedev.c 2011-03-14 21:20:32.000000000 -0400
26071 +++ linux-2.6.38.4/drivers/input/mousedev.c 2011-04-17 15:57:32.000000000 -0400
26072 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
26074 spin_unlock_irq(&client->packet_lock);
26076 - if (copy_to_user(buffer, data, count))
26077 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
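Review bot: The new `count > sizeof(data)` guard on the copy_to_user runs after `data` has already been filled and the packet lock dropped; if `data` is populated by a `count`-sized copy earlier in mousedev_read (that copy is outside the hunk), an oversize count would have overrun the stack buffer before this check rejects it, so the bound belongs where `count` is clamped, before the copy: `if (count > sizeof(data)) count = sizeof(data);`. As written the check also fails the read (the return statement is not visible) instead of truncating, which is unusual for a read() path. If the earlier clamp already guarantees `count <= sizeof(data)`, a comment saying this guard is purely defensive would stop the next reader from hunting for the missing case. mousedev_read begins and ends outside the hunk.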
26081 @@ -1067,7 +1067,7 @@ static struct input_handler mousedev_han
26083 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
26084 static struct miscdevice psaux_mouse = {
26085 - PSMOUSE_MINOR, "psaux", &mousedev_fops
26086 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
26088 static int psaux_registered;
26090 diff -urNp linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h
26091 --- linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h 2011-03-14 21:20:32.000000000 -0400
26092 +++ linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h 2011-04-17 15:57:32.000000000 -0400
26093 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
26094 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
26098 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26102 @@ -431,7 +431,7 @@ static const struct dmi_system_id __init
26103 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V13"),
26107 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26110 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
26111 @@ -505,7 +505,7 @@ static const struct dmi_system_id __init
26112 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
26116 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26120 @@ -524,7 +524,7 @@ static const struct dmi_system_id __init
26121 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
26125 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26128 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
26129 @@ -548,7 +548,7 @@ static const struct dmi_system_id __init
26130 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
26134 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26138 @@ -640,7 +640,7 @@ static const struct dmi_system_id __init
26139 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
26143 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26146 #endif /* CONFIG_X86 */
26147 diff -urNp linux-2.6.38.4/drivers/input/serio/serio_raw.c linux-2.6.38.4/drivers/input/serio/serio_raw.c
26148 --- linux-2.6.38.4/drivers/input/serio/serio_raw.c 2011-03-14 21:20:32.000000000 -0400
26149 +++ linux-2.6.38.4/drivers/input/serio/serio_raw.c 2011-04-17 15:57:32.000000000 -0400
26150 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
26152 .extra = SERIO_ANY,
26158 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
26159 diff -urNp linux-2.6.38.4/drivers/isdn/gigaset/common.c linux-2.6.38.4/drivers/isdn/gigaset/common.c
26160 --- linux-2.6.38.4/drivers/isdn/gigaset/common.c 2011-03-14 21:20:32.000000000 -0400
26161 +++ linux-2.6.38.4/drivers/isdn/gigaset/common.c 2011-04-17 15:57:32.000000000 -0400
26162 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
26163 cs->commands_pending = 0;
26164 cs->cur_at_seq = 0;
26166 - cs->open_count = 0;
26167 + local_set(&cs->open_count, 0);
26170 cs->tty_dev = NULL;
26171 diff -urNp linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h
26172 --- linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h 2011-03-14 21:20:32.000000000 -0400
26173 +++ linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h 2011-04-17 15:57:32.000000000 -0400
26175 #include <linux/tty_driver.h>
26176 #include <linux/list.h>
26177 #include <asm/atomic.h>
26178 +#include <asm/local.h>
26180 #define GIG_VERSION {0, 5, 0, 0}
26181 #define GIG_COMPAT {0, 4, 0, 0}
26182 @@ -433,7 +434,7 @@ struct cardstate {
26183 spinlock_t cmdlock;
26184 unsigned curlen, cmdbytes;
26186 - unsigned open_count;
26187 + local_t open_count;
26188 struct tty_struct *tty;
26189 struct tasklet_struct if_wake_tasklet;
26190 unsigned control_state;
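Review bot: `local_t` is the wrong primitive for `open_count` unless the field says why it is safe: local_t operations are guaranteed atomic only against interruption on the same CPU (on x86 they are the non-LOCK-prefixed forms), not against concurrent updates from another CPU, and this counter belongs to the card state, not to a CPU. The if_open/if_close hunks later in this diff appear to run under a mutex (if_open returns -ERESTARTSYS right before the increment, consistent with an interruptible mutex acquisition), which would make `local_inc_return`/`local_dec_return` correct in practice, but that dependency should be recorded on the field: `local_t open_count; /* tty open count; updates serialized by the cardstate mutex, local_t only guards against same-CPU reentrancy */`. If cross-CPU atomicity without the mutex is the goal, atomic_t is the right type. The mutex itself is not visible here, and struct cardstate extends beyond the hunk.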
26191 diff -urNp linux-2.6.38.4/drivers/isdn/gigaset/interface.c linux-2.6.38.4/drivers/isdn/gigaset/interface.c
26192 --- linux-2.6.38.4/drivers/isdn/gigaset/interface.c 2011-03-14 21:20:32.000000000 -0400
26193 +++ linux-2.6.38.4/drivers/isdn/gigaset/interface.c 2011-04-17 15:57:32.000000000 -0400
26194 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
26195 return -ERESTARTSYS;
26196 tty->driver_data = cs;
26198 - ++cs->open_count;
26200 - if (cs->open_count == 1) {
26201 + if (local_inc_return(&cs->open_count) == 1) {
26202 spin_lock_irqsave(&cs->lock, flags);
26204 spin_unlock_irqrestore(&cs->lock, flags);
26205 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
26207 if (!cs->connected)
26208 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26209 - else if (!cs->open_count)
26210 + else if (!local_read(&cs->open_count))
26211 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26213 - if (!--cs->open_count) {
26214 + if (!local_dec_return(&cs->open_count)) {
26215 spin_lock_irqsave(&cs->lock, flags);
26217 spin_unlock_irqrestore(&cs->lock, flags);
26218 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
26219 if (!cs->connected) {
26220 gig_dbg(DEBUG_IF, "not connected");
26222 - } else if (!cs->open_count)
26223 + } else if (!local_read(&cs->open_count))
26224 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26227 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
26231 - if (!cs->open_count) {
26232 + if (!local_read(&cs->open_count)) {
26233 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26236 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
26237 if (!cs->connected) {
26238 gig_dbg(DEBUG_IF, "not connected");
26240 - } else if (!cs->open_count)
26241 + } else if (!local_read(&cs->open_count))
26242 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26243 else if (cs->mstate != MS_LOCKED) {
26244 dev_warn(cs->dev, "can't write to unlocked device\n");
26245 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
26247 if (!cs->connected)
26248 gig_dbg(DEBUG_IF, "not connected");
26249 - else if (!cs->open_count)
26250 + else if (!local_read(&cs->open_count))
26251 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26252 else if (cs->mstate != MS_LOCKED)
26253 dev_warn(cs->dev, "can't write to unlocked device\n");
26254 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
26256 if (!cs->connected)
26257 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26258 - else if (!cs->open_count)
26259 + else if (!local_read(&cs->open_count))
26260 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26262 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26263 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
26265 if (!cs->connected)
26266 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26267 - else if (!cs->open_count)
26268 + else if (!local_read(&cs->open_count))
26269 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26271 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26272 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
26276 - if (!cs->open_count) {
26277 + if (!local_read(&cs->open_count)) {
26278 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26281 diff -urNp linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c
26282 --- linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c 2011-03-14 21:20:32.000000000 -0400
26283 +++ linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c 2011-04-17 15:57:32.000000000 -0400
26284 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
26287 if (t4file->user) {
26288 - if (copy_from_user(buf, dp, left))
26289 + if (left > sizeof buf || copy_from_user(buf, dp, left))
26292 memcpy(buf, dp, left);
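Review bot: The new `left > sizeof buf` guard covers only the copy_from_user branch; the `memcpy(buf, dp, left)` in the else branch on the last line copies the same `left` bytes into the same `buf` with no bound. If the check is defensive (the loop above, outside the hunk, is presumably what keeps `left` within the buffer), place it once before `if (t4file->user)` so both paths are covered, e.g. `if (left > sizeof buf) return -EINVAL;`, since a length problem reported as whatever the hidden copy-failure return yields would be misleading. b1_load_t4file starts and ends outside the hunk.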
26293 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
26296 if (config->user) {
26297 - if (copy_from_user(buf, dp, left))
26298 + if (left > sizeof buf || copy_from_user(buf, dp, left))
26301 memcpy(buf, dp, left);
26302 diff -urNp linux-2.6.38.4/drivers/isdn/icn/icn.c linux-2.6.38.4/drivers/isdn/icn/icn.c
26303 --- linux-2.6.38.4/drivers/isdn/icn/icn.c 2011-03-14 21:20:32.000000000 -0400
26304 +++ linux-2.6.38.4/drivers/isdn/icn/icn.c 2011-04-17 15:57:32.000000000 -0400
26305 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
26309 - if (copy_from_user(msg, buf, count))
26310 + if (count > sizeof msg || copy_from_user(msg, buf, count))
26313 memcpy(msg, buf, count);
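Review bot: The `count > sizeof msg` bound is attached to the user-copy branch only, while the kernel-side `memcpy(msg, buf, count)` in the else branch copies the same `count` into the same 60-byte-class stack buffer unchecked; either the bound matters, in which case it belongs before the `if` so both branches get it, or `count` is already clamped above (outside the hunk) and the new check is defensive and should say so in a comment. Failing an oversize length with the copy-failure return (not visible here) also conflates two different errors; `return -EINVAL;` for the length case reads better. icn_writecmd begins and ends outside the hunk.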
26314 diff -urNp linux-2.6.38.4/drivers/lguest/core.c linux-2.6.38.4/drivers/lguest/core.c
26315 --- linux-2.6.38.4/drivers/lguest/core.c 2011-03-14 21:20:32.000000000 -0400
26316 +++ linux-2.6.38.4/drivers/lguest/core.c 2011-04-17 15:57:32.000000000 -0400
26317 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
26318 * it's worked so far. The end address needs +1 because __get_vm_area
26319 * allocates an extra guard page, so we need space for that.
26322 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
26323 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26324 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
26325 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26327 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26328 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
26329 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26332 if (!switcher_vma) {
26334 printk("lguest: could not map switcher pages high\n");
26335 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
26336 * Now the Switcher is mapped at the right address, we can't fail!
26337 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
26339 - memcpy(switcher_vma->addr, start_switcher_text,
26340 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
26341 end_switcher_text - start_switcher_text);
26343 printk(KERN_INFO "lguest: mapped switcher at %p\n",
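Review bot: The memcpy into `switcher_vma->addr` now targets a mapping that the previous hunk allocates with VM_KERNEXEC under CONFIG_PAX_KERNEXEC, and nothing in view reconciles the page protection with that: if the executable region is mapped read-only, as KERNEXEC normally requires, the copy has to be bracketed by `pax_open_kernel();` / `pax_close_kernel();`, and if it is mapped writable instead, the Switcher stays a writable-and-executable region, which is the very thing KERNEXEC exists to eliminate. Whichever holds should be stated in a comment on the copy once the protection chosen by the map_vm_area() call (outside this excerpt) is confirmed. The `ktla_ktva()` on the source side is harmless when KERNEXEC is off provided it degrades to an identity, which its definition, not shown here, should be checked for.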
26344 diff -urNp linux-2.6.38.4/drivers/lguest/x86/core.c linux-2.6.38.4/drivers/lguest/x86/core.c
26345 --- linux-2.6.38.4/drivers/lguest/x86/core.c 2011-03-14 21:20:32.000000000 -0400
26346 +++ linux-2.6.38.4/drivers/lguest/x86/core.c 2011-04-17 15:57:32.000000000 -0400
26347 @@ -59,7 +59,7 @@ static struct {
26348 /* Offset from where switcher.S was compiled to where we've copied it */
26349 static unsigned long switcher_offset(void)
26351 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
26352 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
26355 /* This cpu's struct lguest_pages. */
26356 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
26357 * These copies are pretty cheap, so we do them unconditionally: */
26358 /* Save the current Host top-level page directory.
26361 +#ifdef CONFIG_PAX_PER_CPU_PGD
26362 + pages->state.host_cr3 = read_cr3();
26364 pages->state.host_cr3 = __pa(current->mm->pgd);
26368 * Set up the Guest's page tables to see this CPU's pages (and no
26369 * other CPU's pages).
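Review bot: Under CONFIG_PAX_PER_CPU_PGD the saved `host_cr3` is whatever this CPU has loaded right now, which is only the correct value to restore if the task cannot migrate between this `read_cr3()` and the switch into the guest; the original `__pa(current->mm->pgd)` carried no such dependency. If run_guest_once is always entered with interrupts disabled (the run loop that would guarantee that is outside this hunk), the requirement holds and should be written down next to the read: `/* per-CPU PGD: must be sampled on the CPU that runs the switcher, so callers keep interrupts off across this and the switch */`. copy_in_guest_info continues outside the hunk.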
26370 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
26371 * compiled-in switcher code and the high-mapped copy we just made.
26373 for (i = 0; i < IDT_ENTRIES; i++)
26374 - default_idt_entries[i] += switcher_offset();
26375 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
26378 * Set up the Switcher's per-cpu areas.
26379 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
26380 * it will be undisturbed when we switch. To change %cs and jump we
26381 * need this structure to feed to Intel's "lcall" instruction.
26383 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
26384 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
26385 lguest_entry.segment = LGUEST_CS;
26388 diff -urNp linux-2.6.38.4/drivers/lguest/x86/switcher_32.S linux-2.6.38.4/drivers/lguest/x86/switcher_32.S
26389 --- linux-2.6.38.4/drivers/lguest/x86/switcher_32.S 2011-03-14 21:20:32.000000000 -0400
26390 +++ linux-2.6.38.4/drivers/lguest/x86/switcher_32.S 2011-04-17 15:57:32.000000000 -0400
26392 #include <asm/page.h>
26393 #include <asm/segment.h>
26394 #include <asm/lguest.h>
26395 +#include <asm/processor-flags.h>
26397 // We mark the start of the code to copy
26398 // It's placed in .text tho it's never run here
26399 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
26400 // Changes type when we load it: damn Intel!
26401 // For after we switch over our page tables
26402 // That entry will be read-only: we'd crash.
26404 +#ifdef CONFIG_PAX_KERNEXEC
26406 + xor $X86_CR0_WP, %edx
26410 movl $(GDT_ENTRY_TSS*8), %edx
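Review bot: The KERNEXEC block inserted before `movl $(GDT_ENTRY_TSS*8), %edx` toggles CR0.WP with `xor $X86_CR0_WP, %edx` instead of clearing it, so the TSS-descriptor write below is unprotected only if WP happened to be set on entry; should the switcher ever be reached with WP already clear, the xor would turn write protection on and the `andb` into the GDT would fault. `andl $~X86_CR0_WP, %edx` here and `orl $X86_CR0_WP, %eax` in the matching restore in the next hunk express the intent without depending on the prior state. The `mov %cr0` instructions around the xor are not reproduced in this excerpt, so the register flow is inferred from the xor operands.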
26413 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
26414 // Let's clear it again for our return.
26415 // The GDT descriptor of the Host
26416 // Points to the table after two "size" bytes
26417 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
26418 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
26419 // Clear "used" from type field (byte 5, bit 2)
26420 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
26421 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
26423 +#ifdef CONFIG_PAX_KERNEXEC
26425 + xor $X86_CR0_WP, %eax
26429 // Once our page table's switched, the Guest is live!
26430 // The Host fades as we run this final step.
26431 @@ -295,13 +309,12 @@ deliver_to_host:
26432 // I consulted gcc, and it gave
26433 // These instructions, which I gladly credit:
26434 leal (%edx,%ebx,8), %eax
26435 - movzwl (%eax),%edx
26436 - movl 4(%eax), %eax
26439 + movl 4(%eax), %edx
26441 // Now the address of the handler's in %edx
26442 // We call it now: its "iret" drops us home.
26444 + ljmp $__KERNEL_CS, $1f
26447 // Every interrupt can come to us here
26448 // But we must truly tell each apart.
26449 diff -urNp linux-2.6.38.4/drivers/md/bitmap.c linux-2.6.38.4/drivers/md/bitmap.c
26450 --- linux-2.6.38.4/drivers/md/bitmap.c 2011-03-14 21:20:32.000000000 -0400
26451 +++ linux-2.6.38.4/drivers/md/bitmap.c 2011-04-17 15:57:32.000000000 -0400
26454 # define PRINTK(x...) printk(KERN_DEBUG x)
26456 -# define PRINTK(x...)
26457 +# define PRINTK(x...) do {} while (0)
26461 diff -urNp linux-2.6.38.4/drivers/md/dm-ioctl.c linux-2.6.38.4/drivers/md/dm-ioctl.c
26462 --- linux-2.6.38.4/drivers/md/dm-ioctl.c 2011-03-14 21:20:32.000000000 -0400
26463 +++ linux-2.6.38.4/drivers/md/dm-ioctl.c 2011-04-17 15:57:32.000000000 -0400
26464 @@ -1541,7 +1541,7 @@ static int validate_params(uint cmd, str
26465 cmd == DM_LIST_VERSIONS_CMD)
26468 - if ((cmd == DM_DEV_CREATE_CMD)) {
26469 + if (cmd == DM_DEV_CREATE_CMD) {
26470 if (!*param->name) {
26471 DMWARN("name not supplied when creating device");
26473 diff -urNp linux-2.6.38.4/drivers/md/dm-table.c linux-2.6.38.4/drivers/md/dm-table.c
26474 --- linux-2.6.38.4/drivers/md/dm-table.c 2011-03-14 21:20:32.000000000 -0400
26475 +++ linux-2.6.38.4/drivers/md/dm-table.c 2011-04-17 15:57:32.000000000 -0400
26476 @@ -372,7 +372,7 @@ static int device_area_is_invalid(struct
26480 - if ((start >= dev_size) || (start + len > dev_size)) {
26481 + if ((start >= dev_size) || (len > dev_size - start)) {
26482 DMWARN("%s: %s too small for target: "
26483 "start=%llu, len=%llu, dev_size=%llu",
26484 dm_device_name(ti->table->md), bdevname(bdev, b),
26485 diff -urNp linux-2.6.38.4/drivers/md/md.c linux-2.6.38.4/drivers/md/md.c
26486 --- linux-2.6.38.4/drivers/md/md.c 2011-03-14 21:20:32.000000000 -0400
26487 +++ linux-2.6.38.4/drivers/md/md.c 2011-04-17 15:57:32.000000000 -0400
26488 @@ -1889,7 +1889,7 @@ static int bind_rdev_to_array(mdk_rdev_t
26490 ko = &part_to_dev(rdev->bdev->bd_part)->kobj;
26491 if (sysfs_create_link(&rdev->kobj, ko, "block"))
26492 - /* failure here is OK */;
26493 + /* failure here is OK */{}
26494 rdev->sysfs_state = sysfs_get_dirent_safe(rdev->kobj.sd, "state");
26496 list_add_rcu(&rdev->same_set, &mddev->disks);
26497 @@ -2499,7 +2499,7 @@ slot_store(mdk_rdev_t *rdev, const char
26498 sysfs_notify_dirent_safe(rdev->sysfs_state);
26499 sprintf(nm, "rd%d", rdev->raid_disk);
26500 if (sysfs_create_link(&rdev->mddev->kobj, &rdev->kobj, nm))
26501 - /* failure here is OK */;
26502 + /* failure here is OK */{}
26503 /* don't wakeup anyone, leave that to userspace. */
26505 if (slot >= rdev->mddev->raid_disks &&
26506 @@ -4594,7 +4594,7 @@ int md_run(mddev_t *mddev)
26508 sprintf(nm, "rd%d", rdev->raid_disk);
26509 if (sysfs_create_link(&mddev->kobj, &rdev->kobj, nm))
26510 - /* failure here is OK */;
26511 + /* failure here is OK */{}
26514 set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
26515 @@ -6462,7 +6462,7 @@ static int md_seq_show(struct seq_file *
26516 chunk_kb ? "KB" : "B");
26517 if (bitmap->file) {
26518 seq_printf(seq, ", file: ");
26519 - seq_path(seq, &bitmap->file->f_path, " \t\n");
26520 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
26523 seq_printf(seq, "\n");
26524 @@ -6556,7 +6556,7 @@ static int is_mddev_idle(mddev_t *mddev,
26525 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
26526 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
26527 (int)part_stat_read(&disk->part0, sectors[1]) -
26528 - atomic_read(&disk->sync_io);
26529 + atomic_read_unchecked(&disk->sync_io);
26530 /* sync IO will cause sync_io to increase before the disk_stats
26531 * as sync_io is counted when a request starts, and
26532 * disk_stats is counted when it completes.
26533 @@ -7070,7 +7070,7 @@ static int remove_and_add_spares(mddev_t
26534 sprintf(nm, "rd%d", rdev->raid_disk);
26535 if (sysfs_create_link(&mddev->kobj,
26537 - /* failure here is OK */;
26538 + /* failure here is OK */{}
26540 md_new_event(mddev);
26541 set_bit(MD_CHANGE_DEVS, &mddev->flags);
26542 diff -urNp linux-2.6.38.4/drivers/md/md.h linux-2.6.38.4/drivers/md/md.h
26543 --- linux-2.6.38.4/drivers/md/md.h 2011-03-14 21:20:32.000000000 -0400
26544 +++ linux-2.6.38.4/drivers/md/md.h 2011-04-17 15:57:32.000000000 -0400
26545 @@ -360,7 +360,7 @@ static inline void rdev_dec_pending(mdk_
26547 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
26549 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26550 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26553 struct mdk_personality
26554 diff -urNp linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c
26555 --- linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-14 21:20:32.000000000 -0400
26556 +++ linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c 2011-04-17 15:57:32.000000000 -0400
26557 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
26558 const struct dvb_device *template, void *priv, int type)
26560 struct dvb_device *dvbdev;
26561 - struct file_operations *dvbdevfops;
26562 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
26563 struct device *clsdev;
26566 diff -urNp linux-2.6.38.4/drivers/media/radio/radio-cadet.c linux-2.6.38.4/drivers/media/radio/radio-cadet.c
26567 --- linux-2.6.38.4/drivers/media/radio/radio-cadet.c 2011-03-14 21:20:32.000000000 -0400
26568 +++ linux-2.6.38.4/drivers/media/radio/radio-cadet.c 2011-04-17 15:57:32.000000000 -0400
26569 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
26570 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
26571 mutex_unlock(&dev->lock);
26573 - if (copy_to_user(data, readbuf, i))
26574 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
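Review bot: The new bound at 26574 is evaluated only after the loop at 26570 has already written `readbuf[i++]`, so if `i` could reach `sizeof readbuf` the out-of-bounds write would have happened before the check; the limit belongs in the loop condition, e.g. `while (i < count && i < sizeof readbuf && dev->rdsin != dev->rdsout)`, with the post-check then only guarding the copy_to_user length. Whether `i` can actually exceed the buffer depends on the loop condition and the index widths, which are outside this hunk, so this may be belt-and-braces rather than a live overflow. cadet_read starts before the hunk and its return statements follow after it.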
26578 diff -urNp linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c
26579 --- linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c 2011-03-14 21:20:32.000000000 -0400
26580 +++ linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c 2011-04-17 15:57:32.000000000 -0400
26581 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
26585 -static struct file_operations lirc_fops = {
26586 +static const struct file_operations lirc_fops = {
26587 .owner = THIS_MODULE,
26588 .write = ir_lirc_transmit_ir,
26589 .unlocked_ioctl = ir_lirc_ioctl,
26590 diff -urNp linux-2.6.38.4/drivers/media/rc/lirc_dev.c linux-2.6.38.4/drivers/media/rc/lirc_dev.c
26591 --- linux-2.6.38.4/drivers/media/rc/lirc_dev.c 2011-03-14 21:20:32.000000000 -0400
26592 +++ linux-2.6.38.4/drivers/media/rc/lirc_dev.c 2011-04-17 15:57:32.000000000 -0400
26593 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
26597 -static struct file_operations lirc_dev_fops = {
26598 +static const struct file_operations lirc_dev_fops = {
26599 .owner = THIS_MODULE,
26600 .read = lirc_dev_fop_read,
26601 .write = lirc_dev_fop_write,
26602 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptbase.c linux-2.6.38.4/drivers/message/fusion/mptbase.c
26603 --- linux-2.6.38.4/drivers/message/fusion/mptbase.c 2011-03-14 21:20:32.000000000 -0400
26604 +++ linux-2.6.38.4/drivers/message/fusion/mptbase.c 2011-04-17 15:57:32.000000000 -0400
26605 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
26606 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
26607 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
26609 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26610 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
26612 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
26613 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
26617 * Rounding UP to nearest 4-kB boundary here...
26619 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptdebug.h linux-2.6.38.4/drivers/message/fusion/mptdebug.h
26620 --- linux-2.6.38.4/drivers/message/fusion/mptdebug.h 2011-03-14 21:20:32.000000000 -0400
26621 +++ linux-2.6.38.4/drivers/message/fusion/mptdebug.h 2011-04-17 15:57:32.000000000 -0400
26626 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
26627 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
26631 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptsas.c linux-2.6.38.4/drivers/message/fusion/mptsas.c
26632 --- linux-2.6.38.4/drivers/message/fusion/mptsas.c 2011-03-14 21:20:32.000000000 -0400
26633 +++ linux-2.6.38.4/drivers/message/fusion/mptsas.c 2011-04-17 15:57:32.000000000 -0400
26634 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
26638 +static inline void
26639 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26641 + if (phy_info->port_details) {
26642 + phy_info->port_details->rphy = rphy;
26643 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26644 + ioc->name, rphy));
26648 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26649 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26650 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26651 + ioc->name, rphy, rphy->dev.release));
26657 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
26658 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
26662 -static inline void
26663 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26665 - if (phy_info->port_details) {
26666 - phy_info->port_details->rphy = rphy;
26667 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26668 - ioc->name, rphy));
26672 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26673 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26674 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26675 - ioc->name, rphy, rphy->dev.release));
26679 static inline struct sas_port *
26680 mptsas_get_port(struct mptsas_phyinfo *phy_info)
26682 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptscsih.c linux-2.6.38.4/drivers/message/fusion/mptscsih.c
26683 --- linux-2.6.38.4/drivers/message/fusion/mptscsih.c 2011-03-14 21:20:32.000000000 -0400
26684 +++ linux-2.6.38.4/drivers/message/fusion/mptscsih.c 2011-04-17 15:57:32.000000000 -0400
26685 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
26687 h = shost_priv(SChost);
26690 - if (h->info_kbuf == NULL)
26691 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26692 - return h->info_kbuf;
26693 - h->info_kbuf[0] = '\0';
26697 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26698 - h->info_kbuf[size-1] = '\0';
26700 + if (h->info_kbuf == NULL)
26701 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26702 + return h->info_kbuf;
26703 + h->info_kbuf[0] = '\0';
26705 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26706 + h->info_kbuf[size-1] = '\0';
26708 return h->info_kbuf;
26710 diff -urNp linux-2.6.38.4/drivers/message/i2o/i2o_proc.c linux-2.6.38.4/drivers/message/i2o/i2o_proc.c
26711 --- linux-2.6.38.4/drivers/message/i2o/i2o_proc.c 2011-03-14 21:20:32.000000000 -0400
26712 +++ linux-2.6.38.4/drivers/message/i2o/i2o_proc.c 2011-04-17 15:57:32.000000000 -0400
26713 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
26714 "Array Controller Device"
26717 -static char *chtostr(u8 * chars, int n)
26721 - return strncat(tmp, (char *)chars, n);
26724 static int i2o_report_query_status(struct seq_file *seq, int block_status,
26727 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
26729 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
26730 seq_printf(seq, "%-#8x", ddm_table.module_id);
26731 - seq_printf(seq, "%-29s",
26732 - chtostr(ddm_table.module_name_version, 28));
26733 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
26734 seq_printf(seq, "%9d ", ddm_table.data_size);
26735 seq_printf(seq, "%8d", ddm_table.code_size);
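Review bot: `%-.28s` at 26733 drops the minimum field width that the old `%-29s` provided, so short module names are no longer padded and the `%9d` column that follows shifts left in the table; `%-29.28s` keeps both the padding and the 28-byte read limit. The same applies to `%-.28s` and `%-.8s` at 26743-26744, where `%-29.28s` and `%-9.8s` would preserve the layout. The precision is what makes the removal of chtostr safe for these fixed-size, possibly non-NUL-terminated fields, which is worth a one-line comment at the first use. i2o_seq_show_ddm_table's body continues outside the hunk.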
26737 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
26739 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
26740 seq_printf(seq, "%-#8x", dst->module_id);
26741 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
26742 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
26743 + seq_printf(seq, "%-.28s", dst->module_name_version);
26744 + seq_printf(seq, "%-.8s", dst->date);
26745 seq_printf(seq, "%8d ", dst->module_size);
26746 seq_printf(seq, "%8d ", dst->mpb_size);
26747 seq_printf(seq, "0x%04x", dst->module_flags);
26748 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
26749 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
26750 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
26751 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
26752 - seq_printf(seq, "Vendor info : %s\n",
26753 - chtostr((u8 *) (work32 + 2), 16));
26754 - seq_printf(seq, "Product info : %s\n",
26755 - chtostr((u8 *) (work32 + 6), 16));
26756 - seq_printf(seq, "Description : %s\n",
26757 - chtostr((u8 *) (work32 + 10), 16));
26758 - seq_printf(seq, "Product rev. : %s\n",
26759 - chtostr((u8 *) (work32 + 14), 8));
26760 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
26761 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
26762 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
26763 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
26765 seq_printf(seq, "Serial number : ");
26766 print_serial_number(seq, (u8 *) (work32 + 16),
26767 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
26770 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
26771 - seq_printf(seq, "Module name : %s\n",
26772 - chtostr(result.module_name, 24));
26773 - seq_printf(seq, "Module revision : %s\n",
26774 - chtostr(result.module_rev, 8));
26775 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
26776 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
26778 seq_printf(seq, "Serial number : ");
26779 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
26780 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
26784 - seq_printf(seq, "Device name : %s\n",
26785 - chtostr(result.device_name, 64));
26786 - seq_printf(seq, "Service name : %s\n",
26787 - chtostr(result.service_name, 64));
26788 - seq_printf(seq, "Physical name : %s\n",
26789 - chtostr(result.physical_location, 64));
26790 - seq_printf(seq, "Instance number : %s\n",
26791 - chtostr(result.instance_number, 4));
26792 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
26793 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
26794 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
26795 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
26799 diff -urNp linux-2.6.38.4/drivers/mfd/janz-cmodio.c linux-2.6.38.4/drivers/mfd/janz-cmodio.c
26800 --- linux-2.6.38.4/drivers/mfd/janz-cmodio.c 2011-03-14 21:20:32.000000000 -0400
26801 +++ linux-2.6.38.4/drivers/mfd/janz-cmodio.c 2011-04-17 15:57:32.000000000 -0400
26804 #include <linux/kernel.h>
26805 #include <linux/module.h>
26806 +#include <linux/slab.h>
26807 #include <linux/init.h>
26808 #include <linux/pci.h>
26809 #include <linux/interrupt.h>
26810 diff -urNp linux-2.6.38.4/drivers/misc/kgdbts.c linux-2.6.38.4/drivers/misc/kgdbts.c
26811 --- linux-2.6.38.4/drivers/misc/kgdbts.c 2011-03-14 21:20:32.000000000 -0400
26812 +++ linux-2.6.38.4/drivers/misc/kgdbts.c 2011-04-17 15:57:32.000000000 -0400
26813 @@ -118,7 +118,7 @@
26815 #define MAX_CONFIG_LEN 40
26817 -static struct kgdb_io kgdbts_io_ops;
26818 +static const struct kgdb_io kgdbts_io_ops;
26819 static char get_buf[BUFMAX];
26820 static int get_buf_cnt;
26821 static char put_buf[BUFMAX];
26822 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
26823 module_put(THIS_MODULE);
26826 -static struct kgdb_io kgdbts_io_ops = {
26827 +static const struct kgdb_io kgdbts_io_ops = {
26829 .read_char = kgdbts_get_char,
26830 .write_char = kgdbts_put_char,
26831 diff -urNp linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c
26832 --- linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c 2011-03-14 21:20:32.000000000 -0400
26833 +++ linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c 2011-04-17 15:57:32.000000000 -0400
26834 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26835 unsigned long nsec;
26837 nsec = CLKS2NSEC(clks);
26838 - atomic_long_inc(&mcs_op_statistics[op].count);
26839 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
26840 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26841 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26842 if (mcs_op_statistics[op].max < nsec)
26843 mcs_op_statistics[op].max = nsec;
26845 diff -urNp linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c
26846 --- linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c 2011-03-14 21:20:32.000000000 -0400
26847 +++ linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c 2011-04-17 15:57:32.000000000 -0400
26850 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26852 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26853 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26855 - unsigned long val = atomic_long_read(v);
26856 + unsigned long val = atomic_long_read_unchecked(v);
26858 seq_printf(s, "%16lu %s\n", val, id);
26860 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26862 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26863 for (op = 0; op < mcsop_last; op++) {
26864 - count = atomic_long_read(&mcs_op_statistics[op].count);
26865 - total = atomic_long_read(&mcs_op_statistics[op].total);
26866 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26867 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26868 max = mcs_op_statistics[op].max;
26869 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26870 count ? total / count : 0, max);
26871 diff -urNp linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h
26872 --- linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h 2011-03-14 21:20:32.000000000 -0400
26873 +++ linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h 2011-04-17 15:57:32.000000000 -0400
26874 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26877 struct gru_stats_s {
26878 - atomic_long_t vdata_alloc;
26879 - atomic_long_t vdata_free;
26880 - atomic_long_t gts_alloc;
26881 - atomic_long_t gts_free;
26882 - atomic_long_t gms_alloc;
26883 - atomic_long_t gms_free;
26884 - atomic_long_t gts_double_allocate;
26885 - atomic_long_t assign_context;
26886 - atomic_long_t assign_context_failed;
26887 - atomic_long_t free_context;
26888 - atomic_long_t load_user_context;
26889 - atomic_long_t load_kernel_context;
26890 - atomic_long_t lock_kernel_context;
26891 - atomic_long_t unlock_kernel_context;
26892 - atomic_long_t steal_user_context;
26893 - atomic_long_t steal_kernel_context;
26894 - atomic_long_t steal_context_failed;
26895 - atomic_long_t nopfn;
26896 - atomic_long_t asid_new;
26897 - atomic_long_t asid_next;
26898 - atomic_long_t asid_wrap;
26899 - atomic_long_t asid_reuse;
26900 - atomic_long_t intr;
26901 - atomic_long_t intr_cbr;
26902 - atomic_long_t intr_tfh;
26903 - atomic_long_t intr_spurious;
26904 - atomic_long_t intr_mm_lock_failed;
26905 - atomic_long_t call_os;
26906 - atomic_long_t call_os_wait_queue;
26907 - atomic_long_t user_flush_tlb;
26908 - atomic_long_t user_unload_context;
26909 - atomic_long_t user_exception;
26910 - atomic_long_t set_context_option;
26911 - atomic_long_t check_context_retarget_intr;
26912 - atomic_long_t check_context_unload;
26913 - atomic_long_t tlb_dropin;
26914 - atomic_long_t tlb_preload_page;
26915 - atomic_long_t tlb_dropin_fail_no_asid;
26916 - atomic_long_t tlb_dropin_fail_upm;
26917 - atomic_long_t tlb_dropin_fail_invalid;
26918 - atomic_long_t tlb_dropin_fail_range_active;
26919 - atomic_long_t tlb_dropin_fail_idle;
26920 - atomic_long_t tlb_dropin_fail_fmm;
26921 - atomic_long_t tlb_dropin_fail_no_exception;
26922 - atomic_long_t tfh_stale_on_fault;
26923 - atomic_long_t mmu_invalidate_range;
26924 - atomic_long_t mmu_invalidate_page;
26925 - atomic_long_t flush_tlb;
26926 - atomic_long_t flush_tlb_gru;
26927 - atomic_long_t flush_tlb_gru_tgh;
26928 - atomic_long_t flush_tlb_gru_zero_asid;
26930 - atomic_long_t copy_gpa;
26931 - atomic_long_t read_gpa;
26933 - atomic_long_t mesq_receive;
26934 - atomic_long_t mesq_receive_none;
26935 - atomic_long_t mesq_send;
26936 - atomic_long_t mesq_send_failed;
26937 - atomic_long_t mesq_noop;
26938 - atomic_long_t mesq_send_unexpected_error;
26939 - atomic_long_t mesq_send_lb_overflow;
26940 - atomic_long_t mesq_send_qlimit_reached;
26941 - atomic_long_t mesq_send_amo_nacked;
26942 - atomic_long_t mesq_send_put_nacked;
26943 - atomic_long_t mesq_page_overflow;
26944 - atomic_long_t mesq_qf_locked;
26945 - atomic_long_t mesq_qf_noop_not_full;
26946 - atomic_long_t mesq_qf_switch_head_failed;
26947 - atomic_long_t mesq_qf_unexpected_error;
26948 - atomic_long_t mesq_noop_unexpected_error;
26949 - atomic_long_t mesq_noop_lb_overflow;
26950 - atomic_long_t mesq_noop_qlimit_reached;
26951 - atomic_long_t mesq_noop_amo_nacked;
26952 - atomic_long_t mesq_noop_put_nacked;
26953 - atomic_long_t mesq_noop_page_overflow;
26954 + atomic_long_unchecked_t vdata_alloc;
26955 + atomic_long_unchecked_t vdata_free;
26956 + atomic_long_unchecked_t gts_alloc;
26957 + atomic_long_unchecked_t gts_free;
26958 + atomic_long_unchecked_t gms_alloc;
26959 + atomic_long_unchecked_t gms_free;
26960 + atomic_long_unchecked_t gts_double_allocate;
26961 + atomic_long_unchecked_t assign_context;
26962 + atomic_long_unchecked_t assign_context_failed;
26963 + atomic_long_unchecked_t free_context;
26964 + atomic_long_unchecked_t load_user_context;
26965 + atomic_long_unchecked_t load_kernel_context;
26966 + atomic_long_unchecked_t lock_kernel_context;
26967 + atomic_long_unchecked_t unlock_kernel_context;
26968 + atomic_long_unchecked_t steal_user_context;
26969 + atomic_long_unchecked_t steal_kernel_context;
26970 + atomic_long_unchecked_t steal_context_failed;
26971 + atomic_long_unchecked_t nopfn;
26972 + atomic_long_unchecked_t asid_new;
26973 + atomic_long_unchecked_t asid_next;
26974 + atomic_long_unchecked_t asid_wrap;
26975 + atomic_long_unchecked_t asid_reuse;
26976 + atomic_long_unchecked_t intr;
26977 + atomic_long_unchecked_t intr_cbr;
26978 + atomic_long_unchecked_t intr_tfh;
26979 + atomic_long_unchecked_t intr_spurious;
26980 + atomic_long_unchecked_t intr_mm_lock_failed;
26981 + atomic_long_unchecked_t call_os;
26982 + atomic_long_unchecked_t call_os_wait_queue;
26983 + atomic_long_unchecked_t user_flush_tlb;
26984 + atomic_long_unchecked_t user_unload_context;
26985 + atomic_long_unchecked_t user_exception;
26986 + atomic_long_unchecked_t set_context_option;
26987 + atomic_long_unchecked_t check_context_retarget_intr;
26988 + atomic_long_unchecked_t check_context_unload;
26989 + atomic_long_unchecked_t tlb_dropin;
26990 + atomic_long_unchecked_t tlb_preload_page;
26991 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26992 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26993 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26994 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26995 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26996 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26997 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26998 + atomic_long_unchecked_t tfh_stale_on_fault;
26999 + atomic_long_unchecked_t mmu_invalidate_range;
27000 + atomic_long_unchecked_t mmu_invalidate_page;
27001 + atomic_long_unchecked_t flush_tlb;
27002 + atomic_long_unchecked_t flush_tlb_gru;
27003 + atomic_long_unchecked_t flush_tlb_gru_tgh;
27004 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
27006 + atomic_long_unchecked_t copy_gpa;
27007 + atomic_long_unchecked_t read_gpa;
27009 + atomic_long_unchecked_t mesq_receive;
27010 + atomic_long_unchecked_t mesq_receive_none;
27011 + atomic_long_unchecked_t mesq_send;
27012 + atomic_long_unchecked_t mesq_send_failed;
27013 + atomic_long_unchecked_t mesq_noop;
27014 + atomic_long_unchecked_t mesq_send_unexpected_error;
27015 + atomic_long_unchecked_t mesq_send_lb_overflow;
27016 + atomic_long_unchecked_t mesq_send_qlimit_reached;
27017 + atomic_long_unchecked_t mesq_send_amo_nacked;
27018 + atomic_long_unchecked_t mesq_send_put_nacked;
27019 + atomic_long_unchecked_t mesq_page_overflow;
27020 + atomic_long_unchecked_t mesq_qf_locked;
27021 + atomic_long_unchecked_t mesq_qf_noop_not_full;
27022 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
27023 + atomic_long_unchecked_t mesq_qf_unexpected_error;
27024 + atomic_long_unchecked_t mesq_noop_unexpected_error;
27025 + atomic_long_unchecked_t mesq_noop_lb_overflow;
27026 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
27027 + atomic_long_unchecked_t mesq_noop_amo_nacked;
27028 + atomic_long_unchecked_t mesq_noop_put_nacked;
27029 + atomic_long_unchecked_t mesq_noop_page_overflow;
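Review bot: Every field of gru_stats_s is switched to `atomic_long_unchecked_t`, which exempts these counters from whatever overflow checking the checked atomics carry, and nothing in the header says why that is acceptable here; a comment on the struct, e.g. `/* statistics only: wraparound is harmless, so overflow-unchecked atomics are used deliberately */`, would stop a later cleanup from reverting them or from copying the pattern onto a reference count. The same applies to mcs_op_statistic at 27039-27040 and the STAT() macro at 27049.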
27033 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
27034 tghop_invalidate, mcsop_last};
27036 struct mcs_op_statistic {
27037 - atomic_long_t count;
27038 - atomic_long_t total;
27039 + atomic_long_unchecked_t count;
27040 + atomic_long_unchecked_t total;
27044 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
27046 #define STAT(id) do { \
27047 if (gru_options & OPT_STATS) \
27048 - atomic_long_inc(&gru_stats.id); \
27049 + atomic_long_inc_unchecked(&gru_stats.id); \
27052 #ifdef CONFIG_SGI_GRU_DEBUG
27053 diff -urNp linux-2.6.38.4/drivers/mtd/devices/doc2000.c linux-2.6.38.4/drivers/mtd/devices/doc2000.c
27054 --- linux-2.6.38.4/drivers/mtd/devices/doc2000.c 2011-03-14 21:20:32.000000000 -0400
27055 +++ linux-2.6.38.4/drivers/mtd/devices/doc2000.c 2011-04-17 15:57:32.000000000 -0400
27056 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
27058 /* The ECC will not be calculated correctly if less than 512 is written */
27060 - if (len != 0x200 && eccbuf)
27061 + if (len != 0x200)
27062 printk(KERN_WARNING
27063 "ECC needs a full sector write (adr: %lx size %lx)\n",
27064 (long) to, (long) len);
27065 diff -urNp linux-2.6.38.4/drivers/mtd/devices/doc2001.c linux-2.6.38.4/drivers/mtd/devices/doc2001.c
27066 --- linux-2.6.38.4/drivers/mtd/devices/doc2001.c 2011-03-14 21:20:32.000000000 -0400
27067 +++ linux-2.6.38.4/drivers/mtd/devices/doc2001.c 2011-04-17 15:57:32.000000000 -0400
27068 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
27069 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
27071 /* Don't allow read past end of device */
27072 - if (from >= this->totlen)
27073 + if (from >= this->totlen || !len)
27076 /* Don't allow a single read to cross a 512-byte block boundary */
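Review bot: Folding `!len` into the past-end test at 27073 sends a zero-length read down the same path as an out-of-range one, so a request that used to be a no-op now returns whatever that path returns (the return statement is just outside the hunk, presumably an error code). If the intent is to guard later arithmetic on `len`, say so in a comment, or handle the case explicitly in the usual read contract: `if (!len) { *retlen = 0; return 0; }`. doc_read starts before this hunk.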
27077 diff -urNp linux-2.6.38.4/drivers/mtd/nand/denali.c linux-2.6.38.4/drivers/mtd/nand/denali.c
27078 --- linux-2.6.38.4/drivers/mtd/nand/denali.c 2011-03-14 21:20:32.000000000 -0400
27079 +++ linux-2.6.38.4/drivers/mtd/nand/denali.c 2011-04-17 15:57:32.000000000 -0400
27081 #include <linux/pci.h>
27082 #include <linux/mtd/mtd.h>
27083 #include <linux/module.h>
27084 +#include <linux/slab.h>
27086 #include "denali.h"
27088 diff -urNp linux-2.6.38.4/drivers/mtd/ubi/build.c linux-2.6.38.4/drivers/mtd/ubi/build.c
27089 --- linux-2.6.38.4/drivers/mtd/ubi/build.c 2011-03-14 21:20:32.000000000 -0400
27090 +++ linux-2.6.38.4/drivers/mtd/ubi/build.c 2011-04-17 15:57:32.000000000 -0400
27091 @@ -1285,7 +1285,7 @@ module_exit(ubi_exit);
27092 static int __init bytes_str_to_int(const char *str)
27095 - unsigned long result;
27096 + unsigned long result, scale = 1;
27098 result = simple_strtoul(str, &endp, 0);
27099 if (str == endp || result >= INT_MAX) {
27100 @@ -1296,11 +1296,11 @@ static int __init bytes_str_to_int(const
27112 if (endp[1] == 'i' && endp[2] == 'B')
27115 @@ -1311,7 +1311,13 @@ static int __init bytes_str_to_int(const
27120 + if ((intoverflow_t)result*scale >= INT_MAX) {
27121 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
27126 + return result*scale;
27130 diff -urNp linux-2.6.38.4/drivers/net/e1000e/82571.c linux-2.6.38.4/drivers/net/e1000e/82571.c
27131 --- linux-2.6.38.4/drivers/net/e1000e/82571.c 2011-03-14 21:20:32.000000000 -0400
27132 +++ linux-2.6.38.4/drivers/net/e1000e/82571.c 2011-04-17 15:57:32.000000000 -0400
27133 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
27135 struct e1000_hw *hw = &adapter->hw;
27136 struct e1000_mac_info *mac = &hw->mac;
27137 - struct e1000_mac_operations *func = &mac->ops;
27138 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
27141 bool force_clear_smbi = false;
27142 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
27146 -static struct e1000_mac_operations e82571_mac_ops = {
27147 +static const struct e1000_mac_operations e82571_mac_ops = {
27148 /* .check_mng_mode: mac type dependent */
27149 /* .check_for_link: media type dependent */
27150 .id_led_init = e1000e_id_led_init,
27151 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
27152 .read_mac_addr = e1000_read_mac_addr_82571,
27155 -static struct e1000_phy_operations e82_phy_ops_igp = {
27156 +static const struct e1000_phy_operations e82_phy_ops_igp = {
27157 .acquire = e1000_get_hw_semaphore_82571,
27158 .check_polarity = e1000_check_polarity_igp,
27159 .check_reset_block = e1000e_check_reset_block_generic,
27160 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
27161 .cfg_on_link_up = NULL,
27164 -static struct e1000_phy_operations e82_phy_ops_m88 = {
27165 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
27166 .acquire = e1000_get_hw_semaphore_82571,
27167 .check_polarity = e1000_check_polarity_m88,
27168 .check_reset_block = e1000e_check_reset_block_generic,
27169 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
27170 .cfg_on_link_up = NULL,
27173 -static struct e1000_phy_operations e82_phy_ops_bm = {
27174 +static const struct e1000_phy_operations e82_phy_ops_bm = {
27175 .acquire = e1000_get_hw_semaphore_82571,
27176 .check_polarity = e1000_check_polarity_m88,
27177 .check_reset_block = e1000e_check_reset_block_generic,
27178 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
27179 .cfg_on_link_up = NULL,
27182 -static struct e1000_nvm_operations e82571_nvm_ops = {
27183 +static const struct e1000_nvm_operations e82571_nvm_ops = {
27184 .acquire = e1000_acquire_nvm_82571,
27185 .read = e1000e_read_nvm_eerd,
27186 .release = e1000_release_nvm_82571,
27187 diff -urNp linux-2.6.38.4/drivers/net/e1000e/e1000.h linux-2.6.38.4/drivers/net/e1000e/e1000.h
27188 --- linux-2.6.38.4/drivers/net/e1000e/e1000.h 2011-03-14 21:20:32.000000000 -0400
27189 +++ linux-2.6.38.4/drivers/net/e1000e/e1000.h 2011-04-17 15:57:32.000000000 -0400
27190 @@ -408,9 +408,9 @@ struct e1000_info {
27192 u32 max_hw_frame_size;
27193 s32 (*get_variants)(struct e1000_adapter *);
27194 - struct e1000_mac_operations *mac_ops;
27195 - struct e1000_phy_operations *phy_ops;
27196 - struct e1000_nvm_operations *nvm_ops;
27197 + const struct e1000_mac_operations *mac_ops;
27198 + const struct e1000_phy_operations *phy_ops;
27199 + const struct e1000_nvm_operations *nvm_ops;
27202 /* hardware capability, feature, and workaround flags */
27203 diff -urNp linux-2.6.38.4/drivers/net/e1000e/es2lan.c linux-2.6.38.4/drivers/net/e1000e/es2lan.c
27204 --- linux-2.6.38.4/drivers/net/e1000e/es2lan.c 2011-03-14 21:20:32.000000000 -0400
27205 +++ linux-2.6.38.4/drivers/net/e1000e/es2lan.c 2011-04-17 15:57:32.000000000 -0400
27206 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
27208 struct e1000_hw *hw = &adapter->hw;
27209 struct e1000_mac_info *mac = &hw->mac;
27210 - struct e1000_mac_operations *func = &mac->ops;
27211 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
27213 /* Set media type */
27214 switch (adapter->pdev->device) {
27215 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
27219 -static struct e1000_mac_operations es2_mac_ops = {
27220 +static const struct e1000_mac_operations es2_mac_ops = {
27221 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
27222 .id_led_init = e1000e_id_led_init,
27223 .check_mng_mode = e1000e_check_mng_mode_generic,
27224 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
27225 .setup_led = e1000e_setup_led_generic,
27228 -static struct e1000_phy_operations es2_phy_ops = {
27229 +static const struct e1000_phy_operations es2_phy_ops = {
27230 .acquire = e1000_acquire_phy_80003es2lan,
27231 .check_polarity = e1000_check_polarity_m88,
27232 .check_reset_block = e1000e_check_reset_block_generic,
27233 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
27234 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
27237 -static struct e1000_nvm_operations es2_nvm_ops = {
27238 +static const struct e1000_nvm_operations es2_nvm_ops = {
27239 .acquire = e1000_acquire_nvm_80003es2lan,
27240 .read = e1000e_read_nvm_eerd,
27241 .release = e1000_release_nvm_80003es2lan,
27242 diff -urNp linux-2.6.38.4/drivers/net/e1000e/hw.h linux-2.6.38.4/drivers/net/e1000e/hw.h
27243 --- linux-2.6.38.4/drivers/net/e1000e/hw.h 2011-03-14 21:20:32.000000000 -0400
27244 +++ linux-2.6.38.4/drivers/net/e1000e/hw.h 2011-04-17 15:57:32.000000000 -0400
27245 @@ -801,16 +801,17 @@ struct e1000_phy_operations {
27247 /* Function pointers for the NVM. */
27248 struct e1000_nvm_operations {
27249 - s32 (*acquire)(struct e1000_hw *);
27250 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27251 - void (*release)(struct e1000_hw *);
27252 - s32 (*update)(struct e1000_hw *);
27253 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
27254 - s32 (*validate)(struct e1000_hw *);
27255 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27256 + s32 (* acquire)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
27257 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27258 + void (* release)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
27259 + s32 (* const update)(struct e1000_hw *);
27260 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
27261 + s32 (* const validate)(struct e1000_hw *);
27262 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27265 struct e1000_mac_info {
27266 + /* cannot be const see e1000_init_mac_params_ich8lan */
27267 struct e1000_mac_operations ops;
27270 @@ -853,6 +854,7 @@ struct e1000_mac_info {
27273 struct e1000_phy_info {
27274 + /* Cannot be const see e1000_init_phy_params_82571() */
27275 struct e1000_phy_operations ops;
27277 enum e1000_phy_type type;
27278 @@ -887,6 +889,7 @@ struct e1000_phy_info {
27281 struct e1000_nvm_info {
27282 + /* cannot be const */
27283 struct e1000_nvm_operations ops;
27285 enum e1000_nvm_type type;
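Review bot: The `/* cannot be const */` added above `struct e1000_nvm_operations ops;` in struct e1000_nvm_info gives no reason, while the neighbouring mac and phy comments name the initialiser that writes the ops; the reason is already visible two hunks up, where acquire and release in struct e1000_nvm_operations are left non-const because e1000_init_nvm_params_82571() assigns them, so `/* cannot be const: acquire/release are assigned in e1000_init_nvm_params_82571() */` would make all three comments self-explanatory. The non-const declarators also change to `(* acquire)` and `(* release)` with a space before the name, which departs from the `(*acquire)` form the struct used before; `s32 (*acquire)(struct e1000_hw *);` keeps the file's style for members that stay writable. The same unexplained `/* cannot be const */` appears on struct e1000_nvm_info in drivers/net/igb/e1000_hw.h.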
27286 diff -urNp linux-2.6.38.4/drivers/net/e1000e/ich8lan.c linux-2.6.38.4/drivers/net/e1000e/ich8lan.c
27287 --- linux-2.6.38.4/drivers/net/e1000e/ich8lan.c 2011-03-14 21:20:32.000000000 -0400
27288 +++ linux-2.6.38.4/drivers/net/e1000e/ich8lan.c 2011-04-17 15:57:32.000000000 -0400
27289 @@ -3840,7 +3840,7 @@ static void e1000_clear_hw_cntrs_ich8lan
27293 -static struct e1000_mac_operations ich8_mac_ops = {
27294 +static const struct e1000_mac_operations ich8_mac_ops = {
27295 .id_led_init = e1000e_id_led_init,
27296 /* check_mng_mode dependent on mac type */
27297 .check_for_link = e1000_check_for_copper_link_ich8lan,
27298 @@ -3859,7 +3859,7 @@ static struct e1000_mac_operations ich8_
27299 /* id_led_init dependent on mac type */
27302 -static struct e1000_phy_operations ich8_phy_ops = {
27303 +static const struct e1000_phy_operations ich8_phy_ops = {
27304 .acquire = e1000_acquire_swflag_ich8lan,
27305 .check_reset_block = e1000_check_reset_block_ich8lan,
27307 @@ -3873,7 +3873,7 @@ static struct e1000_phy_operations ich8_
27308 .write_reg = e1000e_write_phy_reg_igp,
27311 -static struct e1000_nvm_operations ich8_nvm_ops = {
27312 +static const struct e1000_nvm_operations ich8_nvm_ops = {
27313 .acquire = e1000_acquire_nvm_ich8lan,
27314 .read = e1000_read_nvm_ich8lan,
27315 .release = e1000_release_nvm_ich8lan,
27316 diff -urNp linux-2.6.38.4/drivers/net/igb/e1000_82575.c linux-2.6.38.4/drivers/net/igb/e1000_82575.c
27317 --- linux-2.6.38.4/drivers/net/igb/e1000_82575.c 2011-03-14 21:20:32.000000000 -0400
27318 +++ linux-2.6.38.4/drivers/net/igb/e1000_82575.c 2011-04-17 15:57:32.000000000 -0400
27319 @@ -1747,7 +1747,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
27323 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
27324 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
27325 .init_hw = igb_init_hw_82575,
27326 .check_for_link = igb_check_for_link_82575,
27327 .rar_set = igb_rar_set,
27328 @@ -1755,13 +1755,13 @@ static struct e1000_mac_operations e1000
27329 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
27332 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
27333 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
27334 .acquire = igb_acquire_phy_82575,
27335 .get_cfg_done = igb_get_cfg_done_82575,
27336 .release = igb_release_phy_82575,
27339 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27340 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27341 .acquire = igb_acquire_nvm_82575,
27342 .read = igb_read_nvm_eerd,
27343 .release = igb_release_nvm_82575,
27344 diff -urNp linux-2.6.38.4/drivers/net/igb/e1000_hw.h linux-2.6.38.4/drivers/net/igb/e1000_hw.h
27345 --- linux-2.6.38.4/drivers/net/igb/e1000_hw.h 2011-03-14 21:20:32.000000000 -0400
27346 +++ linux-2.6.38.4/drivers/net/igb/e1000_hw.h 2011-04-17 15:57:32.000000000 -0400
27347 @@ -327,22 +327,23 @@ struct e1000_phy_operations {
27350 struct e1000_nvm_operations {
27351 - s32 (*acquire)(struct e1000_hw *);
27352 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27353 - void (*release)(struct e1000_hw *);
27354 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27355 + s32 (* const acquire)(struct e1000_hw *);
27356 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27357 + void (* const release)(struct e1000_hw *);
27358 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27361 struct e1000_info {
27362 s32 (*get_invariants)(struct e1000_hw *);
27363 - struct e1000_mac_operations *mac_ops;
27364 - struct e1000_phy_operations *phy_ops;
27365 - struct e1000_nvm_operations *nvm_ops;
27366 + const struct e1000_mac_operations *mac_ops;
27367 + const struct e1000_phy_operations *phy_ops;
27368 + const struct e1000_nvm_operations *nvm_ops;
27371 extern const struct e1000_info e1000_82575_info;
27373 struct e1000_mac_info {
27374 + /* cannot be const see igb_get_invariants_82575() */
27375 struct e1000_mac_operations ops;
27378 @@ -381,6 +382,7 @@ struct e1000_mac_info {
27381 struct e1000_phy_info {
27382 + /* cannot be const see igb_get_invariants_82575() */
27383 struct e1000_phy_operations ops;
27385 enum e1000_phy_type type;
27386 @@ -416,6 +418,7 @@ struct e1000_phy_info {
27389 struct e1000_nvm_info {
27390 + /* cannot be const */
27391 struct e1000_nvm_operations ops;
27393 enum e1000_nvm_type type;
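Review bot: In struct e1000_info the pointers mac_ops, phy_ops and nvm_ops become `const struct ... *`, but `s32 (*get_invariants)(struct e1000_hw *);` on the line above them keeps a writable function pointer even though the only instance visible here, `e1000_82575_info`, is declared `extern const`. For consistency with the `(* const ...)` members added to struct e1000_nvm_operations in the same hunk, `s32 (* const get_invariants)(struct e1000_hw *);` would close that gap, provided nothing assigns it after initialisation (callers are not visible in this section). The comments on the three `ops` members also differ in case and detail (`/* cannot be const see igb_get_invariants_82575() */` twice, then a bare `/* cannot be const */`); one wording naming the initialiser on all three reads better.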
27394 diff -urNp linux-2.6.38.4/drivers/net/igbvf/vf.h linux-2.6.38.4/drivers/net/igbvf/vf.h
27395 --- linux-2.6.38.4/drivers/net/igbvf/vf.h 2011-03-14 21:20:32.000000000 -0400
27396 +++ linux-2.6.38.4/drivers/net/igbvf/vf.h 2011-04-17 15:57:32.000000000 -0400
27397 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
27400 struct e1000_mac_info {
27401 + /* cannot be const see e1000_init_mac_params_vf() */
27402 struct e1000_mac_operations ops;
27405 diff -urNp linux-2.6.38.4/drivers/net/irda/vlsi_ir.c linux-2.6.38.4/drivers/net/irda/vlsi_ir.c
27406 --- linux-2.6.38.4/drivers/net/irda/vlsi_ir.c 2011-03-14 21:20:32.000000000 -0400
27407 +++ linux-2.6.38.4/drivers/net/irda/vlsi_ir.c 2011-04-17 15:57:32.000000000 -0400
27408 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
27409 /* no race - tx-ring already empty */
27410 vlsi_set_baud(idev, iobase);
27411 netif_wake_queue(ndev);
27416 /* keep the speed change pending like it would
27417 * for any len>0 packet. tx completion interrupt
27418 * will apply it when the tx ring becomes empty.
27421 spin_unlock_irqrestore(&idev->lock, flags);
27422 dev_kfree_skb_any(skb);
27423 return NETDEV_TX_OK;
27424 diff -urNp linux-2.6.38.4/drivers/net/pcnet32.c linux-2.6.38.4/drivers/net/pcnet32.c
27425 --- linux-2.6.38.4/drivers/net/pcnet32.c 2011-03-14 21:20:32.000000000 -0400
27426 +++ linux-2.6.38.4/drivers/net/pcnet32.c 2011-04-17 15:57:32.000000000 -0400
27427 @@ -82,7 +82,7 @@ static int cards_found;
27429 * VLB I/O addresses
27431 -static unsigned int pcnet32_portlist[] __initdata =
27432 +static unsigned int pcnet32_portlist[] __devinitdata =
27433 { 0x300, 0x320, 0x340, 0x360, 0 };
27435 static int pcnet32_debug;
27436 diff -urNp linux-2.6.38.4/drivers/net/ppp_generic.c linux-2.6.38.4/drivers/net/ppp_generic.c
27437 --- linux-2.6.38.4/drivers/net/ppp_generic.c 2011-03-14 21:20:32.000000000 -0400
27438 +++ linux-2.6.38.4/drivers/net/ppp_generic.c 2011-04-17 15:57:32.000000000 -0400
27439 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, st
27440 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
27441 struct ppp_stats stats;
27442 struct ppp_comp_stats cstats;
27446 case SIOCGPPPSTATS:
27447 @@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, st
27451 - vers = PPP_VERSION;
27452 - if (copy_to_user(addr, vers, strlen(vers) + 1))
27453 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
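Review bot: The new `copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION))` is only equivalent to the removed `strlen(vers) + 1` while PPP_VERSION remains a string-literal macro; if it were ever redefined as a `const char *`, sizeof silently becomes the pointer size and the copy is truncated, a failure mode the old form did not have. A one-line comment pins the assumption at the call site, e.g. `/* PPP_VERSION is a string literal: sizeof includes the terminating NUL */`. ppp_net_ioctl continues outside the hunk.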
27457 diff -urNp linux-2.6.38.4/drivers/net/tg3.h linux-2.6.38.4/drivers/net/tg3.h
27458 --- linux-2.6.38.4/drivers/net/tg3.h 2011-03-14 21:20:32.000000000 -0400
27459 +++ linux-2.6.38.4/drivers/net/tg3.h 2011-04-17 15:57:32.000000000 -0400
27460 @@ -131,6 +131,7 @@
27461 #define CHIPREV_ID_5750_A0 0x4000
27462 #define CHIPREV_ID_5750_A1 0x4001
27463 #define CHIPREV_ID_5750_A3 0x4003
27464 +#define CHIPREV_ID_5750_C1 0x4201
27465 #define CHIPREV_ID_5750_C2 0x4202
27466 #define CHIPREV_ID_5752_A0_HW 0x5000
27467 #define CHIPREV_ID_5752_A0 0x6000
27468 diff -urNp linux-2.6.38.4/drivers/net/tulip/de4x5.c linux-2.6.38.4/drivers/net/tulip/de4x5.c
27469 --- linux-2.6.38.4/drivers/net/tulip/de4x5.c 2011-03-14 21:20:32.000000000 -0400
27470 +++ linux-2.6.38.4/drivers/net/tulip/de4x5.c 2011-04-17 15:57:32.000000000 -0400
27471 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
27472 for (i=0; i<ETH_ALEN; i++) {
27473 tmp.addr[i] = dev->dev_addr[i];
27475 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27476 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27479 case DE4X5_SET_HWADDR: /* Set the hardware address */
27480 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
27481 spin_lock_irqsave(&lp->lock, flags);
27482 memcpy(&statbuf, &lp->pktStats, ioc->len);
27483 spin_unlock_irqrestore(&lp->lock, flags);
27484 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
27485 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
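Review bot: The added `ioc->len > sizeof statbuf` test in the DE4X5_GET_STATS case comes one statement too late: `memcpy(&statbuf, &lp->pktStats, ioc->len);` on the line above has already copied ioc->len bytes into the stack buffer under the lock. If ioc->len is normalised to the size of lp->pktStats before this hunk (the lines ahead of spin_lock_irqsave are not visible), the new guard is redundant; if it is not, the guard has to precede the memcpy, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;` before spin_lock_irqsave, so the oversized copy never happens. The GET_HWADDR hunk above is safer in this respect because its loop is bounded by ETH_ALEN rather than by ioc->len. de4x5_ioctl continues outside both hunks.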
27489 diff -urNp linux-2.6.38.4/drivers/net/usb/hso.c linux-2.6.38.4/drivers/net/usb/hso.c
27490 --- linux-2.6.38.4/drivers/net/usb/hso.c 2011-03-14 21:20:32.000000000 -0400
27491 +++ linux-2.6.38.4/drivers/net/usb/hso.c 2011-04-17 15:57:32.000000000 -0400
27493 #include <asm/byteorder.h>
27494 #include <linux/serial_core.h>
27495 #include <linux/serial.h>
27497 +#include <asm/local.h>
27499 #define MOD_AUTHOR "Option Wireless"
27500 #define MOD_DESCRIPTION "USB High Speed Option driver"
27501 @@ -257,7 +257,7 @@ struct hso_serial {
27503 /* from usb_serial_port */
27504 struct tty_struct *tty;
27506 + local_t open_count;
27507 spinlock_t serial_lock;
27509 int (*write_data) (struct hso_serial *serial);
27510 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
27513 urb = serial->rx_urb[0];
27514 - if (serial->open_count > 0) {
27515 + if (local_read(&serial->open_count) > 0) {
27516 count = put_rxbuf_data(urb, serial);
27519 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
27520 DUMP1(urb->transfer_buffer, urb->actual_length);
27522 /* Anyone listening? */
27523 - if (serial->open_count == 0)
27524 + if (local_read(&serial->open_count) == 0)
27528 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
27529 spin_unlock_irq(&serial->serial_lock);
27531 /* check for port already opened, if not set the termios */
27532 - serial->open_count++;
27533 - if (serial->open_count == 1) {
27534 + if (local_inc_return(&serial->open_count) == 1) {
27535 serial->rx_state = RX_IDLE;
27536 /* Force default termio settings */
27537 _hso_serial_set_termios(tty, NULL);
27538 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
27539 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
27541 hso_stop_serial_device(serial->parent);
27542 - serial->open_count--;
27543 + local_dec(&serial->open_count);
27544 kref_put(&serial->parent->ref, hso_serial_ref_free);
27547 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
27549 /* reset the rts and dtr */
27550 /* do the actual close */
27551 - serial->open_count--;
27552 + local_dec(&serial->open_count);
27554 - if (serial->open_count <= 0) {
27555 - serial->open_count = 0;
27556 + if (local_read(&serial->open_count) <= 0) {
27557 + local_set(&serial->open_count, 0);
27558 spin_lock_irq(&serial->serial_lock);
27559 if (serial->tty == tty) {
27560 serial->tty->driver_data = NULL;
27561 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
27563 /* the actual setup */
27564 spin_lock_irqsave(&serial->serial_lock, flags);
27565 - if (serial->open_count)
27566 + if (local_read(&serial->open_count))
27567 _hso_serial_set_termios(tty, old);
27569 tty->termios = old;
27570 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
27571 D1("Pending read interrupt on port %d\n", i);
27572 spin_lock(&serial->serial_lock);
27573 if (serial->rx_state == RX_IDLE &&
27574 - serial->open_count > 0) {
27575 + local_read(&serial->open_count) > 0) {
27576 /* Setup and send a ctrl req read on
27578 if (!serial->rx_urb_filled[0]) {
27579 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
27580 /* Start all serial ports */
27581 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
27582 if (serial_table[i] && (serial_table[i]->interface == iface)) {
27583 - if (dev2ser(serial_table[i])->open_count) {
27584 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
27586 hso_start_serial_device(serial_table[i], GFP_NOIO);
27587 hso_kick_transmit(dev2ser(serial_table[i]));
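Review bot: In hso_serial_close the decrement and the test remain two separate operations, `local_dec(&serial->open_count);` followed by `if (local_read(&serial->open_count) <= 0)`, whereas the hso_serial_open hunk folds the same pair into `local_inc_return(...) == 1`; `if (local_dec_return(&serial->open_count) <= 0) {` mirrors the open path and removes the window in which a concurrent open can run between the decrement and the read. Beyond that, local_t only guarantees atomicity against interrupts on the same CPU, so this change on its own does not make open_count safe across CPUs; unless every access is already serialised by serial_lock or the tty layer (not visible in these hunks), a comment on the new `local_t open_count;` member stating what makes local_t sufficient would help the next reader. Both hso_serial_open and hso_serial_close continue outside their hunks.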
27588 diff -urNp linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c
27589 --- linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-04-18 17:27:18.000000000 -0400
27590 +++ linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-04-17 16:53:41.000000000 -0400
27591 @@ -628,8 +628,7 @@ vmxnet3_set_rss_indir(struct net_device
27592 * Return with error code if any of the queue indices
27595 - if (p->ring_index[i] < 0 ||
27596 - p->ring_index[i] >= adapter->num_rx_queues)
27597 + if (p->ring_index[i] >= adapter->num_rx_queues)
27601 diff -urNp linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c
27602 --- linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c 2011-03-14 21:20:32.000000000 -0400
27603 +++ linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c 2011-04-17 15:57:32.000000000 -0400
27604 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
27605 struct b43_debugfs_fops {
27606 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
27607 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
27608 - struct file_operations fops;
27609 + const struct file_operations fops;
27610 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
27611 size_t file_struct_offset;
27613 diff -urNp linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c
27614 --- linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c 2011-03-14 21:20:32.000000000 -0400
27615 +++ linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c 2011-04-17 15:57:32.000000000 -0400
27616 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
27617 struct b43legacy_debugfs_fops {
27618 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
27619 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
27620 - struct file_operations fops;
27621 + const struct file_operations fops;
27622 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
27623 size_t file_struct_offset;
27624 /* Take wl->irq_lock before calling read/write? */
27625 diff -urNp linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h
27626 --- linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-14 21:20:32.000000000 -0400
27627 +++ linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-17 15:57:32.000000000 -0400
27628 @@ -68,8 +68,8 @@ do {
27632 -#define IWL_DEBUG(__priv, level, fmt, args...)
27633 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
27634 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
27635 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
27636 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
27637 const void *p, u32 len)
27639 diff -urNp linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c
27640 --- linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c 2011-03-14 21:20:32.000000000 -0400
27641 +++ linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c 2011-04-17 15:57:32.000000000 -0400
27642 @@ -702,7 +702,7 @@ out_unlock:
27643 struct lbs_debugfs_files {
27646 - struct file_operations fops;
27647 + const struct file_operations fops;
27650 static const struct lbs_debugfs_files debugfs_files[] = {
27651 diff -urNp linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c
27652 --- linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c 2011-03-14 21:20:32.000000000 -0400
27653 +++ linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c 2011-04-17 15:57:32.000000000 -0400
27654 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
27656 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
27658 - if (rts_threshold < 0 || rts_threshold > 2347)
27659 + if (rts_threshold > 2347)
27660 rts_threshold = 2347;
27662 tmp = cpu_to_le32(rts_threshold);
27663 diff -urNp linux-2.6.38.4/drivers/oprofile/buffer_sync.c linux-2.6.38.4/drivers/oprofile/buffer_sync.c
27664 --- linux-2.6.38.4/drivers/oprofile/buffer_sync.c 2011-03-14 21:20:32.000000000 -0400
27665 +++ linux-2.6.38.4/drivers/oprofile/buffer_sync.c 2011-04-17 15:57:32.000000000 -0400
27666 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
27667 if (cookie == NO_COOKIE)
27669 if (cookie == INVALID_COOKIE) {
27670 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27671 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27674 if (cookie != last_cookie) {
27675 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
27676 /* add userspace sample */
27679 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
27680 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
27684 cookie = lookup_dcookie(mm, s->eip, &offset);
27686 if (cookie == INVALID_COOKIE) {
27687 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27688 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27692 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
27693 /* ignore backtraces if failed to add a sample */
27694 if (state == sb_bt_start) {
27695 state = sb_bt_ignore;
27696 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
27697 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
27701 diff -urNp linux-2.6.38.4/drivers/oprofile/event_buffer.c linux-2.6.38.4/drivers/oprofile/event_buffer.c
27702 --- linux-2.6.38.4/drivers/oprofile/event_buffer.c 2011-03-14 21:20:32.000000000 -0400
27703 +++ linux-2.6.38.4/drivers/oprofile/event_buffer.c 2011-04-17 15:57:32.000000000 -0400
27704 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
27707 if (buffer_pos == buffer_size) {
27708 - atomic_inc(&oprofile_stats.event_lost_overflow);
27709 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
27713 diff -urNp linux-2.6.38.4/drivers/oprofile/oprof.c linux-2.6.38.4/drivers/oprofile/oprof.c
27714 --- linux-2.6.38.4/drivers/oprofile/oprof.c 2011-03-14 21:20:32.000000000 -0400
27715 +++ linux-2.6.38.4/drivers/oprofile/oprof.c 2011-04-17 15:57:32.000000000 -0400
27716 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
27717 if (oprofile_ops.switch_events())
27720 - atomic_inc(&oprofile_stats.multiplex_counter);
27721 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
27722 start_switch_worker();
27725 diff -urNp linux-2.6.38.4/drivers/oprofile/oprofilefs.c linux-2.6.38.4/drivers/oprofile/oprofilefs.c
27726 --- linux-2.6.38.4/drivers/oprofile/oprofilefs.c 2011-03-14 21:20:32.000000000 -0400
27727 +++ linux-2.6.38.4/drivers/oprofile/oprofilefs.c 2011-04-17 15:57:32.000000000 -0400
27728 @@ -186,7 +186,7 @@ static const struct file_operations atom
27731 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
27732 - char const *name, atomic_t *val)
27733 + char const *name, atomic_unchecked_t *val)
27735 return __oprofilefs_create_file(sb, root, name,
27736 &atomic_ro_fops, 0444, val);
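Review bot: The prototype of oprofilefs_create_ro_atomic now takes `atomic_unchecked_t *val`, but `val` is handed to __oprofilefs_create_file as untyped private data, and the read handler behind atomic_ro_fops (outside the hunk) presumably casts it back to `atomic_t *` and calls atomic_read(); that reader must be converted to `atomic_unchecked_t *` and `atomic_read_unchecked()` in the same change, otherwise the two sides of the file disagree on the pointee type. Every other caller of this helper also has to pass an `atomic_unchecked_t` now; the oprofile_stats.h hunk covers the oprofile_stats counters but callers elsewhere are not visible here.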
27737 diff -urNp linux-2.6.38.4/drivers/oprofile/oprofile_stats.c linux-2.6.38.4/drivers/oprofile/oprofile_stats.c
27738 --- linux-2.6.38.4/drivers/oprofile/oprofile_stats.c 2011-03-14 21:20:32.000000000 -0400
27739 +++ linux-2.6.38.4/drivers/oprofile/oprofile_stats.c 2011-04-17 15:57:32.000000000 -0400
27740 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
27741 cpu_buf->sample_invalid_eip = 0;
27744 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
27745 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
27746 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
27747 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
27748 - atomic_set(&oprofile_stats.multiplex_counter, 0);
27749 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
27750 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
27751 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
27752 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
27753 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
27757 diff -urNp linux-2.6.38.4/drivers/oprofile/oprofile_stats.h linux-2.6.38.4/drivers/oprofile/oprofile_stats.h
27758 --- linux-2.6.38.4/drivers/oprofile/oprofile_stats.h 2011-03-14 21:20:32.000000000 -0400
27759 +++ linux-2.6.38.4/drivers/oprofile/oprofile_stats.h 2011-04-17 15:57:32.000000000 -0400
27760 @@ -13,11 +13,11 @@
27761 #include <asm/atomic.h>
27763 struct oprofile_stat_struct {
27764 - atomic_t sample_lost_no_mm;
27765 - atomic_t sample_lost_no_mapping;
27766 - atomic_t bt_lost_no_mapping;
27767 - atomic_t event_lost_overflow;
27768 - atomic_t multiplex_counter;
27769 + atomic_unchecked_t sample_lost_no_mm;
27770 + atomic_unchecked_t sample_lost_no_mapping;
27771 + atomic_unchecked_t bt_lost_no_mapping;
27772 + atomic_unchecked_t event_lost_overflow;
27773 + atomic_unchecked_t multiplex_counter;
27776 extern struct oprofile_stat_struct oprofile_stats;
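Review bot: The five counters in struct oprofile_stat_struct switch to `atomic_unchecked_t` without a word in the header, and a reader unfamiliar with the convention will see an unexplained downgrade of an atomic type. A one-line comment above the struct would record the reason, e.g. `/* statistics counters only: wraparound is harmless, so they are kept out of refcount overflow checking */`, assuming that is indeed the motive (the checked/unchecked split is defined outside this file).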
27777 diff -urNp linux-2.6.38.4/drivers/parport/procfs.c linux-2.6.38.4/drivers/parport/procfs.c
27778 --- linux-2.6.38.4/drivers/parport/procfs.c 2011-03-14 21:20:32.000000000 -0400
27779 +++ linux-2.6.38.4/drivers/parport/procfs.c 2011-04-17 15:57:32.000000000 -0400
27780 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
27784 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
27785 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
27788 #ifdef CONFIG_PARPORT_1284
27789 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
27793 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
27794 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
27796 #endif /* IEEE1284.3 support. */
27798 diff -urNp linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c
27799 --- linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c 2011-04-18 17:27:16.000000000 -0400
27800 +++ linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c 2011-04-17 15:57:32.000000000 -0400
27801 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
27805 -static struct acpi_dock_ops acpiphp_dock_ops = {
27806 +static const struct acpi_dock_ops acpiphp_dock_ops = {
27807 .handler = handle_hotplug_event_func,
27810 diff -urNp linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c
27811 --- linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-14 21:20:32.000000000 -0400
27812 +++ linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-17 15:57:32.000000000 -0400
27813 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27815 void compaq_nvram_init (void __iomem *rom_start)
27818 +#ifndef CONFIG_PAX_KERNEXEC
27820 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27824 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27826 /* initialize our int15 lock */
27827 diff -urNp linux-2.6.38.4/drivers/pci/intel-iommu.c linux-2.6.38.4/drivers/pci/intel-iommu.c
27828 --- linux-2.6.38.4/drivers/pci/intel-iommu.c 2011-03-14 21:20:32.000000000 -0400
27829 +++ linux-2.6.38.4/drivers/pci/intel-iommu.c 2011-04-17 15:57:32.000000000 -0400
27830 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
27834 -struct dma_map_ops intel_dma_ops = {
27835 +const struct dma_map_ops intel_dma_ops = {
27836 .alloc_coherent = intel_alloc_coherent,
27837 .free_coherent = intel_free_coherent,
27838 .map_sg = intel_map_sg,
27839 diff -urNp linux-2.6.38.4/drivers/pci/pcie/aspm.c linux-2.6.38.4/drivers/pci/pcie/aspm.c
27840 --- linux-2.6.38.4/drivers/pci/pcie/aspm.c 2011-04-18 17:27:18.000000000 -0400
27841 +++ linux-2.6.38.4/drivers/pci/pcie/aspm.c 2011-04-17 16:53:41.000000000 -0400
27843 #define MODULE_PARAM_PREFIX "pcie_aspm."
27845 /* Note: those are not register definitions */
27846 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
27847 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
27848 -#define ASPM_STATE_L1 (4) /* L1 state */
27849 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
27850 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
27851 +#define ASPM_STATE_L1 (4U) /* L1 state */
27852 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
27853 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
27855 diff -urNp linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c
27856 --- linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c 2011-03-14 21:20:32.000000000 -0400
27857 +++ linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c 2011-04-17 15:57:32.000000000 -0400
27858 @@ -307,7 +307,7 @@ static void pcie_portdrv_err_resume(stru
27859 static const struct pci_device_id port_pci_ids[] = { {
27860 /* handle any PCI-Express port */
27861 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27862 - }, { /* end: all zeroes */ }
27863 + }, { 0, 0, 0, 0, 0, 0, 0 }
27865 MODULE_DEVICE_TABLE(pci, port_pci_ids);
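Review bot: The table terminator `{ 0, 0, 0, 0, 0, 0, 0 }` replaces an empty initializer with a positional list that hard-codes the current field count of struct pci_device_id; if a field is ever added, this line and the identical ones in drivers/pcmcia/ti113x.h and drivers/pcmcia/yenta_socket.c all need touching, while the removed `{ }` zero-initialises the whole entry regardless of layout. If the motive is a missing-field-initializer warning or a tool that rejects empty braces, a designated `{ .vendor = 0, }` satisfies that without tying the sentinel to the struct definition.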
27867 diff -urNp linux-2.6.38.4/drivers/pci/probe.c linux-2.6.38.4/drivers/pci/probe.c
27868 --- linux-2.6.38.4/drivers/pci/probe.c 2011-03-14 21:20:32.000000000 -0400
27869 +++ linux-2.6.38.4/drivers/pci/probe.c 2011-04-17 15:57:32.000000000 -0400
27870 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
27874 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27875 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27876 struct device_attribute *attr,
27879 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27882 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27883 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27884 struct device_attribute *attr,
27887 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
27891 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
27892 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
27894 if (!dev->mmio_always_on) {
27895 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
27896 diff -urNp linux-2.6.38.4/drivers/pci/proc.c linux-2.6.38.4/drivers/pci/proc.c
27897 --- linux-2.6.38.4/drivers/pci/proc.c 2011-03-14 21:20:32.000000000 -0400
27898 +++ linux-2.6.38.4/drivers/pci/proc.c 2011-04-17 15:57:32.000000000 -0400
27899 @@ -476,7 +476,16 @@ static const struct file_operations proc
27900 static int __init pci_proc_init(void)
27902 struct pci_dev *dev = NULL;
27904 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27905 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27906 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27907 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27908 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27911 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27913 proc_create("devices", 0, proc_bus_pci_dir,
27914 &proc_bus_pci_dev_operations);
27915 proc_initialized = 1;
27916 diff -urNp linux-2.6.38.4/drivers/pcmcia/ti113x.h linux-2.6.38.4/drivers/pcmcia/ti113x.h
27917 --- linux-2.6.38.4/drivers/pcmcia/ti113x.h 2011-03-14 21:20:32.000000000 -0400
27918 +++ linux-2.6.38.4/drivers/pcmcia/ti113x.h 2011-04-17 15:57:32.000000000 -0400
27919 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27920 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27921 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27924 + { 0, 0, 0, 0, 0, 0, 0 }
27927 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27928 diff -urNp linux-2.6.38.4/drivers/pcmcia/yenta_socket.c linux-2.6.38.4/drivers/pcmcia/yenta_socket.c
27929 --- linux-2.6.38.4/drivers/pcmcia/yenta_socket.c 2011-03-14 21:20:32.000000000 -0400
27930 +++ linux-2.6.38.4/drivers/pcmcia/yenta_socket.c 2011-04-17 15:57:32.000000000 -0400
27931 @@ -1426,7 +1426,7 @@ static struct pci_device_id yenta_table[
27933 /* match any cardbus bridge */
27934 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27935 - { /* all zeroes */ }
27936 + { 0, 0, 0, 0, 0, 0, 0 }
27938 MODULE_DEVICE_TABLE(pci, yenta_table);
27940 diff -urNp linux-2.6.38.4/drivers/platform/x86/asus-laptop.c linux-2.6.38.4/drivers/platform/x86/asus-laptop.c
27941 --- linux-2.6.38.4/drivers/platform/x86/asus-laptop.c 2011-03-14 21:20:32.000000000 -0400
27942 +++ linux-2.6.38.4/drivers/platform/x86/asus-laptop.c 2011-04-17 15:57:32.000000000 -0400
27943 @@ -243,7 +243,6 @@ struct asus_laptop {
27944 struct asus_led gled;
27945 struct asus_led kled;
27946 struct workqueue_struct *led_workqueue;
27948 int wireless_status;
27951 diff -urNp linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c
27952 --- linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c 2011-03-14 21:20:32.000000000 -0400
27953 +++ linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c 2011-04-17 15:57:32.000000000 -0400
27954 @@ -59,7 +59,7 @@ do { \
27955 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27958 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27959 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27960 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
27963 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27966 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27968 + pax_open_kernel();
27969 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27970 + pax_close_kernel();
27972 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27973 spin_lock_irqsave(&pnp_bios_lock, flags);
27974 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27976 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27978 + pax_open_kernel();
27979 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27980 + pax_close_kernel();
27984 /* If we get here and this is set then the PnP BIOS faulted on us. */
27985 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27989 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27990 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27994 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27995 pnp_bios_callpoint.offset = header->fields.pm16offset;
27996 pnp_bios_callpoint.segment = PNP_CS16;
27998 + pax_open_kernel();
28000 for_each_possible_cpu(i) {
28001 struct desc_struct *gdt = get_cpu_gdt_table(i);
28003 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
28004 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
28005 (unsigned long)__va(header->fields.pm16dseg));
28008 + pax_close_kernel();
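Review bot: The flags word of bad_bios_desc changes from 0x4092 to 0x4093 in the same line that adds `const`, and nothing in the hunk says why; the difference is bit 0 of the access byte, the segment Accessed bit, presumably preset because the CPU can no longer set it on a descriptor that now lives in read-only data and is copied into the live GDT by `get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;`. A comment above the definition, e.g. `/* accessed bit preset: the descriptor is const, so the CPU must never need to write it */`, keeps a later reader from "correcting" the value back to 0x4092. pnpbios_calls_init continues outside the final hunk.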
28010 diff -urNp linux-2.6.38.4/drivers/pnp/quirks.c linux-2.6.38.4/drivers/pnp/quirks.c
28011 --- linux-2.6.38.4/drivers/pnp/quirks.c 2011-03-14 21:20:32.000000000 -0400
28012 +++ linux-2.6.38.4/drivers/pnp/quirks.c 2011-04-17 15:57:32.000000000 -0400
28013 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
28014 /* PnP resources that might overlap PCI BARs */
28015 {"PNP0c01", quirk_system_pci_resources},
28016 {"PNP0c02", quirk_system_pci_resources},
28021 void pnp_fixup_device(struct pnp_dev *dev)
28022 diff -urNp linux-2.6.38.4/drivers/pnp/resource.c linux-2.6.38.4/drivers/pnp/resource.c
28023 --- linux-2.6.38.4/drivers/pnp/resource.c 2011-03-14 21:20:32.000000000 -0400
28024 +++ linux-2.6.38.4/drivers/pnp/resource.c 2011-04-17 15:57:32.000000000 -0400
28025 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
28028 /* check if the resource is valid */
28029 - if (*irq < 0 || *irq > 15)
28033 /* check if the resource is reserved */
28034 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
28037 /* check if the resource is valid */
28038 - if (*dma < 0 || *dma == 4 || *dma > 7)
28039 + if (*dma == 4 || *dma > 7)
28042 /* check if the resource is reserved */
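Review bot: The new condition `if (*dma == 4 || *dma > 7)` is only equivalent to the removed one when `*dma` is unsigned, and the hunk does not show its declaration (pnp_check_dma's signature is cut off in the hunk header); presumably it is a resource_size_t taken from the resource start, in which case the dropped `< 0` compare was always false and the lower bound comes from the type. A short comment would stop a later reader from putting it back: `/* dma is unsigned: valid channels are 0-7, 4 is the cascade channel */`. The irq hunk drops `*irq < 0` the same way, but its replacement line is not shown in this rendering, so it is worth confirming the new test is just `if (*irq > 15)`.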
28043 diff -urNp linux-2.6.38.4/drivers/rtc/rtc-dev.c linux-2.6.38.4/drivers/rtc/rtc-dev.c
28044 --- linux-2.6.38.4/drivers/rtc/rtc-dev.c 2011-03-14 21:20:32.000000000 -0400
28045 +++ linux-2.6.38.4/drivers/rtc/rtc-dev.c 2011-04-17 15:57:32.000000000 -0400
28047 #include <linux/module.h>
28048 #include <linux/rtc.h>
28049 #include <linux/sched.h>
28050 +#include <linux/grsecurity.h>
28051 #include "rtc-core.h"
28053 static dev_t rtc_devt;
28054 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
28055 if (copy_from_user(&tm, uarg, sizeof(tm)))
28058 + gr_log_timechange();
28060 return rtc_set_time(rtc, &tm);
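Review bot: `gr_log_timechange()` runs before `rtc_set_time()` has been attempted, so a write that the RTC layer rejects (an invalid struct rtc_time, or a driver error) is logged exactly like a successful change, and an auditor cannot tell the two apart. If the intent is to record attempts, a comment above the call should say so; if the intent is to record changes, capture the result first: `ret = rtc_set_time(rtc, &tm); if (!ret) gr_log_timechange(); return ret;`. The copy_from_user failure return just above (its return line is not shown here) precedes the log call, so a bad user pointer is not logged either way. rtc_dev_ioctl itself starts outside the hunk.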
28063 diff -urNp linux-2.6.38.4/drivers/s390/cio/qdio_debug.c linux-2.6.38.4/drivers/s390/cio/qdio_debug.c
28064 --- linux-2.6.38.4/drivers/s390/cio/qdio_debug.c 2011-03-14 21:20:32.000000000 -0400
28065 +++ linux-2.6.38.4/drivers/s390/cio/qdio_debug.c 2011-04-17 15:57:32.000000000 -0400
28066 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
28067 filp->f_path.dentry->d_inode->i_private);
28070 -static struct file_operations debugfs_perf_fops = {
28071 +static const struct file_operations debugfs_perf_fops = {
28072 .owner = THIS_MODULE,
28073 .open = qperf_seq_open,
28075 diff -urNp linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c
28076 --- linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-14 21:20:32.000000000 -0400
28077 +++ linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-17 15:57:32.000000000 -0400
28078 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
28079 flash_error_table[i].reason);
28082 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
28083 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
28084 asd_show_update_bios, asd_store_update_bios);
28086 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
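Review bot: The mode change on the `update_bios` attribute has no comment, and a later copy-and-paste from a neighbouring attribute could quietly bring `S_IWUGO` back; since a write to this attribute presumably starts a BIOS flash (asd_store_update_bios), the reason deserves to sit next to the mode: `/* writing starts a BIOS flash; keep owner-only (S_IWUSR) */`. Whether the other attributes registered in asd_create_dev_attrs (below the hunk) use world-writable modes cannot be seen here and is worth a look.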
28087 diff -urNp linux-2.6.38.4/drivers/scsi/hpsa.c linux-2.6.38.4/drivers/scsi/hpsa.c
28088 --- linux-2.6.38.4/drivers/scsi/hpsa.c 2011-03-14 21:20:32.000000000 -0400
28089 +++ linux-2.6.38.4/drivers/scsi/hpsa.c 2011-04-17 15:57:32.000000000 -0400
28090 @@ -2281,6 +2281,8 @@ static int hpsa_ioctl32_passthru(struct
28094 + memset(&arg64, 0, sizeof(arg64));
28097 err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
28098 sizeof(arg64.LUN_info));
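Review bot: The added `memset(&arg64, 0, sizeof(arg64));` carries no comment explaining why; arg64 is filled field by field from arg32, so padding and any field the copy_from_user calls do not cover would otherwise hold whatever was on the kernel stack when the structure is presumably passed on and copied back to userspace later in the function. Suggest `/* arg64 is copied back to userspace later; clear padding and any unset field */` above it, adjusted to what the rest of hpsa_ioctl32_passthru actually does, since the function starts before the hunk and its tail is not shown.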
28099 diff -urNp linux-2.6.38.4/drivers/scsi/ipr.c linux-2.6.38.4/drivers/scsi/ipr.c
28100 --- linux-2.6.38.4/drivers/scsi/ipr.c 2011-03-14 21:20:32.000000000 -0400
28101 +++ linux-2.6.38.4/drivers/scsi/ipr.c 2011-04-17 15:57:32.000000000 -0400
28102 @@ -6207,7 +6207,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
28106 -static struct ata_port_operations ipr_sata_ops = {
28107 +static const struct ata_port_operations ipr_sata_ops = {
28108 .phy_reset = ipr_ata_phy_reset,
28109 .hardreset = ipr_sata_reset,
28110 .post_internal_cmd = ipr_ata_post_internal,
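Review bot: Making `ipr_sata_ops` const is only safe as long as libata does not write to it: as I recall, ata_finalize_port_ops() resolves an `.inherits` chain in place and then clears `ops->inherits`, which would fault on an object placed in rodata unless the libata side of this patch wraps those writes in pax_open_kernel()/pax_close_kernel() (not visible here). ipr_sata_ops shows no `.inherits` in the hunk, so it may never reach that path, but `sas_sata_ops` in drivers/scsi/libsas/sas_ata.c is changed the same way and `phison_ops` in drivers/staging/phison/phison.c visibly carries `.inherits = &ata_bmdma_port_ops`. A comment on each definition, `/* const: libata finalises inherited ops in place under pax_open_kernel() */`, would record the dependency; if that libata change is not part of the patch, phison_ops must stay non-const.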
28111 diff -urNp linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c
28112 --- linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c 2011-03-14 21:20:32.000000000 -0400
28113 +++ linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c 2011-04-17 15:57:32.000000000 -0400
28114 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
28115 * all together if not used XXX
28118 - atomic_t no_free_exch;
28119 - atomic_t no_free_exch_xid;
28120 - atomic_t xid_not_found;
28121 - atomic_t xid_busy;
28122 - atomic_t seq_not_found;
28123 - atomic_t non_bls_resp;
28124 + atomic_unchecked_t no_free_exch;
28125 + atomic_unchecked_t no_free_exch_xid;
28126 + atomic_unchecked_t xid_not_found;
28127 + atomic_unchecked_t xid_busy;
28128 + atomic_unchecked_t seq_not_found;
28129 + atomic_unchecked_t non_bls_resp;
28133 @@ -687,7 +687,7 @@ static struct fc_exch *fc_exch_em_alloc(
28134 /* allocate memory for exchange */
28135 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
28137 - atomic_inc(&mp->stats.no_free_exch);
28138 + atomic_inc_unchecked(&mp->stats.no_free_exch);
28141 memset(ep, 0, sizeof(*ep));
28142 @@ -748,7 +748,7 @@ out:
28145 spin_unlock_bh(&pool->lock);
28146 - atomic_inc(&mp->stats.no_free_exch_xid);
28147 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
28148 mempool_free(ep, mp->ep_pool);
28151 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28152 xid = ntohs(fh->fh_ox_id); /* we originated exch */
28153 ep = fc_exch_find(mp, xid);
28155 - atomic_inc(&mp->stats.xid_not_found);
28156 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28157 reject = FC_RJT_OX_ID;
28160 @@ -923,7 +923,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28161 ep = fc_exch_find(mp, xid);
28162 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
28164 - atomic_inc(&mp->stats.xid_busy);
28165 + atomic_inc_unchecked(&mp->stats.xid_busy);
28166 reject = FC_RJT_RX_ID;
28169 @@ -934,7 +934,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28171 xid = ep->xid; /* get our XID */
28173 - atomic_inc(&mp->stats.xid_not_found);
28174 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28175 reject = FC_RJT_RX_ID; /* XID not found */
28178 @@ -951,7 +951,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28181 if (sp->id != fh->fh_seq_id) {
28182 - atomic_inc(&mp->stats.seq_not_found);
28183 + atomic_inc_unchecked(&mp->stats.seq_not_found);
28184 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
28187 @@ -1368,22 +1368,22 @@ static void fc_exch_recv_seq_resp(struct
28189 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
28191 - atomic_inc(&mp->stats.xid_not_found);
28192 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28195 if (ep->esb_stat & ESB_ST_COMPLETE) {
28196 - atomic_inc(&mp->stats.xid_not_found);
28197 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28200 if (ep->rxid == FC_XID_UNKNOWN)
28201 ep->rxid = ntohs(fh->fh_rx_id);
28202 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
28203 - atomic_inc(&mp->stats.xid_not_found);
28204 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28207 if (ep->did != ntoh24(fh->fh_s_id) &&
28208 ep->did != FC_FID_FLOGI) {
28209 - atomic_inc(&mp->stats.xid_not_found);
28210 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28214 @@ -1392,7 +1392,7 @@ static void fc_exch_recv_seq_resp(struct
28215 sp->ssb_stat |= SSB_ST_RESP;
28216 sp->id = fh->fh_seq_id;
28217 } else if (sp->id != fh->fh_seq_id) {
28218 - atomic_inc(&mp->stats.seq_not_found);
28219 + atomic_inc_unchecked(&mp->stats.seq_not_found);
28223 @@ -1455,9 +1455,9 @@ static void fc_exch_recv_resp(struct fc_
28224 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
28227 - atomic_inc(&mp->stats.xid_not_found);
28228 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28230 - atomic_inc(&mp->stats.non_bls_resp);
28231 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
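Review bot: The six `atomic_unchecked_t` fields in the stats block of `struct fc_exch_mgr` are switched without a word on why; a reader will not know that the unchecked variant keeps a field out of the patch's reference-count overflow detection, nor that these are hit counters (`mp->stats.xid_not_found` and friends) that may legitimately wrap rather than reference counts. A one-line comment at the top of that block would settle it: `/* statistics only, may wrap: deliberately exempt from refcount overflow checking */`. The same note applies to `mcache_gen` in drivers/staging/pohmelfs/netfs.h, a generation counter changed to atomic_long_unchecked_t in this patch.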
28235 diff -urNp linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c
28236 --- linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c 2011-03-14 21:20:32.000000000 -0400
28237 +++ linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c 2011-04-17 15:57:32.000000000 -0400
28238 @@ -348,10 +348,10 @@ static int sas_ata_scr_read(struct ata_l
28242 -static struct ata_port_operations sas_sata_ops = {
28243 +static const struct ata_port_operations sas_sata_ops = {
28244 .phy_reset = sas_ata_phy_reset,
28245 .post_internal_cmd = sas_ata_post_internal,
28246 - .qc_defer = ata_std_qc_defer,
28247 + .qc_defer = ata_std_qc_defer,
28248 .qc_prep = ata_noop_qc_prep,
28249 .qc_issue = sas_ata_qc_issue,
28250 .qc_fill_rtf = sas_ata_qc_fill_rtf,
28251 diff -urNp linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h
28252 --- linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-03-14 21:20:32.000000000 -0400
28253 +++ linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-04-17 15:57:32.000000000 -0400
28258 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
28259 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
28260 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
28263 diff -urNp linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c
28264 --- linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c 2011-03-14 21:20:32.000000000 -0400
28265 +++ linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c 2011-04-17 15:57:32.000000000 -0400
28266 @@ -4096,7 +4096,7 @@ static struct pci_driver qla2xxx_pci_dri
28267 .err_handler = &qla2xxx_err_handler,
28270 -static struct file_operations apidev_fops = {
28271 +static const struct file_operations apidev_fops = {
28272 .owner = THIS_MODULE,
28273 .llseek = noop_llseek,
28275 diff -urNp linux-2.6.38.4/drivers/scsi/scsi_logging.h linux-2.6.38.4/drivers/scsi/scsi_logging.h
28276 --- linux-2.6.38.4/drivers/scsi/scsi_logging.h 2011-03-14 21:20:32.000000000 -0400
28277 +++ linux-2.6.38.4/drivers/scsi/scsi_logging.h 2011-04-17 15:57:32.000000000 -0400
28278 @@ -51,7 +51,7 @@ do { \
28282 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
28283 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
28284 #endif /* CONFIG_SCSI_LOGGING */
28287 diff -urNp linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c
28288 --- linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c 2011-03-14 21:20:32.000000000 -0400
28289 +++ linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c 2011-04-17 15:57:32.000000000 -0400
28290 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
28293 *val = simple_strtoul(buf, &cp, 0);
28294 - if ((*cp && (*cp != '\n')) || (*val < 0))
28295 + if (*cp && (*cp != '\n'))
28298 * Check for overflow; dev_loss_tmo is u32
28299 diff -urNp linux-2.6.38.4/drivers/scsi/sg.c linux-2.6.38.4/drivers/scsi/sg.c
28300 --- linux-2.6.38.4/drivers/scsi/sg.c 2011-03-14 21:20:32.000000000 -0400
28301 +++ linux-2.6.38.4/drivers/scsi/sg.c 2011-04-17 15:57:32.000000000 -0400
28302 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
28303 const struct file_operations * fops;
28306 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
28307 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
28308 {"allow_dio", &adio_fops},
28309 {"debug", &debug_fops},
28310 {"def_reserved_size", &dressz_fops},
28311 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
28314 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
28315 - struct sg_proc_leaf * leaf;
28316 + const struct sg_proc_leaf * leaf;
28318 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
28320 diff -urNp linux-2.6.38.4/drivers/staging/autofs/root.c linux-2.6.38.4/drivers/staging/autofs/root.c
28321 --- linux-2.6.38.4/drivers/staging/autofs/root.c 2011-03-14 21:20:32.000000000 -0400
28322 +++ linux-2.6.38.4/drivers/staging/autofs/root.c 2011-04-17 15:57:32.000000000 -0400
28323 @@ -311,7 +311,8 @@ static int autofs_root_symlink(struct in
28324 set_bit(n,sbi->symlink_bitmap);
28325 sl = &sbi->symlink[n];
28326 sl->len = strlen(symname);
28327 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
28328 + slsize = sl->len+1;
28329 + sl->data = kmalloc(slsize, GFP_KERNEL);
28331 clear_bit(n,sbi->symlink_bitmap);
28333 diff -urNp linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c
28334 --- linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c 2011-03-14 21:20:32.000000000 -0400
28335 +++ linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c 2011-04-17 15:57:32.000000000 -0400
28336 @@ -2093,7 +2093,7 @@ static long bcm_char_ioctl(struct file *
28340 -static struct file_operations bcm_fops = {
28341 +static const struct file_operations bcm_fops = {
28342 .owner = THIS_MODULE,
28343 .open = bcm_char_open,
28344 .release = bcm_char_release,
28345 diff -urNp linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
28346 --- linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-03-14 21:20:32.000000000 -0400
28347 +++ linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-04-17 15:57:32.000000000 -0400
28348 @@ -863,14 +863,14 @@ static void dhd_op_if(dhd_if_t *ifp)
28349 free_netdev(ifp->net);
28351 /* Allocate etherdev, including space for private structure */
28352 - ifp->net = alloc_etherdev(sizeof(dhd));
28353 + ifp->net = alloc_etherdev(sizeof(*dhd));
28355 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
28359 strcpy(ifp->net->name, ifp->name);
28360 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
28361 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
28362 err = dhd_net_attach(&dhd->pub, ifp->idx);
28364 DHD_ERROR(("%s: dhd_net_attach failed, "
28365 @@ -1969,25 +1969,23 @@ dhd_pub_t *dhd_attach(struct osl_info *o
28366 strcpy(nv_path, nvram_path);
28368 /* Allocate etherdev, including space for private structure */
28369 - net = alloc_etherdev(sizeof(dhd));
28370 + net = alloc_etherdev(sizeof(*dhd));
28372 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
28376 /* Allocate primary dhd_info */
28377 - dhd = kmalloc(sizeof(dhd_info_t), GFP_ATOMIC);
28378 + dhd = kzalloc(sizeof(dhd_info_t), GFP_ATOMIC);
28380 DHD_ERROR(("%s: OOM - alloc dhd_info\n", __func__));
28384 - memset(dhd, 0, sizeof(dhd_info_t));
28387 * Save the dhd_info into the priv
28389 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
28390 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
28391 dhd->pub.osh = osh;
28393 /* Set network interface name if it was provided as module parameter */
28394 @@ -2105,7 +2103,7 @@ dhd_pub_t *dhd_attach(struct osl_info *o
28396 * Save the dhd_info into the priv
28398 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
28399 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
28401 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
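Review bot: Every reader of netdev_priv() in this file has to agree with the new layout of the private area, and none of them is in the hunks: the old `alloc_etherdev(sizeof(dhd))` plus `memcpy(netdev_priv(net), &dhd, sizeof(dhd))` stored a pointer to the dhd_info in priv, the new lines store a copy of the struct, so any function that still fetches it as `*(dhd_info_t **)netdev_priv(net)` would now treat the first word of the copied struct as a pointer. The copy is also taken before `dhd->pub.osh = osh;` on the next line, so later writes to `dhd` are not reflected in the netdev copy and two objects exist with no statement of which is authoritative. Unless the readers were changed elsewhere in the patch, the pointer-in-priv form was deliberate and should stay, with a comment such as `/* priv holds a pointer to the dhd_info, not the struct itself */`; the same change appears in dhd_op_if in the first hunk.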
28403 diff -urNp linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c
28404 --- linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-03-14 21:20:32.000000000 -0400
28405 +++ linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-04-17 15:57:32.000000000 -0400
28406 @@ -513,7 +513,7 @@ wl_iw_get_range(struct net_device *dev,
28407 list = (wl_u32_list_t *) channels;
28409 dwrq->length = sizeof(struct iw_range);
28410 - memset(range, 0, sizeof(range));
28411 + memset(range, 0, sizeof(*range));
28413 range->min_nwid = range->max_nwid = 0;
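Review bot: The corrected `memset(range, 0, sizeof(*range))` now clears the whole iw_range, and since `dwrq->length = sizeof(struct iw_range)` two lines above tells the caller to hand back that many bytes, the old pointer-sized clear left most of the structure as whatever the buffer held beforehand; a comment would keep the next reader from "simplifying" it again: `/* the full struct is returned to userspace; zero it completely first */`. Whether the caller already zero-allocates the buffer behind range is not visible here.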
28415 diff -urNp linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c
28416 --- linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c 2011-03-14 21:20:32.000000000 -0400
28417 +++ linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c 2011-04-17 15:57:32.000000000 -0400
28418 @@ -1426,7 +1426,7 @@ static void comedi_unmap(struct vm_area_
28419 mutex_unlock(&dev->mutex);
28422 -static struct vm_operations_struct comedi_vm_ops = {
28423 +static const struct vm_operations_struct comedi_vm_ops = {
28424 .close = comedi_unmap,
28427 diff -urNp linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
28428 --- linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-03-14 21:20:32.000000000 -0400
28429 +++ linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-04-17 15:57:32.000000000 -0400
28430 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
28432 // Table of entry-point routines for char device
28434 -static struct file_operations ft1000fops =
28435 +static const struct file_operations ft1000fops =
28437 .unlocked_ioctl = ft1000_ioctl,
28438 .poll = ft1000_poll_dev,
28439 diff -urNp linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c
28440 --- linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c 2011-03-14 21:20:32.000000000 -0400
28441 +++ linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c 2011-04-17 15:57:32.000000000 -0400
28442 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
28446 -static struct vm_operations_struct go7007_vm_ops = {
28447 +static const struct vm_operations_struct go7007_vm_ops = {
28448 .open = go7007_vm_open,
28449 .close = go7007_vm_close,
28450 .fault = go7007_vm_fault,
28451 diff -urNp linux-2.6.38.4/drivers/staging/hv/hv.c linux-2.6.38.4/drivers/staging/hv/hv.c
28452 --- linux-2.6.38.4/drivers/staging/hv/hv.c 2011-03-14 21:20:32.000000000 -0400
28453 +++ linux-2.6.38.4/drivers/staging/hv/hv.c 2011-04-17 15:57:32.000000000 -0400
28454 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
28455 u64 output_address = (output) ? virt_to_phys(output) : 0;
28456 u32 output_address_hi = output_address >> 32;
28457 u32 output_address_lo = output_address & 0xFFFFFFFF;
28458 - volatile void *hypercall_page = hv_context.hypercall_page;
28459 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
28461 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
28462 control, input, output);
28463 diff -urNp linux-2.6.38.4/drivers/staging/phison/phison.c linux-2.6.38.4/drivers/staging/phison/phison.c
28464 --- linux-2.6.38.4/drivers/staging/phison/phison.c 2011-03-14 21:20:32.000000000 -0400
28465 +++ linux-2.6.38.4/drivers/staging/phison/phison.c 2011-04-17 15:57:32.000000000 -0400
28466 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
28467 ATA_BMDMA_SHT(DRV_NAME),
28470 -static struct ata_port_operations phison_ops = {
28471 +static const struct ata_port_operations phison_ops = {
28472 .inherits = &ata_bmdma_port_ops,
28473 .prereset = phison_pre_reset,
28475 diff -urNp linux-2.6.38.4/drivers/staging/pohmelfs/inode.c linux-2.6.38.4/drivers/staging/pohmelfs/inode.c
28476 --- linux-2.6.38.4/drivers/staging/pohmelfs/inode.c 2011-03-14 21:20:32.000000000 -0400
28477 +++ linux-2.6.38.4/drivers/staging/pohmelfs/inode.c 2011-04-17 15:57:32.000000000 -0400
28478 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
28479 mutex_init(&psb->mcache_lock);
28480 psb->mcache_root = RB_ROOT;
28481 psb->mcache_timeout = msecs_to_jiffies(5000);
28482 - atomic_long_set(&psb->mcache_gen, 0);
28483 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
28485 psb->trans_max_pages = 100;
28487 diff -urNp linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c
28488 --- linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c 2011-03-14 21:20:32.000000000 -0400
28489 +++ linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c 2011-04-17 15:57:32.000000000 -0400
28490 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
28494 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
28495 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
28497 mutex_lock(&psb->mcache_lock);
28498 err = pohmelfs_mcache_insert(psb, m);
28499 diff -urNp linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h
28500 --- linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h 2011-03-14 21:20:32.000000000 -0400
28501 +++ linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h 2011-04-17 15:57:32.000000000 -0400
28502 @@ -571,7 +571,7 @@ struct pohmelfs_config;
28503 struct pohmelfs_sb {
28504 struct rb_root mcache_root;
28505 struct mutex mcache_lock;
28506 - atomic_long_t mcache_gen;
28507 + atomic_long_unchecked_t mcache_gen;
28508 unsigned long mcache_timeout;
28511 diff -urNp linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c
28512 --- linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c 2011-03-14 21:20:32.000000000 -0400
28513 +++ linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c 2011-04-17 15:57:32.000000000 -0400
28514 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
28515 return seq_open(file, &crypto_seq_ops);
28518 -static struct file_operations proc_crypto_ops = {
28519 +static const struct file_operations proc_crypto_ops = {
28520 .open = crypto_info_open,
28522 .llseek = seq_lseek,
28523 diff -urNp linux-2.6.38.4/drivers/staging/spectra/ffsport.c linux-2.6.38.4/drivers/staging/spectra/ffsport.c
28524 --- linux-2.6.38.4/drivers/staging/spectra/ffsport.c 2011-03-14 21:20:32.000000000 -0400
28525 +++ linux-2.6.38.4/drivers/staging/spectra/ffsport.c 2011-04-17 15:57:32.000000000 -0400
28526 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
28530 -static struct block_device_operations GLOB_SBD_ops = {
28531 +static const struct block_device_operations GLOB_SBD_ops = {
28532 .owner = THIS_MODULE,
28533 .open = GLOB_SBD_open,
28534 .release = GLOB_SBD_release,
28535 diff -urNp linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c
28536 --- linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c 2011-03-14 21:20:32.000000000 -0400
28537 +++ linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c 2011-04-17 15:57:32.000000000 -0400
28538 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
28539 static int __devinit vme_user_probe(struct device *, int, int);
28540 static int __devexit vme_user_remove(struct device *, int, int);
28542 -static struct file_operations vme_user_fops = {
28543 +static const struct file_operations vme_user_fops = {
28544 .open = vme_user_open,
28545 .release = vme_user_release,
28546 .read = vme_user_read,
28547 diff -urNp linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
28548 --- linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-03-14 21:20:32.000000000 -0400
28549 +++ linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-04-17 15:57:32.000000000 -0400
28550 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
28553 /*standard block device driver interface */
28554 -static struct block_device_operations cyasblkdev_bdops = {
28555 +static const struct block_device_operations cyasblkdev_bdops = {
28556 .open = cyasblkdev_blk_open,
28557 .release = cyasblkdev_blk_release,
28558 .ioctl = cyasblkdev_blk_ioctl,
28559 diff -urNp linux-2.6.38.4/drivers/tty/hvc/hvc_console.h linux-2.6.38.4/drivers/tty/hvc/hvc_console.h
28560 --- linux-2.6.38.4/drivers/tty/hvc/hvc_console.h 2011-03-14 21:20:32.000000000 -0400
28561 +++ linux-2.6.38.4/drivers/tty/hvc/hvc_console.h 2011-04-17 15:57:32.000000000 -0400
28562 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
28563 /* register a vterm for hvc tty operation (module_init or hotplug add) */
28564 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
28565 const struct hv_ops *ops, int outbuf_size);
28567 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
28568 extern int hvc_remove(struct hvc_struct *hp);
28570 diff -urNp linux-2.6.38.4/drivers/tty/hvc/hvcs.c linux-2.6.38.4/drivers/tty/hvc/hvcs.c
28571 --- linux-2.6.38.4/drivers/tty/hvc/hvcs.c 2011-03-14 21:20:32.000000000 -0400
28572 +++ linux-2.6.38.4/drivers/tty/hvc/hvcs.c 2011-04-17 15:57:32.000000000 -0400
28574 #include <asm/hvcserver.h>
28575 #include <asm/uaccess.h>
28576 #include <asm/vio.h>
28577 +#include <asm/local.h>
28580 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
28581 @@ -270,7 +271,7 @@ struct hvcs_struct {
28582 unsigned int index;
28584 struct tty_struct *tty;
28586 + local_t open_count;
28589 * Used to tell the driver kernel_thread what operations need to take
28590 @@ -420,7 +421,7 @@ static ssize_t hvcs_vterm_state_store(st
28592 spin_lock_irqsave(&hvcsd->lock, flags);
28594 - if (hvcsd->open_count > 0) {
28595 + if (local_read(&hvcsd->open_count) > 0) {
28596 spin_unlock_irqrestore(&hvcsd->lock, flags);
28597 printk(KERN_INFO "HVCS: vterm state unchanged. "
28598 "The hvcs device node is still in use.\n");
28599 @@ -1136,7 +1137,7 @@ static int hvcs_open(struct tty_struct *
28600 if ((retval = hvcs_partner_connect(hvcsd)))
28601 goto error_release;
28603 - hvcsd->open_count = 1;
28604 + local_set(&hvcsd->open_count, 1);
28606 tty->driver_data = hvcsd;
28608 @@ -1170,7 +1171,7 @@ fast_open:
28610 spin_lock_irqsave(&hvcsd->lock, flags);
28611 kref_get(&hvcsd->kref);
28612 - hvcsd->open_count++;
28613 + local_inc(&hvcsd->open_count);
28614 hvcsd->todo_mask |= HVCS_SCHED_READ;
28615 spin_unlock_irqrestore(&hvcsd->lock, flags);
28617 @@ -1214,7 +1215,7 @@ static void hvcs_close(struct tty_struct
28618 hvcsd = tty->driver_data;
28620 spin_lock_irqsave(&hvcsd->lock, flags);
28621 - if (--hvcsd->open_count == 0) {
28622 + if (local_dec_and_test(&hvcsd->open_count)) {
28624 vio_disable_interrupts(hvcsd->vdev);
28626 @@ -1240,10 +1241,10 @@ static void hvcs_close(struct tty_struct
28627 free_irq(irq, hvcsd);
28628 kref_put(&hvcsd->kref, destroy_hvcs_struct);
28630 - } else if (hvcsd->open_count < 0) {
28631 + } else if (local_read(&hvcsd->open_count) < 0) {
28632 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
28633 " is missmanaged.\n",
28634 - hvcsd->vdev->unit_address, hvcsd->open_count);
28635 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
28638 spin_unlock_irqrestore(&hvcsd->lock, flags);
28639 @@ -1259,7 +1260,7 @@ static void hvcs_hangup(struct tty_struc
28641 spin_lock_irqsave(&hvcsd->lock, flags);
28642 /* Preserve this so that we know how many kref refs to put */
28643 - temp_open_count = hvcsd->open_count;
28644 + temp_open_count = local_read(&hvcsd->open_count);
28647 * Don't kref put inside the spinlock because the destruction
28648 @@ -1274,7 +1275,7 @@ static void hvcs_hangup(struct tty_struc
28649 hvcsd->tty->driver_data = NULL;
28652 - hvcsd->open_count = 0;
28653 + local_set(&hvcsd->open_count, 0);
28655 /* This will drop any buffered data on the floor which is OK in a hangup
28657 @@ -1345,7 +1346,7 @@ static int hvcs_write(struct tty_struct
28658 * the middle of a write operation? This is a crummy place to do this
28659 * but we want to keep it all in the spinlock.
28661 - if (hvcsd->open_count <= 0) {
28662 + if (local_read(&hvcsd->open_count) <= 0) {
28663 spin_unlock_irqrestore(&hvcsd->lock, flags);
28666 @@ -1419,7 +1420,7 @@ static int hvcs_write_room(struct tty_st
28668 struct hvcs_struct *hvcsd = tty->driver_data;
28670 - if (!hvcsd || hvcsd->open_count <= 0)
28671 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
28674 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
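Review bot: The printk in hvcs_close keeps `%d` while its argument becomes `local_read(&hvcsd->open_count)`, which returns long, so the format and the argument no longer match; change the specifier to `%ld` or cast the value to int. Every access to open_count in these hunks is made under `hvcsd->lock` (spin_lock_irqsave is visible before each), so local_t adds no synchronisation here; presumably the motivation is integer-overflow hardening of the counter rather than concurrency, and the field should say whichever it is, e.g. `local_t open_count; /* protected by lock; local_t is for overflow hardening, not synchronisation */`.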
28675 diff -urNp linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c
28676 --- linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c 2011-03-14 21:20:32.000000000 -0400
28677 +++ linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c 2011-04-17 15:57:32.000000000 -0400
28678 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
28682 -static struct hv_ops domU_hvc_ops = {
28683 +static const struct hv_ops domU_hvc_ops = {
28684 .get_chars = domU_read_console,
28685 .put_chars = domU_write_console,
28686 .notifier_add = notifier_add_irq,
28687 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
28691 -static struct hv_ops dom0_hvc_ops = {
28692 +static const struct hv_ops dom0_hvc_ops = {
28693 .get_chars = dom0_read_console,
28694 .put_chars = dom0_write_console,
28695 .notifier_add = notifier_add_irq,
28696 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
28697 static int __init xen_hvc_init(void)
28699 struct hvc_struct *hp;
28700 - struct hv_ops *ops;
28701 + const struct hv_ops *ops;
28703 if (!xen_pv_domain())
28705 @@ -203,7 +203,7 @@ static void __exit xen_hvc_fini(void)
28707 static int xen_cons_init(void)
28709 - struct hv_ops *ops;
28710 + const struct hv_ops *ops;
28712 if (!xen_pv_domain())
28714 diff -urNp linux-2.6.38.4/drivers/tty/n_gsm.c linux-2.6.38.4/drivers/tty/n_gsm.c
28715 --- linux-2.6.38.4/drivers/tty/n_gsm.c 2011-03-14 21:20:32.000000000 -0400
28716 +++ linux-2.6.38.4/drivers/tty/n_gsm.c 2011-04-17 15:57:32.000000000 -0400
28717 @@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
28719 spin_lock_init(&dlci->lock);
28720 dlci->fifo = &dlci->_fifo;
28721 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
28722 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
28726 diff -urNp linux-2.6.38.4/drivers/tty/n_tty.c linux-2.6.38.4/drivers/tty/n_tty.c
28727 --- linux-2.6.38.4/drivers/tty/n_tty.c 2011-03-14 21:20:32.000000000 -0400
28728 +++ linux-2.6.38.4/drivers/tty/n_tty.c 2011-04-17 15:57:32.000000000 -0400
28729 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
28731 *ops = tty_ldisc_N_TTY;
28733 - ops->refcount = ops->flags = 0;
28734 + atomic_set(&ops->refcount, 0);
28737 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
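Review bot: The replacement `atomic_set(&ops->refcount, 0);` only resets refcount, whereas the removed `ops->refcount = ops->flags = 0;` also cleared `ops->flags`; the hunk header announces two added lines but only one is shown in this rendering, so presumably the other is `ops->flags = 0;` and just dropped out of the page. That is worth confirming, because `*ops = tty_ldisc_N_TTY;` above copies whatever flags the template carries, and without the clear a caller of n_tty_inherit_ops would inherit them. If the line is genuinely missing, add `ops->flags = 0;` after the atomic_set.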
28738 diff -urNp linux-2.6.38.4/drivers/tty/pty.c linux-2.6.38.4/drivers/tty/pty.c
28739 --- linux-2.6.38.4/drivers/tty/pty.c 2011-03-14 21:20:32.000000000 -0400
28740 +++ linux-2.6.38.4/drivers/tty/pty.c 2011-04-17 15:57:32.000000000 -0400
28741 @@ -700,7 +700,18 @@ out:
28745 -static struct file_operations ptmx_fops;
28746 +static const struct file_operations ptmx_fops = {
28747 + .llseek = no_llseek,
28748 + .read = tty_read,
28749 + .write = tty_write,
28750 + .poll = tty_poll,
28751 + .unlocked_ioctl = tty_ioctl,
28752 + .compat_ioctl = tty_compat_ioctl,
28753 + .open = ptmx_open,
28754 + .release = tty_release,
28755 + .fasync = tty_fasync,
28759 static void __init unix98_pty_init(void)
28761 @@ -753,10 +764,6 @@ static void __init unix98_pty_init(void)
28763 register_sysctl_table(pty_root_table);
28765 - /* Now create the /dev/ptmx special device */
28766 - tty_default_fops(&ptmx_fops);
28767 - ptmx_fops.open = ptmx_open;
28769 cdev_init(&ptmx_cdev, &ptmx_fops);
28770 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
28771 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
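Review bot: The const `ptmx_fops` initializer hard-codes the set of operations that `tty_default_fops()` used to copy from the tty_fops table in drivers/tty/tty_io.c, so the two tables can now drift apart silently: any operation added to tty_fops later, or present there today but not listed here, would be missing on /dev/ptmx. A comment on the definition, `/* must mirror tty_fops in tty_io.c; previously filled by tty_default_fops() */`, makes that coupling visible. The `.compat_ioctl = tty_compat_ioctl` entry also depends on the tty_io.c change in this patch, which deletes the `#ifdef CONFIG_COMPAT ... #define tty_compat_ioctl NULL` fallback from that file; unless the header that now declares tty_compat_ioctl provides an equivalent for !CONFIG_COMPAT builds, this initializer would fail to compile there, which cannot be checked from the visible hunks.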
28772 diff -urNp linux-2.6.38.4/drivers/tty/serial/8250_pci.c linux-2.6.38.4/drivers/tty/serial/8250_pci.c
28773 --- linux-2.6.38.4/drivers/tty/serial/8250_pci.c 2011-03-14 21:20:32.000000000 -0400
28774 +++ linux-2.6.38.4/drivers/tty/serial/8250_pci.c 2011-04-17 15:57:32.000000000 -0400
28775 @@ -3818,7 +3818,7 @@ static struct pci_device_id serial_pci_t
28776 PCI_ANY_ID, PCI_ANY_ID,
28777 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
28778 0xffff00, pbn_default },
28780 + { 0, 0, 0, 0, 0, 0, 0 }
28783 static struct pci_driver serial_pci_driver = {
28784 diff -urNp linux-2.6.38.4/drivers/tty/serial/kgdboc.c linux-2.6.38.4/drivers/tty/serial/kgdboc.c
28785 --- linux-2.6.38.4/drivers/tty/serial/kgdboc.c 2011-03-14 21:20:32.000000000 -0400
28786 +++ linux-2.6.38.4/drivers/tty/serial/kgdboc.c 2011-04-17 15:57:32.000000000 -0400
28789 #define MAX_CONFIG_LEN 40
28791 -static struct kgdb_io kgdboc_io_ops;
28792 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
28794 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
28795 static int configured = -1;
28796 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
28797 kgdboc_restore_input();
28800 -static struct kgdb_io kgdboc_io_ops = {
28801 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
28803 .read_char = kgdboc_get_char,
28804 .write_char = kgdboc_put_char,
28805 diff -urNp linux-2.6.38.4/drivers/tty/tty_io.c linux-2.6.38.4/drivers/tty/tty_io.c
28806 --- linux-2.6.38.4/drivers/tty/tty_io.c 2011-03-14 21:20:32.000000000 -0400
28807 +++ linux-2.6.38.4/drivers/tty/tty_io.c 2011-04-17 15:57:32.000000000 -0400
28808 @@ -140,21 +140,11 @@ EXPORT_SYMBOL(tty_mutex);
28809 /* Spinlock to protect the tty->tty_files list */
28810 DEFINE_SPINLOCK(tty_files_lock);
28812 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
28813 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
28814 ssize_t redirected_tty_write(struct file *, const char __user *,
28816 -static unsigned int tty_poll(struct file *, poll_table *);
28817 static int tty_open(struct inode *, struct file *);
28818 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
28819 -#ifdef CONFIG_COMPAT
28820 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28821 - unsigned long arg);
28823 -#define tty_compat_ioctl NULL
28825 static int __tty_fasync(int fd, struct file *filp, int on);
28826 -static int tty_fasync(int fd, struct file *filp, int on);
28827 static void release_tty(struct tty_struct *tty, int idx);
28828 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
28829 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
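Review bot: The non-COMPAT fallback `#define tty_compat_ioctl NULL` is removed together with the static prototypes, so in a build without CONFIG_COMPAT the name `tty_compat_ioctl`, presumably still used in the file_operations initialisers later in this file, has to come from a header that is not part of this hunk; confirm that the header carries both the prototype and the non-COMPAT fallback, otherwise such builds break. The same dependency on unseen files applies to `tty_default_fops`, deleted in the @@ -3195 hunk below, whose external caller must be converted in a separate file. A comment next to the remaining prototypes, `/* tty_read/tty_write/tty_poll/tty_fasync/tty_compat_ioctl are declared in the tty header and exported for the pty driver */`, would record why the static declarations are gone.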
28830 @@ -938,7 +928,7 @@ EXPORT_SYMBOL(start_tty);
28831 * read calls may be outstanding in parallel.
28834 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
28835 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
28839 @@ -964,6 +954,8 @@ static ssize_t tty_read(struct file *fil
28843 +EXPORT_SYMBOL(tty_read);
28845 void tty_write_unlock(struct tty_struct *tty)
28847 mutex_unlock(&tty->atomic_write_lock);
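Review bot: The new export uses plain `EXPORT_SYMBOL(tty_read);` while the file's existing export of get_current_tty (visible in the @@ -3195 hunk) is `EXPORT_SYMBOL_GPL`; if the only intended consumer of these core tty entry points is the in-tree pty driver, `EXPORT_SYMBOL_GPL(tty_read);` keeps the widened interface consistent with the file and avoids turning the tty read/write/poll/ioctl internals into an ABI for arbitrary out-of-tree modules. The same choice recurs for tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl in the following hunks of this file. The body of tty_read starts outside this hunk.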
28848 @@ -1113,7 +1105,7 @@ void tty_write_message(struct tty_struct
28849 * write method will not be invoked in parallel for each device.
28852 -static ssize_t tty_write(struct file *file, const char __user *buf,
28853 +ssize_t tty_write(struct file *file, const char __user *buf,
28854 size_t count, loff_t *ppos)
28856 struct inode *inode = file->f_path.dentry->d_inode;
28857 @@ -1139,6 +1131,8 @@ static ssize_t tty_write(struct file *fi
28861 +EXPORT_SYMBOL(tty_write);
28863 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
28864 size_t count, loff_t *ppos)
28866 @@ -1778,6 +1772,8 @@ int tty_release(struct inode *inode, str
28870 +EXPORT_SYMBOL(tty_release);
28873 * tty_open - open a tty device
28874 * @inode: inode of device file
28875 @@ -1969,7 +1965,7 @@ got_driver:
28876 * may be re-entered freely by other callers.
28879 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
28880 +unsigned int tty_poll(struct file *filp, poll_table *wait)
28882 struct tty_struct *tty = file_tty(filp);
28883 struct tty_ldisc *ld;
28884 @@ -1985,6 +1981,8 @@ static unsigned int tty_poll(struct file
28888 +EXPORT_SYMBOL(tty_poll);
28890 static int __tty_fasync(int fd, struct file *filp, int on)
28892 struct tty_struct *tty = file_tty(filp);
28893 @@ -2026,7 +2024,7 @@ out:
28897 -static int tty_fasync(int fd, struct file *filp, int on)
28898 +int tty_fasync(int fd, struct file *filp, int on)
28902 @@ -2035,6 +2033,8 @@ static int tty_fasync(int fd, struct fil
28906 +EXPORT_SYMBOL(tty_fasync);
28909 * tiocsti - fake input character
28910 * @tty: tty to fake input into
28911 @@ -2692,8 +2692,10 @@ long tty_ioctl(struct file *file, unsign
28915 +EXPORT_SYMBOL(tty_ioctl);
28917 #ifdef CONFIG_COMPAT
28918 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28919 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
28922 struct inode *inode = file->f_dentry->d_inode;
28923 @@ -2717,6 +2719,9 @@ static long tty_compat_ioctl(struct file
28928 +EXPORT_SYMBOL(tty_compat_ioctl);
28933 @@ -3195,11 +3200,6 @@ struct tty_struct *get_current_tty(void)
28935 EXPORT_SYMBOL_GPL(get_current_tty);
28937 -void tty_default_fops(struct file_operations *fops)
28939 - *fops = tty_fops;
28943 * Initialize the console device. This is called *early*, so
28944 * we can't necessarily depend on lots of kernel help here.
28945 diff -urNp linux-2.6.38.4/drivers/tty/tty_ldisc.c linux-2.6.38.4/drivers/tty/tty_ldisc.c
28946 --- linux-2.6.38.4/drivers/tty/tty_ldisc.c 2011-03-14 21:20:32.000000000 -0400
28947 +++ linux-2.6.38.4/drivers/tty/tty_ldisc.c 2011-04-17 15:57:32.000000000 -0400
28948 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
28949 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
28950 struct tty_ldisc_ops *ldo = ld->ops;
28953 + atomic_dec(&ldo->refcount);
28954 module_put(ldo->owner);
28955 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
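Review bot: Every converted access to `refcount` in this file (put_ldisc here, and tty_register_ldisc, tty_unregister_ldisc, get_ldops and put_ldops in the following hunks) is still performed under `tty_ldisc_lock`, so switching to `atomic_inc`/`atomic_dec`/`atomic_read` does not change the locking and presumably serves another purpose such as overflow detection on atomic_t. A comment at the field, `/* atomic_t for overflow checking; still only modified under tty_ldisc_lock */`, would keep a later maintainer from dropping the lock on the strength of the atomic type. The field's type change must live in the tty_ldisc header, which is not part of this chunk, and the removed line of this hunk is not shown.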
28957 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
28958 spin_lock_irqsave(&tty_ldisc_lock, flags);
28959 tty_ldiscs[disc] = new_ldisc;
28960 new_ldisc->num = disc;
28961 - new_ldisc->refcount = 0;
28962 + atomic_set(&new_ldisc->refcount, 0);
28963 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28966 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
28969 spin_lock_irqsave(&tty_ldisc_lock, flags);
28970 - if (tty_ldiscs[disc]->refcount)
28971 + if (atomic_read(&tty_ldiscs[disc]->refcount))
28974 tty_ldiscs[disc] = NULL;
28975 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
28977 ret = ERR_PTR(-EAGAIN);
28978 if (try_module_get(ldops->owner)) {
28979 - ldops->refcount++;
28980 + atomic_inc(&ldops->refcount);
28984 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
28985 unsigned long flags;
28987 spin_lock_irqsave(&tty_ldisc_lock, flags);
28988 - ldops->refcount--;
28989 + atomic_dec(&ldops->refcount);
28990 module_put(ldops->owner);
28991 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28993 diff -urNp linux-2.6.38.4/drivers/tty/vt/keyboard.c linux-2.6.38.4/drivers/tty/vt/keyboard.c
28994 --- linux-2.6.38.4/drivers/tty/vt/keyboard.c 2011-03-14 21:20:32.000000000 -0400
28995 +++ linux-2.6.38.4/drivers/tty/vt/keyboard.c 2011-04-17 15:57:32.000000000 -0400
28996 @@ -657,6 +657,16 @@ static void k_spec(struct vc_data *vc, u
28997 kbd->kbdmode == VC_MEDIUMRAW) &&
28998 value != KVAL(K_SAK))
28999 return; /* SAK is allowed even in raw mode */
29001 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
29003 + void *func = fn_handler[value];
29004 + if (func == fn_show_state || func == fn_show_ptregs ||
29005 + func == fn_show_mem)
29010 fn_handler[value](vc);
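Review bot: The body of the new `if` (what happens when `func` is fn_show_state, fn_show_ptregs or fn_show_mem) is not among the visible lines, so only the guard itself can be reviewed: it gates the console-keyboard route to the kernel state, register and memory dumps on the CONFIG_GRKERNSEC_PROC options, which is a sensible place for an information-exposure policy, but the same three dumps are presumably reachable through other interfaces (the SysRq handlers for the same actions) that this hunk does not touch, so either the policy should be applied there as well or a comment should say why it is console-only. A line above the `#if`, e.g. `/* the show_* handlers can expose kernel addresses; restrict them under the proc-hiding options */`, would document the intent. k_spec starts outside this hunk.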
29013 @@ -1413,7 +1423,7 @@ static const struct input_device_id kbd_
29014 .evbit = { BIT_MASK(EV_SND) },
29017 - { }, /* Terminating entry */
29018 + { 0 }, /* Terminating entry */
29021 MODULE_DEVICE_TABLE(input, kbd_ids);
29022 diff -urNp linux-2.6.38.4/drivers/tty/vt/vt.c linux-2.6.38.4/drivers/tty/vt/vt.c
29023 --- linux-2.6.38.4/drivers/tty/vt/vt.c 2011-03-14 21:20:32.000000000 -0400
29024 +++ linux-2.6.38.4/drivers/tty/vt/vt.c 2011-04-17 15:57:32.000000000 -0400
29025 @@ -262,7 +262,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
29027 static void notify_write(struct vc_data *vc, unsigned int unicode)
29029 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
29030 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
29031 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, ¶m);
29034 diff -urNp linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c
29035 --- linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c 2011-03-14 21:20:32.000000000 -0400
29036 +++ linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c 2011-04-17 15:57:32.000000000 -0400
29037 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
29038 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
29041 - if (!capable(CAP_SYS_TTY_CONFIG))
29046 key_map = key_maps[s];
29047 @@ -224,6 +221,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
29048 val = (i ? K_HOLE : K_NOSUCHMAP);
29049 return put_user(val, &user_kbe->kb_value);
29051 + if (!capable(CAP_SYS_TTY_CONFIG))
29056 if (!i && v == K_NOSUCHMAP) {
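Review bot: Re-adding `if (!capable(CAP_SYS_TTY_CONFIG))` after the KDGKBENT `return put_user(...)` means the capability is now consulted only on the write path, which is where it belongs (and avoids a capability-denied log or audit record being generated for every read-only KDGKBENT from an unprivileged caller), but the lines that follow the re-added check are not shown, so confirm that its body still disables the privileged path before every KDSKBENT branch and that no other write path precedes it. The do_kdgkb_ioctl hunks at @@ -325 and @@ -361 make the same move and need the same confirmation. do_kdsk_ioctl starts outside this hunk.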
29057 @@ -325,9 +325,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
29061 - if (!capable(CAP_SYS_TTY_CONFIG))
29064 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
29067 @@ -361,6 +358,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
29069 return ((p && *p) ? -EOVERFLOW : 0);
29071 + if (!capable(CAP_SYS_TTY_CONFIG))
29077 diff -urNp linux-2.6.38.4/drivers/uio/uio.c linux-2.6.38.4/drivers/uio/uio.c
29078 --- linux-2.6.38.4/drivers/uio/uio.c 2011-03-14 21:20:32.000000000 -0400
29079 +++ linux-2.6.38.4/drivers/uio/uio.c 2011-04-17 15:57:32.000000000 -0400
29081 #include <linux/kobject.h>
29082 #include <linux/cdev.h>
29083 #include <linux/uio_driver.h>
29084 +#include <asm/local.h>
29086 #define UIO_MAX_DEVICES (1U << MINORBITS)
29088 @@ -35,7 +36,7 @@ struct uio_device {
29090 struct fasync_struct *async_queue;
29091 wait_queue_head_t wait;
29093 + local_t vma_count;
29094 struct uio_info *info;
29095 struct kobject *map_dir;
29096 struct kobject *portio_dir;
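Review bot: `local_t` only guarantees atomicity against interrupts on the same CPU, not across CPUs, so the `local_inc(&idev->vma_count)` in uio_vma_open and `local_dec` in uio_vma_close (the @@ -602 hunk) are no safer against concurrent open/close on different CPUs than the plain increment and decrement they replace. If the counter is relied on being serialised by the caller's mm locking, a comment on the field saying so would help, e.g. `local_t vma_count; /* serialised by the vma's mm lock; local_t only for overflow checking */`; if cross-CPU atomicity is the goal, `atomic_t` with `atomic_inc`/`atomic_dec` is the type to use. The `@@` header of the preceding `#include <asm/local.h>` hunk is not shown in this rendering.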
29097 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
29098 static void uio_vma_open(struct vm_area_struct *vma)
29100 struct uio_device *idev = vma->vm_private_data;
29101 - idev->vma_count++;
29102 + local_inc(&idev->vma_count);
29105 static void uio_vma_close(struct vm_area_struct *vma)
29107 struct uio_device *idev = vma->vm_private_data;
29108 - idev->vma_count--;
29109 + local_dec(&idev->vma_count);
29112 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29113 diff -urNp linux-2.6.38.4/drivers/usb/atm/cxacru.c linux-2.6.38.4/drivers/usb/atm/cxacru.c
29114 --- linux-2.6.38.4/drivers/usb/atm/cxacru.c 2011-03-14 21:20:32.000000000 -0400
29115 +++ linux-2.6.38.4/drivers/usb/atm/cxacru.c 2011-04-17 15:57:32.000000000 -0400
29116 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
29117 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
29120 - if (index < 0 || index > 0x7f)
29121 + if (index > 0x7f)
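Review bot: Dropping `index < 0` is only a no-op if `index` is unsigned, and its declaration is above this hunk and not visible; if it were signed, the new `if (index > 0x7f)` would let negative values through to whatever consumes `index` below. A one-line comment, `/* index is unsigned: the upper bound is the only range check needed */`, would make the precondition explicit for the next reader of the diff. The same pattern appears in fbcmap.c (`cmap->start < 0` removed in the @@ -285 hunk) and fbmem.c (`con2fb.framebuffer < 0` removed in the @@ -1101 hunk, where the value then indexes registered_fb), and both rely on the same unsigned-field assumption.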
29125 diff -urNp linux-2.6.38.4/drivers/usb/atm/usbatm.c linux-2.6.38.4/drivers/usb/atm/usbatm.c
29126 --- linux-2.6.38.4/drivers/usb/atm/usbatm.c 2011-03-14 21:20:32.000000000 -0400
29127 +++ linux-2.6.38.4/drivers/usb/atm/usbatm.c 2011-04-17 15:57:32.000000000 -0400
29128 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
29129 if (printk_ratelimit())
29130 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
29131 __func__, vpi, vci);
29132 - atomic_inc(&vcc->stats->rx_err);
29133 + atomic_inc_unchecked(&vcc->stats->rx_err);
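Review bot: `atomic_inc_unchecked` and `atomic_read_unchecked` are not mainline atomic primitives, so these hunks only build if the patch defines them and changes the stats fields in the ATM headers to the matching unchecked type elsewhere, none of which is visible here. Exempting pure traffic counters from whatever overflow checking the checked variants add is reasonable, since they are expected to wrap, but each converted site should be a statistic and never a reference count; here rx, rx_err, rx_drop and tx all qualify. The same conversion is made in the @@ -360, @@ -369, @@ -386, @@ -411, @@ -614 and @@ -773 hunks of this file.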
29137 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
29138 if (length > ATM_MAX_AAL5_PDU) {
29139 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
29140 __func__, length, vcc);
29141 - atomic_inc(&vcc->stats->rx_err);
29142 + atomic_inc_unchecked(&vcc->stats->rx_err);
29146 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
29147 if (sarb->len < pdu_length) {
29148 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
29149 __func__, pdu_length, sarb->len, vcc);
29150 - atomic_inc(&vcc->stats->rx_err);
29151 + atomic_inc_unchecked(&vcc->stats->rx_err);
29155 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
29156 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
29158 - atomic_inc(&vcc->stats->rx_err);
29159 + atomic_inc_unchecked(&vcc->stats->rx_err);
29163 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
29164 if (printk_ratelimit())
29165 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
29167 - atomic_inc(&vcc->stats->rx_drop);
29168 + atomic_inc_unchecked(&vcc->stats->rx_drop);
29172 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
29174 vcc->push(vcc, skb);
29176 - atomic_inc(&vcc->stats->rx);
29177 + atomic_inc_unchecked(&vcc->stats->rx);
29181 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
29182 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
29184 usbatm_pop(vcc, skb);
29185 - atomic_inc(&vcc->stats->tx);
29186 + atomic_inc_unchecked(&vcc->stats->tx);
29188 skb = skb_dequeue(&instance->sndqueue);
29190 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
29192 return sprintf(page,
29193 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
29194 - atomic_read(&atm_dev->stats.aal5.tx),
29195 - atomic_read(&atm_dev->stats.aal5.tx_err),
29196 - atomic_read(&atm_dev->stats.aal5.rx),
29197 - atomic_read(&atm_dev->stats.aal5.rx_err),
29198 - atomic_read(&atm_dev->stats.aal5.rx_drop));
29199 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
29200 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
29201 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
29202 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
29203 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
29206 if (instance->disconnected)
29207 diff -urNp linux-2.6.38.4/drivers/usb/class/cdc-acm.c linux-2.6.38.4/drivers/usb/class/cdc-acm.c
29208 --- linux-2.6.38.4/drivers/usb/class/cdc-acm.c 2011-04-18 17:27:16.000000000 -0400
29209 +++ linux-2.6.38.4/drivers/usb/class/cdc-acm.c 2011-04-17 15:57:32.000000000 -0400
29210 @@ -1640,7 +1640,7 @@ static const struct usb_device_id acm_id
29211 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
29212 USB_CDC_ACM_PROTO_AT_CDMA) },
29215 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
29218 MODULE_DEVICE_TABLE(usb, acm_ids);
29219 diff -urNp linux-2.6.38.4/drivers/usb/class/usblp.c linux-2.6.38.4/drivers/usb/class/usblp.c
29220 --- linux-2.6.38.4/drivers/usb/class/usblp.c 2011-03-14 21:20:32.000000000 -0400
29221 +++ linux-2.6.38.4/drivers/usb/class/usblp.c 2011-04-17 15:57:32.000000000 -0400
29222 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
29223 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
29224 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
29225 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
29230 static int usblp_wwait(struct usblp *usblp, int nonblock);
29231 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
29232 { USB_INTERFACE_INFO(7, 1, 2) },
29233 { USB_INTERFACE_INFO(7, 1, 3) },
29234 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
29235 - { } /* Terminating entry */
29236 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
29239 MODULE_DEVICE_TABLE(usb, usblp_ids);
29240 diff -urNp linux-2.6.38.4/drivers/usb/core/hcd.c linux-2.6.38.4/drivers/usb/core/hcd.c
29241 --- linux-2.6.38.4/drivers/usb/core/hcd.c 2011-04-22 19:20:59.000000000 -0400
29242 +++ linux-2.6.38.4/drivers/usb/core/hcd.c 2011-04-22 19:21:23.000000000 -0400
29243 @@ -2457,7 +2457,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
29245 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
29247 -struct usb_mon_operations *mon_ops;
29248 +const struct usb_mon_operations *mon_ops;
29251 * The registration is unlocked.
29252 @@ -2467,7 +2467,7 @@ struct usb_mon_operations *mon_ops;
29253 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
29256 -int usb_mon_register (struct usb_mon_operations *ops)
29257 +int usb_mon_register (const struct usb_mon_operations *ops)
29261 diff -urNp linux-2.6.38.4/drivers/usb/core/hub.c linux-2.6.38.4/drivers/usb/core/hub.c
29262 --- linux-2.6.38.4/drivers/usb/core/hub.c 2011-03-14 21:20:32.000000000 -0400
29263 +++ linux-2.6.38.4/drivers/usb/core/hub.c 2011-04-17 15:57:32.000000000 -0400
29264 @@ -3492,7 +3492,7 @@ static const struct usb_device_id hub_id
29265 .bDeviceClass = USB_CLASS_HUB},
29266 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
29267 .bInterfaceClass = USB_CLASS_HUB},
29268 - { } /* Terminating entry */
29269 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
29272 MODULE_DEVICE_TABLE (usb, hub_id_table);
29273 diff -urNp linux-2.6.38.4/drivers/usb/core/message.c linux-2.6.38.4/drivers/usb/core/message.c
29274 --- linux-2.6.38.4/drivers/usb/core/message.c 2011-03-14 21:20:32.000000000 -0400
29275 +++ linux-2.6.38.4/drivers/usb/core/message.c 2011-04-17 15:57:32.000000000 -0400
29276 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
29277 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
29279 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
29281 - smallbuf = kmalloc(++len, GFP_NOIO);
29283 + smallbuf = kmalloc(len, GFP_NOIO);
29286 memcpy(smallbuf, buf, len);
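Review bot: The pre-increment removed from `kmalloc(++len, GFP_NOIO)` must still happen exactly once before `memcpy(smallbuf, buf, len)`, because that copy now uses the same `len` as the allocation; the line the increment presumably moved into (the `if` between `usb_string` and the allocation) is not shown in this rendering, so the equivalence cannot be confirmed from the visible lines. If the increment was folded into the condition, a comment such as `/* len includes the terminating NUL from here on */` above the allocation would make the new ordering clear. usb_cache_string starts and ends outside this hunk.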
29287 diff -urNp linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c
29288 --- linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c 2011-03-14 21:20:32.000000000 -0400
29289 +++ linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c 2011-04-17 15:57:32.000000000 -0400
29290 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
29294 -static struct kgdb_io kgdbdbgp_io_ops;
29295 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
29296 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
29298 #define dbgp_kgdb_mode (0)
29299 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
29300 early_dbgp_write(NULL, &chr, 1);
29303 -static struct kgdb_io kgdbdbgp_io_ops = {
29304 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
29305 .name = "kgdbdbgp",
29306 .read_char = kgdbdbgp_read_char,
29307 .write_char = kgdbdbgp_write_char,
29308 diff -urNp linux-2.6.38.4/drivers/usb/host/ehci-pci.c linux-2.6.38.4/drivers/usb/host/ehci-pci.c
29309 --- linux-2.6.38.4/drivers/usb/host/ehci-pci.c 2011-03-14 21:20:32.000000000 -0400
29310 +++ linux-2.6.38.4/drivers/usb/host/ehci-pci.c 2011-04-17 15:57:32.000000000 -0400
29311 @@ -516,7 +516,7 @@ static const struct pci_device_id pci_id
29312 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
29313 .driver_data = (unsigned long) &ehci_pci_hc_driver,
29315 - { /* end: all zeroes */ }
29316 + { 0, 0, 0, 0, 0, 0, 0 }
29318 MODULE_DEVICE_TABLE(pci, pci_ids);
29320 diff -urNp linux-2.6.38.4/drivers/usb/host/uhci-hcd.c linux-2.6.38.4/drivers/usb/host/uhci-hcd.c
29321 --- linux-2.6.38.4/drivers/usb/host/uhci-hcd.c 2011-03-14 21:20:32.000000000 -0400
29322 +++ linux-2.6.38.4/drivers/usb/host/uhci-hcd.c 2011-04-17 15:57:32.000000000 -0400
29323 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
29324 /* handle any USB UHCI controller */
29325 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
29326 .driver_data = (unsigned long) &uhci_driver,
29327 - }, { /* end: all zeroes */ }
29328 + }, { 0, 0, 0, 0, 0, 0, 0 }
29331 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
29332 diff -urNp linux-2.6.38.4/drivers/usb/mon/mon_main.c linux-2.6.38.4/drivers/usb/mon/mon_main.c
29333 --- linux-2.6.38.4/drivers/usb/mon/mon_main.c 2011-03-14 21:20:32.000000000 -0400
29334 +++ linux-2.6.38.4/drivers/usb/mon/mon_main.c 2011-04-17 15:57:32.000000000 -0400
29335 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
29339 -static struct usb_mon_operations mon_ops_0 = {
29340 +static const struct usb_mon_operations mon_ops_0 = {
29341 .urb_submit = mon_submit,
29342 .urb_submit_error = mon_submit_error,
29343 .urb_complete = mon_complete,
29344 diff -urNp linux-2.6.38.4/drivers/usb/storage/debug.h linux-2.6.38.4/drivers/usb/storage/debug.h
29345 --- linux-2.6.38.4/drivers/usb/storage/debug.h 2011-03-14 21:20:32.000000000 -0400
29346 +++ linux-2.6.38.4/drivers/usb/storage/debug.h 2011-04-17 15:57:32.000000000 -0400
29347 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
29348 #define US_DEBUGPX(x...) printk( x )
29349 #define US_DEBUG(x) x
29351 -#define US_DEBUGP(x...)
29352 -#define US_DEBUGPX(x...)
29353 -#define US_DEBUG(x)
29354 +#define US_DEBUGP(x...) do {} while (0)
29355 +#define US_DEBUGPX(x...) do {} while (0)
29356 +#define US_DEBUG(x) do {} while (0)
29360 diff -urNp linux-2.6.38.4/drivers/usb/storage/usb.c linux-2.6.38.4/drivers/usb/storage/usb.c
29361 --- linux-2.6.38.4/drivers/usb/storage/usb.c 2011-03-14 21:20:32.000000000 -0400
29362 +++ linux-2.6.38.4/drivers/usb/storage/usb.c 2011-04-17 15:57:32.000000000 -0400
29363 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
29365 static struct us_unusual_dev us_unusual_dev_list[] = {
29366 # include "unusual_devs.h"
29367 - { } /* Terminating entry */
29368 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
29372 diff -urNp linux-2.6.38.4/drivers/usb/storage/usual-tables.c linux-2.6.38.4/drivers/usb/storage/usual-tables.c
29373 --- linux-2.6.38.4/drivers/usb/storage/usual-tables.c 2011-03-14 21:20:32.000000000 -0400
29374 +++ linux-2.6.38.4/drivers/usb/storage/usual-tables.c 2011-04-17 15:57:32.000000000 -0400
29377 struct usb_device_id usb_storage_usb_ids[] = {
29378 # include "unusual_devs.h"
29379 - { } /* Terminating entry */
29380 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
29382 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
29384 diff -urNp linux-2.6.38.4/drivers/vhost/vhost.c linux-2.6.38.4/drivers/vhost/vhost.c
29385 --- linux-2.6.38.4/drivers/vhost/vhost.c 2011-03-14 21:20:32.000000000 -0400
29386 +++ linux-2.6.38.4/drivers/vhost/vhost.c 2011-04-17 15:57:32.000000000 -0400
29387 @@ -565,7 +565,7 @@ static int init_used(struct vhost_virtqu
29388 return get_user(vq->last_used_idx, &used->idx);
29391 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
29392 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
29394 struct file *eventfp, *filep = NULL,
29395 *pollstart = NULL, *pollstop = NULL;
29396 diff -urNp linux-2.6.38.4/drivers/video/fbcmap.c linux-2.6.38.4/drivers/video/fbcmap.c
29397 --- linux-2.6.38.4/drivers/video/fbcmap.c 2011-03-14 21:20:32.000000000 -0400
29398 +++ linux-2.6.38.4/drivers/video/fbcmap.c 2011-04-17 15:57:32.000000000 -0400
29399 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
29403 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
29404 - !info->fbops->fb_setcmap)) {
29405 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
29409 diff -urNp linux-2.6.38.4/drivers/video/fbmem.c linux-2.6.38.4/drivers/video/fbmem.c
29410 --- linux-2.6.38.4/drivers/video/fbmem.c 2011-03-14 21:20:32.000000000 -0400
29411 +++ linux-2.6.38.4/drivers/video/fbmem.c 2011-04-17 15:57:32.000000000 -0400
29412 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
29413 image->dx += image->width + 8;
29415 } else if (rotate == FB_ROTATE_UD) {
29416 - for (x = 0; x < num && image->dx >= 0; x++) {
29417 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
29418 info->fbops->fb_imageblit(info, image);
29419 image->dx -= image->width + 8;
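Review bot: The cast in `(__s32)image->dx >= 0` only terminates the loop if `dx` is an unsigned field, in which case the original `image->dx >= 0` was always true and the loop ran `num` times with a wrapped `dx`; the hunk does not show the declaration, and the cast deserves a comment, e.g. `/* dx is unsigned: the cast detects the wrap from the subtraction below */`. An alternative that does not depend on reinterpreting the bits is to remember the starting value and stop once `image->dx` exceeds it. The @@ -415 hunk applies the same cast to `dy` and the same remarks hold; fb_do_show_logo starts outside this hunk.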
29421 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
29422 image->dy += image->height + 8;
29424 } else if (rotate == FB_ROTATE_CCW) {
29425 - for (x = 0; x < num && image->dy >= 0; x++) {
29426 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
29427 info->fbops->fb_imageblit(info, image);
29428 image->dy -= image->height + 8;
29430 @@ -1101,7 +1101,7 @@ static long do_fb_ioctl(struct fb_info *
29432 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
29434 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
29435 + if (con2fb.framebuffer >= FB_MAX)
29437 if (!registered_fb[con2fb.framebuffer])
29438 request_module("fb%d", con2fb.framebuffer);
29439 diff -urNp linux-2.6.38.4/drivers/video/fbmon.c linux-2.6.38.4/drivers/video/fbmon.c
29440 --- linux-2.6.38.4/drivers/video/fbmon.c 2011-03-14 21:20:32.000000000 -0400
29441 +++ linux-2.6.38.4/drivers/video/fbmon.c 2011-04-17 15:57:32.000000000 -0400
29444 #define DPRINTK(fmt, args...) printk(fmt,## args)
29446 -#define DPRINTK(fmt, args...)
29447 +#define DPRINTK(fmt, args...) do {} while (0)
29450 #define FBMON_FIX_HEADER 1
29451 diff -urNp linux-2.6.38.4/drivers/video/i810/i810_accel.c linux-2.6.38.4/drivers/video/i810/i810_accel.c
29452 --- linux-2.6.38.4/drivers/video/i810/i810_accel.c 2011-03-14 21:20:32.000000000 -0400
29453 +++ linux-2.6.38.4/drivers/video/i810/i810_accel.c 2011-04-17 15:57:32.000000000 -0400
29454 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
29457 printk("ringbuffer lockup!!!\n");
29458 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
29459 i810_report_error(mmio);
29460 par->dev_flags |= LOCKUP;
29461 info->pixmap.scan_align = 1;
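Review bot: The added `printk` carries no log level, so the diagnostic is emitted at the default level rather than at the severity of the lockup it describes; it matches the adjacent level-less `printk("ringbuffer lockup!!!\n")`, but the new line at least should read `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The `%u` specifiers require head, tail, par->iring.size and space to be unsigned, which the declarations above this hunk would confirm. wait_for_space starts outside this hunk.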
29462 diff -urNp linux-2.6.38.4/drivers/video/i810/i810_main.c linux-2.6.38.4/drivers/video/i810/i810_main.c
29463 --- linux-2.6.38.4/drivers/video/i810/i810_main.c 2011-03-14 21:20:32.000000000 -0400
29464 +++ linux-2.6.38.4/drivers/video/i810/i810_main.c 2011-04-17 15:57:32.000000000 -0400
29465 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
29466 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
29467 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
29468 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
29470 + { 0, 0, 0, 0, 0, 0, 0 },
29473 static struct pci_driver i810fb_driver = {
29474 diff -urNp linux-2.6.38.4/drivers/video/modedb.c linux-2.6.38.4/drivers/video/modedb.c
29475 --- linux-2.6.38.4/drivers/video/modedb.c 2011-03-14 21:20:32.000000000 -0400
29476 +++ linux-2.6.38.4/drivers/video/modedb.c 2011-04-17 15:57:32.000000000 -0400
29477 @@ -40,255 +40,255 @@ static const struct fb_videomode modedb[
29479 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
29480 { NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2, 0,
29481 - FB_VMODE_NONINTERLACED },
29482 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29484 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
29485 { NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2, 0,
29486 - FB_VMODE_NONINTERLACED },
29487 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29489 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
29490 { NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2, 0,
29491 - FB_VMODE_NONINTERLACED },
29492 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29494 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
29495 { NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8, 0,
29496 - FB_VMODE_INTERLACED },
29497 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29499 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
29500 { NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
29501 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED },
29502 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29504 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
29505 { NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3, 0,
29506 - FB_VMODE_NONINTERLACED },
29507 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29509 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
29510 { NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3, 0,
29511 - FB_VMODE_NONINTERLACED },
29512 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29514 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
29515 { NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
29516 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29517 - FB_VMODE_NONINTERLACED },
29518 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29520 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
29521 { NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3, 0,
29522 - FB_VMODE_NONINTERLACED },
29523 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29525 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
29526 { NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10, 0,
29527 - FB_VMODE_INTERLACED },
29528 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29529 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
29530 { NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
29531 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29532 - FB_VMODE_NONINTERLACED },
29533 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29535 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
29536 { NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6, 0,
29537 - FB_VMODE_NONINTERLACED },
29538 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29540 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
29541 { NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6, 0,
29542 - FB_VMODE_NONINTERLACED },
29543 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29545 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
29546 { NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8, 0,
29547 - FB_VMODE_NONINTERLACED },
29548 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29550 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
29551 { NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5, 0,
29552 - FB_VMODE_NONINTERLACED },
29553 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29555 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
29556 { NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6, 0,
29557 - FB_VMODE_NONINTERLACED },
29558 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29560 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
29561 { NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12, 0,
29562 - FB_VMODE_INTERLACED },
29563 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29565 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
29566 { NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6, 0,
29567 - FB_VMODE_NONINTERLACED },
29568 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29570 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
29571 { NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3, 0,
29572 - FB_VMODE_NONINTERLACED },
29573 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29575 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
29576 { NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10, 0,
29577 - FB_VMODE_NONINTERLACED },
29578 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29580 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
29581 { NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3, 0,
29582 - FB_VMODE_NONINTERLACED },
29583 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29585 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
29586 { NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3, 0,
29587 - FB_VMODE_NONINTERLACED },
29588 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29590 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
29591 { NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
29592 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29593 - FB_VMODE_NONINTERLACED },
29594 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29596 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
29597 { NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
29598 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29599 - FB_VMODE_NONINTERLACED },
29600 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29602 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
29603 { NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6, 0,
29604 - FB_VMODE_NONINTERLACED },
29605 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29607 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
29608 { NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12, 0,
29609 - FB_VMODE_NONINTERLACED },
29610 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29612 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
29613 { NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8, 0,
29614 - FB_VMODE_NONINTERLACED },
29615 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29617 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
29618 { NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
29619 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29620 - FB_VMODE_NONINTERLACED },
29621 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29623 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
29624 { NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12, 0,
29625 - FB_VMODE_NONINTERLACED },
29626 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29628 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
29629 { NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3, 0,
29630 - FB_VMODE_NONINTERLACED },
29631 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29633 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
29634 { NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10, 0,
29635 - FB_VMODE_NONINTERLACED },
29636 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29638 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
29639 { NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3, 0,
29640 - FB_VMODE_NONINTERLACED },
29641 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29643 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
29644 { NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3, 0,
29645 - FB_VMODE_NONINTERLACED },
29646 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29648 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
29649 { NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19, 0,
29650 - FB_VMODE_NONINTERLACED },
29651 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29653 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
29654 { NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
29655 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29656 - FB_VMODE_NONINTERLACED },
29657 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29659 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
29660 { NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
29661 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29662 - FB_VMODE_NONINTERLACED },
29663 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29665 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
29666 { NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
29667 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29668 - FB_VMODE_NONINTERLACED },
29669 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29671 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
29672 { NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
29673 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29674 - FB_VMODE_NONINTERLACED },
29675 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29677 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
29678 { NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15, 0,
29679 - FB_VMODE_NONINTERLACED },
29680 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29682 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
29683 { NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
29684 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29685 - FB_VMODE_NONINTERLACED },
29686 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29688 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
29689 { NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
29690 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29691 - FB_VMODE_NONINTERLACED },
29692 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29694 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
29695 { NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3, 0,
29696 - FB_VMODE_NONINTERLACED },
29697 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29699 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
29700 { NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3, 0,
29701 - FB_VMODE_NONINTERLACED },
29702 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29704 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
29705 { NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1, 0,
29706 - FB_VMODE_DOUBLE },
29707 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29709 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
29710 { NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1, 0,
29711 - FB_VMODE_DOUBLE },
29712 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29714 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
29715 { NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2, 0,
29716 - FB_VMODE_DOUBLE },
29717 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29719 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
29720 { NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1, 0,
29721 - FB_VMODE_DOUBLE },
29722 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29724 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
29725 { NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2, 0,
29726 - FB_VMODE_DOUBLE },
29727 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29729 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
29730 { NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3, 0,
29731 - FB_VMODE_DOUBLE },
29732 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29734 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
29735 { NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1, 0,
29736 - FB_VMODE_DOUBLE },
29737 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29739 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
29740 { NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2, 0,
29741 - FB_VMODE_DOUBLE },
29742 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29744 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
29745 { NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2, 0,
29746 - FB_VMODE_DOUBLE },
29747 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29749 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
29750 { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0,
29751 - FB_VMODE_DOUBLE },
29752 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29754 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
29755 { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
29756 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29757 - FB_VMODE_NONINTERLACED },
29758 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29760 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
29761 { NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
29762 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29763 - FB_VMODE_NONINTERLACED },
29764 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29766 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
29767 { NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5, 0,
29768 - FB_VMODE_NONINTERLACED },
29769 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29771 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
29772 { NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3, 0,
29773 - FB_VMODE_NONINTERLACED },
29774 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29776 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29777 { NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5, 0,
29778 - FB_VMODE_INTERLACED },
29779 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29781 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29782 { NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5, 0,
29783 - FB_VMODE_INTERLACED },
29784 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29786 /* 864x480 @ 60 Hz, 35.15 kHz hsync */
29787 { NULL, 60, 864, 480, 27777, 1, 1, 1, 1, 0, 0,
29788 - 0, FB_VMODE_NONINTERLACED },
29789 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29792 #ifdef CONFIG_FB_MODE_HELPERS
29793 diff -urNp linux-2.6.38.4/drivers/video/pxa3xx-gcu.c linux-2.6.38.4/drivers/video/pxa3xx-gcu.c
29794 --- linux-2.6.38.4/drivers/video/pxa3xx-gcu.c 2011-03-14 21:20:32.000000000 -0400
29795 +++ linux-2.6.38.4/drivers/video/pxa3xx-gcu.c 2011-04-17 15:57:32.000000000 -0400
29796 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
29797 dma_addr_t shared_phys;
29798 struct resource *resource_mem;
29799 struct miscdevice misc_dev;
29800 - struct file_operations misc_fops;
29801 + const struct file_operations misc_fops;
29802 wait_queue_head_t wait_idle;
29803 wait_queue_head_t wait_free;
29804 spinlock_t spinlock;
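Review bot: Making the embedded member `const` at `+ const struct file_operations misc_fops;` only achieves read-only ops if nothing assigns the member after the struct is allocated; the probe code that fills it is outside this hunk, and if it still populates `priv->misc_fops.open = ...` field by field (or copies a struct into it) that no longer compiles, while a zeroed allocation would leave a const member empty forever. If the ops are fixed, a file-scope `static const struct file_operations` object (e.g. `pxa3xx_gcu_misc_fops`, a constructed name) referenced from `priv->misc_dev.fops` gives the same write-protection without an unassignable member inside a heap-allocated struct. The struct definition starts outside this hunk.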
29805 diff -urNp linux-2.6.38.4/drivers/video/uvesafb.c linux-2.6.38.4/drivers/video/uvesafb.c
29806 --- linux-2.6.38.4/drivers/video/uvesafb.c 2011-03-14 21:20:32.000000000 -0400
29807 +++ linux-2.6.38.4/drivers/video/uvesafb.c 2011-04-17 15:57:32.000000000 -0400
29809 #include <linux/io.h>
29810 #include <linux/mutex.h>
29811 #include <linux/slab.h>
29812 +#include <linux/moduleloader.h>
29813 #include <video/edid.h>
29814 #include <video/uvesafb.h>
29816 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
29820 - return call_usermodehelper(v86d_path, argv, envp, 1);
29821 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
29825 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
29826 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
29827 par->pmi_setpal = par->ypan = 0;
29830 +#ifdef CONFIG_PAX_KERNEXEC
29831 +#ifdef CONFIG_MODULES
29832 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
29834 + if (!par->pmi_code) {
29835 + par->pmi_setpal = par->ypan = 0;
29840 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
29841 + task->t.regs.edi);
29843 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29844 + pax_open_kernel();
29845 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
29846 + pax_close_kernel();
29848 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
29849 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
29851 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
29852 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
29855 printk(KERN_INFO "uvesafb: protected mode interface info at "
29857 (u16)task->t.regs.es, (u16)task->t.regs.edi);
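Review bot: The table offsets `par->pmi_base[1]` and `par->pmi_base[2]` added to `par->pmi_code` come from the BIOS-supplied PMI block but are never compared with the `(u16)task->t.regs.ecx` bytes that were allocated and copied, so `pmi_start`/`pmi_pal` can end up outside the `module_alloc_exec()` region and the code that later calls through them (outside this hunk) would leave the copied table. A check before the two `ktva_ktla()` lines, `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)` taking the same disable path as the `!par->pmi_code` case, keeps both pointers inside the copy, and a zero-length table (`(u16)task->t.regs.ecx == 0`) should be rejected before `module_alloc_exec()` is called rather than relying on the allocator's handling of size 0. The vesafb hunk at `@@ -329,9 +339,25 @@` has the same unchecked `pmi_base[1]`/`pmi_base[2]` offsets against `screen_info.vesapm_size`. uvesafb_vbe_getpmi continues outside this hunk.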
29858 @@ -1800,6 +1823,11 @@ out:
29859 if (par->vbe_modes)
29860 kfree(par->vbe_modes);
29862 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29863 + if (par->pmi_code)
29864 + module_free_exec(NULL, par->pmi_code);
29867 framebuffer_release(info);
29870 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
29871 kfree(par->vbe_state_orig);
29872 if (par->vbe_state_saved)
29873 kfree(par->vbe_state_saved);
29875 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29876 + if (par->pmi_code)
29877 + module_free_exec(NULL, par->pmi_code);
29882 framebuffer_release(info);
29883 diff -urNp linux-2.6.38.4/drivers/video/vesafb.c linux-2.6.38.4/drivers/video/vesafb.c
29884 --- linux-2.6.38.4/drivers/video/vesafb.c 2011-03-14 21:20:32.000000000 -0400
29885 +++ linux-2.6.38.4/drivers/video/vesafb.c 2011-04-17 15:57:32.000000000 -0400
29889 #include <linux/module.h>
29890 +#include <linux/moduleloader.h>
29891 #include <linux/kernel.h>
29892 #include <linux/errno.h>
29893 #include <linux/string.h>
29894 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
29895 static int vram_total __initdata; /* Set total amount of memory */
29896 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29897 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29898 -static void (*pmi_start)(void) __read_mostly;
29899 -static void (*pmi_pal) (void) __read_mostly;
29900 +static void (*pmi_start)(void) __read_only;
29901 +static void (*pmi_pal) (void) __read_only;
29902 static int depth __read_mostly;
29903 static int vga_compat __read_mostly;
29904 /* --------------------------------------------------------------------- */
29905 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29906 unsigned int size_vmode;
29907 unsigned int size_remap;
29908 unsigned int size_total;
29909 + void *pmi_code = NULL;
29911 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29913 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29914 size_remap = size_total;
29915 vesafb_fix.smem_len = size_remap;
29918 - screen_info.vesapm_seg = 0;
29921 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29922 printk(KERN_WARNING
29923 "vesafb: cannot reserve video memory at 0x%lx\n",
29924 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29925 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29926 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29930 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29931 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29933 +#elif !defined(CONFIG_PAX_KERNEXEC)
29938 + screen_info.vesapm_seg = 0;
29940 if (screen_info.vesapm_seg) {
29941 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29942 - screen_info.vesapm_seg,screen_info.vesapm_off);
29943 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29944 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29947 if (screen_info.vesapm_seg < 0xc000)
29948 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29950 if (ypan || pmi_setpal) {
29951 unsigned short *pmi_base;
29952 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29953 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29954 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29956 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29958 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29959 + pax_open_kernel();
29960 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29962 + pmi_code = pmi_base;
29965 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29966 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29968 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29969 + pmi_start = ktva_ktla(pmi_start);
29970 + pmi_pal = ktva_ktla(pmi_pal);
29971 + pax_close_kernel();
29974 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29976 printk(KERN_INFO "vesafb: pmi: ports = ");
29977 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29978 info->node, info->fix.id);
29982 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29983 + module_free_exec(NULL, pmi_code);
29986 if (info->screen_base)
29987 iounmap(info->screen_base);
29988 framebuffer_release(info);
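Review bot: `module_free_exec(NULL, pmi_code);` runs on every path through this error label, including the ones reached before the allocation in the `@@ -319,9 +317,21 @@` hunk (for example the `request_mem_region` failure), where `pmi_code` still holds the `NULL` it was initialised with; unless `module_free_exec()` is documented to accept NULL (not visible here), guard it the way the uvesafb hunks do: `if (pmi_code) module_free_exec(NULL, pmi_code);`. Separately, this free is conditioned on `__i386__` while the allocation is guarded only by `CONFIG_MODULES && CONFIG_PAX_KERNEXEC`; unless the lines omitted from that hunk's listing skip the allocation on other architectures, an x86_64 build would allocate here and never free on this path. The error label and the surrounding probe function start outside this hunk.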
29989 diff -urNp linux-2.6.38.4/fs/9p/vfs_inode.c linux-2.6.38.4/fs/9p/vfs_inode.c
29990 --- linux-2.6.38.4/fs/9p/vfs_inode.c 2011-03-14 21:20:32.000000000 -0400
29991 +++ linux-2.6.38.4/fs/9p/vfs_inode.c 2011-04-17 15:57:32.000000000 -0400
29992 @@ -1094,7 +1094,7 @@ static void *v9fs_vfs_follow_link(struct
29994 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29996 - char *s = nd_get_link(nd);
29997 + const char *s = nd_get_link(nd);
29999 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
30000 IS_ERR(s) ? "<error>" : s);
30001 diff -urNp linux-2.6.38.4/fs/aio.c linux-2.6.38.4/fs/aio.c
30002 --- linux-2.6.38.4/fs/aio.c 2011-04-18 17:27:16.000000000 -0400
30003 +++ linux-2.6.38.4/fs/aio.c 2011-04-17 15:57:32.000000000 -0400
30004 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
30005 size += sizeof(struct io_event) * nr_events;
30006 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
30008 - if (nr_pages < 0)
30009 + if (nr_pages <= 0)
30012 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
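Review bot: The tightened guard `if (nr_pages <= 0)` deserves a why-comment, because `size` is accumulated with `+=` from a base set above the hunk (presumably `sizeof(struct aio_ring)`), so `nr_pages` can only be 0 when the preceding arithmetic wrapped or the `int` conversion truncated, and the line after the check computes `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)`, which for `nr_pages == 0` underflows into a huge `nr_events`. A comment such as `/* 0 means size wrapped: the subtraction below would underflow nr_events */` next to the check makes the intent visible to the next reader. aio_setup_ring starts and ends outside this hunk.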
30013 diff -urNp linux-2.6.38.4/fs/attr.c linux-2.6.38.4/fs/attr.c
30014 --- linux-2.6.38.4/fs/attr.c 2011-03-14 21:20:32.000000000 -0400
30015 +++ linux-2.6.38.4/fs/attr.c 2011-04-17 15:57:32.000000000 -0400
30016 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
30017 unsigned long limit;
30019 limit = rlimit(RLIMIT_FSIZE);
30020 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
30021 if (limit != RLIM_INFINITY && offset > limit)
30023 if (offset > inode->i_sb->s_maxbytes)
30024 diff -urNp linux-2.6.38.4/fs/befs/linuxvfs.c linux-2.6.38.4/fs/befs/linuxvfs.c
30025 --- linux-2.6.38.4/fs/befs/linuxvfs.c 2011-03-14 21:20:32.000000000 -0400
30026 +++ linux-2.6.38.4/fs/befs/linuxvfs.c 2011-04-17 15:57:32.000000000 -0400
30027 @@ -499,7 +499,7 @@ static void befs_put_link(struct dentry
30029 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
30030 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
30031 - char *link = nd_get_link(nd);
30032 + const char *link = nd_get_link(nd);
30036 diff -urNp linux-2.6.38.4/fs/binfmt_aout.c linux-2.6.38.4/fs/binfmt_aout.c
30037 --- linux-2.6.38.4/fs/binfmt_aout.c 2011-03-14 21:20:32.000000000 -0400
30038 +++ linux-2.6.38.4/fs/binfmt_aout.c 2011-04-17 15:57:32.000000000 -0400
30040 #include <linux/string.h>
30041 #include <linux/fs.h>
30042 #include <linux/file.h>
30043 +#include <linux/security.h>
30044 #include <linux/stat.h>
30045 #include <linux/fcntl.h>
30046 #include <linux/ptrace.h>
30047 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
30049 # define START_STACK(u) ((void __user *)u.start_stack)
30051 + memset(&dump, 0, sizeof(dump));
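Review bot: The new `memset(&dump, 0, sizeof(dump));` in aout_core_dump carries no comment on why it matters: `dump` is (per the rest of the function, outside this hunk) the `struct user` image written whole into the core file, so any padding or field left unset would carry kernel stack contents into a user-readable file. A one-line comment, `/* dump is written to the core file as a whole: zero it so padding and unset fields carry no kernel stack data */`, records that. aout_core_dump starts and ends outside this hunk.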
30056 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
30058 /* If the size of the dump file exceeds the rlimit, then see what would happen
30059 if we wrote the stack, but not the data area. */
30060 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
30061 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
30064 /* Make sure we have enough room to write the stack and data areas. */
30065 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
30066 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
30069 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
30070 rlim = rlimit(RLIMIT_DATA);
30071 if (rlim >= RLIM_INFINITY)
30074 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
30075 if (ex.a_data + ex.a_bss > rlim)
30078 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
30079 install_exec_creds(bprm);
30080 current->flags &= ~PF_FORKNOEXEC;
30082 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30083 + current->mm->pax_flags = 0UL;
30086 +#ifdef CONFIG_PAX_PAGEEXEC
30087 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
30088 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
30090 +#ifdef CONFIG_PAX_EMUTRAMP
30091 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
30092 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
30095 +#ifdef CONFIG_PAX_MPROTECT
30096 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
30097 + current->mm->pax_flags |= MF_PAX_MPROTECT;
30103 if (N_MAGIC(ex) == OMAGIC) {
30104 unsigned long text_addr, map_size;
30106 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
30108 down_write(¤t->mm->mmap_sem);
30109 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
30110 - PROT_READ | PROT_WRITE | PROT_EXEC,
30111 + PROT_READ | PROT_WRITE,
30112 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
30113 fd_offset + ex.a_text);
30114 up_write(¤t->mm->mmap_sem);
30115 diff -urNp linux-2.6.38.4/fs/binfmt_elf.c linux-2.6.38.4/fs/binfmt_elf.c
30116 --- linux-2.6.38.4/fs/binfmt_elf.c 2011-04-22 19:20:59.000000000 -0400
30117 +++ linux-2.6.38.4/fs/binfmt_elf.c 2011-04-22 19:21:23.000000000 -0400
30118 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
30119 #define elf_core_dump NULL
30122 +#ifdef CONFIG_PAX_MPROTECT
30123 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
30126 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
30127 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
30129 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
30130 .load_binary = load_elf_binary,
30131 .load_shlib = load_elf_library,
30132 .core_dump = elf_core_dump,
30134 +#ifdef CONFIG_PAX_MPROTECT
30135 + .handle_mprotect= elf_handle_mprotect,
30138 .min_coredump = ELF_EXEC_PAGESIZE,
30141 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
30143 static int set_brk(unsigned long start, unsigned long end)
30145 + unsigned long e = end;
30147 start = ELF_PAGEALIGN(start);
30148 end = ELF_PAGEALIGN(end);
30150 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
30151 if (BAD_ADDR(addr))
30154 - current->mm->start_brk = current->mm->brk = end;
30155 + current->mm->start_brk = current->mm->brk = e;
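Review bot: The one-letter local `e` introduced in the `@@ -77,6 +86,8 @@` hunk and consumed here at `current->mm->start_brk = current->mm->brk = e;` hides the point of the change, which is that the heap now starts at the caller's exact `end` while the mapping set up between the two hunks (not shown) still uses the `ELF_PAGEALIGN`ed value. A descriptive name with a comment, `unsigned long unaligned_end = end; /* heap starts at the exact bss end, not the page-aligned one */`, would make the intent clear without changing behaviour. set_brk's middle lines are not shown in this listing.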
30159 @@ -148,12 +159,13 @@ create_elf_tables(struct linux_binprm *b
30160 elf_addr_t __user *u_rand_bytes;
30161 const char *k_platform = ELF_PLATFORM;
30162 const char *k_base_platform = ELF_BASE_PLATFORM;
30163 - unsigned char k_rand_bytes[16];
30164 + u32 k_rand_bytes[4];
30166 elf_addr_t *elf_info;
30168 const struct cred *cred = current_cred();
30169 struct vm_area_struct *vma;
30170 + unsigned long saved_auxv[AT_VECTOR_SIZE];
30173 * In some cases (e.g. Hyper-Threading), we want to avoid L1
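Review bot: `unsigned long saved_auxv[AT_VECTOR_SIZE];` is declared with a different element type from the `elf_addr_t` array it mirrors (`elf_info`); the copy in the `@@ -308,9 +324,11 @@` hunk is sized in `elf_addr_t` units so it cannot overrun, but on a 64-bit kernel loading a compat ELF the buffer is twice the size it needs to be and the mismatch invites a future sizing mistake. Declaring it `elf_addr_t saved_auxv[AT_VECTOR_SIZE];` keeps the buffer, the `memcpy` and the `copy_to_user` in the same units. create_elf_tables continues outside this hunk.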
30174 @@ -195,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
30175 * Generate 16 random bytes for userspace PRNG seeding.
30177 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
30178 - u_rand_bytes = (elf_addr_t __user *)
30179 - STACK_ALLOC(p, sizeof(k_rand_bytes));
30180 + srandom32(k_rand_bytes[0] ^ random32());
30181 + srandom32(k_rand_bytes[1] ^ random32());
30182 + srandom32(k_rand_bytes[2] ^ random32());
30183 + srandom32(k_rand_bytes[3] ^ random32());
30184 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
30185 + u_rand_bytes = (elf_addr_t __user *) p;
30186 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
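Review bot: Replacing `STACK_ALLOC(p, sizeof(k_rand_bytes))` with `p = STACK_ROUND(p, sizeof(k_rand_bytes)); u_rand_bytes = (elf_addr_t __user *) p;` assumes `STACK_ROUND` returns the low end of the reserved space, which matches the stack-grows-down definition; if the `CONFIG_STACK_GROWSUP` variant (defined above this hunk, not visible) rounds up past `sp + items` instead, `u_rand_bytes` would point at space the next `STACK_ALLOC` hands out again and the 16 bytes would be overwritten, so this is worth checking against that macro. The four `srandom32(k_rand_bytes[n] ^ random32())` calls also need a why-comment: they feed the freshly generated bytes into the `random32()` pool, yet the same bytes are then handed to the new process as AT_RANDOM, and the comment should state why that is acceptable (presumably because the XOR with `random32()` output keeps the actual seed private). create_elf_tables continues outside this hunk.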
30189 @@ -308,9 +324,11 @@ create_elf_tables(struct linux_binprm *b
30191 current->mm->env_end = p;
30193 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
30195 /* Put the elf_info on the stack in the right place. */
30196 sp = (elf_addr_t __user *)envp + 1;
30197 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
30198 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
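Review bot: The bounce through `saved_auxv` (`memcpy(saved_auxv, elf_info, ...)` followed by `copy_to_user(sp, saved_auxv, ...)`) replaces a direct copy from `elf_info` with no comment saying why the extra copy is needed; nothing in the hunk modifies `elf_info` in between, so a reader will assume the copy is redundant and remove it. If the reason is that `elf_info` points into `current->mm->saved_auxv` and the kernel-side source of `copy_to_user` has to be a stack object (a restriction I am inferring, not one the hunk shows), say so: `/* copy from a stack buffer: the copy_to_user source must not be the mm_struct */`. create_elf_tables continues outside this hunk.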
30202 @@ -381,10 +399,10 @@ static unsigned long load_elf_interp(str
30204 struct elf_phdr *elf_phdata;
30205 struct elf_phdr *eppnt;
30206 - unsigned long load_addr = 0;
30207 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
30208 int load_addr_set = 0;
30209 unsigned long last_bss = 0, elf_bss = 0;
30210 - unsigned long error = ~0UL;
30211 + unsigned long error = -EINVAL;
30212 unsigned long total_size;
30213 int retval, i, size;
30215 @@ -430,6 +448,11 @@ static unsigned long load_elf_interp(str
30219 +#ifdef CONFIG_PAX_SEGMEXEC
30220 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
30221 + pax_task_size = SEGMEXEC_TASK_SIZE;
30224 eppnt = elf_phdata;
30225 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
30226 if (eppnt->p_type == PT_LOAD) {
30227 @@ -473,8 +496,8 @@ static unsigned long load_elf_interp(str
30228 k = load_addr + eppnt->p_vaddr;
30230 eppnt->p_filesz > eppnt->p_memsz ||
30231 - eppnt->p_memsz > TASK_SIZE ||
30232 - TASK_SIZE - eppnt->p_memsz < k) {
30233 + eppnt->p_memsz > pax_task_size ||
30234 + pax_task_size - eppnt->p_memsz < k) {
30238 @@ -528,6 +551,193 @@ out:
30242 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
30243 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
30245 + unsigned long pax_flags = 0UL;
30247 +#ifdef CONFIG_PAX_PAGEEXEC
30248 + if (elf_phdata->p_flags & PF_PAGEEXEC)
30249 + pax_flags |= MF_PAX_PAGEEXEC;
30252 +#ifdef CONFIG_PAX_SEGMEXEC
30253 + if (elf_phdata->p_flags & PF_SEGMEXEC)
30254 + pax_flags |= MF_PAX_SEGMEXEC;
30257 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30258 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30259 + if ((__supported_pte_mask & _PAGE_NX))
30260 + pax_flags &= ~MF_PAX_SEGMEXEC;
30262 + pax_flags &= ~MF_PAX_PAGEEXEC;
30266 +#ifdef CONFIG_PAX_EMUTRAMP
30267 + if (elf_phdata->p_flags & PF_EMUTRAMP)
30268 + pax_flags |= MF_PAX_EMUTRAMP;
30271 +#ifdef CONFIG_PAX_MPROTECT
30272 + if (elf_phdata->p_flags & PF_MPROTECT)
30273 + pax_flags |= MF_PAX_MPROTECT;
30276 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
30277 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
30278 + pax_flags |= MF_PAX_RANDMMAP;
30281 + return pax_flags;
30285 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30286 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
30288 + unsigned long pax_flags = 0UL;
30290 +#ifdef CONFIG_PAX_PAGEEXEC
30291 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
30292 + pax_flags |= MF_PAX_PAGEEXEC;
30295 +#ifdef CONFIG_PAX_SEGMEXEC
30296 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
30297 + pax_flags |= MF_PAX_SEGMEXEC;
30300 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30301 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30302 + if ((__supported_pte_mask & _PAGE_NX))
30303 + pax_flags &= ~MF_PAX_SEGMEXEC;
30305 + pax_flags &= ~MF_PAX_PAGEEXEC;
30309 +#ifdef CONFIG_PAX_EMUTRAMP
30310 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
30311 + pax_flags |= MF_PAX_EMUTRAMP;
30314 +#ifdef CONFIG_PAX_MPROTECT
30315 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
30316 + pax_flags |= MF_PAX_MPROTECT;
30319 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
30320 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
30321 + pax_flags |= MF_PAX_RANDMMAP;
30324 + return pax_flags;
30328 +#ifdef CONFIG_PAX_EI_PAX
30329 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
30331 + unsigned long pax_flags = 0UL;
30333 +#ifdef CONFIG_PAX_PAGEEXEC
30334 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
30335 + pax_flags |= MF_PAX_PAGEEXEC;
30338 +#ifdef CONFIG_PAX_SEGMEXEC
30339 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
30340 + pax_flags |= MF_PAX_SEGMEXEC;
30343 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30344 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30345 + if ((__supported_pte_mask & _PAGE_NX))
30346 + pax_flags &= ~MF_PAX_SEGMEXEC;
30348 + pax_flags &= ~MF_PAX_PAGEEXEC;
30352 +#ifdef CONFIG_PAX_EMUTRAMP
30353 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
30354 + pax_flags |= MF_PAX_EMUTRAMP;
30357 +#ifdef CONFIG_PAX_MPROTECT
30358 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
30359 + pax_flags |= MF_PAX_MPROTECT;
30362 +#ifdef CONFIG_PAX_ASLR
30363 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
30364 + pax_flags |= MF_PAX_RANDMMAP;
30367 + return pax_flags;
30371 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
30372 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
30374 + unsigned long pax_flags = 0UL;
30376 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30378 + int found_flags = 0;
30381 +#ifdef CONFIG_PAX_EI_PAX
30382 + pax_flags = pax_parse_ei_pax(elf_ex);
30385 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30386 + for (i = 0UL; i < elf_ex->e_phnum; i++)
30387 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
30388 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
30389 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
30390 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
30391 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
30392 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
30395 +#ifdef CONFIG_PAX_SOFTMODE
30396 + if (pax_softmode)
30397 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
30401 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
30407 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
30408 + if (found_flags == 0) {
30409 + struct elf_phdr phdr;
30410 + memset(&phdr, 0, sizeof(phdr));
30411 + phdr.p_flags = PF_NOEMUTRAMP;
30412 +#ifdef CONFIG_PAX_SOFTMODE
30413 + if (pax_softmode)
30414 + pax_flags = pax_parse_softmode(&phdr);
30417 + pax_flags = pax_parse_hardmode(&phdr);
30421 + if (0 > pax_check_flags(&pax_flags))
30424 + current->mm->pax_flags = pax_flags;
30430 * These are the functions used to load ELF style executables and shared
30431 * libraries. There is no binary dependent code anywhere else.
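Review bot: `pax_parse_softmode`, `pax_parse_hardmode` and `pax_parse_ei_pax` each repeat the same block that resolves a request for both `MF_PAX_PAGEEXEC` and `MF_PAX_SEGMEXEC` by testing `__supported_pte_mask & _PAGE_NX`; factoring it into one helper keeps the NX-versus-segmentation decision in a single place when it changes. The parameter name `elf_phdata` in the two PT_PAX_FLAGS parsers is also misleading, since each receives a single `&elf_phdata[i]`, and a short comment on `pax_parse_elf_flags` stating the precedence (EI_PAX bits first, an explicit PT_PAX_FLAGS entry overrides them, and the `PF_NOEMUTRAMP` default applies when neither is present) would spare the next reader reconstructing it from the `#if` ladder. Several `else`/`#endif` lines of this hunk are omitted from the listing, so the helper below is written from the visible structure.
```c
/* Both PAGEEXEC and SEGMEXEC were requested: keep only the one the CPU
 * can enforce (NX page bits when supported, segmentation otherwise). */
static unsigned long pax_resolve_noexec(unsigned long pax_flags)
{
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
		if (__supported_pte_mask & _PAGE_NX)
			pax_flags &= ~MF_PAX_SEGMEXEC;
		else
			pax_flags &= ~MF_PAX_PAGEEXEC;
	}
#endif
	return pax_flags;
}

static unsigned long pax_parse_softmode(const struct elf_phdr * const phdr)
{
	unsigned long pax_flags = 0UL;

	/* … unchanged: PAGEEXEC / SEGMEXEC bits taken from phdr->p_flags … */
	pax_flags = pax_resolve_noexec(pax_flags);
	/* … unchanged: EMUTRAMP / MPROTECT / RANDMMAP bits … */

	return pax_flags;
}
/* … pax_parse_hardmode and pax_parse_ei_pax call pax_resolve_noexec() the same way … */
```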
30432 @@ -544,6 +754,11 @@ static unsigned long randomize_stack_top
30434 unsigned int random_variable = 0;
30436 +#ifdef CONFIG_PAX_RANDUSTACK
30437 + if (randomize_va_space)
30438 + return stack_top - current->mm->delta_stack;
30441 if ((current->flags & PF_RANDOMIZE) &&
30442 !(current->personality & ADDR_NO_RANDOMIZE)) {
30443 random_variable = get_random_int() & STACK_RND_MASK;
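Review bot: The early `return stack_top - current->mm->delta_stack;` under `CONFIG_PAX_RANDUSTACK` runs before the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test that follows it, so whenever `randomize_va_space` is set the personality bits no longer influence the stack top at all; if `delta_stack` is assigned only in the `MF_PAX_RANDMMAP` branch of load_elf_binary (as the `@@ -714,11 +929,80 @@` hunk suggests, with `0UL` otherwise), a binary without that PaX marking gets a fixed stack top where the upstream code would have randomised it. That is presumably the intended precedence, but it is a policy change and deserves a comment on the `return`, e.g. `/* PaX: the per-binary RANDMMAP marking decides stack randomisation; personality bits are not consulted */`. randomize_stack_top's remaining lines are outside this hunk.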
30444 @@ -562,7 +777,7 @@ static int load_elf_binary(struct linux_
30445 unsigned long load_addr = 0, load_bias = 0;
30446 int load_addr_set = 0;
30447 char * elf_interpreter = NULL;
30448 - unsigned long error;
30449 + unsigned long error = 0;
30450 struct elf_phdr *elf_ppnt, *elf_phdata;
30451 unsigned long elf_bss, elf_brk;
30453 @@ -572,11 +787,11 @@ static int load_elf_binary(struct linux_
30454 unsigned long start_code, end_code, start_data, end_data;
30455 unsigned long reloc_func_desc = 0;
30456 int executable_stack = EXSTACK_DEFAULT;
30457 - unsigned long def_flags = 0;
30459 struct elfhdr elf_ex;
30460 struct elfhdr interp_elf_ex;
30462 + unsigned long pax_task_size = TASK_SIZE;
30464 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
30466 @@ -714,11 +929,80 @@ static int load_elf_binary(struct linux_
30468 /* OK, This is the point of no return */
30469 current->flags &= ~PF_FORKNOEXEC;
30470 - current->mm->def_flags = def_flags;
30472 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30473 + current->mm->pax_flags = 0UL;
30476 +#ifdef CONFIG_PAX_DLRESOLVE
30477 + current->mm->call_dl_resolve = 0UL;
30480 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
30481 + current->mm->call_syscall = 0UL;
30484 +#ifdef CONFIG_PAX_ASLR
30485 + current->mm->delta_mmap = 0UL;
30486 + current->mm->delta_stack = 0UL;
30489 + current->mm->def_flags = 0;
30491 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
30492 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
30493 + send_sig(SIGKILL, current, 0);
30494 + goto out_free_dentry;
30498 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
30499 + pax_set_initial_flags(bprm);
30500 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
30501 + if (pax_set_initial_flags_func)
30502 + (pax_set_initial_flags_func)(bprm);
30505 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
30506 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
30507 + current->mm->context.user_cs_limit = PAGE_SIZE;
30508 + current->mm->def_flags |= VM_PAGEEXEC;
30512 +#ifdef CONFIG_PAX_SEGMEXEC
30513 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
30514 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
30515 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
30516 + pax_task_size = SEGMEXEC_TASK_SIZE;
30520 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
30521 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30522 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
30527 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
30528 may depend on the personality. */
30529 SET_PERSONALITY(loc->elf_ex);
30531 +#ifdef CONFIG_PAX_ASLR
30532 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
30533 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
30534 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
30538 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30539 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30540 + executable_stack = EXSTACK_DISABLE_X;
30541 + current->personality &= ~READ_IMPLIES_EXEC;
30545 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
30546 current->personality |= READ_IMPLIES_EXEC;
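Review bot: On the `pax_parse_elf_flags()` failure path, `send_sig(SIGKILL, current, 0); goto out_free_dentry;` does not assign `retval`, so unless one of the lines omitted from this listing does, load_elf_binary returns whatever `retval` held before the point of no return (presumably the 0 from `flush_old_exec`) and the failure is reported to the caller as success, with only the pending SIGKILL to stop the process; the other post-point-of-no-return failures in this file set an error code, so add `retval = -EINVAL;` beside the `send_sig`. The `set_user_cs(..., get_cpu())` call near the end of the hunk also needs its matching `put_cpu()` in the lines that follow, which this listing does not show. load_elf_binary starts and ends outside this hunk.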
30548 @@ -800,6 +1084,20 @@ static int load_elf_binary(struct linux_
30550 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
30553 +#ifdef CONFIG_PAX_RANDMMAP
30554 + /* PaX: randomize base address at the default exe base if requested */
30555 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
30556 +#ifdef CONFIG_SPARC64
30557 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
30559 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
30561 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
30562 + elf_flags |= MAP_FIXED;
30568 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
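Review bot: `elf_flags |= MAP_FIXED;` after computing a randomised `load_bias` means a collision with an existing mapping would be silently replaced rather than rejected; that is only safe because the address space is fresh at this point (after `flush_old_exec`, outside this hunk), and the block comment should say so rather than only "randomize base address". The `#ifdef CONFIG_SPARC64` variant shifts by `PAGE_SHIFT+1` with no explanation either; one line on why SPARC64 uses a coarser granule would help. The enclosing loop over program headers starts and ends outside this hunk.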
30569 @@ -832,9 +1130,9 @@ static int load_elf_binary(struct linux_
30570 * allowed task size. Note that p_filesz must always be
30571 * <= p_memsz so it is only necessary to check p_memsz.
30573 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
30574 - elf_ppnt->p_memsz > TASK_SIZE ||
30575 - TASK_SIZE - elf_ppnt->p_memsz < k) {
30576 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
30577 + elf_ppnt->p_memsz > pax_task_size ||
30578 + pax_task_size - elf_ppnt->p_memsz < k) {
30579 /* set_brk can never work. Avoid overflows. */
30580 send_sig(SIGKILL, current, 0);
30582 @@ -862,6 +1160,11 @@ static int load_elf_binary(struct linux_
30583 start_data += load_bias;
30584 end_data += load_bias;
30586 +#ifdef CONFIG_PAX_RANDMMAP
30587 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
30588 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
30591 /* Calling set_brk effectively mmaps the pages that we need
30592 * for the bss and break sections. We must do this before
30593 * mapping in the interpreter, to make sure it doesn't wind
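Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` encodes the gap size in a way that takes a moment to decode (one page plus a random 16-byte multiple of up to `(PAGE_SIZE-1) << 4`, i.e. a gap of roughly 1 to 17 pages on a 4 KiB page); a comment such as `/* PaX: random gap of 1..17 pages between the end of bss and the heap start */` spares the reader the arithmetic. Because this raises `elf_brk` after the per-segment `pax_task_size` checks of the `@@ -832,9 +1130,9 @@` hunk, it relies on the later `set_brk()` failing cleanly when the padded brk crosses the task size; a note to that effect next to the line makes the dependency explicit. load_elf_binary continues outside this hunk.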
30594 @@ -873,9 +1176,11 @@ static int load_elf_binary(struct linux_
30595 goto out_free_dentry;
30597 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
30598 - send_sig(SIGSEGV, current, 0);
30599 - retval = -EFAULT; /* Nobody gets to see this, but.. */
30600 - goto out_free_dentry;
30602 + * This bss-zeroing can fail if the ELF
30603 + * file specifies odd protections. So
30604 + * we don't check the return value
30608 if (elf_interpreter) {
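Review bot: `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` now has an empty body and is kept only for padzero()'s side effect, so the reader sees a condition that controls nothing; the added comment says the return value is ignored but not what an ignored failure means. When the zeroing is refused, the bytes between p_filesz and the end of that page keep the file's contents instead of zeros, i.e. the process starts with a non-zero tail of bss; I'd state that by extending the comment with ` * a failure leaves that partial page unzeroed instead of killing the task`. Clearer still is a plain statement, `if (likely(elf_bss != elf_brk))` followed by `padzero(elf_bss);` with the comment above it, so no empty `if` body remains. load_elf_binary() starts and ends outside the hunk.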
30609 @@ -1090,7 +1395,7 @@ out:
30610 * Decide what to dump of a segment, part, all or none.
30612 static unsigned long vma_dump_size(struct vm_area_struct *vma,
30613 - unsigned long mm_flags)
30614 + unsigned long mm_flags, long signr)
30616 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
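Review bot: The new `long signr` parameter of vma_dump_size() is not mentioned in the header comment (`Decide what to dump of a segment, part, all or none.` on the context line above), and its effect is only visible in the next hunk, where `signr == SIGKILL` makes the `FILTER(MAPPED_PRIVATE)` branch unconditional. I'd add to that comment `@signr: signal that triggered the dump; SIGKILL treats private file-backed mappings as if MMF_DUMP_MAPPED_PRIVATE were set`. The value is threaded through from `cprm->signr` in elf_core_vma_data_size() and elf_core_dump() below, so its type should be checked against `long` to avoid a silent conversion.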
30618 @@ -1124,7 +1429,7 @@ static unsigned long vma_dump_size(struc
30619 if (vma->vm_file == NULL)
30622 - if (FILTER(MAPPED_PRIVATE))
30623 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
30627 @@ -1346,9 +1651,9 @@ static void fill_auxv_note(struct memelf
30629 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
30634 - while (auxv[i - 2] != AT_NULL);
30635 + } while (auxv[i - 2] != AT_NULL);
30636 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
30639 @@ -1854,14 +2159,14 @@ static void fill_extnum_info(struct elfh
30642 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
30643 - unsigned long mm_flags)
30644 + struct coredump_params *cprm)
30646 struct vm_area_struct *vma;
30649 for (vma = first_vma(current, gate_vma); vma != NULL;
30650 vma = next_vma(vma, gate_vma))
30651 - size += vma_dump_size(vma, mm_flags);
30652 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30656 @@ -1955,7 +2260,7 @@ static int elf_core_dump(struct coredump
30658 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
30660 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
30661 + offset += elf_core_vma_data_size(gate_vma, cprm);
30662 offset += elf_core_extra_data_size();
30665 @@ -1969,10 +2274,12 @@ static int elf_core_dump(struct coredump
30668 size += sizeof(*elf);
30669 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30670 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
30673 size += sizeof(*phdr4note);
30674 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30675 if (size > cprm->limit
30676 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
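Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1);` is written out by hand in front of each `size > cprm->limit` test — twice here, and again at @@ -1997, @@ -2030 (as `size + PAGE_SIZE`, mirroring the `size += PAGE_SIZE` inside the test) and @@ -2047 — so a future limit check can easily miss the call or report a value other than the one compared. Folding the learn call and the comparison into one small helper keeps the two in step and gives the intent a name; the page loop would then read `stop = elf_core_over_limit(cprm, size += PAGE_SIZE) || !dump_write(...)`. elf_core_dump() starts and ends outside the hunk.
```c
/* Report the size the dump is about to reach, then apply RLIMIT_CORE. */
static bool elf_core_over_limit(const struct coredump_params *cprm, size_t size)
{
	gr_learn_resource(current, RLIMIT_CORE, size, 1);
	return size > cprm->limit;
}

	/* … unchanged: elf_core_dump() up to the ELF header write … */
	if (elf_core_over_limit(cprm, size) || !dump_write(cprm->file, elf, sizeof(*elf)))
```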
30678 @@ -1986,7 +2293,7 @@ static int elf_core_dump(struct coredump
30679 phdr.p_offset = offset;
30680 phdr.p_vaddr = vma->vm_start;
30682 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
30683 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30684 phdr.p_memsz = vma->vm_end - vma->vm_start;
30685 offset += phdr.p_filesz;
30686 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
30687 @@ -1997,6 +2304,7 @@ static int elf_core_dump(struct coredump
30688 phdr.p_align = ELF_EXEC_PAGESIZE;
30690 size += sizeof(phdr);
30691 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30692 if (size > cprm->limit
30693 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
30695 @@ -2021,7 +2329,7 @@ static int elf_core_dump(struct coredump
30696 unsigned long addr;
30699 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
30700 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30702 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
30704 @@ -2030,6 +2338,7 @@ static int elf_core_dump(struct coredump
30705 page = get_dump_page(addr);
30707 void *kaddr = kmap(page);
30708 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
30709 stop = ((size += PAGE_SIZE) > cprm->limit) ||
30710 !dump_write(cprm->file, kaddr,
30712 @@ -2047,6 +2356,7 @@ static int elf_core_dump(struct coredump
30714 if (e_phnum == PN_XNUM) {
30715 size += sizeof(*shdr4extnum);
30716 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30717 if (size > cprm->limit
30718 || !dump_write(cprm->file, shdr4extnum,
30719 sizeof(*shdr4extnum)))
30720 @@ -2067,6 +2377,97 @@ out:
30722 #endif /* CONFIG_ELF_CORE */
30724 +#ifdef CONFIG_PAX_MPROTECT
30725 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
30726 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
30727 + * we'll remove VM_MAYWRITE for good on RELRO segments.
30729 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
30730 + * basis because we want to allow the common case and not the special ones.
30732 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
30734 + struct elfhdr elf_h;
30735 + struct elf_phdr elf_p;
30737 + unsigned long oldflags;
30738 + bool is_textrel_rw, is_textrel_rx, is_relro;
30740 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
30743 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
30744 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
30746 +#ifdef CONFIG_PAX_ELFRELOCS
30747 + /* possible TEXTREL */
30748 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
30749 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
30751 + is_textrel_rw = false;
30752 + is_textrel_rx = false;
30755 + /* possible RELRO */
30756 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
30758 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
30761 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
30762 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
30764 +#ifdef CONFIG_PAX_ETEXECRELOCS
30765 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30767 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
30770 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30771 + !elf_check_arch(&elf_h) ||
30772 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
30773 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
30776 + for (i = 0UL; i < elf_h.e_phnum; i++) {
30777 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
30779 + switch (elf_p.p_type) {
30781 + if (!is_textrel_rw && !is_textrel_rx)
30784 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
30787 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
30789 + if (dyn.d_tag == DT_NULL)
30791 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
30792 + gr_log_textrel(vma);
30793 + if (is_textrel_rw)
30794 + vma->vm_flags |= VM_MAYWRITE;
30796 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
30797 + vma->vm_flags &= ~VM_MAYWRITE;
30804 + case PT_GNU_RELRO:
30807 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
30808 + vma->vm_flags &= ~VM_MAYWRITE;
30815 static int __init init_elf_binfmt(void)
30817 return register_binfmt(&elf_format);
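Review bot: `elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr)` is an unexplained magic bound, and every early `return` in elf_handle_mprotect() is a silent fail-closed exit that leaves `vma->vm_flags` untouched so the caller's MPROTECT check (outside this hunk) judges the request on the original flags; neither fact is stated for the reader. I'd name the bound, e.g. `/* at most 64 KiB of program headers: caps the kernel_read() calls one mprotect() can trigger */` (e_phnum is 16 bits wide, so this is a work bound rather than an overflow guard), and add to the header comment that any short read or malformed header returns without changing vm_flags. `gr_log_textrel(vma)` sits above the `is_textrel_rw` branch, so a TEXTREL object is logged once on the RW grant and again on the RX revoke; a comment saying so keeps detection rules from counting the pair as two objects. The rendered hunk drops lines (blank lines, `#else`/`#endif`, bare `return;`/`continue;`), so whether `i` is reset before the `while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz)` scan, which reuses the phdr loop index, cannot be confirmed from this view.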
30818 diff -urNp linux-2.6.38.4/fs/binfmt_flat.c linux-2.6.38.4/fs/binfmt_flat.c
30819 --- linux-2.6.38.4/fs/binfmt_flat.c 2011-03-14 21:20:32.000000000 -0400
30820 +++ linux-2.6.38.4/fs/binfmt_flat.c 2011-04-17 15:57:32.000000000 -0400
30821 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
30822 realdatastart = (unsigned long) -ENOMEM;
30823 printk("Unable to allocate RAM for process data, errno %d\n",
30824 (int)-realdatastart);
30825 + down_write(¤t->mm->mmap_sem);
30826 do_munmap(current->mm, textpos, text_len);
30827 + up_write(¤t->mm->mmap_sem);
30828 ret = realdatastart;
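Review bot: The `down_write()`/`do_munmap()`/`up_write()` triple is written out by hand here and again in the two following hunks (@@ -591 and @@ -661), so the locking rule for do_munmap() now lives in three places; a tiny static helper keeps it in one, and do_munmap() callers in this file that the patch does not touch deserve the same audit. The `¤t` in the rendered lines appears to be an HTML-entity mangling of `&current`. load_flat_file() starts and ends outside the hunk.
```c
/* do_munmap() needs mmap_sem held for writing; keep the rule in one place. */
static void flat_munmap(unsigned long addr, size_t len)
{
	down_write(&current->mm->mmap_sem);
	do_munmap(current->mm, addr, len);
	up_write(&current->mm->mmap_sem);
}

	/* … unchanged: load_flat_file() error path … */
	flat_munmap(textpos, text_len);
```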
30831 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
30833 if (IS_ERR_VALUE(result)) {
30834 printk("Unable to read data+bss, errno %d\n", (int)-result);
30835 + down_write(¤t->mm->mmap_sem);
30836 do_munmap(current->mm, textpos, text_len);
30837 do_munmap(current->mm, realdatastart, len);
30838 + up_write(¤t->mm->mmap_sem);
30842 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
30844 if (IS_ERR_VALUE(result)) {
30845 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
30846 + down_write(¤t->mm->mmap_sem);
30847 do_munmap(current->mm, textpos, text_len + data_len + extra +
30848 MAX_SHARED_LIBS * sizeof(unsigned long));
30849 + up_write(¤t->mm->mmap_sem);
30853 diff -urNp linux-2.6.38.4/fs/binfmt_misc.c linux-2.6.38.4/fs/binfmt_misc.c
30854 --- linux-2.6.38.4/fs/binfmt_misc.c 2011-03-14 21:20:32.000000000 -0400
30855 +++ linux-2.6.38.4/fs/binfmt_misc.c 2011-04-17 15:57:32.000000000 -0400
30856 @@ -698,7 +698,7 @@ static int bm_fill_super(struct super_bl
30857 static struct tree_descr bm_files[] = {
30858 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
30859 [3] = {"register", &bm_register_operations, S_IWUSR},
30860 - /* last one */ {""}
30861 + /* last one */ {"", NULL, 0}
30863 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
30865 diff -urNp linux-2.6.38.4/fs/bio.c linux-2.6.38.4/fs/bio.c
30866 --- linux-2.6.38.4/fs/bio.c 2011-03-14 21:20:32.000000000 -0400
30867 +++ linux-2.6.38.4/fs/bio.c 2011-04-17 15:57:32.000000000 -0400
30868 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
30869 const int read = bio_data_dir(bio) == READ;
30870 struct bio_map_data *bmd = bio->bi_private;
30872 - char *p = bmd->sgvecs[0].iov_base;
30873 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
30875 __bio_for_each_segment(bvec, bio, i, 0) {
30876 char *addr = page_address(bvec->bv_page);
30877 diff -urNp linux-2.6.38.4/fs/block_dev.c linux-2.6.38.4/fs/block_dev.c
30878 --- linux-2.6.38.4/fs/block_dev.c 2011-03-14 21:20:32.000000000 -0400
30879 +++ linux-2.6.38.4/fs/block_dev.c 2011-04-17 15:57:32.000000000 -0400
30880 @@ -669,7 +669,7 @@ static bool bd_may_claim(struct block_de
30881 else if (bdev->bd_contains == bdev)
30882 return true; /* is a whole device which isn't held */
30884 - else if (whole->bd_holder == bd_may_claim)
30885 + else if (whole->bd_holder == (void *)bd_may_claim)
30886 return true; /* is a partition of a device that is being partitioned */
30887 else if (whole->bd_holder != NULL)
30888 return false; /* is a partition of a held device */
30889 diff -urNp linux-2.6.38.4/fs/btrfs/ctree.c linux-2.6.38.4/fs/btrfs/ctree.c
30890 --- linux-2.6.38.4/fs/btrfs/ctree.c 2011-03-14 21:20:32.000000000 -0400
30891 +++ linux-2.6.38.4/fs/btrfs/ctree.c 2011-04-17 15:57:32.000000000 -0400
30892 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
30893 free_extent_buffer(buf);
30894 add_root_to_dirty_list(root);
30896 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
30897 - parent_start = parent->start;
30899 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
30901 + parent_start = parent->start;
30903 + parent_start = 0;
30907 WARN_ON(trans->transid != btrfs_header_generation(parent));
30908 @@ -3776,7 +3779,6 @@ setup_items_for_insert(struct btrfs_tran
30912 - struct btrfs_disk_key disk_key;
30913 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
30914 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
30916 diff -urNp linux-2.6.38.4/fs/btrfs/disk-io.c linux-2.6.38.4/fs/btrfs/disk-io.c
30917 --- linux-2.6.38.4/fs/btrfs/disk-io.c 2011-04-18 17:27:18.000000000 -0400
30918 +++ linux-2.6.38.4/fs/btrfs/disk-io.c 2011-04-17 16:53:48.000000000 -0400
30920 #include "tree-log.h"
30921 #include "free-space-cache.h"
30923 -static struct extent_io_ops btree_extent_io_ops;
30924 +static const struct extent_io_ops btree_extent_io_ops;
30925 static void end_workqueue_fn(struct btrfs_work *work);
30926 static void free_fs_root(struct btrfs_root *root);
30927 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
30928 @@ -3030,7 +3030,7 @@ static int btrfs_cleanup_transaction(str
30932 -static struct extent_io_ops btree_extent_io_ops = {
30933 +static const struct extent_io_ops btree_extent_io_ops = {
30934 .write_cache_pages_lock_hook = btree_lock_page_hook,
30935 .readpage_end_io_hook = btree_readpage_end_io_hook,
30936 .submit_bio_hook = btree_submit_bio_hook,
30937 diff -urNp linux-2.6.38.4/fs/btrfs/extent_io.h linux-2.6.38.4/fs/btrfs/extent_io.h
30938 --- linux-2.6.38.4/fs/btrfs/extent_io.h 2011-03-14 21:20:32.000000000 -0400
30939 +++ linux-2.6.38.4/fs/btrfs/extent_io.h 2011-04-17 15:57:32.000000000 -0400
30940 @@ -55,36 +55,36 @@ typedef int (extent_submit_bio_hook_t)(s
30941 struct bio *bio, int mirror_num,
30942 unsigned long bio_flags, u64 bio_offset);
30943 struct extent_io_ops {
30944 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30945 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30946 u64 start, u64 end, int *page_started,
30947 unsigned long *nr_written);
30948 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30949 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30950 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30951 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30952 extent_submit_bio_hook_t *submit_bio_hook;
30953 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30954 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30955 size_t size, struct bio *bio,
30956 unsigned long bio_flags);
30957 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30958 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30959 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30960 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30961 u64 start, u64 end,
30962 struct extent_state *state);
30963 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30964 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30965 u64 start, u64 end,
30966 struct extent_state *state);
30967 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30968 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30969 struct extent_state *state);
30970 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30971 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30972 struct extent_state *state, int uptodate);
30973 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30974 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30976 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30977 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30979 - int (*merge_extent_hook)(struct inode *inode,
30980 + int (* const merge_extent_hook)(struct inode *inode,
30981 struct extent_state *new,
30982 struct extent_state *other);
30983 - int (*split_extent_hook)(struct inode *inode,
30984 + int (* const split_extent_hook)(struct inode *inode,
30985 struct extent_state *orig, u64 split);
30986 - int (*write_cache_pages_lock_hook)(struct page *page);
30987 + int (* const write_cache_pages_lock_hook)(struct page *page);
30990 struct extent_io_tree {
30991 @@ -94,7 +94,7 @@ struct extent_io_tree {
30994 spinlock_t buffer_lock;
30995 - struct extent_io_ops *ops;
30996 + const struct extent_io_ops *ops;
30999 struct extent_state {
31000 diff -urNp linux-2.6.38.4/fs/btrfs/free-space-cache.c linux-2.6.38.4/fs/btrfs/free-space-cache.c
31001 --- linux-2.6.38.4/fs/btrfs/free-space-cache.c 2011-03-14 21:20:32.000000000 -0400
31002 +++ linux-2.6.38.4/fs/btrfs/free-space-cache.c 2011-04-17 15:57:32.000000000 -0400
31003 @@ -1855,8 +1855,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
31006 if (entry->bytes < bytes || entry->offset < min_start) {
31007 - struct rb_node *node;
31009 node = rb_next(&entry->offset_index);
31012 @@ -2018,7 +2016,7 @@ again:
31014 while (entry->bitmap || found_bitmap ||
31015 (!entry->bitmap && entry->bytes < min_bytes)) {
31016 - struct rb_node *node = rb_next(&entry->offset_index);
31017 + node = rb_next(&entry->offset_index);
31019 if (entry->bitmap && entry->bytes > bytes + empty_size) {
31020 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
31021 diff -urNp linux-2.6.38.4/fs/btrfs/inode.c linux-2.6.38.4/fs/btrfs/inode.c
31022 --- linux-2.6.38.4/fs/btrfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31023 +++ linux-2.6.38.4/fs/btrfs/inode.c 2011-04-17 15:57:32.000000000 -0400
31024 @@ -64,7 +64,7 @@ static const struct inode_operations btr
31025 static const struct address_space_operations btrfs_aops;
31026 static const struct address_space_operations btrfs_symlink_aops;
31027 static const struct file_operations btrfs_dir_file_operations;
31028 -static struct extent_io_ops btrfs_extent_io_ops;
31029 +static const struct extent_io_ops btrfs_extent_io_ops;
31031 static struct kmem_cache *btrfs_inode_cachep;
31032 struct kmem_cache *btrfs_trans_handle_cachep;
31033 @@ -6796,7 +6796,7 @@ fail:
31037 -static int btrfs_getattr(struct vfsmount *mnt,
31038 +int btrfs_getattr(struct vfsmount *mnt,
31039 struct dentry *dentry, struct kstat *stat)
31041 struct inode *inode = dentry->d_inode;
31042 @@ -6808,6 +6808,14 @@ static int btrfs_getattr(struct vfsmount
31046 +EXPORT_SYMBOL(btrfs_getattr);
31048 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
31050 + return BTRFS_I(inode)->root->anon_super.s_dev;
31052 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
31054 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
31055 struct inode *new_dir, struct dentry *new_dentry)
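Review bot: `get_btrfs_dev_from_inode()` is a new exported function with no kernel-doc comment, and neither it nor the now non-static `btrfs_getattr()` (hunk @@ -6796) has a prototype visible in this patch; without a header declaration the file builds with a missing-prototypes warning and external callers have nothing to include. I'd add `/* get_btrfs_dev_from_inode - device number of the anonymous superblock of @inode's root (subvolume) */` above the definition and declare both functions in a btrfs header (ctree.h), unless that declaration is in a part of the patch not shown here.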
31057 @@ -7311,7 +7319,7 @@ static const struct file_operations btrf
31058 .fsync = btrfs_sync_file,
31061 -static struct extent_io_ops btrfs_extent_io_ops = {
31062 +static const struct extent_io_ops btrfs_extent_io_ops = {
31063 .fill_delalloc = run_delalloc_range,
31064 .submit_bio_hook = btrfs_submit_bio_hook,
31065 .merge_bio_hook = btrfs_merge_bio_hook,
31066 diff -urNp linux-2.6.38.4/fs/btrfs/ioctl.c linux-2.6.38.4/fs/btrfs/ioctl.c
31067 --- linux-2.6.38.4/fs/btrfs/ioctl.c 2011-04-18 17:27:18.000000000 -0400
31068 +++ linux-2.6.38.4/fs/btrfs/ioctl.c 2011-04-17 16:53:48.000000000 -0400
31069 @@ -2274,9 +2274,12 @@ long btrfs_ioctl_space_info(struct btrfs
31070 for (i = 0; i < num_types; i++) {
31071 struct btrfs_space_info *tmp;
31073 + /* Don't copy in more than we allocated */
31081 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
31082 @@ -2298,10 +2301,7 @@ long btrfs_ioctl_space_info(struct btrfs
31083 memcpy(dest, &space, sizeof(space));
31085 space_args.total_spaces++;
31091 up_read(&info->groups_sem);
31093 diff -urNp linux-2.6.38.4/fs/btrfs/relocation.c linux-2.6.38.4/fs/btrfs/relocation.c
31094 --- linux-2.6.38.4/fs/btrfs/relocation.c 2011-03-14 21:20:32.000000000 -0400
31095 +++ linux-2.6.38.4/fs/btrfs/relocation.c 2011-04-17 15:57:32.000000000 -0400
31096 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
31098 spin_unlock(&rc->reloc_root_tree.lock);
31100 - BUG_ON((struct btrfs_root *)node->data != root);
31101 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
31104 spin_lock(&rc->reloc_root_tree.lock);
31105 diff -urNp linux-2.6.38.4/fs/cachefiles/bind.c linux-2.6.38.4/fs/cachefiles/bind.c
31106 --- linux-2.6.38.4/fs/cachefiles/bind.c 2011-03-14 21:20:32.000000000 -0400
31107 +++ linux-2.6.38.4/fs/cachefiles/bind.c 2011-04-17 15:57:32.000000000 -0400
31108 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
31111 /* start by checking things over */
31112 - ASSERT(cache->fstop_percent >= 0 &&
31113 - cache->fstop_percent < cache->fcull_percent &&
31114 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
31115 cache->fcull_percent < cache->frun_percent &&
31116 cache->frun_percent < 100);
31118 - ASSERT(cache->bstop_percent >= 0 &&
31119 - cache->bstop_percent < cache->bcull_percent &&
31120 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
31121 cache->bcull_percent < cache->brun_percent &&
31122 cache->brun_percent < 100);
31124 diff -urNp linux-2.6.38.4/fs/cachefiles/daemon.c linux-2.6.38.4/fs/cachefiles/daemon.c
31125 --- linux-2.6.38.4/fs/cachefiles/daemon.c 2011-03-14 21:20:32.000000000 -0400
31126 +++ linux-2.6.38.4/fs/cachefiles/daemon.c 2011-04-17 15:57:32.000000000 -0400
31127 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
31131 - if (copy_to_user(_buffer, buffer, n) != 0)
31132 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
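Review bot: `n > sizeof(buffer)` rejects only an over-long result, not the boundary case `n == sizeof(buffer)`: if `n` is the return value of the `snprintf()` above the hunk (not shown), that value means the text was truncated by one byte and the copy then hands the user the terminating NUL as data. `n >= sizeof(buffer)` fails every truncated read, which is the stricter and clearer rule. Whichever bound is kept, a one-line comment such as `/* snprintf() reports the untruncated length; never copy more than the buffer holds */` would make the intent obvious. cachefiles_daemon_read() starts and ends outside the hunk.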
31136 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
31137 if (test_bit(CACHEFILES_DEAD, &cache->flags))
31140 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
31141 + if (datalen > PAGE_SIZE - 1)
31142 return -EOPNOTSUPP;
31144 /* drag the command string into the kernel so we can parse it */
31145 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
31146 if (args[0] != '%' || args[1] != '\0')
31149 - if (fstop < 0 || fstop >= cache->fcull_percent)
31150 + if (fstop >= cache->fcull_percent)
31151 return cachefiles_daemon_range_error(cache, args);
31153 cache->fstop_percent = fstop;
31154 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
31155 if (args[0] != '%' || args[1] != '\0')
31158 - if (bstop < 0 || bstop >= cache->bcull_percent)
31159 + if (bstop >= cache->bcull_percent)
31160 return cachefiles_daemon_range_error(cache, args);
31162 cache->bstop_percent = bstop;
31163 diff -urNp linux-2.6.38.4/fs/cachefiles/rdwr.c linux-2.6.38.4/fs/cachefiles/rdwr.c
31164 --- linux-2.6.38.4/fs/cachefiles/rdwr.c 2011-03-14 21:20:32.000000000 -0400
31165 +++ linux-2.6.38.4/fs/cachefiles/rdwr.c 2011-04-17 15:57:32.000000000 -0400
31166 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
31169 ret = file->f_op->write(
31170 - file, (const void __user *) data, len, &pos);
31171 + file, (__force const void __user *) data, len, &pos);
31175 diff -urNp linux-2.6.38.4/fs/ceph/dir.c linux-2.6.38.4/fs/ceph/dir.c
31176 --- linux-2.6.38.4/fs/ceph/dir.c 2011-03-14 21:20:32.000000000 -0400
31177 +++ linux-2.6.38.4/fs/ceph/dir.c 2011-04-17 15:57:32.000000000 -0400
31178 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
31179 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
31180 struct ceph_mds_client *mdsc = fsc->mdsc;
31181 unsigned frag = fpos_frag(filp->f_pos);
31182 - int off = fpos_off(filp->f_pos);
31183 + unsigned int off = fpos_off(filp->f_pos);
31186 struct ceph_mds_reply_info_parsed *rinfo;
31187 @@ -358,7 +358,7 @@ more:
31188 rinfo = &fi->last_readdir->r_reply_info;
31189 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
31190 rinfo->dir_nr, off, fi->offset);
31191 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
31192 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
31193 u64 pos = ceph_make_fpos(frag, off);
31194 struct ceph_mds_reply_inode *in =
31195 rinfo->dir_in[off - fi->offset].in;
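Review bot: `off` becomes `unsigned int` in the first hunk, but the `dout("readdir frag %x num %d off %d chunkoff %d\n", ...)` on this hunk's context lines still prints it with `%d`; it should be `%u`. The new test `off >= fi->offset && off - fi->offset < rinfo->dir_nr` mixes `off` with `fi->offset` and `rinfo->dir_nr`, whose declarations are outside the hunk; if either is a signed `int` the comparisons are performed unsigned, which is only harmless while both stay non-negative. A comment next to the loop, e.g. `/* off, fi->offset and dir_nr are non-negative, so the unsigned comparisons are safe */`, would record that assumption. ceph_readdir() starts and ends outside the hunk.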
31196 diff -urNp linux-2.6.38.4/fs/cifs/cifs_uniupr.h linux-2.6.38.4/fs/cifs/cifs_uniupr.h
31197 --- linux-2.6.38.4/fs/cifs/cifs_uniupr.h 2011-03-14 21:20:32.000000000 -0400
31198 +++ linux-2.6.38.4/fs/cifs/cifs_uniupr.h 2011-04-17 15:57:32.000000000 -0400
31199 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
31200 {0x0490, 0x04cc, UniCaseRangeU0490},
31201 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
31202 {0xff40, 0xff5a, UniCaseRangeUff40},
31208 diff -urNp linux-2.6.38.4/fs/cifs/link.c linux-2.6.38.4/fs/cifs/link.c
31209 --- linux-2.6.38.4/fs/cifs/link.c 2011-03-14 21:20:32.000000000 -0400
31210 +++ linux-2.6.38.4/fs/cifs/link.c 2011-04-17 15:57:32.000000000 -0400
31211 @@ -577,7 +577,7 @@ symlink_exit:
31213 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
31215 - char *p = nd_get_link(nd);
31216 + const char *p = nd_get_link(nd);
31220 diff -urNp linux-2.6.38.4/fs/compat_binfmt_elf.c linux-2.6.38.4/fs/compat_binfmt_elf.c
31221 --- linux-2.6.38.4/fs/compat_binfmt_elf.c 2011-03-14 21:20:32.000000000 -0400
31222 +++ linux-2.6.38.4/fs/compat_binfmt_elf.c 2011-04-17 15:57:32.000000000 -0400
31223 @@ -30,11 +30,13 @@
31229 #define elfhdr elf32_hdr
31230 #define elf_phdr elf32_phdr
31231 #define elf_shdr elf32_shdr
31232 #define elf_note elf32_note
31233 +#define elf_dyn Elf32_Dyn
31234 #define elf_addr_t Elf32_Addr
31237 diff -urNp linux-2.6.38.4/fs/compat.c linux-2.6.38.4/fs/compat.c
31238 --- linux-2.6.38.4/fs/compat.c 2011-03-14 21:20:32.000000000 -0400
31239 +++ linux-2.6.38.4/fs/compat.c 2011-04-17 15:57:32.000000000 -0400
31240 @@ -594,7 +594,7 @@ ssize_t compat_rw_copy_check_uvector(int
31244 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
31245 + if (nr_segs > UIO_MAXIOV)
31247 if (nr_segs > fast_segs) {
31249 @@ -876,6 +876,7 @@ struct compat_old_linux_dirent {
31251 struct compat_readdir_callback {
31252 struct compat_old_linux_dirent __user *dirent;
31253 + struct file * file;
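Review bot: `struct file * file;` separates the `*` from the identifier, which kernel style does not do; it should read `struct file *file;` here and in the two sibling callback structs at @@ -945 and @@ -1034. The `gr_acl_handle_filldir(buf->file, ...)` checks that read the field and the assignments that must initialise it are only partly visible (the rendered hunks drop lines), so whether every callback struct sets `.file` before `vfs_readdir()` cannot be confirmed here; a `/* set by the caller before vfs_readdir() */` comment on the field would document that contract.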
31257 @@ -893,6 +894,10 @@ static int compat_fillonedir(void *__buf
31258 buf->result = -EOVERFLOW;
31262 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31266 dirent = buf->dirent;
31267 if (!access_ok(VERIFY_WRITE, dirent,
31268 @@ -925,6 +930,7 @@ asmlinkage long compat_sys_old_readdir(u
31271 buf.dirent = dirent;
31274 error = vfs_readdir(file, compat_fillonedir, &buf);
31276 @@ -945,6 +951,7 @@ struct compat_linux_dirent {
31277 struct compat_getdents_callback {
31278 struct compat_linux_dirent __user *current_dir;
31279 struct compat_linux_dirent __user *previous;
31280 + struct file * file;
31284 @@ -966,6 +973,10 @@ static int compat_filldir(void *__buf, c
31285 buf->error = -EOVERFLOW;
31289 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31292 dirent = buf->previous;
31294 if (__put_user(offset, &dirent->d_off))
31295 @@ -1013,6 +1024,7 @@ asmlinkage long compat_sys_getdents(unsi
31296 buf.previous = NULL;
31301 error = vfs_readdir(file, compat_filldir, &buf);
31303 @@ -1034,6 +1046,7 @@ out:
31304 struct compat_getdents_callback64 {
31305 struct linux_dirent64 __user *current_dir;
31306 struct linux_dirent64 __user *previous;
31307 + struct file * file;
31311 @@ -1050,6 +1063,10 @@ static int compat_filldir64(void * __buf
31312 buf->error = -EINVAL; /* only used if we fail.. */
31313 if (reclen > buf->count)
31316 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31319 dirent = buf->previous;
31322 @@ -1101,6 +1118,7 @@ asmlinkage long compat_sys_getdents64(un
31323 buf.previous = NULL;
31328 error = vfs_readdir(file, compat_filldir64, &buf);
31330 @@ -1423,6 +1441,7 @@ static int compat_copy_strings(int argc,
31332 page = get_arg_page(bprm, pos, 1);
31334 + /* We've exceed the stack rlimit. */
31338 @@ -1464,6 +1483,11 @@ int compat_do_execve(char * filename,
31339 compat_uptr_t __user *envp,
31340 struct pt_regs * regs)
31342 +#ifdef CONFIG_GRKERNSEC
31343 + struct file *old_exec_file;
31344 + struct acl_subject_label *old_acl;
31345 + struct rlimit old_rlim[RLIM_NLIMITS];
31347 struct linux_binprm *bprm;
31349 struct files_struct *displaced;
31350 @@ -1500,6 +1524,19 @@ int compat_do_execve(char * filename,
31351 bprm->filename = filename;
31352 bprm->interp = filename;
31354 + if (gr_process_user_ban()) {
31359 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
31360 + retval = -EAGAIN;
31361 + if (gr_handle_nproc())
31363 + retval = -EACCES;
31364 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
31367 retval = bprm_mm_init(bprm);
31370 @@ -1529,9 +1566,40 @@ int compat_do_execve(char * filename,
31374 + if (!gr_tpe_allow(file)) {
31375 + retval = -EACCES;
31379 + if (gr_check_crash_exec(file)) {
31380 + retval = -EACCES;
31384 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
31386 + gr_handle_exec_args_compat(bprm, argv);
31388 +#ifdef CONFIG_GRKERNSEC
31389 + old_acl = current->acl;
31390 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
31391 + old_exec_file = current->exec_file;
31393 + current->exec_file = file;
31396 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
31397 + bprm->unsafe & LSM_UNSAFE_SHARE);
31401 retval = search_binary_handler(bprm, regs);
31405 +#ifdef CONFIG_GRKERNSEC
31406 + if (old_exec_file)
31407 + fput(old_exec_file);
31410 /* execve succeeded */
31411 current->fs->in_exec = 0;
31412 @@ -1542,6 +1610,14 @@ int compat_do_execve(char * filename,
31413 put_files_struct(displaced);
31417 +#ifdef CONFIG_GRKERNSEC
31418 + current->acl = old_acl;
31419 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
31420 + fput(current->exec_file);
31421 + current->exec_file = old_exec_file;
31426 acct_arg_size(bprm, 0);
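Review bot: The rollback `memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));` restores the whole rlimit array without the lock the setrlimit path takes (do_prlimit() in this kernel generation updates rlim under task_lock() of the group leader, as I recall), so a sibling thread that changes a limit between the save at `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` (hunk @@ -1529,9 +1566,40 @@) and this restore has its change silently undone, and error paths that reach this rollback can run while sibling threads are still alive. If gr_set_proc_label() only rewrites specific entries, restoring just those, or taking the same lock around the copy, narrows the window. The same save/restore pattern presumably appears in the native do_execve() in fs/exec.c further down this patch. compat_do_execve() starts and ends outside the hunk.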
31427 diff -urNp linux-2.6.38.4/fs/compat_ioctl.c linux-2.6.38.4/fs/compat_ioctl.c
31428 --- linux-2.6.38.4/fs/compat_ioctl.c 2011-03-14 21:20:32.000000000 -0400
31429 +++ linux-2.6.38.4/fs/compat_ioctl.c 2011-04-17 15:57:32.000000000 -0400
31430 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
31432 err = get_user(palp, &up->palette);
31433 err |= get_user(length, &up->length);
31437 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
31438 err = put_user(compat_ptr(palp), &up_native->palette);
31439 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
31440 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
31443 - a = *(unsigned int *)p;
31444 - b = *(unsigned int *)q;
31445 + a = *(const unsigned int *)p;
31446 + b = *(const unsigned int *)q;
31450 diff -urNp linux-2.6.38.4/fs/dcache.c linux-2.6.38.4/fs/dcache.c
31451 --- linux-2.6.38.4/fs/dcache.c 2011-04-18 17:27:16.000000000 -0400
31452 +++ linux-2.6.38.4/fs/dcache.c 2011-04-17 15:57:32.000000000 -0400
31453 @@ -3092,7 +3092,7 @@ void __init vfs_caches_init(unsigned lon
31454 mempages -= reserve;
31456 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
31457 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
31458 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
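Review bot: `SLAB_USERCOPY` is added to `names_cache` without a comment saying why this cache in particular is whitelisted for user copies, and since the flag comes from this patch rather than mainline the reason is not discoverable from upstream documentation. The cache backs getname() buffers, which are filled straight from user space, which I take to be the reason; a line such as `/* getname() copies paths from user space straight into these objects */` next to the flag would record it — confirm against the usercopy check that consumes the flag (outside this hunk).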
31462 diff -urNp linux-2.6.38.4/fs/debugfs/inode.c linux-2.6.38.4/fs/debugfs/inode.c
31463 --- linux-2.6.38.4/fs/debugfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31464 +++ linux-2.6.38.4/fs/debugfs/inode.c 2011-04-17 15:57:32.000000000 -0400
31465 @@ -130,7 +130,7 @@ static inline int debugfs_positive(struc
31467 static int debug_fill_super(struct super_block *sb, void *data, int silent)
31469 - static struct tree_descr debug_files[] = {{""}};
31470 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
31472 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
31474 diff -urNp linux-2.6.38.4/fs/dlm/lockspace.c linux-2.6.38.4/fs/dlm/lockspace.c
31475 --- linux-2.6.38.4/fs/dlm/lockspace.c 2011-03-14 21:20:32.000000000 -0400
31476 +++ linux-2.6.38.4/fs/dlm/lockspace.c 2011-04-17 15:57:32.000000000 -0400
31477 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
31481 -static struct kset_uevent_ops dlm_uevent_ops = {
31482 +static const struct kset_uevent_ops dlm_uevent_ops = {
31483 .uevent = dlm_uevent,
31486 diff -urNp linux-2.6.38.4/fs/ecryptfs/inode.c linux-2.6.38.4/fs/ecryptfs/inode.c
31487 --- linux-2.6.38.4/fs/ecryptfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31488 +++ linux-2.6.38.4/fs/ecryptfs/inode.c 2011-04-17 15:57:32.000000000 -0400
31489 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
31492 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
31493 - (char __user *)lower_buf,
31494 + (__force char __user *)lower_buf,
31498 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
31502 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
31503 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
31507 @@ -719,7 +719,7 @@ out:
31509 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
31511 - char *buf = nd_get_link(nd);
31512 + const char *buf = nd_get_link(nd);
31513 if (!IS_ERR(buf)) {
31514 /* Free the char* */
31516 diff -urNp linux-2.6.38.4/fs/ecryptfs/miscdev.c linux-2.6.38.4/fs/ecryptfs/miscdev.c
31517 --- linux-2.6.38.4/fs/ecryptfs/miscdev.c 2011-03-14 21:20:32.000000000 -0400
31518 +++ linux-2.6.38.4/fs/ecryptfs/miscdev.c 2011-04-17 15:57:32.000000000 -0400
31519 @@ -328,7 +328,7 @@ check_list:
31520 goto out_unlock_msg_ctx;
31522 if (msg_ctx->msg) {
31523 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
31524 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
31525 goto out_unlock_msg_ctx;
31526 i += packet_length_size;
31527 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
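Review bot: The added `packet_length_size > sizeof(packet_length)` test on the copy_to_user line bounds the copy to user space, but packet_length was filled earlier in the function, outside this hunk, so if packet_length_size can ever exceed the buffer the overrun has already happened by the time this check runs. The bound belongs where packet_length_size is produced (presumably the encoder that fills packet_length), with this check kept only as a belt-and-braces guard. For the comparison to mean anything packet_length must be an array in this scope rather than a pointer, since sizeof on a pointer would silently compare against the pointer width; confirm against the declaration. The enclosing function starts before this hunk.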
31528 diff -urNp linux-2.6.38.4/fs/exec.c linux-2.6.38.4/fs/exec.c
31529 --- linux-2.6.38.4/fs/exec.c 2011-03-14 21:20:32.000000000 -0400
31530 +++ linux-2.6.38.4/fs/exec.c 2011-04-17 15:57:32.000000000 -0400
31531 @@ -55,12 +55,24 @@
31532 #include <linux/fs_struct.h>
31533 #include <linux/pipe_fs_i.h>
31534 #include <linux/oom.h>
31535 +#include <linux/random.h>
31536 +#include <linux/seq_file.h>
31538 +#ifdef CONFIG_PAX_REFCOUNT
31539 +#include <linux/kallsyms.h>
31540 +#include <linux/kdebug.h>
31543 #include <asm/uaccess.h>
31544 #include <asm/mmu_context.h>
31545 #include <asm/tlb.h>
31546 #include "internal.h"
31548 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
31549 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
31550 +EXPORT_SYMBOL(pax_set_initial_flags_func);
31554 char core_pattern[CORENAME_MAX_SIZE] = "core";
31555 unsigned int core_pipe_limit;
31556 @@ -120,7 +132,7 @@ SYSCALL_DEFINE1(uselib, const char __use
31559 file = do_filp_open(AT_FDCWD, tmp,
31560 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
31561 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
31562 MAY_READ | MAY_EXEC | MAY_OPEN);
31564 error = PTR_ERR(file);
31565 @@ -187,18 +199,10 @@ struct page *get_arg_page(struct linux_b
31571 -#ifdef CONFIG_STACK_GROWSUP
31573 - ret = expand_stack_downwards(bprm->vma, pos);
31578 - ret = get_user_pages(current, bprm->mm, pos,
31579 - 1, write, 1, &page, NULL);
31581 + if (0 > expand_stack_downwards(bprm->vma, pos))
31583 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
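Review bot: The reversed comparisons `if (0 > expand_stack_downwards(bprm->vma, pos))` and `if (0 >= get_user_pages(...))` read against the kernel's usual `ret < 0` / `ret <= 0` form and obscure the one case that matters here, a zero return from get_user_pages (no page pinned) being treated as failure. Writing them as `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` keeps the behaviour and matches the surrounding code. The `#ifdef CONFIG_STACK_GROWSUP` / `if (write)` wrapper that the removed lines had is not shown on the new side in this rendering, so whether the expand_stack_downwards call is still conditional cannot be confirmed here; get_arg_page starts before this hunk.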
31587 @@ -273,6 +277,11 @@ static int __bprm_mm_init(struct linux_b
31588 vma->vm_end = STACK_TOP_MAX;
31589 vma->vm_start = vma->vm_end - PAGE_SIZE;
31590 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
31592 +#ifdef CONFIG_PAX_SEGMEXEC
31593 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
31596 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
31597 INIT_LIST_HEAD(&vma->anon_vma_chain);
31599 @@ -287,6 +296,12 @@ static int __bprm_mm_init(struct linux_b
31600 mm->stack_vm = mm->total_vm = 1;
31601 up_write(&mm->mmap_sem);
31602 bprm->p = vma->vm_end - sizeof(void *);
31604 +#ifdef CONFIG_PAX_RANDUSTACK
31605 + if (randomize_va_space)
31606 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
31611 up_write(&mm->mmap_sem);
31612 @@ -522,7 +537,7 @@ int copy_strings_kernel(int argc, const
31614 mm_segment_t oldfs = get_fs();
31616 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
31617 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
31621 @@ -552,7 +567,8 @@ static int shift_arg_pages(struct vm_are
31622 unsigned long new_end = old_end - shift;
31623 struct mmu_gather *tlb;
31625 - BUG_ON(new_start > new_end);
31626 + if (new_start >= new_end || new_start < mmap_min_addr)
31630 * ensure there are no vmas between where we want to go
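Review bot: The new guard `if (new_start >= new_end || new_start < mmap_min_addr)` takes over the job of the stack_top/mmap_min_addr test removed from setup_arg_pages in hunk @@ -641,10 +661,6 @@, but neither site records that dependency, so a maintainer removing one or re-adding the other would not see the link. Suggest `/* replaces the mmap_min_addr check formerly in setup_arg_pages(); new_start >= new_end also catches old_start - shift wrapping */` above the if. As called from setup_arg_pages the old clause rejected new_start == mmap_min_addr while the new one accepts it, presumably intended since mmap_min_addr is the lowest mappable address, but worth a word. The body of the new if is not shown in this rendering, and shift_arg_pages continues past the hunk.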
31631 @@ -561,6 +577,10 @@ static int shift_arg_pages(struct vm_are
31632 if (vma != find_vma(mm, new_start))
31635 +#ifdef CONFIG_PAX_SEGMEXEC
31636 + BUG_ON(pax_find_mirror_vma(vma));
31640 * cover the whole range: [new_start, old_end)
31642 @@ -641,10 +661,6 @@ int setup_arg_pages(struct linux_binprm
31643 stack_top = arch_align_stack(stack_top);
31644 stack_top = PAGE_ALIGN(stack_top);
31646 - if (unlikely(stack_top < mmap_min_addr) ||
31647 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
31650 stack_shift = vma->vm_end - stack_top;
31652 bprm->p -= stack_shift;
31653 @@ -656,8 +672,28 @@ int setup_arg_pages(struct linux_binprm
31654 bprm->exec -= stack_shift;
31656 down_write(&mm->mmap_sem);
31658 + /* Move stack pages down in memory. */
31659 + if (stack_shift) {
31660 + ret = shift_arg_pages(vma, stack_shift);
31665 vm_flags = VM_STACK_FLAGS;
31667 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31668 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
31669 + vm_flags &= ~VM_EXEC;
31671 +#ifdef CONFIG_PAX_MPROTECT
31672 + if (mm->pax_flags & MF_PAX_MPROTECT)
31673 + vm_flags &= ~VM_MAYEXEC;
31680 * Adjust stack execute permissions; explicitly enable for
31681 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
31682 @@ -676,13 +712,6 @@ int setup_arg_pages(struct linux_binprm
31684 BUG_ON(prev != vma);
31686 - /* Move stack pages down in memory. */
31687 - if (stack_shift) {
31688 - ret = shift_arg_pages(vma, stack_shift);
31693 /* mprotect_fixup is overkill to remove the temporary stack flags */
31694 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
31696 @@ -723,7 +752,7 @@ struct file *open_exec(const char *name)
31699 file = do_filp_open(AT_FDCWD, name,
31700 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
31701 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
31702 MAY_EXEC | MAY_OPEN);
31705 @@ -760,7 +789,7 @@ int kernel_read(struct file *file, loff_
31708 /* The cast to a user pointer is valid due to the set_fs() */
31709 - result = vfs_read(file, (void __user *)addr, count, &pos);
31710 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
31714 @@ -1182,7 +1211,7 @@ int check_unsafe_exec(struct linux_binpr
31718 - if (p->fs->users > n_fs) {
31719 + if (atomic_read(&p->fs->users) > n_fs) {
31720 bprm->unsafe |= LSM_UNSAFE_SHARE;
31723 @@ -1378,6 +1407,11 @@ int do_execve(const char * filename,
31724 const char __user *const __user *envp,
31725 struct pt_regs * regs)
31727 +#ifdef CONFIG_GRKERNSEC
31728 + struct file *old_exec_file;
31729 + struct acl_subject_label *old_acl;
31730 + struct rlimit old_rlim[RLIM_NLIMITS];
31732 struct linux_binprm *bprm;
31734 struct files_struct *displaced;
31735 @@ -1414,6 +1448,23 @@ int do_execve(const char * filename,
31736 bprm->filename = filename;
31737 bprm->interp = filename;
31739 + if (gr_process_user_ban()) {
31744 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
31746 + if (gr_handle_nproc()) {
31747 + retval = -EAGAIN;
31751 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
31752 + retval = -EACCES;
31756 retval = bprm_mm_init(bprm);
31759 @@ -1443,9 +1494,40 @@ int do_execve(const char * filename,
31763 + if (!gr_tpe_allow(file)) {
31764 + retval = -EACCES;
31768 + if (gr_check_crash_exec(file)) {
31769 + retval = -EACCES;
31773 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
31775 + gr_handle_exec_args(bprm, argv);
31777 +#ifdef CONFIG_GRKERNSEC
31778 + old_acl = current->acl;
31779 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
31780 + old_exec_file = current->exec_file;
31782 + current->exec_file = file;
31785 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
31786 + bprm->unsafe & LSM_UNSAFE_SHARE);
31790 retval = search_binary_handler(bprm,regs);
31794 +#ifdef CONFIG_GRKERNSEC
31795 + if (old_exec_file)
31796 + fput(old_exec_file);
31799 /* execve succeeded */
31800 current->fs->in_exec = 0;
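Review bot: The `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` snapshot and its restore in the next hunk (@@ -1456,6 +1538,14 @@) copy the whole rlim array without the locking setrlimit uses, so a limit changed by another thread between the snapshot and a failed exec would be silently reverted by the restore. If something held across do_execve is meant to rule that out, say so on the snapshot: `/* rollback state for a failed exec; safe without task_lock because ... */`. Reference ownership for `current->exec_file = file` is also not visible in this hunk: the failure path does `fput(current->exec_file)` and the success path `fput(old_exec_file)`, which only balances if a reference on file is taken somewhere not shown (possibly inside gr_set_proc_label); confirm. do_execve starts before this hunk.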
31801 @@ -1456,6 +1538,14 @@ int do_execve(const char * filename,
31802 put_files_struct(displaced);
31806 +#ifdef CONFIG_GRKERNSEC
31807 + current->acl = old_acl;
31808 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
31809 + fput(current->exec_file);
31810 + current->exec_file = old_exec_file;
31815 acct_arg_size(bprm, 0);
31816 @@ -1642,6 +1732,208 @@ out:
31820 +int pax_check_flags(unsigned long *flags)
31824 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
31825 + if (*flags & MF_PAX_SEGMEXEC)
31827 + *flags &= ~MF_PAX_SEGMEXEC;
31828 + retval = -EINVAL;
31832 + if ((*flags & MF_PAX_PAGEEXEC)
31834 +#ifdef CONFIG_PAX_PAGEEXEC
31835 + && (*flags & MF_PAX_SEGMEXEC)
31840 + *flags &= ~MF_PAX_PAGEEXEC;
31841 + retval = -EINVAL;
31844 + if ((*flags & MF_PAX_MPROTECT)
31846 +#ifdef CONFIG_PAX_MPROTECT
31847 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31852 + *flags &= ~MF_PAX_MPROTECT;
31853 + retval = -EINVAL;
31856 + if ((*flags & MF_PAX_EMUTRAMP)
31858 +#ifdef CONFIG_PAX_EMUTRAMP
31859 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31864 + *flags &= ~MF_PAX_EMUTRAMP;
31865 + retval = -EINVAL;
31871 +EXPORT_SYMBOL(pax_check_flags);
31873 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31874 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
31876 + struct task_struct *tsk = current;
31877 + struct mm_struct *mm = current->mm;
31878 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
31879 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
31880 + char *path_exec = NULL;
31881 + char *path_fault = NULL;
31882 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
31884 + if (buffer_exec && buffer_fault) {
31885 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
31887 + down_read(&mm->mmap_sem);
31889 + while (vma && (!vma_exec || !vma_fault)) {
31890 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
31892 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
31894 + vma = vma->vm_next;
31897 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
31898 + if (IS_ERR(path_exec))
31899 + path_exec = "<path too long>";
31901 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
31904 + path_exec = buffer_exec;
31906 + path_exec = "<path too long>";
31910 + start = vma_fault->vm_start;
31911 + end = vma_fault->vm_end;
31912 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
31913 + if (vma_fault->vm_file) {
31914 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
31915 + if (IS_ERR(path_fault))
31916 + path_fault = "<path too long>";
31918 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
31919 + if (path_fault) {
31921 + path_fault = buffer_fault;
31923 + path_fault = "<path too long>";
31926 + path_fault = "<anonymous mapping>";
31928 + up_read(&mm->mmap_sem);
31930 + if (tsk->signal->curr_ip)
31931 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
31933 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
31934 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
31935 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
31936 + task_uid(tsk), task_euid(tsk), pc, sp);
31937 + free_page((unsigned long)buffer_exec);
31938 + free_page((unsigned long)buffer_fault);
31939 + pax_report_insns(pc, sp);
31940 + do_coredump(SIGKILL, SIGKILL, regs);
31944 +#ifdef CONFIG_PAX_REFCOUNT
31945 +void pax_report_refcount_overflow(struct pt_regs *regs)
31947 + if (current->signal->curr_ip)
31948 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31949 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
31951 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31952 + current->comm, task_pid_nr(current), current_uid(), current_euid());
31953 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
31955 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
31959 +#ifdef CONFIG_PAX_USERCOPY
31960 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
31961 +int object_is_on_stack(const void *obj, unsigned long len)
31963 + const void * const stack = task_stack_page(current);
31964 + const void * const stackend = stack + THREAD_SIZE;
31966 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31967 + const void *frame = NULL;
31968 + const void *oldframe;
31971 + if (obj + len < obj)
31974 + if (obj + len <= stack || stackend <= obj)
31977 + if (obj < stack || stackend < obj + len)
31980 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31981 + oldframe = __builtin_frame_address(1);
31983 + frame = __builtin_frame_address(2);
31985 + low ----------------------------------------------> high
31986 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31987 + ^----------------^
31988 + allow copies only within here
31990 + while (stack <= frame && frame < stackend) {
31991 + /* if obj + len extends past the last frame, this
31992 + check won't pass and the next frame will be 0,
31993 + causing us to bail out and correctly report
31994 + the copy as invalid
31996 + if (obj + len <= frame)
31997 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31998 + oldframe = frame;
31999 + frame = *(const void * const *)frame;
32008 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
32010 + if (current->signal->curr_ip)
32011 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
32012 + ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
32014 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
32015 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
32017 + gr_handle_kernel_exploit();
32018 + do_group_exit(SIGKILL);
32022 static int zap_process(struct task_struct *start, int exit_code)
32024 struct task_struct *t;
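Review bot: object_is_on_stack's frame walk (`oldframe = __builtin_frame_address(1)`, `frame = __builtin_frame_address(2)`, then `frame = *(const void * const *)frame`) relies on every function between the caller and here keeping a conventional frame-pointer chain, and GCC documents nonzero arguments to __builtin_frame_address as unreliable; the code after the while loop is not shown, so whether a chain that ends early yields 1 (accepted) or -1 (rejected) cannot be confirmed from this rendering. A comment above the loop stating the outcome of a broken chain, e.g. `/* chain ends early (no frame pointer, inlined caller): falls through to ... */`, would make the fail-open/fail-closed behaviour explicit. In pax_report_refcount_overflow the log string `"PAX: refcount overflow occured at: %s\n"` misspells "occurred"; detection rules key on these messages, so either fix it now or keep the spelling deliberately and note it. Separately, `¤t` on the printk argument lines is this page's HTML-entity mangling of `&current`, not patch content.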
32025 @@ -1852,17 +2144,17 @@ static void wait_for_dump_helpers(struct
32026 pipe = file->f_path.dentry->d_inode->i_pipe;
32031 + atomic_inc(&pipe->readers);
32032 + atomic_dec(&pipe->writers);
32034 - while ((pipe->readers > 1) && (!signal_pending(current))) {
32035 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
32036 wake_up_interruptible_sync(&pipe->wait);
32037 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
32043 + atomic_dec(&pipe->readers);
32044 + atomic_inc(&pipe->writers);
32048 @@ -1938,6 +2230,9 @@ void do_coredump(long signr, int exit_co
32050 audit_core_dumps(signr);
32052 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
32053 + gr_handle_brute_attach(current, cprm.mm_flags);
32055 binfmt = mm->binfmt;
32056 if (!binfmt || !binfmt->core_dump)
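Review bot: The SIGKILL case in `if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)` is not a core-dumping signal in the ordinary sense, and the reason it is listed, that pax_report_fault earlier in this file ends with `do_coredump(SIGKILL, SIGKILL, regs)` so PaX-terminated tasks arrive here with signr == SIGKILL, is not recorded. Suggest `/* SIGKILL: PaX terminations reach here via do_coredump(SIGKILL, ...) in pax_report_fault() */` on the condition so the brute-force hook's coverage is clear to whoever next edits the list. Whether other callers also pass SIGKILL is not visible in this chunk; do_coredump continues outside the hunk.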
32058 @@ -1978,6 +2273,8 @@ void do_coredump(long signr, int exit_co
32059 goto fail_corename;
32062 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
32066 char **helper_argv;
32067 diff -urNp linux-2.6.38.4/fs/ext2/balloc.c linux-2.6.38.4/fs/ext2/balloc.c
32068 --- linux-2.6.38.4/fs/ext2/balloc.c 2011-03-14 21:20:32.000000000 -0400
32069 +++ linux-2.6.38.4/fs/ext2/balloc.c 2011-04-17 15:57:32.000000000 -0400
32070 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
32072 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
32073 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
32074 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
32075 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
32076 sbi->s_resuid != current_fsuid() &&
32077 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
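Review bot: Swapping `capable(CAP_SYS_RESOURCE)` for `capable_nolog(CAP_SYS_RESOURCE)` changes what the audit log sees, not what the check decides: a reserved-block probe by a task lacking the capability will no longer produce whatever entry grsec's capable() would otherwise emit, and nothing at the call site says this is deliberate. A one-line comment, `/* capable_nolog: routine reserved-blocks probe, not worth an audit record */`, keeps the next reader from "fixing" it back and tells log consumers not to expect it. The same change is made in fs/ext3/balloc.c and fs/ext4/balloc.c in this patch; this note covers all three. ext2_has_free_blocks continues outside the hunk.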
32079 diff -urNp linux-2.6.38.4/fs/ext2/xattr.c linux-2.6.38.4/fs/ext2/xattr.c
32080 --- linux-2.6.38.4/fs/ext2/xattr.c 2011-03-14 21:20:32.000000000 -0400
32081 +++ linux-2.6.38.4/fs/ext2/xattr.c 2011-04-17 15:57:32.000000000 -0400
32086 -# define ea_idebug(f...)
32087 -# define ea_bdebug(f...)
32088 +# define ea_idebug(inode, f...) do {} while (0)
32089 +# define ea_bdebug(bh, f...) do {} while (0)
32092 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
32093 diff -urNp linux-2.6.38.4/fs/ext3/balloc.c linux-2.6.38.4/fs/ext3/balloc.c
32094 --- linux-2.6.38.4/fs/ext3/balloc.c 2011-03-14 21:20:32.000000000 -0400
32095 +++ linux-2.6.38.4/fs/ext3/balloc.c 2011-04-17 15:57:32.000000000 -0400
32096 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
32098 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
32099 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
32100 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
32101 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
32102 sbi->s_resuid != current_fsuid() &&
32103 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
32105 diff -urNp linux-2.6.38.4/fs/ext3/namei.c linux-2.6.38.4/fs/ext3/namei.c
32106 --- linux-2.6.38.4/fs/ext3/namei.c 2011-04-18 17:27:14.000000000 -0400
32107 +++ linux-2.6.38.4/fs/ext3/namei.c 2011-04-17 15:57:32.000000000 -0400
32108 @@ -1159,7 +1159,7 @@ static struct ext3_dir_entry_2 *do_split
32109 char *data1 = (*bh)->b_data, *data2;
32110 unsigned split, move, size;
32111 struct ext3_dir_entry_2 *de = NULL, *de2;
32115 bh2 = ext3_append (handle, dir, &newblock, &err);
32117 diff -urNp linux-2.6.38.4/fs/ext3/xattr.c linux-2.6.38.4/fs/ext3/xattr.c
32118 --- linux-2.6.38.4/fs/ext3/xattr.c 2011-03-14 21:20:32.000000000 -0400
32119 +++ linux-2.6.38.4/fs/ext3/xattr.c 2011-04-17 15:57:32.000000000 -0400
32124 -# define ea_idebug(f...)
32125 -# define ea_bdebug(f...)
32126 +# define ea_idebug(f...) do {} while (0)
32127 +# define ea_bdebug(f...) do {} while (0)
32130 static void ext3_xattr_cache_insert(struct buffer_head *);
32131 diff -urNp linux-2.6.38.4/fs/ext4/balloc.c linux-2.6.38.4/fs/ext4/balloc.c
32132 --- linux-2.6.38.4/fs/ext4/balloc.c 2011-03-14 21:20:32.000000000 -0400
32133 +++ linux-2.6.38.4/fs/ext4/balloc.c 2011-04-17 15:57:32.000000000 -0400
32134 @@ -519,7 +519,7 @@ static int ext4_has_free_blocks(struct e
32135 /* Hm, nope. Are (enough) root reserved blocks available? */
32136 if (sbi->s_resuid == current_fsuid() ||
32137 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
32138 - capable(CAP_SYS_RESOURCE)) {
32139 + capable_nolog(CAP_SYS_RESOURCE)) {
32140 if (free_blocks >= (nblocks + dirty_blocks))
32143 diff -urNp linux-2.6.38.4/fs/ext4/ext4.h linux-2.6.38.4/fs/ext4/ext4.h
32144 --- linux-2.6.38.4/fs/ext4/ext4.h 2011-03-14 21:20:32.000000000 -0400
32145 +++ linux-2.6.38.4/fs/ext4/ext4.h 2011-04-17 15:57:32.000000000 -0400
32146 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
32147 unsigned long s_mb_last_start;
32149 /* stats for buddy allocator */
32150 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
32151 - atomic_t s_bal_success; /* we found long enough chunks */
32152 - atomic_t s_bal_allocated; /* in blocks */
32153 - atomic_t s_bal_ex_scanned; /* total extents scanned */
32154 - atomic_t s_bal_goals; /* goal hits */
32155 - atomic_t s_bal_breaks; /* too long searches */
32156 - atomic_t s_bal_2orders; /* 2^order hits */
32157 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
32158 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
32159 + atomic_unchecked_t s_bal_allocated; /* in blocks */
32160 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
32161 + atomic_unchecked_t s_bal_goals; /* goal hits */
32162 + atomic_unchecked_t s_bal_breaks; /* too long searches */
32163 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
32164 spinlock_t s_bal_lock;
32165 unsigned long s_mb_buddies_generated;
32166 unsigned long long s_mb_generation_time;
32167 - atomic_t s_mb_lost_chunks;
32168 - atomic_t s_mb_preallocated;
32169 - atomic_t s_mb_discarded;
32170 + atomic_unchecked_t s_mb_lost_chunks;
32171 + atomic_unchecked_t s_mb_preallocated;
32172 + atomic_unchecked_t s_mb_discarded;
32173 atomic_t s_lock_busy;
32175 /* locality groups */
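Review bot: Moving the s_bal_* and s_mb_* counters to `atomic_unchecked_t` exempts them from PaX's refcount-overflow trapping while `atomic_t s_lock_busy` one line below stays checked, and the distinction (these are wrapping statistics, not object lifetimes) is implied but not written. A comment above the block, `/* statistics only: may wrap, hence unchecked */`, would explain both why these are unchecked and whether s_lock_busy was left alone on purpose or should be converted too. struct ext4_sb_info starts before this hunk.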
32176 diff -urNp linux-2.6.38.4/fs/ext4/mballoc.c linux-2.6.38.4/fs/ext4/mballoc.c
32177 --- linux-2.6.38.4/fs/ext4/mballoc.c 2011-03-14 21:20:32.000000000 -0400
32178 +++ linux-2.6.38.4/fs/ext4/mballoc.c 2011-04-17 15:57:32.000000000 -0400
32179 @@ -1846,7 +1846,7 @@ void ext4_mb_simple_scan_group(struct ex
32180 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
32182 if (EXT4_SB(sb)->s_mb_stats)
32183 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
32184 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
32188 @@ -2140,7 +2140,7 @@ repeat:
32189 ac->ac_status = AC_STATUS_CONTINUE;
32190 ac->ac_flags |= EXT4_MB_HINT_FIRST;
32192 - atomic_inc(&sbi->s_mb_lost_chunks);
32193 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
32197 @@ -2606,25 +2606,25 @@ int ext4_mb_release(struct super_block *
32198 if (sbi->s_mb_stats) {
32200 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
32201 - atomic_read(&sbi->s_bal_allocated),
32202 - atomic_read(&sbi->s_bal_reqs),
32203 - atomic_read(&sbi->s_bal_success));
32204 + atomic_read_unchecked(&sbi->s_bal_allocated),
32205 + atomic_read_unchecked(&sbi->s_bal_reqs),
32206 + atomic_read_unchecked(&sbi->s_bal_success));
32208 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
32209 "%u 2^N hits, %u breaks, %u lost\n",
32210 - atomic_read(&sbi->s_bal_ex_scanned),
32211 - atomic_read(&sbi->s_bal_goals),
32212 - atomic_read(&sbi->s_bal_2orders),
32213 - atomic_read(&sbi->s_bal_breaks),
32214 - atomic_read(&sbi->s_mb_lost_chunks));
32215 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
32216 + atomic_read_unchecked(&sbi->s_bal_goals),
32217 + atomic_read_unchecked(&sbi->s_bal_2orders),
32218 + atomic_read_unchecked(&sbi->s_bal_breaks),
32219 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
32221 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
32222 sbi->s_mb_buddies_generated++,
32223 sbi->s_mb_generation_time);
32225 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
32226 - atomic_read(&sbi->s_mb_preallocated),
32227 - atomic_read(&sbi->s_mb_discarded));
32228 + atomic_read_unchecked(&sbi->s_mb_preallocated),
32229 + atomic_read_unchecked(&sbi->s_mb_discarded));
32232 free_percpu(sbi->s_locality_groups);
32233 @@ -3100,16 +3100,16 @@ static void ext4_mb_collect_stats(struct
32234 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
32236 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
32237 - atomic_inc(&sbi->s_bal_reqs);
32238 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
32239 + atomic_inc_unchecked(&sbi->s_bal_reqs);
32240 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
32241 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
32242 - atomic_inc(&sbi->s_bal_success);
32243 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
32244 + atomic_inc_unchecked(&sbi->s_bal_success);
32245 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
32246 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
32247 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
32248 - atomic_inc(&sbi->s_bal_goals);
32249 + atomic_inc_unchecked(&sbi->s_bal_goals);
32250 if (ac->ac_found > sbi->s_mb_max_to_scan)
32251 - atomic_inc(&sbi->s_bal_breaks);
32252 + atomic_inc_unchecked(&sbi->s_bal_breaks);
32255 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
32256 @@ -3507,7 +3507,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
32257 trace_ext4_mb_new_inode_pa(ac, pa);
32259 ext4_mb_use_inode_pa(ac, pa);
32260 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32261 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32263 ei = EXT4_I(ac->ac_inode);
32264 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
32265 @@ -3567,7 +3567,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
32266 trace_ext4_mb_new_group_pa(ac, pa);
32268 ext4_mb_use_group_pa(ac, pa);
32269 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32270 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32272 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
32274 @@ -3654,7 +3654,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
32275 * from the bitmap and continue.
32278 - atomic_add(free, &sbi->s_mb_discarded);
32279 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
32283 @@ -3672,7 +3672,7 @@ ext4_mb_release_group_pa(struct ext4_bud
32284 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
32285 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
32286 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
32287 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
32288 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
32289 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
32292 diff -urNp linux-2.6.38.4/fs/ext4/namei.c linux-2.6.38.4/fs/ext4/namei.c
32293 --- linux-2.6.38.4/fs/ext4/namei.c 2011-03-14 21:20:32.000000000 -0400
32294 +++ linux-2.6.38.4/fs/ext4/namei.c 2011-04-17 15:57:32.000000000 -0400
32295 @@ -1161,7 +1161,7 @@ static struct ext4_dir_entry_2 *do_split
32296 char *data1 = (*bh)->b_data, *data2;
32297 unsigned split, move, size;
32298 struct ext4_dir_entry_2 *de = NULL, *de2;
32302 bh2 = ext4_append (handle, dir, &newblock, &err);
32304 diff -urNp linux-2.6.38.4/fs/ext4/xattr.c linux-2.6.38.4/fs/ext4/xattr.c
32305 --- linux-2.6.38.4/fs/ext4/xattr.c 2011-03-14 21:20:32.000000000 -0400
32306 +++ linux-2.6.38.4/fs/ext4/xattr.c 2011-04-17 15:57:32.000000000 -0400
32311 -# define ea_idebug(f...)
32312 -# define ea_bdebug(f...)
32313 +# define ea_idebug(inode, f...) do {} while (0)
32314 +# define ea_bdebug(bh, f...) do {} while (0)
32317 static void ext4_xattr_cache_insert(struct buffer_head *);
32318 diff -urNp linux-2.6.38.4/fs/fcntl.c linux-2.6.38.4/fs/fcntl.c
32319 --- linux-2.6.38.4/fs/fcntl.c 2011-03-14 21:20:32.000000000 -0400
32320 +++ linux-2.6.38.4/fs/fcntl.c 2011-04-17 15:57:32.000000000 -0400
32321 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
32325 + if (gr_handle_chroot_fowner(pid, type))
32327 + if (gr_check_protected_task_fowner(pid, type))
32330 f_modown(filp, pid, type, force);
32333 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
32336 case F_DUPFD_CLOEXEC:
32337 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
32338 if (arg >= rlimit(RLIMIT_NOFILE))
32340 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
32341 @@ -808,14 +814,14 @@ static int __init fcntl_init(void)
32342 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
32343 * is defined as O_NONBLOCK on some platforms and not on others.
32345 - BUILD_BUG_ON(18 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
32346 + BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
32347 O_RDONLY | O_WRONLY | O_RDWR |
32348 O_CREAT | O_EXCL | O_NOCTTY |
32349 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
32350 __O_SYNC | O_DSYNC | FASYNC |
32351 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
32352 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
32354 + __FMODE_EXEC | FMODE_GREXEC
32357 fasync_cache = kmem_cache_create("fasync_cache",
32358 diff -urNp linux-2.6.38.4/fs/fifo.c linux-2.6.38.4/fs/fifo.c
32359 --- linux-2.6.38.4/fs/fifo.c 2011-03-14 21:20:32.000000000 -0400
32360 +++ linux-2.6.38.4/fs/fifo.c 2011-04-17 15:57:32.000000000 -0400
32361 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
32363 filp->f_op = &read_pipefifo_fops;
32365 - if (pipe->readers++ == 0)
32366 + if (atomic_inc_return(&pipe->readers) == 1)
32367 wake_up_partner(inode);
32369 - if (!pipe->writers) {
32370 + if (!atomic_read(&pipe->writers)) {
32371 if ((filp->f_flags & O_NONBLOCK)) {
32372 /* suppress POLLHUP until we have
32374 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
32375 * errno=ENXIO when there is no process reading the FIFO.
32378 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
32379 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
32382 filp->f_op = &write_pipefifo_fops;
32384 - if (!pipe->writers++)
32385 + if (atomic_inc_return(&pipe->writers) == 1)
32386 wake_up_partner(inode);
32388 - if (!pipe->readers) {
32389 + if (!atomic_read(&pipe->readers)) {
32390 wait_for_partner(inode, &pipe->r_counter);
32391 if (signal_pending(current))
32393 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
32395 filp->f_op = &rdwr_pipefifo_fops;
32399 + atomic_inc(&pipe->readers);
32400 + atomic_inc(&pipe->writers);
32403 - if (pipe->readers == 1 || pipe->writers == 1)
32404 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
32405 wake_up_partner(inode);
32408 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
32412 - if (!--pipe->readers)
32413 + if (atomic_dec_and_test(&pipe->readers))
32414 wake_up_interruptible(&pipe->wait);
32415 ret = -ERESTARTSYS;
32419 - if (!--pipe->writers)
32420 + if (atomic_dec_and_test(&pipe->writers))
32421 wake_up_interruptible(&pipe->wait);
32422 ret = -ERESTARTSYS;
32426 - if (!pipe->readers && !pipe->writers)
32427 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
32428 free_pipe_info(inode);
32431 diff -urNp linux-2.6.38.4/fs/file.c linux-2.6.38.4/fs/file.c
32432 --- linux-2.6.38.4/fs/file.c 2011-03-14 21:20:32.000000000 -0400
32433 +++ linux-2.6.38.4/fs/file.c 2011-04-17 15:57:32.000000000 -0400
32435 #include <linux/slab.h>
32436 #include <linux/vmalloc.h>
32437 #include <linux/file.h>
32438 +#include <linux/security.h>
32439 #include <linux/fdtable.h>
32440 #include <linux/bitops.h>
32441 #include <linux/interrupt.h>
32442 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
32443 * N.B. For clone tasks sharing a files structure, this test
32444 * will limit the total number of files that can be opened.
32446 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
32447 if (nr >= rlimit(RLIMIT_NOFILE))
32450 diff -urNp linux-2.6.38.4/fs/filesystems.c linux-2.6.38.4/fs/filesystems.c
32451 --- linux-2.6.38.4/fs/filesystems.c 2011-03-14 21:20:32.000000000 -0400
32452 +++ linux-2.6.38.4/fs/filesystems.c 2011-04-17 15:57:32.000000000 -0400
32453 @@ -275,7 +275,12 @@ struct file_system_type *get_fs_type(con
32454 int len = dot ? dot - name : strlen(name);
32456 fs = __get_fs_type(name, len);
32458 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
32459 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
32461 if (!fs && (request_module("%.*s", len, name) == 0))
32463 fs = __get_fs_type(name, len);
32465 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
32466 diff -urNp linux-2.6.38.4/fs/fs_struct.c linux-2.6.38.4/fs/fs_struct.c
32467 --- linux-2.6.38.4/fs/fs_struct.c 2011-03-14 21:20:32.000000000 -0400
32468 +++ linux-2.6.38.4/fs/fs_struct.c 2011-04-17 15:57:32.000000000 -0400
32470 #include <linux/slab.h>
32471 #include <linux/fs_struct.h>
32472 #include <linux/vserver/global.h>
32473 +#include <linux/grsecurity.h>
32474 #include "internal.h"
32476 static inline void path_get_longterm(struct path *path)
32477 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
32478 old_root = fs->root;
32480 path_get_longterm(path);
32481 + gr_set_chroot_entries(current, path);
32482 write_seqcount_end(&fs->seq);
32483 spin_unlock(&fs->lock);
32484 if (old_root.dentry)
32485 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
32486 && fs->root.mnt == old_root->mnt) {
32487 path_get_longterm(new_root);
32488 fs->root = *new_root;
32489 + gr_set_chroot_entries(p, new_root);
32492 if (fs->pwd.dentry == old_root->dentry
32493 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
32494 spin_lock(&fs->lock);
32495 write_seqcount_begin(&fs->seq);
32497 - kill = !--fs->users;
32498 + gr_clear_chroot_entries(tsk);
32499 + kill = !atomic_dec_return(&fs->users);
32500 write_seqcount_end(&fs->seq);
32501 spin_unlock(&fs->lock);
32503 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
32504 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
32505 /* We don't need to lock fs - think why ;-) */
32508 + atomic_set(&fs->users, 1);
32510 spin_lock_init(&fs->lock);
32511 seqcount_init(&fs->seq);
32512 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
32513 spin_lock(&old->lock);
32514 fs->root = old->root;
32515 path_get_longterm(&fs->root);
32516 + /* instead of calling gr_set_chroot_entries here,
32517 + we call it from every caller of this function
32519 fs->pwd = old->pwd;
32520 path_get_longterm(&fs->pwd);
32521 spin_unlock(&old->lock);
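Review bot: The comment `instead of calling gr_set_chroot_entries here, we call it from every caller of this function` states a contract that only holds as long as every present and future caller of copy_fs_struct remembers it; unshare_fs_struct in this file does (hunk @@ -150,8 +157,9 @@), but other callers, the fork path for one, are outside this chunk. Restating it at the function head, `/* Callers must invoke gr_set_chroot_entries() on the task that installs the returned fs_struct; copy_fs_struct() deliberately does not. */`, puts the obligation where a new caller will see it. The comment's closing `*/` is not shown in this rendering, and copy_fs_struct continues past the hunk.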
32522 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
32524 task_lock(current);
32525 spin_lock(&fs->lock);
32526 - kill = !--fs->users;
32527 + kill = !atomic_dec_return(&fs->users);
32528 current->fs = new_fs;
32529 + gr_set_chroot_entries(current, &new_fs->root);
32530 spin_unlock(&fs->lock);
32531 task_unlock(current);
32533 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
32535 /* to be mentioned only in INIT_TASK */
32536 struct fs_struct init_fs = {
32538 + .users = ATOMIC_INIT(1),
32539 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
32540 .seq = SEQCNT_ZERO,
32542 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
32543 task_lock(current);
32545 spin_lock(&init_fs.lock);
32547 + atomic_inc(&init_fs.users);
32548 spin_unlock(&init_fs.lock);
32550 spin_lock(&fs->lock);
32551 current->fs = &init_fs;
32552 - kill = !--fs->users;
32553 + gr_set_chroot_entries(current, ¤t->fs->root);
32554 + kill = !atomic_dec_return(&fs->users);
32555 spin_unlock(&fs->lock);
32557 task_unlock(current);
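Review bot: The added `gr_set_chroot_entries(current, ¤t->fs->root);` is not valid C as shown — `¤t` looks like `&current` after HTML-entity mangling of `&curren` — so the patch text should be checked against the original before it is applied. Since `current->fs` was set to `&init_fs` two lines earlier, the argument is simpler and unambiguous as `&init_fs.root`. The `atomic_inc(&init_fs.users)` is still performed under `init_fs.lock`; that is harmless, but if the lock no longer protects the counter a comment saying what it still protects would help.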
32558 diff -urNp linux-2.6.38.4/fs/fuse/control.c linux-2.6.38.4/fs/fuse/control.c
32559 --- linux-2.6.38.4/fs/fuse/control.c 2011-03-14 21:20:32.000000000 -0400
32560 +++ linux-2.6.38.4/fs/fuse/control.c 2011-04-17 15:57:32.000000000 -0400
32561 @@ -298,7 +298,7 @@ void fuse_ctl_remove_conn(struct fuse_co
32563 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
32565 - struct tree_descr empty_descr = {""};
32566 + struct tree_descr empty_descr = {"", NULL, 0};
32567 struct fuse_conn *fc;
32570 diff -urNp linux-2.6.38.4/fs/fuse/cuse.c linux-2.6.38.4/fs/fuse/cuse.c
32571 --- linux-2.6.38.4/fs/fuse/cuse.c 2011-03-14 21:20:32.000000000 -0400
32572 +++ linux-2.6.38.4/fs/fuse/cuse.c 2011-04-17 15:57:32.000000000 -0400
32573 @@ -530,8 +530,18 @@ static int cuse_channel_release(struct i
32577 -static struct file_operations cuse_channel_fops; /* initialized during init */
32579 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
32580 + .owner = THIS_MODULE,
32581 + .llseek = no_llseek,
32582 + .read = do_sync_read,
32583 + .aio_read = fuse_dev_read,
32584 + .write = do_sync_write,
32585 + .aio_write = fuse_dev_write,
32586 + .poll = fuse_dev_poll,
32587 + .open = cuse_channel_open,
32588 + .release = cuse_channel_release,
32589 + .fasync = fuse_dev_fasync,
32592 /**************************************************************************
32593 * Misc stuff and module initializatiion
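Review bot: The hand-written `cuse_channel_fops` table drops any fuse_dev_operations entry that the old `cuse_channel_fops = fuse_dev_operations` copy inherited automatically; `fuse_dev_splice_read` and `fuse_dev_splice_write` still exist in fs/fuse/dev.c in this same patch and stay static, so if fuse_dev_operations installs them as `.splice_read`/`.splice_write` (its initializer is not visible here), splice() on a CUSE channel silently loses them. Export those two like the other four and add `.splice_read = fuse_dev_splice_read, .splice_write = fuse_dev_splice_write,`, or at least add a note in dev.c that the two tables must be kept in sync. The `/* initialized during init */` comment on the new definition is now wrong — it is a compile-time initializer — and should read `/* fuse_dev_operations plus CUSE open/release; keep in sync with fs/fuse/dev.c */`.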
32594 @@ -577,12 +587,6 @@ static int __init cuse_init(void)
32595 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
32596 INIT_LIST_HEAD(&cuse_conntbl[i]);
32598 - /* inherit and extend fuse_dev_operations */
32599 - cuse_channel_fops = fuse_dev_operations;
32600 - cuse_channel_fops.owner = THIS_MODULE;
32601 - cuse_channel_fops.open = cuse_channel_open;
32602 - cuse_channel_fops.release = cuse_channel_release;
32604 cuse_class = class_create(THIS_MODULE, "cuse");
32605 if (IS_ERR(cuse_class))
32606 return PTR_ERR(cuse_class);
32607 diff -urNp linux-2.6.38.4/fs/fuse/dev.c linux-2.6.38.4/fs/fuse/dev.c
32608 --- linux-2.6.38.4/fs/fuse/dev.c 2011-03-14 21:20:32.000000000 -0400
32609 +++ linux-2.6.38.4/fs/fuse/dev.c 2011-04-17 15:57:32.000000000 -0400
32610 @@ -1183,7 +1183,7 @@ static ssize_t fuse_dev_do_read(struct f
32614 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32615 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32616 unsigned long nr_segs, loff_t pos)
32618 struct fuse_copy_state cs;
32619 @@ -1197,6 +1197,8 @@ static ssize_t fuse_dev_read(struct kioc
32620 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
32623 +EXPORT_SYMBOL_GPL(fuse_dev_read);
32625 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
32626 struct pipe_buffer *buf)
32628 @@ -1240,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
32632 - if (!pipe->readers) {
32633 + if (!atomic_read(&pipe->readers)) {
32634 send_sig(SIGPIPE, current, 0);
32637 @@ -1733,7 +1735,7 @@ static ssize_t fuse_dev_do_write(struct
32641 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32642 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32643 unsigned long nr_segs, loff_t pos)
32645 struct fuse_copy_state cs;
32646 @@ -1746,6 +1748,8 @@ static ssize_t fuse_dev_write(struct kio
32647 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
32650 +EXPORT_SYMBOL_GPL(fuse_dev_write);
32652 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
32653 struct file *out, loff_t *ppos,
32654 size_t len, unsigned int flags)
32655 @@ -1824,7 +1828,7 @@ out:
32659 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
32660 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
32662 unsigned mask = POLLOUT | POLLWRNORM;
32663 struct fuse_conn *fc = fuse_get_conn(file);
32664 @@ -1843,6 +1847,8 @@ static unsigned fuse_dev_poll(struct fil
32668 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
32671 * Abort all requests on the given list (pending or processing)
32673 @@ -1962,7 +1968,7 @@ int fuse_dev_release(struct inode *inode
32675 EXPORT_SYMBOL_GPL(fuse_dev_release);
32677 -static int fuse_dev_fasync(int fd, struct file *file, int on)
32678 +int fuse_dev_fasync(int fd, struct file *file, int on)
32680 struct fuse_conn *fc = fuse_get_conn(file);
32682 @@ -1972,6 +1978,8 @@ static int fuse_dev_fasync(int fd, struc
32683 return fasync_helper(fd, file, on, &fc->fasync);
32686 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
32688 const struct file_operations fuse_dev_operations = {
32689 .owner = THIS_MODULE,
32690 .llseek = no_llseek,
32691 diff -urNp linux-2.6.38.4/fs/fuse/dir.c linux-2.6.38.4/fs/fuse/dir.c
32692 --- linux-2.6.38.4/fs/fuse/dir.c 2011-03-14 21:20:32.000000000 -0400
32693 +++ linux-2.6.38.4/fs/fuse/dir.c 2011-04-17 15:57:32.000000000 -0400
32694 @@ -1133,7 +1133,7 @@ static char *read_link(struct dentry *de
32698 -static void free_link(char *link)
32699 +static void free_link(const char *link)
32702 free_page((unsigned long) link);
32703 diff -urNp linux-2.6.38.4/fs/fuse/fuse_i.h linux-2.6.38.4/fs/fuse/fuse_i.h
32704 --- linux-2.6.38.4/fs/fuse/fuse_i.h 2011-03-14 21:20:32.000000000 -0400
32705 +++ linux-2.6.38.4/fs/fuse/fuse_i.h 2011-04-17 15:57:32.000000000 -0400
32706 @@ -541,6 +541,16 @@ extern const struct file_operations fuse
32708 extern const struct dentry_operations fuse_dentry_operations;
32710 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32711 + unsigned long nr_segs, loff_t pos);
32713 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32714 + unsigned long nr_segs, loff_t pos);
32716 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
32718 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
32721 * Inode to nodeid comparison.
32723 diff -urNp linux-2.6.38.4/fs/hfs/inode.c linux-2.6.38.4/fs/hfs/inode.c
32724 --- linux-2.6.38.4/fs/hfs/inode.c 2011-03-14 21:20:32.000000000 -0400
32725 +++ linux-2.6.38.4/fs/hfs/inode.c 2011-04-17 15:57:32.000000000 -0400
32726 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
32728 if (S_ISDIR(main_inode->i_mode)) {
32729 if (fd.entrylength < sizeof(struct hfs_cat_dir))
32732 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
32733 sizeof(struct hfs_cat_dir));
32734 if (rec.type != HFS_CDR_DIR ||
32735 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
32736 sizeof(struct hfs_cat_file));
32738 if (fd.entrylength < sizeof(struct hfs_cat_file))
32741 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
32742 sizeof(struct hfs_cat_file));
32743 if (rec.type != HFS_CDR_FIL ||
32744 diff -urNp linux-2.6.38.4/fs/hfsplus/inode.c linux-2.6.38.4/fs/hfsplus/inode.c
32745 --- linux-2.6.38.4/fs/hfsplus/inode.c 2011-03-14 21:20:32.000000000 -0400
32746 +++ linux-2.6.38.4/fs/hfsplus/inode.c 2011-04-17 15:57:32.000000000 -0400
32747 @@ -498,7 +498,7 @@ int hfsplus_cat_read_inode(struct inode
32748 struct hfsplus_cat_folder *folder = &entry.folder;
32750 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
32753 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
32754 sizeof(struct hfsplus_cat_folder));
32755 hfsplus_get_perms(inode, &folder->permissions, 1);
32756 @@ -515,7 +515,7 @@ int hfsplus_cat_read_inode(struct inode
32757 struct hfsplus_cat_file *file = &entry.file;
32759 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
32762 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
32763 sizeof(struct hfsplus_cat_file));
32765 @@ -572,7 +572,7 @@ int hfsplus_cat_write_inode(struct inode
32766 struct hfsplus_cat_folder *folder = &entry.folder;
32768 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
32771 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
32772 sizeof(struct hfsplus_cat_folder));
32773 /* simple node checks? */
32774 @@ -594,7 +594,7 @@ int hfsplus_cat_write_inode(struct inode
32775 struct hfsplus_cat_file *file = &entry.file;
32777 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
32780 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
32781 sizeof(struct hfsplus_cat_file));
32782 hfsplus_inode_write_fork(inode, &file->data_fork);
32783 diff -urNp linux-2.6.38.4/fs/hugetlbfs/inode.c linux-2.6.38.4/fs/hugetlbfs/inode.c
32784 --- linux-2.6.38.4/fs/hugetlbfs/inode.c 2011-03-14 21:20:32.000000000 -0400
32785 +++ linux-2.6.38.4/fs/hugetlbfs/inode.c 2011-04-17 15:57:32.000000000 -0400
32786 @@ -915,7 +915,7 @@ static struct file_system_type hugetlbfs
32787 .kill_sb = kill_litter_super,
32790 -static struct vfsmount *hugetlbfs_vfsmount;
32791 +struct vfsmount *hugetlbfs_vfsmount;
32793 static int can_do_hugetlb_shm(void)
32795 diff -urNp linux-2.6.38.4/fs/jffs2/debug.h linux-2.6.38.4/fs/jffs2/debug.h
32796 --- linux-2.6.38.4/fs/jffs2/debug.h 2011-03-14 21:20:32.000000000 -0400
32797 +++ linux-2.6.38.4/fs/jffs2/debug.h 2011-04-17 15:57:32.000000000 -0400
32798 @@ -53,13 +53,13 @@
32799 #if CONFIG_JFFS2_FS_DEBUG > 0
32803 +#define D1(x) do {} while (0);
32806 #if CONFIG_JFFS2_FS_DEBUG > 1
32810 +#define D2(x) do {} while (0);
32813 /* The prefixes of JFFS2 messages */
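Review bot: The new `#define D1(x) do {} while (0);` and `D2(x)` keep a trailing semicolon inside the macro, so `D1(...)` expands to two statements and `if (c) D1(x); else ...` no longer compiles ("else without a previous if"). Drop the semicolon — `#define D1(x) do {} while (0)` — which is also what the `dbg_*` macros in the next hunk of this file do.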
32814 @@ -115,73 +115,73 @@
32815 #ifdef JFFS2_DBG_READINODE_MESSAGES
32816 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32818 -#define dbg_readinode(fmt, ...)
32819 +#define dbg_readinode(fmt, ...) do {} while (0)
32821 #ifdef JFFS2_DBG_READINODE2_MESSAGES
32822 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32824 -#define dbg_readinode2(fmt, ...)
32825 +#define dbg_readinode2(fmt, ...) do {} while (0)
32828 /* Fragtree build debugging messages */
32829 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
32830 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32832 -#define dbg_fragtree(fmt, ...)
32833 +#define dbg_fragtree(fmt, ...) do {} while (0)
32835 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
32836 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32838 -#define dbg_fragtree2(fmt, ...)
32839 +#define dbg_fragtree2(fmt, ...) do {} while (0)
32842 /* Directory entry list manilulation debugging messages */
32843 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
32844 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32846 -#define dbg_dentlist(fmt, ...)
32847 +#define dbg_dentlist(fmt, ...) do {} while (0)
32850 /* Print the messages about manipulating node_refs */
32851 #ifdef JFFS2_DBG_NODEREF_MESSAGES
32852 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32854 -#define dbg_noderef(fmt, ...)
32855 +#define dbg_noderef(fmt, ...) do {} while (0)
32858 /* Manipulations with the list of inodes (JFFS2 inocache) */
32859 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
32860 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32862 -#define dbg_inocache(fmt, ...)
32863 +#define dbg_inocache(fmt, ...) do {} while (0)
32866 /* Summary debugging messages */
32867 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
32868 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32870 -#define dbg_summary(fmt, ...)
32871 +#define dbg_summary(fmt, ...) do {} while (0)
32874 /* File system build messages */
32875 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
32876 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32878 -#define dbg_fsbuild(fmt, ...)
32879 +#define dbg_fsbuild(fmt, ...) do {} while (0)
32882 /* Watch the object allocations */
32883 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
32884 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32886 -#define dbg_memalloc(fmt, ...)
32887 +#define dbg_memalloc(fmt, ...) do {} while (0)
32890 /* Watch the XATTR subsystem */
32891 #ifdef JFFS2_DBG_XATTR_MESSAGES
32892 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32894 -#define dbg_xattr(fmt, ...)
32895 +#define dbg_xattr(fmt, ...) do {} while (0)
32898 /* "Sanity" checks */
32899 diff -urNp linux-2.6.38.4/fs/jffs2/erase.c linux-2.6.38.4/fs/jffs2/erase.c
32900 --- linux-2.6.38.4/fs/jffs2/erase.c 2011-03-14 21:20:32.000000000 -0400
32901 +++ linux-2.6.38.4/fs/jffs2/erase.c 2011-04-17 15:57:32.000000000 -0400
32902 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
32903 struct jffs2_unknown_node marker = {
32904 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
32905 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32906 - .totlen = cpu_to_je32(c->cleanmarker_size)
32907 + .totlen = cpu_to_je32(c->cleanmarker_size),
32908 + .hdr_crc = cpu_to_je32(0)
32911 jffs2_prealloc_raw_node_refs(c, jeb, 1);
32912 diff -urNp linux-2.6.38.4/fs/jffs2/summary.h linux-2.6.38.4/fs/jffs2/summary.h
32913 --- linux-2.6.38.4/fs/jffs2/summary.h 2011-03-14 21:20:32.000000000 -0400
32914 +++ linux-2.6.38.4/fs/jffs2/summary.h 2011-04-17 15:57:32.000000000 -0400
32915 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
32917 #define jffs2_sum_active() (0)
32918 #define jffs2_sum_init(a) (0)
32919 -#define jffs2_sum_exit(a)
32920 -#define jffs2_sum_disable_collecting(a)
32921 +#define jffs2_sum_exit(a) do {} while (0)
32922 +#define jffs2_sum_disable_collecting(a) do {} while (0)
32923 #define jffs2_sum_is_disabled(a) (0)
32924 -#define jffs2_sum_reset_collected(a)
32925 +#define jffs2_sum_reset_collected(a) do {} while (0)
32926 #define jffs2_sum_add_kvec(a,b,c,d) (0)
32927 -#define jffs2_sum_move_collected(a,b)
32928 +#define jffs2_sum_move_collected(a,b) do {} while (0)
32929 #define jffs2_sum_write_sumnode(a) (0)
32930 -#define jffs2_sum_add_padding_mem(a,b)
32931 -#define jffs2_sum_add_inode_mem(a,b,c)
32932 -#define jffs2_sum_add_dirent_mem(a,b,c)
32933 -#define jffs2_sum_add_xattr_mem(a,b,c)
32934 -#define jffs2_sum_add_xref_mem(a,b,c)
32935 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
32936 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
32937 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
32938 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
32939 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
32940 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
32942 #endif /* CONFIG_JFFS2_SUMMARY */
32943 diff -urNp linux-2.6.38.4/fs/jffs2/wbuf.c linux-2.6.38.4/fs/jffs2/wbuf.c
32944 --- linux-2.6.38.4/fs/jffs2/wbuf.c 2011-03-14 21:20:32.000000000 -0400
32945 +++ linux-2.6.38.4/fs/jffs2/wbuf.c 2011-04-17 15:57:32.000000000 -0400
32946 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
32948 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
32949 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32950 - .totlen = constant_cpu_to_je32(8)
32951 + .totlen = constant_cpu_to_je32(8),
32952 + .hdr_crc = constant_cpu_to_je32(0)
32956 diff -urNp linux-2.6.38.4/fs/Kconfig.binfmt linux-2.6.38.4/fs/Kconfig.binfmt
32957 --- linux-2.6.38.4/fs/Kconfig.binfmt 2011-03-14 21:20:32.000000000 -0400
32958 +++ linux-2.6.38.4/fs/Kconfig.binfmt 2011-04-17 15:57:32.000000000 -0400
32959 @@ -86,7 +86,7 @@ config HAVE_AOUT
32962 tristate "Kernel support for a.out and ECOFF binaries"
32963 - depends on HAVE_AOUT
32964 + depends on HAVE_AOUT && BROKEN
32966 A.out (Assembler.OUTput) is a set of formats for libraries and
32967 executables used in the earliest versions of UNIX. Linux used
32968 diff -urNp linux-2.6.38.4/fs/libfs.c linux-2.6.38.4/fs/libfs.c
32969 --- linux-2.6.38.4/fs/libfs.c 2011-03-14 21:20:32.000000000 -0400
32970 +++ linux-2.6.38.4/fs/libfs.c 2011-04-17 15:57:32.000000000 -0400
32971 @@ -138,6 +138,8 @@ int dcache_readdir(struct file * filp, v
32972 struct dentry *dentry = filp->f_path.dentry;
32973 struct dentry *cursor = filp->private_data;
32974 struct list_head *p, *q = &cursor->d_u.d_child;
32975 + char d_name[DNAME_INLINE_LEN];
32976 + const char *name;
32978 int i = filp->f_pos;
32980 @@ -172,7 +174,12 @@ int dcache_readdir(struct file * filp, v
32982 spin_unlock(&next->d_lock);
32983 spin_unlock(&dentry->d_lock);
32984 - if (filldir(dirent, next->d_name.name,
32985 + if (next->d_name.len < DNAME_INLINE_LEN) {
32986 + memcpy(d_name, next->d_name.name, next->d_name.len);
32989 + name = next->d_name.name;
32990 + if (filldir(dirent, name,
32991 next->d_name.len, filp->f_pos,
32992 next->d_inode->i_ino,
32993 dt_type(next->d_inode)) < 0)
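Review bot: The new bounce through the on-stack `d_name[]` before filldir() carries no comment saying why it exists, and the `DNAME_INLINE_LEN` threshold is unexplained; presumably it keeps the copy_to_user() inside filldir() away from the dentry's inline name storage (a PAX_USERCOPY whitelist concern), but that is inferred. Add `/* short names live inline in the dentry slab object; copy them to the stack so filldir()'s copy_to_user() does not read slab memory directly */` above the `if`. Note the memcpy runs after `spin_unlock(&next->d_lock)`, so `d_name.len` and `d_name.name` can change under a concurrent rename while it reads them — not a regression versus the old direct use, but worth stating so nobody later mistakes the copy for a race fix. dcache_readdir() starts and ends outside the hunk.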
32994 diff -urNp linux-2.6.38.4/fs/lockd/svc.c linux-2.6.38.4/fs/lockd/svc.c
32995 --- linux-2.6.38.4/fs/lockd/svc.c 2011-03-14 21:20:32.000000000 -0400
32996 +++ linux-2.6.38.4/fs/lockd/svc.c 2011-04-17 15:57:32.000000000 -0400
32999 static struct svc_program nlmsvc_program;
33001 -struct nlmsvc_binding * nlmsvc_ops;
33002 +const struct nlmsvc_binding * nlmsvc_ops;
33003 EXPORT_SYMBOL_GPL(nlmsvc_ops);
33005 static DEFINE_MUTEX(nlmsvc_mutex);
33006 diff -urNp linux-2.6.38.4/fs/locks.c linux-2.6.38.4/fs/locks.c
33007 --- linux-2.6.38.4/fs/locks.c 2011-03-14 21:20:32.000000000 -0400
33008 +++ linux-2.6.38.4/fs/locks.c 2011-04-17 15:57:32.000000000 -0400
33009 @@ -2044,16 +2044,16 @@ void locks_remove_flock(struct file *fil
33012 if (filp->f_op && filp->f_op->flock) {
33013 - struct file_lock fl = {
33014 + struct file_lock flock = {
33015 .fl_pid = current->tgid,
33017 .fl_flags = FL_FLOCK,
33018 .fl_type = F_UNLCK,
33019 .fl_end = OFFSET_MAX,
33021 - filp->f_op->flock(filp, F_SETLKW, &fl);
33022 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
33023 - fl.fl_ops->fl_release_private(&fl);
33024 + filp->f_op->flock(filp, F_SETLKW, &flock);
33025 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
33026 + flock.fl_ops->fl_release_private(&flock);
33030 diff -urNp linux-2.6.38.4/fs/namei.c linux-2.6.38.4/fs/namei.c
33031 --- linux-2.6.38.4/fs/namei.c 2011-04-22 19:20:59.000000000 -0400
33032 +++ linux-2.6.38.4/fs/namei.c 2011-04-22 19:21:23.000000000 -0400
33033 @@ -226,14 +226,6 @@ int generic_permission(struct inode *ino
33037 - * Read/write DACs are always overridable.
33038 - * Executable DACs are overridable if at least one exec bit is set.
33040 - if (!(mask & MAY_EXEC) || execute_ok(inode))
33041 - if (capable(CAP_DAC_OVERRIDE))
33045 * Searching includes executable on directories, else just read.
33047 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
33048 @@ -241,6 +233,14 @@ int generic_permission(struct inode *ino
33049 if (capable(CAP_DAC_READ_SEARCH))
33053 + * Read/write DACs are always overridable.
33054 + * Executable DACs are overridable if at least one exec bit is set.
33056 + if (!(mask & MAY_EXEC) || execute_ok(inode))
33057 + if (capable(CAP_DAC_OVERRIDE))
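Review bot: Moving the CAP_DAC_OVERRIDE test below the CAP_DAC_READ_SEARCH test changes which capability is consulted first, and nothing in the hunk says why; the permission result is unchanged, so the motive is presumably the side effect of capable() (capability audit/logging, PF_SUPERPRIV) on tasks that hold only CAP_DAC_READ_SEARCH. Add `/* test the narrower capability first so a task that only has CAP_DAC_READ_SEARCH is not reported for CAP_DAC_OVERRIDE */` above the moved block so the order is not "fixed" back later. The removed copy of the block is in the previous hunk; generic_permission() continues outside both.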
33063 @@ -687,7 +687,8 @@ static inline int exec_permission(struct
33064 if (ret == -ECHILD)
33067 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
33068 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
33069 + capable(CAP_DAC_OVERRIDE))
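Review bot: The trailing `capable(CAP_DAC_OVERRIDE)` is only reached after `capable_nolog(CAP_DAC_OVERRIDE)` returned false, so — assuming the two differ only in logging, as the name suggests — it can never succeed and its sole purpose is to emit the denial log once both capabilities have failed. That deserves a comment, otherwise it reads as a redundant check: `/* re-test with logging only after CAP_DAC_READ_SEARCH also failed, so exactly one denial is logged */`. exec_permission() is cut at both ends of the hunk.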
33073 @@ -776,7 +777,7 @@ __do_follow_link(const struct path *link
33074 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
33075 error = PTR_ERR(*p);
33077 - char *s = nd_get_link(nd);
33078 + const char *s = nd_get_link(nd);
33081 error = __vfs_follow_link(nd, s);
33082 @@ -815,6 +816,13 @@ static inline int do_follow_link(struct
33083 err = security_inode_follow_link(path->dentry, nd);
33087 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
33088 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
33093 current->link_count++;
33094 current->total_link_count++;
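Review bot: `path->dentry->d_parent->d_inode` is read without `d_lock` or `rename_lock`, and a concurrent rename can move the link, so the parent the check sees need not be the directory the lookup actually walked through; the directory being traversed is what the walker already holds in `nd->path` at this point (inferred from link_path_walk(), not visible here), and passing `nd->path.dentry->d_inode` instead — as mainline's later may_follow_link() does with `nd->inode` — avoids both the unlocked pointer chase and the mismatch. The same `d_parent` pattern is repeated in the follow-link hunk inside do_filp_open() later in this file. do_follow_link() starts before the hunk.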
33096 @@ -1506,13 +1514,36 @@ return_reval:
33098 if (nameidata_drop_rcu_last_maybe(nd))
33101 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
33103 + goto err_and_ret;
33108 if (!(nd->flags & LOOKUP_RCU))
33109 path_put_conditional(&next, nd);
33112 +#ifdef CONFIG_GRKERNSEC
33113 + /* we do this because we can't operate here on an rcu'd dentry,
33114 + acquire a properly-referenced copy
33116 + if (nameidata_drop_rcu_last_maybe(nd))
33120 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
33124 +#ifndef CONFIG_GRKERNSEC
33125 + /* since we convert to ref-walk above, always put the path if we reach
33128 if (!(nd->flags & LOOKUP_RCU))
33130 path_put(&nd->path);
33133 @@ -1739,6 +1770,9 @@ static int do_path_lookup(int dfd, const
33136 if (likely(!retval)) {
33137 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
33140 if (unlikely(!audit_dummy_context())) {
33141 if (nd->path.dentry && nd->inode)
33142 audit_inode(name, nd->path.dentry);
33143 @@ -2079,6 +2113,30 @@ int vfs_create(struct inode *dir, struct
33148 + * Note that while the flag value (low two bits) for sys_open means:
33150 + * 01 - write-only
33151 + * 10 - read-write
33153 + * it is changed into
33154 + * 00 - no permissions needed
33155 + * 01 - read-permission
33156 + * 10 - write-permission
33157 + * 11 - read-write
33158 + * for the internal routines (ie open_namei()/follow_link() etc)
33159 + * This is more logical, and also allows the 00 "no perm needed"
33160 + * to be used for symlinks (where the permissions are checked
33164 +static inline int open_to_namei_flags(int flag)
33166 + if ((flag+1) & O_ACCMODE)
33171 int may_open(struct path *path, int acc_mode, int flag)
33173 struct dentry *dentry = path->dentry;
33174 @@ -2127,7 +2185,27 @@ int may_open(struct path *path, int acc_
33176 * Ensure there are no outstanding leases on the file.
33178 - return break_lease(inode, flag);
33179 + error = break_lease(inode, flag);
33184 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
33189 + if (gr_handle_rawio(inode)) {
33194 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
33202 static int handle_truncate(struct file *filp)
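Review bot: The grsecurity open checks (`gr_handle_rofs_blockwrite`, `gr_handle_rawio`, `gr_acl_handle_open`) run after `break_lease(inode, flag)`, so a task the policy is about to deny can still force a lease break — signalling the lease holder and sleeping up to lease-break-time — on a file it is never allowed to open. Run the three checks first and make break_lease() the final step, as the `return break_lease(inode, flag);` it replaces was. The error-return lines of the new checks and the rest of may_open() are outside the hunk.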
33203 @@ -2162,6 +2240,12 @@ static int __open_namei_create(struct na
33206 struct dentry *dir = nd->path.dentry;
33207 + int flag = open_to_namei_flags(open_flag);
33209 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
33214 if (!IS_POSIXACL(dir->d_inode))
33215 mode &= ~current_umask();
33216 @@ -2169,6 +2253,8 @@ static int __open_namei_create(struct na
33219 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
33221 + gr_handle_create(path->dentry, nd->path.mnt);
33223 mutex_unlock(&dir->d_inode->i_mutex);
33224 dput(nd->path.dentry);
33225 @@ -2180,30 +2266,6 @@ out_unlock:
33226 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
33230 - * Note that while the flag value (low two bits) for sys_open means:
33232 - * 01 - write-only
33233 - * 10 - read-write
33235 - * it is changed into
33236 - * 00 - no permissions needed
33237 - * 01 - read-permission
33238 - * 10 - write-permission
33239 - * 11 - read-write
33240 - * for the internal routines (ie open_namei()/follow_link() etc)
33241 - * This is more logical, and also allows the 00 "no perm needed"
33242 - * to be used for symlinks (where the permissions are checked
33246 -static inline int open_to_namei_flags(int flag)
33248 - if ((flag+1) & O_ACCMODE)
33253 static int open_will_truncate(int flag, struct inode *inode)
33256 @@ -2274,6 +2336,7 @@ static struct file *do_last(struct namei
33257 int mode, const char *pathname)
33259 struct dentry *dir = nd->path.dentry;
33260 + int flag = open_to_namei_flags(open_flag);
33262 int error = -EISDIR;
33264 @@ -2352,6 +2415,14 @@ static struct file *do_last(struct namei
33266 * It already exists.
33269 + /* only check if O_CREAT is specified, all other checks need to go
33271 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
33273 + goto exit_mutex_unlock;
33276 mutex_unlock(&dir->d_inode->i_mutex);
33277 audit_inode(pathname, path->dentry);
33279 @@ -2535,6 +2606,11 @@ reval:
33280 error = security_inode_follow_link(link.dentry, &nd);
33283 + if (gr_handle_follow_link(link.dentry->d_parent->d_inode,
33284 + link.dentry->d_inode, link.dentry, nd.path.mnt)) {
33288 error = __do_follow_link(&link, &nd, &cookie);
33289 if (unlikely(error)) {
33290 if (!IS_ERR(cookie) && linki->i_op->put_link)
33291 @@ -2705,6 +2781,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
33292 error = may_mknod(mode);
33296 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
33301 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
33306 error = mnt_want_write(nd.path.mnt);
33309 @@ -2725,6 +2812,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
33312 mnt_drop_write(nd.path.mnt);
33315 + gr_handle_create(dentry, nd.path.mnt);
33319 @@ -2777,6 +2867,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
33320 if (IS_ERR(dentry))
33323 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
33328 if (!IS_POSIXACL(nd.path.dentry->d_inode))
33329 mode &= ~current_umask();
33330 error = mnt_want_write(nd.path.mnt);
33331 @@ -2788,6 +2883,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
33332 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
33334 mnt_drop_write(nd.path.mnt);
33337 + gr_handle_create(dentry, nd.path.mnt);
33342 @@ -2867,6 +2966,8 @@ static long do_rmdir(int dfd, const char
33344 struct dentry *dentry;
33345 struct nameidata nd;
33346 + ino_t saved_ino = 0;
33347 + dev_t saved_dev = 0;
33349 error = user_path_parent(dfd, pathname, &nd, &name);
33351 @@ -2891,6 +2992,19 @@ static long do_rmdir(int dfd, const char
33352 error = PTR_ERR(dentry);
33353 if (IS_ERR(dentry))
33356 + if (dentry->d_inode != NULL) {
33357 + if (dentry->d_inode->i_nlink <= 1) {
33358 + saved_ino = dentry->d_inode->i_ino;
33359 + saved_dev = gr_get_dev_from_dentry(dentry);
33362 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
33368 error = mnt_want_write(nd.path.mnt);
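Review bot: The `dentry->d_inode->i_nlink <= 1` test guarding `saved_ino`/`saved_dev` almost never holds for a directory: on filesystems that count `.` and the parent's entry, an empty directory has i_nlink == 2, so gr_handle_delete() in the next hunk is skipped for most successful rmdir() calls and the inode's entries are left behind. A directory that vfs_rmdir() removes is always gone, so drop the nlink condition and save whenever the dentry is positive: `if (dentry->d_inode != NULL) { saved_ino = dentry->d_inode->i_ino; saved_dev = gr_get_dev_from_dentry(dentry); }`. The hardlink-aware `i_nlink <= 1` test is appropriate for do_unlinkat() further down, not here.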
33371 @@ -2898,6 +3012,8 @@ static long do_rmdir(int dfd, const char
33374 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
33375 + if (!error && (saved_dev || saved_ino))
33376 + gr_handle_delete(saved_ino, saved_dev);
33378 mnt_drop_write(nd.path.mnt);
33380 @@ -2960,6 +3076,8 @@ static long do_unlinkat(int dfd, const c
33381 struct dentry *dentry;
33382 struct nameidata nd;
33383 struct inode *inode = NULL;
33384 + ino_t saved_ino = 0;
33385 + dev_t saved_dev = 0;
33387 error = user_path_parent(dfd, pathname, &nd, &name);
33389 @@ -2979,8 +3097,17 @@ static long do_unlinkat(int dfd, const c
33390 if (nd.last.name[nd.last.len])
33392 inode = dentry->d_inode;
33396 + if (inode->i_nlink <= 1) {
33397 + saved_ino = inode->i_ino;
33398 + saved_dev = gr_get_dev_from_dentry(dentry);
33400 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
33405 error = mnt_want_write(nd.path.mnt);
33408 @@ -2988,6 +3115,8 @@ static long do_unlinkat(int dfd, const c
33411 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
33412 + if (!error && (saved_ino || saved_dev))
33413 + gr_handle_delete(saved_ino, saved_dev);
33415 mnt_drop_write(nd.path.mnt);
33417 @@ -3065,6 +3194,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
33418 if (IS_ERR(dentry))
33421 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
33426 error = mnt_want_write(nd.path.mnt);
33429 @@ -3072,6 +3206,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
33431 goto out_drop_write;
33432 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
33434 + gr_handle_create(dentry, nd.path.mnt);
33436 mnt_drop_write(nd.path.mnt);
33438 @@ -3164,6 +3300,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
33439 error = PTR_ERR(new_dentry);
33440 if (IS_ERR(new_dentry))
33443 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
33444 + old_path.dentry->d_inode,
33445 + old_path.dentry->d_inode->i_mode, to)) {
33450 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
33451 + old_path.dentry, old_path.mnt, to)) {
33456 error = mnt_want_write(nd.path.mnt);
33459 @@ -3171,6 +3321,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
33461 goto out_drop_write;
33462 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
33464 + gr_handle_create(new_dentry, nd.path.mnt);
33466 mnt_drop_write(nd.path.mnt);
33468 @@ -3404,6 +3556,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
33469 if (new_dentry == trap)
33472 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
33473 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
33478 error = mnt_want_write(oldnd.path.mnt);
33481 @@ -3413,6 +3571,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
33483 error = vfs_rename(old_dir->d_inode, old_dentry,
33484 new_dir->d_inode, new_dentry);
33486 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
33487 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
33489 mnt_drop_write(oldnd.path.mnt);
33491 @@ -3438,6 +3599,8 @@ SYSCALL_DEFINE2(rename, const char __use
33493 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
33496 + const char *newlink;
33499 len = PTR_ERR(link);
33500 @@ -3447,7 +3610,14 @@ int vfs_readlink(struct dentry *dentry,
33501 len = strlen(link);
33502 if (len > (unsigned) buflen)
33504 - if (copy_to_user(buffer, link, len))
33506 + if (len < sizeof(tmpbuf)) {
33507 + memcpy(tmpbuf, link, len);
33508 + newlink = tmpbuf;
33512 + if (copy_to_user(buffer, newlink, len))
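Review bot: The new detour through `tmpbuf` for targets shorter than `sizeof(tmpbuf)` has no comment explaining it, and the threshold looks arbitrary to a reader; presumably it keeps copy_to_user() from reading directly out of the inode (inline symlink targets live inside the slab-allocated inode, which a PAX_USERCOPY whitelist would reject), but that is inferred. Add `/* short targets are stored inline in the inode; bounce them through the stack so copy_to_user() never reads the inode object directly */` before the `if`. The `else` branch that presumably sets `newlink = link` and the `tmpbuf` declaration are not visible in this hunk.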
33516 diff -urNp linux-2.6.38.4/fs/namespace.c linux-2.6.38.4/fs/namespace.c
33517 --- linux-2.6.38.4/fs/namespace.c 2011-04-18 17:27:16.000000000 -0400
33518 +++ linux-2.6.38.4/fs/namespace.c 2011-04-17 15:57:32.000000000 -0400
33519 @@ -1285,6 +1285,9 @@ static int do_umount(struct vfsmount *mn
33520 if (!(sb->s_flags & MS_RDONLY))
33521 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
33522 up_write(&sb->s_umount);
33524 + gr_log_remount(mnt->mnt_devname, retval);
33529 @@ -1304,6 +1307,9 @@ static int do_umount(struct vfsmount *mn
33530 br_write_unlock(vfsmount_lock);
33531 up_write(&namespace_sem);
33532 release_mounts(&umount_list);
33534 + gr_log_unmount(mnt->mnt_devname, retval);
33539 @@ -2241,6 +2247,16 @@ long do_mount(char *dev_name, char *dir_
33540 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
33543 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
33548 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
33553 if (flags & MS_REMOUNT)
33554 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
33556 @@ -2255,6 +2271,9 @@ long do_mount(char *dev_name, char *dir_
33557 dev_name, data_page);
33561 + gr_log_mount(dev_name, dir_name, retval);
33566 @@ -2480,6 +2499,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
33570 + if (gr_handle_chroot_pivot()) {
33576 get_fs_root(current->fs, &root);
33577 down_write(&namespace_sem);
33578 mutex_lock(&old.dentry->d_inode->i_mutex);
33579 diff -urNp linux-2.6.38.4/fs/nfs/inode.c linux-2.6.38.4/fs/nfs/inode.c
33580 --- linux-2.6.38.4/fs/nfs/inode.c 2011-03-14 21:20:32.000000000 -0400
33581 +++ linux-2.6.38.4/fs/nfs/inode.c 2011-04-17 15:57:32.000000000 -0400
33582 @@ -998,16 +998,16 @@ static int nfs_size_need_update(const st
33583 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
33586 -static atomic_long_t nfs_attr_generation_counter;
33587 +static atomic_long_unchecked_t nfs_attr_generation_counter;
33589 static unsigned long nfs_read_attr_generation_counter(void)
33591 - return atomic_long_read(&nfs_attr_generation_counter);
33592 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
33595 unsigned long nfs_inc_attr_generation_counter(void)
33597 - return atomic_long_inc_return(&nfs_attr_generation_counter);
33598 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
33601 void nfs_fattr_init(struct nfs_fattr *fattr)
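Review bot: `nfs_attr_generation_counter` is switched to `atomic_long_unchecked_t`, which exempts it from the overflow detection the checked atomics get, and nothing in the hunk records why that is safe. Every such opt-out should carry its justification — here, presumably, that this is a monotonically increasing generation tag whose wraparound is benign and not a reference count: `/* unchecked: generation tag, not a refcount — wrapping is harmless */` on the declaration.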
33602 diff -urNp linux-2.6.38.4/fs/nfs/nfs4proc.c linux-2.6.38.4/fs/nfs/nfs4proc.c
33603 --- linux-2.6.38.4/fs/nfs/nfs4proc.c 2011-03-14 21:20:32.000000000 -0400
33604 +++ linux-2.6.38.4/fs/nfs/nfs4proc.c 2011-04-17 15:57:32.000000000 -0400
33605 @@ -1198,7 +1198,7 @@ static int _nfs4_do_open_reclaim(struct
33606 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
33608 struct nfs_server *server = NFS_SERVER(state->inode);
33609 - struct nfs4_exception exception = { };
33610 + struct nfs4_exception exception = {0, 0};
33613 err = _nfs4_do_open_reclaim(ctx, state);
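Review bot: The replacement initializer `{0, 0}` on L20901 hard-codes that struct nfs4_exception has exactly two members, which the original `{ }` did not, and the same rewrite is repeated in every hunk of this file. If the goal is only to avoid the GNU empty-initializer extension, `{ 0 }` is the portable spelling that GCC also exempts from missing-field warnings; designated initializers (`{ .retry = 0, .state = NULL }`, assuming those are the member names — the struct definition is not in view) would survive members being added or reordered without touching thirty call sites.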
33614 @@ -1240,7 +1240,7 @@ static int _nfs4_open_delegation_recall(
33616 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
33618 - struct nfs4_exception exception = { };
33619 + struct nfs4_exception exception = {0, 0};
33620 struct nfs_server *server = NFS_SERVER(state->inode);
33623 @@ -1615,7 +1615,7 @@ static int _nfs4_open_expired(struct nfs
33624 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
33626 struct nfs_server *server = NFS_SERVER(state->inode);
33627 - struct nfs4_exception exception = { };
33628 + struct nfs4_exception exception = {0, 0};
33632 @@ -1730,7 +1730,7 @@ out_err:
33634 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
33636 - struct nfs4_exception exception = { };
33637 + struct nfs4_exception exception = {0, 0};
33638 struct nfs4_state *res;
33641 @@ -1821,7 +1821,7 @@ static int nfs4_do_setattr(struct inode
33642 struct nfs4_state *state)
33644 struct nfs_server *server = NFS_SERVER(inode);
33645 - struct nfs4_exception exception = { };
33646 + struct nfs4_exception exception = {0, 0};
33649 err = nfs4_handle_exception(server,
33650 @@ -2111,7 +2111,7 @@ static int _nfs4_server_capabilities(str
33652 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
33654 - struct nfs4_exception exception = { };
33655 + struct nfs4_exception exception = {0, 0};
33658 err = nfs4_handle_exception(server,
33659 @@ -2145,7 +2145,7 @@ static int _nfs4_lookup_root(struct nfs_
33660 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
33661 struct nfs_fsinfo *info)
33663 - struct nfs4_exception exception = { };
33664 + struct nfs4_exception exception = {0, 0};
33667 err = nfs4_handle_exception(server,
33668 @@ -2233,7 +2233,7 @@ static int _nfs4_proc_getattr(struct nfs
33670 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
33672 - struct nfs4_exception exception = { };
33673 + struct nfs4_exception exception = {0, 0};
33676 err = nfs4_handle_exception(server,
33677 @@ -2321,7 +2321,7 @@ static int nfs4_proc_lookupfh(struct nfs
33678 struct qstr *name, struct nfs_fh *fhandle,
33679 struct nfs_fattr *fattr)
33681 - struct nfs4_exception exception = { };
33682 + struct nfs4_exception exception = {0, 0};
33685 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
33686 @@ -2350,7 +2350,7 @@ static int _nfs4_proc_lookup(struct inod
33688 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
33690 - struct nfs4_exception exception = { };
33691 + struct nfs4_exception exception = {0, 0};
33694 err = nfs4_handle_exception(NFS_SERVER(dir),
33695 @@ -2417,7 +2417,7 @@ static int _nfs4_proc_access(struct inod
33697 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
33699 - struct nfs4_exception exception = { };
33700 + struct nfs4_exception exception = {0, 0};
33703 err = nfs4_handle_exception(NFS_SERVER(inode),
33704 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_readlink(struct in
33705 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
33706 unsigned int pgbase, unsigned int pglen)
33708 - struct nfs4_exception exception = { };
33709 + struct nfs4_exception exception = {0, 0};
33712 err = nfs4_handle_exception(NFS_SERVER(inode),
33713 @@ -2568,7 +2568,7 @@ out:
33715 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
33717 - struct nfs4_exception exception = { };
33718 + struct nfs4_exception exception = {0, 0};
33721 err = nfs4_handle_exception(NFS_SERVER(dir),
33722 @@ -2673,7 +2673,7 @@ out:
33723 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
33724 struct inode *new_dir, struct qstr *new_name)
33726 - struct nfs4_exception exception = { };
33727 + struct nfs4_exception exception = {0, 0};
33730 err = nfs4_handle_exception(NFS_SERVER(old_dir),
33731 @@ -2722,7 +2722,7 @@ out:
33733 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
33735 - struct nfs4_exception exception = { };
33736 + struct nfs4_exception exception = {0, 0};
33739 err = nfs4_handle_exception(NFS_SERVER(inode),
33740 @@ -2814,7 +2814,7 @@ out:
33741 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
33742 struct page *page, unsigned int len, struct iattr *sattr)
33744 - struct nfs4_exception exception = { };
33745 + struct nfs4_exception exception = {0, 0};
33748 err = nfs4_handle_exception(NFS_SERVER(dir),
33749 @@ -2845,7 +2845,7 @@ out:
33750 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
33751 struct iattr *sattr)
33753 - struct nfs4_exception exception = { };
33754 + struct nfs4_exception exception = {0, 0};
33757 sattr->ia_mode &= ~current_umask();
33758 @@ -2899,7 +2899,7 @@ static int _nfs4_proc_readdir(struct den
33759 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
33760 u64 cookie, struct page **pages, unsigned int count, int plus)
33762 - struct nfs4_exception exception = { };
33763 + struct nfs4_exception exception = {0, 0};
33766 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
33767 @@ -2947,7 +2947,7 @@ out:
33768 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
33769 struct iattr *sattr, dev_t rdev)
33771 - struct nfs4_exception exception = { };
33772 + struct nfs4_exception exception = {0, 0};
33775 sattr->ia_mode &= ~current_umask();
33776 @@ -2981,7 +2981,7 @@ static int _nfs4_proc_statfs(struct nfs_
33778 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
33780 - struct nfs4_exception exception = { };
33781 + struct nfs4_exception exception = {0, 0};
33784 err = nfs4_handle_exception(server,
33785 @@ -3012,7 +3012,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
33787 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
33789 - struct nfs4_exception exception = { };
33790 + struct nfs4_exception exception = {0, 0};
33794 @@ -3058,7 +3058,7 @@ static int _nfs4_proc_pathconf(struct nf
33795 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
33796 struct nfs_pathconf *pathconf)
33798 - struct nfs4_exception exception = { };
33799 + struct nfs4_exception exception = {0, 0};
33803 @@ -3404,7 +3404,7 @@ out_free:
33805 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
33807 - struct nfs4_exception exception = { };
33808 + struct nfs4_exception exception = {0, 0};
33811 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
33812 @@ -3479,7 +3479,7 @@ static int __nfs4_proc_set_acl(struct in
33814 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
33816 - struct nfs4_exception exception = { };
33817 + struct nfs4_exception exception = {0, 0};
33820 err = nfs4_handle_exception(NFS_SERVER(inode),
33821 @@ -3760,7 +3760,7 @@ out:
33822 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
33824 struct nfs_server *server = NFS_SERVER(inode);
33825 - struct nfs4_exception exception = { };
33826 + struct nfs4_exception exception = {0, 0};
33829 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
33830 @@ -3834,7 +3834,7 @@ out:
33832 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
33834 - struct nfs4_exception exception = { };
33835 + struct nfs4_exception exception = {0, 0};
33839 @@ -4239,7 +4239,7 @@ static int _nfs4_do_setlk(struct nfs4_st
33840 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
33842 struct nfs_server *server = NFS_SERVER(state->inode);
33843 - struct nfs4_exception exception = { };
33844 + struct nfs4_exception exception = {0, 0};
33848 @@ -4257,7 +4257,7 @@ static int nfs4_lock_reclaim(struct nfs4
33849 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
33851 struct nfs_server *server = NFS_SERVER(state->inode);
33852 - struct nfs4_exception exception = { };
33853 + struct nfs4_exception exception = {0, 0};
33856 err = nfs4_set_lock_state(state, request);
33857 @@ -4321,7 +4321,7 @@ out:
33859 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
33861 - struct nfs4_exception exception = { };
33862 + struct nfs4_exception exception = {0, 0};
33866 @@ -4381,7 +4381,7 @@ nfs4_proc_lock(struct file *filp, int cm
33867 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
33869 struct nfs_server *server = NFS_SERVER(state->inode);
33870 - struct nfs4_exception exception = { };
33871 + struct nfs4_exception exception = {0, 0};
33874 err = nfs4_set_lock_state(state, fl);
33875 diff -urNp linux-2.6.38.4/fs/nfsd/lockd.c linux-2.6.38.4/fs/nfsd/lockd.c
33876 --- linux-2.6.38.4/fs/nfsd/lockd.c 2011-04-18 17:27:18.000000000 -0400
33877 +++ linux-2.6.38.4/fs/nfsd/lockd.c 2011-04-17 16:53:48.000000000 -0400
33878 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
33882 -static struct nlmsvc_binding nfsd_nlm_ops = {
33883 +static const struct nlmsvc_binding nfsd_nlm_ops = {
33884 .fopen = nlm_fopen, /* open file for locking */
33885 .fclose = nlm_fclose, /* close file */
33887 diff -urNp linux-2.6.38.4/fs/nfsd/nfsctl.c linux-2.6.38.4/fs/nfsd/nfsctl.c
33888 --- linux-2.6.38.4/fs/nfsd/nfsctl.c 2011-03-14 21:20:32.000000000 -0400
33889 +++ linux-2.6.38.4/fs/nfsd/nfsctl.c 2011-04-17 15:57:32.000000000 -0400
33890 @@ -180,7 +180,7 @@ static int export_features_open(struct i
33891 return single_open(file, export_features_show, NULL);
33894 -static struct file_operations export_features_operations = {
33895 +static const struct file_operations export_features_operations = {
33896 .open = export_features_open,
33898 .llseek = seq_lseek,
33899 diff -urNp linux-2.6.38.4/fs/nfsd/vfs.c linux-2.6.38.4/fs/nfsd/vfs.c
33900 --- linux-2.6.38.4/fs/nfsd/vfs.c 2011-03-14 21:20:32.000000000 -0400
33901 +++ linux-2.6.38.4/fs/nfsd/vfs.c 2011-04-17 15:57:32.000000000 -0400
33902 @@ -898,7 +898,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
33906 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
33907 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
33911 @@ -1002,7 +1002,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
33913 /* Write the data. */
33914 oldfs = get_fs(); set_fs(KERNEL_DS);
33915 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
33916 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
33920 @@ -1518,7 +1518,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
33923 oldfs = get_fs(); set_fs(KERNEL_DS);
33924 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
33925 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
33929 diff -urNp linux-2.6.38.4/fs/nls/nls_base.c linux-2.6.38.4/fs/nls/nls_base.c
33930 --- linux-2.6.38.4/fs/nls/nls_base.c 2011-03-14 21:20:32.000000000 -0400
33931 +++ linux-2.6.38.4/fs/nls/nls_base.c 2011-04-17 15:57:32.000000000 -0400
33932 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
33933 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
33934 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
33935 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
33936 - {0, /* end of table */}
33937 + {0, 0, 0, 0, 0, /* end of table */}
33940 #define UNICODE_MAX 0x0010ffff
33941 diff -urNp linux-2.6.38.4/fs/notify/dnotify/dnotify.c linux-2.6.38.4/fs/notify/dnotify/dnotify.c
33942 --- linux-2.6.38.4/fs/notify/dnotify/dnotify.c 2011-03-14 21:20:32.000000000 -0400
33943 +++ linux-2.6.38.4/fs/notify/dnotify/dnotify.c 2011-04-17 15:57:32.000000000 -0400
33944 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
33945 kmem_cache_free(dnotify_mark_cache, dn_mark);
33948 -static struct fsnotify_ops dnotify_fsnotify_ops = {
33949 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
33950 .handle_event = dnotify_handle_event,
33951 .should_send_event = dnotify_should_send_event,
33952 .free_group_priv = NULL,
33953 diff -urNp linux-2.6.38.4/fs/ntfs/dir.c linux-2.6.38.4/fs/ntfs/dir.c
33954 --- linux-2.6.38.4/fs/ntfs/dir.c 2011-03-14 21:20:32.000000000 -0400
33955 +++ linux-2.6.38.4/fs/ntfs/dir.c 2011-04-17 15:57:32.000000000 -0400
33956 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
33957 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
33958 ~(s64)(ndir->itype.index.block_size - 1)));
33959 /* Bounds checks. */
33960 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33961 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33962 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
33963 "inode 0x%lx or driver bug.", vdir->i_ino);
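Review bot: The new `!kaddr` test on L21117 runs after `ia` has already been derived from `kaddr` on L21113–L21114, so if `kaddr` can be NULL here the null-pointer arithmetic has already happened (undefined behaviour, even though it would not fault by itself); the test belongs before the `ia = ...` assignment, taking the same error path the bounds failure takes. Whether `kaddr` can be NULL at all depends on how it was obtained, which is outside this hunk; if it comes from a mapping the driver already holds, the check is dead and a comment saying so is better than a check that implies a real failure mode. The enclosing readdir loop extends beyond the hunk in both directions.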
33965 diff -urNp linux-2.6.38.4/fs/ntfs/file.c linux-2.6.38.4/fs/ntfs/file.c
33966 --- linux-2.6.38.4/fs/ntfs/file.c 2011-03-14 21:20:32.000000000 -0400
33967 +++ linux-2.6.38.4/fs/ntfs/file.c 2011-04-17 15:57:32.000000000 -0400
33968 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
33969 #endif /* NTFS_RW */
33972 -const struct file_operations ntfs_empty_file_ops = {};
33973 +const struct file_operations ntfs_empty_file_ops __read_only;
33975 -const struct inode_operations ntfs_empty_inode_ops = {};
33976 +const struct inode_operations ntfs_empty_inode_ops __read_only;
33977 diff -urNp linux-2.6.38.4/fs/ocfs2/localalloc.c linux-2.6.38.4/fs/ocfs2/localalloc.c
33978 --- linux-2.6.38.4/fs/ocfs2/localalloc.c 2011-03-14 21:20:32.000000000 -0400
33979 +++ linux-2.6.38.4/fs/ocfs2/localalloc.c 2011-04-17 15:57:32.000000000 -0400
33980 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
33984 - atomic_inc(&osb->alloc_stats.moves);
33985 + atomic_inc_unchecked(&osb->alloc_stats.moves);
33989 diff -urNp linux-2.6.38.4/fs/ocfs2/ocfs2.h linux-2.6.38.4/fs/ocfs2/ocfs2.h
33990 --- linux-2.6.38.4/fs/ocfs2/ocfs2.h 2011-03-14 21:20:32.000000000 -0400
33991 +++ linux-2.6.38.4/fs/ocfs2/ocfs2.h 2011-04-17 15:57:32.000000000 -0400
33992 @@ -230,11 +230,11 @@ enum ocfs2_vol_state
33994 struct ocfs2_alloc_stats
33997 - atomic_t local_data;
33998 - atomic_t bitmap_data;
33999 - atomic_t bg_allocs;
34000 - atomic_t bg_extends;
34001 + atomic_unchecked_t moves;
34002 + atomic_unchecked_t local_data;
34003 + atomic_unchecked_t bitmap_data;
34004 + atomic_unchecked_t bg_allocs;
34005 + atomic_unchecked_t bg_extends;
34008 enum ocfs2_local_alloc_state
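Review bot: The alloc_stats members change to atomic_unchecked_t on L21144–L21148 with nothing at the struct saying why they may skip overflow detection; every use in this patch is a bare increment or a read for the ocfs2_osb_dump printout (L21187–L21196), so they look like statistics rather than lifetime refcounts, and that is the justification to record: `/* statistics only, never used for object lifetime: exempt from PAX_REFCOUNT overflow checking */`. Note that the `- atomic_t moves;` removal is not visible in this rendering, only its `+` replacement on L21144; presumably it was dropped in extraction rather than left as a duplicate member.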
34009 diff -urNp linux-2.6.38.4/fs/ocfs2/suballoc.c linux-2.6.38.4/fs/ocfs2/suballoc.c
34010 --- linux-2.6.38.4/fs/ocfs2/suballoc.c 2011-03-14 21:20:32.000000000 -0400
34011 +++ linux-2.6.38.4/fs/ocfs2/suballoc.c 2011-04-17 15:57:32.000000000 -0400
34012 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
34013 mlog_errno(status);
34016 - atomic_inc(&osb->alloc_stats.bg_extends);
34017 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
34019 /* You should never ask for this much metadata */
34020 BUG_ON(bits_wanted >
34021 @@ -2012,7 +2012,7 @@ int ocfs2_claim_metadata(handle_t *handl
34022 mlog_errno(status);
34025 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
34026 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
34028 *suballoc_loc = res.sr_bg_blkno;
34029 *suballoc_bit_start = res.sr_bit_offset;
34030 @@ -2219,7 +2219,7 @@ int ocfs2_claim_new_inode(handle_t *hand
34031 mlog_errno(status);
34034 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
34035 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
34037 BUG_ON(res.sr_bits != 1);
34039 @@ -2324,7 +2324,7 @@ int __ocfs2_claim_clusters(handle_t *han
34043 - atomic_inc(&osb->alloc_stats.local_data);
34044 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
34046 if (min_clusters > (osb->bitmap_cpg - 1)) {
34047 /* The only paths asking for contiguousness
34048 @@ -2350,7 +2350,7 @@ int __ocfs2_claim_clusters(handle_t *han
34049 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
34051 res.sr_bit_offset);
34052 - atomic_inc(&osb->alloc_stats.bitmap_data);
34053 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
34054 *num_clusters = res.sr_bits;
34057 diff -urNp linux-2.6.38.4/fs/ocfs2/super.c linux-2.6.38.4/fs/ocfs2/super.c
34058 --- linux-2.6.38.4/fs/ocfs2/super.c 2011-03-14 21:20:32.000000000 -0400
34059 +++ linux-2.6.38.4/fs/ocfs2/super.c 2011-04-17 15:57:32.000000000 -0400
34060 @@ -297,11 +297,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
34061 "%10s => GlobalAllocs: %d LocalAllocs: %d "
34062 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
34064 - atomic_read(&osb->alloc_stats.bitmap_data),
34065 - atomic_read(&osb->alloc_stats.local_data),
34066 - atomic_read(&osb->alloc_stats.bg_allocs),
34067 - atomic_read(&osb->alloc_stats.moves),
34068 - atomic_read(&osb->alloc_stats.bg_extends));
34069 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
34070 + atomic_read_unchecked(&osb->alloc_stats.local_data),
34071 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
34072 + atomic_read_unchecked(&osb->alloc_stats.moves),
34073 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
34075 out += snprintf(buf + out, len - out,
34076 "%10s => State: %u Descriptor: %llu Size: %u bits "
34077 @@ -2141,11 +2141,11 @@ static int ocfs2_initialize_super(struct
34078 spin_lock_init(&osb->osb_xattr_lock);
34079 ocfs2_init_steal_slots(osb);
34081 - atomic_set(&osb->alloc_stats.moves, 0);
34082 - atomic_set(&osb->alloc_stats.local_data, 0);
34083 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
34084 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
34085 - atomic_set(&osb->alloc_stats.bg_extends, 0);
34086 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
34087 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
34088 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
34089 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
34090 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
34092 /* Copy the blockcheck stats from the superblock probe */
34093 osb->osb_ecc_stats = *stats;
34094 diff -urNp linux-2.6.38.4/fs/ocfs2/symlink.c linux-2.6.38.4/fs/ocfs2/symlink.c
34095 --- linux-2.6.38.4/fs/ocfs2/symlink.c 2011-03-14 21:20:32.000000000 -0400
34096 +++ linux-2.6.38.4/fs/ocfs2/symlink.c 2011-04-17 15:57:32.000000000 -0400
34097 @@ -148,7 +148,7 @@ bail:
34099 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34101 - char *link = nd_get_link(nd);
34102 + const char *link = nd_get_link(nd);
34106 diff -urNp linux-2.6.38.4/fs/open.c linux-2.6.38.4/fs/open.c
34107 --- linux-2.6.38.4/fs/open.c 2011-03-14 21:20:32.000000000 -0400
34108 +++ linux-2.6.38.4/fs/open.c 2011-04-17 15:57:32.000000000 -0400
34109 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
34110 error = locks_verify_truncate(inode, NULL, length);
34112 error = security_path_truncate(&path);
34114 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
34118 error = do_truncate(path.dentry, length, 0, NULL);
34120 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
34121 if (__mnt_is_readonly(path.mnt))
34124 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
34130 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
34134 + gr_log_chdir(path.dentry, path.mnt);
34136 set_fs_pwd(current->fs, &path);
34139 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
34142 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
34144 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
34148 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
34151 set_fs_pwd(current->fs, &file->f_path);
34153 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
34157 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
34158 + goto dput_and_out;
34160 + if (gr_handle_chroot_caps(&path)) {
34162 + goto dput_and_out;
34165 set_fs_root(current->fs, &path);
34167 + gr_handle_chroot_chdir(&path);
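Review bot: The `goto dput_and_out` on L21242 jumps with whatever value `error` already holds, and the three context lines before L21241 (not shown) are, in 2.6.38's sys_chroot, the tail of the `security_path_chroot()` result check, where `error` is 0 — so unless gr_handle_chroot_chroot() sets something not visible here, a denied chroot returns 0 to userspace while leaving the root unchanged. The caps check on L21243 does assign an errno on its (unshown) next line, so only the first check is affected. Make the denial explicit: `error = -EPERM;` immediately before `if (gr_handle_chroot_chroot(path.dentry, path.mnt))` / `goto dput_and_out;`, or assign the helper's return value if it yields an errno. The rest of sys_chroot lies outside the hunk.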
34172 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
34173 err = mnt_want_write_file(file);
34177 mutex_lock(&inode->i_mutex);
34179 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
34184 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
34187 if (mode == (mode_t) -1)
34188 mode = inode->i_mode;
34190 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
34195 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
34196 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
34197 err = notify_change(dentry, &newattrs);
34198 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
34199 error = mnt_want_write(path.mnt);
34203 mutex_lock(&inode->i_mutex);
34205 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
34210 error = security_path_chmod(path.dentry, path.mnt, mode);
34213 if (mode == (mode_t) -1)
34214 mode = inode->i_mode;
34216 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
34221 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
34222 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
34223 error = notify_change(path.dentry, &newattrs);
34224 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
34226 struct iattr newattrs;
34228 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
34231 newattrs.ia_valid = ATTR_CTIME;
34232 if (user != (uid_t) -1) {
34233 newattrs.ia_valid |= ATTR_UID;
34234 @@ -898,7 +954,10 @@ long do_sys_open(int dfd, const char __u
34235 if (!IS_ERR(tmp)) {
34236 fd = get_unused_fd_flags(flags);
34238 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
34240 + /* don't allow to be set by userland */
34241 + flags &= ~FMODE_GREXEC;
34242 + f = do_filp_open(dfd, tmp, flags, mode, 0);
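Review bot: `flags &= ~FMODE_GREXEC` on L21280 masks an FMODE_* (f_mode) bit out of a value that otherwise holds O_* open flags, so it relies on FMODE_GREXEC's bit position being unused by every O_* flag; the definition is not in view and nothing here ties the two namespaces together. A compile-time assertion next to the definition, or at least a comment here naming the invariant — `/* FMODE_GREXEC deliberately lives in the O_* flag space; it must never alias a user-settable O_ flag */` — would stop a later O_* addition from silently colliding with it. The mask is applied only in do_sys_open; any other path that feeds user-supplied flags into do_filp_open needs the same treatment, though none is visible here, and the moved declaration of `f` is on a line this rendering omits.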
34246 diff -urNp linux-2.6.38.4/fs/partitions/ldm.c linux-2.6.38.4/fs/partitions/ldm.c
34247 --- linux-2.6.38.4/fs/partitions/ldm.c 2011-03-14 21:20:32.000000000 -0400
34248 +++ linux-2.6.38.4/fs/partitions/ldm.c 2011-04-18 19:31:25.000000000 -0400
34249 @@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
34251 BUG_ON (!data || !frags);
34253 + if (size < 2 * VBLK_SIZE_HEAD) {
34254 + ldm_error("Value of size is to small.");
34258 group = get_unaligned_be32(data + 0x08);
34259 rec = get_unaligned_be16(data + 0x0C);
34260 num = get_unaligned_be16(data + 0x0E);
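Review bot: The error text on L21288 has a typo (`to small`) and reports neither the offending value nor the bound, which is exactly what someone debugging a rejected LDM table needs: `ldm_error("VBLK fragment size %d is too small (minimum %d).", size, 2 * VBLK_SIZE_HEAD);`. The `2 * VBLK_SIZE_HEAD` bound itself is correct — one header is stripped before the copy and another is subtracted in the index arithmetic further down — and deserves a one-line comment so it is not "simplified" to a single header later. ldm_frag_add continues below this hunk.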
34261 @@ -1307,13 +1312,18 @@ static bool ldm_frag_add (const u8 *data
34265 + if (rec >= num) {
34266 + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
34270 list_for_each (item, frags) {
34271 f = list_entry (item, struct frag, list);
34272 if (f->group == group)
34276 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
34277 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
34279 ldm_crit ("Out of memory.");
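Review bot: The condition on L21293 is `rec >= num`, but the message on L21294 says `exceeds`, which is wrong for the rec == num case it also rejects; `"REC value (%d) must be less than NUM value (%d)"` matches the test. The same check is what keeps `1 << rec` in range for the `f->map` bit set later, presuming the pre-existing `num` range check (on lines this rendering omits) still precedes it — worth a comment, since `map` is a small integer. The kmalloc operand reorder on L21299 is purely cosmetic.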
34281 @@ -1334,10 +1344,9 @@ found:
34283 f->map |= (1 << rec);
34286 - data += VBLK_SIZE_HEAD;
34287 - size -= VBLK_SIZE_HEAD;
34289 + data += VBLK_SIZE_HEAD;
34290 + size -= VBLK_SIZE_HEAD;
34292 memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
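Review bot: The memcpy on L21307 is the write the new size and rec checks protect, yet nothing at the call site says so, and a reader must re-derive that after `size -= VBLK_SIZE_HEAD` the end offset `rec*(size-VBLK_SIZE_HEAD) + VBLK_SIZE_HEAD + size` fits in the original `size*num` bytes only because `rec < num` and `size >= 2*VBLK_SIZE_HEAD` were enforced earlier in the function. I would add `/* bounded: rec < num and original size >= 2*VBLK_SIZE_HEAD were checked above, so this ends within the size*num bytes allocated for f->data */`. The removed and re-added `data`/`size` adjustments on L21303–L21306 are identical, so the net effect of this hunk is a dropped line that this rendering does not show.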
34295 diff -urNp linux-2.6.38.4/fs/pipe.c linux-2.6.38.4/fs/pipe.c
34296 --- linux-2.6.38.4/fs/pipe.c 2011-03-14 21:20:32.000000000 -0400
34297 +++ linux-2.6.38.4/fs/pipe.c 2011-04-17 15:57:32.000000000 -0400
34298 @@ -420,9 +420,9 @@ redo:
34300 if (bufs) /* More to do? */
34302 - if (!pipe->writers)
34303 + if (!atomic_read(&pipe->writers))
34305 - if (!pipe->waiting_writers) {
34306 + if (!atomic_read(&pipe->waiting_writers)) {
34307 /* syscall merging: Usually we must not sleep
34308 * if O_NONBLOCK is set, or if we got some data.
34309 * But if a writer sleeps in kernel space, then
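Review bot: The readers/writers/waiting_writers fields become atomic_t, yet every update to them in this file still happens under inode->i_mutex (e.g. L21321, L21348), so atomicity is not what the conversion buys; presumably the intent is PAX_REFCOUNT overflow detection on what are reference counts, and that should be stated where the fields are declared (pipe_fs_i.h, outside this excerpt). The one place that does gain something is pipe_poll, whose reads on L21341 and L21346 are lockless and are now well-defined atomic loads. The enclosing pipe_read body extends beyond this hunk.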
34310 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
34311 mutex_lock(&inode->i_mutex);
34312 pipe = inode->i_pipe;
34314 - if (!pipe->readers) {
34315 + if (!atomic_read(&pipe->readers)) {
34316 send_sig(SIGPIPE, current, 0);
34319 @@ -530,7 +530,7 @@ redo1:
34323 - if (!pipe->readers) {
34324 + if (!atomic_read(&pipe->readers)) {
34325 send_sig(SIGPIPE, current, 0);
34328 @@ -616,9 +616,9 @@ redo2:
34329 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
34332 - pipe->waiting_writers++;
34333 + atomic_inc(&pipe->waiting_writers);
34335 - pipe->waiting_writers--;
34336 + atomic_dec(&pipe->waiting_writers);
34339 mutex_unlock(&inode->i_mutex);
34340 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
34342 if (filp->f_mode & FMODE_READ) {
34343 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
34344 - if (!pipe->writers && filp->f_version != pipe->w_counter)
34345 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
34349 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
34350 * Most Unices do not set POLLERR for FIFOs but on Linux they
34351 * behave exactly like pipes for poll().
34353 - if (!pipe->readers)
34354 + if (!atomic_read(&pipe->readers))
34358 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
34360 mutex_lock(&inode->i_mutex);
34361 pipe = inode->i_pipe;
34362 - pipe->readers -= decr;
34363 - pipe->writers -= decw;
34364 + atomic_sub(decr, &pipe->readers);
34365 + atomic_sub(decw, &pipe->writers);
34367 - if (!pipe->readers && !pipe->writers) {
34368 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
34369 free_pipe_info(inode);
34371 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
34372 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
34374 if (inode->i_pipe) {
34376 - inode->i_pipe->readers++;
34377 + atomic_inc(&inode->i_pipe->readers);
34380 mutex_unlock(&inode->i_mutex);
34381 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
34383 if (inode->i_pipe) {
34385 - inode->i_pipe->writers++;
34386 + atomic_inc(&inode->i_pipe->writers);
34389 mutex_unlock(&inode->i_mutex);
34390 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
34391 if (inode->i_pipe) {
34393 if (filp->f_mode & FMODE_READ)
34394 - inode->i_pipe->readers++;
34395 + atomic_inc(&inode->i_pipe->readers);
34396 if (filp->f_mode & FMODE_WRITE)
34397 - inode->i_pipe->writers++;
34398 + atomic_inc(&inode->i_pipe->writers);
34401 mutex_unlock(&inode->i_mutex);
34402 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
34403 inode->i_pipe = NULL;
34406 -static struct vfsmount *pipe_mnt __read_mostly;
34407 +struct vfsmount *pipe_mnt __read_mostly;
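Review bot: L21380 widens pipe_mnt from static to global linkage without naming its consumer, and the matching `extern` declaration is not in this hunk; an undeclared global vfsmount pointer invites ad-hoc `extern` lines in other files. If the out-of-tree user only needs to recognise pipefs inodes, `inode->i_sb->s_magic == PIPEFS_MAGIC` avoids exporting the mount at all; otherwise declare it once in pipe_fs_i.h with `/* pipefs mount; exported for grsecurity's pipe checks, not for general use */` — hedged, since the consumer is not visible here.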
34410 * pipefs_dname() is called from d_path().
34411 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
34413 inode->i_pipe = pipe;
34415 - pipe->readers = pipe->writers = 1;
34416 + atomic_set(&pipe->readers, 1);
34417 + atomic_set(&pipe->writers, 1);
34418 inode->i_fop = &rdwr_pipefifo_fops;
34421 diff -urNp linux-2.6.38.4/fs/proc/array.c linux-2.6.38.4/fs/proc/array.c
34422 --- linux-2.6.38.4/fs/proc/array.c 2011-04-18 17:27:16.000000000 -0400
34423 +++ linux-2.6.38.4/fs/proc/array.c 2011-04-20 18:14:54.000000000 -0400
34425 #include <linux/tty.h>
34426 #include <linux/string.h>
34427 #include <linux/mman.h>
34428 +#include <linux/grsecurity.h>
34429 #include <linux/proc_fs.h>
34430 #include <linux/ioport.h>
34431 #include <linux/uaccess.h>
34432 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
34436 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
34437 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
34440 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
34441 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
34442 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
34443 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
34444 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
34445 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
34447 + seq_printf(m, "PaX:\t-----\n");
34451 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
34452 struct pid *pid, struct task_struct *task)
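Review bot: task_pax dereferences `p->mm` afresh on each of L21402–L21406 without holding a reference; the NULL guard that presumably sits on the unshown line before L21401 reads `p->mm` only once, so a concurrent exit_mm() clearing `p->mm` and dropping the last mm reference between any two of these loads turns a later `p->mm->pax_flags` into a NULL or freed-memory dereference reachable from /proc/<pid>/status. The kernel idiom is get_task_mm()/mmput(), which proc_pid_status itself already uses for task_mem; read the flags once under that reference. The type of pax_flags is not visible here, so match the snapshot's type to the field.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);	/* pins mm against a concurrent exit */

	if (mm) {
		unsigned long pax_flags = mm->pax_flags;	/* snapshot, then drop the ref */

		mmput(mm);
		seq_printf(m, "PaX:\t%c%c%c%c%c\n",
			   pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
			   pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
			   pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
			   pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
			   pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	} else {
		seq_printf(m, "PaX:\t-----\n");
	}
}
```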
34454 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
34455 cpuset_task_status_allowed(m, task);
34456 task_vs_id(m, task);
34457 task_context_switch_counts(m, task);
34459 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
34460 + task_pax(m, task);
34463 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
34464 + task_grsec_rbac(m, task);
34470 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34471 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34472 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34473 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34476 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
34477 struct pid *pid, struct task_struct *task, int whole)
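Review bot: PAX_RAND_FLAGS on L21419–L21421 is a verbatim copy of the macro this patch also adds to fs/proc/base.c (L21476–L21478); two hand-maintained copies of a predicate that decides what /proc reveals about a randomised address space will drift. Move it to a shared header next to the MF_PAX_* flags and fold the two tests into one mask: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. The `_mm != current->mm` clause deliberately lets a process read its own layout; say so in a comment, because it is the part a later reader is most likely to "fix".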
34479 @@ -449,6 +480,19 @@ static int do_task_stat(struct seq_file
34480 gtime = task->gtime;
34483 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34484 + if (PAX_RAND_FLAGS(mm)) {
34490 +#ifdef CONFIG_GRKERNSEC_HIDESYM
34496 /* scale priority and nice values from timeslices to -20..20 */
34497 /* to make it look like a "normal" Unix priority/nice value */
34498 priority = task_prio(task);
34499 @@ -489,9 +533,15 @@ static int do_task_stat(struct seq_file
34501 mm ? get_mm_rss(mm) : 0,
34503 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34504 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
34505 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
34506 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
34508 mm ? (permitted ? mm->start_code : 1) : 0,
34509 mm ? (permitted ? mm->end_code : 1) : 0,
34510 (permitted && mm) ? mm->start_stack : 0,
34514 /* The signal information here is obsolete.
34515 @@ -544,3 +594,18 @@ int proc_pid_statm(struct seq_file *m, s
34520 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
34521 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
34524 + unsigned long flags;
34526 + if (lock_task_sighand(task, &flags)) {
34527 + curr_ip = task->signal->curr_ip;
34528 + unlock_task_sighand(task, &flags);
34531 + return sprintf(buffer, "%pI4\n", &curr_ip);
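Review bot: `curr_ip` is printed on L21449 regardless of whether lock_task_sighand() on L21446 succeeded, and it fails for a task that has already released its signal struct; the variable's declaration is on a line this rendering omits, so either it is zero-initialised there (`__u32 curr_ip = 0;`) or a dying task prints stack garbage. I would make the fallback explicit rather than lean on an initialiser: `if (!lock_task_sighand(task, &flags)) return sprintf(buffer, "0.0.0.0\n");` and only then read and unlock. `%pI4` expects a pointer to four network-order bytes; the type of `task->signal->curr_ip` is not visible to confirm that.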
34534 diff -urNp linux-2.6.38.4/fs/proc/base.c linux-2.6.38.4/fs/proc/base.c
34535 --- linux-2.6.38.4/fs/proc/base.c 2011-04-22 19:20:59.000000000 -0400
34536 +++ linux-2.6.38.4/fs/proc/base.c 2011-04-22 19:21:23.000000000 -0400
34537 @@ -104,6 +104,22 @@ struct pid_entry {
34541 +struct getdents_callback {
34542 + struct linux_dirent __user * current_dir;
34543 + struct linux_dirent __user * previous;
34544 + struct file * file;
34549 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
34550 + loff_t offset, u64 ino, unsigned int d_type)
34552 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
34553 + buf->error = -EINVAL;
34557 #define NOD(NAME, MODE, IOP, FOP, OP) { \
34559 .len = sizeof(NAME) - 1, \
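Review bot: gr_fake_filldir on L21458–L21461 casts the opaque `__buf` to a private copy of fs/readdir.c's `struct getdents_callback` (L21454–L21457) and writes `error` through it, which is only sound when the vfs_readdir caller is sys_getdents with exactly that layout; the copy must be kept in sync with readdir.c by hand (its trailing members are on an unshown line), and any other readdir caller on /proc would get its own buffer struct scribbled on. As far as I recall of fs/readdir.c, the -EINVAL only surfaces when no other entry was emitted in the same call, so its effect is inconsistent anyway; returning 0 without touching the buffer already drops the entry. If the errno really must surface, move the struct to a shared header so there is one definition; at minimum add `/* must mirror struct getdents_callback in fs/readdir.c */` above the copy.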
34560 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
34561 if (task == current)
34564 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
34568 * If current is actively ptrace'ing, and would also be
34569 * permitted to freshly attach with ptrace now, permit it.
34570 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
34572 goto out_mm; /* Shh! No looking before we're done */
34574 + if (gr_acl_handle_procpidmem(task))
34577 len = mm->arg_end - mm->arg_start;
34579 if (len > PAGE_SIZE)
34580 @@ -277,12 +299,28 @@ out:
34584 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34585 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34586 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34587 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34590 static int proc_pid_auxv(struct task_struct *task, char *buffer)
34593 struct mm_struct *mm = get_task_mm(task);
34595 unsigned int nwords = 0;
34597 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34598 + /* allow if we're currently ptracing this task */
34599 + if (PAX_RAND_FLAGS(mm) &&
34600 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
34608 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
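Review bot: `PAX_RAND_FLAGS` uses its `_mm` argument unparenthesized (`_mm != NULL && _mm != current->mm && (_mm->pax_flags & ...`), which works for the plain identifiers passed here but is the usual macro-hygiene gap; `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))` is equivalent and folds the two `&`/`||` tests into one mask. The identical macro is defined again in the fs/proc/task_mmu.c `@@ -204,6 +216,12 @@` hunk; a single definition in fs/proc/internal.h would keep the two from drifting. The lines between the `task->parent != current` check and the `do`/`while` over `saved_auxv` are not shown, so confirm the refusal path releases the `get_task_mm()` reference with `mmput(mm)` before returning. The reads of `task->ptrace` and `task->parent` without `tasklist_lock` look unsynchronized — presumably acceptable as a best-effort gate, but a comment saying so would help.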
34609 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
34613 -#ifdef CONFIG_KALLSYMS
34614 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34616 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
34617 * Returns the resolved symbol. If that fails, simply return the address.
34618 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
34620 #endif /* CONFIG_KALLSYMS */
34622 -#ifdef CONFIG_STACKTRACE
34623 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34625 #define MAX_STACK_TRACE_DEPTH 64
34627 @@ -503,7 +541,7 @@ static int proc_pid_limits(struct task_s
34631 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34632 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34633 static int proc_pid_syscall(struct task_struct *task, char *buffer)
34636 @@ -528,7 +566,7 @@ static int proc_pid_syscall(struct task_
34637 /************************************************************************/
34639 /* permission checks */
34640 -static int proc_fd_access_allowed(struct inode *inode)
34641 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
34643 struct task_struct *task;
34645 @@ -538,7 +576,10 @@ static int proc_fd_access_allowed(struct
34647 task = get_proc_task(inode);
34649 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
34651 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
34653 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
34654 put_task_struct(task);
34657 @@ -917,6 +958,9 @@ static ssize_t environ_read(struct file
34661 + if (gr_acl_handle_procpidmem(task))
34664 if (!ptrace_may_access(task, PTRACE_MODE_READ))
34667 @@ -1606,7 +1650,7 @@ static void *proc_pid_follow_link(struct
34668 path_put(&nd->path);
34670 /* Are we allowed to snoop on the tasks file descriptors? */
34671 - if (!proc_fd_access_allowed(inode))
34672 + if (!proc_fd_access_allowed(inode,0))
34675 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
34676 @@ -1645,8 +1689,18 @@ static int proc_pid_readlink(struct dent
34679 /* Are we allowed to snoop on the tasks file descriptors? */
34680 - if (!proc_fd_access_allowed(inode))
34682 + /* logging this is needed for learning on chromium to work properly,
34683 + but we don't want to flood the logs from 'ps' which does a readlink
34684 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
34685 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
34687 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
34688 + if (!proc_fd_access_allowed(inode,0))
34691 + if (!proc_fd_access_allowed(inode,1))
34695 error = PROC_I(inode)->op.proc_get_link(inode, &path);
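Review bot: The new `log` argument is passed as a bare `0`/`1` at the three call sites (`proc_fd_access_allowed(inode,0)` in the previous hunk and here, and `proc_fd_access_allowed(inode,1)`), which reads as a magic number and also drops the space after the comma that kernel style expects; `proc_fd_access_allowed(inode, 1)` with a `bool log` parameter, or a named constant for the logged case, documents the intent at the point of use. The carve-out keyed on `dentry->d_name.name[0] == '2'` is explained by the comment above it, but adding that this is fd 2 (stderr) of the target task would save the next reader a lookup. proc_pid_readlink's body continues beyond this hunk.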
34697 @@ -1712,7 +1766,11 @@ static struct inode *proc_pid_make_inode
34699 cred = __task_cred(task);
34700 inode->i_uid = cred->euid;
34701 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34702 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34704 inode->i_gid = cred->egid;
34708 security_task_to_inode(task, inode);
34709 @@ -1730,6 +1788,9 @@ static int pid_getattr(struct vfsmount *
34710 struct inode *inode = dentry->d_inode;
34711 struct task_struct *task;
34712 const struct cred *cred;
34713 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34714 + const struct cred *tmpcred = current_cred();
34717 generic_fillattr(inode, stat);
34719 @@ -1737,12 +1798,34 @@ static int pid_getattr(struct vfsmount *
34722 task = pid_task(proc_pid(inode), PIDTYPE_PID);
34724 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
34725 + rcu_read_unlock();
34730 + cred = __task_cred(task);
34731 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34732 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
34733 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34734 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
34738 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
34739 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34740 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
34741 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34742 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
34744 task_dumpable(task)) {
34745 - cred = __task_cred(task);
34746 stat->uid = cred->euid;
34747 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34748 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
34750 stat->gid = cred->egid;
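Review bot: The ownership test compares `tmpcred->uid` against `cred->uid` (real uids), yet the attributes then reported are `cred->euid`/`egid`, and the sibling check in the fs/proc/proc_net.c hunk uses `cred->fsuid`; the same real-uid comparison recurs in the `proc_pid_readdir` hunk (`tmpcred->uid && (itercred->uid != tmpcred->uid)`). Picking one credential field for all three — fsuid is the conventional one for filesystem access decisions — and documenting it avoids a set-uid or `setfsuid()` process seeing different answers from `stat()` and `readdir()`. The `!tmpcred->uid` short-circuit is a hard-coded uid-0 bypass rather than a capability test; if that is deliberate, a one-line comment at the `#if defined(CONFIG_GRKERNSEC_PROC_USER) ...` line would record it. The lines closing the chrooted/hidden-task branch after `rcu_read_unlock()` are not shown in this view.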
34755 @@ -1780,11 +1863,20 @@ static int pid_revalidate(struct dentry
34758 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
34759 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34760 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
34761 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34762 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
34764 task_dumpable(task)) {
34766 cred = __task_cred(task);
34767 inode->i_uid = cred->euid;
34768 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34769 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34771 inode->i_gid = cred->egid;
34776 @@ -1905,7 +1997,8 @@ static int proc_fd_info(struct inode *in
34777 int fd = proc_fd(inode);
34780 - files = get_files_struct(task);
34781 + if (!gr_acl_handle_procpidmem(task))
34782 + files = get_files_struct(task);
34783 put_task_struct(task);
34786 @@ -2165,15 +2258,25 @@ static const struct file_operations proc
34788 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
34790 + struct task_struct *task;
34793 if (flags & IPERM_FLAG_RCU)
34795 rv = generic_permission(inode, mask, flags, NULL);
34799 if (task_pid(current) == proc_pid(inode))
34802 + task = get_proc_task(inode);
34803 + if (task == NULL)
34806 + if (gr_acl_handle_procpidmem(task))
34809 + put_task_struct(task);
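Review bot: The statements between `if (gr_acl_handle_procpidmem(task))` and `put_task_struct(task)` are not visible here, so it is worth confirming that the denial path assigns `rv` and falls through to `put_task_struct(task)` rather than returning directly — a bare `return -EACCES;` there would leak the reference taken by `get_proc_task(inode)`. The `task == NULL` branch needs no put, but its return line is likewise outside this view. proc_fd_permission's closing lines fall beyond the hunk.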
34814 @@ -2283,6 +2386,9 @@ static struct dentry *proc_pident_lookup
34818 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34822 * Yes, it does not scale. And it should not. Don't add
34823 * new entries into /proc/<tgid>/ without very good reasons.
34824 @@ -2327,6 +2433,9 @@ static int proc_pident_readdir(struct fi
34828 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34834 @@ -2597,7 +2706,7 @@ static void *proc_self_follow_link(struc
34835 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
34838 - char *s = nd_get_link(nd);
34839 + const char *s = nd_get_link(nd);
34843 @@ -2777,7 +2886,7 @@ static const struct pid_entry tgid_base_
34844 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
34846 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
34847 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34848 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34849 INF("syscall", S_IRUSR, proc_pid_syscall),
34851 INF("cmdline", S_IRUGO, proc_pid_cmdline),
34852 @@ -2802,10 +2911,10 @@ static const struct pid_entry tgid_base_
34853 #ifdef CONFIG_SECURITY
34854 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
34856 -#ifdef CONFIG_KALLSYMS
34857 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34858 INF("wchan", S_IRUGO, proc_pid_wchan),
34860 -#ifdef CONFIG_STACKTRACE
34861 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34862 ONE("stack", S_IRUSR, proc_pid_stack),
34864 #ifdef CONFIG_SCHEDSTATS
34865 @@ -2836,6 +2945,9 @@ static const struct pid_entry tgid_base_
34866 INF("io", S_IRUGO, proc_tgid_io_accounting),
34868 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
34869 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
34870 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
34874 static int proc_tgid_base_readdir(struct file * filp,
34875 @@ -2961,7 +3073,14 @@ static struct dentry *proc_pid_instantia
34879 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34880 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
34881 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34882 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34883 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
34885 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
34887 inode->i_op = &proc_tgid_base_inode_operations;
34888 inode->i_fop = &proc_tgid_base_operations;
34889 inode->i_flags|=S_IMMUTABLE;
34890 @@ -3003,7 +3122,11 @@ struct dentry *proc_pid_lookup(struct in
34894 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34895 + goto out_put_task;
34897 result = proc_pid_instantiate(dir, dentry, task, NULL);
34899 put_task_struct(task);
34902 @@ -3068,6 +3191,11 @@ int proc_pid_readdir(struct file * filp,
34905 struct task_struct *reaper;
34906 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34907 + const struct cred *tmpcred = current_cred();
34908 + const struct cred *itercred;
34910 + filldir_t __filldir = filldir;
34911 struct tgid_iter iter;
34912 struct pid_namespace *ns;
34914 @@ -3091,8 +3219,27 @@ int proc_pid_readdir(struct file * filp,
34915 for (iter = next_tgid(ns, iter);
34917 iter.tgid += 1, iter = next_tgid(ns, iter)) {
34918 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34920 + itercred = __task_cred(iter.task);
34922 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
34923 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34924 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
34925 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34926 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
34931 + __filldir = &gr_fake_filldir;
34933 + __filldir = filldir;
34934 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34935 + rcu_read_unlock();
34937 filp->f_pos = iter.tgid + TGID_OFFSET;
34938 if (!vx_proc_task_visible(iter.task))
34940 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
34941 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
34942 put_task_struct(iter.task);
34943 @@ -3119,7 +3266,7 @@ static const struct pid_entry tid_base_s
34944 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
34946 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
34947 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34948 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34949 INF("syscall", S_IRUSR, proc_pid_syscall),
34951 INF("cmdline", S_IRUGO, proc_pid_cmdline),
34952 @@ -3143,10 +3290,10 @@ static const struct pid_entry tid_base_s
34953 #ifdef CONFIG_SECURITY
34954 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
34956 -#ifdef CONFIG_KALLSYMS
34957 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34958 INF("wchan", S_IRUGO, proc_pid_wchan),
34960 -#ifdef CONFIG_STACKTRACE
34961 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34962 ONE("stack", S_IRUSR, proc_pid_stack),
34964 #ifdef CONFIG_SCHEDSTATS
34965 diff -urNp linux-2.6.38.4/fs/proc/cmdline.c linux-2.6.38.4/fs/proc/cmdline.c
34966 --- linux-2.6.38.4/fs/proc/cmdline.c 2011-03-14 21:20:32.000000000 -0400
34967 +++ linux-2.6.38.4/fs/proc/cmdline.c 2011-04-17 15:57:32.000000000 -0400
34968 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
34970 static int __init proc_cmdline_init(void)
34972 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34973 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
34975 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
34979 module_init(proc_cmdline_init);
34980 diff -urNp linux-2.6.38.4/fs/proc/devices.c linux-2.6.38.4/fs/proc/devices.c
34981 --- linux-2.6.38.4/fs/proc/devices.c 2011-03-14 21:20:32.000000000 -0400
34982 +++ linux-2.6.38.4/fs/proc/devices.c 2011-04-17 15:57:32.000000000 -0400
34983 @@ -64,7 +64,11 @@ static const struct file_operations proc
34985 static int __init proc_devices_init(void)
34987 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34988 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
34990 proc_create("devices", 0, NULL, &proc_devinfo_operations);
34994 module_init(proc_devices_init);
34995 diff -urNp linux-2.6.38.4/fs/proc/inode.c linux-2.6.38.4/fs/proc/inode.c
34996 --- linux-2.6.38.4/fs/proc/inode.c 2011-03-14 21:20:32.000000000 -0400
34997 +++ linux-2.6.38.4/fs/proc/inode.c 2011-04-17 15:57:32.000000000 -0400
34998 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
35000 inode->i_mode = de->mode;
35001 inode->i_uid = de->uid;
35002 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
35003 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
35005 inode->i_gid = de->gid;
35009 inode->i_size = de->size;
35010 diff -urNp linux-2.6.38.4/fs/proc/internal.h linux-2.6.38.4/fs/proc/internal.h
35011 --- linux-2.6.38.4/fs/proc/internal.h 2011-03-14 21:20:32.000000000 -0400
35012 +++ linux-2.6.38.4/fs/proc/internal.h 2011-04-17 15:57:32.000000000 -0400
35013 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
35014 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
35015 struct pid *pid, struct task_struct *task);
35017 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
35018 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
35020 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
35022 extern const struct file_operations proc_maps_operations;
35023 diff -urNp linux-2.6.38.4/fs/proc/Kconfig linux-2.6.38.4/fs/proc/Kconfig
35024 --- linux-2.6.38.4/fs/proc/Kconfig 2011-03-14 21:20:32.000000000 -0400
35025 +++ linux-2.6.38.4/fs/proc/Kconfig 2011-04-17 15:57:32.000000000 -0400
35026 @@ -30,12 +30,12 @@ config PROC_FS
35029 bool "/proc/kcore support" if !ARM
35030 - depends on PROC_FS && MMU
35031 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
35034 bool "/proc/vmcore support"
35035 - depends on PROC_FS && CRASH_DUMP
35037 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
35040 Exports the dump image of crashed kernel in ELF format.
35042 @@ -59,8 +59,8 @@ config PROC_SYSCTL
35045 config PROC_PAGE_MONITOR
35047 - depends on PROC_FS && MMU
35049 + depends on PROC_FS && MMU && !GRKERNSEC
35050 bool "Enable /proc page monitoring" if EXPERT
35052 Various /proc files exist to monitor process memory utilization:
35053 diff -urNp linux-2.6.38.4/fs/proc/kcore.c linux-2.6.38.4/fs/proc/kcore.c
35054 --- linux-2.6.38.4/fs/proc/kcore.c 2011-03-14 21:20:32.000000000 -0400
35055 +++ linux-2.6.38.4/fs/proc/kcore.c 2011-04-17 15:57:32.000000000 -0400
35056 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
35057 * the addresses in the elf_phdr on our list.
35059 start = kc_offset_to_vaddr(*fpos - elf_buflen);
35060 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
35061 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
35062 + if (tsz > buflen)
35067 struct kcore_list *m;
35069 @@ -509,20 +510,23 @@ read_kcore(struct file *file, char __use
35072 if (kern_addr_valid(start)) {
35075 + mm_segment_t oldfs;
35077 - n = copy_to_user(buffer, (char *)start, tsz);
35079 - * We cannot distingush between fault on source
35080 - * and fault on destination. When this happens
35081 - * we clear too and hope it will trigger the
35085 - if (clear_user(buffer + tsz - n,
35087 + elf_buf = kmalloc(tsz, GFP_KERNEL);
35090 + oldfs = get_fs();
35091 + set_fs(KERNEL_DS);
35092 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
35094 + if (copy_to_user(buffer, elf_buf, tsz)) {
35102 if (clear_user(buffer, tsz))
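Review bot: The `set_fs(KERNEL_DS)` window should close right after the one `__copy_from_user()` that needs it, but the `set_fs(oldfs)` restore is on a line not shown, and `copy_to_user(buffer, elf_buf, tsz)` is nested inside the `if (!__copy_from_user(...))` block; if the restore comes after that call, the user-side copy runs with the address limit still widened, which is exactly the window a bounce buffer is meant to keep minimal. Placing `set_fs(oldfs);` immediately after the `__copy_from_user` line, before the `copy_to_user`, makes the ordering obvious to a reader. The check of the `elf_buf = kmalloc(tsz, GFP_KERNEL)` result and the matching `kfree(elf_buf)` on every path (including the `clear_user` branch) are also outside this view and should be confirmed. read_kcore's loop body continues past this hunk.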
35104 @@ -542,6 +546,9 @@ read_kcore(struct file *file, char __use
35106 static int open_kcore(struct inode *inode, struct file *filp)
35108 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
35111 if (!capable(CAP_SYS_RAWIO))
35113 if (kcore_need_update)
35114 diff -urNp linux-2.6.38.4/fs/proc/meminfo.c linux-2.6.38.4/fs/proc/meminfo.c
35115 --- linux-2.6.38.4/fs/proc/meminfo.c 2011-03-14 21:20:32.000000000 -0400
35116 +++ linux-2.6.38.4/fs/proc/meminfo.c 2011-04-17 15:57:32.000000000 -0400
35117 @@ -157,7 +157,7 @@ static int meminfo_proc_show(struct seq_
35119 vmi.largest_chunk >> 10
35120 #ifdef CONFIG_MEMORY_FAILURE
35121 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
35122 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
35124 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
35125 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
35126 diff -urNp linux-2.6.38.4/fs/proc/nommu.c linux-2.6.38.4/fs/proc/nommu.c
35127 --- linux-2.6.38.4/fs/proc/nommu.c 2011-03-14 21:20:32.000000000 -0400
35128 +++ linux-2.6.38.4/fs/proc/nommu.c 2011-04-17 15:57:32.000000000 -0400
35129 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
35132 seq_printf(m, "%*c", len, ' ');
35133 - seq_path(m, &file->f_path, "");
35134 + seq_path(m, &file->f_path, "\n\\");
35138 diff -urNp linux-2.6.38.4/fs/proc/proc_net.c linux-2.6.38.4/fs/proc/proc_net.c
35139 --- linux-2.6.38.4/fs/proc/proc_net.c 2011-03-14 21:20:32.000000000 -0400
35140 +++ linux-2.6.38.4/fs/proc/proc_net.c 2011-04-17 15:57:32.000000000 -0400
35141 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
35142 struct task_struct *task;
35143 struct nsproxy *ns;
35144 struct net *net = NULL;
35145 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35146 + const struct cred *cred = current_cred();
35149 +#ifdef CONFIG_GRKERNSEC_PROC_USER
35152 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35153 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
35158 task = pid_task(proc_pid(dir), PIDTYPE_PID);
35159 diff -urNp linux-2.6.38.4/fs/proc/proc_sysctl.c linux-2.6.38.4/fs/proc/proc_sysctl.c
35160 --- linux-2.6.38.4/fs/proc/proc_sysctl.c 2011-03-14 21:20:32.000000000 -0400
35161 +++ linux-2.6.38.4/fs/proc/proc_sysctl.c 2011-04-17 15:57:32.000000000 -0400
35163 #include <linux/namei.h>
35164 #include "internal.h"
35166 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
35168 static const struct dentry_operations proc_sys_dentry_operations;
35169 static const struct file_operations proc_sys_file_operations;
35170 static const struct inode_operations proc_sys_inode_operations;
35171 @@ -112,6 +114,9 @@ static struct dentry *proc_sys_lookup(st
35175 + if (gr_handle_sysctl(p, MAY_EXEC))
35178 err = ERR_PTR(-ENOMEM);
35179 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
35181 @@ -231,6 +236,9 @@ static int scan(struct ctl_table_header
35182 if (*pos < file->f_pos)
35185 + if (gr_handle_sysctl(table, 0))
35188 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
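Review bot: `gr_handle_sysctl(table, 0)` passes a bare `0` as the `op` argument while the lookup and getattr hunks pass `MAY_EXEC`; a named value, or a comment such as `/* op 0: visibility check only, no access mode */` at this call, would make the intended distinction readable without opening the callee. The `extern __u32 gr_handle_sysctl(...)` prototype is placed in this .c file rather than a header, so the three callers and the definition can drift apart silently; fs/proc/internal.h or the grsecurity headers would be the usual home. scan()'s body continues outside the hunk.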
35191 @@ -359,6 +367,9 @@ static int proc_sys_getattr(struct vfsmo
35193 return PTR_ERR(head);
35195 + if (table && gr_handle_sysctl(table, MAY_EXEC))
35198 generic_fillattr(inode, stat);
35200 stat->mode = (stat->mode & S_IFMT) | table->mode;
35201 diff -urNp linux-2.6.38.4/fs/proc/root.c linux-2.6.38.4/fs/proc/root.c
35202 --- linux-2.6.38.4/fs/proc/root.c 2011-03-14 21:20:32.000000000 -0400
35203 +++ linux-2.6.38.4/fs/proc/root.c 2011-04-17 15:57:32.000000000 -0400
35204 @@ -132,7 +132,15 @@ void __init proc_root_init(void)
35205 #ifdef CONFIG_PROC_DEVICETREE
35206 proc_device_tree_init();
35208 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
35209 +#ifdef CONFIG_GRKERNSEC_PROC_USER
35210 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
35211 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35212 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
35215 proc_mkdir("bus", NULL);
35220 diff -urNp linux-2.6.38.4/fs/proc/task_mmu.c linux-2.6.38.4/fs/proc/task_mmu.c
35221 --- linux-2.6.38.4/fs/proc/task_mmu.c 2011-04-18 17:27:16.000000000 -0400
35222 +++ linux-2.6.38.4/fs/proc/task_mmu.c 2011-04-18 19:35:47.000000000 -0400
35223 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
35224 "VmExe:\t%8lu kB\n"
35225 "VmLib:\t%8lu kB\n"
35226 "VmPTE:\t%8lu kB\n"
35227 - "VmSwap:\t%8lu kB\n",
35228 - hiwater_vm << (PAGE_SHIFT-10),
35229 + "VmSwap:\t%8lu kB\n"
35231 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
35232 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
35235 + ,hiwater_vm << (PAGE_SHIFT-10),
35236 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
35237 mm->locked_vm << (PAGE_SHIFT-10),
35238 hiwater_rss << (PAGE_SHIFT-10),
35239 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
35240 data << (PAGE_SHIFT-10),
35241 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
35242 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
35243 - swap << (PAGE_SHIFT-10));
35244 + swap << (PAGE_SHIFT-10)
35246 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
35247 + , mm->context.user_cs_base, mm->context.user_cs_limit
35253 unsigned long task_vsize(struct mm_struct *mm)
35254 @@ -180,7 +191,8 @@ static void m_stop(struct seq_file *m, v
35255 struct proc_maps_private *priv = m->private;
35256 struct vm_area_struct *vma = v;
35258 - vma_stop(priv, vma);
35259 + if (!IS_ERR(vma))
35260 + vma_stop(priv, vma);
35262 put_task_struct(priv->task);
35264 @@ -204,6 +216,12 @@ static int do_maps_open(struct inode *in
35268 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35269 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
35270 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
35271 + _mm->pax_flags & MF_PAX_SEGMEXEC))
35274 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
35276 struct mm_struct *mm = vma->vm_mm;
35277 @@ -211,7 +229,6 @@ static void show_map_vma(struct seq_file
35278 int flags = vma->vm_flags;
35279 unsigned long ino = 0;
35280 unsigned long long pgoff = 0;
35281 - unsigned long start;
35285 @@ -222,20 +239,23 @@ static void show_map_vma(struct seq_file
35286 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
35289 - /* We don't show the stack guard page in /proc/maps */
35290 - start = vma->vm_start;
35291 - if (vma->vm_flags & VM_GROWSDOWN)
35292 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
35293 - start += PAGE_SIZE;
35295 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
35297 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35298 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
35299 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
35304 flags & VM_READ ? 'r' : '-',
35305 flags & VM_WRITE ? 'w' : '-',
35306 flags & VM_EXEC ? 'x' : '-',
35307 flags & VM_MAYSHARE ? 's' : 'p',
35308 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35309 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
35313 MAJOR(dev), MINOR(dev), ino, &len);
35316 @@ -244,16 +264,16 @@ static void show_map_vma(struct seq_file
35319 pad_len_spaces(m, len);
35320 - seq_path(m, &file->f_path, "\n");
35321 + seq_path(m, &file->f_path, "\n\\");
35323 const char *name = arch_vma_name(vma);
35326 - if (vma->vm_start <= mm->brk &&
35327 - vma->vm_end >= mm->start_brk) {
35328 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
35330 - } else if (vma->vm_start <= mm->start_stack &&
35331 - vma->vm_end >= mm->start_stack) {
35332 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
35333 + (vma->vm_start <= mm->start_stack &&
35334 + vma->vm_end >= mm->start_stack)) {
35338 @@ -399,11 +419,16 @@ static int show_smap(struct seq_file *m,
35341 memset(&mss, 0, sizeof mss);
35343 - /* mmap_sem is held in m_start */
35344 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
35345 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
35347 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35348 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
35351 + /* mmap_sem is held in m_start */
35352 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
35353 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
35354 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35357 show_map_vma(m, vma);
35360 @@ -420,7 +445,11 @@ static int show_smap(struct seq_file *m,
35361 "KernelPageSize: %8lu kB\n"
35362 "MMUPageSize: %8lu kB\n"
35363 "Locked: %8lu kB\n",
35364 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35365 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
35367 (vma->vm_end - vma->vm_start) >> 10,
35369 mss.resident >> 10,
35370 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
35371 mss.shared_clean >> 10,
35372 diff -urNp linux-2.6.38.4/fs/proc/task_nommu.c linux-2.6.38.4/fs/proc/task_nommu.c
35373 --- linux-2.6.38.4/fs/proc/task_nommu.c 2011-03-14 21:20:32.000000000 -0400
35374 +++ linux-2.6.38.4/fs/proc/task_nommu.c 2011-04-17 15:57:32.000000000 -0400
35375 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
35377 bytes += kobjsize(mm);
35379 - if (current->fs && current->fs->users > 1)
35380 + if (current->fs && atomic_read(¤t->fs->users) > 1)
35381 sbytes += kobjsize(current->fs);
35383 bytes += kobjsize(current->fs);
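Review bot: The new line renders here as `atomic_read(¤t->fs->users)`, where `¤` is the HTML entity `&curren;` having swallowed the `&` of `&current`; the patch itself presumably reads `atomic_read(&current->fs->users)`, but anyone copying from this page would get a compile error, so the line is worth checking against the raw patch. The change to read `fs->users` through `atomic_read` is consistent with that field being an `atomic_t` in this tree, though the type change itself is not visible here. task_mem's body continues outside this hunk.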
35384 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
35387 pad_len_spaces(m, len);
35388 - seq_path(m, &file->f_path, "");
35389 + seq_path(m, &file->f_path, "\n\\");
35391 if (vma->vm_start <= mm->start_stack &&
35392 vma->vm_end >= mm->start_stack) {
35393 diff -urNp linux-2.6.38.4/fs/readdir.c linux-2.6.38.4/fs/readdir.c
35394 --- linux-2.6.38.4/fs/readdir.c 2011-03-14 21:20:32.000000000 -0400
35395 +++ linux-2.6.38.4/fs/readdir.c 2011-04-17 15:57:32.000000000 -0400
35397 #include <linux/security.h>
35398 #include <linux/syscalls.h>
35399 #include <linux/unistd.h>
35400 +#include <linux/namei.h>
35402 #include <asm/uaccess.h>
35404 @@ -67,6 +68,7 @@ struct old_linux_dirent {
35406 struct readdir_callback {
35407 struct old_linux_dirent __user * dirent;
35408 + struct file * file;
35412 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
35413 buf->result = -EOVERFLOW;
35417 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
35421 dirent = buf->dirent;
35422 if (!access_ok(VERIFY_WRITE, dirent,
35423 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
35426 buf.dirent = dirent;
35429 error = vfs_readdir(file, fillonedir, &buf);
35431 @@ -142,6 +149,7 @@ struct linux_dirent {
35432 struct getdents_callback {
35433 struct linux_dirent __user * current_dir;
35434 struct linux_dirent __user * previous;
35435 + struct file * file;
35439 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
35440 buf->error = -EOVERFLOW;
35444 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
35447 dirent = buf->previous;
35449 if (__put_user(offset, &dirent->d_off))
35450 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
35451 buf.previous = NULL;
35456 error = vfs_readdir(file, filldir, &buf);
35458 @@ -229,6 +242,7 @@ out:
35459 struct getdents_callback64 {
35460 struct linux_dirent64 __user * current_dir;
35461 struct linux_dirent64 __user * previous;
35462 + struct file *file;
35466 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
35467 buf->error = -EINVAL; /* only used if we fail.. */
35468 if (reclen > buf->count)
35471 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
35474 dirent = buf->previous;
35476 if (__put_user(offset, &dirent->d_off))
35477 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
35479 buf.current_dir = dirent;
35480 buf.previous = NULL;
35485 diff -urNp linux-2.6.38.4/fs/reiserfs/do_balan.c linux-2.6.38.4/fs/reiserfs/do_balan.c
35486 --- linux-2.6.38.4/fs/reiserfs/do_balan.c 2011-03-14 21:20:32.000000000 -0400
35487 +++ linux-2.6.38.4/fs/reiserfs/do_balan.c 2011-04-17 15:57:32.000000000 -0400
35488 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
35492 - atomic_inc(&(fs_generation(tb->tb_sb)));
35493 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
35494 do_balance_starts(tb);
35496 /* balance leaf returns 0 except if combining L R and S into
35497 diff -urNp linux-2.6.38.4/fs/reiserfs/item_ops.c linux-2.6.38.4/fs/reiserfs/item_ops.c
35498 --- linux-2.6.38.4/fs/reiserfs/item_ops.c 2011-03-14 21:20:32.000000000 -0400
35499 +++ linux-2.6.38.4/fs/reiserfs/item_ops.c 2011-04-17 15:57:32.000000000 -0400
35500 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
35501 vi->vi_index, vi->vi_type, vi->vi_ih);
35504 -static struct item_operations stat_data_ops = {
35505 +static const struct item_operations stat_data_ops = {
35506 .bytes_number = sd_bytes_number,
35507 .decrement_key = sd_decrement_key,
35508 .is_left_mergeable = sd_is_left_mergeable,
35509 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
35510 vi->vi_index, vi->vi_type, vi->vi_ih);
35513 -static struct item_operations direct_ops = {
35514 +static const struct item_operations direct_ops = {
35515 .bytes_number = direct_bytes_number,
35516 .decrement_key = direct_decrement_key,
35517 .is_left_mergeable = direct_is_left_mergeable,
35518 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
35519 vi->vi_index, vi->vi_type, vi->vi_ih);
35522 -static struct item_operations indirect_ops = {
35523 +static const struct item_operations indirect_ops = {
35524 .bytes_number = indirect_bytes_number,
35525 .decrement_key = indirect_decrement_key,
35526 .is_left_mergeable = indirect_is_left_mergeable,
35527 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
35531 -static struct item_operations direntry_ops = {
35532 +static const struct item_operations direntry_ops = {
35533 .bytes_number = direntry_bytes_number,
35534 .decrement_key = direntry_decrement_key,
35535 .is_left_mergeable = direntry_is_left_mergeable,
35536 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
35537 "Invalid item type observed, run fsck ASAP");
35540 -static struct item_operations errcatch_ops = {
35541 +static const struct item_operations errcatch_ops = {
35542 errcatch_bytes_number,
35543 errcatch_decrement_key,
35544 errcatch_is_left_mergeable,
35545 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
35546 #error Item types must use disk-format assigned values.
35549 -struct item_operations *item_ops[TYPE_ANY + 1] = {
35550 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
35554 diff -urNp linux-2.6.38.4/fs/reiserfs/procfs.c linux-2.6.38.4/fs/reiserfs/procfs.c
35555 --- linux-2.6.38.4/fs/reiserfs/procfs.c 2011-03-14 21:20:32.000000000 -0400
35556 +++ linux-2.6.38.4/fs/reiserfs/procfs.c 2011-04-17 15:57:32.000000000 -0400
35557 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
35558 "SMALL_TAILS " : "NO_TAILS ",
35559 replay_only(sb) ? "REPLAY_ONLY " : "",
35560 convert_reiserfs(sb) ? "CONV " : "",
35561 - atomic_read(&r->s_generation_counter),
35562 + atomic_read_unchecked(&r->s_generation_counter),
35563 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
35564 SF(s_do_balance), SF(s_unneeded_left_neighbor),
35565 SF(s_good_search_by_key_reada), SF(s_bmaps),
35566 diff -urNp linux-2.6.38.4/fs/select.c linux-2.6.38.4/fs/select.c
35567 --- linux-2.6.38.4/fs/select.c 2011-03-14 21:20:32.000000000 -0400
35568 +++ linux-2.6.38.4/fs/select.c 2011-04-17 15:57:32.000000000 -0400
35570 #include <linux/module.h>
35571 #include <linux/slab.h>
35572 #include <linux/poll.h>
35573 +#include <linux/security.h>
35574 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
35575 #include <linux/file.h>
35576 #include <linux/fdtable.h>
35577 @@ -840,6 +841,7 @@ int do_sys_poll(struct pollfd __user *uf
35578 struct poll_list *walk = head;
35579 unsigned long todo = nfds;
35581 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
35582 if (nfds > rlimit(RLIMIT_NOFILE))
35585 diff -urNp linux-2.6.38.4/fs/seq_file.c linux-2.6.38.4/fs/seq_file.c
35586 --- linux-2.6.38.4/fs/seq_file.c 2011-03-14 21:20:32.000000000 -0400
35587 +++ linux-2.6.38.4/fs/seq_file.c 2011-04-17 15:57:32.000000000 -0400
35588 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
35592 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
35593 + m->size = PAGE_SIZE;
35594 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
35598 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
35602 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
35604 + m->buf = kmalloc(m->size, GFP_KERNEL);
35605 return !m->buf ? -ENOMEM : -EAGAIN;
35608 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
35609 m->version = file->f_version;
35610 /* grab buffer if we didn't have one */
35612 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
35613 + m->size = PAGE_SIZE;
35614 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
35618 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
35622 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
35624 + m->buf = kmalloc(m->size, GFP_KERNEL);
35628 diff -urNp linux-2.6.38.4/fs/splice.c linux-2.6.38.4/fs/splice.c
35629 --- linux-2.6.38.4/fs/splice.c 2011-03-14 21:20:32.000000000 -0400
35630 +++ linux-2.6.38.4/fs/splice.c 2011-04-17 15:57:32.000000000 -0400
35631 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
35635 - if (!pipe->readers) {
35636 + if (!atomic_read(&pipe->readers)) {
35637 send_sig(SIGPIPE, current, 0);
35640 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
35644 - pipe->waiting_writers++;
35645 + atomic_inc(&pipe->waiting_writers);
35647 - pipe->waiting_writers--;
35648 + atomic_dec(&pipe->waiting_writers);
35652 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
35655 /* The cast to a user pointer is valid due to the set_fs() */
35656 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
35657 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
35661 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
35664 /* The cast to a user pointer is valid due to the set_fs() */
35665 - res = vfs_write(file, (const char __user *)buf, count, &pos);
35666 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
35670 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
35673 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
35674 - vec[i].iov_base = (void __user *) page_address(page);
35675 + vec[i].iov_base = (__force void __user *) page_address(page);
35676 vec[i].iov_len = this_len;
35677 spd.pages[i] = page;
35679 @@ -842,10 +842,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
35680 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
35682 while (!pipe->nrbufs) {
35683 - if (!pipe->writers)
35684 + if (!atomic_read(&pipe->writers))
35687 - if (!pipe->waiting_writers && sd->num_spliced)
35688 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
35691 if (sd->flags & SPLICE_F_NONBLOCK)
35692 @@ -1178,7 +1178,7 @@ ssize_t splice_direct_to_actor(struct fi
35693 * out of the pipe right after the splice_to_pipe(). So set
35694 * PIPE_READERS appropriately.
35696 - pipe->readers = 1;
35697 + atomic_set(&pipe->readers, 1);
35699 current->splice_pipe = pipe;
35701 @@ -1730,9 +1730,9 @@ static int ipipe_prep(struct pipe_inode_
35702 ret = -ERESTARTSYS;
35705 - if (!pipe->writers)
35706 + if (!atomic_read(&pipe->writers))
35708 - if (!pipe->waiting_writers) {
35709 + if (!atomic_read(&pipe->waiting_writers)) {
35710 if (flags & SPLICE_F_NONBLOCK) {
35713 @@ -1764,7 +1764,7 @@ static int opipe_prep(struct pipe_inode_
35716 while (pipe->nrbufs >= pipe->buffers) {
35717 - if (!pipe->readers) {
35718 + if (!atomic_read(&pipe->readers)) {
35719 send_sig(SIGPIPE, current, 0);
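Review bot: Converting `pipe->readers` to `atomic_read(&pipe->readers)` here (and `writers`/`waiting_writers` in the other splice.c hunks above) does not make these checks lock-free: the `pipe->nrbufs >= pipe->buffers` test on the preceding line is still a plain read, so the code continues to rely on the pipe mutex that the surrounding pipe_lock/pipe_double_lock calls take. That is fine, but a reader could mistake atomic_t for a synchronisation change; presumably it is a type-hardening change (refcount/overflow checking), so a comment at the counter declarations saying `/* atomic_t for hardening only; still protected by pipe->mutex */` would prevent someone from dropping the lock later. The declarations themselves are in a different file and outside this diff view.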
35722 @@ -1777,9 +1777,9 @@ static int opipe_prep(struct pipe_inode_
35723 ret = -ERESTARTSYS;
35726 - pipe->waiting_writers++;
35727 + atomic_inc(&pipe->waiting_writers);
35729 - pipe->waiting_writers--;
35730 + atomic_dec(&pipe->waiting_writers);
35734 @@ -1815,14 +1815,14 @@ retry:
35735 pipe_double_lock(ipipe, opipe);
35738 - if (!opipe->readers) {
35739 + if (!atomic_read(&opipe->readers)) {
35740 send_sig(SIGPIPE, current, 0);
35746 - if (!ipipe->nrbufs && !ipipe->writers)
35747 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
35751 @@ -1922,7 +1922,7 @@ static int link_pipe(struct pipe_inode_i
35752 pipe_double_lock(ipipe, opipe);
35755 - if (!opipe->readers) {
35756 + if (!atomic_read(&opipe->readers)) {
35757 send_sig(SIGPIPE, current, 0);
35760 @@ -1967,7 +1967,7 @@ static int link_pipe(struct pipe_inode_i
35761 * return EAGAIN if we have the potential of some data in the
35762 * future, otherwise just return 0
35764 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
35765 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
35768 pipe_unlock(ipipe);
35769 diff -urNp linux-2.6.38.4/fs/sysfs/mount.c linux-2.6.38.4/fs/sysfs/mount.c
35770 --- linux-2.6.38.4/fs/sysfs/mount.c 2011-03-14 21:20:32.000000000 -0400
35771 +++ linux-2.6.38.4/fs/sysfs/mount.c 2011-04-17 15:57:32.000000000 -0400
35772 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
35774 .s_count = ATOMIC_INIT(1),
35775 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
35776 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
35777 + .s_mode = S_IFDIR | S_IRWXU,
35779 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
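Review bot: Under CONFIG_GRKERNSEC_SYSFS_RESTRICT the root dentry mode becomes `S_IFDIR | S_IRWXU`, dropping both read and search permission for non-root; because search permission on the root is needed to reach anything below it, this blocks the entire tree for unprivileged processes, not just listing of the top directory, regardless of the modes of child dirents. That is presumably the intent, but it is worth stating next to the `#ifdef`: `/* 0700 root: non-root loses search permission, so the whole sysfs tree becomes unreachable */`. The `#else` line of this hunk is not rendered here, so the unrestricted branch is only inferred from the kept `.s_mode` line.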
35784 diff -urNp linux-2.6.38.4/fs/sysfs/symlink.c linux-2.6.38.4/fs/sysfs/symlink.c
35785 --- linux-2.6.38.4/fs/sysfs/symlink.c 2011-03-14 21:20:32.000000000 -0400
35786 +++ linux-2.6.38.4/fs/sysfs/symlink.c 2011-04-17 15:57:32.000000000 -0400
35787 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
35789 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
35791 - char *page = nd_get_link(nd);
35792 + const char *page = nd_get_link(nd);
35794 free_page((unsigned long)page);
35796 diff -urNp linux-2.6.38.4/fs/udf/misc.c linux-2.6.38.4/fs/udf/misc.c
35797 --- linux-2.6.38.4/fs/udf/misc.c 2011-03-14 21:20:32.000000000 -0400
35798 +++ linux-2.6.38.4/fs/udf/misc.c 2011-04-17 15:57:32.000000000 -0400
35799 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
35800 iinfo->i_lenEAttr += size;
35801 return (struct genericFormat *)&ea[offset];
35805 + if (loc & 0x02) {
35810 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
35812 u8 udf_tag_checksum(const struct tag *t)
35814 - u8 *data = (u8 *)t;
35815 + const u8 *data = (const u8 *)t;
35818 for (i = 0; i < sizeof(struct tag); ++i)
35819 diff -urNp linux-2.6.38.4/fs/udf/udfdecl.h linux-2.6.38.4/fs/udf/udfdecl.h
35820 --- linux-2.6.38.4/fs/udf/udfdecl.h 2011-03-14 21:20:32.000000000 -0400
35821 +++ linux-2.6.38.4/fs/udf/udfdecl.h 2011-04-17 15:57:32.000000000 -0400
35822 @@ -26,7 +26,7 @@ do { \
35826 -#define udf_debug(f, a...) /**/
35827 +#define udf_debug(f, a...) do {} while (0)
35830 #define udf_info(f, a...) \
35831 diff -urNp linux-2.6.38.4/fs/utimes.c linux-2.6.38.4/fs/utimes.c
35832 --- linux-2.6.38.4/fs/utimes.c 2011-03-14 21:20:32.000000000 -0400
35833 +++ linux-2.6.38.4/fs/utimes.c 2011-04-17 15:57:32.000000000 -0400
35835 #include <linux/compiler.h>
35836 #include <linux/file.h>
35837 #include <linux/fs.h>
35838 +#include <linux/security.h>
35839 #include <linux/linkage.h>
35840 #include <linux/mount.h>
35841 #include <linux/namei.h>
35842 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
35843 goto mnt_drop_write_and_out;
35847 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
35849 + goto mnt_drop_write_and_out;
35852 mutex_lock(&inode->i_mutex);
35853 error = notify_change(path->dentry, &newattrs);
35854 mutex_unlock(&inode->i_mutex);
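Review bot: The line between `if (!gr_acl_handle_utime(path->dentry, path->mnt)) {` and the `goto mnt_drop_write_and_out;` is not rendered in this view, so it cannot be confirmed that the denial path assigns a negative errno to `error` before jumping. If it does not, `error` keeps whatever the preceding mnt_want_write()/permission check left in it (plausibly 0) and a denied utime would be reported to the caller as success. Please confirm that line reads something like `error = -EACCES;`. utimes_common begins and ends outside the hunk.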
35855 diff -urNp linux-2.6.38.4/fs/xattr_acl.c linux-2.6.38.4/fs/xattr_acl.c
35856 --- linux-2.6.38.4/fs/xattr_acl.c 2011-03-14 21:20:32.000000000 -0400
35857 +++ linux-2.6.38.4/fs/xattr_acl.c 2011-04-17 15:57:32.000000000 -0400
35860 posix_acl_from_xattr(const void *value, size_t size)
35862 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
35863 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
35864 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
35865 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
35867 struct posix_acl *acl;
35868 struct posix_acl_entry *acl_e;
35869 diff -urNp linux-2.6.38.4/fs/xattr.c linux-2.6.38.4/fs/xattr.c
35870 --- linux-2.6.38.4/fs/xattr.c 2011-03-14 21:20:32.000000000 -0400
35871 +++ linux-2.6.38.4/fs/xattr.c 2011-04-17 15:57:32.000000000 -0400
35872 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
35873 * Extended attribute SET operations
35876 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
35877 +setxattr(struct path *path, const char __user *name, const void __user *value,
35878 size_t size, int flags)
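Review bot: The new parameter is declared `struct path *path` although the hunks below only read `path->dentry` and `path->mnt` from it. This patch adds `const` to read-only pointers elsewhere (sysfs_put_link, xfs_vn_put_link, posix_acl_from_xattr), so `setxattr(const struct path *path, const char __user *name, const void __user *value,` would be consistent and still accepts the `&path` and `&f->f_path` arguments at the three call sites in the following hunks. setxattr's body continues outside this hunk.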
35881 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
35882 return PTR_ERR(kvalue);
35885 - error = vfs_setxattr(d, kname, kvalue, size, flags);
35886 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
35891 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
35896 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
35898 error = mnt_want_write(path.mnt);
35900 - error = setxattr(path.dentry, name, value, size, flags);
35901 + error = setxattr(&path, name, value, size, flags);
35902 mnt_drop_write(path.mnt);
35905 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
35907 error = mnt_want_write(path.mnt);
35909 - error = setxattr(path.dentry, name, value, size, flags);
35910 + error = setxattr(&path, name, value, size, flags);
35911 mnt_drop_write(path.mnt);
35914 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
35915 const void __user *,value, size_t, size, int, flags)
35918 - struct dentry *dentry;
35919 int error = -EBADF;
35924 - dentry = f->f_path.dentry;
35925 - audit_inode(NULL, dentry);
35926 + audit_inode(NULL, f->f_path.dentry);
35927 error = mnt_want_write_file(f);
35929 - error = setxattr(dentry, name, value, size, flags);
35930 + error = setxattr(&f->f_path, name, value, size, flags);
35931 mnt_drop_write(f->f_path.mnt);
35934 diff -urNp linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c
35935 --- linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-14 21:20:32.000000000 -0400
35936 +++ linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-17 15:57:32.000000000 -0400
35937 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
35938 xfs_fsop_geom_t fsgeo;
35941 + memset(&fsgeo, 0, sizeof(fsgeo));
35942 error = xfs_fs_geometry(mp, &fsgeo, 3);
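Review bot: `memset(&fsgeo, 0, sizeof(fsgeo));` is the right tool here rather than a `= { 0 }` initializer, because memset also clears struct padding, which an initializer is not required to do, and padding is exactly what a later copy to userspace would leak from the kernel stack. A comment would stop a future cleanup from "simplifying" it away: `/* memset, not {0}: padding must be zeroed before this struct reaches userspace */`. The copy_to_user that motivates this is outside the hunk, so the leak path is inferred from the function's name and the compat-ioctl context.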
35945 diff -urNp linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c
35946 --- linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c 2011-03-14 21:20:32.000000000 -0400
35947 +++ linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 20:08:09.000000000 -0400
35948 @@ -128,7 +128,7 @@ xfs_find_handle(
35952 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
35953 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
35954 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
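Review bot: Folding `hsize > sizeof handle` into the same condition as the two copy_to_user calls means an oversized handle length takes the fault error path (the branch body is outside the hunk, presumably -EFAULT) even though it is a size inconsistency, not a bad user pointer. The bound is correctly evaluated before the copy, which is what matters for memory safety; if hsize can be influenced by the caller, a separate `if (hsize > sizeof handle) return -EINVAL;` ahead of this condition would keep the errno meaningful, and if it cannot, a comment noting that the check is a defensive invariant would explain why it sits in an I/O error test. xfs_find_handle's body continues outside the hunk.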
35957 diff -urNp linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c
35958 --- linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c 2011-03-14 21:20:32.000000000 -0400
35959 +++ linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c 2011-04-17 15:57:32.000000000 -0400
35960 @@ -436,7 +436,7 @@ xfs_vn_put_link(
35961 struct nameidata *nd,
35964 - char *s = nd_get_link(nd);
35965 + const char *s = nd_get_link(nd);
35969 diff -urNp linux-2.6.38.4/fs/xfs/xfs_bmap.c linux-2.6.38.4/fs/xfs/xfs_bmap.c
35970 --- linux-2.6.38.4/fs/xfs/xfs_bmap.c 2011-03-14 21:20:32.000000000 -0400
35971 +++ linux-2.6.38.4/fs/xfs/xfs_bmap.c 2011-04-17 15:57:32.000000000 -0400
35972 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
35976 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
35977 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
35981 diff -urNp linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c
35982 --- linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c 2011-03-14 21:20:32.000000000 -0400
35983 +++ linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c 2011-04-18 22:03:12.000000000 -0400
35984 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
35987 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
35988 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
35989 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
35990 + char name[sfep->namelen];
35991 + memcpy(name, sfep->name, sfep->namelen);
35992 + if (filldir(dirent, name, sfep->namelen,
35993 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
35994 + *offset = off & 0x7fffffff;
35997 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
35998 off & 0x7fffffff, ino, DT_UNKNOWN)) {
35999 *offset = off & 0x7fffffff;
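Review bot: `char name[sfep->namelen];` is a VLA on the kernel stack sized by a value read from the on-disk shortform entry, and the hunk gives no comment on why the inline-data case copies the name out before calling filldir while the other branch passes `sfep->name` directly. If `namelen` is an 8-bit field the stack cost is bounded at 255 bytes, but a fixed `char name[MAXNAMELEN];` with an explicit check that `sfep->namelen` does not exceed it avoids relying on the field width and removes the VLA. Whatever the reason for the copy (it reads like a constraint on where filldir's source buffer may live), it should be stated in a comment above the `if`, since without it the duplicated filldir call looks redundant and invites a merge. xfs_dir2_sf_getdents begins and ends outside the hunk.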
36001 diff -urNp linux-2.6.38.4/grsecurity/gracl_alloc.c linux-2.6.38.4/grsecurity/gracl_alloc.c
36002 --- linux-2.6.38.4/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
36003 +++ linux-2.6.38.4/grsecurity/gracl_alloc.c 2011-04-17 15:57:32.000000000 -0400
36005 +#include <linux/kernel.h>
36006 +#include <linux/mm.h>
36007 +#include <linux/slab.h>
36008 +#include <linux/vmalloc.h>
36009 +#include <linux/gracl.h>
36010 +#include <linux/grsecurity.h>
36012 +static unsigned long alloc_stack_next = 1;
36013 +static unsigned long alloc_stack_size = 1;
36014 +static void **alloc_stack;
36016 +static __inline__ int
36019 + if (alloc_stack_next == 1)
36022 + kfree(alloc_stack[alloc_stack_next - 2]);
36024 + alloc_stack_next--;
36029 +static __inline__ int
36030 +alloc_push(void *buf)
36032 + if (alloc_stack_next >= alloc_stack_size)
36035 + alloc_stack[alloc_stack_next - 1] = buf;
36037 + alloc_stack_next++;
36043 +acl_alloc(unsigned long len)
36045 + void *ret = NULL;
36047 + if (!len || len > PAGE_SIZE)
36050 + ret = kmalloc(len, GFP_KERNEL);
36053 + if (alloc_push(ret)) {
36064 +acl_alloc_num(unsigned long num, unsigned long len)
36066 + if (!len || (num > (PAGE_SIZE / len)))
36069 + return acl_alloc(num * len);
36073 +acl_free_all(void)
36075 + if (gr_acl_is_enabled() || !alloc_stack)
36078 + while (alloc_pop()) ;
36080 + if (alloc_stack) {
36081 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
36082 + kfree(alloc_stack);
36084 + vfree(alloc_stack);
36087 + alloc_stack = NULL;
36088 + alloc_stack_size = 1;
36089 + alloc_stack_next = 1;
36095 +acl_alloc_stack_init(unsigned long size)
36097 + if ((size * sizeof (void *)) <= PAGE_SIZE)
36099 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
36101 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
36103 + alloc_stack_size = size;
36105 + if (!alloc_stack)
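Review bot: acl_alloc_stack_init() computes `size * sizeof (void *)` for both the `<= PAGE_SIZE` comparison and the allocation without an overflow guard, whereas create_table() in gracl.c below checks `table_sizes[pwr] > ULONG_MAX / elementsize` before the same kind of multiply; if `size` comes from the userspace policy, a wrapped product could pass the PAGE_SIZE test and allocate a much smaller array than alloc_push later indexes up to `alloc_stack_size`. A matching `if (size > ULONG_MAX / sizeof (void *)) return <FAILURE_VALUE>;` at the top of the function closes that gap (the function's return convention is not rendered here, so the placeholder stands for whatever the `!alloc_stack` path returns). Separately, `alloc_stack_size = size;` is assigned before the `!alloc_stack` test, so on allocation failure the size is left non-zero while the stack pointer is NULL; acl_free_all tolerates that via its `!alloc_stack` check, but assigning the size only after a successful allocation would be safer.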
36110 diff -urNp linux-2.6.38.4/grsecurity/gracl.c linux-2.6.38.4/grsecurity/gracl.c
36111 --- linux-2.6.38.4/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
36112 +++ linux-2.6.38.4/grsecurity/gracl.c 2011-04-17 15:57:32.000000000 -0400
36114 +#include <linux/kernel.h>
36115 +#include <linux/module.h>
36116 +#include <linux/sched.h>
36117 +#include <linux/mm.h>
36118 +#include <linux/file.h>
36119 +#include <linux/fs.h>
36120 +#include <linux/namei.h>
36121 +#include <linux/mount.h>
36122 +#include <linux/tty.h>
36123 +#include <linux/proc_fs.h>
36124 +#include <linux/smp_lock.h>
36125 +#include <linux/lglock.h>
36126 +#include <linux/slab.h>
36127 +#include <linux/vmalloc.h>
36128 +#include <linux/types.h>
36129 +#include <linux/sysctl.h>
36130 +#include <linux/netdevice.h>
36131 +#include <linux/ptrace.h>
36132 +#include <linux/gracl.h>
36133 +#include <linux/gralloc.h>
36134 +#include <linux/grsecurity.h>
36135 +#include <linux/grinternal.h>
36136 +#include <linux/pid_namespace.h>
36137 +#include <linux/fdtable.h>
36138 +#include <linux/percpu.h>
36140 +#include <asm/uaccess.h>
36141 +#include <asm/errno.h>
36142 +#include <asm/mman.h>
36144 +static struct acl_role_db acl_role_set;
36145 +static struct name_db name_set;
36146 +static struct inodev_db inodev_set;
36148 +/* for keeping track of userspace pointers used for subjects, so we
36149 + can share references in the kernel as well
36152 +static struct path real_root;
36154 +static struct acl_subj_map_db subj_map_set;
36156 +static struct acl_role_label *default_role;
36158 +static struct acl_role_label *role_list;
36160 +static u16 acl_sp_role_value;
36162 +extern char *gr_shared_page[4];
36163 +static DEFINE_MUTEX(gr_dev_mutex);
36164 +DEFINE_RWLOCK(gr_inode_lock);
36166 +struct gr_arg *gr_usermode;
36168 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
36170 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
36171 +extern void gr_clear_learn_entries(void);
36173 +#ifdef CONFIG_GRKERNSEC_RESLOG
36174 +extern void gr_log_resource(const struct task_struct *task,
36175 + const int res, const unsigned long wanted, const int gt);
36178 +unsigned char *gr_system_salt;
36179 +unsigned char *gr_system_sum;
36181 +static struct sprole_pw **acl_special_roles = NULL;
36182 +static __u16 num_sprole_pws = 0;
36184 +static struct acl_role_label *kernel_role = NULL;
36186 +static unsigned int gr_auth_attempts = 0;
36187 +static unsigned long gr_auth_expires = 0UL;
36189 +extern struct vfsmount *sock_mnt;
36190 +extern struct vfsmount *pipe_mnt;
36191 +extern struct vfsmount *shm_mnt;
36192 +#ifdef CONFIG_HUGETLBFS
36193 +extern struct vfsmount *hugetlbfs_vfsmount;
36196 +static struct acl_object_label *fakefs_obj;
36198 +extern int gr_init_uidset(void);
36199 +extern void gr_free_uidset(void);
36200 +extern void gr_remove_uid(uid_t uid);
36201 +extern int gr_find_uid(uid_t uid);
36203 +DECLARE_BRLOCK(vfsmount_lock);
36206 +gr_acl_is_enabled(void)
36208 + return (gr_status & GR_READY);
36211 +#ifdef CONFIG_BTRFS_FS
36212 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
36213 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
36216 +static inline dev_t __get_dev(const struct dentry *dentry)
36218 +#ifdef CONFIG_BTRFS_FS
36219 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
36220 + return get_btrfs_dev_from_inode(dentry->d_inode);
36223 + return dentry->d_inode->i_sb->s_dev;
36226 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
36228 + return __get_dev(dentry);
36231 +static char gr_task_roletype_to_char(struct task_struct *task)
36233 + switch (task->role->roletype &
36234 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
36235 + GR_ROLE_SPECIAL)) {
36236 + case GR_ROLE_DEFAULT:
36238 + case GR_ROLE_USER:
36240 + case GR_ROLE_GROUP:
36242 + case GR_ROLE_SPECIAL:
36249 +char gr_roletype_to_char(void)
36251 + return gr_task_roletype_to_char(current);
36255 +gr_acl_tpe_check(void)
36257 + if (unlikely(!(gr_status & GR_READY)))
36259 + if (current->role->roletype & GR_ROLE_TPE)
36266 +gr_handle_rawio(const struct inode *inode)
36268 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
36269 + if (inode && S_ISBLK(inode->i_mode) &&
36270 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
36271 + !capable(CAP_SYS_RAWIO))
36278 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
36280 + if (likely(lena != lenb))
36283 + return !memcmp(a, b, lena);
36286 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
36288 + *buflen -= namelen;
36290 + return -ENAMETOOLONG;
36291 + *buffer -= namelen;
36292 + memcpy(*buffer, str, namelen);
36296 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
36298 + return prepend(buffer, buflen, name->name, name->len);
36301 +static int prepend_path(const struct path *path, struct path *root,
36302 + char **buffer, int *buflen)
36304 + struct dentry *dentry = path->dentry;
36305 + struct vfsmount *vfsmnt = path->mnt;
36306 + bool slash = false;
36309 + while (dentry != root->dentry || vfsmnt != root->mnt) {
36310 + struct dentry * parent;
36312 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
36313 + /* Global root? */
36314 + if (vfsmnt->mnt_parent == vfsmnt) {
36317 + dentry = vfsmnt->mnt_mountpoint;
36318 + vfsmnt = vfsmnt->mnt_parent;
36321 + parent = dentry->d_parent;
36322 + prefetch(parent);
36323 + spin_lock(&dentry->d_lock);
36324 + error = prepend_name(buffer, buflen, &dentry->d_name);
36325 + spin_unlock(&dentry->d_lock);
36327 + error = prepend(buffer, buflen, "/", 1);
36336 + if (!error && !slash)
36337 + error = prepend(buffer, buflen, "/", 1);
36342 +/* this must be called with vfsmount_lock and rename_lock held */
36344 +static char *__our_d_path(const struct path *path, struct path *root,
36345 + char *buf, int buflen)
36347 + char *res = buf + buflen;
36350 + prepend(&res, &buflen, "\0", 1);
36351 + error = prepend_path(path, root, &res, &buflen);
36353 + return ERR_PTR(error);
36359 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
36363 + retval = __our_d_path(path, root, buf, buflen);
36364 + if (unlikely(IS_ERR(retval)))
36365 + retval = strcpy(buf, "<path too long>");
36366 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
36367 + retval[1] = '\0';
36373 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
36374 + char *buf, int buflen)
36376 + struct path path;
36379 + path.dentry = (struct dentry *)dentry;
36380 + path.mnt = (struct vfsmount *)vfsmnt;
36382 + /* we can use real_root.dentry, real_root.mnt, because this is only called
36383 + by the RBAC system */
36384 + res = gen_full_path(&path, &real_root, buf, buflen);
36390 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
36391 + char *buf, int buflen)
36394 + struct path path;
36395 + struct path root;
36396 + struct task_struct *reaper = &init_task;
36398 + path.dentry = (struct dentry *)dentry;
36399 + path.mnt = (struct vfsmount *)vfsmnt;
36401 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
36402 + get_fs_root(reaper->fs, &root);
36404 + write_seqlock(&rename_lock);
36405 + br_read_lock(vfsmount_lock);
36406 + res = gen_full_path(&path, &root, buf, buflen);
36407 + br_read_unlock(vfsmount_lock);
36408 + write_sequnlock(&rename_lock);
36415 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
36418 + write_seqlock(&rename_lock);
36419 + br_read_lock(vfsmount_lock);
36420 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
36422 + br_read_unlock(vfsmount_lock);
36423 + write_sequnlock(&rename_lock);
36428 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
36430 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
36435 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
36437 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
36442 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
36444 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
36449 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
36451 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
36456 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
36458 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
36463 +to_gr_audit(const __u32 reqmode)
36465 + /* masks off auditable permission flags, then shifts them to create
36466 + auditing flags, and adds the special case of append auditing if
36467 + we're requesting write */
36468 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
36471 +struct acl_subject_label *
36472 +lookup_subject_map(const struct acl_subject_label *userp)
36474 + unsigned int index = shash(userp, subj_map_set.s_size);
36475 + struct subject_map *match;
36477 + match = subj_map_set.s_hash[index];
36479 + while (match && match->user != userp)
36480 + match = match->next;
36482 + if (match != NULL)
36483 + return match->kernel;
36489 +insert_subj_map_entry(struct subject_map *subjmap)
36491 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
36492 + struct subject_map **curr;
36494 + subjmap->prev = NULL;
36496 + curr = &subj_map_set.s_hash[index];
36497 + if (*curr != NULL)
36498 + (*curr)->prev = subjmap;
36500 + subjmap->next = *curr;
36506 +static struct acl_role_label *
36507 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
36510 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
36511 + struct acl_role_label *match;
36512 + struct role_allowed_ip *ipp;
36514 + u32 curr_ip = task->signal->curr_ip;
36516 + task->signal->saved_ip = curr_ip;
36518 + match = acl_role_set.r_hash[index];
36521 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
36522 + for (x = 0; x < match->domain_child_num; x++) {
36523 + if (match->domain_children[x] == uid)
36526 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
36528 + match = match->next;
36531 + if (match == NULL) {
36533 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
36534 + match = acl_role_set.r_hash[index];
36537 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
36538 + for (x = 0; x < match->domain_child_num; x++) {
36539 + if (match->domain_children[x] == gid)
36542 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
36544 + match = match->next;
36547 + if (match == NULL)
36548 + match = default_role;
36549 + if (match->allowed_ips == NULL)
36552 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
36554 + ((ntohl(curr_ip) & ipp->netmask) ==
36555 + (ntohl(ipp->addr) & ipp->netmask)))
36558 + match = default_role;
36560 + } else if (match->allowed_ips == NULL) {
36563 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
36565 + ((ntohl(curr_ip) & ipp->netmask) ==
36566 + (ntohl(ipp->addr) & ipp->netmask)))
36575 +struct acl_subject_label *
36576 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
36577 + const struct acl_role_label *role)
36579 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
36580 + struct acl_subject_label *match;
36582 + match = role->subj_hash[index];
36584 + while (match && (match->inode != ino || match->device != dev ||
36585 + (match->mode & GR_DELETED))) {
36586 + match = match->next;
36589 + if (match && !(match->mode & GR_DELETED))
36595 +struct acl_subject_label *
36596 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
36597 + const struct acl_role_label *role)
36599 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
36600 + struct acl_subject_label *match;
36602 + match = role->subj_hash[index];
36604 + while (match && (match->inode != ino || match->device != dev ||
36605 + !(match->mode & GR_DELETED))) {
36606 + match = match->next;
36609 + if (match && (match->mode & GR_DELETED))
36615 +static struct acl_object_label *
36616 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
36617 + const struct acl_subject_label *subj)
36619 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
36620 + struct acl_object_label *match;
36622 + match = subj->obj_hash[index];
36624 + while (match && (match->inode != ino || match->device != dev ||
36625 + (match->mode & GR_DELETED))) {
36626 + match = match->next;
36629 + if (match && !(match->mode & GR_DELETED))
36635 +static struct acl_object_label *
36636 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
36637 + const struct acl_subject_label *subj)
36639 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
36640 + struct acl_object_label *match;
36642 + match = subj->obj_hash[index];
36644 + while (match && (match->inode != ino || match->device != dev ||
36645 + !(match->mode & GR_DELETED))) {
36646 + match = match->next;
36649 + if (match && (match->mode & GR_DELETED))
36652 + match = subj->obj_hash[index];
36654 + while (match && (match->inode != ino || match->device != dev ||
36655 + (match->mode & GR_DELETED))) {
36656 + match = match->next;
36659 + if (match && !(match->mode & GR_DELETED))
36665 +static struct name_entry *
36666 +lookup_name_entry(const char *name)
36668 + unsigned int len = strlen(name);
36669 + unsigned int key = full_name_hash(name, len);
36670 + unsigned int index = key % name_set.n_size;
36671 + struct name_entry *match;
36673 + match = name_set.n_hash[index];
36675 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
36676 + match = match->next;
36681 +static struct name_entry *
36682 +lookup_name_entry_create(const char *name)
36684 + unsigned int len = strlen(name);
36685 + unsigned int key = full_name_hash(name, len);
36686 + unsigned int index = key % name_set.n_size;
36687 + struct name_entry *match;
36689 + match = name_set.n_hash[index];
36691 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
36692 + !match->deleted))
36693 + match = match->next;
36695 + if (match && match->deleted)
36698 + match = name_set.n_hash[index];
36700 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
36702 + match = match->next;
36704 + if (match && !match->deleted)
36710 +static struct inodev_entry *
36711 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
36713 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
36714 + struct inodev_entry *match;
36716 + match = inodev_set.i_hash[index];
36718 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
36719 + match = match->next;
36725 +insert_inodev_entry(struct inodev_entry *entry)
36727 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
36728 + inodev_set.i_size);
36729 + struct inodev_entry **curr;
36731 + entry->prev = NULL;
36733 + curr = &inodev_set.i_hash[index];
36734 + if (*curr != NULL)
36735 + (*curr)->prev = entry;
36737 + entry->next = *curr;
36744 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
36746 + unsigned int index =
36747 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
36748 + struct acl_role_label **curr;
36749 + struct acl_role_label *tmp;
36751 + curr = &acl_role_set.r_hash[index];
36753 + /* if role was already inserted due to domains and already has
36754 + a role in the same bucket as it attached, then we need to
36755 + combine these two buckets
36757 + if (role->next) {
36758 + tmp = role->next;
36759 + while (tmp->next)
36761 + tmp->next = *curr;
36763 + role->next = *curr;
36770 +insert_acl_role_label(struct acl_role_label *role)
36774 + if (role_list == NULL) {
36775 + role_list = role;
36776 + role->prev = NULL;
36778 + role->prev = role_list;
36779 + role_list = role;
36782 + /* used for hash chains */
36783 + role->next = NULL;
36785 + if (role->roletype & GR_ROLE_DOMAIN) {
36786 + for (i = 0; i < role->domain_child_num; i++)
36787 + __insert_acl_role_label(role, role->domain_children[i]);
36789 + __insert_acl_role_label(role, role->uidgid);
36793 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
36795 + struct name_entry **curr, *nentry;
36796 + struct inodev_entry *ientry;
36797 + unsigned int len = strlen(name);
36798 + unsigned int key = full_name_hash(name, len);
36799 + unsigned int index = key % name_set.n_size;
36801 + curr = &name_set.n_hash[index];
36803 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
36804 + curr = &((*curr)->next);
36806 + if (*curr != NULL)
36809 + nentry = acl_alloc(sizeof (struct name_entry));
36810 + if (nentry == NULL)
36812 + ientry = acl_alloc(sizeof (struct inodev_entry));
36813 + if (ientry == NULL)
36815 + ientry->nentry = nentry;
36817 + nentry->key = key;
36818 + nentry->name = name;
36819 + nentry->inode = inode;
36820 + nentry->device = device;
36821 + nentry->len = len;
36822 + nentry->deleted = deleted;
36824 + nentry->prev = NULL;
36825 + curr = &name_set.n_hash[index];
36826 + if (*curr != NULL)
36827 + (*curr)->prev = nentry;
36828 + nentry->next = *curr;
36831 + /* insert us into the table searchable by inode/dev */
36832 + insert_inodev_entry(ientry);
36838 +insert_acl_obj_label(struct acl_object_label *obj,
36839 + struct acl_subject_label *subj)
36841 + unsigned int index =
36842 + fhash(obj->inode, obj->device, subj->obj_hash_size);
36843 + struct acl_object_label **curr;
36846 + obj->prev = NULL;
36848 + curr = &subj->obj_hash[index];
36849 + if (*curr != NULL)
36850 + (*curr)->prev = obj;
36852 + obj->next = *curr;
36859 +insert_acl_subj_label(struct acl_subject_label *obj,
36860 + struct acl_role_label *role)
36862 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
36863 + struct acl_subject_label **curr;
36865 + obj->prev = NULL;
36867 + curr = &role->subj_hash[index];
36868 + if (*curr != NULL)
36869 + (*curr)->prev = obj;
36871 + obj->next = *curr;
36877 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
36880 +create_table(__u32 * len, int elementsize)
36882 + unsigned int table_sizes[] = {
36883 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
36884 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
36885 + 4194301, 8388593, 16777213, 33554393, 67108859
36887 + void *newtable = NULL;
36888 + unsigned int pwr = 0;
36890 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
36891 + table_sizes[pwr] <= *len)
36894 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
36897 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
36899 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
36901 + newtable = vmalloc(table_sizes[pwr] * elementsize);
36903 + *len = table_sizes[pwr];
36909 +init_variables(const struct gr_arg *arg)
36911 + struct task_struct *reaper = &init_task;
36912 + unsigned int stacksize;
36914 + subj_map_set.s_size = arg->role_db.num_subjects;
36915 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
36916 + name_set.n_size = arg->role_db.num_objects;
36917 + inodev_set.i_size = arg->role_db.num_objects;
36919 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
36920 + !name_set.n_size || !inodev_set.i_size)
36923 + if (!gr_init_uidset())
36926 + /* set up the stack that holds allocation info */
36928 + stacksize = arg->role_db.num_pointers + 5;
36930 + if (!acl_alloc_stack_init(stacksize))
36933 + /* grab reference for the real root dentry and vfsmount */
36934 + get_fs_root(reaper->fs, &real_root);
36936 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
36937 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
36940 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
36941 + if (fakefs_obj == NULL)
36943 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
36945 + subj_map_set.s_hash =
36946 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
36947 + acl_role_set.r_hash =
36948 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
36949 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
36950 + inodev_set.i_hash =
36951 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
36953 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
36954 + !name_set.n_hash || !inodev_set.i_hash)
36957 + memset(subj_map_set.s_hash, 0,
36958 + sizeof(struct subject_map *) * subj_map_set.s_size);
36959 + memset(acl_role_set.r_hash, 0,
36960 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
36961 + memset(name_set.n_hash, 0,
36962 + sizeof (struct name_entry *) * name_set.n_size);
36963 + memset(inodev_set.i_hash, 0,
36964 + sizeof (struct inodev_entry *) * inodev_set.i_size);
36969 +/* free information not needed after startup
36970 + currently contains user->kernel pointer mappings for subjects
36974 +free_init_variables(void)
36978 + if (subj_map_set.s_hash) {
36979 + for (i = 0; i < subj_map_set.s_size; i++) {
36980 + if (subj_map_set.s_hash[i]) {
36981 + kfree(subj_map_set.s_hash[i]);
36982 + subj_map_set.s_hash[i] = NULL;
36986 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
36988 + kfree(subj_map_set.s_hash);
36990 + vfree(subj_map_set.s_hash);
36997 +free_variables(void)
36999 + struct acl_subject_label *s;
37000 + struct acl_role_label *r;
37001 + struct task_struct *task, *task2;
37004 + gr_clear_learn_entries();
37006 + read_lock(&tasklist_lock);
37007 + do_each_thread(task2, task) {
37008 + task->acl_sp_role = 0;
37009 + task->acl_role_id = 0;
37010 + task->acl = NULL;
37011 + task->role = NULL;
37012 + } while_each_thread(task2, task);
37013 + read_unlock(&tasklist_lock);
37015 + /* release the reference to the real root dentry and vfsmount */
37016 + path_put(&real_root);
37018 + /* free all object hash tables */
37020 + FOR_EACH_ROLE_START(r)
37021 + if (r->subj_hash == NULL)
37023 + FOR_EACH_SUBJECT_START(r, s, x)
37024 + if (s->obj_hash == NULL)
37026 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
37027 + kfree(s->obj_hash);
37029 + vfree(s->obj_hash);
37030 + FOR_EACH_SUBJECT_END(s, x)
37031 + FOR_EACH_NESTED_SUBJECT_START(r, s)
37032 + if (s->obj_hash == NULL)
37034 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
37035 + kfree(s->obj_hash);
37037 + vfree(s->obj_hash);
37038 + FOR_EACH_NESTED_SUBJECT_END(s)
37039 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
37040 + kfree(r->subj_hash);
37042 + vfree(r->subj_hash);
37043 + r->subj_hash = NULL;
37045 + FOR_EACH_ROLE_END(r)
37049 + if (acl_role_set.r_hash) {
37050 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
37052 + kfree(acl_role_set.r_hash);
37054 + vfree(acl_role_set.r_hash);
37056 + if (name_set.n_hash) {
37057 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
37059 + kfree(name_set.n_hash);
37061 + vfree(name_set.n_hash);
37064 + if (inodev_set.i_hash) {
37065 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
37067 + kfree(inodev_set.i_hash);
37069 + vfree(inodev_set.i_hash);
37072 + gr_free_uidset();
37074 + memset(&name_set, 0, sizeof (struct name_db));
37075 + memset(&inodev_set, 0, sizeof (struct inodev_db));
37076 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
37077 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
37079 + default_role = NULL;
37080 + role_list = NULL;
37086 +count_user_objs(struct acl_object_label *userp)
37088 + struct acl_object_label o_tmp;
37092 + if (copy_from_user(&o_tmp, userp,
37093 + sizeof (struct acl_object_label)))
37096 + userp = o_tmp.prev;
37103 +static struct acl_subject_label *
37104 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
37107 +copy_user_glob(struct acl_object_label *obj)
37109 + struct acl_object_label *g_tmp, **guser;
37110 + unsigned int len;
37113 + if (obj->globbed == NULL)
37116 + guser = &obj->globbed;
37118 + g_tmp = (struct acl_object_label *)
37119 + acl_alloc(sizeof (struct acl_object_label));
37120 + if (g_tmp == NULL)
37123 + if (copy_from_user(g_tmp, *guser,
37124 + sizeof (struct acl_object_label)))
37127 + len = strnlen_user(g_tmp->filename, PATH_MAX);
37129 + if (!len || len >= PATH_MAX)
37132 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37135 + if (copy_from_user(tmp, g_tmp->filename, len))
37137 + tmp[len-1] = '\0';
37138 + g_tmp->filename = tmp;
37141 + guser = &(g_tmp->next);
37148 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
37149 + struct acl_role_label *role)
37151 + struct acl_object_label *o_tmp;
37152 + unsigned int len;
37157 + if ((o_tmp = (struct acl_object_label *)
37158 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
37161 + if (copy_from_user(o_tmp, userp,
37162 + sizeof (struct acl_object_label)))
37165 + userp = o_tmp->prev;
37167 + len = strnlen_user(o_tmp->filename, PATH_MAX);
37169 + if (!len || len >= PATH_MAX)
37172 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37175 + if (copy_from_user(tmp, o_tmp->filename, len))
37177 + tmp[len-1] = '\0';
37178 + o_tmp->filename = tmp;
37180 + insert_acl_obj_label(o_tmp, subj);
37181 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
37182 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
37185 + ret = copy_user_glob(o_tmp);
37189 + if (o_tmp->nested) {
37190 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
37191 + if (IS_ERR(o_tmp->nested))
37192 + return PTR_ERR(o_tmp->nested);
37194 + /* insert into nested subject list */
37195 + o_tmp->nested->next = role->hash->first;
37196 + role->hash->first = o_tmp->nested;
37204 +count_user_subjs(struct acl_subject_label *userp)
37206 + struct acl_subject_label s_tmp;
37210 + if (copy_from_user(&s_tmp, userp,
37211 + sizeof (struct acl_subject_label)))
37214 + userp = s_tmp.prev;
37215 + /* do not count nested subjects against this count, since
37216 + they are not included in the hash table, but are
37217 + attached to objects. We have already counted
37218 + the subjects in userspace for the allocation
37221 + if (!(s_tmp.mode & GR_NESTED))
37229 +copy_user_allowedips(struct acl_role_label *rolep)
37231 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
37233 + ruserip = rolep->allowed_ips;
37235 + while (ruserip) {
37238 + if ((rtmp = (struct role_allowed_ip *)
37239 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
37242 + if (copy_from_user(rtmp, ruserip,
37243 + sizeof (struct role_allowed_ip)))
37246 + ruserip = rtmp->prev;
37249 + rtmp->prev = NULL;
37250 + rolep->allowed_ips = rtmp;
37252 + rlast->next = rtmp;
37253 + rtmp->prev = rlast;
37257 + rtmp->next = NULL;
37264 +copy_user_transitions(struct acl_role_label *rolep)
37266 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
37268 + unsigned int len;
37271 + rusertp = rolep->transitions;
37273 + while (rusertp) {
37276 + if ((rtmp = (struct role_transition *)
37277 + acl_alloc(sizeof (struct role_transition))) == NULL)
37280 + if (copy_from_user(rtmp, rusertp,
37281 + sizeof (struct role_transition)))
37284 + rusertp = rtmp->prev;
37286 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
37288 + if (!len || len >= GR_SPROLE_LEN)
37291 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37294 + if (copy_from_user(tmp, rtmp->rolename, len))
37296 + tmp[len-1] = '\0';
37297 + rtmp->rolename = tmp;
37300 + rtmp->prev = NULL;
37301 + rolep->transitions = rtmp;
37303 + rlast->next = rtmp;
37304 + rtmp->prev = rlast;
37308 + rtmp->next = NULL;
37314 +static struct acl_subject_label *
37315 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
37317 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
37318 + unsigned int len;
37321 + struct acl_ip_label **i_tmp, *i_utmp2;
37322 + struct gr_hash_struct ghash;
37323 + struct subject_map *subjmap;
37324 + unsigned int i_num;
37327 + s_tmp = lookup_subject_map(userp);
37329 + /* we've already copied this subject into the kernel, just return
37330 + the reference to it, and don't copy it over again
37335 + if ((s_tmp = (struct acl_subject_label *)
37336 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
37337 + return ERR_PTR(-ENOMEM);
37339 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
37340 + if (subjmap == NULL)
37341 + return ERR_PTR(-ENOMEM);
37343 + subjmap->user = userp;
37344 + subjmap->kernel = s_tmp;
37345 + insert_subj_map_entry(subjmap);
37347 + if (copy_from_user(s_tmp, userp,
37348 + sizeof (struct acl_subject_label)))
37349 + return ERR_PTR(-EFAULT);
37351 + len = strnlen_user(s_tmp->filename, PATH_MAX);
37353 + if (!len || len >= PATH_MAX)
37354 + return ERR_PTR(-EINVAL);
37356 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37357 + return ERR_PTR(-ENOMEM);
37359 + if (copy_from_user(tmp, s_tmp->filename, len))
37360 + return ERR_PTR(-EFAULT);
37361 + tmp[len-1] = '\0';
37362 + s_tmp->filename = tmp;
37364 + if (!strcmp(s_tmp->filename, "/"))
37365 + role->root_label = s_tmp;
37367 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
37368 + return ERR_PTR(-EFAULT);
37370 + /* copy user and group transition tables */
37372 + if (s_tmp->user_trans_num) {
37375 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
37376 + if (uidlist == NULL)
37377 + return ERR_PTR(-ENOMEM);
37378 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
37379 + return ERR_PTR(-EFAULT);
37381 + s_tmp->user_transitions = uidlist;
37384 + if (s_tmp->group_trans_num) {
37387 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
37388 + if (gidlist == NULL)
37389 + return ERR_PTR(-ENOMEM);
37390 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
37391 + return ERR_PTR(-EFAULT);
37393 + s_tmp->group_transitions = gidlist;
37396 + /* set up object hash table */
37397 + num_objs = count_user_objs(ghash.first);
37399 + s_tmp->obj_hash_size = num_objs;
37400 + s_tmp->obj_hash =
37401 + (struct acl_object_label **)
37402 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
37404 + if (!s_tmp->obj_hash)
37405 + return ERR_PTR(-ENOMEM);
37407 + memset(s_tmp->obj_hash, 0,
37408 + s_tmp->obj_hash_size *
37409 + sizeof (struct acl_object_label *));
37411 + /* add in objects */
37412 + err = copy_user_objs(ghash.first, s_tmp, role);
37415 + return ERR_PTR(err);
37417 + /* set pointer for parent subject */
37418 + if (s_tmp->parent_subject) {
37419 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
37421 + if (IS_ERR(s_tmp2))
37424 + s_tmp->parent_subject = s_tmp2;
37427 + /* add in ip acls */
37429 + if (!s_tmp->ip_num) {
37430 + s_tmp->ips = NULL;
37435 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
37436 + sizeof (struct acl_ip_label *));
37439 + return ERR_PTR(-ENOMEM);
37441 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
37442 + *(i_tmp + i_num) =
37443 + (struct acl_ip_label *)
37444 + acl_alloc(sizeof (struct acl_ip_label));
37445 + if (!*(i_tmp + i_num))
37446 + return ERR_PTR(-ENOMEM);
37448 + if (copy_from_user
37449 + (&i_utmp2, s_tmp->ips + i_num,
37450 + sizeof (struct acl_ip_label *)))
37451 + return ERR_PTR(-EFAULT);
37453 + if (copy_from_user
37454 + (*(i_tmp + i_num), i_utmp2,
37455 + sizeof (struct acl_ip_label)))
37456 + return ERR_PTR(-EFAULT);
37458 + if ((*(i_tmp + i_num))->iface == NULL)
37461 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
37462 + if (!len || len >= IFNAMSIZ)
37463 + return ERR_PTR(-EINVAL);
37464 + tmp = acl_alloc(len);
37466 + return ERR_PTR(-ENOMEM);
37467 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
37468 + return ERR_PTR(-EFAULT);
37469 + (*(i_tmp + i_num))->iface = tmp;
37472 + s_tmp->ips = i_tmp;
37475 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
37476 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
37477 + return ERR_PTR(-ENOMEM);
37483 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
37485 + struct acl_subject_label s_pre;
37486 + struct acl_subject_label * ret;
37490 + if (copy_from_user(&s_pre, userp,
37491 + sizeof (struct acl_subject_label)))
37494 + /* do not add nested subjects here, add
37495 + while parsing objects
37498 + if (s_pre.mode & GR_NESTED) {
37499 + userp = s_pre.prev;
37503 + ret = do_copy_user_subj(userp, role);
37505 + err = PTR_ERR(ret);
37509 + insert_acl_subj_label(ret, role);
37511 + userp = s_pre.prev;
37518 +copy_user_acl(struct gr_arg *arg)
37520 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
37521 + struct sprole_pw *sptmp;
37522 + struct gr_hash_struct *ghash;
37523 + uid_t *domainlist;
37524 + unsigned int r_num;
37525 + unsigned int len;
37531 + /* we need a default and kernel role */
37532 + if (arg->role_db.num_roles < 2)
37535 + /* copy special role authentication info from userspace */
37537 + num_sprole_pws = arg->num_sprole_pws;
37538 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
37540 + if (!acl_special_roles) {
37545 + for (i = 0; i < num_sprole_pws; i++) {
37546 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
37551 + if (copy_from_user(sptmp, arg->sprole_pws + i,
37552 + sizeof (struct sprole_pw))) {
37558 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
37560 + if (!len || len >= GR_SPROLE_LEN) {
37565 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
37570 + if (copy_from_user(tmp, sptmp->rolename, len)) {
37574 + tmp[len-1] = '\0';
37575 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37576 + printk(KERN_ALERT "Copying special role %s\n", tmp);
37578 + sptmp->rolename = tmp;
37579 + acl_special_roles[i] = sptmp;
37582 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
37584 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
37585 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
37592 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
37593 + sizeof (struct acl_role_label *))) {
37598 + if (copy_from_user(r_tmp, r_utmp2,
37599 + sizeof (struct acl_role_label))) {
37604 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
37606 + if (!len || len >= PATH_MAX) {
37611 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
37615 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
37619 + tmp[len-1] = '\0';
37620 + r_tmp->rolename = tmp;
37622 + if (!strcmp(r_tmp->rolename, "default")
37623 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
37624 + default_role = r_tmp;
37625 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
37626 + kernel_role = r_tmp;
37629 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
37633 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
37638 + r_tmp->hash = ghash;
37640 + num_subjs = count_user_subjs(r_tmp->hash->first);
37642 + r_tmp->subj_hash_size = num_subjs;
37643 + r_tmp->subj_hash =
37644 + (struct acl_subject_label **)
37645 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
37647 + if (!r_tmp->subj_hash) {
37652 + err = copy_user_allowedips(r_tmp);
37656 + /* copy domain info */
37657 + if (r_tmp->domain_children != NULL) {
37658 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
37659 + if (domainlist == NULL) {
37663 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
37667 + r_tmp->domain_children = domainlist;
37670 + err = copy_user_transitions(r_tmp);
37674 + memset(r_tmp->subj_hash, 0,
37675 + r_tmp->subj_hash_size *
37676 + sizeof (struct acl_subject_label *));
37678 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
37683 + /* set nested subject list to null */
37684 + r_tmp->hash->first = NULL;
37686 + insert_acl_role_label(r_tmp);
37691 + free_variables();
37698 +gracl_init(struct gr_arg *args)
37702 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
37703 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
37705 + if (init_variables(args)) {
37706 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
37708 + free_variables();
37712 + error = copy_user_acl(args);
37713 + free_init_variables();
37715 + free_variables();
37719 + if ((error = gr_set_acls(0))) {
37720 + free_variables();
37724 + pax_open_kernel();
37725 + gr_status |= GR_READY;
37726 + pax_close_kernel();
37732 +/* derived from glibc fnmatch() 0: match, 1: no match*/
37735 +glob_match(const char *p, const char *n)
37739 + while ((c = *p++) != '\0') {
37744 + else if (*n == '/')
37752 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
37755 + else if (c == '?') {
37765 + const char *endp;
37767 + if ((endp = strchr(n, '/')) == NULL)
37768 + endp = n + strlen(n);
37771 + for (--p; n < endp; ++n)
37772 + if (!glob_match(p, n))
37774 + } else if (c == '/') {
37775 + while (*n != '\0' && *n != '/')
37777 + if (*n == '/' && !glob_match(p, n + 1))
37780 + for (--p; n < endp; ++n)
37781 + if (*n == c && !glob_match(p, n))
37792 + if (*n == '\0' || *n == '/')
37795 + not = (*p == '!' || *p == '^');
37801 + unsigned char fn = (unsigned char)*n;
37811 + if (c == '-' && *p != ']') {
37812 + unsigned char cend = *p++;
37814 + if (cend == '\0')
37817 + if (cold <= fn && fn <= cend)
37831 + while (c != ']') {
37858 +static struct acl_object_label *
37859 +chk_glob_label(struct acl_object_label *globbed,
37860 + struct dentry *dentry, struct vfsmount *mnt, char **path)
37862 + struct acl_object_label *tmp;
37864 + if (*path == NULL)
37865 + *path = gr_to_filename_nolock(dentry, mnt);
37870 + if (!glob_match(tmp->filename, *path))
37878 +static struct acl_object_label *
37879 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
37880 + const ino_t curr_ino, const dev_t curr_dev,
37881 + const struct acl_subject_label *subj, char **path, const int checkglob)
37883 + struct acl_subject_label *tmpsubj;
37884 + struct acl_object_label *retval;
37885 + struct acl_object_label *retval2;
37887 + tmpsubj = (struct acl_subject_label *) subj;
37888 + read_lock(&gr_inode_lock);
37890 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
37892 + if (checkglob && retval->globbed) {
37893 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
37894 + (struct vfsmount *)orig_mnt, path);
37896 + retval = retval2;
37900 + } while ((tmpsubj = tmpsubj->parent_subject));
37901 + read_unlock(&gr_inode_lock);
37906 +static __inline__ struct acl_object_label *
37907 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
37908 + struct dentry *curr_dentry,
37909 + const struct acl_subject_label *subj, char **path, const int checkglob)
37911 + int newglob = checkglob;
37915 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
37916 + as we don't want a / * rule to match instead of the / object
37917 + don't do this for create lookups that call this function though, since they're looking up
37918 + on the parent and thus need globbing checks on all paths
37920 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
37921 + newglob = GR_NO_GLOB;
37923 + spin_lock(&curr_dentry->d_lock);
37924 + inode = curr_dentry->d_inode->i_ino;
37925 + device = __get_dev(curr_dentry);
37926 + spin_unlock(&curr_dentry->d_lock);
37928 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
37931 +static struct acl_object_label *
37932 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37933 + const struct acl_subject_label *subj, char *path, const int checkglob)
37935 + struct dentry *dentry = (struct dentry *) l_dentry;
37936 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
37937 + struct acl_object_label *retval;
37938 + struct dentry *parent;
37940 + write_seqlock(&rename_lock);
37941 + br_read_lock(vfsmount_lock);
37943 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt || mnt == sock_mnt ||
37944 +#ifdef CONFIG_HUGETLBFS
37945 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
37947 + /* ignore Eric Biederman */
37948 + IS_PRIVATE(l_dentry->d_inode))) {
37949 + retval = fakefs_obj;
37954 + if (dentry == real_root.dentry && mnt == real_root.mnt)
37957 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
37958 + if (mnt->mnt_parent == mnt)
37961 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37962 + if (retval != NULL)
37965 + dentry = mnt->mnt_mountpoint;
37966 + mnt = mnt->mnt_parent;
37970 + parent = dentry->d_parent;
37971 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37972 + if (retval != NULL)
37978 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37980 + /* real_root is pinned so we don't have to hold a reference */
37981 + if (retval == NULL)
37982 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
37984 + br_read_unlock(vfsmount_lock);
37985 + write_sequnlock(&rename_lock);
37987 + BUG_ON(retval == NULL);
37992 +static __inline__ struct acl_object_label *
37993 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37994 + const struct acl_subject_label *subj)
37996 + char *path = NULL;
37997 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
38000 +static __inline__ struct acl_object_label *
38001 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
38002 + const struct acl_subject_label *subj)
38004 + char *path = NULL;
38005 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
38008 +static __inline__ struct acl_object_label *
38009 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
38010 + const struct acl_subject_label *subj, char *path)
38012 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
38015 +static struct acl_subject_label *
38016 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
38017 + const struct acl_role_label *role)
38019 + struct dentry *dentry = (struct dentry *) l_dentry;
38020 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
38021 + struct acl_subject_label *retval;
38022 + struct dentry *parent;
38024 + write_seqlock(&rename_lock);
38025 + br_read_lock(vfsmount_lock);
38028 + if (dentry == real_root.dentry && mnt == real_root.mnt)
38030 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
38031 + if (mnt->mnt_parent == mnt)
38034 + spin_lock(&dentry->d_lock);
38035 + read_lock(&gr_inode_lock);
38037 + lookup_acl_subj_label(dentry->d_inode->i_ino,
38038 + __get_dev(dentry), role);
38039 + read_unlock(&gr_inode_lock);
38040 + spin_unlock(&dentry->d_lock);
38041 + if (retval != NULL)
38044 + dentry = mnt->mnt_mountpoint;
38045 + mnt = mnt->mnt_parent;
38049 + spin_lock(&dentry->d_lock);
38050 + read_lock(&gr_inode_lock);
38051 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
38052 + __get_dev(dentry), role);
38053 + read_unlock(&gr_inode_lock);
38054 + parent = dentry->d_parent;
38055 + spin_unlock(&dentry->d_lock);
38057 + if (retval != NULL)
38063 + spin_lock(&dentry->d_lock);
38064 + read_lock(&gr_inode_lock);
38065 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
38066 + __get_dev(dentry), role);
38067 + read_unlock(&gr_inode_lock);
38068 + spin_unlock(&dentry->d_lock);
38070 + if (unlikely(retval == NULL)) {
38071 + /* real_root is pinned, we don't need to hold a reference */
38072 + read_lock(&gr_inode_lock);
38073 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
38074 + __get_dev(real_root.dentry), role);
38075 + read_unlock(&gr_inode_lock);
38078 + br_read_unlock(vfsmount_lock);
38079 + write_sequnlock(&rename_lock);
38081 + BUG_ON(retval == NULL);
38087 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
38089 + struct task_struct *task = current;
38090 + const struct cred *cred = current_cred();
38092 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
38093 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
38094 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
38095 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
38101 +gr_log_learn_sysctl(const char *path, const __u32 mode)
38103 + struct task_struct *task = current;
38104 + const struct cred *cred = current_cred();
38106 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
38107 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
38108 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
38109 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
38115 +gr_log_learn_id_change(const char type, const unsigned int real,
38116 + const unsigned int effective, const unsigned int fs)
38118 + struct task_struct *task = current;
38119 + const struct cred *cred = current_cred();
38121 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
38122 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
38123 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
38124 + type, real, effective, fs, &task->signal->saved_ip);
38130 +gr_check_link(const struct dentry * new_dentry,
38131 + const struct dentry * parent_dentry,
38132 + const struct vfsmount * parent_mnt,
38133 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
38135 + struct acl_object_label *obj;
38136 + __u32 oldmode, newmode;
38139 + if (unlikely(!(gr_status & GR_READY)))
38140 + return (GR_CREATE | GR_LINK);
38142 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
38143 + oldmode = obj->mode;
38145 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38146 + oldmode |= (GR_CREATE | GR_LINK);
38148 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
38149 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
38150 + needmode |= GR_SETID | GR_AUDIT_SETID;
38153 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
38154 + oldmode | needmode);
38156 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
38157 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
38158 + GR_INHERIT | GR_AUDIT_INHERIT);
38160 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
38163 + if ((oldmode & needmode) != needmode)
38166 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
38167 + if ((newmode & needmode) != needmode)
38170 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
38173 + needmode = oldmode;
38174 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
38175 + needmode |= GR_SETID;
38177 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
38178 + gr_log_learn(old_dentry, old_mnt, needmode);
38179 + return (GR_CREATE | GR_LINK);
38180 + } else if (newmode & GR_SUPPRESS)
38181 + return GR_SUPPRESS;
38187 +gr_search_file(const struct dentry * dentry, const __u32 mode,
38188 + const struct vfsmount * mnt)
38190 + __u32 retval = mode;
38191 + struct acl_subject_label *curracl;
38192 + struct acl_object_label *currobj;
38194 + if (unlikely(!(gr_status & GR_READY)))
38195 + return (mode & ~GR_AUDITS);
38197 + curracl = current->acl;
38199 + currobj = chk_obj_label(dentry, mnt, curracl);
38200 + retval = currobj->mode & mode;
38202 + /* if we're opening a specified transfer file for writing
38203 + (e.g. /dev/initctl), then transfer our role to init
38205 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
38206 + current->role->roletype & GR_ROLE_PERSIST)) {
38207 + struct task_struct *task = init_pid_ns.child_reaper;
38209 + if (task->role != current->role) {
38210 + task->acl_sp_role = 0;
38211 + task->acl_role_id = current->acl_role_id;
38212 + task->role = current->role;
38214 + read_lock(&grsec_exec_file_lock);
38215 + gr_apply_subject_to_task(task);
38216 + read_unlock(&grsec_exec_file_lock);
38217 + rcu_read_unlock();
38218 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
38223 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
38224 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
38225 + __u32 new_mode = mode;
38227 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38229 + retval = new_mode;
38231 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
38232 + new_mode |= GR_INHERIT;
38234 + if (!(mode & GR_NOLEARN))
38235 + gr_log_learn(dentry, mnt, new_mode);
38242 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
38243 + const struct vfsmount * mnt, const __u32 mode)
38245 + struct name_entry *match;
38246 + struct acl_object_label *matchpo;
38247 + struct acl_subject_label *curracl;
38251 + if (unlikely(!(gr_status & GR_READY)))
38252 + return (mode & ~GR_AUDITS);
38254 + preempt_disable();
38255 + path = gr_to_filename_rbac(new_dentry, mnt);
38256 + match = lookup_name_entry_create(path);
38259 + goto check_parent;
38261 + curracl = current->acl;
38263 + read_lock(&gr_inode_lock);
38264 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
38265 + read_unlock(&gr_inode_lock);
38268 + if ((matchpo->mode & mode) !=
38269 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
38270 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
38271 + __u32 new_mode = mode;
38273 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38275 + gr_log_learn(new_dentry, mnt, new_mode);
38277 + preempt_enable();
38280 + preempt_enable();
38281 + return (matchpo->mode & mode);
38285 + curracl = current->acl;
38287 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
38288 + retval = matchpo->mode & mode;
38290 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
38291 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
38292 + __u32 new_mode = mode;
38294 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38296 + gr_log_learn(new_dentry, mnt, new_mode);
38297 + preempt_enable();
38301 + preempt_enable();
38306 +gr_check_hidden_task(const struct task_struct *task)
38308 + if (unlikely(!(gr_status & GR_READY)))
38311 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
38318 +gr_check_protected_task(const struct task_struct *task)
38320 + if (unlikely(!(gr_status & GR_READY) || !task))
38323 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
38324 + task->acl != current->acl)
38331 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
38333 + struct task_struct *p;
38336 + if (unlikely(!(gr_status & GR_READY) || !pid))
38339 + read_lock(&tasklist_lock);
38340 + do_each_pid_task(pid, type, p) {
38341 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
38342 + p->acl != current->acl) {
38346 + } while_each_pid_task(pid, type, p);
38348 + read_unlock(&tasklist_lock);
38354 +gr_copy_label(struct task_struct *tsk)
38356 + tsk->signal->used_accept = 0;
38357 + tsk->acl_sp_role = 0;
38358 + tsk->acl_role_id = current->acl_role_id;
38359 + tsk->acl = current->acl;
38360 + tsk->role = current->role;
38361 + tsk->signal->curr_ip = current->signal->curr_ip;
38362 + tsk->signal->saved_ip = current->signal->saved_ip;
38363 + if (current->exec_file)
38364 + get_file(current->exec_file);
38365 + tsk->exec_file = current->exec_file;
38366 + tsk->is_writable = current->is_writable;
38367 + if (unlikely(current->signal->used_accept)) {
38368 + current->signal->curr_ip = 0;
38369 + current->signal->saved_ip = 0;
38376 +gr_set_proc_res(struct task_struct *task)
38378 + struct acl_subject_label *proc;
38379 + unsigned short i;
38381 + proc = task->acl;
38383 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
38386 + for (i = 0; i < RLIM_NLIMITS; i++) {
38387 + if (!(proc->resmask & (1 << i)))
38390 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
38391 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
38398 +gr_check_user_change(int real, int effective, int fs)
38405 + int effectiveok = 0;
38408 + if (unlikely(!(gr_status & GR_READY)))
38411 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38412 + gr_log_learn_id_change('u', real, effective, fs);
38414 + num = current->acl->user_trans_num;
38415 + uidlist = current->acl->user_transitions;
38417 + if (uidlist == NULL)
38422 + if (effective == -1)
38427 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
38428 + for (i = 0; i < num; i++) {
38429 + curuid = (int)uidlist[i];
38430 + if (real == curuid)
38432 + if (effective == curuid)
38434 + if (fs == curuid)
38437 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
38438 + for (i = 0; i < num; i++) {
38439 + curuid = (int)uidlist[i];
38440 + if (real == curuid)
38442 + if (effective == curuid)
38444 + if (fs == curuid)
38447 + /* not in deny list */
38455 + if (realok && effectiveok && fsok)
38458 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
38464 +gr_check_group_change(int real, int effective, int fs)
38471 + int effectiveok = 0;
38474 + if (unlikely(!(gr_status & GR_READY)))
38477 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38478 + gr_log_learn_id_change('g', real, effective, fs);
38480 + num = current->acl->group_trans_num;
38481 + gidlist = current->acl->group_transitions;
38483 + if (gidlist == NULL)
38488 + if (effective == -1)
38493 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
38494 + for (i = 0; i < num; i++) {
38495 + curgid = (int)gidlist[i];
38496 + if (real == curgid)
38498 + if (effective == curgid)
38500 + if (fs == curgid)
38503 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
38504 + for (i = 0; i < num; i++) {
38505 + curgid = (int)gidlist[i];
38506 + if (real == curgid)
38508 + if (effective == curgid)
38510 + if (fs == curgid)
38513 + /* not in deny list */
38521 + if (realok && effectiveok && fsok)
38524 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
38530 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
38532 + struct acl_role_label *role = task->role;
38533 + struct acl_subject_label *subj = NULL;
38534 + struct acl_object_label *obj;
38535 + struct file *filp;
38537 + if (unlikely(!(gr_status & GR_READY)))
38540 + filp = task->exec_file;
38542 + /* kernel process, we'll give them the kernel role */
38543 + if (unlikely(!filp)) {
38544 + task->role = kernel_role;
38545 + task->acl = kernel_role->root_label;
38547 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
38548 + role = lookup_acl_role_label(task, uid, gid);
38550 + /* perform subject lookup in possibly new role
38551 + we can use this result below in the case where role == task->role
38553 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
38555 + /* if we changed uid/gid, but result in the same role
38556 + and are using inheritance, don't lose the inherited subject
38557 + if current subject is other than what normal lookup
38558 + would result in, we arrived via inheritance, don't
38561 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
38562 + (subj == task->acl)))
38563 + task->acl = subj;
38565 + task->role = role;
38567 + task->is_writable = 0;
38569 + /* ignore additional mmap checks for processes that are writable
38570 + by the default ACL */
38571 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38572 + if (unlikely(obj->mode & GR_WRITE))
38573 + task->is_writable = 1;
38574 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38575 + if (unlikely(obj->mode & GR_WRITE))
38576 + task->is_writable = 1;
38578 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
38579 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38582 + gr_set_proc_res(task);
38588 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
38589 + const int unsafe_share)
38591 + struct task_struct *task = current;
38592 + struct acl_subject_label *newacl;
38593 + struct acl_object_label *obj;
38596 + if (unlikely(!(gr_status & GR_READY)))
38599 + newacl = chk_subj_label(dentry, mnt, task->role);
38602 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
38603 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
38604 + !(task->role->roletype & GR_ROLE_GOD) &&
38605 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
38606 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
38607 + task_unlock(task);
38608 + if (unsafe_share)
38609 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
38611 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
38614 + task_unlock(task);
38616 + obj = chk_obj_label(dentry, mnt, task->acl);
38617 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
38619 + if (!(task->acl->mode & GR_INHERITLEARN) &&
38620 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
38622 + task->acl = obj->nested;
38624 + task->acl = newacl;
38625 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
38626 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
38628 + task->is_writable = 0;
38630 + /* ignore additional mmap checks for processes that are writable
38631 + by the default ACL */
38632 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
38633 + if (unlikely(obj->mode & GR_WRITE))
38634 + task->is_writable = 1;
38635 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
38636 + if (unlikely(obj->mode & GR_WRITE))
38637 + task->is_writable = 1;
38639 + gr_set_proc_res(task);
38641 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
38642 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38647 +/* always called with valid inodev ptr */
38649 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
38651 + struct acl_object_label *matchpo;
38652 + struct acl_subject_label *matchps;
38653 + struct acl_subject_label *subj;
38654 + struct acl_role_label *role;
38657 + FOR_EACH_ROLE_START(role)
38658 + FOR_EACH_SUBJECT_START(role, subj, x)
38659 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
38660 + matchpo->mode |= GR_DELETED;
38661 + FOR_EACH_SUBJECT_END(subj,x)
38662 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
38663 + if (subj->inode == ino && subj->device == dev)
38664 + subj->mode |= GR_DELETED;
38665 + FOR_EACH_NESTED_SUBJECT_END(subj)
38666 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
38667 + matchps->mode |= GR_DELETED;
38668 + FOR_EACH_ROLE_END(role)
38670 + inodev->nentry->deleted = 1;
38676 +gr_handle_delete(const ino_t ino, const dev_t dev)
38678 + struct inodev_entry *inodev;
38680 + if (unlikely(!(gr_status & GR_READY)))
38683 + write_lock(&gr_inode_lock);
38684 + inodev = lookup_inodev_entry(ino, dev);
38685 + if (inodev != NULL)
38686 + do_handle_delete(inodev, ino, dev);
38687 + write_unlock(&gr_inode_lock);
38693 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
38694 + const ino_t newinode, const dev_t newdevice,
38695 + struct acl_subject_label *subj)
38697 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
38698 + struct acl_object_label *match;
38700 + match = subj->obj_hash[index];
38702 + while (match && (match->inode != oldinode ||
38703 + match->device != olddevice ||
38704 + !(match->mode & GR_DELETED)))
38705 + match = match->next;
38707 + if (match && (match->inode == oldinode)
38708 + && (match->device == olddevice)
38709 + && (match->mode & GR_DELETED)) {
38710 + if (match->prev == NULL) {
38711 + subj->obj_hash[index] = match->next;
38712 + if (match->next != NULL)
38713 + match->next->prev = NULL;
38715 + match->prev->next = match->next;
38716 + if (match->next != NULL)
38717 + match->next->prev = match->prev;
38719 + match->prev = NULL;
38720 + match->next = NULL;
38721 + match->inode = newinode;
38722 + match->device = newdevice;
38723 + match->mode &= ~GR_DELETED;
38725 + insert_acl_obj_label(match, subj);
38732 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
38733 + const ino_t newinode, const dev_t newdevice,
38734 + struct acl_role_label *role)
38736 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
38737 + struct acl_subject_label *match;
38739 + match = role->subj_hash[index];
38741 + while (match && (match->inode != oldinode ||
38742 + match->device != olddevice ||
38743 + !(match->mode & GR_DELETED)))
38744 + match = match->next;
38746 + if (match && (match->inode == oldinode)
38747 + && (match->device == olddevice)
38748 + && (match->mode & GR_DELETED)) {
38749 + if (match->prev == NULL) {
38750 + role->subj_hash[index] = match->next;
38751 + if (match->next != NULL)
38752 + match->next->prev = NULL;
38754 + match->prev->next = match->next;
38755 + if (match->next != NULL)
38756 + match->next->prev = match->prev;
38758 + match->prev = NULL;
38759 + match->next = NULL;
38760 + match->inode = newinode;
38761 + match->device = newdevice;
38762 + match->mode &= ~GR_DELETED;
38764 + insert_acl_subj_label(match, role);
38771 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
38772 + const ino_t newinode, const dev_t newdevice)
38774 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
38775 + struct inodev_entry *match;
38777 + match = inodev_set.i_hash[index];
38779 + while (match && (match->nentry->inode != oldinode ||
38780 + match->nentry->device != olddevice || !match->nentry->deleted))
38781 + match = match->next;
38783 + if (match && (match->nentry->inode == oldinode)
38784 + && (match->nentry->device == olddevice) &&
38785 + match->nentry->deleted) {
38786 + if (match->prev == NULL) {
38787 + inodev_set.i_hash[index] = match->next;
38788 + if (match->next != NULL)
38789 + match->next->prev = NULL;
38791 + match->prev->next = match->next;
38792 + if (match->next != NULL)
38793 + match->next->prev = match->prev;
38795 + match->prev = NULL;
38796 + match->next = NULL;
38797 + match->nentry->inode = newinode;
38798 + match->nentry->device = newdevice;
38799 + match->nentry->deleted = 0;
38801 + insert_inodev_entry(match);
38808 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
38809 + const struct vfsmount *mnt)
38811 + struct acl_subject_label *subj;
38812 + struct acl_role_label *role;
38814 + ino_t ino = dentry->d_inode->i_ino;
38815 + dev_t dev = __get_dev(dentry);
38817 + FOR_EACH_ROLE_START(role)
38818 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
38820 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
38821 + if ((subj->inode == ino) && (subj->device == dev)) {
38822 + subj->inode = ino;
38823 + subj->device = dev;
38825 + FOR_EACH_NESTED_SUBJECT_END(subj)
38826 + FOR_EACH_SUBJECT_START(role, subj, x)
38827 + update_acl_obj_label(matchn->inode, matchn->device,
38829 + FOR_EACH_SUBJECT_END(subj,x)
38830 + FOR_EACH_ROLE_END(role)
38832 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
38838 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
38840 + struct name_entry *matchn;
38842 + if (unlikely(!(gr_status & GR_READY)))
38845 + preempt_disable();
38846 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
38848 + if (unlikely((unsigned long)matchn)) {
38849 + write_lock(&gr_inode_lock);
38850 + do_handle_create(matchn, dentry, mnt);
38851 + write_unlock(&gr_inode_lock);
38853 + preempt_enable();
38859 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
38860 + struct dentry *old_dentry,
38861 + struct dentry *new_dentry,
38862 + struct vfsmount *mnt, const __u8 replace)
38864 + struct name_entry *matchn;
38865 + struct inodev_entry *inodev;
38866 + ino_t old_ino = old_dentry->d_inode->i_ino;
38867 + dev_t old_dev = __get_dev(old_dentry);
38869 + /* vfs_rename swaps the name and parent link for old_dentry and
38871 + at this point, old_dentry has the new name, parent link, and inode
38872 + for the renamed file
38873 + if a file is being replaced by a rename, new_dentry has the inode
38874 + and name for the replaced file
38877 + if (unlikely(!(gr_status & GR_READY)))
38880 + preempt_disable();
38881 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
38883 + /* we wouldn't have to check d_inode if it weren't for
38884 + NFS silly-renaming
38887 + write_lock(&gr_inode_lock);
38888 + if (unlikely(replace && new_dentry->d_inode)) {
38889 + ino_t new_ino = new_dentry->d_inode->i_ino;
38890 + dev_t new_dev = __get_dev(new_dentry);
38892 + inodev = lookup_inodev_entry(new_ino, new_dev);
38893 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
38894 + do_handle_delete(inodev, new_ino, new_dev);
38897 + inodev = lookup_inodev_entry(old_ino, old_dev);
38898 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
38899 + do_handle_delete(inodev, old_ino, old_dev);
38901 + if (unlikely((unsigned long)matchn))
38902 + do_handle_create(matchn, old_dentry, mnt);
38904 + write_unlock(&gr_inode_lock);
38905 + preempt_enable();
38911 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
38912 + unsigned char **sum)
38914 + struct acl_role_label *r;
38915 + struct role_allowed_ip *ipp;
38916 + struct role_transition *trans;
38919 + u32 curr_ip = current->signal->curr_ip;
38921 + current->signal->saved_ip = curr_ip;
38923 + /* check transition table */
38925 + for (trans = current->role->transitions; trans; trans = trans->next) {
38926 + if (!strcmp(rolename, trans->rolename)) {
38935 + /* handle special roles that do not require authentication
38938 + FOR_EACH_ROLE_START(r)
38939 + if (!strcmp(rolename, r->rolename) &&
38940 + (r->roletype & GR_ROLE_SPECIAL)) {
38942 + if (r->allowed_ips != NULL) {
38943 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
38944 + if ((ntohl(curr_ip) & ipp->netmask) ==
38945 + (ntohl(ipp->addr) & ipp->netmask))
38953 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
38954 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
38960 + FOR_EACH_ROLE_END(r)
38962 + for (i = 0; i < num_sprole_pws; i++) {
38963 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
38964 + *salt = acl_special_roles[i]->salt;
38965 + *sum = acl_special_roles[i]->sum;
38974 +assign_special_role(char *rolename)
38976 + struct acl_object_label *obj;
38977 + struct acl_role_label *r;
38978 + struct acl_role_label *assigned = NULL;
38979 + struct task_struct *tsk;
38980 + struct file *filp;
38982 + FOR_EACH_ROLE_START(r)
38983 + if (!strcmp(rolename, r->rolename) &&
38984 + (r->roletype & GR_ROLE_SPECIAL)) {
38988 + FOR_EACH_ROLE_END(r)
38993 + read_lock(&tasklist_lock);
38994 + read_lock(&grsec_exec_file_lock);
38996 + tsk = current->real_parent;
39000 + filp = tsk->exec_file;
39001 + if (filp == NULL)
39004 + tsk->is_writable = 0;
39006 + tsk->acl_sp_role = 1;
39007 + tsk->acl_role_id = ++acl_sp_role_value;
39008 + tsk->role = assigned;
39009 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
39011 + /* ignore additional mmap checks for processes that are writable
39012 + by the default ACL */
39013 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
39014 + if (unlikely(obj->mode & GR_WRITE))
39015 + tsk->is_writable = 1;
39016 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
39017 + if (unlikely(obj->mode & GR_WRITE))
39018 + tsk->is_writable = 1;
39020 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
39021 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
39025 + read_unlock(&grsec_exec_file_lock);
39026 + read_unlock(&tasklist_lock);
39030 +int gr_check_secure_terminal(struct task_struct *task)
39032 + struct task_struct *p, *p2, *p3;
39033 + struct files_struct *files;
39034 + struct fdtable *fdt;
39035 + struct file *our_file = NULL, *file;
39038 + if (task->signal->tty == NULL)
39041 + files = get_files_struct(task);
39042 + if (files != NULL) {
39044 + fdt = files_fdtable(files);
39045 + for (i=0; i < fdt->max_fds; i++) {
39046 + file = fcheck_files(files, i);
39047 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
39052 + rcu_read_unlock();
39053 + put_files_struct(files);
39056 + if (our_file == NULL)
39059 + read_lock(&tasklist_lock);
39060 + do_each_thread(p2, p) {
39061 + files = get_files_struct(p);
39062 + if (files == NULL ||
39063 + (p->signal && p->signal->tty == task->signal->tty)) {
39064 + if (files != NULL)
39065 + put_files_struct(files);
39069 + fdt = files_fdtable(files);
39070 + for (i=0; i < fdt->max_fds; i++) {
39071 + file = fcheck_files(files, i);
39072 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
39073 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
39075 + while (p3->pid > 0) {
39078 + p3 = p3->real_parent;
39082 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
39083 + gr_handle_alertkill(p);
39084 + rcu_read_unlock();
39085 + put_files_struct(files);
39086 + read_unlock(&tasklist_lock);
39091 + rcu_read_unlock();
39092 + put_files_struct(files);
39093 + } while_each_thread(p2, p);
39094 + read_unlock(&tasklist_lock);
39101 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
39103 + struct gr_arg_wrapper uwrap;
39104 + unsigned char *sprole_salt = NULL;
39105 + unsigned char *sprole_sum = NULL;
39106 + int error = sizeof (struct gr_arg_wrapper);
39109 + mutex_lock(&gr_dev_mutex);
39111 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
39116 + if (count != sizeof (struct gr_arg_wrapper)) {
39117 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
39123 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
39124 + gr_auth_expires = 0;
39125 + gr_auth_attempts = 0;
39128 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
39133 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
39138 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
39143 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
39144 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
39145 + time_after(gr_auth_expires, get_seconds())) {
39150 + /* if non-root trying to do anything other than use a special role,
39151 + do not attempt authentication, do not count towards authentication
39155 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
39156 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
39162 + /* ensure pw and special role name are null terminated */
39164 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
39165 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
39168 + * We have our enough of the argument structure..(we have yet
39169 + * to copy_from_user the tables themselves) . Copy the tables
39170 + * only if we need them, i.e. for loading operations. */
39172 + switch (gr_usermode->mode) {
39174 + if (gr_status & GR_READY) {
39176 + if (!gr_check_secure_terminal(current))
39181 + case GR_SHUTDOWN:
39182 + if ((gr_status & GR_READY)
39183 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
39184 + pax_open_kernel();
39185 + gr_status &= ~GR_READY;
39186 + pax_close_kernel();
39188 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
39189 + free_variables();
39190 + memset(gr_usermode, 0, sizeof (struct gr_arg));
39191 + memset(gr_system_salt, 0, GR_SALT_LEN);
39192 + memset(gr_system_sum, 0, GR_SHA_LEN);
39193 + } else if (gr_status & GR_READY) {
39194 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
39197 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
39202 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
39203 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
39205 + if (gr_status & GR_READY)
39209 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
39213 + if (!(gr_status & GR_READY)) {
39214 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
39216 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
39217 + preempt_disable();
39219 + pax_open_kernel();
39220 + gr_status &= ~GR_READY;
39221 + pax_close_kernel();
39223 + free_variables();
39224 + if (!(error2 = gracl_init(gr_usermode))) {
39225 + preempt_enable();
39226 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
39228 + preempt_enable();
39230 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
39233 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
39238 + if (unlikely(!(gr_status & GR_READY))) {
39239 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
39244 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
39245 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
39246 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
39247 + struct acl_subject_label *segvacl;
39249 + lookup_acl_subj_label(gr_usermode->segv_inode,
39250 + gr_usermode->segv_device,
39253 + segvacl->crashes = 0;
39254 + segvacl->expires = 0;
39256 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
39257 + gr_remove_uid(gr_usermode->segv_uid);
39260 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
39265 + case GR_SPROLEPAM:
39266 + if (unlikely(!(gr_status & GR_READY))) {
39267 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
39272 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
39273 + current->role->expires = 0;
39274 + current->role->auth_attempts = 0;
39277 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
39278 + time_after(current->role->expires, get_seconds())) {
39283 + if (lookup_special_role_auth
39284 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
39285 + && ((!sprole_salt && !sprole_sum)
39286 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
39288 + assign_special_role(gr_usermode->sp_role);
39289 + read_lock(&tasklist_lock);
39290 + if (current->real_parent)
39291 + p = current->real_parent->role->rolename;
39292 + read_unlock(&tasklist_lock);
39293 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
39294 + p, acl_sp_role_value);
39296 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
39298 + if(!(current->role->auth_attempts++))
39299 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
39304 + case GR_UNSPROLE:
39305 + if (unlikely(!(gr_status & GR_READY))) {
39306 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
39311 + if (current->role->roletype & GR_ROLE_SPECIAL) {
39315 + read_lock(&tasklist_lock);
39316 + if (current->real_parent) {
39317 + p = current->real_parent->role->rolename;
39318 + i = current->real_parent->acl_role_id;
39320 + read_unlock(&tasklist_lock);
39322 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
39330 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
39335 + if (error != -EPERM)
39338 + if(!(gr_auth_attempts++))
39339 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
39342 + mutex_unlock(&gr_dev_mutex);
39346 +/* must be called with
39348 + read_lock(&tasklist_lock);
39349 + read_lock(&grsec_exec_file_lock);
39351 +int gr_apply_subject_to_task(struct task_struct *task)
39353 + struct acl_object_label *obj;
39355 + struct acl_subject_label *tmpsubj;
39356 + struct file *filp;
39357 + struct name_entry *nmatch;
39359 + filp = task->exec_file;
39360 + if (filp == NULL)
39363 + /* the following is to apply the correct subject
39364 + on binaries running when the RBAC system
39365 + is enabled, when the binaries have been
39366 + replaced or deleted since their execution
39368 + when the RBAC system starts, the inode/dev
39369 + from exec_file will be one the RBAC system
39370 + is unaware of. It only knows the inode/dev
39371 + of the present file on disk, or the absence
39374 + preempt_disable();
39375 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
39377 + nmatch = lookup_name_entry(tmpname);
39378 + preempt_enable();
39381 + if (nmatch->deleted)
39382 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
39384 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
39385 + if (tmpsubj != NULL)
39386 + task->acl = tmpsubj;
39388 + if (tmpsubj == NULL)
39389 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
39392 + struct acl_subject_label *curr;
39393 + curr = task->acl;
39395 + task->is_writable = 0;
39396 + /* ignore additional mmap checks for processes that are writable
39397 + by the default ACL */
39398 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
39399 + if (unlikely(obj->mode & GR_WRITE))
39400 + task->is_writable = 1;
39401 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
39402 + if (unlikely(obj->mode & GR_WRITE))
39403 + task->is_writable = 1;
39405 + gr_set_proc_res(task);
39407 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
39408 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
39418 +gr_set_acls(const int type)
39420 + struct task_struct *task, *task2;
39421 + struct acl_role_label *role = current->role;
39422 + __u16 acl_role_id = current->acl_role_id;
39423 + const struct cred *cred;
39427 + read_lock(&tasklist_lock);
39428 + read_lock(&grsec_exec_file_lock);
39429 + do_each_thread(task2, task) {
39430 + /* check to see if we're called from the exit handler,
39431 + if so, only replace ACLs that have inherited the admin
39434 + if (type && (task->role != role ||
39435 + task->acl_role_id != acl_role_id))
39438 + task->acl_role_id = 0;
39439 + task->acl_sp_role = 0;
39441 + if (task->exec_file) {
39442 + cred = __task_cred(task);
39443 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
39444 + ret = gr_apply_subject_to_task(task);
39446 + read_unlock(&grsec_exec_file_lock);
39447 + read_unlock(&tasklist_lock);
39448 + rcu_read_unlock();
39449 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
39453 + // it's a kernel process
39454 + task->role = kernel_role;
39455 + task->acl = kernel_role->root_label;
39456 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
39457 + task->acl->mode &= ~GR_PROCFIND;
39460 + } while_each_thread(task2, task);
39461 + read_unlock(&grsec_exec_file_lock);
39462 + read_unlock(&tasklist_lock);
39463 + rcu_read_unlock();
39469 +gr_learn_resource(const struct task_struct *task,
39470 + const int res, const unsigned long wanted, const int gt)
39472 + struct acl_subject_label *acl;
39473 + const struct cred *cred;
39475 + if (unlikely((gr_status & GR_READY) &&
39476 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
39477 + goto skip_reslog;
39479 +#ifdef CONFIG_GRKERNSEC_RESLOG
39480 + gr_log_resource(task, res, wanted, gt);
39484 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
39489 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
39490 + !(acl->resmask & (1 << (unsigned short) res))))
39493 + if (wanted >= acl->res[res].rlim_cur) {
39494 + unsigned long res_add;
39496 + res_add = wanted;
39499 + res_add += GR_RLIM_CPU_BUMP;
39501 + case RLIMIT_FSIZE:
39502 + res_add += GR_RLIM_FSIZE_BUMP;
39504 + case RLIMIT_DATA:
39505 + res_add += GR_RLIM_DATA_BUMP;
39507 + case RLIMIT_STACK:
39508 + res_add += GR_RLIM_STACK_BUMP;
39510 + case RLIMIT_CORE:
39511 + res_add += GR_RLIM_CORE_BUMP;
39514 + res_add += GR_RLIM_RSS_BUMP;
39516 + case RLIMIT_NPROC:
39517 + res_add += GR_RLIM_NPROC_BUMP;
39519 + case RLIMIT_NOFILE:
39520 + res_add += GR_RLIM_NOFILE_BUMP;
39522 + case RLIMIT_MEMLOCK:
39523 + res_add += GR_RLIM_MEMLOCK_BUMP;
39526 + res_add += GR_RLIM_AS_BUMP;
39528 + case RLIMIT_LOCKS:
39529 + res_add += GR_RLIM_LOCKS_BUMP;
39531 + case RLIMIT_SIGPENDING:
39532 + res_add += GR_RLIM_SIGPENDING_BUMP;
39534 + case RLIMIT_MSGQUEUE:
39535 + res_add += GR_RLIM_MSGQUEUE_BUMP;
39537 + case RLIMIT_NICE:
39538 + res_add += GR_RLIM_NICE_BUMP;
39540 + case RLIMIT_RTPRIO:
39541 + res_add += GR_RLIM_RTPRIO_BUMP;
39543 + case RLIMIT_RTTIME:
39544 + res_add += GR_RLIM_RTTIME_BUMP;
39548 + acl->res[res].rlim_cur = res_add;
39550 + if (wanted > acl->res[res].rlim_max)
39551 + acl->res[res].rlim_max = res_add;
39553 + /* only log the subject filename, since resource logging is supported for
39554 + single-subject learning only */
39556 + cred = __task_cred(task);
39557 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
39558 + task->role->roletype, cred->uid, cred->gid, acl->filename,
39559 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
39560 + "", (unsigned long) res, &task->signal->saved_ip);
39561 + rcu_read_unlock();
39567 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
39569 +pax_set_initial_flags(struct linux_binprm *bprm)
39571 + struct task_struct *task = current;
39572 + struct acl_subject_label *proc;
39573 + unsigned long flags;
39575 + if (unlikely(!(gr_status & GR_READY)))
39578 + flags = pax_get_flags(task);
39580 + proc = task->acl;
39582 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
39583 + flags &= ~MF_PAX_PAGEEXEC;
39584 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
39585 + flags &= ~MF_PAX_SEGMEXEC;
39586 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
39587 + flags &= ~MF_PAX_RANDMMAP;
39588 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
39589 + flags &= ~MF_PAX_EMUTRAMP;
39590 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
39591 + flags &= ~MF_PAX_MPROTECT;
39593 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
39594 + flags |= MF_PAX_PAGEEXEC;
39595 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
39596 + flags |= MF_PAX_SEGMEXEC;
39597 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
39598 + flags |= MF_PAX_RANDMMAP;
39599 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
39600 + flags |= MF_PAX_EMUTRAMP;
39601 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
39602 + flags |= MF_PAX_MPROTECT;
39604 + pax_set_flags(task, flags);
39610 +#ifdef CONFIG_SYSCTL
39611 +/* Eric Biederman likes breaking userland ABI and every inode-based security
39612 + system to save 35kb of memory */
39614 +/* we modify the passed in filename, but adjust it back before returning */
39615 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
39617 + struct name_entry *nmatch;
39618 + char *p, *lastp = NULL;
39619 + struct acl_object_label *obj = NULL, *tmp;
39620 + struct acl_subject_label *tmpsubj;
39623 + read_lock(&gr_inode_lock);
39625 + p = name + len - 1;
39627 + nmatch = lookup_name_entry(name);
39628 + if (lastp != NULL)
39631 + if (nmatch == NULL)
39632 + goto next_component;
39633 + tmpsubj = current->acl;
39635 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
39636 + if (obj != NULL) {
39637 + tmp = obj->globbed;
39639 + if (!glob_match(tmp->filename, name)) {
39647 + } while ((tmpsubj = tmpsubj->parent_subject));
39653 + while (*p != '/')
39665 + read_unlock(&gr_inode_lock);
39666 + /* obj returned will always be non-null */
39670 +/* returns 0 when allowing, non-zero on error
39671 + op of 0 is used for readdir, so we don't log the names of hidden files
39674 +gr_handle_sysctl(const struct ctl_table *table, const int op)
39676 + struct ctl_table *tmp;
39677 + const char *proc_sys = "/proc/sys";
39679 + struct acl_object_label *obj;
39680 + unsigned short len = 0, pos = 0, depth = 0, i;
39684 + if (unlikely(!(gr_status & GR_READY)))
39687 + /* for now, ignore operations on non-sysctl entries if it's not a
39689 + if (table->child != NULL && op != 0)
39693 + /* it's only a read if it's an entry, read on dirs is for readdir */
39694 + if (op & MAY_READ)
39696 + if (op & MAY_WRITE)
39697 + mode |= GR_WRITE;
39699 + preempt_disable();
39701 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
39703 + /* it's only a read/write if it's an actual entry, not a dir
39704 + (which are opened for readdir)
39707 + /* convert the requested sysctl entry into a pathname */
39709 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
39710 + len += strlen(tmp->procname);
39715 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
39720 + memset(path, 0, PAGE_SIZE);
39722 + memcpy(path, proc_sys, strlen(proc_sys));
39724 + pos += strlen(proc_sys);
39726 + for (; depth > 0; depth--) {
39729 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
39730 + if (depth == i) {
39731 + memcpy(path + pos, tmp->procname,
39732 + strlen(tmp->procname));
39733 + pos += strlen(tmp->procname);
39739 + obj = gr_lookup_by_name(path, pos);
39740 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
39742 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
39743 + ((err & mode) != mode))) {
39744 + __u32 new_mode = mode;
39746 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
39749 + gr_log_learn_sysctl(path, new_mode);
39750 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
39751 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
39753 + } else if (!(err & GR_FIND)) {
39755 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
39756 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
39757 + path, (mode & GR_READ) ? " reading" : "",
39758 + (mode & GR_WRITE) ? " writing" : "");
39760 + } else if ((err & mode) != mode) {
39762 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
39763 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
39764 + path, (mode & GR_READ) ? " reading" : "",
39765 + (mode & GR_WRITE) ? " writing" : "");
39771 + preempt_enable();
39778 +gr_handle_proc_ptrace(struct task_struct *task)
39780 + struct file *filp;
39781 + struct task_struct *tmp = task;
39782 + struct task_struct *curtemp = current;
39785 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
39786 + if (unlikely(!(gr_status & GR_READY)))
39790 + read_lock(&tasklist_lock);
39791 + read_lock(&grsec_exec_file_lock);
39792 + filp = task->exec_file;
39794 + while (tmp->pid > 0) {
39795 + if (tmp == curtemp)
39797 + tmp = tmp->real_parent;
39800 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
39801 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
39802 + read_unlock(&grsec_exec_file_lock);
39803 + read_unlock(&tasklist_lock);
39807 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
39808 + if (!(gr_status & GR_READY)) {
39809 + read_unlock(&grsec_exec_file_lock);
39810 + read_unlock(&tasklist_lock);
39815 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
39816 + read_unlock(&grsec_exec_file_lock);
39817 + read_unlock(&tasklist_lock);
39819 + if (retmode & GR_NOPTRACE)
39822 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
39823 + && (current->acl != task->acl || (current->acl != current->role->root_label
39824 + && current->pid != task->pid)))
39830 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
39832 + if (unlikely(!(gr_status & GR_READY)))
39835 + if (!(current->role->roletype & GR_ROLE_GOD))
39838 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
39839 + p->role->rolename, gr_task_roletype_to_char(p),
39840 + p->acl->filename);
39844 +gr_handle_ptrace(struct task_struct *task, const long request)
39846 + struct task_struct *tmp = task;
39847 + struct task_struct *curtemp = current;
39850 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
39851 + if (unlikely(!(gr_status & GR_READY)))
39855 + read_lock(&tasklist_lock);
39856 + while (tmp->pid > 0) {
39857 + if (tmp == curtemp)
39859 + tmp = tmp->real_parent;
39862 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
39863 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
39864 + read_unlock(&tasklist_lock);
39865 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
39868 + read_unlock(&tasklist_lock);
39870 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
39871 + if (!(gr_status & GR_READY))
39875 + read_lock(&grsec_exec_file_lock);
39876 + if (unlikely(!task->exec_file)) {
39877 + read_unlock(&grsec_exec_file_lock);
39881 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
39882 + read_unlock(&grsec_exec_file_lock);
39884 + if (retmode & GR_NOPTRACE) {
39885 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
39889 + if (retmode & GR_PTRACERD) {
39890 + switch (request) {
39891 + case PTRACE_POKETEXT:
39892 + case PTRACE_POKEDATA:
39893 + case PTRACE_POKEUSR:
39894 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
39895 + case PTRACE_SETREGS:
39896 + case PTRACE_SETFPREGS:
39899 + case PTRACE_SETFPXREGS:
39901 +#ifdef CONFIG_ALTIVEC
39902 + case PTRACE_SETVRREGS:
39908 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
39909 + !(current->role->roletype & GR_ROLE_GOD) &&
39910 + (current->acl != task->acl)) {
39911 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
39918 +static int is_writable_mmap(const struct file *filp)
39920 + struct task_struct *task = current;
39921 + struct acl_object_label *obj, *obj2;
39923 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
39924 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
39925 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
39926 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
39927 + task->role->root_label);
39928 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
39929 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
39937 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
39941 + if (unlikely(!file || !(prot & PROT_EXEC)))
39944 + if (is_writable_mmap(file))
39948 + gr_search_file(file->f_path.dentry,
39949 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
39950 + file->f_path.mnt);
39952 + if (!gr_tpe_allow(file))
39955 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
39956 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39958 + } else if (unlikely(!(mode & GR_EXEC))) {
39960 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
39961 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39969 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
39973 + if (unlikely(!file || !(prot & PROT_EXEC)))
39976 + if (is_writable_mmap(file))
39980 + gr_search_file(file->f_path.dentry,
39981 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
39982 + file->f_path.mnt);
39984 + if (!gr_tpe_allow(file))
39987 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
39988 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39990 + } else if (unlikely(!(mode & GR_EXEC))) {
39992 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
39993 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
40001 +gr_acl_handle_psacct(struct task_struct *task, const long code)
40003 + unsigned long runtime;
40004 + unsigned long cputime;
40005 + unsigned int wday, cday;
40009 + struct timespec timeval;
40011 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
40012 + !(task->acl->mode & GR_PROCACCT)))
40015 + do_posix_clock_monotonic_gettime(&timeval);
40016 + runtime = timeval.tv_sec - task->start_time.tv_sec;
40017 + wday = runtime / (3600 * 24);
40018 + runtime -= wday * (3600 * 24);
40019 + whr = runtime / 3600;
40020 + runtime -= whr * 3600;
40021 + wmin = runtime / 60;
40022 + runtime -= wmin * 60;
40025 + cputime = (task->utime + task->stime) / HZ;
40026 + cday = cputime / (3600 * 24);
40027 + cputime -= cday * (3600 * 24);
40028 + chr = cputime / 3600;
40029 + cputime -= chr * 3600;
40030 + cmin = cputime / 60;
40031 + cputime -= cmin * 60;
40034 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
40039 +void gr_set_kernel_label(struct task_struct *task)
40041 + if (gr_status & GR_READY) {
40042 + task->role = kernel_role;
40043 + task->acl = kernel_role->root_label;
40048 +#ifdef CONFIG_TASKSTATS
40049 +int gr_is_taskstats_denied(int pid)
40051 + struct task_struct *task;
40052 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
40053 + const struct cred *cred;
40057 + /* restrict taskstats viewing to un-chrooted root users
40058 + who have the 'view' subject flag if the RBAC system is enabled
40062 + read_lock(&tasklist_lock);
40063 + task = find_task_by_vpid(pid);
40065 +#ifdef CONFIG_GRKERNSEC_CHROOT
40066 + if (proc_is_chrooted(task))
40069 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
40070 + cred = __task_cred(task);
40071 +#ifdef CONFIG_GRKERNSEC_PROC_USER
40072 + if (cred->uid != 0)
40074 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
40075 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
40079 + if (gr_status & GR_READY) {
40080 + if (!(task->acl->mode & GR_VIEW))
40086 + read_unlock(&tasklist_lock);
40087 + rcu_read_unlock();
40093 +/* AUXV entries are filled via a descendant of search_binary_handler
40094 + after we've already applied the subject for the target
40096 +int gr_acl_enable_at_secure(void)
40098 + if (unlikely(!(gr_status & GR_READY)))
40101 + if (current->acl->mode & GR_ATSECURE)
40107 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
40109 + struct task_struct *task = current;
40110 + struct dentry *dentry = file->f_path.dentry;
40111 + struct vfsmount *mnt = file->f_path.mnt;
40112 + struct acl_object_label *obj, *tmp;
40113 + struct acl_subject_label *subj;
40114 + unsigned int bufsize;
40117 + dev_t dev = __get_dev(dentry);
40119 + if (unlikely(!(gr_status & GR_READY)))
40122 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
40125 + /* ignore Eric Biederman */
40126 + if (IS_PRIVATE(dentry->d_inode))
40129 + subj = task->acl;
40131 + obj = lookup_acl_obj_label(ino, dev, subj);
40133 + return (obj->mode & GR_FIND) ? 1 : 0;
40134 + } while ((subj = subj->parent_subject));
40136 + /* this is purely an optimization since we're looking for an object
40137 + for the directory we're doing a readdir on
40138 + if it's possible for any globbed object to match the entry we're
40139 + filling into the directory, then the object we find here will be
40140 + an anchor point with attached globbed objects
40142 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
40143 + if (obj->globbed == NULL)
40144 + return (obj->mode & GR_FIND) ? 1 : 0;
40146 + is_not_root = ((obj->filename[0] == '/') &&
40147 + (obj->filename[1] == '\0')) ? 0 : 1;
40148 + bufsize = PAGE_SIZE - namelen - is_not_root;
40150 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
40151 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
40154 + preempt_disable();
40155 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
40158 + bufsize = strlen(path);
40160 + /* if base is "/", don't append an additional slash */
40162 + *(path + bufsize) = '/';
40163 + memcpy(path + bufsize + is_not_root, name, namelen);
40164 + *(path + bufsize + namelen + is_not_root) = '\0';
40166 + tmp = obj->globbed;
40168 + if (!glob_match(tmp->filename, path)) {
40169 + preempt_enable();
40170 + return (tmp->mode & GR_FIND) ? 1 : 0;
40174 + preempt_enable();
40175 + return (obj->mode & GR_FIND) ? 1 : 0;
40178 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
40179 +EXPORT_SYMBOL(gr_acl_is_enabled);
40181 +EXPORT_SYMBOL(gr_learn_resource);
40182 +EXPORT_SYMBOL(gr_set_kernel_label);
40183 +#ifdef CONFIG_SECURITY
40184 +EXPORT_SYMBOL(gr_check_user_change);
40185 +EXPORT_SYMBOL(gr_check_group_change);
40188 diff -urNp linux-2.6.38.4/grsecurity/gracl_cap.c linux-2.6.38.4/grsecurity/gracl_cap.c
40189 --- linux-2.6.38.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
40190 +++ linux-2.6.38.4/grsecurity/gracl_cap.c 2011-04-17 15:57:32.000000000 -0400
40192 +#include <linux/kernel.h>
40193 +#include <linux/module.h>
40194 +#include <linux/sched.h>
40195 +#include <linux/gracl.h>
40196 +#include <linux/grsecurity.h>
40197 +#include <linux/grinternal.h>
40199 +static const char *captab_log[] = {
40201 + "CAP_DAC_OVERRIDE",
40202 + "CAP_DAC_READ_SEARCH",
40209 + "CAP_LINUX_IMMUTABLE",
40210 + "CAP_NET_BIND_SERVICE",
40211 + "CAP_NET_BROADCAST",
40216 + "CAP_SYS_MODULE",
40218 + "CAP_SYS_CHROOT",
40219 + "CAP_SYS_PTRACE",
40224 + "CAP_SYS_RESOURCE",
40226 + "CAP_SYS_TTY_CONFIG",
40229 + "CAP_AUDIT_WRITE",
40230 + "CAP_AUDIT_CONTROL",
40232 + "CAP_MAC_OVERRIDE",
40237 +EXPORT_SYMBOL(gr_is_capable);
40238 +EXPORT_SYMBOL(gr_is_capable_nolog);
40241 +gr_is_capable(const int cap)
40243 + struct task_struct *task = current;
40244 + const struct cred *cred = current_cred();
40245 + struct acl_subject_label *curracl;
40246 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
40247 + kernel_cap_t cap_audit = __cap_empty_set;
40249 + if (!gr_acl_is_enabled())
40252 + curracl = task->acl;
40254 + cap_drop = curracl->cap_lower;
40255 + cap_mask = curracl->cap_mask;
40256 + cap_audit = curracl->cap_invert_audit;
40258 + while ((curracl = curracl->parent_subject)) {
40259 + /* if the cap isn't specified in the current computed mask but is specified in the
40260 + current level subject, and is lowered in the current level subject, then add
40261 + it to the set of dropped capabilities
40262 + otherwise, add the current level subject's mask to the current computed mask
40264 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
40265 + cap_raise(cap_mask, cap);
40266 + if (cap_raised(curracl->cap_lower, cap))
40267 + cap_raise(cap_drop, cap);
40268 + if (cap_raised(curracl->cap_invert_audit, cap))
40269 + cap_raise(cap_audit, cap);
40273 + if (!cap_raised(cap_drop, cap)) {
40274 + if (cap_raised(cap_audit, cap))
40275 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
40279 + curracl = task->acl;
40281 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
40282 + && cap_raised(cred->cap_effective, cap)) {
40283 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
40284 + task->role->roletype, cred->uid,
40285 + cred->gid, task->exec_file ?
40286 + gr_to_filename(task->exec_file->f_path.dentry,
40287 + task->exec_file->f_path.mnt) : curracl->filename,
40288 + curracl->filename, 0UL,
40289 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
40293 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
40294 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
40299 +gr_is_capable_nolog(const int cap)
40301 + struct acl_subject_label *curracl;
40302 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
40304 + if (!gr_acl_is_enabled())
40307 + curracl = current->acl;
40309 + cap_drop = curracl->cap_lower;
40310 + cap_mask = curracl->cap_mask;
40312 + while ((curracl = curracl->parent_subject)) {
40313 + /* if the cap isn't specified in the current computed mask but is specified in the
40314 + current level subject, and is lowered in the current level subject, then add
40315 + it to the set of dropped capabilities
40316 + otherwise, add the current level subject's mask to the current computed mask
40318 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
40319 + cap_raise(cap_mask, cap);
40320 + if (cap_raised(curracl->cap_lower, cap))
40321 + cap_raise(cap_drop, cap);
40325 + if (!cap_raised(cap_drop, cap))
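Review bot: In gr_is_capable the audit branch indexes `captab_log[cap]` without the bounds check that the deny branch applies a few lines later (`(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`), so a negative or oversized cap that reaches the audited path reads outside the table; the listing elides table entries, so I cannot confirm it covers every CAP_* value, but the two paths should at least agree. cap comes from in-kernel capable() callers and is presumably valid in practice, which is exactly why a silent divergence between the two branches is easy to miss. I would guard the audit log the same way, `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`, and use `ARRAY_SIZE` from linux/kernel.h (already included) in the deny branch too instead of the hand-written sizeof division. The return statements following the `if (!cap_raised(cap_drop, cap))` blocks are not shown in this listing, so the control flow after the audit log is inferred.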
40331 diff -urNp linux-2.6.38.4/grsecurity/gracl_fs.c linux-2.6.38.4/grsecurity/gracl_fs.c
40332 --- linux-2.6.38.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
40333 +++ linux-2.6.38.4/grsecurity/gracl_fs.c 2011-04-17 15:57:32.000000000 -0400
40335 +#include <linux/kernel.h>
40336 +#include <linux/sched.h>
40337 +#include <linux/types.h>
40338 +#include <linux/fs.h>
40339 +#include <linux/file.h>
40340 +#include <linux/stat.h>
40341 +#include <linux/grsecurity.h>
40342 +#include <linux/grinternal.h>
40343 +#include <linux/gracl.h>
40346 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40347 + const struct vfsmount * mnt)
40351 + if (unlikely(!dentry->d_inode))
40355 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
40357 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
40358 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
40360 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
40361 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
40363 + } else if (unlikely(!(mode & GR_FIND)))
40370 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40373 + __u32 reqmode = GR_FIND;
40376 + if (unlikely(!dentry->d_inode))
40379 + if (unlikely(fmode & O_APPEND))
40380 + reqmode |= GR_APPEND;
40381 + else if (unlikely(fmode & FMODE_WRITE))
40382 + reqmode |= GR_WRITE;
40383 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
40384 + reqmode |= GR_READ;
40385 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
40386 + reqmode &= ~GR_READ;
40388 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
40391 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
40392 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
40393 + reqmode & GR_READ ? " reading" : "",
40394 + reqmode & GR_WRITE ? " writing" : reqmode &
40395 + GR_APPEND ? " appending" : "");
40398 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
40400 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
40401 + reqmode & GR_READ ? " reading" : "",
40402 + reqmode & GR_WRITE ? " writing" : reqmode &
40403 + GR_APPEND ? " appending" : "");
40405 + } else if (unlikely((mode & reqmode) != reqmode))
40412 +gr_acl_handle_creat(const struct dentry * dentry,
40413 + const struct dentry * p_dentry,
40414 + const struct vfsmount * p_mnt, const int fmode,
40417 + __u32 reqmode = GR_WRITE | GR_CREATE;
40420 + if (unlikely(fmode & O_APPEND))
40421 + reqmode |= GR_APPEND;
40422 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
40423 + reqmode |= GR_READ;
40424 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
40425 + reqmode |= GR_SETID;
40428 + gr_check_create(dentry, p_dentry, p_mnt,
40429 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
40431 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
40432 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
40433 + reqmode & GR_READ ? " reading" : "",
40434 + reqmode & GR_WRITE ? " writing" : reqmode &
40435 + GR_APPEND ? " appending" : "");
40438 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
40440 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
40441 + reqmode & GR_READ ? " reading" : "",
40442 + reqmode & GR_WRITE ? " writing" : reqmode &
40443 + GR_APPEND ? " appending" : "");
40445 + } else if (unlikely((mode & reqmode) != reqmode))
40452 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
40455 + __u32 mode, reqmode = GR_FIND;
40457 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
40458 + reqmode |= GR_EXEC;
40459 + if (fmode & S_IWOTH)
40460 + reqmode |= GR_WRITE;
40461 + if (fmode & S_IROTH)
40462 + reqmode |= GR_READ;
40465 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
40468 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
40469 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
40470 + reqmode & GR_READ ? " reading" : "",
40471 + reqmode & GR_WRITE ? " writing" : "",
40472 + reqmode & GR_EXEC ? " executing" : "");
40475 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
40477 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
40478 + reqmode & GR_READ ? " reading" : "",
40479 + reqmode & GR_WRITE ? " writing" : "",
40480 + reqmode & GR_EXEC ? " executing" : "");
40482 + } else if (unlikely((mode & reqmode) != reqmode))
40488 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
40492 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
40494 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
40495 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
40497 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
40498 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
40500 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
40503 + return (reqmode);
40507 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40509 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
40513 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
40515 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
40519 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
40521 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
40525 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
40527 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
40531 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
40534 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
40537 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
40538 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
40539 + GR_FCHMOD_ACL_MSG);
40541 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
40546 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
40549 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
40550 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
40551 + GR_CHMOD_ACL_MSG);
40553 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
40558 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
40560 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
40564 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
40566 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
40570 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
40572 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
40576 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
40578 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
40579 + GR_UNIXCONNECT_ACL_MSG);
40582 +/* hardlinks require at minimum create permission,
40583 + any additional privilege required is based on the
40584 + privilege of the file being linked to
40587 +gr_acl_handle_link(const struct dentry * new_dentry,
40588 + const struct dentry * parent_dentry,
40589 + const struct vfsmount * parent_mnt,
40590 + const struct dentry * old_dentry,
40591 + const struct vfsmount * old_mnt, const char *to)
40594 + __u32 needmode = GR_CREATE | GR_LINK;
40595 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
40598 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
40601 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
40602 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
40604 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
40605 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
40607 + } else if (unlikely((mode & needmode) != needmode))
40614 +gr_acl_handle_symlink(const struct dentry * new_dentry,
40615 + const struct dentry * parent_dentry,
40616 + const struct vfsmount * parent_mnt, const char *from)
40618 + __u32 needmode = GR_WRITE | GR_CREATE;
40622 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
40623 + GR_CREATE | GR_AUDIT_CREATE |
40624 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
40626 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
40627 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
40629 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
40630 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
40632 + } else if (unlikely((mode & needmode) != needmode))
40635 + return (GR_WRITE | GR_CREATE);
40638 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
40642 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
40644 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
40645 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
40647 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
40648 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
40650 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
40653 + return (reqmode);
40657 +gr_acl_handle_mknod(const struct dentry * new_dentry,
40658 + const struct dentry * parent_dentry,
40659 + const struct vfsmount * parent_mnt,
40662 + __u32 reqmode = GR_WRITE | GR_CREATE;
40663 + if (unlikely(mode & (S_ISUID | S_ISGID)))
40664 + reqmode |= GR_SETID;
40666 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
40667 + reqmode, GR_MKNOD_ACL_MSG);
40671 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
40672 + const struct dentry *parent_dentry,
40673 + const struct vfsmount *parent_mnt)
40675 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
40676 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
40679 +#define RENAME_CHECK_SUCCESS(old, new) \
40680 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
40681 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
40684 +gr_acl_handle_rename(struct dentry *new_dentry,
40685 + struct dentry *parent_dentry,
40686 + const struct vfsmount *parent_mnt,
40687 + struct dentry *old_dentry,
40688 + struct inode *old_parent_inode,
40689 + struct vfsmount *old_mnt, const char *newname)
40691 + __u32 comp1, comp2;
40694 + if (unlikely(!gr_acl_is_enabled()))
40697 + if (!new_dentry->d_inode) {
40698 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
40699 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
40700 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
40701 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
40702 + GR_DELETE | GR_AUDIT_DELETE |
40703 + GR_AUDIT_READ | GR_AUDIT_WRITE |
40704 + GR_SUPPRESS, old_mnt);
40706 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
40707 + GR_CREATE | GR_DELETE |
40708 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
40709 + GR_AUDIT_READ | GR_AUDIT_WRITE |
40710 + GR_SUPPRESS, parent_mnt);
40712 + gr_search_file(old_dentry,
40713 + GR_READ | GR_WRITE | GR_AUDIT_READ |
40714 + GR_DELETE | GR_AUDIT_DELETE |
40715 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
40718 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
40719 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
40720 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
40721 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
40722 + && !(comp2 & GR_SUPPRESS)) {
40723 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
40725 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
40732 +gr_acl_handle_exit(void)
40736 + struct file *exec_file;
40738 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
40739 + !(current->role->roletype & GR_ROLE_PERSIST))) {
40740 + id = current->acl_role_id;
40741 + rolename = current->role->rolename;
40743 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
40746 + write_lock(&grsec_exec_file_lock);
40747 + exec_file = current->exec_file;
40748 + current->exec_file = NULL;
40749 + write_unlock(&grsec_exec_file_lock);
40756 +gr_acl_handle_procpidmem(const struct task_struct *task)
40758 + if (unlikely(!gr_acl_is_enabled()))
40761 + if (task != current && task->acl->mode & GR_PROTPROCFD)
40766 diff -urNp linux-2.6.38.4/grsecurity/gracl_ip.c linux-2.6.38.4/grsecurity/gracl_ip.c
40767 --- linux-2.6.38.4/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
40768 +++ linux-2.6.38.4/grsecurity/gracl_ip.c 2011-04-17 15:57:32.000000000 -0400
40770 +#include <linux/kernel.h>
40771 +#include <asm/uaccess.h>
40772 +#include <asm/errno.h>
40773 +#include <net/sock.h>
40774 +#include <linux/file.h>
40775 +#include <linux/fs.h>
40776 +#include <linux/net.h>
40777 +#include <linux/in.h>
40778 +#include <linux/skbuff.h>
40779 +#include <linux/ip.h>
40780 +#include <linux/udp.h>
40781 +#include <linux/smp_lock.h>
40782 +#include <linux/types.h>
40783 +#include <linux/sched.h>
40784 +#include <linux/netdevice.h>
40785 +#include <linux/inetdevice.h>
40786 +#include <linux/gracl.h>
40787 +#include <linux/grsecurity.h>
40788 +#include <linux/grinternal.h>
40790 +#define GR_BIND 0x01
40791 +#define GR_CONNECT 0x02
40792 +#define GR_INVERT 0x04
40793 +#define GR_BINDOVERRIDE 0x08
40794 +#define GR_CONNECTOVERRIDE 0x10
40795 +#define GR_SOCK_FAMILY 0x20
40797 +static const char * gr_protocols[IPPROTO_MAX] = {
40798 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
40799 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
40800 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
40801 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
40802 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
40803 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
40804 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
40805 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
40806 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
40807 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
40808 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
40809 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
40810 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
40811 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
40812 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
40813 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
40814 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
40815 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
40816 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
40817 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
40818 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
40819 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
40820 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
40821 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
40822 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
40823 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
40824 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
40825 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
40826 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
40827 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
40828 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
40829 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
40832 +static const char * gr_socktypes[SOCK_MAX] = {
40833 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
40834 + "unknown:7", "unknown:8", "unknown:9", "packet"
40837 +static const char * gr_sockfamilies[AF_MAX+1] = {
40838 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
40839 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
40840 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
40841 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
40845 +gr_proto_to_name(unsigned char proto)
40847 + return gr_protocols[proto];
40851 +gr_socktype_to_name(unsigned char type)
40853 + return gr_socktypes[type];
40857 +gr_sockfamily_to_name(unsigned char family)
40859 + return gr_sockfamilies[family];
40863 +gr_search_socket(const int domain, const int type, const int protocol)
40865 + struct acl_subject_label *curr;
40866 + const struct cred *cred = current_cred();
40868 + if (unlikely(!gr_acl_is_enabled()))
40871 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
40872 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
40873 + goto exit; // let the kernel handle it
40875 + curr = current->acl;
40877 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
40878 + /* the family is allowed, if this is PF_INET allow it only if
40879 + the extra sock type/protocol checks pass */
40880 + if (domain == PF_INET)
40884 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
40885 + __u32 fakeip = 0;
40886 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40887 + current->role->roletype, cred->uid,
40888 + cred->gid, current->exec_file ?
40889 + gr_to_filename(current->exec_file->f_path.dentry,
40890 + current->exec_file->f_path.mnt) :
40891 + curr->filename, curr->filename,
40892 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
40893 + ¤t->signal->saved_ip);
40900 + /* the rest of this checking is for IPv4 only */
40904 + if ((curr->ip_type & (1 << type)) &&
40905 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
40908 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
40909 + /* we don't place acls on raw sockets , and sometimes
40910 + dgram/ip sockets are opened for ioctl and not
40911 + bind/connect, so we'll fake a bind learn log */
40912 + if (type == SOCK_RAW || type == SOCK_PACKET) {
40913 + __u32 fakeip = 0;
40914 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40915 + current->role->roletype, cred->uid,
40916 + cred->gid, current->exec_file ?
40917 + gr_to_filename(current->exec_file->f_path.dentry,
40918 + current->exec_file->f_path.mnt) :
40919 + curr->filename, curr->filename,
40920 + &fakeip, 0, type,
40921 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
40922 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
40923 + __u32 fakeip = 0;
40924 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40925 + current->role->roletype, cred->uid,
40926 + cred->gid, current->exec_file ?
40927 + gr_to_filename(current->exec_file->f_path.dentry,
40928 + current->exec_file->f_path.mnt) :
40929 + curr->filename, curr->filename,
40930 + &fakeip, 0, type,
40931 + protocol, GR_BIND, ¤t->signal->saved_ip);
40933 + /* we'll log when they use connect or bind */
40938 + if (domain == PF_INET)
40939 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
40940 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
40942 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
40943 + gr_socktype_to_name(type), protocol);
40950 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
40952 + if ((ip->mode & mode) &&
40953 + (ip_port >= ip->low) &&
40954 + (ip_port <= ip->high) &&
40955 + ((ntohl(ip_addr) & our_netmask) ==
40956 + (ntohl(our_addr) & our_netmask))
40957 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
40958 + && (ip->type & (1 << type))) {
40959 + if (ip->mode & GR_INVERT)
40960 + return 2; // specifically denied
40962 + return 1; // allowed
40965 + return 0; // not specifically allowed, may continue parsing
40969 +gr_search_connectbind(const int full_mode, struct sock *sk,
40970 + struct sockaddr_in *addr, const int type)
40972 + char iface[IFNAMSIZ] = {0};
40973 + struct acl_subject_label *curr;
40974 + struct acl_ip_label *ip;
40975 + struct inet_sock *isk;
40976 + struct net_device *dev;
40977 + struct in_device *idev;
40980 + int mode = full_mode & (GR_BIND | GR_CONNECT);
40981 + __u32 ip_addr = 0;
40983 + __u32 our_netmask;
40985 + __u16 ip_port = 0;
40986 + const struct cred *cred = current_cred();
40988 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
40991 + curr = current->acl;
40992 + isk = inet_sk(sk);
40994 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
40995 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
40996 + addr->sin_addr.s_addr = curr->inaddr_any_override;
40997 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
40998 + struct sockaddr_in saddr;
41001 + saddr.sin_family = AF_INET;
41002 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
41003 + saddr.sin_port = isk->inet_sport;
41005 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
41009 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
41017 + ip_addr = addr->sin_addr.s_addr;
41018 + ip_port = ntohs(addr->sin_port);
41020 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
41021 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
41022 + current->role->roletype, cred->uid,
41023 + cred->gid, current->exec_file ?
41024 + gr_to_filename(current->exec_file->f_path.dentry,
41025 + current->exec_file->f_path.mnt) :
41026 + curr->filename, curr->filename,
41027 + &ip_addr, ip_port, type,
41028 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
41032 + for (i = 0; i < curr->ip_num; i++) {
41033 + ip = *(curr->ips + i);
41034 + if (ip->iface != NULL) {
41035 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
41036 + p = strchr(iface, ':');
41039 + dev = dev_get_by_name(sock_net(sk), iface);
41042 + idev = in_dev_get(dev);
41043 + if (idev == NULL) {
41049 + if (!strcmp(ip->iface, ifa->ifa_label)) {
41050 + our_addr = ifa->ifa_address;
41051 + our_netmask = 0xffffffff;
41052 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
41054 + rcu_read_unlock();
41055 + in_dev_put(idev);
41058 + } else if (ret == 2) {
41059 + rcu_read_unlock();
41060 + in_dev_put(idev);
41065 + } endfor_ifa(idev);
41066 + rcu_read_unlock();
41067 + in_dev_put(idev);
41070 + our_addr = ip->addr;
41071 + our_netmask = ip->netmask;
41072 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
41075 + else if (ret == 2)
41081 + if (mode == GR_BIND)
41082 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
41083 + else if (mode == GR_CONNECT)
41084 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
41090 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
41092 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
41096 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
41098 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
41101 +int gr_search_listen(struct socket *sock)
41103 + struct sock *sk = sock->sk;
41104 + struct sockaddr_in addr;
41106 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
41107 + addr.sin_port = inet_sk(sk)->inet_sport;
41109 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
41112 +int gr_search_accept(struct socket *sock)
41114 + struct sock *sk = sock->sk;
41115 + struct sockaddr_in addr;
41117 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
41118 + addr.sin_port = inet_sk(sk)->inet_sport;
41120 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
41124 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
41127 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
41129 + struct sockaddr_in sin;
41130 + const struct inet_sock *inet = inet_sk(sk);
41132 + sin.sin_addr.s_addr = inet->inet_daddr;
41133 + sin.sin_port = inet->inet_dport;
41135 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
41140 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
41142 + struct sockaddr_in sin;
41144 + if (unlikely(skb->len < sizeof (struct udphdr)))
41145 + return 0; // skip this packet
41147 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
41148 + sin.sin_port = udp_hdr(skb)->source;
41150 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
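Review bot: The gr_sockfamilies table at L24765–L24769 is misaligned with the kernel's address-family numbers from index 29 onward: the 2.6.38 socket.h defines AF_CAN as 29 and AF_TIPC as 30, but the table places "tipc" at 29 (37 entries, "unspec" through "ciaf"), so the denial messages emitted at L24827–L24830 report AF_CAN as "tipc", AF_TIPC as "bluetooth", and so on, with AF_CAIF (37) and AF_ALG (38) falling into the NULL tail of the AF_MAX+1-sized array. Insert `"can"` between `"fam_28"` and `"tipc"` on L24768–L24769 and append `"alg"`; a NULL name will not crash the kernel's vsnprintf, but it leaves the admin unable to tell which family was refused. The same pass should fix the spellings an admin greps for — "ciaf" should be "caif", "ppox" "pppox", "unkown:134" "unknown:134" at L24746 — and index 6 of gr_socktypes at L24763 is SOCK_DCCP rather than "unknown:6". The enforcement bitmap test at L24784 and L24799–L24800 uses the numeric values and is unaffected; only the audit text is wrong.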
41152 diff -urNp linux-2.6.38.4/grsecurity/gracl_learn.c linux-2.6.38.4/grsecurity/gracl_learn.c
41153 --- linux-2.6.38.4/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
41154 +++ linux-2.6.38.4/grsecurity/gracl_learn.c 2011-04-17 15:57:32.000000000 -0400
41156 +#include <linux/kernel.h>
41157 +#include <linux/mm.h>
41158 +#include <linux/sched.h>
41159 +#include <linux/poll.h>
41160 +#include <linux/smp_lock.h>
41161 +#include <linux/string.h>
41162 +#include <linux/file.h>
41163 +#include <linux/types.h>
41164 +#include <linux/vmalloc.h>
41165 +#include <linux/grinternal.h>
41167 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
41168 + size_t count, loff_t *ppos);
41169 +extern int gr_acl_is_enabled(void);
41171 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
41172 +static int gr_learn_attached;
41174 +/* use a 512k buffer */
41175 +#define LEARN_BUFFER_SIZE (512 * 1024)
41177 +static DEFINE_SPINLOCK(gr_learn_lock);
41178 +static DEFINE_MUTEX(gr_learn_user_mutex);
41180 +/* we need to maintain two buffers, so that the kernel context of grlearn
41181 + uses a semaphore around the userspace copying, and the other kernel contexts
41182 + use a spinlock when copying into the buffer, since they cannot sleep
41184 +static char *learn_buffer;
41185 +static char *learn_buffer_user;
41186 +static int learn_buffer_len;
41187 +static int learn_buffer_user_len;
41190 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
41192 + DECLARE_WAITQUEUE(wait, current);
41193 + ssize_t retval = 0;
41195 + add_wait_queue(&learn_wait, &wait);
41196 + set_current_state(TASK_INTERRUPTIBLE);
41198 + mutex_lock(&gr_learn_user_mutex);
41199 + spin_lock(&gr_learn_lock);
41200 + if (learn_buffer_len)
41202 + spin_unlock(&gr_learn_lock);
41203 + mutex_unlock(&gr_learn_user_mutex);
41204 + if (file->f_flags & O_NONBLOCK) {
41205 + retval = -EAGAIN;
41208 + if (signal_pending(current)) {
41209 + retval = -ERESTARTSYS;
41216 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
41217 + learn_buffer_user_len = learn_buffer_len;
41218 + retval = learn_buffer_len;
41219 + learn_buffer_len = 0;
41221 + spin_unlock(&gr_learn_lock);
41223 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
41224 + retval = -EFAULT;
41226 + mutex_unlock(&gr_learn_user_mutex);
41228 + set_current_state(TASK_RUNNING);
41229 + remove_wait_queue(&learn_wait, &wait);
41233 +static unsigned int
41234 +poll_learn(struct file * file, poll_table * wait)
41236 + poll_wait(file, &learn_wait, wait);
41238 + if (learn_buffer_len)
41239 + return (POLLIN | POLLRDNORM);
41245 +gr_clear_learn_entries(void)
41249 + mutex_lock(&gr_learn_user_mutex);
41250 + if (learn_buffer != NULL) {
41251 + spin_lock(&gr_learn_lock);
41252 + tmp = learn_buffer;
41253 + learn_buffer = NULL;
41254 + spin_unlock(&gr_learn_lock);
41255 + vfree(learn_buffer);
41257 + if (learn_buffer_user != NULL) {
41258 + vfree(learn_buffer_user);
41259 + learn_buffer_user = NULL;
41261 + learn_buffer_len = 0;
41262 + mutex_unlock(&gr_learn_user_mutex);
41268 +gr_add_learn_entry(const char *fmt, ...)
41271 + unsigned int len;
41273 + if (!gr_learn_attached)
41276 + spin_lock(&gr_learn_lock);
41278 + /* leave a gap at the end so we know when it's "full" but don't have to
41279 + compute the exact length of the string we're trying to append
41281 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
41282 + spin_unlock(&gr_learn_lock);
41283 + wake_up_interruptible(&learn_wait);
41286 + if (learn_buffer == NULL) {
41287 + spin_unlock(&gr_learn_lock);
41291 + va_start(args, fmt);
41292 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
41295 + learn_buffer_len += len + 1;
41297 + spin_unlock(&gr_learn_lock);
41298 + wake_up_interruptible(&learn_wait);
41304 +open_learn(struct inode *inode, struct file *file)
41306 + if (file->f_mode & FMODE_READ && gr_learn_attached)
41308 + if (file->f_mode & FMODE_READ) {
41310 + mutex_lock(&gr_learn_user_mutex);
41311 + if (learn_buffer == NULL)
41312 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
41313 + if (learn_buffer_user == NULL)
41314 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
41315 + if (learn_buffer == NULL) {
41316 + retval = -ENOMEM;
41319 + if (learn_buffer_user == NULL) {
41320 + retval = -ENOMEM;
41323 + learn_buffer_len = 0;
41324 + learn_buffer_user_len = 0;
41325 + gr_learn_attached = 1;
41327 + mutex_unlock(&gr_learn_user_mutex);
41334 +close_learn(struct inode *inode, struct file *file)
41338 + if (file->f_mode & FMODE_READ) {
41339 + mutex_lock(&gr_learn_user_mutex);
41340 + if (learn_buffer != NULL) {
41341 + spin_lock(&gr_learn_lock);
41342 + tmp = learn_buffer;
41343 + learn_buffer = NULL;
41344 + spin_unlock(&gr_learn_lock);
41347 + if (learn_buffer_user != NULL) {
41348 + vfree(learn_buffer_user);
41349 + learn_buffer_user = NULL;
41351 + learn_buffer_len = 0;
41352 + learn_buffer_user_len = 0;
41353 + gr_learn_attached = 0;
41354 + mutex_unlock(&gr_learn_user_mutex);
41360 +const struct file_operations grsec_fops = {
41361 + .read = read_learn,
41362 + .write = write_grsec_handler,
41363 + .open = open_learn,
41364 + .release = close_learn,
41365 + .poll = poll_learn,
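Review bot: gr_clear_learn_entries leaks the 512 KiB learn buffer: at L25000–L25003 the pointer is saved in `tmp`, `learn_buffer` is set to NULL under the spinlock, and then `vfree(learn_buffer)` frees the now-NULL pointer (a no-op) instead of the saved one. The line should be `vfree(tmp);`, which is presumably what close_learn does on the elided line after L25048 since it uses the same save-then-clear pattern. Every clear while a reader is attached orphans another vmalloc'd buffer, so this is a slow kernel-memory leak driven by the admin's own reload workflow rather than by an unprivileged user, but it is still a leak of a large allocation. Separately, gr_add_learn_entry at L25021–L25022 adds vsnprintf's would-be length to learn_buffer_len; the 16 KiB headroom reserved at L25015 covers any plausible single entry, but clamping `len` to the space left would make that invariant explicit instead of implicit.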
41367 diff -urNp linux-2.6.38.4/grsecurity/gracl_res.c linux-2.6.38.4/grsecurity/gracl_res.c
41368 --- linux-2.6.38.4/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
41369 +++ linux-2.6.38.4/grsecurity/gracl_res.c 2011-04-17 15:57:32.000000000 -0400
41371 +#include <linux/kernel.h>
41372 +#include <linux/sched.h>
41373 +#include <linux/gracl.h>
41374 +#include <linux/grinternal.h>
41376 +static const char *restab_log[] = {
41377 + [RLIMIT_CPU] = "RLIMIT_CPU",
41378 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
41379 + [RLIMIT_DATA] = "RLIMIT_DATA",
41380 + [RLIMIT_STACK] = "RLIMIT_STACK",
41381 + [RLIMIT_CORE] = "RLIMIT_CORE",
41382 + [RLIMIT_RSS] = "RLIMIT_RSS",
41383 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
41384 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
41385 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
41386 + [RLIMIT_AS] = "RLIMIT_AS",
41387 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
41388 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
41389 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
41390 + [RLIMIT_NICE] = "RLIMIT_NICE",
41391 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
41392 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
41393 + [GR_CRASH_RES] = "RLIMIT_CRASH"
41397 +gr_log_resource(const struct task_struct *task,
41398 + const int res, const unsigned long wanted, const int gt)
41400 + const struct cred *cred;
41401 + unsigned long rlim;
41403 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
41406 + // not yet supported resource
41407 + if (unlikely(!restab_log[res]))
41410 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
41411 + rlim = task_rlimit_max(task, res);
41413 + rlim = task_rlimit(task, res);
41415 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
41419 + cred = __task_cred(task);
41421 + if (res == RLIMIT_NPROC &&
41422 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
41423 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
41424 + goto out_rcu_unlock;
41425 + else if (res == RLIMIT_MEMLOCK &&
41426 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
41427 + goto out_rcu_unlock;
41428 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
41429 + goto out_rcu_unlock;
41430 + rcu_read_unlock();
41432 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
41436 + rcu_read_unlock();
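Review bot: restab_log at L25069–L25086 has no explicit size, so `restab_log[res]` at L25093 indexes an array whose length is one past its largest designated index using a caller-supplied `int`; a negative or too-large `res` reads past the table before the NULL check can reject it. In-tree callers presumably validate `res` against RLIM_NLIMITS first, but a guard keeps this logging helper safe on its own: `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))`, with ARRAY_SIZE available from the linux/kernel.h include at L25065. A short header comment is also missing, and `gt` is not self-explanatory — something like "gt: caller's test is `wanted > rlim` (1) rather than `wanted >= rlim` (0); only the failing case is logged" describes what the condition at L25097 implements. The capability exemptions at L25099–L25107 appear to mirror the kernel's own for NPROC, MEMLOCK and NICE, so a one-line comment stating that would stop a future reader from "fixing" them.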
41439 diff -urNp linux-2.6.38.4/grsecurity/gracl_segv.c linux-2.6.38.4/grsecurity/gracl_segv.c
41440 --- linux-2.6.38.4/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
41441 +++ linux-2.6.38.4/grsecurity/gracl_segv.c 2011-04-17 15:57:32.000000000 -0400
41443 +#include <linux/kernel.h>
41444 +#include <linux/mm.h>
41445 +#include <asm/uaccess.h>
41446 +#include <asm/errno.h>
41447 +#include <asm/mman.h>
41448 +#include <net/sock.h>
41449 +#include <linux/file.h>
41450 +#include <linux/fs.h>
41451 +#include <linux/net.h>
41452 +#include <linux/in.h>
41453 +#include <linux/smp_lock.h>
41454 +#include <linux/slab.h>
41455 +#include <linux/types.h>
41456 +#include <linux/sched.h>
41457 +#include <linux/timer.h>
41458 +#include <linux/gracl.h>
41459 +#include <linux/grsecurity.h>
41460 +#include <linux/grinternal.h>
41462 +static struct crash_uid *uid_set;
41463 +static unsigned short uid_used;
41464 +static DEFINE_SPINLOCK(gr_uid_lock);
41465 +extern rwlock_t gr_inode_lock;
41466 +extern struct acl_subject_label *
41467 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
41468 + struct acl_role_label *role);
41470 +#ifdef CONFIG_BTRFS_FS
41471 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
41472 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
41475 +static inline dev_t __get_dev(const struct dentry *dentry)
41477 +#ifdef CONFIG_BTRFS_FS
41478 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
41479 + return get_btrfs_dev_from_inode(dentry->d_inode);
41482 + return dentry->d_inode->i_sb->s_dev;
41486 +gr_init_uidset(void)
41489 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
41492 + return uid_set ? 1 : 0;
41496 +gr_free_uidset(void)
41505 +gr_find_uid(const uid_t uid)
41507 + struct crash_uid *tmp = uid_set;
41509 + int low = 0, high = uid_used - 1, mid;
41511 + while (high >= low) {
41512 + mid = (low + high) >> 1;
41513 + buid = tmp[mid].uid;
41525 +static __inline__ void
41526 +gr_insertsort(void)
41528 + unsigned short i, j;
41529 + struct crash_uid index;
41531 + for (i = 1; i < uid_used; i++) {
41532 + index = uid_set[i];
41534 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
41535 + uid_set[j] = uid_set[j - 1];
41538 + uid_set[j] = index;
41544 +static __inline__ void
41545 +gr_insert_uid(const uid_t uid, const unsigned long expires)
41549 + if (uid_used == GR_UIDTABLE_MAX)
41552 + loc = gr_find_uid(uid);
41555 + uid_set[loc].expires = expires;
41559 + uid_set[uid_used].uid = uid;
41560 + uid_set[uid_used].expires = expires;
41569 +gr_remove_uid(const unsigned short loc)
41571 + unsigned short i;
41573 + for (i = loc + 1; i < uid_used; i++)
41574 + uid_set[i - 1] = uid_set[i];
41582 +gr_check_crash_uid(const uid_t uid)
41587 + if (unlikely(!gr_acl_is_enabled()))
41590 + spin_lock(&gr_uid_lock);
41591 + loc = gr_find_uid(uid);
41596 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
41597 + gr_remove_uid(loc);
41602 + spin_unlock(&gr_uid_lock);
41606 +static __inline__ int
41607 +proc_is_setxid(const struct cred *cred)
41609 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
41610 + cred->uid != cred->fsuid)
41612 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
41613 + cred->gid != cred->fsgid)
41619 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
41622 +gr_handle_crash(struct task_struct *task, const int sig)
41624 + struct acl_subject_label *curr;
41625 + struct acl_subject_label *curr2;
41626 + struct task_struct *tsk, *tsk2;
41627 + const struct cred *cred;
41628 + const struct cred *cred2;
41630 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
41633 + if (unlikely(!gr_acl_is_enabled()))
41636 + curr = task->acl;
41638 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
41641 + if (time_before_eq(curr->expires, get_seconds())) {
41642 + curr->expires = 0;
41643 + curr->crashes = 0;
41648 + if (!curr->expires)
41649 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
41651 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
41652 + time_after(curr->expires, get_seconds())) {
41654 + cred = __task_cred(task);
41655 + if (cred->uid && proc_is_setxid(cred)) {
41656 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
41657 + spin_lock(&gr_uid_lock);
41658 + gr_insert_uid(cred->uid, curr->expires);
41659 + spin_unlock(&gr_uid_lock);
41660 + curr->expires = 0;
41661 + curr->crashes = 0;
41662 + read_lock(&tasklist_lock);
41663 + do_each_thread(tsk2, tsk) {
41664 + cred2 = __task_cred(tsk);
41665 + if (tsk != task && cred2->uid == cred->uid)
41666 + gr_fake_force_sig(SIGKILL, tsk);
41667 + } while_each_thread(tsk2, tsk);
41668 + read_unlock(&tasklist_lock);
41670 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
41671 + read_lock(&tasklist_lock);
41672 + do_each_thread(tsk2, tsk) {
41673 + if (likely(tsk != task)) {
41674 + curr2 = tsk->acl;
41676 + if (curr2->device == curr->device &&
41677 + curr2->inode == curr->inode)
41678 + gr_fake_force_sig(SIGKILL, tsk);
41680 + } while_each_thread(tsk2, tsk);
41681 + read_unlock(&tasklist_lock);
41683 + rcu_read_unlock();
41690 +gr_check_crash_exec(const struct file *filp)
41692 + struct acl_subject_label *curr;
41694 + if (unlikely(!gr_acl_is_enabled()))
41697 + read_lock(&gr_inode_lock);
41698 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
41699 + __get_dev(filp->f_path.dentry),
41701 + read_unlock(&gr_inode_lock);
41703 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
41704 + (!curr->crashes && !curr->expires))
41707 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
41708 + time_after(curr->expires, get_seconds()))
41710 + else if (time_before_eq(curr->expires, get_seconds())) {
41711 + curr->crashes = 0;
41712 + curr->expires = 0;
41719 +gr_handle_alertkill(struct task_struct *task)
41721 + struct acl_subject_label *curracl;
41723 + struct task_struct *p, *p2;
41725 + if (unlikely(!gr_acl_is_enabled()))
41728 + curracl = task->acl;
41729 + curr_ip = task->signal->curr_ip;
41731 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
41732 + read_lock(&tasklist_lock);
41733 + do_each_thread(p2, p) {
41734 + if (p->signal->curr_ip == curr_ip)
41735 + gr_fake_force_sig(SIGKILL, p);
41736 + } while_each_thread(p2, p);
41737 + read_unlock(&tasklist_lock);
41738 + } else if (curracl->mode & GR_KILLPROC)
41739 + gr_fake_force_sig(SIGKILL, task);
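Review bot: gr_handle_crash updates the per-subject crash counters without a lock: `curr->expires` and `curr->crashes` are read and written at L25201–L25207 and L25214–L25215 (the increment itself is on an elided line), and gr_check_crash_exec does the same at L25243–L25247 after releasing gr_inode_lock at L25240. Since `curr = task->acl` (L25199) is a shared acl_subject_label, two tasks under the same subject crashing concurrently can both observe `crashes < rlim_cur` at L25206 and neither trigger the ban, or one can reset the window the other just counted; the only lock taken is gr_uid_lock around gr_insert_uid at L25211–L25213. If that window is deliberately tolerated it deserves a comment; otherwise make the read-modify-write and the threshold compare happen under one lock (gr_uid_lock would do, as it already serialises the ban table). The non-setxid branch at L25224–L25232 kills every task whose subject matches by device/inode regardless of uid, which looks intentional but reads like a bug without a one-line comment explaining the policy.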
41743 diff -urNp linux-2.6.38.4/grsecurity/gracl_shm.c linux-2.6.38.4/grsecurity/gracl_shm.c
41744 --- linux-2.6.38.4/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
41745 +++ linux-2.6.38.4/grsecurity/gracl_shm.c 2011-04-17 15:57:32.000000000 -0400
41747 +#include <linux/kernel.h>
41748 +#include <linux/mm.h>
41749 +#include <linux/sched.h>
41750 +#include <linux/file.h>
41751 +#include <linux/ipc.h>
41752 +#include <linux/gracl.h>
41753 +#include <linux/grsecurity.h>
41754 +#include <linux/grinternal.h>
41757 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41758 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41760 + struct task_struct *task;
41762 + if (!gr_acl_is_enabled())
41766 + read_lock(&tasklist_lock);
41768 + task = find_task_by_vpid(shm_cprid);
41770 + if (unlikely(!task))
41771 + task = find_task_by_vpid(shm_lapid);
41773 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
41774 + (task->pid == shm_lapid)) &&
41775 + (task->acl->mode & GR_PROTSHM) &&
41776 + (task->acl != current->acl))) {
41777 + read_unlock(&tasklist_lock);
41778 + rcu_read_unlock();
41779 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
41782 + read_unlock(&tasklist_lock);
41783 + rcu_read_unlock();
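Review bot: The pid-reuse guard at L25282 compares `task->start_time.tv_sec` with `shm_createtime`, but in this kernel task->start_time is filled by do_posix_clock_monotonic_gettime() (seconds since boot) while the shm creation time comes from get_seconds() (wall-clock epoch), so time_before_eq() is effectively always true and the test cannot tell the original creator from an unrelated process that later received the same pid — please confirm the clocks, as this comes from the 2.6.38 copy_process() rather than from lines in this hunk. The `task->pid == shm_lapid` alternative on L25283 has no timestamp check at all. The failure mode is fail-closed — a pid-reused process running under a GR_PROTSHM subject produces a spurious denial logged at L25288 for an unrelated attacher — but it also means the guard provides no real assurance. Compare clocks of the same kind, e.g. record a monotonic stamp alongside the shm creation time at the call site, or convert shm_createtime into the task's time base before the comparison.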
41787 diff -urNp linux-2.6.38.4/grsecurity/grsec_chdir.c linux-2.6.38.4/grsecurity/grsec_chdir.c
41788 --- linux-2.6.38.4/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
41789 +++ linux-2.6.38.4/grsecurity/grsec_chdir.c 2011-04-17 15:57:32.000000000 -0400
41791 +#include <linux/kernel.h>
41792 +#include <linux/sched.h>
41793 +#include <linux/fs.h>
41794 +#include <linux/file.h>
41795 +#include <linux/grsecurity.h>
41796 +#include <linux/grinternal.h>
41799 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
41801 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41802 + if ((grsec_enable_chdir && grsec_enable_group &&
41803 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
41804 + !grsec_enable_group)) {
41805 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
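Review bot: The condition at L25302–L25304 evaluates `grsec_enable_chdir` twice and spreads one test over three lines; it has the same truth table written as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`. A one-line comment above it — "chdir auditing is either global or limited to members of grsec_audit_gid" — would spare the next reader re-deriving that from the boolean algebra. The same enable/group pattern presumably recurs in the other grsec_*.c audit hooks, so whichever form is chosen should be used consistently across them.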
41810 diff -urNp linux-2.6.38.4/grsecurity/grsec_chroot.c linux-2.6.38.4/grsecurity/grsec_chroot.c
41811 --- linux-2.6.38.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
41812 +++ linux-2.6.38.4/grsecurity/grsec_chroot.c 2011-04-17 15:57:32.000000000 -0400
41814 +#include <linux/kernel.h>
41815 +#include <linux/module.h>
41816 +#include <linux/sched.h>
41817 +#include <linux/file.h>
41818 +#include <linux/fs.h>
41819 +#include <linux/mount.h>
41820 +#include <linux/types.h>
41821 +#include <linux/pid_namespace.h>
41822 +#include <linux/grsecurity.h>
41823 +#include <linux/grinternal.h>
41825 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
41827 +#ifdef CONFIG_GRKERNSEC
41828 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
41829 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
41830 + task->gr_is_chrooted = 1;
41832 + task->gr_is_chrooted = 0;
41834 + task->gr_chroot_dentry = path->dentry;
41839 +void gr_clear_chroot_entries(struct task_struct *task)
41841 +#ifdef CONFIG_GRKERNSEC
41842 + task->gr_is_chrooted = 0;
41843 + task->gr_chroot_dentry = NULL;
41849 +gr_handle_chroot_unix(struct pid *pid)
41851 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41852 + struct task_struct *p;
41854 + if (unlikely(!grsec_enable_chroot_unix))
41857 + if (likely(!proc_is_chrooted(current)))
41861 + read_lock(&tasklist_lock);
41862 + p = pid_task(pid, PIDTYPE_PID);
41863 + if (unlikely(p && !have_same_root(current, p))) {
41864 + read_unlock(&tasklist_lock);
41865 + rcu_read_unlock();
41866 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
41869 + read_unlock(&tasklist_lock);
41870 + rcu_read_unlock();
41876 +gr_handle_chroot_nice(void)
41878 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41879 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
41880 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
41888 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
41890 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41891 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
41892 + && proc_is_chrooted(current)) {
41893 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
41901 +gr_handle_chroot_rawio(const struct inode *inode)
41903 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41904 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
41905 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
41912 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
41914 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41915 + struct task_struct *p;
41917 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
41920 + read_lock(&tasklist_lock);
41921 + do_each_pid_task(pid, type, p) {
41922 + if (!have_same_root(current, p)) {
41926 + } while_each_pid_task(pid, type, p);
41928 + read_unlock(&tasklist_lock);
41935 +gr_pid_is_chrooted(struct task_struct *p)
41937 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41938 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
41941 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
41942 + !have_same_root(current, p)) {
41949 +EXPORT_SYMBOL(gr_pid_is_chrooted);
41951 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
41952 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
41954 + struct path path, currentroot;
41957 + path.dentry = (struct dentry *)u_dentry;
41958 + path.mnt = (struct vfsmount *)u_mnt;
41959 + get_fs_root(current->fs, ¤troot);
41960 + if (path_is_under(&path, ¤troot))
41962 + path_put(¤troot);
41969 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
41971 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41972 + if (!grsec_enable_chroot_fchdir)
41975 + if (!proc_is_chrooted(current))
41977 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
41978 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
41986 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41987 + const time_t shm_createtime)
41989 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41990 + struct pid *pid = NULL;
41991 + time_t starttime;
41993 + if (unlikely(!grsec_enable_chroot_shmat))
41996 + if (likely(!proc_is_chrooted(current)))
42000 + read_lock(&tasklist_lock);
42002 + pid = find_vpid(shm_cprid);
42004 + struct task_struct *p;
42005 + p = pid_task(pid, PIDTYPE_PID);
42008 + starttime = p->start_time.tv_sec;
42009 + if (unlikely(!have_same_root(current, p) &&
42010 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
42011 + read_unlock(&tasklist_lock);
42012 + rcu_read_unlock();
42013 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
42017 + pid = find_vpid(shm_lapid);
42019 + struct task_struct *p;
42020 + p = pid_task(pid, PIDTYPE_PID);
42023 + if (unlikely(!have_same_root(current, p))) {
42024 + read_unlock(&tasklist_lock);
42025 + rcu_read_unlock();
42026 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
42032 + read_unlock(&tasklist_lock);
42033 + rcu_read_unlock();
42039 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
42041 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
42042 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
42043 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
42049 +gr_handle_chroot_mknod(const struct dentry *dentry,
42050 + const struct vfsmount *mnt, const int mode)
42052 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
42053 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
42054 + proc_is_chrooted(current)) {
42055 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
42063 +gr_handle_chroot_mount(const struct dentry *dentry,
42064 + const struct vfsmount *mnt, const char *dev_name)
42066 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42067 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
42068 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
42076 +gr_handle_chroot_pivot(void)
42078 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42079 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
42080 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
42088 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
42090 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42091 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
42092 + !gr_is_outside_chroot(dentry, mnt)) {
42093 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
42101 +gr_handle_chroot_caps(struct path *path)
42103 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
42104 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
42105 + (init_task.fs->root.dentry != path->dentry) &&
42106 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
42108 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
42109 + const struct cred *old = current_cred();
42110 + struct cred *new = prepare_creds();
42114 + new->cap_permitted = cap_drop(old->cap_permitted,
42116 + new->cap_inheritable = cap_drop(old->cap_inheritable,
42118 + new->cap_effective = cap_drop(old->cap_effective,
42121 + commit_creds(new);
42130 +gr_handle_chroot_sysctl(const int op)
42132 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
42133 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
42134 + proc_is_chrooted(current))
42141 +gr_handle_chroot_chdir(struct path *path)
42143 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42144 + if (grsec_enable_chroot_chdir)
42145 + set_fs_pwd(current->fs, path);
42151 +gr_handle_chroot_chmod(const struct dentry *dentry,
42152 + const struct vfsmount *mnt, const int mode)
42154 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42155 + /* allow chmod +s on directories, but not files */
42156 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
42157 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
42158 + proc_is_chrooted(current)) {
42159 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
42166 +#ifdef CONFIG_SECURITY
42167 +EXPORT_SYMBOL(gr_handle_chroot_caps);
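Review bot: gr_handle_chroot_caps drops the chroot capability mask only from cap_permitted, cap_inheritable and cap_effective (the three cap_drop calls after prepare_creds()) and leaves cap_bset alone, so a uid-0 process that later execs a setuid-root binary inside the chroot can have its permitted set re-derived from the untouched bounding set; unless this hook is also run on every exec (the CONFIG_SECURITY export hints it may be — confirm at the call sites), add `new->cap_bset = cap_drop(old->cap_bset, chroot_caps);` next to the other three. Separately, gr_is_outside_chroot returns true when `path_is_under(&path, &currentroot)` holds, i.e. when the path is inside the current root, and both callers (gr_chroot_fchdir, gr_handle_chroot_chroot) deny on `!gr_is_outside_chroot(...)`, so the name states the opposite of what it tests; a comment `/* non-zero when the path lies inside the caller's current root */` above it would stop the next reader from inverting a check. In gr_chroot_shmat, `p->start_time.tv_sec` is compared with shm_createtime via time_before_eq; if shm_createtime is a wall-clock get_seconds() value while start_time is monotonic-since-boot, that comparison is almost always true and the PID-reuse guard degenerates to a plain different-root check — worth confirming which clock the creator records. The `¤troot` in gr_is_outside_chroot is this listing's HTML-entity mangling of `&currentroot`, not a source defect.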
42169 diff -urNp linux-2.6.38.4/grsecurity/grsec_disabled.c linux-2.6.38.4/grsecurity/grsec_disabled.c
42170 --- linux-2.6.38.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
42171 +++ linux-2.6.38.4/grsecurity/grsec_disabled.c 2011-04-17 15:57:32.000000000 -0400
42173 +#include <linux/kernel.h>
42174 +#include <linux/module.h>
42175 +#include <linux/sched.h>
42176 +#include <linux/file.h>
42177 +#include <linux/fs.h>
42178 +#include <linux/kdev_t.h>
42179 +#include <linux/net.h>
42180 +#include <linux/in.h>
42181 +#include <linux/ip.h>
42182 +#include <linux/skbuff.h>
42183 +#include <linux/sysctl.h>
42185 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
42187 +pax_set_initial_flags(struct linux_binprm *bprm)
42193 +#ifdef CONFIG_SYSCTL
42195 +gr_handle_sysctl(const struct ctl_table * table, const int op)
42201 +#ifdef CONFIG_TASKSTATS
42202 +int gr_is_taskstats_denied(int pid)
42209 +gr_acl_is_enabled(void)
42215 +gr_handle_rawio(const struct inode *inode)
42221 +gr_acl_handle_psacct(struct task_struct *task, const long code)
42227 +gr_handle_ptrace(struct task_struct *task, const long request)
42233 +gr_handle_proc_ptrace(struct task_struct *task)
42239 +gr_learn_resource(const struct task_struct *task,
42240 + const int res, const unsigned long wanted, const int gt)
42246 +gr_set_acls(const int type)
42252 +gr_check_hidden_task(const struct task_struct *tsk)
42258 +gr_check_protected_task(const struct task_struct *task)
42264 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
42270 +gr_copy_label(struct task_struct *tsk)
42276 +gr_set_pax_flags(struct task_struct *task)
42282 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
42283 + const int unsafe_share)
42289 +gr_handle_delete(const ino_t ino, const dev_t dev)
42295 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
42301 +gr_handle_crash(struct task_struct *task, const int sig)
42307 +gr_check_crash_exec(const struct file *filp)
42313 +gr_check_crash_uid(const uid_t uid)
42319 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
42320 + struct dentry *old_dentry,
42321 + struct dentry *new_dentry,
42322 + struct vfsmount *mnt, const __u8 replace)
42328 +gr_search_socket(const int family, const int type, const int protocol)
42334 +gr_search_connectbind(const int mode, const struct socket *sock,
42335 + const struct sockaddr_in *addr)
42341 +gr_is_capable(const int cap)
42347 +gr_is_capable_nolog(const int cap)
42353 +gr_handle_alertkill(struct task_struct *task)
42359 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
42365 +gr_acl_handle_hidden_file(const struct dentry * dentry,
42366 + const struct vfsmount * mnt)
42372 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
42379 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
42385 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
42391 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
42392 + unsigned int *vm_flags)
42398 +gr_acl_handle_truncate(const struct dentry * dentry,
42399 + const struct vfsmount * mnt)
42405 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
42411 +gr_acl_handle_access(const struct dentry * dentry,
42412 + const struct vfsmount * mnt, const int fmode)
42418 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
42425 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
42432 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
42438 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
42444 +grsecurity_init(void)
42450 +gr_acl_handle_mknod(const struct dentry * new_dentry,
42451 + const struct dentry * parent_dentry,
42452 + const struct vfsmount * parent_mnt,
42459 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
42460 + const struct dentry * parent_dentry,
42461 + const struct vfsmount * parent_mnt)
42467 +gr_acl_handle_symlink(const struct dentry * new_dentry,
42468 + const struct dentry * parent_dentry,
42469 + const struct vfsmount * parent_mnt, const char *from)
42475 +gr_acl_handle_link(const struct dentry * new_dentry,
42476 + const struct dentry * parent_dentry,
42477 + const struct vfsmount * parent_mnt,
42478 + const struct dentry * old_dentry,
42479 + const struct vfsmount * old_mnt, const char *to)
42485 +gr_acl_handle_rename(const struct dentry *new_dentry,
42486 + const struct dentry *parent_dentry,
42487 + const struct vfsmount *parent_mnt,
42488 + const struct dentry *old_dentry,
42489 + const struct inode *old_parent_inode,
42490 + const struct vfsmount *old_mnt, const char *newname)
42496 +gr_acl_handle_filldir(const struct file *file, const char *name,
42497 + const int namelen, const ino_t ino)
42503 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
42504 + const time_t shm_createtime, const uid_t cuid, const int shmid)
42510 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
42516 +gr_search_accept(const struct socket *sock)
42522 +gr_search_listen(const struct socket *sock)
42528 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
42534 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
42540 +gr_acl_handle_creat(const struct dentry * dentry,
42541 + const struct dentry * p_dentry,
42542 + const struct vfsmount * p_mnt, const int fmode,
42549 +gr_acl_handle_exit(void)
42555 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
42561 +gr_set_role_label(const uid_t uid, const gid_t gid)
42567 +gr_acl_handle_procpidmem(const struct task_struct *task)
42573 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
42579 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
42585 +gr_set_kernel_label(struct task_struct *task)
42591 +gr_check_user_change(int real, int effective, int fs)
42597 +gr_check_group_change(int real, int effective, int fs)
42602 +int gr_acl_enable_at_secure(void)
42607 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
42609 + return dentry->d_inode->i_sb->s_dev;
42612 +EXPORT_SYMBOL(gr_is_capable);
42613 +EXPORT_SYMBOL(gr_is_capable_nolog);
42614 +EXPORT_SYMBOL(gr_learn_resource);
42615 +EXPORT_SYMBOL(gr_set_kernel_label);
42616 +#ifdef CONFIG_SECURITY
42617 +EXPORT_SYMBOL(gr_check_user_change);
42618 +EXPORT_SYMBOL(gr_check_group_change);
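Review bot: gr_get_dev_from_dentry is the one function in this stub file with real logic and it dereferences `dentry->d_inode` unconditionally, so any caller handing it a negative dentry would oops instead of failing; if every caller is guaranteed a positive dentry, say so with `/* dentry must be positive (d_inode != NULL) */`, otherwise return 0 when d_inode is NULL. The return values of the remaining stubs are elided in this listing, so they are not reviewed here.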
42620 diff -urNp linux-2.6.38.4/grsecurity/grsec_exec.c linux-2.6.38.4/grsecurity/grsec_exec.c
42621 --- linux-2.6.38.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
42622 +++ linux-2.6.38.4/grsecurity/grsec_exec.c 2011-04-17 15:57:32.000000000 -0400
42624 +#include <linux/kernel.h>
42625 +#include <linux/sched.h>
42626 +#include <linux/file.h>
42627 +#include <linux/binfmts.h>
42628 +#include <linux/smp_lock.h>
42629 +#include <linux/fs.h>
42630 +#include <linux/types.h>
42631 +#include <linux/grdefs.h>
42632 +#include <linux/grinternal.h>
42633 +#include <linux/capability.h>
42634 +#include <linux/compat.h>
42636 +#include <asm/uaccess.h>
42638 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42639 +static char gr_exec_arg_buf[132];
42640 +static DEFINE_MUTEX(gr_exec_arg_mutex);
42644 +gr_handle_nproc(void)
42646 +#ifdef CONFIG_GRKERNSEC_EXECVE
42647 + const struct cred *cred = current_cred();
42648 + if (grsec_enable_execve && cred->user &&
42649 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
42650 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
42651 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
42659 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
42661 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42662 + char *grarg = gr_exec_arg_buf;
42663 + unsigned int i, x, execlen = 0;
42666 + if (!((grsec_enable_execlog && grsec_enable_group &&
42667 + in_group_p(grsec_audit_gid))
42668 + || (grsec_enable_execlog && !grsec_enable_group)))
42671 + mutex_lock(&gr_exec_arg_mutex);
42672 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
42674 + if (unlikely(argv == NULL))
42677 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
42678 + const char __user *p;
42679 + unsigned int len;
42681 + if (copy_from_user(&p, argv + i, sizeof(p)))
42685 + len = strnlen_user(p, 128 - execlen);
42686 + if (len > 128 - execlen)
42687 + len = 128 - execlen;
42688 + else if (len > 0)
42690 + if (copy_from_user(grarg + execlen, p, len))
42693 + /* rewrite unprintable characters */
42694 + for (x = 0; x < len; x++) {
42695 + c = *(grarg + execlen + x);
42696 + if (c < 32 || c > 126)
42697 + *(grarg + execlen + x) = ' ';
42701 + *(grarg + execlen) = ' ';
42702 + *(grarg + execlen + 1) = '\0';
42707 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
42708 + bprm->file->f_path.mnt, grarg);
42709 + mutex_unlock(&gr_exec_arg_mutex);
42714 +#ifdef CONFIG_COMPAT
42716 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
42718 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42719 + char *grarg = gr_exec_arg_buf;
42720 + unsigned int i, x, execlen = 0;
42723 + if (!((grsec_enable_execlog && grsec_enable_group &&
42724 + in_group_p(grsec_audit_gid))
42725 + || (grsec_enable_execlog && !grsec_enable_group)))
42728 + mutex_lock(&gr_exec_arg_mutex);
42729 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
42731 + if (unlikely(argv == NULL))
42734 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
42736 + unsigned int len;
42738 + if (get_user(p, argv + i))
42740 + len = strnlen_user(compat_ptr(p), 128 - execlen);
42741 + if (len > 128 - execlen)
42742 + len = 128 - execlen;
42743 + else if (len > 0)
42747 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
42750 + /* rewrite unprintable characters */
42751 + for (x = 0; x < len; x++) {
42752 + c = *(grarg + execlen + x);
42753 + if (c < 32 || c > 126)
42754 + *(grarg + execlen + x) = ' ';
42758 + *(grarg + execlen) = ' ';
42759 + *(grarg + execlen + 1) = '\0';
42764 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
42765 + bprm->file->f_path.mnt, grarg);
42766 + mutex_unlock(&gr_exec_arg_mutex);
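Review bot: gr_handle_exec_args builds the audit record by reading the argument vector back from userspace (copy_from_user of `argv + i`, then of the string at `p`) after execve has already copied the real arguments into bprm, so a second thread, or a process that deliberately rewrites its argv in that window, can make the logged command line differ from what actually ran. Since faithful logging is this code's only purpose, the text should be taken from the kernel's own copy of the strings (presumably the ones copy_strings placed at bprm->p) rather than a second user read; gr_handle_exec_args_compat has the same issue. The bounds themselves look sound as far as the visible lines show: execlen never exceeds 128 and the trailing `' '`/`'\0'` land at most at index 129 of the 132-byte gr_exec_arg_buf. The declaration of `c` and the early-return lines are elided in this listing.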
42771 diff -urNp linux-2.6.38.4/grsecurity/grsec_fifo.c linux-2.6.38.4/grsecurity/grsec_fifo.c
42772 --- linux-2.6.38.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
42773 +++ linux-2.6.38.4/grsecurity/grsec_fifo.c 2011-04-17 15:57:32.000000000 -0400
42775 +#include <linux/kernel.h>
42776 +#include <linux/sched.h>
42777 +#include <linux/fs.h>
42778 +#include <linux/file.h>
42779 +#include <linux/grinternal.h>
42782 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
42783 + const struct dentry *dir, const int flag, const int acc_mode)
42785 +#ifdef CONFIG_GRKERNSEC_FIFO
42786 + const struct cred *cred = current_cred();
42788 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
42789 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
42790 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
42791 + (cred->fsuid != dentry->d_inode->i_uid)) {
42792 + if (!inode_permission(dentry->d_inode, acc_mode))
42793 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
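Review bot: gr_handle_fifo restricts the open whenever the parent directory is sticky (`dir->d_inode->i_mode & S_ISVTX`) but, unlike gr_handle_follow_link in grsec_link.c which also requires `S_IWOTH`, it never checks that the directory is world-writable, so it also fires in sticky but private directories; if the /tmp case is the intent, add `(dir->d_inode->i_mode & S_IWOTH) &&` beside the S_ISVTX test, otherwise a comment stating that sticky alone is deliberate would save the question. The denial is also independent of privilege — there is no `capable(CAP_FOWNER)` escape as the hardlink check has — which may be intended but deserves a comment above the condition. The function's return statements are elided in this listing.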
42799 diff -urNp linux-2.6.38.4/grsecurity/grsec_fork.c linux-2.6.38.4/grsecurity/grsec_fork.c
42800 --- linux-2.6.38.4/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
42801 +++ linux-2.6.38.4/grsecurity/grsec_fork.c 2011-04-17 15:57:32.000000000 -0400
42803 +#include <linux/kernel.h>
42804 +#include <linux/sched.h>
42805 +#include <linux/grsecurity.h>
42806 +#include <linux/grinternal.h>
42807 +#include <linux/errno.h>
42810 +gr_log_forkfail(const int retval)
42812 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42813 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
42814 + switch (retval) {
42816 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
42819 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
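Review bot: The outer `retval == -EAGAIN || retval == -ENOMEM` test in gr_log_forkfail merely repeats the two switch cases below it; either drop it and let the switch's default do nothing, or drop the switch and keep the guard with `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. Style only — behaviour is identical either way.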
42826 diff -urNp linux-2.6.38.4/grsecurity/grsec_init.c linux-2.6.38.4/grsecurity/grsec_init.c
42827 --- linux-2.6.38.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
42828 +++ linux-2.6.38.4/grsecurity/grsec_init.c 2011-04-17 15:57:32.000000000 -0400
42830 +#include <linux/kernel.h>
42831 +#include <linux/sched.h>
42832 +#include <linux/mm.h>
42833 +#include <linux/smp_lock.h>
42834 +#include <linux/gracl.h>
42835 +#include <linux/slab.h>
42836 +#include <linux/vmalloc.h>
42837 +#include <linux/percpu.h>
42838 +#include <linux/module.h>
42840 +int grsec_enable_link;
42841 +int grsec_enable_dmesg;
42842 +int grsec_enable_harden_ptrace;
42843 +int grsec_enable_fifo;
42844 +int grsec_enable_execve;
42845 +int grsec_enable_execlog;
42846 +int grsec_enable_signal;
42847 +int grsec_enable_forkfail;
42848 +int grsec_enable_audit_ptrace;
42849 +int grsec_enable_time;
42850 +int grsec_enable_audit_textrel;
42851 +int grsec_enable_group;
42852 +int grsec_audit_gid;
42853 +int grsec_enable_chdir;
42854 +int grsec_enable_mount;
42855 +int grsec_enable_rofs;
42856 +int grsec_enable_chroot_findtask;
42857 +int grsec_enable_chroot_mount;
42858 +int grsec_enable_chroot_shmat;
42859 +int grsec_enable_chroot_fchdir;
42860 +int grsec_enable_chroot_double;
42861 +int grsec_enable_chroot_pivot;
42862 +int grsec_enable_chroot_chdir;
42863 +int grsec_enable_chroot_chmod;
42864 +int grsec_enable_chroot_mknod;
42865 +int grsec_enable_chroot_nice;
42866 +int grsec_enable_chroot_execlog;
42867 +int grsec_enable_chroot_caps;
42868 +int grsec_enable_chroot_sysctl;
42869 +int grsec_enable_chroot_unix;
42870 +int grsec_enable_tpe;
42871 +int grsec_tpe_gid;
42872 +int grsec_enable_blackhole;
42873 +#ifdef CONFIG_IPV6_MODULE
42874 +EXPORT_SYMBOL(grsec_enable_blackhole);
42876 +int grsec_lastack_retries;
42877 +int grsec_enable_tpe_all;
42878 +int grsec_enable_tpe_invert;
42879 +int grsec_enable_socket_all;
42880 +int grsec_socket_all_gid;
42881 +int grsec_enable_socket_client;
42882 +int grsec_socket_client_gid;
42883 +int grsec_enable_socket_server;
42884 +int grsec_socket_server_gid;
42885 +int grsec_resource_logging;
42886 +int grsec_disable_privio;
42887 +int grsec_enable_log_rwxmaps;
42890 +DEFINE_SPINLOCK(grsec_alert_lock);
42891 +unsigned long grsec_alert_wtime = 0;
42892 +unsigned long grsec_alert_fyet = 0;
42894 +DEFINE_SPINLOCK(grsec_audit_lock);
42896 +DEFINE_RWLOCK(grsec_exec_file_lock);
42898 +char *gr_shared_page[4];
42900 +char *gr_alert_log_fmt;
42901 +char *gr_audit_log_fmt;
42902 +char *gr_alert_log_buf;
42903 +char *gr_audit_log_buf;
42905 +extern struct gr_arg *gr_usermode;
42906 +extern unsigned char *gr_system_salt;
42907 +extern unsigned char *gr_system_sum;
42910 +grsecurity_init(void)
42913 + /* create the per-cpu shared pages */
42916 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
42919 + for (j = 0; j < 4; j++) {
42920 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
42921 + if (gr_shared_page[j] == NULL) {
42922 + panic("Unable to allocate grsecurity shared page");
42927 + /* allocate log buffers */
42928 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
42929 + if (!gr_alert_log_fmt) {
42930 + panic("Unable to allocate grsecurity alert log format buffer");
42933 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
42934 + if (!gr_audit_log_fmt) {
42935 + panic("Unable to allocate grsecurity audit log format buffer");
42938 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
42939 + if (!gr_alert_log_buf) {
42940 + panic("Unable to allocate grsecurity alert log buffer");
42943 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
42944 + if (!gr_audit_log_buf) {
42945 + panic("Unable to allocate grsecurity audit log buffer");
42949 + /* allocate memory for authentication structure */
42950 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
42951 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
42952 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
42954 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
42955 + panic("Unable to allocate grsecurity authentication structure");
42960 +#ifdef CONFIG_GRKERNSEC_IO
42961 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
42962 + grsec_disable_privio = 1;
42963 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
42964 + grsec_disable_privio = 1;
42966 + grsec_disable_privio = 0;
42970 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42971 + /* for backward compatibility, tpe_invert always defaults to on if
42972 + enabled in the kernel
42974 + grsec_enable_tpe_invert = 1;
42977 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
42978 +#ifndef CONFIG_GRKERNSEC_SYSCTL
42982 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42983 + grsec_enable_audit_textrel = 1;
42985 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42986 + grsec_enable_log_rwxmaps = 1;
42988 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42989 + grsec_enable_group = 1;
42990 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
42992 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42993 + grsec_enable_chdir = 1;
42995 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42996 + grsec_enable_harden_ptrace = 1;
42998 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42999 + grsec_enable_mount = 1;
43001 +#ifdef CONFIG_GRKERNSEC_LINK
43002 + grsec_enable_link = 1;
43004 +#ifdef CONFIG_GRKERNSEC_DMESG
43005 + grsec_enable_dmesg = 1;
43007 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
43008 + grsec_enable_blackhole = 1;
43009 + grsec_lastack_retries = 4;
43011 +#ifdef CONFIG_GRKERNSEC_FIFO
43012 + grsec_enable_fifo = 1;
43014 +#ifdef CONFIG_GRKERNSEC_EXECVE
43015 + grsec_enable_execve = 1;
43017 +#ifdef CONFIG_GRKERNSEC_EXECLOG
43018 + grsec_enable_execlog = 1;
43020 +#ifdef CONFIG_GRKERNSEC_SIGNAL
43021 + grsec_enable_signal = 1;
43023 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
43024 + grsec_enable_forkfail = 1;
43026 +#ifdef CONFIG_GRKERNSEC_TIME
43027 + grsec_enable_time = 1;
43029 +#ifdef CONFIG_GRKERNSEC_RESLOG
43030 + grsec_resource_logging = 1;
43032 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
43033 + grsec_enable_chroot_findtask = 1;
43035 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
43036 + grsec_enable_chroot_unix = 1;
43038 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
43039 + grsec_enable_chroot_mount = 1;
43041 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
43042 + grsec_enable_chroot_fchdir = 1;
43044 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
43045 + grsec_enable_chroot_shmat = 1;
43047 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43048 + grsec_enable_audit_ptrace = 1;
43050 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
43051 + grsec_enable_chroot_double = 1;
43053 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
43054 + grsec_enable_chroot_pivot = 1;
43056 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
43057 + grsec_enable_chroot_chdir = 1;
43059 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
43060 + grsec_enable_chroot_chmod = 1;
43062 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
43063 + grsec_enable_chroot_mknod = 1;
43065 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
43066 + grsec_enable_chroot_nice = 1;
43068 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
43069 + grsec_enable_chroot_execlog = 1;
43071 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43072 + grsec_enable_chroot_caps = 1;
43074 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
43075 + grsec_enable_chroot_sysctl = 1;
43077 +#ifdef CONFIG_GRKERNSEC_TPE
43078 + grsec_enable_tpe = 1;
43079 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
43080 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43081 + grsec_enable_tpe_all = 1;
43084 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
43085 + grsec_enable_socket_all = 1;
43086 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
43088 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
43089 + grsec_enable_socket_client = 1;
43090 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
43092 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43093 + grsec_enable_socket_server = 1;
43094 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
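Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36)` in grsecurity_init is an undocumented magic address; it overwrites 36 bytes of the x86 BIOS Data Area keyboard buffer (head/tail pointers at 0x41a/0x41c, ring buffer 0x41e–0x43d), presumably to scrub a BIOS or bootloader password typed before the kernel took over, and should carry a comment such as `/* scrub the BIOS keyboard buffer (BDA 0x41a-0x43d) so a pre-boot password does not linger in low memory */`. The lines immediately above it are not shown in this listing; the write must sit under an x86-only guard, since on other architectures (or under a hypervisor) PAGE_OFFSET+0x41a is not the BDA — worth confirming. The sysctl default block below is straightforward and mirrors the Kconfig symbols one to one.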
43100 diff -urNp linux-2.6.38.4/grsecurity/grsec_link.c linux-2.6.38.4/grsecurity/grsec_link.c
43101 --- linux-2.6.38.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
43102 +++ linux-2.6.38.4/grsecurity/grsec_link.c 2011-04-17 15:57:32.000000000 -0400
43104 +#include <linux/kernel.h>
43105 +#include <linux/sched.h>
43106 +#include <linux/fs.h>
43107 +#include <linux/file.h>
43108 +#include <linux/grinternal.h>
43111 +gr_handle_follow_link(const struct inode *parent,
43112 + const struct inode *inode,
43113 + const struct dentry *dentry, const struct vfsmount *mnt)
43115 +#ifdef CONFIG_GRKERNSEC_LINK
43116 + const struct cred *cred = current_cred();
43118 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
43119 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
43120 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
43121 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
43129 +gr_handle_hardlink(const struct dentry *dentry,
43130 + const struct vfsmount *mnt,
43131 + struct inode *inode, const int mode, const char *to)
43133 +#ifdef CONFIG_GRKERNSEC_LINK
43134 + const struct cred *cred = current_cred();
43136 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
43137 + (!S_ISREG(mode) || (mode & S_ISUID) ||
43138 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
43139 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
43140 + !capable(CAP_FOWNER) && cred->uid) {
43141 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
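Review bot: In gr_handle_hardlink the trailing `&& cred->uid` exempts every uid-0 process regardless of the `!capable(CAP_FOWNER)` test right before it, so a root process whose capabilities have been reduced (for example by gr_handle_chroot_caps inside a chroot) can still hard-link another user's setuid or unreadable file; because CAP_FOWNER already covers unrestricted root, the uid test only weakens the check and the condition should end with `!capable(CAP_FOWNER)) {`. The rest of the predicate — non-regular file, setuid, setgid+group-exec, or not readable and writable by the caller — is the shape a protected-hardlinks policy wants. gr_handle_follow_link's sticky, world-writable, different-owner test reads correctly; its return lines are elided in this listing.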
43147 diff -urNp linux-2.6.38.4/grsecurity/grsec_log.c linux-2.6.38.4/grsecurity/grsec_log.c
43148 --- linux-2.6.38.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
43149 +++ linux-2.6.38.4/grsecurity/grsec_log.c 2011-04-17 15:57:32.000000000 -0400
43151 +#include <linux/kernel.h>
43152 +#include <linux/sched.h>
43153 +#include <linux/file.h>
43154 +#include <linux/tty.h>
43155 +#include <linux/fs.h>
43156 +#include <linux/grinternal.h>
43158 +#ifdef CONFIG_TREE_PREEMPT_RCU
43159 +#define DISABLE_PREEMPT() preempt_disable()
43160 +#define ENABLE_PREEMPT() preempt_enable()
43162 +#define DISABLE_PREEMPT()
43163 +#define ENABLE_PREEMPT()
43166 +#define BEGIN_LOCKS(x) \
43167 + DISABLE_PREEMPT(); \
43168 + rcu_read_lock(); \
43169 + read_lock(&tasklist_lock); \
43170 + read_lock(&grsec_exec_file_lock); \
43171 + if (x != GR_DO_AUDIT) \
43172 + spin_lock(&grsec_alert_lock); \
43174 + spin_lock(&grsec_audit_lock)
43176 +#define END_LOCKS(x) \
43177 + if (x != GR_DO_AUDIT) \
43178 + spin_unlock(&grsec_alert_lock); \
43180 + spin_unlock(&grsec_audit_lock); \
43181 + read_unlock(&grsec_exec_file_lock); \
43182 + read_unlock(&tasklist_lock); \
43183 + rcu_read_unlock(); \
43184 + ENABLE_PREEMPT(); \
43185 + if (x == GR_DONT_AUDIT) \
43186 + gr_handle_alertkill(current)
43193 +extern char *gr_alert_log_fmt;
43194 +extern char *gr_audit_log_fmt;
43195 +extern char *gr_alert_log_buf;
43196 +extern char *gr_audit_log_buf;
43198 +static int gr_log_start(int audit)
43200 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
43201 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
43202 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43204 + if (audit == GR_DO_AUDIT)
43207 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
43208 + grsec_alert_wtime = jiffies;
43209 + grsec_alert_fyet = 0;
43210 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
43211 + grsec_alert_fyet++;
43212 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
43213 + grsec_alert_wtime = jiffies;
43214 + grsec_alert_fyet++;
43215 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
43217 + } else return FLOODING;
43220 + memset(buf, 0, PAGE_SIZE);
43221 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
43222 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
43223 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
43224 + } else if (current->signal->curr_ip) {
43225 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
43226 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
43227 + } else if (gr_acl_is_enabled()) {
43228 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
43229 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
43231 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
43232 + strcpy(buf, fmt);
43235 + return NO_FLOODING;
43238 +static void gr_log_middle(int audit, const char *msg, va_list ap)
43239 + __attribute__ ((format (printf, 2, 0)));
43241 +static void gr_log_middle(int audit, const char *msg, va_list ap)
43243 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43244 + unsigned int len = strlen(buf);
43246 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
43251 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
43252 + __attribute__ ((format (printf, 2, 3)));
43254 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
43256 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43257 + unsigned int len = strlen(buf);
43260 + va_start(ap, msg);
43261 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
43267 +static void gr_log_end(int audit)
43269 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43270 + unsigned int len = strlen(buf);
43272 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
43273 + printk("%s\n", buf);
43278 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
43281 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
43282 + char *str1, *str2, *str3;
43285 + unsigned long ulong1, ulong2;
43286 + struct dentry *dentry;
43287 + struct vfsmount *mnt;
43288 + struct file *file;
43289 + struct task_struct *task;
43290 + const struct cred *cred, *pcred;
43293 + BEGIN_LOCKS(audit);
43294 + logtype = gr_log_start(audit);
43295 + if (logtype == FLOODING) {
43296 + END_LOCKS(audit);
43299 + va_start(ap, argtypes);
43300 + switch (argtypes) {
43301 + case GR_TTYSNIFF:
43302 + task = va_arg(ap, struct task_struct *);
43303 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
43305 + case GR_SYSCTL_HIDDEN:
43306 + str1 = va_arg(ap, char *);
43307 + gr_log_middle_varargs(audit, msg, result, str1);
43310 + dentry = va_arg(ap, struct dentry *);
43311 + mnt = va_arg(ap, struct vfsmount *);
43312 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
43314 + case GR_RBAC_STR:
43315 + dentry = va_arg(ap, struct dentry *);
43316 + mnt = va_arg(ap, struct vfsmount *);
43317 + str1 = va_arg(ap, char *);
43318 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
43320 + case GR_STR_RBAC:
43321 + str1 = va_arg(ap, char *);
43322 + dentry = va_arg(ap, struct dentry *);
43323 + mnt = va_arg(ap, struct vfsmount *);
43324 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
43326 + case GR_RBAC_MODE2:
43327 + dentry = va_arg(ap, struct dentry *);
43328 + mnt = va_arg(ap, struct vfsmount *);
43329 + str1 = va_arg(ap, char *);
43330 + str2 = va_arg(ap, char *);
43331 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
43333 + case GR_RBAC_MODE3:
43334 + dentry = va_arg(ap, struct dentry *);
43335 + mnt = va_arg(ap, struct vfsmount *);
43336 + str1 = va_arg(ap, char *);
43337 + str2 = va_arg(ap, char *);
43338 + str3 = va_arg(ap, char *);
43339 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
43341 + case GR_FILENAME:
43342 + dentry = va_arg(ap, struct dentry *);
43343 + mnt = va_arg(ap, struct vfsmount *);
43344 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
43346 + case GR_STR_FILENAME:
43347 + str1 = va_arg(ap, char *);
43348 + dentry = va_arg(ap, struct dentry *);
43349 + mnt = va_arg(ap, struct vfsmount *);
43350 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
43352 + case GR_FILENAME_STR:
43353 + dentry = va_arg(ap, struct dentry *);
43354 + mnt = va_arg(ap, struct vfsmount *);
43355 + str1 = va_arg(ap, char *);
43356 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
43358 + case GR_FILENAME_TWO_INT:
43359 + dentry = va_arg(ap, struct dentry *);
43360 + mnt = va_arg(ap, struct vfsmount *);
43361 + num1 = va_arg(ap, int);
43362 + num2 = va_arg(ap, int);
43363 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
43365 + case GR_FILENAME_TWO_INT_STR:
43366 + dentry = va_arg(ap, struct dentry *);
43367 + mnt = va_arg(ap, struct vfsmount *);
43368 + num1 = va_arg(ap, int);
43369 + num2 = va_arg(ap, int);
43370 + str1 = va_arg(ap, char *);
43371 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
43374 + file = va_arg(ap, struct file *);
43375 + ulong1 = va_arg(ap, unsigned long);
43376 + ulong2 = va_arg(ap, unsigned long);
43377 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
43380 + task = va_arg(ap, struct task_struct *);
43381 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
43383 + case GR_RESOURCE:
43384 + task = va_arg(ap, struct task_struct *);
43385 + cred = __task_cred(task);
43386 + pcred = __task_cred(task->real_parent);
43387 + ulong1 = va_arg(ap, unsigned long);
43388 + str1 = va_arg(ap, char *);
43389 + ulong2 = va_arg(ap, unsigned long);
43390 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43393 + task = va_arg(ap, struct task_struct *);
43394 + cred = __task_cred(task);
43395 + pcred = __task_cred(task->real_parent);
43396 + str1 = va_arg(ap, char *);
43397 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43400 + str1 = va_arg(ap, char *);
43401 + voidptr = va_arg(ap, void *);
43402 + gr_log_middle_varargs(audit, msg, str1, voidptr);
43405 + task = va_arg(ap, struct task_struct *);
43406 + cred = __task_cred(task);
43407 + pcred = __task_cred(task->real_parent);
43408 + num1 = va_arg(ap, int);
43409 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43412 + task = va_arg(ap, struct task_struct *);
43413 + cred = __task_cred(task);
43414 + pcred = __task_cred(task->real_parent);
43415 + ulong1 = va_arg(ap, unsigned long);
43416 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
43419 + task = va_arg(ap, struct task_struct *);
43420 + cred = __task_cred(task);
43421 + pcred = __task_cred(task->real_parent);
43422 + ulong1 = va_arg(ap, unsigned long);
43423 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
43426 + file = va_arg(ap, struct file *);
43427 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
43431 + unsigned int wday, cday;
43435 + char cur_tty[64] = { 0 };
43436 + char parent_tty[64] = { 0 };
43438 + task = va_arg(ap, struct task_struct *);
43439 + wday = va_arg(ap, unsigned int);
43440 + cday = va_arg(ap, unsigned int);
43441 + whr = va_arg(ap, int);
43442 + chr = va_arg(ap, int);
43443 + wmin = va_arg(ap, int);
43444 + cmin = va_arg(ap, int);
43445 + wsec = va_arg(ap, int);
43446 + csec = va_arg(ap, int);
43447 + ulong1 = va_arg(ap, unsigned long);
43448 + cred = __task_cred(task);
43449 + pcred = __task_cred(task->real_parent);
43451 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43455 + gr_log_middle(audit, msg, ap);
43458 + gr_log_end(audit);
43459 + END_LOCKS(audit);
43461 diff -urNp linux-2.6.38.4/grsecurity/grsec_mem.c linux-2.6.38.4/grsecurity/grsec_mem.c
43462 --- linux-2.6.38.4/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
43463 +++ linux-2.6.38.4/grsecurity/grsec_mem.c 2011-04-17 15:57:32.000000000 -0400
43465 +#include <linux/kernel.h>
43466 +#include <linux/sched.h>
43467 +#include <linux/mm.h>
43468 +#include <linux/mman.h>
43469 +#include <linux/grinternal.h>
43472 +gr_handle_ioperm(void)
43474 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
43479 +gr_handle_iopl(void)
43481 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
43486 +gr_handle_mem_readwrite(u64 from, u64 to)
43488 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
43493 +gr_handle_vm86(void)
43495 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
43498 diff -urNp linux-2.6.38.4/grsecurity/grsec_mount.c linux-2.6.38.4/grsecurity/grsec_mount.c
43499 --- linux-2.6.38.4/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
43500 +++ linux-2.6.38.4/grsecurity/grsec_mount.c 2011-04-17 15:57:32.000000000 -0400
43502 +#include <linux/kernel.h>
43503 +#include <linux/sched.h>
43504 +#include <linux/mount.h>
43505 +#include <linux/grsecurity.h>
43506 +#include <linux/grinternal.h>
43509 +gr_log_remount(const char *devname, const int retval)
43511 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43512 + if (grsec_enable_mount && (retval >= 0))
43513 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
43519 +gr_log_unmount(const char *devname, const int retval)
43521 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43522 + if (grsec_enable_mount && (retval >= 0))
43523 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
43529 +gr_log_mount(const char *from, const char *to, const int retval)
43531 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43532 + if (grsec_enable_mount && (retval >= 0))
43533 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
43539 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
43541 +#ifdef CONFIG_GRKERNSEC_ROFS
43542 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
43543 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
43552 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
43554 +#ifdef CONFIG_GRKERNSEC_ROFS
43555 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
43556 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
43557 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
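Review bot: gr_log_mount at 43533 passes `from` and `to` straight to gr_log_str_str, whereas gr_log_remount and gr_log_unmount at 43513 and 43523 substitute "none" for a NULL device name. If the mount path can hand in a NULL dev_name (the syscall allows it; whether the caller filters it is not visible here), the kernel's %s formatting prints "(null)" for that audit line while the neighbouring hooks print "none", which complicates matching on these records. Suggest `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to ? to : "none");`. The return statements of the functions in this file are not reproduced in this view.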
43564 diff -urNp linux-2.6.38.4/grsecurity/grsec_pax.c linux-2.6.38.4/grsecurity/grsec_pax.c
43565 --- linux-2.6.38.4/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
43566 +++ linux-2.6.38.4/grsecurity/grsec_pax.c 2011-04-17 15:57:32.000000000 -0400
43568 +#include <linux/kernel.h>
43569 +#include <linux/sched.h>
43570 +#include <linux/mm.h>
43571 +#include <linux/file.h>
43572 +#include <linux/grinternal.h>
43573 +#include <linux/grsecurity.h>
43576 +gr_log_textrel(struct vm_area_struct * vma)
43578 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
43579 + if (grsec_enable_audit_textrel)
43580 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
43586 +gr_log_rwxmmap(struct file *file)
43588 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
43589 + if (grsec_enable_log_rwxmaps)
43590 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
43596 +gr_log_rwxmprotect(struct file *file)
43598 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
43599 + if (grsec_enable_log_rwxmaps)
43600 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
43604 diff -urNp linux-2.6.38.4/grsecurity/grsec_ptrace.c linux-2.6.38.4/grsecurity/grsec_ptrace.c
43605 --- linux-2.6.38.4/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
43606 +++ linux-2.6.38.4/grsecurity/grsec_ptrace.c 2011-04-17 15:57:32.000000000 -0400
43608 +#include <linux/kernel.h>
43609 +#include <linux/sched.h>
43610 +#include <linux/grinternal.h>
43611 +#include <linux/grsecurity.h>
43614 +gr_audit_ptrace(struct task_struct *task)
43616 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43617 + if (grsec_enable_audit_ptrace)
43618 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
43622 diff -urNp linux-2.6.38.4/grsecurity/grsec_sig.c linux-2.6.38.4/grsecurity/grsec_sig.c
43623 --- linux-2.6.38.4/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
43624 +++ linux-2.6.38.4/grsecurity/grsec_sig.c 2011-04-17 15:57:32.000000000 -0400
43626 +#include <linux/kernel.h>
43627 +#include <linux/sched.h>
43628 +#include <linux/delay.h>
43629 +#include <linux/grsecurity.h>
43630 +#include <linux/grinternal.h>
43631 +#include <linux/hardirq.h>
43633 +char *signames[] = {
43634 + [SIGSEGV] = "Segmentation fault",
43635 + [SIGILL] = "Illegal instruction",
43636 + [SIGABRT] = "Abort",
43637 + [SIGBUS] = "Invalid alignment/Bus error"
43641 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
43643 +#ifdef CONFIG_GRKERNSEC_SIGNAL
43644 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
43645 + (sig == SIGABRT) || (sig == SIGBUS))) {
43646 + if (t->pid == current->pid) {
43647 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
43649 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
43657 +gr_handle_signal(const struct task_struct *p, const int sig)
43659 +#ifdef CONFIG_GRKERNSEC
43660 + if (current->pid > 1 && gr_check_protected_task(p)) {
43661 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
43663 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
43670 +#ifdef CONFIG_GRKERNSEC
43671 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
43673 +int gr_fake_force_sig(int sig, struct task_struct *t)
43675 + unsigned long int flags;
43676 + int ret, blocked, ignored;
43677 + struct k_sigaction *action;
43679 + spin_lock_irqsave(&t->sighand->siglock, flags);
43680 + action = &t->sighand->action[sig-1];
43681 + ignored = action->sa.sa_handler == SIG_IGN;
43682 + blocked = sigismember(&t->blocked, sig);
43683 + if (blocked || ignored) {
43684 + action->sa.sa_handler = SIG_DFL;
43686 + sigdelset(&t->blocked, sig);
43687 + recalc_sigpending_and_wake(t);
43690 + if (action->sa.sa_handler == SIG_DFL)
43691 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
43692 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
43694 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
43700 +#ifdef CONFIG_GRKERNSEC_BRUTE
43701 +#define GR_USER_BAN_TIME (15 * 60)
43703 +static int __get_dumpable(unsigned long mm_flags)
43707 + ret = mm_flags & MMF_DUMPABLE_MASK;
43708 + return (ret >= 2) ? 2 : ret;
43712 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
43714 +#ifdef CONFIG_GRKERNSEC_BRUTE
43718 + read_lock(&tasklist_lock);
43719 + read_lock(&grsec_exec_file_lock);
43720 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
43721 + p->real_parent->brute = 1;
43723 + const struct cred *cred = __task_cred(p), *cred2;
43724 + struct task_struct *tsk, *tsk2;
43726 + if (!__get_dumpable(mm_flags) && cred->uid) {
43727 + struct user_struct *user;
43731 + /* this is put upon execution past expiration */
43732 + user = find_user(uid);
43733 + if (user == NULL)
43735 + user->banned = 1;
43736 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
43737 + if (user->ban_expires == ~0UL)
43738 + user->ban_expires--;
43740 + do_each_thread(tsk2, tsk) {
43741 + cred2 = __task_cred(tsk);
43742 + if (tsk != p && cred2->uid == uid)
43743 + gr_fake_force_sig(SIGKILL, tsk);
43744 + } while_each_thread(tsk2, tsk);
43748 + read_unlock(&grsec_exec_file_lock);
43749 + read_unlock(&tasklist_lock);
43750 + rcu_read_unlock();
43753 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
43759 +void gr_handle_brute_check(void)
43761 +#ifdef CONFIG_GRKERNSEC_BRUTE
43762 + if (current->brute)
43763 + msleep(30 * 1000);
43768 +void gr_handle_kernel_exploit(void)
43770 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
43771 + const struct cred *cred;
43772 + struct task_struct *tsk, *tsk2;
43773 + struct user_struct *user;
43776 + if (in_irq() || in_serving_softirq() || in_nmi())
43777 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
43779 + uid = current_uid();
43782 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
43784 + /* kill all the processes of this user, hold a reference
43785 + to their creds struct, and prevent them from creating
43786 + another process until system reset
43788 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
43789 + /* we intentionally leak this ref */
43790 + user = get_uid(current->cred->user);
43792 + user->banned = 1;
43793 + user->ban_expires = ~0UL;
43796 + read_lock(&tasklist_lock);
43797 + do_each_thread(tsk2, tsk) {
43798 + cred = __task_cred(tsk);
43799 + if (cred->uid == uid)
43800 + gr_fake_force_sig(SIGKILL, tsk);
43801 + } while_each_thread(tsk2, tsk);
43802 + read_unlock(&tasklist_lock);
43807 +int gr_process_user_ban(void)
43809 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
43810 + if (unlikely(current->cred->user->banned)) {
43811 + struct user_struct *user = current->cred->user;
43812 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
43813 + user->banned = 0;
43814 + user->ban_expires = 0;
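Review bot: In gr_handle_brute_attach the store `user->banned = 1` at 43735 precedes the store to `user->ban_expires` at 43736, gr_handle_kernel_exploit repeats that order at 43792–43793, and gr_process_user_ban at 43810–43812 reads `banned` and then `ban_expires` with no lock shared between writer and reader. A task of the same uid running gr_process_user_ban on another CPU in that window can observe banned set while ban_expires still holds the 0 that 43814 leaves behind, so `time_after_eq(get_seconds(), 0)` is true and the ban is cleared before it takes effect. Writing the expiry first and publishing the flag last, `smp_wmb(); user->banned = 1;` placed after the ban_expires stores (with a matching `smp_rmb()` between the two reads in gr_process_user_ban), closes that window. Separately, `char *signames[]` at 43633 is an externally visible writable pointer table that only this file indexes; `static const char * const signames[]` keeps it read-only and file-local. Several lines of gr_handle_brute_attach, including the `uid` declaration and the rcu_read_lock that pairs with the unlock at 43750, are not reproduced in this view.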
43823 diff -urNp linux-2.6.38.4/grsecurity/grsec_sock.c linux-2.6.38.4/grsecurity/grsec_sock.c
43824 --- linux-2.6.38.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
43825 +++ linux-2.6.38.4/grsecurity/grsec_sock.c 2011-04-17 15:57:32.000000000 -0400
43827 +#include <linux/kernel.h>
43828 +#include <linux/module.h>
43829 +#include <linux/sched.h>
43830 +#include <linux/file.h>
43831 +#include <linux/net.h>
43832 +#include <linux/in.h>
43833 +#include <linux/ip.h>
43834 +#include <net/sock.h>
43835 +#include <net/inet_sock.h>
43836 +#include <linux/grsecurity.h>
43837 +#include <linux/grinternal.h>
43838 +#include <linux/gracl.h>
43840 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
43841 +EXPORT_SYMBOL(gr_cap_rtnetlink);
43843 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
43844 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
43846 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
43847 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
43849 +#ifdef CONFIG_UNIX_MODULE
43850 +EXPORT_SYMBOL(gr_acl_handle_unix);
43851 +EXPORT_SYMBOL(gr_acl_handle_mknod);
43852 +EXPORT_SYMBOL(gr_handle_chroot_unix);
43853 +EXPORT_SYMBOL(gr_handle_create);
43856 +#ifdef CONFIG_GRKERNSEC
43857 +#define gr_conn_table_size 32749
43858 +struct conn_table_entry {
43859 + struct conn_table_entry *next;
43860 + struct signal_struct *sig;
43863 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
43864 +DEFINE_SPINLOCK(gr_conn_table_lock);
43866 +extern const char * gr_socktype_to_name(unsigned char type);
43867 +extern const char * gr_proto_to_name(unsigned char proto);
43868 +extern const char * gr_sockfamily_to_name(unsigned char family);
43870 +static __inline__ int
43871 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
43873 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
43876 +static __inline__ int
43877 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
43878 + __u16 sport, __u16 dport)
43880 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
43881 + sig->gr_sport == sport && sig->gr_dport == dport))
43887 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
43889 + struct conn_table_entry **match;
43890 + unsigned int index;
43892 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
43893 + sig->gr_sport, sig->gr_dport,
43894 + gr_conn_table_size);
43896 + newent->sig = sig;
43898 + match = &gr_conn_table[index];
43899 + newent->next = *match;
43905 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
43907 + struct conn_table_entry *match, *last = NULL;
43908 + unsigned int index;
43910 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
43911 + sig->gr_sport, sig->gr_dport,
43912 + gr_conn_table_size);
43914 + match = gr_conn_table[index];
43915 + while (match && !conn_match(match->sig,
43916 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
43917 + sig->gr_dport)) {
43919 + match = match->next;
43924 + last->next = match->next;
43926 + gr_conn_table[index] = NULL;
43933 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
43934 + __u16 sport, __u16 dport)
43936 + struct conn_table_entry *match;
43937 + unsigned int index;
43939 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
43941 + match = gr_conn_table[index];
43942 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
43943 + match = match->next;
43946 + return match->sig;
43953 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
43955 +#ifdef CONFIG_GRKERNSEC
43956 + struct signal_struct *sig = task->signal;
43957 + struct conn_table_entry *newent;
43959 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
43960 + if (newent == NULL)
43962 + /* no bh lock needed since we are called with bh disabled */
43963 + spin_lock(&gr_conn_table_lock);
43964 + gr_del_task_from_ip_table_nolock(sig);
43965 + sig->gr_saddr = inet->inet_rcv_saddr;
43966 + sig->gr_daddr = inet->inet_daddr;
43967 + sig->gr_sport = inet->inet_sport;
43968 + sig->gr_dport = inet->inet_dport;
43969 + gr_add_to_task_ip_table_nolock(sig, newent);
43970 + spin_unlock(&gr_conn_table_lock);
43975 +void gr_del_task_from_ip_table(struct task_struct *task)
43977 +#ifdef CONFIG_GRKERNSEC
43978 + spin_lock_bh(&gr_conn_table_lock);
43979 + gr_del_task_from_ip_table_nolock(task->signal);
43980 + spin_unlock_bh(&gr_conn_table_lock);
43986 +gr_attach_curr_ip(const struct sock *sk)
43988 +#ifdef CONFIG_GRKERNSEC
43989 + struct signal_struct *p, *set;
43990 + const struct inet_sock *inet = inet_sk(sk);
43992 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
43995 + set = current->signal;
43997 + spin_lock_bh(&gr_conn_table_lock);
43998 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
43999 + inet->inet_dport, inet->inet_sport);
44000 + if (unlikely(p != NULL)) {
44001 + set->curr_ip = p->curr_ip;
44002 + set->used_accept = 1;
44003 + gr_del_task_from_ip_table_nolock(p);
44004 + spin_unlock_bh(&gr_conn_table_lock);
44007 + spin_unlock_bh(&gr_conn_table_lock);
44009 + set->curr_ip = inet->inet_daddr;
44010 + set->used_accept = 1;
44016 +gr_handle_sock_all(const int family, const int type, const int protocol)
44018 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
44019 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
44020 + (family != AF_UNIX)) {
44021 + if (family == AF_INET)
44022 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
44024 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
44032 +gr_handle_sock_server(const struct sockaddr *sck)
44034 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
44035 + if (grsec_enable_socket_server &&
44036 + in_group_p(grsec_socket_server_gid) &&
44037 + sck && (sck->sa_family != AF_UNIX) &&
44038 + (sck->sa_family != AF_LOCAL)) {
44039 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
44047 +gr_handle_sock_server_other(const struct sock *sck)
44049 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
44050 + if (grsec_enable_socket_server &&
44051 + in_group_p(grsec_socket_server_gid) &&
44052 + sck && (sck->sk_family != AF_UNIX) &&
44053 + (sck->sk_family != AF_LOCAL)) {
44054 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
44062 +gr_handle_sock_client(const struct sockaddr *sck)
44064 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
44065 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
44066 + sck && (sck->sa_family != AF_UNIX) &&
44067 + (sck->sa_family != AF_LOCAL)) {
44068 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
44076 +gr_cap_rtnetlink(struct sock *sock)
44078 +#ifdef CONFIG_GRKERNSEC
44079 + if (!gr_acl_is_enabled())
44080 + return current_cap();
44081 + else if (sock->sk_protocol == NETLINK_ISCSI &&
44082 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
44083 + gr_is_capable(CAP_SYS_ADMIN))
44084 + return current_cap();
44085 + else if (sock->sk_protocol == NETLINK_AUDIT &&
44086 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
44087 + gr_is_capable(CAP_AUDIT_WRITE) &&
44088 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
44089 + gr_is_capable(CAP_AUDIT_CONTROL))
44090 + return current_cap();
44091 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
44092 + ((sock->sk_protocol == NETLINK_ROUTE) ?
44093 + gr_is_capable_nolog(CAP_NET_ADMIN) :
44094 + gr_is_capable(CAP_NET_ADMIN)))
44095 + return current_cap();
44097 + return __cap_empty_set;
44099 + return current_cap();
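Review bot: gr_del_task_from_ip_table_nolock at 43926 sets `gr_conn_table[index] = NULL` when the matched entry is the head of its bucket (the lines between 43919 and 43926 are elided here, but 43924 handles the `last != NULL` case and 43926 reads as its alternative), which discards every entry chained behind the head instead of unlinking only the match. The orphaned entries can no longer be found by gr_lookup_task_ip_table or removed by a later gr_del_task_from_ip_table, so their memory leaks and a subsequent gr_update_task_in_ip_table for the same signal_struct adds a second entry; the head case should be `gr_conn_table[index] = match->next;`. In conn_hash at 43873 the operands `sport << 8` and `dport << 16` are evaluated after integer promotion to int, so `dport << 16` can shift into the sign bit; `((__u32)sport << 8) + ((__u32)dport << 16)` makes the intended unsigned arithmetic explicit rather than relying on the build's signed-overflow settings. The bodies of conn_match and gr_lookup_task_ip_table also have lines elided in this view, so their return paths are assumed.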
44102 diff -urNp linux-2.6.38.4/grsecurity/grsec_sysctl.c linux-2.6.38.4/grsecurity/grsec_sysctl.c
44103 --- linux-2.6.38.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
44104 +++ linux-2.6.38.4/grsecurity/grsec_sysctl.c 2011-04-17 15:57:32.000000000 -0400
44106 +#include <linux/kernel.h>
44107 +#include <linux/sched.h>
44108 +#include <linux/sysctl.h>
44109 +#include <linux/grsecurity.h>
44110 +#include <linux/grinternal.h>
44113 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
44115 +#ifdef CONFIG_GRKERNSEC_SYSCTL
44116 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
44117 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
44124 +#ifdef CONFIG_GRKERNSEC_ROFS
44125 +static int __maybe_unused one = 1;
44128 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
44129 +struct ctl_table grsecurity_table[] = {
44130 +#ifdef CONFIG_GRKERNSEC_SYSCTL
44131 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
44132 +#ifdef CONFIG_GRKERNSEC_IO
44134 + .procname = "disable_priv_io",
44135 + .data = &grsec_disable_privio,
44136 + .maxlen = sizeof(int),
44138 + .proc_handler = &proc_dointvec,
44142 +#ifdef CONFIG_GRKERNSEC_LINK
44144 + .procname = "linking_restrictions",
44145 + .data = &grsec_enable_link,
44146 + .maxlen = sizeof(int),
44148 + .proc_handler = &proc_dointvec,
44151 +#ifdef CONFIG_GRKERNSEC_FIFO
44153 + .procname = "fifo_restrictions",
44154 + .data = &grsec_enable_fifo,
44155 + .maxlen = sizeof(int),
44157 + .proc_handler = &proc_dointvec,
44160 +#ifdef CONFIG_GRKERNSEC_EXECVE
44162 + .procname = "execve_limiting",
44163 + .data = &grsec_enable_execve,
44164 + .maxlen = sizeof(int),
44166 + .proc_handler = &proc_dointvec,
44169 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44171 + .procname = "ip_blackhole",
44172 + .data = &grsec_enable_blackhole,
44173 + .maxlen = sizeof(int),
44175 + .proc_handler = &proc_dointvec,
44178 + .procname = "lastack_retries",
44179 + .data = &grsec_lastack_retries,
44180 + .maxlen = sizeof(int),
44182 + .proc_handler = &proc_dointvec,
44185 +#ifdef CONFIG_GRKERNSEC_EXECLOG
44187 + .procname = "exec_logging",
44188 + .data = &grsec_enable_execlog,
44189 + .maxlen = sizeof(int),
44191 + .proc_handler = &proc_dointvec,
44194 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
44196 + .procname = "rwxmap_logging",
44197 + .data = &grsec_enable_log_rwxmaps,
44198 + .maxlen = sizeof(int),
44200 + .proc_handler = &proc_dointvec,
44203 +#ifdef CONFIG_GRKERNSEC_SIGNAL
44205 + .procname = "signal_logging",
44206 + .data = &grsec_enable_signal,
44207 + .maxlen = sizeof(int),
44209 + .proc_handler = &proc_dointvec,
44212 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
44214 + .procname = "forkfail_logging",
44215 + .data = &grsec_enable_forkfail,
44216 + .maxlen = sizeof(int),
44218 + .proc_handler = &proc_dointvec,
44221 +#ifdef CONFIG_GRKERNSEC_TIME
44223 + .procname = "timechange_logging",
44224 + .data = &grsec_enable_time,
44225 + .maxlen = sizeof(int),
44227 + .proc_handler = &proc_dointvec,
44230 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
44232 + .procname = "chroot_deny_shmat",
44233 + .data = &grsec_enable_chroot_shmat,
44234 + .maxlen = sizeof(int),
44236 + .proc_handler = &proc_dointvec,
44239 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
44241 + .procname = "chroot_deny_unix",
44242 + .data = &grsec_enable_chroot_unix,
44243 + .maxlen = sizeof(int),
44245 + .proc_handler = &proc_dointvec,
44248 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
44250 + .procname = "chroot_deny_mount",
44251 + .data = &grsec_enable_chroot_mount,
44252 + .maxlen = sizeof(int),
44254 + .proc_handler = &proc_dointvec,
44257 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
44259 + .procname = "chroot_deny_fchdir",
44260 + .data = &grsec_enable_chroot_fchdir,
44261 + .maxlen = sizeof(int),
44263 + .proc_handler = &proc_dointvec,
44266 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
44268 + .procname = "chroot_deny_chroot",
44269 + .data = &grsec_enable_chroot_double,
44270 + .maxlen = sizeof(int),
44272 + .proc_handler = &proc_dointvec,
44275 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
44277 + .procname = "chroot_deny_pivot",
44278 + .data = &grsec_enable_chroot_pivot,
44279 + .maxlen = sizeof(int),
44281 + .proc_handler = &proc_dointvec,
44284 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
44286 + .procname = "chroot_enforce_chdir",
44287 + .data = &grsec_enable_chroot_chdir,
44288 + .maxlen = sizeof(int),
44290 + .proc_handler = &proc_dointvec,
44293 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
44295 + .procname = "chroot_deny_chmod",
44296 + .data = &grsec_enable_chroot_chmod,
44297 + .maxlen = sizeof(int),
44299 + .proc_handler = &proc_dointvec,
44302 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
44304 + .procname = "chroot_deny_mknod",
44305 + .data = &grsec_enable_chroot_mknod,
44306 + .maxlen = sizeof(int),
44308 + .proc_handler = &proc_dointvec,
44311 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
44313 + .procname = "chroot_restrict_nice",
44314 + .data = &grsec_enable_chroot_nice,
44315 + .maxlen = sizeof(int),
44317 + .proc_handler = &proc_dointvec,
44320 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
44322 + .procname = "chroot_execlog",
44323 + .data = &grsec_enable_chroot_execlog,
44324 + .maxlen = sizeof(int),
44326 + .proc_handler = &proc_dointvec,
44329 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
44331 + .procname = "chroot_caps",
44332 + .data = &grsec_enable_chroot_caps,
44333 + .maxlen = sizeof(int),
44335 + .proc_handler = &proc_dointvec,
44338 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
44340 + .procname = "chroot_deny_sysctl",
44341 + .data = &grsec_enable_chroot_sysctl,
44342 + .maxlen = sizeof(int),
44344 + .proc_handler = &proc_dointvec,
44347 +#ifdef CONFIG_GRKERNSEC_TPE
44349 + .procname = "tpe",
44350 + .data = &grsec_enable_tpe,
44351 + .maxlen = sizeof(int),
44353 + .proc_handler = &proc_dointvec,
44356 + .procname = "tpe_gid",
44357 + .data = &grsec_tpe_gid,
44358 + .maxlen = sizeof(int),
44360 + .proc_handler = &proc_dointvec,
44363 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
44365 + .procname = "tpe_invert",
44366 + .data = &grsec_enable_tpe_invert,
44367 + .maxlen = sizeof(int),
44369 + .proc_handler = &proc_dointvec,
44372 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
44374 + .procname = "tpe_restrict_all",
44375 + .data = &grsec_enable_tpe_all,
44376 + .maxlen = sizeof(int),
44378 + .proc_handler = &proc_dointvec,
44381 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
44383 + .procname = "socket_all",
44384 + .data = &grsec_enable_socket_all,
44385 + .maxlen = sizeof(int),
44387 + .proc_handler = &proc_dointvec,
44390 + .procname = "socket_all_gid",
44391 + .data = &grsec_socket_all_gid,
44392 + .maxlen = sizeof(int),
44394 + .proc_handler = &proc_dointvec,
44397 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
44399 + .procname = "socket_client",
44400 + .data = &grsec_enable_socket_client,
44401 + .maxlen = sizeof(int),
44403 + .proc_handler = &proc_dointvec,
44406 + .procname = "socket_client_gid",
44407 + .data = &grsec_socket_client_gid,
44408 + .maxlen = sizeof(int),
44410 + .proc_handler = &proc_dointvec,
44413 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
44415 + .procname = "socket_server",
44416 + .data = &grsec_enable_socket_server,
44417 + .maxlen = sizeof(int),
44419 + .proc_handler = &proc_dointvec,
44422 + .procname = "socket_server_gid",
44423 + .data = &grsec_socket_server_gid,
44424 + .maxlen = sizeof(int),
44426 + .proc_handler = &proc_dointvec,
44429 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
44431 + .procname = "audit_group",
44432 + .data = &grsec_enable_group,
44433 + .maxlen = sizeof(int),
44435 + .proc_handler = &proc_dointvec,
44438 + .procname = "audit_gid",
44439 + .data = &grsec_audit_gid,
44440 + .maxlen = sizeof(int),
44442 + .proc_handler = &proc_dointvec,
44445 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
44447 + .procname = "audit_chdir",
44448 + .data = &grsec_enable_chdir,
44449 + .maxlen = sizeof(int),
44451 + .proc_handler = &proc_dointvec,
44454 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
44456 + .procname = "audit_mount",
44457 + .data = &grsec_enable_mount,
44458 + .maxlen = sizeof(int),
44460 + .proc_handler = &proc_dointvec,
44463 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
44465 + .procname = "audit_textrel",
44466 + .data = &grsec_enable_audit_textrel,
44467 + .maxlen = sizeof(int),
44469 + .proc_handler = &proc_dointvec,
44472 +#ifdef CONFIG_GRKERNSEC_DMESG
44474 + .procname = "dmesg",
44475 + .data = &grsec_enable_dmesg,
44476 + .maxlen = sizeof(int),
44478 + .proc_handler = &proc_dointvec,
44481 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
44483 + .procname = "chroot_findtask",
44484 + .data = &grsec_enable_chroot_findtask,
44485 + .maxlen = sizeof(int),
44487 + .proc_handler = &proc_dointvec,
44490 +#ifdef CONFIG_GRKERNSEC_RESLOG
44492 + .procname = "resource_logging",
44493 + .data = &grsec_resource_logging,
44494 + .maxlen = sizeof(int),
44496 + .proc_handler = &proc_dointvec,
44499 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
44501 + .procname = "audit_ptrace",
44502 + .data = &grsec_enable_audit_ptrace,
44503 + .maxlen = sizeof(int),
44505 + .proc_handler = &proc_dointvec,
44508 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
44510 + .procname = "harden_ptrace",
44511 + .data = &grsec_enable_harden_ptrace,
44512 + .maxlen = sizeof(int),
44514 + .proc_handler = &proc_dointvec,
44518 + .procname = "grsec_lock",
44519 + .data = &grsec_lock,
44520 + .maxlen = sizeof(int),
44522 + .proc_handler = &proc_dointvec,
44525 +#ifdef CONFIG_GRKERNSEC_ROFS
44527 + .procname = "romount_protect",
44528 + .data = &grsec_enable_rofs,
44529 + .maxlen = sizeof(int),
44531 + .proc_handler = &proc_dointvec_minmax,
44539 diff -urNp linux-2.6.38.4/grsecurity/grsec_time.c linux-2.6.38.4/grsecurity/grsec_time.c
44540 --- linux-2.6.38.4/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
44541 +++ linux-2.6.38.4/grsecurity/grsec_time.c 2011-04-17 15:57:32.000000000 -0400
44543 +#include <linux/kernel.h>
44544 +#include <linux/sched.h>
44545 +#include <linux/grinternal.h>
44546 +#include <linux/module.h>
44549 +gr_log_timechange(void)
44551 +#ifdef CONFIG_GRKERNSEC_TIME
44552 + if (grsec_enable_time)
44553 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
44558 +EXPORT_SYMBOL(gr_log_timechange);
44559 diff -urNp linux-2.6.38.4/grsecurity/grsec_tpe.c linux-2.6.38.4/grsecurity/grsec_tpe.c
44560 --- linux-2.6.38.4/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
44561 +++ linux-2.6.38.4/grsecurity/grsec_tpe.c 2011-04-17 15:57:32.000000000 -0400
44563 +#include <linux/kernel.h>
44564 +#include <linux/sched.h>
44565 +#include <linux/file.h>
44566 +#include <linux/fs.h>
44567 +#include <linux/grinternal.h>
44569 +extern int gr_acl_tpe_check(void);
44572 +gr_tpe_allow(const struct file *file)
44574 +#ifdef CONFIG_GRKERNSEC
44575 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
44576 + const struct cred *cred = current_cred();
44578 + if (cred->uid && ((grsec_enable_tpe &&
44579 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
44580 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
44581 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
44583 + in_group_p(grsec_tpe_gid)
44585 + ) || gr_acl_tpe_check()) &&
44586 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
44587 + (inode->i_mode & S_IWOTH))))) {
44588 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
44591 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
44592 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
44593 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
44594 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
44595 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
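Review bot: The parent directory inode at the top of gr_tpe_allow is reached through a bare `file->f_path.dentry->d_parent->d_inode` with no reference held, so a concurrent rename can change the parent while the `i_uid`/`i_mode` checks below are still running; the usual kernel idiom is `struct dentry *parent = dget_parent(file->f_path.dentry);` followed by `dput(parent)` before each return. The first condition, `inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH)))`, is equivalent to `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`, which reads closer to what appears to be the intended rule (refuse execution from a directory that is not root-owned or is group/world writable). The hunk as printed skips lines between the two log calls and after the second, so the function's return statements and the right placement of the dput are not visible here and need checking against the full body.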
44602 diff -urNp linux-2.6.38.4/grsecurity/grsum.c linux-2.6.38.4/grsecurity/grsum.c
44603 --- linux-2.6.38.4/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
44604 +++ linux-2.6.38.4/grsecurity/grsum.c 2011-04-17 15:57:32.000000000 -0400
44606 +#include <linux/err.h>
44607 +#include <linux/kernel.h>
44608 +#include <linux/sched.h>
44609 +#include <linux/mm.h>
44610 +#include <linux/scatterlist.h>
44611 +#include <linux/crypto.h>
44612 +#include <linux/gracl.h>
44615 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
44616 +#error "crypto and sha256 must be built into the kernel"
44620 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
44623 + struct crypto_hash *tfm;
44624 + struct hash_desc desc;
44625 + struct scatterlist sg;
44626 + unsigned char temp_sum[GR_SHA_LEN];
44627 + volatile int retval = 0;
44628 + volatile int dummy = 0;
44631 + sg_init_table(&sg, 1);
44633 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
44634 + if (IS_ERR(tfm)) {
44635 + /* should never happen, since sha256 should be built in */
44642 + crypto_hash_init(&desc);
44645 + sg_set_buf(&sg, p, GR_SALT_LEN);
44646 + crypto_hash_update(&desc, &sg, sg.length);
44649 + sg_set_buf(&sg, p, strlen(p));
44651 + crypto_hash_update(&desc, &sg, sg.length);
44653 + crypto_hash_final(&desc, temp_sum);
44655 + memset(entry->pw, 0, GR_PW_LEN);
44657 + for (i = 0; i < GR_SHA_LEN; i++)
44658 + if (sum[i] != temp_sum[i])
44661 + dummy = 1; // waste a cycle
44663 + crypto_free_hash(tfm);
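Review bot: The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` in chkpw are ignored, so a failure anywhere in the hash path leaves `temp_sum` uninitialized and the byte loop then compares the stored sum against stack garbage; each call should be checked and a non-zero result treated as a failed check (`retval = 1`) before the comparison runs. The compare loop marks `retval` and `dummy` volatile so that timing does not depend on where the first mismatching byte is, which is the right intent for a password check but still relies on the compiler emitting both branches alike; a comment stating the intent would help, e.g. `/* always walk every byte: timing must not reveal the first mismatch */`. `strlen(p)` on the password buffer presumes it is NUL-terminated within `GR_PW_LEN`; the lines that assign `p` and the function's return are not shown in the hunk as printed, so whether a bound is enforced earlier cannot be confirmed from here.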
44667 diff -urNp linux-2.6.38.4/grsecurity/Kconfig linux-2.6.38.4/grsecurity/Kconfig
44668 --- linux-2.6.38.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
44669 +++ linux-2.6.38.4/grsecurity/Kconfig 2011-04-17 15:57:32.000000000 -0400
44672 +# grecurity configuration
44678 + bool "Grsecurity"
44680 + select CRYPTO_SHA256
44682 + If you say Y here, you will be able to configure many features
44683 + that will enhance the security of your system. It is highly
44684 + recommended that you say Y here and read through the help
44685 + for each option so that you fully understand the features and
44686 + can evaluate their usefulness for your machine.
44689 + prompt "Security Level"
44690 + depends on GRKERNSEC
44691 + default GRKERNSEC_CUSTOM
44693 +config GRKERNSEC_LOW
44695 + select GRKERNSEC_LINK
44696 + select GRKERNSEC_FIFO
44697 + select GRKERNSEC_EXECVE
44698 + select GRKERNSEC_RANDNET
44699 + select GRKERNSEC_DMESG
44700 + select GRKERNSEC_CHROOT
44701 + select GRKERNSEC_CHROOT_CHDIR
44704 + If you choose this option, several of the grsecurity options will
44705 + be enabled that will give you greater protection against a number
44706 + of attacks, while assuring that none of your software will have any
44707 + conflicts with the additional security measures. If you run a lot
44708 + of unusual software, or you are having problems with the higher
44709 + security levels, you should say Y here. With this option, the
44710 + following features are enabled:
44712 + - Linking restrictions
44713 + - FIFO restrictions
44714 + - Enforcing RLIMIT_NPROC on execve
44715 + - Restricted dmesg
44716 + - Enforced chdir("/") on chroot
44717 + - Runtime module disabling
44719 +config GRKERNSEC_MEDIUM
44722 + select PAX_EI_PAX
44723 + select PAX_PT_PAX_FLAGS
44724 + select PAX_HAVE_ACL_FLAGS
44725 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
44726 + select GRKERNSEC_CHROOT
44727 + select GRKERNSEC_CHROOT_SYSCTL
44728 + select GRKERNSEC_LINK
44729 + select GRKERNSEC_FIFO
44730 + select GRKERNSEC_EXECVE
44731 + select GRKERNSEC_DMESG
44732 + select GRKERNSEC_RANDNET
44733 + select GRKERNSEC_FORKFAIL
44734 + select GRKERNSEC_TIME
44735 + select GRKERNSEC_SIGNAL
44736 + select GRKERNSEC_CHROOT
44737 + select GRKERNSEC_CHROOT_UNIX
44738 + select GRKERNSEC_CHROOT_MOUNT
44739 + select GRKERNSEC_CHROOT_PIVOT
44740 + select GRKERNSEC_CHROOT_DOUBLE
44741 + select GRKERNSEC_CHROOT_CHDIR
44742 + select GRKERNSEC_CHROOT_MKNOD
44743 + select GRKERNSEC_PROC
44744 + select GRKERNSEC_PROC_USERGROUP
44745 + select PAX_RANDUSTACK
44747 + select PAX_RANDMMAP
44748 + select PAX_REFCOUNT if (X86 || SPARC64)
44749 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
44752 + If you say Y here, several features in addition to those included
44753 + in the low additional security level will be enabled. These
44754 + features provide even more security to your system, though in rare
44755 + cases they may be incompatible with very old or poorly written
44756 + software. If you enable this option, make sure that your auth
44757 + service (identd) is running as gid 1001. With this option,
44758 + the following features (in addition to those provided in the
44759 + low additional security level) will be enabled:
44761 + - Failed fork logging
44762 + - Time change logging
44764 + - Deny mounts in chroot
44765 + - Deny double chrooting
44766 + - Deny sysctl writes in chroot
44767 + - Deny mknod in chroot
44768 + - Deny access to abstract AF_UNIX sockets out of chroot
44769 + - Deny pivot_root in chroot
44770 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
44771 + - /proc restrictions with special GID set to 10 (usually wheel)
44772 + - Address Space Layout Randomization (ASLR)
44773 + - Prevent exploitation of most refcount overflows
44774 + - Bounds checking of copying between the kernel and userland
44776 +config GRKERNSEC_HIGH
44778 + select GRKERNSEC_LINK
44779 + select GRKERNSEC_FIFO
44780 + select GRKERNSEC_EXECVE
44781 + select GRKERNSEC_DMESG
44782 + select GRKERNSEC_FORKFAIL
44783 + select GRKERNSEC_TIME
44784 + select GRKERNSEC_SIGNAL
44785 + select GRKERNSEC_CHROOT
44786 + select GRKERNSEC_CHROOT_SHMAT
44787 + select GRKERNSEC_CHROOT_UNIX
44788 + select GRKERNSEC_CHROOT_MOUNT
44789 + select GRKERNSEC_CHROOT_FCHDIR
44790 + select GRKERNSEC_CHROOT_PIVOT
44791 + select GRKERNSEC_CHROOT_DOUBLE
44792 + select GRKERNSEC_CHROOT_CHDIR
44793 + select GRKERNSEC_CHROOT_MKNOD
44794 + select GRKERNSEC_CHROOT_CAPS
44795 + select GRKERNSEC_CHROOT_SYSCTL
44796 + select GRKERNSEC_CHROOT_FINDTASK
44797 + select GRKERNSEC_SYSFS_RESTRICT
44798 + select GRKERNSEC_PROC
44799 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
44800 + select GRKERNSEC_HIDESYM
44801 + select GRKERNSEC_BRUTE
44802 + select GRKERNSEC_PROC_USERGROUP
44803 + select GRKERNSEC_KMEM
44804 + select GRKERNSEC_RESLOG
44805 + select GRKERNSEC_RANDNET
44806 + select GRKERNSEC_PROC_ADD
44807 + select GRKERNSEC_CHROOT_CHMOD
44808 + select GRKERNSEC_CHROOT_NICE
44809 + select GRKERNSEC_AUDIT_MOUNT
44810 + select GRKERNSEC_MODHARDEN if (MODULES)
44811 + select GRKERNSEC_HARDEN_PTRACE
44812 + select GRKERNSEC_VM86 if (X86_32)
44813 + select GRKERNSEC_KERN_LOCKOUT if (X86)
44815 + select PAX_RANDUSTACK
44817 + select PAX_RANDMMAP
44818 + select PAX_NOEXEC
44819 + select PAX_MPROTECT
44820 + select PAX_EI_PAX
44821 + select PAX_PT_PAX_FLAGS
44822 + select PAX_HAVE_ACL_FLAGS
44823 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
44824 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
44825 + select PAX_RANDKSTACK if (X86_TSC && X86)
44826 + select PAX_SEGMEXEC if (X86_32)
44827 + select PAX_PAGEEXEC
44828 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
44829 + select PAX_EMUTRAMP if (PARISC)
44830 + select PAX_EMUSIGRT if (PARISC)
44831 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
44832 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
44833 + select PAX_REFCOUNT if (X86 || SPARC64)
44834 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
44836 + If you say Y here, many of the features of grsecurity will be
44837 + enabled, which will protect you against many kinds of attacks
44838 + against your system. The heightened security comes at a cost
44839 + of an increased chance of incompatibilities with rare software
44840 + on your machine. Since this security level enables PaX, you should
44841 + view <http://pax.grsecurity.net> and read about the PaX
44842 + project. While you are there, download chpax and run it on
44843 + binaries that cause problems with PaX. Also remember that
44844 + since the /proc restrictions are enabled, you must run your
44845 + identd as gid 1001. This security level enables the following
44846 + features in addition to those listed in the low and medium
44849 + - Additional /proc restrictions
44850 + - Chmod restrictions in chroot
44851 + - No signals, ptrace, or viewing of processes outside of chroot
44852 + - Capability restrictions in chroot
44853 + - Deny fchdir out of chroot
44854 + - Priority restrictions in chroot
44855 + - Segmentation-based implementation of PaX
44856 + - Mprotect restrictions
44857 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
44858 + - Kernel stack randomization
44859 + - Mount/unmount/remount logging
44860 + - Kernel symbol hiding
44861 + - Prevention of memory exhaustion-based exploits
44862 + - Hardening of module auto-loading
44863 + - Ptrace restrictions
44864 + - Restricted vm86 mode
44865 + - Restricted sysfs/debugfs
44866 + - Active kernel exploit response
44868 +config GRKERNSEC_CUSTOM
44871 + If you say Y here, you will be able to configure every grsecurity
44872 + option, which allows you to enable many more features that aren't
44873 + covered in the basic security levels. These additional features
44874 + include TPE, socket restrictions, and the sysctl system for
44875 + grsecurity. It is advised that you read through the help for
44876 + each option to determine its usefulness in your situation.
44880 +menu "Address Space Protection"
44881 +depends on GRKERNSEC
44883 +config GRKERNSEC_KMEM
44884 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
44885 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
44887 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
44888 + be written to via mmap or otherwise to modify the running kernel.
44889 + /dev/port will also not be allowed to be opened. If you have module
44890 + support disabled, enabling this will close up four ways that are
44891 + currently used to insert malicious code into the running kernel.
44892 + Even with all these features enabled, we still highly recommend that
44893 + you use the RBAC system, as it is still possible for an attacker to
44894 + modify the running kernel through privileged I/O granted by ioperm/iopl.
44895 + If you are not using XFree86, you may be able to stop this additional
44896 + case by enabling the 'Disable privileged I/O' option. Though nothing
44897 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
44898 + but only to video memory, which is the only writing we allow in this
44899 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
44900 + not be allowed to mprotect it with PROT_WRITE later.
44901 + It is highly recommended that you say Y here if you meet all the
44902 + conditions above.
44904 +config GRKERNSEC_VM86
44905 + bool "Restrict VM86 mode"
44906 + depends on X86_32
44909 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
44910 + make use of a special execution mode on 32bit x86 processors called
44911 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
44912 + video cards and will still work with this option enabled. The purpose
44913 + of the option is to prevent exploitation of emulation errors in
44914 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
44915 + Nearly all users should be able to enable this option.
44917 +config GRKERNSEC_IO
44918 + bool "Disable privileged I/O"
44921 + select RTC_INTF_DEV
44922 + select RTC_DRV_CMOS
44925 + If you say Y here, all ioperm and iopl calls will return an error.
44926 + Ioperm and iopl can be used to modify the running kernel.
44927 + Unfortunately, some programs need this access to operate properly,
44928 + the most notable of which are XFree86 and hwclock. hwclock can be
44929 + remedied by having RTC support in the kernel, so real-time
44930 + clock support is enabled if this option is enabled, to ensure
44931 + that hwclock operates correctly. XFree86 still will not
44932 + operate correctly with this option enabled, so DO NOT CHOOSE Y
44933 + IF YOU USE XFree86. If you use XFree86 and you still want to
44934 + protect your kernel against modification, use the RBAC system.
44936 +config GRKERNSEC_PROC_MEMMAP
44937 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
44938 + default y if (PAX_NOEXEC || PAX_ASLR)
44939 + depends on PAX_NOEXEC || PAX_ASLR
44941 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
44942 + give no information about the addresses of its mappings if
44943 + PaX features that rely on random addresses are enabled on the task.
44944 + If you use PaX it is greatly recommended that you say Y here as it
44945 + closes up a hole that makes the full ASLR useless for suid
44948 +config GRKERNSEC_BRUTE
44949 + bool "Deter exploit bruteforcing"
44951 + If you say Y here, attempts to bruteforce exploits against forking
44952 + daemons such as apache or sshd, as well as against suid/sgid binaries
44953 + will be deterred. When a child of a forking daemon is killed by PaX
44954 + or crashes due to an illegal instruction or other suspicious signal,
44955 + the parent process will be delayed 30 seconds upon every subsequent
44956 + fork until the administrator is able to assess the situation and
44957 + restart the daemon.
44958 + In the suid/sgid case, the attempt is logged, the user has all their
44959 + processes terminated, and they are prevented from executing any further
44960 + processes for 15 minutes.
44961 + It is recommended that you also enable signal logging in the auditing
44962 + section so that logs are generated when a process triggers a suspicious
44965 +config GRKERNSEC_MODHARDEN
44966 + bool "Harden module auto-loading"
44967 + depends on MODULES
44969 + If you say Y here, module auto-loading in response to use of some
44970 + feature implemented by an unloaded module will be restricted to
44971 + root users. Enabling this option helps defend against attacks
44972 + by unprivileged users who abuse the auto-loading behavior to
44973 + cause a vulnerable module to load that is then exploited.
44975 + If this option prevents a legitimate use of auto-loading for a
44976 + non-root user, the administrator can execute modprobe manually
44977 + with the exact name of the module mentioned in the alert log.
44978 + Alternatively, the administrator can add the module to the list
44979 + of modules loaded at boot by modifying init scripts.
44981 + Modification of init scripts will most likely be needed on
44982 + Ubuntu servers with encrypted home directory support enabled,
44983 + as the first non-root user logging in will cause the ecb(aes),
44984 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
44986 +config GRKERNSEC_HIDESYM
44987 + bool "Hide kernel symbols"
44989 + If you say Y here, getting information on loaded modules, and
44990 + displaying all kernel symbols through a syscall will be restricted
44991 + to users with CAP_SYS_MODULE. For software compatibility reasons,
44992 + /proc/kallsyms will be restricted to the root user. The RBAC
44993 + system can hide that entry even from root.
44995 + This option also prevents leaking of kernel addresses through
44996 + several /proc entries.
44998 + Note that this option is only effective provided the following
44999 + conditions are met:
45000 + 1) The kernel using grsecurity is not precompiled by some distribution
45001 + 2) You have also enabled GRKERNSEC_DMESG
45002 + 3) You are using the RBAC system and hiding other files such as your
45003 + kernel image and System.map. Alternatively, enabling this option
45004 + causes the permissions on /boot, /lib/modules, and the kernel
45005 + source directory to change at compile time to prevent
45006 + reading by non-root users.
45007 + If the above conditions are met, this option will aid in providing a
45008 + useful protection against local kernel exploitation of overflows
45009 + and arbitrary read/write vulnerabilities.
45011 +config GRKERNSEC_KERN_LOCKOUT
45012 + bool "Active kernel exploit response"
45015 + If you say Y here, when a PaX alert is triggered due to suspicious
45016 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
45017 + or an OOPs occurs due to bad memory accesses, instead of just
45018 + terminating the offending process (and potentially allowing
45019 + a subsequent exploit from the same user), we will take one of two
45021 + If the user was root, we will panic the system
45022 + If the user was non-root, we will log the attempt, terminate
45023 + all processes owned by the user, then prevent them from creating
45024 + any new processes until the system is restarted
45025 + This deters repeated kernel exploitation/bruteforcing attempts
45026 + and is useful for later forensics.
45029 +menu "Role Based Access Control Options"
45030 +depends on GRKERNSEC
45032 +config GRKERNSEC_RBAC_DEBUG
45035 +config GRKERNSEC_NO_RBAC
45036 + bool "Disable RBAC system"
45038 + If you say Y here, the /dev/grsec device will be removed from the kernel,
45039 + preventing the RBAC system from being enabled. You should only say Y
45040 + here if you have no intention of using the RBAC system, so as to prevent
45041 + an attacker with root access from misusing the RBAC system to hide files
45042 + and processes when loadable module support and /dev/[k]mem have been
45045 +config GRKERNSEC_ACL_HIDEKERN
45046 + bool "Hide kernel processes"
45048 + If you say Y here, all kernel threads will be hidden to all
45049 + processes but those whose subject has the "view hidden processes"
45052 +config GRKERNSEC_ACL_MAXTRIES
45053 + int "Maximum tries before password lockout"
45056 + This option enforces the maximum number of times a user can attempt
45057 + to authorize themselves with the grsecurity RBAC system before being
45058 + denied the ability to attempt authorization again for a specified time.
45059 + The lower the number, the harder it will be to brute-force a password.
45061 +config GRKERNSEC_ACL_TIMEOUT
45062 + int "Time to wait after max password tries, in seconds"
45065 + This option specifies the time the user must wait after attempting to
45066 + authorize to the RBAC system with the maximum number of invalid
45067 + passwords. The higher the number, the harder it will be to brute-force
45071 +menu "Filesystem Protections"
45072 +depends on GRKERNSEC
45074 +config GRKERNSEC_PROC
45075 + bool "Proc restrictions"
45077 + If you say Y here, the permissions of the /proc filesystem
45078 + will be altered to enhance system security and privacy. You MUST
45079 + choose either a user only restriction or a user and group restriction.
45080 + Depending upon the option you choose, you can either restrict users to
45081 + see only the processes they themselves run, or choose a group that can
45082 + view all processes and files normally restricted to root if you choose
45083 + the "restrict to user only" option. NOTE: If you're running identd as
45084 + a non-root user, you will have to run it as the group you specify here.
45086 +config GRKERNSEC_PROC_USER
45087 + bool "Restrict /proc to user only"
45088 + depends on GRKERNSEC_PROC
45090 + If you say Y here, non-root users will only be able to view their own
45091 + processes, and restricts them from viewing network-related information,
45092 + and viewing kernel symbol and module information.
45094 +config GRKERNSEC_PROC_USERGROUP
45095 + bool "Allow special group"
45096 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
45098 + If you say Y here, you will be able to select a group that will be
45099 + able to view all processes and network-related information. If you've
45100 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
45101 + remain hidden. This option is useful if you want to run identd as
45104 +config GRKERNSEC_PROC_GID
45105 + int "GID for special group"
45106 + depends on GRKERNSEC_PROC_USERGROUP
45109 +config GRKERNSEC_PROC_ADD
45110 + bool "Additional restrictions"
45111 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
45113 + If you say Y here, additional restrictions will be placed on
45114 + /proc that keep normal users from viewing device information and
45115 + slabinfo information that could be useful for exploits.
45117 +config GRKERNSEC_LINK
45118 + bool "Linking restrictions"
45120 + If you say Y here, /tmp race exploits will be prevented, since users
45121 + will no longer be able to follow symlinks owned by other users in
45122 + world-writable +t directories (e.g. /tmp), unless the owner of the
45123 + symlink is the owner of the directory. users will also not be
45124 + able to hardlink to files they do not own. If the sysctl option is
45125 + enabled, a sysctl option with name "linking_restrictions" is created.
45127 +config GRKERNSEC_FIFO
45128 + bool "FIFO restrictions"
45130 + If you say Y here, users will not be able to write to FIFOs they don't
45131 + own in world-writable +t directories (e.g. /tmp), unless the owner of
45132 + the FIFO is the same owner of the directory it's held in. If the sysctl
45133 + option is enabled, a sysctl option with name "fifo_restrictions" is
45136 +config GRKERNSEC_SYSFS_RESTRICT
45137 + bool "Sysfs/debugfs restriction"
45140 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
45141 + any filesystem normally mounted under it (e.g. debugfs) will only
45142 + be accessible by root. These filesystems generally provide access
45143 + to hardware and debug information that isn't appropriate for unprivileged
45144 + users of the system. Sysfs and debugfs have also become a large source
45145 + of new vulnerabilities, ranging from infoleaks to local compromise.
45146 + There has been very little oversight with an eye toward security involved
45147 + in adding new exporters of information to these filesystems, so their
45148 + use is discouraged.
45149 + This option is equivalent to a chmod 0700 of the mount paths.
45151 +config GRKERNSEC_ROFS
45152 + bool "Runtime read-only mount protection"
45154 + If you say Y here, a sysctl option with name "romount_protect" will
45155 + be created. By setting this option to 1 at runtime, filesystems
45156 + will be protected in the following ways:
45157 + * No new writable mounts will be allowed
45158 + * Existing read-only mounts won't be able to be remounted read/write
45159 + * Write operations will be denied on all block devices
45160 + This option acts independently of grsec_lock: once it is set to 1,
45161 + it cannot be turned off. Therefore, please be mindful of the resulting
45162 + behavior if this option is enabled in an init script on a read-only
45163 + filesystem. This feature is mainly intended for secure embedded systems.
45165 +config GRKERNSEC_CHROOT
45166 + bool "Chroot jail restrictions"
45168 + If you say Y here, you will be able to choose several options that will
45169 + make breaking out of a chrooted jail much more difficult. If you
45170 + encounter no software incompatibilities with the following options, it
45171 + is recommended that you enable each one.
45173 +config GRKERNSEC_CHROOT_MOUNT
45174 + bool "Deny mounts"
45175 + depends on GRKERNSEC_CHROOT
45177 + If you say Y here, processes inside a chroot will not be able to
45178 + mount or remount filesystems. If the sysctl option is enabled, a
45179 + sysctl option with name "chroot_deny_mount" is created.
45181 +config GRKERNSEC_CHROOT_DOUBLE
45182 + bool "Deny double-chroots"
45183 + depends on GRKERNSEC_CHROOT
45185 + If you say Y here, processes inside a chroot will not be able to chroot
45186 + again outside the chroot. This is a widely used method of breaking
45187 + out of a chroot jail and should not be allowed. If the sysctl
45188 + option is enabled, a sysctl option with name
45189 + "chroot_deny_chroot" is created.
45191 +config GRKERNSEC_CHROOT_PIVOT
45192 + bool "Deny pivot_root in chroot"
45193 + depends on GRKERNSEC_CHROOT
45195 + If you say Y here, processes inside a chroot will not be able to use
45196 + a function called pivot_root() that was introduced in Linux 2.3.41. It
45197 + works similar to chroot in that it changes the root filesystem. This
45198 + function could be misused in a chrooted process to attempt to break out
45199 + of the chroot, and therefore should not be allowed. If the sysctl
45200 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
45203 +config GRKERNSEC_CHROOT_CHDIR
45204 + bool "Enforce chdir(\"/\") on all chroots"
45205 + depends on GRKERNSEC_CHROOT
45207 + If you say Y here, the current working directory of all newly-chrooted
45208 + applications will be set to the the root directory of the chroot.
45209 + The man page on chroot(2) states:
45210 + Note that this call does not change the current working
45211 + directory, so that `.' can be outside the tree rooted at
45212 + `/'. In particular, the super-user can escape from a
45213 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
45215 + It is recommended that you say Y here, since it's not known to break
45216 + any software. If the sysctl option is enabled, a sysctl option with
45217 + name "chroot_enforce_chdir" is created.
45219 +config GRKERNSEC_CHROOT_CHMOD
45220 + bool "Deny (f)chmod +s"
45221 + depends on GRKERNSEC_CHROOT
45223 + If you say Y here, processes inside a chroot will not be able to chmod
45224 + or fchmod files to make them have suid or sgid bits. This protects
45225 + against another published method of breaking a chroot. If the sysctl
45226 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
45229 +config GRKERNSEC_CHROOT_FCHDIR
45230 + bool "Deny fchdir out of chroot"
45231 + depends on GRKERNSEC_CHROOT
45233 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
45234 + to a file descriptor of the chrooting process that points to a directory
45235 + outside the filesystem will be stopped. If the sysctl option
45236 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
45238 +config GRKERNSEC_CHROOT_MKNOD
45239 + bool "Deny mknod"
45240 + depends on GRKERNSEC_CHROOT
45242 + If you say Y here, processes inside a chroot will not be allowed to
45243 + mknod. The problem with using mknod inside a chroot is that it
45244 + would allow an attacker to create a device entry that is the same
45245 + as one on the physical root of your system, which could range from
45246 + anything from the console device to a device for your harddrive (which
45247 + they could then use to wipe the drive or steal data). It is recommended
45248 + that you say Y here, unless you run into software incompatibilities.
45249 + If the sysctl option is enabled, a sysctl option with name
45250 + "chroot_deny_mknod" is created.
45252 +config GRKERNSEC_CHROOT_SHMAT
45253 + bool "Deny shmat() out of chroot"
45254 + depends on GRKERNSEC_CHROOT
45256 + If you say Y here, processes inside a chroot will not be able to attach
45257 + to shared memory segments that were created outside of the chroot jail.
45258 + It is recommended that you say Y here. If the sysctl option is enabled,
45259 + a sysctl option with name "chroot_deny_shmat" is created.
45261 +config GRKERNSEC_CHROOT_UNIX
45262 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
45263 + depends on GRKERNSEC_CHROOT
45265 + If you say Y here, processes inside a chroot will not be able to
45266 + connect to abstract (meaning not belonging to a filesystem) Unix
45267 + domain sockets that were bound outside of a chroot. It is recommended
45268 + that you say Y here. If the sysctl option is enabled, a sysctl option
45269 + with name "chroot_deny_unix" is created.
45271 +config GRKERNSEC_CHROOT_FINDTASK
45272 + bool "Protect outside processes"
45273 + depends on GRKERNSEC_CHROOT
45275 + If you say Y here, processes inside a chroot will not be able to
45276 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
45277 + getsid, or view any process outside of the chroot. If the sysctl
45278 + option is enabled, a sysctl option with name "chroot_findtask" is
45281 +config GRKERNSEC_CHROOT_NICE
45282 + bool "Restrict priority changes"
45283 + depends on GRKERNSEC_CHROOT
45285 + If you say Y here, processes inside a chroot will not be able to raise
45286 + the priority of processes in the chroot, or alter the priority of
45287 + processes outside the chroot. This provides more security than simply
45288 + removing CAP_SYS_NICE from the process' capability set. If the
45289 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
45292 +config GRKERNSEC_CHROOT_SYSCTL
45293 + bool "Deny sysctl writes"
45294 + depends on GRKERNSEC_CHROOT
45296 + If you say Y here, an attacker in a chroot will not be able to
45297 + write to sysctl entries, either by sysctl(2) or through a /proc
45298 + interface. It is strongly recommended that you say Y here. If the
45299 + sysctl option is enabled, a sysctl option with name
45300 + "chroot_deny_sysctl" is created.
45302 +config GRKERNSEC_CHROOT_CAPS
45303 + bool "Capability restrictions"
45304 + depends on GRKERNSEC_CHROOT
45306 + If you say Y here, the capabilities on all root processes within a
45307 + chroot jail will be lowered to stop module insertion, raw i/o,
45308 + system and net admin tasks, rebooting the system, modifying immutable
45309 + files, modifying IPC owned by another, and changing the system time.
45310 + This is left an option because it can break some apps. Disable this
45311 + if your chrooted apps are having problems performing those kinds of
45312 + tasks. If the sysctl option is enabled, a sysctl option with
45313 + name "chroot_caps" is created.
45316 +menu "Kernel Auditing"
45317 +depends on GRKERNSEC
45319 +config GRKERNSEC_AUDIT_GROUP
45320 + bool "Single group for auditing"
45322 + If you say Y here, the exec, chdir, and (un)mount logging features
45323 + will only operate on a group you specify. This option is recommended
45324 + if you only want to watch certain users instead of having a large
45325 + amount of logs from the entire system. If the sysctl option is enabled,
45326 + a sysctl option with name "audit_group" is created.
45328 +config GRKERNSEC_AUDIT_GID
45329 + int "GID for auditing"
45330 + depends on GRKERNSEC_AUDIT_GROUP
45333 +config GRKERNSEC_EXECLOG
45334 + bool "Exec logging"
45336 + If you say Y here, all execve() calls will be logged (since the
45337 + other exec*() calls are frontends to execve(), all execution
45338 + will be logged). Useful for shell-servers that like to keep track
45339 + of their users. If the sysctl option is enabled, a sysctl option with
45340 + name "exec_logging" is created.
45341 + WARNING: This option when enabled will produce a LOT of logs, especially
45342 + on an active system.
45344 +config GRKERNSEC_RESLOG
45345 + bool "Resource logging"
45347 + If you say Y here, all attempts to overstep resource limits will
45348 + be logged with the resource name, the requested size, and the current
45349 + limit. It is highly recommended that you say Y here. If the sysctl
45350 + option is enabled, a sysctl option with name "resource_logging" is
45351 + created. If the RBAC system is enabled, the sysctl value is ignored.
45353 +config GRKERNSEC_CHROOT_EXECLOG
45354 + bool "Log execs within chroot"
45356 + If you say Y here, all executions inside a chroot jail will be logged
45357 + to syslog. This can cause a large amount of logs if certain
45358 + applications (eg. djb's daemontools) are installed on the system, and
45359 + is therefore left as an option. If the sysctl option is enabled, a
45360 + sysctl option with name "chroot_execlog" is created.
45362 +config GRKERNSEC_AUDIT_PTRACE
45363 + bool "Ptrace logging"
45365 + If you say Y here, all attempts to attach to a process via ptrace
45366 + will be logged. If the sysctl option is enabled, a sysctl option
45367 + with name "audit_ptrace" is created.
45369 +config GRKERNSEC_AUDIT_CHDIR
45370 + bool "Chdir logging"
45372 + If you say Y here, all chdir() calls will be logged. If the sysctl
45373 + option is enabled, a sysctl option with name "audit_chdir" is created.
45375 +config GRKERNSEC_AUDIT_MOUNT
45376 + bool "(Un)Mount logging"
45378 + If you say Y here, all mounts and unmounts will be logged. If the
45379 + sysctl option is enabled, a sysctl option with name "audit_mount" is
45382 +config GRKERNSEC_SIGNAL
45383 + bool "Signal logging"
45385 + If you say Y here, certain important signals will be logged, such as
45386 + SIGSEGV, which will as a result inform you of when a error in a program
45387 + occurred, which in some cases could mean a possible exploit attempt.
45388 + If the sysctl option is enabled, a sysctl option with name
45389 + "signal_logging" is created.
45391 +config GRKERNSEC_FORKFAIL
45392 + bool "Fork failure logging"
45394 + If you say Y here, all failed fork() attempts will be logged.
45395 + This could suggest a fork bomb, or someone attempting to overstep
45396 + their process limit. If the sysctl option is enabled, a sysctl option
45397 + with name "forkfail_logging" is created.
45399 +config GRKERNSEC_TIME
45400 + bool "Time change logging"
45402 + If you say Y here, any changes of the system clock will be logged.
45403 + If the sysctl option is enabled, a sysctl option with name
45404 + "timechange_logging" is created.
45406 +config GRKERNSEC_PROC_IPADDR
45407 + bool "/proc/<pid>/ipaddr support"
45409 + If you say Y here, a new entry will be added to each /proc/<pid>
45410 + directory that contains the IP address of the person using the task.
45411 + The IP is carried across local TCP and AF_UNIX stream sockets.
45412 + This information can be useful for IDS/IPSes to perform remote response
45413 + to a local attack. The entry is readable by only the owner of the
45414 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
45415 + the RBAC system), and thus does not create privacy concerns.
45417 +config GRKERNSEC_RWXMAP_LOG
45418 + bool 'Denied RWX mmap/mprotect logging'
45419 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
45421 + If you say Y here, calls to mmap() and mprotect() with explicit
45422 + usage of PROT_WRITE and PROT_EXEC together will be logged when
45423 + denied by the PAX_MPROTECT feature. If the sysctl option is
45424 + enabled, a sysctl option with name "rwxmap_logging" is created.
45426 +config GRKERNSEC_AUDIT_TEXTREL
45427 + bool 'ELF text relocations logging (READ HELP)'
45428 + depends on PAX_MPROTECT
45430 + If you say Y here, text relocations will be logged with the filename
45431 + of the offending library or binary. The purpose of the feature is
45432 + to help Linux distribution developers get rid of libraries and
45433 + binaries that need text relocations which hinder the future progress
45434 + of PaX. Only Linux distribution developers should say Y here, and
45435 + never on a production machine, as this option creates an information
45436 + leak that could aid an attacker in defeating the randomization of
45437 + a single memory region. If the sysctl option is enabled, a sysctl
45438 + option with name "audit_textrel" is created.
45442 +menu "Executable Protections"
45443 +depends on GRKERNSEC
45445 +config GRKERNSEC_EXECVE
45446 + bool "Enforce RLIMIT_NPROC on execs"
45448 + If you say Y here, users with a resource limit on processes will
45449 + have the value checked during execve() calls. The current system
45450 + only checks the system limit during fork() calls. If the sysctl option
45451 + is enabled, a sysctl option with name "execve_limiting" is created.
45453 +config GRKERNSEC_DMESG
45454 + bool "Dmesg(8) restriction"
45456 + If you say Y here, non-root users will not be able to use dmesg(8)
45457 + to view up to the last 4kb of messages in the kernel's log buffer.
45458 + The kernel's log buffer often contains kernel addresses and other
45459 + identifying information useful to an attacker in fingerprinting a
45460 + system for a targeted exploit.
45461 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
45464 +config GRKERNSEC_HARDEN_PTRACE
45465 + bool "Deter ptrace-based process snooping"
45467 + If you say Y here, TTY sniffers and other malicious monitoring
45468 + programs implemented through ptrace will be defeated. If you
45469 + have been using the RBAC system, this option has already been
45470 + enabled for several years for all users, with the ability to make
45471 + fine-grained exceptions.
45473 + This option only affects the ability of non-root users to ptrace
45474 + processes that are not a descendent of the ptracing process.
45475 + This means that strace ./binary and gdb ./binary will still work,
45476 + but attaching to arbitrary processes will not. If the sysctl
45477 + option is enabled, a sysctl option with name "harden_ptrace" is
45480 +config GRKERNSEC_TPE
45481 + bool "Trusted Path Execution (TPE)"
45483 + If you say Y here, you will be able to choose a gid to add to the
45484 + supplementary groups of users you want to mark as "untrusted."
45485 + These users will not be able to execute any files that are not in
45486 + root-owned directories writable only by root. If the sysctl option
45487 + is enabled, a sysctl option with name "tpe" is created.
45489 +config GRKERNSEC_TPE_ALL
45490 + bool "Partially restrict all non-root users"
45491 + depends on GRKERNSEC_TPE
45493 + If you say Y here, all non-root users will be covered under
45494 + a weaker TPE restriction. This is separate from, and in addition to,
45495 + the main TPE options that you have selected elsewhere. Thus, if a
45496 + "trusted" GID is chosen, this restriction applies to even that GID.
45497 + Under this restriction, all non-root users will only be allowed to
45498 + execute files in directories they own that are not group or
45499 + world-writable, or in directories owned by root and writable only by
45500 + root. If the sysctl option is enabled, a sysctl option with name
45501 + "tpe_restrict_all" is created.
45503 +config GRKERNSEC_TPE_INVERT
45504 + bool "Invert GID option"
45505 + depends on GRKERNSEC_TPE
45507 + If you say Y here, the group you specify in the TPE configuration will
45508 + decide what group TPE restrictions will be *disabled* for. This
45509 + option is useful if you want TPE restrictions to be applied to most
45510 + users on the system. If the sysctl option is enabled, a sysctl option
45511 + with name "tpe_invert" is created. Unlike other sysctl options, this
45512 + entry will default to on for backward-compatibility.
45514 +config GRKERNSEC_TPE_GID
45515 + int "GID for untrusted users"
45516 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
45519 + Setting this GID determines what group TPE restrictions will be
45520 + *enabled* for. If the sysctl option is enabled, a sysctl option
45521 + with name "tpe_gid" is created.
45523 +config GRKERNSEC_TPE_GID
45524 + int "GID for trusted users"
45525 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
45528 + Setting this GID determines what group TPE restrictions will be
45529 + *disabled* for. If the sysctl option is enabled, a sysctl option
45530 + with name "tpe_gid" is created.
45533 +menu "Network Protections"
45534 +depends on GRKERNSEC
45536 +config GRKERNSEC_RANDNET
45537 + bool "Larger entropy pools"
45539 + If you say Y here, the entropy pools used for many features of Linux
45540 + and grsecurity will be doubled in size. Since several grsecurity
45541 + features use additional randomness, it is recommended that you say Y
45542 + here. Saying Y here has a similar effect as modifying
45543 + /proc/sys/kernel/random/poolsize.
45545 +config GRKERNSEC_BLACKHOLE
45546 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
45548 + If you say Y here, neither TCP resets nor ICMP
45549 + destination-unreachable packets will be sent in response to packets
45550 + sent to ports for which no associated listening process exists.
45551 + This feature supports both IPV4 and IPV6 and exempts the
45552 + loopback interface from blackholing. Enabling this feature
45553 + makes a host more resilient to DoS attacks and reduces network
45554 + visibility against scanners.
45556 + The blackhole feature as-implemented is equivalent to the FreeBSD
45557 + blackhole feature, as it prevents RST responses to all packets, not
45558 + just SYNs. Under most application behavior this causes no
45559 + problems, but applications (like haproxy) may not close certain
45560 + connections in a way that cleanly terminates them on the remote
45561 + end, leaving the remote host in LAST_ACK state. Because of this
45562 + side-effect and to prevent intentional LAST_ACK DoSes, this
45563 + feature also adds automatic mitigation against such attacks.
45564 + The mitigation drastically reduces the amount of time a socket
45565 + can spend in LAST_ACK state. If you're using haproxy and not
45566 + all servers it connects to have this option enabled, consider
45567 + disabling this feature on the haproxy host.
45569 + If the sysctl option is enabled, two sysctl options with names
45570 + "ip_blackhole" and "lastack_retries" will be created.
45571 + While "ip_blackhole" takes the standard zero/non-zero on/off
45572 + toggle, "lastack_retries" uses the same kinds of values as
45573 + "tcp_retries1" and "tcp_retries2". The default value of 4
45574 + prevents a socket from lasting more than 45 seconds in LAST_ACK
45577 +config GRKERNSEC_SOCKET
45578 + bool "Socket restrictions"
45580 + If you say Y here, you will be able to choose from several options.
45581 + If you assign a GID on your system and add it to the supplementary
45582 + groups of users you want to restrict socket access to, this patch
45583 + will perform up to three things, based on the option(s) you choose.
45585 +config GRKERNSEC_SOCKET_ALL
45586 + bool "Deny any sockets to group"
45587 + depends on GRKERNSEC_SOCKET
45589 + If you say Y here, you will be able to choose a GID of whose users will
45590 + be unable to connect to other hosts from your machine or run server
45591 + applications from your machine. If the sysctl option is enabled, a
45592 + sysctl option with name "socket_all" is created.
45594 +config GRKERNSEC_SOCKET_ALL_GID
45595 + int "GID to deny all sockets for"
45596 + depends on GRKERNSEC_SOCKET_ALL
45599 + Here you can choose the GID to disable socket access for. Remember to
45600 + add the users you want socket access disabled for to the GID
45601 + specified here. If the sysctl option is enabled, a sysctl option
45602 + with name "socket_all_gid" is created.
45604 +config GRKERNSEC_SOCKET_CLIENT
45605 + bool "Deny client sockets to group"
45606 + depends on GRKERNSEC_SOCKET
45608 + If you say Y here, you will be able to choose a GID of whose users will
45609 + be unable to connect to other hosts from your machine, but will be
45610 + able to run servers. If this option is enabled, all users in the group
45611 + you specify will have to use passive mode when initiating ftp transfers
45612 + from the shell on your machine. If the sysctl option is enabled, a
45613 + sysctl option with name "socket_client" is created.
45615 +config GRKERNSEC_SOCKET_CLIENT_GID
45616 + int "GID to deny client sockets for"
45617 + depends on GRKERNSEC_SOCKET_CLIENT
45620 + Here you can choose the GID to disable client socket access for.
45621 + Remember to add the users you want client socket access disabled for to
45622 + the GID specified here. If the sysctl option is enabled, a sysctl
45623 + option with name "socket_client_gid" is created.
45625 +config GRKERNSEC_SOCKET_SERVER
45626 + bool "Deny server sockets to group"
45627 + depends on GRKERNSEC_SOCKET
45629 + If you say Y here, you will be able to choose a GID of whose users will
45630 + be unable to run server applications from your machine. If the sysctl
45631 + option is enabled, a sysctl option with name "socket_server" is created.
45633 +config GRKERNSEC_SOCKET_SERVER_GID
45634 + int "GID to deny server sockets for"
45635 + depends on GRKERNSEC_SOCKET_SERVER
45638 + Here you can choose the GID to disable server socket access for.
45639 + Remember to add the users you want server socket access disabled for to
45640 + the GID specified here. If the sysctl option is enabled, a sysctl
45641 + option with name "socket_server_gid" is created.
45644 +menu "Sysctl support"
45645 +depends on GRKERNSEC && SYSCTL
45647 +config GRKERNSEC_SYSCTL
45648 + bool "Sysctl support"
45650 + If you say Y here, you will be able to change the options that
45651 + grsecurity runs with at bootup, without having to recompile your
45652 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
45653 + to enable (1) or disable (0) various features. All the sysctl entries
45654 + are mutable until the "grsec_lock" entry is set to a non-zero value.
45655 + All features enabled in the kernel configuration are disabled at boot
45656 + if you do not say Y to the "Turn on features by default" option.
45657 + All options should be set at startup, and the grsec_lock entry should
45658 + be set to a non-zero value after all the options are set.
45659 + *THIS IS EXTREMELY IMPORTANT*
45661 +config GRKERNSEC_SYSCTL_DISTRO
45662 + bool "Extra sysctl support for distro makers (READ HELP)"
45663 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
45665 + If you say Y here, additional sysctl options will be created
45666 + for features that affect processes running as root. Therefore,
45667 + it is critical when using this option that the grsec_lock entry be
45668 + enabled after boot. Only distros with prebuilt kernel packages
45669 + with this option enabled that can ensure grsec_lock is enabled
45670 + after boot should use this option.
45671 + *Failure to set grsec_lock after boot makes all grsec features
45672 + this option covers useless*
45674 + Currently this option creates the following sysctl entries:
45675 + "Disable Privileged I/O": "disable_priv_io"
45677 +config GRKERNSEC_SYSCTL_ON
45678 + bool "Turn on features by default"
45679 + depends on GRKERNSEC_SYSCTL
45681 + If you say Y here, instead of having all features enabled in the
45682 + kernel configuration disabled at boot time, the features will be
45683 + enabled at boot time. It is recommended you say Y here unless
45684 + there is some reason you would want all sysctl-tunable features to
45685 + be disabled by default. As mentioned elsewhere, it is important
45686 + to enable the grsec_lock entry once you have finished modifying
45687 + the sysctl entries.
45690 +menu "Logging Options"
45691 +depends on GRKERNSEC
45693 +config GRKERNSEC_FLOODTIME
45694 + int "Seconds in between log messages (minimum)"
45697 + This option allows you to enforce the number of seconds between
45698 + grsecurity log messages. The default should be suitable for most
45699 + people, however, if you choose to change it, choose a value small enough
45700 + to allow informative logs to be produced, but large enough to
45701 + prevent flooding.
45703 +config GRKERNSEC_FLOODBURST
45704 + int "Number of messages in a burst (maximum)"
45707 + This option allows you to choose the maximum number of messages allowed
45708 + within the flood time interval you chose in a separate option. The
45709 + default should be suitable for most people, however if you find that
45710 + many of your logs are being interpreted as flooding, you may want to
45711 + raise this value.
45716 diff -urNp linux-2.6.38.4/grsecurity/Makefile linux-2.6.38.4/grsecurity/Makefile
45717 --- linux-2.6.38.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
45718 +++ linux-2.6.38.4/grsecurity/Makefile 2011-04-17 15:57:32.000000000 -0400
45720 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
45721 +# during 2001-2009 it has been completely redesigned by Brad Spengler
45722 +# into an RBAC system
45724 +# All code in this directory and various hooks inserted throughout the kernel
45725 +# are copyright Brad Spengler - Open Source Security, Inc., and released
45726 +# under the GPL v2 or higher
45728 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
45729 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
45730 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
45732 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
45733 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
45734 + gracl_learn.o grsec_log.o
45735 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
45737 +ifndef CONFIG_GRKERNSEC
45738 +obj-y += grsec_disabled.o
45741 +ifdef CONFIG_GRKERNSEC_HIDESYM
45742 +extra-y := grsec_hidesym.o
45743 +$(obj)/grsec_hidesym.o:
45744 + @-chmod -f 500 /boot
45745 + @-chmod -f 500 /lib/modules
45747 + @echo ' grsec: protected kernel image paths'
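Review bot: The `$(obj)/grsec_hidesym.o` rule runs `chmod -f 500 /boot` and `chmod -f 500 /lib/modules` on the machine doing the compile, not on the system the kernel is being built for, so a cross-compile, a packaging build inside a chroot or sandbox, or a build by an unprivileged user either hardens the wrong host or silently does nothing because the `@-` prefix discards the failure. The rule also never produces a `grsec_hidesym.o` file, so `extra-y := grsec_hidesym.o` behaves as a phony target that re-runs on every build. At minimum this deserves a comment above the rule such as `# Build-time side effect on the BUILD HOST: restricts /boot and /lib/modules; errors are ignored, so a sandboxed or cross build leaves the target unprotected` and, better, moving the permission change to an install-time step where it applies to the intended system. The closing `endif` lines of the two conditionals do not appear in this rendering, so I am assuming they are present in the actual file.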
45749 diff -urNp linux-2.6.38.4/include/acpi/acoutput.h linux-2.6.38.4/include/acpi/acoutput.h
45750 --- linux-2.6.38.4/include/acpi/acoutput.h 2011-03-14 21:20:32.000000000 -0400
45751 +++ linux-2.6.38.4/include/acpi/acoutput.h 2011-04-17 15:57:32.000000000 -0400
45752 @@ -269,8 +269,8 @@
45753 * leaving no executable debug code!
45755 #define ACPI_FUNCTION_NAME(a)
45756 -#define ACPI_DEBUG_PRINT(pl)
45757 -#define ACPI_DEBUG_PRINT_RAW(pl)
45758 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
45759 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
45761 #endif /* ACPI_DEBUG_OUTPUT */
45763 diff -urNp linux-2.6.38.4/include/acpi/acpi_drivers.h linux-2.6.38.4/include/acpi/acpi_drivers.h
45764 --- linux-2.6.38.4/include/acpi/acpi_drivers.h 2011-03-14 21:20:32.000000000 -0400
45765 +++ linux-2.6.38.4/include/acpi/acpi_drivers.h 2011-04-17 15:57:32.000000000 -0400
45766 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
45768 -------------------------------------------------------------------------- */
45769 struct acpi_dock_ops {
45770 - acpi_notify_handler handler;
45771 - acpi_notify_handler uevent;
45772 + const acpi_notify_handler handler;
45773 + const acpi_notify_handler uevent;
45776 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
45777 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
45778 extern int register_dock_notifier(struct notifier_block *nb);
45779 extern void unregister_dock_notifier(struct notifier_block *nb);
45780 extern int register_hotplug_dock_device(acpi_handle handle,
45781 - struct acpi_dock_ops *ops,
45782 + const struct acpi_dock_ops *ops,
45784 extern void unregister_hotplug_dock_device(acpi_handle handle);
45786 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
45789 static inline int register_hotplug_dock_device(acpi_handle handle,
45790 - struct acpi_dock_ops *ops,
45791 + const struct acpi_dock_ops *ops,
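Review bot: Making `handler` and `uevent` const members of `struct acpi_dock_ops` (first hunk) changes the struct's contract: an instance can no longer be assigned to or have its callbacks filled in after definition, so every provider has to use a static initializer, and that constraint is not stated anywhere in the header. I'd add a comment on the struct, `/* members are const: instances must be fully initialized at definition and are never assigned */`, so that a later caller does not hit an opaque "assignment of read-only member" error. The `const struct acpi_dock_ops *ops` parameter on `register_hotplug_dock_device` presumably means the callee only stores the pointer; the implementation is outside this hunk, so that is inferred rather than visible.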
45795 diff -urNp linux-2.6.38.4/include/asm-generic/atomic-long.h linux-2.6.38.4/include/asm-generic/atomic-long.h
45796 --- linux-2.6.38.4/include/asm-generic/atomic-long.h 2011-03-14 21:20:32.000000000 -0400
45797 +++ linux-2.6.38.4/include/asm-generic/atomic-long.h 2011-04-17 15:57:32.000000000 -0400
45800 typedef atomic64_t atomic_long_t;
45802 +#ifdef CONFIG_PAX_REFCOUNT
45803 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
45805 +typedef atomic64_t atomic_long_unchecked_t;
45808 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
45810 static inline long atomic_long_read(atomic_long_t *l)
45811 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
45812 return (long)atomic64_read(v);
45815 +#ifdef CONFIG_PAX_REFCOUNT
45816 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
45818 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45820 + return (long)atomic64_read_unchecked(v);
45824 static inline void atomic_long_set(atomic_long_t *l, long i)
45826 atomic64_t *v = (atomic64_t *)l;
45827 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
45828 atomic64_set(v, i);
45831 +#ifdef CONFIG_PAX_REFCOUNT
45832 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
45834 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45836 + atomic64_set_unchecked(v, i);
45840 static inline void atomic_long_inc(atomic_long_t *l)
45842 atomic64_t *v = (atomic64_t *)l;
45843 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
45847 +#ifdef CONFIG_PAX_REFCOUNT
45848 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
45850 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45852 + atomic64_inc_unchecked(v);
45856 static inline void atomic_long_dec(atomic_long_t *l)
45858 atomic64_t *v = (atomic64_t *)l;
45859 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
45863 +#ifdef CONFIG_PAX_REFCOUNT
45864 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
45866 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45868 + atomic64_dec_unchecked(v);
45872 static inline void atomic_long_add(long i, atomic_long_t *l)
45874 atomic64_t *v = (atomic64_t *)l;
45875 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
45876 atomic64_add(i, v);
45879 +#ifdef CONFIG_PAX_REFCOUNT
45880 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
45882 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45884 + atomic64_add_unchecked(i, v);
45888 static inline void atomic_long_sub(long i, atomic_long_t *l)
45890 atomic64_t *v = (atomic64_t *)l;
45891 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
45892 atomic64_sub(i, v);
45895 +#ifdef CONFIG_PAX_REFCOUNT
45896 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
45898 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45900 + atomic64_sub_unchecked(i, v);
45904 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
45906 atomic64_t *v = (atomic64_t *)l;
45907 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
45908 return (long)atomic64_inc_return(v);
45911 +#ifdef CONFIG_PAX_REFCOUNT
45912 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
45914 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45916 + return (long)atomic64_inc_return_unchecked(v);
45920 static inline long atomic_long_dec_return(atomic_long_t *l)
45922 atomic64_t *v = (atomic64_t *)l;
45923 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
45925 typedef atomic_t atomic_long_t;
45927 +#ifdef CONFIG_PAX_REFCOUNT
45928 +typedef atomic_unchecked_t atomic_long_unchecked_t;
45930 +typedef atomic_t atomic_long_unchecked_t;
45933 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
45934 static inline long atomic_long_read(atomic_long_t *l)
45936 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
45937 return (long)atomic_read(v);
45940 +#ifdef CONFIG_PAX_REFCOUNT
45941 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
45943 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45945 + return (long)atomic_read_unchecked(v);
45949 static inline void atomic_long_set(atomic_long_t *l, long i)
45951 atomic_t *v = (atomic_t *)l;
45952 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
45956 +#ifdef CONFIG_PAX_REFCOUNT
45957 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
45959 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45961 + atomic_set_unchecked(v, i);
45965 static inline void atomic_long_inc(atomic_long_t *l)
45967 atomic_t *v = (atomic_t *)l;
45968 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
45972 +#ifdef CONFIG_PAX_REFCOUNT
45973 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
45975 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45977 + atomic_inc_unchecked(v);
45981 static inline void atomic_long_dec(atomic_long_t *l)
45983 atomic_t *v = (atomic_t *)l;
45984 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
45988 +#ifdef CONFIG_PAX_REFCOUNT
45989 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
45991 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45993 + atomic_dec_unchecked(v);
45997 static inline void atomic_long_add(long i, atomic_long_t *l)
45999 atomic_t *v = (atomic_t *)l;
46000 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
46004 +#ifdef CONFIG_PAX_REFCOUNT
46005 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
46007 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
46009 + atomic_add_unchecked(i, v);
46013 static inline void atomic_long_sub(long i, atomic_long_t *l)
46015 atomic_t *v = (atomic_t *)l;
46016 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
46020 +#ifdef CONFIG_PAX_REFCOUNT
46021 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
46023 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
46025 + atomic_sub_unchecked(i, v);
46029 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
46031 atomic_t *v = (atomic_t *)l;
46032 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
46033 return (long)atomic_inc_return(v);
46036 +#ifdef CONFIG_PAX_REFCOUNT
46037 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
46039 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
46041 + return (long)atomic_inc_return_unchecked(v);
46045 static inline long atomic_long_dec_return(atomic_long_t *l)
46047 atomic_t *v = (atomic_t *)l;
46048 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
46050 #endif /* BITS_PER_LONG == 64 */
46052 +#ifdef CONFIG_PAX_REFCOUNT
46053 +static inline void pax_refcount_needs_these_functions(void)
46055 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
46056 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
46057 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
46058 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
46059 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
46060 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
46061 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
46063 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
46064 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
46065 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
46066 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
46067 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
46068 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
46069 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
46072 +#define atomic_read_unchecked(v) atomic_read(v)
46073 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
46074 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
46075 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
46076 +#define atomic_inc_unchecked(v) atomic_inc(v)
46077 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
46078 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
46080 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
46081 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
46082 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
46083 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
46084 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
46085 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
46086 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
46089 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
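Review bot: `pax_refcount_needs_these_functions` (L27780–L27794) invokes every `*_unchecked` helper through a NULL-cast pointer and nothing in the hunk says that it must never be executed; a reader could take it for a runtime initializer, and if it were ever called it would be a NULL dereference. Add a comment above the definition, e.g. `/* Never called: exists only so the build fails if an arch omits any *_unchecked helper under PAX_REFCOUNT. */`. The `#else` fallbacks at L27795–L27808 alias `*_unchecked` to the plain atomics, so the distinction is compiled away without the option, which is worth stating in the same comment. A one-line rule that `*_unchecked` is reserved for counters whose wraparound is harmless (statistics) and never for object lifetimes would also help reviewers of later conversions, since every such conversion opts a counter out of overflow detection.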
46090 diff -urNp linux-2.6.38.4/include/asm-generic/dma-mapping-common.h linux-2.6.38.4/include/asm-generic/dma-mapping-common.h
46091 --- linux-2.6.38.4/include/asm-generic/dma-mapping-common.h 2011-03-14 21:20:32.000000000 -0400
46092 +++ linux-2.6.38.4/include/asm-generic/dma-mapping-common.h 2011-04-17 15:57:32.000000000 -0400
46093 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
46094 enum dma_data_direction dir,
46095 struct dma_attrs *attrs)
46097 - struct dma_map_ops *ops = get_dma_ops(dev);
46098 + const struct dma_map_ops *ops = get_dma_ops(dev);
46101 kmemcheck_mark_initialized(ptr, size);
46102 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
46103 enum dma_data_direction dir,
46104 struct dma_attrs *attrs)
46106 - struct dma_map_ops *ops = get_dma_ops(dev);
46107 + const struct dma_map_ops *ops = get_dma_ops(dev);
46109 BUG_ON(!valid_dma_direction(dir));
46110 if (ops->unmap_page)
46111 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
46112 int nents, enum dma_data_direction dir,
46113 struct dma_attrs *attrs)
46115 - struct dma_map_ops *ops = get_dma_ops(dev);
46116 + const struct dma_map_ops *ops = get_dma_ops(dev);
46118 struct scatterlist *s;
46120 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
46121 int nents, enum dma_data_direction dir,
46122 struct dma_attrs *attrs)
46124 - struct dma_map_ops *ops = get_dma_ops(dev);
46125 + const struct dma_map_ops *ops = get_dma_ops(dev);
46127 BUG_ON(!valid_dma_direction(dir));
46128 debug_dma_unmap_sg(dev, sg, nents, dir);
46129 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
46130 size_t offset, size_t size,
46131 enum dma_data_direction dir)
46133 - struct dma_map_ops *ops = get_dma_ops(dev);
46134 + const struct dma_map_ops *ops = get_dma_ops(dev);
46137 kmemcheck_mark_initialized(page_address(page) + offset, size);
46138 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
46139 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
46140 size_t size, enum dma_data_direction dir)
46142 - struct dma_map_ops *ops = get_dma_ops(dev);
46143 + const struct dma_map_ops *ops = get_dma_ops(dev);
46145 BUG_ON(!valid_dma_direction(dir));
46146 if (ops->unmap_page)
46147 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
46149 enum dma_data_direction dir)
46151 - struct dma_map_ops *ops = get_dma_ops(dev);
46152 + const struct dma_map_ops *ops = get_dma_ops(dev);
46154 BUG_ON(!valid_dma_direction(dir));
46155 if (ops->sync_single_for_cpu)
46156 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
46157 dma_addr_t addr, size_t size,
46158 enum dma_data_direction dir)
46160 - struct dma_map_ops *ops = get_dma_ops(dev);
46161 + const struct dma_map_ops *ops = get_dma_ops(dev);
46163 BUG_ON(!valid_dma_direction(dir));
46164 if (ops->sync_single_for_device)
46165 @@ -139,7 +139,7 @@ static inline void
46166 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
46167 int nelems, enum dma_data_direction dir)
46169 - struct dma_map_ops *ops = get_dma_ops(dev);
46170 + const struct dma_map_ops *ops = get_dma_ops(dev);
46172 BUG_ON(!valid_dma_direction(dir));
46173 if (ops->sync_sg_for_cpu)
46174 @@ -151,7 +151,7 @@ static inline void
46175 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
46176 int nelems, enum dma_data_direction dir)
46178 - struct dma_map_ops *ops = get_dma_ops(dev);
46179 + const struct dma_map_ops *ops = get_dma_ops(dev);
46181 BUG_ON(!valid_dma_direction(dir));
46182 if (ops->sync_sg_for_device)
46183 diff -urNp linux-2.6.38.4/include/asm-generic/futex.h linux-2.6.38.4/include/asm-generic/futex.h
46184 --- linux-2.6.38.4/include/asm-generic/futex.h 2011-03-14 21:20:32.000000000 -0400
46185 +++ linux-2.6.38.4/include/asm-generic/futex.h 2011-04-17 15:57:32.000000000 -0400
46187 #include <asm/errno.h>
46190 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
46191 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
46193 int op = (encoded_op >> 28) & 7;
46194 int cmp = (encoded_op >> 24) & 15;
46195 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
46199 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
46200 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
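Review bot: Both prototypes widen `uaddr` to `u32 __user *` but keep `oldval`/`newval` as `int` (L27889), so the stored value and its compare operands now differ in signedness. The generic stub's body is outside the hunk, but for any implementation sharing this signature a negative `int` compared against the `u32` read from userspace is a sign-conversion hazard; `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)` keeps the types aligned with the pointer and with what `kernel/futex.c` presumably passes. If the `int` parameters are kept deliberately for compatibility with per-arch versions, a comment saying so would stop the next reader from "fixing" it.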
46204 diff -urNp linux-2.6.38.4/include/asm-generic/int-l64.h linux-2.6.38.4/include/asm-generic/int-l64.h
46205 --- linux-2.6.38.4/include/asm-generic/int-l64.h 2011-03-14 21:20:32.000000000 -0400
46206 +++ linux-2.6.38.4/include/asm-generic/int-l64.h 2011-04-17 15:57:32.000000000 -0400
46207 @@ -46,6 +46,8 @@ typedef unsigned int u32;
46208 typedef signed long s64;
46209 typedef unsigned long u64;
46211 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
46214 #define U8_C(x) x ## U
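Review bot: `intoverflow_t` (L27896) is introduced with no comment explaining its purpose or width contract, and `mode(TI)` silently requires a target with 128-bit integer support. Since this is the 64-bit `long`-based header, the type is twice the width of `size_t`, which is presumably the property the size-overflow checks rely on (casting one operand before a multiplication so the product cannot wrap). Document it: `/* PaX: twice the width of size_t so size expressions can be evaluated without wraparound; mode(TI) needs a 128-bit-capable target */`.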
46216 diff -urNp linux-2.6.38.4/include/asm-generic/int-ll64.h linux-2.6.38.4/include/asm-generic/int-ll64.h
46217 --- linux-2.6.38.4/include/asm-generic/int-ll64.h 2011-03-14 21:20:32.000000000 -0400
46218 +++ linux-2.6.38.4/include/asm-generic/int-ll64.h 2011-04-17 15:57:32.000000000 -0400
46219 @@ -51,6 +51,8 @@ typedef unsigned int u32;
46220 typedef signed long long s64;
46221 typedef unsigned long long u64;
46223 +typedef unsigned long long intoverflow_t;
46226 #define U8_C(x) x ## U
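Review bot: Here `intoverflow_t` (L27904) is `unsigned long long`, which is wider than `size_t` only on 32-bit targets; if a 64-bit configuration also includes `int-ll64.h` (x86 is the usual case — confirm for this tree), the type is the same width as `unsigned long` and any check of the form `(intoverflow_t)x > ULONG_MAX` can never be true. The two definitions here and in `int-l64.h` should carry the same width contract so the difference is visible: `/* PaX: must be at least twice the width of size_t for the overflow checks to work; only true on 32-bit here */`. A `BUILD_BUG_ON(sizeof(intoverflow_t) < 2 * sizeof(size_t))` at the first use site would turn a silently ineffective check into a build failure.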
46228 diff -urNp linux-2.6.38.4/include/asm-generic/kmap_types.h linux-2.6.38.4/include/asm-generic/kmap_types.h
46229 --- linux-2.6.38.4/include/asm-generic/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
46230 +++ linux-2.6.38.4/include/asm-generic/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
46231 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
46233 KMAP_D(18) KM_NMI_PTE,
46235 +KMAP_D(20) KM_CLEARPAGE,
46237 * Remember to update debug_kmap_atomic() when adding new kmap types!
46239 -KMAP_D(20) KM_TYPE_NR
46240 +KMAP_D(21) KM_TYPE_NR
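Review bot: The retained comment at L27912 says `debug_kmap_atomic()` must be updated whenever a kmap type is added, and this hunk adds `KM_CLEARPAGE` (L27911) without any visible change to that function; confirm the debug table is patched elsewhere in this series, otherwise it is one entry short of the new `KM_TYPE_NR`. The new slot also has no comment saying what it is for; the name suggests a dedicated slot for zeroing pages, but that is inferred, so something like `KMAP_D(20) KM_CLEARPAGE, /* PaX: slot reserved for page clearing */` should be confirmed against its caller before committing.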
46244 diff -urNp linux-2.6.38.4/include/asm-generic/pgtable.h linux-2.6.38.4/include/asm-generic/pgtable.h
46245 --- linux-2.6.38.4/include/asm-generic/pgtable.h 2011-03-14 21:20:32.000000000 -0400
46246 +++ linux-2.6.38.4/include/asm-generic/pgtable.h 2011-04-17 15:57:32.000000000 -0400
46247 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
46248 #endif /* __HAVE_ARCH_PMD_WRITE */
46251 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
46252 +static inline unsigned long pax_open_kernel(void) { return 0; }
46255 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
46256 +static inline unsigned long pax_close_kernel(void) { return 0; }
46259 #endif /* !__ASSEMBLY__ */
46261 #endif /* _ASM_GENERIC_PGTABLE_H */
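Review bot: The generic `pax_open_kernel()`/`pax_close_kernel()` stubs (L27921, L27923) are silent no-ops returning 0, so on any architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL` data written between them is not actually write-protected, and nothing here says so. Add a comment over the pair: `/* PaX: bracket writes to __read_only data. These fallbacks provide no protection; an arch that write-protects kernel data must define both and set the __HAVE_ARCH_* guards. */`. The `unsigned long` return type suggests the arch versions hand back saved state, yet `pax_close_kernel()` takes no argument, so the convention for that value is worth stating too.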
46262 diff -urNp linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h
46263 --- linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h 2011-03-14 21:20:32.000000000 -0400
46264 +++ linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h 2011-04-17 15:57:32.000000000 -0400
46266 #ifndef _PGTABLE_NOPMD_H
46267 #define _PGTABLE_NOPMD_H
46269 -#ifndef __ASSEMBLY__
46271 #include <asm-generic/pgtable-nopud.h>
46275 #define __PAGETABLE_PMD_FOLDED
46277 +#define PMD_SHIFT PUD_SHIFT
46278 +#define PTRS_PER_PMD 1
46279 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
46280 +#define PMD_MASK (~(PMD_SIZE-1))
46282 +#ifndef __ASSEMBLY__
46287 * Having the pmd type consist of a pud gets the size right, and allows
46288 * us to conceptually access the pud entry that this pmd is folded into
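Review bot: The relocated `PMD_SIZE` now uses `_AC(1,UL)` (L27936) so it is usable from assembly, but `_AC()` lives in `<linux/const.h>` and this header is not shown including it, so the definition works only if every includer already pulled `linux/const.h` in. Add `#include <linux/const.h>` next to the existing include at L27932; the matching `pgtable-nopud.h` change at L27958 has the same dependency and should get its own include rather than relying on being reached through this header.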
46289 @@ -16,11 +21,6 @@ struct mm_struct;
46291 typedef struct { pud_t pud; } pmd_t;
46293 -#define PMD_SHIFT PUD_SHIFT
46294 -#define PTRS_PER_PMD 1
46295 -#define PMD_SIZE (1UL << PMD_SHIFT)
46296 -#define PMD_MASK (~(PMD_SIZE-1))
46299 * The "pud_xxx()" functions here are trivial for a folded two-level
46300 * setup: the pmd is never bad, and a pmd always exists (as it's folded
46301 diff -urNp linux-2.6.38.4/include/asm-generic/pgtable-nopud.h linux-2.6.38.4/include/asm-generic/pgtable-nopud.h
46302 --- linux-2.6.38.4/include/asm-generic/pgtable-nopud.h 2011-03-14 21:20:32.000000000 -0400
46303 +++ linux-2.6.38.4/include/asm-generic/pgtable-nopud.h 2011-04-17 15:57:32.000000000 -0400
46305 #ifndef _PGTABLE_NOPUD_H
46306 #define _PGTABLE_NOPUD_H
46308 -#ifndef __ASSEMBLY__
46310 #define __PAGETABLE_PUD_FOLDED
46312 +#define PUD_SHIFT PGDIR_SHIFT
46313 +#define PTRS_PER_PUD 1
46314 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
46315 +#define PUD_MASK (~(PUD_SIZE-1))
46317 +#ifndef __ASSEMBLY__
46320 * Having the pud type consist of a pgd gets the size right, and allows
46321 * us to conceptually access the pgd entry that this pud is folded into
46324 typedef struct { pgd_t pgd; } pud_t;
46326 -#define PUD_SHIFT PGDIR_SHIFT
46327 -#define PTRS_PER_PUD 1
46328 -#define PUD_SIZE (1UL << PUD_SHIFT)
46329 -#define PUD_MASK (~(PUD_SIZE-1))
46332 * The "pgd_xxx()" functions here are trivial for a folded two-level
46333 * setup: the pud is never bad, and a pud always exists (as it's folded
46334 diff -urNp linux-2.6.38.4/include/asm-generic/vmlinux.lds.h linux-2.6.38.4/include/asm-generic/vmlinux.lds.h
46335 --- linux-2.6.38.4/include/asm-generic/vmlinux.lds.h 2011-03-14 21:20:32.000000000 -0400
46336 +++ linux-2.6.38.4/include/asm-generic/vmlinux.lds.h 2011-04-17 15:57:32.000000000 -0400
46337 @@ -213,6 +213,7 @@
46338 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
46339 VMLINUX_SYMBOL(__start_rodata) = .; \
46340 *(.rodata) *(.rodata.*) \
46341 + *(.data..read_only) \
46342 *(__vermagic) /* Kernel version magic */ \
46344 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
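Review bot: The new `*(.data..read_only)` input section (L27977) is folded into `.rodata` with no comment, so a reader of the linker script cannot tell what lands there or why it belongs in the read-only segment. Suggest `*(.data..read_only) /* __read_only: writable only between pax_open_kernel()/pax_close_kernel() */`. The placement only write-protects the data on architectures that actually map `.rodata` read-only at runtime, which the linker script itself does not guarantee; that caveat belongs in the same comment.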
46345 @@ -696,14 +697,15 @@
46346 * section in the linker script will go there too. @phdr should have
46349 - * Note that this macros defines __per_cpu_load as an absolute symbol.
46350 + * Note that this macros defines per_cpu_load as an absolute symbol.
46351 * If there is no need to put the percpu section at a predetermined
46352 * address, use PERCPU().
46354 #define PERCPU_VADDR(vaddr, phdr) \
46355 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
46356 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
46357 + per_cpu_load = .; \
46358 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
46360 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
46361 VMLINUX_SYMBOL(__per_cpu_start) = .; \
46362 *(.data..percpu..first) \
46363 . = ALIGN(PAGE_SIZE); \
46364 @@ -713,7 +715,7 @@
46365 *(.data..percpu..shared_aligned) \
46366 VMLINUX_SYMBOL(__per_cpu_end) = .; \
46368 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
46369 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
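Review bot: The updated comment at L27983 says the macro defines `per_cpu_load` as an absolute symbol, but the macro still defines `__per_cpu_load` too, now as `. + per_cpu_load` (L27991), i.e. relative to the section's virtual address rather than absolute as the removed line at L27987 had it, and the comment no longer describes that symbol at all. Since `__per_cpu_load` is the name other code references, the comment should cover both: ` * Note that this macro defines per_cpu_load as an absolute symbol and __per_cpu_load relative to the section's virtual address (vaddr + per_cpu_load).` The pre-existing typo `this macros` is carried over in the same line and could be fixed while touching it.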
46372 * PERCPU - define output section for percpu area, simple version
46373 diff -urNp linux-2.6.38.4/include/drm/drm_pciids.h linux-2.6.38.4/include/drm/drm_pciids.h
46374 --- linux-2.6.38.4/include/drm/drm_pciids.h 2011-04-18 17:27:18.000000000 -0400
46375 +++ linux-2.6.38.4/include/drm/drm_pciids.h 2011-04-17 16:58:34.000000000 -0400
46376 @@ -460,7 +460,7 @@
46377 {0x1002, 0x9805, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
46378 {0x1002, 0x9806, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
46379 {0x1002, 0x9807, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
46381 + {0, 0, 0, 0, 0, 0}
46383 #define r128_PCI_IDS \
46384 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46385 @@ -500,14 +500,14 @@
46386 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46387 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46388 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46390 + {0, 0, 0, 0, 0, 0}
46392 #define mga_PCI_IDS \
46393 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
46394 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
46395 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
46396 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
46398 + {0, 0, 0, 0, 0, 0}
46400 #define mach64_PCI_IDS \
46401 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46402 @@ -530,7 +530,7 @@
46403 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46404 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46405 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46407 + {0, 0, 0, 0, 0, 0}
46409 #define sisdrv_PCI_IDS \
46410 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46411 @@ -541,7 +541,7 @@
46412 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46413 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
46414 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
46416 + {0, 0, 0, 0, 0, 0}
46418 #define tdfx_PCI_IDS \
46419 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46420 @@ -550,7 +550,7 @@
46421 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46422 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46423 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46425 + {0, 0, 0, 0, 0, 0}
46427 #define viadrv_PCI_IDS \
46428 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46429 @@ -562,14 +562,14 @@
46430 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46431 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
46432 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
46434 + {0, 0, 0, 0, 0, 0}
46436 #define i810_PCI_IDS \
46437 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46438 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46439 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46440 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46442 + {0, 0, 0, 0, 0, 0}
46444 #define i830_PCI_IDS \
46445 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46446 @@ -577,11 +577,11 @@
46447 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46448 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46449 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46451 + {0, 0, 0, 0, 0, 0}
46453 #define gamma_PCI_IDS \
46454 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46456 + {0, 0, 0, 0, 0, 0}
46458 #define savage_PCI_IDS \
46459 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
46460 @@ -607,10 +607,10 @@
46461 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
46462 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
46463 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
46465 + {0, 0, 0, 0, 0, 0}
46467 #define ffb_PCI_IDS \
46469 + {0, 0, 0, 0, 0, 0}
46471 #define i915_PCI_IDS \
46472 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46473 @@ -644,4 +644,4 @@
46474 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46475 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46476 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46478 + {0, 0, 0, 0, 0, 0}
46479 diff -urNp linux-2.6.38.4/include/drm/drmP.h linux-2.6.38.4/include/drm/drmP.h
46480 --- linux-2.6.38.4/include/drm/drmP.h 2011-03-14 21:20:32.000000000 -0400
46481 +++ linux-2.6.38.4/include/drm/drmP.h 2011-04-17 15:57:32.000000000 -0400
46483 #include <linux/workqueue.h>
46484 #include <linux/poll.h>
46485 #include <asm/pgalloc.h>
46486 +#include <asm/local.h>
46489 #include <linux/idr.h>
46490 @@ -881,7 +882,7 @@ struct drm_driver {
46491 void (*vgaarb_irq)(struct drm_device *dev, bool state);
46493 /* Driver private ops for this object */
46494 - struct vm_operations_struct *gem_vm_ops;
46495 + const struct vm_operations_struct *gem_vm_ops;
46499 @@ -894,7 +895,7 @@ struct drm_driver {
46501 struct drm_ioctl_desc *ioctls;
46503 - struct file_operations fops;
46504 + const struct file_operations fops;
46505 struct pci_driver pci_driver;
46506 struct platform_device *platform_device;
46507 /* List of devices hanging off this driver */
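Review bot: `fops` is embedded by value and made `const` (L28098) inside an otherwise writable `struct drm_driver`, so every driver must populate it fully in its static initializer and can no longer assign `driver->fops.xxx` at runtime; that is the hardening goal, but it is a compile-time break for any driver that patches fops fields in code (inferred — the drivers are not in this hunk). A comment on the field would make the contract explicit: `const struct file_operations fops; /* must be fully initialized statically; not writable at runtime */`. Note that a `const` member does not by itself move the enclosing `drm_driver` object into a read-only section; the instance must be declared `const` for that.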
46508 @@ -991,7 +992,7 @@ struct drm_device {
46510 /** \name Usage Counters */
46512 - int open_count; /**< Outstanding files open */
46513 + local_t open_count; /**< Outstanding files open */
46514 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
46515 atomic_t vma_count; /**< Outstanding vma areas open */
46516 int buf_use; /**< Buffers in use -- cannot alloc */
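Review bot: `open_count` (L28105) becomes a `local_t`, but `local_t` is atomic only with respect to the CPU that owns the variable; it is not a safe type for a single device-wide counter touched from arbitrary CPUs unless every update is serialized by a lock. If the intent is that `drm_open()`/`drm_release()` only touch it under `drm_global_mutex` (inferred; the call sites are outside this hunk), that assumption should be stated on the field: `local_t open_count; /**< Outstanding files open; updated only under drm_global_mutex */`. Otherwise `atomic_unchecked_t`, which this struct already uses for `counts[]` at L28113, would be the honest type.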
46517 @@ -1002,7 +1003,7 @@ struct drm_device {
46519 unsigned long counters;
46520 enum drm_stat_type types[15];
46521 - atomic_t counts[15];
46522 + atomic_unchecked_t counts[15];
46525 struct list_head filelist;
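Review bot: `counts[15]` (L28113) is switched to `atomic_unchecked_t` without explanation, which opts the array out of the PAX_REFCOUNT overflow detection that the neighbouring `ioctl_count` and `vma_count` (L28106–L28107) keep. That is correct only if these are pure statistics whose wraparound is harmless, which their pairing with `drm_stat_type` suggests; say so on the field: `atomic_unchecked_t counts[15]; /**< Statistics; wraparound is harmless, so no overflow check */`. Without the comment a later cleanup is likely to "normalize" the type one way or the other.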
46526 @@ -1101,7 +1102,7 @@ struct drm_device {
46527 struct platform_device *platformdev; /**< Platform device struture */
46529 struct drm_sg_mem *sg; /**< Scatter gather memory */
46530 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
46531 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
46532 void *dev_private; /**< device private data */
46534 struct address_space *dev_mapping;
46535 diff -urNp linux-2.6.38.4/include/linux/a.out.h linux-2.6.38.4/include/linux/a.out.h
46536 --- linux-2.6.38.4/include/linux/a.out.h 2011-03-14 21:20:32.000000000 -0400
46537 +++ linux-2.6.38.4/include/linux/a.out.h 2011-04-17 15:57:32.000000000 -0400
46538 @@ -39,6 +39,14 @@ enum machine_type {
46539 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
46542 +/* Constants for the N_FLAGS field */
46543 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
46544 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
46545 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
46546 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
46547 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
46548 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
46550 #if !defined (N_MAGIC)
46551 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
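Review bot: The new `F_PAX_*` constants (L28128–L28133) skip bit value 16, left as a commented-out `F_PAX_RANDEXEC` (L28132), with nothing saying whether the bit is retired or free; a later contributor could reasonably reuse it, and any binary already marked with it would silently change meaning. Replace the dead define with an explicit reservation: `/* 16 was F_PAX_RANDEXEC (removed); reserved, do not reuse */`. The same pattern recurs in the `EF_PAX_*` and `PF_*RANDEXEC` additions to `elf.h` later in this patch, so the wording should match there.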
46553 diff -urNp linux-2.6.38.4/include/linux/atmdev.h linux-2.6.38.4/include/linux/atmdev.h
46554 --- linux-2.6.38.4/include/linux/atmdev.h 2011-04-18 17:27:18.000000000 -0400
46555 +++ linux-2.6.38.4/include/linux/atmdev.h 2011-04-17 16:53:48.000000000 -0400
46556 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
46559 struct k_atm_aal_stats {
46560 -#define __HANDLE_ITEM(i) atomic_t i
46561 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
46563 #undef __HANDLE_ITEM
46565 diff -urNp linux-2.6.38.4/include/linux/binfmts.h linux-2.6.38.4/include/linux/binfmts.h
46566 --- linux-2.6.38.4/include/linux/binfmts.h 2011-03-14 21:20:32.000000000 -0400
46567 +++ linux-2.6.38.4/include/linux/binfmts.h 2011-04-17 15:57:32.000000000 -0400
46568 @@ -92,6 +92,7 @@ struct linux_binfmt {
46569 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
46570 int (*load_shlib)(struct file *);
46571 int (*core_dump)(struct coredump_params *cprm);
46572 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
46573 unsigned long min_coredump; /* minimal dump size */
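Review bot: The new `handle_mprotect` callback (L28151) is added to `struct linux_binfmt` with no comment describing when it is called, what `newflags` holds, or whether it may be NULL; as an optional hook every caller must NULL-check it, and an implementer has nothing to go on. Suggest `/* Optional (may be NULL). PaX: called when a mapping's protection changes, with the requested new vm_flags, so the format can enforce its MPROTECT policy. */` — the "when" clause is inferred from the name and should be confirmed against the caller, which is outside this hunk. Inserting it mid-struct rather than at the end also breaks any positional initializer of `linux_binfmt`, though in-tree users presumably use designated initializers.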
46576 diff -urNp linux-2.6.38.4/include/linux/blkdev.h linux-2.6.38.4/include/linux/blkdev.h
46577 --- linux-2.6.38.4/include/linux/blkdev.h 2011-03-14 21:20:32.000000000 -0400
46578 +++ linux-2.6.38.4/include/linux/blkdev.h 2011-04-17 15:57:32.000000000 -0400
46579 @@ -1247,22 +1247,22 @@ queue_max_integrity_segments(struct requ
46580 #endif /* CONFIG_BLK_DEV_INTEGRITY */
46582 struct block_device_operations {
46583 - int (*open) (struct block_device *, fmode_t);
46584 - int (*release) (struct gendisk *, fmode_t);
46585 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46586 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46587 - int (*direct_access) (struct block_device *, sector_t,
46588 + int (* const open) (struct block_device *, fmode_t);
46589 + int (* const release) (struct gendisk *, fmode_t);
46590 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46591 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46592 + int (* const direct_access) (struct block_device *, sector_t,
46593 void **, unsigned long *);
46594 - unsigned int (*check_events) (struct gendisk *disk,
46595 + unsigned int (* const check_events) (struct gendisk *disk,
46596 unsigned int clearing);
46597 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
46598 - int (*media_changed) (struct gendisk *);
46599 - void (*unlock_native_capacity) (struct gendisk *);
46600 - int (*revalidate_disk) (struct gendisk *);
46601 - int (*getgeo)(struct block_device *, struct hd_geometry *);
46602 + int (* const media_changed) (struct gendisk *);
46603 + void (* const unlock_native_capacity) (struct gendisk *);
46604 + int (* const revalidate_disk) (struct gendisk *);
46605 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
46606 /* this callback is with swap_lock and sometimes page table lock held */
46607 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
46608 - struct module *owner;
46609 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
46610 + struct module * const owner;
46613 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
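Review bot: Making every function pointer in `block_device_operations` `* const` (L28164–L28186) turns runtime assignment into a compile error, which is the intended hardening, but the qualifier on the members does not by itself place a driver's ops instance in a read-only section; that depends on the instance being declared `const` (or `__read_only`) and on how the compiler treats aggregates with const members, which is not guaranteed. If write-protected ops tables are the goal, the driver definitions need marking too, and a comment on the struct should say so: `/* PaX: all members const; instances must also be declared const to land in .rodata */`. `owner` (L28186) is `const` as well, so any driver that fills `owner` at init time rather than in the initializer (inferred, not visible here) will need adjusting.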
46614 diff -urNp linux-2.6.38.4/include/linux/byteorder/little_endian.h linux-2.6.38.4/include/linux/byteorder/little_endian.h
46615 --- linux-2.6.38.4/include/linux/byteorder/little_endian.h 2011-03-14 21:20:32.000000000 -0400
46616 +++ linux-2.6.38.4/include/linux/byteorder/little_endian.h 2011-04-17 15:57:32.000000000 -0400
46617 @@ -42,51 +42,51 @@
46619 static inline __le64 __cpu_to_le64p(const __u64 *p)
46621 - return (__force __le64)*p;
46622 + return (__force const __le64)*p;
46624 static inline __u64 __le64_to_cpup(const __le64 *p)
46626 - return (__force __u64)*p;
46627 + return (__force const __u64)*p;
46629 static inline __le32 __cpu_to_le32p(const __u32 *p)
46631 - return (__force __le32)*p;
46632 + return (__force const __le32)*p;
46634 static inline __u32 __le32_to_cpup(const __le32 *p)
46636 - return (__force __u32)*p;
46637 + return (__force const __u32)*p;
46639 static inline __le16 __cpu_to_le16p(const __u16 *p)
46641 - return (__force __le16)*p;
46642 + return (__force const __le16)*p;
46644 static inline __u16 __le16_to_cpup(const __le16 *p)
46646 - return (__force __u16)*p;
46647 + return (__force const __u16)*p;
46649 static inline __be64 __cpu_to_be64p(const __u64 *p)
46651 - return (__force __be64)__swab64p(p);
46652 + return (__force const __be64)__swab64p(p);
46654 static inline __u64 __be64_to_cpup(const __be64 *p)
46656 - return __swab64p((__u64 *)p);
46657 + return __swab64p((const __u64 *)p);
46659 static inline __be32 __cpu_to_be32p(const __u32 *p)
46661 - return (__force __be32)__swab32p(p);
46662 + return (__force const __be32)__swab32p(p);
46664 static inline __u32 __be32_to_cpup(const __be32 *p)
46666 - return __swab32p((__u32 *)p);
46667 + return __swab32p((const __u32 *)p);
46669 static inline __be16 __cpu_to_be16p(const __u16 *p)
46671 - return (__force __be16)__swab16p(p);
46672 + return (__force const __be16)__swab16p(p);
46674 static inline __u16 __be16_to_cpup(const __be16 *p)
46676 - return __swab16p((__u16 *)p);
46677 + return __swab16p((const __u16 *)p);
46679 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
46680 #define __le64_to_cpus(x) do { (void)(x); } while (0)
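Review bot: The `const` added to the scalar casts at L28194–L28212, L28218 and L28224 has no effect — qualifiers on a non-lvalue cast result are discarded — and gcc's `-Wignored-qualifiers` (part of `-Wextra`) flags exactly this pattern, so these lines add warning noise without adding const-correctness. Keep only the pointer-argument changes (`__swab64p((const __u64 *)p)` and friends at L28215, L28221, L28227), which genuinely fix a const-discarding cast, and revert the value casts to `return (__force __le64)*p;`. `big_endian.h` presumably received the same treatment and is not in this chunk.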
46681 diff -urNp linux-2.6.38.4/include/linux/cache.h linux-2.6.38.4/include/linux/cache.h
46682 --- linux-2.6.38.4/include/linux/cache.h 2011-03-14 21:20:32.000000000 -0400
46683 +++ linux-2.6.38.4/include/linux/cache.h 2011-04-17 15:57:32.000000000 -0400
46685 #define __read_mostly
46688 +#ifndef __read_only
46689 +#define __read_only __read_mostly
46692 #ifndef ____cacheline_aligned
46693 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
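Review bot: The fallback `#define __read_only __read_mostly` (L28235) means that on any architecture without its own `__read_only`, data so marked is merely grouped for cache locality and receives no write protection, and nothing here says that; a maintainer could mark a sensitive table `__read_only` believing it is protected everywhere. Add a comment on the fallback: `/* Fallback: no write protection, only the __read_mostly placement; arches with kernel data protection override this */`. The `__read_mostly` fallback directly above (L28233) is itself empty, so on some configurations `__read_only` expands to nothing at all.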
46695 diff -urNp linux-2.6.38.4/include/linux/capability.h linux-2.6.38.4/include/linux/capability.h
46696 --- linux-2.6.38.4/include/linux/capability.h 2011-03-14 21:20:32.000000000 -0400
46697 +++ linux-2.6.38.4/include/linux/capability.h 2011-04-17 15:57:32.000000000 -0400
46698 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
46699 (security_real_capable_noaudit((t), (cap)) == 0)
46701 extern int capable(int cap);
46702 +int capable_nolog(int cap);
46704 /* audit system wants to get cap info from files as well */
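Review bot: The new prototype `int capable_nolog(int cap);` (L28244) drops the `extern` that the adjacent `extern int capable(int cap);` (L28243) uses; it compiles either way, but the header is otherwise consistent, so write `extern int capable_nolog(int cap);`. The name implies a variant that skips the logging done by `capable()`, but that is inferred from the name alone; a one-line comment such as `/* as capable(), but without the grsec denial logging */` would save readers a grep, once confirmed against the definition.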
46706 diff -urNp linux-2.6.38.4/include/linux/compiler-gcc4.h linux-2.6.38.4/include/linux/compiler-gcc4.h
46707 --- linux-2.6.38.4/include/linux/compiler-gcc4.h 2011-03-14 21:20:32.000000000 -0400
46708 +++ linux-2.6.38.4/include/linux/compiler-gcc4.h 2011-04-17 15:57:32.000000000 -0400
46713 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
46714 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
46715 +#define __bos0(ptr) __bos((ptr), 0)
46716 +#define __bos1(ptr) __bos((ptr), 1)
46719 #if __GNUC_MINOR__ > 0
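Review bot: `__alloc_size` (L28249) is spelled `__attribute((...))` while the rest of the kernel's compiler headers use `__attribute__`; gcc accepts both, but the inconsistency reads as a typo: `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. `alloc_size` requires gcc >= 4.3 and `__builtin_object_size` gcc >= 4.1; the guard lines immediately before this hunk are not visible here, so confirm these definitions sit under a `__GNUC_MINOR__` check rather than unconditionally at the top of `compiler-gcc4.h`.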
46720 diff -urNp linux-2.6.38.4/include/linux/compiler.h linux-2.6.38.4/include/linux/compiler.h
46721 --- linux-2.6.38.4/include/linux/compiler.h 2011-03-14 21:20:32.000000000 -0400
46722 +++ linux-2.6.38.4/include/linux/compiler.h 2011-04-17 15:57:32.000000000 -0400
46723 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
46727 +#ifndef __alloc_size
46728 +#define __alloc_size
46743 /* Simple shorthand for a section definition */
46745 # define __section(S) __attribute__ ((__section__(#S)))
46746 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
46747 * use is to mediate communication between process-level code and irq/NMI
46748 * handlers, all running on the same CPU.
46750 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
46751 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
46752 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
46754 #endif /* __LINUX_COMPILER_H */
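Review bot: `ACCESS_ONCE()` now yields a const-qualified lvalue (L28266), so every existing write site of the form `ACCESS_ONCE(x) = v` or `--ACCESS_ONCE(x)` becomes a compile error unless converted to the new `ACCESS_ONCE_RW()` (L28267); the `cpuset.h` hunk below converts one such site, but the kernel-doc comment kept at L28263–L28264 still describes a single macro and never mentions the split. Extend it: ` * ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for the rare sites that must write through the volatile access.` Out-of-tree code that writes through `ACCESS_ONCE()` needs the same conversion.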
46755 diff -urNp linux-2.6.38.4/include/linux/cpuset.h linux-2.6.38.4/include/linux/cpuset.h
46756 --- linux-2.6.38.4/include/linux/cpuset.h 2011-03-14 21:20:32.000000000 -0400
46757 +++ linux-2.6.38.4/include/linux/cpuset.h 2011-04-17 15:57:32.000000000 -0400
46758 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
46762 - --ACCESS_ONCE(current->mems_allowed_change_disable);
46763 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
46766 static inline void set_mems_allowed(nodemask_t nodemask)
46767 diff -urNp linux-2.6.38.4/include/linux/decompress/mm.h linux-2.6.38.4/include/linux/decompress/mm.h
46768 --- linux-2.6.38.4/include/linux/decompress/mm.h 2011-03-14 21:20:32.000000000 -0400
46769 +++ linux-2.6.38.4/include/linux/decompress/mm.h 2011-04-17 15:57:32.000000000 -0400
46770 @@ -77,7 +77,7 @@ static void free(void *where)
46771 * warnings when not needed (indeed large_malloc / large_free are not
46772 * needed by inflate */
46774 -#define malloc(a) kmalloc(a, GFP_KERNEL)
46775 +#define malloc(a) kmalloc((a), GFP_KERNEL)
46776 #define free(a) kfree(a)
46778 #define large_malloc(a) vmalloc(a)
46779 diff -urNp linux-2.6.38.4/include/linux/dma-mapping.h linux-2.6.38.4/include/linux/dma-mapping.h
46780 --- linux-2.6.38.4/include/linux/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
46781 +++ linux-2.6.38.4/include/linux/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
46782 @@ -16,40 +16,40 @@ enum dma_data_direction {
46785 struct dma_map_ops {
46786 - void* (*alloc_coherent)(struct device *dev, size_t size,
46787 + void* (* const alloc_coherent)(struct device *dev, size_t size,
46788 dma_addr_t *dma_handle, gfp_t gfp);
46789 - void (*free_coherent)(struct device *dev, size_t size,
46790 + void (* const free_coherent)(struct device *dev, size_t size,
46791 void *vaddr, dma_addr_t dma_handle);
46792 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
46793 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
46794 unsigned long offset, size_t size,
46795 enum dma_data_direction dir,
46796 struct dma_attrs *attrs);
46797 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
46798 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
46799 size_t size, enum dma_data_direction dir,
46800 struct dma_attrs *attrs);
46801 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
46802 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
46803 int nents, enum dma_data_direction dir,
46804 struct dma_attrs *attrs);
46805 - void (*unmap_sg)(struct device *dev,
46806 + void (* const unmap_sg)(struct device *dev,
46807 struct scatterlist *sg, int nents,
46808 enum dma_data_direction dir,
46809 struct dma_attrs *attrs);
46810 - void (*sync_single_for_cpu)(struct device *dev,
46811 + void (* const sync_single_for_cpu)(struct device *dev,
46812 dma_addr_t dma_handle, size_t size,
46813 enum dma_data_direction dir);
46814 - void (*sync_single_for_device)(struct device *dev,
46815 + void (* const sync_single_for_device)(struct device *dev,
46816 dma_addr_t dma_handle, size_t size,
46817 enum dma_data_direction dir);
46818 - void (*sync_sg_for_cpu)(struct device *dev,
46819 + void (* const sync_sg_for_cpu)(struct device *dev,
46820 struct scatterlist *sg, int nents,
46821 enum dma_data_direction dir);
46822 - void (*sync_sg_for_device)(struct device *dev,
46823 + void (* const sync_sg_for_device)(struct device *dev,
46824 struct scatterlist *sg, int nents,
46825 enum dma_data_direction dir);
46826 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
46827 - int (*dma_supported)(struct device *dev, u64 mask);
46828 - int (*set_dma_mask)(struct device *dev, u64 mask);
46830 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
46831 + int (* const dma_supported)(struct device *dev, u64 mask);
46832 + int (* set_dma_mask)(struct device *dev, u64 mask);
46833 + const int is_phys;
46836 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
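Review bot: Every callback in `struct dma_map_ops` becomes `* const` except `set_dma_mask` (L28336), which stays writable and is written with an odd `(* set_dma_mask)` spacing; with no comment this looks like an oversight rather than a decision. If some architecture assigns `set_dma_mask` at runtime (inferred; the arch code is not in this hunk), say so on the member: `int (*set_dma_mask)(struct device *dev, u64 mask); /* not const: assigned at runtime by some arches */`. Otherwise make it `* const` like its neighbours so the whole ops table can live in read-only memory.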
46837 diff -urNp linux-2.6.38.4/include/linux/elf.h linux-2.6.38.4/include/linux/elf.h
46838 --- linux-2.6.38.4/include/linux/elf.h 2011-03-14 21:20:32.000000000 -0400
46839 +++ linux-2.6.38.4/include/linux/elf.h 2011-04-17 15:57:32.000000000 -0400
46840 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
46841 #define PT_GNU_EH_FRAME 0x6474e550
46843 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
46844 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
46846 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
46848 +/* Constants for the e_flags field */
46849 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
46850 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
46851 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
46852 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
46853 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
46854 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
46857 * Extended Numbering
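Review bot: `PT_PAX_FLAGS` and the `EF_PAX_*` bits (L28346–L28353) are an ABI shared with the user-space tooling that marks binaries, so the values must never change and the retired bit must not be recycled, yet the only hint is a commented-out `EF_PAX_RANDEXEC 16` (L28352). Replace that dead define with an explicit reservation, `/* 16 was EF_PAX_RANDEXEC (removed); reserved, do not reuse */`, and add a one-liner above `PT_PAX_FLAGS` noting it is the program header consumed by the PaX marking tools (inferred from the name; confirm the tool name before committing to it). `PT_GNU_RELRO` (L28345) is the standard GNU value unrelated to PaX; a blank line or comment separating it from the PaX block would avoid implying otherwise.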
46858 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
46859 #define DT_DEBUG 21
46860 #define DT_TEXTREL 22
46861 #define DT_JMPREL 23
46862 +#define DT_FLAGS 30
46863 + #define DF_TEXTREL 0x00000004
46864 #define DT_ENCODING 32
46865 #define OLD_DT_LOOS 0x60000000
46866 #define DT_LOOS 0x6000000d
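Review bot: The new `DF_TEXTREL` line (L28360) has a leading space before `#define`, unlike every other directive in this header, which checkpatch flags; write it at column 0: `#define DF_TEXTREL 0x00000004`. The indentation presumably signals that it is a flag value for `DT_FLAGS`; a trailing comment does that without breaking the column, e.g. `#define DF_TEXTREL 0x00000004 /* DT_FLAGS: object contains text relocations */`.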
46867 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
46871 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
46872 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
46873 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
46874 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
46875 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
46876 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
46877 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
46878 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
46879 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
46880 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
46881 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
46882 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
46884 typedef struct elf32_phdr{
46886 Elf32_Off p_offset;
46887 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
46893 #define ELFMAG0 0x7f /* EI_MAG */
46894 #define ELFMAG1 'E'
46895 #define ELFMAG2 'L'
46896 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
46897 #define elf_note elf32_note
46898 #define elf_addr_t Elf32_Off
46899 #define Elf_Half Elf32_Half
46900 +#define elf_dyn Elf32_Dyn
46904 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
46905 #define elf_note elf64_note
46906 #define elf_addr_t Elf64_Off
46907 #define Elf_Half Elf64_Half
46908 +#define elf_dyn Elf64_Dyn
46912 diff -urNp linux-2.6.38.4/include/linux/fs.h linux-2.6.38.4/include/linux/fs.h
46913 --- linux-2.6.38.4/include/linux/fs.h 2011-03-14 21:20:32.000000000 -0400
46914 +++ linux-2.6.38.4/include/linux/fs.h 2011-04-17 15:57:32.000000000 -0400
46915 @@ -105,6 +105,11 @@ struct inodes_stat_t {
46916 /* File was opened by fanotify and shouldn't generate fanotify events */
46917 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
46919 +/* Hack for grsec so as not to require read permission simply to execute
46922 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
46925 * The below are the various read and write types that we support. Some of
46926 * them include behavioral modifiers that send information down to the
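Review bot: `FMODE_GREXEC` takes the next free `fmode_t` bit after `FMODE_NONOTIFY`, but the visible comment only calls it a hack; it should state the contract a reader needs, namely that a file opened with this bit may lack read permission and so must never be treated as readable by code that tests `FMODE_READ`. Something like `/* FMODE_GREXEC: opened for execution only; read permission was NOT checked, so no code path may honour this as FMODE_READ */` would do. Comment lines 46920-46921 are not shown here, so part of that wording may already exist. The chosen value will also need to be kept clear of any later upstream `FMODE_*` allocation, which a note next to the define could remind a rebaser of.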
46927 @@ -581,42 +586,42 @@ typedef int (*read_actor_t)(read_descrip
46928 unsigned long, unsigned long);
46930 struct address_space_operations {
46931 - int (*writepage)(struct page *page, struct writeback_control *wbc);
46932 - int (*readpage)(struct file *, struct page *);
46933 - void (*sync_page)(struct page *);
46934 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
46935 + int (* const readpage)(struct file *, struct page *);
46936 + void (* const sync_page)(struct page *);
46938 /* Write back some dirty pages from this mapping. */
46939 - int (*writepages)(struct address_space *, struct writeback_control *);
46940 + int (* const writepages)(struct address_space *, struct writeback_control *);
46942 /* Set a page dirty. Return true if this dirtied it */
46943 - int (*set_page_dirty)(struct page *page);
46944 + int (* const set_page_dirty)(struct page *page);
46946 - int (*readpages)(struct file *filp, struct address_space *mapping,
46947 + int (* const readpages)(struct file *filp, struct address_space *mapping,
46948 struct list_head *pages, unsigned nr_pages);
46950 - int (*write_begin)(struct file *, struct address_space *mapping,
46951 + int (* const write_begin)(struct file *, struct address_space *mapping,
46952 loff_t pos, unsigned len, unsigned flags,
46953 struct page **pagep, void **fsdata);
46954 - int (*write_end)(struct file *, struct address_space *mapping,
46955 + int (* const write_end)(struct file *, struct address_space *mapping,
46956 loff_t pos, unsigned len, unsigned copied,
46957 struct page *page, void *fsdata);
46959 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
46960 - sector_t (*bmap)(struct address_space *, sector_t);
46961 - void (*invalidatepage) (struct page *, unsigned long);
46962 - int (*releasepage) (struct page *, gfp_t);
46963 - void (*freepage)(struct page *);
46964 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
46965 + sector_t (* const bmap)(struct address_space *, sector_t);
46966 + void (* const invalidatepage) (struct page *, unsigned long);
46967 + int (* const releasepage) (struct page *, gfp_t);
46968 + void (* const freepage)(struct page *);
46969 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
46970 loff_t offset, unsigned long nr_segs);
46971 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
46972 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
46973 void **, unsigned long *);
46974 /* migrate the contents of a page to the specified target */
46975 - int (*migratepage) (struct address_space *,
46976 + int (* const migratepage) (struct address_space *,
46977 struct page *, struct page *);
46978 - int (*launder_page) (struct page *);
46979 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
46980 + int (* const launder_page) (struct page *);
46981 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
46983 - int (*error_remove_page)(struct address_space *, struct page *);
46984 + int (* const error_remove_page)(struct address_space *, struct page *);
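Review bot: Qualifying each member as `* const` only prevents assignment through a non-const lvalue; it does not by itself put an `address_space_operations` instance in read-only memory, so the hardening intent (function-pointer tables that cannot be overwritten at runtime) is only realised where the instances are themselves defined `const` and land in a read-only section. A comment above the struct saying so, e.g. `/* members are const: instances must be fully initialised at definition and should themselves be declared const so the table lands in .rodata */`, would document the contract for filesystem authors. Any filesystem that fills in these members after the object is created will now fail to compile or need a cast, which the hunk does not address. The same applies to `file_lock_operations` and `lock_manager_operations` in the next hunk.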
46988 @@ -1059,17 +1064,17 @@ static inline int file_check_writeable(s
46989 typedef struct files_struct *fl_owner_t;
46991 struct file_lock_operations {
46992 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
46993 - void (*fl_release_private)(struct file_lock *);
46994 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
46995 + void (* const fl_release_private)(struct file_lock *);
46998 struct lock_manager_operations {
46999 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
47000 - void (*fl_notify)(struct file_lock *); /* unblock callback */
47001 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
47002 - void (*fl_release_private)(struct file_lock *);
47003 - void (*fl_break)(struct file_lock *);
47004 - int (*fl_change)(struct file_lock **, int);
47005 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
47006 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
47007 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
47008 + void (* const fl_release_private)(struct file_lock *);
47009 + void (* const fl_break)(struct file_lock *);
47010 + int (* const fl_change)(struct file_lock **, int);
47013 struct lock_manager {
47014 diff -urNp linux-2.6.38.4/include/linux/fs_struct.h linux-2.6.38.4/include/linux/fs_struct.h
47015 --- linux-2.6.38.4/include/linux/fs_struct.h 2011-03-14 21:20:32.000000000 -0400
47016 +++ linux-2.6.38.4/include/linux/fs_struct.h 2011-04-17 15:57:32.000000000 -0400
47018 #include <linux/seqlock.h>
47026 diff -urNp linux-2.6.38.4/include/linux/genhd.h linux-2.6.38.4/include/linux/genhd.h
47027 --- linux-2.6.38.4/include/linux/genhd.h 2011-03-14 21:20:32.000000000 -0400
47028 +++ linux-2.6.38.4/include/linux/genhd.h 2011-04-17 15:57:32.000000000 -0400
47029 @@ -183,7 +183,7 @@ struct gendisk {
47030 struct kobject *slave_dir;
47032 struct timer_rand_state *random;
47033 - atomic_t sync_io; /* RAID */
47034 + atomic_unchecked_t sync_io; /* RAID */
47035 struct disk_events *ev;
47036 #ifdef CONFIG_BLK_DEV_INTEGRITY
47037 struct blk_integrity *integrity;
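Review bot: Switching `sync_io` to `atomic_unchecked_t` opts this counter out of whatever overflow checking the checked `atomic_t` provides, and the only justification visible is the pre-existing `/* RAID */` comment. If the counter is statistical rather than a reference count, a short comment recording that is what a reviewer needs: `atomic_unchecked_t sync_io; /* RAID I/O statistic, not a refcount: wrap-around is harmless */`. Should the field ever be compared against zero to decide a release, the unchecked type would be the wrong choice, so that ought to be confirmed before merging.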
47038 diff -urNp linux-2.6.38.4/include/linux/gracl.h linux-2.6.38.4/include/linux/gracl.h
47039 --- linux-2.6.38.4/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
47040 +++ linux-2.6.38.4/include/linux/gracl.h 2011-04-17 15:57:32.000000000 -0400
47045 +#include <linux/grdefs.h>
47046 +#include <linux/resource.h>
47047 +#include <linux/capability.h>
47048 +#include <linux/dcache.h>
47049 +#include <asm/resource.h>
47051 +/* Major status information */
47053 +#define GR_VERSION "grsecurity 2.2.2"
47054 +#define GRSECURITY_VERSION 0x2202
47065 + GR_SPROLEPAM = 8,
47068 +/* Password setup definitions
47069 + * kernel/grhash.c */
47072 + GR_SALT_LEN = 16,
47077 + GR_SPROLE_LEN = 64,
47086 +#define GR_NLIMITS 32
47088 +/* Begin Data Structures */
47090 +struct sprole_pw {
47091 + unsigned char *rolename;
47092 + unsigned char salt[GR_SALT_LEN];
47093 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
47096 +struct name_entry {
47103 + struct name_entry *prev;
47104 + struct name_entry *next;
47107 +struct inodev_entry {
47108 + struct name_entry *nentry;
47109 + struct inodev_entry *prev;
47110 + struct inodev_entry *next;
47113 +struct acl_role_db {
47114 + struct acl_role_label **r_hash;
47118 +struct inodev_db {
47119 + struct inodev_entry **i_hash;
47124 + struct name_entry **n_hash;
47128 +struct crash_uid {
47130 + unsigned long expires;
47133 +struct gr_hash_struct {
47135 + void **nametable;
47137 + __u32 table_size;
47142 +/* Userspace Grsecurity ACL data structures */
47144 +struct acl_subject_label {
47149 + kernel_cap_t cap_mask;
47150 + kernel_cap_t cap_lower;
47151 + kernel_cap_t cap_invert_audit;
47153 + struct rlimit res[GR_NLIMITS];
47156 + __u8 user_trans_type;
47157 + __u8 group_trans_type;
47158 + uid_t *user_transitions;
47159 + gid_t *group_transitions;
47160 + __u16 user_trans_num;
47161 + __u16 group_trans_num;
47163 + __u32 sock_families[2];
47164 + __u32 ip_proto[8];
47166 + struct acl_ip_label **ips;
47168 + __u32 inaddr_any_override;
47171 + unsigned long expires;
47173 + struct acl_subject_label *parent_subject;
47174 + struct gr_hash_struct *hash;
47175 + struct acl_subject_label *prev;
47176 + struct acl_subject_label *next;
47178 + struct acl_object_label **obj_hash;
47179 + __u32 obj_hash_size;
47183 +struct role_allowed_ip {
47187 + struct role_allowed_ip *prev;
47188 + struct role_allowed_ip *next;
47191 +struct role_transition {
47194 + struct role_transition *prev;
47195 + struct role_transition *next;
47198 +struct acl_role_label {
47203 + __u16 auth_attempts;
47204 + unsigned long expires;
47206 + struct acl_subject_label *root_label;
47207 + struct gr_hash_struct *hash;
47209 + struct acl_role_label *prev;
47210 + struct acl_role_label *next;
47212 + struct role_transition *transitions;
47213 + struct role_allowed_ip *allowed_ips;
47214 + uid_t *domain_children;
47215 + __u16 domain_child_num;
47217 + struct acl_subject_label **subj_hash;
47218 + __u32 subj_hash_size;
47221 +struct user_acl_role_db {
47222 + struct acl_role_label **r_table;
47223 + __u32 num_pointers; /* Number of allocations to track */
47224 + __u32 num_roles; /* Number of roles */
47225 + __u32 num_domain_children; /* Number of domain children */
47226 + __u32 num_subjects; /* Number of subjects */
47227 + __u32 num_objects; /* Number of objects */
47230 +struct acl_object_label {
47236 + struct acl_subject_label *nested;
47237 + struct acl_object_label *globbed;
47239 + /* next two structures not used */
47241 + struct acl_object_label *prev;
47242 + struct acl_object_label *next;
47245 +struct acl_ip_label {
47254 + /* next two structures not used */
47256 + struct acl_ip_label *prev;
47257 + struct acl_ip_label *next;
47261 + struct user_acl_role_db role_db;
47262 + unsigned char pw[GR_PW_LEN];
47263 + unsigned char salt[GR_SALT_LEN];
47264 + unsigned char sum[GR_SHA_LEN];
47265 + unsigned char sp_role[GR_SPROLE_LEN];
47266 + struct sprole_pw *sprole_pws;
47267 + dev_t segv_device;
47268 + ino_t segv_inode;
47270 + __u16 num_sprole_pws;
47274 +struct gr_arg_wrapper {
47275 + struct gr_arg *arg;
47280 +struct subject_map {
47281 + struct acl_subject_label *user;
47282 + struct acl_subject_label *kernel;
47283 + struct subject_map *prev;
47284 + struct subject_map *next;
47287 +struct acl_subj_map_db {
47288 + struct subject_map **s_hash;
47292 +/* End Data Structures Section */
47294 +/* Hash functions generated by empirical testing by Brad Spengler
47295 + Makes good use of the low bits of the inode. Generally 0-1 times
47296 + in loop for successful match. 0-3 for unsuccessful match.
47297 + Shift/add algorithm with modulus of table size and an XOR*/
47299 +static __inline__ unsigned int
47300 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
47302 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
47305 + static __inline__ unsigned int
47306 +shash(const struct acl_subject_label *userp, const unsigned int sz)
47308 + return ((const unsigned long)userp % sz);
47311 +static __inline__ unsigned int
47312 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
47314 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
47317 +static __inline__ unsigned int
47318 +nhash(const char *name, const __u16 len, const unsigned int sz)
47320 + return full_name_hash((const unsigned char *)name, len) % sz;
47323 +#define FOR_EACH_ROLE_START(role) \
47324 + role = role_list; \
47327 +#define FOR_EACH_ROLE_END(role) \
47328 + role = role->prev; \
47331 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
47334 + while (iter < role->subj_hash_size) { \
47335 + if (subj == NULL) \
47336 + subj = role->subj_hash[iter]; \
47337 + if (subj == NULL) { \
47342 +#define FOR_EACH_SUBJECT_END(subj,iter) \
47343 + subj = subj->next; \
47344 + if (subj == NULL) \
47349 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
47350 + subj = role->hash->first; \
47351 + while (subj != NULL) {
47353 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
47354 + subj = subj->next; \
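Review bot: `rhash` shifts `(uid + type)` by `16 + type`, which is undefined once `type` reaches 16 on a 32-bit `uid_t`, and all four hash helpers reduce with `% sz` with no guard for `sz == 0`; since the table sizes in this header (`subj_hash_size`, `obj_hash_size`, `table_size`) describe a policy that appears to come from userspace, the contract should be stated. A comment such as `/* callers guarantee sz > 0 and type < 16 (a small role-type value, not a mask); both should be validated when the policy is loaded */` above `rhash` would record it, or the helpers could return 0 when `sz` is zero. The `static __inline__` line introducing `shash` also carries a stray leading space that the other three helpers do not. Separately, the struct holding `pw[GR_PW_LEN]` (its name line is not shown here) carries a plaintext password that `gr_arg_wrapper` suggests is copied in from userspace; the definition should note that the buffer is to be zeroized once the comparison against `sum` is done.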
47359 diff -urNp linux-2.6.38.4/include/linux/gralloc.h linux-2.6.38.4/include/linux/gralloc.h
47360 --- linux-2.6.38.4/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
47361 +++ linux-2.6.38.4/include/linux/gralloc.h 2011-04-17 15:57:32.000000000 -0400
47363 +#ifndef __GRALLOC_H
47364 +#define __GRALLOC_H
47366 +void acl_free_all(void);
47367 +int acl_alloc_stack_init(unsigned long size);
47368 +void *acl_alloc(unsigned long len);
47369 +void *acl_alloc_num(unsigned long num, unsigned long len);
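Review bot: The four prototypes carry no documentation of failure or ownership: nothing says whether `acl_alloc` and `acl_alloc_num` return NULL on exhaustion, whether `acl_alloc_num` checks the `num * len` product for overflow, or whether the memory is released only by `acl_free_all` (which the names suggest but the header does not state). A short block comment above `acl_free_all` covering those three points — return value on failure, overflow behaviour of the product, and that callers never free individually — is all the header needs; the implementation should be checked first so the comment states what the code actually does.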
47372 diff -urNp linux-2.6.38.4/include/linux/grdefs.h linux-2.6.38.4/include/linux/grdefs.h
47373 --- linux-2.6.38.4/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
47374 +++ linux-2.6.38.4/include/linux/grdefs.h 2011-04-17 15:57:32.000000000 -0400
47379 +/* Begin grsecurity status declarations */
47383 + GR_STATUS_INIT = 0x00 // disabled state
47386 +/* Begin ACL declarations */
47391 + GR_ROLE_USER = 0x0001,
47392 + GR_ROLE_GROUP = 0x0002,
47393 + GR_ROLE_DEFAULT = 0x0004,
47394 + GR_ROLE_SPECIAL = 0x0008,
47395 + GR_ROLE_AUTH = 0x0010,
47396 + GR_ROLE_NOPW = 0x0020,
47397 + GR_ROLE_GOD = 0x0040,
47398 + GR_ROLE_LEARN = 0x0080,
47399 + GR_ROLE_TPE = 0x0100,
47400 + GR_ROLE_DOMAIN = 0x0200,
47401 + GR_ROLE_PAM = 0x0400,
47402 + GR_ROLE_PERSIST = 0x0800
47405 +/* ACL Subject and Object mode flags */
47407 + GR_DELETED = 0x80000000
47410 +/* ACL Object-only mode flags */
47412 + GR_READ = 0x00000001,
47413 + GR_APPEND = 0x00000002,
47414 + GR_WRITE = 0x00000004,
47415 + GR_EXEC = 0x00000008,
47416 + GR_FIND = 0x00000010,
47417 + GR_INHERIT = 0x00000020,
47418 + GR_SETID = 0x00000040,
47419 + GR_CREATE = 0x00000080,
47420 + GR_DELETE = 0x00000100,
47421 + GR_LINK = 0x00000200,
47422 + GR_AUDIT_READ = 0x00000400,
47423 + GR_AUDIT_APPEND = 0x00000800,
47424 + GR_AUDIT_WRITE = 0x00001000,
47425 + GR_AUDIT_EXEC = 0x00002000,
47426 + GR_AUDIT_FIND = 0x00004000,
47427 + GR_AUDIT_INHERIT= 0x00008000,
47428 + GR_AUDIT_SETID = 0x00010000,
47429 + GR_AUDIT_CREATE = 0x00020000,
47430 + GR_AUDIT_DELETE = 0x00040000,
47431 + GR_AUDIT_LINK = 0x00080000,
47432 + GR_PTRACERD = 0x00100000,
47433 + GR_NOPTRACE = 0x00200000,
47434 + GR_SUPPRESS = 0x00400000,
47435 + GR_NOLEARN = 0x00800000,
47436 + GR_INIT_TRANSFER= 0x01000000
47439 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
47440 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
47441 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
47443 +/* ACL subject-only mode flags */
47445 + GR_KILL = 0x00000001,
47446 + GR_VIEW = 0x00000002,
47447 + GR_PROTECTED = 0x00000004,
47448 + GR_LEARN = 0x00000008,
47449 + GR_OVERRIDE = 0x00000010,
47450 + /* just a placeholder, this mode is only used in userspace */
47451 + GR_DUMMY = 0x00000020,
47452 + GR_PROTSHM = 0x00000040,
47453 + GR_KILLPROC = 0x00000080,
47454 + GR_KILLIPPROC = 0x00000100,
47455 + /* just a placeholder, this mode is only used in userspace */
47456 + GR_NOTROJAN = 0x00000200,
47457 + GR_PROTPROCFD = 0x00000400,
47458 + GR_PROCACCT = 0x00000800,
47459 + GR_RELAXPTRACE = 0x00001000,
47460 + GR_NESTED = 0x00002000,
47461 + GR_INHERITLEARN = 0x00004000,
47462 + GR_PROCFIND = 0x00008000,
47463 + GR_POVERRIDE = 0x00010000,
47464 + GR_KERNELAUTH = 0x00020000,
47465 + GR_ATSECURE = 0x00040000
47469 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
47470 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
47471 + GR_PAX_ENABLE_MPROTECT = 0x0004,
47472 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
47473 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
47474 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
47475 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
47476 + GR_PAX_DISABLE_MPROTECT = 0x0400,
47477 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
47478 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
47482 + GR_ID_USER = 0x01,
47483 + GR_ID_GROUP = 0x02,
47487 + GR_ID_ALLOW = 0x01,
47488 + GR_ID_DENY = 0x02,
47491 +#define GR_CRASH_RES 31
47492 +#define GR_UIDTABLE_MAX 500
47494 +/* begin resource learning section */
47496 + GR_RLIM_CPU_BUMP = 60,
47497 + GR_RLIM_FSIZE_BUMP = 50000,
47498 + GR_RLIM_DATA_BUMP = 10000,
47499 + GR_RLIM_STACK_BUMP = 1000,
47500 + GR_RLIM_CORE_BUMP = 10000,
47501 + GR_RLIM_RSS_BUMP = 500000,
47502 + GR_RLIM_NPROC_BUMP = 1,
47503 + GR_RLIM_NOFILE_BUMP = 5,
47504 + GR_RLIM_MEMLOCK_BUMP = 50000,
47505 + GR_RLIM_AS_BUMP = 500000,
47506 + GR_RLIM_LOCKS_BUMP = 2,
47507 + GR_RLIM_SIGPENDING_BUMP = 5,
47508 + GR_RLIM_MSGQUEUE_BUMP = 10000,
47509 + GR_RLIM_NICE_BUMP = 1,
47510 + GR_RLIM_RTPRIO_BUMP = 1,
47511 + GR_RLIM_RTTIME_BUMP = 1000000
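Review bot: `GR_DELETED = 0x80000000` is an enumerator whose value is not representable as `int`, which C99 (6.7.2.2) does not allow; GCC accepts it and makes the enumeration type unsigned, but any code that stores these mode flags in a plain `int` or compares them against a signed value gets a sign surprise. Either move it out of the enum as `#define GR_DELETED 0x80000000U` or add `/* NOTE: relies on the GCC extension allowing enumerators outside int range; keep this enum unsigned */` beside it. The `GR_PAX_ENABLE_*`/`GR_PAX_DISABLE_*` pairs also give no hint of what a consumer does when both bits of a pair are set, which a one-line comment could settle.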
47515 diff -urNp linux-2.6.38.4/include/linux/grinternal.h linux-2.6.38.4/include/linux/grinternal.h
47516 --- linux-2.6.38.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
47517 +++ linux-2.6.38.4/include/linux/grinternal.h 2011-04-17 15:57:32.000000000 -0400
47519 +#ifndef __GRINTERNAL_H
47520 +#define __GRINTERNAL_H
47522 +#ifdef CONFIG_GRKERNSEC
47524 +#include <linux/fs.h>
47525 +#include <linux/mnt_namespace.h>
47526 +#include <linux/nsproxy.h>
47527 +#include <linux/gracl.h>
47528 +#include <linux/grdefs.h>
47529 +#include <linux/grmsg.h>
47531 +void gr_add_learn_entry(const char *fmt, ...)
47532 + __attribute__ ((format (printf, 1, 2)));
47533 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
47534 + const struct vfsmount *mnt);
47535 +__u32 gr_check_create(const struct dentry *new_dentry,
47536 + const struct dentry *parent,
47537 + const struct vfsmount *mnt, const __u32 mode);
47538 +int gr_check_protected_task(const struct task_struct *task);
47539 +__u32 to_gr_audit(const __u32 reqmode);
47540 +int gr_set_acls(const int type);
47541 +int gr_apply_subject_to_task(struct task_struct *task);
47542 +int gr_acl_is_enabled(void);
47543 +char gr_roletype_to_char(void);
47545 +void gr_handle_alertkill(struct task_struct *task);
47546 +char *gr_to_filename(const struct dentry *dentry,
47547 + const struct vfsmount *mnt);
47548 +char *gr_to_filename1(const struct dentry *dentry,
47549 + const struct vfsmount *mnt);
47550 +char *gr_to_filename2(const struct dentry *dentry,
47551 + const struct vfsmount *mnt);
47552 +char *gr_to_filename3(const struct dentry *dentry,
47553 + const struct vfsmount *mnt);
47555 +extern int grsec_enable_harden_ptrace;
47556 +extern int grsec_enable_link;
47557 +extern int grsec_enable_fifo;
47558 +extern int grsec_enable_execve;
47559 +extern int grsec_enable_shm;
47560 +extern int grsec_enable_execlog;
47561 +extern int grsec_enable_signal;
47562 +extern int grsec_enable_audit_ptrace;
47563 +extern int grsec_enable_forkfail;
47564 +extern int grsec_enable_time;
47565 +extern int grsec_enable_rofs;
47566 +extern int grsec_enable_chroot_shmat;
47567 +extern int grsec_enable_chroot_findtask;
47568 +extern int grsec_enable_chroot_mount;
47569 +extern int grsec_enable_chroot_double;
47570 +extern int grsec_enable_chroot_pivot;
47571 +extern int grsec_enable_chroot_chdir;
47572 +extern int grsec_enable_chroot_chmod;
47573 +extern int grsec_enable_chroot_mknod;
47574 +extern int grsec_enable_chroot_fchdir;
47575 +extern int grsec_enable_chroot_nice;
47576 +extern int grsec_enable_chroot_execlog;
47577 +extern int grsec_enable_chroot_caps;
47578 +extern int grsec_enable_chroot_sysctl;
47579 +extern int grsec_enable_chroot_unix;
47580 +extern int grsec_enable_tpe;
47581 +extern int grsec_tpe_gid;
47582 +extern int grsec_enable_tpe_all;
47583 +extern int grsec_enable_tpe_invert;
47584 +extern int grsec_enable_socket_all;
47585 +extern int grsec_socket_all_gid;
47586 +extern int grsec_enable_socket_client;
47587 +extern int grsec_socket_client_gid;
47588 +extern int grsec_enable_socket_server;
47589 +extern int grsec_socket_server_gid;
47590 +extern int grsec_audit_gid;
47591 +extern int grsec_enable_group;
47592 +extern int grsec_enable_audit_textrel;
47593 +extern int grsec_enable_log_rwxmaps;
47594 +extern int grsec_enable_mount;
47595 +extern int grsec_enable_chdir;
47596 +extern int grsec_resource_logging;
47597 +extern int grsec_enable_blackhole;
47598 +extern int grsec_lastack_retries;
47599 +extern int grsec_lock;
47601 +extern spinlock_t grsec_alert_lock;
47602 +extern unsigned long grsec_alert_wtime;
47603 +extern unsigned long grsec_alert_fyet;
47605 +extern spinlock_t grsec_audit_lock;
47607 +extern rwlock_t grsec_exec_file_lock;
47609 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
47610 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
47611 + (tsk)->exec_file->f_vfsmnt) : "/")
47613 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
47614 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
47615 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
47617 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
47618 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
47619 + (tsk)->exec_file->f_vfsmnt) : "/")
47621 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
47622 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
47623 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
47625 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
47627 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
47629 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
47630 + (task)->pid, (cred)->uid, \
47631 + (cred)->euid, (cred)->gid, (cred)->egid, \
47632 + gr_parent_task_fullpath(task), \
47633 + (task)->real_parent->comm, (task)->real_parent->pid, \
47634 + (pcred)->uid, (pcred)->euid, \
47635 + (pcred)->gid, (pcred)->egid
47637 +#define GR_CHROOT_CAPS {{ \
47638 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
47639 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
47640 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
47641 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
47642 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
47643 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
47645 +#define security_learn(normal_msg,args...) \
47647 + read_lock(&grsec_exec_file_lock); \
47648 + gr_add_learn_entry(normal_msg "\n", ## args); \
47649 + read_unlock(&grsec_exec_file_lock); \
47655 + /* used for non-audit messages that we shouldn't kill the task on */
47656 + GR_DONT_AUDIT_GOOD
47667 + GR_SYSCTL_HIDDEN,
47670 + GR_ONE_INT_TWO_STR,
47677 + GR_FIVE_INT_TWO_STR,
47683 + GR_FILENAME_TWO_INT,
47684 + GR_FILENAME_TWO_INT_STR,
47697 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
47698 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
47699 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
47700 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
47701 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
47702 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
47703 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
47704 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
47705 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
47706 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
47707 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
47708 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
47709 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
47710 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
47711 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
47712 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
47713 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
47714 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
47715 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
47716 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
47717 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
47718 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
47719 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
47720 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
47721 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
47722 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
47723 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
47724 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
47725 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
47726 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
47727 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
47728 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
47729 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
47730 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
47731 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
47733 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
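Review bot: `gr_task_fullpath` and its three sibling macros read `(tsk)->exec_file` twice — once in the test and again in the `gr_to_filename*` call — so a concurrent exec that replaces `exec_file` between the two reads would dereference a stale or cleared pointer; `security_learn` takes `grsec_exec_file_lock` for reading around its use, which suggests that is the intended discipline, but the macros themselves do not say so. A comment above `gr_task_fullpath`, e.g. `/* callers must hold grsec_exec_file_lock (read side); exec_file is read twice */`, would make the requirement visible at every call site. `DEFAULTSECARGS` similarly dereferences `(task)->real_parent`, which normally needs RCU or tasklist protection, and deserves the same note. `gr_log_varargs` receives `msg` as a format string without a `format` attribute, presumably because the argument list is described by `argtypes`; a comment stating that each message in grmsg.h must match the `argtypes` layout it is logged with would help.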
47738 diff -urNp linux-2.6.38.4/include/linux/grmsg.h linux-2.6.38.4/include/linux/grmsg.h
47739 --- linux-2.6.38.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
47740 +++ linux-2.6.38.4/include/linux/grmsg.h 2011-04-17 15:57:32.000000000 -0400
47742 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
47743 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
47744 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
47745 +#define GR_STOPMOD_MSG "denied modification of module state by "
47746 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
47747 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
47748 +#define GR_IOPERM_MSG "denied use of ioperm() by "
47749 +#define GR_IOPL_MSG "denied use of iopl() by "
47750 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
47751 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
47752 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
47753 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
47754 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
47755 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
47756 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
47757 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
47758 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
47759 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
47760 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
47761 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
47762 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
47763 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
47764 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
47765 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
47766 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
47767 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
47768 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
47769 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
47770 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
47771 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
47772 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
47773 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
47774 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
47775 +#define GR_NPROC_MSG "denied overstep of process limit by "
47776 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
47777 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
47778 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
47779 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
47780 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
47781 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
47782 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
47783 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
47784 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
47785 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
47786 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
47787 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
47788 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
47789 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
47790 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
47791 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
47792 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
47793 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
47794 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
47795 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
47796 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
47797 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
47798 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
47799 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
47800 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
47801 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
47802 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
47803 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
47804 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
47805 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
47806 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
47807 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
47808 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
47809 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
47810 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
47811 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
47812 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
47813 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
47814 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
47815 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
47816 +#define GR_NICE_CHROOT_MSG "denied priority change by "
47817 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
47818 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
47819 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
47820 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
47821 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
47822 +#define GR_TIME_MSG "time set by "
47823 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
47824 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
47825 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
47826 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
47827 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
47828 +#define GR_BIND_MSG "denied bind() by "
47829 +#define GR_CONNECT_MSG "denied connect() by "
47830 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
47831 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
47832 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
47833 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
47834 +#define GR_CAP_ACL_MSG "use of %s denied for "
47835 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
47836 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
47837 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
47838 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
47839 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
47840 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
47841 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
47842 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
47843 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
47844 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
47845 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
47846 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
47847 +#define GR_VM86_MSG "denied use of vm86 by "
47848 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
47849 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
47850 diff -urNp linux-2.6.38.4/include/linux/grsecurity.h linux-2.6.38.4/include/linux/grsecurity.h
47851 --- linux-2.6.38.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
47852 +++ linux-2.6.38.4/include/linux/grsecurity.h 2011-04-17 15:57:32.000000000 -0400
47854 +#ifndef GR_SECURITY_H
47855 +#define GR_SECURITY_H
47856 +#include <linux/fs.h>
47857 +#include <linux/fs_struct.h>
47858 +#include <linux/binfmts.h>
47859 +#include <linux/gracl.h>
47860 +#include <linux/compat.h>
47862 +/* notify of brain-dead configs */
47863 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
47864 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
47866 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
47867 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
47869 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
47870 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
47872 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
47873 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
47875 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
47876 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
47879 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
47880 +void gr_handle_brute_check(void);
47881 +void gr_handle_kernel_exploit(void);
47882 +int gr_process_user_ban(void);
47884 +char gr_roletype_to_char(void);
47886 +int gr_acl_enable_at_secure(void);
47888 +int gr_check_user_change(int real, int effective, int fs);
47889 +int gr_check_group_change(int real, int effective, int fs);
47891 +void gr_del_task_from_ip_table(struct task_struct *p);
47893 +int gr_pid_is_chrooted(struct task_struct *p);
47894 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
47895 +int gr_handle_chroot_nice(void);
47896 +int gr_handle_chroot_sysctl(const int op);
47897 +int gr_handle_chroot_setpriority(struct task_struct *p,
47898 + const int niceval);
47899 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
47900 +int gr_handle_chroot_chroot(const struct dentry *dentry,
47901 + const struct vfsmount *mnt);
47902 +int gr_handle_chroot_caps(struct path *path);
47903 +void gr_handle_chroot_chdir(struct path *path);
47904 +int gr_handle_chroot_chmod(const struct dentry *dentry,
47905 + const struct vfsmount *mnt, const int mode);
47906 +int gr_handle_chroot_mknod(const struct dentry *dentry,
47907 + const struct vfsmount *mnt, const int mode);
47908 +int gr_handle_chroot_mount(const struct dentry *dentry,
47909 + const struct vfsmount *mnt,
47910 + const char *dev_name);
47911 +int gr_handle_chroot_pivot(void);
47912 +int gr_handle_chroot_unix(struct pid *pid);
47914 +int gr_handle_rawio(const struct inode *inode);
47915 +int gr_handle_nproc(void);
47917 +void gr_handle_ioperm(void);
47918 +void gr_handle_iopl(void);
47920 +int gr_tpe_allow(const struct file *file);
47922 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
47923 +void gr_clear_chroot_entries(struct task_struct *task);
47925 +void gr_log_forkfail(const int retval);
47926 +void gr_log_timechange(void);
47927 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
47928 +void gr_log_chdir(const struct dentry *dentry,
47929 + const struct vfsmount *mnt);
47930 +void gr_log_chroot_exec(const struct dentry *dentry,
47931 + const struct vfsmount *mnt);
47932 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
47933 +#ifdef CONFIG_COMPAT
47934 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
47936 +void gr_log_remount(const char *devname, const int retval);
47937 +void gr_log_unmount(const char *devname, const int retval);
47938 +void gr_log_mount(const char *from, const char *to, const int retval);
47939 +void gr_log_textrel(struct vm_area_struct *vma);
47940 +void gr_log_rwxmmap(struct file *file);
47941 +void gr_log_rwxmprotect(struct file *file);
47943 +int gr_handle_follow_link(const struct inode *parent,
47944 + const struct inode *inode,
47945 + const struct dentry *dentry,
47946 + const struct vfsmount *mnt);
47947 +int gr_handle_fifo(const struct dentry *dentry,
47948 + const struct vfsmount *mnt,
47949 + const struct dentry *dir, const int flag,
47950 + const int acc_mode);
47951 +int gr_handle_hardlink(const struct dentry *dentry,
47952 + const struct vfsmount *mnt,
47953 + struct inode *inode,
47954 + const int mode, const char *to);
47956 +int gr_is_capable(const int cap);
47957 +int gr_is_capable_nolog(const int cap);
47958 +void gr_learn_resource(const struct task_struct *task, const int limit,
47959 + const unsigned long wanted, const int gt);
47960 +void gr_copy_label(struct task_struct *tsk);
47961 +void gr_handle_crash(struct task_struct *task, const int sig);
47962 +int gr_handle_signal(const struct task_struct *p, const int sig);
47963 +int gr_check_crash_uid(const uid_t uid);
47964 +int gr_check_protected_task(const struct task_struct *task);
47965 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
47966 +int gr_acl_handle_mmap(const struct file *file,
47967 + const unsigned long prot);
47968 +int gr_acl_handle_mprotect(const struct file *file,
47969 + const unsigned long prot);
47970 +int gr_check_hidden_task(const struct task_struct *tsk);
47971 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
47972 + const struct vfsmount *mnt);
47973 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
47974 + const struct vfsmount *mnt);
47975 +__u32 gr_acl_handle_access(const struct dentry *dentry,
47976 + const struct vfsmount *mnt, const int fmode);
47977 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
47978 + const struct vfsmount *mnt, mode_t mode);
47979 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
47980 + const struct vfsmount *mnt, mode_t mode);
47981 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
47982 + const struct vfsmount *mnt);
47983 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
47984 + const struct vfsmount *mnt);
47985 +int gr_handle_ptrace(struct task_struct *task, const long request);
47986 +int gr_handle_proc_ptrace(struct task_struct *task);
47987 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
47988 + const struct vfsmount *mnt);
47989 +int gr_check_crash_exec(const struct file *filp);
47990 +int gr_acl_is_enabled(void);
47991 +void gr_set_kernel_label(struct task_struct *task);
47992 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
47993 + const gid_t gid);
47994 +int gr_set_proc_label(const struct dentry *dentry,
47995 + const struct vfsmount *mnt,
47996 + const int unsafe_share);
47997 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
47998 + const struct vfsmount *mnt);
47999 +__u32 gr_acl_handle_open(const struct dentry *dentry,
48000 + const struct vfsmount *mnt, const int fmode);
48001 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
48002 + const struct dentry *p_dentry,
48003 + const struct vfsmount *p_mnt, const int fmode,
48004 + const int imode);
48005 +void gr_handle_create(const struct dentry *dentry,
48006 + const struct vfsmount *mnt);
48007 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
48008 + const struct dentry *parent_dentry,
48009 + const struct vfsmount *parent_mnt,
48011 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
48012 + const struct dentry *parent_dentry,
48013 + const struct vfsmount *parent_mnt);
48014 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
48015 + const struct vfsmount *mnt);
48016 +void gr_handle_delete(const ino_t ino, const dev_t dev);
48017 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
48018 + const struct vfsmount *mnt);
48019 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
48020 + const struct dentry *parent_dentry,
48021 + const struct vfsmount *parent_mnt,
48022 + const char *from);
48023 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
48024 + const struct dentry *parent_dentry,
48025 + const struct vfsmount *parent_mnt,
48026 + const struct dentry *old_dentry,
48027 + const struct vfsmount *old_mnt, const char *to);
48028 +int gr_acl_handle_rename(struct dentry *new_dentry,
48029 + struct dentry *parent_dentry,
48030 + const struct vfsmount *parent_mnt,
48031 + struct dentry *old_dentry,
48032 + struct inode *old_parent_inode,
48033 + struct vfsmount *old_mnt, const char *newname);
48034 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
48035 + struct dentry *old_dentry,
48036 + struct dentry *new_dentry,
48037 + struct vfsmount *mnt, const __u8 replace);
48038 +__u32 gr_check_link(const struct dentry *new_dentry,
48039 + const struct dentry *parent_dentry,
48040 + const struct vfsmount *parent_mnt,
48041 + const struct dentry *old_dentry,
48042 + const struct vfsmount *old_mnt);
48043 +int gr_acl_handle_filldir(const struct file *file, const char *name,
48044 + const unsigned int namelen, const ino_t ino);
48046 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
48047 + const struct vfsmount *mnt);
48048 +void gr_acl_handle_exit(void);
48049 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
48050 +int gr_acl_handle_procpidmem(const struct task_struct *task);
48051 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
48052 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
48053 +void gr_audit_ptrace(struct task_struct *task);
48054 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
48056 +#ifdef CONFIG_GRKERNSEC
48057 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
48058 +void gr_handle_vm86(void);
48059 +void gr_handle_mem_readwrite(u64 from, u64 to);
48061 +extern int grsec_enable_dmesg;
48062 +extern int grsec_disable_privio;
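Review bot: `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change(int real, int effective, int fs)` take plain `int` for ids, while the rest of this header uses `uid_t`/`gid_t` (`gr_check_crash_uid`, `gr_set_role_label`) and the matching log formats print them with `%u`. Callers of the setresuid family pass `(uid_t)-1` to mean "unchanged", so a signed parameter invites sign-confusion in whatever range or allow-list checks the implementation performs. I would change the prototypes to `int gr_check_user_change(uid_t real, uid_t effective, uid_t fs);` and `int gr_check_group_change(gid_t real, gid_t effective, gid_t fs);` and adjust the definitions to match; those definitions are outside this hunk, so I cannot confirm how the values are compared today.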
48066 diff -urNp linux-2.6.38.4/include/linux/grsock.h linux-2.6.38.4/include/linux/grsock.h
48067 --- linux-2.6.38.4/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
48068 +++ linux-2.6.38.4/include/linux/grsock.h 2011-04-17 15:57:32.000000000 -0400
48070 +#ifndef __GRSOCK_H
48071 +#define __GRSOCK_H
48073 +extern void gr_attach_curr_ip(const struct sock *sk);
48074 +extern int gr_handle_sock_all(const int family, const int type,
48075 + const int protocol);
48076 +extern int gr_handle_sock_server(const struct sockaddr *sck);
48077 +extern int gr_handle_sock_server_other(const struct sock *sck);
48078 +extern int gr_handle_sock_client(const struct sockaddr *sck);
48079 +extern int gr_search_connect(struct socket * sock,
48080 + struct sockaddr_in * addr);
48081 +extern int gr_search_bind(struct socket * sock,
48082 + struct sockaddr_in * addr);
48083 +extern int gr_search_listen(struct socket * sock);
48084 +extern int gr_search_accept(struct socket * sock);
48085 +extern int gr_search_socket(const int domain, const int type,
48086 + const int protocol);
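Review bot: `gr_search_connect` and `gr_search_bind` take `struct sockaddr_in *`, so the address/port ACL they implement is IPv4-only, consistent with the `%pI4` in the bind/connect log formats elsewhere in the patch. Unless AF_INET6 sockets are rejected or handled by another hook (the definitions are outside this hunk), a connect() or bind() over IPv6, including an IPv4-mapped address, is not matched by the rule, and that limitation should be stated in the header, e.g. `/* IPv4 only: AF_INET6 endpoints are not matched by the bind/connect ACL */` above the two prototypes. As a point of style, `struct socket * sock` and `struct sockaddr_in * addr` should be written `struct socket *sock` and `struct sockaddr_in *addr` like the other declarations in this file.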
48089 diff -urNp linux-2.6.38.4/include/linux/highmem.h linux-2.6.38.4/include/linux/highmem.h
48090 --- linux-2.6.38.4/include/linux/highmem.h 2011-03-14 21:20:32.000000000 -0400
48091 +++ linux-2.6.38.4/include/linux/highmem.h 2011-04-17 15:57:32.000000000 -0400
48092 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
48093 kunmap_atomic(kaddr, KM_USER0);
48096 +static inline void sanitize_highpage(struct page *page)
48099 + unsigned long flags;
48101 + local_irq_save(flags);
48102 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
48103 + clear_page(kaddr);
48104 + kunmap_atomic(kaddr, KM_CLEARPAGE);
48105 + local_irq_restore(flags);
48108 static inline void zero_user_segments(struct page *page,
48109 unsigned start1, unsigned end1,
48110 unsigned start2, unsigned end2)
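Review bot: `sanitize_highpage` has no comment, and it differs from the adjacent `clear_highpage` in two ways the code does not explain — it maps through the `KM_CLEARPAGE` slot instead of `KM_USER0` and it brackets the atomic kmap with `local_irq_save`/`local_irq_restore`. A short comment above the function should give the intent, along the lines of `/* Zero a page being sanitized; IRQs are disabled so the KM_CLEARPAGE slot cannot be reused by an interrupt on this CPU while it is mapped — presumably, confirm against the callers */`, since the reason is not visible here. The `void *kaddr;` declaration and the function's braces are not shown in this view of the hunk, so I assume they were collapsed rather than omitted.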
48111 diff -urNp linux-2.6.38.4/include/linux/init.h linux-2.6.38.4/include/linux/init.h
48112 --- linux-2.6.38.4/include/linux/init.h 2011-03-14 21:20:32.000000000 -0400
48113 +++ linux-2.6.38.4/include/linux/init.h 2011-04-17 15:57:32.000000000 -0400
48114 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
48116 /* Each module must use one module_init(). */
48117 #define module_init(initfn) \
48118 - static inline initcall_t __inittest(void) \
48119 + static inline __used initcall_t __inittest(void) \
48120 { return initfn; } \
48121 int init_module(void) __attribute__((alias(#initfn)));
48123 /* This is only required if you want to be unloadable. */
48124 #define module_exit(exitfn) \
48125 - static inline exitcall_t __exittest(void) \
48126 + static inline __used exitcall_t __exittest(void) \
48127 { return exitfn; } \
48128 void cleanup_module(void) __attribute__((alias(#exitfn)));
48130 diff -urNp linux-2.6.38.4/include/linux/init_task.h linux-2.6.38.4/include/linux/init_task.h
48131 --- linux-2.6.38.4/include/linux/init_task.h 2011-03-14 21:20:32.000000000 -0400
48132 +++ linux-2.6.38.4/include/linux/init_task.h 2011-04-18 18:02:13.000000000 -0400
48133 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
48138 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
48140 +#define INIT_TASK_THREAD_INFO
48144 * Because of the reduced scope of CAP_SETPCAP when filesystem
48145 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
48146 @@ -163,6 +169,7 @@ extern struct cred init_cred;
48147 RCU_INIT_POINTER(.cred, &init_cred), \
48148 .comm = "swapper", \
48149 .thread = INIT_THREAD, \
48150 + INIT_TASK_THREAD_INFO \
48152 .files = &init_files, \
48153 .signal = &init_signals, \
48154 diff -urNp linux-2.6.38.4/include/linux/interrupt.h linux-2.6.38.4/include/linux/interrupt.h
48155 --- linux-2.6.38.4/include/linux/interrupt.h 2011-03-14 21:20:32.000000000 -0400
48156 +++ linux-2.6.38.4/include/linux/interrupt.h 2011-04-17 15:57:32.000000000 -0400
48157 @@ -393,7 +393,7 @@ enum
48158 /* map softirq index to softirq name. update 'softirq_to_name' in
48159 * kernel/softirq.c when adding a new softirq.
48161 -extern char *softirq_to_name[NR_SOFTIRQS];
48162 +extern const char * const softirq_to_name[NR_SOFTIRQS];
48164 /* softirq mask and active fields moved to irq_cpustat_t in
48165 * asm/hardirq.h to get better cache usage. KAO
48166 @@ -401,12 +401,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
48168 struct softirq_action
48170 - void (*action)(struct softirq_action *);
48171 + void (*action)(void);
48174 asmlinkage void do_softirq(void);
48175 asmlinkage void __do_softirq(void);
48176 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
48177 +extern void open_softirq(int nr, void (*action)(void));
48178 extern void softirq_init(void);
48179 static inline void __raise_softirq_irqoff(unsigned int nr)
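Review bot: the `action` callback in `struct softirq_action` loses its `struct softirq_action *` argument and `open_softirq` follows, but nothing in the hunk records why; every in-tree handler and any out-of-tree caller of `open_softirq` must be converted, and the only nearby comment talks about keeping `softirq_to_name` in sync. A line above the struct such as `/* Handlers take no argument: the softirq_action pointer was never used by them (PaX change) */` would stop a later contributor from reintroducing it — hedged, since the motivation is not visible in this hunk. The struct's braces are collapsed in this view.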
48181 diff -urNp linux-2.6.38.4/include/linux/jbd2.h linux-2.6.38.4/include/linux/jbd2.h
48182 --- linux-2.6.38.4/include/linux/jbd2.h 2011-03-14 21:20:32.000000000 -0400
48183 +++ linux-2.6.38.4/include/linux/jbd2.h 2011-04-17 15:57:32.000000000 -0400
48184 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
48188 -#define jbd_debug(f, a...) /**/
48189 +#define jbd_debug(f, a...) do {} while (0)
48192 extern void *jbd2_alloc(size_t size, gfp_t flags);
48193 diff -urNp linux-2.6.38.4/include/linux/jbd.h linux-2.6.38.4/include/linux/jbd.h
48194 --- linux-2.6.38.4/include/linux/jbd.h 2011-03-14 21:20:32.000000000 -0400
48195 +++ linux-2.6.38.4/include/linux/jbd.h 2011-04-17 15:57:32.000000000 -0400
48196 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
48200 -#define jbd_debug(f, a...) /**/
48201 +#define jbd_debug(f, a...) do {} while (0)
48204 static inline void *jbd_alloc(size_t size, gfp_t flags)
48205 diff -urNp linux-2.6.38.4/include/linux/kallsyms.h linux-2.6.38.4/include/linux/kallsyms.h
48206 --- linux-2.6.38.4/include/linux/kallsyms.h 2011-03-14 21:20:32.000000000 -0400
48207 +++ linux-2.6.38.4/include/linux/kallsyms.h 2011-04-17 15:57:32.000000000 -0400
48212 -#ifdef CONFIG_KALLSYMS
48213 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
48214 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48215 /* Lookup the address for a symbol. Returns 0 if not found. */
48216 unsigned long kallsyms_lookup_name(const char *name);
48218 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
48219 /* Stupid that this does nothing, but I didn't create this mess. */
48220 #define __print_symbol(fmt, addr)
48221 #endif /*CONFIG_KALLSYMS*/
48222 +#else /* when included by kallsyms.c, vsnprintf.c, or
48223 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
48224 +extern void __print_symbol(const char *fmt, unsigned long address);
48225 +extern int sprint_symbol(char *buffer, unsigned long address);
48226 +const char *kallsyms_lookup(unsigned long addr,
48227 + unsigned long *symbolsize,
48228 + unsigned long *offset,
48229 + char **modname, char *namebuf);
48232 /* This macro allows us to keep printk typechecking */
48233 static void __check_printsym_format(const char *fmt, ...)
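Review bot: the `#else` branch comment enumerates the translation units that define `__INCLUDED_BY_HIDESYM` (kallsyms.c, vsnprintf.c, dumpstack.c); that list will rot, and any other file that needs real symbol resolution under CONFIG_GRKERNSEC_HIDESYM silently gets the no-op `__print_symbol` stub rather than a build error. State the rule instead of the list: `/* HIDESYM: only units that define __INCLUDED_BY_HIDESYM see the real prototypes; all others get the stubs, presumably so symbol names and addresses never reach unprivileged output */`. Also `kallsyms_lookup` in this branch lacks the `extern` the two neighbouring declarations carry — harmless, but inconsistent within the same three lines.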
48234 diff -urNp linux-2.6.38.4/include/linux/kgdb.h linux-2.6.38.4/include/linux/kgdb.h
48235 --- linux-2.6.38.4/include/linux/kgdb.h 2011-03-14 21:20:32.000000000 -0400
48236 +++ linux-2.6.38.4/include/linux/kgdb.h 2011-04-17 15:57:32.000000000 -0400
48237 @@ -269,22 +269,22 @@ struct kgdb_arch {
48241 - int (*read_char) (void);
48242 - void (*write_char) (u8);
48243 - void (*flush) (void);
48244 - int (*init) (void);
48245 - void (*pre_exception) (void);
48246 - void (*post_exception) (void);
48247 + int (* const read_char) (void);
48248 + void (* const write_char) (u8);
48249 + void (* const flush) (void);
48250 + int (* const init) (void);
48251 + void (* const pre_exception) (void);
48252 + void (* const post_exception) (void);
48256 -extern struct kgdb_arch arch_kgdb_ops;
48257 +extern const struct kgdb_arch arch_kgdb_ops;
48259 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
48261 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
48262 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
48263 -extern struct kgdb_io *dbg_io_ops;
48264 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
48265 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
48266 +extern const struct kgdb_io *dbg_io_ops;
48268 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
48269 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
48270 diff -urNp linux-2.6.38.4/include/linux/kmod.h linux-2.6.38.4/include/linux/kmod.h
48271 --- linux-2.6.38.4/include/linux/kmod.h 2011-03-14 21:20:32.000000000 -0400
48272 +++ linux-2.6.38.4/include/linux/kmod.h 2011-04-17 15:57:32.000000000 -0400
48273 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
48274 * usually useless though. */
48275 extern int __request_module(bool wait, const char *name, ...) \
48276 __attribute__((format(printf, 2, 3)));
48277 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
48278 + __attribute__((format(printf, 3, 4)));
48279 #define request_module(mod...) __request_module(true, mod)
48280 #define request_module_nowait(mod...) __request_module(false, mod)
48281 #define try_then_request_module(x, mod...) \
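Review bot: `___request_module` takes `char *param_name` while `name` is `const char *`; if the function only reads the parameter name (its definition is outside this hunk) the prototype should be `extern int ___request_module(bool wait, const char *param_name, const char *name, ...)` so callers can pass string literals cleanly and the API documents that it does not modify the buffer. A one-line comment saying what `param_name` is for would help too, since the existing comment above only describes `__request_module`. Identifiers beginning with two underscores are reserved for the implementation in C, so a triple-underscore name is a style point worth noting even in kernel code.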
48282 diff -urNp linux-2.6.38.4/include/linux/kvm_host.h linux-2.6.38.4/include/linux/kvm_host.h
48283 --- linux-2.6.38.4/include/linux/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
48284 +++ linux-2.6.38.4/include/linux/kvm_host.h 2011-04-17 15:57:32.000000000 -0400
48285 @@ -288,7 +288,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
48286 void vcpu_load(struct kvm_vcpu *vcpu);
48287 void vcpu_put(struct kvm_vcpu *vcpu);
48289 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
48290 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
48291 struct module *module);
48292 void kvm_exit(void);
48294 @@ -428,7 +428,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
48295 struct kvm_guest_debug *dbg);
48296 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
48298 -int kvm_arch_init(void *opaque);
48299 +int kvm_arch_init(const void *opaque);
48300 void kvm_arch_exit(void);
48302 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
48303 diff -urNp linux-2.6.38.4/include/linux/libata.h linux-2.6.38.4/include/linux/libata.h
48304 --- linux-2.6.38.4/include/linux/libata.h 2011-03-14 21:20:32.000000000 -0400
48305 +++ linux-2.6.38.4/include/linux/libata.h 2011-04-17 15:57:32.000000000 -0400
48306 @@ -65,11 +65,11 @@
48307 #ifdef ATA_VERBOSE_DEBUG
48308 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
48310 -#define VPRINTK(fmt, args...)
48311 +#define VPRINTK(fmt, args...) do {} while (0)
48312 #endif /* ATA_VERBOSE_DEBUG */
48314 -#define DPRINTK(fmt, args...)
48315 -#define VPRINTK(fmt, args...)
48316 +#define DPRINTK(fmt, args...) do {} while (0)
48317 +#define VPRINTK(fmt, args...) do {} while (0)
48318 #endif /* ATA_DEBUG */
48320 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
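Review bot: the hunk converts the empty `VPRINTK`/`DPRINTK` definitions to `do {} while (0)`, which is right, but the neighbouring `BPRINTK` stays an unbraced `if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...)`, so `if (x) BPRINTK(...); else ...` binds the `else` to the macro's own `if`. Since this hunk is already normalising these debug macros, wrap it too: `#define BPRINTK(fmt, args...) do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args); } while (0)`.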
48321 @@ -530,11 +530,11 @@ struct ata_ioports {
48325 - struct device *dev;
48326 + struct device *dev;
48327 void __iomem * const *iomap;
48328 unsigned int n_ports;
48329 void *private_data;
48330 - struct ata_port_operations *ops;
48331 + const struct ata_port_operations *ops;
48332 unsigned long flags;
48334 struct mutex eh_mutex;
48335 @@ -725,7 +725,7 @@ struct ata_link {
48338 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
48339 - struct ata_port_operations *ops;
48340 + const struct ata_port_operations *ops;
48342 /* Flags owned by the EH context. Only EH should touch these once the
48344 @@ -913,7 +913,7 @@ struct ata_port_info {
48345 unsigned long pio_mask;
48346 unsigned long mwdma_mask;
48347 unsigned long udma_mask;
48348 - struct ata_port_operations *port_ops;
48349 + const struct ata_port_operations *port_ops;
48350 void *private_data;
48353 @@ -937,7 +937,7 @@ extern const unsigned long sata_deb_timi
48354 extern const unsigned long sata_deb_timing_hotplug[];
48355 extern const unsigned long sata_deb_timing_long[];
48357 -extern struct ata_port_operations ata_dummy_port_ops;
48358 +extern const struct ata_port_operations ata_dummy_port_ops;
48359 extern const struct ata_port_info ata_dummy_port_info;
48361 static inline const unsigned long *
48362 @@ -983,7 +983,7 @@ extern int ata_host_activate(struct ata_
48363 struct scsi_host_template *sht);
48364 extern void ata_host_detach(struct ata_host *host);
48365 extern void ata_host_init(struct ata_host *, struct device *,
48366 - unsigned long, struct ata_port_operations *);
48367 + unsigned long, const struct ata_port_operations *);
48368 extern int ata_scsi_detect(struct scsi_host_template *sht);
48369 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
48370 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
48371 diff -urNp linux-2.6.38.4/include/linux/lockd/bind.h linux-2.6.38.4/include/linux/lockd/bind.h
48372 --- linux-2.6.38.4/include/linux/lockd/bind.h 2011-03-14 21:20:32.000000000 -0400
48373 +++ linux-2.6.38.4/include/linux/lockd/bind.h 2011-04-17 15:57:32.000000000 -0400
48374 @@ -23,13 +23,13 @@ struct svc_rqst;
48375 * This is the set of functions for lockd->nfsd communication
48377 struct nlmsvc_binding {
48378 - __be32 (*fopen)(struct svc_rqst *,
48379 + __be32 (* const fopen)(struct svc_rqst *,
48382 - void (*fclose)(struct file *);
48383 + void (* const fclose)(struct file *);
48386 -extern struct nlmsvc_binding * nlmsvc_ops;
48387 +extern const struct nlmsvc_binding * nlmsvc_ops;
48390 * Similar to nfs_client_initdata, but without the NFS-specific
48391 diff -urNp linux-2.6.38.4/include/linux/mm.h linux-2.6.38.4/include/linux/mm.h
48392 --- linux-2.6.38.4/include/linux/mm.h 2011-04-18 17:27:16.000000000 -0400
48393 +++ linux-2.6.38.4/include/linux/mm.h 2011-04-17 15:57:32.000000000 -0400
48394 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
48396 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
48397 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
48399 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
48400 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
48401 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
48403 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
48406 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
48407 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
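Review bot: under CONFIG_PAX_PAGEEXEC on x86-32 `VM_SAO` is redefined to `0x00000000` so its bit can be reused for `VM_PAGEEXEC`, but the comment still reads "Strong Access Ordering (powerpc)" as if the flag were meaningful there; on that configuration `flags & VM_SAO` is always false and `flags |= VM_SAO` is a no-op. Say so at the define: `#define VM_SAO 0x00000000 /* powerpc-only; bit 0x20000000 is reused by VM_PAGEEXEC on x86-32, so VM_SAO is a no-op here */`. The `#else`/`#endif` of this conditional are not visible in this view of the hunk.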
48409 @@ -992,12 +999,6 @@ int set_page_dirty(struct page *page);
48410 int set_page_dirty_lock(struct page *page);
48411 int clear_page_dirty_for_io(struct page *page);
48413 -/* Is the vma a continuation of the stack vma above it? */
48414 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
48416 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
48419 extern unsigned long move_page_tables(struct vm_area_struct *vma,
48420 unsigned long old_addr, struct vm_area_struct *new_vma,
48421 unsigned long new_addr, unsigned long len);
48422 @@ -1149,6 +1150,15 @@ struct shrinker {
48423 extern void register_shrinker(struct shrinker *);
48424 extern void unregister_shrinker(struct shrinker *);
48427 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
48429 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
48431 + return __pgprot(0);
48435 int vma_wants_writenotify(struct vm_area_struct *vma);
48437 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
48438 @@ -1438,6 +1448,7 @@ out:
48441 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
48442 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
48444 extern unsigned long do_brk(unsigned long, unsigned long);
48446 @@ -1494,6 +1505,10 @@ extern struct vm_area_struct * find_vma(
48447 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
48448 struct vm_area_struct **pprev);
48450 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
48451 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
48452 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
48454 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
48455 NULL if none. Assume start_addr < end_addr. */
48456 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
48457 @@ -1510,15 +1525,6 @@ static inline unsigned long vma_pages(st
48458 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
48462 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
48464 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
48466 - return __pgprot(0);
48470 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
48471 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
48472 unsigned long pfn, unsigned long size, pgprot_t);
48473 @@ -1627,7 +1633,7 @@ extern int unpoison_memory(unsigned long
48474 extern int sysctl_memory_failure_early_kill;
48475 extern int sysctl_memory_failure_recovery;
48476 extern void shake_page(struct page *p, int access);
48477 -extern atomic_long_t mce_bad_pages;
48478 +extern atomic_long_unchecked_t mce_bad_pages;
48479 extern int soft_offline_page(struct page *page, int flags);
48480 #ifdef CONFIG_MEMORY_FAILURE
48481 int is_hwpoison_address(unsigned long addr);
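Review bot: `mce_bad_pages` becomes `atomic_long_unchecked_t`, i.e. it opts out of whatever overflow protection the checked `atomic_long_t` carries in this patch; that is reasonable for a statistics counter, but the exemption should be justified at the declaration because unchecked types are the escape hatch a later reader will copy. Suggest `extern atomic_long_unchecked_t mce_bad_pages; /* statistics only, never a refcount: wraparound is harmless */`. The `_unchecked` typedef and the variable's definition are outside this hunk, so the semantics of the checked variant are inferred.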
48482 @@ -1649,5 +1655,11 @@ extern void copy_user_huge_page(struct p
48483 unsigned int pages_per_huge_page);
48484 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
48486 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
48487 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
48489 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
48492 #endif /* __KERNEL__ */
48493 #endif /* _LINUX_MM_H */
48494 diff -urNp linux-2.6.38.4/include/linux/mm_types.h linux-2.6.38.4/include/linux/mm_types.h
48495 --- linux-2.6.38.4/include/linux/mm_types.h 2011-03-14 21:20:32.000000000 -0400
48496 +++ linux-2.6.38.4/include/linux/mm_types.h 2011-04-17 15:57:32.000000000 -0400
48497 @@ -183,6 +183,8 @@ struct vm_area_struct {
48499 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
48502 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
48505 struct core_thread {
48506 @@ -315,6 +317,24 @@ struct mm_struct {
48508 /* How many tasks sharing this mm are OOM_DISABLE */
48509 atomic_t oom_disable_count;
48511 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
48512 + unsigned long pax_flags;
48515 +#ifdef CONFIG_PAX_DLRESOLVE
48516 + unsigned long call_dl_resolve;
48519 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
48520 + unsigned long call_syscall;
48523 +#ifdef CONFIG_PAX_ASLR
48524 + unsigned long delta_mmap; /* randomized offset */
48525 + unsigned long delta_stack; /* randomized offset */
48530 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
48531 diff -urNp linux-2.6.38.4/include/linux/mmu_notifier.h linux-2.6.38.4/include/linux/mmu_notifier.h
48532 --- linux-2.6.38.4/include/linux/mmu_notifier.h 2011-03-14 21:20:32.000000000 -0400
48533 +++ linux-2.6.38.4/include/linux/mmu_notifier.h 2011-04-17 15:57:32.000000000 -0400
48534 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
48536 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
48540 struct vm_area_struct *___vma = __vma; \
48541 unsigned long ___address = __address; \
48542 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
48543 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
48544 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
48549 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
48550 diff -urNp linux-2.6.38.4/include/linux/mmzone.h linux-2.6.38.4/include/linux/mmzone.h
48551 --- linux-2.6.38.4/include/linux/mmzone.h 2011-03-14 21:20:32.000000000 -0400
48552 +++ linux-2.6.38.4/include/linux/mmzone.h 2011-04-17 15:57:32.000000000 -0400
48553 @@ -355,7 +355,7 @@ struct zone {
48554 unsigned long flags; /* zone flags, see below */
48556 /* Zone statistics */
48557 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48558 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48561 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
48562 diff -urNp linux-2.6.38.4/include/linux/mod_devicetable.h linux-2.6.38.4/include/linux/mod_devicetable.h
48563 --- linux-2.6.38.4/include/linux/mod_devicetable.h 2011-03-14 21:20:32.000000000 -0400
48564 +++ linux-2.6.38.4/include/linux/mod_devicetable.h 2011-04-17 15:57:32.000000000 -0400
48566 typedef unsigned long kernel_ulong_t;
48569 -#define PCI_ANY_ID (~0)
48570 +#define PCI_ANY_ID ((__u16)~0)
48572 struct pci_device_id {
48573 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
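Review bot: `PCI_ANY_ID` changes value here, not just type: `(__u16)~0` is 0xFFFF, whereas the previous `(~0)` stored into the `__u32 vendor, device` fields visible in this hunk was 0xFFFFFFFF. Every `pci_device_id` table and every comparison must therefore be built against the same header; a table or tool compiled with the unpatched definition, or code that compares against `~0U`, will no longer match wildcard entries. The `HID_ANY_ID` hunk below avoids this by using `(~0U)`, which keeps the value and only fixes the signedness; the same spelling would work here unless the 16-bit truncation is deliberate, in which case a comment such as `/* PCI IDs are 16-bit; 0xFFFF is the wildcard in every id table */` should say so.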
48574 @@ -131,7 +131,7 @@ struct usb_device_id {
48575 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
48576 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
48578 -#define HID_ANY_ID (~0)
48579 +#define HID_ANY_ID (~0U)
48581 struct hid_device_id {
48583 diff -urNp linux-2.6.38.4/include/linux/module.h linux-2.6.38.4/include/linux/module.h
48584 --- linux-2.6.38.4/include/linux/module.h 2011-03-14 21:20:32.000000000 -0400
48585 +++ linux-2.6.38.4/include/linux/module.h 2011-04-17 15:57:32.000000000 -0400
48586 @@ -324,19 +324,16 @@ struct module
48589 /* If this is non-NULL, vfree after init() returns */
48590 - void *module_init;
48591 + void *module_init_rx, *module_init_rw;
48593 /* Here is the actual code + data, vfree'd on unload. */
48594 - void *module_core;
48595 + void *module_core_rx, *module_core_rw;
48597 /* Here are the sizes of the init and core sections */
48598 - unsigned int init_size, core_size;
48599 + unsigned int init_size_rw, core_size_rw;
48601 /* The size of the executable code in each section. */
48602 - unsigned int init_text_size, core_text_size;
48604 - /* Size of RO sections of the module (text+rodata) */
48605 - unsigned int init_ro_size, core_ro_size;
48606 + unsigned int init_size_rx, core_size_rx;
48608 /* Arch-specific module values */
48609 struct mod_arch_specific arch;
48610 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
48611 bool is_module_percpu_address(unsigned long addr);
48612 bool is_module_text_address(unsigned long addr);
48614 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
48617 +#ifdef CONFIG_PAX_KERNEXEC
48618 + if (ktla_ktva(addr) >= (unsigned long)start &&
48619 + ktla_ktva(addr) < (unsigned long)start + size)
48623 + return ((void *)addr >= start && (void *)addr < start + size);
48626 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
48628 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
48631 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
48633 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
48636 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
48638 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
48641 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
48643 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
48646 static inline int within_module_core(unsigned long addr, struct module *mod)
48648 - return (unsigned long)mod->module_core <= addr &&
48649 - addr < (unsigned long)mod->module_core + mod->core_size;
48650 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
48653 static inline int within_module_init(unsigned long addr, struct module *mod)
48655 - return (unsigned long)mod->module_init <= addr &&
48656 - addr < (unsigned long)mod->module_init + mod->init_size;
48657 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
48660 /* Search for module by name: must hold module_mutex. */
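Review bot: `within_module_range` evaluates `ktla_ktva(addr)` twice in the KERNEXEC branch; computing it once, `unsigned long ktva = ktla_ktva(addr);`, reads better and removes any doubt about double expansion if `ktla_ktva` is a macro. The `start` parameter is only compared and never written through, so `const void *start` would document that. A short comment on the dual test, e.g. `/* under KERNEXEC the RX sections are also reachable through their ktla alias, so test both the alias and the raw address */`, would explain the two comparisons, as far as that intent can be inferred from them.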
48661 diff -urNp linux-2.6.38.4/include/linux/moduleloader.h linux-2.6.38.4/include/linux/moduleloader.h
48662 --- linux-2.6.38.4/include/linux/moduleloader.h 2011-03-14 21:20:32.000000000 -0400
48663 +++ linux-2.6.38.4/include/linux/moduleloader.h 2011-04-17 15:57:32.000000000 -0400
48664 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
48665 sections. Returns NULL on failure. */
48666 void *module_alloc(unsigned long size);
48668 +#ifdef CONFIG_PAX_KERNEXEC
48669 +void *module_alloc_exec(unsigned long size);
48671 +#define module_alloc_exec(x) module_alloc(x)
48674 /* Free memory returned from module_alloc. */
48675 void module_free(struct module *mod, void *module_region);
48677 +#ifdef CONFIG_PAX_KERNEXEC
48678 +void module_free_exec(struct module *mod, void *module_region);
48680 +#define module_free_exec(x, y) module_free((x), (y))
48683 /* Apply the given relocation to the (simplified) ELF. Return -error
48685 int apply_relocate(Elf_Shdr *sechdrs,
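Review bot: The non-KERNEXEC fallback `#define module_alloc_exec(x) module_alloc(x)` does not parenthesise its argument while the sibling `module_free_exec(x, y)` does; `#define module_alloc_exec(x) module_alloc((x))` keeps the two consistent. A one-line comment above the KERNEXEC prototypes stating the contract, e.g. `/* Allocate / free the executable part of a module; without KERNEXEC this is ordinary module memory. */`, would tell readers why a second allocator exists, which the `_exec` suffix only hints at.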
48686 diff -urNp linux-2.6.38.4/include/linux/moduleparam.h linux-2.6.38.4/include/linux/moduleparam.h
48687 --- linux-2.6.38.4/include/linux/moduleparam.h 2011-03-14 21:20:32.000000000 -0400
48688 +++ linux-2.6.38.4/include/linux/moduleparam.h 2011-04-17 15:57:32.000000000 -0400
48689 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
48690 * @len is usually just sizeof(string).
48692 #define module_param_string(name, string, len, perm) \
48693 - static const struct kparam_string __param_string_##name \
48694 + static const struct kparam_string __param_string_##name __used \
48695 = { len, string }; \
48696 __module_param_call(MODULE_PARAM_PREFIX, name, \
48697 ¶m_ops_string, \
48698 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
48699 * module_param_named() for why this might be necessary.
48701 #define module_param_array_named(name, array, type, nump, perm) \
48702 - static const struct kparam_array __param_arr_##name \
48703 + static const struct kparam_array __param_arr_##name __used \
48704 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
48705 sizeof(array[0]), array }; \
48706 __module_param_call(MODULE_PARAM_PREFIX, name, \
48707 diff -urNp linux-2.6.38.4/include/linux/mutex.h linux-2.6.38.4/include/linux/mutex.h
48708 --- linux-2.6.38.4/include/linux/mutex.h 2011-03-14 21:20:32.000000000 -0400
48709 +++ linux-2.6.38.4/include/linux/mutex.h 2011-04-17 17:44:37.000000000 -0400
48710 @@ -51,7 +51,7 @@ struct mutex {
48711 spinlock_t wait_lock;
48712 struct list_head wait_list;
48713 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
48714 - struct thread_info *owner;
48715 + struct task_struct *owner;
48717 #ifdef CONFIG_DEBUG_MUTEXES
48719 diff -urNp linux-2.6.38.4/include/linux/namei.h linux-2.6.38.4/include/linux/namei.h
48720 --- linux-2.6.38.4/include/linux/namei.h 2011-03-14 21:20:32.000000000 -0400
48721 +++ linux-2.6.38.4/include/linux/namei.h 2011-04-17 15:57:32.000000000 -0400
48722 @@ -25,7 +25,7 @@ struct nameidata {
48726 - char *saved_names[MAX_NESTED_LINKS + 1];
48727 + const char *saved_names[MAX_NESTED_LINKS + 1];
48731 @@ -88,12 +88,12 @@ extern int follow_up(struct path *);
48732 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
48733 extern void unlock_rename(struct dentry *, struct dentry *);
48735 -static inline void nd_set_link(struct nameidata *nd, char *path)
48736 +static inline void nd_set_link(struct nameidata *nd, const char *path)
48738 nd->saved_names[nd->depth] = path;
48741 -static inline char *nd_get_link(struct nameidata *nd)
48742 +static inline const char *nd_get_link(const struct nameidata *nd)
48744 return nd->saved_names[nd->depth];
48746 diff -urNp linux-2.6.38.4/include/linux/netfilter/xt_gradm.h linux-2.6.38.4/include/linux/netfilter/xt_gradm.h
48747 --- linux-2.6.38.4/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
48748 +++ linux-2.6.38.4/include/linux/netfilter/xt_gradm.h 2011-04-17 15:57:32.000000000 -0400
48750 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
48751 +#define _LINUX_NETFILTER_XT_GRADM_H 1
48753 +struct xt_gradm_mtinfo {
48759 diff -urNp linux-2.6.38.4/include/linux/oprofile.h linux-2.6.38.4/include/linux/oprofile.h
48760 --- linux-2.6.38.4/include/linux/oprofile.h 2011-03-14 21:20:32.000000000 -0400
48761 +++ linux-2.6.38.4/include/linux/oprofile.h 2011-04-17 15:57:32.000000000 -0400
48762 @@ -132,9 +132,9 @@ int oprofilefs_create_ulong(struct super
48763 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
48764 char const * name, ulong * val);
48766 -/** Create a file for read-only access to an atomic_t. */
48767 +/** Create a file for read-only access to an atomic_unchecked_t. */
48768 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
48769 - char const * name, atomic_t * val);
48770 + char const * name, atomic_unchecked_t * val);
48772 /** create a directory */
48773 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
48774 diff -urNp linux-2.6.38.4/include/linux/pipe_fs_i.h linux-2.6.38.4/include/linux/pipe_fs_i.h
48775 --- linux-2.6.38.4/include/linux/pipe_fs_i.h 2011-03-14 21:20:32.000000000 -0400
48776 +++ linux-2.6.38.4/include/linux/pipe_fs_i.h 2011-04-17 15:57:32.000000000 -0400
48777 @@ -46,9 +46,9 @@ struct pipe_buffer {
48778 struct pipe_inode_info {
48779 wait_queue_head_t wait;
48780 unsigned int nrbufs, curbuf, buffers;
48781 - unsigned int readers;
48782 - unsigned int writers;
48783 - unsigned int waiting_writers;
48784 + atomic_t readers;
48785 + atomic_t writers;
48786 + atomic_t waiting_writers;
48787 unsigned int r_counter;
48788 unsigned int w_counter;
48789 struct page *tmp_page;
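Review bot: `readers`, `writers` and `waiting_writers` become `atomic_t` here without a comment explaining the motivation, and every user in fs/pipe.c and fs/fifo.c (outside this hunk) must move to `atomic_read`/`atomic_inc`/`atomic_dec` for this to build. Presumably the aim is to bring these counts under the same overflow detection the patch applies to other `atomic_t` reference counts rather than to relax locking; a comment such as `/* atomic_t so that overflow is detected; updates are still serialised by the pipe lock */` would make that explicit, with the lock name confirmed against fs/pipe.c.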
48790 diff -urNp linux-2.6.38.4/include/linux/pm_runtime.h linux-2.6.38.4/include/linux/pm_runtime.h
48791 --- linux-2.6.38.4/include/linux/pm_runtime.h 2011-03-14 21:20:32.000000000 -0400
48792 +++ linux-2.6.38.4/include/linux/pm_runtime.h 2011-04-17 15:57:32.000000000 -0400
48793 @@ -89,7 +89,7 @@ static inline bool pm_runtime_enabled(st
48795 static inline void pm_runtime_mark_last_busy(struct device *dev)
48797 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
48798 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
48801 #else /* !CONFIG_PM_RUNTIME */
48802 diff -urNp linux-2.6.38.4/include/linux/poison.h linux-2.6.38.4/include/linux/poison.h
48803 --- linux-2.6.38.4/include/linux/poison.h 2011-03-14 21:20:32.000000000 -0400
48804 +++ linux-2.6.38.4/include/linux/poison.h 2011-04-17 15:57:32.000000000 -0400
48806 * under normal circumstances, used to verify that nobody uses
48807 * non-initialized list entries.
48809 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
48810 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
48811 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
48812 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
48814 /********** include/linux/timer.h **********/
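Review bot: `(long)0xFFFFFF01` is not sign-extended on 64-bit targets: the hex literal has type `unsigned int`, so the conversion to `long` yields 0x00000000FFFFFF01, an address inside the user-mappable range, whereas on 32-bit it is -255 at the top of the kernel address space. The mainline form built on `POISON_POINTER_DELTA` exists precisely so that a dereference of a poisoned list link can never reach mapped memory, and a user-range poison loses that property on LP64 unless user memory is otherwise inaccessible to the kernel. Spelling the constants as `((void *) -255L)` and `((void *) -254L)` gives the intended top-of-address-space value at both widths and lands in the range the kernel reserves for error pointers, which is never mapped (the slab.h hunk on this page places `ZERO_SIZE_PTR` just below that same range).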
48816 diff -urNp linux-2.6.38.4/include/linux/proc_fs.h linux-2.6.38.4/include/linux/proc_fs.h
48817 --- linux-2.6.38.4/include/linux/proc_fs.h 2011-03-14 21:20:32.000000000 -0400
48818 +++ linux-2.6.38.4/include/linux/proc_fs.h 2011-04-17 15:57:32.000000000 -0400
48819 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
48820 return proc_create_data(name, mode, parent, proc_fops, NULL);
48823 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
48824 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
48826 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48827 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
48828 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48829 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
48831 + return proc_create_data(name, mode, parent, proc_fops, NULL);
48836 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
48837 mode_t mode, struct proc_dir_entry *base,
48838 read_proc_t *read_proc, void * data)
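Review bot: `proc_create_grsec` silently discards the caller's `mode` under CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, including any write or group bits the caller asked for, and nothing documents that. A header comment such as `/* Like proc_create(): with GRKERNSEC_PROC_USER the entry is always 0400, with GRKERNSEC_PROC_USERGROUP always 0440; the requested mode is honoured only when neither is set. */` would make the intent visible to callers. In the restricted builds `mode` is an unused parameter; that is harmless in C but worth a word in the comment so nobody "fixes" it.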
48839 diff -urNp linux-2.6.38.4/include/linux/ptrace.h linux-2.6.38.4/include/linux/ptrace.h
48840 --- linux-2.6.38.4/include/linux/ptrace.h 2011-03-14 21:20:32.000000000 -0400
48841 +++ linux-2.6.38.4/include/linux/ptrace.h 2011-04-17 15:57:32.000000000 -0400
48842 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
48843 extern void exit_ptrace(struct task_struct *tracer);
48844 #define PTRACE_MODE_READ 1
48845 #define PTRACE_MODE_ATTACH 2
48846 -/* Returns 0 on success, -errno on denial. */
48847 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
48848 /* Returns true on success, false on denial. */
48849 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
48850 +/* Returns true on success, false on denial. */
48851 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
48853 static inline int ptrace_reparented(struct task_struct *child)
48855 diff -urNp linux-2.6.38.4/include/linux/random.h linux-2.6.38.4/include/linux/random.h
48856 --- linux-2.6.38.4/include/linux/random.h 2011-03-14 21:20:32.000000000 -0400
48857 +++ linux-2.6.38.4/include/linux/random.h 2011-04-17 15:57:32.000000000 -0400
48858 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
48860 u32 prandom32(struct rnd_state *);
48862 +static inline unsigned long pax_get_random_long(void)
48864 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
48868 * Handle minimum values for seeds
48870 static inline u32 __seed(u32 x, u32 m)
48872 - return (x < m) ? x + m : x;
48873 + return (x <= m) ? x + m + 1 : x;
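Review bot: `pax_get_random_long` draws from `random32()`, the non-cryptographic generator that unrelated subsystems also consume, yet its name and the `delta_mmap`/`delta_stack` "randomized offset" fields in the mm_types.h hunk suggest it feeds address-space layout randomisation. Offsets derived from a predictable generator can be recovered by anyone who observes enough other outputs of the same state, so `get_random_int()`, which mainline declares in this header and uses for its own ASLR, would be the safer source; whichever is chosen, a comment should state why. The `(unsigned long)random32() << 32` arm is dead on 32-bit because the `sizeof(long) > 4` ternary folds at compile time, which a short comment, `/* the shift only exists on 64-bit; the ternary folds it away on 32-bit */`, would make explicit.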
48877 diff -urNp linux-2.6.38.4/include/linux/reiserfs_fs.h linux-2.6.38.4/include/linux/reiserfs_fs.h
48878 --- linux-2.6.38.4/include/linux/reiserfs_fs.h 2011-03-14 21:20:32.000000000 -0400
48879 +++ linux-2.6.38.4/include/linux/reiserfs_fs.h 2011-04-17 15:57:32.000000000 -0400
48880 @@ -1403,7 +1403,7 @@ static inline loff_t max_reiserfs_offset
48881 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
48883 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
48884 -#define get_generation(s) atomic_read (&fs_generation(s))
48885 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
48886 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
48887 #define __fs_changed(gen,s) (gen != get_generation (s))
48888 #define fs_changed(gen,s) \
48889 @@ -1615,24 +1615,24 @@ static inline struct super_block *sb_fro
48892 struct item_operations {
48893 - int (*bytes_number) (struct item_head * ih, int block_size);
48894 - void (*decrement_key) (struct cpu_key *);
48895 - int (*is_left_mergeable) (struct reiserfs_key * ih,
48896 + int (* const bytes_number) (struct item_head * ih, int block_size);
48897 + void (* const decrement_key) (struct cpu_key *);
48898 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
48899 unsigned long bsize);
48900 - void (*print_item) (struct item_head *, char *item);
48901 - void (*check_item) (struct item_head *, char *item);
48902 + void (* const print_item) (struct item_head *, char *item);
48903 + void (* const check_item) (struct item_head *, char *item);
48905 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
48906 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
48907 int is_affected, int insert_size);
48908 - int (*check_left) (struct virtual_item * vi, int free,
48909 + int (* const check_left) (struct virtual_item * vi, int free,
48910 int start_skip, int end_skip);
48911 - int (*check_right) (struct virtual_item * vi, int free);
48912 - int (*part_size) (struct virtual_item * vi, int from, int to);
48913 - int (*unit_num) (struct virtual_item * vi);
48914 - void (*print_vi) (struct virtual_item * vi);
48915 + int (* const check_right) (struct virtual_item * vi, int free);
48916 + int (* const part_size) (struct virtual_item * vi, int from, int to);
48917 + int (* const unit_num) (struct virtual_item * vi);
48918 + void (* const print_vi) (struct virtual_item * vi);
48921 -extern struct item_operations *item_ops[TYPE_ANY + 1];
48922 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
48924 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
48925 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
48926 diff -urNp linux-2.6.38.4/include/linux/reiserfs_fs_sb.h linux-2.6.38.4/include/linux/reiserfs_fs_sb.h
48927 --- linux-2.6.38.4/include/linux/reiserfs_fs_sb.h 2011-03-14 21:20:32.000000000 -0400
48928 +++ linux-2.6.38.4/include/linux/reiserfs_fs_sb.h 2011-04-17 15:57:32.000000000 -0400
48929 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
48930 /* Comment? -Hans */
48931 wait_queue_head_t s_wait;
48932 /* To be obsoleted soon by per buffer seals.. -Hans */
48933 - atomic_t s_generation_counter; // increased by one every time the
48934 + atomic_unchecked_t s_generation_counter; // increased by one every time the
48935 // tree gets re-balanced
48936 unsigned long s_properties; /* File system properties. Currently holds
48937 on-disk FS format */
48938 diff -urNp linux-2.6.38.4/include/linux/rmap.h linux-2.6.38.4/include/linux/rmap.h
48939 --- linux-2.6.38.4/include/linux/rmap.h 2011-03-14 21:20:32.000000000 -0400
48940 +++ linux-2.6.38.4/include/linux/rmap.h 2011-04-17 15:57:32.000000000 -0400
48941 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
48942 void anon_vma_init(void); /* create anon_vma_cachep */
48943 int anon_vma_prepare(struct vm_area_struct *);
48944 void unlink_anon_vmas(struct vm_area_struct *);
48945 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
48946 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
48947 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
48948 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
48949 void __anon_vma_link(struct vm_area_struct *);
48950 void anon_vma_free(struct anon_vma *);
48952 diff -urNp linux-2.6.38.4/include/linux/sched.h linux-2.6.38.4/include/linux/sched.h
48953 --- linux-2.6.38.4/include/linux/sched.h 2011-04-22 19:20:59.000000000 -0400
48954 +++ linux-2.6.38.4/include/linux/sched.h 2011-04-22 19:21:35.000000000 -0400
48955 @@ -99,6 +99,7 @@ struct robust_list_head;
48958 struct perf_event_context;
48959 +struct linux_binprm;
48962 * List of flags we want to share for kernel threads,
48963 @@ -359,7 +360,7 @@ extern signed long schedule_timeout_inte
48964 extern signed long schedule_timeout_killable(signed long timeout);
48965 extern signed long schedule_timeout_uninterruptible(signed long timeout);
48966 asmlinkage void schedule(void);
48967 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
48968 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
48971 struct user_namespace;
48972 @@ -380,10 +381,13 @@ struct user_namespace;
48973 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
48975 extern int sysctl_max_map_count;
48976 +extern unsigned long sysctl_heap_stack_gap;
48978 #include <linux/aio.h>
48981 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
48982 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
48983 extern void arch_pick_mmap_layout(struct mm_struct *mm);
48984 extern unsigned long
48985 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
48986 @@ -628,6 +632,17 @@ struct signal_struct {
48987 #ifdef CONFIG_TASKSTATS
48988 struct taskstats *stats;
48991 +#ifdef CONFIG_GRKERNSEC
48998 + u8 used_accept:1;
49001 #ifdef CONFIG_AUDIT
49002 unsigned audit_tty;
49003 struct tty_audit_buf *tty_audit_buf;
49004 @@ -700,6 +715,11 @@ struct user_struct {
49005 struct key *session_keyring; /* UID's default session keyring */
49008 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
49009 + unsigned int banned;
49010 + unsigned long ban_expires;
49013 /* Hash table maintenance information */
49014 struct hlist_node uidhash_node;
49016 @@ -1310,8 +1330,8 @@ struct task_struct {
49017 struct list_head thread_group;
49019 struct completion *vfork_done; /* for vfork() */
49020 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
49021 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
49022 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
49023 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
49025 cputime_t utime, stime, utimescaled, stimescaled;
49027 @@ -1327,13 +1347,6 @@ struct task_struct {
49028 struct task_cputime cputime_expires;
49029 struct list_head cpu_timers[3];
49031 -/* process credentials */
49032 - const struct cred __rcu *real_cred; /* objective and real subjective task
49033 - * credentials (COW) */
49034 - const struct cred __rcu *cred; /* effective (overridable) subjective task
49035 - * credentials (COW) */
49036 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
49038 char comm[TASK_COMM_LEN]; /* executable name excluding path
49039 - access with [gs]et_task_comm (which lock
49040 it with task_lock())
49041 @@ -1350,8 +1363,16 @@ struct task_struct {
49043 /* CPU-specific state of this task */
49044 struct thread_struct thread;
49045 +/* thread_info moved to task_struct */
49047 + struct thread_info tinfo;
49049 /* filesystem information */
49050 struct fs_struct *fs;
49052 + const struct cred __rcu *cred; /* effective (overridable) subjective task
49053 + * credentials (COW) */
49055 /* open file information */
49056 struct files_struct *files;
49058 @@ -1398,6 +1419,11 @@ struct task_struct {
49059 struct rt_mutex_waiter *pi_blocked_on;
49062 +/* process credentials */
49063 + const struct cred __rcu *real_cred; /* objective and real subjective task
49064 + * credentials (COW) */
49065 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
49067 #ifdef CONFIG_DEBUG_MUTEXES
49068 /* mutex deadlock detection */
49069 struct mutex_waiter *blocked_on;
49070 @@ -1502,6 +1528,21 @@ struct task_struct {
49071 unsigned long default_timer_slack_ns;
49073 struct list_head *scm_work_list;
49075 +#ifdef CONFIG_GRKERNSEC
49077 + struct dentry *gr_chroot_dentry;
49078 + struct acl_subject_label *acl;
49079 + struct acl_role_label *role;
49080 + struct file *exec_file;
49082 + /* is this the task that authenticated to the special role */
49086 + u8 gr_is_chrooted;
49089 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
49090 /* Index of current stored address in ret_stack */
49091 int curr_ret_stack;
49092 @@ -1533,6 +1574,51 @@ struct task_struct {
49096 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
49097 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
49098 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
49099 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
49100 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
49101 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
49103 +#ifdef CONFIG_PAX_SOFTMODE
49104 +extern unsigned int pax_softmode;
49107 +extern int pax_check_flags(unsigned long *);
49109 +/* if tsk != current then task_lock must be held on it */
49110 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49111 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
49113 + if (likely(tsk->mm))
49114 + return tsk->mm->pax_flags;
49119 +/* if tsk != current then task_lock must be held on it */
49120 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
49122 + if (likely(tsk->mm)) {
49123 + tsk->mm->pax_flags = flags;
49130 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
49131 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
49132 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
49133 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
49136 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
49137 +void pax_report_insns(void *pc, void *sp);
49138 +void pax_report_refcount_overflow(struct pt_regs *regs);
49139 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type);
49141 /* Future-safe accessor for struct task_struct's cpus_allowed. */
49142 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
49144 @@ -2002,7 +2088,9 @@ void yield(void);
49145 extern struct exec_domain default_exec_domain;
49147 union thread_union {
49148 +#ifndef CONFIG_X86
49149 struct thread_info thread_info;
49151 unsigned long stack[THREAD_SIZE/sizeof(long)];
49154 @@ -2172,7 +2260,7 @@ extern void __cleanup_sighand(struct sig
49155 extern void exit_itimers(struct signal_struct *);
49156 extern void flush_itimer_signals(void);
49158 -extern NORET_TYPE void do_group_exit(int);
49159 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
49161 extern void daemonize(const char *, ...);
49162 extern int allow_signal(int);
49163 @@ -2313,13 +2401,17 @@ static inline unsigned long *end_of_stac
49167 -static inline int object_is_on_stack(void *obj)
49168 +static inline int object_starts_on_stack(void *obj)
49170 - void *stack = task_stack_page(current);
49171 + const void *stack = task_stack_page(current);
49173 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
49176 +#ifdef CONFIG_PAX_USERCOPY
49177 +extern int object_is_on_stack(const void *obj, unsigned long len);
49180 extern void thread_info_cache_init(void);
49182 #ifdef CONFIG_DEBUG_STACK_USAGE
49183 diff -urNp linux-2.6.38.4/include/linux/screen_info.h linux-2.6.38.4/include/linux/screen_info.h
49184 --- linux-2.6.38.4/include/linux/screen_info.h 2011-03-14 21:20:32.000000000 -0400
49185 +++ linux-2.6.38.4/include/linux/screen_info.h 2011-04-17 15:57:32.000000000 -0400
49186 @@ -43,7 +43,8 @@ struct screen_info {
49187 __u16 pages; /* 0x32 */
49188 __u16 vesa_attributes; /* 0x34 */
49189 __u32 capabilities; /* 0x36 */
49190 - __u8 _reserved[6]; /* 0x3a */
49191 + __u16 vesapm_size; /* 0x3a */
49192 + __u8 _reserved[4]; /* 0x3c */
49193 } __attribute__((packed));
49195 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
49196 diff -urNp linux-2.6.38.4/include/linux/security.h linux-2.6.38.4/include/linux/security.h
49197 --- linux-2.6.38.4/include/linux/security.h 2011-03-14 21:20:32.000000000 -0400
49198 +++ linux-2.6.38.4/include/linux/security.h 2011-04-17 15:57:32.000000000 -0400
49200 #include <linux/key.h>
49201 #include <linux/xfrm.h>
49202 #include <linux/slab.h>
49203 +#include <linux/grsecurity.h>
49204 #include <net/flow.h>
49206 /* Maximum number of letters for an LSM name string */
49207 diff -urNp linux-2.6.38.4/include/linux/shm.h linux-2.6.38.4/include/linux/shm.h
49208 --- linux-2.6.38.4/include/linux/shm.h 2011-03-14 21:20:32.000000000 -0400
49209 +++ linux-2.6.38.4/include/linux/shm.h 2011-04-17 15:57:32.000000000 -0400
49210 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
49213 struct user_struct *mlock_user;
49214 +#ifdef CONFIG_GRKERNSEC
49215 + time_t shm_createtime;
49220 /* shm_mode upper byte flags */
49221 diff -urNp linux-2.6.38.4/include/linux/skbuff.h linux-2.6.38.4/include/linux/skbuff.h
49222 --- linux-2.6.38.4/include/linux/skbuff.h 2011-03-14 21:20:32.000000000 -0400
49223 +++ linux-2.6.38.4/include/linux/skbuff.h 2011-04-17 15:57:32.000000000 -0400
49224 @@ -589,7 +589,7 @@ static inline struct skb_shared_hwtstamp
49226 static inline int skb_queue_empty(const struct sk_buff_head *list)
49228 - return list->next == (struct sk_buff *)list;
49229 + return list->next == (const struct sk_buff *)list;
49233 @@ -602,7 +602,7 @@ static inline int skb_queue_empty(const
49234 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
49235 const struct sk_buff *skb)
49237 - return skb->next == (struct sk_buff *)list;
49238 + return skb->next == (const struct sk_buff *)list;
49242 @@ -615,7 +615,7 @@ static inline bool skb_queue_is_last(con
49243 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
49244 const struct sk_buff *skb)
49246 - return skb->prev == (struct sk_buff *)list;
49247 + return skb->prev == (const struct sk_buff *)list;
49251 diff -urNp linux-2.6.38.4/include/linux/slab.h linux-2.6.38.4/include/linux/slab.h
49252 --- linux-2.6.38.4/include/linux/slab.h 2011-03-14 21:20:32.000000000 -0400
49253 +++ linux-2.6.38.4/include/linux/slab.h 2011-04-17 15:57:32.000000000 -0400
49254 @@ -11,12 +11,20 @@
49256 #include <linux/gfp.h>
49257 #include <linux/types.h>
49258 +#include <linux/err.h>
49261 * Flags to pass to kmem_cache_create().
49262 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
49264 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
49266 +#ifdef CONFIG_PAX_USERCOPY
49267 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
49269 +#define SLAB_USERCOPY 0x00000000UL
49272 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
49273 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
49274 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
49275 @@ -87,10 +95,13 @@
49276 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
49277 * Both make kfree a no-op.
49279 -#define ZERO_SIZE_PTR ((void *)16)
49280 +#define ZERO_SIZE_PTR \
49282 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
49283 + (void *)(-MAX_ERRNO-1L); \
49286 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
49287 - (unsigned long)ZERO_SIZE_PTR)
49288 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
49291 * struct kmem_cache related prototypes
49292 @@ -142,6 +153,7 @@ void * __must_check krealloc(const void
49293 void kfree(const void *);
49294 void kzfree(const void *);
49295 size_t ksize(const void *);
49296 +void check_object_size(const void *ptr, unsigned long n, bool to);
49299 * Allocator specific definitions. These are mainly used to establish optimized
49300 @@ -334,4 +346,37 @@ static inline void *kzalloc_node(size_t
49302 void __init kmem_cache_init_late(void);
49304 +#define kmalloc(x, y) \
49306 + void *___retval; \
49307 + intoverflow_t ___x = (intoverflow_t)x; \
49308 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
49309 + ___retval = NULL; \
49311 + ___retval = kmalloc((size_t)___x, (y)); \
49315 +#define kmalloc_node(x, y, z) \
49317 + void *___retval; \
49318 + intoverflow_t ___x = (intoverflow_t)x; \
49319 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
49320 + ___retval = NULL; \
49322 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
49326 +#define kzalloc(x, y) \
49328 + void *___retval; \
49329 + intoverflow_t ___x = (intoverflow_t)x; \
49330 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
49331 + ___retval = NULL; \
49333 + ___retval = kzalloc((size_t)___x, (y)); \
49337 #endif /* _LINUX_SLAB_H */
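Review bot: The size argument is cast without grouping, `intoverflow_t ___x = (intoverflow_t)x;`, so the cast binds only to the first operand of whatever `x` expands to. For the common `kmalloc(n * sizeof(*p), gfp)` that is exactly what makes the check work — `n` is widened before the multiply — but it is not obvious, a reader will be tempted to "fix" it to `(intoverflow_t)(x)` (which would let the product overflow in size_t before the `> ULONG_MAX` test), and a conditional or comma expression as the size argument bypasses the widening entirely. Suggest a comment on the first of the three macros: `/* deliberately unparenthesised: widens the first operand of n * size before the multiply; the inner kmalloc() is the real function, since a self-referential macro is not re-expanded */`. `intoverflow_t` is presumably a wider-than-unsigned-long type defined elsewhere in this patch; the vmalloc.h hunk repeats the same pattern and has the same gap, and its vmalloc_32_user variant has `void *___retval;` at column 0 unlike its siblings.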
49338 diff -urNp linux-2.6.38.4/include/linux/slub_def.h linux-2.6.38.4/include/linux/slub_def.h
49339 --- linux-2.6.38.4/include/linux/slub_def.h 2011-03-14 21:20:32.000000000 -0400
49340 +++ linux-2.6.38.4/include/linux/slub_def.h 2011-04-17 15:57:32.000000000 -0400
49341 @@ -79,7 +79,7 @@ struct kmem_cache {
49342 struct kmem_cache_order_objects max;
49343 struct kmem_cache_order_objects min;
49344 gfp_t allocflags; /* gfp flags to use on each alloc */
49345 - int refcount; /* Refcount for slab cache destroy */
49346 + atomic_t refcount; /* Refcount for slab cache destroy */
49347 void (*ctor)(void *);
49348 int inuse; /* Offset to metadata */
49349 int align; /* Alignment */
49350 diff -urNp linux-2.6.38.4/include/linux/sonet.h linux-2.6.38.4/include/linux/sonet.h
49351 --- linux-2.6.38.4/include/linux/sonet.h 2011-03-14 21:20:32.000000000 -0400
49352 +++ linux-2.6.38.4/include/linux/sonet.h 2011-04-17 15:57:32.000000000 -0400
49353 @@ -61,7 +61,7 @@ struct sonet_stats {
49354 #include <asm/atomic.h>
49356 struct k_sonet_stats {
49357 -#define __HANDLE_ITEM(i) atomic_t i
49358 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
49360 #undef __HANDLE_ITEM
49362 diff -urNp linux-2.6.38.4/include/linux/sunrpc/clnt.h linux-2.6.38.4/include/linux/sunrpc/clnt.h
49363 --- linux-2.6.38.4/include/linux/sunrpc/clnt.h 2011-03-14 21:20:32.000000000 -0400
49364 +++ linux-2.6.38.4/include/linux/sunrpc/clnt.h 2011-04-17 15:57:32.000000000 -0400
49365 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
49367 switch (sap->sa_family) {
49369 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
49370 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
49372 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
49373 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
49377 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
49378 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
49379 const struct sockaddr *src)
49381 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
49382 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
49383 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
49385 dsin->sin_family = ssin->sin_family;
49386 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
49387 if (sa->sa_family != AF_INET6)
49390 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
49391 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
49394 #endif /* __KERNEL__ */
49395 diff -urNp linux-2.6.38.4/include/linux/suspend.h linux-2.6.38.4/include/linux/suspend.h
49396 --- linux-2.6.38.4/include/linux/suspend.h 2011-03-14 21:20:32.000000000 -0400
49397 +++ linux-2.6.38.4/include/linux/suspend.h 2011-04-17 15:57:32.000000000 -0400
49398 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
49399 * which require special recovery actions in that situation.
49401 struct platform_suspend_ops {
49402 - int (*valid)(suspend_state_t state);
49403 - int (*begin)(suspend_state_t state);
49404 - int (*prepare)(void);
49405 - int (*prepare_late)(void);
49406 - int (*enter)(suspend_state_t state);
49407 - void (*wake)(void);
49408 - void (*finish)(void);
49409 - void (*end)(void);
49410 - void (*recover)(void);
49411 + int (* const valid)(suspend_state_t state);
49412 + int (* const begin)(suspend_state_t state);
49413 + int (* const prepare)(void);
49414 + int (* const prepare_late)(void);
49415 + int (* const enter)(suspend_state_t state);
49416 + void (* const wake)(void);
49417 + void (* const finish)(void);
49418 + void (* const end)(void);
49419 + void (* const recover)(void);
49422 #ifdef CONFIG_SUSPEND
49423 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
49424 * platforms which require special recovery actions in that situation.
49426 struct platform_hibernation_ops {
49427 - int (*begin)(void);
49428 - void (*end)(void);
49429 - int (*pre_snapshot)(void);
49430 - void (*finish)(void);
49431 - int (*prepare)(void);
49432 - int (*enter)(void);
49433 - void (*leave)(void);
49434 - int (*pre_restore)(void);
49435 - void (*restore_cleanup)(void);
49436 - void (*recover)(void);
49437 + int (* const begin)(void);
49438 + void (* const end)(void);
49439 + int (* const pre_snapshot)(void);
49440 + void (* const finish)(void);
49441 + int (* const prepare)(void);
49442 + int (* const enter)(void);
49443 + void (* const leave)(void);
49444 + int (* const pre_restore)(void);
49445 + void (* const restore_cleanup)(void);
49446 + void (* const recover)(void);
49449 #ifdef CONFIG_HIBERNATION
49450 diff -urNp linux-2.6.38.4/include/linux/sysctl.h linux-2.6.38.4/include/linux/sysctl.h
49451 --- linux-2.6.38.4/include/linux/sysctl.h 2011-03-14 21:20:32.000000000 -0400
49452 +++ linux-2.6.38.4/include/linux/sysctl.h 2011-04-17 15:57:32.000000000 -0400
49453 @@ -155,7 +155,11 @@ enum
49454 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
49458 +#ifdef CONFIG_PAX_SOFTMODE
49460 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
49464 /* CTL_VM names: */
49466 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
49468 extern int proc_dostring(struct ctl_table *, int,
49469 void __user *, size_t *, loff_t *);
49470 +extern int proc_dostring_modpriv(struct ctl_table *, int,
49471 + void __user *, size_t *, loff_t *);
49472 extern int proc_dointvec(struct ctl_table *, int,
49473 void __user *, size_t *, loff_t *);
49474 extern int proc_dointvec_minmax(struct ctl_table *, int,
49475 diff -urNp linux-2.6.38.4/include/linux/sysfs.h linux-2.6.38.4/include/linux/sysfs.h
49476 --- linux-2.6.38.4/include/linux/sysfs.h 2011-03-14 21:20:32.000000000 -0400
49477 +++ linux-2.6.38.4/include/linux/sysfs.h 2011-04-17 15:57:32.000000000 -0400
49478 @@ -110,8 +110,8 @@ struct bin_attribute {
49479 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
49482 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
49483 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
49484 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
49485 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
49488 struct sysfs_dirent;
49489 diff -urNp linux-2.6.38.4/include/linux/tty.h linux-2.6.38.4/include/linux/tty.h
49490 --- linux-2.6.38.4/include/linux/tty.h 2011-03-14 21:20:32.000000000 -0400
49491 +++ linux-2.6.38.4/include/linux/tty.h 2011-04-17 15:57:32.000000000 -0400
49493 #include <linux/tty_driver.h>
49494 #include <linux/tty_ldisc.h>
49495 #include <linux/mutex.h>
49496 +#include <linux/poll.h>
49497 +#include <linux/smp_lock.h>
49499 #include <asm/system.h>
49501 @@ -465,7 +467,6 @@ extern int tty_perform_flush(struct tty_
49502 extern dev_t tty_devnum(struct tty_struct *tty);
49503 extern void proc_clear_tty(struct task_struct *p);
49504 extern struct tty_struct *get_current_tty(void);
49505 -extern void tty_default_fops(struct file_operations *fops);
49506 extern struct tty_struct *alloc_tty_struct(void);
49507 extern int tty_add_file(struct tty_struct *tty, struct file *file);
49508 extern void free_tty_struct(struct tty_struct *tty);
49509 @@ -528,6 +529,18 @@ extern void tty_ldisc_begin(void);
49510 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
49511 extern void tty_ldisc_enable(struct tty_struct *tty);
49514 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
49515 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
49516 +extern unsigned int tty_poll(struct file *, poll_table *);
49517 +#ifdef CONFIG_COMPAT
49518 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
49519 + unsigned long arg);
49521 +#define tty_compat_ioctl NULL
49523 +extern int tty_release(struct inode *, struct file *);
49524 +extern int tty_fasync(int fd, struct file *filp, int on);
49527 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
49528 diff -urNp linux-2.6.38.4/include/linux/tty_ldisc.h linux-2.6.38.4/include/linux/tty_ldisc.h
49529 --- linux-2.6.38.4/include/linux/tty_ldisc.h 2011-03-14 21:20:32.000000000 -0400
49530 +++ linux-2.6.38.4/include/linux/tty_ldisc.h 2011-04-17 15:57:32.000000000 -0400
49531 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
49533 struct module *owner;
49536 + atomic_t refcount;
49540 diff -urNp linux-2.6.38.4/include/linux/types.h linux-2.6.38.4/include/linux/types.h
49541 --- linux-2.6.38.4/include/linux/types.h 2011-03-14 21:20:32.000000000 -0400
49542 +++ linux-2.6.38.4/include/linux/types.h 2011-04-17 15:57:32.000000000 -0400
49543 @@ -207,10 +207,26 @@ typedef struct {
49547 +#ifdef CONFIG_PAX_REFCOUNT
49550 +} atomic_unchecked_t;
49552 +typedef atomic_t atomic_unchecked_t;
49555 #ifdef CONFIG_64BIT
49560 +#ifdef CONFIG_PAX_REFCOUNT
49563 +} atomic64_unchecked_t;
49565 +typedef atomic64_t atomic64_unchecked_t;
49570 diff -urNp linux-2.6.38.4/include/linux/uaccess.h linux-2.6.38.4/include/linux/uaccess.h
49571 --- linux-2.6.38.4/include/linux/uaccess.h 2011-03-14 21:20:32.000000000 -0400
49572 +++ linux-2.6.38.4/include/linux/uaccess.h 2011-04-17 15:57:32.000000000 -0400
49573 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
49575 mm_segment_t old_fs = get_fs(); \
49577 - set_fs(KERNEL_DS); \
49578 pagefault_disable(); \
49579 + set_fs(KERNEL_DS); \
49580 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
49581 - pagefault_enable(); \
49583 + pagefault_enable(); \
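Review bot: The move of `set_fs(KERNEL_DS)` to after `pagefault_disable()`, and of the restore to before `pagefault_enable()`, carries no comment, and the `set_fs(old_fs)` line itself is not visible in this rendering, so the intent is easy to miss; the enclosing macro starts outside the hunk. Keeping the whole KERNEL_DS window inside the pagefault-disabled (and hence preemption-disabled) region means nothing else can run on this task while the address limit is widened, which is the property that makes the `__copy_from_user_inatomic` on a kernel address safe here. Suggest, next to the new `set_fs(KERNEL_DS)`: `/* widen addr_limit only inside the pagefault-disabled window; restore it before pagefaults (and preemption) are re-enabled */`.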
49587 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
49588 * Safely read from address @src to the buffer at @dst. If a kernel fault
49589 * happens, handle that and return -EFAULT.
49591 -extern long probe_kernel_read(void *dst, void *src, size_t size);
49592 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
49593 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
49594 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
49597 * probe_kernel_write(): safely attempt to write to a location
49598 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
49599 * Safely write to address @dst from the buffer at @src. If a kernel fault
49600 * happens, handle that and return -EFAULT.
49602 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
49603 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
49604 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
49605 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
49607 #endif /* __LINUX_UACCESS_H__ */
49608 diff -urNp linux-2.6.38.4/include/linux/unaligned/access_ok.h linux-2.6.38.4/include/linux/unaligned/access_ok.h
49609 --- linux-2.6.38.4/include/linux/unaligned/access_ok.h 2011-03-14 21:20:32.000000000 -0400
49610 +++ linux-2.6.38.4/include/linux/unaligned/access_ok.h 2011-04-17 15:57:32.000000000 -0400
49613 static inline u16 get_unaligned_le16(const void *p)
49615 - return le16_to_cpup((__le16 *)p);
49616 + return le16_to_cpup((const __le16 *)p);
49619 static inline u32 get_unaligned_le32(const void *p)
49621 - return le32_to_cpup((__le32 *)p);
49622 + return le32_to_cpup((const __le32 *)p);
49625 static inline u64 get_unaligned_le64(const void *p)
49627 - return le64_to_cpup((__le64 *)p);
49628 + return le64_to_cpup((const __le64 *)p);
49631 static inline u16 get_unaligned_be16(const void *p)
49633 - return be16_to_cpup((__be16 *)p);
49634 + return be16_to_cpup((const __be16 *)p);
49637 static inline u32 get_unaligned_be32(const void *p)
49639 - return be32_to_cpup((__be32 *)p);
49640 + return be32_to_cpup((const __be32 *)p);
49643 static inline u64 get_unaligned_be64(const void *p)
49645 - return be64_to_cpup((__be64 *)p);
49646 + return be64_to_cpup((const __be64 *)p);
49649 static inline void put_unaligned_le16(u16 val, void *p)
49650 diff -urNp linux-2.6.38.4/include/linux/usb/hcd.h linux-2.6.38.4/include/linux/usb/hcd.h
49651 --- linux-2.6.38.4/include/linux/usb/hcd.h 2011-04-18 17:27:14.000000000 -0400
49652 +++ linux-2.6.38.4/include/linux/usb/hcd.h 2011-04-17 15:57:32.000000000 -0400
49653 @@ -589,7 +589,7 @@ struct usb_mon_operations {
49654 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
49657 -extern struct usb_mon_operations *mon_ops;
49658 +extern const struct usb_mon_operations *mon_ops;
49660 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
49662 @@ -611,7 +611,7 @@ static inline void usbmon_urb_complete(s
49663 (*mon_ops->urb_complete)(bus, urb, status);
49666 -int usb_mon_register(struct usb_mon_operations *ops);
49667 +int usb_mon_register(const struct usb_mon_operations *ops);
49668 void usb_mon_deregister(void);
49671 diff -urNp linux-2.6.38.4/include/linux/vmalloc.h linux-2.6.38.4/include/linux/vmalloc.h
49672 --- linux-2.6.38.4/include/linux/vmalloc.h 2011-03-14 21:20:32.000000000 -0400
49673 +++ linux-2.6.38.4/include/linux/vmalloc.h 2011-04-17 15:57:32.000000000 -0400
49674 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
49675 #define VM_MAP 0x00000004 /* vmap()ed pages */
49676 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
49677 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
49679 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
49680 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
49683 /* bits [20..32] reserved for arch specific ioremap internals */
49686 @@ -123,4 +128,103 @@ struct vm_struct **pcpu_get_vm_areas(con
49687 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
49690 +#define vmalloc(x) \
49692 + void *___retval; \
49693 + intoverflow_t ___x = (intoverflow_t)x; \
49694 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
49695 + ___retval = NULL; \
49697 + ___retval = vmalloc((unsigned long)___x); \
49701 +#define vzalloc(x) \
49703 + void *___retval; \
49704 + intoverflow_t ___x = (intoverflow_t)x; \
49705 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
49706 + ___retval = NULL; \
49708 + ___retval = vzalloc((unsigned long)___x); \
49712 +#define __vmalloc(x, y, z) \
49714 + void *___retval; \
49715 + intoverflow_t ___x = (intoverflow_t)x; \
49716 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
49717 + ___retval = NULL; \
49719 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
49723 +#define vmalloc_user(x) \
49725 + void *___retval; \
49726 + intoverflow_t ___x = (intoverflow_t)x; \
49727 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
49728 + ___retval = NULL; \
49730 + ___retval = vmalloc_user((unsigned long)___x); \
49734 +#define vmalloc_exec(x) \
49736 + void *___retval; \
49737 + intoverflow_t ___x = (intoverflow_t)x; \
49738 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
49739 + ___retval = NULL; \
49741 + ___retval = vmalloc_exec((unsigned long)___x); \
49745 +#define vmalloc_node(x, y) \
49747 + void *___retval; \
49748 + intoverflow_t ___x = (intoverflow_t)x; \
49749 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
49750 + ___retval = NULL; \
49752 + ___retval = vmalloc_node((unsigned long)___x, (y));\
49756 +#define vzalloc_node(x, y) \
49758 + void *___retval; \
49759 + intoverflow_t ___x = (intoverflow_t)x; \
49760 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
49761 + ___retval = NULL; \
49763 + ___retval = vzalloc_node((unsigned long)___x, (y));\
49767 +#define vmalloc_32(x) \
49769 + void *___retval; \
49770 + intoverflow_t ___x = (intoverflow_t)x; \
49771 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
49772 + ___retval = NULL; \
49774 + ___retval = vmalloc_32((unsigned long)___x); \
49778 +#define vmalloc_32_user(x) \
49780 +void *___retval; \
49781 + intoverflow_t ___x = (intoverflow_t)x; \
49782 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
49783 + ___retval = NULL; \
49785 + ___retval = vmalloc_32_user((unsigned long)___x);\
49789 #endif /* _LINUX_VMALLOC_H */
49790 diff -urNp linux-2.6.38.4/include/linux/vmstat.h linux-2.6.38.4/include/linux/vmstat.h
49791 --- linux-2.6.38.4/include/linux/vmstat.h 2011-03-14 21:20:32.000000000 -0400
49792 +++ linux-2.6.38.4/include/linux/vmstat.h 2011-04-17 15:57:32.000000000 -0400
49793 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
49795 * Zone based page accounting with per cpu differentials.
49797 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
49798 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
49800 static inline void zone_page_state_add(long x, struct zone *zone,
49801 enum zone_stat_item item)
49803 - atomic_long_add(x, &zone->vm_stat[item]);
49804 - atomic_long_add(x, &vm_stat[item]);
49805 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
49806 + atomic_long_add_unchecked(x, &vm_stat[item]);
49809 static inline unsigned long global_page_state(enum zone_stat_item item)
49811 - long x = atomic_long_read(&vm_stat[item]);
49812 + long x = atomic_long_read_unchecked(&vm_stat[item]);
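Review bot: Switching vm_stat and zone->vm_stat to atomic_long_unchecked_t exempts them from the overflow checking that, per the types.h hunk in this diff, only exists under CONFIG_PAX_REFCOUNT, yet nothing here records why these counters qualify for the exemption. Presumably it is because they are accounting statistics that are decremented and may legitimately pass through zero or wrap, rather than object reference counts, but a maintainer adding a new zone_stat_item cannot tell that from the code. Suggest a comment on the extern: `/* accounting counters, not refcounts: wrap is legitimate, so unchecked */`. The inetpeer.h (`rid`, `ip_id_count`) and sonet.h (`__HANDLE_ITEM`) hunks make the same conversion and would benefit from the same note; the enclosing global_page_state() body continues past this hunk.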
49816 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
49817 static inline unsigned long zone_page_state(struct zone *zone,
49818 enum zone_stat_item item)
49820 - long x = atomic_long_read(&zone->vm_stat[item]);
49821 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
49825 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
49826 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
49827 enum zone_stat_item item)
49829 - long x = atomic_long_read(&zone->vm_stat[item]);
49830 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
49834 @@ -273,8 +273,8 @@ static inline void __mod_zone_page_state
49836 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
49838 - atomic_long_inc(&zone->vm_stat[item]);
49839 - atomic_long_inc(&vm_stat[item]);
49840 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
49841 + atomic_long_inc_unchecked(&vm_stat[item]);
49844 static inline void __inc_zone_page_state(struct page *page,
49845 @@ -285,8 +285,8 @@ static inline void __inc_zone_page_state
49847 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
49849 - atomic_long_dec(&zone->vm_stat[item]);
49850 - atomic_long_dec(&vm_stat[item]);
49851 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
49852 + atomic_long_dec_unchecked(&vm_stat[item]);
49855 static inline void __dec_zone_page_state(struct page *page,
49856 diff -urNp linux-2.6.38.4/include/net/inetpeer.h linux-2.6.38.4/include/net/inetpeer.h
49857 --- linux-2.6.38.4/include/net/inetpeer.h 2011-03-14 21:20:32.000000000 -0400
49858 +++ linux-2.6.38.4/include/net/inetpeer.h 2011-04-17 15:57:32.000000000 -0400
49859 @@ -38,8 +38,8 @@ struct inet_peer {
49863 - atomic_t rid; /* Frag reception counter */
49864 - atomic_t ip_id_count; /* IP ID for the next packet */
49865 + atomic_unchecked_t rid; /* Frag reception counter */
49866 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
49868 __u32 tcp_ts_stamp;
49870 @@ -88,7 +88,7 @@ static inline __u16 inet_getid(struct in
49873 inet_peer_refcheck(p);
49874 - return atomic_add_return(more, &p->ip_id_count) - more;
49875 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
49878 #endif /* _NET_INETPEER_H */
49879 diff -urNp linux-2.6.38.4/include/net/irda/ircomm_tty.h linux-2.6.38.4/include/net/irda/ircomm_tty.h
49880 --- linux-2.6.38.4/include/net/irda/ircomm_tty.h 2011-03-14 21:20:32.000000000 -0400
49881 +++ linux-2.6.38.4/include/net/irda/ircomm_tty.h 2011-04-17 15:57:32.000000000 -0400
49883 #include <linux/termios.h>
49884 #include <linux/timer.h>
49885 #include <linux/tty.h> /* struct tty_struct */
49886 +#include <asm/local.h>
49888 #include <net/irda/irias_object.h>
49889 #include <net/irda/ircomm_core.h>
49890 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
49891 unsigned short close_delay;
49892 unsigned short closing_wait; /* time to wait before closing */
49895 - int blocked_open; /* # of blocked opens */
49896 + local_t open_count;
49897 + local_t blocked_open; /* # of blocked opens */
49899 /* Protect concurent access to :
49900 * o self->open_count
49901 diff -urNp linux-2.6.38.4/include/net/neighbour.h linux-2.6.38.4/include/net/neighbour.h
49902 --- linux-2.6.38.4/include/net/neighbour.h 2011-03-14 21:20:32.000000000 -0400
49903 +++ linux-2.6.38.4/include/net/neighbour.h 2011-04-17 15:57:32.000000000 -0400
49904 @@ -118,12 +118,12 @@ struct neighbour {
49908 - void (*solicit)(struct neighbour *, struct sk_buff*);
49909 - void (*error_report)(struct neighbour *, struct sk_buff*);
49910 - int (*output)(struct sk_buff*);
49911 - int (*connected_output)(struct sk_buff*);
49912 - int (*hh_output)(struct sk_buff*);
49913 - int (*queue_xmit)(struct sk_buff*);
49914 + void (* const solicit)(struct neighbour *, struct sk_buff*);
49915 + void (* const error_report)(struct neighbour *, struct sk_buff*);
49916 + int (* const output)(struct sk_buff*);
49917 + int (* const connected_output)(struct sk_buff*);
49918 + int (* const hh_output)(struct sk_buff*);
49919 + int (* const queue_xmit)(struct sk_buff*);
49922 struct pneigh_entry {
49923 diff -urNp linux-2.6.38.4/include/net/netlink.h linux-2.6.38.4/include/net/netlink.h
49924 --- linux-2.6.38.4/include/net/netlink.h 2011-03-14 21:20:32.000000000 -0400
49925 +++ linux-2.6.38.4/include/net/netlink.h 2011-04-17 15:57:32.000000000 -0400
49926 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
49927 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
49930 - skb_trim(skb, (unsigned char *) mark - skb->data);
49931 + skb_trim(skb, (const unsigned char *) mark - skb->data);
49935 diff -urNp linux-2.6.38.4/include/net/sctp/sctp.h linux-2.6.38.4/include/net/sctp/sctp.h
49936 --- linux-2.6.38.4/include/net/sctp/sctp.h 2011-03-14 21:20:32.000000000 -0400
49937 +++ linux-2.6.38.4/include/net/sctp/sctp.h 2011-04-17 15:57:32.000000000 -0400
49938 @@ -316,9 +316,9 @@ do { \
49940 #else /* SCTP_DEBUG */
49942 -#define SCTP_DEBUG_PRINTK(whatever...)
49943 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
49944 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
49945 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
49946 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
49947 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
49948 #define SCTP_ENABLE_DEBUG
49949 #define SCTP_DISABLE_DEBUG
49950 #define SCTP_ASSERT(expr, str, func)
49951 diff -urNp linux-2.6.38.4/include/net/tcp.h linux-2.6.38.4/include/net/tcp.h
49952 --- linux-2.6.38.4/include/net/tcp.h 2011-03-14 21:20:32.000000000 -0400
49953 +++ linux-2.6.38.4/include/net/tcp.h 2011-04-17 15:57:32.000000000 -0400
49954 @@ -1382,7 +1382,7 @@ enum tcp_seq_states {
49955 struct tcp_seq_afinfo {
49957 sa_family_t family;
49958 - struct file_operations seq_fops;
49959 + struct file_operations seq_fops; /* cannot be const */
49960 struct seq_operations seq_ops;
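Review bot: The new `/* cannot be const */` on seq_fops says that the field is excluded from the const-ification applied to ops tables elsewhere in this patch but not why, so a later reader cannot tell whether this is a limitation that could be lifted or a hard requirement. Presumably the struct is written at registration time when a tcp_seq_afinfo is set up per protocol family, in which case say so: `/* written at registration time, so cannot be const */`. The udp.h hunk carries the identical comment and should get the same wording.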
49963 diff -urNp linux-2.6.38.4/include/net/udp.h linux-2.6.38.4/include/net/udp.h
49964 --- linux-2.6.38.4/include/net/udp.h 2011-03-14 21:20:32.000000000 -0400
49965 +++ linux-2.6.38.4/include/net/udp.h 2011-04-17 15:57:32.000000000 -0400
49966 @@ -223,7 +223,7 @@ struct udp_seq_afinfo {
49968 sa_family_t family;
49969 struct udp_table *udp_table;
49970 - struct file_operations seq_fops;
49971 + struct file_operations seq_fops; /* cannot be const */
49972 struct seq_operations seq_ops;
49975 diff -urNp linux-2.6.38.4/include/sound/ac97_codec.h linux-2.6.38.4/include/sound/ac97_codec.h
49976 --- linux-2.6.38.4/include/sound/ac97_codec.h 2011-03-14 21:20:32.000000000 -0400
49977 +++ linux-2.6.38.4/include/sound/ac97_codec.h 2011-04-17 15:57:32.000000000 -0400
49978 @@ -419,15 +419,15 @@
49981 struct snd_ac97_build_ops {
49982 - int (*build_3d) (struct snd_ac97 *ac97);
49983 - int (*build_specific) (struct snd_ac97 *ac97);
49984 - int (*build_spdif) (struct snd_ac97 *ac97);
49985 - int (*build_post_spdif) (struct snd_ac97 *ac97);
49986 + int (* const build_3d) (struct snd_ac97 *ac97);
49987 + int (* const build_specific) (struct snd_ac97 *ac97);
49988 + int (* const build_spdif) (struct snd_ac97 *ac97);
49989 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
49991 - void (*suspend) (struct snd_ac97 *ac97);
49992 - void (*resume) (struct snd_ac97 *ac97);
49993 + void (* const suspend) (struct snd_ac97 *ac97);
49994 + void (* const resume) (struct snd_ac97 *ac97);
49996 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
49997 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
50000 struct snd_ac97_bus_ops {
50001 diff -urNp linux-2.6.38.4/include/trace/events/irq.h linux-2.6.38.4/include/trace/events/irq.h
50002 --- linux-2.6.38.4/include/trace/events/irq.h 2011-03-14 21:20:32.000000000 -0400
50003 +++ linux-2.6.38.4/include/trace/events/irq.h 2011-04-17 15:57:32.000000000 -0400
50004 @@ -36,7 +36,7 @@ struct softirq_action;
50006 TRACE_EVENT(irq_handler_entry,
50008 - TP_PROTO(int irq, struct irqaction *action),
50009 + TP_PROTO(int irq, const struct irqaction *action),
50011 TP_ARGS(irq, action),
50013 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
50015 TRACE_EVENT(irq_handler_exit,
50017 - TP_PROTO(int irq, struct irqaction *action, int ret),
50018 + TP_PROTO(int irq, const struct irqaction *action, int ret),
50020 TP_ARGS(irq, action, ret),
50022 diff -urNp linux-2.6.38.4/include/video/uvesafb.h linux-2.6.38.4/include/video/uvesafb.h
50023 --- linux-2.6.38.4/include/video/uvesafb.h 2011-03-14 21:20:32.000000000 -0400
50024 +++ linux-2.6.38.4/include/video/uvesafb.h 2011-04-17 15:57:32.000000000 -0400
50025 @@ -177,6 +177,7 @@ struct uvesafb_par {
50026 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
50027 u8 pmi_setpal; /* PMI for palette changes */
50028 u16 *pmi_base; /* protected mode interface location */
50029 + u8 *pmi_code; /* protected mode code location */
50032 u8 *vbe_state_orig; /*
50033 diff -urNp linux-2.6.38.4/init/do_mounts.c linux-2.6.38.4/init/do_mounts.c
50034 --- linux-2.6.38.4/init/do_mounts.c 2011-03-14 21:20:32.000000000 -0400
50035 +++ linux-2.6.38.4/init/do_mounts.c 2011-04-17 15:57:32.000000000 -0400
50036 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
50038 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
50040 - int err = sys_mount(name, "/root", fs, flags, data);
50041 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
50045 @@ -382,18 +382,18 @@ void __init change_floppy(char *fmt, ...
50046 va_start(args, fmt);
50047 vsprintf(buf, fmt, args);
50049 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
50050 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
50052 sys_ioctl(fd, FDEJECT, 0);
50055 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
50056 - fd = sys_open("/dev/console", O_RDWR, 0);
50057 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
50059 sys_ioctl(fd, TCGETS, (long)&termios);
50060 termios.c_lflag &= ~ICANON;
50061 sys_ioctl(fd, TCSETSF, (long)&termios);
50062 - sys_read(fd, &c, 1);
50063 + sys_read(fd, (char __user *)&c, 1);
50064 termios.c_lflag |= ICANON;
50065 sys_ioctl(fd, TCSETSF, (long)&termios);
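Review bot: The casts in this hunk are inconsistent: `sys_open((char __user *)"/dev/root", ...)` and `sys_read(fd, (char __user *)&c, 1)` lack the `__force` that the `/dev/console` line has, and the first also drops `const`. Without `__force`, sparse still reports the kernel-to-user address-space conversion, so the warning these casts exist to silence survives on those two lines. Suggest `fd = sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`, matching the do_mount_root hunk above and the do_mounts_initrd.c hunks below. The enclosing change_floppy() starts before this hunk.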
50067 @@ -487,6 +487,6 @@ void __init prepare_namespace(void)
50070 devtmpfs_mount("dev");
50071 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
50072 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
50073 sys_chroot((const char __user __force *)".");
50075 diff -urNp linux-2.6.38.4/init/do_mounts.h linux-2.6.38.4/init/do_mounts.h
50076 --- linux-2.6.38.4/init/do_mounts.h 2011-03-14 21:20:32.000000000 -0400
50077 +++ linux-2.6.38.4/init/do_mounts.h 2011-04-17 15:57:32.000000000 -0400
50078 @@ -15,15 +15,15 @@ extern int root_mountflags;
50080 static inline int create_dev(char *name, dev_t dev)
50082 - sys_unlink(name);
50083 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
50084 + sys_unlink((__force char __user *)name);
50085 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
50088 #if BITS_PER_LONG == 32
50089 static inline u32 bstat(char *name)
50091 struct stat64 stat;
50092 - if (sys_stat64(name, &stat) != 0)
50093 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
50095 if (!S_ISBLK(stat.st_mode))
50097 diff -urNp linux-2.6.38.4/init/do_mounts_initrd.c linux-2.6.38.4/init/do_mounts_initrd.c
50098 --- linux-2.6.38.4/init/do_mounts_initrd.c 2011-03-14 21:20:32.000000000 -0400
50099 +++ linux-2.6.38.4/init/do_mounts_initrd.c 2011-04-17 15:57:32.000000000 -0400
50100 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
50101 create_dev("/dev/root.old", Root_RAM0);
50102 /* mount initrd on rootfs' /root */
50103 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
50104 - sys_mkdir("/old", 0700);
50105 - root_fd = sys_open("/", 0, 0);
50106 - old_fd = sys_open("/old", 0, 0);
50107 + sys_mkdir((__force const char __user *)"/old", 0700);
50108 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
50109 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
50110 /* move initrd over / and chdir/chroot in initrd root */
50111 - sys_chdir("/root");
50112 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
50114 + sys_chdir((__force const char __user *)"/root");
50115 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
50116 + sys_chroot((__force const char __user *)".");
50119 * In case that a resume from disk is carried out by linuxrc or one of
50120 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
50122 /* move initrd to rootfs' /old */
50123 sys_fchdir(old_fd);
50124 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
50125 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
50126 /* switch root and cwd back to / of rootfs */
50127 sys_fchdir(root_fd);
50129 + sys_chroot((__force const char __user *)".");
50131 sys_close(root_fd);
50133 if (new_decode_dev(real_root_dev) == Root_RAM0) {
50134 - sys_chdir("/old");
50135 + sys_chdir((__force const char __user *)"/old");
50139 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
50142 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
50143 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
50144 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
50148 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
50149 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
50150 if (error == -ENOENT)
50151 printk("/initrd does not exist. Ignored.\n");
50153 printk("failed\n");
50154 printk(KERN_NOTICE "Unmounting old root\n");
50155 - sys_umount("/old", MNT_DETACH);
50156 + sys_umount((__force char __user *)"/old", MNT_DETACH);
50157 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
50160 @@ -116,11 +116,11 @@ int __init initrd_load(void)
50161 * mounted in the normal path.
50163 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
50164 - sys_unlink("/initrd.image");
50165 + sys_unlink((__force const char __user *)"/initrd.image");
50170 - sys_unlink("/initrd.image");
50171 + sys_unlink((__force const char __user *)"/initrd.image");
50174 diff -urNp linux-2.6.38.4/init/do_mounts_md.c linux-2.6.38.4/init/do_mounts_md.c
50175 --- linux-2.6.38.4/init/do_mounts_md.c 2011-03-14 21:20:32.000000000 -0400
50176 +++ linux-2.6.38.4/init/do_mounts_md.c 2011-04-17 15:57:32.000000000 -0400
50177 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
50178 partitioned ? "_d" : "", minor,
50179 md_setup_args[ent].device_names);
50181 - fd = sys_open(name, 0, 0);
50182 + fd = sys_open((__force char __user *)name, 0, 0);
50184 printk(KERN_ERR "md: open failed - cannot start "
50185 "array %s\n", name);
50186 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
50190 - fd = sys_open(name, 0, 0);
50191 + fd = sys_open((__force char __user *)name, 0, 0);
50192 sys_ioctl(fd, BLKRRPART, 0);
50195 diff -urNp linux-2.6.38.4/init/initramfs.c linux-2.6.38.4/init/initramfs.c
50196 --- linux-2.6.38.4/init/initramfs.c 2011-03-14 21:20:32.000000000 -0400
50197 +++ linux-2.6.38.4/init/initramfs.c 2011-04-17 15:57:32.000000000 -0400
50198 @@ -74,7 +74,7 @@ static void __init free_hash(void)
50202 -static long __init do_utime(char __user *filename, time_t mtime)
50203 +static long __init do_utime(__force char __user *filename, time_t mtime)
50205 struct timespec t[2];
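Review bot: The `__force` added to do_utime's parameter at the new line 50203 has no effect, because sparse only honours `__force` on a cast, so the prototype still declares `char __user *filename` exactly as before and the annotation suggests a change that did not happen. Every caller in this patch now casts its argument explicitly (e.g. `do_utime((__force char __user *)de->name, de->mtime)` in the next hunk), so the signature can stay as the original `static long __init do_utime(char __user *filename, time_t mtime)`. do_utime's body continues outside the hunk.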
50207 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
50208 struct dir_entry *de, *tmp;
50209 list_for_each_entry_safe(de, tmp, &dir_list, list) {
50210 list_del(&de->list);
50211 - do_utime(de->name, de->mtime);
50212 + do_utime((__force char __user *)de->name, de->mtime);
50216 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
50218 char *old = find_link(major, minor, ino, mode, collected);
50220 - return (sys_link(old, collected) < 0) ? -1 : 1;
50221 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
50225 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
50229 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
50230 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
50231 if (S_ISDIR(st.st_mode))
50233 + sys_rmdir((__force char __user *)path);
50235 - sys_unlink(path);
50236 + sys_unlink((__force char __user *)path);
50240 @@ -305,7 +305,7 @@ static int __init do_name(void)
50241 int openflags = O_WRONLY|O_CREAT;
50243 openflags |= O_TRUNC;
50244 - wfd = sys_open(collected, openflags, mode);
50245 + wfd = sys_open((__force char __user *)collected, openflags, mode);
50248 sys_fchown(wfd, uid, gid);
50249 @@ -317,17 +317,17 @@ static int __init do_name(void)
50252 } else if (S_ISDIR(mode)) {
50253 - sys_mkdir(collected, mode);
50254 - sys_chown(collected, uid, gid);
50255 - sys_chmod(collected, mode);
50256 + sys_mkdir((__force char __user *)collected, mode);
50257 + sys_chown((__force char __user *)collected, uid, gid);
50258 + sys_chmod((__force char __user *)collected, mode);
50259 dir_add(collected, mtime);
50260 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
50261 S_ISFIFO(mode) || S_ISSOCK(mode)) {
50262 if (maybe_link() == 0) {
50263 - sys_mknod(collected, mode, rdev);
50264 - sys_chown(collected, uid, gid);
50265 - sys_chmod(collected, mode);
50266 - do_utime(collected, mtime);
50267 + sys_mknod((__force char __user *)collected, mode, rdev);
50268 + sys_chown((__force char __user *)collected, uid, gid);
50269 + sys_chmod((__force char __user *)collected, mode);
50270 + do_utime((__force char __user *)collected, mtime);
50274 @@ -336,15 +336,15 @@ static int __init do_name(void)
50275 static int __init do_copy(void)
50277 if (count >= body_len) {
50278 - sys_write(wfd, victim, body_len);
50279 + sys_write(wfd, (__force char __user *)victim, body_len);
50281 - do_utime(vcollected, mtime);
50282 + do_utime((__force char __user *)vcollected, mtime);
50288 - sys_write(wfd, victim, count);
50289 + sys_write(wfd, (__force char __user *)victim, count);
50293 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
50295 collected[N_ALIGN(name_len) + body_len] = '\0';
50296 clean_path(collected, 0);
50297 - sys_symlink(collected + N_ALIGN(name_len), collected);
50298 - sys_lchown(collected, uid, gid);
50299 - do_utime(collected, mtime);
50300 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
50301 + sys_lchown((__force char __user *)collected, uid, gid);
50302 + do_utime((__force char __user *)collected, mtime);
50304 next_state = Reset;
50306 diff -urNp linux-2.6.38.4/init/Kconfig linux-2.6.38.4/init/Kconfig
50307 --- linux-2.6.38.4/init/Kconfig 2011-03-14 21:20:32.000000000 -0400
50308 +++ linux-2.6.38.4/init/Kconfig 2011-04-17 15:57:32.000000000 -0400
50309 @@ -1185,7 +1185,7 @@ config SLUB_DEBUG
50312 bool "Disable heap randomization"
50316 Randomizing heap placement makes heap exploits harder, but it
50317 also breaks ancient binaries (including anything libc5 based).
50318 diff -urNp linux-2.6.38.4/init/main.c linux-2.6.38.4/init/main.c
50319 --- linux-2.6.38.4/init/main.c 2011-03-14 21:20:32.000000000 -0400
50320 +++ linux-2.6.38.4/init/main.c 2011-04-17 15:57:32.000000000 -0400
50321 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
50322 extern void tc_init(void);
50325 +extern void grsecurity_init(void);
50328 * Debug helper: via this flag we know that we are in 'early bootup code'
50329 * where only the boot processor is running with IRQ disabled. This means
50330 @@ -206,6 +208,47 @@ static int __init set_reset_devices(char
50332 __setup("reset_devices", set_reset_devices);
50334 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
50335 +extern char pax_enter_kernel_user[];
50336 +extern char pax_exit_kernel_user[];
50337 +extern pgdval_t clone_pgd_mask;
50340 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
50341 +static int __init setup_pax_nouderef(char *str)
50343 +#ifdef CONFIG_X86_32
50344 + unsigned int cpu;
50346 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
50347 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
50348 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
50349 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
50350 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
50352 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
50354 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
50355 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
50356 + clone_pgd_mask = ~(pgdval_t)0UL;
50361 +early_param("pax_nouderef", setup_pax_nouderef);
50364 +#ifdef CONFIG_PAX_SOFTMODE
50365 +unsigned int pax_softmode;
50367 +static int __init setup_pax_softmode(char *str)
50369 + get_option(&str, &pax_softmode);
50372 +__setup("pax_softmode=", setup_pax_softmode);
50375 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
50376 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
50377 static const char *panic_later, *panic_param;
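Review bot: `get_option(&str, &pax_softmode)` at the new line 50369 passes an `unsigned int *` where get_option() takes `int *`, which is a pointer-sign mismatch on a freshly added global; parse into an int and assign, `int val; get_option(&str, &val); pax_softmode = val;`, or declare `pax_softmode` as `int` if nothing requires it unsigned. The two `memcpy(..., (unsigned char []){0xc3}, 1)` calls at 50354-50355 overwrite live kernel text with a bare opcode and deserve a comment such as `/* 0xc3 = ret: make the pax_enter/exit_kernel_user thunks return immediately */` so the next reader does not have to decode the byte. The x86_32 loop at 50346-50350 runs over all NR_CPUS GDTs from an early_param; a short comment on why that is safe at this point of boot would help as well.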
50378 @@ -751,6 +794,7 @@ int __init_or_module do_one_initcall(ini
50380 int count = preempt_count();
50382 + const char *msg1 = "", *msg2 = "";
50384 if (initcall_debug)
50385 ret = do_one_initcall_debug(fn);
50386 @@ -763,15 +807,15 @@ int __init_or_module do_one_initcall(ini
50387 sprintf(msgbuf, "error code %d ", ret);
50389 if (preempt_count() != count) {
50390 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
50391 + msg1 = " preemption imbalance";
50392 preempt_count() = count;
50394 if (irqs_disabled()) {
50395 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
50396 + msg2 = " disabled interrupts";
50397 local_irq_enable();
50400 - printk("initcall %pF returned with %s\n", fn, msgbuf);
50401 + if (msgbuf[0] || *msg1 || *msg2) {
50402 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
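Review bot: The message assembled at the new line 50402 gets a double space whenever `msgbuf` is non-empty, because `sprintf(msgbuf, "error code %d ", ret)` at 50387 keeps its trailing blank while `msg1`/`msg2` now carry a leading one; dropping the trailing blank, `sprintf(msgbuf, "error code %d", ret);`, restores the old single-spaced output. Replacing the strlcat() calls into the fixed buffer with two constant pointers is otherwise a sound simplification. do_one_initcall begins and ends outside this hunk.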
50406 @@ -898,7 +942,7 @@ static int __init kernel_init(void * unu
50409 /* Open the /dev/console on the rootfs, this should never fail */
50410 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
50411 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
50412 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
50415 @@ -911,11 +955,13 @@ static int __init kernel_init(void * unu
50416 if (!ramdisk_execute_command)
50417 ramdisk_execute_command = "/init";
50419 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
50420 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
50421 ramdisk_execute_command = NULL;
50422 prepare_namespace();
50425 + grsecurity_init();
50428 * Ok, we have completed the initial bootup, and
50429 * we're essentially up and running. Get rid of the
50430 diff -urNp linux-2.6.38.4/ipc/mqueue.c linux-2.6.38.4/ipc/mqueue.c
50431 --- linux-2.6.38.4/ipc/mqueue.c 2011-03-14 21:20:32.000000000 -0400
50432 +++ linux-2.6.38.4/ipc/mqueue.c 2011-04-17 15:57:32.000000000 -0400
50433 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
50434 mq_bytes = (mq_msg_tblsz +
50435 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
50437 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
50438 spin_lock(&mq_lock);
50439 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
50440 u->mq_bytes + mq_bytes >
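Review bot: `gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1)` at the new line 50437 reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken on the following line, whereas the existing accounting reads and checks it only under that lock, including the overflow test `u->mq_bytes + mq_bytes < u->mq_bytes`. The hint can therefore be computed from a stale or wrapped sum; if gr_learn_resource() is safe to call with the lock held, moving it below the `spin_lock(&mq_lock);` line (or after the overflow check) gives it the same value the limit check uses. If the hook is deliberately advisory, a one-line comment such as `/* advisory only: sampled without mq_lock */` would stop the next reader from "fixing" it. mqueue_get_inode begins and ends outside this hunk.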
50441 diff -urNp linux-2.6.38.4/ipc/shm.c linux-2.6.38.4/ipc/shm.c
50442 --- linux-2.6.38.4/ipc/shm.c 2011-03-14 21:20:32.000000000 -0400
50443 +++ linux-2.6.38.4/ipc/shm.c 2011-04-17 15:57:32.000000000 -0400
50444 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
50445 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
50448 +#ifdef CONFIG_GRKERNSEC
50449 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
50450 + const time_t shm_createtime, const uid_t cuid,
50451 + const int shmid);
50452 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
50453 + const time_t shm_createtime);
50456 void shm_init_ns(struct ipc_namespace *ns)
50458 ns->shm_ctlmax = SHMMAX;
50459 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
50460 shp->shm_lprid = 0;
50461 shp->shm_atim = shp->shm_dtim = 0;
50462 shp->shm_ctim = get_seconds();
50463 +#ifdef CONFIG_GRKERNSEC
50465 + struct timespec timeval;
50466 + do_posix_clock_monotonic_gettime(&timeval);
50468 + shp->shm_createtime = timeval.tv_sec;
50471 shp->shm_segsz = size;
50472 shp->shm_nattch = 0;
50473 shp->shm_file = file;
50474 @@ -761,8 +777,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
50478 - struct file *uninitialized_var(shm_file);
50480 lru_add_drain_all(); /* drain pagevecs to lru lists */
50482 shp = shm_lock_check(ns, shmid);
50483 @@ -895,9 +909,21 @@ long do_shmat(int shmid, char __user *sh
50487 +#ifdef CONFIG_GRKERNSEC
50488 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
50489 + shp->shm_perm.cuid, shmid) ||
50490 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
50496 path = shp->shm_file->f_path;
50499 +#ifdef CONFIG_GRKERNSEC
50500 + shp->shm_lapid = current->pid;
50502 size = i_size_read(path.dentry->d_inode);
50505 diff -urNp linux-2.6.38.4/kernel/acct.c linux-2.6.38.4/kernel/acct.c
50506 --- linux-2.6.38.4/kernel/acct.c 2011-03-14 21:20:32.000000000 -0400
50507 +++ linux-2.6.38.4/kernel/acct.c 2011-04-17 15:57:32.000000000 -0400
50508 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
50510 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
50511 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
50512 - file->f_op->write(file, (char *)&ac,
50513 + file->f_op->write(file, (__force char __user *)&ac,
50514 sizeof(acct_t), &file->f_pos);
50515 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
50517 diff -urNp linux-2.6.38.4/kernel/capability.c linux-2.6.38.4/kernel/capability.c
50518 --- linux-2.6.38.4/kernel/capability.c 2011-03-14 21:20:32.000000000 -0400
50519 +++ linux-2.6.38.4/kernel/capability.c 2011-04-17 15:57:32.000000000 -0400
50520 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
50521 * before modification is attempted and the application
50524 + if (tocopy > ARRAY_SIZE(kdata))
50527 if (copy_to_user(dataptr, kdata, tocopy
50528 * sizeof(struct __user_cap_data_struct))) {
50530 @@ -306,10 +309,26 @@ int capable(int cap)
50534 - if (security_capable(current_cred(), cap) == 0) {
50535 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) {
50536 current->flags |= PF_SUPERPRIV;
50542 +int capable_nolog(int cap)
50544 + if (unlikely(!cap_valid(cap))) {
50545 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
50549 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
50550 + current->flags |= PF_SUPERPRIV;
50556 EXPORT_SYMBOL(capable);
50557 +EXPORT_SYMBOL(capable_nolog);
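Review bot: capable_nolog() at the new lines 50542-50555 repeats the body of capable() with only the gr_is_capable()/gr_is_capable_nolog() call differing, and the copied diagnostic at 50545 still reads `"capable() called with invalid cap=%u\n"`, so a BUG from the new path will be attributed to the wrong function; at minimum change it to `printk(KERN_CRIT "capable_nolog() called with invalid cap=%u\n", cap);`. A cleaner shape is one static helper taking a `bool log` flag that both exported wrappers call, so the cap_valid() check and the PF_SUPERPRIV update are maintained in one place. The new function should also be declared in include/linux/capability.h next to capable(); this chunk does not show whether the patch does that.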
50558 diff -urNp linux-2.6.38.4/kernel/compat.c linux-2.6.38.4/kernel/compat.c
50559 --- linux-2.6.38.4/kernel/compat.c 2011-03-14 21:20:32.000000000 -0400
50560 +++ linux-2.6.38.4/kernel/compat.c 2011-04-17 15:57:32.000000000 -0400
50563 #include <linux/linkage.h>
50564 #include <linux/compat.h>
50565 +#include <linux/module.h>
50566 #include <linux/errno.h>
50567 #include <linux/time.h>
50568 #include <linux/signal.h>
50569 diff -urNp linux-2.6.38.4/kernel/configs.c linux-2.6.38.4/kernel/configs.c
50570 --- linux-2.6.38.4/kernel/configs.c 2011-03-14 21:20:32.000000000 -0400
50571 +++ linux-2.6.38.4/kernel/configs.c 2011-04-17 15:57:32.000000000 -0400
50572 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
50573 struct proc_dir_entry *entry;
50575 /* create the current config file */
50576 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50577 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
50578 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
50579 + &ikconfig_file_ops);
50580 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50581 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
50582 + &ikconfig_file_ops);
50585 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
50586 &ikconfig_file_ops);
50592 diff -urNp linux-2.6.38.4/kernel/cred.c linux-2.6.38.4/kernel/cred.c
50593 --- linux-2.6.38.4/kernel/cred.c 2011-03-14 21:20:32.000000000 -0400
50594 +++ linux-2.6.38.4/kernel/cred.c 2011-04-17 15:57:32.000000000 -0400
50595 @@ -483,6 +483,8 @@ int commit_creds(struct cred *new)
50597 get_cred(new); /* we will require a ref for the subj creds too */
50599 + gr_set_role_label(task, new->uid, new->gid);
50601 /* dumpability changes */
50602 if (old->euid != new->euid ||
50603 old->egid != new->egid ||
50604 diff -urNp linux-2.6.38.4/kernel/debug/debug_core.c linux-2.6.38.4/kernel/debug/debug_core.c
50605 --- linux-2.6.38.4/kernel/debug/debug_core.c 2011-03-14 21:20:32.000000000 -0400
50606 +++ linux-2.6.38.4/kernel/debug/debug_core.c 2011-04-17 15:57:32.000000000 -0400
50607 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
50608 /* Guard for recursive entry */
50609 static int exception_level;
50611 -struct kgdb_io *dbg_io_ops;
50612 +const struct kgdb_io *dbg_io_ops;
50613 static DEFINE_SPINLOCK(kgdb_registration_lock);
50615 /* kgdb console driver is loaded */
50616 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
50618 * Register it with the KGDB core.
50620 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
50621 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
50625 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
50627 * Unregister it with the KGDB core.
50629 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
50630 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
50632 BUG_ON(kgdb_connected);
50634 diff -urNp linux-2.6.38.4/kernel/debug/kdb/kdb_main.c linux-2.6.38.4/kernel/debug/kdb/kdb_main.c
50635 --- linux-2.6.38.4/kernel/debug/kdb/kdb_main.c 2011-03-14 21:20:32.000000000 -0400
50636 +++ linux-2.6.38.4/kernel/debug/kdb/kdb_main.c 2011-04-17 15:57:32.000000000 -0400
50637 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
50638 list_for_each_entry(mod, kdb_modules, list) {
50640 kdb_printf("%-20s%8u 0x%p ", mod->name,
50641 - mod->core_size, (void *)mod);
50642 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
50643 #ifdef CONFIG_MODULE_UNLOAD
50644 kdb_printf("%4d ", module_refcount(mod));
50646 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
50647 kdb_printf(" (Loading)");
50649 kdb_printf(" (Live)");
50650 - kdb_printf(" 0x%p", mod->module_core);
50651 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
50653 #ifdef CONFIG_MODULE_UNLOAD
50655 diff -urNp linux-2.6.38.4/kernel/exit.c linux-2.6.38.4/kernel/exit.c
50656 --- linux-2.6.38.4/kernel/exit.c 2011-03-14 21:20:32.000000000 -0400
50657 +++ linux-2.6.38.4/kernel/exit.c 2011-04-17 15:57:32.000000000 -0400
50659 #include <asm/pgtable.h>
50660 #include <asm/mmu_context.h>
50662 +#ifdef CONFIG_GRKERNSEC
50663 +extern rwlock_t grsec_exec_file_lock;
50666 static void exit_mm(struct task_struct * tsk);
50668 static void __unhash_process(struct task_struct *p, bool group_dead)
50669 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
50670 struct task_struct *leader;
50673 + gr_del_task_from_ip_table(p);
50675 tracehook_prepare_release_task(p);
50676 /* don't need to get the RCU readlock here - the process is dead and
50677 * can't be modifying its own credentials. But shut RCU-lockdep up */
50678 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
50680 write_lock_irq(&tasklist_lock);
50682 +#ifdef CONFIG_GRKERNSEC
50683 + write_lock(&grsec_exec_file_lock);
50684 + if (current->exec_file) {
50685 + fput(current->exec_file);
50686 + current->exec_file = NULL;
50688 + write_unlock(&grsec_exec_file_lock);
50691 ptrace_unlink(current);
50692 /* Reparent to init */
50693 current->real_parent = current->parent = kthreadd_task;
50694 list_move_tail(¤t->sibling, ¤t->real_parent->children);
50696 + gr_set_kernel_label(current);
50698 /* Set the exit signal to SIGCHLD so we signal init on exit */
50699 current->exit_signal = SIGCHLD;
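Review bot: The exec_file release at the new lines 50682-50689 runs after `write_lock_irq(&tasklist_lock)` at 50680, so if `fput(current->exec_file)` drops the last reference, `__fput()` executes with interrupts disabled inside tasklist_lock, where file release handlers may block; if another reference is always held at this point, that invariant should be stated in a comment next to the fput(). The same six lines appear again in daemonize() at @@ -430,6 +447,17 (new lines 50715-50721); factoring them into one helper, e.g. `gr_put_exec_file(struct task_struct *tsk)`, and calling it before the lock is taken addresses both places. reparent_to_kthreadd begins outside this hunk.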
50701 @@ -394,7 +411,7 @@ int allow_signal(int sig)
50702 * know it'll be handled, so that they don't get converted to
50703 * SIGKILL or just silently dropped.
50705 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
50706 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
50707 recalc_sigpending();
50708 spin_unlock_irq(¤t->sighand->siglock);
50710 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
50711 vsnprintf(current->comm, sizeof(current->comm), name, args);
50714 +#ifdef CONFIG_GRKERNSEC
50715 + write_lock(&grsec_exec_file_lock);
50716 + if (current->exec_file) {
50717 + fput(current->exec_file);
50718 + current->exec_file = NULL;
50720 + write_unlock(&grsec_exec_file_lock);
50723 + gr_set_kernel_label(current);
50726 * If we were started as result of loading a module, close all of the
50727 * user space pages. We don't need them, and if we didn't close them
50728 @@ -905,17 +933,17 @@ NORET_TYPE void do_exit(long code)
50729 struct task_struct *tsk = current;
50732 - profile_task_exit(tsk);
50734 - WARN_ON(atomic_read(&tsk->fs_excl));
50737 + * Check this first since set_fs() below depends on
50738 + * current_thread_info(), which we better not access when we're in
50739 + * interrupt context. Other than that, we want to do the set_fs()
50740 + * as early as possible.
50742 if (unlikely(in_interrupt()))
50743 panic("Aiee, killing interrupt handler!");
50744 - if (unlikely(!tsk->pid))
50745 - panic("Attempted to kill the idle task!");
50748 - * If do_exit is called because this processes oopsed, it's possible
50749 + * If do_exit is called because this processes Oops'ed, it's possible
50750 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
50751 * continuing. Amongst other possible reasons, this is to prevent
50752 * mm_release()->clear_child_tid() from writing to a user-controlled
50753 @@ -923,6 +951,13 @@ NORET_TYPE void do_exit(long code)
50757 + profile_task_exit(tsk);
50759 + WARN_ON(atomic_read(&tsk->fs_excl));
50761 + if (unlikely(!tsk->pid))
50762 + panic("Attempted to kill the idle task!");
50764 tracehook_report_exit(&code);
50766 validate_creds_for_do_exit(tsk);
50767 @@ -983,6 +1018,9 @@ NORET_TYPE void do_exit(long code)
50768 tsk->exit_code = code;
50769 taskstats_exit(tsk, group_dead);
50771 + gr_acl_handle_psacct(tsk, code);
50772 + gr_acl_handle_exit();
50777 diff -urNp linux-2.6.38.4/kernel/fork.c linux-2.6.38.4/kernel/fork.c
50778 --- linux-2.6.38.4/kernel/fork.c 2011-03-14 21:20:32.000000000 -0400
50779 +++ linux-2.6.38.4/kernel/fork.c 2011-04-17 15:57:32.000000000 -0400
50780 @@ -280,7 +280,7 @@ static struct task_struct *dup_task_stru
50781 *stackend = STACK_END_MAGIC; /* for overflow detection */
50783 #ifdef CONFIG_CC_STACKPROTECTOR
50784 - tsk->stack_canary = get_random_int();
50785 + tsk->stack_canary = pax_get_random_long();
50788 /* One for us, one for whoever does the "release_task()" (usually parent) */
50789 @@ -302,13 +302,78 @@ out:
50793 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
50795 + struct vm_area_struct *tmp;
50796 + unsigned long charge;
50797 + struct mempolicy *pol;
50798 + struct file *file;
50801 + if (mpnt->vm_flags & VM_ACCOUNT) {
50802 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
50803 + if (security_vm_enough_memory(len))
50807 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
50812 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
50813 + pol = mpol_dup(vma_policy(mpnt));
50815 + goto fail_nomem_policy;
50816 + vma_set_policy(tmp, pol);
50817 + if (anon_vma_fork(tmp, mpnt))
50818 + goto fail_nomem_anon_vma_fork;
50819 + tmp->vm_flags &= ~VM_LOCKED;
50820 + tmp->vm_next = tmp->vm_prev = NULL;
50821 + tmp->vm_mirror = NULL;
50822 + file = tmp->vm_file;
50824 + struct inode *inode = file->f_path.dentry->d_inode;
50825 + struct address_space *mapping = file->f_mapping;
50828 + if (tmp->vm_flags & VM_DENYWRITE)
50829 + atomic_dec(&inode->i_writecount);
50830 + spin_lock(&mapping->i_mmap_lock);
50831 + if (tmp->vm_flags & VM_SHARED)
50832 + mapping->i_mmap_writable++;
50833 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
50834 + flush_dcache_mmap_lock(mapping);
50835 + /* insert tmp into the share list, just after mpnt */
50836 + vma_prio_tree_add(tmp, mpnt);
50837 + flush_dcache_mmap_unlock(mapping);
50838 + spin_unlock(&mapping->i_mmap_lock);
50842 + * Clear hugetlb-related page reserves for children. This only
50843 + * affects MAP_PRIVATE mappings. Faults generated by the child
50844 + * are not guaranteed to succeed, even if read-only
50846 + if (is_vm_hugetlb_page(tmp))
50847 + reset_vma_resv_huge_pages(tmp);
50851 +fail_nomem_anon_vma_fork:
50853 +fail_nomem_policy:
50854 + kmem_cache_free(vm_area_cachep, tmp);
50856 + vm_unacct_memory(charge);
50860 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
50862 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
50863 struct rb_node **rb_link, *rb_parent;
50865 - unsigned long charge;
50866 - struct mempolicy *pol;
50868 down_write(&oldmm->mmap_sem);
50869 flush_cache_dup_mm(oldmm);
50870 @@ -320,8 +385,8 @@ static int dup_mmap(struct mm_struct *mm
50873 mm->mmap_cache = NULL;
50874 - mm->free_area_cache = oldmm->mmap_base;
50875 - mm->cached_hole_size = ~0UL;
50876 + mm->free_area_cache = oldmm->free_area_cache;
50877 + mm->cached_hole_size = oldmm->cached_hole_size;
50879 cpumask_clear(mm_cpumask(mm));
50880 mm->mm_rb = RB_ROOT;
50881 @@ -337,8 +402,6 @@ static int dup_mmap(struct mm_struct *mm
50884 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
50885 - struct file *file;
50887 if (mpnt->vm_flags & VM_DONTCOPY) {
50888 long pages = vma_pages(mpnt);
50889 mm->total_vm -= pages;
50890 @@ -346,56 +409,13 @@ static int dup_mmap(struct mm_struct *mm
50895 - if (mpnt->vm_flags & VM_ACCOUNT) {
50896 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
50897 - if (security_vm_enough_memory(len))
50901 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
50905 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
50906 - pol = mpol_dup(vma_policy(mpnt));
50907 - retval = PTR_ERR(pol);
50909 - goto fail_nomem_policy;
50910 - vma_set_policy(tmp, pol);
50912 - if (anon_vma_fork(tmp, mpnt))
50913 - goto fail_nomem_anon_vma_fork;
50914 - tmp->vm_flags &= ~VM_LOCKED;
50915 - tmp->vm_next = tmp->vm_prev = NULL;
50916 - file = tmp->vm_file;
50918 - struct inode *inode = file->f_path.dentry->d_inode;
50919 - struct address_space *mapping = file->f_mapping;
50922 - if (tmp->vm_flags & VM_DENYWRITE)
50923 - atomic_dec(&inode->i_writecount);
50924 - spin_lock(&mapping->i_mmap_lock);
50925 - if (tmp->vm_flags & VM_SHARED)
50926 - mapping->i_mmap_writable++;
50927 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
50928 - flush_dcache_mmap_lock(mapping);
50929 - /* insert tmp into the share list, just after mpnt */
50930 - vma_prio_tree_add(tmp, mpnt);
50931 - flush_dcache_mmap_unlock(mapping);
50932 - spin_unlock(&mapping->i_mmap_lock);
50933 + tmp = dup_vma(mm, mpnt);
50935 + retval = -ENOMEM;
50940 - * Clear hugetlb-related page reserves for children. This only
50941 - * affects MAP_PRIVATE mappings. Faults generated by the child
50942 - * are not guaranteed to succeed, even if read-only
50944 - if (is_vm_hugetlb_page(tmp))
50945 - reset_vma_resv_huge_pages(tmp);
50948 * Link in the new vma and copy the page table entries.
50951 @@ -416,6 +436,31 @@ static int dup_mmap(struct mm_struct *mm
50956 +#ifdef CONFIG_PAX_SEGMEXEC
50957 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
50958 + struct vm_area_struct *mpnt_m;
50960 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
50961 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
50963 + if (!mpnt->vm_mirror)
50966 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
50967 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
50968 + mpnt->vm_mirror = mpnt_m;
50970 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
50971 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
50972 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
50973 + mpnt->vm_mirror->vm_mirror = mpnt;
50980 /* a new mm has just been created */
50981 arch_dup_mmap(oldmm, mm);
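Review bot: The mirror fix-up loop at the new lines 50960-50973 walks `oldmm->mmap` and `mm->mmap` in lockstep and asserts with BUG_ON that the two lists correspond one-to-one, but the copy loop earlier in dup_mmap skips every VMA carrying VM_DONTCOPY (the `continue` in the `if (mpnt->vm_flags & VM_DONTCOPY)` branch at @@ -337,8), so the child list can be shorter than the parent's and the pairing drifts after the first such VMA. Unless VM_DONTCOPY is excluded for MF_PAX_SEGMEXEC mappings elsewhere, the loop should skip VM_DONTCOPY entries on the parent side without advancing `mpnt_m`, or be driven from the child list instead. A comment stating the invariant the BUG_ONs rely on (each parent VMA has exactly one child VMA, in the same order) would help either way. dup_mmap begins outside this hunk, and the lines between 50961 and 50966 are not shown here.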
50983 @@ -424,14 +469,6 @@ out:
50984 flush_tlb_mm(oldmm);
50985 up_write(&oldmm->mmap_sem);
50987 -fail_nomem_anon_vma_fork:
50989 -fail_nomem_policy:
50990 - kmem_cache_free(vm_area_cachep, tmp);
50992 - retval = -ENOMEM;
50993 - vm_unacct_memory(charge);
50997 static inline int mm_alloc_pgd(struct mm_struct * mm)
50998 @@ -778,13 +815,14 @@ static int copy_fs(unsigned long clone_f
50999 spin_unlock(&fs->lock);
51003 + atomic_inc(&fs->users);
51004 spin_unlock(&fs->lock);
51007 tsk->fs = copy_fs_struct(fs);
51010 + gr_set_chroot_entries(tsk, &tsk->fs->root);
51014 @@ -1042,10 +1080,13 @@ static struct task_struct *copy_process(
51016 if (!vx_nproc_avail(1))
51017 goto bad_fork_free;
51019 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
51021 if (atomic_read(&p->real_cred->user->processes) >=
51022 task_rlimit(p, RLIMIT_NPROC)) {
51023 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
51024 - p->real_cred->user != INIT_USER)
51025 + if (p->real_cred->user != INIT_USER &&
51026 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
51027 goto bad_fork_free;
51030 @@ -1199,6 +1240,8 @@ static struct task_struct *copy_process(
51031 goto bad_fork_free_pid;
51034 + gr_copy_label(p);
51036 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
51038 * Clear TID on mm_release()?
51039 @@ -1356,6 +1399,8 @@ bad_fork_cleanup_count:
51043 + gr_log_forkfail(retval);
51045 return ERR_PTR(retval);
51048 @@ -1444,6 +1489,8 @@ long do_fork(unsigned long clone_flags,
51049 if (clone_flags & CLONE_PARENT_SETTID)
51050 put_user(nr, parent_tidptr);
51052 + gr_handle_brute_check();
51054 if (clone_flags & CLONE_VFORK) {
51055 p->vfork_done = &vfork;
51056 init_completion(&vfork);
51057 @@ -1559,7 +1606,7 @@ static int unshare_fs(unsigned long unsh
51060 /* don't need lock here; in the worst case we'll do useless copy */
51061 - if (fs->users == 1)
51062 + if (atomic_read(&fs->users) == 1)
51065 *new_fsp = copy_fs_struct(fs);
51066 @@ -1682,7 +1729,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
51068 spin_lock(&fs->lock);
51069 current->fs = new_fs;
51071 + gr_set_chroot_entries(current, ¤t->fs->root);
51072 + if (atomic_dec_return(&fs->users))
51076 diff -urNp linux-2.6.38.4/kernel/futex.c linux-2.6.38.4/kernel/futex.c
51077 --- linux-2.6.38.4/kernel/futex.c 2011-04-22 19:20:59.000000000 -0400
51078 +++ linux-2.6.38.4/kernel/futex.c 2011-04-22 19:21:35.000000000 -0400
51080 #include <linux/mount.h>
51081 #include <linux/pagemap.h>
51082 #include <linux/syscalls.h>
51083 +#include <linux/ptrace.h>
51084 #include <linux/signal.h>
51085 #include <linux/module.h>
51086 #include <linux/magic.h>
51087 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
51088 struct page *page, *page_head;
51091 +#ifdef CONFIG_PAX_SEGMEXEC
51092 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
51097 * The futex address must be "naturally" aligned.
51099 @@ -2404,7 +2410,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
51101 struct robust_list_head __user *head;
51103 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
51104 const struct cred *cred = current_cred(), *pcred;
51107 if (!futex_cmpxchg_enabled)
51109 @@ -2420,11 +2428,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
51113 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51114 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
51117 pcred = __task_cred(p);
51118 if (cred->euid != pcred->euid &&
51119 cred->euid != pcred->uid &&
51120 !capable(CAP_SYS_PTRACE))
51123 head = p->robust_list;
51126 @@ -2667,6 +2680,7 @@ static int __init futex_init(void)
51130 + mm_segment_t oldfs;
51133 * This will fail and we want it. Some arch implementations do
51134 @@ -2678,7 +2692,10 @@ static int __init futex_init(void)
51135 * implementation, the non-functional ones will return
51138 + oldfs = get_fs();
51140 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
51142 if (curval == -EFAULT)
51143 futex_cmpxchg_enabled = 1;
51145 diff -urNp linux-2.6.38.4/kernel/futex_compat.c linux-2.6.38.4/kernel/futex_compat.c
51146 --- linux-2.6.38.4/kernel/futex_compat.c 2011-03-14 21:20:32.000000000 -0400
51147 +++ linux-2.6.38.4/kernel/futex_compat.c 2011-04-17 15:57:32.000000000 -0400
51149 #include <linux/compat.h>
51150 #include <linux/nsproxy.h>
51151 #include <linux/futex.h>
51152 +#include <linux/ptrace.h>
51154 #include <asm/uaccess.h>
51156 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
51158 struct compat_robust_list_head __user *head;
51160 - const struct cred *cred = current_cred(), *pcred;
51161 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
51162 + const struct cred *cred = current_cred();
51163 + const struct cred *pcred;
51166 if (!futex_cmpxchg_enabled)
51168 @@ -152,11 +156,16 @@ compat_sys_get_robust_list(int pid, comp
51172 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51173 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
51176 pcred = __task_cred(p);
51177 if (cred->euid != pcred->euid &&
51178 cred->euid != pcred->uid &&
51179 !capable(CAP_SYS_PTRACE))
51182 head = p->compat_robust_list;
51185 diff -urNp linux-2.6.38.4/kernel/gcov/base.c linux-2.6.38.4/kernel/gcov/base.c
51186 --- linux-2.6.38.4/kernel/gcov/base.c 2011-03-14 21:20:32.000000000 -0400
51187 +++ linux-2.6.38.4/kernel/gcov/base.c 2011-04-17 15:57:32.000000000 -0400
51188 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
51191 #ifdef CONFIG_MODULES
51192 -static inline int within(void *addr, void *start, unsigned long size)
51194 - return ((addr >= start) && (addr < start + size));
51197 /* Update list and generate events when modules are unloaded. */
51198 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
51200 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
51202 /* Remove entries located in module from linked list. */
51203 for (info = gcov_info_head; info; info = info->next) {
51204 - if (within(info, mod->module_core, mod->core_size)) {
51205 + if (within_module_core_rw((unsigned long)info, mod)) {
51207 prev->next = info->next;
51209 diff -urNp linux-2.6.38.4/kernel/hrtimer.c linux-2.6.38.4/kernel/hrtimer.c
51210 --- linux-2.6.38.4/kernel/hrtimer.c 2011-03-14 21:20:32.000000000 -0400
51211 +++ linux-2.6.38.4/kernel/hrtimer.c 2011-04-17 15:57:32.000000000 -0400
51212 @@ -1371,7 +1371,7 @@ void hrtimer_peek_ahead_timers(void)
51213 local_irq_restore(flags);
51216 -static void run_hrtimer_softirq(struct softirq_action *h)
51217 +static void run_hrtimer_softirq(void)
51219 hrtimer_peek_ahead_timers();
51221 diff -urNp linux-2.6.38.4/kernel/jump_label.c linux-2.6.38.4/kernel/jump_label.c
51222 --- linux-2.6.38.4/kernel/jump_label.c 2011-03-14 21:20:32.000000000 -0400
51223 +++ linux-2.6.38.4/kernel/jump_label.c 2011-04-17 15:57:32.000000000 -0400
51224 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
51225 mutex_unlock(&jump_label_mutex);
51228 +static void jump_label_swap(void *a, void *b, int size)
51230 + struct jump_entry t;
51232 + t = *(struct jump_entry *)a;
51233 + pax_open_kernel();
51234 + *(struct jump_entry *)a = *(struct jump_entry *)b;
51235 + *(struct jump_entry *)b = t;
51236 + pax_close_kernel();
51239 static int jump_label_cmp(const void *a, const void *b)
51241 const struct jump_entry *jea = a;
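Review bot: jump_label_swap() ignores its `size` argument and copies a fixed `struct jump_entry` through `a` and `b`, so it is correct only when the element size it is registered with matches, which the sort() call in the next hunk happens to guarantee but nothing in the function states. A one-line guard makes that contract explicit and enforced: `BUG_ON(size != sizeof(struct jump_entry));` at the top, or at minimum a comment that the callback is private to sort_jump_label_entries(). Reading `t` before pax_open_kernel() and performing both stores inside the open/close pair is the right order, as it keeps the writable window to the two assignments.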
51242 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
51244 size = (((unsigned long)stop - (unsigned long)start)
51245 / sizeof(struct jump_entry));
51246 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
51247 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
51250 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
51251 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
51252 count = e_module->nr_entries;
51253 iter = e_module->table;
51255 - if (within_module_init(iter->code, mod))
51256 + if (within_module_init(iter->code, mod)) {
51257 + pax_open_kernel();
51259 + pax_close_kernel();
51264 diff -urNp linux-2.6.38.4/kernel/kallsyms.c linux-2.6.38.4/kernel/kallsyms.c
51265 --- linux-2.6.38.4/kernel/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
51266 +++ linux-2.6.38.4/kernel/kallsyms.c 2011-04-17 15:57:32.000000000 -0400
51268 * Changed the compression method from stem compression to "table lookup"
51269 * compression (see scripts/kallsyms.c for a more complete description)
51271 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51272 +#define __INCLUDED_BY_HIDESYM 1
51274 #include <linux/kallsyms.h>
51275 #include <linux/module.h>
51276 #include <linux/init.h>
51277 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
51279 static inline int is_kernel_inittext(unsigned long addr)
51281 + if (system_state != SYSTEM_BOOTING)
51284 if (addr >= (unsigned long)_sinittext
51285 && addr <= (unsigned long)_einittext)
51290 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51291 +#ifdef CONFIG_MODULES
51292 +static inline int is_module_text(unsigned long addr)
51294 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
51297 + addr = ktla_ktva(addr);
51298 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
51301 +static inline int is_module_text(unsigned long addr)
51308 static inline int is_kernel_text(unsigned long addr)
51310 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
51311 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
51313 static inline int is_kernel(unsigned long addr)
51316 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51317 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
51320 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
51322 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
51326 return in_gate_area_no_task(addr);
51329 static int is_ksym_addr(unsigned long addr)
51332 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51333 + if (is_module_text(addr))
51338 return is_kernel(addr);
51340 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
51342 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
51344 - iter->name[0] = '\0';
51345 iter->nameoff = get_symbol_offset(new_pos);
51346 iter->pos = new_pos;
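Review bot: Dropping `iter->name[0] = '\0';` from reset_iter() changes behaviour whenever an already-used iterator is repositioned, not only at allocation: the kzalloc() switch in the -504,7 hunk zeroes the buffer once, so after a reset to a new position `name` still carries the previous symbol until a later step overwrites it, and the `if (!iter->name[0])` test in s_show() would then see stale text. If the removal is intentional because every path after reset_iter() refills `name`, say so in a comment on reset_iter(), e.g. `/* name is always rewritten by the next get_ksymbol_* call, so no clear here */`; otherwise keep the clear and rely on kzalloc() only for the initial state.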
51348 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
51350 struct kallsym_iter *iter = m->private;
51352 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51353 + if (current_uid())
51357 /* Some debugging symbols have no name. Ignore them. */
51358 if (!iter->name[0])
51360 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
51361 struct kallsym_iter *iter;
51364 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
51365 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
51368 reset_iter(iter, 0);
51369 diff -urNp linux-2.6.38.4/kernel/kmod.c linux-2.6.38.4/kernel/kmod.c
51370 --- linux-2.6.38.4/kernel/kmod.c 2011-03-14 21:20:32.000000000 -0400
51371 +++ linux-2.6.38.4/kernel/kmod.c 2011-04-17 15:57:32.000000000 -0400
51372 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
51373 * If module auto-loading support is disabled then this function
51374 * becomes a no-operation.
51376 -int __request_module(bool wait, const char *fmt, ...)
51377 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
51380 char module_name[MODULE_NAME_LEN];
51381 unsigned int max_modprobes;
51383 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
51384 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
51385 static char *envp[] = { "HOME=/",
51387 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
51388 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
51389 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
51390 static int kmod_loop_msg;
51392 - va_start(args, fmt);
51393 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
51395 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
51396 if (ret >= MODULE_NAME_LEN)
51397 return -ENAMETOOLONG;
51399 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
51403 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51404 + if (!current_uid()) {
51405 + /* hack to workaround consolekit/udisks stupidity */
51406 + read_lock(&tasklist_lock);
51407 + if (!strcmp(current->comm, "mount") &&
51408 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
51409 + read_unlock(&tasklist_lock);
51410 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
51413 + read_unlock(&tasklist_lock);
51417 /* If modprobe needs a service that is in a module, we get a recursive
51418 * loop. Limit the number of running kmod threads to max_threads/2 or
51419 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
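Review bot: The udisks exception `if (!strcmp(current->comm, "mount") && current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5))` keys a policy decision on task `comm` strings, which are chosen by userspace and carry no identity guarantee, so this branch is a heuristic rather than an enforcement point. The existing `/* hack ... */` comment should say that explicitly so nobody later widens it, e.g. `/* heuristic only: comm is user-controlled; real enforcement is the grsec_modharden_* argv marker checked in kernel/module.c */`. The enclosing ____request_module() continues outside the hunk.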
51420 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
51421 atomic_dec(&kmod_concurrent);
51425 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
51430 + va_start(args, fmt);
51431 + ret = ____request_module(wait, module_param, fmt, args);
51437 +int __request_module(bool wait, const char *fmt, ...)
51442 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51443 + if (current_uid()) {
51444 + char module_param[MODULE_NAME_LEN];
51446 + memset(module_param, 0, sizeof(module_param));
51448 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
51450 + va_start(args, fmt);
51451 + ret = ____request_module(wait, module_param, fmt, args);
51458 + va_start(args, fmt);
51459 + ret = ____request_module(wait, NULL, fmt, args);
51465 EXPORT_SYMBOL(__request_module);
51466 #endif /* CONFIG_MODULES */
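Review bot: In the CONFIG_GRKERNSEC_MODHARDEN branch of __request_module() the `memset(module_param, 0, sizeof(module_param));` followed by `snprintf(module_param, sizeof(module_param) - 1, ...)` is redundant: snprintf() always NUL-terminates within the size it is given, so the two lines reduce to `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());`. A comment is also warranted that this string is deliberately appended to modprobe's argv so that load_module() can recognise and refuse an auto-load on behalf of an unprivileged uid, since that link is invisible from this file. As a point of style, ___request_module() with three leading underscores beside the existing two-underscore name is easy to misread; a descriptive name such as request_module_with_param() would be clearer.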
51468 diff -urNp linux-2.6.38.4/kernel/kprobes.c linux-2.6.38.4/kernel/kprobes.c
51469 --- linux-2.6.38.4/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
51470 +++ linux-2.6.38.4/kernel/kprobes.c 2011-04-17 15:57:32.000000000 -0400
51471 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
51472 * kernel image and loaded module images reside. This is required
51473 * so x86_64 can correctly handle the %rip-relative fixups.
51475 - kip->insns = module_alloc(PAGE_SIZE);
51476 + kip->insns = module_alloc_exec(PAGE_SIZE);
51480 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
51482 if (!list_is_singular(&kip->list)) {
51483 list_del(&kip->list);
51484 - module_free(NULL, kip->insns);
51485 + module_free_exec(NULL, kip->insns);
51489 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
51492 unsigned long offset = 0, size = 0;
51493 - char *modname, namebuf[128];
51494 + char *modname, namebuf[KSYM_NAME_LEN];
51495 const char *symbol_name;
51497 struct kprobe_blackpoint *kb;
51498 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
51499 const char *sym = NULL;
51500 unsigned int i = *(loff_t *) v;
51501 unsigned long offset = 0;
51502 - char *modname, namebuf[128];
51503 + char *modname, namebuf[KSYM_NAME_LEN];
51505 head = &kprobe_table[i];
51507 diff -urNp linux-2.6.38.4/kernel/lockdep.c linux-2.6.38.4/kernel/lockdep.c
51508 --- linux-2.6.38.4/kernel/lockdep.c 2011-03-14 21:20:32.000000000 -0400
51509 +++ linux-2.6.38.4/kernel/lockdep.c 2011-04-17 15:57:32.000000000 -0400
51510 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
51511 end = (unsigned long) &_end,
51512 addr = (unsigned long) obj;
51514 +#ifdef CONFIG_PAX_KERNEXEC
51515 + start = ktla_ktva(start);
51521 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
51522 if (!static_obj(lock->key)) {
51524 printk("INFO: trying to register non-static key.\n");
51525 + printk("lock:%pS key:%pS.\n", lock, lock->key);
51526 printk("the code is fine but needs lockdep annotation.\n");
51527 printk("turning off the locking correctness validator.\n");
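Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key);` fires exactly when static_obj() has rejected the key, so `lock->key` (and usually `lock` too) is not a kernel symbol and `%pS` falls back to printing the raw address; unless the patched kallsyms path suppresses that, it is a kernel-pointer disclosure to every dmesg reader in a tree that otherwise works hard to hide addresses. Since this is a developer diagnostic, consider `%pK` for both pointers (available in this release) so the values are shown only to readers allowed to see them. register_lock_class() continues outside the hunk.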
51529 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
51533 - atomic_inc((atomic_t *)&class->ops);
51534 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
51535 if (very_verbose(class)) {
51536 printk("\nacquire class [%p] %s", class->key, class->name);
51537 if (class->name_version > 1)
51538 diff -urNp linux-2.6.38.4/kernel/lockdep_proc.c linux-2.6.38.4/kernel/lockdep_proc.c
51539 --- linux-2.6.38.4/kernel/lockdep_proc.c 2011-03-14 21:20:32.000000000 -0400
51540 +++ linux-2.6.38.4/kernel/lockdep_proc.c 2011-04-17 15:57:32.000000000 -0400
51541 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
51543 static void print_name(struct seq_file *m, struct lock_class *class)
51546 + char str[KSYM_NAME_LEN];
51547 const char *name = class->name;
51550 diff -urNp linux-2.6.38.4/kernel/module.c linux-2.6.38.4/kernel/module.c
51551 --- linux-2.6.38.4/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
51552 +++ linux-2.6.38.4/kernel/module.c 2011-04-17 16:05:04.000000000 -0400
51554 #include <linux/kmemleak.h>
51555 #include <linux/jump_label.h>
51556 #include <linux/pfn.h>
51557 +#include <linux/grsecurity.h>
51559 #define CREATE_TRACE_POINTS
51560 #include <trace/events/module.h>
51561 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
51563 /* Bounds of module allocation, for speeding __module_address.
51564 * Protected by module_mutex. */
51565 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
51566 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
51567 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
51569 int register_module_notifier(struct notifier_block * nb)
51571 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
51574 list_for_each_entry_rcu(mod, &modules, list) {
51575 - struct symsearch arr[] = {
51576 + struct symsearch modarr[] = {
51577 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
51578 NOT_GPL_ONLY, false },
51579 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
51580 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
51584 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
51585 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
51589 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
51590 static int percpu_modalloc(struct module *mod,
51591 unsigned long size, unsigned long align)
51593 - if (align > PAGE_SIZE) {
51594 + if (align-1 >= PAGE_SIZE) {
51595 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
51596 mod->name, align, PAGE_SIZE);
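Review bot: `if (align-1 >= PAGE_SIZE)` now also rejects `align == 0` because the subtraction wraps to ULONG_MAX, a sensible tightening, but the warning right below still reads `per-cpu alignment %li > %li`, which is wrong for the zero case and prints an unsigned long with `%li`. Adjust the message to match the new condition: `printk(KERN_WARNING "%s: per-cpu alignment %lu not in [1, %lu]\n", mod->name, align, PAGE_SIZE);`. A short comment noting that the condition is the unsigned form of `align == 0 || align > PAGE_SIZE` would spare the next reader the same double-take. percpu_modalloc() continues outside the hunk.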
51598 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
51600 #ifdef CONFIG_SYSFS
51602 -#ifdef CONFIG_KALLSYMS
51603 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
51604 static inline bool sect_empty(const Elf_Shdr *sect)
51606 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
51607 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
51609 unsigned long total_pages;
51611 - if (mod->module_core == module_region) {
51612 + if (mod->module_core_rx == module_region) {
51613 /* Set core as NX+RW */
51614 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
51615 - set_memory_nx((unsigned long)mod->module_core, total_pages);
51616 - set_memory_rw((unsigned long)mod->module_core, total_pages);
51617 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
51618 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
51619 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
51621 - } else if (mod->module_init == module_region) {
51622 + } else if (mod->module_init_rx == module_region) {
51623 /* Set init as NX+RW */
51624 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
51625 - set_memory_nx((unsigned long)mod->module_init, total_pages);
51626 - set_memory_rw((unsigned long)mod->module_init, total_pages);
51627 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
51628 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
51629 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
51633 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
51635 mutex_lock(&module_mutex);
51636 list_for_each_entry_rcu(mod, &modules, list) {
51637 - if ((mod->module_core) && (mod->core_text_size)) {
51638 - set_page_attributes(mod->module_core,
51639 - mod->module_core + mod->core_text_size,
51640 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
51641 + set_page_attributes(mod->module_core_rx,
51642 + mod->module_core_rx + mod->core_size_rx,
51645 - if ((mod->module_init) && (mod->init_text_size)) {
51646 - set_page_attributes(mod->module_init,
51647 - mod->module_init + mod->init_text_size,
51648 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
51649 + set_page_attributes(mod->module_init_rx,
51650 + mod->module_init_rx + mod->init_size_rx,
51654 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
51656 mutex_lock(&module_mutex);
51657 list_for_each_entry_rcu(mod, &modules, list) {
51658 - if ((mod->module_core) && (mod->core_text_size)) {
51659 - set_page_attributes(mod->module_core,
51660 - mod->module_core + mod->core_text_size,
51661 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
51662 + set_page_attributes(mod->module_core_rx,
51663 + mod->module_core_rx + mod->core_size_rx,
51666 - if ((mod->module_init) && (mod->init_text_size)) {
51667 - set_page_attributes(mod->module_init,
51668 - mod->module_init + mod->init_text_size,
51669 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
51670 + set_page_attributes(mod->module_init_rx,
51671 + mod->module_init_rx + mod->init_size_rx,
51675 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
51676 destroy_params(mod->kp, mod->num_kp);
51678 /* This may be NULL, but that's OK */
51679 - unset_section_ro_nx(mod, mod->module_init);
51680 - module_free(mod, mod->module_init);
51681 + unset_section_ro_nx(mod, mod->module_init_rx);
51682 + module_free(mod, mod->module_init_rw);
51683 + module_free_exec(mod, mod->module_init_rx);
51685 percpu_modfree(mod);
51687 /* Free lock-classes: */
51688 - lockdep_free_key_range(mod->module_core, mod->core_size);
51689 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
51690 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
51692 /* Finally, free the core (containing the module structure) */
51693 - unset_section_ro_nx(mod, mod->module_core);
51694 - module_free(mod, mod->module_core);
51695 + unset_section_ro_nx(mod, mod->module_core_rx);
51696 + module_free_exec(mod, mod->module_core_rx);
51697 + module_free(mod, mod->module_core_rw);
51700 update_protections(current->mm);
51701 @@ -1775,10 +1780,25 @@ static int simplify_symbols(struct modul
51704 const struct kernel_symbol *ksym;
51705 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51706 + int is_fs_load = 0;
51707 + int register_filesystem_found = 0;
51709 + if (strstr(mod->args, "grsec_modharden_fs"))
51713 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
51714 const char *name = info->strtab + sym[i].st_name;
51716 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51717 + /* it's a real shame this will never get ripped and copied
51720 + if (is_fs_load && !strcmp(name, "register_filesystem"))
51721 + register_filesystem_found = 1;
51724 switch (sym[i].st_shndx) {
51726 /* We compiled with -fno-common. These are not
51727 @@ -1799,7 +1819,9 @@ static int simplify_symbols(struct modul
51728 ksym = resolve_symbol_wait(mod, info, name);
51729 /* Ok if resolved. */
51730 if (ksym && !IS_ERR(ksym)) {
51731 + pax_open_kernel();
51732 sym[i].st_value = ksym->value;
51733 + pax_close_kernel();
51737 @@ -1818,11 +1840,20 @@ static int simplify_symbols(struct modul
51738 secbase = (unsigned long)mod_percpu(mod);
51740 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
51741 + pax_open_kernel();
51742 sym[i].st_value += secbase;
51743 + pax_close_kernel();
51748 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51749 + if (is_fs_load && !register_filesystem_found) {
51750 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
51758 @@ -1906,22 +1937,12 @@ static void layout_sections(struct modul
51759 || s->sh_entsize != ~0UL
51760 || strstarts(sname, ".init"))
51762 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
51763 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
51764 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
51766 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
51767 DEBUGP("\t%s\n", name);
51770 - case 0: /* executable */
51771 - mod->core_size = debug_align(mod->core_size);
51772 - mod->core_text_size = mod->core_size;
51774 - case 1: /* RO: text and ro-data */
51775 - mod->core_size = debug_align(mod->core_size);
51776 - mod->core_ro_size = mod->core_size;
51778 - case 3: /* whole core */
51779 - mod->core_size = debug_align(mod->core_size);
51784 DEBUGP("Init section allocation order:\n");
51785 @@ -1935,23 +1956,13 @@ static void layout_sections(struct modul
51786 || s->sh_entsize != ~0UL
51787 || !strstarts(sname, ".init"))
51789 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
51790 - | INIT_OFFSET_MASK);
51791 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
51792 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
51794 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
51795 + s->sh_entsize |= INIT_OFFSET_MASK;
51796 DEBUGP("\t%s\n", sname);
51799 - case 0: /* executable */
51800 - mod->init_size = debug_align(mod->init_size);
51801 - mod->init_text_size = mod->init_size;
51803 - case 1: /* RO: text and ro-data */
51804 - mod->init_size = debug_align(mod->init_size);
51805 - mod->init_ro_size = mod->init_size;
51807 - case 3: /* whole init */
51808 - mod->init_size = debug_align(mod->init_size);
51814 @@ -2119,7 +2130,7 @@ static void layout_symtab(struct module
51816 /* Put symbol section at end of init part of module. */
51817 symsect->sh_flags |= SHF_ALLOC;
51818 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
51819 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
51820 info->index.sym) | INIT_OFFSET_MASK;
51821 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
51823 @@ -2136,19 +2147,19 @@ static void layout_symtab(struct module
51826 /* Append room for core symbols at end of core part. */
51827 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
51828 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
51829 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
51830 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
51832 /* Put string table section at end of init part of module. */
51833 strsect->sh_flags |= SHF_ALLOC;
51834 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
51835 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
51836 info->index.str) | INIT_OFFSET_MASK;
51837 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
51839 /* Append room for core symbols' strings at end of core part. */
51840 - info->stroffs = mod->core_size;
51841 + info->stroffs = mod->core_size_rx;
51842 __set_bit(0, info->strmap);
51843 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
51844 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
51847 static void add_kallsyms(struct module *mod, const struct load_info *info)
51848 @@ -2164,11 +2175,13 @@ static void add_kallsyms(struct module *
51849 /* Make sure we get permanent strtab: don't use info->strtab. */
51850 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
51852 + pax_open_kernel();
51854 /* Set types up while we still have access to sections. */
51855 for (i = 0; i < mod->num_symtab; i++)
51856 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
51858 - mod->core_symtab = dst = mod->module_core + info->symoffs;
51859 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
51862 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
51863 @@ -2181,10 +2194,12 @@ static void add_kallsyms(struct module *
51865 mod->core_num_syms = ndst;
51867 - mod->core_strtab = s = mod->module_core + info->stroffs;
51868 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
51869 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
51870 if (test_bit(i, info->strmap))
51871 *++s = mod->strtab[i];
51873 + pax_close_kernel();
51876 static inline void layout_symtab(struct module *mod, struct load_info *info)
51877 @@ -2213,17 +2228,33 @@ static void dynamic_debug_remove(struct
51878 ddebug_remove_module(debug->modname);
51881 -static void *module_alloc_update_bounds(unsigned long size)
51882 +static void *module_alloc_update_bounds_rw(unsigned long size)
51884 void *ret = module_alloc(size);
51887 mutex_lock(&module_mutex);
51888 /* Update module bounds. */
51889 - if ((unsigned long)ret < module_addr_min)
51890 - module_addr_min = (unsigned long)ret;
51891 - if ((unsigned long)ret + size > module_addr_max)
51892 - module_addr_max = (unsigned long)ret + size;
51893 + if ((unsigned long)ret < module_addr_min_rw)
51894 + module_addr_min_rw = (unsigned long)ret;
51895 + if ((unsigned long)ret + size > module_addr_max_rw)
51896 + module_addr_max_rw = (unsigned long)ret + size;
51897 + mutex_unlock(&module_mutex);
51902 +static void *module_alloc_update_bounds_rx(unsigned long size)
51904 + void *ret = module_alloc_exec(size);
51907 + mutex_lock(&module_mutex);
51908 + /* Update module bounds. */
51909 + if ((unsigned long)ret < module_addr_min_rx)
51910 + module_addr_min_rx = (unsigned long)ret;
51911 + if ((unsigned long)ret + size > module_addr_max_rx)
51912 + module_addr_max_rx = (unsigned long)ret + size;
51913 mutex_unlock(&module_mutex);
51916 @@ -2516,7 +2547,7 @@ static int move_module(struct module *mo
51919 /* Do the allocs. */
51920 - ptr = module_alloc_update_bounds(mod->core_size);
51921 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
51923 * The pointer to this block is stored in the module structure
51924 * which is inside the block. Just mark it as not being a
51925 @@ -2526,23 +2557,50 @@ static int move_module(struct module *mo
51929 - memset(ptr, 0, mod->core_size);
51930 - mod->module_core = ptr;
51931 + memset(ptr, 0, mod->core_size_rw);
51932 + mod->module_core_rw = ptr;
51934 - ptr = module_alloc_update_bounds(mod->init_size);
51935 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
51937 * The pointer to this block is stored in the module structure
51938 * which is inside the block. This block doesn't need to be
51939 * scanned as it contains data and code that will be freed
51940 * after the module is initialized.
51942 - kmemleak_ignore(ptr);
51943 - if (!ptr && mod->init_size) {
51944 - module_free(mod, mod->module_core);
51945 + kmemleak_not_leak(ptr);
51946 + if (!ptr && mod->init_size_rw) {
51947 + module_free(mod, mod->module_core_rw);
51950 - memset(ptr, 0, mod->init_size);
51951 - mod->module_init = ptr;
51952 + memset(ptr, 0, mod->init_size_rw);
51953 + mod->module_init_rw = ptr;
51955 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
51956 + kmemleak_not_leak(ptr);
51958 + module_free(mod, mod->module_init_rw);
51959 + module_free(mod, mod->module_core_rw);
51963 + pax_open_kernel();
51964 + memset(ptr, 0, mod->core_size_rx);
51965 + pax_close_kernel();
51966 + mod->module_core_rx = ptr;
51968 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
51969 + kmemleak_not_leak(ptr);
51970 + if (!ptr && mod->init_size_rx) {
51971 + module_free_exec(mod, mod->module_core_rx);
51972 + module_free(mod, mod->module_init_rw);
51973 + module_free(mod, mod->module_core_rw);
51977 + pax_open_kernel();
51978 + memset(ptr, 0, mod->init_size_rx);
51979 + pax_close_kernel();
51980 + mod->module_init_rx = ptr;
51982 /* Transfer each section which specifies SHF_ALLOC */
51983 DEBUGP("final section addresses:\n");
51984 @@ -2553,16 +2611,45 @@ static int move_module(struct module *mo
51985 if (!(shdr->sh_flags & SHF_ALLOC))
51988 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
51989 - dest = mod->module_init
51990 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
51992 - dest = mod->module_core + shdr->sh_entsize;
51993 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
51994 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
51995 + dest = mod->module_init_rw
51996 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
51998 + dest = mod->module_init_rx
51999 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
52001 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
52002 + dest = mod->module_core_rw + shdr->sh_entsize;
52004 + dest = mod->module_core_rx + shdr->sh_entsize;
52007 + if (shdr->sh_type != SHT_NOBITS) {
52009 +#ifdef CONFIG_PAX_KERNEXEC
52010 +#ifdef CONFIG_X86_64
52011 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
52012 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
52014 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
52015 + pax_open_kernel();
52016 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
52017 + pax_close_kernel();
52021 - if (shdr->sh_type != SHT_NOBITS)
52022 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
52024 /* Update sh_addr to point to copy in image. */
52025 - shdr->sh_addr = (unsigned long)dest;
52027 +#ifdef CONFIG_PAX_KERNEXEC
52028 + if (shdr->sh_flags & SHF_EXECINSTR)
52029 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
52033 + shdr->sh_addr = (unsigned long)dest;
52034 DEBUGP("\t0x%lx %s\n",
52035 shdr->sh_addr, info->secstrings + shdr->sh_name);
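Review bot: The x86_64 KERNEXEC branch sizes its `set_memory_x()` call as `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, which counts pages from a page-aligned start, but `dest` is the section's offset inside the RW block and need not be page-aligned, so a section ending just past a page boundary can be left partly non-executable while the count is spent on pages before it. Derive the count from the real span instead: `PFN_UP((unsigned long)dest + shdr->sh_size) - PFN_DOWN((unsigned long)dest)`, with the start rounded down to match. This branch is also the one place the RW/RX split is deliberately relaxed, creating a writable-and-executable range for any section carrying both SHF_WRITE and SHF_EXECINSTR; a comment stating why that is accepted belongs here. The rest of move_module() lies outside the hunk.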
52037 @@ -2613,12 +2700,12 @@ static void flush_module_icache(const st
52038 * Do it before processing of module parameters, so the module
52039 * can provide parameter accessor functions of its own.
52041 - if (mod->module_init)
52042 - flush_icache_range((unsigned long)mod->module_init,
52043 - (unsigned long)mod->module_init
52044 - + mod->init_size);
52045 - flush_icache_range((unsigned long)mod->module_core,
52046 - (unsigned long)mod->module_core + mod->core_size);
52047 + if (mod->module_init_rx)
52048 + flush_icache_range((unsigned long)mod->module_init_rx,
52049 + (unsigned long)mod->module_init_rx
52050 + + mod->init_size_rx);
52051 + flush_icache_range((unsigned long)mod->module_core_rx,
52052 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
52056 @@ -2690,8 +2777,10 @@ static void module_deallocate(struct mod
52058 kfree(info->strmap);
52059 percpu_modfree(mod);
52060 - module_free(mod, mod->module_init);
52061 - module_free(mod, mod->module_core);
52062 + module_free_exec(mod, mod->module_init_rx);
52063 + module_free_exec(mod, mod->module_core_rx);
52064 + module_free(mod, mod->module_init_rw);
52065 + module_free(mod, mod->module_core_rw);
52068 static int post_relocation(struct module *mod, const struct load_info *info)
52069 @@ -2748,9 +2837,38 @@ static struct module *load_module(void _
52073 + /* Now copy in args */
52074 + mod->args = strndup_user(uargs, ~0UL >> 1);
52075 + if (IS_ERR(mod->args)) {
52076 + err = PTR_ERR(mod->args);
52077 + goto free_unload;
52080 /* Set up MODINFO_ATTR fields */
52081 setup_modinfo(mod, &info);
52083 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
52087 + if (strstr(mod->args, "grsec_modharden_netdev")) {
52088 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
52090 + goto free_modinfo;
52091 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
52092 + p += strlen("grsec_modharden_normal");
52093 + p2 = strstr(p, "_");
52096 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
52100 + goto free_modinfo;
52105 /* Fix up syms, so that st_value is a pointer to location. */
52106 err = simplify_symbols(mod, &info);
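Review bot: The netdev denial message ending in `alias netdev-%.64s instead."` has no trailing `\n`, unlike the other grsec: messages in this patch, so the following printk will be glued onto the same line; add the newline. In the `grsec_modharden_normal` branch the uid is logged with `%.9s`, but a uid_t can need ten digits, so the largest uids are silently truncated in the log; `%.10s` avoids that. Both branches deserve a comment that these tokens arrive through modprobe's argv from __request_module() in kernel/kmod.c, which is not apparent from this file. load_module() continues outside the hunk.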
52108 @@ -2766,13 +2884,6 @@ static struct module *load_module(void _
52110 flush_module_icache(mod);
52112 - /* Now copy in args */
52113 - mod->args = strndup_user(uargs, ~0UL >> 1);
52114 - if (IS_ERR(mod->args)) {
52115 - err = PTR_ERR(mod->args);
52116 - goto free_arch_cleanup;
52119 /* Mark state as coming so strong_try_module_get() ignores us. */
52120 mod->state = MODULE_STATE_COMING;
52122 @@ -2832,11 +2943,10 @@ static struct module *load_module(void _
52124 mutex_unlock(&module_mutex);
52125 synchronize_sched();
52126 - kfree(mod->args);
52127 - free_arch_cleanup:
52128 module_arch_cleanup(mod);
52131 + kfree(mod->args);
52133 module_unload_free(mod);
52135 @@ -2877,16 +2987,16 @@ SYSCALL_DEFINE3(init_module, void __user
52136 MODULE_STATE_COMING, mod);
52138 /* Set RO and NX regions for core */
52139 - set_section_ro_nx(mod->module_core,
52140 - mod->core_text_size,
52141 - mod->core_ro_size,
52143 + set_section_ro_nx(mod->module_core_rx,
52144 + mod->core_size_rx,
52145 + mod->core_size_rx,
52146 + mod->core_size_rx);
52148 /* Set RO and NX regions for init */
52149 - set_section_ro_nx(mod->module_init,
52150 - mod->init_text_size,
52151 - mod->init_ro_size,
52153 + set_section_ro_nx(mod->module_init_rx,
52154 + mod->init_size_rx,
52155 + mod->init_size_rx,
52156 + mod->init_size_rx);
52159 /* Start the module */
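Review bot: set_section_ro_nx() is now handed mod->core_size_rx as the text, RO and total size alike, which reads as a copy-paste slip unless the RX mapping is meant to be text only; a comment above the call, e.g. `/* the RX mapping holds only text: text, RO and total sizes coincide */`, would make that explicit, and the same applies to the init call just below. The RW halves (module_core_rw, module_init_rw) are no longer passed to set_section_ro_nx at all, so the NX bit the original call applied to the data part of the core now rests on the RW allocator already returning non-executable memory — presumably true with the split allocator, but not visible in this hunk. init_module's body continues outside the hunk.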
52160 @@ -2931,11 +3041,13 @@ SYSCALL_DEFINE3(init_module, void __user
52161 mod->symtab = mod->core_symtab;
52162 mod->strtab = mod->core_strtab;
52164 - unset_section_ro_nx(mod, mod->module_init);
52165 - module_free(mod, mod->module_init);
52166 - mod->module_init = NULL;
52167 - mod->init_size = 0;
52168 - mod->init_text_size = 0;
52169 + unset_section_ro_nx(mod, mod->module_init_rx);
52170 + module_free(mod, mod->module_init_rw);
52171 + module_free_exec(mod, mod->module_init_rx);
52172 + mod->module_init_rw = NULL;
52173 + mod->module_init_rx = NULL;
52174 + mod->init_size_rw = 0;
52175 + mod->init_size_rx = 0;
52176 mutex_unlock(&module_mutex);
52179 @@ -2966,10 +3078,16 @@ static const char *get_ksymbol(struct mo
52180 unsigned long nextval;
52182 /* At worse, next value is at end of module */
52183 - if (within_module_init(addr, mod))
52184 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
52185 + if (within_module_init_rx(addr, mod))
52186 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
52187 + else if (within_module_init_rw(addr, mod))
52188 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
52189 + else if (within_module_core_rx(addr, mod))
52190 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
52191 + else if (within_module_core_rw(addr, mod))
52192 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
52194 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
52197 /* Scan for closest preceeding symbol, and next symbol. (ELF
52198 starts real symbols at 1). */
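Review bot: nextval is left uninitialised when addr matches none of the four within_module_*() tests; the original if/else always assigned it (the removed `nextval = (unsigned long)mod->module_core+mod->core_text_size;` was the default branch) and the new chain has no final else. Callers presumably only pass addresses that __module_address() already attributed to mod, but with `unsigned long nextval;` declared at the top of the hunk this is a compiler warning and a latent garbage upper bound for the symbol scan below; either initialise it at the declaration or keep the original fallback with `else nextval = (unsigned long)mod->module_core_rx + mod->core_size_rx;`. get_ksymbol's body continues outside the hunk.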
52199 @@ -3215,7 +3333,7 @@ static int m_show(struct seq_file *m, vo
52202 seq_printf(m, "%s %u",
52203 - mod->name, mod->init_size + mod->core_size);
52204 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
52205 print_unload_info(m, mod);
52207 /* Informative for users. */
52208 @@ -3224,7 +3342,7 @@ static int m_show(struct seq_file *m, vo
52209 mod->state == MODULE_STATE_COMING ? "Loading":
52211 /* Used by oprofile and other similar tools. */
52212 - seq_printf(m, " 0x%p", mod->module_core);
52213 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
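Review bot: Any parser of /proc/modules that expects a single address after the state column will now see an extra token, because the line prints two (`" 0x%p 0x%p"`), and the comment right above says oprofile and similar tools consume this field. If the split layout has to be exposed, a note in the file (or the patch's documentation) saying the format changed and what each column is would help; the per-module size in the preceding m_show hunk also became a four-way sum, which is less visible to parsers. m_show's body continues outside the hunk.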
52217 @@ -3260,7 +3378,17 @@ static const struct file_operations proc
52219 static int __init proc_modules_init(void)
52221 +#ifndef CONFIG_GRKERNSEC_HIDESYM
52222 +#ifdef CONFIG_GRKERNSEC_PROC_USER
52223 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
52224 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52225 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
52227 proc_create("modules", 0, NULL, &proc_modules_operations);
52230 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
52234 module_init(proc_modules_init);
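Review bot: proc_modules_init now repeats the proc_create("modules", ...) call four times across the #ifdef branches, differing only in the mode; computing the mode once under the ifdefs and calling proc_create once keeps the name, parent and ops in a single place. Something like `mode_t mode = 0;` with the branches assigning `S_IRUSR` or `S_IRUSR | S_IRGRP`, followed by one `proc_create("modules", mode, NULL, &proc_modules_operations);` (proc_create already treats mode 0 as the default). The ioresources_init hunk in kernel/resource.c has the same shape with two entries per branch. proc_create's return value is still unchecked, as it was in the original.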
52235 @@ -3319,12 +3447,12 @@ struct module *__module_address(unsigned
52237 struct module *mod;
52239 - if (addr < module_addr_min || addr > module_addr_max)
52240 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
52241 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
52244 list_for_each_entry_rcu(mod, &modules, list)
52245 - if (within_module_core(addr, mod)
52246 - || within_module_init(addr, mod))
52247 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
52251 @@ -3358,11 +3486,20 @@ bool is_module_text_address(unsigned lon
52253 struct module *__module_text_address(unsigned long addr)
52255 - struct module *mod = __module_address(addr);
52256 + struct module *mod;
52258 +#ifdef CONFIG_X86_32
52259 + addr = ktla_ktva(addr);
52262 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
52265 + mod = __module_address(addr);
52268 /* Make sure it's within the text section. */
52269 - if (!within(addr, mod->module_init, mod->init_text_size)
52270 - && !within(addr, mod->module_core, mod->core_text_size))
52271 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
52275 diff -urNp linux-2.6.38.4/kernel/mutex.c linux-2.6.38.4/kernel/mutex.c
52276 --- linux-2.6.38.4/kernel/mutex.c 2011-03-14 21:20:32.000000000 -0400
52277 +++ linux-2.6.38.4/kernel/mutex.c 2011-04-17 16:24:38.000000000 -0400
52278 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
52282 - struct thread_info *owner;
52283 + struct task_struct *owner;
52286 * If we own the BKL, then don't spin. The owner of
52287 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
52288 spin_lock_mutex(&lock->wait_lock, flags);
52290 debug_mutex_lock_common(lock, &waiter);
52291 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
52292 + debug_mutex_add_waiter(lock, &waiter, task);
52294 /* add waiting tasks to the end of the waitqueue (FIFO): */
52295 list_add_tail(&waiter.list, &lock->wait_list);
52296 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
52297 * TASK_UNINTERRUPTIBLE case.)
52299 if (unlikely(signal_pending_state(state, task))) {
52300 - mutex_remove_waiter(lock, &waiter,
52301 - task_thread_info(task));
52302 + mutex_remove_waiter(lock, &waiter, task);
52303 mutex_release(&lock->dep_map, 1, ip);
52304 spin_unlock_mutex(&lock->wait_lock, flags);
52306 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
52308 lock_acquired(&lock->dep_map, ip);
52309 /* got the lock - rejoice! */
52310 - mutex_remove_waiter(lock, &waiter, current_thread_info());
52311 + mutex_remove_waiter(lock, &waiter, current);
52312 mutex_set_owner(lock);
52314 /* set it to 0 if there are no waiters left: */
52315 diff -urNp linux-2.6.38.4/kernel/mutex-debug.c linux-2.6.38.4/kernel/mutex-debug.c
52316 --- linux-2.6.38.4/kernel/mutex-debug.c 2011-03-14 21:20:32.000000000 -0400
52317 +++ linux-2.6.38.4/kernel/mutex-debug.c 2011-04-17 16:23:07.000000000 -0400
52318 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
52321 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
52322 - struct thread_info *ti)
52323 + struct task_struct *task)
52325 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
52327 /* Mark the current thread as blocked on the lock: */
52328 - ti->task->blocked_on = waiter;
52329 + task->blocked_on = waiter;
52332 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
52333 - struct thread_info *ti)
52334 + struct task_struct *task)
52336 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
52337 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
52338 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
52339 - ti->task->blocked_on = NULL;
52340 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
52341 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter->task);
52342 + task->blocked_on = NULL;
52344 list_del_init(&waiter->list);
52345 waiter->task = NULL;
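Review bot: `DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter->task);` compares a struct mutex_waiter pointer with a struct task_struct pointer; the original check was `ti->task->blocked_on != waiter`, and the field assigned in debug_mutex_add_waiter above is `task->blocked_on = waiter`. As written the comparison is a distinct-pointer-type warning and, since those two pointers never coincide for a real waiter, the warning fires on every mutex_remove_waiter under CONFIG_DEBUG_MUTEXES; the line should read `DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);`.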
52346 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
52349 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
52350 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
52351 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
52352 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
52353 mutex_clear_owner(lock);
52355 diff -urNp linux-2.6.38.4/kernel/mutex-debug.h linux-2.6.38.4/kernel/mutex-debug.h
52356 --- linux-2.6.38.4/kernel/mutex-debug.h 2011-03-14 21:20:32.000000000 -0400
52357 +++ linux-2.6.38.4/kernel/mutex-debug.h 2011-04-17 16:26:49.000000000 -0400
52358 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
52359 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
52360 extern void debug_mutex_add_waiter(struct mutex *lock,
52361 struct mutex_waiter *waiter,
52362 - struct thread_info *ti);
52363 + struct task_struct *task);
52364 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
52365 - struct thread_info *ti);
52366 + struct task_struct *task);
52367 extern void debug_mutex_unlock(struct mutex *lock);
52368 extern void debug_mutex_init(struct mutex *lock, const char *name,
52369 struct lock_class_key *key);
52371 static inline void mutex_set_owner(struct mutex *lock)
52373 - lock->owner = current_thread_info();
52374 + lock->owner = current;
52377 static inline void mutex_clear_owner(struct mutex *lock)
52378 diff -urNp linux-2.6.38.4/kernel/mutex.h linux-2.6.38.4/kernel/mutex.h
52379 --- linux-2.6.38.4/kernel/mutex.h 2011-03-14 21:20:32.000000000 -0400
52380 +++ linux-2.6.38.4/kernel/mutex.h 2011-04-17 16:24:51.000000000 -0400
52383 static inline void mutex_set_owner(struct mutex *lock)
52385 - lock->owner = current_thread_info();
52386 + lock->owner = current;
52389 static inline void mutex_clear_owner(struct mutex *lock)
52390 diff -urNp linux-2.6.38.4/kernel/panic.c linux-2.6.38.4/kernel/panic.c
52391 --- linux-2.6.38.4/kernel/panic.c 2011-03-14 21:20:32.000000000 -0400
52392 +++ linux-2.6.38.4/kernel/panic.c 2011-04-17 15:57:32.000000000 -0400
52393 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
52396 printk(KERN_WARNING "------------[ cut here ]------------\n");
52397 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
52398 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
52399 board = dmi_get_system_info(DMI_PRODUCT_NAME);
52401 printk(KERN_WARNING "Hardware name: %s\n", board);
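Review bot: `%pA` is not a pointer extension the stock lib/vsprintf.c of this kernel version handles, as far as I know, so this printk and the __stack_chk_fail panic in the next hunk depend on a vsprintf hunk elsewhere in this patch defining it. A one-line comment above the first use, e.g. `/* %pA: symbolised address, defined in this patch's lib/vsprintf.c change */`, would tell a reader why %pS was not kept. warn_slowpath_common's body continues outside the hunk.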
52402 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
52404 void __stack_chk_fail(void)
52406 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
52408 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
52409 __builtin_return_address(0));
52411 EXPORT_SYMBOL(__stack_chk_fail);
52412 diff -urNp linux-2.6.38.4/kernel/pid.c linux-2.6.38.4/kernel/pid.c
52413 --- linux-2.6.38.4/kernel/pid.c 2011-04-22 19:20:59.000000000 -0400
52414 +++ linux-2.6.38.4/kernel/pid.c 2011-04-18 19:22:06.000000000 -0400
52416 #include <linux/rculist.h>
52417 #include <linux/bootmem.h>
52418 #include <linux/hash.h>
52419 +#include <linux/security.h>
52420 #include <linux/pid_namespace.h>
52421 #include <linux/init_task.h>
52422 #include <linux/syscalls.h>
52423 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
52425 int pid_max = PID_MAX_DEFAULT;
52427 -#define RESERVED_PIDS 300
52428 +#define RESERVED_PIDS 500
52430 int pid_max_min = RESERVED_PIDS + 1;
52431 int pid_max_max = PID_MAX_LIMIT;
52432 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
52434 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
52436 + struct task_struct *task;
52438 rcu_lockdep_assert(rcu_read_lock_held());
52439 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
52440 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
52442 + if (gr_pid_is_chrooted(task))
52448 struct task_struct *find_task_by_vpid(pid_t vnr)
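Review bot: pid_task() can return NULL when no task has that pid, and the new `if (gr_pid_is_chrooted(task))` is evaluated before any NULL test, so gr_pid_is_chrooted() must itself tolerate a NULL argument; if it dereferences its parameter this is a NULL dereference reachable from any pid lookup. The lines after the check are missing from the page, so the return paths cannot be confirmed, but `if (task && gr_pid_is_chrooted(task))` would make the contract explicit either way.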
52449 diff -urNp linux-2.6.38.4/kernel/posix-cpu-timers.c linux-2.6.38.4/kernel/posix-cpu-timers.c
52450 --- linux-2.6.38.4/kernel/posix-cpu-timers.c 2011-03-14 21:20:32.000000000 -0400
52451 +++ linux-2.6.38.4/kernel/posix-cpu-timers.c 2011-04-17 15:57:32.000000000 -0400
52453 #include <linux/posix-timers.h>
52454 #include <linux/errno.h>
52455 #include <linux/math64.h>
52456 +#include <linux/security.h>
52457 #include <asm/uaccess.h>
52458 #include <linux/kernel_stat.h>
52459 #include <trace/events/timer.h>
52460 diff -urNp linux-2.6.38.4/kernel/posix-timers.c linux-2.6.38.4/kernel/posix-timers.c
52461 --- linux-2.6.38.4/kernel/posix-timers.c 2011-03-14 21:20:32.000000000 -0400
52462 +++ linux-2.6.38.4/kernel/posix-timers.c 2011-04-17 15:57:33.000000000 -0400
52464 #include <linux/compiler.h>
52465 #include <linux/idr.h>
52466 #include <linux/posix-timers.h>
52467 +#include <linux/grsecurity.h>
52468 #include <linux/syscalls.h>
52469 #include <linux/wait.h>
52470 #include <linux/workqueue.h>
52471 @@ -955,6 +956,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
52472 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
52475 + /* only the CLOCK_REALTIME clock can be set, all other clocks
52476 + have their clock_set fptr set to a nosettime dummy function
52477 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
52478 + call common_clock_set, which calls do_sys_settimeofday, which
52482 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
52485 diff -urNp linux-2.6.38.4/kernel/power/poweroff.c linux-2.6.38.4/kernel/power/poweroff.c
52486 --- linux-2.6.38.4/kernel/power/poweroff.c 2011-03-14 21:20:32.000000000 -0400
52487 +++ linux-2.6.38.4/kernel/power/poweroff.c 2011-04-17 15:57:33.000000000 -0400
52488 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
52489 .enable_mask = SYSRQ_ENABLE_BOOT,
52492 -static int pm_sysrq_init(void)
52493 +static int __init pm_sysrq_init(void)
52495 register_sysrq_key('o', &sysrq_poweroff_op);
52497 diff -urNp linux-2.6.38.4/kernel/power/process.c linux-2.6.38.4/kernel/power/process.c
52498 --- linux-2.6.38.4/kernel/power/process.c 2011-03-14 21:20:32.000000000 -0400
52499 +++ linux-2.6.38.4/kernel/power/process.c 2011-04-17 15:57:33.000000000 -0400
52500 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
52501 u64 elapsed_csecs64;
52502 unsigned int elapsed_csecs;
52503 bool wakeup = false;
52504 + bool timedout = false;
52506 do_gettimeofday(&start);
52508 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
52512 + if (time_after(jiffies, end_time))
52514 read_lock(&tasklist_lock);
52515 do_each_thread(g, p) {
52516 if (frozen(p) || !freezable(p))
52517 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
52518 * try_to_stop() after schedule() in ptrace/signal
52519 * stop sees TIF_FREEZE.
52521 - if (!task_is_stopped_or_traced(p) &&
52522 - !freezer_should_skip(p))
52523 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
52526 + printk(KERN_ERR "Task refusing to freeze:\n");
52527 + sched_show_task(p);
52530 } while_each_thread(g, p);
52531 read_unlock(&tasklist_lock);
52533 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
52537 - if (!todo || time_after(jiffies, end_time))
52538 + if (!todo || timedout)
52541 if (pm_wakeup_pending()) {
52542 diff -urNp linux-2.6.38.4/kernel/printk.c linux-2.6.38.4/kernel/printk.c
52543 --- linux-2.6.38.4/kernel/printk.c 2011-03-14 21:20:32.000000000 -0400
52544 +++ linux-2.6.38.4/kernel/printk.c 2011-04-17 15:57:33.000000000 -0400
52545 @@ -279,12 +279,17 @@ static int check_syslog_permissions(int
52546 if (from_file && type != SYSLOG_ACTION_OPEN)
52549 +#ifdef CONFIG_GRKERNSEC_DMESG
52550 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
52554 if (syslog_action_restricted(type)) {
52555 if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
52557 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
52558 if (capable(CAP_SYS_ADMIN)) {
52559 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
52560 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
52561 "but no CAP_SYSLOG (deprecated).\n");
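Review bot: When grsec_enable_dmesg is set the new test applies to every syslog action type, not only the restricted ones, because it sits before `syslog_action_restricted(type)` (the deny path itself is not on the page). That is presumably the point of the option, but a comment such as `/* GRKERNSEC_DMESG: gate every syslog action, not just the restricted ones */` would stop it being read as a misplaced hunk. Replacing WARN_ONCE with printk_once also drops the backtrace the stock warning produced, which is reasonable for a deprecation notice but worth a line in the changelog. check_syslog_permissions's body continues outside the hunk.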
52564 diff -urNp linux-2.6.38.4/kernel/ptrace.c linux-2.6.38.4/kernel/ptrace.c
52565 --- linux-2.6.38.4/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
52566 +++ linux-2.6.38.4/kernel/ptrace.c 2011-04-17 15:57:33.000000000 -0400
52567 @@ -116,7 +116,8 @@ int ptrace_check_attach(struct task_stru
52571 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
52572 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
52573 + unsigned int log)
52575 const struct cred *cred = current_cred(), *tcred;
52577 @@ -140,7 +141,9 @@ int __ptrace_may_access(struct task_stru
52578 cred->gid != tcred->egid ||
52579 cred->gid != tcred->sgid ||
52580 cred->gid != tcred->gid) &&
52581 - !capable(CAP_SYS_PTRACE)) {
52582 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
52583 + (log && !capable(CAP_SYS_PTRACE)))
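Review bot: The capability test `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` is written out twice in __ptrace_may_access, here and in the dumpable check in the next hunk; a small helper such as `static inline bool ptrace_has_cap(unsigned int log) { return log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE); }` would state the single intent — audit the capability check only on the logging path — once. The function also became static in the preceding hunk, so any header declaration presumably has to go as well, which is not visible here. __ptrace_may_access's body continues outside the hunk.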
52588 @@ -148,7 +151,9 @@ int __ptrace_may_access(struct task_stru
52591 dumpable = get_dumpable(task->mm);
52592 - if (!dumpable && !capable(CAP_SYS_PTRACE))
52594 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
52595 + (log && !capable(CAP_SYS_PTRACE))))
52598 return security_ptrace_access_check(task, mode);
52599 @@ -158,7 +163,16 @@ bool ptrace_may_access(struct task_struc
52603 - err = __ptrace_may_access(task, mode);
52604 + err = __ptrace_may_access(task, mode, 0);
52605 + task_unlock(task);
52609 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
52613 + err = __ptrace_may_access(task, mode, 1);
52617 @@ -185,7 +199,7 @@ static int ptrace_attach(struct task_str
52621 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
52622 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
52626 @@ -198,7 +212,7 @@ static int ptrace_attach(struct task_str
52627 goto unlock_tasklist;
52629 task->ptrace = PT_PTRACED;
52630 - if (capable(CAP_SYS_PTRACE))
52631 + if (capable_nolog(CAP_SYS_PTRACE))
52632 task->ptrace |= PT_PTRACE_CAP;
52634 __ptrace_link(task, current);
52635 @@ -369,7 +383,7 @@ int ptrace_readdata(struct task_struct *
52639 - if (copy_to_user(dst, buf, retval))
52640 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
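Review bot: `retval > sizeof(buf)` compares the int retval with a size_t, so a negative retval would be promoted to unsigned and also take the -EFAULT path; that happens to fail safe, but since this bound guards the copy_to_user length an explicit form is clearer: `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`. The loop enclosing this check is outside the hunk.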
52644 @@ -565,7 +579,7 @@ int ptrace_request(struct task_struct *c
52648 - void __user *datavp = (void __user *) data;
52649 + void __user *datavp = (__force void __user *) data;
52650 unsigned long __user *datalp = datavp;
52653 @@ -713,14 +727,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
52654 if (!vx_check(vx_task_xid(child), VS_WATCH_P | VS_IDENT))
52655 goto out_put_task_struct;
52657 + if (gr_handle_ptrace(child, request)) {
52659 + goto out_put_task_struct;
52662 if (request == PTRACE_ATTACH) {
52663 ret = ptrace_attach(child);
52665 * Some architectures need to do book-keeping after
52670 arch_ptrace_attach(child);
52671 + gr_audit_ptrace(child);
52673 goto out_put_task_struct;
52676 @@ -855,14 +876,21 @@ asmlinkage long compat_sys_ptrace(compat
52680 + if (gr_handle_ptrace(child, request)) {
52682 + goto out_put_task_struct;
52685 if (request == PTRACE_ATTACH) {
52686 ret = ptrace_attach(child);
52688 * Some architectures need to do book-keeping after
52693 arch_ptrace_attach(child);
52694 + gr_audit_ptrace(child);
52696 goto out_put_task_struct;
52699 diff -urNp linux-2.6.38.4/kernel/rcutree.c linux-2.6.38.4/kernel/rcutree.c
52700 --- linux-2.6.38.4/kernel/rcutree.c 2011-03-14 21:20:32.000000000 -0400
52701 +++ linux-2.6.38.4/kernel/rcutree.c 2011-04-17 15:57:33.000000000 -0400
52702 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
52704 * Do softirq processing for the current CPU.
52706 -static void rcu_process_callbacks(struct softirq_action *unused)
52707 +static void rcu_process_callbacks(void)
52710 * Memory references from any prior RCU read-side critical sections
52711 diff -urNp linux-2.6.38.4/kernel/rcutree_plugin.h linux-2.6.38.4/kernel/rcutree_plugin.h
52712 --- linux-2.6.38.4/kernel/rcutree_plugin.h 2011-03-14 21:20:32.000000000 -0400
52713 +++ linux-2.6.38.4/kernel/rcutree_plugin.h 2011-04-17 15:57:33.000000000 -0400
52714 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
52716 /* Clean up and exit. */
52717 smp_mb(); /* ensure expedited GP seen before counter increment. */
52718 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
52719 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
52721 mutex_unlock(&sync_rcu_preempt_exp_mutex);
52723 diff -urNp linux-2.6.38.4/kernel/resource.c linux-2.6.38.4/kernel/resource.c
52724 --- linux-2.6.38.4/kernel/resource.c 2011-03-14 21:20:32.000000000 -0400
52725 +++ linux-2.6.38.4/kernel/resource.c 2011-04-17 15:57:33.000000000 -0400
52726 @@ -133,8 +133,18 @@ static const struct file_operations proc
52728 static int __init ioresources_init(void)
52730 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
52731 +#ifdef CONFIG_GRKERNSEC_PROC_USER
52732 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
52733 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
52734 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52735 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
52736 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
52739 proc_create("ioports", 0, NULL, &proc_ioports_operations);
52740 proc_create("iomem", 0, NULL, &proc_iomem_operations);
52744 __initcall(ioresources_init);
52745 diff -urNp linux-2.6.38.4/kernel/rtmutex.c linux-2.6.38.4/kernel/rtmutex.c
52746 --- linux-2.6.38.4/kernel/rtmutex.c 2011-03-14 21:20:32.000000000 -0400
52747 +++ linux-2.6.38.4/kernel/rtmutex.c 2011-04-17 15:57:33.000000000 -0400
52748 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
52750 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
52752 - WARN_ON(!pendowner->pi_blocked_on);
52753 + BUG_ON(!pendowner->pi_blocked_on);
52754 WARN_ON(pendowner->pi_blocked_on != waiter);
52755 WARN_ON(pendowner->pi_blocked_on->lock != lock);
52757 diff -urNp linux-2.6.38.4/kernel/sched.c linux-2.6.38.4/kernel/sched.c
52758 --- linux-2.6.38.4/kernel/sched.c 2011-04-18 17:27:14.000000000 -0400
52759 +++ linux-2.6.38.4/kernel/sched.c 2011-04-17 16:29:21.000000000 -0400
52760 @@ -4024,7 +4024,7 @@ EXPORT_SYMBOL(schedule);
52761 * Look out! "owner" is an entirely speculative pointer
52762 * access and not reliable.
52764 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
52765 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
52769 @@ -4038,10 +4038,10 @@ int mutex_spin_on_owner(struct mutex *lo
52770 * DEBUG_PAGEALLOC could have unmapped it if
52771 * the mutex owner just released it and exited.
52773 - if (probe_kernel_address(&owner->cpu, cpu))
52774 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
52777 - cpu = owner->cpu;
52778 + cpu = task_thread_info(owner)->cpu;
52782 @@ -4078,7 +4078,7 @@ int mutex_spin_on_owner(struct mutex *lo
52784 * Is that owner really running on that cpu?
52786 - if (task_thread_info(rq->curr) != owner || need_resched())
52787 + if (rq->curr != owner || need_resched())
52790 arch_mutex_cpu_relax();
52791 @@ -4638,6 +4638,8 @@ int can_nice(const struct task_struct *p
52792 /* convert nice value [19,-20] to rlimit style value [1,40] */
52793 int nice_rlim = 20 - nice;
52795 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
52797 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
52798 capable(CAP_SYS_NICE));
52800 @@ -4671,7 +4673,8 @@ SYSCALL_DEFINE1(nice, int, increment)
52804 - if (increment < 0 && !can_nice(current, nice))
52805 + if (increment < 0 && (!can_nice(current, nice) ||
52806 + gr_handle_chroot_nice()))
52807 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
52809 retval = security_task_setnice(current, nice);
52810 @@ -4814,6 +4817,7 @@ recheck:
52811 unsigned long rlim_rtprio =
52812 task_rlimit(p, RLIMIT_RTPRIO);
52814 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
52815 /* can't set/change the rt policy */
52816 if (policy != p->policy && !rlim_rtprio)
52818 @@ -6942,7 +6946,7 @@ static void init_sched_groups_power(int
52822 - WARN_ON(!sd || !sd->groups);
52823 + BUG_ON(!sd || !sd->groups);
52825 if (cpu != group_first_cpu(sd->groups))
52827 diff -urNp linux-2.6.38.4/kernel/sched_fair.c linux-2.6.38.4/kernel/sched_fair.c
52828 --- linux-2.6.38.4/kernel/sched_fair.c 2011-04-22 19:20:59.000000000 -0400
52829 +++ linux-2.6.38.4/kernel/sched_fair.c 2011-04-22 19:21:39.000000000 -0400
52830 @@ -3957,7 +3957,7 @@ static void nohz_idle_balance(int this_c
52831 * run_rebalance_domains is triggered when needed from the scheduler tick.
52832 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
52834 -static void run_rebalance_domains(struct softirq_action *h)
52835 +static void run_rebalance_domains(void)
52837 int this_cpu = smp_processor_id();
52838 struct rq *this_rq = cpu_rq(this_cpu);
52839 diff -urNp linux-2.6.38.4/kernel/signal.c linux-2.6.38.4/kernel/signal.c
52840 --- linux-2.6.38.4/kernel/signal.c 2011-04-18 17:27:18.000000000 -0400
52841 +++ linux-2.6.38.4/kernel/signal.c 2011-04-17 16:53:48.000000000 -0400
52842 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
52844 int print_fatal_signals __read_mostly;
52846 -static void __user *sig_handler(struct task_struct *t, int sig)
52847 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
52849 return t->sighand->action[sig - 1].sa.sa_handler;
52852 -static int sig_handler_ignored(void __user *handler, int sig)
52853 +static int sig_handler_ignored(__sighandler_t handler, int sig)
52855 /* Is it explicitly or implicitly ignored? */
52856 return handler == SIG_IGN ||
52857 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
52858 static int sig_task_ignored(struct task_struct *t, int sig,
52859 int from_ancestor_ns)
52861 - void __user *handler;
52862 + __sighandler_t handler;
52864 handler = sig_handler(t, sig);
52866 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
52867 atomic_inc(&user->sigpending);
52870 + if (!override_rlimit)
52871 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
52873 if (override_rlimit ||
52874 atomic_read(&user->sigpending) <=
52875 task_rlimit(t, RLIMIT_SIGPENDING)) {
52876 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
52878 int unhandled_signal(struct task_struct *tsk, int sig)
52880 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
52881 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
52882 if (is_global_init(tsk))
52884 if (handler != SIG_IGN && handler != SIG_DFL)
52885 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
52886 sig, info, t, vx_task_xid(t), t->pid, current->xid);
52890 + if (gr_handle_signal(t, sig))
52894 return security_task_kill(t, info, sig, 0);
52896 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
52897 return send_signal(sig, info, p, 1);
52902 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
52904 return send_signal(sig, info, t, 0);
52905 @@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo *
52906 unsigned long int flags;
52907 int ret, blocked, ignored;
52908 struct k_sigaction *action;
52909 + int is_unhandled = 0;
52911 spin_lock_irqsave(&t->sighand->siglock, flags);
52912 action = &t->sighand->action[sig-1];
52913 @@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo *
52915 if (action->sa.sa_handler == SIG_DFL)
52916 t->signal->flags &= ~SIGNAL_UNKILLABLE;
52917 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
52918 + is_unhandled = 1;
52919 ret = specific_send_sig_info(sig, info, t);
52920 spin_unlock_irqrestore(&t->sighand->siglock, flags);
52922 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
52923 + normal operation */
52924 + if (is_unhandled) {
52925 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
52926 + gr_handle_crash(t, sig);
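Review bot: `!is_si_special(info) ? info->si_addr : NULL` reads si_addr for any non-special siginfo, but si_addr lives in the _sigfault member of the siginfo union and only holds a fault address for SIGSEGV, SIGBUS, SIGILL, SIGFPE and SIGTRAP; for other signals the same bytes belong to another member (e.g. si_pid/si_uid of _kill), so gr_log_signal() would log a pid/uid pair as if it were an address. Either restrict the address argument to the fault signals before the call or have gr_log_signal() ignore it for other sig values. The same expression appears in the group_send_sig_info hunk that follows. force_sig_info's body continues outside the hunk.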
52932 @@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct
52933 ret = check_kill_permission(sig, info, p);
52937 + if (!ret && sig) {
52938 ret = do_send_sig_info(sig, info, p, true);
52940 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
52945 diff -urNp linux-2.6.38.4/kernel/smp.c linux-2.6.38.4/kernel/smp.c
52946 --- linux-2.6.38.4/kernel/smp.c 2011-04-18 17:27:14.000000000 -0400
52947 +++ linux-2.6.38.4/kernel/smp.c 2011-04-17 15:57:33.000000000 -0400
52948 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
52950 EXPORT_SYMBOL(smp_call_function);
52952 -void ipi_call_lock(void)
52953 +void ipi_call_lock(void) __acquires(call_function.lock)
52955 raw_spin_lock(&call_function.lock);
52958 -void ipi_call_unlock(void)
52959 +void ipi_call_unlock(void) __releases(call_function.lock)
52961 raw_spin_unlock(&call_function.lock);
52964 -void ipi_call_lock_irq(void)
52965 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
52967 raw_spin_lock_irq(&call_function.lock);
52970 -void ipi_call_unlock_irq(void)
52971 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
52973 raw_spin_unlock_irq(&call_function.lock);
52975 diff -urNp linux-2.6.38.4/kernel/softirq.c linux-2.6.38.4/kernel/softirq.c
52976 --- linux-2.6.38.4/kernel/softirq.c 2011-03-14 21:20:32.000000000 -0400
52977 +++ linux-2.6.38.4/kernel/softirq.c 2011-04-17 15:57:33.000000000 -0400
52978 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
52980 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
52982 -char *softirq_to_name[NR_SOFTIRQS] = {
52983 +const char * const softirq_to_name[NR_SOFTIRQS] = {
52984 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
52985 "TASKLET", "SCHED", "HRTIMER", "RCU"
52987 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
52989 asmlinkage void __do_softirq(void)
52991 - struct softirq_action *h;
52992 + const struct softirq_action *h;
52994 int max_restart = MAX_SOFTIRQ_RESTART;
52996 @@ -235,7 +235,7 @@ restart:
52997 kstat_incr_softirqs_this_cpu(vec_nr);
52999 trace_softirq_entry(vec_nr);
53002 trace_softirq_exit(vec_nr);
53003 if (unlikely(prev_count != preempt_count())) {
53004 printk(KERN_ERR "huh, entered softirq %u %s %p"
53005 @@ -365,7 +365,7 @@ void raise_softirq(unsigned int nr)
53006 local_irq_restore(flags);
53009 -void open_softirq(int nr, void (*action)(struct softirq_action *))
53010 +void open_softirq(int nr, void (*action)(void))
53012 softirq_vec[nr].action = action;
53014 @@ -421,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
53016 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
53018 -static void tasklet_action(struct softirq_action *a)
53019 +static void tasklet_action(void)
53021 struct tasklet_struct *list;
53023 @@ -456,7 +456,7 @@ static void tasklet_action(struct softir
53027 -static void tasklet_hi_action(struct softirq_action *a)
53028 +static void tasklet_hi_action(void)
53030 struct tasklet_struct *list;
53032 diff -urNp linux-2.6.38.4/kernel/sys.c linux-2.6.38.4/kernel/sys.c
53033 --- linux-2.6.38.4/kernel/sys.c 2011-03-14 21:20:32.000000000 -0400
53034 +++ linux-2.6.38.4/kernel/sys.c 2011-04-17 15:57:33.000000000 -0400
53035 @@ -136,6 +136,12 @@ static int set_one_prio(struct task_stru
53040 + if (gr_handle_chroot_setpriority(p, niceval)) {
53045 no_nice = security_task_setnice(p, niceval);
53048 @@ -517,6 +523,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
53052 + if (gr_check_group_change(new->gid, new->egid, -1))
53055 if (rgid != (gid_t) -1 ||
53056 (egid != (gid_t) -1 && egid != old->gid))
53057 new->sgid = new->egid;
53058 @@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
53059 old = current_cred();
53063 + if (gr_check_group_change(gid, gid, gid))
53066 if (capable(CAP_SETGID))
53067 new->gid = new->egid = new->sgid = new->fsgid = gid;
53068 else if (gid == old->gid || gid == old->sgid)
53069 @@ -626,6 +639,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
53073 + if (gr_check_user_change(new->uid, new->euid, -1))
53076 if (new->uid != old->uid) {
53077 retval = set_user(new);
53079 @@ -670,6 +686,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
53080 old = current_cred();
53084 + if (gr_check_crash_uid(uid))
53086 + if (gr_check_user_change(uid, uid, uid))
53089 if (capable(CAP_SETUID)) {
53090 new->suid = new->uid = uid;
53091 if (uid != old->uid) {
53092 @@ -724,6 +746,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
53096 + if (gr_check_user_change(ruid, euid, -1))
53099 if (ruid != (uid_t) -1) {
53101 if (ruid != old->uid) {
53102 @@ -788,6 +813,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
53106 + if (gr_check_group_change(rgid, egid, -1))
53109 if (rgid != (gid_t) -1)
53111 if (egid != (gid_t) -1)
53112 @@ -834,6 +862,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
53113 old = current_cred();
53114 old_fsuid = old->fsuid;
53116 + if (gr_check_user_change(-1, -1, uid))
53119 if (uid == old->uid || uid == old->euid ||
53120 uid == old->suid || uid == old->fsuid ||
53121 capable(CAP_SETUID)) {
53122 @@ -844,6 +875,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
53130 @@ -870,12 +902,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
53131 if (gid == old->gid || gid == old->egid ||
53132 gid == old->sgid || gid == old->fsgid ||
53133 capable(CAP_SETGID)) {
53134 + if (gr_check_group_change(-1, -1, gid))
53137 if (gid != old_fsgid) {
53147 @@ -1616,7 +1652,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
53148 error = get_dumpable(me->mm);
53150 case PR_SET_DUMPABLE:
53151 - if (arg2 < 0 || arg2 > 1) {
53156 diff -urNp linux-2.6.38.4/kernel/sysctl.c linux-2.6.38.4/kernel/sysctl.c
53157 --- linux-2.6.38.4/kernel/sysctl.c 2011-04-18 17:27:16.000000000 -0400
53158 +++ linux-2.6.38.4/kernel/sysctl.c 2011-04-17 15:57:33.000000000 -0400
53162 #if defined(CONFIG_SYSCTL)
53163 +#include <linux/grsecurity.h>
53164 +#include <linux/grinternal.h>
53166 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
53167 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
53169 +extern int gr_handle_chroot_sysctl(const int op);
53171 /* External variables not in a header file. */
53172 extern int sysctl_overcommit_memory;
53173 @@ -195,6 +202,7 @@ static int sysrq_sysctl_handler(ctl_tabl
53177 +extern struct ctl_table grsecurity_table[];
53179 static struct ctl_table root_table[];
53180 static struct ctl_table_root sysctl_table_root;
53181 @@ -224,6 +232,20 @@ extern struct ctl_table epoll_table[];
53182 int sysctl_legacy_va_layout;
53185 +#ifdef CONFIG_PAX_SOFTMODE
53186 +static ctl_table pax_table[] = {
53188 + .procname = "softmode",
53189 + .data = &pax_softmode,
53190 + .maxlen = sizeof(unsigned int),
53192 + .proc_handler = &proc_dointvec,
53199 /* The default sysctl tables: */
53201 static struct ctl_table root_table[] = {
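Review bot: The `softmode` entry uses `proc_dointvec` with no bounds, so any int can be written to pax_softmode; if the variable is an on/off switch, as its name suggests (its consumer is not on this page), `proc_dointvec_minmax` with `.extra1`/`.extra2` limiting it to 0..1 would reject stray values at the sysctl boundary. The entry's `.mode` line is not visible here, so the intended writer set cannot be confirmed. As a point of style, `.proc_handler = &proc_dointvec` takes the handler's address explicitly while the other entries in this file (for example the modprobe_path entry below) name the handler bare.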
53202 @@ -270,6 +292,22 @@ static int max_extfrag_threshold = 1000;
53205 static struct ctl_table kern_table[] = {
53206 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
53208 + .procname = "grsecurity",
53210 + .child = grsecurity_table,
53214 +#ifdef CONFIG_PAX_SOFTMODE
53216 + .procname = "pax",
53218 + .child = pax_table,
53223 .procname = "sched_child_runs_first",
53224 .data = &sysctl_sched_child_runs_first,
53225 @@ -551,7 +589,7 @@ static struct ctl_table kern_table[] = {
53226 .data = &modprobe_path,
53227 .maxlen = KMOD_PATH_LEN,
53229 - .proc_handler = proc_dostring,
53230 + .proc_handler = proc_dostring_modpriv,
53233 .procname = "modules_disabled",
53234 @@ -713,16 +751,20 @@ static struct ctl_table kern_table[] = {
53240 .procname = "kptr_restrict",
53241 .data = &kptr_restrict,
53242 .maxlen = sizeof(int),
53244 .proc_handler = proc_dmesg_restrict,
53245 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53254 .procname = "ngroups_max",
53255 .data = &ngroups_max,
53256 @@ -1187,6 +1229,13 @@ static struct ctl_table vm_table[] = {
53257 .proc_handler = proc_dointvec_minmax,
53261 + .procname = "heap_stack_gap",
53262 + .data = &sysctl_heap_stack_gap,
53263 + .maxlen = sizeof(sysctl_heap_stack_gap),
53265 + .proc_handler = proc_doulongvec_minmax,
53269 .procname = "nr_trim_pages",
53270 @@ -1698,6 +1747,16 @@ int sysctl_perm(struct ctl_table_root *r
53274 + if (table->parent != NULL && table->parent->procname != NULL &&
53275 + table->procname != NULL &&
53276 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
53278 + if (gr_handle_chroot_sysctl(op))
53280 + error = gr_handle_sysctl(table, op);
53284 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
53287 @@ -2105,6 +2164,16 @@ int proc_dostring(struct ctl_table *tabl
53288 buffer, lenp, ppos);
53291 +int proc_dostring_modpriv(struct ctl_table *table, int write,
53292 + void __user *buffer, size_t *lenp, loff_t *ppos)
53294 + if (write && !capable(CAP_SYS_MODULE))
53297 + return _proc_do_string(table->data, table->maxlen, write,
53298 + buffer, lenp, ppos);
53301 static size_t proc_skip_spaces(char **buf)
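Review bot: proc_dostring_modpriv has no comment saying why a write is gated on CAP_SYS_MODULE rather than on the sysctl file mode alone, and since it is exported (EXPORT_SYMBOL in the hunk below) and wired to the modprobe_path entry in kern_table above, the contract deserves stating. Suggest a header comment such as `/* Like proc_dostring, but a write additionally requires CAP_SYS_MODULE: the string names the helper the kernel executes to load modules, so only a caller already allowed to load modules may change it. */`. The value returned for the rejected write is not visible in this hunk (presumably -EPERM); the read path is the same as proc_dostring.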
53304 @@ -2210,6 +2279,8 @@ static int proc_put_long(void __user **b
53308 + if (len > sizeof(tmp))
53309 + len = sizeof(tmp);
53310 if (copy_to_user(*buf, tmp, len))
53313 @@ -2526,8 +2597,11 @@ static int __do_proc_doulongvec_minmax(v
53316 val = convdiv * (*i) / convmul;
53319 err = proc_put_char(&buffer, &left, '\t');
53323 err = proc_put_long(&buffer, &left, val, false);
53326 @@ -2922,6 +2996,12 @@ int proc_dostring(struct ctl_table *tabl
53330 +int proc_dostring_modpriv(struct ctl_table *table, int write,
53331 + void __user *buffer, size_t *lenp, loff_t *ppos)
53336 int proc_dointvec(struct ctl_table *table, int write,
53337 void __user *buffer, size_t *lenp, loff_t *ppos)
53339 @@ -2978,6 +3058,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
53340 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
53341 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
53342 EXPORT_SYMBOL(proc_dostring);
53343 +EXPORT_SYMBOL(proc_dostring_modpriv);
53344 EXPORT_SYMBOL(proc_doulongvec_minmax);
53345 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
53346 EXPORT_SYMBOL(register_sysctl_table);
53347 diff -urNp linux-2.6.38.4/kernel/sysctl_check.c linux-2.6.38.4/kernel/sysctl_check.c
53348 --- linux-2.6.38.4/kernel/sysctl_check.c 2011-03-14 21:20:32.000000000 -0400
53349 +++ linux-2.6.38.4/kernel/sysctl_check.c 2011-04-17 15:57:33.000000000 -0400
53350 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
53351 set_fail(&fail, table, "Directory with extra2");
53353 if ((table->proc_handler == proc_dostring) ||
53354 + (table->proc_handler == proc_dostring_modpriv) ||
53355 (table->proc_handler == proc_dointvec) ||
53356 (table->proc_handler == proc_dointvec_minmax) ||
53357 (table->proc_handler == proc_dointvec_jiffies) ||
53358 diff -urNp linux-2.6.38.4/kernel/taskstats.c linux-2.6.38.4/kernel/taskstats.c
53359 --- linux-2.6.38.4/kernel/taskstats.c 2011-03-14 21:20:32.000000000 -0400
53360 +++ linux-2.6.38.4/kernel/taskstats.c 2011-04-17 15:57:33.000000000 -0400
53362 #include <linux/cgroup.h>
53363 #include <linux/fs.h>
53364 #include <linux/file.h>
53365 +#include <linux/grsecurity.h>
53366 #include <net/genetlink.h>
53367 #include <asm/atomic.h>
53369 +extern int gr_is_taskstats_denied(int pid);
53372 * Maximum length of a cpumask that can be specified in
53373 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
53374 @@ -549,6 +552,9 @@ err:
53376 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
53378 + if (gr_is_taskstats_denied(current->pid))
53381 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
53382 return cmd_attr_register_cpumask(info);
53383 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
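Review bot: The new gate passes `current->pid`, the global pid number, to gr_is_taskstats_denied(); if the grsecurity side compares it with pids obtained inside a pid namespace, a namespaced caller would be evaluated under the wrong number. `task_pid_vnr(current)` is the namespace-relative value; which one is right depends on the callee, whose implementation is not on this page (only its `int pid` prototype, declared earlier in this file). The value returned on denial is not visible in this hunk either, and a short comment naming which pid type the hook expects would settle the question for the next reader.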
53384 diff -urNp linux-2.6.38.4/kernel/time/tick-broadcast.c linux-2.6.38.4/kernel/time/tick-broadcast.c
53385 --- linux-2.6.38.4/kernel/time/tick-broadcast.c 2011-03-14 21:20:32.000000000 -0400
53386 +++ linux-2.6.38.4/kernel/time/tick-broadcast.c 2011-04-17 15:57:33.000000000 -0400
53387 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
53388 * then clear the broadcast bit.
53390 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
53391 - int cpu = smp_processor_id();
53392 + cpu = smp_processor_id();
53394 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
53395 tick_broadcast_clear_oneshot(cpu);
53396 diff -urNp linux-2.6.38.4/kernel/time/timekeeping.c linux-2.6.38.4/kernel/time/timekeeping.c
53397 --- linux-2.6.38.4/kernel/time/timekeeping.c 2011-03-14 21:20:32.000000000 -0400
53398 +++ linux-2.6.38.4/kernel/time/timekeeping.c 2011-04-17 15:57:33.000000000 -0400
53400 #include <linux/init.h>
53401 #include <linux/mm.h>
53402 #include <linux/sched.h>
53403 +#include <linux/grsecurity.h>
53404 #include <linux/sysdev.h>
53405 #include <linux/clocksource.h>
53406 #include <linux/jiffies.h>
53407 @@ -361,6 +362,8 @@ int do_settimeofday(struct timespec *tv)
53408 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
53411 + gr_log_timechange();
53413 write_seqlock_irqsave(&xtime_lock, flags);
53415 timekeeping_forward_now();
53416 diff -urNp linux-2.6.38.4/kernel/time/timer_list.c linux-2.6.38.4/kernel/time/timer_list.c
53417 --- linux-2.6.38.4/kernel/time/timer_list.c 2011-03-14 21:20:32.000000000 -0400
53418 +++ linux-2.6.38.4/kernel/time/timer_list.c 2011-04-17 15:57:33.000000000 -0400
53419 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
53421 static void print_name_offset(struct seq_file *m, void *sym)
53423 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53424 + SEQ_printf(m, "<%p>", NULL);
53426 char symname[KSYM_NAME_LEN];
53428 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
53429 SEQ_printf(m, "<%pK>", sym);
53431 SEQ_printf(m, "%s", symname);
53436 @@ -112,7 +116,11 @@ next_one:
53438 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
53440 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53441 + SEQ_printf(m, " .base: %p\n", NULL);
53443 SEQ_printf(m, " .base: %pK\n", base);
53445 SEQ_printf(m, " .index: %d\n",
53447 SEQ_printf(m, " .resolution: %Lu nsecs\n",
53448 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
53450 struct proc_dir_entry *pe;
53452 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53453 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
53455 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
53460 diff -urNp linux-2.6.38.4/kernel/time/timer_stats.c linux-2.6.38.4/kernel/time/timer_stats.c
53461 --- linux-2.6.38.4/kernel/time/timer_stats.c 2011-03-14 21:20:32.000000000 -0400
53462 +++ linux-2.6.38.4/kernel/time/timer_stats.c 2011-04-17 15:57:33.000000000 -0400
53463 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
53465 static void print_name_offset(struct seq_file *m, unsigned long addr)
53467 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53468 + seq_printf(m, "<%p>", NULL);
53470 char symname[KSYM_NAME_LEN];
53472 if (lookup_symbol_name(addr, symname) < 0)
53473 seq_printf(m, "<%p>", (void *)addr);
53475 seq_printf(m, "%s", symname);
53479 static int tstats_show(struct seq_file *m, void *v)
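Review bot: The fallback branch of print_name_offset still formats the address with `%p`, whereas the same function in kernel/time/timer_list.c (hunk above) uses `%pK`; without CONFIG_GRKERNSEC_HIDESYM the timer_stats output therefore ignores kptr_restrict while timer_list honors it. `seq_printf(m, "<%pK>", (void *)addr);` would make the two consistent, and with the kptr_restrict default raised to 2 in the lib/vsprintf.c hunk below it would be masked for every reader. The `#else`/`#endif` lines of the new conditional are not visible in this hunk.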
53480 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
53482 struct proc_dir_entry *pe;
53484 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53485 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
53487 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
53492 diff -urNp linux-2.6.38.4/kernel/time.c linux-2.6.38.4/kernel/time.c
53493 --- linux-2.6.38.4/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
53494 +++ linux-2.6.38.4/kernel/time.c 2011-04-17 15:57:33.000000000 -0400
53495 @@ -163,6 +163,11 @@ int do_sys_settimeofday(struct timespec
53499 + /* we log in do_settimeofday called below, so don't log twice
53502 + gr_log_timechange();
53504 /* SMP safe, global irq locking makes it work. */
53506 update_vsyscall_tz();
53507 diff -urNp linux-2.6.38.4/kernel/timer.c linux-2.6.38.4/kernel/timer.c
53508 --- linux-2.6.38.4/kernel/timer.c 2011-03-14 21:20:32.000000000 -0400
53509 +++ linux-2.6.38.4/kernel/timer.c 2011-04-17 15:57:33.000000000 -0400
53510 @@ -1276,7 +1276,7 @@ void update_process_times(int user_tick)
53512 * This function runs timers and the timer-tq in bottom half context.
53514 -static void run_timer_softirq(struct softirq_action *h)
53515 +static void run_timer_softirq(void)
53517 struct tvec_base *base = __this_cpu_read(tvec_bases);
53519 diff -urNp linux-2.6.38.4/kernel/trace/ftrace.c linux-2.6.38.4/kernel/trace/ftrace.c
53520 --- linux-2.6.38.4/kernel/trace/ftrace.c 2011-04-18 17:27:14.000000000 -0400
53521 +++ linux-2.6.38.4/kernel/trace/ftrace.c 2011-04-17 15:57:33.000000000 -0400
53522 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
53526 + ret = ftrace_arch_code_modify_prepare();
53527 + FTRACE_WARN_ON(ret);
53531 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
53532 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
53534 ftrace_bug(ret, ip);
53535 rec->flags |= FTRACE_FL_FAILED;
53539 + return ret ? 0 : 1;
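Review bot: The result of ftrace_arch_code_modify_post_process() is only handed to FTRACE_WARN_ON and then dropped, so the function still returns 1 (success) when the nop was written but the post-processing step failed; only ftrace_make_nop's `ret` reaches `return ret ? 0 : 1;`. If a failed post-process is meant to leave the record usable, a comment saying so would help; otherwise keep its result in a second variable and fold it into the final return so the caller learns of the failure. The lines between the prepare warning and the ftrace_make_nop call are not shown, so how a failed prepare is handled cannot be confirmed here, and the function's header lies outside the hunk.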
53543 diff -urNp linux-2.6.38.4/kernel/trace/ring_buffer.c linux-2.6.38.4/kernel/trace/ring_buffer.c
53544 --- linux-2.6.38.4/kernel/trace/ring_buffer.c 2011-03-14 21:20:32.000000000 -0400
53545 +++ linux-2.6.38.4/kernel/trace/ring_buffer.c 2011-04-17 15:57:33.000000000 -0400
53546 @@ -669,7 +669,7 @@ static struct list_head *rb_list_head(st
53547 * the reader page). But if the next page is a header page,
53548 * its flags will be non zero.
53552 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
53553 struct buffer_page *page, struct list_head *list)
53555 diff -urNp linux-2.6.38.4/kernel/trace/trace.c linux-2.6.38.4/kernel/trace/trace.c
53556 --- linux-2.6.38.4/kernel/trace/trace.c 2011-03-14 21:20:32.000000000 -0400
53557 +++ linux-2.6.38.4/kernel/trace/trace.c 2011-04-17 15:57:33.000000000 -0400
53558 @@ -3967,10 +3967,9 @@ static const struct file_operations trac
53562 -static struct dentry *d_tracer;
53564 struct dentry *tracing_init_dentry(void)
53566 + static struct dentry *d_tracer;
53570 @@ -3990,10 +3989,9 @@ struct dentry *tracing_init_dentry(void)
53574 -static struct dentry *d_percpu;
53576 struct dentry *tracing_dentry_percpu(void)
53578 + static struct dentry *d_percpu;
53580 struct dentry *d_tracer;
53582 diff -urNp linux-2.6.38.4/kernel/trace/trace_events.c linux-2.6.38.4/kernel/trace/trace_events.c
53583 --- linux-2.6.38.4/kernel/trace/trace_events.c 2011-03-14 21:20:32.000000000 -0400
53584 +++ linux-2.6.38.4/kernel/trace/trace_events.c 2011-04-17 15:57:33.000000000 -0400
53585 @@ -1240,10 +1240,10 @@ static LIST_HEAD(ftrace_module_file_list
53586 struct ftrace_module_file_ops {
53587 struct list_head list;
53588 struct module *mod;
53589 - struct file_operations id;
53590 - struct file_operations enable;
53591 - struct file_operations format;
53592 - struct file_operations filter;
53593 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
53594 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
53595 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
53596 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
53599 static struct ftrace_module_file_ops *
53600 diff -urNp linux-2.6.38.4/kernel/trace/trace_output.c linux-2.6.38.4/kernel/trace/trace_output.c
53601 --- linux-2.6.38.4/kernel/trace/trace_output.c 2011-03-14 21:20:32.000000000 -0400
53602 +++ linux-2.6.38.4/kernel/trace/trace_output.c 2011-04-17 15:57:33.000000000 -0400
53603 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
53605 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
53607 - p = mangle_path(s->buffer + s->len, p, "\n");
53608 + p = mangle_path(s->buffer + s->len, p, "\n\\");
53610 s->len = p - s->buffer;
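Review bot: The escape set passed to mangle_path grows from "\n" to "\n\\" without a comment, and the reason is not obvious to a later reader: once a newline is rendered as the two characters backslash-n, a literal backslash in a path name is indistinguishable from that escape unless it is escaped as well. Suggest `/* escape '\\' too, so a literal backslash in the path cannot be confused with the newline escape */` above the call. trace_seq_path's body continues outside the hunk.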
53612 diff -urNp linux-2.6.38.4/kernel/trace/trace_stack.c linux-2.6.38.4/kernel/trace/trace_stack.c
53613 --- linux-2.6.38.4/kernel/trace/trace_stack.c 2011-03-14 21:20:32.000000000 -0400
53614 +++ linux-2.6.38.4/kernel/trace/trace_stack.c 2011-04-17 15:57:33.000000000 -0400
53615 @@ -50,7 +50,7 @@ static inline void check_stack(void)
53618 /* we do not handle interrupt stacks yet */
53619 - if (!object_is_on_stack(&this_size))
53620 + if (!object_starts_on_stack(&this_size))
53623 local_irq_save(flags);
53624 diff -urNp linux-2.6.38.4/kernel/trace/trace_workqueue.c linux-2.6.38.4/kernel/trace/trace_workqueue.c
53625 --- linux-2.6.38.4/kernel/trace/trace_workqueue.c 2011-03-14 21:20:32.000000000 -0400
53626 +++ linux-2.6.38.4/kernel/trace/trace_workqueue.c 2011-04-17 15:57:33.000000000 -0400
53627 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
53630 /* Can be inserted from interrupt or user context, need to be atomic */
53631 - atomic_t inserted;
53632 + atomic_unchecked_t inserted;
53634 * Don't need to be atomic, works are serialized in a single workqueue thread
53636 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
53637 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
53638 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
53639 if (node->pid == wq_thread->pid) {
53640 - atomic_inc(&node->inserted);
53641 + atomic_inc_unchecked(&node->inserted);
53645 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
53646 tsk = get_pid_task(pid, PIDTYPE_PID);
53648 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
53649 - atomic_read(&cws->inserted), cws->executed,
53650 + atomic_read_unchecked(&cws->inserted), cws->executed,
53652 put_task_struct(tsk);
53654 diff -urNp linux-2.6.38.4/lib/bug.c linux-2.6.38.4/lib/bug.c
53655 --- linux-2.6.38.4/lib/bug.c 2011-03-14 21:20:32.000000000 -0400
53656 +++ linux-2.6.38.4/lib/bug.c 2011-04-17 15:57:33.000000000 -0400
53657 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
53658 return BUG_TRAP_TYPE_NONE;
53660 bug = find_bug(bugaddr);
53662 + return BUG_TRAP_TYPE_NONE;
53666 diff -urNp linux-2.6.38.4/lib/debugobjects.c linux-2.6.38.4/lib/debugobjects.c
53667 --- linux-2.6.38.4/lib/debugobjects.c 2011-03-14 21:20:32.000000000 -0400
53668 +++ linux-2.6.38.4/lib/debugobjects.c 2011-04-17 15:57:33.000000000 -0400
53669 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
53673 - is_on_stack = object_is_on_stack(addr);
53674 + is_on_stack = object_starts_on_stack(addr);
53675 if (is_on_stack == onstack)
53678 diff -urNp linux-2.6.38.4/lib/dma-debug.c linux-2.6.38.4/lib/dma-debug.c
53679 --- linux-2.6.38.4/lib/dma-debug.c 2011-03-14 21:20:32.000000000 -0400
53680 +++ linux-2.6.38.4/lib/dma-debug.c 2011-04-17 15:57:33.000000000 -0400
53681 @@ -862,7 +862,7 @@ out:
53683 static void check_for_stack(struct device *dev, void *addr)
53685 - if (object_is_on_stack(addr))
53686 + if (object_starts_on_stack(addr))
53687 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
53688 "stack [addr=%p]\n", addr);
53690 diff -urNp linux-2.6.38.4/lib/inflate.c linux-2.6.38.4/lib/inflate.c
53691 --- linux-2.6.38.4/lib/inflate.c 2011-03-14 21:20:32.000000000 -0400
53692 +++ linux-2.6.38.4/lib/inflate.c 2011-04-17 15:57:33.000000000 -0400
53693 @@ -269,7 +269,7 @@ static void free(void *where)
53694 malloc_ptr = free_mem_ptr;
53697 -#define malloc(a) kmalloc(a, GFP_KERNEL)
53698 +#define malloc(a) kmalloc((a), GFP_KERNEL)
53699 #define free(a) kfree(a)
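Review bot: The malloc macro now parenthesizes its argument, but the free macro on the next line still expands `a` bare; for consistency with the reasoning behind the change, `#define free(a) kfree((a))`. Both are file-local macros with simple call sites, so the practical risk is small.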
53702 diff -urNp linux-2.6.38.4/lib/Kconfig.debug linux-2.6.38.4/lib/Kconfig.debug
53703 --- linux-2.6.38.4/lib/Kconfig.debug 2011-04-22 19:20:59.000000000 -0400
53704 +++ linux-2.6.38.4/lib/Kconfig.debug 2011-04-22 19:21:39.000000000 -0400
53705 @@ -1066,6 +1066,7 @@ config LATENCYTOP
53706 depends on DEBUG_KERNEL
53707 depends on STACKTRACE_SUPPORT
53709 + depends on !GRKERNSEC_HIDESYM
53710 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
53712 select KALLSYMS_ALL
53713 diff -urNp linux-2.6.38.4/lib/kref.c linux-2.6.38.4/lib/kref.c
53714 --- linux-2.6.38.4/lib/kref.c 2011-03-14 21:20:32.000000000 -0400
53715 +++ linux-2.6.38.4/lib/kref.c 2011-04-17 15:57:33.000000000 -0400
53716 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
53718 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
53720 - WARN_ON(release == NULL);
53721 + BUG_ON(release == NULL);
53722 WARN_ON(release == (void (*)(struct kref *))kfree);
53724 if (atomic_dec_and_test(&kref->refcount)) {
53725 diff -urNp linux-2.6.38.4/lib/radix-tree.c linux-2.6.38.4/lib/radix-tree.c
53726 --- linux-2.6.38.4/lib/radix-tree.c 2011-03-14 21:20:32.000000000 -0400
53727 +++ linux-2.6.38.4/lib/radix-tree.c 2011-04-17 15:57:33.000000000 -0400
53728 @@ -80,7 +80,7 @@ struct radix_tree_preload {
53730 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
53732 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
53733 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
53735 static inline void *ptr_to_indirect(void *ptr)
53737 diff -urNp linux-2.6.38.4/lib/vsprintf.c linux-2.6.38.4/lib/vsprintf.c
53738 --- linux-2.6.38.4/lib/vsprintf.c 2011-04-22 19:20:59.000000000 -0400
53739 +++ linux-2.6.38.4/lib/vsprintf.c 2011-04-22 19:21:39.000000000 -0400
53741 * - scnprintf and vscnprintf
53744 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53745 +#define __INCLUDED_BY_HIDESYM 1
53747 #include <stdarg.h>
53748 #include <linux/module.h>
53749 #include <linux/types.h>
53750 @@ -433,7 +436,7 @@ char *symbol_string(char *buf, char *end
53751 unsigned long value = (unsigned long) ptr;
53752 #ifdef CONFIG_KALLSYMS
53753 char sym[KSYM_SYMBOL_LEN];
53754 - if (ext != 'f' && ext != 's')
53755 + if (ext != 'f' && ext != 's' && ext != 'a')
53756 sprint_symbol(sym, value);
53758 kallsyms_lookup(value, NULL, NULL, NULL, sym);
53759 @@ -795,7 +798,11 @@ char *uuid_string(char *buf, char *end,
53760 return string(buf, end, uuid, spec);
53763 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53764 +int kptr_restrict = 2;
53766 int kptr_restrict = 1;
53770 * Show a '%p' thing. A kernel extension is that the '%p' is followed
53771 @@ -808,6 +815,8 @@ int kptr_restrict = 1;
53772 * - 'f' For simple symbolic function names without offset
53773 * - 'S' For symbolic direct pointers with offset
53774 * - 's' For symbolic direct pointers without offset
53775 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
53776 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
53777 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
53778 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
53779 * - 'M' For a 6-byte MAC address, it prints the address in the
53780 @@ -852,12 +861,12 @@ char *pointer(const char *fmt, char *buf
53784 - * Print (null) with the same width as a pointer so it makes
53785 + * Print (nil) with the same width as a pointer so it makes
53786 * tabular output look nice.
53788 if (spec.field_width == -1)
53789 spec.field_width = 2 * sizeof(void *);
53790 - return string(buf, end, "(null)", spec);
53791 + return string(buf, end, "(nil)", spec);
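Review bot: Rendering a NULL `%p` argument as "(nil)" instead of "(null)" is a user-visible change to every printk and seq_file consumer, and nothing next to the return says why; any log parsing or test expectation matching the old text stops matching. The motivation is presumably the HIDESYM paths added in the timer_list and timer_stats hunks above, which print `<%p>` with NULL on purpose, but that should be written down, e.g. `/* "(nil)" matches glibc's printf; HIDESYM callers pass NULL deliberately */`. The updated comment at the top of the hunk describes the width handling only.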
53795 @@ -867,6 +876,13 @@ char *pointer(const char *fmt, char *buf
53799 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53802 + return symbol_string(buf, end, ptr, spec, *fmt);
53806 return symbol_string(buf, end, ptr, spec, *fmt);
53809 @@ -1631,11 +1647,11 @@ int bstr_printf(char *buf, size_t size,
53810 typeof(type) value; \
53811 if (sizeof(type) == 8) { \
53812 args = PTR_ALIGN(args, sizeof(u32)); \
53813 - *(u32 *)&value = *(u32 *)args; \
53814 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
53815 + *(u32 *)&value = *(const u32 *)args; \
53816 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
53818 args = PTR_ALIGN(args, sizeof(type)); \
53819 - value = *(typeof(type) *)args; \
53820 + value = *(const typeof(type) *)args; \
53822 args += sizeof(type); \
53824 @@ -1698,7 +1714,7 @@ int bstr_printf(char *buf, size_t size,
53825 case FORMAT_TYPE_STR: {
53826 const char *str_arg = args;
53827 args += strlen(str_arg) + 1;
53828 - str = string(str, end, (char *)str_arg, spec);
53829 + str = string(str, end, str_arg, spec);
53833 diff -urNp linux-2.6.38.4/localversion-grsec linux-2.6.38.4/localversion-grsec
53834 --- linux-2.6.38.4/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
53835 +++ linux-2.6.38.4/localversion-grsec 2011-04-17 15:57:33.000000000 -0400
53838 diff -urNp linux-2.6.38.4/Makefile linux-2.6.38.4/Makefile
53839 --- linux-2.6.38.4/Makefile 2011-04-22 19:20:59.000000000 -0400
53840 +++ linux-2.6.38.4/Makefile 2011-04-22 19:21:10.000000000 -0400
53841 @@ -233,8 +233,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
53845 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
53846 -HOSTCXXFLAGS = -O2
53847 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
53848 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
53850 # Decide whether to build built-in, modular, or both.
53851 # Normally, just do built-in.
53852 @@ -681,7 +681,7 @@ export mod_strip_cmd
53855 ifeq ($(KBUILD_EXTMOD),)
53856 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
53857 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
53859 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
53860 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
53861 diff -urNp linux-2.6.38.4/mm/bootmem.c linux-2.6.38.4/mm/bootmem.c
53862 --- linux-2.6.38.4/mm/bootmem.c 2011-03-14 21:20:32.000000000 -0400
53863 +++ linux-2.6.38.4/mm/bootmem.c 2011-04-17 15:57:33.000000000 -0400
53864 @@ -201,19 +201,30 @@ static void __init __free_pages_memory(u
53865 unsigned long __init free_all_memory_core_early(int nodeid)
53869 + u64 start, end, startrange, endrange;
53870 unsigned long count = 0;
53871 - struct range *range = NULL;
53872 + struct range *range = NULL, rangerange = { 0, 0 };
53875 nr_range = get_free_all_memory_range(&range, nodeid);
53876 + startrange = __pa(range) >> PAGE_SHIFT;
53877 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
53879 for (i = 0; i < nr_range; i++) {
53880 start = range[i].start;
53881 end = range[i].end;
53882 + if (start <= endrange && startrange < end) {
53883 + BUG_ON(rangerange.start | rangerange.end);
53884 + rangerange = range[i];
53887 count += end - start;
53888 __free_pages_memory(start, end);
53890 + start = rangerange.start;
53891 + end = rangerange.end;
53892 + count += end - start;
53893 + __free_pages_memory(start, end);
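Review bot: Nothing in the hunk says why one range is held back: the `range` array returned by get_free_all_memory_range() lives inside the memory being freed, so the range containing it (`startrange`..`endrange`, in page frames) must be released only after the loop has stopped reading `range[]`, and the BUG_ON asserts the array is covered by at most one range; a comment to that effect above the `startrange` assignment would spare the next reader the reconstruction. The `{ 0, 0 }` sentinel means the trailing `__free_pages_memory(start, end)` is reached even when no range overlapped, which is harmless only if that helper tolerates an empty range (its body is not on this page), and an overlapping range with start and end both zero would not trip the BUG_ON. The `continue` that skips the in-loop free for the held-back range is not visible in this hunk; without it that range would be freed twice.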
53897 diff -urNp linux-2.6.38.4/mm/filemap.c linux-2.6.38.4/mm/filemap.c
53898 --- linux-2.6.38.4/mm/filemap.c 2011-03-14 21:20:32.000000000 -0400
53899 +++ linux-2.6.38.4/mm/filemap.c 2011-04-17 15:57:33.000000000 -0400
53900 @@ -1664,7 +1664,7 @@ int generic_file_mmap(struct file * file
53901 struct address_space *mapping = file->f_mapping;
53903 if (!mapping->a_ops->readpage)
53906 file_accessed(file);
53907 vma->vm_ops = &generic_file_vm_ops;
53908 vma->vm_flags |= VM_CAN_NONLINEAR;
53909 @@ -2060,6 +2060,7 @@ inline int generic_write_checks(struct f
53910 *pos = i_size_read(inode);
53912 if (limit != RLIM_INFINITY) {
53913 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
53914 if (*pos >= limit) {
53915 send_sig(SIGXFSZ, current, 0);
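Review bot: Style: the added call lacks the space after the comma, `gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0);`. The call sits before the `*pos >= limit` test, so it records the attempted position even when the write is about to be refused with SIGXFSZ; that looks intended for a learning hook but is worth a short comment, since the function's remaining body is outside the hunk.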
53917 diff -urNp linux-2.6.38.4/mm/fremap.c linux-2.6.38.4/mm/fremap.c
53918 --- linux-2.6.38.4/mm/fremap.c 2011-03-14 21:20:32.000000000 -0400
53919 +++ linux-2.6.38.4/mm/fremap.c 2011-04-17 15:57:33.000000000 -0400
53920 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
53922 vma = find_vma(mm, start);
53924 +#ifdef CONFIG_PAX_SEGMEXEC
53925 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
53930 * Make sure the vma is shared, that it supports prefaulting,
53931 * and that the remapped range is valid and fully within
53932 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
53934 * drop PG_Mlocked flag for over-mapped range
53936 - unsigned int saved_flags = vma->vm_flags;
53937 + unsigned long saved_flags = vma->vm_flags;
53938 munlock_vma_pages_range(vma, start, start + size);
53939 vma->vm_flags = saved_flags;
53941 diff -urNp linux-2.6.38.4/mm/highmem.c linux-2.6.38.4/mm/highmem.c
53942 --- linux-2.6.38.4/mm/highmem.c 2011-03-14 21:20:32.000000000 -0400
53943 +++ linux-2.6.38.4/mm/highmem.c 2011-04-17 15:57:33.000000000 -0400
53944 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
53945 * So no dangers, even with speculative execution.
53947 page = pte_page(pkmap_page_table[i]);
53948 + pax_open_kernel();
53949 pte_clear(&init_mm, (unsigned long)page_address(page),
53950 &pkmap_page_table[i]);
53952 + pax_close_kernel();
53953 set_page_address(page, NULL);
53956 @@ -186,9 +187,11 @@ start:
53959 vaddr = PKMAP_ADDR(last_pkmap_nr);
53961 + pax_open_kernel();
53962 set_pte_at(&init_mm, vaddr,
53963 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
53965 + pax_close_kernel();
53966 pkmap_count[last_pkmap_nr] = 1;
53967 set_page_address(page, (void *)vaddr);
53969 diff -urNp linux-2.6.38.4/mm/hugetlb.c linux-2.6.38.4/mm/hugetlb.c
53970 --- linux-2.6.38.4/mm/hugetlb.c 2011-03-14 21:20:32.000000000 -0400
53971 +++ linux-2.6.38.4/mm/hugetlb.c 2011-04-17 15:57:33.000000000 -0400
53972 @@ -2333,6 +2333,27 @@ static int unmap_ref_private(struct mm_s
53976 +#ifdef CONFIG_PAX_SEGMEXEC
53977 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
53979 + struct mm_struct *mm = vma->vm_mm;
53980 + struct vm_area_struct *vma_m;
53981 + unsigned long address_m;
53984 + vma_m = pax_find_mirror_vma(vma);
53988 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
53989 + address_m = address + SEGMEXEC_TASK_SIZE;
53990 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
53991 + get_page(page_m);
53992 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
53993 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
53998 * Hugetlb_cow() should be called with page lock of the original hugepage held.
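Review bot: `ptep_m` from huge_pte_offset() is passed to set_huge_pte_at() without a NULL check; huge_pte_offset() only looks the entry up and returns NULL when the page-table level for the mirror address has not been allocated. The callers added later in this file appear to rely on hugetlb_fault() having called huge_pte_alloc() for `address_m` first (see `huge_pte_alloc(mm, address_m, huge_page_size(h))` in the hugetlb_fault hunk), but that invariant is not stated here. A `BUG_ON(!ptep_m);` after the lookup, or a comment such as `/* the mirror PTE was allocated in hugetlb_fault() before any caller reaches us */`, would make the dependency explicit. The declaration of `ptep_m` and the early return when no mirror vma exists are not visible in this hunk.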
54000 @@ -2434,6 +2455,11 @@ retry_avoidcopy:
54001 make_huge_pte(vma, new_page, 1));
54002 page_remove_rmap(old_page);
54003 hugepage_add_new_anon_rmap(new_page, vma, address);
54005 +#ifdef CONFIG_PAX_SEGMEXEC
54006 + pax_mirror_huge_pte(vma, address, new_page);
54009 /* Make the old page be freed below */
54010 new_page = old_page;
54011 mmu_notifier_invalidate_range_end(mm,
54012 @@ -2585,6 +2611,10 @@ retry:
54013 && (vma->vm_flags & VM_SHARED)));
54014 set_huge_pte_at(mm, address, ptep, new_pte);
54016 +#ifdef CONFIG_PAX_SEGMEXEC
54017 + pax_mirror_huge_pte(vma, address, page);
54020 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
54021 /* Optimization, do the COW without a second fault */
54022 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
54023 @@ -2614,6 +2644,10 @@ int hugetlb_fault(struct mm_struct *mm,
54024 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
54025 struct hstate *h = hstate_vma(vma);
54027 +#ifdef CONFIG_PAX_SEGMEXEC
54028 + struct vm_area_struct *vma_m;
54031 ptep = huge_pte_offset(mm, address);
54033 entry = huge_ptep_get(ptep);
54034 @@ -2625,6 +2659,26 @@ int hugetlb_fault(struct mm_struct *mm,
54035 VM_FAULT_SET_HINDEX(h - hstates);
54038 +#ifdef CONFIG_PAX_SEGMEXEC
54039 + vma_m = pax_find_mirror_vma(vma);
54041 + unsigned long address_m;
54043 + if (vma->vm_start > vma_m->vm_start) {
54044 + address_m = address;
54045 + address -= SEGMEXEC_TASK_SIZE;
54047 + h = hstate_vma(vma);
54049 + address_m = address + SEGMEXEC_TASK_SIZE;
54051 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
54052 + return VM_FAULT_OOM;
54053 + address_m &= HPAGE_MASK;
54054 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
54058 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
54060 return VM_FAULT_OOM;
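Review bot: The mirror path mixes the hstate-aware size with the fixed default: huge_pte_alloc() for `address_m` uses `huge_page_size(h)`, but the mask and unmap range two lines later use `HPAGE_MASK` and `HPAGE_SIZE` (pax_mirror_huge_pte in the earlier hunk also masks with HPAGE_MASK). On a configuration with more than one huge page size, a vma backed by the larger size would have only a default-sized slice of its mirror unmapped; `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);` keep the two consistent. Whether the architectures on which SEGMEXEC is available ever expose a non-default hstate cannot be confirmed from this page, so this may be latent rather than reachable. The swap of `vma` for `vma_m` that the `h = hstate_vma(vma)` line implies is on a line not shown here.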
54061 diff -urNp linux-2.6.38.4/mm/Kconfig linux-2.6.38.4/mm/Kconfig
54062 --- linux-2.6.38.4/mm/Kconfig 2011-03-14 21:20:32.000000000 -0400
54063 +++ linux-2.6.38.4/mm/Kconfig 2011-04-17 15:57:33.000000000 -0400
54064 @@ -240,7 +240,7 @@ config KSM
54065 config DEFAULT_MMAP_MIN_ADDR
54066 int "Low address space to protect from user allocation"
54071 This is the portion of low virtual memory which should be protected
54072 from userspace allocation. Keeping a user from writing to low pages
54073 diff -urNp linux-2.6.38.4/mm/kmemleak.c linux-2.6.38.4/mm/kmemleak.c
54074 --- linux-2.6.38.4/mm/kmemleak.c 2011-03-14 21:20:32.000000000 -0400
54075 +++ linux-2.6.38.4/mm/kmemleak.c 2011-04-17 15:57:33.000000000 -0400
54076 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
54078 for (i = 0; i < object->trace_len; i++) {
54079 void *ptr = (void *)object->trace[i];
54080 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
54081 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
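Review bot: The symbol part of the trace line switches to the HIDESYM-approved `%pA`, but the address printed just before it in the same format string stays a bare `%p`, so the raw kernel text address is still emitted on the same line. Unless the HIDESYM branch added to pointer() in lib/vsprintf.c (its body is not visible on this page) also masks plain `%p`, `%pK` would let kptr_restrict govern that field consistently: `[<%pK>] %pA` in place of `[<%p>] %pA`.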
54085 diff -urNp linux-2.6.38.4/mm/maccess.c linux-2.6.38.4/mm/maccess.c
54086 --- linux-2.6.38.4/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
54087 +++ linux-2.6.38.4/mm/maccess.c 2011-04-17 15:57:33.000000000 -0400
54088 @@ -15,10 +15,10 @@
54089 * happens, handle that and return -EFAULT.
54092 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
54093 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
54094 __attribute__((alias("__probe_kernel_read")));
54096 -long __probe_kernel_read(void *dst, void *src, size_t size)
54097 +long __probe_kernel_read(void *dst, const void *src, size_t size)
54100 mm_segment_t old_fs = get_fs();
54101 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
54102 * Safely write to address @dst from the buffer at @src. If a kernel fault
54103 * happens, handle that and return -EFAULT.
54105 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
54106 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
54107 __attribute__((alias("__probe_kernel_write")));
54109 -long __probe_kernel_write(void *dst, void *src, size_t size)
54110 +long __probe_kernel_write(void *dst, const void *src, size_t size)
54113 mm_segment_t old_fs = get_fs();
54114 diff -urNp linux-2.6.38.4/mm/madvise.c linux-2.6.38.4/mm/madvise.c
54115 --- linux-2.6.38.4/mm/madvise.c 2011-03-14 21:20:32.000000000 -0400
54116 +++ linux-2.6.38.4/mm/madvise.c 2011-04-17 15:57:33.000000000 -0400
54117 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
54119 unsigned long new_flags = vma->vm_flags;
54121 +#ifdef CONFIG_PAX_SEGMEXEC
54122 + struct vm_area_struct *vma_m;
54125 switch (behavior) {
54127 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
54128 @@ -110,6 +114,13 @@ success:
54130 * vm_flags is protected by the mmap_sem held in write mode.
54133 +#ifdef CONFIG_PAX_SEGMEXEC
54134 + vma_m = pax_find_mirror_vma(vma);
54136 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
54139 vma->vm_flags = new_flags;
54142 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
54143 struct vm_area_struct ** prev,
54144 unsigned long start, unsigned long end)
54147 +#ifdef CONFIG_PAX_SEGMEXEC
54148 + struct vm_area_struct *vma_m;
54152 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
54154 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
54155 zap_page_range(vma, start, end - start, &details);
54157 zap_page_range(vma, start, end - start, NULL);
54159 +#ifdef CONFIG_PAX_SEGMEXEC
54160 + vma_m = pax_find_mirror_vma(vma);
54162 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
54163 + struct zap_details details = {
54164 + .nonlinear_vma = vma_m,
54165 + .last_index = ULONG_MAX,
54167 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
54169 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
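Review bot: Both mirror `zap_page_range` calls pass `vma` (the lower mapping) while the range `start + SEGMEXEC_TASK_SIZE ..` lies in the upper half; `unmap_vmas` walks forward from the vma it is given and skips mappings that do not overlap the range, so this appears correct but visits every vma between the two halves before reaching the mirror. Passing the mirror directly, `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`, starts at the right place; if `vma` is deliberate, a one-line comment saying why would help. The guard between the `pax_find_mirror_vma` lookup and the zap, and the closing lines of the block, are dropped in this rendering.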
54176 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
54180 +#ifdef CONFIG_PAX_SEGMEXEC
54181 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
54182 + if (end > SEGMEXEC_TASK_SIZE)
54187 + if (end > TASK_SIZE)
54193 diff -urNp linux-2.6.38.4/mm/memory.c linux-2.6.38.4/mm/memory.c
54194 --- linux-2.6.38.4/mm/memory.c 2011-04-22 19:20:59.000000000 -0400
54195 +++ linux-2.6.38.4/mm/memory.c 2011-04-22 19:53:54.000000000 -0400
54196 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
54199 pmd = pmd_offset(pud, start);
54201 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
54203 pmd_free_tlb(tlb, pmd, start);
54208 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
54209 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
54210 if (end - 1 > ceiling - 1)
54213 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
54214 pud = pud_offset(pgd, start);
54216 pud_free_tlb(tlb, pud, start);
54222 @@ -1410,13 +1417,6 @@ no_page_table:
54226 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
54228 - return (vma->vm_flags & VM_GROWSDOWN) &&
54229 - (vma->vm_start == addr) &&
54230 - !vma_stack_continue(vma->vm_prev, addr);
54233 int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
54234 unsigned long start, int nr_pages, unsigned int gup_flags,
54235 struct page **pages, struct vm_area_struct **vmas,
54236 @@ -1440,12 +1440,13 @@ int __get_user_pages(struct task_struct
54237 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
54241 + while (nr_pages) {
54242 struct vm_area_struct *vma;
54244 - vma = find_extend_vma(mm, start);
54245 + vma = find_vma(mm, start);
54246 if (!vma && in_gate_area(tsk, start)) {
54247 unsigned long pg = start & PAGE_MASK;
54248 + struct vm_area_struct *gate_vma = get_gate_vma(tsk);
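Review bot: Replacing `find_extend_vma` with `find_vma` means a get_user_pages() caller touching an address just below a VM_GROWSDOWN stack no longer grows the stack; with the `start < vma->vm_start` test added in the @@ -1488 hunk it gets -EFAULT instead, so ptrace and /proc/pid/mem accesses that previously succeeded by expanding the stack now fail. That is presumably deliberate, but nothing in the hunk says so; a comment above the call such as `/* PaX: never expand the stack on behalf of gup callers; only page faults may grow it */` would record the intent. The @@ -1410, @@ -1502 and @@ -2886 hunks remove the upstream stack-guard-page helpers, and the replacement gap enforcement (`sysctl_heap_stack_gap` is declared in mm/mmap.c) is not in this chunk, so the two halves cannot be reviewed together here. `__get_user_pages` continues past the hunk.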
54252 @@ -1470,11 +1471,10 @@ int __get_user_pages(struct task_struct
54254 return i ? : -EFAULT;
54256 - vma = get_gate_vma(tsk);
54260 - page = vm_normal_page(vma, start, *pte);
54261 + page = vm_normal_page(gate_vma, start, *pte);
54263 if (!(gup_flags & FOLL_DUMP) &&
54264 is_zero_pfn(pte_pfn(*pte)))
54265 @@ -1488,10 +1488,15 @@ int __get_user_pages(struct task_struct
54271 + vmas[i] = gate_vma;
54273 + start += PAGE_SIZE;
54279 + if (!vma || start < vma->vm_start ||
54280 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
54281 !(vm_flags & vma->vm_flags))
54282 return i ? : -EFAULT;
54283 @@ -1502,13 +1507,6 @@ int __get_user_pages(struct task_struct
54288 - * If we don't actually want the page itself,
54289 - * and it's the stack guard page, just skip it.
54291 - if (!pages && stack_guard_page(vma, start))
54296 unsigned int foll_flags = gup_flags;
54297 @@ -1578,14 +1576,13 @@ int __get_user_pages(struct task_struct
54298 flush_anon_page(vma, page, start);
54299 flush_dcache_page(page);
54305 start += PAGE_SIZE;
54307 } while (nr_pages && start < vma->vm_end);
54308 - } while (nr_pages);
54313 @@ -1734,6 +1731,10 @@ static int insert_page(struct vm_area_st
54314 page_add_file_rmap(page);
54315 set_pte_at(mm, addr, pte, mk_pte(page, prot));
54317 +#ifdef CONFIG_PAX_SEGMEXEC
54318 + pax_mirror_file_pte(vma, addr, page, ptl);
54322 pte_unmap_unlock(pte, ptl);
54324 @@ -1768,10 +1769,22 @@ out:
54325 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
54329 +#ifdef CONFIG_PAX_SEGMEXEC
54330 + struct vm_area_struct *vma_m;
54333 if (addr < vma->vm_start || addr >= vma->vm_end)
54335 if (!page_count(page))
54338 +#ifdef CONFIG_PAX_SEGMEXEC
54339 + vma_m = pax_find_mirror_vma(vma);
54341 + vma_m->vm_flags |= VM_INSERTPAGE;
54344 vma->vm_flags |= VM_INSERTPAGE;
54345 return insert_page(vma, addr, page, vma->vm_page_prot);
54347 @@ -1857,6 +1870,7 @@ int vm_insert_mixed(struct vm_area_struc
54350 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
54351 + BUG_ON(vma->vm_mirror);
54353 if (addr < vma->vm_start || addr >= vma->vm_end)
54355 @@ -2172,6 +2186,186 @@ static inline void cow_user_page(struct
54356 copy_user_highpage(dst, src, va, vma);
54359 +#ifdef CONFIG_PAX_SEGMEXEC
54360 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
54362 + struct mm_struct *mm = vma->vm_mm;
54364 + pte_t *pte, entry;
54366 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
54368 + if (!pte_present(entry)) {
54369 + if (!pte_none(entry)) {
54370 + BUG_ON(pte_file(entry));
54371 + free_swap_and_cache(pte_to_swp_entry(entry));
54372 + pte_clear_not_present_full(mm, address, pte, 0);
54375 + struct page *page;
54377 + flush_cache_page(vma, address, pte_pfn(entry));
54378 + entry = ptep_clear_flush(vma, address, pte);
54379 + BUG_ON(pte_dirty(entry));
54380 + page = vm_normal_page(vma, address, entry);
54382 + update_hiwater_rss(mm);
54383 + if (PageAnon(page))
54384 + dec_mm_counter_fast(mm, MM_ANONPAGES);
54386 + dec_mm_counter_fast(mm, MM_FILEPAGES);
54387 + page_remove_rmap(page);
54388 + page_cache_release(page);
54391 + pte_unmap_unlock(pte, ptl);
54394 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
54396 + * the ptl of the lower mapped page is held on entry and is not released on exit
54397 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
54399 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
54401 + struct mm_struct *mm = vma->vm_mm;
54402 + unsigned long address_m;
54403 + spinlock_t *ptl_m;
54404 + struct vm_area_struct *vma_m;
54406 + pte_t *pte_m, entry_m;
54408 + BUG_ON(!page_m || !PageAnon(page_m));
54410 + vma_m = pax_find_mirror_vma(vma);
54414 + BUG_ON(!PageLocked(page_m));
54415 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
54416 + address_m = address + SEGMEXEC_TASK_SIZE;
54417 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
54418 + pte_m = pte_offset_map(pmd_m, address_m);
54419 + ptl_m = pte_lockptr(mm, pmd_m);
54420 + if (ptl != ptl_m) {
54421 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
54422 + if (!pte_none(*pte_m))
54426 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
54427 + page_cache_get(page_m);
54428 + page_add_anon_rmap(page_m, vma_m, address_m);
54429 + inc_mm_counter_fast(mm, MM_ANONPAGES);
54430 + set_pte_at(mm, address_m, pte_m, entry_m);
54431 + update_mmu_cache(vma_m, address_m, entry_m);
54433 + if (ptl != ptl_m)
54434 + spin_unlock(ptl_m);
54435 + pte_unmap(pte_m);
54436 + unlock_page(page_m);
54439 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
54441 + struct mm_struct *mm = vma->vm_mm;
54442 + unsigned long address_m;
54443 + spinlock_t *ptl_m;
54444 + struct vm_area_struct *vma_m;
54446 + pte_t *pte_m, entry_m;
54448 + BUG_ON(!page_m || PageAnon(page_m));
54450 + vma_m = pax_find_mirror_vma(vma);
54454 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
54455 + address_m = address + SEGMEXEC_TASK_SIZE;
54456 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
54457 + pte_m = pte_offset_map(pmd_m, address_m);
54458 + ptl_m = pte_lockptr(mm, pmd_m);
54459 + if (ptl != ptl_m) {
54460 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
54461 + if (!pte_none(*pte_m))
54465 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
54466 + page_cache_get(page_m);
54467 + page_add_file_rmap(page_m);
54468 + inc_mm_counter_fast(mm, MM_FILEPAGES);
54469 + set_pte_at(mm, address_m, pte_m, entry_m);
54470 + update_mmu_cache(vma_m, address_m, entry_m);
54472 + if (ptl != ptl_m)
54473 + spin_unlock(ptl_m);
54474 + pte_unmap(pte_m);
54477 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
54479 + struct mm_struct *mm = vma->vm_mm;
54480 + unsigned long address_m;
54481 + spinlock_t *ptl_m;
54482 + struct vm_area_struct *vma_m;
54484 + pte_t *pte_m, entry_m;
54486 + vma_m = pax_find_mirror_vma(vma);
54490 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
54491 + address_m = address + SEGMEXEC_TASK_SIZE;
54492 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
54493 + pte_m = pte_offset_map(pmd_m, address_m);
54494 + ptl_m = pte_lockptr(mm, pmd_m);
54495 + if (ptl != ptl_m) {
54496 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
54497 + if (!pte_none(*pte_m))
54501 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
54502 + set_pte_at(mm, address_m, pte_m, entry_m);
54504 + if (ptl != ptl_m)
54505 + spin_unlock(ptl_m);
54506 + pte_unmap(pte_m);
54509 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
54511 + struct page *page_m;
54514 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
54518 + page_m = vm_normal_page(vma, address, entry);
54520 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
54521 + else if (PageAnon(page_m)) {
54522 + if (pax_find_mirror_vma(vma)) {
54523 + pte_unmap_unlock(pte, ptl);
54524 + lock_page(page_m);
54525 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
54526 + if (pte_same(entry, *pte))
54527 + pax_mirror_anon_pte(vma, address, page_m, ptl);
54529 + unlock_page(page_m);
54532 + pax_mirror_file_pte(vma, address, page_m, ptl);
54535 + pte_unmap_unlock(pte, ptl);
54540 * This routine handles present pages, when users try to write
54541 * to a shared page. It is done by copying the page to a new address
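Review bot: In `pax_mirror_anon_pte`, `pax_mirror_file_pte` and `pax_mirror_pfn_pte` the `pte_none(*pte_m)` test sits inside `if (ptl != ptl_m)`, so when the lower and mirror PTE pages share a lock the mirror slot is written by `set_pte_at` without being examined. If callers guarantee the slot is empty in that case (handle_mm_fault clears it via `pax_unmap_mirror_pte`, but under a lock that is released before the fault proceeds), that guarantee should be stated in the header comment; otherwise moving the test after the lock is taken, `if (!pte_none(*pte_m)) goto out;`, costs nothing. The three functions also repeat the same address/pmd/pte/lock set-up block; a small static helper returning `pte_m` and `ptl_m` would keep them in step. Several lines of each body are dropped in this rendering, so the branch taken on a non-empty mirror entry cannot be checked here.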
54542 @@ -2383,6 +2577,12 @@ gotten:
54544 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
54545 if (likely(pte_same(*page_table, orig_pte))) {
54547 +#ifdef CONFIG_PAX_SEGMEXEC
54548 + if (pax_find_mirror_vma(vma))
54549 + BUG_ON(!trylock_page(new_page));
54553 if (!PageAnon(old_page)) {
54554 dec_mm_counter_fast(mm, MM_FILEPAGES);
54555 @@ -2434,6 +2634,10 @@ gotten:
54556 page_remove_rmap(old_page);
54559 +#ifdef CONFIG_PAX_SEGMEXEC
54560 + pax_mirror_anon_pte(vma, address, new_page, ptl);
54563 /* Free the old page.. */
54564 new_page = old_page;
54565 ret |= VM_FAULT_WRITE;
54566 @@ -2844,6 +3048,11 @@ static int do_swap_page(struct mm_struct
54568 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
54569 try_to_free_swap(page);
54571 +#ifdef CONFIG_PAX_SEGMEXEC
54572 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
54578 @@ -2867,6 +3076,11 @@ static int do_swap_page(struct mm_struct
54580 /* No need to invalidate - it was non-present before */
54581 update_mmu_cache(vma, address, page_table);
54583 +#ifdef CONFIG_PAX_SEGMEXEC
54584 + pax_mirror_anon_pte(vma, address, page, ptl);
54588 pte_unmap_unlock(page_table, ptl);
54590 @@ -2886,40 +3100,6 @@ out_release:
54594 - * This is like a special single-page "expand_{down|up}wards()",
54595 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
54596 - * doesn't hit another vma.
54598 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
54600 - address &= PAGE_MASK;
54601 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
54602 - struct vm_area_struct *prev = vma->vm_prev;
54605 - * Is there a mapping abutting this one below?
54607 - * That's only ok if it's the same stack mapping
54608 - * that has gotten split..
54610 - if (prev && prev->vm_end == address)
54611 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
54613 - expand_stack(vma, address - PAGE_SIZE);
54615 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
54616 - struct vm_area_struct *next = vma->vm_next;
54618 - /* As VM_GROWSDOWN but s/below/above/ */
54619 - if (next && next->vm_start == address + PAGE_SIZE)
54620 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
54622 - expand_upwards(vma, address + PAGE_SIZE);
54628 * We enter with non-exclusive mmap_sem (to exclude vma changes,
54629 * but allow concurrent faults), and pte mapped but not yet locked.
54630 * We return with mmap_sem still held, but pte unmapped and unlocked.
54631 @@ -2928,27 +3108,23 @@ static int do_anonymous_page(struct mm_s
54632 unsigned long address, pte_t *page_table, pmd_t *pmd,
54633 unsigned int flags)
54635 - struct page *page;
54636 + struct page *page = NULL;
54640 - pte_unmap(page_table);
54642 - /* Check if we need to add a guard page to the stack */
54643 - if (check_stack_guard_page(vma, address) < 0)
54644 - return VM_FAULT_SIGBUS;
54646 - /* Use the zero-page for reads */
54647 if (!(flags & FAULT_FLAG_WRITE)) {
54648 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
54649 vma->vm_page_prot));
54650 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
54651 + ptl = pte_lockptr(mm, pmd);
54653 if (!pte_none(*page_table))
54658 /* Allocate our own private page. */
54659 + pte_unmap(page_table);
54661 if (unlikely(anon_vma_prepare(vma)))
54663 page = alloc_zeroed_user_highpage_movable(vma, address);
54664 @@ -2967,6 +3143,11 @@ static int do_anonymous_page(struct mm_s
54665 if (!pte_none(*page_table))
54668 +#ifdef CONFIG_PAX_SEGMEXEC
54669 + if (pax_find_mirror_vma(vma))
54670 + BUG_ON(!trylock_page(page));
54673 inc_mm_counter_fast(mm, MM_ANONPAGES);
54674 page_add_new_anon_rmap(page, vma, address);
54676 @@ -2974,6 +3155,12 @@ setpte:
54678 /* No need to invalidate - it was non-present before */
54679 update_mmu_cache(vma, address, page_table);
54681 +#ifdef CONFIG_PAX_SEGMEXEC
54683 + pax_mirror_anon_pte(vma, address, page, ptl);
54687 pte_unmap_unlock(page_table, ptl);
54689 @@ -3111,6 +3298,12 @@ static int __do_fault(struct mm_struct *
54691 /* Only go through if we didn't race with anybody else... */
54692 if (likely(pte_same(*page_table, orig_pte))) {
54694 +#ifdef CONFIG_PAX_SEGMEXEC
54695 + if (anon && pax_find_mirror_vma(vma))
54696 + BUG_ON(!trylock_page(page));
54699 flush_icache_page(vma, page);
54700 entry = mk_pte(page, vma->vm_page_prot);
54701 if (flags & FAULT_FLAG_WRITE)
54702 @@ -3130,6 +3323,14 @@ static int __do_fault(struct mm_struct *
54704 /* no need to invalidate: a not-present page won't be cached */
54705 update_mmu_cache(vma, address, page_table);
54707 +#ifdef CONFIG_PAX_SEGMEXEC
54709 + pax_mirror_anon_pte(vma, address, page, ptl);
54711 + pax_mirror_file_pte(vma, address, page, ptl);
54716 mem_cgroup_uncharge_page(page);
54717 @@ -3277,6 +3478,12 @@ int handle_pte_fault(struct mm_struct *m
54718 if (flags & FAULT_FLAG_WRITE)
54719 flush_tlb_fix_spurious_fault(vma, address);
54722 +#ifdef CONFIG_PAX_SEGMEXEC
54723 + pax_mirror_pte(vma, address, pte, pmd, ptl);
54728 pte_unmap_unlock(pte, ptl);
54730 @@ -3293,6 +3500,10 @@ int handle_mm_fault(struct mm_struct *mm
54734 +#ifdef CONFIG_PAX_SEGMEXEC
54735 + struct vm_area_struct *vma_m;
54738 __set_current_state(TASK_RUNNING);
54740 count_vm_event(PGFAULT);
54741 @@ -3303,6 +3514,34 @@ int handle_mm_fault(struct mm_struct *mm
54742 if (unlikely(is_vm_hugetlb_page(vma)))
54743 return hugetlb_fault(mm, vma, address, flags);
54745 +#ifdef CONFIG_PAX_SEGMEXEC
54746 + vma_m = pax_find_mirror_vma(vma);
54748 + unsigned long address_m;
54753 + if (vma->vm_start > vma_m->vm_start) {
54754 + address_m = address;
54755 + address -= SEGMEXEC_TASK_SIZE;
54758 + address_m = address + SEGMEXEC_TASK_SIZE;
54760 + pgd_m = pgd_offset(mm, address_m);
54761 + pud_m = pud_alloc(mm, pgd_m, address_m);
54763 + return VM_FAULT_OOM;
54764 + pmd_m = pmd_alloc(mm, pud_m, address_m);
54766 + return VM_FAULT_OOM;
54767 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
54768 + return VM_FAULT_OOM;
54769 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
54773 pgd = pgd_offset(mm, address);
54774 pud = pud_alloc(mm, pgd, address);
54776 @@ -3436,7 +3675,7 @@ static int __init gate_vma_init(void)
54777 gate_vma.vm_start = FIXADDR_USER_START;
54778 gate_vma.vm_end = FIXADDR_USER_END;
54779 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
54780 - gate_vma.vm_page_prot = __P101;
54781 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
54783 * Make sure the vDSO gets into every core dump.
54784 * Dumping its contents makes post-mortem fully interpretable later
54785 diff -urNp linux-2.6.38.4/mm/memory-failure.c linux-2.6.38.4/mm/memory-failure.c
54786 --- linux-2.6.38.4/mm/memory-failure.c 2011-03-14 21:20:32.000000000 -0400
54787 +++ linux-2.6.38.4/mm/memory-failure.c 2011-04-17 15:57:33.000000000 -0400
54788 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
54790 int sysctl_memory_failure_recovery __read_mostly = 1;
54792 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
54793 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
54795 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
54797 @@ -1012,7 +1012,7 @@ int __memory_failure(unsigned long pfn,
54800 nr_pages = 1 << compound_trans_order(hpage);
54801 - atomic_long_add(nr_pages, &mce_bad_pages);
54802 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
54805 * We need/can do nothing about count=0 pages.
54806 @@ -1042,7 +1042,7 @@ int __memory_failure(unsigned long pfn,
54807 if (!PageHWPoison(hpage)
54808 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
54809 || (p != hpage && TestSetPageHWPoison(hpage))) {
54810 - atomic_long_sub(nr_pages, &mce_bad_pages);
54811 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54814 set_page_hwpoison_huge_page(hpage);
54815 @@ -1100,7 +1100,7 @@ int __memory_failure(unsigned long pfn,
54817 if (hwpoison_filter(p)) {
54818 if (TestClearPageHWPoison(p))
54819 - atomic_long_sub(nr_pages, &mce_bad_pages);
54820 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54821 unlock_page(hpage);
54824 @@ -1226,7 +1226,7 @@ int unpoison_memory(unsigned long pfn)
54827 if (TestClearPageHWPoison(p))
54828 - atomic_long_sub(nr_pages, &mce_bad_pages);
54829 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54830 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
54833 @@ -1240,7 +1240,7 @@ int unpoison_memory(unsigned long pfn)
54835 if (TestClearPageHWPoison(page)) {
54836 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
54837 - atomic_long_sub(nr_pages, &mce_bad_pages);
54838 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54840 if (PageHuge(page))
54841 clear_page_hwpoison_huge_page(page);
54842 @@ -1353,7 +1353,7 @@ static int soft_offline_huge_page(struct
54845 if (!PageHWPoison(hpage))
54846 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
54847 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
54848 set_page_hwpoison_huge_page(hpage);
54849 dequeue_hwpoisoned_huge_page(hpage);
54850 /* keep elevated page count for bad page */
54851 @@ -1482,7 +1482,7 @@ int soft_offline_page(struct page *page,
54855 - atomic_long_add(1, &mce_bad_pages);
54856 + atomic_long_add_unchecked(1, &mce_bad_pages);
54857 SetPageHWPoison(page);
54858 /* keep elevated page count for bad page */
54860 diff -urNp linux-2.6.38.4/mm/mempolicy.c linux-2.6.38.4/mm/mempolicy.c
54861 --- linux-2.6.38.4/mm/mempolicy.c 2011-03-14 21:20:32.000000000 -0400
54862 +++ linux-2.6.38.4/mm/mempolicy.c 2011-04-17 15:57:33.000000000 -0400
54863 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
54864 unsigned long vmstart;
54865 unsigned long vmend;
54867 +#ifdef CONFIG_PAX_SEGMEXEC
54868 + struct vm_area_struct *vma_m;
54871 vma = find_vma_prev(mm, start, &prev);
54872 if (!vma || vma->vm_start > start)
54874 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
54875 err = policy_vma(vma, new_pol);
54879 +#ifdef CONFIG_PAX_SEGMEXEC
54880 + vma_m = pax_find_mirror_vma(vma);
54882 + err = policy_vma(vma_m, new_pol);
54891 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
54896 +#ifdef CONFIG_PAX_SEGMEXEC
54897 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
54898 + if (end > SEGMEXEC_TASK_SIZE)
54903 + if (end > TASK_SIZE)
54909 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
54913 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
54914 + if (mm != current->mm &&
54915 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
54922 * Check if this process has the right to modify the specified
54923 * process. The right exists if the process has administrative
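Review bot: The flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` reads better as a single mask, `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`, and avoids the `&`-inside-`||` shape that compilers warn about. The same expression appears in the `move_pages` hunk of mm/migrate.c. The body of the `if` is not shown in this rendering, so the error path cannot be checked here.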
54924 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
54926 tcred = __task_cred(task);
54927 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
54928 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
54929 - !capable(CAP_SYS_NICE)) {
54930 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
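Review bot: Dropping `cred->uid != tcred->uid` from the condition tightens the check: a caller whose real uid equals the target's real uid, but whose effective uid matches neither the target's real nor saved uid and whose real uid differs from the target's saved uid, is now refused unless it has CAP_SYS_NICE. That diverges from the upstream rule in the same function without explanation; a comment such as `/* PaX: a matching real uid alone is not enough to move another task's pages */` would state the intended policy. The identical change is made in `move_pages` in mm/migrate.c and should carry the same comment.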
54934 @@ -2635,7 +2667,7 @@ int show_numa_map(struct seq_file *m, vo
54937 seq_printf(m, " file=");
54938 - seq_path(m, &file->f_path, "\n\t= ");
54939 + seq_path(m, &file->f_path, "\n\t\\= ");
54940 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
54941 seq_printf(m, " heap");
54942 } else if (vma->vm_start <= mm->start_stack &&
54943 diff -urNp linux-2.6.38.4/mm/migrate.c linux-2.6.38.4/mm/migrate.c
54944 --- linux-2.6.38.4/mm/migrate.c 2011-03-14 21:20:32.000000000 -0400
54945 +++ linux-2.6.38.4/mm/migrate.c 2011-04-17 15:57:33.000000000 -0400
54946 @@ -1299,6 +1299,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
54950 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
54951 + if (mm != current->mm &&
54952 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
54959 * Check if this process has the right to modify the specified
54960 * process. The right exists if the process has administrative
54961 @@ -1308,8 +1316,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
54963 tcred = __task_cred(task);
54964 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
54965 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
54966 - !capable(CAP_SYS_NICE)) {
54967 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
54971 diff -urNp linux-2.6.38.4/mm/mlock.c linux-2.6.38.4/mm/mlock.c
54972 --- linux-2.6.38.4/mm/mlock.c 2011-04-22 19:20:59.000000000 -0400
54973 +++ linux-2.6.38.4/mm/mlock.c 2011-04-17 15:57:33.000000000 -0400
54975 #include <linux/pagemap.h>
54976 #include <linux/mempolicy.h>
54977 #include <linux/syscalls.h>
54978 +#include <linux/security.h>
54979 #include <linux/sched.h>
54980 #include <linux/module.h>
54981 #include <linux/rmap.h>
54982 @@ -380,6 +381,9 @@ static int do_mlock(unsigned long start,
54986 + if (end > TASK_SIZE)
54989 vma = find_vma_prev(current->mm, start, &prev);
54990 if (!vma || vma->vm_start > start)
54992 @@ -390,6 +394,11 @@ static int do_mlock(unsigned long start,
54993 for (nstart = start ; ; ) {
54994 unsigned int newflags;
54996 +#ifdef CONFIG_PAX_SEGMEXEC
54997 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
55001 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
55003 newflags = vma->vm_flags | VM_LOCKED;
55004 @@ -495,6 +504,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
55005 lock_limit >>= PAGE_SHIFT;
55007 /* check against resource limits */
55008 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
55009 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
55010 error = do_mlock(start, len, 1);
55011 up_write(¤t->mm->mmap_sem);
55012 @@ -518,17 +528,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
55013 static int do_mlockall(int flags)
55015 struct vm_area_struct * vma, * prev = NULL;
55016 - unsigned int def_flags = 0;
55018 if (flags & MCL_FUTURE)
55019 - def_flags = VM_LOCKED;
55020 - current->mm->def_flags = def_flags;
55021 + current->mm->def_flags |= VM_LOCKED;
55023 + current->mm->def_flags &= ~VM_LOCKED;
55024 if (flags == MCL_FUTURE)
55027 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
55028 - unsigned int newflags;
55029 + unsigned long newflags;
55031 +#ifdef CONFIG_PAX_SEGMEXEC
55032 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
55036 + BUG_ON(vma->vm_end > TASK_SIZE);
55037 newflags = vma->vm_flags | VM_LOCKED;
55038 if (!(flags & MCL_CURRENT))
55039 newflags &= ~VM_LOCKED;
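Review bot: Replacing `current->mm->def_flags = def_flags` with `|= VM_LOCKED` / `&= ~VM_LOCKED` stops `mlockall()` from clearing every other bit of `def_flags`, and widening `newflags` to `unsigned long` matches the type of `vm_flags`; both are fixes in their own right and deserve a sentence of their own rather than riding along with the SEGMEXEC skip. The added `BUG_ON(vma->vm_end > TASK_SIZE)` turns an inconsistent vma list into a panic; if that state is only reachable through a kernel bug the assertion is fine, but a comment saying so would help. The `else` between the two `def_flags` updates and the SEGMEXEC `continue` are dropped in this rendering.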
55040 @@ -560,6 +576,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
55041 lock_limit >>= PAGE_SHIFT;
55044 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
55045 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
55046 capable(CAP_IPC_LOCK))
55047 ret = do_mlockall(flags);
55048 diff -urNp linux-2.6.38.4/mm/mmap.c linux-2.6.38.4/mm/mmap.c
55049 --- linux-2.6.38.4/mm/mmap.c 2011-04-22 19:20:59.000000000 -0400
55050 +++ linux-2.6.38.4/mm/mmap.c 2011-04-22 19:25:32.000000000 -0400
55052 #define arch_rebalance_pgtables(addr, len) (addr)
55055 +static inline void verify_mm_writelocked(struct mm_struct *mm)
55057 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
55058 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
55059 + up_read(&mm->mmap_sem);
55065 static void unmap_region(struct mm_struct *mm,
55066 struct vm_area_struct *vma, struct vm_area_struct *prev,
55067 unsigned long start, unsigned long end);
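Review bot: `verify_mm_writelocked` only proves the negative: a successful `down_read_trylock` shows that nobody holds `mmap_sem` for writing, but a failed one does not show that the current task is the writer — another writer, or any reader, makes the trylock fail too, and a task that holds nothing passes the check. A comment making that explicit, e.g. `/* best effort: catches a fully unlocked mmap_sem, not a lock held by someone else */`, would keep it from being read as an ownership assertion. The statement after `up_read` and the closing lines are dropped in this rendering.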
55068 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
55069 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
55072 -pgprot_t protection_map[16] = {
55073 +pgprot_t protection_map[16] __read_only = {
55074 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
55075 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
55078 pgprot_t vm_get_page_prot(unsigned long vm_flags)
55080 - return __pgprot(pgprot_val(protection_map[vm_flags &
55081 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
55082 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
55083 pgprot_val(arch_vm_get_page_prot(vm_flags)));
55085 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
55086 + if (!(__supported_pte_mask & _PAGE_NX) &&
55087 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
55088 + (vm_flags & (VM_READ | VM_WRITE)))
55089 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
55094 EXPORT_SYMBOL(vm_get_page_prot);
55096 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
55097 int sysctl_overcommit_ratio = 50; /* default is 50% */
55098 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
55099 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
55100 struct percpu_counter vm_committed_as;
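Review bot: `sysctl_heap_stack_gap` is introduced with a bare `64*1024` and no comment; state the unit and the purpose, e.g. `/* minimum gap in bytes kept below a growing stack; tunable via sysctl */` (adjust to the actual semantics — the code that enforces it is not in this chunk). In `vm_get_page_prot` the new PAGEEXEC branch calls `pte_exprotect` only when `_PAGE_NX` is unsupported and the mapping is readable or writable but not VM_EXEC; a line saying this presumably emulates NX on x86-32 without hardware support would help readers. The `#endif` and `return prot;` lines are dropped in this rendering.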
55103 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
55104 struct vm_area_struct *next = vma->vm_next;
55107 + BUG_ON(vma->vm_mirror);
55108 if (vma->vm_ops && vma->vm_ops->close)
55109 vma->vm_ops->close(vma);
55110 if (vma->vm_file) {
55111 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
55112 * not page aligned -Ram Gupta
55114 rlim = rlimit(RLIMIT_DATA);
55115 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
55116 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
55117 (mm->end_data - mm->start_data) > rlim)
55119 @@ -719,6 +741,12 @@ static int
55120 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
55121 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
55124 +#ifdef CONFIG_PAX_SEGMEXEC
55125 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
55129 if (is_mergeable_vma(vma, file, vm_flags) &&
55130 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
55131 if (vma->vm_pgoff == vm_pgoff)
55132 @@ -738,6 +766,12 @@ static int
55133 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
55134 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
55137 +#ifdef CONFIG_PAX_SEGMEXEC
55138 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
55142 if (is_mergeable_vma(vma, file, vm_flags) &&
55143 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
55145 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
55146 struct vm_area_struct *vma_merge(struct mm_struct *mm,
55147 struct vm_area_struct *prev, unsigned long addr,
55148 unsigned long end, unsigned long vm_flags,
55149 - struct anon_vma *anon_vma, struct file *file,
55150 + struct anon_vma *anon_vma, struct file *file,
55151 pgoff_t pgoff, struct mempolicy *policy)
55153 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
55154 struct vm_area_struct *area, *next;
55157 +#ifdef CONFIG_PAX_SEGMEXEC
55158 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
55159 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
55161 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
55165 * We later require that vma->vm_flags == vm_flags,
55166 * so this tests vma->vm_flags & VM_SPECIAL, too.
55167 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
55168 if (next && next->vm_end == end) /* cases 6, 7, 8 */
55169 next = next->vm_next;
55171 +#ifdef CONFIG_PAX_SEGMEXEC
55173 + prev_m = pax_find_mirror_vma(prev);
55175 + area_m = pax_find_mirror_vma(area);
55177 + next_m = pax_find_mirror_vma(next);
55181 * Can it merge with the predecessor?
55183 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
55185 err = vma_adjust(prev, prev->vm_start,
55186 next->vm_end, prev->vm_pgoff, NULL);
55187 - } else /* cases 2, 5, 7 */
55189 +#ifdef CONFIG_PAX_SEGMEXEC
55190 + if (!err && prev_m)
55191 + err = vma_adjust(prev_m, prev_m->vm_start,
55192 + next_m->vm_end, prev_m->vm_pgoff, NULL);
55195 + } else { /* cases 2, 5, 7 */
55196 err = vma_adjust(prev, prev->vm_start,
55197 end, prev->vm_pgoff, NULL);
55199 +#ifdef CONFIG_PAX_SEGMEXEC
55200 + if (!err && prev_m)
55201 + err = vma_adjust(prev_m, prev_m->vm_start,
55202 + end_m, prev_m->vm_pgoff, NULL);
55208 khugepaged_enter_vma_merge(prev);
55209 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
55210 mpol_equal(policy, vma_policy(next)) &&
55211 can_vma_merge_before(next, vm_flags,
55212 anon_vma, file, pgoff+pglen)) {
55213 - if (prev && addr < prev->vm_end) /* case 4 */
55214 + if (prev && addr < prev->vm_end) { /* case 4 */
55215 err = vma_adjust(prev, prev->vm_start,
55216 addr, prev->vm_pgoff, NULL);
55217 - else /* cases 3, 8 */
55219 +#ifdef CONFIG_PAX_SEGMEXEC
55220 + if (!err && prev_m)
55221 + err = vma_adjust(prev_m, prev_m->vm_start,
55222 + addr_m, prev_m->vm_pgoff, NULL);
55225 + } else { /* cases 3, 8 */
55226 err = vma_adjust(area, addr, next->vm_end,
55227 next->vm_pgoff - pglen, NULL);
55229 +#ifdef CONFIG_PAX_SEGMEXEC
55230 + if (!err && area_m)
55231 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
55232 + next_m->vm_pgoff - pglen, NULL);
55238 khugepaged_enter_vma_merge(area);
55239 @@ -958,14 +1038,11 @@ none:
55240 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
55241 struct file *file, long pages)
55243 - const unsigned long stack_flags
55244 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
55247 mm->shared_vm += pages;
55248 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
55249 mm->exec_vm += pages;
55250 - } else if (flags & stack_flags)
55251 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
55252 mm->stack_vm += pages;
55253 if (flags & (VM_RESERVED|VM_IO))
55254 mm->reserved_vm += pages;
55255 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
55256 * (the exception is when the underlying filesystem is noexec
55257 * mounted, in which case we dont add PROT_EXEC.)
55259 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
55260 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
55261 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
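Review bot: Line 55260 makes READ_IMPLIES_EXEC apply to mappings requested with PROT_WRITE alone, but the comment that precedes the test (lines 55256–55257, continuing above the hunk) still describes the PROT_READ case only. Adding a line such as `/* a PROT_WRITE-only request is treated like PROT_READ here */` keeps the comment in step with the condition, and the reason for the extension is not stated anywhere in the hunk and would be worth a few words as well.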
55264 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
55265 /* Obtain the address to map to. we verify (or select) it and ensure
55266 * that it represents a valid section of the address space.
55268 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
55269 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
55270 if (addr & ~PAGE_MASK)
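Review bot: Line 55269 folds PROT_EXEC into the flags handed to get_unmapped_area() as MAP_EXECUTABLE, but a caller-supplied MAP_EXECUTABLE in `flags` passes through unchanged, so an arch hook that reads the bit as "this mapping will be executable" cannot tell a non-exec mapping whose caller set the legacy flag from a real exec mapping. If the bit is meant purely as an internal signal, masking it first, `flags = (flags & ~MAP_EXECUTABLE) | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0);`, makes the contract explicit; whether any consumer depends on the distinction is outside this hunk.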
55273 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
55274 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
55275 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
55277 +#ifdef CONFIG_PAX_MPROTECT
55278 + if (mm->pax_flags & MF_PAX_MPROTECT) {
55279 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
55280 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
55281 + gr_log_rwxmmap(file);
55283 +#ifdef CONFIG_PAX_EMUPLT
55284 + vm_flags &= ~VM_EXEC;
55291 + if (!(vm_flags & VM_EXEC))
55292 + vm_flags &= ~VM_MAYEXEC;
55294 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
55295 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
55298 + vm_flags &= ~VM_MAYWRITE;
55302 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
55303 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
55304 + vm_flags &= ~VM_PAGEEXEC;
55307 if (flags & MAP_LOCKED)
55308 if (!can_do_mlock())
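Review bot: The CONFIG_PAX_MPROTECT block at lines 55277–55305 has no comment explaining the policy it enforces, and the same block appears again in install_special_mapping (hunk @@ -2492) minus the gr_log_rwxmmap() call. A header such as `/* PaX MPROTECT: a W+X request is logged and refused (or, with EMUPLT, demoted to non-exec), and the VM_MAY* bits that mprotect() consults later are narrowed so the missing permission cannot be re-added */` covers what the visible lines do; the lines that actually refuse the request (55282, 55285–55290) are not shown, so the wording should be checked against them. Factoring both copies into one static helper taking `&vm_flags` would remove the duplication. do_mmap_pgoff's body continues outside the hunk.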
55310 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
55311 locked += mm->locked_vm;
55312 lock_limit = rlimit(RLIMIT_MEMLOCK);
55313 lock_limit >>= PAGE_SHIFT;
55314 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
55315 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
55318 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
55322 + if (!gr_acl_handle_mmap(file, prot))
55325 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
55327 EXPORT_SYMBOL(do_mmap_pgoff);
55328 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
55330 int vma_wants_writenotify(struct vm_area_struct *vma)
55332 - unsigned int vm_flags = vma->vm_flags;
55333 + unsigned long vm_flags = vma->vm_flags;
55335 /* If it was private or non-writable, the write bit is already clear */
55336 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
55337 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
55340 /* The backer wishes to know when pages are first written to? */
55341 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
55342 unsigned long charged = 0;
55343 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
55345 +#ifdef CONFIG_PAX_SEGMEXEC
55346 + struct vm_area_struct *vma_m = NULL;
55350 + * mm->mmap_sem is required to protect against another thread
55351 + * changing the mappings in case we sleep.
55353 + verify_mm_writelocked(mm);
55355 /* Clear old maps */
55358 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
55359 if (vma && vma->vm_start < addr + len) {
55360 if (do_munmap(mm, addr, len))
55362 - goto munmap_back;
55363 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
55364 + BUG_ON(vma && vma->vm_start < addr + len);
55367 /* Check against address space limit. */
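Review bot: Lines 55363–55364 replace the `goto munmap_back` retry with a second find_vma_prepare() and a BUG_ON, so a do_munmap() that returns 0 but leaves a vma overlapping [addr, addr+len) now panics instead of looping; the same rewrite is in do_brk (hunk @@ -2212, lines 56141–56142). If the condition is genuinely impossible the assertion is fine but deserves a comment saying so; if it is merely unexpected, `if (WARN_ON_ONCE(vma && vma->vm_start < addr + len)) return -ENOMEM;` keeps the mapping call failing rather than the machine. The added verify_mm_writelocked(mm) at line 55353 uses a helper this chunk only shows being removed from its old place (hunk @@ -2146), so its new definition should be confirmed to precede this use. mmap_region's body continues outside the hunk.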
55368 @@ -1295,6 +1416,16 @@ munmap_back:
55372 +#ifdef CONFIG_PAX_SEGMEXEC
55373 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
55374 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
55383 vma->vm_start = addr;
55384 vma->vm_end = addr + len;
55385 @@ -1318,6 +1449,19 @@ munmap_back:
55386 error = file->f_op->mmap(file, vma);
55388 goto unmap_and_free_vma;
55390 +#ifdef CONFIG_PAX_SEGMEXEC
55391 + if (vma_m && (vm_flags & VM_EXECUTABLE))
55392 + added_exe_file_vma(mm);
55395 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
55396 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
55397 + vma->vm_flags |= VM_PAGEEXEC;
55398 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
55402 if (vm_flags & VM_EXECUTABLE)
55403 added_exe_file_vma(mm);
55405 @@ -1353,6 +1497,11 @@ munmap_back:
55406 vma_link(mm, vma, prev, rb_link, rb_parent);
55407 file = vma->vm_file;
55409 +#ifdef CONFIG_PAX_SEGMEXEC
55411 + BUG_ON(pax_mirror_vma(vma_m, vma));
55414 /* Once vma denies write, undo our temporary denial count */
55415 if (correct_wcount)
55416 atomic_inc(&inode->i_writecount);
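Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` at line 55411 turns a runtime failure into a panic: pax_mirror_vma (hunk @@ -2410) has a failing path when anon_vma_clone() fails, which as far as the visible code shows is an allocation failure rather than a logic error. The same pattern is used in insert_vm_struct (hunk @@ -2343, line 56225). Since the vma is already linked here, the cleaner options are to create the mirror before vma_link() or to route the error through the existing unmap_and_free_vma path; at minimum the assertion should carry a comment stating why the failure is considered impossible. Lines 55410 and 55412–55413 around the call are not shown.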
55417 @@ -1361,6 +1510,7 @@ out:
55419 mm->total_vm += len >> PAGE_SHIFT;
55420 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
55421 + track_exec_limit(mm, addr, addr + len, vm_flags);
55422 if (vm_flags & VM_LOCKED) {
55423 if (!mlock_vma_pages_range(vma, addr, addr + len))
55424 mm->locked_vm += (len >> PAGE_SHIFT);
55425 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
55426 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
55430 +#ifdef CONFIG_PAX_SEGMEXEC
55432 + kmem_cache_free(vm_area_cachep, vma_m);
55435 kmem_cache_free(vm_area_cachep, vma);
55438 @@ -1385,6 +1541,44 @@ unacct_error:
55442 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
55445 +#ifdef CONFIG_STACK_GROWSUP
55446 + if (addr > sysctl_heap_stack_gap)
55447 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
55449 + vma = find_vma(current->mm, 0);
55450 + if (vma && (vma->vm_flags & VM_GROWSUP))
55456 + if (addr + len > vma->vm_start)
55459 + if (vma->vm_flags & VM_GROWSDOWN)
55460 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
55461 +#ifdef CONFIG_STACK_GROWSUP
55462 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
55463 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
55469 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
55471 + if (vma->vm_start < len)
55473 + if (!(vma->vm_flags & VM_GROWSDOWN))
55474 + return vma->vm_start - len;
55475 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
55476 + return vma->vm_start - len - sysctl_heap_stack_gap;
55480 /* Get an address range which is currently unmapped.
55481 * For shmat() with addr=0.
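Review bot: The two stack-gap comparisons in check_heap_stack_gap point in opposite directions: for a VM_GROWSDOWN neighbour line 55460 returns true when the distance is at least sysctl_heap_stack_gap, while the CONFIG_STACK_GROWSUP branch at line 55463 returns true when `addr - vma->vm_prev->vm_end` is at most the gap, i.e. when the mapping is close to the stack. Unless that asymmetry is deliberate, the grows-up branch should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new functions also lack a header comment; `/* true when [addr, addr+len) fits below vma and keeps sysctl_heap_stack_gap from an adjacent growing stack */` for check_heap_stack_gap and `/* next candidate start below vma, or an error value the caller tests with IS_ERR_VALUE() */` for skip_heap_stack_gap would do, with the NULL-vma handling confirmed against lines 55451–55455, which are not shown.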
55483 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
55484 if (flags & MAP_FIXED)
55487 +#ifdef CONFIG_PAX_RANDMMAP
55488 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
55492 addr = PAGE_ALIGN(addr);
55493 - vma = find_vma(mm, addr);
55494 - if (TASK_SIZE - len >= addr &&
55495 - (!vma || addr + len <= vma->vm_start))
55497 + if (TASK_SIZE - len >= addr) {
55498 + vma = find_vma(mm, addr);
55499 + if (check_heap_stack_gap(vma, addr, len))
55503 if (len > mm->cached_hole_size) {
55504 - start_addr = addr = mm->free_area_cache;
55505 + start_addr = addr = mm->free_area_cache;
55507 - start_addr = addr = TASK_UNMAPPED_BASE;
55508 - mm->cached_hole_size = 0;
55509 + start_addr = addr = mm->mmap_base;
55510 + mm->cached_hole_size = 0;
55514 @@ -1433,34 +1632,40 @@ full_search:
55515 * Start a new search - just in case we missed
55518 - if (start_addr != TASK_UNMAPPED_BASE) {
55519 - addr = TASK_UNMAPPED_BASE;
55520 - start_addr = addr;
55521 + if (start_addr != mm->mmap_base) {
55522 + start_addr = addr = mm->mmap_base;
55523 mm->cached_hole_size = 0;
55528 - if (!vma || addr + len <= vma->vm_start) {
55530 - * Remember the place where we stopped the search:
55532 - mm->free_area_cache = addr + len;
55535 + if (check_heap_stack_gap(vma, addr, len))
55537 if (addr + mm->cached_hole_size < vma->vm_start)
55538 mm->cached_hole_size = vma->vm_start - addr;
55539 addr = vma->vm_end;
55543 + * Remember the place where we stopped the search:
55545 + mm->free_area_cache = addr + len;
55550 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
55553 +#ifdef CONFIG_PAX_SEGMEXEC
55554 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
55559 * Is this a new hole at the lowest possible address?
55561 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
55562 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
55563 mm->free_area_cache = addr;
55564 mm->cached_hole_size = ~0UL;
55566 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
55568 struct vm_area_struct *vma;
55569 struct mm_struct *mm = current->mm;
55570 - unsigned long addr = addr0;
55571 + unsigned long base = mm->mmap_base, addr = addr0;
55573 /* requested length too big for entire address space */
55574 if (len > TASK_SIZE)
55575 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
55576 if (flags & MAP_FIXED)
55579 +#ifdef CONFIG_PAX_RANDMMAP
55580 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
55583 /* requesting a specific address */
55585 addr = PAGE_ALIGN(addr);
55586 - vma = find_vma(mm, addr);
55587 - if (TASK_SIZE - len >= addr &&
55588 - (!vma || addr + len <= vma->vm_start))
55590 + if (TASK_SIZE - len >= addr) {
55591 + vma = find_vma(mm, addr);
55592 + if (check_heap_stack_gap(vma, addr, len))
55597 /* check if free_area_cache is useful for us */
55598 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
55599 /* make sure it can fit in the remaining address space */
55601 vma = find_vma(mm, addr-len);
55602 - if (!vma || addr <= vma->vm_start)
55603 + if (check_heap_stack_gap(vma, addr - len, len))
55604 /* remember the address as a hint for next time */
55605 return (mm->free_area_cache = addr-len);
55607 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
55608 * return with success:
55610 vma = find_vma(mm, addr);
55611 - if (!vma || addr+len <= vma->vm_start)
55612 + if (check_heap_stack_gap(vma, addr, len))
55613 /* remember the address as a hint for next time */
55614 return (mm->free_area_cache = addr);
55616 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
55617 mm->cached_hole_size = vma->vm_start - addr;
55619 /* try just below the current vma->vm_start */
55620 - addr = vma->vm_start-len;
55621 - } while (len < vma->vm_start);
55622 + addr = skip_heap_stack_gap(vma, len);
55623 + } while (!IS_ERR_VALUE(addr));
55627 @@ -1544,13 +1754,21 @@ bottomup:
55628 * can happen with large stack limits and large mmap()
55631 + mm->mmap_base = TASK_UNMAPPED_BASE;
55633 +#ifdef CONFIG_PAX_RANDMMAP
55634 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55635 + mm->mmap_base += mm->delta_mmap;
55638 + mm->free_area_cache = mm->mmap_base;
55639 mm->cached_hole_size = ~0UL;
55640 - mm->free_area_cache = TASK_UNMAPPED_BASE;
55641 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
55643 * Restore the topdown base:
55645 - mm->free_area_cache = mm->mmap_base;
55646 + mm->mmap_base = base;
55647 + mm->free_area_cache = base;
55648 mm->cached_hole_size = ~0UL;
55651 @@ -1559,6 +1777,12 @@ bottomup:
55653 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
55656 +#ifdef CONFIG_PAX_SEGMEXEC
55657 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
55662 * Is this a new hole at the highest possible address?
55664 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
55665 mm->free_area_cache = addr;
55667 /* dont allow allocations above current base */
55668 - if (mm->free_area_cache > mm->mmap_base)
55669 + if (mm->free_area_cache > mm->mmap_base) {
55670 mm->free_area_cache = mm->mmap_base;
55671 + mm->cached_hole_size = ~0UL;
55676 @@ -1675,6 +1901,28 @@ out:
55677 return prev ? prev->vm_next : vma;
55680 +#ifdef CONFIG_PAX_SEGMEXEC
55681 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
55683 + struct vm_area_struct *vma_m;
55685 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
55686 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
55687 + BUG_ON(vma->vm_mirror);
55690 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
55691 + vma_m = vma->vm_mirror;
55692 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
55693 + BUG_ON(vma->vm_file != vma_m->vm_file);
55694 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
55695 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
55696 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
55697 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
55703 * Verify that the stack growth is acceptable and
55704 * update accounting. This is shared with both the
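Review bot: The assertion at line 55696 evaluates `vma->anon_vma->root != vma_m->anon_vma->root` whenever the two anon_vma pointers differ, so if one of them is NULL while the other is set the BUG_ON itself faults on a NULL dereference instead of reporting the mismatch. Whether that state is reachable depends on when the mirror acquires its anon_vma, which this chunk does not show; guarding the second clause, `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`, makes the check safe either way. The function also has no comment stating its contract: it returns the mirror of an exec vma in a SEGMEXEC mm and, judging by line 55687 and the lines after it that are not shown, NULL otherwise.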
55705 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
55708 /* Stack limit test */
55709 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
55710 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
55713 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
55714 locked = mm->locked_vm + grow;
55715 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
55716 limit >>= PAGE_SHIFT;
55717 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
55718 if (locked > limit && !capable(CAP_IPC_LOCK))
55721 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
55722 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
55723 * vma is the last one with address > vma->vm_end. Have to extend vma.
55725 +#ifndef CONFIG_IA64
55728 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
55733 if (!(vma->vm_flags & VM_GROWSUP))
55736 + /* Also guard against wrapping around to address 0. */
55737 + if (address < PAGE_ALIGN(address+1))
55738 + address = PAGE_ALIGN(address+1);
55743 * We must make sure the anon_vma is allocated
55744 * so that the anon_vma locking is not a noop.
55746 if (unlikely(anon_vma_prepare(vma)))
55748 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
55749 + if (locknext && anon_vma_prepare(vma->vm_next))
55751 vma_lock_anon_vma(vma);
55753 + vma_lock_anon_vma(vma->vm_next);
55756 * vma->vm_start/vm_end cannot change under us because the caller
55757 * is required to hold the mmap_sem in read mode. We need the
55758 - * anon_vma lock to serialize against concurrent expand_stacks.
55759 - * Also guard against wrapping around to address 0.
55760 + * anon_vma locks to serialize against concurrent expand_stacks
55761 + * and expand_upwards.
55763 - if (address < PAGE_ALIGN(address+4))
55764 - address = PAGE_ALIGN(address+4);
55766 - vma_unlock_anon_vma(vma);
55771 /* Somebody else might have raced and expanded it already */
55772 - if (address > vma->vm_end) {
55773 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
55775 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
55776 unsigned long size, grow;
55778 size = address - vma->vm_start;
55779 @@ -1773,6 +2034,8 @@ int expand_upwards(struct vm_area_struct
55780 perf_event_mmap(vma);
55784 + vma_unlock_anon_vma(vma->vm_next);
55785 vma_unlock_anon_vma(vma);
55786 khugepaged_enter_vma_merge(vma);
55788 @@ -1786,6 +2049,8 @@ static int expand_downwards(struct vm_ar
55789 unsigned long address)
55792 + bool lockprev = false;
55793 + struct vm_area_struct *prev;
55796 * We must make sure the anon_vma is allocated
55797 @@ -1799,6 +2064,15 @@ static int expand_downwards(struct vm_ar
55801 + prev = vma->vm_prev;
55802 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
55803 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
55805 + if (lockprev && anon_vma_prepare(prev))
55808 + vma_lock_anon_vma(prev);
55810 vma_lock_anon_vma(vma);
55813 @@ -1808,9 +2082,17 @@ static int expand_downwards(struct vm_ar
55816 /* Somebody else might have raced and expanded it already */
55817 - if (address < vma->vm_start) {
55818 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
55820 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
55821 unsigned long size, grow;
55823 +#ifdef CONFIG_PAX_SEGMEXEC
55824 + struct vm_area_struct *vma_m;
55826 + vma_m = pax_find_mirror_vma(vma);
55829 size = vma->vm_end - address;
55830 grow = (vma->vm_start - address) >> PAGE_SHIFT;
55832 @@ -1820,11 +2102,22 @@ static int expand_downwards(struct vm_ar
55834 vma->vm_start = address;
55835 vma->vm_pgoff -= grow;
55836 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
55838 +#ifdef CONFIG_PAX_SEGMEXEC
55840 + vma_m->vm_start -= grow << PAGE_SHIFT;
55841 + vma_m->vm_pgoff -= grow;
55845 perf_event_mmap(vma);
55849 vma_unlock_anon_vma(vma);
55851 + vma_unlock_anon_vma(prev);
55852 khugepaged_enter_vma_merge(vma);
55855 @@ -1899,6 +2192,13 @@ static void remove_vma_list(struct mm_st
55857 long nrpages = vma_pages(vma);
55859 +#ifdef CONFIG_PAX_SEGMEXEC
55860 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
55861 + vma = remove_vma(vma);
55866 mm->total_vm -= nrpages;
55867 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
55868 vma = remove_vma(vma);
55869 @@ -1944,6 +2244,16 @@ detach_vmas_to_be_unmapped(struct mm_str
55870 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
55871 vma->vm_prev = NULL;
55874 +#ifdef CONFIG_PAX_SEGMEXEC
55875 + if (vma->vm_mirror) {
55876 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
55877 + vma->vm_mirror->vm_mirror = NULL;
55878 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
55879 + vma->vm_mirror = NULL;
55883 rb_erase(&vma->vm_rb, &mm->mm_rb);
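Review bot: Lines 55875–55880 unlink the mirror and clear VM_EXEC on it without saying why; the reason appears to be that the mirror half is unmapped by a second __do_munmap() call (hunk @@ -2056) and must by then look like an ordinary non-exec vma so pax_find_mirror_vma() and the split path do not assert on a half-detached pair. A comment such as `/* detach the mirror now: it is unmapped separately and must no longer look like one half of an exec pair */` would save the next reader that reconstruction. The mirror's vm_page_prot is left as it was after the flag change, which is only fine because the mirror is about to be removed; if any path can keep it alive, it should be recomputed with vm_get_page_prot() as line 56265 does.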
55886 @@ -1972,14 +2282,33 @@ static int __split_vma(struct mm_struct
55887 struct vm_area_struct *new;
55890 +#ifdef CONFIG_PAX_SEGMEXEC
55891 + struct vm_area_struct *vma_m, *new_m = NULL;
55892 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
55895 if (is_vm_hugetlb_page(vma) && (addr &
55896 ~(huge_page_mask(hstate_vma(vma)))))
55899 +#ifdef CONFIG_PAX_SEGMEXEC
55900 + vma_m = pax_find_mirror_vma(vma);
55903 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
55907 +#ifdef CONFIG_PAX_SEGMEXEC
55909 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
55911 + kmem_cache_free(vm_area_cachep, new);
55917 /* most fields are the same, copy all, and then fixup */
55920 @@ -1992,6 +2321,22 @@ static int __split_vma(struct mm_struct
55921 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
55924 +#ifdef CONFIG_PAX_SEGMEXEC
55927 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
55928 + new_m->vm_mirror = new;
55929 + new->vm_mirror = new_m;
55932 + new_m->vm_end = addr_m;
55934 + new_m->vm_start = addr_m;
55935 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
55940 pol = mpol_dup(vma_policy(vma));
55942 err = PTR_ERR(pol);
55943 @@ -2017,6 +2362,42 @@ static int __split_vma(struct mm_struct
55945 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
55947 +#ifdef CONFIG_PAX_SEGMEXEC
55948 + if (!err && vma_m) {
55949 + if (anon_vma_clone(new_m, vma_m))
55950 + goto out_free_mpol;
55953 + vma_set_policy(new_m, pol);
55955 + if (new_m->vm_file) {
55956 + get_file(new_m->vm_file);
55957 + if (vma_m->vm_flags & VM_EXECUTABLE)
55958 + added_exe_file_vma(mm);
55961 + if (new_m->vm_ops && new_m->vm_ops->open)
55962 + new_m->vm_ops->open(new_m);
55965 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
55966 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
55968 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
55971 + if (new_m->vm_ops && new_m->vm_ops->close)
55972 + new_m->vm_ops->close(new_m);
55973 + if (new_m->vm_file) {
55974 + if (vma_m->vm_flags & VM_EXECUTABLE)
55975 + removed_exe_file_vma(mm);
55976 + fput(new_m->vm_file);
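Review bot: The `goto out_free_mpol` at line 55950 is taken after the primary vma_adjust() at line 55945 has already succeeded, and the function tail (hunk @@ -2029, lines 56002–56003) still runs `unlink_anon_vmas(new); kmem_cache_free(vm_area_cachep, new);` on that path, so an anon_vma_clone() failure for the mirror frees a `new` that is by then linked into mm and leaves a dangling vma in the list; lines 55989–56001 are not shown, so this should be confirmed against the final label layout. The safer ordering is to clone the mirror's anon_vma before the primary vma_adjust(), while `new` is still private to this function, or to return the error without touching `new` once it has been inserted. __split_vma's body begins before this hunk.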
55986 @@ -2029,10 +2410,18 @@ static int __split_vma(struct mm_struct
55987 removed_exe_file_vma(mm);
55988 fput(new->vm_file);
55990 - unlink_anon_vmas(new);
55995 +#ifdef CONFIG_PAX_SEGMEXEC
55997 + unlink_anon_vmas(new_m);
55998 + kmem_cache_free(vm_area_cachep, new_m);
56002 + unlink_anon_vmas(new);
56003 kmem_cache_free(vm_area_cachep, new);
56006 @@ -2045,6 +2434,15 @@ static int __split_vma(struct mm_struct
56007 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
56008 unsigned long addr, int new_below)
56011 +#ifdef CONFIG_PAX_SEGMEXEC
56012 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
56013 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
56014 + if (mm->map_count >= sysctl_max_map_count-1)
56019 if (mm->map_count >= sysctl_max_map_count)
56022 @@ -2056,11 +2454,30 @@ int split_vma(struct mm_struct *mm, stru
56023 * work. This now handles partial unmappings.
56024 * Jeremy Fitzhardinge <jeremy@goop.org>
56026 +#ifdef CONFIG_PAX_SEGMEXEC
56027 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
56029 + int ret = __do_munmap(mm, start, len);
56030 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
56033 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
56036 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
56038 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
56042 struct vm_area_struct *vma, *prev, *last;
56045 + * mm->mmap_sem is required to protect against another thread
56046 + * changing the mappings in case we sleep.
56048 + verify_mm_writelocked(mm);
56050 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
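Review bot: The new do_munmap() wrapper at lines 56027–56033 has no comment describing its contract: it unmaps [start, start+len) and, for a SEGMEXEC mm, the same range shifted by SEGMEXEC_TASK_SIZE, and it reports the second call's error after the first half is already gone, so a caller can receive an error with the primary range unmapped. A header such as `/* unmap the range and, under SEGMEXEC, its mirror at +SEGMEXEC_TASK_SIZE; an error from the mirror unmap is returned after the primary range has already been removed */` states that. __do_munmap() at line 56036 is called from mprotect.c (line 56432), and its prototype is not in this chunk; the lines between the two definitions (56028, 56031–56032, 56034–56035, 56037) are not shown.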
56053 @@ -2134,6 +2551,8 @@ int do_munmap(struct mm_struct *mm, unsi
56054 /* Fix up all other VM information */
56055 remove_vma_list(mm, vma);
56057 + track_exec_limit(mm, start, end, 0UL);
56062 @@ -2146,22 +2565,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
56064 profile_munmap(addr);
56066 +#ifdef CONFIG_PAX_SEGMEXEC
56067 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
56068 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
56072 down_write(&mm->mmap_sem);
56073 ret = do_munmap(mm, addr, len);
56074 up_write(&mm->mmap_sem);
56078 -static inline void verify_mm_writelocked(struct mm_struct *mm)
56080 -#ifdef CONFIG_DEBUG_VM
56081 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
56083 - up_read(&mm->mmap_sem);
56089 * this is really a simplified "do_mmap". it only handles
56090 * anonymous maps. eventually we may be able to do some
56091 @@ -2175,6 +2590,7 @@ unsigned long do_brk(unsigned long addr,
56092 struct rb_node ** rb_link, * rb_parent;
56093 pgoff_t pgoff = addr >> PAGE_SHIFT;
56095 + unsigned long charged;
56097 len = PAGE_ALIGN(len);
56099 @@ -2186,16 +2602,30 @@ unsigned long do_brk(unsigned long addr,
56101 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
56103 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
56104 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
56105 + flags &= ~VM_EXEC;
56107 +#ifdef CONFIG_PAX_MPROTECT
56108 + if (mm->pax_flags & MF_PAX_MPROTECT)
56109 + flags &= ~VM_MAYEXEC;
56115 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
56116 if (error & ~PAGE_MASK)
56119 + charged = len >> PAGE_SHIFT;
56122 * mlock MCL_FUTURE?
56124 if (mm->def_flags & VM_LOCKED) {
56125 unsigned long locked, lock_limit;
56126 - locked = len >> PAGE_SHIFT;
56127 + locked = charged;
56128 locked += mm->locked_vm;
56129 lock_limit = rlimit(RLIMIT_MEMLOCK);
56130 lock_limit >>= PAGE_SHIFT;
56131 @@ -2212,22 +2642,22 @@ unsigned long do_brk(unsigned long addr,
56133 * Clear old maps. this also does some error checking for us
56136 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
56137 if (vma && vma->vm_start < addr + len) {
56138 if (do_munmap(mm, addr, len))
56140 - goto munmap_back;
56141 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
56142 + BUG_ON(vma && vma->vm_start < addr + len);
56145 /* Check against address space limits *after* clearing old maps... */
56146 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
56147 + if (!may_expand_vm(mm, charged))
56150 if (mm->map_count > sysctl_max_map_count)
56153 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
56154 + if (security_vm_enough_memory(charged))
56157 /* Can we just expand an old private anonymous mapping? */
56158 @@ -2241,7 +2671,7 @@ unsigned long do_brk(unsigned long addr,
56160 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
56162 - vm_unacct_memory(len >> PAGE_SHIFT);
56163 + vm_unacct_memory(charged);
56167 @@ -2255,11 +2685,12 @@ unsigned long do_brk(unsigned long addr,
56168 vma_link(mm, vma, prev, rb_link, rb_parent);
56170 perf_event_mmap(vma);
56171 - mm->total_vm += len >> PAGE_SHIFT;
56172 + mm->total_vm += charged;
56173 if (flags & VM_LOCKED) {
56174 if (!mlock_vma_pages_range(vma, addr, addr + len))
56175 - mm->locked_vm += (len >> PAGE_SHIFT);
56176 + mm->locked_vm += charged;
56178 + track_exec_limit(mm, addr, addr + len, flags);
56182 @@ -2306,8 +2737,10 @@ void exit_mmap(struct mm_struct *mm)
56183 * Walk the list again, actually closing and freeing it,
56184 * with preemption enabled, without holding any MM locks.
56188 + vma->vm_mirror = NULL;
56189 vma = remove_vma(vma);
56192 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
56194 @@ -2321,6 +2754,13 @@ int insert_vm_struct(struct mm_struct *
56195 struct vm_area_struct * __vma, * prev;
56196 struct rb_node ** rb_link, * rb_parent;
56198 +#ifdef CONFIG_PAX_SEGMEXEC
56199 + struct vm_area_struct *vma_m = NULL;
56202 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
56206 * The vm_pgoff of a purely anonymous vma should be irrelevant
56207 * until its first write fault, when page's anon_vma and index
56208 @@ -2343,7 +2783,22 @@ int insert_vm_struct(struct mm_struct *
56209 if ((vma->vm_flags & VM_ACCOUNT) &&
56210 security_vm_enough_memory_mm(mm, vma_pages(vma)))
56213 +#ifdef CONFIG_PAX_SEGMEXEC
56214 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
56215 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
56221 vma_link(mm, vma, prev, rb_link, rb_parent);
56223 +#ifdef CONFIG_PAX_SEGMEXEC
56225 + BUG_ON(pax_mirror_vma(vma_m, vma));
56231 @@ -2361,6 +2816,8 @@ struct vm_area_struct *copy_vma(struct v
56232 struct rb_node **rb_link, *rb_parent;
56233 struct mempolicy *pol;
56235 + BUG_ON(vma->vm_mirror);
56238 * If anonymous vma has not yet been faulted, update new pgoff
56239 * to match new location, to increase its chance of merging.
56240 @@ -2410,6 +2867,39 @@ struct vm_area_struct *copy_vma(struct v
56241 kmem_cache_free(vm_area_cachep, new_vma);
56245 +#ifdef CONFIG_PAX_SEGMEXEC
56246 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
56248 + struct vm_area_struct *prev_m;
56249 + struct rb_node **rb_link_m, *rb_parent_m;
56250 + struct mempolicy *pol_m;
56252 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
56253 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
56254 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
56256 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
56257 + if (anon_vma_clone(vma_m, vma))
56259 + pol_m = vma_policy(vma_m);
56261 + vma_set_policy(vma_m, pol_m);
56262 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
56263 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
56264 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
56265 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
56266 + if (vma_m->vm_file)
56267 + get_file(vma_m->vm_file);
56268 + if (vma_m->vm_ops && vma_m->vm_ops->open)
56269 + vma_m->vm_ops->open(vma_m);
56270 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
56271 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
56272 + vma_m->vm_mirror = vma;
56273 + vma->vm_mirror = vma_m;
56279 * Return true if the calling process may expand its vm space by the passed
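Review bot: pax_mirror_vma() discards the result of find_vma_prepare() at line 56270 and calls vma_link() unconditionally, so if the mirror range is already occupied the new vma is linked over an existing one; the callers either clear the range beforehand (mprotect_fixup's __do_munmap at line 56432) or rely on it being free, but nothing here verifies it. Moving the find_vma_prepare() call ahead of the get_file()/vm_ops->open() references and failing when the returned vma starts below `vma_m->vm_end` would make the precondition checked rather than assumed. The function also needs a header comment; from the visible body it expects `vma_m` to already hold a copy of `vma` (start and end are shifted in place at lines 56262–56263 and the policies must already compare equal at line 56254), strips the write, accounting and lock bits, takes the file and vm_ops references, links the mirror, and returns non-zero when anon_vma_clone() fails (line 56258, not shown).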
56280 @@ -2421,7 +2911,7 @@ int may_expand_vm(struct mm_struct *mm,
56283 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
56285 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
56286 if (cur + npages > lim)
56289 @@ -2492,6 +2982,22 @@ int install_special_mapping(struct mm_st
56290 vma->vm_start = addr;
56291 vma->vm_end = addr + len;
56293 +#ifdef CONFIG_PAX_MPROTECT
56294 + if (mm->pax_flags & MF_PAX_MPROTECT) {
56295 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
56296 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
56298 + if (!(vm_flags & VM_EXEC))
56299 + vm_flags &= ~VM_MAYEXEC;
56301 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
56302 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
56305 + vm_flags &= ~VM_MAYWRITE;
56309 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
56310 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
56312 diff -urNp linux-2.6.38.4/mm/mprotect.c linux-2.6.38.4/mm/mprotect.c
56313 --- linux-2.6.38.4/mm/mprotect.c 2011-03-14 21:20:32.000000000 -0400
56314 +++ linux-2.6.38.4/mm/mprotect.c 2011-04-17 15:57:33.000000000 -0400
56315 @@ -23,10 +23,16 @@
56316 #include <linux/mmu_notifier.h>
56317 #include <linux/migrate.h>
56318 #include <linux/perf_event.h>
56320 +#ifdef CONFIG_PAX_MPROTECT
56321 +#include <linux/elf.h>
56324 #include <asm/uaccess.h>
56325 #include <asm/pgtable.h>
56326 #include <asm/cacheflush.h>
56327 #include <asm/tlbflush.h>
56328 +#include <asm/mmu_context.h>
56330 #ifndef pgprot_modify
56331 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
56332 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
56333 flush_tlb_range(vma, start, end);
56336 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
56337 +/* called while holding the mmap semaphor for writing except stack expansion */
56338 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
56340 + unsigned long oldlimit, newlimit = 0UL;
56342 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
56345 + spin_lock(&mm->page_table_lock);
56346 + oldlimit = mm->context.user_cs_limit;
56347 + if ((prot & VM_EXEC) && oldlimit < end)
56348 + /* USER_CS limit moved up */
56350 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
56351 + /* USER_CS limit moved down */
56352 + newlimit = start;
56355 + mm->context.user_cs_limit = newlimit;
56359 + cpus_clear(mm->context.cpu_user_cs_mask);
56360 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
56363 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
56365 + spin_unlock(&mm->page_table_lock);
56366 + if (newlimit == end) {
56367 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
56369 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
56370 + if (is_vm_hugetlb_page(vma))
56371 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
56373 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
56379 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
56380 unsigned long start, unsigned long end, unsigned long newflags)
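Review bot: track_exec_limit (L34306) has no kernel-doc, and its only comment, `/* called while holding the mmap semaphor for writing except stack expansion */`, documents locking alone (and misspells semaphore) — nothing states that `prot` is a VM_* flag word tested against VM_EXEC (L34311, L34313) or that the function presumably returns early unless MF_PAX_PAGEEXEC is set and the CPU lacks NX (L34308). I'd put above the definition: `/* Track the highest executable address in mm for the USER_CS-limit based PAGEEXEC on CPUs without NX. @prot holds the VM_* flags that now apply to [start, end); no-op when NX is available. Caller holds mmap_sem for writing (stack expansion excepted). */`. The re-protection pass at L34321-L34326 runs after page_table_lock is dropped and walks vma->vm_next, so for the stack-expansion caller that does not hold mmap_sem for writing a sentence on why that walk is safe would help. The function's body continues past the visible lines.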
56381 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
56383 int dirty_accountable = 0;
56385 +#ifdef CONFIG_PAX_SEGMEXEC
56386 + struct vm_area_struct *vma_m = NULL;
56387 + unsigned long start_m, end_m;
56389 + start_m = start + SEGMEXEC_TASK_SIZE;
56390 + end_m = end + SEGMEXEC_TASK_SIZE;
56393 if (newflags == oldflags) {
56398 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
56399 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
56401 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
56404 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
56409 * If we make a private mapping writable we increase our commit;
56410 * but (without finer accounting) cannot reduce our commit if we
56411 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
56415 +#ifdef CONFIG_PAX_SEGMEXEC
56416 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
56417 + if (start != vma->vm_start) {
56418 + error = split_vma(mm, vma, start, 1);
56421 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
56422 + *pprev = (*pprev)->vm_next;
56425 + if (end != vma->vm_end) {
56426 + error = split_vma(mm, vma, end, 0);
56431 + if (pax_find_mirror_vma(vma)) {
56432 + error = __do_munmap(mm, start_m, end_m - start_m);
56436 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
56441 + vma->vm_flags = newflags;
56442 + error = pax_mirror_vma(vma_m, vma);
56444 + vma->vm_flags = oldflags;
56452 * First try to merge with previous and/or next vma.
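Review bot: In the SEGMEXEC block at L34344-L34357 the vm_area_struct allocated at L34354 (`vma_m`) is consumed only by pax_mirror_vma at L34356, and the lines after L34357 are cut, so I cannot see whether `vma_m` is released when pax_mirror_vma returns an error; if it is not, that path leaks a vm_area_struct. The temporary flip `vma->vm_flags = newflags; … vma->vm_flags = oldflags;` around the call is also uncommented; if it exists because pax_mirror_vma copies vm_flags from vma, say so: `/* pax_mirror_vma() copies vm_flags; stage the new flags for the call, the real update happens at the success label */`. mprotect_fixup continues outside the hunk.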
56454 @@ -204,9 +306,21 @@ success:
56455 * vm_flags and vm_page_prot are protected by the mmap_sem
56456 * held in write mode.
56459 +#ifdef CONFIG_PAX_SEGMEXEC
56460 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
56461 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
56464 vma->vm_flags = newflags;
56466 +#ifdef CONFIG_PAX_MPROTECT
56467 + if (mm->binfmt && mm->binfmt->handle_mprotect)
56468 + mm->binfmt->handle_mprotect(vma, newflags);
56471 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
56472 - vm_get_page_prot(newflags));
56473 + vm_get_page_prot(vma->vm_flags));
56475 if (vma_wants_writenotify(vma)) {
56476 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
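Review bot: L34364 dereferences the return value of pax_find_mirror_vma(vma) unconditionally, while the same call is NULL-tested at L34352 and at L34415 in mremap.c; if MF_PAX_SEGMEXEC guarantees a mirror on this path, make that explicit (`BUG_ON(!vma_m)` or a comment), otherwise a NULL check is needed. The switch at L34371 from `vm_get_page_prot(newflags)` to `vm_get_page_prot(vma->vm_flags)` is silent about why; since handle_mprotect (L34368) gets the vma just before, I'd add `/* handle_mprotect() may have adjusted vma->vm_flags; derive the protection from the final flags */` if that is the reason. Note that L34373 still derives the writenotify case from `newflags`, which may or may not be intended.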
56477 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56482 +#ifdef CONFIG_PAX_SEGMEXEC
56483 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
56484 + if (end > SEGMEXEC_TASK_SIZE)
56489 + if (end > TASK_SIZE)
56492 if (!arch_validate_prot(prot))
56495 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56497 * Does the application expect PROT_READ to imply PROT_EXEC:
56499 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
56500 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
56503 vm_flags = calc_vm_prot_bits(prot);
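Review bot: The comment at L34381, `* Does the application expect PROT_READ to imply PROT_EXEC:`, is now stale because the condition at L34383 also treats PROT_WRITE as implying PROT_EXEC. I'd change it to `* Does the application expect PROT_READ (or PROT_WRITE) to imply PROT_EXEC:` and add one sentence on why writable mappings are included under READ_IMPLIES_EXEC, since that departs from the historical personality semantics.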
56504 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56505 if (start > vma->vm_start)
56508 +#ifdef CONFIG_PAX_MPROTECT
56509 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
56510 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
56513 for (nstart = start ; ; ) {
56514 unsigned long newflags;
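Review bot: The handle_mprotect call at L34388-L34389 runs once, on the first vma of the range with the raw vm_flags, before the per-vma loop at L34390, whereas mprotect_fixup already invokes the same hook for every vma with its final newflags (L34367-L34368). If the early call is meant as a pre-check before any vma is split or rewritten, a comment such as `/* let the binfmt see the request before the range is modified; per-vma handling happens in mprotect_fixup() */` would make the double call look intentional rather than redundant.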
56516 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56518 /* newflags >> 4 shift VM_MAY% in place of VM_% */
56519 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
56520 + if (prot & (PROT_WRITE | PROT_EXEC))
56521 + gr_log_rwxmprotect(vma->vm_file);
56527 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
56531 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56532 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
56536 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
56540 if (nstart < prev->vm_end)
56541 diff -urNp linux-2.6.38.4/mm/mremap.c linux-2.6.38.4/mm/mremap.c
56542 --- linux-2.6.38.4/mm/mremap.c 2011-04-18 17:27:18.000000000 -0400
56543 +++ linux-2.6.38.4/mm/mremap.c 2011-04-17 16:53:48.000000000 -0400
56544 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
56546 pte = ptep_clear_flush(vma, old_addr, old_pte);
56547 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
56549 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
56550 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
56551 + pte = pte_exprotect(pte);
56554 set_pte_at(mm, new_addr, new_pte, pte);
56557 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
56558 if (is_vm_hugetlb_page(vma))
56561 +#ifdef CONFIG_PAX_SEGMEXEC
56562 + if (pax_find_mirror_vma(vma))
56566 /* We can't remap across vm area boundaries */
56567 if (old_len > vma->vm_end - addr)
56569 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
56570 unsigned long ret = -EINVAL;
56571 unsigned long charged = 0;
56572 unsigned long map_flags;
56573 + unsigned long pax_task_size = TASK_SIZE;
56575 if (new_addr & ~PAGE_MASK)
56578 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
56579 +#ifdef CONFIG_PAX_SEGMEXEC
56580 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
56581 + pax_task_size = SEGMEXEC_TASK_SIZE;
56584 + pax_task_size -= PAGE_SIZE;
56586 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
56589 /* Check if the location we're moving into overlaps the
56590 * old location at all, and fail if it does.
56592 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
56595 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
56596 + if (addr + old_len > new_addr && new_addr + new_len > addr)
56599 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
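Review bot: L34429 still bounds `new_len` by TASK_SIZE while subtracting it from `pax_task_size`; under SEGMEXEC pax_task_size is smaller (L34426-L34428), so a new_len between the two values makes `pax_task_size - new_len` wrap and the `new_addr >` test passes. do_mremap rejects such a length earlier (L34447-L34448), so this is not reachable today, but mremap_to should not depend on its caller: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The rewritten overlap test at L34434 is correct and simpler than the two it replaces.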
56600 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
56601 struct vm_area_struct *vma;
56602 unsigned long ret = -EINVAL;
56603 unsigned long charged = 0;
56604 + unsigned long pax_task_size = TASK_SIZE;
56606 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
56608 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
56612 +#ifdef CONFIG_PAX_SEGMEXEC
56613 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
56614 + pax_task_size = SEGMEXEC_TASK_SIZE;
56617 + pax_task_size -= PAGE_SIZE;
56619 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
56620 + old_len > pax_task_size || addr > pax_task_size-old_len)
56623 if (flags & MREMAP_FIXED) {
56624 if (flags & MREMAP_MAYMOVE)
56625 ret = mremap_to(addr, old_len, new_addr, new_len);
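Review bot: The unconditional `pax_task_size -= PAGE_SIZE;` at L34446 (and its twin at L34428 in mremap_to) reserves one page below the address-space limit without saying why; a comment such as `/* keep one guard page below the task size limit */` would do, if that is the intent. The checks at L34447-L34448 are wrap-safe only because `new_len > pax_task_size` and `old_len > pax_task_size` are evaluated before the subtractions that use them; that ordering is worth a note, since mremap_to (L34429) does not follow the same pattern.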
56626 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
56630 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
56634 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
56635 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
56639 + map_flags = vma->vm_flags;
56640 ret = move_vma(vma, addr, old_len, new_len, new_addr);
56641 + if (!(ret & ~PAGE_MASK)) {
56642 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
56643 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
56647 if (ret & ~PAGE_MASK)
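Review bot: The snapshot `map_flags = vma->vm_flags;` at L34456 is taken before move_vma and consumed at L34460 with no explanation; I'd add `/* vma may be freed or merged by move_vma(); keep its flags for track_exec_limit() */` if that is the reason (the visible lines do not show vma being used after the move). The two calls at L34459-L34460 first drop the old range with prot 0 and then register the new range, which reads fine, but the `!(ret & ~PAGE_MASK)` test duplicates the one at L34461; folding the tracking into an else branch of the existing check would avoid the repeated test.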
56648 diff -urNp linux-2.6.38.4/mm/nommu.c linux-2.6.38.4/mm/nommu.c
56649 --- linux-2.6.38.4/mm/nommu.c 2011-03-14 21:20:32.000000000 -0400
56650 +++ linux-2.6.38.4/mm/nommu.c 2011-04-17 15:57:33.000000000 -0400
56651 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
56652 int sysctl_overcommit_ratio = 50; /* default is 50% */
56653 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
56654 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
56655 -int heap_stack_gap = 0;
56657 atomic_long_t mmap_pages_allocated;
56659 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
56660 EXPORT_SYMBOL(find_vma);
56664 - * - we don't extend stack VMAs under NOMMU conditions
56666 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
56668 - return find_vma(mm, addr);
56672 * expand a stack to a given address
56673 * - not supported under NOMMU conditions
56675 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
56677 /* most fields are the same, copy all, and then fixup */
56679 + INIT_LIST_HEAD(&new->anon_vma_chain);
56680 *region = *vma->vm_region;
56681 new->vm_region = region;
56683 diff -urNp linux-2.6.38.4/mm/page_alloc.c linux-2.6.38.4/mm/page_alloc.c
56684 --- linux-2.6.38.4/mm/page_alloc.c 2011-04-18 17:27:16.000000000 -0400
56685 +++ linux-2.6.38.4/mm/page_alloc.c 2011-04-17 15:57:33.000000000 -0400
56686 @@ -644,6 +644,10 @@ static bool free_pages_prepare(struct pa
56690 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
56691 + unsigned long index = 1UL << order;
56694 trace_mm_page_free_direct(page, order);
56695 kmemcheck_free_shadow(page, order);
56697 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
56698 debug_check_no_obj_freed(page_address(page),
56699 PAGE_SIZE << order);
56702 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
56703 + for (; index; --index)
56704 + sanitize_highpage(page + index - 1);
56707 arch_free_page(page, order);
56708 kernel_map_pages(page, 1 << order, 0);
56710 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
56711 arch_alloc_page(page, order);
56712 kernel_map_pages(page, 1 << order, 1);
56714 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
56715 if (gfp_flags & __GFP_ZERO)
56716 prep_zero_page(page, order, gfp_flags);
56719 if (order && (gfp_flags & __GFP_COMP))
56720 prep_compound_page(page, order);
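Review bot: Wrapping the __GFP_ZERO handling at L34503-L34504 in `#ifndef CONFIG_PAX_MEMORY_SANITIZE` makes every zeroed allocation rely on the page having been wiped in free_pages_prepare (the loop at L34495-L34496), and nothing at the allocation site says so. I'd add `/* CONFIG_PAX_MEMORY_SANITIZE: pages are wiped in free_pages_prepare(), so __GFP_ZERO needs no work here */` above L34502 and state the invariant it depends on: any page that enters the buddy allocator without passing through free_pages_prepare (if such a path exists, e.g. at boot) would be handed to a __GFP_ZERO caller non-zeroed. The same invariant should be mentioned at the sanitize loop, since the two sites must stay paired.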
56721 diff -urNp linux-2.6.38.4/mm/percpu.c linux-2.6.38.4/mm/percpu.c
56722 --- linux-2.6.38.4/mm/percpu.c 2011-03-14 21:20:32.000000000 -0400
56723 +++ linux-2.6.38.4/mm/percpu.c 2011-04-17 15:57:33.000000000 -0400
56724 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
56725 static unsigned int pcpu_last_unit_cpu __read_mostly;
56727 /* the address of the first chunk which starts with the kernel static area */
56728 -void *pcpu_base_addr __read_mostly;
56729 +void *pcpu_base_addr __read_only;
56730 EXPORT_SYMBOL_GPL(pcpu_base_addr);
56732 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
56733 diff -urNp linux-2.6.38.4/mm/rmap.c linux-2.6.38.4/mm/rmap.c
56734 --- linux-2.6.38.4/mm/rmap.c 2011-03-14 21:20:32.000000000 -0400
56735 +++ linux-2.6.38.4/mm/rmap.c 2011-04-17 15:57:33.000000000 -0400
56736 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
56737 struct anon_vma *anon_vma = vma->anon_vma;
56738 struct anon_vma_chain *avc;
56740 +#ifdef CONFIG_PAX_SEGMEXEC
56741 + struct anon_vma_chain *avc_m = NULL;
56745 if (unlikely(!anon_vma)) {
56746 struct mm_struct *mm = vma->vm_mm;
56747 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
56751 +#ifdef CONFIG_PAX_SEGMEXEC
56752 + avc_m = anon_vma_chain_alloc();
56754 + goto out_enomem_free_avc;
56757 anon_vma = find_mergeable_anon_vma(vma);
56760 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
56761 /* page_table_lock to protect against threads */
56762 spin_lock(&mm->page_table_lock);
56763 if (likely(!vma->anon_vma)) {
56765 +#ifdef CONFIG_PAX_SEGMEXEC
56766 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
56769 + BUG_ON(vma_m->anon_vma);
56770 + vma_m->anon_vma = anon_vma;
56771 + avc_m->anon_vma = anon_vma;
56772 + avc_m->vma = vma;
56773 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
56774 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
56779 vma->anon_vma = anon_vma;
56780 avc->anon_vma = anon_vma;
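Review bot: At L34541 the mirror's chain entry is set to `avc_m->vma = vma` (the primary vma) while it is linked into `vma_m->anon_vma_chain` at L34542; every other entry in this function points its `vma` at the vma whose chain it sits on. If the intent is that rmap walkers over anon_vma->head resolve the mirror entry to the primary vma (with the mirror's PTEs reached another way), a comment saying so would stop the next reader from "fixing" it to `vma_m`; if not, it looks like it should be `vma_m`. Also, `avc_m` is allocated unconditionally at L34529 even when the vma has no mirror and relies on the release at L34550-L34551; the NULL test on vma_m between L34537 and L34538 is cut from the hunk.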
56782 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
56784 if (unlikely(allocated))
56785 anon_vma_free(allocated);
56787 +#ifdef CONFIG_PAX_SEGMEXEC
56788 + if (unlikely(avc_m))
56789 + anon_vma_chain_free(avc_m);
56793 anon_vma_chain_free(avc);
56797 out_enomem_free_avc:
56799 +#ifdef CONFIG_PAX_SEGMEXEC
56801 + anon_vma_chain_free(avc_m);
56804 anon_vma_chain_free(avc);
56807 @@ -189,7 +226,7 @@ static void anon_vma_chain_link(struct v
56808 * Attach the anon_vmas from src to dst.
56809 * Returns 0 on success, -ENOMEM on failure.
56811 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
56812 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
56814 struct anon_vma_chain *avc, *pavc;
56816 @@ -211,7 +248,7 @@ int anon_vma_clone(struct vm_area_struct
56817 * the corresponding VMA in the parent process is attached to.
56818 * Returns 0 on success, non-zero on failure.
56820 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
56821 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
56823 struct anon_vma_chain *avc;
56824 struct anon_vma *anon_vma;
56825 diff -urNp linux-2.6.38.4/mm/shmem.c linux-2.6.38.4/mm/shmem.c
56826 --- linux-2.6.38.4/mm/shmem.c 2011-04-18 17:27:16.000000000 -0400
56827 +++ linux-2.6.38.4/mm/shmem.c 2011-04-18 22:03:12.000000000 -0400
56829 #include <linux/percpu_counter.h>
56830 #include <linux/swap.h>
56832 -static struct vfsmount *shm_mnt;
56833 +struct vfsmount *shm_mnt;
56835 #ifdef CONFIG_SHMEM
56837 @@ -1070,6 +1070,8 @@ static int shmem_writepage(struct page *
56840 entry = shmem_swp_entry(info, index, NULL);
56845 * The more uptodate page coming down from a stacked
56846 @@ -1995,7 +1997,7 @@ static int shmem_symlink(struct inode *d
56848 info = SHMEM_I(inode);
56849 inode->i_size = len-1;
56850 - if (len <= (char *)inode - (char *)info) {
56851 + if (len <= min((char *)inode - (char *)info, 64)) {
56853 memcpy(info, symname, len);
56854 inode->i_op = &shmem_symlink_inline_operations;
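Review bot: The new bound at L34585, `min((char *)inode - (char *)info, 64)`, mixes a ptrdiff_t with an int; on 64-bit builds those are different types and the kernel's min() macro type-checks its operands, so this should be expected to warn — `min_t(long, (char *)inode - (char *)info, 64L)` avoids that. The `64` is also a magic number: a one-line comment on why the inline-symlink space is capped at 64 bytes regardless of how much room lies between info and inode would document the hardening intent.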
56855 diff -urNp linux-2.6.38.4/mm/slab.c linux-2.6.38.4/mm/slab.c
56856 --- linux-2.6.38.4/mm/slab.c 2011-04-18 17:27:16.000000000 -0400
56857 +++ linux-2.6.38.4/mm/slab.c 2011-04-18 22:03:34.000000000 -0400
56858 @@ -150,7 +150,7 @@
56860 /* Legal flag mask for kmem_cache_create(). */
56862 -# define CREATE_MASK (SLAB_RED_ZONE | \
56863 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
56864 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
56866 SLAB_STORE_USER | \
56867 @@ -158,7 +158,7 @@
56868 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
56869 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
56871 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
56872 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
56874 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
56875 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
56876 @@ -284,7 +284,7 @@ struct kmem_list3 {
56877 * Need this for bootstrapping a per node allocator.
56879 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
56880 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
56881 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
56882 #define CACHE_CACHE 0
56883 #define SIZE_AC MAX_NUMNODES
56884 #define SIZE_L3 (2 * MAX_NUMNODES)
56885 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
56886 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
56888 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
56889 - const struct slab *slab, void *obj)
56890 + const struct slab *slab, const void *obj)
56892 u32 offset = (obj - slab->s_mem);
56893 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
56894 @@ -560,14 +560,14 @@ struct cache_names {
56895 static struct cache_names __initdata cache_names[] = {
56896 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
56897 #include <linux/kmalloc_sizes.h>
56903 static struct arraycache_init initarray_cache __initdata =
56904 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
56905 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
56906 static struct arraycache_init initarray_generic =
56907 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
56908 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
56910 /* internal cache of cache description objs */
56911 static struct kmem_cache cache_cache = {
56912 @@ -1526,7 +1526,7 @@ void __init kmem_cache_init(void)
56913 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
56914 sizes[INDEX_AC].cs_size,
56915 ARCH_KMALLOC_MINALIGN,
56916 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
56917 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
56920 if (INDEX_AC != INDEX_L3) {
56921 @@ -1534,7 +1534,7 @@ void __init kmem_cache_init(void)
56922 kmem_cache_create(names[INDEX_L3].name,
56923 sizes[INDEX_L3].cs_size,
56924 ARCH_KMALLOC_MINALIGN,
56925 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
56926 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
56930 @@ -1552,7 +1552,7 @@ void __init kmem_cache_init(void)
56931 sizes->cs_cachep = kmem_cache_create(names->name,
56933 ARCH_KMALLOC_MINALIGN,
56934 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
56935 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
56938 #ifdef CONFIG_ZONE_DMA
56939 @@ -4535,15 +4535,66 @@ static const struct file_operations proc
56941 static int __init slab_proc_init(void)
56943 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
56944 + mode_t gr_mode = S_IRUGO;
56946 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
56947 + gr_mode = S_IRUSR;
56950 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
56951 #ifdef CONFIG_DEBUG_SLAB_LEAK
56952 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
56953 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
56957 module_init(slab_proc_init);
56960 +void check_object_size(const void *ptr, unsigned long n, bool to)
56963 +#ifdef CONFIG_PAX_USERCOPY
56964 + struct page *page;
56965 + struct kmem_cache *cachep = NULL;
56966 + struct slab *slabp;
56967 + unsigned int objnr;
56968 + unsigned long offset;
56973 + if (ZERO_OR_NULL_PTR(ptr))
56976 + if (!virt_addr_valid(ptr))
56979 + page = virt_to_head_page(ptr);
56981 + if (!PageSlab(page)) {
56982 + if (object_is_on_stack(ptr, n) == -1)
56987 + cachep = page_get_cache(page);
56988 + if (!(cachep->flags & SLAB_USERCOPY))
56991 + slabp = page_get_slab(page);
56992 + objnr = obj_to_index(cachep, slabp, ptr);
56993 + BUG_ON(objnr >= cachep->num);
56994 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
56995 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
56999 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
57003 +EXPORT_SYMBOL(check_object_size);
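Review bot: check_object_size (L34661) is a new exported API with no kernel-doc; the same applies to the slob (L34781) and slub (L34892) versions. The doc should state what `n` and `to` are (`to` is only passed through to pax_report_usercopy at L34680, so its direction convention is invisible here), which pointers are accepted without inspection (ZERO_OR_NULL_PTR at L34668, non-virt_addr_valid at L34669, non-slab non-stack at L34671-L34672), and that a bad copy ends in pax_report_usercopy rather than a return value. The `offset` arithmetic at L34678-L34679 deserves a line too: offset is unsigned long, so a ptr lying before the object start wraps to a huge value and fails `offset <= obj_size(cachep)`, which is presumably the intended rejection for that case.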
57006 * ksize - get the actual amount of memory allocated for a given object
57007 * @objp: Pointer to the object
57008 diff -urNp linux-2.6.38.4/mm/slob.c linux-2.6.38.4/mm/slob.c
57009 --- linux-2.6.38.4/mm/slob.c 2011-03-14 21:20:32.000000000 -0400
57010 +++ linux-2.6.38.4/mm/slob.c 2011-04-17 15:57:33.000000000 -0400
57012 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
57013 * alloc_pages() directly, allocating compound pages so the page order
57014 * does not have to be separately tracked, and also stores the exact
57015 - * allocation size in page->private so that it can be used to accurately
57016 + * allocation size in slob_page->size so that it can be used to accurately
57017 * provide ksize(). These objects are detected in kfree() because slob_page()
57018 * is false for them.
57023 #include <linux/kernel.h>
57024 +#include <linux/sched.h>
57025 #include <linux/slab.h>
57026 #include <linux/mm.h>
57027 #include <linux/swap.h> /* struct reclaim_state */
57028 @@ -102,7 +103,8 @@ struct slob_page {
57029 unsigned long flags; /* mandatory */
57030 atomic_t _count; /* mandatory */
57031 slobidx_t units; /* free units left in page */
57032 - unsigned long pad[2];
57033 + unsigned long pad[1];
57034 + unsigned long size; /* size when >=PAGE_SIZE */
57035 slob_t *free; /* first free slob_t in page */
57036 struct list_head list; /* linked list of free pages */
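Review bot: The new `size` member at L34705 takes one word of the pad that kept struct slob_page overlaying struct page, and is_slob_page at L34711 now treats a nonzero size as "not a small-object page"; the code therefore depends on that word being zero for every page slob_alloc hands out. A comment next to the field naming which struct page member it aliases, why that member is zero while the page is owned by slob, and where `size` is cleared again on free (around clear_slob_page at L34777, presumably) would make the invariant checkable; the visible hunks show no explicit clear.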
57038 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
57040 static inline int is_slob_page(struct slob_page *sp)
57042 - return PageSlab((struct page *)sp);
57043 + return PageSlab((struct page *)sp) && !sp->size;
57046 static inline void set_slob_page(struct slob_page *sp)
57047 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
57049 static inline struct slob_page *slob_page(const void *addr)
57051 - return (struct slob_page *)virt_to_page(addr);
57052 + return (struct slob_page *)virt_to_head_page(addr);
57056 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
57058 * Return the size of a slob block.
57060 -static slobidx_t slob_units(slob_t *s)
57061 +static slobidx_t slob_units(const slob_t *s)
57065 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
57067 * Return the next free slob block pointer after this one.
57069 -static slob_t *slob_next(slob_t *s)
57070 +static slob_t *slob_next(const slob_t *s)
57072 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
57074 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
57076 * Returns true if s is the last free block in its page.
57078 -static int slob_last(slob_t *s)
57079 +static int slob_last(const slob_t *s)
57081 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
57083 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
57087 + set_slob_page(page);
57088 return page_address(page);
57091 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
57095 - set_slob_page(sp);
57097 spin_lock_irqsave(&slob_lock, flags);
57098 sp->units = SLOB_UNITS(PAGE_SIZE);
57101 INIT_LIST_HEAD(&sp->list);
57102 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
57103 set_slob_page_free(sp, slob_list);
57104 @@ -476,10 +479,9 @@ out:
57105 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
57108 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
57109 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
57112 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57116 lockdep_trace_alloc(gfp);
57117 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
57122 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
57123 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
57124 + m[0].units = size;
57125 + m[1].units = align;
57126 ret = (void *)m + align;
57128 trace_kmalloc_node(_RET_IP_, ret,
57129 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
57131 ret = slob_new_pages(gfp, order, node);
57133 - struct page *page;
57134 - page = virt_to_page(ret);
57135 - page->private = size;
57136 + struct slob_page *sp;
57137 + sp = slob_page(ret);
57141 trace_kmalloc_node(_RET_IP_, ret,
57142 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
57143 kmemleak_alloc(ret, size, 1, gfp);
57147 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
57149 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57151 + return __kmalloc_node_align(size, gfp, node, align);
57153 EXPORT_SYMBOL(__kmalloc_node);
57155 void kfree(const void *block)
57156 @@ -531,13 +543,81 @@ void kfree(const void *block)
57157 sp = slob_page(block);
57158 if (is_slob_page(sp)) {
57159 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57160 - unsigned int *m = (unsigned int *)(block - align);
57161 - slob_free(m, *m + align);
57163 + slob_t *m = (slob_t *)(block - align);
57164 + slob_free(m, m[0].units + align);
57166 + clear_slob_page(sp);
57167 + free_slob_page(sp);
57169 put_page(&sp->page);
57172 EXPORT_SYMBOL(kfree);
57174 +void check_object_size(const void *ptr, unsigned long n, bool to)
57177 +#ifdef CONFIG_PAX_USERCOPY
57178 + struct slob_page *sp;
57179 + const slob_t *free;
57180 + const void *base;
57185 + if (ZERO_OR_NULL_PTR(ptr))
57188 + if (!virt_addr_valid(ptr))
57191 + sp = slob_page(ptr);
57192 + if (!PageSlab((struct page*)sp)) {
57193 + if (object_is_on_stack(ptr, n) == -1)
57199 + base = page_address(&sp->page);
57200 + if (base <= ptr && n <= sp->size - (ptr - base))
57205 + /* some tricky double walking to find the chunk */
57206 + base = (void *)((unsigned long)ptr & PAGE_MASK);
57209 + while (!slob_last(free) && (void *)free <= ptr) {
57210 + base = free + slob_units(free);
57211 + free = slob_next(free);
57214 + while (base < (void *)free) {
57215 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
57216 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
57219 + if (ptr < base + align)
57222 + offset = ptr - base - align;
57223 + if (offset < m) {
57224 + if (n <= m - offset)
57232 + pax_report_usercopy(ptr, n, to, NULL);
57236 +EXPORT_SYMBOL(check_object_size);
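Review bot: The chunk walk at L34795-L34804 follows the page's free list via slob_next and reads the size/align header of each allocated chunk without taking slob_lock, while slob_alloc/slob_free on the same page may be rewriting that list from another CPU. Since slob_next stays inside the page (L34725), the worst outcome is probably a spurious or missed pax_report_usercopy rather than a wild read, but that trade-off should be written down, e.g. `/* lockless: the caller owns ptr's chunk, neighbours may change under us; a stale free list can only mis-classify, not fault */` — or take slob_lock around the walk if misclassification is not acceptable. The walk also assumes every allocated chunk carries the two-unit size/align header written at L34750-L34751, which holds only because kmem_cache_alloc_node goes through __kmalloc_node_align under CONFIG_PAX_USERCOPY (L34820-L34821); that coupling deserves a comment at the `base` loop as well.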
57238 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
57239 size_t ksize(const void *block)
57241 @@ -550,10 +630,10 @@ size_t ksize(const void *block)
57242 sp = slob_page(block);
57243 if (is_slob_page(sp)) {
57244 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57245 - unsigned int *m = (unsigned int *)(block - align);
57246 - return SLOB_UNITS(*m) * SLOB_UNIT;
57247 + slob_t *m = (slob_t *)(block - align);
57248 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
57250 - return sp->page.private;
57253 EXPORT_SYMBOL(ksize);
57255 @@ -608,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
57259 +#ifdef CONFIG_PAX_USERCOPY
57260 + b = __kmalloc_node_align(c->size, flags, node, c->align);
57262 if (c->size < PAGE_SIZE) {
57263 b = slob_alloc(c->size, flags, c->align, node);
57264 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
57265 SLOB_UNITS(c->size) * SLOB_UNIT,
57268 + struct slob_page *sp;
57270 b = slob_new_pages(flags, get_order(c->size), node);
57271 + sp = slob_page(b);
57272 + sp->size = c->size;
57273 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
57274 PAGE_SIZE << get_order(c->size),
57281 @@ -630,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
57283 static void __kmem_cache_free(void *b, int size)
57285 - if (size < PAGE_SIZE)
57286 + struct slob_page *sp = slob_page(b);
57288 + if (is_slob_page(sp))
57289 slob_free(b, size);
57292 + clear_slob_page(sp);
57293 + free_slob_page(sp);
57295 slob_free_pages(b, get_order(size));
57299 static void kmem_rcu_free(struct rcu_head *head)
57300 @@ -646,14 +740,23 @@ static void kmem_rcu_free(struct rcu_hea
57302 void kmem_cache_free(struct kmem_cache *c, void *b)
57304 + int size = c->size;
57306 +#ifdef CONFIG_PAX_USERCOPY
57307 + if (size + c->align < PAGE_SIZE) {
57308 + size += c->align;
57313 kmemleak_free_recursive(b, c->flags);
57314 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
57315 struct slob_rcu *slob_rcu;
57316 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
57317 - slob_rcu->size = c->size;
57318 + slob_rcu = b + (size - sizeof(struct slob_rcu));
57319 + slob_rcu->size = size;
57320 call_rcu(&slob_rcu->head, kmem_rcu_free);
57322 - __kmem_cache_free(b, c->size);
57323 + __kmem_cache_free(b, size);
57326 trace_kmem_cache_free(_RET_IP_, b);
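Review bot: The `size + c->align < PAGE_SIZE` test at L34846 must stay in lockstep with the small-allocation branch of __kmalloc_node_align (the path kmem_cache_alloc_node uses under CONFIG_PAX_USERCOPY at L34820-L34821), and the body that moves `b` back over the header is cut from the hunk. A cross-reference comment, `/* undo the size/align header that __kmalloc_node_align() prepends; keep this test identical to its small-object condition */`, would stop the two from drifting, since a mismatch would free a chunk with the wrong base or length.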
57327 diff -urNp linux-2.6.38.4/mm/slub.c linux-2.6.38.4/mm/slub.c
57328 --- linux-2.6.38.4/mm/slub.c 2011-03-14 21:20:32.000000000 -0400
57329 +++ linux-2.6.38.4/mm/slub.c 2011-04-17 15:57:33.000000000 -0400
57330 @@ -390,7 +390,7 @@ static void print_track(const char *s, s
57334 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
57335 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
57336 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
57339 @@ -1927,6 +1927,8 @@ void kmem_cache_free(struct kmem_cache *
57341 page = virt_to_head_page(x);
57343 + BUG_ON(!PageSlab(page));
57345 slab_free(s, page, x, _RET_IP_);
57347 trace_kmem_cache_free(_RET_IP_, x);
57348 @@ -1960,7 +1962,7 @@ static int slub_min_objects;
57349 * Merge control. If this is set then no merging of slab caches will occur.
57350 * (Could be removed. This was introduced to pacify the merge skeptics.)
57352 -static int slub_nomerge;
57353 +static int slub_nomerge = 1;
57356 * Calculate the order of allocation given an slab object size.
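Review bot: `static int slub_nomerge = 1;` at L34875 flips the default so that no caches merge, but the comment above it (L34872-L34873) still describes merging as the default with nomerge as an escape hatch. Presumably the reason is that caches marked SLAB_USERCOPY (L34918, L34921, L34924) must not be merged with caches that are not, or check_object_size at L34892 would accept copies from objects never meant to be user-accessible; if so, say it next to the initializer: `/* never merge: SLAB_USERCOPY caches must stay distinct for check_object_size() */`.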
57357 @@ -2370,7 +2372,7 @@ static int kmem_cache_open(struct kmem_c
57358 * list to avoid pounding the page allocator excessively.
57360 set_min_partial(s, ilog2(s->size));
57362 + atomic_set(&s->refcount, 1);
57364 s->remote_node_defrag_ratio = 1000;
57366 @@ -2482,8 +2484,7 @@ static inline int kmem_cache_close(struc
57367 void kmem_cache_destroy(struct kmem_cache *s)
57369 down_write(&slub_lock);
57371 - if (!s->refcount) {
57372 + if (atomic_dec_and_test(&s->refcount)) {
57373 list_del(&s->list);
57374 if (kmem_cache_close(s)) {
57375 printk(KERN_ERR "SLUB %s: %s called for cache that "
57376 @@ -2693,6 +2694,46 @@ void *__kmalloc_node(size_t size, gfp_t
57377 EXPORT_SYMBOL(__kmalloc_node);
57380 +void check_object_size(const void *ptr, unsigned long n, bool to)
57383 +#ifdef CONFIG_PAX_USERCOPY
57384 + struct page *page;
57385 + struct kmem_cache *s = NULL;
57386 + unsigned long offset;
57391 + if (ZERO_OR_NULL_PTR(ptr))
57394 + if (!virt_addr_valid(ptr))
57397 + page = virt_to_head_page(ptr);
57399 + if (!PageSlab(page)) {
57400 + if (object_is_on_stack(ptr, n) == -1)
57406 + if (!(s->flags & SLAB_USERCOPY))
57409 + offset = (ptr - page_address(page)) % s->size;
57410 + if (offset <= s->objsize && n <= s->objsize - offset)
57414 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
57418 +EXPORT_SYMBOL(check_object_size);
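Review bot: `offset = (ptr - page_address(page)) % s->size` at L34903 assumes the first object starts at the page base, objects repeat at stride s->size, and the user-visible data sits at offset 0 of each slot with any metadata after objsize; that matches this SLUB layout but is an assumption the allocator could change, so I'd record it: `/* objects start at page_address(page) and repeat every s->size bytes; metadata lives after objsize */`. The lines that obtain `s` from the page (between L34901 and L34902) are cut, so I cannot confirm `s` is non-NULL before `s->flags` at L34902.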
57420 size_t ksize(const void *object)
57423 @@ -2958,7 +2999,7 @@ static void __init kmem_cache_bootstrap_
57426 list_add(&s->list, &slab_caches);
57427 - s->refcount = -1;
57428 + atomic_set(&s->refcount, -1);
57430 for_each_node_state(node, N_NORMAL_MEMORY) {
57431 struct kmem_cache_node *n = get_node(s, node);
57432 @@ -3075,17 +3116,17 @@ void __init kmem_cache_init(void)
57434 /* Caches that are not of the two-to-the-power-of size */
57435 if (KMALLOC_MIN_SIZE <= 32) {
57436 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
57437 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
57441 if (KMALLOC_MIN_SIZE <= 64) {
57442 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
57443 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
57447 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
57448 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
57449 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
57453 @@ -3153,7 +3194,7 @@ static int slab_unmergeable(struct kmem_
57455 * We may have set a slab to be unmergeable during bootstrap.
57457 - if (s->refcount < 0)
57458 + if (atomic_read(&s->refcount) < 0)
57462 @@ -3212,7 +3253,7 @@ struct kmem_cache *kmem_cache_create(con
57463 down_write(&slub_lock);
57464 s = find_mergeable(size, align, flags, name, ctor);
57467 + atomic_inc(&s->refcount);
57469 * Adjust the object sizes so that we clear
57470 * the complete object on kzalloc.
57471 @@ -3221,7 +3262,7 @@ struct kmem_cache *kmem_cache_create(con
57472 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
57474 if (sysfs_slab_alias(s, name)) {
57476 + atomic_dec(&s->refcount);
57479 up_write(&slub_lock);
57480 @@ -3954,7 +3995,7 @@ SLAB_ATTR_RO(ctor);
57482 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
57484 - return sprintf(buf, "%d\n", s->refcount - 1);
57485 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
57487 SLAB_ATTR_RO(aliases);
57489 @@ -4691,7 +4732,13 @@ static const struct file_operations proc
57491 static int __init slab_proc_init(void)
57493 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
57494 + mode_t gr_mode = S_IRUGO;
57496 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
57497 + gr_mode = S_IRUSR;
57500 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
57503 module_init(slab_proc_init);
57504 diff -urNp linux-2.6.38.4/mm/util.c linux-2.6.38.4/mm/util.c
57505 --- linux-2.6.38.4/mm/util.c 2011-03-14 21:20:32.000000000 -0400
57506 +++ linux-2.6.38.4/mm/util.c 2011-04-17 15:57:33.000000000 -0400
57507 @@ -219,6 +219,12 @@ EXPORT_SYMBOL(strndup_user);
57508 void arch_pick_mmap_layout(struct mm_struct *mm)
57510 mm->mmap_base = TASK_UNMAPPED_BASE;
57512 +#ifdef CONFIG_PAX_RANDMMAP
57513 + if (mm->pax_flags & MF_PAX_RANDMMAP)
57514 + mm->mmap_base += mm->delta_mmap;
57517 mm->get_unmapped_area = arch_get_unmapped_area;
57518 mm->unmap_area = arch_unmap_area;
57520 diff -urNp linux-2.6.38.4/mm/vmalloc.c linux-2.6.38.4/mm/vmalloc.c
57521 --- linux-2.6.38.4/mm/vmalloc.c 2011-03-14 21:20:32.000000000 -0400
57522 +++ linux-2.6.38.4/mm/vmalloc.c 2011-04-17 15:57:33.000000000 -0400
57523 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
57525 pte = pte_offset_kernel(pmd, addr);
57527 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
57528 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
57530 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
57531 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
57532 + BUG_ON(!pte_exec(*pte));
57533 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
57539 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
57540 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
57542 } while (pte++, addr += PAGE_SIZE, addr != end);
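Review bot: The new KERNEXEC branch in vunmap_pte_range changes what "unmap" means for the MODULES_EXEC_VADDR..MODULES_EXEC_END range — the pte is re-pointed at `__pa(addr)` with PAGE_KERNEL_EXEC instead of being cleared — and nothing in the code says why. A comment above the `if` would record the intent, e.g. `/* KERNEXEC: the module exec window is never left unmapped; re-point the pte at its own physical page instead of clearing it */`, and `BUG_ON(!pte_exec(*pte))` deserves a note that a non-exec pte in this window indicates it was mapped with the wrong protection. I am inferring the intent from the constants used, so confirm against the KERNEXEC design before wording it as fact. vunmap_pte_range begins outside the hunk.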
57545 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
57546 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
57549 + int ret = -ENOMEM;
57552 * nr is a running index into the array which helps higher level
57553 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
57554 pte = pte_alloc_kernel(pmd, addr);
57558 + pax_open_kernel();
57560 struct page *page = pages[*nr];
57562 - if (WARN_ON(!pte_none(*pte)))
57564 - if (WARN_ON(!page))
57566 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
57567 + if (pgprot_val(prot) & _PAGE_NX)
57570 + if (WARN_ON(!pte_none(*pte))) {
57574 + if (WARN_ON(!page)) {
57578 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
57580 } while (pte++, addr += PAGE_SIZE, addr != end);
57584 + pax_close_kernel();
57588 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
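Review bot: vmap_pte_range now brackets the pte-writing loop with `pax_open_kernel()` / `pax_close_kernel()`, and the two `WARN_ON()` early exits inside the loop were given braces, presumably so each can close the window before returning; those lines are elided in this view, so I cannot confirm it, and any exit that skips `pax_close_kernel()` would leave whatever `pax_open_kernel()` enables still enabled. Since the hunk also introduces `int ret = -ENOMEM;`, routing every failure through one `goto out;` label that calls `pax_close_kernel()` and returns `ret` would make the pairing checkable at a glance. The `_PAGE_NX` test under the CONFIG_X86_32/KERNEXEC guard likewise has its consequence elided; a comment stating what a non-NX prot in this path means would help.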
57589 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
57590 * and fall back on vmalloc() if that fails. Others
57591 * just put it in the vmalloc space.
57593 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
57594 +#ifdef CONFIG_MODULES
57595 +#ifdef MODULES_VADDR
57596 unsigned long addr = (unsigned long)x;
57597 if (addr >= MODULES_VADDR && addr < MODULES_END)
57601 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
57602 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
57608 return is_vmalloc_addr(x);
57611 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
57613 if (!pgd_none(*pgd)) {
57614 pud_t *pud = pud_offset(pgd, addr);
57616 + if (!pud_large(*pud))
57618 if (!pud_none(*pud)) {
57619 pmd_t *pmd = pmd_offset(pud, addr);
57621 + if (!pmd_large(*pmd))
57623 if (!pmd_none(*pmd)) {
57626 @@ -1244,6 +1284,16 @@ static struct vm_struct *__get_vm_area_n
57627 struct vm_struct *area;
57629 BUG_ON(in_interrupt());
57631 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
57632 + if (flags & VM_KERNEXEC) {
57633 + if (start != VMALLOC_START || end != VMALLOC_END)
57635 + start = (unsigned long)MODULES_EXEC_VADDR;
57636 + end = (unsigned long)MODULES_EXEC_END;
57640 if (flags & VM_IOREMAP) {
57641 int bit = fls(size);
57643 @@ -1462,6 +1512,11 @@ void *vmap(struct page **pages, unsigned
57644 if (count > totalram_pages)
57647 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
57648 + if (!(pgprot_val(prot) & _PAGE_NX))
57649 + flags |= VM_KERNEXEC;
57652 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
57653 __builtin_return_address(0));
57655 @@ -1558,6 +1613,13 @@ void *__vmalloc_node_range(unsigned long
57656 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
57659 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
57660 + if (!(pgprot_val(prot) & _PAGE_NX))
57661 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
57662 + node, gfp_mask, caller);
57666 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
57669 @@ -1597,6 +1659,7 @@ static void *__vmalloc_node(unsigned lon
57670 gfp_mask, prot, node, caller);
57674 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
57676 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
57677 @@ -1620,6 +1683,7 @@ static inline void *__vmalloc_node_flags
57678 * For tight control over page level allocator and protection flags
57679 * use __vmalloc() instead.
57682 void *vmalloc(unsigned long size)
57684 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
57685 @@ -1636,6 +1700,7 @@ EXPORT_SYMBOL(vmalloc);
57686 * For tight control over page level allocator and protection flags
57687 * use __vmalloc() instead.
57690 void *vzalloc(unsigned long size)
57692 return __vmalloc_node_flags(size, -1,
57693 @@ -1650,6 +1715,7 @@ EXPORT_SYMBOL(vzalloc);
57694 * The resulting memory area is zeroed so it can be mapped to userspace
57695 * without leaking data.
57697 +#undef vmalloc_user
57698 void *vmalloc_user(unsigned long size)
57700 struct vm_struct *area;
57701 @@ -1677,6 +1743,7 @@ EXPORT_SYMBOL(vmalloc_user);
57702 * For tight control over page level allocator and protection flags
57703 * use __vmalloc() instead.
57705 +#undef vmalloc_node
57706 void *vmalloc_node(unsigned long size, int node)
57708 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
57709 @@ -1696,6 +1763,7 @@ EXPORT_SYMBOL(vmalloc_node);
57710 * For tight control over page level allocator and protection flags
57711 * use __vmalloc_node() instead.
57713 +#undef vzalloc_node
57714 void *vzalloc_node(unsigned long size, int node)
57716 return __vmalloc_node_flags(size, node,
57717 @@ -1718,10 +1786,10 @@ EXPORT_SYMBOL(vzalloc_node);
57718 * For tight control over page level allocator and protection flags
57719 * use __vmalloc() instead.
57722 +#undef vmalloc_exec
57723 void *vmalloc_exec(unsigned long size)
57725 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
57726 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
57727 -1, __builtin_return_address(0));
57730 @@ -1740,6 +1808,7 @@ void *vmalloc_exec(unsigned long size)
57731 * Allocate enough 32bit PA addressable pages to cover @size from the
57732 * page level allocator and map them into contiguous kernel virtual space.
57735 void *vmalloc_32(unsigned long size)
57737 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
57738 @@ -1754,6 +1823,7 @@ EXPORT_SYMBOL(vmalloc_32);
57739 * The resulting memory area is 32bit addressable and zeroed so it can be
57740 * mapped to userspace without leaking data.
57742 +#undef vmalloc_32_user
57743 void *vmalloc_32_user(unsigned long size)
57745 struct vm_struct *area;
57746 @@ -2018,6 +2088,8 @@ int remap_vmalloc_range(struct vm_area_s
57747 unsigned long uaddr = vma->vm_start;
57748 unsigned long usize = vma->vm_end - vma->vm_start;
57750 + BUG_ON(vma->vm_mirror);
57752 if ((PAGE_SIZE-1) & (unsigned long)addr)
57755 diff -urNp linux-2.6.38.4/mm/vmstat.c linux-2.6.38.4/mm/vmstat.c
57756 --- linux-2.6.38.4/mm/vmstat.c 2011-03-14 21:20:32.000000000 -0400
57757 +++ linux-2.6.38.4/mm/vmstat.c 2011-04-17 15:57:33.000000000 -0400
57758 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
57760 * vm_stat contains the global counters
57762 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
57763 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
57764 EXPORT_SYMBOL(vm_stat);
57767 @@ -451,7 +451,7 @@ void refresh_cpu_vm_stats(int cpu)
57768 v = p->vm_stat_diff[i];
57769 p->vm_stat_diff[i] = 0;
57770 local_irq_restore(flags);
57771 - atomic_long_add(v, &zone->vm_stat[i]);
57772 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
57773 global_diff[i] += v;
57775 /* 3 seconds idle till flush */
57776 @@ -489,7 +489,7 @@ void refresh_cpu_vm_stats(int cpu)
57778 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
57779 if (global_diff[i])
57780 - atomic_long_add(global_diff[i], &vm_stat[i]);
57781 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
57785 @@ -1188,10 +1188,20 @@ static int __init setup_vmstat(void)
57786 start_cpu_timer(cpu);
57788 #ifdef CONFIG_PROC_FS
57789 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
57790 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
57791 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
57792 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
57794 + mode_t gr_mode = S_IRUGO;
57795 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
57796 + gr_mode = S_IRUSR;
57798 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
57799 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
57800 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
57801 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
57803 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
57805 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
57810 diff -urNp linux-2.6.38.4/net/8021q/vlan.c linux-2.6.38.4/net/8021q/vlan.c
57811 --- linux-2.6.38.4/net/8021q/vlan.c 2011-03-14 21:20:32.000000000 -0400
57812 +++ linux-2.6.38.4/net/8021q/vlan.c 2011-04-17 15:57:33.000000000 -0400
57813 @@ -589,8 +589,7 @@ static int vlan_ioctl_handler(struct net
57815 if (!capable(CAP_NET_ADMIN))
57817 - if ((args.u.name_type >= 0) &&
57818 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
57819 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
57820 struct vlan_net *vn;
57822 vn = net_generic(net, vlan_net_id);
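Review bot: Dropping the `args.u.name_type >= 0` half of the range check is a no-op only if `name_type` is an unsigned type; that type comes from `struct vlan_ioctl_args` in a header outside this diff, so I cannot confirm it here, and the remaining `< VLAN_NAME_TYPE_HIGHEST` test now carries the whole bound on its own. If it is unsigned, a comment such as `/* name_type is unsigned: the upper bound alone is a complete range check */` would keep a later merge from reinstating the dead comparison; if it is signed, the original comparison must stay. vlan_ioctl_handler begins and ends outside the hunk.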
57823 diff -urNp linux-2.6.38.4/net/atm/atm_misc.c linux-2.6.38.4/net/atm/atm_misc.c
57824 --- linux-2.6.38.4/net/atm/atm_misc.c 2011-03-14 21:20:32.000000000 -0400
57825 +++ linux-2.6.38.4/net/atm/atm_misc.c 2011-04-17 15:57:33.000000000 -0400
57826 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
57827 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
57829 atm_return(vcc, truesize);
57830 - atomic_inc(&vcc->stats->rx_drop);
57831 + atomic_inc_unchecked(&vcc->stats->rx_drop);
57834 EXPORT_SYMBOL(atm_charge);
57835 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
57838 atm_return(vcc, guess);
57839 - atomic_inc(&vcc->stats->rx_drop);
57840 + atomic_inc_unchecked(&vcc->stats->rx_drop);
57843 EXPORT_SYMBOL(atm_alloc_charge);
57844 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
57846 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
57848 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
57849 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
57851 #undef __HANDLE_ITEM
57853 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
57855 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
57857 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
57858 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
57860 #undef __HANDLE_ITEM
57862 diff -urNp linux-2.6.38.4/net/atm/proc.c linux-2.6.38.4/net/atm/proc.c
57863 --- linux-2.6.38.4/net/atm/proc.c 2011-03-14 21:20:32.000000000 -0400
57864 +++ linux-2.6.38.4/net/atm/proc.c 2011-04-17 15:57:33.000000000 -0400
57865 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
57866 const struct k_atm_aal_stats *stats)
57868 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
57869 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
57870 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
57871 - atomic_read(&stats->rx_drop));
57872 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
57873 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
57874 + atomic_read_unchecked(&stats->rx_drop));
57877 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
57878 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
57880 struct sock *sk = sk_atm(vcc);
57882 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57883 + seq_printf(seq, "%p ", NULL);
57885 seq_printf(seq, "%p ", vcc);
57889 seq_printf(seq, "Unassigned ");
57891 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
57894 seq_printf(seq, sizeof(void *) == 4 ?
57895 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57896 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
57898 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
57901 seq_printf(seq, "%3d %3d %5d ",
57902 vcc->dev->number, vcc->vpi, vcc->vci);
57903 diff -urNp linux-2.6.38.4/net/atm/resources.c linux-2.6.38.4/net/atm/resources.c
57904 --- linux-2.6.38.4/net/atm/resources.c 2011-03-14 21:20:32.000000000 -0400
57905 +++ linux-2.6.38.4/net/atm/resources.c 2011-04-17 15:57:33.000000000 -0400
57906 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
57907 static void copy_aal_stats(struct k_atm_aal_stats *from,
57908 struct atm_aal_stats *to)
57910 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
57911 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
57913 #undef __HANDLE_ITEM
57915 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
57916 static void subtract_aal_stats(struct k_atm_aal_stats *from,
57917 struct atm_aal_stats *to)
57919 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
57920 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
57922 #undef __HANDLE_ITEM
57924 diff -urNp linux-2.6.38.4/net/bridge/br_multicast.c linux-2.6.38.4/net/bridge/br_multicast.c
57925 --- linux-2.6.38.4/net/bridge/br_multicast.c 2011-04-22 19:20:59.000000000 -0400
57926 +++ linux-2.6.38.4/net/bridge/br_multicast.c 2011-04-22 19:21:47.000000000 -0400
57927 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
57928 nexthdr = ip6h->nexthdr;
57929 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
57931 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
57932 + if (nexthdr != IPPROTO_ICMPV6)
57935 /* Okay, we found ICMPv6 header */
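Review bot: Dropping `offset < 0` from the ICMPv6 check is only a no-op if `offset` is declared unsigned, in which case the old comparison could never be true; if it is a signed int, an error return from ipv6_skip_exthdr() now falls through to the ICMPv6 parsing below with a negative offset. The declaration is outside the hunk, so I cannot tell which case applies — please check it, and if it is unsigned add a comment such as `/* offset is unsigned; an ipv6_skip_exthdr() error wraps to a huge value and is presumably caught by the length check that follows */` so the missing sign test does not read as an oversight. br_multicast_ipv6_rcv begins and ends outside the hunk.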
57936 diff -urNp linux-2.6.38.4/net/bridge/netfilter/ebtables.c linux-2.6.38.4/net/bridge/netfilter/ebtables.c
57937 --- linux-2.6.38.4/net/bridge/netfilter/ebtables.c 2011-04-18 17:27:18.000000000 -0400
57938 +++ linux-2.6.38.4/net/bridge/netfilter/ebtables.c 2011-04-17 17:00:29.000000000 -0400
57939 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
57940 tmp.valid_hooks = t->table->valid_hooks;
57942 mutex_unlock(&ebt_mutex);
57943 - if (copy_to_user(user, &tmp, *len) != 0){
57944 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
57945 BUGPRINT("c2u Didn't work\n");
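Review bot: Folding the new `*len > sizeof(tmp)` bound into the copy_to_user() condition makes a caller-supplied oversized length report as a copy failure: it reaches `BUGPRINT("c2u Didn't work\n")` and, presumably, the same -EFAULT return that follows outside the hunk, which misreports an invalid argument as a bad user pointer. Splitting it out, `if (*len > sizeof(tmp)) return -EINVAL;` before the copy, keeps the bound and gives the caller an accurate error. The same combined form appears in the sock_getsockopt, dn_node_address_handler, dn_def_dev_handler and tcpprobe_read hunks later in this diff; there the length is derived from kernel-side values, so the check is defensive and a separate branch matters less. do_ebt_get_ctl begins and ends outside the hunk.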
57948 diff -urNp linux-2.6.38.4/net/can/bcm.c linux-2.6.38.4/net/can/bcm.c
57949 --- linux-2.6.38.4/net/can/bcm.c 2011-03-14 21:20:32.000000000 -0400
57950 +++ linux-2.6.38.4/net/can/bcm.c 2011-04-17 15:57:33.000000000 -0400
57951 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
57952 struct bcm_sock *bo = bcm_sk(sk);
57955 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57956 + seq_printf(m, ">>> socket %p", NULL);
57957 + seq_printf(m, " / sk %p", NULL);
57958 + seq_printf(m, " / bo %p", NULL);
57960 seq_printf(m, ">>> socket %p", sk->sk_socket);
57961 seq_printf(m, " / sk %p", sk);
57962 seq_printf(m, " / bo %p", bo);
57964 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
57965 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
57966 seq_printf(m, " <<<\n");
57967 diff -urNp linux-2.6.38.4/net/can/raw.c linux-2.6.38.4/net/can/raw.c
57968 --- linux-2.6.38.4/net/can/raw.c 2011-03-14 21:20:32.000000000 -0400
57969 +++ linux-2.6.38.4/net/can/raw.c 2011-04-22 19:39:11.000000000 -0400
57970 @@ -305,7 +305,12 @@ static int raw_init(struct sock *sk)
57971 static int raw_release(struct socket *sock)
57973 struct sock *sk = sock->sk;
57974 - struct raw_sock *ro = raw_sk(sk);
57975 + struct raw_sock *ro;
57982 unregister_netdevice_notifier(&ro->notifier);
57984 diff -urNp linux-2.6.38.4/net/core/dev.c linux-2.6.38.4/net/core/dev.c
57985 --- linux-2.6.38.4/net/core/dev.c 2011-03-14 21:20:32.000000000 -0400
57986 +++ linux-2.6.38.4/net/core/dev.c 2011-04-17 15:57:33.000000000 -0400
57987 @@ -1124,10 +1124,14 @@ void dev_load(struct net *net, const cha
57988 if (no_module && capable(CAP_NET_ADMIN))
57989 no_module = request_module("netdev-%s", name);
57990 if (no_module && capable(CAP_SYS_MODULE)) {
57991 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
57992 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
57994 if (!request_module("%s", name))
57995 pr_err("Loading kernel module for a network device "
57996 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
57997 "instead\n", name);
58001 EXPORT_SYMBOL(dev_load);
58002 @@ -2787,7 +2791,7 @@ int netif_rx_ni(struct sk_buff *skb)
58004 EXPORT_SYMBOL(netif_rx_ni);
58006 -static void net_tx_action(struct softirq_action *h)
58007 +static void net_tx_action(void)
58009 struct softnet_data *sd = &__get_cpu_var(softnet_data);
58011 @@ -3697,7 +3701,7 @@ void netif_napi_del(struct napi_struct *
58013 EXPORT_SYMBOL(netif_napi_del);
58015 -static void net_rx_action(struct softirq_action *h)
58016 +static void net_rx_action(void)
58018 struct softnet_data *sd = &__get_cpu_var(softnet_data);
58019 unsigned long time_limit = jiffies + 2;
58020 diff -urNp linux-2.6.38.4/net/core/sock.c linux-2.6.38.4/net/core/sock.c
58021 --- linux-2.6.38.4/net/core/sock.c 2011-03-14 21:20:32.000000000 -0400
58022 +++ linux-2.6.38.4/net/core/sock.c 2011-04-17 15:57:33.000000000 -0400
58023 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
58027 - if (copy_to_user(optval, address, len))
58028 + if (len > sizeof(address) || copy_to_user(optval, address, len))
58032 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
58036 - if (copy_to_user(optval, &v, len))
58037 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
58040 if (put_user(len, optlen))
58041 diff -urNp linux-2.6.38.4/net/dccp/ccids/ccid3.c linux-2.6.38.4/net/dccp/ccids/ccid3.c
58042 --- linux-2.6.38.4/net/dccp/ccids/ccid3.c 2011-03-14 21:20:32.000000000 -0400
58043 +++ linux-2.6.38.4/net/dccp/ccids/ccid3.c 2011-04-17 15:57:33.000000000 -0400
58045 static int ccid3_debug;
58046 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
58048 -#define ccid3_pr_debug(format, a...)
58049 +#define ccid3_pr_debug(format, a...) do {} while (0)
58053 diff -urNp linux-2.6.38.4/net/dccp/dccp.h linux-2.6.38.4/net/dccp/dccp.h
58054 --- linux-2.6.38.4/net/dccp/dccp.h 2011-03-14 21:20:32.000000000 -0400
58055 +++ linux-2.6.38.4/net/dccp/dccp.h 2011-04-17 15:57:33.000000000 -0400
58056 @@ -44,9 +44,9 @@ extern int dccp_debug;
58057 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
58058 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
58060 -#define dccp_pr_debug(format, a...)
58061 -#define dccp_pr_debug_cat(format, a...)
58062 -#define dccp_debug(format, a...)
58063 +#define dccp_pr_debug(format, a...) do {} while (0)
58064 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
58065 +#define dccp_debug(format, a...) do {} while (0)
58068 extern struct inet_hashinfo dccp_hashinfo;
58069 diff -urNp linux-2.6.38.4/net/decnet/sysctl_net_decnet.c linux-2.6.38.4/net/decnet/sysctl_net_decnet.c
58070 --- linux-2.6.38.4/net/decnet/sysctl_net_decnet.c 2011-03-14 21:20:32.000000000 -0400
58071 +++ linux-2.6.38.4/net/decnet/sysctl_net_decnet.c 2011-04-17 15:57:33.000000000 -0400
58072 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
58074 if (len > *lenp) len = *lenp;
58076 - if (copy_to_user(buffer, addr, len))
58077 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
58081 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
58083 if (len > *lenp) len = *lenp;
58085 - if (copy_to_user(buffer, devname, len))
58086 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
58090 diff -urNp linux-2.6.38.4/net/econet/Kconfig linux-2.6.38.4/net/econet/Kconfig
58091 --- linux-2.6.38.4/net/econet/Kconfig 2011-03-14 21:20:32.000000000 -0400
58092 +++ linux-2.6.38.4/net/econet/Kconfig 2011-04-17 15:57:33.000000000 -0400
58096 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
58097 - depends on EXPERIMENTAL && INET
58098 + depends on EXPERIMENTAL && INET && BROKEN
58100 Econet is a fairly old and slow networking protocol mainly used by
58101 Acorn computers to access file and print servers. It uses native
58102 diff -urNp linux-2.6.38.4/net/ipv4/inet_diag.c linux-2.6.38.4/net/ipv4/inet_diag.c
58103 --- linux-2.6.38.4/net/ipv4/inet_diag.c 2011-03-14 21:20:32.000000000 -0400
58104 +++ linux-2.6.38.4/net/ipv4/inet_diag.c 2011-04-17 15:57:33.000000000 -0400
58105 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
58106 r->idiag_retrans = 0;
58108 r->id.idiag_if = sk->sk_bound_dev_if;
58110 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58111 + r->id.idiag_cookie[0] = 0;
58112 + r->id.idiag_cookie[1] = 0;
58114 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
58115 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
58118 r->id.idiag_sport = inet->inet_sport;
58119 r->id.idiag_dport = inet->inet_dport;
58120 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
58121 r->idiag_family = tw->tw_family;
58122 r->idiag_retrans = 0;
58123 r->id.idiag_if = tw->tw_bound_dev_if;
58125 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58126 + r->id.idiag_cookie[0] = 0;
58127 + r->id.idiag_cookie[1] = 0;
58129 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
58130 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
58133 r->id.idiag_sport = tw->tw_sport;
58134 r->id.idiag_dport = tw->tw_dport;
58135 r->id.idiag_src[0] = tw->tw_rcv_saddr;
58136 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
58140 +#ifndef CONFIG_GRKERNSEC_HIDESYM
58142 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
58143 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
58144 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
58145 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
58150 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
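Review bot: The `#ifndef CONFIG_GRKERNSEC_HIDESYM` around the cookie comparison in inet_diag_get_exact has no comment explaining why the check is compiled out, so on its own it reads like a deliberate weakening. The reason is visible in the other hunks of this file — inet_csk_diag_fill, inet_twsk_diag_fill and inet_diag_fill_req store 0 in both `idiag_cookie` slots under HIDESYM, so no caller can hold a valid cookie — and a comment above the `#ifndef` should record it: `/* HIDESYM: the cookie reported by the *_diag_fill() helpers is always 0, so a cookie match is impossible; match on address/port only */`. It is worth stating explicitly that under HIDESYM a request carrying a stale cookie is therefore accepted rather than rejected. inet_diag_get_exact begins and ends outside the hunk.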
58151 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
58152 r->idiag_retrans = req->retrans;
58154 r->id.idiag_if = sk->sk_bound_dev_if;
58156 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58157 + r->id.idiag_cookie[0] = 0;
58158 + r->id.idiag_cookie[1] = 0;
58160 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
58161 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
58164 tmo = req->expires - jiffies;
58166 diff -urNp linux-2.6.38.4/net/ipv4/inet_hashtables.c linux-2.6.38.4/net/ipv4/inet_hashtables.c
58167 --- linux-2.6.38.4/net/ipv4/inet_hashtables.c 2011-03-14 21:20:32.000000000 -0400
58168 +++ linux-2.6.38.4/net/ipv4/inet_hashtables.c 2011-04-17 15:57:33.000000000 -0400
58169 @@ -18,11 +18,14 @@
58170 #include <linux/sched.h>
58171 #include <linux/slab.h>
58172 #include <linux/wait.h>
58173 +#include <linux/security.h>
58175 #include <net/inet_connection_sock.h>
58176 #include <net/inet_hashtables.h>
58177 #include <net/route.h>
58178 #include <net/ip.h>
58180 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
58183 * Allocate and initialize a new local port bind bucket.
58184 * The bindhash mutex for snum's hash chain must be held here.
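Review bot: `extern void gr_update_task_in_ip_table(...)` is declared directly in inet_hashtables.c rather than in a header, so the prototype is never checked against the definition and the two can drift silently; the `#include <linux/security.h>` added just above suggests that header (or a grsecurity-specific one) is where the declaration belongs. The same pattern recurs in the tcp_ipv4.c, tcp_minisocks.c and tcp_timer.c hunks (`extern int grsec_enable_blackhole;`, `extern int grsec_lastack_retries;`) and in udp.c, where `gr_search_udp_recvmsg` and `gr_search_udp_sendmsg` are declared mid-file. Moving all of them into one header would let the compiler catch a signature mismatch and remove the include-but-still-extern inconsistency.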
58185 @@ -529,6 +532,8 @@ ok:
58186 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
58187 spin_unlock(&head->lock);
58189 + gr_update_task_in_ip_table(current, inet_sk(sk));
58192 inet_twsk_deschedule(tw, death_row);
58194 diff -urNp linux-2.6.38.4/net/ipv4/inetpeer.c linux-2.6.38.4/net/ipv4/inetpeer.c
58195 --- linux-2.6.38.4/net/ipv4/inetpeer.c 2011-03-14 21:20:32.000000000 -0400
58196 +++ linux-2.6.38.4/net/ipv4/inetpeer.c 2011-04-17 15:57:33.000000000 -0400
58197 @@ -509,8 +509,8 @@ struct inet_peer *inet_getpeer(struct in
58200 atomic_set(&p->refcnt, 1);
58201 - atomic_set(&p->rid, 0);
58202 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->a4));
58203 + atomic_set_unchecked(&p->rid, 0);
58204 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->a4));
58205 p->tcp_ts_stamp = 0;
58206 INIT_LIST_HEAD(&p->unused);
58208 diff -urNp linux-2.6.38.4/net/ipv4/ip_fragment.c linux-2.6.38.4/net/ipv4/ip_fragment.c
58209 --- linux-2.6.38.4/net/ipv4/ip_fragment.c 2011-03-14 21:20:32.000000000 -0400
58210 +++ linux-2.6.38.4/net/ipv4/ip_fragment.c 2011-04-17 15:57:33.000000000 -0400
58211 @@ -298,7 +298,7 @@ static inline int ip_frag_too_far(struct
58215 - end = atomic_inc_return(&peer->rid);
58216 + end = atomic_inc_return_unchecked(&peer->rid);
58219 rc = qp->q.fragments && (end - start) > max;
58220 diff -urNp linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c
58221 --- linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-14 21:20:32.000000000 -0400
58222 +++ linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-17 15:57:33.000000000 -0400
58223 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
58227 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
58228 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
58229 if (*octets == NULL) {
58230 if (net_ratelimit())
58231 pr_notice("OOM in bsalg (%d)\n", __LINE__);
58232 diff -urNp linux-2.6.38.4/net/ipv4/raw.c linux-2.6.38.4/net/ipv4/raw.c
58233 --- linux-2.6.38.4/net/ipv4/raw.c 2011-03-14 21:20:32.000000000 -0400
58234 +++ linux-2.6.38.4/net/ipv4/raw.c 2011-04-17 15:57:33.000000000 -0400
58235 @@ -724,15 +724,19 @@ static int raw_init(struct sock *sk)
58237 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
58239 + struct icmp_filter filter;
58241 if (optlen > sizeof(struct icmp_filter))
58242 optlen = sizeof(struct icmp_filter);
58243 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
58244 + if (copy_from_user(&filter, optval, optlen))
58246 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
58250 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
58252 + struct icmp_filter filter;
58253 int len, ret = -EFAULT;
58255 if (get_user(len, optlen))
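Review bot: In raw_seticmpfilter the new stack temporary `filter` is never initialized, yet after a copy_from_user() of `optlen` bytes — which may be shorter than `sizeof(struct icmp_filter)`, since the preceding lines only clamp it downward — the whole struct is written into the socket with `memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter))`. For a short optlen the tail of the socket's filter now receives whatever was on the kernel stack, which the original direct copy into the socket did not do, and raw_geticmpfilter below hands those bytes back to userspace. Initializing the temporary from the current value, `struct icmp_filter filter = raw_sk(sk)->filter;`, preserves the original partial-update semantics; alternatively reject `optlen < sizeof(filter)` with -EINVAL if short writes are not meant to be supported. The function's return statements lie outside the hunk.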
58256 @@ -743,8 +747,9 @@ static int raw_geticmpfilter(struct sock
58257 if (len > sizeof(struct icmp_filter))
58258 len = sizeof(struct icmp_filter);
58260 + memcpy(&filter, &raw_sk(sk)->filter, len);
58261 if (put_user(len, optlen) ||
58262 - copy_to_user(optval, &raw_sk(sk)->filter, len))
58263 + copy_to_user(optval, &filter, len))
58267 diff -urNp linux-2.6.38.4/net/ipv4/route.c linux-2.6.38.4/net/ipv4/route.c
58268 --- linux-2.6.38.4/net/ipv4/route.c 2011-04-22 19:20:59.000000000 -0400
58269 +++ linux-2.6.38.4/net/ipv4/route.c 2011-04-22 19:21:47.000000000 -0400
58270 @@ -2857,7 +2857,7 @@ static int rt_fill_info(struct net *net,
58271 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
58273 inet_peer_refcheck(rt->peer);
58274 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
58275 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
58276 if (rt->peer->tcp_ts_stamp) {
58277 ts = rt->peer->tcp_ts;
58278 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
58279 diff -urNp linux-2.6.38.4/net/ipv4/tcp_ipv4.c linux-2.6.38.4/net/ipv4/tcp_ipv4.c
58280 --- linux-2.6.38.4/net/ipv4/tcp_ipv4.c 2011-03-14 21:20:32.000000000 -0400
58281 +++ linux-2.6.38.4/net/ipv4/tcp_ipv4.c 2011-04-17 15:57:33.000000000 -0400
58282 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
58283 int sysctl_tcp_low_latency __read_mostly;
58284 EXPORT_SYMBOL(sysctl_tcp_low_latency);
58286 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58287 +extern int grsec_enable_blackhole;
58290 #ifdef CONFIG_TCP_MD5SIG
58291 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
58292 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
58296 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58297 + if (!grsec_enable_blackhole)
58299 tcp_v4_send_reset(rsk, skb);
58302 @@ -1655,12 +1661,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
58303 TCP_SKB_CB(skb)->sacked = 0;
58305 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
58308 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58311 goto no_tcp_socket;
58315 - if (sk->sk_state == TCP_TIME_WAIT)
58316 + if (sk->sk_state == TCP_TIME_WAIT) {
58317 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58323 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
58324 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
58325 @@ -1710,6 +1723,10 @@ no_tcp_socket:
58327 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
58329 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58330 + if (!grsec_enable_blackhole || (ret == 1 &&
58331 + (skb->dev->flags & IFF_LOOPBACK)))
58333 tcp_v4_send_reset(NULL, skb);
58336 @@ -2373,7 +2390,11 @@ static void get_openreq4(struct sock *sk
58337 0, /* non standard timer */
58338 0, /* open_requests have no inode */
58339 atomic_read(&sk->sk_refcnt),
58340 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58348 @@ -2423,7 +2444,12 @@ static void get_tcp4_sock(struct sock *s
58350 icsk->icsk_probes_out,
58352 - atomic_read(&sk->sk_refcnt), sk,
58353 + atomic_read(&sk->sk_refcnt),
58354 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58359 jiffies_to_clock_t(icsk->icsk_rto),
58360 jiffies_to_clock_t(icsk->icsk_ack.ato),
58361 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
58362 @@ -2451,7 +2477,13 @@ static void get_timewait4_sock(struct in
58363 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
58364 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
58365 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
58366 - atomic_read(&tw->tw_refcnt), tw, len);
58367 + atomic_read(&tw->tw_refcnt),
58368 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58377 diff -urNp linux-2.6.38.4/net/ipv4/tcp_minisocks.c linux-2.6.38.4/net/ipv4/tcp_minisocks.c
58378 --- linux-2.6.38.4/net/ipv4/tcp_minisocks.c 2011-03-14 21:20:32.000000000 -0400
58379 +++ linux-2.6.38.4/net/ipv4/tcp_minisocks.c 2011-04-17 15:57:33.000000000 -0400
58381 #include <net/inet_common.h>
58382 #include <net/xfrm.h>
58384 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58385 +extern int grsec_enable_blackhole;
58388 int sysctl_tcp_syncookies __read_mostly = 1;
58389 EXPORT_SYMBOL(sysctl_tcp_syncookies);
58391 @@ -745,6 +749,10 @@ listen_overflow:
58394 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
58396 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58397 + if (!grsec_enable_blackhole)
58399 if (!(flg & TCP_FLAG_RST))
58400 req->rsk_ops->send_reset(sk, skb);
58402 diff -urNp linux-2.6.38.4/net/ipv4/tcp_probe.c linux-2.6.38.4/net/ipv4/tcp_probe.c
58403 --- linux-2.6.38.4/net/ipv4/tcp_probe.c 2011-03-14 21:20:32.000000000 -0400
58404 +++ linux-2.6.38.4/net/ipv4/tcp_probe.c 2011-04-17 15:57:33.000000000 -0400
58405 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
58406 if (cnt + width >= len)
58409 - if (copy_to_user(buf + cnt, tbuf, width))
58410 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
58414 diff -urNp linux-2.6.38.4/net/ipv4/tcp_timer.c linux-2.6.38.4/net/ipv4/tcp_timer.c
58415 --- linux-2.6.38.4/net/ipv4/tcp_timer.c 2011-03-14 21:20:32.000000000 -0400
58416 +++ linux-2.6.38.4/net/ipv4/tcp_timer.c 2011-04-17 15:57:33.000000000 -0400
58418 #include <linux/gfp.h>
58419 #include <net/tcp.h>
58421 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58422 +extern int grsec_lastack_retries;
58425 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
58426 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
58427 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
58428 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
58432 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58433 + if ((sk->sk_state == TCP_LAST_ACK) &&
58434 + (grsec_lastack_retries > 0) &&
58435 + (grsec_lastack_retries < retry_until))
58436 + retry_until = grsec_lastack_retries;
58439 if (retransmits_timed_out(sk, retry_until,
58440 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
58441 /* Has it gone just too far? */
58442 diff -urNp linux-2.6.38.4/net/ipv4/udp.c linux-2.6.38.4/net/ipv4/udp.c
58443 --- linux-2.6.38.4/net/ipv4/udp.c 2011-03-14 21:20:32.000000000 -0400
58444 +++ linux-2.6.38.4/net/ipv4/udp.c 2011-04-17 15:57:33.000000000 -0400
58446 #include <linux/types.h>
58447 #include <linux/fcntl.h>
58448 #include <linux/module.h>
58449 +#include <linux/security.h>
58450 #include <linux/socket.h>
58451 #include <linux/sockios.h>
58452 #include <linux/igmp.h>
58453 @@ -107,6 +108,10 @@
58454 #include <net/xfrm.h>
58455 #include "udp_impl.h"
58457 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58458 +extern int grsec_enable_blackhole;
58461 struct udp_table udp_table __read_mostly;
58462 EXPORT_SYMBOL(udp_table);
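Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file instead of a shared header, which checkpatch flags because the definition and each ad-hoc declaration can drift in type or signedness with no compiler check. The same appears in the tcp_timer.c hunk (`grsec_lastack_retries`), the ipv6/tcp_ipv6.c and ipv6/udp.c hunks, and the `gr_search_udp_recvmsg`/`gr_search_udp_sendmsg` prototypes in the `found:` hunk just below. One declaration in the grsecurity header the tree already has (`linux/grsecurity.h` is included by the new xt_gradm.c) would give every user the same checked prototype.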
58464 @@ -564,6 +569,9 @@ found:
58468 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
58469 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
58472 * This routine is called by the ICMP module when it gets some
58473 * sort of error condition. If err < 0 then the socket should
58474 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
58475 dport = usin->sin_port;
58479 + err = gr_search_udp_sendmsg(sk, usin);
58483 if (sk->sk_state != TCP_ESTABLISHED)
58484 return -EDESTADDRREQ;
58486 + err = gr_search_udp_sendmsg(sk, NULL);
58490 daddr = inet->inet_daddr;
58491 dport = inet->inet_dport;
58492 /* Open fast path for connected socket.
58493 @@ -1139,6 +1156,10 @@ try_again:
58497 + err = gr_search_udp_recvmsg(sk, skb);
58501 ulen = skb->len - sizeof(struct udphdr);
58504 @@ -1623,6 +1644,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
58507 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
58508 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58509 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
58511 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
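Review bot: When `grsec_enable_blackhole` suppresses the port-unreachable, the datagram is dropped with nothing in the hunk recording that the suppression happened, so an operator debugging connectivity cannot tell a blackholed probe from a lost packet. The `UDP_MIB_NOPORTS` increment just above still runs, so the event is at least counted as a no-port; a comment stating that this is the intended audit trail would make the choice explicit: `/* blackhole: no ICMP back to the sender; the NOPORTS counter is the only trace */`. The ipv6/udp.c hunk adds the identical branch and would take the same comment. __udp4_lib_rcv continues outside the hunk.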
58514 @@ -2050,7 +2074,12 @@ static void udp4_format_sock(struct sock
58515 sk_wmem_alloc_get(sp),
58516 sk_rmem_alloc_get(sp),
58517 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
58518 - atomic_read(&sp->sk_refcnt), sp,
58519 + atomic_read(&sp->sk_refcnt),
58520 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58525 atomic_read(&sp->sk_drops), len);
58528 diff -urNp linux-2.6.38.4/net/ipv6/exthdrs.c linux-2.6.38.4/net/ipv6/exthdrs.c
58529 --- linux-2.6.38.4/net/ipv6/exthdrs.c 2011-03-14 21:20:32.000000000 -0400
58530 +++ linux-2.6.38.4/net/ipv6/exthdrs.c 2011-04-17 15:57:33.000000000 -0400
58531 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
58532 .type = IPV6_TLV_JUMBO,
58533 .func = ipv6_hop_jumbo,
58539 int ipv6_parse_hopopts(struct sk_buff *skb)
58540 diff -urNp linux-2.6.38.4/net/ipv6/raw.c linux-2.6.38.4/net/ipv6/raw.c
58541 --- linux-2.6.38.4/net/ipv6/raw.c 2011-03-14 21:20:32.000000000 -0400
58542 +++ linux-2.6.38.4/net/ipv6/raw.c 2011-04-17 15:57:33.000000000 -0400
58543 @@ -602,7 +602,7 @@ out:
58547 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
58548 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
58549 struct flowi *fl, struct dst_entry **dstp,
58550 unsigned int flags)
58552 @@ -919,12 +919,15 @@ do_confirm:
58553 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
58554 char __user *optval, int optlen)
58556 + struct icmp6_filter filter;
58559 case ICMPV6_FILTER:
58560 if (optlen > sizeof(struct icmp6_filter))
58561 optlen = sizeof(struct icmp6_filter);
58562 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
58563 + if (copy_from_user(&filter, optval, optlen))
58565 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
58568 return -ENOPROTOOPT;
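Review bot: The new stack-staged `filter` in rawv6_seticmpfilter carries no comment explaining why the user copy no longer targets `raw6_sk(sk)->filter` directly, so a later cleanup is likely to fold the `copy_from_user` back into the socket field and undo whatever the indirection buys (presumably a bounded stack object for a user-copy checker; the motivation is not visible in the hunk). A one-line comment above the declaration would protect it: `/* stage through a local so the user copy targets a bounded stack object, not a field inside the socket */`. The two rawv6_geticmpfilter hunks below introduce the same indirection and need the same note. Behaviour for a short `optlen` is unchanged: only a prefix of the socket's filter is updated.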
58569 @@ -936,6 +939,7 @@ static int rawv6_seticmpfilter(struct so
58570 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
58571 char __user *optval, int __user *optlen)
58573 + struct icmp6_filter filter;
58577 @@ -948,7 +952,8 @@ static int rawv6_geticmpfilter(struct so
58578 len = sizeof(struct icmp6_filter);
58579 if (put_user(len, optlen))
58581 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
58582 + memcpy(&filter, &raw6_sk(sk)->filter, len);
58583 + if (copy_to_user(optval, &filter, len))
58587 @@ -1262,7 +1267,13 @@ static void raw6_sock_seq_show(struct se
58591 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
58592 + atomic_read(&sp->sk_refcnt),
58593 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58598 + atomic_read(&sp->sk_drops));
58601 static int raw6_seq_show(struct seq_file *seq, void *v)
58602 diff -urNp linux-2.6.38.4/net/ipv6/tcp_ipv6.c linux-2.6.38.4/net/ipv6/tcp_ipv6.c
58603 --- linux-2.6.38.4/net/ipv6/tcp_ipv6.c 2011-03-14 21:20:32.000000000 -0400
58604 +++ linux-2.6.38.4/net/ipv6/tcp_ipv6.c 2011-04-17 15:57:33.000000000 -0400
58605 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
58609 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58610 +extern int grsec_enable_blackhole;
58613 static void tcp_v6_hash(struct sock *sk)
58615 if (sk->sk_state != TCP_CLOSE) {
58616 @@ -1676,6 +1680,9 @@ static int tcp_v6_do_rcv(struct sock *sk
58620 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58621 + if (!grsec_enable_blackhole)
58623 tcp_v6_send_reset(sk, skb);
58626 @@ -1755,12 +1762,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
58627 TCP_SKB_CB(skb)->sacked = 0;
58629 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
58632 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58635 goto no_tcp_socket;
58639 - if (sk->sk_state == TCP_TIME_WAIT)
58640 + if (sk->sk_state == TCP_TIME_WAIT) {
58641 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58647 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
58648 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
58649 @@ -1808,6 +1823,10 @@ no_tcp_socket:
58651 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
58653 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58654 + if (!grsec_enable_blackhole || (ret == 1 &&
58655 + (skb->dev->flags & IFF_LOOPBACK)))
58657 tcp_v6_send_reset(NULL, skb);
58660 @@ -2068,7 +2087,13 @@ static void get_openreq6(struct seq_file
58662 0, /* non standard timer */
58663 0, /* open_requests have no inode */
58666 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58674 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
58675 @@ -2118,7 +2143,12 @@ static void get_tcp6_sock(struct seq_fil
58677 icsk->icsk_probes_out,
58679 - atomic_read(&sp->sk_refcnt), sp,
58680 + atomic_read(&sp->sk_refcnt),
58681 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58686 jiffies_to_clock_t(icsk->icsk_rto),
58687 jiffies_to_clock_t(icsk->icsk_ack.ato),
58688 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
58689 @@ -2153,7 +2183,13 @@ static void get_timewait6_sock(struct se
58690 dest->s6_addr32[2], dest->s6_addr32[3], destp,
58691 tw->tw_substate, 0, 0,
58692 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
58693 - atomic_read(&tw->tw_refcnt), tw);
58694 + atomic_read(&tw->tw_refcnt),
58695 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58703 static int tcp6_seq_show(struct seq_file *seq, void *v)
58704 diff -urNp linux-2.6.38.4/net/ipv6/udp.c linux-2.6.38.4/net/ipv6/udp.c
58705 --- linux-2.6.38.4/net/ipv6/udp.c 2011-03-14 21:20:32.000000000 -0400
58706 +++ linux-2.6.38.4/net/ipv6/udp.c 2011-04-17 15:57:33.000000000 -0400
58708 #include <linux/seq_file.h>
58709 #include "udp_impl.h"
58711 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58712 +extern int grsec_enable_blackhole;
58715 int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
58717 const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
58718 @@ -773,6 +777,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
58719 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
58720 proto == IPPROTO_UDPLITE);
58722 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58723 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
58725 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
58728 @@ -1407,7 +1414,12 @@ static void udp6_sock_seq_show(struct se
58732 - atomic_read(&sp->sk_refcnt), sp,
58733 + atomic_read(&sp->sk_refcnt),
58734 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58739 atomic_read(&sp->sk_drops));
58742 diff -urNp linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c
58743 --- linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c 2011-03-14 21:20:32.000000000 -0400
58744 +++ linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c 2011-04-17 15:57:33.000000000 -0400
58745 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
58746 add_wait_queue(&self->open_wait, &wait);
58748 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
58749 - __FILE__,__LINE__, tty->driver->name, self->open_count );
58750 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
58752 /* As far as I can see, we protect open_count - Jean II */
58753 spin_lock_irqsave(&self->spinlock, flags);
58754 if (!tty_hung_up_p(filp)) {
58756 - self->open_count--;
58757 + local_dec(&self->open_count);
58759 spin_unlock_irqrestore(&self->spinlock, flags);
58760 - self->blocked_open++;
58761 + local_inc(&self->blocked_open);
58764 if (tty->termios->c_cflag & CBAUD) {
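Review bot: `local_read()` returns `long`, but the IRDA_DEBUG call at the top of this hunk still prints it with `%d`, and the same mismatch recurs in every other ircomm_tty.c hunk (the block_til_ready debug lines, the `%d` in ircomm_tty_open, the IRDA_DEBUG/IRDA_ERROR pair in ircomm_tty_close and `seq_printf(m, "Open count: %d\n", ...)` in ircomm_tty_line_info); `-Wformat` flags it and on LP64 it is a format/argument mismatch even though the low half usually prints. Either change the specifiers to `%ld` or cast at the call, `(int)local_read(&self->open_count)`. Separately, `local_inc(&self->blocked_open)` is issued after `spin_unlock_irqrestore` just as the `++` it replaces was; local_t is specified as atomic only against the owning CPU, so this is not an SMP-safe increment and if that is the goal it belongs under the lock or in an atomic_t. ircomm_tty_block_til_ready starts and ends outside the hunk.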
58765 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
58768 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
58769 - __FILE__,__LINE__, tty->driver->name, self->open_count );
58770 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
58774 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
58776 /* ++ is not atomic, so this should be protected - Jean II */
58777 spin_lock_irqsave(&self->spinlock, flags);
58778 - self->open_count++;
58779 + local_inc(&self->open_count);
58780 spin_unlock_irqrestore(&self->spinlock, flags);
58782 - self->blocked_open--;
58783 + local_dec(&self->blocked_open);
58785 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
58786 - __FILE__,__LINE__, tty->driver->name, self->open_count);
58787 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
58790 self->flags |= ASYNC_NORMAL_ACTIVE;
58791 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
58793 /* ++ is not atomic, so this should be protected - Jean II */
58794 spin_lock_irqsave(&self->spinlock, flags);
58795 - self->open_count++;
58796 + local_inc(&self->open_count);
58798 tty->driver_data = self;
58800 spin_unlock_irqrestore(&self->spinlock, flags);
58802 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
58803 - self->line, self->open_count);
58804 + self->line, local_read(&self->open_count));
58806 /* Not really used by us, but lets do it anyway */
58807 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
58808 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
58812 - if ((tty->count == 1) && (self->open_count != 1)) {
58813 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
58815 * Uh, oh. tty->count is 1, which means that the tty
58816 * structure will be freed. state->count should always
58817 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
58819 IRDA_DEBUG(0, "%s(), bad serial port count; "
58820 "tty->count is 1, state->count is %d\n", __func__ ,
58821 - self->open_count);
58822 - self->open_count = 1;
58823 + local_read(&self->open_count));
58824 + local_set(&self->open_count, 1);
58827 - if (--self->open_count < 0) {
58828 + if (local_dec_return(&self->open_count) < 0) {
58829 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
58830 - __func__, self->line, self->open_count);
58831 - self->open_count = 0;
58832 + __func__, self->line, local_read(&self->open_count));
58833 + local_set(&self->open_count, 0);
58835 - if (self->open_count) {
58836 + if (local_read(&self->open_count)) {
58837 spin_unlock_irqrestore(&self->spinlock, flags);
58839 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
58840 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
58844 - if (self->blocked_open) {
58845 + if (local_read(&self->blocked_open)) {
58846 if (self->close_delay)
58847 schedule_timeout_interruptible(self->close_delay);
58848 wake_up_interruptible(&self->open_wait);
58849 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
58850 spin_lock_irqsave(&self->spinlock, flags);
58851 self->flags &= ~ASYNC_NORMAL_ACTIVE;
58853 - self->open_count = 0;
58854 + local_set(&self->open_count, 0);
58855 spin_unlock_irqrestore(&self->spinlock, flags);
58857 wake_up_interruptible(&self->open_wait);
58858 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
58861 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
58862 - seq_printf(m, "Open count: %d\n", self->open_count);
58863 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
58864 seq_printf(m, "Max data size: %d\n", self->max_data_size);
58865 seq_printf(m, "Max header size: %d\n", self->max_header_size);
58867 diff -urNp linux-2.6.38.4/net/key/af_key.c linux-2.6.38.4/net/key/af_key.c
58868 --- linux-2.6.38.4/net/key/af_key.c 2011-03-14 21:20:32.000000000 -0400
58869 +++ linux-2.6.38.4/net/key/af_key.c 2011-04-17 15:57:33.000000000 -0400
58870 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
58871 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
58873 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
58874 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58879 atomic_read(&s->sk_refcnt),
58880 sk_rmem_alloc_get(s),
58881 sk_wmem_alloc_get(s),
58882 diff -urNp linux-2.6.38.4/net/mac80211/cfg.c linux-2.6.38.4/net/mac80211/cfg.c
58883 --- linux-2.6.38.4/net/mac80211/cfg.c 2011-03-14 21:20:32.000000000 -0400
58884 +++ linux-2.6.38.4/net/mac80211/cfg.c 2011-04-17 15:57:33.000000000 -0400
58885 @@ -1939,7 +1939,7 @@ static int ieee80211_get_antenna(struct
58886 return drv_get_antenna(local, tx_ant, rx_ant);
58889 -struct cfg80211_ops mac80211_config_ops = {
58890 +const struct cfg80211_ops mac80211_config_ops = {
58891 .add_virtual_intf = ieee80211_add_iface,
58892 .del_virtual_intf = ieee80211_del_iface,
58893 .change_virtual_intf = ieee80211_change_iface,
58894 diff -urNp linux-2.6.38.4/net/mac80211/cfg.h linux-2.6.38.4/net/mac80211/cfg.h
58895 --- linux-2.6.38.4/net/mac80211/cfg.h 2011-03-14 21:20:32.000000000 -0400
58896 +++ linux-2.6.38.4/net/mac80211/cfg.h 2011-04-17 15:57:33.000000000 -0400
58901 -extern struct cfg80211_ops mac80211_config_ops;
58902 +extern const struct cfg80211_ops mac80211_config_ops;
58904 #endif /* __CFG_H */
58905 diff -urNp linux-2.6.38.4/net/mac80211/ieee80211_i.h linux-2.6.38.4/net/mac80211/ieee80211_i.h
58906 --- linux-2.6.38.4/net/mac80211/ieee80211_i.h 2011-03-14 21:20:32.000000000 -0400
58907 +++ linux-2.6.38.4/net/mac80211/ieee80211_i.h 2011-04-17 15:57:33.000000000 -0400
58909 #include <net/ieee80211_radiotap.h>
58910 #include <net/cfg80211.h>
58911 #include <net/mac80211.h>
58912 +#include <asm/local.h>
58914 #include "sta_info.h"
58916 @@ -716,7 +717,7 @@ struct ieee80211_local {
58917 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
58918 spinlock_t queue_stop_reason_lock;
58921 + local_t open_count;
58922 int monitors, cooked_mntrs;
58923 /* number of interfaces with corresponding FIF_ flags */
58924 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
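Review bot: `local_t open_count;` changes the field's type with no comment on what still serialises it; local_t operations are guaranteed atomic only with respect to the owning CPU, so the readers and writers converted in the iface.c, main.c, pm.c, rate.c and util.c hunks remain dependent on whatever lock already covered the plain `int` (not visible here). A comment on the field would keep that from being misread as cross-CPU atomicity: `local_t open_count; /* serialised by <lock or RTNL — confirm>; local_t is not a cross-CPU atomic */`. struct ieee80211_local starts and ends outside the hunk.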
58925 diff -urNp linux-2.6.38.4/net/mac80211/iface.c linux-2.6.38.4/net/mac80211/iface.c
58926 --- linux-2.6.38.4/net/mac80211/iface.c 2011-03-14 21:20:32.000000000 -0400
58927 +++ linux-2.6.38.4/net/mac80211/iface.c 2011-04-17 15:57:33.000000000 -0400
58928 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
58932 - if (local->open_count == 0) {
58933 + if (local_read(&local->open_count) == 0) {
58934 res = drv_start(local);
58937 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
58938 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
58940 if (!is_valid_ether_addr(dev->dev_addr)) {
58941 - if (!local->open_count)
58942 + if (!local_read(&local->open_count))
58944 return -EADDRNOTAVAIL;
58946 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
58947 mutex_unlock(&local->mtx);
58950 - local->open_count++;
58951 + local_inc(&local->open_count);
58953 if (hw_reconf_flags) {
58954 ieee80211_hw_config(local, hw_reconf_flags);
58955 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
58957 drv_remove_interface(local, &sdata->vif);
58959 - if (!local->open_count)
58960 + if (!local_read(&local->open_count))
58964 @@ -473,7 +473,7 @@ static void ieee80211_do_stop(struct iee
58968 - local->open_count--;
58969 + local_dec(&local->open_count);
58971 switch (sdata->vif.type) {
58972 case NL80211_IFTYPE_AP_VLAN:
58973 @@ -532,7 +532,7 @@ static void ieee80211_do_stop(struct iee
58975 ieee80211_recalc_ps(local, -1);
58977 - if (local->open_count == 0) {
58978 + if (local_read(&local->open_count) == 0) {
58979 if (local->ops->napi_poll)
58980 napi_disable(&local->napi);
58981 ieee80211_clear_tx_pending(local);
58982 diff -urNp linux-2.6.38.4/net/mac80211/main.c linux-2.6.38.4/net/mac80211/main.c
58983 --- linux-2.6.38.4/net/mac80211/main.c 2011-03-14 21:20:32.000000000 -0400
58984 +++ linux-2.6.38.4/net/mac80211/main.c 2011-04-17 15:57:33.000000000 -0400
58985 @@ -161,7 +161,7 @@ int ieee80211_hw_config(struct ieee80211
58986 local->hw.conf.power_level = power;
58989 - if (changed && local->open_count) {
58990 + if (changed && local_read(&local->open_count)) {
58991 ret = drv_config(local, changed);
58994 diff -urNp linux-2.6.38.4/net/mac80211/pm.c linux-2.6.38.4/net/mac80211/pm.c
58995 --- linux-2.6.38.4/net/mac80211/pm.c 2011-03-14 21:20:32.000000000 -0400
58996 +++ linux-2.6.38.4/net/mac80211/pm.c 2011-04-17 15:57:33.000000000 -0400
58997 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
59000 /* stop hardware - this must stop RX */
59001 - if (local->open_count)
59002 + if (local_read(&local->open_count))
59003 ieee80211_stop_device(local);
59005 local->suspended = true;
59006 diff -urNp linux-2.6.38.4/net/mac80211/rate.c linux-2.6.38.4/net/mac80211/rate.c
59007 --- linux-2.6.38.4/net/mac80211/rate.c 2011-03-14 21:20:32.000000000 -0400
59008 +++ linux-2.6.38.4/net/mac80211/rate.c 2011-04-17 15:57:33.000000000 -0400
59009 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
59013 - if (local->open_count)
59014 + if (local_read(&local->open_count))
59017 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
59018 diff -urNp linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c
59019 --- linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c 2011-03-14 21:20:32.000000000 -0400
59020 +++ linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c 2011-04-17 15:57:33.000000000 -0400
59021 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
59023 spin_unlock_irqrestore(&events->lock, status);
59025 - if (copy_to_user(buf, pb, p))
59026 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
59030 diff -urNp linux-2.6.38.4/net/mac80211/tx.c linux-2.6.38.4/net/mac80211/tx.c
59031 --- linux-2.6.38.4/net/mac80211/tx.c 2011-03-14 21:20:32.000000000 -0400
59032 +++ linux-2.6.38.4/net/mac80211/tx.c 2011-04-17 15:57:33.000000000 -0400
59033 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
59034 return cpu_to_le16(dur);
59037 -static int inline is_ieee80211_device(struct ieee80211_local *local,
59038 +static inline int is_ieee80211_device(struct ieee80211_local *local,
59039 struct net_device *dev)
59041 return local == wdev_priv(dev->ieee80211_ptr);
59042 diff -urNp linux-2.6.38.4/net/mac80211/util.c linux-2.6.38.4/net/mac80211/util.c
59043 --- linux-2.6.38.4/net/mac80211/util.c 2011-03-14 21:20:32.000000000 -0400
59044 +++ linux-2.6.38.4/net/mac80211/util.c 2011-04-17 15:57:33.000000000 -0400
59045 @@ -1135,7 +1135,7 @@ int ieee80211_reconfig(struct ieee80211_
59046 local->resuming = true;
59048 /* restart hardware */
59049 - if (local->open_count) {
59050 + if (local_read(&local->open_count)) {
59052 * Upon resume hardware can sometimes be goofy due to
59053 * various platform / driver / bus issues, so restarting
59054 diff -urNp linux-2.6.38.4/net/netfilter/Kconfig linux-2.6.38.4/net/netfilter/Kconfig
59055 --- linux-2.6.38.4/net/netfilter/Kconfig 2011-03-14 21:20:32.000000000 -0400
59056 +++ linux-2.6.38.4/net/netfilter/Kconfig 2011-04-17 15:57:33.000000000 -0400
59057 @@ -709,6 +709,16 @@ config NETFILTER_XT_MATCH_ESP
59059 To compile it as a module, choose M here. If unsure, say N.
59061 +config NETFILTER_XT_MATCH_GRADM
59062 + tristate '"gradm" match support'
59063 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
59064 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
59066 + The gradm match allows to match on grsecurity RBAC being enabled.
59067 + It is useful when iptables rules are applied early on bootup to
59068 + prevent connections to the machine (except from a trusted host)
59069 + while the RBAC system is disabled.
59071 config NETFILTER_XT_MATCH_HASHLIMIT
59072 tristate '"hashlimit" match support'
59073 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
59074 diff -urNp linux-2.6.38.4/net/netfilter/Makefile linux-2.6.38.4/net/netfilter/Makefile
59075 --- linux-2.6.38.4/net/netfilter/Makefile 2011-03-14 21:20:32.000000000 -0400
59076 +++ linux-2.6.38.4/net/netfilter/Makefile 2011-04-17 15:57:33.000000000 -0400
59077 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
59078 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
59079 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
59080 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
59081 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
59082 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
59083 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
59084 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
59085 diff -urNp linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c
59086 --- linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c 2011-03-14 21:20:32.000000000 -0400
59087 +++ linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c 2011-04-17 15:57:33.000000000 -0400
59088 @@ -761,7 +761,7 @@ static const struct nla_policy tuple_nla
59090 ctnetlink_parse_tuple(const struct nlattr * const cda[],
59091 struct nf_conntrack_tuple *tuple,
59092 - enum ctattr_tuple type, u_int8_t l3num)
59093 + enum ctattr_type type, u_int8_t l3num)
59095 struct nlattr *tb[CTA_TUPLE_MAX+1];
59097 diff -urNp linux-2.6.38.4/net/netfilter/xt_gradm.c linux-2.6.38.4/net/netfilter/xt_gradm.c
59098 --- linux-2.6.38.4/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
59099 +++ linux-2.6.38.4/net/netfilter/xt_gradm.c 2011-04-17 15:57:33.000000000 -0400
59102 + * gradm match for netfilter
59103 + * Copyright © Zbigniew Krzystolik, 2010
59105 + * This program is free software; you can redistribute it and/or modify
59106 + * it under the terms of the GNU General Public License; either version
59107 + * 2 or 3 as published by the Free Software Foundation.
59109 +#include <linux/module.h>
59110 +#include <linux/moduleparam.h>
59111 +#include <linux/skbuff.h>
59112 +#include <linux/netfilter/x_tables.h>
59113 +#include <linux/grsecurity.h>
59114 +#include <linux/netfilter/xt_gradm.h>
59117 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
59119 + const struct xt_gradm_mtinfo *info = par->matchinfo;
59120 + bool retval = false;
59121 + if (gr_acl_is_enabled())
59123 + return retval ^ info->invflags;
59126 +static struct xt_match gradm_mt_reg __read_mostly = {
59129 + .family = NFPROTO_UNSPEC,
59130 + .match = gradm_mt,
59131 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
59132 + .me = THIS_MODULE,
59135 +static int __init gradm_mt_init(void)
59137 + return xt_register_match(&gradm_mt_reg);
59140 +static void __exit gradm_mt_exit(void)
59142 + xt_unregister_match(&gradm_mt_reg);
59145 +module_init(gradm_mt_init);
59146 +module_exit(gradm_mt_exit);
59147 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
59148 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
59149 +MODULE_LICENSE("GPL");
59150 +MODULE_ALIAS("ipt_gradm");
59151 +MODULE_ALIAS("ip6t_gradm");
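Review bot: `return retval ^ info->invflags;` in gradm_mt inverts correctly only if `invflags` is guaranteed to be 0 or 1; if it is a flag word filled in from userspace (the `xt_gradm.h` layout is not in the hunk), any other bit set makes both values of `retval` come out true, and no `.checkentry` validating the field is visible in `gradm_mt_reg`. Either normalise it, `return retval ^ !!info->invflags;`, or add a checkentry that rejects unknown bits so a malformed rule fails at insertion rather than silently matching everything. `<linux/moduleparam.h>` is included but nothing in the file uses it.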
59152 diff -urNp linux-2.6.38.4/net/netlink/af_netlink.c linux-2.6.38.4/net/netlink/af_netlink.c
59153 --- linux-2.6.38.4/net/netlink/af_netlink.c 2011-03-14 21:20:32.000000000 -0400
59154 +++ linux-2.6.38.4/net/netlink/af_netlink.c 2011-04-17 15:57:33.000000000 -0400
59155 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
59156 struct netlink_sock *nlk = nlk_sk(s);
59158 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
59159 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59166 nlk->groups ? (u32)nlk->groups[0] : 0,
59167 sk_rmem_alloc_get(s),
59168 sk_wmem_alloc_get(s),
59169 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59174 atomic_read(&s->sk_refcnt),
59175 atomic_read(&s->sk_drops),
59177 diff -urNp linux-2.6.38.4/net/netrom/af_netrom.c linux-2.6.38.4/net/netrom/af_netrom.c
59178 --- linux-2.6.38.4/net/netrom/af_netrom.c 2011-03-14 21:20:32.000000000 -0400
59179 +++ linux-2.6.38.4/net/netrom/af_netrom.c 2011-04-17 15:57:33.000000000 -0400
59180 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
59181 struct sock *sk = sock->sk;
59182 struct nr_sock *nr = nr_sk(sk);
59184 + memset(sax, 0, sizeof(*sax));
59187 if (sk->sk_state != TCP_ESTABLISHED) {
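Review bot: The new `memset(sax, 0, sizeof(*sax))` is what makes the removal of `sax->fsa_ax25.sax25_ndigis = 0;` in the next hunk safe, but nothing records that dependency, and the amount zeroed rests on `sax` being the `struct full_sockaddr_ax25` view of the caller's buffer (its declaration is above the hunk). A one-line comment ties the two together and states the purpose: `/* zero the whole address, padding included, so no kernel stack bytes reach userspace */`. nr_getname's body continues outside both hunks.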
59188 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
59189 *uaddr_len = sizeof(struct full_sockaddr_ax25);
59191 sax->fsa_ax25.sax25_family = AF_NETROM;
59192 - sax->fsa_ax25.sax25_ndigis = 0;
59193 sax->fsa_ax25.sax25_call = nr->source_addr;
59194 *uaddr_len = sizeof(struct sockaddr_ax25);
59196 diff -urNp linux-2.6.38.4/net/packet/af_packet.c linux-2.6.38.4/net/packet/af_packet.c
59197 --- linux-2.6.38.4/net/packet/af_packet.c 2011-03-14 21:20:32.000000000 -0400
59198 +++ linux-2.6.38.4/net/packet/af_packet.c 2011-04-17 15:57:33.000000000 -0400
59199 @@ -2134,7 +2134,7 @@ static int packet_getsockopt(struct sock
59200 case PACKET_HDRLEN:
59201 if (len > sizeof(int))
59203 - if (copy_from_user(&val, optval, len))
59204 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
59208 @@ -2172,7 +2172,7 @@ static int packet_getsockopt(struct sock
59210 if (put_user(len, optlen))
59212 - if (copy_to_user(optval, data, len))
59213 + if (len > sizeof(st) || copy_to_user(optval, data, len))
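Review bot: The added `len > sizeof(st)` bound is tested against `st` regardless of which object `data` points to, so for optnames where `data` aliases the smaller `val` it only rejects lengths beyond the largest case; the per-option clamps earlier in the switch (outside the hunk) are what actually bound the copy. If a self-contained check is wanted, carry the size with the pointer (a `size_t data_len` assigned wherever `data` is) and test `len > data_len`. In the PACKET_HDRLEN hunk above, `len > sizeof(val)` duplicates the `len > sizeof(int)` test two lines earlier if `val` is an `int`; if so, one should go or a comment should say why both stay. packet_getsockopt starts and ends outside the hunk.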
59217 @@ -2684,7 +2684,11 @@ static int packet_seq_show(struct seq_fi
59220 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
59221 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59226 atomic_read(&s->sk_refcnt),
59229 diff -urNp linux-2.6.38.4/net/phonet/af_phonet.c linux-2.6.38.4/net/phonet/af_phonet.c
59230 --- linux-2.6.38.4/net/phonet/af_phonet.c 2011-03-14 21:20:32.000000000 -0400
59231 +++ linux-2.6.38.4/net/phonet/af_phonet.c 2011-04-17 15:57:33.000000000 -0400
59232 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
59234 struct phonet_protocol *pp;
59236 - if (protocol >= PHONET_NPROTO)
59237 + if (protocol < 0 || protocol >= PHONET_NPROTO)
59241 @@ -463,7 +463,7 @@ int __init_or_module phonet_proto_regist
59245 - if (protocol >= PHONET_NPROTO)
59246 + if (protocol < 0 || protocol >= PHONET_NPROTO)
59249 err = proto_register(pp->prot, 1);
59250 diff -urNp linux-2.6.38.4/net/phonet/socket.c linux-2.6.38.4/net/phonet/socket.c
59251 --- linux-2.6.38.4/net/phonet/socket.c 2011-03-14 21:20:32.000000000 -0400
59252 +++ linux-2.6.38.4/net/phonet/socket.c 2011-04-17 15:57:33.000000000 -0400
59253 @@ -637,7 +637,12 @@ static int pn_sock_seq_show(struct seq_f
59255 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
59256 sock_i_uid(sk), sock_i_ino(sk),
59257 - atomic_read(&sk->sk_refcnt), sk,
59258 + atomic_read(&sk->sk_refcnt),
59259 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59264 atomic_read(&sk->sk_drops), &len);
59266 seq_printf(seq, "%*s\n", 127 - len, "");
59267 diff -urNp linux-2.6.38.4/net/sctp/proc.c linux-2.6.38.4/net/sctp/proc.c
59268 --- linux-2.6.38.4/net/sctp/proc.c 2011-03-14 21:20:32.000000000 -0400
59269 +++ linux-2.6.38.4/net/sctp/proc.c 2011-04-17 15:57:33.000000000 -0400
59270 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
59271 sctp_for_each_hentry(epb, node, &head->chain) {
59274 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
59275 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
59276 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59281 sctp_sk(sk)->type, sk->sk_state, hash,
59282 epb->bind_addr.port,
59283 sock_i_uid(sk), sock_i_ino(sk));
59284 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
59286 "%8p %8p %-3d %-3d %-2d %-4d "
59287 "%4d %8d %8d %7d %5lu %-5d %5d ",
59288 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
59289 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59294 + sctp_sk(sk)->type, sk->sk_state,
59295 assoc->state, hash,
59297 assoc->sndbuf_used,
59298 diff -urNp linux-2.6.38.4/net/sctp/socket.c linux-2.6.38.4/net/sctp/socket.c
59299 --- linux-2.6.38.4/net/sctp/socket.c 2011-03-14 21:20:32.000000000 -0400
59300 +++ linux-2.6.38.4/net/sctp/socket.c 2011-04-17 15:57:33.000000000 -0400
59301 @@ -1496,7 +1496,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
59302 struct sctp_sndrcvinfo *sinfo;
59303 struct sctp_initmsg *sinit;
59304 sctp_assoc_t associd = 0;
59305 - sctp_cmsgs_t cmsgs = { NULL };
59306 + sctp_cmsgs_t cmsgs = { NULL, NULL };
59308 sctp_scope_t scope;
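Review bot: `sctp_cmsgs_t cmsgs = { NULL, NULL };` behaves identically to the previous `{ NULL }`, since C zero-initialises the remaining members either way, so the change only silences a missing-field-initializer warning. If that is the purpose, `= { }` as used elsewhere in the kernel, or a designated initializer, states it without an explicit count that goes stale when the struct grows. sctp_sendmsg continues outside the hunk.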
59310 @@ -4435,7 +4435,7 @@ static int sctp_getsockopt_peer_addrs(st
59311 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
59312 if (space_left < addrlen)
59314 - if (copy_to_user(to, &temp, addrlen))
59315 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
59319 diff -urNp linux-2.6.38.4/net/socket.c linux-2.6.38.4/net/socket.c
59320 --- linux-2.6.38.4/net/socket.c 2011-04-18 17:27:16.000000000 -0400
59321 +++ linux-2.6.38.4/net/socket.c 2011-04-17 15:57:33.000000000 -0400
59323 #include <linux/nsproxy.h>
59324 #include <linux/magic.h>
59325 #include <linux/slab.h>
59326 +#include <linux/in.h>
59328 #include <asm/uaccess.h>
59329 #include <asm/unistd.h>
59330 @@ -105,6 +106,8 @@
59331 #include <linux/sockios.h>
59332 #include <linux/atalk.h>
59334 +#include <linux/grsock.h>
59336 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
59337 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
59338 unsigned long nr_segs, loff_t pos);
59339 @@ -326,7 +329,7 @@ static struct dentry *sockfs_mount(struc
59340 &sockfs_dentry_operations, SOCKFS_MAGIC);
59343 -static struct vfsmount *sock_mnt __read_mostly;
59344 +struct vfsmount *sock_mnt __read_mostly;
59346 static struct file_system_type sock_fs_type = {
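Review bot: Dropping `static` from `sock_mnt` turns the socket filesystem's mount into a global symbol with no comment naming the consumer and no visible header declaration, so a remote `extern struct vfsmount *sock_mnt;` cannot be type-checked against this definition. If another file needs it, declare it once in a header both sides include and mark the definition `/* shared with <consumer file — not visible in this chunk> */` so the widened visibility is deliberate rather than accidental.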
59348 @@ -1174,6 +1177,8 @@ int __sock_create(struct net *net, int f
59349 return -EAFNOSUPPORT;
59350 if (type < 0 || type >= SOCK_MAX)
59352 + if (protocol < 0)
59357 @@ -1306,6 +1311,16 @@ SYSCALL_DEFINE3(socket, int, family, int
59358 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
59359 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
59361 + if(!gr_search_socket(family, type, protocol)) {
59362 + retval = -EACCES;
59366 + if (gr_handle_sock_all(family, type, protocol)) {
59367 + retval = -EACCES;
59371 retval = sock_create(family, type, protocol, &sock);
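Review bot: `if(!gr_search_socket(family, type, protocol)) {` lacks the space after `if` that the surrounding file and checkpatch expect. The two back-to-back checks both end in `retval = -EACCES`; if they differ only in what they log or audit (not visible here), a short comment saying why both are required would keep the next reader from merging them. The socket syscall body continues outside the hunk.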
59374 @@ -1418,6 +1433,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
59376 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
59378 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
59382 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
59386 err = security_socket_bind(sock,
59387 (struct sockaddr *)&address,
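Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` hands a generic `sockaddr_storage` to a callee typed for IPv4 with no visible `sa_family` check, so the callee must gate on the family itself or it will read `sin_addr`/`sin_port` out of an AF_INET6 or AF_UNIX address; the connect hunk makes the same cast in `gr_search_connect(sock, (struct sockaddr_in *)sck)`. Whether the callee checks is not visible here; a comment at the call site, `/* gr_search_bind() must inspect only AF_INET addresses; other families are passed through unchanged */`, would document the contract, or the prototype could take `struct sockaddr *` and cast after the family check. The bind syscall continues outside the hunk.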
59389 @@ -1426,6 +1449,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
59390 (struct sockaddr *)
59391 &address, addrlen);
59394 fput_light(sock->file, fput_needed);
59397 @@ -1449,10 +1473,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
59398 if ((unsigned)backlog > somaxconn)
59399 backlog = somaxconn;
59401 + if (gr_handle_sock_server_other(sock->sk)) {
59406 + err = gr_search_listen(sock);
59410 err = security_socket_listen(sock, backlog);
59412 err = sock->ops->listen(sock, backlog);
59415 fput_light(sock->file, fput_needed);
59418 @@ -1496,6 +1530,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
59419 newsock->type = sock->type;
59420 newsock->ops = sock->ops;
59422 + if (gr_handle_sock_server_other(sock->sk)) {
59424 + sock_release(newsock);
59428 + err = gr_search_accept(sock);
59430 + sock_release(newsock);
59435 * We don't need try_module_get here, as the listening socket (sock)
59436 * has the protocol module (sock->ops->owner) held.
59437 @@ -1534,6 +1580,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
59438 fd_install(newfd, newfile);
59441 + gr_attach_curr_ip(newsock->sk);
59444 fput_light(sock->file, fput_needed);
59446 @@ -1566,6 +1614,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
59449 struct socket *sock;
59450 + struct sockaddr *sck;
59451 struct sockaddr_storage address;
59452 int err, fput_needed;
59454 @@ -1576,6 +1625,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
59458 + sck = (struct sockaddr *)&address;
59460 + if (gr_handle_sock_client(sck)) {
59465 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
59470 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
59472 diff -urNp linux-2.6.38.4/net/sunrpc/sched.c linux-2.6.38.4/net/sunrpc/sched.c
59473 --- linux-2.6.38.4/net/sunrpc/sched.c 2011-04-18 17:27:14.000000000 -0400
59474 +++ linux-2.6.38.4/net/sunrpc/sched.c 2011-04-17 15:57:33.000000000 -0400
59475 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
59477 static void rpc_task_set_debuginfo(struct rpc_task *task)
59479 - static atomic_t rpc_pid;
59480 + static atomic_unchecked_t rpc_pid;
59482 - task->tk_pid = atomic_inc_return(&rpc_pid);
59483 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
59486 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
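Review bot: The switch of `rpc_pid` to `atomic_unchecked_t` carries no comment explaining why this counter may opt out of the overflow checking that the rest of the patch applies to atomic_t. Since tk_pid is only a debug identifier, wraparound is harmless, but the next reader of this file will not know that; add `/* debug id only: wraparound is harmless, so no overflow check is needed */` above the declaration.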
59487 diff -urNp linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c
59488 --- linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-14 21:20:32.000000000 -0400
59489 +++ linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c 2011-04-17 15:57:33.000000000 -0400
59490 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
59494 - if (len && copy_to_user(buffer, str_buf, len))
59495 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
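Review bot: The new guard `len > sizeof str_buf` compares `len` against a size_t, so if `len` is declared as a signed int (its declaration is above the hunk) a negative value is promoted to a large unsigned one and takes the rejection path instead of the `len && ...` no-copy path. That is acceptable for a defensive check, but the intent should be written down: `/* defensive: never let a miscomputed len read past str_buf */`. read_reset_stat starts and ends outside this hunk.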
59499 diff -urNp linux-2.6.38.4/net/sysctl_net.c linux-2.6.38.4/net/sysctl_net.c
59500 --- linux-2.6.38.4/net/sysctl_net.c 2011-03-14 21:20:32.000000000 -0400
59501 +++ linux-2.6.38.4/net/sysctl_net.c 2011-04-17 15:57:33.000000000 -0400
59502 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
59503 struct ctl_table *table)
59505 /* Allow network administrator to have same access as root. */
59506 - if (capable(CAP_NET_ADMIN)) {
59507 + if (capable_nolog(CAP_NET_ADMIN)) {
59508 int mode = (table->mode >> 6) & 7;
59509 return (mode << 6) | (mode << 3) | mode;
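Review bot: Replacing `capable(CAP_NET_ADMIN)` with `capable_nolog(CAP_NET_ADMIN)` changes the audit behaviour of this permission check, and nothing at the call site says why. If the reason is that net_ctl_permissions() is a permission probe evaluated on every sysctl lookup rather than a privileged action, that belongs in the existing comment: `/* Allow network administrator to have same access as root. This is a probe, not a privileged operation, so the capability use is not logged. */`.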
59511 diff -urNp linux-2.6.38.4/net/tipc/socket.c linux-2.6.38.4/net/tipc/socket.c
59512 --- linux-2.6.38.4/net/tipc/socket.c 2011-03-14 21:20:32.000000000 -0400
59513 +++ linux-2.6.38.4/net/tipc/socket.c 2011-04-17 15:57:33.000000000 -0400
59514 @@ -1447,8 +1447,9 @@ static int connect(struct socket *sock,
59519 - ; /* leave "res" unchanged */
59521 + /* leave "res" unchanged */
59523 sock->state = SS_DISCONNECTING;
59526 diff -urNp linux-2.6.38.4/net/unix/af_unix.c linux-2.6.38.4/net/unix/af_unix.c
59527 --- linux-2.6.38.4/net/unix/af_unix.c 2011-03-14 21:20:32.000000000 -0400
59528 +++ linux-2.6.38.4/net/unix/af_unix.c 2011-04-17 15:57:33.000000000 -0400
59529 @@ -765,6 +765,12 @@ static struct sock *unix_find_other(stru
59530 err = -ECONNREFUSED;
59531 if (!S_ISSOCK(inode->i_mode))
59534 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
59539 u = unix_find_socket_byinode(inode);
59542 @@ -785,6 +791,13 @@ static struct sock *unix_find_other(stru
59544 struct dentry *dentry;
59545 dentry = unix_sk(u)->dentry;
59547 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
59554 touch_atime(unix_sk(u)->mnt, dentry);
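Review bot: `gr_handle_chroot_unix(u->sk_peer_pid)` reads the peer pid of a socket found through the hash table without holding u's state lock. The bind hunk at @@ -892 writes `sk->sk_peer_pid` before the socket is linked into unix_socket_table, so a socket found here presumably already carries its bind-time value, but if any other path updates sk_peer_pid after hashing (listen() does so in the upstream code) the unlocked read can race with the put_pid there. Either take the lock around the read or document why the race is tolerable, e.g. `/* sk_peer_pid is assigned in unix_bind() before the socket is hashed; see CONFIG_GRKERNSEC_CHROOT_UNIX there */`, and put the matching comment on the `#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX` block in the bind hunk. unix_find_other starts and ends outside the hunk.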
59556 @@ -870,11 +883,18 @@ static int unix_bind(struct socket *sock
59557 err = security_path_mknod(&nd.path, dentry, mode, 0);
59559 goto out_mknod_drop_write;
59560 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
59562 + goto out_mknod_drop_write;
59564 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
59565 out_mknod_drop_write:
59566 mnt_drop_write(nd.path.mnt);
59568 goto out_mknod_dput;
59570 + gr_handle_create(dentry, nd.path.mnt);
59572 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
59573 dput(nd.path.dentry);
59574 nd.path.dentry = dentry;
59575 @@ -892,6 +912,11 @@ out_mknod_drop_write:
59579 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59580 + put_pid(sk->sk_peer_pid);
59581 + sk->sk_peer_pid = get_pid(task_tgid(current));
59584 list = &unix_socket_table[addr->hash];
59586 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
59587 @@ -2235,7 +2260,11 @@ static int unix_seq_show(struct seq_file
59588 unix_state_lock(s);
59590 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
59591 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59596 atomic_read(&s->sk_refcnt),
59598 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
59599 diff -urNp linux-2.6.38.4/net/wireless/reg.c linux-2.6.38.4/net/wireless/reg.c
59600 --- linux-2.6.38.4/net/wireless/reg.c 2011-03-14 21:20:32.000000000 -0400
59601 +++ linux-2.6.38.4/net/wireless/reg.c 2011-04-17 15:57:33.000000000 -0400
59603 printk(KERN_DEBUG pr_fmt(format), ##args); \
59606 -#define REG_DBG_PRINT(args...)
59607 +#define REG_DBG_PRINT(args...) do {} while (0)
59610 /* Receipt of information from last regulatory request */
59611 diff -urNp linux-2.6.38.4/net/wireless/wext-core.c linux-2.6.38.4/net/wireless/wext-core.c
59612 --- linux-2.6.38.4/net/wireless/wext-core.c 2011-03-14 21:20:32.000000000 -0400
59613 +++ linux-2.6.38.4/net/wireless/wext-core.c 2011-04-17 15:57:33.000000000 -0400
59614 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
59617 /* Support for very large requests */
59618 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
59619 - (user_length > descr->max_tokens)) {
59620 + if (user_length > descr->max_tokens) {
59621 /* Allow userspace to GET more than max so
59622 * we can support any size GET requests.
59623 * There is still a limit : -ENOMEM.
59624 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
59628 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
59630 - * If this is a GET, but not NOMAX, it means that the extra
59631 - * data is not bounded by userspace, but by max_tokens. Thus
59632 - * set the length to max_tokens. This matches the extra data
59634 - * The driver should fill it with the number of tokens it
59635 - * provided, and it may check iwp->length rather than having
59636 - * knowledge of max_tokens. If the driver doesn't change the
59637 - * iwp->length, this ioctl just copies back max_token tokens
59638 - * filled with zeroes. Hopefully the driver isn't claiming
59639 - * them to be valid data.
59641 - iwp->length = descr->max_tokens;
59644 err = handler(dev, info, (union iwreq_data *) iwp, extra);
59646 iwp->length += essid_compat;
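Review bot: The removed block was the only place documenting what iwp->length means on entry to a GET handler; together with hunk @@ -746, a GET handler now presumably sees the caller's user_length in iwp->length (possibly larger than descr->max_tokens) with the extra buffer sized to match, and nothing in the function states that contract any more. Drivers that bound their writes by max_tokens are unaffected since the buffer only grew, but a driver that assumed iwp->length <= max_tokens on entry now sees a larger value. Add a comment above the `handler(...)` call, e.g. `/* GET: iwp->length is the caller's buffer length; extra is zero-filled and sized for at least that many tokens */`. ioctl_standard_iw_point starts and ends outside the hunk.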
59647 diff -urNp linux-2.6.38.4/net/x25/x25_facilities.c linux-2.6.38.4/net/x25/x25_facilities.c
59648 --- linux-2.6.38.4/net/x25/x25_facilities.c 2011-03-14 21:20:32.000000000 -0400
59649 +++ linux-2.6.38.4/net/x25/x25_facilities.c 2011-04-17 15:57:33.000000000 -0400
59650 @@ -167,7 +167,8 @@ int x25_parse_facilities(struct sk_buff
59653 printk(KERN_DEBUG "X.25: unknown facility %02X,"
59654 - "length %d\n", p[0], p[1]);
59655 + "length %d, values %02X, %02X\n",
59656 + p[0], p[1], p[2], p[3]);
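Review bot: The extended debug printk dereferences `p[2]` and `p[3]`, which the previous message never read; the length validation lives in the loop above this hunk, and if it only guarantees the two header bytes (`p[0]`, `p[1]`) for an unknown facility, the new arguments read up to two bytes past the validated data whenever the facility length `p[1]` is below 2. Guard the extra values on that length, e.g. `p[1] >= 2 ? p[2] : 0, p[1] >= 2 ? p[3] : 0`, or only print them when `p[1] >= 2`. x25_parse_facilities starts and ends outside the hunk.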
59660 diff -urNp linux-2.6.38.4/net/xfrm/xfrm_policy.c linux-2.6.38.4/net/xfrm/xfrm_policy.c
59661 --- linux-2.6.38.4/net/xfrm/xfrm_policy.c 2011-04-22 19:20:59.000000000 -0400
59662 +++ linux-2.6.38.4/net/xfrm/xfrm_policy.c 2011-04-22 19:21:47.000000000 -0400
59663 @@ -1507,7 +1507,7 @@ free_dst:
59669 xfrm_dst_alloc_copy(void **target, void *src, int size)
59672 @@ -1519,7 +1519,7 @@ xfrm_dst_alloc_copy(void **target, void
59678 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
59680 #ifdef CONFIG_XFRM_SUB_POLICY
59681 @@ -1531,7 +1531,7 @@ xfrm_dst_update_parent(struct dst_entry
59687 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
59689 #ifdef CONFIG_XFRM_SUB_POLICY
59690 diff -urNp linux-2.6.38.4/scripts/basic/fixdep.c linux-2.6.38.4/scripts/basic/fixdep.c
59691 --- linux-2.6.38.4/scripts/basic/fixdep.c 2011-03-14 21:20:32.000000000 -0400
59692 +++ linux-2.6.38.4/scripts/basic/fixdep.c 2011-04-17 15:57:33.000000000 -0400
59693 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
59695 static void parse_config_file(const char *map, size_t len)
59697 - const int *end = (const int *) (map + len);
59698 + const unsigned int *end = (const unsigned int *) (map + len);
59699 /* start at +1, so that p can never be < map */
59700 - const int *m = (const int *) map + 1;
59701 + const unsigned int *m = (const unsigned int *) map + 1;
59704 for (; m < end; m++) {
59705 @@ -405,7 +405,7 @@ static void print_deps(void)
59706 static void traps(void)
59708 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
59709 - int *p = (int *)test;
59710 + unsigned int *p = (unsigned int *)test;
59712 if (*p != INT_CONF) {
59713 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
59714 diff -urNp linux-2.6.38.4/scripts/kallsyms.c linux-2.6.38.4/scripts/kallsyms.c
59715 --- linux-2.6.38.4/scripts/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
59716 +++ linux-2.6.38.4/scripts/kallsyms.c 2011-04-17 15:57:33.000000000 -0400
59717 @@ -43,10 +43,10 @@ struct text_range {
59719 static unsigned long long _text;
59720 static struct text_range text_ranges[] = {
59721 - { "_stext", "_etext" },
59722 - { "_sinittext", "_einittext" },
59723 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
59724 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
59725 + { "_stext", "_etext", 0, 0 },
59726 + { "_sinittext", "_einittext", 0, 0 },
59727 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
59728 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
59730 #define text_range_text (&text_ranges[0])
59731 #define text_range_inittext (&text_ranges[1])
59732 diff -urNp linux-2.6.38.4/scripts/mod/file2alias.c linux-2.6.38.4/scripts/mod/file2alias.c
59733 --- linux-2.6.38.4/scripts/mod/file2alias.c 2011-03-14 21:20:32.000000000 -0400
59734 +++ linux-2.6.38.4/scripts/mod/file2alias.c 2011-04-17 15:57:33.000000000 -0400
59735 @@ -72,7 +72,7 @@ static void device_id_check(const char *
59736 unsigned long size, unsigned long id_size,
59742 if (size % id_size || size < id_size) {
59743 if (cross_build != 0)
59744 @@ -102,7 +102,7 @@ static void device_id_check(const char *
59745 /* USB is special because the bcdDevice can be matched against a numeric range */
59746 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
59747 static void do_usb_entry(struct usb_device_id *id,
59748 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
59749 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
59750 unsigned char range_lo, unsigned char range_hi,
59751 unsigned char max, struct module *mod)
59753 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
59754 for (i = 0; i < count; i++) {
59755 const char *id = (char *)devs[i].id;
59756 char acpi_id[sizeof(devs[0].id)];
59760 buf_printf(&mod->dev_table_buf,
59761 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
59762 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
59764 for (j = 0; j < PNP_MAX_DEVICES; j++) {
59765 const char *id = (char *)card->devs[j].id;
59767 + unsigned int i2, j2;
59771 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
59772 /* add an individual alias for every device entry */
59774 char acpi_id[sizeof(card->devs[0].id)];
59778 buf_printf(&mod->dev_table_buf,
59779 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
59780 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
59781 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
59785 + unsigned int i, j;
59787 sprintf(alias, "dmi*");
59789 diff -urNp linux-2.6.38.4/scripts/mod/modpost.c linux-2.6.38.4/scripts/mod/modpost.c
59790 --- linux-2.6.38.4/scripts/mod/modpost.c 2011-03-14 21:20:32.000000000 -0400
59791 +++ linux-2.6.38.4/scripts/mod/modpost.c 2011-04-17 15:57:33.000000000 -0400
59792 @@ -896,6 +896,7 @@ enum mismatch {
59793 ANY_INIT_TO_ANY_EXIT,
59794 ANY_EXIT_TO_ANY_INIT,
59795 EXPORT_TO_INIT_EXIT,
59799 struct sectioncheck {
59800 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
59801 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
59802 .mismatch = EXPORT_TO_INIT_EXIT,
59803 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
59805 +/* Do not reference code from writable data */
59807 + .fromsec = { DATA_SECTIONS, NULL },
59808 + .tosec = { TEXT_SECTIONS, NULL },
59809 + .mismatch = DATA_TO_TEXT
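Review bot: The new DATA_TO_TEXT entry omits the `.symbol_white_list` member that the neighbouring entries set (see `.symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL }` just above), so static initialization leaves it an all-NULL array. That is fine only if the matching code treats a NULL first pattern as an empty list; make the intent visible with an explicit `.symbol_white_list = { NULL },` and a trailing comma after `.mismatch = DATA_TO_TEXT` so later additions diff cleanly. The closing braces of the entry are not visible in the hunk.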
59813 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
59815 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
59817 - if (sym->st_value == addr)
59819 /* Find a symbol nearby - addr are maybe negative */
59820 d = sym->st_value - addr;
59824 d = addr - sym->st_value;
59825 if (d < distance) {
59826 @@ -1401,6 +1408,14 @@ static void report_sec_mismatch(const ch
59827 tosym, prl_to, prl_to, tosym);
59830 + case DATA_TO_TEXT:
59833 + "The variable %s references\n"
59834 + "the %s %s%s%s\n",
59835 + fromsym, to, sec2annotation(tosec), tosym, to_p);
59839 fprintf(stderr, "\n");
59841 @@ -1724,7 +1739,7 @@ void __attribute__((format(printf, 2, 3)
59845 -void buf_write(struct buffer *buf, const char *s, int len)
59846 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
59848 if (buf->size - buf->pos < len) {
59849 buf->size += len + SZ;
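Review bot: With `len` and, via the modpost.h hunk, `buf->size`/`buf->pos` now unsigned, `if (buf->size - buf->pos < len)` silently depends on the invariant size >= pos; should it ever be violated the subtraction wraps, the growth is skipped and the following copy overruns the buffer, whereas the old signed version would have grown the buffer. The invariant appears to hold for every writer of struct buffer, but it deserves a line here: `/* size >= pos is an invariant of struct buffer; unsigned subtraction relies on it */`. buf_write's body continues outside the hunk.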
59850 @@ -1936,7 +1951,7 @@ static void write_if_changed(struct buff
59851 if (fstat(fileno(file), &st) < 0)
59854 - if (st.st_size != b->pos)
59855 + if (st.st_size != (off_t)b->pos)
59858 tmp = NOFAIL(malloc(b->pos));
59859 diff -urNp linux-2.6.38.4/scripts/mod/modpost.h linux-2.6.38.4/scripts/mod/modpost.h
59860 --- linux-2.6.38.4/scripts/mod/modpost.h 2011-03-14 21:20:32.000000000 -0400
59861 +++ linux-2.6.38.4/scripts/mod/modpost.h 2011-04-17 15:57:33.000000000 -0400
59862 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
59868 + unsigned int pos;
59869 + unsigned int size;
59872 void __attribute__((format(printf, 2, 3)))
59873 buf_printf(struct buffer *buf, const char *fmt, ...);
59876 -buf_write(struct buffer *buf, const char *s, int len);
59877 +buf_write(struct buffer *buf, const char *s, unsigned int len);
59880 struct module *next;
59881 diff -urNp linux-2.6.38.4/scripts/mod/sumversion.c linux-2.6.38.4/scripts/mod/sumversion.c
59882 --- linux-2.6.38.4/scripts/mod/sumversion.c 2011-03-14 21:20:32.000000000 -0400
59883 +++ linux-2.6.38.4/scripts/mod/sumversion.c 2011-04-17 15:57:33.000000000 -0400
59884 @@ -470,7 +470,7 @@ static void write_version(const char *fi
59888 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
59889 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
59890 warn("writing sum in %s failed: %s\n",
59891 filename, strerror(errno));
59893 diff -urNp linux-2.6.38.4/scripts/pnmtologo.c linux-2.6.38.4/scripts/pnmtologo.c
59894 --- linux-2.6.38.4/scripts/pnmtologo.c 2011-03-14 21:20:32.000000000 -0400
59895 +++ linux-2.6.38.4/scripts/pnmtologo.c 2011-04-17 15:57:33.000000000 -0400
59896 @@ -237,14 +237,14 @@ static void write_header(void)
59897 fprintf(out, " * Linux logo %s\n", logoname);
59898 fputs(" */\n\n", out);
59899 fputs("#include <linux/linux_logo.h>\n\n", out);
59900 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
59901 + fprintf(out, "static unsigned char %s_data[] = {\n",
59905 static void write_footer(void)
59907 fputs("\n};\n\n", out);
59908 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
59909 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
59910 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
59911 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
59912 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
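Review bot: Dropping `__initdata` from the emitted `%s_data[]` array and `__initconst` from the `struct linux_logo` definition means the generated logo data is no longer discarded after boot, and the generator gives no hint why. If the motivation is that the logo must stay addressable after init, or that init-section placement conflicts with the read-only data handling elsewhere in this patch, state it in the comment write_header() emits next to `Linux logo %s`, e.g. ` * kept out of .init: the logo data must remain valid after boot`. The same change is made to the clut array in hunk @@ -374.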
59913 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
59914 fputs("\n};\n\n", out);
59916 /* write logo clut */
59917 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
59918 + fprintf(out, "static unsigned char %s_clut[] = {\n",
59921 for (i = 0; i < logo_clutsize; i++) {
59922 diff -urNp linux-2.6.38.4/security/apparmor/lsm.c linux-2.6.38.4/security/apparmor/lsm.c
59923 --- linux-2.6.38.4/security/apparmor/lsm.c 2011-03-14 21:20:32.000000000 -0400
59924 +++ linux-2.6.38.4/security/apparmor/lsm.c 2011-04-17 15:57:33.000000000 -0400
59925 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
59929 -static struct security_operations apparmor_ops = {
59930 +static struct security_operations apparmor_ops __read_only = {
59931 .name = "apparmor",
59933 .ptrace_access_check = apparmor_ptrace_access_check,
59934 diff -urNp linux-2.6.38.4/security/commoncap.c linux-2.6.38.4/security/commoncap.c
59935 --- linux-2.6.38.4/security/commoncap.c 2011-03-14 21:20:32.000000000 -0400
59936 +++ linux-2.6.38.4/security/commoncap.c 2011-04-17 15:57:33.000000000 -0400
59938 #include <linux/prctl.h>
59939 #include <linux/securebits.h>
59940 // #include <linux/vs_context.h>
59941 +#include <net/sock.h>
59944 * If a non-root user executes a setuid-root binary in
59945 @@ -50,9 +51,11 @@ static void warn_setuid_and_fcaps_mixed(
59949 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
59951 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
59953 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
59954 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
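Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is a prototype placed in a .c file, which is the pattern the kernel discourages: if the definition's signature ever changes, this copy is never checked against it and the mismatch is found at link time or not at all. Declare it in a shared grsecurity header included from this file and drop the local extern; which header this file includes for its other gr_* calls is not visible in the hunk.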
59958 @@ -534,6 +537,9 @@ int cap_bprm_secureexec(struct linux_bin
59960 const struct cred *cred = current_cred();
59962 + if (gr_acl_enable_at_secure())
59965 if (cred->uid != 0) {
59966 if (bprm->cap_effective)
59968 diff -urNp linux-2.6.38.4/security/integrity/ima/ima_api.c linux-2.6.38.4/security/integrity/ima/ima_api.c
59969 --- linux-2.6.38.4/security/integrity/ima/ima_api.c 2011-03-14 21:20:32.000000000 -0400
59970 +++ linux-2.6.38.4/security/integrity/ima/ima_api.c 2011-04-17 15:57:33.000000000 -0400
59971 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
59974 /* can overflow, only indicator */
59975 - atomic_long_inc(&ima_htable.violations);
59976 + atomic_long_inc_unchecked(&ima_htable.violations);
59978 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
59980 diff -urNp linux-2.6.38.4/security/integrity/ima/ima_fs.c linux-2.6.38.4/security/integrity/ima/ima_fs.c
59981 --- linux-2.6.38.4/security/integrity/ima/ima_fs.c 2011-03-14 21:20:32.000000000 -0400
59982 +++ linux-2.6.38.4/security/integrity/ima/ima_fs.c 2011-04-17 15:57:33.000000000 -0400
59983 @@ -28,12 +28,12 @@
59984 static int valid_policy = 1;
59985 #define TMPBUFLEN 12
59986 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
59987 - loff_t *ppos, atomic_long_t *val)
59988 + loff_t *ppos, atomic_long_unchecked_t *val)
59990 char tmpbuf[TMPBUFLEN];
59993 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
59994 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
59995 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
59998 diff -urNp linux-2.6.38.4/security/integrity/ima/ima.h linux-2.6.38.4/security/integrity/ima/ima.h
59999 --- linux-2.6.38.4/security/integrity/ima/ima.h 2011-03-14 21:20:32.000000000 -0400
60000 +++ linux-2.6.38.4/security/integrity/ima/ima.h 2011-04-17 15:57:33.000000000 -0400
60001 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
60002 extern spinlock_t ima_queue_lock;
60004 struct ima_h_table {
60005 - atomic_long_t len; /* number of stored measurements in the list */
60006 - atomic_long_t violations;
60007 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
60008 + atomic_long_unchecked_t violations;
60009 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
60011 extern struct ima_h_table ima_htable;
60012 diff -urNp linux-2.6.38.4/security/integrity/ima/ima_queue.c linux-2.6.38.4/security/integrity/ima/ima_queue.c
60013 --- linux-2.6.38.4/security/integrity/ima/ima_queue.c 2011-03-14 21:20:32.000000000 -0400
60014 +++ linux-2.6.38.4/security/integrity/ima/ima_queue.c 2011-04-17 15:57:33.000000000 -0400
60015 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
60016 INIT_LIST_HEAD(&qe->later);
60017 list_add_tail_rcu(&qe->later, &ima_measurements);
60019 - atomic_long_inc(&ima_htable.len);
60020 + atomic_long_inc_unchecked(&ima_htable.len);
60021 key = ima_hash_key(entry->digest);
60022 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
60024 diff -urNp linux-2.6.38.4/security/Kconfig linux-2.6.38.4/security/Kconfig
60025 --- linux-2.6.38.4/security/Kconfig 2011-03-14 21:20:32.000000000 -0400
60026 +++ linux-2.6.38.4/security/Kconfig 2011-04-17 15:57:33.000000000 -0400
60029 menu "Security options"
60031 +source grsecurity/Kconfig
60035 + config ARCH_TRACK_EXEC_LIMIT
60038 + config PAX_PER_CPU_PGD
60041 + config TASK_SIZE_MAX_SHIFT
60043 + depends on X86_64
60044 + default 47 if !PAX_PER_CPU_PGD
60045 + default 42 if PAX_PER_CPU_PGD
60047 + config PAX_ENABLE_PAE
60049 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
60052 + bool "Enable various PaX features"
60053 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
60055 + This allows you to enable various PaX features. PaX adds
60056 + intrusion prevention mechanisms to the kernel that reduce
60057 + the risks posed by exploitable memory corruption bugs.
60059 +menu "PaX Control"
60062 +config PAX_SOFTMODE
60063 + bool 'Support soft mode'
60064 + select PAX_PT_PAX_FLAGS
60066 + Enabling this option will allow you to run PaX in soft mode, that
60067 + is, PaX features will not be enforced by default, only on executables
60068 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
60069 + is the only way to mark executables for soft mode use.
60071 + Soft mode can be activated by using the "pax_softmode=1" kernel command
60072 + line option on boot. Furthermore you can control various PaX features
60073 + at runtime via the entries in /proc/sys/kernel/pax.
60076 + bool 'Use legacy ELF header marking'
60078 + Enabling this option will allow you to control PaX features on
60079 + a per executable basis via the 'chpax' utility available at
60080 + http://pax.grsecurity.net/. The control flags will be read from
60081 + an otherwise reserved part of the ELF header. This marking has
60082 + numerous drawbacks (no support for soft-mode, toolchain does not
60083 + know about the non-standard use of the ELF header) therefore it
60084 + has been deprecated in favour of PT_PAX_FLAGS support.
60086 + Note that if you enable PT_PAX_FLAGS marking support as well,
60087 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
60089 +config PAX_PT_PAX_FLAGS
60090 + bool 'Use ELF program header marking'
60092 + Enabling this option will allow you to control PaX features on
60093 + a per executable basis via the 'paxctl' utility available at
60094 + http://pax.grsecurity.net/. The control flags will be read from
60095 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
60096 + has the benefits of supporting both soft mode and being fully
60097 + integrated into the toolchain (the binutils patch is available
60098 + from http://pax.grsecurity.net).
60100 + If your toolchain does not support PT_PAX_FLAGS markings,
60101 + you can create one in most cases with 'paxctl -C'.
60103 + Note that if you enable the legacy EI_PAX marking support as well,
60104 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
60107 + prompt 'MAC system integration'
60108 + default PAX_HAVE_ACL_FLAGS
60110 + Mandatory Access Control systems have the option of controlling
60111 + PaX flags on a per executable basis, choose the method supported
60112 + by your particular system.
60114 + - "none": if your MAC system does not interact with PaX,
60115 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
60116 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
60118 + NOTE: this option is for developers/integrators only.
60120 + config PAX_NO_ACL_FLAGS
60123 + config PAX_HAVE_ACL_FLAGS
60126 + config PAX_HOOK_ACL_FLAGS
60132 +menu "Non-executable pages"
60136 + bool "Enforce non-executable pages"
60137 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
60139 + By design some architectures do not allow for protecting memory
60140 + pages against execution or even if they do, Linux does not make
60141 + use of this feature. In practice this means that if a page is
60142 + readable (such as the stack or heap) it is also executable.
60144 + There is a well known exploit technique that makes use of this
60145 + fact and a common programming mistake where an attacker can
60146 + introduce code of his choice somewhere in the attacked program's
60147 + memory (typically the stack or the heap) and then execute it.
60149 + If the attacked program was running with different (typically
60150 + higher) privileges than that of the attacker, then he can elevate
60151 + his own privilege level (e.g. get a root shell, write to files for
60152 + which he does not have write access to, etc).
60154 + Enabling this option will let you choose from various features
60155 + that prevent the injection and execution of 'foreign' code in
60158 + This will also break programs that rely on the old behaviour and
60159 + expect that dynamically allocated memory via the malloc() family
60160 + of functions is executable (which it is not). Notable examples
60161 + are the XFree86 4.x server, the java runtime and wine.
60163 +config PAX_PAGEEXEC
60164 + bool "Paging based non-executable pages"
60165 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
60166 + select S390_SWITCH_AMODE if S390
60167 + select S390_EXEC_PROTECT if S390
60168 + select ARCH_TRACK_EXEC_LIMIT if X86_32
60170 + This implementation is based on the paging feature of the CPU.
60171 + On i386 without hardware non-executable bit support there is a
60172 + variable but usually low performance impact, however on Intel's
60173 + P4 core based CPUs it is very high so you should not enable this
60174 + for kernels meant to be used on such CPUs.
60176 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
60177 + with hardware non-executable bit support there is no performance
60178 + impact, on ppc the impact is negligible.
60180 + Note that several architectures require various emulations due to
60181 + badly designed userland ABIs, this will cause a performance impact
60182 + but will disappear as soon as userland is fixed. For example, ppc
60183 + userland MUST have been built with secure-plt by a recent toolchain.
60185 +config PAX_SEGMEXEC
60186 + bool "Segmentation based non-executable pages"
60187 + depends on PAX_NOEXEC && X86_32
60189 + This implementation is based on the segmentation feature of the
60190 + CPU and has a very small performance impact, however applications
60191 + will be limited to a 1.5 GB address space instead of the normal
60194 +config PAX_EMUTRAMP
60195 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
60196 + default y if PARISC
60198 + There are some programs and libraries that for one reason or
60199 + another attempt to execute special small code snippets from
60200 + non-executable memory pages. Most notable examples are the
60201 + signal handler return code generated by the kernel itself and
60202 + the GCC trampolines.
60204 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
60205 + such programs will no longer work under your kernel.
60207 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
60208 + utilities to enable trampoline emulation for the affected programs
60209 + yet still have the protection provided by the non-executable pages.
60211 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
60212 + your system will not even boot.
60214 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
60215 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
60216 + for the affected files.
60218 + NOTE: enabling this feature *may* open up a loophole in the
60219 + protection provided by non-executable pages that an attacker
60220 + could abuse. Therefore the best solution is to not have any
60221 + files on your system that would require this option. This can
60222 + be achieved by not using libc5 (which relies on the kernel
60223 + signal handler return code) and not using or rewriting programs
60224 + that make use of the nested function implementation of GCC.
60225 + Skilled users can just fix GCC itself so that it implements
60226 + nested function calls in a way that does not interfere with PaX.
60228 +config PAX_EMUSIGRT
60229 + bool "Automatically emulate sigreturn trampolines"
60230 + depends on PAX_EMUTRAMP && PARISC
60233 + Enabling this option will have the kernel automatically detect
60234 + and emulate signal return trampolines executing on the stack
60235 + that would otherwise lead to task termination.
60237 + This solution is intended as a temporary one for users with
60238 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
60239 + Modula-3 runtime, etc) or executables linked to such, basically
60240 + everything that does not specify its own SA_RESTORER function in
60241 + normal executable memory like glibc 2.1+ does.
60243 + On parisc you MUST enable this option, otherwise your system will
60246 + NOTE: this feature cannot be disabled on a per executable basis
60247 + and since it *does* open up a loophole in the protection provided
60248 + by non-executable pages, the best solution is to not have any
60249 + files on your system that would require this option.
60251 +config PAX_MPROTECT
60252 + bool "Restrict mprotect()"
60253 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
60255 + Enabling this option will prevent programs from
60256 + - changing the executable status of memory pages that were
60257 + not originally created as executable,
60258 + - making read-only executable pages writable again,
60259 + - creating executable pages from anonymous memory,
60260 + - making read-only-after-relocations (RELRO) data pages writable again.
60262 + You should say Y here to complete the protection provided by
60263 + the enforcement of non-executable pages.
60265 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
60266 + this feature on a per file basis.
60268 +config PAX_MPROTECT_COMPAT
60269 + bool "Use legacy/compat protection demoting (read help)"
60270 + depends on PAX_MPROTECT
60273 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
60274 + by sending the proper error code to the application. For some broken
60275 + userland, this can cause problems with Python or other applications. The
60276 + current implementation however allows for applications like clamav to
60277 + detect if JIT compilation/execution is allowed and to fall back gracefully
60278 + to an interpreter-based mode if it does not. While we encourage everyone
60279 + to use the current implementation as-is and push upstream to fix broken
60280 + userland (note that the RWX logging option can assist with this), in some
60281 + environments this may not be possible. Having to disable MPROTECT
60282 + completely on certain binaries reduces the security benefit of PaX,
60283 + so this option is provided for those environments to revert to the old
60286 +config PAX_ELFRELOCS
60287 + bool "Allow ELF text relocations (read help)"
60288 + depends on PAX_MPROTECT
60291 + Non-executable pages and mprotect() restrictions are effective
60292 + in preventing the introduction of new executable code into an
60293 + attacked task's address space. There remain only two venues
60294 + for this kind of attack: if the attacker can execute already
60295 + existing code in the attacked task then he can either have it
60296 + create and mmap() a file containing his code or have it mmap()
60297 + an already existing ELF library that does not have position
60298 + independent code in it and use mprotect() on it to make it
60299 + writable and copy his code there. While protecting against
60300 + the former approach is beyond PaX, the latter can be prevented
60301 + by having only PIC ELF libraries on one's system (which do not
60302 + need to relocate their code). If you are sure this is your case,
60303 + as is the case with all modern Linux distributions, then leave
60304 + this option disabled. You should say 'n' here.
60306 +config PAX_ETEXECRELOCS
60307 + bool "Allow ELF ET_EXEC text relocations"
60308 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
60309 + select PAX_ELFRELOCS
60312 + On some architectures there are incorrectly created applications
60313 + that require text relocations and would not work without enabling
60314 + this option. If you are an alpha, ia64 or parisc user, you should
60315 + enable this option and disable it once you have made sure that
60316 + none of your applications need it.
60319 + bool "Automatically emulate ELF PLT"
60320 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
60323 + Enabling this option will have the kernel automatically detect
60324 + and emulate the Procedure Linkage Table entries in ELF files.
60325 + On some architectures such entries are in writable memory, and
60326 + become non-executable leading to task termination. Therefore
60327 + it is mandatory that you enable this option on alpha, parisc,
60328 + sparc and sparc64, otherwise your system would not even boot.
60330 + NOTE: this feature *does* open up a loophole in the protection
60331 + provided by the non-executable pages, therefore the proper
60332 + solution is to modify the toolchain to produce a PLT that does
60333 + not need to be writable.
60335 +config PAX_DLRESOLVE
60336 + bool 'Emulate old glibc resolver stub'
60337 + depends on PAX_EMUPLT && SPARC
60340 + This option is needed if userland has an old glibc (before 2.4)
60341 + that puts a 'save' instruction into the runtime generated resolver
60342 + stub that needs special emulation.
60344 +config PAX_KERNEXEC
60345 + bool "Enforce non-executable kernel pages"
60346 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
60347 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
60349 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
60350 + that is, enabling this option will make it harder to inject
60351 + and execute 'foreign' code in kernel memory itself.
60353 +config PAX_KERNEXEC_MODULE_TEXT
60354 + int "Minimum amount of memory reserved for module code"
60356 + depends on PAX_KERNEXEC && X86_32 && MODULES
60358 + Due to implementation details the kernel must reserve a fixed
60359 + amount of memory for module code at compile time that cannot be
60360 + changed at runtime. Here you can specify the minimum amount
60361 + in MB that will be reserved. Due to the same implementation
60362 + details this size will always be rounded up to the next 2/4 MB
60363 + boundary (depends on PAE) so the actually available memory for
60364 + module code will usually be more than this minimum.
60366 + The default 4 MB should be enough for most users but if you have
60367 + an excessive number of modules (e.g., most distribution configs
60368 + compile many drivers as modules) or use huge modules such as
60369 + nvidia's kernel driver, you will need to adjust this amount.
60370 + A good rule of thumb is to look at your currently loaded kernel
60371 + modules and add up their sizes.
60375 +menu "Address Space Layout Randomization"
60379 + bool "Address Space Layout Randomization"
60380 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
60382 + Many if not most exploit techniques rely on the knowledge of
60383 + certain addresses in the attacked program. The following options
60384 + will allow the kernel to apply a certain amount of randomization
60385 + to specific parts of the program thereby forcing an attacker to
60386 + guess them in most cases. Any failed guess will most likely crash
60387 + the attacked program which allows the kernel to detect such attempts
60388 + and react on them. PaX itself provides no reaction mechanisms,
60389 + instead it is strongly encouraged that you make use of Nergal's
60390 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
60391 + (http://www.grsecurity.net/) built-in crash detection features or
60392 + develop one yourself.
60394 + By saying Y here you can choose to randomize the following areas:
60395 + - top of the task's kernel stack
60396 + - top of the task's userland stack
60397 + - base address for mmap() requests that do not specify one
60398 + (this includes all libraries)
60399 + - base address of the main executable
60401 + It is strongly recommended to say Y here as address space layout
60402 + randomization has negligible impact on performance yet it provides
60403 + a very effective protection.
60405 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
60406 + this feature on a per file basis.
60408 +config PAX_RANDKSTACK
60409 + bool "Randomize kernel stack base"
60410 + depends on PAX_ASLR && X86_TSC && X86
60412 + By saying Y here the kernel will randomize every task's kernel
60413 + stack on every system call. This will not only force an attacker
60414 + to guess it but also prevent him from making use of possible
60415 + leaked information about it.
60417 + Since the kernel stack is a rather scarce resource, randomization
60418 + may cause unexpected stack overflows, therefore you should very
60419 + carefully test your system. Note that once enabled in the kernel
60420 + configuration, this feature cannot be disabled on a per file basis.
60422 +config PAX_RANDUSTACK
60423 + bool "Randomize user stack base"
60424 + depends on PAX_ASLR
60426 + By saying Y here the kernel will randomize every task's userland
60427 + stack. The randomization is done in two steps where the second
60428 + one may apply a big amount of shift to the top of the stack and
60429 + cause problems for programs that want to use lots of memory (more
60430 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
60431 + For this reason the second step can be controlled by 'chpax' or
60432 + 'paxctl' on a per file basis.
60434 +config PAX_RANDMMAP
60435 + bool "Randomize mmap() base"
60436 + depends on PAX_ASLR
60438 + By saying Y here the kernel will use a randomized base address for
60439 + mmap() requests that do not specify one themselves. As a result
60440 + all dynamically loaded libraries will appear at random addresses
60441 + and therefore be harder to exploit by a technique where an attacker
60442 + attempts to execute library code for his purposes (e.g. spawn a
60443 + shell from an exploited program that is running at an elevated
60444 + privilege level).
60446 + Furthermore, if a program is relinked as a dynamic ELF file, its
60447 + base address will be randomized as well, completing the full
60448 + randomization of the address space layout. Attacking such programs
60449 + becomes a guess game. You can find an example of doing this at
60450 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
60451 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
60453 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
60454 + feature on a per file basis.
60458 +menu "Miscellaneous hardening features"
60460 +config PAX_MEMORY_SANITIZE
60461 + bool "Sanitize all freed memory"
60463 + By saying Y here the kernel will erase memory pages as soon as they
60464 + are freed. This in turn reduces the lifetime of data stored in the
60465 + pages, making it less likely that sensitive information such as
60466 + passwords, cryptographic secrets, etc stay in memory for too long.
60468 + This is especially useful for programs whose runtime is short, long
60469 + lived processes and the kernel itself benefit from this as long as
60470 + they operate on whole memory pages and ensure timely freeing of pages
60471 + that may hold sensitive information.
60473 + The tradeoff is performance impact, on a single CPU system kernel
60474 + compilation sees a 3% slowdown, other systems and workloads may vary
60475 + and you are advised to test this feature on your expected workload
60476 + before deploying it.
60478 + Note that this feature does not protect data stored in live pages,
60479 + e.g., process memory swapped to disk may stay there for a long time.
60481 +config PAX_MEMORY_UDEREF
60482 + bool "Prevent invalid userland pointer dereference"
60483 + depends on X86 && !UML_X86 && !XEN
60484 + select PAX_PER_CPU_PGD if X86_64
60486 + By saying Y here the kernel will be prevented from dereferencing
60487 + userland pointers in contexts where the kernel expects only kernel
60488 + pointers. This is both a useful runtime debugging feature and a
60489 + security measure that prevents exploiting a class of kernel bugs.
60491 + The tradeoff is that some virtualization solutions may experience
60492 + a huge slowdown and therefore you should not enable this feature
60493 + for kernels meant to run in such environments. Whether a given VM
60494 + solution is affected or not is best determined by simply trying it
60495 + out, the performance impact will be obvious right on boot as this
60496 + mechanism engages from very early on. A good rule of thumb is that
60497 + VMs running on CPUs without hardware virtualization support (i.e.,
60498 + the majority of IA-32 CPUs) will likely experience the slowdown.
60500 +config PAX_REFCOUNT
60501 + bool "Prevent various kernel object reference counter overflows"
60502 + depends on GRKERNSEC && (X86 || SPARC64)
60504 + By saying Y here the kernel will detect and prevent overflowing
60505 + various (but not all) kinds of object reference counters. Such
60506 + overflows can normally occur due to bugs only and are often, if
60507 + not always, exploitable.
60509 + The tradeoff is that data structures protected by an overflowed
60510 + refcount will never be freed and therefore will leak memory. Note
60511 + that this leak also happens even without this protection but in
60512 + that case the overflow can eventually trigger the freeing of the
60513 + data structure while it is still being used elsewhere, resulting
60514 + in the exploitable situation that this feature prevents.
60516 + Since this has a negligible performance impact, you should enable
60519 +config PAX_USERCOPY
60520 + bool "Harden heap object copies between kernel and userland"
60521 + depends on X86 || PPC || SPARC
60522 + depends on GRKERNSEC && (SLAB || SLUB)
60524 + By saying Y here the kernel will enforce the size of heap objects
60525 + when they are copied in either direction between the kernel and
60526 + userland, even if only a part of the heap object is copied.
60528 + Specifically, this checking prevents information leaking from the
60529 + kernel heap during kernel to userland copies (if the kernel heap
60530 + object is otherwise fully initialized) and prevents kernel heap
60531 + overflows during userland to kernel copies.
60533 + Note that the current implementation provides the strictest bounds
60534 + checks for the SLUB allocator.
60536 + Enabling this option also enables per-slab cache protection against
60537 + data in a given cache being copied into/out of via userland
60538 + accessors. Though the whitelist of regions will be reduced over
60539 + time, it notably protects important data structures like task structs.
60541 + If frame pointers are enabled on x86, this option will also restrict
60542 + copies into and out of the kernel stack to local variables within a
60545 + Since this has a negligible performance impact, you should enable
60553 bool "Enable access key retention support"
60555 @@ -167,7 +688,7 @@ config INTEL_TXT
60556 config LSM_MMAP_MIN_ADDR
60557 int "Low address space for LSM to protect from user allocation"
60558 depends on SECURITY && SECURITY_SELINUX
60562 This is the portion of low virtual memory which should be protected
60563 from userspace allocation. Keeping a user from writing to low pages
60564 diff -urNp linux-2.6.38.4/security/keys/keyring.c linux-2.6.38.4/security/keys/keyring.c
60565 --- linux-2.6.38.4/security/keys/keyring.c 2011-03-14 21:20:32.000000000 -0400
60566 +++ linux-2.6.38.4/security/keys/keyring.c 2011-04-18 22:03:12.000000000 -0400
60567 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
60570 for (loop = 0; loop < klist->nkeys; loop++) {
60571 + key_serial_t serial;
60572 key = klist->keys[loop];
60573 + serial = key->serial;
60575 tmp = sizeof(key_serial_t);
60579 - if (copy_to_user(buffer,
60582 + if (copy_to_user(buffer, &serial, tmp))
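Review bot: The bounce through the local `serial` in keyring_read() carries no comment saying why `&key->serial` can no longer be passed to copy_to_user() directly, so the next cleanup pass will fold it straight back. Presumably the reason is the hardened user-copy check added by this patch (the PAX_USERCOPY help text in the Kconfig hunk describes per-slab-cache whitelisting of userland copies), and a one-line note would preserve that: `/* bounce via the stack: key objects are not whitelisted for userland copies */`. Dropping the `!= 0` on the copy_to_user() test is harmless. keyring_read() itself begins and ends outside this hunk.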
60586 diff -urNp linux-2.6.38.4/security/min_addr.c linux-2.6.38.4/security/min_addr.c
60587 --- linux-2.6.38.4/security/min_addr.c 2011-03-14 21:20:32.000000000 -0400
60588 +++ linux-2.6.38.4/security/min_addr.c 2011-04-17 15:57:33.000000000 -0400
60589 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
60591 static void update_mmap_min_addr(void)
60594 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
60595 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
60596 mmap_min_addr = dac_mmap_min_addr;
60597 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
60599 mmap_min_addr = dac_mmap_min_addr;
60605 diff -urNp linux-2.6.38.4/security/security.c linux-2.6.38.4/security/security.c
60606 --- linux-2.6.38.4/security/security.c 2011-03-14 21:20:32.000000000 -0400
60607 +++ linux-2.6.38.4/security/security.c 2011-04-17 15:57:33.000000000 -0400
60608 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
60609 /* things that live in capability.c */
60610 extern void __init security_fixup_ops(struct security_operations *ops);
60612 -static struct security_operations *security_ops;
60613 -static struct security_operations default_security_ops = {
60614 +static struct security_operations *security_ops __read_only;
60615 +static struct security_operations default_security_ops __read_only = {
60619 @@ -67,7 +67,9 @@ int __init security_init(void)
60621 void reset_security_ops(void)
60623 + pax_open_kernel();
60624 security_ops = &default_security_ops;
60625 + pax_close_kernel();
60628 /* Save user chosen LSM */
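Review bot: The new pax_open_kernel()/pax_close_kernel() pair around the store in reset_security_ops() needs a comment, because the reason is not local to the function and the other assignments to `security_ops` get no such bracket. Presumably `security_ops` now sits in read-only data (the `__read_only` annotation in the previous hunk) and the writes in security_init() and register_security(), both outside this hunk, run from `__init` context before that protection is armed, whereas reset_security_ops() can be called at runtime; if so, say it: `/* security_ops is __read_only; non-__init writers must open the kernel window */`. Any future non-`__init` store to `security_ops` or `default_security_ops` without the bracket will fault, so the comment doubles as the guard against that.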
60629 diff -urNp linux-2.6.38.4/security/selinux/hooks.c linux-2.6.38.4/security/selinux/hooks.c
60630 --- linux-2.6.38.4/security/selinux/hooks.c 2011-03-14 21:20:32.000000000 -0400
60631 +++ linux-2.6.38.4/security/selinux/hooks.c 2011-04-17 15:57:33.000000000 -0400
60633 #define NUM_SEL_MNT_OPTS 5
60635 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
60636 -extern struct security_operations *security_ops;
60638 /* SECMARK reference count */
60639 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
60640 @@ -5395,7 +5394,7 @@ static int selinux_key_getsecurity(struc
60644 -static struct security_operations selinux_ops = {
60645 +static struct security_operations selinux_ops __read_only = {
60648 .ptrace_access_check = selinux_ptrace_access_check,
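Review bot: Marking `selinux_ops` `__read_only` depends on every write to the table happening before the section is protected; the writer I am aware of, security_fixup_ops() filling in NULL hooks during register_security(), is `__init` and lies outside this hunk, so the assumption is plausible but undocumented. A short note above the definition, e.g. `/* __read_only: only filled in by __init security_fixup_ops() */`, would make the constraint visible to anyone who later tries to swap a hook at runtime. The `__read_only` attribute itself is defined elsewhere in this patch.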
60649 diff -urNp linux-2.6.38.4/security/smack/smack_lsm.c linux-2.6.38.4/security/smack/smack_lsm.c
60650 --- linux-2.6.38.4/security/smack/smack_lsm.c 2011-03-14 21:20:32.000000000 -0400
60651 +++ linux-2.6.38.4/security/smack/smack_lsm.c 2011-04-17 15:57:33.000000000 -0400
60652 @@ -3179,7 +3179,7 @@ static int smack_inode_getsecctx(struct
60656 -struct security_operations smack_ops = {
60657 +struct security_operations smack_ops __read_only = {
60660 .ptrace_access_check = smack_ptrace_access_check,
60661 diff -urNp linux-2.6.38.4/security/tomoyo/tomoyo.c linux-2.6.38.4/security/tomoyo/tomoyo.c
60662 --- linux-2.6.38.4/security/tomoyo/tomoyo.c 2011-03-14 21:20:32.000000000 -0400
60663 +++ linux-2.6.38.4/security/tomoyo/tomoyo.c 2011-04-17 15:57:33.000000000 -0400
60664 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
60665 * tomoyo_security_ops is a "struct security_operations" which is used for
60666 * registering TOMOYO.
60668 -static struct security_operations tomoyo_security_ops = {
60669 +static struct security_operations tomoyo_security_ops __read_only = {
60671 .cred_alloc_blank = tomoyo_cred_alloc_blank,
60672 .cred_prepare = tomoyo_cred_prepare,
60673 diff -urNp linux-2.6.38.4/sound/aoa/codecs/onyx.c linux-2.6.38.4/sound/aoa/codecs/onyx.c
60674 --- linux-2.6.38.4/sound/aoa/codecs/onyx.c 2011-03-14 21:20:32.000000000 -0400
60675 +++ linux-2.6.38.4/sound/aoa/codecs/onyx.c 2011-04-17 15:57:33.000000000 -0400
60676 @@ -54,7 +54,7 @@ struct onyx {
60681 + local_t open_count;
60682 struct codec_info *codec_info;
60684 /* mutex serializes concurrent access to the device
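Review bot: The switch of `open_count` to `local_t` in struct onyx is unexplained, and `local_t` is documented as a per-CPU counter type, while this field is shared between openers and serialized by `onyx->mutex` in the open/close hunks below; a reader will assume the type was chosen for lock-free use. If the intent is to bring the counter under the reference-counter overflow instrumentation this patch adds (PAX_REFCOUNT in the Kconfig hunk), say so next to the field: `/* local_t for overflow checking only; still touched only under ->mutex */`. The removed declaration line is not shown on this page, so the previous type is inferred from the `++`/`--` in the following hunks.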
60685 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
60686 struct onyx *onyx = cii->codec_data;
60688 mutex_lock(&onyx->mutex);
60689 - onyx->open_count++;
60690 + local_inc(&onyx->open_count);
60691 mutex_unlock(&onyx->mutex);
60694 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
60695 struct onyx *onyx = cii->codec_data;
60697 mutex_lock(&onyx->mutex);
60698 - onyx->open_count--;
60699 - if (!onyx->open_count)
60700 + if (local_dec_and_test(&onyx->open_count))
60701 onyx->spdif_locked = onyx->analog_locked = 0;
60702 mutex_unlock(&onyx->mutex);
60704 diff -urNp linux-2.6.38.4/sound/aoa/codecs/onyx.h linux-2.6.38.4/sound/aoa/codecs/onyx.h
60705 --- linux-2.6.38.4/sound/aoa/codecs/onyx.h 2011-03-14 21:20:32.000000000 -0400
60706 +++ linux-2.6.38.4/sound/aoa/codecs/onyx.h 2011-04-17 15:57:33.000000000 -0400
60708 #include <linux/i2c.h>
60709 #include <asm/pmac_low_i2c.h>
60710 #include <asm/prom.h>
60711 +#include <asm/local.h>
60713 /* PCM3052 register definitions */
60715 diff -urNp linux-2.6.38.4/sound/core/oss/pcm_oss.c linux-2.6.38.4/sound/core/oss/pcm_oss.c
60716 --- linux-2.6.38.4/sound/core/oss/pcm_oss.c 2011-03-14 21:20:32.000000000 -0400
60717 +++ linux-2.6.38.4/sound/core/oss/pcm_oss.c 2011-04-17 15:57:33.000000000 -0400
60718 @@ -2971,8 +2971,8 @@ static void snd_pcm_oss_proc_done(struct
60721 #else /* !CONFIG_SND_VERBOSE_PROCFS */
60722 -#define snd_pcm_oss_proc_init(pcm)
60723 -#define snd_pcm_oss_proc_done(pcm)
60724 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
60725 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
60726 #endif /* CONFIG_SND_VERBOSE_PROCFS */
60729 diff -urNp linux-2.6.38.4/sound/core/seq/seq_lock.h linux-2.6.38.4/sound/core/seq/seq_lock.h
60730 --- linux-2.6.38.4/sound/core/seq/seq_lock.h 2011-03-14 21:20:32.000000000 -0400
60731 +++ linux-2.6.38.4/sound/core/seq/seq_lock.h 2011-04-17 15:57:33.000000000 -0400
60732 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
60733 #else /* SMP || CONFIG_SND_DEBUG */
60735 typedef spinlock_t snd_use_lock_t; /* dummy */
60736 -#define snd_use_lock_init(lockp) /**/
60737 -#define snd_use_lock_use(lockp) /**/
60738 -#define snd_use_lock_free(lockp) /**/
60739 -#define snd_use_lock_sync(lockp) /**/
60740 +#define snd_use_lock_init(lockp) do {} while (0)
60741 +#define snd_use_lock_use(lockp) do {} while (0)
60742 +#define snd_use_lock_free(lockp) do {} while (0)
60743 +#define snd_use_lock_sync(lockp) do {} while (0)
60745 #endif /* SMP || CONFIG_SND_DEBUG */
60747 diff -urNp linux-2.6.38.4/sound/drivers/mts64.c linux-2.6.38.4/sound/drivers/mts64.c
60748 --- linux-2.6.38.4/sound/drivers/mts64.c 2011-03-14 21:20:32.000000000 -0400
60749 +++ linux-2.6.38.4/sound/drivers/mts64.c 2011-04-17 15:57:33.000000000 -0400
60751 #include <sound/initval.h>
60752 #include <sound/rawmidi.h>
60753 #include <sound/control.h>
60754 +#include <asm/local.h>
60756 #define CARD_NAME "Miditerminal 4140"
60757 #define DRIVER_NAME "MTS64"
60758 @@ -66,7 +67,7 @@ struct mts64 {
60759 struct pardevice *pardev;
60760 int pardev_claimed;
60763 + local_t open_count;
60764 int current_midi_output_port;
60765 int current_midi_input_port;
60766 u8 mode[MTS64_NUM_INPUT_PORTS];
60767 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
60769 struct mts64 *mts = substream->rmidi->private_data;
60771 - if (mts->open_count == 0) {
60772 + if (local_read(&mts->open_count) == 0) {
60773 /* We don't need a spinlock here, because this is just called
60774 if the device has not been opened before.
60775 So there aren't any IRQs from the device */
60776 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
60780 - ++(mts->open_count);
60781 + local_inc(&mts->open_count);
60785 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
60786 struct mts64 *mts = substream->rmidi->private_data;
60787 unsigned long flags;
60789 - --(mts->open_count);
60790 - if (mts->open_count == 0) {
60791 + if (local_dec_return(&mts->open_count) == 0) {
60792 /* We need the spinlock_irqsave here because we can still
60793 have IRQs at this point */
60794 spin_lock_irqsave(&mts->lock, flags);
60795 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
60799 - } else if (mts->open_count < 0)
60800 - mts->open_count = 0;
60801 + } else if (local_read(&mts->open_count) < 0)
60802 + local_set(&mts->open_count, 0);
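Review bot: The `else if` in snd_mts64_rawmidi_close() re-reads the counter with `local_read()` instead of using the value that `local_dec_return()` already returned in the `if` of the preceding hunk, so if opens and closes can overlap at all the two tests may see different values and the `< 0` reset can act on a stale read. Capture the result once: `int remaining = local_dec_return(&mts->open_count);` then `if (remaining == 0) {` and `} else if (remaining < 0)`. The negative-count reset papers over an unbalanced close rather than fixing it; a `WARN_ON_ONCE(remaining < 0)` in that branch would make such a bug visible. The function starts in the previous hunk and its end is outside this one.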
60806 diff -urNp linux-2.6.38.4/sound/drivers/portman2x4.c linux-2.6.38.4/sound/drivers/portman2x4.c
60807 --- linux-2.6.38.4/sound/drivers/portman2x4.c 2011-03-14 21:20:32.000000000 -0400
60808 +++ linux-2.6.38.4/sound/drivers/portman2x4.c 2011-04-17 15:57:33.000000000 -0400
60810 #include <sound/initval.h>
60811 #include <sound/rawmidi.h>
60812 #include <sound/control.h>
60813 +#include <asm/local.h>
60815 #define CARD_NAME "Portman 2x4"
60816 #define DRIVER_NAME "portman"
60817 @@ -84,7 +85,7 @@ struct portman {
60818 struct pardevice *pardev;
60819 int pardev_claimed;
60822 + local_t open_count;
60823 int mode[PORTMAN_NUM_INPUT_PORTS];
60824 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
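Review bot: Nothing else in this file's diff touches `open_count` — the only two hunks are the `asm/local.h` include and this field — so unless a reader or writer of `portman->open_count` exists in code not changed here, the type swap retypes a field that is never used. If that is the case, removing the field is the cleaner change; if it is used, those users need the same `local_*` conversion that mts64.c received in order to compile. The rest of portman2x4.c is not visible from here, so please confirm which it is.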
60826 diff -urNp linux-2.6.38.4/sound/oss/sb_audio.c linux-2.6.38.4/sound/oss/sb_audio.c
60827 --- linux-2.6.38.4/sound/oss/sb_audio.c 2011-03-14 21:20:32.000000000 -0400
60828 +++ linux-2.6.38.4/sound/oss/sb_audio.c 2011-04-17 15:57:33.000000000 -0400
60829 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
60830 buf16 = (signed short *)(localbuf + localoffs);
60833 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
60834 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
60835 if (copy_from_user(lbuf8,
60836 userbuf+useroffs + p,
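Review bot: The `(unsigned)c` cast in sb16_copy_from_user() turns a negative `c` into a huge value so that `locallen` is clamped to LBUFCOPYSIZE instead of going negative, but that silently copies LBUFCOPYSIZE bytes of user data for a count that should have been rejected. If `c` can be negative at all (it is computed outside this hunk), check it once before the loop, `if (c < 0) return;` or whatever this function's error convention is, rather than masking it inside the size computation; if it cannot be negative, a comment saying why the cast is there would spare the next reader the same question. The function begins and ends outside this hunk.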
60838 diff -urNp linux-2.6.38.4/sound/oss/swarm_cs4297a.c linux-2.6.38.4/sound/oss/swarm_cs4297a.c
60839 --- linux-2.6.38.4/sound/oss/swarm_cs4297a.c 2011-03-14 21:20:32.000000000 -0400
60840 +++ linux-2.6.38.4/sound/oss/swarm_cs4297a.c 2011-04-17 15:57:33.000000000 -0400
60841 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
60843 struct cs4297a_state *s;
60847 #ifndef CONFIG_BCM_CS4297A_CSWARM
60849 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
60851 char *sb1250_duart_present;
60858 val = SOUND_MASK_LINE;
60859 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
60860 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
60861 val = initvol[i].vol;
60862 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
60865 // cs4297a_write_ac97(s, 0x18, 0x0808);
60867 // cs4297a_write_ac97(s, 0x5e, 0x180);
60868 cs4297a_write_ac97(s, 0x02, 0x0808);
60869 cs4297a_write_ac97(s, 0x18, 0x0808);
60873 list_add(&s->list, &cs4297a_devs);
60875 diff -urNp linux-2.6.38.4/sound/pci/ac97/ac97_patch.c linux-2.6.38.4/sound/pci/ac97/ac97_patch.c
60876 --- linux-2.6.38.4/sound/pci/ac97/ac97_patch.c 2011-03-14 21:20:32.000000000 -0400
60877 +++ linux-2.6.38.4/sound/pci/ac97/ac97_patch.c 2011-04-17 15:57:33.000000000 -0400
60878 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
60879 { AC97_VIDEO, 0x9f1f },
60880 { AC97_AUX, 0x9f1f },
60881 { AC97_PCM, 0x9f1f },
60882 - { } /* terminator */
60883 + { 0, 0 } /* terminator */
60886 static int patch_ad1819(struct snd_ac97 * ac97)
60887 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
60888 { AC97_AUX, 0x1f1f },
60889 { AC97_PCM, 0x1f1f },
60890 { AC97_REC_GAIN, 0x0f0f },
60891 - { } /* terminator */
60892 + { 0, 0 } /* terminator */
60895 static int patch_lm4550(struct snd_ac97 *ac97)
60896 diff -urNp linux-2.6.38.4/sound/pci/ens1370.c linux-2.6.38.4/sound/pci/ens1370.c
60897 --- linux-2.6.38.4/sound/pci/ens1370.c 2011-04-18 17:27:18.000000000 -0400
60898 +++ linux-2.6.38.4/sound/pci/ens1370.c 2011-04-17 16:54:08.000000000 -0400
60899 @@ -453,7 +453,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
60900 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
60901 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
60904 + { 0, 0, 0, 0, 0, 0, 0 }
60907 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
60908 diff -urNp linux-2.6.38.4/sound/pci/hda/patch_hdmi.c linux-2.6.38.4/sound/pci/hda/patch_hdmi.c
60909 --- linux-2.6.38.4/sound/pci/hda/patch_hdmi.c 2011-04-18 17:27:18.000000000 -0400
60910 +++ linux-2.6.38.4/sound/pci/hda/patch_hdmi.c 2011-04-17 16:54:08.000000000 -0400
60911 @@ -733,10 +733,10 @@ static void hdmi_non_intrinsic_event(str
60926 diff -urNp linux-2.6.38.4/sound/pci/intel8x0.c linux-2.6.38.4/sound/pci/intel8x0.c
60927 --- linux-2.6.38.4/sound/pci/intel8x0.c 2011-03-14 21:20:32.000000000 -0400
60928 +++ linux-2.6.38.4/sound/pci/intel8x0.c 2011-04-17 15:57:33.000000000 -0400
60929 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
60930 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
60931 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
60932 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
60934 + { 0, 0, 0, 0, 0, 0, 0 }
60937 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
60938 @@ -2141,7 +2141,7 @@ static struct ac97_quirk ac97_quirks[] _
60939 .type = AC97_TUNE_HP_ONLY
60942 - { } /* terminator */
60943 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
60946 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
60947 diff -urNp linux-2.6.38.4/sound/pci/intel8x0m.c linux-2.6.38.4/sound/pci/intel8x0m.c
60948 --- linux-2.6.38.4/sound/pci/intel8x0m.c 2011-03-14 21:20:32.000000000 -0400
60949 +++ linux-2.6.38.4/sound/pci/intel8x0m.c 2011-04-17 15:57:33.000000000 -0400
60950 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
60951 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
60952 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
60955 + { 0, 0, 0, 0, 0, 0, 0 }
60958 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
60959 @@ -1264,7 +1264,7 @@ static struct shortname_table {
60960 { 0x5455, "ALi M5455" },
60961 { 0x746d, "AMD AMD8111" },
60967 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
60968 diff -urNp linux-2.6.38.4/usr/gen_init_cpio.c linux-2.6.38.4/usr/gen_init_cpio.c
60969 --- linux-2.6.38.4/usr/gen_init_cpio.c 2011-03-14 21:20:32.000000000 -0400
60970 +++ linux-2.6.38.4/usr/gen_init_cpio.c 2011-04-17 15:57:33.000000000 -0400
60971 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
60980 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
60981 *env_var = *expanded = '\0';
60982 strncat(env_var, start + 2, end - start - 2);
60983 strncat(expanded, new_location, start - new_location);
60984 - strncat(expanded, getenv(env_var), PATH_MAX);
60985 - strncat(expanded, end + 1, PATH_MAX);
60986 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
60987 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
60988 strncpy(new_location, expanded, PATH_MAX);
60989 + new_location[PATH_MAX] = 0;
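Review bot: The rewritten `strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded))` still passes the getenv() result straight to strncat(), and getenv() returns NULL for an unset variable, which is undefined behaviour and a crash in practice; since the line is being rewritten anyway, go through a checked pointer: `const char *val = getenv(env_var);` followed by `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. The `PATH_MAX - strlen()` bound and the `new_location[PATH_MAX] = 0` terminator are only in bounds if both `expanded` and `new_location` are declared `[PATH_MAX + 1]`; those declarations are outside this hunk, so please confirm. cpio_replace_env() starts outside this hunk.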
60993 diff -urNp linux-2.6.38.4/virt/kvm/kvm_main.c linux-2.6.38.4/virt/kvm/kvm_main.c
60994 --- linux-2.6.38.4/virt/kvm/kvm_main.c 2011-03-14 21:20:32.000000000 -0400
60995 +++ linux-2.6.38.4/virt/kvm/kvm_main.c 2011-04-17 15:57:33.000000000 -0400
60996 @@ -1521,7 +1521,7 @@ static int kvm_vcpu_release(struct inode
61000 -static struct file_operations kvm_vcpu_fops = {
61001 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
61002 .release = kvm_vcpu_release,
61003 .unlocked_ioctl = kvm_vcpu_ioctl,
61004 .compat_ioctl = kvm_vcpu_ioctl,
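Review bot: `/* cannot be const */` on `kvm_vcpu_fops` records the conclusion but not the reason, which is exactly what the next person constifying file_operations tables will need. Presumably some code writes a field of the table at runtime — kvm_init() setting `.owner` from its `module` argument would be the usual culprit, but that code is outside this hunk — and if so the comment should name it: `/* cannot be const: kvm_init() writes .owner at runtime */`. The same applies to the identical comments on `kvm_vm_fops` and `kvm_chardev_ops` in the following hunks.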
61005 @@ -1990,7 +1990,7 @@ static int kvm_vm_mmap(struct file *file
61009 -static struct file_operations kvm_vm_fops = {
61010 +static struct file_operations kvm_vm_fops = { /* cannot be const */
61011 .release = kvm_vm_release,
61012 .unlocked_ioctl = kvm_vm_ioctl,
61013 #ifdef CONFIG_COMPAT
61014 @@ -2088,7 +2088,7 @@ out:
61018 -static struct file_operations kvm_chardev_ops = {
61019 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
61020 .unlocked_ioctl = kvm_dev_ioctl,
61021 .compat_ioctl = kvm_dev_ioctl,
61022 .llseek = noop_llseek,
61023 @@ -2098,6 +2098,9 @@ static struct miscdevice kvm_dev = {
61032 static void hardware_enable_nolock(void *junk)
61033 @@ -2443,7 +2446,7 @@ static void kvm_sched_out(struct preempt
61034 kvm_arch_vcpu_put(vcpu);
61037 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
61038 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
61039 struct module *module)