1 diff -urNp linux-3.0.9/arch/alpha/include/asm/elf.h linux-3.0.9/arch/alpha/include/asm/elf.h
2 --- linux-3.0.9/arch/alpha/include/asm/elf.h    2011-11-11 13:12:24.000000000 -0500
3 +++ linux-3.0.9/arch/alpha/include/asm/elf.h    2011-11-15 20:02:59.000000000 -0500
4 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
5  
6  #define ELF_ET_DYN_BASE                (TASK_UNMAPPED_BASE + 0x1000000)
7  
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE    (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
10 +
11 +#define PAX_DELTA_MMAP_LEN     (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN    (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
13 +#endif
14 +
15  /* $0 is set by ld.so to a pointer to a function which might be 
16     registered using atexit.  This provides a mean for the dynamic
17     linker to call DT_FINI functions for shared libraries that have
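Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are bare numbers (14/28 and 14/19) with no comment giving their unit, so the per-architecture values cannot be compared by a reader of this header. The arm mmap.c hunk further down describes its own randomisation in "bits of randomness"; if these macros are likewise bit counts, a comment such as `/* random bits applied to the mmap/stack base; 32-bit personalities get fewer */` above the block would say so. Confirm the unit against the consumer of these macros, which is outside this chunk, before wording it that way.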
18 diff -urNp linux-3.0.9/arch/alpha/include/asm/pgtable.h linux-3.0.9/arch/alpha/include/asm/pgtable.h
19 --- linux-3.0.9/arch/alpha/include/asm/pgtable.h        2011-11-11 13:12:24.000000000 -0500
20 +++ linux-3.0.9/arch/alpha/include/asm/pgtable.h        2011-11-15 20:02:59.000000000 -0500
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22  #define PAGE_SHARED    __pgprot(_PAGE_VALID | __ACCESS_BITS)
23  #define PAGE_COPY      __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24  #define PAGE_READONLY  __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25 +
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC    __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC      __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30 +#else
31 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC      PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
34 +#endif
35 +
36  #define PAGE_KERNEL    __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37  
38  #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-3.0.9/arch/alpha/kernel/module.c linux-3.0.9/arch/alpha/kernel/module.c
40 --- linux-3.0.9/arch/alpha/kernel/module.c      2011-11-11 13:12:24.000000000 -0500
41 +++ linux-3.0.9/arch/alpha/kernel/module.c      2011-11-15 20:02:59.000000000 -0500
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, 
43  
44         /* The small sections were sorted to the end of the segment.
45            The following should definitely cover them.  */
46 -       gp = (u64)me->module_core + me->core_size - 0x8000;
47 +       gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48         got = sechdrs[me->arch.gotsecindex].sh_addr;
49  
50         for (i = 0; i < n; i++) {
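Review bot: The comment kept above the changed line still says "the small sections were sorted to the end of the segment", but the segment is now the RW core (`module_core_rw` / `core_size_rw`), fields introduced outside this chunk. If the patch splits the module core into RX and RW halves, the comment should state which half the small sections are laid out in and why gp is derived from it, e.g. `/* Small sections end up at the end of the RW core, so gp is based on module_core_rw. */`, since the 0x8000 bias only works if they really are at the end of that half. apply_relocate_add starts and ends outside the hunk.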
51 diff -urNp linux-3.0.9/arch/alpha/kernel/osf_sys.c linux-3.0.9/arch/alpha/kernel/osf_sys.c
52 --- linux-3.0.9/arch/alpha/kernel/osf_sys.c     2011-11-11 13:12:24.000000000 -0500
53 +++ linux-3.0.9/arch/alpha/kernel/osf_sys.c     2011-11-15 20:02:59.000000000 -0500
54 @@ -1145,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
55                 /* At this point:  (!vma || addr < vma->vm_end). */
56                 if (limit - len < addr)
57                         return -ENOMEM;
58 -               if (!vma || addr + len <= vma->vm_start)
59 +               if (check_heap_stack_gap(vma, addr, len))
60                         return addr;
61                 addr = vma->vm_end;
62                 vma = vma->vm_next;
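Review bot: The loop dereferences `vma->vm_end` on the line right after the new `check_heap_stack_gap(vma, addr, len)` test, so the helper must return true for a NULL vma exactly as the removed `!vma ||` did; its definition is not in this chunk, so that contract deserves a comment where it is defined, e.g. `/* a NULL vma (end of list) counts as a free gap: callers dereference vma when this returns false */`. The same replacement is made in the arch/arm/mm/mmap.c and arch/frv/mm/elf-fdpic.c hunks below, where the surrounding code likewise reads `vma->vm_start` or `vma->vm_end` afterwards. arch_get_unmapped_area_1 starts and ends outside the hunk.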
63 @@ -1181,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
64            merely specific addresses, but regions of memory -- perhaps
65            this feature should be incorporated into all ports?  */
66  
67 +#ifdef CONFIG_PAX_RANDMMAP
68 +       if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
69 +#endif
70 +
71         if (addr) {
72                 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
73                 if (addr != (unsigned long) -ENOMEM)
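Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block leaves an unbraced `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) {` block that follows after a blank line and the `#endif`; anything inserted between the two later silently changes what the guard applies to, and the blank line makes the binding easy to miss. A comment on the guard, `/* with RANDMMAP the caller's hint is ignored: this if() governs the whole if (addr) block below */`, would make the intent explicit. The same construct appears in the arch/arm/mm/mmap.c hunk below. arch_get_unmapped_area continues outside the hunk.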
74 @@ -1188,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
75         }
76  
77         /* Next, try allocating at TASK_UNMAPPED_BASE.  */
78 -       addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
79 -                                        len, limit);
80 +       addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
81 +
82         if (addr != (unsigned long) -ENOMEM)
83                 return addr;
84  
85 diff -urNp linux-3.0.9/arch/alpha/mm/fault.c linux-3.0.9/arch/alpha/mm/fault.c
86 --- linux-3.0.9/arch/alpha/mm/fault.c   2011-11-11 13:12:24.000000000 -0500
87 +++ linux-3.0.9/arch/alpha/mm/fault.c   2011-11-15 20:02:59.000000000 -0500
88 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
89         __reload_thread(pcb);
90  }
91  
92 +#ifdef CONFIG_PAX_PAGEEXEC
93 +/*
94 + * PaX: decide what to do with offenders (regs->pc = fault address)
95 + *
96 + * returns 1 when task should be killed
97 + *         2 when patched PLT trampoline was detected
98 + *         3 when unpatched PLT trampoline was detected
99 + */
100 +static int pax_handle_fetch_fault(struct pt_regs *regs)
101 +{
102 +
103 +#ifdef CONFIG_PAX_EMUPLT
104 +       int err;
105 +
106 +       do { /* PaX: patched PLT emulation #1 */
107 +               unsigned int ldah, ldq, jmp;
108 +
109 +               err = get_user(ldah, (unsigned int *)regs->pc);
110 +               err |= get_user(ldq, (unsigned int *)(regs->pc+4));
111 +               err |= get_user(jmp, (unsigned int *)(regs->pc+8));
112 +
113 +               if (err)
114 +                       break;
115 +
116 +               if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
117 +                   (ldq & 0xFFFF0000U) == 0xA77B0000U &&
118 +                   jmp == 0x6BFB0000U)
119 +               {
120 +                       unsigned long r27, addr;
121 +                       unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
122 +                       unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
123 +
124 +                       addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
125 +                       err = get_user(r27, (unsigned long *)addr);
126 +                       if (err)
127 +                               break;
128 +
129 +                       regs->r27 = r27;
130 +                       regs->pc = r27;
131 +                       return 2;
132 +               }
133 +       } while (0);
134 +
135 +       do { /* PaX: patched PLT emulation #2 */
136 +               unsigned int ldah, lda, br;
137 +
138 +               err = get_user(ldah, (unsigned int *)regs->pc);
139 +               err |= get_user(lda, (unsigned int *)(regs->pc+4));
140 +               err |= get_user(br, (unsigned int *)(regs->pc+8));
141 +
142 +               if (err)
143 +                       break;
144 +
145 +               if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
146 +                   (lda & 0xFFFF0000U) == 0xA77B0000U &&
147 +                   (br & 0xFFE00000U) == 0xC3E00000U)
148 +               {
149 +                       unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
150 +                       unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
151 +                       unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
152 +
153 +                       regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
154 +                       regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
155 +                       return 2;
156 +               }
157 +       } while (0);
158 +
159 +       do { /* PaX: unpatched PLT emulation */
160 +               unsigned int br;
161 +
162 +               err = get_user(br, (unsigned int *)regs->pc);
163 +
164 +               if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
165 +                       unsigned int br2, ldq, nop, jmp;
166 +                       unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
167 +
168 +                       addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
169 +                       err = get_user(br2, (unsigned int *)addr);
170 +                       err |= get_user(ldq, (unsigned int *)(addr+4));
171 +                       err |= get_user(nop, (unsigned int *)(addr+8));
172 +                       err |= get_user(jmp, (unsigned int *)(addr+12));
173 +                       err |= get_user(resolver, (unsigned long *)(addr+16));
174 +
175 +                       if (err)
176 +                               break;
177 +
178 +                       if (br2 == 0xC3600000U &&
179 +                           ldq == 0xA77B000CU &&
180 +                           nop == 0x47FF041FU &&
181 +                           jmp == 0x6B7B0000U)
182 +                       {
183 +                               regs->r28 = regs->pc+4;
184 +                               regs->r27 = addr+16;
185 +                               regs->pc = resolver;
186 +                               return 3;
187 +                       }
188 +               }
189 +       } while (0);
190 +#endif
191 +
192 +       return 1;
193 +}
194 +
195 +void pax_report_insns(void *pc, void *sp)
196 +{
197 +       unsigned long i;
198 +
199 +       printk(KERN_ERR "PAX: bytes at PC: ");
200 +       for (i = 0; i < 5; i++) {
201 +               unsigned int c;
202 +               if (get_user(c, (unsigned int *)pc+i))
203 +                       printk(KERN_CONT "???????? ");
204 +               else
205 +                       printk(KERN_CONT "%08x ", c);
206 +       }
207 +       printk("\n");
208 +}
209 +#endif
210  
211  /*
212   * This routine handles page faults.  It determines the address,
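Review bot: The three opcode masks in pax_handle_fetch_fault (`0x277B0000U`, `0xA77B0000U`, `0x6BFB0000U`, `0xC3E00000U`, …) are the whole security decision here, yet nothing says which instruction sequence each block matches; a one-line comment per `do {` block naming the decoded sequence (for #1, presumably an `ldah`/`ldq` pair through $27 followed by a `jmp` through $27 — verify against the Alpha encoding before writing it) would let a reviewer check the masks. The `(unsigned int *)regs->pc` casts passed to `get_user` also lack the `__user` annotation that the arm version of pax_report_insns below carries (`(__force unsigned char __user *)pc+i`), so sparse will flag these reads inconsistently across architectures. The blank line directly after the opening `{` of pax_handle_fetch_fault is stray.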
213 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
214   good_area:
215         si_code = SEGV_ACCERR;
216         if (cause < 0) {
217 -               if (!(vma->vm_flags & VM_EXEC))
218 +               if (!(vma->vm_flags & VM_EXEC)) {
219 +
220 +#ifdef CONFIG_PAX_PAGEEXEC
221 +                       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
222 +                               goto bad_area;
223 +
224 +                       up_read(&mm->mmap_sem);
225 +                       switch (pax_handle_fetch_fault(regs)) {
226 +
227 +#ifdef CONFIG_PAX_EMUPLT
228 +                       case 2:
229 +                       case 3:
230 +                               return;
231 +#endif
232 +
233 +                       }
234 +                       pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
235 +                       do_group_exit(SIGKILL);
236 +#else
237                         goto bad_area;
238 +#endif
239 +
240 +               }
241         } else if (!cause) {
242                 /* Allow reads even for write-only mappings */
243                 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
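Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default` and, with CONFIG_PAX_EMUPLT off, no cases at all, so the fall-through to `pax_report_fault` and `do_group_exit(SIGKILL)` for return value 1 is implicit. Adding `default: break; /* 1: genuine offender, reported and killed below */` makes the contract documented on pax_handle_fetch_fault (1 = kill, 2/3 = emulated, resume) visible at the call site. The `up_read(&mm->mmap_sem)` precedes the switch, so the `return` for cases 2 and 3 and the kill path both leave the lock released, which is consistent. do_page_fault continues outside the hunk.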
244 diff -urNp linux-3.0.9/arch/arm/include/asm/elf.h linux-3.0.9/arch/arm/include/asm/elf.h
245 --- linux-3.0.9/arch/arm/include/asm/elf.h      2011-11-11 13:12:24.000000000 -0500
246 +++ linux-3.0.9/arch/arm/include/asm/elf.h      2011-11-15 20:02:59.000000000 -0500
247 @@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t
248     the loader.  We need to make sure that it is out of the way of the program
249     that it will "exec", and that there is sufficient room for the brk.  */
250  
251 -#define ELF_ET_DYN_BASE        (2 * TASK_SIZE / 3)
252 +#define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
253 +
254 +#ifdef CONFIG_PAX_ASLR
255 +#define PAX_ELF_ET_DYN_BASE    0x00008000UL
256 +
257 +#define PAX_DELTA_MMAP_LEN     ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
258 +#define PAX_DELTA_STACK_LEN    ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
259 +#endif
260  
261  /* When the program starts, a1 contains a pointer to a function to be 
262     registered with atexit, as per the SVR4 ABI.  A value of 0 means we 
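Review bot: `current->personality == PER_LINUX_32BIT` compares the whole personality word, so any additional flag bit set in it (the word also carries flags such as ADDR_NO_RANDOMIZE or READ_IMPLIES_EXEC) makes the test fail and silently selects the 10-bit delta for a 32-bit personality. The alpha hunk above tests the bit instead, `current->personality & ADDR_LIMIT_32BIT`, which is robust against extra flags; `#define PAX_DELTA_MMAP_LEN ((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` (and the same for the stack macro) would be consistent with it. The ia64 hunk cut off at the end of this chunk uses the same whole-word `== PER_LINUX32` form.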
263 @@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t
264  extern void elf_set_personality(const struct elf32_hdr *);
265  #define SET_PERSONALITY(ex)    elf_set_personality(&(ex))
266  
267 -struct mm_struct;
268 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
269 -#define arch_randomize_brk arch_randomize_brk
270 -
271  extern int vectors_user_mapping(void);
272  #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
273  #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
274 diff -urNp linux-3.0.9/arch/arm/include/asm/kmap_types.h linux-3.0.9/arch/arm/include/asm/kmap_types.h
275 --- linux-3.0.9/arch/arm/include/asm/kmap_types.h       2011-11-11 13:12:24.000000000 -0500
276 +++ linux-3.0.9/arch/arm/include/asm/kmap_types.h       2011-11-15 20:02:59.000000000 -0500
277 @@ -21,6 +21,7 @@ enum km_type {
278         KM_L1_CACHE,
279         KM_L2_CACHE,
280         KM_KDB,
281 +       KM_CLEARPAGE,
282         KM_TYPE_NR
283  };
284  
285 diff -urNp linux-3.0.9/arch/arm/include/asm/uaccess.h linux-3.0.9/arch/arm/include/asm/uaccess.h
286 --- linux-3.0.9/arch/arm/include/asm/uaccess.h  2011-11-11 13:12:24.000000000 -0500
287 +++ linux-3.0.9/arch/arm/include/asm/uaccess.h  2011-11-15 20:02:59.000000000 -0500
288 @@ -22,6 +22,8 @@
289  #define VERIFY_READ 0
290  #define VERIFY_WRITE 1
291  
292 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
293 +
294  /*
295   * The exception table consists of pairs of addresses: the first is the
296   * address of an instruction that is allowed to fault, and the second is
297 @@ -387,8 +389,23 @@ do {                                                                       \
298  
299  
300  #ifdef CONFIG_MMU
301 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
302 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
303 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
304 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
305 +
306 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
307 +{
308 +       if (!__builtin_constant_p(n))
309 +               check_object_size(to, n, false);
310 +       return ___copy_from_user(to, from, n);
311 +}
312 +
313 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
314 +{
315 +       if (!__builtin_constant_p(n))
316 +               check_object_size(from, n, true);
317 +       return ___copy_to_user(to, from, n);
318 +}
319 +
320  extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
321  extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
322  extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
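Review bot: The two new inline wrappers give no hint why `check_object_size` is skipped when `n` is a compile-time constant or what the third argument means; a reader of uaccess.h only sees a bare `false` / `true`. From the call sites the pointer passed is always the kernel-side object and the bool tracks the direction, so a block comment above `__copy_from_user` along the lines of `/* Bounds-check the kernel-side object against n before the copy; third arg is true when the kernel object is the source (copy to user). Constant n is skipped — presumably checked at compile time. */` would carry that. Whether constant sizes are really checked elsewhere is not visible in this hunk, so confirm before asserting it.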
323 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
324  
325  static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
326  {
327 +       if ((long)n < 0)
328 +               return n;
329 +
330         if (access_ok(VERIFY_READ, from, n))
331                 n = __copy_from_user(to, from, n);
332         else /* security hole - plug it */
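Review bot: The new `(long)n < 0` early return is undocumented, and a later reader may drop it as redundant with `access_ok`; it rejects lengths with the top bit set (typically a signed underflow in the caller) before `access_ok` and before the `else` path below can act on the bogus length, reporting the whole length as not copied. A comment such as `/* a "negative" length is a caller bug (signed underflow): fail before access_ok and before the else path below touches n bytes */` would preserve the rationale; the body of that else branch is outside the hunk, so adjust the wording to what it actually does. The same guard is added to copy_to_user in the next hunk and deserves the same comment.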
333 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
334  
335  static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
336  {
337 +       if ((long)n < 0)
338 +               return n;
339 +
340         if (access_ok(VERIFY_WRITE, to, n))
341                 n = __copy_to_user(to, from, n);
342         return n;
343 diff -urNp linux-3.0.9/arch/arm/kernel/armksyms.c linux-3.0.9/arch/arm/kernel/armksyms.c
344 --- linux-3.0.9/arch/arm/kernel/armksyms.c      2011-11-11 13:12:24.000000000 -0500
345 +++ linux-3.0.9/arch/arm/kernel/armksyms.c      2011-11-15 20:02:59.000000000 -0500
346 @@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
347  #ifdef CONFIG_MMU
348  EXPORT_SYMBOL(copy_page);
349  
350 -EXPORT_SYMBOL(__copy_from_user);
351 -EXPORT_SYMBOL(__copy_to_user);
352 +EXPORT_SYMBOL(___copy_from_user);
353 +EXPORT_SYMBOL(___copy_to_user);
354  EXPORT_SYMBOL(__clear_user);
355  
356  EXPORT_SYMBOL(__get_user_1);
357 diff -urNp linux-3.0.9/arch/arm/kernel/process.c linux-3.0.9/arch/arm/kernel/process.c
358 --- linux-3.0.9/arch/arm/kernel/process.c       2011-11-11 13:12:24.000000000 -0500
359 +++ linux-3.0.9/arch/arm/kernel/process.c       2011-11-15 20:02:59.000000000 -0500
360 @@ -28,7 +28,6 @@
361  #include <linux/tick.h>
362  #include <linux/utsname.h>
363  #include <linux/uaccess.h>
364 -#include <linux/random.h>
365  #include <linux/hw_breakpoint.h>
366  
367  #include <asm/cacheflush.h>
368 @@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru
369         return 0;
370  }
371  
372 -unsigned long arch_randomize_brk(struct mm_struct *mm)
373 -{
374 -       unsigned long range_end = mm->brk + 0x02000000;
375 -       return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
376 -}
377 -
378  #ifdef CONFIG_MMU
379  /*
380   * The vectors page is always readable from user space for the
381 diff -urNp linux-3.0.9/arch/arm/kernel/traps.c linux-3.0.9/arch/arm/kernel/traps.c
382 --- linux-3.0.9/arch/arm/kernel/traps.c 2011-11-11 13:12:24.000000000 -0500
383 +++ linux-3.0.9/arch/arm/kernel/traps.c 2011-11-15 20:02:59.000000000 -0500
384 @@ -257,6 +257,8 @@ static int __die(const char *str, int er
385  
386  static DEFINE_SPINLOCK(die_lock);
387  
388 +extern void gr_handle_kernel_exploit(void);
389 +
390  /*
391   * This function is protected against re-entrancy.
392   */
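Review bot: `extern void gr_handle_kernel_exploit(void);` is declared ad hoc in traps.c rather than in a header, so if the prototype ever changes each per-file declaration drifts independently and the compiler cannot catch the mismatch. Declare it once in the header that belongs to its definition (not visible in this chunk) and include that here, as the uaccess.h hunk above already does for `check_object_size`.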
393 @@ -284,6 +286,9 @@ void die(const char *str, struct pt_regs
394                 panic("Fatal exception in interrupt");
395         if (panic_on_oops)
396                 panic("Fatal exception");
397 +
398 +       gr_handle_kernel_exploit();
399 +
400         if (ret != NOTIFY_STOP)
401                 do_exit(SIGSEGV);
402  }
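Review bot: `gr_handle_kernel_exploit()` runs before the `if (ret != NOTIFY_STOP)` test, so it is also invoked when a die notifier (a debugger, for instance) has claimed the oops and the task is not going to be killed. If the helper takes punitive action on the current task it should probably sit inside that branch: `if (ret != NOTIFY_STOP) { gr_handle_kernel_exploit(); do_exit(SIGSEGV); }`. What the helper does is not visible here, so at minimum a one-line comment at the call site stating its effect would help. die() starts outside the hunk.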
403 diff -urNp linux-3.0.9/arch/arm/lib/copy_from_user.S linux-3.0.9/arch/arm/lib/copy_from_user.S
404 --- linux-3.0.9/arch/arm/lib/copy_from_user.S   2011-11-11 13:12:24.000000000 -0500
405 +++ linux-3.0.9/arch/arm/lib/copy_from_user.S   2011-11-15 20:02:59.000000000 -0500
406 @@ -16,7 +16,7 @@
407  /*
408   * Prototype:
409   *
410 - *     size_t __copy_from_user(void *to, const void *from, size_t n)
411 + *     size_t ___copy_from_user(void *to, const void *from, size_t n)
412   *
413   * Purpose:
414   *
415 @@ -84,11 +84,11 @@
416  
417         .text
418  
419 -ENTRY(__copy_from_user)
420 +ENTRY(___copy_from_user)
421  
422  #include "copy_template.S"
423  
424 -ENDPROC(__copy_from_user)
425 +ENDPROC(___copy_from_user)
426  
427         .pushsection .fixup,"ax"
428         .align 0
429 diff -urNp linux-3.0.9/arch/arm/lib/copy_to_user.S linux-3.0.9/arch/arm/lib/copy_to_user.S
430 --- linux-3.0.9/arch/arm/lib/copy_to_user.S     2011-11-11 13:12:24.000000000 -0500
431 +++ linux-3.0.9/arch/arm/lib/copy_to_user.S     2011-11-15 20:02:59.000000000 -0500
432 @@ -16,7 +16,7 @@
433  /*
434   * Prototype:
435   *
436 - *     size_t __copy_to_user(void *to, const void *from, size_t n)
437 + *     size_t ___copy_to_user(void *to, const void *from, size_t n)
438   *
439   * Purpose:
440   *
441 @@ -88,11 +88,11 @@
442         .text
443  
444  ENTRY(__copy_to_user_std)
445 -WEAK(__copy_to_user)
446 +WEAK(___copy_to_user)
447  
448  #include "copy_template.S"
449  
450 -ENDPROC(__copy_to_user)
451 +ENDPROC(___copy_to_user)
452  ENDPROC(__copy_to_user_std)
453  
454         .pushsection .fixup,"ax"
455 diff -urNp linux-3.0.9/arch/arm/lib/uaccess.S linux-3.0.9/arch/arm/lib/uaccess.S
456 --- linux-3.0.9/arch/arm/lib/uaccess.S  2011-11-11 13:12:24.000000000 -0500
457 +++ linux-3.0.9/arch/arm/lib/uaccess.S  2011-11-15 20:02:59.000000000 -0500
458 @@ -20,7 +20,7 @@
459  
460  #define PAGE_SHIFT 12
461  
462 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
463 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
464   * Purpose  : copy a block to user memory from kernel memory
465   * Params   : to   - user memory
466   *          : from - kernel memory
467 @@ -40,7 +40,7 @@ USER(         T(strgtb) r3, [r0], #1)                 @ May f
468                 sub     r2, r2, ip
469                 b       .Lc2u_dest_aligned
470  
471 -ENTRY(__copy_to_user)
472 +ENTRY(___copy_to_user)
473                 stmfd   sp!, {r2, r4 - r7, lr}
474                 cmp     r2, #4
475                 blt     .Lc2u_not_enough
476 @@ -278,14 +278,14 @@ USER(             T(strgeb) r3, [r0], #1)                 @ May f
477                 ldrgtb  r3, [r1], #0
478  USER(          T(strgtb) r3, [r0], #1)                 @ May fault
479                 b       .Lc2u_finished
480 -ENDPROC(__copy_to_user)
481 +ENDPROC(___copy_to_user)
482  
483                 .pushsection .fixup,"ax"
484                 .align  0
485  9001:          ldmfd   sp!, {r0, r4 - r7, pc}
486                 .popsection
487  
488 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
489 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
490   * Purpose  : copy a block from user memory to kernel memory
491   * Params   : to   - kernel memory
492   *          : from - user memory
493 @@ -304,7 +304,7 @@ USER(               T(ldrgtb) r3, [r1], #1)                 @ May f
494                 sub     r2, r2, ip
495                 b       .Lcfu_dest_aligned
496  
497 -ENTRY(__copy_from_user)
498 +ENTRY(___copy_from_user)
499                 stmfd   sp!, {r0, r2, r4 - r7, lr}
500                 cmp     r2, #4
501                 blt     .Lcfu_not_enough
502 @@ -544,7 +544,7 @@ USER(               T(ldrgeb) r3, [r1], #1)                 @ May f
503  USER(          T(ldrgtb) r3, [r1], #1)                 @ May fault
504                 strgtb  r3, [r0], #1
505                 b       .Lcfu_finished
506 -ENDPROC(__copy_from_user)
507 +ENDPROC(___copy_from_user)
508  
509                 .pushsection .fixup,"ax"
510                 .align  0
511 diff -urNp linux-3.0.9/arch/arm/lib/uaccess_with_memcpy.c linux-3.0.9/arch/arm/lib/uaccess_with_memcpy.c
512 --- linux-3.0.9/arch/arm/lib/uaccess_with_memcpy.c      2011-11-11 13:12:24.000000000 -0500
513 +++ linux-3.0.9/arch/arm/lib/uaccess_with_memcpy.c      2011-11-15 20:02:59.000000000 -0500
514 @@ -103,7 +103,7 @@ out:
515  }
516  
517  unsigned long
518 -__copy_to_user(void __user *to, const void *from, unsigned long n)
519 +___copy_to_user(void __user *to, const void *from, unsigned long n)
520  {
521         /*
522          * This test is stubbed out of the main function above to keep
523 diff -urNp linux-3.0.9/arch/arm/mach-ux500/mbox-db5500.c linux-3.0.9/arch/arm/mach-ux500/mbox-db5500.c
524 --- linux-3.0.9/arch/arm/mach-ux500/mbox-db5500.c       2011-11-11 13:12:24.000000000 -0500
525 +++ linux-3.0.9/arch/arm/mach-ux500/mbox-db5500.c       2011-11-15 20:02:59.000000000 -0500
526 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
527         return sprintf(buf, "0x%X\n", mbox_value);
528  }
529  
530 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
531 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
532  
533  static int mbox_show(struct seq_file *s, void *data)
534  {
535 diff -urNp linux-3.0.9/arch/arm/mm/fault.c linux-3.0.9/arch/arm/mm/fault.c
536 --- linux-3.0.9/arch/arm/mm/fault.c     2011-11-11 13:12:24.000000000 -0500
537 +++ linux-3.0.9/arch/arm/mm/fault.c     2011-11-15 20:02:59.000000000 -0500
538 @@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
539         }
540  #endif
541  
542 +#ifdef CONFIG_PAX_PAGEEXEC
543 +       if (fsr & FSR_LNX_PF) {
544 +               pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
545 +               do_group_exit(SIGKILL);
546 +       }
547 +#endif
548 +
549         tsk->thread.address = addr;
550         tsk->thread.error_code = fsr;
551         tsk->thread.trap_no = 14;
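Review bot: The new `FSR_LNX_PF` branch kills every user task whose prefetch abort reaches `__do_user_fault`, without testing the per-mm flag the way the alpha and avr32 hunks on this page do (`if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc) goto bad_area;` and `if (mm->pax_flags & MF_PAX_PAGEEXEC)`). If __do_user_fault is also reached for ordinary bad-address prefetch aborts, a plain jump to an unmapped address in a task without PAGEEXEC would be reported as a PaX violation and SIGKILLed instead of receiving SIGSEGV. Suggest `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`, or a comment explaining why ARM deliberately does not gate on the flag. __do_user_fault starts outside the hunk.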
552 @@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign
553  }
554  #endif                                 /* CONFIG_MMU */
555  
556 +#ifdef CONFIG_PAX_PAGEEXEC
557 +void pax_report_insns(void *pc, void *sp)
558 +{
559 +       long i;
560 +
561 +       printk(KERN_ERR "PAX: bytes at PC: ");
562 +       for (i = 0; i < 20; i++) {
563 +               unsigned char c;
564 +               if (get_user(c, (__force unsigned char __user *)pc+i))
565 +                       printk(KERN_CONT "?? ");
566 +               else
567 +                       printk(KERN_CONT "%02x ", c);
568 +       }
569 +       printk("\n");
570 +
571 +       printk(KERN_ERR "PAX: bytes at SP-4: ");
572 +       for (i = -1; i < 20; i++) {
573 +               unsigned long c;
574 +               if (get_user(c, (__force unsigned long __user *)sp+i))
575 +                       printk(KERN_CONT "???????? ");
576 +               else
577 +                       printk(KERN_CONT "%08lx ", c);
578 +       }
579 +       printk("\n");
580 +}
581 +#endif
582 +
583  /*
584   * First Level Translation Fault Handler
585   *
586 diff -urNp linux-3.0.9/arch/arm/mm/mmap.c linux-3.0.9/arch/arm/mm/mmap.c
587 --- linux-3.0.9/arch/arm/mm/mmap.c      2011-11-11 13:12:24.000000000 -0500
588 +++ linux-3.0.9/arch/arm/mm/mmap.c      2011-11-15 20:02:59.000000000 -0500
589 @@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
590         if (len > TASK_SIZE)
591                 return -ENOMEM;
592  
593 +#ifdef CONFIG_PAX_RANDMMAP
594 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
595 +#endif
596 +
597         if (addr) {
598                 if (do_align)
599                         addr = COLOUR_ALIGN(addr, pgoff);
600 @@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
601                         addr = PAGE_ALIGN(addr);
602  
603                 vma = find_vma(mm, addr);
604 -               if (TASK_SIZE - len >= addr &&
605 -                   (!vma || addr + len <= vma->vm_start))
606 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
607                         return addr;
608         }
609         if (len > mm->cached_hole_size) {
610 -               start_addr = addr = mm->free_area_cache;
611 +               start_addr = addr = mm->free_area_cache;
612         } else {
613 -               start_addr = addr = TASK_UNMAPPED_BASE;
614 -               mm->cached_hole_size = 0;
615 +               start_addr = addr = mm->mmap_base;
616 +               mm->cached_hole_size = 0;
617         }
618         /* 8 bits of randomness in 20 address space bits */
619         if ((current->flags & PF_RANDOMIZE) &&
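Review bot: The line `start_addr = addr = mm->free_area_cache;` is removed and re-added with no visible change (presumably an indentation-only difference), which adds noise to the hunk and will surface as a conflict on every rebase; drop the whitespace-only change from the patch. The rest of the hunk is the same mmap_base / check_heap_stack_gap substitution made in the alpha osf_sys.c hunks above, with the same NULL-vma expectation on the helper. arch_get_unmapped_area continues outside the hunk.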
620 @@ -100,14 +103,14 @@ full_search:
621                          * Start a new search - just in case we missed
622                          * some holes.
623                          */
624 -                       if (start_addr != TASK_UNMAPPED_BASE) {
625 -                               start_addr = addr = TASK_UNMAPPED_BASE;
626 +                       if (start_addr != mm->mmap_base) {
627 +                               start_addr = addr = mm->mmap_base;
628                                 mm->cached_hole_size = 0;
629                                 goto full_search;
630                         }
631                         return -ENOMEM;
632                 }
633 -               if (!vma || addr + len <= vma->vm_start) {
634 +               if (check_heap_stack_gap(vma, addr, len)) {
635                         /*
636                          * Remember the place where we stopped the search:
637                          */
638 diff -urNp linux-3.0.9/arch/avr32/include/asm/elf.h linux-3.0.9/arch/avr32/include/asm/elf.h
639 --- linux-3.0.9/arch/avr32/include/asm/elf.h    2011-11-11 13:12:24.000000000 -0500
640 +++ linux-3.0.9/arch/avr32/include/asm/elf.h    2011-11-15 20:02:59.000000000 -0500
641 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
642     the loader.  We need to make sure that it is out of the way of the program
643     that it will "exec", and that there is sufficient room for the brk.  */
644  
645 -#define ELF_ET_DYN_BASE         (2 * TASK_SIZE / 3)
646 +#define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
647  
648 +#ifdef CONFIG_PAX_ASLR
649 +#define PAX_ELF_ET_DYN_BASE    0x00001000UL
650 +
651 +#define PAX_DELTA_MMAP_LEN     15
652 +#define PAX_DELTA_STACK_LEN    15
653 +#endif
654  
655  /* This yields a mask that user programs can use to figure out what
656     instruction set this CPU supports.  This could be done in user space,
657 diff -urNp linux-3.0.9/arch/avr32/include/asm/kmap_types.h linux-3.0.9/arch/avr32/include/asm/kmap_types.h
658 --- linux-3.0.9/arch/avr32/include/asm/kmap_types.h     2011-11-11 13:12:24.000000000 -0500
659 +++ linux-3.0.9/arch/avr32/include/asm/kmap_types.h     2011-11-15 20:02:59.000000000 -0500
660 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
661  D(11)  KM_IRQ1,
662  D(12)  KM_SOFTIRQ0,
663  D(13)  KM_SOFTIRQ1,
664 -D(14)  KM_TYPE_NR
665 +D(14)  KM_CLEARPAGE,
666 +D(15)  KM_TYPE_NR
667  };
668  
669  #undef D
670 diff -urNp linux-3.0.9/arch/avr32/mm/fault.c linux-3.0.9/arch/avr32/mm/fault.c
671 --- linux-3.0.9/arch/avr32/mm/fault.c   2011-11-11 13:12:24.000000000 -0500
672 +++ linux-3.0.9/arch/avr32/mm/fault.c   2011-11-15 20:02:59.000000000 -0500
673 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
674  
675  int exception_trace = 1;
676  
677 +#ifdef CONFIG_PAX_PAGEEXEC
678 +void pax_report_insns(void *pc, void *sp)
679 +{
680 +       unsigned long i;
681 +
682 +       printk(KERN_ERR "PAX: bytes at PC: ");
683 +       for (i = 0; i < 20; i++) {
684 +               unsigned char c;
685 +               if (get_user(c, (unsigned char *)pc+i))
686 +                       printk(KERN_CONT "???????? ");
687 +               else
688 +                       printk(KERN_CONT "%02x ", c);
689 +       }
690 +       printk("\n");
691 +}
692 +#endif
693 +
694  /*
695   * This routine handles page faults. It determines the address and the
696   * problem, and then passes it off to one of the appropriate routines.
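Review bot: On a failed `get_user` the avr32 loop prints `"???????? "` (eight characters) while a successful read prints `%02x` (two), so an unreadable byte misaligns the rest of the dump; the arm version of pax_report_insns above prints `"?? "` for bytes and reserves `"???????? "` for its 32-bit word loop. Change the placeholder to `printk(KERN_CONT "?? ");`. The cast `(unsigned char *)pc+i` also lacks the `__user` annotation the arm version carries (`(__force unsigned char __user *)pc+i`), which sparse will flag.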
697 @@ -156,6 +173,16 @@ bad_area:
698         up_read(&mm->mmap_sem);
699  
700         if (user_mode(regs)) {
701 +
702 +#ifdef CONFIG_PAX_PAGEEXEC
703 +               if (mm->pax_flags & MF_PAX_PAGEEXEC) {
704 +                       if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
705 +                               pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
706 +                               do_group_exit(SIGKILL);
707 +                       }
708 +               }
709 +#endif
710 +
711                 if (exception_trace && printk_ratelimit())
712                         printk("%s%s[%d]: segfault at %08lx pc %08lx "
713                                "sp %08lx ecr %lu\n",
714 diff -urNp linux-3.0.9/arch/frv/include/asm/kmap_types.h linux-3.0.9/arch/frv/include/asm/kmap_types.h
715 --- linux-3.0.9/arch/frv/include/asm/kmap_types.h       2011-11-11 13:12:24.000000000 -0500
716 +++ linux-3.0.9/arch/frv/include/asm/kmap_types.h       2011-11-15 20:02:59.000000000 -0500
717 @@ -23,6 +23,7 @@ enum km_type {
718         KM_IRQ1,
719         KM_SOFTIRQ0,
720         KM_SOFTIRQ1,
721 +       KM_CLEARPAGE,
722         KM_TYPE_NR
723  };
724  
725 diff -urNp linux-3.0.9/arch/frv/mm/elf-fdpic.c linux-3.0.9/arch/frv/mm/elf-fdpic.c
726 --- linux-3.0.9/arch/frv/mm/elf-fdpic.c 2011-11-11 13:12:24.000000000 -0500
727 +++ linux-3.0.9/arch/frv/mm/elf-fdpic.c 2011-11-15 20:02:59.000000000 -0500
728 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
729         if (addr) {
730                 addr = PAGE_ALIGN(addr);
731                 vma = find_vma(current->mm, addr);
732 -               if (TASK_SIZE - len >= addr &&
733 -                   (!vma || addr + len <= vma->vm_start))
734 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
735                         goto success;
736         }
737  
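Review bot: The rewritten condition drops the explicit `!vma ||` guard, so the no-mapping case (find_vma() returning NULL) now relies entirely on check_heap_stack_gap() accepting a NULL vma; that helper is introduced elsewhere in the patch and its contract is not visible here. If NULL is indeed handled inside the helper, a comment at this first call site would save the next reader the lookup, e.g. `/* vma may be NULL here; check_heap_stack_gap() handles that case */`. The same replacement is made in the two following elf-fdpic.c hunks, in ia64 sys_ia64.c and hugetlbpage.c, in both mips mmap.c hunks and in both parisc sys_parisc.c hunks, and the same observation applies to each. In the loop hunks the line after the check dereferences `vma->vm_end`, which is only safe because the enclosing `for (; vma; ...)` already excludes NULL. arch_get_unmapped_area continues outside the hunk.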
738 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
739                         for (; vma; vma = vma->vm_next) {
740                                 if (addr > limit)
741                                         break;
742 -                               if (addr + len <= vma->vm_start)
743 +                               if (check_heap_stack_gap(vma, addr, len))
744                                         goto success;
745                                 addr = vma->vm_end;
746                         }
747 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
748                 for (; vma; vma = vma->vm_next) {
749                         if (addr > limit)
750                                 break;
751 -                       if (addr + len <= vma->vm_start)
752 +                       if (check_heap_stack_gap(vma, addr, len))
753                                 goto success;
754                         addr = vma->vm_end;
755                 }
756 diff -urNp linux-3.0.9/arch/ia64/include/asm/elf.h linux-3.0.9/arch/ia64/include/asm/elf.h
757 --- linux-3.0.9/arch/ia64/include/asm/elf.h     2011-11-11 13:12:24.000000000 -0500
758 +++ linux-3.0.9/arch/ia64/include/asm/elf.h     2011-11-15 20:02:59.000000000 -0500
759 @@ -42,6 +42,13 @@
760   */
761  #define ELF_ET_DYN_BASE                (TASK_UNMAPPED_BASE + 0x800000000UL)
762  
763 +#ifdef CONFIG_PAX_ASLR
764 +#define PAX_ELF_ET_DYN_BASE    (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
765 +
766 +#define PAX_DELTA_MMAP_LEN     (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
767 +#define PAX_DELTA_STACK_LEN    (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
768 +#endif
769 +
770  #define PT_IA_64_UNWIND                0x70000001
771  
772  /* IA-64 relocations: */
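Review bot: `current->personality == PER_LINUX32` compares the whole personality word, so a 32-bit process that also carries a personality flag (for example ADDR_NO_RANDOMIZE) fails the comparison and silently gets the 64-bit base and delta lengths. Masking the flags first, `personality(current->personality) == PER_LINUX32`, tests only the personality type and matches what the other arch hunks do with a bit test; this applies to all three new macros in the hunk. The `3*PAGE_SHIFT - 13` term is unexplained and deserves a short comment stating what it is meant to yield, so it can be checked against the page-size configurations the kernel supports.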
773 diff -urNp linux-3.0.9/arch/ia64/include/asm/pgtable.h linux-3.0.9/arch/ia64/include/asm/pgtable.h
774 --- linux-3.0.9/arch/ia64/include/asm/pgtable.h 2011-11-11 13:12:24.000000000 -0500
775 +++ linux-3.0.9/arch/ia64/include/asm/pgtable.h 2011-11-15 20:02:59.000000000 -0500
776 @@ -12,7 +12,7 @@
777   *     David Mosberger-Tang <davidm@hpl.hp.com>
778   */
779  
780 -
781 +#include <linux/const.h>
782  #include <asm/mman.h>
783  #include <asm/page.h>
784  #include <asm/processor.h>
785 @@ -143,6 +143,17 @@
786  #define PAGE_READONLY  __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
787  #define PAGE_COPY      __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
788  #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
789 +
790 +#ifdef CONFIG_PAX_PAGEEXEC
791 +# define PAGE_SHARED_NOEXEC    __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
792 +# define PAGE_READONLY_NOEXEC  __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
793 +# define PAGE_COPY_NOEXEC      __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
794 +#else
795 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
796 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
797 +# define PAGE_COPY_NOEXEC      PAGE_COPY
798 +#endif
799 +
800  #define PAGE_GATE      __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
801  #define PAGE_KERNEL    __pgprot(__DIRTY_BITS  | _PAGE_PL_0 | _PAGE_AR_RWX)
802  #define PAGE_KERNELRX  __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
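Review bot: PAGE_READONLY_NOEXEC and PAGE_COPY_NOEXEC end up identical to PAGE_READONLY and PAGE_COPY in both arms of the #ifdef, since the base definitions shown just above already use _PAGE_AR_R (the execute-capable variant visible here is _PAGE_AR_RX, used by PAGE_COPY_EXEC). That is presumably deliberate for symmetry with the other architectures, but a reader will wonder whether the duplication hides a mistake; a comment like `/* PAGE_READONLY/PAGE_COPY already lack execute (_PAGE_AR_R); only the shared mapping needs a distinct non-exec variant */` placed inside the CONFIG_PAX_PAGEEXEC arm would settle it.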
803 diff -urNp linux-3.0.9/arch/ia64/include/asm/spinlock.h linux-3.0.9/arch/ia64/include/asm/spinlock.h
804 --- linux-3.0.9/arch/ia64/include/asm/spinlock.h        2011-11-11 13:12:24.000000000 -0500
805 +++ linux-3.0.9/arch/ia64/include/asm/spinlock.h        2011-11-15 20:02:59.000000000 -0500
806 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
807         unsigned short  *p = (unsigned short *)&lock->lock + 1, tmp;
808  
809         asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
810 -       ACCESS_ONCE(*p) = (tmp + 2) & ~1;
811 +       ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
812  }
813  
814  static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
815 diff -urNp linux-3.0.9/arch/ia64/include/asm/uaccess.h linux-3.0.9/arch/ia64/include/asm/uaccess.h
816 --- linux-3.0.9/arch/ia64/include/asm/uaccess.h 2011-11-11 13:12:24.000000000 -0500
817 +++ linux-3.0.9/arch/ia64/include/asm/uaccess.h 2011-11-15 20:02:59.000000000 -0500
818 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
819         const void *__cu_from = (from);                                                 \
820         long __cu_len = (n);                                                            \
821                                                                                         \
822 -       if (__access_ok(__cu_to, __cu_len, get_fs()))                                   \
823 +       if (__cu_len > 0  && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs()))                   \
824                 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len);   \
825         __cu_len;                                                                       \
826  })
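Review bot: The new length guard is written with inconsistent spacing (`__cu_len > 0  &&` here and `INT_MAX  &&` in the next uaccess.h hunk), which reads like an editing leftover and should be normalised to single spaces. More importantly the bound itself is undocumented: the macro now evaluates to the untouched `__cu_len` (i.e. "nothing copied") for zero, negative or > INT_MAX lengths, and a comment such as `/* reject lengths that are negative as long or exceed what __copy_user can take, before access_ok() */` would explain the INT_MAX choice, which I infer from the cast of the helper rather than from anything visible here. For the copy-from-user variant in the following hunk note that a rejected length leaves the destination buffer untouched, unlike a partial copy that faults; callers must therefore honour the non-zero return. The macro body begins above the hunk.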
827 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
828         long __cu_len = (n);                                                            \
829                                                                                         \
830         __chk_user_ptr(__cu_from);                                                      \
831 -       if (__access_ok(__cu_from, __cu_len, get_fs()))                                 \
832 +       if (__cu_len > 0 && __cu_len <= INT_MAX  && __access_ok(__cu_from, __cu_len, get_fs()))                 \
833                 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);   \
834         __cu_len;                                                                       \
835  })
836 diff -urNp linux-3.0.9/arch/ia64/kernel/module.c linux-3.0.9/arch/ia64/kernel/module.c
837 --- linux-3.0.9/arch/ia64/kernel/module.c       2011-11-11 13:12:24.000000000 -0500
838 +++ linux-3.0.9/arch/ia64/kernel/module.c       2011-11-15 20:02:59.000000000 -0500
839 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
840  void
841  module_free (struct module *mod, void *module_region)
842  {
843 -       if (mod && mod->arch.init_unw_table &&
844 -           module_region == mod->module_init) {
845 +       if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
846                 unw_remove_unwind_table(mod->arch.init_unw_table);
847                 mod->arch.init_unw_table = NULL;
848         }
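Review bot: The unwind-table teardown is now tied solely to `module_region == mod->module_init_rx`; if module_free() is also invoked for the rw half of the init image (which the module_init_rx/module_init_rw split elsewhere in this file suggests), that call deliberately skips the teardown, and a reader cannot tell whether that is intended. A one-line comment makes the reasoning explicit: `/* the unwind table describes code, so it is released together with the init rx region only */`. The function body continues outside the hunk.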
849 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
850  }
851  
852  static inline int
853 +in_init_rx (const struct module *mod, uint64_t addr)
854 +{
855 +       return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
856 +}
857 +
858 +static inline int
859 +in_init_rw (const struct module *mod, uint64_t addr)
860 +{
861 +       return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
862 +}
863 +
864 +static inline int
865  in_init (const struct module *mod, uint64_t addr)
866  {
867 -       return addr - (uint64_t) mod->module_init < mod->init_size;
868 +       return in_init_rx(mod, addr) || in_init_rw(mod, addr);
869 +}
870 +
871 +static inline int
872 +in_core_rx (const struct module *mod, uint64_t addr)
873 +{
874 +       return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
875 +}
876 +
877 +static inline int
878 +in_core_rw (const struct module *mod, uint64_t addr)
879 +{
880 +       return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
881  }
882  
883  static inline int
884  in_core (const struct module *mod, uint64_t addr)
885  {
886 -       return addr - (uint64_t) mod->module_core < mod->core_size;
887 +       return in_core_rx(mod, addr) || in_core_rw(mod, addr);
888  }
889  
890  static inline int
891 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
892                 break;
893  
894               case RV_BDREL:
895 -               val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
896 +               if (in_init_rx(mod, val))
897 +                       val -= (uint64_t) mod->module_init_rx;
898 +               else if (in_init_rw(mod, val))
899 +                       val -= (uint64_t) mod->module_init_rw;
900 +               else if (in_core_rx(mod, val))
901 +                       val -= (uint64_t) mod->module_core_rx;
902 +               else if (in_core_rw(mod, val))
903 +                       val -= (uint64_t) mod->module_core_rw;
904                 break;
905  
906               case RV_LTV:
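Review bot: The new four-way chain leaves `val` unmodified when the address falls in none of the rx/rw regions, whereas the removed line always rebased it (against module_core as the fallback); a relocation target outside every region is now silently emitted unchanged instead of at least being noticed. An explicit final arm would make the unexpected case visible, e.g. `else { printk(KERN_ERR "%s: RV_BDREL target 0x%lx outside module\n", mod->name, val); return -ENOEXEC; }`, assuming do_reloc follows the -ENOEXEC error convention used elsewhere in this file, which the hunk does not show. The switch and the enclosing do_reloc() continue outside the hunk.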
907 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
908                  *     addresses have been selected...
909                  */
910                 uint64_t gp;
911 -               if (mod->core_size > MAX_LTOFF)
912 +               if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
913                         /*
914                          * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
915                          * at the end of the module.
916                          */
917 -                       gp = mod->core_size - MAX_LTOFF / 2;
918 +                       gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
919                 else
920 -                       gp = mod->core_size / 2;
921 -               gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
922 +                       gp = (mod->core_size_rx + mod->core_size_rw) / 2;
923 +               gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
924                 mod->arch.gp = gp;
925                 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
926         }
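Review bot: The gp offset is computed from `core_size_rx + core_size_rw` but then added to `module_core_rx`, which is only meaningful if the rw region is laid out immediately after the rx region; with the two regions now tracked separately that contiguity is not established anywhere in the hunk. If the allocator does place rw directly behind rx, a comment above the `if` should state that invariant, since the surviving SHF_ARCH_SMALL comment ("allocated at the end of the module") now refers to the end of which region is unclear; if it does not, the short-data area presumably lives in the rw half and the computation should be based on `module_core_rw` and `core_size_rw` alone. The enclosing apply_relocate_add() starts and ends outside the hunk.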
927 diff -urNp linux-3.0.9/arch/ia64/kernel/sys_ia64.c linux-3.0.9/arch/ia64/kernel/sys_ia64.c
928 --- linux-3.0.9/arch/ia64/kernel/sys_ia64.c     2011-11-11 13:12:24.000000000 -0500
929 +++ linux-3.0.9/arch/ia64/kernel/sys_ia64.c     2011-11-15 20:02:59.000000000 -0500
930 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
931         if (REGION_NUMBER(addr) == RGN_HPAGE)
932                 addr = 0;
933  #endif
934 +
935 +#ifdef CONFIG_PAX_RANDMMAP
936 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
937 +               addr = mm->free_area_cache;
938 +       else
939 +#endif
940 +
941         if (!addr)
942                 addr = mm->free_area_cache;
943  
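Review bot: The `else` introduced under CONFIG_PAX_RANDMMAP binds across the `#endif` to the pre-existing `if (!addr)`, so the control flow of the non-RANDMMAP path depends on a dangling-else that only works because the following statement happens to be an `if`; adding a block, `} else if (!addr) {`-style, or at least a comment such as `/* RANDMMAP: ignore the caller's hint and always search from the cache */` above the #ifdef, would make the override of a caller-supplied `addr` deliberate and visible. The mips mmap.c hunk further down uses the same trick with a bare `if (...)` across `#endif` governing the following `if (addr) {` block and deserves the same treatment. arch_get_unmapped_area continues outside the hunk.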
944 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
945         for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
946                 /* At this point:  (!vma || addr < vma->vm_end). */
947                 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
948 -                       if (start_addr != TASK_UNMAPPED_BASE) {
949 +                       if (start_addr != mm->mmap_base) {
950                                 /* Start a new search --- just in case we missed some holes.  */
951 -                               addr = TASK_UNMAPPED_BASE;
952 +                               addr = mm->mmap_base;
953                                 goto full_search;
954                         }
955                         return -ENOMEM;
956                 }
957 -               if (!vma || addr + len <= vma->vm_start) {
958 +               if (check_heap_stack_gap(vma, addr, len)) {
959                         /* Remember the address where we stopped this search:  */
960                         mm->free_area_cache = addr + len;
961                         return addr;
962 diff -urNp linux-3.0.9/arch/ia64/kernel/vmlinux.lds.S linux-3.0.9/arch/ia64/kernel/vmlinux.lds.S
963 --- linux-3.0.9/arch/ia64/kernel/vmlinux.lds.S  2011-11-11 13:12:24.000000000 -0500
964 +++ linux-3.0.9/arch/ia64/kernel/vmlinux.lds.S  2011-11-15 20:02:59.000000000 -0500
965 @@ -199,7 +199,7 @@ SECTIONS {
966         /* Per-cpu data: */
967         . = ALIGN(PERCPU_PAGE_SIZE);
968         PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
969 -       __phys_per_cpu_start = __per_cpu_load;
970 +       __phys_per_cpu_start = per_cpu_load;
971         /*
972          * ensure percpu data fits
973          * into percpu page size
974 diff -urNp linux-3.0.9/arch/ia64/mm/fault.c linux-3.0.9/arch/ia64/mm/fault.c
975 --- linux-3.0.9/arch/ia64/mm/fault.c    2011-11-11 13:12:24.000000000 -0500
976 +++ linux-3.0.9/arch/ia64/mm/fault.c    2011-11-15 20:02:59.000000000 -0500
977 @@ -73,6 +73,23 @@ mapped_kernel_page_is_present (unsigned 
978         return pte_present(pte);
979  }
980  
981 +#ifdef CONFIG_PAX_PAGEEXEC
982 +void pax_report_insns(void *pc, void *sp)
983 +{
984 +       unsigned long i;
985 +
986 +       printk(KERN_ERR "PAX: bytes at PC: ");
987 +       for (i = 0; i < 8; i++) {
988 +               unsigned int c;
989 +               if (get_user(c, (unsigned int *)pc+i))
990 +                       printk(KERN_CONT "???????? ");
991 +               else
992 +                       printk(KERN_CONT "%08x ", c);
993 +       }
994 +       printk("\n");
995 +}
996 +#endif
997 +
998  void __kprobes
999  ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1000  {
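Review bot: The user pointer passed to get_user() is cast to a plain `unsigned int *`, dropping the address-space annotation; `get_user(c, (unsigned int __user *)pc + i)` keeps sparse happy and documents that `pc` is a user address being read through the fault-safe accessor. The `sp` parameter is not referenced anywhere in the body, so either mark it unused or document that it is kept for the common pax_report_insns() signature. The mips fault.c copy of this function later in the patch has both issues as well. A short header comment, `/* dump the bytes at the faulting PC for the PAX report; get_user() makes the read fault-safe, unreadable words print as ???????? */`, would also help.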
1001 @@ -146,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
1002         mask = (  (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1003                 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1004  
1005 -       if ((vma->vm_flags & mask) != mask)
1006 +       if ((vma->vm_flags & mask) != mask) {
1007 +
1008 +#ifdef CONFIG_PAX_PAGEEXEC
1009 +               if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1010 +                       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1011 +                               goto bad_area;
1012 +
1013 +                       up_read(&mm->mmap_sem);
1014 +                       pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1015 +                       do_group_exit(SIGKILL);
1016 +               }
1017 +#endif
1018 +
1019                 goto bad_area;
1020  
1021 +       }
1022 +
1023         /*
1024          * If for any reason at all we couldn't handle the fault, make
1025          * sure we exit gracefully rather than endlessly redo the
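Review bot: The new PAGEEXEC block calls up_read(&mm->mmap_sem) itself before do_group_exit(), and the reason is not stated: do_group_exit() does not return, so the lock release that the `bad_area` path would otherwise perform (not visible in this hunk) is never reached. A comment on the up_read() line, `/* do_group_exit() never returns; drop mmap_sem here since bad_area is bypassed */`, records that. The added blank lines around the `goto bad_area` and before the closing brace are stray and should be removed. ia64_do_page_fault() starts and ends outside the hunk.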
1026 diff -urNp linux-3.0.9/arch/ia64/mm/hugetlbpage.c linux-3.0.9/arch/ia64/mm/hugetlbpage.c
1027 --- linux-3.0.9/arch/ia64/mm/hugetlbpage.c      2011-11-11 13:12:24.000000000 -0500
1028 +++ linux-3.0.9/arch/ia64/mm/hugetlbpage.c      2011-11-15 20:02:59.000000000 -0500
1029 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1030                 /* At this point:  (!vmm || addr < vmm->vm_end). */
1031                 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1032                         return -ENOMEM;
1033 -               if (!vmm || (addr + len) <= vmm->vm_start)
1034 +               if (check_heap_stack_gap(vmm, addr, len))
1035                         return addr;
1036                 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1037         }
1038 diff -urNp linux-3.0.9/arch/ia64/mm/init.c linux-3.0.9/arch/ia64/mm/init.c
1039 --- linux-3.0.9/arch/ia64/mm/init.c     2011-11-11 13:12:24.000000000 -0500
1040 +++ linux-3.0.9/arch/ia64/mm/init.c     2011-11-15 20:02:59.000000000 -0500
1041 @@ -120,6 +120,19 @@ ia64_init_addr_space (void)
1042                 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1043                 vma->vm_end = vma->vm_start + PAGE_SIZE;
1044                 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1045 +
1046 +#ifdef CONFIG_PAX_PAGEEXEC
1047 +               if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1048 +                       vma->vm_flags &= ~VM_EXEC;
1049 +
1050 +#ifdef CONFIG_PAX_MPROTECT
1051 +                       if (current->mm->pax_flags & MF_PAX_MPROTECT)
1052 +                               vma->vm_flags &= ~VM_MAYEXEC;
1053 +#endif
1054 +
1055 +               }
1056 +#endif
1057 +
1058                 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1059                 down_write(&current->mm->mmap_sem);
1060                 if (insert_vm_struct(current->mm, vma)) {
1061 diff -urNp linux-3.0.9/arch/m32r/lib/usercopy.c linux-3.0.9/arch/m32r/lib/usercopy.c
1062 --- linux-3.0.9/arch/m32r/lib/usercopy.c        2011-11-11 13:12:24.000000000 -0500
1063 +++ linux-3.0.9/arch/m32r/lib/usercopy.c        2011-11-15 20:02:59.000000000 -0500
1064 @@ -14,6 +14,9 @@
1065  unsigned long
1066  __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1067  {
1068 +       if ((long)n < 0)
1069 +               return n;
1070 +
1071         prefetch(from);
1072         if (access_ok(VERIFY_WRITE, to, n))
1073                 __copy_user(to,from,n);
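Review bot: The new guard `if ((long)n < 0) return n;` is a size sanity check whose intent is not obvious at a glance; a comment such as `/* a length with the top bit set is a negative count or an overflowed size: reject it before access_ok() */` would explain why the function reports "nothing copied" in that case. The same guard is added to __generic_copy_from_user in the next hunk, where a rejected length also leaves `to` untouched, so the caller must check the return value. Both function bodies continue outside their hunks.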
1074 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, 
1075  unsigned long
1076  __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1077  {
1078 +       if ((long)n < 0)
1079 +               return n;
1080 +
1081         prefetchw(to);
1082         if (access_ok(VERIFY_READ, from, n))
1083                 __copy_user_zeroing(to,from,n);
1084 diff -urNp linux-3.0.9/arch/mips/include/asm/elf.h linux-3.0.9/arch/mips/include/asm/elf.h
1085 --- linux-3.0.9/arch/mips/include/asm/elf.h     2011-11-11 13:12:24.000000000 -0500
1086 +++ linux-3.0.9/arch/mips/include/asm/elf.h     2011-11-15 20:02:59.000000000 -0500
1087 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1088  #define ELF_ET_DYN_BASE         (TASK_SIZE / 3 * 2)
1089  #endif
1090  
1091 +#ifdef CONFIG_PAX_ASLR
1092 +#define PAX_ELF_ET_DYN_BASE    (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1093 +
1094 +#define PAX_DELTA_MMAP_LEN     (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1095 +#define PAX_DELTA_STACK_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1096 +#endif
1097 +
1098  #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1099  struct linux_binprm;
1100  extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1101                                        int uses_interp);
1102  
1103 -struct mm_struct;
1104 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1105 -#define arch_randomize_brk arch_randomize_brk
1106 -
1107  #endif /* _ASM_ELF_H */
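Review bot: Both arms of `PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)` are the same value, so the conditional is dead; either the 64-bit base was meant to differ or the macro should simply read `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The identical definition is repeated verbatim in the binfmt_elfn32.c and binfmt_elfo32.c hunks, so whichever fix is chosen should be applied in all three places. The removal of the arch_randomize_brk declaration matches the deletion of its definition in the mips mmap.c hunk later in the patch.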
1108 diff -urNp linux-3.0.9/arch/mips/include/asm/page.h linux-3.0.9/arch/mips/include/asm/page.h
1109 --- linux-3.0.9/arch/mips/include/asm/page.h    2011-11-11 13:12:24.000000000 -0500
1110 +++ linux-3.0.9/arch/mips/include/asm/page.h    2011-11-15 20:02:59.000000000 -0500
1111 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1112    #ifdef CONFIG_CPU_MIPS32
1113      typedef struct { unsigned long pte_low, pte_high; } pte_t;
1114      #define pte_val(x)    ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1115 -    #define __pte(x)      ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1116 +    #define __pte(x)      ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1117    #else
1118       typedef struct { unsigned long long pte; } pte_t;
1119       #define pte_val(x)        ((x).pte)
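Review bot: Replacing `((unsigned long long)(x)) >> 32` with `(x) >> 32` is only safe if every caller of `__pte()` passes a 64-bit value; for a 32-bit `unsigned long` argument the shift is by the full width, which is undefined behaviour and a compiler warning, whereas the removed cast widened first. Since pte_val() on this configuration yields `unsigned long long`, the intended argument type is presumably 64-bit, and a comment on the macro saying so would make the contract explicit; otherwise keep the cast.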
1120 diff -urNp linux-3.0.9/arch/mips/include/asm/system.h linux-3.0.9/arch/mips/include/asm/system.h
1121 --- linux-3.0.9/arch/mips/include/asm/system.h  2011-11-11 13:12:24.000000000 -0500
1122 +++ linux-3.0.9/arch/mips/include/asm/system.h  2011-11-15 20:02:59.000000000 -0500
1123 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1124   */
1125  #define __ARCH_WANT_UNLOCKED_CTXSW
1126  
1127 -extern unsigned long arch_align_stack(unsigned long sp);
1128 +#define arch_align_stack(x) ((x) & ~0xfUL)
1129  
1130  #endif /* _ASM_SYSTEM_H */
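Review bot: The macro hard-codes 16-byte alignment and silently drops the sub-page randomisation (`sp -= get_random_int() & ~PAGE_MASK`) that the arch_align_stack() deleted in the mips process.c hunk used to apply; the removed comment there notes that 8 bytes suffice for the 32-bit ABI, so over-aligning is harmless, but the loss of randomisation needs a stated reason. If PaX's own user-stack randomisation is meant to take over that role, say so next to the macro, e.g. `/* stack randomisation is handled by PaX; only the ABI alignment is applied here */`.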
1131 diff -urNp linux-3.0.9/arch/mips/kernel/binfmt_elfn32.c linux-3.0.9/arch/mips/kernel/binfmt_elfn32.c
1132 --- linux-3.0.9/arch/mips/kernel/binfmt_elfn32.c        2011-11-11 13:12:24.000000000 -0500
1133 +++ linux-3.0.9/arch/mips/kernel/binfmt_elfn32.c        2011-11-15 20:02:59.000000000 -0500
1134 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1135  #undef ELF_ET_DYN_BASE
1136  #define ELF_ET_DYN_BASE         (TASK32_SIZE / 3 * 2)
1137  
1138 +#ifdef CONFIG_PAX_ASLR
1139 +#define PAX_ELF_ET_DYN_BASE    (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1140 +
1141 +#define PAX_DELTA_MMAP_LEN     (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1142 +#define PAX_DELTA_STACK_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1143 +#endif
1144 +
1145  #include <asm/processor.h>
1146  #include <linux/module.h>
1147  #include <linux/elfcore.h>
1148 diff -urNp linux-3.0.9/arch/mips/kernel/binfmt_elfo32.c linux-3.0.9/arch/mips/kernel/binfmt_elfo32.c
1149 --- linux-3.0.9/arch/mips/kernel/binfmt_elfo32.c        2011-11-11 13:12:24.000000000 -0500
1150 +++ linux-3.0.9/arch/mips/kernel/binfmt_elfo32.c        2011-11-15 20:02:59.000000000 -0500
1151 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1152  #undef ELF_ET_DYN_BASE
1153  #define ELF_ET_DYN_BASE         (TASK32_SIZE / 3 * 2)
1154  
1155 +#ifdef CONFIG_PAX_ASLR
1156 +#define PAX_ELF_ET_DYN_BASE    (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1157 +
1158 +#define PAX_DELTA_MMAP_LEN     (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1159 +#define PAX_DELTA_STACK_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1160 +#endif
1161 +
1162  #include <asm/processor.h>
1163  
1164  /*
1165 diff -urNp linux-3.0.9/arch/mips/kernel/process.c linux-3.0.9/arch/mips/kernel/process.c
1166 --- linux-3.0.9/arch/mips/kernel/process.c      2011-11-11 13:12:24.000000000 -0500
1167 +++ linux-3.0.9/arch/mips/kernel/process.c      2011-11-15 20:02:59.000000000 -0500
1168 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1169  out:
1170         return pc;
1171  }
1172 -
1173 -/*
1174 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1175 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1176 - */
1177 -unsigned long arch_align_stack(unsigned long sp)
1178 -{
1179 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1180 -               sp -= get_random_int() & ~PAGE_MASK;
1181 -
1182 -       return sp & ALMASK;
1183 -}
1184 diff -urNp linux-3.0.9/arch/mips/mm/fault.c linux-3.0.9/arch/mips/mm/fault.c
1185 --- linux-3.0.9/arch/mips/mm/fault.c    2011-11-11 13:12:24.000000000 -0500
1186 +++ linux-3.0.9/arch/mips/mm/fault.c    2011-11-15 20:02:59.000000000 -0500
1187 @@ -28,6 +28,23 @@
1188  #include <asm/highmem.h>               /* For VMALLOC_END */
1189  #include <linux/kdebug.h>
1190  
1191 +#ifdef CONFIG_PAX_PAGEEXEC
1192 +void pax_report_insns(void *pc, void *sp)
1193 +{
1194 +       unsigned long i;
1195 +
1196 +       printk(KERN_ERR "PAX: bytes at PC: ");
1197 +       for (i = 0; i < 5; i++) {
1198 +               unsigned int c;
1199 +               if (get_user(c, (unsigned int *)pc+i))
1200 +                       printk(KERN_CONT "???????? ");
1201 +               else
1202 +                       printk(KERN_CONT "%08x ", c);
1203 +       }
1204 +       printk("\n");
1205 +}
1206 +#endif
1207 +
1208  /*
1209   * This routine handles page faults.  It determines the address,
1210   * and the problem, and then passes it off to one of the appropriate
1211 diff -urNp linux-3.0.9/arch/mips/mm/mmap.c linux-3.0.9/arch/mips/mm/mmap.c
1212 --- linux-3.0.9/arch/mips/mm/mmap.c     2011-11-11 13:12:24.000000000 -0500
1213 +++ linux-3.0.9/arch/mips/mm/mmap.c     2011-11-15 20:02:59.000000000 -0500
1214 @@ -48,14 +48,18 @@ unsigned long arch_get_unmapped_area(str
1215         do_color_align = 0;
1216         if (filp || (flags & MAP_SHARED))
1217                 do_color_align = 1;
1218 +
1219 +#ifdef CONFIG_PAX_RANDMMAP
1220 +       if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1221 +#endif
1222 +
1223         if (addr) {
1224                 if (do_color_align)
1225                         addr = COLOUR_ALIGN(addr, pgoff);
1226                 else
1227                         addr = PAGE_ALIGN(addr);
1228                 vmm = find_vma(current->mm, addr);
1229 -               if (TASK_SIZE - len >= addr &&
1230 -                   (!vmm || addr + len <= vmm->vm_start))
1231 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len))
1232                         return addr;
1233         }
1234         addr = current->mm->mmap_base;
1235 @@ -68,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
1236                 /* At this point:  (!vmm || addr < vmm->vm_end). */
1237                 if (TASK_SIZE - len < addr)
1238                         return -ENOMEM;
1239 -               if (!vmm || addr + len <= vmm->vm_start)
1240 +               if (check_heap_stack_gap(vmm, addr, len))
1241                         return addr;
1242                 addr = vmm->vm_end;
1243                 if (do_color_align)
1244 @@ -93,30 +97,3 @@ void arch_pick_mmap_layout(struct mm_str
1245         mm->get_unmapped_area = arch_get_unmapped_area;
1246         mm->unmap_area = arch_unmap_area;
1247  }
1248 -
1249 -static inline unsigned long brk_rnd(void)
1250 -{
1251 -       unsigned long rnd = get_random_int();
1252 -
1253 -       rnd = rnd << PAGE_SHIFT;
1254 -       /* 8MB for 32bit, 256MB for 64bit */
1255 -       if (TASK_IS_32BIT_ADDR)
1256 -               rnd = rnd & 0x7ffffful;
1257 -       else
1258 -               rnd = rnd & 0xffffffful;
1259 -
1260 -       return rnd;
1261 -}
1262 -
1263 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1264 -{
1265 -       unsigned long base = mm->brk;
1266 -       unsigned long ret;
1267 -
1268 -       ret = PAGE_ALIGN(base + brk_rnd());
1269 -
1270 -       if (ret < mm->brk)
1271 -               return mm->brk;
1272 -
1273 -       return ret;
1274 -}
1275 diff -urNp linux-3.0.9/arch/parisc/include/asm/elf.h linux-3.0.9/arch/parisc/include/asm/elf.h
1276 --- linux-3.0.9/arch/parisc/include/asm/elf.h   2011-11-11 13:12:24.000000000 -0500
1277 +++ linux-3.0.9/arch/parisc/include/asm/elf.h   2011-11-15 20:02:59.000000000 -0500
1278 @@ -342,6 +342,13 @@ struct pt_regs;    /* forward declaration..
1279  
1280  #define ELF_ET_DYN_BASE         (TASK_UNMAPPED_BASE + 0x01000000)
1281  
1282 +#ifdef CONFIG_PAX_ASLR
1283 +#define PAX_ELF_ET_DYN_BASE    0x10000UL
1284 +
1285 +#define PAX_DELTA_MMAP_LEN     16
1286 +#define PAX_DELTA_STACK_LEN    16
1287 +#endif
1288 +
1289  /* This yields a mask that user programs can use to figure out what
1290     instruction set this CPU supports.  This could be done in user space,
1291     but it's not easy, and we've already done it here.  */
1292 diff -urNp linux-3.0.9/arch/parisc/include/asm/pgtable.h linux-3.0.9/arch/parisc/include/asm/pgtable.h
1293 --- linux-3.0.9/arch/parisc/include/asm/pgtable.h       2011-11-11 13:12:24.000000000 -0500
1294 +++ linux-3.0.9/arch/parisc/include/asm/pgtable.h       2011-11-15 20:02:59.000000000 -0500
1295 @@ -210,6 +210,17 @@ struct vm_area_struct;
1296  #define PAGE_EXECREAD   __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1297  #define PAGE_COPY       PAGE_EXECREAD
1298  #define PAGE_RWX        __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1299 +
1300 +#ifdef CONFIG_PAX_PAGEEXEC
1301 +# define PAGE_SHARED_NOEXEC    __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1302 +# define PAGE_COPY_NOEXEC      __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1303 +# define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1304 +#else
1305 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
1306 +# define PAGE_COPY_NOEXEC      PAGE_COPY
1307 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
1308 +#endif
1309 +
1310  #define PAGE_KERNEL    __pgprot(_PAGE_KERNEL)
1311  #define PAGE_KERNEL_EXEC       __pgprot(_PAGE_KERNEL_EXEC)
1312  #define PAGE_KERNEL_RWX        __pgprot(_PAGE_KERNEL_RWX)
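Review bot: In the `#else` arm, PAGE_COPY_NOEXEC expands to PAGE_COPY, which on this architecture is PAGE_EXECREAD (visible just above the hunk), so a name ending in _NOEXEC can yield an executable protection when CONFIG_PAX_PAGEEXEC is off. That fallback is presumably intentional, but a comment in the `#else` arm such as `/* without PAGEEXEC the _NOEXEC protections fall back to the ordinary, possibly executable, ones */` would prevent the name from being read as a guarantee.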
1313 diff -urNp linux-3.0.9/arch/parisc/kernel/module.c linux-3.0.9/arch/parisc/kernel/module.c
1314 --- linux-3.0.9/arch/parisc/kernel/module.c     2011-11-11 13:12:24.000000000 -0500
1315 +++ linux-3.0.9/arch/parisc/kernel/module.c     2011-11-15 20:02:59.000000000 -0500
1316 @@ -98,16 +98,38 @@
1317  
1318  /* three functions to determine where in the module core
1319   * or init pieces the location is */
1320 +static inline int in_init_rx(struct module *me, void *loc)
1321 +{
1322 +       return (loc >= me->module_init_rx &&
1323 +               loc < (me->module_init_rx + me->init_size_rx));
1324 +}
1325 +
1326 +static inline int in_init_rw(struct module *me, void *loc)
1327 +{
1328 +       return (loc >= me->module_init_rw &&
1329 +               loc < (me->module_init_rw + me->init_size_rw));
1330 +}
1331 +
1332  static inline int in_init(struct module *me, void *loc)
1333  {
1334 -       return (loc >= me->module_init &&
1335 -               loc <= (me->module_init + me->init_size));
1336 +       return in_init_rx(me, loc) || in_init_rw(me, loc);
1337 +}
1338 +
1339 +static inline int in_core_rx(struct module *me, void *loc)
1340 +{
1341 +       return (loc >= me->module_core_rx &&
1342 +               loc < (me->module_core_rx + me->core_size_rx));
1343 +}
1344 +
1345 +static inline int in_core_rw(struct module *me, void *loc)
1346 +{
1347 +       return (loc >= me->module_core_rw &&
1348 +               loc < (me->module_core_rw + me->core_size_rw));
1349  }
1350  
1351  static inline int in_core(struct module *me, void *loc)
1352  {
1353 -       return (loc >= me->module_core &&
1354 -               loc <= (me->module_core + me->core_size));
1355 +       return in_core_rx(me, loc) || in_core_rw(me, loc);
1356  }
1357  
1358  static inline int in_local(struct module *me, void *loc)
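Review bot: The surviving comment "three functions to determine where in the module core or init pieces the location is" is now stale, since the hunk turns three helpers into seven; update it to something like `/* helpers to locate an address in the module's init/core rx/rw pieces */`. The upper bounds also quietly change from `<=` to `<` (the old in_init accepted `module_init + init_size`, one past the end), which fixes an off-by-one but is not called out anywhere; a brief note in the commit description or a comment on in_init_rx() would make that intentional. in_local() below the hunk is unchanged and continues outside it.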
1359 @@ -373,13 +395,13 @@ int module_frob_arch_sections(CONST Elf_
1360         }
1361  
1362         /* align things a bit */
1363 -       me->core_size = ALIGN(me->core_size, 16);
1364 -       me->arch.got_offset = me->core_size;
1365 -       me->core_size += gots * sizeof(struct got_entry);
1366 -
1367 -       me->core_size = ALIGN(me->core_size, 16);
1368 -       me->arch.fdesc_offset = me->core_size;
1369 -       me->core_size += fdescs * sizeof(Elf_Fdesc);
1370 +       me->core_size_rw = ALIGN(me->core_size_rw, 16);
1371 +       me->arch.got_offset = me->core_size_rw;
1372 +       me->core_size_rw += gots * sizeof(struct got_entry);
1373 +
1374 +       me->core_size_rw = ALIGN(me->core_size_rw, 16);
1375 +       me->arch.fdesc_offset = me->core_size_rw;
1376 +       me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1377  
1378         me->arch.got_max = gots;
1379         me->arch.fdesc_max = fdescs;
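Review bot: The GOT and function-descriptor areas are now reserved in `core_size_rw`, which means `me->arch.got_offset` and `me->arch.fdesc_offset` are offsets relative to module_core_rw and every consumer must add them to that base; the get_got, get_fdesc and register_unwind_table hunks below do so, but nothing in the code states the invariant. A comment above the alignment block, `/* GOT and fdescs are writable data: reserve them in the rw region; got_offset/fdesc_offset are relative to module_core_rw */`, would keep a future consumer from reaching for module_core_rx. module_frob_arch_sections continues outside the hunk.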
1380 @@ -397,7 +419,7 @@ static Elf64_Word get_got(struct module 
1381  
1382         BUG_ON(value == 0);
1383  
1384 -       got = me->module_core + me->arch.got_offset;
1385 +       got = me->module_core_rw + me->arch.got_offset;
1386         for (i = 0; got[i].addr; i++)
1387                 if (got[i].addr == value)
1388                         goto out;
1389 @@ -415,7 +437,7 @@ static Elf64_Word get_got(struct module 
1390  #ifdef CONFIG_64BIT
1391  static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1392  {
1393 -       Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1394 +       Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1395  
1396         if (!value) {
1397                 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1398 @@ -433,7 +455,7 @@ static Elf_Addr get_fdesc(struct module 
1399  
1400         /* Create new one */
1401         fdesc->addr = value;
1402 -       fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1403 +       fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1404         return (Elf_Addr)fdesc;
1405  }
1406  #endif /* CONFIG_64BIT */
1407 @@ -857,7 +879,7 @@ register_unwind_table(struct module *me,
1408  
1409         table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1410         end = table + sechdrs[me->arch.unwind_section].sh_size;
1411 -       gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1412 +       gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1413  
1414         DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1415                me->arch.unwind_section, table, end, gp);
1416 diff -urNp linux-3.0.9/arch/parisc/kernel/sys_parisc.c linux-3.0.9/arch/parisc/kernel/sys_parisc.c
1417 --- linux-3.0.9/arch/parisc/kernel/sys_parisc.c 2011-11-11 13:12:24.000000000 -0500
1418 +++ linux-3.0.9/arch/parisc/kernel/sys_parisc.c 2011-11-15 20:02:59.000000000 -0500
1419 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1420                 /* At this point:  (!vma || addr < vma->vm_end). */
1421                 if (TASK_SIZE - len < addr)
1422                         return -ENOMEM;
1423 -               if (!vma || addr + len <= vma->vm_start)
1424 +               if (check_heap_stack_gap(vma, addr, len))
1425                         return addr;
1426                 addr = vma->vm_end;
1427         }
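Review bot: `check_heap_stack_gap(vma, addr, len)` replaces `!vma || addr + len <= vma->vm_start`, so the helper has to return true for `vma == NULL`; otherwise the next line, `addr = vma->vm_end;`, dereferences a null pointer. The helper is not part of this hunk, so that property cannot be confirmed here, and the same dependency exists in the get_shared_area hunk just below. A call-site comment would make it explicit, e.g. `/* check_heap_stack_gap() must treat vma == NULL as "fits", like the old !vma test */`. Both enclosing functions start outside their hunks.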
1428 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1429                 /* At this point:  (!vma || addr < vma->vm_end). */
1430                 if (TASK_SIZE - len < addr)
1431                         return -ENOMEM;
1432 -               if (!vma || addr + len <= vma->vm_start)
1433 +               if (check_heap_stack_gap(vma, addr, len))
1434                         return addr;
1435                 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1436                 if (addr < vma->vm_end) /* handle wraparound */
1437 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1438         if (flags & MAP_FIXED)
1439                 return addr;
1440         if (!addr)
1441 -               addr = TASK_UNMAPPED_BASE;
1442 +               addr = current->mm->mmap_base;
1443  
1444         if (filp) {
1445                 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1446 diff -urNp linux-3.0.9/arch/parisc/kernel/traps.c linux-3.0.9/arch/parisc/kernel/traps.c
1447 --- linux-3.0.9/arch/parisc/kernel/traps.c      2011-11-11 13:12:24.000000000 -0500
1448 +++ linux-3.0.9/arch/parisc/kernel/traps.c      2011-11-15 20:02:59.000000000 -0500
1449 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1450  
1451                         down_read(&current->mm->mmap_sem);
1452                         vma = find_vma(current->mm,regs->iaoq[0]);
1453 -                       if (vma && (regs->iaoq[0] >= vma->vm_start)
1454 -                               && (vma->vm_flags & VM_EXEC)) {
1455 -
1456 +                       if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1457                                 fault_address = regs->iaoq[0];
1458                                 fault_space = regs->iasq[0];
1459  
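Review bot: Dropping the `vma->vm_flags & VM_EXEC` test changes which fetch faults take this branch for every configuration, not only when CONFIG_PAX_PAGEEXEC is set, and nothing in the hunk says why. Presumably the intent is to route fetches from non-executable mappings into do_page_fault(), where the PAGEEXEC code in fault.c reports or emulates them, but that is an inference; the else branch and the rest of handle_interruption are outside the hunk. Suggest a comment on the new condition such as `/* do not test VM_EXEC here: do_page_fault() handles fetches from non-exec mappings (PaX PAGEEXEC) */`.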
1460 diff -urNp linux-3.0.9/arch/parisc/mm/fault.c linux-3.0.9/arch/parisc/mm/fault.c
1461 --- linux-3.0.9/arch/parisc/mm/fault.c  2011-11-11 13:12:24.000000000 -0500
1462 +++ linux-3.0.9/arch/parisc/mm/fault.c  2011-11-15 20:02:59.000000000 -0500
1463 @@ -15,6 +15,7 @@
1464  #include <linux/sched.h>
1465  #include <linux/interrupt.h>
1466  #include <linux/module.h>
1467 +#include <linux/unistd.h>
1468  
1469  #include <asm/uaccess.h>
1470  #include <asm/traps.h>
1471 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1472  static unsigned long
1473  parisc_acctyp(unsigned long code, unsigned int inst)
1474  {
1475 -       if (code == 6 || code == 16)
1476 +       if (code == 6 || code == 7 || code == 16)
1477             return VM_EXEC;
1478  
1479         switch (inst & 0xf0000000) {
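Review bot: `code == 7` joins two other bare trap numbers without any indication of what it is, so a reader cannot tell whether the new VM_EXEC classification is correct. Presumably 7 is the instruction-access-rights trap, which a non-executable page would now raise, but the hunk does not say so. A comment naming the codes, e.g. `/* 6, 16: ITLB faults; 7: instruction access rights (non-exec page) — all are fetches */`, or an enum for the three values, would make the condition self-explaining.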
1480 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1481                         }
1482  #endif
1483  
1484 +#ifdef CONFIG_PAX_PAGEEXEC
1485 +/*
1486 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1487 + *
1488 + * returns 1 when task should be killed
1489 + *         2 when rt_sigreturn trampoline was detected
1490 + *         3 when unpatched PLT trampoline was detected
1491 + */
1492 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1493 +{
1494 +
1495 +#ifdef CONFIG_PAX_EMUPLT
1496 +       int err;
1497 +
1498 +       do { /* PaX: unpatched PLT emulation */
1499 +               unsigned int bl, depwi;
1500 +
1501 +               err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1502 +               err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1503 +
1504 +               if (err)
1505 +                       break;
1506 +
1507 +               if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1508 +                       unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1509 +
1510 +                       err = get_user(ldw, (unsigned int *)addr);
1511 +                       err |= get_user(bv, (unsigned int *)(addr+4));
1512 +                       err |= get_user(ldw2, (unsigned int *)(addr+8));
1513 +
1514 +                       if (err)
1515 +                               break;
1516 +
1517 +                       if (ldw == 0x0E801096U &&
1518 +                           bv == 0xEAC0C000U &&
1519 +                           ldw2 == 0x0E881095U)
1520 +                       {
1521 +                               unsigned int resolver, map;
1522 +
1523 +                               err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1524 +                               err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1525 +                               if (err)
1526 +                                       break;
1527 +
1528 +                               regs->gr[20] = instruction_pointer(regs)+8;
1529 +                               regs->gr[21] = map;
1530 +                               regs->gr[22] = resolver;
1531 +                               regs->iaoq[0] = resolver | 3UL;
1532 +                               regs->iaoq[1] = regs->iaoq[0] + 4;
1533 +                               return 3;
1534 +                       }
1535 +               }
1536 +       } while (0);
1537 +#endif
1538 +
1539 +#ifdef CONFIG_PAX_EMUTRAMP
1540 +
1541 +#ifndef CONFIG_PAX_EMUSIGRT
1542 +       if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1543 +               return 1;
1544 +#endif
1545 +
1546 +       do { /* PaX: rt_sigreturn emulation */
1547 +               unsigned int ldi1, ldi2, bel, nop;
1548 +
1549 +               err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1550 +               err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1551 +               err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1552 +               err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1553 +
1554 +               if (err)
1555 +                       break;
1556 +
1557 +               if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1558 +                   ldi2 == 0x3414015AU &&
1559 +                   bel == 0xE4008200U &&
1560 +                   nop == 0x08000240U)
1561 +               {
1562 +                       regs->gr[25] = (ldi1 & 2) >> 1;
1563 +                       regs->gr[20] = __NR_rt_sigreturn;
1564 +                       regs->gr[31] = regs->iaoq[1] + 16;
1565 +                       regs->sr[0] = regs->iasq[1];
1566 +                       regs->iaoq[0] = 0x100UL;
1567 +                       regs->iaoq[1] = regs->iaoq[0] + 4;
1568 +                       regs->iasq[0] = regs->sr[2];
1569 +                       regs->iasq[1] = regs->sr[2];
1570 +                       return 2;
1571 +               }
1572 +       } while (0);
1573 +#endif
1574 +
1575 +       return 1;
1576 +}
1577 +
1578 +void pax_report_insns(void *pc, void *sp)
1579 +{
1580 +       unsigned long i;
1581 +
1582 +       printk(KERN_ERR "PAX: bytes at PC: ");
1583 +       for (i = 0; i < 5; i++) {
1584 +               unsigned int c;
1585 +               if (get_user(c, (unsigned int *)pc+i))
1586 +                       printk(KERN_CONT "???????? ");
1587 +               else
1588 +                       printk(KERN_CONT "%08x ", c);
1589 +       }
1590 +       printk("\n");
1591 +}
1592 +#endif
1593 +
1594  int fixup_exception(struct pt_regs *regs)
1595  {
1596         const struct exception_table_entry *fix;
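Review bot: `err` is declared only inside `#ifdef CONFIG_PAX_EMUPLT` but is assigned in the `CONFIG_PAX_EMUTRAMP` block as well, so a build with EMUTRAMP enabled and EMUPLT disabled fails to compile pax_handle_fetch_fault. Move the declaration above the first `#ifdef`, at the blank line that opens the function body: `int err;`. Separately, `unsigned int ... addr = instruction_pointer(regs)-12;` truncates the fault address to 32 bits before it is cast back to a pointer; if this path is only ever reached for 32-bit user code that deserves a comment, otherwise `addr` should be `unsigned long`. The user-pointer casts also lack `__user`, which sparse will flag.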
1597 @@ -192,8 +303,33 @@ good_area:
1598  
1599         acc_type = parisc_acctyp(code,regs->iir);
1600  
1601 -       if ((vma->vm_flags & acc_type) != acc_type)
1602 +       if ((vma->vm_flags & acc_type) != acc_type) {
1603 +
1604 +#ifdef CONFIG_PAX_PAGEEXEC
1605 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1606 +                   (address & ~3UL) == instruction_pointer(regs))
1607 +               {
1608 +                       up_read(&mm->mmap_sem);
1609 +                       switch (pax_handle_fetch_fault(regs)) {
1610 +
1611 +#ifdef CONFIG_PAX_EMUPLT
1612 +                       case 3:
1613 +                               return;
1614 +#endif
1615 +
1616 +#ifdef CONFIG_PAX_EMUTRAMP
1617 +                       case 2:
1618 +                               return;
1619 +#endif
1620 +
1621 +                       }
1622 +                       pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1623 +                       do_group_exit(SIGKILL);
1624 +               }
1625 +#endif
1626 +
1627                 goto bad_area;
1628 +       }
1629  
1630         /*
1631          * If for any reason at all we couldn't handle the fault, make
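Review bot: The `switch` on pax_handle_fetch_fault() has no `default` and, with neither EMUPLT nor EMUTRAMP configured, an empty body, so the fact that every other return value (the documented 1, "kill") falls through to pax_report_fault() and do_group_exit() is only implied. Add `default: break; /* 1: kill the task below */` inside the switch so the contract is visible and compilers do not warn about an empty switch. The enclosing do_page_fault() starts outside the hunk, so the `void` return assumed by the bare `return;` statements cannot be confirmed here.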
1632 diff -urNp linux-3.0.9/arch/powerpc/include/asm/elf.h linux-3.0.9/arch/powerpc/include/asm/elf.h
1633 --- linux-3.0.9/arch/powerpc/include/asm/elf.h  2011-11-11 13:12:24.000000000 -0500
1634 +++ linux-3.0.9/arch/powerpc/include/asm/elf.h  2011-11-15 20:02:59.000000000 -0500
1635 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1636     the loader.  We need to make sure that it is out of the way of the program
1637     that it will "exec", and that there is sufficient room for the brk.  */
1638  
1639 -extern unsigned long randomize_et_dyn(unsigned long base);
1640 -#define ELF_ET_DYN_BASE                (randomize_et_dyn(0x20000000))
1641 +#define ELF_ET_DYN_BASE                (0x20000000)
1642 +
1643 +#ifdef CONFIG_PAX_ASLR
1644 +#define PAX_ELF_ET_DYN_BASE    (0x10000000UL)
1645 +
1646 +#ifdef __powerpc64__
1647 +#define PAX_DELTA_MMAP_LEN     (is_32bit_task() ? 16 : 28)
1648 +#define PAX_DELTA_STACK_LEN    (is_32bit_task() ? 16 : 28)
1649 +#else
1650 +#define PAX_DELTA_MMAP_LEN     15
1651 +#define PAX_DELTA_STACK_LEN    15
1652 +#endif
1653 +#endif
1654  
1655  /*
1656   * Our registers are always unsigned longs, whether we're a 32 bit
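Review bot: `ELF_ET_DYN_BASE` becomes a fixed `0x20000000` and the upstream `randomize_et_dyn()` declaration is removed, so a kernel built without CONFIG_PAX_ASLR loads PIE binaries at a constant address. The next hunk removes `arch_randomize_brk` the same way and the system.h hunk turns `arch_align_stack()` into a plain mask, which together drop all of upstream's ET_DYN, brk and stack-top randomization unconditionally; whether PaX provides replacements for the non-ASLR configuration cannot be seen here. Either keep the upstream definitions under `#ifndef CONFIG_PAX_ASLR`, or add a comment stating where the replacement randomization lives, e.g. `/* randomization is applied by PaX (CONFIG_PAX_ASLR), not here */`.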
1657 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
1658         (0x7ff >> (PAGE_SHIFT - 12)) : \
1659         (0x3ffff >> (PAGE_SHIFT - 12)))
1660  
1661 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1662 -#define arch_randomize_brk arch_randomize_brk
1663 -
1664  #endif /* __KERNEL__ */
1665  
1666  /*
1667 diff -urNp linux-3.0.9/arch/powerpc/include/asm/kmap_types.h linux-3.0.9/arch/powerpc/include/asm/kmap_types.h
1668 --- linux-3.0.9/arch/powerpc/include/asm/kmap_types.h   2011-11-11 13:12:24.000000000 -0500
1669 +++ linux-3.0.9/arch/powerpc/include/asm/kmap_types.h   2011-11-15 20:02:59.000000000 -0500
1670 @@ -27,6 +27,7 @@ enum km_type {
1671         KM_PPC_SYNC_PAGE,
1672         KM_PPC_SYNC_ICACHE,
1673         KM_KDB,
1674 +       KM_CLEARPAGE,
1675         KM_TYPE_NR
1676  };
1677  
1678 diff -urNp linux-3.0.9/arch/powerpc/include/asm/mman.h linux-3.0.9/arch/powerpc/include/asm/mman.h
1679 --- linux-3.0.9/arch/powerpc/include/asm/mman.h 2011-11-11 13:12:24.000000000 -0500
1680 +++ linux-3.0.9/arch/powerpc/include/asm/mman.h 2011-11-15 20:02:59.000000000 -0500
1681 @@ -44,7 +44,7 @@ static inline unsigned long arch_calc_vm
1682  }
1683  #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
1684  
1685 -static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
1686 +static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
1687  {
1688         return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
1689  }
1690 diff -urNp linux-3.0.9/arch/powerpc/include/asm/page_64.h linux-3.0.9/arch/powerpc/include/asm/page_64.h
1691 --- linux-3.0.9/arch/powerpc/include/asm/page_64.h      2011-11-11 13:12:24.000000000 -0500
1692 +++ linux-3.0.9/arch/powerpc/include/asm/page_64.h      2011-11-15 20:02:59.000000000 -0500
1693 @@ -155,15 +155,18 @@ do {                                              \
1694   * stack by default, so in the absence of a PT_GNU_STACK program header
1695   * we turn execute permission off.
1696   */
1697 -#define VM_STACK_DEFAULT_FLAGS32       (VM_READ | VM_WRITE | VM_EXEC | \
1698 -                                        VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1699 +#define VM_STACK_DEFAULT_FLAGS32 \
1700 +       (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1701 +        VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1702  
1703  #define VM_STACK_DEFAULT_FLAGS64       (VM_READ | VM_WRITE | \
1704                                          VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1705  
1706 +#ifndef CONFIG_PAX_PAGEEXEC
1707  #define VM_STACK_DEFAULT_FLAGS \
1708         (is_32bit_task() ? \
1709          VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
1710 +#endif
1711  
1712  #include <asm-generic/getorder.h>
1713  
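Review bot: Under CONFIG_PAX_PAGEEXEC this header now leaves `VM_STACK_DEFAULT_FLAGS` undefined with nothing indicating where the PAGEEXEC definition comes from; add `/* CONFIG_PAX_PAGEEXEC: VM_STACK_DEFAULT_FLAGS is defined by the PaX mm code */` next to the `#ifndef` (hedged: the actual location is outside this hunk). The comment above the macro still says execute permission is simply turned off absent PT_GNU_STACK, whereas `VM_STACK_DEFAULT_FLAGS32` now also honours `READ_IMPLIES_EXEC`; the same applies to `VM_DATA_DEFAULT_FLAGS32` in the page.h hunk below, whose header comment says the whole heap ends up executable.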
1714 diff -urNp linux-3.0.9/arch/powerpc/include/asm/page.h linux-3.0.9/arch/powerpc/include/asm/page.h
1715 --- linux-3.0.9/arch/powerpc/include/asm/page.h 2011-11-11 13:12:24.000000000 -0500
1716 +++ linux-3.0.9/arch/powerpc/include/asm/page.h 2011-11-15 20:02:59.000000000 -0500
1717 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
1718   * and needs to be executable.  This means the whole heap ends
1719   * up being executable.
1720   */
1721 -#define VM_DATA_DEFAULT_FLAGS32        (VM_READ | VM_WRITE | VM_EXEC | \
1722 -                                VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1723 +#define VM_DATA_DEFAULT_FLAGS32 \
1724 +       (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1725 +        VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1726  
1727  #define VM_DATA_DEFAULT_FLAGS64        (VM_READ | VM_WRITE | \
1728                                  VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1729 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
1730  #define is_kernel_addr(x)      ((x) >= PAGE_OFFSET)
1731  #endif
1732  
1733 +#define ktla_ktva(addr)                (addr)
1734 +#define ktva_ktla(addr)                (addr)
1735 +
1736  #ifndef __ASSEMBLY__
1737  
1738  #undef STRICT_MM_TYPECHECKS
1739 diff -urNp linux-3.0.9/arch/powerpc/include/asm/pgtable.h linux-3.0.9/arch/powerpc/include/asm/pgtable.h
1740 --- linux-3.0.9/arch/powerpc/include/asm/pgtable.h      2011-11-11 13:12:24.000000000 -0500
1741 +++ linux-3.0.9/arch/powerpc/include/asm/pgtable.h      2011-11-15 20:02:59.000000000 -0500
1742 @@ -2,6 +2,7 @@
1743  #define _ASM_POWERPC_PGTABLE_H
1744  #ifdef __KERNEL__
1745  
1746 +#include <linux/const.h>
1747  #ifndef __ASSEMBLY__
1748  #include <asm/processor.h>             /* For TASK_SIZE */
1749  #include <asm/mmu.h>
1750 diff -urNp linux-3.0.9/arch/powerpc/include/asm/pte-hash32.h linux-3.0.9/arch/powerpc/include/asm/pte-hash32.h
1751 --- linux-3.0.9/arch/powerpc/include/asm/pte-hash32.h   2011-11-11 13:12:24.000000000 -0500
1752 +++ linux-3.0.9/arch/powerpc/include/asm/pte-hash32.h   2011-11-15 20:02:59.000000000 -0500
1753 @@ -21,6 +21,7 @@
1754  #define _PAGE_FILE     0x004   /* when !present: nonlinear file mapping */
1755  #define _PAGE_USER     0x004   /* usermode access allowed */
1756  #define _PAGE_GUARDED  0x008   /* G: prohibit speculative access */
1757 +#define _PAGE_EXEC     _PAGE_GUARDED
1758  #define _PAGE_COHERENT 0x010   /* M: enforce memory coherence (SMP systems) */
1759  #define _PAGE_NO_CACHE 0x020   /* I: cache inhibit */
1760  #define _PAGE_WRITETHRU        0x040   /* W: cache write-through */
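Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` repurposes the hash32 Guarded bit without a comment, and the polarity is not obvious: read literally, executable pages get G set, while the new `DSISR_GUARDED` in the reg.h hunk suggests fetches from guarded storage are what should trap. Presumably the bit is inverted when the PTE is built so that non-executable pages end up guarded, but that code is not in this hunk. Suggest `/* no per-page NX on hash32: PaX repurposes G so that instruction fetches from non-exec pages fault (see DSISR_GUARDED) */`, and note that G also inhibits speculative data access, which may affect performance on pages now carrying it.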
1761 diff -urNp linux-3.0.9/arch/powerpc/include/asm/reg.h linux-3.0.9/arch/powerpc/include/asm/reg.h
1762 --- linux-3.0.9/arch/powerpc/include/asm/reg.h  2011-11-11 13:12:24.000000000 -0500
1763 +++ linux-3.0.9/arch/powerpc/include/asm/reg.h  2011-11-15 20:02:59.000000000 -0500
1764 @@ -209,6 +209,7 @@
1765  #define SPRN_DBCR      0x136   /* e300 Data Breakpoint Control Reg */
1766  #define SPRN_DSISR     0x012   /* Data Storage Interrupt Status Register */
1767  #define   DSISR_NOHPTE         0x40000000      /* no translation found */
1768 +#define   DSISR_GUARDED                0x10000000      /* fetch from guarded storage */
1769  #define   DSISR_PROTFAULT      0x08000000      /* protection fault */
1770  #define   DSISR_ISSTORE                0x02000000      /* access was a store */
1771  #define   DSISR_DABRMATCH      0x00400000      /* hit data breakpoint */
1772 diff -urNp linux-3.0.9/arch/powerpc/include/asm/system.h linux-3.0.9/arch/powerpc/include/asm/system.h
1773 --- linux-3.0.9/arch/powerpc/include/asm/system.h       2011-11-11 13:12:24.000000000 -0500
1774 +++ linux-3.0.9/arch/powerpc/include/asm/system.h       2011-11-15 20:02:59.000000000 -0500
1775 @@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
1776  #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
1777  #endif
1778  
1779 -extern unsigned long arch_align_stack(unsigned long sp);
1780 +#define arch_align_stack(x) ((x) & ~0xfUL)
1781  
1782  /* Used in very early kernel initialization. */
1783  extern unsigned long reloc_offset(void);
1784 diff -urNp linux-3.0.9/arch/powerpc/include/asm/uaccess.h linux-3.0.9/arch/powerpc/include/asm/uaccess.h
1785 --- linux-3.0.9/arch/powerpc/include/asm/uaccess.h      2011-11-11 13:12:24.000000000 -0500
1786 +++ linux-3.0.9/arch/powerpc/include/asm/uaccess.h      2011-11-15 20:02:59.000000000 -0500
1787 @@ -13,6 +13,8 @@
1788  #define VERIFY_READ    0
1789  #define VERIFY_WRITE   1
1790  
1791 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
1792 +
1793  /*
1794   * The fs value determines whether argument validity checking should be
1795   * performed or not.  If get_fs() == USER_DS, checking is performed, with
1796 @@ -327,52 +329,6 @@ do {                                                               \
1797  extern unsigned long __copy_tofrom_user(void __user *to,
1798                 const void __user *from, unsigned long size);
1799  
1800 -#ifndef __powerpc64__
1801 -
1802 -static inline unsigned long copy_from_user(void *to,
1803 -               const void __user *from, unsigned long n)
1804 -{
1805 -       unsigned long over;
1806 -
1807 -       if (access_ok(VERIFY_READ, from, n))
1808 -               return __copy_tofrom_user((__force void __user *)to, from, n);
1809 -       if ((unsigned long)from < TASK_SIZE) {
1810 -               over = (unsigned long)from + n - TASK_SIZE;
1811 -               return __copy_tofrom_user((__force void __user *)to, from,
1812 -                               n - over) + over;
1813 -       }
1814 -       return n;
1815 -}
1816 -
1817 -static inline unsigned long copy_to_user(void __user *to,
1818 -               const void *from, unsigned long n)
1819 -{
1820 -       unsigned long over;
1821 -
1822 -       if (access_ok(VERIFY_WRITE, to, n))
1823 -               return __copy_tofrom_user(to, (__force void __user *)from, n);
1824 -       if ((unsigned long)to < TASK_SIZE) {
1825 -               over = (unsigned long)to + n - TASK_SIZE;
1826 -               return __copy_tofrom_user(to, (__force void __user *)from,
1827 -                               n - over) + over;
1828 -       }
1829 -       return n;
1830 -}
1831 -
1832 -#else /* __powerpc64__ */
1833 -
1834 -#define __copy_in_user(to, from, size) \
1835 -       __copy_tofrom_user((to), (from), (size))
1836 -
1837 -extern unsigned long copy_from_user(void *to, const void __user *from,
1838 -                                   unsigned long n);
1839 -extern unsigned long copy_to_user(void __user *to, const void *from,
1840 -                                 unsigned long n);
1841 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
1842 -                                 unsigned long n);
1843 -
1844 -#endif /* __powerpc64__ */
1845 -
1846  static inline unsigned long __copy_from_user_inatomic(void *to,
1847                 const void __user *from, unsigned long n)
1848  {
1849 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
1850                 if (ret == 0)
1851                         return 0;
1852         }
1853 +
1854 +       if (!__builtin_constant_p(n))
1855 +               check_object_size(to, n, false);
1856 +
1857         return __copy_tofrom_user((__force void __user *)to, from, n);
1858  }
1859  
1860 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
1861                 if (ret == 0)
1862                         return 0;
1863         }
1864 +
1865 +       if (!__builtin_constant_p(n))
1866 +               check_object_size(from, n, true);
1867 +
1868         return __copy_tofrom_user(to, (__force const void __user *)from, n);
1869  }
1870  
1871 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
1872         return __copy_to_user_inatomic(to, from, size);
1873  }
1874  
1875 +#ifndef __powerpc64__
1876 +
1877 +static inline unsigned long __must_check copy_from_user(void *to,
1878 +               const void __user *from, unsigned long n)
1879 +{
1880 +       unsigned long over;
1881 +
1882 +       if ((long)n < 0)
1883 +               return n;
1884 +
1885 +       if (access_ok(VERIFY_READ, from, n)) {
1886 +               if (!__builtin_constant_p(n))
1887 +                       check_object_size(to, n, false);
1888 +               return __copy_tofrom_user((__force void __user *)to, from, n);
1889 +       }
1890 +       if ((unsigned long)from < TASK_SIZE) {
1891 +               over = (unsigned long)from + n - TASK_SIZE;
1892 +               if (!__builtin_constant_p(n - over))
1893 +                       check_object_size(to, n - over, false);
1894 +               return __copy_tofrom_user((__force void __user *)to, from,
1895 +                               n - over) + over;
1896 +       }
1897 +       return n;
1898 +}
1899 +
1900 +static inline unsigned long __must_check copy_to_user(void __user *to,
1901 +               const void *from, unsigned long n)
1902 +{
1903 +       unsigned long over;
1904 +
1905 +       if ((long)n < 0)
1906 +               return n;
1907 +
1908 +       if (access_ok(VERIFY_WRITE, to, n)) {
1909 +               if (!__builtin_constant_p(n))
1910 +                       check_object_size(from, n, true);
1911 +               return __copy_tofrom_user(to, (__force void __user *)from, n);
1912 +       }
1913 +       if ((unsigned long)to < TASK_SIZE) {
1914 +               over = (unsigned long)to + n - TASK_SIZE;
1915 +               if (!__builtin_constant_p(n))
1916 +                       check_object_size(from, n - over, true);
1917 +               return __copy_tofrom_user(to, (__force void __user *)from,
1918 +                               n - over) + over;
1919 +       }
1920 +       return n;
1921 +}
1922 +
1923 +#else /* __powerpc64__ */
1924 +
1925 +#define __copy_in_user(to, from, size) \
1926 +       __copy_tofrom_user((to), (from), (size))
1927 +
1928 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
1929 +{
1930 +       if ((long)n < 0 || n > INT_MAX)
1931 +               return n;
1932 +
1933 +       if (!__builtin_constant_p(n))
1934 +               check_object_size(to, n, false);
1935 +
1936 +       if (likely(access_ok(VERIFY_READ, from, n)))
1937 +               n = __copy_from_user(to, from, n);
1938 +       else
1939 +               memset(to, 0, n);
1940 +       return n;
1941 +}
1942 +
1943 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
1944 +{
1945 +       if ((long)n < 0 || n > INT_MAX)
1946 +               return n;
1947 +
1948 +       if (likely(access_ok(VERIFY_WRITE, to, n))) {
1949 +               if (!__builtin_constant_p(n))
1950 +                       check_object_size(from, n, true);
1951 +               n = __copy_to_user(to, from, n);
1952 +       }
1953 +       return n;
1954 +}
1955 +
1956 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
1957 +                                 unsigned long n);
1958 +
1959 +#endif /* __powerpc64__ */
1960 +
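Review bot: The 32-bit copy_to_user tests `__builtin_constant_p(n)` but then checks `n - over`, whereas copy_from_user above tests `__builtin_constant_p(n - over)` for the same partial-overlap path; the two should agree, `if (!__builtin_constant_p(n - over))`. Separately, the 32-bit copy_from_user returns the uncopied `over` bytes without zeroing the tail of `to`, while the 64-bit variant memsets the buffer when access_ok() fails; if that asymmetry is pre-existing it still deserves a comment, since callers that ignore the return value would read whatever was already in the destination. The `n > INT_MAX` guard is also applied only on 64-bit, which is fine but worth stating next to the `(long)n < 0` checks.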
1961  extern unsigned long __clear_user(void __user *addr, unsigned long size);
1962  
1963  static inline unsigned long clear_user(void __user *addr, unsigned long size)
1964 diff -urNp linux-3.0.9/arch/powerpc/kernel/exceptions-64e.S linux-3.0.9/arch/powerpc/kernel/exceptions-64e.S
1965 --- linux-3.0.9/arch/powerpc/kernel/exceptions-64e.S    2011-11-11 13:12:24.000000000 -0500
1966 +++ linux-3.0.9/arch/powerpc/kernel/exceptions-64e.S    2011-11-15 20:02:59.000000000 -0500
1967 @@ -567,6 +567,7 @@ storage_fault_common:
1968         std     r14,_DAR(r1)
1969         std     r15,_DSISR(r1)
1970         addi    r3,r1,STACK_FRAME_OVERHEAD
1971 +       bl      .save_nvgprs
1972         mr      r4,r14
1973         mr      r5,r15
1974         ld      r14,PACA_EXGEN+EX_R14(r13)
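Review bot: `bl .save_nvgprs` now runs on every storage fault rather than only on the error path, which adds cost to the hottest fault path, and the hunk gives no reason. Presumably do_page_fault() may now modify non-volatile registers (the PaX emulation paths), so the saved copies must be current before the call, but that is an inference. Add a comment on the new line, e.g. `/* do_page_fault() may modify non-volatile regs (PaX emulation) */`; the same change and the same missing rationale appear in the second exceptions-64e.S hunk and in the exceptions-64s.S handle_page_fault hunk.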
1975 @@ -576,8 +577,7 @@ storage_fault_common:
1976         cmpdi   r3,0
1977         bne-    1f
1978         b       .ret_from_except_lite
1979 -1:     bl      .save_nvgprs
1980 -       mr      r5,r3
1981 +1:     mr      r5,r3
1982         addi    r3,r1,STACK_FRAME_OVERHEAD
1983         ld      r4,_DAR(r1)
1984         bl      .bad_page_fault
1985 diff -urNp linux-3.0.9/arch/powerpc/kernel/exceptions-64s.S linux-3.0.9/arch/powerpc/kernel/exceptions-64s.S
1986 --- linux-3.0.9/arch/powerpc/kernel/exceptions-64s.S    2011-11-11 13:12:24.000000000 -0500
1987 +++ linux-3.0.9/arch/powerpc/kernel/exceptions-64s.S    2011-11-15 20:02:59.000000000 -0500
1988 @@ -956,10 +956,10 @@ handle_page_fault:
1989  11:    ld      r4,_DAR(r1)
1990         ld      r5,_DSISR(r1)
1991         addi    r3,r1,STACK_FRAME_OVERHEAD
1992 +       bl      .save_nvgprs
1993         bl      .do_page_fault
1994         cmpdi   r3,0
1995         beq+    13f
1996 -       bl      .save_nvgprs
1997         mr      r5,r3
1998         addi    r3,r1,STACK_FRAME_OVERHEAD
1999         lwz     r4,_DAR(r1)
2000 diff -urNp linux-3.0.9/arch/powerpc/kernel/module_32.c linux-3.0.9/arch/powerpc/kernel/module_32.c
2001 --- linux-3.0.9/arch/powerpc/kernel/module_32.c 2011-11-11 13:12:24.000000000 -0500
2002 +++ linux-3.0.9/arch/powerpc/kernel/module_32.c 2011-11-15 20:02:59.000000000 -0500
2003 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2004                         me->arch.core_plt_section = i;
2005         }
2006         if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2007 -               printk("Module doesn't contain .plt or .init.plt sections.\n");
2008 +               printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2009                 return -ENOEXEC;
2010         }
2011  
2012 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2013  
2014         DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2015         /* Init, or core PLT? */
2016 -       if (location >= mod->module_core
2017 -           && location < mod->module_core + mod->core_size)
2018 +       if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2019 +           (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2020                 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2021 -       else
2022 +       else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2023 +                (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2024                 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2025 +       else {
2026 +               printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2027 +               return ~0UL;
2028 +       }
2029  
2030         /* Find this entry, or if that fails, the next avail. entry */
2031         while (entry->jump[0]) {
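Review bot: `return ~0UL;` is returned from a function declared `static uint32_t do_plt_call`, so the value is truncated to `0xffffffff`; write `return ~0U;` to match the return type and spell out that the sentinel is intentional. The caller must recognise that sentinel and refuse to emit a relocation against it, but the caller is outside this hunk and cannot be checked here. A comment on the new error branch, `/* caller must treat ~0U as "no PLT" and fail the relocation */`, would document the contract.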
2032 diff -urNp linux-3.0.9/arch/powerpc/kernel/module.c linux-3.0.9/arch/powerpc/kernel/module.c
2033 --- linux-3.0.9/arch/powerpc/kernel/module.c    2011-11-11 13:12:24.000000000 -0500
2034 +++ linux-3.0.9/arch/powerpc/kernel/module.c    2011-11-15 20:02:59.000000000 -0500
2035 @@ -31,11 +31,24 @@
2036  
2037  LIST_HEAD(module_bug_list);
2038  
2039 +#ifdef CONFIG_PAX_KERNEXEC
2040  void *module_alloc(unsigned long size)
2041  {
2042         if (size == 0)
2043                 return NULL;
2044  
2045 +       return vmalloc(size);
2046 +}
2047 +
2048 +void *module_alloc_exec(unsigned long size)
2049 +#else
2050 +void *module_alloc(unsigned long size)
2051 +#endif
2052 +
2053 +{
2054 +       if (size == 0)
2055 +               return NULL;
2056 +
2057         return vmalloc_exec(size);
2058  }
2059  
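Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` splices the signature of `module_alloc_exec` (or, in the `#else` branch, `module_alloc`) onto a shared body across a blank line, which hides that the KERNEXEC build has two functions and the non-KERNEXEC build one. Writing `module_alloc_exec` as a complete function inside the `#ifdef` and the non-KERNEXEC `module_alloc` as a complete function in the `#else` costs a few duplicated lines but leaves each definition readable on its own. A comment such as `/* KERNEXEC: module_alloc() returns RW memory; executable text comes from module_alloc_exec() */` would also state the split the hunk introduces.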
2060 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2061         vfree(module_region);
2062  }
2063  
2064 +#ifdef CONFIG_PAX_KERNEXEC
2065 +void module_free_exec(struct module *mod, void *module_region)
2066 +{
2067 +       module_free(mod, module_region);
2068 +}
2069 +#endif
2070 +
2071  static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2072                                     const Elf_Shdr *sechdrs,
2073                                     const char *name)
2074 diff -urNp linux-3.0.9/arch/powerpc/kernel/process.c linux-3.0.9/arch/powerpc/kernel/process.c
2075 --- linux-3.0.9/arch/powerpc/kernel/process.c   2011-11-11 13:12:24.000000000 -0500
2076 +++ linux-3.0.9/arch/powerpc/kernel/process.c   2011-11-15 20:02:59.000000000 -0500
2077 @@ -676,8 +676,8 @@ void show_regs(struct pt_regs * regs)
2078          * Lookup NIP late so we have the best change of getting the
2079          * above info out without failing
2080          */
2081 -       printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2082 -       printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2083 +       printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2084 +       printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2085  #endif
2086         show_stack(current, (unsigned long *) regs->gpr[1]);
2087         if (!user_mode(regs))
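Review bot: `%pA` is not a format that upstream printk() understands, so its implementation must come from elsewhere in the patch; nothing here says what it prints, and `-Wformat`-style checkers will not recognise it. If the purpose is to print the symbol without the raw address, note that the `["REG"]` that precedes each `%pA` still prints `regs->nip`, `regs->link`, `ip` and `lr` verbatim, so any hiding is undone on the same line; that is an inference about `%pA` that the hunk cannot confirm. A comment at the first use, `/* %pA: PaX symbol formatter (see lib/vsprintf.c hunk) */`, would help; the same applies to the two show_stack hunks below.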
2088 @@ -1183,10 +1183,10 @@ void show_stack(struct task_struct *tsk,
2089                 newsp = stack[0];
2090                 ip = stack[STACK_FRAME_LR_SAVE];
2091                 if (!firstframe || ip != lr) {
2092 -                       printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2093 +                       printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2094  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2095                         if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2096 -                               printk(" (%pS)",
2097 +                               printk(" (%pA)",
2098                                        (void *)current->ret_stack[curr_frame].ret);
2099                                 curr_frame--;
2100                         }
2101 @@ -1206,7 +1206,7 @@ void show_stack(struct task_struct *tsk,
2102                         struct pt_regs *regs = (struct pt_regs *)
2103                                 (sp + STACK_FRAME_OVERHEAD);
2104                         lr = regs->link;
2105 -                       printk("--- Exception: %lx at %pS\n    LR = %pS\n",
2106 +                       printk("--- Exception: %lx at %pA\n    LR = %pA\n",
2107                                regs->trap, (void *)regs->nip, (void *)lr);
2108                         firstframe = 1;
2109                 }
2110 @@ -1281,58 +1281,3 @@ void thread_info_cache_init(void)
2111  }
2112  
2113  #endif /* THREAD_SHIFT < PAGE_SHIFT */
2114 -
2115 -unsigned long arch_align_stack(unsigned long sp)
2116 -{
2117 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2118 -               sp -= get_random_int() & ~PAGE_MASK;
2119 -       return sp & ~0xf;
2120 -}
2121 -
2122 -static inline unsigned long brk_rnd(void)
2123 -{
2124 -        unsigned long rnd = 0;
2125 -
2126 -       /* 8MB for 32bit, 1GB for 64bit */
2127 -       if (is_32bit_task())
2128 -               rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2129 -       else
2130 -               rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2131 -
2132 -       return rnd << PAGE_SHIFT;
2133 -}
2134 -
2135 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2136 -{
2137 -       unsigned long base = mm->brk;
2138 -       unsigned long ret;
2139 -
2140 -#ifdef CONFIG_PPC_STD_MMU_64
2141 -       /*
2142 -        * If we are using 1TB segments and we are allowed to randomise
2143 -        * the heap, we can put it above 1TB so it is backed by a 1TB
2144 -        * segment. Otherwise the heap will be in the bottom 1TB
2145 -        * which always uses 256MB segments and this may result in a
2146 -        * performance penalty.
2147 -        */
2148 -       if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2149 -               base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2150 -#endif
2151 -
2152 -       ret = PAGE_ALIGN(base + brk_rnd());
2153 -
2154 -       if (ret < mm->brk)
2155 -               return mm->brk;
2156 -
2157 -       return ret;
2158 -}
2159 -
2160 -unsigned long randomize_et_dyn(unsigned long base)
2161 -{
2162 -       unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2163 -
2164 -       if (ret < base)
2165 -               return base;
2166 -
2167 -       return ret;
2168 -}
2169 diff -urNp linux-3.0.9/arch/powerpc/kernel/signal_32.c linux-3.0.9/arch/powerpc/kernel/signal_32.c
2170 --- linux-3.0.9/arch/powerpc/kernel/signal_32.c 2011-11-11 13:12:24.000000000 -0500
2171 +++ linux-3.0.9/arch/powerpc/kernel/signal_32.c 2011-11-15 20:02:59.000000000 -0500
2172 @@ -859,7 +859,7 @@ int handle_rt_signal32(unsigned long sig
2173         /* Save user registers on the stack */
2174         frame = &rt_sf->uc.uc_mcontext;
2175         addr = frame;
2176 -       if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2177 +       if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2178                 if (save_user_regs(regs, frame, 0, 1))
2179                         goto badframe;
2180                 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
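Review bot: The sentinel change is only as safe as every other reader of `vdso_base` in this file; handle_signal32(), the non-RT path, tests `current->mm->context.vdso_base` for non-zero in the unpatched 3.0 tree, and if it is not updated the same way, a process whose vDSO was not set up (vdso_base now `~0UL`) gets `regs->link = ~0UL + vdso32_sigtramp`, a wrapped return address, instead of the on-stack trampoline. The matching test in handle_rt_signal64() in signal_64.c is covered at L2192; please confirm there is no third site. handle_rt_signal32() starts and ends outside the hunk.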
2181 diff -urNp linux-3.0.9/arch/powerpc/kernel/signal_64.c linux-3.0.9/arch/powerpc/kernel/signal_64.c
2182 --- linux-3.0.9/arch/powerpc/kernel/signal_64.c 2011-11-11 13:12:24.000000000 -0500
2183 +++ linux-3.0.9/arch/powerpc/kernel/signal_64.c 2011-11-15 20:02:59.000000000 -0500
2184 @@ -430,7 +430,7 @@ int handle_rt_signal64(int signr, struct
2185         current->thread.fpscr.val = 0;
2186  
2187         /* Set up to return from userspace. */
2188 -       if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2189 +       if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2190                 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2191         } else {
2192                 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2193 diff -urNp linux-3.0.9/arch/powerpc/kernel/traps.c linux-3.0.9/arch/powerpc/kernel/traps.c
2194 --- linux-3.0.9/arch/powerpc/kernel/traps.c     2011-11-11 13:12:24.000000000 -0500
2195 +++ linux-3.0.9/arch/powerpc/kernel/traps.c     2011-11-15 20:02:59.000000000 -0500
2196 @@ -98,6 +98,8 @@ static void pmac_backlight_unblank(void)
2197  static inline void pmac_backlight_unblank(void) { }
2198  #endif
2199  
2200 +extern void gr_handle_kernel_exploit(void);
2201 +
2202  int die(const char *str, struct pt_regs *regs, long err)
2203  {
2204         static struct {
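Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c instead of in a header shared with the definition, so the prototype and the definition are never checked against each other and each architecture's die() gains its own copy of the line; checkpatch flags externs in .c files for exactly this reason. Include the grsecurity header that declares it (or add the declaration there if none does) and drop the local extern. die() starts outside this hunk and the call site is in the next hunk (L2212).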
2205 @@ -171,6 +173,8 @@ int die(const char *str, struct pt_regs 
2206         if (panic_on_oops)
2207                 panic("Fatal exception");
2208  
2209 +       gr_handle_kernel_exploit();
2210 +
2211         oops_exit();
2212         do_exit(err);
2213  
2214 diff -urNp linux-3.0.9/arch/powerpc/kernel/vdso.c linux-3.0.9/arch/powerpc/kernel/vdso.c
2215 --- linux-3.0.9/arch/powerpc/kernel/vdso.c      2011-11-11 13:12:24.000000000 -0500
2216 +++ linux-3.0.9/arch/powerpc/kernel/vdso.c      2011-11-15 20:02:59.000000000 -0500
2217 @@ -36,6 +36,7 @@
2218  #include <asm/firmware.h>
2219  #include <asm/vdso.h>
2220  #include <asm/vdso_datapage.h>
2221 +#include <asm/mman.h>
2222  
2223  #include "setup.h"
2224  
2225 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2226         vdso_base = VDSO32_MBASE;
2227  #endif
2228  
2229 -       current->mm->context.vdso_base = 0;
2230 +       current->mm->context.vdso_base = ~0UL;
2231  
2232         /* vDSO has a problem and was disabled, just don't "enable" it for the
2233          * process
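Review bot: `~0UL` is now the "no vDSO" sentinel here and in the signal_32.c/signal_64.c tests (L2180, L2192), but it appears as a bare literal in three files; a named constant in asm/vdso.h (constructed example: `#define VDSO_BASE_NONE (~0UL)`) would keep the sites from drifting apart. Also check the install_special_mapping() failure path later in this function, which in the unpatched 3.0 tree resets `vdso_base` to 0 and is not part of this hunk: left as is, a process whose vDSO mapping failed would be treated by the signal code as having a vDSO at address 0. arch_setup_additional_pages() starts and ends outside the hunk.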
2234 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2235         vdso_base = get_unmapped_area(NULL, vdso_base,
2236                                       (vdso_pages << PAGE_SHIFT) +
2237                                       ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2238 -                                     0, 0);
2239 +                                     0, MAP_PRIVATE | MAP_EXECUTABLE);
2240         if (IS_ERR_VALUE(vdso_base)) {
2241                 rc = vdso_base;
2242                 goto fail_mmapsem;
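Review bot: Passing `MAP_PRIVATE | MAP_EXECUTABLE` where the call previously passed 0 changes how get_unmapped_area() places the vDSO, but nothing in the hunk says why; presumably the PaX-modified allocator keys on MAP_EXECUTABLE to apply its placement rules for executable mappings. A one-line comment above the call, `/* PaX: flag the vDSO as an executable mapping so get_unmapped_area() places it accordingly */`, would save the next reader a trip through mm/mmap.c. arch_setup_additional_pages() starts and ends outside the hunk.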
2243 diff -urNp linux-3.0.9/arch/powerpc/lib/usercopy_64.c linux-3.0.9/arch/powerpc/lib/usercopy_64.c
2244 --- linux-3.0.9/arch/powerpc/lib/usercopy_64.c  2011-11-11 13:12:24.000000000 -0500
2245 +++ linux-3.0.9/arch/powerpc/lib/usercopy_64.c  2011-11-15 20:02:59.000000000 -0500
2246 @@ -9,22 +9,6 @@
2247  #include <linux/module.h>
2248  #include <asm/uaccess.h>
2249  
2250 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2251 -{
2252 -       if (likely(access_ok(VERIFY_READ, from, n)))
2253 -               n = __copy_from_user(to, from, n);
2254 -       else
2255 -               memset(to, 0, n);
2256 -       return n;
2257 -}
2258 -
2259 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2260 -{
2261 -       if (likely(access_ok(VERIFY_WRITE, to, n)))
2262 -               n = __copy_to_user(to, from, n);
2263 -       return n;
2264 -}
2265 -
2266  unsigned long copy_in_user(void __user *to, const void __user *from,
2267                            unsigned long n)
2268  {
2269 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2270         return n;
2271  }
2272  
2273 -EXPORT_SYMBOL(copy_from_user);
2274 -EXPORT_SYMBOL(copy_to_user);
2275  EXPORT_SYMBOL(copy_in_user);
2276  
2277 diff -urNp linux-3.0.9/arch/powerpc/mm/fault.c linux-3.0.9/arch/powerpc/mm/fault.c
2278 --- linux-3.0.9/arch/powerpc/mm/fault.c 2011-11-11 13:12:24.000000000 -0500
2279 +++ linux-3.0.9/arch/powerpc/mm/fault.c 2011-11-15 20:02:59.000000000 -0500
2280 @@ -32,6 +32,10 @@
2281  #include <linux/perf_event.h>
2282  #include <linux/magic.h>
2283  #include <linux/ratelimit.h>
2284 +#include <linux/slab.h>
2285 +#include <linux/pagemap.h>
2286 +#include <linux/compiler.h>
2287 +#include <linux/unistd.h>
2288  
2289  #include <asm/firmware.h>
2290  #include <asm/page.h>
2291 @@ -43,6 +47,7 @@
2292  #include <asm/tlbflush.h>
2293  #include <asm/siginfo.h>
2294  #include <mm/mmu_decl.h>
2295 +#include <asm/ptrace.h>
2296  
2297  #ifdef CONFIG_KPROBES
2298  static inline int notify_page_fault(struct pt_regs *regs)
2299 @@ -66,6 +71,33 @@ static inline int notify_page_fault(stru
2300  }
2301  #endif
2302  
2303 +#ifdef CONFIG_PAX_PAGEEXEC
2304 +/*
2305 + * PaX: decide what to do with offenders (regs->nip = fault address)
2306 + *
2307 + * returns 1 when task should be killed
2308 + */
2309 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2310 +{
2311 +       return 1;
2312 +}
2313 +
2314 +void pax_report_insns(void *pc, void *sp)
2315 +{
2316 +       unsigned long i;
2317 +
2318 +       printk(KERN_ERR "PAX: bytes at PC: ");
2319 +       for (i = 0; i < 5; i++) {
2320 +               unsigned int c;
2321 +               if (get_user(c, (unsigned int __user *)pc+i))
2322 +                       printk(KERN_CONT "???????? ");
2323 +               else
2324 +                       printk(KERN_CONT "%08x ", c);
2325 +       }
2326 +       printk("\n");
2327 +}
2328 +#endif
2329 +
2330  /*
2331   * Check whether the instruction at regs->nip is a store using
2332   * an update addressing form which will update r1.
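Review bot: The closing `printk("\n")` in pax_report_insns() lacks the `KERN_CONT` that the two preceding continuation calls carry; on 3.0 it happens to continue the line, but it is inconsistent and breaks once log records become structured, so write `printk(KERN_CONT "\n");`. The function also writes up to five words of the faulting task's instruction stream to the log on every fetch fault, and since an unprivileged fork loop can trigger this repeatedly, it should be rate-limited unless the pax_report_fault() caller already is. pax_handle_fetch_fault() ignores `regs` and always returns 1, which matches the comment above it, but a short comment explaining why the parameter is kept would help the next reader.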
2333 @@ -136,7 +168,7 @@ int __kprobes do_page_fault(struct pt_re
2334          * indicate errors in DSISR but can validly be set in SRR1.
2335          */
2336         if (trap == 0x400)
2337 -               error_code &= 0x48200000;
2338 +               error_code &= 0x58200000;
2339         else
2340                 is_write = error_code & DSISR_ISSTORE;
2341  #else
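Review bot: Widening the SRR1 mask from `0x48200000` to `0x58200000` introduces the `0x10000000` bit as a magic number, while the two later hunks in this file (L2350, L2359) spell that same bit `DSISR_GUARDED`; write it as `error_code &= 0x48200000 | DSISR_GUARDED;` so the reader sees that the new bit is the guarded-storage one the bad_area checks below depend on. This relies on the ISI SRR1 and DSISR bit positions lining up, which the existing code already assumes by reusing `error_code` for both. do_page_fault() starts outside the hunk.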
2342 @@ -259,7 +291,7 @@ good_area:
2343           * "undefined".  Of those that can be set, this is the only
2344           * one which seems bad.
2345           */
2346 -       if (error_code & 0x10000000)
2347 +       if (error_code & DSISR_GUARDED)
2348                  /* Guarded storage error. */
2349                 goto bad_area;
2350  #endif /* CONFIG_8xx */
2351 @@ -274,7 +306,7 @@ good_area:
2352                  * processors use the same I/D cache coherency mechanism
2353                  * as embedded.
2354                  */
2355 -               if (error_code & DSISR_PROTFAULT)
2356 +               if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2357                         goto bad_area;
2358  #endif /* CONFIG_PPC_STD_MMU */
2359  
2360 @@ -343,6 +375,23 @@ bad_area:
2361  bad_area_nosemaphore:
2362         /* User mode accesses cause a SIGSEGV */
2363         if (user_mode(regs)) {
2364 +
2365 +#ifdef CONFIG_PAX_PAGEEXEC
2366 +               if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2367 +#ifdef CONFIG_PPC_STD_MMU
2368 +                       if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2369 +#else
2370 +                       if (is_exec && regs->nip == address) {
2371 +#endif
2372 +                               switch (pax_handle_fetch_fault(regs)) {
2373 +                               }
2374 +
2375 +                               pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2376 +                               do_group_exit(SIGKILL);
2377 +                       }
2378 +               }
2379 +#endif
2380 +
2381                 _exception(SIGSEGV, regs, code, address);
2382                 return 0;
2383         }
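Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has no case labels, so it evaluates the call and discards the result, and pax_handle_fetch_fault() always returns 1 anyway; the statement reads as a leftover and obscures the fact that every PAGEEXEC fetch fault in user mode is fatal here. Either drop the switch, or keep the hook and say so with `/* no special handling on powerpc: every PAGEEXEC fetch fault kills the task */` before the pax_report_fault() call. Note the `#ifdef CONFIG_PPC_STD_MMU` pair opens an `if` block in both branches, so the single closing brace after do_group_exit() must balance either variant (it does, but the shape is easy to break on a later edit). do_page_fault() starts and ends outside the hunk.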
2384 diff -urNp linux-3.0.9/arch/powerpc/mm/mmap_64.c linux-3.0.9/arch/powerpc/mm/mmap_64.c
2385 --- linux-3.0.9/arch/powerpc/mm/mmap_64.c       2011-11-11 13:12:24.000000000 -0500
2386 +++ linux-3.0.9/arch/powerpc/mm/mmap_64.c       2011-11-15 20:02:59.000000000 -0500
2387 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2388          */
2389         if (mmap_is_legacy()) {
2390                 mm->mmap_base = TASK_UNMAPPED_BASE;
2391 +
2392 +#ifdef CONFIG_PAX_RANDMMAP
2393 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2394 +                       mm->mmap_base += mm->delta_mmap;
2395 +#endif
2396 +
2397                 mm->get_unmapped_area = arch_get_unmapped_area;
2398                 mm->unmap_area = arch_unmap_area;
2399         } else {
2400                 mm->mmap_base = mmap_base();
2401 +
2402 +#ifdef CONFIG_PAX_RANDMMAP
2403 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2404 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2405 +#endif
2406 +
2407                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2408                 mm->unmap_area = arch_unmap_area_topdown;
2409         }
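Review bot: The two `#ifdef CONFIG_PAX_RANDMMAP` blocks added here are repeated verbatim in both arch_pick_mmap_layout() variants in arch/s390/mm/mmap.c (L2689-2711, L2712-2734), so the same two lines now live in six places; a `static inline` helper in a shared PaX header (constructed example: `pax_shift_mmap_base(mm, legacy)`) would give one place to audit how `delta_mmap` and `delta_stack` move the base. The topdown branch subtracts `delta_mmap + delta_stack` without checking that mmap_base() left room for it; presumably the delta lengths are bounded elsewhere so the base cannot underflow past the stack gap, but a comment stating that would help. arch_pick_mmap_layout() starts outside the hunk.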
2410 diff -urNp linux-3.0.9/arch/powerpc/mm/slice.c linux-3.0.9/arch/powerpc/mm/slice.c
2411 --- linux-3.0.9/arch/powerpc/mm/slice.c 2011-11-11 13:12:24.000000000 -0500
2412 +++ linux-3.0.9/arch/powerpc/mm/slice.c 2011-11-15 20:02:59.000000000 -0500
2413 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2414         if ((mm->task_size - len) < addr)
2415                 return 0;
2416         vma = find_vma(mm, addr);
2417 -       return (!vma || (addr + len) <= vma->vm_start);
2418 +       return check_heap_stack_gap(vma, addr, len);
2419  }
2420  
2421  static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2422 @@ -256,7 +256,7 @@ full_search:
2423                                 addr = _ALIGN_UP(addr + 1,  1ul << SLICE_HIGH_SHIFT);
2424                         continue;
2425                 }
2426 -               if (!vma || addr + len <= vma->vm_start) {
2427 +               if (check_heap_stack_gap(vma, addr, len)) {
2428                         /*
2429                          * Remember the place where we stopped the search:
2430                          */
2431 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2432                 }
2433         }
2434  
2435 -       addr = mm->mmap_base;
2436 -       while (addr > len) {
2437 +       if (mm->mmap_base < len)
2438 +               addr = -ENOMEM;
2439 +       else
2440 +               addr = mm->mmap_base - len;
2441 +
2442 +       while (!IS_ERR_VALUE(addr)) {
2443                 /* Go down by chunk size */
2444 -               addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
2445 +               addr = _ALIGN_DOWN(addr, 1ul << pshift);
2446  
2447                 /* Check for hit with different page size */
2448                 mask = slice_range_to_mask(addr, len);
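Review bot: The comment `/* Go down by chunk size */` is now stale: `addr` already holds `mm->mmap_base - len` (or the value skip_heap_stack_gap() returned on a later iteration) and the line below only aligns it down, so reword it to `/* Align the candidate start down to the slice size */`. The loop condition `!IS_ERR_VALUE(addr)` relies on skip_heap_stack_gap() (L2466) returning an error value when no lower candidate exists, which replaces the original `addr > len` guard; a one-line comment stating that contract at the `while` would make the termination argument visible. slice_find_area_topdown() starts and ends outside the hunk.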
2449 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
2450                  * return with success:
2451                  */
2452                 vma = find_vma(mm, addr);
2453 -               if (!vma || (addr + len) <= vma->vm_start) {
2454 +               if (check_heap_stack_gap(vma, addr, len)) {
2455                         /* remember the address as a hint for next time */
2456                         if (use_cache)
2457                                 mm->free_area_cache = addr;
2458 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
2459                         mm->cached_hole_size = vma->vm_start - addr;
2460  
2461                 /* try just below the current vma->vm_start */
2462 -               addr = vma->vm_start;
2463 +               addr = skip_heap_stack_gap(vma, len);
2464         }
2465  
2466         /*
2467 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
2468         if (fixed && addr > (mm->task_size - len))
2469                 return -EINVAL;
2470  
2471 +#ifdef CONFIG_PAX_RANDMMAP
2472 +       if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2473 +               addr = 0;
2474 +#endif
2475 +
2476         /* If hint, make sure it matches our alignment restrictions */
2477         if (!fixed && addr) {
2478                 addr = _ALIGN_UP(addr, 1ul << pshift);
2479 diff -urNp linux-3.0.9/arch/s390/include/asm/elf.h linux-3.0.9/arch/s390/include/asm/elf.h
2480 --- linux-3.0.9/arch/s390/include/asm/elf.h     2011-11-11 13:12:24.000000000 -0500
2481 +++ linux-3.0.9/arch/s390/include/asm/elf.h     2011-11-15 20:02:59.000000000 -0500
2482 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
2483     the loader.  We need to make sure that it is out of the way of the program
2484     that it will "exec", and that there is sufficient room for the brk.  */
2485  
2486 -extern unsigned long randomize_et_dyn(unsigned long base);
2487 -#define ELF_ET_DYN_BASE                (randomize_et_dyn(STACK_TOP / 3 * 2))
2488 +#define ELF_ET_DYN_BASE                (STACK_TOP / 3 * 2)
2489 +
2490 +#ifdef CONFIG_PAX_ASLR
2491 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2492 +
2493 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2494 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2495 +#endif
2496  
2497  /* This yields a mask that user programs can use to figure out what
2498     instruction set this CPU supports. */
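Review bot: With `randomize_et_dyn()` removed from `ELF_ET_DYN_BASE` (and its definition deleted from arch/s390/kernel/process.c at L2664-2673), an s390 build without CONFIG_PAX_ASLR has a fixed PIE load base, since the upstream randomisation is gone and the PaX variant only exists under that option; if that trade-off is intended it deserves a comment here, because a config that leaves PAX_ASLR off silently loses ET_DYN randomisation. The same pattern applies to the powerpc deletions at L2117-2171. Minor: `26 )` on the two PAX_DELTA_*_LEN lines has a stray space before the closing parenthesis.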
2499 @@ -210,7 +216,4 @@ struct linux_binprm;
2500  #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2501  int arch_setup_additional_pages(struct linux_binprm *, int);
2502  
2503 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2504 -#define arch_randomize_brk arch_randomize_brk
2505 -
2506  #endif
2507 diff -urNp linux-3.0.9/arch/s390/include/asm/system.h linux-3.0.9/arch/s390/include/asm/system.h
2508 --- linux-3.0.9/arch/s390/include/asm/system.h  2011-11-11 13:12:24.000000000 -0500
2509 +++ linux-3.0.9/arch/s390/include/asm/system.h  2011-11-15 20:02:59.000000000 -0500
2510 @@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co
2511  extern void (*_machine_halt)(void);
2512  extern void (*_machine_power_off)(void);
2513  
2514 -extern unsigned long arch_align_stack(unsigned long sp);
2515 +#define arch_align_stack(x) ((x) & ~0xfUL)
2516  
2517  static inline int tprot(unsigned long addr)
2518  {
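Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces a function with an untyped macro; `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` keeps the original signature and type checking for callers and is what the kernel prefers for one-liners. The same applies to the score variant at L2743, `#define arch_align_stack(x) (x)`. The s390 replacement also drops the `randomize_va_space` stack-offset randomisation the deleted function performed (L2639-2644); presumably PaX's own stack randomisation supersedes it, which is worth stating at the definition.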
2519 diff -urNp linux-3.0.9/arch/s390/include/asm/uaccess.h linux-3.0.9/arch/s390/include/asm/uaccess.h
2520 --- linux-3.0.9/arch/s390/include/asm/uaccess.h 2011-11-11 13:12:24.000000000 -0500
2521 +++ linux-3.0.9/arch/s390/include/asm/uaccess.h 2011-11-15 20:02:59.000000000 -0500
2522 @@ -235,6 +235,10 @@ static inline unsigned long __must_check
2523  copy_to_user(void __user *to, const void *from, unsigned long n)
2524  {
2525         might_fault();
2526 +
2527 +       if ((long)n < 0)
2528 +               return n;
2529 +
2530         if (access_ok(VERIFY_WRITE, to, n))
2531                 n = __copy_to_user(to, from, n);
2532         return n;
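Review bot: `if ((long)n < 0) return n;` is added without a word on why: the intent is presumably to catch a length that went negative through a caller's arithmetic error before `access_ok()` and `__copy_to_user()` see it as a huge unsigned count, and returning `n` keeps the "bytes not copied" contract so the caller observes total failure. Put that in a comment at the first site, `/* PaX: a "negative" length means the caller's size computation underflowed; refuse the copy */`, since the same three lines recur in __copy_from_user() (L2540) and copy_from_user() (L2551). If __copy_to_user() in this header has the same shape, it presumably needs the same guard; it is not in any hunk here.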
2533 @@ -260,6 +264,9 @@ copy_to_user(void __user *to, const void
2534  static inline unsigned long __must_check
2535  __copy_from_user(void *to, const void __user *from, unsigned long n)
2536  {
2537 +       if ((long)n < 0)
2538 +               return n;
2539 +
2540         if (__builtin_constant_p(n) && (n <= 256))
2541                 return uaccess.copy_from_user_small(n, from, to);
2542         else
2543 @@ -294,6 +301,10 @@ copy_from_user(void *to, const void __us
2544         unsigned int sz = __compiletime_object_size(to);
2545  
2546         might_fault();
2547 +
2548 +       if ((long)n < 0)
2549 +               return n;
2550 +
2551         if (unlikely(sz != -1 && sz < n)) {
2552                 copy_from_user_overflow();
2553                 return n;
2554 diff -urNp linux-3.0.9/arch/s390/kernel/module.c linux-3.0.9/arch/s390/kernel/module.c
2555 --- linux-3.0.9/arch/s390/kernel/module.c       2011-11-11 13:12:24.000000000 -0500
2556 +++ linux-3.0.9/arch/s390/kernel/module.c       2011-11-15 20:02:59.000000000 -0500
2557 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2558  
2559         /* Increase core size by size of got & plt and set start
2560            offsets for got and plt. */
2561 -       me->core_size = ALIGN(me->core_size, 4);
2562 -       me->arch.got_offset = me->core_size;
2563 -       me->core_size += me->arch.got_size;
2564 -       me->arch.plt_offset = me->core_size;
2565 -       me->core_size += me->arch.plt_size;
2566 +       me->core_size_rw = ALIGN(me->core_size_rw, 4);
2567 +       me->arch.got_offset = me->core_size_rw;
2568 +       me->core_size_rw += me->arch.got_size;
2569 +       me->arch.plt_offset = me->core_size_rx;
2570 +       me->core_size_rx += me->arch.plt_size;
2571         return 0;
2572  }
2573  
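Review bot: The original aligned `core_size` to 4 before deriving both offsets; the new code aligns only `core_size_rw`, so `plt_offset` is taken from `core_size_rx` unaligned, and the PLT entries written through `unsigned int *ip` (L2598-2603) can land at a 2-byte offset depending on the size of the last RX section. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;`. module_frob_arch_sections() starts outside the hunk.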
2574 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2575                 if (info->got_initialized == 0) {
2576                         Elf_Addr *gotent;
2577  
2578 -                       gotent = me->module_core + me->arch.got_offset +
2579 +                       gotent = me->module_core_rw + me->arch.got_offset +
2580                                 info->got_offset;
2581                         *gotent = val;
2582                         info->got_initialized = 1;
2583 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2584                 else if (r_type == R_390_GOTENT ||
2585                          r_type == R_390_GOTPLTENT)
2586                         *(unsigned int *) loc =
2587 -                               (val + (Elf_Addr) me->module_core - loc) >> 1;
2588 +                               (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2589                 else if (r_type == R_390_GOT64 ||
2590                          r_type == R_390_GOTPLT64)
2591                         *(unsigned long *) loc = val;
2592 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2593         case R_390_PLTOFF64:    /* 16 bit offset from GOT to PLT. */
2594                 if (info->plt_initialized == 0) {
2595                         unsigned int *ip;
2596 -                       ip = me->module_core + me->arch.plt_offset +
2597 +                       ip = me->module_core_rx + me->arch.plt_offset +
2598                                 info->plt_offset;
2599  #ifndef CONFIG_64BIT
2600                         ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2601 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2602                                val - loc + 0xffffUL < 0x1ffffeUL) ||
2603                               (r_type == R_390_PLT32DBL &&
2604                                val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2605 -                               val = (Elf_Addr) me->module_core +
2606 +                               val = (Elf_Addr) me->module_core_rx +
2607                                         me->arch.plt_offset +
2608                                         info->plt_offset;
2609                         val += rela->r_addend - loc;
2610 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2611         case R_390_GOTOFF32:    /* 32 bit offset to GOT.  */
2612         case R_390_GOTOFF64:    /* 64 bit offset to GOT. */
2613                 val = val + rela->r_addend -
2614 -                       ((Elf_Addr) me->module_core + me->arch.got_offset);
2615 +                       ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2616                 if (r_type == R_390_GOTOFF16)
2617                         *(unsigned short *) loc = val;
2618                 else if (r_type == R_390_GOTOFF32)
2619 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2620                 break;
2621         case R_390_GOTPC:       /* 32 bit PC relative offset to GOT. */
2622         case R_390_GOTPCDBL:    /* 32 bit PC rel. off. to GOT shifted by 1. */
2623 -               val = (Elf_Addr) me->module_core + me->arch.got_offset +
2624 +               val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2625                         rela->r_addend - loc;
2626                 if (r_type == R_390_GOTPC)
2627                         *(unsigned int *) loc = val;
2628 diff -urNp linux-3.0.9/arch/s390/kernel/process.c linux-3.0.9/arch/s390/kernel/process.c
2629 --- linux-3.0.9/arch/s390/kernel/process.c      2011-11-11 13:12:24.000000000 -0500
2630 +++ linux-3.0.9/arch/s390/kernel/process.c      2011-11-15 20:02:59.000000000 -0500
2631 @@ -319,39 +319,3 @@ unsigned long get_wchan(struct task_stru
2632         }
2633         return 0;
2634  }
2635 -
2636 -unsigned long arch_align_stack(unsigned long sp)
2637 -{
2638 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2639 -               sp -= get_random_int() & ~PAGE_MASK;
2640 -       return sp & ~0xf;
2641 -}
2642 -
2643 -static inline unsigned long brk_rnd(void)
2644 -{
2645 -       /* 8MB for 32bit, 1GB for 64bit */
2646 -       if (is_32bit_task())
2647 -               return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
2648 -       else
2649 -               return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
2650 -}
2651 -
2652 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2653 -{
2654 -       unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
2655 -
2656 -       if (ret < mm->brk)
2657 -               return mm->brk;
2658 -       return ret;
2659 -}
2660 -
2661 -unsigned long randomize_et_dyn(unsigned long base)
2662 -{
2663 -       unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2664 -
2665 -       if (!(current->flags & PF_RANDOMIZE))
2666 -               return base;
2667 -       if (ret < base)
2668 -               return base;
2669 -       return ret;
2670 -}
2671 diff -urNp linux-3.0.9/arch/s390/kernel/setup.c linux-3.0.9/arch/s390/kernel/setup.c
2672 --- linux-3.0.9/arch/s390/kernel/setup.c        2011-11-11 13:12:24.000000000 -0500
2673 +++ linux-3.0.9/arch/s390/kernel/setup.c        2011-11-15 20:02:59.000000000 -0500
2674 @@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
2675  }
2676  early_param("mem", early_parse_mem);
2677  
2678 -unsigned int user_mode = HOME_SPACE_MODE;
2679 +unsigned int user_mode = SECONDARY_SPACE_MODE;
2680  EXPORT_SYMBOL_GPL(user_mode);
2681  
2682  static int set_amode_and_uaccess(unsigned long user_amode,
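Review bot: Changing the default of `user_mode` from `HOME_SPACE_MODE` to `SECONDARY_SPACE_MODE` is a hardening choice — the kernel no longer runs in the user address space, so user pointers cannot be dereferenced directly — but the one-line hunk carries no comment, and presumably the existing `user_mode=` early parameter in this file still lets a boot revert it. Write the reason down at the definition: `/* grsecurity: default to separate kernel/user address spaces; user_mode= can still override */`.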
2683 diff -urNp linux-3.0.9/arch/s390/mm/mmap.c linux-3.0.9/arch/s390/mm/mmap.c
2684 --- linux-3.0.9/arch/s390/mm/mmap.c     2011-11-11 13:12:24.000000000 -0500
2685 +++ linux-3.0.9/arch/s390/mm/mmap.c     2011-11-15 20:02:59.000000000 -0500
2686 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
2687          */
2688         if (mmap_is_legacy()) {
2689                 mm->mmap_base = TASK_UNMAPPED_BASE;
2690 +
2691 +#ifdef CONFIG_PAX_RANDMMAP
2692 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2693 +                       mm->mmap_base += mm->delta_mmap;
2694 +#endif
2695 +
2696                 mm->get_unmapped_area = arch_get_unmapped_area;
2697                 mm->unmap_area = arch_unmap_area;
2698         } else {
2699                 mm->mmap_base = mmap_base();
2700 +
2701 +#ifdef CONFIG_PAX_RANDMMAP
2702 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2703 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2704 +#endif
2705 +
2706                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2707                 mm->unmap_area = arch_unmap_area_topdown;
2708         }
2709 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
2710          */
2711         if (mmap_is_legacy()) {
2712                 mm->mmap_base = TASK_UNMAPPED_BASE;
2713 +
2714 +#ifdef CONFIG_PAX_RANDMMAP
2715 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2716 +                       mm->mmap_base += mm->delta_mmap;
2717 +#endif
2718 +
2719                 mm->get_unmapped_area = s390_get_unmapped_area;
2720                 mm->unmap_area = arch_unmap_area;
2721         } else {
2722                 mm->mmap_base = mmap_base();
2723 +
2724 +#ifdef CONFIG_PAX_RANDMMAP
2725 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2726 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2727 +#endif
2728 +
2729                 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
2730                 mm->unmap_area = arch_unmap_area_topdown;
2731         }
2732 diff -urNp linux-3.0.9/arch/score/include/asm/system.h linux-3.0.9/arch/score/include/asm/system.h
2733 --- linux-3.0.9/arch/score/include/asm/system.h 2011-11-11 13:12:24.000000000 -0500
2734 +++ linux-3.0.9/arch/score/include/asm/system.h 2011-11-15 20:02:59.000000000 -0500
2735 @@ -17,7 +17,7 @@ do {                                                          \
2736  #define finish_arch_switch(prev)       do {} while (0)
2737  
2738  typedef void (*vi_handler_t)(void);
2739 -extern unsigned long arch_align_stack(unsigned long sp);
2740 +#define arch_align_stack(x) (x)
2741  
2742  #define mb()           barrier()
2743  #define rmb()          barrier()
2744 diff -urNp linux-3.0.9/arch/score/kernel/process.c linux-3.0.9/arch/score/kernel/process.c
2745 --- linux-3.0.9/arch/score/kernel/process.c     2011-11-11 13:12:24.000000000 -0500
2746 +++ linux-3.0.9/arch/score/kernel/process.c     2011-11-15 20:02:59.000000000 -0500
2747 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
2748  
2749         return task_pt_regs(task)->cp0_epc;
2750  }
2751 -
2752 -unsigned long arch_align_stack(unsigned long sp)
2753 -{
2754 -       return sp;
2755 -}
2756 diff -urNp linux-3.0.9/arch/sh/mm/mmap.c linux-3.0.9/arch/sh/mm/mmap.c
2757 --- linux-3.0.9/arch/sh/mm/mmap.c       2011-11-11 13:12:24.000000000 -0500
2758 +++ linux-3.0.9/arch/sh/mm/mmap.c       2011-11-15 20:02:59.000000000 -0500
2759 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
2760                         addr = PAGE_ALIGN(addr);
2761  
2762                 vma = find_vma(mm, addr);
2763 -               if (TASK_SIZE - len >= addr &&
2764 -                   (!vma || addr + len <= vma->vm_start))
2765 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
2766                         return addr;
2767         }
2768  
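Review bot: The joined condition `if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))` runs past 80 columns, which checkpatch warns about; keep the original two-line form, `if (TASK_SIZE - len >= addr &&` followed by `    check_heap_stack_gap(vma, addr, len))`. The same line is introduced in arch_get_unmapped_area_topdown() at L2787. arch_get_unmapped_area() starts outside the hunk.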
2769 @@ -106,7 +105,7 @@ full_search:
2770                         }
2771                         return -ENOMEM;
2772                 }
2773 -               if (likely(!vma || addr + len <= vma->vm_start)) {
2774 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
2775                         /*
2776                          * Remember the place where we stopped the search:
2777                          */
2778 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
2779                         addr = PAGE_ALIGN(addr);
2780  
2781                 vma = find_vma(mm, addr);
2782 -               if (TASK_SIZE - len >= addr &&
2783 -                   (!vma || addr + len <= vma->vm_start))
2784 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
2785                         return addr;
2786         }
2787  
2788 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
2789         /* make sure it can fit in the remaining address space */
2790         if (likely(addr > len)) {
2791                 vma = find_vma(mm, addr-len);
2792 -               if (!vma || addr <= vma->vm_start) {
2793 +               if (check_heap_stack_gap(vma, addr - len, len)) {
2794                         /* remember the address as a hint for next time */
2795                         return (mm->free_area_cache = addr-len);
2796                 }
2797 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
2798         if (unlikely(mm->mmap_base < len))
2799                 goto bottomup;
2800  
2801 -       addr = mm->mmap_base-len;
2802 -       if (do_colour_align)
2803 -               addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2804 +       addr = mm->mmap_base - len;
2805  
2806         do {
2807 +               if (do_colour_align)
2808 +                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2809                 /*
2810                  * Lookup failure means no vma is above this address,
2811                  * else if new region fits below vma->vm_start,
2812                  * return with success:
2813                  */
2814                 vma = find_vma(mm, addr);
2815 -               if (likely(!vma || addr+len <= vma->vm_start)) {
2816 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
2817                         /* remember the address as a hint for next time */
2818                         return (mm->free_area_cache = addr);
2819                 }
2820 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
2821                         mm->cached_hole_size = vma->vm_start - addr;
2822  
2823                 /* try just below the current vma->vm_start */
2824 -               addr = vma->vm_start-len;
2825 -               if (do_colour_align)
2826 -                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2827 -       } while (likely(len < vma->vm_start));
2828 +               addr = skip_heap_stack_gap(vma, len);
2829 +       } while (!IS_ERR_VALUE(addr));
2830  
2831  bottomup:
2832         /*
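Review bot: The removed `while (likely(len < vma->vm_start))` guard was what kept `vma->vm_start - len` from wrapping below zero, and the new exit condition `while (!IS_ERR_VALUE(addr))` relies entirely on `skip_heap_stack_gap()` returning an error value in that case; that helper is not in this hunk, so if it can hand back a wrapped non-error address the next iteration would call `find_vma()` on it. A comment on the new assignment would make the contract explicit, e.g. `/* skip_heap_stack_gap() returns an error value when len does not fit below vma, so addr never wraps */`, and is worth confirming against the helper's definition. `arch_get_unmapped_area_topdown` begins before this hunk and its bottomup path continues after it.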
2833 diff -urNp linux-3.0.9/arch/sparc/include/asm/atomic_64.h linux-3.0.9/arch/sparc/include/asm/atomic_64.h
2834 --- linux-3.0.9/arch/sparc/include/asm/atomic_64.h      2011-11-11 13:12:24.000000000 -0500
2835 +++ linux-3.0.9/arch/sparc/include/asm/atomic_64.h      2011-11-15 20:02:59.000000000 -0500
2836 @@ -14,18 +14,40 @@
2837  #define ATOMIC64_INIT(i)       { (i) }
2838  
2839  #define atomic_read(v)         (*(volatile int *)&(v)->counter)
2840 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
2841 +{
2842 +       return v->counter;
2843 +}
2844  #define atomic64_read(v)       (*(volatile long *)&(v)->counter)
2845 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
2846 +{
2847 +       return v->counter;
2848 +}
2849  
2850  #define atomic_set(v, i)       (((v)->counter) = i)
2851 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
2852 +{
2853 +       v->counter = i;
2854 +}
2855  #define atomic64_set(v, i)     (((v)->counter) = i)
2856 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
2857 +{
2858 +       v->counter = i;
2859 +}
2860  
2861  extern void atomic_add(int, atomic_t *);
2862 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
2863  extern void atomic64_add(long, atomic64_t *);
2864 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
2865  extern void atomic_sub(int, atomic_t *);
2866 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
2867  extern void atomic64_sub(long, atomic64_t *);
2868 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
2869  
2870  extern int atomic_add_ret(int, atomic_t *);
2871 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
2872  extern long atomic64_add_ret(long, atomic64_t *);
2873 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
2874  extern int atomic_sub_ret(int, atomic_t *);
2875  extern long atomic64_sub_ret(long, atomic64_t *);
2876  
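Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` read `v->counter` with a plain load, while the `atomic_read()`/`atomic64_read()` macros directly above them go through a `volatile` cast to force a fresh load on every call; a wait loop written against the unchecked variant can therefore be hoisted into a single load by the compiler. Using the same access form keeps the two families equivalent, e.g. `return (*(volatile int *)&v->counter);` and `return (*(volatile long *)&v->counter);` (or `ACCESS_ONCE(v->counter)` if linux/compiler.h is in scope here). The `_set_unchecked` helpers and the `extern` prototypes added in the same hunk only forward to the out-of-line implementations and look fine.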
2877 @@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
2878  #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
2879  
2880  #define atomic_inc_return(v) atomic_add_ret(1, v)
2881 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
2882 +{
2883 +       return atomic_add_ret_unchecked(1, v);
2884 +}
2885  #define atomic64_inc_return(v) atomic64_add_ret(1, v)
2886 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
2887 +{
2888 +       return atomic64_add_ret_unchecked(1, v);
2889 +}
2890  
2891  #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
2892  #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
2893  
2894  #define atomic_add_return(i, v) atomic_add_ret(i, v)
2895 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
2896 +{
2897 +       return atomic_add_ret_unchecked(i, v);
2898 +}
2899  #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
2900 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
2901 +{
2902 +       return atomic64_add_ret_unchecked(i, v);
2903 +}
2904  
2905  /*
2906   * atomic_inc_and_test - increment and test
2907 @@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
2908   * other cases.
2909   */
2910  #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
2911 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
2912 +{
2913 +       return atomic_inc_return_unchecked(v) == 0;
2914 +}
2915  #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
2916  
2917  #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
2918 @@ -59,30 +101,65 @@ extern long atomic64_sub_ret(long, atomi
2919  #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
2920  
2921  #define atomic_inc(v) atomic_add(1, v)
2922 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
2923 +{
2924 +       atomic_add_unchecked(1, v);
2925 +}
2926  #define atomic64_inc(v) atomic64_add(1, v)
2927 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
2928 +{
2929 +       atomic64_add_unchecked(1, v);
2930 +}
2931  
2932  #define atomic_dec(v) atomic_sub(1, v)
2933 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
2934 +{
2935 +       atomic_sub_unchecked(1, v);
2936 +}
2937  #define atomic64_dec(v) atomic64_sub(1, v)
2938 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
2939 +{
2940 +       atomic64_sub_unchecked(1, v);
2941 +}
2942  
2943  #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
2944  #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
2945  
2946  #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
2947 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
2948 +{
2949 +       return cmpxchg(&v->counter, old, new);
2950 +}
2951  #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
2952 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
2953 +{
2954 +       return xchg(&v->counter, new);
2955 +}
2956  
2957  static inline int atomic_add_unless(atomic_t *v, int a, int u)
2958  {
2959 -       int c, old;
2960 +       int c, old, new;
2961         c = atomic_read(v);
2962         for (;;) {
2963 -               if (unlikely(c == (u)))
2964 +               if (unlikely(c == u))
2965                         break;
2966 -               old = atomic_cmpxchg((v), c, c + (a));
2967 +
2968 +               asm volatile("addcc %2, %0, %0\n"
2969 +
2970 +#ifdef CONFIG_PAX_REFCOUNT
2971 +                            "tvs %%icc, 6\n"
2972 +#endif
2973 +
2974 +                            : "=r" (new)
2975 +                            : "0" (c), "ir" (a)
2976 +                            : "cc");
2977 +
2978 +               old = atomic_cmpxchg(v, c, new);
2979                 if (likely(old == c))
2980                         break;
2981                 c = old;
2982         }
2983 -       return c != (u);
2984 +       return c != u;
2985  }
2986  
2987  #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
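Review bot: The inline `addcc`/`tvs` sequence that replaces `c + (a)` in `atomic_add_unless()` has no comment, so a reader who is not fluent in SPARC assembly cannot tell why the plain addition was replaced or what trap number 6 means. A short comment above the asm would help, e.g. `/* addcc sets the condition codes; under PAX_REFCOUNT, tvs raises software trap 6 on signed overflow before the cmpxchg can publish the wrapped value */`. Nothing in this hunk ties trap 6 to a handler, so it is worth confirming the number matches whatever the rest of the patch installs.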
2988 @@ -90,20 +167,35 @@ static inline int atomic_add_unless(atom
2989  #define atomic64_cmpxchg(v, o, n) \
2990         ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
2991  #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
2992 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
2993 +{
2994 +       return xchg(&v->counter, new);
2995 +}
2996  
2997  static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
2998  {
2999 -       long c, old;
3000 +       long c, old, new;
3001         c = atomic64_read(v);
3002         for (;;) {
3003 -               if (unlikely(c == (u)))
3004 +               if (unlikely(c == u))
3005                         break;
3006 -               old = atomic64_cmpxchg((v), c, c + (a));
3007 +
3008 +               asm volatile("addcc %2, %0, %0\n"
3009 +
3010 +#ifdef CONFIG_PAX_REFCOUNT
3011 +                            "tvs %%xcc, 6\n"
3012 +#endif
3013 +
3014 +                            : "=r" (new)
3015 +                            : "0" (c), "ir" (a)
3016 +                            : "cc");
3017 +
3018 +               old = atomic64_cmpxchg(v, c, new);
3019                 if (likely(old == c))
3020                         break;
3021                 c = old;
3022         }
3023 -       return c != (u);
3024 +       return c != u;
3025  }
3026  
3027  #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
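Review bot: `atomic64_cmpxchg_unchecked()` is missing here even though `atomic64_xchg_unchecked()` is added beside `atomic64_xchg`, whereas the 32-bit hunk above defines both `atomic_cmpxchg_unchecked()` and `atomic_xchg_unchecked()`. If nothing on sparc64 needs the 64-bit variant this is harmless, but the asymmetry will surface for the first caller built on both sizes; the wrapper is a one-liner, `static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new) { return cmpxchg(&v->counter, old, new); }`. The `addcc`/`tvs %%xcc, 6` block in `atomic64_add_unless()` also deserves the same explanatory comment as its 32-bit twin.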
3028 diff -urNp linux-3.0.9/arch/sparc/include/asm/cache.h linux-3.0.9/arch/sparc/include/asm/cache.h
3029 --- linux-3.0.9/arch/sparc/include/asm/cache.h  2011-11-11 13:12:24.000000000 -0500
3030 +++ linux-3.0.9/arch/sparc/include/asm/cache.h  2011-11-15 20:02:59.000000000 -0500
3031 @@ -10,7 +10,7 @@
3032  #define ARCH_SLAB_MINALIGN     __alignof__(unsigned long long)
3033  
3034  #define L1_CACHE_SHIFT 5
3035 -#define L1_CACHE_BYTES 32
3036 +#define L1_CACHE_BYTES 32UL
3037  
3038  #ifdef CONFIG_SPARC32
3039  #define SMP_CACHE_BYTES_SHIFT 5
3040 diff -urNp linux-3.0.9/arch/sparc/include/asm/elf_32.h linux-3.0.9/arch/sparc/include/asm/elf_32.h
3041 --- linux-3.0.9/arch/sparc/include/asm/elf_32.h 2011-11-11 13:12:24.000000000 -0500
3042 +++ linux-3.0.9/arch/sparc/include/asm/elf_32.h 2011-11-15 20:02:59.000000000 -0500
3043 @@ -114,6 +114,13 @@ typedef struct {
3044  
3045  #define ELF_ET_DYN_BASE         (TASK_UNMAPPED_BASE)
3046  
3047 +#ifdef CONFIG_PAX_ASLR
3048 +#define PAX_ELF_ET_DYN_BASE    0x10000UL
3049 +
3050 +#define PAX_DELTA_MMAP_LEN     16
3051 +#define PAX_DELTA_STACK_LEN    16
3052 +#endif
3053 +
3054  /* This yields a mask that user programs can use to figure out what
3055     instruction set this cpu supports.  This can NOT be done in userspace
3056     on Sparc.  */
3057 diff -urNp linux-3.0.9/arch/sparc/include/asm/elf_64.h linux-3.0.9/arch/sparc/include/asm/elf_64.h
3058 --- linux-3.0.9/arch/sparc/include/asm/elf_64.h 2011-11-11 13:12:24.000000000 -0500
3059 +++ linux-3.0.9/arch/sparc/include/asm/elf_64.h 2011-11-15 20:02:59.000000000 -0500
3060 @@ -180,6 +180,13 @@ typedef struct {
3061  #define ELF_ET_DYN_BASE                0x0000010000000000UL
3062  #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3063  
3064 +#ifdef CONFIG_PAX_ASLR
3065 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3066 +
3067 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_32BIT) ? 14 : 28)
3068 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_32BIT) ? 15 : 29)
3069 +#endif
3070 +
3071  extern unsigned long sparc64_elf_hwcap;
3072  #define ELF_HWCAP      sparc64_elf_hwcap
3073  
3074 diff -urNp linux-3.0.9/arch/sparc/include/asm/pgtable_32.h linux-3.0.9/arch/sparc/include/asm/pgtable_32.h
3075 --- linux-3.0.9/arch/sparc/include/asm/pgtable_32.h     2011-11-11 13:12:24.000000000 -0500
3076 +++ linux-3.0.9/arch/sparc/include/asm/pgtable_32.h     2011-11-15 20:02:59.000000000 -0500
3077 @@ -45,6 +45,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3078  BTFIXUPDEF_INT(page_none)
3079  BTFIXUPDEF_INT(page_copy)
3080  BTFIXUPDEF_INT(page_readonly)
3081 +
3082 +#ifdef CONFIG_PAX_PAGEEXEC
3083 +BTFIXUPDEF_INT(page_shared_noexec)
3084 +BTFIXUPDEF_INT(page_copy_noexec)
3085 +BTFIXUPDEF_INT(page_readonly_noexec)
3086 +#endif
3087 +
3088  BTFIXUPDEF_INT(page_kernel)
3089  
3090  #define PMD_SHIFT              SUN4C_PMD_SHIFT
3091 @@ -66,6 +73,16 @@ extern pgprot_t PAGE_SHARED;
3092  #define PAGE_COPY      __pgprot(BTFIXUP_INT(page_copy))
3093  #define PAGE_READONLY  __pgprot(BTFIXUP_INT(page_readonly))
3094  
3095 +#ifdef CONFIG_PAX_PAGEEXEC
3096 +extern pgprot_t PAGE_SHARED_NOEXEC;
3097 +# define PAGE_COPY_NOEXEC      __pgprot(BTFIXUP_INT(page_copy_noexec))
3098 +# define PAGE_READONLY_NOEXEC  __pgprot(BTFIXUP_INT(page_readonly_noexec))
3099 +#else
3100 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
3101 +# define PAGE_COPY_NOEXEC      PAGE_COPY
3102 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
3103 +#endif
3104 +
3105  extern unsigned long page_kernel;
3106  
3107  #ifdef MODULE
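Review bot: `PAGE_SHARED_NOEXEC` is declared here as a plain `extern pgprot_t`, mirroring the existing `extern pgprot_t PAGE_SHARED`, yet the previous hunk also adds `BTFIXUPDEF_INT(page_shared_noexec)`, a btfixup slot that has no `page_shared` counterpart in the surrounding context (only `page_none`, `page_copy`, `page_readonly` exist) and that no macro in this hunk references. Unless the srmmu/sun4c setup code elsewhere in the patch fills and uses that slot, it looks dead and could be dropped; otherwise a comment should say which of the two is authoritative, e.g. `/* PAGE_SHARED_NOEXEC is a variable rather than a btfixup, like PAGE_SHARED */`.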
3108 diff -urNp linux-3.0.9/arch/sparc/include/asm/pgtsrmmu.h linux-3.0.9/arch/sparc/include/asm/pgtsrmmu.h
3109 --- linux-3.0.9/arch/sparc/include/asm/pgtsrmmu.h       2011-11-11 13:12:24.000000000 -0500
3110 +++ linux-3.0.9/arch/sparc/include/asm/pgtsrmmu.h       2011-11-15 20:02:59.000000000 -0500
3111 @@ -115,6 +115,13 @@
3112                                     SRMMU_EXEC | SRMMU_REF)
3113  #define SRMMU_PAGE_RDONLY  __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3114                                     SRMMU_EXEC | SRMMU_REF)
3115 +
3116 +#ifdef CONFIG_PAX_PAGEEXEC
3117 +#define SRMMU_PAGE_SHARED_NOEXEC       __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3118 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3119 +#define SRMMU_PAGE_RDONLY_NOEXEC       __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3120 +#endif
3121 +
3122  #define SRMMU_PAGE_KERNEL  __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3123                                     SRMMU_DIRTY | SRMMU_REF)
3124  
3125 diff -urNp linux-3.0.9/arch/sparc/include/asm/spinlock_64.h linux-3.0.9/arch/sparc/include/asm/spinlock_64.h
3126 --- linux-3.0.9/arch/sparc/include/asm/spinlock_64.h    2011-11-11 13:12:24.000000000 -0500
3127 +++ linux-3.0.9/arch/sparc/include/asm/spinlock_64.h    2011-11-15 20:02:59.000000000 -0500
3128 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
3129  
3130  /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
3131  
3132 -static void inline arch_read_lock(arch_rwlock_t *lock)
3133 +static inline void arch_read_lock(arch_rwlock_t *lock)
3134  {
3135         unsigned long tmp1, tmp2;
3136  
3137         __asm__ __volatile__ (
3138  "1:    ldsw            [%2], %0\n"
3139  "      brlz,pn         %0, 2f\n"
3140 -"4:     add            %0, 1, %1\n"
3141 +"4:     addcc          %0, 1, %1\n"
3142 +
3143 +#ifdef CONFIG_PAX_REFCOUNT
3144 +"      tvs             %%icc, 6\n"
3145 +#endif
3146 +
3147  "      cas             [%2], %0, %1\n"
3148  "      cmp             %0, %1\n"
3149  "      bne,pn          %%icc, 1b\n"
3150 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
3151  "      .previous"
3152         : "=&r" (tmp1), "=&r" (tmp2)
3153         : "r" (lock)
3154 -       : "memory");
3155 +       : "memory", "cc");
3156  }
3157  
3158 -static int inline arch_read_trylock(arch_rwlock_t *lock)
3159 +static inline int arch_read_trylock(arch_rwlock_t *lock)
3160  {
3161         int tmp1, tmp2;
3162  
3163 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3164  "1:    ldsw            [%2], %0\n"
3165  "      brlz,a,pn       %0, 2f\n"
3166  "       mov            0, %0\n"
3167 -"      add             %0, 1, %1\n"
3168 +"      addcc           %0, 1, %1\n"
3169 +
3170 +#ifdef CONFIG_PAX_REFCOUNT
3171 +"      tvs             %%icc, 6\n"
3172 +#endif
3173 +
3174  "      cas             [%2], %0, %1\n"
3175  "      cmp             %0, %1\n"
3176  "      bne,pn          %%icc, 1b\n"
3177 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
3178         return tmp1;
3179  }
3180  
3181 -static void inline arch_read_unlock(arch_rwlock_t *lock)
3182 +static inline void arch_read_unlock(arch_rwlock_t *lock)
3183  {
3184         unsigned long tmp1, tmp2;
3185  
3186         __asm__ __volatile__(
3187  "1:    lduw    [%2], %0\n"
3188 -"      sub     %0, 1, %1\n"
3189 +"      subcc   %0, 1, %1\n"
3190 +
3191 +#ifdef CONFIG_PAX_REFCOUNT
3192 +"      tvs     %%icc, 6\n"
3193 +#endif
3194 +
3195  "      cas     [%2], %0, %1\n"
3196  "      cmp     %0, %1\n"
3197  "      bne,pn  %%xcc, 1b\n"
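Review bot: `arch_read_unlock()` now executes `subcc`, which writes the condition codes, but its clobber list just past this hunk (the `: "memory");` context line in the next hunk) is left untouched, whereas the `arch_read_lock()` hunk above adds `"cc"` to its clobbers for the same `addcc` change. Either the clobber is needed in both places or in neither; for consistency change it here to `: "memory", "cc");` and check `arch_read_trylock()`, whose clobber list is not visible in this chunk. The function body continues past this hunk.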
3198 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
3199         : "memory");
3200  }
3201  
3202 -static void inline arch_write_lock(arch_rwlock_t *lock)
3203 +static inline void arch_write_lock(arch_rwlock_t *lock)
3204  {
3205         unsigned long mask, tmp1, tmp2;
3206  
3207 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
3208         : "memory");
3209  }
3210  
3211 -static void inline arch_write_unlock(arch_rwlock_t *lock)
3212 +static inline void arch_write_unlock(arch_rwlock_t *lock)
3213  {
3214         __asm__ __volatile__(
3215  "      stw             %%g0, [%0]"
3216 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
3217         : "memory");
3218  }
3219  
3220 -static int inline arch_write_trylock(arch_rwlock_t *lock)
3221 +static inline int arch_write_trylock(arch_rwlock_t *lock)
3222  {
3223         unsigned long mask, tmp1, tmp2, result;
3224  
3225 diff -urNp linux-3.0.9/arch/sparc/include/asm/thread_info_32.h linux-3.0.9/arch/sparc/include/asm/thread_info_32.h
3226 --- linux-3.0.9/arch/sparc/include/asm/thread_info_32.h 2011-11-11 13:12:24.000000000 -0500
3227 +++ linux-3.0.9/arch/sparc/include/asm/thread_info_32.h 2011-11-15 20:02:59.000000000 -0500
3228 @@ -50,6 +50,8 @@ struct thread_info {
3229         unsigned long           w_saved;
3230  
3231         struct restart_block    restart_block;
3232 +
3233 +       unsigned long           lowest_stack;
3234  };
3235  
3236  /*
3237 diff -urNp linux-3.0.9/arch/sparc/include/asm/thread_info_64.h linux-3.0.9/arch/sparc/include/asm/thread_info_64.h
3238 --- linux-3.0.9/arch/sparc/include/asm/thread_info_64.h 2011-11-11 13:12:24.000000000 -0500
3239 +++ linux-3.0.9/arch/sparc/include/asm/thread_info_64.h 2011-11-15 20:02:59.000000000 -0500
3240 @@ -63,6 +63,8 @@ struct thread_info {
3241         struct pt_regs          *kern_una_regs;
3242         unsigned int            kern_una_insn;
3243  
3244 +       unsigned long           lowest_stack;
3245 +
3246         unsigned long           fpregs[0] __attribute__ ((aligned(64)));
3247  };
3248  
3249 diff -urNp linux-3.0.9/arch/sparc/include/asm/uaccess_32.h linux-3.0.9/arch/sparc/include/asm/uaccess_32.h
3250 --- linux-3.0.9/arch/sparc/include/asm/uaccess_32.h     2011-11-11 13:12:24.000000000 -0500
3251 +++ linux-3.0.9/arch/sparc/include/asm/uaccess_32.h     2011-11-15 20:02:59.000000000 -0500
3252 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3253  
3254  static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3255  {
3256 -       if (n && __access_ok((unsigned long) to, n))
3257 +       if ((long)n < 0)
3258 +               return n;
3259 +
3260 +       if (n && __access_ok((unsigned long) to, n)) {
3261 +               if (!__builtin_constant_p(n))
3262 +                       check_object_size(from, n, true);
3263                 return __copy_user(to, (__force void __user *) from, n);
3264 -       else
3265 +       } else
3266                 return n;
3267  }
3268  
3269  static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3270  {
3271 +       if ((long)n < 0)
3272 +               return n;
3273 +
3274 +       if (!__builtin_constant_p(n))
3275 +               check_object_size(from, n, true);
3276 +
3277         return __copy_user(to, (__force void __user *) from, n);
3278  }
3279  
3280  static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3281  {
3282 -       if (n && __access_ok((unsigned long) from, n))
3283 +       if ((long)n < 0)
3284 +               return n;
3285 +
3286 +       if (n && __access_ok((unsigned long) from, n)) {
3287 +               if (!__builtin_constant_p(n))
3288 +                       check_object_size(to, n, false);
3289                 return __copy_user((__force void __user *) to, from, n);
3290 -       else
3291 +       } else
3292                 return n;
3293  }
3294  
3295  static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3296  {
3297 +       if ((long)n < 0)
3298 +               return n;
3299 +
3300         return __copy_user((__force void __user *) to, from, n);
3301  }
3302  
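Review bot: `__copy_from_user()` gets the negative-length guard but, unlike `__copy_to_user()` a few lines up and `copy_from_user()` directly above it, no `check_object_size()` call, so a non-constant copy into a kernel object through the double-underscore variant is never size-checked. Unless that omission is deliberate, add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user()` call to match the other three helpers. A one-line comment on the `(long)n < 0` guard saying it rejects lengths that would otherwise pass `__access_ok()` after wrapping would also help.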
3303 diff -urNp linux-3.0.9/arch/sparc/include/asm/uaccess_64.h linux-3.0.9/arch/sparc/include/asm/uaccess_64.h
3304 --- linux-3.0.9/arch/sparc/include/asm/uaccess_64.h     2011-11-11 13:12:24.000000000 -0500
3305 +++ linux-3.0.9/arch/sparc/include/asm/uaccess_64.h     2011-11-15 20:02:59.000000000 -0500
3306 @@ -10,6 +10,7 @@
3307  #include <linux/compiler.h>
3308  #include <linux/string.h>
3309  #include <linux/thread_info.h>
3310 +#include <linux/kernel.h>
3311  #include <asm/asi.h>
3312  #include <asm/system.h>
3313  #include <asm/spitfire.h>
3314 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3315  static inline unsigned long __must_check
3316  copy_from_user(void *to, const void __user *from, unsigned long size)
3317  {
3318 -       unsigned long ret = ___copy_from_user(to, from, size);
3319 +       unsigned long ret;
3320  
3321 +       if ((long)size < 0 || size > INT_MAX)
3322 +               return size;
3323 +
3324 +       if (!__builtin_constant_p(size))
3325 +               check_object_size(to, size, false);
3326 +
3327 +       ret = ___copy_from_user(to, from, size);
3328         if (unlikely(ret))
3329                 ret = copy_from_user_fixup(to, from, size);
3330  
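Review bot: In `copy_from_user()` the test `(long)size < 0 || size > INT_MAX` is redundant on a 64-bit `unsigned long`: any value with the sign bit set is already greater than `INT_MAX`, so `if (size > INT_MAX)` alone is equivalent and clearer. More importantly the reason for the `INT_MAX` bound is not stated; if it exists because `___copy_from_user()`/`copy_from_user_fixup()` take the length in a 32-bit register, record that, e.g. `/* the copy routines take a 32-bit length; refuse rather than truncate */`. The same applies to the `copy_to_user()` hunk below.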
3331 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
3332  static inline unsigned long __must_check
3333  copy_to_user(void __user *to, const void *from, unsigned long size)
3334  {
3335 -       unsigned long ret = ___copy_to_user(to, from, size);
3336 +       unsigned long ret;
3337 +
3338 +       if ((long)size < 0 || size > INT_MAX)
3339 +               return size;
3340 +
3341 +       if (!__builtin_constant_p(size))
3342 +               check_object_size(from, size, true);
3343  
3344 +       ret = ___copy_to_user(to, from, size);
3345         if (unlikely(ret))
3346                 ret = copy_to_user_fixup(to, from, size);
3347         return ret;
3348 diff -urNp linux-3.0.9/arch/sparc/include/asm/uaccess.h linux-3.0.9/arch/sparc/include/asm/uaccess.h
3349 --- linux-3.0.9/arch/sparc/include/asm/uaccess.h        2011-11-11 13:12:24.000000000 -0500
3350 +++ linux-3.0.9/arch/sparc/include/asm/uaccess.h        2011-11-15 20:02:59.000000000 -0500
3351 @@ -1,5 +1,13 @@
3352  #ifndef ___ASM_SPARC_UACCESS_H
3353  #define ___ASM_SPARC_UACCESS_H
3354 +
3355 +#ifdef __KERNEL__
3356 +#ifndef __ASSEMBLY__
3357 +#include <linux/types.h>
3358 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3359 +#endif
3360 +#endif
3361 +
3362  #if defined(__sparc__) && defined(__arch64__)
3363  #include <asm/uaccess_64.h>
3364  #else
3365 diff -urNp linux-3.0.9/arch/sparc/kernel/Makefile linux-3.0.9/arch/sparc/kernel/Makefile
3366 --- linux-3.0.9/arch/sparc/kernel/Makefile      2011-11-11 13:12:24.000000000 -0500
3367 +++ linux-3.0.9/arch/sparc/kernel/Makefile      2011-11-15 20:02:59.000000000 -0500
3368 @@ -3,7 +3,7 @@
3369  #
3370  
3371  asflags-y := -ansi
3372 -ccflags-y := -Werror
3373 +#ccflags-y := -Werror
3374  
3375  extra-y     := head_$(BITS).o
3376  extra-y     += init_task.o
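Review bot: Commenting out `ccflags-y := -Werror` silences every future warning in arch/sparc/kernel, not just whichever one this patch introduces, and leaves no record of why. The usual approach is to fix the offending warning, or to narrow the suppression to the single diagnostic (for example `ccflags-y := -Werror -Wno-format` if the new `%pA` printk specifier is what trips it, which cannot be confirmed from this hunk). At minimum a comment naming the triggering warning would let a maintainer re-enable `-Werror` later.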
3377 diff -urNp linux-3.0.9/arch/sparc/kernel/process_32.c linux-3.0.9/arch/sparc/kernel/process_32.c
3378 --- linux-3.0.9/arch/sparc/kernel/process_32.c  2011-11-11 13:12:24.000000000 -0500
3379 +++ linux-3.0.9/arch/sparc/kernel/process_32.c  2011-11-15 20:02:59.000000000 -0500
3380 @@ -204,7 +204,7 @@ void __show_backtrace(unsigned long fp)
3381                        rw->ins[4], rw->ins[5],
3382                        rw->ins[6],
3383                        rw->ins[7]);
3384 -               printk("%pS\n", (void *) rw->ins[7]);
3385 +               printk("%pA\n", (void *) rw->ins[7]);
3386                 rw = (struct reg_window32 *) rw->ins[6];
3387         }
3388         spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
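Review bot: The switch from `%pS` to `%pA` in `__show_backtrace()` depends on a `%pA` handler being added to lib/vsprintf.c elsewhere in the patch, which this hunk cannot show; `%pA` is not a specifier upstream 3.0 knows, so if that part is ever dropped or lost in a rebase the pointer falls through to default `%p` handling and prints the raw kernel address, presumably the opposite of what the change intends. A short comment at the first use, e.g. `/* %pA is a grsecurity printk extension, see lib/vsprintf.c */`, would document the dependency. The same substitution is made in the remaining process_32.c and process_64.c hunks.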
3389 @@ -271,14 +271,14 @@ void show_regs(struct pt_regs *r)
3390  
3391          printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx    %s\n",
3392                r->psr, r->pc, r->npc, r->y, print_tainted());
3393 -       printk("PC: <%pS>\n", (void *) r->pc);
3394 +       printk("PC: <%pA>\n", (void *) r->pc);
3395         printk("%%G: %08lx %08lx  %08lx %08lx  %08lx %08lx  %08lx %08lx\n",
3396                r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
3397                r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
3398         printk("%%O: %08lx %08lx  %08lx %08lx  %08lx %08lx  %08lx %08lx\n",
3399                r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
3400                r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
3401 -       printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
3402 +       printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
3403  
3404         printk("%%L: %08lx %08lx  %08lx %08lx  %08lx %08lx  %08lx %08lx\n",
3405                rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
3406 @@ -313,7 +313,7 @@ void show_stack(struct task_struct *tsk,
3407                 rw = (struct reg_window32 *) fp;
3408                 pc = rw->ins[7];
3409                 printk("[%08lx : ", pc);
3410 -               printk("%pS ] ", (void *) pc);
3411 +               printk("%pA ] ", (void *) pc);
3412                 fp = rw->ins[6];
3413         } while (++count < 16);
3414         printk("\n");
3415 diff -urNp linux-3.0.9/arch/sparc/kernel/process_64.c linux-3.0.9/arch/sparc/kernel/process_64.c
3416 --- linux-3.0.9/arch/sparc/kernel/process_64.c  2011-11-11 13:12:24.000000000 -0500
3417 +++ linux-3.0.9/arch/sparc/kernel/process_64.c  2011-11-15 20:02:59.000000000 -0500
3418 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
3419         printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
3420                rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
3421         if (regs->tstate & TSTATE_PRIV)
3422 -               printk("I7: <%pS>\n", (void *) rwk->ins[7]);
3423 +               printk("I7: <%pA>\n", (void *) rwk->ins[7]);
3424  }
3425  
3426  void show_regs(struct pt_regs *regs)
3427  {
3428         printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x    %s\n", regs->tstate,
3429                regs->tpc, regs->tnpc, regs->y, print_tainted());
3430 -       printk("TPC: <%pS>\n", (void *) regs->tpc);
3431 +       printk("TPC: <%pA>\n", (void *) regs->tpc);
3432         printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
3433                regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
3434                regs->u_regs[3]);
3435 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
3436         printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
3437                regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
3438                regs->u_regs[15]);
3439 -       printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
3440 +       printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
3441         show_regwindow(regs);
3442         show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
3443  }
3444 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
3445                        ((tp && tp->task) ? tp->task->pid : -1));
3446  
3447                 if (gp->tstate & TSTATE_PRIV) {
3448 -                       printk("             TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
3449 +                       printk("             TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
3450                                (void *) gp->tpc,
3451                                (void *) gp->o7,
3452                                (void *) gp->i7,
3453 diff -urNp linux-3.0.9/arch/sparc/kernel/sys_sparc_32.c linux-3.0.9/arch/sparc/kernel/sys_sparc_32.c
3454 --- linux-3.0.9/arch/sparc/kernel/sys_sparc_32.c        2011-11-11 13:12:24.000000000 -0500
3455 +++ linux-3.0.9/arch/sparc/kernel/sys_sparc_32.c        2011-11-15 20:02:59.000000000 -0500
3456 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
3457         if (ARCH_SUN4C && len > 0x20000000)
3458                 return -ENOMEM;
3459         if (!addr)
3460 -               addr = TASK_UNMAPPED_BASE;
3461 +               addr = current->mm->mmap_base;
3462  
3463         if (flags & MAP_SHARED)
3464                 addr = COLOUR_ALIGN(addr);
3465 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
3466                 }
3467                 if (TASK_SIZE - PAGE_SIZE - len < addr)
3468                         return -ENOMEM;
3469 -               if (!vmm || addr + len <= vmm->vm_start)
3470 +               if (check_heap_stack_gap(vmm, addr, len))
3471                         return addr;
3472                 addr = vmm->vm_end;
3473                 if (flags & MAP_SHARED)
3474 diff -urNp linux-3.0.9/arch/sparc/kernel/sys_sparc_64.c linux-3.0.9/arch/sparc/kernel/sys_sparc_64.c
3475 --- linux-3.0.9/arch/sparc/kernel/sys_sparc_64.c        2011-11-11 13:12:24.000000000 -0500
3476 +++ linux-3.0.9/arch/sparc/kernel/sys_sparc_64.c        2011-11-15 20:02:59.000000000 -0500
3477 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3478                 /* We do not accept a shared mapping if it would violate
3479                  * cache aliasing constraints.
3480                  */
3481 -               if ((flags & MAP_SHARED) &&
3482 +               if ((filp || (flags & MAP_SHARED)) &&
3483                     ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3484                         return -EINVAL;
3485                 return addr;
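Review bot: Extending the MAP_FIXED alignment check from `MAP_SHARED` to `filp || (flags & MAP_SHARED)` turns a previously accepted private file mapping at a fixed address whose `addr - (pgoff << PAGE_SHIFT)` is not SHMLBA-aligned into `-EINVAL`; that is a userspace-visible tightening, not merely a changed default. It does match the `do_color_align` rule visible as context in the next hunk, but a comment should record that the fixed-address path is now deliberately stricter than upstream, e.g. `/* private file mappings are colour-aligned too (see do_color_align); reject misaligned MAP_FIXED rather than alias the cache */`. `arch_get_unmapped_area` begins before this hunk.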
3486 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
3487         if (filp || (flags & MAP_SHARED))
3488                 do_color_align = 1;
3489  
3490 +#ifdef CONFIG_PAX_RANDMMAP
3491 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3492 +#endif
3493 +
3494         if (addr) {
3495                 if (do_color_align)
3496                         addr = COLOUR_ALIGN(addr, pgoff);
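Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` guard `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and is separated from `if (addr) {` by a blank line, so it reads as two unrelated statements when it is in fact one `if` whose body is the entire `if (addr)` block; that pairing is easy to break in a later edit and is invisible to anyone skimming the non-PaX build. Dropping the blank line and adding a comment directly above the guard, e.g. `/* with RANDMMAP the caller's address hint is ignored for non-fixed mappings */`, makes the coupling explicit. The MAP_FIXED path in the previous hunk still honours `addr`, which is presumably intended.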
3497 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
3498                         addr = PAGE_ALIGN(addr);
3499  
3500                 vma = find_vma(mm, addr);
3501 -               if (task_size - len >= addr &&
3502 -                   (!vma || addr + len <= vma->vm_start))
3503 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3504                         return addr;
3505         }
3506  
3507         if (len > mm->cached_hole_size) {
3508 -               start_addr = addr = mm->free_area_cache;
3509 +               start_addr = addr = mm->free_area_cache;
3510         } else {
3511 -               start_addr = addr = TASK_UNMAPPED_BASE;
3512 +               start_addr = addr = mm->mmap_base;
3513                 mm->cached_hole_size = 0;
3514         }
3515  
3516 @@ -174,14 +177,14 @@ full_search:
3517                         vma = find_vma(mm, VA_EXCLUDE_END);
3518                 }
3519                 if (unlikely(task_size < addr)) {
3520 -                       if (start_addr != TASK_UNMAPPED_BASE) {
3521 -                               start_addr = addr = TASK_UNMAPPED_BASE;
3522 +                       if (start_addr != mm->mmap_base) {
3523 +                               start_addr = addr = mm->mmap_base;
3524                                 mm->cached_hole_size = 0;
3525                                 goto full_search;
3526                         }
3527                         return -ENOMEM;
3528                 }
3529 -               if (likely(!vma || addr + len <= vma->vm_start)) {
3530 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
3531                         /*
3532                          * Remember the place where we stopped the search:
3533                          */
3534 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
3535                 /* We do not accept a shared mapping if it would violate
3536                  * cache aliasing constraints.
3537                  */
3538 -               if ((flags & MAP_SHARED) &&
3539 +               if ((filp || (flags & MAP_SHARED)) &&
3540                     ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3541                         return -EINVAL;
3542                 return addr;
3543 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
3544                         addr = PAGE_ALIGN(addr);
3545  
3546                 vma = find_vma(mm, addr);
3547 -               if (task_size - len >= addr &&
3548 -                   (!vma || addr + len <= vma->vm_start))
3549 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3550                         return addr;
3551         }
3552  
3553 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
3554         /* make sure it can fit in the remaining address space */
3555         if (likely(addr > len)) {
3556                 vma = find_vma(mm, addr-len);
3557 -               if (!vma || addr <= vma->vm_start) {
3558 +               if (check_heap_stack_gap(vma, addr - len, len)) {
3559                         /* remember the address as a hint for next time */
3560                         return (mm->free_area_cache = addr-len);
3561                 }
3562 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
3563         if (unlikely(mm->mmap_base < len))
3564                 goto bottomup;
3565  
3566 -       addr = mm->mmap_base-len;
3567 -       if (do_color_align)
3568 -               addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3569 +       addr = mm->mmap_base - len;
3570  
3571         do {
3572 +               if (do_color_align)
3573 +                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3574                 /*
3575                  * Lookup failure means no vma is above this address,
3576                  * else if new region fits below vma->vm_start,
3577                  * return with success:
3578                  */
3579                 vma = find_vma(mm, addr);
3580 -               if (likely(!vma || addr+len <= vma->vm_start)) {
3581 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
3582                         /* remember the address as a hint for next time */
3583                         return (mm->free_area_cache = addr);
3584                 }
3585 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
3586                         mm->cached_hole_size = vma->vm_start - addr;
3587  
3588                 /* try just below the current vma->vm_start */
3589 -               addr = vma->vm_start-len;
3590 -               if (do_color_align)
3591 -                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3592 -       } while (likely(len < vma->vm_start));
3593 +               addr = skip_heap_stack_gap(vma, len);
3594 +       } while (!IS_ERR_VALUE(addr));
3595  
3596  bottomup:
3597         /*
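Review bot: The new loop exit `} while (!IS_ERR_VALUE(addr));` replaces the explicit `len < vma->vm_start` underflow guard with a convention that skip_heap_stack_gap() hands back an errno-encoded value once nothing fits below vma, and nothing at the call site says so; a comment on the assignment, `/* skip_heap_stack_gap() returns an IS_ERR_VALUE when there is no room below vma; then fall back to bottom-up */`, would make the termination condition readable. The colour alignment now done at the top of the loop (previous hunk) operates on the value skip_heap_stack_gap() produced, so that helper is presumably expected to return a page-aligned address still above the gap — worth confirming against its definition, which is not in this hunk.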
3598 @@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
3599             gap == RLIM_INFINITY ||
3600             sysctl_legacy_va_layout) {
3601                 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3602 +
3603 +#ifdef CONFIG_PAX_RANDMMAP
3604 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3605 +                       mm->mmap_base += mm->delta_mmap;
3606 +#endif
3607 +
3608                 mm->get_unmapped_area = arch_get_unmapped_area;
3609                 mm->unmap_area = arch_unmap_area;
3610         } else {
3611 @@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
3612                         gap = (task_size / 6 * 5);
3613  
3614                 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3615 +
3616 +#ifdef CONFIG_PAX_RANDMMAP
3617 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3618 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3619 +#endif
3620 +
3621                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3622                 mm->unmap_area = arch_unmap_area_topdown;
3623         }
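Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` runs after `PAGE_ALIGN(task_size - gap - random_factor)`, so mmap_base stays page-aligned only if both deltas are page multiples, and the same holds for `mm->mmap_base += mm->delta_mmap;` in the legacy-layout hunk above; where those deltas are computed is not visible here, so the invariant deserves a comment at both sites, e.g. `/* delta_mmap/delta_stack are page multiples, so mmap_base stays page-aligned */`. The subtraction is also not reflected in the gap clamp just above it, so with the PaX delta the effective gap can exceed the `task_size / 6 * 5` ceiling — presumably intended, but worth a sentence. arch_pick_mmap_layout starts outside the hunk.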
3624 diff -urNp linux-3.0.9/arch/sparc/kernel/traps_32.c linux-3.0.9/arch/sparc/kernel/traps_32.c
3625 --- linux-3.0.9/arch/sparc/kernel/traps_32.c    2011-11-11 13:12:24.000000000 -0500
3626 +++ linux-3.0.9/arch/sparc/kernel/traps_32.c    2011-11-15 20:02:59.000000000 -0500
3627 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
3628  #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
3629  #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
3630  
3631 +extern void gr_handle_kernel_exploit(void);
3632 +
3633  void die_if_kernel(char *str, struct pt_regs *regs)
3634  {
3635         static int die_counter;
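Review bot: `extern void gr_handle_kernel_exploit(void);` is declared ad hoc in the .c file rather than in a shared header, which checkpatch flags and which lets the prototype drift from the definition unnoticed; the identical declaration is repeated in the traps_64.c hunk at `@@ -2226,6 +2237,8 @@`. Put the prototype in one grsecurity header and include it from both files.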
3636 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
3637                       count++ < 30                              &&
3638                        (((unsigned long) rw) >= PAGE_OFFSET)    &&
3639                       !(((unsigned long) rw) & 0x7)) {
3640 -                       printk("Caller[%08lx]: %pS\n", rw->ins[7],
3641 +                       printk("Caller[%08lx]: %pA\n", rw->ins[7],
3642                                (void *) rw->ins[7]);
3643                         rw = (struct reg_window32 *)rw->ins[6];
3644                 }
3645         }
3646         printk("Instruction DUMP:");
3647         instruction_dump ((unsigned long *) regs->pc);
3648 -       if(regs->psr & PSR_PS)
3649 +       if(regs->psr & PSR_PS) {
3650 +               gr_handle_kernel_exploit();
3651                 do_exit(SIGKILL);
3652 +       }
3653         do_exit(SIGSEGV);
3654  }
3655  
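Review bot: `%pA` is not a printk pointer extension in stock 3.0.9 (`%pS` is), so these conversions print correctly only if the vsprintf change that presumably lives elsewhere in this patch is built in; otherwise the address is printed as a raw pointer followed by a literal "A", and the dependency deserves a comment at the first use, e.g. `/* %pA: PaX symbolic-name conversion, added to lib/vsprintf.c by this patch */`. The same applies to every `%pS` → `%pA` hunk in traps_64.c and unaligned_64.c below. Separately, the rewritten line `if(regs->psr & PSR_PS) {` should read `if (regs->psr & PSR_PS) {` per kernel style; the traps_64.c die_if_kernel hunk already has the space. die_if_kernel starts outside the hunk.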
3656 diff -urNp linux-3.0.9/arch/sparc/kernel/traps_64.c linux-3.0.9/arch/sparc/kernel/traps_64.c
3657 --- linux-3.0.9/arch/sparc/kernel/traps_64.c    2011-11-11 13:12:24.000000000 -0500
3658 +++ linux-3.0.9/arch/sparc/kernel/traps_64.c    2011-11-15 20:02:59.000000000 -0500
3659 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
3660                        i + 1,
3661                        p->trapstack[i].tstate, p->trapstack[i].tpc,
3662                        p->trapstack[i].tnpc, p->trapstack[i].tt);
3663 -               printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
3664 +               printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
3665         }
3666  }
3667  
3668 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
3669  
3670         lvl -= 0x100;
3671         if (regs->tstate & TSTATE_PRIV) {
3672 +
3673 +#ifdef CONFIG_PAX_REFCOUNT
3674 +               if (lvl == 6)
3675 +                       pax_report_refcount_overflow(regs);
3676 +#endif
3677 +
3678                 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
3679                 die_if_kernel(buffer, regs);
3680         }
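Review bot: The trap number in `if (lvl == 6)` is a bare literal that has to stay in step with the `tvs %icc, 6` / `tvs %xcc, 6` instructions added to every routine in the arch/sparc/lib/atomic_64.S hunks and with the same test in the bad_trap_tl1 hunk below, and nothing ties the sites together. Define the number once in a header both C and assembly can include (e.g. `#define PAX_REFCOUNT_TRAP 6`, a constructed name) and use it everywhere so a later renumbering cannot silently desynchronise the detector from the instrumentation. A comment here such as `/* software trap 6 is raised by the addcc/subcc + tvs overflow checks in atomic_64.S */` would also help the reader. bad_trap starts outside the hunk.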
3681 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
3682  void bad_trap_tl1(struct pt_regs *regs, long lvl)
3683  {
3684         char buffer[32];
3685 -       
3686 +
3687         if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
3688                        0, lvl, SIGTRAP) == NOTIFY_STOP)
3689                 return;
3690  
3691 +#ifdef CONFIG_PAX_REFCOUNT
3692 +       if (lvl == 6)
3693 +               pax_report_refcount_overflow(regs);
3694 +#endif
3695 +
3696         dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
3697  
3698         sprintf (buffer, "Bad trap %lx at tl>0", lvl);
3699 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
3700                regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
3701         printk("%s" "ERROR(%d): ",
3702                (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
3703 -       printk("TPC<%pS>\n", (void *) regs->tpc);
3704 +       printk("TPC<%pA>\n", (void *) regs->tpc);
3705         printk("%s" "ERROR(%d): M_SYND(%lx),  E_SYND(%lx)%s%s\n",
3706                (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
3707                (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
3708 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
3709                        smp_processor_id(),
3710                        (type & 0x1) ? 'I' : 'D',
3711                        regs->tpc);
3712 -               printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
3713 +               printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
3714                 panic("Irrecoverable Cheetah+ parity error.");
3715         }
3716  
3717 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
3718                smp_processor_id(),
3719                (type & 0x1) ? 'I' : 'D',
3720                regs->tpc);
3721 -       printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
3722 +       printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
3723  }
3724  
3725  struct sun4v_error_entry {
3726 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
3727  
3728         printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
3729                regs->tpc, tl);
3730 -       printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
3731 +       printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
3732         printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
3733 -       printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
3734 +       printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
3735                (void *) regs->u_regs[UREG_I7]);
3736         printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
3737                "pte[%lx] error[%lx]\n",
3738 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
3739  
3740         printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
3741                regs->tpc, tl);
3742 -       printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
3743 +       printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
3744         printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
3745 -       printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
3746 +       printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
3747                (void *) regs->u_regs[UREG_I7]);
3748         printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
3749                "pte[%lx] error[%lx]\n",
3750 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
3751                         fp = (unsigned long)sf->fp + STACK_BIAS;
3752                 }
3753  
3754 -               printk(" [%016lx] %pS\n", pc, (void *) pc);
3755 +               printk(" [%016lx] %pA\n", pc, (void *) pc);
3756  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
3757                 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
3758                         int index = tsk->curr_ret_stack;
3759                         if (tsk->ret_stack && index >= graph) {
3760                                 pc = tsk->ret_stack[index - graph].ret;
3761 -                               printk(" [%016lx] %pS\n", pc, (void *) pc);
3762 +                               printk(" [%016lx] %pA\n", pc, (void *) pc);
3763                                 graph++;
3764                         }
3765                 }
3766 @@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
3767         return (struct reg_window *) (fp + STACK_BIAS);
3768  }
3769  
3770 +extern void gr_handle_kernel_exploit(void);
3771 +
3772  void die_if_kernel(char *str, struct pt_regs *regs)
3773  {
3774         static int die_counter;
3775 @@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
3776                 while (rw &&
3777                        count++ < 30 &&
3778                        kstack_valid(tp, (unsigned long) rw)) {
3779 -                       printk("Caller[%016lx]: %pS\n", rw->ins[7],
3780 +                       printk("Caller[%016lx]: %pA\n", rw->ins[7],
3781                                (void *) rw->ins[7]);
3782  
3783                         rw = kernel_stack_up(rw);
3784 @@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
3785                 }
3786                 user_instruction_dump ((unsigned int __user *) regs->tpc);
3787         }
3788 -       if (regs->tstate & TSTATE_PRIV)
3789 +       if (regs->tstate & TSTATE_PRIV) {
3790 +               gr_handle_kernel_exploit();
3791                 do_exit(SIGKILL);
3792 +       }
3793         do_exit(SIGSEGV);
3794  }
3795  EXPORT_SYMBOL(die_if_kernel);
3796 diff -urNp linux-3.0.9/arch/sparc/kernel/unaligned_64.c linux-3.0.9/arch/sparc/kernel/unaligned_64.c
3797 --- linux-3.0.9/arch/sparc/kernel/unaligned_64.c        2011-11-11 13:12:24.000000000 -0500
3798 +++ linux-3.0.9/arch/sparc/kernel/unaligned_64.c        2011-11-15 20:02:59.000000000 -0500
3799 @@ -279,7 +279,7 @@ static void log_unaligned(struct pt_regs
3800         static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
3801  
3802         if (__ratelimit(&ratelimit)) {
3803 -               printk("Kernel unaligned access at TPC[%lx] %pS\n",
3804 +               printk("Kernel unaligned access at TPC[%lx] %pA\n",
3805                        regs->tpc, (void *) regs->tpc);
3806         }
3807  }
3808 diff -urNp linux-3.0.9/arch/sparc/lib/atomic_64.S linux-3.0.9/arch/sparc/lib/atomic_64.S
3809 --- linux-3.0.9/arch/sparc/lib/atomic_64.S      2011-11-11 13:12:24.000000000 -0500
3810 +++ linux-3.0.9/arch/sparc/lib/atomic_64.S      2011-11-15 20:02:59.000000000 -0500
3811 @@ -18,7 +18,12 @@
3812  atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
3813         BACKOFF_SETUP(%o2)
3814  1:     lduw    [%o1], %g1
3815 -       add     %g1, %o0, %g7
3816 +       addcc   %g1, %o0, %g7
3817 +
3818 +#ifdef CONFIG_PAX_REFCOUNT
3819 +       tvs     %icc, 6
3820 +#endif
3821 +
3822         cas     [%o1], %g1, %g7
3823         cmp     %g1, %g7
3824         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
3825 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
3826  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3827         .size   atomic_add, .-atomic_add
3828  
3829 +       .globl  atomic_add_unchecked
3830 +       .type   atomic_add_unchecked,#function
3831 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3832 +       BACKOFF_SETUP(%o2)
3833 +1:     lduw    [%o1], %g1
3834 +       add     %g1, %o0, %g7
3835 +       cas     [%o1], %g1, %g7
3836 +       cmp     %g1, %g7
3837 +       bne,pn  %icc, 2f
3838 +        nop
3839 +       retl
3840 +        nop
3841 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3842 +       .size   atomic_add_unchecked, .-atomic_add_unchecked
3843 +
3844         .globl  atomic_sub
3845         .type   atomic_sub,#function
3846  atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3847         BACKOFF_SETUP(%o2)
3848  1:     lduw    [%o1], %g1
3849 -       sub     %g1, %o0, %g7
3850 +       subcc   %g1, %o0, %g7
3851 +
3852 +#ifdef CONFIG_PAX_REFCOUNT
3853 +       tvs     %icc, 6
3854 +#endif
3855 +
3856         cas     [%o1], %g1, %g7
3857         cmp     %g1, %g7
3858         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
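Review bot: In `atomic_add_unchecked` the retry branch is `bne,pn %icc, 2f` with a hard-coded spin label, whereas the checked routine it copies uses `BACKOFF_LABEL(2f, 1b)`; on !CONFIG_SMP backoff.h expands BACKOFF_LABEL to the continue label and BACKOFF_SPIN to nothing, so a lost compare-and-swap would branch to an empty `2:` and fall through past `.size` into the next routine instead of retrying. Use `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` here; the same applies to atomic_sub_unchecked, atomic_add_ret_unchecked, atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked in the following hunks (with `%xcc` for the 64-bit ones).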
3859 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
3860  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3861         .size   atomic_sub, .-atomic_sub
3862  
3863 +       .globl  atomic_sub_unchecked
3864 +       .type   atomic_sub_unchecked,#function
3865 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3866 +       BACKOFF_SETUP(%o2)
3867 +1:     lduw    [%o1], %g1
3868 +       sub     %g1, %o0, %g7
3869 +       cas     [%o1], %g1, %g7
3870 +       cmp     %g1, %g7
3871 +       bne,pn  %icc, 2f
3872 +        nop
3873 +       retl
3874 +        nop
3875 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3876 +       .size   atomic_sub_unchecked, .-atomic_sub_unchecked
3877 +
3878         .globl  atomic_add_ret
3879         .type   atomic_add_ret,#function
3880  atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3881         BACKOFF_SETUP(%o2)
3882  1:     lduw    [%o1], %g1
3883 -       add     %g1, %o0, %g7
3884 +       addcc   %g1, %o0, %g7
3885 +
3886 +#ifdef CONFIG_PAX_REFCOUNT
3887 +       tvs     %icc, 6
3888 +#endif
3889 +
3890         cas     [%o1], %g1, %g7
3891         cmp     %g1, %g7
3892         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
3893 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1 
3894  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3895         .size   atomic_add_ret, .-atomic_add_ret
3896  
3897 +       .globl  atomic_add_ret_unchecked
3898 +       .type   atomic_add_ret_unchecked,#function
3899 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3900 +       BACKOFF_SETUP(%o2)
3901 +1:     lduw    [%o1], %g1
3902 +       addcc   %g1, %o0, %g7
3903 +       cas     [%o1], %g1, %g7
3904 +       cmp     %g1, %g7
3905 +       bne,pn  %icc, 2f
3906 +        add    %g7, %o0, %g7
3907 +       sra     %g7, 0, %o0
3908 +       retl
3909 +        nop
3910 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3911 +       .size   atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
3912 +
3913         .globl  atomic_sub_ret
3914         .type   atomic_sub_ret,#function
3915  atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3916         BACKOFF_SETUP(%o2)
3917  1:     lduw    [%o1], %g1
3918 -       sub     %g1, %o0, %g7
3919 +       subcc   %g1, %o0, %g7
3920 +
3921 +#ifdef CONFIG_PAX_REFCOUNT
3922 +       tvs     %icc, 6
3923 +#endif
3924 +
3925         cas     [%o1], %g1, %g7
3926         cmp     %g1, %g7
3927         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
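Review bot: `atomic_add_ret_unchecked` computes the new value with `addcc` although the unchecked variants exist precisely to skip the overflow trap — atomic_add_unchecked and atomic_sub_unchecked above use plain `add`/`sub`. The condition codes it sets are overwritten by the following `cmp`, so it is harmless, but the inconsistency reads like a copy from the checked routine; use `add %g1, %o0, %g7` here and likewise `add`/`sub` in atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked below.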
3928 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 
3929  atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
3930         BACKOFF_SETUP(%o2)
3931  1:     ldx     [%o1], %g1
3932 -       add     %g1, %o0, %g7
3933 +       addcc   %g1, %o0, %g7
3934 +
3935 +#ifdef CONFIG_PAX_REFCOUNT
3936 +       tvs     %xcc, 6
3937 +#endif
3938 +
3939         casx    [%o1], %g1, %g7
3940         cmp     %g1, %g7
3941         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
3942 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 = 
3943  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3944         .size   atomic64_add, .-atomic64_add
3945  
3946 +       .globl  atomic64_add_unchecked
3947 +       .type   atomic64_add_unchecked,#function
3948 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3949 +       BACKOFF_SETUP(%o2)
3950 +1:     ldx     [%o1], %g1
3951 +       addcc   %g1, %o0, %g7
3952 +       casx    [%o1], %g1, %g7
3953 +       cmp     %g1, %g7
3954 +       bne,pn  %xcc, 2f
3955 +        nop
3956 +       retl
3957 +        nop
3958 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3959 +       .size   atomic64_add_unchecked, .-atomic64_add_unchecked
3960 +
3961         .globl  atomic64_sub
3962         .type   atomic64_sub,#function
3963  atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3964         BACKOFF_SETUP(%o2)
3965  1:     ldx     [%o1], %g1
3966 -       sub     %g1, %o0, %g7
3967 +       subcc   %g1, %o0, %g7
3968 +
3969 +#ifdef CONFIG_PAX_REFCOUNT
3970 +       tvs     %xcc, 6
3971 +#endif
3972 +
3973         casx    [%o1], %g1, %g7
3974         cmp     %g1, %g7
3975         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
3976 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = 
3977  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3978         .size   atomic64_sub, .-atomic64_sub
3979  
3980 +       .globl  atomic64_sub_unchecked
3981 +       .type   atomic64_sub_unchecked,#function
3982 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3983 +       BACKOFF_SETUP(%o2)
3984 +1:     ldx     [%o1], %g1
3985 +       subcc   %g1, %o0, %g7
3986 +       casx    [%o1], %g1, %g7
3987 +       cmp     %g1, %g7
3988 +       bne,pn  %xcc, 2f
3989 +        nop
3990 +       retl
3991 +        nop
3992 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3993 +       .size   atomic64_sub_unchecked, .-atomic64_sub_unchecked
3994 +
3995         .globl  atomic64_add_ret
3996         .type   atomic64_add_ret,#function
3997  atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3998         BACKOFF_SETUP(%o2)
3999  1:     ldx     [%o1], %g1
4000 -       add     %g1, %o0, %g7
4001 +       addcc   %g1, %o0, %g7
4002 +
4003 +#ifdef CONFIG_PAX_REFCOUNT
4004 +       tvs     %xcc, 6
4005 +#endif
4006 +
4007         casx    [%o1], %g1, %g7
4008         cmp     %g1, %g7
4009         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
4010 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4011  2:     BACKOFF_SPIN(%o2, %o3, 1b)
4012         .size   atomic64_add_ret, .-atomic64_add_ret
4013  
4014 +       .globl  atomic64_add_ret_unchecked
4015 +       .type   atomic64_add_ret_unchecked,#function
4016 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4017 +       BACKOFF_SETUP(%o2)
4018 +1:     ldx     [%o1], %g1
4019 +       addcc   %g1, %o0, %g7
4020 +       casx    [%o1], %g1, %g7
4021 +       cmp     %g1, %g7
4022 +       bne,pn  %xcc, 2f
4023 +        add    %g7, %o0, %g7
4024 +       mov     %g7, %o0
4025 +       retl
4026 +        nop
4027 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
4028 +       .size   atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4029 +
4030         .globl  atomic64_sub_ret
4031         .type   atomic64_sub_ret,#function
4032  atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4033         BACKOFF_SETUP(%o2)
4034  1:     ldx     [%o1], %g1
4035 -       sub     %g1, %o0, %g7
4036 +       subcc   %g1, %o0, %g7
4037 +
4038 +#ifdef CONFIG_PAX_REFCOUNT
4039 +       tvs     %xcc, 6
4040 +#endif
4041 +
4042         casx    [%o1], %g1, %g7
4043         cmp     %g1, %g7
4044         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
4045 diff -urNp linux-3.0.9/arch/sparc/lib/ksyms.c linux-3.0.9/arch/sparc/lib/ksyms.c
4046 --- linux-3.0.9/arch/sparc/lib/ksyms.c  2011-11-11 13:12:24.000000000 -0500
4047 +++ linux-3.0.9/arch/sparc/lib/ksyms.c  2011-11-15 20:02:59.000000000 -0500
4048 @@ -142,12 +142,18 @@ EXPORT_SYMBOL(__downgrade_write);
4049  
4050  /* Atomic counter implementation. */
4051  EXPORT_SYMBOL(atomic_add);
4052 +EXPORT_SYMBOL(atomic_add_unchecked);
4053  EXPORT_SYMBOL(atomic_add_ret);
4054 +EXPORT_SYMBOL(atomic_add_ret_unchecked);
4055  EXPORT_SYMBOL(atomic_sub);
4056 +EXPORT_SYMBOL(atomic_sub_unchecked);
4057  EXPORT_SYMBOL(atomic_sub_ret);
4058  EXPORT_SYMBOL(atomic64_add);
4059 +EXPORT_SYMBOL(atomic64_add_unchecked);
4060  EXPORT_SYMBOL(atomic64_add_ret);
4061 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4062  EXPORT_SYMBOL(atomic64_sub);
4063 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4064  EXPORT_SYMBOL(atomic64_sub_ret);
4065  
4066  /* Atomic bit operations. */
4067 diff -urNp linux-3.0.9/arch/sparc/lib/Makefile linux-3.0.9/arch/sparc/lib/Makefile
4068 --- linux-3.0.9/arch/sparc/lib/Makefile 2011-11-11 13:12:24.000000000 -0500
4069 +++ linux-3.0.9/arch/sparc/lib/Makefile 2011-11-15 20:02:59.000000000 -0500
4070 @@ -2,7 +2,7 @@
4071  #
4072  
4073  asflags-y := -ansi -DST_DIV0=0x02
4074 -ccflags-y := -Werror
4075 +#ccflags-y := -Werror
4076  
4077  lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
4078  lib-$(CONFIG_SPARC32) += memcpy.o memset.o
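Review bot: Commenting out `ccflags-y := -Werror` for the whole of arch/sparc/lib silences every warning in the low-level atomic, bit-op and memory routines rather than addressing whichever warning the new code introduces, and a compiler warning in these primitives is exactly the signal that should fail the build. Either fix the offending warning or, if it is genuinely benign, keep `-Werror` and disable only that diagnostic for the affected object (`CFLAGS_<object>.o += -Wno-<warning>`, placeholders) with a comment naming it.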
4079 diff -urNp linux-3.0.9/arch/sparc/Makefile linux-3.0.9/arch/sparc/Makefile
4080 --- linux-3.0.9/arch/sparc/Makefile     2011-11-11 13:12:24.000000000 -0500
4081 +++ linux-3.0.9/arch/sparc/Makefile     2011-11-15 20:02:59.000000000 -0500
4082 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE)    += arch/sparc
4083  # Export what is needed by arch/sparc/boot/Makefile
4084  export VMLINUX_INIT VMLINUX_MAIN
4085  VMLINUX_INIT := $(head-y) $(init-y)
4086 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4087 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4088  VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4089  VMLINUX_MAIN += $(drivers-y) $(net-y)
4090  
4091 diff -urNp linux-3.0.9/arch/sparc/mm/fault_32.c linux-3.0.9/arch/sparc/mm/fault_32.c
4092 --- linux-3.0.9/arch/sparc/mm/fault_32.c        2011-11-11 13:12:24.000000000 -0500
4093 +++ linux-3.0.9/arch/sparc/mm/fault_32.c        2011-11-15 20:02:59.000000000 -0500
4094 @@ -22,6 +22,9 @@
4095  #include <linux/interrupt.h>
4096  #include <linux/module.h>
4097  #include <linux/kdebug.h>
4098 +#include <linux/slab.h>
4099 +#include <linux/pagemap.h>
4100 +#include <linux/compiler.h>
4101  
4102  #include <asm/system.h>
4103  #include <asm/page.h>
4104 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4105         return safe_compute_effective_address(regs, insn);
4106  }
4107  
4108 +#ifdef CONFIG_PAX_PAGEEXEC
4109 +#ifdef CONFIG_PAX_DLRESOLVE
4110 +static void pax_emuplt_close(struct vm_area_struct *vma)
4111 +{
4112 +       vma->vm_mm->call_dl_resolve = 0UL;
4113 +}
4114 +
4115 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4116 +{
4117 +       unsigned int *kaddr;
4118 +
4119 +       vmf->page = alloc_page(GFP_HIGHUSER);
4120 +       if (!vmf->page)
4121 +               return VM_FAULT_OOM;
4122 +
4123 +       kaddr = kmap(vmf->page);
4124 +       memset(kaddr, 0, PAGE_SIZE);
4125 +       kaddr[0] = 0x9DE3BFA8U; /* save */
4126 +       flush_dcache_page(vmf->page);
4127 +       kunmap(vmf->page);
4128 +       return VM_FAULT_MAJOR;
4129 +}
4130 +
4131 +static const struct vm_operations_struct pax_vm_ops = {
4132 +       .close = pax_emuplt_close,
4133 +       .fault = pax_emuplt_fault
4134 +};
4135 +
4136 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4137 +{
4138 +       int ret;
4139 +
4140 +       INIT_LIST_HEAD(&vma->anon_vma_chain);
4141 +       vma->vm_mm = current->mm;
4142 +       vma->vm_start = addr;
4143 +       vma->vm_end = addr + PAGE_SIZE;
4144 +       vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4145 +       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4146 +       vma->vm_ops = &pax_vm_ops;
4147 +
4148 +       ret = insert_vm_struct(current->mm, vma);
4149 +       if (ret)
4150 +               return ret;
4151 +
4152 +       ++current->mm->total_vm;
4153 +       return 0;
4154 +}
4155 +#endif
4156 +
4157 +/*
4158 + * PaX: decide what to do with offenders (regs->pc = fault address)
4159 + *
4160 + * returns 1 when task should be killed
4161 + *         2 when patched PLT trampoline was detected
4162 + *         3 when unpatched PLT trampoline was detected
4163 + */
4164 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4165 +{
4166 +
4167 +#ifdef CONFIG_PAX_EMUPLT
4168 +       int err;
4169 +
4170 +       do { /* PaX: patched PLT emulation #1 */
4171 +               unsigned int sethi1, sethi2, jmpl;
4172 +
4173 +               err = get_user(sethi1, (unsigned int *)regs->pc);
4174 +               err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4175 +               err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4176 +
4177 +               if (err)
4178 +                       break;
4179 +
4180 +               if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4181 +                   (sethi2 & 0xFFC00000U) == 0x03000000U &&
4182 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U)
4183 +               {
4184 +                       unsigned int addr;
4185 +
4186 +                       regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4187 +                       addr = regs->u_regs[UREG_G1];
4188 +                       addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4189 +                       regs->pc = addr;
4190 +                       regs->npc = addr+4;
4191 +                       return 2;
4192 +               }
4193 +       } while (0);
4194 +
4195 +       { /* PaX: patched PLT emulation #2 */
4196 +               unsigned int ba;
4197 +
4198 +               err = get_user(ba, (unsigned int *)regs->pc);
4199 +
4200 +               if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4201 +                       unsigned int addr;
4202 +
4203 +                       addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4204 +                       regs->pc = addr;
4205 +                       regs->npc = addr+4;
4206 +                       return 2;
4207 +               }
4208 +       }
4209 +
4210 +       do { /* PaX: patched PLT emulation #3 */
4211 +               unsigned int sethi, jmpl, nop;
4212 +
4213 +               err = get_user(sethi, (unsigned int *)regs->pc);
4214 +               err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4215 +               err |= get_user(nop, (unsigned int *)(regs->pc+8));
4216 +
4217 +               if (err)
4218 +                       break;
4219 +
4220 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4221 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4222 +                   nop == 0x01000000U)
4223 +               {
4224 +                       unsigned int addr;
4225 +
4226 +                       addr = (sethi & 0x003FFFFFU) << 10;
4227 +                       regs->u_regs[UREG_G1] = addr;
4228 +                       addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4229 +                       regs->pc = addr;
4230 +                       regs->npc = addr+4;
4231 +                       return 2;
4232 +               }
4233 +       } while (0);
4234 +
4235 +       do { /* PaX: unpatched PLT emulation step 1 */
4236 +               unsigned int sethi, ba, nop;
4237 +
4238 +               err = get_user(sethi, (unsigned int *)regs->pc);
4239 +               err |= get_user(ba, (unsigned int *)(regs->pc+4));
4240 +               err |= get_user(nop, (unsigned int *)(regs->pc+8));
4241 +
4242 +               if (err)
4243 +                       break;
4244 +
4245 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4246 +                   ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4247 +                   nop == 0x01000000U)
4248 +               {
4249 +                       unsigned int addr, save, call;
4250 +
4251 +                       if ((ba & 0xFFC00000U) == 0x30800000U)
4252 +                               addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4253 +                       else
4254 +                               addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4255 +
4256 +                       err = get_user(save, (unsigned int *)addr);
4257 +                       err |= get_user(call, (unsigned int *)(addr+4));
4258 +                       err |= get_user(nop, (unsigned int *)(addr+8));
4259 +                       if (err)
4260 +                               break;
4261 +
4262 +#ifdef CONFIG_PAX_DLRESOLVE
4263 +                       if (save == 0x9DE3BFA8U &&
4264 +                           (call & 0xC0000000U) == 0x40000000U &&
4265 +                           nop == 0x01000000U)
4266 +                       {
4267 +                               struct vm_area_struct *vma;
4268 +                               unsigned long call_dl_resolve;
4269 +
4270 +                               down_read(&current->mm->mmap_sem);
4271 +                               call_dl_resolve = current->mm->call_dl_resolve;
4272 +                               up_read(&current->mm->mmap_sem);
4273 +                               if (likely(call_dl_resolve))
4274 +                                       goto emulate;
4275 +
4276 +                               vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4277 +
4278 +                               down_write(&current->mm->mmap_sem);
4279 +                               if (current->mm->call_dl_resolve) {
4280 +                                       call_dl_resolve = current->mm->call_dl_resolve;
4281 +                                       up_write(&current->mm->mmap_sem);
4282 +                                       if (vma)
4283 +                                               kmem_cache_free(vm_area_cachep, vma);
4284 +                                       goto emulate;
4285 +                               }
4286 +
4287 +                               call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4288 +                               if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4289 +                                       up_write(&current->mm->mmap_sem);
4290 +                                       if (vma)
4291 +                                               kmem_cache_free(vm_area_cachep, vma);
4292 +                                       return 1;
4293 +                               }
4294 +
4295 +                               if (pax_insert_vma(vma, call_dl_resolve)) {
4296 +                                       up_write(&current->mm->mmap_sem);
4297 +                                       kmem_cache_free(vm_area_cachep, vma);
4298 +                                       return 1;
4299 +                               }
4300 +
4301 +                               current->mm->call_dl_resolve = call_dl_resolve;
4302 +                               up_write(&current->mm->mmap_sem);
4303 +
4304 +emulate:
4305 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4306 +                               regs->pc = call_dl_resolve;
4307 +                               regs->npc = addr+4;
4308 +                               return 3;
4309 +                       }
4310 +#endif
4311 +
4312 +                       /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4313 +                       if ((save & 0xFFC00000U) == 0x05000000U &&
4314 +                           (call & 0xFFFFE000U) == 0x85C0A000U &&
4315 +                           nop == 0x01000000U)
4316 +                       {
4317 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4318 +                               regs->u_regs[UREG_G2] = addr + 4;
4319 +                               addr = (save & 0x003FFFFFU) << 10;
4320 +                               addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4321 +                               regs->pc = addr;
4322 +                               regs->npc = addr+4;
4323 +                               return 3;
4324 +                       }
4325 +               }
4326 +       } while (0);
4327 +
4328 +       do { /* PaX: unpatched PLT emulation step 2 */
4329 +               unsigned int save, call, nop;
4330 +
4331 +               err = get_user(save, (unsigned int *)(regs->pc-4));
4332 +               err |= get_user(call, (unsigned int *)regs->pc);
4333 +               err |= get_user(nop, (unsigned int *)(regs->pc+4));
4334 +               if (err)
4335 +                       break;
4336 +
4337 +               if (save == 0x9DE3BFA8U &&
4338 +                   (call & 0xC0000000U) == 0x40000000U &&
4339 +                   nop == 0x01000000U)
4340 +               {
4341 +                       unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4342 +
4343 +                       regs->u_regs[UREG_RETPC] = regs->pc;
4344 +                       regs->pc = dl_resolve;
4345 +                       regs->npc = dl_resolve+4;
4346 +                       return 3;
4347 +               }
4348 +       } while (0);
4349 +#endif
4350 +
4351 +       return 1;
4352 +}
4353 +
4354 +void pax_report_insns(void *pc, void *sp)
4355 +{
4356 +       unsigned long i;
4357 +
4358 +       printk(KERN_ERR "PAX: bytes at PC: ");
4359 +       for (i = 0; i < 8; i++) {
4360 +               unsigned int c;
4361 +               if (get_user(c, (unsigned int *)pc+i))
4362 +                       printk(KERN_CONT "???????? ");
4363 +               else
4364 +                       printk(KERN_CONT "%08x ", c);
4365 +       }
4366 +       printk("\n");
4367 +}
4368 +#endif
4369 +
4370  static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4371                                       int text_fault)
4372  {
4373 @@ -281,6 +546,24 @@ good_area:
4374                 if(!(vma->vm_flags & VM_WRITE))
4375                         goto bad_area;
4376         } else {
4377 +
4378 +#ifdef CONFIG_PAX_PAGEEXEC
4379 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4380 +                       up_read(&mm->mmap_sem);
4381 +                       switch (pax_handle_fetch_fault(regs)) {
4382 +
4383 +#ifdef CONFIG_PAX_EMUPLT
4384 +                       case 2:
4385 +                       case 3:
4386 +                               return;
4387 +#endif
4388 +
4389 +                       }
4390 +                       pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4391 +                       do_group_exit(SIGKILL);
4392 +               }
4393 +#endif
4394 +
4395                 /* Allow reads even for write-only mappings */
4396                 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4397                         goto bad_area;
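Review bot: The `switch (pax_handle_fetch_fault(regs))` added here has no `default:` and, with CONFIG_PAX_EMUPLT off, compiles to an empty switch whose only effect is the fall-through to `pax_report_fault`/`do_group_exit`, so the kill decision for return value 1 is implicit. Make it explicit with `default: /* 1: no emulable PLT pattern, kill the task */ break;` inside the switch, which also avoids an empty-switch body when EMUPLT is disabled. The same shape appears in the do_sparc64_fault hunk of fault_64.c further down this chunk. The enclosing do_sparc_fault function starts and ends outside this hunk.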
4398 diff -urNp linux-3.0.9/arch/sparc/mm/fault_64.c linux-3.0.9/arch/sparc/mm/fault_64.c
4399 --- linux-3.0.9/arch/sparc/mm/fault_64.c        2011-11-11 13:12:24.000000000 -0500
4400 +++ linux-3.0.9/arch/sparc/mm/fault_64.c        2011-11-15 20:02:59.000000000 -0500
4401 @@ -21,6 +21,9 @@
4402  #include <linux/kprobes.h>
4403  #include <linux/kdebug.h>
4404  #include <linux/percpu.h>
4405 +#include <linux/slab.h>
4406 +#include <linux/pagemap.h>
4407 +#include <linux/compiler.h>
4408  
4409  #include <asm/page.h>
4410  #include <asm/pgtable.h>
4411 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
4412         printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
4413                regs->tpc);
4414         printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
4415 -       printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
4416 +       printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
4417         printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
4418         dump_stack();
4419         unhandled_fault(regs->tpc, current, regs);
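Review bot: `%pA` in the changed `printk("OOPS: RPC <%pA>\n", ...)` is not a `%p` extension that the stock lib/vsprintf.c of this kernel recognises, so this line depends on another part of the patch extending pointer formatting; that dependency is not visible in this hunk and deserves a comment such as `/* %pA: symbol printing added by this patch in lib/vsprintf.c */`. While the line is being touched, it is the only printk in this block emitted without a log level; `printk(KERN_CRIT "OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);` keeps it consistent with its neighbours. bad_kernel_pc starts outside this hunk.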
4420 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4421         show_regs(regs);
4422  }
4423  
4424 +#ifdef CONFIG_PAX_PAGEEXEC
4425 +#ifdef CONFIG_PAX_DLRESOLVE
4426 +static void pax_emuplt_close(struct vm_area_struct *vma)
4427 +{
4428 +       vma->vm_mm->call_dl_resolve = 0UL;
4429 +}
4430 +
4431 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4432 +{
4433 +       unsigned int *kaddr;
4434 +
4435 +       vmf->page = alloc_page(GFP_HIGHUSER);
4436 +       if (!vmf->page)
4437 +               return VM_FAULT_OOM;
4438 +
4439 +       kaddr = kmap(vmf->page);
4440 +       memset(kaddr, 0, PAGE_SIZE);
4441 +       kaddr[0] = 0x9DE3BFA8U; /* save */
4442 +       flush_dcache_page(vmf->page);
4443 +       kunmap(vmf->page);
4444 +       return VM_FAULT_MAJOR;
4445 +}
4446 +
4447 +static const struct vm_operations_struct pax_vm_ops = {
4448 +       .close = pax_emuplt_close,
4449 +       .fault = pax_emuplt_fault
4450 +};
4451 +
4452 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4453 +{
4454 +       int ret;
4455 +
4456 +       INIT_LIST_HEAD(&vma->anon_vma_chain);
4457 +       vma->vm_mm = current->mm;
4458 +       vma->vm_start = addr;
4459 +       vma->vm_end = addr + PAGE_SIZE;
4460 +       vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4461 +       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4462 +       vma->vm_ops = &pax_vm_ops;
4463 +
4464 +       ret = insert_vm_struct(current->mm, vma);
4465 +       if (ret)
4466 +               return ret;
4467 +
4468 +       ++current->mm->total_vm;
4469 +       return 0;
4470 +}
4471 +#endif
4472 +
4473 +/*
4474 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4475 + *
4476 + * returns 1 when task should be killed
4477 + *         2 when patched PLT trampoline was detected
4478 + *         3 when unpatched PLT trampoline was detected
4479 + */
4480 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4481 +{
4482 +
4483 +#ifdef CONFIG_PAX_EMUPLT
4484 +       int err;
4485 +
4486 +       do { /* PaX: patched PLT emulation #1 */
4487 +               unsigned int sethi1, sethi2, jmpl;
4488 +
4489 +               err = get_user(sethi1, (unsigned int *)regs->tpc);
4490 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4491 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4492 +
4493 +               if (err)
4494 +                       break;
4495 +
4496 +               if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4497 +                   (sethi2 & 0xFFC00000U) == 0x03000000U &&
4498 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U)
4499 +               {
4500 +                       unsigned long addr;
4501 +
4502 +                       regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4503 +                       addr = regs->u_regs[UREG_G1];
4504 +                       addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4505 +
4506 +                       if (test_thread_flag(TIF_32BIT))
4507 +                               addr &= 0xFFFFFFFFUL;
4508 +
4509 +                       regs->tpc = addr;
4510 +                       regs->tnpc = addr+4;
4511 +                       return 2;
4512 +               }
4513 +       } while (0);
4514 +
4515 +       { /* PaX: patched PLT emulation #2 */
4516 +               unsigned int ba;
4517 +
4518 +               err = get_user(ba, (unsigned int *)regs->tpc);
4519 +
4520 +               if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4521 +                       unsigned long addr;
4522 +
4523 +                       addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4524 +
4525 +                       if (test_thread_flag(TIF_32BIT))
4526 +                               addr &= 0xFFFFFFFFUL;
4527 +
4528 +                       regs->tpc = addr;
4529 +                       regs->tnpc = addr+4;
4530 +                       return 2;
4531 +               }
4532 +       }
4533 +
4534 +       do { /* PaX: patched PLT emulation #3 */
4535 +               unsigned int sethi, jmpl, nop;
4536 +
4537 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4538 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4539 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4540 +
4541 +               if (err)
4542 +                       break;
4543 +
4544 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4545 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4546 +                   nop == 0x01000000U)
4547 +               {
4548 +                       unsigned long addr;
4549 +
4550 +                       addr = (sethi & 0x003FFFFFU) << 10;
4551 +                       regs->u_regs[UREG_G1] = addr;
4552 +                       addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4553 +
4554 +                       if (test_thread_flag(TIF_32BIT))
4555 +                               addr &= 0xFFFFFFFFUL;
4556 +
4557 +                       regs->tpc = addr;
4558 +                       regs->tnpc = addr+4;
4559 +                       return 2;
4560 +               }
4561 +       } while (0);
4562 +
4563 +       do { /* PaX: patched PLT emulation #4 */
4564 +               unsigned int sethi, mov1, call, mov2;
4565 +
4566 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4567 +               err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4568 +               err |= get_user(call, (unsigned int *)(regs->tpc+8));
4569 +               err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4570 +
4571 +               if (err)
4572 +                       break;
4573 +
4574 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4575 +                   mov1 == 0x8210000FU &&
4576 +                   (call & 0xC0000000U) == 0x40000000U &&
4577 +                   mov2 == 0x9E100001U)
4578 +               {
4579 +                       unsigned long addr;
4580 +
4581 +                       regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4582 +                       addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4583 +
4584 +                       if (test_thread_flag(TIF_32BIT))
4585 +                               addr &= 0xFFFFFFFFUL;
4586 +
4587 +                       regs->tpc = addr;
4588 +                       regs->tnpc = addr+4;
4589 +                       return 2;
4590 +               }
4591 +       } while (0);
4592 +
4593 +       do { /* PaX: patched PLT emulation #5 */
4594 +               unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
4595 +
4596 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4597 +               err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4598 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4599 +               err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4600 +               err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4601 +               err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4602 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4603 +               err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4604 +
4605 +               if (err)
4606 +                       break;
4607 +
4608 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4609 +                   (sethi1 & 0xFFC00000U) == 0x03000000U &&
4610 +                   (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4611 +                   (or1 & 0xFFFFE000U) == 0x82106000U &&
4612 +                   (or2 & 0xFFFFE000U) == 0x8A116000U &&
4613 +                   sllx == 0x83287020U &&
4614 +                   jmpl == 0x81C04005U &&
4615 +                   nop == 0x01000000U)
4616 +               {
4617 +                       unsigned long addr;
4618 +
4619 +                       regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4620 +                       regs->u_regs[UREG_G1] <<= 32;
4621 +                       regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4622 +                       addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4623 +                       regs->tpc = addr;
4624 +                       regs->tnpc = addr+4;
4625 +                       return 2;
4626 +               }
4627 +       } while (0);
4628 +
4629 +       do { /* PaX: patched PLT emulation #6 */
4630 +               unsigned int sethi, sethi1, sethi2, sllx, or,  jmpl, nop;
4631 +
4632 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4633 +               err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4634 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4635 +               err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4636 +               err |= get_user(or, (unsigned int *)(regs->tpc+16));
4637 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4638 +               err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4639 +
4640 +               if (err)
4641 +                       break;
4642 +
4643 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4644 +                   (sethi1 & 0xFFC00000U) == 0x03000000U &&
4645 +                   (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4646 +                   sllx == 0x83287020U &&
4647 +                   (or & 0xFFFFE000U) == 0x8A116000U &&
4648 +                   jmpl == 0x81C04005U &&
4649 +                   nop == 0x01000000U)
4650 +               {
4651 +                       unsigned long addr;
4652 +
4653 +                       regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4654 +                       regs->u_regs[UREG_G1] <<= 32;
4655 +                       regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4656 +                       addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4657 +                       regs->tpc = addr;
4658 +                       regs->tnpc = addr+4;
4659 +                       return 2;
4660 +               }
4661 +       } while (0);
4662 +
4663 +       do { /* PaX: unpatched PLT emulation step 1 */
4664 +               unsigned int sethi, ba, nop;
4665 +
4666 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4667 +               err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4668 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4669 +
4670 +               if (err)
4671 +                       break;
4672 +
4673 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4674 +                   ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4675 +                   nop == 0x01000000U)
4676 +               {
4677 +                       unsigned long addr;
4678 +                       unsigned int save, call;
4679 +                       unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
4680 +
4681 +                       if ((ba & 0xFFC00000U) == 0x30800000U)
4682 +                               addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4683 +                       else
4684 +                               addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4685 +
4686 +                       if (test_thread_flag(TIF_32BIT))
4687 +                               addr &= 0xFFFFFFFFUL;
4688 +
4689 +                       err = get_user(save, (unsigned int *)addr);
4690 +                       err |= get_user(call, (unsigned int *)(addr+4));
4691 +                       err |= get_user(nop, (unsigned int *)(addr+8));
4692 +                       if (err)
4693 +                               break;
4694 +
4695 +#ifdef CONFIG_PAX_DLRESOLVE
4696 +                       if (save == 0x9DE3BFA8U &&
4697 +                           (call & 0xC0000000U) == 0x40000000U &&
4698 +                           nop == 0x01000000U)
4699 +                       {
4700 +                               struct vm_area_struct *vma;
4701 +                               unsigned long call_dl_resolve;
4702 +
4703 +                               down_read(&current->mm->mmap_sem);
4704 +                               call_dl_resolve = current->mm->call_dl_resolve;
4705 +                               up_read(&current->mm->mmap_sem);
4706 +                               if (likely(call_dl_resolve))
4707 +                                       goto emulate;
4708 +
4709 +                               vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4710 +
4711 +                               down_write(&current->mm->mmap_sem);
4712 +                               if (current->mm->call_dl_resolve) {
4713 +                                       call_dl_resolve = current->mm->call_dl_resolve;
4714 +                                       up_write(&current->mm->mmap_sem);
4715 +                                       if (vma)
4716 +                                               kmem_cache_free(vm_area_cachep, vma);
4717 +                                       goto emulate;
4718 +                               }
4719 +
4720 +                               call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4721 +                               if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4722 +                                       up_write(&current->mm->mmap_sem);
4723 +                                       if (vma)
4724 +                                               kmem_cache_free(vm_area_cachep, vma);
4725 +                                       return 1;
4726 +                               }
4727 +
4728 +                               if (pax_insert_vma(vma, call_dl_resolve)) {
4729 +                                       up_write(&current->mm->mmap_sem);
4730 +                                       kmem_cache_free(vm_area_cachep, vma);
4731 +                                       return 1;
4732 +                               }
4733 +
4734 +                               current->mm->call_dl_resolve = call_dl_resolve;
4735 +                               up_write(&current->mm->mmap_sem);
4736 +
4737 +emulate:
4738 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4739 +                               regs->tpc = call_dl_resolve;
4740 +                               regs->tnpc = addr+4;
4741 +                               return 3;
4742 +                       }
4743 +#endif
4744 +
4745 +                       /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4746 +                       if ((save & 0xFFC00000U) == 0x05000000U &&
4747 +                           (call & 0xFFFFE000U) == 0x85C0A000U &&
4748 +                           nop == 0x01000000U)
4749 +                       {
4750 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4751 +                               regs->u_regs[UREG_G2] = addr + 4;
4752 +                               addr = (save & 0x003FFFFFU) << 10;
4753 +                               addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4754 +
4755 +                               if (test_thread_flag(TIF_32BIT))
4756 +                                       addr &= 0xFFFFFFFFUL;
4757 +
4758 +                               regs->tpc = addr;
4759 +                               regs->tnpc = addr+4;
4760 +                               return 3;
4761 +                       }
4762 +
4763 +                       /* PaX: 64-bit PLT stub */
4764 +                       err = get_user(sethi1, (unsigned int *)addr);
4765 +                       err |= get_user(sethi2, (unsigned int *)(addr+4));
4766 +                       err |= get_user(or1, (unsigned int *)(addr+8));
4767 +                       err |= get_user(or2, (unsigned int *)(addr+12));
4768 +                       err |= get_user(sllx, (unsigned int *)(addr+16));
4769 +                       err |= get_user(add, (unsigned int *)(addr+20));
4770 +                       err |= get_user(jmpl, (unsigned int *)(addr+24));
4771 +                       err |= get_user(nop, (unsigned int *)(addr+28));
4772 +                       if (err)
4773 +                               break;
4774 +
4775 +                       if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
4776 +                           (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4777 +                           (or1 & 0xFFFFE000U) == 0x88112000U &&
4778 +                           (or2 & 0xFFFFE000U) == 0x8A116000U &&
4779 +                           sllx == 0x89293020U &&
4780 +                           add == 0x8A010005U &&
4781 +                           jmpl == 0x89C14000U &&
4782 +                           nop == 0x01000000U)
4783 +                       {
4784 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4785 +                               regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4786 +                               regs->u_regs[UREG_G4] <<= 32;
4787 +                               regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4788 +                               regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
4789 +                               regs->u_regs[UREG_G4] = addr + 24;
4790 +                               addr = regs->u_regs[UREG_G5];
4791 +                               regs->tpc = addr;
4792 +                               regs->tnpc = addr+4;
4793 +                               return 3;
4794 +                       }
4795 +               }
4796 +       } while (0);
4797 +
4798 +#ifdef CONFIG_PAX_DLRESOLVE
4799 +       do { /* PaX: unpatched PLT emulation step 2 */
4800 +               unsigned int save, call, nop;
4801 +
4802 +               err = get_user(save, (unsigned int *)(regs->tpc-4));
4803 +               err |= get_user(call, (unsigned int *)regs->tpc);
4804 +               err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4805 +               if (err)
4806 +                       break;
4807 +
4808 +               if (save == 0x9DE3BFA8U &&
4809 +                   (call & 0xC0000000U) == 0x40000000U &&
4810 +                   nop == 0x01000000U)
4811 +               {
4812 +                       unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4813 +
4814 +                       if (test_thread_flag(TIF_32BIT))
4815 +                               dl_resolve &= 0xFFFFFFFFUL;
4816 +
4817 +                       regs->u_regs[UREG_RETPC] = regs->tpc;
4818 +                       regs->tpc = dl_resolve;
4819 +                       regs->tnpc = dl_resolve+4;
4820 +                       return 3;
4821 +               }
4822 +       } while (0);
4823 +#endif
4824 +
4825 +       do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
4826 +               unsigned int sethi, ba, nop;
4827 +
4828 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4829 +               err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4830 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4831 +
4832 +               if (err)
4833 +                       break;
4834 +
4835 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4836 +                   (ba & 0xFFF00000U) == 0x30600000U &&
4837 +                   nop == 0x01000000U)
4838 +               {
4839 +                       unsigned long addr;
4840 +
4841 +                       addr = (sethi & 0x003FFFFFU) << 10;
4842 +                       regs->u_regs[UREG_G1] = addr;
4843 +                       addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4844 +
4845 +                       if (test_thread_flag(TIF_32BIT))
4846 +                               addr &= 0xFFFFFFFFUL;
4847 +
4848 +                       regs->tpc = addr;
4849 +                       regs->tnpc = addr+4;
4850 +                       return 2;
4851 +               }
4852 +       } while (0);
4853 +
4854 +#endif
4855 +
4856 +       return 1;
4857 +}
4858 +
4859 +void pax_report_insns(void *pc, void *sp)
4860 +{
4861 +       unsigned long i;
4862 +
4863 +       printk(KERN_ERR "PAX: bytes at PC: ");
4864 +       for (i = 0; i < 8; i++) {
4865 +               unsigned int c;
4866 +               if (get_user(c, (unsigned int *)pc+i))
4867 +                       printk(KERN_CONT "???????? ");
4868 +               else
4869 +                       printk(KERN_CONT "%08x ", c);
4870 +       }
4871 +       printk("\n");
4872 +}
4873 +#endif
4874 +
4875  asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4876  {
4877         struct mm_struct *mm = current->mm;
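Review bot: In the CONFIG_PAX_DLRESOLVE branch of "unpatched PLT emulation step 1", failure of `get_unmapped_area()` is detected as `(call_dl_resolve & ~PAGE_MASK)`, i.e. by the error value happening not to be page aligned; `if (!vma || IS_ERR_VALUE(call_dl_resolve))` states what is actually tested and does not rely on every errno value being misaligned. The header comment of pax_handle_fetch_fault documents the return codes but not that on 2 and 3 the function has already rewritten `regs->tpc`/`regs->tnpc` and some of `u_regs[UREG_G1]`, `[UREG_G2]`, `[UREG_G4]`, `[UREG_G5]`, `[UREG_RETPC]`, while on 1 `regs` is left untouched; callers that `return` on 2/3 depend on that, so add it to the comment. `pax_report_insns(void *pc, void *sp)` never reads `sp`, and its closing `printk("\n")` should be `printk(KERN_CONT "\n")` to match the continuation lines before it.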
4878 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
4879         if (!vma)
4880                 goto bad_area;
4881  
4882 +#ifdef CONFIG_PAX_PAGEEXEC
4883 +       /* PaX: detect ITLB misses on non-exec pages */
4884 +       if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4885 +           !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4886 +       {
4887 +               if (address != regs->tpc)
4888 +                       goto good_area;
4889 +
4890 +               up_read(&mm->mmap_sem);
4891 +               switch (pax_handle_fetch_fault(regs)) {
4892 +
4893 +#ifdef CONFIG_PAX_EMUPLT
4894 +               case 2:
4895 +               case 3:
4896 +                       return;
4897 +#endif
4898 +
4899 +               }
4900 +               pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4901 +               do_group_exit(SIGKILL);
4902 +       }
4903 +#endif
4904 +
4905         /* Pure DTLB misses do not tell us whether the fault causing
4906          * load/store/atomic was a write or not, it only says that there
4907          * was no match.  So in such a case we (carefully) read the
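Review bot: `(void *)(regs->u_regs[UREG_FP] + STACK_BIAS)` is passed as the stack pointer unconditionally, but a task with TIF_32BIT set — which pax_handle_fetch_fault in the hunk above checks every time it derives an address — uses an unbiased 32-bit frame pointer, so the stack bytes reported for a 32-bit task would presumably be read from the wrong address (only the report is affected, not the kill). Consider `test_thread_flag(TIF_32BIT) ? (regs->u_regs[UREG_FP] & 0xFFFFFFFFUL) : (regs->u_regs[UREG_FP] + STACK_BIAS)`. The missing `default:` in the switch is raised at the matching fault_32.c hunk. do_sparc64_fault starts and ends outside this hunk.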
4908 diff -urNp linux-3.0.9/arch/sparc/mm/hugetlbpage.c linux-3.0.9/arch/sparc/mm/hugetlbpage.c
4909 --- linux-3.0.9/arch/sparc/mm/hugetlbpage.c     2011-11-11 13:12:24.000000000 -0500
4910 +++ linux-3.0.9/arch/sparc/mm/hugetlbpage.c     2011-11-15 20:02:59.000000000 -0500
4911 @@ -68,7 +68,7 @@ full_search:
4912                         }
4913                         return -ENOMEM;
4914                 }
4915 -               if (likely(!vma || addr + len <= vma->vm_start)) {
4916 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
4917                         /*
4918                          * Remember the place where we stopped the search:
4919                          */
4920 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
4921         /* make sure it can fit in the remaining address space */
4922         if (likely(addr > len)) {
4923                 vma = find_vma(mm, addr-len);
4924 -               if (!vma || addr <= vma->vm_start) {
4925 +               if (check_heap_stack_gap(vma, addr - len, len)) {
4926                         /* remember the address as a hint for next time */
4927                         return (mm->free_area_cache = addr-len);
4928                 }
4929 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
4930         if (unlikely(mm->mmap_base < len))
4931                 goto bottomup;
4932  
4933 -       addr = (mm->mmap_base-len) & HPAGE_MASK;
4934 +       addr = mm->mmap_base - len;
4935  
4936         do {
4937 +               addr &= HPAGE_MASK;
4938                 /*
4939                  * Lookup failure means no vma is above this address,
4940                  * else if new region fits below vma->vm_start,
4941                  * return with success:
4942                  */
4943                 vma = find_vma(mm, addr);
4944 -               if (likely(!vma || addr+len <= vma->vm_start)) {
4945 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
4946                         /* remember the address as a hint for next time */
4947                         return (mm->free_area_cache = addr);
4948                 }
4949 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
4950                         mm->cached_hole_size = vma->vm_start - addr;
4951  
4952                 /* try just below the current vma->vm_start */
4953 -               addr = (vma->vm_start-len) & HPAGE_MASK;
4954 -       } while (likely(len < vma->vm_start));
4955 +               addr = skip_heap_stack_gap(vma, len);
4956 +       } while (!IS_ERR_VALUE(addr));
4957  
4958  bottomup:
4959         /*
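Review bot: The loop exit condition changes from the explicit `len < vma->vm_start` underflow guard to `!IS_ERR_VALUE(addr)`, so termination now depends on `skip_heap_stack_gap()` returning an error value once there is no room below `vma`; that helper is defined elsewhere in the patch, and the contract should be stated at the call site, e.g. `/* skip_heap_stack_gap() returns an error value when nothing fits below vma */`. The related `check_heap_stack_gap()` replaces the inline `!vma || ... <= vma->vm_start` tests in the other hugetlbpage.c hunks, so it must accept a NULL vma; presumably it does, but that is not visible here. Note that `addr &= HPAGE_MASK` now runs at the top of the loop (previous hunk), so the helper's result is realigned before `find_vma()`; correct, but worth a one-line comment since the alignment moved away from the assignment.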
4960 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
4961         if (addr) {
4962                 addr = ALIGN(addr, HPAGE_SIZE);
4963                 vma = find_vma(mm, addr);
4964 -               if (task_size - len >= addr &&
4965 -                   (!vma || addr + len <= vma->vm_start))
4966 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4967                         return addr;
4968         }
4969         if (mm->get_unmapped_area == arch_get_unmapped_area)
4970 diff -urNp linux-3.0.9/arch/sparc/mm/init_32.c linux-3.0.9/arch/sparc/mm/init_32.c
4971 --- linux-3.0.9/arch/sparc/mm/init_32.c 2011-11-11 13:12:24.000000000 -0500
4972 +++ linux-3.0.9/arch/sparc/mm/init_32.c 2011-11-15 20:02:59.000000000 -0500
4973 @@ -316,6 +316,9 @@ extern void device_scan(void);
4974  pgprot_t PAGE_SHARED __read_mostly;
4975  EXPORT_SYMBOL(PAGE_SHARED);
4976  
4977 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4978 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4979 +
4980  void __init paging_init(void)
4981  {
4982         switch(sparc_cpu_model) {
4983 @@ -344,17 +347,17 @@ void __init paging_init(void)
4984  
4985         /* Initialize the protection map with non-constant, MMU dependent values. */
4986         protection_map[0] = PAGE_NONE;
4987 -       protection_map[1] = PAGE_READONLY;
4988 -       protection_map[2] = PAGE_COPY;
4989 -       protection_map[3] = PAGE_COPY;
4990 +       protection_map[1] = PAGE_READONLY_NOEXEC;
4991 +       protection_map[2] = PAGE_COPY_NOEXEC;
4992 +       protection_map[3] = PAGE_COPY_NOEXEC;
4993         protection_map[4] = PAGE_READONLY;
4994         protection_map[5] = PAGE_READONLY;
4995         protection_map[6] = PAGE_COPY;
4996         protection_map[7] = PAGE_COPY;
4997         protection_map[8] = PAGE_NONE;
4998 -       protection_map[9] = PAGE_READONLY;
4999 -       protection_map[10] = PAGE_SHARED;
5000 -       protection_map[11] = PAGE_SHARED;
5001 +       protection_map[9] = PAGE_READONLY_NOEXEC;
5002 +       protection_map[10] = PAGE_SHARED_NOEXEC;
5003 +       protection_map[11] = PAGE_SHARED_NOEXEC;
5004         protection_map[12] = PAGE_READONLY;
5005         protection_map[13] = PAGE_READONLY;
5006         protection_map[14] = PAGE_SHARED;
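Review bot: protection_map[10] and [11] are now filled from PAGE_SHARED_NOEXEC unconditionally, yet the srmmu.c hunk later in this patch only assigns that variable inside `#ifdef CONFIG_PAX_PAGEEXEC`, so on a !PAGEEXEC SRMMU build the shared-writable entries would keep their zero initial value unless the sparc pgtable header (not in view) maps PAGE_SHARED_NOEXEC back to PAGE_SHARED. Either wrap the six NOEXEC assignments here in the same `#ifdef` with the old lines in the `#else`, or give srmmu.c an unconditional fallback such as `PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED);` in an `#else` branch. A short comment above the table, e.g. `/* entries without the EXEC bit (1-3, 9-11) use the NOEXEC variants; they only differ from the plain ones under PAX_PAGEEXEC */`, would make the pattern explicit. paging_init() continues outside the hunk.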
5007 diff -urNp linux-3.0.9/arch/sparc/mm/Makefile linux-3.0.9/arch/sparc/mm/Makefile
5008 --- linux-3.0.9/arch/sparc/mm/Makefile  2011-11-11 13:12:24.000000000 -0500
5009 +++ linux-3.0.9/arch/sparc/mm/Makefile  2011-11-15 20:02:59.000000000 -0500
5010 @@ -2,7 +2,7 @@
5011  #
5012  
5013  asflags-y := -ansi
5014 -ccflags-y := -Werror
5015 +#ccflags-y := -Werror
5016  
5017  obj-$(CONFIG_SPARC64)   += ultra.o tlb.o tsb.o
5018  obj-y                   += fault_$(BITS).o
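Review bot: Commenting out `ccflags-y := -Werror` silences every future warning in arch/sparc/mm, not just whatever the PAGEEXEC changes presumably trigger, and it leaves no record of the reason. If a specific warning is the cause, name it next to the line, e.g. `# -Werror dropped: PAX_PAGEEXEC changes warn in srmmu.c/init_32.c; re-enable once fixed`, or preferably fix the warning and keep -Werror.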
5019 diff -urNp linux-3.0.9/arch/sparc/mm/srmmu.c linux-3.0.9/arch/sparc/mm/srmmu.c
5020 --- linux-3.0.9/arch/sparc/mm/srmmu.c   2011-11-11 13:12:24.000000000 -0500
5021 +++ linux-3.0.9/arch/sparc/mm/srmmu.c   2011-11-15 20:02:59.000000000 -0500
5022 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5023         PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5024         BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5025         BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5026 +
5027 +#ifdef CONFIG_PAX_PAGEEXEC
5028 +       PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5029 +       BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5030 +       BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5031 +#endif
5032 +
5033         BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5034         page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5035  
5036 diff -urNp linux-3.0.9/arch/um/include/asm/kmap_types.h linux-3.0.9/arch/um/include/asm/kmap_types.h
5037 --- linux-3.0.9/arch/um/include/asm/kmap_types.h        2011-11-11 13:12:24.000000000 -0500
5038 +++ linux-3.0.9/arch/um/include/asm/kmap_types.h        2011-11-15 20:02:59.000000000 -0500
5039 @@ -23,6 +23,7 @@ enum km_type {
5040         KM_IRQ1,
5041         KM_SOFTIRQ0,
5042         KM_SOFTIRQ1,
5043 +       KM_CLEARPAGE,
5044         KM_TYPE_NR
5045  };
5046  
5047 diff -urNp linux-3.0.9/arch/um/include/asm/page.h linux-3.0.9/arch/um/include/asm/page.h
5048 --- linux-3.0.9/arch/um/include/asm/page.h      2011-11-11 13:12:24.000000000 -0500
5049 +++ linux-3.0.9/arch/um/include/asm/page.h      2011-11-15 20:02:59.000000000 -0500
5050 @@ -14,6 +14,9 @@
5051  #define PAGE_SIZE      (_AC(1, UL) << PAGE_SHIFT)
5052  #define PAGE_MASK      (~(PAGE_SIZE-1))
5053  
5054 +#define ktla_ktva(addr)                        (addr)
5055 +#define ktva_ktla(addr)                        (addr)
5056 +
5057  #ifndef __ASSEMBLY__
5058  
5059  struct page;
5060 diff -urNp linux-3.0.9/arch/um/kernel/process.c linux-3.0.9/arch/um/kernel/process.c
5061 --- linux-3.0.9/arch/um/kernel/process.c        2011-11-11 13:12:24.000000000 -0500
5062 +++ linux-3.0.9/arch/um/kernel/process.c        2011-11-15 20:02:59.000000000 -0500
5063 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5064         return 2;
5065  }
5066  
5067 -/*
5068 - * Only x86 and x86_64 have an arch_align_stack().
5069 - * All other arches have "#define arch_align_stack(x) (x)"
5070 - * in their asm/system.h
5071 - * As this is included in UML from asm-um/system-generic.h,
5072 - * we can use it to behave as the subarch does.
5073 - */
5074 -#ifndef arch_align_stack
5075 -unsigned long arch_align_stack(unsigned long sp)
5076 -{
5077 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5078 -               sp -= get_random_int() % 8192;
5079 -       return sp & ~0xf;
5080 -}
5081 -#endif
5082 -
5083  unsigned long get_wchan(struct task_struct *p)
5084  {
5085         unsigned long stack_page, sp, ip;
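Review bot: Deleting this arch_align_stack() removes the `sp -= get_random_int() % 8192` sub-page offset for UML, and the replacement in the sysdep/system.h hunks is a plain mask, `#define arch_align_stack(x) ((x) & ~0xfUL)`, so unless PaX's own stack randomisation takes over on UML (not visible in this chunk) the exec-time stack top loses up to 13 bits of entropy. The deleted code also honoured ADDR_NO_RANDOMIZE and randomize_va_space, so the new macro changes behaviour for every personality, not only the randomised ones. State in the commit message which mechanism now provides the jitter, and record it at the macro, e.g. `/* no sub-page jitter here: stack randomisation is provided by PaX */`, if that is the intent.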
5086 diff -urNp linux-3.0.9/arch/um/Makefile linux-3.0.9/arch/um/Makefile
5087 --- linux-3.0.9/arch/um/Makefile        2011-11-11 13:12:24.000000000 -0500
5088 +++ linux-3.0.9/arch/um/Makefile        2011-11-15 20:02:59.000000000 -0500
5089 @@ -49,6 +49,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINE
5090         $(patsubst -I%,,$(KBUILD_CFLAGS)))) $(ARCH_INCLUDE) $(MODE_INCLUDE) \
5091         $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64
5092  
5093 +ifdef CONSTIFY_PLUGIN
5094 +USER_CFLAGS    += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5095 +endif
5096 +
5097  include $(srctree)/$(ARCH_DIR)/Makefile-$(SUBARCH)
5098  
5099  #This will adjust *FLAGS accordingly to the platform.
5100 diff -urNp linux-3.0.9/arch/um/sys-i386/shared/sysdep/system.h linux-3.0.9/arch/um/sys-i386/shared/sysdep/system.h
5101 --- linux-3.0.9/arch/um/sys-i386/shared/sysdep/system.h 2011-11-11 13:12:24.000000000 -0500
5102 +++ linux-3.0.9/arch/um/sys-i386/shared/sysdep/system.h 2011-11-15 20:02:59.000000000 -0500
5103 @@ -17,7 +17,7 @@
5104  # define AT_VECTOR_SIZE_ARCH 1
5105  #endif
5106  
5107 -extern unsigned long arch_align_stack(unsigned long sp);
5108 +#define arch_align_stack(x) ((x) & ~0xfUL)
5109  
5110  void default_idle(void);
5111  
5112 diff -urNp linux-3.0.9/arch/um/sys-i386/syscalls.c linux-3.0.9/arch/um/sys-i386/syscalls.c
5113 --- linux-3.0.9/arch/um/sys-i386/syscalls.c     2011-11-11 13:12:24.000000000 -0500
5114 +++ linux-3.0.9/arch/um/sys-i386/syscalls.c     2011-11-15 20:02:59.000000000 -0500
5115 @@ -11,6 +11,21 @@
5116  #include "asm/uaccess.h"
5117  #include "asm/unistd.h"
5118  
5119 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5120 +{
5121 +       unsigned long pax_task_size = TASK_SIZE;
5122 +
5123 +#ifdef CONFIG_PAX_SEGMEXEC
5124 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5125 +               pax_task_size = SEGMEXEC_TASK_SIZE;
5126 +#endif
5127 +
5128 +       if (len > pax_task_size || addr > pax_task_size - len)
5129 +               return -EINVAL;
5130 +
5131 +       return 0;
5132 +}
5133 +
5134  /*
5135   * The prototype on i386 is:
5136   *
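Review bot: i386_mmap_check() takes `flags` but never reads it, and nothing documents the return contract, so a reader cannot tell whether the unused parameter is a placeholder or an oversight. Add a header comment such as `/* Reject mmap requests that would extend past the (SEGMEXEC-reduced) task size; returns 0 or -EINVAL. flags is currently unused. */`. The order of the two tests is deliberate — `len > pax_task_size` is checked first so `pax_task_size - len` cannot wrap — and deserves a one-line why-comment because it is easy to "simplify" away. The function is non-static with no prototype in view; confirm a header declares it.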
5137 diff -urNp linux-3.0.9/arch/um/sys-x86_64/shared/sysdep/system.h linux-3.0.9/arch/um/sys-x86_64/shared/sysdep/system.h
5138 --- linux-3.0.9/arch/um/sys-x86_64/shared/sysdep/system.h       2011-11-11 13:12:24.000000000 -0500
5139 +++ linux-3.0.9/arch/um/sys-x86_64/shared/sysdep/system.h       2011-11-15 20:02:59.000000000 -0500
5140 @@ -17,7 +17,7 @@
5141  # define AT_VECTOR_SIZE_ARCH 1
5142  #endif
5143  
5144 -extern unsigned long arch_align_stack(unsigned long sp);
5145 +#define arch_align_stack(x) ((x) & ~0xfUL)
5146  
5147  void default_idle(void);
5148  
5149 diff -urNp linux-3.0.9/arch/x86/boot/bitops.h linux-3.0.9/arch/x86/boot/bitops.h
5150 --- linux-3.0.9/arch/x86/boot/bitops.h  2011-11-11 13:12:24.000000000 -0500
5151 +++ linux-3.0.9/arch/x86/boot/bitops.h  2011-11-15 20:02:59.000000000 -0500
5152 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int 
5153         u8 v;
5154         const u32 *p = (const u32 *)addr;
5155  
5156 -       asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5157 +       asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5158         return v;
5159  }
5160  
5161 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int 
5162  
5163  static inline void set_bit(int nr, void *addr)
5164  {
5165 -       asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5166 +       asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5167  }
5168  
5169  #endif /* BOOT_BITOPS_H */
5170 diff -urNp linux-3.0.9/arch/x86/boot/boot.h linux-3.0.9/arch/x86/boot/boot.h
5171 --- linux-3.0.9/arch/x86/boot/boot.h    2011-11-11 13:12:24.000000000 -0500
5172 +++ linux-3.0.9/arch/x86/boot/boot.h    2011-11-15 20:02:59.000000000 -0500
5173 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5174  static inline u16 ds(void)
5175  {
5176         u16 seg;
5177 -       asm("movw %%ds,%0" : "=rm" (seg));
5178 +       asm volatile("movw %%ds,%0" : "=rm" (seg));
5179         return seg;
5180  }
5181  
5182 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t 
5183  static inline int memcmp(const void *s1, const void *s2, size_t len)
5184  {
5185         u8 diff;
5186 -       asm("repe; cmpsb; setnz %0"
5187 +       asm volatile("repe; cmpsb; setnz %0"
5188             : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5189         return diff;
5190  }
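Review bot: `asm volatile` on the `repe; cmpsb` statement stops it from being deleted or hoisted, but the compiler still is not told that the asm reads the bytes behind s1 and s2: the only operands are the pointer and count registers and there is no `"memory"` clobber, so a store into either buffer just before the call can still be sunk past the comparison. Add the clobber, `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`, or describe the reads with `"m"` array inputs. The pre-existing code had the same gap; the commit does not address it.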
5191 diff -urNp linux-3.0.9/arch/x86/boot/compressed/head_32.S linux-3.0.9/arch/x86/boot/compressed/head_32.S
5192 --- linux-3.0.9/arch/x86/boot/compressed/head_32.S      2011-11-11 13:12:24.000000000 -0500
5193 +++ linux-3.0.9/arch/x86/boot/compressed/head_32.S      2011-11-15 20:02:59.000000000 -0500
5194 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5195         notl    %eax
5196         andl    %eax, %ebx
5197  #else
5198 -       movl    $LOAD_PHYSICAL_ADDR, %ebx
5199 +       movl    $____LOAD_PHYSICAL_ADDR, %ebx
5200  #endif
5201  
5202         /* Target address to relocate to for decompression */
5203 @@ -162,7 +162,7 @@ relocated:
5204   * and where it was actually loaded.
5205   */
5206         movl    %ebp, %ebx
5207 -       subl    $LOAD_PHYSICAL_ADDR, %ebx
5208 +       subl    $____LOAD_PHYSICAL_ADDR, %ebx
5209         jz      2f      /* Nothing to be done if loaded at compiled addr. */
5210  /*
5211   * Process relocations.
5212 @@ -170,8 +170,7 @@ relocated:
5213  
5214  1:     subl    $4, %edi
5215         movl    (%edi), %ecx
5216 -       testl   %ecx, %ecx
5217 -       jz      2f
5218 +       jecxz   2f
5219         addl    %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5220         jmp     1b
5221  2:
5222 diff -urNp linux-3.0.9/arch/x86/boot/compressed/head_64.S linux-3.0.9/arch/x86/boot/compressed/head_64.S
5223 --- linux-3.0.9/arch/x86/boot/compressed/head_64.S      2011-11-11 13:12:24.000000000 -0500
5224 +++ linux-3.0.9/arch/x86/boot/compressed/head_64.S      2011-11-15 20:02:59.000000000 -0500
5225 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5226         notl    %eax
5227         andl    %eax, %ebx
5228  #else
5229 -       movl    $LOAD_PHYSICAL_ADDR, %ebx
5230 +       movl    $____LOAD_PHYSICAL_ADDR, %ebx
5231  #endif
5232  
5233         /* Target address to relocate to for decompression */
5234 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5235         notq    %rax
5236         andq    %rax, %rbp
5237  #else
5238 -       movq    $LOAD_PHYSICAL_ADDR, %rbp
5239 +       movq    $____LOAD_PHYSICAL_ADDR, %rbp
5240  #endif
5241  
5242         /* Target address to relocate to for decompression */
5243 diff -urNp linux-3.0.9/arch/x86/boot/compressed/Makefile linux-3.0.9/arch/x86/boot/compressed/Makefile
5244 --- linux-3.0.9/arch/x86/boot/compressed/Makefile       2011-11-11 13:12:24.000000000 -0500
5245 +++ linux-3.0.9/arch/x86/boot/compressed/Makefile       2011-11-15 20:02:59.000000000 -0500
5246 @@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
5247  KBUILD_CFLAGS += $(cflags-y)
5248  KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
5249  KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
5250 +ifdef CONSTIFY_PLUGIN
5251 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5252 +endif
5253  
5254  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5255  GCOV_PROFILE := n
5256 diff -urNp linux-3.0.9/arch/x86/boot/compressed/misc.c linux-3.0.9/arch/x86/boot/compressed/misc.c
5257 --- linux-3.0.9/arch/x86/boot/compressed/misc.c 2011-11-11 13:12:24.000000000 -0500
5258 +++ linux-3.0.9/arch/x86/boot/compressed/misc.c 2011-11-15 20:02:59.000000000 -0500
5259 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
5260                 case PT_LOAD:
5261  #ifdef CONFIG_RELOCATABLE
5262                         dest = output;
5263 -                       dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5264 +                       dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5265  #else
5266                         dest = (void *)(phdr->p_paddr);
5267  #endif
5268 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5269                 error("Destination address too large");
5270  #endif
5271  #ifndef CONFIG_RELOCATABLE
5272 -       if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5273 +       if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5274                 error("Wrong destination address");
5275  #endif
5276  
5277 diff -urNp linux-3.0.9/arch/x86/boot/compressed/relocs.c linux-3.0.9/arch/x86/boot/compressed/relocs.c
5278 --- linux-3.0.9/arch/x86/boot/compressed/relocs.c       2011-11-11 13:12:24.000000000 -0500
5279 +++ linux-3.0.9/arch/x86/boot/compressed/relocs.c       2011-11-15 20:02:59.000000000 -0500
5280 @@ -13,8 +13,11 @@
5281  
5282  static void die(char *fmt, ...);
5283  
5284 +#include "../../../../include/generated/autoconf.h"
5285 +
5286  #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5287  static Elf32_Ehdr ehdr;
5288 +static Elf32_Phdr *phdr;
5289  static unsigned long reloc_count, reloc_idx;
5290  static unsigned long *relocs;
5291  
5292 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5293         }
5294  }
5295  
5296 +static void read_phdrs(FILE *fp)
5297 +{
5298 +       unsigned int i;
5299 +
5300 +       phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5301 +       if (!phdr) {
5302 +               die("Unable to allocate %d program headers\n",
5303 +                   ehdr.e_phnum);
5304 +       }
5305 +       if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5306 +               die("Seek to %d failed: %s\n",
5307 +                       ehdr.e_phoff, strerror(errno));
5308 +       }
5309 +       if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5310 +               die("Cannot read ELF program headers: %s\n",
5311 +                       strerror(errno));
5312 +       }
5313 +       for(i = 0; i < ehdr.e_phnum; i++) {
5314 +               phdr[i].p_type      = elf32_to_cpu(phdr[i].p_type);
5315 +               phdr[i].p_offset    = elf32_to_cpu(phdr[i].p_offset);
5316 +               phdr[i].p_vaddr     = elf32_to_cpu(phdr[i].p_vaddr);
5317 +               phdr[i].p_paddr     = elf32_to_cpu(phdr[i].p_paddr);
5318 +               phdr[i].p_filesz    = elf32_to_cpu(phdr[i].p_filesz);
5319 +               phdr[i].p_memsz     = elf32_to_cpu(phdr[i].p_memsz);
5320 +               phdr[i].p_flags     = elf32_to_cpu(phdr[i].p_flags);
5321 +               phdr[i].p_align     = elf32_to_cpu(phdr[i].p_align);
5322 +       }
5323 +
5324 +}
5325 +
5326  static void read_shdrs(FILE *fp)
5327  {
5328 -       int i;
5329 +       unsigned int i;
5330         Elf32_Shdr shdr;
5331  
5332         secs = calloc(ehdr.e_shnum, sizeof(struct section));
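Review bot: read_phdrs() reads e_phnum entries with `fread(phdr, sizeof(*phdr), ...)` without checking that e_phentsize equals sizeof(Elf32_Phdr), so a vmlinux with a different header size would be silently misparsed; if read_ehdr() (outside this hunk) does not already validate it, add `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Unsupported program header size\n");` before the fseek. The seek-failure message prints ehdr.e_phoff, an Elf32_Off, with `%d`; `%u` matches the type. Minor: with e_phnum == 0, calloc(0, ...) may legitimately return NULL and the tool would then report an allocation failure for a file that simply has no program headers. read_shdrs() continues past the end of the hunk.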
5333 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5334  
5335  static void read_strtabs(FILE *fp)
5336  {
5337 -       int i;
5338 +       unsigned int i;
5339         for (i = 0; i < ehdr.e_shnum; i++) {
5340                 struct section *sec = &secs[i];
5341                 if (sec->shdr.sh_type != SHT_STRTAB) {
5342 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5343  
5344  static void read_symtabs(FILE *fp)
5345  {
5346 -       int i,j;
5347 +       unsigned int i,j;
5348         for (i = 0; i < ehdr.e_shnum; i++) {
5349                 struct section *sec = &secs[i];
5350                 if (sec->shdr.sh_type != SHT_SYMTAB) {
5351 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5352  
5353  static void read_relocs(FILE *fp)
5354  {
5355 -       int i,j;
5356 +       unsigned int i,j;
5357 +       uint32_t base;
5358 +
5359         for (i = 0; i < ehdr.e_shnum; i++) {
5360                 struct section *sec = &secs[i];
5361                 if (sec->shdr.sh_type != SHT_REL) {
5362 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5363                         die("Cannot read symbol table: %s\n",
5364                                 strerror(errno));
5365                 }
5366 +               base = 0;
5367 +               for (j = 0; j < ehdr.e_phnum; j++) {
5368 +                       if (phdr[j].p_type != PT_LOAD )
5369 +                               continue;
5370 +                       if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5371 +                               continue;
5372 +                       base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5373 +                       break;
5374 +               }
5375                 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5376                         Elf32_Rel *rel = &sec->reltab[j];
5377 -                       rel->r_offset = elf32_to_cpu(rel->r_offset);
5378 +                       rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5379                         rel->r_info   = elf32_to_cpu(rel->r_info);
5380                 }
5381         }
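Review bot: The new PT_LOAD lookup indexes `secs[sec->shdr.sh_info]` without checking sh_info against ehdr.e_shnum, so a relocation section whose sh_info is out of range reads past the calloc'd secs array; add `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Bad sh_info %u\n", sec->shdr.sh_info);` before the loop. When no PT_LOAD covers the target section, base silently stays 0 and r_offset is left unadjusted — presumably intended for non-loaded sections, but a comment such as `/* sections outside every PT_LOAD keep their raw r_offset */` would keep the next reader from treating it as a bug. The `CONFIG_PAGE_OFFSET + p_paddr - p_vaddr` arithmetic is uint32_t, which suits the Elf32 file this tool handles.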
5382 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5383  
5384  static void print_absolute_symbols(void)
5385  {
5386 -       int i;
5387 +       unsigned int i;
5388         printf("Absolute symbols\n");
5389         printf(" Num:    Value Size  Type       Bind        Visibility  Name\n");
5390         for (i = 0; i < ehdr.e_shnum; i++) {
5391                 struct section *sec = &secs[i];
5392                 char *sym_strtab;
5393                 Elf32_Sym *sh_symtab;
5394 -               int j;
5395 +               unsigned int j;
5396  
5397                 if (sec->shdr.sh_type != SHT_SYMTAB) {
5398                         continue;
5399 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5400  
5401  static void print_absolute_relocs(void)
5402  {
5403 -       int i, printed = 0;
5404 +       unsigned int i, printed = 0;
5405  
5406         for (i = 0; i < ehdr.e_shnum; i++) {
5407                 struct section *sec = &secs[i];
5408                 struct section *sec_applies, *sec_symtab;
5409                 char *sym_strtab;
5410                 Elf32_Sym *sh_symtab;
5411 -               int j;
5412 +               unsigned int j;
5413                 if (sec->shdr.sh_type != SHT_REL) {
5414                         continue;
5415                 }
5416 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5417  
5418  static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5419  {
5420 -       int i;
5421 +       unsigned int i;
5422         /* Walk through the relocations */
5423         for (i = 0; i < ehdr.e_shnum; i++) {
5424                 char *sym_strtab;
5425                 Elf32_Sym *sh_symtab;
5426                 struct section *sec_applies, *sec_symtab;
5427 -               int j;
5428 +               unsigned int j;
5429                 struct section *sec = &secs[i];
5430  
5431                 if (sec->shdr.sh_type != SHT_REL) {
5432 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5433                             !is_rel_reloc(sym_name(sym_strtab, sym))) {
5434                                 continue;
5435                         }
5436 +                       /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5437 +                       if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5438 +                               continue;
5439 +
5440 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5441 +                       /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5442 +                       if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5443 +                               continue;
5444 +                       if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5445 +                               continue;
5446 +                       if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5447 +                               continue;
5448 +                       if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5449 +                               continue;
5450 +#endif
5451 +
5452                         switch (r_type) {
5453                         case R_386_NONE:
5454                         case R_386_PC32:
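Review bot: The KERNEXEC skip list explains why whole code sections are excluded from relocation, but not why `_etext` in .module.text and `__LOAD_PHYSICAL_ADDR` in .text are the two symbols that are still relocated; the strcmp() conditions alone do not convey that. Add a comment on the exceptions — in reviewer voice if the reason is not confirmed, `/* NOTE(review): _etext and __LOAD_PHYSICAL_ADDR are presumably consumed as absolute values rather than through KERNEL_CS, so they still need a fixup — confirm */`. The per-cpu comment above it is a good model for what the KERNEXEC block is missing. walk_relocs() continues outside the hunk.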
5455 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5456  
5457  static void emit_relocs(int as_text)
5458  {
5459 -       int i;
5460 +       unsigned int i;
5461         /* Count how many relocations I have and allocate space for them. */
5462         reloc_count = 0;
5463         walk_relocs(count_reloc);
5464 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5465                         fname, strerror(errno));
5466         }
5467         read_ehdr(fp);
5468 +       read_phdrs(fp);
5469         read_shdrs(fp);
5470         read_strtabs(fp);
5471         read_symtabs(fp);
5472 diff -urNp linux-3.0.9/arch/x86/boot/cpucheck.c linux-3.0.9/arch/x86/boot/cpucheck.c
5473 --- linux-3.0.9/arch/x86/boot/cpucheck.c        2011-11-11 13:12:24.000000000 -0500
5474 +++ linux-3.0.9/arch/x86/boot/cpucheck.c        2011-11-15 20:02:59.000000000 -0500
5475 @@ -74,7 +74,7 @@ static int has_fpu(void)
5476         u16 fcw = -1, fsw = -1;
5477         u32 cr0;
5478  
5479 -       asm("movl %%cr0,%0" : "=r" (cr0));
5480 +       asm volatile("movl %%cr0,%0" : "=r" (cr0));
5481         if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5482                 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5483                 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5484 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5485  {
5486         u32 f0, f1;
5487  
5488 -       asm("pushfl ; "
5489 +       asm volatile("pushfl ; "
5490             "pushfl ; "
5491             "popl %0 ; "
5492             "movl %0,%1 ; "
5493 @@ -115,7 +115,7 @@ static void get_flags(void)
5494                 set_bit(X86_FEATURE_FPU, cpu.flags);
5495  
5496         if (has_eflag(X86_EFLAGS_ID)) {
5497 -               asm("cpuid"
5498 +               asm volatile("cpuid"
5499                     : "=a" (max_intel_level),
5500                       "=b" (cpu_vendor[0]),
5501                       "=d" (cpu_vendor[1]),
5502 @@ -124,7 +124,7 @@ static void get_flags(void)
5503  
5504                 if (max_intel_level >= 0x00000001 &&
5505                     max_intel_level <= 0x0000ffff) {
5506 -                       asm("cpuid"
5507 +                       asm volatile("cpuid"
5508                             : "=a" (tfms),
5509                               "=c" (cpu.flags[4]),
5510                               "=d" (cpu.flags[0])
5511 @@ -136,7 +136,7 @@ static void get_flags(void)
5512                                 cpu.model += ((tfms >> 16) & 0xf) << 4;
5513                 }
5514  
5515 -               asm("cpuid"
5516 +               asm volatile("cpuid"
5517                     : "=a" (max_amd_level)
5518                     : "a" (0x80000000)
5519                     : "ebx", "ecx", "edx");
5520 @@ -144,7 +144,7 @@ static void get_flags(void)
5521                 if (max_amd_level >= 0x80000001 &&
5522                     max_amd_level <= 0x8000ffff) {
5523                         u32 eax = 0x80000001;
5524 -                       asm("cpuid"
5525 +                       asm volatile("cpuid"
5526                             : "+a" (eax),
5527                               "=c" (cpu.flags[6]),
5528                               "=d" (cpu.flags[1])
5529 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5530                 u32 ecx = MSR_K7_HWCR;
5531                 u32 eax, edx;
5532  
5533 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5534 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5535                 eax &= ~(1 << 15);
5536 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5537 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5538  
5539                 get_flags();    /* Make sure it really did something */
5540                 err = check_flags();
5541 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5542                 u32 ecx = MSR_VIA_FCR;
5543                 u32 eax, edx;
5544  
5545 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5546 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5547                 eax |= (1<<1)|(1<<7);
5548 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5549 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5550  
5551                 set_bit(X86_FEATURE_CX8, cpu.flags);
5552                 err = check_flags();
5553 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5554                 u32 eax, edx;
5555                 u32 level = 1;
5556  
5557 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5558 -               asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5559 -               asm("cpuid"
5560 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5561 +               asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5562 +               asm volatile("cpuid"
5563                     : "+a" (level), "=d" (cpu.flags[0])
5564                     : : "ecx", "ebx");
5565 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5566 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5567  
5568                 err = check_flags();
5569         }
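Review bot: In this hunk only the `rdmsr` and `cpuid` statements gain anything from `volatile`; GCC already treats an asm with no output operands, such as the two `wrmsr` lines, as volatile, so those two edits are no-ops. The real effect is that the `cpuid`, which has outputs, can no longer be CSE'd or hoisted above the preceding `wrmsr` of ~0, which is the ordering this probe depends on. Record that so the qualifier is not dropped later, e.g. `/* volatile: cpuid must run after the wrmsr of ~0 that precedes it */`; the same reasoning covers the earlier rdmsr/wrmsr pairs in this file.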
5570 diff -urNp linux-3.0.9/arch/x86/boot/header.S linux-3.0.9/arch/x86/boot/header.S
5571 --- linux-3.0.9/arch/x86/boot/header.S  2011-11-11 13:12:24.000000000 -0500
5572 +++ linux-3.0.9/arch/x86/boot/header.S  2011-11-15 20:02:59.000000000 -0500
5573 @@ -224,7 +224,7 @@ setup_data:         .quad 0                 # 64-bit physical
5574                                                 # single linked list of
5575                                                 # struct setup_data
5576  
5577 -pref_address:          .quad LOAD_PHYSICAL_ADDR        # preferred load addr
5578 +pref_address:          .quad ____LOAD_PHYSICAL_ADDR    # preferred load addr
5579  
5580  #define ZO_INIT_SIZE   (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5581  #define VO_INIT_SIZE   (VO__end - VO__text)
5582 diff -urNp linux-3.0.9/arch/x86/boot/Makefile linux-3.0.9/arch/x86/boot/Makefile
5583 --- linux-3.0.9/arch/x86/boot/Makefile  2011-11-11 13:12:24.000000000 -0500
5584 +++ linux-3.0.9/arch/x86/boot/Makefile  2011-11-15 20:02:59.000000000 -0500
5585 @@ -69,6 +69,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os 
5586                    $(call cc-option, -fno-stack-protector) \
5587                    $(call cc-option, -mpreferred-stack-boundary=2)
5588  KBUILD_CFLAGS  += $(call cc-option, -m32)
5589 +ifdef CONSTIFY_PLUGIN
5590 +KBUILD_CFLAGS  += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5591 +endif
5592  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5593  GCOV_PROFILE := n
5594  
5595 diff -urNp linux-3.0.9/arch/x86/boot/memory.c linux-3.0.9/arch/x86/boot/memory.c
5596 --- linux-3.0.9/arch/x86/boot/memory.c  2011-11-11 13:12:24.000000000 -0500
5597 +++ linux-3.0.9/arch/x86/boot/memory.c  2011-11-15 20:02:59.000000000 -0500
5598 @@ -19,7 +19,7 @@
5599  
5600  static int detect_memory_e820(void)
5601  {
5602 -       int count = 0;
5603 +       unsigned int count = 0;
5604         struct biosregs ireg, oreg;
5605         struct e820entry *desc = boot_params.e820_map;
5606         static struct e820entry buf; /* static so it is zeroed */
5607 diff -urNp linux-3.0.9/arch/x86/boot/video.c linux-3.0.9/arch/x86/boot/video.c
5608 --- linux-3.0.9/arch/x86/boot/video.c   2011-11-11 13:12:24.000000000 -0500
5609 +++ linux-3.0.9/arch/x86/boot/video.c   2011-11-15 20:02:59.000000000 -0500
5610 @@ -96,7 +96,7 @@ static void store_mode_params(void)
5611  static unsigned int get_entry(void)
5612  {
5613         char entry_buf[4];
5614 -       int i, len = 0;
5615 +       unsigned int i, len = 0;
5616         int key;
5617         unsigned int v;
5618  
5619 diff -urNp linux-3.0.9/arch/x86/boot/video-vesa.c linux-3.0.9/arch/x86/boot/video-vesa.c
5620 --- linux-3.0.9/arch/x86/boot/video-vesa.c      2011-11-11 13:12:24.000000000 -0500
5621 +++ linux-3.0.9/arch/x86/boot/video-vesa.c      2011-11-15 20:02:59.000000000 -0500
5622 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5623  
5624         boot_params.screen_info.vesapm_seg = oreg.es;
5625         boot_params.screen_info.vesapm_off = oreg.di;
5626 +       boot_params.screen_info.vesapm_size = oreg.cx;
5627  }
5628  
5629  /*
5630 diff -urNp linux-3.0.9/arch/x86/crypto/aes-x86_64-asm_64.S linux-3.0.9/arch/x86/crypto/aes-x86_64-asm_64.S
5631 --- linux-3.0.9/arch/x86/crypto/aes-x86_64-asm_64.S     2011-11-11 13:12:24.000000000 -0500
5632 +++ linux-3.0.9/arch/x86/crypto/aes-x86_64-asm_64.S     2011-11-15 20:02:59.000000000 -0500
5633 @@ -8,6 +8,8 @@
5634   * including this sentence is retained in full.
5635   */
5636  
5637 +#include <asm/alternative-asm.h>
5638 +
5639  .extern crypto_ft_tab
5640  .extern crypto_it_tab
5641  .extern crypto_fl_tab
5642 @@ -71,6 +73,8 @@ FUNC: movq    r1,r2;                  \
5643         je      B192;                   \
5644         leaq    32(r9),r9;
5645  
5646 +#define ret    pax_force_retaddr; ret
5647 +
5648  #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
5649         movq    r1,r2;                  \
5650         movq    r3,r4;                  \
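Review bot: `#define ret pax_force_retaddr; ret` rewrites every `ret` mnemonic in the rest of the file, a global side effect that is invisible when reading an individual function body, whereas the salsa20 and twofish files in this same patch add `pax_force_retaddr` explicitly before each `ret`. Either use the explicit form here too, or document the define: `/* every ret below this line gets a pax_force_retaddr prefix (asm/alternative-asm.h); text above is unaffected */`. Whether any `ret` occurs in macros defined before this line is not visible in the hunk.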
5651 diff -urNp linux-3.0.9/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-3.0.9/arch/x86/crypto/salsa20-x86_64-asm_64.S
5652 --- linux-3.0.9/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-11 13:12:24.000000000 -0500
5653 +++ linux-3.0.9/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-15 20:02:59.000000000 -0500
5654 @@ -1,3 +1,5 @@
5655 +#include <asm/alternative-asm.h>
5656 +
5657  # enter ECRYPT_encrypt_bytes
5658  .text
5659  .p2align 5
5660 @@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
5661         add     %r11,%rsp
5662         mov     %rdi,%rax
5663         mov     %rsi,%rdx
5664 +       pax_force_retaddr
5665         ret
5666  #   bytesatleast65:
5667  ._bytesatleast65:
5668 @@ -891,6 +894,7 @@ ECRYPT_keysetup:
5669         add     %r11,%rsp
5670         mov     %rdi,%rax
5671         mov     %rsi,%rdx
5672 +       pax_force_retaddr
5673         ret
5674  # enter ECRYPT_ivsetup
5675  .text
5676 @@ -917,4 +921,5 @@ ECRYPT_ivsetup:
5677         add     %r11,%rsp
5678         mov     %rdi,%rax
5679         mov     %rsi,%rdx
5680 +       pax_force_retaddr
5681         ret
5682 diff -urNp linux-3.0.9/arch/x86/crypto/twofish-x86_64-asm_64.S linux-3.0.9/arch/x86/crypto/twofish-x86_64-asm_64.S
5683 --- linux-3.0.9/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-11 13:12:24.000000000 -0500
5684 +++ linux-3.0.9/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-15 20:02:59.000000000 -0500
5685 @@ -21,6 +21,7 @@
5686  .text
5687  
5688  #include <asm/asm-offsets.h>
5689 +#include <asm/alternative-asm.h>
5690  
5691  #define a_offset       0
5692  #define b_offset       4
5693 @@ -269,6 +270,7 @@ twofish_enc_blk:
5694  
5695         popq    R1
5696         movq    $1,%rax
5697 +       pax_force_retaddr
5698         ret
5699  
5700  twofish_dec_blk:
5701 @@ -321,4 +323,5 @@ twofish_dec_blk:
5702  
5703         popq    R1
5704         movq    $1,%rax
5705 +       pax_force_retaddr
5706         ret
5707 diff -urNp linux-3.0.9/arch/x86/ia32/ia32_aout.c linux-3.0.9/arch/x86/ia32/ia32_aout.c
5708 --- linux-3.0.9/arch/x86/ia32/ia32_aout.c       2011-11-11 13:12:24.000000000 -0500
5709 +++ linux-3.0.9/arch/x86/ia32/ia32_aout.c       2011-11-15 20:02:59.000000000 -0500
5710 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
5711         unsigned long dump_start, dump_size;
5712         struct user32 dump;
5713  
5714 +       memset(&dump, 0, sizeof(dump));
5715 +
5716         fs = get_fs();
5717         set_fs(KERNEL_DS);
5718         has_dumped = 1;
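Review bot: The new `memset(&dump, 0, sizeof(dump))` carries no comment saying why a struct that is presumably populated field by field before being written still needs zeroing, so a later cleanup could drop it as redundant. Add `/* zero the whole struct: padding and unset fields would otherwise carry uninitialised kernel stack bytes into the core file */`, which is the natural reading given that dump is what aout_core_dump() emits, though the write itself is outside this hunk.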
5719 diff -urNp linux-3.0.9/arch/x86/ia32/ia32entry.S linux-3.0.9/arch/x86/ia32/ia32entry.S
5720 --- linux-3.0.9/arch/x86/ia32/ia32entry.S       2011-11-11 13:12:24.000000000 -0500
5721 +++ linux-3.0.9/arch/x86/ia32/ia32entry.S       2011-11-15 20:02:59.000000000 -0500
5722 @@ -13,7 +13,9 @@
5723  #include <asm/thread_info.h>   
5724  #include <asm/segment.h>
5725  #include <asm/irqflags.h>
5726 +#include <asm/pgtable.h>
5727  #include <linux/linkage.h>
5728 +#include <asm/alternative-asm.h>
5729  
5730  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
5731  #include <linux/elf-em.h>
5732 @@ -95,6 +97,29 @@ ENTRY(native_irq_enable_sysexit)
5733  ENDPROC(native_irq_enable_sysexit)
5734  #endif
5735  
5736 +       .macro pax_enter_kernel_user
5737 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5738 +       call pax_enter_kernel_user
5739 +#endif
5740 +       .endm
5741 +
5742 +       .macro pax_exit_kernel_user
5743 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5744 +       call pax_exit_kernel_user
5745 +#endif
5746 +#ifdef CONFIG_PAX_RANDKSTACK
5747 +       pushq %rax
5748 +       call pax_randomize_kstack
5749 +       popq %rax
5750 +#endif
5751 +       .endm
5752 +
5753 +       .macro pax_erase_kstack
5754 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
5755 +       call pax_erase_kstack
5756 +#endif
5757 +       .endm
5758 +
5759  /*
5760   * 32bit SYSENTER instruction entry.
5761   *
5762 @@ -121,7 +146,7 @@ ENTRY(ia32_sysenter_target)
5763         CFI_REGISTER    rsp,rbp
5764         SWAPGS_UNSAFE_STACK
5765         movq    PER_CPU_VAR(kernel_stack), %rsp
5766 -       addq    $(KERNEL_STACK_OFFSET),%rsp
5767 +       pax_enter_kernel_user
5768         /*
5769          * No need to follow this irqs on/off section: the syscall
5770          * disabled irqs, here we enable it straight after entry:
5771 @@ -134,7 +159,8 @@ ENTRY(ia32_sysenter_target)
5772         CFI_REL_OFFSET rsp,0
5773         pushfq_cfi
5774         /*CFI_REL_OFFSET rflags,0*/
5775 -       movl    8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
5776 +       GET_THREAD_INFO(%r10)
5777 +       movl    TI_sysenter_return(%r10), %r10d
5778         CFI_REGISTER rip,r10
5779         pushq_cfi $__USER32_CS
5780         /*CFI_REL_OFFSET cs,0*/
5781 @@ -146,6 +172,12 @@ ENTRY(ia32_sysenter_target)
5782         SAVE_ARGS 0,0,1
5783         /* no need to do an access_ok check here because rbp has been
5784            32bit zero extended */ 
5785 +
5786 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5787 +       mov $PAX_USER_SHADOW_BASE,%r10
5788 +       add %r10,%rbp
5789 +#endif
5790 +
5791  1:     movl    (%rbp),%ebp
5792         .section __ex_table,"a"
5793         .quad 1b,ia32_badarg
5794 @@ -168,6 +200,8 @@ sysenter_dispatch:
5795         testl   $_TIF_ALLWORK_MASK,TI_flags(%r10)
5796         jnz     sysexit_audit
5797  sysexit_from_sys_call:
5798 +       pax_exit_kernel_user
5799 +       pax_erase_kstack
5800         andl    $~TS_COMPAT,TI_status(%r10)
5801         /* clear IF, that popfq doesn't enable interrupts early */
5802         andl  $~0x200,EFLAGS-R11(%rsp) 
5803 @@ -194,6 +228,9 @@ sysexit_from_sys_call:
5804         movl %eax,%esi                  /* 2nd arg: syscall number */
5805         movl $AUDIT_ARCH_I386,%edi      /* 1st arg: audit arch */
5806         call audit_syscall_entry
5807 +
5808 +       pax_erase_kstack
5809 +
5810         movl RAX-ARGOFFSET(%rsp),%eax   /* reload syscall number */
5811         cmpq $(IA32_NR_syscalls-1),%rax
5812         ja ia32_badsys
5813 @@ -246,6 +283,9 @@ sysenter_tracesys:
5814         movq    $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
5815         movq    %rsp,%rdi        /* &pt_regs -> arg1 */
5816         call    syscall_trace_enter
5817 +
5818 +       pax_erase_kstack
5819 +
5820         LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
5821         RESTORE_REST
5822         cmpq    $(IA32_NR_syscalls-1),%rax
5823 @@ -277,19 +317,24 @@ ENDPROC(ia32_sysenter_target)
5824  ENTRY(ia32_cstar_target)
5825         CFI_STARTPROC32 simple
5826         CFI_SIGNAL_FRAME
5827 -       CFI_DEF_CFA     rsp,KERNEL_STACK_OFFSET
5828 +       CFI_DEF_CFA     rsp,0
5829         CFI_REGISTER    rip,rcx
5830         /*CFI_REGISTER  rflags,r11*/
5831         SWAPGS_UNSAFE_STACK
5832         movl    %esp,%r8d
5833         CFI_REGISTER    rsp,r8
5834         movq    PER_CPU_VAR(kernel_stack),%rsp
5835 +
5836 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5837 +       pax_enter_kernel_user
5838 +#endif
5839 +
5840         /*
5841          * No need to follow this irqs on/off section: the syscall
5842          * disabled irqs and here we enable it straight after entry:
5843          */
5844         ENABLE_INTERRUPTS(CLBR_NONE)
5845 -       SAVE_ARGS 8,1,1
5846 +       SAVE_ARGS 8*6,1,1
5847         movl    %eax,%eax       /* zero extension */
5848         movq    %rax,ORIG_RAX-ARGOFFSET(%rsp)
5849         movq    %rcx,RIP-ARGOFFSET(%rsp)
5850 @@ -305,6 +350,12 @@ ENTRY(ia32_cstar_target)
5851         /* no need to do an access_ok check here because r8 has been
5852            32bit zero extended */ 
5853         /* hardware stack frame is complete now */      
5854 +
5855 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5856 +       mov $PAX_USER_SHADOW_BASE,%r10
5857 +       add %r10,%r8
5858 +#endif
5859 +
5860  1:     movl    (%r8),%r9d
5861         .section __ex_table,"a"
5862         .quad 1b,ia32_badarg
5863 @@ -327,6 +378,8 @@ cstar_dispatch:
5864         testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
5865         jnz sysretl_audit
5866  sysretl_from_sys_call:
5867 +       pax_exit_kernel_user
5868 +       pax_erase_kstack
5869         andl $~TS_COMPAT,TI_status(%r10)
5870         RESTORE_ARGS 1,-ARG_SKIP,1,1,1
5871         movl RIP-ARGOFFSET(%rsp),%ecx
5872 @@ -364,6 +417,9 @@ cstar_tracesys:
5873         movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
5874         movq %rsp,%rdi        /* &pt_regs -> arg1 */
5875         call syscall_trace_enter
5876 +
5877 +       pax_erase_kstack
5878 +
5879         LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
5880         RESTORE_REST
5881         xchgl %ebp,%r9d
5882 @@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
5883         CFI_REL_OFFSET  rip,RIP-RIP
5884         PARAVIRT_ADJUST_EXCEPTION_FRAME
5885         SWAPGS
5886 +       pax_enter_kernel_user
5887         /*
5888          * No need to follow this irqs on/off section: the syscall
5889          * disabled irqs and here we enable it straight after entry:
5890 @@ -441,6 +498,9 @@ ia32_tracesys:                       
5891         movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
5892         movq %rsp,%rdi        /* &pt_regs -> arg1 */
5893         call syscall_trace_enter
5894 +
5895 +       pax_erase_kstack
5896 +
5897         LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
5898         RESTORE_REST
5899         cmpq $(IA32_NR_syscalls-1),%rax
5900 @@ -455,6 +515,7 @@ ia32_badsys:
5901  
5902  quiet_ni_syscall:
5903         movq $-ENOSYS,%rax
5904 +       pax_force_retaddr
5905         ret
5906         CFI_ENDPROC
5907         
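Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` wrapped around the `pax_enter_kernel_user` invocation in ia32_cstar_target (hunk `@@ -277,19 +317,24 @@`) is redundant and inconsistent: the macro defined at the top of the file already expands to nothing unless that option is set, and the sysenter and ia32_syscall entry paths invoke it unguarded. Dropping the guard keeps the three entry paths uniform. Separately, removing `addq $(KERNEL_STACK_OFFSET),%rsp` on the sysenter path and changing the cstar `CFI_DEF_CFA rsp,0` and `SAVE_ARGS 8*6,1,1` only hold if `kernel_stack` no longer carries that offset, which is decided outside this file; a one-line comment at the sysenter entry naming that dependency would save the next reader a search.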
5908 diff -urNp linux-3.0.9/arch/x86/ia32/ia32_signal.c linux-3.0.9/arch/x86/ia32/ia32_signal.c
5909 --- linux-3.0.9/arch/x86/ia32/ia32_signal.c     2011-11-11 13:12:24.000000000 -0500
5910 +++ linux-3.0.9/arch/x86/ia32/ia32_signal.c     2011-11-15 20:02:59.000000000 -0500
5911 @@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const 
5912         }
5913         seg = get_fs();
5914         set_fs(KERNEL_DS);
5915 -       ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
5916 +       ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
5917         set_fs(seg);
5918         if (ret >= 0 && uoss_ptr)  {
5919                 if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
5920 @@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct 
5921   */
5922  static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
5923                                  size_t frame_size,
5924 -                                void **fpstate)
5925 +                                void __user **fpstate)
5926  {
5927         unsigned long sp;
5928  
5929 @@ -395,7 +395,7 @@ static void __user *get_sigframe(struct 
5930  
5931         if (used_math()) {
5932                 sp = sp - sig_xstate_ia32_size;
5933 -               *fpstate = (struct _fpstate_ia32 *) sp;
5934 +               *fpstate = (struct _fpstate_ia32 __user *) sp;
5935                 if (save_i387_xstate_ia32(*fpstate) < 0)
5936                         return (void __user *) -1L;
5937         }
5938 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct 
5939         sp -= frame_size;
5940         /* Align the stack pointer according to the i386 ABI,
5941          * i.e. so that on function entry ((sp + 4) & 15) == 0. */
5942 -       sp = ((sp + 4) & -16ul) - 4;
5943 +       sp = ((sp - 12) & -16ul) - 4;
5944         return (void __user *) sp;
5945  }
5946  
5947 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
5948                  * These are actually not used anymore, but left because some
5949                  * gdb versions depend on them as a marker.
5950                  */
5951 -               put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
5952 +               put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
5953         } put_user_catch(err);
5954  
5955         if (err)
5956 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct 
5957                 0xb8,
5958                 __NR_ia32_rt_sigreturn,
5959                 0x80cd,
5960 -               0,
5961 +               0
5962         };
5963  
5964         frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
5965 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct 
5966  
5967                 if (ka->sa.sa_flags & SA_RESTORER)
5968                         restorer = ka->sa.sa_restorer;
5969 +               else if (current->mm->context.vdso)
5970 +                       /* Return stub is in 32bit vsyscall page */
5971 +                       restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
5972                 else
5973 -                       restorer = VDSO32_SYMBOL(current->mm->context.vdso,
5974 -                                                rt_sigreturn);
5975 +                       restorer = &frame->retcode;
5976                 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
5977  
5978                 /*
5979                  * Not actually used anymore, but left because some gdb
5980                  * versions need it.
5981                  */
5982 -               put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
5983 +               put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
5984         } put_user_catch(err);
5985  
5986         if (err)
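Review bot: The new `else restorer = &frame->retcode;` fallback in ia32_setup_rt_frame routes signal return through the trampoline bytes written on the user stack, which only works if that stack is executable or some trampoline-emulation path covers it; the hunk doesn't say which, and the comment a few lines below still says the bytes are "Not actually used anymore", which is no longer true. I'd replace that comment with one stating that retcode is the return path when no vdso is mapped and naming the mechanism that makes it executable. The change to `sp = ((sp - 12) & -16ul) - 4;` in get_sigframe always places the frame 16 bytes lower than the old formula while keeping the `((sp + 4) & 15) == 0` property; the reason is not visible here and deserves a sentence in the adjacent alignment comment.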
5987 diff -urNp linux-3.0.9/arch/x86/ia32/sys_ia32.c linux-3.0.9/arch/x86/ia32/sys_ia32.c
5988 --- linux-3.0.9/arch/x86/ia32/sys_ia32.c        2011-11-11 13:12:24.000000000 -0500
5989 +++ linux-3.0.9/arch/x86/ia32/sys_ia32.c        2011-11-15 20:02:59.000000000 -0500
5990 @@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
5991   */
5992  static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
5993  {
5994 -       typeof(ubuf->st_uid) uid = 0;
5995 -       typeof(ubuf->st_gid) gid = 0;
5996 +       typeof(((struct stat64 *)0)->st_uid) uid = 0;
5997 +       typeof(((struct stat64 *)0)->st_gid) gid = 0;
5998         SET_UID(uid, stat->uid);
5999         SET_GID(gid, stat->gid);
6000         if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
6001 @@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
6002         }
6003         set_fs(KERNEL_DS);
6004         ret = sys_rt_sigprocmask(how,
6005 -                                set ? (sigset_t __user *)&s : NULL,
6006 -                                oset ? (sigset_t __user *)&s : NULL,
6007 +                                set ? (sigset_t __force_user *)&s : NULL,
6008 +                                oset ? (sigset_t __force_user *)&s : NULL,
6009                                  sigsetsize);
6010         set_fs(old_fs);
6011         if (ret)
6012 @@ -332,7 +332,7 @@ asmlinkage long sys32_alarm(unsigned int
6013         return alarm_setitimer(seconds);
6014  }
6015  
6016 -asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int *stat_addr,
6017 +asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int __user *stat_addr,
6018                               int options)
6019  {
6020         return compat_sys_wait4(pid, stat_addr, options, NULL);
6021 @@ -353,7 +353,7 @@ asmlinkage long sys32_sched_rr_get_inter
6022         mm_segment_t old_fs = get_fs();
6023  
6024         set_fs(KERNEL_DS);
6025 -       ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
6026 +       ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
6027         set_fs(old_fs);
6028         if (put_compat_timespec(&t, interval))
6029                 return -EFAULT;
6030 @@ -369,7 +369,7 @@ asmlinkage long sys32_rt_sigpending(comp
6031         mm_segment_t old_fs = get_fs();
6032  
6033         set_fs(KERNEL_DS);
6034 -       ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
6035 +       ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
6036         set_fs(old_fs);
6037         if (!ret) {
6038                 switch (_NSIG_WORDS) {
6039 @@ -394,7 +394,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
6040         if (copy_siginfo_from_user32(&info, uinfo))
6041                 return -EFAULT;
6042         set_fs(KERNEL_DS);
6043 -       ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
6044 +       ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
6045         set_fs(old_fs);
6046         return ret;
6047  }
6048 @@ -439,7 +439,7 @@ asmlinkage long sys32_sendfile(int out_f
6049                 return -EFAULT;
6050  
6051         set_fs(KERNEL_DS);
6052 -       ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
6053 +       ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
6054                            count);
6055         set_fs(old_fs);
6056  
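Review bot: The switch from `typeof(ubuf->st_uid)` to `typeof(((struct stat64 *)0)->st_uid)` in cp_stat64 is not self-explanatory and should carry a comment; the visible effect is that the `__user` pointer `ubuf` is no longer dereferenced inside typeof, presumably to satisfy the address-space checker, e.g. `/* don't dereference a __user pointer inside typeof(): use a null-based member instead */`. The `__force_user` casts in the remaining hunks all sit inside `set_fs(KERNEL_DS)`/`set_fs(old_fs)` windows, which is the only situation they are legitimate in; a one-line comment at the first site would stop the cast being copied to a call outside such a window. The `__user` added to sys32_waitpid's `stat_addr` must match the prototype in the header, which is outside this section.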
6057 diff -urNp linux-3.0.9/arch/x86/include/asm/alternative-asm.h linux-3.0.9/arch/x86/include/asm/alternative-asm.h
6058 --- linux-3.0.9/arch/x86/include/asm/alternative-asm.h  2011-11-11 13:12:24.000000000 -0500
6059 +++ linux-3.0.9/arch/x86/include/asm/alternative-asm.h  2011-11-15 20:02:59.000000000 -0500
6060 @@ -15,6 +15,20 @@
6061         .endm
6062  #endif
6063  
6064 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
6065 +       .macro pax_force_retaddr rip=0
6066 +       btsq $63,\rip(%rsp)
6067 +       .endm
6068 +       .macro pax_force_fptr ptr
6069 +       btsq $63,\ptr
6070 +       .endm
6071 +#else
6072 +       .macro pax_force_retaddr rip=0
6073 +       .endm
6074 +       .macro pax_force_fptr ptr
6075 +       .endm
6076 +#endif
6077 +
6078  .macro altinstruction_entry orig alt feature orig_len alt_len
6079         .align 8
6080         .quad \orig
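Review bot: `pax_force_retaddr` and `pax_force_fptr` set bit 63 of a return address or function pointer with no comment explaining the intent, and `btsq`/`%rsp` make them 64-bit-only although this header is shared with 32-bit builds; presumably CONFIG_PAX_KERNEXEC_PLUGIN is x86_64-only, but that Kconfig is not in this section. I'd put a comment above the `#ifdef`: `/* KERNEXEC: kernel text addresses already have bit 63 set, so this is a no-op for them, while a user-space address becomes non-canonical and faults on the return/call */`. The `rip=0` default also encodes the assumption that the return address is at the top of the stack at the call site, which the callers in the `.S` hunks rely on after their final pop; the comment should state that too.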
6081 diff -urNp linux-3.0.9/arch/x86/include/asm/alternative.h linux-3.0.9/arch/x86/include/asm/alternative.h
6082 --- linux-3.0.9/arch/x86/include/asm/alternative.h      2011-11-11 13:12:24.000000000 -0500
6083 +++ linux-3.0.9/arch/x86/include/asm/alternative.h      2011-11-15 20:02:59.000000000 -0500
6084 @@ -93,7 +93,7 @@ static inline int alternatives_text_rese
6085        ".section .discard,\"aw\",@progbits\n"                           \
6086        "         .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */   \
6087        ".previous\n"                                                    \
6088 -      ".section .altinstr_replacement, \"ax\"\n"                       \
6089 +      ".section .altinstr_replacement, \"a\"\n"                        \
6090        "663:\n\t" newinstr "\n664:\n"           /* replacement     */   \
6091        ".previous"
6092  
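Review bot: Dropping the `x` flag from `.altinstr_replacement` in the C-side ALTERNATIVE macro makes that section non-executable, which is correct only if the replacement bytes are always copied into place and never executed where they sit; a comment on the changed line should state this, e.g. `/* replacement text is copied, never executed in place: no "x" flag */`. The assembler-side declaration of the same section (alternative-asm.h and any `.S` users) has to carry matching flags or the toolchain may warn about section attribute mismatches; that declaration is not in this section.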
6093 diff -urNp linux-3.0.9/arch/x86/include/asm/apic.h linux-3.0.9/arch/x86/include/asm/apic.h
6094 --- linux-3.0.9/arch/x86/include/asm/apic.h     2011-11-11 13:12:24.000000000 -0500
6095 +++ linux-3.0.9/arch/x86/include/asm/apic.h     2011-11-15 20:02:59.000000000 -0500
6096 @@ -45,7 +45,7 @@ static inline void generic_apic_probe(vo
6097  
6098  #ifdef CONFIG_X86_LOCAL_APIC
6099  
6100 -extern unsigned int apic_verbosity;
6101 +extern int apic_verbosity;
6102  extern int local_apic_timer_c2_ok;
6103  
6104  extern int disable_apic;
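Review bot: Changing `apic_verbosity` from `unsigned int` to `int` in the extern declaration alone is a hazard unless the defining translation unit changes in step, since a declaration whose type disagrees with the definition is undefined behavior; the definition is outside this section and should be checked. A short comment on why signedness matters for this variable would justify the change to the next reader.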
6105 diff -urNp linux-3.0.9/arch/x86/include/asm/apm.h linux-3.0.9/arch/x86/include/asm/apm.h
6106 --- linux-3.0.9/arch/x86/include/asm/apm.h      2011-11-11 13:12:24.000000000 -0500
6107 +++ linux-3.0.9/arch/x86/include/asm/apm.h      2011-11-15 20:02:59.000000000 -0500
6108 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6109         __asm__ __volatile__(APM_DO_ZERO_SEGS
6110                 "pushl %%edi\n\t"
6111                 "pushl %%ebp\n\t"
6112 -               "lcall *%%cs:apm_bios_entry\n\t"
6113 +               "lcall *%%ss:apm_bios_entry\n\t"
6114                 "setc %%al\n\t"
6115                 "popl %%ebp\n\t"
6116                 "popl %%edi\n\t"
6117 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6118         __asm__ __volatile__(APM_DO_ZERO_SEGS
6119                 "pushl %%edi\n\t"
6120                 "pushl %%ebp\n\t"
6121 -               "lcall *%%cs:apm_bios_entry\n\t"
6122 +               "lcall *%%ss:apm_bios_entry\n\t"
6123                 "setc %%bl\n\t"
6124                 "popl %%ebp\n\t"
6125                 "popl %%edi\n\t"
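Review bot: Both `lcall` changes switch the segment override from `%%cs` to `%%ss` with no comment, and the reason is not visible in the hunk; presumably KERNEXEC gives the kernel code segment a non-zero base, so a cs-relative data reference to `apm_bios_entry` would resolve to the wrong address while ss keeps the flat base. I'd add `/* fetch the far pointer via ss, not cs: under KERNEXEC cs may have a non-zero base */` at the first site in apm_bios_call_asm and point to it from apm_bios_call_simple_asm. Since `APM_DO_ZERO_SEGS` appears to alter the other data segments before this point, ss may be the only data segment still intact here, which the comment should also say.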
6126 diff -urNp linux-3.0.9/arch/x86/include/asm/atomic64_32.h linux-3.0.9/arch/x86/include/asm/atomic64_32.h
6127 --- linux-3.0.9/arch/x86/include/asm/atomic64_32.h      2011-11-11 13:12:24.000000000 -0500
6128 +++ linux-3.0.9/arch/x86/include/asm/atomic64_32.h      2011-11-15 20:02:59.000000000 -0500
6129 @@ -12,6 +12,14 @@ typedef struct {
6130         u64 __aligned(8) counter;
6131  } atomic64_t;
6132  
6133 +#ifdef CONFIG_PAX_REFCOUNT
6134 +typedef struct {
6135 +       u64 __aligned(8) counter;
6136 +} atomic64_unchecked_t;
6137 +#else
6138 +typedef atomic64_t atomic64_unchecked_t;
6139 +#endif
6140 +
6141  #define ATOMIC64_INIT(val)     { (val) }
6142  
6143  #ifdef CONFIG_X86_CMPXCHG64
6144 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
6145  }
6146  
6147  /**
6148 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
6149 + * @p: pointer to type atomic64_unchecked_t
6150 + * @o: expected value
6151 + * @n: new value
6152 + *
6153 + * Atomically sets @v to @n if it was equal to @o and returns
6154 + * the old value.
6155 + */
6156 +
6157 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
6158 +{
6159 +       return cmpxchg64(&v->counter, o, n);
6160 +}
6161 +
6162 +/**
6163   * atomic64_xchg - xchg atomic64 variable
6164   * @v: pointer to type atomic64_t
6165   * @n: value to assign
6166 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
6167  }
6168  
6169  /**
6170 + * atomic64_set_unchecked - set atomic64 variable
6171 + * @v: pointer to type atomic64_unchecked_t
6172 + * @n: value to assign
6173 + *
6174 + * Atomically sets the value of @v to @n.
6175 + */
6176 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
6177 +{
6178 +       unsigned high = (unsigned)(i >> 32);
6179 +       unsigned low = (unsigned)i;
6180 +       asm volatile(ATOMIC64_ALTERNATIVE(set)
6181 +                    : "+b" (low), "+c" (high)
6182 +                    : "S" (v)
6183 +                    : "eax", "edx", "memory"
6184 +                    );
6185 +}
6186 +
6187 +/**
6188   * atomic64_read - read atomic64 variable
6189   * @v: pointer to type atomic64_t
6190   *
6191 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
6192   }
6193  
6194  /**
6195 + * atomic64_read_unchecked - read atomic64 variable
6196 + * @v: pointer to type atomic64_unchecked_t
6197 + *
6198 + * Atomically reads the value of @v and returns it.
6199 + */
6200 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
6201 +{
6202 +       long long r;
6203 +       asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
6204 +                    : "=A" (r), "+c" (v)
6205 +                    : : "memory"
6206 +                    );
6207 +       return r;
6208 + }
6209 +
6210 +/**
6211   * atomic64_add_return - add and return
6212   * @i: integer value to add
6213   * @v: pointer to type atomic64_t
6214 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
6215         return i;
6216  }
6217  
6218 +/**
6219 + * atomic64_add_return_unchecked - add and return
6220 + * @i: integer value to add
6221 + * @v: pointer to type atomic64_unchecked_t
6222 + *
6223 + * Atomically adds @i to @v and returns @i + *@v
6224 + */
6225 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
6226 +{
6227 +       asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
6228 +                    : "+A" (i), "+c" (v)
6229 +                    : : "memory"
6230 +                    );
6231 +       return i;
6232 +}
6233 +
6234  /*
6235   * Other variants with different arithmetic operators:
6236   */
6237 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
6238         return a;
6239  }
6240  
6241 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6242 +{
6243 +       long long a;
6244 +       asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
6245 +                    : "=A" (a)
6246 +                    : "S" (v)
6247 +                    : "memory", "ecx"
6248 +                    );
6249 +       return a;
6250 +}
6251 +
6252  static inline long long atomic64_dec_return(atomic64_t *v)
6253  {
6254         long long a;
6255 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
6256  }
6257  
6258  /**
6259 + * atomic64_add_unchecked - add integer to atomic64 variable
6260 + * @i: integer value to add
6261 + * @v: pointer to type atomic64_unchecked_t
6262 + *
6263 + * Atomically adds @i to @v.
6264 + */
6265 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
6266 +{
6267 +       asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
6268 +                    : "+A" (i), "+c" (v)
6269 +                    : : "memory"
6270 +                    );
6271 +       return i;
6272 +}
6273 +
6274 +/**
6275   * atomic64_sub - subtract the atomic64 variable
6276   * @i: integer value to subtract
6277   * @v: pointer to type atomic64_t
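Review bot: The kernel-doc on the new helpers doesn't match their signatures: `atomic64_cmpxchg_unchecked` documents `@p` but the parameter is `v` (and a blank line separates the comment from the function, which detaches it for kernel-doc), and `atomic64_set_unchecked` documents `@n` while the parameter is `i`. `atomic64_inc_return_unchecked` has no kernel-doc at all, unlike its siblings. I'd change the tags to `@v: pointer to type atomic64_unchecked_t` and `@i: value to assign`, delete the stray blank line, and add a two-line doc block to inc_return_unchecked. The `ATOMIC64_ALTERNATIVE(read_unchecked)`, `add_return_unchecked`, `inc_return_unchecked` and `ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)` forms require matching assembly entry points that are outside this section.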
6278 diff -urNp linux-3.0.9/arch/x86/include/asm/atomic64_64.h linux-3.0.9/arch/x86/include/asm/atomic64_64.h
6279 --- linux-3.0.9/arch/x86/include/asm/atomic64_64.h      2011-11-11 13:12:24.000000000 -0500
6280 +++ linux-3.0.9/arch/x86/include/asm/atomic64_64.h      2011-11-15 20:02:59.000000000 -0500
6281 @@ -18,7 +18,19 @@
6282   */
6283  static inline long atomic64_read(const atomic64_t *v)
6284  {
6285 -       return (*(volatile long *)&(v)->counter);
6286 +       return (*(volatile const long *)&(v)->counter);
6287 +}
6288 +
6289 +/**
6290 + * atomic64_read_unchecked - read atomic64 variable
6291 + * @v: pointer of type atomic64_unchecked_t
6292 + *
6293 + * Atomically reads the value of @v.
6294 + * Doesn't imply a read memory barrier.
6295 + */
6296 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6297 +{
6298 +       return (*(volatile const long *)&(v)->counter);
6299  }
6300  
6301  /**
6302 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6303  }
6304  
6305  /**
6306 + * atomic64_set_unchecked - set atomic64 variable
6307 + * @v: pointer to type atomic64_unchecked_t
6308 + * @i: required value
6309 + *
6310 + * Atomically sets the value of @v to @i.
6311 + */
6312 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6313 +{
6314 +       v->counter = i;
6315 +}
6316 +
6317 +/**
6318   * atomic64_add - add integer to atomic64 variable
6319   * @i: integer value to add
6320   * @v: pointer to type atomic64_t
6321 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6322   */
6323  static inline void atomic64_add(long i, atomic64_t *v)
6324  {
6325 +       asm volatile(LOCK_PREFIX "addq %1,%0\n"
6326 +
6327 +#ifdef CONFIG_PAX_REFCOUNT
6328 +                    "jno 0f\n"
6329 +                    LOCK_PREFIX "subq %1,%0\n"
6330 +                    "int $4\n0:\n"
6331 +                    _ASM_EXTABLE(0b, 0b)
6332 +#endif
6333 +
6334 +                    : "=m" (v->counter)
6335 +                    : "er" (i), "m" (v->counter));
6336 +}
6337 +
6338 +/**
6339 + * atomic64_add_unchecked - add integer to atomic64 variable
6340 + * @i: integer value to add
6341 + * @v: pointer to type atomic64_unchecked_t
6342 + *
6343 + * Atomically adds @i to @v.
6344 + */
6345 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6346 +{
6347         asm volatile(LOCK_PREFIX "addq %1,%0"
6348                      : "=m" (v->counter)
6349                      : "er" (i), "m" (v->counter));
6350 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i, 
6351   */
6352  static inline void atomic64_sub(long i, atomic64_t *v)
6353  {
6354 -       asm volatile(LOCK_PREFIX "subq %1,%0"
6355 +       asm volatile(LOCK_PREFIX "subq %1,%0\n"
6356 +
6357 +#ifdef CONFIG_PAX_REFCOUNT
6358 +                    "jno 0f\n"
6359 +                    LOCK_PREFIX "addq %1,%0\n"
6360 +                    "int $4\n0:\n"
6361 +                    _ASM_EXTABLE(0b, 0b)
6362 +#endif
6363 +
6364 +                    : "=m" (v->counter)
6365 +                    : "er" (i), "m" (v->counter));
6366 +}
6367 +
6368 +/**
6369 + * atomic64_sub_unchecked - subtract the atomic64 variable
6370 + * @i: integer value to subtract
6371 + * @v: pointer to type atomic64_unchecked_t
6372 + *
6373 + * Atomically subtracts @i from @v.
6374 + */
6375 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6376 +{
6377 +       asm volatile(LOCK_PREFIX "subq %1,%0\n"
6378                      : "=m" (v->counter)
6379                      : "er" (i), "m" (v->counter));
6380  }
6381 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6382  {
6383         unsigned char c;
6384  
6385 -       asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6386 +       asm volatile(LOCK_PREFIX "subq %2,%0\n"
6387 +
6388 +#ifdef CONFIG_PAX_REFCOUNT
6389 +                    "jno 0f\n"
6390 +                    LOCK_PREFIX "addq %2,%0\n"
6391 +                    "int $4\n0:\n"
6392 +                    _ASM_EXTABLE(0b, 0b)
6393 +#endif
6394 +
6395 +                    "sete %1\n"
6396                      : "=m" (v->counter), "=qm" (c)
6397                      : "er" (i), "m" (v->counter) : "memory");
6398         return c;
6399 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6400   */
6401  static inline void atomic64_inc(atomic64_t *v)
6402  {
6403 +       asm volatile(LOCK_PREFIX "incq %0\n"
6404 +
6405 +#ifdef CONFIG_PAX_REFCOUNT
6406 +                    "jno 0f\n"
6407 +                    LOCK_PREFIX "decq %0\n"
6408 +                    "int $4\n0:\n"
6409 +                    _ASM_EXTABLE(0b, 0b)
6410 +#endif
6411 +
6412 +                    : "=m" (v->counter)
6413 +                    : "m" (v->counter));
6414 +}
6415 +
6416 +/**
6417 + * atomic64_inc_unchecked - increment atomic64 variable
6418 + * @v: pointer to type atomic64_unchecked_t
6419 + *
6420 + * Atomically increments @v by 1.
6421 + */
6422 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6423 +{
6424         asm volatile(LOCK_PREFIX "incq %0"
6425                      : "=m" (v->counter)
6426                      : "m" (v->counter));
6427 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6428   */
6429  static inline void atomic64_dec(atomic64_t *v)
6430  {
6431 -       asm volatile(LOCK_PREFIX "decq %0"
6432 +       asm volatile(LOCK_PREFIX "decq %0\n"
6433 +
6434 +#ifdef CONFIG_PAX_REFCOUNT
6435 +                    "jno 0f\n"
6436 +                    LOCK_PREFIX "incq %0\n"
6437 +                    "int $4\n0:\n"
6438 +                    _ASM_EXTABLE(0b, 0b)
6439 +#endif
6440 +
6441 +                    : "=m" (v->counter)
6442 +                    : "m" (v->counter));
6443 +}
6444 +
6445 +/**
6446 + * atomic64_dec_unchecked - decrement atomic64 variable
6447 + * @v: pointer to type atomic64_t
6448 + *
6449 + * Atomically decrements @v by 1.
6450 + */
6451 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6452 +{
6453 +       asm volatile(LOCK_PREFIX "decq %0\n"
6454                      : "=m" (v->counter)
6455                      : "m" (v->counter));
6456  }
6457 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6458  {
6459         unsigned char c;
6460  
6461 -       asm volatile(LOCK_PREFIX "decq %0; sete %1"
6462 +       asm volatile(LOCK_PREFIX "decq %0\n"
6463 +
6464 +#ifdef CONFIG_PAX_REFCOUNT
6465 +                    "jno 0f\n"
6466 +                    LOCK_PREFIX "incq %0\n"
6467 +                    "int $4\n0:\n"
6468 +                    _ASM_EXTABLE(0b, 0b)
6469 +#endif
6470 +
6471 +                    "sete %1\n"
6472                      : "=m" (v->counter), "=qm" (c)
6473                      : "m" (v->counter) : "memory");
6474         return c != 0;
6475 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6476  {
6477         unsigned char c;
6478  
6479 -       asm volatile(LOCK_PREFIX "incq %0; sete %1"
6480 +       asm volatile(LOCK_PREFIX "incq %0\n"
6481 +
6482 +#ifdef CONFIG_PAX_REFCOUNT
6483 +                    "jno 0f\n"
6484 +                    LOCK_PREFIX "decq %0\n"
6485 +                    "int $4\n0:\n"
6486 +                    _ASM_EXTABLE(0b, 0b)
6487 +#endif
6488 +
6489 +                    "sete %1\n"
6490                      : "=m" (v->counter), "=qm" (c)
6491                      : "m" (v->counter) : "memory");
6492         return c != 0;
6493 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6494  {
6495         unsigned char c;
6496  
6497 -       asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6498 +       asm volatile(LOCK_PREFIX "addq %2,%0\n"
6499 +
6500 +#ifdef CONFIG_PAX_REFCOUNT
6501 +                    "jno 0f\n"
6502 +                    LOCK_PREFIX "subq %2,%0\n"
6503 +                    "int $4\n0:\n"
6504 +                    _ASM_EXTABLE(0b, 0b)
6505 +#endif
6506 +
6507 +                    "sets %1\n"
6508                      : "=m" (v->counter), "=qm" (c)
6509                      : "er" (i), "m" (v->counter) : "memory");
6510         return c;
6511 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6512  static inline long atomic64_add_return(long i, atomic64_t *v)
6513  {
6514         long __i = i;
6515 -       asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6516 +       asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6517 +
6518 +#ifdef CONFIG_PAX_REFCOUNT
6519 +                    "jno 0f\n"
6520 +                    "movq %0, %1\n"
6521 +                    "int $4\n0:\n"
6522 +                    _ASM_EXTABLE(0b, 0b)
6523 +#endif
6524 +
6525 +                    : "+r" (i), "+m" (v->counter)
6526 +                    : : "memory");
6527 +       return i + __i;
6528 +}
6529 +
6530 +/**
6531 + * atomic64_add_return_unchecked - add and return
6532 + * @i: integer value to add
6533 + * @v: pointer to type atomic64_unchecked_t
6534 + *
6535 + * Atomically adds @i to @v and returns @i + @v
6536 + */
6537 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6538 +{
6539 +       long __i = i;
6540 +       asm volatile(LOCK_PREFIX "xaddq %0, %1"
6541                      : "+r" (i), "+m" (v->counter)
6542                      : : "memory");
6543         return i + __i;
6544 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6545  }
6546  
6547  #define atomic64_inc_return(v)  (atomic64_add_return(1, (v)))
6548 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6549 +{
6550 +       return atomic64_add_return_unchecked(1, v);
6551 +}
6552  #define atomic64_dec_return(v)  (atomic64_sub_return(1, (v)))
6553  
6554  static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
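Review bot: atomic64_inc_return_unchecked is added without the kernel-doc that the other new `_unchecked` helpers in this patch carry, and nothing states when a caller should pick it over atomic64_inc_return. The distinction matters for review: the `_unchecked` family is presumably the opt-out from the CONFIG_PAX_REFCOUNT overflow trap, so it must only be used for counters that are allowed to wrap (statistics, sequence numbers), never for object reference counts. Suggested header: `/** atomic64_inc_return_unchecked - increment and return; no PAX_REFCOUNT overflow check, so only for counters that may legitimately wrap */`. The checked variant stays a macro while the unchecked one is an inline function, which is harmless but inconsistent.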
6555 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
6556         return cmpxchg(&v->counter, old, new);
6557  }
6558  
6559 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
6560 +{
6561 +       return cmpxchg(&v->counter, old, new);
6562 +}
6563 +
6564  static inline long atomic64_xchg(atomic64_t *v, long new)
6565  {
6566         return xchg(&v->counter, new);
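Review bot: The 64-bit header gains atomic64_cmpxchg_unchecked here but no atomic64_xchg_unchecked, whereas the 32-bit atomic.h hunk later in this patch adds both atomic_cmpxchg_unchecked and atomic_xchg_unchecked. Code converted to atomic64_unchecked_t that needs an exchange will have to reach into `v->counter` by hand or fall back to the checked type, which is what the conversion is meant to avoid. Adding the counterpart keeps the two APIs parallel: `static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new) { return xchg(&v->counter, new); }`.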
6567 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
6568   */
6569  static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6570  {
6571 -       long c, old;
6572 +       long c, old, new;
6573         c = atomic64_read(v);
6574         for (;;) {
6575 -               if (unlikely(c == (u)))
6576 +               if (unlikely(c == u))
6577                         break;
6578 -               old = atomic64_cmpxchg((v), c, c + (a));
6579 +
6580 +               asm volatile("add %2,%0\n"
6581 +
6582 +#ifdef CONFIG_PAX_REFCOUNT
6583 +                            "jno 0f\n"
6584 +                            "sub %2,%0\n"
6585 +                            "int $4\n0:\n"
6586 +                            _ASM_EXTABLE(0b, 0b)
6587 +#endif
6588 +
6589 +                            : "=r" (new)
6590 +                            : "0" (c), "ir" (a));
6591 +
6592 +               old = atomic64_cmpxchg(v, c, new);
6593                 if (likely(old == c))
6594                         break;
6595                 c = old;
6596         }
6597 -       return c != (u);
6598 +       return c != u;
6599  }
6600  
6601  #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
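Review bot: The new inline asm in atomic64_add_unless passes the 64-bit addend with an `"ir" (a)` constraint, but `add` on x86-64 only encodes a sign-extended 32-bit immediate, so a constant `a` outside that range is accepted by GCC and rejected by the assembler. The other 64-bit helpers in this file use `"er"` for exactly this reason (see the `"er" (i)` operand in the hunk at the top of this view), so this should read `: "0" (c), "er" (a));`. Also, after the overflow undo `new` equals `c` again, so the following cmpxchg succeeds as a no-op and the function returns `c != u` as if the add had happened; if execution is expected to resume after `int $4`, that deserves a comment.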
6602 diff -urNp linux-3.0.9/arch/x86/include/asm/atomic.h linux-3.0.9/arch/x86/include/asm/atomic.h
6603 --- linux-3.0.9/arch/x86/include/asm/atomic.h   2011-11-11 13:12:24.000000000 -0500
6604 +++ linux-3.0.9/arch/x86/include/asm/atomic.h   2011-11-15 20:02:59.000000000 -0500
6605 @@ -22,7 +22,18 @@
6606   */
6607  static inline int atomic_read(const atomic_t *v)
6608  {
6609 -       return (*(volatile int *)&(v)->counter);
6610 +       return (*(volatile const int *)&(v)->counter);
6611 +}
6612 +
6613 +/**
6614 + * atomic_read_unchecked - read atomic variable
6615 + * @v: pointer of type atomic_unchecked_t
6616 + *
6617 + * Atomically reads the value of @v.
6618 + */
6619 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6620 +{
6621 +       return (*(volatile const int *)&(v)->counter);
6622  }
6623  
6624  /**
6625 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6626  }
6627  
6628  /**
6629 + * atomic_set_unchecked - set atomic variable
6630 + * @v: pointer of type atomic_unchecked_t
6631 + * @i: required value
6632 + *
6633 + * Atomically sets the value of @v to @i.
6634 + */
6635 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6636 +{
6637 +       v->counter = i;
6638 +}
6639 +
6640 +/**
6641   * atomic_add - add integer to atomic variable
6642   * @i: integer value to add
6643   * @v: pointer of type atomic_t
6644 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6645   */
6646  static inline void atomic_add(int i, atomic_t *v)
6647  {
6648 -       asm volatile(LOCK_PREFIX "addl %1,%0"
6649 +       asm volatile(LOCK_PREFIX "addl %1,%0\n"
6650 +
6651 +#ifdef CONFIG_PAX_REFCOUNT
6652 +                    "jno 0f\n"
6653 +                    LOCK_PREFIX "subl %1,%0\n"
6654 +                    "int $4\n0:\n"
6655 +                    _ASM_EXTABLE(0b, 0b)
6656 +#endif
6657 +
6658 +                    : "+m" (v->counter)
6659 +                    : "ir" (i));
6660 +}
6661 +
6662 +/**
6663 + * atomic_add_unchecked - add integer to atomic variable
6664 + * @i: integer value to add
6665 + * @v: pointer of type atomic_unchecked_t
6666 + *
6667 + * Atomically adds @i to @v.
6668 + */
6669 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6670 +{
6671 +       asm volatile(LOCK_PREFIX "addl %1,%0\n"
6672                      : "+m" (v->counter)
6673                      : "ir" (i));
6674  }
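Review bot: The CONFIG_PAX_REFCOUNT check in atomic_add is post-hoc: the overflowed value is written by the locked `addl` and stays visible to other CPUs until the locked `subl` rolls it back, and the `jno` test makes the boundary signed (INT_MAX), not the unsigned wrap a caller might expect. Neither fact is stated in the hunk. A comment above the `#ifdef`, e.g. `/* PAX_REFCOUNT: detect signed overflow after the fact; the wrapped value is briefly visible before the locked undo, int $4 reports it */`, would spare the next reviewer from re-deriving this. The same applies to the atomic_sub/inc/dec hunks that follow.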
6675 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6676   */
6677  static inline void atomic_sub(int i, atomic_t *v)
6678  {
6679 -       asm volatile(LOCK_PREFIX "subl %1,%0"
6680 +       asm volatile(LOCK_PREFIX "subl %1,%0\n"
6681 +
6682 +#ifdef CONFIG_PAX_REFCOUNT
6683 +                    "jno 0f\n"
6684 +                    LOCK_PREFIX "addl %1,%0\n"
6685 +                    "int $4\n0:\n"
6686 +                    _ASM_EXTABLE(0b, 0b)
6687 +#endif
6688 +
6689 +                    : "+m" (v->counter)
6690 +                    : "ir" (i));
6691 +}
6692 +
6693 +/**
6694 + * atomic_sub_unchecked - subtract integer from atomic variable
6695 + * @i: integer value to subtract
6696 + * @v: pointer of type atomic_unchecked_t
6697 + *
6698 + * Atomically subtracts @i from @v.
6699 + */
6700 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6701 +{
6702 +       asm volatile(LOCK_PREFIX "subl %1,%0\n"
6703                      : "+m" (v->counter)
6704                      : "ir" (i));
6705  }
6706 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6707  {
6708         unsigned char c;
6709  
6710 -       asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6711 +       asm volatile(LOCK_PREFIX "subl %2,%0\n"
6712 +
6713 +#ifdef CONFIG_PAX_REFCOUNT
6714 +                    "jno 0f\n"
6715 +                    LOCK_PREFIX "addl %2,%0\n"
6716 +                    "int $4\n0:\n"
6717 +                    _ASM_EXTABLE(0b, 0b)
6718 +#endif
6719 +
6720 +                    "sete %1\n"
6721                      : "+m" (v->counter), "=qm" (c)
6722                      : "ir" (i) : "memory");
6723         return c;
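Review bot: In atomic_sub_and_test the `sete %1` now sits after the `0:` label, so on the overflow path it reads the flags of the undo `addl`, not of the `subl` whose result the function is supposed to report. Because `sete` does not modify flags it can be placed between the `subl` and the `jno`, i.e. before the `#ifdef CONFIG_PAX_REFCOUNT` block, and the `jno` still sees OF from the original operation. The same ordering appears in the atomic_dec_and_test, atomic_inc_and_test and atomic_add_negative hunks below, and in the atomic64_add_negative hunk cut off at the top of this view.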
6724 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6725   */
6726  static inline void atomic_inc(atomic_t *v)
6727  {
6728 -       asm volatile(LOCK_PREFIX "incl %0"
6729 +       asm volatile(LOCK_PREFIX "incl %0\n"
6730 +
6731 +#ifdef CONFIG_PAX_REFCOUNT
6732 +                    "jno 0f\n"
6733 +                    LOCK_PREFIX "decl %0\n"
6734 +                    "int $4\n0:\n"
6735 +                    _ASM_EXTABLE(0b, 0b)
6736 +#endif
6737 +
6738 +                    : "+m" (v->counter));
6739 +}
6740 +
6741 +/**
6742 + * atomic_inc_unchecked - increment atomic variable
6743 + * @v: pointer of type atomic_unchecked_t
6744 + *
6745 + * Atomically increments @v by 1.
6746 + */
6747 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6748 +{
6749 +       asm volatile(LOCK_PREFIX "incl %0\n"
6750                      : "+m" (v->counter));
6751  }
6752  
6753 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6754   */
6755  static inline void atomic_dec(atomic_t *v)
6756  {
6757 -       asm volatile(LOCK_PREFIX "decl %0"
6758 +       asm volatile(LOCK_PREFIX "decl %0\n"
6759 +
6760 +#ifdef CONFIG_PAX_REFCOUNT
6761 +                    "jno 0f\n"
6762 +                    LOCK_PREFIX "incl %0\n"
6763 +                    "int $4\n0:\n"
6764 +                    _ASM_EXTABLE(0b, 0b)
6765 +#endif
6766 +
6767 +                    : "+m" (v->counter));
6768 +}
6769 +
6770 +/**
6771 + * atomic_dec_unchecked - decrement atomic variable
6772 + * @v: pointer of type atomic_unchecked_t
6773 + *
6774 + * Atomically decrements @v by 1.
6775 + */
6776 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6777 +{
6778 +       asm volatile(LOCK_PREFIX "decl %0\n"
6779                      : "+m" (v->counter));
6780  }
6781  
6782 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6783  {
6784         unsigned char c;
6785  
6786 -       asm volatile(LOCK_PREFIX "decl %0; sete %1"
6787 +       asm volatile(LOCK_PREFIX "decl %0\n"
6788 +
6789 +#ifdef CONFIG_PAX_REFCOUNT
6790 +                    "jno 0f\n"
6791 +                    LOCK_PREFIX "incl %0\n"
6792 +                    "int $4\n0:\n"
6793 +                    _ASM_EXTABLE(0b, 0b)
6794 +#endif
6795 +
6796 +                    "sete %1\n"
6797                      : "+m" (v->counter), "=qm" (c)
6798                      : : "memory");
6799         return c != 0;
6800 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
6801  {
6802         unsigned char c;
6803  
6804 -       asm volatile(LOCK_PREFIX "incl %0; sete %1"
6805 +       asm volatile(LOCK_PREFIX "incl %0\n"
6806 +
6807 +#ifdef CONFIG_PAX_REFCOUNT
6808 +                    "jno 0f\n"
6809 +                    LOCK_PREFIX "decl %0\n"
6810 +                    "int $4\n0:\n"
6811 +                    _ASM_EXTABLE(0b, 0b)
6812 +#endif
6813 +
6814 +                    "sete %1\n"
6815 +                    : "+m" (v->counter), "=qm" (c)
6816 +                    : : "memory");
6817 +       return c != 0;
6818 +}
6819 +
6820 +/**
6821 + * atomic_inc_and_test_unchecked - increment and test
6822 + * @v: pointer of type atomic_unchecked_t
6823 + *
6824 + * Atomically increments @v by 1
6825 + * and returns true if the result is zero, or false for all
6826 + * other cases.
6827 + */
6828 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6829 +{
6830 +       unsigned char c;
6831 +
6832 +       asm volatile(LOCK_PREFIX "incl %0\n"
6833 +                    "sete %1\n"
6834                      : "+m" (v->counter), "=qm" (c)
6835                      : : "memory");
6836         return c != 0;
6837 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
6838  {
6839         unsigned char c;
6840  
6841 -       asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6842 +       asm volatile(LOCK_PREFIX "addl %2,%0\n"
6843 +
6844 +#ifdef CONFIG_PAX_REFCOUNT
6845 +                    "jno 0f\n"
6846 +                    LOCK_PREFIX "subl %2,%0\n"
6847 +                    "int $4\n0:\n"
6848 +                    _ASM_EXTABLE(0b, 0b)
6849 +#endif
6850 +
6851 +                    "sets %1\n"
6852                      : "+m" (v->counter), "=qm" (c)
6853                      : "ir" (i) : "memory");
6854         return c;
6855 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int 
6856  #endif
6857         /* Modern 486+ processor */
6858         __i = i;
6859 +       asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6860 +
6861 +#ifdef CONFIG_PAX_REFCOUNT
6862 +                    "jno 0f\n"
6863 +                    "movl %0, %1\n"
6864 +                    "int $4\n0:\n"
6865 +                    _ASM_EXTABLE(0b, 0b)
6866 +#endif
6867 +
6868 +                    : "+r" (i), "+m" (v->counter)
6869 +                    : : "memory");
6870 +       return i + __i;
6871 +
6872 +#ifdef CONFIG_M386
6873 +no_xadd: /* Legacy 386 processor */
6874 +       local_irq_save(flags);
6875 +       __i = atomic_read(v);
6876 +       atomic_set(v, i + __i);
6877 +       local_irq_restore(flags);
6878 +       return i + __i;
6879 +#endif
6880 +}
6881 +
6882 +/**
6883 + * atomic_add_return_unchecked - add integer and return
6884 + * @v: pointer of type atomic_unchecked_t
6885 + * @i: integer value to add
6886 + *
6887 + * Atomically adds @i to @v and returns @i + @v
6888 + */
6889 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6890 +{
6891 +       int __i;
6892 +#ifdef CONFIG_M386
6893 +       unsigned long flags;
6894 +       if (unlikely(boot_cpu_data.x86 <= 3))
6895 +               goto no_xadd;
6896 +#endif
6897 +       /* Modern 486+ processor */
6898 +       __i = i;
6899         asm volatile(LOCK_PREFIX "xaddl %0, %1"
6900                      : "+r" (i), "+m" (v->counter)
6901                      : : "memory");
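Review bot: The CONFIG_M386 fallback at `no_xadd:` computes `i + __i` with atomic_read/atomic_set and never looks at overflow, so on a 386 build CONFIG_PAX_REFCOUNT silently does nothing for atomic_add_return even though the xadd path above traps. If that is an accepted limitation it deserves a comment at the label: `/* no overflow check on 386: PAX_REFCOUNT does not cover this path */`. atomic_add_return's signature and M386 prologue are above this hunk, and atomic_add_return_unchecked continues past its end.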
6902 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int 
6903  }
6904  
6905  #define atomic_inc_return(v)  (atomic_add_return(1, v))
6906 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6907 +{
6908 +       return atomic_add_return_unchecked(1, v);
6909 +}
6910  #define atomic_dec_return(v)  (atomic_sub_return(1, v))
6911  
6912  static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6913 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
6914         return cmpxchg(&v->counter, old, new);
6915  }
6916  
6917 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
6918 +{
6919 +       return cmpxchg(&v->counter, old, new);
6920 +}
6921 +
6922  static inline int atomic_xchg(atomic_t *v, int new)
6923  {
6924         return xchg(&v->counter, new);
6925  }
6926  
6927 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
6928 +{
6929 +       return xchg(&v->counter, new);
6930 +}
6931 +
6932  /**
6933   * atomic_add_unless - add unless the number is already a given value
6934   * @v: pointer of type atomic_t
6935 @@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
6936   */
6937  static inline int atomic_add_unless(atomic_t *v, int a, int u)
6938  {
6939 -       int c, old;
6940 +       int c, old, new;
6941         c = atomic_read(v);
6942         for (;;) {
6943 -               if (unlikely(c == (u)))
6944 +               if (unlikely(c == u))
6945                         break;
6946 -               old = atomic_cmpxchg((v), c, c + (a));
6947 +
6948 +               asm volatile("addl %2,%0\n"
6949 +
6950 +#ifdef CONFIG_PAX_REFCOUNT
6951 +                            "jno 0f\n"
6952 +                            "subl %2,%0\n"
6953 +                            "int $4\n0:\n"
6954 +                            _ASM_EXTABLE(0b, 0b)
6955 +#endif
6956 +
6957 +                            : "=r" (new)
6958 +                            : "0" (c), "ir" (a));
6959 +
6960 +               old = atomic_cmpxchg(v, c, new);
6961                 if (likely(old == c))
6962                         break;
6963                 c = old;
6964         }
6965 -       return c != (u);
6966 +       return c != u;
6967  }
6968  
6969  #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6970  
6971 +/**
6972 + * atomic_inc_not_zero_hint - increment if not null
6973 + * @v: pointer of type atomic_t
6974 + * @hint: probable value of the atomic before the increment
6975 + *
6976 + * This version of atomic_inc_not_zero() gives a hint of probable
6977 + * value of the atomic. This helps processor to not read the memory
6978 + * before doing the atomic read/modify/write cycle, lowering
6979 + * number of bus transactions on some arches.
6980 + *
6981 + * Returns: 0 if increment was not done, 1 otherwise.
6982 + */
6983 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
6984 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
6985 +{
6986 +       int val, c = hint, new;
6987 +
6988 +       /* sanity test, should be removed by compiler if hint is a constant */
6989 +       if (!hint)
6990 +               return atomic_inc_not_zero(v);
6991 +
6992 +       do {
6993 +               asm volatile("incl %0\n"
6994 +
6995 +#ifdef CONFIG_PAX_REFCOUNT
6996 +                            "jno 0f\n"
6997 +                            "decl %0\n"
6998 +                            "int $4\n0:\n"
6999 +                            _ASM_EXTABLE(0b, 0b)
7000 +#endif
7001 +
7002 +                            : "=r" (new)
7003 +                            : "0" (c));
7004 +
7005 +               val = atomic_cmpxchg(v, c, new);
7006 +               if (val == c)
7007 +                       return 1;
7008 +               c = val;
7009 +       } while (c);
7010 +
7011 +       return 0;
7012 +}
7013 +
7014  /*
7015   * atomic_dec_if_positive - decrement by 1 if old value positive
7016   * @v: pointer of type atomic_t
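Review bot: In atomic_inc_not_zero_hint the overflow check runs on the register copy before the cmpxchg, and the undo `decl %0` leaves `new` equal to `c`, so once `int $4` returns the cmpxchg succeeds trivially and the function returns 1, telling the caller it holds a reference it did not take; atomic_add_unless in the same hunk behaves the same way. That is only safe if the #OF handler never returns to the fixup address for the current task, which the hunk cannot show. Either document that assumption next to `_ASM_EXTABLE(0b, 0b)` or make the loop give up after the trap, e.g. `if (unlikely(new == c)) return 0;` before the cmpxchg under `#ifdef CONFIG_PAX_REFCOUNT` (for atomic_add_unless this needs an `a != 0` guard, since a zero addend legitimately yields `new == c`).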
7017 diff -urNp linux-3.0.9/arch/x86/include/asm/bitops.h linux-3.0.9/arch/x86/include/asm/bitops.h
7018 --- linux-3.0.9/arch/x86/include/asm/bitops.h   2011-11-11 13:12:24.000000000 -0500
7019 +++ linux-3.0.9/arch/x86/include/asm/bitops.h   2011-11-15 20:02:59.000000000 -0500
7020 @@ -38,7 +38,7 @@
7021   * a mask operation on a byte.
7022   */
7023  #define IS_IMMEDIATE(nr)               (__builtin_constant_p(nr))
7024 -#define CONST_MASK_ADDR(nr, addr)      BITOP_ADDR((void *)(addr) + ((nr)>>3))
7025 +#define CONST_MASK_ADDR(nr, addr)      BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7026  #define CONST_MASK(nr)                 (1 << ((nr) & 7))
7027  
7028  /**
7029 diff -urNp linux-3.0.9/arch/x86/include/asm/boot.h linux-3.0.9/arch/x86/include/asm/boot.h
7030 --- linux-3.0.9/arch/x86/include/asm/boot.h     2011-11-11 13:12:24.000000000 -0500
7031 +++ linux-3.0.9/arch/x86/include/asm/boot.h     2011-11-15 20:02:59.000000000 -0500
7032 @@ -11,10 +11,15 @@
7033  #include <asm/pgtable_types.h>
7034  
7035  /* Physical address where kernel should be loaded. */
7036 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7037 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7038                                 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7039                                 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7040  
7041 +#ifndef __ASSEMBLY__
7042 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7043 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7044 +#endif
7045 +
7046  /* Minimum kernel alignment, as a power of two */
7047  #ifdef CONFIG_X86_64
7048  #define MIN_KERNEL_ALIGN_LG2   PMD_SHIFT
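Review bot: `LOAD_PHYSICAL_ADDR` is no longer an integer constant expression once it expands to `(unsigned long)__LOAD_PHYSICAL_ADDR`, so any C use in a static initializer, array bound or `#if` now fails to compile, and the hunk does not say that such users must switch to `____LOAD_PHYSICAL_ADDR`. The symbol is presumably provided by the linker script, which is not in this chunk. A comment on the `#ifndef __ASSEMBLY__` block would make the split explicit: `/* C code sees a symbol resolved at link time (not a constant expression); assembly and constant contexts use ____LOAD_PHYSICAL_ADDR */`.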
7049 diff -urNp linux-3.0.9/arch/x86/include/asm/cacheflush.h linux-3.0.9/arch/x86/include/asm/cacheflush.h
7050 --- linux-3.0.9/arch/x86/include/asm/cacheflush.h       2011-11-11 13:12:24.000000000 -0500
7051 +++ linux-3.0.9/arch/x86/include/asm/cacheflush.h       2011-11-15 20:02:59.000000000 -0500
7052 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7053         unsigned long pg_flags = pg->flags & _PGMT_MASK;
7054  
7055         if (pg_flags == _PGMT_DEFAULT)
7056 -               return -1;
7057 +               return ~0UL;
7058         else if (pg_flags == _PGMT_WC)
7059                 return _PAGE_CACHE_WC;
7060         else if (pg_flags == _PGMT_UC_MINUS)
7061 diff -urNp linux-3.0.9/arch/x86/include/asm/cache.h linux-3.0.9/arch/x86/include/asm/cache.h
7062 --- linux-3.0.9/arch/x86/include/asm/cache.h    2011-11-11 13:12:24.000000000 -0500
7063 +++ linux-3.0.9/arch/x86/include/asm/cache.h    2011-11-15 20:02:59.000000000 -0500
7064 @@ -5,12 +5,13 @@
7065  
7066  /* L1 cache line size */
7067  #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
7068 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7069 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7070  
7071  #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7072 +#define __read_only __attribute__((__section__(".data..read_only")))
7073  
7074  #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7075 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7076 +#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
7077  
7078  #ifdef CONFIG_X86_VSMP
7079  #ifdef CONFIG_SMP
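Review bot: The new `__read_only` attribute places data in `.data..read_only`, but nothing in the hunk says that the linker script has to collect that section and that write protection is presumably applied only after init, which is the whole point of using it; a one-line comment above the `#define` would keep users from assuming the attribute alone enforces anything. Separately, `_AC(1,UL)` needs `<linux/const.h>`, which is not included in the visible part of cache.h, so confirm it reaches this header through an existing include chain rather than relying on whoever includes cache.h first.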
7080 diff -urNp linux-3.0.9/arch/x86/include/asm/checksum_32.h linux-3.0.9/arch/x86/include/asm/checksum_32.h
7081 --- linux-3.0.9/arch/x86/include/asm/checksum_32.h      2011-11-11 13:12:24.000000000 -0500
7082 +++ linux-3.0.9/arch/x86/include/asm/checksum_32.h      2011-11-15 20:02:59.000000000 -0500
7083 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7084                                             int len, __wsum sum,
7085                                             int *src_err_ptr, int *dst_err_ptr);
7086  
7087 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7088 +                                                 int len, __wsum sum,
7089 +                                                 int *src_err_ptr, int *dst_err_ptr);
7090 +
7091 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7092 +                                                 int len, __wsum sum,
7093 +                                                 int *src_err_ptr, int *dst_err_ptr);
7094 +
7095  /*
7096   *     Note: when you get a NULL pointer exception here this means someone
7097   *     passed in an incorrect kernel address to one of these functions.
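Review bot: The two new prototypes csum_partial_copy_generic_to_user/_from_user take plain `void *` on both sides and carry no comment, so a reader cannot tell which argument is the userspace pointer or why a separate symbol per direction is needed. Since callers already `__force`-cast the user pointer (see the two hunks below), annotating the user-side parameter as `void __user *dst` / `const void __user *src` and dropping the casts would let sparse check the direction. At minimum add a comment such as `/* direction-specific variants that presumably wrap the copy in the user-access setup this patch requires; the asm implementations are elsewhere */`.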
7098 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7099                                                  int *err_ptr)
7100  {
7101         might_sleep();
7102 -       return csum_partial_copy_generic((__force void *)src, dst,
7103 +       return csum_partial_copy_generic_from_user((__force void *)src, dst,
7104                                          len, sum, err_ptr, NULL);
7105  }
7106  
7107 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7108  {
7109         might_sleep();
7110         if (access_ok(VERIFY_WRITE, dst, len))
7111 -               return csum_partial_copy_generic(src, (__force void *)dst,
7112 +               return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7113                                                  len, sum, NULL, err_ptr);
7114  
7115         if (len)
7116 diff -urNp linux-3.0.9/arch/x86/include/asm/cpufeature.h linux-3.0.9/arch/x86/include/asm/cpufeature.h
7117 --- linux-3.0.9/arch/x86/include/asm/cpufeature.h       2011-11-11 13:12:24.000000000 -0500
7118 +++ linux-3.0.9/arch/x86/include/asm/cpufeature.h       2011-11-15 20:02:59.000000000 -0500
7119 @@ -358,7 +358,7 @@ static __always_inline __pure bool __sta
7120                              ".section .discard,\"aw\",@progbits\n"
7121                              " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7122                              ".previous\n"
7123 -                            ".section .altinstr_replacement,\"ax\"\n"
7124 +                            ".section .altinstr_replacement,\"a\"\n"
7125                              "3: movb $1,%0\n"
7126                              "4:\n"
7127                              ".previous\n"
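Review bot: The `.altinstr_replacement` flags set here (`"a"`) must match every other place the tree opens that section (the alternative.h macros and the assembly sources), because the assembler warns and then errors when one object declares the same section with different flags. The change is sound if the replacement bytes are only ever copied into place and never executed where they sit, but that rationale is not written down; add `/* "a", not "ax": replacement bytes are copied into the kernel text, never executed in place */` next to the directive.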
7128 diff -urNp linux-3.0.9/arch/x86/include/asm/desc_defs.h linux-3.0.9/arch/x86/include/asm/desc_defs.h
7129 --- linux-3.0.9/arch/x86/include/asm/desc_defs.h        2011-11-11 13:12:24.000000000 -0500
7130 +++ linux-3.0.9/arch/x86/include/asm/desc_defs.h        2011-11-15 20:02:59.000000000 -0500
7131 @@ -31,6 +31,12 @@ struct desc_struct {
7132                         unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7133                         unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7134                 };
7135 +               struct {
7136 +                       u16 offset_low;
7137 +                       u16 seg;
7138 +                       unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7139 +                       unsigned offset_high: 16;
7140 +               } gate;
7141         };
7142  } __attribute__((packed));
7143  
7144 diff -urNp linux-3.0.9/arch/x86/include/asm/desc.h linux-3.0.9/arch/x86/include/asm/desc.h
7145 --- linux-3.0.9/arch/x86/include/asm/desc.h     2011-11-11 13:12:24.000000000 -0500
7146 +++ linux-3.0.9/arch/x86/include/asm/desc.h     2011-11-15 20:02:59.000000000 -0500
7147 @@ -4,6 +4,7 @@
7148  #include <asm/desc_defs.h>
7149  #include <asm/ldt.h>
7150  #include <asm/mmu.h>
7151 +#include <asm/pgtable.h>
7152  
7153  #include <linux/smp.h>
7154  
7155 @@ -16,6 +17,7 @@ static inline void fill_ldt(struct desc_
7156  
7157         desc->type              = (info->read_exec_only ^ 1) << 1;
7158         desc->type             |= info->contents << 2;
7159 +       desc->type             |= info->seg_not_present ^ 1;
7160  
7161         desc->s                 = 1;
7162         desc->dpl               = 0x3;
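Review bot: The new line `desc->type |= info->seg_not_present ^ 1;` sets the Accessed bit (type bit 0) on every present LDT segment and gives no reason. The likely motive is that with the descriptor tables made read-only by this patch the CPU could no longer set the bit itself on first use and would fault, but that is an inference; the line should carry the actual reason, e.g. `/* pre-set the Accessed bit: the CPU cannot write it into a read-only LDT */`. Without the comment a later cleanup could easily drop it as redundant.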
7163 @@ -34,17 +36,12 @@ static inline void fill_ldt(struct desc_
7164  }
7165  
7166  extern struct desc_ptr idt_descr;
7167 -extern gate_desc idt_table[];
7168 -
7169 -struct gdt_page {
7170 -       struct desc_struct gdt[GDT_ENTRIES];
7171 -} __attribute__((aligned(PAGE_SIZE)));
7172 -
7173 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7174 +extern gate_desc idt_table[256];
7175  
7176 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7177  static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7178  {
7179 -       return per_cpu(gdt_page, cpu).gdt;
7180 +       return cpu_gdt_table[cpu];
7181  }
7182  
7183  #ifdef CONFIG_X86_64
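Review bot: `cpu_gdt_table` is declared as a fixed `NR_CPUS` array of page-sized descriptor arrays, so its definition (not in this hunk) must use exactly the same dimensions, and the table now costs a page per possible CPU regardless of how many are online; neither point is noted. get_cpu_gdt_table still indexes with an unchecked `cpu`, as before, but now walks a static array instead of per-cpu data. A comment such as `/* one page per possible CPU; must stay in sync with the definition and with whatever makes the table read-only */` would anchor both constraints.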
7184 @@ -69,8 +66,14 @@ static inline void pack_gate(gate_desc *
7185                              unsigned long base, unsigned dpl, unsigned flags,
7186                              unsigned short seg)
7187  {
7188 -       gate->a = (seg << 16) | (base & 0xffff);
7189 -       gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7190 +       gate->gate.offset_low   = base;
7191 +       gate->gate.seg          = seg;
7192 +       gate->gate.reserved     = 0;
7193 +       gate->gate.type         = type;
7194 +       gate->gate.s            = 0;
7195 +       gate->gate.dpl          = dpl;
7196 +       gate->gate.p            = 1;
7197 +       gate->gate.offset_high  = base >> 16;
7198  }
7199  
7200  #endif
7201 @@ -115,12 +118,16 @@ static inline void paravirt_free_ldt(str
7202  
7203  static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
7204  {
7205 +       pax_open_kernel();
7206         memcpy(&idt[entry], gate, sizeof(*gate));
7207 +       pax_close_kernel();
7208  }
7209  
7210  static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
7211  {
7212 +       pax_open_kernel();
7213         memcpy(&ldt[entry], desc, 8);
7214 +       pax_close_kernel();
7215  }
7216  
7217  static inline void
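Review bot: native_write_idt_entry and native_write_ldt_entry now wrap their memcpy in pax_open_kernel()/pax_close_kernel(), but the header does not say what the pair does (lift write protection on this CPU? switch page tables?) or whether it disables preemption, and the callers here add no protection of their own. If the open state is per-CPU, a preemption or interrupt between open and close must not leave the protection lifted for unrelated code, so that requirement belongs on the pair or on these callers. Add a short comment at the first use, e.g. `/* pax_open/close_kernel: temporarily allow writes to the read-only descriptor tables; must not sleep in between */`, adjusted to what the implementation guarantees.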
7218 @@ -134,7 +141,9 @@ native_write_gdt_entry(struct desc_struc
7219         default:        size = sizeof(*gdt);            break;
7220         }
7221  
7222 +       pax_open_kernel();
7223         memcpy(&gdt[entry], desc, size);
7224 +       pax_close_kernel();
7225  }
7226  
7227  static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7228 @@ -207,7 +216,9 @@ static inline void native_set_ldt(const 
7229  
7230  static inline void native_load_tr_desc(void)
7231  {
7232 +       pax_open_kernel();
7233         asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7234 +       pax_close_kernel();
7235  }
7236  
7237  static inline void native_load_gdt(const struct desc_ptr *dtr)
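Review bot: The reason for pax_open_kernel()/pax_close_kernel() around `ltr` in native_load_tr_desc is not recorded, and it looks odd for an instruction that loads a register. `ltr` marks the selected TSS descriptor busy by writing type bit 1 in the GDT, which is presumably why the write protection has to be lifted; say so: `/* ltr sets the TSS descriptor's busy bit in the (read-only) GDT */`.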
7238 @@ -244,8 +255,10 @@ static inline void native_load_tls(struc
7239         struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7240         unsigned int i;
7241  
7242 +       pax_open_kernel();
7243         for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7244                 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7245 +       pax_close_kernel();
7246  }
7247  
7248  #define _LDT_empty(info)                               \
7249 @@ -307,7 +320,7 @@ static inline void set_desc_limit(struct
7250         desc->limit = (limit >> 16) & 0xf;
7251  }
7252  
7253 -static inline void _set_gate(int gate, unsigned type, void *addr,
7254 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7255                              unsigned dpl, unsigned ist, unsigned seg)
7256  {
7257         gate_desc s;
7258 @@ -326,7 +339,7 @@ static inline void _set_gate(int gate, u
7259   * Pentium F0 0F bugfix can have resulted in the mapped
7260   * IDT being write-protected.
7261   */
7262 -static inline void set_intr_gate(unsigned int n, void *addr)
7263 +static inline void set_intr_gate(unsigned int n, const void *addr)
7264  {
7265         BUG_ON((unsigned)n > 0xFF);
7266         _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7267 @@ -356,19 +369,19 @@ static inline void alloc_intr_gate(unsig
7268  /*
7269   * This routine sets up an interrupt gate at directory privilege level 3.
7270   */
7271 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7272 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7273  {
7274         BUG_ON((unsigned)n > 0xFF);
7275         _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7276  }
7277  
7278 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7279 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7280  {
7281         BUG_ON((unsigned)n > 0xFF);
7282         _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7283  }
7284  
7285 -static inline void set_trap_gate(unsigned int n, void *addr)
7286 +static inline void set_trap_gate(unsigned int n, const void *addr)
7287  {
7288         BUG_ON((unsigned)n > 0xFF);
7289         _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7290 @@ -377,19 +390,31 @@ static inline void set_trap_gate(unsigne
7291  static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7292  {
7293         BUG_ON((unsigned)n > 0xFF);
7294 -       _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7295 +       _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7296  }
7297  
7298 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7299 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7300  {
7301         BUG_ON((unsigned)n > 0xFF);
7302         _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7303  }
7304  
7305 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7306 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7307  {
7308         BUG_ON((unsigned)n > 0xFF);
7309         _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7310  }
7311  
7312 +#ifdef CONFIG_X86_32
7313 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7314 +{
7315 +       struct desc_struct d;
7316 +
7317 +       if (likely(limit))
7318 +               limit = (limit - 1UL) >> PAGE_SHIFT;
7319 +       pack_descriptor(&d, base, limit, 0xFB, 0xC);
7320 +       write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7321 +}
7322 +#endif
7323 +
7324  #endif /* _ASM_X86_DESC_H */
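Review bot: set_user_cs special-cases `limit == 0` only to avoid the underflow in `(limit - 1UL) >> PAGE_SHIFT`, but with the granularity bit set (flags 0xC) a limit field of 0 still describes a 4 KiB segment, not an empty one; if callers rely on 0 meaning "no executable range", that should be documented or handled. The descriptor type 0xFB also pre-sets the Accessed bit, matching the fill_ldt change earlier in this patch, and `cpu` is an `int` passed to a function taking `unsigned int`. A header comment stating the contract would cover all three: `/* load a user code segment [base, base+limit) into this CPU's GDT; limit 0 yields a one-page segment, not an empty one */`.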
7325 diff -urNp linux-3.0.9/arch/x86/include/asm/e820.h linux-3.0.9/arch/x86/include/asm/e820.h
7326 --- linux-3.0.9/arch/x86/include/asm/e820.h     2011-11-11 13:12:24.000000000 -0500
7327 +++ linux-3.0.9/arch/x86/include/asm/e820.h     2011-11-15 20:02:59.000000000 -0500
7328 @@ -69,7 +69,7 @@ struct e820map {
7329  #define ISA_START_ADDRESS      0xa0000
7330  #define ISA_END_ADDRESS                0x100000
7331  
7332 -#define BIOS_BEGIN             0x000a0000
7333 +#define BIOS_BEGIN             0x000c0000
7334  #define BIOS_END               0x00100000
7335  
7336  #define BIOS_ROM_BASE          0xffe00000
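Review bot: The new BIOS_BEGIN of 0xc0000 excludes the VGA frame buffer window (0xa0000-0xbffff) from whatever the BIOS range is used for, and the hunk gives no reason. Every consumer of BIOS_BEGIN/BIOS_END now sees a smaller region, so the intent (presumably that the legacy video RAM must stay writable or be mapped differently from the ROM area) should be stated at the definition: `/* legacy ROM area only; the 0xa0000-0xbffff video RAM is excluded */`.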
7337 diff -urNp linux-3.0.9/arch/x86/include/asm/elf.h linux-3.0.9/arch/x86/include/asm/elf.h
7338 --- linux-3.0.9/arch/x86/include/asm/elf.h      2011-11-11 13:12:24.000000000 -0500
7339 +++ linux-3.0.9/arch/x86/include/asm/elf.h      2011-11-15 20:02:59.000000000 -0500
7340 @@ -237,7 +237,25 @@ extern int force_personality32;
7341     the loader.  We need to make sure that it is out of the way of the program
7342     that it will "exec", and that there is sufficient room for the brk.  */
7343  
7344 +#ifdef CONFIG_PAX_SEGMEXEC
7345 +#define ELF_ET_DYN_BASE                ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7346 +#else
7347  #define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
7348 +#endif
7349 +
7350 +#ifdef CONFIG_PAX_ASLR
7351 +#ifdef CONFIG_X86_32
7352 +#define PAX_ELF_ET_DYN_BASE    0x10000000UL
7353 +
7354 +#define PAX_DELTA_MMAP_LEN     (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7355 +#define PAX_DELTA_STACK_LEN    (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7356 +#else
7357 +#define PAX_ELF_ET_DYN_BASE    0x400000UL
7358 +
7359 +#define PAX_DELTA_MMAP_LEN     ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7360 +#define PAX_DELTA_STACK_LEN    ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7361 +#endif
7362 +#endif
7363  
7364  /* This yields a mask that user programs can use to figure out what
7365     instruction set this CPU supports.  This could be done in user space,
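Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN carry no comment stating their unit, and the trailing `- 3` in the 64-bit expression `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3` is a magic number. These read as the number of randomized page-granular bits applied to the mmap and stack bases, but that is inferred; a comment such as `/* width in bits of the page-granular random delta applied to the mmap/stack base */` plus a sentence on why three bits are subtracted on 64-bit would make the values reviewable. The MMAP and STACK macros are textually identical in both `#ifdef` branches, so `#define PAX_DELTA_STACK_LEN PAX_DELTA_MMAP_LEN` would remove the duplication unless they are expected to diverge.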
7366 @@ -290,9 +308,7 @@ do {                                                                        \
7367  
7368  #define ARCH_DLINFO                                                    \
7369  do {                                                                   \
7370 -       if (vdso_enabled)                                               \
7371 -               NEW_AUX_ENT(AT_SYSINFO_EHDR,                            \
7372 -                           (unsigned long)current->mm->context.vdso);  \
7373 +       NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);        \
7374  } while (0)
7375  
7376  #define AT_SYSINFO             32
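Review bot: Without the `if (vdso_enabled)` guard, AT_SYSINFO_EHDR is placed in the auxiliary vector unconditionally, so when the vDSO is not mapped the entry carries whatever `current->mm->context.vdso` holds (0 if the field is zero-initialized, now that it is an `unsigned long` per the mmu.h change later in this patch). Presumably the setup path either always maps the vDSO or leaves the field 0 in the disabled case; if neither holds, userspace receives a bogus base address. The reason for dropping the guard deserves a comment at the macro, e.g. `/* no vdso_enabled check: context.vdso is 0 when the vdso is not mapped */`, provided that is actually the case. The matching cast removal in VDSO_CURRENT_BASE in the next hunk is consistent with the type change.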
7377 @@ -303,7 +319,7 @@ do {                                                                        \
7378  
7379  #endif /* !CONFIG_X86_32 */
7380  
7381 -#define VDSO_CURRENT_BASE      ((unsigned long)current->mm->context.vdso)
7382 +#define VDSO_CURRENT_BASE      (current->mm->context.vdso)
7383  
7384  #define VDSO_ENTRY                                                     \
7385         ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7386 @@ -317,7 +333,4 @@ extern int arch_setup_additional_pages(s
7387  extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7388  #define compat_arch_setup_additional_pages     syscall32_setup_pages
7389  
7390 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7391 -#define arch_randomize_brk arch_randomize_brk
7392 -
7393  #endif /* _ASM_X86_ELF_H */
7394 diff -urNp linux-3.0.9/arch/x86/include/asm/emergency-restart.h linux-3.0.9/arch/x86/include/asm/emergency-restart.h
7395 --- linux-3.0.9/arch/x86/include/asm/emergency-restart.h        2011-11-11 13:12:24.000000000 -0500
7396 +++ linux-3.0.9/arch/x86/include/asm/emergency-restart.h        2011-11-15 20:02:59.000000000 -0500
7397 @@ -15,6 +15,6 @@ enum reboot_type {
7398  
7399  extern enum reboot_type reboot_type;
7400  
7401 -extern void machine_emergency_restart(void);
7402 +extern void machine_emergency_restart(void) __noreturn;
7403  
7404  #endif /* _ASM_X86_EMERGENCY_RESTART_H */
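Review bot: `__noreturn` on the `machine_emergency_restart` prototype is a promise the definition (not in this hunk) has to keep: if any path in it can return, the compiler may have dropped the code after call sites and the result is undefined. It is worth confirming that the definition ends in an unconditional halt or loop and that it carries the same attribute, so declaration and definition agree.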
7405 diff -urNp linux-3.0.9/arch/x86/include/asm/futex.h linux-3.0.9/arch/x86/include/asm/futex.h
7406 --- linux-3.0.9/arch/x86/include/asm/futex.h    2011-11-11 13:12:24.000000000 -0500
7407 +++ linux-3.0.9/arch/x86/include/asm/futex.h    2011-11-15 20:02:59.000000000 -0500
7408 @@ -12,16 +12,18 @@
7409  #include <asm/system.h>
7410  
7411  #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg)    \
7412 +       typecheck(u32 __user *, uaddr);                         \
7413         asm volatile("1:\t" insn "\n"                           \
7414                      "2:\t.section .fixup,\"ax\"\n"             \
7415                      "3:\tmov\t%3, %1\n"                        \
7416                      "\tjmp\t2b\n"                              \
7417                      "\t.previous\n"                            \
7418                      _ASM_EXTABLE(1b, 3b)                       \
7419 -                    : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7420 +                    : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
7421                      : "i" (-EFAULT), "0" (oparg), "1" (0))
7422  
7423  #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg)    \
7424 +       typecheck(u32 __user *, uaddr);                         \
7425         asm volatile("1:\tmovl  %2, %0\n"                       \
7426                      "\tmovl\t%0, %3\n"                         \
7427                      "\t" insn "\n"                             \
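Review bot: `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements (the `typecheck(...)` followed by the `asm volatile`), so a call site that uses either macro as the single body of an unbraced `if` would guard only the first statement. The callers visible in the later hunk of this file sit inside `case` labels and are unaffected, but wrapping both bodies in `do { ... } while (0)` would make the macros safe anywhere. The `__futex_atomic_op2` body continues into the next hunk and has the same shape.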
7428 @@ -34,7 +36,7 @@
7429                      _ASM_EXTABLE(1b, 4b)                       \
7430                      _ASM_EXTABLE(2b, 4b)                       \
7431                      : "=&a" (oldval), "=&r" (ret),             \
7432 -                      "+m" (*uaddr), "=&r" (tem)               \
7433 +                      "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem)  \
7434                      : "r" (oparg), "i" (-EFAULT), "1" (0))
7435  
7436  static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7437 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7438  
7439         switch (op) {
7440         case FUTEX_OP_SET:
7441 -               __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7442 +               __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7443                 break;
7444         case FUTEX_OP_ADD:
7445 -               __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7446 +               __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
7447                                    uaddr, oparg);
7448                 break;
7449         case FUTEX_OP_OR:
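Review bot: Only the FUTEX_OP_SET and FUTEX_OP_ADD instructions in this hunk gain the `__copyuser_seg` prefix; the FUTEX_OP_OR, FUTEX_OP_ANDN and FUTEX_OP_XOR cases begin at or after the hunk boundary and are not visible here. If any of them still emits a bare instruction, that user access would go through the default data segment, and assuming `__copyuser_seg` exists to redirect user accesses under UDEREF, it would either fault or bypass the redirection. The `switch` inside `futex_atomic_op_inuser` starts before and ends after this hunk, so those cases should be checked.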
7450 @@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
7451         if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7452                 return -EFAULT;
7453  
7454 -       asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
7455 +       asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
7456                      "2:\t.section .fixup, \"ax\"\n"
7457                      "3:\tmov     %3, %0\n"
7458                      "\tjmp     2b\n"
7459                      "\t.previous\n"
7460                      _ASM_EXTABLE(1b, 3b)
7461 -                    : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
7462 +                    : "+r" (ret), "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))
7463                      : "i" (-EFAULT), "r" (newval), "1" (oldval)
7464                      : "memory"
7465         );
7466 diff -urNp linux-3.0.9/arch/x86/include/asm/hw_irq.h linux-3.0.9/arch/x86/include/asm/hw_irq.h
7467 --- linux-3.0.9/arch/x86/include/asm/hw_irq.h   2011-11-11 13:12:24.000000000 -0500
7468 +++ linux-3.0.9/arch/x86/include/asm/hw_irq.h   2011-11-15 20:02:59.000000000 -0500
7469 @@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void);
7470  extern void enable_IO_APIC(void);
7471  
7472  /* Statistics */
7473 -extern atomic_t irq_err_count;
7474 -extern atomic_t irq_mis_count;
7475 +extern atomic_unchecked_t irq_err_count;
7476 +extern atomic_unchecked_t irq_mis_count;
7477  
7478  /* EISA */
7479  extern void eisa_set_level_irq(unsigned int irq);
7480 diff -urNp linux-3.0.9/arch/x86/include/asm/i387.h linux-3.0.9/arch/x86/include/asm/i387.h
7481 --- linux-3.0.9/arch/x86/include/asm/i387.h     2011-11-11 13:12:24.000000000 -0500
7482 +++ linux-3.0.9/arch/x86/include/asm/i387.h     2011-11-15 20:02:59.000000000 -0500
7483 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7484  {
7485         int err;
7486  
7487 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7488 +       if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7489 +               fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE);
7490 +#endif
7491 +
7492         /* See comment in fxsave() below. */
7493  #ifdef CONFIG_AS_FXSAVEQ
7494         asm volatile("1:  fxrstorq %[fx]\n\t"
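Review bot: The two UDEREF fix-ups in this file disagree on the cast: `fxrstor_checking` adds the shadow base through `(void *)fx`, whereas `fxsave_user` in the next hunk uses `(void __user *)fx`. The first form drops the `__user` address space, which sparse reports as a mismatch; `fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);` would match the other hunk. A one-line comment on why a pointer below PAX_USER_SHADOW_BASE is relocated would also help, since the reason is not stated at either site. Both enclosing functions begin and end outside their hunks.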
7495 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
7496  {
7497         int err;
7498  
7499 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7500 +       if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7501 +               fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7502 +#endif
7503 +
7504         /*
7505          * Clear the bytes not touched by the fxsave and reserved
7506          * for the SW usage.
7507 @@ -424,7 +434,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
7508  static inline bool interrupted_user_mode(void)
7509  {
7510         struct pt_regs *regs = get_irq_regs();
7511 -       return regs && user_mode_vm(regs);
7512 +       return regs && user_mode(regs);
7513  }
7514  
7515  /*
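Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes the answer for vm86 tasks on 32-bit kernels: the stock `user_mode()` tests only the CS privilege level, while `user_mode_vm()` also honours the VM flag, so an FPU interruption of a vm86 task may no longer be reported as user mode. If the patch redefines `user_mode()` elsewhere to cover that case (not visible here), a comment at this call saying so would keep the change from being reverted as a mistake; otherwise the original call looks like the correct one.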
7516 diff -urNp linux-3.0.9/arch/x86/include/asm/io.h linux-3.0.9/arch/x86/include/asm/io.h
7517 --- linux-3.0.9/arch/x86/include/asm/io.h       2011-11-11 13:12:24.000000000 -0500
7518 +++ linux-3.0.9/arch/x86/include/asm/io.h       2011-11-15 20:02:59.000000000 -0500
7519 @@ -196,6 +196,17 @@ extern void set_iounmap_nonlazy(void);
7520  
7521  #include <linux/vmalloc.h>
7522  
7523 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7524 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7525 +{
7526 +       return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7527 +}
7528 +
7529 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7530 +{
7531 +       return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7532 +}
7533 +
7534  /*
7535   * Convert a virtual cached pointer to an uncached pointer
7536   */
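Review bot: `valid_phys_addr_range` computes `addr + count + PAGE_SIZE - 1` in `unsigned long`, so a range near the top of the address space wraps to a small value and passes the check; the addition should be rejected when it overflows, e.g. `if (addr + count < addr) return 0;` before the shift. `valid_mmap_phys_addr_range` has the same shape in `pfn + (count >> PAGE_SHIFT)`, although overflow there needs an implausible pfn. Both comparisons also appear to be off by one on the conservative side, since the value compared is the page index one past the end of the range and it must be strictly below the limit, so the last addressable page is rejected; that is safe, but a comment would make it clear it is intended.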
7537 diff -urNp linux-3.0.9/arch/x86/include/asm/irqflags.h linux-3.0.9/arch/x86/include/asm/irqflags.h
7538 --- linux-3.0.9/arch/x86/include/asm/irqflags.h 2011-11-11 13:12:24.000000000 -0500
7539 +++ linux-3.0.9/arch/x86/include/asm/irqflags.h 2011-11-15 20:02:59.000000000 -0500
7540 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7541         sti;                                    \
7542         sysexit
7543  
7544 +#define GET_CR0_INTO_RDI               mov %cr0, %rdi
7545 +#define SET_RDI_INTO_CR0               mov %rdi, %cr0
7546 +#define GET_CR3_INTO_RDI               mov %cr3, %rdi
7547 +#define SET_RDI_INTO_CR3               mov %rdi, %cr3
7548 +
7549  #else
7550  #define INTERRUPT_RETURN               iret
7551  #define ENABLE_INTERRUPTS_SYSEXIT      sti; sysexit
7552 diff -urNp linux-3.0.9/arch/x86/include/asm/kprobes.h linux-3.0.9/arch/x86/include/asm/kprobes.h
7553 --- linux-3.0.9/arch/x86/include/asm/kprobes.h  2011-11-11 13:12:24.000000000 -0500
7554 +++ linux-3.0.9/arch/x86/include/asm/kprobes.h  2011-11-15 20:02:59.000000000 -0500
7555 @@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
7556  #define RELATIVEJUMP_SIZE 5
7557  #define RELATIVECALL_OPCODE 0xe8
7558  #define RELATIVE_ADDR_SIZE 4
7559 -#define MAX_STACK_SIZE 64
7560 -#define MIN_STACK_SIZE(ADDR)                                          \
7561 -       (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
7562 -                             THREAD_SIZE - (unsigned long)(ADDR)))    \
7563 -        ? (MAX_STACK_SIZE)                                            \
7564 -        : (((unsigned long)current_thread_info()) +                   \
7565 -           THREAD_SIZE - (unsigned long)(ADDR)))
7566 +#define MAX_STACK_SIZE 64UL
7567 +#define MIN_STACK_SIZE(ADDR)   min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
7568  
7569  #define flush_insn_slot(p)     do { } while (0)
7570  
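Review bot: The `UL` suffix added to MAX_STACK_SIZE is load-bearing, because `min()` rejects operands of differing types and `current->thread.sp0 - (unsigned long)(ADDR)` is `unsigned long`; a short comment would keep a later cleanup from dropping it, e.g. `/* UL: min() requires the same type as the sp0 arithmetic below */`. The new expression also relies on `ADDR` never exceeding `sp0`: if it does, the unsigned subtraction wraps and `min()` silently yields MAX_STACK_SIZE, which matches the old macro only because the old form had the same weakness.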
7571 diff -urNp linux-3.0.9/arch/x86/include/asm/kvm_host.h linux-3.0.9/arch/x86/include/asm/kvm_host.h
7572 --- linux-3.0.9/arch/x86/include/asm/kvm_host.h 2011-11-11 13:12:24.000000000 -0500
7573 +++ linux-3.0.9/arch/x86/include/asm/kvm_host.h 2011-11-15 20:02:59.000000000 -0500
7574 @@ -441,7 +441,7 @@ struct kvm_arch {
7575         unsigned int n_used_mmu_pages;
7576         unsigned int n_requested_mmu_pages;
7577         unsigned int n_max_mmu_pages;
7578 -       atomic_t invlpg_counter;
7579 +       atomic_unchecked_t invlpg_counter;
7580         struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
7581         /*
7582          * Hash table of struct kvm_mmu_page.
7583 @@ -619,7 +619,7 @@ struct kvm_x86_ops {
7584                                enum x86_intercept_stage stage);
7585  
7586         const struct trace_print_flags *exit_reasons_str;
7587 -};
7588 +} __do_const;
7589  
7590  struct kvm_arch_async_pf {
7591         u32 token;
7592 diff -urNp linux-3.0.9/arch/x86/include/asm/local.h linux-3.0.9/arch/x86/include/asm/local.h
7593 --- linux-3.0.9/arch/x86/include/asm/local.h    2011-11-11 13:12:24.000000000 -0500
7594 +++ linux-3.0.9/arch/x86/include/asm/local.h    2011-11-15 20:02:59.000000000 -0500
7595 @@ -18,26 +18,58 @@ typedef struct {
7596  
7597  static inline void local_inc(local_t *l)
7598  {
7599 -       asm volatile(_ASM_INC "%0"
7600 +       asm volatile(_ASM_INC "%0\n"
7601 +
7602 +#ifdef CONFIG_PAX_REFCOUNT
7603 +                    "jno 0f\n"
7604 +                    _ASM_DEC "%0\n"
7605 +                    "int $4\n0:\n"
7606 +                    _ASM_EXTABLE(0b, 0b)
7607 +#endif
7608 +
7609                      : "+m" (l->a.counter));
7610  }
7611  
7612  static inline void local_dec(local_t *l)
7613  {
7614 -       asm volatile(_ASM_DEC "%0"
7615 +       asm volatile(_ASM_DEC "%0\n"
7616 +
7617 +#ifdef CONFIG_PAX_REFCOUNT
7618 +                    "jno 0f\n"
7619 +                    _ASM_INC "%0\n"
7620 +                    "int $4\n0:\n"
7621 +                    _ASM_EXTABLE(0b, 0b)
7622 +#endif
7623 +
7624                      : "+m" (l->a.counter));
7625  }
7626  
7627  static inline void local_add(long i, local_t *l)
7628  {
7629 -       asm volatile(_ASM_ADD "%1,%0"
7630 +       asm volatile(_ASM_ADD "%1,%0\n"
7631 +
7632 +#ifdef CONFIG_PAX_REFCOUNT
7633 +                    "jno 0f\n"
7634 +                    _ASM_SUB "%1,%0\n"
7635 +                    "int $4\n0:\n"
7636 +                    _ASM_EXTABLE(0b, 0b)
7637 +#endif
7638 +
7639                      : "+m" (l->a.counter)
7640                      : "ir" (i));
7641  }
7642  
7643  static inline void local_sub(long i, local_t *l)
7644  {
7645 -       asm volatile(_ASM_SUB "%1,%0"
7646 +       asm volatile(_ASM_SUB "%1,%0\n"
7647 +
7648 +#ifdef CONFIG_PAX_REFCOUNT
7649 +                    "jno 0f\n"
7650 +                    _ASM_ADD "%1,%0\n"
7651 +                    "int $4\n0:\n"
7652 +                    _ASM_EXTABLE(0b, 0b)
7653 +#endif
7654 +
7655                      : "+m" (l->a.counter)
7656                      : "ir" (i));
7657  }
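Review bot: In the CONFIG_PAX_REFCOUNT path the recovery relies on `_ASM_EXTABLE(0b, 0b)`, an exception-table entry whose fixup address equals the faulting `int $4`, and nothing states what the handler is expected to do before execution resumes at `0:`; a comment at the first occurrence would help, e.g. `/* on signed overflow: undo the op, raise #OF for the PaX handler, then resume at 0: with the counter restored */`. The same sequence is repeated in the `local_sub_and_test`, `local_dec_and_test`, `local_inc_and_test`, `local_add_negative` and `local_add_return` hunks below. In the `*_and_test` and `add_negative` variants, when the overflow path is taken the `sete`/`sets` at `0:` evaluates the flags left by the undo instruction rather than by the original operation, so the returned condition describes the restored value; if that is acceptable because the task is being terminated, it is worth stating.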
7658 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7659  {
7660         unsigned char c;
7661  
7662 -       asm volatile(_ASM_SUB "%2,%0; sete %1"
7663 +       asm volatile(_ASM_SUB "%2,%0\n"
7664 +
7665 +#ifdef CONFIG_PAX_REFCOUNT
7666 +                    "jno 0f\n"
7667 +                    _ASM_ADD "%2,%0\n"
7668 +                    "int $4\n0:\n"
7669 +                    _ASM_EXTABLE(0b, 0b)
7670 +#endif
7671 +
7672 +                    "sete %1\n"
7673                      : "+m" (l->a.counter), "=qm" (c)
7674                      : "ir" (i) : "memory");
7675         return c;
7676 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7677  {
7678         unsigned char c;
7679  
7680 -       asm volatile(_ASM_DEC "%0; sete %1"
7681 +       asm volatile(_ASM_DEC "%0\n"
7682 +
7683 +#ifdef CONFIG_PAX_REFCOUNT
7684 +                    "jno 0f\n"
7685 +                    _ASM_INC "%0\n"
7686 +                    "int $4\n0:\n"
7687 +                    _ASM_EXTABLE(0b, 0b)
7688 +#endif
7689 +
7690 +                    "sete %1\n"
7691                      : "+m" (l->a.counter), "=qm" (c)
7692                      : : "memory");
7693         return c != 0;
7694 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7695  {
7696         unsigned char c;
7697  
7698 -       asm volatile(_ASM_INC "%0; sete %1"
7699 +       asm volatile(_ASM_INC "%0\n"
7700 +
7701 +#ifdef CONFIG_PAX_REFCOUNT
7702 +                    "jno 0f\n"
7703 +                    _ASM_DEC "%0\n"
7704 +                    "int $4\n0:\n"
7705 +                    _ASM_EXTABLE(0b, 0b)
7706 +#endif
7707 +
7708 +                    "sete %1\n"
7709                      : "+m" (l->a.counter), "=qm" (c)
7710                      : : "memory");
7711         return c != 0;
7712 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7713  {
7714         unsigned char c;
7715  
7716 -       asm volatile(_ASM_ADD "%2,%0; sets %1"
7717 +       asm volatile(_ASM_ADD "%2,%0\n"
7718 +
7719 +#ifdef CONFIG_PAX_REFCOUNT
7720 +                    "jno 0f\n"
7721 +                    _ASM_SUB "%2,%0\n"
7722 +                    "int $4\n0:\n"
7723 +                    _ASM_EXTABLE(0b, 0b)
7724 +#endif
7725 +
7726 +                    "sets %1\n"
7727                      : "+m" (l->a.counter), "=qm" (c)
7728                      : "ir" (i) : "memory");
7729         return c;
7730 @@ -133,7 +201,15 @@ static inline long local_add_return(long
7731  #endif
7732         /* Modern 486+ processor */
7733         __i = i;
7734 -       asm volatile(_ASM_XADD "%0, %1;"
7735 +       asm volatile(_ASM_XADD "%0, %1\n"
7736 +
7737 +#ifdef CONFIG_PAX_REFCOUNT
7738 +                    "jno 0f\n"
7739 +                    _ASM_MOV "%0,%1\n"
7740 +                    "int $4\n0:\n"
7741 +                    _ASM_EXTABLE(0b, 0b)
7742 +#endif
7743 +
7744                      : "+r" (i), "+m" (l->a.counter)
7745                      : : "memory");
7746         return i + __i;
7747 diff -urNp linux-3.0.9/arch/x86/include/asm/mman.h linux-3.0.9/arch/x86/include/asm/mman.h
7748 --- linux-3.0.9/arch/x86/include/asm/mman.h     2011-11-11 13:12:24.000000000 -0500
7749 +++ linux-3.0.9/arch/x86/include/asm/mman.h     2011-11-15 20:02:59.000000000 -0500
7750 @@ -5,4 +5,14 @@
7751  
7752  #include <asm-generic/mman.h>
7753  
7754 +#ifdef __KERNEL__
7755 +#ifndef __ASSEMBLY__
7756 +#ifdef CONFIG_X86_32
7757 +#define arch_mmap_check        i386_mmap_check
7758 +int i386_mmap_check(unsigned long addr, unsigned long len,
7759 +               unsigned long flags);
7760 +#endif
7761 +#endif
7762 +#endif
7763 +
7764  #endif /* _ASM_X86_MMAN_H */
7765 diff -urNp linux-3.0.9/arch/x86/include/asm/mmu_context.h linux-3.0.9/arch/x86/include/asm/mmu_context.h
7766 --- linux-3.0.9/arch/x86/include/asm/mmu_context.h      2011-11-11 13:12:24.000000000 -0500
7767 +++ linux-3.0.9/arch/x86/include/asm/mmu_context.h      2011-11-15 20:02:59.000000000 -0500
7768 @@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
7769  
7770  static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7771  {
7772 +
7773 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7774 +       unsigned int i;
7775 +       pgd_t *pgd;
7776 +
7777 +       pax_open_kernel();
7778 +       pgd = get_cpu_pgd(smp_processor_id());
7779 +       for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7780 +               set_pgd_batched(pgd+i, native_make_pgd(0));
7781 +       pax_close_kernel();
7782 +#endif
7783 +
7784  #ifdef CONFIG_SMP
7785         if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7786                 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
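Review bot: The UDEREF block in `enter_lazy_tlb` clears only the upper half of the per-CPU pgd (`USER_PGD_PTRS .. 2*USER_PGD_PTRS`), which from the `switch_mm` hunks below is the range `__shadow_user_pgds` fills, while the lower half cloned by `__clone_user_pgds` is left in place; the asymmetry is not explained. A comment such as `/* drop the shadow user pgds while lazy; the cloned user pgds stay valid for the lazy mm */` would record the intent, if that is the intent. The values returned by `pax_open_kernel()`/`pax_close_kernel()` (declared `unsigned long` later in this patch) are ignored here, as at every other call site on the page. `enter_lazy_tlb` continues past the hunk.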
7787 @@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
7788                              struct task_struct *tsk)
7789  {
7790         unsigned cpu = smp_processor_id();
7791 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7792 +       int tlbstate = TLBSTATE_OK;
7793 +#endif
7794  
7795         if (likely(prev != next)) {
7796  #ifdef CONFIG_SMP
7797 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7798 +               tlbstate = percpu_read(cpu_tlbstate.state);
7799 +#endif
7800                 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7801                 percpu_write(cpu_tlbstate.active_mm, next);
7802  #endif
7803                 cpumask_set_cpu(cpu, mm_cpumask(next));
7804  
7805                 /* Re-load page tables */
7806 +#ifdef CONFIG_PAX_PER_CPU_PGD
7807 +               pax_open_kernel();
7808 +               __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7809 +               __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7810 +               pax_close_kernel();
7811 +               load_cr3(get_cpu_pgd(cpu));
7812 +#else
7813                 load_cr3(next->pgd);
7814 +#endif
7815  
7816                 /* stop flush ipis for the previous mm */
7817                 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7818 @@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
7819                  */
7820                 if (unlikely(prev->context.ldt != next->context.ldt))
7821                         load_LDT_nolock(&next->context);
7822 -       }
7823 +
7824 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7825 +               if (!(__supported_pte_mask & _PAGE_NX)) {
7826 +                       smp_mb__before_clear_bit();
7827 +                       cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7828 +                       smp_mb__after_clear_bit();
7829 +                       cpu_set(cpu, next->context.cpu_user_cs_mask);
7830 +               }
7831 +#endif
7832 +
7833 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7834 +               if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7835 +                            prev->context.user_cs_limit != next->context.user_cs_limit))
7836 +                       set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7837  #ifdef CONFIG_SMP
7838 +               else if (unlikely(tlbstate != TLBSTATE_OK))
7839 +                       set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7840 +#endif
7841 +#endif
7842 +
7843 +       }
7844         else {
7845 +
7846 +#ifdef CONFIG_PAX_PER_CPU_PGD
7847 +               pax_open_kernel();
7848 +               __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7849 +               __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7850 +               pax_close_kernel();
7851 +               load_cr3(get_cpu_pgd(cpu));
7852 +#endif
7853 +
7854 +#ifdef CONFIG_SMP
7855                 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7856                 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
7857  
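Review bot: The five-line CONFIG_PAX_PER_CPU_PGD sequence (`pax_open_kernel`, `__clone_user_pgds`, `__shadow_user_pgds`, `pax_close_kernel`, `load_cr3(get_cpu_pgd(cpu))`) appears verbatim in the `prev != next` branch of the previous hunk and again in the `else` branch here; factoring it into a static inline helper keeps the two copies from drifting apart. The helper also gives a natural place to say why CR3 is reloaded with an unchanged per-CPU pgd address, which I take to be a TLB flush after the copy but is not stated. `switch_mm` starts before the previous hunk and ends in the next one.
```c
#ifdef CONFIG_PAX_PER_CPU_PGD
/* Rebuild this CPU's private pgd from next's user pgds and reload CR3. */
static inline void pax_switch_cpu_pgd(unsigned cpu, struct mm_struct *next)
{
	pax_open_kernel();
	__clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(get_cpu_pgd(cpu));
}
#endif
/* … unchanged: switch_mm, with both inline copies replaced by pax_switch_cpu_pgd(cpu, next); … */
```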
7858 @@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
7859                          * tlb flush IPI delivery. We must reload CR3
7860                          * to make sure to use no freed page tables.
7861                          */
7862 +
7863 +#ifndef CONFIG_PAX_PER_CPU_PGD
7864                         load_cr3(next->pgd);
7865 +#endif
7866 +
7867                         load_LDT_nolock(&next->context);
7868 +
7869 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7870 +                       if (!(__supported_pte_mask & _PAGE_NX))
7871 +                               cpu_set(cpu, next->context.cpu_user_cs_mask);
7872 +#endif
7873 +
7874 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7875 +#ifdef CONFIG_PAX_PAGEEXEC
7876 +                       if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7877 +#endif
7878 +                               set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7879 +#endif
7880 +
7881                 }
7882 -       }
7883  #endif
7884 +       }
7885  }
7886  
7887  #define activate_mm(prev, next)                        \
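Review bot: The comment kept just above this hunk ("We must reload CR3 to make sure to use no freed page tables") now sits over a `load_cr3(next->pgd)` that is compiled out under CONFIG_PAX_PER_CPU_PGD, while the reload that replaces it happens unconditionally at the top of the `else` branch in the previous hunk, before the `if` whose body this comment describes (its condition is outside the hunk). The comment should say so, e.g. `/* with CONFIG_PAX_PER_CPU_PGD the per-CPU pgd was already rebuilt and CR3 reloaded above */`, otherwise a reader will conclude the freed-page-table case is unhandled in that configuration. The closing brace moved from inside `#ifdef CONFIG_SMP` to after the `#endif` pairs with the unconditional `else {` introduced in the previous hunk; `switch_mm` starts two hunks earlier.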
7888 diff -urNp linux-3.0.9/arch/x86/include/asm/mmu.h linux-3.0.9/arch/x86/include/asm/mmu.h
7889 --- linux-3.0.9/arch/x86/include/asm/mmu.h      2011-11-11 13:12:24.000000000 -0500
7890 +++ linux-3.0.9/arch/x86/include/asm/mmu.h      2011-11-15 20:02:59.000000000 -0500
7891 @@ -9,7 +9,7 @@
7892   * we put the segment information here.
7893   */
7894  typedef struct {
7895 -       void *ldt;
7896 +       struct desc_struct *ldt;
7897         int size;
7898  
7899  #ifdef CONFIG_X86_64
7900 @@ -18,7 +18,19 @@ typedef struct {
7901  #endif
7902  
7903         struct mutex lock;
7904 -       void *vdso;
7905 +       unsigned long vdso;
7906 +
7907 +#ifdef CONFIG_X86_32
7908 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7909 +       unsigned long user_cs_base;
7910 +       unsigned long user_cs_limit;
7911 +
7912 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7913 +       cpumask_t cpu_user_cs_mask;
7914 +#endif
7915 +
7916 +#endif
7917 +#endif
7918  } mm_context_t;
7919  
7920  #ifdef CONFIG_SMP
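Review bot: The new `user_cs_base`/`user_cs_limit` fields and `cpu_user_cs_mask` have no comment, although the `switch_mm` hunks earlier in this patch show them feeding `set_user_cs()` and the `cpu_set`/`cpu_clear` bookkeeping taken when NX is unavailable. A short description next to the fields would help, e.g. `/* per-mm user code segment (base, limit) loaded by set_user_cs() on context switch */` for the first pair; for the mask I would write `/* CPUs whose user CS currently describes this mm */`, which is my reading of its use and should be confirmed. The `void *vdso` to `unsigned long vdso` change is what makes the cast removals in the elf.h hunks correct; any other user of `context.vdso` that still expects a pointer is outside this page.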
7921 diff -urNp linux-3.0.9/arch/x86/include/asm/module.h linux-3.0.9/arch/x86/include/asm/module.h
7922 --- linux-3.0.9/arch/x86/include/asm/module.h   2011-11-11 13:12:24.000000000 -0500
7923 +++ linux-3.0.9/arch/x86/include/asm/module.h   2011-11-15 20:02:59.000000000 -0500
7924 @@ -5,6 +5,7 @@
7925  
7926  #ifdef CONFIG_X86_64
7927  /* X86_64 does not define MODULE_PROC_FAMILY */
7928 +#define MODULE_PROC_FAMILY ""
7929  #elif defined CONFIG_M386
7930  #define MODULE_PROC_FAMILY "386 "
7931  #elif defined CONFIG_M486
7932 @@ -59,8 +60,18 @@
7933  #error unknown processor family
7934  #endif
7935  
7936 -#ifdef CONFIG_X86_32
7937 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
7938 +#ifdef CONFIG_PAX_KERNEXEC
7939 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
7940 +#else
7941 +#define MODULE_PAX_KERNEXEC ""
7942  #endif
7943  
7944 +#ifdef CONFIG_PAX_MEMORY_UDEREF
7945 +#define MODULE_PAX_UDEREF "UDEREF "
7946 +#else
7947 +#define MODULE_PAX_UDEREF ""
7948 +#endif
7949 +
7950 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
7951 +
7952  #endif /* _ASM_X86_MODULE_H */
7953 diff -urNp linux-3.0.9/arch/x86/include/asm/page_64_types.h linux-3.0.9/arch/x86/include/asm/page_64_types.h
7954 --- linux-3.0.9/arch/x86/include/asm/page_64_types.h    2011-11-11 13:12:24.000000000 -0500
7955 +++ linux-3.0.9/arch/x86/include/asm/page_64_types.h    2011-11-15 20:02:59.000000000 -0500
7956 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
7957  
7958  /* duplicated to the one in bootmem.h */
7959  extern unsigned long max_pfn;
7960 -extern unsigned long phys_base;
7961 +extern const unsigned long phys_base;
7962  
7963  extern unsigned long __phys_addr(unsigned long);
7964  #define __phys_reloc_hide(x)   (x)
7965 diff -urNp linux-3.0.9/arch/x86/include/asm/paravirt.h linux-3.0.9/arch/x86/include/asm/paravirt.h
7966 --- linux-3.0.9/arch/x86/include/asm/paravirt.h 2011-11-11 13:12:24.000000000 -0500
7967 +++ linux-3.0.9/arch/x86/include/asm/paravirt.h 2011-11-15 20:02:59.000000000 -0500
7968 @@ -658,6 +658,18 @@ static inline void set_pgd(pgd_t *pgdp, 
7969                             val);
7970  }
7971  
7972 +static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
7973 +{
7974 +       pgdval_t val = native_pgd_val(pgd);
7975 +
7976 +       if (sizeof(pgdval_t) > sizeof(long))
7977 +               PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
7978 +                           val, (u64)val >> 32);
7979 +       else
7980 +               PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
7981 +                           val);
7982 +}
7983 +
7984  static inline void pgd_clear(pgd_t *pgdp)
7985  {
7986         set_pgd(pgdp, __pgd(0));
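Review bot: `set_pgd_batched` duplicates `set_pgd` except for the hook it dispatches to, and nothing documents what "batched" means for the backend or when a caller may use it instead of `set_pgd`; the only caller visible on this page (`enter_lazy_tlb`, earlier in the patch) issues it in a loop between `pax_open_kernel()` and `pax_close_kernel()`. A comment stating the contract, e.g. `/* Like set_pgd(), routed to pv_mmu_ops.set_pgd_batched for callers that update several entries in a row */` together with whatever the backend may defer and what the caller must do afterwards, would let backends implement it consistently, if that is the intent.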
7987 @@ -739,6 +751,21 @@ static inline void __set_fixmap(unsigned
7988         pv_mmu_ops.set_fixmap(idx, phys, flags);
7989  }
7990  
7991 +#ifdef CONFIG_PAX_KERNEXEC
7992 +static inline unsigned long pax_open_kernel(void)
7993 +{
7994 +       return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
7995 +}
7996 +
7997 +static inline unsigned long pax_close_kernel(void)
7998 +{
7999 +       return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8000 +}
8001 +#else
8002 +static inline unsigned long pax_open_kernel(void) { return 0; }
8003 +static inline unsigned long pax_close_kernel(void) { return 0; }
8004 +#endif
8005 +
8006  #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8007  
8008  static inline int arch_spin_is_locked(struct arch_spinlock *lock)
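Review bot: `pax_open_kernel()` and `pax_close_kernel()` are declared to return `unsigned long`, yet no call site on this page uses the value and nothing here says what it represents; the `!CONFIG_PAX_KERNEXEC` stubs simply return 0. A comment on the KERNEXEC versions stating what the returned word is and whether open/close pairs may nest would let callers decide whether to preserve it, e.g. `/* NOTE(review): return value undocumented; every caller in this patch discards it — state what it is and whether nesting is supported */`.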
8009 @@ -955,7 +982,7 @@ extern void default_banner(void);
8010  
8011  #define PARA_PATCH(struct, off)        ((PARAVIRT_PATCH_##struct + (off)) / 4)
8012  #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8013 -#define PARA_INDIRECT(addr)    *%cs:addr
8014 +#define PARA_INDIRECT(addr)    *%ss:addr
8015  #endif
8016  
8017  #define INTERRUPT_RETURN                                               \
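Review bot: Switching PARA_INDIRECT from `%cs:` to `%ss:` changes the segment every patched paravirt call site uses to fetch its target and carries no comment; presumably the kernel code segment no longer has a zero base once KERNEXEC is enabled on 32-bit, so a CS-relative data fetch would resolve to the wrong address, but that reasoning is not on this page. Suggest `/* %ss rather than %cs: the kernel CS base is not 0 under KERNEXEC, so data references must use a flat data segment */`, provided that is the actual reason.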
8018 @@ -1032,6 +1059,21 @@ extern void default_banner(void);
8019         PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit),    \
8020                   CLBR_NONE,                                            \
8021                   jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8022 +
8023 +#define GET_CR0_INTO_RDI                               \
8024 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8025 +       mov %rax,%rdi
8026 +
8027 +#define SET_RDI_INTO_CR0                               \
8028 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8029 +
8030 +#define GET_CR3_INTO_RDI                               \
8031 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8032 +       mov %rax,%rdi
8033 +
8034 +#define SET_RDI_INTO_CR3                               \
8035 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8036 +
8037  #endif /* CONFIG_X86_32 */
8038  
8039  #endif /* __ASSEMBLY__ */
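Review bot: GET_CR0_INTO_RDI and GET_CR3_INTO_RDI clobber `%rax` (the paravirt call returns there before the `mov %rax,%rdi`), and the `call` itself may clobber whatever the paravirt calling convention allows, none of which the macros state; assembly users need that in a comment, e.g. `/* result in %rdi; clobbers %rax and whatever the pv call convention permits */`. The same four macro names are defined in the irqflags.h hunk earlier in this patch for the non-paravirt case, so both definitions must never reach one assembly file; confirming the guard around the irqflags.h versions (outside that hunk) would be prudent.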
8040 diff -urNp linux-3.0.9/arch/x86/include/asm/paravirt_types.h linux-3.0.9/arch/x86/include/asm/paravirt_types.h
8041 --- linux-3.0.9/arch/x86/include/asm/paravirt_types.h   2011-11-11 13:12:24.000000000 -0500
8042 +++ linux-3.0.9/arch/x86/include/asm/paravirt_types.h   2011-11-15 20:02:59.000000000 -0500
8043 @@ -78,19 +78,19 @@ struct pv_init_ops {
8044          */
8045         unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
8046                           unsigned long addr, unsigned len);
8047 -};
8048 +} __no_const;
8049  
8050  
8051  struct pv_lazy_ops {
8052         /* Set deferred update mode, used for batching operations. */
8053         void (*enter)(void);
8054         void (*leave)(void);
8055 -};
8056 +} __no_const;
8057  
8058  struct pv_time_ops {
8059         unsigned long long (*sched_clock)(void);
8060         unsigned long (*get_tsc_khz)(void);
8061 -};
8062 +} __no_const;
8063  
8064  struct pv_cpu_ops {
8065         /* hooks for various privileged instructions */
8066 @@ -186,7 +186,7 @@ struct pv_cpu_ops {
8067  
8068         void (*start_context_switch)(struct task_struct *prev);
8069         void (*end_context_switch)(struct task_struct *next);
8070 -};
8071 +} __no_const;
8072  
8073  struct pv_irq_ops {
8074         /*
8075 @@ -217,7 +217,7 @@ struct pv_apic_ops {
8076                                  unsigned long start_eip,
8077                                  unsigned long start_esp);
8078  #endif
8079 -};
8080 +} __no_const;
8081  
8082  struct pv_mmu_ops {
8083         unsigned long (*read_cr2)(void);
8084 @@ -306,6 +306,7 @@ struct pv_mmu_ops {
8085         struct paravirt_callee_save make_pud;
8086  
8087         void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
8088 +       void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
8089  #endif /* PAGETABLE_LEVELS == 4 */
8090  #endif /* PAGETABLE_LEVELS >= 3 */
8091  
8092 @@ -317,6 +318,12 @@ struct pv_mmu_ops {
8093            an mfn.  We can tell which is which from the index. */
8094         void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8095                            phys_addr_t phys, pgprot_t flags);
8096 +
8097 +#ifdef CONFIG_PAX_KERNEXEC
8098 +       unsigned long (*pax_open_kernel)(void);
8099 +       unsigned long (*pax_close_kernel)(void);
8100 +#endif
8101 +
8102  };
8103  
8104  struct arch_spinlock;
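Review bot: `struct pv_mmu_ops` is the one ops structure in this file left without `__no_const` while also gaining members, so presumably it is meant to become read-only after boot with writers going through `pax_open_kernel()`; if so, a comment on its closing brace recording that distinction would stop someone adding `__no_const` for symmetry, and if not, the omission looks accidental. The new `pax_open_kernel`/`pax_close_kernel` hooks here and the `set_pgd_batched` hook in the previous hunk are dispatched through `PVOP_CALL0`/`PVOP_VCALL*` in paravirt.h, so every backend's `pv_mmu_ops` initializer (not in view) must fill them in or the indirect call goes through a NULL pointer.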
8105 @@ -327,7 +334,7 @@ struct pv_lock_ops {
8106         void (*spin_lock_flags)(struct arch_spinlock *lock, unsigned long flags);
8107         int (*spin_trylock)(struct arch_spinlock *lock);
8108         void (*spin_unlock)(struct arch_spinlock *lock);
8109 -};
8110 +} __no_const;
8111  
8112  /* This contains all the paravirt structures: we get a convenient
8113   * number for each function using the offset which we use to indicate
8114 diff -urNp linux-3.0.9/arch/x86/include/asm/pgalloc.h linux-3.0.9/arch/x86/include/asm/pgalloc.h
8115 --- linux-3.0.9/arch/x86/include/asm/pgalloc.h  2011-11-11 13:12:24.000000000 -0500
8116 +++ linux-3.0.9/arch/x86/include/asm/pgalloc.h  2011-11-15 20:02:59.000000000 -0500
8117 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8118                                        pmd_t *pmd, pte_t *pte)
8119  {
8120         paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8121 +       set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8122 +}
8123 +
8124 +static inline void pmd_populate_user(struct mm_struct *mm,
8125 +                                      pmd_t *pmd, pte_t *pte)
8126 +{
8127 +       paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8128         set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8129  }
8130  
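Review bot: The new pair leaves undocumented why pmd_populate_kernel switched from _PAGE_TABLE to _KERNPG_TABLE (dropping _PAGE_USER from kernel pmds) while the added pmd_populate_user keeps _PAGE_TABLE; a header comment on each, e.g. `/* kernel page tables: supervisor-only pmd (no _PAGE_USER) */` and `/* user page tables: pmd must carry _PAGE_USER */`, would make the split explicit. Any caller that still uses pmd_populate_kernel for a page table that user space walks through now gets a supervisor-only entry, which cannot be audited from this hunk. pmd_populate_kernel's signature starts outside the hunk.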
8131 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable-2level.h linux-3.0.9/arch/x86/include/asm/pgtable-2level.h
8132 --- linux-3.0.9/arch/x86/include/asm/pgtable-2level.h   2011-11-11 13:12:24.000000000 -0500
8133 +++ linux-3.0.9/arch/x86/include/asm/pgtable-2level.h   2011-11-15 20:02:59.000000000 -0500
8134 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t 
8135  
8136  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8137  {
8138 +       pax_open_kernel();
8139         *pmdp = pmd;
8140 +       pax_close_kernel();
8141  }
8142  
8143  static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8144 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable_32.h linux-3.0.9/arch/x86/include/asm/pgtable_32.h
8145 --- linux-3.0.9/arch/x86/include/asm/pgtable_32.h       2011-11-11 13:12:24.000000000 -0500
8146 +++ linux-3.0.9/arch/x86/include/asm/pgtable_32.h       2011-11-15 20:02:59.000000000 -0500
8147 @@ -25,9 +25,6 @@
8148  struct mm_struct;
8149  struct vm_area_struct;
8150  
8151 -extern pgd_t swapper_pg_dir[1024];
8152 -extern pgd_t initial_page_table[1024];
8153 -
8154  static inline void pgtable_cache_init(void) { }
8155  static inline void check_pgt_cache(void) { }
8156  void paging_init(void);
8157 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8158  # include <asm/pgtable-2level.h>
8159  #endif
8160  
8161 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8162 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8163 +#ifdef CONFIG_X86_PAE
8164 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8165 +#endif
8166 +
8167  #if defined(CONFIG_HIGHPTE)
8168  #define pte_offset_map(dir, address)                                   \
8169         ((pte_t *)kmap_atomic(pmd_page(*(dir))) +               \
8170 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8171  /* Clear a kernel PTE and flush it from the TLB */
8172  #define kpte_clear_flush(ptep, vaddr)          \
8173  do {                                           \
8174 +       pax_open_kernel();                      \
8175         pte_clear(&init_mm, (vaddr), (ptep));   \
8176 +       pax_close_kernel();                     \
8177         __flush_tlb_one((vaddr));               \
8178  } while (0)
8179  
8180 @@ -74,6 +79,9 @@ do {                                          \
8181  
8182  #endif /* !__ASSEMBLY__ */
8183  
8184 +#define HAVE_ARCH_UNMAPPED_AREA
8185 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8186 +
8187  /*
8188   * kern_addr_valid() is (1) for FLATMEM and (0) for
8189   * SPARSEMEM and DISCONTIGMEM
8190 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable_32_types.h linux-3.0.9/arch/x86/include/asm/pgtable_32_types.h
8191 --- linux-3.0.9/arch/x86/include/asm/pgtable_32_types.h 2011-11-11 13:12:24.000000000 -0500
8192 +++ linux-3.0.9/arch/x86/include/asm/pgtable_32_types.h 2011-11-15 20:02:59.000000000 -0500
8193 @@ -8,7 +8,7 @@
8194   */
8195  #ifdef CONFIG_X86_PAE
8196  # include <asm/pgtable-3level_types.h>
8197 -# define PMD_SIZE      (1UL << PMD_SHIFT)
8198 +# define PMD_SIZE      (_AC(1, UL) << PMD_SHIFT)
8199  # define PMD_MASK      (~(PMD_SIZE - 1))
8200  #else
8201  # include <asm/pgtable-2level_types.h>
8202 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set 
8203  # define VMALLOC_END   (FIXADDR_START - 2 * PAGE_SIZE)
8204  #endif
8205  
8206 +#ifdef CONFIG_PAX_KERNEXEC
8207 +#ifndef __ASSEMBLY__
8208 +extern unsigned char MODULES_EXEC_VADDR[];
8209 +extern unsigned char MODULES_EXEC_END[];
8210 +#endif
8211 +#include <asm/boot.h>
8212 +#define ktla_ktva(addr)                (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8213 +#define ktva_ktla(addr)                (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8214 +#else
8215 +#define ktla_ktva(addr)                (addr)
8216 +#define ktva_ktla(addr)                (addr)
8217 +#endif
8218 +
8219  #define MODULES_VADDR  VMALLOC_START
8220  #define MODULES_END    VMALLOC_END
8221  #define MODULES_LEN    (MODULES_VADDR - MODULES_END)
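Review bot: `ktla_ktva`/`ktva_ktla` do not parenthesise their argument, so `ktla_ktva(a ? b : c)` expands with the wrong precedence; write them as `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity fallbacks here and in the pgtable_64_types.h hunk below should become `((addr))` for the same reason, so every configuration yields a single expression. A one-line comment spelling out what "ktla" and "ktva" stand for (kernel text linear/virtual address, presumably) would also help readers of the call sites.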
8222 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable-3level.h linux-3.0.9/arch/x86/include/asm/pgtable-3level.h
8223 --- linux-3.0.9/arch/x86/include/asm/pgtable-3level.h   2011-11-11 13:12:24.000000000 -0500
8224 +++ linux-3.0.9/arch/x86/include/asm/pgtable-3level.h   2011-11-15 20:02:59.000000000 -0500
8225 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8226  
8227  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8228  {
8229 +       pax_open_kernel();
8230         set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8231 +       pax_close_kernel();
8232  }
8233  
8234  static inline void native_set_pud(pud_t *pudp, pud_t pud)
8235  {
8236 +       pax_open_kernel();
8237         set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8238 +       pax_close_kernel();
8239  }
8240  
8241  /*
8242 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable_64.h linux-3.0.9/arch/x86/include/asm/pgtable_64.h
8243 --- linux-3.0.9/arch/x86/include/asm/pgtable_64.h       2011-11-11 13:12:24.000000000 -0500
8244 +++ linux-3.0.9/arch/x86/include/asm/pgtable_64.h       2011-11-15 20:02:59.000000000 -0500
8245 @@ -16,10 +16,13 @@
8246  
8247  extern pud_t level3_kernel_pgt[512];
8248  extern pud_t level3_ident_pgt[512];
8249 +extern pud_t level3_vmalloc_pgt[512];
8250 +extern pud_t level3_vmemmap_pgt[512];
8251 +extern pud_t level2_vmemmap_pgt[512];
8252  extern pmd_t level2_kernel_pgt[512];
8253  extern pmd_t level2_fixmap_pgt[512];
8254 -extern pmd_t level2_ident_pgt[512];
8255 -extern pgd_t init_level4_pgt[];
8256 +extern pmd_t level2_ident_pgt[512*2];
8257 +extern pgd_t init_level4_pgt[512];
8258  
8259  #define swapper_pg_dir init_level4_pgt
8260  
8261 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8262  
8263  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8264  {
8265 +       pax_open_kernel();
8266         *pmdp = pmd;
8267 +       pax_close_kernel();
8268  }
8269  
8270  static inline void native_pmd_clear(pmd_t *pmd)
8271 @@ -107,6 +112,13 @@ static inline void native_pud_clear(pud_
8272  
8273  static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8274  {
8275 +       pax_open_kernel();
8276 +       *pgdp = pgd;
8277 +       pax_close_kernel();
8278 +}
8279 +
8280 +static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
8281 +{
8282         *pgdp = pgd;
8283  }
8284  
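Review bot: native_set_pgd_batched is a verbatim copy of the old native_set_pgd without the pax_open_kernel()/pax_close_kernel() pair, and nothing says who is responsible for the write-protect window when it is used; add `/* like native_set_pgd(), but the caller must already be inside pax_open_kernel()/pax_close_kernel() (bulk pgd updates) */` above it. The `set_pgd_batched` wrapper in the pgtable.h hunk below inherits the same contract and should say so too.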
8285 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable_64_types.h linux-3.0.9/arch/x86/include/asm/pgtable_64_types.h
8286 --- linux-3.0.9/arch/x86/include/asm/pgtable_64_types.h 2011-11-11 13:12:24.000000000 -0500
8287 +++ linux-3.0.9/arch/x86/include/asm/pgtable_64_types.h 2011-11-15 20:02:59.000000000 -0500
8288 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8289  #define MODULES_VADDR    _AC(0xffffffffa0000000, UL)
8290  #define MODULES_END      _AC(0xffffffffff000000, UL)
8291  #define MODULES_LEN   (MODULES_END - MODULES_VADDR)
8292 +#define MODULES_EXEC_VADDR MODULES_VADDR
8293 +#define MODULES_EXEC_END MODULES_END
8294 +
8295 +#define ktla_ktva(addr)                (addr)
8296 +#define ktva_ktla(addr)                (addr)
8297  
8298  #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8299 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable.h linux-3.0.9/arch/x86/include/asm/pgtable.h
8300 --- linux-3.0.9/arch/x86/include/asm/pgtable.h  2011-11-11 13:12:24.000000000 -0500
8301 +++ linux-3.0.9/arch/x86/include/asm/pgtable.h  2011-11-15 20:02:59.000000000 -0500
8302 @@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm
8303  
8304  #ifndef __PAGETABLE_PUD_FOLDED
8305  #define set_pgd(pgdp, pgd)             native_set_pgd(pgdp, pgd)
8306 +#define set_pgd_batched(pgdp, pgd)     native_set_pgd_batched(pgdp, pgd)
8307  #define pgd_clear(pgd)                 native_pgd_clear(pgd)
8308  #endif
8309  
8310 @@ -81,12 +82,51 @@ extern struct mm_struct *pgd_page_get_mm
8311  
8312  #define arch_end_context_switch(prev)  do {} while(0)
8313  
8314 +#define pax_open_kernel()      native_pax_open_kernel()
8315 +#define pax_close_kernel()     native_pax_close_kernel()
8316  #endif /* CONFIG_PARAVIRT */
8317  
8318 +#define  __HAVE_ARCH_PAX_OPEN_KERNEL
8319 +#define  __HAVE_ARCH_PAX_CLOSE_KERNEL
8320 +
8321 +#ifdef CONFIG_PAX_KERNEXEC
8322 +static inline unsigned long native_pax_open_kernel(void)
8323 +{
8324 +       unsigned long cr0;
8325 +
8326 +       preempt_disable();
8327 +       barrier();
8328 +       cr0 = read_cr0() ^ X86_CR0_WP;
8329 +       BUG_ON(unlikely(cr0 & X86_CR0_WP));
8330 +       write_cr0(cr0);
8331 +       return cr0 ^ X86_CR0_WP;
8332 +}
8333 +
8334 +static inline unsigned long native_pax_close_kernel(void)
8335 +{
8336 +       unsigned long cr0;
8337 +
8338 +       cr0 = read_cr0() ^ X86_CR0_WP;
8339 +       BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8340 +       write_cr0(cr0);
8341 +       barrier();
8342 +       preempt_enable_no_resched();
8343 +       return cr0 ^ X86_CR0_WP;
8344 +}
8345 +#else
8346 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8347 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8348 +#endif
8349 +
8350  /*
8351   * The following only work if pte_present() is true.
8352   * Undefined behaviour if not..
8353   */
8354 +static inline int pte_user(pte_t pte)
8355 +{
8356 +       return pte_val(pte) & _PAGE_USER;
8357 +}
8358 +
8359  static inline int pte_dirty(pte_t pte)
8360  {
8361         return pte_flags(pte) & _PAGE_DIRTY;
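Review bot: native_pax_open_kernel()/native_pax_close_kernel() carry no comment although the contract is subtle: open clears CR0.WP and leaves preemption disabled, close restores WP and re-enables preemption without rescheduling, the BUG_ONs reject nested or unbalanced calls (WP must be set on open and clear on close), and both return the CR0 value that was in effect before the call. A header comment stating exactly that, plus a note on how an interrupt arriving inside the window is kept from running with WP cleared (handled in entry code not shown here, presumably), would let callers use the pair correctly. Separately, the `#define  __HAVE_ARCH_PAX_OPEN_KERNEL` lines use two spaces after `#define` while the rest of the file uses one.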
8362 @@ -196,9 +236,29 @@ static inline pte_t pte_wrprotect(pte_t 
8363         return pte_clear_flags(pte, _PAGE_RW);
8364  }
8365  
8366 +static inline pte_t pte_mkread(pte_t pte)
8367 +{
8368 +       return __pte(pte_val(pte) | _PAGE_USER);
8369 +}
8370 +
8371  static inline pte_t pte_mkexec(pte_t pte)
8372  {
8373 -       return pte_clear_flags(pte, _PAGE_NX);
8374 +#ifdef CONFIG_X86_PAE
8375 +       if (__supported_pte_mask & _PAGE_NX)
8376 +               return pte_clear_flags(pte, _PAGE_NX);
8377 +       else
8378 +#endif
8379 +               return pte_set_flags(pte, _PAGE_USER);
8380 +}
8381 +
8382 +static inline pte_t pte_exprotect(pte_t pte)
8383 +{
8384 +#ifdef CONFIG_X86_PAE
8385 +       if (__supported_pte_mask & _PAGE_NX)
8386 +               return pte_set_flags(pte, _PAGE_NX);
8387 +       else
8388 +#endif
8389 +               return pte_clear_flags(pte, _PAGE_USER);
8390  }
8391  
8392  static inline pte_t pte_mkdirty(pte_t pte)
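Review bot: pte_mkread builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while the neighbouring pte_wrprotect, pte_mkexec and pte_exprotect use pte_set_flags()/pte_clear_flags(); `return pte_set_flags(pte, _PAGE_USER);` keeps the helpers uniform (pte_user in the hunk above likewise uses pte_val() where pte_dirty uses pte_flags()). The `#ifdef CONFIG_X86_PAE ... else #endif` shape, with the `else` keyword inside the ifdef and its statement outside, compiles but is easy to misread; a comment such as `/* without a usable NX bit, executability is tracked through _PAGE_USER (presumably by the PAGEEXEC/SEGMEXEC emulation elsewhere) — confirm */` on both functions would explain why a "make executable" helper touches the user bit.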
8393 @@ -390,6 +450,15 @@ pte_t *populate_extra_pte(unsigned long 
8394  #endif
8395  
8396  #ifndef __ASSEMBLY__
8397 +
8398 +#ifdef CONFIG_PAX_PER_CPU_PGD
8399 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8400 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8401 +{
8402 +       return cpu_pgd[cpu];
8403 +}
8404 +#endif
8405 +
8406  #include <linux/mm_types.h>
8407  
8408  static inline int pte_none(pte_t pte)
8409 @@ -560,7 +629,7 @@ static inline pud_t *pud_offset(pgd_t *p
8410  
8411  static inline int pgd_bad(pgd_t pgd)
8412  {
8413 -       return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8414 +       return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8415  }
8416  
8417  static inline int pgd_none(pgd_t pgd)
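Review bot: pgd_bad now ignores _PAGE_NX as well as _PAGE_USER, but nothing says which configuration puts NX on a pgd entry; a comment such as `/* NX on a pgd entry is legitimate (user pgds under UDEREF, presumably — confirm) */` keeps the wider mask from looking like a typo.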
8418 @@ -583,7 +652,12 @@ static inline int pgd_none(pgd_t pgd)
8419   * pgd_offset() returns a (pgd_t *)
8420   * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8421   */
8422 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8423 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8424 +
8425 +#ifdef CONFIG_PAX_PER_CPU_PGD
8426 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8427 +#endif
8428 +
8429  /*
8430   * a shortcut which implies the use of the kernel's pgd, instead
8431   * of a process's
8432 @@ -594,6 +668,20 @@ static inline int pgd_none(pgd_t pgd)
8433  #define KERNEL_PGD_BOUNDARY    pgd_index(PAGE_OFFSET)
8434  #define KERNEL_PGD_PTRS                (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8435  
8436 +#ifdef CONFIG_X86_32
8437 +#define USER_PGD_PTRS          KERNEL_PGD_BOUNDARY
8438 +#else
8439 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8440 +#define USER_PGD_PTRS          (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8441 +
8442 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8443 +#define PAX_USER_SHADOW_BASE   (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8444 +#else
8445 +#define PAX_USER_SHADOW_BASE   (_AC(0,UL))
8446 +#endif
8447 +
8448 +#endif
8449 +
8450  #ifndef __ASSEMBLY__
8451  
8452  extern int direct_gbpages;
8453 @@ -758,11 +846,23 @@ static inline void pmdp_set_wrprotect(st
8454   * dst and src can be on the same page, but the range must not overlap,
8455   * and must not cross a page boundary.
8456   */
8457 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8458 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8459  {
8460 -       memcpy(dst, src, count * sizeof(pgd_t));
8461 +       pax_open_kernel();
8462 +       while (count--)
8463 +               *dst++ = *src++;
8464 +       pax_close_kernel();
8465  }
8466  
8467 +#ifdef CONFIG_PAX_PER_CPU_PGD
8468 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8469 +#endif
8470 +
8471 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8472 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8473 +#else
8474 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8475 +#endif
8476  
8477  #include <asm-generic/pgtable.h>
8478  #endif /* __ASSEMBLY__ */
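Review bot: The open-coded `*dst++ = *src++` loop replaces memcpy() without saying why; if the intent is one whole-entry store per pgd (rather than memcpy's unspecified granularity) inside the pax_open_kernel() window, say so above the loop, e.g. `/* entry-sized stores, performed inside the WP-off window */` — confirm that is the reason. `count` is still an `int`, and `while (count--)` with a negative value keeps going until signed overflow (the old memcpy misbehaved too, so not a regression); since the signature is being touched anyway, a `BUG_ON(count < 0);` before the loop, or an unsigned count, would close that. The __clone_user_pgds declaration and the __shadow_user_pgds stub would each benefit from a one-line comment on what they copy.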
8479 diff -urNp linux-3.0.9/arch/x86/include/asm/pgtable_types.h linux-3.0.9/arch/x86/include/asm/pgtable_types.h
8480 --- linux-3.0.9/arch/x86/include/asm/pgtable_types.h    2011-11-11 13:12:24.000000000 -0500
8481 +++ linux-3.0.9/arch/x86/include/asm/pgtable_types.h    2011-11-15 20:02:59.000000000 -0500
8482 @@ -16,13 +16,12 @@
8483  #define _PAGE_BIT_PSE          7       /* 4 MB (or 2MB) page */
8484  #define _PAGE_BIT_PAT          7       /* on 4KB pages */
8485  #define _PAGE_BIT_GLOBAL       8       /* Global TLB entry PPro+ */
8486 -#define _PAGE_BIT_UNUSED1      9       /* available for programmer */
8487 +#define _PAGE_BIT_SPECIAL      9       /* special mappings, no associated struct page */
8488  #define _PAGE_BIT_IOMAP                10      /* flag used to indicate IO mapping */
8489  #define _PAGE_BIT_HIDDEN       11      /* hidden by kmemcheck */
8490  #define _PAGE_BIT_PAT_LARGE    12      /* On 2MB or 1GB pages */
8491 -#define _PAGE_BIT_SPECIAL      _PAGE_BIT_UNUSED1
8492 -#define _PAGE_BIT_CPA_TEST     _PAGE_BIT_UNUSED1
8493 -#define _PAGE_BIT_SPLITTING    _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8494 +#define _PAGE_BIT_CPA_TEST     _PAGE_BIT_SPECIAL
8495 +#define _PAGE_BIT_SPLITTING    _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8496  #define _PAGE_BIT_NX           63       /* No execute: only valid after cpuid check */
8497  
8498  /* If _PAGE_BIT_PRESENT is clear, we use these: */
8499 @@ -40,7 +39,6 @@
8500  #define _PAGE_DIRTY    (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8501  #define _PAGE_PSE      (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8502  #define _PAGE_GLOBAL   (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8503 -#define _PAGE_UNUSED1  (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8504  #define _PAGE_IOMAP    (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8505  #define _PAGE_PAT      (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8506  #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8507 @@ -57,8 +55,10 @@
8508  
8509  #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8510  #define _PAGE_NX       (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8511 -#else
8512 +#elif defined(CONFIG_KMEMCHECK)
8513  #define _PAGE_NX       (_AT(pteval_t, 0))
8514 +#else
8515 +#define _PAGE_NX       (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8516  #endif
8517  
8518  #define _PAGE_FILE     (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
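Review bot: On 32-bit without PAE, _PAGE_NX is now a non-zero value built from _PAGE_BIT_HIDDEN (bit 11, described above as "hidden by kmemcheck"), so it is a software-only marker with no hardware effect, and the new `#elif defined(CONFIG_KMEMCHECK)` branch exists precisely because that bit is already taken there; neither fact is stated at the definition. Add `/* no hardware NX without PAE: reuse software bit 11 as an NX marker (unavailable when kmemcheck owns it) */` above the final `#else`. Whether anything consumes the marker on non-PAE is not visible in this hunk.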
8519 @@ -96,6 +96,9 @@
8520  #define PAGE_READONLY_EXEC     __pgprot(_PAGE_PRESENT | _PAGE_USER |   \
8521                                          _PAGE_ACCESSED)
8522  
8523 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8524 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8525 +
8526  #define __PAGE_KERNEL_EXEC                                             \
8527         (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8528  #define __PAGE_KERNEL          (__PAGE_KERNEL_EXEC | _PAGE_NX)
8529 @@ -106,8 +109,8 @@
8530  #define __PAGE_KERNEL_WC               (__PAGE_KERNEL | _PAGE_CACHE_WC)
8531  #define __PAGE_KERNEL_NOCACHE          (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8532  #define __PAGE_KERNEL_UC_MINUS         (__PAGE_KERNEL | _PAGE_PCD)
8533 -#define __PAGE_KERNEL_VSYSCALL         (__PAGE_KERNEL_RX | _PAGE_USER)
8534 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8535 +#define __PAGE_KERNEL_VSYSCALL         (__PAGE_KERNEL_RO | _PAGE_USER)
8536 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8537  #define __PAGE_KERNEL_LARGE            (__PAGE_KERNEL | _PAGE_PSE)
8538  #define __PAGE_KERNEL_LARGE_NOCACHE    (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8539  #define __PAGE_KERNEL_LARGE_EXEC       (__PAGE_KERNEL_EXEC | _PAGE_PSE)
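Review bot: __PAGE_KERNEL_VSYSCALL switches from __PAGE_KERNEL_RX to __PAGE_KERNEL_RO, so the vsyscall page becomes user-readable but no longer executable (assuming __PAGE_KERNEL_RO carries _PAGE_NX as __PAGE_KERNEL does per the definition above); anything that still jumps into the fixed vsyscall addresses must now be handled by a trap/emulation path this hunk does not show. A comment at the define, `/* vsyscall page is readable only; execution is emulated — see <emulation site> */` with the real location filled in, would tie the two together.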
8540 @@ -166,8 +169,8 @@
8541   * bits are combined, this will alow user to access the high address mapped
8542   * VDSO in the presence of CONFIG_COMPAT_VDSO
8543   */
8544 -#define PTE_IDENT_ATTR  0x003          /* PRESENT+RW */
8545 -#define PDE_IDENT_ATTR  0x067          /* PRESENT+RW+USER+DIRTY+ACCESSED */
8546 +#define PTE_IDENT_ATTR  0x063          /* PRESENT+RW+DIRTY+ACCESSED */
8547 +#define PDE_IDENT_ATTR  0x063          /* PRESENT+RW+DIRTY+ACCESSED */
8548  #define PGD_IDENT_ATTR  0x001          /* PRESENT (no other attributes) */
8549  #endif
8550  
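Review bot: PDE_IDENT_ATTR drops the USER bit (0x067 to 0x063), but the comment block that precedes these defines still explains that USER is set so user space can reach the high-mapped VDSO under CONFIG_COMPAT_VDSO; that comment is now stale and should either be rewritten to say why user access through the identity PDEs is no longer wanted, or the change needs a justification next to it. The PTE value 0x063 (adding DIRTY+ACCESSED) is consistent with the PDE value and its updated comment.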
8551 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8552  {
8553         return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8554  }
8555 +#endif
8556  
8557 +#if PAGETABLE_LEVELS == 3
8558 +#include <asm-generic/pgtable-nopud.h>
8559 +#endif
8560 +
8561 +#if PAGETABLE_LEVELS == 2
8562 +#include <asm-generic/pgtable-nopmd.h>
8563 +#endif
8564 +
8565 +#ifndef __ASSEMBLY__
8566  #if PAGETABLE_LEVELS > 3
8567  typedef struct { pudval_t pud; } pud_t;
8568  
8569 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
8570         return pud.pud;
8571  }
8572  #else
8573 -#include <asm-generic/pgtable-nopud.h>
8574 -
8575  static inline pudval_t native_pud_val(pud_t pud)
8576  {
8577         return native_pgd_val(pud.pgd);
8578 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
8579         return pmd.pmd;
8580  }
8581  #else
8582 -#include <asm-generic/pgtable-nopmd.h>
8583 -
8584  static inline pmdval_t native_pmd_val(pmd_t pmd)
8585  {
8586         return native_pgd_val(pmd.pud.pgd);
8587 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
8588  
8589  extern pteval_t __supported_pte_mask;
8590  extern void set_nx(void);
8591 -extern int nx_enabled;
8592  
8593  #define pgprot_writecombine    pgprot_writecombine
8594  extern pgprot_t pgprot_writecombine(pgprot_t prot);
8595 diff -urNp linux-3.0.9/arch/x86/include/asm/processor.h linux-3.0.9/arch/x86/include/asm/processor.h
8596 --- linux-3.0.9/arch/x86/include/asm/processor.h        2011-11-11 13:12:24.000000000 -0500
8597 +++ linux-3.0.9/arch/x86/include/asm/processor.h        2011-11-15 20:02:59.000000000 -0500
8598 @@ -266,7 +266,7 @@ struct tss_struct {
8599  
8600  } ____cacheline_aligned;
8601  
8602 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8603 +extern struct tss_struct init_tss[NR_CPUS];
8604  
8605  /*
8606   * Save the original ist values for checking stack pointers during debugging
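Review bot: Replacing the per-CPU init_tss with `extern struct tss_struct init_tss[NR_CPUS]` sizes the array by the compile-time CPU limit rather than by the CPUs present, and every user moves from a per-cpu accessor to an array index; the reason for giving up per-cpu placement (a fixed, possibly read-only location for KERNEXEC, presumably) is not recorded. Add a comment at the declaration explaining the constraint and noting where the definition lives, since it is not visible in this hunk.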
8607 @@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co
8608   */
8609  #define TASK_SIZE              PAGE_OFFSET
8610  #define TASK_SIZE_MAX          TASK_SIZE
8611 +
8612 +#ifdef CONFIG_PAX_SEGMEXEC
8613 +#define SEGMEXEC_TASK_SIZE     (TASK_SIZE / 2)
8614 +#define STACK_TOP              ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8615 +#else
8616  #define STACK_TOP              TASK_SIZE
8617 -#define STACK_TOP_MAX          STACK_TOP
8618 +#endif
8619 +
8620 +#define STACK_TOP_MAX          TASK_SIZE
8621  
8622  #define INIT_THREAD  {                                                   \
8623 -       .sp0                    = sizeof(init_stack) + (long)&init_stack, \
8624 +       .sp0                    = sizeof(init_stack) + (long)&init_stack - 8, \
8625         .vm86_info              = NULL,                                   \
8626         .sysenter_cs            = __KERNEL_CS,                            \
8627         .io_bitmap_ptr          = NULL,                                   \
8628 @@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co
8629   */
8630  #define INIT_TSS  {                                                      \
8631         .x86_tss = {                                                      \
8632 -               .sp0            = sizeof(init_stack) + (long)&init_stack, \
8633 +               .sp0            = sizeof(init_stack) + (long)&init_stack - 8, \
8634                 .ss0            = __KERNEL_DS,                            \
8635                 .ss1            = __KERNEL_CS,                            \
8636                 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,               \
8637 @@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co
8638  extern unsigned long thread_saved_pc(struct task_struct *tsk);
8639  
8640  #define THREAD_SIZE_LONGS      (THREAD_SIZE/sizeof(unsigned long))
8641 -#define KSTK_TOP(info)                                                 \
8642 -({                                                                     \
8643 -       unsigned long *__ptr = (unsigned long *)(info);                 \
8644 -       (unsigned long)(&__ptr[THREAD_SIZE_LONGS]);                     \
8645 -})
8646 +#define KSTK_TOP(info)         ((container_of(info, struct task_struct, tinfo))->thread.sp0)
8647  
8648  /*
8649   * The below -8 is to reserve 8 bytes on top of the ring0 stack.
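Review bot: The new KSTK_TOP(info) relies on `struct task_struct` having a `tinfo` member that `info` points into (container_of(info, struct task_struct, tinfo)), a layout change this hunk does not show; it also changes the macro's meaning from "end of the thread_info allocation" to "saved ring-0 stack pointer", which are no longer the same value once sp0 is initialised 8 bytes below the top in the INIT_THREAD/INIT_TSS hunks above. A comment such as `/* top of the kernel stack as seen by task_pt_regs(): thread.sp0, which already excludes the reserved bytes */` would record both facts.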
8650 @@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str
8651  #define task_pt_regs(task)                                             \
8652  ({                                                                     \
8653         struct pt_regs *__regs__;                                       \
8654 -       __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8655 +       __regs__ = (struct pt_regs *)((task)->thread.sp0);              \
8656         __regs__ - 1;                                                   \
8657  })
8658  
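Review bot: task_pt_regs() no longer subtracts 8 from the stack top — it casts `(task)->thread.sp0` directly — yet the comment introducing this block (context at the end of the previous hunk: "The below -8 is to reserve 8 bytes on top of the ring0 stack") still describes the old subtraction. The reservation has moved into the `.sp0 = ... - 8` initialisers in the INIT_THREAD and INIT_TSS hunks above, so the comment should be rewritten along the lines of `/* sp0 already sits 8 bytes below the stack top (see INIT_THREAD/INIT_TSS), so pt_regs starts right below it */`.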
8659 @@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str
8660  /*
8661   * User space process size. 47bits minus one guard page.
8662   */
8663 -#define TASK_SIZE_MAX  ((1UL << 47) - PAGE_SIZE)
8664 +#define TASK_SIZE_MAX  ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8665  
8666  /* This decides where the kernel will search for a free chunk of vm
8667   * space during mmap's.
8668   */
8669  #define IA32_PAGE_OFFSET       ((current->personality & ADDR_LIMIT_3GB) ? \
8670 -                                       0xc0000000 : 0xFFFFe000)
8671 +                                       0xc0000000 : 0xFFFFf000)
8672  
8673  #define TASK_SIZE              (test_thread_flag(TIF_IA32) ? \
8674                                         IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8675 @@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str
8676  #define STACK_TOP_MAX          TASK_SIZE_MAX
8677  
8678  #define INIT_THREAD  { \
8679 -       .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
8680 +       .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
8681  }
8682  
8683  #define INIT_TSS  { \
8684 -       .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
8685 +       .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
8686  }
8687  
8688  /*
8689 @@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs 
8690   */
8691  #define TASK_UNMAPPED_BASE     (PAGE_ALIGN(TASK_SIZE / 3))
8692  
8693 +#ifdef CONFIG_PAX_SEGMEXEC
8694 +#define SEGMEXEC_TASK_UNMAPPED_BASE    (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8695 +#endif
8696 +
8697  #define KSTK_EIP(task)         (task_pt_regs(task)->ip)
8698  
8699  /* Get/set a process' ability to use the timestamp counter instruction */
8700 diff -urNp linux-3.0.9/arch/x86/include/asm/ptrace.h linux-3.0.9/arch/x86/include/asm/ptrace.h
8701 --- linux-3.0.9/arch/x86/include/asm/ptrace.h   2011-11-11 13:12:24.000000000 -0500
8702 +++ linux-3.0.9/arch/x86/include/asm/ptrace.h   2011-11-15 20:02:59.000000000 -0500
8703 @@ -153,28 +153,29 @@ static inline unsigned long regs_return_
8704  }
8705  
8706  /*
8707 - * user_mode_vm(regs) determines whether a register set came from user mode.
8708 + * user_mode(regs) determines whether a register set came from user mode.
8709   * This is true if V8086 mode was enabled OR if the register set was from
8710   * protected mode with RPL-3 CS value.  This tricky test checks that with
8711   * one comparison.  Many places in the kernel can bypass this full check
8712 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8713 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8714 + * be used.
8715   */
8716 -static inline int user_mode(struct pt_regs *regs)
8717 +static inline int user_mode_novm(struct pt_regs *regs)
8718  {
8719  #ifdef CONFIG_X86_32
8720         return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8721  #else
8722 -       return !!(regs->cs & 3);
8723 +       return !!(regs->cs & SEGMENT_RPL_MASK);
8724  #endif
8725  }
8726  
8727 -static inline int user_mode_vm(struct pt_regs *regs)
8728 +static inline int user_mode(struct pt_regs *regs)
8729  {
8730  #ifdef CONFIG_X86_32
8731         return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8732                 USER_RPL;
8733  #else
8734 -       return user_mode(regs);
8735 +       return user_mode_novm(regs);
8736  #endif
8737  }
8738  
8739 diff -urNp linux-3.0.9/arch/x86/include/asm/reboot.h linux-3.0.9/arch/x86/include/asm/reboot.h
8740 --- linux-3.0.9/arch/x86/include/asm/reboot.h   2011-11-11 13:12:24.000000000 -0500
8741 +++ linux-3.0.9/arch/x86/include/asm/reboot.h   2011-11-15 20:02:59.000000000 -0500
8742 @@ -6,19 +6,19 @@
8743  struct pt_regs;
8744  
8745  struct machine_ops {
8746 -       void (*restart)(char *cmd);
8747 -       void (*halt)(void);
8748 -       void (*power_off)(void);
8749 +       void (* __noreturn restart)(char *cmd);
8750 +       void (* __noreturn halt)(void);
8751 +       void (* __noreturn power_off)(void);
8752         void (*shutdown)(void);
8753         void (*crash_shutdown)(struct pt_regs *);
8754 -       void (*emergency_restart)(void);
8755 -};
8756 +       void (* __noreturn emergency_restart)(void);
8757 +} __no_const;
8758  
8759  extern struct machine_ops machine_ops;
8760  
8761  void native_machine_crash_shutdown(struct pt_regs *regs);
8762  void native_machine_shutdown(void);
8763 -void machine_real_restart(unsigned int type);
8764 +void machine_real_restart(unsigned int type) __noreturn;
8765  /* These must match dispatch_table in reboot_32.S */
8766  #define MRR_BIOS       0
8767  #define MRR_APM                1
8768 diff -urNp linux-3.0.9/arch/x86/include/asm/rwsem.h linux-3.0.9/arch/x86/include/asm/rwsem.h
8769 --- linux-3.0.9/arch/x86/include/asm/rwsem.h    2011-11-11 13:12:24.000000000 -0500
8770 +++ linux-3.0.9/arch/x86/include/asm/rwsem.h    2011-11-15 20:02:59.000000000 -0500
8771 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw
8772  {
8773         asm volatile("# beginning down_read\n\t"
8774                      LOCK_PREFIX _ASM_INC "(%1)\n\t"
8775 +
8776 +#ifdef CONFIG_PAX_REFCOUNT
8777 +                    "jno 0f\n"
8778 +                    LOCK_PREFIX _ASM_DEC "(%1)\n"
8779 +                    "int $4\n0:\n"
8780 +                    _ASM_EXTABLE(0b, 0b)
8781 +#endif
8782 +
8783                      /* adds 0x00000001 */
8784                      "  jns        1f\n"
8785                      "  call call_rwsem_down_read_failed\n"
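Review bot: The new CONFIG_PAX_REFCOUNT block is spliced between `LOCK_PREFIX _ASM_INC "(%1)"` and the `/* adds 0x00000001 */` comment that describes that instruction, so the comment now reads as if it belongs to the overflow check; move it up next to the inc (the same applies to the "adds 0xffff0001" and "subtracts ..." comments in the __down_write_nested, __up_read and __up_write hunks below). A short comment on the block itself, e.g. `/* PAX_REFCOUNT: on signed overflow undo the increment and raise #OF; the extable entry resumes at 0: */`, would also help, since the `int $4` plus `_ASM_EXTABLE(0b, 0b)` idiom is not self-explanatory.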
8786 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
8787                      "1:\n\t"
8788                      "  mov          %1,%2\n\t"
8789                      "  add          %3,%2\n\t"
8790 +
8791 +#ifdef CONFIG_PAX_REFCOUNT
8792 +                    "jno 0f\n"
8793 +                    "sub %3,%2\n"
8794 +                    "int $4\n0:\n"
8795 +                    _ASM_EXTABLE(0b, 0b)
8796 +#endif
8797 +
8798                      "  jle          2f\n\t"
8799                      LOCK_PREFIX "  cmpxchg  %2,%0\n\t"
8800                      "  jnz          1b\n\t"
8801 @@ -104,6 +120,14 @@ static inline void __down_write_nested(s
8802         long tmp;
8803         asm volatile("# beginning down_write\n\t"
8804                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8805 +
8806 +#ifdef CONFIG_PAX_REFCOUNT
8807 +                    "jno 0f\n"
8808 +                    "mov %1,(%2)\n"
8809 +                    "int $4\n0:\n"
8810 +                    _ASM_EXTABLE(0b, 0b)
8811 +#endif
8812 +
8813                      /* adds 0xffff0001, returns the old value */
8814                      "  test      %1,%1\n\t"
8815                      /* was the count 0 before? */
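Review bot: The overflow rollback `mov %1,(%2)` after the `xadd` is a plain store of the pre-xadd value, not a LOCK-prefixed operation, so a concurrent LOCK xadd from another CPU landing between the two instructions is overwritten (lost update) — unlike the `LOCK_PREFIX _ASM_SUB` rollbacks used in __downgrade_write and rwsem_atomic_add further down. If the `int $4` path treats the overflow as fatal and the semaphore is considered corrupt anyway, that is acceptable, but it should be stated at the rollback, e.g. `/* best-effort, non-atomic restore: the trap below is fatal, so a lost concurrent update is tolerated */`. The same non-atomic restore appears in the __up_read, __up_write and rwsem_atomic_update hunks below.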
8816 @@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
8817         long tmp;
8818         asm volatile("# beginning __up_read\n\t"
8819                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8820 +
8821 +#ifdef CONFIG_PAX_REFCOUNT
8822 +                    "jno 0f\n"
8823 +                    "mov %1,(%2)\n"
8824 +                    "int $4\n0:\n"
8825 +                    _ASM_EXTABLE(0b, 0b)
8826 +#endif
8827 +
8828                      /* subtracts 1, returns the old value */
8829                      "  jns        1f\n\t"
8830                      "  call call_rwsem_wake\n" /* expects old value in %edx */
8831 @@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
8832         long tmp;
8833         asm volatile("# beginning __up_write\n\t"
8834                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8835 +
8836 +#ifdef CONFIG_PAX_REFCOUNT
8837 +                    "jno 0f\n"
8838 +                    "mov %1,(%2)\n"
8839 +                    "int $4\n0:\n"
8840 +                    _ASM_EXTABLE(0b, 0b)
8841 +#endif
8842 +
8843                      /* subtracts 0xffff0001, returns the old value */
8844                      "  jns        1f\n\t"
8845                      "  call call_rwsem_wake\n" /* expects old value in %edx */
8846 @@ -176,6 +216,14 @@ static inline void __downgrade_write(str
8847  {
8848         asm volatile("# beginning __downgrade_write\n\t"
8849                      LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8850 +
8851 +#ifdef CONFIG_PAX_REFCOUNT
8852 +                    "jno 0f\n"
8853 +                    LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8854 +                    "int $4\n0:\n"
8855 +                    _ASM_EXTABLE(0b, 0b)
8856 +#endif
8857 +
8858                      /*
8859                       * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8860                       *     0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8861 @@ -194,7 +242,15 @@ static inline void __downgrade_write(str
8862   */
8863  static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
8864  {
8865 -       asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8866 +       asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8867 +
8868 +#ifdef CONFIG_PAX_REFCOUNT
8869 +                    "jno 0f\n"
8870 +                    LOCK_PREFIX _ASM_SUB "%1,%0\n"
8871 +                    "int $4\n0:\n"
8872 +                    _ASM_EXTABLE(0b, 0b)
8873 +#endif
8874 +
8875                      : "+m" (sem->count)
8876                      : "er" (delta));
8877  }
8878 @@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
8879  {
8880         long tmp = delta;
8881  
8882 -       asm volatile(LOCK_PREFIX "xadd %0,%1"
8883 +       asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8884 +
8885 +#ifdef CONFIG_PAX_REFCOUNT
8886 +                    "jno 0f\n"
8887 +                    "mov %0,%1\n"
8888 +                    "int $4\n0:\n"
8889 +                    _ASM_EXTABLE(0b, 0b)
8890 +#endif
8891 +
8892                      : "+r" (tmp), "+m" (sem->count)
8893                      : : "memory");
8894  
8895 diff -urNp linux-3.0.9/arch/x86/include/asm/segment.h linux-3.0.9/arch/x86/include/asm/segment.h
8896 --- linux-3.0.9/arch/x86/include/asm/segment.h  2011-11-11 13:12:24.000000000 -0500
8897 +++ linux-3.0.9/arch/x86/include/asm/segment.h  2011-11-15 20:02:59.000000000 -0500
8898 @@ -64,10 +64,15 @@
8899   *  26 - ESPFIX small SS
8900   *  27 - per-cpu                       [ offset to per-cpu data area ]
8901   *  28 - stack_canary-20               [ for stack protector ]
8902 - *  29 - unused
8903 - *  30 - unused
8904 + *  29 - PCI BIOS CS
8905 + *  30 - PCI BIOS DS
8906   *  31 - TSS for double fault handler
8907   */
8908 +#define GDT_ENTRY_KERNEXEC_EFI_CS      (1)
8909 +#define GDT_ENTRY_KERNEXEC_EFI_DS      (2)
8910 +#define __KERNEXEC_EFI_CS      (GDT_ENTRY_KERNEXEC_EFI_CS*8)
8911 +#define __KERNEXEC_EFI_DS      (GDT_ENTRY_KERNEXEC_EFI_DS*8)
8912 +
8913  #define GDT_ENTRY_TLS_MIN      6
8914  #define GDT_ENTRY_TLS_MAX      (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
8915  
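Review bot: The new GDT_ENTRY_KERNEXEC_EFI_CS/DS slots (1 and 2) are not listed in the GDT layout comment this hunk edits, while the PCI BIOS entries 29 and 30 are. The top of that table is outside the hunk, so if slots 1 and 2 are described there as unused, the two lines should be updated, e.g. ` *   1 - KERNEXEC EFI CS` and ` *   2 - KERNEXEC EFI DS`. The four definitions are also unconditional, unlike most additions in this patch that sit under a CONFIG_PAX_* guard; that is harmless for constants, but a one-line comment stating when these descriptors are actually installed would help, if that is known.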
8916 @@ -79,6 +84,8 @@
8917  
8918  #define GDT_ENTRY_KERNEL_CS            (GDT_ENTRY_KERNEL_BASE+0)
8919  
8920 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS   (4)
8921 +
8922  #define GDT_ENTRY_KERNEL_DS            (GDT_ENTRY_KERNEL_BASE+1)
8923  
8924  #define GDT_ENTRY_TSS                  (GDT_ENTRY_KERNEL_BASE+4)
8925 @@ -104,6 +111,12 @@
8926  #define __KERNEL_STACK_CANARY          0
8927  #endif
8928  
8929 +#define GDT_ENTRY_PCIBIOS_CS           (GDT_ENTRY_KERNEL_BASE+17)
8930 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8931 +
8932 +#define GDT_ENTRY_PCIBIOS_DS           (GDT_ENTRY_KERNEL_BASE+18)
8933 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8934 +
8935  #define GDT_ENTRY_DOUBLEFAULT_TSS      31
8936  
8937  /*
8938 @@ -141,7 +154,7 @@
8939   */
8940  
8941  /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8942 -#define SEGMENT_IS_PNP_CODE(x)   (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8943 +#define SEGMENT_IS_PNP_CODE(x)   (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8944  
8945  
8946  #else
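Review bot: The replacement SEGMENT_IS_PNP_CODE expands its argument `x` twice, so a caller passing an expression with side effects evaluates it twice; the old single-comparison form did not have that hazard. Either move it into a `static inline` helper or document the restriction with `/* x is evaluated twice: pass a side-effect-free expression */`. A second comment would make the mask readable: `0xFFFCU` drops the two RPL bits of the selector and keeps the TI bit, so only GDT selectors equal to PNP_CS32 or PNP_CS16 at any privilege level match, which is a more precise test than the old `& 0xf4` form.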
8947 @@ -165,6 +178,8 @@
8948  #define __USER32_CS   (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8949  #define __USER32_DS    __USER_DS
8950  
8951 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8952 +
8953  #define GDT_ENTRY_TSS 8        /* needs two entries */
8954  #define GDT_ENTRY_LDT 10 /* needs two entries */
8955  #define GDT_ENTRY_TLS_MIN 12
8956 @@ -185,6 +200,7 @@
8957  #endif
8958  
8959  #define __KERNEL_CS    (GDT_ENTRY_KERNEL_CS*8)
8960 +#define __KERNEXEC_KERNEL_CS   (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
8961  #define __KERNEL_DS    (GDT_ENTRY_KERNEL_DS*8)
8962  #define __USER_DS      (GDT_ENTRY_DEFAULT_USER_DS*8+3)
8963  #define __USER_CS      (GDT_ENTRY_DEFAULT_USER_CS*8+3)
8964 diff -urNp linux-3.0.9/arch/x86/include/asm/smp.h linux-3.0.9/arch/x86/include/asm/smp.h
8965 --- linux-3.0.9/arch/x86/include/asm/smp.h      2011-11-11 13:12:24.000000000 -0500
8966 +++ linux-3.0.9/arch/x86/include/asm/smp.h      2011-11-15 20:02:59.000000000 -0500
8967 @@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
8968  /* cpus sharing the last level cache: */
8969  DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
8970  DECLARE_PER_CPU(u16, cpu_llc_id);
8971 -DECLARE_PER_CPU(int, cpu_number);
8972 +DECLARE_PER_CPU(unsigned int, cpu_number);
8973  
8974  static inline struct cpumask *cpu_sibling_mask(int cpu)
8975  {
8976 @@ -77,7 +77,7 @@ struct smp_ops {
8977  
8978         void (*send_call_func_ipi)(const struct cpumask *mask);
8979         void (*send_call_func_single_ipi)(int cpu);
8980 -};
8981 +} __no_const;
8982  
8983  /* Globals due to paravirt */
8984  extern void set_cpu_sibling_map(int cpu);
8985 @@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
8986  extern int safe_smp_processor_id(void);
8987  
8988  #elif defined(CONFIG_X86_64_SMP)
8989 -#define raw_smp_processor_id() (percpu_read(cpu_number))
8990 -
8991 -#define stack_smp_processor_id()                                       \
8992 -({                                                             \
8993 -       struct thread_info *ti;                                         \
8994 -       __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK));      \
8995 -       ti->cpu;                                                        \
8996 -})
8997 +#define raw_smp_processor_id()         (percpu_read(cpu_number))
8998 +#define stack_smp_processor_id()       raw_smp_processor_id()
8999  #define safe_smp_processor_id()                smp_processor_id()
9000  
9001  #endif
9002 diff -urNp linux-3.0.9/arch/x86/include/asm/spinlock.h linux-3.0.9/arch/x86/include/asm/spinlock.h
9003 --- linux-3.0.9/arch/x86/include/asm/spinlock.h 2011-11-11 13:12:24.000000000 -0500
9004 +++ linux-3.0.9/arch/x86/include/asm/spinlock.h 2011-11-15 20:02:59.000000000 -0500
9005 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9006  static inline void arch_read_lock(arch_rwlock_t *rw)
9007  {
9008         asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9009 +
9010 +#ifdef CONFIG_PAX_REFCOUNT
9011 +                    "jno 0f\n"
9012 +                    LOCK_PREFIX " addl $1,(%0)\n"
9013 +                    "int $4\n0:\n"
9014 +                    _ASM_EXTABLE(0b, 0b)
9015 +#endif
9016 +
9017                      "jns 1f\n"
9018                      "call __read_lock_failed\n\t"
9019                      "1:\n"
9020 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9021  static inline void arch_write_lock(arch_rwlock_t *rw)
9022  {
9023         asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9024 +
9025 +#ifdef CONFIG_PAX_REFCOUNT
9026 +                    "jno 0f\n"
9027 +                    LOCK_PREFIX " addl %1,(%0)\n"
9028 +                    "int $4\n0:\n"
9029 +                    _ASM_EXTABLE(0b, 0b)
9030 +#endif
9031 +
9032                      "jz 1f\n"
9033                      "call __write_lock_failed\n\t"
9034                      "1:\n"
9035 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9036  
9037  static inline void arch_read_unlock(arch_rwlock_t *rw)
9038  {
9039 -       asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9040 +       asm volatile(LOCK_PREFIX "incl %0\n"
9041 +
9042 +#ifdef CONFIG_PAX_REFCOUNT
9043 +                    "jno 0f\n"
9044 +                    LOCK_PREFIX "decl %0\n"
9045 +                    "int $4\n0:\n"
9046 +                    _ASM_EXTABLE(0b, 0b)
9047 +#endif
9048 +
9049 +                    :"+m" (rw->lock) : : "memory");
9050  }
9051  
9052  static inline void arch_write_unlock(arch_rwlock_t *rw)
9053  {
9054 -       asm volatile(LOCK_PREFIX "addl %1, %0"
9055 +       asm volatile(LOCK_PREFIX "addl %1, %0\n"
9056 +
9057 +#ifdef CONFIG_PAX_REFCOUNT
9058 +                    "jno 0f\n"
9059 +                    LOCK_PREFIX "subl %1, %0\n"
9060 +                    "int $4\n0:\n"
9061 +                    _ASM_EXTABLE(0b, 0b)
9062 +#endif
9063 +
9064                      : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9065  }
9066  
9067 diff -urNp linux-3.0.9/arch/x86/include/asm/stackprotector.h linux-3.0.9/arch/x86/include/asm/stackprotector.h
9068 --- linux-3.0.9/arch/x86/include/asm/stackprotector.h   2011-11-11 13:12:24.000000000 -0500
9069 +++ linux-3.0.9/arch/x86/include/asm/stackprotector.h   2011-11-15 20:02:59.000000000 -0500
9070 @@ -48,7 +48,7 @@
9071   * head_32 for boot CPU and setup_per_cpu_areas() for others.
9072   */
9073  #define GDT_STACK_CANARY_INIT                                          \
9074 -       [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
9075 +       [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
9076  
9077  /*
9078   * Initialize the stackprotector canary value.
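Review bot: The limit change from `0x18` to `0x17` deserves an explanatory comment, since a reader will otherwise take it for an off-by-one: the limit field of a segment descriptor is the highest valid offset, so `0x17` describes exactly 24 bytes whereas `0x18` allowed one byte past that. Something like `/* limit is inclusive: 0x17 covers 24 bytes */` on the changed line would do. The same inclusive-limit reasoning appears to be behind the get_limit change in the system.h hunk of this patch.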
9079 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9080  
9081  static inline void load_stack_canary_segment(void)
9082  {
9083 -#ifdef CONFIG_X86_32
9084 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9085         asm volatile ("mov %0, %%gs" : : "r" (0));
9086  #endif
9087  }
9088 diff -urNp linux-3.0.9/arch/x86/include/asm/stacktrace.h linux-3.0.9/arch/x86/include/asm/stacktrace.h
9089 --- linux-3.0.9/arch/x86/include/asm/stacktrace.h       2011-11-11 13:12:24.000000000 -0500
9090 +++ linux-3.0.9/arch/x86/include/asm/stacktrace.h       2011-11-15 20:02:59.000000000 -0500
9091 @@ -11,28 +11,20 @@
9092  
9093  extern int kstack_depth_to_print;
9094  
9095 -struct thread_info;
9096 +struct task_struct;
9097  struct stacktrace_ops;
9098  
9099 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
9100 -                                     unsigned long *stack,
9101 -                                     unsigned long bp,
9102 -                                     const struct stacktrace_ops *ops,
9103 -                                     void *data,
9104 -                                     unsigned long *end,
9105 -                                     int *graph);
9106 -
9107 -extern unsigned long
9108 -print_context_stack(struct thread_info *tinfo,
9109 -                   unsigned long *stack, unsigned long bp,
9110 -                   const struct stacktrace_ops *ops, void *data,
9111 -                   unsigned long *end, int *graph);
9112 -
9113 -extern unsigned long
9114 -print_context_stack_bp(struct thread_info *tinfo,
9115 -                      unsigned long *stack, unsigned long bp,
9116 -                      const struct stacktrace_ops *ops, void *data,
9117 -                      unsigned long *end, int *graph);
9118 +typedef unsigned long walk_stack_t(struct task_struct *task,
9119 +                                  void *stack_start,
9120 +                                  unsigned long *stack,
9121 +                                  unsigned long bp,
9122 +                                  const struct stacktrace_ops *ops,
9123 +                                  void *data,
9124 +                                  unsigned long *end,
9125 +                                  int *graph);
9126 +
9127 +extern walk_stack_t print_context_stack;
9128 +extern walk_stack_t print_context_stack_bp;
9129  
9130  /* Generic stack tracer with callbacks */
9131  
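Review bot: The new walk_stack_t signature adds a `void *stack_start` parameter ahead of `stack`, but neither the typedef nor the print_context_stack/print_context_stack_bp declarations say what it denotes or how it relates to `end`. A short comment on the typedef naming what `stack_start` points at (presumably the base of the stack being walked, so the walk can be bounded from below — to be confirmed against the implementation) would spare every implementer of a walker from guessing. Changing the typedef from a function pointer to a function type, with `walk_stack_t *walk_stack` in stacktrace_ops, also alters how existing walkers must be declared, which a one-line comment above the typedef could note.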
9132 @@ -40,7 +32,7 @@ struct stacktrace_ops {
9133         void (*address)(void *data, unsigned long address, int reliable);
9134         /* On negative return stop dumping */
9135         int (*stack)(void *data, char *name);
9136 -       walk_stack_t    walk_stack;
9137 +       walk_stack_t    *walk_stack;
9138  };
9139  
9140  void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
9141 diff -urNp linux-3.0.9/arch/x86/include/asm/sys_ia32.h linux-3.0.9/arch/x86/include/asm/sys_ia32.h
9142 --- linux-3.0.9/arch/x86/include/asm/sys_ia32.h 2011-11-11 13:12:24.000000000 -0500
9143 +++ linux-3.0.9/arch/x86/include/asm/sys_ia32.h 2011-11-15 20:02:59.000000000 -0500
9144 @@ -40,7 +40,7 @@ asmlinkage long sys32_rt_sigprocmask(int
9145                                      compat_sigset_t __user *, unsigned int);
9146  asmlinkage long sys32_alarm(unsigned int);
9147  
9148 -asmlinkage long sys32_waitpid(compat_pid_t, unsigned int *, int);
9149 +asmlinkage long sys32_waitpid(compat_pid_t, unsigned int __user *, int);
9150  asmlinkage long sys32_sysfs(int, u32, u32);
9151  
9152  asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
9153 diff -urNp linux-3.0.9/arch/x86/include/asm/system.h linux-3.0.9/arch/x86/include/asm/system.h
9154 --- linux-3.0.9/arch/x86/include/asm/system.h   2011-11-11 13:12:24.000000000 -0500
9155 +++ linux-3.0.9/arch/x86/include/asm/system.h   2011-11-15 20:02:59.000000000 -0500
9156 @@ -129,7 +129,7 @@ do {                                                                        \
9157              "call __switch_to\n\t"                                       \
9158              "movq "__percpu_arg([current_task])",%%rsi\n\t"              \
9159              __switch_canary                                              \
9160 -            "movq %P[thread_info](%%rsi),%%r8\n\t"                       \
9161 +            "movq "__percpu_arg([thread_info])",%%r8\n\t"                \
9162              "movq %%rax,%%rdi\n\t"                                       \
9163              "testl  %[_tif_fork],%P[ti_flags](%%r8)\n\t"                 \
9164              "jnz   ret_from_fork\n\t"                                    \
9165 @@ -140,7 +140,7 @@ do {                                                                        \
9166                [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
9167                [ti_flags] "i" (offsetof(struct thread_info, flags)),      \
9168                [_tif_fork] "i" (_TIF_FORK),                               \
9169 -              [thread_info] "i" (offsetof(struct task_struct, stack)),   \
9170 +              [thread_info] "m" (current_tinfo),                         \
9171                [current_task] "m" (current_task)                          \
9172                __switch_canary_iparam                                     \
9173              : "memory", "cc" __EXTRA_CLOBBER)
9174 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
9175  {
9176         unsigned long __limit;
9177         asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9178 -       return __limit + 1;
9179 +       return __limit;
9180  }
9181  
9182  static inline void native_clts(void)
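Review bot: get_limit now returns the raw `lsl` result, i.e. the segment's inclusive limit (highest valid offset) rather than its size in bytes, and nothing in the hunk records that contract change. Since every caller comparing an offset against this value must switch from `<` to `<=`, a comment on the function is warranted, e.g. `/* Returns the inclusive limit of @segment (last valid offset), not its byte size; compare with <= */`. The callers are outside this hunk, so whether they were updated in the rest of the patch cannot be confirmed here. The signature line of get_limit is outside the hunk as well.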
9183 @@ -397,12 +397,12 @@ void enable_hlt(void);
9184  
9185  void cpu_idle_wait(void);
9186  
9187 -extern unsigned long arch_align_stack(unsigned long sp);
9188 +#define arch_align_stack(x) ((x) & ~0xfUL)
9189  extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9190  
9191  void default_idle(void);
9192  
9193 -void stop_this_cpu(void *dummy);
9194 +void stop_this_cpu(void *dummy) __noreturn;
9195  
9196  /*
9197   * Force strict CPU ordering.
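Review bot: Replacing the `arch_align_stack()` function with the macro `((x) & ~0xfUL)` changes more than its form: in the stock 3.0 kernel the function also subtracts a random offset from the stack pointer (subject to randomize_va_space and the ADDR_NO_RANDOMIZE personality flag) before aligning, and the macro performs only the alignment. If the patch moves that stack-top randomization elsewhere, as its own stack randomization presumably does, a comment next to the macro pointing there would stop a future reader from concluding the randomization was lost, e.g. `/* alignment only; stack-top randomization is applied elsewhere in this patch */`. If it is not moved, this is a reduction in userland stack entropy that should be called out. The function's original body is not part of this hunk.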
9198 diff -urNp linux-3.0.9/arch/x86/include/asm/thread_info.h linux-3.0.9/arch/x86/include/asm/thread_info.h
9199 --- linux-3.0.9/arch/x86/include/asm/thread_info.h      2011-11-11 13:12:24.000000000 -0500
9200 +++ linux-3.0.9/arch/x86/include/asm/thread_info.h      2011-11-15 20:02:59.000000000 -0500
9201 @@ -10,6 +10,7 @@
9202  #include <linux/compiler.h>
9203  #include <asm/page.h>
9204  #include <asm/types.h>
9205 +#include <asm/percpu.h>
9206  
9207  /*
9208   * low level task data that entry.S needs immediate access to
9209 @@ -24,7 +25,6 @@ struct exec_domain;
9210  #include <asm/atomic.h>
9211  
9212  struct thread_info {
9213 -       struct task_struct      *task;          /* main task structure */
9214         struct exec_domain      *exec_domain;   /* execution domain */
9215         __u32                   flags;          /* low level flags */
9216         __u32                   status;         /* thread synchronous flags */
9217 @@ -34,18 +34,12 @@ struct thread_info {
9218         mm_segment_t            addr_limit;
9219         struct restart_block    restart_block;
9220         void __user             *sysenter_return;
9221 -#ifdef CONFIG_X86_32
9222 -       unsigned long           previous_esp;   /* ESP of the previous stack in
9223 -                                                  case of nested (IRQ) stacks
9224 -                                               */
9225 -       __u8                    supervisor_stack[0];
9226 -#endif
9227 +       unsigned long           lowest_stack;
9228         int                     uaccess_err;
9229  };
9230  
9231 -#define INIT_THREAD_INFO(tsk)                  \
9232 +#define INIT_THREAD_INFO                       \
9233  {                                              \
9234 -       .task           = &tsk,                 \
9235         .exec_domain    = &default_exec_domain, \
9236         .flags          = 0,                    \
9237         .cpu            = 0,                    \
9238 @@ -56,7 +50,7 @@ struct thread_info {
9239         },                                      \
9240  }
9241  
9242 -#define init_thread_info       (init_thread_union.thread_info)
9243 +#define init_thread_info       (init_thread_union.stack)
9244  #define init_stack             (init_thread_union.stack)
9245  
9246  #else /* !__ASSEMBLY__ */
9247 @@ -170,6 +164,23 @@ struct thread_info {
9248         ret;                                                            \
9249  })
9250  
9251 +#ifdef __ASSEMBLY__
9252 +/* how to get the thread information struct from ASM */
9253 +#define GET_THREAD_INFO(reg)    \
9254 +       mov PER_CPU_VAR(current_tinfo), reg
9255 +
9256 +/* use this one if reg already contains %esp */
9257 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
9258 +#else
9259 +/* how to get the thread information struct from C */
9260 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
9261 +
9262 +static __always_inline struct thread_info *current_thread_info(void)
9263 +{
9264 +       return percpu_read_stable(current_tinfo);
9265 +}
9266 +#endif
9267 +
9268  #ifdef CONFIG_X86_32
9269  
9270  #define STACK_WARN     (THREAD_SIZE/8)
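Review bot: The comment kept on `GET_THREAD_INFO_WITH_ESP` ("use this one if reg already contains %esp") is now misleading: the macro expands to `GET_THREAD_INFO(reg)`, which overwrites reg with the per-cpu `current_tinfo` and ignores whatever reg held. Replace it with something like `/* kept for callers that used to pass %esp; the register's previous contents are ignored */`. The `mov PER_CPU_VAR(current_tinfo), reg` form also requires the per-cpu segment base to be set up before any assembler caller runs, which the removed `andl $-THREAD_SIZE` form did not; a note on that early-boot dependency would help.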
9271 @@ -180,35 +191,13 @@ struct thread_info {
9272   */
9273  #ifndef __ASSEMBLY__
9274  
9275 -
9276  /* how to get the current stack pointer from C */
9277  register unsigned long current_stack_pointer asm("esp") __used;
9278  
9279 -/* how to get the thread information struct from C */
9280 -static inline struct thread_info *current_thread_info(void)
9281 -{
9282 -       return (struct thread_info *)
9283 -               (current_stack_pointer & ~(THREAD_SIZE - 1));
9284 -}
9285 -
9286 -#else /* !__ASSEMBLY__ */
9287 -
9288 -/* how to get the thread information struct from ASM */
9289 -#define GET_THREAD_INFO(reg)    \
9290 -       movl $-THREAD_SIZE, reg; \
9291 -       andl %esp, reg
9292 -
9293 -/* use this one if reg already contains %esp */
9294 -#define GET_THREAD_INFO_WITH_ESP(reg) \
9295 -       andl $-THREAD_SIZE, reg
9296 -
9297  #endif
9298  
9299  #else /* X86_32 */
9300  
9301 -#include <asm/percpu.h>
9302 -#define KERNEL_STACK_OFFSET (5*8)
9303 -
9304  /*
9305   * macros/functions for gaining access to the thread information structure
9306   * preempt_count needs to be 1 initially, until the scheduler is functional.
9307 @@ -216,21 +205,8 @@ static inline struct thread_info *curren
9308  #ifndef __ASSEMBLY__
9309  DECLARE_PER_CPU(unsigned long, kernel_stack);
9310  
9311 -static inline struct thread_info *current_thread_info(void)
9312 -{
9313 -       struct thread_info *ti;
9314 -       ti = (void *)(percpu_read_stable(kernel_stack) +
9315 -                     KERNEL_STACK_OFFSET - THREAD_SIZE);
9316 -       return ti;
9317 -}
9318 -
9319 -#else /* !__ASSEMBLY__ */
9320 -
9321 -/* how to get the thread information struct from ASM */
9322 -#define GET_THREAD_INFO(reg) \
9323 -       movq PER_CPU_VAR(kernel_stack),reg ; \
9324 -       subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
9325 -
9326 +/* how to get the current stack pointer from C */
9327 +register unsigned long current_stack_pointer asm("rsp") __used;
9328  #endif
9329  
9330  #endif /* !X86_32 */
9331 @@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
9332  extern void free_thread_info(struct thread_info *ti);
9333  extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
9334  #define arch_task_cache_init arch_task_cache_init
9335 +
9336 +#define __HAVE_THREAD_FUNCTIONS
9337 +#define task_thread_info(task) (&(task)->tinfo)
9338 +#define task_stack_page(task)  ((task)->stack)
9339 +#define setup_thread_stack(p, org) do {} while (0)
9340 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
9341 +
9342 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
9343 +extern struct task_struct *alloc_task_struct_node(int node);
9344 +extern void free_task_struct(struct task_struct *);
9345 +
9346  #endif
9347  #endif /* _ASM_X86_THREAD_INFO_H */
9348 diff -urNp linux-3.0.9/arch/x86/include/asm/uaccess_32.h linux-3.0.9/arch/x86/include/asm/uaccess_32.h
9349 --- linux-3.0.9/arch/x86/include/asm/uaccess_32.h       2011-11-11 13:12:24.000000000 -0500
9350 +++ linux-3.0.9/arch/x86/include/asm/uaccess_32.h       2011-11-15 20:02:59.000000000 -0500
9351 @@ -43,6 +43,11 @@ unsigned long __must_check __copy_from_u
9352  static __always_inline unsigned long __must_check
9353  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9354  {
9355 +       pax_track_stack();
9356 +
9357 +       if ((long)n < 0)
9358 +               return n;
9359 +
9360         if (__builtin_constant_p(n)) {
9361                 unsigned long ret;
9362  
9363 @@ -61,6 +66,8 @@ __copy_to_user_inatomic(void __user *to,
9364                         return ret;
9365                 }
9366         }
9367 +       if (!__builtin_constant_p(n))
9368 +               check_object_size(from, n, true);
9369         return __copy_to_user_ll(to, from, n);
9370  }
9371  
9372 @@ -82,12 +89,16 @@ static __always_inline unsigned long __m
9373  __copy_to_user(void __user *to, const void *from, unsigned long n)
9374  {
9375         might_fault();
9376 +
9377         return __copy_to_user_inatomic(to, from, n);
9378  }
9379  
9380  static __always_inline unsigned long
9381  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9382  {
9383 +       if ((long)n < 0)
9384 +               return n;
9385 +
9386         /* Avoid zeroing the tail if the copy fails..
9387          * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9388          * but as the zeroing behaviour is only significant when n is not
9389 @@ -137,6 +148,12 @@ static __always_inline unsigned long
9390  __copy_from_user(void *to, const void __user *from, unsigned long n)
9391  {
9392         might_fault();
9393 +
9394 +       pax_track_stack();
9395 +
9396 +       if ((long)n < 0)
9397 +               return n;
9398 +
9399         if (__builtin_constant_p(n)) {
9400                 unsigned long ret;
9401  
9402 @@ -152,6 +169,8 @@ __copy_from_user(void *to, const void __
9403                         return ret;
9404                 }
9405         }
9406 +       if (!__builtin_constant_p(n))
9407 +               check_object_size(to, n, false);
9408         return __copy_from_user_ll(to, from, n);
9409  }
9410  
9411 @@ -159,6 +178,10 @@ static __always_inline unsigned long __c
9412                                 const void __user *from, unsigned long n)
9413  {
9414         might_fault();
9415 +
9416 +       if ((long)n < 0)
9417 +               return n;
9418 +
9419         if (__builtin_constant_p(n)) {
9420                 unsigned long ret;
9421  
9422 @@ -181,15 +204,19 @@ static __always_inline unsigned long
9423  __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9424                                   unsigned long n)
9425  {
9426 -       return __copy_from_user_ll_nocache_nozero(to, from, n);
9427 -}
9428 +       if ((long)n < 0)
9429 +               return n;
9430  
9431 -unsigned long __must_check copy_to_user(void __user *to,
9432 -                                       const void *from, unsigned long n);
9433 -unsigned long __must_check _copy_from_user(void *to,
9434 -                                         const void __user *from,
9435 -                                         unsigned long n);
9436 +       return __copy_from_user_ll_nocache_nozero(to, from, n);
9437 +}
9438  
9439 +extern void copy_to_user_overflow(void)
9440 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9441 +       __compiletime_error("copy_to_user() buffer size is not provably correct")
9442 +#else
9443 +       __compiletime_warning("copy_to_user() buffer size is not provably correct")
9444 +#endif
9445 +;
9446  
9447  extern void copy_from_user_overflow(void)
9448  #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9449 @@ -199,17 +226,61 @@ extern void copy_from_user_overflow(void
9450  #endif
9451  ;
9452  
9453 -static inline unsigned long __must_check copy_from_user(void *to,
9454 -                                         const void __user *from,
9455 -                                         unsigned long n)
9456 +/**
9457 + * copy_to_user: - Copy a block of data into user space.
9458 + * @to:   Destination address, in user space.
9459 + * @from: Source address, in kernel space.
9460 + * @n:    Number of bytes to copy.
9461 + *
9462 + * Context: User context only.  This function may sleep.
9463 + *
9464 + * Copy data from kernel space to user space.
9465 + *
9466 + * Returns number of bytes that could not be copied.
9467 + * On success, this will be zero.
9468 + */
9469 +static inline unsigned long __must_check
9470 +copy_to_user(void __user *to, const void *from, unsigned long n)
9471 +{
9472 +       int sz = __compiletime_object_size(from);
9473 +
9474 +       if (unlikely(sz != -1 && sz < n))
9475 +               copy_to_user_overflow();
9476 +       else if (access_ok(VERIFY_WRITE, to, n))
9477 +               n = __copy_to_user(to, from, n);
9478 +       return n;
9479 +}
9480 +
9481 +/**
9482 + * copy_from_user: - Copy a block of data from user space.
9483 + * @to:   Destination address, in kernel space.
9484 + * @from: Source address, in user space.
9485 + * @n:    Number of bytes to copy.
9486 + *
9487 + * Context: User context only.  This function may sleep.
9488 + *
9489 + * Copy data from user space to kernel space.
9490 + *
9491 + * Returns number of bytes that could not be copied.
9492 + * On success, this will be zero.
9493 + *
9494 + * If some data could not be copied, this function will pad the copied
9495 + * data to the requested size using zero bytes.
9496 + */
9497 +static inline unsigned long __must_check
9498 +copy_from_user(void *to, const void __user *from, unsigned long n)
9499  {
9500         int sz = __compiletime_object_size(to);
9501  
9502 -       if (likely(sz == -1 || sz >= n))
9503 -               n = _copy_from_user(to, from, n);
9504 -       else
9505 +       if (unlikely(sz != -1 && sz < n))
9506                 copy_from_user_overflow();
9507 -
9508 +       else if (access_ok(VERIFY_READ, from, n))
9509 +               n = __copy_from_user(to, from, n);
9510 +       else if ((long)n > 0) {
9511 +               if (!__builtin_constant_p(n))
9512 +                       check_object_size(to, n, false);
9513 +               memset(to, 0, n);
9514 +       }
9515         return n;
9516  }
9517  
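Review bot: In the new copy_to_user the test `sz < n` compares an `int` with an `unsigned long`; it is safe only because `sz != -1` is checked first, and the rewritten copy_from_user condition has the same shape, so `if (unlikely(sz != -1 && (unsigned long)sz < n))` in both would make the intent explicit and keep `-Wsign-compare` quiet. The copy_to_user kerneldoc does not mention the new compile-time branch: when the source object is provably too small the copy is skipped entirely and `n` is returned unchanged, which differs from the partial-copy failure the text describes. `copy_to_user_overflow()` is only declared here, so its definition must be provided elsewhere in the patch, which this hunk cannot confirm. In copy_from_user the zeroing on a failed access_ok is gated on `(long)n > 0`; a comment like `/* a negative n would turn the memset into a huge overwrite */` would explain the cast.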
9518 diff -urNp linux-3.0.9/arch/x86/include/asm/uaccess_64.h linux-3.0.9/arch/x86/include/asm/uaccess_64.h
9519 --- linux-3.0.9/arch/x86/include/asm/uaccess_64.h       2011-11-11 13:12:24.000000000 -0500
9520 +++ linux-3.0.9/arch/x86/include/asm/uaccess_64.h       2011-11-15 20:02:59.000000000 -0500
9521 @@ -10,6 +10,9 @@
9522  #include <asm/alternative.h>
9523  #include <asm/cpufeature.h>
9524  #include <asm/page.h>
9525 +#include <asm/pgtable.h>
9526 +
9527 +#define set_fs(x)      (current_thread_info()->addr_limit = (x))
9528  
9529  /*
9530   * Copy To/From Userspace
9531 @@ -36,26 +39,26 @@ copy_user_generic(void *to, const void *
9532         return ret;
9533  }
9534  
9535 -__must_check unsigned long
9536 -_copy_to_user(void __user *to, const void *from, unsigned len);
9537 -__must_check unsigned long
9538 -_copy_from_user(void *to, const void __user *from, unsigned len);
9539 +static __always_inline __must_check unsigned long
9540 +__copy_to_user(void __user *to, const void *from, unsigned len);
9541 +static __always_inline __must_check unsigned long
9542 +__copy_from_user(void *to, const void __user *from, unsigned len);
9543  __must_check unsigned long
9544  copy_in_user(void __user *to, const void __user *from, unsigned len);
9545  
9546  static inline unsigned long __must_check copy_from_user(void *to,
9547                                           const void __user *from,
9548 -                                         unsigned long n)
9549 +                                         unsigned n)
9550  {
9551 -       int sz = __compiletime_object_size(to);
9552 -
9553         might_fault();
9554 -       if (likely(sz == -1 || sz >= n))
9555 -               n = _copy_from_user(to, from, n);
9556 -#ifdef CONFIG_DEBUG_VM
9557 -       else
9558 -               WARN(1, "Buffer overflow detected!\n");
9559 -#endif
9560 +
9561 +       if (access_ok(VERIFY_READ, from, n))
9562 +               n = __copy_from_user(to, from, n);
9563 +       else if ((int)n > 0) {
9564 +               if (!__builtin_constant_p(n))
9565 +                       check_object_size(to, n, false);
9566 +               memset(to, 0, n);
9567 +       }
9568         return n;
9569  }
9570  
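Review bot: The parameter type of copy_from_user narrows from `unsigned long n` to `unsigned n`, so a 64-bit size passed by a caller is truncated at the call boundary before the `access_ok` and `(int)n > 0` checks see it; a value like 0x100000001 becomes 1, and the caller is then told that at most one byte was left uncopied. The 32-bit header keeps `unsigned long` and tests `(long)n`, so the two headers now disagree on both the width and the sign test. If the narrowing is deliberate, to match the `unsigned len` of `__copy_from_user` declared above, it should be documented, e.g. `/* n is deliberately 32-bit to match __copy_from_user; larger requests are truncated */`, or better, keep `unsigned long n` with a `(long)n` check as in uaccess_32.h. The `(int)n > 0` guard on the memset also treats any size of 2 GiB or more as an error to be returned unchanged, which deserves a comment of its own.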
9571 @@ -64,110 +67,198 @@ int copy_to_user(void __user *dst, const
9572  {
9573         might_fault();
9574  
9575 -       return _copy_to_user(dst, src, size);
9576 +       if (access_ok(VERIFY_WRITE, dst, size))
9577 +               size = __copy_to_user(dst, src, size);
9578 +       return size;
9579  }
9580  
9581  static __always_inline __must_check
9582 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9583 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9584  {
9585 -       int ret = 0;
9586 +       int sz = __compiletime_object_size(dst);
9587 +       unsigned ret = 0;
9588  
9589         might_fault();
9590 -       if (!__builtin_constant_p(size))
9591 -               return copy_user_generic(dst, (__force void *)src, size);
9592 +
9593 +       pax_track_stack();
9594 +
9595 +       if ((int)size < 0)
9596 +               return size;
9597 +
9598 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9599 +       if (!__access_ok(VERIFY_READ, src, size))
9600 +               return size;
9601 +#endif
9602 +
9603 +       if (unlikely(sz != -1 && sz < size)) {
9604 +#ifdef CONFIG_DEBUG_VM
9605 +               WARN(1, "Buffer overflow detected!\n");
9606 +#endif
9607 +               return size;
9608 +       }
9609 +
9610 +       if (!__builtin_constant_p(size)) {
9611 +               check_object_size(dst, size, false);
9612 +
9613 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9614 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9615 +                       src += PAX_USER_SHADOW_BASE;
9616 +#endif
9617 +
9618 +               return copy_user_generic(dst, (__force_kernel const void *)src, size);
9619 +       }
9620         switch (size) {
9621 -       case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9622 +       case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9623                               ret, "b", "b", "=q", 1);
9624                 return ret;
9625 -       case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9626 +       case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9627                               ret, "w", "w", "=r", 2);
9628                 return ret;
9629 -       case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9630 +       case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9631                               ret, "l", "k", "=r", 4);
9632                 return ret;
9633 -       case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9634 +       case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9635                               ret, "q", "", "=r", 8);
9636                 return ret;
9637         case 10:
9638 -               __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9639 +               __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9640                                ret, "q", "", "=r", 10);
9641                 if (unlikely(ret))
9642                         return ret;
9643                 __get_user_asm(*(u16 *)(8 + (char *)dst),
9644 -                              (u16 __user *)(8 + (char __user *)src),
9645 +                              (const u16 __user *)(8 + (const char __user *)src),
9646                                ret, "w", "w", "=r", 2);
9647                 return ret;
9648         case 16:
9649 -               __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9650 +               __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9651                                ret, "q", "", "=r", 16);
9652                 if (unlikely(ret))
9653                         return ret;
9654                 __get_user_asm(*(u64 *)(8 + (char *)dst),
9655 -                              (u64 __user *)(8 + (char __user *)src),
9656 +                              (const u64 __user *)(8 + (const char __user *)src),
9657                                ret, "q", "", "=r", 8);
9658                 return ret;
9659         default:
9660 -               return copy_user_generic(dst, (__force void *)src, size);
9661 +
9662 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9663 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9664 +                       src += PAX_USER_SHADOW_BASE;
9665 +#endif
9666 +
9667 +               return copy_user_generic(dst, (__force_kernel const void *)src, size);
9668         }
9669  }
9670  
9671  static __always_inline __must_check
9672 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9673 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9674  {
9675 -       int ret = 0;
9676 +       int sz = __compiletime_object_size(src);
9677 +       unsigned ret = 0;
9678  
9679         might_fault();
9680 -       if (!__builtin_constant_p(size))
9681 -               return copy_user_generic((__force void *)dst, src, size);
9682 +
9683 +       pax_track_stack();
9684 +
9685 +       if ((int)size < 0)
9686 +               return size;
9687 +
9688 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9689 +       if (!__access_ok(VERIFY_WRITE, dst, size))
9690 +               return size;
9691 +#endif
9692 +
9693 +       if (unlikely(sz != -1 && sz < size)) {
9694 +#ifdef CONFIG_DEBUG_VM
9695 +               WARN(1, "Buffer overflow detected!\n");
9696 +#endif
9697 +               return size;
9698 +       }
9699 +
9700 +       if (!__builtin_constant_p(size)) {
9701 +               check_object_size(src, size, true);
9702 +
9703 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9704 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9705 +                       dst += PAX_USER_SHADOW_BASE;
9706 +#endif
9707 +
9708 +               return copy_user_generic((__force_kernel void *)dst, src, size);
9709 +       }
9710         switch (size) {
9711 -       case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9712 +       case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9713                               ret, "b", "b", "iq", 1);
9714                 return ret;
9715 -       case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9716 +       case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9717                               ret, "w", "w", "ir", 2);
9718                 return ret;
9719 -       case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9720 +       case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9721                               ret, "l", "k", "ir", 4);
9722                 return ret;
9723 -       case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9724 +       case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9725                               ret, "q", "", "er", 8);
9726                 return ret;
9727         case 10:
9728 -               __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9729 +               __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9730                                ret, "q", "", "er", 10);
9731                 if (unlikely(ret))
9732                         return ret;
9733                 asm("":::"memory");
9734 -               __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9735 +               __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9736                                ret, "w", "w", "ir", 2);
9737                 return ret;
9738         case 16:
9739 -               __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9740 +               __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9741                                ret, "q", "", "er", 16);
9742                 if (unlikely(ret))
9743                         return ret;
9744                 asm("":::"memory");
9745 -               __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9746 +               __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9747                                ret, "q", "", "er", 8);
9748                 return ret;
9749         default:
9750 -               return copy_user_generic((__force void *)dst, src, size);
9751 +
9752 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9753 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9754 +                       dst += PAX_USER_SHADOW_BASE;
9755 +#endif
9756 +
9757 +               return copy_user_generic((__force_kernel void *)dst, src, size);
9758         }
9759  }
9760  
9761  static __always_inline __must_check
9762 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9763 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9764  {
9765 -       int ret = 0;
9766 +       unsigned ret = 0;
9767  
9768         might_fault();
9769 -       if (!__builtin_constant_p(size))
9770 -               return copy_user_generic((__force void *)dst,
9771 -                                        (__force void *)src, size);
9772 +
9773 +       if ((int)size < 0)
9774 +               return size;
9775 +
9776 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9777 +       if (!__access_ok(VERIFY_READ, src, size))
9778 +               return size;
9779 +       if (!__access_ok(VERIFY_WRITE, dst, size))
9780 +               return size;
9781 +#endif
9782 +
9783 +       if (!__builtin_constant_p(size)) {
9784 +
9785 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9786 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9787 +                       src += PAX_USER_SHADOW_BASE;
9788 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9789 +                       dst += PAX_USER_SHADOW_BASE;
9790 +#endif
9791 +
9792 +               return copy_user_generic((__force_kernel void *)dst,
9793 +                                        (__force_kernel const void *)src, size);
9794 +       }
9795         switch (size) {
9796         case 1: {
9797                 u8 tmp;
9798 -               __get_user_asm(tmp, (u8 __user *)src,
9799 +               __get_user_asm(tmp, (const u8 __user *)src,
9800                                ret, "b", "b", "=q", 1);
9801                 if (likely(!ret))
9802                         __put_user_asm(tmp, (u8 __user *)dst,
9803 @@ -176,7 +267,7 @@ int __copy_in_user(void __user *dst, con
9804         }
9805         case 2: {
9806                 u16 tmp;
9807 -               __get_user_asm(tmp, (u16 __user *)src,
9808 +               __get_user_asm(tmp, (const u16 __user *)src,
9809                                ret, "w", "w", "=r", 2);
9810                 if (likely(!ret))
9811                         __put_user_asm(tmp, (u16 __user *)dst,
9812 @@ -186,7 +277,7 @@ int __copy_in_user(void __user *dst, con
9813  
9814         case 4: {
9815                 u32 tmp;
9816 -               __get_user_asm(tmp, (u32 __user *)src,
9817 +               __get_user_asm(tmp, (const u32 __user *)src,
9818                                ret, "l", "k", "=r", 4);
9819                 if (likely(!ret))
9820                         __put_user_asm(tmp, (u32 __user *)dst,
9821 @@ -195,7 +286,7 @@ int __copy_in_user(void __user *dst, con
9822         }
9823         case 8: {
9824                 u64 tmp;
9825 -               __get_user_asm(tmp, (u64 __user *)src,
9826 +               __get_user_asm(tmp, (const u64 __user *)src,
9827                                ret, "q", "", "=r", 8);
9828                 if (likely(!ret))
9829                         __put_user_asm(tmp, (u64 __user *)dst,
9830 @@ -203,8 +294,16 @@ int __copy_in_user(void __user *dst, con
9831                 return ret;
9832         }
9833         default:
9834 -               return copy_user_generic((__force void *)dst,
9835 -                                        (__force void *)src, size);
9836 +
9837 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9838 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9839 +                       src += PAX_USER_SHADOW_BASE;
9840 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9841 +                       dst += PAX_USER_SHADOW_BASE;
9842 +#endif
9843 +
9844 +               return copy_user_generic((__force_kernel void *)dst,
9845 +                                        (__force_kernel const void *)src, size);
9846         }
9847  }
9848  
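Review bot: The `default:` path repeats the five-line `CONFIG_PAX_MEMORY_UDEREF` relocation block that the `!__builtin_constant_p(size)` branch of the same function already carries, and `__copy_from_user` and `__copy_to_user` duplicate it the same way, so the `< PAX_USER_SHADOW_BASE` rule now lives in six places in this header. The companion change to uaccess.h introduces `____m()` for exactly this computation; if that macro (or a `static inline` of the same shape) is visible here, both exits of each function could share one copy instead of hand-expanding it. The enclosing `__copy_in_user` starts outside this hunk.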
9849 @@ -221,33 +320,72 @@ __must_check unsigned long __clear_user(
9850  static __must_check __always_inline int
9851  __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9852  {
9853 -       return copy_user_generic(dst, (__force const void *)src, size);
9854 +       pax_track_stack();
9855 +
9856 +       if ((int)size < 0)
9857 +               return size;
9858 +
9859 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9860 +       if (!__access_ok(VERIFY_READ, src, size))
9861 +               return size;
9862 +
9863 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9864 +               src += PAX_USER_SHADOW_BASE;
9865 +#endif
9866 +
9867 +       return copy_user_generic(dst, (__force_kernel const void *)src, size);
9868  }
9869  
9870 -static __must_check __always_inline int
9871 +static __must_check __always_inline unsigned long
9872  __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9873  {
9874 -       return copy_user_generic((__force void *)dst, src, size);
9875 +       if ((int)size < 0)
9876 +               return size;
9877 +
9878 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9879 +       if (!__access_ok(VERIFY_WRITE, dst, size))
9880 +               return size;
9881 +
9882 +       if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9883 +               dst += PAX_USER_SHADOW_BASE;
9884 +#endif
9885 +
9886 +       return copy_user_generic((__force_kernel void *)dst, src, size);
9887  }
9888  
9889 -extern long __copy_user_nocache(void *dst, const void __user *src,
9890 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9891                                 unsigned size, int zerorest);
9892  
9893 -static inline int
9894 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9895 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9896  {
9897         might_sleep();
9898 +
9899 +       if ((int)size < 0)
9900 +               return size;
9901 +
9902 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9903 +       if (!__access_ok(VERIFY_READ, src, size))
9904 +               return size;
9905 +#endif
9906 +
9907         return __copy_user_nocache(dst, src, size, 1);
9908  }
9909  
9910 -static inline int
9911 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9912 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9913                                   unsigned size)
9914  {
9915 +       if ((int)size < 0)
9916 +               return size;
9917 +
9918 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9919 +       if (!__access_ok(VERIFY_READ, src, size))
9920 +               return size;
9921 +#endif
9922 +
9923         return __copy_user_nocache(dst, src, size, 0);
9924  }
9925  
9926 -unsigned long
9927 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9928 +extern unsigned long
9929 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
9930  
9931  #endif /* _ASM_X86_UACCESS_64_H */
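Review bot: `__copy_from_user_inatomic` keeps its `int` return type on the unchanged `static __must_check __always_inline int` line while every sibling in this hunk, including `__copy_to_user_inatomic`, is switched to `unsigned long`; with the new `if ((int)size < 0) return size;` guard the function now returns an `unsigned` through `int`, so a caller that reads the result as bytes-not-copied sees a negative value for exactly the sizes the guard rejects. Changing that line to `static __must_check __always_inline unsigned long` brings it in line with the others. It is also the only inatomic variant that calls `pax_track_stack()`, which looks like an oversight rather than a deliberate asymmetry with `__copy_to_user_inatomic`. The two `_nocache` wrappers gain the `__access_ok` check but not the `PAX_USER_SHADOW_BASE` relocation the other helpers apply before calling out; presumably `__copy_user_nocache` performs it itself, and a one-line comment saying so at the call would spare the next reader a trip into the assembly.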
9932 diff -urNp linux-3.0.9/arch/x86/include/asm/uaccess.h linux-3.0.9/arch/x86/include/asm/uaccess.h
9933 --- linux-3.0.9/arch/x86/include/asm/uaccess.h  2011-11-11 13:12:24.000000000 -0500
9934 +++ linux-3.0.9/arch/x86/include/asm/uaccess.h  2011-11-15 20:02:59.000000000 -0500
9935 @@ -7,12 +7,15 @@
9936  #include <linux/compiler.h>
9937  #include <linux/thread_info.h>
9938  #include <linux/string.h>
9939 +#include <linux/sched.h>
9940  #include <asm/asm.h>
9941  #include <asm/page.h>
9942  
9943  #define VERIFY_READ 0
9944  #define VERIFY_WRITE 1
9945  
9946 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9947 +
9948  /*
9949   * The fs value determines whether argument validity checking should be
9950   * performed or not.  If get_fs() == USER_DS, checking is performed, with
9951 @@ -28,7 +31,12 @@
9952  
9953  #define get_ds()       (KERNEL_DS)
9954  #define get_fs()       (current_thread_info()->addr_limit)
9955 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9956 +void __set_fs(mm_segment_t x);
9957 +void set_fs(mm_segment_t x);
9958 +#else
9959  #define set_fs(x)      (current_thread_info()->addr_limit = (x))
9960 +#endif
9961  
9962  #define segment_eq(a, b)       ((a).seg == (b).seg)
9963  
9964 @@ -76,7 +84,33 @@
9965   * checks that the pointer is in the user space range - after calling
9966   * this function, memory access functions may still return -EFAULT.
9967   */
9968 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9969 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9970 +#define access_ok(type, addr, size)                                    \
9971 +({                                                                     \
9972 +       long __size = size;                                             \
9973 +       unsigned long __addr = (unsigned long)addr;                     \
9974 +       unsigned long __addr_ao = __addr & PAGE_MASK;                   \
9975 +       unsigned long __end_ao = __addr + __size - 1;                   \
9976 +       bool __ret_ao = __range_not_ok(__addr, __size) == 0;            \
9977 +       if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9978 +               while(__addr_ao <= __end_ao) {                          \
9979 +                       char __c_ao;                                    \
9980 +                       __addr_ao += PAGE_SIZE;                         \
9981 +                       if (__size > PAGE_SIZE)                         \
9982 +                               cond_resched();                         \
9983 +                       if (__get_user(__c_ao, (char __user *)__addr))  \
9984 +                               break;                                  \
9985 +                       if (type != VERIFY_WRITE) {                     \
9986 +                               __addr = __addr_ao;                     \
9987 +                               continue;                               \
9988 +                       }                                               \
9989 +                       if (__put_user(__c_ao, (char __user *)__addr))  \
9990 +                               break;                                  \
9991 +                       __addr = __addr_ao;                             \
9992 +               }                                                       \
9993 +       }                                                               \
9994 +       __ret_ao;                                                       \
9995 +})
9996  
9997  /*
9998   * The exception table consists of pairs of addresses: the first is the
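Review bot: The new `access_ok` has side effects that the comment above it (`checks that the pointer is in the user space range`) no longer describes: when `__ret_ao` holds and the range crosses a page boundary it touches every page, for `VERIFY_WRITE` by reading one byte and writing it back, and it calls `cond_resched()` for ranges larger than a page. Callers that invoke `access_ok` under a spinlock or with preemption disabled therefore need review, and the read-then-write-back is not atomic against a concurrent userspace writer of that byte (the older value can be stored over a newer one). A failing touch only breaks the loop and leaves `__ret_ao` unchanged, which is consistent with the existing `may still return -EFAULT` wording but worth stating. I would extend the comment with `Under PAX this also touches each page of the range (read, and for VERIFY_WRITE read-then-write a byte) and may call cond_resched(); not usable in atomic context.`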
9999 @@ -182,12 +216,20 @@ extern int __get_user_bad(void);
10000         asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10001                      : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10002  
10003 -
10004 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10005 +#define __copyuser_seg "gs;"
10006 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
10007 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
10008 +#else
10009 +#define __copyuser_seg
10010 +#define __COPYUSER_SET_ES
10011 +#define __COPYUSER_RESTORE_ES
10012 +#endif
10013  
10014  #ifdef CONFIG_X86_32
10015  #define __put_user_asm_u64(x, addr, err, errret)                       \
10016 -       asm volatile("1:        movl %%eax,0(%2)\n"                     \
10017 -                    "2:        movl %%edx,4(%2)\n"                     \
10018 +       asm volatile("1:        "__copyuser_seg"movl %%eax,0(%2)\n"     \
10019 +                    "2:        "__copyuser_seg"movl %%edx,4(%2)\n"     \
10020                      "3:\n"                                             \
10021                      ".section .fixup,\"ax\"\n"                         \
10022                      "4:        movl %3,%0\n"                           \
10023 @@ -199,8 +241,8 @@ extern int __get_user_bad(void);
10024                      : "A" (x), "r" (addr), "i" (errret), "0" (err))
10025  
10026  #define __put_user_asm_ex_u64(x, addr)                                 \
10027 -       asm volatile("1:        movl %%eax,0(%1)\n"                     \
10028 -                    "2:        movl %%edx,4(%1)\n"                     \
10029 +       asm volatile("1:        "__copyuser_seg"movl %%eax,0(%1)\n"     \
10030 +                    "2:        "__copyuser_seg"movl %%edx,4(%1)\n"     \
10031                      "3:\n"                                             \
10032                      _ASM_EXTABLE(1b, 2b - 1b)                          \
10033                      _ASM_EXTABLE(2b, 3b - 2b)                          \
10034 @@ -252,7 +294,7 @@ extern void __put_user_8(void);
10035         __typeof__(*(ptr)) __pu_val;                            \
10036         __chk_user_ptr(ptr);                                    \
10037         might_fault();                                          \
10038 -       __pu_val = x;                                           \
10039 +       __pu_val = (x);                                         \
10040         switch (sizeof(*(ptr))) {                               \
10041         case 1:                                                 \
10042                 __put_user_x(1, __pu_val, ptr, __ret_pu);       \
10043 @@ -373,7 +415,7 @@ do {                                                                        \
10044  } while (0)
10045  
10046  #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
10047 -       asm volatile("1:        mov"itype" %2,%"rtype"1\n"              \
10048 +       asm volatile("1:        "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
10049                      "2:\n"                                             \
10050                      ".section .fixup,\"ax\"\n"                         \
10051                      "3:        mov %3,%0\n"                            \
10052 @@ -381,7 +423,7 @@ do {                                                                        \
10053                      "  jmp 2b\n"                                       \
10054                      ".previous\n"                                      \
10055                      _ASM_EXTABLE(1b, 3b)                               \
10056 -                    : "=r" (err), ltype(x)                             \
10057 +                    : "=r" (err), ltype (x)                            \
10058                      : "m" (__m(addr)), "i" (errret), "0" (err))
10059  
10060  #define __get_user_size_ex(x, ptr, size)                               \
10061 @@ -406,7 +448,7 @@ do {                                                                        \
10062  } while (0)
10063  
10064  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)                        \
10065 -       asm volatile("1:        mov"itype" %1,%"rtype"0\n"              \
10066 +       asm volatile("1:        "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
10067                      "2:\n"                                             \
10068                      _ASM_EXTABLE(1b, 2b - 1b)                          \
10069                      : ltype(x) : "m" (__m(addr)))
10070 @@ -423,13 +465,24 @@ do {                                                                      \
10071         int __gu_err;                                                   \
10072         unsigned long __gu_val;                                         \
10073         __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT);    \
10074 -       (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
10075 +       (x) = (__typeof__(*(ptr)))__gu_val;                             \
10076         __gu_err;                                                       \
10077  })
10078  
10079  /* FIXME: this hack is definitely wrong -AK */
10080  struct __large_struct { unsigned long buf[100]; };
10081 -#define __m(x) (*(struct __large_struct __user *)(x))
10082 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10083 +#define ____m(x)                                       \
10084 +({                                                     \
10085 +       unsigned long ____x = (unsigned long)(x);       \
10086 +       if (____x < PAX_USER_SHADOW_BASE)               \
10087 +               ____x += PAX_USER_SHADOW_BASE;          \
10088 +       (void __user *)____x;                           \
10089 +})
10090 +#else
10091 +#define ____m(x) (x)
10092 +#endif
10093 +#define __m(x) (*(struct __large_struct __user *)____m(x))
10094  
10095  /*
10096   * Tell gcc we read from memory instead of writing: this is because
10097 @@ -437,7 +490,7 @@ struct __large_struct { unsigned long bu
10098   * aliasing issues.
10099   */
10100  #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
10101 -       asm volatile("1:        mov"itype" %"rtype"1,%2\n"              \
10102 +       asm volatile("1:        "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
10103                      "2:\n"                                             \
10104                      ".section .fixup,\"ax\"\n"                         \
10105                      "3:        mov %3,%0\n"                            \
10106 @@ -445,10 +498,10 @@ struct __large_struct { unsigned long bu
10107                      ".previous\n"                                      \
10108                      _ASM_EXTABLE(1b, 3b)                               \
10109                      : "=r"(err)                                        \
10110 -                    : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10111 +                    : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
10112  
10113  #define __put_user_asm_ex(x, addr, itype, rtype, ltype)                        \
10114 -       asm volatile("1:        mov"itype" %"rtype"0,%1\n"              \
10115 +       asm volatile("1:        "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
10116                      "2:\n"                                             \
10117                      _ASM_EXTABLE(1b, 2b - 1b)                          \
10118                      : : ltype(x), "m" (__m(addr)))
10119 @@ -487,8 +540,12 @@ struct __large_struct { unsigned long bu
10120   * On error, the variable @x is set to zero.
10121   */
10122  
10123 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10124 +#define __get_user(x, ptr)     get_user((x), (ptr))
10125 +#else
10126  #define __get_user(x, ptr)                                             \
10127         __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
10128 +#endif
10129  
10130  /**
10131   * __put_user: - Write a simple value into user space, with less checking.
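Review bot: The kernel-doc above `__get_user` (and above `__put_user` in the hunk at -510) still promises "less checking", but under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF` the macro now expands to the checked `get_user`, so the documented contract (no range check, intended for use after a prior `access_ok`) no longer holds for that configuration. A line such as `/* With PAX_MEMORY_UDEREF on x86-64 this is the range-checked get_user(); "less checking" below applies only to the #else branch. */` above the `#if` keeps the doc honest, and the same line belongs on the `__put_user` redefinition in the -510 hunk.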
10132 @@ -510,8 +567,12 @@ struct __large_struct { unsigned long bu
10133   * Returns zero on success, or -EFAULT on error.
10134   */
10135  
10136 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10137 +#define __put_user(x, ptr)     put_user((x), (ptr))
10138 +#else
10139  #define __put_user(x, ptr)                                             \
10140         __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10141 +#endif
10142  
10143  #define __get_user_unaligned __get_user
10144  #define __put_user_unaligned __put_user
10145 @@ -529,7 +590,7 @@ struct __large_struct { unsigned long bu
10146  #define get_user_ex(x, ptr)    do {                                    \
10147         unsigned long __gue_val;                                        \
10148         __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr))));       \
10149 -       (x) = (__force __typeof__(*(ptr)))__gue_val;                    \
10150 +       (x) = (__typeof__(*(ptr)))__gue_val;                            \
10151  } while (0)
10152  
10153  #ifdef CONFIG_X86_WP_WORKS_OK
10154 diff -urNp linux-3.0.9/arch/x86/include/asm/vdso.h linux-3.0.9/arch/x86/include/asm/vdso.h
10155 --- linux-3.0.9/arch/x86/include/asm/vdso.h     2011-11-11 13:12:24.000000000 -0500
10156 +++ linux-3.0.9/arch/x86/include/asm/vdso.h     2011-11-15 20:02:59.000000000 -0500
10157 @@ -11,7 +11,7 @@ extern const char VDSO32_PRELINK[];
10158  #define VDSO32_SYMBOL(base, name)                                      \
10159  ({                                                                     \
10160         extern const char VDSO32_##name[];                              \
10161 -       (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10162 +       (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10163  })
10164  #endif
10165  
10166 diff -urNp linux-3.0.9/arch/x86/include/asm/x86_init.h linux-3.0.9/arch/x86/include/asm/x86_init.h
10167 --- linux-3.0.9/arch/x86/include/asm/x86_init.h 2011-11-11 13:12:24.000000000 -0500
10168 +++ linux-3.0.9/arch/x86/include/asm/x86_init.h 2011-11-15 20:02:59.000000000 -0500
10169 @@ -28,7 +28,7 @@ struct x86_init_mpparse {
10170         void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
10171         void (*find_smp_config)(void);
10172         void (*get_smp_config)(unsigned int early);
10173 -};
10174 +} __no_const;
10175  
10176  /**
10177   * struct x86_init_resources - platform specific resource related ops
10178 @@ -42,7 +42,7 @@ struct x86_init_resources {
10179         void (*probe_roms)(void);
10180         void (*reserve_resources)(void);
10181         char *(*memory_setup)(void);
10182 -};
10183 +} __no_const;
10184  
10185  /**
10186   * struct x86_init_irqs - platform specific interrupt setup
10187 @@ -55,7 +55,7 @@ struct x86_init_irqs {
10188         void (*pre_vector_init)(void);
10189         void (*intr_init)(void);
10190         void (*trap_init)(void);
10191 -};
10192 +} __no_const;
10193  
10194  /**
10195   * struct x86_init_oem - oem platform specific customizing functions
10196 @@ -65,7 +65,7 @@ struct x86_init_irqs {
10197  struct x86_init_oem {
10198         void (*arch_setup)(void);
10199         void (*banner)(void);
10200 -};
10201 +} __no_const;
10202  
10203  /**
10204   * struct x86_init_mapping - platform specific initial kernel pagetable setup
10205 @@ -76,7 +76,7 @@ struct x86_init_oem {
10206   */
10207  struct x86_init_mapping {
10208         void (*pagetable_reserve)(u64 start, u64 end);
10209 -};
10210 +} __no_const;
10211  
10212  /**
10213   * struct x86_init_paging - platform specific paging functions
10214 @@ -86,7 +86,7 @@ struct x86_init_mapping {
10215  struct x86_init_paging {
10216         void (*pagetable_setup_start)(pgd_t *base);
10217         void (*pagetable_setup_done)(pgd_t *base);
10218 -};
10219 +} __no_const;
10220  
10221  /**
10222   * struct x86_init_timers - platform specific timer setup
10223 @@ -101,7 +101,7 @@ struct x86_init_timers {
10224         void (*tsc_pre_init)(void);
10225         void (*timer_init)(void);
10226         void (*wallclock_init)(void);
10227 -};
10228 +} __no_const;
10229  
10230  /**
10231   * struct x86_init_iommu - platform specific iommu setup
10232 @@ -109,7 +109,7 @@ struct x86_init_timers {
10233   */
10234  struct x86_init_iommu {
10235         int (*iommu_init)(void);
10236 -};
10237 +} __no_const;
10238  
10239  /**
10240   * struct x86_init_pci - platform specific pci init functions
10241 @@ -123,7 +123,7 @@ struct x86_init_pci {
10242         int (*init)(void);
10243         void (*init_irq)(void);
10244         void (*fixup_irqs)(void);
10245 -};
10246 +} __no_const;
10247  
10248  /**
10249   * struct x86_init_ops - functions for platform specific setup
10250 @@ -139,7 +139,7 @@ struct x86_init_ops {
10251         struct x86_init_timers          timers;
10252         struct x86_init_iommu           iommu;
10253         struct x86_init_pci             pci;
10254 -};
10255 +} __no_const;
10256  
10257  /**
10258   * struct x86_cpuinit_ops - platform specific cpu hotplug setups
10259 @@ -147,7 +147,7 @@ struct x86_init_ops {
10260   */
10261  struct x86_cpuinit_ops {
10262         void (*setup_percpu_clockev)(void);
10263 -};
10264 +} __no_const;
10265  
10266  /**
10267   * struct x86_platform_ops - platform specific runtime functions
10268 @@ -166,7 +166,7 @@ struct x86_platform_ops {
10269         bool (*is_untracked_pat_range)(u64 start, u64 end);
10270         void (*nmi_init)(void);
10271         int (*i8042_detect)(void);
10272 -};
10273 +} __no_const;
10274  
10275  struct pci_dev;
10276  
10277 @@ -174,7 +174,7 @@ struct x86_msi_ops {
10278         int (*setup_msi_irqs)(struct pci_dev *dev, int nvec, int type);
10279         void (*teardown_msi_irq)(unsigned int irq);
10280         void (*teardown_msi_irqs)(struct pci_dev *dev);
10281 -};
10282 +} __no_const;
10283  
10284  extern struct x86_init_ops x86_init;
10285  extern struct x86_cpuinit_ops x86_cpuinit;
10286 diff -urNp linux-3.0.9/arch/x86/include/asm/xsave.h linux-3.0.9/arch/x86/include/asm/xsave.h
10287 --- linux-3.0.9/arch/x86/include/asm/xsave.h    2011-11-11 13:12:24.000000000 -0500
10288 +++ linux-3.0.9/arch/x86/include/asm/xsave.h    2011-11-15 20:02:59.000000000 -0500
10289 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10290  {
10291         int err;
10292  
10293 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10294 +       if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10295 +               buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10296 +#endif
10297 +
10298         /*
10299          * Clear the xsave header first, so that reserved fields are
10300          * initialized to zero.
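Review bot: The relocation of `buf` happens before the header clear and the save that follow outside this hunk, and nothing says why an already-relocated pointer is safe to hand to those user-access helpers. Presumably they apply the same `< PAX_USER_SHADOW_BASE` test, which makes a second relocation a no-op once `buf` is at or above the base; a comment at the `#if` such as `/* relocate once; helpers below see buf >= PAX_USER_SHADOW_BASE and leave it unchanged */` would record that assumption where it is relied on. `xsave_user`'s body continues outside the hunk.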
10301 @@ -96,10 +101,15 @@ static inline int xsave_user(struct xsav
10302  static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
10303  {
10304         int err;
10305 -       struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
10306 +       struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
10307         u32 lmask = mask;
10308         u32 hmask = mask >> 32;
10309  
10310 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10311 +       if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10312 +               xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10313 +#endif
10314 +
10315         __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10316                              "2:\n"
10317                              ".section .fixup,\"ax\"\n"
10318 diff -urNp linux-3.0.9/arch/x86/Kconfig linux-3.0.9/arch/x86/Kconfig
10319 --- linux-3.0.9/arch/x86/Kconfig        2011-11-11 13:12:24.000000000 -0500
10320 +++ linux-3.0.9/arch/x86/Kconfig        2011-11-15 20:02:59.000000000 -0500
10321 @@ -229,7 +229,7 @@ config X86_HT
10322  
10323  config X86_32_LAZY_GS
10324         def_bool y
10325 -       depends on X86_32 && !CC_STACKPROTECTOR
10326 +       depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10327  
10328  config ARCH_HWEIGHT_CFLAGS
10329         string
10330 @@ -1018,7 +1018,7 @@ choice
10331  
10332  config NOHIGHMEM
10333         bool "off"
10334 -       depends on !X86_NUMAQ
10335 +       depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10336         ---help---
10337           Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10338           However, the address space of 32-bit x86 processors is only 4
10339 @@ -1055,7 +1055,7 @@ config NOHIGHMEM
10340  
10341  config HIGHMEM4G
10342         bool "4GB"
10343 -       depends on !X86_NUMAQ
10344 +       depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10345         ---help---
10346           Select this if you have a 32-bit processor and between 1 and 4
10347           gigabytes of physical RAM.
10348 @@ -1109,7 +1109,7 @@ config PAGE_OFFSET
10349         hex
10350         default 0xB0000000 if VMSPLIT_3G_OPT
10351         default 0x80000000 if VMSPLIT_2G
10352 -       default 0x78000000 if VMSPLIT_2G_OPT
10353 +       default 0x70000000 if VMSPLIT_2G_OPT
10354         default 0x40000000 if VMSPLIT_1G
10355         default 0xC0000000
10356         depends on X86_32
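Review bot: The VMSPLIT_2G_OPT default changes from 0x78000000 to 0x70000000 with no comment, and unlike the neighbouring Kconfig hunks the change is not conditioned on any PAX_* option, so it moves the user/kernel boundary for every 2G_OPT build. If the lower value is a requirement of one of the PaX features (the surrounding hunks guard on PAX_PAGEEXEC and PAX_ENABLE_PAE), a guarded line such as `default 0x70000000 if VMSPLIT_2G_OPT && PAX_<option>` ahead of the original default, or at least a `# comment` giving the reason, would make the intent clear. The VMSPLIT_2G_OPT prompt text is outside the hunk; if it mentions the old address it needs the same update.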
10357 @@ -1483,6 +1483,7 @@ config SECCOMP
10358  
10359  config CC_STACKPROTECTOR
10360         bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10361 +       depends on X86_64 || !PAX_MEMORY_UDEREF
10362         ---help---
10363           This option turns on the -fstack-protector GCC feature. This
10364           feature puts, at the beginning of functions, a canary value on
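Review bot: The new dependency still permits CC_STACKPROTECTOR on X86_64, while the arch/x86/kernel/cpu/Makefile hunk further down this chunk deletes the `CFLAGS_common.o := $(nostackp)` line whose own comment says load_percpu_segment must be built without a stack protector. If load_percpu_segment still lives in common.c and still switches the segment base through which the canary is read, a 64-bit build with this option enabled would get a canary check compiled into a function that changes where the canary is found mid-function. Either the patch relocates that function elsewhere (not visible in this chunk) or the Makefile line should stay; a comment in one of the two hunks stating which would settle it.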
10365 @@ -1540,6 +1541,7 @@ config KEXEC_JUMP
10366  config PHYSICAL_START
10367         hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10368         default "0x1000000"
10369 +       range 0x400000 0x40000000
10370         ---help---
10371           This gives the physical address where the kernel is loaded.
10372  
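Review bot: The new `range 0x400000 0x40000000` on PHYSICAL_START is unconditional, whereas the matching PHYSICAL_ALIGN hunk just below limits its tighter range with `if PAX_KERNEXEC`. If the bounds are a KERNEXEC requirement, `range 0x400000 0x40000000 if PAX_KERNEXEC` would leave EXPERT/CRASH_DUMP configurations that deliberately load the kernel elsewhere unaffected; if they are meant to apply always, a sentence in the help text saying why would be appropriate.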
10373 @@ -1603,6 +1605,7 @@ config X86_NEED_RELOCS
10374  config PHYSICAL_ALIGN
10375         hex "Alignment value to which kernel should be aligned" if X86_32
10376         default "0x1000000"
10377 +       range 0x400000 0x1000000 if PAX_KERNEXEC
10378         range 0x2000 0x1000000
10379         ---help---
10380           This value puts the alignment restrictions on physical address
10381 @@ -1634,9 +1637,10 @@ config HOTPLUG_CPU
10382           Say N if you want to disable CPU hotplug.
10383  
10384  config COMPAT_VDSO
10385 -       def_bool y
10386 +       def_bool n
10387         prompt "Compat VDSO support"
10388         depends on X86_32 || IA32_EMULATION
10389 +       depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10390         ---help---
10391           Map the 32-bit VDSO to the predictable old-style address too.
10392  
10393 diff -urNp linux-3.0.9/arch/x86/Kconfig.cpu linux-3.0.9/arch/x86/Kconfig.cpu
10394 --- linux-3.0.9/arch/x86/Kconfig.cpu    2011-11-11 13:12:24.000000000 -0500
10395 +++ linux-3.0.9/arch/x86/Kconfig.cpu    2011-11-15 20:02:59.000000000 -0500
10396 @@ -338,7 +338,7 @@ config X86_PPRO_FENCE
10397  
10398  config X86_F00F_BUG
10399         def_bool y
10400 -       depends on M586MMX || M586TSC || M586 || M486 || M386
10401 +       depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10402  
10403  config X86_INVD_BUG
10404         def_bool y
10405 @@ -362,7 +362,7 @@ config X86_POPAD_OK
10406  
10407  config X86_ALIGNMENT_16
10408         def_bool y
10409 -       depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10410 +       depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10411  
10412  config X86_INTEL_USERCOPY
10413         def_bool y
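Review bot: Besides adding CPU models, the new `depends on` line replaces `MELAN` with `X86_ELAN`; Kconfig does not fail on an undefined symbol, so if `X86_ELAN` is not the name this tree defines, the Elan case silently evaluates false and drops out of the expression. Please confirm which symbol Kconfig.cpu defines in this tree (the removed line used MELAN) and, if the rename was unintentional, keep the hunk to the added models.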
10414 @@ -408,7 +408,7 @@ config X86_CMPXCHG64
10415  # generates cmov.
10416  config X86_CMOV
10417         def_bool y
10418 -       depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10419 +       depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10420  
10421  config X86_MINIMUM_CPU_FAMILY
10422         int
10423 diff -urNp linux-3.0.9/arch/x86/Kconfig.debug linux-3.0.9/arch/x86/Kconfig.debug
10424 --- linux-3.0.9/arch/x86/Kconfig.debug  2011-11-11 13:12:24.000000000 -0500
10425 +++ linux-3.0.9/arch/x86/Kconfig.debug  2011-11-15 20:02:59.000000000 -0500
10426 @@ -81,7 +81,7 @@ config X86_PTDUMP
10427  config DEBUG_RODATA
10428         bool "Write protect kernel read-only data structures"
10429         default y
10430 -       depends on DEBUG_KERNEL
10431 +       depends on DEBUG_KERNEL && BROKEN
10432         ---help---
10433           Mark the kernel read-only data as write-protected in the pagetables,
10434           in order to catch accidental (and incorrect) writes to such const
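Review bot: Adding `&& BROKEN` makes DEBUG_RODATA unselectable without saying why, and the help text that follows still describes it as a working option. Presumably a PaX option (KERNEXEC, from the rest of this patch) provides the same write protection and the two mechanisms conflict, but that reasoning appears nowhere in the hunk; a leading `# disabled: superseded by PAX_<option>, which conflicts with it` comment naming the real reason would make the change reviewable. The DEBUG_SET_MODULE_RONX hunk below has the same gap.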
10435 @@ -99,7 +99,7 @@ config DEBUG_RODATA_TEST
10436  
10437  config DEBUG_SET_MODULE_RONX
10438         bool "Set loadable kernel module data as NX and text as RO"
10439 -       depends on MODULES
10440 +       depends on MODULES && BROKEN
10441         ---help---
10442           This option helps catch unintended modifications to loadable
10443           kernel module's text and read-only data. It also prevents execution
10444 diff -urNp linux-3.0.9/arch/x86/kernel/acpi/realmode/Makefile linux-3.0.9/arch/x86/kernel/acpi/realmode/Makefile
10445 --- linux-3.0.9/arch/x86/kernel/acpi/realmode/Makefile  2011-11-11 13:12:24.000000000 -0500
10446 +++ linux-3.0.9/arch/x86/kernel/acpi/realmode/Makefile  2011-11-15 20:02:59.000000000 -0500
10447 @@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os 
10448                    $(call cc-option, -fno-stack-protector) \
10449                    $(call cc-option, -mpreferred-stack-boundary=2)
10450  KBUILD_CFLAGS  += $(call cc-option, -m32)
10451 +ifdef CONSTIFY_PLUGIN
10452 +KBUILD_CFLAGS  += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
10453 +endif
10454  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
10455  GCOV_PROFILE := n
10456  
10457 diff -urNp linux-3.0.9/arch/x86/kernel/acpi/realmode/wakeup.S linux-3.0.9/arch/x86/kernel/acpi/realmode/wakeup.S
10458 --- linux-3.0.9/arch/x86/kernel/acpi/realmode/wakeup.S  2011-11-11 13:12:24.000000000 -0500
10459 +++ linux-3.0.9/arch/x86/kernel/acpi/realmode/wakeup.S  2011-11-15 20:02:59.000000000 -0500
10460 @@ -108,6 +108,9 @@ wakeup_code:
10461         /* Do any other stuff... */
10462  
10463  #ifndef CONFIG_64BIT
10464 +       /* Recheck NX bit overrides (64bit path does this in trampoline */
10465 +       call    verify_cpu
10466 +
10467         /* This could also be done in C code... */
10468         movl    pmode_cr3, %eax
10469         movl    %eax, %cr3
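Review bot: The added comment has an unbalanced parenthesis and should read `/* Recheck NX bit overrides (64bit path does this in trampoline) */`, and the `call verify_cpu` discards the result verify_cpu leaves in %eax, which the 64-bit trampoline path is said to test before proceeding. If only the NX-override side effect the comment mentions is wanted here, the comment should state that the return value is deliberately ignored. verify_cpu presumably clobbers general registers, so it also matters that nothing live is held across the call at this point; the code that follows reloads %eax immediately, which looks fine, but a note to that effect would help. The include of verify_cpu.S that makes the symbol resolvable is in the next hunk.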
10470 @@ -131,6 +134,7 @@ wakeup_code:
10471         movl    pmode_cr0, %eax
10472         movl    %eax, %cr0
10473         jmp     pmode_return
10474 +# include "../../verify_cpu.S"
10475  #else
10476         pushw   $0
10477         pushw   trampoline_segment
10478 diff -urNp linux-3.0.9/arch/x86/kernel/acpi/sleep.c linux-3.0.9/arch/x86/kernel/acpi/sleep.c
10479 --- linux-3.0.9/arch/x86/kernel/acpi/sleep.c    2011-11-11 13:12:24.000000000 -0500
10480 +++ linux-3.0.9/arch/x86/kernel/acpi/sleep.c    2011-11-15 20:02:59.000000000 -0500
10481 @@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void)
10482         header->trampoline_segment = trampoline_address() >> 4;
10483  #ifdef CONFIG_SMP
10484         stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10485 +
10486 +       pax_open_kernel();
10487         early_gdt_descr.address =
10488                         (unsigned long)get_cpu_gdt_table(smp_processor_id());
10489 +       pax_close_kernel();
10490 +
10491         initial_gs = per_cpu_offset(smp_processor_id());
10492  #endif
10493         initial_code = (unsigned long)wakeup_long64;
10494 diff -urNp linux-3.0.9/arch/x86/kernel/acpi/wakeup_32.S linux-3.0.9/arch/x86/kernel/acpi/wakeup_32.S
10495 --- linux-3.0.9/arch/x86/kernel/acpi/wakeup_32.S        2011-11-11 13:12:24.000000000 -0500
10496 +++ linux-3.0.9/arch/x86/kernel/acpi/wakeup_32.S        2011-11-15 20:02:59.000000000 -0500
10497 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10498         # and restore the stack ... but you need gdt for this to work
10499         movl    saved_context_esp, %esp
10500  
10501 -       movl    %cs:saved_magic, %eax
10502 -       cmpl    $0x12345678, %eax
10503 +       cmpl    $0x12345678, saved_magic
10504         jne     bogus_magic
10505  
10506         # jump to place where we left off
10507 -       movl    saved_eip, %eax
10508 -       jmp     *%eax
10509 +       jmp     *(saved_eip)
10510  
10511  bogus_magic:
10512         jmp     bogus_magic
10513 diff -urNp linux-3.0.9/arch/x86/kernel/alternative.c linux-3.0.9/arch/x86/kernel/alternative.c
10514 --- linux-3.0.9/arch/x86/kernel/alternative.c   2011-11-11 13:12:24.000000000 -0500
10515 +++ linux-3.0.9/arch/x86/kernel/alternative.c   2011-11-15 20:02:59.000000000 -0500
10516 @@ -313,7 +313,7 @@ static void alternatives_smp_lock(const 
10517                 if (!*poff || ptr < text || ptr >= text_end)
10518                         continue;
10519                 /* turn DS segment override prefix into lock prefix */
10520 -               if (*ptr == 0x3e)
10521 +               if (*ktla_ktva(ptr) == 0x3e)
10522                         text_poke(ptr, ((unsigned char []){0xf0}), 1);
10523         };
10524         mutex_unlock(&text_mutex);
10525 @@ -334,7 +334,7 @@ static void alternatives_smp_unlock(cons
10526                 if (!*poff || ptr < text || ptr >= text_end)
10527                         continue;
10528                 /* turn lock prefix into DS segment override prefix */
10529 -               if (*ptr == 0xf0)
10530 +               if (*ktla_ktva(ptr) == 0xf0)
10531                         text_poke(ptr, ((unsigned char []){0x3E}), 1);
10532         };
10533         mutex_unlock(&text_mutex);
10534 @@ -503,7 +503,7 @@ void __init_or_module apply_paravirt(str
10535  
10536                 BUG_ON(p->len > MAX_PATCH_LEN);
10537                 /* prep the buffer with the original instructions */
10538 -               memcpy(insnbuf, p->instr, p->len);
10539 +               memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10540                 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10541                                          (unsigned long)p->instr, p->len);
10542  
10543 @@ -571,7 +571,7 @@ void __init alternative_instructions(voi
10544         if (smp_alt_once)
10545                 free_init_pages("SMP alternatives",
10546                                 (unsigned long)__smp_locks,
10547 -                               (unsigned long)__smp_locks_end);
10548 +                               PAGE_ALIGN((unsigned long)__smp_locks_end));
10549  
10550         restart_nmi();
10551  }
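Review bot: Rounding `__smp_locks_end` up with PAGE_ALIGN frees the page that contains the tail of the smp_locks section, so anything the linker placed in that page after `__smp_locks_end` would be returned to the allocator while still in use; the old code passed the raw end, which free_init_pages presumably truncated down to the previous page boundary. This is only safe if the linker script pads the section to a page boundary, so please confirm the companion vmlinux.lds.S change does that and record it at the call site: `/* __smp_locks is page-aligned by the linker script, so the trailing page is ours to free */`.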
10552 @@ -588,13 +588,17 @@ void __init alternative_instructions(voi
10553   * instructions. And on the local CPU you need to be protected again NMI or MCE
10554   * handlers seeing an inconsistent instruction while you patch.
10555   */
10556 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10557 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10558                                               size_t len)
10559  {
10560         unsigned long flags;
10561         local_irq_save(flags);
10562 -       memcpy(addr, opcode, len);
10563 +
10564 +       pax_open_kernel();
10565 +       memcpy(ktla_ktva(addr), opcode, len);
10566         sync_core();
10567 +       pax_close_kernel();
10568 +
10569         local_irq_restore(flags);
10570         /* Could also do a CLFLUSH here to speed up CPU recovery; but
10571            that causes hangs on some VIA CPUs. */
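Review bot: The header comment above text_poke_early (partly outside the hunk) still describes the early, pre-SMP use, but swapping `__init_or_module` for `__kprobes` and calling it from text_poke in the next hunk makes it the runtime write path as well; the comment should say it is now the common backend and therefore may not live in init memory. Inside, `pax_open_kernel()`/`pax_close_kernel()` bracket both the memcpy and the sync_core, and if opening the kernel for writing requires preemption or interrupts to be off, the preceding `local_irq_save` is what satisfies that — worth a one-line comment since the ordering is load-bearing. The function's body continues past the hunk.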
10572 @@ -616,36 +620,22 @@ void *__init_or_module text_poke_early(v
10573   */
10574  void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10575  {
10576 -       unsigned long flags;
10577 -       char *vaddr;
10578 +       unsigned char *vaddr = ktla_ktva(addr);
10579         struct page *pages[2];
10580 -       int i;
10581 +       size_t i;
10582  
10583         if (!core_kernel_text((unsigned long)addr)) {
10584 -               pages[0] = vmalloc_to_page(addr);
10585 -               pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10586 +               pages[0] = vmalloc_to_page(vaddr);
10587 +               pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10588         } else {
10589 -               pages[0] = virt_to_page(addr);
10590 +               pages[0] = virt_to_page(vaddr);
10591                 WARN_ON(!PageReserved(pages[0]));
10592 -               pages[1] = virt_to_page(addr + PAGE_SIZE);
10593 +               pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10594         }
10595         BUG_ON(!pages[0]);
10596 -       local_irq_save(flags);
10597 -       set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10598 -       if (pages[1])
10599 -               set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10600 -       vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10601 -       memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10602 -       clear_fixmap(FIX_TEXT_POKE0);
10603 -       if (pages[1])
10604 -               clear_fixmap(FIX_TEXT_POKE1);
10605 -       local_flush_tlb();
10606 -       sync_core();
10607 -       /* Could also do a CLFLUSH here to speed up CPU recovery; but
10608 -          that causes hangs on some VIA CPUs. */
10609 +       text_poke_early(addr, opcode, len);
10610         for (i = 0; i < len; i++)
10611 -               BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10612 -       local_irq_restore(flags);
10613 +               BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
10614         return addr;
10615  }
10616  
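Review bot: After the rewrite `pages[1]` is computed but never read — the only remaining uses of the array are `BUG_ON(!pages[0])` and the `WARN_ON(!PageReserved(pages[0]))`, because the fixmap path that consumed `pages[1]` is gone — so the `vmalloc_to_page(vaddr + PAGE_SIZE)` and `virt_to_page(vaddr + PAGE_SIZE)` lines are dead and the array can shrink to a single lookup. The verification loop compares through `vaddr` (the ktla_ktva alias) while `text_poke_early` is handed the untranslated `addr` and applies ktla_ktva itself; a short comment that both name the same bytes would spare the next reader from re-deriving that. Note that the old `if (pages[1])` NULL handling is gone too, which is fine only because nothing consumes `pages[1]` any more.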
10617 diff -urNp linux-3.0.9/arch/x86/kernel/apic/apic.c linux-3.0.9/arch/x86/kernel/apic/apic.c
10618 --- linux-3.0.9/arch/x86/kernel/apic/apic.c     2011-11-11 13:12:24.000000000 -0500
10619 +++ linux-3.0.9/arch/x86/kernel/apic/apic.c     2011-11-15 20:02:59.000000000 -0500
10620 @@ -173,7 +173,7 @@ int first_system_vector = 0xfe;
10621  /*
10622   * Debug level, exported for io_apic.c
10623   */
10624 -unsigned int apic_verbosity;
10625 +int apic_verbosity;
10626  
10627  int pic_mode;
10628  
10629 @@ -1834,7 +1834,7 @@ void smp_error_interrupt(struct pt_regs 
10630         apic_write(APIC_ESR, 0);
10631         v1 = apic_read(APIC_ESR);
10632         ack_APIC_irq();
10633 -       atomic_inc(&irq_err_count);
10634 +       atomic_inc_unchecked(&irq_err_count);
10635  
10636         apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x(%02x)",
10637                     smp_processor_id(), v0 , v1);
10638 @@ -2190,6 +2190,8 @@ static int __cpuinit apic_cluster_num(vo
10639         u16 *bios_cpu_apicid;
10640         DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
10641  
10642 +       pax_track_stack();
10643 +
10644         bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
10645         bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
10646  
10647 diff -urNp linux-3.0.9/arch/x86/kernel/apic/io_apic.c linux-3.0.9/arch/x86/kernel/apic/io_apic.c
10648 --- linux-3.0.9/arch/x86/kernel/apic/io_apic.c  2011-11-11 13:12:24.000000000 -0500
10649 +++ linux-3.0.9/arch/x86/kernel/apic/io_apic.c  2011-11-15 20:02:59.000000000 -0500
10650 @@ -1028,7 +1028,7 @@ int IO_APIC_get_PCI_irq_vector(int bus, 
10651  }
10652  EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10653  
10654 -void lock_vector_lock(void)
10655 +void lock_vector_lock(void) __acquires(vector_lock)
10656  {
10657         /* Used to the online set of cpus does not change
10658          * during assign_irq_vector.
10659 @@ -1036,7 +1036,7 @@ void lock_vector_lock(void)
10660         raw_spin_lock(&vector_lock);
10661  }
10662  
10663 -void unlock_vector_lock(void)
10664 +void unlock_vector_lock(void) __releases(vector_lock)
10665  {
10666         raw_spin_unlock(&vector_lock);
10667  }
10668 @@ -2364,7 +2364,7 @@ static void ack_apic_edge(struct irq_dat
10669         ack_APIC_irq();
10670  }
10671  
10672 -atomic_t irq_mis_count;
10673 +atomic_unchecked_t irq_mis_count;
10674  
10675  /*
10676   * IO-APIC versions below 0x20 don't support EOI register.
10677 @@ -2472,7 +2472,7 @@ static void ack_apic_level(struct irq_da
10678          * at the cpu.
10679          */
10680         if (!(v & (1 << (i & 0x1f)))) {
10681 -               atomic_inc(&irq_mis_count);
10682 +               atomic_inc_unchecked(&irq_mis_count);
10683  
10684                 eoi_ioapic_irq(irq, cfg);
10685         }
10686 diff -urNp linux-3.0.9/arch/x86/kernel/apm_32.c linux-3.0.9/arch/x86/kernel/apm_32.c
10687 --- linux-3.0.9/arch/x86/kernel/apm_32.c        2011-11-11 13:12:24.000000000 -0500
10688 +++ linux-3.0.9/arch/x86/kernel/apm_32.c        2011-11-15 20:02:59.000000000 -0500
10689 @@ -413,7 +413,7 @@ static DEFINE_MUTEX(apm_mutex);
10690   * This is for buggy BIOS's that refer to (real mode) segment 0x40
10691   * even though they are called in protected mode.
10692   */
10693 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10694 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10695                         (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10696  
10697  static const char driver_version[] = "1.16ac"; /* no spaces */
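Review bot: The access byte changes from 0x4092 to 0x4093 alongside the new `const`, and the low bit it sets is the descriptor's accessed bit; presumably this is so the CPU never has to write the descriptor when the segment is loaded, which it would otherwise do into a GDT that this patch keeps read-only. That reasoning is not in the hunk — a comment such as `/* accessed bit pre-set: the GDT is read-only under KERNEXEC, so the CPU must not need to write it on load */` would make the nibble change reviewable, and the same note applies wherever else this patch pre-sets that bit in GDT_ENTRY_INIT values.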
10698 @@ -591,7 +591,10 @@ static long __apm_bios_call(void *_call)
10699         BUG_ON(cpu != 0);
10700         gdt = get_cpu_gdt_table(cpu);
10701         save_desc_40 = gdt[0x40 / 8];
10702 +
10703 +       pax_open_kernel();
10704         gdt[0x40 / 8] = bad_bios_desc;
10705 +       pax_close_kernel();
10706  
10707         apm_irq_save(flags);
10708         APM_DO_SAVE_SEGS;
10709 @@ -600,7 +603,11 @@ static long __apm_bios_call(void *_call)
10710                           &call->esi);
10711         APM_DO_RESTORE_SEGS;
10712         apm_irq_restore(flags);
10713 +
10714 +       pax_open_kernel();
10715         gdt[0x40 / 8] = save_desc_40;
10716 +       pax_close_kernel();
10717 +
10718         put_cpu();
10719  
10720         return call->eax & 0xff;
10721 @@ -667,7 +674,10 @@ static long __apm_bios_call_simple(void 
10722         BUG_ON(cpu != 0);
10723         gdt = get_cpu_gdt_table(cpu);
10724         save_desc_40 = gdt[0x40 / 8];
10725 +
10726 +       pax_open_kernel();
10727         gdt[0x40 / 8] = bad_bios_desc;
10728 +       pax_close_kernel();
10729  
10730         apm_irq_save(flags);
10731         APM_DO_SAVE_SEGS;
10732 @@ -675,7 +685,11 @@ static long __apm_bios_call_simple(void 
10733                                          &call->eax);
10734         APM_DO_RESTORE_SEGS;
10735         apm_irq_restore(flags);
10736 +
10737 +       pax_open_kernel();
10738         gdt[0x40 / 8] = save_desc_40;
10739 +       pax_close_kernel();
10740 +
10741         put_cpu();
10742         return error;
10743  }
10744 @@ -2349,12 +2363,15 @@ static int __init apm_init(void)
10745          * code to that CPU.
10746          */
10747         gdt = get_cpu_gdt_table(0);
10748 +
10749 +       pax_open_kernel();
10750         set_desc_base(&gdt[APM_CS >> 3],
10751                  (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10752         set_desc_base(&gdt[APM_CS_16 >> 3],
10753                  (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10754         set_desc_base(&gdt[APM_DS >> 3],
10755                  (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10756 +       pax_close_kernel();
10757  
10758         proc_create("apm", 0, NULL, &apm_file_ops);
10759  
10760 diff -urNp linux-3.0.9/arch/x86/kernel/asm-offsets_64.c linux-3.0.9/arch/x86/kernel/asm-offsets_64.c
10761 --- linux-3.0.9/arch/x86/kernel/asm-offsets_64.c        2011-11-11 13:12:24.000000000 -0500
10762 +++ linux-3.0.9/arch/x86/kernel/asm-offsets_64.c        2011-11-15 20:02:59.000000000 -0500
10763 @@ -69,6 +69,7 @@ int main(void)
10764         BLANK();
10765  #undef ENTRY
10766  
10767 +       DEFINE(TSS_size, sizeof(struct tss_struct));
10768         OFFSET(TSS_ist, tss_struct, x86_tss.ist);
10769         BLANK();
10770  
10771 diff -urNp linux-3.0.9/arch/x86/kernel/asm-offsets.c linux-3.0.9/arch/x86/kernel/asm-offsets.c
10772 --- linux-3.0.9/arch/x86/kernel/asm-offsets.c   2011-11-11 13:12:24.000000000 -0500
10773 +++ linux-3.0.9/arch/x86/kernel/asm-offsets.c   2011-11-15 20:02:59.000000000 -0500
10774 @@ -33,6 +33,8 @@ void common(void) {
10775         OFFSET(TI_status, thread_info, status);
10776         OFFSET(TI_addr_limit, thread_info, addr_limit);
10777         OFFSET(TI_preempt_count, thread_info, preempt_count);
10778 +       OFFSET(TI_lowest_stack, thread_info, lowest_stack);
10779 +       DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
10780  
10781         BLANK();
10782         OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
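Review bot: `TI_task_thread_sp0` is defined as the difference of two offsetof() values, which encodes the assumptions that `tinfo` is embedded in task_struct and that the constant is meant to be added to a thread_info pointer to reach `thread.sp0`; neither the assumption nor the direction of the arithmetic is stated. A comment like `/* distance from the embedded thread_info to thread.sp0, so entry asm can reach sp0 from the thread_info pointer */` would help, and because offsetof() yields size_t the subtraction is unsigned — if sp0 ever preceded tinfo the value would wrap rather than go negative, so a `BUILD_BUG_ON` or a note that sp0 is known to follow tinfo is worth adding.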
10783 @@ -53,8 +55,26 @@ void common(void) {
10784         OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10785         OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10786         OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10787 +
10788 +#ifdef CONFIG_PAX_KERNEXEC
10789 +       OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10790 +#endif
10791 +
10792 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10793 +       OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10794 +       OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10795 +#ifdef CONFIG_X86_64
10796 +       OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
10797 +#endif
10798  #endif
10799  
10800 +#endif
10801 +
10802 +       BLANK();
10803 +       DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
10804 +       DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
10805 +       DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
10806 +
10807  #ifdef CONFIG_XEN
10808         BLANK();
10809         OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
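Review bot: The hunk repurposes the existing `#endif` (which previously closed the outer guard the PV_* offsets sit under, presumably `CONFIG_PARAVIRT`, whose `#ifdef` is outside the hunk) to close the new `#ifdef CONFIG_PAX_MEMORY_UDEREF`, then adds a bare `#endif` two lines later for the outer guard; the nesting balances, but the blank line between the two `#endif`s reads as if one were stray. Tagging them — `#endif /* CONFIG_PAX_MEMORY_UDEREF */` and `#endif /* CONFIG_PARAVIRT */` (or whatever the outer guard actually is) — would make the structure obvious, and the inner `#endif` could carry `/* CONFIG_X86_64 */` for the same reason.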
10810 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/amd.c linux-3.0.9/arch/x86/kernel/cpu/amd.c
10811 --- linux-3.0.9/arch/x86/kernel/cpu/amd.c       2011-11-11 13:12:24.000000000 -0500
10812 +++ linux-3.0.9/arch/x86/kernel/cpu/amd.c       2011-11-15 20:02:59.000000000 -0500
10813 @@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
10814                                                         unsigned int size)
10815  {
10816         /* AMD errata T13 (order #21922) */
10817 -       if ((c->x86 == 6)) {
10818 +       if (c->x86 == 6) {
10819                 /* Duron Rev A0 */
10820                 if (c->x86_model == 3 && c->x86_mask == 0)
10821                         size = 64;
10822 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/common.c linux-3.0.9/arch/x86/kernel/cpu/common.c
10823 --- linux-3.0.9/arch/x86/kernel/cpu/common.c    2011-11-11 13:12:24.000000000 -0500
10824 +++ linux-3.0.9/arch/x86/kernel/cpu/common.c    2011-11-15 20:02:59.000000000 -0500
10825 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10826  
10827  static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10828  
10829 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10830 -#ifdef CONFIG_X86_64
10831 -       /*
10832 -        * We need valid kernel segments for data and code in long mode too
10833 -        * IRET will check the segment types  kkeil 2000/10/28
10834 -        * Also sysret mandates a special GDT layout
10835 -        *
10836 -        * TLS descriptors are currently at a different place compared to i386.
10837 -        * Hopefully nobody expects them at a fixed place (Wine?)
10838 -        */
10839 -       [GDT_ENTRY_KERNEL32_CS]         = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10840 -       [GDT_ENTRY_KERNEL_CS]           = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10841 -       [GDT_ENTRY_KERNEL_DS]           = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10842 -       [GDT_ENTRY_DEFAULT_USER32_CS]   = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10843 -       [GDT_ENTRY_DEFAULT_USER_DS]     = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10844 -       [GDT_ENTRY_DEFAULT_USER_CS]     = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10845 -#else
10846 -       [GDT_ENTRY_KERNEL_CS]           = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10847 -       [GDT_ENTRY_KERNEL_DS]           = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10848 -       [GDT_ENTRY_DEFAULT_USER_CS]     = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10849 -       [GDT_ENTRY_DEFAULT_USER_DS]     = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10850 -       /*
10851 -        * Segments used for calling PnP BIOS have byte granularity.
10852 -        * They code segments and data segments have fixed 64k limits,
10853 -        * the transfer segment sizes are set at run time.
10854 -        */
10855 -       /* 32-bit code */
10856 -       [GDT_ENTRY_PNPBIOS_CS32]        = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10857 -       /* 16-bit code */
10858 -       [GDT_ENTRY_PNPBIOS_CS16]        = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10859 -       /* 16-bit data */
10860 -       [GDT_ENTRY_PNPBIOS_DS]          = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10861 -       /* 16-bit data */
10862 -       [GDT_ENTRY_PNPBIOS_TS1]         = GDT_ENTRY_INIT(0x0092, 0, 0),
10863 -       /* 16-bit data */
10864 -       [GDT_ENTRY_PNPBIOS_TS2]         = GDT_ENTRY_INIT(0x0092, 0, 0),
10865 -       /*
10866 -        * The APM segments have byte granularity and their bases
10867 -        * are set at run time.  All have 64k limits.
10868 -        */
10869 -       /* 32-bit code */
10870 -       [GDT_ENTRY_APMBIOS_BASE]        = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10871 -       /* 16-bit code */
10872 -       [GDT_ENTRY_APMBIOS_BASE+1]      = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10873 -       /* data */
10874 -       [GDT_ENTRY_APMBIOS_BASE+2]      = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10875 -
10876 -       [GDT_ENTRY_ESPFIX_SS]           = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10877 -       [GDT_ENTRY_PERCPU]              = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10878 -       GDT_STACK_CANARY_INIT
10879 -#endif
10880 -} };
10881 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10882 -
10883  static int __init x86_xsave_setup(char *s)
10884  {
10885         setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10886 @@ -371,7 +317,7 @@ void switch_to_new_gdt(int cpu)
10887  {
10888         struct desc_ptr gdt_descr;
10889  
10890 -       gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10891 +       gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10892         gdt_descr.size = GDT_SIZE - 1;
10893         load_gdt(&gdt_descr);
10894         /* Reload the per-cpu base */
10895 @@ -840,6 +786,10 @@ static void __cpuinit identify_cpu(struc
10896         /* Filter out anything that depends on CPUID levels we don't have */
10897         filter_cpuid_features(c, true);
10898  
10899 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10900 +       setup_clear_cpu_cap(X86_FEATURE_SEP);
10901 +#endif
10902 +
10903         /* If the model name is still unset, do table lookup. */
10904         if (!c->x86_model_id[0]) {
10905                 const char *p;
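Review bot: Clearing X86_FEATURE_SEP under SEGMEXEC, KERNEXEC or 32-bit UDEREF forces every 32-bit process onto the int 0x80 syscall path, which is a user-visible behaviour change, and the hunk gives no reason. A comment such as `/* sysenter/sysexit do not go through the segment and CR0 handling these features rely on, so fall back to int 0x80 */` (with the actual reason substituted) would document it, and it is worth confirming that the 32-bit vDSO selection honours the cleared capability rather than re-reading SEP from CPUID.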
10906 @@ -1019,6 +969,9 @@ static __init int setup_disablecpuid(cha
10907  }
10908  __setup("clearcpuid=", setup_disablecpuid);
10909  
10910 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
10911 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
10912 +
10913  #ifdef CONFIG_X86_64
10914  struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
10915  
10916 @@ -1034,7 +987,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
10917  EXPORT_PER_CPU_SYMBOL(current_task);
10918  
10919  DEFINE_PER_CPU(unsigned long, kernel_stack) =
10920 -       (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
10921 +       (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
10922  EXPORT_PER_CPU_SYMBOL(kernel_stack);
10923  
10924  DEFINE_PER_CPU(char *, irq_stack_ptr) =
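Review bot: Replacing `KERNEL_STACK_OFFSET` with the literal `16` reintroduces a magic number at the definition of `kernel_stack`; if the companion header change removed or redefined KERNEL_STACK_OFFSET, a named constant should take its place, or at minimum `16 /* formerly KERNEL_STACK_OFFSET; must match the offset the entry code assumes */`, so that this per-cpu value and whichever entry asm consumes it cannot drift apart unnoticed.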
10925 @@ -1099,7 +1052,7 @@ struct pt_regs * __cpuinit idle_regs(str
10926  {
10927         memset(regs, 0, sizeof(struct pt_regs));
10928         regs->fs = __KERNEL_PERCPU;
10929 -       regs->gs = __KERNEL_STACK_CANARY;
10930 +       savesegment(gs, regs->gs);
10931  
10932         return regs;
10933  }
10934 @@ -1154,7 +1107,7 @@ void __cpuinit cpu_init(void)
10935         int i;
10936  
10937         cpu = stack_smp_processor_id();
10938 -       t = &per_cpu(init_tss, cpu);
10939 +       t = init_tss + cpu;
10940         oist = &per_cpu(orig_ist, cpu);
10941  
10942  #ifdef CONFIG_NUMA
10943 @@ -1180,7 +1133,7 @@ void __cpuinit cpu_init(void)
10944         switch_to_new_gdt(cpu);
10945         loadsegment(fs, 0);
10946  
10947 -       load_idt((const struct desc_ptr *)&idt_descr);
10948 +       load_idt(&idt_descr);
10949  
10950         memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10951         syscall_init();
10952 @@ -1189,7 +1142,6 @@ void __cpuinit cpu_init(void)
10953         wrmsrl(MSR_KERNEL_GS_BASE, 0);
10954         barrier();
10955  
10956 -       x86_configure_nx();
10957         if (cpu != 0)
10958                 enable_x2apic();
10959  
10960 @@ -1243,7 +1195,7 @@ void __cpuinit cpu_init(void)
10961  {
10962         int cpu = smp_processor_id();
10963         struct task_struct *curr = current;
10964 -       struct tss_struct *t = &per_cpu(init_tss, cpu);
10965 +       struct tss_struct *t = init_tss + cpu;
10966         struct thread_struct *thread = &curr->thread;
10967  
10968         if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10969 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/intel.c linux-3.0.9/arch/x86/kernel/cpu/intel.c
10970 --- linux-3.0.9/arch/x86/kernel/cpu/intel.c     2011-11-11 13:12:24.000000000 -0500
10971 +++ linux-3.0.9/arch/x86/kernel/cpu/intel.c     2011-11-15 20:02:59.000000000 -0500
10972 @@ -172,7 +172,7 @@ static void __cpuinit trap_init_f00f_bug
10973          * Update the IDT descriptor and reload the IDT so that
10974          * it uses the read-only mapped virtual address.
10975          */
10976 -       idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10977 +       idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10978         load_idt(&idt_descr);
10979  }
10980  #endif
10981 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/Makefile linux-3.0.9/arch/x86/kernel/cpu/Makefile
10982 --- linux-3.0.9/arch/x86/kernel/cpu/Makefile    2011-11-11 13:12:24.000000000 -0500
10983 +++ linux-3.0.9/arch/x86/kernel/cpu/Makefile    2011-11-15 20:02:59.000000000 -0500
10984 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10985  CFLAGS_REMOVE_perf_event.o = -pg
10986  endif
10987  
10988 -# Make sure load_percpu_segment has no stackprotector
10989 -nostackp := $(call cc-option, -fno-stack-protector)
10990 -CFLAGS_common.o                := $(nostackp)
10991 -
10992  obj-y                  := intel_cacheinfo.o scattered.o topology.o
10993  obj-y                  += proc.o capflags.o powerflags.o common.o
10994  obj-y                  += vmware.o hypervisor.o sched.o mshyperv.o
10995 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce.c linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce.c
10996 --- linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce.c        2011-11-11 13:12:24.000000000 -0500
10997 +++ linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce.c        2011-11-15 20:02:59.000000000 -0500
10998 @@ -46,6 +46,7 @@
10999  #include <asm/ipi.h>
11000  #include <asm/mce.h>
11001  #include <asm/msr.h>
11002 +#include <asm/local.h>
11003  
11004  #include "mce-internal.h"
11005  
11006 @@ -208,7 +209,7 @@ static void print_mce(struct mce *m)
11007                         !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11008                                 m->cs, m->ip);
11009  
11010 -               if (m->cs == __KERNEL_CS)
11011 +               if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11012                         print_symbol("{%s}", m->ip);
11013                 pr_cont("\n");
11014         }
11015 @@ -236,10 +237,10 @@ static void print_mce(struct mce *m)
11016  
11017  #define PANIC_TIMEOUT 5 /* 5 seconds */
11018  
11019 -static atomic_t mce_paniced;
11020 +static atomic_unchecked_t mce_paniced;
11021  
11022  static int fake_panic;
11023 -static atomic_t mce_fake_paniced;
11024 +static atomic_unchecked_t mce_fake_paniced;
11025  
11026  /* Panic in progress. Enable interrupts and wait for final IPI */
11027  static void wait_for_panic(void)
11028 @@ -263,7 +264,7 @@ static void mce_panic(char *msg, struct 
11029                 /*
11030                  * Make sure only one CPU runs in machine check panic
11031                  */
11032 -               if (atomic_inc_return(&mce_paniced) > 1)
11033 +               if (atomic_inc_return_unchecked(&mce_paniced) > 1)
11034                         wait_for_panic();
11035                 barrier();
11036  
11037 @@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct 
11038                 console_verbose();
11039         } else {
11040                 /* Don't log too much for fake panic */
11041 -               if (atomic_inc_return(&mce_fake_paniced) > 1)
11042 +               if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
11043                         return;
11044         }
11045         /* First print corrected ones that are still unlogged */
11046 @@ -638,7 +639,7 @@ static int mce_timed_out(u64 *t)
11047          * might have been modified by someone else.
11048          */
11049         rmb();
11050 -       if (atomic_read(&mce_paniced))
11051 +       if (atomic_read_unchecked(&mce_paniced))
11052                 wait_for_panic();
11053         if (!monarch_timeout)
11054                 goto out;
11055 @@ -1452,14 +1453,14 @@ void __cpuinit mcheck_cpu_init(struct cp
11056   */
11057  
11058  static DEFINE_SPINLOCK(mce_state_lock);
11059 -static int             open_count;             /* #times opened */
11060 +static local_t         open_count;             /* #times opened */
11061  static int             open_exclu;             /* already open exclusive? */
11062  
11063  static int mce_open(struct inode *inode, struct file *file)
11064  {
11065         spin_lock(&mce_state_lock);
11066  
11067 -       if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
11068 +       if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
11069                 spin_unlock(&mce_state_lock);
11070  
11071                 return -EBUSY;
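Review bot: `open_count` becomes a `local_t` while every access to it stays under `mce_state_lock` (the `spin_lock` at the top of this hunk and in `mce_release`), so the atomicity of `local_read`/`local_inc`/`local_dec` buys nothing on its own and the reason for the type change is not stated. Presumably the point is to keep the counter out of the `atomic_t` overflow instrumentation this patch series adds (it is a bounded open count, never a refcount an attacker can wrap), but that should be said at the declaration, e.g. `/* guarded by mce_state_lock; local_t only to avoid atomic_t overflow checks */`, so the next reader does not "fix" it back to a plain int or an atomic_t.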
11072 @@ -1467,7 +1468,7 @@ static int mce_open(struct inode *inode,
11073  
11074         if (file->f_flags & O_EXCL)
11075                 open_exclu = 1;
11076 -       open_count++;
11077 +       local_inc(&open_count);
11078  
11079         spin_unlock(&mce_state_lock);
11080  
11081 @@ -1478,7 +1479,7 @@ static int mce_release(struct inode *ino
11082  {
11083         spin_lock(&mce_state_lock);
11084  
11085 -       open_count--;
11086 +       local_dec(&open_count);
11087         open_exclu = 0;
11088  
11089         spin_unlock(&mce_state_lock);
11090 @@ -2163,7 +2164,7 @@ struct dentry *mce_get_debugfs_dir(void)
11091  static void mce_reset(void)
11092  {
11093         cpu_missing = 0;
11094 -       atomic_set(&mce_fake_paniced, 0);
11095 +       atomic_set_unchecked(&mce_fake_paniced, 0);
11096         atomic_set(&mce_executing, 0);
11097         atomic_set(&mce_callin, 0);
11098         atomic_set(&global_nwo, 0);
11099 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce-inject.c
11100 --- linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-11 13:12:24.000000000 -0500
11101 +++ linux-3.0.9/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-15 20:02:59.000000000 -0500
11102 @@ -215,7 +215,9 @@ static int inject_init(void)
11103         if (!alloc_cpumask_var(&mce_inject_cpumask, GFP_KERNEL))
11104                 return -ENOMEM;
11105         printk(KERN_INFO "Machine check injector initialized\n");
11106 -       mce_chrdev_ops.write = mce_write;
11107 +       pax_open_kernel();
11108 +       *(void **)&mce_chrdev_ops.write = mce_write;
11109 +       pax_close_kernel();
11110         register_die_notifier(&mce_raise_nb);
11111         return 0;
11112  }
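Review bot: The store to `mce_chrdev_ops.write` is now done through `*(void **)&`, which casts away whatever qualifier made the plain assignment illegal — presumably `file_operations` is const/`__do_const` in this tree so the object lives in read-only data, which is why it is bracketed by `pax_open_kernel()`/`pax_close_kernel()`. Writing through a cast to a const-qualified object is undefined behaviour in C, so a compiler that has already folded a read of `mce_chrdev_ops.write` elsewhere may legitimately keep the stale value; that is a property of the whole `__do_const` scheme, not of this site, but the site should say what it relies on, e.g. `/* mce_chrdev_ops is const (__do_const): patch the slot while kernel RO data is writable */`. The window between open and close is three lines and does not sleep, which is what it should stay.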
11113 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/mtrr/main.c linux-3.0.9/arch/x86/kernel/cpu/mtrr/main.c
11114 --- linux-3.0.9/arch/x86/kernel/cpu/mtrr/main.c 2011-11-11 13:12:24.000000000 -0500
11115 +++ linux-3.0.9/arch/x86/kernel/cpu/mtrr/main.c 2011-11-15 20:02:59.000000000 -0500
11116 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
11117  u64 size_or_mask, size_and_mask;
11118  static bool mtrr_aps_delayed_init;
11119  
11120 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11121 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11122  
11123  const struct mtrr_ops *mtrr_if;
11124  
11125 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/mtrr/mtrr.h linux-3.0.9/arch/x86/kernel/cpu/mtrr/mtrr.h
11126 --- linux-3.0.9/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-11 13:12:24.000000000 -0500
11127 +++ linux-3.0.9/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-15 20:02:59.000000000 -0500
11128 @@ -25,7 +25,7 @@ struct mtrr_ops {
11129         int     (*validate_add_page)(unsigned long base, unsigned long size,
11130                                      unsigned int type);
11131         int     (*have_wrcomb)(void);
11132 -};
11133 +} __do_const;
11134  
11135  extern int generic_get_free_region(unsigned long base, unsigned long size,
11136                                    int replace_reg);
11137 diff -urNp linux-3.0.9/arch/x86/kernel/cpu/perf_event.c linux-3.0.9/arch/x86/kernel/cpu/perf_event.c
11138 --- linux-3.0.9/arch/x86/kernel/cpu/perf_event.c        2011-11-11 13:12:24.000000000 -0500
11139 +++ linux-3.0.9/arch/x86/kernel/cpu/perf_event.c        2011-11-15 20:02:59.000000000 -0500
11140 @@ -781,6 +781,8 @@ static int x86_schedule_events(struct cp
11141         int i, j, w, wmax, num = 0;
11142         struct hw_perf_event *hwc;
11143  
11144 +       pax_track_stack();
11145 +
11146         bitmap_zero(used_mask, X86_PMC_IDX_MAX);
11147  
11148         for (i = 0; i < n; i++) {
11149 @@ -1875,7 +1877,7 @@ perf_callchain_user(struct perf_callchai
11150                         break;
11151  
11152                 perf_callchain_store(entry, frame.return_address);
11153 -               fp = frame.next_frame;
11154 +               fp = (const void __force_user *)frame.next_frame;
11155         }
11156  }
11157  
11158 diff -urNp linux-3.0.9/arch/x86/kernel/crash.c linux-3.0.9/arch/x86/kernel/crash.c
11159 --- linux-3.0.9/arch/x86/kernel/crash.c 2011-11-11 13:12:24.000000000 -0500
11160 +++ linux-3.0.9/arch/x86/kernel/crash.c 2011-11-15 20:02:59.000000000 -0500
11161 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu, 
11162         regs = args->regs;
11163  
11164  #ifdef CONFIG_X86_32
11165 -       if (!user_mode_vm(regs)) {
11166 +       if (!user_mode(regs)) {
11167                 crash_fixup_ss_esp(&fixed_regs, regs);
11168                 regs = &fixed_regs;
11169         }
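Review bot: `user_mode_vm(regs)` → `user_mode(regs)` is only equivalent if this patch also redefines `user_mode()` to account for `X86_EFLAGS_VM`; in mainline 32-bit `user_mode()` looks only at the CS RPL and reports a vm86 frame as kernel mode, in which case this path would run `crash_fixup_ss_esp()` on user registers. That redefinition is not visible in this hunk (the same substitution appears in several dumpstack hunks below), so a short comment here or in the series description pointing at where `user_mode()` gained the VM check would save the next reader from re-deriving the argument. kdump_nmi_callback starts before this hunk.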
11170 diff -urNp linux-3.0.9/arch/x86/kernel/doublefault_32.c linux-3.0.9/arch/x86/kernel/doublefault_32.c
11171 --- linux-3.0.9/arch/x86/kernel/doublefault_32.c        2011-11-11 13:12:24.000000000 -0500
11172 +++ linux-3.0.9/arch/x86/kernel/doublefault_32.c        2011-11-15 20:02:59.000000000 -0500
11173 @@ -11,7 +11,7 @@
11174  
11175  #define DOUBLEFAULT_STACKSIZE (1024)
11176  static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11177 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11178 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11179  
11180  #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
11181  
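Review bot: `STACK_START` now points two words below the end of `doublefault_stack` with no explanation; an unexplained `-2` in a stack-top definition is exactly the kind of thing a later cleanup "corrects" back to the array end. State what the two words are reserved for in a comment on the `#define`, e.g. `/* leave 2 words of headroom above the initial sp — TODO confirm what the hardware task switch/first push needs */`, hedged until the actual reason is written down by the author.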
11182 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
11183         unsigned long gdt, tss;
11184  
11185         store_gdt(&gdt_desc);
11186 -       gdt = gdt_desc.address;
11187 +       gdt = (unsigned long)gdt_desc.address;
11188  
11189         printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11190  
11191 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11192                 /* 0x2 bit is always set */
11193                 .flags          = X86_EFLAGS_SF | 0x2,
11194                 .sp             = STACK_START,
11195 -               .es             = __USER_DS,
11196 +               .es             = __KERNEL_DS,
11197                 .cs             = __KERNEL_CS,
11198                 .ss             = __KERNEL_DS,
11199 -               .ds             = __USER_DS,
11200 +               .ds             = __KERNEL_DS,
11201                 .fs             = __KERNEL_PERCPU,
11202  
11203                 .__cr3          = __pa_nodebug(swapper_pg_dir),
11204 diff -urNp linux-3.0.9/arch/x86/kernel/dumpstack_32.c linux-3.0.9/arch/x86/kernel/dumpstack_32.c
11205 --- linux-3.0.9/arch/x86/kernel/dumpstack_32.c  2011-11-11 13:12:24.000000000 -0500
11206 +++ linux-3.0.9/arch/x86/kernel/dumpstack_32.c  2011-11-15 20:02:59.000000000 -0500
11207 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
11208                 bp = stack_frame(task, regs);
11209  
11210         for (;;) {
11211 -               struct thread_info *context;
11212 +               void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11213  
11214 -               context = (struct thread_info *)
11215 -                       ((unsigned long)stack & (~(THREAD_SIZE - 1)));
11216 -               bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
11217 +               bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11218  
11219 -               stack = (unsigned long *)context->previous_esp;
11220 -               if (!stack)
11221 +               if (stack_start == task_stack_page(task))
11222                         break;
11223 +               stack = *(unsigned long **)stack_start;
11224                 if (ops->stack(data, "IRQ") < 0)
11225                         break;
11226                 touch_nmi_watchdog();
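Review bot: The rewritten loop drops the `if (!stack) break;` guard that the old `context->previous_esp` walk had: `stack = *(unsigned long **)stack_start;` trusts the first word of the current stack page, and if that word is 0 (or garbage) the next iteration derives `stack_start` from it and dereferences it with no validation, so a stack dump during an oops can itself fault. The only remaining exit is `stack_start == task_stack_page(task)`, which is never reached once the chain is broken. Keep the guard: `stack = *(unsigned long **)stack_start; if (!stack) break;` before the `ops->stack(data, "IRQ")` call. The assumption that the bottom word of each IRQ stack holds the previous stack pointer should also be stated in a comment, since this hunk does not show where it is written. dump_trace starts before this hunk.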
11227 @@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
11228          * When in-kernel, we also print out the stack and code at the
11229          * time of the fault..
11230          */
11231 -       if (!user_mode_vm(regs)) {
11232 +       if (!user_mode(regs)) {
11233                 unsigned int code_prologue = code_bytes * 43 / 64;
11234                 unsigned int code_len = code_bytes;
11235                 unsigned char c;
11236                 u8 *ip;
11237 +               unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11238  
11239                 printk(KERN_EMERG "Stack:\n");
11240                 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
11241  
11242                 printk(KERN_EMERG "Code: ");
11243  
11244 -               ip = (u8 *)regs->ip - code_prologue;
11245 +               ip = (u8 *)regs->ip - code_prologue + cs_base;
11246                 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11247                         /* try starting at IP */
11248 -                       ip = (u8 *)regs->ip;
11249 +                       ip = (u8 *)regs->ip + cs_base;
11250                         code_len = code_len - code_prologue + 1;
11251                 }
11252                 for (i = 0; i < code_len; i++, ip++) {
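Review bot: `cs_base` is read from `get_cpu_gdt_table(...)[(0xffff & regs->cs) >> 3]` with no check that the selector is a GDT selector within range; this code runs precisely when the kernel has already oopsed, so a corrupted frame with the TI bit set or an index past the end of the GDT can make the diagnostic dump fault a second time. A cheap guard keeps the dump best-effort: `unsigned long cs_base = 0; if (!(regs->cs & 4) && (regs->cs >> 3) < GDT_ENTRIES) cs_base = get_desc_base(...);`. A one-line comment should also say why a base is needed at all (presumably the KERNEXEC kernel code segment has a non-zero base so `regs->ip` is segment-relative — confirm). show_registers starts before this hunk.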
11253 @@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
11254                                 printk(" Bad EIP value.");
11255                                 break;
11256                         }
11257 -                       if (ip == (u8 *)regs->ip)
11258 +                       if (ip == (u8 *)regs->ip + cs_base)
11259                                 printk("<%02x> ", c);
11260                         else
11261                                 printk("%02x ", c);
11262 @@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
11263  {
11264         unsigned short ud2;
11265  
11266 +       ip = ktla_ktva(ip);
11267         if (ip < PAGE_OFFSET)
11268                 return 0;
11269         if (probe_kernel_address((unsigned short *)ip, ud2))
11270 diff -urNp linux-3.0.9/arch/x86/kernel/dumpstack_64.c linux-3.0.9/arch/x86/kernel/dumpstack_64.c
11271 --- linux-3.0.9/arch/x86/kernel/dumpstack_64.c  2011-11-11 13:12:24.000000000 -0500
11272 +++ linux-3.0.9/arch/x86/kernel/dumpstack_64.c  2011-11-15 20:02:59.000000000 -0500
11273 @@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task
11274         unsigned long *irq_stack_end =
11275                 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
11276         unsigned used = 0;
11277 -       struct thread_info *tinfo;
11278         int graph = 0;
11279         unsigned long dummy;
11280 +       void *stack_start;
11281  
11282         if (!task)
11283                 task = current;
11284 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
11285          * current stack address. If the stacks consist of nested
11286          * exceptions
11287          */
11288 -       tinfo = task_thread_info(task);
11289         for (;;) {
11290                 char *id;
11291                 unsigned long *estack_end;
11292 +
11293                 estack_end = in_exception_stack(cpu, (unsigned long)stack,
11294                                                 &used, &id);
11295  
11296 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
11297                         if (ops->stack(data, id) < 0)
11298                                 break;
11299  
11300 -                       bp = ops->walk_stack(tinfo, stack, bp, ops,
11301 +                       bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
11302                                              data, estack_end, &graph);
11303                         ops->stack(data, "<EOE>");
11304                         /*
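Review bot: `estack_end - EXCEPTION_STKSZ` does pointer arithmetic on an `unsigned long *` (`estack_end` is declared as such a few lines above), so it steps back EXCEPTION_STKSZ words, `sizeof(unsigned long)` times the intended byte size, whereas the `irq_stack` start passed in the next hunk and the `THREAD_SIZE` masks elsewhere are byte-based. It is harmless today only because `valid_stack_ptr()` (dumpstack.c hunk below) ignores the start pointer whenever `end` is non-NULL, but anyone who later uses `stack_start` for the exception stack gets a wrong value. Suggest `(void *)estack_end - EXCEPTION_STKSZ` to match the byte arithmetic in valid_stack_ptr. dump_trace starts before this hunk.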
11305 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
11306                         if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
11307                                 if (ops->stack(data, "IRQ") < 0)
11308                                         break;
11309 -                               bp = ops->walk_stack(tinfo, stack, bp,
11310 +                               bp = ops->walk_stack(task, irq_stack, stack, bp,
11311                                         ops, data, irq_stack_end, &graph);
11312                                 /*
11313                                  * We link to the next stack (which would be
11314 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
11315         /*
11316          * This handles the process stack:
11317          */
11318 -       bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
11319 +       stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11320 +       bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11321         put_cpu();
11322  }
11323  EXPORT_SYMBOL(dump_trace);
11324 diff -urNp linux-3.0.9/arch/x86/kernel/dumpstack.c linux-3.0.9/arch/x86/kernel/dumpstack.c
11325 --- linux-3.0.9/arch/x86/kernel/dumpstack.c     2011-11-11 13:12:24.000000000 -0500
11326 +++ linux-3.0.9/arch/x86/kernel/dumpstack.c     2011-11-15 20:02:59.000000000 -0500
11327 @@ -2,6 +2,9 @@
11328   *  Copyright (C) 1991, 1992  Linus Torvalds
11329   *  Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11330   */
11331 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11332 +#define __INCLUDED_BY_HIDESYM 1
11333 +#endif
11334  #include <linux/kallsyms.h>
11335  #include <linux/kprobes.h>
11336  #include <linux/uaccess.h>
11337 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
11338  static void
11339  print_ftrace_graph_addr(unsigned long addr, void *data,
11340                         const struct stacktrace_ops *ops,
11341 -                       struct thread_info *tinfo, int *graph)
11342 +                       struct task_struct *task, int *graph)
11343  {
11344 -       struct task_struct *task = tinfo->task;
11345         unsigned long ret_addr;
11346         int index = task->curr_ret_stack;
11347  
11348 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
11349  static inline void
11350  print_ftrace_graph_addr(unsigned long addr, void *data,
11351                         const struct stacktrace_ops *ops,
11352 -                       struct thread_info *tinfo, int *graph)
11353 +                       struct task_struct *task, int *graph)
11354  { }
11355  #endif
11356  
11357 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
11358   * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
11359   */
11360  
11361 -static inline int valid_stack_ptr(struct thread_info *tinfo,
11362 -                       void *p, unsigned int size, void *end)
11363 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
11364  {
11365 -       void *t = tinfo;
11366         if (end) {
11367                 if (p < end && p >= (end-THREAD_SIZE))
11368                         return 1;
11369 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
11370  }
11371  
11372  unsigned long
11373 -print_context_stack(struct thread_info *tinfo,
11374 +print_context_stack(struct task_struct *task, void *stack_start,
11375                 unsigned long *stack, unsigned long bp,
11376                 const struct stacktrace_ops *ops, void *data,
11377                 unsigned long *end, int *graph)
11378  {
11379         struct stack_frame *frame = (struct stack_frame *)bp;
11380  
11381 -       while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
11382 +       while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
11383                 unsigned long addr;
11384  
11385                 addr = *stack;
11386 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
11387                         } else {
11388                                 ops->address(data, addr, 0);
11389                         }
11390 -                       print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11391 +                       print_ftrace_graph_addr(addr, data, ops, task, graph);
11392                 }
11393                 stack++;
11394         }
11395 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
11396  EXPORT_SYMBOL_GPL(print_context_stack);
11397  
11398  unsigned long
11399 -print_context_stack_bp(struct thread_info *tinfo,
11400 +print_context_stack_bp(struct task_struct *task, void *stack_start,
11401                        unsigned long *stack, unsigned long bp,
11402                        const struct stacktrace_ops *ops, void *data,
11403                        unsigned long *end, int *graph)
11404 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
11405         struct stack_frame *frame = (struct stack_frame *)bp;
11406         unsigned long *ret_addr = &frame->return_address;
11407  
11408 -       while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
11409 +       while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
11410                 unsigned long addr = *ret_addr;
11411  
11412                 if (!__kernel_text_address(addr))
11413 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
11414                 ops->address(data, addr, 1);
11415                 frame = frame->next_frame;
11416                 ret_addr = &frame->return_address;
11417 -               print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11418 +               print_ftrace_graph_addr(addr, data, ops, task, graph);
11419         }
11420  
11421         return (unsigned long)frame;
11422 @@ -186,7 +186,7 @@ void dump_stack(void)
11423  
11424         bp = stack_frame(current, NULL);
11425         printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11426 -               current->pid, current->comm, current->xid, print_tainted(),
11427 +               task_pid_nr(current), current->comm, current->xid, print_tainted(),
11428                 init_utsname()->release,
11429                 (int)strcspn(init_utsname()->version, " "),
11430                 init_utsname()->version);
11431 @@ -222,6 +222,8 @@ unsigned __kprobes long oops_begin(void)
11432  }
11433  EXPORT_SYMBOL_GPL(oops_begin);
11434  
11435 +extern void gr_handle_kernel_exploit(void);
11436 +
11437  void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
11438  {
11439         if (regs && kexec_should_crash(current))
11440 @@ -243,7 +245,10 @@ void __kprobes oops_end(unsigned long fl
11441                 panic("Fatal exception in interrupt");
11442         if (panic_on_oops)
11443                 panic("Fatal exception");
11444 -       do_exit(signr);
11445 +
11446 +       gr_handle_kernel_exploit();
11447 +
11448 +       do_group_exit(signr);
11449  }
11450  
11451  int __kprobes __die(const char *str, struct pt_regs *regs, long err)
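Review bot: Replacing `do_exit(signr)` with `do_group_exit(signr)` changes who dies on a kernel oops — the whole thread group instead of the faulting thread — and deserves a why-comment at the call, e.g. `/* kill the whole thread group: a sibling thread must not get to retry the same kernel bug */`, with `gr_handle_kernel_exploit()` described as the hook that applies the post-oops policy (what it does is not visible here). The `extern void gr_handle_kernel_exploit(void);` added in the hunk above is a prototype living in a .c file; it should come from the grsecurity header the rest of the tree uses so declaration and definition cannot drift.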
11452 @@ -269,7 +274,7 @@ int __kprobes __die(const char *str, str
11453  
11454         show_registers(regs);
11455  #ifdef CONFIG_X86_32
11456 -       if (user_mode_vm(regs)) {
11457 +       if (user_mode(regs)) {
11458                 sp = regs->sp;
11459                 ss = regs->ss & 0xffff;
11460         } else {
11461 @@ -297,7 +302,7 @@ void die(const char *str, struct pt_regs
11462         unsigned long flags = oops_begin();
11463         int sig = SIGSEGV;
11464  
11465 -       if (!user_mode_vm(regs))
11466 +       if (!user_mode(regs))
11467                 report_bug(regs->ip, regs);
11468  
11469         if (__die(str, regs, err))
11470 diff -urNp linux-3.0.9/arch/x86/kernel/early_printk.c linux-3.0.9/arch/x86/kernel/early_printk.c
11471 --- linux-3.0.9/arch/x86/kernel/early_printk.c  2011-11-11 13:12:24.000000000 -0500
11472 +++ linux-3.0.9/arch/x86/kernel/early_printk.c  2011-11-15 20:02:59.000000000 -0500
11473 @@ -7,6 +7,7 @@
11474  #include <linux/pci_regs.h>
11475  #include <linux/pci_ids.h>
11476  #include <linux/errno.h>
11477 +#include <linux/sched.h>
11478  #include <asm/io.h>
11479  #include <asm/processor.h>
11480  #include <asm/fcntl.h>
11481 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char 
11482         int n;
11483         va_list ap;
11484  
11485 +       pax_track_stack();
11486 +
11487         va_start(ap, fmt);
11488         n = vscnprintf(buf, sizeof(buf), fmt, ap);
11489         early_console->write(early_console, buf, n);
11490 diff -urNp linux-3.0.9/arch/x86/kernel/entry_32.S linux-3.0.9/arch/x86/kernel/entry_32.S
11491 --- linux-3.0.9/arch/x86/kernel/entry_32.S      2011-11-11 13:12:24.000000000 -0500
11492 +++ linux-3.0.9/arch/x86/kernel/entry_32.S      2011-11-15 20:02:59.000000000 -0500
11493 @@ -185,13 +185,146 @@
11494         /*CFI_REL_OFFSET gs, PT_GS*/
11495  .endm
11496  .macro SET_KERNEL_GS reg
11497 +
11498 +#ifdef CONFIG_CC_STACKPROTECTOR
11499         movl $(__KERNEL_STACK_CANARY), \reg
11500 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11501 +       movl $(__USER_DS), \reg
11502 +#else
11503 +       xorl \reg, \reg
11504 +#endif
11505 +
11506         movl \reg, %gs
11507  .endm
11508  
11509  #endif /* CONFIG_X86_32_LAZY_GS */
11510  
11511 -.macro SAVE_ALL
11512 +.macro pax_enter_kernel
11513 +#ifdef CONFIG_PAX_KERNEXEC
11514 +       call pax_enter_kernel
11515 +#endif
11516 +.endm
11517 +
11518 +.macro pax_exit_kernel
11519 +#ifdef CONFIG_PAX_KERNEXEC
11520 +       call pax_exit_kernel
11521 +#endif
11522 +.endm
11523 +
11524 +#ifdef CONFIG_PAX_KERNEXEC
11525 +ENTRY(pax_enter_kernel)
11526 +#ifdef CONFIG_PARAVIRT
11527 +       pushl %eax
11528 +       pushl %ecx
11529 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11530 +       mov %eax, %esi
11531 +#else
11532 +       mov %cr0, %esi
11533 +#endif
11534 +       bts $16, %esi
11535 +       jnc 1f
11536 +       mov %cs, %esi
11537 +       cmp $__KERNEL_CS, %esi
11538 +       jz 3f
11539 +       ljmp $__KERNEL_CS, $3f
11540 +1:     ljmp $__KERNEXEC_KERNEL_CS, $2f
11541 +2:
11542 +#ifdef CONFIG_PARAVIRT
11543 +       mov %esi, %eax
11544 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11545 +#else
11546 +       mov %esi, %cr0
11547 +#endif
11548 +3:
11549 +#ifdef CONFIG_PARAVIRT
11550 +       popl %ecx
11551 +       popl %eax
11552 +#endif
11553 +       ret
11554 +ENDPROC(pax_enter_kernel)
11555 +
11556 +ENTRY(pax_exit_kernel)
11557 +#ifdef CONFIG_PARAVIRT
11558 +       pushl %eax
11559 +       pushl %ecx
11560 +#endif
11561 +       mov %cs, %esi
11562 +       cmp $__KERNEXEC_KERNEL_CS, %esi
11563 +       jnz 2f
11564 +#ifdef CONFIG_PARAVIRT
11565 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11566 +       mov %eax, %esi
11567 +#else
11568 +       mov %cr0, %esi
11569 +#endif
11570 +       btr $16, %esi
11571 +       ljmp $__KERNEL_CS, $1f
11572 +1:
11573 +#ifdef CONFIG_PARAVIRT
11574 +       mov %esi, %eax
11575 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11576 +#else
11577 +       mov %esi, %cr0
11578 +#endif
11579 +2:
11580 +#ifdef CONFIG_PARAVIRT
11581 +       popl %ecx
11582 +       popl %eax
11583 +#endif
11584 +       ret
11585 +ENDPROC(pax_exit_kernel)
11586 +#endif
11587 +
11588 +.macro pax_erase_kstack
11589 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11590 +       call pax_erase_kstack
11591 +#endif
11592 +.endm
11593 +
11594 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11595 +/*
11596 + * ebp: thread_info
11597 + * ecx, edx: can be clobbered
11598 + */
11599 +ENTRY(pax_erase_kstack)
11600 +       pushl %edi
11601 +       pushl %eax
11602 +
11603 +       mov TI_lowest_stack(%ebp), %edi
11604 +       mov $-0xBEEF, %eax
11605 +       std
11606 +
11607 +1:     mov %edi, %ecx
11608 +       and $THREAD_SIZE_asm - 1, %ecx
11609 +       shr $2, %ecx
11610 +       repne scasl
11611 +       jecxz 2f
11612 +
11613 +       cmp $2*16, %ecx
11614 +       jc 2f
11615 +
11616 +       mov $2*16, %ecx
11617 +       repe scasl
11618 +       jecxz 2f
11619 +       jne 1b
11620 +
11621 +2:     cld
11622 +       mov %esp, %ecx
11623 +       sub %edi, %ecx
11624 +       shr $2, %ecx
11625 +       rep stosl
11626 +
11627 +       mov TI_task_thread_sp0(%ebp), %edi
11628 +       sub $128, %edi
11629 +       mov %edi, TI_lowest_stack(%ebp)
11630 +
11631 +       popl %eax
11632 +       popl %edi
11633 +       ret
11634 +ENDPROC(pax_erase_kstack)
11635 +#endif
11636 +
11637 +.macro __SAVE_ALL _DS
11638         cld
11639         PUSH_GS
11640         pushl_cfi %fs
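Review bot: `pax_enter_kernel` and `pax_exit_kernel` use `%esi` as scratch (`mov %cr0, %esi`, `mov %cs, %esi`) but, unlike `pax_erase_kstack` whose header lists its register contract, carry no comment saying so; callers are safe only because `SAVE_ALL` has already pushed `%esi` into pt_regs, and the paravirt variant saves just `%eax`/`%ecx` around the pv calls. Add a header to both, e.g. `/* clobbers %esi — only callable after the caller has saved it (SAVE_ALL) */`, and extend the `pax_erase_kstack` header to say it sets DF with `std` and relies on its own trailing `cld` (and on every entry path's `cld`) to restore the ABI-required DF=0 before any C code runs.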
11641 @@ -214,7 +347,7 @@
11642         CFI_REL_OFFSET ecx, 0
11643         pushl_cfi %ebx
11644         CFI_REL_OFFSET ebx, 0
11645 -       movl $(__USER_DS), %edx
11646 +       movl $\_DS, %edx
11647         movl %edx, %ds
11648         movl %edx, %es
11649         movl $(__KERNEL_PERCPU), %edx
11650 @@ -222,6 +355,15 @@
11651         SET_KERNEL_GS %edx
11652  .endm
11653  
11654 +.macro SAVE_ALL
11655 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11656 +       __SAVE_ALL __KERNEL_DS
11657 +       pax_enter_kernel
11658 +#else
11659 +       __SAVE_ALL __USER_DS
11660 +#endif
11661 +.endm
11662 +
11663  .macro RESTORE_INT_REGS
11664         popl_cfi %ebx
11665         CFI_RESTORE ebx
11666 @@ -307,7 +449,7 @@ ENTRY(ret_from_fork)
11667         popfl_cfi
11668         jmp syscall_exit
11669         CFI_ENDPROC
11670 -END(ret_from_fork)
11671 +ENDPROC(ret_from_fork)
11672  
11673  /*
11674   * Interrupt exit functions should be protected against kprobes
11675 @@ -332,7 +474,15 @@ check_userspace:
11676         movb PT_CS(%esp), %al
11677         andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11678         cmpl $USER_RPL, %eax
11679 +
11680 +#ifdef CONFIG_PAX_KERNEXEC
11681 +       jae resume_userspace
11682 +
11683 +       PAX_EXIT_KERNEL
11684 +       jmp resume_kernel
11685 +#else
11686         jb resume_kernel                # not returning to v8086 or userspace
11687 +#endif
11688  
11689  ENTRY(resume_userspace)
11690         LOCKDEP_SYS_EXIT
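Review bot: The macro defined earlier in this file is `pax_exit_kernel` (lowercase) but it is invoked here as `PAX_EXIT_KERNEL`; gas appears to match macro names case-insensitively so this assembles, but the two spellings read as different things and defeat a grep for call sites. Use `pax_exit_kernel` here as in the rest of the file. The inverted branch (`jae resume_userspace`, then fall through into the exit and `jmp resume_kernel`) would also benefit from a one-line comment stating that the KERNEXEC exit must run only when returning to kernel context, since the non-KERNEXEC branch keeps the original `jb resume_kernel` shape.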
11691 @@ -344,8 +494,8 @@ ENTRY(resume_userspace)
11692         andl $_TIF_WORK_MASK, %ecx      # is there any work to be done on
11693                                         # int/exception return?
11694         jne work_pending
11695 -       jmp restore_all
11696 -END(ret_from_exception)
11697 +       jmp restore_all_pax
11698 +ENDPROC(ret_from_exception)
11699  
11700  #ifdef CONFIG_PREEMPT
11701  ENTRY(resume_kernel)
11702 @@ -360,7 +510,7 @@ need_resched:
11703         jz restore_all
11704         call preempt_schedule_irq
11705         jmp need_resched
11706 -END(resume_kernel)
11707 +ENDPROC(resume_kernel)
11708  #endif
11709         CFI_ENDPROC
11710  /*
11711 @@ -394,23 +544,34 @@ sysenter_past_esp:
11712         /*CFI_REL_OFFSET cs, 0*/
11713         /*
11714          * Push current_thread_info()->sysenter_return to the stack.
11715 -        * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11716 -        * pushed above; +8 corresponds to copy_thread's esp0 setting.
11717          */
11718 -       pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
11719 +       pushl_cfi $0
11720         CFI_REL_OFFSET eip, 0
11721  
11722         pushl_cfi %eax
11723         SAVE_ALL
11724 +       GET_THREAD_INFO(%ebp)
11725 +       movl TI_sysenter_return(%ebp),%ebp
11726 +       movl %ebp,PT_EIP(%esp)
11727         ENABLE_INTERRUPTS(CLBR_NONE)
11728  
11729  /*
11730   * Load the potential sixth argument from user stack.
11731   * Careful about security.
11732   */
11733 +       movl PT_OLDESP(%esp),%ebp
11734 +
11735 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11736 +       mov PT_OLDSS(%esp),%ds
11737 +1:     movl %ds:(%ebp),%ebp
11738 +       push %ss
11739 +       pop %ds
11740 +#else
11741         cmpl $__PAGE_OFFSET-3,%ebp
11742         jae syscall_fault
11743  1:     movl (%ebp),%ebp
11744 +#endif
11745 +
11746         movl %ebp,PT_EBP(%esp)
11747  .section __ex_table,"a"
11748         .align 4
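Review bot: Under UDEREF the sixth-argument load runs with `%ds` loaded from `PT_OLDSS` and restores the kernel `%ds` with `push %ss; pop %ds` only on the non-faulting path; if the access at label `1:` faults, the exception-table fixup (its target is not in this hunk) is entered with the user selector still in `%ds`, so `syscall_fault` must reload `%ds` itself before touching kernel data through DS — confirm it does, or move the restore into the fixup. A comment on the `mov PT_OLDSS(%esp),%ds` line should also say that the user segment limit is what replaces the removed `cmpl $__PAGE_OFFSET-3,%ebp` bound check, and that `PT_OLDSS` is safe to load because sysenter entry pushes a constant `__USER_DS` there. ia32_sysenter_target starts before this hunk.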
11749 @@ -433,12 +594,24 @@ sysenter_do_call:
11750         testl $_TIF_ALLWORK_MASK, %ecx
11751         jne sysexit_audit
11752  sysenter_exit:
11753 +
11754 +#ifdef CONFIG_PAX_RANDKSTACK
11755 +       pushl_cfi %eax
11756 +       movl %esp, %eax
11757 +       call pax_randomize_kstack
11758 +       popl_cfi %eax
11759 +#endif
11760 +
11761 +       pax_erase_kstack
11762 +
11763  /* if something modifies registers it must also disable sysexit */
11764         movl PT_EIP(%esp), %edx
11765         movl PT_OLDESP(%esp), %ecx
11766         xorl %ebp,%ebp
11767         TRACE_IRQS_ON
11768  1:     mov  PT_FS(%esp), %fs
11769 +2:     mov  PT_DS(%esp), %ds
11770 +3:     mov  PT_ES(%esp), %es
11771         PTGS_TO_GS
11772         ENABLE_INTERRUPTS_SYSEXIT
11773  
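Review bot: `pax_erase_kstack` requires `%ebp` to hold thread_info (its header says so), and at `sysenter_exit` that is true only because the `movl TI_flags(%ebp), %ecx` just above happened to use it; the dependency is implicit and will break silently if the flag test is ever rewritten. Add `# %ebp still holds thread_info (needed by pax_erase_kstack)` before the call. The RANDKSTACK block pushes `%eax`, calls `pax_randomize_kstack` with `%eax = %esp`, then pops from the same stack, so it presumably only changes the TSS sp0 for the next entry and not the live `%esp` — confirm and state that in a comment, since a reader cannot tell from this hunk.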
11774 @@ -455,6 +628,9 @@ sysenter_audit:
11775         movl %eax,%edx                  /* 2nd arg: syscall number */
11776         movl $AUDIT_ARCH_I386,%eax      /* 1st arg: audit arch */
11777         call audit_syscall_entry
11778 +
11779 +       pax_erase_kstack
11780 +
11781         pushl_cfi %ebx
11782         movl PT_EAX(%esp),%eax          /* reload syscall number */
11783         jmp sysenter_do_call
11784 @@ -481,11 +657,17 @@ sysexit_audit:
11785  
11786         CFI_ENDPROC
11787  .pushsection .fixup,"ax"
11788 -2:     movl $0,PT_FS(%esp)
11789 +4:     movl $0,PT_FS(%esp)
11790 +       jmp 1b
11791 +5:     movl $0,PT_DS(%esp)
11792 +       jmp 1b
11793 +6:     movl $0,PT_ES(%esp)
11794         jmp 1b
11795  .section __ex_table,"a"
11796         .align 4
11797 -       .long 1b,2b
11798 +       .long 1b,4b
11799 +       .long 2b,5b
11800 +       .long 3b,6b
11801  .popsection
11802         PTGS_TO_GS_EX
11803  ENDPROC(ia32_sysenter_target)
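Review bot: The fixup stubs `5:` and `6:` added for the new %ds/%es loads both `jmp 1b`, which re-runs the already-successful `mov PT_FS(%esp), %fs` (and, for `6:`, the %ds load as well) before retrying the load that actually faulted; `jmp 2b` and `jmp 3b` respectively would resume at the faulting instruction and keep each fixup visibly paired with its __ex_table entry. The repeated loads succeed with identical values, so this is a readability point rather than a correctness one. Suggested: `5: movl $0,PT_DS(%esp); jmp 2b` and `6: movl $0,PT_ES(%esp); jmp 3b`.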
11804 @@ -518,6 +700,15 @@ syscall_exit:
11805         testl $_TIF_ALLWORK_MASK, %ecx  # current->work
11806         jne syscall_exit_work
11807  
11808 +restore_all_pax:
11809 +
11810 +#ifdef CONFIG_PAX_RANDKSTACK
11811 +       movl %esp, %eax
11812 +       call pax_randomize_kstack
11813 +#endif
11814 +
11815 +       pax_erase_kstack
11816 +
11817  restore_all:
11818         TRACE_IRQS_IRET
11819  restore_all_notrace:
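Review bot: restore_all_pax silently assumes it is only reached on the way back to user mode, since randomizing and scrubbing the kernel stack makes no sense for the kernel-to-kernel returns that also flow into restore_all; nothing at the label says so, and only work_pending's jump is retargeted in this patch, so any other user-return path that still jumps straight to restore_all (resume_userspace is outside these hunks) would skip both steps unnoticed. A comment such as `# user-mode returns only: randomize and scrub the kernel stack, then fall into restore_all` on the new label, plus a note on why %eax needs no save here unlike the sysenter_exit call, would make the contract reviewable.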
11820 @@ -577,14 +768,34 @@ ldt_ss:
11821   * compensating for the offset by changing to the ESPFIX segment with
11822   * a base address that matches for the difference.
11823   */
11824 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11825 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11826         mov %esp, %edx                  /* load kernel esp */
11827         mov PT_OLDESP(%esp), %eax       /* load userspace esp */
11828         mov %dx, %ax                    /* eax: new kernel esp */
11829         sub %eax, %edx                  /* offset (low word is 0) */
11830 +#ifdef CONFIG_SMP
11831 +       movl PER_CPU_VAR(cpu_number), %ebx
11832 +       shll $PAGE_SHIFT_asm, %ebx
11833 +       addl $cpu_gdt_table, %ebx
11834 +#else
11835 +       movl $cpu_gdt_table, %ebx
11836 +#endif
11837         shr $16, %edx
11838 -       mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11839 -       mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11840 +
11841 +#ifdef CONFIG_PAX_KERNEXEC
11842 +       mov %cr0, %esi
11843 +       btr $16, %esi
11844 +       mov %esi, %cr0
11845 +#endif
11846 +
11847 +       mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11848 +       mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11849 +
11850 +#ifdef CONFIG_PAX_KERNEXEC
11851 +       bts $16, %esi
11852 +       mov %esi, %cr0
11853 +#endif
11854 +
11855         pushl_cfi $__ESPFIX_SS
11856         pushl_cfi %eax                  /* new kernel esp */
11857         /* Disable interrupts, but do not irqtrace this section: we
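Review bot: The CR0.WP clear at `btr $16, %esi` / `mov %esi, %cr0` opens a window in which the GDT write runs with write protection off, and the `DISABLE_INTERRUPTS(CLBR_EFLAGS)` that the trailing comment refers to comes after the two pushes rather than before this window. The usual paths into restore_all appear to arrive with interrupts already off, but an NMI can still land here, so whether the second `mov %dh, 7 + GDT_ESPFIX_SS` survives depends on the 32-bit pax_enter_kernel/pax_exit_kernel pair (outside this hunk) handing back the interrupted WP state on exit; a comment stating that assumption, e.g. `# WP stays clear until the bts below; nested entries must restore it unchanged`, would keep it auditable. Separately, `GDT_ESPFIX_SS` is now an %ebx-relative operand rather than a per-CPU symbol, which deserves a comment on the `#define` since every future user has to load %ebx first.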
11858 @@ -613,34 +824,28 @@ work_resched:
11859         movl TI_flags(%ebp), %ecx
11860         andl $_TIF_WORK_MASK, %ecx      # is there any work to be done other
11861                                         # than syscall tracing?
11862 -       jz restore_all
11863 +       jz restore_all_pax
11864         testb $_TIF_NEED_RESCHED, %cl
11865         jnz work_resched
11866  
11867  work_notifysig:                                # deal with pending signals and
11868                                         # notify-resume requests
11869 +       movl %esp, %eax
11870  #ifdef CONFIG_VM86
11871         testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11872 -       movl %esp, %eax
11873 -       jne work_notifysig_v86          # returning to kernel-space or
11874 +       jz 1f                           # returning to kernel-space or
11875                                         # vm86-space
11876 -       xorl %edx, %edx
11877 -       call do_notify_resume
11878 -       jmp resume_userspace_sig
11879  
11880 -       ALIGN
11881 -work_notifysig_v86:
11882         pushl_cfi %ecx                  # save ti_flags for do_notify_resume
11883         call save_v86_state             # %eax contains pt_regs pointer
11884         popl_cfi %ecx
11885         movl %eax, %esp
11886 -#else
11887 -       movl %esp, %eax
11888 +1:
11889  #endif
11890         xorl %edx, %edx
11891         call do_notify_resume
11892         jmp resume_userspace_sig
11893 -END(work_pending)
11894 +ENDPROC(work_pending)
11895  
11896         # perform syscall exit tracing
11897         ALIGN
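Review bot: The comment `# returning to kernel-space or` / `# vm86-space` now annotates `jz 1f`, but it described the target of the removed `jne work_notifysig_v86`; after the inversion the branch is taken exactly when the task is not in vm86 mode, so the comment reads backwards. Suggest `jz 1f    # not a vm86 task: nothing to unwind` on that line and `# vm86 task: fetch the real user registers from the v86 area` above `call save_v86_state`. Hoisting `movl %esp, %eax` out of the #ifdef is fine, since save_v86_state's own comment already says %eax carries the pt_regs pointer.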
11898 @@ -648,11 +853,14 @@ syscall_trace_entry:
11899         movl $-ENOSYS,PT_EAX(%esp)
11900         movl %esp, %eax
11901         call syscall_trace_enter
11902 +
11903 +       pax_erase_kstack
11904 +
11905         /* What it returned is what we'll actually use.  */
11906         cmpl $(nr_syscalls), %eax
11907         jnae syscall_call
11908         jmp syscall_exit
11909 -END(syscall_trace_entry)
11910 +ENDPROC(syscall_trace_entry)
11911  
11912         # perform syscall exit tracing
11913         ALIGN
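Review bot: `pax_erase_kstack` is inserted between `call syscall_trace_enter` and `cmpl $(nr_syscalls), %eax`, so the 32-bit pax_erase_kstack (defined outside this hunk) must preserve %eax, the syscall number syscall_trace_enter just returned, and %ebp, which the exit paths use as thread_info; nothing at the call site records that. The 64-bit version in this patch documents its own register contract, so a matching `# must preserve %eax (syscall nr) and %ebp (thread_info)` on this new line would let a reader check the 32-bit routine against it.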
11914 @@ -665,20 +873,24 @@ syscall_exit_work:
11915         movl %esp, %eax
11916         call syscall_trace_leave
11917         jmp resume_userspace
11918 -END(syscall_exit_work)
11919 +ENDPROC(syscall_exit_work)
11920         CFI_ENDPROC
11921  
11922         RING0_INT_FRAME                 # can't unwind into user space anyway
11923  syscall_fault:
11924 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11925 +       push %ss
11926 +       pop %ds
11927 +#endif
11928         GET_THREAD_INFO(%ebp)
11929         movl $-EFAULT,PT_EAX(%esp)
11930         jmp resume_userspace
11931 -END(syscall_fault)
11932 +ENDPROC(syscall_fault)
11933  
11934  syscall_badsys:
11935         movl $-ENOSYS,PT_EAX(%esp)
11936         jmp resume_userspace
11937 -END(syscall_badsys)
11938 +ENDPROC(syscall_badsys)
11939         CFI_ENDPROC
11940  /*
11941   * End of kprobes section
11942 @@ -752,6 +964,36 @@ ptregs_clone:
11943         CFI_ENDPROC
11944  ENDPROC(ptregs_clone)
11945  
11946 +       ALIGN;
11947 +ENTRY(kernel_execve)
11948 +       CFI_STARTPROC
11949 +       pushl_cfi %ebp
11950 +       sub $PT_OLDSS+4,%esp
11951 +       pushl_cfi %edi
11952 +       pushl_cfi %ecx
11953 +       pushl_cfi %eax
11954 +       lea 3*4(%esp),%edi
11955 +       mov $PT_OLDSS/4+1,%ecx
11956 +       xorl %eax,%eax
11957 +       rep stosl
11958 +       popl_cfi %eax
11959 +       popl_cfi %ecx
11960 +       popl_cfi %edi
11961 +       movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
11962 +       pushl_cfi %esp
11963 +       call sys_execve
11964 +       add $4,%esp
11965 +       CFI_ADJUST_CFA_OFFSET -4
11966 +       GET_THREAD_INFO(%ebp)
11967 +       test %eax,%eax
11968 +       jz syscall_exit
11969 +       add $PT_OLDSS+4,%esp
11970 +       CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
11971 +       popl_cfi %ebp
11972 +       ret
11973 +       CFI_ENDPROC
11974 +ENDPROC(kernel_execve)
11975 +
11976  .macro FIXUP_ESPFIX_STACK
11977  /*
11978   * Switch back for ESPFIX stack to the normal zerobased stack
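Review bot: The `sub $PT_OLDSS+4,%esp` that reserves the fake pt_regs carries no `CFI_ADJUST_CFA_OFFSET`, yet the matching `add $PT_OLDSS+4,%esp` on the failure path is annotated with `-PT_OLDSS-4`, so the CFA is wrong by the frame size between those two points and ends up off after `popl_cfi %ebp`; any backtrace taken inside sys_execve from here will be misread by the unwinder. Add `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` immediately after the `sub`. A short header comment would also help: kernel_execve builds a zeroed pt_regs on the stack with only EFLAGS.IF set, passes its address as the stack argument to sys_execve (the %edi/%ecx/%eax saves exist because `rep stosl` clobbers them while the incoming arguments, presumably in the regparm registers, must reach sys_execve intact), and on success never returns but leaves through syscall_exit on that frame.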
11979 @@ -761,8 +1003,15 @@ ENDPROC(ptregs_clone)
11980   * normal stack and adjusts ESP with the matching offset.
11981   */
11982         /* fixup the stack */
11983 -       mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11984 -       mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11985 +#ifdef CONFIG_SMP
11986 +       movl PER_CPU_VAR(cpu_number), %ebx
11987 +       shll $PAGE_SHIFT_asm, %ebx
11988 +       addl $cpu_gdt_table, %ebx
11989 +#else
11990 +       movl $cpu_gdt_table, %ebx
11991 +#endif
11992 +       mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11993 +       mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11994         shl $16, %eax
11995         addl %esp, %eax                 /* the adjusted stack pointer */
11996         pushl_cfi $__KERNEL_DS
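Review bot: FIXUP_ESPFIX_STACK now clobbers %ebx (the per-CPU cpu_gdt_table address) on top of %eax, which changes the macro's contract for every caller; the macro header starts above this hunk, so its comment should gain a line like `* Clobbers %eax and %ebx; only usable after the registers have been saved.` The cpu_number/PAGE_SHIFT_asm/cpu_gdt_table sequence is also a verbatim copy of the one added to ldt_ss in this patch, so a small `.macro GET_CPU_GDT_TABLE reg` would keep the SMP and UP variants in one place.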
11997 @@ -815,7 +1064,7 @@ vector=vector+1
11998    .endr
11999  2:     jmp common_interrupt
12000  .endr
12001 -END(irq_entries_start)
12002 +ENDPROC(irq_entries_start)
12003  
12004  .previous
12005  END(interrupt)
12006 @@ -863,7 +1112,7 @@ ENTRY(coprocessor_error)
12007         pushl_cfi $do_coprocessor_error
12008         jmp error_code
12009         CFI_ENDPROC
12010 -END(coprocessor_error)
12011 +ENDPROC(coprocessor_error)
12012  
12013  ENTRY(simd_coprocessor_error)
12014         RING0_INT_FRAME
12015 @@ -889,7 +1138,7 @@ ENTRY(simd_coprocessor_error)
12016  #endif
12017         jmp error_code
12018         CFI_ENDPROC
12019 -END(simd_coprocessor_error)
12020 +ENDPROC(simd_coprocessor_error)
12021  
12022  ENTRY(device_not_available)
12023         RING0_INT_FRAME
12024 @@ -897,7 +1146,7 @@ ENTRY(device_not_available)
12025         pushl_cfi $do_device_not_available
12026         jmp error_code
12027         CFI_ENDPROC
12028 -END(device_not_available)
12029 +ENDPROC(device_not_available)
12030  
12031  #ifdef CONFIG_PARAVIRT
12032  ENTRY(native_iret)
12033 @@ -906,12 +1155,12 @@ ENTRY(native_iret)
12034         .align 4
12035         .long native_iret, iret_exc
12036  .previous
12037 -END(native_iret)
12038 +ENDPROC(native_iret)
12039  
12040  ENTRY(native_irq_enable_sysexit)
12041         sti
12042         sysexit
12043 -END(native_irq_enable_sysexit)
12044 +ENDPROC(native_irq_enable_sysexit)
12045  #endif
12046  
12047  ENTRY(overflow)
12048 @@ -920,7 +1169,7 @@ ENTRY(overflow)
12049         pushl_cfi $do_overflow
12050         jmp error_code
12051         CFI_ENDPROC
12052 -END(overflow)
12053 +ENDPROC(overflow)
12054  
12055  ENTRY(bounds)
12056         RING0_INT_FRAME
12057 @@ -928,7 +1177,7 @@ ENTRY(bounds)
12058         pushl_cfi $do_bounds
12059         jmp error_code
12060         CFI_ENDPROC
12061 -END(bounds)
12062 +ENDPROC(bounds)
12063  
12064  ENTRY(invalid_op)
12065         RING0_INT_FRAME
12066 @@ -936,7 +1185,7 @@ ENTRY(invalid_op)
12067         pushl_cfi $do_invalid_op
12068         jmp error_code
12069         CFI_ENDPROC
12070 -END(invalid_op)
12071 +ENDPROC(invalid_op)
12072  
12073  ENTRY(coprocessor_segment_overrun)
12074         RING0_INT_FRAME
12075 @@ -944,35 +1193,35 @@ ENTRY(coprocessor_segment_overrun)
12076         pushl_cfi $do_coprocessor_segment_overrun
12077         jmp error_code
12078         CFI_ENDPROC
12079 -END(coprocessor_segment_overrun)
12080 +ENDPROC(coprocessor_segment_overrun)
12081  
12082  ENTRY(invalid_TSS)
12083         RING0_EC_FRAME
12084         pushl_cfi $do_invalid_TSS
12085         jmp error_code
12086         CFI_ENDPROC
12087 -END(invalid_TSS)
12088 +ENDPROC(invalid_TSS)
12089  
12090  ENTRY(segment_not_present)
12091         RING0_EC_FRAME
12092         pushl_cfi $do_segment_not_present
12093         jmp error_code
12094         CFI_ENDPROC
12095 -END(segment_not_present)
12096 +ENDPROC(segment_not_present)
12097  
12098  ENTRY(stack_segment)
12099         RING0_EC_FRAME
12100         pushl_cfi $do_stack_segment
12101         jmp error_code
12102         CFI_ENDPROC
12103 -END(stack_segment)
12104 +ENDPROC(stack_segment)
12105  
12106  ENTRY(alignment_check)
12107         RING0_EC_FRAME
12108         pushl_cfi $do_alignment_check
12109         jmp error_code
12110         CFI_ENDPROC
12111 -END(alignment_check)
12112 +ENDPROC(alignment_check)
12113  
12114  ENTRY(divide_error)
12115         RING0_INT_FRAME
12116 @@ -980,7 +1229,7 @@ ENTRY(divide_error)
12117         pushl_cfi $do_divide_error
12118         jmp error_code
12119         CFI_ENDPROC
12120 -END(divide_error)
12121 +ENDPROC(divide_error)
12122  
12123  #ifdef CONFIG_X86_MCE
12124  ENTRY(machine_check)
12125 @@ -989,7 +1238,7 @@ ENTRY(machine_check)
12126         pushl_cfi machine_check_vector
12127         jmp error_code
12128         CFI_ENDPROC
12129 -END(machine_check)
12130 +ENDPROC(machine_check)
12131  #endif
12132  
12133  ENTRY(spurious_interrupt_bug)
12134 @@ -998,7 +1247,7 @@ ENTRY(spurious_interrupt_bug)
12135         pushl_cfi $do_spurious_interrupt_bug
12136         jmp error_code
12137         CFI_ENDPROC
12138 -END(spurious_interrupt_bug)
12139 +ENDPROC(spurious_interrupt_bug)
12140  /*
12141   * End of kprobes section
12142   */
12143 @@ -1113,7 +1362,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector
12144  
12145  ENTRY(mcount)
12146         ret
12147 -END(mcount)
12148 +ENDPROC(mcount)
12149  
12150  ENTRY(ftrace_caller)
12151         cmpl $0, function_trace_stop
12152 @@ -1142,7 +1391,7 @@ ftrace_graph_call:
12153  .globl ftrace_stub
12154  ftrace_stub:
12155         ret
12156 -END(ftrace_caller)
12157 +ENDPROC(ftrace_caller)
12158  
12159  #else /* ! CONFIG_DYNAMIC_FTRACE */
12160  
12161 @@ -1178,7 +1427,7 @@ trace:
12162         popl %ecx
12163         popl %eax
12164         jmp ftrace_stub
12165 -END(mcount)
12166 +ENDPROC(mcount)
12167  #endif /* CONFIG_DYNAMIC_FTRACE */
12168  #endif /* CONFIG_FUNCTION_TRACER */
12169  
12170 @@ -1199,7 +1448,7 @@ ENTRY(ftrace_graph_caller)
12171         popl %ecx
12172         popl %eax
12173         ret
12174 -END(ftrace_graph_caller)
12175 +ENDPROC(ftrace_graph_caller)
12176  
12177  .globl return_to_handler
12178  return_to_handler:
12179 @@ -1213,7 +1462,6 @@ return_to_handler:
12180         jmp *%ecx
12181  #endif
12182  
12183 -.section .rodata,"a"
12184  #include "syscall_table_32.S"
12185  
12186  syscall_table_size=(.-sys_call_table)
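Review bot: Dropping `.section .rodata,"a"` leaves `#include "syscall_table_32.S"` in whatever section is current at that point — the text section, judging by return_to_handler just above — unless syscall_table_32.S now opens its own section, and that file is not part of this hunk. If it does not, sys_call_table is emitted into .text instead of read-only data. A comment `/* syscall_table_32.S selects its own section */` beside the include would make the dependency explicit.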
12187 @@ -1259,15 +1507,18 @@ error_code:
12188         movl $-1, PT_ORIG_EAX(%esp)     # no syscall to restart
12189         REG_TO_PTGS %ecx
12190         SET_KERNEL_GS %ecx
12191 -       movl $(__USER_DS), %ecx
12192 +       movl $(__KERNEL_DS), %ecx
12193         movl %ecx, %ds
12194         movl %ecx, %es
12195 +
12196 +       pax_enter_kernel
12197 +
12198         TRACE_IRQS_OFF
12199         movl %esp,%eax                  # pt_regs pointer
12200         call *%edi
12201         jmp ret_from_exception
12202         CFI_ENDPROC
12203 -END(page_fault)
12204 +ENDPROC(page_fault)
12205  
12206  /*
12207   * Debug traps and NMI can happen at the one SYSENTER instruction
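Review bot: Changing the %ds/%es selector from __USER_DS to __KERNEL_DS affects every C handler reached through `call *%edi`, but the hunk gives no reason; presumably this is the UDEREF configuration where __KERNEL_DS is a segment whose limit excludes user space so that a kernel dereference of a user pointer faults, yet nothing here ties the two together. A comment on `movl $(__KERNEL_DS), %ecx`, e.g. `# kernel data segment (UDEREF: limit excludes userland); user %ds/%es are restored from PT_DS/PT_ES`, would stop someone reverting it. The new `pax_enter_kernel` sits before TRACE_IRQS_OFF with %edi (handler) and %edx (error code) live, so the 32-bit macro body, which is outside this hunk, must preserve both.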
12208 @@ -1309,7 +1560,7 @@ debug_stack_correct:
12209         call do_debug
12210         jmp ret_from_exception
12211         CFI_ENDPROC
12212 -END(debug)
12213 +ENDPROC(debug)
12214  
12215  /*
12216   * NMI is doubly nasty. It can happen _while_ we're handling
12217 @@ -1346,6 +1597,9 @@ nmi_stack_correct:
12218         xorl %edx,%edx          # zero error code
12219         movl %esp,%eax          # pt_regs pointer
12220         call do_nmi
12221 +
12222 +       pax_exit_kernel
12223 +
12224         jmp restore_all_notrace
12225         CFI_ENDPROC
12226  
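Review bot: The `pax_exit_kernel` after `call do_nmi` has no visible counterpart: the three context lines before the call are only argument setup, so the matching pax_enter_kernel must live in SAVE_ALL or earlier, outside this hunk. A comment on the new line naming where the entry half lives (`# pairs with the pax_enter_kernel done in SAVE_ALL`, adjusted to the real location) keeps the enter/exit pairing auditable. Note also that this return goes through restore_all_notrace, so a user-mode NMI bypasses the randomize/erase steps of restore_all_pax; if that is intended, say so here.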
12227 @@ -1382,12 +1636,15 @@ nmi_espfix_stack:
12228         FIXUP_ESPFIX_STACK              # %eax == %esp
12229         xorl %edx,%edx                  # zero error code
12230         call do_nmi
12231 +
12232 +       pax_exit_kernel
12233 +
12234         RESTORE_REGS
12235         lss 12+4(%esp), %esp            # back to espfix stack
12236         CFI_ADJUST_CFA_OFFSET -24
12237         jmp irq_return
12238         CFI_ENDPROC
12239 -END(nmi)
12240 +ENDPROC(nmi)
12241  
12242  ENTRY(int3)
12243         RING0_INT_FRAME
12244 @@ -1399,14 +1656,14 @@ ENTRY(int3)
12245         call do_int3
12246         jmp ret_from_exception
12247         CFI_ENDPROC
12248 -END(int3)
12249 +ENDPROC(int3)
12250  
12251  ENTRY(general_protection)
12252         RING0_EC_FRAME
12253         pushl_cfi $do_general_protection
12254         jmp error_code
12255         CFI_ENDPROC
12256 -END(general_protection)
12257 +ENDPROC(general_protection)
12258  
12259  #ifdef CONFIG_KVM_GUEST
12260  ENTRY(async_page_fault)
12261 @@ -1414,7 +1671,7 @@ ENTRY(async_page_fault)
12262         pushl_cfi $do_async_page_fault
12263         jmp error_code
12264         CFI_ENDPROC
12265 -END(async_page_fault)
12266 +ENDPROC(async_page_fault)
12267  #endif
12268  
12269  /*
12270 diff -urNp linux-3.0.9/arch/x86/kernel/entry_64.S linux-3.0.9/arch/x86/kernel/entry_64.S
12271 --- linux-3.0.9/arch/x86/kernel/entry_64.S      2011-11-11 13:12:24.000000000 -0500
12272 +++ linux-3.0.9/arch/x86/kernel/entry_64.S      2011-11-15 20:02:59.000000000 -0500
12273 @@ -53,6 +53,8 @@
12274  #include <asm/paravirt.h>
12275  #include <asm/ftrace.h>
12276  #include <asm/percpu.h>
12277 +#include <asm/pgtable.h>
12278 +#include <asm/alternative-asm.h>
12279  
12280  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
12281  #include <linux/elf-em.h>
12282 @@ -66,8 +68,9 @@
12283  #ifdef CONFIG_FUNCTION_TRACER
12284  #ifdef CONFIG_DYNAMIC_FTRACE
12285  ENTRY(mcount)
12286 +       pax_force_retaddr
12287         retq
12288 -END(mcount)
12289 +ENDPROC(mcount)
12290  
12291  ENTRY(ftrace_caller)
12292         cmpl $0, function_trace_stop
12293 @@ -90,8 +93,9 @@ GLOBAL(ftrace_graph_call)
12294  #endif
12295  
12296  GLOBAL(ftrace_stub)
12297 +       pax_force_retaddr
12298         retq
12299 -END(ftrace_caller)
12300 +ENDPROC(ftrace_caller)
12301  
12302  #else /* ! CONFIG_DYNAMIC_FTRACE */
12303  ENTRY(mcount)
12304 @@ -110,6 +114,7 @@ ENTRY(mcount)
12305  #endif
12306  
12307  GLOBAL(ftrace_stub)
12308 +       pax_force_retaddr
12309         retq
12310  
12311  trace:
12312 @@ -119,12 +124,13 @@ trace:
12313         movq 8(%rbp), %rsi
12314         subq $MCOUNT_INSN_SIZE, %rdi
12315  
12316 +       pax_force_fptr ftrace_trace_function
12317         call   *ftrace_trace_function
12318  
12319         MCOUNT_RESTORE_FRAME
12320  
12321         jmp ftrace_stub
12322 -END(mcount)
12323 +ENDPROC(mcount)
12324  #endif /* CONFIG_DYNAMIC_FTRACE */
12325  #endif /* CONFIG_FUNCTION_TRACER */
12326  
12327 @@ -144,8 +150,9 @@ ENTRY(ftrace_graph_caller)
12328  
12329         MCOUNT_RESTORE_FRAME
12330  
12331 +       pax_force_retaddr
12332         retq
12333 -END(ftrace_graph_caller)
12334 +ENDPROC(ftrace_graph_caller)
12335  
12336  GLOBAL(return_to_handler)
12337         subq  $24, %rsp
12338 @@ -161,6 +168,7 @@ GLOBAL(return_to_handler)
12339         movq 8(%rsp), %rdx
12340         movq (%rsp), %rax
12341         addq $24, %rsp
12342 +       pax_force_fptr %rdi
12343         jmp *%rdi
12344  #endif
12345  
12346 @@ -176,6 +184,269 @@ ENTRY(native_usergs_sysret64)
12347  ENDPROC(native_usergs_sysret64)
12348  #endif /* CONFIG_PARAVIRT */
12349  
12350 +       .macro ljmpq sel, off
12351 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
12352 +       .byte 0x48; ljmp *1234f(%rip)
12353 +       .pushsection .rodata
12354 +       .align 16
12355 +       1234: .quad \off; .word \sel
12356 +       .popsection
12357 +#else
12358 +       pushq $\sel
12359 +       pushq $\off
12360 +       lretq
12361 +#endif
12362 +       .endm
12363 +
12364 +       .macro pax_enter_kernel
12365 +#ifdef CONFIG_PAX_KERNEXEC
12366 +       call pax_enter_kernel
12367 +#endif
12368 +       .endm
12369 +
12370 +       .macro pax_exit_kernel
12371 +#ifdef CONFIG_PAX_KERNEXEC
12372 +       call pax_exit_kernel
12373 +#endif
12374 +       .endm
12375 +
12376 +#ifdef CONFIG_PAX_KERNEXEC
12377 +ENTRY(pax_enter_kernel)
12378 +       pushq %rdi
12379 +
12380 +#ifdef CONFIG_PARAVIRT
12381 +       PV_SAVE_REGS(CLBR_RDI)
12382 +#endif
12383 +
12384 +       GET_CR0_INTO_RDI
12385 +       bts $16,%rdi
12386 +       jnc 1f
12387 +       mov %cs,%edi
12388 +       cmp $__KERNEL_CS,%edi
12389 +       jz 3f
12390 +       ljmpq __KERNEL_CS,3f
12391 +1:     ljmpq __KERNEXEC_KERNEL_CS,2f
12392 +2:     SET_RDI_INTO_CR0
12393 +3:
12394 +
12395 +#ifdef CONFIG_PARAVIRT
12396 +       PV_RESTORE_REGS(CLBR_RDI)
12397 +#endif
12398 +
12399 +       popq %rdi
12400 +       pax_force_retaddr
12401 +       retq
12402 +ENDPROC(pax_enter_kernel)
12403 +
12404 +ENTRY(pax_exit_kernel)
12405 +       pushq %rdi
12406 +
12407 +#ifdef CONFIG_PARAVIRT
12408 +       PV_SAVE_REGS(CLBR_RDI)
12409 +#endif
12410 +
12411 +       mov %cs,%rdi
12412 +       cmp $__KERNEXEC_KERNEL_CS,%edi
12413 +       jnz 2f
12414 +       GET_CR0_INTO_RDI
12415 +       btr $16,%rdi
12416 +       ljmpq __KERNEL_CS,1f
12417 +1:     SET_RDI_INTO_CR0
12418 +2:
12419 +
12420 +#ifdef CONFIG_PARAVIRT
12421 +       PV_RESTORE_REGS(CLBR_RDI);
12422 +#endif
12423 +
12424 +       popq %rdi
12425 +       pax_force_retaddr
12426 +       retq
12427 +ENDPROC(pax_exit_kernel)
12428 +#endif
12429 +
12430 +       .macro pax_enter_kernel_user
12431 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12432 +       call pax_enter_kernel_user
12433 +#endif
12434 +       .endm
12435 +
12436 +       .macro pax_exit_kernel_user
12437 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12438 +       call pax_exit_kernel_user
12439 +#endif
12440 +#ifdef CONFIG_PAX_RANDKSTACK
12441 +       push %rax
12442 +       call pax_randomize_kstack
12443 +       pop %rax
12444 +#endif
12445 +       .endm
12446 +
12447 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12448 +ENTRY(pax_enter_kernel_user)
12449 +       pushq %rdi
12450 +       pushq %rbx
12451 +
12452 +#ifdef CONFIG_PARAVIRT
12453 +       PV_SAVE_REGS(CLBR_RDI)
12454 +#endif
12455 +
12456 +       GET_CR3_INTO_RDI
12457 +       mov %rdi,%rbx
12458 +       add $__START_KERNEL_map,%rbx
12459 +       sub phys_base(%rip),%rbx
12460 +
12461 +#ifdef CONFIG_PARAVIRT
12462 +       pushq %rdi
12463 +       cmpl $0, pv_info+PARAVIRT_enabled
12464 +       jz 1f
12465 +       i = 0
12466 +       .rept USER_PGD_PTRS
12467 +       mov i*8(%rbx),%rsi
12468 +       mov $0,%sil
12469 +       lea i*8(%rbx),%rdi
12470 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12471 +       i = i + 1
12472 +       .endr
12473 +       jmp 2f
12474 +1:
12475 +#endif
12476 +
12477 +       i = 0
12478 +       .rept USER_PGD_PTRS
12479 +       movb $0,i*8(%rbx)
12480 +       i = i + 1
12481 +       .endr
12482 +
12483 +#ifdef CONFIG_PARAVIRT
12484 +2:     popq %rdi
12485 +#endif
12486 +       SET_RDI_INTO_CR3
12487 +
12488 +#ifdef CONFIG_PAX_KERNEXEC
12489 +       GET_CR0_INTO_RDI
12490 +       bts $16,%rdi
12491 +       SET_RDI_INTO_CR0
12492 +#endif
12493 +
12494 +#ifdef CONFIG_PARAVIRT
12495 +       PV_RESTORE_REGS(CLBR_RDI)
12496 +#endif
12497 +
12498 +       popq %rbx
12499 +       popq %rdi
12500 +       pax_force_retaddr
12501 +       retq
12502 +ENDPROC(pax_enter_kernel_user)
12503 +
12504 +ENTRY(pax_exit_kernel_user)
12505 +       push %rdi
12506 +
12507 +#ifdef CONFIG_PARAVIRT
12508 +       pushq %rbx
12509 +       PV_SAVE_REGS(CLBR_RDI)
12510 +#endif
12511 +
12512 +#ifdef CONFIG_PAX_KERNEXEC
12513 +       GET_CR0_INTO_RDI
12514 +       btr $16,%rdi
12515 +       SET_RDI_INTO_CR0
12516 +#endif
12517 +
12518 +       GET_CR3_INTO_RDI
12519 +       add $__START_KERNEL_map,%rdi
12520 +       sub phys_base(%rip),%rdi
12521 +
12522 +#ifdef CONFIG_PARAVIRT
12523 +       cmpl $0, pv_info+PARAVIRT_enabled
12524 +       jz 1f
12525 +       mov %rdi,%rbx
12526 +       i = 0
12527 +       .rept USER_PGD_PTRS
12528 +       mov i*8(%rbx),%rsi
12529 +       mov $0x67,%sil
12530 +       lea i*8(%rbx),%rdi
12531 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12532 +       i = i + 1
12533 +       .endr
12534 +       jmp 2f
12535 +1:
12536 +#endif
12537 +
12538 +       i = 0
12539 +       .rept USER_PGD_PTRS
12540 +       movb $0x67,i*8(%rdi)
12541 +       i = i + 1
12542 +       .endr
12543 +
12544 +#ifdef CONFIG_PARAVIRT
12545 +2:     PV_RESTORE_REGS(CLBR_RDI)
12546 +       popq %rbx
12547 +#endif
12548 +
12549 +       popq %rdi
12550 +       pax_force_retaddr
12551 +       retq
12552 +ENDPROC(pax_exit_kernel_user)
12553 +#endif
12554 +
12555 +       .macro pax_erase_kstack
12556 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12557 +       call pax_erase_kstack
12558 +#endif
12559 +       .endm
12560 +
12561 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12562 +/*
12563 + * r10: thread_info
12564 + * rcx, rdx: can be clobbered
12565 + */
12566 +ENTRY(pax_erase_kstack)
12567 +       pushq %rdi
12568 +       pushq %rax
12569 +       pushq %r10
12570 +
12571 +       GET_THREAD_INFO(%r10)
12572 +       mov TI_lowest_stack(%r10), %rdi
12573 +       mov $-0xBEEF, %rax
12574 +       std
12575 +
12576 +1:     mov %edi, %ecx
12577 +       and $THREAD_SIZE_asm - 1, %ecx
12578 +       shr $3, %ecx
12579 +       repne scasq
12580 +       jecxz 2f
12581 +
12582 +       cmp $2*8, %ecx
12583 +       jc 2f
12584 +
12585 +       mov $2*8, %ecx
12586 +       repe scasq
12587 +       jecxz 2f
12588 +       jne 1b
12589 +
12590 +2:     cld
12591 +       mov %esp, %ecx
12592 +       sub %edi, %ecx
12593 +
12594 +       cmp $THREAD_SIZE_asm, %rcx
12595 +       jb 3f
12596 +       ud2
12597 +3:
12598 +
12599 +       shr $3, %ecx
12600 +       rep stosq
12601 +
12602 +       mov TI_task_thread_sp0(%r10), %rdi
12603 +       sub $256, %rdi
12604 +       mov %rdi, TI_lowest_stack(%r10)
12605 +
12606 +       popq %r10
12607 +       popq %rax
12608 +       popq %rdi
12609 +       pax_force_retaddr
12610 +       ret
12611 +ENDPROC(pax_erase_kstack)
12612 +#endif
12613  
12614  .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
12615  #ifdef CONFIG_TRACE_IRQFLAGS
12616 @@ -318,7 +589,7 @@ ENTRY(save_args)
12617         leaq -RBP+8(%rsp),%rdi  /* arg1 for handler */
12618         movq_cfi rbp, 8         /* push %rbp */
12619         leaq 8(%rsp), %rbp              /* mov %rsp, %ebp */
12620 -       testl $3, CS(%rdi)
12621 +       testb $3, CS(%rdi)
12622         je 1f
12623         SWAPGS
12624         /*
12625 @@ -338,9 +609,10 @@ ENTRY(save_args)
12626          * We entered an interrupt context - irqs are off:
12627          */
12628  2:     TRACE_IRQS_OFF
12629 +       pax_force_retaddr
12630         ret
12631         CFI_ENDPROC
12632 -END(save_args)
12633 +ENDPROC(save_args)
12634         .popsection
12635  
12636  ENTRY(save_rest)
12637 @@ -354,9 +626,10 @@ ENTRY(save_rest)
12638         movq_cfi r15, R15+16
12639         movq %r11, 8(%rsp)      /* return address */
12640         FIXUP_TOP_OF_STACK %r11, 16
12641 +       pax_force_retaddr
12642         ret
12643         CFI_ENDPROC
12644 -END(save_rest)
12645 +ENDPROC(save_rest)
12646  
12647  /* save complete stack frame */
12648         .pushsection .kprobes.text, "ax"
12649 @@ -385,9 +658,10 @@ ENTRY(save_paranoid)
12650         js 1f   /* negative -> in kernel */
12651         SWAPGS
12652         xorl %ebx,%ebx
12653 -1:     ret
12654 +1:     pax_force_retaddr
12655 +       ret
12656         CFI_ENDPROC
12657 -END(save_paranoid)
12658 +ENDPROC(save_paranoid)
12659         .popsection
12660  
12661  /*
12662 @@ -409,7 +683,7 @@ ENTRY(ret_from_fork)
12663  
12664         RESTORE_REST
12665  
12666 -       testl $3, CS-ARGOFFSET(%rsp)            # from kernel_thread?
12667 +       testb $3, CS-ARGOFFSET(%rsp)            # from kernel_thread?
12668         je   int_ret_from_sys_call
12669  
12670         testl $_TIF_IA32, TI_flags(%rcx)        # 32-bit compat task needs IRET
12671 @@ -419,7 +693,7 @@ ENTRY(ret_from_fork)
12672         jmp ret_from_sys_call                   # go to the SYSRET fastpath
12673  
12674         CFI_ENDPROC
12675 -END(ret_from_fork)
12676 +ENDPROC(ret_from_fork)
12677  
12678  /*
12679   * System call entry. Up to 6 arguments in registers are supported.
12680 @@ -455,7 +729,7 @@ END(ret_from_fork)
12681  ENTRY(system_call)
12682         CFI_STARTPROC   simple
12683         CFI_SIGNAL_FRAME
12684 -       CFI_DEF_CFA     rsp,KERNEL_STACK_OFFSET
12685 +       CFI_DEF_CFA     rsp,0
12686         CFI_REGISTER    rip,rcx
12687         /*CFI_REGISTER  rflags,r11*/
12688         SWAPGS_UNSAFE_STACK
12689 @@ -468,12 +742,13 @@ ENTRY(system_call_after_swapgs)
12690  
12691         movq    %rsp,PER_CPU_VAR(old_rsp)
12692         movq    PER_CPU_VAR(kernel_stack),%rsp
12693 +       pax_enter_kernel_user
12694         /*
12695          * No need to follow this irqs off/on section - it's straight
12696          * and short:
12697          */
12698         ENABLE_INTERRUPTS(CLBR_NONE)
12699 -       SAVE_ARGS 8,1
12700 +       SAVE_ARGS 8*6,1
12701         movq  %rax,ORIG_RAX-ARGOFFSET(%rsp)
12702         movq  %rcx,RIP-ARGOFFSET(%rsp)
12703         CFI_REL_OFFSET rip,RIP-ARGOFFSET
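Review bot: `SAVE_ARGS 8*6,1` replaces `SAVE_ARGS 8,1`, and the previous hunk changes `CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET` to `rsp,0`; both only make sense if PER_CPU_VAR(kernel_stack) now points at the top of the thread stack rather than KERNEL_STACK_OFFSET below it, and that redefinition is not in these hunks. A comment at `movq PER_CPU_VAR(kernel_stack),%rsp` stating the new invariant would stop the 48-byte skip from looking like a typo. Also, `pax_enter_kernel_user` runs here before SAVE_ARGS with every syscall argument register still live; on the visible code that is safe only because the non-paravirt path touches just the pushed %rdi/%rbx and the pv_mmu_ops call is bracketed by PV_SAVE_REGS/PV_RESTORE_REGS(CLBR_RDI), a constraint worth stating at the call site so later edits to that routine keep it.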
12704 @@ -502,6 +777,8 @@ sysret_check:
12705         andl %edi,%edx
12706         jnz  sysret_careful
12707         CFI_REMEMBER_STATE
12708 +       pax_exit_kernel_user
12709 +       pax_erase_kstack
12710         /*
12711          * sysretq will re-enable interrupts:
12712          */
12713 @@ -560,6 +837,9 @@ auditsys:
12714         movq %rax,%rsi                  /* 2nd arg: syscall number */
12715         movl $AUDIT_ARCH_X86_64,%edi    /* 1st arg: audit arch */
12716         call audit_syscall_entry
12717 +
12718 +       pax_erase_kstack
12719 +
12720         LOAD_ARGS 0             /* reload call-clobbered registers */
12721         jmp system_call_fastpath
12722  
12723 @@ -590,6 +870,9 @@ tracesys:
12724         FIXUP_TOP_OF_STACK %rdi
12725         movq %rsp,%rdi
12726         call syscall_trace_enter
12727 +
12728 +       pax_erase_kstack
12729 +
12730         /*
12731          * Reload arg registers from stack in case ptrace changed them.
12732          * We don't reload %rax because syscall_trace_enter() returned
12733 @@ -611,7 +894,7 @@ tracesys:
12734  GLOBAL(int_ret_from_sys_call)
12735         DISABLE_INTERRUPTS(CLBR_NONE)
12736         TRACE_IRQS_OFF
12737 -       testl $3,CS-ARGOFFSET(%rsp)
12738 +       testb $3,CS-ARGOFFSET(%rsp)
12739         je retint_restore_args
12740         movl $_TIF_ALLWORK_MASK,%edi
12741         /* edi: mask to check */
12742 @@ -668,7 +951,7 @@ int_restore_rest:
12743         TRACE_IRQS_OFF
12744         jmp int_with_check
12745         CFI_ENDPROC
12746 -END(system_call)
12747 +ENDPROC(system_call)
12748  
12749  /*
12750   * Certain special system calls that need to save a complete full stack frame.
12751 @@ -684,7 +967,7 @@ ENTRY(\label)
12752         call \func
12753         jmp ptregscall_common
12754         CFI_ENDPROC
12755 -END(\label)
12756 +ENDPROC(\label)
12757         .endm
12758  
12759         PTREGSCALL stub_clone, sys_clone, %r8
12760 @@ -702,9 +985,10 @@ ENTRY(ptregscall_common)
12761         movq_cfi_restore R12+8, r12
12762         movq_cfi_restore RBP+8, rbp
12763         movq_cfi_restore RBX+8, rbx
12764 +       pax_force_retaddr
12765         ret $REST_SKIP          /* pop extended registers */
12766         CFI_ENDPROC
12767 -END(ptregscall_common)
12768 +ENDPROC(ptregscall_common)
12769  
12770  ENTRY(stub_execve)
12771         CFI_STARTPROC
12772 @@ -719,7 +1003,7 @@ ENTRY(stub_execve)
12773         RESTORE_REST
12774         jmp int_ret_from_sys_call
12775         CFI_ENDPROC
12776 -END(stub_execve)
12777 +ENDPROC(stub_execve)
12778  
12779  /*
12780   * sigreturn is special because it needs to restore all registers on return.
12781 @@ -737,7 +1021,7 @@ ENTRY(stub_rt_sigreturn)
12782         RESTORE_REST
12783         jmp int_ret_from_sys_call
12784         CFI_ENDPROC
12785 -END(stub_rt_sigreturn)
12786 +ENDPROC(stub_rt_sigreturn)
12787  
12788  /*
12789   * Build the entry stubs and pointer table with some assembler magic.
12790 @@ -772,7 +1056,7 @@ vector=vector+1
12791  2:     jmp common_interrupt
12792  .endr
12793         CFI_ENDPROC
12794 -END(irq_entries_start)
12795 +ENDPROC(irq_entries_start)
12796  
12797  .previous
12798  END(interrupt)
12799 @@ -793,6 +1077,16 @@ END(interrupt)
12800         CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
12801         call save_args
12802         PARTIAL_FRAME 0
12803 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12804 +       testb $3, CS(%rdi)
12805 +       jnz 1f
12806 +       pax_enter_kernel
12807 +       jmp 2f
12808 +1:     pax_enter_kernel_user
12809 +2:
12810 +#else
12811 +       pax_enter_kernel
12812 +#endif
12813         call \func
12814         .endm
12815  
12816 @@ -825,7 +1119,7 @@ ret_from_intr:
12817         CFI_ADJUST_CFA_OFFSET   -8
12818  exit_intr:
12819         GET_THREAD_INFO(%rcx)
12820 -       testl $3,CS-ARGOFFSET(%rsp)
12821 +       testb $3,CS-ARGOFFSET(%rsp)
12822         je retint_kernel
12823  
12824         /* Interrupt came from user space */
12825 @@ -847,12 +1141,16 @@ retint_swapgs:           /* return to user-space 
12826          * The iretq could re-enable interrupts:
12827          */
12828         DISABLE_INTERRUPTS(CLBR_ANY)
12829 +       pax_exit_kernel_user
12830 +       pax_erase_kstack
12831         TRACE_IRQS_IRETQ
12832         SWAPGS
12833         jmp restore_args
12834  
12835  retint_restore_args:   /* return to kernel space */
12836         DISABLE_INTERRUPTS(CLBR_ANY)
12837 +       pax_exit_kernel
12838 +       pax_force_retaddr RIP-ARGOFFSET
12839         /*
12840          * The iretq could re-enable interrupts:
12841          */
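Review bot: `pax_exit_kernel_user` and `pax_erase_kstack` are placed before `TRACE_IRQS_IRETQ`, so with CONFIG_TRACE_IRQFLAGS whatever that macro calls runs after the user PGD entries have been re-enabled and, under KERNEXEC, with WP already cleared; sysret_check orders it the same way, so this looks deliberate, but the ordering constraint (nothing after pax_exit_kernel_user may rely on user space being unmapped or on WP) deserves a comment on the new lines. On the kernel-return side, `pax_force_retaddr RIP-ARGOFFSET` after `pax_exit_kernel` is the only place in these hunks where the macro takes a memory operand; a one-liner saying what it does with the saved RIP slot would help, since the macro's definition is not in this file's hunks.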
12842 @@ -941,7 +1239,7 @@ ENTRY(retint_kernel)
12843  #endif
12844  
12845         CFI_ENDPROC
12846 -END(common_interrupt)
12847 +ENDPROC(common_interrupt)
12848  /*
12849   * End of kprobes section
12850   */
12851 @@ -957,7 +1255,7 @@ ENTRY(\sym)
12852         interrupt \do_sym
12853         jmp ret_from_intr
12854         CFI_ENDPROC
12855 -END(\sym)
12856 +ENDPROC(\sym)
12857  .endm
12858  
12859  #ifdef CONFIG_SMP
12860 @@ -1027,12 +1325,22 @@ ENTRY(\sym)
12861         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12862         call error_entry
12863         DEFAULT_FRAME 0
12864 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12865 +       testb $3, CS(%rsp)
12866 +       jnz 1f
12867 +       pax_enter_kernel
12868 +       jmp 2f
12869 +1:     pax_enter_kernel_user
12870 +2:
12871 +#else
12872 +       pax_enter_kernel
12873 +#endif
12874         movq %rsp,%rdi          /* pt_regs pointer */
12875         xorl %esi,%esi          /* no error code */
12876         call \do_sym
12877         jmp error_exit          /* %ebx: no swapgs flag */
12878         CFI_ENDPROC
12879 -END(\sym)
12880 +ENDPROC(\sym)
12881  .endm
12882  
12883  .macro paranoidzeroentry sym do_sym
12884 @@ -1044,15 +1352,25 @@ ENTRY(\sym)
12885         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12886         call save_paranoid
12887         TRACE_IRQS_OFF
12888 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12889 +       testb $3, CS(%rsp)
12890 +       jnz 1f
12891 +       pax_enter_kernel
12892 +       jmp 2f
12893 +1:     pax_enter_kernel_user
12894 +2:
12895 +#else
12896 +       pax_enter_kernel
12897 +#endif
12898         movq %rsp,%rdi          /* pt_regs pointer */
12899         xorl %esi,%esi          /* no error code */
12900         call \do_sym
12901         jmp paranoid_exit       /* %ebx: no swapgs flag */
12902         CFI_ENDPROC
12903 -END(\sym)
12904 +ENDPROC(\sym)
12905  .endm
12906  
12907 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12908 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12909  .macro paranoidzeroentry_ist sym do_sym ist
12910  ENTRY(\sym)
12911         INTR_FRAME
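Review bot: The new `INIT_TSS_IST(x)` expands to `(TSS_ist + ((x) - 1) * 8)(%r12)` but nothing at the definition says that %r12 must already point at this CPU's `init_tss`; that is only done by the `imul`/`lea` block added in the next hunk (paranoidzeroentry_ist), immediately before the two users of the macro, so any other future use would read through a stale %r12. A comment on the `#define` would make the contract visible: `/* expects %r12 = this CPU's init_tss; only valid inside paranoidzeroentry_ist after the CONFIG_SMP block */`. Clobbering %r12 there is presumably fine because the paranoid entry saves the full register set and `paranoid_exit` restores it — confirm, since `save_paranoid` is outside this view.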
12912 @@ -1062,14 +1380,30 @@ ENTRY(\sym)
12913         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12914         call save_paranoid
12915         TRACE_IRQS_OFF
12916 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12917 +       testb $3, CS(%rsp)
12918 +       jnz 1f
12919 +       pax_enter_kernel
12920 +       jmp 2f
12921 +1:     pax_enter_kernel_user
12922 +2:
12923 +#else
12924 +       pax_enter_kernel
12925 +#endif
12926         movq %rsp,%rdi          /* pt_regs pointer */
12927         xorl %esi,%esi          /* no error code */
12928 +#ifdef CONFIG_SMP
12929 +       imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
12930 +       lea init_tss(%r12), %r12
12931 +#else
12932 +       lea init_tss(%rip), %r12
12933 +#endif
12934         subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12935         call \do_sym
12936         addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12937         jmp paranoid_exit       /* %ebx: no swapgs flag */
12938         CFI_ENDPROC
12939 -END(\sym)
12940 +ENDPROC(\sym)
12941  .endm
12942  
12943  .macro errorentry sym do_sym
12944 @@ -1080,13 +1414,23 @@ ENTRY(\sym)
12945         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12946         call error_entry
12947         DEFAULT_FRAME 0
12948 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12949 +       testb $3, CS(%rsp)
12950 +       jnz 1f
12951 +       pax_enter_kernel
12952 +       jmp 2f
12953 +1:     pax_enter_kernel_user
12954 +2:
12955 +#else
12956 +       pax_enter_kernel
12957 +#endif
12958         movq %rsp,%rdi                  /* pt_regs pointer */
12959         movq ORIG_RAX(%rsp),%rsi        /* get error code */
12960         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
12961         call \do_sym
12962         jmp error_exit                  /* %ebx: no swapgs flag */
12963         CFI_ENDPROC
12964 -END(\sym)
12965 +ENDPROC(\sym)
12966  .endm
12967  
12968         /* error code is on the stack already */
12969 @@ -1099,13 +1443,23 @@ ENTRY(\sym)
12970         call save_paranoid
12971         DEFAULT_FRAME 0
12972         TRACE_IRQS_OFF
12973 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12974 +       testb $3, CS(%rsp)
12975 +       jnz 1f
12976 +       pax_enter_kernel
12977 +       jmp 2f
12978 +1:     pax_enter_kernel_user
12979 +2:
12980 +#else
12981 +       pax_enter_kernel
12982 +#endif
12983         movq %rsp,%rdi                  /* pt_regs pointer */
12984         movq ORIG_RAX(%rsp),%rsi        /* get error code */
12985         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
12986         call \do_sym
12987         jmp paranoid_exit               /* %ebx: no swapgs flag */
12988         CFI_ENDPROC
12989 -END(\sym)
12990 +ENDPROC(\sym)
12991  .endm
12992  
12993  zeroentry divide_error do_divide_error
12994 @@ -1134,9 +1488,10 @@ gs_change:
12995  2:     mfence          /* workaround */
12996         SWAPGS
12997         popfq_cfi
12998 +       pax_force_retaddr
12999         ret
13000         CFI_ENDPROC
13001 -END(native_load_gs_index)
13002 +ENDPROC(native_load_gs_index)
13003  
13004         .section __ex_table,"a"
13005         .align 8
13006 @@ -1158,13 +1513,14 @@ ENTRY(kernel_thread_helper)
13007          * Here we are in the child and the registers are set as they were
13008          * at kernel_thread() invocation in the parent.
13009          */
13010 +       pax_force_fptr %rsi
13011         call *%rsi
13012         # exit
13013         mov %eax, %edi
13014         call do_exit
13015         ud2                     # padding for call trace
13016         CFI_ENDPROC
13017 -END(kernel_thread_helper)
13018 +ENDPROC(kernel_thread_helper)
13019  
13020  /*
13021   * execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
13022 @@ -1193,9 +1549,10 @@ ENTRY(kernel_execve)
13023         je int_ret_from_sys_call
13024         RESTORE_ARGS
13025         UNFAKE_STACK_FRAME
13026 +       pax_force_retaddr
13027         ret
13028         CFI_ENDPROC
13029 -END(kernel_execve)
13030 +ENDPROC(kernel_execve)
13031  
13032  /* Call softirq on interrupt stack. Interrupts are off. */
13033  ENTRY(call_softirq)
13034 @@ -1213,9 +1570,10 @@ ENTRY(call_softirq)
13035         CFI_DEF_CFA_REGISTER    rsp
13036         CFI_ADJUST_CFA_OFFSET   -8
13037         decl PER_CPU_VAR(irq_count)
13038 +       pax_force_retaddr
13039         ret
13040         CFI_ENDPROC
13041 -END(call_softirq)
13042 +ENDPROC(call_softirq)
13043  
13044  #ifdef CONFIG_XEN
13045  zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
13046 @@ -1253,7 +1611,7 @@ ENTRY(xen_do_hypervisor_callback)   # do
13047         decl PER_CPU_VAR(irq_count)
13048         jmp  error_exit
13049         CFI_ENDPROC
13050 -END(xen_do_hypervisor_callback)
13051 +ENDPROC(xen_do_hypervisor_callback)
13052  
13053  /*
13054   * Hypervisor uses this for application faults while it executes.
13055 @@ -1312,7 +1670,7 @@ ENTRY(xen_failsafe_callback)
13056         SAVE_ALL
13057         jmp error_exit
13058         CFI_ENDPROC
13059 -END(xen_failsafe_callback)
13060 +ENDPROC(xen_failsafe_callback)
13061  
13062  apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
13063         xen_hvm_callback_vector xen_evtchn_do_upcall
13064 @@ -1361,16 +1719,31 @@ ENTRY(paranoid_exit)
13065         TRACE_IRQS_OFF
13066         testl %ebx,%ebx                         /* swapgs needed? */
13067         jnz paranoid_restore
13068 -       testl $3,CS(%rsp)
13069 +       testb $3,CS(%rsp)
13070         jnz   paranoid_userspace
13071 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13072 +       pax_exit_kernel
13073 +       TRACE_IRQS_IRETQ 0
13074 +       SWAPGS_UNSAFE_STACK
13075 +       RESTORE_ALL 8
13076 +       pax_force_retaddr
13077 +       jmp irq_return
13078 +#endif
13079  paranoid_swapgs:
13080 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13081 +       pax_exit_kernel_user
13082 +#else
13083 +       pax_exit_kernel
13084 +#endif
13085         TRACE_IRQS_IRETQ 0
13086         SWAPGS_UNSAFE_STACK
13087         RESTORE_ALL 8
13088         jmp irq_return
13089  paranoid_restore:
13090 +       pax_exit_kernel
13091         TRACE_IRQS_IRETQ 0
13092         RESTORE_ALL 8
13093 +       pax_force_retaddr
13094         jmp irq_return
13095  paranoid_userspace:
13096         GET_THREAD_INFO(%rcx)
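Review bot: `pax_erase_kstack` is added on the common return-to-user path (`retint_swapgs`, hunk at L12828) but not on `paranoid_swapgs` here nor on `nmi_swapgs` (hunk at L13159), both of which also `SWAPGS` and `iret` to user space when reached from the `*_userspace` labels (whose bodies are outside the hunks). If skipping the erase on these exits is deliberate, a one-line comment at `paranoid_swapgs:` such as `/* deliberately no pax_erase_kstack here: <reason> */` would stop the next reader from "fixing" it. The UDEREF-only kernel-return block above `paranoid_swapgs` duplicates the `TRACE_IRQS_IRETQ 0`/`SWAPGS_UNSAFE_STACK`/`RESTORE_ALL 8` sequence solely to insert a different pax_exit; a short comment saying the two paths differ only in `pax_exit_kernel` vs `pax_exit_kernel_user` would help as well.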
13097 @@ -1399,7 +1772,7 @@ paranoid_schedule:
13098         TRACE_IRQS_OFF
13099         jmp paranoid_userspace
13100         CFI_ENDPROC
13101 -END(paranoid_exit)
13102 +ENDPROC(paranoid_exit)
13103  
13104  /*
13105   * Exception entry point. This expects an error code/orig_rax on the stack.
13106 @@ -1426,12 +1799,13 @@ ENTRY(error_entry)
13107         movq_cfi r14, R14+8
13108         movq_cfi r15, R15+8
13109         xorl %ebx,%ebx
13110 -       testl $3,CS+8(%rsp)
13111 +       testb $3,CS+8(%rsp)
13112         je error_kernelspace
13113  error_swapgs:
13114         SWAPGS
13115  error_sti:
13116         TRACE_IRQS_OFF
13117 +       pax_force_retaddr
13118         ret
13119  
13120  /*
13121 @@ -1458,7 +1832,7 @@ bstep_iret:
13122         movq %rcx,RIP+8(%rsp)
13123         jmp error_swapgs
13124         CFI_ENDPROC
13125 -END(error_entry)
13126 +ENDPROC(error_entry)
13127  
13128  
13129  /* ebx:        no swapgs flag (1: don't need swapgs, 0: need it) */
13130 @@ -1478,7 +1852,7 @@ ENTRY(error_exit)
13131         jnz retint_careful
13132         jmp retint_swapgs
13133         CFI_ENDPROC
13134 -END(error_exit)
13135 +ENDPROC(error_exit)
13136  
13137  
13138         /* runs on exception stack */
13139 @@ -1490,6 +1864,16 @@ ENTRY(nmi)
13140         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
13141         call save_paranoid
13142         DEFAULT_FRAME 0
13143 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13144 +       testb $3, CS(%rsp)
13145 +       jnz 1f
13146 +       pax_enter_kernel
13147 +       jmp 2f
13148 +1:     pax_enter_kernel_user
13149 +2:
13150 +#else
13151 +       pax_enter_kernel
13152 +#endif
13153         /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
13154         movq %rsp,%rdi
13155         movq $-1,%rsi
13156 @@ -1500,12 +1884,28 @@ ENTRY(nmi)
13157         DISABLE_INTERRUPTS(CLBR_NONE)
13158         testl %ebx,%ebx                         /* swapgs needed? */
13159         jnz nmi_restore
13160 -       testl $3,CS(%rsp)
13161 +       testb $3,CS(%rsp)
13162         jnz nmi_userspace
13163 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13164 +       pax_exit_kernel
13165 +       SWAPGS_UNSAFE_STACK
13166 +       RESTORE_ALL 8
13167 +       pax_force_retaddr
13168 +       jmp irq_return
13169 +#endif
13170  nmi_swapgs:
13171 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13172 +       pax_exit_kernel_user
13173 +#else
13174 +       pax_exit_kernel
13175 +#endif
13176         SWAPGS_UNSAFE_STACK
13177 +       RESTORE_ALL 8
13178 +       jmp irq_return
13179  nmi_restore:
13180 +       pax_exit_kernel
13181         RESTORE_ALL 8
13182 +       pax_force_retaddr
13183         jmp irq_return
13184  nmi_userspace:
13185         GET_THREAD_INFO(%rcx)
13186 @@ -1534,14 +1934,14 @@ nmi_schedule:
13187         jmp paranoid_exit
13188         CFI_ENDPROC
13189  #endif
13190 -END(nmi)
13191 +ENDPROC(nmi)
13192  
13193  ENTRY(ignore_sysret)
13194         CFI_STARTPROC
13195         mov $-ENOSYS,%eax
13196         sysret
13197         CFI_ENDPROC
13198 -END(ignore_sysret)
13199 +ENDPROC(ignore_sysret)
13200  
13201  /*
13202   * End of kprobes section
13203 diff -urNp linux-3.0.9/arch/x86/kernel/ftrace.c linux-3.0.9/arch/x86/kernel/ftrace.c
13204 --- linux-3.0.9/arch/x86/kernel/ftrace.c        2011-11-11 13:12:24.000000000 -0500
13205 +++ linux-3.0.9/arch/x86/kernel/ftrace.c        2011-11-15 20:02:59.000000000 -0500
13206 @@ -126,7 +126,7 @@ static void *mod_code_ip;           /* holds the 
13207  static const void *mod_code_newcode;   /* holds the text to write to the IP */
13208  
13209  static unsigned nmi_wait_count;
13210 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
13211 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
13212  
13213  int ftrace_arch_read_dyn_info(char *buf, int size)
13214  {
13215 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
13216  
13217         r = snprintf(buf, size, "%u %u",
13218                      nmi_wait_count,
13219 -                    atomic_read(&nmi_update_count));
13220 +                    atomic_read_unchecked(&nmi_update_count));
13221         return r;
13222  }
13223  
13224 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
13225  
13226         if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
13227                 smp_rmb();
13228 +               pax_open_kernel();
13229                 ftrace_mod_code();
13230 -               atomic_inc(&nmi_update_count);
13231 +               pax_close_kernel();
13232 +               atomic_inc_unchecked(&nmi_update_count);
13233         }
13234         /* Must have previous changes seen before executions */
13235         smp_mb();
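Review bot: `pax_open_kernel()`/`pax_close_kernel()` now bracket `ftrace_mod_code()` inside `ftrace_nmi_enter()`, i.e. in NMI context, and an NMI can land while the interrupted code already has the kernel opened for writing; whether the close restores the previous state or unconditionally re-protects is not visible here. A comment at the call site stating the assumption, e.g. `/* NMI context: relies on pax_open/close_kernel being nesting-safe w.r.t. an interrupted open window */`, records what the NMI entry path (`pax_enter_kernel` in the nmi hunk at L13142) is expected to guarantee. The switch of `nmi_update_count` to `atomic_unchecked_t` looks right for a pure statistic and deserves a `/* stats only, overflow harmless */` so it is not "fixed" back.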
13236 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
13237  {
13238         unsigned char replaced[MCOUNT_INSN_SIZE];
13239  
13240 +       ip = ktla_ktva(ip);
13241 +
13242         /*
13243          * Note: Due to modules and __init, code can
13244          *  disappear and change, we need to protect against faulting
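Review bot: `ip = ktla_ktva(ip);` at the top of `ftrace_modify_code()` changes the meaning of `ip` for the rest of the function without a comment, while the caller in the next hunk (`ftrace_update_ftrace_func`, L13248) still builds the replacement from the untranslated `ip` via `ftrace_call_replace(ip, …)`. That split is correct only because the rel32 in the new instruction must stay relative to the address the code executes at, while the read/write goes through the alias; proposed comment: `/* ip is the executing (KTLA) address; read/write through its writable KTVA alias, but callers compute rel32 against the executing address */`. The same applies to `ftrace_mod_jmp` (hunk at L13257). The function's body continues beyond the hunk.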
13245 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
13246         unsigned char old[MCOUNT_INSN_SIZE], *new;
13247         int ret;
13248  
13249 -       memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
13250 +       memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
13251         new = ftrace_call_replace(ip, (unsigned long)func);
13252         ret = ftrace_modify_code(ip, old, new);
13253  
13254 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long 
13255  {
13256         unsigned char code[MCOUNT_INSN_SIZE];
13257  
13258 +       ip = ktla_ktva(ip);
13259 +
13260         if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
13261                 return -EFAULT;
13262  
13263 diff -urNp linux-3.0.9/arch/x86/kernel/head32.c linux-3.0.9/arch/x86/kernel/head32.c
13264 --- linux-3.0.9/arch/x86/kernel/head32.c        2011-11-11 13:12:24.000000000 -0500
13265 +++ linux-3.0.9/arch/x86/kernel/head32.c        2011-11-15 20:02:59.000000000 -0500
13266 @@ -19,6 +19,7 @@
13267  #include <asm/io_apic.h>
13268  #include <asm/bios_ebda.h>
13269  #include <asm/tlbflush.h>
13270 +#include <asm/boot.h>
13271  
13272  static void __init i386_default_early_setup(void)
13273  {
13274 @@ -33,7 +34,7 @@ void __init i386_start_kernel(void)
13275  {
13276         memblock_init();
13277  
13278 -       memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13279 +       memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13280  
13281  #ifdef CONFIG_BLK_DEV_INITRD
13282         /* Reserve INITRD */
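Review bot: The reserved range now starts at the compile-time constant `LOAD_PHYSICAL_ADDR` instead of `__pa_symbol(&_text)`, and the hunk is not guarded by any PaX option, so on a kernel built with CONFIG_RELOCATABLE and loaded at a different physical address the reservation would no longer cover the image; whether such a configuration is still allowed by the rest of the patch is not visible here. If `_text` no longer marks the start of the loaded image (the head_32.S hunks add `stext`/`_stext` entries and an int3-filled page before `startup_32`), say so at the call: `/* the image starts at LOAD_PHYSICAL_ADDR, not at _text, once the KERNEXEC layout is in place */`.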
13283 diff -urNp linux-3.0.9/arch/x86/kernel/head_32.S linux-3.0.9/arch/x86/kernel/head_32.S
13284 --- linux-3.0.9/arch/x86/kernel/head_32.S       2011-11-11 13:12:24.000000000 -0500
13285 +++ linux-3.0.9/arch/x86/kernel/head_32.S       2011-11-15 20:02:59.000000000 -0500
13286 @@ -25,6 +25,12 @@
13287  /* Physical address */
13288  #define pa(X) ((X) - __PAGE_OFFSET)
13289  
13290 +#ifdef CONFIG_PAX_KERNEXEC
13291 +#define ta(X) (X)
13292 +#else
13293 +#define ta(X) ((X) - __PAGE_OFFSET)
13294 +#endif
13295 +
13296  /*
13297   * References to members of the new_cpu_data structure.
13298   */
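Review bot: The new `ta(X)` macro has no comment, and its only difference from `pa(X)` — identical without CONFIG_PAX_KERNEXEC, identity with it — is what makes the `jmp *pa(subarch_entries)(,%eax,4)` in the hunk at L13428 work, so the reader has to reconstruct the reason from the GDT code further down. Proposed comment above the `#ifdef`: `/* ta(X): address of X for an indirect jump through %cs; with KERNEXEC the code segment base (set up in startup_32) supplies the physical offset, otherwise the table must hold physical addresses like pa() */`. The "code segment base" part is my reading of the `__BOOT_CS`/`__KERNEL_CS` patching in the L13342 hunk and should be confirmed.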
13299 @@ -54,11 +60,7 @@
13300   * and small than max_low_pfn, otherwise will waste some page table entries
13301   */
13302  
13303 -#if PTRS_PER_PMD > 1
13304 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
13305 -#else
13306 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
13307 -#endif
13308 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
13309  
13310  /* Number of possible pages in the lowmem region */
13311  LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
13312 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
13313  RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13314  
13315  /*
13316 + * Real beginning of normal "text" segment
13317 + */
13318 +ENTRY(stext)
13319 +ENTRY(_stext)
13320 +
13321 +/*
13322   * 32-bit kernel entrypoint; only used by the boot CPU.  On entry,
13323   * %esi points to the real-mode code as a 32-bit pointer.
13324   * CS and DS must be 4 GB flat segments, but we don't depend on
13325 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13326   * can.
13327   */
13328  __HEAD
13329 +
13330 +#ifdef CONFIG_PAX_KERNEXEC
13331 +       jmp startup_32
13332 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
13333 +.fill PAGE_SIZE-5,1,0xcc
13334 +#endif
13335 +
13336  ENTRY(startup_32)
13337         movl pa(stack_start),%ecx
13338         
13339 @@ -105,6 +120,57 @@ ENTRY(startup_32)
13340  2:
13341         leal -__PAGE_OFFSET(%ecx),%esp
13342  
13343 +#ifdef CONFIG_SMP
13344 +       movl $pa(cpu_gdt_table),%edi
13345 +       movl $__per_cpu_load,%eax
13346 +       movw %ax,__KERNEL_PERCPU + 2(%edi)
13347 +       rorl $16,%eax
13348 +       movb %al,__KERNEL_PERCPU + 4(%edi)
13349 +       movb %ah,__KERNEL_PERCPU + 7(%edi)
13350 +       movl $__per_cpu_end - 1,%eax
13351 +       subl $__per_cpu_start,%eax
13352 +       movw %ax,__KERNEL_PERCPU + 0(%edi)
13353 +#endif
13354 +
13355 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13356 +       movl $NR_CPUS,%ecx
13357 +       movl $pa(cpu_gdt_table),%edi
13358 +1:
13359 +       movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
13360 +       movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
13361 +       movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
13362 +       addl $PAGE_SIZE_asm,%edi
13363 +       loop 1b
13364 +#endif
13365 +
13366 +#ifdef CONFIG_PAX_KERNEXEC
13367 +       movl $pa(boot_gdt),%edi
13368 +       movl $__LOAD_PHYSICAL_ADDR,%eax
13369 +       movw %ax,__BOOT_CS + 2(%edi)
13370 +       rorl $16,%eax
13371 +       movb %al,__BOOT_CS + 4(%edi)
13372 +       movb %ah,__BOOT_CS + 7(%edi)
13373 +       rorl $16,%eax
13374 +
13375 +       ljmp $(__BOOT_CS),$1f
13376 +1:
13377 +
13378 +       movl $NR_CPUS,%ecx
13379 +       movl $pa(cpu_gdt_table),%edi
13380 +       addl $__PAGE_OFFSET,%eax
13381 +1:
13382 +       movw %ax,__KERNEL_CS + 2(%edi)
13383 +       movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
13384 +       rorl $16,%eax
13385 +       movb %al,__KERNEL_CS + 4(%edi)
13386 +       movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
13387 +       movb %ah,__KERNEL_CS + 7(%edi)
13388 +       movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
13389 +       rorl $16,%eax
13390 +       addl $PAGE_SIZE_asm,%edi
13391 +       loop 1b
13392 +#endif
13393 +
13394  /*
13395   * Clear BSS first so that there are no surprises...
13396   */
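Review bot: The three `movl $(… | 0x00c09700)` / `0x00c0fb00` / `0x00c0f300` stores in the UDEREF block write the high dword of a descriptor with no comment decoding the constant; as I read the bits, `0x97` is a present DPL0 expand-down writable data segment and `0xfb`/`0xf3` are DPL3 code/data, all with limit[19:16] taken from `__PAGE_OFFSET-1`, so the kernel DS covers only [__PAGE_OFFSET, 4G) and the user segments only [0, __PAGE_OFFSET). A comment stating that intent, e.g. `/* UDEREF: expand-down kernel DS limited to >= __PAGE_OFFSET, user CS/DS limited to < __PAGE_OFFSET */`, would make the mechanism and its dependence on the low dword left in `cpu_gdt_table` (the `0x0000ffff` limit bits) visible. The KERNEXEC block below reuses the numeric label `1` for both the `ljmp` target and the loop head, which is legal but easy to misread; distinct labels would help.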
13397 @@ -195,8 +261,11 @@ ENTRY(startup_32)
13398         movl %eax, pa(max_pfn_mapped)
13399  
13400         /* Do early initialization of the fixmap area */
13401 -       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13402 -       movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
13403 +#ifdef CONFIG_COMPAT_VDSO
13404 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
13405 +#else
13406 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
13407 +#endif
13408  #else  /* Not PAE */
13409  
13410  page_pde_offset = (__PAGE_OFFSET >> 20);
13411 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13412         movl %eax, pa(max_pfn_mapped)
13413  
13414         /* Do early initialization of the fixmap area */
13415 -       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13416 -       movl %eax,pa(initial_page_table+0xffc)
13417 +#ifdef CONFIG_COMPAT_VDSO
13418 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
13419 +#else
13420 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
13421 +#endif
13422  #endif
13423  
13424  #ifdef CONFIG_PARAVIRT
13425 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13426         cmpl $num_subarch_entries, %eax
13427         jae bad_subarch
13428  
13429 -       movl pa(subarch_entries)(,%eax,4), %eax
13430 -       subl $__PAGE_OFFSET, %eax
13431 -       jmp *%eax
13432 +       jmp *pa(subarch_entries)(,%eax,4)
13433  
13434  bad_subarch:
13435  WEAK(lguest_entry)
13436 @@ -255,10 +325,10 @@ WEAK(xen_entry)
13437         __INITDATA
13438  
13439  subarch_entries:
13440 -       .long default_entry             /* normal x86/PC */
13441 -       .long lguest_entry              /* lguest hypervisor */
13442 -       .long xen_entry                 /* Xen hypervisor */
13443 -       .long default_entry             /* Moorestown MID */
13444 +       .long ta(default_entry)         /* normal x86/PC */
13445 +       .long ta(lguest_entry)          /* lguest hypervisor */
13446 +       .long ta(xen_entry)             /* Xen hypervisor */
13447 +       .long ta(default_entry)         /* Moorestown MID */
13448  num_subarch_entries = (. - subarch_entries) / 4
13449  .previous
13450  #else
13451 @@ -312,6 +382,7 @@ default_entry:
13452         orl %edx,%eax
13453         movl %eax,%cr4
13454  
13455 +#ifdef CONFIG_X86_PAE
13456         testb $X86_CR4_PAE, %al         # check if PAE is enabled
13457         jz 6f
13458  
13459 @@ -340,6 +411,9 @@ default_entry:
13460         /* Make changes effective */
13461         wrmsr
13462  
13463 +       btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
13464 +#endif
13465 +
13466  6:
13467  
13468  /*
13469 @@ -443,7 +517,7 @@ is386:      movl $2,%ecx            # set MP
13470  1:     movl $(__KERNEL_DS),%eax        # reload all the segment registers
13471         movl %eax,%ss                   # after changing gdt.
13472  
13473 -       movl $(__USER_DS),%eax          # DS/ES contains default USER segment
13474 +#      movl $(__KERNEL_DS),%eax        # DS/ES contains default KERNEL segment
13475         movl %eax,%ds
13476         movl %eax,%es
13477  
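Review bot: The `movl $(__USER_DS),%eax` is turned into a `#`-comment instead of being removed, and the following `movl %eax,%ds` / `movl %eax,%es` now depend on %eax still holding `__KERNEL_DS` from the `1:` line above — a dependency nothing states. Delete the commented-out line and annotate the reload instead: `movl %eax,%ds    # %eax still holds __KERNEL_DS: DS/ES get the kernel segment`. The enclosing code starts outside the hunk.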
13478 @@ -457,15 +531,22 @@ is386:    movl $2,%ecx            # set MP
13479          */
13480         cmpb $0,ready
13481         jne 1f
13482 -       movl $gdt_page,%eax
13483 +       movl $cpu_gdt_table,%eax
13484         movl $stack_canary,%ecx
13485 +#ifdef CONFIG_SMP
13486 +       addl $__per_cpu_load,%ecx
13487 +#endif
13488         movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
13489         shrl $16, %ecx
13490         movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
13491         movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
13492  1:
13493 -#endif
13494         movl $(__KERNEL_STACK_CANARY),%eax
13495 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13496 +       movl $(__USER_DS),%eax
13497 +#else
13498 +       xorl %eax,%eax
13499 +#endif
13500         movl %eax,%gs
13501  
13502         xorl %eax,%eax                  # Clear LDT
13503 @@ -558,22 +639,22 @@ early_page_fault:
13504         jmp early_fault
13505  
13506  early_fault:
13507 -       cld
13508  #ifdef CONFIG_PRINTK
13509 +       cmpl $1,%ss:early_recursion_flag
13510 +       je hlt_loop
13511 +       incl %ss:early_recursion_flag
13512 +       cld
13513         pusha
13514         movl $(__KERNEL_DS),%eax
13515         movl %eax,%ds
13516         movl %eax,%es
13517 -       cmpl $2,early_recursion_flag
13518 -       je hlt_loop
13519 -       incl early_recursion_flag
13520         movl %cr2,%eax
13521         pushl %eax
13522         pushl %edx              /* trapno */
13523         pushl $fault_msg
13524         call printk
13525 +;      call dump_stack
13526  #endif
13527 -       call dump_stack
13528  hlt_loop:
13529         hlt
13530         jmp hlt_loop
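Review bot: `;      call dump_stack` inside the `#ifdef CONFIG_PRINTK` block is not a comment: in x86 GNU as `;` is the statement separator, so the line still assembles to `call dump_stack` (now conditional on CONFIG_PRINTK rather than unconditional as before). If the intent is to disable the call, use `#` as this same file does elsewhere (`#      movl` in the hunk at L13472) or drop the line; if the intent is to keep it, write `call dump_stack` plainly so the next reader does not "fix" it. The recursion guard here stops at `cmpl $1` while `ignore_int` (hunk at L13534) uses `cmpl $2` on the same `early_recursion_flag`; a comment on why the thresholds differ would help.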
13531 @@ -581,8 +662,11 @@ hlt_loop:
13532  /* This is the default interrupt "handler" :-) */
13533         ALIGN
13534  ignore_int:
13535 -       cld
13536  #ifdef CONFIG_PRINTK
13537 +       cmpl $2,%ss:early_recursion_flag
13538 +       je hlt_loop
13539 +       incl %ss:early_recursion_flag
13540 +       cld
13541         pushl %eax
13542         pushl %ecx
13543         pushl %edx
13544 @@ -591,9 +675,6 @@ ignore_int:
13545         movl $(__KERNEL_DS),%eax
13546         movl %eax,%ds
13547         movl %eax,%es
13548 -       cmpl $2,early_recursion_flag
13549 -       je hlt_loop
13550 -       incl early_recursion_flag
13551         pushl 16(%esp)
13552         pushl 24(%esp)
13553         pushl 32(%esp)
13554 @@ -622,29 +703,43 @@ ENTRY(initial_code)
13555  /*
13556   * BSS section
13557   */
13558 -__PAGE_ALIGNED_BSS
13559 -       .align PAGE_SIZE
13560  #ifdef CONFIG_X86_PAE
13561 +.section .initial_pg_pmd,"a",@progbits
13562  initial_pg_pmd:
13563         .fill 1024*KPMDS,4,0
13564  #else
13565 +.section .initial_page_table,"a",@progbits
13566  ENTRY(initial_page_table)
13567         .fill 1024,4,0
13568  #endif
13569 +.section .initial_pg_fixmap,"a",@progbits
13570  initial_pg_fixmap:
13571         .fill 1024,4,0
13572 +.section .empty_zero_page,"a",@progbits
13573  ENTRY(empty_zero_page)
13574         .fill 4096,1,0
13575 +.section .swapper_pg_dir,"a",@progbits
13576  ENTRY(swapper_pg_dir)
13577 +#ifdef CONFIG_X86_PAE
13578 +       .fill 4,8,0
13579 +#else
13580         .fill 1024,4,0
13581 +#endif
13582 +
13583 +/*
13584 + * The IDT has to be page-aligned to simplify the Pentium
13585 + * F0 0F bug workaround.. We have a special link segment
13586 + * for this.
13587 + */
13588 +.section .idt,"a",@progbits
13589 +ENTRY(idt_table)
13590 +       .fill 256,8,0
13591  
13592  /*
13593   * This starts the data section.
13594   */
13595  #ifdef CONFIG_X86_PAE
13596 -__PAGE_ALIGNED_DATA
13597 -       /* Page-aligned for the benefit of paravirt? */
13598 -       .align PAGE_SIZE
13599 +.section .initial_page_table,"a",@progbits
13600  ENTRY(initial_page_table)
13601         .long   pa(initial_pg_pmd+PGD_IDENT_ATTR),0     /* low identity map */
13602  # if KPMDS == 3
13603 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
13604  #  error "Kernel PMDs should be 1, 2 or 3"
13605  # endif
13606         .align PAGE_SIZE                /* needs to be page-sized too */
13607 +
13608 +#ifdef CONFIG_PAX_PER_CPU_PGD
13609 +ENTRY(cpu_pgd)
13610 +       .rept NR_CPUS
13611 +       .fill   4,8,0
13612 +       .endr
13613 +#endif
13614 +
13615  #endif
13616  
13617  .data
13618  .balign 4
13619  ENTRY(stack_start)
13620 -       .long init_thread_union+THREAD_SIZE
13621 +       .long init_thread_union+THREAD_SIZE-8
13622 +
13623 +ready: .byte 0
13624  
13625 +.section .rodata,"a",@progbits
13626  early_recursion_flag:
13627         .long 0
13628  
13629 -ready: .byte 0
13630 -
13631  int_msg:
13632         .asciz "Unknown interrupt or fault at: %p %p %p\n"
13633  
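Review bot: `early_recursion_flag` is moved into `.section .rodata,"a",@progbits` even though both early handlers write it (`incl %ss:early_recursion_flag` in the hunks at L13506 and L13534). This works while rodata is still writable, but if an early fault reaches these handlers after rodata has been write-protected the `incl` itself faults and the guard cannot stop the recursion; whether the early IDT can still be installed at that point is not visible here. If the placement is intentional, state the constraint next to the label: `/* written by early_fault/ignore_int; must be reachable via %ss and only before rodata is made read-only */` — the %ss part is my guess at the motivation, confirm.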
13634 @@ -707,7 +811,7 @@ fault_msg:
13635         .word 0                         # 32 bit align gdt_desc.address
13636  boot_gdt_descr:
13637         .word __BOOT_DS+7
13638 -       .long boot_gdt - __PAGE_OFFSET
13639 +       .long pa(boot_gdt)
13640  
13641         .word 0                         # 32-bit align idt_desc.address
13642  idt_descr:
13643 @@ -718,7 +822,7 @@ idt_descr:
13644         .word 0                         # 32 bit align gdt_desc.address
13645  ENTRY(early_gdt_descr)
13646         .word GDT_ENTRIES*8-1
13647 -       .long gdt_page                  /* Overwritten for secondary CPUs */
13648 +       .long cpu_gdt_table             /* Overwritten for secondary CPUs */
13649  
13650  /*
13651   * The boot_gdt must mirror the equivalent in setup.S and is
13652 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
13653         .align L1_CACHE_BYTES
13654  ENTRY(boot_gdt)
13655         .fill GDT_ENTRY_BOOT_CS,8,0
13656 -       .quad 0x00cf9a000000ffff        /* kernel 4GB code at 0x00000000 */
13657 -       .quad 0x00cf92000000ffff        /* kernel 4GB data at 0x00000000 */
13658 +       .quad 0x00cf9b000000ffff        /* kernel 4GB code at 0x00000000 */
13659 +       .quad 0x00cf93000000ffff        /* kernel 4GB data at 0x00000000 */
13660 +
13661 +       .align PAGE_SIZE_asm
13662 +ENTRY(cpu_gdt_table)
13663 +       .rept NR_CPUS
13664 +       .quad 0x0000000000000000        /* NULL descriptor */
13665 +       .quad 0x0000000000000000        /* 0x0b reserved */
13666 +       .quad 0x0000000000000000        /* 0x13 reserved */
13667 +       .quad 0x0000000000000000        /* 0x1b reserved */
13668 +
13669 +#ifdef CONFIG_PAX_KERNEXEC
13670 +       .quad 0x00cf9b000000ffff        /* 0x20 alternate kernel 4GB code at 0x00000000 */
13671 +#else
13672 +       .quad 0x0000000000000000        /* 0x20 unused */
13673 +#endif
13674 +
13675 +       .quad 0x0000000000000000        /* 0x28 unused */
13676 +       .quad 0x0000000000000000        /* 0x33 TLS entry 1 */
13677 +       .quad 0x0000000000000000        /* 0x3b TLS entry 2 */
13678 +       .quad 0x0000000000000000        /* 0x43 TLS entry 3 */
13679 +       .quad 0x0000000000000000        /* 0x4b reserved */
13680 +       .quad 0x0000000000000000        /* 0x53 reserved */
13681 +       .quad 0x0000000000000000        /* 0x5b reserved */
13682 +
13683 +       .quad 0x00cf9b000000ffff        /* 0x60 kernel 4GB code at 0x00000000 */
13684 +       .quad 0x00cf93000000ffff        /* 0x68 kernel 4GB data at 0x00000000 */
13685 +       .quad 0x00cffb000000ffff        /* 0x73 user 4GB code at 0x00000000 */
13686 +       .quad 0x00cff3000000ffff        /* 0x7b user 4GB data at 0x00000000 */
13687 +
13688 +       .quad 0x0000000000000000        /* 0x80 TSS descriptor */
13689 +       .quad 0x0000000000000000        /* 0x88 LDT descriptor */
13690 +
13691 +       /*
13692 +        * Segments used for calling PnP BIOS have byte granularity.
13693 +        * The code segments and data segments have fixed 64k limits,
13694 +        * the transfer segment sizes are set at run time.
13695 +        */
13696 +       .quad 0x00409b000000ffff        /* 0x90 32-bit code */
13697 +       .quad 0x00009b000000ffff        /* 0x98 16-bit code */
13698 +       .quad 0x000093000000ffff        /* 0xa0 16-bit data */
13699 +       .quad 0x0000930000000000        /* 0xa8 16-bit data */
13700 +       .quad 0x0000930000000000        /* 0xb0 16-bit data */
13701 +
13702 +       /*
13703 +        * The APM segments have byte granularity and their bases
13704 +        * are set at run time.  All have 64k limits.
13705 +        */
13706 +       .quad 0x00409b000000ffff        /* 0xb8 APM CS    code */
13707 +       .quad 0x00009b000000ffff        /* 0xc0 APM CS 16 code (16 bit) */
13708 +       .quad 0x004093000000ffff        /* 0xc8 APM DS    data */
13709 +
13710 +       .quad 0x00c0930000000000        /* 0xd0 - ESPFIX SS */
13711 +       .quad 0x0040930000000000        /* 0xd8 - PERCPU */
13712 +       .quad 0x0040910000000017        /* 0xe0 - STACK_CANARY */
13713 +       .quad 0x0000000000000000        /* 0xe8 - PCIBIOS_CS */
13714 +       .quad 0x0000000000000000        /* 0xf0 - PCIBIOS_DS */
13715 +       .quad 0x0000000000000000        /* 0xf8 - GDT entry 31: double-fault TSS */
13716 +
13717 +       /* Be sure this is zeroed to avoid false validations in Xen */
13718 +       .fill PAGE_SIZE_asm - GDT_SIZE,1,0
13719 +       .endr
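Review bot: The two `boot_gdt` descriptors change from `0x00cf9a…`/`0x00cf92…` to `0x00cf9b…`/`0x00cf93…`, i.e. only the Accessed bit is set, with no comment; presumably this keeps the CPU from writing the descriptor on first load so the GDT can live in memory that is later made read-only (or simply matches the `cpu_gdt_table` entries below), and that reason belongs next to the change: `/* A bit pre-set: the CPU never needs to write these descriptors */`. In `cpu_gdt_table` the per-entry comments mix selector values with RPL 3 (`0x0b`, `0x33`, `0x73`) and plain byte offsets (`0x20`, `0x60`, `0x80`), which makes the table hard to cross-check against the `GDT_ENTRY_*` indices; one convention (offset or `GDT_ENTRY_*` name) throughout would help.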
13720 diff -urNp linux-3.0.9/arch/x86/kernel/head_64.S linux-3.0.9/arch/x86/kernel/head_64.S
13721 --- linux-3.0.9/arch/x86/kernel/head_64.S       2011-11-11 13:12:24.000000000 -0500
13722 +++ linux-3.0.9/arch/x86/kernel/head_64.S       2011-11-15 20:02:59.000000000 -0500
13723 @@ -19,6 +19,7 @@
13724  #include <asm/cache.h>
13725  #include <asm/processor-flags.h>
13726  #include <asm/percpu.h>
13727 +#include <asm/cpufeature.h>
13728  
13729  #ifdef CONFIG_PARAVIRT
13730  #include <asm/asm-offsets.h>
13731 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
13732  L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
13733  L4_START_KERNEL = pgd_index(__START_KERNEL_map)
13734  L3_START_KERNEL = pud_index(__START_KERNEL_map)
13735 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
13736 +L3_VMALLOC_START = pud_index(VMALLOC_START)
13737 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
13738 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
13739  
13740         .text
13741         __HEAD
13742 @@ -85,35 +90,22 @@ startup_64:
13743          */
13744         addq    %rbp, init_level4_pgt + 0(%rip)
13745         addq    %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
13746 +       addq    %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
13747 +       addq    %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
13748         addq    %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
13749  
13750         addq    %rbp, level3_ident_pgt + 0(%rip)
13751 +#ifndef CONFIG_XEN
13752 +       addq    %rbp, level3_ident_pgt + 8(%rip)
13753 +#endif
13754  
13755 -       addq    %rbp, level3_kernel_pgt + (510*8)(%rip)
13756 -       addq    %rbp, level3_kernel_pgt + (511*8)(%rip)
13757 +       addq    %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
13758  
13759 -       addq    %rbp, level2_fixmap_pgt + (506*8)(%rip)
13760 +       addq    %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
13761 +       addq    %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
13762  
13763 -       /* Add an Identity mapping if I am above 1G */
13764 -       leaq    _text(%rip), %rdi
13765 -       andq    $PMD_PAGE_MASK, %rdi
13766 -
13767 -       movq    %rdi, %rax
13768 -       shrq    $PUD_SHIFT, %rax
13769 -       andq    $(PTRS_PER_PUD - 1), %rax
13770 -       jz      ident_complete
13771 -
13772 -       leaq    (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
13773 -       leaq    level3_ident_pgt(%rip), %rbx
13774 -       movq    %rdx, 0(%rbx, %rax, 8)
13775 -
13776 -       movq    %rdi, %rax
13777 -       shrq    $PMD_SHIFT, %rax
13778 -       andq    $(PTRS_PER_PMD - 1), %rax
13779 -       leaq    __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
13780 -       leaq    level2_spare_pgt(%rip), %rbx
13781 -       movq    %rdx, 0(%rbx, %rax, 8)
13782 -ident_complete:
13783 +       addq    %rbp, level2_fixmap_pgt + (506*8)(%rip)
13784 +       addq    %rbp, level2_fixmap_pgt + (507*8)(%rip)
13785  
13786         /*
13787          * Fixup the kernel text+data virtual addresses. Note that
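Review bot: The fixup `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` now adjusts an entry that the new table leaves empty: the level2_fixmap_pgt definition later in this file (`.fill 507,8,0` followed by the level1_vsyscall_pgt quad) puts its only populated entry at index 507. When the kernel is relocated (%rbp != 0) index 506 becomes %rbp with no flag bits — not present to the CPU, but non-zero, which pmd_none()-style checks may later treat as populated. Either drop the 506 fixup or put a second level1 table at index 506 so the two `addq` lines and the table agree. startup_64 begins and ends outside this hunk.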
13788 @@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
13789          * after the boot processor executes this code.
13790          */
13791  
13792 -       /* Enable PAE mode and PGE */
13793 -       movl    $(X86_CR4_PAE | X86_CR4_PGE), %eax
13794 +       /* Enable PAE mode and PSE/PGE */
13795 +       movl    $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
13796         movq    %rax, %cr4
13797  
13798         /* Setup early boot stage 4 level pagetables. */
13799 @@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
13800         movl    $MSR_EFER, %ecx
13801         rdmsr
13802         btsl    $_EFER_SCE, %eax        /* Enable System Call */
13803 -       btl     $20,%edi                /* No Execute supported? */
13804 +       btl     $(X86_FEATURE_NX & 31),%edi     /* No Execute supported? */
13805         jnc     1f
13806         btsl    $_EFER_NX, %eax
13807 +       leaq    init_level4_pgt(%rip), %rdi
13808 +       btsq    $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
13809 +       btsq    $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
13810 +       btsq    $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
13811 +       btsq    $_PAGE_BIT_NX, __supported_pte_mask(%rip)
13812  1:     wrmsr                           /* Make changes effective */
13813  
13814         /* Setup cr0 */
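Review bot: The four `btsq $_PAGE_BIT_NX` lines are skipped together with `btsl $_EFER_NX` when the feature bit is clear, which is right, but nothing says why NX is applied at the top-level entries; a comment such as `/* NX on the PGD entries makes the direct, vmalloc and vmemmap ranges non-executable as a whole, before any lower-level tables exist */` would record the intent. Since this code runs on every CPU through secondary_startup_64, the read-modify-write of `__supported_pte_mask` is unlocked but idempotent (every CPU sets the same bit); one line saying so, `/* unlocked RMW is fine here: all CPUs set the same bit */`, would stop a reader from flagging it as a race. The surrounding function begins and ends outside the hunk.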
13815 @@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
13816  bad_address:
13817         jmp bad_address
13818  
13819 -       .section ".init.text","ax"
13820 +       __INIT
13821  #ifdef CONFIG_EARLY_PRINTK
13822         .globl early_idt_handlers
13823  early_idt_handlers:
13824 @@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
13825  #endif /* EARLY_PRINTK */
13826  1:     hlt
13827         jmp 1b
13828 +       .previous
13829  
13830  #ifdef CONFIG_EARLY_PRINTK
13831 +       __INITDATA
13832  early_recursion_flag:
13833         .long 0
13834 +       .previous
13835  
13836 +       .section .rodata,"a",@progbits
13837  early_idt_msg:
13838         .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
13839  early_idt_ripmsg:
13840         .asciz "RIP %s\n"
13841 -#endif /* CONFIG_EARLY_PRINTK */
13842         .previous
13843 +#endif /* CONFIG_EARLY_PRINTK */
13844  
13845 +       .section .rodata,"a",@progbits
13846  #define NEXT_PAGE(name) \
13847         .balign PAGE_SIZE; \
13848  ENTRY(name)
13849 @@ -338,7 +340,6 @@ ENTRY(name)
13850         i = i + 1 ;                                     \
13851         .endr
13852  
13853 -       .data
13854         /*
13855          * This default setting generates an ident mapping at address 0x100000
13856          * and a mapping for the kernel that precisely maps virtual address
13857 @@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
13858         .quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13859         .org    init_level4_pgt + L4_PAGE_OFFSET*8, 0
13860         .quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13861 +       .org    init_level4_pgt + L4_VMALLOC_START*8, 0
13862 +       .quad   level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
13863 +       .org    init_level4_pgt + L4_VMEMMAP_START*8, 0
13864 +       .quad   level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13865         .org    init_level4_pgt + L4_START_KERNEL*8, 0
13866         /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
13867         .quad   level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
13868  
13869 +#ifdef CONFIG_PAX_PER_CPU_PGD
13870 +NEXT_PAGE(cpu_pgd)
13871 +       .rept NR_CPUS
13872 +       .fill   512,8,0
13873 +       .endr
13874 +#endif
13875 +
13876  NEXT_PAGE(level3_ident_pgt)
13877         .quad   level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13878 +#ifdef CONFIG_XEN
13879         .fill   511,8,0
13880 +#else
13881 +       .quad   level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
13882 +       .fill   510,8,0
13883 +#endif
13884 +
13885 +NEXT_PAGE(level3_vmalloc_pgt)
13886 +       .fill   512,8,0
13887 +
13888 +NEXT_PAGE(level3_vmemmap_pgt)
13889 +       .fill   L3_VMEMMAP_START,8,0
13890 +       .quad   level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13891  
13892  NEXT_PAGE(level3_kernel_pgt)
13893         .fill   L3_START_KERNEL,8,0
13894 @@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
13895         .quad   level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
13896         .quad   level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13897  
13898 +NEXT_PAGE(level2_vmemmap_pgt)
13899 +       .fill   512,8,0
13900 +
13901  NEXT_PAGE(level2_fixmap_pgt)
13902 -       .fill   506,8,0
13903 -       .quad   level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13904 -       /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
13905 -       .fill   5,8,0
13906 +       .fill   507,8,0
13907 +       .quad   level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
13908 +       /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
13909 +       .fill   4,8,0
13910  
13911 -NEXT_PAGE(level1_fixmap_pgt)
13912 +NEXT_PAGE(level1_vsyscall_pgt)
13913         .fill   512,8,0
13914  
13915 -NEXT_PAGE(level2_ident_pgt)
13916 -       /* Since I easily can, map the first 1G.
13917 +       /* Since I easily can, map the first 2G.
13918          * Don't set NX because code runs from these pages.
13919          */
13920 -       PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
13921 +NEXT_PAGE(level2_ident_pgt)
13922 +       PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
13923  
13924  NEXT_PAGE(level2_kernel_pgt)
13925         /*
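Review bot: `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)` fixes the early identity map at 2G while the runtime "Add an Identity mapping if I am above 1G" code and level2_spare_pgt have been removed from startup_64, so a kernel image loaded above 2G physical would no longer have its own text identity-mapped at this point; presumably the load-address constraints of this configuration exclude that, but the hunk does not say so. A comment next to the PMDS line stating the limit, e.g. `/* static 2G identity map: the image must be loaded below 2G physical, there is no runtime spare PMD any more */`, would make the contract explicit. The "map the first 2G" comment was also moved ahead of the `NEXT_PAGE(level2_ident_pgt)` label; keeping it after the label, as the neighbouring tables do, reads more consistently.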
13926 @@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
13927          *  If you want to increase this then increase MODULES_VADDR
13928          *  too.)
13929          */
13930 -       PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
13931 -               KERNEL_IMAGE_SIZE/PMD_SIZE)
13932 -
13933 -NEXT_PAGE(level2_spare_pgt)
13934 -       .fill   512, 8, 0
13935 +       PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
13936  
13937  #undef PMDS
13938  #undef NEXT_PAGE
13939  
13940 -       .data
13941 +       .align PAGE_SIZE
13942 +ENTRY(cpu_gdt_table)
13943 +       .rept NR_CPUS
13944 +       .quad   0x0000000000000000      /* NULL descriptor */
13945 +       .quad   0x00cf9b000000ffff      /* __KERNEL32_CS */
13946 +       .quad   0x00af9b000000ffff      /* __KERNEL_CS */
13947 +       .quad   0x00cf93000000ffff      /* __KERNEL_DS */
13948 +       .quad   0x00cffb000000ffff      /* __USER32_CS */
13949 +       .quad   0x00cff3000000ffff      /* __USER_DS, __USER32_DS  */
13950 +       .quad   0x00affb000000ffff      /* __USER_CS */
13951 +
13952 +#ifdef CONFIG_PAX_KERNEXEC
13953 +       .quad   0x00af9b000000ffff      /* __KERNEXEC_KERNEL_CS */
13954 +#else
13955 +       .quad   0x0                     /* unused */
13956 +#endif
13957 +
13958 +       .quad   0,0                     /* TSS */
13959 +       .quad   0,0                     /* LDT */
13960 +       .quad   0,0,0                   /* three TLS descriptors */
13961 +       .quad   0x0000f40000000000      /* node/CPU stored in limit */
13962 +       /* asm/segment.h:GDT_ENTRIES must match this */
13963 +
13964 +       /* zero the remaining page */
13965 +       .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
13966 +       .endr
13967 +
13968         .align 16
13969         .globl early_gdt_descr
13970  early_gdt_descr:
13971         .word   GDT_ENTRIES*8-1
13972  early_gdt_descr_base:
13973 -       .quad   INIT_PER_CPU_VAR(gdt_page)
13974 +       .quad   cpu_gdt_table
13975  
13976  ENTRY(phys_base)
13977         /* This must match the first entry in level2_kernel_pgt */
13978         .quad   0x0000000000000000
13979  
13980  #include "../../x86/xen/xen-head.S"
13981 -       
13982 -       .section .bss, "aw", @nobits
13983 +
13984 +       .section .rodata,"a",@progbits
13985         .align L1_CACHE_BYTES
13986  ENTRY(idt_table)
13987 -       .skip IDT_ENTRIES * 16
13988 +       .fill 512,8,0
13989  
13990         __PAGE_ALIGNED_BSS
13991         .align PAGE_SIZE
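Review bot: `.fill 512,8,0` for idt_table drops the `IDT_ENTRIES * 16` sizing that the replaced `.skip` expressed; `.fill IDT_ENTRIES,16,0` gives the same size while keeping the relation to the constant visible. In cpu_gdt_table the comment `asm/segment.h:GDT_ENTRIES must match this` is the only guard on the descriptor count — `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` only fails if GDT_ENTRIES exceeds a page, not if a `.quad` is added or removed; an assembler-time check after the last descriptor (a local label at the top of the `.rept` body and an `.if (. - 0b) != GDT_ENTRIES*8` / `.error` pair) would turn that comment into a build failure. Moving idt_table from .bss into .rodata also makes it part of the image rather than load-time zero fill, which is presumably intended for the read-only-tables design but deserves a word in the commit description.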
13992 diff -urNp linux-3.0.9/arch/x86/kernel/i386_ksyms_32.c linux-3.0.9/arch/x86/kernel/i386_ksyms_32.c
13993 --- linux-3.0.9/arch/x86/kernel/i386_ksyms_32.c 2011-11-11 13:12:24.000000000 -0500
13994 +++ linux-3.0.9/arch/x86/kernel/i386_ksyms_32.c 2011-11-15 20:02:59.000000000 -0500
13995 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
13996  EXPORT_SYMBOL(cmpxchg8b_emu);
13997  #endif
13998  
13999 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
14000 +
14001  /* Networking helper routines. */
14002  EXPORT_SYMBOL(csum_partial_copy_generic);
14003 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
14004 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
14005  
14006  EXPORT_SYMBOL(__get_user_1);
14007  EXPORT_SYMBOL(__get_user_2);
14008 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
14009  
14010  EXPORT_SYMBOL(csum_partial);
14011  EXPORT_SYMBOL(empty_zero_page);
14012 +
14013 +#ifdef CONFIG_PAX_KERNEXEC
14014 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
14015 +#endif
14016 diff -urNp linux-3.0.9/arch/x86/kernel/i8259.c linux-3.0.9/arch/x86/kernel/i8259.c
14017 --- linux-3.0.9/arch/x86/kernel/i8259.c 2011-11-11 13:12:24.000000000 -0500
14018 +++ linux-3.0.9/arch/x86/kernel/i8259.c 2011-11-15 20:02:59.000000000 -0500
14019 @@ -210,7 +210,7 @@ spurious_8259A_irq:
14020                                "spurious 8259A interrupt: IRQ%d.\n", irq);
14021                         spurious_irq_mask |= irqmask;
14022                 }
14023 -               atomic_inc(&irq_err_count);
14024 +               atomic_inc_unchecked(&irq_err_count);
14025                 /*
14026                  * Theoretically we do not have to handle this IRQ,
14027                  * but in Linux this does not cause problems and is
14028 diff -urNp linux-3.0.9/arch/x86/kernel/init_task.c linux-3.0.9/arch/x86/kernel/init_task.c
14029 --- linux-3.0.9/arch/x86/kernel/init_task.c     2011-11-11 13:12:24.000000000 -0500
14030 +++ linux-3.0.9/arch/x86/kernel/init_task.c     2011-11-15 20:02:59.000000000 -0500
14031 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
14032   * way process stacks are handled. This is done by having a special
14033   * "init_task" linker map entry..
14034   */
14035 -union thread_union init_thread_union __init_task_data =
14036 -       { INIT_THREAD_INFO(init_task) };
14037 +union thread_union init_thread_union __init_task_data;
14038  
14039  /*
14040   * Initial task structure.
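Review bot: Dropping the `{ INIT_THREAD_INFO(init_task) }` initializer leaves init_thread_union as a plain zero-filled stack, which is only correct if thread_info no longer lives at the bottom of the stack (the irq_32.c hunks in this patch remove `tinfo` from the IRQ stack union, so that appears to be the design); the hunk gives no pointer to where the boot task's thread_info is now defined. Suggest a comment above the declaration, e.g. `/* thread_info is not embedded in the stack under this patch; init_task's thread_info is defined in <FILE> */`, with the real location filled in. The same applies to the `init_tss[NR_CPUS]` array in the next hunk, which replaces a per-CPU variable with an NR_CPUS-sized static array without a note on why.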
14041 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
14042   * section. Since TSS's are completely CPU-local, we want them
14043   * on exact cacheline boundaries, to eliminate cacheline ping-pong.
14044   */
14045 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
14046 -
14047 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
14048 +EXPORT_SYMBOL(init_tss);
14049 diff -urNp linux-3.0.9/arch/x86/kernel/ioport.c linux-3.0.9/arch/x86/kernel/ioport.c
14050 --- linux-3.0.9/arch/x86/kernel/ioport.c        2011-11-11 13:12:24.000000000 -0500
14051 +++ linux-3.0.9/arch/x86/kernel/ioport.c        2011-11-15 20:02:59.000000000 -0500
14052 @@ -6,6 +6,7 @@
14053  #include <linux/sched.h>
14054  #include <linux/kernel.h>
14055  #include <linux/capability.h>
14056 +#include <linux/security.h>
14057  #include <linux/errno.h>
14058  #include <linux/types.h>
14059  #include <linux/ioport.h>
14060 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
14061  
14062         if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
14063                 return -EINVAL;
14064 +#ifdef CONFIG_GRKERNSEC_IO
14065 +       if (turn_on && grsec_disable_privio) {
14066 +               gr_handle_ioperm();
14067 +               return -EPERM;
14068 +       }
14069 +#endif
14070         if (turn_on && !capable(CAP_SYS_RAWIO))
14071                 return -EPERM;
14072  
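Review bot: The `grsec_disable_privio` gate in sys_ioperm returns -EPERM before the `capable(CAP_SYS_RAWIO)` test, so when it is set even a CAP_SYS_RAWIO holder is refused and `gr_handle_ioperm()` runs first; that ordering looks intentional (deny-all takes precedence over the capability) but nothing in the hunk says so, and the same shape recurs in the sys_iopl hunk below. Suggest a one-line comment above each `#ifdef CONFIG_GRKERNSEC_IO`, e.g. `/* GRKERNSEC_IO: refuse raw port access regardless of CAP_SYS_RAWIO; gr_handle_ioperm() reports the attempt */`, adjusted if gr_handle_ioperm() does more than report. `grsec_disable_privio` and `gr_handle_ioperm` appear without a visible declaration; presumably they arrive through the `<linux/security.h>` include added in the first hunk, which is worth confirming so the build does not depend on an indirect include. sys_ioperm begins and ends outside this hunk.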
14073 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
14074          * because the ->io_bitmap_max value must match the bitmap
14075          * contents:
14076          */
14077 -       tss = &per_cpu(init_tss, get_cpu());
14078 +       tss = init_tss + get_cpu();
14079  
14080         if (turn_on)
14081                 bitmap_clear(t->io_bitmap_ptr, from, num);
14082 @@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
14083                 return -EINVAL;
14084         /* Trying to gain more privileges? */
14085         if (level > old) {
14086 +#ifdef CONFIG_GRKERNSEC_IO
14087 +               if (grsec_disable_privio) {
14088 +                       gr_handle_iopl();
14089 +                       return -EPERM;
14090 +               }
14091 +#endif
14092                 if (!capable(CAP_SYS_RAWIO))
14093                         return -EPERM;
14094         }
14095 diff -urNp linux-3.0.9/arch/x86/kernel/irq_32.c linux-3.0.9/arch/x86/kernel/irq_32.c
14096 --- linux-3.0.9/arch/x86/kernel/irq_32.c        2011-11-11 13:12:24.000000000 -0500
14097 +++ linux-3.0.9/arch/x86/kernel/irq_32.c        2011-11-15 20:02:59.000000000 -0500
14098 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
14099         __asm__ __volatile__("andl %%esp,%0" :
14100                              "=r" (sp) : "0" (THREAD_SIZE - 1));
14101  
14102 -       return sp < (sizeof(struct thread_info) + STACK_WARN);
14103 +       return sp < STACK_WARN;
14104  }
14105  
14106  static void print_stack_overflow(void)
14107 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
14108   * per-CPU IRQ handling contexts (thread information and stack)
14109   */
14110  union irq_ctx {
14111 -       struct thread_info      tinfo;
14112 -       u32                     stack[THREAD_SIZE/sizeof(u32)];
14113 +       unsigned long           previous_esp;
14114 +       u32                     stack[THREAD_SIZE/sizeof(u32)];
14115  } __attribute__((aligned(THREAD_SIZE)));
14116  
14117  static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
14118 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
14119  static inline int
14120  execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
14121  {
14122 -       union irq_ctx *curctx, *irqctx;
14123 +       union irq_ctx *irqctx;
14124         u32 *isp, arg1, arg2;
14125  
14126 -       curctx = (union irq_ctx *) current_thread_info();
14127         irqctx = __this_cpu_read(hardirq_ctx);
14128  
14129         /*
14130 @@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc
14131          * handler) we can't do that and just have to keep using the
14132          * current stack (which is the irq stack already after all)
14133          */
14134 -       if (unlikely(curctx == irqctx))
14135 +       if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
14136                 return 0;
14137  
14138         /* build the stack frame on the IRQ stack */
14139 -       isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14140 -       irqctx->tinfo.task = curctx->tinfo.task;
14141 -       irqctx->tinfo.previous_esp = current_stack_pointer;
14142 +       isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14143 +       irqctx->previous_esp = current_stack_pointer;
14144  
14145 -       /*
14146 -        * Copy the softirq bits in preempt_count so that the
14147 -        * softirq checks work in the hardirq context.
14148 -        */
14149 -       irqctx->tinfo.preempt_count =
14150 -               (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
14151 -               (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
14152 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14153 +       __set_fs(MAKE_MM_SEG(0));
14154 +#endif
14155  
14156         if (unlikely(overflow))
14157                 call_on_stack(print_stack_overflow, isp);
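Review bot: `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` relies on the negative ptrdiff_t (task stack below the IRQ stack) being converted to a large unsigned value, which only happens while THREAD_SIZE is an unsigned expression; if it ever becomes signed the test inverts and the handler would stay on the task stack. Make the intent explicit: `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` is unexplained, here and in the do_softirq hunk below; a comment naming what the top two words of the IRQ stack are reserved for would help. execute_on_irq_stack begins and ends outside this hunk.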
14158 @@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc
14159                      :  "0" (irq),   "1" (desc),  "2" (isp),
14160                         "D" (desc->handle_irq)
14161                      : "memory", "cc", "ecx");
14162 +
14163 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14164 +       __set_fs(current_thread_info()->addr_limit);
14165 +#endif
14166 +
14167         return 1;
14168  }
14169  
14170 @@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc
14171   */
14172  void __cpuinit irq_ctx_init(int cpu)
14173  {
14174 -       union irq_ctx *irqctx;
14175 -
14176         if (per_cpu(hardirq_ctx, cpu))
14177                 return;
14178  
14179 -       irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14180 -                                              THREAD_FLAGS,
14181 -                                              THREAD_ORDER));
14182 -       memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14183 -       irqctx->tinfo.cpu               = cpu;
14184 -       irqctx->tinfo.preempt_count     = HARDIRQ_OFFSET;
14185 -       irqctx->tinfo.addr_limit        = MAKE_MM_SEG(0);
14186 -
14187 -       per_cpu(hardirq_ctx, cpu) = irqctx;
14188 -
14189 -       irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14190 -                                              THREAD_FLAGS,
14191 -                                              THREAD_ORDER));
14192 -       memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14193 -       irqctx->tinfo.cpu               = cpu;
14194 -       irqctx->tinfo.addr_limit        = MAKE_MM_SEG(0);
14195 -
14196 -       per_cpu(softirq_ctx, cpu) = irqctx;
14197 +       per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14198 +       per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14199  
14200         printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
14201                cpu, per_cpu(hardirq_ctx, cpu),  per_cpu(softirq_ctx, cpu));
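Review bot: The two allocation lines at the end of irq_ctx_init run well past 80 columns and repeat the same expression; a small static helper, e.g. `static union irq_ctx *alloc_irq_ctx(int cpu) { return page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER)); }`, would keep both lines short and give one place to check the alloc_pages_node() result, which neither the old nor the new code does before page_address() dereferences it. irq_ctx_init begins outside this hunk.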
14202 @@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
14203  asmlinkage void do_softirq(void)
14204  {
14205         unsigned long flags;
14206 -       struct thread_info *curctx;
14207         union irq_ctx *irqctx;
14208         u32 *isp;
14209  
14210 @@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
14211         local_irq_save(flags);
14212  
14213         if (local_softirq_pending()) {
14214 -               curctx = current_thread_info();
14215                 irqctx = __this_cpu_read(softirq_ctx);
14216 -               irqctx->tinfo.task = curctx->task;
14217 -               irqctx->tinfo.previous_esp = current_stack_pointer;
14218 +               irqctx->previous_esp = current_stack_pointer;
14219  
14220                 /* build the stack frame on the softirq stack */
14221 -               isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14222 +               isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14223 +
14224 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14225 +               __set_fs(MAKE_MM_SEG(0));
14226 +#endif
14227  
14228                 call_on_stack(__do_softirq, isp);
14229 +
14230 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14231 +               __set_fs(current_thread_info()->addr_limit);
14232 +#endif
14233 +
14234                 /*
14235                  * Shouldn't happen, we returned above if in_interrupt():
14236                  */
14237 diff -urNp linux-3.0.9/arch/x86/kernel/irq.c linux-3.0.9/arch/x86/kernel/irq.c
14238 --- linux-3.0.9/arch/x86/kernel/irq.c   2011-11-11 13:12:24.000000000 -0500
14239 +++ linux-3.0.9/arch/x86/kernel/irq.c   2011-11-15 20:02:59.000000000 -0500
14240 @@ -17,7 +17,7 @@
14241  #include <asm/mce.h>
14242  #include <asm/hw_irq.h>
14243  
14244 -atomic_t irq_err_count;
14245 +atomic_unchecked_t irq_err_count;
14246  
14247  /* Function pointer for generic interrupt vector handling */
14248  void (*x86_platform_ipi_callback)(void) = NULL;
14249 @@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
14250                 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
14251         seq_printf(p, "  Machine check polls\n");
14252  #endif
14253 -       seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
14254 +       seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
14255  #if defined(CONFIG_X86_IO_APIC)
14256 -       seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
14257 +       seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
14258  #endif
14259         return 0;
14260  }
14261 @@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
14262  
14263  u64 arch_irq_stat(void)
14264  {
14265 -       u64 sum = atomic_read(&irq_err_count);
14266 +       u64 sum = atomic_read_unchecked(&irq_err_count);
14267  
14268  #ifdef CONFIG_X86_IO_APIC
14269 -       sum += atomic_read(&irq_mis_count);
14270 +       sum += atomic_read_unchecked(&irq_mis_count);
14271  #endif
14272         return sum;
14273  }
14274 diff -urNp linux-3.0.9/arch/x86/kernel/kgdb.c linux-3.0.9/arch/x86/kernel/kgdb.c
14275 --- linux-3.0.9/arch/x86/kernel/kgdb.c  2011-11-11 13:12:24.000000000 -0500
14276 +++ linux-3.0.9/arch/x86/kernel/kgdb.c  2011-11-15 20:02:59.000000000 -0500
14277 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem, 
14278  #ifdef CONFIG_X86_32
14279         switch (regno) {
14280         case GDB_SS:
14281 -               if (!user_mode_vm(regs))
14282 +               if (!user_mode(regs))
14283                         *(unsigned long *)mem = __KERNEL_DS;
14284                 break;
14285         case GDB_SP:
14286 -               if (!user_mode_vm(regs))
14287 +               if (!user_mode(regs))
14288                         *(unsigned long *)mem = kernel_stack_pointer(regs);
14289                 break;
14290         case GDB_GS:
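Review bot: `user_mode()` replaces `user_mode_vm()` in dbg_get_reg (and again in the kprobe_exceptions_notify hunk further down); in mainline 3.0 the two differ on 32-bit for VM86 frames, where user_mode() reports kernel mode, so a vm86 task stopped in kgdb would get the kernel SS/SP substituted. This is only correct if the patch redefines user_mode() to cover the VM86 case, which the blanket replacement suggests it does, but that dependency is invisible here; a short comment at the first use, `/* user_mode() covers VM86 frames under this patch */`, would pin it. dbg_get_reg begins and ends outside the hunk.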
14291 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
14292         case 'k':
14293                 /* clear the trace bit */
14294                 linux_regs->flags &= ~X86_EFLAGS_TF;
14295 -               atomic_set(&kgdb_cpu_doing_single_step, -1);
14296 +               atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
14297  
14298                 /* set the trace bit if we're stepping */
14299                 if (remcomInBuffer[0] == 's') {
14300                         linux_regs->flags |= X86_EFLAGS_TF;
14301 -                       atomic_set(&kgdb_cpu_doing_single_step,
14302 +                       atomic_set_unchecked(&kgdb_cpu_doing_single_step,
14303                                    raw_smp_processor_id());
14304                 }
14305  
14306 @@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
14307                 return NOTIFY_DONE;
14308  
14309         case DIE_DEBUG:
14310 -               if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
14311 +               if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
14312                         if (user_mode(regs))
14313                                 return single_step_cont(regs, args);
14314                         break;
14315 diff -urNp linux-3.0.9/arch/x86/kernel/kprobes.c linux-3.0.9/arch/x86/kernel/kprobes.c
14316 --- linux-3.0.9/arch/x86/kernel/kprobes.c       2011-11-11 13:12:24.000000000 -0500
14317 +++ linux-3.0.9/arch/x86/kernel/kprobes.c       2011-11-15 20:02:59.000000000 -0500
14318 @@ -117,8 +117,11 @@ static void __kprobes __synthesize_relat
14319         } __attribute__((packed)) *insn;
14320  
14321         insn = (struct __arch_relative_insn *)from;
14322 +
14323 +       pax_open_kernel();
14324         insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
14325         insn->op = op;
14326 +       pax_close_kernel();
14327  }
14328  
14329  /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
14330 @@ -155,7 +158,7 @@ static int __kprobes can_boost(kprobe_op
14331         kprobe_opcode_t opcode;
14332         kprobe_opcode_t *orig_opcodes = opcodes;
14333  
14334 -       if (search_exception_tables((unsigned long)opcodes))
14335 +       if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
14336                 return 0;       /* Page fault may occur on this address. */
14337  
14338  retry:
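Review bot: `can_boost()` now hands `ktva_ktla(...)` to search_exception_tables() while its caller passes `ktla_ktva(p->addr)` (arch_copy_kprobe hunk below), so — if the names mean what they suggest — the function reads the instruction bytes through the kernel-virtual alias but looks the linear address up in the exception table, and that convention is written down nowhere in these hunks. A comment on can_boost's parameter, e.g. `/* opcodes: kernel-virtual alias of the probed text; the exception table is indexed by the linear address, hence ktva_ktla() */`, would keep the next change from mixing the two. The same applies to the `ktva_ktla(... ainsn.insn)` assignments to regs->ip in the setup_singlestep and resume_execution hunks. can_boost begins and ends outside this hunk.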
14339 @@ -316,7 +319,9 @@ static int __kprobes __copy_instruction(
14340                 }
14341         }
14342         insn_get_length(&insn);
14343 +       pax_open_kernel();
14344         memcpy(dest, insn.kaddr, insn.length);
14345 +       pax_close_kernel();
14346  
14347  #ifdef CONFIG_X86_64
14348         if (insn_rip_relative(&insn)) {
14349 @@ -340,7 +345,9 @@ static int __kprobes __copy_instruction(
14350                           (u8 *) dest;
14351                 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check.  */
14352                 disp = (u8 *) dest + insn_offset_displacement(&insn);
14353 +               pax_open_kernel();
14354                 *(s32 *) disp = (s32) newdisp;
14355 +               pax_close_kernel();
14356         }
14357  #endif
14358         return insn.length;
14359 @@ -354,12 +361,12 @@ static void __kprobes arch_copy_kprobe(s
14360          */
14361         __copy_instruction(p->ainsn.insn, p->addr, 0);
14362  
14363 -       if (can_boost(p->addr))
14364 +       if (can_boost(ktla_ktva(p->addr)))
14365                 p->ainsn.boostable = 0;
14366         else
14367                 p->ainsn.boostable = -1;
14368  
14369 -       p->opcode = *p->addr;
14370 +       p->opcode = *(ktla_ktva(p->addr));
14371  }
14372  
14373  int __kprobes arch_prepare_kprobe(struct kprobe *p)
14374 @@ -476,7 +483,7 @@ static void __kprobes setup_singlestep(s
14375                  * nor set current_kprobe, because it doesn't use single
14376                  * stepping.
14377                  */
14378 -               regs->ip = (unsigned long)p->ainsn.insn;
14379 +               regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14380                 preempt_enable_no_resched();
14381                 return;
14382         }
14383 @@ -495,7 +502,7 @@ static void __kprobes setup_singlestep(s
14384         if (p->opcode == BREAKPOINT_INSTRUCTION)
14385                 regs->ip = (unsigned long)p->addr;
14386         else
14387 -               regs->ip = (unsigned long)p->ainsn.insn;
14388 +               regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14389  }
14390  
14391  /*
14392 @@ -574,7 +581,7 @@ static int __kprobes kprobe_handler(stru
14393                                 setup_singlestep(p, regs, kcb, 0);
14394                         return 1;
14395                 }
14396 -       } else if (*addr != BREAKPOINT_INSTRUCTION) {
14397 +       } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
14398                 /*
14399                  * The breakpoint instruction was removed right
14400                  * after we hit it.  Another cpu has removed
14401 @@ -682,6 +689,9 @@ static void __used __kprobes kretprobe_t
14402                         "       movq %rax, 152(%rsp)\n"
14403                         RESTORE_REGS_STRING
14404                         "       popfq\n"
14405 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
14406 +                       "       btsq $63,(%rsp)\n"
14407 +#endif
14408  #else
14409                         "       pushf\n"
14410                         SAVE_REGS_STRING
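Review bot: `btsq $63,(%rsp)` under CONFIG_PAX_KERNEXEC_PLUGIN is a bare magic bit in inline asm with no comment; presumably it re-sets the top bit of the saved return address that the plugin strips before the trampoline returns, but a reader cannot tell that from here. Suggest `/* KERNEXEC plugin: restore bit 63 of the saved return address before the return consumes it */` beside it, worded to match what the plugin actually does. The trampoline's asm string begins and ends outside this hunk.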
14411 @@ -819,7 +829,7 @@ static void __kprobes resume_execution(s
14412                 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
14413  {
14414         unsigned long *tos = stack_addr(regs);
14415 -       unsigned long copy_ip = (unsigned long)p->ainsn.insn;
14416 +       unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
14417         unsigned long orig_ip = (unsigned long)p->addr;
14418         kprobe_opcode_t *insn = p->ainsn.insn;
14419  
14420 @@ -1001,7 +1011,7 @@ int __kprobes kprobe_exceptions_notify(s
14421         struct die_args *args = data;
14422         int ret = NOTIFY_DONE;
14423  
14424 -       if (args->regs && user_mode_vm(args->regs))
14425 +       if (args->regs && user_mode(args->regs))
14426                 return ret;
14427  
14428         switch (val) {
14429 @@ -1383,7 +1393,7 @@ int __kprobes arch_prepare_optimized_kpr
14430          * Verify if the address gap is in 2GB range, because this uses
14431          * a relative jump.
14432          */
14433 -       rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
14434 +       rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
14435         if (abs(rel) > 0x7fffffff)
14436                 return -ERANGE;
14437  
14438 @@ -1404,11 +1414,11 @@ int __kprobes arch_prepare_optimized_kpr
14439         synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
14440  
14441         /* Set probe function call */
14442 -       synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
14443 +       synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
14444  
14445         /* Set returning jmp instruction at the tail of out-of-line buffer */
14446         synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
14447 -                          (u8 *)op->kp.addr + op->optinsn.size);
14448 +                          (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
14449  
14450         flush_icache_range((unsigned long) buf,
14451                            (unsigned long) buf + TMPL_END_IDX +
14452 @@ -1430,7 +1440,7 @@ static void __kprobes setup_optimize_kpr
14453                         ((long)op->kp.addr + RELATIVEJUMP_SIZE));
14454  
14455         /* Backup instructions which will be replaced by jump address */
14456 -       memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
14457 +       memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
14458                RELATIVE_ADDR_SIZE);
14459  
14460         insn_buf[0] = RELATIVEJUMP_OPCODE;
14461 diff -urNp linux-3.0.9/arch/x86/kernel/kvm.c linux-3.0.9/arch/x86/kernel/kvm.c
14462 --- linux-3.0.9/arch/x86/kernel/kvm.c   2011-11-11 13:12:24.000000000 -0500
14463 +++ linux-3.0.9/arch/x86/kernel/kvm.c   2011-11-15 20:02:59.000000000 -0500
14464 @@ -426,6 +426,7 @@ static void __init paravirt_ops_setup(vo
14465                 pv_mmu_ops.set_pud = kvm_set_pud;
14466  #if PAGETABLE_LEVELS == 4
14467                 pv_mmu_ops.set_pgd = kvm_set_pgd;
14468 +               pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
14469  #endif
14470  #endif
14471                 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
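Review bot: `pv_mmu_ops.set_pgd_batched = kvm_set_pgd;` reuses the single-entry hook for the batched one without saying whether that is deliberate, so a reader will wonder whether a batched variant was forgotten. If KVM has no batching optimisation, record it: `/* no batched variant on KVM: reuse the per-entry hook */`. Note also that this store runs from paravirt_ops_setup() while the paravirt.c hunks of this same patch mark pv_mmu_ops `__read_only`, so it has to execute before that section is sealed; the ordering is not visible here and deserves a comment.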
14472 diff -urNp linux-3.0.9/arch/x86/kernel/ldt.c linux-3.0.9/arch/x86/kernel/ldt.c
14473 --- linux-3.0.9/arch/x86/kernel/ldt.c   2011-11-11 13:12:24.000000000 -0500
14474 +++ linux-3.0.9/arch/x86/kernel/ldt.c   2011-11-15 20:02:59.000000000 -0500
14475 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
14476         if (reload) {
14477  #ifdef CONFIG_SMP
14478                 preempt_disable();
14479 -               load_LDT(pc);
14480 +               load_LDT_nolock(pc);
14481                 if (!cpumask_equal(mm_cpumask(current->mm),
14482                                    cpumask_of(smp_processor_id())))
14483                         smp_call_function(flush_ldt, current->mm, 1);
14484                 preempt_enable();
14485  #else
14486 -               load_LDT(pc);
14487 +               load_LDT_nolock(pc);
14488  #endif
14489         }
14490         if (oldsize) {
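Review bot: `load_LDT_nolock(pc)` is substituted on both the SMP and UP branches, but nothing in the hunk records which lock the caller is expected to hold, and the prototype of alloc_ldt (outside the hunk) carries no annotation. A line such as `/* caller holds mm->context.lock */` — the lock that init_new_context releases a few hunks down — or a `lockdep_assert_held()` if that helper is available in this tree, makes the contract checkable instead of implied by the function name. Without it a future caller can reach the unlocked variant without the lock.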
14491 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t 
14492                 return err;
14493  
14494         for (i = 0; i < old->size; i++)
14495 -               write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
14496 +               write_ldt_entry(new->ldt, i, old->ldt + i);
14497         return 0;
14498  }
14499  
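Review bot: `write_ldt_entry(new->ldt, i, old->ldt + i)` is only correct if `old->ldt` now has the element type of an LDT descriptor so that `+ i` advances one entry; the previous `i * LDT_ENTRY_SIZE` stride was for an untyped pointer. That type change has to live in the mm_context_t definition, which is outside this chunk, so the two should be reviewed together — if `ldt` stays `void *` or `char *` this loop silently copies overlapping fragments of descriptors. A comment at the loop, `/* ldt is a typed descriptor array: pointer arithmetic is per entry */`, ties the two hunks.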
14500 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct 
14501                 retval = copy_ldt(&mm->context, &old_mm->context);
14502                 mutex_unlock(&old_mm->context.lock);
14503         }
14504 +
14505 +       if (tsk == current) {
14506 +               mm->context.vdso = 0;
14507 +
14508 +#ifdef CONFIG_X86_32
14509 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14510 +               mm->context.user_cs_base = 0UL;
14511 +               mm->context.user_cs_limit = ~0UL;
14512 +
14513 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
14514 +               cpus_clear(mm->context.cpu_user_cs_mask);
14515 +#endif
14516 +
14517 +#endif
14518 +#endif
14519 +
14520 +       }
14521 +
14522         return retval;
14523  }
14524  
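Review bot: The reset of `mm->context.vdso`, `user_cs_base`/`user_cs_limit` and `cpu_user_cs_mask` is executed only inside `if (tsk == current)`, so for any other task the new mm keeps whatever those fields held after allocation and after copy_ldt ran. If that is intentional (the non-current case never reaching exec, or the fields being zeroed elsewhere), a comment above the guard should say so; otherwise the guard is better dropped so the defaults are always established. The block also runs regardless of `retval`, which is harmless but worth a word. The three nested `#ifdef`s separated by blank lines read awkwardly; one `#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))` would be clearer.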
14525 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
14526                 }
14527         }
14528  
14529 +#ifdef CONFIG_PAX_SEGMEXEC
14530 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
14531 +               error = -EINVAL;
14532 +               goto out_unlock;
14533 +       }
14534 +#endif
14535 +
14536         fill_ldt(&ldt, &ldt_info);
14537         if (oldmode)
14538                 ldt.avl = 0;
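Review bot: The SEGMEXEC check inserted before `fill_ldt()` returns -EINVAL for a code descriptor, which makes a policy refusal indistinguishable from the malformed-descriptor errors write_ldt already returns; -EPERM, or at least a comment explaining the choice, would let userspace and logs tell the two apart. The check also lacks a why-comment — something like `/* SEGMEXEC: user-defined code segments in the LDT are not permitted */`, with the underlying reason (presumably that such a descriptor could cover the data half of the split address space — confirm) stated if it is certain. The `out_unlock` label and the lock it releases lie outside the hunk.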
14539 diff -urNp linux-3.0.9/arch/x86/kernel/machine_kexec_32.c linux-3.0.9/arch/x86/kernel/machine_kexec_32.c
14540 --- linux-3.0.9/arch/x86/kernel/machine_kexec_32.c      2011-11-11 13:12:24.000000000 -0500
14541 +++ linux-3.0.9/arch/x86/kernel/machine_kexec_32.c      2011-11-15 20:02:59.000000000 -0500
14542 @@ -27,7 +27,7 @@
14543  #include <asm/cacheflush.h>
14544  #include <asm/debugreg.h>
14545  
14546 -static void set_idt(void *newidt, __u16 limit)
14547 +static void set_idt(struct desc_struct *newidt, __u16 limit)
14548  {
14549         struct desc_ptr curidt;
14550  
14551 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16 
14552  }
14553  
14554  
14555 -static void set_gdt(void *newgdt, __u16 limit)
14556 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
14557  {
14558         struct desc_ptr curgdt;
14559  
14560 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
14561         }
14562  
14563         control_page = page_address(image->control_code_page);
14564 -       memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
14565 +       memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
14566  
14567         relocate_kernel_ptr = control_page;
14568         page_list[PA_CONTROL_PAGE] = __pa(control_page);
14569 diff -urNp linux-3.0.9/arch/x86/kernel/microcode_intel.c linux-3.0.9/arch/x86/kernel/microcode_intel.c
14570 --- linux-3.0.9/arch/x86/kernel/microcode_intel.c       2011-11-11 13:12:24.000000000 -0500
14571 +++ linux-3.0.9/arch/x86/kernel/microcode_intel.c       2011-11-15 20:02:59.000000000 -0500
14572 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
14573  
14574  static int get_ucode_user(void *to, const void *from, size_t n)
14575  {
14576 -       return copy_from_user(to, from, n);
14577 +       return copy_from_user(to, (const void __force_user *)from, n);
14578  }
14579  
14580  static enum ucode_state
14581  request_microcode_user(int cpu, const void __user *buf, size_t size)
14582  {
14583 -       return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
14584 +       return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
14585  }
14586  
14587  static void microcode_fini_cpu(int cpu)
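Review bot: `get_ucode_user()` still declares `from` as a plain `const void *` and the new `(const void __force_user *)from` cast launders it back into a user pointer, while `request_microcode_user()` does the reverse with `(__force_kernel void *)buf`; the address-space information is dropped at one site and re-asserted at another with nothing saying the two must agree. Since the same callback type presumably also serves a kernel-memory (firmware) loader, a comment on get_ucode_user such as `/* 'from' is really a __user pointer carried through the generic callback type */` records why the __force is safe here. The narrowing of copy_from_user's unsigned long result to int is pre-existing but worth keeping in mind wherever the callers test it.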
14588 diff -urNp linux-3.0.9/arch/x86/kernel/module.c linux-3.0.9/arch/x86/kernel/module.c
14589 --- linux-3.0.9/arch/x86/kernel/module.c        2011-11-11 13:12:24.000000000 -0500
14590 +++ linux-3.0.9/arch/x86/kernel/module.c        2011-11-15 20:02:59.000000000 -0500
14591 @@ -36,21 +36,66 @@
14592  #define DEBUGP(fmt...)
14593  #endif
14594  
14595 -void *module_alloc(unsigned long size)
14596 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
14597  {
14598         if (PAGE_ALIGN(size) > MODULES_LEN)
14599                 return NULL;
14600         return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
14601 -                               GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
14602 +                               GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
14603                                 -1, __builtin_return_address(0));
14604  }
14605  
14606 +void *module_alloc(unsigned long size)
14607 +{
14608 +
14609 +#ifdef CONFIG_PAX_KERNEXEC
14610 +       return __module_alloc(size, PAGE_KERNEL);
14611 +#else
14612 +       return __module_alloc(size, PAGE_KERNEL_EXEC);
14613 +#endif
14614 +
14615 +}
14616 +
14617  /* Free memory returned from module_alloc */
14618  void module_free(struct module *mod, void *module_region)
14619  {
14620         vfree(module_region);
14621  }
14622  
14623 +#ifdef CONFIG_PAX_KERNEXEC
14624 +#ifdef CONFIG_X86_32
14625 +void *module_alloc_exec(unsigned long size)
14626 +{
14627 +       struct vm_struct *area;
14628 +
14629 +       if (size == 0)
14630 +               return NULL;
14631 +
14632 +       area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
14633 +       return area ? area->addr : NULL;
14634 +}
14635 +EXPORT_SYMBOL(module_alloc_exec);
14636 +
14637 +void module_free_exec(struct module *mod, void *module_region)
14638 +{
14639 +       vunmap(module_region);
14640 +}
14641 +EXPORT_SYMBOL(module_free_exec);
14642 +#else
14643 +void module_free_exec(struct module *mod, void *module_region)
14644 +{
14645 +       module_free(mod, module_region);
14646 +}
14647 +EXPORT_SYMBOL(module_free_exec);
14648 +
14649 +void *module_alloc_exec(unsigned long size)
14650 +{
14651 +       return __module_alloc(size, PAGE_KERNEL_RX);
14652 +}
14653 +EXPORT_SYMBOL(module_alloc_exec);
14654 +#endif
14655 +#endif
14656 +
14657  /* We don't need anything special. */
14658  int module_frob_arch_sections(Elf_Ehdr *hdr,
14659                               Elf_Shdr *sechdrs,
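Review bot: The 32-bit `module_alloc_exec()` only reserves address space with `__get_vm_area()` and returns `area->addr` without backing pages, and its `module_free_exec()` pairs it with `vunmap()`, whereas the 64-bit pair is a real `__module_alloc(size, PAGE_KERNEL_RX)`/`module_free()`; neither variant carries a comment stating this asymmetry or who populates the 32-bit area. A header comment on each — e.g. `/* X86_32 KERNEXEC: reserve a range in the dedicated exec window; the loader maps pages into it, so release with vunmap() */` — would stop someone "fixing" the vunmap into a vfree. The 32-bit variant also drops the `PAGE_ALIGN(size) > MODULES_LEN` style limit that `__module_alloc()` keeps, leaving the size bound to __get_vm_area failing. Under CONFIG_PAX_KERNEXEC `module_alloc()` now hands out non-executable PAGE_KERNEL memory, so all module text is expected to come from module_alloc_exec(); that invariant is the security property here and should be stated at module_alloc().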
14660 @@ -70,14 +115,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14661         unsigned int i;
14662         Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
14663         Elf32_Sym *sym;
14664 -       uint32_t *location;
14665 +       uint32_t *plocation, location;
14666  
14667         DEBUGP("Applying relocate section %u to %u\n", relsec,
14668                sechdrs[relsec].sh_info);
14669         for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
14670                 /* This is where to make the change */
14671 -               location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
14672 -                       + rel[i].r_offset;
14673 +               plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
14674 +               location = (uint32_t)plocation;
14675 +               if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
14676 +                       plocation = ktla_ktva((void *)plocation);
14677                 /* This is the symbol it is referring to.  Note that all
14678                    undefined symbols have been resolved.  */
14679                 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
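Review bot: The two variables introduced here — `plocation`, the address actually written, and `location`, the untranslated address kept as a `uint32_t` — are only distinguishable by reading the R_386_PC32 case in the next hunk, where `location` is subtracted to form the PC-relative value. A comment at the declaration, `/* location: run-time address used for PC-relative fixups; plocation: where to write (translated when the section is executable) */`, makes the split intelligible. The `SHF_EXECINSTR` test is evaluated once per relocation although it depends only on the target section and could be hoisted out of the loop; apply_relocate starts outside the hunk.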
14680 @@ -86,11 +133,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14681                 switch (ELF32_R_TYPE(rel[i].r_info)) {
14682                 case R_386_32:
14683                         /* We add the value into the location given */
14684 -                       *location += sym->st_value;
14685 +                       pax_open_kernel();
14686 +                       *plocation += sym->st_value;
14687 +                       pax_close_kernel();
14688                         break;
14689                 case R_386_PC32:
14690                         /* Add the value, subtract its postition */
14691 -                       *location += sym->st_value - (uint32_t)location;
14692 +                       pax_open_kernel();
14693 +                       *plocation += sym->st_value - location;
14694 +                       pax_close_kernel();
14695                         break;
14696                 default:
14697                         printk(KERN_ERR "module %s: Unknown relocation: %u\n",
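Review bot: The `pax_open_kernel(); *plocation ...; pax_close_kernel();` triplet is repeated for each relocation type here and six more times in the apply_relocate_add hunk that follows, which invites a case that forgets one side of the pair. A small static helper that performs a single guarded store keeps the open window identical (one word) while making the pattern impossible to get half right; the read-back overflow checks in apply_relocate_add stay as they are since they only read. Sketch for the 32-bit file below; the 64-bit file would want u64/s32 variants.
```c
/* Write one relocated word through the KERNEXEC window; keeps the open window to a single store. */
static inline void pax_write_u32(uint32_t *loc, uint32_t val)
{
	pax_open_kernel();
	*loc = val;
	pax_close_kernel();
}
/* … unchanged: apply_relocate loop … */
		case R_386_32:
			pax_write_u32(plocation, *plocation + sym->st_value);
			break;
		case R_386_PC32:
			pax_write_u32(plocation, *plocation + sym->st_value - location);
			break;
```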
14698 @@ -146,21 +197,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
14699                 case R_X86_64_NONE:
14700                         break;
14701                 case R_X86_64_64:
14702 +                       pax_open_kernel();
14703                         *(u64 *)loc = val;
14704 +                       pax_close_kernel();
14705                         break;
14706                 case R_X86_64_32:
14707 +                       pax_open_kernel();
14708                         *(u32 *)loc = val;
14709 +                       pax_close_kernel();
14710                         if (val != *(u32 *)loc)
14711                                 goto overflow;
14712                         break;
14713                 case R_X86_64_32S:
14714 +                       pax_open_kernel();
14715                         *(s32 *)loc = val;
14716 +                       pax_close_kernel();
14717                         if ((s64)val != *(s32 *)loc)
14718                                 goto overflow;
14719                         break;
14720                 case R_X86_64_PC32:
14721                         val -= (u64)loc;
14722 +                       pax_open_kernel();
14723                         *(u32 *)loc = val;
14724 +                       pax_close_kernel();
14725 +
14726  #if 0
14727                         if ((s64)val != *(s32 *)loc)
14728                                 goto overflow;
14729 diff -urNp linux-3.0.9/arch/x86/kernel/paravirt.c linux-3.0.9/arch/x86/kernel/paravirt.c
14730 --- linux-3.0.9/arch/x86/kernel/paravirt.c      2011-11-11 13:12:24.000000000 -0500
14731 +++ linux-3.0.9/arch/x86/kernel/paravirt.c      2011-11-15 20:02:59.000000000 -0500
14732 @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
14733  {
14734         return x;
14735  }
14736 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14737 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
14738 +#endif
14739  
14740  void __init default_banner(void)
14741  {
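Review bot: `PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64)` is emitted for the X86_32+PAE case with no comment, and its purpose only becomes clear two hunks later where PTE_IDENT for PAE switches from `__PV_IS_CALLEE_SAVE(...)` to `PV_CALLEE_SAVE(_paravirt_ident_64)` and paravirt_patch_default learns to recognise `__raw_callee_save__paravirt_ident_64`. A line above the `#if` — `/* PAE: the 64-bit pte identity op needs a real callee-save thunk; PTE_IDENT and paravirt_patch_default refer to it */` — links the three sites so they are kept in step. Why a plain C function is not sufficient for a 64-bit return on 32-bit is inferred from the hunk rather than shown, so confirm before wording the comment.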
14742 @@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
14743   * corresponding structure. */
14744  static void *get_call_destination(u8 type)
14745  {
14746 -       struct paravirt_patch_template tmpl = {
14747 +       const struct paravirt_patch_template tmpl = {
14748                 .pv_init_ops = pv_init_ops,
14749                 .pv_time_ops = pv_time_ops,
14750                 .pv_cpu_ops = pv_cpu_ops,
14751 @@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ
14752                 .pv_lock_ops = pv_lock_ops,
14753  #endif
14754         };
14755 +
14756 +       pax_track_stack();
14757 +
14758         return *((void **)&tmpl + type);
14759  }
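Review bot: `return *((void **)&tmpl + type);` indexes the on-stack copy of every pv_*_ops table with `type` and no bounds check, and this hunk adds `pax_track_stack()` on that frame without saying why. Since the function is being touched anyway, a `BUG_ON(type >= sizeof(tmpl) / sizeof(void *));` before the return is cheap insurance unless every caller already validates `type` (not visible here), and a comment `/* tmpl is a large stack copy of all ops tables — hence pax_track_stack() */` would explain the new call. Reading the `const` object through a `void **` cast is pre-existing.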
14760  
14761 @@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type,
14762         if (opfunc == NULL)
14763                 /* If there's no function, patch it with a ud2a (BUG) */
14764                 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
14765 -       else if (opfunc == _paravirt_nop)
14766 +       else if (opfunc == (void *)_paravirt_nop)
14767                 /* If the operation is a nop, then nop the callsite */
14768                 ret = paravirt_patch_nop();
14769  
14770         /* identity functions just return their single argument */
14771 -       else if (opfunc == _paravirt_ident_32)
14772 +       else if (opfunc == (void *)_paravirt_ident_32)
14773                 ret = paravirt_patch_ident_32(insnbuf, len);
14774 -       else if (opfunc == _paravirt_ident_64)
14775 +       else if (opfunc == (void *)_paravirt_ident_64)
14776                 ret = paravirt_patch_ident_64(insnbuf, len);
14777 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14778 +       else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
14779 +               ret = paravirt_patch_ident_64(insnbuf, len);
14780 +#endif
14781  
14782         else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
14783                  type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
14784 @@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn
14785         if (insn_len > len || start == NULL)
14786                 insn_len = len;
14787         else
14788 -               memcpy(insnbuf, start, insn_len);
14789 +               memcpy(insnbuf, ktla_ktva(start), insn_len);
14790  
14791         return insn_len;
14792  }
14793 @@ -294,22 +304,22 @@ void arch_flush_lazy_mmu_mode(void)
14794         preempt_enable();
14795  }
14796  
14797 -struct pv_info pv_info = {
14798 +struct pv_info pv_info __read_only = {
14799         .name = "bare hardware",
14800         .paravirt_enabled = 0,
14801         .kernel_rpl = 0,
14802         .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
14803  };
14804  
14805 -struct pv_init_ops pv_init_ops = {
14806 +struct pv_init_ops pv_init_ops __read_only = {
14807         .patch = native_patch,
14808  };
14809  
14810 -struct pv_time_ops pv_time_ops = {
14811 +struct pv_time_ops pv_time_ops __read_only = {
14812         .sched_clock = native_sched_clock,
14813  };
14814  
14815 -struct pv_irq_ops pv_irq_ops = {
14816 +struct pv_irq_ops pv_irq_ops __read_only = {
14817         .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
14818         .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
14819         .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
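Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops`, `pv_irq_ops` (and `pv_cpu_ops`, `pv_apic_ops`, `pv_mmu_ops` in the following hunks plus `pv_lock_ops` in paravirt-spinlocks.c) `__read_only` is a sound hardening step against function-pointer overwrites, but it creates an ordering requirement the hunks do not state: every run-time writer of these tables — the `pv_mmu_ops.set_pgd_batched = kvm_set_pgd` store in this patch's kvm.c hunk, and any hypervisor setup code — must run before the section is sealed or wrap the store in `pax_open_kernel()`/`pax_close_kernel()`. A comment at the first definition, e.g. `/* __read_only: writable only during early init; hypervisor setup must patch these before the section is sealed */`, documents the contract; a late write would otherwise fault at runtime rather than be caught at review. When sealing happens is not visible in this chunk.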
14820 @@ -321,7 +331,7 @@ struct pv_irq_ops pv_irq_ops = {
14821  #endif
14822  };
14823  
14824 -struct pv_cpu_ops pv_cpu_ops = {
14825 +struct pv_cpu_ops pv_cpu_ops __read_only = {
14826         .cpuid = native_cpuid,
14827         .get_debugreg = native_get_debugreg,
14828         .set_debugreg = native_set_debugreg,
14829 @@ -382,21 +392,26 @@ struct pv_cpu_ops pv_cpu_ops = {
14830         .end_context_switch = paravirt_nop,
14831  };
14832  
14833 -struct pv_apic_ops pv_apic_ops = {
14834 +struct pv_apic_ops pv_apic_ops __read_only = {
14835  #ifdef CONFIG_X86_LOCAL_APIC
14836         .startup_ipi_hook = paravirt_nop,
14837  #endif
14838  };
14839  
14840 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
14841 +#ifdef CONFIG_X86_32
14842 +#ifdef CONFIG_X86_PAE
14843 +/* 64-bit pagetable entries */
14844 +#define PTE_IDENT      PV_CALLEE_SAVE(_paravirt_ident_64)
14845 +#else
14846  /* 32-bit pagetable entries */
14847  #define PTE_IDENT      __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
14848 +#endif
14849  #else
14850  /* 64-bit pagetable entries */
14851  #define PTE_IDENT      __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
14852  #endif
14853  
14854 -struct pv_mmu_ops pv_mmu_ops = {
14855 +struct pv_mmu_ops pv_mmu_ops __read_only = {
14856  
14857         .read_cr2 = native_read_cr2,
14858         .write_cr2 = native_write_cr2,
14859 @@ -446,6 +461,7 @@ struct pv_mmu_ops pv_mmu_ops = {
14860         .make_pud = PTE_IDENT,
14861  
14862         .set_pgd = native_set_pgd,
14863 +       .set_pgd_batched = native_set_pgd_batched,
14864  #endif
14865  #endif /* PAGETABLE_LEVELS >= 3 */
14866  
14867 @@ -465,6 +481,12 @@ struct pv_mmu_ops pv_mmu_ops = {
14868         },
14869  
14870         .set_fixmap = native_set_fixmap,
14871 +
14872 +#ifdef CONFIG_PAX_KERNEXEC
14873 +       .pax_open_kernel = native_pax_open_kernel,
14874 +       .pax_close_kernel = native_pax_close_kernel,
14875 +#endif
14876 +
14877  };
14878  
14879  EXPORT_SYMBOL_GPL(pv_time_ops);
14880 diff -urNp linux-3.0.9/arch/x86/kernel/paravirt-spinlocks.c linux-3.0.9/arch/x86/kernel/paravirt-spinlocks.c
14881 --- linux-3.0.9/arch/x86/kernel/paravirt-spinlocks.c    2011-11-11 13:12:24.000000000 -0500
14882 +++ linux-3.0.9/arch/x86/kernel/paravirt-spinlocks.c    2011-11-15 20:02:59.000000000 -0500
14883 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t 
14884         arch_spin_lock(lock);
14885  }
14886  
14887 -struct pv_lock_ops pv_lock_ops = {
14888 +struct pv_lock_ops pv_lock_ops __read_only = {
14889  #ifdef CONFIG_SMP
14890         .spin_is_locked = __ticket_spin_is_locked,
14891         .spin_is_contended = __ticket_spin_is_contended,
14892 diff -urNp linux-3.0.9/arch/x86/kernel/pci-iommu_table.c linux-3.0.9/arch/x86/kernel/pci-iommu_table.c
14893 --- linux-3.0.9/arch/x86/kernel/pci-iommu_table.c       2011-11-11 13:12:24.000000000 -0500
14894 +++ linux-3.0.9/arch/x86/kernel/pci-iommu_table.c       2011-11-15 20:02:59.000000000 -0500
14895 @@ -2,7 +2,7 @@
14896  #include <asm/iommu_table.h>
14897  #include <linux/string.h>
14898  #include <linux/kallsyms.h>
14899 -
14900 +#include <linux/sched.h>
14901  
14902  #define DEBUG 1
14903  
14904 @@ -51,6 +51,8 @@ void __init check_iommu_entries(struct i
14905  {
14906         struct iommu_table_entry *p, *q, *x;
14907  
14908 +       pax_track_stack();
14909 +
14910         /* Simple cyclic dependency checker. */
14911         for (p = start; p < finish; p++) {
14912                 q = find_dependents_of(start, finish, p);
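Review bot: The `pax_track_stack();` inserted at the top of check_iommu_entries() has no comment, and the three pointer locals visible in the hunk do not explain why this function needs it, so a reader cannot tell whether it is required or copied from get_call_destination in paravirt.c. If it is there for a large frame further down the function, say so: `/* large on-stack state below — account for it */`; if it is not needed, drop it together with the `<linux/sched.h>` include apparently added for it in the previous hunk. The rest of the function lies outside the hunk.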
14913 diff -urNp linux-3.0.9/arch/x86/kernel/process_32.c linux-3.0.9/arch/x86/kernel/process_32.c
14914 --- linux-3.0.9/arch/x86/kernel/process_32.c    2011-11-11 13:12:24.000000000 -0500
14915 +++ linux-3.0.9/arch/x86/kernel/process_32.c    2011-11-15 20:02:59.000000000 -0500
14916 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
14917  unsigned long thread_saved_pc(struct task_struct *tsk)
14918  {
14919         return ((unsigned long *)tsk->thread.sp)[3];
14920 +//XXX  return tsk->thread.eip;
14921  }
14922  
14923  #ifndef CONFIG_SMP
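Review bot: The added `//XXX  return tsk->thread.eip;` is commented-out code placed after the live `return`, so it can never be reached and tells the next reader nothing about what is wrong with the `[3]` stack-slot lookup; it is also stale, since this tree's field is `thread.ip` (copy_thread in the same file assigns `p->thread.ip`). Either remove it or replace it with a real note, e.g. `/* TODO: the [3] lookup assumes the __switch_to frame layout; consider tsk->thread.ip if it is kept current */` — wording to be confirmed against the actual intent.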
14924 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
14925         unsigned long sp;
14926         unsigned short ss, gs;
14927  
14928 -       if (user_mode_vm(regs)) {
14929 +       if (user_mode(regs)) {
14930                 sp = regs->sp;
14931                 ss = regs->ss & 0xffff;
14932 -               gs = get_user_gs(regs);
14933         } else {
14934                 sp = kernel_stack_pointer(regs);
14935                 savesegment(ss, ss);
14936 -               savesegment(gs, gs);
14937         }
14938 +       gs = get_user_gs(regs);
14939  
14940         show_regs_common();
14941  
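Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` here (and in ptrace.c's fill_sigtrap_info and the kprobes notifier at the top of this chunk) changes what counts as a user frame on 32-bit unless user_mode() itself is redefined elsewhere in the patch: in the stock tree user_mode_vm() also accepts vm86 frames while user_mode() looks only at the CS RPL, so a vm86 task's registers would be shown as a kernel frame. The new pax_randomize_kstack() still tests `v8086_mode(regs)`, so vm86 evidently remains supported; confirm the redefinition and mention it in the commit message. Separately, `gs = get_user_gs(regs);` is now also taken on the kernel-mode path where `savesegment(gs, gs)` used to read the live register; that is only equivalent if kernel frames always carry a valid saved gs, which the kernel_thread() hunk (`savesegment(gs, regs.gs)`) seems to arrange — a comment here would save the cross-reference.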
14942 @@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
14943         struct task_struct *tsk;
14944         int err;
14945  
14946 -       childregs = task_pt_regs(p);
14947 +       childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
14948         *childregs = *regs;
14949         childregs->ax = 0;
14950         childregs->sp = sp;
14951  
14952         p->thread.sp = (unsigned long) childregs;
14953         p->thread.sp0 = (unsigned long) (childregs+1);
14954 +       p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
14955  
14956         p->thread.ip = (unsigned long) ret_from_fork;
14957  
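Review bot: `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` open-codes the top-of-stack layout with a bare `8`, and the same layout recurs as `16` in process_64.c's copy_thread and as `THREAD_SIZE-16-sizeof(u64)` twice in its get_wchan; the replaced `task_pt_regs(p)` kept this in one place. A named per-arch constant (defined next to THREAD_SIZE, name to be chosen) used by copy_thread, get_wchan and whatever now defines task_pt_regs would keep the sites from drifting — and get_wchan's bound is what keeps its frame walk inside the stack page, so drift there is a memory-safety issue, not a cosmetic one. The `p->tinfo.lowest_stack` store (and `current_tinfo` in __switch_to) relies on a `tinfo` member of task_struct defined outside this chunk.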
14958 @@ -292,7 +293,7 @@ __switch_to(struct task_struct *prev_p, 
14959         struct thread_struct *prev = &prev_p->thread,
14960                                  *next = &next_p->thread;
14961         int cpu = smp_processor_id();
14962 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
14963 +       struct tss_struct *tss = init_tss + cpu;
14964         fpu_switch_t fpu;
14965  
14966         /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
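Review bot: `struct tss_struct *tss = init_tss + cpu;` in place of `&per_cpu(init_tss, cpu)` — here, in process_64.c's __switch_to, process.c's exit_thread and in pax_randomize_kstack's `load_sp0(init_tss + smp_processor_id(), thread)` — is only correct if `init_tss` has been turned from a per-cpu variable into a flat array indexed by cpu number, a definition change outside this chunk. The four sites depend on it silently; a comment at the first, `/* init_tss is a flat per-cpu-indexed array, not a per-cpu variable */`, or better a small `tss_for_cpu(cpu)` style accessor, makes the dependency explicit and gives one place to adjust if the layout changes again.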
14967 @@ -327,6 +328,10 @@ __switch_to(struct task_struct *prev_p, 
14968          */
14969         lazy_save_gs(prev->gs);
14970  
14971 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14972 +       __set_fs(task_thread_info(next_p)->addr_limit);
14973 +#endif
14974 +
14975         /*
14976          * Load the per-thread Thread-Local Storage descriptor.
14977          */
14978 @@ -362,6 +367,9 @@ __switch_to(struct task_struct *prev_p, 
14979          */
14980         arch_end_context_switch(next_p);
14981  
14982 +       percpu_write(current_task, next_p);
14983 +       percpu_write(current_tinfo, &next_p->tinfo);
14984 +
14985         /*
14986          * Restore %gs if needed (which is common)
14987          */
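Review bot: `percpu_write(current_task, next_p);` moves from after the `lazy_load_gs(next->gs)` reload (the deletion in the next hunk) to before it, alongside the new `percpu_write(current_tinfo, &next_p->tinfo);`, so `current` now changes while %gs still holds the previous task's selector. On 32-bit that only matters if something between the two points reads `current` or per-cpu state through %gs; the kernel_thread hunk dropping `__KERNEL_STACK_CANARY` suggests gs no longer plays that role under this patch, but the reasoning should be written down, e.g. `/* switch current/current_tinfo before gs is reloaded: <reason> */`. The function starts and ends outside this hunk.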
14988 @@ -371,8 +379,6 @@ __switch_to(struct task_struct *prev_p, 
14989         if (prev->gs | next->gs)
14990                 lazy_load_gs(next->gs);
14991  
14992 -       percpu_write(current_task, next_p);
14993 -
14994         return prev_p;
14995  }
14996  
14997 @@ -402,4 +408,3 @@ unsigned long get_wchan(struct task_stru
14998         } while (count++ < 16);
14999         return 0;
15000  }
15001 -
15002 diff -urNp linux-3.0.9/arch/x86/kernel/process_64.c linux-3.0.9/arch/x86/kernel/process_64.c
15003 --- linux-3.0.9/arch/x86/kernel/process_64.c    2011-11-11 13:12:24.000000000 -0500
15004 +++ linux-3.0.9/arch/x86/kernel/process_64.c    2011-11-15 20:02:59.000000000 -0500
15005 @@ -87,7 +87,7 @@ static void __exit_idle(void)
15006  void exit_idle(void)
15007  {
15008         /* idle loop has pid 0 */
15009 -       if (current->pid)
15010 +       if (task_pid_nr(current))
15011                 return;
15012         __exit_idle();
15013  }
15014 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
15015         struct pt_regs *childregs;
15016         struct task_struct *me = current;
15017  
15018 -       childregs = ((struct pt_regs *)
15019 -                       (THREAD_SIZE + task_stack_page(p))) - 1;
15020 +       childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
15021         *childregs = *regs;
15022  
15023         childregs->ax = 0;
15024 @@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
15025         p->thread.sp = (unsigned long) childregs;
15026         p->thread.sp0 = (unsigned long) (childregs+1);
15027         p->thread.usersp = me->thread.usersp;
15028 +       p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15029  
15030         set_tsk_thread_flag(p, TIF_FORK);
15031  
15032 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p, 
15033         struct thread_struct *prev = &prev_p->thread;
15034         struct thread_struct *next = &next_p->thread;
15035         int cpu = smp_processor_id();
15036 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
15037 +       struct tss_struct *tss = init_tss + cpu;
15038         unsigned fsindex, gsindex;
15039         bool preload_fpu;
15040  
15041 @@ -471,10 +471,9 @@ __switch_to(struct task_struct *prev_p, 
15042         prev->usersp = percpu_read(old_rsp);
15043         percpu_write(old_rsp, next->usersp);
15044         percpu_write(current_task, next_p);
15045 +       percpu_write(current_tinfo, &next_p->tinfo);
15046  
15047 -       percpu_write(kernel_stack,
15048 -                 (unsigned long)task_stack_page(next_p) +
15049 -                 THREAD_SIZE - KERNEL_STACK_OFFSET);
15050 +       percpu_write(kernel_stack, next->sp0);
15051  
15052         /*
15053          * Now maybe reload the debug registers and handle I/O bitmaps
15054 @@ -536,12 +535,11 @@ unsigned long get_wchan(struct task_stru
15055         if (!p || p == current || p->state == TASK_RUNNING)
15056                 return 0;
15057         stack = (unsigned long)task_stack_page(p);
15058 -       if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
15059 +       if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
15060                 return 0;
15061         fp = *(u64 *)(p->thread.sp);
15062         do {
15063 -               if (fp < (unsigned long)stack ||
15064 -                   fp >= (unsigned long)stack+THREAD_SIZE)
15065 +               if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
15066                         return 0;
15067                 ip = *(u64 *)(fp+8);
15068                 if (!in_sched_functions(ip))
15069 diff -urNp linux-3.0.9/arch/x86/kernel/process.c linux-3.0.9/arch/x86/kernel/process.c
15070 --- linux-3.0.9/arch/x86/kernel/process.c       2011-11-11 13:12:24.000000000 -0500
15071 +++ linux-3.0.9/arch/x86/kernel/process.c       2011-11-15 20:02:59.000000000 -0500
15072 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
15073  
15074  void free_thread_info(struct thread_info *ti)
15075  {
15076 -       free_thread_xstate(ti->task);
15077         free_pages((unsigned long)ti, get_order(THREAD_SIZE));
15078  }
15079  
15080 +static struct kmem_cache *task_struct_cachep;
15081 +
15082  void arch_task_cache_init(void)
15083  {
15084 -        task_xstate_cachep =
15085 -               kmem_cache_create("task_xstate", xstate_size,
15086 +       /* create a slab on which task_structs can be allocated */
15087 +       task_struct_cachep =
15088 +               kmem_cache_create("task_struct", sizeof(struct task_struct),
15089 +                       ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
15090 +
15091 +       task_xstate_cachep =
15092 +               kmem_cache_create("task_xstate", xstate_size,
15093                                   __alignof__(union thread_xstate),
15094 -                                 SLAB_PANIC | SLAB_NOTRACK, NULL);
15095 +                                 SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
15096 +}
15097 +
15098 +struct task_struct *alloc_task_struct_node(int node)
15099 +{
15100 +       return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
15101 +}
15102 +
15103 +void free_task_struct(struct task_struct *task)
15104 +{
15105 +       free_thread_xstate(task);
15106 +       kmem_cache_free(task_struct_cachep, task);
15107  }
15108  
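Review bot: `free_thread_xstate()` moves from free_thread_info() into the new free_task_struct(), and the xstate slab gains `SLAB_USERCOPY`, but neither change is explained; both are security-relevant — the flag whitelists this cache as a legitimate copy_to/from_user target, and the move changes which object owns the xstate lifetime. Suggested comments: above the flag, `/* SLAB_USERCOPY: thread_xstate is copied to/from user space (ptrace/signal paths — confirm), so whitelist it for usercopy checks */`, and above free_task_struct, `/* xstate is owned by the task_struct, not the thread_info, so it is released here */`. The new task_struct cache is created with SLAB_PANIC, so failure aborts boot rather than returning NULL; arch_task_cache_init() has no error path, so a word on that is worthwhile too.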
15109  /*
15110 @@ -70,7 +87,7 @@ void exit_thread(void)
15111         unsigned long *bp = t->io_bitmap_ptr;
15112  
15113         if (bp) {
15114 -               struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
15115 +               struct tss_struct *tss = init_tss + get_cpu();
15116  
15117                 t->io_bitmap_ptr = NULL;
15118                 clear_thread_flag(TIF_IO_BITMAP);
15119 @@ -106,7 +123,7 @@ void show_regs_common(void)
15120  
15121         printk(KERN_CONT "\n");
15122         printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
15123 -               current->pid, current->xid, current->comm, print_tainted(),
15124 +               task_pid_nr(current), current->xid, current->comm, print_tainted(),
15125                 init_utsname()->release,
15126                 (int)strcspn(init_utsname()->version, " "),
15127                 init_utsname()->version);
15128 @@ -120,6 +137,9 @@ void flush_thread(void)
15129  {
15130         struct task_struct *tsk = current;
15131  
15132 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
15133 +       loadsegment(gs, 0);
15134 +#endif
15135         flush_ptrace_hw_breakpoint(tsk);
15136         memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
15137         /*
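Review bot: `loadsegment(gs, 0);` is added under a three-term `#if` with no comment, so the reader has to reverse-engineer why the user gs is cleared on exec only when neither the stack protector nor UDEREF is configured. State it: `/* gs is not used by the kernel in this configuration; clear the inherited user selector on exec */` — wording to be confirmed, since the real reason (presumably that the other two configurations own %gs) is not shown here. If this condition recurs elsewhere in the patch it deserves a named helper macro.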
15138 @@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
15139         regs.di = (unsigned long) arg;
15140  
15141  #ifdef CONFIG_X86_32
15142 -       regs.ds = __USER_DS;
15143 -       regs.es = __USER_DS;
15144 +       regs.ds = __KERNEL_DS;
15145 +       regs.es = __KERNEL_DS;
15146         regs.fs = __KERNEL_PERCPU;
15147 -       regs.gs = __KERNEL_STACK_CANARY;
15148 +       savesegment(gs, regs.gs);
15149  #else
15150         regs.ss = __KERNEL_DS;
15151  #endif
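Review bot: Switching kernel threads from `__USER_DS` to `__KERNEL_DS` for ds/es and from the fixed `__KERNEL_STACK_CANARY` selector to `savesegment(gs, regs.gs)` changes the selectors every kernel thread starts with, yet the hunk carries no comment; the likely motivation (kernel threads must not run with user data selectors under a UDEREF-style split) should be stated rather than guessed. A comment at the `#ifdef CONFIG_X86_32` — `/* kernel threads run with kernel data selectors; gs is inherited from the creating context rather than pinned to the canary selector */` — records the intent. Confirm that every reader of regs->gs on kernel frames (e.g. __show_regs, which now calls get_user_gs(regs) unconditionally) agrees with this value.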
15152 @@ -403,7 +423,7 @@ void default_idle(void)
15153  EXPORT_SYMBOL(default_idle);
15154  #endif
15155  
15156 -void stop_this_cpu(void *dummy)
15157 +__noreturn void stop_this_cpu(void *dummy)
15158  {
15159         local_irq_disable();
15160         /*
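Review bot: `__noreturn void stop_this_cpu(void *dummy)` is only valid if every path in the body ends in an endless halt loop; the body continues outside this hunk, and if any configuration lets it fall off the end the attribute turns that into undefined behaviour (the compiler may drop the return path entirely). A `BUG()` or `unreachable()` after the loop makes the guarantee explicit at the source. Check that the attribute's placement before the return type matches the convention used for `__noreturn` elsewhere in this tree.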
15161 @@ -668,16 +688,37 @@ static int __init idle_setup(char *str)
15162  }
15163  early_param("idle", idle_setup);
15164  
15165 -unsigned long arch_align_stack(unsigned long sp)
15166 +#ifdef CONFIG_PAX_RANDKSTACK
15167 +void pax_randomize_kstack(struct pt_regs *regs)
15168  {
15169 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
15170 -               sp -= get_random_int() % 8192;
15171 -       return sp & ~0xf;
15172 -}
15173 +       struct thread_struct *thread = &current->thread;
15174 +       unsigned long time;
15175  
15176 -unsigned long arch_randomize_brk(struct mm_struct *mm)
15177 -{
15178 -       unsigned long range_end = mm->brk + 0x02000000;
15179 -       return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
15180 -}
15181 +       if (!randomize_va_space)
15182 +               return;
15183 +
15184 +       if (v8086_mode(regs))
15185 +               return;
15186  
15187 +       rdtscl(time);
15188 +
15189 +       /* P4 seems to return a 0 LSB, ignore it */
15190 +#ifdef CONFIG_MPENTIUM4
15191 +       time &= 0x3EUL;
15192 +       time <<= 2;
15193 +#elif defined(CONFIG_X86_64)
15194 +       time &= 0xFUL;
15195 +       time <<= 4;
15196 +#else
15197 +       time &= 0x1FUL;
15198 +       time <<= 3;
15199 +#endif
15200 +
15201 +       thread->sp0 ^= time;
15202 +       load_sp0(init_tss + smp_processor_id(), thread);
15203 +
15204 +#ifdef CONFIG_X86_64
15205 +       percpu_write(kernel_stack, thread->sp0);
15206 +#endif
15207 +}
15208 +#endif
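Review bot: `pax_randomize_kstack()` draws its randomness from `rdtscl(time)` and keeps only 4–5 bits of it (masks 0x3E, 0xF and 0x1F shifted so the XOR into `thread->sp0` moves it in 8- or 16-byte steps within the aligned 256-byte block containing sp0), yet nothing says this is deliberate cheap jitter rather than a secret-quality source; a header comment should state the entropy source, the window size and that the perturbation is XOR-applied on every call. The hunk also deletes `arch_align_stack()` and `arch_randomize_brk()` from this file; generic code refers to them, so the patch must define them elsewhere or the link fails — note that in the commit message since it is not visible here. Finally, the TSC is not guaranteed to tick on every supported platform; where it is constant the randomisation degrades to a fixed offset, which is acceptable for a defence-in-depth measure but should be written down.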
15209 diff -urNp linux-3.0.9/arch/x86/kernel/ptrace.c linux-3.0.9/arch/x86/kernel/ptrace.c
15210 --- linux-3.0.9/arch/x86/kernel/ptrace.c        2011-11-11 13:12:24.000000000 -0500
15211 +++ linux-3.0.9/arch/x86/kernel/ptrace.c        2011-11-15 20:02:59.000000000 -0500
15212 @@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi
15213                  unsigned long addr, unsigned long data)
15214  {
15215         int ret;
15216 -       unsigned long __user *datap = (unsigned long __user *)data;
15217 +       unsigned long __user *datap = (__force unsigned long __user *)data;
15218  
15219         switch (request) {
15220         /* read the word at location addr in the USER area. */
15221 @@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi
15222                 if ((int) addr < 0)
15223                         return -EIO;
15224                 ret = do_get_thread_area(child, addr,
15225 -                                       (struct user_desc __user *)data);
15226 +                                       (__force struct user_desc __user *) data);
15227                 break;
15228  
15229         case PTRACE_SET_THREAD_AREA:
15230                 if ((int) addr < 0)
15231                         return -EIO;
15232                 ret = do_set_thread_area(child, addr,
15233 -                                       (struct user_desc __user *)data, 0);
15234 +                                       (__force struct user_desc __user *) data, 0);
15235                 break;
15236  #endif
15237  
15238 @@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas
15239         memset(info, 0, sizeof(*info));
15240         info->si_signo = SIGTRAP;
15241         info->si_code = si_code;
15242 -       info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
15243 +       info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
15244  }
15245  
15246  void user_single_step_siginfo(struct task_struct *tsk,
15247 diff -urNp linux-3.0.9/arch/x86/kernel/pvclock.c linux-3.0.9/arch/x86/kernel/pvclock.c
15248 --- linux-3.0.9/arch/x86/kernel/pvclock.c       2011-11-11 13:12:24.000000000 -0500
15249 +++ linux-3.0.9/arch/x86/kernel/pvclock.c       2011-11-15 20:02:59.000000000 -0500
15250 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
15251         return pv_tsc_khz;
15252  }
15253  
15254 -static atomic64_t last_value = ATOMIC64_INIT(0);
15255 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
15256  
15257  void pvclock_resume(void)
15258  {
15259 -       atomic64_set(&last_value, 0);
15260 +       atomic64_set_unchecked(&last_value, 0);
15261  }
15262  
15263  cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
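Review bot: The change of last_value to atomic64_unchecked_t at line 15255 carries no comment saying why this counter is exempt from whatever overflow checking the checked atomic64_t variant provides; the second pvclock.c hunk (the _unchecked read and cmpxchg) follows from the same decision. Anyone later auditing unchecked atomics has to rediscover that last_value holds a monotonic clock reading rather than a reference count, so wrap-around is not a refcount-style hazard. Suggest `/* clock reading, not a refcount: wrap-around is harmless, so overflow checking is skipped */` above the declaration.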
15264 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct 
15265          * updating at the same time, and one of them could be slightly behind,
15266          * making the assumption that last_value always go forward fail to hold.
15267          */
15268 -       last = atomic64_read(&last_value);
15269 +       last = atomic64_read_unchecked(&last_value);
15270         do {
15271                 if (ret < last)
15272                         return last;
15273 -               last = atomic64_cmpxchg(&last_value, last, ret);
15274 +               last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
15275         } while (unlikely(last != ret));
15276  
15277         return ret;
15278 diff -urNp linux-3.0.9/arch/x86/kernel/reboot.c linux-3.0.9/arch/x86/kernel/reboot.c
15279 --- linux-3.0.9/arch/x86/kernel/reboot.c        2011-11-11 13:12:24.000000000 -0500
15280 +++ linux-3.0.9/arch/x86/kernel/reboot.c        2011-11-15 20:02:59.000000000 -0500
15281 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
15282  EXPORT_SYMBOL(pm_power_off);
15283  
15284  static const struct desc_ptr no_idt = {};
15285 -static int reboot_mode;
15286 +static unsigned short reboot_mode;
15287  enum reboot_type reboot_type = BOOT_ACPI;
15288  int reboot_force;
15289  
15290 @@ -315,13 +315,17 @@ core_initcall(reboot_init);
15291  extern const unsigned char machine_real_restart_asm[];
15292  extern const u64 machine_real_restart_gdt[3];
15293  
15294 -void machine_real_restart(unsigned int type)
15295 +__noreturn void machine_real_restart(unsigned int type)
15296  {
15297         void *restart_va;
15298         unsigned long restart_pa;
15299 -       void (*restart_lowmem)(unsigned int);
15300 +       void (* __noreturn restart_lowmem)(unsigned int);
15301         u64 *lowmem_gdt;
15302  
15303 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15304 +       struct desc_struct *gdt;
15305 +#endif
15306 +
15307         local_irq_disable();
15308  
15309         /* Write zero to CMOS register number 0x0f, which the BIOS POST
15310 @@ -347,14 +351,14 @@ void machine_real_restart(unsigned int t
15311            boot)".  This seems like a fairly standard thing that gets set by
15312            REBOOT.COM programs, and the previous reset routine did this
15313            too. */
15314 -       *((unsigned short *)0x472) = reboot_mode;
15315 +       *(unsigned short *)(__va(0x472)) = reboot_mode;
15316  
15317         /* Patch the GDT in the low memory trampoline */
15318         lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
15319  
15320         restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
15321         restart_pa = virt_to_phys(restart_va);
15322 -       restart_lowmem = (void (*)(unsigned int))restart_pa;
15323 +       restart_lowmem = (void *)restart_pa;
15324  
15325         /* GDT[0]: GDT self-pointer */
15326         lowmem_gdt[0] =
15327 @@ -365,7 +369,33 @@ void machine_real_restart(unsigned int t
15328                 GDT_ENTRY(0x009b, restart_pa, 0xffff);
15329  
15330         /* Jump to the identity-mapped low memory code */
15331 +
15332 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15333 +       gdt = get_cpu_gdt_table(smp_processor_id());
15334 +       pax_open_kernel();
15335 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15336 +       gdt[GDT_ENTRY_KERNEL_DS].type = 3;
15337 +       gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
15338 +       asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
15339 +#endif
15340 +#ifdef CONFIG_PAX_KERNEXEC
15341 +       gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
15342 +       gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
15343 +       gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
15344 +       gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
15345 +       gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
15346 +       gdt[GDT_ENTRY_KERNEL_CS].g = 1;
15347 +#endif
15348 +       pax_close_kernel();
15349 +#endif
15350 +
15351 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15352 +       asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
15353 +       unreachable();
15354 +#else
15355         restart_lowmem(type);
15356 +#endif
15357 +
15358  }
15359  #ifdef CONFIG_APM_MODULE
15360  EXPORT_SYMBOL(machine_real_restart);
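Review bot: The inline asm at line 15355 binds restart_lowmem with an `"rm"` constraint but executes `push %0` before `push %1`; if the compiler satisfies the constraint with an %esp-relative memory operand (likely when frame pointers are omitted), the first push moves %esp and the second push reads the wrong stack word, so the far return lands somewhere other than the trampoline. Forcing a register with `"r" (restart_lowmem)` removes the hazard at no cost. The GDT rewrite above it also lacks a comment explaining that the kernel CS base and limit are being flattened so the `lret` can reach the identity-mapped low-memory code; a one-line comment there would help. machine_real_restart begins outside this hunk.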
15361 @@ -523,7 +553,7 @@ void __attribute__((weak)) mach_reboot_f
15362   * try to force a triple fault and then cycle between hitting the keyboard
15363   * controller and doing that
15364   */
15365 -static void native_machine_emergency_restart(void)
15366 +__noreturn static void native_machine_emergency_restart(void)
15367  {
15368         int i;
15369         int attempt = 0;
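Review bot: The attribute placement `__noreturn static void` at line 15369 differs from the `static __noreturn void` form used on __machine_emergency_restart, native_machine_restart and native_machine_halt in the hunks below; the @@ -673 hunk (native_machine_power_off) has the same inconsistency. Putting the storage class first, `static __noreturn void native_machine_emergency_restart(void)`, keeps the file uniform. The function body continues outside this hunk.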
15370 @@ -647,13 +677,13 @@ void native_machine_shutdown(void)
15371  #endif
15372  }
15373  
15374 -static void __machine_emergency_restart(int emergency)
15375 +static __noreturn void __machine_emergency_restart(int emergency)
15376  {
15377         reboot_emergency = emergency;
15378         machine_ops.emergency_restart();
15379  }
15380  
15381 -static void native_machine_restart(char *__unused)
15382 +static __noreturn void native_machine_restart(char *__unused)
15383  {
15384         printk("machine restart\n");
15385  
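Review bot: __machine_emergency_restart at line 15378 is now __noreturn, but its body ends with an indirect call through machine_ops.emergency_restart(); unless that member is also declared __noreturn elsewhere in the patch (not visible here), the compiler has no basis for the annotation and will warn that a noreturn function returns. The same applies to native_machine_halt, whose final statement `stop_this_cpu(NULL)` is visible in the @@ -673 hunk. Annotating the machine_ops members (and stop_this_cpu) is the consistent fix; adding unreachable() after the calls, as the @@ -682 hunk does for power-off, is only safe if every implementation really cannot return.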
15386 @@ -662,7 +692,7 @@ static void native_machine_restart(char 
15387         __machine_emergency_restart(0);
15388  }
15389  
15390 -static void native_machine_halt(void)
15391 +static __noreturn void native_machine_halt(void)
15392  {
15393         /* stop other cpus and apics */
15394         machine_shutdown();
15395 @@ -673,7 +703,7 @@ static void native_machine_halt(void)
15396         stop_this_cpu(NULL);
15397  }
15398  
15399 -static void native_machine_power_off(void)
15400 +__noreturn static void native_machine_power_off(void)
15401  {
15402         if (pm_power_off) {
15403                 if (!reboot_force)
15404 @@ -682,6 +712,7 @@ static void native_machine_power_off(voi
15405         }
15406         /* a fallback in case there is no PM info available */
15407         tboot_shutdown(TB_SHUTDOWN_HALT);
15408 +       unreachable();
15409  }
15410  
15411  struct machine_ops machine_ops = {
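Review bot: `unreachable();` at line 15411 asserts that tboot_shutdown(TB_SHUTDOWN_HALT) never returns, yet the comment directly above calls it "a fallback in case there is no PM info available"; if tboot_shutdown is a no-op when tboot is not enabled (its definition is not in this hunk), a machine without pm_power_off would run straight into the unreachable() and undefined behaviour on every power-off. If it can return in this tree, a terminal that really stops the CPU, e.g. `for (;;) halt();`, is safer than unreachable(). If it cannot return, a comment saying so would save the next reader the same check.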
15412 diff -urNp linux-3.0.9/arch/x86/kernel/setup.c linux-3.0.9/arch/x86/kernel/setup.c
15413 --- linux-3.0.9/arch/x86/kernel/setup.c 2011-11-11 13:12:24.000000000 -0500
15414 +++ linux-3.0.9/arch/x86/kernel/setup.c 2011-11-15 20:02:59.000000000 -0500
15415 @@ -447,7 +447,7 @@ static void __init parse_setup_data(void
15416  
15417                 switch (data->type) {
15418                 case SETUP_E820_EXT:
15419 -                       parse_e820_ext(data);
15420 +                       parse_e820_ext((struct setup_data __force_kernel *)data);
15421                         break;
15422                 case SETUP_DTB:
15423                         add_dtb(pa_data);
15424 @@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
15425          * area (640->1Mb) as ram even though it is not.
15426          * take them out.
15427          */
15428 -       e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
15429 +       e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
15430         sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
15431  }
15432  
15433 @@ -773,14 +773,14 @@ void __init setup_arch(char **cmdline_p)
15434  
15435         if (!boot_params.hdr.root_flags)
15436                 root_mountflags &= ~MS_RDONLY;
15437 -       init_mm.start_code = (unsigned long) _text;
15438 -       init_mm.end_code = (unsigned long) _etext;
15439 +       init_mm.start_code = ktla_ktva((unsigned long) _text);
15440 +       init_mm.end_code = ktla_ktva((unsigned long) _etext);
15441         init_mm.end_data = (unsigned long) _edata;
15442         init_mm.brk = _brk_end;
15443  
15444 -       code_resource.start = virt_to_phys(_text);
15445 -       code_resource.end = virt_to_phys(_etext)-1;
15446 -       data_resource.start = virt_to_phys(_etext);
15447 +       code_resource.start = virt_to_phys(ktla_ktva(_text));
15448 +       code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
15449 +       data_resource.start = virt_to_phys(_sdata);
15450         data_resource.end = virt_to_phys(_edata)-1;
15451         bss_resource.start = virt_to_phys(&__bss_start);
15452         bss_resource.end = virt_to_phys(&__bss_stop)-1;
15453 diff -urNp linux-3.0.9/arch/x86/kernel/setup_percpu.c linux-3.0.9/arch/x86/kernel/setup_percpu.c
15454 --- linux-3.0.9/arch/x86/kernel/setup_percpu.c  2011-11-11 13:12:24.000000000 -0500
15455 +++ linux-3.0.9/arch/x86/kernel/setup_percpu.c  2011-11-15 20:02:59.000000000 -0500
15456 @@ -21,19 +21,17 @@
15457  #include <asm/cpu.h>
15458  #include <asm/stackprotector.h>
15459  
15460 -DEFINE_PER_CPU(int, cpu_number);
15461 +#ifdef CONFIG_SMP
15462 +DEFINE_PER_CPU(unsigned int, cpu_number);
15463  EXPORT_PER_CPU_SYMBOL(cpu_number);
15464 +#endif
15465  
15466 -#ifdef CONFIG_X86_64
15467  #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
15468 -#else
15469 -#define BOOT_PERCPU_OFFSET 0
15470 -#endif
15471  
15472  DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
15473  EXPORT_PER_CPU_SYMBOL(this_cpu_off);
15474  
15475 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
15476 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
15477         [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
15478  };
15479  EXPORT_SYMBOL(__per_cpu_offset);
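Review bot: __per_cpu_offset is marked __read_only at line 15479, but the @@ -207 hunk still writes it (`per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];`) with no pax_open_kernel() around the store; presumably this works only because setup_per_cpu_areas runs during early init, before the read-only sections are sealed. That dependency is invisible at the write site; a comment there, `/* __read_only, but still writable: this runs before the read-only sections are sealed */`, would keep a later refactor from moving the write past that point. Separately, placing the cpu_number definition under CONFIG_SMP is only safe if every remaining use in this file (line 15508 is one) is also SMP-only, which is worth confirming for !SMP builds.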
15480 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
15481  {
15482  #ifdef CONFIG_X86_32
15483         struct desc_struct gdt;
15484 +       unsigned long base = per_cpu_offset(cpu);
15485  
15486 -       pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
15487 -                       0x2 | DESCTYPE_S, 0x8);
15488 -       gdt.s = 1;
15489 +       pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
15490 +                       0x83 | DESCTYPE_S, 0xC);
15491         write_gdt_entry(get_cpu_gdt_table(cpu),
15492                         GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
15493  #endif
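Review bot: The new descriptor at lines 15492–15493 encodes three undocumented constants: a limit of `(VMALLOC_END - base - 1) >> PAGE_SHIFT`, a type byte of `0x83 | DESCTYPE_S`, and flags `0xC`. The limit appears to cap the per-cpu segment at VMALLOC_END instead of the old 4 GiB, which is a meaningful hardening change and deserves a comment such as `/* per-cpu segment ends at VMALLOC_END rather than covering the whole address space; 0x83 = present, DPL0, R/W data; 0xC = 4K granularity, 32-bit */`. The expression also underflows if base were ever >= VMALLOC_END, which is presumably impossible but not stated. setup_percpu_segment begins outside this hunk.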
15494 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
15495         /* alrighty, percpu areas up and running */
15496         delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
15497         for_each_possible_cpu(cpu) {
15498 +#ifdef CONFIG_CC_STACKPROTECTOR
15499 +#ifdef CONFIG_X86_32
15500 +               unsigned long canary = per_cpu(stack_canary.canary, cpu);
15501 +#endif
15502 +#endif
15503                 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
15504                 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
15505                 per_cpu(cpu_number, cpu) = cpu;
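Review bot: The `canary` local introduced at line 15503 is read before the per-cpu offset for the CPU is rewritten and written back in the @@ -247 hunk for cpu 0 only, and neither site says why. The likely reason — on 32-bit the boot CPU's stack canary lives in the per-cpu area and was being read through the old offset, so it must be carried over to the relocated area — should be stated at the restore site, e.g. `/* X86_32: the boot CPU's canary was read via the old per-cpu offset; copy it into the relocated area */`. setup_per_cpu_areas begins outside this hunk.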
15506 @@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
15507                  */
15508                 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
15509  #endif
15510 +#ifdef CONFIG_CC_STACKPROTECTOR
15511 +#ifdef CONFIG_X86_32
15512 +               if (!cpu)
15513 +                       per_cpu(stack_canary.canary, cpu) = canary;
15514 +#endif
15515 +#endif
15516                 /*
15517                  * Up to this point, the boot CPU has been using .init.data
15518                  * area.  Reload any changed state for the boot CPU.
15519 diff -urNp linux-3.0.9/arch/x86/kernel/signal.c linux-3.0.9/arch/x86/kernel/signal.c
15520 --- linux-3.0.9/arch/x86/kernel/signal.c        2011-11-11 13:12:24.000000000 -0500
15521 +++ linux-3.0.9/arch/x86/kernel/signal.c        2011-11-15 20:02:59.000000000 -0500
15522 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
15523          * Align the stack pointer according to the i386 ABI,
15524          * i.e. so that on function entry ((sp + 4) & 15) == 0.
15525          */
15526 -       sp = ((sp + 4) & -16ul) - 4;
15527 +       sp = ((sp - 12) & -16ul) - 4;
15528  #else /* !CONFIG_X86_32 */
15529         sp = round_down(sp, 16) - 8;
15530  #endif
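Review bot: The new alignment at line 15530, `((sp - 12) & -16ul) - 4`, still satisfies the `((sp + 4) & 15) == 0` property described in the comment above, but unlike the old expression it always moves the frame at least 16 bytes below the incoming sp, and nothing says why. If a guaranteed gap is the intent, the comment should state it; otherwise the old expression already produced a valid alignment and the change reads as accidental. align_sigframe begins outside this hunk.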
15531 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
15532          * Return an always-bogus address instead so we will die with SIGSEGV.
15533          */
15534         if (onsigstack && !likely(on_sig_stack(sp)))
15535 -               return (void __user *)-1L;
15536 +               return (__force void __user *)-1L;
15537  
15538         /* save i387 state */
15539         if (used_math() && save_i387_xstate(*fpstate) < 0)
15540 -               return (void __user *)-1L;
15541 +               return (__force void __user *)-1L;
15542  
15543         return (void __user *)sp;
15544  }
15545 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
15546         }
15547  
15548         if (current->mm->context.vdso)
15549 -               restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15550 +               restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15551         else
15552 -               restorer = &frame->retcode;
15553 +               restorer = (void __user *)&frame->retcode;
15554         if (ka->sa.sa_flags & SA_RESTORER)
15555                 restorer = ka->sa.sa_restorer;
15556  
15557 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
15558          * reasons and because gdb uses it as a signature to notice
15559          * signal handler stack frames.
15560          */
15561 -       err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
15562 +       err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
15563  
15564         if (err)
15565                 return -EFAULT;
15566 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
15567                 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
15568  
15569                 /* Set up to return from userspace.  */
15570 -               restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15571 +               if (current->mm->context.vdso)
15572 +                       restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15573 +               else
15574 +                       restorer = (void __user *)&frame->retcode;
15575                 if (ka->sa.sa_flags & SA_RESTORER)
15576                         restorer = ka->sa.sa_restorer;
15577                 put_user_ex(restorer, &frame->pretcode);
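Review bot: The new fallback at lines 15576–15577 returns through the trampoline written into frame->retcode on the user stack, which mirrors __setup_frame in the @@ -308 hunk, but that path only works when the signal stack is executable; on a kernel enforcing non-executable stacks, a process running without the vdso mapped would fault at sigreturn. A one-line comment recording that constraint, e.g. `/* no vdso: fall back to the on-stack trampoline, which needs an executable stack */`, would make the limitation visible. __setup_rt_frame begins outside this hunk.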
15578 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
15579                  * reasons and because gdb uses it as a signature to notice
15580                  * signal handler stack frames.
15581                  */
15582 -               put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
15583 +               put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
15584         } put_user_catch(err);
15585  
15586         if (err)
15587 @@ -769,6 +772,8 @@ static void do_signal(struct pt_regs *re
15588         int signr;
15589         sigset_t *oldset;
15590  
15591 +       pax_track_stack();
15592 +
15593         /*
15594          * We want the common case to go fast, which is why we may in certain
15595          * cases get here from kernel mode. Just return without doing anything
15596 @@ -776,7 +781,7 @@ static void do_signal(struct pt_regs *re
15597          * X86_32: vm86 regs switched out by assembly code before reaching
15598          * here, so testing against kernel CS suffices.
15599          */
15600 -       if (!user_mode(regs))
15601 +       if (!user_mode_novm(regs))
15602                 return;
15603  
15604         if (current_thread_info()->status & TS_RESTORE_SIGMASK)
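Review bot: Replacing user_mode(regs) with user_mode_novm(regs) at line 15604, while the ptrace.c hunk above replaces user_mode_vm() with user_mode(), suggests the patch redefines user_mode() to include vm86 mode (the definitions are not visible here); the comment directly above this line, which says testing against kernel CS suffices because vm86 regs were already switched out, now describes user_mode_novm. If that reading is right, every other user_mode() caller in the tree has silently changed meaning and should be audited as part of this change. A short comment at the definition of the new helper describing the vm/novm split would help future readers. do_signal begins outside this hunk.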
15605 diff -urNp linux-3.0.9/arch/x86/kernel/smpboot.c linux-3.0.9/arch/x86/kernel/smpboot.c
15606 --- linux-3.0.9/arch/x86/kernel/smpboot.c       2011-11-11 13:12:24.000000000 -0500
15607 +++ linux-3.0.9/arch/x86/kernel/smpboot.c       2011-11-15 20:02:59.000000000 -0500
15608 @@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
15609         set_idle_for_cpu(cpu, c_idle.idle);
15610  do_rest:
15611         per_cpu(current_task, cpu) = c_idle.idle;
15612 +       per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
15613  #ifdef CONFIG_X86_32
15614         /* Stack for startup_32 can be just as for start_secondary onwards */
15615         irq_ctx_init(cpu);
15616  #else
15617         clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
15618         initial_gs = per_cpu_offset(cpu);
15619 -       per_cpu(kernel_stack, cpu) =
15620 -               (unsigned long)task_stack_page(c_idle.idle) -
15621 -               KERNEL_STACK_OFFSET + THREAD_SIZE;
15622 +       per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
15623  #endif
15624 +
15625 +       pax_open_kernel();
15626         early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
15627 +       pax_close_kernel();
15628 +
15629         initial_code = (unsigned long)start_secondary;
15630         stack_start  = c_idle.idle->thread.sp;
15631  
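Review bot: Line 15625 replaces KERNEL_STACK_OFFSET with the literal 16 in the kernel_stack computation; the entry code that consumes kernel_stack (not in this hunk) must agree with that value, and a bare number gives no link back to it. If KERNEL_STACK_OFFSET is redefined elsewhere in the patch, keep using the macro; otherwise introduce a named constant shared with the entry code rather than `- 16`. The pax_open_kernel()/pax_close_kernel() pair around the early_gdt_descr.address store also implies early_gdt_descr now lives in a read-only section, which deserves a one-line comment. do_boot_cpu begins outside this hunk.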
15632 @@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
15633  
15634         per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
15635  
15636 +#ifdef CONFIG_PAX_PER_CPU_PGD
15637 +       clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
15638 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
15639 +                       KERNEL_PGD_PTRS);
15640 +#endif
15641 +
15642         err = do_boot_cpu(apicid, cpu);
15643         if (err) {
15644                 pr_debug("do_boot_cpu failed %d\n", err);
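Review bot: The clone_pgd_range() block at lines 15639–15643 has no comment explaining why the kernel half of swapper_pg_dir must be copied into the per-CPU PGD before do_boot_cpu(); presumably the AP starts on its own PGD and needs the kernel mappings to execute at all. Suggest `/* PAX_PER_CPU_PGD: the AP boots on its own pgd, so seed it with the kernel mappings first */` above the #ifdef. native_cpu_up begins outside this hunk.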
15645 diff -urNp linux-3.0.9/arch/x86/kernel/step.c linux-3.0.9/arch/x86/kernel/step.c
15646 --- linux-3.0.9/arch/x86/kernel/step.c  2011-11-11 13:12:24.000000000 -0500
15647 +++ linux-3.0.9/arch/x86/kernel/step.c  2011-11-15 20:02:59.000000000 -0500
15648 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
15649                 struct desc_struct *desc;
15650                 unsigned long base;
15651  
15652 -               seg &= ~7UL;
15653 +               seg >>= 3;
15654  
15655                 mutex_lock(&child->mm->context.lock);
15656 -               if (unlikely((seg >> 3) >= child->mm->context.size))
15657 +               if (unlikely(seg >= child->mm->context.size))
15658                         addr = -1L; /* bogus selector, access would fault */
15659                 else {
15660                         desc = child->mm->context.ldt + seg;
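Review bot: After `seg >>= 3` at line 15656, seg is an LDT index, but the unchanged line 15663 `desc = child->mm->context.ldt + seg;` performs pointer arithmetic on context.ldt; this is only correct if that field has type `struct desc_struct *` (mainline declares it `void *`, where the addition is in bytes and the old byte offset `seg & ~7` was the right one). If the patch retypes the field elsewhere, fine, but it is not visible here and nothing in the hunk records the dependency; a comment, `/* context.ldt is a struct desc_struct array; seg is an index here */`, or an explicit `(struct desc_struct *)` cast would make it explicit. convert_ip_to_linear begins outside this hunk.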
15661 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
15662                         addr += base;
15663                 }
15664                 mutex_unlock(&child->mm->context.lock);
15665 -       }
15666 +       } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
15667 +               addr = ktla_ktva(addr);
15668  
15669         return addr;
15670  }
15671 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
15672         unsigned char opcode[15];
15673         unsigned long addr = convert_ip_to_linear(child, regs);
15674  
15675 +       if (addr == -EINVAL)
15676 +               return 0;
15677 +
15678         copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
15679         for (i = 0; i < copied; i++) {
15680                 switch (opcode[i]) {
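Review bot: The new guard `if (addr == -EINVAL) return 0;` at line 15678 does not match the error sentinel convert_ip_to_linear is seen to produce in the @@ -27 hunk, `addr = -1L; /* bogus selector, access would fault */`, so the bogus-selector case still reaches access_process_vm() with addr == -1L. Either the guard should test that sentinel (`if (addr == -1L)` or `if (IS_ERR_VALUE(addr))`), or convert_ip_to_linear should be changed to return -EINVAL consistently; as written the check only catches a value that is not visibly produced. is_setting_trap_flag begins outside this hunk.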
15681 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
15682  
15683  #ifdef CONFIG_X86_64
15684                 case 0x40 ... 0x4f:
15685 -                       if (regs->cs != __USER_CS)
15686 +                       if ((regs->cs & 0xffff) != __USER_CS)
15687                                 /* 32-bit mode: register increment */
15688                                 return 0;
15689                         /* 64-bit mode: REX prefix */
15690 diff -urNp linux-3.0.9/arch/x86/kernel/syscall_table_32.S linux-3.0.9/arch/x86/kernel/syscall_table_32.S
15691 --- linux-3.0.9/arch/x86/kernel/syscall_table_32.S      2011-11-11 13:12:24.000000000 -0500
15692 +++ linux-3.0.9/arch/x86/kernel/syscall_table_32.S      2011-11-15 20:02:59.000000000 -0500
15693 @@ -1,3 +1,4 @@
15694 +.section .rodata,"a",@progbits
15695  ENTRY(sys_call_table)
15696         .long sys_restart_syscall       /* 0 - old "setup()" system call, used for restarting */
15697         .long sys_exit
15698 diff -urNp linux-3.0.9/arch/x86/kernel/sys_i386_32.c linux-3.0.9/arch/x86/kernel/sys_i386_32.c
15699 --- linux-3.0.9/arch/x86/kernel/sys_i386_32.c   2011-11-11 13:12:24.000000000 -0500
15700 +++ linux-3.0.9/arch/x86/kernel/sys_i386_32.c   2011-11-15 20:02:59.000000000 -0500
15701 @@ -24,17 +24,224 @@
15702  
15703  #include <asm/syscalls.h>
15704  
15705 -/*
15706 - * Do a system call from kernel instead of calling sys_execve so we
15707 - * end up with proper pt_regs.
15708 - */
15709 -int kernel_execve(const char *filename,
15710 -                 const char *const argv[],
15711 -                 const char *const envp[])
15712 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
15713  {
15714 -       long __res;
15715 -       asm volatile ("int $0x80"
15716 -       : "=a" (__res)
15717 -       : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
15718 -       return __res;
15719 +       unsigned long pax_task_size = TASK_SIZE;
15720 +
15721 +#ifdef CONFIG_PAX_SEGMEXEC
15722 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
15723 +               pax_task_size = SEGMEXEC_TASK_SIZE;
15724 +#endif
15725 +
15726 +       if (len > pax_task_size || addr > pax_task_size - len)
15727 +               return -EINVAL;
15728 +
15729 +       return 0;
15730 +}
15731 +
15732 +unsigned long
15733 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
15734 +               unsigned long len, unsigned long pgoff, unsigned long flags)
15735 +{
15736 +       struct mm_struct *mm = current->mm;
15737 +       struct vm_area_struct *vma;
15738 +       unsigned long start_addr, pax_task_size = TASK_SIZE;
15739 +
15740 +#ifdef CONFIG_PAX_SEGMEXEC
15741 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
15742 +               pax_task_size = SEGMEXEC_TASK_SIZE;
15743 +#endif
15744 +
15745 +       pax_task_size -= PAGE_SIZE;
15746 +
15747 +       if (len > pax_task_size)
15748 +               return -ENOMEM;
15749 +
15750 +       if (flags & MAP_FIXED)
15751 +               return addr;
15752 +
15753 +#ifdef CONFIG_PAX_RANDMMAP
15754 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15755 +#endif
15756 +
15757 +       if (addr) {
15758 +               addr = PAGE_ALIGN(addr);
15759 +               if (pax_task_size - len >= addr) {
15760 +                       vma = find_vma(mm, addr);
15761 +                       if (check_heap_stack_gap(vma, addr, len))
15762 +                               return addr;
15763 +               }
15764 +       }
15765 +       if (len > mm->cached_hole_size) {
15766 +               start_addr = addr = mm->free_area_cache;
15767 +       } else {
15768 +               start_addr = addr = mm->mmap_base;
15769 +               mm->cached_hole_size = 0;
15770 +       }
15771 +
15772 +#ifdef CONFIG_PAX_PAGEEXEC
15773 +       if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
15774 +               start_addr = 0x00110000UL;
15775 +
15776 +#ifdef CONFIG_PAX_RANDMMAP
15777 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
15778 +                       start_addr += mm->delta_mmap & 0x03FFF000UL;
15779 +#endif
15780 +
15781 +               if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
15782 +                       start_addr = addr = mm->mmap_base;
15783 +               else
15784 +                       addr = start_addr;
15785 +       }
15786 +#endif
15787 +
15788 +full_search:
15789 +       for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
15790 +               /* At this point:  (!vma || addr < vma->vm_end). */
15791 +               if (pax_task_size - len < addr) {
15792 +                       /*
15793 +                        * Start a new search - just in case we missed
15794 +                        * some holes.
15795 +                        */
15796 +                       if (start_addr != mm->mmap_base) {
15797 +                               start_addr = addr = mm->mmap_base;
15798 +                               mm->cached_hole_size = 0;
15799 +                               goto full_search;
15800 +                       }
15801 +                       return -ENOMEM;
15802 +               }
15803 +               if (check_heap_stack_gap(vma, addr, len))
15804 +                       break;
15805 +               if (addr + mm->cached_hole_size < vma->vm_start)
15806 +                       mm->cached_hole_size = vma->vm_start - addr;
15807 +               addr = vma->vm_end;
15808 +               if (mm->start_brk <= addr && addr < mm->mmap_base) {
15809 +                       start_addr = addr = mm->mmap_base;
15810 +                       mm->cached_hole_size = 0;
15811 +                       goto full_search;
15812 +               }
15813 +       }
15814 +
15815 +       /*
15816 +        * Remember the place where we stopped the search:
15817 +        */
15818 +       mm->free_area_cache = addr + len;
15819 +       return addr;
15820 +}
15821 +
15822 +unsigned long
15823 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
15824 +                         const unsigned long len, const unsigned long pgoff,
15825 +                         const unsigned long flags)
15826 +{
15827 +       struct vm_area_struct *vma;
15828 +       struct mm_struct *mm = current->mm;
15829 +       unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
15830 +
15831 +#ifdef CONFIG_PAX_SEGMEXEC
15832 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
15833 +               pax_task_size = SEGMEXEC_TASK_SIZE;
15834 +#endif
15835 +
15836 +       pax_task_size -= PAGE_SIZE;
15837 +
15838 +       /* requested length too big for entire address space */
15839 +       if (len > pax_task_size)
15840 +               return -ENOMEM;
15841 +
15842 +       if (flags & MAP_FIXED)
15843 +               return addr;
15844 +
15845 +#ifdef CONFIG_PAX_PAGEEXEC
15846 +       if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
15847 +               goto bottomup;
15848 +#endif
15849 +
15850 +#ifdef CONFIG_PAX_RANDMMAP
15851 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15852 +#endif
15853 +
15854 +       /* requesting a specific address */
15855 +       if (addr) {
15856 +               addr = PAGE_ALIGN(addr);
15857 +               if (pax_task_size - len >= addr) {
15858 +                       vma = find_vma(mm, addr);
15859 +                       if (check_heap_stack_gap(vma, addr, len))
15860 +                               return addr;
15861 +               }
15862 +       }
15863 +
15864 +       /* check if free_area_cache is useful for us */
15865 +       if (len <= mm->cached_hole_size) {
15866 +               mm->cached_hole_size = 0;
15867 +               mm->free_area_cache = mm->mmap_base;
15868 +       }
15869 +
15870 +       /* either no address requested or can't fit in requested address hole */
15871 +       addr = mm->free_area_cache;
15872 +
15873 +       /* make sure it can fit in the remaining address space */
15874 +       if (addr > len) {
15875 +               vma = find_vma(mm, addr-len);
15876 +               if (check_heap_stack_gap(vma, addr - len, len))
15877 +                       /* remember the address as a hint for next time */
15878 +                       return (mm->free_area_cache = addr-len);
15879 +       }
15880 +
15881 +       if (mm->mmap_base < len)
15882 +               goto bottomup;
15883 +
15884 +       addr = mm->mmap_base-len;
15885 +
15886 +       do {
15887 +               /*
15888 +                * Lookup failure means no vma is above this address,
15889 +                * else if new region fits below vma->vm_start,
15890 +                * return with success:
15891 +                */
15892 +               vma = find_vma(mm, addr);
15893 +               if (check_heap_stack_gap(vma, addr, len))
15894 +                       /* remember the address as a hint for next time */
15895 +                       return (mm->free_area_cache = addr);
15896 +
15897 +               /* remember the largest hole we saw so far */
15898 +               if (addr + mm->cached_hole_size < vma->vm_start)
15899 +                       mm->cached_hole_size = vma->vm_start - addr;
15900 +
15901 +               /* try just below the current vma->vm_start */
15902 +               addr = skip_heap_stack_gap(vma, len);
15903 +       } while (!IS_ERR_VALUE(addr));
15904 +
15905 +bottomup:
15906 +       /*
15907 +        * A failed mmap() very likely causes application failure,
15908 +        * so fall back to the bottom-up function here. This scenario
15909 +        * can happen with large stack limits and large mmap()
15910 +        * allocations.
15911 +        */
15912 +
15913 +#ifdef CONFIG_PAX_SEGMEXEC
15914 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
15915 +               mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
15916 +       else
15917 +#endif
15918 +
15919 +       mm->mmap_base = TASK_UNMAPPED_BASE;
15920 +
15921 +#ifdef CONFIG_PAX_RANDMMAP
15922 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
15923 +               mm->mmap_base += mm->delta_mmap;
15924 +#endif
15925 +
15926 +       mm->free_area_cache = mm->mmap_base;
15927 +       mm->cached_hole_size = ~0UL;
15928 +       addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15929 +       /*
15930 +        * Restore the topdown base:
15931 +        */
15932 +       mm->mmap_base = base;
15933 +       mm->free_area_cache = base;
15934 +       mm->cached_hole_size = ~0UL;
15935 +
15936 +       return addr;
15937  }
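Review bot: In arch_get_unmapped_area (lines 15756–15760) and again in the topdown variant (15853–15858) a braceless `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` wrapped in `#ifdef CONFIG_PAX_RANDMMAP` silently becomes the condition of the following `if (addr)`; in the topdown copy a blank line and a comment even sit between the two, and the sys_x86_64.c @@ -69 hunk repeats the pattern. Folding it into one expression under the ifdef, `if (addr && !(mm->pax_flags & MF_PAX_RANDMMAP)) {`, with a plain `if (addr) {` in the #else branch, makes the control flow visible to readers and to static checkers. Also, i386_mmap_check declares a `flags` parameter it never reads; if it is kept for interface compatibility, a comment saying so would avoid an unused-parameter question later.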
15938 diff -urNp linux-3.0.9/arch/x86/kernel/sys_x86_64.c linux-3.0.9/arch/x86/kernel/sys_x86_64.c
15939 --- linux-3.0.9/arch/x86/kernel/sys_x86_64.c    2011-11-11 13:12:24.000000000 -0500
15940 +++ linux-3.0.9/arch/x86/kernel/sys_x86_64.c    2011-11-15 20:02:59.000000000 -0500
15941 @@ -32,8 +32,8 @@ out:
15942         return error;
15943  }
15944  
15945 -static void find_start_end(unsigned long flags, unsigned long *begin,
15946 -                          unsigned long *end)
15947 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
15948 +                          unsigned long *begin, unsigned long *end)
15949  {
15950         if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
15951                 unsigned long new_begin;
15952 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
15953                                 *begin = new_begin;
15954                 }
15955         } else {
15956 -               *begin = TASK_UNMAPPED_BASE;
15957 +               *begin = mm->mmap_base;
15958                 *end = TASK_SIZE;
15959         }
15960  }
15961 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
15962         if (flags & MAP_FIXED)
15963                 return addr;
15964  
15965 -       find_start_end(flags, &begin, &end);
15966 +       find_start_end(mm, flags, &begin, &end);
15967  
15968         if (len > end)
15969                 return -ENOMEM;
15970  
15971 +#ifdef CONFIG_PAX_RANDMMAP
15972 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15973 +#endif
15974 +
15975         if (addr) {
15976                 addr = PAGE_ALIGN(addr);
15977                 vma = find_vma(mm, addr);
15978 -               if (end - len >= addr &&
15979 -                   (!vma || addr + len <= vma->vm_start))
15980 +               if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
15981                         return addr;
15982         }
15983         if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
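Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block leaves the unbraced `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` governing the following `if (addr) {` across a blank line and an `#endif`, so anything later inserted between the two silently changes which statement is conditional; the same construct is in the `@@ -141,13 +144,18 @@` hunk of this file. Folding it into a single condition, e.g. `if (addr && !pax_randmmap_active(mm)) {` with a small inline helper that evaluates to false when CONFIG_PAX_RANDMMAP is not configured, keeps the hint-skipping logic readable without the preprocessor split. The enclosing `arch_get_unmapped_area` starts outside this hunk.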
15984 @@ -106,7 +109,7 @@ full_search:
15985                         }
15986                         return -ENOMEM;
15987                 }
15988 -               if (!vma || addr + len <= vma->vm_start) {
15989 +               if (check_heap_stack_gap(vma, addr, len)) {
15990                         /*
15991                          * Remember the place where we stopped the search:
15992                          */
15993 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
15994  {
15995         struct vm_area_struct *vma;
15996         struct mm_struct *mm = current->mm;
15997 -       unsigned long addr = addr0;
15998 +       unsigned long base = mm->mmap_base, addr = addr0;
15999  
16000         /* requested length too big for entire address space */
16001         if (len > TASK_SIZE)
16002 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
16003         if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
16004                 goto bottomup;
16005  
16006 +#ifdef CONFIG_PAX_RANDMMAP
16007 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16008 +#endif
16009 +
16010         /* requesting a specific address */
16011         if (addr) {
16012                 addr = PAGE_ALIGN(addr);
16013 -               vma = find_vma(mm, addr);
16014 -               if (TASK_SIZE - len >= addr &&
16015 -                               (!vma || addr + len <= vma->vm_start))
16016 -                       return addr;
16017 +               if (TASK_SIZE - len >= addr) {
16018 +                       vma = find_vma(mm, addr);
16019 +                       if (check_heap_stack_gap(vma, addr, len))
16020 +                               return addr;
16021 +               }
16022         }
16023  
16024         /* check if free_area_cache is useful for us */
16025 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
16026         /* make sure it can fit in the remaining address space */
16027         if (addr > len) {
16028                 vma = find_vma(mm, addr-len);
16029 -               if (!vma || addr <= vma->vm_start)
16030 +               if (check_heap_stack_gap(vma, addr - len, len))
16031                         /* remember the address as a hint for next time */
16032                         return mm->free_area_cache = addr-len;
16033         }
16034 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
16035                  * return with success:
16036                  */
16037                 vma = find_vma(mm, addr);
16038 -               if (!vma || addr+len <= vma->vm_start)
16039 +               if (check_heap_stack_gap(vma, addr, len))
16040                         /* remember the address as a hint for next time */
16041                         return mm->free_area_cache = addr;
16042  
16043 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
16044                         mm->cached_hole_size = vma->vm_start - addr;
16045  
16046                 /* try just below the current vma->vm_start */
16047 -               addr = vma->vm_start-len;
16048 -       } while (len < vma->vm_start);
16049 +               addr = skip_heap_stack_gap(vma, len);
16050 +       } while (!IS_ERR_VALUE(addr));
16051  
16052  bottomup:
16053         /*
16054 @@ -198,13 +206,21 @@ bottomup:
16055          * can happen with large stack limits and large mmap()
16056          * allocations.
16057          */
16058 +       mm->mmap_base = TASK_UNMAPPED_BASE;
16059 +
16060 +#ifdef CONFIG_PAX_RANDMMAP
16061 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
16062 +               mm->mmap_base += mm->delta_mmap;
16063 +#endif
16064 +
16065 +       mm->free_area_cache = mm->mmap_base;
16066         mm->cached_hole_size = ~0UL;
16067 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
16068         addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
16069         /*
16070          * Restore the topdown base:
16071          */
16072 -       mm->free_area_cache = mm->mmap_base;
16073 +       mm->mmap_base = base;
16074 +       mm->free_area_cache = base;
16075         mm->cached_hole_size = ~0UL;
16076  
16077         return addr;
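Review bot: The bottom-up fallback rewrites `mm->mmap_base` (and `free_area_cache`) before calling `arch_get_unmapped_area()` and restores both from `base` afterwards, but nothing says why the field is written rather than a value passed: with the `find_start_end()` hunk earlier in this file now reading `mm->mmap_base`, that write is the only channel for the bottom-up start. A comment at the first assignment stops it from being "simplified" away, e.g. `/* find_start_end() reads mm->mmap_base: point it at the bottom-up base for this call, restored from 'base' below */`. The transient value is presumably shielded by the caller holding mmap_sem for write; if any reader of mmap_base runs without that lock, confirm it tolerates the swap. `arch_get_unmapped_area_topdown` begins outside this hunk.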
16078 diff -urNp linux-3.0.9/arch/x86/kernel/tboot.c linux-3.0.9/arch/x86/kernel/tboot.c
16079 --- linux-3.0.9/arch/x86/kernel/tboot.c 2011-11-11 13:12:24.000000000 -0500
16080 +++ linux-3.0.9/arch/x86/kernel/tboot.c 2011-11-15 20:02:59.000000000 -0500
16081 @@ -217,7 +217,7 @@ static int tboot_setup_sleep(void)
16082  
16083  void tboot_shutdown(u32 shutdown_type)
16084  {
16085 -       void (*shutdown)(void);
16086 +       void (* __noreturn shutdown)(void);
16087  
16088         if (!tboot_enabled())
16089                 return;
16090 @@ -239,7 +239,7 @@ void tboot_shutdown(u32 shutdown_type)
16091  
16092         switch_to_tboot_pt();
16093  
16094 -       shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
16095 +       shutdown = (void *)tboot->shutdown_entry;
16096         shutdown();
16097  
16098         /* should not reach here */
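Review bot: `shutdown = (void *)tboot->shutdown_entry;` converts an integer directly to `void *` and then relies on the GNU extension that lets `void *` convert to a function pointer. If `shutdown_entry` is a 32-bit field (I recall `struct tboot` stores it as `u32`; confirm against the header), the integer-to-pointer cast is also of mismatched width on x86_64 and gcc's -Wint-to-pointer-cast will flag it; the removed line went through `(unsigned long)` for exactly that reason. Keeping the intermediate, `shutdown = (void *)(unsigned long)tboot->shutdown_entry;`, preserves the `__noreturn` pointer type introduced in the previous hunk and stays warning-free.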
16099 @@ -296,7 +296,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
16100         tboot_shutdown(acpi_shutdown_map[sleep_state]);
16101  }
16102  
16103 -static atomic_t ap_wfs_count;
16104 +static atomic_unchecked_t ap_wfs_count;
16105  
16106  static int tboot_wait_for_aps(int num_aps)
16107  {
16108 @@ -320,9 +320,9 @@ static int __cpuinit tboot_cpu_callback(
16109  {
16110         switch (action) {
16111         case CPU_DYING:
16112 -               atomic_inc(&ap_wfs_count);
16113 +               atomic_inc_unchecked(&ap_wfs_count);
16114                 if (num_online_cpus() == 1)
16115 -                       if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
16116 +                       if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
16117                                 return NOTIFY_BAD;
16118                 break;
16119         }
16120 @@ -341,7 +341,7 @@ static __init int tboot_late_init(void)
16121  
16122         tboot_create_trampoline();
16123  
16124 -       atomic_set(&ap_wfs_count, 0);
16125 +       atomic_set_unchecked(&ap_wfs_count, 0);
16126         register_hotcpu_notifier(&tboot_cpu_notifier);
16127         return 0;
16128  }
16129 diff -urNp linux-3.0.9/arch/x86/kernel/time.c linux-3.0.9/arch/x86/kernel/time.c
16130 --- linux-3.0.9/arch/x86/kernel/time.c  2011-11-11 13:12:24.000000000 -0500
16131 +++ linux-3.0.9/arch/x86/kernel/time.c  2011-11-15 20:02:59.000000000 -0500
16132 @@ -30,9 +30,9 @@ unsigned long profile_pc(struct pt_regs 
16133  {
16134         unsigned long pc = instruction_pointer(regs);
16135  
16136 -       if (!user_mode_vm(regs) && in_lock_functions(pc)) {
16137 +       if (!user_mode(regs) && in_lock_functions(pc)) {
16138  #ifdef CONFIG_FRAME_POINTER
16139 -               return *(unsigned long *)(regs->bp + sizeof(long));
16140 +               return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
16141  #else
16142                 unsigned long *sp =
16143                         (unsigned long *)kernel_stack_pointer(regs);
16144 @@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs 
16145                  * or above a saved flags. Eflags has bits 22-31 zero,
16146                  * kernel addresses don't.
16147                  */
16148 +
16149 +#ifdef CONFIG_PAX_KERNEXEC
16150 +               return ktla_ktva(sp[0]);
16151 +#else
16152                 if (sp[0] >> 22)
16153                         return sp[0];
16154                 if (sp[1] >> 22)
16155                         return sp[1];
16156  #endif
16157 +
16158 +#endif
16159         }
16160         return pc;
16161  }
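Review bot: Under CONFIG_PAX_KERNEXEC the new branch returns `ktla_ktva(sp[0])` unconditionally, discarding the `sp[0] >> 22` / `sp[1] >> 22` heuristic that the comment directly above (context lines) still describes as the way to tell a saved flags word from a return address. Either the heuristic still applies, in which case it should be run on the translated value too, or there is a reason it cannot apply under KERNEXEC, and that reason belongs next to the `#ifdef`, e.g. `/* KERNEXEC: TODO explain why sp[0] is always the return address in this configuration */` — the hunk does not say which. `profile_pc` opens in the preceding hunk.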
16162 diff -urNp linux-3.0.9/arch/x86/kernel/tls.c linux-3.0.9/arch/x86/kernel/tls.c
16163 --- linux-3.0.9/arch/x86/kernel/tls.c   2011-11-11 13:12:24.000000000 -0500
16164 +++ linux-3.0.9/arch/x86/kernel/tls.c   2011-11-15 20:02:59.000000000 -0500
16165 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
16166         if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
16167                 return -EINVAL;
16168  
16169 +#ifdef CONFIG_PAX_SEGMEXEC
16170 +       if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
16171 +               return -EINVAL;
16172 +#endif
16173 +
16174         set_tls_desc(p, idx, &info, 1);
16175  
16176         return 0;
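Review bot: `p->mm->pax_flags` is dereferenced without checking `p->mm`; `do_set_thread_area` takes a `struct task_struct *p` and, as I recall, is also reached through ptrace for a tracee, whose `mm` is not obviously guaranteed live at this point. The traps.c hunk in this same patch guards the identical flag test with `tsk->mm && (tsk->mm->pax_flags & ...)`; for consistency and safety write `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`, unless the caller contract rules out a NULL mm, in which case a one-line comment stating that precondition is enough. The function's header is outside the hunk.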
16177 diff -urNp linux-3.0.9/arch/x86/kernel/trampoline_32.S linux-3.0.9/arch/x86/kernel/trampoline_32.S
16178 --- linux-3.0.9/arch/x86/kernel/trampoline_32.S 2011-11-11 13:12:24.000000000 -0500
16179 +++ linux-3.0.9/arch/x86/kernel/trampoline_32.S 2011-11-15 20:02:59.000000000 -0500
16180 @@ -32,6 +32,12 @@
16181  #include <asm/segment.h>
16182  #include <asm/page_types.h>
16183  
16184 +#ifdef CONFIG_PAX_KERNEXEC
16185 +#define ta(X) (X)
16186 +#else
16187 +#define ta(X) ((X) - __PAGE_OFFSET)
16188 +#endif
16189 +
16190  #ifdef CONFIG_SMP
16191  
16192         .section ".x86_trampoline","a"
16193 @@ -62,7 +68,7 @@ r_base = .
16194         inc     %ax             # protected mode (PE) bit
16195         lmsw    %ax             # into protected mode
16196         # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
16197 -       ljmpl   $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
16198 +       ljmpl   $__BOOT_CS, $ta(startup_32_smp)
16199  
16200         # These need to be in the same 64K segment as the above;
16201         # hence we don't use the boot_gdt_descr defined in head.S
16202 diff -urNp linux-3.0.9/arch/x86/kernel/trampoline_64.S linux-3.0.9/arch/x86/kernel/trampoline_64.S
16203 --- linux-3.0.9/arch/x86/kernel/trampoline_64.S 2011-11-11 13:12:24.000000000 -0500
16204 +++ linux-3.0.9/arch/x86/kernel/trampoline_64.S 2011-11-15 20:02:59.000000000 -0500
16205 @@ -90,7 +90,7 @@ startup_32:
16206         movl    $__KERNEL_DS, %eax      # Initialize the %ds segment register
16207         movl    %eax, %ds
16208  
16209 -       movl    $X86_CR4_PAE, %eax
16210 +       movl    $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16211         movl    %eax, %cr4              # Enable PAE mode
16212  
16213                                         # Setup trampoline 4 level pagetables
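Review bot: The trailing comment `# Enable PAE mode` no longer describes the store, which now also sets PSE and PGE in %cr4; a stale comment on an early-boot control-register write is easy to misread later. Update it to `movl %eax, %cr4 # enable PSE, PAE and global pages (PGE)`, and if the extra bits are there so the trampoline page tables can use the same large/global mappings as the kernel proper, say so on the line above rather than leaving the reader to infer it. `startup_32` continues outside the hunk.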
16214 @@ -138,7 +138,7 @@ tidt:
16215         # so the kernel can live anywhere
16216         .balign 4
16217  tgdt:
16218 -       .short  tgdt_end - tgdt         # gdt limit
16219 +       .short  tgdt_end - tgdt - 1     # gdt limit
16220         .long   tgdt - r_base
16221         .short 0
16222         .quad   0x00cf9b000000ffff      # __KERNEL32_CS
16223 diff -urNp linux-3.0.9/arch/x86/kernel/traps.c linux-3.0.9/arch/x86/kernel/traps.c
16224 --- linux-3.0.9/arch/x86/kernel/traps.c 2011-11-11 13:12:24.000000000 -0500
16225 +++ linux-3.0.9/arch/x86/kernel/traps.c 2011-11-15 20:02:59.000000000 -0500
16226 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
16227  
16228  /* Do we ignore FPU interrupts ? */
16229  char ignore_fpu_irq;
16230 -
16231 -/*
16232 - * The IDT has to be page-aligned to simplify the Pentium
16233 - * F0 0F bug workaround.
16234 - */
16235 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
16236  #endif
16237  
16238  DECLARE_BITMAP(used_vectors, NR_VECTORS);
16239 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
16240  }
16241  
16242  static void __kprobes
16243 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
16244 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
16245         long error_code, siginfo_t *info)
16246  {
16247         struct task_struct *tsk = current;
16248  
16249  #ifdef CONFIG_X86_32
16250 -       if (regs->flags & X86_VM_MASK) {
16251 +       if (v8086_mode(regs)) {
16252                 /*
16253                  * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
16254                  * On nmi (interrupt 2), do_trap should not be called.
16255 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
16256         }
16257  #endif
16258  
16259 -       if (!user_mode(regs))
16260 +       if (!user_mode_novm(regs))
16261                 goto kernel_trap;
16262  
16263  #ifdef CONFIG_X86_32
16264 @@ -157,7 +151,7 @@ trap_signal:
16265             printk_ratelimit()) {
16266                 printk(KERN_INFO
16267                        "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
16268 -                      tsk->comm, tsk->pid, str,
16269 +                      tsk->comm, task_pid_nr(tsk), str,
16270                        regs->ip, regs->sp, error_code);
16271                 print_vma_addr(" in ", regs->ip);
16272                 printk("\n");
16273 @@ -174,8 +168,20 @@ kernel_trap:
16274         if (!fixup_exception(regs)) {
16275                 tsk->thread.error_code = error_code;
16276                 tsk->thread.trap_no = trapnr;
16277 +
16278 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16279 +               if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
16280 +                       str = "PAX: suspicious stack segment fault";
16281 +#endif
16282 +
16283                 die(str, regs, error_code);
16284         }
16285 +
16286 +#ifdef CONFIG_PAX_REFCOUNT
16287 +       if (trapnr == 4)
16288 +               pax_report_refcount_overflow(regs);
16289 +#endif
16290 +
16291         return;
16292  
16293  #ifdef CONFIG_X86_32
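Review bot: The selector test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out in full here and again in the `gp_in_kernel` hunk and the `do_nmi` hunk below, each time as an inline expression with the mask repeated. A `static inline` predicate near the top of the file makes the three sites read the same and gives the `0xFFFF` mask a single home; the bare trap numbers `12` and `4` also deserve `/* #SS */` and `/* #OF */` comments, since nothing nearby says which exceptions they are. `do_trap` starts outside this hunk; the helper would go above it.
```c
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
/* True when the trapping code segment is one of the kernel's code selectors. */
static inline bool pax_is_kernel_cs(const struct pt_regs *regs)
{
	unsigned long cs = regs->cs & 0xFFFF;

	return cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS;
}
#endif

/* … unchanged: do_trap up to the kernel_trap fixup branch … */
		if (trapnr == 12 /* #SS */ && pax_is_kernel_cs(regs))
			str = "PAX: suspicious stack segment fault";
```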
16294 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
16295         conditional_sti(regs);
16296  
16297  #ifdef CONFIG_X86_32
16298 -       if (regs->flags & X86_VM_MASK)
16299 +       if (v8086_mode(regs))
16300                 goto gp_in_vm86;
16301  #endif
16302  
16303         tsk = current;
16304 -       if (!user_mode(regs))
16305 +       if (!user_mode_novm(regs))
16306                 goto gp_in_kernel;
16307  
16308 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16309 +       if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
16310 +               struct mm_struct *mm = tsk->mm;
16311 +               unsigned long limit;
16312 +
16313 +               down_write(&mm->mmap_sem);
16314 +               limit = mm->context.user_cs_limit;
16315 +               if (limit < TASK_SIZE) {
16316 +                       track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
16317 +                       up_write(&mm->mmap_sem);
16318 +                       return;
16319 +               }
16320 +               up_write(&mm->mmap_sem);
16321 +       }
16322 +#endif
16323 +
16324         tsk->thread.error_code = error_code;
16325         tsk->thread.trap_no = 13;
16326  
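Review bot: The new PAGEEXEC block calls `down_write(&mm->mmap_sem)`, which can sleep, from inside the #GP handler; that is legitimate only because `conditional_sti(regs)` has already run (context line at the top of the hunk) and the kernel-mode case branched off to `gp_in_kernel` just above, but neither precondition is stated. Add `/* may sleep: irqs were re-enabled by conditional_sti() and this is the user-mode path */` before the `down_write`, and a line saying what the early `return` means — presumably that `track_exec_limit()` has raised the emulated exec limit so the faulting instruction is retried instead of signalled; confirm that reading before writing it down. `do_general_protection` opens outside the hunk.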
16327 @@ -304,6 +326,13 @@ gp_in_kernel:
16328         if (notify_die(DIE_GPF, "general protection fault", regs,
16329                                 error_code, 13, SIGSEGV) == NOTIFY_STOP)
16330                 return;
16331 +
16332 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16333 +       if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
16334 +               die("PAX: suspicious general protection fault", regs, error_code);
16335 +       else
16336 +#endif
16337 +
16338         die("general protection fault", regs, error_code);
16339  }
16340  
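Review bot: `die("PAX: suspicious general protection fault", ...); else` followed by `#endif` and a second `die()` is an if/else split across a preprocessor conditional, the same fragile shape as the `#ifdef CONFIG_PAX_RANDMMAP` blocks in sys_x86_64.c. The `do_trap` hunk earlier in this file solves the identical problem by substituting the message: `const char *str = "general protection fault";`, the KERNEXEC `if` assigning `str = "PAX: suspicious general protection fault";`, then a single `die(str, regs, error_code);` — one unconditional call, no dangling `else`, and consistent with that hunk. `do_general_protection` starts outside this hunk.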
16341 @@ -433,6 +462,17 @@ static notrace __kprobes void default_do
16342  dotraplinkage notrace __kprobes void
16343  do_nmi(struct pt_regs *regs, long error_code)
16344  {
16345 +
16346 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16347 +       if (!user_mode(regs)) {
16348 +               unsigned long cs = regs->cs & 0xFFFF;
16349 +               unsigned long ip = ktva_ktla(regs->ip);
16350 +
16351 +               if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
16352 +                       regs->ip = ip;
16353 +       }
16354 +#endif
16355 +
16356         nmi_enter();
16357  
16358         inc_irq_stat(__nmi_count);
16359 @@ -569,7 +609,7 @@ dotraplinkage void __kprobes do_debug(st
16360         /* It's safe to allow irq's after DR6 has been saved */
16361         preempt_conditional_sti(regs);
16362  
16363 -       if (regs->flags & X86_VM_MASK) {
16364 +       if (v8086_mode(regs)) {
16365                 handle_vm86_trap((struct kernel_vm86_regs *) regs,
16366                                 error_code, 1);
16367                 preempt_conditional_cli(regs);
16368 @@ -583,7 +623,7 @@ dotraplinkage void __kprobes do_debug(st
16369          * We already checked v86 mode above, so we can check for kernel mode
16370          * by just checking the CPL of CS.
16371          */
16372 -       if ((dr6 & DR_STEP) && !user_mode(regs)) {
16373 +       if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
16374                 tsk->thread.debugreg6 &= ~DR_STEP;
16375                 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
16376                 regs->flags &= ~X86_EFLAGS_TF;
16377 @@ -612,7 +652,7 @@ void math_error(struct pt_regs *regs, in
16378                 return;
16379         conditional_sti(regs);
16380  
16381 -       if (!user_mode_vm(regs))
16382 +       if (!user_mode(regs))
16383         {
16384                 if (!fixup_exception(regs)) {
16385                         task->thread.error_code = error_code;
16386 @@ -569,8 +598,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void)
16387  void __math_state_restore(struct task_struct *tsk)
16388  {
16389         /* We need a safe address that is cheap to find and that is already
16390 -          in L1. We've just brought in "tsk->thread.has_fpu", so use that */
16391 -#define safe_address (tsk->thread.has_fpu)
16392 +          in L1. */
16393 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
16394  
16395         /* AMD K7/K8 CPUs don't save/restore FDP/FIP/FOP unless an exception
16396            is pending.  Clear the x87 state here by setting it to fixed
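Review bot: Shortening the comment to `in L1. */` drops the justification for why the chosen address is expected to be cache-hot, so the replacement `init_tss[smp_processor_id()].x86_tss.sp0` now reads as arbitrary. If the reasoning is that the CPU reads sp0 from the current TSS on every user-to-kernel transition, put that in the comment. `smp_processor_id()` also presumes preemption is disabled here; if `__math_state_restore` relies on its callers for that, a one-line precondition note saves the next reader a search. The function continues outside the hunk.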
16397 diff -urNp linux-3.0.9/arch/x86/kernel/verify_cpu.S linux-3.0.9/arch/x86/kernel/verify_cpu.S
16398 --- linux-3.0.9/arch/x86/kernel/verify_cpu.S    2011-11-11 13:12:24.000000000 -0500
16399 +++ linux-3.0.9/arch/x86/kernel/verify_cpu.S    2011-11-15 20:02:59.000000000 -0500
16400 @@ -20,6 +20,7 @@
16401   *     arch/x86/boot/compressed/head_64.S: Boot cpu verification
16402   *     arch/x86/kernel/trampoline_64.S: secondary processor verification
16403   *     arch/x86/kernel/head_32.S: processor startup
16404 + *     arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
16405   *
16406   *     verify_cpu, returns the status of longmode and SSE in register %eax.
16407   *             0: Success    1: Failure
16408 diff -urNp linux-3.0.9/arch/x86/kernel/vm86_32.c linux-3.0.9/arch/x86/kernel/vm86_32.c
16409 --- linux-3.0.9/arch/x86/kernel/vm86_32.c       2011-11-11 13:12:24.000000000 -0500
16410 +++ linux-3.0.9/arch/x86/kernel/vm86_32.c       2011-11-15 20:02:59.000000000 -0500
16411 @@ -41,6 +41,7 @@
16412  #include <linux/ptrace.h>
16413  #include <linux/audit.h>
16414  #include <linux/stddef.h>
16415 +#include <linux/grsecurity.h>
16416  
16417  #include <asm/uaccess.h>
16418  #include <asm/io.h>
16419 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
16420                 do_exit(SIGSEGV);
16421         }
16422  
16423 -       tss = &per_cpu(init_tss, get_cpu());
16424 +       tss = init_tss + get_cpu();
16425         current->thread.sp0 = current->thread.saved_sp0;
16426         current->thread.sysenter_cs = __KERNEL_CS;
16427         load_sp0(tss, &current->thread);
16428 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
16429         struct task_struct *tsk;
16430         int tmp, ret = -EPERM;
16431  
16432 +#ifdef CONFIG_GRKERNSEC_VM86
16433 +       if (!capable(CAP_SYS_RAWIO)) {
16434 +               gr_handle_vm86();
16435 +               goto out;
16436 +       }
16437 +#endif
16438 +
16439         tsk = current;
16440         if (tsk->thread.saved_sp0)
16441                 goto out;
16442 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
16443         int tmp, ret;
16444         struct vm86plus_struct __user *v86;
16445  
16446 +#ifdef CONFIG_GRKERNSEC_VM86
16447 +       if (!capable(CAP_SYS_RAWIO)) {
16448 +               gr_handle_vm86();
16449 +               ret = -EPERM;
16450 +               goto out;
16451 +       }
16452 +#endif
16453 +
16454         tsk = current;
16455         switch (cmd) {
16456         case VM86_REQUEST_IRQ:
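Review bot: In `sys_vm86` the CAP_SYS_RAWIO gate sits before `switch (cmd)`, so the subcommands that never enter v86 mode (the IRQ-handling cases beginning at `VM86_REQUEST_IRQ`, and the install check if this version still has it) are refused as well; that is plausibly the intent — gating the whole interface — but a comment saying so would stop someone "fixing" it later, e.g. `/* without CAP_SYS_RAWIO the entire vm86 interface is refused, including the IRQ and install-check subcommands */`. The block is duplicated almost verbatim in the `sys_vm86old` hunk just above, differing only in the explicit `ret = -EPERM` (which `sys_vm86old` gets from its initializer at the top of its hunk); a shared `static bool` helper that performs the capability test and calls `gr_handle_vm86()` would keep the two entry points in step. Both functions start outside their hunks.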
16457 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
16458         tsk->thread.saved_fs = info->regs32->fs;
16459         tsk->thread.saved_gs = get_user_gs(info->regs32);
16460  
16461 -       tss = &per_cpu(init_tss, get_cpu());
16462 +       tss = init_tss + get_cpu();
16463         tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
16464         if (cpu_has_sep)
16465                 tsk->thread.sysenter_cs = 0;
16466 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
16467                 goto cannot_handle;
16468         if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
16469                 goto cannot_handle;
16470 -       intr_ptr = (unsigned long __user *) (i << 2);
16471 +       intr_ptr = (__force unsigned long __user *) (i << 2);
16472         if (get_user(segoffs, intr_ptr))
16473                 goto cannot_handle;
16474         if ((segoffs >> 16) == BIOSSEG)
16475 diff -urNp linux-3.0.9/arch/x86/kernel/vmlinux.lds.S linux-3.0.9/arch/x86/kernel/vmlinux.lds.S
16476 --- linux-3.0.9/arch/x86/kernel/vmlinux.lds.S   2011-11-11 13:12:24.000000000 -0500
16477 +++ linux-3.0.9/arch/x86/kernel/vmlinux.lds.S   2011-11-15 20:02:59.000000000 -0500
16478 @@ -26,6 +26,13 @@
16479  #include <asm/page_types.h>
16480  #include <asm/cache.h>
16481  #include <asm/boot.h>
16482 +#include <asm/segment.h>
16483 +
16484 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16485 +#define __KERNEL_TEXT_OFFSET   (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
16486 +#else
16487 +#define __KERNEL_TEXT_OFFSET   0
16488 +#endif
16489  
16490  #undef i386     /* in case the preprocessor is a 32bit one */
16491  
16492 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
16493  
16494  PHDRS {
16495         text PT_LOAD FLAGS(5);          /* R_E */
16496 +#ifdef CONFIG_X86_32
16497 +       module PT_LOAD FLAGS(5);        /* R_E */
16498 +#endif
16499 +#ifdef CONFIG_XEN
16500 +       rodata PT_LOAD FLAGS(5);        /* R_E */
16501 +#else
16502 +       rodata PT_LOAD FLAGS(4);        /* R__ */
16503 +#endif
16504         data PT_LOAD FLAGS(6);          /* RW_ */
16505  #ifdef CONFIG_X86_64
16506         user PT_LOAD FLAGS(5);          /* R_E */
16507 +#endif
16508 +       init.begin PT_LOAD FLAGS(6);    /* RW_ */
16509  #ifdef CONFIG_SMP
16510         percpu PT_LOAD FLAGS(6);        /* RW_ */
16511  #endif
16512 +       text.init PT_LOAD FLAGS(5);     /* R_E */
16513 +       text.exit PT_LOAD FLAGS(5);     /* R_E */
16514         init PT_LOAD FLAGS(7);          /* RWE */
16515 -#endif
16516         note PT_NOTE FLAGS(0);          /* ___ */
16517  }
16518  
16519  SECTIONS
16520  {
16521  #ifdef CONFIG_X86_32
16522 -        . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
16523 -        phys_startup_32 = startup_32 - LOAD_OFFSET;
16524 +       . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
16525  #else
16526 -        . = __START_KERNEL;
16527 -        phys_startup_64 = startup_64 - LOAD_OFFSET;
16528 +       . = __START_KERNEL;
16529  #endif
16530  
16531         /* Text and read-only data */
16532 -       .text :  AT(ADDR(.text) - LOAD_OFFSET) {
16533 -               _text = .;
16534 +       .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16535                 /* bootstrapping code */
16536 +#ifdef CONFIG_X86_32
16537 +               phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16538 +#else
16539 +               phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16540 +#endif
16541 +               __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16542 +               _text = .;
16543                 HEAD_TEXT
16544  #ifdef CONFIG_X86_32
16545                 . = ALIGN(PAGE_SIZE);
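Review bot: Under `CONFIG_XEN` the new `rodata` program header is declared `PT_LOAD FLAGS(5)` (R_E), so the read-only data this hunk moves out of the executable `text` segment becomes executable again on Xen builds; a separate non-executable rodata segment is the point of the split, so the exception needs its reason recorded at the `#ifdef CONFIG_XEN`, e.g. `/* Xen: TODO state why rodata must be R_E here (hypervisor mapping constraint?) */`. Without it a reader will assume the flag is a copy-paste of the `text` line above.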
16546 @@ -109,13 +131,47 @@ SECTIONS
16547                 IRQENTRY_TEXT
16548                 *(.fixup)
16549                 *(.gnu.warning)
16550 -               /* End of text section */
16551 -               _etext = .;
16552         } :text = 0x9090
16553  
16554 -       NOTES :text :note
16555 +       . += __KERNEL_TEXT_OFFSET;
16556 +
16557 +#ifdef CONFIG_X86_32
16558 +       . = ALIGN(PAGE_SIZE);
16559 +       .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
16560 +
16561 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
16562 +               MODULES_EXEC_VADDR = .;
16563 +               BYTE(0)
16564 +               . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
16565 +               . = ALIGN(HPAGE_SIZE);
16566 +               MODULES_EXEC_END = . - 1;
16567 +#endif
16568 +
16569 +       } :module
16570 +#endif
16571 +
16572 +       .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
16573 +               /* End of text section */
16574 +               _etext = . - __KERNEL_TEXT_OFFSET;
16575 +       }
16576 +
16577 +#ifdef CONFIG_X86_32
16578 +       . = ALIGN(PAGE_SIZE);
16579 +       .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
16580 +               *(.idt)
16581 +               . = ALIGN(PAGE_SIZE);
16582 +               *(.empty_zero_page)
16583 +               *(.initial_pg_fixmap)
16584 +               *(.initial_pg_pmd)
16585 +               *(.initial_page_table)
16586 +               *(.swapper_pg_dir)
16587 +       } :rodata
16588 +#endif
16589 +
16590 +       . = ALIGN(PAGE_SIZE);
16591 +       NOTES :rodata :note
16592  
16593 -       EXCEPTION_TABLE(16) :text = 0x9090
16594 +       EXCEPTION_TABLE(16) :rodata
16595  
16596  #if defined(CONFIG_DEBUG_RODATA)
16597         /* .text should occupy whole number of pages */
16598 @@ -127,16 +183,20 @@ SECTIONS
16599  
16600         /* Data */
16601         .data : AT(ADDR(.data) - LOAD_OFFSET) {
16602 +
16603 +#ifdef CONFIG_PAX_KERNEXEC
16604 +               . = ALIGN(HPAGE_SIZE);
16605 +#else
16606 +               . = ALIGN(PAGE_SIZE);
16607 +#endif
16608 +
16609                 /* Start of data section */
16610                 _sdata = .;
16611  
16612                 /* init_task */
16613                 INIT_TASK_DATA(THREAD_SIZE)
16614  
16615 -#ifdef CONFIG_X86_32
16616 -               /* 32 bit has nosave before _edata */
16617                 NOSAVE_DATA
16618 -#endif
16619  
16620                 PAGE_ALIGNED_DATA(PAGE_SIZE)
16621  
16622 @@ -208,12 +268,19 @@ SECTIONS
16623  #endif /* CONFIG_X86_64 */
16624  
16625         /* Init code and data - will be freed after init */
16626 -       . = ALIGN(PAGE_SIZE);
16627         .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
16628 +               BYTE(0)
16629 +
16630 +#ifdef CONFIG_PAX_KERNEXEC
16631 +               . = ALIGN(HPAGE_SIZE);
16632 +#else
16633 +               . = ALIGN(PAGE_SIZE);
16634 +#endif
16635 +
16636                 __init_begin = .; /* paired with __init_end */
16637 -       }
16638 +       } :init.begin
16639  
16640 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
16641 +#ifdef CONFIG_SMP
16642         /*
16643          * percpu offsets are zero-based on SMP.  PERCPU_VADDR() changes the
16644          * output PHDR, so the next output section - .init.text - should
16645 @@ -222,12 +289,27 @@ SECTIONS
16646         PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
16647  #endif
16648  
16649 -       INIT_TEXT_SECTION(PAGE_SIZE)
16650 -#ifdef CONFIG_X86_64
16651 -       :init
16652 -#endif
16653 +       . = ALIGN(PAGE_SIZE);
16654 +       init_begin = .;
16655 +       .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
16656 +               VMLINUX_SYMBOL(_sinittext) = .;
16657 +               INIT_TEXT
16658 +               VMLINUX_SYMBOL(_einittext) = .;
16659 +               . = ALIGN(PAGE_SIZE);
16660 +       } :text.init
16661  
16662 -       INIT_DATA_SECTION(16)
16663 +       /*
16664 +        * .exit.text is discard at runtime, not link time, to deal with
16665 +        *  references from .altinstructions and .eh_frame
16666 +        */
16667 +       .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16668 +               EXIT_TEXT
16669 +               . = ALIGN(16);
16670 +       } :text.exit
16671 +       . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
16672 +
16673 +       . = ALIGN(PAGE_SIZE);
16674 +       INIT_DATA_SECTION(16) :init
16675  
16676         /*
16677          * Code and data for a variety of lowlevel trampolines, to be
16678 @@ -301,19 +383,12 @@ SECTIONS
16679         }
16680  
16681         . = ALIGN(8);
16682 -       /*
16683 -        * .exit.text is discard at runtime, not link time, to deal with
16684 -        *  references from .altinstructions and .eh_frame
16685 -        */
16686 -       .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
16687 -               EXIT_TEXT
16688 -       }
16689  
16690         .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
16691                 EXIT_DATA
16692         }
16693  
16694 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
16695 +#ifndef CONFIG_SMP
16696         PERCPU_SECTION(INTERNODE_CACHE_BYTES)
16697  #endif
16698  
16699 @@ -332,16 +407,10 @@ SECTIONS
16700         .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
16701                 __smp_locks = .;
16702                 *(.smp_locks)
16703 -               . = ALIGN(PAGE_SIZE);
16704                 __smp_locks_end = .;
16705 +               . = ALIGN(PAGE_SIZE);
16706         }
16707  
16708 -#ifdef CONFIG_X86_64
16709 -       .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
16710 -               NOSAVE_DATA
16711 -       }
16712 -#endif
16713 -
16714         /* BSS */
16715         . = ALIGN(PAGE_SIZE);
16716         .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
16717 @@ -357,6 +426,7 @@ SECTIONS
16718                 __brk_base = .;
16719                 . += 64 * 1024;         /* 64k alignment slop space */
16720                 *(.brk_reservation)     /* areas brk users have reserved */
16721 +               . = ALIGN(HPAGE_SIZE);
16722                 __brk_limit = .;
16723         }
16724  
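Review bot: The added `. = ALIGN(HPAGE_SIZE);` before `__brk_limit` is unconditional, whereas the other HPAGE_SIZE alignments introduced in this file (the `.data` and `.init.begin` hunks) are wrapped in `#ifdef CONFIG_PAX_KERNEXEC` with a `PAGE_SIZE` fallback. If the brk reservation only needs huge-page alignment when KERNEXEC maps kernel memory with large pages, guard it the same way; if it is needed regardless, a one-line comment saying why would explain the inconsistency. The enclosing `.bss` section is cut at the hunk edge.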
16725 @@ -383,13 +453,12 @@ SECTIONS
16726   * for the boot processor.
16727   */
16728  #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
16729 -INIT_PER_CPU(gdt_page);
16730  INIT_PER_CPU(irq_stack_union);
16731  
16732  /*
16733   * Build-time check on the image size:
16734   */
16735 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
16736 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
16737            "kernel image bigger than KERNEL_IMAGE_SIZE");
16738  
16739  #ifdef CONFIG_SMP
16740 diff -urNp linux-3.0.9/arch/x86/kernel/vsyscall_64.c linux-3.0.9/arch/x86/kernel/vsyscall_64.c
16741 --- linux-3.0.9/arch/x86/kernel/vsyscall_64.c   2011-11-11 13:12:24.000000000 -0500
16742 +++ linux-3.0.9/arch/x86/kernel/vsyscall_64.c   2011-11-15 20:02:59.000000000 -0500
16743 @@ -53,7 +53,7 @@ DEFINE_VVAR(int, vgetcpu_mode);
16744  DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
16745  {
16746         .lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
16747 -       .sysctl_enabled = 1,
16748 +       .sysctl_enabled = 0,
16749  };
16750  
16751  void update_vsyscall_tz(void)
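Review bot: Neither this hunk nor the one at @@ -231 in the same file records why `.sysctl_enabled` now defaults to 0 and why the `vsyscall64` sysctl mode drops to 0444; read on its own, the second change looks like a typo. Because the sysctl permission check derives root's rights from the owner bits rather than from DAC override, 0444 means the knob cannot be re-enabled at runtime by anyone, which is presumably the intent for a page that sits at a fixed address. A one-line comment at the initializer, `.sysctl_enabled = 0, /* vsyscall page stays off; the sysctl is deliberately read-only (0444) */`, ties the two hunks together.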
16752 @@ -231,7 +231,7 @@ static long __vsyscall(3) venosys_1(void
16753  static ctl_table kernel_table2[] = {
16754         { .procname = "vsyscall64",
16755           .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
16756 -         .mode = 0644,
16757 +         .mode = 0444,
16758           .proc_handler = proc_dointvec },
16759         {}
16760  };
16761 diff -urNp linux-3.0.9/arch/x86/kernel/x8664_ksyms_64.c linux-3.0.9/arch/x86/kernel/x8664_ksyms_64.c
16762 --- linux-3.0.9/arch/x86/kernel/x8664_ksyms_64.c        2011-11-11 13:12:24.000000000 -0500
16763 +++ linux-3.0.9/arch/x86/kernel/x8664_ksyms_64.c        2011-11-15 20:02:59.000000000 -0500
16764 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
16765  EXPORT_SYMBOL(copy_user_generic_string);
16766  EXPORT_SYMBOL(copy_user_generic_unrolled);
16767  EXPORT_SYMBOL(__copy_user_nocache);
16768 -EXPORT_SYMBOL(_copy_from_user);
16769 -EXPORT_SYMBOL(_copy_to_user);
16770  
16771  EXPORT_SYMBOL(copy_page);
16772  EXPORT_SYMBOL(clear_page);
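Review bot: Dropping the `EXPORT_SYMBOL` lines for `_copy_from_user` and `_copy_to_user` leaves any module that still resolves those names unable to load unless another part of the patch supplies a replacement, and nothing in this hunk shows one. If the intent is that modules now reach user copies only through differently named helpers, a short comment where the two lines were, `/* _copy_{from,to}_user are intentionally not exported to modules */`, makes the omission visibly deliberate rather than an accident to be "fixed" later.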
16773 diff -urNp linux-3.0.9/arch/x86/kernel/xsave.c linux-3.0.9/arch/x86/kernel/xsave.c
16774 --- linux-3.0.9/arch/x86/kernel/xsave.c 2011-11-11 13:12:24.000000000 -0500
16775 +++ linux-3.0.9/arch/x86/kernel/xsave.c 2011-11-15 20:02:59.000000000 -0500
16776 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
16777             fx_sw_user->xstate_size > fx_sw_user->extended_size)
16778                 return -EINVAL;
16779  
16780 -       err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
16781 +       err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
16782                                             fx_sw_user->extended_size -
16783                                             FP_XSTATE_MAGIC2_SIZE));
16784         if (err)
16785 @@ -267,7 +267,7 @@ fx_only:
16786          * the other extended state.
16787          */
16788         xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
16789 -       return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
16790 +       return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
16791  }
16792  
16793  /*
16794 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
16795         if (use_xsave())
16796                 err = restore_user_xstate(buf);
16797         else
16798 -               err = fxrstor_checking((__force struct i387_fxsave_struct *)
16799 +               err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *)
16800                                        buf);
16801         if (unlikely(err)) {
16802                 /*
16803 diff -urNp linux-3.0.9/arch/x86/kvm/emulate.c linux-3.0.9/arch/x86/kvm/emulate.c
16804 --- linux-3.0.9/arch/x86/kvm/emulate.c  2011-11-11 13:12:24.000000000 -0500
16805 +++ linux-3.0.9/arch/x86/kvm/emulate.c  2011-11-15 20:02:59.000000000 -0500
16806 @@ -96,7 +96,7 @@
16807  #define Src2ImmByte (2<<29)
16808  #define Src2One     (3<<29)
16809  #define Src2Imm     (4<<29)
16810 -#define Src2Mask    (7<<29)
16811 +#define Src2Mask    (7U<<29)
16812  
16813  #define X2(x...) x, x
16814  #define X3(x...) X2(x), x
16815 @@ -207,6 +207,7 @@ struct gprefix {
16816  
16817  #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
16818         do {                                                            \
16819 +               unsigned long _tmp;                                     \
16820                 __asm__ __volatile__ (                                  \
16821                         _PRE_EFLAGS("0", "4", "2")                      \
16822                         _op _suffix " %"_x"3,%1; "                      \
16823 @@ -220,8 +221,6 @@ struct gprefix {
16824  /* Raw emulation: instruction has two explicit operands. */
16825  #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
16826         do {                                                            \
16827 -               unsigned long _tmp;                                     \
16828 -                                                                       \
16829                 switch ((_dst).bytes) {                                 \
16830                 case 2:                                                 \
16831                         ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
16832 @@ -237,7 +236,6 @@ struct gprefix {
16833  
16834  #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
16835         do {                                                                 \
16836 -               unsigned long _tmp;                                          \
16837                 switch ((_dst).bytes) {                                      \
16838                 case 1:                                                      \
16839                         ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
16840 diff -urNp linux-3.0.9/arch/x86/kvm/lapic.c linux-3.0.9/arch/x86/kvm/lapic.c
16841 --- linux-3.0.9/arch/x86/kvm/lapic.c    2011-11-11 13:12:24.000000000 -0500
16842 +++ linux-3.0.9/arch/x86/kvm/lapic.c    2011-11-15 20:02:59.000000000 -0500
16843 @@ -53,7 +53,7 @@
16844  #define APIC_BUS_CYCLE_NS 1
16845  
16846  /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
16847 -#define apic_debug(fmt, arg...)
16848 +#define apic_debug(fmt, arg...) do {} while (0)
16849  
16850  #define APIC_LVT_NUM                   6
16851  /* 14 is the version for Xeon and Pentium 8.4.8*/
16852 diff -urNp linux-3.0.9/arch/x86/kvm/mmu.c linux-3.0.9/arch/x86/kvm/mmu.c
16853 --- linux-3.0.9/arch/x86/kvm/mmu.c      2011-11-11 13:12:24.000000000 -0500
16854 +++ linux-3.0.9/arch/x86/kvm/mmu.c      2011-11-15 20:02:59.000000000 -0500
16855 @@ -3238,7 +3238,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16856  
16857         pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
16858  
16859 -       invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
16860 +       invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
16861  
16862         /*
16863          * Assume that the pte write on a page table of the same type
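Review bot: The switch to `atomic_read_unchecked()` on `invlpg_counter` is not explained here, in the second mmu.c hunk, or in the paging_tmpl.h `invlpg` hunk that moves the increment to `atomic_inc_unchecked()`. The visible uses only compare the value against a snapshot taken before `mmu_lock` is acquired, so wrap-around is harmless and an overflow trap would be wrong; that reasoning belongs on the first use: `/* generation counter, only compared for change: wrap-around is fine, so skip the refcount overflow check */`.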
16864 @@ -3270,7 +3270,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16865         }
16866  
16867         spin_lock(&vcpu->kvm->mmu_lock);
16868 -       if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16869 +       if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16870                 gentry = 0;
16871         kvm_mmu_free_some_pages(vcpu);
16872         ++vcpu->kvm->stat.mmu_pte_write;
16873 diff -urNp linux-3.0.9/arch/x86/kvm/paging_tmpl.h linux-3.0.9/arch/x86/kvm/paging_tmpl.h
16874 --- linux-3.0.9/arch/x86/kvm/paging_tmpl.h      2011-11-11 13:12:24.000000000 -0500
16875 +++ linux-3.0.9/arch/x86/kvm/paging_tmpl.h      2011-11-15 20:02:59.000000000 -0500
16876 @@ -182,7 +182,7 @@ walk:
16877                         break;
16878                 }
16879  
16880 -               ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
16881 +               ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
16882                 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte)))) {
16883                         present = false;
16884                         break;
16885 @@ -583,6 +583,8 @@ static int FNAME(page_fault)(struct kvm_
16886         unsigned long mmu_seq;
16887         bool map_writable;
16888  
16889 +       pax_track_stack();
16890 +
16891         pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
16892  
16893         r = mmu_topup_memory_caches(vcpu);
16894 @@ -703,7 +705,7 @@ static void FNAME(invlpg)(struct kvm_vcp
16895         if (need_flush)
16896                 kvm_flush_remote_tlbs(vcpu->kvm);
16897  
16898 -       atomic_inc(&vcpu->kvm->arch.invlpg_counter);
16899 +       atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
16900  
16901         spin_unlock(&vcpu->kvm->mmu_lock);
16902  
16903 diff -urNp linux-3.0.9/arch/x86/kvm/svm.c linux-3.0.9/arch/x86/kvm/svm.c
16904 --- linux-3.0.9/arch/x86/kvm/svm.c      2011-11-11 13:12:24.000000000 -0500
16905 +++ linux-3.0.9/arch/x86/kvm/svm.c      2011-11-15 20:02:59.000000000 -0500
16906 @@ -3377,7 +3377,11 @@ static void reload_tss(struct kvm_vcpu *
16907         int cpu = raw_smp_processor_id();
16908  
16909         struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
16910 +
16911 +       pax_open_kernel();
16912         sd->tss_desc->type = 9; /* available 32/64-bit TSS */
16913 +       pax_close_kernel();
16914 +
16915         load_TR_desc();
16916  }
16917  
16918 @@ -3755,6 +3759,10 @@ static void svm_vcpu_run(struct kvm_vcpu
16919  #endif
16920  #endif
16921  
16922 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16923 +       __set_fs(current_thread_info()->addr_limit);
16924 +#endif
16925 +
16926         reload_tss(vcpu);
16927  
16928         local_irq_disable();
16929 diff -urNp linux-3.0.9/arch/x86/kvm/vmx.c linux-3.0.9/arch/x86/kvm/vmx.c
16930 --- linux-3.0.9/arch/x86/kvm/vmx.c      2011-11-11 13:12:24.000000000 -0500
16931 +++ linux-3.0.9/arch/x86/kvm/vmx.c      2011-11-15 20:02:59.000000000 -0500
16932 @@ -797,7 +797,11 @@ static void reload_tss(void)
16933         struct desc_struct *descs;
16934  
16935         descs = (void *)gdt->address;
16936 +
16937 +       pax_open_kernel();
16938         descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
16939 +       pax_close_kernel();
16940 +
16941         load_TR_desc();
16942  }
16943  
16944 @@ -1747,8 +1751,11 @@ static __init int hardware_setup(void)
16945         if (!cpu_has_vmx_flexpriority())
16946                 flexpriority_enabled = 0;
16947  
16948 -       if (!cpu_has_vmx_tpr_shadow())
16949 -               kvm_x86_ops->update_cr8_intercept = NULL;
16950 +       if (!cpu_has_vmx_tpr_shadow()) {
16951 +               pax_open_kernel();
16952 +               *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
16953 +               pax_close_kernel();
16954 +       }
16955  
16956         if (enable_ept && !cpu_has_vmx_ept_2m_page())
16957                 kvm_disable_largepages();
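Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts away both the qualifier and the function-pointer type, and the hunk does not say why the plain assignment it replaces no longer compiles. Presumably `struct kvm_x86_ops` is now read-only and the `pax_open_kernel()`/`pax_close_kernel()` pair is what makes the store legal; a comment on the cast, `/* kvm_x86_ops is read-only after constification: write it only inside the open/close window */`, keeps the next reader from simplifying it back to a direct assignment that would then fail at build or at run time.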
16958 @@ -2814,7 +2821,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
16959         vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
16960  
16961         asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
16962 -       vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
16963 +       vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
16964         vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
16965         vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
16966         vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
16967 @@ -4211,6 +4218,12 @@ static void __noclone vmx_vcpu_run(struc
16968                 "jmp .Lkvm_vmx_return \n\t"
16969                 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
16970                 ".Lkvm_vmx_return: "
16971 +
16972 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16973 +               "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
16974 +               ".Lkvm_vmx_return2: "
16975 +#endif
16976 +
16977                 /* Save guest registers, load host registers, keep flags */
16978                 "mov %0, %c[wordsize](%%"R"sp) \n\t"
16979                 "pop %0 \n\t"
16980 @@ -4259,6 +4272,11 @@ static void __noclone vmx_vcpu_run(struc
16981  #endif
16982                 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
16983                 [wordsize]"i"(sizeof(ulong))
16984 +
16985 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16986 +               ,[cs]"i"(__KERNEL_CS)
16987 +#endif
16988 +
16989               : "cc", "memory"
16990                 , R"ax", R"bx", R"di", R"si"
16991  #ifdef CONFIG_X86_64
16992 @@ -4276,7 +4294,16 @@ static void __noclone vmx_vcpu_run(struc
16993  
16994         vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
16995  
16996 -       asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
16997 +       asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
16998 +
16999 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17000 +       loadsegment(fs, __KERNEL_PERCPU);
17001 +#endif
17002 +
17003 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17004 +       __set_fs(current_thread_info()->addr_limit);
17005 +#endif
17006 +
17007         vmx->launched = 1;
17008  
17009         vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
17010 diff -urNp linux-3.0.9/arch/x86/kvm/x86.c linux-3.0.9/arch/x86/kvm/x86.c
17011 --- linux-3.0.9/arch/x86/kvm/x86.c      2011-11-11 13:12:24.000000000 -0500
17012 +++ linux-3.0.9/arch/x86/kvm/x86.c      2011-11-15 20:02:59.000000000 -0500
17013 @@ -1313,8 +1313,8 @@ static int xen_hvm_config(struct kvm_vcp
17014  {
17015         struct kvm *kvm = vcpu->kvm;
17016         int lm = is_long_mode(vcpu);
17017 -       u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
17018 -               : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
17019 +       u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
17020 +               : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
17021         u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
17022                 : kvm->arch.xen_hvm_config.blob_size_32;
17023         u32 page_num = data & ~PAGE_MASK;
17024 @@ -2057,6 +2057,8 @@ long kvm_arch_dev_ioctl(struct file *fil
17025                 if (n < msr_list.nmsrs)
17026                         goto out;
17027                 r = -EFAULT;
17028 +               if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
17029 +                       goto out;
17030                 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
17031                                  num_msrs_to_save * sizeof(u32)))
17032                         goto out;
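Review bot: The new bound check sits after `r = -EFAULT;`, so a `num_msrs_to_save` larger than `msrs_to_save` — a kernel-side invariant violation, not a bad user pointer — is reported to user space as a plain EFAULT and never logged. Move it above that line with its own code and a warning, `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save))) { r = -EIO; goto out; }`, so the overrun shows up in the log once instead of masquerading as a copy failure. kvm_arch_dev_ioctl begins and ends outside the hunk.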
17033 @@ -2229,15 +2231,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
17034                                      struct kvm_cpuid2 *cpuid,
17035                                      struct kvm_cpuid_entry2 __user *entries)
17036  {
17037 -       int r;
17038 +       int r, i;
17039  
17040         r = -E2BIG;
17041         if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
17042                 goto out;
17043         r = -EFAULT;
17044 -       if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
17045 -                          cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17046 +       if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17047                 goto out;
17048 +       for (i = 0; i < cpuid->nent; ++i) {
17049 +               struct kvm_cpuid_entry2 cpuid_entry;
17050 +               if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
17051 +                       goto out;
17052 +               vcpu->arch.cpuid_entries[i] = cpuid_entry;
17053 +       }
17054         vcpu->arch.cpuid_nent = cpuid->nent;
17055         kvm_apic_set_version(vcpu);
17056         kvm_x86_ops->cpuid_update(vcpu);
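Review bot: The per-entry loop copies each `struct kvm_cpuid_entry2` into a stack temporary and then assigns it into `vcpu->arch.cpuid_entries[i]`, but nothing says why the single bulk `copy_from_user()` it replaces was unacceptable, so a later reader will collapse it back. Presumably the point is that the array embedded in the vcpu object is not an allowed destination for the patch's usercopy checking while a stack object is; that should be stated above the loop, e.g. `/* copy entry by entry through a stack temporary: the embedded cpuid_entries array is not a permitted usercopy target */`. The mirror loop in kvm_vcpu_ioctl_get_cpuid2 in the next hunk needs the same comment. Both functions continue outside their hunks.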
17057 @@ -2252,15 +2259,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
17058                                      struct kvm_cpuid2 *cpuid,
17059                                      struct kvm_cpuid_entry2 __user *entries)
17060  {
17061 -       int r;
17062 +       int r, i;
17063  
17064         r = -E2BIG;
17065         if (cpuid->nent < vcpu->arch.cpuid_nent)
17066                 goto out;
17067         r = -EFAULT;
17068 -       if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
17069 -                        vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17070 +       if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17071                 goto out;
17072 +       for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
17073 +               struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
17074 +               if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
17075 +                       goto out;
17076 +       }
17077         return 0;
17078  
17079  out:
17080 @@ -2579,7 +2590,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
17081  static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
17082                                     struct kvm_interrupt *irq)
17083  {
17084 -       if (irq->irq < 0 || irq->irq >= 256)
17085 +       if (irq->irq >= 256)
17086                 return -EINVAL;
17087         if (irqchip_in_kernel(vcpu->kvm))
17088                 return -ENXIO;
17089 @@ -4878,7 +4889,7 @@ void kvm_after_handle_nmi(struct kvm_vcp
17090  }
17091  EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
17092  
17093 -int kvm_arch_init(void *opaque)
17094 +int kvm_arch_init(const void *opaque)
17095  {
17096         int r;
17097         struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
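Review bot: The new `const void *opaque` is cast straight back to `struct kvm_x86_ops *` on the next line, so the added qualifier documents nothing and the cast now discards it silently. If the function only reads through `ops`, `const struct kvm_x86_ops *ops = opaque;` needs no cast and lets the compiler check that; if a later statement really writes through it, a comment on the cast saying so is the minimum. The rest of kvm_arch_init is outside the hunk, so I cannot tell which case applies.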
17098 diff -urNp linux-3.0.9/arch/x86/lguest/boot.c linux-3.0.9/arch/x86/lguest/boot.c
17099 --- linux-3.0.9/arch/x86/lguest/boot.c  2011-11-11 13:12:24.000000000 -0500
17100 +++ linux-3.0.9/arch/x86/lguest/boot.c  2011-11-15 20:02:59.000000000 -0500
17101 @@ -1176,9 +1176,10 @@ static __init int early_put_chars(u32 vt
17102   * Rebooting also tells the Host we're finished, but the RESTART flag tells the
17103   * Launcher to reboot us.
17104   */
17105 -static void lguest_restart(char *reason)
17106 +static __noreturn void lguest_restart(char *reason)
17107  {
17108         hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
17109 +       BUG();
17110  }
17111  
17112  /*G:050
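Review bot: The `BUG()` after the shutdown hypercall is what makes the new `__noreturn` truthful, but on its own it reads like a reachable failure path. A comment on that line, `/* the Host never returns from LHCALL_SHUTDOWN; BUG() satisfies __noreturn */`, says why it is there.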
17113 diff -urNp linux-3.0.9/arch/x86/lib/atomic64_32.c linux-3.0.9/arch/x86/lib/atomic64_32.c
17114 --- linux-3.0.9/arch/x86/lib/atomic64_32.c      2011-11-11 13:12:24.000000000 -0500
17115 +++ linux-3.0.9/arch/x86/lib/atomic64_32.c      2011-11-15 20:02:59.000000000 -0500
17116 @@ -8,18 +8,30 @@
17117  
17118  long long atomic64_read_cx8(long long, const atomic64_t *v);
17119  EXPORT_SYMBOL(atomic64_read_cx8);
17120 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
17121 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
17122  long long atomic64_set_cx8(long long, const atomic64_t *v);
17123  EXPORT_SYMBOL(atomic64_set_cx8);
17124 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
17125 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
17126  long long atomic64_xchg_cx8(long long, unsigned high);
17127  EXPORT_SYMBOL(atomic64_xchg_cx8);
17128  long long atomic64_add_return_cx8(long long a, atomic64_t *v);
17129  EXPORT_SYMBOL(atomic64_add_return_cx8);
17130 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17131 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
17132  long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
17133  EXPORT_SYMBOL(atomic64_sub_return_cx8);
17134 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17135 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
17136  long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
17137  EXPORT_SYMBOL(atomic64_inc_return_cx8);
17138 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17139 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
17140  long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
17141  EXPORT_SYMBOL(atomic64_dec_return_cx8);
17142 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17143 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
17144  long long atomic64_dec_if_positive_cx8(atomic64_t *v);
17145  EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
17146  int atomic64_inc_not_zero_cx8(atomic64_t *v);
17147 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
17148  #ifndef CONFIG_X86_CMPXCHG64
17149  long long atomic64_read_386(long long, const atomic64_t *v);
17150  EXPORT_SYMBOL(atomic64_read_386);
17151 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
17152 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
17153  long long atomic64_set_386(long long, const atomic64_t *v);
17154  EXPORT_SYMBOL(atomic64_set_386);
17155 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
17156 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
17157  long long atomic64_xchg_386(long long, unsigned high);
17158  EXPORT_SYMBOL(atomic64_xchg_386);
17159  long long atomic64_add_return_386(long long a, atomic64_t *v);
17160  EXPORT_SYMBOL(atomic64_add_return_386);
17161 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17162 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
17163  long long atomic64_sub_return_386(long long a, atomic64_t *v);
17164  EXPORT_SYMBOL(atomic64_sub_return_386);
17165 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17166 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
17167  long long atomic64_inc_return_386(long long a, atomic64_t *v);
17168  EXPORT_SYMBOL(atomic64_inc_return_386);
17169 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17170 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
17171  long long atomic64_dec_return_386(long long a, atomic64_t *v);
17172  EXPORT_SYMBOL(atomic64_dec_return_386);
17173 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17174 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
17175  long long atomic64_add_386(long long a, atomic64_t *v);
17176  EXPORT_SYMBOL(atomic64_add_386);
17177 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
17178 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
17179  long long atomic64_sub_386(long long a, atomic64_t *v);
17180  EXPORT_SYMBOL(atomic64_sub_386);
17181 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
17182 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
17183  long long atomic64_inc_386(long long a, atomic64_t *v);
17184  EXPORT_SYMBOL(atomic64_inc_386);
17185 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
17186 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
17187  long long atomic64_dec_386(long long a, atomic64_t *v);
17188  EXPORT_SYMBOL(atomic64_dec_386);
17189 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
17190 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
17191  long long atomic64_dec_if_positive_386(atomic64_t *v);
17192  EXPORT_SYMBOL(atomic64_dec_if_positive_386);
17193  int atomic64_inc_not_zero_386(atomic64_t *v);
17194 diff -urNp linux-3.0.9/arch/x86/lib/atomic64_386_32.S linux-3.0.9/arch/x86/lib/atomic64_386_32.S
17195 --- linux-3.0.9/arch/x86/lib/atomic64_386_32.S  2011-11-11 13:12:24.000000000 -0500
17196 +++ linux-3.0.9/arch/x86/lib/atomic64_386_32.S  2011-11-15 20:02:59.000000000 -0500
17197 @@ -48,6 +48,10 @@ BEGIN(read)
17198         movl  (v), %eax
17199         movl 4(v), %edx
17200  RET_ENDP
17201 +BEGIN(read_unchecked)
17202 +       movl  (v), %eax
17203 +       movl 4(v), %edx
17204 +RET_ENDP
17205  #undef v
17206  
17207  #define v %esi
17208 @@ -55,6 +59,10 @@ BEGIN(set)
17209         movl %ebx,  (v)
17210         movl %ecx, 4(v)
17211  RET_ENDP
17212 +BEGIN(set_unchecked)
17213 +       movl %ebx,  (v)
17214 +       movl %ecx, 4(v)
17215 +RET_ENDP
17216  #undef v
17217  
17218  #define v  %esi
17219 @@ -70,6 +78,20 @@ RET_ENDP
17220  BEGIN(add)
17221         addl %eax,  (v)
17222         adcl %edx, 4(v)
17223 +
17224 +#ifdef CONFIG_PAX_REFCOUNT
17225 +       jno 0f
17226 +       subl %eax,  (v)
17227 +       sbbl %edx, 4(v)
17228 +       int $4
17229 +0:
17230 +       _ASM_EXTABLE(0b, 0b)
17231 +#endif
17232 +
17233 +RET_ENDP
17234 +BEGIN(add_unchecked)
17235 +       addl %eax,  (v)
17236 +       adcl %edx, 4(v)
17237  RET_ENDP
17238  #undef v
17239  
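Review bot: The in-place `add` path checks overflow after the memory update with `jno`, undoes the write with `subl`/`sbbl`, then raises `int $4`, while the `add_return` hunk that follows uses `into` before the store and skips the store through the exception table; both are sound as far as the hunks show, but the asymmetry is unexplained and the self-targeting `_ASM_EXTABLE(0b, 0b)` looks like a typo at first glance. A comment above the first block, `/* PAX_REFCOUNT: on signed overflow restore the old value, raise #OF, resume at 0: */`, and in the `_return` variants `/* into traps before the store; the fixup skips the write and leaves eax:edx holding the overflowed result */`, would cover every instance (sub, inc, dec and their _return forms, add_unless, inc_not_zero, dec_if_positive).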
17240 @@ -77,6 +99,24 @@ RET_ENDP
17241  BEGIN(add_return)
17242         addl  (v), %eax
17243         adcl 4(v), %edx
17244 +
17245 +#ifdef CONFIG_PAX_REFCOUNT
17246 +       into
17247 +1234:
17248 +       _ASM_EXTABLE(1234b, 2f)
17249 +#endif
17250 +
17251 +       movl %eax,  (v)
17252 +       movl %edx, 4(v)
17253 +
17254 +#ifdef CONFIG_PAX_REFCOUNT
17255 +2:
17256 +#endif
17257 +
17258 +RET_ENDP
17259 +BEGIN(add_return_unchecked)
17260 +       addl  (v), %eax
17261 +       adcl 4(v), %edx
17262         movl %eax,  (v)
17263         movl %edx, 4(v)
17264  RET_ENDP
17265 @@ -86,6 +126,20 @@ RET_ENDP
17266  BEGIN(sub)
17267         subl %eax,  (v)
17268         sbbl %edx, 4(v)
17269 +
17270 +#ifdef CONFIG_PAX_REFCOUNT
17271 +       jno 0f
17272 +       addl %eax,  (v)
17273 +       adcl %edx, 4(v)
17274 +       int $4
17275 +0:
17276 +       _ASM_EXTABLE(0b, 0b)
17277 +#endif
17278 +
17279 +RET_ENDP
17280 +BEGIN(sub_unchecked)
17281 +       subl %eax,  (v)
17282 +       sbbl %edx, 4(v)
17283  RET_ENDP
17284  #undef v
17285  
17286 @@ -96,6 +150,27 @@ BEGIN(sub_return)
17287         sbbl $0, %edx
17288         addl  (v), %eax
17289         adcl 4(v), %edx
17290 +
17291 +#ifdef CONFIG_PAX_REFCOUNT
17292 +       into
17293 +1234:
17294 +       _ASM_EXTABLE(1234b, 2f)
17295 +#endif
17296 +
17297 +       movl %eax,  (v)
17298 +       movl %edx, 4(v)
17299 +
17300 +#ifdef CONFIG_PAX_REFCOUNT
17301 +2:
17302 +#endif
17303 +
17304 +RET_ENDP
17305 +BEGIN(sub_return_unchecked)
17306 +       negl %edx
17307 +       negl %eax
17308 +       sbbl $0, %edx
17309 +       addl  (v), %eax
17310 +       adcl 4(v), %edx
17311         movl %eax,  (v)
17312         movl %edx, 4(v)
17313  RET_ENDP
17314 @@ -105,6 +180,20 @@ RET_ENDP
17315  BEGIN(inc)
17316         addl $1,  (v)
17317         adcl $0, 4(v)
17318 +
17319 +#ifdef CONFIG_PAX_REFCOUNT
17320 +       jno 0f
17321 +       subl $1,  (v)
17322 +       sbbl $0, 4(v)
17323 +       int $4
17324 +0:
17325 +       _ASM_EXTABLE(0b, 0b)
17326 +#endif
17327 +
17328 +RET_ENDP
17329 +BEGIN(inc_unchecked)
17330 +       addl $1,  (v)
17331 +       adcl $0, 4(v)
17332  RET_ENDP
17333  #undef v
17334  
17335 @@ -114,6 +203,26 @@ BEGIN(inc_return)
17336         movl 4(v), %edx
17337         addl $1, %eax
17338         adcl $0, %edx
17339 +
17340 +#ifdef CONFIG_PAX_REFCOUNT
17341 +       into
17342 +1234:
17343 +       _ASM_EXTABLE(1234b, 2f)
17344 +#endif
17345 +
17346 +       movl %eax,  (v)
17347 +       movl %edx, 4(v)
17348 +
17349 +#ifdef CONFIG_PAX_REFCOUNT
17350 +2:
17351 +#endif
17352 +
17353 +RET_ENDP
17354 +BEGIN(inc_return_unchecked)
17355 +       movl  (v), %eax
17356 +       movl 4(v), %edx
17357 +       addl $1, %eax
17358 +       adcl $0, %edx
17359         movl %eax,  (v)
17360         movl %edx, 4(v)
17361  RET_ENDP
17362 @@ -123,6 +232,20 @@ RET_ENDP
17363  BEGIN(dec)
17364         subl $1,  (v)
17365         sbbl $0, 4(v)
17366 +
17367 +#ifdef CONFIG_PAX_REFCOUNT
17368 +       jno 0f
17369 +       addl $1,  (v)
17370 +       adcl $0, 4(v)
17371 +       int $4
17372 +0:
17373 +       _ASM_EXTABLE(0b, 0b)
17374 +#endif
17375 +
17376 +RET_ENDP
17377 +BEGIN(dec_unchecked)
17378 +       subl $1,  (v)
17379 +       sbbl $0, 4(v)
17380  RET_ENDP
17381  #undef v
17382  
17383 @@ -132,6 +255,26 @@ BEGIN(dec_return)
17384         movl 4(v), %edx
17385         subl $1, %eax
17386         sbbl $0, %edx
17387 +
17388 +#ifdef CONFIG_PAX_REFCOUNT
17389 +       into
17390 +1234:
17391 +       _ASM_EXTABLE(1234b, 2f)
17392 +#endif
17393 +
17394 +       movl %eax,  (v)
17395 +       movl %edx, 4(v)
17396 +
17397 +#ifdef CONFIG_PAX_REFCOUNT
17398 +2:
17399 +#endif
17400 +
17401 +RET_ENDP
17402 +BEGIN(dec_return_unchecked)
17403 +       movl  (v), %eax
17404 +       movl 4(v), %edx
17405 +       subl $1, %eax
17406 +       sbbl $0, %edx
17407         movl %eax,  (v)
17408         movl %edx, 4(v)
17409  RET_ENDP
17410 @@ -143,6 +286,13 @@ BEGIN(add_unless)
17411         adcl %edx, %edi
17412         addl  (v), %eax
17413         adcl 4(v), %edx
17414 +
17415 +#ifdef CONFIG_PAX_REFCOUNT
17416 +       into
17417 +1234:
17418 +       _ASM_EXTABLE(1234b, 2f)
17419 +#endif
17420 +
17421         cmpl %eax, %esi
17422         je 3f
17423  1:
17424 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
17425  1:
17426         addl $1, %eax
17427         adcl $0, %edx
17428 +
17429 +#ifdef CONFIG_PAX_REFCOUNT
17430 +       into
17431 +1234:
17432 +       _ASM_EXTABLE(1234b, 2f)
17433 +#endif
17434 +
17435         movl %eax,  (v)
17436         movl %edx, 4(v)
17437         movl $1, %eax
17438 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
17439         movl 4(v), %edx
17440         subl $1, %eax
17441         sbbl $0, %edx
17442 +
17443 +#ifdef CONFIG_PAX_REFCOUNT
17444 +       into
17445 +1234:
17446 +       _ASM_EXTABLE(1234b, 1f)
17447 +#endif
17448 +
17449         js 1f
17450         movl %eax,  (v)
17451         movl %edx, 4(v)
17452 diff -urNp linux-3.0.9/arch/x86/lib/atomic64_cx8_32.S linux-3.0.9/arch/x86/lib/atomic64_cx8_32.S
17453 --- linux-3.0.9/arch/x86/lib/atomic64_cx8_32.S  2011-11-11 13:12:24.000000000 -0500
17454 +++ linux-3.0.9/arch/x86/lib/atomic64_cx8_32.S  2011-11-15 20:02:59.000000000 -0500
17455 @@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
17456         CFI_STARTPROC
17457  
17458         read64 %ecx
17459 +       pax_force_retaddr
17460         ret
17461         CFI_ENDPROC
17462  ENDPROC(atomic64_read_cx8)
17463  
17464 +ENTRY(atomic64_read_unchecked_cx8)
17465 +       CFI_STARTPROC
17466 +
17467 +       read64 %ecx
17468 +       pax_force_retaddr
17469 +       ret
17470 +       CFI_ENDPROC
17471 +ENDPROC(atomic64_read_unchecked_cx8)
17472 +
17473  ENTRY(atomic64_set_cx8)
17474         CFI_STARTPROC
17475  
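Review bot: `atomic64_read_unchecked_cx8` is a byte-for-byte copy of `atomic64_read_cx8`, and the set hunk below duplicates `atomic64_set_cx8` the same way; a read or a plain store has no overflow to check, so the two variants can never legitimately diverge. Unless distinct symbol bodies matter for the exception table or symbol lookup, an assembler alias, `.globl atomic64_read_unchecked_cx8` followed by `.set atomic64_read_unchecked_cx8, atomic64_read_cx8`, avoids maintaining two copies; if the copies are intentional, a comment saying why is warranted.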
17476 @@ -48,10 +58,25 @@ ENTRY(atomic64_set_cx8)
17477         cmpxchg8b (%esi)
17478         jne 1b
17479  
17480 +       pax_force_retaddr
17481         ret
17482         CFI_ENDPROC
17483  ENDPROC(atomic64_set_cx8)
17484  
17485 +ENTRY(atomic64_set_unchecked_cx8)
17486 +       CFI_STARTPROC
17487 +
17488 +1:
17489 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
17490 + * are atomic on 586 and newer */
17491 +       cmpxchg8b (%esi)
17492 +       jne 1b
17493 +
17494 +       pax_force_retaddr
17495 +       ret
17496 +       CFI_ENDPROC
17497 +ENDPROC(atomic64_set_unchecked_cx8)
17498 +
17499  ENTRY(atomic64_xchg_cx8)
17500         CFI_STARTPROC
17501  
17502 @@ -62,12 +87,13 @@ ENTRY(atomic64_xchg_cx8)
17503         cmpxchg8b (%esi)
17504         jne 1b
17505  
17506 +       pax_force_retaddr
17507         ret
17508         CFI_ENDPROC
17509  ENDPROC(atomic64_xchg_cx8)
17510  
17511 -.macro addsub_return func ins insc
17512 -ENTRY(atomic64_\func\()_return_cx8)
17513 +.macro addsub_return func ins insc unchecked=""
17514 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17515         CFI_STARTPROC
17516         SAVE ebp
17517         SAVE ebx
17518 @@ -84,27 +110,44 @@ ENTRY(atomic64_\func\()_return_cx8)
17519         movl %edx, %ecx
17520         \ins\()l %esi, %ebx
17521         \insc\()l %edi, %ecx
17522 +
17523 +.ifb \unchecked
17524 +#ifdef CONFIG_PAX_REFCOUNT
17525 +       into
17526 +2:
17527 +       _ASM_EXTABLE(2b, 3f)
17528 +#endif
17529 +.endif
17530 +
17531         LOCK_PREFIX
17532         cmpxchg8b (%ebp)
17533         jne 1b
17534 -
17535 -10:
17536         movl %ebx, %eax
17537         movl %ecx, %edx
17538 +
17539 +.ifb \unchecked
17540 +#ifdef CONFIG_PAX_REFCOUNT
17541 +3:
17542 +#endif
17543 +.endif
17544 +
17545         RESTORE edi
17546         RESTORE esi
17547         RESTORE ebx
17548         RESTORE ebp
17549 +       pax_force_retaddr
17550         ret
17551         CFI_ENDPROC
17552 -ENDPROC(atomic64_\func\()_return_cx8)
17553 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17554  .endm
17555  
17556  addsub_return add add adc
17557  addsub_return sub sub sbb
17558 +addsub_return add add adc _unchecked
17559 +addsub_return sub sub sbb _unchecked
17560  
17561 -.macro incdec_return func ins insc
17562 -ENTRY(atomic64_\func\()_return_cx8)
17563 +.macro incdec_return func ins insc unchecked
17564 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17565         CFI_STARTPROC
17566         SAVE ebx
17567  
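Review bot: The `_ASM_EXTABLE(2b, 3f)` entries added in the addsub_return macro rely on `2:` sitting immediately after `into`, which is correct because #OF is a trap and the saved EIP already points past the instruction, but nothing in the file says so; the same placement is used in incdec_return and in the dec_if_positive/add_unless/inc_not_zero hunks below. A comment above the first `into` would keep a future reader from "fixing" the label to precede it, e.g. `/* #OF is a trap: the reported EIP is the byte after into, so the extable key must be label 2 */`. If the handler applies the fixup, execution resumes at `3:` with the overflowed sum still in %edx:%eax and the cmpxchg8b skipped, so the caller receives the wrapped value while memory is untouched — worth stating in the same comment, since it is the visible contract of the checked variants. In atomic64_dec_if_positive_cx8 the `into` sits between `sbb` and `js 2f`, which works only because into leaves the flags intact; that deserves a word too.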
17568 @@ -114,21 +157,39 @@ ENTRY(atomic64_\func\()_return_cx8)
17569         movl %edx, %ecx
17570         \ins\()l $1, %ebx
17571         \insc\()l $0, %ecx
17572 +
17573 +.ifb \unchecked
17574 +#ifdef CONFIG_PAX_REFCOUNT
17575 +       into
17576 +2:
17577 +       _ASM_EXTABLE(2b, 3f)
17578 +#endif
17579 +.endif
17580 +
17581         LOCK_PREFIX
17582         cmpxchg8b (%esi)
17583         jne 1b
17584  
17585 -10:
17586         movl %ebx, %eax
17587         movl %ecx, %edx
17588 +
17589 +.ifb \unchecked
17590 +#ifdef CONFIG_PAX_REFCOUNT
17591 +3:
17592 +#endif
17593 +.endif
17594 +
17595         RESTORE ebx
17596 +       pax_force_retaddr
17597         ret
17598         CFI_ENDPROC
17599 -ENDPROC(atomic64_\func\()_return_cx8)
17600 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17601  .endm
17602  
17603  incdec_return inc add adc
17604  incdec_return dec sub sbb
17605 +incdec_return inc add adc _unchecked
17606 +incdec_return dec sub sbb _unchecked
17607  
17608  ENTRY(atomic64_dec_if_positive_cx8)
17609         CFI_STARTPROC
17610 @@ -140,6 +201,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
17611         movl %edx, %ecx
17612         subl $1, %ebx
17613         sbb $0, %ecx
17614 +
17615 +#ifdef CONFIG_PAX_REFCOUNT
17616 +       into
17617 +1234:
17618 +       _ASM_EXTABLE(1234b, 2f)
17619 +#endif
17620 +
17621         js 2f
17622         LOCK_PREFIX
17623         cmpxchg8b (%esi)
17624 @@ -149,6 +217,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
17625         movl %ebx, %eax
17626         movl %ecx, %edx
17627         RESTORE ebx
17628 +       pax_force_retaddr
17629         ret
17630         CFI_ENDPROC
17631  ENDPROC(atomic64_dec_if_positive_cx8)
17632 @@ -174,6 +243,13 @@ ENTRY(atomic64_add_unless_cx8)
17633         movl %edx, %ecx
17634         addl %esi, %ebx
17635         adcl %edi, %ecx
17636 +
17637 +#ifdef CONFIG_PAX_REFCOUNT
17638 +       into
17639 +1234:
17640 +       _ASM_EXTABLE(1234b, 3f)
17641 +#endif
17642 +
17643         LOCK_PREFIX
17644         cmpxchg8b (%ebp)
17645         jne 1b
17646 @@ -184,6 +260,7 @@ ENTRY(atomic64_add_unless_cx8)
17647         CFI_ADJUST_CFA_OFFSET -8
17648         RESTORE ebx
17649         RESTORE ebp
17650 +       pax_force_retaddr
17651         ret
17652  4:
17653         cmpl %edx, 4(%esp)
17654 @@ -206,6 +283,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
17655         movl %edx, %ecx
17656         addl $1, %ebx
17657         adcl $0, %ecx
17658 +
17659 +#ifdef CONFIG_PAX_REFCOUNT
17660 +       into
17661 +1234:
17662 +       _ASM_EXTABLE(1234b, 3f)
17663 +#endif
17664 +
17665         LOCK_PREFIX
17666         cmpxchg8b (%esi)
17667         jne 1b
17668 @@ -213,6 +297,7 @@ ENTRY(atomic64_inc_not_zero_cx8)
17669         movl $1, %eax
17670  3:
17671         RESTORE ebx
17672 +       pax_force_retaddr
17673         ret
17674  4:
17675         testl %edx, %edx
17676 diff -urNp linux-3.0.9/arch/x86/lib/checksum_32.S linux-3.0.9/arch/x86/lib/checksum_32.S
17677 --- linux-3.0.9/arch/x86/lib/checksum_32.S      2011-11-11 13:12:24.000000000 -0500
17678 +++ linux-3.0.9/arch/x86/lib/checksum_32.S      2011-11-15 20:02:59.000000000 -0500
17679 @@ -28,7 +28,8 @@
17680  #include <linux/linkage.h>
17681  #include <asm/dwarf2.h>
17682  #include <asm/errno.h>
17683 -                               
17684 +#include <asm/segment.h>
17685 +
17686  /*
17687   * computes a partial checksum, e.g. for TCP/UDP fragments
17688   */
17689 @@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
17690  
17691  #define ARGBASE 16             
17692  #define FP             12
17693 -               
17694 -ENTRY(csum_partial_copy_generic)
17695 +
17696 +ENTRY(csum_partial_copy_generic_to_user)
17697         CFI_STARTPROC
17698 +
17699 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17700 +       pushl_cfi %gs
17701 +       popl_cfi %es
17702 +       jmp csum_partial_copy_generic
17703 +#endif
17704 +
17705 +ENTRY(csum_partial_copy_generic_from_user)
17706 +
17707 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17708 +       pushl_cfi %gs
17709 +       popl_cfi %ds
17710 +#endif
17711 +
17712 +ENTRY(csum_partial_copy_generic)
17713         subl  $4,%esp   
17714         CFI_ADJUST_CFA_OFFSET 4
17715         pushl_cfi %edi
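Review bot: csum_partial_copy_generic_to_user, csum_partial_copy_generic_from_user and csum_partial_copy_generic now share one body under a single CFI_STARTPROC, and only the first is closed with ENDPROC (see the hunk ending at `ENDPROC(csum_partial_copy_generic_to_user)` below), so the two inner symbols get no size/type and, when CONFIG_PAX_MEMORY_UDEREF is off, the _to_user entry presumably falls through ENTRY's alignment padding into the next label. That layout is deliberate but invisible from the symbol names; a comment above the first ENTRY along the lines of `/* three entry points, one body: _to_user loads %es, _from_user loads %ds (UDEREF only), then both fall into the generic copy */` would document it, and the same applies to the PentiumII/PPro copy of the sequence further down. Whether the padding between the entries is nop-filled depends on the ALIGN used by ENTRY, which is not on this page.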
17716 @@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
17717         jmp 4f
17718  SRC(1: movw (%esi), %bx        )
17719         addl $2, %esi
17720 -DST(   movw %bx, (%edi)        )
17721 +DST(   movw %bx, %es:(%edi)    )
17722         addl $2, %edi
17723         addw %bx, %ax   
17724         adcl $0, %eax
17725 @@ -332,30 +348,30 @@ DST(      movw %bx, (%edi)        )
17726  SRC(1: movl (%esi), %ebx       )
17727  SRC(   movl 4(%esi), %edx      )
17728         adcl %ebx, %eax
17729 -DST(   movl %ebx, (%edi)       )
17730 +DST(   movl %ebx, %es:(%edi)   )
17731         adcl %edx, %eax
17732 -DST(   movl %edx, 4(%edi)      )
17733 +DST(   movl %edx, %es:4(%edi)  )
17734  
17735  SRC(   movl 8(%esi), %ebx      )
17736  SRC(   movl 12(%esi), %edx     )
17737         adcl %ebx, %eax
17738 -DST(   movl %ebx, 8(%edi)      )
17739 +DST(   movl %ebx, %es:8(%edi)  )
17740         adcl %edx, %eax
17741 -DST(   movl %edx, 12(%edi)     )
17742 +DST(   movl %edx, %es:12(%edi) )
17743  
17744  SRC(   movl 16(%esi), %ebx     )
17745  SRC(   movl 20(%esi), %edx     )
17746         adcl %ebx, %eax
17747 -DST(   movl %ebx, 16(%edi)     )
17748 +DST(   movl %ebx, %es:16(%edi) )
17749         adcl %edx, %eax
17750 -DST(   movl %edx, 20(%edi)     )
17751 +DST(   movl %edx, %es:20(%edi) )
17752  
17753  SRC(   movl 24(%esi), %ebx     )
17754  SRC(   movl 28(%esi), %edx     )
17755         adcl %ebx, %eax
17756 -DST(   movl %ebx, 24(%edi)     )
17757 +DST(   movl %ebx, %es:24(%edi) )
17758         adcl %edx, %eax
17759 -DST(   movl %edx, 28(%edi)     )
17760 +DST(   movl %edx, %es:28(%edi) )
17761  
17762         lea 32(%esi), %esi
17763         lea 32(%edi), %edi
17764 @@ -369,7 +385,7 @@ DST(        movl %edx, 28(%edi)     )
17765         shrl $2, %edx                   # This clears CF
17766  SRC(3: movl (%esi), %ebx       )
17767         adcl %ebx, %eax
17768 -DST(   movl %ebx, (%edi)       )
17769 +DST(   movl %ebx, %es:(%edi)   )
17770         lea 4(%esi), %esi
17771         lea 4(%edi), %edi
17772         dec %edx
17773 @@ -381,12 +397,12 @@ DST(      movl %ebx, (%edi)       )
17774         jb 5f
17775  SRC(   movw (%esi), %cx        )
17776         leal 2(%esi), %esi
17777 -DST(   movw %cx, (%edi)        )
17778 +DST(   movw %cx, %es:(%edi)    )
17779         leal 2(%edi), %edi
17780         je 6f
17781         shll $16,%ecx
17782  SRC(5: movb (%esi), %cl        )
17783 -DST(   movb %cl, (%edi)        )
17784 +DST(   movb %cl, %es:(%edi)    )
17785  6:     addl %ecx, %eax
17786         adcl $0, %eax
17787  7:
17788 @@ -397,7 +413,7 @@ DST(        movb %cl, (%edi)        )
17789  
17790  6001:
17791         movl ARGBASE+20(%esp), %ebx     # src_err_ptr
17792 -       movl $-EFAULT, (%ebx)
17793 +       movl $-EFAULT, %ss:(%ebx)
17794  
17795         # zero the complete destination - computing the rest
17796         # is too much work 
17797 @@ -410,11 +426,15 @@ DST(      movb %cl, (%edi)        )
17798  
17799  6002:
17800         movl ARGBASE+24(%esp), %ebx     # dst_err_ptr
17801 -       movl $-EFAULT,(%ebx)
17802 +       movl $-EFAULT,%ss:(%ebx)
17803         jmp 5000b
17804  
17805  .previous
17806  
17807 +       pushl_cfi %ss
17808 +       popl_cfi %ds
17809 +       pushl_cfi %ss
17810 +       popl_cfi %es
17811         popl_cfi %ebx
17812         CFI_RESTORE ebx
17813         popl_cfi %esi
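Review bot: The `pushl_cfi %ss` / `popl_cfi %ds` / `pushl_cfi %ss` / `popl_cfi %es` sequence added after `.previous` is unconditional here, whereas the identical sequence in the PentiumII/PPro variant further down is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. In this file only the UDEREF prologues of the _to_user/_from_user entries change %ds/%es, so without UDEREF the four segment loads undo nothing and just cost cycles on every checksum-copy call. Guarding them the same way — `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first push and `#endif` after the last pop — makes the two variants consistent.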
17814 @@ -424,26 +444,43 @@ DST(      movb %cl, (%edi)        )
17815         popl_cfi %ecx                   # equivalent to addl $4,%esp
17816         ret     
17817         CFI_ENDPROC
17818 -ENDPROC(csum_partial_copy_generic)
17819 +ENDPROC(csum_partial_copy_generic_to_user)
17820  
17821  #else
17822  
17823  /* Version for PentiumII/PPro */
17824  
17825  #define ROUND1(x) \
17826 +       nop; nop; nop;                          \
17827         SRC(movl x(%esi), %ebx  )       ;       \
17828         addl %ebx, %eax                 ;       \
17829 -       DST(movl %ebx, x(%edi)  )       ; 
17830 +       DST(movl %ebx, %es:x(%edi))     ;
17831  
17832  #define ROUND(x) \
17833 +       nop; nop; nop;                          \
17834         SRC(movl x(%esi), %ebx  )       ;       \
17835         adcl %ebx, %eax                 ;       \
17836 -       DST(movl %ebx, x(%edi)  )       ;
17837 +       DST(movl %ebx, %es:x(%edi))     ;
17838  
17839  #define ARGBASE 12
17840 -               
17841 -ENTRY(csum_partial_copy_generic)
17842 +
17843 +ENTRY(csum_partial_copy_generic_to_user)
17844         CFI_STARTPROC
17845 +
17846 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17847 +       pushl_cfi %gs
17848 +       popl_cfi %es
17849 +       jmp csum_partial_copy_generic
17850 +#endif
17851 +
17852 +ENTRY(csum_partial_copy_generic_from_user)
17853 +
17854 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17855 +       pushl_cfi %gs
17856 +       popl_cfi %ds
17857 +#endif
17858 +
17859 +ENTRY(csum_partial_copy_generic)
17860         pushl_cfi %ebx
17861         CFI_REL_OFFSET ebx, 0
17862         pushl_cfi %edi
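Review bot: The `nop; nop; nop;` inserted into ROUND1 and ROUND has no comment, yet it looks like it exists only to keep each round's byte length in step with the `lea 3f(%ebx,%ebx,2), %ebx` jump-table stride changed in the next hunk (the `%es:` prefix lengthens each store by one byte and the nops pad the expansion so the 3x stride lands on a round boundary). That coupling between a macro body and an address computation breaks silently when someone later touches either side. A comment on the macros, e.g. `/* the %es: prefix and the three nops keep every ROUND the same length; the lea 3f(%ebx,%ebx,2) dispatch below depends on it */`, would pin the invariant. I have not recomputed the exact encoding lengths, so verify the stride before relying on the comment's wording.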
17863 @@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
17864         subl %ebx, %edi  
17865         lea  -1(%esi),%edx
17866         andl $-32,%edx
17867 -       lea 3f(%ebx,%ebx), %ebx
17868 +       lea 3f(%ebx,%ebx,2), %ebx
17869         testl %esi, %esi 
17870         jmp *%ebx
17871  1:     addl $64,%esi
17872 @@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
17873         jb 5f
17874  SRC(   movw (%esi), %dx         )
17875         leal 2(%esi), %esi
17876 -DST(   movw %dx, (%edi)         )
17877 +DST(   movw %dx, %es:(%edi)     )
17878         leal 2(%edi), %edi
17879         je 6f
17880         shll $16,%edx
17881  5:
17882  SRC(   movb (%esi), %dl         )
17883 -DST(   movb %dl, (%edi)         )
17884 +DST(   movb %dl, %es:(%edi)     )
17885  6:     addl %edx, %eax
17886         adcl $0, %eax
17887  7:
17888  .section .fixup, "ax"
17889  6001:  movl    ARGBASE+20(%esp), %ebx  # src_err_ptr   
17890 -       movl $-EFAULT, (%ebx)
17891 +       movl $-EFAULT, %ss:(%ebx)
17892         # zero the complete destination (computing the rest is too much work)
17893         movl ARGBASE+8(%esp),%edi       # dst
17894         movl ARGBASE+12(%esp),%ecx      # len
17895 @@ -505,10 +542,17 @@ DST(      movb %dl, (%edi)         )
17896         rep; stosb
17897         jmp 7b
17898  6002:  movl ARGBASE+24(%esp), %ebx     # dst_err_ptr
17899 -       movl $-EFAULT, (%ebx)
17900 +       movl $-EFAULT, %ss:(%ebx)
17901         jmp  7b                 
17902  .previous                              
17903  
17904 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17905 +       pushl_cfi %ss
17906 +       popl_cfi %ds
17907 +       pushl_cfi %ss
17908 +       popl_cfi %es
17909 +#endif
17910 +
17911         popl_cfi %esi
17912         CFI_RESTORE esi
17913         popl_cfi %edi
17914 @@ -517,7 +561,7 @@ DST(        movb %dl, (%edi)         )
17915         CFI_RESTORE ebx
17916         ret
17917         CFI_ENDPROC
17918 -ENDPROC(csum_partial_copy_generic)
17919 +ENDPROC(csum_partial_copy_generic_to_user)
17920                                 
17921  #undef ROUND
17922  #undef ROUND1          
17923 diff -urNp linux-3.0.9/arch/x86/lib/clear_page_64.S linux-3.0.9/arch/x86/lib/clear_page_64.S
17924 --- linux-3.0.9/arch/x86/lib/clear_page_64.S    2011-11-11 13:12:24.000000000 -0500
17925 +++ linux-3.0.9/arch/x86/lib/clear_page_64.S    2011-11-15 20:02:59.000000000 -0500
17926 @@ -11,6 +11,7 @@ ENTRY(clear_page_c)
17927         movl $4096/8,%ecx
17928         xorl %eax,%eax
17929         rep stosq
17930 +       pax_force_retaddr
17931         ret
17932         CFI_ENDPROC
17933  ENDPROC(clear_page_c)
17934 @@ -20,6 +21,7 @@ ENTRY(clear_page_c_e)
17935         movl $4096,%ecx
17936         xorl %eax,%eax
17937         rep stosb
17938 +       pax_force_retaddr
17939         ret
17940         CFI_ENDPROC
17941  ENDPROC(clear_page_c_e)
17942 @@ -43,6 +45,7 @@ ENTRY(clear_page)
17943         leaq    64(%rdi),%rdi
17944         jnz     .Lloop
17945         nop
17946 +       pax_force_retaddr
17947         ret
17948         CFI_ENDPROC
17949  .Lclear_page_end:
17950 @@ -58,7 +61,7 @@ ENDPROC(clear_page)
17951  
17952  #include <asm/cpufeature.h>
17953  
17954 -       .section .altinstr_replacement,"ax"
17955 +       .section .altinstr_replacement,"a"
17956  1:     .byte 0xeb                                      /* jmp <disp8> */
17957         .byte (clear_page_c - clear_page) - (2f - 1b)   /* offset */
17958  2:     .byte 0xeb                                      /* jmp <disp8> */
17959 diff -urNp linux-3.0.9/arch/x86/lib/cmpxchg16b_emu.S linux-3.0.9/arch/x86/lib/cmpxchg16b_emu.S
17960 --- linux-3.0.9/arch/x86/lib/cmpxchg16b_emu.S   2011-11-11 13:12:24.000000000 -0500
17961 +++ linux-3.0.9/arch/x86/lib/cmpxchg16b_emu.S   2011-11-15 20:02:59.000000000 -0500
17962 @@ -53,11 +53,13 @@ this_cpu_cmpxchg16b_emu:
17963  
17964         popf
17965         mov $1, %al
17966 +       pax_force_retaddr
17967         ret
17968  
17969   not_same:
17970         popf
17971         xor %al,%al
17972 +       pax_force_retaddr
17973         ret
17974  
17975  CFI_ENDPROC
17976 diff -urNp linux-3.0.9/arch/x86/lib/copy_page_64.S linux-3.0.9/arch/x86/lib/copy_page_64.S
17977 --- linux-3.0.9/arch/x86/lib/copy_page_64.S     2011-11-11 13:12:24.000000000 -0500
17978 +++ linux-3.0.9/arch/x86/lib/copy_page_64.S     2011-11-15 20:02:59.000000000 -0500
17979 @@ -2,12 +2,14 @@
17980  
17981  #include <linux/linkage.h>
17982  #include <asm/dwarf2.h>
17983 +#include <asm/alternative-asm.h>
17984  
17985         ALIGN
17986  copy_page_c:
17987         CFI_STARTPROC
17988         movl $4096/8,%ecx
17989         rep movsq
17990 +       pax_force_retaddr
17991         ret
17992         CFI_ENDPROC
17993  ENDPROC(copy_page_c)
17994 @@ -94,6 +96,7 @@ ENTRY(copy_page)
17995         CFI_RESTORE r13
17996         addq    $3*8,%rsp
17997         CFI_ADJUST_CFA_OFFSET -3*8
17998 +       pax_force_retaddr
17999         ret
18000  .Lcopy_page_end:
18001         CFI_ENDPROC
18002 @@ -104,7 +107,7 @@ ENDPROC(copy_page)
18003  
18004  #include <asm/cpufeature.h>
18005  
18006 -       .section .altinstr_replacement,"ax"
18007 +       .section .altinstr_replacement,"a"
18008  1:     .byte 0xeb                                      /* jmp <disp8> */
18009         .byte (copy_page_c - copy_page) - (2f - 1b)     /* offset */
18010  2:
18011 diff -urNp linux-3.0.9/arch/x86/lib/copy_user_64.S linux-3.0.9/arch/x86/lib/copy_user_64.S
18012 --- linux-3.0.9/arch/x86/lib/copy_user_64.S     2011-11-11 13:12:24.000000000 -0500
18013 +++ linux-3.0.9/arch/x86/lib/copy_user_64.S     2011-11-15 20:02:59.000000000 -0500
18014 @@ -16,6 +16,7 @@
18015  #include <asm/thread_info.h>
18016  #include <asm/cpufeature.h>
18017  #include <asm/alternative-asm.h>
18018 +#include <asm/pgtable.h>
18019  
18020  /*
18021   * By placing feature2 after feature1 in altinstructions section, we logically
18022 @@ -29,7 +30,7 @@
18023         .byte 0xe9      /* 32bit jump */
18024         .long \orig-1f  /* by default jump to orig */
18025  1:
18026 -       .section .altinstr_replacement,"ax"
18027 +       .section .altinstr_replacement,"a"
18028  2:     .byte 0xe9                      /* near jump with 32bit immediate */
18029         .long \alt1-1b /* offset */   /* or alternatively to alt1 */
18030  3:     .byte 0xe9                      /* near jump with 32bit immediate */
18031 @@ -71,47 +72,20 @@
18032  #endif
18033         .endm
18034  
18035 -/* Standard copy_to_user with segment limit checking */
18036 -ENTRY(_copy_to_user)
18037 -       CFI_STARTPROC
18038 -       GET_THREAD_INFO(%rax)
18039 -       movq %rdi,%rcx
18040 -       addq %rdx,%rcx
18041 -       jc bad_to_user
18042 -       cmpq TI_addr_limit(%rax),%rcx
18043 -       ja bad_to_user
18044 -       ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
18045 -               copy_user_generic_unrolled,copy_user_generic_string,    \
18046 -               copy_user_enhanced_fast_string
18047 -       CFI_ENDPROC
18048 -ENDPROC(_copy_to_user)
18049 -
18050 -/* Standard copy_from_user with segment limit checking */
18051 -ENTRY(_copy_from_user)
18052 -       CFI_STARTPROC
18053 -       GET_THREAD_INFO(%rax)
18054 -       movq %rsi,%rcx
18055 -       addq %rdx,%rcx
18056 -       jc bad_from_user
18057 -       cmpq TI_addr_limit(%rax),%rcx
18058 -       ja bad_from_user
18059 -       ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
18060 -               copy_user_generic_unrolled,copy_user_generic_string,    \
18061 -               copy_user_enhanced_fast_string
18062 -       CFI_ENDPROC
18063 -ENDPROC(_copy_from_user)
18064 -
18065         .section .fixup,"ax"
18066         /* must zero dest */
18067  ENTRY(bad_from_user)
18068  bad_from_user:
18069         CFI_STARTPROC
18070 +       testl %edx,%edx
18071 +       js bad_to_user
18072         movl %edx,%ecx
18073         xorl %eax,%eax
18074         rep
18075         stosb
18076  bad_to_user:
18077         movl %edx,%eax
18078 +       pax_force_retaddr
18079         ret
18080         CFI_ENDPROC
18081  ENDPROC(bad_from_user)
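Review bot: The new `testl %edx,%edx` / `js bad_to_user` in bad_from_user silently skips the zero-fill whenever bit 31 of the 32-bit length is set, and the function still returns that value in %eax as the not-copied count; nothing on the hunk says why such a length is handled this way. Presumably it cannot be a legitimate length after the range check and zeroing 2 GiB of destination would be worse than reporting the failure, but that reasoning belongs in a comment, e.g. `/* a "negative" length never passed the range check: report it, do not zero-fill */`. Only %edx is examined even though the callers pass the length in %rdx, which matches the existing `movl %edx,%ecx` but is worth a word as well.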
18082 @@ -179,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
18083         decl %ecx
18084         jnz 21b
18085  23:    xor %eax,%eax
18086 +       pax_force_retaddr
18087         ret
18088  
18089         .section .fixup,"ax"
18090 @@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string)
18091  3:     rep
18092         movsb
18093  4:     xorl %eax,%eax
18094 +       pax_force_retaddr
18095         ret
18096  
18097         .section .fixup,"ax"
18098 @@ -287,6 +263,7 @@ ENTRY(copy_user_enhanced_fast_string)
18099  1:     rep
18100         movsb
18101  2:     xorl %eax,%eax
18102 +       pax_force_retaddr
18103         ret
18104  
18105         .section .fixup,"ax"
18106 diff -urNp linux-3.0.9/arch/x86/lib/copy_user_nocache_64.S linux-3.0.9/arch/x86/lib/copy_user_nocache_64.S
18107 --- linux-3.0.9/arch/x86/lib/copy_user_nocache_64.S     2011-11-11 13:12:24.000000000 -0500
18108 +++ linux-3.0.9/arch/x86/lib/copy_user_nocache_64.S     2011-11-15 20:02:59.000000000 -0500
18109 @@ -8,12 +8,14 @@
18110  
18111  #include <linux/linkage.h>
18112  #include <asm/dwarf2.h>
18113 +#include <asm/alternative-asm.h>
18114  
18115  #define FIX_ALIGNMENT 1
18116  
18117  #include <asm/current.h>
18118  #include <asm/asm-offsets.h>
18119  #include <asm/thread_info.h>
18120 +#include <asm/pgtable.h>
18121  
18122         .macro ALIGN_DESTINATION
18123  #ifdef FIX_ALIGNMENT
18124 @@ -50,6 +52,15 @@
18125   */
18126  ENTRY(__copy_user_nocache)
18127         CFI_STARTPROC
18128 +
18129 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18130 +       mov $PAX_USER_SHADOW_BASE,%rcx
18131 +       cmp %rcx,%rsi
18132 +       jae 1f
18133 +       add %rcx,%rsi
18134 +1:
18135 +#endif
18136 +
18137         cmpl $8,%edx
18138         jb 20f          /* less then 8 bytes, go to byte copy loop */
18139         ALIGN_DESTINATION
18140 @@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
18141         jnz 21b
18142  23:    xorl %eax,%eax
18143         sfence
18144 +       pax_force_retaddr
18145         ret
18146  
18147         .section .fixup,"ax"
18148 diff -urNp linux-3.0.9/arch/x86/lib/csum-copy_64.S linux-3.0.9/arch/x86/lib/csum-copy_64.S
18149 --- linux-3.0.9/arch/x86/lib/csum-copy_64.S     2011-11-11 13:12:24.000000000 -0500
18150 +++ linux-3.0.9/arch/x86/lib/csum-copy_64.S     2011-11-15 20:02:59.000000000 -0500
18151 @@ -8,6 +8,7 @@
18152  #include <linux/linkage.h>
18153  #include <asm/dwarf2.h>
18154  #include <asm/errno.h>
18155 +#include <asm/alternative-asm.h>
18156  
18157  /*
18158   * Checksum copy with exception handling.
18159 @@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
18160         CFI_RESTORE rbp
18161         addq $7*8, %rsp
18162         CFI_ADJUST_CFA_OFFSET -7*8
18163 +       pax_force_retaddr
18164         ret
18165         CFI_RESTORE_STATE
18166  
18167 diff -urNp linux-3.0.9/arch/x86/lib/csum-wrappers_64.c linux-3.0.9/arch/x86/lib/csum-wrappers_64.c
18168 --- linux-3.0.9/arch/x86/lib/csum-wrappers_64.c 2011-11-11 13:12:24.000000000 -0500
18169 +++ linux-3.0.9/arch/x86/lib/csum-wrappers_64.c 2011-11-15 20:02:59.000000000 -0500
18170 @@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
18171                         len -= 2;
18172                 }
18173         }
18174 -       isum = csum_partial_copy_generic((__force const void *)src,
18175 +
18176 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18177 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
18178 +               src += PAX_USER_SHADOW_BASE;
18179 +#endif
18180 +
18181 +       isum = csum_partial_copy_generic((const void __force_kernel *)src,
18182                                 dst, len, isum, errp, NULL);
18183         if (unlikely(*errp))
18184                 goto out_err;
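Review bot: The `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` rebase is duplicated in csum_partial_copy_to_user in the next hunk with `dst` in place of `src`, and the surrounding `#ifdef` doubles the chance that the two copies drift apart. A small static inline helper in this file (a new name — say one taking and returning the address as `unsigned long`) used from both call sites would express the rule once, and its comment could say why addresses below the shadow base are relocated. The comparison also deserves a line about when an address can already be at or above the base, since that is not obvious from either hunk.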
18185 @@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
18186         }
18187  
18188         *errp = 0;
18189 -       return csum_partial_copy_generic(src, (void __force *)dst,
18190 +
18191 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18192 +       if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
18193 +               dst += PAX_USER_SHADOW_BASE;
18194 +#endif
18195 +
18196 +       return csum_partial_copy_generic(src, (void __force_kernel *)dst,
18197                                          len, isum, NULL, errp);
18198  }
18199  EXPORT_SYMBOL(csum_partial_copy_to_user);
18200 diff -urNp linux-3.0.9/arch/x86/lib/getuser.S linux-3.0.9/arch/x86/lib/getuser.S
18201 --- linux-3.0.9/arch/x86/lib/getuser.S  2011-11-11 13:12:24.000000000 -0500
18202 +++ linux-3.0.9/arch/x86/lib/getuser.S  2011-11-15 20:02:59.000000000 -0500
18203 @@ -33,15 +33,38 @@
18204  #include <asm/asm-offsets.h>
18205  #include <asm/thread_info.h>
18206  #include <asm/asm.h>
18207 +#include <asm/segment.h>
18208 +#include <asm/pgtable.h>
18209 +#include <asm/alternative-asm.h>
18210 +
18211 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18212 +#define __copyuser_seg gs;
18213 +#else
18214 +#define __copyuser_seg
18215 +#endif
18216  
18217         .text
18218  ENTRY(__get_user_1)
18219         CFI_STARTPROC
18220 +
18221 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18222         GET_THREAD_INFO(%_ASM_DX)
18223         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18224         jae bad_get_user
18225 -1:     movzb (%_ASM_AX),%edx
18226 +
18227 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18228 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18229 +       cmp %_ASM_DX,%_ASM_AX
18230 +       jae 1234f
18231 +       add %_ASM_DX,%_ASM_AX
18232 +1234:
18233 +#endif
18234 +
18235 +#endif
18236 +
18237 +1:     __copyuser_seg movzb (%_ASM_AX),%edx
18238         xor %eax,%eax
18239 +       pax_force_retaddr
18240         ret
18241         CFI_ENDPROC
18242  ENDPROC(__get_user_1)
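Review bot: The CONFIG_PAX_MEMORY_UDEREF block (`mov $PAX_USER_SHADOW_BASE,%_ASM_DX` … `1234:`) is repeated verbatim in __get_user_1, __get_user_2, __get_user_4 and __get_user_8 in the following hunks, and the same five-instruction rebase appears again in __copy_user_nocache; a `.macro` defined once would keep the copies from drifting. More importantly, the outer `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` compiles the `TI_addr_limit` compare out entirely on 32-bit UDEREF builds, so rejecting kernel addresses there rests solely on the %gs segment selected by `__copyuser_seg`; that is presumably the design, but it should be stated next to the `#if`, e.g. `/* 32-bit UDEREF: the %gs limit faults on kernel addresses, so no addr_limit compare here */`. In __get_user_2 and __get_user_4 the same `#if` also removes the `jc bad_get_user` wraparound check, so the comment should cover that case too.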
18243 @@ -49,12 +72,26 @@ ENDPROC(__get_user_1)
18244  ENTRY(__get_user_2)
18245         CFI_STARTPROC
18246         add $1,%_ASM_AX
18247 +
18248 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18249         jc bad_get_user
18250         GET_THREAD_INFO(%_ASM_DX)
18251         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18252         jae bad_get_user
18253 -2:     movzwl -1(%_ASM_AX),%edx
18254 +
18255 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18256 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18257 +       cmp %_ASM_DX,%_ASM_AX
18258 +       jae 1234f
18259 +       add %_ASM_DX,%_ASM_AX
18260 +1234:
18261 +#endif
18262 +
18263 +#endif
18264 +
18265 +2:     __copyuser_seg movzwl -1(%_ASM_AX),%edx
18266         xor %eax,%eax
18267 +       pax_force_retaddr
18268         ret
18269         CFI_ENDPROC
18270  ENDPROC(__get_user_2)
18271 @@ -62,12 +99,26 @@ ENDPROC(__get_user_2)
18272  ENTRY(__get_user_4)
18273         CFI_STARTPROC
18274         add $3,%_ASM_AX
18275 +
18276 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18277         jc bad_get_user
18278         GET_THREAD_INFO(%_ASM_DX)
18279         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18280         jae bad_get_user
18281 -3:     mov -3(%_ASM_AX),%edx
18282 +
18283 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18284 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18285 +       cmp %_ASM_DX,%_ASM_AX
18286 +       jae 1234f
18287 +       add %_ASM_DX,%_ASM_AX
18288 +1234:
18289 +#endif
18290 +
18291 +#endif
18292 +
18293 +3:     __copyuser_seg mov -3(%_ASM_AX),%edx
18294         xor %eax,%eax
18295 +       pax_force_retaddr
18296         ret
18297         CFI_ENDPROC
18298  ENDPROC(__get_user_4)
18299 @@ -80,8 +131,18 @@ ENTRY(__get_user_8)
18300         GET_THREAD_INFO(%_ASM_DX)
18301         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18302         jae     bad_get_user
18303 +
18304 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18305 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18306 +       cmp %_ASM_DX,%_ASM_AX
18307 +       jae 1234f
18308 +       add %_ASM_DX,%_ASM_AX
18309 +1234:
18310 +#endif
18311 +
18312  4:     movq -7(%_ASM_AX),%_ASM_DX
18313         xor %eax,%eax
18314 +       pax_force_retaddr
18315         ret
18316         CFI_ENDPROC
18317  ENDPROC(__get_user_8)
18318 @@ -91,6 +152,7 @@ bad_get_user:
18319         CFI_STARTPROC
18320         xor %edx,%edx
18321         mov $(-EFAULT),%_ASM_AX
18322 +       pax_force_retaddr
18323         ret
18324         CFI_ENDPROC
18325  END(bad_get_user)
18326 diff -urNp linux-3.0.9/arch/x86/lib/insn.c linux-3.0.9/arch/x86/lib/insn.c
18327 --- linux-3.0.9/arch/x86/lib/insn.c     2011-11-11 13:12:24.000000000 -0500
18328 +++ linux-3.0.9/arch/x86/lib/insn.c     2011-11-15 20:02:59.000000000 -0500
18329 @@ -21,6 +21,11 @@
18330  #include <linux/string.h>
18331  #include <asm/inat.h>
18332  #include <asm/insn.h>
18333 +#ifdef __KERNEL__
18334 +#include <asm/pgtable_types.h>
18335 +#else
18336 +#define ktla_ktva(addr) addr
18337 +#endif
18338  
18339  #define get_next(t, insn)      \
18340         ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
18341 @@ -40,8 +45,8 @@
18342  void insn_init(struct insn *insn, const void *kaddr, int x86_64)
18343  {
18344         memset(insn, 0, sizeof(*insn));
18345 -       insn->kaddr = kaddr;
18346 -       insn->next_byte = kaddr;
18347 +       insn->kaddr = ktla_ktva(kaddr);
18348 +       insn->next_byte = ktla_ktva(kaddr);
18349         insn->x86_64 = x86_64 ? 1 : 0;
18350         insn->opnd_bytes = 4;
18351         if (x86_64)
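Review bot: insn_init now applies ktla_ktva() to every kaddr unconditionally, which turns "kaddr points at the bytes to decode" into "kaddr is a kernel-text address that ktla_ktva() can translate"; any caller that hands in a copied instruction buffer or some other non-text mapping would decode from the wrong place. That precondition is not visible from the signature, so the function comment should state it, e.g. `/* @kaddr must be a kernel text address: it is passed through ktla_ktva() before use */`. The `#else` fallback `#define ktla_ktva(addr) addr` keeps user-space builds of this file working, which is also worth a word next to it.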
18352 diff -urNp linux-3.0.9/arch/x86/lib/iomap_copy_64.S linux-3.0.9/arch/x86/lib/iomap_copy_64.S
18353 --- linux-3.0.9/arch/x86/lib/iomap_copy_64.S    2011-11-11 13:12:24.000000000 -0500
18354 +++ linux-3.0.9/arch/x86/lib/iomap_copy_64.S    2011-11-15 20:02:59.000000000 -0500
18355 @@ -17,6 +17,7 @@
18356  
18357  #include <linux/linkage.h>
18358  #include <asm/dwarf2.h>
18359 +#include <asm/alternative-asm.h>
18360  
18361  /*
18362   * override generic version in lib/iomap_copy.c
18363 @@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
18364         CFI_STARTPROC
18365         movl %edx,%ecx
18366         rep movsd
18367 +       pax_force_retaddr
18368         ret
18369         CFI_ENDPROC
18370  ENDPROC(__iowrite32_copy)
18371 diff -urNp linux-3.0.9/arch/x86/lib/memcpy_64.S linux-3.0.9/arch/x86/lib/memcpy_64.S
18372 --- linux-3.0.9/arch/x86/lib/memcpy_64.S        2011-11-11 13:12:24.000000000 -0500
18373 +++ linux-3.0.9/arch/x86/lib/memcpy_64.S        2011-11-15 20:02:59.000000000 -0500
18374 @@ -34,6 +34,7 @@
18375         rep movsq
18376         movl %edx, %ecx
18377         rep movsb
18378 +       pax_force_retaddr
18379         ret
18380  .Lmemcpy_e:
18381         .previous
18382 @@ -51,6 +52,7 @@
18383  
18384         movl %edx, %ecx
18385         rep movsb
18386 +       pax_force_retaddr
18387         ret
18388  .Lmemcpy_e_e:
18389         .previous
18390 @@ -141,6 +143,7 @@ ENTRY(memcpy)
18391         movq %r9,       1*8(%rdi)
18392         movq %r10,      -2*8(%rdi, %rdx)
18393         movq %r11,      -1*8(%rdi, %rdx)
18394 +       pax_force_retaddr
18395         retq
18396         .p2align 4
18397  .Lless_16bytes:
18398 @@ -153,6 +156,7 @@ ENTRY(memcpy)
18399         movq -1*8(%rsi, %rdx),  %r9
18400         movq %r8,       0*8(%rdi)
18401         movq %r9,       -1*8(%rdi, %rdx)
18402 +       pax_force_retaddr
18403         retq
18404         .p2align 4
18405  .Lless_8bytes:
18406 @@ -166,6 +170,7 @@ ENTRY(memcpy)
18407         movl -4(%rsi, %rdx), %r8d
18408         movl %ecx, (%rdi)
18409         movl %r8d, -4(%rdi, %rdx)
18410 +       pax_force_retaddr
18411         retq
18412         .p2align 4
18413  .Lless_3bytes:
18414 @@ -183,6 +188,7 @@ ENTRY(memcpy)
18415         jnz .Lloop_1
18416  
18417  .Lend:
18418 +       pax_force_retaddr
18419         retq
18420         CFI_ENDPROC
18421  ENDPROC(memcpy)
18422 diff -urNp linux-3.0.9/arch/x86/lib/memmove_64.S linux-3.0.9/arch/x86/lib/memmove_64.S
18423 --- linux-3.0.9/arch/x86/lib/memmove_64.S       2011-11-11 13:12:24.000000000 -0500
18424 +++ linux-3.0.9/arch/x86/lib/memmove_64.S       2011-11-15 20:02:59.000000000 -0500
18425 @@ -9,6 +9,7 @@
18426  #include <linux/linkage.h>
18427  #include <asm/dwarf2.h>
18428  #include <asm/cpufeature.h>
18429 +#include <asm/alternative-asm.h>
18430  
18431  #undef memmove
18432  
18433 @@ -201,6 +202,7 @@ ENTRY(memmove)
18434         movb (%rsi), %r11b
18435         movb %r11b, (%rdi)
18436  13:
18437 +       pax_force_retaddr
18438         retq
18439         CFI_ENDPROC
18440  
18441 @@ -209,6 +211,7 @@ ENTRY(memmove)
18442         /* Forward moving data. */
18443         movq %rdx, %rcx
18444         rep movsb
18445 +       pax_force_retaddr
18446         retq
18447  .Lmemmove_end_forward_efs:
18448         .previous
18449 diff -urNp linux-3.0.9/arch/x86/lib/memset_64.S linux-3.0.9/arch/x86/lib/memset_64.S
18450 --- linux-3.0.9/arch/x86/lib/memset_64.S        2011-11-11 13:12:24.000000000 -0500
18451 +++ linux-3.0.9/arch/x86/lib/memset_64.S        2011-11-15 20:02:59.000000000 -0500
18452 @@ -31,6 +31,7 @@
18453         movl %r8d,%ecx
18454         rep stosb
18455         movq %r9,%rax
18456 +       pax_force_retaddr
18457         ret
18458  .Lmemset_e:
18459         .previous
18460 @@ -53,6 +54,7 @@
18461         movl %edx,%ecx
18462         rep stosb
18463         movq %r9,%rax
18464 +       pax_force_retaddr
18465         ret
18466  .Lmemset_e_e:
18467         .previous
18468 @@ -121,6 +123,7 @@ ENTRY(__memset)
18469  
18470  .Lende:
18471         movq    %r10,%rax
18472 +       pax_force_retaddr
18473         ret
18474  
18475         CFI_RESTORE_STATE
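diff -urNp linux-3.0.9/arch/x86/lib/mmx_32.c linux-3.0.9/arch/x86/lib/mmx_32.c
--- linux-3.0.9/arch/x86/lib/mmx_32.c   2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/arch/x86/lib/mmx_32.c   2011-11-15 20:02:59.000000000 -0500
@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
 {
        void *p;
        int i;
+       unsigned long cr0;
 
        if (unlikely(in_interrupt()))
                return __memcpy(to, from, len);
@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
        kernel_fpu_begin();
 
        __asm__ __volatile__ (
-               "1: prefetch (%0)\n"            /* This set is 28 bytes */
-               "   prefetch 64(%0)\n"
-               "   prefetch 128(%0)\n"
-               "   prefetch 192(%0)\n"
-               "   prefetch 256(%0)\n"
+               "1: prefetch (%1)\n"            /* This set is 28 bytes */
+               "   prefetch 64(%1)\n"
+               "   prefetch 128(%1)\n"
+               "   prefetch 192(%1)\n"
+               "   prefetch 256(%1)\n"
                "2:  \n"
                ".section .fixup, \"ax\"\n"
-               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
+               "3:  \n"
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %%cr0, %0\n"
+               "   movl %0, %%eax\n"
+               "   andl $0xFFFEFFFF, %%eax\n"
+               "   movl %%eax, %%cr0\n"
+#endif
+
+               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %0, %%cr0\n"
+#endif
+
                "   jmp 2b\n"
                ".previous\n"
                        _ASM_EXTABLE(1b, 3b)
-                       : : "r" (from));
+                       : "=&r" (cr0) : "r" (from) : "ax");
 
        for ( ; i > 5; i--) {
                __asm__ __volatile__ (
-               "1:  prefetch 320(%0)\n"
-               "2:  movq (%0), %%mm0\n"
-               "  movq 8(%0), %%mm1\n"
-               "  movq 16(%0), %%mm2\n"
-               "  movq 24(%0), %%mm3\n"
-               "  movq %%mm0, (%1)\n"
-               "  movq %%mm1, 8(%1)\n"
-               "  movq %%mm2, 16(%1)\n"
-               "  movq %%mm3, 24(%1)\n"
-               "  movq 32(%0), %%mm0\n"
-               "  movq 40(%0), %%mm1\n"
-               "  movq 48(%0), %%mm2\n"
-               "  movq 56(%0), %%mm3\n"
-               "  movq %%mm0, 32(%1)\n"
-               "  movq %%mm1, 40(%1)\n"
-               "  movq %%mm2, 48(%1)\n"
-               "  movq %%mm3, 56(%1)\n"
+               "1:  prefetch 320(%1)\n"
+               "2:  movq (%1), %%mm0\n"
+               "  movq 8(%1), %%mm1\n"
+               "  movq 16(%1), %%mm2\n"
+               "  movq 24(%1), %%mm3\n"
+               "  movq %%mm0, (%2)\n"
+               "  movq %%mm1, 8(%2)\n"
+               "  movq %%mm2, 16(%2)\n"
+               "  movq %%mm3, 24(%2)\n"
+               "  movq 32(%1), %%mm0\n"
+               "  movq 40(%1), %%mm1\n"
+               "  movq 48(%1), %%mm2\n"
+               "  movq 56(%1), %%mm3\n"
+               "  movq %%mm0, 32(%2)\n"
+               "  movq %%mm1, 40(%2)\n"
+               "  movq %%mm2, 48(%2)\n"
+               "  movq %%mm3, 56(%2)\n"
                ".section .fixup, \"ax\"\n"
-               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
+               "3:\n"
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %%cr0, %0\n"
+               "   movl %0, %%eax\n"
+               "   andl $0xFFFEFFFF, %%eax\n"
+               "   movl %%eax, %%cr0\n"
+#endif
+
+               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %0, %%cr0\n"
+#endif
+
                "   jmp 2b\n"
                ".previous\n"
                        _ASM_EXTABLE(1b, 3b)
-                       : : "r" (from), "r" (to) : "memory");
+                       : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
 
                from += 64;
                to += 64;
@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
 static void fast_copy_page(void *to, void *from)
 {
        int i;
+       unsigned long cr0;
 
        kernel_fpu_begin();
 
@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
         * but that is for later. -AV
         */
        __asm__ __volatile__(
-               "1: prefetch (%0)\n"
-               "   prefetch 64(%0)\n"
-               "   prefetch 128(%0)\n"
-               "   prefetch 192(%0)\n"
-               "   prefetch 256(%0)\n"
+               "1: prefetch (%1)\n"
+               "   prefetch 64(%1)\n"
+               "   prefetch 128(%1)\n"
+               "   prefetch 192(%1)\n"
+               "   prefetch 256(%1)\n"
                "2:  \n"
                ".section .fixup, \"ax\"\n"
-               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
+               "3:  \n"
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %%cr0, %0\n"
+               "   movl %0, %%eax\n"
+               "   andl $0xFFFEFFFF, %%eax\n"
+               "   movl %%eax, %%cr0\n"
+#endif
+
+               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %0, %%cr0\n"
+#endif
+
                "   jmp 2b\n"
                ".previous\n"
-                       _ASM_EXTABLE(1b, 3b) : : "r" (from));
+                       _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
 
        for (i = 0; i < (4096-320)/64; i++) {
                __asm__ __volatile__ (
-               "1: prefetch 320(%0)\n"
-               "2: movq (%0), %%mm0\n"
-               "   movntq %%mm0, (%1)\n"
-               "   movq 8(%0), %%mm1\n"
-               "   movntq %%mm1, 8(%1)\n"
-               "   movq 16(%0), %%mm2\n"
-               "   movntq %%mm2, 16(%1)\n"
-               "   movq 24(%0), %%mm3\n"
-               "   movntq %%mm3, 24(%1)\n"
-               "   movq 32(%0), %%mm4\n"
-               "   movntq %%mm4, 32(%1)\n"
-               "   movq 40(%0), %%mm5\n"
-               "   movntq %%mm5, 40(%1)\n"
-               "   movq 48(%0), %%mm6\n"
-               "   movntq %%mm6, 48(%1)\n"
-               "   movq 56(%0), %%mm7\n"
-               "   movntq %%mm7, 56(%1)\n"
+               "1: prefetch 320(%1)\n"
+               "2: movq (%1), %%mm0\n"
+               "   movntq %%mm0, (%2)\n"
+               "   movq 8(%1), %%mm1\n"
+               "   movntq %%mm1, 8(%2)\n"
+               "   movq 16(%1), %%mm2\n"
+               "   movntq %%mm2, 16(%2)\n"
+               "   movq 24(%1), %%mm3\n"
+               "   movntq %%mm3, 24(%2)\n"
+               "   movq 32(%1), %%mm4\n"
+               "   movntq %%mm4, 32(%2)\n"
+               "   movq 40(%1), %%mm5\n"
+               "   movntq %%mm5, 40(%2)\n"
+               "   movq 48(%1), %%mm6\n"
+               "   movntq %%mm6, 48(%2)\n"
+               "   movq 56(%1), %%mm7\n"
+               "   movntq %%mm7, 56(%2)\n"
                ".section .fixup, \"ax\"\n"
-               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
+               "3:\n"
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %%cr0, %0\n"
+               "   movl %0, %%eax\n"
+               "   andl $0xFFFEFFFF, %%eax\n"
+               "   movl %%eax, %%cr0\n"
+#endif
+
+               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %0, %%cr0\n"
+#endif
+
                "   jmp 2b\n"
                ".previous\n"
-               _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
+               _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
 
                from += 64;
                to += 64;
@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
 static void fast_copy_page(void *to, void *from)
 {
        int i;
+       unsigned long cr0;
 
        kernel_fpu_begin();
 
        __asm__ __volatile__ (
-               "1: prefetch (%0)\n"
-               "   prefetch 64(%0)\n"
-               "   prefetch 128(%0)\n"
-               "   prefetch 192(%0)\n"
-               "   prefetch 256(%0)\n"
+               "1: prefetch (%1)\n"
+               "   prefetch 64(%1)\n"
+               "   prefetch 128(%1)\n"
+               "   prefetch 192(%1)\n"
+               "   prefetch 256(%1)\n"
                "2:  \n"
                ".section .fixup, \"ax\"\n"
-               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
+               "3:  \n"
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %%cr0, %0\n"
+               "   movl %0, %%eax\n"
+               "   andl $0xFFFEFFFF, %%eax\n"
+               "   movl %%eax, %%cr0\n"
+#endif
+
+               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %0, %%cr0\n"
+#endif
+
                "   jmp 2b\n"
                ".previous\n"
-                       _ASM_EXTABLE(1b, 3b) : : "r" (from));
+                       _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
 
        for (i = 0; i < 4096/64; i++) {
                __asm__ __volatile__ (
-               "1: prefetch 320(%0)\n"
-               "2: movq (%0), %%mm0\n"
-               "   movq 8(%0), %%mm1\n"
-               "   movq 16(%0), %%mm2\n"
-               "   movq 24(%0), %%mm3\n"
-               "   movq %%mm0, (%1)\n"
-               "   movq %%mm1, 8(%1)\n"
-               "   movq %%mm2, 16(%1)\n"
-               "   movq %%mm3, 24(%1)\n"
-               "   movq 32(%0), %%mm0\n"
-               "   movq 40(%0), %%mm1\n"
-               "   movq 48(%0), %%mm2\n"
-               "   movq 56(%0), %%mm3\n"
-               "   movq %%mm0, 32(%1)\n"
-               "   movq %%mm1, 40(%1)\n"
-               "   movq %%mm2, 48(%1)\n"
-               "   movq %%mm3, 56(%1)\n"
+               "1: prefetch 320(%1)\n"
+               "2: movq (%1), %%mm0\n"
+               "   movq 8(%1), %%mm1\n"
+               "   movq 16(%1), %%mm2\n"
+               "   movq 24(%1), %%mm3\n"
+               "   movq %%mm0, (%2)\n"
+               "   movq %%mm1, 8(%2)\n"
+               "   movq %%mm2, 16(%2)\n"
+               "   movq %%mm3, 24(%2)\n"
+               "   movq 32(%1), %%mm0\n"
+               "   movq 40(%1), %%mm1\n"
+               "   movq 48(%1), %%mm2\n"
+               "   movq 56(%1), %%mm3\n"
+               "   movq %%mm0, 32(%2)\n"
+               "   movq %%mm1, 40(%2)\n"
+               "   movq %%mm2, 48(%2)\n"
+               "   movq %%mm3, 56(%2)\n"
                ".section .fixup, \"ax\"\n"
-               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
+               "3:\n"
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %%cr0, %0\n"
+               "   movl %0, %%eax\n"
+               "   andl $0xFFFEFFFF, %%eax\n"
+               "   movl %%eax, %%cr0\n"
+#endif
+
+               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
+
+#ifdef CONFIG_PAX_KERNEXEC
+               "   movl %0, %%cr0\n"
+#endif
+
                "   jmp 2b\n"
                ".previous\n"
                        _ASM_EXTABLE(1b, 3b)
-                       : : "r" (from), "r" (to) : "memory");
+                       : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
 
                from += 64;
                to += 64;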
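Review bot: The CR0.WP open/close sequence added to each `.fixup` block (`movl %%cr0, %0` … `andl $0xFFFEFFFF, %%eax` … `movl %0, %%cr0`) is pasted inline six times across _mmx_memcpy and both fast_copy_page definitions, so a pair of string macros that expand to nothing without CONFIG_PAX_KERNEXEC would leave one copy to audit and keep the six from drifting. Between the two `movl … %%cr0` instructions the CPU runs with write protection off while interrupts are still enabled (kernel_fpu_begin() only disables preemption), so the safety of an interrupt taken inside the fixup rests on the KERNEXEC interrupt-entry path re-asserting WP, which is not visible here and should be confirmed. The `cr0` output and `"ax"` clobber are also declared in non-KERNEXEC builds where the asm never writes %0; harmless, but a comment such as `/* cr0 is only written on the CONFIG_PAX_KERNEXEC fixup path; the ax clobber covers the same code */` at the declaration would explain the otherwise-unused variable. The loop in _mmx_memcpy and both fast_copy_page bodies continue outside their hunks.
```c
/* Drop CR0.WP (bit 16) so the .fixup stub may patch the prefetch at 1b into a
 * jmp, then restore it.  Expands to nothing when KERNEXEC is off.  Operand %0
 * must be the "=&r" (cr0) output and "ax" must be in the clobber list. */
#ifdef CONFIG_PAX_KERNEXEC
#define MMX_OPEN_KERNEL_ASM			\
		"   movl %%cr0, %0\n"		\
		"   movl %0, %%eax\n"		\
		"   andl $0xFFFEFFFF, %%eax\n"	\
		"   movl %%eax, %%cr0\n"
#define MMX_CLOSE_KERNEL_ASM			\
		"   movl %0, %%cr0\n"
#else
#define MMX_OPEN_KERNEL_ASM
#define MMX_CLOSE_KERNEL_ASM
#endif

		/* … unchanged: prefetch block, "2:" label, .section .fixup … */
		"3:  \n"
		MMX_OPEN_KERNEL_ASM
		"   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
		MMX_CLOSE_KERNEL_ASM
		"   jmp 2b\n"
		/* … unchanged: .previous, _ASM_EXTABLE, operand lists; same shape at the other five sites … */
```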
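diff -urNp linux-3.0.9/arch/x86/lib/msr-reg.S linux-3.0.9/arch/x86/lib/msr-reg.S
--- linux-3.0.9/arch/x86/lib/msr-reg.S  2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/arch/x86/lib/msr-reg.S  2011-11-15 20:02:59.000000000 -0500
@@ -3,6 +3,7 @@
 #include <asm/dwarf2.h>
 #include <asm/asm.h>
 #include <asm/msr.h>
+#include <asm/alternative-asm.h>
 
 #ifdef CONFIG_X86_64
 /*
@@ -37,6 +38,7 @@ ENTRY(native_\op\()_safe_regs)
        movl    %edi, 28(%r10)
        popq_cfi %rbp
        popq_cfi %rbx
+       pax_force_retaddr
        ret
 3:
        CFI_RESTORE_STATE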
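diff -urNp linux-3.0.9/arch/x86/lib/putuser.S linux-3.0.9/arch/x86/lib/putuser.S
--- linux-3.0.9/arch/x86/lib/putuser.S  2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/arch/x86/lib/putuser.S  2011-11-15 20:02:59.000000000 -0500
@@ -15,7 +15,9 @@
 #include <asm/thread_info.h>
 #include <asm/errno.h>
 #include <asm/asm.h>
-
+#include <asm/segment.h>
+#include <asm/pgtable.h>
+#include <asm/alternative-asm.h>
 
 /*
  * __put_user_X
@@ -29,52 +31,119 @@
  * as they get called from within inline assembly.
  */
 
-#define ENTER  CFI_STARTPROC ; \
-               GET_THREAD_INFO(%_ASM_BX)
-#define EXIT   ret ; \
+#define ENTER  CFI_STARTPROC
+#define EXIT   pax_force_retaddr; ret ; \
                CFI_ENDPROC
 
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+#define _DEST %_ASM_CX,%_ASM_BX
+#else
+#define _DEST %_ASM_CX
+#endif
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
+#define __copyuser_seg gs;
+#else
+#define __copyuser_seg
+#endif
+
 .text
 ENTRY(__put_user_1)
        ENTER
+
+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
+       GET_THREAD_INFO(%_ASM_BX)
        cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
        jae bad_put_user
-1:     movb %al,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
+       cmp %_ASM_BX,%_ASM_CX
+       jb 1234f
+       xor %ebx,%ebx
+1234:
+#endif
+
+#endif
+
+1:     __copyuser_seg movb %al,(_DEST)
        xor %eax,%eax
        EXIT
 ENDPROC(__put_user_1)
 
 ENTRY(__put_user_2)
        ENTER
+
+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
+       GET_THREAD_INFO(%_ASM_BX)
        mov TI_addr_limit(%_ASM_BX),%_ASM_BX
        sub $1,%_ASM_BX
        cmp %_ASM_BX,%_ASM_CX
        jae bad_put_user
-2:     movw %ax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
+       cmp %_ASM_BX,%_ASM_CX
+       jb 1234f
+       xor %ebx,%ebx
+1234:
+#endif
+
+#endif
+
+2:     __copyuser_seg movw %ax,(_DEST)
        xor %eax,%eax
        EXIT
 ENDPROC(__put_user_2)
 
 ENTRY(__put_user_4)
        ENTER
+
+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
+       GET_THREAD_INFO(%_ASM_BX)
        mov TI_addr_limit(%_ASM_BX),%_ASM_BX
        sub $3,%_ASM_BX
        cmp %_ASM_BX,%_ASM_CX
        jae bad_put_user
-3:     movl %eax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
+       cmp %_ASM_BX,%_ASM_CX
+       jb 1234f
+       xor %ebx,%ebx
+1234:
+#endif
+
+#endif
+
+3:     __copyuser_seg movl %eax,(_DEST)
        xor %eax,%eax
        EXIT
 ENDPROC(__put_user_4)
 
 ENTRY(__put_user_8)
        ENTER
+
+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
+       GET_THREAD_INFO(%_ASM_BX)
        mov TI_addr_limit(%_ASM_BX),%_ASM_BX
        sub $7,%_ASM_BX
        cmp %_ASM_BX,%_ASM_CX
        jae bad_put_user
-4:     mov %_ASM_AX,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
+       cmp %_ASM_BX,%_ASM_CX
+       jb 1234f
+       xor %ebx,%ebx
+1234:
+#endif
+
+#endif
+
+4:     __copyuser_seg mov %_ASM_AX,(_DEST)
 #ifdef CONFIG_X86_32
-5:     movl %edx,4(%_ASM_CX)
+5:     __copyuser_seg movl %edx,4(_DEST)
 #endif
        xor %eax,%eax
        EXIT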
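Review bot: The address-limit check and x86_64 shadow-rebase prologue is repeated verbatim in __put_user_1, __put_user_2, __put_user_4 and __put_user_8, differing only in the `sub $N,%_ASM_BX` constant; with ENTER/EXIT already macros, a size-parametrised `.macro` as sketched below would leave a single copy to audit. The `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` guard also drops the `TI_addr_limit` compare entirely on 32-bit UDEREF without saying why — presumably the `gs` segment limit applied through `__copyuser_seg` bounds the store instead, but that reasoning, and how set_fs(KERNEL_DS) interacts with it, belongs in a comment above the guard rather than being inferred. The numeric `1234:` label is the right choice once the block lives in a macro, since a symbolic label would collide across the four expansions.
```asm
/*
 * Range-check %_ASM_CX for a \size byte store; on x86_64 UDEREF then leave
 * the shadow-mapping displacement in %_ASM_BX (zero if the address is
 * already at or above PAX_USER_SHADOW_BASE).  On x86_32 UDEREF the compare
 * is omitted and the gs segment limit bounds the store — TODO confirm the
 * set_fs(KERNEL_DS) case against the segment setup.
 */
.macro PUT_USER_CHECK size
#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
	GET_THREAD_INFO(%_ASM_BX)
	mov TI_addr_limit(%_ASM_BX),%_ASM_BX
	.if \size > 1
	sub $(\size - 1),%_ASM_BX
	.endif
	cmp %_ASM_BX,%_ASM_CX
	jae bad_put_user
#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
	mov $PAX_USER_SHADOW_BASE,%_ASM_BX
	cmp %_ASM_BX,%_ASM_CX
	jb 1234f
	xor %ebx,%ebx
1234:
#endif
#endif
.endm

ENTRY(__put_user_2)
	ENTER
	PUT_USER_CHECK 2
2:	__copyuser_seg movw %ax,(_DEST)
	/* … unchanged: xor/EXIT/ENDPROC; __put_user_1, _4 and _8 use PUT_USER_CHECK 1, 4 and 8 … */
```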
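diff -urNp linux-3.0.9/arch/x86/lib/rwlock_64.S linux-3.0.9/arch/x86/lib/rwlock_64.S
--- linux-3.0.9/arch/x86/lib/rwlock_64.S        2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/arch/x86/lib/rwlock_64.S        2011-11-15 20:02:59.000000000 -0500
@@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
        LOCK_PREFIX
        subl $RW_LOCK_BIAS,(%rdi)
        jnz  __write_lock_failed
+       pax_force_retaddr
        ret
        CFI_ENDPROC
 END(__write_lock_failed)
@@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
        LOCK_PREFIX
        decl (%rdi)
        js __read_lock_failed
+       pax_force_retaddr
        ret
        CFI_ENDPROC
 END(__read_lock_failed)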
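diff -urNp linux-3.0.9/arch/x86/lib/rwsem_64.S linux-3.0.9/arch/x86/lib/rwsem_64.S
--- linux-3.0.9/arch/x86/lib/rwsem_64.S 2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/arch/x86/lib/rwsem_64.S 2011-11-15 20:02:59.000000000 -0500
@@ -51,6 +51,7 @@ ENTRY(call_rwsem_down_read_failed)
        popq_cfi %rdx
        CFI_RESTORE rdx
        restore_common_regs
+       pax_force_retaddr
        ret
        CFI_ENDPROC
 ENDPROC(call_rwsem_down_read_failed)
@@ -61,6 +62,7 @@ ENTRY(call_rwsem_down_write_failed)
        movq %rax,%rdi
        call rwsem_down_write_failed
        restore_common_regs
+       pax_force_retaddr
        ret
        CFI_ENDPROC
 ENDPROC(call_rwsem_down_write_failed)
@@ -73,7 +75,8 @@ ENTRY(call_rwsem_wake)
        movq %rax,%rdi
        call rwsem_wake
        restore_common_regs
-1:     ret
+1:     pax_force_retaddr
+       ret
        CFI_ENDPROC
 ENDPROC(call_rwsem_wake)
 
@@ -88,6 +91,7 @@ ENTRY(call_rwsem_downgrade_wake)
        popq_cfi %rdx
        CFI_RESTORE rdx
        restore_common_regs
+       pax_force_retaddr
        ret
        CFI_ENDPROC
 ENDPROC(call_rwsem_downgrade_wake)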
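diff -urNp linux-3.0.9/arch/x86/lib/thunk_64.S linux-3.0.9/arch/x86/lib/thunk_64.S
--- linux-3.0.9/arch/x86/lib/thunk_64.S 2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/arch/x86/lib/thunk_64.S 2011-11-15 20:02:59.000000000 -0500
@@ -10,7 +10,8 @@
        #include <asm/dwarf2.h>
        #include <asm/calling.h>                        
        #include <asm/rwlock.h>
-               
+       #include <asm/alternative-asm.h>
+
        /* rdi: arg1 ... normal C conventions. rax is saved/restored. */        
        .macro thunk name,func
        .globl \name
@@ -50,5 +51,6 @@
        SAVE_ARGS
 restore:
        RESTORE_ARGS
-       ret     
+       pax_force_retaddr
+       ret
        CFI_ENDPROC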
19032 diff -urNp linux-3.0.9/arch/x86/lib/usercopy_32.c linux-3.0.9/arch/x86/lib/usercopy_32.c
19033 --- linux-3.0.9/arch/x86/lib/usercopy_32.c      2011-11-11 13:12:24.000000000 -0500
19034 +++ linux-3.0.9/arch/x86/lib/usercopy_32.c      2011-11-15 20:02:59.000000000 -0500
19035 @@ -43,7 +43,7 @@ do {                                                                     \
19036         __asm__ __volatile__(                                              \
19037                 "       testl %1,%1\n"                                     \
19038                 "       jz 2f\n"                                           \
19039 -               "0:     lodsb\n"                                           \
19040 +               "0:     "__copyuser_seg"lodsb\n"                           \
19041                 "       stosb\n"                                           \
19042                 "       testb %%al,%%al\n"                                 \
19043                 "       jz 1f\n"                                           \
19044 @@ -128,10 +128,12 @@ do {                                                                      \
19045         int __d0;                                                       \
19046         might_fault();                                                  \
19047         __asm__ __volatile__(                                           \
19048 +               __COPYUSER_SET_ES                                       \
19049                 "0:     rep; stosl\n"                                   \
19050                 "       movl %2,%0\n"                                   \
19051                 "1:     rep; stosb\n"                                   \
19052                 "2:\n"                                                  \
19053 +               __COPYUSER_RESTORE_ES                                   \
19054                 ".section .fixup,\"ax\"\n"                              \
19055                 "3:     lea 0(%2,%0,4),%0\n"                            \
19056                 "       jmp 2b\n"                                       \
19057 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s, 
19058         might_fault();
19059  
19060         __asm__ __volatile__(
19061 +               __COPYUSER_SET_ES
19062                 "       testl %0, %0\n"
19063                 "       jz 3f\n"
19064                 "       andl %0,%%ecx\n"
19065 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s, 
19066                 "       subl %%ecx,%0\n"
19067                 "       addl %0,%%eax\n"
19068                 "1:\n"
19069 +               __COPYUSER_RESTORE_ES
19070                 ".section .fixup,\"ax\"\n"
19071                 "2:     xorl %%eax,%%eax\n"
19072                 "       jmp 1b\n"
19073 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
19074  
19075  #ifdef CONFIG_X86_INTEL_USERCOPY
19076  static unsigned long
19077 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
19078 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
19079  {
19080         int d0, d1;
19081         __asm__ __volatile__(
19082 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
19083                        "       .align 2,0x90\n"
19084                        "3:     movl 0(%4), %%eax\n"
19085                        "4:     movl 4(%4), %%edx\n"
19086 -                      "5:     movl %%eax, 0(%3)\n"
19087 -                      "6:     movl %%edx, 4(%3)\n"
19088 +                      "5:     "__copyuser_seg" movl %%eax, 0(%3)\n"
19089 +                      "6:     "__copyuser_seg" movl %%edx, 4(%3)\n"
19090                        "7:     movl 8(%4), %%eax\n"
19091                        "8:     movl 12(%4),%%edx\n"
19092 -                      "9:     movl %%eax, 8(%3)\n"
19093 -                      "10:    movl %%edx, 12(%3)\n"
19094 +                      "9:     "__copyuser_seg" movl %%eax, 8(%3)\n"
19095 +                      "10:    "__copyuser_seg" movl %%edx, 12(%3)\n"
19096                        "11:    movl 16(%4), %%eax\n"
19097                        "12:    movl 20(%4), %%edx\n"
19098 -                      "13:    movl %%eax, 16(%3)\n"
19099 -                      "14:    movl %%edx, 20(%3)\n"
19100 +                      "13:    "__copyuser_seg" movl %%eax, 16(%3)\n"
19101 +                      "14:    "__copyuser_seg" movl %%edx, 20(%3)\n"
19102                        "15:    movl 24(%4), %%eax\n"
19103                        "16:    movl 28(%4), %%edx\n"
19104 -                      "17:    movl %%eax, 24(%3)\n"
19105 -                      "18:    movl %%edx, 28(%3)\n"
19106 +                      "17:    "__copyuser_seg" movl %%eax, 24(%3)\n"
19107 +                      "18:    "__copyuser_seg" movl %%edx, 28(%3)\n"
19108                        "19:    movl 32(%4), %%eax\n"
19109                        "20:    movl 36(%4), %%edx\n"
19110 -                      "21:    movl %%eax, 32(%3)\n"
19111 -                      "22:    movl %%edx, 36(%3)\n"
19112 +                      "21:    "__copyuser_seg" movl %%eax, 32(%3)\n"
19113 +                      "22:    "__copyuser_seg" movl %%edx, 36(%3)\n"
19114                        "23:    movl 40(%4), %%eax\n"
19115                        "24:    movl 44(%4), %%edx\n"
19116 -                      "25:    movl %%eax, 40(%3)\n"
19117 -                      "26:    movl %%edx, 44(%3)\n"
19118 +                      "25:    "__copyuser_seg" movl %%eax, 40(%3)\n"
19119 +                      "26:    "__copyuser_seg" movl %%edx, 44(%3)\n"
19120                        "27:    movl 48(%4), %%eax\n"
19121                        "28:    movl 52(%4), %%edx\n"
19122 -                      "29:    movl %%eax, 48(%3)\n"
19123 -                      "30:    movl %%edx, 52(%3)\n"
19124 +                      "29:    "__copyuser_seg" movl %%eax, 48(%3)\n"
19125 +                      "30:    "__copyuser_seg" movl %%edx, 52(%3)\n"
19126                        "31:    movl 56(%4), %%eax\n"
19127                        "32:    movl 60(%4), %%edx\n"
19128 -                      "33:    movl %%eax, 56(%3)\n"
19129 -                      "34:    movl %%edx, 60(%3)\n"
19130 +                      "33:    "__copyuser_seg" movl %%eax, 56(%3)\n"
19131 +                      "34:    "__copyuser_seg" movl %%edx, 60(%3)\n"
19132                        "       addl $-64, %0\n"
19133                        "       addl $64, %4\n"
19134                        "       addl $64, %3\n"
19135 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
19136                        "       shrl  $2, %0\n"
19137                        "       andl  $3, %%eax\n"
19138                        "       cld\n"
19139 +                      __COPYUSER_SET_ES
19140                        "99:    rep; movsl\n"
19141                        "36:    movl %%eax, %0\n"
19142                        "37:    rep; movsb\n"
19143                        "100:\n"
19144 +                      __COPYUSER_RESTORE_ES
19145 +                      ".section .fixup,\"ax\"\n"
19146 +                      "101:   lea 0(%%eax,%0,4),%0\n"
19147 +                      "       jmp 100b\n"
19148 +                      ".previous\n"
19149 +                      ".section __ex_table,\"a\"\n"
19150 +                      "       .align 4\n"
19151 +                      "       .long 1b,100b\n"
19152 +                      "       .long 2b,100b\n"
19153 +                      "       .long 3b,100b\n"
19154 +                      "       .long 4b,100b\n"
19155 +                      "       .long 5b,100b\n"
19156 +                      "       .long 6b,100b\n"
19157 +                      "       .long 7b,100b\n"
19158 +                      "       .long 8b,100b\n"
19159 +                      "       .long 9b,100b\n"
19160 +                      "       .long 10b,100b\n"
19161 +                      "       .long 11b,100b\n"
19162 +                      "       .long 12b,100b\n"
19163 +                      "       .long 13b,100b\n"
19164 +                      "       .long 14b,100b\n"
19165 +                      "       .long 15b,100b\n"
19166 +                      "       .long 16b,100b\n"
19167 +                      "       .long 17b,100b\n"
19168 +                      "       .long 18b,100b\n"
19169 +                      "       .long 19b,100b\n"
19170 +                      "       .long 20b,100b\n"
19171 +                      "       .long 21b,100b\n"
19172 +                      "       .long 22b,100b\n"
19173 +                      "       .long 23b,100b\n"
19174 +                      "       .long 24b,100b\n"
19175 +                      "       .long 25b,100b\n"
19176 +                      "       .long 26b,100b\n"
19177 +                      "       .long 27b,100b\n"
19178 +                      "       .long 28b,100b\n"
19179 +                      "       .long 29b,100b\n"
19180 +                      "       .long 30b,100b\n"
19181 +                      "       .long 31b,100b\n"
19182 +                      "       .long 32b,100b\n"
19183 +                      "       .long 33b,100b\n"
19184 +                      "       .long 34b,100b\n"
19185 +                      "       .long 35b,100b\n"
19186 +                      "       .long 36b,100b\n"
19187 +                      "       .long 37b,100b\n"
19188 +                      "       .long 99b,101b\n"
19189 +                      ".previous"
19190 +                      : "=&c"(size), "=&D" (d0), "=&S" (d1)
19191 +                      :  "1"(to), "2"(from), "0"(size)
19192 +                      : "eax", "edx", "memory");
19193 +       return size;
19194 +}
19195 +
19196 +static unsigned long
19197 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
19198 +{
19199 +       int d0, d1;
19200 +       __asm__ __volatile__(
19201 +                      "       .align 2,0x90\n"
19202 +                      "1:     "__copyuser_seg" movl 32(%4), %%eax\n"
19203 +                      "       cmpl $67, %0\n"
19204 +                      "       jbe 3f\n"
19205 +                      "2:     "__copyuser_seg" movl 64(%4), %%eax\n"
19206 +                      "       .align 2,0x90\n"
19207 +                      "3:     "__copyuser_seg" movl 0(%4), %%eax\n"
19208 +                      "4:     "__copyuser_seg" movl 4(%4), %%edx\n"
19209 +                      "5:     movl %%eax, 0(%3)\n"
19210 +                      "6:     movl %%edx, 4(%3)\n"
19211 +                      "7:     "__copyuser_seg" movl 8(%4), %%eax\n"
19212 +                      "8:     "__copyuser_seg" movl 12(%4),%%edx\n"
19213 +                      "9:     movl %%eax, 8(%3)\n"
19214 +                      "10:    movl %%edx, 12(%3)\n"
19215 +                      "11:    "__copyuser_seg" movl 16(%4), %%eax\n"
19216 +                      "12:    "__copyuser_seg" movl 20(%4), %%edx\n"
19217 +                      "13:    movl %%eax, 16(%3)\n"
19218 +                      "14:    movl %%edx, 20(%3)\n"
19219 +                      "15:    "__copyuser_seg" movl 24(%4), %%eax\n"
19220 +                      "16:    "__copyuser_seg" movl 28(%4), %%edx\n"
19221 +                      "17:    movl %%eax, 24(%3)\n"
19222 +                      "18:    movl %%edx, 28(%3)\n"
19223 +                      "19:    "__copyuser_seg" movl 32(%4), %%eax\n"
19224 +                      "20:    "__copyuser_seg" movl 36(%4), %%edx\n"
19225 +                      "21:    movl %%eax, 32(%3)\n"
19226 +                      "22:    movl %%edx, 36(%3)\n"
19227 +                      "23:    "__copyuser_seg" movl 40(%4), %%eax\n"
19228 +                      "24:    "__copyuser_seg" movl 44(%4), %%edx\n"
19229 +                      "25:    movl %%eax, 40(%3)\n"
19230 +                      "26:    movl %%edx, 44(%3)\n"
19231 +                      "27:    "__copyuser_seg" movl 48(%4), %%eax\n"
19232 +                      "28:    "__copyuser_seg" movl 52(%4), %%edx\n"
19233 +                      "29:    movl %%eax, 48(%3)\n"
19234 +                      "30:    movl %%edx, 52(%3)\n"
19235 +                      "31:    "__copyuser_seg" movl 56(%4), %%eax\n"
19236 +                      "32:    "__copyuser_seg" movl 60(%4), %%edx\n"
19237 +                      "33:    movl %%eax, 56(%3)\n"
19238 +                      "34:    movl %%edx, 60(%3)\n"
19239 +                      "       addl $-64, %0\n"
19240 +                      "       addl $64, %4\n"
19241 +                      "       addl $64, %3\n"
19242 +                      "       cmpl $63, %0\n"
19243 +                      "       ja  1b\n"
19244 +                      "35:    movl  %0, %%eax\n"
19245 +                      "       shrl  $2, %0\n"
19246 +                      "       andl  $3, %%eax\n"
19247 +                      "       cld\n"
19248 +                      "99:    rep; "__copyuser_seg" movsl\n"
19249 +                      "36:    movl %%eax, %0\n"
19250 +                      "37:    rep; "__copyuser_seg" movsb\n"
19251 +                      "100:\n"
19252                        ".section .fixup,\"ax\"\n"
19253                        "101:   lea 0(%%eax,%0,4),%0\n"
19254                        "       jmp 100b\n"
19255 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
19256         int d0, d1;
19257         __asm__ __volatile__(
19258                        "        .align 2,0x90\n"
19259 -                      "0:      movl 32(%4), %%eax\n"
19260 +                      "0:      "__copyuser_seg" movl 32(%4), %%eax\n"
19261                        "        cmpl $67, %0\n"
19262                        "        jbe 2f\n"
19263 -                      "1:      movl 64(%4), %%eax\n"
19264 +                      "1:      "__copyuser_seg" movl 64(%4), %%eax\n"
19265                        "        .align 2,0x90\n"
19266 -                      "2:      movl 0(%4), %%eax\n"
19267 -                      "21:     movl 4(%4), %%edx\n"
19268 +                      "2:      "__copyuser_seg" movl 0(%4), %%eax\n"
19269 +                      "21:     "__copyuser_seg" movl 4(%4), %%edx\n"
19270                        "        movl %%eax, 0(%3)\n"
19271                        "        movl %%edx, 4(%3)\n"
19272 -                      "3:      movl 8(%4), %%eax\n"
19273 -                      "31:     movl 12(%4),%%edx\n"
19274 +                      "3:      "__copyuser_seg" movl 8(%4), %%eax\n"
19275 +                      "31:     "__copyuser_seg" movl 12(%4),%%edx\n"
19276                        "        movl %%eax, 8(%3)\n"
19277                        "        movl %%edx, 12(%3)\n"
19278 -                      "4:      movl 16(%4), %%eax\n"
19279 -                      "41:     movl 20(%4), %%edx\n"
19280 +                      "4:      "__copyuser_seg" movl 16(%4), %%eax\n"
19281 +                      "41:     "__copyuser_seg" movl 20(%4), %%edx\n"
19282                        "        movl %%eax, 16(%3)\n"
19283                        "        movl %%edx, 20(%3)\n"
19284 -                      "10:     movl 24(%4), %%eax\n"
19285 -                      "51:     movl 28(%4), %%edx\n"
19286 +                      "10:     "__copyuser_seg" movl 24(%4), %%eax\n"
19287 +                      "51:     "__copyuser_seg" movl 28(%4), %%edx\n"
19288                        "        movl %%eax, 24(%3)\n"
19289                        "        movl %%edx, 28(%3)\n"
19290 -                      "11:     movl 32(%4), %%eax\n"
19291 -                      "61:     movl 36(%4), %%edx\n"
19292 +                      "11:     "__copyuser_seg" movl 32(%4), %%eax\n"
19293 +                      "61:     "__copyuser_seg" movl 36(%4), %%edx\n"
19294                        "        movl %%eax, 32(%3)\n"
19295                        "        movl %%edx, 36(%3)\n"
19296 -                      "12:     movl 40(%4), %%eax\n"
19297 -                      "71:     movl 44(%4), %%edx\n"
19298 +                      "12:     "__copyuser_seg" movl 40(%4), %%eax\n"
19299 +                      "71:     "__copyuser_seg" movl 44(%4), %%edx\n"
19300                        "        movl %%eax, 40(%3)\n"
19301                        "        movl %%edx, 44(%3)\n"
19302 -                      "13:     movl 48(%4), %%eax\n"
19303 -                      "81:     movl 52(%4), %%edx\n"
19304 +                      "13:     "__copyuser_seg" movl 48(%4), %%eax\n"
19305 +                      "81:     "__copyuser_seg" movl 52(%4), %%edx\n"
19306                        "        movl %%eax, 48(%3)\n"
19307                        "        movl %%edx, 52(%3)\n"
19308 -                      "14:     movl 56(%4), %%eax\n"
19309 -                      "91:     movl 60(%4), %%edx\n"
19310 +                      "14:     "__copyuser_seg" movl 56(%4), %%eax\n"
19311 +                      "91:     "__copyuser_seg" movl 60(%4), %%edx\n"
19312                        "        movl %%eax, 56(%3)\n"
19313                        "        movl %%edx, 60(%3)\n"
19314                        "        addl $-64, %0\n"
19315 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
19316                        "        shrl  $2, %0\n"
19317                        "        andl $3, %%eax\n"
19318                        "        cld\n"
19319 -                      "6:      rep; movsl\n"
19320 +                      "6:      rep; "__copyuser_seg" movsl\n"
19321                        "        movl %%eax,%0\n"
19322 -                      "7:      rep; movsb\n"
19323 +                      "7:      rep; "__copyuser_seg" movsb\n"
19324                        "8:\n"
19325                        ".section .fixup,\"ax\"\n"
19326                        "9:      lea 0(%%eax,%0,4),%0\n"
19327 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
19328  
19329         __asm__ __volatile__(
19330                "        .align 2,0x90\n"
19331 -              "0:      movl 32(%4), %%eax\n"
19332 +              "0:      "__copyuser_seg" movl 32(%4), %%eax\n"
19333                "        cmpl $67, %0\n"
19334                "        jbe 2f\n"
19335 -              "1:      movl 64(%4), %%eax\n"
19336 +              "1:      "__copyuser_seg" movl 64(%4), %%eax\n"
19337                "        .align 2,0x90\n"
19338 -              "2:      movl 0(%4), %%eax\n"
19339 -              "21:     movl 4(%4), %%edx\n"
19340 +              "2:      "__copyuser_seg" movl 0(%4), %%eax\n"
19341 +              "21:     "__copyuser_seg" movl 4(%4), %%edx\n"
19342                "        movnti %%eax, 0(%3)\n"
19343                "        movnti %%edx, 4(%3)\n"
19344 -              "3:      movl 8(%4), %%eax\n"
19345 -              "31:     movl 12(%4),%%edx\n"
19346 +              "3:      "__copyuser_seg" movl 8(%4), %%eax\n"
19347 +              "31:     "__copyuser_seg" movl 12(%4),%%edx\n"
19348                "        movnti %%eax, 8(%3)\n"
19349                "        movnti %%edx, 12(%3)\n"
19350 -              "4:      movl 16(%4), %%eax\n"
19351 -              "41:     movl 20(%4), %%edx\n"
19352 +              "4:      "__copyuser_seg" movl 16(%4), %%eax\n"
19353 +              "41:     "__copyuser_seg" movl 20(%4), %%edx\n"
19354                "        movnti %%eax, 16(%3)\n"
19355                "        movnti %%edx, 20(%3)\n"
19356 -              "10:     movl 24(%4), %%eax\n"
19357 -              "51:     movl 28(%4), %%edx\n"
19358 +              "10:     "__copyuser_seg" movl 24(%4), %%eax\n"
19359 +              "51:     "__copyuser_seg" movl 28(%4), %%edx\n"
19360                "        movnti %%eax, 24(%3)\n"
19361                "        movnti %%edx, 28(%3)\n"
19362 -              "11:     movl 32(%4), %%eax\n"
19363 -              "61:     movl 36(%4), %%edx\n"
19364 +              "11:     "__copyuser_seg" movl 32(%4), %%eax\n"
19365 +              "61:     "__copyuser_seg" movl 36(%4), %%edx\n"
19366                "        movnti %%eax, 32(%3)\n"
19367                "        movnti %%edx, 36(%3)\n"
19368 -              "12:     movl 40(%4), %%eax\n"
19369 -              "71:     movl 44(%4), %%edx\n"
19370 +              "12:     "__copyuser_seg" movl 40(%4), %%eax\n"
19371 +              "71:     "__copyuser_seg" movl 44(%4), %%edx\n"
19372                "        movnti %%eax, 40(%3)\n"
19373                "        movnti %%edx, 44(%3)\n"
19374 -              "13:     movl 48(%4), %%eax\n"
19375 -              "81:     movl 52(%4), %%edx\n"
19376 +              "13:     "__copyuser_seg" movl 48(%4), %%eax\n"
19377 +              "81:     "__copyuser_seg" movl 52(%4), %%edx\n"
19378                "        movnti %%eax, 48(%3)\n"
19379                "        movnti %%edx, 52(%3)\n"
19380 -              "14:     movl 56(%4), %%eax\n"
19381 -              "91:     movl 60(%4), %%edx\n"
19382 +              "14:     "__copyuser_seg" movl 56(%4), %%eax\n"
19383 +              "91:     "__copyuser_seg" movl 60(%4), %%edx\n"
19384                "        movnti %%eax, 56(%3)\n"
19385                "        movnti %%edx, 60(%3)\n"
19386                "        addl $-64, %0\n"
19387 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
19388                "        shrl  $2, %0\n"
19389                "        andl $3, %%eax\n"
19390                "        cld\n"
19391 -              "6:      rep; movsl\n"
19392 +              "6:      rep; "__copyuser_seg" movsl\n"
19393                "        movl %%eax,%0\n"
19394 -              "7:      rep; movsb\n"
19395 +              "7:      rep; "__copyuser_seg" movsb\n"
19396                "8:\n"
19397                ".section .fixup,\"ax\"\n"
19398                "9:      lea 0(%%eax,%0,4),%0\n"
19399 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
19400  
19401         __asm__ __volatile__(
19402                "        .align 2,0x90\n"
19403 -              "0:      movl 32(%4), %%eax\n"
19404 +              "0:      "__copyuser_seg" movl 32(%4), %%eax\n"
19405                "        cmpl $67, %0\n"
19406                "        jbe 2f\n"
19407 -              "1:      movl 64(%4), %%eax\n"
19408 +              "1:      "__copyuser_seg" movl 64(%4), %%eax\n"
19409                "        .align 2,0x90\n"
19410 -              "2:      movl 0(%4), %%eax\n"
19411 -              "21:     movl 4(%4), %%edx\n"
19412 +              "2:      "__copyuser_seg" movl 0(%4), %%eax\n"
19413 +              "21:     "__copyuser_seg" movl 4(%4), %%edx\n"
19414                "        movnti %%eax, 0(%3)\n"
19415                "        movnti %%edx, 4(%3)\n"
19416 -              "3:      movl 8(%4), %%eax\n"
19417 -              "31:     movl 12(%4),%%edx\n"
19418 +              "3:      "__copyuser_seg" movl 8(%4), %%eax\n"
19419 +              "31:     "__copyuser_seg" movl 12(%4),%%edx\n"
19420                "        movnti %%eax, 8(%3)\n"
19421                "        movnti %%edx, 12(%3)\n"
19422 -              "4:      movl 16(%4), %%eax\n"
19423 -              "41:     movl 20(%4), %%edx\n"
19424 +              "4:      "__copyuser_seg" movl 16(%4), %%eax\n"
19425 +              "41:     "__copyuser_seg" movl 20(%4), %%edx\n"
19426                "        movnti %%eax, 16(%3)\n"
19427                "        movnti %%edx, 20(%3)\n"
19428 -              "10:     movl 24(%4), %%eax\n"
19429 -              "51:     movl 28(%4), %%edx\n"
19430 +              "10:     "__copyuser_seg" movl 24(%4), %%eax\n"
19431 +              "51:     "__copyuser_seg" movl 28(%4), %%edx\n"
19432                "        movnti %%eax, 24(%3)\n"
19433                "        movnti %%edx, 28(%3)\n"
19434 -              "11:     movl 32(%4), %%eax\n"
19435 -              "61:     movl 36(%4), %%edx\n"
19436 +              "11:     "__copyuser_seg" movl 32(%4), %%eax\n"
19437 +              "61:     "__copyuser_seg" movl 36(%4), %%edx\n"
19438                "        movnti %%eax, 32(%3)\n"
19439                "        movnti %%edx, 36(%3)\n"
19440 -              "12:     movl 40(%4), %%eax\n"
19441 -              "71:     movl 44(%4), %%edx\n"
19442 +              "12:     "__copyuser_seg" movl 40(%4), %%eax\n"
19443 +              "71:     "__copyuser_seg" movl 44(%4), %%edx\n"
19444                "        movnti %%eax, 40(%3)\n"
19445                "        movnti %%edx, 44(%3)\n"
19446 -              "13:     movl 48(%4), %%eax\n"
19447 -              "81:     movl 52(%4), %%edx\n"
19448 +              "13:     "__copyuser_seg" movl 48(%4), %%eax\n"
19449 +              "81:     "__copyuser_seg" movl 52(%4), %%edx\n"
19450                "        movnti %%eax, 48(%3)\n"
19451                "        movnti %%edx, 52(%3)\n"
19452 -              "14:     movl 56(%4), %%eax\n"
19453 -              "91:     movl 60(%4), %%edx\n"
19454 +              "14:     "__copyuser_seg" movl 56(%4), %%eax\n"
19455 +              "91:     "__copyuser_seg" movl 60(%4), %%edx\n"
19456                "        movnti %%eax, 56(%3)\n"
19457                "        movnti %%edx, 60(%3)\n"
19458                "        addl $-64, %0\n"
19459 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
19460                "        shrl  $2, %0\n"
19461                "        andl $3, %%eax\n"
19462                "        cld\n"
19463 -              "6:      rep; movsl\n"
19464 +              "6:      rep; "__copyuser_seg" movsl\n"
19465                "        movl %%eax,%0\n"
19466 -              "7:      rep; movsb\n"
19467 +              "7:      rep; "__copyuser_seg" movsb\n"
19468                "8:\n"
19469                ".section .fixup,\"ax\"\n"
19470                "9:      lea 0(%%eax,%0,4),%0\n"
19471 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
19472   */
19473  unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
19474                                         unsigned long size);
19475 -unsigned long __copy_user_intel(void __user *to, const void *from,
19476 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
19477 +                                       unsigned long size);
19478 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
19479                                         unsigned long size);
19480  unsigned long __copy_user_zeroing_intel_nocache(void *to,
19481                                 const void __user *from, unsigned long size);
19482  #endif /* CONFIG_X86_INTEL_USERCOPY */
19483  
19484  /* Generic arbitrary sized copy.  */
19485 -#define __copy_user(to, from, size)                                    \
19486 +#define __copy_user(to, from, size, prefix, set, restore)              \
19487  do {                                                                   \
19488         int __d0, __d1, __d2;                                           \
19489         __asm__ __volatile__(                                           \
19490 +               set                                                     \
19491                 "       cmp  $7,%0\n"                                   \
19492                 "       jbe  1f\n"                                      \
19493                 "       movl %1,%0\n"                                   \
19494                 "       negl %0\n"                                      \
19495                 "       andl $7,%0\n"                                   \
19496                 "       subl %0,%3\n"                                   \
19497 -               "4:     rep; movsb\n"                                   \
19498 +               "4:     rep; "prefix"movsb\n"                           \
19499                 "       movl %3,%0\n"                                   \
19500                 "       shrl $2,%0\n"                                   \
19501                 "       andl $3,%3\n"                                   \
19502                 "       .align 2,0x90\n"                                \
19503 -               "0:     rep; movsl\n"                                   \
19504 +               "0:     rep; "prefix"movsl\n"                           \
19505                 "       movl %3,%0\n"                                   \
19506 -               "1:     rep; movsb\n"                                   \
19507 +               "1:     rep; "prefix"movsb\n"                           \
19508                 "2:\n"                                                  \
19509 +               restore                                                 \
19510                 ".section .fixup,\"ax\"\n"                              \
19511                 "5:     addl %3,%0\n"                                   \
19512                 "       jmp 2b\n"                                       \
19513 @@ -682,14 +799,14 @@ do {                                                                      \
19514                 "       negl %0\n"                                      \
19515                 "       andl $7,%0\n"                                   \
19516                 "       subl %0,%3\n"                                   \
19517 -               "4:     rep; movsb\n"                                   \
19518 +               "4:     rep; "__copyuser_seg"movsb\n"                   \
19519                 "       movl %3,%0\n"                                   \
19520                 "       shrl $2,%0\n"                                   \
19521                 "       andl $3,%3\n"                                   \
19522                 "       .align 2,0x90\n"                                \
19523 -               "0:     rep; movsl\n"                                   \
19524 +               "0:     rep; "__copyuser_seg"movsl\n"                   \
19525                 "       movl %3,%0\n"                                   \
19526 -               "1:     rep; movsb\n"                                   \
19527 +               "1:     rep; "__copyuser_seg"movsb\n"                   \
19528                 "2:\n"                                                  \
19529                 ".section .fixup,\"ax\"\n"                              \
19530                 "5:     addl %3,%0\n"                                   \
19531 @@ -775,9 +892,9 @@ survive:
19532         }
19533  #endif
19534         if (movsl_is_ok(to, from, n))
19535 -               __copy_user(to, from, n);
19536 +               __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
19537         else
19538 -               n = __copy_user_intel(to, from, n);
19539 +               n = __generic_copy_to_user_intel(to, from, n);
19540         return n;
19541  }
19542  EXPORT_SYMBOL(__copy_to_user_ll);
19543 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
19544                                          unsigned long n)
19545  {
19546         if (movsl_is_ok(to, from, n))
19547 -               __copy_user(to, from, n);
19548 +               __copy_user(to, from, n, __copyuser_seg, "", "");
19549         else
19550 -               n = __copy_user_intel((void __user *)to,
19551 -                                     (const void *)from, n);
19552 +               n = __generic_copy_from_user_intel(to, from, n);
19553         return n;
19554  }
19555  EXPORT_SYMBOL(__copy_from_user_ll_nozero);
19556 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
19557         if (n > 64 && cpu_has_xmm2)
19558                 n = __copy_user_intel_nocache(to, from, n);
19559         else
19560 -               __copy_user(to, from, n);
19561 +               __copy_user(to, from, n, __copyuser_seg, "", "");
19562  #else
19563 -       __copy_user(to, from, n);
19564 +       __copy_user(to, from, n, __copyuser_seg, "", "");
19565  #endif
19566         return n;
19567  }
19568  EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
19569  
19570 -/**
19571 - * copy_to_user: - Copy a block of data into user space.
19572 - * @to:   Destination address, in user space.
19573 - * @from: Source address, in kernel space.
19574 - * @n:    Number of bytes to copy.
19575 - *
19576 - * Context: User context only.  This function may sleep.
19577 - *
19578 - * Copy data from kernel space to user space.
19579 - *
19580 - * Returns number of bytes that could not be copied.
19581 - * On success, this will be zero.
19582 - */
19583 -unsigned long
19584 -copy_to_user(void __user *to, const void *from, unsigned long n)
19585 +void copy_from_user_overflow(void)
19586  {
19587 -       if (access_ok(VERIFY_WRITE, to, n))
19588 -               n = __copy_to_user(to, from, n);
19589 -       return n;
19590 +       WARN(1, "Buffer overflow detected!\n");
19591  }
19592 -EXPORT_SYMBOL(copy_to_user);
19593 +EXPORT_SYMBOL(copy_from_user_overflow);
19594  
19595 -/**
19596 - * copy_from_user: - Copy a block of data from user space.
19597 - * @to:   Destination address, in kernel space.
19598 - * @from: Source address, in user space.
19599 - * @n:    Number of bytes to copy.
19600 - *
19601 - * Context: User context only.  This function may sleep.
19602 - *
19603 - * Copy data from user space to kernel space.
19604 - *
19605 - * Returns number of bytes that could not be copied.
19606 - * On success, this will be zero.
19607 - *
19608 - * If some data could not be copied, this function will pad the copied
19609 - * data to the requested size using zero bytes.
19610 - */
19611 -unsigned long
19612 -_copy_from_user(void *to, const void __user *from, unsigned long n)
19613 +void copy_to_user_overflow(void)
19614  {
19615 -       if (access_ok(VERIFY_READ, from, n))
19616 -               n = __copy_from_user(to, from, n);
19617 -       else
19618 -               memset(to, 0, n);
19619 -       return n;
19620 +       WARN(1, "Buffer overflow detected!\n");
19621  }
19622 -EXPORT_SYMBOL(_copy_from_user);
19623 +EXPORT_SYMBOL(copy_to_user_overflow);
19624  
19625 -void copy_from_user_overflow(void)
19626 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19627 +void __set_fs(mm_segment_t x)
19628  {
19629 -       WARN(1, "Buffer overflow detected!\n");
19630 +       switch (x.seg) {
19631 +       case 0:
19632 +               loadsegment(gs, 0);
19633 +               break;
19634 +       case TASK_SIZE_MAX:
19635 +               loadsegment(gs, __USER_DS);
19636 +               break;
19637 +       case -1UL:
19638 +               loadsegment(gs, __KERNEL_DS);
19639 +               break;
19640 +       default:
19641 +               BUG();
19642 +       }
19643 +       return;
19644  }
19645 -EXPORT_SYMBOL(copy_from_user_overflow);
19646 +EXPORT_SYMBOL(__set_fs);
19647 +
19648 +void set_fs(mm_segment_t x)
19649 +{
19650 +       current_thread_info()->addr_limit = x;
19651 +       __set_fs(x);
19652 +}
19653 +EXPORT_SYMBOL(set_fs);
19654 +#endif
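Review bot: `copy_from_user_overflow()` and `copy_to_user_overflow()` now emit the identical `"Buffer overflow detected!\n"`, so a log line alone no longer says which direction tripped; make the text direction-specific, e.g. `WARN(1, "copy_to_user: buffer overflow detected!\n");` and the matching `copy_from_user:` wording. The exported `copy_to_user()` and `_copy_from_user()` definitions are removed from this file and their replacements are not visible here — presumably they become inline elsewhere in the patch — so anything that bound to those exported symbols loses them. In `__set_fs()` the trailing `return;` before the closing brace is redundant, and `default: BUG();` deserves a one-line comment recording that any addr_limit other than the three listed values is treated as corruption.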
19655 diff -urNp linux-3.0.9/arch/x86/lib/usercopy_64.c linux-3.0.9/arch/x86/lib/usercopy_64.c
19656 --- linux-3.0.9/arch/x86/lib/usercopy_64.c      2011-11-11 13:12:24.000000000 -0500
19657 +++ linux-3.0.9/arch/x86/lib/usercopy_64.c      2011-11-15 20:02:59.000000000 -0500
19658 @@ -42,6 +42,12 @@ long
19659  __strncpy_from_user(char *dst, const char __user *src, long count)
19660  {
19661         long res;
19662 +
19663 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19664 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19665 +               src += PAX_USER_SHADOW_BASE;
19666 +#endif
19667 +
19668         __do_strncpy_from_user(dst, src, count, res);
19669         return res;
19670  }
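Review bot: The relocation `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is copy-pasted into `__strncpy_from_user()`, `__clear_user()` (next hunk) and twice into `copy_in_user()` (`@@ -151,10 +163,18 @@`); a single `static inline` helper or macro (the pointee types differ per caller) would keep the rule in one place. What `PAX_USER_SHADOW_BASE` denotes is not visible here — presumably the UDEREF alias of user space — so the helper's comment should say so and note that it must be applied after `access_ok()` has validated the original address, as `copy_in_user()` already does.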
19671 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
19672  {
19673         long __d0;
19674         might_fault();
19675 +
19676 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19677 +       if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
19678 +               addr += PAX_USER_SHADOW_BASE;
19679 +#endif
19680 +
19681         /* no memory constraint because it doesn't change any memory gcc knows
19682            about */
19683         asm volatile(
19684 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
19685  
19686  unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
19687  {
19688 -       if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) { 
19689 -               return copy_user_generic((__force void *)to, (__force void *)from, len);
19690 -       } 
19691 -       return len;             
19692 +       if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19693 +
19694 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19695 +               if ((unsigned long)to < PAX_USER_SHADOW_BASE)
19696 +                       to += PAX_USER_SHADOW_BASE;
19697 +               if ((unsigned long)from < PAX_USER_SHADOW_BASE)
19698 +                       from += PAX_USER_SHADOW_BASE;
19699 +#endif
19700 +
19701 +               return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
19702 +       }
19703 +       return len;
19704  }
19705  EXPORT_SYMBOL(copy_in_user);
19706  
19707 @@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
19708   * it is not necessary to optimize tail handling.
19709   */
19710  unsigned long
19711 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
19712 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
19713  {
19714         char c;
19715         unsigned zero_len;
19716 diff -urNp linux-3.0.9/arch/x86/Makefile linux-3.0.9/arch/x86/Makefile
19717 --- linux-3.0.9/arch/x86/Makefile       2011-11-11 13:12:24.000000000 -0500
19718 +++ linux-3.0.9/arch/x86/Makefile       2011-11-15 20:02:59.000000000 -0500
19719 @@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
19720  else
19721          BITS := 64
19722          UTS_MACHINE := x86_64
19723 +        biarch := $(call cc-option,-m64)
19724          CHECKFLAGS += -D__x86_64__ -m64
19725  
19726          KBUILD_AFLAGS += -m64
19727 @@ -195,3 +196,12 @@ define archhelp
19728    echo  '                  FDARGS="..."  arguments for the booted kernel'
19729    echo  '                  FDINITRD=file initrd for the booted kernel'
19730  endef
19731 +
19732 +define OLD_LD
19733 +
19734 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
19735 +*** Please upgrade your binutils to 2.18 or newer
19736 +endef
19737 +
19738 +archprepare:
19739 +       $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
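Review bot: The binutils check is expressed through `LDFLAGS_BUILD_ID`, a proxy that the top-level Makefile sets only when the linker accepts `--build-id`, and nothing here explains that; add above the rule `# LDFLAGS_BUILD_ID is only set when ld supports --build-id (binutils >= 2.18); use it as the version probe`. Because the `$(if ...,$(error ...))` sits in a recipe line it is expanded only when `archprepare` is actually built, which is presumably intended so that `make help` or `make clean` still work. If this Makefile already defines a recipe for `archprepare` outside the hunk, GNU make will warn about the overriding recipe; worth confirming.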
19740 diff -urNp linux-3.0.9/arch/x86/mm/extable.c linux-3.0.9/arch/x86/mm/extable.c
19741 --- linux-3.0.9/arch/x86/mm/extable.c   2011-11-11 13:12:24.000000000 -0500
19742 +++ linux-3.0.9/arch/x86/mm/extable.c   2011-11-15 20:02:59.000000000 -0500
19743 @@ -8,7 +8,7 @@ int fixup_exception(struct pt_regs *regs
19744         const struct exception_table_entry *fixup;
19745  
19746  #ifdef CONFIG_PNPBIOS
19747 -       if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
19748 +       if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
19749                 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
19750                 extern u32 pnp_bios_is_utter_crap;
19751                 pnp_bios_is_utter_crap = 1;
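Review bot: The added `!v8086_mode(regs)` guard has no comment explaining why vm86 faults must not take the PnP BIOS path; presumably a vm86 task's real-mode CS value can numerically collide with the PnP BIOS code selector, which would let such a fault be mis-attributed to BIOS code, but that reasoning should be recorded in place, e.g. `/* a vm86 CS is a real-mode segment and can alias the PnP BIOS selector */`. `fixup_exception()` continues outside the hunk.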
19752 diff -urNp linux-3.0.9/arch/x86/mm/fault.c linux-3.0.9/arch/x86/mm/fault.c
19753 --- linux-3.0.9/arch/x86/mm/fault.c     2011-11-11 13:12:24.000000000 -0500
19754 +++ linux-3.0.9/arch/x86/mm/fault.c     2011-11-15 20:02:59.000000000 -0500
19755 @@ -13,10 +13,18 @@
19756  #include <linux/perf_event.h>          /* perf_sw_event                */
19757  #include <linux/hugetlb.h>             /* hstate_index_to_shift        */
19758  #include <linux/prefetch.h>            /* prefetchw                    */
19759 +#include <linux/unistd.h>
19760 +#include <linux/compiler.h>
19761  
19762  #include <asm/traps.h>                 /* dotraplinkage, ...           */
19763  #include <asm/pgalloc.h>               /* pgd_*(), ...                 */
19764  #include <asm/kmemcheck.h>             /* kmemcheck_*(), ...           */
19765 +#include <asm/vsyscall.h>
19766 +#include <asm/tlbflush.h>
19767 +
19768 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19769 +#include <asm/stacktrace.h>
19770 +#endif
19771  
19772  /*
19773   * Page fault error code bits:
19774 @@ -54,7 +62,7 @@ static inline int __kprobes notify_page_
19775         int ret = 0;
19776  
19777         /* kprobe_running() needs smp_processor_id() */
19778 -       if (kprobes_built_in() && !user_mode_vm(regs)) {
19779 +       if (kprobes_built_in() && !user_mode(regs)) {
19780                 preempt_disable();
19781                 if (kprobe_running() && kprobe_fault_handler(regs, 14))
19782                         ret = 1;
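Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes behaviour for vm86 faults on 32-bit: the original helper also counted v8086 mode as user, so with `user_mode()` such faults now reach `kprobe_fault_handler()` unless `user_mode()` has been redefined elsewhere in this patch to include v8086, which is not visible here. If that redefinition exists, a comment at this call site (or on the new definition) would spare the next reader the same question. `notify_page_fault()` continues outside the hunk.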
19783 @@ -115,7 +123,10 @@ check_prefetch_opcode(struct pt_regs *re
19784                 return !instr_lo || (instr_lo>>1) == 1;
19785         case 0x00:
19786                 /* Prefetch instruction is 0x0F0D or 0x0F18 */
19787 -               if (probe_kernel_address(instr, opcode))
19788 +               if (user_mode(regs)) {
19789 +                       if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19790 +                               return 0;
19791 +               } else if (probe_kernel_address(instr, opcode))
19792                         return 0;
19793  
19794                 *prefetch = (instr_lo == 0xF) &&
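Review bot: The user-mode opcode fetch `if (user_mode(regs)) { if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1)) return 0; } else if (probe_kernel_address(instr, opcode))` is duplicated in `is_prefetch()` (`@@ -149,7 +160,10 @@`) with only the failure statement differing; a small static helper returning success or failure would keep the two in step. The `__copy_from_user_inatomic()` path performs no `access_ok()`, which is acceptable only because `instr` is presumably derived from the faulting user `ip` and bounded by `max_instr` in the caller; that assumption deserves a one-line comment next to the call. Both enclosing functions start outside the hunk.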
19795 @@ -149,7 +160,10 @@ is_prefetch(struct pt_regs *regs, unsign
19796         while (instr < max_instr) {
19797                 unsigned char opcode;
19798  
19799 -               if (probe_kernel_address(instr, opcode))
19800 +               if (user_mode(regs)) {
19801 +                       if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19802 +                               break;
19803 +               } else if (probe_kernel_address(instr, opcode))
19804                         break;
19805  
19806                 instr++;
19807 @@ -180,6 +194,30 @@ force_sig_info_fault(int si_signo, int s
19808         force_sig_info(si_signo, &info, tsk);
19809  }
19810  
19811 +#ifdef CONFIG_PAX_EMUTRAMP
19812 +static int pax_handle_fetch_fault(struct pt_regs *regs);
19813 +#endif
19814 +
19815 +#ifdef CONFIG_PAX_PAGEEXEC
19816 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
19817 +{
19818 +       pgd_t *pgd;
19819 +       pud_t *pud;
19820 +       pmd_t *pmd;
19821 +
19822 +       pgd = pgd_offset(mm, address);
19823 +       if (!pgd_present(*pgd))
19824 +               return NULL;
19825 +       pud = pud_offset(pgd, address);
19826 +       if (!pud_present(*pud))
19827 +               return NULL;
19828 +       pmd = pmd_offset(pud, address);
19829 +       if (!pmd_present(*pmd))
19830 +               return NULL;
19831 +       return pmd;
19832 +}
19833 +#endif
19834 +
19835  DEFINE_SPINLOCK(pgd_lock);
19836  LIST_HEAD(pgd_list);
19837  
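Review bot: `pax_get_pmd()` lacks a header comment: it returns the PMD entry pointer covering `address` in `mm`, or NULL when the PGD, PUD or PMD level is not present, and callers must still check for a large-page PMD before treating the result as a page-table pointer, since `pmd_present()` alone does not rule that out. Suggested text: `/* Walk mm's page tables to the PMD covering address; NULL if any upper level is absent. Callers must handle a huge PMD themselves. */`. Style: `pmd_t * pax_get_pmd` should be `pmd_t *pax_get_pmd` to match the kernel's declarator convention, and the forward declaration of `pax_handle_fetch_fault()` would read better with a note saying where it is defined.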
19838 @@ -230,10 +268,22 @@ void vmalloc_sync_all(void)
19839         for (address = VMALLOC_START & PMD_MASK;
19840              address >= TASK_SIZE && address < FIXADDR_TOP;
19841              address += PMD_SIZE) {
19842 +
19843 +#ifdef CONFIG_PAX_PER_CPU_PGD
19844 +               unsigned long cpu;
19845 +#else
19846                 struct page *page;
19847 +#endif
19848  
19849                 spin_lock(&pgd_lock);
19850 +
19851 +#ifdef CONFIG_PAX_PER_CPU_PGD
19852 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19853 +                       pgd_t *pgd = get_cpu_pgd(cpu);
19854 +                       pmd_t *ret;
19855 +#else
19856                 list_for_each_entry(page, &pgd_list, lru) {
19857 +                       pgd_t *pgd = page_address(page);
19858                         spinlock_t *pgt_lock;
19859                         pmd_t *ret;
19860  
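Review bot: In the CONFIG_PAX_PER_CPU_PGD arm the new loop walks `cpu = 0 .. NR_CPUS-1` and calls get_cpu_pgd() for every slot, including CPUs that are not possible on this machine; if get_cpu_pgd() indexes a per-cpu area, `for_each_possible_cpu(cpu)` bounds the work and avoids touching pgds that were never set up. That arm also drops the page_table_lock the list path takes (the `pgt_lock` lines, continued in the hunk at `@@ -241,8 +291,13 @@`), and nothing states why pgd_lock alone suffices; a comment such as `/* PaX: per-cpu pgds are only modified under pgd_lock, no mm lock needed */` would record that (the reason is my inference, please confirm). Splitting the opening brace of the loop between two #ifdef arms while sharing the closing brace is hard to read; a small helper that syncs one pgd under whatever lock it needs would let both arms call it.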
19861 @@ -241,8 +291,13 @@ void vmalloc_sync_all(void)
19862                         pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
19863  
19864                         spin_lock(pgt_lock);
19865 -                       ret = vmalloc_sync_one(page_address(page), address);
19866 +#endif
19867 +
19868 +                       ret = vmalloc_sync_one(pgd, address);
19869 +
19870 +#ifndef CONFIG_PAX_PER_CPU_PGD
19871                         spin_unlock(pgt_lock);
19872 +#endif
19873  
19874                         if (!ret)
19875                                 break;
19876 @@ -276,6 +331,11 @@ static noinline __kprobes int vmalloc_fa
19877          * an interrupt in the middle of a task switch..
19878          */
19879         pgd_paddr = read_cr3();
19880 +
19881 +#ifdef CONFIG_PAX_PER_CPU_PGD
19882 +       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
19883 +#endif
19884 +
19885         pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
19886         if (!pmd_k)
19887                 return -1;
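Review bot: The two new BUG_ON() checks (here and in the hunk at `@@ -371,7 +431,14 @@`) assert that cr3 still holds this CPU's private pgd, but neither says what a failure would mean, and an oops inside the page-fault path is the most drastic response available. A short comment, `/* PaX: with per-cpu pgds cr3 must always hold this CPU's own pgd; a mismatch means a pgd switch was missed and is not recoverable here */`, would tell the next reader why this is a hard invariant rather than a recoverable condition (the cause is my inference, please adjust). Factoring the duplicated expression into a `pax_check_cpu_pgd()` helper would also keep the two sites in step.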
19888 @@ -371,7 +431,14 @@ static noinline __kprobes int vmalloc_fa
19889          * happen within a race in page table update. In the later
19890          * case just flush:
19891          */
19892 +
19893 +#ifdef CONFIG_PAX_PER_CPU_PGD
19894 +       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
19895 +       pgd = pgd_offset_cpu(smp_processor_id(), address);
19896 +#else
19897         pgd = pgd_offset(current->active_mm, address);
19898 +#endif
19899 +
19900         pgd_ref = pgd_offset_k(address);
19901         if (pgd_none(*pgd_ref))
19902                 return -1;
19903 @@ -533,7 +600,7 @@ static int is_errata93(struct pt_regs *r
19904  static int is_errata100(struct pt_regs *regs, unsigned long address)
19905  {
19906  #ifdef CONFIG_X86_64
19907 -       if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
19908 +       if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
19909                 return 1;
19910  #endif
19911         return 0;
19912 @@ -560,7 +627,7 @@ static int is_f00f_bug(struct pt_regs *r
19913  }
19914  
19915  static const char nx_warning[] = KERN_CRIT
19916 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
19917 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
19918  
19919  static void
19920  show_fault_oops(struct pt_regs *regs, unsigned long error_code,
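Review bot: The extended nx_warning still prints current_uid() with `%d` while the PAX messages added in the next hunk print the same uid_t with `%u`; `(uid: %u, task: %s, pid: %d)` keeps the format correct for a large unsigned uid and consistent with the other messages. current->comm is user-settable via prctl(PR_SET_NAME) and is logged with a bare `%s`; that matches the rest of the kernel, but anyone correlating these lines in log tooling should treat the task name as untrusted text rather than an identifier.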
19921 @@ -569,14 +636,25 @@ show_fault_oops(struct pt_regs *regs, un
19922         if (!oops_may_print())
19923                 return;
19924  
19925 -       if (error_code & PF_INSTR) {
19926 +       if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
19927                 unsigned int level;
19928  
19929                 pte_t *pte = lookup_address(address, &level);
19930  
19931                 if (pte && pte_present(*pte) && !pte_exec(*pte))
19932 -                       printk(nx_warning, current_uid());
19933 +                       printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
19934 +       }
19935 +
19936 +#ifdef CONFIG_PAX_KERNEXEC
19937 +       if (init_mm.start_code <= address && address < init_mm.end_code) {
19938 +               if (current->signal->curr_ip)
19939 +                       printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
19940 +                                        &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
19941 +               else
19942 +                       printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
19943 +                                        current->comm, task_pid_nr(current), current_uid(), current_euid());
19944         }
19945 +#endif
19946  
19947         printk(KERN_ALERT "BUG: unable to handle kernel ");
19948         if (address < PAGE_SIZE)
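Review bot: The new CONFIG_PAX_KERNEXEC report says the task "attempted to modify kernel code" for any fault whose address falls in `[init_mm.start_code, init_mm.end_code)` without testing `error_code & PF_WRITE`; if a non-write fault in that range can reach show_fault_oops() the message would be misleading, so gating it as `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code)` makes the report match its wording (whether a non-write fault can get here is my inference). The two printk() arms differ only in the `From %pI4: ` prefix; printing the prefix in one KERN_ERR printk and the rest in a KERN_CONT would remove the duplicated format string and keep the two in step if fields are added later. The first change in the hunk, requiring `__supported_pte_mask & _PAGE_NX` before lookup_address(), deserves a one-line why-comment such as `/* without NX support an instruction fetch fault cannot be an NX violation */`.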
19949 @@ -702,6 +780,66 @@ __bad_area_nosemaphore(struct pt_regs *r
19950                        unsigned long address, int si_code)
19951  {
19952         struct task_struct *tsk = current;
19953 +#if defined(CONFIG_X86_64) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19954 +       struct mm_struct *mm = tsk->mm;
19955 +#endif
19956 +
19957 +#ifdef CONFIG_X86_64
19958 +       if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
19959 +               if (regs->ip == VSYSCALL_ADDR(__NR_vgettimeofday) ||
19960 +                   regs->ip == VSYSCALL_ADDR(__NR_vtime) ||
19961 +                   regs->ip == VSYSCALL_ADDR(__NR_vgetcpu)) {
19962 +                       regs->ip += mm->context.vdso - PAGE_SIZE - VSYSCALL_START;
19963 +                       return;
19964 +               }
19965 +       }
19966 +#endif
19967 +
19968 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19969 +       if (mm && (error_code & PF_USER)) {
19970 +               unsigned long ip = regs->ip;
19971 +
19972 +               if (v8086_mode(regs))
19973 +                       ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
19974 +
19975 +               /*
19976 +                * It's possible to have interrupts off here:
19977 +                */
19978 +               local_irq_enable();
19979 +
19980 +#ifdef CONFIG_PAX_PAGEEXEC
19981 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
19982 +                   (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
19983 +
19984 +#ifdef CONFIG_PAX_EMUTRAMP
19985 +                       switch (pax_handle_fetch_fault(regs)) {
19986 +                       case 2:
19987 +                               return;
19988 +                       }
19989 +#endif
19990 +
19991 +                       pax_report_fault(regs, (void *)ip, (void *)regs->sp);
19992 +                       do_group_exit(SIGKILL);
19993 +               }
19994 +#endif
19995 +
19996 +#ifdef CONFIG_PAX_SEGMEXEC
19997 +               if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
19998 +
19999 +#ifdef CONFIG_PAX_EMUTRAMP
20000 +                       switch (pax_handle_fetch_fault(regs)) {
20001 +                       case 2:
20002 +                               return;
20003 +                       }
20004 +#endif
20005 +
20006 +                       pax_report_fault(regs, (void *)ip, (void *)regs->sp);
20007 +                       do_group_exit(SIGKILL);
20008 +               }
20009 +#endif
20010 +
20011 +       }
20012 +#endif
20013  
20014         /* User mode accesses just cause a SIGSEGV */
20015         if (error_code & PF_USER) {
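Review bot: The `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` followed by pax_report_fault() and do_group_exit(SIGKILL) is repeated verbatim in the PAGEEXEC and SEGMEXEC arms here and once more in pax_handle_pageexec_fault() (hunk `@@ -871,6 +1009,99 @@`), and a single-case switch with no default reads as an incomplete dispatch. A small helper that either emulates or kills, and only returns in the emulated case, lets each site become `pax_emulate_or_kill(regs, ip); return;` (or `return 1;` in the pageexec handler). Separately, the CONFIG_X86_64 vsyscall redirect at the top of the hunk silently rewrites regs->ip and returns without a signal, which relies on the vdso mapping having an emulation page one PAGE_SIZE below `mm->context.vdso` with the same entry offsets as the vsyscall page; that layout assumption is not visible in this file and should be stated in a comment at the `regs->ip +=` line (my reading, please confirm).
```c
#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
/*
 * PaX: try to emulate a known gcc trampoline at regs->ip; otherwise report
 * the fault and kill the whole thread group.  Returns only when emulated.
 */
static void pax_emulate_or_kill(struct pt_regs *regs, unsigned long ip)
{
#ifdef CONFIG_PAX_EMUTRAMP
	if (pax_handle_fetch_fault(regs) == 2)
		return;
#endif
	pax_report_fault(regs, (void *)ip, (void *)regs->sp);
	do_group_exit(SIGKILL);
}
#endif

/* … unchanged: __bad_area_nosemaphore prologue, vsyscall redirect, ip/v8086 setup … */
#ifdef CONFIG_PAX_PAGEEXEC
		if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
		    (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
			pax_emulate_or_kill(regs, ip);
			return;
		}
#endif
```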
20016 @@ -871,6 +1009,99 @@ static int spurious_fault_check(unsigned
20017         return 1;
20018  }
20019  
20020 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20021 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
20022 +{
20023 +       pte_t *pte;
20024 +       pmd_t *pmd;
20025 +       spinlock_t *ptl;
20026 +       unsigned char pte_mask;
20027 +
20028 +       if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
20029 +           !(mm->pax_flags & MF_PAX_PAGEEXEC))
20030 +               return 0;
20031 +
20032 +       /* PaX: it's our fault, let's handle it if we can */
20033 +
20034 +       /* PaX: take a look at read faults before acquiring any locks */
20035 +       if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
20036 +               /* instruction fetch attempt from a protected page in user mode */
20037 +               up_read(&mm->mmap_sem);
20038 +
20039 +#ifdef CONFIG_PAX_EMUTRAMP
20040 +               switch (pax_handle_fetch_fault(regs)) {
20041 +               case 2:
20042 +                       return 1;
20043 +               }
20044 +#endif
20045 +
20046 +               pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
20047 +               do_group_exit(SIGKILL);
20048 +       }
20049 +
20050 +       pmd = pax_get_pmd(mm, address);
20051 +       if (unlikely(!pmd))
20052 +               return 0;
20053 +
20054 +       pte = pte_offset_map_lock(mm, pmd, address, &ptl);
20055 +       if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
20056 +               pte_unmap_unlock(pte, ptl);
20057 +               return 0;
20058 +       }
20059 +
20060 +       if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
20061 +               /* write attempt to a protected page in user mode */
20062 +               pte_unmap_unlock(pte, ptl);
20063 +               return 0;
20064 +       }
20065 +
20066 +#ifdef CONFIG_SMP
20067 +       if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
20068 +#else
20069 +       if (likely(address > get_limit(regs->cs)))
20070 +#endif
20071 +       {
20072 +               set_pte(pte, pte_mkread(*pte));
20073 +               __flush_tlb_one(address);
20074 +               pte_unmap_unlock(pte, ptl);
20075 +               up_read(&mm->mmap_sem);
20076 +               return 1;
20077 +       }
20078 +
20079 +       pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
20080 +
20081 +       /*
20082 +        * PaX: fill DTLB with user rights and retry
20083 +        */
20084 +       __asm__ __volatile__ (
20085 +               "orb %2,(%1)\n"
20086 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
20087 +/*
20088 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
20089 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
20090 + * page fault when examined during a TLB load attempt. this is true not only
20091 + * for PTEs holding a non-present entry but also present entries that will
20092 + * raise a page fault (such as those set up by PaX, or the copy-on-write
20093 + * mechanism). in effect it means that we do *not* need to flush the TLBs
20094 + * for our target pages since their PTEs are simply not in the TLBs at all.
20095 +
20096 + * the best thing in omitting it is that we gain around 15-20% speed in the
20097 + * fast path of the page fault handler and can get rid of tracing since we
20098 + * can no longer flush unintended entries.
20099 + */
20100 +               "invlpg (%0)\n"
20101 +#endif
20102 +               __copyuser_seg"testb $0,(%0)\n"
20103 +               "xorb %3,(%1)\n"
20104 +               :
20105 +               : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
20106 +               : "memory", "cc");
20107 +       pte_unmap_unlock(pte, ptl);
20108 +       up_read(&mm->mmap_sem);
20109 +       return 1;
20110 +}
20111 +#endif
20112 +
20113  /*
20114   * Handle a spurious fault caused by a stale TLB entry.
20115   *
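Review bot: pax_handle_pageexec_fault() is entered with `mm->mmap_sem` held for read (its caller in `@@ -1103,6 +1351,11 @@` sits after the down_read in do_page_fault) and releases it on every `return 1` path but keeps it on every `return 0` path, and that asymmetry is not stated anywhere; a header comment such as `/* Called with mmap_sem held for read. Returns 1 when the fault was handled (mmap_sem released, caller must return), 0 when it is not ours (mmap_sem still held). */` would prevent a future caller from double-unlocking. The `pte_mask` line shifts `error_code & PF_WRITE` (bit 1) by `_PAGE_BIT_DIRTY-1` so a write fault also lands on _PAGE_DIRTY (bit 6); that deserves a why-comment because it only works while PF_WRITE stays at bit 1. The inline asm updates the pte with `orb`/`xorb` directly in memory rather than through set_pte(), bypassing any paravirt pte hooks; if this configuration can run under a paravirt hypervisor that is worth a note or a build-time exclusion (inferred, please confirm).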
20116 @@ -943,6 +1174,9 @@ int show_unhandled_signals = 1;
20117  static inline int
20118  access_error(unsigned long error_code, struct vm_area_struct *vma)
20119  {
20120 +       if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
20121 +               return 1;
20122 +
20123         if (error_code & PF_WRITE) {
20124                 /* write, present and write, not present: */
20125                 if (unlikely(!(vma->vm_flags & VM_WRITE)))
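Review bot: The new instruction-fetch check is the only condition in access_error() without the short explanatory comment the existing branches carry (`/* write, present and write, not present: */`); `/* instruction fetch from a non-executable vma (only reported when NX is supported): */` above the `if` keeps the function's documentation style consistent. The guard itself is right: the I/D error-code bit is only reported by the CPU when NX is enabled, so testing `__supported_pte_mask & _PAGE_NX` first avoids a false access error on non-NX hardware.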
20126 @@ -976,19 +1210,33 @@ do_page_fault(struct pt_regs *regs, unsi
20127  {
20128         struct vm_area_struct *vma;
20129         struct task_struct *tsk;
20130 -       unsigned long address;
20131         struct mm_struct *mm;
20132         int fault;
20133         int write = error_code & PF_WRITE;
20134         unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
20135                                         (write ? FAULT_FLAG_WRITE : 0);
20136  
20137 +       /* Get the faulting address: */
20138 +       unsigned long address = read_cr2();
20139 +
20140 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20141 +       if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
20142 +               if (!search_exception_tables(regs->ip)) {
20143 +                       bad_area_nosemaphore(regs, error_code, address);
20144 +                       return;
20145 +               }
20146 +               if (address < PAX_USER_SHADOW_BASE) {
20147 +                       printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
20148 +                       printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
20149 +                       show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
20150 +               } else
20151 +                       address -= PAX_USER_SHADOW_BASE;
20152 +       }
20153 +#endif
20154 +
20155         tsk = current;
20156         mm = tsk->mm;
20157  
20158 -       /* Get the faulting address: */
20159 -       address = read_cr2();
20160 -
20161         /*
20162          * Detect and handle instructions that would cause a page fault for
20163          * both a tracked kernel page and a userspace page.
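Review bot: The CONFIG_PAX_MEMORY_UDEREF block has no comment explaining the shadow-range scheme it enforces, and it is the first thing a reader meets in do_page_fault(); something like `/* PaX UDEREF: a kernel-mode fault below 2*PAX_USER_SHADOW_BASE is a userland dereference; only accessors covered by the exception table may make one, and their address is un-shifted here. A hit below PAX_USER_SHADOW_BASE itself is unexpected and is reported. */` would carry that (wording reflects my reading of the code). The `if (address < PAX_USER_SHADOW_BASE) { ... } else` pairs a braced arm with an unbraced one; bracing both matches the surrounding file. The `%pA` conversion in the second printk is not a mainline 3.0 vsprintf extension, so this relies on the extension being added elsewhere in this patch (please confirm); `%pS` is the portable alternative if it is not.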
20164 @@ -1048,7 +1296,7 @@ do_page_fault(struct pt_regs *regs, unsi
20165          * User-mode registers count as a user access even for any
20166          * potential system fault or CPU buglet:
20167          */
20168 -       if (user_mode_vm(regs)) {
20169 +       if (user_mode(regs)) {
20170                 local_irq_enable();
20171                 error_code |= PF_USER;
20172         } else {
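Review bot: Replacing user_mode_vm(regs) with user_mode(regs) changes which faults are classified as user faults on 32-bit: in mainline 3.0 user_mode() tests only the cs RPL, while user_mode_vm() also accepts v8086 mode, whose cs is a real-mode selector. Unless this patch redefines user_mode() to cover VM_MASK elsewhere (not visible here), a fault taken by a vm86 task would miss the `local_irq_enable(); error_code |= PF_USER;` path and be handled as a kernel-mode fault. The same substitution appears in the partial hunk at the top of this file section (`if (user_mode(regs))` before `__copy_from_user_inatomic`); if the redefinition exists, a one-line comment at one of the sites saying so would save the next reviewer the same check.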
20173 @@ -1103,6 +1351,11 @@ retry:
20174                 might_sleep();
20175         }
20176  
20177 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20178 +       if (pax_handle_pageexec_fault(regs, mm, address, error_code))
20179 +               return;
20180 +#endif
20181 +
20182         vma = find_vma(mm, address);
20183         if (unlikely(!vma)) {
20184                 bad_area(regs, error_code, address);
20185 @@ -1114,18 +1367,24 @@ retry:
20186                 bad_area(regs, error_code, address);
20187                 return;
20188         }
20189 -       if (error_code & PF_USER) {
20190 -               /*
20191 -                * Accessing the stack below %sp is always a bug.
20192 -                * The large cushion allows instructions like enter
20193 -                * and pusha to work. ("enter $65535, $31" pushes
20194 -                * 32 pointers and then decrements %sp by 65535.)
20195 -                */
20196 -               if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
20197 -                       bad_area(regs, error_code, address);
20198 -                       return;
20199 -               }
20200 +       /*
20201 +        * Accessing the stack below %sp is always a bug.
20202 +        * The large cushion allows instructions like enter
20203 +        * and pusha to work. ("enter $65535, $31" pushes
20204 +        * 32 pointers and then decrements %sp by 65535.)
20205 +        */
20206 +       if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
20207 +               bad_area(regs, error_code, address);
20208 +               return;
20209         }
20210 +
20211 +#ifdef CONFIG_PAX_SEGMEXEC
20212 +       if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
20213 +               bad_area(regs, error_code, address);
20214 +               return;
20215 +       }
20216 +#endif
20217 +
20218         if (unlikely(expand_stack(vma, address))) {
20219                 bad_area(regs, error_code, address);
20220                 return;
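Review bot: The CONFIG_PAX_SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around on both sides and has no comment; as far as I can trace it, it rejects the case where the found vma lies above SEGMEXEC_TASK_SIZE while the faulting address lies below it, i.e. it stops expand_stack() from growing a mirror-half vma across the SEGMEXEC boundary. A comment along the lines of `/* PaX: never let a vma in the SEGMEXEC mirror half grow down into the lower half (both sides wrap when below SEGMEXEC_TASK_SIZE) */` should accompany it, corrected if my reading is off. The stack-cushion check was also moved out of the `error_code & PF_USER` branch and now compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, so it applies to kernel-mode faults below the user stack as well; that is a deliberate tightening and deserves one sentence in the existing comment block.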
20221 @@ -1180,3 +1439,199 @@ good_area:
20222  
20223         up_read(&mm->mmap_sem);
20224  }
20225 +
20226 +#ifdef CONFIG_PAX_EMUTRAMP
20227 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
20228 +{
20229 +       int err;
20230 +
20231 +       do { /* PaX: gcc trampoline emulation #1 */
20232 +               unsigned char mov1, mov2;
20233 +               unsigned short jmp;
20234 +               unsigned int addr1, addr2;
20235 +
20236 +#ifdef CONFIG_X86_64
20237 +               if ((regs->ip + 11) >> 32)
20238 +                       break;
20239 +#endif
20240 +
20241 +               err = get_user(mov1, (unsigned char __user *)regs->ip);
20242 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20243 +               err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
20244 +               err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20245 +               err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
20246 +
20247 +               if (err)
20248 +                       break;
20249 +
20250 +               if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
20251 +                       regs->cx = addr1;
20252 +                       regs->ax = addr2;
20253 +                       regs->ip = addr2;
20254 +                       return 2;
20255 +               }
20256 +       } while (0);
20257 +
20258 +       do { /* PaX: gcc trampoline emulation #2 */
20259 +               unsigned char mov, jmp;
20260 +               unsigned int addr1, addr2;
20261 +
20262 +#ifdef CONFIG_X86_64
20263 +               if ((regs->ip + 9) >> 32)
20264 +                       break;
20265 +#endif
20266 +
20267 +               err = get_user(mov, (unsigned char __user *)regs->ip);
20268 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20269 +               err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
20270 +               err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20271 +
20272 +               if (err)
20273 +                       break;
20274 +
20275 +               if (mov == 0xB9 && jmp == 0xE9) {
20276 +                       regs->cx = addr1;
20277 +                       regs->ip = (unsigned int)(regs->ip + addr2 + 10);
20278 +                       return 2;
20279 +               }
20280 +       } while (0);
20281 +
20282 +       return 1; /* PaX in action */
20283 +}
20284 +
20285 +#ifdef CONFIG_X86_64
20286 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
20287 +{
20288 +       int err;
20289 +
20290 +       do { /* PaX: gcc trampoline emulation #1 */
20291 +               unsigned short mov1, mov2, jmp1;
20292 +               unsigned char jmp2;
20293 +               unsigned int addr1;
20294 +               unsigned long addr2;
20295 +
20296 +               err = get_user(mov1, (unsigned short __user *)regs->ip);
20297 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
20298 +               err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
20299 +               err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
20300 +               err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
20301 +               err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
20302 +
20303 +               if (err)
20304 +                       break;
20305 +
20306 +               if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20307 +                       regs->r11 = addr1;
20308 +                       regs->r10 = addr2;
20309 +                       regs->ip = addr1;
20310 +                       return 2;
20311 +               }
20312 +       } while (0);
20313 +
20314 +       do { /* PaX: gcc trampoline emulation #2 */
20315 +               unsigned short mov1, mov2, jmp1;
20316 +               unsigned char jmp2;
20317 +               unsigned long addr1, addr2;
20318 +
20319 +               err = get_user(mov1, (unsigned short __user *)regs->ip);
20320 +               err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
20321 +               err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
20322 +               err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
20323 +               err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
20324 +               err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
20325 +
20326 +               if (err)
20327 +                       break;
20328 +
20329 +               if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20330 +                       regs->r11 = addr1;
20331 +                       regs->r10 = addr2;
20332 +                       regs->ip = addr1;
20333 +                       return 2;
20334 +               }
20335 +       } while (0);
20336 +
20337 +       return 1; /* PaX in action */
20338 +}
20339 +#endif
20340 +
20341 +/*
20342 + * PaX: decide what to do with offenders (regs->ip = fault address)
20343 + *
20344 + * returns 1 when task should be killed
20345 + *         2 when gcc trampoline was detected
20346 + */
20347 +static int pax_handle_fetch_fault(struct pt_regs *regs)
20348 +{
20349 +       if (v8086_mode(regs))
20350 +               return 1;
20351 +
20352 +       if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
20353 +               return 1;
20354 +
20355 +#ifdef CONFIG_X86_32
20356 +       return pax_handle_fetch_fault_32(regs);
20357 +#else
20358 +       if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
20359 +               return pax_handle_fetch_fault_32(regs);
20360 +       else
20361 +               return pax_handle_fetch_fault_64(regs);
20362 +#endif
20363 +}
20364 +#endif
20365 +
20366 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20367 +void pax_report_insns(void *pc, void *sp)
20368 +{
20369 +       long i;
20370 +
20371 +       printk(KERN_ERR "PAX: bytes at PC: ");
20372 +       for (i = 0; i < 20; i++) {
20373 +               unsigned char c;
20374 +               if (get_user(c, (unsigned char __force_user *)pc+i))
20375 +                       printk(KERN_CONT "?? ");
20376 +               else
20377 +                       printk(KERN_CONT "%02x ", c);
20378 +       }
20379 +       printk("\n");
20380 +
20381 +       printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
20382 +       for (i = -1; i < 80 / (long)sizeof(long); i++) {
20383 +               unsigned long c;
20384 +               if (get_user(c, (unsigned long __force_user *)sp+i))
20385 +#ifdef CONFIG_X86_32
20386 +                       printk(KERN_CONT "???????? ");
20387 +#else
20388 +                       printk(KERN_CONT "???????????????? ");
20389 +#endif
20390 +               else
20391 +                       printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
20392 +       }
20393 +       printk("\n");
20394 +}
20395 +#endif
20396 +
20397 +/**
20398 + * probe_kernel_write(): safely attempt to write to a location
20399 + * @dst: address to write to
20400 + * @src: pointer to the data that shall be written
20401 + * @size: size of the data chunk
20402 + *
20403 + * Safely write to address @dst from the buffer at @src.  If a kernel fault
20404 + * happens, handle that and return -EFAULT.
20405 + */
20406 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
20407 +{
20408 +       long ret;
20409 +       mm_segment_t old_fs = get_fs();
20410 +
20411 +       set_fs(KERNEL_DS);
20412 +       pagefault_disable();
20413 +       pax_open_kernel();
20414 +       ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
20415 +       pax_close_kernel();
20416 +       pagefault_enable();
20417 +       set_fs(old_fs);
20418 +
20419 +       return ret ? -EFAULT : 0;
20420 +}
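Review bot: The return codes of pax_handle_fetch_fault(), pax_handle_fetch_fault_32() and pax_handle_fetch_fault_64() are bare `1` and `2`, decoded only by the comment above pax_handle_fetch_fault() and by `case 2:` at three call sites earlier in the file; an enum such as `enum { PAX_FETCH_KILL = 1, PAX_FETCH_EMULATED = 2 };` used in the `return` statements and the callers would make the contract self-describing. In pax_report_insns() the two terminating `printk("\n")` calls carry no level while the pieces before them use KERN_CONT; `printk(KERN_CONT "\n")` says what is meant and does not depend on the logger's line-continuation heuristic. pax_report_insns() dumps 20 bytes at PC and 80 bytes around SP to the log for every killed task with no rate limit visible here; unless pax_report_fault() (defined elsewhere) applies one, a task that is repeatedly killed can fill the log, and `printk_ratelimit()` around the dump is the usual guard. probe_kernel_write() overrides the weak mm/maccess.c definition to wrap the copy in pax_open_kernel()/pax_close_kernel(), but its kernel-doc was copied verbatim; one added line noting that the write window temporarily lifts KERNEXEC write protection would explain why this arch-specific copy exists.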
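--- a/arch/x86/mm/gup.c
+++ b/arch/x86/mm/gup.c
@@ -253,7 +253,7 @@ int __get_user_pages_fast(unsigned long 
        addr = start;
        len = (unsigned long) nr_pages << PAGE_SHIFT;
        end = start + len;
-       if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
+       if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
                                        (void __user *)start, len)))
                return 0;
 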
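Review bot: Switching __get_user_pages_fast() from access_ok() to __access_ok() drops whatever the full access_ok() does in this tree beyond the range test, and nothing in the hunk says why the lighter check is enough here; `__access_ok` is not a mainline 3.0 x86 helper, so this depends on it being introduced elsewhere in the patch. A comment such as `/* range check only: the page-table walk below never dereferences the user address, so no UDEREF fixup is needed */` would record the reasoning, assuming that is the intent — please adjust if access_ok() in this tree also does something else that matters for the fast path.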
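--- a/arch/x86/mm/highmem_32.c
+++ b/arch/x86/mm/highmem_32.c
@@ -44,7 +44,11 @@ void *kmap_atomic_prot(struct page *page
        idx = type + KM_TYPE_NR*smp_processor_id();
        vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
        BUG_ON(!pte_none(*(kmap_pte-idx)));
+
+       pax_open_kernel();
        set_pte(kmap_pte-idx, mk_pte(page, prot));
+       pax_close_kernel();
+
        arch_flush_lazy_mmu_mode();
 
        return (void *)vaddr;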
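Review bot: Wrapping set_pte() in pax_open_kernel()/pax_close_kernel() is presumably needed because the fixmap pte lives in page tables that KERNEXEC keeps read-only, but the hunk does not say so; `/* PaX: kmap_pte lives in the read-only kernel page tables */` above the call would carry it. In mainline kmap_atomic_prot() disables pagefaults (and with them preemption) before this point, outside the hunk, which is the property a write-protection toggle needs — worth confirming that still holds in this tree. The matching clear in kunmap_atomic() (not in this chunk) must get the same wrapping if it writes the pte directly, so that is worth a cross-check.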
20448 diff -urNp linux-3.0.9/arch/x86/mm/hugetlbpage.c linux-3.0.9/arch/x86/mm/hugetlbpage.c
20449 --- linux-3.0.9/arch/x86/mm/hugetlbpage.c       2011-11-11 13:12:24.000000000 -0500
20450 +++ linux-3.0.9/arch/x86/mm/hugetlbpage.c       2011-11-15 20:02:59.000000000 -0500
20451 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
20452         struct hstate *h = hstate_file(file);
20453         struct mm_struct *mm = current->mm;
20454         struct vm_area_struct *vma;
20455 -       unsigned long start_addr;
20456 +       unsigned long start_addr, pax_task_size = TASK_SIZE;
20457 +
20458 +#ifdef CONFIG_PAX_SEGMEXEC
20459 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
20460 +               pax_task_size = SEGMEXEC_TASK_SIZE;
20461 +#endif
20462 +
20463 +       pax_task_size -= PAGE_SIZE;
20464  
20465         if (len > mm->cached_hole_size) {
20466 -               start_addr = mm->free_area_cache;
20467 +               start_addr = mm->free_area_cache;
20468         } else {
20469 -               start_addr = TASK_UNMAPPED_BASE;
20470 -               mm->cached_hole_size = 0;
20471 +               start_addr = mm->mmap_base;
20472 +               mm->cached_hole_size = 0;
20473         }
20474  
20475  full_search:
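Review bot: `pax_task_size -= PAGE_SIZE;` is unconditional and uncommented here and repeated in hugetlb_get_unmapped_area() (hunk `@@ -399,10 +406,19 @@`); a comment such as `/* PaX: keep the topmost page below the task size unmapped */` at both sites, or a small helper returning the effective limit, would explain the offset and keep the two in step (the purpose is inferred, please confirm). The lines `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are removed and re-added with only their whitespace changed, which adds noise to a functional hunk and makes the real change (TASK_UNMAPPED_BASE to mm->mmap_base) harder to spot.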
20476 @@ -280,26 +287,27 @@ full_search:
20477  
20478         for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
20479                 /* At this point:  (!vma || addr < vma->vm_end). */
20480 -               if (TASK_SIZE - len < addr) {
20481 +               if (pax_task_size - len < addr) {
20482                         /*
20483                          * Start a new search - just in case we missed
20484                          * some holes.
20485                          */
20486 -                       if (start_addr != TASK_UNMAPPED_BASE) {
20487 -                               start_addr = TASK_UNMAPPED_BASE;
20488 +                       if (start_addr != mm->mmap_base) {
20489 +                               start_addr = mm->mmap_base;
20490                                 mm->cached_hole_size = 0;
20491                                 goto full_search;
20492                         }
20493                         return -ENOMEM;
20494                 }
20495 -               if (!vma || addr + len <= vma->vm_start) {
20496 -                       mm->free_area_cache = addr + len;
20497 -                       return addr;
20498 -               }
20499 +               if (check_heap_stack_gap(vma, addr, len))
20500 +                       break;
20501                 if (addr + mm->cached_hole_size < vma->vm_start)
20502                         mm->cached_hole_size = vma->vm_start - addr;
20503                 addr = ALIGN(vma->vm_end, huge_page_size(h));
20504         }
20505 +
20506 +       mm->free_area_cache = addr + len;
20507 +       return addr;
20508  }
20509  
20510  static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
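Review bot: The rewritten search loop now relies on check_heap_stack_gap() returning true for a NULL vma: the old `!vma || addr + len <= vma->vm_start` handled end-of-list explicitly, whereas now a false result for `vma == NULL` would reach `vma->vm_start` on the next line and dereference NULL (the topdown loop in `@@ -321,64 +328,63 @@` has the same dependency at `mm->free_area_cache == vma->vm_end`). check_heap_stack_gap() is defined elsewhere in the patch, so this is probably fine, but a one-line comment at the loop, `/* check_heap_stack_gap() accepts a NULL vma (no mapping above addr) */`, makes the contract explicit at the use site.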
20511 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
20512  {
20513         struct hstate *h = hstate_file(file);
20514         struct mm_struct *mm = current->mm;
20515 -       struct vm_area_struct *vma, *prev_vma;
20516 -       unsigned long base = mm->mmap_base, addr = addr0;
20517 +       struct vm_area_struct *vma;
20518 +       unsigned long base = mm->mmap_base, addr;
20519         unsigned long largest_hole = mm->cached_hole_size;
20520 -       int first_time = 1;
20521  
20522         /* don't allow allocations above current base */
20523         if (mm->free_area_cache > base)
20524 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
20525                 largest_hole = 0;
20526                 mm->free_area_cache  = base;
20527         }
20528 -try_again:
20529 +
20530         /* make sure it can fit in the remaining address space */
20531         if (mm->free_area_cache < len)
20532                 goto fail;
20533  
20534         /* either no address requested or can't fit in requested address hole */
20535 -       addr = (mm->free_area_cache - len) & huge_page_mask(h);
20536 +       addr = (mm->free_area_cache - len);
20537         do {
20538 +               addr &= huge_page_mask(h);
20539 +               vma = find_vma(mm, addr);
20540                 /*
20541                  * Lookup failure means no vma is above this address,
20542                  * i.e. return with success:
20543 -                */
20544 -               if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
20545 -                       return addr;
20546 -
20547 -               /*
20548                  * new region fits between prev_vma->vm_end and
20549                  * vma->vm_start, use it:
20550                  */
20551 -               if (addr + len <= vma->vm_start &&
20552 -                           (!prev_vma || (addr >= prev_vma->vm_end))) {
20553 +               if (check_heap_stack_gap(vma, addr, len)) {
20554                         /* remember the address as a hint for next time */
20555 -                       mm->cached_hole_size = largest_hole;
20556 -                       return (mm->free_area_cache = addr);
20557 -               } else {
20558 -                       /* pull free_area_cache down to the first hole */
20559 -                       if (mm->free_area_cache == vma->vm_end) {
20560 -                               mm->free_area_cache = vma->vm_start;
20561 -                               mm->cached_hole_size = largest_hole;
20562 -                       }
20563 +                       mm->cached_hole_size = largest_hole;
20564 +                       return (mm->free_area_cache = addr);
20565 +               }
20566 +               /* pull free_area_cache down to the first hole */
20567 +               if (mm->free_area_cache == vma->vm_end) {
20568 +                       mm->free_area_cache = vma->vm_start;
20569 +                       mm->cached_hole_size = largest_hole;
20570                 }
20571  
20572                 /* remember the largest hole we saw so far */
20573                 if (addr + largest_hole < vma->vm_start)
20574 -                       largest_hole = vma->vm_start - addr;
20575 +                       largest_hole = vma->vm_start - addr;
20576  
20577                 /* try just below the current vma->vm_start */
20578 -               addr = (vma->vm_start - len) & huge_page_mask(h);
20579 -       } while (len <= vma->vm_start);
20580 +               addr = skip_heap_stack_gap(vma, len);
20581 +       } while (!IS_ERR_VALUE(addr));
20582  
20583  fail:
20584         /*
20585 -        * if hint left us with no space for the requested
20586 -        * mapping then try again:
20587 -        */
20588 -       if (first_time) {
20589 -               mm->free_area_cache = base;
20590 -               largest_hole = 0;
20591 -               first_time = 0;
20592 -               goto try_again;
20593 -       }
20594 -       /*
20595          * A failed mmap() very likely causes application failure,
20596          * so fall back to the bottom-up function here. This scenario
20597          * can happen with large stack limits and large mmap()
20598          * allocations.
20599          */
20600 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
20601 +
20602 +#ifdef CONFIG_PAX_SEGMEXEC
20603 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
20604 +               mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
20605 +       else
20606 +#endif
20607 +
20608 +       mm->mmap_base = TASK_UNMAPPED_BASE;
20609 +
20610 +#ifdef CONFIG_PAX_RANDMMAP
20611 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
20612 +               mm->mmap_base += mm->delta_mmap;
20613 +#endif
20614 +
20615 +       mm->free_area_cache = mm->mmap_base;
20616         mm->cached_hole_size = ~0UL;
20617         addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
20618                         len, pgoff, flags);
20619 @@ -386,6 +392,7 @@ fail:
20620         /*
20621          * Restore the topdown base:
20622          */
20623 +       mm->mmap_base = base;
20624         mm->free_area_cache = base;
20625         mm->cached_hole_size = ~0UL;
20626  
20627 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
20628         struct hstate *h = hstate_file(file);
20629         struct mm_struct *mm = current->mm;
20630         struct vm_area_struct *vma;
20631 +       unsigned long pax_task_size = TASK_SIZE;
20632  
20633         if (len & ~huge_page_mask(h))
20634                 return -EINVAL;
20635 -       if (len > TASK_SIZE)
20636 +
20637 +#ifdef CONFIG_PAX_SEGMEXEC
20638 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
20639 +               pax_task_size = SEGMEXEC_TASK_SIZE;
20640 +#endif
20641 +
20642 +       pax_task_size -= PAGE_SIZE;
20643 +
20644 +       if (len > pax_task_size)
20645                 return -ENOMEM;
20646  
20647         if (flags & MAP_FIXED) {
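Review bot: The `pax_task_size -= PAGE_SIZE;` line carries no explanation, yet it is the value both the `len > pax_task_size` check here and the `pax_task_size - len >= addr` check in the next hunk (L20657) are measured against. If the intent is that the highest page of the (possibly SEGMEXEC-reduced) address space is never handed out, a comment on that line such as `/* the topmost page of the address space is never mapped */` would make the bound self-explaining. hugetlb_get_unmapped_area's body continues past the hunk.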
20648 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
20649         if (addr) {
20650                 addr = ALIGN(addr, huge_page_size(h));
20651                 vma = find_vma(mm, addr);
20652 -               if (TASK_SIZE - len >= addr &&
20653 -                   (!vma || addr + len <= vma->vm_start))
20654 +               if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
20655                         return addr;
20656         }
20657         if (mm->get_unmapped_area == arch_get_unmapped_area)
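Review bot: The replaced condition drops the explicit `!vma ||` guard, so correctness now rests on check_heap_stack_gap() accepting a NULL vma from find_vma() and treating it as an unobstructed gap; the helper is defined elsewhere in the patch and not visible here, so that contract should be confirmed and stated in a comment on the helper. The same substitution is made in the top-down loop earlier in this file section (L20556). The enclosing function continues outside the hunk.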
20658 diff -urNp linux-3.0.9/arch/x86/mm/init_32.c linux-3.0.9/arch/x86/mm/init_32.c
20659 --- linux-3.0.9/arch/x86/mm/init_32.c   2011-11-11 13:12:24.000000000 -0500
20660 +++ linux-3.0.9/arch/x86/mm/init_32.c   2011-11-15 20:02:59.000000000 -0500
20661 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
20662  }
20663  
20664  /*
20665 - * Creates a middle page table and puts a pointer to it in the
20666 - * given global directory entry. This only returns the gd entry
20667 - * in non-PAE compilation mode, since the middle layer is folded.
20668 - */
20669 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
20670 -{
20671 -       pud_t *pud;
20672 -       pmd_t *pmd_table;
20673 -
20674 -#ifdef CONFIG_X86_PAE
20675 -       if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
20676 -               if (after_bootmem)
20677 -                       pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
20678 -               else
20679 -                       pmd_table = (pmd_t *)alloc_low_page();
20680 -               paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
20681 -               set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
20682 -               pud = pud_offset(pgd, 0);
20683 -               BUG_ON(pmd_table != pmd_offset(pud, 0));
20684 -
20685 -               return pmd_table;
20686 -       }
20687 -#endif
20688 -       pud = pud_offset(pgd, 0);
20689 -       pmd_table = pmd_offset(pud, 0);
20690 -
20691 -       return pmd_table;
20692 -}
20693 -
20694 -/*
20695   * Create a page table and place a pointer to it in a middle page
20696   * directory entry:
20697   */
20698 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
20699                         page_table = (pte_t *)alloc_low_page();
20700  
20701                 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
20702 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20703 +               set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
20704 +#else
20705                 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
20706 +#endif
20707                 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
20708         }
20709  
20710         return pte_offset_kernel(pmd, 0);
20711  }
20712  
20713 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
20714 +{
20715 +       pud_t *pud;
20716 +       pmd_t *pmd_table;
20717 +
20718 +       pud = pud_offset(pgd, 0);
20719 +       pmd_table = pmd_offset(pud, 0);
20720 +
20721 +       return pmd_table;
20722 +}
20723 +
20724  pmd_t * __init populate_extra_pmd(unsigned long vaddr)
20725  {
20726         int pgd_idx = pgd_index(vaddr);
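Review bot: The re-added one_md_table_init() no longer has the CONFIG_X86_PAE branch that allocated a pmd page when the pgd entry was not present, so it now assumes every pgd entry it is asked about is already populated; if the patch guarantees that elsewhere (preallocated PAE pmd tables, presumably), the function deserves a one-line comment saying so, e.g. `/* assumes pmd tables are preallocated, so the pgd entry is always present -- confirm */`. The `_KERNPG_TABLE` versus `_PAGE_TABLE` choice under PAGEEXEC/SEGMEXEC likewise lacks a comment; the difference between the two masks is the user bit, and a line stating why kernel pmd entries must not carry it would help the next reader. one_page_table_init() starts outside the hunk.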
20727 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
20728         int pgd_idx, pmd_idx;
20729         unsigned long vaddr;
20730         pgd_t *pgd;
20731 +       pud_t *pud;
20732         pmd_t *pmd;
20733         pte_t *pte = NULL;
20734  
20735 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
20736         pgd = pgd_base + pgd_idx;
20737  
20738         for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
20739 -               pmd = one_md_table_init(pgd);
20740 -               pmd = pmd + pmd_index(vaddr);
20741 +               pud = pud_offset(pgd, vaddr);
20742 +               pmd = pmd_offset(pud, vaddr);
20743 +
20744 +#ifdef CONFIG_X86_PAE
20745 +               paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20746 +#endif
20747 +
20748                 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
20749                                                         pmd++, pmd_idx++) {
20750                         pte = page_table_kmap_check(one_page_table_init(pmd),
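Review bot: paravirt_alloc_pmd() is now invoked on every pass of the outer loop for a pmd table that already exists, whereas the removed one_md_table_init() path only reported a pmd page when it had just allocated it (L20677-L20683); the same pattern appears in kernel_physical_mapping_init at L20806. On paravirt backends that track or pin page-table pages this may register the same page more than once, so either the hook has to tolerate repeat calls for these tables or the call needs a guard, and a comment such as `/* pmd tables are preallocated; paravirt_alloc_pmd() must tolerate repeat calls -- confirm */` should record which holds. page_table_range_init starts outside the hunk.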
20751 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
20752         }
20753  }
20754  
20755 -static inline int is_kernel_text(unsigned long addr)
20756 +static inline int is_kernel_text(unsigned long start, unsigned long end)
20757  {
20758 -       if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
20759 -               return 1;
20760 -       return 0;
20761 +       if ((start > ktla_ktva((unsigned long)_etext) ||
20762 +            end <= ktla_ktva((unsigned long)_stext)) &&
20763 +           (start > ktla_ktva((unsigned long)_einittext) ||
20764 +            end <= ktla_ktva((unsigned long)_sinittext)) &&
20765 +
20766 +#ifdef CONFIG_ACPI_SLEEP
20767 +           (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
20768 +#endif
20769 +
20770 +           (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
20771 +               return 0;
20772 +       return 1;
20773  }
20774  
20775  /*
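Review bot: The text tests use `start > ktla_ktva(_etext)` and `start > ktla_ktva(_einittext)`, but those symbols mark the first byte past their sections, so for a half-open [start, end) the non-overlap test is `start >=`; as written a range that begins exactly at _etext is still reported as text and mapped executable by the callers at L20832 and L20850, widening the executable mapping by up to one page or PMD. The same applies to the ACPI wakeup bound `+ 0x4000`, whereas `> __va(0xfffff)` is right because that bound is inclusive. Suggested: `if ((start >= ktla_ktva((unsigned long)_etext) ||` (and likewise for _einittext and the wakeup range). The constants 0x4000, 0xc0000 and 0xfffff should also be named in a comment (presumably the wakeup trampoline size and the legacy BIOS/option-ROM window).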
20776 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
20777         unsigned long last_map_addr = end;
20778         unsigned long start_pfn, end_pfn;
20779         pgd_t *pgd_base = swapper_pg_dir;
20780 -       int pgd_idx, pmd_idx, pte_ofs;
20781 +       unsigned int pgd_idx, pmd_idx, pte_ofs;
20782         unsigned long pfn;
20783         pgd_t *pgd;
20784 +       pud_t *pud;
20785         pmd_t *pmd;
20786         pte_t *pte;
20787         unsigned pages_2m, pages_4k;
20788 @@ -281,8 +282,13 @@ repeat:
20789         pfn = start_pfn;
20790         pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20791         pgd = pgd_base + pgd_idx;
20792 -       for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
20793 -               pmd = one_md_table_init(pgd);
20794 +       for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
20795 +               pud = pud_offset(pgd, 0);
20796 +               pmd = pmd_offset(pud, 0);
20797 +
20798 +#ifdef CONFIG_X86_PAE
20799 +               paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20800 +#endif
20801  
20802                 if (pfn >= end_pfn)
20803                         continue;
20804 @@ -294,14 +300,13 @@ repeat:
20805  #endif
20806                 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
20807                      pmd++, pmd_idx++) {
20808 -                       unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
20809 +                       unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
20810  
20811                         /*
20812                          * Map with big pages if possible, otherwise
20813                          * create normal page tables:
20814                          */
20815                         if (use_pse) {
20816 -                               unsigned int addr2;
20817                                 pgprot_t prot = PAGE_KERNEL_LARGE;
20818                                 /*
20819                                  * first pass will use the same initial
20820 @@ -311,11 +316,7 @@ repeat:
20821                                         __pgprot(PTE_IDENT_ATTR |
20822                                                  _PAGE_PSE);
20823  
20824 -                               addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
20825 -                                       PAGE_OFFSET + PAGE_SIZE-1;
20826 -
20827 -                               if (is_kernel_text(addr) ||
20828 -                                   is_kernel_text(addr2))
20829 +                               if (is_kernel_text(address, address + PMD_SIZE))
20830                                         prot = PAGE_KERNEL_LARGE_EXEC;
20831  
20832                                 pages_2m++;
20833 @@ -332,7 +333,7 @@ repeat:
20834                         pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20835                         pte += pte_ofs;
20836                         for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
20837 -                            pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
20838 +                            pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
20839                                 pgprot_t prot = PAGE_KERNEL;
20840                                 /*
20841                                  * first pass will use the same initial
20842 @@ -340,7 +341,7 @@ repeat:
20843                                  */
20844                                 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
20845  
20846 -                               if (is_kernel_text(addr))
20847 +                               if (is_kernel_text(address, address + PAGE_SIZE))
20848                                         prot = PAGE_KERNEL_EXEC;
20849  
20850                                 pages_4k++;
20851 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
20852  
20853                 pud = pud_offset(pgd, va);
20854                 pmd = pmd_offset(pud, va);
20855 -               if (!pmd_present(*pmd))
20856 +               if (!pmd_present(*pmd) || pmd_huge(*pmd))
20857                         break;
20858  
20859                 pte = pte_offset_kernel(pmd, va);
20860 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
20861  
20862  static void __init pagetable_init(void)
20863  {
20864 -       pgd_t *pgd_base = swapper_pg_dir;
20865 -
20866 -       permanent_kmaps_init(pgd_base);
20867 +       permanent_kmaps_init(swapper_pg_dir);
20868  }
20869  
20870 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20871 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20872  EXPORT_SYMBOL_GPL(__supported_pte_mask);
20873  
20874  /* user-defined highmem size */
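Review bot: `__supported_pte_mask` becomes `__read_only`, so once that section is write-protected (when that happens is not visible here) any code that still assigns to it must bracket the store with pax_open_kernel()/pax_close_kernel() as the patch does for set_pte at L20997; the NX feature setup (x86_configure_nx) is one such writer and is outside this view, so it is worth confirming it was converted. The same attribute change is made for the 64-bit variable at L20949, where the initializer also drops _PAGE_NX from the default mask, so NX on x86_64 now depends on that later writer re-adding it. A comment on the declaration naming the permitted writers would help.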
20875 @@ -757,6 +756,12 @@ void __init mem_init(void)
20876  
20877         pci_iommu_alloc();
20878  
20879 +#ifdef CONFIG_PAX_PER_CPU_PGD
20880 +       clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
20881 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20882 +                       KERNEL_PGD_PTRS);
20883 +#endif
20884 +
20885  #ifdef CONFIG_FLATMEM
20886         BUG_ON(!mem_map);
20887  #endif
20888 @@ -774,7 +779,7 @@ void __init mem_init(void)
20889         set_highmem_pages_init();
20890  
20891         codesize =  (unsigned long) &_etext - (unsigned long) &_text;
20892 -       datasize =  (unsigned long) &_edata - (unsigned long) &_etext;
20893 +       datasize =  (unsigned long) &_edata - (unsigned long) &_sdata;
20894         initsize =  (unsigned long) &__init_end - (unsigned long) &__init_begin;
20895  
20896         printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
20897 @@ -815,10 +820,10 @@ void __init mem_init(void)
20898                 ((unsigned long)&__init_end -
20899                  (unsigned long)&__init_begin) >> 10,
20900  
20901 -               (unsigned long)&_etext, (unsigned long)&_edata,
20902 -               ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
20903 +               (unsigned long)&_sdata, (unsigned long)&_edata,
20904 +               ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
20905  
20906 -               (unsigned long)&_text, (unsigned long)&_etext,
20907 +               ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
20908                 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
20909  
20910         /*
20911 @@ -896,6 +901,7 @@ void set_kernel_text_rw(void)
20912         if (!kernel_set_to_readonly)
20913                 return;
20914  
20915 +       start = ktla_ktva(start);
20916         pr_debug("Set kernel text: %lx - %lx for read write\n",
20917                  start, start+size);
20918  
20919 @@ -910,6 +916,7 @@ void set_kernel_text_ro(void)
20920         if (!kernel_set_to_readonly)
20921                 return;
20922  
20923 +       start = ktla_ktva(start);
20924         pr_debug("Set kernel text: %lx - %lx for read only\n",
20925                  start, start+size);
20926  
20927 @@ -938,6 +945,7 @@ void mark_rodata_ro(void)
20928         unsigned long start = PFN_ALIGN(_text);
20929         unsigned long size = PFN_ALIGN(_etext) - start;
20930  
20931 +       start = ktla_ktva(start);
20932         set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
20933         printk(KERN_INFO "Write protecting the kernel text: %luk\n",
20934                 size >> 10);
20935 diff -urNp linux-3.0.9/arch/x86/mm/init_64.c linux-3.0.9/arch/x86/mm/init_64.c
20936 --- linux-3.0.9/arch/x86/mm/init_64.c   2011-11-11 13:12:24.000000000 -0500
20937 +++ linux-3.0.9/arch/x86/mm/init_64.c   2011-11-15 20:02:59.000000000 -0500
20938 @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpa
20939   * around without checking the pgd every time.
20940   */
20941  
20942 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
20943 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
20944  EXPORT_SYMBOL_GPL(__supported_pte_mask);
20945  
20946  int force_personality32;
20947 @@ -108,12 +108,22 @@ void sync_global_pgds(unsigned long star
20948  
20949         for (address = start; address <= end; address += PGDIR_SIZE) {
20950                 const pgd_t *pgd_ref = pgd_offset_k(address);
20951 +
20952 +#ifdef CONFIG_PAX_PER_CPU_PGD
20953 +               unsigned long cpu;
20954 +#else
20955                 struct page *page;
20956 +#endif
20957  
20958                 if (pgd_none(*pgd_ref))
20959                         continue;
20960  
20961                 spin_lock(&pgd_lock);
20962 +
20963 +#ifdef CONFIG_PAX_PER_CPU_PGD
20964 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
20965 +                       pgd_t *pgd = pgd_offset_cpu(cpu, address);
20966 +#else
20967                 list_for_each_entry(page, &pgd_list, lru) {
20968                         pgd_t *pgd;
20969                         spinlock_t *pgt_lock;
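Review bot: The `for (cpu ...) {` opened under `#ifdef CONFIG_PAX_PER_CPU_PGD` and the `list_for_each_entry(...) {` under `#else` share one closing brace that lives in a later hunk (L20989), and the spin_lock/spin_unlock of pgt_lock is split by `#ifndef` at L20977 and L20985, so a reader has to hold three preprocessor branches in mind to match braces. Consider moving the pgd_none/set_pgd/BUG_ON body (L20979-L20983) into a small static helper so each variant is a complete loop, and adding `/* per-CPU pgds are not on pgd_list and need no pgt_lock */` on the PER_CPU_PGD branch if that is why the lock is skipped. sync_global_pgds starts outside the hunk.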
20970 @@ -122,6 +132,7 @@ void sync_global_pgds(unsigned long star
20971                         /* the pgt_lock only for Xen */
20972                         pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
20973                         spin_lock(pgt_lock);
20974 +#endif
20975  
20976                         if (pgd_none(*pgd))
20977                                 set_pgd(pgd, *pgd_ref);
20978 @@ -129,7 +140,10 @@ void sync_global_pgds(unsigned long star
20979                                 BUG_ON(pgd_page_vaddr(*pgd)
20980                                        != pgd_page_vaddr(*pgd_ref));
20981  
20982 +#ifndef CONFIG_PAX_PER_CPU_PGD
20983                         spin_unlock(pgt_lock);
20984 +#endif
20985 +
20986                 }
20987                 spin_unlock(&pgd_lock);
20988         }
20989 @@ -203,7 +217,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, 
20990         pmd = fill_pmd(pud, vaddr);
20991         pte = fill_pte(pmd, vaddr);
20992  
20993 +       pax_open_kernel();
20994         set_pte(pte, new_pte);
20995 +       pax_close_kernel();
20996  
20997         /*
20998          * It's enough to flush this one mapping.
20999 @@ -262,14 +278,12 @@ static void __init __init_extra_mapping(
21000                 pgd = pgd_offset_k((unsigned long)__va(phys));
21001                 if (pgd_none(*pgd)) {
21002                         pud = (pud_t *) spp_getpage();
21003 -                       set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
21004 -                                               _PAGE_USER));
21005 +                       set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
21006                 }
21007                 pud = pud_offset(pgd, (unsigned long)__va(phys));
21008                 if (pud_none(*pud)) {
21009                         pmd = (pmd_t *) spp_getpage();
21010 -                       set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
21011 -                                               _PAGE_USER));
21012 +                       set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
21013                 }
21014                 pmd = pmd_offset(pud, phys);
21015                 BUG_ON(!pmd_none(*pmd));
21016 @@ -330,7 +344,7 @@ static __ref void *alloc_low_page(unsign
21017         if (pfn >= pgt_buf_top)
21018                 panic("alloc_low_page: ran out of memory");
21019  
21020 -       adr = early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
21021 +       adr = (void __force_kernel *)early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
21022         clear_page(adr);
21023         *phys  = pfn * PAGE_SIZE;
21024         return adr;
21025 @@ -346,7 +360,7 @@ static __ref void *map_low_page(void *vi
21026  
21027         phys = __pa(virt);
21028         left = phys & (PAGE_SIZE - 1);
21029 -       adr = early_memremap(phys & PAGE_MASK, PAGE_SIZE);
21030 +       adr = (void __force_kernel *)early_memremap(phys & PAGE_MASK, PAGE_SIZE);
21031         adr = (void *)(((unsigned long)adr) | left);
21032  
21033         return adr;
21034 @@ -693,6 +707,12 @@ void __init mem_init(void)
21035  
21036         pci_iommu_alloc();
21037  
21038 +#ifdef CONFIG_PAX_PER_CPU_PGD
21039 +       clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
21040 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
21041 +                       KERNEL_PGD_PTRS);
21042 +#endif
21043 +
21044         /* clear_bss() already clear the empty_zero_page */
21045  
21046         reservedpages = 0;
21047 @@ -853,8 +873,8 @@ int kern_addr_valid(unsigned long addr)
21048  static struct vm_area_struct gate_vma = {
21049         .vm_start       = VSYSCALL_START,
21050         .vm_end         = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
21051 -       .vm_page_prot   = PAGE_READONLY_EXEC,
21052 -       .vm_flags       = VM_READ | VM_EXEC
21053 +       .vm_page_prot   = PAGE_READONLY,
21054 +       .vm_flags       = VM_READ
21055  };
21056  
21057  struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
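Review bot: gate_vma loses VM_EXEC and PAGE_READONLY_EXEC, so the vsyscall page is no longer an executable mapping; this only works if calls into it are intercepted and handled elsewhere (a fault-time emulation path, presumably), and nothing in the hunk points at that code. A comment on the initializer such as `/* non-executable: vsyscall entry points are handled on fault, see <location> */` with the real location filled in would keep the two halves of the mechanism connected.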
21058 @@ -888,7 +908,7 @@ int in_gate_area_no_mm(unsigned long add
21059  
21060  const char *arch_vma_name(struct vm_area_struct *vma)
21061  {
21062 -       if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
21063 +       if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
21064                 return "[vdso]";
21065         if (vma == &gate_vma)
21066                 return "[vsyscall]";
21067 diff -urNp linux-3.0.9/arch/x86/mm/init.c linux-3.0.9/arch/x86/mm/init.c
21068 --- linux-3.0.9/arch/x86/mm/init.c      2011-11-11 13:12:24.000000000 -0500
21069 +++ linux-3.0.9/arch/x86/mm/init.c      2011-11-15 20:02:59.000000000 -0500
21070 @@ -31,7 +31,7 @@ int direct_gbpages
21071  static void __init find_early_table_space(unsigned long end, int use_pse,
21072                                           int use_gbpages)
21073  {
21074 -       unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
21075 +       unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
21076         phys_addr_t base;
21077  
21078         puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
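Review bot: `start = 0x100000` is a bare constant; the ioremap change at L21228 uses the same boundary as a pfn (`0x100`) while the devmem change at L21103 spells it `ISA_END_ADDRESS`. If all three mean the 1 MiB end of the legacy ISA/BIOS area, use the named constant everywhere: `unsigned long puds, pmds, ptes, tables, start = ISA_END_ADDRESS, good_end = end;` here and `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)` in ioremap.c (adding the header there if it is not already included). A short comment on why early page tables are kept out of the first megabyte would also help. find_early_table_space's body continues outside the hunk.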
21079 @@ -312,12 +312,34 @@ unsigned long __init_refok init_memory_m
21080   */
21081  int devmem_is_allowed(unsigned long pagenr)
21082  {
21083 -       if (pagenr <= 256)
21084 +#ifdef CONFIG_GRKERNSEC_KMEM
21085 +       /* allow BDA */
21086 +       if (!pagenr)
21087 +               return 1;
21088 +       /* allow EBDA */
21089 +       if ((0x9f000 >> PAGE_SHIFT) == pagenr)
21090 +               return 1;
21091 +#else
21092 +       if (!pagenr)
21093 +               return 1;
21094 +#ifdef CONFIG_VM86
21095 +       if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
21096 +               return 1;
21097 +#endif
21098 +#endif
21099 +
21100 +       if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
21101                 return 1;
21102 +#ifdef CONFIG_GRKERNSEC_KMEM
21103 +       /* throw out everything else below 1MB */
21104 +       if (pagenr <= 256)
21105 +               return 0;
21106 +#endif
21107         if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
21108                 return 0;
21109         if (!page_is_ram(pagenr))
21110                 return 1;
21111 +
21112         return 0;
21113  }
21114  
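Review bot: Under CONFIG_GRKERNSEC_KMEM the fallthrough check `if (pagenr <= 256) return 0;` also rejects page 256, yet 256 is `ISA_END_ADDRESS >> PAGE_SHIFT`, the first page above the ISA window that the range check just before it treats as an exclusive end; the two lines disagree about one page, and `if (pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))` matches the comment "throw out everything else below 1MB". Two further things deserve a comment: the `#else` branch also changes the non-grsec policy (pages 1 up to ISA_START_ADDRESS are now allowed only with CONFIG_VM86, where the old code allowed everything `<= 256`), and `0x9f000` hard-codes the EBDA location, which firmware can place elsewhere and the kernel normally reads from the BDA (get_bios_ebda()).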
21115 @@ -372,6 +394,86 @@ void free_init_pages(char *what, unsigne
21116  
21117  void free_initmem(void)
21118  {
21119 +
21120 +#ifdef CONFIG_PAX_KERNEXEC
21121 +#ifdef CONFIG_X86_32
21122 +       /* PaX: limit KERNEL_CS to actual size */
21123 +       unsigned long addr, limit;
21124 +       struct desc_struct d;
21125 +       int cpu;
21126 +
21127 +       limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
21128 +       limit = (limit - 1UL) >> PAGE_SHIFT;
21129 +
21130 +       memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
21131 +       for (cpu = 0; cpu < NR_CPUS; cpu++) {
21132 +               pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
21133 +               write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
21134 +       }
21135 +
21136 +       /* PaX: make KERNEL_CS read-only */
21137 +       addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
21138 +       if (!paravirt_enabled())
21139 +               set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
21140 +/*
21141 +               for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
21142 +                       pgd = pgd_offset_k(addr);
21143 +                       pud = pud_offset(pgd, addr);
21144 +                       pmd = pmd_offset(pud, addr);
21145 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21146 +               }
21147 +*/
21148 +#ifdef CONFIG_X86_PAE
21149 +       set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
21150 +/*
21151 +       for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
21152 +               pgd = pgd_offset_k(addr);
21153 +               pud = pud_offset(pgd, addr);
21154 +               pmd = pmd_offset(pud, addr);
21155 +               set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
21156 +       }
21157 +*/
21158 +#endif
21159 +
21160 +#ifdef CONFIG_MODULES
21161 +       set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
21162 +#endif
21163 +
21164 +#else
21165 +       pgd_t *pgd;
21166 +       pud_t *pud;
21167 +       pmd_t *pmd;
21168 +       unsigned long addr, end;
21169 +
21170 +       /* PaX: make kernel code/rodata read-only, rest non-executable */
21171 +       for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
21172 +               pgd = pgd_offset_k(addr);
21173 +               pud = pud_offset(pgd, addr);
21174 +               pmd = pmd_offset(pud, addr);
21175 +               if (!pmd_present(*pmd))
21176 +                       continue;
21177 +               if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
21178 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21179 +               else
21180 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
21181 +       }
21182 +
21183 +       addr = (unsigned long)__va(__pa(__START_KERNEL_map));
21184 +       end = addr + KERNEL_IMAGE_SIZE;
21185 +       for (; addr < end; addr += PMD_SIZE) {
21186 +               pgd = pgd_offset_k(addr);
21187 +               pud = pud_offset(pgd, addr);
21188 +               pmd = pmd_offset(pud, addr);
21189 +               if (!pmd_present(*pmd))
21190 +                       continue;
21191 +               if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
21192 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21193 +       }
21194 +#endif
21195 +
21196 +       flush_tlb_all();
21197 +#endif
21198 +
21199         free_init_pages("unused kernel memory",
21200                         (unsigned long)(&__init_begin),
21201                         (unsigned long)(&__init_end));
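Review bot: `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` appears to pass an integer sum as the destination; memset takes `void *`, so this should read `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);` and a comment should say which page is being poisoned and why. The two `/* ... */` blocks of commented-out loops (after set_memory_ro() and inside CONFIG_X86_PAE) are dead code shadowing the set_memory_ro()/set_memory_nx() calls that replaced them and should be deleted. The 64-bit branch's second loop over the direct-map alias only clears _PAGE_RW on the text range and, unlike the first loop, never sets _PAGE_NX on the remainder; if that is because the direct map is already non-executable, a comment should say so. free_initmem's body continues outside the hunk.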
21202 diff -urNp linux-3.0.9/arch/x86/mm/iomap_32.c linux-3.0.9/arch/x86/mm/iomap_32.c
21203 --- linux-3.0.9/arch/x86/mm/iomap_32.c  2011-11-11 13:12:24.000000000 -0500
21204 +++ linux-3.0.9/arch/x86/mm/iomap_32.c  2011-11-15 20:02:59.000000000 -0500
21205 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
21206         type = kmap_atomic_idx_push();
21207         idx = type + KM_TYPE_NR * smp_processor_id();
21208         vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21209 +
21210 +       pax_open_kernel();
21211         set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
21212 +       pax_close_kernel();
21213 +
21214         arch_flush_lazy_mmu_mode();
21215  
21216         return (void *)vaddr;
21217 diff -urNp linux-3.0.9/arch/x86/mm/ioremap.c linux-3.0.9/arch/x86/mm/ioremap.c
21218 --- linux-3.0.9/arch/x86/mm/ioremap.c   2011-11-11 13:12:24.000000000 -0500
21219 +++ linux-3.0.9/arch/x86/mm/ioremap.c   2011-11-15 20:02:59.000000000 -0500
21220 @@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(re
21221         for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
21222                 int is_ram = page_is_ram(pfn);
21223  
21224 -               if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
21225 +               if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
21226                         return NULL;
21227                 WARN_ON_ONCE(is_ram);
21228         }
21229 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
21230  early_param("early_ioremap_debug", early_ioremap_debug_setup);
21231  
21232  static __initdata int after_paging_init;
21233 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
21234 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
21235  
21236  static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
21237  {
21238 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
21239                 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
21240  
21241         pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
21242 -       memset(bm_pte, 0, sizeof(bm_pte));
21243 -       pmd_populate_kernel(&init_mm, pmd, bm_pte);
21244 +       pmd_populate_user(&init_mm, pmd, bm_pte);
21245  
21246         /*
21247          * The boot-ioremap range spans multiple pmds, for which
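Review bot: The switch from pmd_populate_kernel() to pmd_populate_user() for the boot-time fixmap pmd is unexplained, and in the hunk at L21237 bm_pte itself becomes `__read_only`; together these look like a KERNEXEC arrangement, but nothing on the page says so. A comment on the declaration stating why the pte page is read-only and which path is allowed to write it (the early fixmap set_pte path would presumably now need pax_open_kernel()/pax_close_kernel(), not visible here), plus one here on why the user populate variant is used, would keep the two hunks understandable together. Dropping the memset is fine only because bm_pte is static storage and therefore zero-initialized; that is worth a word too. early_ioremap_init starts outside the hunk.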
21248 diff -urNp linux-3.0.9/arch/x86/mm/kmemcheck/kmemcheck.c linux-3.0.9/arch/x86/mm/kmemcheck/kmemcheck.c
21249 --- linux-3.0.9/arch/x86/mm/kmemcheck/kmemcheck.c       2011-11-11 13:12:24.000000000 -0500
21250 +++ linux-3.0.9/arch/x86/mm/kmemcheck/kmemcheck.c       2011-11-15 20:02:59.000000000 -0500
21251 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
21252          * memory (e.g. tracked pages)? For now, we need this to avoid
21253          * invoking kmemcheck for PnP BIOS calls.
21254          */
21255 -       if (regs->flags & X86_VM_MASK)
21256 +       if (v8086_mode(regs))
21257                 return false;
21258 -       if (regs->cs != __KERNEL_CS)
21259 +       if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
21260                 return false;
21261  
21262         pte = kmemcheck_pte_lookup(address);
21263 diff -urNp linux-3.0.9/arch/x86/mm/mmap.c linux-3.0.9/arch/x86/mm/mmap.c
21264 --- linux-3.0.9/arch/x86/mm/mmap.c      2011-11-11 13:12:24.000000000 -0500
21265 +++ linux-3.0.9/arch/x86/mm/mmap.c      2011-11-15 20:02:59.000000000 -0500
21266 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
21267   * Leave an at least ~128 MB hole with possible stack randomization.
21268   */
21269  #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
21270 -#define MAX_GAP (TASK_SIZE/6*5)
21271 +#define MAX_GAP (pax_task_size/6*5)
21272  
21273  /*
21274   * True on X86_32 or when emulating IA32 on X86_64
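Review bot: `#define MAX_GAP (pax_task_size/6*5)` now silently captures a local variable that has to exist at every use site (mmap_base() at L21295 declares one), so the macro cannot be used anywhere else without copying that declaration and yields a confusing "undeclared" error if it is. Make the dependency explicit: `#define MAX_GAP(task_size) ((task_size)/6*5)` here and `else if (gap > MAX_GAP(pax_task_size))` at the use site.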
21275 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
21276         return rnd << PAGE_SHIFT;
21277  }
21278  
21279 -static unsigned long mmap_base(void)
21280 +static unsigned long mmap_base(struct mm_struct *mm)
21281  {
21282         unsigned long gap = rlimit(RLIMIT_STACK);
21283 +       unsigned long pax_task_size = TASK_SIZE;
21284 +
21285 +#ifdef CONFIG_PAX_SEGMEXEC
21286 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
21287 +               pax_task_size = SEGMEXEC_TASK_SIZE;
21288 +#endif
21289  
21290         if (gap < MIN_GAP)
21291                 gap = MIN_GAP;
21292         else if (gap > MAX_GAP)
21293                 gap = MAX_GAP;
21294  
21295 -       return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
21296 +       return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
21297  }
21298  
21299  /*
21300   * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
21301   * does, but not when emulating X86_32
21302   */
21303 -static unsigned long mmap_legacy_base(void)
21304 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
21305  {
21306 -       if (mmap_is_ia32())
21307 +       if (mmap_is_ia32()) {
21308 +
21309 +#ifdef CONFIG_PAX_SEGMEXEC
21310 +               if (mm->pax_flags & MF_PAX_SEGMEXEC)
21311 +                       return SEGMEXEC_TASK_UNMAPPED_BASE;
21312 +               else
21313 +#endif
21314 +
21315                 return TASK_UNMAPPED_BASE;
21316 -       else
21317 +       } else
21318                 return TASK_UNMAPPED_BASE + mmap_rnd();
21319  }
21320  
21321 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
21322  void arch_pick_mmap_layout(struct mm_struct *mm)
21323  {
21324         if (mmap_is_legacy()) {
21325 -               mm->mmap_base = mmap_legacy_base();
21326 +               mm->mmap_base = mmap_legacy_base(mm);
21327 +
21328 +#ifdef CONFIG_PAX_RANDMMAP
21329 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
21330 +                       mm->mmap_base += mm->delta_mmap;
21331 +#endif
21332 +
21333                 mm->get_unmapped_area = arch_get_unmapped_area;
21334                 mm->unmap_area = arch_unmap_area;
21335         } else {
21336 -               mm->mmap_base = mmap_base();
21337 +               mm->mmap_base = mmap_base(mm);
21338 +
21339 +#ifdef CONFIG_PAX_RANDMMAP
21340 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
21341 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
21342 +#endif
21343 +
21344                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
21345                 mm->unmap_area = arch_unmap_area_topdown;
21346         }
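Review bot: The `MF_PAX_RANDMMAP` adjustments are applied after `mmap_base()` has already clamped the gap to MIN_GAP/MAX_GAP, so in the top-down branch `mm->mmap_base -= mm->delta_mmap + mm->delta_stack` can shrink the hole that the `MIN_GAP` comment promises ("at least ~128 MB"). If the deltas are bounded elsewhere so that the hole survives (the `PAX_DELTA_*_LEN` definitions suggest they are), reference that bound here, e.g. `/* delta_mmap/delta_stack are bounded by PAX_DELTA_*_LEN, so the MIN_GAP hole is preserved */`; otherwise a lower bound is needed. The closing brace of `arch_pick_mmap_layout()` lies outside the hunk.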
21347 diff -urNp linux-3.0.9/arch/x86/mm/mmio-mod.c linux-3.0.9/arch/x86/mm/mmio-mod.c
21348 --- linux-3.0.9/arch/x86/mm/mmio-mod.c  2011-11-11 13:12:24.000000000 -0500
21349 +++ linux-3.0.9/arch/x86/mm/mmio-mod.c  2011-11-15 20:02:59.000000000 -0500
21350 @@ -195,7 +195,7 @@ static void pre(struct kmmio_probe *p, s
21351                 break;
21352         default:
21353                 {
21354 -                       unsigned char *ip = (unsigned char *)instptr;
21355 +                       unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
21356                         my_trace->opcode = MMIO_UNKNOWN_OP;
21357                         my_trace->width = 0;
21358                         my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
21359 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p, 
21360  static void ioremap_trace_core(resource_size_t offset, unsigned long size,
21361                                                         void __iomem *addr)
21362  {
21363 -       static atomic_t next_id;
21364 +       static atomic_unchecked_t next_id;
21365         struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
21366         /* These are page-unaligned. */
21367         struct mmiotrace_map map = {
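Review bot: Switching `next_id` to `atomic_unchecked_t` (and to `atomic_inc_return_unchecked` in the next hunk at L21376) opts this counter out of overflow checking without recording why. A one-line comment at the declaration would carry the intent, e.g. `/* trace id, not a refcount: wrap-around is harmless here, so no overflow check */`, assuming that is indeed why the unchecked variant was chosen. The rest of `ioremap_trace_core()` is outside the hunk.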
21368 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
21369                         .private = trace
21370                 },
21371                 .phys = offset,
21372 -               .id = atomic_inc_return(&next_id)
21373 +               .id = atomic_inc_return_unchecked(&next_id)
21374         };
21375         map.map_id = trace->id;
21376  
21377 diff -urNp linux-3.0.9/arch/x86/mm/pageattr.c linux-3.0.9/arch/x86/mm/pageattr.c
21378 --- linux-3.0.9/arch/x86/mm/pageattr.c  2011-11-11 13:12:24.000000000 -0500
21379 +++ linux-3.0.9/arch/x86/mm/pageattr.c  2011-11-15 20:02:59.000000000 -0500
21380 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
21381          */
21382  #ifdef CONFIG_PCI_BIOS
21383         if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
21384 -               pgprot_val(forbidden) |= _PAGE_NX;
21385 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21386  #endif
21387  
21388         /*
21389 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
21390          * Does not cover __inittext since that is gone later on. On
21391          * 64bit we do not enforce !NX on the low mapping
21392          */
21393 -       if (within(address, (unsigned long)_text, (unsigned long)_etext))
21394 -               pgprot_val(forbidden) |= _PAGE_NX;
21395 +       if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
21396 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21397  
21398 +#ifdef CONFIG_DEBUG_RODATA
21399         /*
21400          * The .rodata section needs to be read-only. Using the pfn
21401          * catches all aliases.
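Review bot: Wrapping the `.rodata` RW-forbid in `#ifdef CONFIG_DEBUG_RODATA` (its `#endif` lands in the next hunk at L21409) changes behaviour for configurations without that option: `static_protections()` no longer strips `_PAGE_RW` for rodata aliases there, yet the existing comment still says the section "needs to be read-only" unconditionally. If the intent is that rodata is only made read-only when DEBUG_RODATA is set and the forbid is moot otherwise, say so in that comment, e.g. `/* only meaningful with CONFIG_DEBUG_RODATA, which is what marks .rodata read-only in the first place */`; as written the guard looks like a regression. Give the new `#endif` a `/* CONFIG_DEBUG_RODATA */` trailer, since the opening `#ifdef` is several lines away.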
21402 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
21403         if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
21404                    __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
21405                 pgprot_val(forbidden) |= _PAGE_RW;
21406 +#endif
21407  
21408  #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
21409         /*
21410 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
21411         }
21412  #endif
21413  
21414 +#ifdef CONFIG_PAX_KERNEXEC
21415 +       if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
21416 +               pgprot_val(forbidden) |= _PAGE_RW;
21417 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21418 +       }
21419 +#endif
21420 +
21421         prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
21422  
21423         return prot;
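Review bot: The new KERNEXEC check compares `pfn` with `__pa(&_text)` and `__pa(&_sdata)`, which are byte physical addresses, while the rodata check above passes `__pa(...) >> PAGE_SHIFT` to `within(pfn, ...)`; unless `within()` is meant to take mixed units here, the range is off by a factor of PAGE_SIZE and matches the wrong frames (or none). Suggested: `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. `static_protections()` begins outside the hunk.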
21424 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
21425  static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
21426  {
21427         /* change init_mm */
21428 +       pax_open_kernel();
21429         set_pte_atomic(kpte, pte);
21430 +
21431  #ifdef CONFIG_X86_32
21432         if (!SHARED_KERNEL_PMD) {
21433 +
21434 +#ifdef CONFIG_PAX_PER_CPU_PGD
21435 +               unsigned long cpu;
21436 +#else
21437                 struct page *page;
21438 +#endif
21439  
21440 +#ifdef CONFIG_PAX_PER_CPU_PGD
21441 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21442 +                       pgd_t *pgd = get_cpu_pgd(cpu);
21443 +#else
21444                 list_for_each_entry(page, &pgd_list, lru) {
21445 -                       pgd_t *pgd;
21446 +                       pgd_t *pgd = (pgd_t *)page_address(page);
21447 +#endif
21448 +
21449                         pud_t *pud;
21450                         pmd_t *pmd;
21451  
21452 -                       pgd = (pgd_t *)page_address(page) + pgd_index(address);
21453 +                       pgd += pgd_index(address);
21454                         pud = pud_offset(pgd, address);
21455                         pmd = pmd_offset(pud, address);
21456                         set_pte_atomic((pte_t *)pmd, pte);
21457                 }
21458         }
21459  #endif
21460 +       pax_close_kernel();
21461  }
21462  
21463  static int
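Review bot: `__set_pmd_pte()` now interleaves two `#ifdef CONFIG_PAX_PER_CPU_PGD` blocks with the loop, so the loop header, its opening brace and the body's first declaration come from different preprocessor arms and an `#endif` sits inside the loop body; it compiles in both configurations, but the brace structure is only visible after preprocessing. Moving the per-directory update into a small static helper lets each arm hold a complete loop with its own declaration, and the `pax_open_kernel()`/`pax_close_kernel()` pair keeps wrapping the whole body. The helper would be defined above `__set_pmd_pte`; the first lines of the function are shown below only to place the change.
```c
/* Point one page directory's kernel pmd for @address at @pte. */
static void __set_pmd_pte_one(pgd_t *pgd, unsigned long address, pte_t pte)
{
	pud_t *pud;
	pmd_t *pmd;

	pgd += pgd_index(address);
	pud = pud_offset(pgd, address);
	pmd = pmd_offset(pud, address);
	set_pte_atomic((pte_t *)pmd, pte);
}

static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
{
	/* … unchanged: pax_open_kernel(); set_pte_atomic(kpte, pte); … */

#ifdef CONFIG_X86_32
	if (!SHARED_KERNEL_PMD) {
#ifdef CONFIG_PAX_PER_CPU_PGD
		unsigned long cpu;

		for (cpu = 0; cpu < NR_CPUS; ++cpu)
			__set_pmd_pte_one(get_cpu_pgd(cpu), address, pte);
#else
		struct page *page;

		list_for_each_entry(page, &pgd_list, lru)
			__set_pmd_pte_one((pgd_t *)page_address(page), address, pte);
#endif
	}
#endif
	pax_close_kernel();
}
```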
21464 diff -urNp linux-3.0.9/arch/x86/mm/pageattr-test.c linux-3.0.9/arch/x86/mm/pageattr-test.c
21465 --- linux-3.0.9/arch/x86/mm/pageattr-test.c     2011-11-11 13:12:24.000000000 -0500
21466 +++ linux-3.0.9/arch/x86/mm/pageattr-test.c     2011-11-15 20:02:59.000000000 -0500
21467 @@ -36,7 +36,7 @@ enum {
21468  
21469  static int pte_testbit(pte_t pte)
21470  {
21471 -       return pte_flags(pte) & _PAGE_UNUSED1;
21472 +       return pte_flags(pte) & _PAGE_CPA_TEST;
21473  }
21474  
21475  struct split_state {
21476 diff -urNp linux-3.0.9/arch/x86/mm/pat.c linux-3.0.9/arch/x86/mm/pat.c
21477 --- linux-3.0.9/arch/x86/mm/pat.c       2011-11-11 13:12:24.000000000 -0500
21478 +++ linux-3.0.9/arch/x86/mm/pat.c       2011-11-15 20:02:59.000000000 -0500
21479 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
21480  
21481         if (!entry) {
21482                 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
21483 -                       current->comm, current->pid, start, end);
21484 +                       current->comm, task_pid_nr(current), start, end);
21485                 return -EINVAL;
21486         }
21487  
21488 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
21489         while (cursor < to) {
21490                 if (!devmem_is_allowed(pfn)) {
21491                         printk(KERN_INFO
21492 -               "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
21493 -                               current->comm, from, to);
21494 +               "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
21495 +                               current->comm, from, to, cursor);
21496                         return 0;
21497                 }
21498                 cursor += PAGE_SIZE;
21499 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
21500                 printk(KERN_INFO
21501                         "%s:%d ioremap_change_attr failed %s "
21502                         "for %Lx-%Lx\n",
21503 -                       current->comm, current->pid,
21504 +                       current->comm, task_pid_nr(current),
21505                         cattr_name(flags),
21506                         base, (unsigned long long)(base + size));
21507                 return -EINVAL;
21508 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr, 
21509                 if (want_flags != flags) {
21510                         printk(KERN_WARNING
21511                         "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
21512 -                               current->comm, current->pid,
21513 +                               current->comm, task_pid_nr(current),
21514                                 cattr_name(want_flags),
21515                                 (unsigned long long)paddr,
21516                                 (unsigned long long)(paddr + size),
21517 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr, 
21518                         free_memtype(paddr, paddr + size);
21519                         printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
21520                                 " for %Lx-%Lx, got %s\n",
21521 -                               current->comm, current->pid,
21522 +                               current->comm, task_pid_nr(current),
21523                                 cattr_name(want_flags),
21524                                 (unsigned long long)paddr,
21525                                 (unsigned long long)(paddr + size),
21526 diff -urNp linux-3.0.9/arch/x86/mm/pf_in.c linux-3.0.9/arch/x86/mm/pf_in.c
21527 --- linux-3.0.9/arch/x86/mm/pf_in.c     2011-11-11 13:12:24.000000000 -0500
21528 +++ linux-3.0.9/arch/x86/mm/pf_in.c     2011-11-15 20:02:59.000000000 -0500
21529 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
21530         int i;
21531         enum reason_type rv = OTHERS;
21532  
21533 -       p = (unsigned char *)ins_addr;
21534 +       p = (unsigned char *)ktla_ktva(ins_addr);
21535         p += skip_prefix(p, &prf);
21536         p += get_opcode(p, &opcode);
21537  
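Review bot: The same `(unsigned char *)ktla_ktva(ins_addr)` cast is repeated at five sites (here and at L21546, L21555, L21564, L21573) with no comment on why the decoder has to translate the address before reading instruction bytes. A file-local helper, `static inline unsigned char *ins_ptr(unsigned long ins_addr) { return (unsigned char *)ktla_ktva(ins_addr); }`, with a comment stating that the faulting address is presumably a kernel linear address that must be mapped back to the text virtual address before it is dereferenced (to be confirmed against the `ktla_ktva` definition), would let the five sites read `p = ins_ptr(ins_addr);` and give the explanation a single home. Each enclosing function starts outside its hunk.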
21538 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
21539         struct prefix_bits prf;
21540         int i;
21541  
21542 -       p = (unsigned char *)ins_addr;
21543 +       p = (unsigned char *)ktla_ktva(ins_addr);
21544         p += skip_prefix(p, &prf);
21545         p += get_opcode(p, &opcode);
21546  
21547 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned 
21548         struct prefix_bits prf;
21549         int i;
21550  
21551 -       p = (unsigned char *)ins_addr;
21552 +       p = (unsigned char *)ktla_ktva(ins_addr);
21553         p += skip_prefix(p, &prf);
21554         p += get_opcode(p, &opcode);
21555  
21556 @@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned l
21557         struct prefix_bits prf;
21558         int i;
21559  
21560 -       p = (unsigned char *)ins_addr;
21561 +       p = (unsigned char *)ktla_ktva(ins_addr);
21562         p += skip_prefix(p, &prf);
21563         p += get_opcode(p, &opcode);
21564         for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
21565 @@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned l
21566         struct prefix_bits prf;
21567         int i;
21568  
21569 -       p = (unsigned char *)ins_addr;
21570 +       p = (unsigned char *)ktla_ktva(ins_addr);
21571         p += skip_prefix(p, &prf);
21572         p += get_opcode(p, &opcode);
21573         for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
21574 diff -urNp linux-3.0.9/arch/x86/mm/pgtable_32.c linux-3.0.9/arch/x86/mm/pgtable_32.c
21575 --- linux-3.0.9/arch/x86/mm/pgtable_32.c        2011-11-11 13:12:24.000000000 -0500
21576 +++ linux-3.0.9/arch/x86/mm/pgtable_32.c        2011-11-15 20:02:59.000000000 -0500
21577 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr, 
21578                 return;
21579         }
21580         pte = pte_offset_kernel(pmd, vaddr);
21581 +
21582 +       pax_open_kernel();
21583         if (pte_val(pteval))
21584                 set_pte_at(&init_mm, vaddr, pte, pteval);
21585         else
21586                 pte_clear(&init_mm, vaddr, pte);
21587 +       pax_close_kernel();
21588  
21589         /*
21590          * It's enough to flush this one mapping.
21591 diff -urNp linux-3.0.9/arch/x86/mm/pgtable.c linux-3.0.9/arch/x86/mm/pgtable.c
21592 --- linux-3.0.9/arch/x86/mm/pgtable.c   2011-11-11 13:12:24.000000000 -0500
21593 +++ linux-3.0.9/arch/x86/mm/pgtable.c   2011-11-15 20:02:59.000000000 -0500
21594 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
21595         list_del(&page->lru);
21596  }
21597  
21598 -#define UNSHARED_PTRS_PER_PGD                          \
21599 -       (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21600 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21601 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
21602  
21603 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21604 +{
21605 +       while (count--)
21606 +               *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
21607 +}
21608 +#endif
21609 +
21610 +#ifdef CONFIG_PAX_PER_CPU_PGD
21611 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21612 +{
21613 +       while (count--)
21614 +
21615 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21616 +               *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
21617 +#else
21618 +               *dst++ = *src++;
21619 +#endif
21620  
21621 +}
21622 +#endif
21623 +
21624 +#ifdef CONFIG_X86_64
21625 +#define pxd_t                          pud_t
21626 +#define pyd_t                          pgd_t
21627 +#define paravirt_release_pxd(pfn)      paravirt_release_pud(pfn)
21628 +#define pxd_free(mm, pud)              pud_free((mm), (pud))
21629 +#define pyd_populate(mm, pgd, pud)     pgd_populate((mm), (pgd), (pud))
21630 +#define pyd_offset(mm ,address)                pgd_offset((mm), (address))
21631 +#define PYD_SIZE                       PGDIR_SIZE
21632 +#else
21633 +#define pxd_t                          pmd_t
21634 +#define pyd_t                          pud_t
21635 +#define paravirt_release_pxd(pfn)      paravirt_release_pmd(pfn)
21636 +#define pxd_free(mm, pud)              pmd_free((mm), (pud))
21637 +#define pyd_populate(mm, pgd, pud)     pud_populate((mm), (pgd), (pud))
21638 +#define pyd_offset(mm ,address)                pud_offset((mm), (address))
21639 +#define PYD_SIZE                       PUD_SIZE
21640 +#endif
21641 +
21642 +#ifdef CONFIG_PAX_PER_CPU_PGD
21643 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
21644 +static inline void pgd_dtor(pgd_t *pgd) {}
21645 +#else
21646  static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
21647  {
21648         BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
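Review bot: The `pxd_t`/`pyd_t` alias block does not abstract `pyd_offset` uniformly: on X86_64 it expands to `pgd_offset(mm, addr)` and takes an `mm`, on 32-bit to `pud_offset(pgd, addr)` and takes a `pgd`, which is why the one caller (`pgd_prepopulate_pxd`, L21769–L21773) needs its own `#ifdef CONFIG_X86_64` just to choose the first argument. Either give the macro a signature that works for both arms, e.g. `#define pyd_offset(mm, pgd, address) pgd_offset((mm), (address))` and `#define pyd_offset(mm, pgd, address) pud_offset((pgd), (address))`, or add a comment to the block saying the first argument differs per arch. `pxd_free(mm, pud)` and `pyd_populate(mm, pgd, pud)` name their parameters `pud` on both arms; `pxd`/`pyd` would match the scheme, and `pyd_offset(mm ,address)` has a stray space before the comma. In `__clone_user_pgds` the `while (count--)` body is a single statement selected by `#if`, surrounded by blank lines; braces around the body would make the loop's extent explicit.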
21649 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
21650         pgd_list_del(pgd);
21651         spin_unlock(&pgd_lock);
21652  }
21653 +#endif
21654  
21655  /*
21656   * List of all pgd's needed for non-PAE so it can invalidate entries
21657 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
21658   * -- wli
21659   */
21660  
21661 -#ifdef CONFIG_X86_PAE
21662 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
21663  /*
21664   * In PAE mode, we need to do a cr3 reload (=tlb flush) when
21665   * updating the top-level pagetable entries to guarantee the
21666 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
21667   * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
21668   * and initialize the kernel pmds here.
21669   */
21670 -#define PREALLOCATED_PMDS      UNSHARED_PTRS_PER_PGD
21671 +#define PREALLOCATED_PXDS      (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21672  
21673  void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
21674  {
21675 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm, 
21676          */
21677         flush_tlb_mm(mm);
21678  }
21679 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
21680 +#define PREALLOCATED_PXDS      USER_PGD_PTRS
21681  #else  /* !CONFIG_X86_PAE */
21682  
21683  /* No need to prepopulate any pagetable entries in non-PAE modes. */
21684 -#define PREALLOCATED_PMDS      0
21685 +#define PREALLOCATED_PXDS      0
21686  
21687  #endif /* CONFIG_X86_PAE */
21688  
21689 -static void free_pmds(pmd_t *pmds[])
21690 +static void free_pxds(pxd_t *pxds[])
21691  {
21692         int i;
21693  
21694 -       for(i = 0; i < PREALLOCATED_PMDS; i++)
21695 -               if (pmds[i])
21696 -                       free_page((unsigned long)pmds[i]);
21697 +       for(i = 0; i < PREALLOCATED_PXDS; i++)
21698 +               if (pxds[i])
21699 +                       free_page((unsigned long)pxds[i]);
21700  }
21701  
21702 -static int preallocate_pmds(pmd_t *pmds[])
21703 +static int preallocate_pxds(pxd_t *pxds[])
21704  {
21705         int i;
21706         bool failed = false;
21707  
21708 -       for(i = 0; i < PREALLOCATED_PMDS; i++) {
21709 -               pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
21710 -               if (pmd == NULL)
21711 +       for(i = 0; i < PREALLOCATED_PXDS; i++) {
21712 +               pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
21713 +               if (pxd == NULL)
21714                         failed = true;
21715 -               pmds[i] = pmd;
21716 +               pxds[i] = pxd;
21717         }
21718  
21719         if (failed) {
21720 -               free_pmds(pmds);
21721 +               free_pxds(pxds);
21722                 return -ENOMEM;
21723         }
21724  
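Review bot: The `#if` chain now has three arms — `CONFIG_X86_32 && CONFIG_X86_PAE`, the new `CONFIG_X86_64 && CONFIG_PAX_PER_CPU_PGD` arm, and the fallback — but the trailers still read `#else  /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */`, and the fallback's comment "No need to prepopulate any pagetable entries in non-PAE modes" is no longer accurate on X86_64 once per-cpu pgds preallocate `USER_PGD_PTRS` entries. Rename the trailers to describe the chain, e.g. `#else /* !(X86_32 && PAE) && !(X86_64 && PAX_PER_CPU_PGD) */` and `#endif /* PAE / PAX_PER_CPU_PGD preallocation */`, and reword the fallback comment. The new `PREALLOCATED_PXDS USER_PGD_PTRS` arm would also benefit from one line saying what is being preallocated and why (presumably the user-half puds of each per-cpu pgd; to be confirmed).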
21725 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
21726   * preallocate which never got a corresponding vma will need to be
21727   * freed manually.
21728   */
21729 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
21730 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
21731  {
21732         int i;
21733  
21734 -       for(i = 0; i < PREALLOCATED_PMDS; i++) {
21735 +       for(i = 0; i < PREALLOCATED_PXDS; i++) {
21736                 pgd_t pgd = pgdp[i];
21737  
21738                 if (pgd_val(pgd) != 0) {
21739 -                       pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
21740 +                       pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
21741  
21742 -                       pgdp[i] = native_make_pgd(0);
21743 +                       set_pgd(pgdp + i, native_make_pgd(0));
21744  
21745 -                       paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
21746 -                       pmd_free(mm, pmd);
21747 +                       paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
21748 +                       pxd_free(mm, pxd);
21749                 }
21750         }
21751  }
21752  
21753 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
21754 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
21755  {
21756 -       pud_t *pud;
21757 +       pyd_t *pyd;
21758         unsigned long addr;
21759         int i;
21760  
21761 -       if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
21762 +       if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
21763                 return;
21764  
21765 -       pud = pud_offset(pgd, 0);
21766 +#ifdef CONFIG_X86_64
21767 +       pyd = pyd_offset(mm, 0L);
21768 +#else
21769 +       pyd = pyd_offset(pgd, 0L);
21770 +#endif
21771  
21772 -       for (addr = i = 0; i < PREALLOCATED_PMDS;
21773 -            i++, pud++, addr += PUD_SIZE) {
21774 -               pmd_t *pmd = pmds[i];
21775 +       for (addr = i = 0; i < PREALLOCATED_PXDS;
21776 +            i++, pyd++, addr += PYD_SIZE) {
21777 +               pxd_t *pxd = pxds[i];
21778  
21779                 if (i >= KERNEL_PGD_BOUNDARY)
21780 -                       memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21781 -                              sizeof(pmd_t) * PTRS_PER_PMD);
21782 +                       memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21783 +                              sizeof(pxd_t) * PTRS_PER_PMD);
21784  
21785 -               pud_populate(mm, pud, pmd);
21786 +               pyd_populate(mm, pyd, pxd);
21787         }
21788  }
21789  
21790  pgd_t *pgd_alloc(struct mm_struct *mm)
21791  {
21792         pgd_t *pgd;
21793 -       pmd_t *pmds[PREALLOCATED_PMDS];
21794 +       pxd_t *pxds[PREALLOCATED_PXDS];
21795  
21796         pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
21797  
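Review bot: In `pgd_prepopulate_pxd` the copy length is still `sizeof(pxd_t) * PTRS_PER_PMD`, but after the aliasing `pxd_t` is `pud_t` on X86_64 (see the alias block in the first pgtable.c hunk), so the entry count should be the pud table's; `PTRS_PER_PUD` and `PTRS_PER_PMD` are both 512 on x86-64, so this is latent rather than live, but the size no longer tracks the type. Add a `PTRS_PER_PXD` alias to both arms of the `#ifdef CONFIG_X86_64` block next to `pxd_t` and use `sizeof(pxd_t) * PTRS_PER_PXD` here. Whether the `i >= KERNEL_PGD_BOUNDARY` branch is reachable at all in the X86_64 arm (where PREALLOCATED_PXDS is `USER_PGD_PTRS`) is not visible here; a comment either way would help.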
21798 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21799  
21800         mm->pgd = pgd;
21801  
21802 -       if (preallocate_pmds(pmds) != 0)
21803 +       if (preallocate_pxds(pxds) != 0)
21804                 goto out_free_pgd;
21805  
21806         if (paravirt_pgd_alloc(mm) != 0)
21807 -               goto out_free_pmds;
21808 +               goto out_free_pxds;
21809  
21810         /*
21811          * Make sure that pre-populating the pmds is atomic with
21812 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21813         spin_lock(&pgd_lock);
21814  
21815         pgd_ctor(mm, pgd);
21816 -       pgd_prepopulate_pmd(mm, pgd, pmds);
21817 +       pgd_prepopulate_pxd(mm, pgd, pxds);
21818  
21819         spin_unlock(&pgd_lock);
21820  
21821         return pgd;
21822  
21823 -out_free_pmds:
21824 -       free_pmds(pmds);
21825 +out_free_pxds:
21826 +       free_pxds(pxds);
21827  out_free_pgd:
21828         free_page((unsigned long)pgd);
21829  out:
21830 @@ -295,7 +344,7 @@ out:
21831  
21832  void pgd_free(struct mm_struct *mm, pgd_t *pgd)
21833  {
21834 -       pgd_mop_up_pmds(mm, pgd);
21835 +       pgd_mop_up_pxds(mm, pgd);
21836         pgd_dtor(pgd);
21837         paravirt_pgd_free(mm, pgd);
21838         free_page((unsigned long)pgd);
21839 diff -urNp linux-3.0.9/arch/x86/mm/setup_nx.c linux-3.0.9/arch/x86/mm/setup_nx.c
21840 --- linux-3.0.9/arch/x86/mm/setup_nx.c  2011-11-11 13:12:24.000000000 -0500
21841 +++ linux-3.0.9/arch/x86/mm/setup_nx.c  2011-11-15 20:02:59.000000000 -0500
21842 @@ -5,8 +5,10 @@
21843  #include <asm/pgtable.h>
21844  #include <asm/proto.h>
21845  
21846 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21847  static int disable_nx __cpuinitdata;
21848  
21849 +#ifndef CONFIG_PAX_PAGEEXEC
21850  /*
21851   * noexec = on|off
21852   *
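Review bot: Under `CONFIG_PAX_PAGEEXEC` the `noexec=` early parameter is compiled out entirely (the matching `#endif` is in the next hunk at L21860), so `noexec=off` on the command line is silently ignored rather than honoured or rejected, and nothing records that choice. A comment at the `#ifndef CONFIG_PAX_PAGEEXEC` line, e.g. `/* PAGEEXEC needs NX to stay enabled, so noexec= is deliberately not accepted */` (assuming that is the reason), would document it, and the kernel-parameters documentation would ideally say the same. The two bare `#endif`s in the next hunk (L21860 and L21862) should carry `/* CONFIG_PAX_PAGEEXEC */` and `/* X86_64 || X86_PAE */` trailers, since their opening `#if`s are out of sight by then.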
21853 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
21854         return 0;
21855  }
21856  early_param("noexec", noexec_setup);
21857 +#endif
21858 +
21859 +#endif
21860  
21861  void __cpuinit x86_configure_nx(void)
21862  {
21863 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21864         if (cpu_has_nx && !disable_nx)
21865                 __supported_pte_mask |= _PAGE_NX;
21866         else
21867 +#endif
21868                 __supported_pte_mask &= ~_PAGE_NX;
21869  }
21870  
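Review bot: In `x86_configure_nx()` the `else` is immediately followed by `#endif`, so on 32-bit non-PAE `__supported_pte_mask &= ~_PAGE_NX;` is the function's only statement and elsewhere it is the else-branch; it is correct after preprocessing but reads like a dangling-else mistake. The same result with no preprocessor-dependent control flow: clear first, then set under the guard — `__supported_pte_mask &= ~_PAGE_NX;` followed by `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` / `if (cpu_has_nx && !disable_nx) __supported_pte_mask |= _PAGE_NX;` / `#endif`.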
21871 diff -urNp linux-3.0.9/arch/x86/mm/tlb.c linux-3.0.9/arch/x86/mm/tlb.c
21872 --- linux-3.0.9/arch/x86/mm/tlb.c       2011-11-11 13:12:24.000000000 -0500
21873 +++ linux-3.0.9/arch/x86/mm/tlb.c       2011-11-15 20:02:59.000000000 -0500
21874 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
21875                 BUG();
21876         cpumask_clear_cpu(cpu,
21877                           mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
21878 +
21879 +#ifndef CONFIG_PAX_PER_CPU_PGD
21880         load_cr3(swapper_pg_dir);
21881 +#endif
21882 +
21883  }
21884  EXPORT_SYMBOL_GPL(leave_mm);
21885  
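Review bot: Skipping `load_cr3(swapper_pg_dir)` in `leave_mm()` under `CONFIG_PAX_PER_CPU_PGD` is not explained; presumably the per-cpu pgd already loaded in cr3 carries the kernel mappings so there is nothing to switch to, but a reader of this function cannot tell that from here. Add a comment above the `#ifndef`, e.g. `/* with per-cpu pgds cr3 already points at this cpu's own pgd; nothing to switch to */` (wording to be confirmed against the PER_CPU_PGD design). The two blank lines the hunk adds are stray; the one before the closing brace leaves a trailing empty line in the function.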
21886 diff -urNp linux-3.0.9/arch/x86/net/bpf_jit_comp.c linux-3.0.9/arch/x86/net/bpf_jit_comp.c
21887 --- linux-3.0.9/arch/x86/net/bpf_jit_comp.c     2011-11-11 13:12:24.000000000 -0500
21888 +++ linux-3.0.9/arch/x86/net/bpf_jit_comp.c     2011-11-15 20:02:59.000000000 -0500
21889 @@ -589,7 +589,9 @@ cond_branch:                        f_offset = addrs[i + filt
21890                                         module_free(NULL, image);
21891                                         return;
21892                                 }
21893 +                               pax_open_kernel();
21894                                 memcpy(image + proglen, temp, ilen);
21895 +                               pax_close_kernel();
21896                         }
21897                         proglen += ilen;
21898                         addrs[i] = proglen;
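Review bot: The JIT image is now obtained from `module_alloc_exec()` (next hunk, L21907) but the error path in this hunk still releases it with `module_free(NULL, image)`; if the exec allocator has a matching release function (the `_exec` naming suggests a separate pool), this path and the teardown in `bpf_jit_free()` (outside the hunk) should use it, and if `module_free` is intentionally shared, a comment at the allocation should say so. The `pax_open_kernel()`/`pax_close_kernel()` window around the `memcpy` appears to be the only write into `image` in this function; stating that next to it, e.g. `/* image is not writable by default; open the kernel for the one copy */`, explains the pair. `bpf_jit_compile()` starts and ends outside the hunk.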
21899 @@ -609,7 +611,7 @@ cond_branch:                        f_offset = addrs[i + filt
21900                         break;
21901                 }
21902                 if (proglen == oldproglen) {
21903 -                       image = module_alloc(max_t(unsigned int,
21904 +                       image = module_alloc_exec(max_t(unsigned int,
21905                                                    proglen,
21906                                                    sizeof(struct work_struct)));
21907                         if (!image)
21908 diff -urNp linux-3.0.9/arch/x86/net/bpf_jit.S linux-3.0.9/arch/x86/net/bpf_jit.S
21909 --- linux-3.0.9/arch/x86/net/bpf_jit.S  2011-11-11 13:12:24.000000000 -0500
21910 +++ linux-3.0.9/arch/x86/net/bpf_jit.S  2011-11-15 20:02:59.000000000 -0500
21911 @@ -9,6 +9,7 @@
21912   */
21913  #include <linux/linkage.h>
21914  #include <asm/dwarf2.h>
21915 +#include <asm/alternative-asm.h>
21916  
21917  /*
21918   * Calling convention :
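Review bot: Every `ret` in this file now has to be preceded by `pax_force_retaddr` (this and the following eight hunks add it at each site), but nothing in the file states that rule, so the next helper written here is likely to miss it. A comment next to the new include, `/* every ret below must be preceded by pax_force_retaddr (asm/alternative-asm.h) */`, would make the invariant visible where a new routine would be added.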
21919 @@ -35,6 +36,7 @@ sk_load_word:
21920         jle     bpf_slow_path_word
21921         mov     (SKBDATA,%rsi),%eax
21922         bswap   %eax                    /* ntohl() */
21923 +       pax_force_retaddr
21924         ret
21925  
21926  
21927 @@ -53,6 +55,7 @@ sk_load_half:
21928         jle     bpf_slow_path_half
21929         movzwl  (SKBDATA,%rsi),%eax
21930         rol     $8,%ax                  # ntohs()
21931 +       pax_force_retaddr
21932         ret
21933  
21934  sk_load_byte_ind:
21935 @@ -66,6 +69,7 @@ sk_load_byte:
21936         cmp     %esi,%r9d   /* if (offset >= hlen) goto bpf_slow_path_byte */
21937         jle     bpf_slow_path_byte
21938         movzbl  (SKBDATA,%rsi),%eax
21939 +       pax_force_retaddr
21940         ret
21941  
21942  /**
21943 @@ -82,6 +86,7 @@ ENTRY(sk_load_byte_msh)
21944         movzbl  (SKBDATA,%rsi),%ebx
21945         and     $15,%bl
21946         shl     $2,%bl
21947 +       pax_force_retaddr
21948         ret
21949         CFI_ENDPROC
21950  ENDPROC(sk_load_byte_msh)
21951 @@ -91,6 +96,7 @@ bpf_error:
21952         xor             %eax,%eax
21953         mov             -8(%rbp),%rbx
21954         leaveq
21955 +       pax_force_retaddr
21956         ret
21957  
21958  /* rsi contains offset and can be scratched */
21959 @@ -113,6 +119,7 @@ bpf_slow_path_word:
21960         js      bpf_error
21961         mov     -12(%rbp),%eax
21962         bswap   %eax
21963 +       pax_force_retaddr
21964         ret
21965  
21966  bpf_slow_path_half:
21967 @@ -121,12 +128,14 @@ bpf_slow_path_half:
21968         mov     -12(%rbp),%ax
21969         rol     $8,%ax
21970         movzwl  %ax,%eax
21971 +       pax_force_retaddr
21972         ret
21973  
21974  bpf_slow_path_byte:
21975         bpf_slow_path_common(1)
21976         js      bpf_error
21977         movzbl  -12(%rbp),%eax
21978 +       pax_force_retaddr
21979         ret
21980  
21981  bpf_slow_path_byte_msh:
21982 @@ -137,4 +146,5 @@ bpf_slow_path_byte_msh:
21983         and     $15,%al
21984         shl     $2,%al
21985         xchg    %eax,%ebx
21986 +       pax_force_retaddr
21987         ret
21988 diff -urNp linux-3.0.9/arch/x86/oprofile/backtrace.c linux-3.0.9/arch/x86/oprofile/backtrace.c
21989 --- linux-3.0.9/arch/x86/oprofile/backtrace.c   2011-11-11 13:12:24.000000000 -0500
21990 +++ linux-3.0.9/arch/x86/oprofile/backtrace.c   2011-11-15 20:02:59.000000000 -0500
21991 @@ -83,11 +83,11 @@ dump_user_backtrace_32(struct stack_fram
21992         struct stack_frame_ia32 *fp;
21993         unsigned long bytes;
21994  
21995 -       bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
21996 +       bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
21997         if (bytes != sizeof(bufhead))
21998                 return NULL;
21999  
22000 -       fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
22001 +       fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
22002  
22003         oprofile_add_trace(bufhead[0].return_address);
22004  
22005 @@ -129,7 +129,7 @@ static struct stack_frame *dump_user_bac
22006         struct stack_frame bufhead[2];
22007         unsigned long bytes;
22008  
22009 -       bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
22010 +       bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
22011         if (bytes != sizeof(bufhead))
22012                 return NULL;
22013  
22014 @@ -148,7 +148,7 @@ x86_backtrace(struct pt_regs * const reg
22015  {
22016         struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
22017  
22018 -       if (!user_mode_vm(regs)) {
22019 +       if (!user_mode(regs)) {
22020                 unsigned long stack = kernel_stack_pointer(regs);
22021                 if (depth)
22022                         dump_trace(NULL, regs, (unsigned long *)stack, 0,
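Review bot: `user_mode_vm(regs)` also treats a vm86-mode frame as user mode, whereas `user_mode(regs)` looks only at the CS privilege level, so after this change a vm86 task's registers take the kernel branch and `dump_trace()` walks `kernel_stack_pointer(regs)` as if it were a kernel stack; unless the patch makes `user_mode()` vm86-aware or removes vm86 elsewhere (not visible here), this is a behaviour change for 32-bit oprofile. Either revert to `user_mode_vm(regs)` or add a comment on the changed line stating why the vm86 distinction is no longer needed. The rest of `x86_backtrace()` is outside the hunk.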
22023 diff -urNp linux-3.0.9/arch/x86/pci/mrst.c linux-3.0.9/arch/x86/pci/mrst.c
22024 --- linux-3.0.9/arch/x86/pci/mrst.c     2011-11-11 13:12:24.000000000 -0500
22025 +++ linux-3.0.9/arch/x86/pci/mrst.c     2011-11-15 20:02:59.000000000 -0500
22026 @@ -234,7 +234,9 @@ int __init pci_mrst_init(void)
22027         printk(KERN_INFO "Moorestown platform detected, using MRST PCI ops\n");
22028         pci_mmcfg_late_init();
22029         pcibios_enable_irq = mrst_pci_irq_enable;
22030 -       pci_root_ops = pci_mrst_ops;
22031 +       pax_open_kernel();
22032 +       memcpy((void *)&pci_root_ops, &pci_mrst_ops, sizeof(pci_mrst_ops));
22033 +       pax_close_kernel();
22034         /* Continue with standard init */
22035         return 1;
22036  }
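Review bot: `memcpy((void *)&pci_root_ops, ...)` casts away whatever qualification `pci_root_ops` carries; if it is declared `const` elsewhere in the patch (the cast suggests it is), writing through it is undefined behaviour regardless of the `pax_open_kernel()` window, and the compiler may assume the object unchanged — the `__read_only` placement without `const` that the patch uses for `bios32_indirect` below is the safer pattern here. Size the copy by the destination, `sizeof(pci_root_ops)`, which is the idiom for a struct overwrite. A one-line comment, `/* pci_root_ops lives in read-only data; open the kernel for this one-time install */`, would explain the open/close pair.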
22037 diff -urNp linux-3.0.9/arch/x86/pci/pcbios.c linux-3.0.9/arch/x86/pci/pcbios.c
22038 --- linux-3.0.9/arch/x86/pci/pcbios.c   2011-11-11 13:12:24.000000000 -0500
22039 +++ linux-3.0.9/arch/x86/pci/pcbios.c   2011-11-15 20:02:59.000000000 -0500
22040 @@ -79,50 +79,93 @@ union bios32 {
22041  static struct {
22042         unsigned long address;
22043         unsigned short segment;
22044 -} bios32_indirect = { 0, __KERNEL_CS };
22045 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
22046  
22047  /*
22048   * Returns the entry point for the given service, NULL on error
22049   */
22050  
22051 -static unsigned long bios32_service(unsigned long service)
22052 +static unsigned long __devinit bios32_service(unsigned long service)
22053  {
22054         unsigned char return_code;      /* %al */
22055         unsigned long address;          /* %ebx */
22056         unsigned long length;           /* %ecx */
22057         unsigned long entry;            /* %edx */
22058         unsigned long flags;
22059 +       struct desc_struct d, *gdt;
22060  
22061         local_irq_save(flags);
22062 -       __asm__("lcall *(%%edi); cld"
22063 +
22064 +       gdt = get_cpu_gdt_table(smp_processor_id());
22065 +
22066 +       pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
22067 +       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22068 +       pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
22069 +       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22070 +
22071 +       __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
22072                 : "=a" (return_code),
22073                   "=b" (address),
22074                   "=c" (length),
22075                   "=d" (entry)
22076                 : "0" (service),
22077                   "1" (0),
22078 -                 "D" (&bios32_indirect));
22079 +                 "D" (&bios32_indirect),
22080 +                 "r"(__PCIBIOS_DS)
22081 +               : "memory");
22082 +
22083 +       pax_open_kernel();
22084 +       gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
22085 +       gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
22086 +       gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
22087 +       gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
22088 +       pax_close_kernel();
22089 +
22090         local_irq_restore(flags);
22091  
22092         switch (return_code) {
22093 -               case 0:
22094 -                       return address + entry;
22095 -               case 0x80:      /* Not present */
22096 -                       printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22097 -                       return 0;
22098 -               default: /* Shouldn't happen */
22099 -                       printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22100 -                               service, return_code);
22101 +       case 0: {
22102 +               int cpu;
22103 +               unsigned char flags;
22104 +
22105 +               printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
22106 +               if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
22107 +                       printk(KERN_WARNING "bios32_service: not valid\n");
22108                         return 0;
22109 +               }
22110 +               address = address + PAGE_OFFSET;
22111 +               length += 16UL; /* some BIOSs underreport this... */
22112 +               flags = 4;
22113 +               if (length >= 64*1024*1024) {
22114 +                       length >>= PAGE_SHIFT;
22115 +                       flags |= 8;
22116 +               }
22117 +
22118 +               for (cpu = 0; cpu < NR_CPUS; cpu++) {
22119 +                       gdt = get_cpu_gdt_table(cpu);
22120 +                       pack_descriptor(&d, address, length, 0x9b, flags);
22121 +                       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22122 +                       pack_descriptor(&d, address, length, 0x93, flags);
22123 +                       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22124 +               }
22125 +               return entry;
22126 +       }
22127 +       case 0x80:      /* Not present */
22128 +               printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22129 +               return 0;
22130 +       default: /* Shouldn't happen */
22131 +               printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22132 +                       service, return_code);
22133 +               return 0;
22134         }
22135  }
22136  
22137  static struct {
22138         unsigned long address;
22139         unsigned short segment;
22140 -} pci_indirect = { 0, __KERNEL_CS };
22141 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
22142  
22143 -static int pci_bios_present;
22144 +static int pci_bios_present __read_only;
22145  
22146  static int __devinit check_pcibios(void)
22147  {
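Review bot: The `for (cpu = 0; cpu < NR_CPUS; cpu++)` loop in the new `case 0` block of bios32_service() writes the BIOS32 descriptors into the GDT of every CPU index up to NR_CPUS instead of iterating `for_each_possible_cpu(cpu)`; whether `get_cpu_gdt_table()` is meaningful for CPU numbers outside the possible mask depends on per-cpu setup this hunk does not show, so the kernel-wide idiom is the safer choice. The inner `unsigned char flags;` shadows the outer `unsigned long flags` used by `local_irq_save()`/`local_irq_restore()`; it is harmless because the restore happens before the switch, but renaming it `desc_flags` avoids the -Wshadow warning and the double meaning. The `movw %w7, %%ds` operand reference is positional and has to be recounted every time an operand is added, as this very change shows; a named operand (`[ds] "r"(__PCIBIOS_DS)` referenced as `%w[ds]`) is robust, and the same pattern recurs in the check_pcibios, pci_bios_read, pci_bios_write, pcibios_get_irq_routing_table and pcibios_set_irq_routing hunks below. A short comment above the descriptor loop, e.g. `/* install a code and a data segment that cover only the validated BIOS32 range on every CPU's GDT */`, would explain why the limit check above it matters.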
22148 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
22149         unsigned long flags, pcibios_entry;
22150  
22151         if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
22152 -               pci_indirect.address = pcibios_entry + PAGE_OFFSET;
22153 +               pci_indirect.address = pcibios_entry;
22154  
22155                 local_irq_save(flags);
22156 -               __asm__(
22157 -                       "lcall *(%%edi); cld\n\t"
22158 +               __asm__("movw %w6, %%ds\n\t"
22159 +                       "lcall *%%ss:(%%edi); cld\n\t"
22160 +                       "push %%ss\n\t"
22161 +                       "pop %%ds\n\t"
22162                         "jc 1f\n\t"
22163                         "xor %%ah, %%ah\n"
22164                         "1:"
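Review bot: `pci_indirect.address = pcibios_entry;` writes to an object that the previous hunk marked `__read_only`, without the `pax_open_kernel()`/`pax_close_kernel()` pair the same commit uses for the GDT clears in bios32_service(). This is presumably fine only because check_pcibios() is `__devinit` and runs before read-only data is sealed; if that ordering is what is relied on, a comment such as `/* __read_only data is still writable here: check_pcibios() runs from pci_pcbios_init() before rodata is sealed */` should state it, otherwise the write needs the open/close pair. check_pcibios() continues outside this hunk.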
22165 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
22166                           "=b" (ebx),
22167                           "=c" (ecx)
22168                         : "1" (PCIBIOS_PCI_BIOS_PRESENT),
22169 -                         "D" (&pci_indirect)
22170 +                         "D" (&pci_indirect),
22171 +                         "r" (__PCIBIOS_DS)
22172                         : "memory");
22173                 local_irq_restore(flags);
22174  
22175 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
22176  
22177         switch (len) {
22178         case 1:
22179 -               __asm__("lcall *(%%esi); cld\n\t"
22180 +               __asm__("movw %w6, %%ds\n\t"
22181 +                       "lcall *%%ss:(%%esi); cld\n\t"
22182 +                       "push %%ss\n\t"
22183 +                       "pop %%ds\n\t"
22184                         "jc 1f\n\t"
22185                         "xor %%ah, %%ah\n"
22186                         "1:"
22187 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
22188                         : "1" (PCIBIOS_READ_CONFIG_BYTE),
22189                           "b" (bx),
22190                           "D" ((long)reg),
22191 -                         "S" (&pci_indirect));
22192 +                         "S" (&pci_indirect),
22193 +                         "r" (__PCIBIOS_DS));
22194                 /*
22195                  * Zero-extend the result beyond 8 bits, do not trust the
22196                  * BIOS having done it:
22197 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
22198                 *value &= 0xff;
22199                 break;
22200         case 2:
22201 -               __asm__("lcall *(%%esi); cld\n\t"
22202 +               __asm__("movw %w6, %%ds\n\t"
22203 +                       "lcall *%%ss:(%%esi); cld\n\t"
22204 +                       "push %%ss\n\t"
22205 +                       "pop %%ds\n\t"
22206                         "jc 1f\n\t"
22207                         "xor %%ah, %%ah\n"
22208                         "1:"
22209 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
22210                         : "1" (PCIBIOS_READ_CONFIG_WORD),
22211                           "b" (bx),
22212                           "D" ((long)reg),
22213 -                         "S" (&pci_indirect));
22214 +                         "S" (&pci_indirect),
22215 +                         "r" (__PCIBIOS_DS));
22216                 /*
22217                  * Zero-extend the result beyond 16 bits, do not trust the
22218                  * BIOS having done it:
22219 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
22220                 *value &= 0xffff;
22221                 break;
22222         case 4:
22223 -               __asm__("lcall *(%%esi); cld\n\t"
22224 +               __asm__("movw %w6, %%ds\n\t"
22225 +                       "lcall *%%ss:(%%esi); cld\n\t"
22226 +                       "push %%ss\n\t"
22227 +                       "pop %%ds\n\t"
22228                         "jc 1f\n\t"
22229                         "xor %%ah, %%ah\n"
22230                         "1:"
22231 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
22232                         : "1" (PCIBIOS_READ_CONFIG_DWORD),
22233                           "b" (bx),
22234                           "D" ((long)reg),
22235 -                         "S" (&pci_indirect));
22236 +                         "S" (&pci_indirect),
22237 +                         "r" (__PCIBIOS_DS));
22238                 break;
22239         }
22240  
22241 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
22242  
22243         switch (len) {
22244         case 1:
22245 -               __asm__("lcall *(%%esi); cld\n\t"
22246 +               __asm__("movw %w6, %%ds\n\t"
22247 +                       "lcall *%%ss:(%%esi); cld\n\t"
22248 +                       "push %%ss\n\t"
22249 +                       "pop %%ds\n\t"
22250                         "jc 1f\n\t"
22251                         "xor %%ah, %%ah\n"
22252                         "1:"
22253 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
22254                           "c" (value),
22255                           "b" (bx),
22256                           "D" ((long)reg),
22257 -                         "S" (&pci_indirect));
22258 +                         "S" (&pci_indirect),
22259 +                         "r" (__PCIBIOS_DS));
22260                 break;
22261         case 2:
22262 -               __asm__("lcall *(%%esi); cld\n\t"
22263 +               __asm__("movw %w6, %%ds\n\t"
22264 +                       "lcall *%%ss:(%%esi); cld\n\t"
22265 +                       "push %%ss\n\t"
22266 +                       "pop %%ds\n\t"
22267                         "jc 1f\n\t"
22268                         "xor %%ah, %%ah\n"
22269                         "1:"
22270 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
22271                           "c" (value),
22272                           "b" (bx),
22273                           "D" ((long)reg),
22274 -                         "S" (&pci_indirect));
22275 +                         "S" (&pci_indirect),
22276 +                         "r" (__PCIBIOS_DS));
22277                 break;
22278         case 4:
22279 -               __asm__("lcall *(%%esi); cld\n\t"
22280 +               __asm__("movw %w6, %%ds\n\t"
22281 +                       "lcall *%%ss:(%%esi); cld\n\t"
22282 +                       "push %%ss\n\t"
22283 +                       "pop %%ds\n\t"
22284                         "jc 1f\n\t"
22285                         "xor %%ah, %%ah\n"
22286                         "1:"
22287 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
22288                           "c" (value),
22289                           "b" (bx),
22290                           "D" ((long)reg),
22291 -                         "S" (&pci_indirect));
22292 +                         "S" (&pci_indirect),
22293 +                         "r" (__PCIBIOS_DS));
22294                 break;
22295         }
22296  
22297 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
22298  
22299         DBG("PCI: Fetching IRQ routing table... ");
22300         __asm__("push %%es\n\t"
22301 +               "movw %w8, %%ds\n\t"
22302                 "push %%ds\n\t"
22303                 "pop  %%es\n\t"
22304 -               "lcall *(%%esi); cld\n\t"
22305 +               "lcall *%%ss:(%%esi); cld\n\t"
22306                 "pop %%es\n\t"
22307 +               "push %%ss\n\t"
22308 +               "pop %%ds\n"
22309                 "jc 1f\n\t"
22310                 "xor %%ah, %%ah\n"
22311                 "1:"
22312 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
22313                   "1" (0),
22314                   "D" ((long) &opt),
22315                   "S" (&pci_indirect),
22316 -                 "m" (opt)
22317 +                 "m" (opt),
22318 +                 "r" (__PCIBIOS_DS)
22319                 : "memory");
22320         DBG("OK  ret=%d, size=%d, map=%x\n", ret, opt.size, map);
22321         if (ret & 0xff00)
22322 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
22323  {
22324         int ret;
22325  
22326 -       __asm__("lcall *(%%esi); cld\n\t"
22327 +       __asm__("movw %w5, %%ds\n\t"
22328 +               "lcall *%%ss:(%%esi); cld\n\t"
22329 +               "push %%ss\n\t"
22330 +               "pop %%ds\n"
22331                 "jc 1f\n\t"
22332                 "xor %%ah, %%ah\n"
22333                 "1:"
22334 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
22335                 : "0" (PCIBIOS_SET_PCI_HW_INT),
22336                   "b" ((dev->bus->number << 8) | dev->devfn),
22337                   "c" ((irq << 8) | (pin + 10)),
22338 -                 "S" (&pci_indirect));
22339 +                 "S" (&pci_indirect),
22340 +                 "r" (__PCIBIOS_DS));
22341         return !(ret & 0xff00);
22342  }
22343  EXPORT_SYMBOL(pcibios_set_irq_routing);
22344 diff -urNp linux-3.0.9/arch/x86/platform/efi/efi_32.c linux-3.0.9/arch/x86/platform/efi/efi_32.c
22345 --- linux-3.0.9/arch/x86/platform/efi/efi_32.c  2011-11-11 13:12:24.000000000 -0500
22346 +++ linux-3.0.9/arch/x86/platform/efi/efi_32.c  2011-11-15 20:02:59.000000000 -0500
22347 @@ -38,70 +38,56 @@
22348   */
22349  
22350  static unsigned long efi_rt_eflags;
22351 -static pgd_t efi_bak_pg_dir_pointer[2];
22352 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
22353  
22354 -void efi_call_phys_prelog(void)
22355 +void __init efi_call_phys_prelog(void)
22356  {
22357 -       unsigned long cr4;
22358 -       unsigned long temp;
22359         struct desc_ptr gdt_descr;
22360  
22361 -       local_irq_save(efi_rt_eflags);
22362 +#ifdef CONFIG_PAX_KERNEXEC
22363 +       struct desc_struct d;
22364 +#endif
22365  
22366 -       /*
22367 -        * If I don't have PAE, I should just duplicate two entries in page
22368 -        * directory. If I have PAE, I just need to duplicate one entry in
22369 -        * page directory.
22370 -        */
22371 -       cr4 = read_cr4_safe();
22372 +       local_irq_save(efi_rt_eflags);
22373  
22374 -       if (cr4 & X86_CR4_PAE) {
22375 -               efi_bak_pg_dir_pointer[0].pgd =
22376 -                   swapper_pg_dir[pgd_index(0)].pgd;
22377 -               swapper_pg_dir[0].pgd =
22378 -                   swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22379 -       } else {
22380 -               efi_bak_pg_dir_pointer[0].pgd =
22381 -                   swapper_pg_dir[pgd_index(0)].pgd;
22382 -               efi_bak_pg_dir_pointer[1].pgd =
22383 -                   swapper_pg_dir[pgd_index(0x400000)].pgd;
22384 -               swapper_pg_dir[pgd_index(0)].pgd =
22385 -                   swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22386 -               temp = PAGE_OFFSET + 0x400000;
22387 -               swapper_pg_dir[pgd_index(0x400000)].pgd =
22388 -                   swapper_pg_dir[pgd_index(temp)].pgd;
22389 -       }
22390 +       clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
22391 +       clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22392 +                       min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
22393  
22394         /*
22395          * After the lock is released, the original page table is restored.
22396          */
22397         __flush_tlb_all();
22398  
22399 +#ifdef CONFIG_PAX_KERNEXEC
22400 +       pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
22401 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22402 +       pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
22403 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22404 +#endif
22405 +
22406         gdt_descr.address = __pa(get_cpu_gdt_table(0));
22407         gdt_descr.size = GDT_SIZE - 1;
22408         load_gdt(&gdt_descr);
22409  }
22410  
22411 -void efi_call_phys_epilog(void)
22412 +void __init efi_call_phys_epilog(void)
22413  {
22414 -       unsigned long cr4;
22415         struct desc_ptr gdt_descr;
22416  
22417 +#ifdef CONFIG_PAX_KERNEXEC
22418 +       struct desc_struct d;
22419 +
22420 +       memset(&d, 0, sizeof d);
22421 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22422 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22423 +#endif
22424 +
22425         gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
22426         gdt_descr.size = GDT_SIZE - 1;
22427         load_gdt(&gdt_descr);
22428  
22429 -       cr4 = read_cr4_safe();
22430 -
22431 -       if (cr4 & X86_CR4_PAE) {
22432 -               swapper_pg_dir[pgd_index(0)].pgd =
22433 -                   efi_bak_pg_dir_pointer[0].pgd;
22434 -       } else {
22435 -               swapper_pg_dir[pgd_index(0)].pgd =
22436 -                   efi_bak_pg_dir_pointer[0].pgd;
22437 -               swapper_pg_dir[pgd_index(0x400000)].pgd =
22438 -                   efi_bak_pg_dir_pointer[1].pgd;
22439 -       }
22440 +       clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
22441  
22442         /*
22443          * After the lock is released, the original page table is restored.
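Review bot: The `CONFIG_PAX_KERNEXEC` blocks install flat 4G code and data descriptors into CPU 0's GDT in efi_call_phys_prelog() and zero them again in efi_call_phys_epilog(), but neither side says why or that the two must stay paired. A comment above the first `pack_descriptor()` call along the lines of `/* KERNEXEC: temporary flat CS/DS for the physical-mode EFI call; efi_call_phys_epilog() clears them again */` would make the pairing explicit. The two `clone_pgd_range()` calls also deserve a line, e.g. `/* back up the low pgd entries, then mirror the kernel mapping into them so the stub can run at physical addresses */`, since the old code carried that explanation in its (now removed) PAE comment and the replacement carries none. The pre-existing "After the lock is released" comment is now attached to code that takes no lock; it may be worth rewording while the function is being touched.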
22444 diff -urNp linux-3.0.9/arch/x86/platform/efi/efi_stub_32.S linux-3.0.9/arch/x86/platform/efi/efi_stub_32.S
22445 --- linux-3.0.9/arch/x86/platform/efi/efi_stub_32.S     2011-11-11 13:12:24.000000000 -0500
22446 +++ linux-3.0.9/arch/x86/platform/efi/efi_stub_32.S     2011-11-15 20:02:59.000000000 -0500
22447 @@ -6,7 +6,9 @@
22448   */
22449  
22450  #include <linux/linkage.h>
22451 +#include <linux/init.h>
22452  #include <asm/page_types.h>
22453 +#include <asm/segment.h>
22454  
22455  /*
22456   * efi_call_phys(void *, ...) is a function with variable parameters.
22457 @@ -20,7 +22,7 @@
22458   * service functions will comply with gcc calling convention, too.
22459   */
22460  
22461 -.text
22462 +__INIT
22463  ENTRY(efi_call_phys)
22464         /*
22465          * 0. The function can only be called in Linux kernel. So CS has been
22466 @@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
22467          * The mapping of lower virtual memory has been created in prelog and
22468          * epilog.
22469          */
22470 -       movl    $1f, %edx
22471 -       subl    $__PAGE_OFFSET, %edx
22472 -       jmp     *%edx
22473 +       movl    $(__KERNEXEC_EFI_DS), %edx
22474 +       mov     %edx, %ds
22475 +       mov     %edx, %es
22476 +       mov     %edx, %ss
22477 +       ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
22478  1:
22479  
22480         /*
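Review bot: The segment loads of `__KERNEXEC_EFI_DS` and the `ljmp $(__KERNEXEC_EFI_CS),...` are unconditional, while the efi_32.c hunk above only writes the GDT_ENTRY_KERNEXEC_EFI_CS/DS descriptors under `#ifdef CONFIG_PAX_KERNEXEC`. Unless asm/segment.h aliases these selectors to `__KERNEL_CS`/`__KERNEL_DS` in a non-KERNEXEC build (not visible here), a kernel built without that option would load empty descriptors at this point; either the stub should be wrapped in the same `#ifdef` with the original `movl $1f, %edx; subl $__PAGE_OFFSET, %edx; jmp *%edx` sequence kept in the `#else` branch, or a comment should record the alias that makes it safe. efi_call_phys continues outside this hunk.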
22481 @@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
22482          * parameter 2, ..., param n. To make things easy, we save the return
22483          * address of efi_call_phys in a global variable.
22484          */
22485 -       popl    %edx
22486 -       movl    %edx, saved_return_addr
22487 -       /* get the function pointer into ECX*/
22488 -       popl    %ecx
22489 -       movl    %ecx, efi_rt_function_ptr
22490 -       movl    $2f, %edx
22491 -       subl    $__PAGE_OFFSET, %edx
22492 -       pushl   %edx
22493 +       popl    (saved_return_addr)
22494 +       popl    (efi_rt_function_ptr)
22495  
22496         /*
22497          * 3. Clear PG bit in %CR0.
22498 @@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
22499         /*
22500          * 5. Call the physical function.
22501          */
22502 -       jmp     *%ecx
22503 +       call    *(efi_rt_function_ptr-__PAGE_OFFSET)
22504  
22505 -2:
22506         /*
22507          * 6. After EFI runtime service returns, control will return to
22508          * following instruction. We'd better readjust stack pointer first.
22509 @@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
22510         movl    %cr0, %edx
22511         orl     $0x80000000, %edx
22512         movl    %edx, %cr0
22513 -       jmp     1f
22514 -1:
22515 +
22516         /*
22517          * 8. Now restore the virtual mode from flat mode by
22518          * adding EIP with PAGE_OFFSET.
22519          */
22520 -       movl    $1f, %edx
22521 -       jmp     *%edx
22522 +       ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
22523  1:
22524 +       movl    $(__KERNEL_DS), %edx
22525 +       mov     %edx, %ds
22526 +       mov     %edx, %es
22527 +       mov     %edx, %ss
22528  
22529         /*
22530          * 9. Balance the stack. And because EAX contain the return value,
22531          * we'd better not clobber it.
22532          */
22533 -       leal    efi_rt_function_ptr, %edx
22534 -       movl    (%edx), %ecx
22535 -       pushl   %ecx
22536 +       pushl   (efi_rt_function_ptr)
22537  
22538         /*
22539 -        * 10. Push the saved return address onto the stack and return.
22540 +        * 10. Return to the saved return address.
22541          */
22542 -       leal    saved_return_addr, %edx
22543 -       movl    (%edx), %ecx
22544 -       pushl   %ecx
22545 -       ret
22546 +       jmpl    *(saved_return_addr)
22547  ENDPROC(efi_call_phys)
22548  .previous
22549  
22550 -.data
22551 +__INITDATA
22552  saved_return_addr:
22553         .long 0
22554  efi_rt_function_ptr:
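Review bot: `ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET` only reaches label `1:` if `__KERNEL_CS` has a base of `-__PAGE_OFFSET`, which is the PaX KERNEXEC segment layout; with a flat `__KERNEL_CS` the jump lands `__PAGE_OFFSET` bytes past the label. Together with the unconditional `__KERNEXEC_EFI_*` loads earlier in the file this suggests the whole stub assumes `CONFIG_PAX_KERNEXEC`, so either that assumption belongs in a comment above the jump, e.g. `/* __KERNEL_CS is based at -__PAGE_OFFSET under KERNEXEC, hence the +__PAGE_OFFSET */`, or the KERNEXEC and non-KERNEXEC jump sequences should be separated by `#ifdef`. The `jmpl *(saved_return_addr)` tail-return is fine but differs in shape from the `pushl`/`ret` it replaces; a one-line comment would save the next reader a double take. efi_call_phys starts outside this hunk.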
22555 diff -urNp linux-3.0.9/arch/x86/platform/efi/efi_stub_64.S linux-3.0.9/arch/x86/platform/efi/efi_stub_64.S
22556 --- linux-3.0.9/arch/x86/platform/efi/efi_stub_64.S     2011-11-11 13:12:24.000000000 -0500
22557 +++ linux-3.0.9/arch/x86/platform/efi/efi_stub_64.S     2011-11-15 20:02:59.000000000 -0500
22558 @@ -7,6 +7,7 @@
22559   */
22560  
22561  #include <linux/linkage.h>
22562 +#include <asm/alternative-asm.h>
22563  
22564  #define SAVE_XMM                       \
22565         mov %rsp, %rax;                 \
22566 @@ -40,6 +41,7 @@ ENTRY(efi_call0)
22567         call *%rdi
22568         addq $32, %rsp
22569         RESTORE_XMM
22570 +       pax_force_retaddr
22571         ret
22572  ENDPROC(efi_call0)
22573  
22574 @@ -50,6 +52,7 @@ ENTRY(efi_call1)
22575         call *%rdi
22576         addq $32, %rsp
22577         RESTORE_XMM
22578 +       pax_force_retaddr
22579         ret
22580  ENDPROC(efi_call1)
22581  
22582 @@ -60,6 +63,7 @@ ENTRY(efi_call2)
22583         call *%rdi
22584         addq $32, %rsp
22585         RESTORE_XMM
22586 +       pax_force_retaddr
22587         ret
22588  ENDPROC(efi_call2)
22589  
22590 @@ -71,6 +75,7 @@ ENTRY(efi_call3)
22591         call *%rdi
22592         addq $32, %rsp
22593         RESTORE_XMM
22594 +       pax_force_retaddr
22595         ret
22596  ENDPROC(efi_call3)
22597  
22598 @@ -83,6 +88,7 @@ ENTRY(efi_call4)
22599         call *%rdi
22600         addq $32, %rsp
22601         RESTORE_XMM
22602 +       pax_force_retaddr
22603         ret
22604  ENDPROC(efi_call4)
22605  
22606 @@ -96,6 +102,7 @@ ENTRY(efi_call5)
22607         call *%rdi
22608         addq $48, %rsp
22609         RESTORE_XMM
22610 +       pax_force_retaddr
22611         ret
22612  ENDPROC(efi_call5)
22613  
22614 @@ -112,5 +119,6 @@ ENTRY(efi_call6)
22615         call *%rdi
22616         addq $48, %rsp
22617         RESTORE_XMM
22618 +       pax_force_retaddr
22619         ret
22620  ENDPROC(efi_call6)
22621 diff -urNp linux-3.0.9/arch/x86/platform/mrst/mrst.c linux-3.0.9/arch/x86/platform/mrst/mrst.c
22622 --- linux-3.0.9/arch/x86/platform/mrst/mrst.c   2011-11-11 13:12:24.000000000 -0500
22623 +++ linux-3.0.9/arch/x86/platform/mrst/mrst.c   2011-11-15 20:02:59.000000000 -0500
22624 @@ -239,14 +239,16 @@ static int mrst_i8042_detect(void)
22625  }
22626  
22627  /* Reboot and power off are handled by the SCU on a MID device */
22628 -static void mrst_power_off(void)
22629 +static __noreturn void mrst_power_off(void)
22630  {
22631         intel_scu_ipc_simple_command(0xf1, 1);
22632 +       BUG();
22633  }
22634  
22635 -static void mrst_reboot(void)
22636 +static __noreturn void mrst_reboot(void)
22637  {
22638         intel_scu_ipc_simple_command(0xf1, 0);
22639 +       BUG();
22640  }
22641  
22642  /*
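Review bot: `BUG()` after `intel_scu_ipc_simple_command(0xf1, 1)` turns a power-off or reboot request that the SCU has not yet acted on into a kernel panic with a backtrace; if the SCU command completes asynchronously, a halt loop such as `for (;;) cpu_relax();` (or `hlt`) satisfies `__noreturn` without the spurious oops. The return value of `intel_scu_ipc_simple_command()` is still discarded in both functions, so a failed IPC is indistinguishable from a slow one; at minimum a `pr_emerg()` on a non-zero return before the loop would help post-mortem analysis. The same applies to mrst_reboot() in this hunk.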
22643 diff -urNp linux-3.0.9/arch/x86/platform/uv/tlb_uv.c linux-3.0.9/arch/x86/platform/uv/tlb_uv.c
22644 --- linux-3.0.9/arch/x86/platform/uv/tlb_uv.c   2011-11-11 13:12:24.000000000 -0500
22645 +++ linux-3.0.9/arch/x86/platform/uv/tlb_uv.c   2011-11-15 20:02:59.000000000 -0500
22646 @@ -370,6 +370,8 @@ static void reset_with_ipi(struct bau_ta
22647         cpumask_t mask;
22648         struct reset_args reset_args;
22649  
22650 +       pax_track_stack();
22651 +
22652         reset_args.sender = sender;
22653         cpus_clear(mask);
22654         /* find a single cpu for each uvhub in this distribution mask */
22655 diff -urNp linux-3.0.9/arch/x86/power/cpu.c linux-3.0.9/arch/x86/power/cpu.c
22656 --- linux-3.0.9/arch/x86/power/cpu.c    2011-11-11 13:12:24.000000000 -0500
22657 +++ linux-3.0.9/arch/x86/power/cpu.c    2011-11-15 20:02:59.000000000 -0500
22658 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
22659  static void fix_processor_context(void)
22660  {
22661         int cpu = smp_processor_id();
22662 -       struct tss_struct *t = &per_cpu(init_tss, cpu);
22663 +       struct tss_struct *t = init_tss + cpu;
22664  
22665         set_tss_desc(cpu, t);   /*
22666                                  * This just modifies memory; should not be
22667 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
22668                                  */
22669  
22670  #ifdef CONFIG_X86_64
22671 +       pax_open_kernel();
22672         get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
22673 +       pax_close_kernel();
22674  
22675         syscall_init();                         /* This sets MSR_*STAR and related */
22676  #endif
22677 diff -urNp linux-3.0.9/arch/x86/vdso/Makefile linux-3.0.9/arch/x86/vdso/Makefile
22678 --- linux-3.0.9/arch/x86/vdso/Makefile  2011-11-11 13:12:24.000000000 -0500
22679 +++ linux-3.0.9/arch/x86/vdso/Makefile  2011-11-15 20:02:59.000000000 -0500
22680 @@ -136,7 +136,7 @@ quiet_cmd_vdso = VDSO    $@
22681                        -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
22682                  sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
22683  
22684 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22685 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22686  GCOV_PROFILE := n
22687  
22688  #
22689 diff -urNp linux-3.0.9/arch/x86/vdso/vdso32-setup.c linux-3.0.9/arch/x86/vdso/vdso32-setup.c
22690 --- linux-3.0.9/arch/x86/vdso/vdso32-setup.c    2011-11-11 13:12:24.000000000 -0500
22691 +++ linux-3.0.9/arch/x86/vdso/vdso32-setup.c    2011-11-15 20:02:59.000000000 -0500
22692 @@ -25,6 +25,7 @@
22693  #include <asm/tlbflush.h>
22694  #include <asm/vdso.h>
22695  #include <asm/proto.h>
22696 +#include <asm/mman.h>
22697  
22698  enum {
22699         VDSO_DISABLED = 0,
22700 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
22701  void enable_sep_cpu(void)
22702  {
22703         int cpu = get_cpu();
22704 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
22705 +       struct tss_struct *tss = init_tss + cpu;
22706  
22707         if (!boot_cpu_has(X86_FEATURE_SEP)) {
22708                 put_cpu();
22709 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
22710         gate_vma.vm_start = FIXADDR_USER_START;
22711         gate_vma.vm_end = FIXADDR_USER_END;
22712         gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
22713 -       gate_vma.vm_page_prot = __P101;
22714 +       gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
22715         /*
22716          * Make sure the vDSO gets into every core dump.
22717          * Dumping its contents makes post-mortem fully interpretable later
22718 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
22719         if (compat)
22720                 addr = VDSO_HIGH_BASE;
22721         else {
22722 -               addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
22723 +               addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
22724                 if (IS_ERR_VALUE(addr)) {
22725                         ret = addr;
22726                         goto up_fail;
22727                 }
22728         }
22729  
22730 -       current->mm->context.vdso = (void *)addr;
22731 +       current->mm->context.vdso = addr;
22732  
22733         if (compat_uses_vma || !compat) {
22734                 /*
22735 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
22736         }
22737  
22738         current_thread_info()->sysenter_return =
22739 -               VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22740 +               (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22741  
22742    up_fail:
22743         if (ret)
22744 -               current->mm->context.vdso = NULL;
22745 +               current->mm->context.vdso = 0;
22746  
22747         up_write(&mm->mmap_sem);
22748  
22749 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
22750  
22751  const char *arch_vma_name(struct vm_area_struct *vma)
22752  {
22753 -       if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22754 +       if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22755                 return "[vdso]";
22756 +
22757 +#ifdef CONFIG_PAX_SEGMEXEC
22758 +       if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
22759 +               return "[vdso]";
22760 +#endif
22761 +
22762         return NULL;
22763  }
22764  
22765 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
22766          * Check to see if the corresponding task was created in compat vdso
22767          * mode.
22768          */
22769 -       if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
22770 +       if (mm && mm->context.vdso == VDSO_HIGH_BASE)
22771                 return &gate_vma;
22772         return NULL;
22773  }
22774 diff -urNp linux-3.0.9/arch/x86/vdso/vma.c linux-3.0.9/arch/x86/vdso/vma.c
22775 --- linux-3.0.9/arch/x86/vdso/vma.c     2011-11-11 13:12:24.000000000 -0500
22776 +++ linux-3.0.9/arch/x86/vdso/vma.c     2011-11-15 20:02:59.000000000 -0500
22777 @@ -15,18 +15,19 @@
22778  #include <asm/proto.h>
22779  #include <asm/vdso.h>
22780  
22781 -unsigned int __read_mostly vdso_enabled = 1;
22782 -
22783  extern char vdso_start[], vdso_end[];
22784  extern unsigned short vdso_sync_cpuid;
22785 +extern char __vsyscall_0;
22786  
22787  static struct page **vdso_pages;
22788 +static struct page *vsyscall_page;
22789  static unsigned vdso_size;
22790  
22791  static int __init init_vdso_vars(void)
22792  {
22793 -       int npages = (vdso_end - vdso_start + PAGE_SIZE - 1) / PAGE_SIZE;
22794 -       int i;
22795 +       size_t nbytes = vdso_end - vdso_start;
22796 +       size_t npages = (nbytes + PAGE_SIZE - 1) / PAGE_SIZE;
22797 +       size_t i;
22798  
22799         vdso_size = npages << PAGE_SHIFT;
22800         vdso_pages = kmalloc(sizeof(struct page *) * npages, GFP_KERNEL);
22801 @@ -34,19 +35,19 @@ static int __init init_vdso_vars(void)
22802                 goto oom;
22803         for (i = 0; i < npages; i++) {
22804                 struct page *p;
22805 -               p = alloc_page(GFP_KERNEL);
22806 +               p = alloc_page(GFP_KERNEL | __GFP_ZERO);
22807                 if (!p)
22808                         goto oom;
22809                 vdso_pages[i] = p;
22810 -               copy_page(page_address(p), vdso_start + i*PAGE_SIZE);
22811 +               memcpy(page_address(p), vdso_start + i*PAGE_SIZE, nbytes > PAGE_SIZE ? PAGE_SIZE : nbytes);
22812 +               nbytes -= PAGE_SIZE;
22813         }
22814 +       vsyscall_page = pfn_to_page((__pa_symbol(&__vsyscall_0)) >> PAGE_SHIFT);
22815  
22816         return 0;
22817  
22818   oom:
22819 -       printk("Cannot allocate vdso\n");
22820 -       vdso_enabled = 0;
22821 -       return -ENOMEM;
22822 +       panic("Cannot allocate vdso\n");
22823  }
22824  subsys_initcall(init_vdso_vars);
22825  
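Review bot: `nbytes -= PAGE_SIZE;` wraps around on the final partial page because `nbytes` is `size_t`; the loop is bounded by `npages` so nothing reads the wrapped value, but the intent is clearer and the wrap avoided with `memcpy(page_address(p), vdso_start + i*PAGE_SIZE, min_t(size_t, nbytes, PAGE_SIZE)); nbytes -= min_t(size_t, nbytes, PAGE_SIZE);`. Replacing the `-ENOMEM` return with `panic()` is consistent with the vsyscall page now being mandatory for every process, but that rationale should be stated at the `oom:` label, e.g. `/* the vsyscall page is mapped into every mm below; there is no working system without it */`. Removing `vdso_enabled` also removes the `vdso=` boot parameter in the following hunk; any other reference to the symbol elsewhere in the tree (sysctl tables, other arch files) has to go with it, which this hunk cannot show.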
22826 @@ -80,37 +81,35 @@ int arch_setup_additional_pages(struct l
22827         unsigned long addr;
22828         int ret;
22829  
22830 -       if (!vdso_enabled)
22831 -               return 0;
22832 -
22833         down_write(&mm->mmap_sem);
22834 -       addr = vdso_addr(mm->start_stack, vdso_size);
22835 -       addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
22836 +       addr = vdso_addr(mm->start_stack, vdso_size + PAGE_SIZE);
22837 +       addr = get_unmapped_area(NULL, addr, vdso_size + PAGE_SIZE, 0, 0);
22838         if (IS_ERR_VALUE(addr)) {
22839                 ret = addr;
22840                 goto up_fail;
22841         }
22842  
22843 -       current->mm->context.vdso = (void *)addr;
22844 +       mm->context.vdso = addr + PAGE_SIZE;
22845  
22846 -       ret = install_special_mapping(mm, addr, vdso_size,
22847 +       ret = install_special_mapping(mm, addr, PAGE_SIZE,
22848                                       VM_READ|VM_EXEC|
22849 -                                     VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC|
22850 +                                     VM_MAYREAD|VM_MAYEXEC|
22851                                       VM_ALWAYSDUMP,
22852 -                                     vdso_pages);
22853 +                                     &vsyscall_page);
22854         if (ret) {
22855 -               current->mm->context.vdso = NULL;
22856 +               mm->context.vdso = 0;
22857                 goto up_fail;
22858         }
22859  
22860 +       ret = install_special_mapping(mm, addr + PAGE_SIZE, vdso_size,
22861 +                                     VM_READ|VM_EXEC|
22862 +                                     VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC|
22863 +                                     VM_ALWAYSDUMP,
22864 +                                     vdso_pages);
22865 +       if (ret)
22866 +               mm->context.vdso = 0;
22867 +
22868  up_fail:
22869         up_write(&mm->mmap_sem);
22870         return ret;
22871  }
22872 -
22873 -static __init int vdso_setup(char *s)
22874 -{
22875 -       vdso_enabled = simple_strtoul(s, NULL, 0);
22876 -       return 0;
22877 -}
22878 -__setup("vdso=", vdso_setup);
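Review bot: When the second install_special_mapping() on line 22860 fails, the vsyscall page installed at `addr` by the call on line 22847 stays mapped while mm->context.vdso is reset to 0 on line 22866, so the mm is left holding an orphaned executable page with no vdso pointer; the caller presumably abandons the exec and tears the mm down (not visible here), but either unmapping the first page on that path or a comment stating that the whole mm is discarded on failure would make the asymmetry with the first error path deliberate. The function's opening is above the hunk. Separately, the `vdso=` boot parameter is removed at the end of this hunk; if Documentation/kernel-parameters.txt still lists it for x86-64, that entry is now stale — the hunk of that file later in this patch only adds the pax_* entries.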
22879 diff -urNp linux-3.0.9/arch/x86/xen/enlighten.c linux-3.0.9/arch/x86/xen/enlighten.c
22880 --- linux-3.0.9/arch/x86/xen/enlighten.c        2011-11-11 13:12:24.000000000 -0500
22881 +++ linux-3.0.9/arch/x86/xen/enlighten.c        2011-11-15 20:02:59.000000000 -0500
22882 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
22883  
22884  struct shared_info xen_dummy_shared_info;
22885  
22886 -void *xen_initial_gdt;
22887 -
22888  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
22889  __read_mostly int xen_have_vector_callback;
22890  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
22891 @@ -1010,7 +1008,7 @@ static const struct pv_apic_ops xen_apic
22892  #endif
22893  };
22894  
22895 -static void xen_reboot(int reason)
22896 +static __noreturn void xen_reboot(int reason)
22897  {
22898         struct sched_shutdown r = { .reason = reason };
22899  
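Review bot: Marking xen_reboot() `__noreturn` on line 22896 relies on the `BUG()` visible at the top of the next hunk (@@ -1018) never returning; with CONFIG_BUG disabled, BUG() in this kernel generation may expand to an empty statement, so control would fall off the end of a __noreturn function, which is undefined behaviour and typically continues silently into whatever code follows. xen_restart(), xen_emergency_restart() and xen_machine_halt() in that hunk inherit the same assumption by calling xen_reboot(). A terminator that does not depend on the config, `for (;;) cpu_relax();` after the BUG(), or a comment documenting the CONFIG_BUG dependency, would close the gap.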
22900 @@ -1018,17 +1016,17 @@ static void xen_reboot(int reason)
22901                 BUG();
22902  }
22903  
22904 -static void xen_restart(char *msg)
22905 +static __noreturn void xen_restart(char *msg)
22906  {
22907         xen_reboot(SHUTDOWN_reboot);
22908  }
22909  
22910 -static void xen_emergency_restart(void)
22911 +static __noreturn void xen_emergency_restart(void)
22912  {
22913         xen_reboot(SHUTDOWN_reboot);
22914  }
22915  
22916 -static void xen_machine_halt(void)
22917 +static __noreturn void xen_machine_halt(void)
22918  {
22919         xen_reboot(SHUTDOWN_poweroff);
22920  }
22921 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
22922         __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
22923  
22924         /* Work out if we support NX */
22925 -       x86_configure_nx();
22926 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22927 +       if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
22928 +           (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
22929 +               unsigned l, h;
22930 +
22931 +               __supported_pte_mask |= _PAGE_NX;
22932 +               rdmsr(MSR_EFER, l, h);
22933 +               l |= EFER_NX;
22934 +               wrmsr(MSR_EFER, l, h);
22935 +       }
22936 +#endif
22937  
22938         xen_setup_features();
22939  
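Review bot: The open-coded CPUID/EFER sequence on lines 22927–22934 replaces x86_configure_nx() with no explanation of why the common helper is unsuitable here; presumably boot_cpu_data's feature bits are not populated this early under Xen, so the helper's feature test would not see NX, but that reasoning should be in a comment, e.g. `/* boot_cpu_data is not set up yet under Xen: probe NX via CPUID and enable it in EFER directly */`, or a later cleanup will reinstate the helper. The comment should also note that rdmsr/wrmsr here go through the paravirt MSR ops and that the hypervisor ultimately decides whether the EFER write takes effect, so `__supported_pte_mask |= _PAGE_NX` is set on the strength of the CPUID bit alone. The enclosing xen_start_kernel() continues outside the hunk.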
22940 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
22941  
22942         machine_ops = xen_machine_ops;
22943  
22944 -       /*
22945 -        * The only reliable way to retain the initial address of the
22946 -        * percpu gdt_page is to remember it here, so we can go and
22947 -        * mark it RW later, when the initial percpu area is freed.
22948 -        */
22949 -       xen_initial_gdt = &per_cpu(gdt_page, 0);
22950 -
22951         xen_smp_init();
22952  
22953  #ifdef CONFIG_ACPI_NUMA
22954 diff -urNp linux-3.0.9/arch/x86/xen/mmu.c linux-3.0.9/arch/x86/xen/mmu.c
22955 --- linux-3.0.9/arch/x86/xen/mmu.c      2011-11-11 13:12:24.000000000 -0500
22956 +++ linux-3.0.9/arch/x86/xen/mmu.c      2011-11-15 20:02:59.000000000 -0500
22957 @@ -1683,6 +1683,8 @@ pgd_t * __init xen_setup_kernel_pagetabl
22958         convert_pfn_mfn(init_level4_pgt);
22959         convert_pfn_mfn(level3_ident_pgt);
22960         convert_pfn_mfn(level3_kernel_pgt);
22961 +       convert_pfn_mfn(level3_vmalloc_pgt);
22962 +       convert_pfn_mfn(level3_vmemmap_pgt);
22963  
22964         l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
22965         l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
22966 @@ -1701,7 +1703,10 @@ pgd_t * __init xen_setup_kernel_pagetabl
22967         set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
22968         set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
22969         set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
22970 +       set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
22971 +       set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
22972         set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
22973 +       set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
22974         set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
22975         set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
22976  
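Review bot: level2_vmemmap_pgt is made read-only on line 22973 but, unlike level3_vmalloc_pgt and level3_vmemmap_pgt in the previous hunk, it is not passed through convert_pfn_mfn(); if its statically built entries hold PFNs, as the level3 tables' do, they need converting before the table is pinned, and if the table is intentionally empty at this point a comment such as `/* level2_vmemmap_pgt has no static entries yet; only its protection needs setting */` would spare the next reader the same check. Please confirm which of the two holds.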
22977 @@ -1913,6 +1918,7 @@ static void __init xen_post_allocator_in
22978         pv_mmu_ops.set_pud = xen_set_pud;
22979  #if PAGETABLE_LEVELS == 4
22980         pv_mmu_ops.set_pgd = xen_set_pgd;
22981 +       pv_mmu_ops.set_pgd_batched = xen_set_pgd;
22982  #endif
22983  
22984         /* This will work as long as patching hasn't happened yet
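Review bot: `pv_mmu_ops.set_pgd_batched` on line 22981 is assigned the same handler as set_pgd, and the hunk at @@ -1994 does the same for the xen_set_pgd_hyper default, but nothing ties the two assignments to their set_pgd counterparts, so a later change to one of the set_pgd hooks could leave the batched path diverging silently. A comment at both sites, `/* keep in sync with .set_pgd: Xen has no separate batched PGD path */`, would make that dependency explicit.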
22985 @@ -1994,6 +2000,7 @@ static const struct pv_mmu_ops xen_mmu_o
22986         .pud_val = PV_CALLEE_SAVE(xen_pud_val),
22987         .make_pud = PV_CALLEE_SAVE(xen_make_pud),
22988         .set_pgd = xen_set_pgd_hyper,
22989 +       .set_pgd_batched = xen_set_pgd_hyper,
22990  
22991         .alloc_pud = xen_alloc_pmd_init,
22992         .release_pud = xen_release_pmd_init,
22993 diff -urNp linux-3.0.9/arch/x86/xen/smp.c linux-3.0.9/arch/x86/xen/smp.c
22994 --- linux-3.0.9/arch/x86/xen/smp.c      2011-11-11 13:12:24.000000000 -0500
22995 +++ linux-3.0.9/arch/x86/xen/smp.c      2011-11-15 20:02:59.000000000 -0500
22996 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
22997  {
22998         BUG_ON(smp_processor_id() != 0);
22999         native_smp_prepare_boot_cpu();
23000 -
23001 -       /* We've switched to the "real" per-cpu gdt, so make sure the
23002 -          old memory can be recycled */
23003 -       make_lowmem_page_readwrite(xen_initial_gdt);
23004 -
23005         xen_filter_cpu_maps();
23006         xen_setup_vcpu_info_placement();
23007  }
23008 @@ -275,12 +270,12 @@ cpu_initialize_context(unsigned int cpu,
23009         gdt = get_cpu_gdt_table(cpu);
23010  
23011         ctxt->flags = VGCF_IN_KERNEL;
23012 -       ctxt->user_regs.ds = __USER_DS;
23013 -       ctxt->user_regs.es = __USER_DS;
23014 +       ctxt->user_regs.ds = __KERNEL_DS;
23015 +       ctxt->user_regs.es = __KERNEL_DS;
23016         ctxt->user_regs.ss = __KERNEL_DS;
23017  #ifdef CONFIG_X86_32
23018         ctxt->user_regs.fs = __KERNEL_PERCPU;
23019 -       ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
23020 +       savesegment(gs, ctxt->user_regs.gs);
23021  #else
23022         ctxt->gs_base_kernel = per_cpu_offset(cpu);
23023  #endif
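Review bot: Lines 23014–23015 now seed the new vCPU's ds/es with __KERNEL_DS instead of __USER_DS, and on 32-bit line 23020 copies the calling CPU's live %gs via savesegment() in place of the constant __KERNEL_STACK_CANARY, with no comment explaining either change. If the intent is that a secondary CPU starts with the same segment layout the boot CPU runs with under this patch's segment rework, say so, e.g. `/* start the new vcpu with the kernel's own data segments; %gs mirrors what the boot CPU currently runs with */`. The copied %gs is only meaningful if the boot CPU has already loaded its final kernel %gs by the time cpu_initialize_context() runs, which is worth stating in the same comment. The function begins above the hunk.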
23024 @@ -331,13 +326,12 @@ static int __cpuinit xen_cpu_up(unsigned
23025         int rc;
23026  
23027         per_cpu(current_task, cpu) = idle;
23028 +       per_cpu(current_tinfo, cpu) = &idle->tinfo;
23029  #ifdef CONFIG_X86_32
23030         irq_ctx_init(cpu);
23031  #else
23032         clear_tsk_thread_flag(idle, TIF_FORK);
23033 -       per_cpu(kernel_stack, cpu) =
23034 -               (unsigned long)task_stack_page(idle) -
23035 -               KERNEL_STACK_OFFSET + THREAD_SIZE;
23036 +       per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
23037  #endif
23038         xen_setup_runstate_info(cpu);
23039         xen_setup_timer(cpu);
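Review bot: The literal `16` on line 23036 replaces the symbolic KERNEL_STACK_OFFSET, so the gap the entry code expects between the top of the idle task's stack page and kernel_stack is now a magic number with nothing linking it to the layout the entry path assumes. Keep it symbolic: `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - KERNEL_STACK_OFFSET + THREAD_SIZE;` with the constant defined alongside the entry code's layout, or, if KERNEL_STACK_OFFSET no longer exists in this tree, a locally named constant with a comment saying what the 16 bytes are reserved for. The new `per_cpu(current_tinfo, cpu)` line above it would likewise benefit from a comment noting that it must be kept in step with current_task. xen_cpu_up() begins above the hunk.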
23040 diff -urNp linux-3.0.9/arch/x86/xen/xen-asm_32.S linux-3.0.9/arch/x86/xen/xen-asm_32.S
23041 --- linux-3.0.9/arch/x86/xen/xen-asm_32.S       2011-11-11 13:12:24.000000000 -0500
23042 +++ linux-3.0.9/arch/x86/xen/xen-asm_32.S       2011-11-15 20:02:59.000000000 -0500
23043 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
23044         ESP_OFFSET=4    # bytes pushed onto stack
23045  
23046         /*
23047 -        * Store vcpu_info pointer for easy access.  Do it this way to
23048 -        * avoid having to reload %fs
23049 +        * Store vcpu_info pointer for easy access.
23050          */
23051  #ifdef CONFIG_SMP
23052 -       GET_THREAD_INFO(%eax)
23053 -       movl TI_cpu(%eax), %eax
23054 -       movl __per_cpu_offset(,%eax,4), %eax
23055 -       mov xen_vcpu(%eax), %eax
23056 +       push %fs
23057 +       mov $(__KERNEL_PERCPU), %eax
23058 +       mov %eax, %fs
23059 +       mov PER_CPU_VAR(xen_vcpu), %eax
23060 +       pop %fs
23061  #else
23062         movl xen_vcpu, %eax
23063  #endif
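Review bot: The old comment's rationale for the thread_info-based lookup, avoiding a reload of %fs, is deleted on lines 23047–23048, yet the replacement on lines 23056–23060 does exactly that reload (push/mov/pop of %fs) without saying why it is now the better trade-off; a comment such as `# thread_info is no longer reachable from the stack here, so borrow %fs to read the per-cpu xen_vcpu` (adjusted to the real reason) would document it. Note also that the push/pop of %fs changes the stack depth for the duration of the read; nothing in the visible lines uses the ESP_OFFSET bookkeeping from line 23044 inside that window, but anything added between the push and the pop must respect it.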
23064 diff -urNp linux-3.0.9/arch/x86/xen/xen-head.S linux-3.0.9/arch/x86/xen/xen-head.S
23065 --- linux-3.0.9/arch/x86/xen/xen-head.S 2011-11-11 13:12:24.000000000 -0500
23066 +++ linux-3.0.9/arch/x86/xen/xen-head.S 2011-11-15 20:02:59.000000000 -0500
23067 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
23068  #ifdef CONFIG_X86_32
23069         mov %esi,xen_start_info
23070         mov $init_thread_union+THREAD_SIZE,%esp
23071 +#ifdef CONFIG_SMP
23072 +       movl $cpu_gdt_table,%edi
23073 +       movl $__per_cpu_load,%eax
23074 +       movw %ax,__KERNEL_PERCPU + 2(%edi)
23075 +       rorl $16,%eax
23076 +       movb %al,__KERNEL_PERCPU + 4(%edi)
23077 +       movb %ah,__KERNEL_PERCPU + 7(%edi)
23078 +       movl $__per_cpu_end - 1,%eax
23079 +       subl $__per_cpu_start,%eax
23080 +       movw %ax,__KERNEL_PERCPU + 0(%edi)
23081 +#endif
23082  #else
23083         mov %rsi,xen_start_info
23084         mov $init_thread_union+THREAD_SIZE,%rsp
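Review bot: The descriptor patch on lines 23072–23080 writes the per-cpu base (descriptor bytes 2–4 and 7) and only the low 16 bits of the limit (bytes 0–1) of the __KERNEL_PERCPU entry; limit bits 16–19 and the granularity/size flags in byte 6 are inherited from the static cpu_gdt_table entry, which the code depends on without saying so. The sequence also appears to mirror the one the native 32-bit entry path uses to set up the same descriptor; a shared macro, or at least a comment `# base := __per_cpu_load, limit[15:0] := per-cpu size; byte 6 (limit hi, G, D) comes from the static entry`, would keep the two copies from drifting apart.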
23085 diff -urNp linux-3.0.9/arch/x86/xen/xen-ops.h linux-3.0.9/arch/x86/xen/xen-ops.h
23086 --- linux-3.0.9/arch/x86/xen/xen-ops.h  2011-11-11 13:12:24.000000000 -0500
23087 +++ linux-3.0.9/arch/x86/xen/xen-ops.h  2011-11-15 20:02:59.000000000 -0500
23088 @@ -10,8 +10,6 @@
23089  extern const char xen_hypervisor_callback[];
23090  extern const char xen_failsafe_callback[];
23091  
23092 -extern void *xen_initial_gdt;
23093 -
23094  struct trap_info;
23095  void xen_copy_trap_info(struct trap_info *traps);
23096  
23097 diff -urNp linux-3.0.9/block/blk-iopoll.c linux-3.0.9/block/blk-iopoll.c
23098 --- linux-3.0.9/block/blk-iopoll.c      2011-11-11 13:12:24.000000000 -0500
23099 +++ linux-3.0.9/block/blk-iopoll.c      2011-11-15 20:02:59.000000000 -0500
23100 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
23101  }
23102  EXPORT_SYMBOL(blk_iopoll_complete);
23103  
23104 -static void blk_iopoll_softirq(struct softirq_action *h)
23105 +static void blk_iopoll_softirq(void)
23106  {
23107         struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
23108         int rearm = 0, budget = blk_iopoll_budget;
23109 diff -urNp linux-3.0.9/block/blk-map.c linux-3.0.9/block/blk-map.c
23110 --- linux-3.0.9/block/blk-map.c 2011-11-11 13:12:24.000000000 -0500
23111 +++ linux-3.0.9/block/blk-map.c 2011-11-15 20:02:59.000000000 -0500
23112 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
23113         if (!len || !kbuf)
23114                 return -EINVAL;
23115  
23116 -       do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
23117 +       do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
23118         if (do_copy)
23119                 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
23120         else
23121 diff -urNp linux-3.0.9/block/blk-softirq.c linux-3.0.9/block/blk-softirq.c
23122 --- linux-3.0.9/block/blk-softirq.c     2011-11-11 13:12:24.000000000 -0500
23123 +++ linux-3.0.9/block/blk-softirq.c     2011-11-15 20:02:59.000000000 -0500
23124 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head, 
23125   * Softirq action handler - move entries to local list and loop over them
23126   * while passing them to the queue registered handler.
23127   */
23128 -static void blk_done_softirq(struct softirq_action *h)
23129 +static void blk_done_softirq(void)
23130  {
23131         struct list_head *cpu_list, local_list;
23132  
23133 diff -urNp linux-3.0.9/block/bsg.c linux-3.0.9/block/bsg.c
23134 --- linux-3.0.9/block/bsg.c     2011-11-11 13:12:24.000000000 -0500
23135 +++ linux-3.0.9/block/bsg.c     2011-11-15 20:02:59.000000000 -0500
23136 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
23137                                 struct sg_io_v4 *hdr, struct bsg_device *bd,
23138                                 fmode_t has_write_perm)
23139  {
23140 +       unsigned char tmpcmd[sizeof(rq->__cmd)];
23141 +       unsigned char *cmdptr;
23142 +
23143         if (hdr->request_len > BLK_MAX_CDB) {
23144                 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
23145                 if (!rq->cmd)
23146                         return -ENOMEM;
23147 -       }
23148 +               cmdptr = rq->cmd;
23149 +       } else
23150 +               cmdptr = tmpcmd;
23151  
23152 -       if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
23153 +       if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
23154                            hdr->request_len))
23155                 return -EFAULT;
23156  
23157 +       if (cmdptr != rq->cmd)
23158 +               memcpy(rq->cmd, cmdptr, hdr->request_len);
23159 +
23160         if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
23161                 if (blk_verify_command(rq->cmd, has_write_perm))
23162                         return -EPERM;
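Review bot: The stack bounce buffer introduced on lines 23140–23150 is only in bounds because the `if (hdr->request_len > BLK_MAX_CDB)` branch above it takes the heap path, so the `else` branch copies at most BLK_MAX_CDB bytes into `tmpcmd[sizeof(rq->__cmd)]`; that bound is implicit, and the reason for bouncing at all, keeping the user copy out of the embedded rq->__cmd inside a slab object, is not stated. A comment on the else branch, e.g. `/* request_len <= BLK_MAX_CDB == sizeof(rq->__cmd): bounce through a plain local so the usercopy never targets struct request itself */`, would pin both facts, and a `BUILD_BUG_ON(sizeof(rq->__cmd) != BLK_MAX_CDB);` would keep the bound honest if the two are ever decoupled.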
23163 @@ -249,7 +257,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
23164         struct request *rq, *next_rq = NULL;
23165         int ret, rw;
23166         unsigned int dxfer_len;
23167 -       void *dxferp = NULL;
23168 +       void __user *dxferp = NULL;
23169         struct bsg_class_device *bcd = &q->bsg_dev;
23170  
23171         /* if the LLD has been removed then the bsg_unregister_queue will
23172 @@ -291,7 +299,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
23173                 rq->next_rq = next_rq;
23174                 next_rq->cmd_type = rq->cmd_type;
23175  
23176 -               dxferp = (void*)(unsigned long)hdr->din_xferp;
23177 +               dxferp = (void __user *)(unsigned long)hdr->din_xferp;
23178                 ret =  blk_rq_map_user(q, next_rq, NULL, dxferp,
23179                                        hdr->din_xfer_len, GFP_KERNEL);
23180                 if (ret)
23181 @@ -300,10 +308,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
23182  
23183         if (hdr->dout_xfer_len) {
23184                 dxfer_len = hdr->dout_xfer_len;
23185 -               dxferp = (void*)(unsigned long)hdr->dout_xferp;
23186 +               dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
23187         } else if (hdr->din_xfer_len) {
23188                 dxfer_len = hdr->din_xfer_len;
23189 -               dxferp = (void*)(unsigned long)hdr->din_xferp;
23190 +               dxferp = (void __user *)(unsigned long)hdr->din_xferp;
23191         } else
23192                 dxfer_len = 0;
23193  
23194 @@ -445,7 +453,7 @@ static int blk_complete_sgv4_hdr_rq(stru
23195                 int len = min_t(unsigned int, hdr->max_response_len,
23196                                         rq->sense_len);
23197  
23198 -               ret = copy_to_user((void*)(unsigned long)hdr->response,
23199 +               ret = copy_to_user((void __user *)(unsigned long)hdr->response,
23200                                    rq->sense, len);
23201                 if (!ret)
23202                         hdr->response_len = len;
23203 diff -urNp linux-3.0.9/block/compat_ioctl.c linux-3.0.9/block/compat_ioctl.c
23204 --- linux-3.0.9/block/compat_ioctl.c    2011-11-11 13:12:24.000000000 -0500
23205 +++ linux-3.0.9/block/compat_ioctl.c    2011-11-15 20:02:59.000000000 -0500
23206 @@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
23207                 err |= __get_user(f->spec1, &uf->spec1);
23208                 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
23209                 err |= __get_user(name, &uf->name);
23210 -               f->name = compat_ptr(name);
23211 +               f->name = (void __force_kernel *)compat_ptr(name);
23212                 if (err) {
23213                         err = -EFAULT;
23214                         goto out;
23215 diff -urNp linux-3.0.9/block/scsi_ioctl.c linux-3.0.9/block/scsi_ioctl.c
23216 --- linux-3.0.9/block/scsi_ioctl.c      2011-11-11 13:12:24.000000000 -0500
23217 +++ linux-3.0.9/block/scsi_ioctl.c      2011-11-15 20:02:59.000000000 -0500
23218 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
23219  static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
23220                              struct sg_io_hdr *hdr, fmode_t mode)
23221  {
23222 -       if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
23223 +       unsigned char tmpcmd[sizeof(rq->__cmd)];
23224 +       unsigned char *cmdptr;
23225 +
23226 +       if (rq->cmd != rq->__cmd)
23227 +               cmdptr = rq->cmd;
23228 +       else
23229 +               cmdptr = tmpcmd;
23230 +
23231 +       if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
23232                 return -EFAULT;
23233 +
23234 +       if (cmdptr != rq->cmd)
23235 +               memcpy(rq->cmd, cmdptr, hdr->cmd_len);
23236 +
23237         if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
23238                 return -EPERM;
23239  
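Review bot: blk_fill_sghdr_rq() now copies `hdr->cmd_len` user bytes into `tmpcmd[sizeof(rq->__cmd)]` on lines 23223–23231 whenever rq->cmd still points at the embedded buffer, so the function is memory-safe only if every caller has already rejected cmd_len larger than that buffer; that check is not in this function and not visible in the hunk. Either a local guard before the copy, `if (hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`, or a comment naming the caller that enforces the bound, would stop a future caller from turning this into a stack overflow. The same pattern in sg_scsi_ioctl() at @@ -465 is bounded by `cmdlen`, presumably derived from the opcode table above the hunk, which is also worth stating in a comment there.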
23240 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
23241         int err;
23242         unsigned int in_len, out_len, bytes, opcode, cmdlen;
23243         char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
23244 +       unsigned char tmpcmd[sizeof(rq->__cmd)];
23245 +       unsigned char *cmdptr;
23246  
23247         if (!sic)
23248                 return -EINVAL;
23249 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
23250          */
23251         err = -EFAULT;
23252         rq->cmd_len = cmdlen;
23253 -       if (copy_from_user(rq->cmd, sic->data, cmdlen))
23254 +
23255 +       if (rq->cmd != rq->__cmd)
23256 +               cmdptr = rq->cmd;
23257 +       else
23258 +               cmdptr = tmpcmd;
23259 +
23260 +       if (copy_from_user(cmdptr, sic->data, cmdlen))
23261                 goto error;
23262  
23263 +       if (rq->cmd != cmdptr)
23264 +               memcpy(rq->cmd, cmdptr, cmdlen);
23265 +
23266         if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
23267                 goto error;
23268  
23269 diff -urNp linux-3.0.9/crypto/cryptd.c linux-3.0.9/crypto/cryptd.c
23270 --- linux-3.0.9/crypto/cryptd.c 2011-11-11 13:12:24.000000000 -0500
23271 +++ linux-3.0.9/crypto/cryptd.c 2011-11-15 20:02:59.000000000 -0500
23272 @@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
23273  
23274  struct cryptd_blkcipher_request_ctx {
23275         crypto_completion_t complete;
23276 -};
23277 +} __no_const;
23278  
23279  struct cryptd_hash_ctx {
23280         struct crypto_shash *child;
23281 @@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
23282  
23283  struct cryptd_aead_request_ctx {
23284         crypto_completion_t complete;
23285 -};
23286 +} __no_const;
23287  
23288  static void cryptd_queue_worker(struct work_struct *work);
23289  
23290 diff -urNp linux-3.0.9/crypto/gf128mul.c linux-3.0.9/crypto/gf128mul.c
23291 --- linux-3.0.9/crypto/gf128mul.c       2011-11-11 13:12:24.000000000 -0500
23292 +++ linux-3.0.9/crypto/gf128mul.c       2011-11-15 20:02:59.000000000 -0500
23293 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128 
23294         for (i = 0; i < 7; ++i)
23295                 gf128mul_x_lle(&p[i + 1], &p[i]);
23296  
23297 -       memset(r, 0, sizeof(r));
23298 +       memset(r, 0, sizeof(*r));
23299         for (i = 0;;) {
23300                 u8 ch = ((u8 *)b)[15 - i];
23301  
23302 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128 
23303         for (i = 0; i < 7; ++i)
23304                 gf128mul_x_bbe(&p[i + 1], &p[i]);
23305  
23306 -       memset(r, 0, sizeof(r));
23307 +       memset(r, 0, sizeof(*r));
23308         for (i = 0;;) {
23309                 u8 ch = ((u8 *)b)[i];
23310  
23311 diff -urNp linux-3.0.9/crypto/serpent.c linux-3.0.9/crypto/serpent.c
23312 --- linux-3.0.9/crypto/serpent.c        2011-11-11 13:12:24.000000000 -0500
23313 +++ linux-3.0.9/crypto/serpent.c        2011-11-15 20:02:59.000000000 -0500
23314 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
23315         u32 r0,r1,r2,r3,r4;
23316         int i;
23317  
23318 +       pax_track_stack();
23319 +
23320         /* Copy key, add padding */
23321  
23322         for (i = 0; i < keylen; ++i)
23323 diff -urNp linux-3.0.9/Documentation/dontdiff linux-3.0.9/Documentation/dontdiff
23324 --- linux-3.0.9/Documentation/dontdiff  2011-11-11 13:12:24.000000000 -0500
23325 +++ linux-3.0.9/Documentation/dontdiff  2011-11-15 20:02:59.000000000 -0500
23326 @@ -5,6 +5,7 @@
23327  *.cis
23328  *.cpio
23329  *.csp
23330 +*.dbg
23331  *.dsp
23332  *.dvi
23333  *.elf
23334 @@ -48,9 +49,11 @@
23335  *.tab.h
23336  *.tex
23337  *.ver
23338 +*.vim
23339  *.xml
23340  *.xz
23341  *_MODULES
23342 +*_reg_safe.h
23343  *_vga16.c
23344  *~
23345  \#*#
23346 @@ -70,6 +73,7 @@ Kerntypes
23347  Module.markers
23348  Module.symvers
23349  PENDING
23350 +PERF*
23351  SCCS
23352  System.map*
23353  TAGS
23354 @@ -98,14 +102,18 @@ bzImage*
23355  capability_names.h
23356  capflags.c
23357  classlist.h*
23358 +clut_vga16.c
23359 +common-cmds.h
23360  comp*.log
23361  compile.h*
23362  conf
23363  config
23364  config-*
23365  config_data.h*
23366 +config.c
23367  config.mak
23368  config.mak.autogen
23369 +config.tmp
23370  conmakehash
23371  consolemap_deftbl.c*
23372  cpustr.h
23373 @@ -126,12 +134,14 @@ fore200e_pca_fw.c*
23374  gconf
23375  gconf.glade.h
23376  gen-devlist
23377 +gen-kdb_cmds.c
23378  gen_crc32table
23379  gen_init_cpio
23380  generated
23381  genheaders
23382  genksyms
23383  *_gray256.c
23384 +hash
23385  hpet_example
23386  hugepage-mmap
23387  hugepage-shm
23388 @@ -146,7 +156,7 @@ int32.c
23389  int4.c
23390  int8.c
23391  kallsyms
23392 -kconfig
23393 +kern_constants.h
23394  keywords.c
23395  ksym.c*
23396  ksym.h*
23397 @@ -154,7 +164,6 @@ kxgettext
23398  lkc_defs.h
23399  lex.c
23400  lex.*.c
23401 -linux
23402  logo_*.c
23403  logo_*_clut224.c
23404  logo_*_mono.c
23405 @@ -166,7 +175,6 @@ machtypes.h
23406  map
23407  map_hugetlb
23408  maui_boot.h
23409 -media
23410  mconf
23411  miboot*
23412  mk_elfconfig
23413 @@ -174,6 +182,7 @@ mkboot
23414  mkbugboot
23415  mkcpustr
23416  mkdep
23417 +mkpiggy
23418  mkprep
23419  mkregtable
23420  mktables
23421 @@ -209,6 +218,7 @@ r300_reg_safe.h
23422  r420_reg_safe.h
23423  r600_reg_safe.h
23424  recordmcount
23425 +regdb.c
23426  relocs
23427  rlim_names.h
23428  rn50_reg_safe.h
23429 @@ -219,6 +229,7 @@ setup
23430  setup.bin
23431  setup.elf
23432  sImage
23433 +slabinfo
23434  sm_tbl*
23435  split-include
23436  syscalltab.h
23437 @@ -229,6 +240,7 @@ tftpboot.img
23438  timeconst.h
23439  times.h*
23440  trix_boot.h
23441 +user_constants.h
23442  utsrelease.h*
23443  vdso-syms.lds
23444  vdso.lds
23445 @@ -246,7 +258,9 @@ vmlinux
23446  vmlinux-*
23447  vmlinux.aout
23448  vmlinux.bin.all
23449 +vmlinux.bin.bz2
23450  vmlinux.lds
23451 +vmlinux.relocs
23452  vmlinuz
23453  voffset.h
23454  vsyscall.lds
23455 @@ -254,6 +268,7 @@ vsyscall_32.lds
23456  wanxlfw.inc
23457  uImage
23458  unifdef
23459 +utsrelease.h
23460  wakeup.bin
23461  wakeup.elf
23462  wakeup.lds
23463 diff -urNp linux-3.0.9/Documentation/kernel-parameters.txt linux-3.0.9/Documentation/kernel-parameters.txt
23464 --- linux-3.0.9/Documentation/kernel-parameters.txt     2011-11-11 13:12:24.000000000 -0500
23465 +++ linux-3.0.9/Documentation/kernel-parameters.txt     2011-11-15 20:02:59.000000000 -0500
23466 @@ -1883,6 +1883,13 @@ bytes respectively. Such letter suffixes
23467                         the specified number of seconds.  This is to be used if
23468                         your oopses keep scrolling off the screen.
23469  
23470 +       pax_nouderef    [X86] disables UDEREF.  Most likely needed under certain
23471 +                       virtualization environments that don't cope well with the
23472 +                       expand down segment used by UDEREF on X86-32 or the frequent
23473 +                       page table updates on X86-64.
23474 +
23475 +       pax_softmode=   0/1 to disable/enable PaX softmode on boot already.
23476 +
23477         pcbit=          [HW,ISDN]
23478  
23479         pcd.            [PARIDE]
23480 diff -urNp linux-3.0.9/drivers/acpi/apei/cper.c linux-3.0.9/drivers/acpi/apei/cper.c
23481 --- linux-3.0.9/drivers/acpi/apei/cper.c        2011-11-11 13:12:24.000000000 -0500
23482 +++ linux-3.0.9/drivers/acpi/apei/cper.c        2011-11-15 20:02:59.000000000 -0500
23483 @@ -38,12 +38,12 @@
23484   */
23485  u64 cper_next_record_id(void)
23486  {
23487 -       static atomic64_t seq;
23488 +       static atomic64_unchecked_t seq;
23489  
23490 -       if (!atomic64_read(&seq))
23491 -               atomic64_set(&seq, ((u64)get_seconds()) << 32);
23492 +       if (!atomic64_read_unchecked(&seq))
23493 +               atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
23494  
23495 -       return atomic64_inc_return(&seq);
23496 +       return atomic64_inc_return_unchecked(&seq);
23497  }
23498  EXPORT_SYMBOL_GPL(cper_next_record_id);
23499  
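Review bot: Switching `seq` to the `_unchecked` atomic64 variants on lines 23488–23496 opts this counter out of the overflow detection the checked variants carry elsewhere in this patch, and the reason, that it is a record id allowed to wrap rather than a reference count, is not recorded anywhere. A one-line comment, `/* record id, not a refcount: wrapping is acceptable, so use the unchecked atomics */`, keeps the next reader from "fixing" it back.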
23500 diff -urNp linux-3.0.9/drivers/acpi/ec_sys.c linux-3.0.9/drivers/acpi/ec_sys.c
23501 --- linux-3.0.9/drivers/acpi/ec_sys.c   2011-11-11 13:12:24.000000000 -0500
23502 +++ linux-3.0.9/drivers/acpi/ec_sys.c   2011-11-15 20:02:59.000000000 -0500
23503 @@ -11,6 +11,7 @@
23504  #include <linux/kernel.h>
23505  #include <linux/acpi.h>
23506  #include <linux/debugfs.h>
23507 +#include <asm/uaccess.h>
23508  #include "internal.h"
23509  
23510  MODULE_AUTHOR("Thomas Renninger <trenn@suse.de>");
23511 @@ -39,7 +40,7 @@ static ssize_t acpi_ec_read_io(struct fi
23512          * struct acpi_ec *ec = ((struct seq_file *)f->private_data)->private;
23513          */
23514         unsigned int size = EC_SPACE_SIZE;
23515 -       u8 *data = (u8 *) buf;
23516 +       u8 data;
23517         loff_t init_off = *off;
23518         int err = 0;
23519  
23520 @@ -52,9 +53,11 @@ static ssize_t acpi_ec_read_io(struct fi
23521                 size = count;
23522  
23523         while (size) {
23524 -               err = ec_read(*off, &data[*off - init_off]);
23525 +               err = ec_read(*off, &data);
23526                 if (err)
23527                         return err;
23528 +               if (put_user(data, &buf[*off - init_off]))
23529 +                       return -EFAULT;
23530                 *off += 1;
23531                 size--;
23532         }
23533 @@ -70,7 +73,6 @@ static ssize_t acpi_ec_write_io(struct f
23534  
23535         unsigned int size = count;
23536         loff_t init_off = *off;
23537 -       u8 *data = (u8 *) buf;
23538         int err = 0;
23539  
23540         if (*off >= EC_SPACE_SIZE)
23541 @@ -81,7 +83,9 @@ static ssize_t acpi_ec_write_io(struct f
23542         }
23543  
23544         while (size) {
23545 -               u8 byte_write = data[*off - init_off];
23546 +               u8 byte_write;
23547 +               if (get_user(byte_write, &buf[*off - init_off]))
23548 +                       return -EFAULT;
23549                 err = ec_write(*off, byte_write);
23550                 if (err)
23551                         return err;
23552 diff -urNp linux-3.0.9/drivers/acpi/proc.c linux-3.0.9/drivers/acpi/proc.c
23553 --- linux-3.0.9/drivers/acpi/proc.c     2011-11-11 13:12:24.000000000 -0500
23554 +++ linux-3.0.9/drivers/acpi/proc.c     2011-11-15 20:02:59.000000000 -0500
23555 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
23556                                 size_t count, loff_t * ppos)
23557  {
23558         struct list_head *node, *next;
23559 -       char strbuf[5];
23560 -       char str[5] = "";
23561 -       unsigned int len = count;
23562 -
23563 -       if (len > 4)
23564 -               len = 4;
23565 -       if (len < 0)
23566 -               return -EFAULT;
23567 +       char strbuf[5] = {0};
23568  
23569 -       if (copy_from_user(strbuf, buffer, len))
23570 +       if (count > 4)
23571 +               count = 4;
23572 +       if (copy_from_user(strbuf, buffer, count))
23573                 return -EFAULT;
23574 -       strbuf[len] = '\0';
23575 -       sscanf(strbuf, "%s", str);
23576 +       strbuf[count] = '\0';
23577  
23578         mutex_lock(&acpi_device_lock);
23579         list_for_each_safe(node, next, &acpi_wakeup_device_list) {
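Review bot: Dropping the sscanf() on line 23575 changes what is matched: the old code compared the first whitespace-delimited token, while the new code compares the raw first four bytes, so a bus_id shorter than four characters written with a trailing newline (`echo LID > ...`) now fails the strncmp at line 23585 because strbuf holds "LID\n", and leading whitespace is no longer skipped. If that narrowing is not intended, strip the newline after the copy: `if (count && strbuf[count - 1] == '\n') strbuf[count - 1] = '\0';`. The rest of the rewrite is sound: count is a size_t so the removed `len < 0` test was dead, and the explicit truncation to 4 plus the terminator keeps the copy within the 5-byte buffer. The function's signature begins above the hunk.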
23580 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
23581                 if (!dev->wakeup.flags.valid)
23582                         continue;
23583  
23584 -               if (!strncmp(dev->pnp.bus_id, str, 4)) {
23585 +               if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
23586                         if (device_can_wakeup(&dev->dev)) {
23587                                 bool enable = !device_may_wakeup(&dev->dev);
23588                                 device_set_wakeup_enable(&dev->dev, enable);
23589 diff -urNp linux-3.0.9/drivers/acpi/processor_driver.c linux-3.0.9/drivers/acpi/processor_driver.c
23590 --- linux-3.0.9/drivers/acpi/processor_driver.c 2011-11-11 13:12:24.000000000 -0500
23591 +++ linux-3.0.9/drivers/acpi/processor_driver.c 2011-11-15 20:02:59.000000000 -0500
23592 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
23593                 return 0;
23594  #endif
23595  
23596 -       BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
23597 +       BUG_ON(pr->id >= nr_cpu_ids);
23598  
23599         /*
23600          * Buggy BIOS check
23601 diff -urNp linux-3.0.9/drivers/ata/libata-core.c linux-3.0.9/drivers/ata/libata-core.c
23602 --- linux-3.0.9/drivers/ata/libata-core.c       2011-11-11 13:12:24.000000000 -0500
23603 +++ linux-3.0.9/drivers/ata/libata-core.c       2011-11-15 20:02:59.000000000 -0500
23604 @@ -4753,7 +4753,7 @@ void ata_qc_free(struct ata_queued_cmd *
23605         struct ata_port *ap;
23606         unsigned int tag;
23607  
23608 -       WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23609 +       BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23610         ap = qc->ap;
23611  
23612         qc->flags = 0;
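Review bot: Turning the `qc == NULL` check on line 23609 into BUG_ON() changes a warning followed by an inevitable NULL dereference into a deliberate, deterministic failure, but the retained comment ("_might_ return NULL") now reads as if NULL were still tolerated. Update it to match, e.g. `/* ata_qc_from_tag _might_ return NULL; the deref below would oops anyway, so fail loudly here */`, and the same applies to the identical change in __ata_qc_complete() at @@ -4769.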
23613 @@ -4769,7 +4769,7 @@ void __ata_qc_complete(struct ata_queued
23614         struct ata_port *ap;
23615         struct ata_link *link;
23616  
23617 -       WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23618 +       BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23619         WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
23620         ap = qc->ap;
23621         link = qc->dev->link;
23622 @@ -5774,6 +5774,7 @@ static void ata_finalize_port_ops(struct
23623                 return;
23624  
23625         spin_lock(&lock);
23626 +       pax_open_kernel();
23627  
23628         for (cur = ops->inherits; cur; cur = cur->inherits) {
23629                 void **inherit = (void **)cur;
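Review bot: The pax_open_kernel()/pax_close_kernel() window opened on line 23626 and closed at @@ -5787 line 23637 encloses the inherit loop, so any early exit added between them would leave the kernel's write protection open; the visible lines contain none, but file lines 5780–5786 fall between the two hunks and are not shown. A comment at the open, `/* ops lives in read-only data: keep this window free of early returns */`, plus a note that the cast on line 23635 writes through a const object and must stay inside the window, would make the invariant explicit. ata_finalize_port_ops() begins above the hunk.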
23630 @@ -5787,8 +5788,9 @@ static void ata_finalize_port_ops(struct
23631                 if (IS_ERR(*pp))
23632                         *pp = NULL;
23633  
23634 -       ops->inherits = NULL;
23635 +       *(struct ata_port_operations **)&ops->inherits = NULL;
23636  
23637 +       pax_close_kernel();
23638         spin_unlock(&lock);
23639  }
23640  
23641 diff -urNp linux-3.0.9/drivers/ata/libata-eh.c linux-3.0.9/drivers/ata/libata-eh.c
23642 --- linux-3.0.9/drivers/ata/libata-eh.c 2011-11-11 13:12:24.000000000 -0500
23643 +++ linux-3.0.9/drivers/ata/libata-eh.c 2011-11-15 20:02:59.000000000 -0500
23644 @@ -2518,6 +2518,8 @@ void ata_eh_report(struct ata_port *ap)
23645  {
23646         struct ata_link *link;
23647  
23648 +       pax_track_stack();
23649 +
23650         ata_for_each_link(link, ap, HOST_FIRST)
23651                 ata_eh_link_report(link);
23652  }
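Review bot: `pax_track_stack();` is placed in ata_eh_report, whose own frame holds a single pointer, so the stack usage it accounts for must come from the ata_eh_link_report call in the loop, presumably inlined with large on-stack buffers (not visible here). Without a comment naming that callee, a later cleanup could move or drop the call as dead weight; if the inlining is confirmed, `/* ata_eh_link_report is inlined here with large on-stack buffers; track the combined frame */` says why it sits in this function.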
23653 diff -urNp linux-3.0.9/drivers/ata/pata_arasan_cf.c linux-3.0.9/drivers/ata/pata_arasan_cf.c
23654 --- linux-3.0.9/drivers/ata/pata_arasan_cf.c    2011-11-11 13:12:24.000000000 -0500
23655 +++ linux-3.0.9/drivers/ata/pata_arasan_cf.c    2011-11-15 20:02:59.000000000 -0500
23656 @@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
23657         /* Handle platform specific quirks */
23658         if (pdata->quirk) {
23659                 if (pdata->quirk & CF_BROKEN_PIO) {
23660 -                       ap->ops->set_piomode = NULL;
23661 +                       pax_open_kernel();
23662 +                       *(void **)&ap->ops->set_piomode = NULL;
23663 +                       pax_close_kernel();
23664                         ap->pio_mask = 0;
23665                 }
23666                 if (pdata->quirk & CF_BROKEN_MWDMA)
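Review bot: The NULL write goes through `*(void **)&ap->ops->set_piomode`, and since ap->ops points at the driver's shared operations table, this quirk changes behaviour for every port using that table, not only the device being probed; the original line had the same effect, but the explicit write-protection bypass now makes the shared write look deliberate and it should be documented: `/* ap->ops is the shared (presumably read-only) ops table: clearing set_piomode here affects every port that uses it */`. If the CF_BROKEN_MWDMA branch below writes into ap->ops the same way, it needs the same open/close pair; its body is outside the hunk, as is the start of arasan_cf_probe.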
23667 diff -urNp linux-3.0.9/drivers/atm/adummy.c linux-3.0.9/drivers/atm/adummy.c
23668 --- linux-3.0.9/drivers/atm/adummy.c    2011-11-11 13:12:24.000000000 -0500
23669 +++ linux-3.0.9/drivers/atm/adummy.c    2011-11-15 20:02:59.000000000 -0500
23670 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct 
23671                 vcc->pop(vcc, skb);
23672         else
23673                 dev_kfree_skb_any(skb);
23674 -       atomic_inc(&vcc->stats->tx);
23675 +       atomic_inc_unchecked(&vcc->stats->tx);
23676  
23677         return 0;
23678  }
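Review bot: `atomic_inc_unchecked(&vcc->stats->tx);` only type-checks if the counters behind vcc->stats (the tx/rx/tx_err/rx_err/rx_drop fields in the ATM core) are retyped to the unchecked atomic in the same patch, and that change is not in this view; the same conversion is applied in the ambassador, atmtcp, eni, firestream, fore200e, he, horizon, idt77252, iphase and lanai hunks below. Exempting these counters from overflow checking is reasonable, since rx, rx_err and rx_drop are advanced by peer-driven traffic and a wrapping statistic must not be treated as a reference-count overflow, but that reasoning belongs in one comment at the field definitions rather than being inferred at every call site. The idt77252 send_oam hunk correctly leaves `atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc)` checked, as that is resource accounting rather than a statistic.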
23679 diff -urNp linux-3.0.9/drivers/atm/ambassador.c linux-3.0.9/drivers/atm/ambassador.c
23680 --- linux-3.0.9/drivers/atm/ambassador.c        2011-11-11 13:12:24.000000000 -0500
23681 +++ linux-3.0.9/drivers/atm/ambassador.c        2011-11-15 20:02:59.000000000 -0500
23682 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, 
23683    PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
23684    
23685    // VC layer stats
23686 -  atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23687 +  atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23688    
23689    // free the descriptor
23690    kfree (tx_descr);
23691 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, 
23692           dump_skb ("<<<", vc, skb);
23693           
23694           // VC layer stats
23695 -         atomic_inc(&atm_vcc->stats->rx);
23696 +         atomic_inc_unchecked(&atm_vcc->stats->rx);
23697           __net_timestamp(skb);
23698           // end of our responsibility
23699           atm_vcc->push (atm_vcc, skb);
23700 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, 
23701        } else {
23702         PRINTK (KERN_INFO, "dropped over-size frame");
23703         // should we count this?
23704 -       atomic_inc(&atm_vcc->stats->rx_drop);
23705 +       atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23706        }
23707        
23708      } else {
23709 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
23710    }
23711    
23712    if (check_area (skb->data, skb->len)) {
23713 -    atomic_inc(&atm_vcc->stats->tx_err);
23714 +    atomic_inc_unchecked(&atm_vcc->stats->tx_err);
23715      return -ENOMEM; // ?
23716    }
23717    
23718 diff -urNp linux-3.0.9/drivers/atm/atmtcp.c linux-3.0.9/drivers/atm/atmtcp.c
23719 --- linux-3.0.9/drivers/atm/atmtcp.c    2011-11-11 13:12:24.000000000 -0500
23720 +++ linux-3.0.9/drivers/atm/atmtcp.c    2011-11-15 20:02:59.000000000 -0500
23721 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc 
23722                 if (vcc->pop) vcc->pop(vcc,skb);
23723                 else dev_kfree_skb(skb);
23724                 if (dev_data) return 0;
23725 -               atomic_inc(&vcc->stats->tx_err);
23726 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23727                 return -ENOLINK;
23728         }
23729         size = skb->len+sizeof(struct atmtcp_hdr);
23730 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc 
23731         if (!new_skb) {
23732                 if (vcc->pop) vcc->pop(vcc,skb);
23733                 else dev_kfree_skb(skb);
23734 -               atomic_inc(&vcc->stats->tx_err);
23735 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23736                 return -ENOBUFS;
23737         }
23738         hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
23739 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc 
23740         if (vcc->pop) vcc->pop(vcc,skb);
23741         else dev_kfree_skb(skb);
23742         out_vcc->push(out_vcc,new_skb);
23743 -       atomic_inc(&vcc->stats->tx);
23744 -       atomic_inc(&out_vcc->stats->rx);
23745 +       atomic_inc_unchecked(&vcc->stats->tx);
23746 +       atomic_inc_unchecked(&out_vcc->stats->rx);
23747         return 0;
23748  }
23749  
23750 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc 
23751         out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
23752         read_unlock(&vcc_sklist_lock);
23753         if (!out_vcc) {
23754 -               atomic_inc(&vcc->stats->tx_err);
23755 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23756                 goto done;
23757         }
23758         skb_pull(skb,sizeof(struct atmtcp_hdr));
23759 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc 
23760         __net_timestamp(new_skb);
23761         skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
23762         out_vcc->push(out_vcc,new_skb);
23763 -       atomic_inc(&vcc->stats->tx);
23764 -       atomic_inc(&out_vcc->stats->rx);
23765 +       atomic_inc_unchecked(&vcc->stats->tx);
23766 +       atomic_inc_unchecked(&out_vcc->stats->rx);
23767  done:
23768         if (vcc->pop) vcc->pop(vcc,skb);
23769         else dev_kfree_skb(skb);
23770 diff -urNp linux-3.0.9/drivers/atm/eni.c linux-3.0.9/drivers/atm/eni.c
23771 --- linux-3.0.9/drivers/atm/eni.c       2011-11-11 13:12:24.000000000 -0500
23772 +++ linux-3.0.9/drivers/atm/eni.c       2011-11-15 20:02:59.000000000 -0500
23773 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
23774                 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
23775                     vcc->dev->number);
23776                 length = 0;
23777 -               atomic_inc(&vcc->stats->rx_err);
23778 +               atomic_inc_unchecked(&vcc->stats->rx_err);
23779         }
23780         else {
23781                 length = ATM_CELL_SIZE-1; /* no HEC */
23782 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23783                             size);
23784                 }
23785                 eff = length = 0;
23786 -               atomic_inc(&vcc->stats->rx_err);
23787 +               atomic_inc_unchecked(&vcc->stats->rx_err);
23788         }
23789         else {
23790                 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
23791 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23792                             "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
23793                             vcc->dev->number,vcc->vci,length,size << 2,descr);
23794                         length = eff = 0;
23795 -                       atomic_inc(&vcc->stats->rx_err);
23796 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
23797                 }
23798         }
23799         skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
23800 @@ -771,7 +771,7 @@ rx_dequeued++;
23801                         vcc->push(vcc,skb);
23802                         pushed++;
23803                 }
23804 -               atomic_inc(&vcc->stats->rx);
23805 +               atomic_inc_unchecked(&vcc->stats->rx);
23806         }
23807         wake_up(&eni_dev->rx_wait);
23808  }
23809 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
23810                     PCI_DMA_TODEVICE);
23811                 if (vcc->pop) vcc->pop(vcc,skb);
23812                 else dev_kfree_skb_irq(skb);
23813 -               atomic_inc(&vcc->stats->tx);
23814 +               atomic_inc_unchecked(&vcc->stats->tx);
23815                 wake_up(&eni_dev->tx_wait);
23816  dma_complete++;
23817         }
23818 @@ -1568,7 +1568,7 @@ tx_complete++;
23819  /*--------------------------------- entries ---------------------------------*/
23820  
23821  
23822 -static const char *media_name[] __devinitdata = {
23823 +static const char *media_name[] __devinitconst = {
23824      "MMF", "SMF", "MMF", "03?", /*  0- 3 */
23825      "UTP", "05?", "06?", "07?", /*  4- 7 */
23826      "TAXI","09?", "10?", "11?", /*  8-11 */
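Review bot: `static const char *media_name[] __devinitconst` places an array whose elements are non-const pointers (`const char *`, not `const char *const`) into a read-only init section, so the attribute and the object's type disagree, and gcc reports a section type conflict if another genuinely const `__devinitconst` object ends up in the same translation unit. Declaring it `static const char *const media_name[] __devinitconst = {` makes the object itself const and matches the section. Whether another such object exists in eni.c is not visible here.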
23827 diff -urNp linux-3.0.9/drivers/atm/firestream.c linux-3.0.9/drivers/atm/firestream.c
23828 --- linux-3.0.9/drivers/atm/firestream.c        2011-11-11 13:12:24.000000000 -0500
23829 +++ linux-3.0.9/drivers/atm/firestream.c        2011-11-15 20:02:59.000000000 -0500
23830 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
23831                                 }
23832                         }
23833  
23834 -                       atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23835 +                       atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23836  
23837                         fs_dprintk (FS_DEBUG_TXMEM, "i");
23838                         fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
23839 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
23840  #endif
23841                                 skb_put (skb, qe->p1 & 0xffff); 
23842                                 ATM_SKB(skb)->vcc = atm_vcc;
23843 -                               atomic_inc(&atm_vcc->stats->rx);
23844 +                               atomic_inc_unchecked(&atm_vcc->stats->rx);
23845                                 __net_timestamp(skb);
23846                                 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23847                                 atm_vcc->push (atm_vcc, skb);
23848 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
23849                                 kfree (pe);
23850                         }
23851                         if (atm_vcc)
23852 -                               atomic_inc(&atm_vcc->stats->rx_drop);
23853 +                               atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23854                         break;
23855                 case 0x1f: /*  Reassembly abort: no buffers. */
23856                         /* Silently increment error counter. */
23857                         if (atm_vcc)
23858 -                               atomic_inc(&atm_vcc->stats->rx_drop);
23859 +                               atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23860                         break;
23861                 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23862                         printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n", 
23863 diff -urNp linux-3.0.9/drivers/atm/fore200e.c linux-3.0.9/drivers/atm/fore200e.c
23864 --- linux-3.0.9/drivers/atm/fore200e.c  2011-11-11 13:12:24.000000000 -0500
23865 +++ linux-3.0.9/drivers/atm/fore200e.c  2011-11-15 20:02:59.000000000 -0500
23866 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23867  #endif
23868                 /* check error condition */
23869                 if (*entry->status & STATUS_ERROR)
23870 -                   atomic_inc(&vcc->stats->tx_err);
23871 +                   atomic_inc_unchecked(&vcc->stats->tx_err);
23872                 else
23873 -                   atomic_inc(&vcc->stats->tx);
23874 +                   atomic_inc_unchecked(&vcc->stats->tx);
23875             }
23876         }
23877  
23878 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23879      if (skb == NULL) {
23880         DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23881  
23882 -       atomic_inc(&vcc->stats->rx_drop);
23883 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
23884         return -ENOMEM;
23885      } 
23886  
23887 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23888  
23889         dev_kfree_skb_any(skb);
23890  
23891 -       atomic_inc(&vcc->stats->rx_drop);
23892 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
23893         return -ENOMEM;
23894      }
23895  
23896      ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23897  
23898      vcc->push(vcc, skb);
23899 -    atomic_inc(&vcc->stats->rx);
23900 +    atomic_inc_unchecked(&vcc->stats->rx);
23901  
23902      ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23903  
23904 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23905                 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23906                         fore200e->atm_dev->number,
23907                         entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23908 -               atomic_inc(&vcc->stats->rx_err);
23909 +               atomic_inc_unchecked(&vcc->stats->rx_err);
23910             }
23911         }
23912  
23913 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23914                 goto retry_here;
23915             }
23916  
23917 -           atomic_inc(&vcc->stats->tx_err);
23918 +           atomic_inc_unchecked(&vcc->stats->tx_err);
23919  
23920             fore200e->tx_sat++;
23921             DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23922 diff -urNp linux-3.0.9/drivers/atm/he.c linux-3.0.9/drivers/atm/he.c
23923 --- linux-3.0.9/drivers/atm/he.c        2011-11-11 13:12:24.000000000 -0500
23924 +++ linux-3.0.9/drivers/atm/he.c        2011-11-15 20:02:59.000000000 -0500
23925 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23926  
23927                 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23928                         hprintk("HBUF_ERR!  (cid 0x%x)\n", cid);
23929 -                               atomic_inc(&vcc->stats->rx_drop);
23930 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
23931                         goto return_host_buffers;
23932                 }
23933  
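Review bot: The new `atomic_inc_unchecked(&vcc->stats->rx_drop);` line keeps the stray extra indentation of the line it replaces, so it sits one level deeper than the `hprintk` and `goto` that share its branch. Since the line is being rewritten anyway, aligning it with its neighbours costs nothing and stops the branch from reading as if an inner block were missing. he_service_rbrq starts before the hunk.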
23934 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23935                                 RBRQ_LEN_ERR(he_dev->rbrq_head)
23936                                                         ? "LEN_ERR" : "",
23937                                                         vcc->vpi, vcc->vci);
23938 -                       atomic_inc(&vcc->stats->rx_err);
23939 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
23940                         goto return_host_buffers;
23941                 }
23942  
23943 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23944                 vcc->push(vcc, skb);
23945                 spin_lock(&he_dev->global_lock);
23946  
23947 -               atomic_inc(&vcc->stats->rx);
23948 +               atomic_inc_unchecked(&vcc->stats->rx);
23949  
23950  return_host_buffers:
23951                 ++pdus_assembled;
23952 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23953                                         tpd->vcc->pop(tpd->vcc, tpd->skb);
23954                                 else
23955                                         dev_kfree_skb_any(tpd->skb);
23956 -                               atomic_inc(&tpd->vcc->stats->tx_err);
23957 +                               atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23958                         }
23959                         pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23960                         return;
23961 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23962                         vcc->pop(vcc, skb);
23963                 else
23964                         dev_kfree_skb_any(skb);
23965 -               atomic_inc(&vcc->stats->tx_err);
23966 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23967                 return -EINVAL;
23968         }
23969  
23970 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23971                         vcc->pop(vcc, skb);
23972                 else
23973                         dev_kfree_skb_any(skb);
23974 -               atomic_inc(&vcc->stats->tx_err);
23975 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23976                 return -EINVAL;
23977         }
23978  #endif
23979 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23980                         vcc->pop(vcc, skb);
23981                 else
23982                         dev_kfree_skb_any(skb);
23983 -               atomic_inc(&vcc->stats->tx_err);
23984 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23985                 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23986                 return -ENOMEM;
23987         }
23988 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23989                                         vcc->pop(vcc, skb);
23990                                 else
23991                                         dev_kfree_skb_any(skb);
23992 -                               atomic_inc(&vcc->stats->tx_err);
23993 +                               atomic_inc_unchecked(&vcc->stats->tx_err);
23994                                 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23995                                 return -ENOMEM;
23996                         }
23997 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23998         __enqueue_tpd(he_dev, tpd, cid);
23999         spin_unlock_irqrestore(&he_dev->global_lock, flags);
24000  
24001 -       atomic_inc(&vcc->stats->tx);
24002 +       atomic_inc_unchecked(&vcc->stats->tx);
24003  
24004         return 0;
24005  }
24006 diff -urNp linux-3.0.9/drivers/atm/horizon.c linux-3.0.9/drivers/atm/horizon.c
24007 --- linux-3.0.9/drivers/atm/horizon.c   2011-11-11 13:12:24.000000000 -0500
24008 +++ linux-3.0.9/drivers/atm/horizon.c   2011-11-15 20:02:59.000000000 -0500
24009 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev, 
24010         {
24011           struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
24012           // VC layer stats
24013 -         atomic_inc(&vcc->stats->rx);
24014 +         atomic_inc_unchecked(&vcc->stats->rx);
24015           __net_timestamp(skb);
24016           // end of our responsibility
24017           vcc->push (vcc, skb);
24018 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
24019         dev->tx_iovec = NULL;
24020         
24021         // VC layer stats
24022 -       atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
24023 +       atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
24024         
24025         // free the skb
24026         hrz_kfree_skb (skb);
24027 diff -urNp linux-3.0.9/drivers/atm/idt77252.c linux-3.0.9/drivers/atm/idt77252.c
24028 --- linux-3.0.9/drivers/atm/idt77252.c  2011-11-11 13:12:24.000000000 -0500
24029 +++ linux-3.0.9/drivers/atm/idt77252.c  2011-11-15 20:02:59.000000000 -0500
24030 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
24031                 else
24032                         dev_kfree_skb(skb);
24033  
24034 -               atomic_inc(&vcc->stats->tx);
24035 +               atomic_inc_unchecked(&vcc->stats->tx);
24036         }
24037  
24038         atomic_dec(&scq->used);
24039 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
24040                         if ((sb = dev_alloc_skb(64)) == NULL) {
24041                                 printk("%s: Can't allocate buffers for aal0.\n",
24042                                        card->name);
24043 -                               atomic_add(i, &vcc->stats->rx_drop);
24044 +                               atomic_add_unchecked(i, &vcc->stats->rx_drop);
24045                                 break;
24046                         }
24047                         if (!atm_charge(vcc, sb->truesize)) {
24048                                 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
24049                                          card->name);
24050 -                               atomic_add(i - 1, &vcc->stats->rx_drop);
24051 +                               atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
24052                                 dev_kfree_skb(sb);
24053                                 break;
24054                         }
24055 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
24056                         ATM_SKB(sb)->vcc = vcc;
24057                         __net_timestamp(sb);
24058                         vcc->push(vcc, sb);
24059 -                       atomic_inc(&vcc->stats->rx);
24060 +                       atomic_inc_unchecked(&vcc->stats->rx);
24061  
24062                         cell += ATM_CELL_PAYLOAD;
24063                 }
24064 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
24065                                  "(CDC: %08x)\n",
24066                                  card->name, len, rpp->len, readl(SAR_REG_CDC));
24067                         recycle_rx_pool_skb(card, rpp);
24068 -                       atomic_inc(&vcc->stats->rx_err);
24069 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24070                         return;
24071                 }
24072                 if (stat & SAR_RSQE_CRC) {
24073                         RXPRINTK("%s: AAL5 CRC error.\n", card->name);
24074                         recycle_rx_pool_skb(card, rpp);
24075 -                       atomic_inc(&vcc->stats->rx_err);
24076 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24077                         return;
24078                 }
24079                 if (skb_queue_len(&rpp->queue) > 1) {
24080 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
24081                                 RXPRINTK("%s: Can't alloc RX skb.\n",
24082                                          card->name);
24083                                 recycle_rx_pool_skb(card, rpp);
24084 -                               atomic_inc(&vcc->stats->rx_err);
24085 +                               atomic_inc_unchecked(&vcc->stats->rx_err);
24086                                 return;
24087                         }
24088                         if (!atm_charge(vcc, skb->truesize)) {
24089 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
24090                         __net_timestamp(skb);
24091  
24092                         vcc->push(vcc, skb);
24093 -                       atomic_inc(&vcc->stats->rx);
24094 +                       atomic_inc_unchecked(&vcc->stats->rx);
24095  
24096                         return;
24097                 }
24098 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
24099                 __net_timestamp(skb);
24100  
24101                 vcc->push(vcc, skb);
24102 -               atomic_inc(&vcc->stats->rx);
24103 +               atomic_inc_unchecked(&vcc->stats->rx);
24104  
24105                 if (skb->truesize > SAR_FB_SIZE_3)
24106                         add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
24107 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
24108                 if (vcc->qos.aal != ATM_AAL0) {
24109                         RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
24110                                 card->name, vpi, vci);
24111 -                       atomic_inc(&vcc->stats->rx_drop);
24112 +                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24113                         goto drop;
24114                 }
24115         
24116                 if ((sb = dev_alloc_skb(64)) == NULL) {
24117                         printk("%s: Can't allocate buffers for AAL0.\n",
24118                                card->name);
24119 -                       atomic_inc(&vcc->stats->rx_err);
24120 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24121                         goto drop;
24122                 }
24123  
24124 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
24125                 ATM_SKB(sb)->vcc = vcc;
24126                 __net_timestamp(sb);
24127                 vcc->push(vcc, sb);
24128 -               atomic_inc(&vcc->stats->rx);
24129 +               atomic_inc_unchecked(&vcc->stats->rx);
24130  
24131  drop:
24132                 skb_pull(queue, 64);
24133 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24134  
24135         if (vc == NULL) {
24136                 printk("%s: NULL connection in send().\n", card->name);
24137 -               atomic_inc(&vcc->stats->tx_err);
24138 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24139                 dev_kfree_skb(skb);
24140                 return -EINVAL;
24141         }
24142         if (!test_bit(VCF_TX, &vc->flags)) {
24143                 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
24144 -               atomic_inc(&vcc->stats->tx_err);
24145 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24146                 dev_kfree_skb(skb);
24147                 return -EINVAL;
24148         }
24149 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24150                 break;
24151         default:
24152                 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
24153 -               atomic_inc(&vcc->stats->tx_err);
24154 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24155                 dev_kfree_skb(skb);
24156                 return -EINVAL;
24157         }
24158  
24159         if (skb_shinfo(skb)->nr_frags != 0) {
24160                 printk("%s: No scatter-gather yet.\n", card->name);
24161 -               atomic_inc(&vcc->stats->tx_err);
24162 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24163                 dev_kfree_skb(skb);
24164                 return -EINVAL;
24165         }
24166 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24167  
24168         err = queue_skb(card, vc, skb, oam);
24169         if (err) {
24170 -               atomic_inc(&vcc->stats->tx_err);
24171 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24172                 dev_kfree_skb(skb);
24173                 return err;
24174         }
24175 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
24176         skb = dev_alloc_skb(64);
24177         if (!skb) {
24178                 printk("%s: Out of memory in send_oam().\n", card->name);
24179 -               atomic_inc(&vcc->stats->tx_err);
24180 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24181                 return -ENOMEM;
24182         }
24183         atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
24184 diff -urNp linux-3.0.9/drivers/atm/iphase.c linux-3.0.9/drivers/atm/iphase.c
24185 --- linux-3.0.9/drivers/atm/iphase.c    2011-11-11 13:12:24.000000000 -0500
24186 +++ linux-3.0.9/drivers/atm/iphase.c    2011-11-15 20:02:59.000000000 -0500
24187 @@ -1120,7 +1120,7 @@ static int rx_pkt(struct atm_dev *dev)  
24188         status = (u_short) (buf_desc_ptr->desc_mode);  
24189         if (status & (RX_CER | RX_PTE | RX_OFL))  
24190         {  
24191 -                atomic_inc(&vcc->stats->rx_err);
24192 +                atomic_inc_unchecked(&vcc->stats->rx_err);
24193                 IF_ERR(printk("IA: bad packet, dropping it");)  
24194                  if (status & RX_CER) { 
24195                      IF_ERR(printk(" cause: packet CRC error\n");)
24196 @@ -1143,7 +1143,7 @@ static int rx_pkt(struct atm_dev *dev)  
24197         len = dma_addr - buf_addr;  
24198          if (len > iadev->rx_buf_sz) {
24199             printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
24200 -           atomic_inc(&vcc->stats->rx_err);
24201 +           atomic_inc_unchecked(&vcc->stats->rx_err);
24202            goto out_free_desc;
24203          }
24204                   
24205 @@ -1293,7 +1293,7 @@ static void rx_dle_intr(struct atm_dev *
24206            ia_vcc = INPH_IA_VCC(vcc);
24207            if (ia_vcc == NULL)
24208            {
24209 -             atomic_inc(&vcc->stats->rx_err);
24210 +             atomic_inc_unchecked(&vcc->stats->rx_err);
24211               dev_kfree_skb_any(skb);
24212               atm_return(vcc, atm_guess_pdu2truesize(len));
24213               goto INCR_DLE;
24214 @@ -1305,7 +1305,7 @@ static void rx_dle_intr(struct atm_dev *
24215            if ((length > iadev->rx_buf_sz) || (length > 
24216                                (skb->len - sizeof(struct cpcs_trailer))))
24217            {
24218 -             atomic_inc(&vcc->stats->rx_err);
24219 +             atomic_inc_unchecked(&vcc->stats->rx_err);
24220               IF_ERR(printk("rx_dle_intr: Bad  AAL5 trailer %d (skb len %d)", 
24221                                                              length, skb->len);)
24222               dev_kfree_skb_any(skb);
24223 @@ -1321,7 +1321,7 @@ static void rx_dle_intr(struct atm_dev *
24224  
24225           IF_RX(printk("rx_dle_intr: skb push");)  
24226           vcc->push(vcc,skb);  
24227 -         atomic_inc(&vcc->stats->rx);
24228 +         atomic_inc_unchecked(&vcc->stats->rx);
24229            iadev->rx_pkt_cnt++;
24230        }  
24231  INCR_DLE:
24232 @@ -2801,15 +2801,15 @@ static int ia_ioctl(struct atm_dev *dev,
24233           {
24234               struct k_sonet_stats *stats;
24235               stats = &PRIV(_ia_dev[board])->sonet_stats;
24236 -             printk("section_bip: %d\n", atomic_read(&stats->section_bip));
24237 -             printk("line_bip   : %d\n", atomic_read(&stats->line_bip));
24238 -             printk("path_bip   : %d\n", atomic_read(&stats->path_bip));
24239 -             printk("line_febe  : %d\n", atomic_read(&stats->line_febe));
24240 -             printk("path_febe  : %d\n", atomic_read(&stats->path_febe));
24241 -             printk("corr_hcs   : %d\n", atomic_read(&stats->corr_hcs));
24242 -             printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
24243 -             printk("tx_cells   : %d\n", atomic_read(&stats->tx_cells));
24244 -             printk("rx_cells   : %d\n", atomic_read(&stats->rx_cells));
24245 +             printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
24246 +             printk("line_bip   : %d\n", atomic_read_unchecked(&stats->line_bip));
24247 +             printk("path_bip   : %d\n", atomic_read_unchecked(&stats->path_bip));
24248 +             printk("line_febe  : %d\n", atomic_read_unchecked(&stats->line_febe));
24249 +             printk("path_febe  : %d\n", atomic_read_unchecked(&stats->path_febe));
24250 +             printk("corr_hcs   : %d\n", atomic_read_unchecked(&stats->corr_hcs));
24251 +             printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
24252 +             printk("tx_cells   : %d\n", atomic_read_unchecked(&stats->tx_cells));
24253 +             printk("rx_cells   : %d\n", atomic_read_unchecked(&stats->rx_cells));
24254           }
24255              ia_cmds.status = 0;
24256              break;
24257 @@ -2914,7 +2914,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
24258         if ((desc == 0) || (desc > iadev->num_tx_desc))  
24259         {  
24260                 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);) 
24261 -                atomic_inc(&vcc->stats->tx);
24262 +                atomic_inc_unchecked(&vcc->stats->tx);
24263                 if (vcc->pop)   
24264                     vcc->pop(vcc, skb);   
24265                 else  
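Review bot: In the invalid-descriptor error path the rewritten line still bumps `vcc->stats->tx`, the success counter, while every other rejected send visible in this patch set bumps `tx_err`; the mismatch is pre-existing, but the line is being touched and `atomic_inc_unchecked(&vcc->stats->tx_err);` is presumably what was intended. If the tx count feeds anything else in this driver, that would need checking first; ia_pkt_tx starts before the hunk and its body continues after it.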
24266 @@ -3019,14 +3019,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
24267          ATM_DESC(skb) = vcc->vci;
24268          skb_queue_tail(&iadev->tx_dma_q, skb);
24269  
24270 -        atomic_inc(&vcc->stats->tx);
24271 +        atomic_inc_unchecked(&vcc->stats->tx);
24272          iadev->tx_pkt_cnt++;
24273         /* Increment transaction counter */  
24274         writel(2, iadev->dma+IPHASE5575_TX_COUNTER);  
24275          
24276  #if 0        
24277          /* add flow control logic */ 
24278 -        if (atomic_read(&vcc->stats->tx) % 20 == 0) {
24279 +        if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
24280            if (iavcc->vc_desc_cnt > 10) {
24281               vcc->tx_quota =  vcc->tx_quota * 3 / 4;
24282              printk("Tx1:  vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
24283 diff -urNp linux-3.0.9/drivers/atm/lanai.c linux-3.0.9/drivers/atm/lanai.c
24284 --- linux-3.0.9/drivers/atm/lanai.c     2011-11-11 13:12:24.000000000 -0500
24285 +++ linux-3.0.9/drivers/atm/lanai.c     2011-11-15 20:02:59.000000000 -0500
24286 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
24287         vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
24288         lanai_endtx(lanai, lvcc);
24289         lanai_free_skb(lvcc->tx.atmvcc, skb);
24290 -       atomic_inc(&lvcc->tx.atmvcc->stats->tx);
24291 +       atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
24292  }
24293  
24294  /* Try to fill the buffer - don't call unless there is backlog */
24295 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
24296         ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
24297         __net_timestamp(skb);
24298         lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
24299 -       atomic_inc(&lvcc->rx.atmvcc->stats->rx);
24300 +       atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
24301      out:
24302         lvcc->rx.buf.ptr = end;
24303         cardvcc_write(lvcc, endptr, vcc_rxreadptr);
24304 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
24305                 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
24306                     "vcc %d\n", lanai->number, (unsigned int) s, vci);
24307                 lanai->stats.service_rxnotaal5++;
24308 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24309 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24310                 return 0;
24311         }
24312         if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
24313 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
24314                 int bytes;
24315                 read_unlock(&vcc_sklist_lock);
24316                 DPRINTK("got trashed rx pdu on vci %d\n", vci);
24317 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24318 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24319                 lvcc->stats.x.aal5.service_trash++;
24320                 bytes = (SERVICE_GET_END(s) * 16) -
24321                     (((unsigned long) lvcc->rx.buf.ptr) -
24322 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
24323         }
24324         if (s & SERVICE_STREAM) {
24325                 read_unlock(&vcc_sklist_lock);
24326 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24327 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24328                 lvcc->stats.x.aal5.service_stream++;
24329                 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
24330                     "PDU on VCI %d!\n", lanai->number, vci);
24331 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
24332                 return 0;
24333         }
24334         DPRINTK("got rx crc error on vci %d\n", vci);
24335 -       atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24336 +       atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24337         lvcc->stats.x.aal5.service_rxcrc++;
24338         lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
24339         cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
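Review bot: None of these hunks say why the per-VCC statistics counters (`stats->tx`, `stats->rx`, `stats->rx_err`) move to the `_unchecked` atomic variants, so a later reader cannot tell whether wrap-around was judged harmless or the overflow check was dropped by accident. The `atomic_*_unchecked` helpers are not defined in this excerpt; presumably they are the opt-out from the overflow-detecting atomics for counters that may legitimately wrap, which is the right category for packet and error tallies that are only ever reported and never used as a lifetime or an index. A one-line comment at the first converted site would record that, e.g. `/* statistics only: wrap-around is harmless, so overflow checking is deliberately disabled */`. The same applies to the nicstar.c, solos-pci.c and zatm.c sections below and to the iphase.c hunks that start before this excerpt.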
24340 diff -urNp linux-3.0.9/drivers/atm/nicstar.c linux-3.0.9/drivers/atm/nicstar.c
24341 --- linux-3.0.9/drivers/atm/nicstar.c   2011-11-11 13:12:24.000000000 -0500
24342 +++ linux-3.0.9/drivers/atm/nicstar.c   2011-11-15 20:02:59.000000000 -0500
24343 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc, 
24344         if ((vc = (vc_map *) vcc->dev_data) == NULL) {
24345                 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
24346                        card->index);
24347 -               atomic_inc(&vcc->stats->tx_err);
24348 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24349                 dev_kfree_skb_any(skb);
24350                 return -EINVAL;
24351         }
24352 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc, 
24353         if (!vc->tx) {
24354                 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
24355                        card->index);
24356 -               atomic_inc(&vcc->stats->tx_err);
24357 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24358                 dev_kfree_skb_any(skb);
24359                 return -EINVAL;
24360         }
24361 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc, 
24362         if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
24363                 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
24364                        card->index);
24365 -               atomic_inc(&vcc->stats->tx_err);
24366 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24367                 dev_kfree_skb_any(skb);
24368                 return -EINVAL;
24369         }
24370  
24371         if (skb_shinfo(skb)->nr_frags != 0) {
24372                 printk("nicstar%d: No scatter-gather yet.\n", card->index);
24373 -               atomic_inc(&vcc->stats->tx_err);
24374 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24375                 dev_kfree_skb_any(skb);
24376                 return -EINVAL;
24377         }
24378 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc, 
24379         }
24380  
24381         if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
24382 -               atomic_inc(&vcc->stats->tx_err);
24383 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24384                 dev_kfree_skb_any(skb);
24385                 return -EIO;
24386         }
24387 -       atomic_inc(&vcc->stats->tx);
24388 +       atomic_inc_unchecked(&vcc->stats->tx);
24389  
24390         return 0;
24391  }
24392 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
24393                                 printk
24394                                     ("nicstar%d: Can't allocate buffers for aal0.\n",
24395                                      card->index);
24396 -                               atomic_add(i, &vcc->stats->rx_drop);
24397 +                               atomic_add_unchecked(i, &vcc->stats->rx_drop);
24398                                 break;
24399                         }
24400                         if (!atm_charge(vcc, sb->truesize)) {
24401                                 RXPRINTK
24402                                     ("nicstar%d: atm_charge() dropped aal0 packets.\n",
24403                                      card->index);
24404 -                               atomic_add(i - 1, &vcc->stats->rx_drop);        /* already increased by 1 */
24405 +                               atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);      /* already increased by 1 */
24406                                 dev_kfree_skb_any(sb);
24407                                 break;
24408                         }
24409 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
24410                         ATM_SKB(sb)->vcc = vcc;
24411                         __net_timestamp(sb);
24412                         vcc->push(vcc, sb);
24413 -                       atomic_inc(&vcc->stats->rx);
24414 +                       atomic_inc_unchecked(&vcc->stats->rx);
24415                         cell += ATM_CELL_PAYLOAD;
24416                 }
24417  
24418 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
24419                         if (iovb == NULL) {
24420                                 printk("nicstar%d: Out of iovec buffers.\n",
24421                                        card->index);
24422 -                               atomic_inc(&vcc->stats->rx_drop);
24423 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
24424                                 recycle_rx_buf(card, skb);
24425                                 return;
24426                         }
24427 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
24428                    small or large buffer itself. */
24429         } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
24430                 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
24431 -               atomic_inc(&vcc->stats->rx_err);
24432 +               atomic_inc_unchecked(&vcc->stats->rx_err);
24433                 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24434                                       NS_MAX_IOVECS);
24435                 NS_PRV_IOVCNT(iovb) = 0;
24436 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
24437                             ("nicstar%d: Expected a small buffer, and this is not one.\n",
24438                              card->index);
24439                         which_list(card, skb);
24440 -                       atomic_inc(&vcc->stats->rx_err);
24441 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24442                         recycle_rx_buf(card, skb);
24443                         vc->rx_iov = NULL;
24444                         recycle_iov_buf(card, iovb);
24445 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
24446                             ("nicstar%d: Expected a large buffer, and this is not one.\n",
24447                              card->index);
24448                         which_list(card, skb);
24449 -                       atomic_inc(&vcc->stats->rx_err);
24450 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24451                         recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24452                                               NS_PRV_IOVCNT(iovb));
24453                         vc->rx_iov = NULL;
24454 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
24455                                 printk(" - PDU size mismatch.\n");
24456                         else
24457                                 printk(".\n");
24458 -                       atomic_inc(&vcc->stats->rx_err);
24459 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24460                         recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24461                                               NS_PRV_IOVCNT(iovb));
24462                         vc->rx_iov = NULL;
24463 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
24464                         /* skb points to a small buffer */
24465                         if (!atm_charge(vcc, skb->truesize)) {
24466                                 push_rxbufs(card, skb);
24467 -                               atomic_inc(&vcc->stats->rx_drop);
24468 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
24469                         } else {
24470                                 skb_put(skb, len);
24471                                 dequeue_sm_buf(card, skb);
24472 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
24473                                 ATM_SKB(skb)->vcc = vcc;
24474                                 __net_timestamp(skb);
24475                                 vcc->push(vcc, skb);
24476 -                               atomic_inc(&vcc->stats->rx);
24477 +                               atomic_inc_unchecked(&vcc->stats->rx);
24478                         }
24479                 } else if (NS_PRV_IOVCNT(iovb) == 2) {  /* One small plus one large buffer */
24480                         struct sk_buff *sb;
24481 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
24482                         if (len <= NS_SMBUFSIZE) {
24483                                 if (!atm_charge(vcc, sb->truesize)) {
24484                                         push_rxbufs(card, sb);
24485 -                                       atomic_inc(&vcc->stats->rx_drop);
24486 +                                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24487                                 } else {
24488                                         skb_put(sb, len);
24489                                         dequeue_sm_buf(card, sb);
24490 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
24491                                         ATM_SKB(sb)->vcc = vcc;
24492                                         __net_timestamp(sb);
24493                                         vcc->push(vcc, sb);
24494 -                                       atomic_inc(&vcc->stats->rx);
24495 +                                       atomic_inc_unchecked(&vcc->stats->rx);
24496                                 }
24497  
24498                                 push_rxbufs(card, skb);
24499 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
24500  
24501                                 if (!atm_charge(vcc, skb->truesize)) {
24502                                         push_rxbufs(card, skb);
24503 -                                       atomic_inc(&vcc->stats->rx_drop);
24504 +                                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24505                                 } else {
24506                                         dequeue_lg_buf(card, skb);
24507  #ifdef NS_USE_DESTRUCTORS
24508 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
24509                                         ATM_SKB(skb)->vcc = vcc;
24510                                         __net_timestamp(skb);
24511                                         vcc->push(vcc, skb);
24512 -                                       atomic_inc(&vcc->stats->rx);
24513 +                                       atomic_inc_unchecked(&vcc->stats->rx);
24514                                 }
24515  
24516                                 push_rxbufs(card, sb);
24517 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
24518                                         printk
24519                                             ("nicstar%d: Out of huge buffers.\n",
24520                                              card->index);
24521 -                                       atomic_inc(&vcc->stats->rx_drop);
24522 +                                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24523                                         recycle_iovec_rx_bufs(card,
24524                                                               (struct iovec *)
24525                                                               iovb->data,
24526 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
24527                                         card->hbpool.count++;
24528                                 } else
24529                                         dev_kfree_skb_any(hb);
24530 -                               atomic_inc(&vcc->stats->rx_drop);
24531 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
24532                         } else {
24533                                 /* Copy the small buffer to the huge buffer */
24534                                 sb = (struct sk_buff *)iov->iov_base;
24535 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
24536  #endif /* NS_USE_DESTRUCTORS */
24537                                 __net_timestamp(hb);
24538                                 vcc->push(vcc, hb);
24539 -                               atomic_inc(&vcc->stats->rx);
24540 +                               atomic_inc_unchecked(&vcc->stats->rx);
24541                         }
24542                 }
24543  
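--- a/drivers/atm/solos-pci.c
+++ b/drivers/atm/solos-pci.c
@@ -714,7 +714,7 @@ void solos_bh(unsigned long card_arg)
                                }
                                atm_charge(vcc, skb->truesize);
                                vcc->push(vcc, skb);
-                               atomic_inc(&vcc->stats->rx);
+                               atomic_inc_unchecked(&vcc->stats->rx);
                                break;
 
                        case PKT_STATUS:
@@ -899,6 +899,8 @@ static int print_buffer(struct sk_buff *
        char msg[500];
        char item[10];
 
+       pax_track_stack();
+
        len = buf->len;
        for (i = 0; i < len; i++){
                if(i % 8 == 0)
@@ -1008,7 +1010,7 @@ static uint32_t fpga_tx(struct solos_car
                        vcc = SKB_CB(oldskb)->vcc;
 
                        if (vcc) {
-                               atomic_inc(&vcc->stats->tx);
+                               atomic_inc_unchecked(&vcc->stats->tx);
                                solos_pop(vcc, oldskb);
                        } else
                                dev_kfree_skb_irq(oldskb);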
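Review bot: The `pax_track_stack()` call inserted in `print_buffer` sits between the declarations and the first statement with nothing tying it to the reason it is there, which from the visible declarations is the roughly 510 bytes of `msg[500]` and `item[10]` on the stack. A short comment such as `/* pax_track_stack: this frame carries ~510 bytes of local buffers (msg, item) */` would stop a later cleanup from dropping the call or moving it below the loop. The function body continues outside the hunk and `pax_track_stack` is not defined in this excerpt, so what the tracker does with the call is inferred. The same bare call is added to `do_ida_request` in cpqarray.c, whose section runs past the end of this excerpt.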
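--- a/drivers/atm/suni.c
+++ b/drivers/atm/suni.c
@@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
 
 
 #define ADD_LIMITED(s,v) \
-    atomic_add((v),&stats->s); \
-    if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
+    atomic_add_unchecked((v),&stats->s); \
+    if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
 
 
 static void suni_hz(unsigned long from_timer)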
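Review bot: `ADD_LIMITED` still expands to two statements that are not wrapped in `do { ... } while (0)`, so an invocation such as `if (cond) ADD_LIMITED(x, y);` would run the `if (atomic_read_unchecked(...) < 0)` clamp unconditionally; rewriting the macro was the moment to close that off with `#define ADD_LIMITED(s,v) do { \`, `    atomic_add_unchecked((v),&stats->s); \` and `    if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)`. The macro's callers are outside this hunk, so whether any of them is a dangling `if` cannot be confirmed here. The `< 0` test only works because the add is allowed to wrap into the sign bit first, which is presumably why the unchecked variant is required here rather than merely tolerated; a comment like `/* saturate at INT_MAX: the add must stay unchecked so the wrap is observable here instead of being trapped */` would record that. The `ADD_LIMITED` in uPD98402.c below has the same weakness (braces but no `do/while`, so `if (c) ADD_LIMITED(a,b); else ...` does not compile).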
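--- a/drivers/atm/uPD98402.c
+++ b/drivers/atm/uPD98402.c
@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
        struct sonet_stats tmp;
        int error = 0;
 
-       atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
+       atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
        sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
        if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
        if (zero && !error) {
@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
 
 
 #define ADD_LIMITED(s,v) \
-    { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
-    if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
-       atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
+    { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
+    if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
+       atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
 
 
 static void stat_event(struct atm_dev *dev)
@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev 
                if (reason & uPD98402_INT_PFM) stat_event(dev);
                if (reason & uPD98402_INT_PCO) {
                        (void) GET(PCOCR); /* clear interrupt cause */
-                       atomic_add(GET(HECCT),
+                       atomic_add_unchecked(GET(HECCT),
                            &PRIV(dev)->sonet_stats.uncorr_hcs);
                }
                if ((reason & uPD98402_INT_RFO) && 
@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
        PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
          uPD98402_INT_LOS),PIMR); /* enable them */
        (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
-       atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
-       atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
-       atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
+       atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
+       atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
+       atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
        return 0;
 }
 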
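Review bot: `uPD98402_start` seeds `corr_hcs`, `tx_cells` and `rx_cells` with -1, presumably as a "not maintained by this PHY" marker, but nothing next to the three `atomic_set_unchecked` lines says so, and -1 is exactly the value the `ADD_LIMITED` clamp earlier in this file would turn into INT_MAX on the first add. The `stat_event` body that uses `ADD_LIMITED` is outside this hunk, so whether those three fields can ever reach it cannot be verified here. A comment on the first of the three lines, `/* -1 marks counters this PHY does not maintain; they must never go through ADD_LIMITED */`, would pin that invariant where the sentinel is set.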
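--- a/drivers/atm/zatm.c
+++ b/drivers/atm/zatm.c
@@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
                }
                if (!size) {
                        dev_kfree_skb_irq(skb);
-                       if (vcc) atomic_inc(&vcc->stats->rx_err);
+                       if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
                        continue;
                }
                if (!atm_charge(vcc,skb->truesize)) {
@@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
                skb->len = size;
                ATM_SKB(skb)->vcc = vcc;
                vcc->push(vcc,skb);
-               atomic_inc(&vcc->stats->rx);
+               atomic_inc_unchecked(&vcc->stats->rx);
        }
        zout(pos & 0xffff,MTA(mbx));
 #if 0 /* probably a stupid idea */
@@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
                        skb_queue_head(&zatm_vcc->backlog,skb);
                        break;
                }
-       atomic_inc(&vcc->stats->tx);
+       atomic_inc_unchecked(&vcc->stats->tx);
        wake_up(&zatm_vcc->tx_wait);
 }
 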
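--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -357,7 +357,7 @@ int devtmpfs_mount(const char *mntdir)
        if (!dev_mnt)
                return 0;
 
-       err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
+       err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
        if (err)
                printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
        else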
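Review bot: The `(char __force_user *)` casts on the `sys_mount` call make the address-space checker accept kernel pointers for parameters declared `__user`, but nothing records why that is safe; `__force` silences sparse rather than proving anything, and the same cast also discards `const` from the two string literals and from `mntdir`. Presumably the call is legitimate because `devtmpfs_mount` runs in kernel-thread context where the syscall's user-copy helpers accept kernel addresses, but that context is not visible in this hunk. A comment above the call would keep the next reader from either removing the casts or copying the pattern somewhere it is not safe, e.g. `/* kernel-side caller of a syscall: the __user parameters deliberately receive kernel pointers here */`.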
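--- a/drivers/base/power/wakeup.c
+++ b/drivers/base/power/wakeup.c
@@ -29,14 +29,14 @@ bool events_check_enabled;
  * They need to be modified together atomically, so it's better to use one
  * atomic variable to hold them both.
  */
-static atomic_t combined_event_count = ATOMIC_INIT(0);
+static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
 
 #define IN_PROGRESS_BITS       (sizeof(int) * 4)
 #define MAX_IN_PROGRESS                ((1 << IN_PROGRESS_BITS) - 1)
 
 static void split_counters(unsigned int *cnt, unsigned int *inpr)
 {
-       unsigned int comb = atomic_read(&combined_event_count);
+       unsigned int comb = atomic_read_unchecked(&combined_event_count);
 
        *cnt = (comb >> IN_PROGRESS_BITS);
        *inpr = comb & MAX_IN_PROGRESS;
@@ -350,7 +350,7 @@ static void wakeup_source_activate(struc
        ws->last_time = ktime_get();
 
        /* Increment the counter of events in progress. */
-       atomic_inc(&combined_event_count);
+       atomic_inc_unchecked(&combined_event_count);
 }
 
 /**
@@ -440,7 +440,7 @@ static void wakeup_source_deactivate(str
         * Increment the counter of registered wakeup events and decrement the
         * couter of wakeup events in progress simultaneously.
         */
-       atomic_add(MAX_IN_PROGRESS, &combined_event_count);
+       atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
 }
 
 /**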
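Review bot: The switch of `combined_event_count` to `atomic_unchecked_t` is the right call but the existing comment block above it does not explain it; it only says the two halves must change together. `split_counters` reads the value back as `unsigned int` and the registered-event half lives in the top bits (`*cnt = comb >> IN_PROGRESS_BITS`, advanced by `atomic_add_unchecked(MAX_IN_PROGRESS, ...)`), so the packed value is expected to pass through the sign bit and wrap, which an overflow-checking atomic would flag as an error. Extending the comment with ` * Both halves wrap by design, so this must stay an unchecked atomic.` records that. Whether `ATOMIC_INIT(0)` is a valid initialiser for `atomic_unchecked_t` depends on that type's definition, which is outside this excerpt.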
24715 diff -urNp linux-3.0.9/drivers/block/cciss.c linux-3.0.9/drivers/block/cciss.c
24716 --- linux-3.0.9/drivers/block/cciss.c   2011-11-11 13:12:24.000000000 -0500
24717 +++ linux-3.0.9/drivers/block/cciss.c   2011-11-15 20:02:59.000000000 -0500
24718 @@ -1179,6 +1179,8 @@ static int cciss_ioctl32_passthru(struct
24719         int err;
24720         u32 cp;
24721  
24722 +       memset(&arg64, 0, sizeof(arg64));
24723 +
24724         err = 0;
24725         err |=
24726             copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
24727 @@ -2986,7 +2988,7 @@ static void start_io(ctlr_info_t *h)
24728         while (!list_empty(&h->reqQ)) {
24729                 c = list_entry(h->reqQ.next, CommandList_struct, list);
24730                 /* can't do anything if fifo is full */
24731 -               if ((h->access.fifo_full(h))) {
24732 +               if ((h->access->fifo_full(h))) {
24733                         dev_warn(&h->pdev->dev, "fifo full\n");
24734                         break;
24735                 }
24736 @@ -2996,7 +2998,7 @@ static void start_io(ctlr_info_t *h)
24737                 h->Qdepth--;
24738  
24739                 /* Tell the controller execute command */
24740 -               h->access.submit_command(h, c);
24741 +               h->access->submit_command(h, c);
24742  
24743                 /* Put job onto the completed Q */
24744                 addQ(&h->cmpQ, c);
24745 @@ -3422,17 +3424,17 @@ startio:
24746  
24747  static inline unsigned long get_next_completion(ctlr_info_t *h)
24748  {
24749 -       return h->access.command_completed(h);
24750 +       return h->access->command_completed(h);
24751  }
24752  
24753  static inline int interrupt_pending(ctlr_info_t *h)
24754  {
24755 -       return h->access.intr_pending(h);
24756 +       return h->access->intr_pending(h);
24757  }
24758  
24759  static inline long interrupt_not_for_us(ctlr_info_t *h)
24760  {
24761 -       return ((h->access.intr_pending(h) == 0) ||
24762 +       return ((h->access->intr_pending(h) == 0) ||
24763                 (h->interrupts_enabled == 0));
24764  }
24765  
24766 @@ -3465,7 +3467,7 @@ static inline u32 next_command(ctlr_info
24767         u32 a;
24768  
24769         if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
24770 -               return h->access.command_completed(h);
24771 +               return h->access->command_completed(h);
24772  
24773         if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
24774                 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
24775 @@ -4020,7 +4022,7 @@ static void __devinit cciss_put_controll
24776                 trans_support & CFGTBL_Trans_use_short_tags);
24777  
24778         /* Change the access methods to the performant access methods */
24779 -       h->access = SA5_performant_access;
24780 +       h->access = &SA5_performant_access;
24781         h->transMethod = CFGTBL_Trans_Performant;
24782  
24783         return;
24784 @@ -4292,7 +4294,7 @@ static int __devinit cciss_pci_init(ctlr
24785         if (prod_index < 0)
24786                 return -ENODEV;
24787         h->product_name = products[prod_index].product_name;
24788 -       h->access = *(products[prod_index].access);
24789 +       h->access = products[prod_index].access;
24790  
24791         if (cciss_board_disabled(h)) {
24792                 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
24793 @@ -5009,7 +5011,7 @@ reinit_after_soft_reset:
24794         }
24795  
24796         /* make sure the board interrupts are off */
24797 -       h->access.set_intr_mask(h, CCISS_INTR_OFF);
24798 +       h->access->set_intr_mask(h, CCISS_INTR_OFF);
24799         rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
24800         if (rc)
24801                 goto clean2;
24802 @@ -5061,7 +5063,7 @@ reinit_after_soft_reset:
24803                  * fake ones to scoop up any residual completions.
24804                  */
24805                 spin_lock_irqsave(&h->lock, flags);
24806 -               h->access.set_intr_mask(h, CCISS_INTR_OFF);
24807 +               h->access->set_intr_mask(h, CCISS_INTR_OFF);
24808                 spin_unlock_irqrestore(&h->lock, flags);
24809                 free_irq(h->intr[PERF_MODE_INT], h);
24810                 rc = cciss_request_irq(h, cciss_msix_discard_completions,
24811 @@ -5081,9 +5083,9 @@ reinit_after_soft_reset:
24812                 dev_info(&h->pdev->dev, "Board READY.\n");
24813                 dev_info(&h->pdev->dev,
24814                         "Waiting for stale completions to drain.\n");
24815 -               h->access.set_intr_mask(h, CCISS_INTR_ON);
24816 +               h->access->set_intr_mask(h, CCISS_INTR_ON);
24817                 msleep(10000);
24818 -               h->access.set_intr_mask(h, CCISS_INTR_OFF);
24819 +               h->access->set_intr_mask(h, CCISS_INTR_OFF);
24820  
24821                 rc = controller_reset_failed(h->cfgtable);
24822                 if (rc)
24823 @@ -5106,7 +5108,7 @@ reinit_after_soft_reset:
24824         cciss_scsi_setup(h);
24825  
24826         /* Turn the interrupts on so we can service requests */
24827 -       h->access.set_intr_mask(h, CCISS_INTR_ON);
24828 +       h->access->set_intr_mask(h, CCISS_INTR_ON);
24829  
24830         /* Get the firmware version */
24831         inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
24832 @@ -5178,7 +5180,7 @@ static void cciss_shutdown(struct pci_de
24833         kfree(flush_buf);
24834         if (return_code != IO_OK)
24835                 dev_warn(&h->pdev->dev, "Error flushing cache\n");
24836 -       h->access.set_intr_mask(h, CCISS_INTR_OFF);
24837 +       h->access->set_intr_mask(h, CCISS_INTR_OFF);
24838         free_irq(h->intr[PERF_MODE_INT], h);
24839  }
24840  
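Review bot: The new `memset(&arg64, 0, sizeof(arg64))` in `cciss_ioctl32_passthru` is the one functional change in this section and carries no comment; the structure is then filled field by field from user space and, presumably outside this hunk, handed back through a user-accessible copy, so the zeroing is what keeps uninitialised padding and any field the copies do not write from leaking kernel stack contents. A comment on the line, `/* zero padding and unset fields: arg64 is copied out again later, so stale stack bytes must not leak */`, would make that purpose survive the next refactor. The remaining hunks only follow the `access` field's change from an embedded struct to a pointer; `h->access = products[prod_index].access;` and `h->access = &SA5_performant_access;` now share the method tables instead of copying them, which is fine as long as nothing writes through `h->access`, and a `const`-qualified pointer in cciss.h would enforce that. The type of `products[].access` is outside this excerpt.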
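--- a/drivers/block/cciss.h
+++ b/drivers/block/cciss.h
@@ -100,7 +100,7 @@ struct ctlr_info
        /* information about each logical volume */
        drive_info_struct *drv[CISS_MAX_LUN];
 
-       struct access_method access;
+       struct access_method *access;
 
        /* queue and queue Info */ 
        struct list_head reqQ;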
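Review bot: `struct access_method *access;` is declared as a pointer to mutable data, although every use in cciss.c calls through it (`h->access->submit_command(h, c)`, `h->access->set_intr_mask(h, CCISS_INTR_OFF)`) and never writes to it; `const struct access_method *access;` would document that and allow the shared method tables to live in read-only memory, which is presumably the point of replacing the embedded copy with a pointer. Whether `products[].access` and `SA5_performant_access` are already `const` is not visible in this excerpt; if they are, the non-const field will draw a discarded-qualifier warning at the assignments in cciss.c. cpqarray.c makes the same field change and its section runs past the end of this excerpt.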
24853 diff -urNp linux-3.0.9/drivers/block/cpqarray.c linux-3.0.9/drivers/block/cpqarray.c
24854 --- linux-3.0.9/drivers/block/cpqarray.c        2011-11-11 13:12:24.000000000 -0500
24855 +++ linux-3.0.9/drivers/block/cpqarray.c        2011-11-15 20:02:59.000000000 -0500
24856 @@ -404,7 +404,7 @@ static int __devinit cpqarray_register_c
24857         if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
24858                 goto Enomem4;
24859         }
24860 -       hba[i]->access.set_intr_mask(hba[i], 0);
24861 +       hba[i]->access->set_intr_mask(hba[i], 0);
24862         if (request_irq(hba[i]->intr, do_ida_intr,
24863                 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
24864         {
24865 @@ -459,7 +459,7 @@ static int __devinit cpqarray_register_c
24866         add_timer(&hba[i]->timer);
24867  
24868         /* Enable IRQ now that spinlock and rate limit timer are set up */
24869 -       hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24870 +       hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24871  
24872         for(j=0; j<NWD; j++) {
24873                 struct gendisk *disk = ida_gendisk[i][j];
24874 @@ -694,7 +694,7 @@ DBGINFO(
24875         for(i=0; i<NR_PRODUCTS; i++) {
24876                 if (board_id == products[i].board_id) {
24877                         c->product_name = products[i].product_name;
24878 -                       c->access = *(products[i].access);
24879 +                       c->access = products[i].access;
24880                         break;
24881                 }
24882         }
24883 @@ -792,7 +792,7 @@ static int __devinit cpqarray_eisa_detec
24884                 hba[ctlr]->intr = intr;
24885                 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
24886                 hba[ctlr]->product_name = products[j].product_name;
24887 -               hba[ctlr]->access = *(products[j].access);
24888 +               hba[ctlr]->access = products[j].access;
24889                 hba[ctlr]->ctlr = ctlr;
24890                 hba[ctlr]->board_id = board_id;
24891                 hba[ctlr]->pci_dev = NULL; /* not PCI */
24892 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
24893         struct scatterlist tmp_sg[SG_MAX];
24894         int i, dir, seg;
24895  
24896 +       pax_track_stack();
24897 +
24898  queue_next:
24899         creq = blk_peek_request(q);
24900         if (!creq)
24901 @@ -980,7 +982,7 @@ static void start_io(ctlr_info_t *h)
24902  
24903         while((c = h->reqQ) != NULL) {
24904                 /* Can't do anything if we're busy */
24905 -               if (h->access.fifo_full(h) == 0)
24906 +               if (h->access->fifo_full(h) == 0)
24907                         return;
24908  
24909                 /* Get the first entry from the request Q */
24910 @@ -988,7 +990,7 @@ static void start_io(ctlr_info_t *h)
24911                 h->Qdepth--;
24912         
24913                 /* Tell the controller to do our bidding */
24914 -               h->access.submit_command(h, c);
24915 +               h->access->submit_command(h, c);
24916  
24917                 /* Get onto the completion Q */
24918                 addQ(&h->cmpQ, c);
24919 @@ -1050,7 +1052,7 @@ static irqreturn_t do_ida_intr(int irq, 
24920         unsigned long flags;
24921         __u32 a,a1;
24922  
24923 -       istat = h->access.intr_pending(h);
24924 +       istat = h->access->intr_pending(h);
24925         /* Is this interrupt for us? */
24926         if (istat == 0)
24927                 return IRQ_NONE;
24928 @@ -1061,7 +1063,7 @@ static irqreturn_t do_ida_intr(int irq, 
24929          */
24930         spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
24931         if (istat & FIFO_NOT_EMPTY) {
24932 -               while((a = h->access.command_completed(h))) {
24933 +               while((a = h->access->command_completed(h))) {
24934                         a1 = a; a &= ~3;
24935                         if ((c = h->cmpQ) == NULL)
24936                         {  
24937 @@ -1449,11 +1451,11 @@ static int sendcmd(
24938         /*
24939          * Disable interrupt
24940          */
24941 -       info_p->access.set_intr_mask(info_p, 0);
24942 +       info_p->access->set_intr_mask(info_p, 0);
24943         /* Make sure there is room in the command FIFO */
24944         /* Actually it should be completely empty at this time. */
24945         for (i = 200000; i > 0; i--) {
24946 -               temp = info_p->access.fifo_full(info_p);
24947 +               temp = info_p->access->fifo_full(info_p);
24948                 if (temp != 0) {
24949                         break;
24950                 }
24951 @@ -1466,7 +1468,7 @@ DBG(
24952         /*
24953          * Send the cmd
24954          */
24955 -       info_p->access.submit_command(info_p, c);
24956 +       info_p->access->submit_command(info_p, c);
24957         complete = pollcomplete(ctlr);
24958         
24959         pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr, 
24960 @@ -1549,9 +1551,9 @@ static int revalidate_allvol(ctlr_info_t
24961          * we check the new geometry.  Then turn interrupts back on when
24962          * we're done.
24963          */
24964 -       host->access.set_intr_mask(host, 0);
24965 +       host->access->set_intr_mask(host, 0);
24966         getgeometry(ctlr);
24967 -       host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
24968 +       host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
24969  
24970         for(i=0; i<NWD; i++) {
24971                 struct gendisk *disk = ida_gendisk[ctlr][i];
24972 @@ -1591,7 +1593,7 @@ static int pollcomplete(int ctlr)
24973         /* Wait (up to 2 seconds) for a command to complete */
24974  
24975         for (i = 200000; i > 0; i--) {
24976 -               done = hba[ctlr]->access.command_completed(hba[ctlr]);
24977 +               done = hba[ctlr]->access->command_completed(hba[ctlr]);
24978                 if (done == 0) {
24979                         udelay(10);     /* a short fixed delay */
24980                 } else
24981 diff -urNp linux-3.0.9/drivers/block/cpqarray.h linux-3.0.9/drivers/block/cpqarray.h
24982 --- linux-3.0.9/drivers/block/cpqarray.h        2011-11-11 13:12:24.000000000 -0500
24983 +++ linux-3.0.9/drivers/block/cpqarray.h        2011-11-15 20:02:59.000000000 -0500
24984 @@ -99,7 +99,7 @@ struct ctlr_info {
24985         drv_info_t      drv[NWD];
24986         struct proc_dir_entry *proc;
24987  
24988 -       struct access_method access;
24989 +       struct access_method *access;
24990  
24991         cmdlist_t *reqQ;
24992         cmdlist_t *cmpQ;
24993 diff -urNp linux-3.0.9/drivers/block/DAC960.c linux-3.0.9/drivers/block/DAC960.c
24994 --- linux-3.0.9/drivers/block/DAC960.c  2011-11-11 13:12:24.000000000 -0500
24995 +++ linux-3.0.9/drivers/block/DAC960.c  2011-11-15 20:02:59.000000000 -0500
24996 @@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
24997    unsigned long flags;
24998    int Channel, TargetID;
24999  
25000 +  pax_track_stack();
25001 +
25002    if (!init_dma_loaf(Controller->PCIDevice, &local_dma, 
25003                 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
25004                         sizeof(DAC960_SCSI_Inquiry_T) +
25005 diff -urNp linux-3.0.9/drivers/block/drbd/drbd_int.h linux-3.0.9/drivers/block/drbd/drbd_int.h
25006 --- linux-3.0.9/drivers/block/drbd/drbd_int.h   2011-11-11 13:12:24.000000000 -0500
25007 +++ linux-3.0.9/drivers/block/drbd/drbd_int.h   2011-11-15 20:02:59.000000000 -0500
25008 @@ -737,7 +737,7 @@ struct drbd_request;
25009  struct drbd_epoch {
25010         struct list_head list;
25011         unsigned int barrier_nr;
25012 -       atomic_t epoch_size; /* increased on every request added. */
25013 +       atomic_unchecked_t epoch_size; /* increased on every request added. */
25014         atomic_t active;     /* increased on every req. added, and dec on every finished. */
25015         unsigned long flags;
25016  };
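Review bot: The switch of `epoch_size` to `atomic_unchecked_t` opts this counter out of whatever overflow checking the patch attaches to `atomic_t`, without saying why, and a later reader is likely to "fix" it back; a short comment such as `/* plain counter, not a refcount: wrapping is tolerated */` would prevent that. The same applies to `packet_seq` in the next hunk (25022), `drbd_nl_seq` in drbd_nl.c (25114) and the `stats[]` arrays in ipmi_msghandler.c (25362) and ipmi_si_intf.c (25404), all of which are sequence numbers or statistics where wrap-around is expected. If atomic_unchecked_t is documented at its definition elsewhere in the patch, a one-line reference to that would be enough here.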
25017 @@ -1109,7 +1109,7 @@ struct drbd_conf {
25018         void *int_dig_in;
25019         void *int_dig_vv;
25020         wait_queue_head_t seq_wait;
25021 -       atomic_t packet_seq;
25022 +       atomic_unchecked_t packet_seq;
25023         unsigned int peer_seq;
25024         spinlock_t peer_seq_lock;
25025         unsigned int minor;
25026 @@ -1618,30 +1618,30 @@ static inline int drbd_setsockopt(struct
25027  
25028  static inline void drbd_tcp_cork(struct socket *sock)
25029  {
25030 -       int __user val = 1;
25031 +       int val = 1;
25032         (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
25033 -                       (char __user *)&val, sizeof(val));
25034 +                       (char __force_user *)&val, sizeof(val));
25035  }
25036  
25037  static inline void drbd_tcp_uncork(struct socket *sock)
25038  {
25039 -       int __user val = 0;
25040 +       int val = 0;
25041         (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
25042 -                       (char __user *)&val, sizeof(val));
25043 +                       (char __force_user *)&val, sizeof(val));
25044  }
25045  
25046  static inline void drbd_tcp_nodelay(struct socket *sock)
25047  {
25048 -       int __user val = 1;
25049 +       int val = 1;
25050         (void) drbd_setsockopt(sock, SOL_TCP, TCP_NODELAY,
25051 -                       (char __user *)&val, sizeof(val));
25052 +                       (char __force_user *)&val, sizeof(val));
25053  }
25054  
25055  static inline void drbd_tcp_quickack(struct socket *sock)
25056  {
25057 -       int __user val = 2;
25058 +       int val = 2;
25059         (void) drbd_setsockopt(sock, SOL_TCP, TCP_QUICKACK,
25060 -                       (char __user *)&val, sizeof(val));
25061 +                       (char __force_user *)&val, sizeof(val));
25062  }
25063  
25064  void drbd_bump_write_ordering(struct drbd_conf *mdev, enum write_ordering_e wo);
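Review bot: `val` is now a kernel-stack variable handed to drbd_setsockopt through a `char __force_user *` cast, i.e. a kernel address is deliberately pushed down a path typed for user pointers, and nothing in the hunk states the precondition that makes this safe. If the intent is that these helpers are only ever called from kernel threads (which run with a kernel address limit), a comment on the first of the four, e.g. `/* kernel-thread context only: &val is a kernel address passed through the __user path */`, would document it; if they can be reached from a user-context syscall, the copy would presumably fail and the `(void)`-discarded result hides that. drbd_setsockopt's definition starts outside the hunk.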
25065 diff -urNp linux-3.0.9/drivers/block/drbd/drbd_main.c linux-3.0.9/drivers/block/drbd/drbd_main.c
25066 --- linux-3.0.9/drivers/block/drbd/drbd_main.c  2011-11-11 13:12:24.000000000 -0500
25067 +++ linux-3.0.9/drivers/block/drbd/drbd_main.c  2011-11-15 20:02:59.000000000 -0500
25068 @@ -2397,7 +2397,7 @@ static int _drbd_send_ack(struct drbd_co
25069         p.sector   = sector;
25070         p.block_id = block_id;
25071         p.blksize  = blksize;
25072 -       p.seq_num  = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
25073 +       p.seq_num  = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
25074  
25075         if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
25076                 return false;
25077 @@ -2696,7 +2696,7 @@ int drbd_send_dblock(struct drbd_conf *m
25078         p.sector   = cpu_to_be64(req->sector);
25079         p.block_id = (unsigned long)req;
25080         p.seq_num  = cpu_to_be32(req->seq_num =
25081 -                                atomic_add_return(1, &mdev->packet_seq));
25082 +                                atomic_add_return_unchecked(1, &mdev->packet_seq));
25083  
25084         dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
25085  
25086 @@ -2981,7 +2981,7 @@ void drbd_init_set_defaults(struct drbd_
25087         atomic_set(&mdev->unacked_cnt, 0);
25088         atomic_set(&mdev->local_cnt, 0);
25089         atomic_set(&mdev->net_cnt, 0);
25090 -       atomic_set(&mdev->packet_seq, 0);
25091 +       atomic_set_unchecked(&mdev->packet_seq, 0);
25092         atomic_set(&mdev->pp_in_use, 0);
25093         atomic_set(&mdev->pp_in_use_by_net, 0);
25094         atomic_set(&mdev->rs_sect_in, 0);
25095 @@ -3063,8 +3063,8 @@ void drbd_mdev_cleanup(struct drbd_conf 
25096                                 mdev->receiver.t_state);
25097  
25098         /* no need to lock it, I'm the only thread alive */
25099 -       if (atomic_read(&mdev->current_epoch->epoch_size) !=  0)
25100 -               dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
25101 +       if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) !=  0)
25102 +               dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
25103         mdev->al_writ_cnt  =
25104         mdev->bm_writ_cnt  =
25105         mdev->read_cnt     =
25106 diff -urNp linux-3.0.9/drivers/block/drbd/drbd_nl.c linux-3.0.9/drivers/block/drbd/drbd_nl.c
25107 --- linux-3.0.9/drivers/block/drbd/drbd_nl.c    2011-11-11 13:12:24.000000000 -0500
25108 +++ linux-3.0.9/drivers/block/drbd/drbd_nl.c    2011-11-15 20:02:59.000000000 -0500
25109 @@ -2359,7 +2359,7 @@ static void drbd_connector_callback(stru
25110         module_put(THIS_MODULE);
25111  }
25112  
25113 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25114 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25115  
25116  static unsigned short *
25117  __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
25118 @@ -2430,7 +2430,7 @@ void drbd_bcast_state(struct drbd_conf *
25119         cn_reply->id.idx = CN_IDX_DRBD;
25120         cn_reply->id.val = CN_VAL_DRBD;
25121  
25122 -       cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25123 +       cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25124         cn_reply->ack = 0; /* not used here. */
25125         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25126                 (int)((char *)tl - (char *)reply->tag_list);
25127 @@ -2462,7 +2462,7 @@ void drbd_bcast_ev_helper(struct drbd_co
25128         cn_reply->id.idx = CN_IDX_DRBD;
25129         cn_reply->id.val = CN_VAL_DRBD;
25130  
25131 -       cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25132 +       cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25133         cn_reply->ack = 0; /* not used here. */
25134         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25135                 (int)((char *)tl - (char *)reply->tag_list);
25136 @@ -2540,7 +2540,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
25137         cn_reply->id.idx = CN_IDX_DRBD;
25138         cn_reply->id.val = CN_VAL_DRBD;
25139  
25140 -       cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
25141 +       cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
25142         cn_reply->ack = 0; // not used here.
25143         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25144                 (int)((char*)tl - (char*)reply->tag_list);
25145 @@ -2579,7 +2579,7 @@ void drbd_bcast_sync_progress(struct drb
25146         cn_reply->id.idx = CN_IDX_DRBD;
25147         cn_reply->id.val = CN_VAL_DRBD;
25148  
25149 -       cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25150 +       cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25151         cn_reply->ack = 0; /* not used here. */
25152         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25153                 (int)((char *)tl - (char *)reply->tag_list);
25154 diff -urNp linux-3.0.9/drivers/block/drbd/drbd_receiver.c linux-3.0.9/drivers/block/drbd/drbd_receiver.c
25155 --- linux-3.0.9/drivers/block/drbd/drbd_receiver.c      2011-11-11 13:12:24.000000000 -0500
25156 +++ linux-3.0.9/drivers/block/drbd/drbd_receiver.c      2011-11-15 20:02:59.000000000 -0500
25157 @@ -894,7 +894,7 @@ retry:
25158         sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
25159         sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
25160  
25161 -       atomic_set(&mdev->packet_seq, 0);
25162 +       atomic_set_unchecked(&mdev->packet_seq, 0);
25163         mdev->peer_seq = 0;
25164  
25165         drbd_thread_start(&mdev->asender);
25166 @@ -985,7 +985,7 @@ static enum finish_epoch drbd_may_finish
25167         do {
25168                 next_epoch = NULL;
25169  
25170 -               epoch_size = atomic_read(&epoch->epoch_size);
25171 +               epoch_size = atomic_read_unchecked(&epoch->epoch_size);
25172  
25173                 switch (ev & ~EV_CLEANUP) {
25174                 case EV_PUT:
25175 @@ -1020,7 +1020,7 @@ static enum finish_epoch drbd_may_finish
25176                                         rv = FE_DESTROYED;
25177                         } else {
25178                                 epoch->flags = 0;
25179 -                               atomic_set(&epoch->epoch_size, 0);
25180 +                               atomic_set_unchecked(&epoch->epoch_size, 0);
25181                                 /* atomic_set(&epoch->active, 0); is already zero */
25182                                 if (rv == FE_STILL_LIVE)
25183                                         rv = FE_RECYCLED;
25184 @@ -1191,14 +1191,14 @@ static int receive_Barrier(struct drbd_c
25185                 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
25186                 drbd_flush(mdev);
25187  
25188 -               if (atomic_read(&mdev->current_epoch->epoch_size)) {
25189 +               if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25190                         epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
25191                         if (epoch)
25192                                 break;
25193                 }
25194  
25195                 epoch = mdev->current_epoch;
25196 -               wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
25197 +               wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
25198  
25199                 D_ASSERT(atomic_read(&epoch->active) == 0);
25200                 D_ASSERT(epoch->flags == 0);
25201 @@ -1210,11 +1210,11 @@ static int receive_Barrier(struct drbd_c
25202         }
25203  
25204         epoch->flags = 0;
25205 -       atomic_set(&epoch->epoch_size, 0);
25206 +       atomic_set_unchecked(&epoch->epoch_size, 0);
25207         atomic_set(&epoch->active, 0);
25208  
25209         spin_lock(&mdev->epoch_lock);
25210 -       if (atomic_read(&mdev->current_epoch->epoch_size)) {
25211 +       if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25212                 list_add(&epoch->list, &mdev->current_epoch->list);
25213                 mdev->current_epoch = epoch;
25214                 mdev->epochs++;
25215 @@ -1663,7 +1663,7 @@ static int receive_Data(struct drbd_conf
25216                 spin_unlock(&mdev->peer_seq_lock);
25217  
25218                 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
25219 -               atomic_inc(&mdev->current_epoch->epoch_size);
25220 +               atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
25221                 return drbd_drain_block(mdev, data_size);
25222         }
25223  
25224 @@ -1689,7 +1689,7 @@ static int receive_Data(struct drbd_conf
25225  
25226         spin_lock(&mdev->epoch_lock);
25227         e->epoch = mdev->current_epoch;
25228 -       atomic_inc(&e->epoch->epoch_size);
25229 +       atomic_inc_unchecked(&e->epoch->epoch_size);
25230         atomic_inc(&e->epoch->active);
25231         spin_unlock(&mdev->epoch_lock);
25232  
25233 @@ -3885,7 +3885,7 @@ static void drbd_disconnect(struct drbd_
25234         D_ASSERT(list_empty(&mdev->done_ee));
25235  
25236         /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
25237 -       atomic_set(&mdev->current_epoch->epoch_size, 0);
25238 +       atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
25239         D_ASSERT(list_empty(&mdev->current_epoch->list));
25240  }
25241  
25242 diff -urNp linux-3.0.9/drivers/block/loop.c linux-3.0.9/drivers/block/loop.c
25243 --- linux-3.0.9/drivers/block/loop.c    2011-11-11 13:12:24.000000000 -0500
25244 +++ linux-3.0.9/drivers/block/loop.c    2011-11-15 20:02:59.000000000 -0500
25245 @@ -283,7 +283,7 @@ static int __do_lo_send_write(struct fil
25246         mm_segment_t old_fs = get_fs();
25247  
25248         set_fs(get_ds());
25249 -       bw = file->f_op->write(file, buf, len, &pos);
25250 +       bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
25251         set_fs(old_fs);
25252         if (likely(bw == len))
25253                 return 0;
25254 diff -urNp linux-3.0.9/drivers/block/nbd.c linux-3.0.9/drivers/block/nbd.c
25255 --- linux-3.0.9/drivers/block/nbd.c     2011-11-11 13:12:24.000000000 -0500
25256 +++ linux-3.0.9/drivers/block/nbd.c     2011-11-15 20:02:59.000000000 -0500
25257 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
25258         struct kvec iov;
25259         sigset_t blocked, oldset;
25260  
25261 +       pax_track_stack();
25262 +
25263         if (unlikely(!sock)) {
25264                 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
25265                        lo->disk->disk_name, (send ? "send" : "recv"));
25266 @@ -572,6 +574,8 @@ static void do_nbd_request(struct reques
25267  static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
25268                        unsigned int cmd, unsigned long arg)
25269  {
25270 +       pax_track_stack();
25271 +
25272         switch (cmd) {
25273         case NBD_DISCONNECT: {
25274                 struct request sreq;
25275 diff -urNp linux-3.0.9/drivers/char/agp/frontend.c linux-3.0.9/drivers/char/agp/frontend.c
25276 --- linux-3.0.9/drivers/char/agp/frontend.c     2011-11-11 13:12:24.000000000 -0500
25277 +++ linux-3.0.9/drivers/char/agp/frontend.c     2011-11-15 20:02:59.000000000 -0500
25278 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
25279         if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
25280                 return -EFAULT;
25281  
25282 -       if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
25283 +       if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
25284                 return -EFAULT;
25285  
25286         client = agp_find_client_by_pid(reserve.pid);
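Review bot: The bound now uses `sizeof(struct agp_segment_priv)`, but the comparison still goes through `(unsigned) reserve.seg_count`; if `seg_count` is a `size_t` as in `struct agp_region`, the cast truncates the value on 64-bit before the check while the allocations that follow presumably multiply the untruncated field, so the check does not bound what it claims to. Comparing at full width closes that gap: `if (reserve.seg_count > ~(size_t)0 / sizeof(struct agp_segment_priv))`, and since agp_segment_priv appears to be the larger of the two structs sized from seg_count, this also covers the `struct agp_segment` allocation. The oversized allocations would likely fail cleanly anyway, but the guard should be the one that rejects them. agpioc_reserve_wrap continues outside the hunk.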
25287 diff -urNp linux-3.0.9/drivers/char/briq_panel.c linux-3.0.9/drivers/char/briq_panel.c
25288 --- linux-3.0.9/drivers/char/briq_panel.c       2011-11-11 13:12:24.000000000 -0500
25289 +++ linux-3.0.9/drivers/char/briq_panel.c       2011-11-15 20:02:59.000000000 -0500
25290 @@ -9,6 +9,7 @@
25291  #include <linux/types.h>
25292  #include <linux/errno.h>
25293  #include <linux/tty.h>
25294 +#include <linux/mutex.h>
25295  #include <linux/timer.h>
25296  #include <linux/kernel.h>
25297  #include <linux/wait.h>
25298 @@ -34,6 +35,7 @@ static int            vfd_is_open;
25299  static unsigned char   vfd[40];
25300  static int             vfd_cursor;
25301  static unsigned char   ledpb, led;
25302 +static DEFINE_MUTEX(vfd_mutex);
25303  
25304  static void update_vfd(void)
25305  {
25306 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
25307         if (!vfd_is_open)
25308                 return -EBUSY;
25309  
25310 +       mutex_lock(&vfd_mutex);
25311         for (;;) {
25312                 char c;
25313                 if (!indx)
25314                         break;
25315 -               if (get_user(c, buf))
25316 +               if (get_user(c, buf)) {
25317 +                       mutex_unlock(&vfd_mutex);
25318                         return -EFAULT;
25319 +               }
25320                 if (esc) {
25321                         set_led(c);
25322                         esc = 0;
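Review bot: The new `mutex_unlock(&vfd_mutex); return -EFAULT;` inside the loop is now the only early exit that releases the lock, so any further early return added to this loop later leaks the mutex; the conventional shape is a single exit, `ret = -EFAULT; goto out_unlock;` here and `out_unlock: mutex_unlock(&vfd_mutex); return ret;` replacing the unlock in the third hunk (25327), with `ret = len` set after update_vfd(). The mutex also only serializes briq_panel_write against itself; if briq_panel_read or the ioctl path touch `vfd[]` / `vfd_cursor` (declared in the second hunk, 25299-25300), they need the same lock, which this change does not add. briq_panel_write's body starts and ends outside this hunk.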
25323 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
25324                 buf++;
25325         }
25326         update_vfd();
25327 +       mutex_unlock(&vfd_mutex);
25328  
25329         return len;
25330  }
25331 diff -urNp linux-3.0.9/drivers/char/genrtc.c linux-3.0.9/drivers/char/genrtc.c
25332 --- linux-3.0.9/drivers/char/genrtc.c   2011-11-11 13:12:24.000000000 -0500
25333 +++ linux-3.0.9/drivers/char/genrtc.c   2011-11-15 20:02:59.000000000 -0500
25334 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
25335         switch (cmd) {
25336  
25337         case RTC_PLL_GET:
25338 +           memset(&pll, 0, sizeof(pll));
25339             if (get_rtc_pll(&pll))
25340                     return -EINVAL;
25341             else
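Review bot: The added `memset(&pll, 0, sizeof(pll));` carries no comment saying why it is needed, and a later reader will see it as redundant next to get_rtc_pll() and drop it; the reason is that `pll` is a stack struct that is subsequently copied to user space, and any field or padding get_rtc_pll() leaves untouched would otherwise carry stale kernel stack contents. Suggest `/* zero everything first: the struct is copied to user space and get_rtc_pll() need not fill every byte */`. Whether get_rtc_pll() writes all fields is not visible in the hunk; the copy_to_user sits in gen_rtc_ioctl outside it.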
25342 diff -urNp linux-3.0.9/drivers/char/hpet.c linux-3.0.9/drivers/char/hpet.c
25343 --- linux-3.0.9/drivers/char/hpet.c     2011-11-11 13:12:24.000000000 -0500
25344 +++ linux-3.0.9/drivers/char/hpet.c     2011-11-15 20:02:59.000000000 -0500
25345 @@ -572,7 +572,7 @@ static inline unsigned long hpet_time_di
25346  }
25347  
25348  static int
25349 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
25350 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
25351                   struct hpet_info *info)
25352  {
25353         struct hpet_timer __iomem *timer;
25354 diff -urNp linux-3.0.9/drivers/char/ipmi/ipmi_msghandler.c linux-3.0.9/drivers/char/ipmi/ipmi_msghandler.c
25355 --- linux-3.0.9/drivers/char/ipmi/ipmi_msghandler.c     2011-11-11 13:12:24.000000000 -0500
25356 +++ linux-3.0.9/drivers/char/ipmi/ipmi_msghandler.c     2011-11-15 20:02:59.000000000 -0500
25357 @@ -415,7 +415,7 @@ struct ipmi_smi {
25358         struct proc_dir_entry *proc_dir;
25359         char                  proc_dir_name[10];
25360  
25361 -       atomic_t stats[IPMI_NUM_STATS];
25362 +       atomic_unchecked_t stats[IPMI_NUM_STATS];
25363  
25364         /*
25365          * run_to_completion duplicate of smb_info, smi_info
25366 @@ -448,9 +448,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
25367  
25368  
25369  #define ipmi_inc_stat(intf, stat) \
25370 -       atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
25371 +       atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
25372  #define ipmi_get_stat(intf, stat) \
25373 -       ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
25374 +       ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
25375  
25376  static int is_lan_addr(struct ipmi_addr *addr)
25377  {
25378 @@ -2868,7 +2868,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
25379         INIT_LIST_HEAD(&intf->cmd_rcvrs);
25380         init_waitqueue_head(&intf->waitq);
25381         for (i = 0; i < IPMI_NUM_STATS; i++)
25382 -               atomic_set(&intf->stats[i], 0);
25383 +               atomic_set_unchecked(&intf->stats[i], 0);
25384  
25385         intf->proc_dir = NULL;
25386  
25387 @@ -4220,6 +4220,8 @@ static void send_panic_events(char *str)
25388         struct ipmi_smi_msg               smi_msg;
25389         struct ipmi_recv_msg              recv_msg;
25390  
25391 +       pax_track_stack();
25392 +
25393         si = (struct ipmi_system_interface_addr *) &addr;
25394         si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
25395         si->channel = IPMI_BMC_CHANNEL;
25396 diff -urNp linux-3.0.9/drivers/char/ipmi/ipmi_si_intf.c linux-3.0.9/drivers/char/ipmi/ipmi_si_intf.c
25397 --- linux-3.0.9/drivers/char/ipmi/ipmi_si_intf.c        2011-11-11 13:12:24.000000000 -0500
25398 +++ linux-3.0.9/drivers/char/ipmi/ipmi_si_intf.c        2011-11-15 20:02:59.000000000 -0500
25399 @@ -277,7 +277,7 @@ struct smi_info {
25400         unsigned char slave_addr;
25401  
25402         /* Counters and things for the proc filesystem. */
25403 -       atomic_t stats[SI_NUM_STATS];
25404 +       atomic_unchecked_t stats[SI_NUM_STATS];
25405  
25406         struct task_struct *thread;
25407  
25408 @@ -286,9 +286,9 @@ struct smi_info {
25409  };
25410  
25411  #define smi_inc_stat(smi, stat) \
25412 -       atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
25413 +       atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
25414  #define smi_get_stat(smi, stat) \
25415 -       ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
25416 +       ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
25417  
25418  #define SI_MAX_PARMS 4
25419  
25420 @@ -3230,7 +3230,7 @@ static int try_smi_init(struct smi_info 
25421         atomic_set(&new_smi->req_events, 0);
25422         new_smi->run_to_completion = 0;
25423         for (i = 0; i < SI_NUM_STATS; i++)
25424 -               atomic_set(&new_smi->stats[i], 0);
25425 +               atomic_set_unchecked(&new_smi->stats[i], 0);
25426  
25427         new_smi->interrupt_disabled = 1;
25428         atomic_set(&new_smi->stop_operation, 0);
25429 diff -urNp linux-3.0.9/drivers/char/Kconfig linux-3.0.9/drivers/char/Kconfig
25430 --- linux-3.0.9/drivers/char/Kconfig    2011-11-11 13:12:24.000000000 -0500
25431 +++ linux-3.0.9/drivers/char/Kconfig    2011-11-15 20:02:59.000000000 -0500
25432 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
25433  
25434  config DEVKMEM
25435         bool "/dev/kmem virtual device support"
25436 -       default y
25437 +       default n
25438 +       depends on !GRKERNSEC_KMEM
25439         help
25440           Say Y here if you want to support the /dev/kmem device. The
25441           /dev/kmem device is rarely used, but can be used for certain
25442 @@ -596,6 +597,7 @@ config DEVPORT
25443         bool
25444         depends on !M68K
25445         depends on ISA || PCI
25446 +       depends on !GRKERNSEC_KMEM
25447         default y
25448  
25449  source "drivers/s390/char/Kconfig"
25450 diff -urNp linux-3.0.9/drivers/char/mbcs.c linux-3.0.9/drivers/char/mbcs.c
25451 --- linux-3.0.9/drivers/char/mbcs.c     2011-11-11 13:12:24.000000000 -0500
25452 +++ linux-3.0.9/drivers/char/mbcs.c     2011-11-15 20:02:59.000000000 -0500
25453 @@ -800,7 +800,7 @@ static int mbcs_remove(struct cx_dev *de
25454         return 0;
25455  }
25456  
25457 -static const struct cx_device_id __devinitdata mbcs_id_table[] = {
25458 +static const struct cx_device_id __devinitconst mbcs_id_table[] = {
25459         {
25460          .part_num = MBCS_PART_NUM,
25461          .mfg_num = MBCS_MFG_NUM,
25462 diff -urNp linux-3.0.9/drivers/char/mem.c linux-3.0.9/drivers/char/mem.c
25463 --- linux-3.0.9/drivers/char/mem.c      2011-11-11 13:12:24.000000000 -0500
25464 +++ linux-3.0.9/drivers/char/mem.c      2011-11-15 20:02:59.000000000 -0500
25465 @@ -18,6 +18,7 @@
25466  #include <linux/raw.h>
25467  #include <linux/tty.h>
25468  #include <linux/capability.h>
25469 +#include <linux/security.h>
25470  #include <linux/ptrace.h>
25471  #include <linux/device.h>
25472  #include <linux/highmem.h>
25473 @@ -34,6 +35,10 @@
25474  # include <linux/efi.h>
25475  #endif
25476  
25477 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25478 +extern struct file_operations grsec_fops;
25479 +#endif
25480 +
25481  static inline unsigned long size_inside_page(unsigned long start,
25482                                              unsigned long size)
25483  {
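Review bot: `extern struct file_operations grsec_fops;` is declared in a .c file rather than a header and is non-const, unlike the fops the other `devlist` entries point to; moving the declaration to a shared grsecurity header lets the compiler check it against its definition, and if the definition can be made `const struct file_operations` the declaration should be `extern const struct file_operations grsec_fops;` so the function-pointer table lands in read-only data. Whether the definition is const is not visible here.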
25484 @@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
25485  
25486         while (cursor < to) {
25487                 if (!devmem_is_allowed(pfn)) {
25488 +#ifdef CONFIG_GRKERNSEC_KMEM
25489 +                       gr_handle_mem_readwrite(from, to);
25490 +#else
25491                         printk(KERN_INFO
25492                 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
25493                                 current->comm, from, to);
25494 +#endif
25495                         return 0;
25496                 }
25497                 cursor += PAGE_SIZE;
25498 @@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
25499         }
25500         return 1;
25501  }
25502 +#elif defined(CONFIG_GRKERNSEC_KMEM)
25503 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25504 +{
25505 +       return 0;
25506 +}
25507  #else
25508  static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25509  {
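Review bot: The new `#elif defined(CONFIG_GRKERNSEC_KMEM)` range_is_allowed() denies every access silently, whereas the branch in the previous hunk (25489) reports a denied range through gr_handle_mem_readwrite(from, to); if that helper is the audit hook, calling it here before `return 0` keeps denials observable consistently, which would need the same from/to computation from (pfn, size) that the other variant uses. The `#if` this `#elif` attaches to is outside the hunk (presumably the CONFIG_STRICT_DEVMEM guard). A one-line comment, `/* no STRICT_DEVMEM, but KMEM hardening on: deny all of /dev/mem */`, would also make the policy explicit.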
25510 @@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
25511  
25512         while (count > 0) {
25513                 unsigned long remaining;
25514 +               char *temp;
25515  
25516                 sz = size_inside_page(p, count);
25517  
25518 @@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
25519                 if (!ptr)
25520                         return -EFAULT;
25521  
25522 -               remaining = copy_to_user(buf, ptr, sz);
25523 +#ifdef CONFIG_PAX_USERCOPY
25524 +               temp = kmalloc(sz, GFP_KERNEL);
25525 +               if (!temp) {
25526 +                       unxlate_dev_mem_ptr(p, ptr);
25527 +                       return -ENOMEM;
25528 +               }
25529 +               memcpy(temp, ptr, sz);
25530 +#else
25531 +               temp = ptr;
25532 +#endif
25533 +
25534 +               remaining = copy_to_user(buf, temp, sz);
25535 +
25536 +#ifdef CONFIG_PAX_USERCOPY
25537 +               kfree(temp);
25538 +#endif
25539 +
25540                 unxlate_dev_mem_ptr(p, ptr);
25541                 if (remaining)
25542                         return -EFAULT;
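Review bot: Under CONFIG_PAX_USERCOPY the bounce buffer is kmalloc'ed and kfree'd on every loop iteration even though `sz` is bounded by size_inside_page() to at most one page; allocating one page-sized buffer before the loop and freeing it at the function's exits would remove the per-page allocator round trip and leave a single -ENOMEM site, and the per-iteration `char *temp` from the preceding hunk (25514) would move out of the loop with it. A comment on the `#ifdef` saying why the copy is staged through a heap object at all (presumably so the usercopy check has a sized object to validate against) would make the intent visible. read_mem starts and ends outside the hunk.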
25543 @@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
25544                          size_t count, loff_t *ppos)
25545  {
25546         unsigned long p = *ppos;
25547 -       ssize_t low_count, read, sz;
25548 +       ssize_t low_count, read, sz, err = 0;
25549         char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
25550 -       int err = 0;
25551  
25552         read = 0;
25553         if (p < (unsigned long) high_memory) {
25554 @@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
25555                 }
25556  #endif
25557                 while (low_count > 0) {
25558 +                       char *temp;
25559 +
25560                         sz = size_inside_page(p, low_count);
25561  
25562                         /*
25563 @@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
25564                          */
25565                         kbuf = xlate_dev_kmem_ptr((char *)p);
25566  
25567 -                       if (copy_to_user(buf, kbuf, sz))
25568 +#ifdef CONFIG_PAX_USERCOPY
25569 +                       temp = kmalloc(sz, GFP_KERNEL);
25570 +                       if (!temp)
25571 +                               return -ENOMEM;
25572 +                       memcpy(temp, kbuf, sz);
25573 +#else
25574 +                       temp = kbuf;
25575 +#endif
25576 +
25577 +                       err = copy_to_user(buf, temp, sz);
25578 +
25579 +#ifdef CONFIG_PAX_USERCOPY
25580 +                       kfree(temp);
25581 +#endif
25582 +
25583 +                       if (err)
25584                                 return -EFAULT;
25585                         buf += sz;
25586                         p += sz;
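Review bot: `err = copy_to_user(buf, temp, sz);` recycles the function-level error variable (an ssize_t that, as far as I can tell, is returned via `read ? read : err` at the end of the function, outside this hunk) to hold copy_to_user's uncopied-byte count, which is not an errno; it happens to be zero whenever the loop completes, but that is fragile and diverges from read_mem above, which uses a dedicated `unsigned long remaining`. Mirror that here: declare `unsigned long remaining;` beside `char *temp;`, write `remaining = copy_to_user(buf, temp, sz);`, and test `if (remaining)`, leaving err for real error codes. read_kmem continues outside the hunk.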
25587 @@ -866,6 +913,9 @@ static const struct memdev {
25588  #ifdef CONFIG_CRASH_DUMP
25589         [12] = { "oldmem", 0, &oldmem_fops, NULL },
25590  #endif
25591 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25592 +       [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
25593 +#endif
25594  };
25595  
25596  static int memory_open(struct inode *inode, struct file *filp)
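Review bot: The mode `S_IRUSR | S_IWUGO` (0622) makes the new "grsec" node writable by every user, which is unusual for an entry in this table and will be flagged by anyone auditing device permissions. If that is intentional, so that unprivileged users can submit requests to the RBAC subsystem and grsec_fops authenticates each one itself, it deserves a comment on the line, e.g. `/* world-writable on purpose: grsec_fops authenticates every write */`; if not, S_IWUSR is the safe default. I cannot see grsec_fops, so that assumption needs confirming. A space after `"grsec",` would also match the surrounding rows.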
25597 diff -urNp linux-3.0.9/drivers/char/nvram.c linux-3.0.9/drivers/char/nvram.c
25598 --- linux-3.0.9/drivers/char/nvram.c    2011-11-11 13:12:24.000000000 -0500
25599 +++ linux-3.0.9/drivers/char/nvram.c    2011-11-15 20:02:59.000000000 -0500
25600 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
25601  
25602         spin_unlock_irq(&rtc_lock);
25603  
25604 -       if (copy_to_user(buf, contents, tmp - contents))
25605 +       if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
25606                 return -EFAULT;
25607  
25608         *ppos = i;
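Review bot: The added `tmp - contents > sizeof(contents)` test cannot fail as far as I can tell: tmp is advanced only by the loop that fills contents (outside this hunk), so it never passes the end of the array. If it is there to give the instrumented copy_to_user a visible bound on the length under CONFIG_PAX_USERCOPY, say so, e.g. `/* never true; bounds the copy length for the usercopy checker */`, or the next cleanup will remove it as dead code. Since a failure would mean kernel-side corruption rather than a bad user pointer, `WARN_ON_ONCE` on that condition would also be more informative than a silent -EFAULT. nvram_read starts and ends outside the hunk.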
25609 diff -urNp linux-3.0.9/drivers/char/random.c linux-3.0.9/drivers/char/random.c
25610 --- linux-3.0.9/drivers/char/random.c   2011-11-11 13:12:24.000000000 -0500
25611 +++ linux-3.0.9/drivers/char/random.c   2011-11-15 20:02:59.000000000 -0500
25612 @@ -261,8 +261,13 @@
25613  /*
25614   * Configuration information
25615   */
25616 +#ifdef CONFIG_GRKERNSEC_RANDNET
25617 +#define INPUT_POOL_WORDS 512
25618 +#define OUTPUT_POOL_WORDS 128
25619 +#else
25620  #define INPUT_POOL_WORDS 128
25621  #define OUTPUT_POOL_WORDS 32
25622 +#endif
25623  #define SEC_XFER_SIZE 512
25624  #define EXTRACT_SIZE 10
25625  
25626 @@ -300,10 +305,17 @@ static struct poolinfo {
25627         int poolwords;
25628         int tap1, tap2, tap3, tap4, tap5;
25629  } poolinfo_table[] = {
25630 +#ifdef CONFIG_GRKERNSEC_RANDNET
25631 +       /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
25632 +       { 512,  411,    308,    208,    104,    1 },
25633 +       /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
25634 +       { 128,  103,    76,     51,     25,     1 },
25635 +#else
25636         /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
25637         { 128,  103,    76,     51,     25,     1 },
25638         /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
25639         { 32,   26,     20,     14,     7,      1 },
25640 +#endif
25641  #if 0
25642         /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1  -- 115 */
25643         { 2048, 1638,   1231,   819,    411,    1 },
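Review bot: poolinfo_table is indexed positionally, with input_pool taking entry [0] and the blocking/nonblocking pools entry [1] (the pool initializers are outside this hunk), so the CONFIG_GRKERNSEC_RANDNET branch has to keep the 512-word row first and the 128-word row second to agree with INPUT_POOL_WORDS and OUTPUT_POOL_WORDS from the earlier hunk, and the `poolwords - 1` mask used when mixing additionally needs both to be powers of two. Nothing ties the two #ifdef blocks together; a comment on this one would, e.g. `/* rows must match INPUT_POOL_WORDS and OUTPUT_POOL_WORDS, in that order */`. The 512-word polynomial appears to be the one from the `#if 0` list that follows; if it has not been independently checked, noting its provenance in the row comment would help.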
25644 @@ -539,8 +539,8 @@
25645                 input_rotate += i ? 7 : 14;
25646         }
25647  
25648 -       ACCESS_ONCE(r->input_rotate) = input_rotate;
25649 -       ACCESS_ONCE(r->add_ptr) = i;
25650 +       ACCESS_ONCE_RW(r->input_rotate) = input_rotate;
25651 +       ACCESS_ONCE_RW(r->add_ptr) = i;
25652         smp_wmb();
25653  
25654         if (out)
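Review bot: This hunk header (`@@ -539,8 +539,8 @@`) carries neither a function name nor the +5/+12 line offset the two preceding hunks introduce into this file, which suggests it was spliced in from a separately generated diff; patch will still apply it with an offset, but the file should be regenerated so the hunk numbers are consistent and apply without fuzz. The ACCESS_ONCE_RW substitution itself looks right for a write through a pointer the patch may constify, assuming ACCESS_ONCE_RW is provided by an earlier part of this patch that I cannot see.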
25655 @@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
25656  
25657                 extract_buf(r, tmp);
25658                 i = min_t(int, nbytes, EXTRACT_SIZE);
25659 -               if (copy_to_user(buf, tmp, i)) {
25660 +               if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
25661                         ret = -EFAULT;
25662                         break;
25663                 }
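Review bot: `i > sizeof(tmp)` can never be true here: `i = min_t(int, nbytes, EXTRACT_SIZE)` on the line above caps it at EXTRACT_SIZE, which is also tmp's size if tmp is still declared as `__u8 tmp[EXTRACT_SIZE]` outside the hunk. If the comparison exists to give the instrumented copy_to_user a visible upper bound under CONFIG_PAX_USERCOPY, a comment should say so, e.g. `/* always false; bounds the length for the usercopy checker */`. Note that i is ssize_t while sizeof is size_t, so a negative i would compare as huge and trip the check; that cannot happen while the read path caps nbytes below INT_MAX, but it is worth knowing the guard's behaviour there.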
25664 @@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
25665  #include <linux/sysctl.h>
25666  
25667  static int min_read_thresh = 8, min_write_thresh;
25668 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
25669 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
25670  static int max_write_thresh = INPUT_POOL_WORDS * 32;
25671  static char sysctl_bootid[16];
25672  
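Review bot: Lowering the ceiling from INPUT_POOL_WORDS * 32 to OUTPUT_POOL_WORDS * 32 shrinks the admin-visible range of /proc/sys/kernel/random/read_wakeup_threshold (1024 bits instead of 4096 without RANDNET), and nothing records why. In this kernel series the threshold is compared against input_pool's entropy count (in credit_entropy_bits and random_poll, outside this hunk), not the output pools', so the input pool size looks like the natural bound unless the intent is to keep the threshold at or below what the blocking pool can hold; whichever it is, a one-line comment beside the new limit would save the next reader the same question.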
25673 diff -urNp linux-3.0.9/drivers/char/sonypi.c linux-3.0.9/drivers/char/sonypi.c
25674 --- linux-3.0.9/drivers/char/sonypi.c   2011-11-11 13:12:24.000000000 -0500
25675 +++ linux-3.0.9/drivers/char/sonypi.c   2011-11-15 20:02:59.000000000 -0500
25676 @@ -55,6 +55,7 @@
25677  #include <asm/uaccess.h>
25678  #include <asm/io.h>
25679  #include <asm/system.h>
25680 +#include <asm/local.h>
25681  
25682  #include <linux/sonypi.h>
25683  
25684 @@ -491,7 +492,7 @@ static struct sonypi_device {
25685         spinlock_t fifo_lock;
25686         wait_queue_head_t fifo_proc_list;
25687         struct fasync_struct *fifo_async;
25688 -       int open_count;
25689 +       local_t open_count;
25690         int model;
25691         struct input_dev *input_jog_dev;
25692         struct input_dev *input_key_dev;
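Review bot: local_t is the per-CPU-local atomic type (Documentation/local_ops.txt): its operations are only guaranteed atomic against the CPU that owns the variable, so a single global counter like sonypi_device.open_count, which both the open and release hunks below modify under sonypi_device.lock, is outside its intended use. Under the mutex the change is harmless, but if the goal is overflow detection on the counter, presumably the reason for the type swap in this patch, a short comment here would keep a future reader from "correcting" it back to int, and atomic_t would express a shared counter more conventionally. Any lockless readers of open_count elsewhere in the file are not visible to me.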
25693 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
25694  static int sonypi_misc_release(struct inode *inode, struct file *file)
25695  {
25696         mutex_lock(&sonypi_device.lock);
25697 -       sonypi_device.open_count--;
25698 +       local_dec(&sonypi_device.open_count);
25699         mutex_unlock(&sonypi_device.lock);
25700         return 0;
25701  }
25702 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
25703  {
25704         mutex_lock(&sonypi_device.lock);
25705         /* Flush input queue on first open */
25706 -       if (!sonypi_device.open_count)
25707 +       if (!local_read(&sonypi_device.open_count))
25708                 kfifo_reset(&sonypi_device.fifo);
25709 -       sonypi_device.open_count++;
25710 +       local_inc(&sonypi_device.open_count);
25711         mutex_unlock(&sonypi_device.lock);
25712  
25713         return 0;
25714 diff -urNp linux-3.0.9/drivers/char/tpm/tpm_bios.c linux-3.0.9/drivers/char/tpm/tpm_bios.c
25715 --- linux-3.0.9/drivers/char/tpm/tpm_bios.c     2011-11-11 13:12:24.000000000 -0500
25716 +++ linux-3.0.9/drivers/char/tpm/tpm_bios.c     2011-11-15 20:02:59.000000000 -0500
25717 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
25718         event = addr;
25719  
25720         if ((event->event_type == 0 && event->event_size == 0) ||
25721 -           ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
25722 +           (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
25723                 return NULL;
25724  
25725         return addr;
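Review bot: The rearranged bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the pointer wrap of the old sum, but it is only safe because of the `(addr + sizeof(struct tcpa_event)) >= limit` guard that, in this kernel series, precedes the hunk in this function; if `limit - addr` were ever smaller than sizeof(struct tcpa_event) the subtraction would wrap to a huge value and the check would pass. That dependency deserves a comment at the new condition, e.g. `/* limit - addr > sizeof(*event) was checked above, so this cannot underflow */`, and the same applies to the identical rewrite in tpm_bios_measurements_next below. The loop that skips over *pos entries at the top of this function (outside the hunk) advances addr with the same unchecked `sizeof(struct tcpa_event) + event->event_size` sum, so it may want the same treatment.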
25726 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
25727                 return NULL;
25728  
25729         if ((event->event_type == 0 && event->event_size == 0) ||
25730 -           ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
25731 +           (event->event_size >= limit - v - sizeof(struct tcpa_event)))
25732                 return NULL;
25733  
25734         (*pos)++;
25735 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
25736         int i;
25737  
25738         for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
25739 -               seq_putc(m, data[i]);
25740 +               if (!seq_putc(m, data[i]))
25741 +                       return -EFAULT;
25742  
25743         return 0;
25744  }
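Review bot: The sense of the new check looks inverted: in this kernel series seq_putc() returns 0 when the byte was stored and -1 when the buffer is full (fs/seq_file.c), so `if (!seq_putc(m, data[i]))` bails out with -EFAULT on the first successful byte and the binary measurements file would never render, unless seq_putc's return value is changed elsewhere in this patch where I cannot see it. Even with the test fixed, a negative return from a show() callback makes seq_read() give up instead of growing its buffer and retrying, which is how a full buffer is normally handled; so either drop the check as before or stop early without an error, `if (seq_putc(m, data[i]) < 0) break;`, keeping the existing `return 0;`.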
25745 @@ -410,8 +411,13 @@ static int read_log(struct tpm_bios_log 
25746         log->bios_event_log_end = log->bios_event_log + len;
25747  
25748         virt = acpi_os_map_memory(start, len);
25749 +       if (!virt) {
25750 +               kfree(log->bios_event_log);
25751 +               log->bios_event_log = NULL;
25752 +               return -EFAULT;
25753 +       }
25754  
25755 -       memcpy(log->bios_event_log, virt, len);
25756 +       memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
25757  
25758         acpi_os_unmap_memory(virt, len);
25759         return 0;
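Review bot: The new failure path frees log->bios_event_log and clears it, but log->bios_event_log_end, set two lines earlier to `log->bios_event_log + len`, is left pointing past a freed buffer; add `log->bios_event_log_end = NULL;` beside the existing clear so no caller can walk from a stale end pointer. -EFAULT is also an odd code for a failed ACPI mapping, where no user address is involved; -EIO or -ENOMEM would describe it better, though callers outside the hunk may depend on the value, so check before changing. read_log begins outside this hunk.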
25760 diff -urNp linux-3.0.9/drivers/char/tpm/tpm.c linux-3.0.9/drivers/char/tpm/tpm.c
25761 --- linux-3.0.9/drivers/char/tpm/tpm.c  2011-11-11 13:12:24.000000000 -0500
25762 +++ linux-3.0.9/drivers/char/tpm/tpm.c  2011-11-15 20:02:59.000000000 -0500
25763 @@ -414,7 +414,7 @@ static ssize_t tpm_transmit(struct tpm_c
25764                     chip->vendor.req_complete_val)
25765                         goto out_recv;
25766  
25767 -               if ((status == chip->vendor.req_canceled)) {
25768 +               if (status == chip->vendor.req_canceled) {
25769                         dev_err(chip->dev, "Operation Canceled\n");
25770                         rc = -ECANCELED;
25771                         goto out;
25772 @@ -847,6 +847,8 @@ ssize_t tpm_show_pubek(struct device *de
25773  
25774         struct tpm_chip *chip = dev_get_drvdata(dev);
25775  
25776 +       pax_track_stack();
25777 +
25778         tpm_cmd.header.in = tpm_readpubek_header;
25779         err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
25780                         "attempting to read the PUBEK");
25781 diff -urNp linux-3.0.9/drivers/char/virtio_console.c linux-3.0.9/drivers/char/virtio_console.c
25782 --- linux-3.0.9/drivers/char/virtio_console.c   2011-11-11 13:12:24.000000000 -0500
25783 +++ linux-3.0.9/drivers/char/virtio_console.c   2011-11-15 20:02:59.000000000 -0500
25784 @@ -555,7 +555,7 @@ static ssize_t fill_readbuf(struct port 
25785         if (to_user) {
25786                 ssize_t ret;
25787  
25788 -               ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
25789 +               ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
25790                 if (ret)
25791                         return -EFAULT;
25792         } else {
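Review bot: The `(char __force_user *)out_buf` cast here and the matching `(char __force_kernel *)ubuf` cast in port_fops_read below round-trip a user pointer through a kernel-annotated parameter, which silences the address-space checker rather than satisfying it; the underlying issue is that fill_readbuf's out_buf carries a user or a kernel pointer depending on to_user. That is tolerable only while the two casts stay paired, so a comment at this cast should say so, e.g. `/* out_buf is really __user when to_user is set; see port_fops_read */`. The cleaner alternative is to annotate out_buf `__user` and cast only in the kernel memcpy branch, keeping the laundering at the one place a kernel copy happens. fill_readbuf starts outside the hunk.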
25793 @@ -654,7 +654,7 @@ static ssize_t port_fops_read(struct fil
25794         if (!port_has_data(port) && !port->host_connected)
25795                 return 0;
25796  
25797 -       return fill_readbuf(port, ubuf, count, true);
25798 +       return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
25799  }
25800  
25801  static ssize_t port_fops_write(struct file *filp, const char __user *ubuf,
25802 diff -urNp linux-3.0.9/drivers/crypto/hifn_795x.c linux-3.0.9/drivers/crypto/hifn_795x.c
25803 --- linux-3.0.9/drivers/crypto/hifn_795x.c      2011-11-11 13:12:24.000000000 -0500
25804 +++ linux-3.0.9/drivers/crypto/hifn_795x.c      2011-11-15 20:02:59.000000000 -0500
25805 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device 
25806                 0xCA, 0x34, 0x2B, 0x2E};
25807         struct scatterlist sg;
25808  
25809 +       pax_track_stack();
25810 +
25811         memset(src, 0, sizeof(src));
25812         memset(ctx.key, 0, sizeof(ctx.key));
25813  
25814 diff -urNp linux-3.0.9/drivers/crypto/padlock-aes.c linux-3.0.9/drivers/crypto/padlock-aes.c
25815 --- linux-3.0.9/drivers/crypto/padlock-aes.c    2011-11-11 13:12:24.000000000 -0500
25816 +++ linux-3.0.9/drivers/crypto/padlock-aes.c    2011-11-15 20:02:59.000000000 -0500
25817 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
25818         struct crypto_aes_ctx gen_aes;
25819         int cpu;
25820  
25821 +       pax_track_stack();
25822 +
25823         if (key_len % 8) {
25824                 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
25825                 return -EINVAL;
25826 diff -urNp linux-3.0.9/drivers/dma/ioat/dma_v3.c linux-3.0.9/drivers/dma/ioat/dma_v3.c
25827 --- linux-3.0.9/drivers/dma/ioat/dma_v3.c       2011-11-11 13:12:24.000000000 -0500
25828 +++ linux-3.0.9/drivers/dma/ioat/dma_v3.c       2011-11-15 20:02:59.000000000 -0500
25829 @@ -73,10 +73,10 @@
25830  /* provide a lookup table for setting the source address in the base or
25831   * extended descriptor of an xor or pq descriptor
25832   */
25833 -static const u8 xor_idx_to_desc __read_mostly = 0xd0;
25834 -static const u8 xor_idx_to_field[] __read_mostly = { 1, 4, 5, 6, 7, 0, 1, 2 };
25835 -static const u8 pq_idx_to_desc __read_mostly = 0xf8;
25836 -static const u8 pq_idx_to_field[] __read_mostly = { 1, 4, 5, 0, 1, 2, 4, 5 };
25837 +static const u8 xor_idx_to_desc = 0xd0;
25838 +static const u8 xor_idx_to_field[] = { 1, 4, 5, 6, 7, 0, 1, 2 };
25839 +static const u8 pq_idx_to_desc = 0xf8;
25840 +static const u8 pq_idx_to_field[] = { 1, 4, 5, 0, 1, 2, 4, 5 };
25841  
25842  static dma_addr_t xor_get_src(struct ioat_raw_descriptor *descs[2], int idx)
25843  {
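Review bot: Dropping `__read_mostly` from these const tables is the right call, since the section attribute would move them into the writable .data..read_mostly section and undo the const, but nothing says so and the attribute is likely to be reinstated by someone tidying "hot" data. A short comment above the four declarations, e.g. `/* const already lands in .rodata; __read_mostly would move these into writable data */`, would document the intent.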
25844 diff -urNp linux-3.0.9/drivers/edac/amd64_edac.c linux-3.0.9/drivers/edac/amd64_edac.c
25845 --- linux-3.0.9/drivers/edac/amd64_edac.c       2011-11-11 13:12:24.000000000 -0500
25846 +++ linux-3.0.9/drivers/edac/amd64_edac.c       2011-11-15 20:02:59.000000000 -0500
25847 @@ -2670,7 +2670,7 @@ static void __devexit amd64_remove_one_i
25848   * PCI core identifies what devices are on a system during boot, and then
25849   * inquiry this table to see if this driver is for a given device found.
25850   */
25851 -static const struct pci_device_id amd64_pci_table[] __devinitdata = {
25852 +static const struct pci_device_id amd64_pci_table[] __devinitconst = {
25853         {
25854                 .vendor         = PCI_VENDOR_ID_AMD,
25855                 .device         = PCI_DEVICE_ID_AMD_K8_NB_MEMCTL,
25856 diff -urNp linux-3.0.9/drivers/edac/amd76x_edac.c linux-3.0.9/drivers/edac/amd76x_edac.c
25857 --- linux-3.0.9/drivers/edac/amd76x_edac.c      2011-11-11 13:12:24.000000000 -0500
25858 +++ linux-3.0.9/drivers/edac/amd76x_edac.c      2011-11-15 20:02:59.000000000 -0500
25859 @@ -321,7 +321,7 @@ static void __devexit amd76x_remove_one(
25860         edac_mc_free(mci);
25861  }
25862  
25863 -static const struct pci_device_id amd76x_pci_tbl[] __devinitdata = {
25864 +static const struct pci_device_id amd76x_pci_tbl[] __devinitconst = {
25865         {
25866          PCI_VEND_DEV(AMD, FE_GATE_700C), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25867          AMD762},
25868 diff -urNp linux-3.0.9/drivers/edac/e752x_edac.c linux-3.0.9/drivers/edac/e752x_edac.c
25869 --- linux-3.0.9/drivers/edac/e752x_edac.c       2011-11-11 13:12:24.000000000 -0500
25870 +++ linux-3.0.9/drivers/edac/e752x_edac.c       2011-11-15 20:02:59.000000000 -0500
25871 @@ -1380,7 +1380,7 @@ static void __devexit e752x_remove_one(s
25872         edac_mc_free(mci);
25873  }
25874  
25875 -static const struct pci_device_id e752x_pci_tbl[] __devinitdata = {
25876 +static const struct pci_device_id e752x_pci_tbl[] __devinitconst = {
25877         {
25878          PCI_VEND_DEV(INTEL, 7520_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25879          E7520},
25880 diff -urNp linux-3.0.9/drivers/edac/e7xxx_edac.c linux-3.0.9/drivers/edac/e7xxx_edac.c
25881 --- linux-3.0.9/drivers/edac/e7xxx_edac.c       2011-11-11 13:12:24.000000000 -0500
25882 +++ linux-3.0.9/drivers/edac/e7xxx_edac.c       2011-11-15 20:02:59.000000000 -0500
25883 @@ -525,7 +525,7 @@ static void __devexit e7xxx_remove_one(s
25884         edac_mc_free(mci);
25885  }
25886  
25887 -static const struct pci_device_id e7xxx_pci_tbl[] __devinitdata = {
25888 +static const struct pci_device_id e7xxx_pci_tbl[] __devinitconst = {
25889         {
25890          PCI_VEND_DEV(INTEL, 7205_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25891          E7205},
25892 diff -urNp linux-3.0.9/drivers/edac/edac_pci_sysfs.c linux-3.0.9/drivers/edac/edac_pci_sysfs.c
25893 --- linux-3.0.9/drivers/edac/edac_pci_sysfs.c   2011-11-11 13:12:24.000000000 -0500
25894 +++ linux-3.0.9/drivers/edac/edac_pci_sysfs.c   2011-11-15 20:02:59.000000000 -0500
25895 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1;               /* log 
25896  static int edac_pci_log_npe = 1;       /* log PCI non-parity error errors */
25897  static int edac_pci_poll_msec = 1000;  /* one second workq period */
25898  
25899 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
25900 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
25901 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
25902 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
25903  
25904  static struct kobject *edac_pci_top_main_kobj;
25905  static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
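Review bot: Switching these two counters to atomic_unchecked_t opts them out of the overflow detection this patch applies to atomic_t, which is reasonable for event statistics that may legitimately wrap, but the declarations give no hint of that reasoning. A comment such as `/* event statistics: wrapping is fine, so no overflow checking */` on the two lines would record it; the before/after comparison in edac_pci_do_parity_check below still works across a wrap, so there is no functional concern.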
25906 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
25907                         edac_printk(KERN_CRIT, EDAC_PCI,
25908                                 "Signaled System Error on %s\n",
25909                                 pci_name(dev));
25910 -                       atomic_inc(&pci_nonparity_count);
25911 +                       atomic_inc_unchecked(&pci_nonparity_count);
25912                 }
25913  
25914                 if (status & (PCI_STATUS_PARITY)) {
25915 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
25916                                 "Master Data Parity Error on %s\n",
25917                                 pci_name(dev));
25918  
25919 -                       atomic_inc(&pci_parity_count);
25920 +                       atomic_inc_unchecked(&pci_parity_count);
25921                 }
25922  
25923                 if (status & (PCI_STATUS_DETECTED_PARITY)) {
25924 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
25925                                 "Detected Parity Error on %s\n",
25926                                 pci_name(dev));
25927  
25928 -                       atomic_inc(&pci_parity_count);
25929 +                       atomic_inc_unchecked(&pci_parity_count);
25930                 }
25931         }
25932  
25933 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
25934                                 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
25935                                         "Signaled System Error on %s\n",
25936                                         pci_name(dev));
25937 -                               atomic_inc(&pci_nonparity_count);
25938 +                               atomic_inc_unchecked(&pci_nonparity_count);
25939                         }
25940  
25941                         if (status & (PCI_STATUS_PARITY)) {
25942 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
25943                                         "Master Data Parity Error on "
25944                                         "%s\n", pci_name(dev));
25945  
25946 -                               atomic_inc(&pci_parity_count);
25947 +                               atomic_inc_unchecked(&pci_parity_count);
25948                         }
25949  
25950                         if (status & (PCI_STATUS_DETECTED_PARITY)) {
25951 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
25952                                         "Detected Parity Error on %s\n",
25953                                         pci_name(dev));
25954  
25955 -                               atomic_inc(&pci_parity_count);
25956 +                               atomic_inc_unchecked(&pci_parity_count);
25957                         }
25958                 }
25959         }
25960 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
25961         if (!check_pci_errors)
25962                 return;
25963  
25964 -       before_count = atomic_read(&pci_parity_count);
25965 +       before_count = atomic_read_unchecked(&pci_parity_count);
25966  
25967         /* scan all PCI devices looking for a Parity Error on devices and
25968          * bridges.
25969 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
25970         /* Only if operator has selected panic on PCI Error */
25971         if (edac_pci_get_panic_on_pe()) {
25972                 /* If the count is different 'after' from 'before' */
25973 -               if (before_count != atomic_read(&pci_parity_count))
25974 +               if (before_count != atomic_read_unchecked(&pci_parity_count))
25975                         panic("EDAC: PCI Parity Error");
25976         }
25977  }
25978 diff -urNp linux-3.0.9/drivers/edac/i3000_edac.c linux-3.0.9/drivers/edac/i3000_edac.c
25979 --- linux-3.0.9/drivers/edac/i3000_edac.c       2011-11-11 13:12:24.000000000 -0500
25980 +++ linux-3.0.9/drivers/edac/i3000_edac.c       2011-11-15 20:02:59.000000000 -0500
25981 @@ -470,7 +470,7 @@ static void __devexit i3000_remove_one(s
25982         edac_mc_free(mci);
25983  }
25984  
25985 -static const struct pci_device_id i3000_pci_tbl[] __devinitdata = {
25986 +static const struct pci_device_id i3000_pci_tbl[] __devinitconst = {
25987         {
25988          PCI_VEND_DEV(INTEL, 3000_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25989          I3000},
25990 diff -urNp linux-3.0.9/drivers/edac/i3200_edac.c linux-3.0.9/drivers/edac/i3200_edac.c
25991 --- linux-3.0.9/drivers/edac/i3200_edac.c       2011-11-11 13:12:24.000000000 -0500
25992 +++ linux-3.0.9/drivers/edac/i3200_edac.c       2011-11-15 20:02:59.000000000 -0500
25993 @@ -456,7 +456,7 @@ static void __devexit i3200_remove_one(s
25994         edac_mc_free(mci);
25995  }
25996  
25997 -static const struct pci_device_id i3200_pci_tbl[] __devinitdata = {
25998 +static const struct pci_device_id i3200_pci_tbl[] __devinitconst = {
25999         {
26000                 PCI_VEND_DEV(INTEL, 3200_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26001                 I3200},
26002 diff -urNp linux-3.0.9/drivers/edac/i5000_edac.c linux-3.0.9/drivers/edac/i5000_edac.c
26003 --- linux-3.0.9/drivers/edac/i5000_edac.c       2011-11-11 13:12:24.000000000 -0500
26004 +++ linux-3.0.9/drivers/edac/i5000_edac.c       2011-11-15 20:02:59.000000000 -0500
26005 @@ -1516,7 +1516,7 @@ static void __devexit i5000_remove_one(s
26006   *
26007   *     The "E500P" device is the first device supported.
26008   */
26009 -static const struct pci_device_id i5000_pci_tbl[] __devinitdata = {
26010 +static const struct pci_device_id i5000_pci_tbl[] __devinitconst = {
26011         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I5000_DEV16),
26012          .driver_data = I5000P},
26013  
26014 diff -urNp linux-3.0.9/drivers/edac/i5100_edac.c linux-3.0.9/drivers/edac/i5100_edac.c
26015 --- linux-3.0.9/drivers/edac/i5100_edac.c       2011-11-11 13:12:24.000000000 -0500
26016 +++ linux-3.0.9/drivers/edac/i5100_edac.c       2011-11-15 20:02:59.000000000 -0500
26017 @@ -1051,7 +1051,7 @@ static void __devexit i5100_remove_one(s
26018         edac_mc_free(mci);
26019  }
26020  
26021 -static const struct pci_device_id i5100_pci_tbl[] __devinitdata = {
26022 +static const struct pci_device_id i5100_pci_tbl[] __devinitconst = {
26023         /* Device 16, Function 0, Channel 0 Memory Map, Error Flag/Mask, ... */
26024         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5100_16) },
26025         { 0, }
26026 diff -urNp linux-3.0.9/drivers/edac/i5400_edac.c linux-3.0.9/drivers/edac/i5400_edac.c
26027 --- linux-3.0.9/drivers/edac/i5400_edac.c       2011-11-11 13:12:24.000000000 -0500
26028 +++ linux-3.0.9/drivers/edac/i5400_edac.c       2011-11-15 20:02:59.000000000 -0500
26029 @@ -1383,7 +1383,7 @@ static void __devexit i5400_remove_one(s
26030   *
26031   *     The "E500P" device is the first device supported.
26032   */
26033 -static const struct pci_device_id i5400_pci_tbl[] __devinitdata = {
26034 +static const struct pci_device_id i5400_pci_tbl[] __devinitconst = {
26035         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5400_ERR)},
26036         {0,}                    /* 0 terminated list. */
26037  };
26038 diff -urNp linux-3.0.9/drivers/edac/i7300_edac.c linux-3.0.9/drivers/edac/i7300_edac.c
26039 --- linux-3.0.9/drivers/edac/i7300_edac.c       2011-11-11 13:12:24.000000000 -0500
26040 +++ linux-3.0.9/drivers/edac/i7300_edac.c       2011-11-15 20:02:59.000000000 -0500
26041 @@ -1191,7 +1191,7 @@ static void __devexit i7300_remove_one(s
26042   *
26043   * Has only 8086:360c PCI ID
26044   */
26045 -static const struct pci_device_id i7300_pci_tbl[] __devinitdata = {
26046 +static const struct pci_device_id i7300_pci_tbl[] __devinitconst = {
26047         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I7300_MCH_ERR)},
26048         {0,}                    /* 0 terminated list. */
26049  };
26050 diff -urNp linux-3.0.9/drivers/edac/i7core_edac.c linux-3.0.9/drivers/edac/i7core_edac.c
26051 --- linux-3.0.9/drivers/edac/i7core_edac.c      2011-11-11 13:12:24.000000000 -0500
26052 +++ linux-3.0.9/drivers/edac/i7core_edac.c      2011-11-15 20:02:59.000000000 -0500
26053 @@ -359,7 +359,7 @@ static const struct pci_id_table pci_dev
26054  /*
26055   *     pci_device_id   table for which devices we are looking for
26056   */
26057 -static const struct pci_device_id i7core_pci_tbl[] __devinitdata = {
26058 +static const struct pci_device_id i7core_pci_tbl[] __devinitconst = {
26059         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_X58_HUB_MGMT)},
26060         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_LYNNFIELD_QPI_LINK0)},
26061         {0,}                    /* 0 terminated list. */
26062 diff -urNp linux-3.0.9/drivers/edac/i82443bxgx_edac.c linux-3.0.9/drivers/edac/i82443bxgx_edac.c
26063 --- linux-3.0.9/drivers/edac/i82443bxgx_edac.c  2011-11-11 13:12:24.000000000 -0500
26064 +++ linux-3.0.9/drivers/edac/i82443bxgx_edac.c  2011-11-15 20:02:59.000000000 -0500
26065 @@ -380,7 +380,7 @@ static void __devexit i82443bxgx_edacmc_
26066  
26067  EXPORT_SYMBOL_GPL(i82443bxgx_edacmc_remove_one);
26068  
26069 -static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitdata = {
26070 +static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitconst = {
26071         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_0)},
26072         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_2)},
26073         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0)},
26074 diff -urNp linux-3.0.9/drivers/edac/i82860_edac.c linux-3.0.9/drivers/edac/i82860_edac.c
26075 --- linux-3.0.9/drivers/edac/i82860_edac.c      2011-11-11 13:12:24.000000000 -0500
26076 +++ linux-3.0.9/drivers/edac/i82860_edac.c      2011-11-15 20:02:59.000000000 -0500
26077 @@ -270,7 +270,7 @@ static void __devexit i82860_remove_one(
26078         edac_mc_free(mci);
26079  }
26080  
26081 -static const struct pci_device_id i82860_pci_tbl[] __devinitdata = {
26082 +static const struct pci_device_id i82860_pci_tbl[] __devinitconst = {
26083         {
26084          PCI_VEND_DEV(INTEL, 82860_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26085          I82860},
26086 diff -urNp linux-3.0.9/drivers/edac/i82875p_edac.c linux-3.0.9/drivers/edac/i82875p_edac.c
26087 --- linux-3.0.9/drivers/edac/i82875p_edac.c     2011-11-11 13:12:24.000000000 -0500
26088 +++ linux-3.0.9/drivers/edac/i82875p_edac.c     2011-11-15 20:02:59.000000000 -0500
26089 @@ -511,7 +511,7 @@ static void __devexit i82875p_remove_one
26090         edac_mc_free(mci);
26091  }
26092  
26093 -static const struct pci_device_id i82875p_pci_tbl[] __devinitdata = {
26094 +static const struct pci_device_id i82875p_pci_tbl[] __devinitconst = {
26095         {
26096          PCI_VEND_DEV(INTEL, 82875_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26097          I82875P},
26098 diff -urNp linux-3.0.9/drivers/edac/i82975x_edac.c linux-3.0.9/drivers/edac/i82975x_edac.c
26099 --- linux-3.0.9/drivers/edac/i82975x_edac.c     2011-11-11 13:12:24.000000000 -0500
26100 +++ linux-3.0.9/drivers/edac/i82975x_edac.c     2011-11-15 20:02:59.000000000 -0500
26101 @@ -604,7 +604,7 @@ static void __devexit i82975x_remove_one
26102         edac_mc_free(mci);
26103  }
26104  
26105 -static const struct pci_device_id i82975x_pci_tbl[] __devinitdata = {
26106 +static const struct pci_device_id i82975x_pci_tbl[] __devinitconst = {
26107         {
26108                 PCI_VEND_DEV(INTEL, 82975_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26109                 I82975X
26110 diff -urNp linux-3.0.9/drivers/edac/mce_amd.h linux-3.0.9/drivers/edac/mce_amd.h
26111 --- linux-3.0.9/drivers/edac/mce_amd.h  2011-11-11 13:12:24.000000000 -0500
26112 +++ linux-3.0.9/drivers/edac/mce_amd.h  2011-11-15 20:02:59.000000000 -0500
26113 @@ -83,7 +83,7 @@ struct amd_decoder_ops {
26114         bool (*dc_mce)(u16, u8);
26115         bool (*ic_mce)(u16, u8);
26116         bool (*nb_mce)(u16, u8);
26117 -};
26118 +} __no_const;
26119  
26120  void amd_report_gart_errors(bool);
26121  void amd_register_ecc_decoder(void (*f)(int, struct mce *, u32));
26122 diff -urNp linux-3.0.9/drivers/edac/r82600_edac.c linux-3.0.9/drivers/edac/r82600_edac.c
26123 --- linux-3.0.9/drivers/edac/r82600_edac.c      2011-11-11 13:12:24.000000000 -0500
26124 +++ linux-3.0.9/drivers/edac/r82600_edac.c      2011-11-15 20:02:59.000000000 -0500
26125 @@ -373,7 +373,7 @@ static void __devexit r82600_remove_one(
26126         edac_mc_free(mci);
26127  }
26128  
26129 -static const struct pci_device_id r82600_pci_tbl[] __devinitdata = {
26130 +static const struct pci_device_id r82600_pci_tbl[] __devinitconst = {
26131         {
26132          PCI_DEVICE(PCI_VENDOR_ID_RADISYS, R82600_BRIDGE_ID)
26133          },
26134 diff -urNp linux-3.0.9/drivers/edac/x38_edac.c linux-3.0.9/drivers/edac/x38_edac.c
26135 --- linux-3.0.9/drivers/edac/x38_edac.c 2011-11-11 13:12:24.000000000 -0500
26136 +++ linux-3.0.9/drivers/edac/x38_edac.c 2011-11-15 20:02:59.000000000 -0500
26137 @@ -440,7 +440,7 @@ static void __devexit x38_remove_one(str
26138         edac_mc_free(mci);
26139  }
26140  
26141 -static const struct pci_device_id x38_pci_tbl[] __devinitdata = {
26142 +static const struct pci_device_id x38_pci_tbl[] __devinitconst = {
26143         {
26144          PCI_VEND_DEV(INTEL, X38_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26145          X38},
26146 diff -urNp linux-3.0.9/drivers/firewire/core-card.c linux-3.0.9/drivers/firewire/core-card.c
26147 --- linux-3.0.9/drivers/firewire/core-card.c    2011-11-11 13:12:24.000000000 -0500
26148 +++ linux-3.0.9/drivers/firewire/core-card.c    2011-11-15 20:02:59.000000000 -0500
26149 @@ -657,7 +657,7 @@ void fw_card_release(struct kref *kref)
26150  
26151  void fw_core_remove_card(struct fw_card *card)
26152  {
26153 -       struct fw_card_driver dummy_driver = dummy_driver_template;
26154 +       fw_card_driver_no_const dummy_driver = dummy_driver_template;
26155  
26156         card->driver->update_phy_reg(card, 4,
26157                                      PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
26158 diff -urNp linux-3.0.9/drivers/firewire/core-cdev.c linux-3.0.9/drivers/firewire/core-cdev.c
26159 --- linux-3.0.9/drivers/firewire/core-cdev.c    2011-11-11 13:12:24.000000000 -0500
26160 +++ linux-3.0.9/drivers/firewire/core-cdev.c    2011-11-15 20:02:59.000000000 -0500
26161 @@ -1313,8 +1313,7 @@ static int init_iso_resource(struct clie
26162         int ret;
26163  
26164         if ((request->channels == 0 && request->bandwidth == 0) ||
26165 -           request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
26166 -           request->bandwidth < 0)
26167 +           request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
26168                 return -EINVAL;
26169  
26170         r  = kmalloc(sizeof(*r), GFP_KERNEL);
26171 diff -urNp linux-3.0.9/drivers/firewire/core.h linux-3.0.9/drivers/firewire/core.h
26172 --- linux-3.0.9/drivers/firewire/core.h 2011-11-11 13:12:24.000000000 -0500
26173 +++ linux-3.0.9/drivers/firewire/core.h 2011-11-15 20:02:59.000000000 -0500
26174 @@ -101,6 +101,7 @@ struct fw_card_driver {
26175  
26176         int (*stop_iso)(struct fw_iso_context *ctx);
26177  };
26178 +typedef struct fw_card_driver __no_const fw_card_driver_no_const;
26179  
26180  void fw_card_initialize(struct fw_card *card,
26181                 const struct fw_card_driver *driver, struct device *device);
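Review bot: The new `fw_card_driver_no_const` typedef is uncommented, and its only visible user is the `dummy_driver` local in the core-card.c hunk above; presumably the constification of function-pointer structs makes `struct fw_card_driver` read-only and that local needs to be written after initialization, but nothing on the page says so. A one-line comment at the typedef would save the next reader the search: `/* writable alias for fw_core_remove_card()'s local copy of the ops, which is patched after init */`.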
26182 diff -urNp linux-3.0.9/drivers/firewire/core-transaction.c linux-3.0.9/drivers/firewire/core-transaction.c
26183 --- linux-3.0.9/drivers/firewire/core-transaction.c     2011-11-11 13:12:24.000000000 -0500
26184 +++ linux-3.0.9/drivers/firewire/core-transaction.c     2011-11-15 20:02:59.000000000 -0500
26185 @@ -37,6 +37,7 @@
26186  #include <linux/timer.h>
26187  #include <linux/types.h>
26188  #include <linux/workqueue.h>
26189 +#include <linux/sched.h>
26190  
26191  #include <asm/byteorder.h>
26192  
26193 @@ -422,6 +423,8 @@ int fw_run_transaction(struct fw_card *c
26194         struct transaction_callback_data d;
26195         struct fw_transaction t;
26196  
26197 +       pax_track_stack();
26198 +
26199         init_timer_on_stack(&t.split_timeout_timer);
26200         init_completion(&d.done);
26201         d.payload = payload;
26202 diff -urNp linux-3.0.9/drivers/firmware/dmi_scan.c linux-3.0.9/drivers/firmware/dmi_scan.c
26203 --- linux-3.0.9/drivers/firmware/dmi_scan.c     2011-11-11 13:12:24.000000000 -0500
26204 +++ linux-3.0.9/drivers/firmware/dmi_scan.c     2011-11-15 20:02:59.000000000 -0500
26205 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
26206                 }
26207         }
26208         else {
26209 -               /*
26210 -                * no iounmap() for that ioremap(); it would be a no-op, but
26211 -                * it's so early in setup that sucker gets confused into doing
26212 -                * what it shouldn't if we actually call it.
26213 -                */
26214                 p = dmi_ioremap(0xF0000, 0x10000);
26215                 if (p == NULL)
26216                         goto error;
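Review bot: The deleted comment was the only explanation of why the `dmi_ioremap(0xF0000, 0x10000)` result is never iounmap()ed, and the call itself is unchanged, so unless a hunk outside this view adds the matching unmap the rationale is now lost. Keep at least a condensed version above the call: `/* never iounmap()ed on purpose: too early in setup for iounmap() to be safe */`. dmi_scan_machine continues outside the hunk.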
26217 @@ -725,7 +720,7 @@ int dmi_walk(void (*decode)(const struct
26218         if (buf == NULL)
26219                 return -1;
26220  
26221 -       dmi_table(buf, dmi_len, dmi_num, decode, private_data);
26222 +       dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
26223  
26224         iounmap(buf);
26225         return 0;
26226 diff -urNp linux-3.0.9/drivers/gpio/vr41xx_giu.c linux-3.0.9/drivers/gpio/vr41xx_giu.c
26227 --- linux-3.0.9/drivers/gpio/vr41xx_giu.c       2011-11-11 13:12:24.000000000 -0500
26228 +++ linux-3.0.9/drivers/gpio/vr41xx_giu.c       2011-11-15 20:02:59.000000000 -0500
26229 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
26230         printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
26231                maskl, pendl, maskh, pendh);
26232  
26233 -       atomic_inc(&irq_err_count);
26234 +       atomic_inc_unchecked(&irq_err_count);
26235  
26236         return -EINVAL;
26237  }
26238 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_crtc.c linux-3.0.9/drivers/gpu/drm/drm_crtc.c
26239 --- linux-3.0.9/drivers/gpu/drm/drm_crtc.c      2011-11-11 13:12:24.000000000 -0500
26240 +++ linux-3.0.9/drivers/gpu/drm/drm_crtc.c      2011-11-15 20:02:59.000000000 -0500
26241 @@ -1372,7 +1372,7 @@ int drm_mode_getconnector(struct drm_dev
26242          */
26243         if ((out_resp->count_modes >= mode_count) && mode_count) {
26244                 copied = 0;
26245 -               mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
26246 +               mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
26247                 list_for_each_entry(mode, &connector->modes, head) {
26248                         drm_crtc_convert_to_umode(&u_mode, mode);
26249                         if (copy_to_user(mode_ptr + copied,
26250 @@ -1387,8 +1387,8 @@ int drm_mode_getconnector(struct drm_dev
26251  
26252         if ((out_resp->count_props >= props_count) && props_count) {
26253                 copied = 0;
26254 -               prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
26255 -               prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
26256 +               prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
26257 +               prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
26258                 for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
26259                         if (connector->property_ids[i] != 0) {
26260                                 if (put_user(connector->property_ids[i],
26261 @@ -1410,7 +1410,7 @@ int drm_mode_getconnector(struct drm_dev
26262  
26263         if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
26264                 copied = 0;
26265 -               encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
26266 +               encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
26267                 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
26268                         if (connector->encoder_ids[i] != 0) {
26269                                 if (put_user(connector->encoder_ids[i],
26270 @@ -1569,7 +1569,7 @@ int drm_mode_setcrtc(struct drm_device *
26271                 }
26272  
26273                 for (i = 0; i < crtc_req->count_connectors; i++) {
26274 -                       set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
26275 +                       set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
26276                         if (get_user(out_id, &set_connectors_ptr[i])) {
26277                                 ret = -EFAULT;
26278                                 goto out;
26279 @@ -1850,7 +1850,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_de
26280         fb = obj_to_fb(obj);
26281  
26282         num_clips = r->num_clips;
26283 -       clips_ptr = (struct drm_clip_rect *)(unsigned long)r->clips_ptr;
26284 +       clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
26285  
26286         if (!num_clips != !clips_ptr) {
26287                 ret = -EINVAL;
26288 @@ -2270,7 +2270,7 @@ int drm_mode_getproperty_ioctl(struct dr
26289         out_resp->flags = property->flags;
26290  
26291         if ((out_resp->count_values >= value_count) && value_count) {
26292 -               values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
26293 +               values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
26294                 for (i = 0; i < value_count; i++) {
26295                         if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
26296                                 ret = -EFAULT;
26297 @@ -2283,7 +2283,7 @@ int drm_mode_getproperty_ioctl(struct dr
26298         if (property->flags & DRM_MODE_PROP_ENUM) {
26299                 if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
26300                         copied = 0;
26301 -                       enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
26302 +                       enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
26303                         list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
26304  
26305                                 if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
26306 @@ -2306,7 +2306,7 @@ int drm_mode_getproperty_ioctl(struct dr
26307                 if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
26308                         copied = 0;
26309                         blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
26310 -                       blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
26311 +                       blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
26312  
26313                         list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
26314                                 if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
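Review bot: `blob_id_ptr` on the context line just above is still cast to a plain `uint32_t *` while `blob_length_ptr` gains `__user`; both are dereferenced through put_user() in the loop below, so sparse will keep flagging the first one and the annotation is incomplete. Change it to `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;` to match the rest of this file's hunks. The enclosing drm_mode_getproperty_ioctl continues outside the hunk.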
26315 @@ -2367,7 +2367,7 @@ int drm_mode_getblob_ioctl(struct drm_de
26316         struct drm_mode_get_blob *out_resp = data;
26317         struct drm_property_blob *blob;
26318         int ret = 0;
26319 -       void *blob_ptr;
26320 +       void __user *blob_ptr;
26321  
26322         if (!drm_core_check_feature(dev, DRIVER_MODESET))
26323                 return -EINVAL;
26324 @@ -2381,7 +2381,7 @@ int drm_mode_getblob_ioctl(struct drm_de
26325         blob = obj_to_blob(obj);
26326  
26327         if (out_resp->length == blob->length) {
26328 -               blob_ptr = (void *)(unsigned long)out_resp->data;
26329 +               blob_ptr = (void __user *)(unsigned long)out_resp->data;
26330                 if (copy_to_user(blob_ptr, blob->data, blob->length)){
26331                         ret = -EFAULT;
26332                         goto done;
26333 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_crtc_helper.c linux-3.0.9/drivers/gpu/drm/drm_crtc_helper.c
26334 --- linux-3.0.9/drivers/gpu/drm/drm_crtc_helper.c       2011-11-11 13:12:24.000000000 -0500
26335 +++ linux-3.0.9/drivers/gpu/drm/drm_crtc_helper.c       2011-11-15 20:02:59.000000000 -0500
26336 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
26337         struct drm_crtc *tmp;
26338         int crtc_mask = 1;
26339  
26340 -       WARN(!crtc, "checking null crtc?\n");
26341 +       BUG_ON(!crtc);
26342  
26343         dev = crtc->dev;
26344  
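Review bot: `BUG_ON(!crtc)` turns what was a warning followed by an unavoidable NULL dereference on `crtc->dev` into a deliberate halt; if the aim is just to stop the dereference, `if (WARN_ON(!crtc)) return false;` keeps the machine running and still reports the driver bug, while if the aim is fail-closed the stricter choice deserves a comment saying so. drm_encoder_crtc_ok's body continues past the hunk.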
26345 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
26346         struct drm_encoder *encoder;
26347         bool ret = true;
26348  
26349 +       pax_track_stack();
26350 +
26351         crtc->enabled = drm_helper_crtc_in_use(crtc);
26352         if (!crtc->enabled)
26353                 return true;
26354 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_drv.c linux-3.0.9/drivers/gpu/drm/drm_drv.c
26355 --- linux-3.0.9/drivers/gpu/drm/drm_drv.c       2011-11-11 13:12:24.000000000 -0500
26356 +++ linux-3.0.9/drivers/gpu/drm/drm_drv.c       2011-11-15 20:02:59.000000000 -0500
26357 @@ -307,7 +307,7 @@ module_exit(drm_core_exit);
26358  /**
26359   * Copy and IOCTL return string to user space
26360   */
26361 -static int drm_copy_field(char *buf, size_t *buf_len, const char *value)
26362 +static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
26363  {
26364         int len;
26365  
26366 @@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
26367  
26368         dev = file_priv->minor->dev;
26369         atomic_inc(&dev->ioctl_count);
26370 -       atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
26371 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
26372         ++file_priv->ioctl_count;
26373  
26374         DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
26375 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_fops.c linux-3.0.9/drivers/gpu/drm/drm_fops.c
26376 --- linux-3.0.9/drivers/gpu/drm/drm_fops.c      2011-11-11 13:12:24.000000000 -0500
26377 +++ linux-3.0.9/drivers/gpu/drm/drm_fops.c      2011-11-15 20:02:59.000000000 -0500
26378 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
26379         }
26380  
26381         for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
26382 -               atomic_set(&dev->counts[i], 0);
26383 +               atomic_set_unchecked(&dev->counts[i], 0);
26384  
26385         dev->sigdata.lock = NULL;
26386  
26387 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
26388  
26389         retcode = drm_open_helper(inode, filp, dev);
26390         if (!retcode) {
26391 -               atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
26392 -               if (!dev->open_count++)
26393 +               atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
26394 +               if (local_inc_return(&dev->open_count) == 1)
26395                         retcode = drm_setup(dev);
26396         }
26397         if (!retcode) {
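Review bot: `local_inc_return()` and, in the @@ -565 hunk below, `local_dec_and_test()` treat `dev->open_count` as a `local_t`, which the kernel documents as safe only for a counter owned by a single CPU; `open_count` is a per-device counter touched from drm_open, drm_release and, in the i915_dma.c hunk further down, read under `dev->count_lock` from whichever CPU asks. The declaration change is outside this view, so I assume the field became `local_t`, and correctness then rests on `drm_global_mutex` (held in drm_release, presumably also around drm_open) rather than on the operations themselves. If the intent is only to keep this counter out of the refcount overflow instrumentation, `atomic_unchecked_t` with its matching `_unchecked` increment/decrement helpers — the type this same hunk already uses for `dev->counts` — would express that without borrowing per-CPU semantics. The same applies to the @@ -472 and @@ -484 hunks that print the counter.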
26398 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
26399  
26400         mutex_lock(&drm_global_mutex);
26401  
26402 -       DRM_DEBUG("open_count = %d\n", dev->open_count);
26403 +       DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
26404  
26405         if (dev->driver->preclose)
26406                 dev->driver->preclose(dev, file_priv);
26407 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
26408         DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
26409                   task_pid_nr(current),
26410                   (long)old_encode_dev(file_priv->minor->device),
26411 -                 dev->open_count);
26412 +                 local_read(&dev->open_count));
26413  
26414         /* if the master has gone away we can't do anything with the lock */
26415         if (file_priv->minor->master)
26416 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
26417          * End inline drm_release
26418          */
26419  
26420 -       atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
26421 -       if (!--dev->open_count) {
26422 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
26423 +       if (local_dec_and_test(&dev->open_count)) {
26424                 if (atomic_read(&dev->ioctl_count)) {
26425                         DRM_ERROR("Device busy: %d\n",
26426                                   atomic_read(&dev->ioctl_count));
26427 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_global.c linux-3.0.9/drivers/gpu/drm/drm_global.c
26428 --- linux-3.0.9/drivers/gpu/drm/drm_global.c    2011-11-11 13:12:24.000000000 -0500
26429 +++ linux-3.0.9/drivers/gpu/drm/drm_global.c    2011-11-15 20:02:59.000000000 -0500
26430 @@ -36,7 +36,7 @@
26431  struct drm_global_item {
26432         struct mutex mutex;
26433         void *object;
26434 -       int refcount;
26435 +       atomic_t refcount;
26436  };
26437  
26438  static struct drm_global_item glob[DRM_GLOBAL_NUM];
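Review bot: Every access to `refcount` visible in this file's later hunks (@@ -70 and @@ -100) happens with `item->mutex` held, so converting the field to `atomic_t` adds no synchronization; if the motivation is to put the counter under the refcount overflow instrumentation, the struct should say so, otherwise the next reader may assume the mutex can be dropped. Suggested field comment: `atomic_t refcount; /* protected by mutex; atomic_t only for overflow detection */`.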
26439 @@ -49,7 +49,7 @@ void drm_global_init(void)
26440                 struct drm_global_item *item = &glob[i];
26441                 mutex_init(&item->mutex);
26442                 item->object = NULL;
26443 -               item->refcount = 0;
26444 +               atomic_set(&item->refcount, 0);
26445         }
26446  }
26447  
26448 @@ -59,7 +59,7 @@ void drm_global_release(void)
26449         for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
26450                 struct drm_global_item *item = &glob[i];
26451                 BUG_ON(item->object != NULL);
26452 -               BUG_ON(item->refcount != 0);
26453 +               BUG_ON(atomic_read(&item->refcount) != 0);
26454         }
26455  }
26456  
26457 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
26458         void *object;
26459  
26460         mutex_lock(&item->mutex);
26461 -       if (item->refcount == 0) {
26462 +       if (atomic_read(&item->refcount) == 0) {
26463                 item->object = kzalloc(ref->size, GFP_KERNEL);
26464                 if (unlikely(item->object == NULL)) {
26465                         ret = -ENOMEM;
26466 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
26467                         goto out_err;
26468  
26469         }
26470 -       ++item->refcount;
26471 +       atomic_inc(&item->refcount);
26472         ref->object = item->object;
26473         object = item->object;
26474         mutex_unlock(&item->mutex);
26475 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
26476         struct drm_global_item *item = &glob[ref->global_type];
26477  
26478         mutex_lock(&item->mutex);
26479 -       BUG_ON(item->refcount == 0);
26480 +       BUG_ON(atomic_read(&item->refcount) == 0);
26481         BUG_ON(ref->object != item->object);
26482 -       if (--item->refcount == 0) {
26483 +       if (atomic_dec_and_test(&item->refcount)) {
26484                 ref->release(ref);
26485                 item->object = NULL;
26486         }
26487 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_info.c linux-3.0.9/drivers/gpu/drm/drm_info.c
26488 --- linux-3.0.9/drivers/gpu/drm/drm_info.c      2011-11-11 13:12:24.000000000 -0500
26489 +++ linux-3.0.9/drivers/gpu/drm/drm_info.c      2011-11-15 20:02:59.000000000 -0500
26490 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
26491         struct drm_local_map *map;
26492         struct drm_map_list *r_list;
26493  
26494 -       /* Hardcoded from _DRM_FRAME_BUFFER,
26495 -          _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
26496 -          _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
26497 -       const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
26498 +       static const char * const types[] = {
26499 +               [_DRM_FRAME_BUFFER] = "FB",
26500 +               [_DRM_REGISTERS] = "REG",
26501 +               [_DRM_SHM] = "SHM",
26502 +               [_DRM_AGP] = "AGP",
26503 +               [_DRM_SCATTER_GATHER] = "SG",
26504 +               [_DRM_CONSISTENT] = "PCI",
26505 +               [_DRM_GEM] = "GEM" };
26506         const char *type;
26507         int i;
26508  
26509 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
26510                 map = r_list->map;
26511                 if (!map)
26512                         continue;
26513 -               if (map->type < 0 || map->type > 5)
26514 +               if (map->type >= ARRAY_SIZE(types))
26515                         type = "??";
26516                 else
26517                         type = types[map->type];
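Review bot: The new bounds test `map->type >= ARRAY_SIZE(types)` assumes every index below the array size is populated, but the designated-initializer table in the preceding hunk leaves any unnamed `enum drm_map_type` value as a NULL entry, which would then be used as the printed type name. In 3.0 the enum values appear contiguous (0..6), so this is latent rather than current; guarding it costs one clause: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. The comparison also handles a negative `type` only because the enum is converted to `size_t`, which is worth a one-line comment since it replaces the explicit `< 0` check.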
26518 @@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
26519                            vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
26520                            vma->vm_flags & VM_LOCKED ? 'l' : '-',
26521                            vma->vm_flags & VM_IO ? 'i' : '-',
26522 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26523 +                          0);
26524 +#else
26525                            vma->vm_pgoff);
26526 +#endif
26527  
26528  #if defined(__i386__)
26529                 pgprot = pgprot_val(vma->vm_page_prot);
26530 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_ioc32.c linux-3.0.9/drivers/gpu/drm/drm_ioc32.c
26531 --- linux-3.0.9/drivers/gpu/drm/drm_ioc32.c     2011-11-11 13:12:24.000000000 -0500
26532 +++ linux-3.0.9/drivers/gpu/drm/drm_ioc32.c     2011-11-15 20:02:59.000000000 -0500
26533 @@ -455,7 +455,7 @@ static int compat_drm_infobufs(struct fi
26534         request = compat_alloc_user_space(nbytes);
26535         if (!access_ok(VERIFY_WRITE, request, nbytes))
26536                 return -EFAULT;
26537 -       list = (struct drm_buf_desc *) (request + 1);
26538 +       list = (struct drm_buf_desc __user *) (request + 1);
26539  
26540         if (__put_user(count, &request->count)
26541             || __put_user(list, &request->list))
26542 @@ -516,7 +516,7 @@ static int compat_drm_mapbufs(struct fil
26543         request = compat_alloc_user_space(nbytes);
26544         if (!access_ok(VERIFY_WRITE, request, nbytes))
26545                 return -EFAULT;
26546 -       list = (struct drm_buf_pub *) (request + 1);
26547 +       list = (struct drm_buf_pub __user *) (request + 1);
26548  
26549         if (__put_user(count, &request->count)
26550             || __put_user(list, &request->list))
26551 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_ioctl.c linux-3.0.9/drivers/gpu/drm/drm_ioctl.c
26552 --- linux-3.0.9/drivers/gpu/drm/drm_ioctl.c     2011-11-11 13:12:24.000000000 -0500
26553 +++ linux-3.0.9/drivers/gpu/drm/drm_ioctl.c     2011-11-15 20:02:59.000000000 -0500
26554 @@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
26555                         stats->data[i].value =
26556                             (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
26557                 else
26558 -                       stats->data[i].value = atomic_read(&dev->counts[i]);
26559 +                       stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
26560                 stats->data[i].type = dev->types[i];
26561         }
26562  
26563 diff -urNp linux-3.0.9/drivers/gpu/drm/drm_lock.c linux-3.0.9/drivers/gpu/drm/drm_lock.c
26564 --- linux-3.0.9/drivers/gpu/drm/drm_lock.c      2011-11-11 13:12:24.000000000 -0500
26565 +++ linux-3.0.9/drivers/gpu/drm/drm_lock.c      2011-11-15 20:02:59.000000000 -0500
26566 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
26567                 if (drm_lock_take(&master->lock, lock->context)) {
26568                         master->lock.file_priv = file_priv;
26569                         master->lock.lock_time = jiffies;
26570 -                       atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
26571 +                       atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
26572                         break;  /* Got lock */
26573                 }
26574  
26575 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
26576                 return -EINVAL;
26577         }
26578  
26579 -       atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
26580 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
26581  
26582         if (drm_lock_free(&master->lock, lock->context)) {
26583                 /* FIXME: Should really bail out here. */
26584 diff -urNp linux-3.0.9/drivers/gpu/drm/i810/i810_dma.c linux-3.0.9/drivers/gpu/drm/i810/i810_dma.c
26585 --- linux-3.0.9/drivers/gpu/drm/i810/i810_dma.c 2011-11-11 13:12:24.000000000 -0500
26586 +++ linux-3.0.9/drivers/gpu/drm/i810/i810_dma.c 2011-11-15 20:02:59.000000000 -0500
26587 @@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
26588                                  dma->buflist[vertex->idx],
26589                                  vertex->discard, vertex->used);
26590  
26591 -       atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26592 -       atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26593 +       atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26594 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26595         sarea_priv->last_enqueue = dev_priv->counter - 1;
26596         sarea_priv->last_dispatch = (int)hw_status[5];
26597  
26598 @@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
26599         i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
26600                              mc->last_render);
26601  
26602 -       atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26603 -       atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26604 +       atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26605 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26606         sarea_priv->last_enqueue = dev_priv->counter - 1;
26607         sarea_priv->last_dispatch = (int)hw_status[5];
26608  
26609 diff -urNp linux-3.0.9/drivers/gpu/drm/i810/i810_drv.h linux-3.0.9/drivers/gpu/drm/i810/i810_drv.h
26610 --- linux-3.0.9/drivers/gpu/drm/i810/i810_drv.h 2011-11-11 13:12:24.000000000 -0500
26611 +++ linux-3.0.9/drivers/gpu/drm/i810/i810_drv.h 2011-11-15 20:02:59.000000000 -0500
26612 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
26613         int page_flipping;
26614  
26615         wait_queue_head_t irq_queue;
26616 -       atomic_t irq_received;
26617 -       atomic_t irq_emitted;
26618 +       atomic_unchecked_t irq_received;
26619 +       atomic_unchecked_t irq_emitted;
26620  
26621         int front_offset;
26622  } drm_i810_private_t;
26623 diff -urNp linux-3.0.9/drivers/gpu/drm/i915/i915_debugfs.c linux-3.0.9/drivers/gpu/drm/i915/i915_debugfs.c
26624 --- linux-3.0.9/drivers/gpu/drm/i915/i915_debugfs.c     2011-11-11 13:12:24.000000000 -0500
26625 +++ linux-3.0.9/drivers/gpu/drm/i915/i915_debugfs.c     2011-11-15 20:02:59.000000000 -0500
26626 @@ -497,7 +497,7 @@ static int i915_interrupt_info(struct se
26627                            I915_READ(GTIMR));
26628         }
26629         seq_printf(m, "Interrupts received: %d\n",
26630 -                  atomic_read(&dev_priv->irq_received));
26631 +                  atomic_read_unchecked(&dev_priv->irq_received));
26632         for (i = 0; i < I915_NUM_RINGS; i++) {
26633                 if (IS_GEN6(dev)) {
26634                         seq_printf(m, "Graphics Interrupt mask (%s):    %08x\n",
26635 @@ -1147,7 +1147,7 @@ static int i915_opregion(struct seq_file
26636                 return ret;
26637  
26638         if (opregion->header)
26639 -               seq_write(m, opregion->header, OPREGION_SIZE);
26640 +               seq_write(m, (const void __force_kernel *)opregion->header, OPREGION_SIZE);
26641  
26642         mutex_unlock(&dev->struct_mutex);
26643  
26644 diff -urNp linux-3.0.9/drivers/gpu/drm/i915/i915_dma.c linux-3.0.9/drivers/gpu/drm/i915/i915_dma.c
26645 --- linux-3.0.9/drivers/gpu/drm/i915/i915_dma.c 2011-11-11 13:12:24.000000000 -0500
26646 +++ linux-3.0.9/drivers/gpu/drm/i915/i915_dma.c 2011-11-15 20:02:59.000000000 -0500
26647 @@ -1169,7 +1169,7 @@ static bool i915_switcheroo_can_switch(s
26648         bool can_switch;
26649  
26650         spin_lock(&dev->count_lock);
26651 -       can_switch = (dev->open_count == 0);
26652 +       can_switch = (local_read(&dev->open_count) == 0);
26653         spin_unlock(&dev->count_lock);
26654         return can_switch;
26655  }
26656 diff -urNp linux-3.0.9/drivers/gpu/drm/i915/i915_drv.h linux-3.0.9/drivers/gpu/drm/i915/i915_drv.h
26657 --- linux-3.0.9/drivers/gpu/drm/i915/i915_drv.h 2011-11-11 13:12:24.000000000 -0500
26658 +++ linux-3.0.9/drivers/gpu/drm/i915/i915_drv.h 2011-11-15 20:02:59.000000000 -0500
26659 @@ -219,7 +219,7 @@ struct drm_i915_display_funcs {
26660         /* render clock increase/decrease */
26661         /* display clock increase/decrease */
26662         /* pll clock increase/decrease */
26663 -};
26664 +} __no_const;
26665  
26666  struct intel_device_info {
26667         u8 gen;
26668 @@ -300,7 +300,7 @@ typedef struct drm_i915_private {
26669         int current_page;
26670         int page_flipping;
26671  
26672 -       atomic_t irq_received;
26673 +       atomic_unchecked_t irq_received;
26674  
26675         /* protects the irq masks */
26676         spinlock_t irq_lock;
26677 @@ -874,7 +874,7 @@ struct drm_i915_gem_object {
26678          * will be page flipped away on the next vblank.  When it
26679          * reaches 0, dev_priv->pending_flip_queue will be woken up.
26680          */
26681 -       atomic_t pending_flip;
26682 +       atomic_unchecked_t pending_flip;
26683  };
26684  
26685  #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
26686 @@ -1247,7 +1247,7 @@ extern int intel_setup_gmbus(struct drm_
26687  extern void intel_teardown_gmbus(struct drm_device *dev);
26688  extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
26689  extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
26690 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26691 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26692  {
26693         return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
26694  }
26695 diff -urNp linux-3.0.9/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-3.0.9/drivers/gpu/drm/i915/i915_gem_execbuffer.c
26696 --- linux-3.0.9/drivers/gpu/drm/i915/i915_gem_execbuffer.c      2011-11-11 13:12:24.000000000 -0500
26697 +++ linux-3.0.9/drivers/gpu/drm/i915/i915_gem_execbuffer.c      2011-11-15 20:02:59.000000000 -0500
26698 @@ -188,7 +188,7 @@ i915_gem_object_set_to_gpu_domain(struct
26699                 i915_gem_clflush_object(obj);
26700  
26701         if (obj->base.pending_write_domain)
26702 -               cd->flips |= atomic_read(&obj->pending_flip);
26703 +               cd->flips |= atomic_read_unchecked(&obj->pending_flip);
26704  
26705         /* The actual obj->write_domain will be updated with
26706          * pending_write_domain after we emit the accumulated flush for all
26707 diff -urNp linux-3.0.9/drivers/gpu/drm/i915/i915_irq.c linux-3.0.9/drivers/gpu/drm/i915/i915_irq.c
26708 --- linux-3.0.9/drivers/gpu/drm/i915/i915_irq.c 2011-11-11 13:12:24.000000000 -0500
26709 +++ linux-3.0.9/drivers/gpu/drm/i915/i915_irq.c 2011-11-15 20:02:59.000000000 -0500
26710 @@ -473,7 +473,7 @@ static irqreturn_t ivybridge_irq_handler
26711         u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
26712         struct drm_i915_master_private *master_priv;
26713  
26714 -       atomic_inc(&dev_priv->irq_received);
26715 +       atomic_inc_unchecked(&dev_priv->irq_received);
26716  
26717         /* disable master interrupt before clearing iir  */
26718         de_ier = I915_READ(DEIER);
26719 @@ -563,7 +563,7 @@ static irqreturn_t ironlake_irq_handler(
26720         struct drm_i915_master_private *master_priv;
26721         u32 bsd_usr_interrupt = GT_BSD_USER_INTERRUPT;
26722  
26723 -       atomic_inc(&dev_priv->irq_received);
26724 +       atomic_inc_unchecked(&dev_priv->irq_received);
26725  
26726         if (IS_GEN6(dev))
26727                 bsd_usr_interrupt = GT_GEN6_BSD_USER_INTERRUPT;
26728 @@ -1226,7 +1226,7 @@ static irqreturn_t i915_driver_irq_handl
26729         int ret = IRQ_NONE, pipe;
26730         bool blc_event = false;
26731  
26732 -       atomic_inc(&dev_priv->irq_received);
26733 +       atomic_inc_unchecked(&dev_priv->irq_received);
26734  
26735         iir = I915_READ(IIR);
26736  
26737 @@ -1735,7 +1735,7 @@ static void ironlake_irq_preinstall(stru
26738  {
26739         drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26740  
26741 -       atomic_set(&dev_priv->irq_received, 0);
26742 +       atomic_set_unchecked(&dev_priv->irq_received, 0);
26743  
26744         INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26745         INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26746 @@ -1899,7 +1899,7 @@ static void i915_driver_irq_preinstall(s
26747         drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26748         int pipe;
26749  
26750 -       atomic_set(&dev_priv->irq_received, 0);
26751 +       atomic_set_unchecked(&dev_priv->irq_received, 0);
26752  
26753         INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26754         INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26755 diff -urNp linux-3.0.9/drivers/gpu/drm/i915/intel_display.c linux-3.0.9/drivers/gpu/drm/i915/intel_display.c
26756 --- linux-3.0.9/drivers/gpu/drm/i915/intel_display.c    2011-11-11 13:12:24.000000000 -0500
26757 +++ linux-3.0.9/drivers/gpu/drm/i915/intel_display.c    2011-11-15 20:02:59.000000000 -0500
26758 @@ -1961,7 +1961,7 @@ intel_pipe_set_base(struct drm_crtc *crt
26759  
26760                 wait_event(dev_priv->pending_flip_queue,
26761                            atomic_read(&dev_priv->mm.wedged) ||
26762 -                          atomic_read(&obj->pending_flip) == 0);
26763 +                          atomic_read_unchecked(&obj->pending_flip) == 0);
26764  
26765                 /* Big Hammer, we also need to ensure that any pending
26766                  * MI_WAIT_FOR_EVENT inside a user batch buffer on the
26767 @@ -2548,7 +2548,7 @@ static void intel_crtc_wait_for_pending_
26768         obj = to_intel_framebuffer(crtc->fb)->obj;
26769         dev_priv = crtc->dev->dev_private;
26770         wait_event(dev_priv->pending_flip_queue,
26771 -                  atomic_read(&obj->pending_flip) == 0);
26772 +                  atomic_read_unchecked(&obj->pending_flip) == 0);
26773  }
26774  
26775  static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
26776 @@ -6225,7 +6225,7 @@ static void do_intel_finish_page_flip(st
26777  
26778         atomic_clear_mask(1 << intel_crtc->plane,
26779                           &obj->pending_flip.counter);
26780 -       if (atomic_read(&obj->pending_flip) == 0)
26781 +       if (atomic_read_unchecked(&obj->pending_flip) == 0)
26782                 wake_up(&dev_priv->pending_flip_queue);
26783  
26784         schedule_work(&work->work);
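Review bot: `atomic_clear_mask(1 << intel_crtc->plane, &obj->pending_flip.counter)` on the context line above reaches into the representation of `pending_flip`, which the i915_drv.h hunk turns into `atomic_unchecked_t`; this stays correct only as long as that type keeps a `counter` member laid out like `atomic_t`'s, which is not visible here. A short comment would mark the coupling: `/* pending_flip is atomic_unchecked_t; clear_mask works on its .counter directly */`. do_intel_finish_page_flip starts outside the hunk.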
26785 @@ -6514,7 +6514,7 @@ static int intel_crtc_page_flip(struct d
26786         /* Block clients from rendering to the new back buffer until
26787          * the flip occurs and the object is no longer visible.
26788          */
26789 -       atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26790 +       atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26791  
26792         ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
26793         if (ret)
26794 @@ -6527,7 +6527,7 @@ static int intel_crtc_page_flip(struct d
26795         return 0;
26796  
26797  cleanup_pending:
26798 -       atomic_sub(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26799 +       atomic_sub_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26800  cleanup_objs:
26801         drm_gem_object_unreference(&work->old_fb_obj->base);
26802         drm_gem_object_unreference(&obj->base);
26803 diff -urNp linux-3.0.9/drivers/gpu/drm/mga/mga_drv.h linux-3.0.9/drivers/gpu/drm/mga/mga_drv.h
26804 --- linux-3.0.9/drivers/gpu/drm/mga/mga_drv.h   2011-11-11 13:12:24.000000000 -0500
26805 +++ linux-3.0.9/drivers/gpu/drm/mga/mga_drv.h   2011-11-15 20:02:59.000000000 -0500
26806 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
26807         u32 clear_cmd;
26808         u32 maccess;
26809  
26810 -       atomic_t vbl_received;          /**< Number of vblanks received. */
26811 +       atomic_unchecked_t vbl_received;          /**< Number of vblanks received. */
26812         wait_queue_head_t fence_queue;
26813 -       atomic_t last_fence_retired;
26814 +       atomic_unchecked_t last_fence_retired;
26815         u32 next_fence_to_post;
26816  
26817         unsigned int fb_cpp;
26818 diff -urNp linux-3.0.9/drivers/gpu/drm/mga/mga_irq.c linux-3.0.9/drivers/gpu/drm/mga/mga_irq.c
26819 --- linux-3.0.9/drivers/gpu/drm/mga/mga_irq.c   2011-11-11 13:12:24.000000000 -0500
26820 +++ linux-3.0.9/drivers/gpu/drm/mga/mga_irq.c   2011-11-15 20:02:59.000000000 -0500
26821 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
26822         if (crtc != 0)
26823                 return 0;
26824  
26825 -       return atomic_read(&dev_priv->vbl_received);
26826 +       return atomic_read_unchecked(&dev_priv->vbl_received);
26827  }
26828  
26829  
26830 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26831         /* VBLANK interrupt */
26832         if (status & MGA_VLINEPEN) {
26833                 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
26834 -               atomic_inc(&dev_priv->vbl_received);
26835 +               atomic_inc_unchecked(&dev_priv->vbl_received);
26836                 drm_handle_vblank(dev, 0);
26837                 handled = 1;
26838         }
26839 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26840                 if ((prim_start & ~0x03) != (prim_end & ~0x03))
26841                         MGA_WRITE(MGA_PRIMEND, prim_end);
26842  
26843 -               atomic_inc(&dev_priv->last_fence_retired);
26844 +               atomic_inc_unchecked(&dev_priv->last_fence_retired);
26845                 DRM_WAKEUP(&dev_priv->fence_queue);
26846                 handled = 1;
26847         }
26848 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
26849          * using fences.
26850          */
26851         DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
26852 -                   (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
26853 +                   (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
26854                       - *sequence) <= (1 << 23)));
26855  
26856         *sequence = cur_fence;
26857 diff -urNp linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_bios.c linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_bios.c
26858 --- linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_bios.c  2011-11-11 13:12:24.000000000 -0500
26859 +++ linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_bios.c  2011-11-15 20:02:59.000000000 -0500
26860 @@ -200,7 +200,7 @@ struct methods {
26861         const char desc[8];
26862         void (*loadbios)(struct drm_device *, uint8_t *);
26863         const bool rw;
26864 -};
26865 +} __do_const;
26866  
26867  static struct methods shadow_methods[] = {
26868         { "PRAMIN", load_vbios_pramin, true },
26869 @@ -5488,7 +5488,7 @@ parse_bit_displayport_tbl_entry(struct d
26870  struct bit_table {
26871         const char id;
26872         int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
26873 -};
26874 +} __no_const;
26875  
26876  #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
26877  
26878 diff -urNp linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_drv.h linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_drv.h
26879 --- linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_drv.h   2011-11-11 13:12:24.000000000 -0500
26880 +++ linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_drv.h   2011-11-15 20:02:59.000000000 -0500
26881 @@ -227,7 +227,7 @@ struct nouveau_channel {
26882                 struct list_head pending;
26883                 uint32_t sequence;
26884                 uint32_t sequence_ack;
26885 -               atomic_t last_sequence_irq;
26886 +               atomic_unchecked_t last_sequence_irq;
26887         } fence;
26888  
26889         /* DMA push buffer */
26890 @@ -304,7 +304,7 @@ struct nouveau_exec_engine {
26891                            u32 handle, u16 class);
26892         void (*set_tile_region)(struct drm_device *dev, int i);
26893         void (*tlb_flush)(struct drm_device *, int engine);
26894 -};
26895 +} __no_const;
26896  
26897  struct nouveau_instmem_engine {
26898         void    *priv;
26899 @@ -325,13 +325,13 @@ struct nouveau_instmem_engine {
26900  struct nouveau_mc_engine {
26901         int  (*init)(struct drm_device *dev);
26902         void (*takedown)(struct drm_device *dev);
26903 -};
26904 +} __no_const;
26905  
26906  struct nouveau_timer_engine {
26907         int      (*init)(struct drm_device *dev);
26908         void     (*takedown)(struct drm_device *dev);
26909         uint64_t (*read)(struct drm_device *dev);
26910 -};
26911 +} __no_const;
26912  
26913  struct nouveau_fb_engine {
26914         int num_tiles;
26915 @@ -494,7 +494,7 @@ struct nouveau_vram_engine {
26916         void (*put)(struct drm_device *, struct nouveau_mem **);
26917  
26918         bool (*flags_valid)(struct drm_device *, u32 tile_flags);
26919 -};
26920 +} __no_const;
26921  
26922  struct nouveau_engine {
26923         struct nouveau_instmem_engine instmem;
26924 @@ -640,7 +640,7 @@ struct drm_nouveau_private {
26925                 struct drm_global_reference mem_global_ref;
26926                 struct ttm_bo_global_ref bo_global_ref;
26927                 struct ttm_bo_device bdev;
26928 -               atomic_t validate_sequence;
26929 +               atomic_unchecked_t validate_sequence;
26930         } ttm;
26931  
26932         struct {
26933 diff -urNp linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_fence.c linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_fence.c
26934 --- linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-11-11 13:12:24.000000000 -0500
26935 +++ linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-11-15 20:02:59.000000000 -0500
26936 @@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
26937                 if (USE_REFCNT(dev))
26938                         sequence = nvchan_rd32(chan, 0x48);
26939                 else
26940 -                       sequence = atomic_read(&chan->fence.last_sequence_irq);
26941 +                       sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
26942  
26943                 if (chan->fence.sequence_ack == sequence)
26944                         goto out;
26945 @@ -542,7 +542,7 @@ nouveau_fence_channel_init(struct nouvea
26946                         return ret;
26947         }
26948  
26949 -       atomic_set(&chan->fence.last_sequence_irq, 0);
26950 +       atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
26951         return 0;
26952  }
26953  
26954 diff -urNp linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_gem.c linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_gem.c
26955 --- linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_gem.c   2011-11-11 13:12:24.000000000 -0500
26956 +++ linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_gem.c   2011-11-15 20:02:59.000000000 -0500
26957 @@ -249,7 +249,7 @@ validate_init(struct nouveau_channel *ch
26958         int trycnt = 0;
26959         int ret, i;
26960  
26961 -       sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
26962 +       sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
26963  retry:
26964         if (++trycnt > 100000) {
26965                 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
26966 diff -urNp linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_state.c linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_state.c
26967 --- linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_state.c 2011-11-11 13:12:24.000000000 -0500
26968 +++ linux-3.0.9/drivers/gpu/drm/nouveau/nouveau_state.c 2011-11-15 20:02:59.000000000 -0500
26969 @@ -488,7 +488,7 @@ static bool nouveau_switcheroo_can_switc
26970         bool can_switch;
26971  
26972         spin_lock(&dev->count_lock);
26973 -       can_switch = (dev->open_count == 0);
26974 +       can_switch = (local_read(&dev->open_count) == 0);
26975         spin_unlock(&dev->count_lock);
26976         return can_switch;
26977  }
26978 diff -urNp linux-3.0.9/drivers/gpu/drm/nouveau/nv04_graph.c linux-3.0.9/drivers/gpu/drm/nouveau/nv04_graph.c
26979 --- linux-3.0.9/drivers/gpu/drm/nouveau/nv04_graph.c    2011-11-11 13:12:24.000000000 -0500
26980 +++ linux-3.0.9/drivers/gpu/drm/nouveau/nv04_graph.c    2011-11-15 20:02:59.000000000 -0500
26981 @@ -560,7 +560,7 @@ static int
26982  nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
26983                         u32 class, u32 mthd, u32 data)
26984  {
26985 -       atomic_set(&chan->fence.last_sequence_irq, data);
26986 +       atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
26987         return 0;
26988  }
26989  
26990 diff -urNp linux-3.0.9/drivers/gpu/drm/r128/r128_cce.c linux-3.0.9/drivers/gpu/drm/r128/r128_cce.c
26991 --- linux-3.0.9/drivers/gpu/drm/r128/r128_cce.c 2011-11-11 13:12:24.000000000 -0500
26992 +++ linux-3.0.9/drivers/gpu/drm/r128/r128_cce.c 2011-11-15 20:02:59.000000000 -0500
26993 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
26994  
26995         /* GH: Simple idle check.
26996          */
26997 -       atomic_set(&dev_priv->idle_count, 0);
26998 +       atomic_set_unchecked(&dev_priv->idle_count, 0);
26999  
27000         /* We don't support anything other than bus-mastering ring mode,
27001          * but the ring can be in either AGP or PCI space for the ring
27002 diff -urNp linux-3.0.9/drivers/gpu/drm/r128/r128_drv.h linux-3.0.9/drivers/gpu/drm/r128/r128_drv.h
27003 --- linux-3.0.9/drivers/gpu/drm/r128/r128_drv.h 2011-11-11 13:12:24.000000000 -0500
27004 +++ linux-3.0.9/drivers/gpu/drm/r128/r128_drv.h 2011-11-15 20:02:59.000000000 -0500
27005 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
27006         int is_pci;
27007         unsigned long cce_buffers_offset;
27008  
27009 -       atomic_t idle_count;
27010 +       atomic_unchecked_t idle_count;
27011  
27012         int page_flipping;
27013         int current_page;
27014         u32 crtc_offset;
27015         u32 crtc_offset_cntl;
27016  
27017 -       atomic_t vbl_received;
27018 +       atomic_unchecked_t vbl_received;
27019  
27020         u32 color_fmt;
27021         unsigned int front_offset;
27022 diff -urNp linux-3.0.9/drivers/gpu/drm/r128/r128_irq.c linux-3.0.9/drivers/gpu/drm/r128/r128_irq.c
27023 --- linux-3.0.9/drivers/gpu/drm/r128/r128_irq.c 2011-11-11 13:12:24.000000000 -0500
27024 +++ linux-3.0.9/drivers/gpu/drm/r128/r128_irq.c 2011-11-15 20:02:59.000000000 -0500
27025 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
27026         if (crtc != 0)
27027                 return 0;
27028  
27029 -       return atomic_read(&dev_priv->vbl_received);
27030 +       return atomic_read_unchecked(&dev_priv->vbl_received);
27031  }
27032  
27033  irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
27034 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
27035         /* VBLANK interrupt */
27036         if (status & R128_CRTC_VBLANK_INT) {
27037                 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
27038 -               atomic_inc(&dev_priv->vbl_received);
27039 +               atomic_inc_unchecked(&dev_priv->vbl_received);
27040                 drm_handle_vblank(dev, 0);
27041                 return IRQ_HANDLED;
27042         }
27043 diff -urNp linux-3.0.9/drivers/gpu/drm/r128/r128_state.c linux-3.0.9/drivers/gpu/drm/r128/r128_state.c
27044 --- linux-3.0.9/drivers/gpu/drm/r128/r128_state.c       2011-11-11 13:12:24.000000000 -0500
27045 +++ linux-3.0.9/drivers/gpu/drm/r128/r128_state.c       2011-11-15 20:02:59.000000000 -0500
27046 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
27047  
27048  static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
27049  {
27050 -       if (atomic_read(&dev_priv->idle_count) == 0)
27051 +       if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
27052                 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
27053         else
27054 -               atomic_set(&dev_priv->idle_count, 0);
27055 +               atomic_set_unchecked(&dev_priv->idle_count, 0);
27056  }
27057  
27058  #endif
27059 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/atom.c linux-3.0.9/drivers/gpu/drm/radeon/atom.c
27060 --- linux-3.0.9/drivers/gpu/drm/radeon/atom.c   2011-11-11 13:12:24.000000000 -0500
27061 +++ linux-3.0.9/drivers/gpu/drm/radeon/atom.c   2011-11-15 20:02:59.000000000 -0500
27062 @@ -1254,6 +1254,8 @@ struct atom_context *atom_parse(struct c
27063         char name[512];
27064         int i;
27065  
27066 +       pax_track_stack();
27067 +
27068         ctx->card = card;
27069         ctx->bios = bios;
27070  
27071 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/mkregtable.c linux-3.0.9/drivers/gpu/drm/radeon/mkregtable.c
27072 --- linux-3.0.9/drivers/gpu/drm/radeon/mkregtable.c     2011-11-11 13:12:24.000000000 -0500
27073 +++ linux-3.0.9/drivers/gpu/drm/radeon/mkregtable.c     2011-11-15 20:02:59.000000000 -0500
27074 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t, 
27075         regex_t mask_rex;
27076         regmatch_t match[4];
27077         char buf[1024];
27078 -       size_t end;
27079 +       long end;
27080         int len;
27081         int done = 0;
27082         int r;
27083         unsigned o;
27084         struct offset *offset;
27085         char last_reg_s[10];
27086 -       int last_reg;
27087 +       unsigned long last_reg;
27088  
27089         if (regcomp
27090             (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
27091 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_atombios.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_atombios.c
27092 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_atombios.c        2011-11-11 13:12:24.000000000 -0500
27093 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_atombios.c        2011-11-15 20:02:59.000000000 -0500
27094 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
27095         struct radeon_gpio_rec gpio;
27096         struct radeon_hpd hpd;
27097  
27098 +       pax_track_stack();
27099 +
27100         if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
27101                 return false;
27102  
27103 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_device.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_device.c
27104 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_device.c  2011-11-11 13:12:24.000000000 -0500
27105 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_device.c  2011-11-15 20:02:59.000000000 -0500
27106 @@ -678,7 +678,7 @@ static bool radeon_switcheroo_can_switch
27107         bool can_switch;
27108  
27109         spin_lock(&dev->count_lock);
27110 -       can_switch = (dev->open_count == 0);
27111 +       can_switch = (local_read(&dev->open_count) == 0);
27112         spin_unlock(&dev->count_lock);
27113         return can_switch;
27114  }
27115 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_display.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_display.c
27116 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_display.c 2011-11-11 13:12:24.000000000 -0500
27117 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_display.c 2011-11-15 20:02:59.000000000 -0500
27118 @@ -946,6 +946,8 @@ void radeon_compute_pll_legacy(struct ra
27119         uint32_t post_div;
27120         u32 pll_out_min, pll_out_max;
27121  
27122 +       pax_track_stack();
27123 +
27124         DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
27125         freq = freq * 1000;
27126  
27127 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_drv.h linux-3.0.9/drivers/gpu/drm/radeon/radeon_drv.h
27128 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_drv.h     2011-11-11 13:12:24.000000000 -0500
27129 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_drv.h     2011-11-15 20:02:59.000000000 -0500
27130 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
27131  
27132         /* SW interrupt */
27133         wait_queue_head_t swi_queue;
27134 -       atomic_t swi_emitted;
27135 +       atomic_unchecked_t swi_emitted;
27136         int vblank_crtc;
27137         uint32_t irq_enable_reg;
27138         uint32_t r500_disp_irq_reg;
27139 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_fence.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_fence.c
27140 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_fence.c   2011-11-11 13:12:24.000000000 -0500
27141 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_fence.c   2011-11-15 20:02:59.000000000 -0500
27142 @@ -78,7 +78,7 @@ int radeon_fence_emit(struct radeon_devi
27143                 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
27144                 return 0;
27145         }
27146 -       fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
27147 +       fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
27148         if (!rdev->cp.ready)
27149                 /* FIXME: cp is not running assume everythings is done right
27150                  * away
27151 @@ -373,7 +373,7 @@ int radeon_fence_driver_init(struct rade
27152                 return r;
27153         }
27154         radeon_fence_write(rdev, 0);
27155 -       atomic_set(&rdev->fence_drv.seq, 0);
27156 +       atomic_set_unchecked(&rdev->fence_drv.seq, 0);
27157         INIT_LIST_HEAD(&rdev->fence_drv.created);
27158         INIT_LIST_HEAD(&rdev->fence_drv.emited);
27159         INIT_LIST_HEAD(&rdev->fence_drv.signaled);
27160 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon.h linux-3.0.9/drivers/gpu/drm/radeon/radeon.h
27161 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon.h 2011-11-11 13:12:24.000000000 -0500
27162 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon.h 2011-11-15 20:02:59.000000000 -0500
27163 @@ -192,7 +192,7 @@ extern int sumo_get_temp(struct radeon_d
27164   */
27165  struct radeon_fence_driver {
27166         uint32_t                        scratch_reg;
27167 -       atomic_t                        seq;
27168 +       atomic_unchecked_t              seq;
27169         uint32_t                        last_seq;
27170         unsigned long                   last_jiffies;
27171         unsigned long                   last_timeout;
27172 @@ -962,7 +962,7 @@ struct radeon_asic {
27173         void (*pre_page_flip)(struct radeon_device *rdev, int crtc);
27174         u32 (*page_flip)(struct radeon_device *rdev, int crtc, u64 crtc_base);
27175         void (*post_page_flip)(struct radeon_device *rdev, int crtc);
27176 -};
27177 +} __no_const;
27178  
27179  /*
27180   * Asic structures
27181 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_ioc32.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_ioc32.c
27182 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_ioc32.c   2011-11-11 13:12:24.000000000 -0500
27183 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_ioc32.c   2011-11-15 20:02:59.000000000 -0500
27184 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
27185         request = compat_alloc_user_space(sizeof(*request));
27186         if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
27187             || __put_user(req32.param, &request->param)
27188 -           || __put_user((void __user *)(unsigned long)req32.value,
27189 +           || __put_user((unsigned long)req32.value,
27190                           &request->value))
27191                 return -EFAULT;
27192  
27193 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_irq.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_irq.c
27194 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_irq.c     2011-11-11 13:12:24.000000000 -0500
27195 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_irq.c     2011-11-15 20:02:59.000000000 -0500
27196 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
27197         unsigned int ret;
27198         RING_LOCALS;
27199  
27200 -       atomic_inc(&dev_priv->swi_emitted);
27201 -       ret = atomic_read(&dev_priv->swi_emitted);
27202 +       atomic_inc_unchecked(&dev_priv->swi_emitted);
27203 +       ret = atomic_read_unchecked(&dev_priv->swi_emitted);
27204  
27205         BEGIN_RING(4);
27206         OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
27207 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
27208         drm_radeon_private_t *dev_priv =
27209             (drm_radeon_private_t *) dev->dev_private;
27210  
27211 -       atomic_set(&dev_priv->swi_emitted, 0);
27212 +       atomic_set_unchecked(&dev_priv->swi_emitted, 0);
27213         DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
27214  
27215         dev->max_vblank_count = 0x001fffff;
27216 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_state.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_state.c
27217 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_state.c   2011-11-11 13:12:24.000000000 -0500
27218 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_state.c   2011-11-15 20:02:59.000000000 -0500
27219 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
27220         if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
27221                 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
27222  
27223 -       if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27224 +       if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27225                                sarea_priv->nbox * sizeof(depth_boxes[0])))
27226                 return -EFAULT;
27227  
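Review bot: The guard added to the `DRM_COPY_FROM_USER` line re-reads `sarea_priv->nbox` after the clamp above it, and the length argument on the next line reads it a third time; if the SAREA is a mapping shared with user space, as the name suggests but the hunk does not show, the value can still change between the new check and the multiply, so the check narrows the window without closing it. Snapshotting the count once into a local of the same type and using that local for the clamp, the check and the copy size makes the guard sufficient: `nbox = sarea_priv->nbox; if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;` followed by `nbox * sizeof(depth_boxes[0])` as the length, with `sarea_priv->nbox = nbox;` written back if later code relies on the clamped field. radeon_cp_clear starts and ends outside the hunk, so any further uses of `sarea_priv->nbox` there would need the same local.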
27228 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
27229  {
27230         drm_radeon_private_t *dev_priv = dev->dev_private;
27231         drm_radeon_getparam_t *param = data;
27232 -       int value;
27233 +       int value = 0;
27234  
27235         DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
27236  
27237 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/radeon_ttm.c linux-3.0.9/drivers/gpu/drm/radeon/radeon_ttm.c
27238 --- linux-3.0.9/drivers/gpu/drm/radeon/radeon_ttm.c     2011-11-11 13:12:24.000000000 -0500
27239 +++ linux-3.0.9/drivers/gpu/drm/radeon/radeon_ttm.c     2011-11-15 20:02:59.000000000 -0500
27240 @@ -649,8 +649,10 @@ int radeon_mmap(struct file *filp, struc
27241         }
27242         if (unlikely(ttm_vm_ops == NULL)) {
27243                 ttm_vm_ops = vma->vm_ops;
27244 -               radeon_ttm_vm_ops = *ttm_vm_ops;
27245 -               radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
27246 +               pax_open_kernel();
27247 +               memcpy((void *)&radeon_ttm_vm_ops, ttm_vm_ops, sizeof(radeon_ttm_vm_ops));
27248 +               *(void **)&radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
27249 +               pax_close_kernel();
27250         }
27251         vma->vm_ops = &radeon_ttm_vm_ops;
27252         return 0;
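Review bot: The `memcpy` and the `*(void **)&radeon_ttm_vm_ops.fault = &radeon_ttm_fault;` write replace two plain assignments without saying why; presumably `radeon_ttm_vm_ops` becomes read-only under this patch (its declaration is outside the hunk) and the `pax_open_kernel()`/`pax_close_kernel()` pair is what makes the store legal, but a reader only sees a cast that strips qualifiers from a function-pointer member. A one-line comment above `pax_open_kernel();`, such as `/* radeon_ttm_vm_ops is read-only after init; fill it through the kernel-open window, casting away const */`, would record the intent and warn against copying the cast elsewhere. Separately, the `ttm_vm_ops == NULL` test and the write to the shared ops table are not serialized against each other in the visible lines; if two mmap() calls can reach this path concurrently that is pre-existing, but worth stating in the same comment. radeon_mmap begins outside the hunk.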
27253 diff -urNp linux-3.0.9/drivers/gpu/drm/radeon/rs690.c linux-3.0.9/drivers/gpu/drm/radeon/rs690.c
27254 --- linux-3.0.9/drivers/gpu/drm/radeon/rs690.c  2011-11-11 13:12:24.000000000 -0500
27255 +++ linux-3.0.9/drivers/gpu/drm/radeon/rs690.c  2011-11-15 20:02:59.000000000 -0500
27256 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
27257                 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
27258                         rdev->pm.sideport_bandwidth.full)
27259                         rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
27260 -               read_delay_latency.full = dfixed_const(370 * 800 * 1000);
27261 +               read_delay_latency.full = dfixed_const(800 * 1000);
27262                 read_delay_latency.full = dfixed_div(read_delay_latency,
27263                         rdev->pm.igp_sideport_mclk);
27264 +               a.full = dfixed_const(370);
27265 +               read_delay_latency.full = dfixed_mul(read_delay_latency, a);
27266         } else {
27267                 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
27268                         rdev->pm.k8_bandwidth.full)
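Review bot: The reordering of the `read_delay_latency` computation (divide by `800 * 1000` first, then multiply by 370 via `a`) is not explained in the hunk; the reason is presumably that `370 * 800 * 1000` no longer fits in 32 bits once `dfixed_const` shifts it into 20.12 fixed point, and the split keeps each intermediate inside u32. A comment above the first changed line, `/* 370 * 800 * 1000 overflows 20.12 fixed point; divide first, then scale by 370 */`, would make that clear. Note that dividing before multiplying truncates the fractional part of the quotient before the 370x scaling, so the result can differ from the exact value by up to 370 fixed-point ULPs; that is likely acceptable for a latency estimate but belongs in the same comment. rs690_crtc_bandwidth_compute starts and ends outside the hunk, and `a` is declared outside it.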
27269 diff -urNp linux-3.0.9/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-3.0.9/drivers/gpu/drm/ttm/ttm_page_alloc.c
27270 --- linux-3.0.9/drivers/gpu/drm/ttm/ttm_page_alloc.c    2011-11-11 13:12:24.000000000 -0500
27271 +++ linux-3.0.9/drivers/gpu/drm/ttm/ttm_page_alloc.c    2011-11-15 20:02:59.000000000 -0500
27272 @@ -398,9 +398,9 @@ static int ttm_pool_get_num_unused_pages
27273  static int ttm_pool_mm_shrink(struct shrinker *shrink,
27274                               struct shrink_control *sc)
27275  {
27276 -       static atomic_t start_pool = ATOMIC_INIT(0);
27277 +       static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
27278         unsigned i;
27279 -       unsigned pool_offset = atomic_add_return(1, &start_pool);
27280 +       unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
27281         struct ttm_page_pool *pool;
27282         int shrink_pages = sc->nr_to_scan;
27283  
27284 diff -urNp linux-3.0.9/drivers/gpu/drm/via/via_drv.h linux-3.0.9/drivers/gpu/drm/via/via_drv.h
27285 --- linux-3.0.9/drivers/gpu/drm/via/via_drv.h   2011-11-11 13:12:24.000000000 -0500
27286 +++ linux-3.0.9/drivers/gpu/drm/via/via_drv.h   2011-11-15 20:02:59.000000000 -0500
27287 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
27288  typedef uint32_t maskarray_t[5];
27289  
27290  typedef struct drm_via_irq {
27291 -       atomic_t irq_received;
27292 +       atomic_unchecked_t irq_received;
27293         uint32_t pending_mask;
27294         uint32_t enable_mask;
27295         wait_queue_head_t irq_queue;
27296 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
27297         struct timeval last_vblank;
27298         int last_vblank_valid;
27299         unsigned usec_per_vblank;
27300 -       atomic_t vbl_received;
27301 +       atomic_unchecked_t vbl_received;
27302         drm_via_state_t hc_state;
27303         char pci_buf[VIA_PCI_BUF_SIZE];
27304         const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
27305 diff -urNp linux-3.0.9/drivers/gpu/drm/via/via_irq.c linux-3.0.9/drivers/gpu/drm/via/via_irq.c
27306 --- linux-3.0.9/drivers/gpu/drm/via/via_irq.c   2011-11-11 13:12:24.000000000 -0500
27307 +++ linux-3.0.9/drivers/gpu/drm/via/via_irq.c   2011-11-15 20:02:59.000000000 -0500
27308 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
27309         if (crtc != 0)
27310                 return 0;
27311  
27312 -       return atomic_read(&dev_priv->vbl_received);
27313 +       return atomic_read_unchecked(&dev_priv->vbl_received);
27314  }
27315  
27316  irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
27317 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
27318  
27319         status = VIA_READ(VIA_REG_INTERRUPT);
27320         if (status & VIA_IRQ_VBLANK_PENDING) {
27321 -               atomic_inc(&dev_priv->vbl_received);
27322 -               if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
27323 +               atomic_inc_unchecked(&dev_priv->vbl_received);
27324 +               if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
27325                         do_gettimeofday(&cur_vblank);
27326                         if (dev_priv->last_vblank_valid) {
27327                                 dev_priv->usec_per_vblank =
27328 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27329                         dev_priv->last_vblank = cur_vblank;
27330                         dev_priv->last_vblank_valid = 1;
27331                 }
27332 -               if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
27333 +               if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
27334                         DRM_DEBUG("US per vblank is: %u\n",
27335                                   dev_priv->usec_per_vblank);
27336                 }
27337 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27338  
27339         for (i = 0; i < dev_priv->num_irqs; ++i) {
27340                 if (status & cur_irq->pending_mask) {
27341 -                       atomic_inc(&cur_irq->irq_received);
27342 +                       atomic_inc_unchecked(&cur_irq->irq_received);
27343                         DRM_WAKEUP(&cur_irq->irq_queue);
27344                         handled = 1;
27345                         if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
27346 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
27347                 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27348                             ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
27349                              masks[irq][4]));
27350 -               cur_irq_sequence = atomic_read(&cur_irq->irq_received);
27351 +               cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
27352         } else {
27353                 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27354                             (((cur_irq_sequence =
27355 -                              atomic_read(&cur_irq->irq_received)) -
27356 +                              atomic_read_unchecked(&cur_irq->irq_received)) -
27357                               *sequence) <= (1 << 23)));
27358         }
27359         *sequence = cur_irq_sequence;
27360 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
27361                 }
27362  
27363                 for (i = 0; i < dev_priv->num_irqs; ++i) {
27364 -                       atomic_set(&cur_irq->irq_received, 0);
27365 +                       atomic_set_unchecked(&cur_irq->irq_received, 0);
27366                         cur_irq->enable_mask = dev_priv->irq_masks[i][0];
27367                         cur_irq->pending_mask = dev_priv->irq_masks[i][1];
27368                         DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
27369 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
27370         switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
27371         case VIA_IRQ_RELATIVE:
27372                 irqwait->request.sequence +=
27373 -                       atomic_read(&cur_irq->irq_received);
27374 +                       atomic_read_unchecked(&cur_irq->irq_received);
27375                 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
27376         case VIA_IRQ_ABSOLUTE:
27377                 break;
27378 diff -urNp linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
27379 --- linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h     2011-11-11 13:12:24.000000000 -0500
27380 +++ linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h     2011-11-15 20:02:59.000000000 -0500
27381 @@ -240,7 +240,7 @@ struct vmw_private {
27382          * Fencing and IRQs.
27383          */
27384  
27385 -       atomic_t fence_seq;
27386 +       atomic_unchecked_t fence_seq;
27387         wait_queue_head_t fence_queue;
27388         wait_queue_head_t fifo_queue;
27389         atomic_t fence_queue_waiters;
27390 diff -urNp linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
27391 --- linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-11-11 13:12:24.000000000 -0500
27392 +++ linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-11-15 20:02:59.000000000 -0500
27393 @@ -610,7 +610,7 @@ int vmw_execbuf_ioctl(struct drm_device 
27394         struct drm_vmw_fence_rep fence_rep;
27395         struct drm_vmw_fence_rep __user *user_fence_rep;
27396         int ret;
27397 -       void *user_cmd;
27398 +       void __user *user_cmd;
27399         void *cmd;
27400         uint32_t sequence;
27401         struct vmw_sw_context *sw_context = &dev_priv->ctx;
27402 diff -urNp linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
27403 --- linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c   2011-11-11 13:12:24.000000000 -0500
27404 +++ linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c   2011-11-15 20:02:59.000000000 -0500
27405 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
27406         while (!vmw_lag_lt(queue, us)) {
27407                 spin_lock(&queue->lock);
27408                 if (list_empty(&queue->head))
27409 -                       sequence = atomic_read(&dev_priv->fence_seq);
27410 +                       sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27411                 else {
27412                         fence = list_first_entry(&queue->head,
27413                                                  struct vmw_fence, head);
27414 diff -urNp linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
27415 --- linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c    2011-11-11 13:12:24.000000000 -0500
27416 +++ linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c    2011-11-15 20:02:59.000000000 -0500
27417 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
27418                  (unsigned int) min,
27419                  (unsigned int) fifo->capabilities);
27420  
27421 -       atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27422 +       atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27423         iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
27424         vmw_fence_queue_init(&fifo->fence_queue);
27425         return vmw_fifo_send_fence(dev_priv, &dummy);
27426 @@ -356,7 +356,7 @@ void *vmw_fifo_reserve(struct vmw_privat
27427                                 if (reserveable)
27428                                         iowrite32(bytes, fifo_mem +
27429                                                   SVGA_FIFO_RESERVED);
27430 -                               return fifo_mem + (next_cmd >> 2);
27431 +                               return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
27432                         } else {
27433                                 need_bounce = true;
27434                         }
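Review bot: The `(__le32 __force_kernel *)` cast strips the I/O address-space annotation from `fifo_mem`, which the `iowrite32` two lines above still treats as MMIO, and nothing in the hunk records why handing callers a plain kernel pointer into that mapping is safe. The element arithmetic survives the cast only because `fifo_mem` is evidently already a 32-bit-element pointer (the pre-existing `>> 2` implies that), so a reader has to reconstruct both facts. A comment such as `/* FIFO memory is presumably directly addressable RAM behind the BAR; callers fill the reservation with plain stores, so __iomem is dropped on purpose */` would make this read as a deliberate decision rather than a silenced sparse warning. vmw_fifo_reserve begins and ends outside the hunk.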
27435 @@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27436  
27437         fm = vmw_fifo_reserve(dev_priv, bytes);
27438         if (unlikely(fm == NULL)) {
27439 -               *sequence = atomic_read(&dev_priv->fence_seq);
27440 +               *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27441                 ret = -ENOMEM;
27442                 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
27443                                         false, 3*HZ);
27444 @@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27445         }
27446  
27447         do {
27448 -               *sequence = atomic_add_return(1, &dev_priv->fence_seq);
27449 +               *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
27450         } while (*sequence == 0);
27451  
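Review bot: The `do { … } while (*sequence == 0)` loop is the real justification for exempting `fence_seq` from overflow checking — the sequence is meant to wrap and 0 is skipped as a reserved value — but neither this loop nor the field carries a comment saying so, while the same field is now read through `atomic_read_unchecked` in several other functions of this driver. Add `/* fence_seq wraps by design; 0 is reserved as 'no fence', so never hand it out */` above the loop so the next reader does not "fix" the unchecked marking. vmw_fifo_send_fence continues outside the hunk.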
27452         if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
27453 diff -urNp linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
27454 --- linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c     2011-11-11 13:12:24.000000000 -0500
27455 +++ linux-3.0.9/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c     2011-11-15 20:02:59.000000000 -0500
27456 @@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
27457          * emitted. Then the fence is stale and signaled.
27458          */
27459  
27460 -       ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
27461 +       ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
27462                > VMW_FENCE_WRAP);
27463  
27464         return ret;
27465 @@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
27466  
27467         if (fifo_idle)
27468                 down_read(&fifo_state->rwsem);
27469 -       signal_seq = atomic_read(&dev_priv->fence_seq);
27470 +       signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
27471         ret = 0;
27472  
27473         for (;;) {
27474 diff -urNp linux-3.0.9/drivers/hid/hid-core.c linux-3.0.9/drivers/hid/hid-core.c
27475 --- linux-3.0.9/drivers/hid/hid-core.c  2011-11-11 13:12:24.000000000 -0500
27476 +++ linux-3.0.9/drivers/hid/hid-core.c  2011-11-15 20:02:59.000000000 -0500
27477 @@ -1940,7 +1940,7 @@ static bool hid_ignore(struct hid_device
27478  
27479  int hid_add_device(struct hid_device *hdev)
27480  {
27481 -       static atomic_t id = ATOMIC_INIT(0);
27482 +       static atomic_unchecked_t id = ATOMIC_INIT(0);
27483         int ret;
27484  
27485         if (WARN_ON(hdev->status & HID_STAT_ADDED))
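Review bot: `id` is now exempt from whatever overflow checking plain `atomic_t` presumably gets elsewhere in this patch, yet the function gives no reason why a wrap of this particular counter is acceptable. Suggest `/* device-name suffix only, not a reference count: wrapping is harmless */` next to the declaration. The `%04X` format used for it a few lines below (outside this hunk) does not truncate to four digits, so names just grow longer past 0xFFFF and a collision is only possible after a full 32-bit wrap, where device_add would presumably reject the duplicate name rather than misbehave. hid_add_device continues past the hunk.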
27486 @@ -1955,7 +1955,7 @@ int hid_add_device(struct hid_device *hd
27487         /* XXX hack, any other cleaner solution after the driver core
27488          * is converted to allow more than 20 bytes as the device name? */
27489         dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
27490 -                    hdev->vendor, hdev->product, atomic_inc_return(&id));
27491 +                    hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
27492  
27493         hid_debug_register(hdev, dev_name(&hdev->dev));
27494         ret = device_add(&hdev->dev);
27495 diff -urNp linux-3.0.9/drivers/hid/usbhid/hiddev.c linux-3.0.9/drivers/hid/usbhid/hiddev.c
27496 --- linux-3.0.9/drivers/hid/usbhid/hiddev.c     2011-11-11 13:12:24.000000000 -0500
27497 +++ linux-3.0.9/drivers/hid/usbhid/hiddev.c     2011-11-15 20:02:59.000000000 -0500
27498 @@ -624,7 +624,7 @@ static long hiddev_ioctl(struct file *fi
27499                 break;
27500  
27501         case HIDIOCAPPLICATION:
27502 -               if (arg < 0 || arg >= hid->maxapplication)
27503 +               if (arg >= hid->maxapplication)
27504                         break;
27505  
27506                 for (i = 0; i < hid->maxcollection; i++)
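Review bot: Dropping `arg < 0` is correct only because `arg` is presumably the ioctl's `unsigned long` argument (its declaration is outside the hunk), which made the lower-bound test dead code; that reasoning is now invisible at the call site, so a future change to a signed local would silently reintroduce a negative index into the collection lookup below. Record it with `/* arg is unsigned long: the single >= test fully bounds the index */` above the comparison. hiddev_ioctl starts and ends outside the hunk.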
27507 diff -urNp linux-3.0.9/drivers/hwmon/acpi_power_meter.c linux-3.0.9/drivers/hwmon/acpi_power_meter.c
27508 --- linux-3.0.9/drivers/hwmon/acpi_power_meter.c        2011-11-11 13:12:24.000000000 -0500
27509 +++ linux-3.0.9/drivers/hwmon/acpi_power_meter.c        2011-11-15 20:02:59.000000000 -0500
27510 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
27511                 return res;
27512  
27513         temp /= 1000;
27514 -       if (temp < 0)
27515 -               return -EINVAL;
27516  
27517         mutex_lock(&resource->lock);
27518         resource->trip[attr->index - 7] = temp;
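Review bot: Deleting `if (temp < 0)` is behaviour-neutral only if `temp` is unsigned (its declaration is outside the hunk), but the dead check was the sole trace of an intended range restriction on a user-written trip point, and the hunk leaves that intent unenforced: `temp` is assigned straight into `resource->trip[...]`, and if that field is a narrower signed type a large input wraps to a negative trip point on assignment. Rather than removing the test outright, replace it with a bound that actually fires, e.g. `if (temp > INT_MAX) return -EINVAL;` (or whatever range the trip field accepts). set_trip begins and ends outside the hunk.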
27519 diff -urNp linux-3.0.9/drivers/hwmon/sht15.c linux-3.0.9/drivers/hwmon/sht15.c
27520 --- linux-3.0.9/drivers/hwmon/sht15.c   2011-11-11 13:12:24.000000000 -0500
27521 +++ linux-3.0.9/drivers/hwmon/sht15.c   2011-11-15 20:02:59.000000000 -0500
27522 @@ -166,7 +166,7 @@ struct sht15_data {
27523         int                             supply_uV;
27524         bool                            supply_uV_valid;
27525         struct work_struct              update_supply_work;
27526 -       atomic_t                        interrupt_handled;
27527 +       atomic_unchecked_t              interrupt_handled;
27528  };
27529  
27530  /**
27531 @@ -509,13 +509,13 @@ static int sht15_measurement(struct sht1
27532                 return ret;
27533  
27534         gpio_direction_input(data->pdata->gpio_data);
27535 -       atomic_set(&data->interrupt_handled, 0);
27536 +       atomic_set_unchecked(&data->interrupt_handled, 0);
27537  
27538         enable_irq(gpio_to_irq(data->pdata->gpio_data));
27539         if (gpio_get_value(data->pdata->gpio_data) == 0) {
27540                 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
27541                 /* Only relevant if the interrupt hasn't occurred. */
27542 -               if (!atomic_read(&data->interrupt_handled))
27543 +               if (!atomic_read_unchecked(&data->interrupt_handled))
27544                         schedule_work(&data->read_work);
27545         }
27546         ret = wait_event_timeout(data->wait_queue,
27547 @@ -782,7 +782,7 @@ static irqreturn_t sht15_interrupt_fired
27548  
27549         /* First disable the interrupt */
27550         disable_irq_nosync(irq);
27551 -       atomic_inc(&data->interrupt_handled);
27552 +       atomic_inc_unchecked(&data->interrupt_handled);
27553         /* Then schedule a reading work struct */
27554         if (data->state != SHT15_READING_NOTHING)
27555                 schedule_work(&data->read_work);
27556 @@ -804,11 +804,11 @@ static void sht15_bh_read_data(struct wo
27557                  * If not, then start the interrupt again - care here as could
27558                  * have gone low in meantime so verify it hasn't!
27559                  */
27560 -               atomic_set(&data->interrupt_handled, 0);
27561 +               atomic_set_unchecked(&data->interrupt_handled, 0);
27562                 enable_irq(gpio_to_irq(data->pdata->gpio_data));
27563                 /* If still not occurred or another handler has been scheduled */
27564                 if (gpio_get_value(data->pdata->gpio_data)
27565 -                   || atomic_read(&data->interrupt_handled))
27566 +                   || atomic_read_unchecked(&data->interrupt_handled))
27567                         return;
27568         }
27569  
27570 diff -urNp linux-3.0.9/drivers/hwmon/w83791d.c linux-3.0.9/drivers/hwmon/w83791d.c
27571 --- linux-3.0.9/drivers/hwmon/w83791d.c 2011-11-11 13:12:24.000000000 -0500
27572 +++ linux-3.0.9/drivers/hwmon/w83791d.c 2011-11-15 20:02:59.000000000 -0500
27573 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
27574                           struct i2c_board_info *info);
27575  static int w83791d_remove(struct i2c_client *client);
27576  
27577 -static int w83791d_read(struct i2c_client *client, u8 register);
27578 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
27579 +static int w83791d_read(struct i2c_client *client, u8 reg);
27580 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
27581  static struct w83791d_data *w83791d_update_device(struct device *dev);
27582  
27583  #ifdef DEBUG
27584 diff -urNp linux-3.0.9/drivers/i2c/busses/i2c-amd756-s4882.c linux-3.0.9/drivers/i2c/busses/i2c-amd756-s4882.c
27585 --- linux-3.0.9/drivers/i2c/busses/i2c-amd756-s4882.c   2011-11-11 13:12:24.000000000 -0500
27586 +++ linux-3.0.9/drivers/i2c/busses/i2c-amd756-s4882.c   2011-11-15 20:02:59.000000000 -0500
27587 @@ -43,7 +43,7 @@
27588  extern struct i2c_adapter amd756_smbus;
27589  
27590  static struct i2c_adapter *s4882_adapter;
27591 -static struct i2c_algorithm *s4882_algo;
27592 +static i2c_algorithm_no_const *s4882_algo;
27593  
27594  /* Wrapper access functions for multiplexed SMBus */
27595  static DEFINE_MUTEX(amd756_lock);
27596 diff -urNp linux-3.0.9/drivers/i2c/busses/i2c-nforce2-s4985.c linux-3.0.9/drivers/i2c/busses/i2c-nforce2-s4985.c
27597 --- linux-3.0.9/drivers/i2c/busses/i2c-nforce2-s4985.c  2011-11-11 13:12:24.000000000 -0500
27598 +++ linux-3.0.9/drivers/i2c/busses/i2c-nforce2-s4985.c  2011-11-15 20:02:59.000000000 -0500
27599 @@ -41,7 +41,7 @@
27600  extern struct i2c_adapter *nforce2_smbus;
27601  
27602  static struct i2c_adapter *s4985_adapter;
27603 -static struct i2c_algorithm *s4985_algo;
27604 +static i2c_algorithm_no_const *s4985_algo;
27605  
27606  /* Wrapper access functions for multiplexed SMBus */
27607  static DEFINE_MUTEX(nforce2_lock);
27608 diff -urNp linux-3.0.9/drivers/i2c/i2c-mux.c linux-3.0.9/drivers/i2c/i2c-mux.c
27609 --- linux-3.0.9/drivers/i2c/i2c-mux.c   2011-11-11 13:12:24.000000000 -0500
27610 +++ linux-3.0.9/drivers/i2c/i2c-mux.c   2011-11-15 20:02:59.000000000 -0500
27611 @@ -28,7 +28,7 @@
27612  /* multiplexer per channel data */
27613  struct i2c_mux_priv {
27614         struct i2c_adapter adap;
27615 -       struct i2c_algorithm algo;
27616 +       i2c_algorithm_no_const algo;
27617  
27618         struct i2c_adapter *parent;
27619         void *mux_dev;  /* the mux chip/device */
27620 diff -urNp linux-3.0.9/drivers/ide/aec62xx.c linux-3.0.9/drivers/ide/aec62xx.c
27621 --- linux-3.0.9/drivers/ide/aec62xx.c   2011-11-11 13:12:24.000000000 -0500
27622 +++ linux-3.0.9/drivers/ide/aec62xx.c   2011-11-15 20:02:59.000000000 -0500
27623 @@ -181,7 +181,7 @@ static const struct ide_port_ops atp86x_
27624         .cable_detect           = atp86x_cable_detect,
27625  };
27626  
27627 -static const struct ide_port_info aec62xx_chipsets[] __devinitdata = {
27628 +static const struct ide_port_info aec62xx_chipsets[] __devinitconst = {
27629         {       /* 0: AEC6210 */
27630                 .name           = DRV_NAME,
27631                 .init_chipset   = init_chipset_aec62xx,
27632 diff -urNp linux-3.0.9/drivers/ide/alim15x3.c linux-3.0.9/drivers/ide/alim15x3.c
27633 --- linux-3.0.9/drivers/ide/alim15x3.c  2011-11-11 13:12:24.000000000 -0500
27634 +++ linux-3.0.9/drivers/ide/alim15x3.c  2011-11-15 20:02:59.000000000 -0500
27635 @@ -512,7 +512,7 @@ static const struct ide_dma_ops ali_dma_
27636         .dma_sff_read_status    = ide_dma_sff_read_status,
27637  };
27638  
27639 -static const struct ide_port_info ali15x3_chipset __devinitdata = {
27640 +static const struct ide_port_info ali15x3_chipset __devinitconst = {
27641         .name           = DRV_NAME,
27642         .init_chipset   = init_chipset_ali15x3,
27643         .init_hwif      = init_hwif_ali15x3,
27644 diff -urNp linux-3.0.9/drivers/ide/amd74xx.c linux-3.0.9/drivers/ide/amd74xx.c
27645 --- linux-3.0.9/drivers/ide/amd74xx.c   2011-11-11 13:12:24.000000000 -0500
27646 +++ linux-3.0.9/drivers/ide/amd74xx.c   2011-11-15 20:02:59.000000000 -0500
27647 @@ -223,7 +223,7 @@ static const struct ide_port_ops amd_por
27648                 .udma_mask      = udma,                                 \
27649         }
27650  
27651 -static const struct ide_port_info amd74xx_chipsets[] __devinitdata = {
27652 +static const struct ide_port_info amd74xx_chipsets[] __devinitconst = {
27653         /* 0: AMD7401 */        DECLARE_AMD_DEV(0x00, ATA_UDMA2),
27654         /* 1: AMD7409 */        DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA4),
27655         /* 2: AMD7411/7441 */   DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA5),
27656 diff -urNp linux-3.0.9/drivers/ide/atiixp.c linux-3.0.9/drivers/ide/atiixp.c
27657 --- linux-3.0.9/drivers/ide/atiixp.c    2011-11-11 13:12:24.000000000 -0500
27658 +++ linux-3.0.9/drivers/ide/atiixp.c    2011-11-15 20:02:59.000000000 -0500
27659 @@ -139,7 +139,7 @@ static const struct ide_port_ops atiixp_
27660         .cable_detect           = atiixp_cable_detect,
27661  };
27662  
27663 -static const struct ide_port_info atiixp_pci_info[] __devinitdata = {
27664 +static const struct ide_port_info atiixp_pci_info[] __devinitconst = {
27665         {       /* 0: IXP200/300/400/700 */
27666                 .name           = DRV_NAME,
27667                 .enablebits     = {{0x48,0x01,0x00}, {0x48,0x08,0x00}},
27668 diff -urNp linux-3.0.9/drivers/ide/cmd64x.c linux-3.0.9/drivers/ide/cmd64x.c
27669 --- linux-3.0.9/drivers/ide/cmd64x.c    2011-11-11 13:12:24.000000000 -0500
27670 +++ linux-3.0.9/drivers/ide/cmd64x.c    2011-11-15 20:02:59.000000000 -0500
27671 @@ -327,7 +327,7 @@ static const struct ide_dma_ops cmd646_r
27672         .dma_sff_read_status    = ide_dma_sff_read_status,
27673  };
27674  
27675 -static const struct ide_port_info cmd64x_chipsets[] __devinitdata = {
27676 +static const struct ide_port_info cmd64x_chipsets[] __devinitconst = {
27677         {       /* 0: CMD643 */
27678                 .name           = DRV_NAME,
27679                 .init_chipset   = init_chipset_cmd64x,
27680 diff -urNp linux-3.0.9/drivers/ide/cs5520.c linux-3.0.9/drivers/ide/cs5520.c
27681 --- linux-3.0.9/drivers/ide/cs5520.c    2011-11-11 13:12:24.000000000 -0500
27682 +++ linux-3.0.9/drivers/ide/cs5520.c    2011-11-15 20:02:59.000000000 -0500
27683 @@ -94,7 +94,7 @@ static const struct ide_port_ops cs5520_
27684         .set_dma_mode           = cs5520_set_dma_mode,
27685  };
27686  
27687 -static const struct ide_port_info cyrix_chipset __devinitdata = {
27688 +static const struct ide_port_info cyrix_chipset __devinitconst = {
27689         .name           = DRV_NAME,
27690         .enablebits     = { { 0x60, 0x01, 0x01 }, { 0x60, 0x02, 0x02 } },
27691         .port_ops       = &cs5520_port_ops,
27692 diff -urNp linux-3.0.9/drivers/ide/cs5530.c linux-3.0.9/drivers/ide/cs5530.c
27693 --- linux-3.0.9/drivers/ide/cs5530.c    2011-11-11 13:12:24.000000000 -0500
27694 +++ linux-3.0.9/drivers/ide/cs5530.c    2011-11-15 20:02:59.000000000 -0500
27695 @@ -245,7 +245,7 @@ static const struct ide_port_ops cs5530_
27696         .udma_filter            = cs5530_udma_filter,
27697  };
27698  
27699 -static const struct ide_port_info cs5530_chipset __devinitdata = {
27700 +static const struct ide_port_info cs5530_chipset __devinitconst = {
27701         .name           = DRV_NAME,
27702         .init_chipset   = init_chipset_cs5530,
27703         .init_hwif      = init_hwif_cs5530,
27704 diff -urNp linux-3.0.9/drivers/ide/cs5535.c linux-3.0.9/drivers/ide/cs5535.c
27705 --- linux-3.0.9/drivers/ide/cs5535.c    2011-11-11 13:12:24.000000000 -0500
27706 +++ linux-3.0.9/drivers/ide/cs5535.c    2011-11-15 20:02:59.000000000 -0500
27707 @@ -170,7 +170,7 @@ static const struct ide_port_ops cs5535_
27708         .cable_detect           = cs5535_cable_detect,
27709  };
27710  
27711 -static const struct ide_port_info cs5535_chipset __devinitdata = {
27712 +static const struct ide_port_info cs5535_chipset __devinitconst = {
27713         .name           = DRV_NAME,
27714         .port_ops       = &cs5535_port_ops,
27715         .host_flags     = IDE_HFLAG_SINGLE | IDE_HFLAG_POST_SET_MODE,
27716 diff -urNp linux-3.0.9/drivers/ide/cy82c693.c linux-3.0.9/drivers/ide/cy82c693.c
27717 --- linux-3.0.9/drivers/ide/cy82c693.c  2011-11-11 13:12:24.000000000 -0500
27718 +++ linux-3.0.9/drivers/ide/cy82c693.c  2011-11-15 20:02:59.000000000 -0500
27719 @@ -161,7 +161,7 @@ static const struct ide_port_ops cy82c69
27720         .set_dma_mode           = cy82c693_set_dma_mode,
27721  };
27722  
27723 -static const struct ide_port_info cy82c693_chipset __devinitdata = {
27724 +static const struct ide_port_info cy82c693_chipset __devinitconst = {
27725         .name           = DRV_NAME,
27726         .init_iops      = init_iops_cy82c693,
27727         .port_ops       = &cy82c693_port_ops,
27728 diff -urNp linux-3.0.9/drivers/ide/hpt366.c linux-3.0.9/drivers/ide/hpt366.c
27729 --- linux-3.0.9/drivers/ide/hpt366.c    2011-11-11 13:12:24.000000000 -0500
27730 +++ linux-3.0.9/drivers/ide/hpt366.c    2011-11-15 20:02:59.000000000 -0500
27731 @@ -443,7 +443,7 @@ static struct hpt_timings hpt37x_timings
27732         }
27733  };
27734  
27735 -static const struct hpt_info hpt36x __devinitdata = {
27736 +static const struct hpt_info hpt36x __devinitconst = {
27737         .chip_name      = "HPT36x",
27738         .chip_type      = HPT36x,
27739         .udma_mask      = HPT366_ALLOW_ATA66_3 ? (HPT366_ALLOW_ATA66_4 ? ATA_UDMA4 : ATA_UDMA3) : ATA_UDMA2,
27740 @@ -451,7 +451,7 @@ static const struct hpt_info hpt36x __de
27741         .timings        = &hpt36x_timings
27742  };
27743  
27744 -static const struct hpt_info hpt370 __devinitdata = {
27745 +static const struct hpt_info hpt370 __devinitconst = {
27746         .chip_name      = "HPT370",
27747         .chip_type      = HPT370,
27748         .udma_mask      = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
27749 @@ -459,7 +459,7 @@ static const struct hpt_info hpt370 __de
27750         .timings        = &hpt37x_timings
27751  };
27752  
27753 -static const struct hpt_info hpt370a __devinitdata = {
27754 +static const struct hpt_info hpt370a __devinitconst = {
27755         .chip_name      = "HPT370A",
27756         .chip_type      = HPT370A,
27757         .udma_mask      = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
27758 @@ -467,7 +467,7 @@ static const struct hpt_info hpt370a __d
27759         .timings        = &hpt37x_timings
27760  };
27761  
27762 -static const struct hpt_info hpt374 __devinitdata = {
27763 +static const struct hpt_info hpt374 __devinitconst = {
27764         .chip_name      = "HPT374",
27765         .chip_type      = HPT374,
27766         .udma_mask      = ATA_UDMA5,
27767 @@ -475,7 +475,7 @@ static const struct hpt_info hpt374 __de
27768         .timings        = &hpt37x_timings
27769  };
27770  
27771 -static const struct hpt_info hpt372 __devinitdata = {
27772 +static const struct hpt_info hpt372 __devinitconst = {
27773         .chip_name      = "HPT372",
27774         .chip_type      = HPT372,
27775         .udma_mask      = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27776 @@ -483,7 +483,7 @@ static const struct hpt_info hpt372 __de
27777         .timings        = &hpt37x_timings
27778  };
27779  
27780 -static const struct hpt_info hpt372a __devinitdata = {
27781 +static const struct hpt_info hpt372a __devinitconst = {
27782         .chip_name      = "HPT372A",
27783         .chip_type      = HPT372A,
27784         .udma_mask      = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27785 @@ -491,7 +491,7 @@ static const struct hpt_info hpt372a __d
27786         .timings        = &hpt37x_timings
27787  };
27788  
27789 -static const struct hpt_info hpt302 __devinitdata = {
27790 +static const struct hpt_info hpt302 __devinitconst = {
27791         .chip_name      = "HPT302",
27792         .chip_type      = HPT302,
27793         .udma_mask      = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27794 @@ -499,7 +499,7 @@ static const struct hpt_info hpt302 __de
27795         .timings        = &hpt37x_timings
27796  };
27797  
27798 -static const struct hpt_info hpt371 __devinitdata = {
27799 +static const struct hpt_info hpt371 __devinitconst = {
27800         .chip_name      = "HPT371",
27801         .chip_type      = HPT371,
27802         .udma_mask      = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27803 @@ -507,7 +507,7 @@ static const struct hpt_info hpt371 __de
27804         .timings        = &hpt37x_timings
27805  };
27806  
27807 -static const struct hpt_info hpt372n __devinitdata = {
27808 +static const struct hpt_info hpt372n __devinitconst = {
27809         .chip_name      = "HPT372N",
27810         .chip_type      = HPT372N,
27811         .udma_mask      = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27812 @@ -515,7 +515,7 @@ static const struct hpt_info hpt372n __d
27813         .timings        = &hpt37x_timings
27814  };
27815  
27816 -static const struct hpt_info hpt302n __devinitdata = {
27817 +static const struct hpt_info hpt302n __devinitconst = {
27818         .chip_name      = "HPT302N",
27819         .chip_type      = HPT302N,
27820         .udma_mask      = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27821 @@ -523,7 +523,7 @@ static const struct hpt_info hpt302n __d
27822         .timings        = &hpt37x_timings
27823  };
27824  
27825 -static const struct hpt_info hpt371n __devinitdata = {
27826 +static const struct hpt_info hpt371n __devinitconst = {
27827         .chip_name      = "HPT371N",
27828         .chip_type      = HPT371N,
27829         .udma_mask      = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27830 @@ -1361,7 +1361,7 @@ static const struct ide_dma_ops hpt36x_d
27831         .dma_sff_read_status    = ide_dma_sff_read_status,
27832  };
27833  
27834 -static const struct ide_port_info hpt366_chipsets[] __devinitdata = {
27835 +static const struct ide_port_info hpt366_chipsets[] __devinitconst = {
27836         {       /* 0: HPT36x */
27837                 .name           = DRV_NAME,
27838                 .init_chipset   = init_chipset_hpt366,
27839 diff -urNp linux-3.0.9/drivers/ide/ide-cd.c linux-3.0.9/drivers/ide/ide-cd.c
27840 --- linux-3.0.9/drivers/ide/ide-cd.c    2011-11-11 13:12:24.000000000 -0500
27841 +++ linux-3.0.9/drivers/ide/ide-cd.c    2011-11-15 20:02:59.000000000 -0500
27842 @@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
27843                 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
27844                 if ((unsigned long)buf & alignment
27845                     || blk_rq_bytes(rq) & q->dma_pad_mask
27846 -                   || object_is_on_stack(buf))
27847 +                   || object_starts_on_stack(buf))
27848                         drive->dma = 0;
27849         }
27850  }
27851 diff -urNp linux-3.0.9/drivers/ide/ide-floppy.c linux-3.0.9/drivers/ide/ide-floppy.c
27852 --- linux-3.0.9/drivers/ide/ide-floppy.c        2011-11-11 13:12:24.000000000 -0500
27853 +++ linux-3.0.9/drivers/ide/ide-floppy.c        2011-11-15 20:02:59.000000000 -0500
27854 @@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
27855         u8 pc_buf[256], header_len, desc_cnt;
27856         int i, rc = 1, blocks, length;
27857  
27858 +       pax_track_stack();
27859 +
27860         ide_debug_log(IDE_DBG_FUNC, "enter");
27861  
27862         drive->bios_cyl = 0;
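Review bot: The new `pax_track_stack();` call carries no comment linking it to the reason it is needed, which from the visible declarations is most plausibly the 256-byte `pc_buf` array on the stack; someone who later shrinks or heap-allocates that buffer has no cue that the call can go with it. Suggest `/* large on-stack pc_buf: record the deep frame for stack tracking */` on the line above the call, with the wording adjusted to what pax_track_stack actually does, since its definition is not visible here. ide_floppy_get_capacity continues outside the hunk.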
27863 diff -urNp linux-3.0.9/drivers/ide/ide-pci-generic.c linux-3.0.9/drivers/ide/ide-pci-generic.c
27864 --- linux-3.0.9/drivers/ide/ide-pci-generic.c   2011-11-11 13:12:24.000000000 -0500
27865 +++ linux-3.0.9/drivers/ide/ide-pci-generic.c   2011-11-15 20:02:59.000000000 -0500
27866 @@ -53,7 +53,7 @@ static const struct ide_port_ops netcell
27867                 .udma_mask      = ATA_UDMA6, \
27868         }
27869  
27870 -static const struct ide_port_info generic_chipsets[] __devinitdata = {
27871 +static const struct ide_port_info generic_chipsets[] __devinitconst = {
27872         /*  0: Unknown */
27873         DECLARE_GENERIC_PCI_DEV(0),
27874  
27875 diff -urNp linux-3.0.9/drivers/ide/it8172.c linux-3.0.9/drivers/ide/it8172.c
27876 --- linux-3.0.9/drivers/ide/it8172.c    2011-11-11 13:12:24.000000000 -0500
27877 +++ linux-3.0.9/drivers/ide/it8172.c    2011-11-15 20:02:59.000000000 -0500
27878 @@ -115,7 +115,7 @@ static const struct ide_port_ops it8172_
27879         .set_dma_mode   = it8172_set_dma_mode,
27880  };
27881  
27882 -static const struct ide_port_info it8172_port_info __devinitdata = {
27883 +static const struct ide_port_info it8172_port_info __devinitconst = {
27884         .name           = DRV_NAME,
27885         .port_ops       = &it8172_port_ops,
27886         .enablebits     = { {0x41, 0x80, 0x80}, {0x00, 0x00, 0x00} },
27887 diff -urNp linux-3.0.9/drivers/ide/it8213.c linux-3.0.9/drivers/ide/it8213.c
27888 --- linux-3.0.9/drivers/ide/it8213.c    2011-11-11 13:12:24.000000000 -0500
27889 +++ linux-3.0.9/drivers/ide/it8213.c    2011-11-15 20:02:59.000000000 -0500
27890 @@ -156,7 +156,7 @@ static const struct ide_port_ops it8213_
27891         .cable_detect           = it8213_cable_detect,
27892  };
27893  
27894 -static const struct ide_port_info it8213_chipset __devinitdata = {
27895 +static const struct ide_port_info it8213_chipset __devinitconst = {
27896         .name           = DRV_NAME,
27897         .enablebits     = { {0x41, 0x80, 0x80} },
27898         .port_ops       = &it8213_port_ops,
27899 diff -urNp linux-3.0.9/drivers/ide/it821x.c linux-3.0.9/drivers/ide/it821x.c
27900 --- linux-3.0.9/drivers/ide/it821x.c    2011-11-11 13:12:24.000000000 -0500
27901 +++ linux-3.0.9/drivers/ide/it821x.c    2011-11-15 20:02:59.000000000 -0500
27902 @@ -630,7 +630,7 @@ static const struct ide_port_ops it821x_
27903         .cable_detect           = it821x_cable_detect,
27904  };
27905  
27906 -static const struct ide_port_info it821x_chipset __devinitdata = {
27907 +static const struct ide_port_info it821x_chipset __devinitconst = {
27908         .name           = DRV_NAME,
27909         .init_chipset   = init_chipset_it821x,
27910         .init_hwif      = init_hwif_it821x,
27911 diff -urNp linux-3.0.9/drivers/ide/jmicron.c linux-3.0.9/drivers/ide/jmicron.c
27912 --- linux-3.0.9/drivers/ide/jmicron.c   2011-11-11 13:12:24.000000000 -0500
27913 +++ linux-3.0.9/drivers/ide/jmicron.c   2011-11-15 20:02:59.000000000 -0500
27914 @@ -102,7 +102,7 @@ static const struct ide_port_ops jmicron
27915         .cable_detect           = jmicron_cable_detect,
27916  };
27917  
27918 -static const struct ide_port_info jmicron_chipset __devinitdata = {
27919 +static const struct ide_port_info jmicron_chipset __devinitconst = {
27920         .name           = DRV_NAME,
27921         .enablebits     = { { 0x40, 0x01, 0x01 }, { 0x40, 0x10, 0x10 } },
27922         .port_ops       = &jmicron_port_ops,
27923 diff -urNp linux-3.0.9/drivers/ide/ns87415.c linux-3.0.9/drivers/ide/ns87415.c
27924 --- linux-3.0.9/drivers/ide/ns87415.c   2011-11-11 13:12:24.000000000 -0500
27925 +++ linux-3.0.9/drivers/ide/ns87415.c   2011-11-15 20:02:59.000000000 -0500
27926 @@ -293,7 +293,7 @@ static const struct ide_dma_ops ns87415_
27927         .dma_sff_read_status    = superio_dma_sff_read_status,
27928  };
27929  
27930 -static const struct ide_port_info ns87415_chipset __devinitdata = {
27931 +static const struct ide_port_info ns87415_chipset __devinitconst = {
27932         .name           = DRV_NAME,
27933         .init_hwif      = init_hwif_ns87415,
27934         .tp_ops         = &ns87415_tp_ops,
27935 diff -urNp linux-3.0.9/drivers/ide/opti621.c linux-3.0.9/drivers/ide/opti621.c
27936 --- linux-3.0.9/drivers/ide/opti621.c   2011-11-11 13:12:24.000000000 -0500
27937 +++ linux-3.0.9/drivers/ide/opti621.c   2011-11-15 20:02:59.000000000 -0500
27938 @@ -131,7 +131,7 @@ static const struct ide_port_ops opti621
27939         .set_pio_mode           = opti621_set_pio_mode,
27940  };
27941  
27942 -static const struct ide_port_info opti621_chipset __devinitdata = {
27943 +static const struct ide_port_info opti621_chipset __devinitconst = {
27944         .name           = DRV_NAME,
27945         .enablebits     = { {0x45, 0x80, 0x00}, {0x40, 0x08, 0x00} },
27946         .port_ops       = &opti621_port_ops,
27947 diff -urNp linux-3.0.9/drivers/ide/pdc202xx_new.c linux-3.0.9/drivers/ide/pdc202xx_new.c
27948 --- linux-3.0.9/drivers/ide/pdc202xx_new.c      2011-11-11 13:12:24.000000000 -0500
27949 +++ linux-3.0.9/drivers/ide/pdc202xx_new.c      2011-11-15 20:02:59.000000000 -0500
27950 @@ -465,7 +465,7 @@ static const struct ide_port_ops pdcnew_
27951                 .udma_mask      = udma, \
27952         }
27953  
27954 -static const struct ide_port_info pdcnew_chipsets[] __devinitdata = {
27955 +static const struct ide_port_info pdcnew_chipsets[] __devinitconst = {
27956         /* 0: PDC202{68,70} */          DECLARE_PDCNEW_DEV(ATA_UDMA5),
27957         /* 1: PDC202{69,71,75,76,77} */ DECLARE_PDCNEW_DEV(ATA_UDMA6),
27958  };
27959 diff -urNp linux-3.0.9/drivers/ide/pdc202xx_old.c linux-3.0.9/drivers/ide/pdc202xx_old.c
27960 --- linux-3.0.9/drivers/ide/pdc202xx_old.c      2011-11-11 13:12:24.000000000 -0500
27961 +++ linux-3.0.9/drivers/ide/pdc202xx_old.c      2011-11-15 20:02:59.000000000 -0500
27962 @@ -270,7 +270,7 @@ static const struct ide_dma_ops pdc2026x
27963                 .max_sectors    = sectors, \
27964         }
27965  
27966 -static const struct ide_port_info pdc202xx_chipsets[] __devinitdata = {
27967 +static const struct ide_port_info pdc202xx_chipsets[] __devinitconst = {
27968         {       /* 0: PDC20246 */
27969                 .name           = DRV_NAME,
27970                 .init_chipset   = init_chipset_pdc202xx,
27971 diff -urNp linux-3.0.9/drivers/ide/piix.c linux-3.0.9/drivers/ide/piix.c
27972 --- linux-3.0.9/drivers/ide/piix.c      2011-11-11 13:12:24.000000000 -0500
27973 +++ linux-3.0.9/drivers/ide/piix.c      2011-11-15 20:02:59.000000000 -0500
27974 @@ -344,7 +344,7 @@ static const struct ide_port_ops ich_por
27975                 .udma_mask      = udma, \
27976         }
27977  
27978 -static const struct ide_port_info piix_pci_info[] __devinitdata = {
27979 +static const struct ide_port_info piix_pci_info[] __devinitconst = {
27980         /* 0: MPIIX */
27981         {       /*
27982                  * MPIIX actually has only a single IDE channel mapped to
27983 diff -urNp linux-3.0.9/drivers/ide/rz1000.c linux-3.0.9/drivers/ide/rz1000.c
27984 --- linux-3.0.9/drivers/ide/rz1000.c    2011-11-11 13:12:24.000000000 -0500
27985 +++ linux-3.0.9/drivers/ide/rz1000.c    2011-11-15 20:02:59.000000000 -0500
27986 @@ -38,7 +38,7 @@ static int __devinit rz1000_disable_read
27987         }
27988  }
27989  
27990 -static const struct ide_port_info rz1000_chipset __devinitdata = {
27991 +static const struct ide_port_info rz1000_chipset __devinitconst = {
27992         .name           = DRV_NAME,
27993         .host_flags     = IDE_HFLAG_NO_DMA,
27994  };
27995 diff -urNp linux-3.0.9/drivers/ide/sc1200.c linux-3.0.9/drivers/ide/sc1200.c
27996 --- linux-3.0.9/drivers/ide/sc1200.c    2011-11-11 13:12:24.000000000 -0500
27997 +++ linux-3.0.9/drivers/ide/sc1200.c    2011-11-15 20:02:59.000000000 -0500
27998 @@ -291,7 +291,7 @@ static const struct ide_dma_ops sc1200_d
27999         .dma_sff_read_status    = ide_dma_sff_read_status,
28000  };
28001  
28002 -static const struct ide_port_info sc1200_chipset __devinitdata = {
28003 +static const struct ide_port_info sc1200_chipset __devinitconst = {
28004         .name           = DRV_NAME,
28005         .port_ops       = &sc1200_port_ops,
28006         .dma_ops        = &sc1200_dma_ops,
28007 diff -urNp linux-3.0.9/drivers/ide/scc_pata.c linux-3.0.9/drivers/ide/scc_pata.c
28008 --- linux-3.0.9/drivers/ide/scc_pata.c  2011-11-11 13:12:24.000000000 -0500
28009 +++ linux-3.0.9/drivers/ide/scc_pata.c  2011-11-15 20:02:59.000000000 -0500
28010 @@ -811,7 +811,7 @@ static const struct ide_dma_ops scc_dma_
28011         .dma_sff_read_status    = scc_dma_sff_read_status,
28012  };
28013  
28014 -static const struct ide_port_info scc_chipset __devinitdata = {
28015 +static const struct ide_port_info scc_chipset __devinitconst = {
28016         .name           = "sccIDE",
28017         .init_iops      = init_iops_scc,
28018         .init_dma       = scc_init_dma,
28019 diff -urNp linux-3.0.9/drivers/ide/serverworks.c linux-3.0.9/drivers/ide/serverworks.c
28020 --- linux-3.0.9/drivers/ide/serverworks.c       2011-11-11 13:12:24.000000000 -0500
28021 +++ linux-3.0.9/drivers/ide/serverworks.c       2011-11-15 20:02:59.000000000 -0500
28022 @@ -337,7 +337,7 @@ static const struct ide_port_ops svwks_p
28023         .cable_detect           = svwks_cable_detect,
28024  };
28025  
28026 -static const struct ide_port_info serverworks_chipsets[] __devinitdata = {
28027 +static const struct ide_port_info serverworks_chipsets[] __devinitconst = {
28028         {       /* 0: OSB4 */
28029                 .name           = DRV_NAME,
28030                 .init_chipset   = init_chipset_svwks,
28031 diff -urNp linux-3.0.9/drivers/ide/setup-pci.c linux-3.0.9/drivers/ide/setup-pci.c
28032 --- linux-3.0.9/drivers/ide/setup-pci.c 2011-11-11 13:12:24.000000000 -0500
28033 +++ linux-3.0.9/drivers/ide/setup-pci.c 2011-11-15 20:02:59.000000000 -0500
28034 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
28035         int ret, i, n_ports = dev2 ? 4 : 2;
28036         struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
28037  
28038 +       pax_track_stack();
28039 +
28040         for (i = 0; i < n_ports / 2; i++) {
28041                 ret = ide_setup_pci_controller(pdev[i], d, !i);
28042                 if (ret < 0)
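Review bot: The added `pax_track_stack()` call carries no comment saying why this function needs it; the `struct ide_hw hw[4]` array declared just above is presumably the reason (a large automatic array that PaX's stack-depth tracking has to account for), but a reader of ide_pci_init_two cannot tell that from the bare call. I'd annotate it `/* hw[] is a large on-stack array; let PaX track the stack depth it reaches */`. The same applies to the `pax_track_stack()` added to atomic_counters_read in ipath_fs.c further down, where the on-stack object is `struct infinipath_counters counters`. The enclosing function ide_pci_init_two begins outside the hunk.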
28043 diff -urNp linux-3.0.9/drivers/ide/siimage.c linux-3.0.9/drivers/ide/siimage.c
28044 --- linux-3.0.9/drivers/ide/siimage.c   2011-11-11 13:12:24.000000000 -0500
28045 +++ linux-3.0.9/drivers/ide/siimage.c   2011-11-15 20:02:59.000000000 -0500
28046 @@ -719,7 +719,7 @@ static const struct ide_dma_ops sil_dma_
28047                 .udma_mask      = ATA_UDMA6,            \
28048         }
28049  
28050 -static const struct ide_port_info siimage_chipsets[] __devinitdata = {
28051 +static const struct ide_port_info siimage_chipsets[] __devinitconst = {
28052         /* 0: SiI680 */  DECLARE_SII_DEV(&sil_pata_port_ops),
28053         /* 1: SiI3112 */ DECLARE_SII_DEV(&sil_sata_port_ops)
28054  };
28055 diff -urNp linux-3.0.9/drivers/ide/sis5513.c linux-3.0.9/drivers/ide/sis5513.c
28056 --- linux-3.0.9/drivers/ide/sis5513.c   2011-11-11 13:12:24.000000000 -0500
28057 +++ linux-3.0.9/drivers/ide/sis5513.c   2011-11-15 20:02:59.000000000 -0500
28058 @@ -563,7 +563,7 @@ static const struct ide_port_ops sis_ata
28059         .cable_detect           = sis_cable_detect,
28060  };
28061  
28062 -static const struct ide_port_info sis5513_chipset __devinitdata = {
28063 +static const struct ide_port_info sis5513_chipset __devinitconst = {
28064         .name           = DRV_NAME,
28065         .init_chipset   = init_chipset_sis5513,
28066         .enablebits     = { {0x4a, 0x02, 0x02}, {0x4a, 0x04, 0x04} },
28067 diff -urNp linux-3.0.9/drivers/ide/sl82c105.c linux-3.0.9/drivers/ide/sl82c105.c
28068 --- linux-3.0.9/drivers/ide/sl82c105.c  2011-11-11 13:12:24.000000000 -0500
28069 +++ linux-3.0.9/drivers/ide/sl82c105.c  2011-11-15 20:02:59.000000000 -0500
28070 @@ -299,7 +299,7 @@ static const struct ide_dma_ops sl82c105
28071         .dma_sff_read_status    = ide_dma_sff_read_status,
28072  };
28073  
28074 -static const struct ide_port_info sl82c105_chipset __devinitdata = {
28075 +static const struct ide_port_info sl82c105_chipset __devinitconst = {
28076         .name           = DRV_NAME,
28077         .init_chipset   = init_chipset_sl82c105,
28078         .enablebits     = {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
28079 diff -urNp linux-3.0.9/drivers/ide/slc90e66.c linux-3.0.9/drivers/ide/slc90e66.c
28080 --- linux-3.0.9/drivers/ide/slc90e66.c  2011-11-11 13:12:24.000000000 -0500
28081 +++ linux-3.0.9/drivers/ide/slc90e66.c  2011-11-15 20:02:59.000000000 -0500
28082 @@ -132,7 +132,7 @@ static const struct ide_port_ops slc90e6
28083         .cable_detect           = slc90e66_cable_detect,
28084  };
28085  
28086 -static const struct ide_port_info slc90e66_chipset __devinitdata = {
28087 +static const struct ide_port_info slc90e66_chipset __devinitconst = {
28088         .name           = DRV_NAME,
28089         .enablebits     = { {0x41, 0x80, 0x80}, {0x43, 0x80, 0x80} },
28090         .port_ops       = &slc90e66_port_ops,
28091 diff -urNp linux-3.0.9/drivers/ide/tc86c001.c linux-3.0.9/drivers/ide/tc86c001.c
28092 --- linux-3.0.9/drivers/ide/tc86c001.c  2011-11-11 13:12:24.000000000 -0500
28093 +++ linux-3.0.9/drivers/ide/tc86c001.c  2011-11-15 20:02:59.000000000 -0500
28094 @@ -191,7 +191,7 @@ static const struct ide_dma_ops tc86c001
28095         .dma_sff_read_status    = ide_dma_sff_read_status,
28096  };
28097  
28098 -static const struct ide_port_info tc86c001_chipset __devinitdata = {
28099 +static const struct ide_port_info tc86c001_chipset __devinitconst = {
28100         .name           = DRV_NAME,
28101         .init_hwif      = init_hwif_tc86c001,
28102         .port_ops       = &tc86c001_port_ops,
28103 diff -urNp linux-3.0.9/drivers/ide/triflex.c linux-3.0.9/drivers/ide/triflex.c
28104 --- linux-3.0.9/drivers/ide/triflex.c   2011-11-11 13:12:24.000000000 -0500
28105 +++ linux-3.0.9/drivers/ide/triflex.c   2011-11-15 20:02:59.000000000 -0500
28106 @@ -92,7 +92,7 @@ static const struct ide_port_ops triflex
28107         .set_dma_mode           = triflex_set_mode,
28108  };
28109  
28110 -static const struct ide_port_info triflex_device __devinitdata = {
28111 +static const struct ide_port_info triflex_device __devinitconst = {
28112         .name           = DRV_NAME,
28113         .enablebits     = {{0x80, 0x01, 0x01}, {0x80, 0x02, 0x02}},
28114         .port_ops       = &triflex_port_ops,
28115 diff -urNp linux-3.0.9/drivers/ide/trm290.c linux-3.0.9/drivers/ide/trm290.c
28116 --- linux-3.0.9/drivers/ide/trm290.c    2011-11-11 13:12:24.000000000 -0500
28117 +++ linux-3.0.9/drivers/ide/trm290.c    2011-11-15 20:02:59.000000000 -0500
28118 @@ -324,7 +324,7 @@ static struct ide_dma_ops trm290_dma_ops
28119         .dma_check              = trm290_dma_check,
28120  };
28121  
28122 -static const struct ide_port_info trm290_chipset __devinitdata = {
28123 +static const struct ide_port_info trm290_chipset __devinitconst = {
28124         .name           = DRV_NAME,
28125         .init_hwif      = init_hwif_trm290,
28126         .tp_ops         = &trm290_tp_ops,
28127 diff -urNp linux-3.0.9/drivers/ide/via82cxxx.c linux-3.0.9/drivers/ide/via82cxxx.c
28128 --- linux-3.0.9/drivers/ide/via82cxxx.c 2011-11-11 13:12:24.000000000 -0500
28129 +++ linux-3.0.9/drivers/ide/via82cxxx.c 2011-11-15 20:02:59.000000000 -0500
28130 @@ -403,7 +403,7 @@ static const struct ide_port_ops via_por
28131         .cable_detect           = via82cxxx_cable_detect,
28132  };
28133  
28134 -static const struct ide_port_info via82cxxx_chipset __devinitdata = {
28135 +static const struct ide_port_info via82cxxx_chipset __devinitconst = {
28136         .name           = DRV_NAME,
28137         .init_chipset   = init_chipset_via82cxxx,
28138         .enablebits     = { { 0x40, 0x02, 0x02 }, { 0x40, 0x01, 0x01 } },
28139 diff -urNp linux-3.0.9/drivers/infiniband/core/cm.c linux-3.0.9/drivers/infiniband/core/cm.c
28140 --- linux-3.0.9/drivers/infiniband/core/cm.c    2011-11-11 13:12:24.000000000 -0500
28141 +++ linux-3.0.9/drivers/infiniband/core/cm.c    2011-11-15 20:02:59.000000000 -0500
28142 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
28143  
28144  struct cm_counter_group {
28145         struct kobject obj;
28146 -       atomic_long_t counter[CM_ATTR_COUNT];
28147 +       atomic_long_unchecked_t counter[CM_ATTR_COUNT];
28148  };
28149  
28150  struct cm_counter_attribute {
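Review bot: Switching `counter[]` to `atomic_long_unchecked_t` opts these fields out of the REFCOUNT overflow check without recording why, and that rationale belongs on the field itself. The visible uses — increments and adds from the receive/send handlers and a plain `atomic_long_read_unchecked` formatted with `%ld` in cm_show_counter — show they are event statistics rather than object reference counts, so wraparound cannot cause a use-after-free and a checked atomic would only yield false positives on a long-running node. Suggest `/* statistics only (exposed via sysfs), never used for lifetime: wrap is harmless */` above the array. The remaining hunks in this file are the matching accessor conversions; a missed one would fail to compile on the type mismatch, which is a useful property of doing it through the type.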
28151 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
28152         struct ib_mad_send_buf *msg = NULL;
28153         int ret;
28154  
28155 -       atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28156 +       atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28157                         counter[CM_REQ_COUNTER]);
28158  
28159         /* Quick state check to discard duplicate REQs. */
28160 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
28161         if (!cm_id_priv)
28162                 return;
28163  
28164 -       atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28165 +       atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28166                         counter[CM_REP_COUNTER]);
28167         ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
28168         if (ret)
28169 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
28170         if (cm_id_priv->id.state != IB_CM_REP_SENT &&
28171             cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
28172                 spin_unlock_irq(&cm_id_priv->lock);
28173 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28174 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28175                                 counter[CM_RTU_COUNTER]);
28176                 goto out;
28177         }
28178 @@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
28179         cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
28180                                    dreq_msg->local_comm_id);
28181         if (!cm_id_priv) {
28182 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28183 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28184                                 counter[CM_DREQ_COUNTER]);
28185                 cm_issue_drep(work->port, work->mad_recv_wc);
28186                 return -EINVAL;
28187 @@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
28188         case IB_CM_MRA_REP_RCVD:
28189                 break;
28190         case IB_CM_TIMEWAIT:
28191 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28192 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28193                                 counter[CM_DREQ_COUNTER]);
28194                 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
28195                         goto unlock;
28196 @@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
28197                         cm_free_msg(msg);
28198                 goto deref;
28199         case IB_CM_DREQ_RCVD:
28200 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28201 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28202                                 counter[CM_DREQ_COUNTER]);
28203                 goto unlock;
28204         default:
28205 @@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
28206                     ib_modify_mad(cm_id_priv->av.port->mad_agent,
28207                                   cm_id_priv->msg, timeout)) {
28208                         if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
28209 -                               atomic_long_inc(&work->port->
28210 +                               atomic_long_inc_unchecked(&work->port->
28211                                                 counter_group[CM_RECV_DUPLICATES].
28212                                                 counter[CM_MRA_COUNTER]);
28213                         goto out;
28214 @@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
28215                 break;
28216         case IB_CM_MRA_REQ_RCVD:
28217         case IB_CM_MRA_REP_RCVD:
28218 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28219 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28220                                 counter[CM_MRA_COUNTER]);
28221                 /* fall through */
28222         default:
28223 @@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
28224         case IB_CM_LAP_IDLE:
28225                 break;
28226         case IB_CM_MRA_LAP_SENT:
28227 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28228 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28229                                 counter[CM_LAP_COUNTER]);
28230                 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
28231                         goto unlock;
28232 @@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
28233                         cm_free_msg(msg);
28234                 goto deref;
28235         case IB_CM_LAP_RCVD:
28236 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28237 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28238                                 counter[CM_LAP_COUNTER]);
28239                 goto unlock;
28240         default:
28241 @@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
28242         cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
28243         if (cur_cm_id_priv) {
28244                 spin_unlock_irq(&cm.lock);
28245 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28246 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28247                                 counter[CM_SIDR_REQ_COUNTER]);
28248                 goto out; /* Duplicate message. */
28249         }
28250 @@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
28251         if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
28252                 msg->retries = 1;
28253  
28254 -       atomic_long_add(1 + msg->retries,
28255 +       atomic_long_add_unchecked(1 + msg->retries,
28256                         &port->counter_group[CM_XMIT].counter[attr_index]);
28257         if (msg->retries)
28258 -               atomic_long_add(msg->retries,
28259 +               atomic_long_add_unchecked(msg->retries,
28260                                 &port->counter_group[CM_XMIT_RETRIES].
28261                                 counter[attr_index]);
28262  
28263 @@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
28264         }
28265  
28266         attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
28267 -       atomic_long_inc(&port->counter_group[CM_RECV].
28268 +       atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
28269                         counter[attr_id - CM_ATTR_ID_OFFSET]);
28270  
28271         work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
28272 @@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
28273         cm_attr = container_of(attr, struct cm_counter_attribute, attr);
28274  
28275         return sprintf(buf, "%ld\n",
28276 -                      atomic_long_read(&group->counter[cm_attr->index]));
28277 +                      atomic_long_read_unchecked(&group->counter[cm_attr->index]));
28278  }
28279  
28280  static const struct sysfs_ops cm_counter_ops = {
28281 diff -urNp linux-3.0.9/drivers/infiniband/core/fmr_pool.c linux-3.0.9/drivers/infiniband/core/fmr_pool.c
28282 --- linux-3.0.9/drivers/infiniband/core/fmr_pool.c      2011-11-11 13:12:24.000000000 -0500
28283 +++ linux-3.0.9/drivers/infiniband/core/fmr_pool.c      2011-11-15 20:02:59.000000000 -0500
28284 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
28285  
28286         struct task_struct       *thread;
28287  
28288 -       atomic_t                  req_ser;
28289 -       atomic_t                  flush_ser;
28290 +       atomic_unchecked_t        req_ser;
28291 +       atomic_unchecked_t        flush_ser;
28292  
28293         wait_queue_head_t         force_wait;
28294  };
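Review bot: `req_ser` and `flush_ser` become `atomic_unchecked_t` without a comment, and for these two the opt-out is load-bearing rather than cosmetic: the later hunks compare them by signed difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`, and `- serial >= 0` in ib_flush_fmr_pool), an idiom that only works if the serials are allowed to wrap. A comment such as `/* request/flush serial numbers compared by signed difference; wrap is intended, these are not refcounts */` would stop a future cleanup from reverting them to checked atomics. The struct ib_fmr_pool definition starts outside the hunk.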
28295 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
28296         struct ib_fmr_pool *pool = pool_ptr;
28297  
28298         do {
28299 -               if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
28300 +               if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
28301                         ib_fmr_batch_release(pool);
28302  
28303 -                       atomic_inc(&pool->flush_ser);
28304 +                       atomic_inc_unchecked(&pool->flush_ser);
28305                         wake_up_interruptible(&pool->force_wait);
28306  
28307                         if (pool->flush_function)
28308 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
28309                 }
28310  
28311                 set_current_state(TASK_INTERRUPTIBLE);
28312 -               if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
28313 +               if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
28314                     !kthread_should_stop())
28315                         schedule();
28316                 __set_current_state(TASK_RUNNING);
28317 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
28318         pool->dirty_watermark = params->dirty_watermark;
28319         pool->dirty_len       = 0;
28320         spin_lock_init(&pool->pool_lock);
28321 -       atomic_set(&pool->req_ser,   0);
28322 -       atomic_set(&pool->flush_ser, 0);
28323 +       atomic_set_unchecked(&pool->req_ser,   0);
28324 +       atomic_set_unchecked(&pool->flush_ser, 0);
28325         init_waitqueue_head(&pool->force_wait);
28326  
28327         pool->thread = kthread_run(ib_fmr_cleanup_thread,
28328 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
28329         }
28330         spin_unlock_irq(&pool->pool_lock);
28331  
28332 -       serial = atomic_inc_return(&pool->req_ser);
28333 +       serial = atomic_inc_return_unchecked(&pool->req_ser);
28334         wake_up_process(pool->thread);
28335  
28336         if (wait_event_interruptible(pool->force_wait,
28337 -                                    atomic_read(&pool->flush_ser) - serial >= 0))
28338 +                                    atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
28339                 return -EINTR;
28340  
28341         return 0;
28342 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
28343                 } else {
28344                         list_add_tail(&fmr->list, &pool->dirty_list);
28345                         if (++pool->dirty_len >= pool->dirty_watermark) {
28346 -                               atomic_inc(&pool->req_ser);
28347 +                               atomic_inc_unchecked(&pool->req_ser);
28348                                 wake_up_process(pool->thread);
28349                         }
28350                 }
28351 diff -urNp linux-3.0.9/drivers/infiniband/hw/cxgb4/mem.c linux-3.0.9/drivers/infiniband/hw/cxgb4/mem.c
28352 --- linux-3.0.9/drivers/infiniband/hw/cxgb4/mem.c       2011-11-11 13:12:24.000000000 -0500
28353 +++ linux-3.0.9/drivers/infiniband/hw/cxgb4/mem.c       2011-11-15 20:02:59.000000000 -0500
28354 @@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
28355         int err;
28356         struct fw_ri_tpte tpt;
28357         u32 stag_idx;
28358 -       static atomic_t key;
28359 +       static atomic_unchecked_t key;
28360  
28361         if (c4iw_fatal_error(rdev))
28362                 return -EIO;
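Review bot: The `static atomic_unchecked_t key` in write_tpt_entry should say why it is exempt from overflow checking: the next hunk shows only the low 8 bits are consumed (`atomic_inc_return_unchecked(&key) & 0xff`) as the low byte of the returned stag, so the counter is expected to wrap many times over the life of the device and a checked atomic would eventually trip. Suggest `/* 8-bit rolling key for the stag low byte; wraps by design */` on the declaration. A function-scope static like this is also shared by every device the driver handles, which is pre-existing behaviour but worth a word in the same comment if it is intended.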
28363 @@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
28364                                              &rdev->resource.tpt_fifo_lock);
28365                 if (!stag_idx)
28366                         return -ENOMEM;
28367 -               *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
28368 +               *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
28369         }
28370         PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
28371              __func__, stag_state, type, pdid, stag_idx);
28372 diff -urNp linux-3.0.9/drivers/infiniband/hw/ipath/ipath_fs.c linux-3.0.9/drivers/infiniband/hw/ipath/ipath_fs.c
28373 --- linux-3.0.9/drivers/infiniband/hw/ipath/ipath_fs.c  2011-11-11 13:12:24.000000000 -0500
28374 +++ linux-3.0.9/drivers/infiniband/hw/ipath/ipath_fs.c  2011-11-15 20:02:59.000000000 -0500
28375 @@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
28376         struct infinipath_counters counters;
28377         struct ipath_devdata *dd;
28378  
28379 +       pax_track_stack();
28380 +
28381         dd = file->f_path.dentry->d_inode->i_private;
28382         dd->ipath_f_read_counters(dd, &counters);
28383  
28384 diff -urNp linux-3.0.9/drivers/infiniband/hw/ipath/ipath_rc.c linux-3.0.9/drivers/infiniband/hw/ipath/ipath_rc.c
28385 --- linux-3.0.9/drivers/infiniband/hw/ipath/ipath_rc.c  2011-11-11 13:12:24.000000000 -0500
28386 +++ linux-3.0.9/drivers/infiniband/hw/ipath/ipath_rc.c  2011-11-15 20:02:59.000000000 -0500
28387 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28388                 struct ib_atomic_eth *ateth;
28389                 struct ipath_ack_entry *e;
28390                 u64 vaddr;
28391 -               atomic64_t *maddr;
28392 +               atomic64_unchecked_t *maddr;
28393                 u64 sdata;
28394                 u32 rkey;
28395                 u8 next;
28396 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28397                                             IB_ACCESS_REMOTE_ATOMIC)))
28398                         goto nack_acc_unlck;
28399                 /* Perform atomic OP and save result. */
28400 -               maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28401 +               maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28402                 sdata = be64_to_cpu(ateth->swap_data);
28403                 e = &qp->s_ack_queue[qp->r_head_ack_queue];
28404                 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
28405 -                       (u64) atomic64_add_return(sdata, maddr) - sdata :
28406 +                       (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28407                         (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28408                                       be64_to_cpu(ateth->compare_data),
28409                                       sdata);
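Review bot: The `atomic64_unchecked_t` cast of `qp->r_sge.sge.vaddr` deserves a comment, because here the opt-out is a correctness requirement rather than a convenience: the target is memory the peer registered for remote atomics (the `IB_ACCESS_REMOTE_ATOMIC` check two lines above) and the addend `sdata` appears to come straight from the received packet's atomic header, so the value being added to is arbitrary user data and a REFCOUNT overflow trap could be hit by ordinary FETCH_ADD traffic. Suggest `/* RDMA atomic on peer-registered memory: arbitrary data, not a kernel refcount; overflow is the application's concern */` at the cast. The same change appears in ipath_ruc_loopback in ipath_ruc.c and in the declaration hunk above; one comment at each cast is enough. ipath_rc_rcv begins outside the hunk.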
28410 diff -urNp linux-3.0.9/drivers/infiniband/hw/ipath/ipath_ruc.c linux-3.0.9/drivers/infiniband/hw/ipath/ipath_ruc.c
28411 --- linux-3.0.9/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-11-11 13:12:24.000000000 -0500
28412 +++ linux-3.0.9/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-11-15 20:02:59.000000000 -0500
28413 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
28414         unsigned long flags;
28415         struct ib_wc wc;
28416         u64 sdata;
28417 -       atomic64_t *maddr;
28418 +       atomic64_unchecked_t *maddr;
28419         enum ib_wc_status send_status;
28420  
28421         /*
28422 @@ -382,11 +382,11 @@ again:
28423                                             IB_ACCESS_REMOTE_ATOMIC)))
28424                         goto acc_err;
28425                 /* Perform atomic OP and save result. */
28426 -               maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28427 +               maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28428                 sdata = wqe->wr.wr.atomic.compare_add;
28429                 *(u64 *) sqp->s_sge.sge.vaddr =
28430                         (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
28431 -                       (u64) atomic64_add_return(sdata, maddr) - sdata :
28432 +                       (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28433                         (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28434                                       sdata, wqe->wr.wr.atomic.swap);
28435                 goto send_comp;
28436 diff -urNp linux-3.0.9/drivers/infiniband/hw/nes/nes.c linux-3.0.9/drivers/infiniband/hw/nes/nes.c
28437 --- linux-3.0.9/drivers/infiniband/hw/nes/nes.c 2011-11-11 13:12:24.000000000 -0500
28438 +++ linux-3.0.9/drivers/infiniband/hw/nes/nes.c 2011-11-15 20:02:59.000000000 -0500
28439 @@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
28440  LIST_HEAD(nes_adapter_list);
28441  static LIST_HEAD(nes_dev_list);
28442  
28443 -atomic_t qps_destroyed;
28444 +atomic_unchecked_t qps_destroyed;
28445  
28446  static unsigned int ee_flsh_adapter;
28447  static unsigned int sysfs_nonidx_addr;
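Review bot: `qps_destroyed` is a non-static global whose type changes to `atomic_unchecked_t`, so its extern declaration and every reader elsewhere in the driver must change in the same patch or the build breaks on the type mismatch; none of those are visible in this chunk, so please confirm they are covered. The same applies to the block of exported `cm_*` counters in nes_cm.c (`cm_listens_created`, `cm_connects`, and the rest). It is also worth recording for the reader why these are exempt: they are bumped on events (`nes_cqp_rem_ref_callback`, `drop_packet`, `handle_rst_pkt`) and never used for object lifetime, unlike `cm_node->ref_count` and `cm_core->node_cnt`, which the patch leaves as checked `atomic_t`. A one-line comment on the globals, `/* driver statistics, not refcounts: exempt from REFCOUNT overflow checks */`, would capture that distinction.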
28448 @@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
28449         struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
28450         struct nes_adapter *nesadapter = nesdev->nesadapter;
28451  
28452 -       atomic_inc(&qps_destroyed);
28453 +       atomic_inc_unchecked(&qps_destroyed);
28454  
28455         /* Free the control structures */
28456  
28457 diff -urNp linux-3.0.9/drivers/infiniband/hw/nes/nes_cm.c linux-3.0.9/drivers/infiniband/hw/nes/nes_cm.c
28458 --- linux-3.0.9/drivers/infiniband/hw/nes/nes_cm.c      2011-11-11 13:12:24.000000000 -0500
28459 +++ linux-3.0.9/drivers/infiniband/hw/nes/nes_cm.c      2011-11-15 20:02:59.000000000 -0500
28460 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
28461  u32 cm_packets_retrans;
28462  u32 cm_packets_created;
28463  u32 cm_packets_received;
28464 -atomic_t cm_listens_created;
28465 -atomic_t cm_listens_destroyed;
28466 +atomic_unchecked_t cm_listens_created;
28467 +atomic_unchecked_t cm_listens_destroyed;
28468  u32 cm_backlog_drops;
28469 -atomic_t cm_loopbacks;
28470 -atomic_t cm_nodes_created;
28471 -atomic_t cm_nodes_destroyed;
28472 -atomic_t cm_accel_dropped_pkts;
28473 -atomic_t cm_resets_recvd;
28474 +atomic_unchecked_t cm_loopbacks;
28475 +atomic_unchecked_t cm_nodes_created;
28476 +atomic_unchecked_t cm_nodes_destroyed;
28477 +atomic_unchecked_t cm_accel_dropped_pkts;
28478 +atomic_unchecked_t cm_resets_recvd;
28479  
28480  static inline int mini_cm_accelerated(struct nes_cm_core *,
28481         struct nes_cm_node *);
28482 @@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
28483  
28484  static struct nes_cm_core *g_cm_core;
28485  
28486 -atomic_t cm_connects;
28487 -atomic_t cm_accepts;
28488 -atomic_t cm_disconnects;
28489 -atomic_t cm_closes;
28490 -atomic_t cm_connecteds;
28491 -atomic_t cm_connect_reqs;
28492 -atomic_t cm_rejects;
28493 +atomic_unchecked_t cm_connects;
28494 +atomic_unchecked_t cm_accepts;
28495 +atomic_unchecked_t cm_disconnects;
28496 +atomic_unchecked_t cm_closes;
28497 +atomic_unchecked_t cm_connecteds;
28498 +atomic_unchecked_t cm_connect_reqs;
28499 +atomic_unchecked_t cm_rejects;
28500  
28501  
28502  /**
28503 @@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
28504                 kfree(listener);
28505                 listener = NULL;
28506                 ret = 0;
28507 -               atomic_inc(&cm_listens_destroyed);
28508 +               atomic_inc_unchecked(&cm_listens_destroyed);
28509         } else {
28510                 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
28511         }
28512 @@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
28513                   cm_node->rem_mac);
28514  
28515         add_hte_node(cm_core, cm_node);
28516 -       atomic_inc(&cm_nodes_created);
28517 +       atomic_inc_unchecked(&cm_nodes_created);
28518  
28519         return cm_node;
28520  }
28521 @@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
28522         }
28523  
28524         atomic_dec(&cm_core->node_cnt);
28525 -       atomic_inc(&cm_nodes_destroyed);
28526 +       atomic_inc_unchecked(&cm_nodes_destroyed);
28527         nesqp = cm_node->nesqp;
28528         if (nesqp) {
28529                 nesqp->cm_node = NULL;
28530 @@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
28531  
28532  static void drop_packet(struct sk_buff *skb)
28533  {
28534 -       atomic_inc(&cm_accel_dropped_pkts);
28535 +       atomic_inc_unchecked(&cm_accel_dropped_pkts);
28536         dev_kfree_skb_any(skb);
28537  }
28538  
28539 @@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
28540  {
28541  
28542         int     reset = 0;      /* whether to send reset in case of err.. */
28543 -       atomic_inc(&cm_resets_recvd);
28544 +       atomic_inc_unchecked(&cm_resets_recvd);
28545         nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
28546                         " refcnt=%d\n", cm_node, cm_node->state,
28547                         atomic_read(&cm_node->ref_count));
28548 @@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
28549                                 rem_ref_cm_node(cm_node->cm_core, cm_node);
28550                                 return NULL;
28551                         }
28552 -                       atomic_inc(&cm_loopbacks);
28553 +                       atomic_inc_unchecked(&cm_loopbacks);
28554                         loopbackremotenode->loopbackpartner = cm_node;
28555                         loopbackremotenode->tcp_cntxt.rcv_wscale =
28556                                 NES_CM_DEFAULT_RCV_WND_SCALE;
28557 @@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
28558                         add_ref_cm_node(cm_node);
28559                 } else if (cm_node->state == NES_CM_STATE_TSA) {
28560                         rem_ref_cm_node(cm_core, cm_node);
28561 -                       atomic_inc(&cm_accel_dropped_pkts);
28562 +                       atomic_inc_unchecked(&cm_accel_dropped_pkts);
28563                         dev_kfree_skb_any(skb);
28564                         break;
28565                 }
28566 @@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
28567  
28568         if ((cm_id) && (cm_id->event_handler)) {
28569                 if (issue_disconn) {
28570 -                       atomic_inc(&cm_disconnects);
28571 +                       atomic_inc_unchecked(&cm_disconnects);
28572                         cm_event.event = IW_CM_EVENT_DISCONNECT;
28573                         cm_event.status = disconn_status;
28574                         cm_event.local_addr = cm_id->local_addr;
28575 @@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
28576                 }
28577  
28578                 if (issue_close) {
28579 -                       atomic_inc(&cm_closes);
28580 +                       atomic_inc_unchecked(&cm_closes);
28581                         nes_disconnect(nesqp, 1);
28582  
28583                         cm_id->provider_data = nesqp;
28584 @@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
28585  
28586         nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
28587                 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
28588 -       atomic_inc(&cm_accepts);
28589 +       atomic_inc_unchecked(&cm_accepts);
28590  
28591         nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
28592                         netdev_refcnt_read(nesvnic->netdev));
28593 @@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
28594  
28595         struct nes_cm_core *cm_core;
28596  
28597 -       atomic_inc(&cm_rejects);
28598 +       atomic_inc_unchecked(&cm_rejects);
28599         cm_node = (struct nes_cm_node *) cm_id->provider_data;
28600         loopback = cm_node->loopbackpartner;
28601         cm_core = cm_node->cm_core;
28602 @@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id, 
28603                 ntohl(cm_id->local_addr.sin_addr.s_addr),
28604                 ntohs(cm_id->local_addr.sin_port));
28605  
28606 -       atomic_inc(&cm_connects);
28607 +       atomic_inc_unchecked(&cm_connects);
28608         nesqp->active_conn = 1;
28609  
28610         /* cache the cm_id in the qp */
28611 @@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
28612                         g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
28613                         return err;
28614                 }
28615 -               atomic_inc(&cm_listens_created);
28616 +               atomic_inc_unchecked(&cm_listens_created);
28617         }
28618  
28619         cm_id->add_ref(cm_id);
28620 @@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
28621         if (nesqp->destroyed) {
28622                 return;
28623         }
28624 -       atomic_inc(&cm_connecteds);
28625 +       atomic_inc_unchecked(&cm_connecteds);
28626         nes_debug(NES_DBG_CM, "QP%u attempting to connect to  0x%08X:0x%04X on"
28627                         " local port 0x%04X. jiffies = %lu.\n",
28628                         nesqp->hwqp.qp_id,
28629 @@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
28630  
28631         cm_id->add_ref(cm_id);
28632         ret = cm_id->event_handler(cm_id, &cm_event);
28633 -       atomic_inc(&cm_closes);
28634 +       atomic_inc_unchecked(&cm_closes);
28635         cm_event.event = IW_CM_EVENT_CLOSE;
28636         cm_event.status = 0;
28637         cm_event.provider_data = cm_id->provider_data;
28638 @@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
28639                 return;
28640         cm_id = cm_node->cm_id;
28641  
28642 -       atomic_inc(&cm_connect_reqs);
28643 +       atomic_inc_unchecked(&cm_connect_reqs);
28644         nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28645                         cm_node, cm_id, jiffies);
28646  
28647 @@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
28648                 return;
28649         cm_id = cm_node->cm_id;
28650  
28651 -       atomic_inc(&cm_connect_reqs);
28652 +       atomic_inc_unchecked(&cm_connect_reqs);
28653         nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28654                         cm_node, cm_id, jiffies);
28655  
28656 diff -urNp linux-3.0.9/drivers/infiniband/hw/nes/nes.h linux-3.0.9/drivers/infiniband/hw/nes/nes.h
28657 --- linux-3.0.9/drivers/infiniband/hw/nes/nes.h 2011-11-11 13:12:24.000000000 -0500
28658 +++ linux-3.0.9/drivers/infiniband/hw/nes/nes.h 2011-11-15 20:02:59.000000000 -0500
28659 @@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
28660  extern unsigned int wqm_quanta;
28661  extern struct list_head nes_adapter_list;
28662  
28663 -extern atomic_t cm_connects;
28664 -extern atomic_t cm_accepts;
28665 -extern atomic_t cm_disconnects;
28666 -extern atomic_t cm_closes;
28667 -extern atomic_t cm_connecteds;
28668 -extern atomic_t cm_connect_reqs;
28669 -extern atomic_t cm_rejects;
28670 -extern atomic_t mod_qp_timouts;
28671 -extern atomic_t qps_created;
28672 -extern atomic_t qps_destroyed;
28673 -extern atomic_t sw_qps_destroyed;
28674 +extern atomic_unchecked_t cm_connects;
28675 +extern atomic_unchecked_t cm_accepts;
28676 +extern atomic_unchecked_t cm_disconnects;
28677 +extern atomic_unchecked_t cm_closes;
28678 +extern atomic_unchecked_t cm_connecteds;
28679 +extern atomic_unchecked_t cm_connect_reqs;
28680 +extern atomic_unchecked_t cm_rejects;
28681 +extern atomic_unchecked_t mod_qp_timouts;
28682 +extern atomic_unchecked_t qps_created;
28683 +extern atomic_unchecked_t qps_destroyed;
28684 +extern atomic_unchecked_t sw_qps_destroyed;
28685  extern u32 mh_detected;
28686  extern u32 mh_pauses_sent;
28687  extern u32 cm_packets_sent;
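Review bot: Nothing in nes.h says why these counters may skip overflow checking, so a reader of the `atomic_unchecked_t` declarations here (and in the second hunk covering cm_listens_created through cm_resets_recvd, plus the three definitions in the nes_verbs.c hunk) has to work it out from nes_nic.c, where they are only copied into ethtool statistics. A one-line comment above the block would carry that reasoning: `/* statistics only: wraparound is harmless, so overflow detection is disabled */`. The same comment belongs on the definitions in nes_verbs.c.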
28688 @@ -194,14 +194,14 @@ extern u32 cm_packets_created;
28689  extern u32 cm_packets_received;
28690  extern u32 cm_packets_dropped;
28691  extern u32 cm_packets_retrans;
28692 -extern atomic_t cm_listens_created;
28693 -extern atomic_t cm_listens_destroyed;
28694 +extern atomic_unchecked_t cm_listens_created;
28695 +extern atomic_unchecked_t cm_listens_destroyed;
28696  extern u32 cm_backlog_drops;
28697 -extern atomic_t cm_loopbacks;
28698 -extern atomic_t cm_nodes_created;
28699 -extern atomic_t cm_nodes_destroyed;
28700 -extern atomic_t cm_accel_dropped_pkts;
28701 -extern atomic_t cm_resets_recvd;
28702 +extern atomic_unchecked_t cm_loopbacks;
28703 +extern atomic_unchecked_t cm_nodes_created;
28704 +extern atomic_unchecked_t cm_nodes_destroyed;
28705 +extern atomic_unchecked_t cm_accel_dropped_pkts;
28706 +extern atomic_unchecked_t cm_resets_recvd;
28707  
28708  extern u32 int_mod_timer_init;
28709  extern u32 int_mod_cq_depth_256;
28710 diff -urNp linux-3.0.9/drivers/infiniband/hw/nes/nes_nic.c linux-3.0.9/drivers/infiniband/hw/nes/nes_nic.c
28711 --- linux-3.0.9/drivers/infiniband/hw/nes/nes_nic.c     2011-11-11 13:12:24.000000000 -0500
28712 +++ linux-3.0.9/drivers/infiniband/hw/nes/nes_nic.c     2011-11-15 20:02:59.000000000 -0500
28713 @@ -1274,31 +1274,31 @@ static void nes_netdev_get_ethtool_stats
28714         target_stat_values[++index] = mh_detected;
28715         target_stat_values[++index] = mh_pauses_sent;
28716         target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
28717 -       target_stat_values[++index] = atomic_read(&cm_connects);
28718 -       target_stat_values[++index] = atomic_read(&cm_accepts);
28719 -       target_stat_values[++index] = atomic_read(&cm_disconnects);
28720 -       target_stat_values[++index] = atomic_read(&cm_connecteds);
28721 -       target_stat_values[++index] = atomic_read(&cm_connect_reqs);
28722 -       target_stat_values[++index] = atomic_read(&cm_rejects);
28723 -       target_stat_values[++index] = atomic_read(&mod_qp_timouts);
28724 -       target_stat_values[++index] = atomic_read(&qps_created);
28725 -       target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
28726 -       target_stat_values[++index] = atomic_read(&qps_destroyed);
28727 -       target_stat_values[++index] = atomic_read(&cm_closes);
28728 +       target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
28729 +       target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
28730 +       target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
28731 +       target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
28732 +       target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
28733 +       target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
28734 +       target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
28735 +       target_stat_values[++index] = atomic_read_unchecked(&qps_created);
28736 +       target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
28737 +       target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
28738 +       target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
28739         target_stat_values[++index] = cm_packets_sent;
28740         target_stat_values[++index] = cm_packets_bounced;
28741         target_stat_values[++index] = cm_packets_created;
28742         target_stat_values[++index] = cm_packets_received;
28743         target_stat_values[++index] = cm_packets_dropped;
28744         target_stat_values[++index] = cm_packets_retrans;
28745 -       target_stat_values[++index] = atomic_read(&cm_listens_created);
28746 -       target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
28747 +       target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
28748 +       target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
28749         target_stat_values[++index] = cm_backlog_drops;
28750 -       target_stat_values[++index] = atomic_read(&cm_loopbacks);
28751 -       target_stat_values[++index] = atomic_read(&cm_nodes_created);
28752 -       target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
28753 -       target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
28754 -       target_stat_values[++index] = atomic_read(&cm_resets_recvd);
28755 +       target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
28756 +       target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
28757 +       target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
28758 +       target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
28759 +       target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
28760         target_stat_values[++index] = nesadapter->free_4kpbl;
28761         target_stat_values[++index] = nesadapter->free_256pbl;
28762         target_stat_values[++index] = int_mod_timer_init;
28763 diff -urNp linux-3.0.9/drivers/infiniband/hw/nes/nes_verbs.c linux-3.0.9/drivers/infiniband/hw/nes/nes_verbs.c
28764 --- linux-3.0.9/drivers/infiniband/hw/nes/nes_verbs.c   2011-11-11 13:12:24.000000000 -0500
28765 +++ linux-3.0.9/drivers/infiniband/hw/nes/nes_verbs.c   2011-11-15 20:02:59.000000000 -0500
28766 @@ -46,9 +46,9 @@
28767  
28768  #include <rdma/ib_umem.h>
28769  
28770 -atomic_t mod_qp_timouts;
28771 -atomic_t qps_created;
28772 -atomic_t sw_qps_destroyed;
28773 +atomic_unchecked_t mod_qp_timouts;
28774 +atomic_unchecked_t qps_created;
28775 +atomic_unchecked_t sw_qps_destroyed;
28776  
28777  static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
28778  
28779 @@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
28780         if (init_attr->create_flags)
28781                 return ERR_PTR(-EINVAL);
28782  
28783 -       atomic_inc(&qps_created);
28784 +       atomic_inc_unchecked(&qps_created);
28785         switch (init_attr->qp_type) {
28786                 case IB_QPT_RC:
28787                         if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
28788 @@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
28789         struct iw_cm_event cm_event;
28790         int ret;
28791  
28792 -       atomic_inc(&sw_qps_destroyed);
28793 +       atomic_inc_unchecked(&sw_qps_destroyed);
28794         nesqp->destroyed = 1;
28795  
28796         /* Blow away the connection if it exists. */
28797 diff -urNp linux-3.0.9/drivers/infiniband/hw/qib/qib.h linux-3.0.9/drivers/infiniband/hw/qib/qib.h
28798 --- linux-3.0.9/drivers/infiniband/hw/qib/qib.h 2011-11-11 13:12:24.000000000 -0500
28799 +++ linux-3.0.9/drivers/infiniband/hw/qib/qib.h 2011-11-15 20:02:59.000000000 -0500
28800 @@ -51,6 +51,7 @@
28801  #include <linux/completion.h>
28802  #include <linux/kref.h>
28803  #include <linux/sched.h>
28804 +#include <linux/slab.h>
28805  
28806  #include "qib_common.h"
28807  #include "qib_verbs.h"
28808 diff -urNp linux-3.0.9/drivers/input/gameport/gameport.c linux-3.0.9/drivers/input/gameport/gameport.c
28809 --- linux-3.0.9/drivers/input/gameport/gameport.c       2011-11-11 13:12:24.000000000 -0500
28810 +++ linux-3.0.9/drivers/input/gameport/gameport.c       2011-11-15 20:02:59.000000000 -0500
28811 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
28812   */
28813  static void gameport_init_port(struct gameport *gameport)
28814  {
28815 -       static atomic_t gameport_no = ATOMIC_INIT(0);
28816 +       static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
28817  
28818         __module_get(THIS_MODULE);
28819  
28820         mutex_init(&gameport->drv_mutex);
28821         device_initialize(&gameport->dev);
28822         dev_set_name(&gameport->dev, "gameport%lu",
28823 -                       (unsigned long)atomic_inc_return(&gameport_no) - 1);
28824 +                       (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
28825         gameport->dev.bus = &gameport_bus;
28826         gameport->dev.release = gameport_release_port;
28827         if (gameport->parent)
28828 diff -urNp linux-3.0.9/drivers/input/input.c linux-3.0.9/drivers/input/input.c
28829 --- linux-3.0.9/drivers/input/input.c   2011-11-11 13:12:24.000000000 -0500
28830 +++ linux-3.0.9/drivers/input/input.c   2011-11-15 20:02:59.000000000 -0500
28831 @@ -1814,7 +1814,7 @@ static void input_cleanse_bitmasks(struc
28832   */
28833  int input_register_device(struct input_dev *dev)
28834  {
28835 -       static atomic_t input_no = ATOMIC_INIT(0);
28836 +       static atomic_unchecked_t input_no = ATOMIC_INIT(0);
28837         struct input_handler *handler;
28838         const char *path;
28839         int error;
28840 @@ -1851,7 +1851,7 @@ int input_register_device(struct input_d
28841                 dev->setkeycode = input_default_setkeycode;
28842  
28843         dev_set_name(&dev->dev, "input%ld",
28844 -                    (unsigned long) atomic_inc_return(&input_no) - 1);
28845 +                    (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
28846  
28847         error = device_add(&dev->dev);
28848         if (error)
28849 diff -urNp linux-3.0.9/drivers/input/joystick/sidewinder.c linux-3.0.9/drivers/input/joystick/sidewinder.c
28850 --- linux-3.0.9/drivers/input/joystick/sidewinder.c     2011-11-11 13:12:24.000000000 -0500
28851 +++ linux-3.0.9/drivers/input/joystick/sidewinder.c     2011-11-15 20:02:59.000000000 -0500
28852 @@ -30,6 +30,7 @@
28853  #include <linux/kernel.h>
28854  #include <linux/module.h>
28855  #include <linux/slab.h>
28856 +#include <linux/sched.h>
28857  #include <linux/init.h>
28858  #include <linux/input.h>
28859  #include <linux/gameport.h>
28860 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
28861         unsigned char buf[SW_LENGTH];
28862         int i;
28863  
28864 +       pax_track_stack();
28865 +
28866         i = sw_read_packet(sw->gameport, buf, sw->length, 0);
28867  
28868         if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) {             /* Broken packet, try to fix */
28869 diff -urNp linux-3.0.9/drivers/input/joystick/xpad.c linux-3.0.9/drivers/input/joystick/xpad.c
28870 --- linux-3.0.9/drivers/input/joystick/xpad.c   2011-11-11 13:12:24.000000000 -0500
28871 +++ linux-3.0.9/drivers/input/joystick/xpad.c   2011-11-15 20:02:59.000000000 -0500
28872 @@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
28873  
28874  static int xpad_led_probe(struct usb_xpad *xpad)
28875  {
28876 -       static atomic_t led_seq = ATOMIC_INIT(0);
28877 +       static atomic_unchecked_t led_seq       = ATOMIC_INIT(0);
28878         long led_no;
28879         struct xpad_led *led;
28880         struct led_classdev *led_cdev;
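Review bot: The rewritten declaration in xpad_led_probe pads `led_seq` with a run of tabs before `=`, which does not match the single-space form used by the equivalent changes in gameport.c, input.c and serio.c; the line should read `static atomic_unchecked_t led_seq = ATOMIC_INIT(0);`. The function body continues past the hunk.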
28881 @@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
28882         if (!led)
28883                 return -ENOMEM;
28884  
28885 -       led_no = (long)atomic_inc_return(&led_seq) - 1;
28886 +       led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
28887  
28888         snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
28889         led->xpad = xpad;
28890 diff -urNp linux-3.0.9/drivers/input/mousedev.c linux-3.0.9/drivers/input/mousedev.c
28891 --- linux-3.0.9/drivers/input/mousedev.c        2011-11-11 13:12:24.000000000 -0500
28892 +++ linux-3.0.9/drivers/input/mousedev.c        2011-11-15 20:02:59.000000000 -0500
28893 @@ -763,7 +763,7 @@ static ssize_t mousedev_read(struct file
28894  
28895         spin_unlock_irq(&client->packet_lock);
28896  
28897 -       if (copy_to_user(buffer, data, count))
28898 +       if (count > sizeof(data) || copy_to_user(buffer, data, count))
28899                 return -EFAULT;
28900  
28901         return count;
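Review bot: The added bound in mousedev_read reports an oversized `count` as -EFAULT, which tells the caller its buffer was unreadable rather than that the request was rejected; splitting it as `if (count > sizeof(data)) return -EINVAL;` before the copy keeps -EFAULT for its real meaning. If the clamp earlier in the function (outside the hunk) already bounds `count` by the size of `data`, as it appears to, a short comment marking this as a defensive guard would tell the next reader it is not fixing a reachable overflow. The start of mousedev_read is outside the hunk.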
28902 diff -urNp linux-3.0.9/drivers/input/serio/serio.c linux-3.0.9/drivers/input/serio/serio.c
28903 --- linux-3.0.9/drivers/input/serio/serio.c     2011-11-11 13:12:24.000000000 -0500
28904 +++ linux-3.0.9/drivers/input/serio/serio.c     2011-11-15 20:02:59.000000000 -0500
28905 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
28906   */
28907  static void serio_init_port(struct serio *serio)
28908  {
28909 -       static atomic_t serio_no = ATOMIC_INIT(0);
28910 +       static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
28911  
28912         __module_get(THIS_MODULE);
28913  
28914 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
28915         mutex_init(&serio->drv_mutex);
28916         device_initialize(&serio->dev);
28917         dev_set_name(&serio->dev, "serio%ld",
28918 -                       (long)atomic_inc_return(&serio_no) - 1);
28919 +                       (long)atomic_inc_return_unchecked(&serio_no) - 1);
28920         serio->dev.bus = &serio_bus;
28921         serio->dev.release = serio_release_port;
28922         serio->dev.groups = serio_device_attr_groups;
28923 diff -urNp linux-3.0.9/drivers/isdn/capi/capi.c linux-3.0.9/drivers/isdn/capi/capi.c
28924 --- linux-3.0.9/drivers/isdn/capi/capi.c        2011-11-11 13:12:24.000000000 -0500
28925 +++ linux-3.0.9/drivers/isdn/capi/capi.c        2011-11-15 20:02:59.000000000 -0500
28926 @@ -83,8 +83,8 @@ struct capiminor {
28927  
28928         struct capi20_appl      *ap;
28929         u32                     ncci;
28930 -       atomic_t                datahandle;
28931 -       atomic_t                msgid;
28932 +       atomic_unchecked_t      datahandle;
28933 +       atomic_unchecked_t      msgid;
28934  
28935         struct tty_port port;
28936         int                ttyinstop;
28937 @@ -397,7 +397,7 @@ gen_data_b3_resp_for(struct capiminor *m
28938                 capimsg_setu16(s, 2, mp->ap->applid);
28939                 capimsg_setu8 (s, 4, CAPI_DATA_B3);
28940                 capimsg_setu8 (s, 5, CAPI_RESP);
28941 -               capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
28942 +               capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
28943                 capimsg_setu32(s, 8, mp->ncci);
28944                 capimsg_setu16(s, 12, datahandle);
28945         }
28946 @@ -518,14 +518,14 @@ static void handle_minor_send(struct cap
28947                 mp->outbytes -= len;
28948                 spin_unlock_bh(&mp->outlock);
28949  
28950 -               datahandle = atomic_inc_return(&mp->datahandle);
28951 +               datahandle = atomic_inc_return_unchecked(&mp->datahandle);
28952                 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
28953                 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28954                 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28955                 capimsg_setu16(skb->data, 2, mp->ap->applid);
28956                 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
28957                 capimsg_setu8 (skb->data, 5, CAPI_REQ);
28958 -               capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
28959 +               capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
28960                 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
28961                 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
28962                 capimsg_setu16(skb->data, 16, len);     /* Data length */
28963 diff -urNp linux-3.0.9/drivers/isdn/gigaset/common.c linux-3.0.9/drivers/isdn/gigaset/common.c
28964 --- linux-3.0.9/drivers/isdn/gigaset/common.c   2011-11-11 13:12:24.000000000 -0500
28965 +++ linux-3.0.9/drivers/isdn/gigaset/common.c   2011-11-15 20:02:59.000000000 -0500
28966 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct 
28967         cs->commands_pending = 0;
28968         cs->cur_at_seq = 0;
28969         cs->gotfwver = -1;
28970 -       cs->open_count = 0;
28971 +       local_set(&cs->open_count, 0);
28972         cs->dev = NULL;
28973         cs->tty = NULL;
28974         cs->tty_dev = NULL;
28975 diff -urNp linux-3.0.9/drivers/isdn/gigaset/gigaset.h linux-3.0.9/drivers/isdn/gigaset/gigaset.h
28976 --- linux-3.0.9/drivers/isdn/gigaset/gigaset.h  2011-11-11 13:12:24.000000000 -0500
28977 +++ linux-3.0.9/drivers/isdn/gigaset/gigaset.h  2011-11-15 20:02:59.000000000 -0500
28978 @@ -35,6 +35,7 @@
28979  #include <linux/tty_driver.h>
28980  #include <linux/list.h>
28981  #include <asm/atomic.h>
28982 +#include <asm/local.h>
28983  
28984  #define GIG_VERSION {0, 5, 0, 0}
28985  #define GIG_COMPAT  {0, 4, 0, 0}
28986 @@ -433,7 +434,7 @@ struct cardstate {
28987         spinlock_t cmdlock;
28988         unsigned curlen, cmdbytes;
28989  
28990 -       unsigned open_count;
28991 +       local_t open_count;
28992         struct tty_struct *tty;
28993         struct tasklet_struct if_wake_tasklet;
28994         unsigned control_state;
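Review bot: `open_count` in struct cardstate becomes a `local_t`, but the kernel documents local_t as a per-CPU counter whose atomicity is only guaranteed against the owning CPU, while the tty open/close/ioctl/write paths in the interface.c hunks (and the reset in common.c) reach it from whichever CPU the calling process runs on. If a shared counter with atomic increment/decrement is what is wanted, `atomic_t` with atomic_inc_return/atomic_dec_return is the type whose contract matches. If local_t was chosen deliberately because every access is already serialized by the tty layer, record that next to the field, e.g. `/* open/close are serialized by the tty layer; local_t is safe here */`, so the next reader does not take it for a cross-CPU atomic.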
28995 diff -urNp linux-3.0.9/drivers/isdn/gigaset/interface.c linux-3.0.9/drivers/isdn/gigaset/interface.c
28996 --- linux-3.0.9/drivers/isdn/gigaset/interface.c        2011-11-11 13:12:24.000000000 -0500
28997 +++ linux-3.0.9/drivers/isdn/gigaset/interface.c        2011-11-15 20:02:59.000000000 -0500
28998 @@ -162,9 +162,7 @@ static int if_open(struct tty_struct *tt
28999         }
29000         tty->driver_data = cs;
29001  
29002 -       ++cs->open_count;
29003 -
29004 -       if (cs->open_count == 1) {
29005 +       if (local_inc_return(&cs->open_count) == 1) {
29006                 spin_lock_irqsave(&cs->lock, flags);
29007                 cs->tty = tty;
29008                 spin_unlock_irqrestore(&cs->lock, flags);
29009 @@ -192,10 +190,10 @@ static void if_close(struct tty_struct *
29010  
29011         if (!cs->connected)
29012                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
29013 -       else if (!cs->open_count)
29014 +       else if (!local_read(&cs->open_count))
29015                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29016         else {
29017 -               if (!--cs->open_count) {
29018 +               if (!local_dec_return(&cs->open_count)) {
29019                         spin_lock_irqsave(&cs->lock, flags);
29020                         cs->tty = NULL;
29021                         spin_unlock_irqrestore(&cs->lock, flags);
29022 @@ -230,7 +228,7 @@ static int if_ioctl(struct tty_struct *t
29023         if (!cs->connected) {
29024                 gig_dbg(DEBUG_IF, "not connected");
29025                 retval = -ENODEV;
29026 -       } else if (!cs->open_count)
29027 +       } else if (!local_read(&cs->open_count))
29028                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29029         else {
29030                 retval = 0;
29031 @@ -360,7 +358,7 @@ static int if_write(struct tty_struct *t
29032                 retval = -ENODEV;
29033                 goto done;
29034         }
29035 -       if (!cs->open_count) {
29036 +       if (!local_read(&cs->open_count)) {
29037                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29038                 retval = -ENODEV;
29039                 goto done;
29040 @@ -413,7 +411,7 @@ static int if_write_room(struct tty_stru
29041         if (!cs->connected) {
29042                 gig_dbg(DEBUG_IF, "not connected");
29043                 retval = -ENODEV;
29044 -       } else if (!cs->open_count)
29045 +       } else if (!local_read(&cs->open_count))
29046                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29047         else if (cs->mstate != MS_LOCKED) {
29048                 dev_warn(cs->dev, "can't write to unlocked device\n");
29049 @@ -443,7 +441,7 @@ static int if_chars_in_buffer(struct tty
29050  
29051         if (!cs->connected)
29052                 gig_dbg(DEBUG_IF, "not connected");
29053 -       else if (!cs->open_count)
29054 +       else if (!local_read(&cs->open_count))
29055                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29056         else if (cs->mstate != MS_LOCKED)
29057                 dev_warn(cs->dev, "can't write to unlocked device\n");
29058 @@ -471,7 +469,7 @@ static void if_throttle(struct tty_struc
29059  
29060         if (!cs->connected)
29061                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
29062 -       else if (!cs->open_count)
29063 +       else if (!local_read(&cs->open_count))
29064                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29065         else
29066                 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29067 @@ -495,7 +493,7 @@ static void if_unthrottle(struct tty_str
29068  
29069         if (!cs->connected)
29070                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
29071 -       else if (!cs->open_count)
29072 +       else if (!local_read(&cs->open_count))
29073                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29074         else
29075                 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29076 @@ -526,7 +524,7 @@ static void if_set_termios(struct tty_st
29077                 goto out;
29078         }
29079  
29080 -       if (!cs->open_count) {
29081 +       if (!local_read(&cs->open_count)) {
29082                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29083                 goto out;
29084         }
29085 diff -urNp linux-3.0.9/drivers/isdn/hardware/avm/b1.c linux-3.0.9/drivers/isdn/hardware/avm/b1.c
29086 --- linux-3.0.9/drivers/isdn/hardware/avm/b1.c  2011-11-11 13:12:24.000000000 -0500
29087 +++ linux-3.0.9/drivers/isdn/hardware/avm/b1.c  2011-11-15 20:02:59.000000000 -0500
29088 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
29089         }
29090         if (left) {
29091                 if (t4file->user) {
29092 -                       if (copy_from_user(buf, dp, left))
29093 +                       if (left > sizeof buf || copy_from_user(buf, dp, left))
29094                                 return -EFAULT;
29095                 } else {
29096                         memcpy(buf, dp, left);
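Review bot: In b1_load_t4file the new `left > sizeof buf` test only covers the `t4file->user` branch, so the kernel-side `memcpy(buf, dp, left)` in the else branch still runs with an unchecked length; the same shape appears in the b1_load_config hunk below. Hoisting the guard above the `if (t4file->user)` split as `if (left > sizeof buf) return -EINVAL;` covers both branches and stops a length problem from being reported as -EFAULT, which should mean an unreadable user buffer. If the block-copy loop preceding this remainder copy (outside the hunk) already reduces `left` to at most sizeof buf, a comment saying so would mark the guard as defensive rather than as a fix. Both enclosing functions start outside their hunks.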
29097 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
29098         }
29099         if (left) {
29100                 if (config->user) {
29101 -                       if (copy_from_user(buf, dp, left))
29102 +                       if (left > sizeof buf || copy_from_user(buf, dp, left))
29103                                 return -EFAULT;
29104                 } else {
29105                         memcpy(buf, dp, left);
29106 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/capidtmf.c linux-3.0.9/drivers/isdn/hardware/eicon/capidtmf.c
29107 --- linux-3.0.9/drivers/isdn/hardware/eicon/capidtmf.c  2011-11-11 13:12:24.000000000 -0500
29108 +++ linux-3.0.9/drivers/isdn/hardware/eicon/capidtmf.c  2011-11-15 20:02:59.000000000 -0500
29109 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
29110    byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
29111      short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
29112  
29113 +  pax_track_stack();
29114  
29115    if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
29116    {
29117 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/capifunc.c linux-3.0.9/drivers/isdn/hardware/eicon/capifunc.c
29118 --- linux-3.0.9/drivers/isdn/hardware/eicon/capifunc.c  2011-11-11 13:12:24.000000000 -0500
29119 +++ linux-3.0.9/drivers/isdn/hardware/eicon/capifunc.c  2011-11-15 20:02:59.000000000 -0500
29120 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
29121         IDI_SYNC_REQ req;
29122         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29123  
29124 +       pax_track_stack();
29125 +
29126         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29127  
29128         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29129 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/diddfunc.c linux-3.0.9/drivers/isdn/hardware/eicon/diddfunc.c
29130 --- linux-3.0.9/drivers/isdn/hardware/eicon/diddfunc.c  2011-11-11 13:12:24.000000000 -0500
29131 +++ linux-3.0.9/drivers/isdn/hardware/eicon/diddfunc.c  2011-11-15 20:02:59.000000000 -0500
29132 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
29133         IDI_SYNC_REQ req;
29134         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29135  
29136 +       pax_track_stack();
29137 +
29138         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29139  
29140         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29141 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/divasfunc.c linux-3.0.9/drivers/isdn/hardware/eicon/divasfunc.c
29142 --- linux-3.0.9/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-11 13:12:24.000000000 -0500
29143 +++ linux-3.0.9/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-15 20:02:59.000000000 -0500
29144 @@ -160,6 +160,8 @@ static int DIVA_INIT_FUNCTION connect_di
29145         IDI_SYNC_REQ req;
29146         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29147  
29148 +       pax_track_stack();
29149 +
29150         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29151  
29152         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29153 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/divasync.h linux-3.0.9/drivers/isdn/hardware/eicon/divasync.h
29154 --- linux-3.0.9/drivers/isdn/hardware/eicon/divasync.h  2011-11-11 13:12:24.000000000 -0500
29155 +++ linux-3.0.9/drivers/isdn/hardware/eicon/divasync.h  2011-11-15 20:02:59.000000000 -0500
29156 @@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
29157  } diva_didd_add_adapter_t;
29158  typedef struct _diva_didd_remove_adapter {
29159   IDI_CALL p_request;
29160 -} diva_didd_remove_adapter_t;
29161 +} __no_const diva_didd_remove_adapter_t;
29162  typedef struct _diva_didd_read_adapter_array {
29163   void   * buffer;
29164   dword length;
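Review bot: The `__no_const` annotation on diva_didd_remove_adapter_t carries no explanation, and the struct's only member is the `IDI_CALL p_request` function pointer, so a reader cannot tell which run-time writer forces it to stay mutable while neighbouring descriptor types are presumably left to become read-only. A comment on the typedef line naming that writer, e.g. `/* p_request is assigned at run time; keep writable under constification */`, would document the exemption. Which code path performs the assignment is not visible from the hunk.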
29165 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/idifunc.c linux-3.0.9/drivers/isdn/hardware/eicon/idifunc.c
29166 --- linux-3.0.9/drivers/isdn/hardware/eicon/idifunc.c   2011-11-11 13:12:24.000000000 -0500
29167 +++ linux-3.0.9/drivers/isdn/hardware/eicon/idifunc.c   2011-11-15 20:02:59.000000000 -0500
29168 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
29169         IDI_SYNC_REQ req;
29170         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29171  
29172 +       pax_track_stack();
29173 +
29174         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29175  
29176         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29177 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/message.c linux-3.0.9/drivers/isdn/hardware/eicon/message.c
29178 --- linux-3.0.9/drivers/isdn/hardware/eicon/message.c   2011-11-11 13:12:24.000000000 -0500
29179 +++ linux-3.0.9/drivers/isdn/hardware/eicon/message.c   2011-11-15 20:02:59.000000000 -0500
29180 @@ -4886,6 +4886,8 @@ static void sig_ind(PLCI *plci)
29181    dword d;
29182    word w;
29183  
29184 +  pax_track_stack();
29185 +
29186    a = plci->adapter;
29187    Id = ((word)plci->Id<<8)|a->Id;
29188    PUT_WORD(&SS_Ind[4],0x0000);
29189 @@ -7480,6 +7482,8 @@ static word add_b1(PLCI *plci, API_PARSE
29190    word j, n, w;
29191    dword d;
29192  
29193 +  pax_track_stack();
29194 +
29195  
29196    for(i=0;i<8;i++) bp_parms[i].length = 0;
29197    for(i=0;i<2;i++) global_config[i].length = 0;
29198 @@ -7954,6 +7958,8 @@ static word add_b23(PLCI *plci, API_PARS
29199    const byte llc3[] = {4,3,2,2,6,6,0};
29200    const byte header[] = {0,2,3,3,0,0,0};
29201  
29202 +  pax_track_stack();
29203 +
29204    for(i=0;i<8;i++) bp_parms[i].length = 0;
29205    for(i=0;i<6;i++) b2_config_parms[i].length = 0;
29206    for(i=0;i<5;i++) b3_config_parms[i].length = 0;
29207 @@ -14741,6 +14747,8 @@ static void group_optimization(DIVA_CAPI
29208    word appl_number_group_type[MAX_APPL];
29209    PLCI   *auxplci;
29210  
29211 +  pax_track_stack();
29212 +
29213    set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
29214  
29215    if(!a->group_optimization_enabled)
29216 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/mntfunc.c linux-3.0.9/drivers/isdn/hardware/eicon/mntfunc.c
29217 --- linux-3.0.9/drivers/isdn/hardware/eicon/mntfunc.c   2011-11-11 13:12:24.000000000 -0500
29218 +++ linux-3.0.9/drivers/isdn/hardware/eicon/mntfunc.c   2011-11-15 20:02:59.000000000 -0500
29219 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
29220         IDI_SYNC_REQ req;
29221         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29222  
29223 +       pax_track_stack();
29224 +
29225         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29226  
29227         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29228 diff -urNp linux-3.0.9/drivers/isdn/hardware/eicon/xdi_adapter.h linux-3.0.9/drivers/isdn/hardware/eicon/xdi_adapter.h
29229 --- linux-3.0.9/drivers/isdn/hardware/eicon/xdi_adapter.h       2011-11-11 13:12:24.000000000 -0500
29230 +++ linux-3.0.9/drivers/isdn/hardware/eicon/xdi_adapter.h       2011-11-15 20:02:59.000000000 -0500
29231 @@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
29232  typedef struct _diva_os_idi_adapter_interface {
29233         diva_init_card_proc_t cleanup_adapter_proc;
29234         diva_cmd_card_proc_t cmd_proc;
29235 -} diva_os_idi_adapter_interface_t;
29236 +} __no_const diva_os_idi_adapter_interface_t;
29237  
29238  typedef struct _diva_os_xdi_adapter {
29239         struct list_head link;
29240 diff -urNp linux-3.0.9/drivers/isdn/i4l/isdn_common.c linux-3.0.9/drivers/isdn/i4l/isdn_common.c
29241 --- linux-3.0.9/drivers/isdn/i4l/isdn_common.c  2011-11-11 13:12:24.000000000 -0500
29242 +++ linux-3.0.9/drivers/isdn/i4l/isdn_common.c  2011-11-15 20:02:59.000000000 -0500
29243 @@ -1286,6 +1286,8 @@ isdn_ioctl(struct file *file, uint cmd, 
29244         } iocpar;
29245         void __user *argp = (void __user *)arg;
29246  
29247 +       pax_track_stack();
29248 +
29249  #define name  iocpar.name
29250  #define bname iocpar.bname
29251  #define iocts iocpar.iocts
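--- a/linux-3.0.9/drivers/isdn/icn/icn.c
+++ b/linux-3.0.9/drivers/isdn/icn/icn.c
@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
                 if (count > len)
                         count = len;
                 if (user) {
-                       if (copy_from_user(msg, buf, count))
+                       if (count > sizeof msg || copy_from_user(msg, buf, count))
                                 return -EFAULT;
                 } else
                         memcpy(msg, buf, count);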
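Review bot: The new `count > sizeof msg` bound is applied only on the user path; the `else` branch's `memcpy(msg, buf, count)` still copies `count` bytes into `msg` with no check, and `count` is derived from state outside the hunk (only the clamp to `len` is visible). Hoisting the bound above the branch covers both callers with one line: `if (count > sizeof msg) return -EFAULT;` placed before `if (user) {`, after which the user branch can go back to the plain `copy_from_user` test. Note that `count` is an `int` compared against a `size_t`, so a negative value converts to a huge unsigned and is rejected, which is the safe direction here. icn_writecmd's body starts and ends outside the hunk.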
29264 diff -urNp linux-3.0.9/drivers/lguest/core.c linux-3.0.9/drivers/lguest/core.c
29265 --- linux-3.0.9/drivers/lguest/core.c   2011-11-11 13:12:24.000000000 -0500
29266 +++ linux-3.0.9/drivers/lguest/core.c   2011-11-15 20:02:59.000000000 -0500
29267 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
29268          * it's worked so far.  The end address needs +1 because __get_vm_area
29269          * allocates an extra guard page, so we need space for that.
29270          */
29271 +
29272 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29273 +       switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29274 +                                    VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
29275 +                                    + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29276 +#else
29277         switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29278                                      VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
29279                                      + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29280 +#endif
29281 +
29282         if (!switcher_vma) {
29283                 err = -ENOMEM;
29284                 printk("lguest: could not map switcher pages high\n");
29285 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
29286          * Now the Switcher is mapped at the right address, we can't fail!
29287          * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
29288          */
29289 -       memcpy(switcher_vma->addr, start_switcher_text,
29290 +       memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
29291                end_switcher_text - start_switcher_text);
29292  
29293         printk(KERN_INFO "lguest: mapped switcher at %p\n",
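Review bot: The KERNEXEC arm of the new `#if` duplicates the whole `__get_vm_area` call and differs from the `#else` arm only in the `VM_KERNEXEC` flag, so any later change to the size or address arguments has to be made twice. Selecting the flags once and keeping a single call is shorter and also gives a natural place for the missing comment on why the high copy needs an executable mapping (the second hunk copies switcher code into it and the x86 core computes jump targets inside it). The `vm_flags` local below would go with map_switcher's other declarations, which are outside the hunk.
```c
	/* The switcher code is copied into this area and run from it, so under
	 * KERNEXEC the mapping has to be requested as executable. */
	vm_flags = VM_ALLOC;
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	vm_flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* … unchanged: NULL check and -ENOMEM path … */
```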
29294 diff -urNp linux-3.0.9/drivers/lguest/x86/core.c linux-3.0.9/drivers/lguest/x86/core.c
29295 --- linux-3.0.9/drivers/lguest/x86/core.c       2011-11-11 13:12:24.000000000 -0500
29296 +++ linux-3.0.9/drivers/lguest/x86/core.c       2011-11-15 20:02:59.000000000 -0500
29297 @@ -59,7 +59,7 @@ static struct {
29298  /* Offset from where switcher.S was compiled to where we've copied it */
29299  static unsigned long switcher_offset(void)
29300  {
29301 -       return SWITCHER_ADDR - (unsigned long)start_switcher_text;
29302 +       return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
29303  }
29304  
29305  /* This cpu's struct lguest_pages. */
29306 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
29307          * These copies are pretty cheap, so we do them unconditionally: */
29308         /* Save the current Host top-level page directory.
29309          */
29310 +
29311 +#ifdef CONFIG_PAX_PER_CPU_PGD
29312 +       pages->state.host_cr3 = read_cr3();
29313 +#else
29314         pages->state.host_cr3 = __pa(current->mm->pgd);
29315 +#endif
29316 +
29317         /*
29318          * Set up the Guest's page tables to see this CPU's pages (and no
29319          * other CPU's pages).
29320 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
29321          * compiled-in switcher code and the high-mapped copy we just made.
29322          */
29323         for (i = 0; i < IDT_ENTRIES; i++)
29324 -               default_idt_entries[i] += switcher_offset();
29325 +               default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
29326  
29327         /*
29328          * Set up the Switcher's per-cpu areas.
29329 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
29330          * it will be undisturbed when we switch.  To change %cs and jump we
29331          * need this structure to feed to Intel's "lcall" instruction.
29332          */
29333 -       lguest_entry.offset = (long)switch_to_guest + switcher_offset();
29334 +       lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
29335         lguest_entry.segment = LGUEST_CS;
29336  
29337         /*
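Review bot: The `CONFIG_PAX_PER_CPU_PGD` branch in copy_in_guest_info replaces `__pa(current->mm->pgd)` with `read_cr3()` but leaves the existing comment ("Save the current Host top-level page directory") unchanged, so the reader is not told why the two are no longer the same thing. If the reason is that with per-CPU page directories the PGD loaded in %cr3 is not `current->mm->pgd`, say so on the `#ifdef`: `/* per-CPU PGDs: the active host PGD is the one in %cr3, not mm->pgd */`. The same applies to the `ktla_ktva()` wrapping in the three other hunks of this file, which is applied to `default_idt_entries[i]` and `switch_to_guest` without a note that these are linear addresses of compiled-in code that must be translated back to their virtual mapping before the switcher offset is added. copy_in_guest_info's body starts and ends outside the hunk.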
29338 diff -urNp linux-3.0.9/drivers/lguest/x86/switcher_32.S linux-3.0.9/drivers/lguest/x86/switcher_32.S
29339 --- linux-3.0.9/drivers/lguest/x86/switcher_32.S        2011-11-11 13:12:24.000000000 -0500
29340 +++ linux-3.0.9/drivers/lguest/x86/switcher_32.S        2011-11-15 20:02:59.000000000 -0500
29341 @@ -87,6 +87,7 @@
29342  #include <asm/page.h>
29343  #include <asm/segment.h>
29344  #include <asm/lguest.h>
29345 +#include <asm/processor-flags.h>
29346  
29347  // We mark the start of the code to copy
29348  // It's placed in .text tho it's never run here
29349 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
29350         // Changes type when we load it: damn Intel!
29351         // For after we switch over our page tables
29352         // That entry will be read-only: we'd crash.
29353 +
29354 +#ifdef CONFIG_PAX_KERNEXEC
29355 +       mov     %cr0, %edx
29356 +       xor     $X86_CR0_WP, %edx
29357 +       mov     %edx, %cr0
29358 +#endif
29359 +
29360         movl    $(GDT_ENTRY_TSS*8), %edx
29361         ltr     %dx
29362  
29363 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
29364         // Let's clear it again for our return.
29365         // The GDT descriptor of the Host
29366         // Points to the table after two "size" bytes
29367 -       movl    (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
29368 +       movl    (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
29369         // Clear "used" from type field (byte 5, bit 2)
29370 -       andb    $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
29371 +       andb    $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
29372 +
29373 +#ifdef CONFIG_PAX_KERNEXEC
29374 +       mov     %cr0, %eax
29375 +       xor     $X86_CR0_WP, %eax
29376 +       mov     %eax, %cr0
29377 +#endif
29378  
29379         // Once our page table's switched, the Guest is live!
29380         // The Host fades as we run this final step.
29381 @@ -295,13 +309,12 @@ deliver_to_host:
29382         // I consulted gcc, and it gave
29383         // These instructions, which I gladly credit:
29384         leal    (%edx,%ebx,8), %eax
29385 -       movzwl  (%eax),%edx
29386 -       movl    4(%eax), %eax
29387 -       xorw    %ax, %ax
29388 -       orl     %eax, %edx
29389 +       movl    4(%eax), %edx
29390 +       movw    (%eax), %dx
29391         // Now the address of the handler's in %edx
29392         // We call it now: its "iret" drops us home.
29393 -       jmp     *%edx
29394 +       ljmp    $__KERNEL_CS, $1f
29395 +1:     jmp     *%edx
29396  
29397  // Every interrupt can come to us here
29398  // But we must truly tell each apart.
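Review bot: Both `CONFIG_PAX_KERNEXEC` blocks in switch_to_guest flip CR0.WP with `xor $X86_CR0_WP`, which toggles the bit rather than clearing it before the TSS-type write and setting it again afterwards; that is only correct if WP is known to be set on entry and clear on the return path, an invariant the code does not state. Writing the intent explicitly, `andl $~X86_CR0_WP, %edx` in the first block and `orl $X86_CR0_WP, %eax` in the second, makes the blocks self-describing and keeps a stray earlier toggle from leaving the kernel with WP off. The `ljmp $__KERNEL_CS, $1f` inserted before `jmp *%edx` in the deliver_to_host hunk also deserves a one-line comment on why %cs must be reloaded there (the hunk's own comments still describe only the jump).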
29399 diff -urNp linux-3.0.9/drivers/macintosh/macio_asic.c linux-3.0.9/drivers/macintosh/macio_asic.c
29400 --- linux-3.0.9/drivers/macintosh/macio_asic.c  2011-11-11 13:12:24.000000000 -0500
29401 +++ linux-3.0.9/drivers/macintosh/macio_asic.c  2011-11-15 20:02:59.000000000 -0500
29402 @@ -748,7 +748,7 @@ static void __devexit macio_pci_remove(s
29403   * MacIO is matched against any Apple ID, it's probe() function
29404   * will then decide wether it applies or not
29405   */
29406 -static const struct pci_device_id __devinitdata pci_ids [] = { {
29407 +static const struct pci_device_id __devinitconst pci_ids [] = { {
29408         .vendor         = PCI_VENDOR_ID_APPLE,
29409         .device         = PCI_ANY_ID,
29410         .subvendor      = PCI_ANY_ID,
29411 diff -urNp linux-3.0.9/drivers/md/dm.c linux-3.0.9/drivers/md/dm.c
29412 --- linux-3.0.9/drivers/md/dm.c 2011-11-11 13:12:24.000000000 -0500
29413 +++ linux-3.0.9/drivers/md/dm.c 2011-11-15 20:02:59.000000000 -0500
29414 @@ -164,9 +164,9 @@ struct mapped_device {
29415         /*
29416          * Event handling.
29417          */
29418 -       atomic_t event_nr;
29419 +       atomic_unchecked_t event_nr;
29420         wait_queue_head_t eventq;
29421 -       atomic_t uevent_seq;
29422 +       atomic_unchecked_t uevent_seq;
29423         struct list_head uevent_list;
29424         spinlock_t uevent_lock; /* Protect access to uevent_list */
29425  
29426 @@ -1842,8 +1842,8 @@ static struct mapped_device *alloc_dev(i
29427         rwlock_init(&md->map_lock);
29428         atomic_set(&md->holders, 1);
29429         atomic_set(&md->open_count, 0);
29430 -       atomic_set(&md->event_nr, 0);
29431 -       atomic_set(&md->uevent_seq, 0);
29432 +       atomic_set_unchecked(&md->event_nr, 0);
29433 +       atomic_set_unchecked(&md->uevent_seq, 0);
29434         INIT_LIST_HEAD(&md->uevent_list);
29435         spin_lock_init(&md->uevent_lock);
29436  
29437 @@ -1977,7 +1977,7 @@ static void event_callback(void *context
29438  
29439         dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
29440  
29441 -       atomic_inc(&md->event_nr);
29442 +       atomic_inc_unchecked(&md->event_nr);
29443         wake_up(&md->eventq);
29444  }
29445  
29446 @@ -2553,18 +2553,18 @@ int dm_kobject_uevent(struct mapped_devi
29447  
29448  uint32_t dm_next_uevent_seq(struct mapped_device *md)
29449  {
29450 -       return atomic_add_return(1, &md->uevent_seq);
29451 +       return atomic_add_return_unchecked(1, &md->uevent_seq);
29452  }
29453  
29454  uint32_t dm_get_event_nr(struct mapped_device *md)
29455  {
29456 -       return atomic_read(&md->event_nr);
29457 +       return atomic_read_unchecked(&md->event_nr);
29458  }
29459  
29460  int dm_wait_event(struct mapped_device *md, int event_nr)
29461  {
29462         return wait_event_interruptible(md->eventq,
29463 -                       (event_nr != atomic_read(&md->event_nr)));
29464 +                       (event_nr != atomic_read_unchecked(&md->event_nr)));
29465  }
29466  
29467  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
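Review bot: The `event_nr` and `uevent_seq` fields are switched to `atomic_unchecked_t` with no comment recording why they are exempt from overflow checking, and the same silent conversion is repeated for `error_count` in dm-raid1.c and dm-stripe.c, `md_event_count`, `read_errors`, `corrected_errors` and `sync_io` in md.c/md.h, and their users in raid10.c, raid1.c and raid5.c. These are all sequence or statistics counters whose wraparound is harmless, which is exactly the property a reader needs to see at the declaration: `atomic_unchecked_t event_nr; /* event sequence, wraps by design: not a refcount */`. Since `atomic_unchecked_t` is a distinct type, any accessor missed by the conversion should surface at build time as a pointer-type mismatch, so I would build with that warning fatal before taking the series.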
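--- a/linux-3.0.9/drivers/md/dm-ioctl.c
+++ b/linux-3.0.9/drivers/md/dm-ioctl.c
@@ -1551,7 +1551,7 @@ static int validate_params(uint cmd, str
            cmd == DM_LIST_VERSIONS_CMD)
                return 0;
 
-       if ((cmd == DM_DEV_CREATE_CMD)) {
+       if (cmd == DM_DEV_CREATE_CMD) {
                if (!*param->name) {
                        DMWARN("name not supplied when creating device");
                        return -EINVAL;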
29480 diff -urNp linux-3.0.9/drivers/md/dm-raid1.c linux-3.0.9/drivers/md/dm-raid1.c
29481 --- linux-3.0.9/drivers/md/dm-raid1.c   2011-11-11 13:12:24.000000000 -0500
29482 +++ linux-3.0.9/drivers/md/dm-raid1.c   2011-11-15 20:02:59.000000000 -0500
29483 @@ -40,7 +40,7 @@ enum dm_raid1_error {
29484  
29485  struct mirror {
29486         struct mirror_set *ms;
29487 -       atomic_t error_count;
29488 +       atomic_unchecked_t error_count;
29489         unsigned long error_type;
29490         struct dm_dev *dev;
29491         sector_t offset;
29492 @@ -185,7 +185,7 @@ static struct mirror *get_valid_mirror(s
29493         struct mirror *m;
29494  
29495         for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
29496 -               if (!atomic_read(&m->error_count))
29497 +               if (!atomic_read_unchecked(&m->error_count))
29498                         return m;
29499  
29500         return NULL;
29501 @@ -217,7 +217,7 @@ static void fail_mirror(struct mirror *m
29502          * simple way to tell if a device has encountered
29503          * errors.
29504          */
29505 -       atomic_inc(&m->error_count);
29506 +       atomic_inc_unchecked(&m->error_count);
29507  
29508         if (test_and_set_bit(error_type, &m->error_type))
29509                 return;
29510 @@ -408,7 +408,7 @@ static struct mirror *choose_mirror(stru
29511         struct mirror *m = get_default_mirror(ms);
29512  
29513         do {
29514 -               if (likely(!atomic_read(&m->error_count)))
29515 +               if (likely(!atomic_read_unchecked(&m->error_count)))
29516                         return m;
29517  
29518                 if (m-- == ms->mirror)
29519 @@ -422,7 +422,7 @@ static int default_ok(struct mirror *m)
29520  {
29521         struct mirror *default_mirror = get_default_mirror(m->ms);
29522  
29523 -       return !atomic_read(&default_mirror->error_count);
29524 +       return !atomic_read_unchecked(&default_mirror->error_count);
29525  }
29526  
29527  static int mirror_available(struct mirror_set *ms, struct bio *bio)
29528 @@ -559,7 +559,7 @@ static void do_reads(struct mirror_set *
29529                  */
29530                 if (likely(region_in_sync(ms, region, 1)))
29531                         m = choose_mirror(ms, bio->bi_sector);
29532 -               else if (m && atomic_read(&m->error_count))
29533 +               else if (m && atomic_read_unchecked(&m->error_count))
29534                         m = NULL;
29535  
29536                 if (likely(m))
29537 @@ -937,7 +937,7 @@ static int get_mirror(struct mirror_set 
29538         }
29539  
29540         ms->mirror[mirror].ms = ms;
29541 -       atomic_set(&(ms->mirror[mirror].error_count), 0);
29542 +       atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
29543         ms->mirror[mirror].error_type = 0;
29544         ms->mirror[mirror].offset = offset;
29545  
29546 @@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
29547   */
29548  static char device_status_char(struct mirror *m)
29549  {
29550 -       if (!atomic_read(&(m->error_count)))
29551 +       if (!atomic_read_unchecked(&(m->error_count)))
29552                 return 'A';
29553  
29554         return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
29555 diff -urNp linux-3.0.9/drivers/md/dm-stripe.c linux-3.0.9/drivers/md/dm-stripe.c
29556 --- linux-3.0.9/drivers/md/dm-stripe.c  2011-11-11 13:12:24.000000000 -0500
29557 +++ linux-3.0.9/drivers/md/dm-stripe.c  2011-11-15 20:02:59.000000000 -0500
29558 @@ -20,7 +20,7 @@ struct stripe {
29559         struct dm_dev *dev;
29560         sector_t physical_start;
29561  
29562 -       atomic_t error_count;
29563 +       atomic_unchecked_t error_count;
29564  };
29565  
29566  struct stripe_c {
29567 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
29568                         kfree(sc);
29569                         return r;
29570                 }
29571 -               atomic_set(&(sc->stripe[i].error_count), 0);
29572 +               atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
29573         }
29574  
29575         ti->private = sc;
29576 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
29577                 DMEMIT("%d ", sc->stripes);
29578                 for (i = 0; i < sc->stripes; i++)  {
29579                         DMEMIT("%s ", sc->stripe[i].dev->name);
29580 -                       buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
29581 +                       buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
29582                                 'D' : 'A';
29583                 }
29584                 buffer[i] = '\0';
29585 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
29586          */
29587         for (i = 0; i < sc->stripes; i++)
29588                 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
29589 -                       atomic_inc(&(sc->stripe[i].error_count));
29590 -                       if (atomic_read(&(sc->stripe[i].error_count)) <
29591 +                       atomic_inc_unchecked(&(sc->stripe[i].error_count));
29592 +                       if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
29593                             DM_IO_ERROR_THRESHOLD)
29594                                 schedule_work(&sc->trigger_event);
29595                 }
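--- a/linux-3.0.9/drivers/md/dm-table.c
+++ b/linux-3.0.9/drivers/md/dm-table.c
@@ -390,7 +390,7 @@ static int device_area_is_invalid(struct
        if (!dev_size)
                return 0;
 
-       if ((start >= dev_size) || (start + len > dev_size)) {
+       if ((start >= dev_size) || (len > dev_size - start)) {
                DMWARN("%s: %s too small for target: "
                       "start=%llu, len=%llu, dev_size=%llu",
                       dm_device_name(ti->table->md), bdevname(bdev, b),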
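Review bot: The rewritten condition `(len > dev_size - start)` is correct only because the preceding `start >= dev_size` test short-circuits first, so the subtraction cannot underflow; that dependency between the two operands is easy to break in a later edit and is worth a comment on the line: `/* start < dev_size here, so dev_size - start cannot wrap (unlike start + len) */`. The change is a genuine fix (the old `start + len` could wrap for large table parameters), so the commit message should call it out separately from the annotation-only hunks around it. device_area_is_invalid's body starts and ends outside the hunk.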
29608 diff -urNp linux-3.0.9/drivers/md/md.c linux-3.0.9/drivers/md/md.c
29609 --- linux-3.0.9/drivers/md/md.c 2011-11-11 13:12:24.000000000 -0500
29610 +++ linux-3.0.9/drivers/md/md.c 2011-11-15 20:02:59.000000000 -0500
29611 @@ -231,10 +231,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
29612   *  start build, activate spare
29613   */
29614  static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
29615 -static atomic_t md_event_count;
29616 +static atomic_unchecked_t md_event_count;
29617  void md_new_event(mddev_t *mddev)
29618  {
29619 -       atomic_inc(&md_event_count);
29620 +       atomic_inc_unchecked(&md_event_count);
29621         wake_up(&md_event_waiters);
29622  }
29623  EXPORT_SYMBOL_GPL(md_new_event);
29624 @@ -244,7 +244,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
29625   */
29626  static void md_new_event_inintr(mddev_t *mddev)
29627  {
29628 -       atomic_inc(&md_event_count);
29629 +       atomic_inc_unchecked(&md_event_count);
29630         wake_up(&md_event_waiters);
29631  }
29632  
29633 @@ -1475,7 +1475,7 @@ static int super_1_load(mdk_rdev_t *rdev
29634  
29635         rdev->preferred_minor = 0xffff;
29636         rdev->data_offset = le64_to_cpu(sb->data_offset);
29637 -       atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29638 +       atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29639  
29640         rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
29641         bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
29642 @@ -1653,7 +1653,7 @@ static void super_1_sync(mddev_t *mddev,
29643         else
29644                 sb->resync_offset = cpu_to_le64(0);
29645  
29646 -       sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
29647 +       sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
29648  
29649         sb->raid_disks = cpu_to_le32(mddev->raid_disks);
29650         sb->size = cpu_to_le64(mddev->dev_sectors);
29651 @@ -2446,7 +2446,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
29652  static ssize_t
29653  errors_show(mdk_rdev_t *rdev, char *page)
29654  {
29655 -       return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
29656 +       return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
29657  }
29658  
29659  static ssize_t
29660 @@ -2455,7 +2455,7 @@ errors_store(mdk_rdev_t *rdev, const cha
29661         char *e;
29662         unsigned long n = simple_strtoul(buf, &e, 10);
29663         if (*buf && (*e == 0 || *e == '\n')) {
29664 -               atomic_set(&rdev->corrected_errors, n);
29665 +               atomic_set_unchecked(&rdev->corrected_errors, n);
29666                 return len;
29667         }
29668         return -EINVAL;
29669 @@ -2811,8 +2811,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
29670         rdev->last_read_error.tv_sec  = 0;
29671         rdev->last_read_error.tv_nsec = 0;
29672         atomic_set(&rdev->nr_pending, 0);
29673 -       atomic_set(&rdev->read_errors, 0);
29674 -       atomic_set(&rdev->corrected_errors, 0);
29675 +       atomic_set_unchecked(&rdev->read_errors, 0);
29676 +       atomic_set_unchecked(&rdev->corrected_errors, 0);
29677  
29678         INIT_LIST_HEAD(&rdev->same_set);
29679         init_waitqueue_head(&rdev->blocked_wait);
29680 @@ -6440,7 +6440,7 @@ static int md_seq_show(struct seq_file *
29681  
29682                 spin_unlock(&pers_lock);
29683                 seq_printf(seq, "\n");
29684 -               mi->event = atomic_read(&md_event_count);
29685 +               mi->event = atomic_read_unchecked(&md_event_count);
29686                 return 0;
29687         }
29688         if (v == (void*)2) {
29689 @@ -6529,7 +6529,7 @@ static int md_seq_show(struct seq_file *
29690                                 chunk_kb ? "KB" : "B");
29691                         if (bitmap->file) {
29692                                 seq_printf(seq, ", file: ");
29693 -                               seq_path(seq, &bitmap->file->f_path, " \t\n");
29694 +                               seq_path(seq, &bitmap->file->f_path, " \t\n\\");
29695                         }
29696  
29697                         seq_printf(seq, "\n");
29698 @@ -6563,7 +6563,7 @@ static int md_seq_open(struct inode *ino
29699         else {
29700                 struct seq_file *p = file->private_data;
29701                 p->private = mi;
29702 -               mi->event = atomic_read(&md_event_count);
29703 +               mi->event = atomic_read_unchecked(&md_event_count);
29704         }
29705         return error;
29706  }
29707 @@ -6579,7 +6579,7 @@ static unsigned int mdstat_poll(struct f
29708         /* always allow read */
29709         mask = POLLIN | POLLRDNORM;
29710  
29711 -       if (mi->event != atomic_read(&md_event_count))
29712 +       if (mi->event != atomic_read_unchecked(&md_event_count))
29713                 mask |= POLLERR | POLLPRI;
29714         return mask;
29715  }
29716 @@ -6623,7 +6623,7 @@ static int is_mddev_idle(mddev_t *mddev,
29717                 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
29718                 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
29719                               (int)part_stat_read(&disk->part0, sectors[1]) -
29720 -                             atomic_read(&disk->sync_io);
29721 +                             atomic_read_unchecked(&disk->sync_io);
29722                 /* sync IO will cause sync_io to increase before the disk_stats
29723                  * as sync_io is counted when a request starts, and
29724                  * disk_stats is counted when it completes.
29725 diff -urNp linux-3.0.9/drivers/md/md.h linux-3.0.9/drivers/md/md.h
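Review bot: The md_seq_show hunk that adds `\\` to the seq_path escape set is a behavioural change to /proc/mdstat output that is unrelated to the atomic counter conversions filling the rest of this file section and carries no explanation. If the intent is that a literal backslash in a bitmap file name must not be mistakable for the `\ooo` escapes seq_path itself emits, say so inline: `seq_path(seq, &bitmap->file->f_path, " \t\n\\"); /* escape '\\' too: keep the path unambiguous */`, and check whether the other seq_path callers that print file names were given the same treatment so the format stays consistent. Separately, errors_store still writes the `unsigned long` from simple_strtoul into a 32-bit counter via `atomic_set_unchecked`; the truncation predates this patch but the new helper name makes it a good moment to range-check `n`.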
29726 --- linux-3.0.9/drivers/md/md.h 2011-11-11 13:12:24.000000000 -0500
29727 +++ linux-3.0.9/drivers/md/md.h 2011-11-15 20:02:59.000000000 -0500
29728 @@ -97,13 +97,13 @@ struct mdk_rdev_s
29729                                          * only maintained for arrays that
29730                                          * support hot removal
29731                                          */
29732 -       atomic_t        read_errors;    /* number of consecutive read errors that
29733 +       atomic_unchecked_t      read_errors;    /* number of consecutive read errors that
29734                                          * we have tried to ignore.
29735                                          */
29736         struct timespec last_read_error;        /* monotonic time since our
29737                                                  * last read error
29738                                                  */
29739 -       atomic_t        corrected_errors; /* number of corrected read errors,
29740 +       atomic_unchecked_t      corrected_errors; /* number of corrected read errors,
29741                                            * for reporting to userspace and storing
29742                                            * in superblock.
29743                                            */
29744 @@ -344,7 +344,7 @@ static inline void rdev_dec_pending(mdk_
29745  
29746  static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
29747  {
29748 -        atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29749 +       atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29750  }
29751  
29752  struct mdk_personality
29753 diff -urNp linux-3.0.9/drivers/md/raid10.c linux-3.0.9/drivers/md/raid10.c
29754 --- linux-3.0.9/drivers/md/raid10.c     2011-11-11 13:12:24.000000000 -0500
29755 +++ linux-3.0.9/drivers/md/raid10.c     2011-11-15 20:02:59.000000000 -0500
29756 @@ -1186,7 +1186,7 @@ static void end_sync_read(struct bio *bi
29757         if (test_bit(BIO_UPTODATE, &bio->bi_flags))
29758                 set_bit(R10BIO_Uptodate, &r10_bio->state);
29759         else {
29760 -               atomic_add(r10_bio->sectors,
29761 +               atomic_add_unchecked(r10_bio->sectors,
29762                            &conf->mirrors[d].rdev->corrected_errors);
29763                 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
29764                         md_error(r10_bio->mddev,
29765 @@ -1394,7 +1394,7 @@ static void check_decay_read_errors(mdde
29766  {
29767         struct timespec cur_time_mon;
29768         unsigned long hours_since_last;
29769 -       unsigned int read_errors = atomic_read(&rdev->read_errors);
29770 +       unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
29771  
29772         ktime_get_ts(&cur_time_mon);
29773  
29774 @@ -1416,9 +1416,9 @@ static void check_decay_read_errors(mdde
29775          * overflowing the shift of read_errors by hours_since_last.
29776          */
29777         if (hours_since_last >= 8 * sizeof(read_errors))
29778 -               atomic_set(&rdev->read_errors, 0);
29779 +               atomic_set_unchecked(&rdev->read_errors, 0);
29780         else
29781 -               atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
29782 +               atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
29783  }
29784  
29785  /*
29786 @@ -1448,8 +1448,8 @@ static void fix_read_error(conf_t *conf,
29787                 return;
29788  
29789         check_decay_read_errors(mddev, rdev);
29790 -       atomic_inc(&rdev->read_errors);
29791 -       if (atomic_read(&rdev->read_errors) > max_read_errors) {
29792 +       atomic_inc_unchecked(&rdev->read_errors);
29793 +       if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
29794                 char b[BDEVNAME_SIZE];
29795                 bdevname(rdev->bdev, b);
29796  
29797 @@ -1457,7 +1457,7 @@ static void fix_read_error(conf_t *conf,
29798                        "md/raid10:%s: %s: Raid device exceeded "
29799                        "read_error threshold [cur %d:max %d]\n",
29800                        mdname(mddev), b,
29801 -                      atomic_read(&rdev->read_errors), max_read_errors);
29802 +                      atomic_read_unchecked(&rdev->read_errors), max_read_errors);
29803                 printk(KERN_NOTICE
29804                        "md/raid10:%s: %s: Failing raid device\n",
29805                        mdname(mddev), b);
29806 @@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
29807                             test_bit(In_sync, &rdev->flags)) {
29808                                 atomic_inc(&rdev->nr_pending);
29809                                 rcu_read_unlock();
29810 -                               atomic_add(s, &rdev->corrected_errors);
29811 +                               atomic_add_unchecked(s, &rdev->corrected_errors);
29812                                 if (sync_page_io(rdev,
29813                                                  r10_bio->devs[sl].addr +
29814                                                  sect,
29815 diff -urNp linux-3.0.9/drivers/md/raid1.c linux-3.0.9/drivers/md/raid1.c
29816 --- linux-3.0.9/drivers/md/raid1.c      2011-11-11 13:12:24.000000000 -0500
29817 +++ linux-3.0.9/drivers/md/raid1.c      2011-11-15 20:02:59.000000000 -0500
29818 @@ -1263,7 +1263,7 @@ static int fix_sync_read_error(r1bio_t *
29819                                 rdev_dec_pending(rdev, mddev);
29820                                 md_error(mddev, rdev);
29821                         } else
29822 -                               atomic_add(s, &rdev->corrected_errors);
29823 +                               atomic_add_unchecked(s, &rdev->corrected_errors);
29824                 }
29825                 d = start;
29826                 while (d != r1_bio->read_disk) {
29827 @@ -1492,7 +1492,7 @@ static void fix_read_error(conf_t *conf,
29828                                         /* Well, this device is dead */
29829                                         md_error(mddev, rdev);
29830                                 else {
29831 -                                       atomic_add(s, &rdev->corrected_errors);
29832 +                                       atomic_add_unchecked(s, &rdev->corrected_errors);
29833                                         printk(KERN_INFO
29834                                                "md/raid1:%s: read error corrected "
29835                                                "(%d sectors at %llu on %s)\n",
29836 diff -urNp linux-3.0.9/drivers/md/raid5.c linux-3.0.9/drivers/md/raid5.c
29837 --- linux-3.0.9/drivers/md/raid5.c      2011-11-11 13:12:24.000000000 -0500
29838 +++ linux-3.0.9/drivers/md/raid5.c      2011-11-15 20:02:59.000000000 -0500
29839 @@ -550,7 +550,7 @@ static void ops_run_io(struct stripe_hea
29840                         bi->bi_next = NULL;
29841                         if ((rw & WRITE) &&
29842                             test_bit(R5_ReWrite, &sh->dev[i].flags))
29843 -                               atomic_add(STRIPE_SECTORS,
29844 +                               atomic_add_unchecked(STRIPE_SECTORS,
29845                                         &rdev->corrected_errors);
29846                         generic_make_request(bi);
29847                 } else {
29848 @@ -1596,15 +1596,15 @@ static void raid5_end_read_request(struc
29849                         clear_bit(R5_ReadError, &sh->dev[i].flags);
29850                         clear_bit(R5_ReWrite, &sh->dev[i].flags);
29851                 }
29852 -               if (atomic_read(&conf->disks[i].rdev->read_errors))
29853 -                       atomic_set(&conf->disks[i].rdev->read_errors, 0);
29854 +               if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
29855 +                       atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
29856         } else {
29857                 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
29858                 int retry = 0;
29859                 rdev = conf->disks[i].rdev;
29860  
29861                 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
29862 -               atomic_inc(&rdev->read_errors);
29863 +               atomic_inc_unchecked(&rdev->read_errors);
29864                 if (conf->mddev->degraded >= conf->max_degraded)
29865                         printk_rl(KERN_WARNING
29866                                   "md/raid:%s: read error not correctable "
29867 @@ -1622,7 +1622,7 @@ static void raid5_end_read_request(struc
29868                                   (unsigned long long)(sh->sector
29869                                                        + rdev->data_offset),
29870                                   bdn);
29871 -               else if (atomic_read(&rdev->read_errors)
29872 +               else if (atomic_read_unchecked(&rdev->read_errors)
29873                          > conf->max_nr_stripes)
29874                         printk(KERN_WARNING
29875                                "md/raid:%s: Too many read errors, failing device %s.\n",
29876 @@ -1945,6 +1945,7 @@ static sector_t compute_blocknr(struct s
29877         sector_t r_sector;
29878         struct stripe_head sh2;
29879  
29880 +       pax_track_stack();
29881  
29882         chunk_offset = sector_div(new_sector, sectors_per_chunk);
29883         stripe = new_sector;
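Review bot: The inserted pax_track_stack() gives no hint of what triggers it; the visible reason in this hunk is the large automatic `struct stripe_head sh2`, and the same bare insertion recurs in the media, i2o and saa7164 hunks that follow. A short comment on the first use would help a maintainer who later shrinks the frame and wonders whether the call can go, e.g. `/* large stack frame (sh2): record depth for PaX stack tracking */`. compute_blocknr starts outside the hunk.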
29884 diff -urNp linux-3.0.9/drivers/media/common/saa7146_hlp.c linux-3.0.9/drivers/media/common/saa7146_hlp.c
29885 --- linux-3.0.9/drivers/media/common/saa7146_hlp.c      2011-11-11 13:12:24.000000000 -0500
29886 +++ linux-3.0.9/drivers/media/common/saa7146_hlp.c      2011-11-15 20:02:59.000000000 -0500
29887 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
29888  
29889         int x[32], y[32], w[32], h[32];
29890  
29891 +       pax_track_stack();
29892 +
29893         /* clear out memory */
29894         memset(&line_list[0],  0x00, sizeof(u32)*32);
29895         memset(&pixel_list[0], 0x00, sizeof(u32)*32);
29896 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-3.0.9/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
29897 --- linux-3.0.9/drivers/media/dvb/dvb-core/dvb_ca_en50221.c     2011-11-11 13:12:24.000000000 -0500
29898 +++ linux-3.0.9/drivers/media/dvb/dvb-core/dvb_ca_en50221.c     2011-11-15 20:02:59.000000000 -0500
29899 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
29900         u8 buf[HOST_LINK_BUF_SIZE];
29901         int i;
29902  
29903 +       pax_track_stack();
29904 +
29905         dprintk("%s\n", __func__);
29906  
29907         /* check if we have space for a link buf in the rx_buffer */
29908 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
29909         unsigned long timeout;
29910         int written;
29911  
29912 +       pax_track_stack();
29913 +
29914         dprintk("%s\n", __func__);
29915  
29916         /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
29917 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-core/dvb_demux.h linux-3.0.9/drivers/media/dvb/dvb-core/dvb_demux.h
29918 --- linux-3.0.9/drivers/media/dvb/dvb-core/dvb_demux.h  2011-11-11 13:12:24.000000000 -0500
29919 +++ linux-3.0.9/drivers/media/dvb/dvb-core/dvb_demux.h  2011-11-15 20:02:59.000000000 -0500
29920 @@ -68,12 +68,12 @@ struct dvb_demux_feed {
29921         union {
29922                 struct dmx_ts_feed ts;
29923                 struct dmx_section_feed sec;
29924 -       } feed;
29925 +       } __no_const feed;
29926  
29927         union {
29928                 dmx_ts_cb ts;
29929                 dmx_section_cb sec;
29930 -       } cb;
29931 +       } __no_const cb;
29932  
29933         struct dvb_demux *demux;
29934         void *priv;
29935 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-core/dvbdev.c linux-3.0.9/drivers/media/dvb/dvb-core/dvbdev.c
29936 --- linux-3.0.9/drivers/media/dvb/dvb-core/dvbdev.c     2011-11-11 13:12:24.000000000 -0500
29937 +++ linux-3.0.9/drivers/media/dvb/dvb-core/dvbdev.c     2011-11-15 20:02:59.000000000 -0500
29938 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
29939                         const struct dvb_device *template, void *priv, int type)
29940  {
29941         struct dvb_device *dvbdev;
29942 -       struct file_operations *dvbdevfops;
29943 +       file_operations_no_const *dvbdevfops;
29944         struct device *clsdev;
29945         int minor;
29946         int id;
29947 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-usb/cxusb.c linux-3.0.9/drivers/media/dvb/dvb-usb/cxusb.c
29948 --- linux-3.0.9/drivers/media/dvb/dvb-usb/cxusb.c       2011-11-11 13:12:24.000000000 -0500
29949 +++ linux-3.0.9/drivers/media/dvb/dvb-usb/cxusb.c       2011-11-15 20:02:59.000000000 -0500
29950 @@ -1059,7 +1059,7 @@ static struct dib0070_config dib7070p_di
29951  struct dib0700_adapter_state {
29952         int (*set_param_save) (struct dvb_frontend *,
29953                                struct dvb_frontend_parameters *);
29954 -};
29955 +} __no_const;
29956  
29957  static int dib7070_set_param_override(struct dvb_frontend *fe,
29958                                       struct dvb_frontend_parameters *fep)
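Review bot: `__no_const` on struct dib0700_adapter_state is added without a comment saying why this struct must stay writable, and the same applies to the `__no_const` on struct s6x0_state in dw2102.c and on the `feed`/`cb` unions in dvb_demux.h. The visible member is a function pointer, and the override function declared right below suggests it is saved at runtime; a one-liner such as `/* set_param_save is written at runtime: keep writable under constification */` would tell the next reader why the struct is exempt from being made const.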
29959 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-usb/dib0700_core.c linux-3.0.9/drivers/media/dvb/dvb-usb/dib0700_core.c
29960 --- linux-3.0.9/drivers/media/dvb/dvb-usb/dib0700_core.c        2011-11-11 13:12:24.000000000 -0500
29961 +++ linux-3.0.9/drivers/media/dvb/dvb-usb/dib0700_core.c        2011-11-15 20:02:59.000000000 -0500
29962 @@ -478,6 +478,8 @@ int dib0700_download_firmware(struct usb
29963         if (!buf)
29964                 return -ENOMEM;
29965  
29966 +       pax_track_stack();
29967 +
29968         while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
29969                 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
29970                                 hx.addr, hx.len, hx.chk);
29971 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-usb/dibusb.h linux-3.0.9/drivers/media/dvb/dvb-usb/dibusb.h
29972 --- linux-3.0.9/drivers/media/dvb/dvb-usb/dibusb.h      2011-11-11 13:12:24.000000000 -0500
29973 +++ linux-3.0.9/drivers/media/dvb/dvb-usb/dibusb.h      2011-11-15 20:02:59.000000000 -0500
29974 @@ -97,7 +97,7 @@
29975  #define DIBUSB_IOCTL_CMD_DISABLE_STREAM        0x02
29976  
29977  struct dibusb_state {
29978 -       struct dib_fe_xfer_ops ops;
29979 +       dib_fe_xfer_ops_no_const ops;
29980         int mt2060_present;
29981         u8 tuner_addr;
29982  };
29983 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-usb/dw2102.c linux-3.0.9/drivers/media/dvb/dvb-usb/dw2102.c
29984 --- linux-3.0.9/drivers/media/dvb/dvb-usb/dw2102.c      2011-11-11 13:12:24.000000000 -0500
29985 +++ linux-3.0.9/drivers/media/dvb/dvb-usb/dw2102.c      2011-11-15 20:02:59.000000000 -0500
29986 @@ -95,7 +95,7 @@ struct su3000_state {
29987  
29988  struct s6x0_state {
29989         int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v);
29990 -};
29991 +} __no_const;
29992  
29993  /* debug */
29994  static int dvb_usb_dw2102_debug;
29995 diff -urNp linux-3.0.9/drivers/media/dvb/dvb-usb/lmedm04.c linux-3.0.9/drivers/media/dvb/dvb-usb/lmedm04.c
29996 --- linux-3.0.9/drivers/media/dvb/dvb-usb/lmedm04.c     2011-11-11 13:12:24.000000000 -0500
29997 +++ linux-3.0.9/drivers/media/dvb/dvb-usb/lmedm04.c     2011-11-15 20:02:59.000000000 -0500
29998 @@ -742,6 +742,7 @@ static int lme2510_download_firmware(str
29999         usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
30000                         0x06, 0x80, 0x0200, 0x00, data, 0x0109, 1000);
30001  
30002 +       pax_track_stack();
30003  
30004         data[0] = 0x8a;
30005         len_in = 1;
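Review bot: In lme2510_download_firmware the pax_track_stack() call lands after the usb_control_msg() that already passes the `data` buffer, whereas the next hunk (lme_coldreset) and every other insertion in this patch place it directly after the declarations, before the first use of the large local. If the call is meant to record the frame depth before the buffer is touched, it should move up to follow the declarations here too; at minimum the placement should be consistent within the file. The function begins outside the hunk.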
30006 @@ -764,6 +765,8 @@ static void lme_coldreset(struct usb_dev
30007         int ret = 0, len_in;
30008         u8 data[512] = {0};
30009  
30010 +       pax_track_stack();
30011 +
30012         data[0] = 0x0a;
30013         len_in = 1;
30014         info("FRM Firmware Cold Reset");
30015 diff -urNp linux-3.0.9/drivers/media/dvb/frontends/dib3000.h linux-3.0.9/drivers/media/dvb/frontends/dib3000.h
30016 --- linux-3.0.9/drivers/media/dvb/frontends/dib3000.h   2011-11-11 13:12:24.000000000 -0500
30017 +++ linux-3.0.9/drivers/media/dvb/frontends/dib3000.h   2011-11-15 20:02:59.000000000 -0500
30018 @@ -40,10 +40,11 @@ struct dib_fe_xfer_ops
30019         int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
30020         int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
30021  };
30022 +typedef struct dib_fe_xfer_ops __no_const dib_fe_xfer_ops_no_const;
30023  
30024  #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
30025  extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
30026 -                                            struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops);
30027 +                                            struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops);
30028  #else
30029  static inline struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
30030                                              struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops)
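Review bot: The `#else` inline stub of dib3000mb_attach, visible as the last two context lines of this hunk, still takes `struct dib_fe_xfer_ops *xfer_ops` while the extern prototype above now takes `dib_fe_xfer_ops_no_const *`. The dibusb.h hunk in this patch changes the `ops` member to the no_const typedef, so callers pass that type in both configurations and the stub should match: `struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops)`. The typedef is defined only in dib3000.h, so dibusb.h presumably already includes it; worth confirming.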
30031 diff -urNp linux-3.0.9/drivers/media/dvb/frontends/dib3000mb.c linux-3.0.9/drivers/media/dvb/frontends/dib3000mb.c
30032 --- linux-3.0.9/drivers/media/dvb/frontends/dib3000mb.c 2011-11-11 13:12:24.000000000 -0500
30033 +++ linux-3.0.9/drivers/media/dvb/frontends/dib3000mb.c 2011-11-15 20:02:59.000000000 -0500
30034 @@ -756,7 +756,7 @@ static int dib3000mb_tuner_pass_ctrl(str
30035  static struct dvb_frontend_ops dib3000mb_ops;
30036  
30037  struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
30038 -                                     struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops)
30039 +                                     struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops)
30040  {
30041         struct dib3000_state* state = NULL;
30042  
30043 diff -urNp linux-3.0.9/drivers/media/dvb/frontends/mb86a16.c linux-3.0.9/drivers/media/dvb/frontends/mb86a16.c
30044 --- linux-3.0.9/drivers/media/dvb/frontends/mb86a16.c   2011-11-11 13:12:24.000000000 -0500
30045 +++ linux-3.0.9/drivers/media/dvb/frontends/mb86a16.c   2011-11-15 20:02:59.000000000 -0500
30046 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
30047         int ret = -1;
30048         int sync;
30049  
30050 +       pax_track_stack();
30051 +
30052         dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
30053  
30054         fcp = 3000;
30055 diff -urNp linux-3.0.9/drivers/media/dvb/frontends/or51211.c linux-3.0.9/drivers/media/dvb/frontends/or51211.c
30056 --- linux-3.0.9/drivers/media/dvb/frontends/or51211.c   2011-11-11 13:12:24.000000000 -0500
30057 +++ linux-3.0.9/drivers/media/dvb/frontends/or51211.c   2011-11-15 20:02:59.000000000 -0500
30058 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
30059         u8 tudata[585];
30060         int i;
30061  
30062 +       pax_track_stack();
30063 +
30064         dprintk("Firmware is %zd bytes\n",fw->size);
30065  
30066         /* Get eprom data */
30067 diff -urNp linux-3.0.9/drivers/media/dvb/ngene/ngene-cards.c linux-3.0.9/drivers/media/dvb/ngene/ngene-cards.c
30068 --- linux-3.0.9/drivers/media/dvb/ngene/ngene-cards.c   2011-11-11 13:12:24.000000000 -0500
30069 +++ linux-3.0.9/drivers/media/dvb/ngene/ngene-cards.c   2011-11-15 20:02:59.000000000 -0500
30070 @@ -379,7 +379,7 @@ static struct ngene_info ngene_info_m780
30071  
30072  /****************************************************************************/
30073  
30074 -static const struct pci_device_id ngene_id_tbl[] __devinitdata = {
30075 +static const struct pci_device_id ngene_id_tbl[] __devinitconst = {
30076         NGENE_ID(0x18c3, 0xabc3, ngene_info_cineS2),
30077         NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2),
30078         NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2),
30079 diff -urNp linux-3.0.9/drivers/media/video/cx18/cx18-driver.c linux-3.0.9/drivers/media/video/cx18/cx18-driver.c
30080 --- linux-3.0.9/drivers/media/video/cx18/cx18-driver.c  2011-11-11 13:12:24.000000000 -0500
30081 +++ linux-3.0.9/drivers/media/video/cx18/cx18-driver.c  2011-11-15 20:02:59.000000000 -0500
30082 @@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
30083         struct i2c_client c;
30084         u8 eedata[256];
30085  
30086 +       pax_track_stack();
30087 +
30088         memset(&c, 0, sizeof(c));
30089         strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
30090         c.adapter = &cx->i2c_adap[0];
30091 diff -urNp linux-3.0.9/drivers/media/video/cx23885/cx23885-input.c linux-3.0.9/drivers/media/video/cx23885/cx23885-input.c
30092 --- linux-3.0.9/drivers/media/video/cx23885/cx23885-input.c     2011-11-11 13:12:24.000000000 -0500
30093 +++ linux-3.0.9/drivers/media/video/cx23885/cx23885-input.c     2011-11-15 20:02:59.000000000 -0500
30094 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
30095         bool handle = false;
30096         struct ir_raw_event ir_core_event[64];
30097  
30098 +       pax_track_stack();
30099 +
30100         do {
30101                 num = 0;
30102                 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
30103 diff -urNp linux-3.0.9/drivers/media/video/cx88/cx88-alsa.c linux-3.0.9/drivers/media/video/cx88/cx88-alsa.c
30104 --- linux-3.0.9/drivers/media/video/cx88/cx88-alsa.c    2011-11-11 13:12:24.000000000 -0500
30105 +++ linux-3.0.9/drivers/media/video/cx88/cx88-alsa.c    2011-11-15 20:02:59.000000000 -0500
30106 @@ -764,7 +764,7 @@ static struct snd_kcontrol_new snd_cx88_
30107   * Only boards with eeprom and byte 1 at eeprom=1 have it
30108   */
30109  
30110 -static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitdata = {
30111 +static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitconst = {
30112         {0x14f1,0x8801,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
30113         {0x14f1,0x8811,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
30114         {0, }
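Review bot: The rewritten declaration keeps the pre-existing doubled qualifier in `static const struct pci_device_id const cx88_audio_pci_tbl[]`; since the line is being changed anyway, dropping the second `const` brings it in line with ngene_id_tbl and ids[] in the other __devinitconst hunks: `static const struct pci_device_id cx88_audio_pci_tbl[] __devinitconst = {`.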
30115 diff -urNp linux-3.0.9/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-3.0.9/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
30116 --- linux-3.0.9/drivers/media/video/pvrusb2/pvrusb2-eeprom.c    2011-11-11 13:12:24.000000000 -0500
30117 +++ linux-3.0.9/drivers/media/video/pvrusb2/pvrusb2-eeprom.c    2011-11-15 20:02:59.000000000 -0500
30118 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw 
30119         u8 *eeprom;
30120         struct tveeprom tvdata;
30121  
30122 +       pax_track_stack();
30123 +
30124         memset(&tvdata,0,sizeof(tvdata));
30125  
30126         eeprom = pvr2_eeprom_fetch(hdw);
30127 diff -urNp linux-3.0.9/drivers/media/video/saa7134/saa6752hs.c linux-3.0.9/drivers/media/video/saa7134/saa6752hs.c
30128 --- linux-3.0.9/drivers/media/video/saa7134/saa6752hs.c 2011-11-11 13:12:24.000000000 -0500
30129 +++ linux-3.0.9/drivers/media/video/saa7134/saa6752hs.c 2011-11-15 20:02:59.000000000 -0500
30130 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
30131         unsigned char localPAT[256];
30132         unsigned char localPMT[256];
30133  
30134 +       pax_track_stack();
30135 +
30136         /* Set video format - must be done first as it resets other settings */
30137         set_reg8(client, 0x41, h->video_format);
30138  
30139 diff -urNp linux-3.0.9/drivers/media/video/saa7164/saa7164-cmd.c linux-3.0.9/drivers/media/video/saa7164/saa7164-cmd.c
30140 --- linux-3.0.9/drivers/media/video/saa7164/saa7164-cmd.c       2011-11-11 13:12:24.000000000 -0500
30141 +++ linux-3.0.9/drivers/media/video/saa7164/saa7164-cmd.c       2011-11-15 20:02:59.000000000 -0500
30142 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
30143         u8 tmp[512];
30144         dprintk(DBGLVL_CMD, "%s()\n", __func__);
30145  
30146 +       pax_track_stack();
30147 +
30148         /* While any outstand message on the bus exists... */
30149         do {
30150  
30151 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
30152         u8 tmp[512];
30153         dprintk(DBGLVL_CMD, "%s()\n", __func__);
30154  
30155 +       pax_track_stack();
30156 +
30157         while (loop) {
30158  
30159                 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
30160 diff -urNp linux-3.0.9/drivers/media/video/timblogiw.c linux-3.0.9/drivers/media/video/timblogiw.c
30161 --- linux-3.0.9/drivers/media/video/timblogiw.c 2011-11-11 13:12:24.000000000 -0500
30162 +++ linux-3.0.9/drivers/media/video/timblogiw.c 2011-11-15 20:02:59.000000000 -0500
30163 @@ -745,7 +745,7 @@ static int timblogiw_mmap(struct file *f
30164  
30165  /* Platform device functions */
30166  
30167 -static __devinitconst struct v4l2_ioctl_ops timblogiw_ioctl_ops = {
30168 +static __devinitconst v4l2_ioctl_ops_no_const timblogiw_ioctl_ops = {
30169         .vidioc_querycap                = timblogiw_querycap,
30170         .vidioc_enum_fmt_vid_cap        = timblogiw_enum_fmt,
30171         .vidioc_g_fmt_vid_cap           = timblogiw_g_fmt,
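Review bot: `__devinitconst` places timblogiw_ioctl_ops in a read-only init-data section, while `v4l2_ioctl_ops_no_const` exists precisely to keep an object writable under constification, so the two annotations pull in opposite directions. If the driver writes into this table at runtime (not visible in the hunk), the section attribute should become `__devinitdata`; if it does not, the type change is unnecessary and the original `struct v4l2_ioctl_ops` can stay. Either way a comment on the declaration stating which it is would resolve the ambiguity.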
30172 diff -urNp linux-3.0.9/drivers/media/video/usbvision/usbvision-core.c linux-3.0.9/drivers/media/video/usbvision/usbvision-core.c
30173 --- linux-3.0.9/drivers/media/video/usbvision/usbvision-core.c  2011-11-11 13:12:24.000000000 -0500
30174 +++ linux-3.0.9/drivers/media/video/usbvision/usbvision-core.c  2011-11-15 20:02:59.000000000 -0500
30175 @@ -707,6 +707,8 @@ static enum parse_state usbvision_parse_
30176         unsigned char rv, gv, bv;
30177         static unsigned char *Y, *U, *V;
30178  
30179 +       pax_track_stack();
30180 +
30181         frame = usbvision->cur_frame;
30182         image_size = frame->frmwidth * frame->frmheight;
30183         if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
30184 diff -urNp linux-3.0.9/drivers/media/video/videobuf-dma-sg.c linux-3.0.9/drivers/media/video/videobuf-dma-sg.c
30185 --- linux-3.0.9/drivers/media/video/videobuf-dma-sg.c   2011-11-11 13:12:24.000000000 -0500
30186 +++ linux-3.0.9/drivers/media/video/videobuf-dma-sg.c   2011-11-15 20:02:59.000000000 -0500
30187 @@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
30188  {
30189         struct videobuf_queue q;
30190  
30191 +       pax_track_stack();
30192 +
30193         /* Required to make generic handler to call __videobuf_alloc */
30194         q.int_ops = &sg_ops;
30195  
30196 diff -urNp linux-3.0.9/drivers/message/fusion/mptbase.c linux-3.0.9/drivers/message/fusion/mptbase.c
30197 --- linux-3.0.9/drivers/message/fusion/mptbase.c        2011-11-11 13:12:24.000000000 -0500
30198 +++ linux-3.0.9/drivers/message/fusion/mptbase.c        2011-11-15 20:02:59.000000000 -0500
30199 @@ -6681,8 +6681,13 @@ static int mpt_iocinfo_proc_show(struct 
30200         seq_printf(m, "  MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
30201         seq_printf(m, "  MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
30202  
30203 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30204 +       seq_printf(m, "  RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
30205 +#else
30206         seq_printf(m, "  RequestFrames @ 0x%p (Dma @ 0x%p)\n",
30207                                         (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
30208 +#endif
30209 +
30210         /*
30211          *  Rounding UP to nearest 4-kB boundary here...
30212          */
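Review bot: The CONFIG_GRKERNSEC_HIDESYM branch duplicates the whole seq_printf() line only to substitute NULL for the two pointer arguments, and it keeps the `0x` prefix, so the hidden line prints `0x` followed by whatever `%p` renders for NULL. Selecting the arguments rather than the statement keeps a single format string: declare the two `void *` values before the call, set both to NULL inside the #ifdef, and pass them to one unconditional seq_printf(). Alternatively the tree's `%pK` specifier hides the values at runtime under kptr_restrict, though that is a looser guarantee than a compile-time option and may be why it was not used.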
30213 diff -urNp linux-3.0.9/drivers/message/fusion/mptsas.c linux-3.0.9/drivers/message/fusion/mptsas.c
30214 --- linux-3.0.9/drivers/message/fusion/mptsas.c 2011-11-11 13:12:24.000000000 -0500
30215 +++ linux-3.0.9/drivers/message/fusion/mptsas.c 2011-11-15 20:02:59.000000000 -0500
30216 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
30217                 return 0;
30218  }
30219  
30220 +static inline void
30221 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30222 +{
30223 +       if (phy_info->port_details) {
30224 +               phy_info->port_details->rphy = rphy;
30225 +               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30226 +                   ioc->name, rphy));
30227 +       }
30228 +
30229 +       if (rphy) {
30230 +               dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30231 +                   &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30232 +               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30233 +                   ioc->name, rphy, rphy->dev.release));
30234 +       }
30235 +}
30236 +
30237  /* no mutex */
30238  static void
30239  mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
30240 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
30241                 return NULL;
30242  }
30243  
30244 -static inline void
30245 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30246 -{
30247 -       if (phy_info->port_details) {
30248 -               phy_info->port_details->rphy = rphy;
30249 -               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30250 -                   ioc->name, rphy));
30251 -       }
30252 -
30253 -       if (rphy) {
30254 -               dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30255 -                   &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30256 -               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30257 -                   ioc->name, rphy, rphy->dev.release));
30258 -       }
30259 -}
30260 -
30261  static inline struct sas_port *
30262  mptsas_get_port(struct mptsas_phyinfo *phy_info)
30263  {
30264 diff -urNp linux-3.0.9/drivers/message/fusion/mptscsih.c linux-3.0.9/drivers/message/fusion/mptscsih.c
30265 --- linux-3.0.9/drivers/message/fusion/mptscsih.c       2011-11-11 13:12:24.000000000 -0500
30266 +++ linux-3.0.9/drivers/message/fusion/mptscsih.c       2011-11-15 20:02:59.000000000 -0500
30267 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
30268  
30269         h = shost_priv(SChost);
30270  
30271 -       if (h) {
30272 -               if (h->info_kbuf == NULL)
30273 -                       if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30274 -                               return h->info_kbuf;
30275 -               h->info_kbuf[0] = '\0';
30276 +       if (!h)
30277 +               return NULL;
30278  
30279 -               mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30280 -               h->info_kbuf[size-1] = '\0';
30281 -       }
30282 +       if (h->info_kbuf == NULL)
30283 +               if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30284 +                       return h->info_kbuf;
30285 +       h->info_kbuf[0] = '\0';
30286 +
30287 +       mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30288 +       h->info_kbuf[size-1] = '\0';
30289  
30290         return h->info_kbuf;
30291  }
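Review bot: The early `return NULL` fixes the original's dereference of `h` when shost_priv() returns NULL, but the retained nested `if` without braces, with an assignment inside the inner condition, is hard to read and easy to mis-edit; `if (!h->info_kbuf && !(h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL))) return NULL;` says the same in one guarded line. Separately, `size` is declared outside the hunk; if mpt_print_ioc_summary() can leave it at 0, `h->info_kbuf[size-1]` indexes before the buffer, which is worth confirming against its initialisation at the top of mptscsih_info.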
30292 diff -urNp linux-3.0.9/drivers/message/i2o/i2o_config.c linux-3.0.9/drivers/message/i2o/i2o_config.c
30293 --- linux-3.0.9/drivers/message/i2o/i2o_config.c        2011-11-11 13:12:24.000000000 -0500
30294 +++ linux-3.0.9/drivers/message/i2o/i2o_config.c        2011-11-15 20:02:59.000000000 -0500
30295 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
30296         struct i2o_message *msg;
30297         unsigned int iop;
30298  
30299 +       pax_track_stack();
30300 +
30301         if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
30302                 return -EFAULT;
30303  
30304 diff -urNp linux-3.0.9/drivers/message/i2o/i2o_proc.c linux-3.0.9/drivers/message/i2o/i2o_proc.c
30305 --- linux-3.0.9/drivers/message/i2o/i2o_proc.c  2011-11-11 13:12:24.000000000 -0500
30306 +++ linux-3.0.9/drivers/message/i2o/i2o_proc.c  2011-11-15 20:02:59.000000000 -0500
30307 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
30308         "Array Controller Device"
30309  };
30310  
30311 -static char *chtostr(u8 * chars, int n)
30312 -{
30313 -       char tmp[256];
30314 -       tmp[0] = 0;
30315 -       return strncat(tmp, (char *)chars, n);
30316 -}
30317 -
30318  static int i2o_report_query_status(struct seq_file *seq, int block_status,
30319                                    char *group)
30320  {
30321 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
30322  
30323                 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
30324                 seq_printf(seq, "%-#8x", ddm_table.module_id);
30325 -               seq_printf(seq, "%-29s",
30326 -                          chtostr(ddm_table.module_name_version, 28));
30327 +               seq_printf(seq, "%-.28s", ddm_table.module_name_version);
30328                 seq_printf(seq, "%9d  ", ddm_table.data_size);
30329                 seq_printf(seq, "%8d", ddm_table.code_size);
30330  
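Review bot: `%-29s` with chtostr() produced a left-justified 29-column field, but the replacement `%-.28s` caps the string at 28 characters and drops the minimum width, so rows of the ddm table no longer line up whenever a name is shorter than 28 characters; `%-29.28s` keeps both the bound and the padding, and the drivers_stored hunk below needs the same treatment (`%-29.28s` and `%-9.8s`). Removing chtostr() itself is correct since it returned the address of its own stack array; the later hunks that used plain `%s` lose nothing with `%.Ns`.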
30331 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
30332  
30333                 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
30334                 seq_printf(seq, "%-#8x", dst->module_id);
30335 -               seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
30336 -               seq_printf(seq, "%-9s", chtostr(dst->date, 8));
30337 +               seq_printf(seq, "%-.28s", dst->module_name_version);
30338 +               seq_printf(seq, "%-.8s", dst->date);
30339                 seq_printf(seq, "%8d ", dst->module_size);
30340                 seq_printf(seq, "%8d ", dst->mpb_size);
30341                 seq_printf(seq, "0x%04x", dst->module_flags);
30342 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
30343         seq_printf(seq, "Device Class  : %s\n", i2o_get_class_name(work16[0]));
30344         seq_printf(seq, "Owner TID     : %0#5x\n", work16[2]);
30345         seq_printf(seq, "Parent TID    : %0#5x\n", work16[3]);
30346 -       seq_printf(seq, "Vendor info   : %s\n",
30347 -                  chtostr((u8 *) (work32 + 2), 16));
30348 -       seq_printf(seq, "Product info  : %s\n",
30349 -                  chtostr((u8 *) (work32 + 6), 16));
30350 -       seq_printf(seq, "Description   : %s\n",
30351 -                  chtostr((u8 *) (work32 + 10), 16));
30352 -       seq_printf(seq, "Product rev.  : %s\n",
30353 -                  chtostr((u8 *) (work32 + 14), 8));
30354 +       seq_printf(seq, "Vendor info   : %.16s\n", (u8 *) (work32 + 2));
30355 +       seq_printf(seq, "Product info  : %.16s\n", (u8 *) (work32 + 6));
30356 +       seq_printf(seq, "Description   : %.16s\n", (u8 *) (work32 + 10));
30357 +       seq_printf(seq, "Product rev.  : %.8s\n", (u8 *) (work32 + 14));
30358  
30359         seq_printf(seq, "Serial number : ");
30360         print_serial_number(seq, (u8 *) (work32 + 16),
30361 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
30362         }
30363  
30364         seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
30365 -       seq_printf(seq, "Module name         : %s\n",
30366 -                  chtostr(result.module_name, 24));
30367 -       seq_printf(seq, "Module revision     : %s\n",
30368 -                  chtostr(result.module_rev, 8));
30369 +       seq_printf(seq, "Module name         : %.24s\n", result.module_name);
30370 +       seq_printf(seq, "Module revision     : %.8s\n", result.module_rev);
30371  
30372         seq_printf(seq, "Serial number       : ");
30373         print_serial_number(seq, result.serial_number, sizeof(result) - 36);
30374 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
30375                 return 0;
30376         }
30377  
30378 -       seq_printf(seq, "Device name     : %s\n",
30379 -                  chtostr(result.device_name, 64));
30380 -       seq_printf(seq, "Service name    : %s\n",
30381 -                  chtostr(result.service_name, 64));
30382 -       seq_printf(seq, "Physical name   : %s\n",
30383 -                  chtostr(result.physical_location, 64));
30384 -       seq_printf(seq, "Instance number : %s\n",
30385 -                  chtostr(result.instance_number, 4));
30386 +       seq_printf(seq, "Device name     : %.64s\n", result.device_name);
30387 +       seq_printf(seq, "Service name    : %.64s\n", result.service_name);
30388 +       seq_printf(seq, "Physical name   : %.64s\n", result.physical_location);
30389 +       seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
30390  
30391         return 0;
30392  }
30393 diff -urNp linux-3.0.9/drivers/message/i2o/iop.c linux-3.0.9/drivers/message/i2o/iop.c
30394 --- linux-3.0.9/drivers/message/i2o/iop.c       2011-11-11 13:12:24.000000000 -0500
30395 +++ linux-3.0.9/drivers/message/i2o/iop.c       2011-11-15 20:02:59.000000000 -0500
30396 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
30397  
30398         spin_lock_irqsave(&c->context_list_lock, flags);
30399  
30400 -       if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
30401 -               atomic_inc(&c->context_list_counter);
30402 +       if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
30403 +               atomic_inc_unchecked(&c->context_list_counter);
30404  
30405 -       entry->context = atomic_read(&c->context_list_counter);
30406 +       entry->context = atomic_read_unchecked(&c->context_list_counter);
30407  
30408         list_add(&entry->list, &c->context_list);
30409  
30410 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
30411  
30412  #if BITS_PER_LONG == 64
30413         spin_lock_init(&c->context_list_lock);
30414 -       atomic_set(&c->context_list_counter, 0);
30415 +       atomic_set_unchecked(&c->context_list_counter, 0);
30416         INIT_LIST_HEAD(&c->context_list);
30417  #endif
30418  
30419 diff -urNp linux-3.0.9/drivers/mfd/ab3100-core.c linux-3.0.9/drivers/mfd/ab3100-core.c
30420 --- linux-3.0.9/drivers/mfd/ab3100-core.c       2011-11-11 13:12:24.000000000 -0500
30421 +++ linux-3.0.9/drivers/mfd/ab3100-core.c       2011-11-15 20:02:59.000000000 -0500
30422 @@ -809,7 +809,7 @@ struct ab_family_id {
30423         char    *name;
30424  };
30425  
30426 -static const struct ab_family_id ids[] __devinitdata = {
30427 +static const struct ab_family_id ids[] __devinitconst = {
30428         /* AB3100 */
30429         {
30430                 .id = 0xc0,
30431 diff -urNp linux-3.0.9/drivers/mfd/abx500-core.c linux-3.0.9/drivers/mfd/abx500-core.c
30432 --- linux-3.0.9/drivers/mfd/abx500-core.c       2011-11-11 13:12:24.000000000 -0500
30433 +++ linux-3.0.9/drivers/mfd/abx500-core.c       2011-11-15 20:02:59.000000000 -0500
30434 @@ -14,7 +14,7 @@ static LIST_HEAD(abx500_list);
30435  
30436  struct abx500_device_entry {
30437         struct list_head list;
30438 -       struct abx500_ops ops;
30439 +       abx500_ops_no_const ops;
30440         struct device *dev;
30441  };
30442  
30443 diff -urNp linux-3.0.9/drivers/mfd/janz-cmodio.c linux-3.0.9/drivers/mfd/janz-cmodio.c
30444 --- linux-3.0.9/drivers/mfd/janz-cmodio.c       2011-11-11 13:12:24.000000000 -0500
30445 +++ linux-3.0.9/drivers/mfd/janz-cmodio.c       2011-11-15 20:02:59.000000000 -0500
30446 @@ -13,6 +13,7 @@
30447  
30448  #include <linux/kernel.h>
30449  #include <linux/module.h>
30450 +#include <linux/slab.h>
30451  #include <linux/init.h>
30452  #include <linux/pci.h>
30453  #include <linux/interrupt.h>
30454 diff -urNp linux-3.0.9/drivers/mfd/wm8350-i2c.c linux-3.0.9/drivers/mfd/wm8350-i2c.c
30455 --- linux-3.0.9/drivers/mfd/wm8350-i2c.c        2011-11-11 13:12:24.000000000 -0500
30456 +++ linux-3.0.9/drivers/mfd/wm8350-i2c.c        2011-11-15 20:02:59.000000000 -0500
30457 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
30458         u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
30459         int ret;
30460  
30461 +       pax_track_stack();
30462 +
30463         if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
30464                 return -EINVAL;
30465  
30466 diff -urNp linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.c linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.c
30467 --- linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.c      2011-11-11 13:12:24.000000000 -0500
30468 +++ linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.c      2011-11-15 20:02:59.000000000 -0500
30469 @@ -437,7 +437,7 @@ static irqreturn_t lis302dl_interrupt(in
30470          * the lid is closed. This leads to interrupts as soon as a little move
30471          * is done.
30472          */
30473 -       atomic_inc(&lis3_dev.count);
30474 +       atomic_inc_unchecked(&lis3_dev.count);
30475  
30476         wake_up_interruptible(&lis3_dev.misc_wait);
30477         kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
30478 @@ -520,7 +520,7 @@ static int lis3lv02d_misc_open(struct in
30479         if (lis3_dev.pm_dev)
30480                 pm_runtime_get_sync(lis3_dev.pm_dev);
30481  
30482 -       atomic_set(&lis3_dev.count, 0);
30483 +       atomic_set_unchecked(&lis3_dev.count, 0);
30484         return 0;
30485  }
30486  
30487 @@ -547,7 +547,7 @@ static ssize_t lis3lv02d_misc_read(struc
30488         add_wait_queue(&lis3_dev.misc_wait, &wait);
30489         while (true) {
30490                 set_current_state(TASK_INTERRUPTIBLE);
30491 -               data = atomic_xchg(&lis3_dev.count, 0);
30492 +               data = atomic_xchg_unchecked(&lis3_dev.count, 0);
30493                 if (data)
30494                         break;
30495  
30496 @@ -585,7 +585,7 @@ out:
30497  static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
30498  {
30499         poll_wait(file, &lis3_dev.misc_wait, wait);
30500 -       if (atomic_read(&lis3_dev.count))
30501 +       if (atomic_read_unchecked(&lis3_dev.count))
30502                 return POLLIN | POLLRDNORM;
30503         return 0;
30504  }
30505 diff -urNp linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.h linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.h
30506 --- linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.h      2011-11-11 13:12:24.000000000 -0500
30507 +++ linux-3.0.9/drivers/misc/lis3lv02d/lis3lv02d.h      2011-11-15 20:02:59.000000000 -0500
30508 @@ -265,7 +265,7 @@ struct lis3lv02d {
30509         struct input_polled_dev *idev;     /* input device */
30510         struct platform_device  *pdev;     /* platform device */
30511         struct regulator_bulk_data regulators[2];
30512 -       atomic_t                count;     /* interrupt count after last read */
30513 +       atomic_unchecked_t      count;     /* interrupt count after last read */
30514         union axis_conversion   ac;        /* hw -> logical axis */
30515         int                     mapped_btns[3];
30516  
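Review bot: The field comment on `count` is left as `/* interrupt count after last read */` and does not say why the type becomes `atomic_unchecked_t`, i.e. that wrap-around of this counter is acceptable; extend it to `/* interrupt count after last read; reader resets it via xchg, so wrap-around is harmless (hence _unchecked) */` so the opt-out from refcount-overflow detection is documented at the declaration rather than inferred from the .c changes. The xchg-and-reset usage this relies on is visible in the lis3lv02d_misc_read hunk of the same patch. struct lis3lv02d continues outside this hunk.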
30517 diff -urNp linux-3.0.9/drivers/misc/sgi-gru/gruhandles.c linux-3.0.9/drivers/misc/sgi-gru/gruhandles.c
30518 --- linux-3.0.9/drivers/misc/sgi-gru/gruhandles.c       2011-11-11 13:12:24.000000000 -0500
30519 +++ linux-3.0.9/drivers/misc/sgi-gru/gruhandles.c       2011-11-15 20:02:59.000000000 -0500
30520 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
30521         unsigned long nsec;
30522  
30523         nsec = CLKS2NSEC(clks);
30524 -       atomic_long_inc(&mcs_op_statistics[op].count);
30525 -       atomic_long_add(nsec, &mcs_op_statistics[op].total);
30526 +       atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
30527 +       atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
30528         if (mcs_op_statistics[op].max < nsec)
30529                 mcs_op_statistics[op].max = nsec;
30530  }
30531 diff -urNp linux-3.0.9/drivers/misc/sgi-gru/gruprocfs.c linux-3.0.9/drivers/misc/sgi-gru/gruprocfs.c
30532 --- linux-3.0.9/drivers/misc/sgi-gru/gruprocfs.c        2011-11-11 13:12:24.000000000 -0500
30533 +++ linux-3.0.9/drivers/misc/sgi-gru/gruprocfs.c        2011-11-15 20:02:59.000000000 -0500
30534 @@ -32,9 +32,9 @@
30535  
30536  #define printstat(s, f)                printstat_val(s, &gru_stats.f, #f)
30537  
30538 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
30539 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
30540  {
30541 -       unsigned long val = atomic_long_read(v);
30542 +       unsigned long val = atomic_long_read_unchecked(v);
30543  
30544         seq_printf(s, "%16lu %s\n", val, id);
30545  }
30546 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
30547  
30548         seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
30549         for (op = 0; op < mcsop_last; op++) {
30550 -               count = atomic_long_read(&mcs_op_statistics[op].count);
30551 -               total = atomic_long_read(&mcs_op_statistics[op].total);
30552 +               count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
30553 +               total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
30554                 max = mcs_op_statistics[op].max;
30555                 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
30556                            count ? total / count : 0, max);
30557 diff -urNp linux-3.0.9/drivers/misc/sgi-gru/grutables.h linux-3.0.9/drivers/misc/sgi-gru/grutables.h
30558 --- linux-3.0.9/drivers/misc/sgi-gru/grutables.h        2011-11-11 13:12:24.000000000 -0500
30559 +++ linux-3.0.9/drivers/misc/sgi-gru/grutables.h        2011-11-15 20:02:59.000000000 -0500
30560 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
30561   * GRU statistics.
30562   */
30563  struct gru_stats_s {
30564 -       atomic_long_t vdata_alloc;
30565 -       atomic_long_t vdata_free;
30566 -       atomic_long_t gts_alloc;
30567 -       atomic_long_t gts_free;
30568 -       atomic_long_t gms_alloc;
30569 -       atomic_long_t gms_free;
30570 -       atomic_long_t gts_double_allocate;
30571 -       atomic_long_t assign_context;
30572 -       atomic_long_t assign_context_failed;
30573 -       atomic_long_t free_context;
30574 -       atomic_long_t load_user_context;
30575 -       atomic_long_t load_kernel_context;
30576 -       atomic_long_t lock_kernel_context;
30577 -       atomic_long_t unlock_kernel_context;
30578 -       atomic_long_t steal_user_context;
30579 -       atomic_long_t steal_kernel_context;
30580 -       atomic_long_t steal_context_failed;
30581 -       atomic_long_t nopfn;
30582 -       atomic_long_t asid_new;
30583 -       atomic_long_t asid_next;
30584 -       atomic_long_t asid_wrap;
30585 -       atomic_long_t asid_reuse;
30586 -       atomic_long_t intr;
30587 -       atomic_long_t intr_cbr;
30588 -       atomic_long_t intr_tfh;
30589 -       atomic_long_t intr_spurious;
30590 -       atomic_long_t intr_mm_lock_failed;
30591 -       atomic_long_t call_os;
30592 -       atomic_long_t call_os_wait_queue;
30593 -       atomic_long_t user_flush_tlb;
30594 -       atomic_long_t user_unload_context;
30595 -       atomic_long_t user_exception;
30596 -       atomic_long_t set_context_option;
30597 -       atomic_long_t check_context_retarget_intr;
30598 -       atomic_long_t check_context_unload;
30599 -       atomic_long_t tlb_dropin;
30600 -       atomic_long_t tlb_preload_page;
30601 -       atomic_long_t tlb_dropin_fail_no_asid;
30602 -       atomic_long_t tlb_dropin_fail_upm;
30603 -       atomic_long_t tlb_dropin_fail_invalid;
30604 -       atomic_long_t tlb_dropin_fail_range_active;
30605 -       atomic_long_t tlb_dropin_fail_idle;
30606 -       atomic_long_t tlb_dropin_fail_fmm;
30607 -       atomic_long_t tlb_dropin_fail_no_exception;
30608 -       atomic_long_t tfh_stale_on_fault;
30609 -       atomic_long_t mmu_invalidate_range;
30610 -       atomic_long_t mmu_invalidate_page;
30611 -       atomic_long_t flush_tlb;
30612 -       atomic_long_t flush_tlb_gru;
30613 -       atomic_long_t flush_tlb_gru_tgh;
30614 -       atomic_long_t flush_tlb_gru_zero_asid;
30615 -
30616 -       atomic_long_t copy_gpa;
30617 -       atomic_long_t read_gpa;
30618 -
30619 -       atomic_long_t mesq_receive;
30620 -       atomic_long_t mesq_receive_none;
30621 -       atomic_long_t mesq_send;
30622 -       atomic_long_t mesq_send_failed;
30623 -       atomic_long_t mesq_noop;
30624 -       atomic_long_t mesq_send_unexpected_error;
30625 -       atomic_long_t mesq_send_lb_overflow;
30626 -       atomic_long_t mesq_send_qlimit_reached;
30627 -       atomic_long_t mesq_send_amo_nacked;
30628 -       atomic_long_t mesq_send_put_nacked;
30629 -       atomic_long_t mesq_page_overflow;
30630 -       atomic_long_t mesq_qf_locked;
30631 -       atomic_long_t mesq_qf_noop_not_full;
30632 -       atomic_long_t mesq_qf_switch_head_failed;
30633 -       atomic_long_t mesq_qf_unexpected_error;
30634 -       atomic_long_t mesq_noop_unexpected_error;
30635 -       atomic_long_t mesq_noop_lb_overflow;
30636 -       atomic_long_t mesq_noop_qlimit_reached;
30637 -       atomic_long_t mesq_noop_amo_nacked;
30638 -       atomic_long_t mesq_noop_put_nacked;
30639 -       atomic_long_t mesq_noop_page_overflow;
30640 +       atomic_long_unchecked_t vdata_alloc;
30641 +       atomic_long_unchecked_t vdata_free;
30642 +       atomic_long_unchecked_t gts_alloc;
30643 +       atomic_long_unchecked_t gts_free;
30644 +       atomic_long_unchecked_t gms_alloc;
30645 +       atomic_long_unchecked_t gms_free;
30646 +       atomic_long_unchecked_t gts_double_allocate;
30647 +       atomic_long_unchecked_t assign_context;
30648 +       atomic_long_unchecked_t assign_context_failed;
30649 +       atomic_long_unchecked_t free_context;
30650 +       atomic_long_unchecked_t load_user_context;
30651 +       atomic_long_unchecked_t load_kernel_context;
30652 +       atomic_long_unchecked_t lock_kernel_context;
30653 +       atomic_long_unchecked_t unlock_kernel_context;
30654 +       atomic_long_unchecked_t steal_user_context;
30655 +       atomic_long_unchecked_t steal_kernel_context;
30656 +       atomic_long_unchecked_t steal_context_failed;
30657 +       atomic_long_unchecked_t nopfn;
30658 +       atomic_long_unchecked_t asid_new;
30659 +       atomic_long_unchecked_t asid_next;
30660 +       atomic_long_unchecked_t asid_wrap;
30661 +       atomic_long_unchecked_t asid_reuse;
30662 +       atomic_long_unchecked_t intr;
30663 +       atomic_long_unchecked_t intr_cbr;
30664 +       atomic_long_unchecked_t intr_tfh;
30665 +       atomic_long_unchecked_t intr_spurious;
30666 +       atomic_long_unchecked_t intr_mm_lock_failed;
30667 +       atomic_long_unchecked_t call_os;
30668 +       atomic_long_unchecked_t call_os_wait_queue;
30669 +       atomic_long_unchecked_t user_flush_tlb;
30670 +       atomic_long_unchecked_t user_unload_context;
30671 +       atomic_long_unchecked_t user_exception;
30672 +       atomic_long_unchecked_t set_context_option;
30673 +       atomic_long_unchecked_t check_context_retarget_intr;
30674 +       atomic_long_unchecked_t check_context_unload;
30675 +       atomic_long_unchecked_t tlb_dropin;
30676 +       atomic_long_unchecked_t tlb_preload_page;
30677 +       atomic_long_unchecked_t tlb_dropin_fail_no_asid;
30678 +       atomic_long_unchecked_t tlb_dropin_fail_upm;
30679 +       atomic_long_unchecked_t tlb_dropin_fail_invalid;
30680 +       atomic_long_unchecked_t tlb_dropin_fail_range_active;
30681 +       atomic_long_unchecked_t tlb_dropin_fail_idle;
30682 +       atomic_long_unchecked_t tlb_dropin_fail_fmm;
30683 +       atomic_long_unchecked_t tlb_dropin_fail_no_exception;
30684 +       atomic_long_unchecked_t tfh_stale_on_fault;
30685 +       atomic_long_unchecked_t mmu_invalidate_range;
30686 +       atomic_long_unchecked_t mmu_invalidate_page;
30687 +       atomic_long_unchecked_t flush_tlb;
30688 +       atomic_long_unchecked_t flush_tlb_gru;
30689 +       atomic_long_unchecked_t flush_tlb_gru_tgh;
30690 +       atomic_long_unchecked_t flush_tlb_gru_zero_asid;
30691 +
30692 +       atomic_long_unchecked_t copy_gpa;
30693 +       atomic_long_unchecked_t read_gpa;
30694 +
30695 +       atomic_long_unchecked_t mesq_receive;
30696 +       atomic_long_unchecked_t mesq_receive_none;
30697 +       atomic_long_unchecked_t mesq_send;
30698 +       atomic_long_unchecked_t mesq_send_failed;
30699 +       atomic_long_unchecked_t mesq_noop;
30700 +       atomic_long_unchecked_t mesq_send_unexpected_error;
30701 +       atomic_long_unchecked_t mesq_send_lb_overflow;
30702 +       atomic_long_unchecked_t mesq_send_qlimit_reached;
30703 +       atomic_long_unchecked_t mesq_send_amo_nacked;
30704 +       atomic_long_unchecked_t mesq_send_put_nacked;
30705 +       atomic_long_unchecked_t mesq_page_overflow;
30706 +       atomic_long_unchecked_t mesq_qf_locked;
30707 +       atomic_long_unchecked_t mesq_qf_noop_not_full;
30708 +       atomic_long_unchecked_t mesq_qf_switch_head_failed;
30709 +       atomic_long_unchecked_t mesq_qf_unexpected_error;
30710 +       atomic_long_unchecked_t mesq_noop_unexpected_error;
30711 +       atomic_long_unchecked_t mesq_noop_lb_overflow;
30712 +       atomic_long_unchecked_t mesq_noop_qlimit_reached;
30713 +       atomic_long_unchecked_t mesq_noop_amo_nacked;
30714 +       atomic_long_unchecked_t mesq_noop_put_nacked;
30715 +       atomic_long_unchecked_t mesq_noop_page_overflow;
30716  
30717  };
30718  
30719 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
30720         tghop_invalidate, mcsop_last};
30721  
30722  struct mcs_op_statistic {
30723 -       atomic_long_t   count;
30724 -       atomic_long_t   total;
30725 +       atomic_long_unchecked_t count;
30726 +       atomic_long_unchecked_t total;
30727         unsigned long   max;
30728  };
30729  
30730 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
30731  
30732  #define STAT(id)       do {                                            \
30733                                 if (gru_options & OPT_STATS)            \
30734 -                                       atomic_long_inc(&gru_stats.id); \
30735 +                                       atomic_long_inc_unchecked(&gru_stats.id);       \
30736                         } while (0)
30737  
30738  #ifdef CONFIG_SGI_GRU_DEBUG
30739 diff -urNp linux-3.0.9/drivers/misc/sgi-xp/xpc.h linux-3.0.9/drivers/misc/sgi-xp/xpc.h
30740 --- linux-3.0.9/drivers/misc/sgi-xp/xpc.h       2011-11-11 13:12:24.000000000 -0500
30741 +++ linux-3.0.9/drivers/misc/sgi-xp/xpc.h       2011-11-15 20:02:59.000000000 -0500
30742 @@ -835,6 +835,7 @@ struct xpc_arch_operations {
30743         void (*received_payload) (struct xpc_channel *, void *);
30744         void (*notify_senders_of_disconnect) (struct xpc_channel *);
30745  };
30746 +typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
30747  
30748  /* struct xpc_partition act_state values (for XPC HB) */
30749  
30750 @@ -876,7 +877,7 @@ extern struct xpc_registration xpc_regis
30751  /* found in xpc_main.c */
30752  extern struct device *xpc_part;
30753  extern struct device *xpc_chan;
30754 -extern struct xpc_arch_operations xpc_arch_ops;
30755 +extern xpc_arch_operations_no_const xpc_arch_ops;
30756  extern int xpc_disengage_timelimit;
30757  extern int xpc_disengage_timedout;
30758  extern int xpc_activate_IRQ_rcvd;
30759 diff -urNp linux-3.0.9/drivers/misc/sgi-xp/xpc_main.c linux-3.0.9/drivers/misc/sgi-xp/xpc_main.c
30760 --- linux-3.0.9/drivers/misc/sgi-xp/xpc_main.c  2011-11-11 13:12:24.000000000 -0500
30761 +++ linux-3.0.9/drivers/misc/sgi-xp/xpc_main.c  2011-11-15 20:02:59.000000000 -0500
30762 @@ -162,7 +162,7 @@ static struct notifier_block xpc_die_not
30763         .notifier_call = xpc_system_die,
30764  };
30765  
30766 -struct xpc_arch_operations xpc_arch_ops;
30767 +xpc_arch_operations_no_const xpc_arch_ops;
30768  
30769  /*
30770   * Timer function to enforce the timelimit on the partition disengage.
30771 diff -urNp linux-3.0.9/drivers/misc/sgi-xp/xp.h linux-3.0.9/drivers/misc/sgi-xp/xp.h
30772 --- linux-3.0.9/drivers/misc/sgi-xp/xp.h        2011-11-11 13:12:24.000000000 -0500
30773 +++ linux-3.0.9/drivers/misc/sgi-xp/xp.h        2011-11-15 20:02:59.000000000 -0500
30774 @@ -289,7 +289,7 @@ struct xpc_interface {
30775                                         xpc_notify_func, void *);
30776         void (*received) (short, int, void *);
30777         enum xp_retval (*partid_to_nasids) (short, void *);
30778 -};
30779 +} __no_const;
30780  
30781  extern struct xpc_interface xpc_interface;
30782  
30783 diff -urNp linux-3.0.9/drivers/mmc/host/sdhci-pci.c linux-3.0.9/drivers/mmc/host/sdhci-pci.c
30784 --- linux-3.0.9/drivers/mmc/host/sdhci-pci.c    2011-11-11 13:12:24.000000000 -0500
30785 +++ linux-3.0.9/drivers/mmc/host/sdhci-pci.c    2011-11-15 20:02:59.000000000 -0500
30786 @@ -524,7 +524,7 @@ static const struct sdhci_pci_fixes sdhc
30787         .probe          = via_probe,
30788  };
30789  
30790 -static const struct pci_device_id pci_ids[] __devinitdata = {
30791 +static const struct pci_device_id pci_ids[] __devinitconst = {
30792         {
30793                 .vendor         = PCI_VENDOR_ID_RICOH,
30794                 .device         = PCI_DEVICE_ID_RICOH_R5C822,
30795 diff -urNp linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0001.c linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0001.c
30796 --- linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0001.c     2011-11-11 13:12:24.000000000 -0500
30797 +++ linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0001.c     2011-11-15 20:02:59.000000000 -0500
30798 @@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
30799         struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
30800         unsigned long timeo = jiffies + HZ;
30801  
30802 +       pax_track_stack();
30803 +
30804         /* Prevent setting state FL_SYNCING for chip in suspended state. */
30805         if (mode == FL_SYNCING && chip->oldstate != FL_READY)
30806                 goto sleep;
30807 @@ -1653,6 +1655,8 @@ static int __xipram do_write_buffer(stru
30808         unsigned long initial_adr;
30809         int initial_len = len;
30810  
30811 +       pax_track_stack();
30812 +
30813         wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
30814         adr += chip->start;
30815         initial_adr = adr;
30816 @@ -1871,6 +1875,8 @@ static int __xipram do_erase_oneblock(st
30817         int retries = 3;
30818         int ret;
30819  
30820 +       pax_track_stack();
30821 +
30822         adr += chip->start;
30823  
30824   retry:
30825 diff -urNp linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0020.c linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0020.c
30826 --- linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0020.c     2011-11-11 13:12:24.000000000 -0500
30827 +++ linux-3.0.9/drivers/mtd/chips/cfi_cmdset_0020.c     2011-11-15 20:02:59.000000000 -0500
30828 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
30829         unsigned long cmd_addr;
30830         struct cfi_private *cfi = map->fldrv_priv;
30831  
30832 +       pax_track_stack();
30833 +
30834         adr += chip->start;
30835  
30836         /* Ensure cmd read/writes are aligned. */
30837 @@ -429,6 +431,8 @@ static inline int do_write_buffer(struct
30838         DECLARE_WAITQUEUE(wait, current);
30839         int wbufsize, z;
30840  
30841 +       pax_track_stack();
30842 +
30843          /* M58LW064A requires bus alignment for buffer wriets -- saw */
30844          if (adr & (map_bankwidth(map)-1))
30845              return -EINVAL;
30846 @@ -743,6 +747,8 @@ static inline int do_erase_oneblock(stru
30847         DECLARE_WAITQUEUE(wait, current);
30848         int ret = 0;
30849  
30850 +       pax_track_stack();
30851 +
30852         adr += chip->start;
30853  
30854         /* Let's determine this according to the interleave only once */
30855 @@ -1048,6 +1054,8 @@ static inline int do_lock_oneblock(struc
30856         unsigned long timeo = jiffies + HZ;
30857         DECLARE_WAITQUEUE(wait, current);
30858  
30859 +       pax_track_stack();
30860 +
30861         adr += chip->start;
30862  
30863         /* Let's determine this according to the interleave only once */
30864 @@ -1197,6 +1205,8 @@ static inline int do_unlock_oneblock(str
30865         unsigned long timeo = jiffies + HZ;
30866         DECLARE_WAITQUEUE(wait, current);
30867  
30868 +       pax_track_stack();
30869 +
30870         adr += chip->start;
30871  
30872         /* Let's determine this according to the interleave only once */
30873 diff -urNp linux-3.0.9/drivers/mtd/devices/doc2000.c linux-3.0.9/drivers/mtd/devices/doc2000.c
30874 --- linux-3.0.9/drivers/mtd/devices/doc2000.c   2011-11-11 13:12:24.000000000 -0500
30875 +++ linux-3.0.9/drivers/mtd/devices/doc2000.c   2011-11-15 20:02:59.000000000 -0500
30876 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
30877  
30878                 /* The ECC will not be calculated correctly if less than 512 is written */
30879  /* DBB-
30880 -               if (len != 0x200 && eccbuf)
30881 +               if (len != 0x200)
30882                         printk(KERN_WARNING
30883                                "ECC needs a full sector write (adr: %lx size %lx)\n",
30884                                (long) to, (long) len);
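Review bot: The only changed line in this hunk, `if (len != 0x200)`, appears to sit inside the `/* DBB-` comment opened two lines above it, so the edit rewrites commented-out code and has no effect on the compiled driver. Either drop the hunk, or if the intent is to remove the stale reference to `eccbuf`, delete the dead commented block instead of editing it and leave a short note on why the partial-sector warning was disabled. doc_write's body continues outside the hunk, so whether `eccbuf` is still a live identifier elsewhere in the function cannot be judged from here.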
30885 diff -urNp linux-3.0.9/drivers/mtd/devices/doc2001.c linux-3.0.9/drivers/mtd/devices/doc2001.c
30886 --- linux-3.0.9/drivers/mtd/devices/doc2001.c   2011-11-11 13:12:24.000000000 -0500
30887 +++ linux-3.0.9/drivers/mtd/devices/doc2001.c   2011-11-15 20:02:59.000000000 -0500
30888 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
30889         struct Nand *mychip = &this->chips[from >> (this->chipshift)];
30890  
30891         /* Don't allow read past end of device */
30892 -       if (from >= this->totlen)
30893 +       if (from >= this->totlen || !len)
30894                 return -EINVAL;
30895  
30896         /* Don't allow a single read to cross a 512-byte block boundary */
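Review bot: The added `|| !len` turns a zero-length read into a hard `-EINVAL`, which differs from the usual MTD convention of treating len == 0 as a successful no-op with the returned length set to 0; a caller that probes with an empty read or loops until a length is exhausted would now see an error. If the purpose is only to keep the later block-boundary and ECC arithmetic away from a zero length, an early success is the safer shape: `if (!len) { *retlen = 0; return 0; }` ahead of the bounds check, with a comment saying why (the `*retlen` parameter is presumed from the truncated signature). doc_read's body continues outside this hunk, so confirm no later path relies on len being non-zero before choosing either form.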
30897 diff -urNp linux-3.0.9/drivers/mtd/ftl.c linux-3.0.9/drivers/mtd/ftl.c
30898 --- linux-3.0.9/drivers/mtd/ftl.c       2011-11-11 13:12:24.000000000 -0500
30899 +++ linux-3.0.9/drivers/mtd/ftl.c       2011-11-15 20:02:59.000000000 -0500
30900 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
30901      loff_t offset;
30902      uint16_t srcunitswap = cpu_to_le16(srcunit);
30903  
30904 +    pax_track_stack();
30905 +
30906      eun = &part->EUNInfo[srcunit];
30907      xfer = &part->XferInfo[xferunit];
30908      DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
30909 diff -urNp linux-3.0.9/drivers/mtd/inftlcore.c linux-3.0.9/drivers/mtd/inftlcore.c
30910 --- linux-3.0.9/drivers/mtd/inftlcore.c 2011-11-11 13:12:24.000000000 -0500
30911 +++ linux-3.0.9/drivers/mtd/inftlcore.c 2011-11-15 20:02:59.000000000 -0500
30912 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
30913         struct inftl_oob oob;
30914         size_t retlen;
30915  
30916 +       pax_track_stack();
30917 +
30918         DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
30919                 "pending=%d)\n", inftl, thisVUC, pendingblock);
30920  
30921 diff -urNp linux-3.0.9/drivers/mtd/inftlmount.c linux-3.0.9/drivers/mtd/inftlmount.c
30922 --- linux-3.0.9/drivers/mtd/inftlmount.c        2011-11-11 13:12:24.000000000 -0500
30923 +++ linux-3.0.9/drivers/mtd/inftlmount.c        2011-11-15 20:02:59.000000000 -0500
30924 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
30925         struct INFTLPartition *ip;
30926         size_t retlen;
30927  
30928 +       pax_track_stack();
30929 +
30930         DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
30931  
30932          /*
30933 diff -urNp linux-3.0.9/drivers/mtd/lpddr/qinfo_probe.c linux-3.0.9/drivers/mtd/lpddr/qinfo_probe.c
30934 --- linux-3.0.9/drivers/mtd/lpddr/qinfo_probe.c 2011-11-11 13:12:24.000000000 -0500
30935 +++ linux-3.0.9/drivers/mtd/lpddr/qinfo_probe.c 2011-11-15 20:02:59.000000000 -0500
30936 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
30937  {
30938         map_word pfow_val[4];
30939  
30940 +       pax_track_stack();
30941 +
30942         /* Check identification string */
30943         pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
30944         pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
30945 diff -urNp linux-3.0.9/drivers/mtd/mtdchar.c linux-3.0.9/drivers/mtd/mtdchar.c
30946 --- linux-3.0.9/drivers/mtd/mtdchar.c   2011-11-11 13:12:24.000000000 -0500
30947 +++ linux-3.0.9/drivers/mtd/mtdchar.c   2011-11-15 20:02:59.000000000 -0500
30948 @@ -554,6 +554,8 @@ static int mtd_ioctl(struct file *file, 
30949         u_long size;
30950         struct mtd_info_user info;
30951  
30952 +       pax_track_stack();
30953 +
30954         DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
30955  
30956         size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
30957 diff -urNp linux-3.0.9/drivers/mtd/nand/denali.c linux-3.0.9/drivers/mtd/nand/denali.c
30958 --- linux-3.0.9/drivers/mtd/nand/denali.c       2011-11-11 13:12:24.000000000 -0500
30959 +++ linux-3.0.9/drivers/mtd/nand/denali.c       2011-11-15 20:02:59.000000000 -0500
30960 @@ -26,6 +26,7 @@
30961  #include <linux/pci.h>
30962  #include <linux/mtd/mtd.h>
30963  #include <linux/module.h>
30964 +#include <linux/slab.h>
30965  
30966  #include "denali.h"
30967  
30968 diff -urNp linux-3.0.9/drivers/mtd/nftlcore.c linux-3.0.9/drivers/mtd/nftlcore.c
30969 --- linux-3.0.9/drivers/mtd/nftlcore.c  2011-11-11 13:12:24.000000000 -0500
30970 +++ linux-3.0.9/drivers/mtd/nftlcore.c  2011-11-15 20:02:59.000000000 -0500
30971 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
30972         int inplace = 1;
30973         size_t retlen;
30974  
30975 +       pax_track_stack();
30976 +
30977         memset(BlockMap, 0xff, sizeof(BlockMap));
30978         memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
30979  
30980 diff -urNp linux-3.0.9/drivers/mtd/nftlmount.c linux-3.0.9/drivers/mtd/nftlmount.c
30981 --- linux-3.0.9/drivers/mtd/nftlmount.c 2011-11-11 13:12:24.000000000 -0500
30982 +++ linux-3.0.9/drivers/mtd/nftlmount.c 2011-11-15 20:02:59.000000000 -0500
30983 @@ -24,6 +24,7 @@
30984  #include <asm/errno.h>
30985  #include <linux/delay.h>
30986  #include <linux/slab.h>
30987 +#include <linux/sched.h>
30988  #include <linux/mtd/mtd.h>
30989  #include <linux/mtd/nand.h>
30990  #include <linux/mtd/nftl.h>
30991 @@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
30992         struct mtd_info *mtd = nftl->mbd.mtd;
30993         unsigned int i;
30994  
30995 +       pax_track_stack();
30996 +
30997          /* Assume logical EraseSize == physical erasesize for starting the scan.
30998            We'll sort it out later if we find a MediaHeader which says otherwise */
30999         /* Actually, we won't.  The new DiskOnChip driver has already scanned
31000 diff -urNp linux-3.0.9/drivers/mtd/ubi/build.c linux-3.0.9/drivers/mtd/ubi/build.c
31001 --- linux-3.0.9/drivers/mtd/ubi/build.c 2011-11-11 13:12:24.000000000 -0500
31002 +++ linux-3.0.9/drivers/mtd/ubi/build.c 2011-11-15 20:02:59.000000000 -0500
31003 @@ -1287,7 +1287,7 @@ module_exit(ubi_exit);
31004  static int __init bytes_str_to_int(const char *str)
31005  {
31006         char *endp;
31007 -       unsigned long result;
31008 +       unsigned long result, scale = 1;
31009  
31010         result = simple_strtoul(str, &endp, 0);
31011         if (str == endp || result >= INT_MAX) {
31012 @@ -1298,11 +1298,11 @@ static int __init bytes_str_to_int(const
31013  
31014         switch (*endp) {
31015         case 'G':
31016 -               result *= 1024;
31017 +               scale *= 1024;
31018         case 'M':
31019 -               result *= 1024;
31020 +               scale *= 1024;
31021         case 'K':
31022 -               result *= 1024;
31023 +               scale *= 1024;
31024                 if (endp[1] == 'i' && endp[2] == 'B')
31025                         endp += 2;
31026         case '\0':
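Review bot: The three rewritten `scale *= 1024;` lines depend on `case 'G'` falling through to `'M'` and then `'K'` to build the multiplier, and none of the cases carries a fall-through annotation, so the intent is invisible and static checkers will flag it; since these lines are being touched anyway, add `/* fall through */` after each `scale *= 1024;` and after the `endp += 2` adjustment before `case '\0'`. Accumulating into `scale` instead of `result` is what defers the multiplication to a single checked product at the end of the function, which is the reason for the change and deserves a short comment at the `scale` declaration. bytes_str_to_int begins and ends outside this hunk.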
31027 @@ -1313,7 +1313,13 @@ static int __init bytes_str_to_int(const
31028                 return -EINVAL;
31029         }
31030  
31031 -       return result;
31032 +       if ((intoverflow_t)result*scale >= INT_MAX) {
31033 +               printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
31034 +                      str);
31035 +               return -EINVAL;
31036 +       }
31037 +
31038 +       return result*scale;
31039  }
31040  
31041  /**
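Review bot: The `(intoverflow_t)result*scale >= INT_MAX` guard only works because `intoverflow_t` is presumably wider than `unsigned long` on 32-bit targets — `result` can be up to INT_MAX-1 after the earlier check and `scale` up to 2^30, so the plain unsigned long product would wrap there — and that cast is the whole point of the line, so it warrants a comment such as `/* widen first: on 32-bit the unsigned long product can wrap before the compare */`. Likewise `return result*scale;` narrows an unsigned long to the int return type; it is well-defined only because the preceding check keeps the value below INT_MAX, which a second one-line comment could state. The function's head is outside this hunk.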
31042 diff -urNp linux-3.0.9/drivers/net/atlx/atl2.c linux-3.0.9/drivers/net/atlx/atl2.c
31043 --- linux-3.0.9/drivers/net/atlx/atl2.c 2011-11-11 13:12:24.000000000 -0500
31044 +++ linux-3.0.9/drivers/net/atlx/atl2.c 2011-11-15 20:02:59.000000000 -0500
31045 @@ -2840,7 +2840,7 @@ static void atl2_force_ps(struct atl2_hw
31046   */
31047  
31048  #define ATL2_PARAM(X, desc) \
31049 -    static const int __devinitdata X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
31050 +    static const int __devinitconst X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
31051      MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
31052      MODULE_PARM_DESC(X, desc);
31053  #else
31054 diff -urNp linux-3.0.9/drivers/net/bna/bfa_ioc_ct.c linux-3.0.9/drivers/net/bna/bfa_ioc_ct.c
31055 --- linux-3.0.9/drivers/net/bna/bfa_ioc_ct.c    2011-11-11 13:12:24.000000000 -0500
31056 +++ linux-3.0.9/drivers/net/bna/bfa_ioc_ct.c    2011-11-15 20:02:59.000000000 -0500
31057 @@ -48,7 +48,21 @@ static void bfa_ioc_ct_sync_ack(struct b
31058  static bool bfa_ioc_ct_sync_complete(struct bfa_ioc *ioc);
31059  static enum bfa_status bfa_ioc_ct_pll_init(void __iomem *rb, bool fcmode);
31060  
31061 -static struct bfa_ioc_hwif nw_hwif_ct;
31062 +static struct bfa_ioc_hwif nw_hwif_ct = {
31063 +       .ioc_pll_init = bfa_ioc_ct_pll_init,
31064 +       .ioc_firmware_lock = bfa_ioc_ct_firmware_lock,
31065 +       .ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock,
31066 +       .ioc_reg_init = bfa_ioc_ct_reg_init,
31067 +       .ioc_map_port = bfa_ioc_ct_map_port,
31068 +       .ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set,
31069 +       .ioc_notify_fail = bfa_ioc_ct_notify_fail,
31070 +       .ioc_ownership_reset = bfa_ioc_ct_ownership_reset,
31071 +       .ioc_sync_start = bfa_ioc_ct_sync_start,
31072 +       .ioc_sync_join = bfa_ioc_ct_sync_join,
31073 +       .ioc_sync_leave = bfa_ioc_ct_sync_leave,
31074 +       .ioc_sync_ack = bfa_ioc_ct_sync_ack,
31075 +       .ioc_sync_complete = bfa_ioc_ct_sync_complete
31076 +};
31077  
31078  /**
31079   * Called from bfa_ioc_attach() to map asic specific calls.
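Review bot: With the runtime assignments removed in the following hunk (`@@ -56,20 +70,6 @@`), `nw_hwif_ct` is never written after its initializer, so it can be declared `static const struct bfa_ioc_hwif nw_hwif_ct = {` and placed in read-only memory, which is the point of turning the field-by-field setup into a designated initializer; that requires `ioc->ioc_hwif` to be a pointer-to-const, and its declaration is not in this view. Even if the constify plugin would already treat an all-function-pointer struct as const, the explicit qualifier states the intent and survives on builds without the plugin.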
31080 @@ -56,20 +70,6 @@ static struct bfa_ioc_hwif nw_hwif_ct;
31081  void
31082  bfa_nw_ioc_set_ct_hwif(struct bfa_ioc *ioc)
31083  {
31084 -       nw_hwif_ct.ioc_pll_init = bfa_ioc_ct_pll_init;
31085 -       nw_hwif_ct.ioc_firmware_lock = bfa_ioc_ct_firmware_lock;
31086 -       nw_hwif_ct.ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock;
31087 -       nw_hwif_ct.ioc_reg_init = bfa_ioc_ct_reg_init;
31088 -       nw_hwif_ct.ioc_map_port = bfa_ioc_ct_map_port;
31089 -       nw_hwif_ct.ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set;
31090 -       nw_hwif_ct.ioc_notify_fail = bfa_ioc_ct_notify_fail;
31091 -       nw_hwif_ct.ioc_ownership_reset = bfa_ioc_ct_ownership_reset;
31092 -       nw_hwif_ct.ioc_sync_start = bfa_ioc_ct_sync_start;
31093 -       nw_hwif_ct.ioc_sync_join = bfa_ioc_ct_sync_join;
31094 -       nw_hwif_ct.ioc_sync_leave = bfa_ioc_ct_sync_leave;
31095 -       nw_hwif_ct.ioc_sync_ack = bfa_ioc_ct_sync_ack;
31096 -       nw_hwif_ct.ioc_sync_complete = bfa_ioc_ct_sync_complete;
31097 -
31098         ioc->ioc_hwif = &nw_hwif_ct;
31099  }
31100  
31101 diff -urNp linux-3.0.9/drivers/net/bna/bnad.c linux-3.0.9/drivers/net/bna/bnad.c
31102 --- linux-3.0.9/drivers/net/bna/bnad.c  2011-11-11 13:12:24.000000000 -0500
31103 +++ linux-3.0.9/drivers/net/bna/bnad.c  2011-11-15 20:02:59.000000000 -0500
31104 @@ -1681,7 +1681,14 @@ bnad_setup_tx(struct bnad *bnad, uint tx
31105         struct bna_intr_info *intr_info =
31106                         &res_info[BNA_TX_RES_INTR_T_TXCMPL].res_u.intr_info;
31107         struct bna_tx_config *tx_config = &bnad->tx_config[tx_id];
31108 -       struct bna_tx_event_cbfn tx_cbfn;
31109 +       static struct bna_tx_event_cbfn tx_cbfn = {
31110 +               /* Initialize the tx event handlers */
31111 +               .tcb_setup_cbfn = bnad_cb_tcb_setup,
31112 +               .tcb_destroy_cbfn = bnad_cb_tcb_destroy,
31113 +               .tx_stall_cbfn = bnad_cb_tx_stall,
31114 +               .tx_resume_cbfn = bnad_cb_tx_resume,
31115 +               .tx_cleanup_cbfn = bnad_cb_tx_cleanup
31116 +       };
31117         struct bna_tx *tx;
31118         unsigned long flags;
31119  
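Review bot: Turning `tx_cbfn` into a function-local `static` means one instance is now shared by every call of bnad_setup_tx, so it is only safe if whatever the table is handed to (outside the hunk) treats it as read-only; declaring it `static const struct bna_tx_event_cbfn tx_cbfn = {` would have the compiler enforce that, provided the callee's parameter is const-qualified. The same applies to `rx_cbfn` in bnad_setup_rx in the `@@ -1827,21 +1827,21 @@` hunk. Both enclosing functions start before their hunks.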
31120 @@ -1690,13 +1697,6 @@ bnad_setup_tx(struct bnad *bnad, uint tx
31121         tx_config->txq_depth = bnad->txq_depth;
31122         tx_config->tx_type = BNA_TX_T_REGULAR;
31123  
31124 -       /* Initialize the tx event handlers */
31125 -       tx_cbfn.tcb_setup_cbfn = bnad_cb_tcb_setup;
31126 -       tx_cbfn.tcb_destroy_cbfn = bnad_cb_tcb_destroy;
31127 -       tx_cbfn.tx_stall_cbfn = bnad_cb_tx_stall;
31128 -       tx_cbfn.tx_resume_cbfn = bnad_cb_tx_resume;
31129 -       tx_cbfn.tx_cleanup_cbfn = bnad_cb_tx_cleanup;
31130 -
31131         /* Get BNA's resource requirement for one tx object */
31132         spin_lock_irqsave(&bnad->bna_lock, flags);
31133         bna_tx_res_req(bnad->num_txq_per_tx,
31134 @@ -1827,21 +1827,21 @@ bnad_setup_rx(struct bnad *bnad, uint rx
31135         struct bna_intr_info *intr_info =
31136                         &res_info[BNA_RX_RES_T_INTR].res_u.intr_info;
31137         struct bna_rx_config *rx_config = &bnad->rx_config[rx_id];
31138 -       struct bna_rx_event_cbfn rx_cbfn;
31139 +       static struct bna_rx_event_cbfn rx_cbfn = {
31140 +               /* Initialize the Rx event handlers */
31141 +               .rcb_setup_cbfn = bnad_cb_rcb_setup,
31142 +               .rcb_destroy_cbfn = bnad_cb_rcb_destroy,
31143 +               .ccb_setup_cbfn = bnad_cb_ccb_setup,
31144 +               .ccb_destroy_cbfn = bnad_cb_ccb_destroy,
31145 +               .rx_cleanup_cbfn = bnad_cb_rx_cleanup,
31146 +               .rx_post_cbfn = bnad_cb_rx_post
31147 +       };
31148         struct bna_rx *rx;
31149         unsigned long flags;
31150  
31151         /* Initialize the Rx object configuration */
31152         bnad_init_rx_config(bnad, rx_config);
31153  
31154 -       /* Initialize the Rx event handlers */
31155 -       rx_cbfn.rcb_setup_cbfn = bnad_cb_rcb_setup;
31156 -       rx_cbfn.rcb_destroy_cbfn = bnad_cb_rcb_destroy;
31157 -       rx_cbfn.ccb_setup_cbfn = bnad_cb_ccb_setup;
31158 -       rx_cbfn.ccb_destroy_cbfn = bnad_cb_ccb_destroy;
31159 -       rx_cbfn.rx_cleanup_cbfn = bnad_cb_rx_cleanup;
31160 -       rx_cbfn.rx_post_cbfn = bnad_cb_rx_post;
31161 -
31162         /* Get BNA's resource requirement for one Rx object */
31163         spin_lock_irqsave(&bnad->bna_lock, flags);
31164         bna_rx_res_req(rx_config, res_info);
31165 diff -urNp linux-3.0.9/drivers/net/bnx2.c linux-3.0.9/drivers/net/bnx2.c
31166 --- linux-3.0.9/drivers/net/bnx2.c      2011-11-11 13:12:24.000000000 -0500
31167 +++ linux-3.0.9/drivers/net/bnx2.c      2011-11-15 20:02:59.000000000 -0500
31168 @@ -5831,6 +5831,8 @@ bnx2_test_nvram(struct bnx2 *bp)
31169         int rc = 0;
31170         u32 magic, csum;
31171  
31172 +       pax_track_stack();
31173 +
31174         if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
31175                 goto test_nvram_done;
31176  
31177 diff -urNp linux-3.0.9/drivers/net/bnx2x/bnx2x_ethtool.c linux-3.0.9/drivers/net/bnx2x/bnx2x_ethtool.c
31178 --- linux-3.0.9/drivers/net/bnx2x/bnx2x_ethtool.c       2011-11-11 13:12:24.000000000 -0500
31179 +++ linux-3.0.9/drivers/net/bnx2x/bnx2x_ethtool.c       2011-11-15 20:02:59.000000000 -0500
31180 @@ -1705,6 +1705,8 @@ static int bnx2x_test_nvram(struct bnx2x
31181         int i, rc;
31182         u32 magic, crc;
31183  
31184 +       pax_track_stack();
31185 +
31186         if (BP_NOMCP(bp))
31187                 return 0;
31188  
31189 diff -urNp linux-3.0.9/drivers/net/can/mscan/mscan.c linux-3.0.9/drivers/net/can/mscan/mscan.c
31190 --- linux-3.0.9/drivers/net/can/mscan/mscan.c   2011-11-11 13:12:24.000000000 -0500
31191 +++ linux-3.0.9/drivers/net/can/mscan/mscan.c   2011-11-15 20:02:59.000000000 -0500
31192 @@ -261,11 +261,13 @@ static netdev_tx_t mscan_start_xmit(stru
31193                 void __iomem *data = &regs->tx.dsr1_0;
31194                 u16 *payload = (u16 *)frame->data;
31195  
31196 -               /* It is safe to write into dsr[dlc+1] */
31197 -               for (i = 0; i < (frame->can_dlc + 1) / 2; i++) {
31198 +               for (i = 0; i < frame->can_dlc / 2; i++) {
31199                         out_be16(data, *payload++);
31200                         data += 2 + _MSCAN_RESERVED_DSR_SIZE;
31201                 }
31202 +               /* write remaining byte if necessary */
31203 +               if (frame->can_dlc & 1)
31204 +                       out_8(data, frame->data[frame->can_dlc - 1]);
31205         }
31206  
31207         out_8(&regs->tx.dlr, frame->can_dlc);
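Review bot: The trailing-byte store `out_8(data, frame->data[frame->can_dlc - 1])`, and the matching load in the rx hunk (`@@ -330,10 +332,13 @@`), index `frame->data` with `can_dlc - 1`, which is only in bounds if `can_dlc` is at most the size of `can_frame.data` (8) at this point; on the transmit side that is the caller's frame, on the receive side it is a length read from the controller earlier in mscan_get_rx_frame, outside this view. If the rx path does not already mask or clamp the hardware-supplied length (for example via `get_can_dlc()`), the odd-byte read becomes a write past the end of the frame in the skb. A comment at the loop, `/* can_dlc <= 8 is guaranteed by the caller / DLR masking above */`, would document the invariant both loops rely on. Both enclosing functions start before their hunks.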
31208 @@ -330,10 +332,13 @@ static void mscan_get_rx_frame(struct ne
31209                 void __iomem *data = &regs->rx.dsr1_0;
31210                 u16 *payload = (u16 *)frame->data;
31211  
31212 -               for (i = 0; i < (frame->can_dlc + 1) / 2; i++) {
31213 +               for (i = 0; i < frame->can_dlc / 2; i++) {
31214                         *payload++ = in_be16(data);
31215                         data += 2 + _MSCAN_RESERVED_DSR_SIZE;
31216                 }
31217 +               /* read remaining byte if necessary */
31218 +               if (frame->can_dlc & 1)
31219 +                       frame->data[frame->can_dlc - 1] = in_8(data);
31220         }
31221  
31222         out_8(&regs->canrflg, MSCAN_RXF);
31223 diff -urNp linux-3.0.9/drivers/net/cxgb3/l2t.h linux-3.0.9/drivers/net/cxgb3/l2t.h
31224 --- linux-3.0.9/drivers/net/cxgb3/l2t.h 2011-11-11 13:12:24.000000000 -0500
31225 +++ linux-3.0.9/drivers/net/cxgb3/l2t.h 2011-11-15 20:02:59.000000000 -0500
31226 @@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)
31227   */
31228  struct l2t_skb_cb {
31229         arp_failure_handler_func arp_failure_handler;
31230 -};
31231 +} __no_const;
31232  
31233  #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
31234  
31235 diff -urNp linux-3.0.9/drivers/net/cxgb4/cxgb4_main.c linux-3.0.9/drivers/net/cxgb4/cxgb4_main.c
31236 --- linux-3.0.9/drivers/net/cxgb4/cxgb4_main.c  2011-11-11 13:12:24.000000000 -0500
31237 +++ linux-3.0.9/drivers/net/cxgb4/cxgb4_main.c  2011-11-15 20:02:59.000000000 -0500
31238 @@ -3396,6 +3396,8 @@ static int __devinit enable_msix(struct 
31239         unsigned int nchan = adap->params.nports;
31240         struct msix_entry entries[MAX_INGQ + 1];
31241  
31242 +       pax_track_stack();
31243 +
31244         for (i = 0; i < ARRAY_SIZE(entries); ++i)
31245                 entries[i].entry = i;
31246  
31247 diff -urNp linux-3.0.9/drivers/net/cxgb4/t4_hw.c linux-3.0.9/drivers/net/cxgb4/t4_hw.c
31248 --- linux-3.0.9/drivers/net/cxgb4/t4_hw.c       2011-11-11 13:12:24.000000000 -0500
31249 +++ linux-3.0.9/drivers/net/cxgb4/t4_hw.c       2011-11-15 20:02:59.000000000 -0500
31250 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
31251         u8 vpd[VPD_LEN], csum;
31252         unsigned int vpdr_len, kw_offset, id_len;
31253  
31254 +       pax_track_stack();
31255 +
31256         ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
31257         if (ret < 0)
31258                 return ret;
31259 diff -urNp linux-3.0.9/drivers/net/e1000e/82571.c linux-3.0.9/drivers/net/e1000e/82571.c
31260 --- linux-3.0.9/drivers/net/e1000e/82571.c      2011-11-11 13:12:24.000000000 -0500
31261 +++ linux-3.0.9/drivers/net/e1000e/82571.c      2011-11-15 20:02:59.000000000 -0500
31262 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
31263  {
31264         struct e1000_hw *hw = &adapter->hw;
31265         struct e1000_mac_info *mac = &hw->mac;
31266 -       struct e1000_mac_operations *func = &mac->ops;
31267 +       e1000_mac_operations_no_const *func = &mac->ops;
31268         u32 swsm = 0;
31269         u32 swsm2 = 0;
31270         bool force_clear_smbi = false;
31271 diff -urNp linux-3.0.9/drivers/net/e1000e/es2lan.c linux-3.0.9/drivers/net/e1000e/es2lan.c
31272 --- linux-3.0.9/drivers/net/e1000e/es2lan.c     2011-11-11 13:12:24.000000000 -0500
31273 +++ linux-3.0.9/drivers/net/e1000e/es2lan.c     2011-11-15 20:02:59.000000000 -0500
31274 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
31275  {
31276         struct e1000_hw *hw = &adapter->hw;
31277         struct e1000_mac_info *mac = &hw->mac;
31278 -       struct e1000_mac_operations *func = &mac->ops;
31279 +       e1000_mac_operations_no_const *func = &mac->ops;
31280  
31281         /* Set media type */
31282         switch (adapter->pdev->device) {
31283 diff -urNp linux-3.0.9/drivers/net/e1000e/hw.h linux-3.0.9/drivers/net/e1000e/hw.h
31284 --- linux-3.0.9/drivers/net/e1000e/hw.h 2011-11-11 13:12:24.000000000 -0500
31285 +++ linux-3.0.9/drivers/net/e1000e/hw.h 2011-11-15 20:02:59.000000000 -0500
31286 @@ -776,6 +776,7 @@ struct e1000_mac_operations {
31287         void (*write_vfta)(struct e1000_hw *, u32, u32);
31288         s32  (*read_mac_addr)(struct e1000_hw *);
31289  };
31290 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31291  
31292  /* Function pointers for the PHY. */
31293  struct e1000_phy_operations {
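Review bot: The line `typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;` carries no comment saying why this ops table is exempted from constification while other function-pointer structs are made read-only; the reason, that the table is filled in at runtime (see the `func = &mac->ops` assignments in the 82571.c and es2lan.c hunks above), belongs next to the typedef, e.g. `/* populated at runtime by e1000_init_mac_params_*(); must stay writable */`. The same undocumented pattern recurs for the phy and nvm typedefs in this file and in igb/e1000_hw.h, igbvf/vf.h, ixgbe/ixgbe_type.h and ixgbevf/vf.h below.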
31294 @@ -799,6 +800,7 @@ struct e1000_phy_operations {
31295         void (*power_up)(struct e1000_hw *);
31296         void (*power_down)(struct e1000_hw *);
31297  };
31298 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
31299  
31300  /* Function pointers for the NVM. */
31301  struct e1000_nvm_operations {
31302 @@ -810,9 +812,10 @@ struct e1000_nvm_operations {
31303         s32  (*validate)(struct e1000_hw *);
31304         s32  (*write)(struct e1000_hw *, u16, u16, u16 *);
31305  };
31306 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
31307  
31308  struct e1000_mac_info {
31309 -       struct e1000_mac_operations ops;
31310 +       e1000_mac_operations_no_const ops;
31311         u8 addr[ETH_ALEN];
31312         u8 perm_addr[ETH_ALEN];
31313  
31314 @@ -853,7 +856,7 @@ struct e1000_mac_info {
31315  };
31316  
31317  struct e1000_phy_info {
31318 -       struct e1000_phy_operations ops;
31319 +       e1000_phy_operations_no_const ops;
31320  
31321         enum e1000_phy_type type;
31322  
31323 @@ -887,7 +890,7 @@ struct e1000_phy_info {
31324  };
31325  
31326  struct e1000_nvm_info {
31327 -       struct e1000_nvm_operations ops;
31328 +       e1000_nvm_operations_no_const ops;
31329  
31330         enum e1000_nvm_type type;
31331         enum e1000_nvm_override override;
31332 diff -urNp linux-3.0.9/drivers/net/fealnx.c linux-3.0.9/drivers/net/fealnx.c
31333 --- linux-3.0.9/drivers/net/fealnx.c    2011-11-11 13:12:24.000000000 -0500
31334 +++ linux-3.0.9/drivers/net/fealnx.c    2011-11-15 20:02:59.000000000 -0500
31335 @@ -150,7 +150,7 @@ struct chip_info {
31336         int flags;
31337  };
31338  
31339 -static const struct chip_info skel_netdrv_tbl[] __devinitdata = {
31340 +static const struct chip_info skel_netdrv_tbl[] __devinitconst = {
31341         { "100/10M Ethernet PCI Adapter",       HAS_MII_XCVR },
31342         { "100/10M Ethernet PCI Adapter",       HAS_CHIP_XCVR },
31343         { "1000/100/10M Ethernet PCI Adapter",  HAS_MII_XCVR },
31344 diff -urNp linux-3.0.9/drivers/net/hamradio/6pack.c linux-3.0.9/drivers/net/hamradio/6pack.c
31345 --- linux-3.0.9/drivers/net/hamradio/6pack.c    2011-11-11 13:12:24.000000000 -0500
31346 +++ linux-3.0.9/drivers/net/hamradio/6pack.c    2011-11-15 20:02:59.000000000 -0500
31347 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
31348         unsigned char buf[512];
31349         int count1;
31350  
31351 +       pax_track_stack();
31352 +
31353         if (!count)
31354                 return;
31355  
31356 diff -urNp linux-3.0.9/drivers/net/igb/e1000_hw.h linux-3.0.9/drivers/net/igb/e1000_hw.h
31357 --- linux-3.0.9/drivers/net/igb/e1000_hw.h      2011-11-11 13:12:24.000000000 -0500
31358 +++ linux-3.0.9/drivers/net/igb/e1000_hw.h      2011-11-15 20:02:59.000000000 -0500
31359 @@ -314,6 +314,7 @@ struct e1000_mac_operations {
31360         s32  (*read_mac_addr)(struct e1000_hw *);
31361         s32  (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
31362  };
31363 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31364  
31365  struct e1000_phy_operations {
31366         s32  (*acquire)(struct e1000_hw *);
31367 @@ -330,6 +331,7 @@ struct e1000_phy_operations {
31368         s32  (*set_d3_lplu_state)(struct e1000_hw *, bool);
31369         s32  (*write_reg)(struct e1000_hw *, u32, u16);
31370  };
31371 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
31372  
31373  struct e1000_nvm_operations {
31374         s32  (*acquire)(struct e1000_hw *);
31375 @@ -339,6 +341,7 @@ struct e1000_nvm_operations {
31376         s32  (*update)(struct e1000_hw *);
31377         s32  (*validate)(struct e1000_hw *);
31378  };
31379 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
31380  
31381  struct e1000_info {
31382         s32 (*get_invariants)(struct e1000_hw *);
31383 @@ -350,7 +353,7 @@ struct e1000_info {
31384  extern const struct e1000_info e1000_82575_info;
31385  
31386  struct e1000_mac_info {
31387 -       struct e1000_mac_operations ops;
31388 +       e1000_mac_operations_no_const ops;
31389  
31390         u8 addr[6];
31391         u8 perm_addr[6];
31392 @@ -388,7 +391,7 @@ struct e1000_mac_info {
31393  };
31394  
31395  struct e1000_phy_info {
31396 -       struct e1000_phy_operations ops;
31397 +       e1000_phy_operations_no_const ops;
31398  
31399         enum e1000_phy_type type;
31400  
31401 @@ -423,7 +426,7 @@ struct e1000_phy_info {
31402  };
31403  
31404  struct e1000_nvm_info {
31405 -       struct e1000_nvm_operations ops;
31406 +       e1000_nvm_operations_no_const ops;
31407         enum e1000_nvm_type type;
31408         enum e1000_nvm_override override;
31409  
31410 @@ -468,6 +471,7 @@ struct e1000_mbx_operations {
31411         s32 (*check_for_ack)(struct e1000_hw *, u16);
31412         s32 (*check_for_rst)(struct e1000_hw *, u16);
31413  };
31414 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31415  
31416  struct e1000_mbx_stats {
31417         u32 msgs_tx;
31418 @@ -479,7 +483,7 @@ struct e1000_mbx_stats {
31419  };
31420  
31421  struct e1000_mbx_info {
31422 -       struct e1000_mbx_operations ops;
31423 +       e1000_mbx_operations_no_const ops;
31424         struct e1000_mbx_stats stats;
31425         u32 timeout;
31426         u32 usec_delay;
31427 diff -urNp linux-3.0.9/drivers/net/igbvf/vf.h linux-3.0.9/drivers/net/igbvf/vf.h
31428 --- linux-3.0.9/drivers/net/igbvf/vf.h  2011-11-11 13:12:24.000000000 -0500
31429 +++ linux-3.0.9/drivers/net/igbvf/vf.h  2011-11-15 20:02:59.000000000 -0500
31430 @@ -189,9 +189,10 @@ struct e1000_mac_operations {
31431         s32  (*read_mac_addr)(struct e1000_hw *);
31432         s32  (*set_vfta)(struct e1000_hw *, u16, bool);
31433  };
31434 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31435  
31436  struct e1000_mac_info {
31437 -       struct e1000_mac_operations ops;
31438 +       e1000_mac_operations_no_const ops;
31439         u8 addr[6];
31440         u8 perm_addr[6];
31441  
31442 @@ -213,6 +214,7 @@ struct e1000_mbx_operations {
31443         s32 (*check_for_ack)(struct e1000_hw *);
31444         s32 (*check_for_rst)(struct e1000_hw *);
31445  };
31446 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31447  
31448  struct e1000_mbx_stats {
31449         u32 msgs_tx;
31450 @@ -224,7 +226,7 @@ struct e1000_mbx_stats {
31451  };
31452  
31453  struct e1000_mbx_info {
31454 -       struct e1000_mbx_operations ops;
31455 +       e1000_mbx_operations_no_const ops;
31456         struct e1000_mbx_stats stats;
31457         u32 timeout;
31458         u32 usec_delay;
31459 diff -urNp linux-3.0.9/drivers/net/ixgb/ixgb_main.c linux-3.0.9/drivers/net/ixgb/ixgb_main.c
31460 --- linux-3.0.9/drivers/net/ixgb/ixgb_main.c    2011-11-11 13:12:24.000000000 -0500
31461 +++ linux-3.0.9/drivers/net/ixgb/ixgb_main.c    2011-11-15 20:02:59.000000000 -0500
31462 @@ -1070,6 +1070,8 @@ ixgb_set_multi(struct net_device *netdev
31463         u32 rctl;
31464         int i;
31465  
31466 +       pax_track_stack();
31467 +
31468         /* Check for Promiscuous and All Multicast modes */
31469  
31470         rctl = IXGB_READ_REG(hw, RCTL);
31471 diff -urNp linux-3.0.9/drivers/net/ixgb/ixgb_param.c linux-3.0.9/drivers/net/ixgb/ixgb_param.c
31472 --- linux-3.0.9/drivers/net/ixgb/ixgb_param.c   2011-11-11 13:12:24.000000000 -0500
31473 +++ linux-3.0.9/drivers/net/ixgb/ixgb_param.c   2011-11-15 20:02:59.000000000 -0500
31474 @@ -261,6 +261,9 @@ void __devinit
31475  ixgb_check_options(struct ixgb_adapter *adapter)
31476  {
31477         int bd = adapter->bd_number;
31478 +
31479 +       pax_track_stack();
31480 +
31481         if (bd >= IXGB_MAX_NIC) {
31482                 pr_notice("Warning: no configuration for board #%i\n", bd);
31483                 pr_notice("Using defaults for all values\n");
31484 diff -urNp linux-3.0.9/drivers/net/ixgbe/ixgbe_type.h linux-3.0.9/drivers/net/ixgbe/ixgbe_type.h
31485 --- linux-3.0.9/drivers/net/ixgbe/ixgbe_type.h  2011-11-11 13:12:24.000000000 -0500
31486 +++ linux-3.0.9/drivers/net/ixgbe/ixgbe_type.h  2011-11-15 20:02:59.000000000 -0500
31487 @@ -2584,6 +2584,7 @@ struct ixgbe_eeprom_operations {
31488         s32 (*update_checksum)(struct ixgbe_hw *);
31489         u16 (*calc_checksum)(struct ixgbe_hw *);
31490  };
31491 +typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
31492  
31493  struct ixgbe_mac_operations {
31494         s32 (*init_hw)(struct ixgbe_hw *);
31495 @@ -2639,6 +2640,7 @@ struct ixgbe_mac_operations {
31496         /* Flow Control */
31497         s32 (*fc_enable)(struct ixgbe_hw *, s32);
31498  };
31499 +typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31500  
31501  struct ixgbe_phy_operations {
31502         s32 (*identify)(struct ixgbe_hw *);
31503 @@ -2658,9 +2660,10 @@ struct ixgbe_phy_operations {
31504         s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
31505         s32 (*check_overtemp)(struct ixgbe_hw *);
31506  };
31507 +typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
31508  
31509  struct ixgbe_eeprom_info {
31510 -       struct ixgbe_eeprom_operations  ops;
31511 +       ixgbe_eeprom_operations_no_const ops;
31512         enum ixgbe_eeprom_type          type;
31513         u32                             semaphore_delay;
31514         u16                             word_size;
31515 @@ -2670,7 +2673,7 @@ struct ixgbe_eeprom_info {
31516  
31517  #define IXGBE_FLAGS_DOUBLE_RESET_REQUIRED      0x01
31518  struct ixgbe_mac_info {
31519 -       struct ixgbe_mac_operations     ops;
31520 +       ixgbe_mac_operations_no_const   ops;
31521         enum ixgbe_mac_type             type;
31522         u8                              addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31523         u8                              perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31524 @@ -2698,7 +2701,7 @@ struct ixgbe_mac_info {
31525  };
31526  
31527  struct ixgbe_phy_info {
31528 -       struct ixgbe_phy_operations     ops;
31529 +       ixgbe_phy_operations_no_const   ops;
31530         struct mdio_if_info             mdio;
31531         enum ixgbe_phy_type             type;
31532         u32                             id;
31533 @@ -2726,6 +2729,7 @@ struct ixgbe_mbx_operations {
31534         s32 (*check_for_ack)(struct ixgbe_hw *, u16);
31535         s32 (*check_for_rst)(struct ixgbe_hw *, u16);
31536  };
31537 +typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31538  
31539  struct ixgbe_mbx_stats {
31540         u32 msgs_tx;
31541 @@ -2737,7 +2741,7 @@ struct ixgbe_mbx_stats {
31542  };
31543  
31544  struct ixgbe_mbx_info {
31545 -       struct ixgbe_mbx_operations ops;
31546 +       ixgbe_mbx_operations_no_const ops;
31547         struct ixgbe_mbx_stats stats;
31548         u32 timeout;
31549         u32 usec_delay;
31550 diff -urNp linux-3.0.9/drivers/net/ixgbevf/vf.h linux-3.0.9/drivers/net/ixgbevf/vf.h
31551 --- linux-3.0.9/drivers/net/ixgbevf/vf.h        2011-11-11 13:12:24.000000000 -0500
31552 +++ linux-3.0.9/drivers/net/ixgbevf/vf.h        2011-11-15 20:02:59.000000000 -0500
31553 @@ -70,6 +70,7 @@ struct ixgbe_mac_operations {
31554         s32 (*clear_vfta)(struct ixgbe_hw *);
31555         s32 (*set_vfta)(struct ixgbe_hw *, u32, u32, bool);
31556  };
31557 +typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31558  
31559  enum ixgbe_mac_type {
31560         ixgbe_mac_unknown = 0,
31561 @@ -79,7 +80,7 @@ enum ixgbe_mac_type {
31562  };
31563  
31564  struct ixgbe_mac_info {
31565 -       struct ixgbe_mac_operations ops;
31566 +       ixgbe_mac_operations_no_const ops;
31567         u8 addr[6];
31568         u8 perm_addr[6];
31569  
31570 @@ -103,6 +104,7 @@ struct ixgbe_mbx_operations {
31571         s32 (*check_for_ack)(struct ixgbe_hw *);
31572         s32 (*check_for_rst)(struct ixgbe_hw *);
31573  };
31574 +typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31575  
31576  struct ixgbe_mbx_stats {
31577         u32 msgs_tx;
31578 @@ -114,7 +116,7 @@ struct ixgbe_mbx_stats {
31579  };
31580  
31581  struct ixgbe_mbx_info {
31582 -       struct ixgbe_mbx_operations ops;
31583 +       ixgbe_mbx_operations_no_const ops;
31584         struct ixgbe_mbx_stats stats;
31585         u32 timeout;
31586         u32 udelay;
31587 diff -urNp linux-3.0.9/drivers/net/ksz884x.c linux-3.0.9/drivers/net/ksz884x.c
31588 --- linux-3.0.9/drivers/net/ksz884x.c   2011-11-11 13:12:24.000000000 -0500
31589 +++ linux-3.0.9/drivers/net/ksz884x.c   2011-11-15 20:02:59.000000000 -0500
31590 @@ -6534,6 +6534,8 @@ static void netdev_get_ethtool_stats(str
31591         int rc;
31592         u64 counter[TOTAL_PORT_COUNTER_NUM];
31593  
31594 +       pax_track_stack();
31595 +
31596         mutex_lock(&hw_priv->lock);
31597         n = SWITCH_PORT_NUM;
31598         for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
31599 diff -urNp linux-3.0.9/drivers/net/mlx4/main.c linux-3.0.9/drivers/net/mlx4/main.c
31600 --- linux-3.0.9/drivers/net/mlx4/main.c 2011-11-11 13:12:24.000000000 -0500
31601 +++ linux-3.0.9/drivers/net/mlx4/main.c 2011-11-15 20:02:59.000000000 -0500
31602 @@ -40,6 +40,7 @@
31603  #include <linux/dma-mapping.h>
31604  #include <linux/slab.h>
31605  #include <linux/io-mapping.h>
31606 +#include <linux/sched.h>
31607  
31608  #include <linux/mlx4/device.h>
31609  #include <linux/mlx4/doorbell.h>
31610 @@ -764,6 +765,8 @@ static int mlx4_init_hca(struct mlx4_dev
31611         u64 icm_size;
31612         int err;
31613  
31614 +       pax_track_stack();
31615 +
31616         err = mlx4_QUERY_FW(dev);
31617         if (err) {
31618                 if (err == -EACCES)
31619 diff -urNp linux-3.0.9/drivers/net/niu.c linux-3.0.9/drivers/net/niu.c
31620 --- linux-3.0.9/drivers/net/niu.c       2011-11-11 13:12:24.000000000 -0500
31621 +++ linux-3.0.9/drivers/net/niu.c       2011-11-15 20:02:59.000000000 -0500
31622 @@ -9056,6 +9056,8 @@ static void __devinit niu_try_msix(struc
31623         int i, num_irqs, err;
31624         u8 first_ldg;
31625  
31626 +       pax_track_stack();
31627 +
31628         first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
31629         for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
31630                 ldg_num_map[i] = first_ldg + i;
31631 diff -urNp linux-3.0.9/drivers/net/pcnet32.c linux-3.0.9/drivers/net/pcnet32.c
31632 --- linux-3.0.9/drivers/net/pcnet32.c   2011-11-11 13:12:24.000000000 -0500
31633 +++ linux-3.0.9/drivers/net/pcnet32.c   2011-11-15 20:02:59.000000000 -0500
31634 @@ -82,7 +82,7 @@ static int cards_found;
31635  /*
31636   * VLB I/O addresses
31637   */
31638 -static unsigned int pcnet32_portlist[] __initdata =
31639 +static unsigned int pcnet32_portlist[] __devinitdata =
31640      { 0x300, 0x320, 0x340, 0x360, 0 };
31641  
31642  static int pcnet32_debug;
31643 @@ -270,7 +270,7 @@ struct pcnet32_private {
31644         struct sk_buff          **rx_skbuff;
31645         dma_addr_t              *tx_dma_addr;
31646         dma_addr_t              *rx_dma_addr;
31647 -       struct pcnet32_access   a;
31648 +       struct pcnet32_access   *a;
31649         spinlock_t              lock;           /* Guard lock */
31650         unsigned int            cur_rx, cur_tx; /* The next free ring entry */
31651         unsigned int            rx_ring_size;   /* current rx ring size */
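Review bot: Changing `struct pcnet32_access a;` to `struct pcnet32_access *a;` turns every former `lp->a.x` access into a dereference of a pointer that must be assigned during probe before any of the `lp->a->` call sites run; that assignment is not in any hunk visible here, and the pcnet32.c section continues past the end of this view, so it cannot be confirmed from this page. If the pointer targets a shared static access table, declare it `const struct pcnet32_access *a;` so the function-pointer table cannot be modified through the per-device private struct. Separately, pcnet32_loopback_test already holds `a = lp->a`, so the rewritten lines in `@@ -947,10 +947,10 @@` could use `a->write_csr(...)` for consistency with `x = a->read_csr(ioaddr, CSR15)` on the line just above them.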
31652 @@ -460,9 +460,9 @@ static void pcnet32_netif_start(struct n
31653         u16 val;
31654  
31655         netif_wake_queue(dev);
31656 -       val = lp->a.read_csr(ioaddr, CSR3);
31657 +       val = lp->a->read_csr(ioaddr, CSR3);
31658         val &= 0x00ff;
31659 -       lp->a.write_csr(ioaddr, CSR3, val);
31660 +       lp->a->write_csr(ioaddr, CSR3, val);
31661         napi_enable(&lp->napi);
31662  }
31663  
31664 @@ -730,7 +730,7 @@ static u32 pcnet32_get_link(struct net_d
31665                 r = mii_link_ok(&lp->mii_if);
31666         } else if (lp->chip_version >= PCNET32_79C970A) {
31667                 ulong ioaddr = dev->base_addr;  /* card base I/O address */
31668 -               r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
31669 +               r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
31670         } else {        /* can not detect link on really old chips */
31671                 r = 1;
31672         }
31673 @@ -792,7 +792,7 @@ static int pcnet32_set_ringparam(struct 
31674                 pcnet32_netif_stop(dev);
31675  
31676         spin_lock_irqsave(&lp->lock, flags);
31677 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* stop the chip */
31678 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* stop the chip */
31679  
31680         size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
31681  
31682 @@ -868,7 +868,7 @@ static void pcnet32_ethtool_test(struct 
31683  static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
31684  {
31685         struct pcnet32_private *lp = netdev_priv(dev);
31686 -       struct pcnet32_access *a = &lp->a;      /* access to registers */
31687 +       struct pcnet32_access *a = lp->a;       /* access to registers */
31688         ulong ioaddr = dev->base_addr;  /* card base I/O address */
31689         struct sk_buff *skb;    /* sk buff */
31690         int x, i;               /* counters */
31691 @@ -888,21 +888,21 @@ static int pcnet32_loopback_test(struct 
31692                 pcnet32_netif_stop(dev);
31693  
31694         spin_lock_irqsave(&lp->lock, flags);
31695 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* stop the chip */
31696 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* stop the chip */
31697  
31698         numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
31699  
31700         /* Reset the PCNET32 */
31701 -       lp->a.reset(ioaddr);
31702 -       lp->a.write_csr(ioaddr, CSR4, 0x0915);  /* auto tx pad */
31703 +       lp->a->reset(ioaddr);
31704 +       lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31705  
31706         /* switch pcnet32 to 32bit mode */
31707 -       lp->a.write_bcr(ioaddr, 20, 2);
31708 +       lp->a->write_bcr(ioaddr, 20, 2);
31709  
31710         /* purge & init rings but don't actually restart */
31711         pcnet32_restart(dev, 0x0000);
31712  
31713 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* Set STOP bit */
31714 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* Set STOP bit */
31715  
31716         /* Initialize Transmit buffers. */
31717         size = data_len + 15;
31718 @@ -947,10 +947,10 @@ static int pcnet32_loopback_test(struct 
31719  
31720         /* set int loopback in CSR15 */
31721         x = a->read_csr(ioaddr, CSR15) & 0xfffc;
31722 -       lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
31723 +       lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
31724  
31725         teststatus = cpu_to_le16(0x8000);
31726 -       lp->a.write_csr(ioaddr, CSR0, CSR0_START);      /* Set STRT bit */
31727 +       lp->a->write_csr(ioaddr, CSR0, CSR0_START);     /* Set STRT bit */
31728  
31729         /* Check status of descriptors */
31730         for (x = 0; x < numbuffs; x++) {
31731 @@ -969,7 +969,7 @@ static int pcnet32_loopback_test(struct 
31732                 }
31733         }
31734  
31735 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* Set STOP bit */
31736 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* Set STOP bit */
31737         wmb();
31738         if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
31739                 netdev_printk(KERN_DEBUG, dev, "RX loopback packets:\n");
31740 @@ -1015,7 +1015,7 @@ clean_up:
31741                 pcnet32_restart(dev, CSR0_NORMAL);
31742         } else {
31743                 pcnet32_purge_rx_ring(dev);
31744 -               lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
31745 +               lp->a->write_bcr(ioaddr, 20, 4);        /* return to 16bit mode */
31746         }
31747         spin_unlock_irqrestore(&lp->lock, flags);
31748  
31749 @@ -1026,7 +1026,7 @@ static int pcnet32_set_phys_id(struct ne
31750                                enum ethtool_phys_id_state state)
31751  {
31752         struct pcnet32_private *lp = netdev_priv(dev);
31753 -       struct pcnet32_access *a = &lp->a;
31754 +       struct pcnet32_access *a = lp->a;
31755         ulong ioaddr = dev->base_addr;
31756         unsigned long flags;
31757         int i;
31758 @@ -1067,7 +1067,7 @@ static int pcnet32_suspend(struct net_de
31759  {
31760         int csr5;
31761         struct pcnet32_private *lp = netdev_priv(dev);
31762 -       struct pcnet32_access *a = &lp->a;
31763 +       struct pcnet32_access *a = lp->a;
31764         ulong ioaddr = dev->base_addr;
31765         int ticks;
31766  
31767 @@ -1324,8 +1324,8 @@ static int pcnet32_poll(struct napi_stru
31768         spin_lock_irqsave(&lp->lock, flags);
31769         if (pcnet32_tx(dev)) {
31770                 /* reset the chip to clear the error condition, then restart */
31771 -               lp->a.reset(ioaddr);
31772 -               lp->a.write_csr(ioaddr, CSR4, 0x0915);  /* auto tx pad */
31773 +               lp->a->reset(ioaddr);
31774 +               lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31775                 pcnet32_restart(dev, CSR0_START);
31776                 netif_wake_queue(dev);
31777         }
31778 @@ -1337,12 +1337,12 @@ static int pcnet32_poll(struct napi_stru
31779                 __napi_complete(napi);
31780  
31781                 /* clear interrupt masks */
31782 -               val = lp->a.read_csr(ioaddr, CSR3);
31783 +               val = lp->a->read_csr(ioaddr, CSR3);
31784                 val &= 0x00ff;
31785 -               lp->a.write_csr(ioaddr, CSR3, val);
31786 +               lp->a->write_csr(ioaddr, CSR3, val);
31787  
31788                 /* Set interrupt enable. */
31789 -               lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
31790 +               lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
31791  
31792                 spin_unlock_irqrestore(&lp->lock, flags);
31793         }
31794 @@ -1365,7 +1365,7 @@ static void pcnet32_get_regs(struct net_
31795         int i, csr0;
31796         u16 *buff = ptr;
31797         struct pcnet32_private *lp = netdev_priv(dev);
31798 -       struct pcnet32_access *a = &lp->a;
31799 +       struct pcnet32_access *a = lp->a;
31800         ulong ioaddr = dev->base_addr;
31801         unsigned long flags;
31802  
31803 @@ -1401,9 +1401,9 @@ static void pcnet32_get_regs(struct net_
31804                 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
31805                         if (lp->phymask & (1 << j)) {
31806                                 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
31807 -                                       lp->a.write_bcr(ioaddr, 33,
31808 +                                       lp->a->write_bcr(ioaddr, 33,
31809                                                         (j << 5) | i);
31810 -                                       *buff++ = lp->a.read_bcr(ioaddr, 34);
31811 +                                       *buff++ = lp->a->read_bcr(ioaddr, 34);
31812                                 }
31813                         }
31814                 }
31815 @@ -1785,7 +1785,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31816             ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
31817                 lp->options |= PCNET32_PORT_FD;
31818  
31819 -       lp->a = *a;
31820 +       lp->a = a;
31821  
31822         /* prior to register_netdev, dev->name is not yet correct */
31823         if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
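Review bot: The new `lp->a = a;` stores an alias where the old code stored a copy, so the access table that `a` points to must now outlive the net_device; nothing in this hunk shows where `a` comes from, and if a caller ever passed a local or per-probe copy the pointer would dangle as soon as probe returned. pcnet32_probe1 starts and ends outside the hunk. A one-line comment at the assignment pins the contract: `/* alias, not copy: a must point at a static access table that outlives dev */`. The other pcnet32 hunks load `lp->a` into a plain `struct pcnet32_access *` local, so whatever qualifier the new member declaration carries (not visible here) needs to agree with those locals or the build will warn about discarded qualifiers.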
31824 @@ -1844,7 +1844,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31825         if (lp->mii) {
31826                 /* lp->phycount and lp->phymask are set to 0 by memset above */
31827  
31828 -               lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31829 +               lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31830                 /* scan for PHYs */
31831                 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31832                         unsigned short id1, id2;
31833 @@ -1864,7 +1864,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31834                                 pr_info("Found PHY %04x:%04x at address %d\n",
31835                                         id1, id2, i);
31836                 }
31837 -               lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31838 +               lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31839                 if (lp->phycount > 1)
31840                         lp->options |= PCNET32_PORT_MII;
31841         }
31842 @@ -2020,10 +2020,10 @@ static int pcnet32_open(struct net_devic
31843         }
31844  
31845         /* Reset the PCNET32 */
31846 -       lp->a.reset(ioaddr);
31847 +       lp->a->reset(ioaddr);
31848  
31849         /* switch pcnet32 to 32bit mode */
31850 -       lp->a.write_bcr(ioaddr, 20, 2);
31851 +       lp->a->write_bcr(ioaddr, 20, 2);
31852  
31853         netif_printk(lp, ifup, KERN_DEBUG, dev,
31854                      "%s() irq %d tx/rx rings %#x/%#x init %#x\n",
31855 @@ -2032,14 +2032,14 @@ static int pcnet32_open(struct net_devic
31856                      (u32) (lp->init_dma_addr));
31857  
31858         /* set/reset autoselect bit */
31859 -       val = lp->a.read_bcr(ioaddr, 2) & ~2;
31860 +       val = lp->a->read_bcr(ioaddr, 2) & ~2;
31861         if (lp->options & PCNET32_PORT_ASEL)
31862                 val |= 2;
31863 -       lp->a.write_bcr(ioaddr, 2, val);
31864 +       lp->a->write_bcr(ioaddr, 2, val);
31865  
31866         /* handle full duplex setting */
31867         if (lp->mii_if.full_duplex) {
31868 -               val = lp->a.read_bcr(ioaddr, 9) & ~3;
31869 +               val = lp->a->read_bcr(ioaddr, 9) & ~3;
31870                 if (lp->options & PCNET32_PORT_FD) {
31871                         val |= 1;
31872                         if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
31873 @@ -2049,14 +2049,14 @@ static int pcnet32_open(struct net_devic
31874                         if (lp->chip_version == 0x2627)
31875                                 val |= 3;
31876                 }
31877 -               lp->a.write_bcr(ioaddr, 9, val);
31878 +               lp->a->write_bcr(ioaddr, 9, val);
31879         }
31880  
31881         /* set/reset GPSI bit in test register */
31882 -       val = lp->a.read_csr(ioaddr, 124) & ~0x10;
31883 +       val = lp->a->read_csr(ioaddr, 124) & ~0x10;
31884         if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
31885                 val |= 0x10;
31886 -       lp->a.write_csr(ioaddr, 124, val);
31887 +       lp->a->write_csr(ioaddr, 124, val);
31888  
31889         /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
31890         if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
31891 @@ -2075,24 +2075,24 @@ static int pcnet32_open(struct net_devic
31892                  * duplex, and/or enable auto negotiation, and clear DANAS
31893                  */
31894                 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
31895 -                       lp->a.write_bcr(ioaddr, 32,
31896 -                                       lp->a.read_bcr(ioaddr, 32) | 0x0080);
31897 +                       lp->a->write_bcr(ioaddr, 32,
31898 +                                       lp->a->read_bcr(ioaddr, 32) | 0x0080);
31899                         /* disable Auto Negotiation, set 10Mpbs, HD */
31900 -                       val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
31901 +                       val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
31902                         if (lp->options & PCNET32_PORT_FD)
31903                                 val |= 0x10;
31904                         if (lp->options & PCNET32_PORT_100)
31905                                 val |= 0x08;
31906 -                       lp->a.write_bcr(ioaddr, 32, val);
31907 +                       lp->a->write_bcr(ioaddr, 32, val);
31908                 } else {
31909                         if (lp->options & PCNET32_PORT_ASEL) {
31910 -                               lp->a.write_bcr(ioaddr, 32,
31911 -                                               lp->a.read_bcr(ioaddr,
31912 +                               lp->a->write_bcr(ioaddr, 32,
31913 +                                               lp->a->read_bcr(ioaddr,
31914                                                                32) | 0x0080);
31915                                 /* enable auto negotiate, setup, disable fd */
31916 -                               val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
31917 +                               val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
31918                                 val |= 0x20;
31919 -                               lp->a.write_bcr(ioaddr, 32, val);
31920 +                               lp->a->write_bcr(ioaddr, 32, val);
31921                         }
31922                 }
31923         } else {
31924 @@ -2105,10 +2105,10 @@ static int pcnet32_open(struct net_devic
31925                  * There is really no good other way to handle multiple PHYs
31926                  * other than turning off all automatics
31927                  */
31928 -               val = lp->a.read_bcr(ioaddr, 2);
31929 -               lp->a.write_bcr(ioaddr, 2, val & ~2);
31930 -               val = lp->a.read_bcr(ioaddr, 32);
31931 -               lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7));   /* stop MII manager */
31932 +               val = lp->a->read_bcr(ioaddr, 2);
31933 +               lp->a->write_bcr(ioaddr, 2, val & ~2);
31934 +               val = lp->a->read_bcr(ioaddr, 32);
31935 +               lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7));  /* stop MII manager */
31936  
31937                 if (!(lp->options & PCNET32_PORT_ASEL)) {
31938                         /* setup ecmd */
31939 @@ -2118,7 +2118,7 @@ static int pcnet32_open(struct net_devic
31940                         ethtool_cmd_speed_set(&ecmd,
31941                                               (lp->options & PCNET32_PORT_100) ?
31942                                               SPEED_100 : SPEED_10);
31943 -                       bcr9 = lp->a.read_bcr(ioaddr, 9);
31944 +                       bcr9 = lp->a->read_bcr(ioaddr, 9);
31945  
31946                         if (lp->options & PCNET32_PORT_FD) {
31947                                 ecmd.duplex = DUPLEX_FULL;
31948 @@ -2127,7 +2127,7 @@ static int pcnet32_open(struct net_devic
31949                                 ecmd.duplex = DUPLEX_HALF;
31950                                 bcr9 |= ~(1 << 0);
31951                         }
31952 -                       lp->a.write_bcr(ioaddr, 9, bcr9);
31953 +                       lp->a->write_bcr(ioaddr, 9, bcr9);
31954                 }
31955  
31956                 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31957 @@ -2158,9 +2158,9 @@ static int pcnet32_open(struct net_devic
31958  
31959  #ifdef DO_DXSUFLO
31960         if (lp->dxsuflo) {      /* Disable transmit stop on underflow */
31961 -               val = lp->a.read_csr(ioaddr, CSR3);
31962 +               val = lp->a->read_csr(ioaddr, CSR3);
31963                 val |= 0x40;
31964 -               lp->a.write_csr(ioaddr, CSR3, val);
31965 +               lp->a->write_csr(ioaddr, CSR3, val);
31966         }
31967  #endif
31968  
31969 @@ -2176,11 +2176,11 @@ static int pcnet32_open(struct net_devic
31970         napi_enable(&lp->napi);
31971  
31972         /* Re-initialize the PCNET32, and start it when done. */
31973 -       lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31974 -       lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31975 +       lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31976 +       lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31977  
31978 -       lp->a.write_csr(ioaddr, CSR4, 0x0915);  /* auto tx pad */
31979 -       lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
31980 +       lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31981 +       lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
31982  
31983         netif_start_queue(dev);
31984  
31985 @@ -2192,19 +2192,19 @@ static int pcnet32_open(struct net_devic
31986  
31987         i = 0;
31988         while (i++ < 100)
31989 -               if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
31990 +               if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
31991                         break;
31992         /*
31993          * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
31994          * reports that doing so triggers a bug in the '974.
31995          */
31996 -       lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
31997 +       lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
31998  
31999         netif_printk(lp, ifup, KERN_DEBUG, dev,
32000                      "pcnet32 open after %d ticks, init block %#x csr0 %4.4x\n",
32001                      i,
32002                      (u32) (lp->init_dma_addr),
32003 -                    lp->a.read_csr(ioaddr, CSR0));
32004 +                    lp->a->read_csr(ioaddr, CSR0));
32005  
32006         spin_unlock_irqrestore(&lp->lock, flags);
32007  
32008 @@ -2218,7 +2218,7 @@ err_free_ring:
32009          * Switch back to 16bit mode to avoid problems with dumb
32010          * DOS packet driver after a warm reboot
32011          */
32012 -       lp->a.write_bcr(ioaddr, 20, 4);
32013 +       lp->a->write_bcr(ioaddr, 20, 4);
32014  
32015  err_free_irq:
32016         spin_unlock_irqrestore(&lp->lock, flags);
32017 @@ -2323,7 +2323,7 @@ static void pcnet32_restart(struct net_d
32018  
32019         /* wait for stop */
32020         for (i = 0; i < 100; i++)
32021 -               if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
32022 +               if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
32023                         break;
32024  
32025         if (i >= 100)
32026 @@ -2335,13 +2335,13 @@ static void pcnet32_restart(struct net_d
32027                 return;
32028  
32029         /* ReInit Ring */
32030 -       lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
32031 +       lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
32032         i = 0;
32033         while (i++ < 1000)
32034 -               if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
32035 +               if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
32036                         break;
32037  
32038 -       lp->a.write_csr(ioaddr, CSR0, csr0_bits);
32039 +       lp->a->write_csr(ioaddr, CSR0, csr0_bits);
32040  }
32041  
32042  static void pcnet32_tx_timeout(struct net_device *dev)
32043 @@ -2353,8 +2353,8 @@ static void pcnet32_tx_timeout(struct ne
32044         /* Transmitter timeout, serious problems. */
32045         if (pcnet32_debug & NETIF_MSG_DRV)
32046                 pr_err("%s: transmit timed out, status %4.4x, resetting\n",
32047 -                      dev->name, lp->a.read_csr(ioaddr, CSR0));
32048 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32049 +                      dev->name, lp->a->read_csr(ioaddr, CSR0));
32050 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32051         dev->stats.tx_errors++;
32052         if (netif_msg_tx_err(lp)) {
32053                 int i;
32054 @@ -2397,7 +2397,7 @@ static netdev_tx_t pcnet32_start_xmit(st
32055  
32056         netif_printk(lp, tx_queued, KERN_DEBUG, dev,
32057                      "%s() called, csr0 %4.4x\n",
32058 -                    __func__, lp->a.read_csr(ioaddr, CSR0));
32059 +                    __func__, lp->a->read_csr(ioaddr, CSR0));
32060  
32061         /* Default status -- will not enable Successful-TxDone
32062          * interrupt when that option is available to us.
32063 @@ -2427,7 +2427,7 @@ static netdev_tx_t pcnet32_start_xmit(st
32064         dev->stats.tx_bytes += skb->len;
32065  
32066         /* Trigger an immediate send poll. */
32067 -       lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
32068 +       lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
32069  
32070         if (lp->tx_ring[(entry + 1) & lp->tx_mod_mask].base != 0) {
32071                 lp->tx_full = 1;
32072 @@ -2452,16 +2452,16 @@ pcnet32_interrupt(int irq, void *dev_id)
32073  
32074         spin_lock(&lp->lock);
32075  
32076 -       csr0 = lp->a.read_csr(ioaddr, CSR0);
32077 +       csr0 = lp->a->read_csr(ioaddr, CSR0);
32078         while ((csr0 & 0x8f00) && --boguscnt >= 0) {
32079                 if (csr0 == 0xffff)
32080                         break;  /* PCMCIA remove happened */
32081                 /* Acknowledge all of the current interrupt sources ASAP. */
32082 -               lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
32083 +               lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
32084  
32085                 netif_printk(lp, intr, KERN_DEBUG, dev,
32086                              "interrupt  csr0=%#2.2x new csr=%#2.2x\n",
32087 -                            csr0, lp->a.read_csr(ioaddr, CSR0));
32088 +                            csr0, lp->a->read_csr(ioaddr, CSR0));
32089  
32090                 /* Log misc errors. */
32091                 if (csr0 & 0x4000)
32092 @@ -2488,19 +2488,19 @@ pcnet32_interrupt(int irq, void *dev_id)
32093                 if (napi_schedule_prep(&lp->napi)) {
32094                         u16 val;
32095                         /* set interrupt masks */
32096 -                       val = lp->a.read_csr(ioaddr, CSR3);
32097 +                       val = lp->a->read_csr(ioaddr, CSR3);
32098                         val |= 0x5f00;
32099 -                       lp->a.write_csr(ioaddr, CSR3, val);
32100 +                       lp->a->write_csr(ioaddr, CSR3, val);
32101  
32102                         __napi_schedule(&lp->napi);
32103                         break;
32104                 }
32105 -               csr0 = lp->a.read_csr(ioaddr, CSR0);
32106 +               csr0 = lp->a->read_csr(ioaddr, CSR0);
32107         }
32108  
32109         netif_printk(lp, intr, KERN_DEBUG, dev,
32110                      "exiting interrupt, csr0=%#4.4x\n",
32111 -                    lp->a.read_csr(ioaddr, CSR0));
32112 +                    lp->a->read_csr(ioaddr, CSR0));
32113  
32114         spin_unlock(&lp->lock);
32115  
32116 @@ -2520,20 +2520,20 @@ static int pcnet32_close(struct net_devi
32117  
32118         spin_lock_irqsave(&lp->lock, flags);
32119  
32120 -       dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
32121 +       dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
32122  
32123         netif_printk(lp, ifdown, KERN_DEBUG, dev,
32124                      "Shutting down ethercard, status was %2.2x\n",
32125 -                    lp->a.read_csr(ioaddr, CSR0));
32126 +                    lp->a->read_csr(ioaddr, CSR0));
32127  
32128         /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
32129 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32130 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32131  
32132         /*
32133          * Switch back to 16bit mode to avoid problems with dumb
32134          * DOS packet driver after a warm reboot
32135          */
32136 -       lp->a.write_bcr(ioaddr, 20, 4);
32137 +       lp->a->write_bcr(ioaddr, 20, 4);
32138  
32139         spin_unlock_irqrestore(&lp->lock, flags);
32140  
32141 @@ -2556,7 +2556,7 @@ static struct net_device_stats *pcnet32_
32142         unsigned long flags;
32143  
32144         spin_lock_irqsave(&lp->lock, flags);
32145 -       dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
32146 +       dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
32147         spin_unlock_irqrestore(&lp->lock, flags);
32148  
32149         return &dev->stats;
32150 @@ -2578,10 +2578,10 @@ static void pcnet32_load_multicast(struc
32151         if (dev->flags & IFF_ALLMULTI) {
32152                 ib->filter[0] = cpu_to_le32(~0U);
32153                 ib->filter[1] = cpu_to_le32(~0U);
32154 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
32155 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
32156 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
32157 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
32158 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
32159 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
32160 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
32161 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
32162                 return;
32163         }
32164         /* clear the multicast filter */
32165 @@ -2601,7 +2601,7 @@ static void pcnet32_load_multicast(struc
32166                 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
32167         }
32168         for (i = 0; i < 4; i++)
32169 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
32170 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
32171                                 le16_to_cpu(mcast_table[i]));
32172  }
32173  
32174 @@ -2616,28 +2616,28 @@ static void pcnet32_set_multicast_list(s
32175  
32176         spin_lock_irqsave(&lp->lock, flags);
32177         suspended = pcnet32_suspend(dev, &flags, 0);
32178 -       csr15 = lp->a.read_csr(ioaddr, CSR15);
32179 +       csr15 = lp->a->read_csr(ioaddr, CSR15);
32180         if (dev->flags & IFF_PROMISC) {
32181                 /* Log any net taps. */
32182                 netif_info(lp, hw, dev, "Promiscuous mode enabled\n");
32183                 lp->init_block->mode =
32184                     cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
32185                                 7);
32186 -               lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
32187 +               lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
32188         } else {
32189                 lp->init_block->mode =
32190                     cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
32191 -               lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
32192 +               lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
32193                 pcnet32_load_multicast(dev);
32194         }
32195  
32196         if (suspended) {
32197                 int csr5;
32198                 /* clear SUSPEND (SPND) - CSR5 bit 0 */
32199 -               csr5 = lp->a.read_csr(ioaddr, CSR5);
32200 -               lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
32201 +               csr5 = lp->a->read_csr(ioaddr, CSR5);
32202 +               lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
32203         } else {
32204 -               lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32205 +               lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32206                 pcnet32_restart(dev, CSR0_NORMAL);
32207                 netif_wake_queue(dev);
32208         }
32209 @@ -2655,8 +2655,8 @@ static int mdio_read(struct net_device *
32210         if (!lp->mii)
32211                 return 0;
32212  
32213 -       lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32214 -       val_out = lp->a.read_bcr(ioaddr, 34);
32215 +       lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32216 +       val_out = lp->a->read_bcr(ioaddr, 34);
32217  
32218         return val_out;
32219  }
32220 @@ -2670,8 +2670,8 @@ static void mdio_write(struct net_device
32221         if (!lp->mii)
32222                 return;
32223  
32224 -       lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32225 -       lp->a.write_bcr(ioaddr, 34, val);
32226 +       lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32227 +       lp->a->write_bcr(ioaddr, 34, val);
32228  }
32229  
32230  static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
32231 @@ -2748,7 +2748,7 @@ static void pcnet32_check_media(struct n
32232                 curr_link = mii_link_ok(&lp->mii_if);
32233         } else {
32234                 ulong ioaddr = dev->base_addr;  /* card base I/O address */
32235 -               curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
32236 +               curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
32237         }
32238         if (!curr_link) {
32239                 if (prev_link || verbose) {
32240 @@ -2771,13 +2771,13 @@ static void pcnet32_check_media(struct n
32241                                             (ecmd.duplex == DUPLEX_FULL)
32242                                             ? "full" : "half");
32243                         }
32244 -                       bcr9 = lp->a.read_bcr(dev->base_addr, 9);
32245 +                       bcr9 = lp->a->read_bcr(dev->base_addr, 9);
32246                         if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
32247                                 if (lp->mii_if.full_duplex)
32248                                         bcr9 |= (1 << 0);
32249                                 else
32250                                         bcr9 &= ~(1 << 0);
32251 -                               lp->a.write_bcr(dev->base_addr, 9, bcr9);
32252 +                               lp->a->write_bcr(dev->base_addr, 9, bcr9);
32253                         }
32254                 } else {
32255                         netif_info(lp, link, dev, "link up\n");
32256 diff -urNp linux-3.0.9/drivers/net/ppp_generic.c linux-3.0.9/drivers/net/ppp_generic.c
32257 --- linux-3.0.9/drivers/net/ppp_generic.c       2011-11-11 13:12:24.000000000 -0500
32258 +++ linux-3.0.9/drivers/net/ppp_generic.c       2011-11-15 20:02:59.000000000 -0500
32259 @@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
32260         void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
32261         struct ppp_stats stats;
32262         struct ppp_comp_stats cstats;
32263 -       char *vers;
32264  
32265         switch (cmd) {
32266         case SIOCGPPPSTATS:
32267 @@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
32268                 break;
32269  
32270         case SIOCGPPPVER:
32271 -               vers = PPP_VERSION;
32272 -               if (copy_to_user(addr, vers, strlen(vers) + 1))
32273 +               if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
32274                         break;
32275                 err = 0;
32276                 break;
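Review bot: The `sizeof(PPP_VERSION)` passed to the new copy_to_user equals the string length plus its NUL only while PPP_VERSION expands to a string literal; if it were ever redefined as a `const char *`, sizeof would silently become the pointer size and SIOCGPPPVER would hand user space a truncated, possibly unterminated string. ppp_net_ioctl begins and ends outside the hunk. A short comment records the assumption the change now depends on: `/* PPP_VERSION is a string literal: sizeof() includes the terminating NUL */`.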
32277 diff -urNp linux-3.0.9/drivers/net/r8169.c linux-3.0.9/drivers/net/r8169.c
32278 --- linux-3.0.9/drivers/net/r8169.c     2011-11-11 13:12:24.000000000 -0500
32279 +++ linux-3.0.9/drivers/net/r8169.c     2011-11-15 20:02:59.000000000 -0500
32280 @@ -645,12 +645,12 @@ struct rtl8169_private {
32281         struct mdio_ops {
32282                 void (*write)(void __iomem *, int, int);
32283                 int (*read)(void __iomem *, int);
32284 -       } mdio_ops;
32285 +       } __no_const mdio_ops;
32286  
32287         struct pll_power_ops {
32288                 void (*down)(struct rtl8169_private *);
32289                 void (*up)(struct rtl8169_private *);
32290 -       } pll_power_ops;
32291 +       } __no_const pll_power_ops;
32292  
32293         int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
32294         int (*get_settings)(struct net_device *, struct ethtool_cmd *);
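Review bot: The `__no_const` on mdio_ops and pll_power_ops exempts two function-pointer tables embedded in the heap-allocated rtl8169_private from constification, leaving them writable for the lifetime of the device, and the hunk gives no reason; each such exemption is exactly the kind of heap-resident function pointer an arbitrary-write primitive targets, so it deserves a justification at the declaration. Presumably they are filled in per chip variant at probe time (not visible here), which is what should be written down: `/* __no_const: selected per chip variant at probe time, so this fn-pointer table stays writable */`. If the selection really happens once, pointing at a static const table instead (as the pcnet32 change elsewhere in this patch does with lp->a) would remove the writable copy altogether.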
32295 diff -urNp linux-3.0.9/drivers/net/sis190.c linux-3.0.9/drivers/net/sis190.c
32296 --- linux-3.0.9/drivers/net/sis190.c    2011-11-11 13:12:24.000000000 -0500
32297 +++ linux-3.0.9/drivers/net/sis190.c    2011-11-15 20:02:59.000000000 -0500
32298 @@ -1623,7 +1623,7 @@ static int __devinit sis190_get_mac_addr
32299  static int __devinit sis190_get_mac_addr_from_apc(struct pci_dev *pdev,
32300                                                   struct net_device *dev)
32301  {
32302 -       static const u16 __devinitdata ids[] = { 0x0965, 0x0966, 0x0968 };
32303 +       static const u16 __devinitconst ids[] = { 0x0965, 0x0966, 0x0968 };
32304         struct sis190_private *tp = netdev_priv(dev);
32305         struct pci_dev *isa_bridge;
32306         u8 reg, tmp8;
32307 diff -urNp linux-3.0.9/drivers/net/sundance.c linux-3.0.9/drivers/net/sundance.c
32308 --- linux-3.0.9/drivers/net/sundance.c  2011-11-11 13:12:24.000000000 -0500
32309 +++ linux-3.0.9/drivers/net/sundance.c  2011-11-15 20:02:59.000000000 -0500
32310 @@ -218,7 +218,7 @@ enum {
32311  struct pci_id_info {
32312          const char *name;
32313  };
32314 -static const struct pci_id_info pci_id_tbl[] __devinitdata = {
32315 +static const struct pci_id_info pci_id_tbl[] __devinitconst = {
32316         {"D-Link DFE-550TX FAST Ethernet Adapter"},
32317         {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"},
32318         {"D-Link DFE-580TX 4 port Server Adapter"},
32319 diff -urNp linux-3.0.9/drivers/net/tg3.h linux-3.0.9/drivers/net/tg3.h
32320 --- linux-3.0.9/drivers/net/tg3.h       2011-11-11 13:12:24.000000000 -0500
32321 +++ linux-3.0.9/drivers/net/tg3.h       2011-11-15 20:02:59.000000000 -0500
32322 @@ -134,6 +134,7 @@
32323  #define  CHIPREV_ID_5750_A0             0x4000
32324  #define  CHIPREV_ID_5750_A1             0x4001
32325  #define  CHIPREV_ID_5750_A3             0x4003
32326 +#define  CHIPREV_ID_5750_C1             0x4201
32327  #define  CHIPREV_ID_5750_C2             0x4202
32328  #define  CHIPREV_ID_5752_A0_HW          0x5000
32329  #define  CHIPREV_ID_5752_A0             0x6000
32330 diff -urNp linux-3.0.9/drivers/net/tokenring/abyss.c linux-3.0.9/drivers/net/tokenring/abyss.c
32331 --- linux-3.0.9/drivers/net/tokenring/abyss.c   2011-11-11 13:12:24.000000000 -0500
32332 +++ linux-3.0.9/drivers/net/tokenring/abyss.c   2011-11-15 20:02:59.000000000 -0500
32333 @@ -451,10 +451,12 @@ static struct pci_driver abyss_driver = 
32334  
32335  static int __init abyss_init (void)
32336  {
32337 -       abyss_netdev_ops = tms380tr_netdev_ops;
32338 +       pax_open_kernel();
32339 +       memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32340  
32341 -       abyss_netdev_ops.ndo_open = abyss_open;
32342 -       abyss_netdev_ops.ndo_stop = abyss_close;
32343 +       *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
32344 +       *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
32345 +       pax_close_kernel();
32346  
32347         return pci_register_driver(&abyss_driver);
32348  }
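Review bot: The `*(void **)&abyss_netdev_ops.ndo_open = abyss_open;` writes discard the type check the removed direct assignments had, so a mismatch between abyss_open's prototype and `ndo_open` would now compile silently; the cast exists only to write through what the `(void *)` in the memcpy suggests is a now-constified ops struct, and the reader is not told that. A comment above `pax_open_kernel()` such as `/* abyss_netdev_ops lives in read-only data: open a minimal write window to fill it in, keep no other code inside */` documents both the casts and why the window is confined to these three statements. The same comment belongs in the madgemc, proteon and skisa hunks below, which repeat the pattern.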
32349 diff -urNp linux-3.0.9/drivers/net/tokenring/madgemc.c linux-3.0.9/drivers/net/tokenring/madgemc.c
32350 --- linux-3.0.9/drivers/net/tokenring/madgemc.c 2011-11-11 13:12:24.000000000 -0500
32351 +++ linux-3.0.9/drivers/net/tokenring/madgemc.c 2011-11-15 20:02:59.000000000 -0500
32352 @@ -744,9 +744,11 @@ static struct mca_driver madgemc_driver 
32353  
32354  static int __init madgemc_init (void)
32355  {
32356 -       madgemc_netdev_ops = tms380tr_netdev_ops;
32357 -       madgemc_netdev_ops.ndo_open = madgemc_open;
32358 -       madgemc_netdev_ops.ndo_stop = madgemc_close;
32359 +       pax_open_kernel();
32360 +       memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32361 +       *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
32362 +       *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
32363 +       pax_close_kernel();
32364  
32365         return mca_register_driver (&madgemc_driver);
32366  }
32367 diff -urNp linux-3.0.9/drivers/net/tokenring/proteon.c linux-3.0.9/drivers/net/tokenring/proteon.c
32368 --- linux-3.0.9/drivers/net/tokenring/proteon.c 2011-11-11 13:12:24.000000000 -0500
32369 +++ linux-3.0.9/drivers/net/tokenring/proteon.c 2011-11-15 20:02:59.000000000 -0500
32370 @@ -353,9 +353,11 @@ static int __init proteon_init(void)
32371         struct platform_device *pdev;
32372         int i, num = 0, err = 0;
32373  
32374 -       proteon_netdev_ops = tms380tr_netdev_ops;
32375 -       proteon_netdev_ops.ndo_open = proteon_open;
32376 -       proteon_netdev_ops.ndo_stop = tms380tr_close;
32377 +       pax_open_kernel();
32378 +       memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32379 +       *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
32380 +       *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
32381 +       pax_close_kernel();
32382  
32383         err = platform_driver_register(&proteon_driver);
32384         if (err)
32385 diff -urNp linux-3.0.9/drivers/net/tokenring/skisa.c linux-3.0.9/drivers/net/tokenring/skisa.c
32386 --- linux-3.0.9/drivers/net/tokenring/skisa.c   2011-11-11 13:12:24.000000000 -0500
32387 +++ linux-3.0.9/drivers/net/tokenring/skisa.c   2011-11-15 20:02:59.000000000 -0500
32388 @@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
32389         struct platform_device *pdev;
32390         int i, num = 0, err = 0;
32391  
32392 -       sk_isa_netdev_ops = tms380tr_netdev_ops;
32393 -       sk_isa_netdev_ops.ndo_open = sk_isa_open;
32394 -       sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32395 +       pax_open_kernel();
32396 +       memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32397 +       *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
32398 +       *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32399 +       pax_close_kernel();
32400  
32401         err = platform_driver_register(&sk_isa_driver);
32402         if (err)
32403 diff -urNp linux-3.0.9/drivers/net/tulip/de2104x.c linux-3.0.9/drivers/net/tulip/de2104x.c
32404 --- linux-3.0.9/drivers/net/tulip/de2104x.c     2011-11-11 13:12:24.000000000 -0500
32405 +++ linux-3.0.9/drivers/net/tulip/de2104x.c     2011-11-15 20:02:59.000000000 -0500
32406 @@ -1794,6 +1794,8 @@ static void __devinit de21041_get_srom_i
32407         struct de_srom_info_leaf *il;
32408         void *bufp;
32409  
32410 +       pax_track_stack();
32411 +
32412         /* download entire eeprom */
32413         for (i = 0; i < DE_EEPROM_WORDS; i++)
32414                 ((__le16 *)ee_data)[i] =
32415 diff -urNp linux-3.0.9/drivers/net/tulip/de4x5.c linux-3.0.9/drivers/net/tulip/de4x5.c
32416 --- linux-3.0.9/drivers/net/tulip/de4x5.c       2011-11-11 13:12:24.000000000 -0500
32417 +++ linux-3.0.9/drivers/net/tulip/de4x5.c       2011-11-15 20:02:59.000000000 -0500
32418 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
32419         for (i=0; i<ETH_ALEN; i++) {
32420             tmp.addr[i] = dev->dev_addr[i];
32421         }
32422 -       if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32423 +       if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32424         break;
32425  
32426      case DE4X5_SET_HWADDR:           /* Set the hardware address */
32427 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
32428         spin_lock_irqsave(&lp->lock, flags);
32429         memcpy(&statbuf, &lp->pktStats, ioc->len);
32430         spin_unlock_irqrestore(&lp->lock, flags);
32431 -       if (copy_to_user(ioc->data, &statbuf, ioc->len))
32432 +       if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
32433                 return -EFAULT;
32434         break;
32435      }
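Review bot: The added length check on the `copy_to_user` line comes after the `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines above, so an oversized `ioc->len` has already overrun `statbuf` on the stack (and over-read `lp->pktStats`) by the time it is rejected; the guard needs to run before the memcpy, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;` ahead of the `spin_lock_irqsave`. Unless an earlier check in de4x5_ioctl already bounds `ioc->len` for this case (the function starts outside the hunk), the new check only protects the user-copy step. The equivalent check in the DE4X5_GET_HWADDR hunk above is fine because there the check precedes the only copy that uses `ioc->len`.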
32436 diff -urNp linux-3.0.9/drivers/net/tulip/eeprom.c linux-3.0.9/drivers/net/tulip/eeprom.c
32437 --- linux-3.0.9/drivers/net/tulip/eeprom.c      2011-11-11 13:12:24.000000000 -0500
32438 +++ linux-3.0.9/drivers/net/tulip/eeprom.c      2011-11-15 20:02:59.000000000 -0500
32439 @@ -81,7 +81,7 @@ static struct eeprom_fixup eeprom_fixups
32440    {NULL}};
32441  
32442  
32443 -static const char *block_name[] __devinitdata = {
32444 +static const char *block_name[] __devinitconst = {
32445         "21140 non-MII",
32446         "21140 MII PHY",
32447         "21142 Serial PHY",
32448 diff -urNp linux-3.0.9/drivers/net/tulip/winbond-840.c linux-3.0.9/drivers/net/tulip/winbond-840.c
32449 --- linux-3.0.9/drivers/net/tulip/winbond-840.c 2011-11-11 13:12:24.000000000 -0500
32450 +++ linux-3.0.9/drivers/net/tulip/winbond-840.c 2011-11-15 20:02:59.000000000 -0500
32451 @@ -236,7 +236,7 @@ struct pci_id_info {
32452          int drv_flags;         /* Driver use, intended as capability flags. */
32453  };
32454  
32455 -static const struct pci_id_info pci_id_tbl[] __devinitdata = {
32456 +static const struct pci_id_info pci_id_tbl[] __devinitconst = {
32457         {                               /* Sometime a Level-One switch card. */
32458           "Winbond W89c840",    CanHaveMII | HasBrokenTx | FDXOnNoMII},
32459         { "Winbond W89c840",    CanHaveMII | HasBrokenTx},
32460 diff -urNp linux-3.0.9/drivers/net/usb/hso.c linux-3.0.9/drivers/net/usb/hso.c
32461 --- linux-3.0.9/drivers/net/usb/hso.c   2011-11-11 13:12:24.000000000 -0500
32462 +++ linux-3.0.9/drivers/net/usb/hso.c   2011-11-15 20:02:59.000000000 -0500
32463 @@ -71,7 +71,7 @@
32464  #include <asm/byteorder.h>
32465  #include <linux/serial_core.h>
32466  #include <linux/serial.h>
32467 -
32468 +#include <asm/local.h>
32469  
32470  #define MOD_AUTHOR                     "Option Wireless"
32471  #define MOD_DESCRIPTION                        "USB High Speed Option driver"
32472 @@ -257,7 +257,7 @@ struct hso_serial {
32473  
32474         /* from usb_serial_port */
32475         struct tty_struct *tty;
32476 -       int open_count;
32477 +       local_t open_count;
32478         spinlock_t serial_lock;
32479  
32480         int (*write_data) (struct hso_serial *serial);
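Review bot: `local_t` is documented as a type for per-CPU counters, not for data shared across CPUs, yet `open_count` is incremented and decremented from the tty open/close paths (hso_serial_open, hso_serial_close) and read from URB completion and interrupt callbacks (put_rxbuf_data_and_resubmit_*, hso_std_serial_read_bulk_callback, intr_callback) in the later hunks of this file; `atomic_t` with `atomic_inc_return`/`atomic_dec`/`atomic_read` is the type that carries the cross-CPU guarantee this field needs. The `local_dec`, `local_read(...) <= 0`, `local_set(..., 0)` sequence in the hso_serial_close hunk is still a non-atomic read-modify-write, so the change does not close the race the original `open_count--`/`open_count = 0` already had; a comment above the field naming which lock, if any, is expected to serialise that sequence would help. Minor: `local_set(&serial->open_count,  0)` has a doubled space.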
32481 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
32482         struct urb *urb;
32483  
32484         urb = serial->rx_urb[0];
32485 -       if (serial->open_count > 0) {
32486 +       if (local_read(&serial->open_count) > 0) {
32487                 count = put_rxbuf_data(urb, serial);
32488                 if (count == -1)
32489                         return;
32490 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
32491         DUMP1(urb->transfer_buffer, urb->actual_length);
32492  
32493         /* Anyone listening? */
32494 -       if (serial->open_count == 0)
32495 +       if (local_read(&serial->open_count) == 0)
32496                 return;
32497  
32498         if (status == 0) {
32499 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
32500         spin_unlock_irq(&serial->serial_lock);
32501  
32502         /* check for port already opened, if not set the termios */
32503 -       serial->open_count++;
32504 -       if (serial->open_count == 1) {
32505 +       if (local_inc_return(&serial->open_count) == 1) {
32506                 serial->rx_state = RX_IDLE;
32507                 /* Force default termio settings */
32508                 _hso_serial_set_termios(tty, NULL);
32509 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
32510                 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
32511                 if (result) {
32512                         hso_stop_serial_device(serial->parent);
32513 -                       serial->open_count--;
32514 +                       local_dec(&serial->open_count);
32515                         kref_put(&serial->parent->ref, hso_serial_ref_free);
32516                 }
32517         } else {
32518 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
32519  
32520         /* reset the rts and dtr */
32521         /* do the actual close */
32522 -       serial->open_count--;
32523 +       local_dec(&serial->open_count);
32524  
32525 -       if (serial->open_count <= 0) {
32526 -               serial->open_count = 0;
32527 +       if (local_read(&serial->open_count) <= 0) {
32528 +               local_set(&serial->open_count,  0);
32529                 spin_lock_irq(&serial->serial_lock);
32530                 if (serial->tty == tty) {
32531                         serial->tty->driver_data = NULL;
32532 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
32533  
32534         /* the actual setup */
32535         spin_lock_irqsave(&serial->serial_lock, flags);
32536 -       if (serial->open_count)
32537 +       if (local_read(&serial->open_count))
32538                 _hso_serial_set_termios(tty, old);
32539         else
32540                 tty->termios = old;
32541 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
32542                                 D1("Pending read interrupt on port %d\n", i);
32543                                 spin_lock(&serial->serial_lock);
32544                                 if (serial->rx_state == RX_IDLE &&
32545 -                                       serial->open_count > 0) {
32546 +                                       local_read(&serial->open_count) > 0) {
32547                                         /* Setup and send a ctrl req read on
32548                                          * port i */
32549                                         if (!serial->rx_urb_filled[0]) {
32550 @@ -3098,7 +3097,7 @@ static int hso_resume(struct usb_interfa
32551         /* Start all serial ports */
32552         for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
32553                 if (serial_table[i] && (serial_table[i]->interface == iface)) {
32554 -                       if (dev2ser(serial_table[i])->open_count) {
32555 +                       if (local_read(&dev2ser(serial_table[i])->open_count)) {
32556                                 result =
32557                                     hso_start_serial_device(serial_table[i], GFP_NOIO);
32558                                 hso_kick_transmit(dev2ser(serial_table[i]));
32559 diff -urNp linux-3.0.9/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-3.0.9/drivers/net/vmxnet3/vmxnet3_ethtool.c
32560 --- linux-3.0.9/drivers/net/vmxnet3/vmxnet3_ethtool.c   2011-11-11 13:12:24.000000000 -0500
32561 +++ linux-3.0.9/drivers/net/vmxnet3/vmxnet3_ethtool.c   2011-11-15 20:02:59.000000000 -0500
32562 @@ -594,8 +594,7 @@ vmxnet3_set_rss_indir(struct net_device 
32563                  * Return with error code if any of the queue indices
32564                  * is out of range
32565                  */
32566 -               if (p->ring_index[i] < 0 ||
32567 -                   p->ring_index[i] >= adapter->num_rx_queues)
32568 +               if (p->ring_index[i] >= adapter->num_rx_queues)
32569                         return -EINVAL;
32570         }
32571  
32572 diff -urNp linux-3.0.9/drivers/net/vxge/vxge-config.h linux-3.0.9/drivers/net/vxge/vxge-config.h
32573 --- linux-3.0.9/drivers/net/vxge/vxge-config.h  2011-11-11 13:12:24.000000000 -0500
32574 +++ linux-3.0.9/drivers/net/vxge/vxge-config.h  2011-11-15 20:02:59.000000000 -0500
32575 @@ -512,7 +512,7 @@ struct vxge_hw_uld_cbs {
32576         void (*link_down)(struct __vxge_hw_device *devh);
32577         void (*crit_err)(struct __vxge_hw_device *devh,
32578                         enum vxge_hw_event type, u64 ext_data);
32579 -};
32580 +} __no_const;
32581  
32582  /*
32583   * struct __vxge_hw_blockpool_entry - Block private data structure
32584 diff -urNp linux-3.0.9/drivers/net/vxge/vxge-main.c linux-3.0.9/drivers/net/vxge/vxge-main.c
32585 --- linux-3.0.9/drivers/net/vxge/vxge-main.c    2011-11-11 13:12:24.000000000 -0500
32586 +++ linux-3.0.9/drivers/net/vxge/vxge-main.c    2011-11-15 20:02:59.000000000 -0500
32587 @@ -98,6 +98,8 @@ static inline void VXGE_COMPLETE_VPATH_T
32588         struct sk_buff *completed[NR_SKB_COMPLETED];
32589         int more;
32590  
32591 +       pax_track_stack();
32592 +
32593         do {
32594                 more = 0;
32595                 skb_ptr = completed;
32596 @@ -1920,6 +1922,8 @@ static enum vxge_hw_status vxge_rth_conf
32597         u8 mtable[256] = {0}; /* CPU to vpath mapping  */
32598         int index;
32599  
32600 +       pax_track_stack();
32601 +
32602         /*
32603          * Filling
32604          *      - itable with bucket numbers
32605 diff -urNp linux-3.0.9/drivers/net/vxge/vxge-traffic.h linux-3.0.9/drivers/net/vxge/vxge-traffic.h
32606 --- linux-3.0.9/drivers/net/vxge/vxge-traffic.h 2011-11-11 13:12:24.000000000 -0500
32607 +++ linux-3.0.9/drivers/net/vxge/vxge-traffic.h 2011-11-15 20:02:59.000000000 -0500
32608 @@ -2088,7 +2088,7 @@ struct vxge_hw_mempool_cbs {
32609                         struct vxge_hw_mempool_dma      *dma_object,
32610                         u32                     index,
32611                         u32                     is_last);
32612 -};
32613 +} __no_const;
32614  
32615  #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath)                             \
32616                 ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next)
32617 diff -urNp linux-3.0.9/drivers/net/wan/cycx_x25.c linux-3.0.9/drivers/net/wan/cycx_x25.c
32618 --- linux-3.0.9/drivers/net/wan/cycx_x25.c      2011-11-11 13:12:24.000000000 -0500
32619 +++ linux-3.0.9/drivers/net/wan/cycx_x25.c      2011-11-15 20:02:59.000000000 -0500
32620 @@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
32621         unsigned char hex[1024],
32622                 * phex = hex;
32623  
32624 +       pax_track_stack();
32625 +
32626         if (len >= (sizeof(hex) / 2))
32627                 len = (sizeof(hex) / 2) - 1;
32628  
32629 diff -urNp linux-3.0.9/drivers/net/wan/hdlc_x25.c linux-3.0.9/drivers/net/wan/hdlc_x25.c
32630 --- linux-3.0.9/drivers/net/wan/hdlc_x25.c      2011-11-11 13:12:24.000000000 -0500
32631 +++ linux-3.0.9/drivers/net/wan/hdlc_x25.c      2011-11-15 20:02:59.000000000 -0500
32632 @@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
32633  
32634  static int x25_open(struct net_device *dev)
32635  {
32636 -       struct lapb_register_struct cb;
32637 +       static struct lapb_register_struct cb = {
32638 +               .connect_confirmation = x25_connected,
32639 +               .connect_indication = x25_connected,
32640 +               .disconnect_confirmation = x25_disconnected,
32641 +               .disconnect_indication = x25_disconnected,
32642 +               .data_indication = x25_data_indication,
32643 +               .data_transmit = x25_data_transmit
32644 +       };
32645         int result;
32646  
32647 -       cb.connect_confirmation = x25_connected;
32648 -       cb.connect_indication = x25_connected;
32649 -       cb.disconnect_confirmation = x25_disconnected;
32650 -       cb.disconnect_indication = x25_disconnected;
32651 -       cb.data_indication = x25_data_indication;
32652 -       cb.data_transmit = x25_data_transmit;
32653 -
32654         result = lapb_register(dev, &cb);
32655         if (result != LAPB_OK)
32656                 return result;
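Review bot: With `cb` now `static`, the table could also be `const` so the function pointers land in read-only data, which is the usual reason for lifting such a table off the stack; that requires `lapb_register` to accept a `const struct lapb_register_struct *`, and its prototype is outside the hunk, so confirm before adding the qualifier. A one-line comment above the initializer such as `/* shared by every x25 device; the callbacks are the same for all of them */` would make clear the static is intentional rather than a leftover.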
32657 diff -urNp linux-3.0.9/drivers/net/wimax/i2400m/usb-fw.c linux-3.0.9/drivers/net/wimax/i2400m/usb-fw.c
32658 --- linux-3.0.9/drivers/net/wimax/i2400m/usb-fw.c       2011-11-11 13:12:24.000000000 -0500
32659 +++ linux-3.0.9/drivers/net/wimax/i2400m/usb-fw.c       2011-11-15 20:02:59.000000000 -0500
32660 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
32661         int do_autopm = 1;
32662         DECLARE_COMPLETION_ONSTACK(notif_completion);
32663  
32664 +       pax_track_stack();
32665 +
32666         d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
32667                   i2400m, ack, ack_size);
32668         BUG_ON(_ack == i2400m->bm_ack_buf);
32669 diff -urNp linux-3.0.9/drivers/net/wireless/airo.c linux-3.0.9/drivers/net/wireless/airo.c
32670 --- linux-3.0.9/drivers/net/wireless/airo.c     2011-11-11 13:12:24.000000000 -0500
32671 +++ linux-3.0.9/drivers/net/wireless/airo.c     2011-11-15 20:02:59.000000000 -0500
32672 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
32673         BSSListElement * loop_net;
32674         BSSListElement * tmp_net;
32675  
32676 +       pax_track_stack();
32677 +
32678         /* Blow away current list of scan results */
32679         list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
32680                 list_move_tail (&loop_net->list, &ai->network_free_list);
32681 @@ -3794,6 +3796,8 @@ static u16 setup_card(struct airo_info *
32682         WepKeyRid wkr;
32683         int rc;
32684  
32685 +       pax_track_stack();
32686 +
32687         memset( &mySsid, 0, sizeof( mySsid ) );
32688         kfree (ai->flash);
32689         ai->flash = NULL;
32690 @@ -4753,6 +4757,8 @@ static int proc_stats_rid_open( struct i
32691         __le32 *vals = stats.vals;
32692         int len;
32693  
32694 +       pax_track_stack();
32695 +
32696         if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32697                 return -ENOMEM;
32698         data = file->private_data;
32699 @@ -5476,6 +5482,8 @@ static int proc_BSSList_open( struct ino
32700         /* If doLoseSync is not 1, we won't do a Lose Sync */
32701         int doLoseSync = -1;
32702  
32703 +       pax_track_stack();
32704 +
32705         if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32706                 return -ENOMEM;
32707         data = file->private_data;
32708 @@ -7181,6 +7189,8 @@ static int airo_get_aplist(struct net_de
32709         int i;
32710         int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
32711  
32712 +       pax_track_stack();
32713 +
32714         qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
32715         if (!qual)
32716                 return -ENOMEM;
32717 @@ -7741,6 +7751,8 @@ static void airo_read_wireless_stats(str
32718         CapabilityRid cap_rid;
32719         __le32 *vals = stats_rid.vals;
32720  
32721 +       pax_track_stack();
32722 +
32723         /* Get stats out of the card */
32724         clear_bit(JOB_WSTATS, &local->jobs);
32725         if (local->power.event) {
32726 diff -urNp linux-3.0.9/drivers/net/wireless/ath/ath5k/debug.c linux-3.0.9/drivers/net/wireless/ath/ath5k/debug.c
32727 --- linux-3.0.9/drivers/net/wireless/ath/ath5k/debug.c  2011-11-11 13:12:24.000000000 -0500
32728 +++ linux-3.0.9/drivers/net/wireless/ath/ath5k/debug.c  2011-11-15 20:02:59.000000000 -0500
32729 @@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
32730         unsigned int v;
32731         u64 tsf;
32732  
32733 +       pax_track_stack();
32734 +
32735         v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
32736         len += snprintf(buf+len, sizeof(buf)-len,
32737                 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
32738 @@ -323,6 +325,8 @@ static ssize_t read_file_debug(struct fi
32739         unsigned int len = 0;
32740         unsigned int i;
32741  
32742 +       pax_track_stack();
32743 +
32744         len += snprintf(buf+len, sizeof(buf)-len,
32745                 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
32746  
32747 @@ -384,6 +388,8 @@ static ssize_t read_file_antenna(struct 
32748         unsigned int i;
32749         unsigned int v;
32750  
32751 +       pax_track_stack();
32752 +
32753         len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
32754                 sc->ah->ah_ant_mode);
32755         len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
32756 @@ -494,6 +500,8 @@ static ssize_t read_file_misc(struct fil
32757         unsigned int len = 0;
32758         u32 filt = ath5k_hw_get_rx_filter(sc->ah);
32759  
32760 +       pax_track_stack();
32761 +
32762         len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
32763                         sc->bssidmask);
32764         len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
32765 @@ -550,6 +558,8 @@ static ssize_t read_file_frameerrors(str
32766         unsigned int len = 0;
32767         int i;
32768  
32769 +       pax_track_stack();
32770 +
32771         len += snprintf(buf+len, sizeof(buf)-len,
32772                         "RX\n---------------------\n");
32773         len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
32774 @@ -667,6 +677,8 @@ static ssize_t read_file_ani(struct file
32775         char buf[700];
32776         unsigned int len = 0;
32777  
32778 +       pax_track_stack();
32779 +
32780         len += snprintf(buf+len, sizeof(buf)-len,
32781                         "HW has PHY error counters:\t%s\n",
32782                         sc->ah->ah_capabilities.cap_has_phyerr_counters ?
32783 @@ -827,6 +839,8 @@ static ssize_t read_file_queue(struct fi
32784         struct ath5k_buf *bf, *bf0;
32785         int i, n;
32786  
32787 +       pax_track_stack();
32788 +
32789         len += snprintf(buf+len, sizeof(buf)-len,
32790                         "available txbuffers: %d\n", sc->txbuf_len);
32791  
32792 diff -urNp linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_calib.c
32793 --- linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_calib.c   2011-11-11 13:12:24.000000000 -0500
32794 +++ linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_calib.c   2011-11-15 20:02:59.000000000 -0500
32795 @@ -758,6 +758,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
32796         int i, im, j;
32797         int nmeasurement;
32798  
32799 +       pax_track_stack();
32800 +
32801         for (i = 0; i < AR9300_MAX_CHAINS; i++) {
32802                 if (ah->txchainmask & (1 << i))
32803                         num_chains++;
32804 diff -urNp linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
32805 --- linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_paprd.c   2011-11-11 13:12:24.000000000 -0500
32806 +++ linux-3.0.9/drivers/net/wireless/ath/ath9k/ar9003_paprd.c   2011-11-15 20:02:59.000000000 -0500
32807 @@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
32808         int theta_low_bin = 0;
32809         int i;
32810  
32811 +       pax_track_stack();
32812 +
32813         /* disregard any bin that contains <= 16 samples */
32814         thresh_accum_cnt = 16;
32815         scale_factor = 5;
32816 diff -urNp linux-3.0.9/drivers/net/wireless/ath/ath9k/debug.c linux-3.0.9/drivers/net/wireless/ath/ath9k/debug.c
32817 --- linux-3.0.9/drivers/net/wireless/ath/ath9k/debug.c  2011-11-11 13:12:24.000000000 -0500
32818 +++ linux-3.0.9/drivers/net/wireless/ath/ath9k/debug.c  2011-11-15 20:02:59.000000000 -0500
32819 @@ -337,6 +337,8 @@ static ssize_t read_file_interrupt(struc
32820         char buf[512];
32821         unsigned int len = 0;
32822  
32823 +       pax_track_stack();
32824 +
32825         if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
32826                 len += snprintf(buf + len, sizeof(buf) - len,
32827                         "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
32828 @@ -427,6 +429,8 @@ static ssize_t read_file_wiphy(struct fi
32829         u8 addr[ETH_ALEN];
32830         u32 tmp;
32831  
32832 +       pax_track_stack();
32833 +
32834         len += snprintf(buf + len, sizeof(buf) - len,
32835                         "%s (chan=%d  center-freq: %d MHz  channel-type: %d (%s))\n",
32836                         wiphy_name(sc->hw->wiphy),
32837 diff -urNp linux-3.0.9/drivers/net/wireless/ath/ath9k/htc_drv_debug.c linux-3.0.9/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
32838 --- linux-3.0.9/drivers/net/wireless/ath/ath9k/htc_drv_debug.c  2011-11-11 13:12:24.000000000 -0500
32839 +++ linux-3.0.9/drivers/net/wireless/ath/ath9k/htc_drv_debug.c  2011-11-15 20:02:59.000000000 -0500
32840 @@ -31,6 +31,8 @@ static ssize_t read_file_tgt_int_stats(s
32841         unsigned int len = 0;
32842         int ret = 0;
32843  
32844 +       pax_track_stack();
32845 +
32846         memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32847  
32848         ath9k_htc_ps_wakeup(priv);
32849 @@ -89,6 +91,8 @@ static ssize_t read_file_tgt_tx_stats(st
32850         unsigned int len = 0;
32851         int ret = 0;
32852  
32853 +       pax_track_stack();
32854 +
32855         memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32856  
32857         ath9k_htc_ps_wakeup(priv);
32858 @@ -159,6 +163,8 @@ static ssize_t read_file_tgt_rx_stats(st
32859         unsigned int len = 0;
32860         int ret = 0;
32861  
32862 +       pax_track_stack();
32863 +
32864         memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32865  
32866         ath9k_htc_ps_wakeup(priv);
32867 @@ -203,6 +209,8 @@ static ssize_t read_file_xmit(struct fil
32868         char buf[512];
32869         unsigned int len = 0;
32870  
32871 +       pax_track_stack();
32872 +
32873         len += snprintf(buf + len, sizeof(buf) - len,
32874                         "%20s : %10u\n", "Buffers queued",
32875                         priv->debug.tx_stats.buf_queued);
32876 @@ -376,6 +384,8 @@ static ssize_t read_file_slot(struct fil
32877         char buf[512];
32878         unsigned int len = 0;
32879  
32880 +       pax_track_stack();
32881 +
32882         spin_lock_bh(&priv->tx.tx_lock);
32883  
32884         len += snprintf(buf + len, sizeof(buf) - len, "TX slot bitmap : ");
32885 @@ -411,6 +421,8 @@ static ssize_t read_file_queue(struct fi
32886         char buf[512];
32887         unsigned int len = 0;
32888  
32889 +       pax_track_stack();
32890 +
32891         len += snprintf(buf + len, sizeof(buf) - len, "%20s : %10u\n",
32892                         "Mgmt endpoint", skb_queue_len(&priv->tx.mgmt_ep_queue));
32893  
32894 diff -urNp linux-3.0.9/drivers/net/wireless/ath/ath9k/hw.h linux-3.0.9/drivers/net/wireless/ath/ath9k/hw.h
32895 --- linux-3.0.9/drivers/net/wireless/ath/ath9k/hw.h     2011-11-11 13:12:24.000000000 -0500
32896 +++ linux-3.0.9/drivers/net/wireless/ath/ath9k/hw.h     2011-11-15 20:02:59.000000000 -0500
32897 @@ -585,7 +585,7 @@ struct ath_hw_private_ops {
32898  
32899         /* ANI */
32900         void (*ani_cache_ini_regs)(struct ath_hw *ah);
32901 -};
32902 +} __no_const;
32903  
32904  /**
32905   * struct ath_hw_ops - callbacks used by hardware code and driver code
32906 @@ -637,7 +637,7 @@ struct ath_hw_ops {
32907         void (*antdiv_comb_conf_set)(struct ath_hw *ah,
32908                         struct ath_hw_antcomb_conf *antconf);
32909  
32910 -};
32911 +} __no_const;
32912  
32913  struct ath_nf_limits {
32914         s16 max;
32915 @@ -650,7 +650,7 @@ struct ath_nf_limits {
32916  #define AH_UNPLUGGED    0x2 /* The card has been physically removed. */
32917  
32918  struct ath_hw {
32919 -       struct ath_ops reg_ops;
32920 +       ath_ops_no_const reg_ops;
32921  
32922         struct ieee80211_hw *hw;
32923         struct ath_common common;
32924 diff -urNp linux-3.0.9/drivers/net/wireless/ath/ath.h linux-3.0.9/drivers/net/wireless/ath/ath.h
32925 --- linux-3.0.9/drivers/net/wireless/ath/ath.h  2011-11-11 13:12:24.000000000 -0500
32926 +++ linux-3.0.9/drivers/net/wireless/ath/ath.h  2011-11-15 20:02:59.000000000 -0500
32927 @@ -121,6 +121,7 @@ struct ath_ops {
32928         void (*write_flush) (void *);
32929         u32 (*rmw)(void *, u32 reg_offset, u32 set, u32 clr);
32930  };
32931 +typedef struct ath_ops __no_const ath_ops_no_const;
32932  
32933  struct ath_common;
32934  struct ath_bus_ops;
32935 diff -urNp linux-3.0.9/drivers/net/wireless/ipw2x00/ipw2100.c linux-3.0.9/drivers/net/wireless/ipw2x00/ipw2100.c
32936 --- linux-3.0.9/drivers/net/wireless/ipw2x00/ipw2100.c  2011-11-11 13:12:24.000000000 -0500
32937 +++ linux-3.0.9/drivers/net/wireless/ipw2x00/ipw2100.c  2011-11-15 20:02:59.000000000 -0500
32938 @@ -2100,6 +2100,8 @@ static int ipw2100_set_essid(struct ipw2
32939         int err;
32940         DECLARE_SSID_BUF(ssid);
32941  
32942 +       pax_track_stack();
32943 +
32944         IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
32945  
32946         if (ssid_len)
32947 @@ -5449,6 +5451,8 @@ static int ipw2100_set_key(struct ipw210
32948         struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
32949         int err;
32950  
32951 +       pax_track_stack();
32952 +
32953         IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
32954                      idx, keylen, len);
32955  
32956 diff -urNp linux-3.0.9/drivers/net/wireless/ipw2x00/libipw_rx.c linux-3.0.9/drivers/net/wireless/ipw2x00/libipw_rx.c
32957 --- linux-3.0.9/drivers/net/wireless/ipw2x00/libipw_rx.c        2011-11-11 13:12:24.000000000 -0500
32958 +++ linux-3.0.9/drivers/net/wireless/ipw2x00/libipw_rx.c        2011-11-15 20:02:59.000000000 -0500
32959 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
32960         unsigned long flags;
32961         DECLARE_SSID_BUF(ssid);
32962  
32963 +       pax_track_stack();
32964 +
32965         LIBIPW_DEBUG_SCAN("'%s' (%pM"
32966                      "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
32967                      print_ssid(ssid, info_element->data, info_element->len),
32968 diff -urNp linux-3.0.9/drivers/net/wireless/iwlegacy/iwl3945-base.c linux-3.0.9/drivers/net/wireless/iwlegacy/iwl3945-base.c
32969 --- linux-3.0.9/drivers/net/wireless/iwlegacy/iwl3945-base.c    2011-11-11 13:12:24.000000000 -0500
32970 +++ linux-3.0.9/drivers/net/wireless/iwlegacy/iwl3945-base.c    2011-11-15 20:02:59.000000000 -0500
32971 @@ -3962,7 +3962,9 @@ static int iwl3945_pci_probe(struct pci_
32972          */
32973         if (iwl3945_mod_params.disable_hw_scan) {
32974                 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
32975 -               iwl3945_hw_ops.hw_scan = NULL;
32976 +               pax_open_kernel();
32977 +               *(void **)&iwl3945_hw_ops.hw_scan = NULL;
32978 +               pax_close_kernel();
32979         }
32980  
32981         IWL_DEBUG_INFO(priv, "*** LOAD DRIVER ***\n");
32982 diff -urNp linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
32983 --- linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-agn-rs.c       2011-11-11 13:12:24.000000000 -0500
32984 +++ linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-agn-rs.c       2011-11-15 20:02:59.000000000 -0500
32985 @@ -910,6 +910,8 @@ static void rs_tx_status(void *priv_r, s
32986         struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
32987         struct iwl_rxon_context *ctx = sta_priv->common.ctx;
32988  
32989 +       pax_track_stack();
32990 +
32991         IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
32992  
32993         /* Treat uninitialized rate scaling data same as non-existing. */
32994 @@ -2918,6 +2920,8 @@ static void rs_fill_link_cmd(struct iwl_
32995                 container_of(lq_sta, struct iwl_station_priv, lq_sta);
32996         struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
32997  
32998 +       pax_track_stack();
32999 +
33000         /* Override starting rate (index 0) if needed for debug purposes */
33001         rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
33002  
33003 diff -urNp linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debugfs.c
33004 --- linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debugfs.c      2011-11-11 13:12:24.000000000 -0500
33005 +++ linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debugfs.c      2011-11-15 20:02:59.000000000 -0500
33006 @@ -548,6 +548,8 @@ static ssize_t iwl_dbgfs_status_read(str
33007         int pos = 0;
33008         const size_t bufsz = sizeof(buf);
33009  
33010 +       pax_track_stack();
33011 +
33012         pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
33013                 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
33014         pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
33015 @@ -680,6 +682,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
33016         char buf[256 * NUM_IWL_RXON_CTX];
33017         const size_t bufsz = sizeof(buf);
33018  
33019 +       pax_track_stack();
33020 +
33021         for_each_context(priv, ctx) {
33022                 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
33023                                  ctx->ctxid);
33024 diff -urNp linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debug.h linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debug.h
33025 --- linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debug.h        2011-11-11 13:12:24.000000000 -0500
33026 +++ linux-3.0.9/drivers/net/wireless/iwlwifi/iwl-debug.h        2011-11-15 20:02:59.000000000 -0500
33027 @@ -68,8 +68,8 @@ do {                                    
33028  } while (0)
33029  
33030  #else
33031 -#define IWL_DEBUG(__priv, level, fmt, args...)
33032 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
33033 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
33034 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
33035  static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
33036                                       const void *p, u32 len)
33037  {}
33038 diff -urNp linux-3.0.9/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-3.0.9/drivers/net/wireless/iwmc3200wifi/debugfs.c
33039 --- linux-3.0.9/drivers/net/wireless/iwmc3200wifi/debugfs.c     2011-11-11 13:12:24.000000000 -0500
33040 +++ linux-3.0.9/drivers/net/wireless/iwmc3200wifi/debugfs.c     2011-11-15 20:02:59.000000000 -0500
33041 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
33042         int buf_len = 512;
33043         size_t len = 0;
33044  
33045 +       pax_track_stack();
33046 +
33047         if (*ppos != 0)
33048                 return 0;
33049         if (count < sizeof(buf))
33050 diff -urNp linux-3.0.9/drivers/net/wireless/mac80211_hwsim.c linux-3.0.9/drivers/net/wireless/mac80211_hwsim.c
33051 --- linux-3.0.9/drivers/net/wireless/mac80211_hwsim.c   2011-11-11 13:12:24.000000000 -0500
33052 +++ linux-3.0.9/drivers/net/wireless/mac80211_hwsim.c   2011-11-15 20:02:59.000000000 -0500
33053 @@ -1260,9 +1260,11 @@ static int __init init_mac80211_hwsim(vo
33054                 return -EINVAL;
33055  
33056         if (fake_hw_scan) {
33057 -               mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
33058 -               mac80211_hwsim_ops.sw_scan_start = NULL;
33059 -               mac80211_hwsim_ops.sw_scan_complete = NULL;
33060 +               pax_open_kernel();
33061 +               *(void **)&mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
33062 +               *(void **)&mac80211_hwsim_ops.sw_scan_start = NULL;
33063 +               *(void **)&mac80211_hwsim_ops.sw_scan_complete = NULL;
33064 +               pax_close_kernel();
33065         }
33066  
33067         spin_lock_init(&hwsim_radio_lock);
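Review bot: The `*(void **)&mac80211_hwsim_ops.hw_scan = …` stores at lines 33064–33066 cast away whatever qualifier the ops structure carries, and nothing in the hunk says why a plain assignment no longer works; a reader who later "cleans up" the cast will get a compile error or, with KERNEXEC, a write fault at init. The declaration of mac80211_hwsim_ops is outside the hunk, so the exact qualifier (presumably const/constified) is inferred rather than visible. A one-line comment above the open call would record the contract, e.g. `/* mac80211_hwsim_ops is expected to be read-only; the cast plus the pax_open_kernel() window are required for these init-time stores */`.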
33068 diff -urNp linux-3.0.9/drivers/net/wireless/rndis_wlan.c linux-3.0.9/drivers/net/wireless/rndis_wlan.c
33069 --- linux-3.0.9/drivers/net/wireless/rndis_wlan.c       2011-11-11 13:12:24.000000000 -0500
33070 +++ linux-3.0.9/drivers/net/wireless/rndis_wlan.c       2011-11-15 20:02:59.000000000 -0500
33071 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
33072  
33073         netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
33074  
33075 -       if (rts_threshold < 0 || rts_threshold > 2347)
33076 +       if (rts_threshold > 2347)
33077                 rts_threshold = 2347;
33078  
33079         tmp = cpu_to_le32(rts_threshold);
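Review bot: Dropping `rts_threshold < 0` at line 33079 is only a no-op if the parameter is unsigned; the signature is cut off in the hunk header (`set_rts_threshold(struct usbn…`), so that is inferred, not visible. Once the test is gone, the remaining comparison silently clamps any oversized value to 2347 rather than rejecting it, and a future reader may re-add the dead check. A short comment would settle both points: `/* rts_threshold is unsigned: values above 2347 are clamped, not rejected */`.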
33080 diff -urNp linux-3.0.9/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-3.0.9/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
33081 --- linux-3.0.9/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c      2011-11-11 13:12:24.000000000 -0500
33082 +++ linux-3.0.9/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c      2011-11-15 20:02:59.000000000 -0500
33083 @@ -837,6 +837,8 @@ bool _rtl92c_phy_sw_chnl_step_by_step(st
33084         u8 rfpath;
33085         u8 num_total_rfpath = rtlphy->num_total_rfpath;
33086  
33087 +       pax_track_stack();
33088 +
33089         precommoncmdcnt = 0;
33090         _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
33091                                          MAX_PRECMD_CNT,
33092 diff -urNp linux-3.0.9/drivers/net/wireless/wl1251/wl1251.h linux-3.0.9/drivers/net/wireless/wl1251/wl1251.h
33093 --- linux-3.0.9/drivers/net/wireless/wl1251/wl1251.h    2011-11-11 13:12:24.000000000 -0500
33094 +++ linux-3.0.9/drivers/net/wireless/wl1251/wl1251.h    2011-11-15 20:02:59.000000000 -0500
33095 @@ -266,7 +266,7 @@ struct wl1251_if_operations {
33096         void (*reset)(struct wl1251 *wl);
33097         void (*enable_irq)(struct wl1251 *wl);
33098         void (*disable_irq)(struct wl1251 *wl);
33099 -};
33100 +} __no_const;
33101  
33102  struct wl1251 {
33103         struct ieee80211_hw *hw;
33104 diff -urNp linux-3.0.9/drivers/net/wireless/wl12xx/spi.c linux-3.0.9/drivers/net/wireless/wl12xx/spi.c
33105 --- linux-3.0.9/drivers/net/wireless/wl12xx/spi.c       2011-11-11 13:12:24.000000000 -0500
33106 +++ linux-3.0.9/drivers/net/wireless/wl12xx/spi.c       2011-11-15 20:02:59.000000000 -0500
33107 @@ -280,6 +280,8 @@ static void wl1271_spi_raw_write(struct 
33108         u32 chunk_len;
33109         int i;
33110  
33111 +       pax_track_stack();
33112 +
33113         WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
33114  
33115         spi_message_init(&m);
33116 diff -urNp linux-3.0.9/drivers/oprofile/buffer_sync.c linux-3.0.9/drivers/oprofile/buffer_sync.c
33117 --- linux-3.0.9/drivers/oprofile/buffer_sync.c  2011-11-11 13:12:24.000000000 -0500
33118 +++ linux-3.0.9/drivers/oprofile/buffer_sync.c  2011-11-15 20:02:59.000000000 -0500
33119 @@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
33120                 if (cookie == NO_COOKIE)
33121                         offset = pc;
33122                 if (cookie == INVALID_COOKIE) {
33123 -                       atomic_inc(&oprofile_stats.sample_lost_no_mapping);
33124 +                       atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
33125                         offset = pc;
33126                 }
33127                 if (cookie != last_cookie) {
33128 @@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct 
33129         /* add userspace sample */
33130  
33131         if (!mm) {
33132 -               atomic_inc(&oprofile_stats.sample_lost_no_mm);
33133 +               atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
33134                 return 0;
33135         }
33136  
33137         cookie = lookup_dcookie(mm, s->eip, &offset);
33138  
33139         if (cookie == INVALID_COOKIE) {
33140 -               atomic_inc(&oprofile_stats.sample_lost_no_mapping);
33141 +               atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
33142                 return 0;
33143         }
33144  
33145 @@ -563,7 +563,7 @@ void sync_buffer(int cpu)
33146                 /* ignore backtraces if failed to add a sample */
33147                 if (state == sb_bt_start) {
33148                         state = sb_bt_ignore;
33149 -                       atomic_inc(&oprofile_stats.bt_lost_no_mapping);
33150 +                       atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
33151                 }
33152         }
33153         release_mm(mm);
33154 diff -urNp linux-3.0.9/drivers/oprofile/event_buffer.c linux-3.0.9/drivers/oprofile/event_buffer.c
33155 --- linux-3.0.9/drivers/oprofile/event_buffer.c 2011-11-11 13:12:24.000000000 -0500
33156 +++ linux-3.0.9/drivers/oprofile/event_buffer.c 2011-11-15 20:02:59.000000000 -0500
33157 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
33158         }
33159  
33160         if (buffer_pos == buffer_size) {
33161 -               atomic_inc(&oprofile_stats.event_lost_overflow);
33162 +               atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
33163                 return;
33164         }
33165  
33166 diff -urNp linux-3.0.9/drivers/oprofile/oprof.c linux-3.0.9/drivers/oprofile/oprof.c
33167 --- linux-3.0.9/drivers/oprofile/oprof.c        2011-11-11 13:12:24.000000000 -0500
33168 +++ linux-3.0.9/drivers/oprofile/oprof.c        2011-11-15 20:02:59.000000000 -0500
33169 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
33170         if (oprofile_ops.switch_events())
33171                 return;
33172  
33173 -       atomic_inc(&oprofile_stats.multiplex_counter);
33174 +       atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
33175         start_switch_worker();
33176  }
33177  
33178 diff -urNp linux-3.0.9/drivers/oprofile/oprofilefs.c linux-3.0.9/drivers/oprofile/oprofilefs.c
33179 --- linux-3.0.9/drivers/oprofile/oprofilefs.c   2011-11-11 13:12:24.000000000 -0500
33180 +++ linux-3.0.9/drivers/oprofile/oprofilefs.c   2011-11-15 20:02:59.000000000 -0500
33181 @@ -186,7 +186,7 @@ static const struct file_operations atom
33182  
33183  
33184  int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
33185 -       char const *name, atomic_t *val)
33186 +       char const *name, atomic_unchecked_t *val)
33187  {
33188         return __oprofilefs_create_file(sb, root, name,
33189                                         &atomic_ro_fops, 0444, val);
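Review bot: The new `atomic_unchecked_t *val` parameter is handed to `__oprofilefs_create_file` as an untyped pointer (lines 33191–33192), so the type change is enforced only at the callers and not at the read handler behind `atomic_ro_fops`, which is outside this hunk; if that handler still dereferences `private_data` as `atomic_t *`, the two sides disagree while compiling cleanly. Confirm the reader uses the matching unchecked accessor, and consider documenting the intent on the prototype, `/* val is an atomic_unchecked_t: these are statistics counters, not refcounts, so overflow checking is deliberately off */`.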
33190 diff -urNp linux-3.0.9/drivers/oprofile/oprofile_stats.c linux-3.0.9/drivers/oprofile/oprofile_stats.c
33191 --- linux-3.0.9/drivers/oprofile/oprofile_stats.c       2011-11-11 13:12:24.000000000 -0500
33192 +++ linux-3.0.9/drivers/oprofile/oprofile_stats.c       2011-11-15 20:02:59.000000000 -0500
33193 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
33194                 cpu_buf->sample_invalid_eip = 0;
33195         }
33196  
33197 -       atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
33198 -       atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
33199 -       atomic_set(&oprofile_stats.event_lost_overflow, 0);
33200 -       atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
33201 -       atomic_set(&oprofile_stats.multiplex_counter, 0);
33202 +       atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
33203 +       atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
33204 +       atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
33205 +       atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
33206 +       atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
33207  }
33208  
33209  
33210 diff -urNp linux-3.0.9/drivers/oprofile/oprofile_stats.h linux-3.0.9/drivers/oprofile/oprofile_stats.h
33211 --- linux-3.0.9/drivers/oprofile/oprofile_stats.h       2011-11-11 13:12:24.000000000 -0500
33212 +++ linux-3.0.9/drivers/oprofile/oprofile_stats.h       2011-11-15 20:02:59.000000000 -0500
33213 @@ -13,11 +13,11 @@
33214  #include <asm/atomic.h>
33215  
33216  struct oprofile_stat_struct {
33217 -       atomic_t sample_lost_no_mm;
33218 -       atomic_t sample_lost_no_mapping;
33219 -       atomic_t bt_lost_no_mapping;
33220 -       atomic_t event_lost_overflow;
33221 -       atomic_t multiplex_counter;
33222 +       atomic_unchecked_t sample_lost_no_mm;
33223 +       atomic_unchecked_t sample_lost_no_mapping;
33224 +       atomic_unchecked_t bt_lost_no_mapping;
33225 +       atomic_unchecked_t event_lost_overflow;
33226 +       atomic_unchecked_t multiplex_counter;
33227  };
33228  
33229  extern struct oprofile_stat_struct oprofile_stats;
33230 diff -urNp linux-3.0.9/drivers/parport/procfs.c linux-3.0.9/drivers/parport/procfs.c
33231 --- linux-3.0.9/drivers/parport/procfs.c        2011-11-11 13:12:24.000000000 -0500
33232 +++ linux-3.0.9/drivers/parport/procfs.c        2011-11-15 20:02:59.000000000 -0500
33233 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
33234  
33235         *ppos += len;
33236  
33237 -       return copy_to_user(result, buffer, len) ? -EFAULT : 0;
33238 +       return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
33239  }
33240  
33241  #ifdef CONFIG_PARPORT_1284
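Review bot: The added `len > sizeof buffer` guard at line 33241 runs after `*ppos += len` on line 33238, so a request it rejects with -EFAULT still advances the file position (and whatever `*lenp` was set to earlier, outside the hunk, is left in place). Checking the length before touching `*ppos` keeps the error path side-effect free: `if (len > sizeof buffer) return -EFAULT;` placed above `*ppos += len;`, leaving the return as the plain `copy_to_user` test. The sizeof comparison assumes `buffer` is a local array rather than a pointer; its declaration is outside the hunk.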
33242 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
33243  
33244         *ppos += len;
33245  
33246 -       return copy_to_user (result, buffer, len) ? -EFAULT : 0;
33247 +       return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
33248  }
33249  #endif /* IEEE1284.3 support. */
33250  
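Review bot: Same ordering issue as in do_active_device: the `len > sizeof buffer` check at line 33250 is evaluated after `*ppos += len` on line 33247, so the rejected path has already advanced the position. Move the length test ahead of the position update, `if (len > sizeof buffer) return -EFAULT;`, and keep `copy_to_user (result, buffer, len) ? -EFAULT : 0` as the final return; the declaration of `buffer` and the earlier `*lenp` handling are outside the hunk.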
33251 diff -urNp linux-3.0.9/drivers/pci/hotplug/cpci_hotplug.h linux-3.0.9/drivers/pci/hotplug/cpci_hotplug.h
33252 --- linux-3.0.9/drivers/pci/hotplug/cpci_hotplug.h      2011-11-11 13:12:24.000000000 -0500
33253 +++ linux-3.0.9/drivers/pci/hotplug/cpci_hotplug.h      2011-11-15 20:02:59.000000000 -0500
33254 @@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
33255         int (*hardware_test) (struct slot* slot, u32 value);
33256         u8  (*get_power) (struct slot* slot);
33257         int (*set_power) (struct slot* slot, int value);
33258 -};
33259 +} __no_const;
33260  
33261  struct cpci_hp_controller {
33262         unsigned int irq;
33263 diff -urNp linux-3.0.9/drivers/pci/hotplug/cpqphp_nvram.c linux-3.0.9/drivers/pci/hotplug/cpqphp_nvram.c
33264 --- linux-3.0.9/drivers/pci/hotplug/cpqphp_nvram.c      2011-11-11 13:12:24.000000000 -0500
33265 +++ linux-3.0.9/drivers/pci/hotplug/cpqphp_nvram.c      2011-11-15 20:02:59.000000000 -0500
33266 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
33267  
33268  void compaq_nvram_init (void __iomem *rom_start)
33269  {
33270 +
33271 +#ifndef CONFIG_PAX_KERNEXEC
33272         if (rom_start) {
33273                 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
33274         }
33275 +#endif
33276 +
33277         dbg("int15 entry  = %p\n", compaq_int15_entry_point);
33278  
33279         /* initialize our int15 lock */
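Review bot: With CONFIG_PAX_KERNEXEC the `if (rom_start)` block is compiled out, so `compaq_int15_entry_point` is never assigned and the dbg() on line 33280 just prints its initial value, yet the hunk carries no comment on why the BIOS entry is being disabled or what the callers of that pointer do when it is unset. The code that issues the int15 far call is outside the hunk, so whether it checks for a NULL entry point first is not verifiable here and should be confirmed before relying on it. A comment above `#ifndef CONFIG_PAX_KERNEXEC` would record the intent, e.g. `/* KERNEXEC: calling into the option ROM is not permitted, so leave the int15 entry point unset; callers must tolerate NULL */`.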
33280 diff -urNp linux-3.0.9/drivers/pci/pcie/aspm.c linux-3.0.9/drivers/pci/pcie/aspm.c
33281 --- linux-3.0.9/drivers/pci/pcie/aspm.c 2011-11-11 13:12:24.000000000 -0500
33282 +++ linux-3.0.9/drivers/pci/pcie/aspm.c 2011-11-15 20:02:59.000000000 -0500
33283 @@ -27,9 +27,9 @@
33284  #define MODULE_PARAM_PREFIX "pcie_aspm."
33285  
33286  /* Note: those are not register definitions */
33287 -#define ASPM_STATE_L0S_UP      (1)     /* Upstream direction L0s state */
33288 -#define ASPM_STATE_L0S_DW      (2)     /* Downstream direction L0s state */
33289 -#define ASPM_STATE_L1          (4)     /* L1 state */
33290 +#define ASPM_STATE_L0S_UP      (1U)    /* Upstream direction L0s state */
33291 +#define ASPM_STATE_L0S_DW      (2U)    /* Downstream direction L0s state */
33292 +#define ASPM_STATE_L1          (4U)    /* L1 state */
33293  #define ASPM_STATE_L0S         (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
33294  #define ASPM_STATE_ALL         (ASPM_STATE_L0S | ASPM_STATE_L1)
33295  
33296 diff -urNp linux-3.0.9/drivers/pci/probe.c linux-3.0.9/drivers/pci/probe.c
33297 --- linux-3.0.9/drivers/pci/probe.c     2011-11-11 13:12:24.000000000 -0500
33298 +++ linux-3.0.9/drivers/pci/probe.c     2011-11-15 20:02:59.000000000 -0500
33299 @@ -129,7 +129,7 @@ int __pci_read_base(struct pci_dev *dev,
33300         u32 l, sz, mask;
33301         u16 orig_cmd;
33302  
33303 -       mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
33304 +       mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
33305  
33306         if (!dev->mmio_always_on) {
33307                 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
33308 diff -urNp linux-3.0.9/drivers/pci/proc.c linux-3.0.9/drivers/pci/proc.c
33309 --- linux-3.0.9/drivers/pci/proc.c      2011-11-11 13:12:24.000000000 -0500
33310 +++ linux-3.0.9/drivers/pci/proc.c      2011-11-15 20:02:59.000000000 -0500
33311 @@ -476,7 +476,16 @@ static const struct file_operations proc
33312  static int __init pci_proc_init(void)
33313  {
33314         struct pci_dev *dev = NULL;
33315 +
33316 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33317 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33318 +       proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
33319 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33320 +       proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33321 +#endif
33322 +#else
33323         proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
33324 +#endif
33325         proc_create("devices", 0, proc_bus_pci_dir,
33326                     &proc_bus_pci_dev_operations);
33327         proc_initialized = 1;
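Review bot: Inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD` (lines 33319–33324) only the PROC_USER and PROC_USERGROUP branches assign `proc_bus_pci_dir`; if neither is defined the variable keeps its initial value and the following `proc_create("devices", 0, proc_bus_pci_dir, …)` is handed a NULL parent, which would place the entry directly under /proc where `devices` already exists. Whether Kconfig guarantees one of the two options whenever PROC_ADD is set cannot be seen here, so the ladder should fail loudly rather than silently: add `#else` and `#error "CONFIG_GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` before the inner `#endif`.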
33328 diff -urNp linux-3.0.9/drivers/pci/xen-pcifront.c linux-3.0.9/drivers/pci/xen-pcifront.c
33329 --- linux-3.0.9/drivers/pci/xen-pcifront.c      2011-11-11 13:12:24.000000000 -0500
33330 +++ linux-3.0.9/drivers/pci/xen-pcifront.c      2011-11-15 20:02:59.000000000 -0500
33331 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
33332         struct pcifront_sd *sd = bus->sysdata;
33333         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33334  
33335 +       pax_track_stack();
33336 +
33337         if (verbose_request)
33338                 dev_info(&pdev->xdev->dev,
33339                          "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
33340 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
33341         struct pcifront_sd *sd = bus->sysdata;
33342         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33343  
33344 +       pax_track_stack();
33345 +
33346         if (verbose_request)
33347                 dev_info(&pdev->xdev->dev,
33348                          "write dev=%04x:%02x:%02x.%01x - "
33349 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
33350         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33351         struct msi_desc *entry;
33352  
33353 +       pax_track_stack();
33354 +
33355         if (nvec > SH_INFO_MAX_VEC) {
33356                 dev_err(&dev->dev, "too much vector for pci frontend: %x."
33357                                    " Increase SH_INFO_MAX_VEC.\n", nvec);
33358 @@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
33359         struct pcifront_sd *sd = dev->bus->sysdata;
33360         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33361  
33362 +       pax_track_stack();
33363 +
33364         err = do_pci_op(pdev, &op);
33365  
33366         /* What should do for error ? */
33367 @@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
33368         struct pcifront_sd *sd = dev->bus->sysdata;
33369         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33370  
33371 +       pax_track_stack();
33372 +
33373         err = do_pci_op(pdev, &op);
33374         if (likely(!err)) {
33375                 vector[0] = op.value;
33376 diff -urNp linux-3.0.9/drivers/platform/x86/thinkpad_acpi.c linux-3.0.9/drivers/platform/x86/thinkpad_acpi.c
33377 --- linux-3.0.9/drivers/platform/x86/thinkpad_acpi.c    2011-11-11 13:12:24.000000000 -0500
33378 +++ linux-3.0.9/drivers/platform/x86/thinkpad_acpi.c    2011-11-15 20:02:59.000000000 -0500
33379 @@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void)
33380         return 0;
33381  }
33382  
33383 -void static hotkey_mask_warn_incomplete_mask(void)
33384 +static void hotkey_mask_warn_incomplete_mask(void)
33385  {
33386         /* log only what the user can fix... */
33387         const u32 wantedmask = hotkey_driver_mask &
33388 diff -urNp linux-3.0.9/drivers/pnp/pnpbios/bioscalls.c linux-3.0.9/drivers/pnp/pnpbios/bioscalls.c
33389 --- linux-3.0.9/drivers/pnp/pnpbios/bioscalls.c 2011-11-11 13:12:24.000000000 -0500
33390 +++ linux-3.0.9/drivers/pnp/pnpbios/bioscalls.c 2011-11-15 20:02:59.000000000 -0500
33391 @@ -59,7 +59,7 @@ do { \
33392         set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
33393  } while(0)
33394  
33395 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
33396 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
33397                         (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
33398  
33399  /*
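Review bot: The GDT type byte of `bad_bios_desc` changes from 0x4092 to 0x4093 along with the `const` at line 33399, and nothing in the hunk explains it; the differing low bit is the descriptor's accessed flag, and presetting it is presumably what stops the CPU from writing the entry back into a GDT that is read-only under KERNEXEC. That reasoning is inferred from the flag encoding, not from anything visible, so it belongs next to the initializer, e.g. `/* 0x4093 = 0x4092 with the accessed bit preset, so the CPU never writes this entry into a read-only GDT */`.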
33400 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
33401  
33402         cpu = get_cpu();
33403         save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
33404 +
33405 +       pax_open_kernel();
33406         get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
33407 +       pax_close_kernel();
33408  
33409         /* On some boxes IRQ's during PnP BIOS calls are deadly.  */
33410         spin_lock_irqsave(&pnp_bios_lock, flags);
33411 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
33412                              :"memory");
33413         spin_unlock_irqrestore(&pnp_bios_lock, flags);
33414  
33415 +       pax_open_kernel();
33416         get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
33417 +       pax_close_kernel();
33418 +
33419         put_cpu();
33420  
33421         /* If we get here and this is set then the PnP BIOS faulted on us. */
33422 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
33423         return status;
33424  }
33425  
33426 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
33427 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
33428  {
33429         int i;
33430  
33431 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
33432         pnp_bios_callpoint.offset = header->fields.pm16offset;
33433         pnp_bios_callpoint.segment = PNP_CS16;
33434  
33435 +       pax_open_kernel();
33436 +
33437         for_each_possible_cpu(i) {
33438                 struct desc_struct *gdt = get_cpu_gdt_table(i);
33439                 if (!gdt)
33440 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
33441                 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
33442                          (unsigned long)__va(header->fields.pm16dseg));
33443         }
33444 +
33445 +       pax_close_kernel();
33446  }
33447 diff -urNp linux-3.0.9/drivers/pnp/resource.c linux-3.0.9/drivers/pnp/resource.c
33448 --- linux-3.0.9/drivers/pnp/resource.c  2011-11-11 13:12:24.000000000 -0500
33449 +++ linux-3.0.9/drivers/pnp/resource.c  2011-11-15 20:02:59.000000000 -0500
33450 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
33451                 return 1;
33452  
33453         /* check if the resource is valid */
33454 -       if (*irq < 0 || *irq > 15)
33455 +       if (*irq > 15)
33456                 return 0;
33457  
33458         /* check if the resource is reserved */
33459 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
33460                 return 1;
33461  
33462         /* check if the resource is valid */
33463 -       if (*dma < 0 || *dma == 4 || *dma > 7)
33464 +       if (*dma == 4 || *dma > 7)
33465                 return 0;
33466  
33467         /* check if the resource is reserved */
33468 diff -urNp linux-3.0.9/drivers/power/bq27x00_battery.c linux-3.0.9/drivers/power/bq27x00_battery.c
33469 --- linux-3.0.9/drivers/power/bq27x00_battery.c 2011-11-11 13:12:24.000000000 -0500
33470 +++ linux-3.0.9/drivers/power/bq27x00_battery.c 2011-11-15 20:02:59.000000000 -0500
33471 @@ -67,7 +67,7 @@
33472  struct bq27x00_device_info;
33473  struct bq27x00_access_methods {
33474         int (*read)(struct bq27x00_device_info *di, u8 reg, bool single);
33475 -};
33476 +} __no_const;
33477  
33478  enum bq27x00_chip { BQ27000, BQ27500 };
33479  
33480 diff -urNp linux-3.0.9/drivers/regulator/max8660.c linux-3.0.9/drivers/regulator/max8660.c
33481 --- linux-3.0.9/drivers/regulator/max8660.c     2011-11-11 13:12:24.000000000 -0500
33482 +++ linux-3.0.9/drivers/regulator/max8660.c     2011-11-15 20:02:59.000000000 -0500
33483 @@ -383,8 +383,10 @@ static int __devinit max8660_probe(struc
33484                 max8660->shadow_regs[MAX8660_OVER1] = 5;
33485         } else {
33486                 /* Otherwise devices can be toggled via software */
33487 -               max8660_dcdc_ops.enable = max8660_dcdc_enable;
33488 -               max8660_dcdc_ops.disable = max8660_dcdc_disable;
33489 +               pax_open_kernel();
33490 +               *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
33491 +               *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
33492 +               pax_close_kernel();
33493         }
33494  
33495         /*
33496 diff -urNp linux-3.0.9/drivers/regulator/mc13892-regulator.c linux-3.0.9/drivers/regulator/mc13892-regulator.c
33497 --- linux-3.0.9/drivers/regulator/mc13892-regulator.c   2011-11-11 13:12:24.000000000 -0500
33498 +++ linux-3.0.9/drivers/regulator/mc13892-regulator.c   2011-11-15 20:02:59.000000000 -0500
33499 @@ -564,10 +564,12 @@ static int __devinit mc13892_regulator_p
33500         }
33501         mc13xxx_unlock(mc13892);
33502  
33503 -       mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33504 +       pax_open_kernel();
33505 +       *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33506                 = mc13892_vcam_set_mode;
33507 -       mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33508 +       *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33509                 = mc13892_vcam_get_mode;
33510 +       pax_close_kernel();
33511         for (i = 0; i < pdata->num_regulators; i++) {
33512                 init_data = &pdata->regulators[i];
33513                 priv->regulators[i] = regulator_register(
33514 diff -urNp linux-3.0.9/drivers/rtc/rtc-dev.c linux-3.0.9/drivers/rtc/rtc-dev.c
33515 --- linux-3.0.9/drivers/rtc/rtc-dev.c   2011-11-11 13:12:24.000000000 -0500
33516 +++ linux-3.0.9/drivers/rtc/rtc-dev.c   2011-11-15 20:02:59.000000000 -0500
33517 @@ -14,6 +14,7 @@
33518  #include <linux/module.h>
33519  #include <linux/rtc.h>
33520  #include <linux/sched.h>
33521 +#include <linux/grsecurity.h>
33522  #include "rtc-core.h"
33523  
33524  static dev_t rtc_devt;
33525 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
33526                 if (copy_from_user(&tm, uarg, sizeof(tm)))
33527                         return -EFAULT;
33528  
33529 +               gr_log_timechange();
33530 +
33531                 return rtc_set_time(rtc, &tm);
33532  
33533         case RTC_PIE_ON:
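Review bot: `gr_log_timechange()` at line 33532 fires before `rtc_set_time()` is called, so the audit record is emitted even when the driver rejects the new time. If logging the attempt rather than a successful change is the intent, say so: `/* audit the attempt; logged regardless of whether rtc_set_time() succeeds */`. Any permission check that gates this ioctl case is earlier in rtc_dev_ioctl, outside this hunk.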
33534 diff -urNp linux-3.0.9/drivers/scsi/aacraid/aacraid.h linux-3.0.9/drivers/scsi/aacraid/aacraid.h
33535 --- linux-3.0.9/drivers/scsi/aacraid/aacraid.h  2011-11-11 13:12:24.000000000 -0500
33536 +++ linux-3.0.9/drivers/scsi/aacraid/aacraid.h  2011-11-15 20:02:59.000000000 -0500
33537 @@ -492,7 +492,7 @@ struct adapter_ops
33538         int  (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
33539         /* Administrative operations */
33540         int  (*adapter_comm)(struct aac_dev * dev, int comm);
33541 -};
33542 +} __no_const;
33543  
33544  /*
33545   *     Define which interrupt handler needs to be installed
33546 diff -urNp linux-3.0.9/drivers/scsi/aacraid/commctrl.c linux-3.0.9/drivers/scsi/aacraid/commctrl.c
33547 --- linux-3.0.9/drivers/scsi/aacraid/commctrl.c 2011-11-11 13:12:24.000000000 -0500
33548 +++ linux-3.0.9/drivers/scsi/aacraid/commctrl.c 2011-11-15 20:02:59.000000000 -0500
33549 @@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
33550         u32 actual_fibsize64, actual_fibsize = 0;
33551         int i;
33552  
33553 +       pax_track_stack();
33554  
33555         if (dev->in_reset) {
33556                 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
33557 diff -urNp linux-3.0.9/drivers/scsi/aacraid/linit.c linux-3.0.9/drivers/scsi/aacraid/linit.c
33558 --- linux-3.0.9/drivers/scsi/aacraid/linit.c    2011-11-11 13:12:24.000000000 -0500
33559 +++ linux-3.0.9/drivers/scsi/aacraid/linit.c    2011-11-15 20:02:59.000000000 -0500
33560 @@ -92,7 +92,7 @@ static DECLARE_PCI_DEVICE_TABLE(aac_pci_
33561  #elif defined(__devinitconst)
33562  static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33563  #else
33564 -static const struct pci_device_id aac_pci_tbl[] __devinitdata = {
33565 +static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33566  #endif
33567         { 0x1028, 0x0001, 0x1028, 0x0001, 0, 0, 0 }, /* PERC 2/Si (Iguana/PERC2Si) */
33568         { 0x1028, 0x0002, 0x1028, 0x0002, 0, 0, 1 }, /* PERC 3/Di (Opal/PERC3Di) */
33569 diff -urNp linux-3.0.9/drivers/scsi/aic94xx/aic94xx_init.c linux-3.0.9/drivers/scsi/aic94xx/aic94xx_init.c
33570 --- linux-3.0.9/drivers/scsi/aic94xx/aic94xx_init.c     2011-11-11 13:12:24.000000000 -0500
33571 +++ linux-3.0.9/drivers/scsi/aic94xx/aic94xx_init.c     2011-11-15 20:02:59.000000000 -0500
33572 @@ -1012,7 +1012,7 @@ static struct sas_domain_function_templa
33573         .lldd_control_phy       = asd_control_phy,
33574  };
33575  
33576 -static const struct pci_device_id aic94xx_pci_table[] __devinitdata = {
33577 +static const struct pci_device_id aic94xx_pci_table[] __devinitconst = {
33578         {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x410),0, 0, 1},
33579         {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x412),0, 0, 1},
33580         {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x416),0, 0, 1},
33581 diff -urNp linux-3.0.9/drivers/scsi/bfa/bfad.c linux-3.0.9/drivers/scsi/bfa/bfad.c
33582 --- linux-3.0.9/drivers/scsi/bfa/bfad.c 2011-11-11 13:12:24.000000000 -0500
33583 +++ linux-3.0.9/drivers/scsi/bfa/bfad.c 2011-11-15 20:02:59.000000000 -0500
33584 @@ -1032,6 +1032,8 @@ bfad_start_ops(struct bfad_s *bfad) {
33585         struct bfad_vport_s *vport, *vport_new;
33586         struct bfa_fcs_driver_info_s driver_info;
33587  
33588 +       pax_track_stack();
33589 +
33590         /* Fill the driver_info info to fcs*/
33591         memset(&driver_info, 0, sizeof(driver_info));
33592         strncpy(driver_info.version, BFAD_DRIVER_VERSION,
33593 diff -urNp linux-3.0.9/drivers/scsi/bfa/bfa_fcs_lport.c linux-3.0.9/drivers/scsi/bfa/bfa_fcs_lport.c
33594 --- linux-3.0.9/drivers/scsi/bfa/bfa_fcs_lport.c        2011-11-11 13:12:24.000000000 -0500
33595 +++ linux-3.0.9/drivers/scsi/bfa/bfa_fcs_lport.c        2011-11-15 20:02:59.000000000 -0500
33596 @@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
33597         u16        len, count;
33598         u16     templen;
33599  
33600 +       pax_track_stack();
33601 +
33602         /*
33603          * get hba attributes
33604          */
33605 @@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
33606         u8      count = 0;
33607         u16     templen;
33608  
33609 +       pax_track_stack();
33610 +
33611         /*
33612          * get port attributes
33613          */
33614 diff -urNp linux-3.0.9/drivers/scsi/bfa/bfa_fcs_rport.c linux-3.0.9/drivers/scsi/bfa/bfa_fcs_rport.c
33615 --- linux-3.0.9/drivers/scsi/bfa/bfa_fcs_rport.c        2011-11-11 13:12:24.000000000 -0500
33616 +++ linux-3.0.9/drivers/scsi/bfa/bfa_fcs_rport.c        2011-11-15 20:02:59.000000000 -0500
33617 @@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
33618         struct fc_rpsc_speed_info_s speeds;
33619         struct bfa_port_attr_s pport_attr;
33620  
33621 +       pax_track_stack();
33622 +
33623         bfa_trc(port->fcs, rx_fchs->s_id);
33624         bfa_trc(port->fcs, rx_fchs->d_id);
33625  
33626 diff -urNp linux-3.0.9/drivers/scsi/bfa/bfa.h linux-3.0.9/drivers/scsi/bfa/bfa.h
33627 --- linux-3.0.9/drivers/scsi/bfa/bfa.h  2011-11-11 13:12:24.000000000 -0500
33628 +++ linux-3.0.9/drivers/scsi/bfa/bfa.h  2011-11-15 20:02:59.000000000 -0500
33629 @@ -238,7 +238,7 @@ struct bfa_hwif_s {
33630                                 u32 *nvecs, u32 *maxvec);
33631         void (*hw_msix_get_rme_range) (struct bfa_s *bfa, u32 *start,
33632                                        u32 *end);
33633 -};
33634 +} __no_const;
33635  typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
33636  
33637  struct bfa_iocfc_s {
33638 diff -urNp linux-3.0.9/drivers/scsi/bfa/bfa_ioc.h linux-3.0.9/drivers/scsi/bfa/bfa_ioc.h
33639 --- linux-3.0.9/drivers/scsi/bfa/bfa_ioc.h      2011-11-11 13:12:24.000000000 -0500
33640 +++ linux-3.0.9/drivers/scsi/bfa/bfa_ioc.h      2011-11-15 20:02:59.000000000 -0500
33641 @@ -196,7 +196,7 @@ struct bfa_ioc_cbfn_s {
33642         bfa_ioc_disable_cbfn_t  disable_cbfn;
33643         bfa_ioc_hbfail_cbfn_t   hbfail_cbfn;
33644         bfa_ioc_reset_cbfn_t    reset_cbfn;
33645 -};
33646 +} __no_const;
33647  
33648  /*
33649   * Heartbeat failure notification queue element.
33650 @@ -268,7 +268,7 @@ struct bfa_ioc_hwif_s {
33651         void            (*ioc_sync_leave)       (struct bfa_ioc_s *ioc);
33652         void            (*ioc_sync_ack)         (struct bfa_ioc_s *ioc);
33653         bfa_boolean_t   (*ioc_sync_complete)    (struct bfa_ioc_s *ioc);
33654 -};
33655 +} __no_const;
33656  
33657  #define bfa_ioc_pcifn(__ioc)           ((__ioc)->pcidev.pci_func)
33658  #define bfa_ioc_devid(__ioc)           ((__ioc)->pcidev.device_id)
33659 diff -urNp linux-3.0.9/drivers/scsi/BusLogic.c linux-3.0.9/drivers/scsi/BusLogic.c
33660 --- linux-3.0.9/drivers/scsi/BusLogic.c 2011-11-11 13:12:24.000000000 -0500
33661 +++ linux-3.0.9/drivers/scsi/BusLogic.c 2011-11-15 20:02:59.000000000 -0500
33662 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
33663  static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
33664                                                     *PrototypeHostAdapter)
33665  {
33666 +       pax_track_stack();
33667 +
33668         /*
33669            If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
33670            Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
33671 diff -urNp linux-3.0.9/drivers/scsi/dpt_i2o.c linux-3.0.9/drivers/scsi/dpt_i2o.c
33672 --- linux-3.0.9/drivers/scsi/dpt_i2o.c  2011-11-11 13:12:24.000000000 -0500
33673 +++ linux-3.0.9/drivers/scsi/dpt_i2o.c  2011-11-15 20:02:59.000000000 -0500
33674 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
33675         dma_addr_t addr;
33676         ulong flags = 0;
33677  
33678 +       pax_track_stack();
33679 +
33680         memset(&msg, 0, MAX_MESSAGE_SIZE*4);
33681         // get user msg size in u32s 
33682         if(get_user(size, &user_msg[0])){
33683 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
33684         s32 rcode;
33685         dma_addr_t addr;
33686  
33687 +       pax_track_stack();
33688 +
33689         memset(msg, 0 , sizeof(msg));
33690         len = scsi_bufflen(cmd);
33691         direction = 0x00000000; 
33692 diff -urNp linux-3.0.9/drivers/scsi/eata.c linux-3.0.9/drivers/scsi/eata.c
33693 --- linux-3.0.9/drivers/scsi/eata.c     2011-11-11 13:12:24.000000000 -0500
33694 +++ linux-3.0.9/drivers/scsi/eata.c     2011-11-15 20:02:59.000000000 -0500
33695 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
33696         struct hostdata *ha;
33697         char name[16];
33698  
33699 +       pax_track_stack();
33700 +
33701         sprintf(name, "%s%d", driver_name, j);
33702  
33703         if (!request_region(port_base, REGION_SIZE, driver_name)) {
33704 diff -urNp linux-3.0.9/drivers/scsi/fcoe/fcoe_ctlr.c linux-3.0.9/drivers/scsi/fcoe/fcoe_ctlr.c
33705 --- linux-3.0.9/drivers/scsi/fcoe/fcoe_ctlr.c   2011-11-11 13:12:24.000000000 -0500
33706 +++ linux-3.0.9/drivers/scsi/fcoe/fcoe_ctlr.c   2011-11-15 20:02:59.000000000 -0500
33707 @@ -2503,6 +2503,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
33708         } buf;
33709         int rc;
33710  
33711 +       pax_track_stack();
33712 +
33713         fiph = (struct fip_header *)skb->data;
33714         sub = fiph->fip_subcode;
33715  
33716 diff -urNp linux-3.0.9/drivers/scsi/gdth.c linux-3.0.9/drivers/scsi/gdth.c
33717 --- linux-3.0.9/drivers/scsi/gdth.c     2011-11-11 13:12:24.000000000 -0500
33718 +++ linux-3.0.9/drivers/scsi/gdth.c     2011-11-15 20:02:59.000000000 -0500
33719 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
33720      unsigned long flags;
33721      gdth_ha_str *ha;
33722  
33723 +    pax_track_stack();
33724 +
33725      if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
33726          return -EFAULT;
33727      ha = gdth_find_ha(ldrv.ionode);
33728 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
33729      gdth_ha_str *ha;
33730      int rval;
33731  
33732 +    pax_track_stack();
33733 +
33734      if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
33735          res.number >= MAX_HDRIVES)
33736          return -EFAULT;
33737 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
33738      gdth_ha_str *ha;
33739      int rval;
33740  
33741 +    pax_track_stack();
33742 +
33743      if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
33744          return -EFAULT;
33745      ha = gdth_find_ha(gen.ionode);
33746 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
33747      int             i;
33748      gdth_cmd_str    gdtcmd;
33749      char            cmnd[MAX_COMMAND_SIZE];   
33750 +
33751 +    pax_track_stack();
33752 +
33753      memset(cmnd, 0xff, MAX_COMMAND_SIZE);
33754  
33755      TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
33756 diff -urNp linux-3.0.9/drivers/scsi/gdth_proc.c linux-3.0.9/drivers/scsi/gdth_proc.c
33757 --- linux-3.0.9/drivers/scsi/gdth_proc.c        2011-11-11 13:12:24.000000000 -0500
33758 +++ linux-3.0.9/drivers/scsi/gdth_proc.c        2011-11-15 20:02:59.000000000 -0500
33759 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
33760      u64         paddr;
33761  
33762      char            cmnd[MAX_COMMAND_SIZE];
33763 +
33764 +    pax_track_stack();
33765 +
33766      memset(cmnd, 0xff, 12);
33767      memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
33768  
33769 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
33770      gdth_hget_str *phg;
33771      char cmnd[MAX_COMMAND_SIZE];
33772  
33773 +    pax_track_stack();
33774 +
33775      gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
33776      estr = kmalloc(sizeof(*estr), GFP_KERNEL);
33777      if (!gdtcmd || !estr)
33778 diff -urNp linux-3.0.9/drivers/scsi/hosts.c linux-3.0.9/drivers/scsi/hosts.c
33779 --- linux-3.0.9/drivers/scsi/hosts.c    2011-11-11 13:12:24.000000000 -0500
33780 +++ linux-3.0.9/drivers/scsi/hosts.c    2011-11-15 20:02:59.000000000 -0500
33781 @@ -42,7 +42,7 @@
33782  #include "scsi_logging.h"
33783  
33784  
33785 -static atomic_t scsi_host_next_hn;     /* host_no for next new host */
33786 +static atomic_unchecked_t scsi_host_next_hn;   /* host_no for next new host */
33787  
33788  
33789  static void scsi_host_cls_release(struct device *dev)
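Review bot: Switching scsi_host_next_hn to atomic_unchecked_t at the `-static atomic_t`/`+static atomic_unchecked_t` pair exempts this counter from the REFCOUNT overflow trap, and nothing in the hunk records why that is acceptable. A short comment would stop the next maintainer from converting it back: `/* id allocator, not a refcount: exempt from REFCOUNT overflow checks */`. The same reasoning applies to the stats counters in fc_exch.c, the trace counters in lpfc_debugfs.c/lpfc.h, the num_rsrc_err/num_cmd_success counters in lpfc_scsi.c and the pmcraid failure counters, which are converted the same way without a note. Wrap of host_no after 2^31 allocations would hand out a duplicate host number, but that is pre-existing behaviour the conversion merely makes explicit.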
33790 @@ -357,7 +357,7 @@ struct Scsi_Host *scsi_host_alloc(struct
33791          * subtract one because we increment first then return, but we need to
33792          * know what the next host number was before increment
33793          */
33794 -       shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
33795 +       shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
33796         shost->dma_channel = 0xff;
33797  
33798         /* These three are default values which can be overridden */
33799 diff -urNp linux-3.0.9/drivers/scsi/hpsa.c linux-3.0.9/drivers/scsi/hpsa.c
33800 --- linux-3.0.9/drivers/scsi/hpsa.c     2011-11-11 13:12:24.000000000 -0500
33801 +++ linux-3.0.9/drivers/scsi/hpsa.c     2011-11-15 20:02:59.000000000 -0500
33802 @@ -498,7 +498,7 @@ static inline u32 next_command(struct ct
33803         u32 a;
33804  
33805         if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
33806 -               return h->access.command_completed(h);
33807 +               return h->access->command_completed(h);
33808  
33809         if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
33810                 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
33811 @@ -2955,7 +2955,7 @@ static void start_io(struct ctlr_info *h
33812         while (!list_empty(&h->reqQ)) {
33813                 c = list_entry(h->reqQ.next, struct CommandList, list);
33814                 /* can't do anything if fifo is full */
33815 -               if ((h->access.fifo_full(h))) {
33816 +               if ((h->access->fifo_full(h))) {
33817                         dev_warn(&h->pdev->dev, "fifo full\n");
33818                         break;
33819                 }
33820 @@ -2965,7 +2965,7 @@ static void start_io(struct ctlr_info *h
33821                 h->Qdepth--;
33822  
33823                 /* Tell the controller execute command */
33824 -               h->access.submit_command(h, c);
33825 +               h->access->submit_command(h, c);
33826  
33827                 /* Put job onto the completed Q */
33828                 addQ(&h->cmpQ, c);
33829 @@ -2974,17 +2974,17 @@ static void start_io(struct ctlr_info *h
33830  
33831  static inline unsigned long get_next_completion(struct ctlr_info *h)
33832  {
33833 -       return h->access.command_completed(h);
33834 +       return h->access->command_completed(h);
33835  }
33836  
33837  static inline bool interrupt_pending(struct ctlr_info *h)
33838  {
33839 -       return h->access.intr_pending(h);
33840 +       return h->access->intr_pending(h);
33841  }
33842  
33843  static inline long interrupt_not_for_us(struct ctlr_info *h)
33844  {
33845 -       return (h->access.intr_pending(h) == 0) ||
33846 +       return (h->access->intr_pending(h) == 0) ||
33847                 (h->interrupts_enabled == 0);
33848  }
33849  
33850 @@ -3881,7 +3881,7 @@ static int __devinit hpsa_pci_init(struc
33851         if (prod_index < 0)
33852                 return -ENODEV;
33853         h->product_name = products[prod_index].product_name;
33854 -       h->access = *(products[prod_index].access);
33855 +       h->access = products[prod_index].access;
33856  
33857         if (hpsa_board_disabled(h->pdev)) {
33858                 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
33859 @@ -4158,7 +4158,7 @@ reinit_after_soft_reset:
33860         }
33861  
33862         /* make sure the board interrupts are off */
33863 -       h->access.set_intr_mask(h, HPSA_INTR_OFF);
33864 +       h->access->set_intr_mask(h, HPSA_INTR_OFF);
33865  
33866         if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
33867                 goto clean2;
33868 @@ -4192,7 +4192,7 @@ reinit_after_soft_reset:
33869                  * fake ones to scoop up any residual completions.
33870                  */
33871                 spin_lock_irqsave(&h->lock, flags);
33872 -               h->access.set_intr_mask(h, HPSA_INTR_OFF);
33873 +               h->access->set_intr_mask(h, HPSA_INTR_OFF);
33874                 spin_unlock_irqrestore(&h->lock, flags);
33875                 free_irq(h->intr[h->intr_mode], h);
33876                 rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
33877 @@ -4211,9 +4211,9 @@ reinit_after_soft_reset:
33878                 dev_info(&h->pdev->dev, "Board READY.\n");
33879                 dev_info(&h->pdev->dev,
33880                         "Waiting for stale completions to drain.\n");
33881 -               h->access.set_intr_mask(h, HPSA_INTR_ON);
33882 +               h->access->set_intr_mask(h, HPSA_INTR_ON);
33883                 msleep(10000);
33884 -               h->access.set_intr_mask(h, HPSA_INTR_OFF);
33885 +               h->access->set_intr_mask(h, HPSA_INTR_OFF);
33886  
33887                 rc = controller_reset_failed(h->cfgtable);
33888                 if (rc)
33889 @@ -4234,7 +4234,7 @@ reinit_after_soft_reset:
33890         }
33891  
33892         /* Turn the interrupts on so we can service requests */
33893 -       h->access.set_intr_mask(h, HPSA_INTR_ON);
33894 +       h->access->set_intr_mask(h, HPSA_INTR_ON);
33895  
33896         hpsa_hba_inquiry(h);
33897         hpsa_register_scsi(h);  /* hook ourselves into SCSI subsystem */
33898 @@ -4287,7 +4287,7 @@ static void hpsa_shutdown(struct pci_dev
33899          * To write all data in the battery backed cache to disks
33900          */
33901         hpsa_flush_cache(h);
33902 -       h->access.set_intr_mask(h, HPSA_INTR_OFF);
33903 +       h->access->set_intr_mask(h, HPSA_INTR_OFF);
33904         free_irq(h->intr[h->intr_mode], h);
33905  #ifdef CONFIG_PCI_MSI
33906         if (h->msix_vector)
33907 @@ -4450,7 +4450,7 @@ static __devinit void hpsa_enter_perform
33908                 return;
33909         }
33910         /* Change the access methods to the performant access methods */
33911 -       h->access = SA5_performant_access;
33912 +       h->access = &SA5_performant_access;
33913         h->transMethod = CFGTBL_Trans_Performant;
33914  }
33915  
33916 diff -urNp linux-3.0.9/drivers/scsi/hpsa.h linux-3.0.9/drivers/scsi/hpsa.h
33917 --- linux-3.0.9/drivers/scsi/hpsa.h     2011-11-11 13:12:24.000000000 -0500
33918 +++ linux-3.0.9/drivers/scsi/hpsa.h     2011-11-15 20:02:59.000000000 -0500
33919 @@ -73,7 +73,7 @@ struct ctlr_info {
33920         unsigned int msix_vector;
33921         unsigned int msi_vector;
33922         int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
33923 -       struct access_method access;
33924 +       struct access_method *access;
33925  
33926         /* queue and queue Info */
33927         struct list_head reqQ;
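Review bot: The new member `struct access_method *access;` is a non-const pointer, yet hpsa.c now points it at the products[] table entries and at `&SA5_performant_access` (hpsa.c hunks at @@ -3881 and @@ -4450). If this series constifies those tables, as its `__no_const` and const changes elsewhere suggest, each assignment discards a qualifier and the compiler can no longer stop a write through h->access from reaching read-only data; declaring it `const struct access_method *access;` makes the intent explicit. Any code outside these hunks that relied on the embedded struct (sizeof(h->access) or &h->access) would also need checking; none is visible here.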
33928 diff -urNp linux-3.0.9/drivers/scsi/ips.h linux-3.0.9/drivers/scsi/ips.h
33929 --- linux-3.0.9/drivers/scsi/ips.h      2011-11-11 13:12:24.000000000 -0500
33930 +++ linux-3.0.9/drivers/scsi/ips.h      2011-11-15 20:02:59.000000000 -0500
33931 @@ -1027,7 +1027,7 @@ typedef struct {
33932     int       (*intr)(struct ips_ha *);
33933     void      (*enableint)(struct ips_ha *);
33934     uint32_t (*statupd)(struct ips_ha *);
33935 -} ips_hw_func_t;
33936 +} __no_const ips_hw_func_t;
33937  
33938  typedef struct ips_ha {
33939     uint8_t            ha_id[IPS_MAX_CHANNELS+1];
33940 diff -urNp linux-3.0.9/drivers/scsi/libfc/fc_exch.c linux-3.0.9/drivers/scsi/libfc/fc_exch.c
33941 --- linux-3.0.9/drivers/scsi/libfc/fc_exch.c    2011-11-11 13:12:24.000000000 -0500
33942 +++ linux-3.0.9/drivers/scsi/libfc/fc_exch.c    2011-11-15 20:02:59.000000000 -0500
33943 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
33944          * all together if not used XXX
33945          */
33946         struct {
33947 -               atomic_t no_free_exch;
33948 -               atomic_t no_free_exch_xid;
33949 -               atomic_t xid_not_found;
33950 -               atomic_t xid_busy;
33951 -               atomic_t seq_not_found;
33952 -               atomic_t non_bls_resp;
33953 +               atomic_unchecked_t no_free_exch;
33954 +               atomic_unchecked_t no_free_exch_xid;
33955 +               atomic_unchecked_t xid_not_found;
33956 +               atomic_unchecked_t xid_busy;
33957 +               atomic_unchecked_t seq_not_found;
33958 +               atomic_unchecked_t non_bls_resp;
33959         } stats;
33960  };
33961  
33962 @@ -700,7 +700,7 @@ static struct fc_exch *fc_exch_em_alloc(
33963         /* allocate memory for exchange */
33964         ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
33965         if (!ep) {
33966 -               atomic_inc(&mp->stats.no_free_exch);
33967 +               atomic_inc_unchecked(&mp->stats.no_free_exch);
33968                 goto out;
33969         }
33970         memset(ep, 0, sizeof(*ep));
33971 @@ -761,7 +761,7 @@ out:
33972         return ep;
33973  err:
33974         spin_unlock_bh(&pool->lock);
33975 -       atomic_inc(&mp->stats.no_free_exch_xid);
33976 +       atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
33977         mempool_free(ep, mp->ep_pool);
33978         return NULL;
33979  }
33980 @@ -906,7 +906,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33981                 xid = ntohs(fh->fh_ox_id);      /* we originated exch */
33982                 ep = fc_exch_find(mp, xid);
33983                 if (!ep) {
33984 -                       atomic_inc(&mp->stats.xid_not_found);
33985 +                       atomic_inc_unchecked(&mp->stats.xid_not_found);
33986                         reject = FC_RJT_OX_ID;
33987                         goto out;
33988                 }
33989 @@ -936,7 +936,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33990                 ep = fc_exch_find(mp, xid);
33991                 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
33992                         if (ep) {
33993 -                               atomic_inc(&mp->stats.xid_busy);
33994 +                               atomic_inc_unchecked(&mp->stats.xid_busy);
33995                                 reject = FC_RJT_RX_ID;
33996                                 goto rel;
33997                         }
33998 @@ -947,7 +947,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33999                         }
34000                         xid = ep->xid;  /* get our XID */
34001                 } else if (!ep) {
34002 -                       atomic_inc(&mp->stats.xid_not_found);
34003 +                       atomic_inc_unchecked(&mp->stats.xid_not_found);
34004                         reject = FC_RJT_RX_ID;  /* XID not found */
34005                         goto out;
34006                 }
34007 @@ -964,7 +964,7 @@ static enum fc_pf_rjt_reason fc_seq_look
34008         } else {
34009                 sp = &ep->seq;
34010                 if (sp->id != fh->fh_seq_id) {
34011 -                       atomic_inc(&mp->stats.seq_not_found);
34012 +                       atomic_inc_unchecked(&mp->stats.seq_not_found);
34013                         reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
34014                         goto rel;
34015                 }
34016 @@ -1392,22 +1392,22 @@ static void fc_exch_recv_seq_resp(struct
34017  
34018         ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
34019         if (!ep) {
34020 -               atomic_inc(&mp->stats.xid_not_found);
34021 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34022                 goto out;
34023         }
34024         if (ep->esb_stat & ESB_ST_COMPLETE) {
34025 -               atomic_inc(&mp->stats.xid_not_found);
34026 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34027                 goto rel;
34028         }
34029         if (ep->rxid == FC_XID_UNKNOWN)
34030                 ep->rxid = ntohs(fh->fh_rx_id);
34031         if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
34032 -               atomic_inc(&mp->stats.xid_not_found);
34033 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34034                 goto rel;
34035         }
34036         if (ep->did != ntoh24(fh->fh_s_id) &&
34037             ep->did != FC_FID_FLOGI) {
34038 -               atomic_inc(&mp->stats.xid_not_found);
34039 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34040                 goto rel;
34041         }
34042         sof = fr_sof(fp);
34043 @@ -1416,7 +1416,7 @@ static void fc_exch_recv_seq_resp(struct
34044                 sp->ssb_stat |= SSB_ST_RESP;
34045                 sp->id = fh->fh_seq_id;
34046         } else if (sp->id != fh->fh_seq_id) {
34047 -               atomic_inc(&mp->stats.seq_not_found);
34048 +               atomic_inc_unchecked(&mp->stats.seq_not_found);
34049                 goto rel;
34050         }
34051  
34052 @@ -1480,9 +1480,9 @@ static void fc_exch_recv_resp(struct fc_
34053         sp = fc_seq_lookup_orig(mp, fp);        /* doesn't hold sequence */
34054  
34055         if (!sp)
34056 -               atomic_inc(&mp->stats.xid_not_found);
34057 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34058         else
34059 -               atomic_inc(&mp->stats.non_bls_resp);
34060 +               atomic_inc_unchecked(&mp->stats.non_bls_resp);
34061  
34062         fc_frame_free(fp);
34063  }
34064 diff -urNp linux-3.0.9/drivers/scsi/libsas/sas_ata.c linux-3.0.9/drivers/scsi/libsas/sas_ata.c
34065 --- linux-3.0.9/drivers/scsi/libsas/sas_ata.c   2011-11-11 13:12:24.000000000 -0500
34066 +++ linux-3.0.9/drivers/scsi/libsas/sas_ata.c   2011-11-15 20:02:59.000000000 -0500
34067 @@ -368,7 +368,7 @@ static struct ata_port_operations sas_sa
34068         .postreset              = ata_std_postreset,
34069         .error_handler          = ata_std_error_handler,
34070         .post_internal_cmd      = sas_ata_post_internal,
34071 -       .qc_defer               = ata_std_qc_defer,
34072 +       .qc_defer               = ata_std_qc_defer,
34073         .qc_prep                = ata_noop_qc_prep,
34074         .qc_issue               = sas_ata_qc_issue,
34075         .qc_fill_rtf            = sas_ata_qc_fill_rtf,
34076 diff -urNp linux-3.0.9/drivers/scsi/lpfc/lpfc_debugfs.c linux-3.0.9/drivers/scsi/lpfc/lpfc_debugfs.c
34077 --- linux-3.0.9/drivers/scsi/lpfc/lpfc_debugfs.c        2011-11-11 13:12:24.000000000 -0500
34078 +++ linux-3.0.9/drivers/scsi/lpfc/lpfc_debugfs.c        2011-11-15 20:02:59.000000000 -0500
34079 @@ -104,7 +104,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
34080  
34081  #include <linux/debugfs.h>
34082  
34083 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
34084 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
34085  static unsigned long lpfc_debugfs_start_time = 0L;
34086  
34087  /* iDiag */
34088 @@ -141,7 +141,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
34089         lpfc_debugfs_enable = 0;
34090  
34091         len = 0;
34092 -       index = (atomic_read(&vport->disc_trc_cnt) + 1) &
34093 +       index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
34094                 (lpfc_debugfs_max_disc_trc - 1);
34095         for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
34096                 dtp = vport->disc_trc + i;
34097 @@ -202,7 +202,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
34098         lpfc_debugfs_enable = 0;
34099  
34100         len = 0;
34101 -       index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
34102 +       index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
34103                 (lpfc_debugfs_max_slow_ring_trc - 1);
34104         for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
34105                 dtp = phba->slow_ring_trc + i;
34106 @@ -380,6 +380,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
34107         uint32_t *ptr;
34108         char buffer[1024];
34109  
34110 +       pax_track_stack();
34111 +
34112         off = 0;
34113         spin_lock_irq(&phba->hbalock);
34114  
34115 @@ -617,14 +619,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport 
34116                 !vport || !vport->disc_trc)
34117                 return;
34118  
34119 -       index = atomic_inc_return(&vport->disc_trc_cnt) &
34120 +       index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
34121                 (lpfc_debugfs_max_disc_trc - 1);
34122         dtp = vport->disc_trc + index;
34123         dtp->fmt = fmt;
34124         dtp->data1 = data1;
34125         dtp->data2 = data2;
34126         dtp->data3 = data3;
34127 -       dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
34128 +       dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
34129         dtp->jif = jiffies;
34130  #endif
34131         return;
34132 @@ -655,14 +657,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
34133                 !phba || !phba->slow_ring_trc)
34134                 return;
34135  
34136 -       index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
34137 +       index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
34138                 (lpfc_debugfs_max_slow_ring_trc - 1);
34139         dtp = phba->slow_ring_trc + index;
34140         dtp->fmt = fmt;
34141         dtp->data1 = data1;
34142         dtp->data2 = data2;
34143         dtp->data3 = data3;
34144 -       dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
34145 +       dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
34146         dtp->jif = jiffies;
34147  #endif
34148         return;
34149 @@ -2606,7 +2608,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
34150                                                  "slow_ring buffer\n");
34151                                 goto debug_failed;
34152                         }
34153 -                       atomic_set(&phba->slow_ring_trc_cnt, 0);
34154 +                       atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
34155                         memset(phba->slow_ring_trc, 0,
34156                                 (sizeof(struct lpfc_debugfs_trc) *
34157                                 lpfc_debugfs_max_slow_ring_trc));
34158 @@ -2652,7 +2654,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
34159                                  "buffer\n");
34160                 goto debug_failed;
34161         }
34162 -       atomic_set(&vport->disc_trc_cnt, 0);
34163 +       atomic_set_unchecked(&vport->disc_trc_cnt, 0);
34164  
34165         snprintf(name, sizeof(name), "discovery_trace");
34166         vport->debug_disc_trc =
34167 diff -urNp linux-3.0.9/drivers/scsi/lpfc/lpfc.h linux-3.0.9/drivers/scsi/lpfc/lpfc.h
34168 --- linux-3.0.9/drivers/scsi/lpfc/lpfc.h        2011-11-11 13:12:24.000000000 -0500
34169 +++ linux-3.0.9/drivers/scsi/lpfc/lpfc.h        2011-11-15 20:02:59.000000000 -0500
34170 @@ -425,7 +425,7 @@ struct lpfc_vport {
34171         struct dentry *debug_nodelist;
34172         struct dentry *vport_debugfs_root;
34173         struct lpfc_debugfs_trc *disc_trc;
34174 -       atomic_t disc_trc_cnt;
34175 +       atomic_unchecked_t disc_trc_cnt;
34176  #endif
34177         uint8_t stat_data_enabled;
34178         uint8_t stat_data_blocked;
34179 @@ -832,8 +832,8 @@ struct lpfc_hba {
34180         struct timer_list fabric_block_timer;
34181         unsigned long bit_flags;
34182  #define        FABRIC_COMANDS_BLOCKED  0
34183 -       atomic_t num_rsrc_err;
34184 -       atomic_t num_cmd_success;
34185 +       atomic_unchecked_t num_rsrc_err;
34186 +       atomic_unchecked_t num_cmd_success;
34187         unsigned long last_rsrc_error_time;
34188         unsigned long last_ramp_down_time;
34189         unsigned long last_ramp_up_time;
34190 @@ -847,7 +847,7 @@ struct lpfc_hba {
34191         struct dentry *debug_dumpDif;    /* BlockGuard BPL*/
34192         struct dentry *debug_slow_ring_trc;
34193         struct lpfc_debugfs_trc *slow_ring_trc;
34194 -       atomic_t slow_ring_trc_cnt;
34195 +       atomic_unchecked_t slow_ring_trc_cnt;
34196         /* iDiag debugfs sub-directory */
34197         struct dentry *idiag_root;
34198         struct dentry *idiag_pci_cfg;
34199 diff -urNp linux-3.0.9/drivers/scsi/lpfc/lpfc_init.c linux-3.0.9/drivers/scsi/lpfc/lpfc_init.c
34200 --- linux-3.0.9/drivers/scsi/lpfc/lpfc_init.c   2011-11-11 13:12:24.000000000 -0500
34201 +++ linux-3.0.9/drivers/scsi/lpfc/lpfc_init.c   2011-11-15 20:02:59.000000000 -0500
34202 @@ -9971,8 +9971,10 @@ lpfc_init(void)
34203         printk(LPFC_COPYRIGHT "\n");
34204  
34205         if (lpfc_enable_npiv) {
34206 -               lpfc_transport_functions.vport_create = lpfc_vport_create;
34207 -               lpfc_transport_functions.vport_delete = lpfc_vport_delete;
34208 +               pax_open_kernel();
34209 +               *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
34210 +               *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
34211 +               pax_close_kernel();
34212         }
34213         lpfc_transport_template =
34214                                 fc_attach_transport(&lpfc_transport_functions);
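Review bot: The `*(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;` lines write through a `void **` cast, which discards both the const qualifier and the function-pointer type, so a signature mismatch between lpfc_vport_create and the vport_create field would no longer be diagnosed. A comment stating why the cast and the pax_open_kernel()/pax_close_kernel() bracket are needed would help: `/* transport template is read-only under KERNEXEC; writes must be bracketed by pax_open_kernel()/pax_close_kernel() */` — assuming that is what this series does to the template, which is not visible here. Only these two stores belong between the open and close calls, as the hunk already arranges; keep it that way if more fields are added later. lpfc_init continues outside the hunk.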
34215 diff -urNp linux-3.0.9/drivers/scsi/lpfc/lpfc_scsi.c linux-3.0.9/drivers/scsi/lpfc/lpfc_scsi.c
34216 --- linux-3.0.9/drivers/scsi/lpfc/lpfc_scsi.c   2011-11-11 13:12:24.000000000 -0500
34217 +++ linux-3.0.9/drivers/scsi/lpfc/lpfc_scsi.c   2011-11-15 20:02:59.000000000 -0500
34218 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
34219         uint32_t evt_posted;
34220  
34221         spin_lock_irqsave(&phba->hbalock, flags);
34222 -       atomic_inc(&phba->num_rsrc_err);
34223 +       atomic_inc_unchecked(&phba->num_rsrc_err);
34224         phba->last_rsrc_error_time = jiffies;
34225  
34226         if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
34227 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
34228         unsigned long flags;
34229         struct lpfc_hba *phba = vport->phba;
34230         uint32_t evt_posted;
34231 -       atomic_inc(&phba->num_cmd_success);
34232 +       atomic_inc_unchecked(&phba->num_cmd_success);
34233  
34234         if (vport->cfg_lun_queue_depth <= queue_depth)
34235                 return;
34236 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
34237         unsigned long num_rsrc_err, num_cmd_success;
34238         int i;
34239  
34240 -       num_rsrc_err = atomic_read(&phba->num_rsrc_err);
34241 -       num_cmd_success = atomic_read(&phba->num_cmd_success);
34242 +       num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
34243 +       num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
34244  
34245         vports = lpfc_create_vport_work_array(phba);
34246         if (vports != NULL)
34247 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
34248                         }
34249                 }
34250         lpfc_destroy_vport_work_array(phba, vports);
34251 -       atomic_set(&phba->num_rsrc_err, 0);
34252 -       atomic_set(&phba->num_cmd_success, 0);
34253 +       atomic_set_unchecked(&phba->num_rsrc_err, 0);
34254 +       atomic_set_unchecked(&phba->num_cmd_success, 0);
34255  }
34256  
34257  /**
34258 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
34259                         }
34260                 }
34261         lpfc_destroy_vport_work_array(phba, vports);
34262 -       atomic_set(&phba->num_rsrc_err, 0);
34263 -       atomic_set(&phba->num_cmd_success, 0);
34264 +       atomic_set_unchecked(&phba->num_rsrc_err, 0);
34265 +       atomic_set_unchecked(&phba->num_cmd_success, 0);
34266  }
34267  
34268  /**
34269 diff -urNp linux-3.0.9/drivers/scsi/megaraid/megaraid_mbox.c linux-3.0.9/drivers/scsi/megaraid/megaraid_mbox.c
34270 --- linux-3.0.9/drivers/scsi/megaraid/megaraid_mbox.c   2011-11-11 13:12:24.000000000 -0500
34271 +++ linux-3.0.9/drivers/scsi/megaraid/megaraid_mbox.c   2011-11-15 20:02:59.000000000 -0500
34272 @@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
34273         int             rval;
34274         int             i;
34275  
34276 +       pax_track_stack();
34277 +
34278         // Allocate memory for the base list of scb for management module.
34279         adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
34280  
34281 diff -urNp linux-3.0.9/drivers/scsi/osd/osd_initiator.c linux-3.0.9/drivers/scsi/osd/osd_initiator.c
34282 --- linux-3.0.9/drivers/scsi/osd/osd_initiator.c        2011-11-11 13:12:24.000000000 -0500
34283 +++ linux-3.0.9/drivers/scsi/osd/osd_initiator.c        2011-11-15 20:02:59.000000000 -0500
34284 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
34285         int nelem = ARRAY_SIZE(get_attrs), a = 0;
34286         int ret;
34287  
34288 +       pax_track_stack();
34289 +
34290         or = osd_start_request(od, GFP_KERNEL);
34291         if (!or)
34292                 return -ENOMEM;
34293 diff -urNp linux-3.0.9/drivers/scsi/pmcraid.c linux-3.0.9/drivers/scsi/pmcraid.c
34294 --- linux-3.0.9/drivers/scsi/pmcraid.c  2011-11-11 13:12:24.000000000 -0500
34295 +++ linux-3.0.9/drivers/scsi/pmcraid.c  2011-11-15 20:02:59.000000000 -0500
34296 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
34297                 res->scsi_dev = scsi_dev;
34298                 scsi_dev->hostdata = res;
34299                 res->change_detected = 0;
34300 -               atomic_set(&res->read_failures, 0);
34301 -               atomic_set(&res->write_failures, 0);
34302 +               atomic_set_unchecked(&res->read_failures, 0);
34303 +               atomic_set_unchecked(&res->write_failures, 0);
34304                 rc = 0;
34305         }
34306         spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
34307 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct 
34308  
34309         /* If this was a SCSI read/write command keep count of errors */
34310         if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
34311 -               atomic_inc(&res->read_failures);
34312 +               atomic_inc_unchecked(&res->read_failures);
34313         else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
34314 -               atomic_inc(&res->write_failures);
34315 +               atomic_inc_unchecked(&res->write_failures);
34316  
34317         if (!RES_IS_GSCSI(res->cfg_entry) &&
34318                 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
34319 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
34320          * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
34321          * hrrq_id assigned here in queuecommand
34322          */
34323 -       ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
34324 +       ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
34325                           pinstance->num_hrrq;
34326         cmd->cmd_done = pmcraid_io_done;
34327  
34328 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
34329          * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
34330          * hrrq_id assigned here in queuecommand
34331          */
34332 -       ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
34333 +       ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
34334                           pinstance->num_hrrq;
34335  
34336         if (request_size) {
34337 @@ -4498,7 +4498,7 @@ static void pmcraid_worker_function(stru
34338  
34339         pinstance = container_of(workp, struct pmcraid_instance, worker_q);
34340         /* add resources only after host is added into system */
34341 -       if (!atomic_read(&pinstance->expose_resources))
34342 +       if (!atomic_read_unchecked(&pinstance->expose_resources))
34343                 return;
34344  
34345         fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
34346 @@ -5332,8 +5332,8 @@ static int __devinit pmcraid_init_instan
34347         init_waitqueue_head(&pinstance->reset_wait_q);
34348  
34349         atomic_set(&pinstance->outstanding_cmds, 0);
34350 -       atomic_set(&pinstance->last_message_id, 0);
34351 -       atomic_set(&pinstance->expose_resources, 0);
34352 +       atomic_set_unchecked(&pinstance->last_message_id, 0);
34353 +       atomic_set_unchecked(&pinstance->expose_resources, 0);
34354  
34355         INIT_LIST_HEAD(&pinstance->free_res_q);
34356         INIT_LIST_HEAD(&pinstance->used_res_q);
34357 @@ -6048,7 +6048,7 @@ static int __devinit pmcraid_probe(
34358         /* Schedule worker thread to handle CCN and take care of adding and
34359          * removing devices to OS
34360          */
34361 -       atomic_set(&pinstance->expose_resources, 1);
34362 +       atomic_set_unchecked(&pinstance->expose_resources, 1);
34363         schedule_work(&pinstance->worker_q);
34364         return rc;
34365  
34366 diff -urNp linux-3.0.9/drivers/scsi/pmcraid.h linux-3.0.9/drivers/scsi/pmcraid.h
34367 --- linux-3.0.9/drivers/scsi/pmcraid.h  2011-11-11 13:12:24.000000000 -0500
34368 +++ linux-3.0.9/drivers/scsi/pmcraid.h  2011-11-15 20:02:59.000000000 -0500
34369 @@ -749,7 +749,7 @@ struct pmcraid_instance {
34370         struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
34371  
34372         /* Message id as filled in last fired IOARCB, used to identify HRRQ */
34373 -       atomic_t last_message_id;
34374 +       atomic_unchecked_t last_message_id;
34375  
34376         /* configuration table */
34377         struct pmcraid_config_table *cfg_table;
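Review bot: The atomic_t to atomic_unchecked_t change on last_message_id is not explained at the declaration; the comment above it still only says what the field is for. Since the unchecked type opts the field out of PAX_REFCOUNT overflow detection, the declaration should state why that is safe, e.g. `/* atomic_unchecked_t: wrapping sequence number (used modulo num_hrrq), not a reference count */`. The same justification is missing at the other converted fields in this file (expose_resources, read_failures, write_failures) and at the conversions in ql4_def.h, et131x_adapter.h, hyperv_vmbus.h, rndis_filter.c and the static counters in scsi_transport_fc.c, scsi_transport_iscsi.c and scsi_transport_srp.c; each appears to be a statistic, flag or sequence id, which is what makes wrap-around harmless. Without the comment a later reader cannot tell a deliberate opt-out from a field that was converted by mistake.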
34378 @@ -778,7 +778,7 @@ struct pmcraid_instance {
34379         atomic_t outstanding_cmds;
34380  
34381         /* should add/delete resources to mid-layer now ?*/
34382 -       atomic_t expose_resources;
34383 +       atomic_unchecked_t expose_resources;
34384  
34385  
34386  
34387 @@ -814,8 +814,8 @@ struct pmcraid_resource_entry {
34388                 struct pmcraid_config_table_entry_ext cfg_entry_ext;
34389         };
34390         struct scsi_device *scsi_dev;   /* Link scsi_device structure */
34391 -       atomic_t read_failures;         /* count of failed READ commands */
34392 -       atomic_t write_failures;        /* count of failed WRITE commands */
34393 +       atomic_unchecked_t read_failures;       /* count of failed READ commands */
34394 +       atomic_unchecked_t write_failures;      /* count of failed WRITE commands */
34395  
34396         /* To indicate add/delete/modify during CCN */
34397         u8 change_detected;
34398 diff -urNp linux-3.0.9/drivers/scsi/qla2xxx/qla_def.h linux-3.0.9/drivers/scsi/qla2xxx/qla_def.h
34399 --- linux-3.0.9/drivers/scsi/qla2xxx/qla_def.h  2011-11-11 13:12:24.000000000 -0500
34400 +++ linux-3.0.9/drivers/scsi/qla2xxx/qla_def.h  2011-11-15 20:02:59.000000000 -0500
34401 @@ -2244,7 +2244,7 @@ struct isp_operations {
34402         int (*get_flash_version) (struct scsi_qla_host *, void *);
34403         int (*start_scsi) (srb_t *);
34404         int (*abort_isp) (struct scsi_qla_host *);
34405 -};
34406 +} __no_const;
34407  
34408  /* MSI-X Support *************************************************************/
34409  
34410 diff -urNp linux-3.0.9/drivers/scsi/qla4xxx/ql4_def.h linux-3.0.9/drivers/scsi/qla4xxx/ql4_def.h
34411 --- linux-3.0.9/drivers/scsi/qla4xxx/ql4_def.h  2011-11-11 13:12:24.000000000 -0500
34412 +++ linux-3.0.9/drivers/scsi/qla4xxx/ql4_def.h  2011-11-15 20:02:59.000000000 -0500
34413 @@ -256,7 +256,7 @@ struct ddb_entry {
34414         atomic_t retry_relogin_timer; /* Min Time between relogins
34415                                        * (4000 only) */
34416         atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
34417 -       atomic_t relogin_retry_count; /* Num of times relogin has been
34418 +       atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
34419                                        * retried */
34420  
34421         uint16_t port;
34422 diff -urNp linux-3.0.9/drivers/scsi/qla4xxx/ql4_init.c linux-3.0.9/drivers/scsi/qla4xxx/ql4_init.c
34423 --- linux-3.0.9/drivers/scsi/qla4xxx/ql4_init.c 2011-11-11 13:12:24.000000000 -0500
34424 +++ linux-3.0.9/drivers/scsi/qla4xxx/ql4_init.c 2011-11-15 20:02:59.000000000 -0500
34425 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
34426         ddb_entry->fw_ddb_index = fw_ddb_index;
34427         atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
34428         atomic_set(&ddb_entry->relogin_timer, 0);
34429 -       atomic_set(&ddb_entry->relogin_retry_count, 0);
34430 +       atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34431         atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34432         list_add_tail(&ddb_entry->list, &ha->ddb_list);
34433         ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
34434 @@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
34435         if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
34436            (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
34437                 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34438 -               atomic_set(&ddb_entry->relogin_retry_count, 0);
34439 +               atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34440                 atomic_set(&ddb_entry->relogin_timer, 0);
34441                 clear_bit(DF_RELOGIN, &ddb_entry->flags);
34442                 iscsi_unblock_session(ddb_entry->sess);
34443 diff -urNp linux-3.0.9/drivers/scsi/qla4xxx/ql4_os.c linux-3.0.9/drivers/scsi/qla4xxx/ql4_os.c
34444 --- linux-3.0.9/drivers/scsi/qla4xxx/ql4_os.c   2011-11-11 13:12:24.000000000 -0500
34445 +++ linux-3.0.9/drivers/scsi/qla4xxx/ql4_os.c   2011-11-15 20:02:59.000000000 -0500
34446 @@ -811,13 +811,13 @@ static void qla4xxx_timer(struct scsi_ql
34447                             ddb_entry->fw_ddb_device_state ==
34448                             DDB_DS_SESSION_FAILED) {
34449                                 /* Reset retry relogin timer */
34450 -                               atomic_inc(&ddb_entry->relogin_retry_count);
34451 +                               atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
34452                                 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
34453                                               " timed out-retrying"
34454                                               " relogin (%d)\n",
34455                                               ha->host_no,
34456                                               ddb_entry->fw_ddb_index,
34457 -                                             atomic_read(&ddb_entry->
34458 +                                             atomic_read_unchecked(&ddb_entry->
34459                                                           relogin_retry_count))
34460                                         );
34461                                 start_dpc++;
34462 diff -urNp linux-3.0.9/drivers/scsi/scsi.c linux-3.0.9/drivers/scsi/scsi.c
34463 --- linux-3.0.9/drivers/scsi/scsi.c     2011-11-11 13:12:24.000000000 -0500
34464 +++ linux-3.0.9/drivers/scsi/scsi.c     2011-11-15 20:02:59.000000000 -0500
34465 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
34466         unsigned long timeout;
34467         int rtn = 0;
34468  
34469 -       atomic_inc(&cmd->device->iorequest_cnt);
34470 +       atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34471  
34472         /* check if the device is still usable */
34473         if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
34474 diff -urNp linux-3.0.9/drivers/scsi/scsi_debug.c linux-3.0.9/drivers/scsi/scsi_debug.c
34475 --- linux-3.0.9/drivers/scsi/scsi_debug.c       2011-11-11 13:12:24.000000000 -0500
34476 +++ linux-3.0.9/drivers/scsi/scsi_debug.c       2011-11-15 20:02:59.000000000 -0500
34477 @@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
34478         unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
34479         unsigned char *cmd = (unsigned char *)scp->cmnd;
34480  
34481 +       pax_track_stack();
34482 +
34483         if ((errsts = check_readiness(scp, 1, devip)))
34484                 return errsts;
34485         memset(arr, 0, sizeof(arr));
34486 @@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
34487         unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
34488         unsigned char *cmd = (unsigned char *)scp->cmnd;
34489  
34490 +       pax_track_stack();
34491 +
34492         if ((errsts = check_readiness(scp, 1, devip)))
34493                 return errsts;
34494         memset(arr, 0, sizeof(arr));
34495 diff -urNp linux-3.0.9/drivers/scsi/scsi_lib.c linux-3.0.9/drivers/scsi/scsi_lib.c
34496 --- linux-3.0.9/drivers/scsi/scsi_lib.c 2011-11-11 13:12:24.000000000 -0500
34497 +++ linux-3.0.9/drivers/scsi/scsi_lib.c 2011-11-15 20:02:59.000000000 -0500
34498 @@ -1412,7 +1412,7 @@ static void scsi_kill_request(struct req
34499         shost = sdev->host;
34500         scsi_init_cmd_errh(cmd);
34501         cmd->result = DID_NO_CONNECT << 16;
34502 -       atomic_inc(&cmd->device->iorequest_cnt);
34503 +       atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34504  
34505         /*
34506          * SCSI request completion path will do scsi_device_unbusy(),
34507 @@ -1438,9 +1438,9 @@ static void scsi_softirq_done(struct req
34508  
34509         INIT_LIST_HEAD(&cmd->eh_entry);
34510  
34511 -       atomic_inc(&cmd->device->iodone_cnt);
34512 +       atomic_inc_unchecked(&cmd->device->iodone_cnt);
34513         if (cmd->result)
34514 -               atomic_inc(&cmd->device->ioerr_cnt);
34515 +               atomic_inc_unchecked(&cmd->device->ioerr_cnt);
34516  
34517         disposition = scsi_decide_disposition(cmd);
34518         if (disposition != SUCCESS &&
34519 diff -urNp linux-3.0.9/drivers/scsi/scsi_sysfs.c linux-3.0.9/drivers/scsi/scsi_sysfs.c
34520 --- linux-3.0.9/drivers/scsi/scsi_sysfs.c       2011-11-11 13:12:24.000000000 -0500
34521 +++ linux-3.0.9/drivers/scsi/scsi_sysfs.c       2011-11-15 20:02:59.000000000 -0500
34522 @@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev, 
34523                     char *buf)                                          \
34524  {                                                                      \
34525         struct scsi_device *sdev = to_scsi_device(dev);                 \
34526 -       unsigned long long count = atomic_read(&sdev->field);           \
34527 +       unsigned long long count = atomic_read_unchecked(&sdev->field); \
34528         return snprintf(buf, 20, "0x%llx\n", count);                    \
34529  }                                                                      \
34530  static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
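Review bot: `unsigned long long count = atomic_read_unchecked(&sdev->field);` sign-extends: atomic_read_unchecked() returns a plain int like atomic_read(), so once a counter passes INT_MAX the value printed with `0x%llx` becomes 0xffffffff8xxxxxxx instead of the 32-bit count. Moving these counters to the wrapping unchecked type makes that case expected rather than something the refcount checker would have trapped, so the widening should be explicit: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. This sits inside the show_iostat_##field macro body, which begins outside the hunk.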
34531 diff -urNp linux-3.0.9/drivers/scsi/scsi_tgt_lib.c linux-3.0.9/drivers/scsi/scsi_tgt_lib.c
34532 --- linux-3.0.9/drivers/scsi/scsi_tgt_lib.c     2011-11-11 13:12:24.000000000 -0500
34533 +++ linux-3.0.9/drivers/scsi/scsi_tgt_lib.c     2011-11-15 20:02:59.000000000 -0500
34534 @@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
34535         int err;
34536  
34537         dprintk("%lx %u\n", uaddr, len);
34538 -       err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
34539 +       err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
34540         if (err) {
34541                 /*
34542                  * TODO: need to fixup sg_tablesize, max_segment_size,
34543 diff -urNp linux-3.0.9/drivers/scsi/scsi_transport_fc.c linux-3.0.9/drivers/scsi/scsi_transport_fc.c
34544 --- linux-3.0.9/drivers/scsi/scsi_transport_fc.c        2011-11-11 13:12:24.000000000 -0500
34545 +++ linux-3.0.9/drivers/scsi/scsi_transport_fc.c        2011-11-15 20:02:59.000000000 -0500
34546 @@ -484,7 +484,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
34547   * Netlink Infrastructure
34548   */
34549  
34550 -static atomic_t fc_event_seq;
34551 +static atomic_unchecked_t fc_event_seq;
34552  
34553  /**
34554   * fc_get_event_number - Obtain the next sequential FC event number
34555 @@ -497,7 +497,7 @@ static atomic_t fc_event_seq;
34556  u32
34557  fc_get_event_number(void)
34558  {
34559 -       return atomic_add_return(1, &fc_event_seq);
34560 +       return atomic_add_return_unchecked(1, &fc_event_seq);
34561  }
34562  EXPORT_SYMBOL(fc_get_event_number);
34563  
34564 @@ -645,7 +645,7 @@ static __init int fc_transport_init(void
34565  {
34566         int error;
34567  
34568 -       atomic_set(&fc_event_seq, 0);
34569 +       atomic_set_unchecked(&fc_event_seq, 0);
34570  
34571         error = transport_class_register(&fc_host_class);
34572         if (error)
34573 @@ -835,7 +835,7 @@ static int fc_str_to_dev_loss(const char
34574         char *cp;
34575  
34576         *val = simple_strtoul(buf, &cp, 0);
34577 -       if ((*cp && (*cp != '\n')) || (*val < 0))
34578 +       if (*cp && (*cp != '\n'))
34579                 return -EINVAL;
34580         /*
34581          * Check for overflow; dev_loss_tmo is u32
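Review bot: Dropping `(*val < 0)` is correct only because *val is unsigned, so the removed comparison could never be true (presumably what the compiler warned about); a one-line `/* *val is unsigned; the u32 range is checked below */` would keep the next reader from re-adding it. What the remaining test still does not catch is an empty or newline-only buffer: simple_strtoul() then returns 0 with cp == buf and the check passes, so 0 is accepted unless the range check that follows rejects it — if that is not intended, use `if (cp == buf || (*cp && *cp != '\n'))`. simple_strtoul() also gives no ERANGE indication on overflow, which the u32 check below covers only partially; kstrtoul() reports both conditions. fc_str_to_dev_loss starts outside the hunk.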
34582 diff -urNp linux-3.0.9/drivers/scsi/scsi_transport_iscsi.c linux-3.0.9/drivers/scsi/scsi_transport_iscsi.c
34583 --- linux-3.0.9/drivers/scsi/scsi_transport_iscsi.c     2011-11-11 13:12:24.000000000 -0500
34584 +++ linux-3.0.9/drivers/scsi/scsi_transport_iscsi.c     2011-11-15 20:02:59.000000000 -0500
34585 @@ -83,7 +83,7 @@ struct iscsi_internal {
34586         struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
34587  };
34588  
34589 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
34590 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
34591  static struct workqueue_struct *iscsi_eh_timer_workq;
34592  
34593  /*
34594 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
34595         int err;
34596  
34597         ihost = shost->shost_data;
34598 -       session->sid = atomic_add_return(1, &iscsi_session_nr);
34599 +       session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
34600  
34601         if (id == ISCSI_MAX_TARGET) {
34602                 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
34603 @@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
34604         printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
34605                 ISCSI_TRANSPORT_VERSION);
34606  
34607 -       atomic_set(&iscsi_session_nr, 0);
34608 +       atomic_set_unchecked(&iscsi_session_nr, 0);
34609  
34610         err = class_register(&iscsi_transport_class);
34611         if (err)
34612 diff -urNp linux-3.0.9/drivers/scsi/scsi_transport_srp.c linux-3.0.9/drivers/scsi/scsi_transport_srp.c
34613 --- linux-3.0.9/drivers/scsi/scsi_transport_srp.c       2011-11-11 13:12:24.000000000 -0500
34614 +++ linux-3.0.9/drivers/scsi/scsi_transport_srp.c       2011-11-15 20:02:59.000000000 -0500
34615 @@ -33,7 +33,7 @@
34616  #include "scsi_transport_srp_internal.h"
34617  
34618  struct srp_host_attrs {
34619 -       atomic_t next_port_id;
34620 +       atomic_unchecked_t next_port_id;
34621  };
34622  #define to_srp_host_attrs(host)        ((struct srp_host_attrs *)(host)->shost_data)
34623  
34624 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
34625         struct Scsi_Host *shost = dev_to_shost(dev);
34626         struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
34627  
34628 -       atomic_set(&srp_host->next_port_id, 0);
34629 +       atomic_set_unchecked(&srp_host->next_port_id, 0);
34630         return 0;
34631  }
34632  
34633 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
34634         memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
34635         rport->roles = ids->roles;
34636  
34637 -       id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
34638 +       id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
34639         dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
34640  
34641         transport_setup_device(&rport->dev);
34642 diff -urNp linux-3.0.9/drivers/scsi/sg.c linux-3.0.9/drivers/scsi/sg.c
34643 --- linux-3.0.9/drivers/scsi/sg.c       2011-11-11 13:12:24.000000000 -0500
34644 +++ linux-3.0.9/drivers/scsi/sg.c       2011-11-15 20:02:59.000000000 -0500
34645 @@ -1075,7 +1075,7 @@ sg_ioctl(struct file *filp, unsigned int
34646                                        sdp->disk->disk_name,
34647                                        MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
34648                                        NULL,
34649 -                                      (char *)arg);
34650 +                                      (char __user *)arg);
34651         case BLKTRACESTART:
34652                 return blk_trace_startstop(sdp->device->request_queue, 1);
34653         case BLKTRACESTOP:
34654 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
34655         const struct file_operations * fops;
34656  };
34657  
34658 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
34659 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
34660         {"allow_dio", &adio_fops},
34661         {"debug", &debug_fops},
34662         {"def_reserved_size", &dressz_fops},
34663 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
34664  {
34665         int k, mask;
34666         int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
34667 -       struct sg_proc_leaf * leaf;
34668 +       const struct sg_proc_leaf * leaf;
34669  
34670         sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
34671         if (!sg_proc_sgp)
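Review bot: `const struct sg_proc_leaf * leaf;` keeps the detached-asterisk spacing of the line it replaces; kernel style binds the declarator to the name, `const struct sg_proc_leaf *leaf;`, and since the line is rewritten anyway this is the moment to fix it. The constification itself is consistent with the `static const` table introduced at @@ -2310. sg_proc_init's body continues outside the hunk.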
34672 diff -urNp linux-3.0.9/drivers/scsi/sym53c8xx_2/sym_glue.c linux-3.0.9/drivers/scsi/sym53c8xx_2/sym_glue.c
34673 --- linux-3.0.9/drivers/scsi/sym53c8xx_2/sym_glue.c     2011-11-11 13:12:24.000000000 -0500
34674 +++ linux-3.0.9/drivers/scsi/sym53c8xx_2/sym_glue.c     2011-11-15 20:02:59.000000000 -0500
34675 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
34676         int do_iounmap = 0;
34677         int do_disable_device = 1;
34678  
34679 +       pax_track_stack();
34680 +
34681         memset(&sym_dev, 0, sizeof(sym_dev));
34682         memset(&nvram, 0, sizeof(nvram));
34683         sym_dev.pdev = pdev;
34684 diff -urNp linux-3.0.9/drivers/scsi/vmw_pvscsi.c linux-3.0.9/drivers/scsi/vmw_pvscsi.c
34685 --- linux-3.0.9/drivers/scsi/vmw_pvscsi.c       2011-11-11 13:12:24.000000000 -0500
34686 +++ linux-3.0.9/drivers/scsi/vmw_pvscsi.c       2011-11-15 20:02:59.000000000 -0500
34687 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
34688         dma_addr_t base;
34689         unsigned i;
34690  
34691 +       pax_track_stack();
34692 +
34693         cmd.ringsStatePPN   = adapter->ringStatePA >> PAGE_SHIFT;
34694         cmd.reqRingNumPages = adapter->req_pages;
34695         cmd.cmpRingNumPages = adapter->cmp_pages;
34696 diff -urNp linux-3.0.9/drivers/spi/dw_spi_pci.c linux-3.0.9/drivers/spi/dw_spi_pci.c
34697 --- linux-3.0.9/drivers/spi/dw_spi_pci.c        2011-11-11 13:12:24.000000000 -0500
34698 +++ linux-3.0.9/drivers/spi/dw_spi_pci.c        2011-11-15 20:02:59.000000000 -0500
34699 @@ -148,7 +148,7 @@ static int spi_resume(struct pci_dev *pd
34700  #define spi_resume     NULL
34701  #endif
34702  
34703 -static const struct pci_device_id pci_ids[] __devinitdata = {
34704 +static const struct pci_device_id pci_ids[] __devinitconst = {
34705         /* Intel MID platform SPI controller 0 */
34706         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0800) },
34707         {},
34708 diff -urNp linux-3.0.9/drivers/spi/spi.c linux-3.0.9/drivers/spi/spi.c
34709 --- linux-3.0.9/drivers/spi/spi.c       2011-11-11 13:12:24.000000000 -0500
34710 +++ linux-3.0.9/drivers/spi/spi.c       2011-11-15 20:02:59.000000000 -0500
34711 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
34712  EXPORT_SYMBOL_GPL(spi_bus_unlock);
34713  
34714  /* portable code must never pass more than 32 bytes */
34715 -#define        SPI_BUFSIZ      max(32,SMP_CACHE_BYTES)
34716 +#define        SPI_BUFSIZ      max(32UL,SMP_CACHE_BYTES)
34717  
34718  static u8      *buf;
34719  
34720 diff -urNp linux-3.0.9/drivers/staging/ath6kl/os/linux/ar6000_drv.c linux-3.0.9/drivers/staging/ath6kl/os/linux/ar6000_drv.c
34721 --- linux-3.0.9/drivers/staging/ath6kl/os/linux/ar6000_drv.c    2011-11-11 13:12:24.000000000 -0500
34722 +++ linux-3.0.9/drivers/staging/ath6kl/os/linux/ar6000_drv.c    2011-11-15 20:02:59.000000000 -0500
34723 @@ -362,7 +362,7 @@ static struct ar_cookie s_ar_cookie_mem[
34724          (((ar)->arTargetType == TARGET_TYPE_AR6003) ? AR6003_HOST_INTEREST_ITEM_ADDRESS(item) : 0))
34725  
34726  
34727 -static struct net_device_ops ar6000_netdev_ops = {
34728 +static net_device_ops_no_const ar6000_netdev_ops = {
34729      .ndo_init               = NULL,
34730      .ndo_open               = ar6000_open,
34731      .ndo_stop               = ar6000_close,
34732 diff -urNp linux-3.0.9/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h linux-3.0.9/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h
34733 --- linux-3.0.9/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h      2011-11-11 13:12:24.000000000 -0500
34734 +++ linux-3.0.9/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h      2011-11-15 20:02:59.000000000 -0500
34735 @@ -30,7 +30,7 @@ typedef bool (*ar6k_pal_recv_pkt_t)(void
34736  typedef struct ar6k_pal_config_s
34737  {
34738         ar6k_pal_recv_pkt_t fpar6k_pal_recv_pkt;
34739 -}ar6k_pal_config_t;
34740 +} __no_const ar6k_pal_config_t;
34741  
34742  void register_pal_cb(ar6k_pal_config_t *palConfig_p);
34743  #endif /* _AR6K_PAL_H_ */
34744 diff -urNp linux-3.0.9/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-3.0.9/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
34745 --- linux-3.0.9/drivers/staging/brcm80211/brcmfmac/dhd_linux.c  2011-11-11 13:12:24.000000000 -0500
34746 +++ linux-3.0.9/drivers/staging/brcm80211/brcmfmac/dhd_linux.c  2011-11-15 20:02:59.000000000 -0500
34747 @@ -853,14 +853,14 @@ static void dhd_op_if(dhd_if_t *ifp)
34748                         free_netdev(ifp->net);
34749                 }
34750                 /* Allocate etherdev, including space for private structure */
34751 -               ifp->net = alloc_etherdev(sizeof(dhd));
34752 +               ifp->net = alloc_etherdev(sizeof(*dhd));
34753                 if (!ifp->net) {
34754                         DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34755                         ret = -ENOMEM;
34756                 }
34757                 if (ret == 0) {
34758                         strcpy(ifp->net->name, ifp->name);
34759 -                       memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
34760 +                       memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
34761                         err = dhd_net_attach(&dhd->pub, ifp->idx);
34762                         if (err != 0) {
34763                                 DHD_ERROR(("%s: dhd_net_attach failed, "
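Review bot: Storing a copy of the object `dhd` points to in netdev_priv(), instead of the pointer itself, changes the contract for every netdev_priv() reader on these interfaces, and none of those readers is in the hunk; if they still load a pointer out of priv they will now interpret the first field of the copied struct as that pointer. The copy also diverges from the kmalloc'd object the code keeps using afterwards (`dhd_net_attach(&dhd->pub, ifp->idx)` on the very next line), so fields updated later on one side are not seen on the other — the second memcpy in dhd_attach (@@ -2004, after the one at @@ -1888) looks like an attempt to re-sync such a copy, which is fragile. If the original `sizeof(dhd)` merely tripped a sizeof-on-pointer check, the pointer-in-priv layout can be kept with the size spelled as the pointer type explicitly; either way the chosen layout should be confirmed against the readers and stated in a comment at the alloc_etherdev() call, here and at @@ -1872. dhd_op_if's body starts outside the hunk.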
34764 @@ -1872,7 +1872,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
34765                 strcpy(nv_path, nvram_path);
34766  
34767         /* Allocate etherdev, including space for private structure */
34768 -       net = alloc_etherdev(sizeof(dhd));
34769 +       net = alloc_etherdev(sizeof(*dhd));
34770         if (!net) {
34771                 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34772                 goto fail;
34773 @@ -1888,7 +1888,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
34774         /*
34775          * Save the dhd_info into the priv
34776          */
34777 -       memcpy(netdev_priv(net), &dhd, sizeof(dhd));
34778 +       memcpy(netdev_priv(net), dhd, sizeof(*dhd));
34779  
34780         /* Set network interface name if it was provided as module parameter */
34781         if (iface_name[0]) {
34782 @@ -2004,7 +2004,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
34783         /*
34784          * Save the dhd_info into the priv
34785          */
34786 -       memcpy(netdev_priv(net), &dhd, sizeof(dhd));
34787 +       memcpy(netdev_priv(net), dhd, sizeof(*dhd));
34788  
34789  #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
34790         g_bus = bus;
34791 diff -urNp linux-3.0.9/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h linux-3.0.9/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h
34792 --- linux-3.0.9/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h    2011-11-11 13:12:24.000000000 -0500
34793 +++ linux-3.0.9/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h    2011-11-15 20:02:59.000000000 -0500
34794 @@ -593,7 +593,7 @@ struct phy_func_ptr {
34795         initfn_t carrsuppr;
34796         rxsigpwrfn_t rxsigpwr;
34797         detachfn_t detach;
34798 -};
34799 +} __no_const;
34800  typedef struct phy_func_ptr phy_func_ptr_t;
34801  
34802  struct phy_info {
34803 diff -urNp linux-3.0.9/drivers/staging/brcm80211/include/bcmsdh.h linux-3.0.9/drivers/staging/brcm80211/include/bcmsdh.h
34804 --- linux-3.0.9/drivers/staging/brcm80211/include/bcmsdh.h      2011-11-11 13:12:24.000000000 -0500
34805 +++ linux-3.0.9/drivers/staging/brcm80211/include/bcmsdh.h      2011-11-15 20:02:59.000000000 -0500
34806 @@ -185,7 +185,7 @@ typedef struct {
34807                          u16 func, uint bustype, void *regsva, void *param);
34808         /* detach from device */
34809         void (*detach) (void *ch);
34810 -} bcmsdh_driver_t;
34811 +} __no_const bcmsdh_driver_t;
34812  
34813  /* platform specific/high level functions */
34814  extern int bcmsdh_register(bcmsdh_driver_t *driver);
34815 diff -urNp linux-3.0.9/drivers/staging/et131x/et1310_tx.c linux-3.0.9/drivers/staging/et131x/et1310_tx.c
34816 --- linux-3.0.9/drivers/staging/et131x/et1310_tx.c      2011-11-11 13:12:24.000000000 -0500
34817 +++ linux-3.0.9/drivers/staging/et131x/et1310_tx.c      2011-11-15 20:02:59.000000000 -0500
34818 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
34819         struct net_device_stats *stats = &etdev->net_stats;
34820  
34821         if (tcb->flags & fMP_DEST_BROAD)
34822 -               atomic_inc(&etdev->Stats.brdcstxmt);
34823 +               atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
34824         else if (tcb->flags & fMP_DEST_MULTI)
34825 -               atomic_inc(&etdev->Stats.multixmt);
34826 +               atomic_inc_unchecked(&etdev->Stats.multixmt);
34827         else
34828 -               atomic_inc(&etdev->Stats.unixmt);
34829 +               atomic_inc_unchecked(&etdev->Stats.unixmt);
34830  
34831         if (tcb->skb) {
34832                 stats->tx_bytes += tcb->skb->len;
34833 diff -urNp linux-3.0.9/drivers/staging/et131x/et131x_adapter.h linux-3.0.9/drivers/staging/et131x/et131x_adapter.h
34834 --- linux-3.0.9/drivers/staging/et131x/et131x_adapter.h 2011-11-11 13:12:24.000000000 -0500
34835 +++ linux-3.0.9/drivers/staging/et131x/et131x_adapter.h 2011-11-15 20:02:59.000000000 -0500
34836 @@ -110,11 +110,11 @@ typedef struct _ce_stats_t {
34837          * operations
34838          */
34839         u32 unircv;     /* # multicast packets received */
34840 -       atomic_t unixmt;        /* # multicast packets for Tx */
34841 +       atomic_unchecked_t unixmt;      /* # multicast packets for Tx */
34842         u32 multircv;   /* # multicast packets received */
34843 -       atomic_t multixmt;      /* # multicast packets for Tx */
34844 +       atomic_unchecked_t multixmt;    /* # multicast packets for Tx */
34845         u32 brdcstrcv;  /* # broadcast packets received */
34846 -       atomic_t brdcstxmt;     /* # broadcast packets for Tx */
34847 +       atomic_unchecked_t brdcstxmt;   /* # broadcast packets for Tx */
34848         u32 norcvbuf;   /* # Rx packets discarded */
34849         u32 noxmtbuf;   /* # Tx packets discarded */
34850  
34851 diff -urNp linux-3.0.9/drivers/staging/hv/channel.c linux-3.0.9/drivers/staging/hv/channel.c
34852 --- linux-3.0.9/drivers/staging/hv/channel.c    2011-11-11 13:12:24.000000000 -0500
34853 +++ linux-3.0.9/drivers/staging/hv/channel.c    2011-11-15 20:02:59.000000000 -0500
34854 @@ -433,8 +433,8 @@ int vmbus_establish_gpadl(struct vmbus_c
34855         int ret = 0;
34856         int t;
34857  
34858 -       next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
34859 -       atomic_inc(&vmbus_connection.next_gpadl_handle);
34860 +       next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
34861 +       atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
34862  
34863         ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
34864         if (ret)
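Review bot: `next_gpadl_handle = atomic_read_unchecked(...)` followed by `atomic_inc_unchecked(...)` is still a two-step read-then-increment, so two concurrent vmbus_establish_gpadl() callers can observe the same value and issue the same GPADL handle; the unchecked variants do not change that. Unless callers are serialized by a lock outside the hunk, the allocation should be a single atomic operation, `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1;`, which keeps handing out the pre-increment value the current code uses. rndis_filter.c in this same series already takes its request ids with atomic_inc_return_unchecked(). vmbus_establish_gpadl starts outside the hunk.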
34865 diff -urNp linux-3.0.9/drivers/staging/hv/hv.c linux-3.0.9/drivers/staging/hv/hv.c
34866 --- linux-3.0.9/drivers/staging/hv/hv.c 2011-11-11 13:12:24.000000000 -0500
34867 +++ linux-3.0.9/drivers/staging/hv/hv.c 2011-11-15 20:02:59.000000000 -0500
34868 @@ -132,7 +132,7 @@ static u64 do_hypercall(u64 control, voi
34869         u64 output_address = (output) ? virt_to_phys(output) : 0;
34870         u32 output_address_hi = output_address >> 32;
34871         u32 output_address_lo = output_address & 0xFFFFFFFF;
34872 -       volatile void *hypercall_page = hv_context.hypercall_page;
34873 +       volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
34874  
34875         __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
34876                               "=a"(hv_status_lo) : "d" (control_hi),
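Review bot: `ktva_ktla(hv_context.hypercall_page)` is an unexplained address translation on the target of the inline-asm `call *%8`; a maintainer without the PaX background cannot tell whether it is required or cosmetic. It is presumably needed because under KERNEXEC the executable mapping of the page is reached through a different address than the one stored in hv_context, but that should be confirmed and stated next to the line, e.g. `/* KERNEXEC: call the hypercall page through its linear alias (ktva_ktla), not the text virtual address */`. do_hypercall begins outside the hunk.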
34877 diff -urNp linux-3.0.9/drivers/staging/hv/hv_mouse.c linux-3.0.9/drivers/staging/hv/hv_mouse.c
34878 --- linux-3.0.9/drivers/staging/hv/hv_mouse.c   2011-11-11 13:12:24.000000000 -0500
34879 +++ linux-3.0.9/drivers/staging/hv/hv_mouse.c   2011-11-15 20:02:59.000000000 -0500
34880 @@ -879,8 +879,10 @@ static void reportdesc_callback(struct h
34881         if (hid_dev) {
34882                 DPRINT_INFO(INPUTVSC_DRV, "hid_device created");
34883  
34884 -               hid_dev->ll_driver->open  = mousevsc_hid_open;
34885 -               hid_dev->ll_driver->close = mousevsc_hid_close;
34886 +               pax_open_kernel();
34887 +               *(void **)&hid_dev->ll_driver->open  = mousevsc_hid_open;
34888 +               *(void **)&hid_dev->ll_driver->close = mousevsc_hid_close;
34889 +               pax_close_kernel();
34890  
34891                 hid_dev->bus = BUS_VIRTUAL;
34892                 hid_dev->vendor = input_device_ctx->device_info.vendor;
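Review bot: `*(void **)&hid_dev->ll_driver->open = mousevsc_hid_open;` writes a function pointer through a `void **` cast, which also disables the compiler's check that mousevsc_hid_open matches the `open` callback type; the cast is presumably there only to get past the constification of the ops struct. A comment should say so, e.g. `/* ll_driver ops are read-only under KERNEXEC; patch the two callbacks inside pax_open_kernel()/pax_close_kernel() */`, and the open/close window should stay as narrow as it is now (just the two stores). If ll_driver points at a driver-wide struct rather than a per-device one, patching it here changes the callbacks for every device that shares it — pre-existing, but worth stating next to the write. reportdesc_callback begins outside the hunk.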
34893 diff -urNp linux-3.0.9/drivers/staging/hv/hyperv_vmbus.h linux-3.0.9/drivers/staging/hv/hyperv_vmbus.h
34894 --- linux-3.0.9/drivers/staging/hv/hyperv_vmbus.h       2011-11-11 13:12:24.000000000 -0500
34895 +++ linux-3.0.9/drivers/staging/hv/hyperv_vmbus.h       2011-11-15 20:02:59.000000000 -0500
34896 @@ -559,7 +559,7 @@ enum vmbus_connect_state {
34897  struct vmbus_connection {
34898         enum vmbus_connect_state conn_state;
34899  
34900 -       atomic_t next_gpadl_handle;
34901 +       atomic_unchecked_t next_gpadl_handle;
34902  
34903         /*
34904          * Represents channel interrupts. Each bit position represents a
34905 diff -urNp linux-3.0.9/drivers/staging/hv/rndis_filter.c linux-3.0.9/drivers/staging/hv/rndis_filter.c
34906 --- linux-3.0.9/drivers/staging/hv/rndis_filter.c       2011-11-11 13:12:24.000000000 -0500
34907 +++ linux-3.0.9/drivers/staging/hv/rndis_filter.c       2011-11-15 20:02:59.000000000 -0500
34908 @@ -43,7 +43,7 @@ struct rndis_device {
34909  
34910         enum rndis_device_state state;
34911         u32 link_stat;
34912 -       atomic_t new_req_id;
34913 +       atomic_unchecked_t new_req_id;
34914  
34915         spinlock_t request_lock;
34916         struct list_head req_list;
34917 @@ -117,7 +117,7 @@ static struct rndis_request *get_rndis_r
34918          * template
34919          */
34920         set = &rndis_msg->msg.set_req;
34921 -       set->req_id = atomic_inc_return(&dev->new_req_id);
34922 +       set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34923  
34924         /* Add to the request list */
34925         spin_lock_irqsave(&dev->request_lock, flags);
34926 @@ -637,7 +637,7 @@ static void rndis_filter_halt_device(str
34927  
34928         /* Setup the rndis set */
34929         halt = &request->request_msg.msg.halt_req;
34930 -       halt->req_id = atomic_inc_return(&dev->new_req_id);
34931 +       halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34932  
34933         /* Ignore return since this msg is optional. */
34934         rndis_filter_send_request(dev, request);
34935 diff -urNp linux-3.0.9/drivers/staging/hv/vmbus_drv.c linux-3.0.9/drivers/staging/hv/vmbus_drv.c
34936 --- linux-3.0.9/drivers/staging/hv/vmbus_drv.c  2011-11-11 13:12:24.000000000 -0500
34937 +++ linux-3.0.9/drivers/staging/hv/vmbus_drv.c  2011-11-15 20:02:59.000000000 -0500
34938 @@ -668,11 +668,11 @@ int vmbus_child_device_register(struct h
34939  {
34940         int ret = 0;
34941  
34942 -       static atomic_t device_num = ATOMIC_INIT(0);
34943 +       static atomic_unchecked_t device_num = ATOMIC_INIT(0);
34944  
34945         /* Set the device name. Otherwise, device_register() will fail. */
34946         dev_set_name(&child_device_obj->device, "vmbus_0_%d",
34947 -                    atomic_inc_return(&device_num));
34948 +                    atomic_inc_return_unchecked(&device_num));
34949  
34950         /* The new device belongs to this bus */
34951         child_device_obj->device.bus = &hv_bus; /* device->dev.bus; */
34952 diff -urNp linux-3.0.9/drivers/staging/iio/ring_generic.h linux-3.0.9/drivers/staging/iio/ring_generic.h
34953 --- linux-3.0.9/drivers/staging/iio/ring_generic.h      2011-11-11 13:12:24.000000000 -0500
34954 +++ linux-3.0.9/drivers/staging/iio/ring_generic.h      2011-11-15 20:02:59.000000000 -0500
34955 @@ -62,7 +62,7 @@ struct iio_ring_access_funcs {
34956  
34957         int (*is_enabled)(struct iio_ring_buffer *ring);
34958         int (*enable)(struct iio_ring_buffer *ring);
34959 -};
34960 +} __no_const;
34961  
34962  struct iio_ring_setup_ops {
34963         int                             (*preenable)(struct iio_dev *);
34964 diff -urNp linux-3.0.9/drivers/staging/octeon/ethernet.c linux-3.0.9/drivers/staging/octeon/ethernet.c
34965 --- linux-3.0.9/drivers/staging/octeon/ethernet.c       2011-11-11 13:12:24.000000000 -0500
34966 +++ linux-3.0.9/drivers/staging/octeon/ethernet.c       2011-11-15 20:02:59.000000000 -0500
34967 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
34968                  * since the RX tasklet also increments it.
34969                  */
34970  #ifdef CONFIG_64BIT
34971 -               atomic64_add(rx_status.dropped_packets,
34972 -                            (atomic64_t *)&priv->stats.rx_dropped);
34973 +               atomic64_add_unchecked(rx_status.dropped_packets,
34974 +                            (atomic64_unchecked_t *)&priv->stats.rx_dropped);
34975  #else
34976 -               atomic_add(rx_status.dropped_packets,
34977 -                            (atomic_t *)&priv->stats.rx_dropped);
34978 +               atomic_add_unchecked(rx_status.dropped_packets,
34979 +                            (atomic_unchecked_t *)&priv->stats.rx_dropped);
34980  #endif
34981         }
34982  
34983 diff -urNp linux-3.0.9/drivers/staging/octeon/ethernet-rx.c linux-3.0.9/drivers/staging/octeon/ethernet-rx.c
34984 --- linux-3.0.9/drivers/staging/octeon/ethernet-rx.c    2011-11-11 13:12:24.000000000 -0500
34985 +++ linux-3.0.9/drivers/staging/octeon/ethernet-rx.c    2011-11-15 20:02:59.000000000 -0500
34986 @@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
34987                                 /* Increment RX stats for virtual ports */
34988                                 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
34989  #ifdef CONFIG_64BIT
34990 -                                       atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
34991 -                                       atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
34992 +                                       atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
34993 +                                       atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
34994  #else
34995 -                                       atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
34996 -                                       atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
34997 +                                       atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
34998 +                                       atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
34999  #endif
35000                                 }
35001                                 netif_receive_skb(skb);
35002 @@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
35003                                            dev->name);
35004                                 */
35005  #ifdef CONFIG_64BIT
35006 -                               atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
35007 +                               atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
35008  #else
35009 -                               atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
35010 +                               atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
35011  #endif
35012                                 dev_kfree_skb_irq(skb);
35013                         }
35014 diff -urNp linux-3.0.9/drivers/staging/pohmelfs/inode.c linux-3.0.9/drivers/staging/pohmelfs/inode.c
35015 --- linux-3.0.9/drivers/staging/pohmelfs/inode.c        2011-11-11 13:12:24.000000000 -0500
35016 +++ linux-3.0.9/drivers/staging/pohmelfs/inode.c        2011-11-15 20:02:59.000000000 -0500
35017 @@ -1856,7 +1856,7 @@ static int pohmelfs_fill_super(struct su
35018         mutex_init(&psb->mcache_lock);
35019         psb->mcache_root = RB_ROOT;
35020         psb->mcache_timeout = msecs_to_jiffies(5000);
35021 -       atomic_long_set(&psb->mcache_gen, 0);
35022 +       atomic_long_set_unchecked(&psb->mcache_gen, 0);
35023  
35024         psb->trans_max_pages = 100;
35025  
35026 @@ -1871,7 +1871,7 @@ static int pohmelfs_fill_super(struct su
35027         INIT_LIST_HEAD(&psb->crypto_ready_list);
35028         INIT_LIST_HEAD(&psb->crypto_active_list);
35029  
35030 -       atomic_set(&psb->trans_gen, 1);
35031 +       atomic_set_unchecked(&psb->trans_gen, 1);
35032         atomic_long_set(&psb->total_inodes, 0);
35033  
35034         mutex_init(&psb->state_lock);
35035 diff -urNp linux-3.0.9/drivers/staging/pohmelfs/mcache.c linux-3.0.9/drivers/staging/pohmelfs/mcache.c
35036 --- linux-3.0.9/drivers/staging/pohmelfs/mcache.c       2011-11-11 13:12:24.000000000 -0500
35037 +++ linux-3.0.9/drivers/staging/pohmelfs/mcache.c       2011-11-15 20:02:59.000000000 -0500
35038 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
35039         m->data = data;
35040         m->start = start;
35041         m->size = size;
35042 -       m->gen = atomic_long_inc_return(&psb->mcache_gen);
35043 +       m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
35044  
35045         mutex_lock(&psb->mcache_lock);
35046         err = pohmelfs_mcache_insert(psb, m);
35047 diff -urNp linux-3.0.9/drivers/staging/pohmelfs/netfs.h linux-3.0.9/drivers/staging/pohmelfs/netfs.h
35048 --- linux-3.0.9/drivers/staging/pohmelfs/netfs.h        2011-11-11 13:12:24.000000000 -0500
35049 +++ linux-3.0.9/drivers/staging/pohmelfs/netfs.h        2011-11-15 20:02:59.000000000 -0500
35050 @@ -571,14 +571,14 @@ struct pohmelfs_config;
35051  struct pohmelfs_sb {
35052         struct rb_root          mcache_root;
35053         struct mutex            mcache_lock;
35054 -       atomic_long_t           mcache_gen;
35055 +       atomic_long_unchecked_t mcache_gen;
35056         unsigned long           mcache_timeout;
35057  
35058         unsigned int            idx;
35059  
35060         unsigned int            trans_retries;
35061  
35062 -       atomic_t                trans_gen;
35063 +       atomic_unchecked_t      trans_gen;
35064  
35065         unsigned int            crypto_attached_size;
35066         unsigned int            crypto_align_size;
35067 diff -urNp linux-3.0.9/drivers/staging/pohmelfs/trans.c linux-3.0.9/drivers/staging/pohmelfs/trans.c
35068 --- linux-3.0.9/drivers/staging/pohmelfs/trans.c        2011-11-11 13:12:24.000000000 -0500
35069 +++ linux-3.0.9/drivers/staging/pohmelfs/trans.c        2011-11-15 20:02:59.000000000 -0500
35070 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
35071         int err;
35072         struct netfs_cmd *cmd = t->iovec.iov_base;
35073  
35074 -       t->gen = atomic_inc_return(&psb->trans_gen);
35075 +       t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
35076  
35077         cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
35078                 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
35079 diff -urNp linux-3.0.9/drivers/staging/rtl8712/rtl871x_io.h linux-3.0.9/drivers/staging/rtl8712/rtl871x_io.h
35080 --- linux-3.0.9/drivers/staging/rtl8712/rtl871x_io.h    2011-11-11 13:12:24.000000000 -0500
35081 +++ linux-3.0.9/drivers/staging/rtl8712/rtl871x_io.h    2011-11-15 20:02:59.000000000 -0500
35082 @@ -83,7 +83,7 @@ struct        _io_ops {
35083                           u8 *pmem);
35084         u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
35085                            u8 *pmem);
35086 -};
35087 +} __no_const;
35088  
35089  struct io_req {
35090         struct list_head list;
35091 diff -urNp linux-3.0.9/drivers/staging/sbe-2t3e3/netdev.c linux-3.0.9/drivers/staging/sbe-2t3e3/netdev.c
35092 --- linux-3.0.9/drivers/staging/sbe-2t3e3/netdev.c      2011-11-11 13:12:24.000000000 -0500
35093 +++ linux-3.0.9/drivers/staging/sbe-2t3e3/netdev.c      2011-11-15 20:02:59.000000000 -0500
35094 @@ -51,7 +51,7 @@ int t3e3_ioctl(struct net_device *dev, s
35095         t3e3_if_config(sc, cmd_2t3e3, (char *)&param, &resp, &rlen);
35096  
35097         if (rlen)
35098 -               if (copy_to_user(data, &resp, rlen))
35099 +               if (rlen > sizeof resp || copy_to_user(data, &resp, rlen))
35100                         return -EFAULT;
35101  
35102         return 0;
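Review bot: The new `rlen > sizeof resp` guard stops copy_to_user() from reading past `resp` on the kernel stack, but reporting it as -EFAULT attributes an internal driver inconsistency to user space: `rlen` is produced by t3e3_if_config() on the line above, not supplied by the caller, so an oversized value is a driver bug rather than a bad user pointer. Splitting it makes the bug visible instead of silent: `if (WARN_ON_ONCE(rlen > sizeof resp)) return -EINVAL;` placed before the existing `if (rlen) if (copy_to_user(data, &resp, rlen)) return -EFAULT;`. t3e3_ioctl() starts outside the hunk.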
35103 diff -urNp linux-3.0.9/drivers/staging/tty/stallion.c linux-3.0.9/drivers/staging/tty/stallion.c
35104 --- linux-3.0.9/drivers/staging/tty/stallion.c  2011-11-11 13:12:24.000000000 -0500
35105 +++ linux-3.0.9/drivers/staging/tty/stallion.c  2011-11-15 20:02:59.000000000 -0500
35106 @@ -2406,6 +2406,8 @@ static int stl_getportstruct(struct stlp
35107         struct stlport  stl_dummyport;
35108         struct stlport  *portp;
35109  
35110 +       pax_track_stack();
35111 +
35112         if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
35113                 return -EFAULT;
35114         portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
35115 diff -urNp linux-3.0.9/drivers/staging/usbip/usbip_common.h linux-3.0.9/drivers/staging/usbip/usbip_common.h
35116 --- linux-3.0.9/drivers/staging/usbip/usbip_common.h    2011-11-11 13:12:24.000000000 -0500
35117 +++ linux-3.0.9/drivers/staging/usbip/usbip_common.h    2011-11-15 20:02:59.000000000 -0500
35118 @@ -315,7 +315,7 @@ struct usbip_device {
35119                 void (*shutdown)(struct usbip_device *);
35120                 void (*reset)(struct usbip_device *);
35121                 void (*unusable)(struct usbip_device *);
35122 -       } eh_ops;
35123 +       } __no_const eh_ops;
35124  };
35125  
35126  void usbip_pack_pdu(struct usbip_header *pdu, struct urb *urb, int cmd,
35127 diff -urNp linux-3.0.9/drivers/staging/usbip/vhci.h linux-3.0.9/drivers/staging/usbip/vhci.h
35128 --- linux-3.0.9/drivers/staging/usbip/vhci.h    2011-11-11 13:12:24.000000000 -0500
35129 +++ linux-3.0.9/drivers/staging/usbip/vhci.h    2011-11-15 20:02:59.000000000 -0500
35130 @@ -94,7 +94,7 @@ struct vhci_hcd {
35131         unsigned resuming:1;
35132         unsigned long re_timeout;
35133  
35134 -       atomic_t seqnum;
35135 +       atomic_unchecked_t seqnum;
35136  
35137         /*
35138          * NOTE:
35139 diff -urNp linux-3.0.9/drivers/staging/usbip/vhci_hcd.c linux-3.0.9/drivers/staging/usbip/vhci_hcd.c
35140 --- linux-3.0.9/drivers/staging/usbip/vhci_hcd.c        2011-11-11 13:12:24.000000000 -0500
35141 +++ linux-3.0.9/drivers/staging/usbip/vhci_hcd.c        2011-11-15 20:02:59.000000000 -0500
35142 @@ -511,7 +511,7 @@ static void vhci_tx_urb(struct urb *urb)
35143                 return;
35144         }
35145  
35146 -       priv->seqnum = atomic_inc_return(&the_controller->seqnum);
35147 +       priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
35148         if (priv->seqnum == 0xffff)
35149                 dev_info(&urb->dev->dev, "seqnum max\n");
35150  
35151 @@ -765,7 +765,7 @@ static int vhci_urb_dequeue(struct usb_h
35152                         return -ENOMEM;
35153                 }
35154  
35155 -               unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
35156 +               unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
35157                 if (unlink->seqnum == 0xffff)
35158                         pr_info("seqnum max\n");
35159  
35160 @@ -955,7 +955,7 @@ static int vhci_start(struct usb_hcd *hc
35161                 vdev->rhport = rhport;
35162         }
35163  
35164 -       atomic_set(&vhci->seqnum, 0);
35165 +       atomic_set_unchecked(&vhci->seqnum, 0);
35166         spin_lock_init(&vhci->lock);
35167  
35168         hcd->power_budget = 0; /* no limit */
35169 diff -urNp linux-3.0.9/drivers/staging/usbip/vhci_rx.c linux-3.0.9/drivers/staging/usbip/vhci_rx.c
35170 --- linux-3.0.9/drivers/staging/usbip/vhci_rx.c 2011-11-11 13:12:24.000000000 -0500
35171 +++ linux-3.0.9/drivers/staging/usbip/vhci_rx.c 2011-11-15 20:02:59.000000000 -0500
35172 @@ -76,7 +76,7 @@ static void vhci_recv_ret_submit(struct 
35173         if (!urb) {
35174                 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
35175                 pr_info("max seqnum %d\n",
35176 -                       atomic_read(&the_controller->seqnum));
35177 +                       atomic_read_unchecked(&the_controller->seqnum));
35178                 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
35179                 return;
35180         }
35181 diff -urNp linux-3.0.9/drivers/staging/vt6655/hostap.c linux-3.0.9/drivers/staging/vt6655/hostap.c
35182 --- linux-3.0.9/drivers/staging/vt6655/hostap.c 2011-11-11 13:12:24.000000000 -0500
35183 +++ linux-3.0.9/drivers/staging/vt6655/hostap.c 2011-11-15 20:02:59.000000000 -0500
35184 @@ -79,14 +79,13 @@ static int          msglevel            
35185   *
35186   */
35187  
35188 +static net_device_ops_no_const apdev_netdev_ops;
35189 +
35190  static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
35191  {
35192      PSDevice apdev_priv;
35193         struct net_device *dev = pDevice->dev;
35194         int ret;
35195 -       const struct net_device_ops apdev_netdev_ops = {
35196 -               .ndo_start_xmit         = pDevice->tx_80211,
35197 -       };
35198  
35199      DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
35200  
35201 @@ -98,6 +97,8 @@ static int hostap_enable_hostapd(PSDevic
35202      *apdev_priv = *pDevice;
35203         memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
35204  
35205 +       /* only half broken now */
35206 +       apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
35207         pDevice->apdev->netdev_ops = &apdev_netdev_ops;
35208  
35209         pDevice->apdev->type = ARPHRD_IEEE80211;
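Review bot: `apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;` writes a file-scope static that is shared by every device this driver manages, so with more than one adapter the last call to hostap_enable_hostapd() overwrites the ops used by the others, and nothing serialises the write. The stack-local const struct it replaces was per-call but its address outlived the function once stored in `pDevice->apdev->netdev_ops`, which is presumably the half that `/* only half broken now */` refers to; the comment should say what remains broken, e.g. `/* shared by all devices of this driver: correct only while tx_80211 is the same function for every instance */`. If tx_80211 differs between instances the ops struct has to live in the per-device private data instead. The same change appears in drivers/staging/vt6656/hostap.c below. hostap_enable_hostapd() starts and ends outside the hunk.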
35210 diff -urNp linux-3.0.9/drivers/staging/vt6656/hostap.c linux-3.0.9/drivers/staging/vt6656/hostap.c
35211 --- linux-3.0.9/drivers/staging/vt6656/hostap.c 2011-11-11 13:12:24.000000000 -0500
35212 +++ linux-3.0.9/drivers/staging/vt6656/hostap.c 2011-11-15 20:02:59.000000000 -0500
35213 @@ -80,14 +80,13 @@ static int          msglevel            
35214   *
35215   */
35216  
35217 +static net_device_ops_no_const apdev_netdev_ops;
35218 +
35219  static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
35220  {
35221      PSDevice apdev_priv;
35222         struct net_device *dev = pDevice->dev;
35223         int ret;
35224 -       const struct net_device_ops apdev_netdev_ops = {
35225 -               .ndo_start_xmit         = pDevice->tx_80211,
35226 -       };
35227  
35228      DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
35229  
35230 @@ -99,6 +98,8 @@ static int hostap_enable_hostapd(PSDevic
35231      *apdev_priv = *pDevice;
35232         memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
35233  
35234 +       /* only half broken now */
35235 +       apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
35236         pDevice->apdev->netdev_ops = &apdev_netdev_ops;
35237  
35238         pDevice->apdev->type = ARPHRD_IEEE80211;
35239 diff -urNp linux-3.0.9/drivers/staging/wlan-ng/hfa384x_usb.c linux-3.0.9/drivers/staging/wlan-ng/hfa384x_usb.c
35240 --- linux-3.0.9/drivers/staging/wlan-ng/hfa384x_usb.c   2011-11-11 13:12:24.000000000 -0500
35241 +++ linux-3.0.9/drivers/staging/wlan-ng/hfa384x_usb.c   2011-11-15 20:02:59.000000000 -0500
35242 @@ -204,7 +204,7 @@ static void unlocked_usbctlx_complete(hf
35243  
35244  struct usbctlx_completor {
35245         int (*complete) (struct usbctlx_completor *);
35246 -};
35247 +} __no_const;
35248  
35249  static int
35250  hfa384x_usbctlx_complete_sync(hfa384x_t *hw,
35251 diff -urNp linux-3.0.9/drivers/staging/zcache/tmem.c linux-3.0.9/drivers/staging/zcache/tmem.c
35252 --- linux-3.0.9/drivers/staging/zcache/tmem.c   2011-11-11 13:12:24.000000000 -0500
35253 +++ linux-3.0.9/drivers/staging/zcache/tmem.c   2011-11-15 20:02:59.000000000 -0500
35254 @@ -39,7 +39,7 @@
35255   * A tmem host implementation must use this function to register callbacks
35256   * for memory allocation.
35257   */
35258 -static struct tmem_hostops tmem_hostops;
35259 +static tmem_hostops_no_const tmem_hostops;
35260  
35261  static void tmem_objnode_tree_init(void);
35262  
35263 @@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
35264   * A tmem host implementation must use this function to register
35265   * callbacks for a page-accessible memory (PAM) implementation
35266   */
35267 -static struct tmem_pamops tmem_pamops;
35268 +static tmem_pamops_no_const tmem_pamops;
35269  
35270  void tmem_register_pamops(struct tmem_pamops *m)
35271  {
35272 diff -urNp linux-3.0.9/drivers/staging/zcache/tmem.h linux-3.0.9/drivers/staging/zcache/tmem.h
35273 --- linux-3.0.9/drivers/staging/zcache/tmem.h   2011-11-11 13:12:24.000000000 -0500
35274 +++ linux-3.0.9/drivers/staging/zcache/tmem.h   2011-11-15 20:02:59.000000000 -0500
35275 @@ -171,6 +171,7 @@ struct tmem_pamops {
35276         int (*get_data)(struct page *, void *, struct tmem_pool *);
35277         void (*free)(void *, struct tmem_pool *);
35278  };
35279 +typedef struct tmem_pamops __no_const tmem_pamops_no_const;
35280  extern void tmem_register_pamops(struct tmem_pamops *m);
35281  
35282  /* memory allocation methods provided by the host implementation */
35283 @@ -180,6 +181,7 @@ struct tmem_hostops {
35284         struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *);
35285         void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *);
35286  };
35287 +typedef struct tmem_hostops __no_const tmem_hostops_no_const;
35288  extern void tmem_register_hostops(struct tmem_hostops *m);
35289  
35290  /* core tmem accessor functions */
35291 diff -urNp linux-3.0.9/drivers/target/target_core_alua.c linux-3.0.9/drivers/target/target_core_alua.c
35292 --- linux-3.0.9/drivers/target/target_core_alua.c       2011-11-11 13:12:24.000000000 -0500
35293 +++ linux-3.0.9/drivers/target/target_core_alua.c       2011-11-15 20:02:59.000000000 -0500
35294 @@ -695,6 +695,8 @@ static int core_alua_update_tpg_primary_
35295         char path[ALUA_METADATA_PATH_LEN];
35296         int len;
35297  
35298 +       pax_track_stack();
35299 +
35300         memset(path, 0, ALUA_METADATA_PATH_LEN);
35301  
35302         len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
35303 @@ -958,6 +960,8 @@ static int core_alua_update_tpg_secondar
35304         char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
35305         int len;
35306  
35307 +       pax_track_stack();
35308 +
35309         memset(path, 0, ALUA_METADATA_PATH_LEN);
35310         memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
35311  
35312 diff -urNp linux-3.0.9/drivers/target/target_core_cdb.c linux-3.0.9/drivers/target/target_core_cdb.c
35313 --- linux-3.0.9/drivers/target/target_core_cdb.c        2011-11-11 13:12:24.000000000 -0500
35314 +++ linux-3.0.9/drivers/target/target_core_cdb.c        2011-11-15 20:02:59.000000000 -0500
35315 @@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
35316         int length = 0;
35317         unsigned char buf[SE_MODE_PAGE_BUF];
35318  
35319 +       pax_track_stack();
35320 +
35321         memset(buf, 0, SE_MODE_PAGE_BUF);
35322  
35323         switch (cdb[2] & 0x3f) {
35324 diff -urNp linux-3.0.9/drivers/target/target_core_configfs.c linux-3.0.9/drivers/target/target_core_configfs.c
35325 --- linux-3.0.9/drivers/target/target_core_configfs.c   2011-11-11 13:12:24.000000000 -0500
35326 +++ linux-3.0.9/drivers/target/target_core_configfs.c   2011-11-15 20:02:59.000000000 -0500
35327 @@ -1276,6 +1276,8 @@ static ssize_t target_core_dev_pr_show_a
35328         ssize_t len = 0;
35329         int reg_count = 0, prf_isid;
35330  
35331 +       pax_track_stack();
35332 +
35333         if (!(su_dev->se_dev_ptr))
35334                 return -ENODEV;
35335  
35336 diff -urNp linux-3.0.9/drivers/target/target_core_pr.c linux-3.0.9/drivers/target/target_core_pr.c
35337 --- linux-3.0.9/drivers/target/target_core_pr.c 2011-11-11 13:12:24.000000000 -0500
35338 +++ linux-3.0.9/drivers/target/target_core_pr.c 2011-11-15 20:02:59.000000000 -0500
35339 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
35340         unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
35341         u16 tpgt;
35342  
35343 +       pax_track_stack();
35344 +
35345         memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
35346         memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
35347         /*
35348 @@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
35349         ssize_t len = 0;
35350         int reg_count = 0;
35351  
35352 +       pax_track_stack();
35353 +
35354         memset(buf, 0, pr_aptpl_buf_len);
35355         /*
35356          * Called to clear metadata once APTPL has been deactivated.
35357 @@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
35358         char path[512];
35359         int ret;
35360  
35361 +       pax_track_stack();
35362 +
35363         memset(iov, 0, sizeof(struct iovec));
35364         memset(path, 0, 512);
35365  
35366 diff -urNp linux-3.0.9/drivers/target/target_core_tmr.c linux-3.0.9/drivers/target/target_core_tmr.c
35367 --- linux-3.0.9/drivers/target/target_core_tmr.c        2011-11-11 13:12:24.000000000 -0500
35368 +++ linux-3.0.9/drivers/target/target_core_tmr.c        2011-11-15 20:02:59.000000000 -0500
35369 @@ -269,7 +269,7 @@ int core_tmr_lun_reset(
35370                         CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
35371                         T_TASK(cmd)->t_task_cdbs,
35372                         atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
35373 -                       atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
35374 +                       atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
35375                         atomic_read(&T_TASK(cmd)->t_transport_active),
35376                         atomic_read(&T_TASK(cmd)->t_transport_stop),
35377                         atomic_read(&T_TASK(cmd)->t_transport_sent));
35378 @@ -311,7 +311,7 @@ int core_tmr_lun_reset(
35379                         DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
35380                                 " task: %p, t_fe_count: %d dev: %p\n", task,
35381                                 fe_count, dev);
35382 -                       atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
35383 +                       atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
35384                         spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
35385                                                 flags);
35386                         core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35387 @@ -321,7 +321,7 @@ int core_tmr_lun_reset(
35388                 }
35389                 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
35390                         " t_fe_count: %d dev: %p\n", task, fe_count, dev);
35391 -               atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
35392 +               atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
35393                 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
35394                 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35395  
35396 diff -urNp linux-3.0.9/drivers/target/target_core_transport.c linux-3.0.9/drivers/target/target_core_transport.c
35397 --- linux-3.0.9/drivers/target/target_core_transport.c  2011-11-11 13:12:24.000000000 -0500
35398 +++ linux-3.0.9/drivers/target/target_core_transport.c  2011-11-15 20:02:59.000000000 -0500
35399 @@ -1681,7 +1681,7 @@ struct se_device *transport_add_device_t
35400  
35401         dev->queue_depth        = dev_limits->queue_depth;
35402         atomic_set(&dev->depth_left, dev->queue_depth);
35403 -       atomic_set(&dev->dev_ordered_id, 0);
35404 +       atomic_set_unchecked(&dev->dev_ordered_id, 0);
35405  
35406         se_dev_set_default_attribs(dev, dev_limits);
35407  
35408 @@ -1882,7 +1882,7 @@ static int transport_check_alloc_task_at
35409          * Used to determine when ORDERED commands should go from
35410          * Dormant to Active status.
35411          */
35412 -       cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
35413 +       cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
35414         smp_mb__after_atomic_inc();
35415         DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
35416                         cmd->se_ordered_id, cmd->sam_task_attr,
35417 @@ -2169,7 +2169,7 @@ static void transport_generic_request_fa
35418                 " t_transport_active: %d t_transport_stop: %d"
35419                 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
35420                 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
35421 -               atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
35422 +               atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
35423                 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
35424                 atomic_read(&T_TASK(cmd)->t_transport_active),
35425                 atomic_read(&T_TASK(cmd)->t_transport_stop),
35426 @@ -2673,9 +2673,9 @@ check_depth:
35427         spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
35428         atomic_set(&task->task_active, 1);
35429         atomic_set(&task->task_sent, 1);
35430 -       atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
35431 +       atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
35432  
35433 -       if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
35434 +       if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
35435             T_TASK(cmd)->t_task_cdbs)
35436                 atomic_set(&cmd->transport_sent, 1);
35437  
35438 @@ -5568,7 +5568,7 @@ static void transport_generic_wait_for_t
35439                 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
35440         }
35441         if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
35442 -            atomic_read(&T_TASK(cmd)->t_transport_aborted))
35443 +            atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
35444                 goto remove;
35445  
35446         atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
35447 @@ -5797,7 +5797,7 @@ int transport_check_aborted_status(struc
35448  {
35449         int ret = 0;
35450  
35451 -       if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
35452 +       if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
35453                 if (!(send_status) ||
35454                      (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
35455                         return 1;
35456 @@ -5825,7 +5825,7 @@ void transport_send_task_abort(struct se
35457          */
35458         if (cmd->data_direction == DMA_TO_DEVICE) {
35459                 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
35460 -                       atomic_inc(&T_TASK(cmd)->t_transport_aborted);
35461 +                       atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
35462                         smp_mb__after_atomic_inc();
35463                         cmd->scsi_status = SAM_STAT_TASK_ABORTED;
35464                         transport_new_cmd_failure(cmd);
35465 @@ -5949,7 +5949,7 @@ static void transport_processing_shutdow
35466                         CMD_TFO(cmd)->get_task_tag(cmd),
35467                         T_TASK(cmd)->t_task_cdbs,
35468                         atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
35469 -                       atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
35470 +                       atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
35471                         atomic_read(&T_TASK(cmd)->t_transport_active),
35472                         atomic_read(&T_TASK(cmd)->t_transport_stop),
35473                         atomic_read(&T_TASK(cmd)->t_transport_sent));
35474 diff -urNp linux-3.0.9/drivers/telephony/ixj.c linux-3.0.9/drivers/telephony/ixj.c
35475 --- linux-3.0.9/drivers/telephony/ixj.c 2011-11-11 13:12:24.000000000 -0500
35476 +++ linux-3.0.9/drivers/telephony/ixj.c 2011-11-15 20:02:59.000000000 -0500
35477 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
35478         bool mContinue;
35479         char *pIn, *pOut;
35480  
35481 +       pax_track_stack();
35482 +
35483         if (!SCI_Prepare(j))
35484                 return 0;
35485  
35486 diff -urNp linux-3.0.9/drivers/tty/hvc/hvcs.c linux-3.0.9/drivers/tty/hvc/hvcs.c
35487 --- linux-3.0.9/drivers/tty/hvc/hvcs.c  2011-11-11 13:12:24.000000000 -0500
35488 +++ linux-3.0.9/drivers/tty/hvc/hvcs.c  2011-11-15 20:02:59.000000000 -0500
35489 @@ -83,6 +83,7 @@
35490  #include <asm/hvcserver.h>
35491  #include <asm/uaccess.h>
35492  #include <asm/vio.h>
35493 +#include <asm/local.h>
35494  
35495  /*
35496   * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
35497 @@ -270,7 +271,7 @@ struct hvcs_struct {
35498         unsigned int index;
35499  
35500         struct tty_struct *tty;
35501 -       int open_count;
35502 +       local_t open_count;
35503  
35504         /*
35505          * Used to tell the driver kernel_thread what operations need to take
35506 @@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
35507  
35508         spin_lock_irqsave(&hvcsd->lock, flags);
35509  
35510 -       if (hvcsd->open_count > 0) {
35511 +       if (local_read(&hvcsd->open_count) > 0) {
35512                 spin_unlock_irqrestore(&hvcsd->lock, flags);
35513                 printk(KERN_INFO "HVCS: vterm state unchanged.  "
35514                                 "The hvcs device node is still in use.\n");
35515 @@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
35516                 if ((retval = hvcs_partner_connect(hvcsd)))
35517                         goto error_release;
35518  
35519 -       hvcsd->open_count = 1;
35520 +       local_set(&hvcsd->open_count, 1);
35521         hvcsd->tty = tty;
35522         tty->driver_data = hvcsd;
35523  
35524 @@ -1179,7 +1180,7 @@ fast_open:
35525  
35526         spin_lock_irqsave(&hvcsd->lock, flags);
35527         kref_get(&hvcsd->kref);
35528 -       hvcsd->open_count++;
35529 +       local_inc(&hvcsd->open_count);
35530         hvcsd->todo_mask |= HVCS_SCHED_READ;
35531         spin_unlock_irqrestore(&hvcsd->lock, flags);
35532  
35533 @@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
35534         hvcsd = tty->driver_data;
35535  
35536         spin_lock_irqsave(&hvcsd->lock, flags);
35537 -       if (--hvcsd->open_count == 0) {
35538 +       if (local_dec_and_test(&hvcsd->open_count)) {
35539  
35540                 vio_disable_interrupts(hvcsd->vdev);
35541  
35542 @@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
35543                 free_irq(irq, hvcsd);
35544                 kref_put(&hvcsd->kref, destroy_hvcs_struct);
35545                 return;
35546 -       } else if (hvcsd->open_count < 0) {
35547 +       } else if (local_read(&hvcsd->open_count) < 0) {
35548                 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
35549                                 " is missmanaged.\n",
35550 -               hvcsd->vdev->unit_address, hvcsd->open_count);
35551 +               hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
35552         }
35553  
35554         spin_unlock_irqrestore(&hvcsd->lock, flags);
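Review bot: The printk in the `open_count < 0` branch still uses `%d` while its argument is now `local_read(&hvcsd->open_count)`, which on 64-bit powerpc (where this driver runs) appears to return `long` because local_t wraps atomic_long_t, so the conversion leaves the format and argument types mismatched. Either print with `%ld` or narrow explicitly: `hvcsd->vdev->unit_address, (int)local_read(&hvcsd->open_count));`. The same narrowing happens silently at `temp_open_count = local_read(&hvcsd->open_count);` in the hvcs_hangup hunk if temp_open_count is still an `int` (its declaration is outside that hunk). hvcs_close starts and ends outside this hunk.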
35555 @@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
35556  
35557         spin_lock_irqsave(&hvcsd->lock, flags);
35558         /* Preserve this so that we know how many kref refs to put */
35559 -       temp_open_count = hvcsd->open_count;
35560 +       temp_open_count = local_read(&hvcsd->open_count);
35561  
35562         /*
35563          * Don't kref put inside the spinlock because the destruction
35564 @@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
35565         hvcsd->tty->driver_data = NULL;
35566         hvcsd->tty = NULL;
35567  
35568 -       hvcsd->open_count = 0;
35569 +       local_set(&hvcsd->open_count, 0);
35570  
35571         /* This will drop any buffered data on the floor which is OK in a hangup
35572          * scenario. */
35573 @@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct 
35574          * the middle of a write operation?  This is a crummy place to do this
35575          * but we want to keep it all in the spinlock.
35576          */
35577 -       if (hvcsd->open_count <= 0) {
35578 +       if (local_read(&hvcsd->open_count) <= 0) {
35579                 spin_unlock_irqrestore(&hvcsd->lock, flags);
35580                 return -ENODEV;
35581         }
35582 @@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
35583  {
35584         struct hvcs_struct *hvcsd = tty->driver_data;
35585  
35586 -       if (!hvcsd || hvcsd->open_count <= 0)
35587 +       if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
35588                 return 0;
35589  
35590         return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
35591 diff -urNp linux-3.0.9/drivers/tty/ipwireless/tty.c linux-3.0.9/drivers/tty/ipwireless/tty.c
35592 --- linux-3.0.9/drivers/tty/ipwireless/tty.c    2011-11-11 13:12:24.000000000 -0500
35593 +++ linux-3.0.9/drivers/tty/ipwireless/tty.c    2011-11-15 20:02:59.000000000 -0500
35594 @@ -29,6 +29,7 @@
35595  #include <linux/tty_driver.h>
35596  #include <linux/tty_flip.h>
35597  #include <linux/uaccess.h>
35598 +#include <asm/local.h>
35599  
35600  #include "tty.h"
35601  #include "network.h"
35602 @@ -51,7 +52,7 @@ struct ipw_tty {
35603         int tty_type;
35604         struct ipw_network *network;
35605         struct tty_struct *linux_tty;
35606 -       int open_count;
35607 +       local_t open_count;
35608         unsigned int control_lines;
35609         struct mutex ipw_tty_mutex;
35610         int tx_bytes_queued;
35611 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
35612                 mutex_unlock(&tty->ipw_tty_mutex);
35613                 return -ENODEV;
35614         }
35615 -       if (tty->open_count == 0)
35616 +       if (local_read(&tty->open_count) == 0)
35617                 tty->tx_bytes_queued = 0;
35618  
35619 -       tty->open_count++;
35620 +       local_inc(&tty->open_count);
35621  
35622         tty->linux_tty = linux_tty;
35623         linux_tty->driver_data = tty;
35624 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
35625  
35626  static void do_ipw_close(struct ipw_tty *tty)
35627  {
35628 -       tty->open_count--;
35629 -
35630 -       if (tty->open_count == 0) {
35631 +       if (local_dec_return(&tty->open_count) == 0) {
35632                 struct tty_struct *linux_tty = tty->linux_tty;
35633  
35634                 if (linux_tty != NULL) {
35635 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
35636                 return;
35637  
35638         mutex_lock(&tty->ipw_tty_mutex);
35639 -       if (tty->open_count == 0) {
35640 +       if (local_read(&tty->open_count) == 0) {
35641                 mutex_unlock(&tty->ipw_tty_mutex);
35642                 return;
35643         }
35644 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
35645                 return;
35646         }
35647  
35648 -       if (!tty->open_count) {
35649 +       if (!local_read(&tty->open_count)) {
35650                 mutex_unlock(&tty->ipw_tty_mutex);
35651                 return;
35652         }
35653 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
35654                 return -ENODEV;
35655  
35656         mutex_lock(&tty->ipw_tty_mutex);
35657 -       if (!tty->open_count) {
35658 +       if (!local_read(&tty->open_count)) {
35659                 mutex_unlock(&tty->ipw_tty_mutex);
35660                 return -EINVAL;
35661         }
35662 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
35663         if (!tty)
35664                 return -ENODEV;
35665  
35666 -       if (!tty->open_count)
35667 +       if (!local_read(&tty->open_count))
35668                 return -EINVAL;
35669  
35670         room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
35671 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
35672         if (!tty)
35673                 return 0;
35674  
35675 -       if (!tty->open_count)
35676 +       if (!local_read(&tty->open_count))
35677                 return 0;
35678  
35679         return tty->tx_bytes_queued;
35680 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
35681         if (!tty)
35682                 return -ENODEV;
35683  
35684 -       if (!tty->open_count)
35685 +       if (!local_read(&tty->open_count))
35686                 return -EINVAL;
35687  
35688         return get_control_lines(tty);
35689 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
35690         if (!tty)
35691                 return -ENODEV;
35692  
35693 -       if (!tty->open_count)
35694 +       if (!local_read(&tty->open_count))
35695                 return -EINVAL;
35696  
35697         return set_control_lines(tty, set, clear);
35698 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
35699         if (!tty)
35700                 return -ENODEV;
35701  
35702 -       if (!tty->open_count)
35703 +       if (!local_read(&tty->open_count))
35704                 return -EINVAL;
35705  
35706         /* FIXME: Exactly how is the tty object locked here .. */
35707 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty 
35708                                    against a parallel ioctl etc */
35709                                 mutex_lock(&ttyj->ipw_tty_mutex);
35710                         }
35711 -                       while (ttyj->open_count)
35712 +                       while (local_read(&ttyj->open_count))
35713                                 do_ipw_close(ttyj);
35714                         ipwireless_disassociate_network_ttys(network,
35715                                                              ttyj->channel_idx);
35716 diff -urNp linux-3.0.9/drivers/tty/n_gsm.c linux-3.0.9/drivers/tty/n_gsm.c
35717 --- linux-3.0.9/drivers/tty/n_gsm.c     2011-11-11 13:12:24.000000000 -0500
35718 +++ linux-3.0.9/drivers/tty/n_gsm.c     2011-11-15 20:02:59.000000000 -0500
35719 @@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
35720                 return NULL;
35721         spin_lock_init(&dlci->lock);
35722         dlci->fifo = &dlci->_fifo;
35723 -       if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
35724 +       if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
35725                 kfree(dlci);
35726                 return NULL;
35727         }
35728 diff -urNp linux-3.0.9/drivers/tty/n_tty.c linux-3.0.9/drivers/tty/n_tty.c
35729 --- linux-3.0.9/drivers/tty/n_tty.c     2011-11-11 13:12:24.000000000 -0500
35730 +++ linux-3.0.9/drivers/tty/n_tty.c     2011-11-15 20:02:59.000000000 -0500
35731 @@ -2123,6 +2123,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
35732  {
35733         *ops = tty_ldisc_N_TTY;
35734         ops->owner = NULL;
35735 -       ops->refcount = ops->flags = 0;
35736 +       atomic_set(&ops->refcount, 0);
35737 +       ops->flags = 0;
35738  }
35739  EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
35740 diff -urNp linux-3.0.9/drivers/tty/pty.c linux-3.0.9/drivers/tty/pty.c
35741 --- linux-3.0.9/drivers/tty/pty.c       2011-11-11 13:12:24.000000000 -0500
35742 +++ linux-3.0.9/drivers/tty/pty.c       2011-11-15 20:02:59.000000000 -0500
35743 @@ -773,8 +773,10 @@ static void __init unix98_pty_init(void)
35744         register_sysctl_table(pty_root_table);
35745  
35746         /* Now create the /dev/ptmx special device */
35747 +       pax_open_kernel();
35748         tty_default_fops(&ptmx_fops);
35749 -       ptmx_fops.open = ptmx_open;
35750 +       *(void **)&ptmx_fops.open = ptmx_open;
35751 +       pax_close_kernel();
35752  
35753         cdev_init(&ptmx_cdev, &ptmx_fops);
35754         if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
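Review bot: The store `*(void **)&ptmx_fops.open = ptmx_open;` bracketed by pax_open_kernel()/pax_close_kernel() has no comment, and a reader without the rest of this patch cannot tell why a plain member assignment was replaced by a write through a `void **` cast. Presumably ptmx_fops is placed in read-only data elsewhere in the series and the cast keeps the assignment from being rejected as a write to a const object; say so in place, e.g. `/* ptmx_fops is read-only at runtime: open the kernel write window and store through the cast */`. The same applies to tty_default_fops in the drivers/tty/tty_io.c hunk, where `memcpy((void *)fops, &tty_fops, sizeof(tty_fops))` now silently depends on the caller having opened the window first; its header comment should state that callers must wrap it in pax_open_kernel()/pax_close_kernel(), as this hunk does.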
35755 diff -urNp linux-3.0.9/drivers/tty/rocket.c linux-3.0.9/drivers/tty/rocket.c
35756 --- linux-3.0.9/drivers/tty/rocket.c    2011-11-11 13:12:24.000000000 -0500
35757 +++ linux-3.0.9/drivers/tty/rocket.c    2011-11-15 20:02:59.000000000 -0500
35758 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
35759         struct rocket_ports tmp;
35760         int board;
35761  
35762 +       pax_track_stack();
35763 +
35764         if (!retports)
35765                 return -EFAULT;
35766         memset(&tmp, 0, sizeof (tmp));
35767 diff -urNp linux-3.0.9/drivers/tty/serial/kgdboc.c linux-3.0.9/drivers/tty/serial/kgdboc.c
35768 --- linux-3.0.9/drivers/tty/serial/kgdboc.c     2011-11-11 13:12:24.000000000 -0500
35769 +++ linux-3.0.9/drivers/tty/serial/kgdboc.c     2011-11-15 20:02:59.000000000 -0500
35770 @@ -23,8 +23,9 @@
35771  #define MAX_CONFIG_LEN         40
35772  
35773  static struct kgdb_io          kgdboc_io_ops;
35774 +static struct kgdb_io          kgdboc_io_ops_console;
35775  
35776 -/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
35777 +/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
35778  static int configured          = -1;
35779  
35780  static char config[MAX_CONFIG_LEN];
35781 @@ -147,6 +148,8 @@ static void cleanup_kgdboc(void)
35782         kgdboc_unregister_kbd();
35783         if (configured == 1)
35784                 kgdb_unregister_io_module(&kgdboc_io_ops);
35785 +       else if (configured == 2)
35786 +               kgdb_unregister_io_module(&kgdboc_io_ops_console);
35787  }
35788  
35789  static int configure_kgdboc(void)
35790 @@ -156,13 +159,13 @@ static int configure_kgdboc(void)
35791         int err;
35792         char *cptr = config;
35793         struct console *cons;
35794 +       int is_console = 0;
35795  
35796         err = kgdboc_option_setup(config);
35797         if (err || !strlen(config) || isspace(config[0]))
35798                 goto noconfig;
35799  
35800         err = -ENODEV;
35801 -       kgdboc_io_ops.is_console = 0;
35802         kgdb_tty_driver = NULL;
35803  
35804         kgdboc_use_kms = 0;
35805 @@ -183,7 +186,7 @@ static int configure_kgdboc(void)
35806                 int idx;
35807                 if (cons->device && cons->device(cons, &idx) == p &&
35808                     idx == tty_line) {
35809 -                       kgdboc_io_ops.is_console = 1;
35810 +                       is_console = 1;
35811                         break;
35812                 }
35813                 cons = cons->next;
35814 @@ -193,12 +196,16 @@ static int configure_kgdboc(void)
35815         kgdb_tty_line = tty_line;
35816  
35817  do_register:
35818 -       err = kgdb_register_io_module(&kgdboc_io_ops);
35819 +       if (is_console) {
35820 +               err = kgdb_register_io_module(&kgdboc_io_ops_console);
35821 +               configured = 2;
35822 +       } else {
35823 +               err = kgdb_register_io_module(&kgdboc_io_ops);
35824 +               configured = 1;
35825 +       }
35826         if (err)
35827                 goto noconfig;
35828  
35829 -       configured = 1;
35830 -
35831         return 0;
35832  
35833  noconfig:
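Review bot: `configured` is assigned 1 or 2 inside the `do_register:` branches before `err` is examined, so when kgdb_register_io_module fails the variable already records a configured state by the time control reaches `noconfig:`; the original only set it after a successful registration. Unless the `noconfig:` path (its body is outside the hunk) resets it to 0, the later `configured >= 1` tests in init_kgdboc and param_set_kgdboc_var would treat the failed attempt as configured. Keep the state change out of the error path by deleting the two `configured = …;` lines from the branches and adding `configured = is_console ? 2 : 1;` after the `if (err) goto noconfig;` check.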
35834 @@ -212,7 +219,7 @@ noconfig:
35835  static int __init init_kgdboc(void)
35836  {
35837         /* Already configured? */
35838 -       if (configured == 1)
35839 +       if (configured >= 1)
35840                 return 0;
35841  
35842         return configure_kgdboc();
35843 @@ -261,7 +268,7 @@ static int param_set_kgdboc_var(const ch
35844         if (config[len - 1] == '\n')
35845                 config[len - 1] = '\0';
35846  
35847 -       if (configured == 1)
35848 +       if (configured >= 1)
35849                 cleanup_kgdboc();
35850  
35851         /* Go and configure with the new params. */
35852 @@ -301,6 +308,15 @@ static struct kgdb_io kgdboc_io_ops = {
35853         .post_exception         = kgdboc_post_exp_handler,
35854  };
35855  
35856 +static struct kgdb_io kgdboc_io_ops_console = {
35857 +       .name                   = "kgdboc",
35858 +       .read_char              = kgdboc_get_char,
35859 +       .write_char             = kgdboc_put_char,
35860 +       .pre_exception          = kgdboc_pre_exp_handler,
35861 +       .post_exception         = kgdboc_post_exp_handler,
35862 +       .is_console             = 1
35863 +};
35864 +
35865  #ifdef CONFIG_KGDB_SERIAL_CONSOLE
35866  /* This is only available if kgdboc is a built in for early debugging */
35867  static int __init kgdboc_early_init(char *opt)
35868 diff -urNp linux-3.0.9/drivers/tty/serial/mfd.c linux-3.0.9/drivers/tty/serial/mfd.c
35869 --- linux-3.0.9/drivers/tty/serial/mfd.c        2011-11-11 13:12:24.000000000 -0500
35870 +++ linux-3.0.9/drivers/tty/serial/mfd.c        2011-11-15 20:02:59.000000000 -0500
35871 @@ -1423,7 +1423,7 @@ static void serial_hsu_remove(struct pci
35872  }
35873  
35874  /* First 3 are UART ports, and the 4th is the DMA */
35875 -static const struct pci_device_id pci_ids[] __devinitdata = {
35876 +static const struct pci_device_id pci_ids[] __devinitconst = {
35877         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081B) },
35878         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081C) },
35879         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081D) },
35880 diff -urNp linux-3.0.9/drivers/tty/serial/mrst_max3110.c linux-3.0.9/drivers/tty/serial/mrst_max3110.c
35881 --- linux-3.0.9/drivers/tty/serial/mrst_max3110.c       2011-11-11 13:12:24.000000000 -0500
35882 +++ linux-3.0.9/drivers/tty/serial/mrst_max3110.c       2011-11-15 20:02:59.000000000 -0500
35883 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
35884         int loop = 1, num, total = 0;
35885         u8 recv_buf[512], *pbuf;
35886  
35887 +       pax_track_stack();
35888 +
35889         pbuf = recv_buf;
35890         do {
35891                 num = max3110_read_multi(max, pbuf);
35892 diff -urNp linux-3.0.9/drivers/tty/tty_io.c linux-3.0.9/drivers/tty/tty_io.c
35893 --- linux-3.0.9/drivers/tty/tty_io.c    2011-11-11 13:12:24.000000000 -0500
35894 +++ linux-3.0.9/drivers/tty/tty_io.c    2011-11-15 20:02:59.000000000 -0500
35895 @@ -3238,7 +3238,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
35896  
35897  void tty_default_fops(struct file_operations *fops)
35898  {
35899 -       *fops = tty_fops;
35900 +       memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
35901  }
35902  
35903  /*
35904 diff -urNp linux-3.0.9/drivers/tty/tty_ldisc.c linux-3.0.9/drivers/tty/tty_ldisc.c
35905 --- linux-3.0.9/drivers/tty/tty_ldisc.c 2011-11-11 13:12:24.000000000 -0500
35906 +++ linux-3.0.9/drivers/tty/tty_ldisc.c 2011-11-15 20:02:59.000000000 -0500
35907 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
35908         if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
35909                 struct tty_ldisc_ops *ldo = ld->ops;
35910  
35911 -               ldo->refcount--;
35912 +               atomic_dec(&ldo->refcount);
35913                 module_put(ldo->owner);
35914                 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35915  
35916 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct 
35917         spin_lock_irqsave(&tty_ldisc_lock, flags);
35918         tty_ldiscs[disc] = new_ldisc;
35919         new_ldisc->num = disc;
35920 -       new_ldisc->refcount = 0;
35921 +       atomic_set(&new_ldisc->refcount, 0);
35922         spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35923  
35924         return ret;
35925 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
35926                 return -EINVAL;
35927  
35928         spin_lock_irqsave(&tty_ldisc_lock, flags);
35929 -       if (tty_ldiscs[disc]->refcount)
35930 +       if (atomic_read(&tty_ldiscs[disc]->refcount))
35931                 ret = -EBUSY;
35932         else
35933                 tty_ldiscs[disc] = NULL;
35934 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
35935         if (ldops) {
35936                 ret = ERR_PTR(-EAGAIN);
35937                 if (try_module_get(ldops->owner)) {
35938 -                       ldops->refcount++;
35939 +                       atomic_inc(&ldops->refcount);
35940                         ret = ldops;
35941                 }
35942         }
35943 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
35944         unsigned long flags;
35945  
35946         spin_lock_irqsave(&tty_ldisc_lock, flags);
35947 -       ldops->refcount--;
35948 +       atomic_dec(&ldops->refcount);
35949         module_put(ldops->owner);
35950         spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35951  }
35952 diff -urNp linux-3.0.9/drivers/tty/vt/keyboard.c linux-3.0.9/drivers/tty/vt/keyboard.c
35953 --- linux-3.0.9/drivers/tty/vt/keyboard.c       2011-11-11 13:12:24.000000000 -0500
35954 +++ linux-3.0.9/drivers/tty/vt/keyboard.c       2011-11-15 20:02:59.000000000 -0500
35955 @@ -656,6 +656,16 @@ static void k_spec(struct vc_data *vc, u
35956              kbd->kbdmode == VC_OFF) &&
35957              value != KVAL(K_SAK))
35958                 return;         /* SAK is allowed even in raw mode */
35959 +
35960 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
35961 +       {
35962 +               void *func = fn_handler[value];
35963 +               if (func == fn_show_state || func == fn_show_ptregs ||
35964 +                   func == fn_show_mem)
35965 +                       return;
35966 +       }
35967 +#endif
35968 +
35969         fn_handler[value](vc);
35970  }
35971  
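Review bot: The new guard in k_spec holds the handler in a `void *` and compares it against function addresses, discarding the type that `fn_handler` already carries; use the array's element type instead, `fn_handler_fn *func = fn_handler[value];` (the typedef is declared earlier in keyboard.c, outside the hunk), so the comparison is between compatible function pointers. The block also says nothing about why exactly these three handlers are filtered; judging by their names they print task, register and memory state to the console, so a one-liner such as `/* these handlers dump kernel state to the console; hide them along with /proc when GRKERNSEC_PROC is on */` would record the policy. Any bounds check on `value` happens before the hunk and is not visible here.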
35972 diff -urNp linux-3.0.9/drivers/tty/vt/vt.c linux-3.0.9/drivers/tty/vt/vt.c
35973 --- linux-3.0.9/drivers/tty/vt/vt.c     2011-11-11 13:12:24.000000000 -0500
35974 +++ linux-3.0.9/drivers/tty/vt/vt.c     2011-11-15 20:02:59.000000000 -0500
35975 @@ -259,7 +259,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
35976  
35977  static void notify_write(struct vc_data *vc, unsigned int unicode)
35978  {
35979 -       struct vt_notifier_param param = { .vc = vc, unicode = unicode };
35980 +       struct vt_notifier_param param = { .vc = vc, .c = unicode };
35981         atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
35982  }
35983  
35984 diff -urNp linux-3.0.9/drivers/tty/vt/vt_ioctl.c linux-3.0.9/drivers/tty/vt/vt_ioctl.c
35985 --- linux-3.0.9/drivers/tty/vt/vt_ioctl.c       2011-11-11 13:12:24.000000000 -0500
35986 +++ linux-3.0.9/drivers/tty/vt/vt_ioctl.c       2011-11-15 20:02:59.000000000 -0500
35987 @@ -207,9 +207,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35988         if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
35989                 return -EFAULT;
35990  
35991 -       if (!capable(CAP_SYS_TTY_CONFIG))
35992 -               perm = 0;
35993 -
35994         switch (cmd) {
35995         case KDGKBENT:
35996                 key_map = key_maps[s];
35997 @@ -221,6 +218,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35998                     val = (i ? K_HOLE : K_NOSUCHMAP);
35999                 return put_user(val, &user_kbe->kb_value);
36000         case KDSKBENT:
36001 +               if (!capable(CAP_SYS_TTY_CONFIG))
36002 +                       perm = 0;
36003 +
36004                 if (!perm)
36005                         return -EPERM;
36006                 if (!i && v == K_NOSUCHMAP) {
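Review bot: Moving the `capable(CAP_SYS_TTY_CONFIG)` test from the top of do_kdsk_ioctl into the KDSKBENT case leaves the KDGKBENT read path without any capability call, which looks intended since the read case never consults `perm`, but nothing in the code records that the placement is deliberate; a comment on the moved lines, `/* only the set path needs the capability; don't charge a capability check to read-only queries */`, would keep a future cleanup from hoisting it back. The same relocation is made in the two do_kdgkb_ioctl hunks below (KDSKBSENT). Both functions begin and end outside their hunks, so whether any other case relies on `perm` being cleared early cannot be checked from here.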
36007 @@ -322,9 +322,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry 
36008         int i, j, k;
36009         int ret;
36010  
36011 -       if (!capable(CAP_SYS_TTY_CONFIG))
36012 -               perm = 0;
36013 -
36014         kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
36015         if (!kbs) {
36016                 ret = -ENOMEM;
36017 @@ -358,6 +355,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry 
36018                 kfree(kbs);
36019                 return ((p && *p) ? -EOVERFLOW : 0);
36020         case KDSKBSENT:
36021 +               if (!capable(CAP_SYS_TTY_CONFIG))
36022 +                       perm = 0;
36023 +
36024                 if (!perm) {
36025                         ret = -EPERM;
36026                         goto reterr;
36027 diff -urNp linux-3.0.9/drivers/uio/uio.c linux-3.0.9/drivers/uio/uio.c
36028 --- linux-3.0.9/drivers/uio/uio.c       2011-11-11 13:12:24.000000000 -0500
36029 +++ linux-3.0.9/drivers/uio/uio.c       2011-11-15 20:02:59.000000000 -0500
36030 @@ -25,6 +25,7 @@
36031  #include <linux/kobject.h>
36032  #include <linux/cdev.h>
36033  #include <linux/uio_driver.h>
36034 +#include <asm/local.h>
36035  
36036  #define UIO_MAX_DEVICES                (1U << MINORBITS)
36037  
36038 @@ -32,10 +33,10 @@ struct uio_device {
36039         struct module           *owner;
36040         struct device           *dev;
36041         int                     minor;
36042 -       atomic_t                event;
36043 +       atomic_unchecked_t      event;
36044         struct fasync_struct    *async_queue;
36045         wait_queue_head_t       wait;
36046 -       int                     vma_count;
36047 +       local_t                 vma_count;
36048         struct uio_info         *info;
36049         struct kobject          *map_dir;
36050         struct kobject          *portio_dir;
36051 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device 
36052                           struct device_attribute *attr, char *buf)
36053  {
36054         struct uio_device *idev = dev_get_drvdata(dev);
36055 -       return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
36056 +       return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
36057  }
36058  
36059  static struct device_attribute uio_class_attributes[] = {
36060 @@ -408,7 +409,7 @@ void uio_event_notify(struct uio_info *i
36061  {
36062         struct uio_device *idev = info->uio_dev;
36063  
36064 -       atomic_inc(&idev->event);
36065 +       atomic_inc_unchecked(&idev->event);
36066         wake_up_interruptible(&idev->wait);
36067         kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
36068  }
36069 @@ -461,7 +462,7 @@ static int uio_open(struct inode *inode,
36070         }
36071  
36072         listener->dev = idev;
36073 -       listener->event_count = atomic_read(&idev->event);
36074 +       listener->event_count = atomic_read_unchecked(&idev->event);
36075         filep->private_data = listener;
36076  
36077         if (idev->info->open) {
36078 @@ -512,7 +513,7 @@ static unsigned int uio_poll(struct file
36079                 return -EIO;
36080  
36081         poll_wait(filep, &idev->wait, wait);
36082 -       if (listener->event_count != atomic_read(&idev->event))
36083 +       if (listener->event_count != atomic_read_unchecked(&idev->event))
36084                 return POLLIN | POLLRDNORM;
36085         return 0;
36086  }
36087 @@ -537,7 +538,7 @@ static ssize_t uio_read(struct file *fil
36088         do {
36089                 set_current_state(TASK_INTERRUPTIBLE);
36090  
36091 -               event_count = atomic_read(&idev->event);
36092 +               event_count = atomic_read_unchecked(&idev->event);
36093                 if (event_count != listener->event_count) {
36094                         if (copy_to_user(buf, &event_count, count))
36095                                 retval = -EFAULT;
36096 @@ -606,13 +607,13 @@ static int uio_find_mem_index(struct vm_
36097  static void uio_vma_open(struct vm_area_struct *vma)
36098  {
36099         struct uio_device *idev = vma->vm_private_data;
36100 -       idev->vma_count++;
36101 +       local_inc(&idev->vma_count);
36102  }
36103  
36104  static void uio_vma_close(struct vm_area_struct *vma)
36105  {
36106         struct uio_device *idev = vma->vm_private_data;
36107 -       idev->vma_count--;
36108 +       local_dec(&idev->vma_count);
36109  }
36110  
36111  static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
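Review bot: `vma_count` becomes a `local_t`, but local_t operations are only guaranteed atomic against interrupts on the CPU that owns the variable, not against concurrent updates from other CPUs (Documentation/local_ops.txt); uio_vma_open and uio_vma_close are vm_ops callbacks that can run for different mms on different CPUs, so the `local_inc`/`local_dec` pair does not by itself make the counter race-free. If the count is meant to be trustworthy across CPUs, `atomic_t` (or a lock already held on both paths) is the appropriate type; if nothing reads it (no reader is visible in these hunks), a comment on the struct field saying it is a best-effort statistic and naming whatever locking covers it would set expectations.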
36112 @@ -823,7 +824,7 @@ int __uio_register_device(struct module 
36113         idev->owner = owner;
36114         idev->info = info;
36115         init_waitqueue_head(&idev->wait);
36116 -       atomic_set(&idev->event, 0);
36117 +       atomic_set_unchecked(&idev->event, 0);
36118  
36119         ret = uio_get_minor(idev);
36120         if (ret)
36121 diff -urNp linux-3.0.9/drivers/usb/atm/cxacru.c linux-3.0.9/drivers/usb/atm/cxacru.c
36122 --- linux-3.0.9/drivers/usb/atm/cxacru.c        2011-11-11 13:12:24.000000000 -0500
36123 +++ linux-3.0.9/drivers/usb/atm/cxacru.c        2011-11-15 20:02:59.000000000 -0500
36124 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
36125                 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
36126                 if (ret < 2)
36127                         return -EINVAL;
36128 -               if (index < 0 || index > 0x7f)
36129 +               if (index > 0x7f)
36130                         return -EINVAL;
36131                 pos += tmp;
36132  
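Review bot: Dropping `index < 0` from the range check in cxacru_sysfs_store_adsl_config is only equivalent if `index` is an unsigned type; its declaration is above the hunk and not visible here. Because sscanf's `%x` stores into an unsigned int, the variable is presumably `u32`, in which case the removed comparison was always false and the change is correct. If it is in fact `int`, a hex value with the top bit set would parse to a negative number and pass `index > 0x7f`; please confirm the declaration, and make the assumption visible at the check: `if (index > 0x7f) /* index is unsigned; %x cannot yield a negative value */`.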
36133 diff -urNp linux-3.0.9/drivers/usb/atm/usbatm.c linux-3.0.9/drivers/usb/atm/usbatm.c
36134 --- linux-3.0.9/drivers/usb/atm/usbatm.c        2011-11-11 13:12:24.000000000 -0500
36135 +++ linux-3.0.9/drivers/usb/atm/usbatm.c        2011-11-15 20:02:59.000000000 -0500
36136 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
36137                 if (printk_ratelimit())
36138                         atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
36139                                 __func__, vpi, vci);
36140 -               atomic_inc(&vcc->stats->rx_err);
36141 +               atomic_inc_unchecked(&vcc->stats->rx_err);
36142                 return;
36143         }
36144  
36145 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
36146                 if (length > ATM_MAX_AAL5_PDU) {
36147                         atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
36148                                   __func__, length, vcc);
36149 -                       atomic_inc(&vcc->stats->rx_err);
36150 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
36151                         goto out;
36152                 }
36153  
36154 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
36155                 if (sarb->len < pdu_length) {
36156                         atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
36157                                   __func__, pdu_length, sarb->len, vcc);
36158 -                       atomic_inc(&vcc->stats->rx_err);
36159 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
36160                         goto out;
36161                 }
36162  
36163                 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
36164                         atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
36165                                   __func__, vcc);
36166 -                       atomic_inc(&vcc->stats->rx_err);
36167 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
36168                         goto out;
36169                 }
36170  
36171 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
36172                         if (printk_ratelimit())
36173                                 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
36174                                         __func__, length);
36175 -                       atomic_inc(&vcc->stats->rx_drop);
36176 +                       atomic_inc_unchecked(&vcc->stats->rx_drop);
36177                         goto out;
36178                 }
36179  
36180 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
36181  
36182                 vcc->push(vcc, skb);
36183  
36184 -               atomic_inc(&vcc->stats->rx);
36185 +               atomic_inc_unchecked(&vcc->stats->rx);
36186         out:
36187                 skb_trim(sarb, 0);
36188         }
36189 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
36190                         struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
36191  
36192                         usbatm_pop(vcc, skb);
36193 -                       atomic_inc(&vcc->stats->tx);
36194 +                       atomic_inc_unchecked(&vcc->stats->tx);
36195  
36196                         skb = skb_dequeue(&instance->sndqueue);
36197                 }
36198 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
36199         if (!left--)
36200                 return sprintf(page,
36201                                "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
36202 -                              atomic_read(&atm_dev->stats.aal5.tx),
36203 -                              atomic_read(&atm_dev->stats.aal5.tx_err),
36204 -                              atomic_read(&atm_dev->stats.aal5.rx),
36205 -                              atomic_read(&atm_dev->stats.aal5.rx_err),
36206 -                              atomic_read(&atm_dev->stats.aal5.rx_drop));
36207 +                              atomic_read_unchecked(&atm_dev->stats.aal5.tx),
36208 +                              atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
36209 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx),
36210 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
36211 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
36212  
36213         if (!left--) {
36214                 if (instance->disconnected)
36215 diff -urNp linux-3.0.9/drivers/usb/core/devices.c linux-3.0.9/drivers/usb/core/devices.c
36216 --- linux-3.0.9/drivers/usb/core/devices.c      2011-11-11 13:12:24.000000000 -0500
36217 +++ linux-3.0.9/drivers/usb/core/devices.c      2011-11-15 20:02:59.000000000 -0500
36218 @@ -126,7 +126,7 @@ static const char format_endpt[] =
36219   * time it gets called.
36220   */
36221  static struct device_connect_event {
36222 -       atomic_t count;
36223 +       atomic_unchecked_t count;
36224         wait_queue_head_t wait;
36225  } device_event = {
36226         .count = ATOMIC_INIT(1),
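Review bot: The field type changes to atomic_unchecked_t but the initializer two lines below still uses ATOMIC_INIT(1); this presumably compiles because both types are brace-initialized the same way, yet it leaves the unchecked intent invisible at the one place the counter is set up. If the tree provides an unchecked-specific initializer it belongs here; otherwise a field comment such as `/* connect/disconnect event sequence, not a refcount: overflow checking intentionally off */` would do, since the value is only bumped at @@ -164 and compared against f_version at @@ -648. The same field-level comment would help `xfer_id_count` in wa-hc.h @@ -192, which is used as a transfer-id sequence in wa-xfer.c @@ -294.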
36227 @@ -164,7 +164,7 @@ static const struct class_info clas_info
36228  
36229  void usbfs_conn_disc_event(void)
36230  {
36231 -       atomic_add(2, &device_event.count);
36232 +       atomic_add_unchecked(2, &device_event.count);
36233         wake_up(&device_event.wait);
36234  }
36235  
36236 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
36237  
36238         poll_wait(file, &device_event.wait, wait);
36239  
36240 -       event_count = atomic_read(&device_event.count);
36241 +       event_count = atomic_read_unchecked(&device_event.count);
36242         if (file->f_version != event_count) {
36243                 file->f_version = event_count;
36244                 return POLLIN | POLLRDNORM;
36245 diff -urNp linux-3.0.9/drivers/usb/core/message.c linux-3.0.9/drivers/usb/core/message.c
36246 --- linux-3.0.9/drivers/usb/core/message.c      2011-11-11 13:12:24.000000000 -0500
36247 +++ linux-3.0.9/drivers/usb/core/message.c      2011-11-15 20:02:59.000000000 -0500
36248 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
36249         buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
36250         if (buf) {
36251                 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
36252 -               if (len > 0) {
36253 -                       smallbuf = kmalloc(++len, GFP_NOIO);
36254 +               if (len++ > 0) {
36255 +                       smallbuf = kmalloc(len, GFP_NOIO);
36256                         if (!smallbuf)
36257                                 return buf;
36258                         memcpy(smallbuf, buf, len);
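Review bot: The rewritten `if (len++ > 0)` increments len even when usb_string() returned zero or a negative error, so after the block len no longer equals the return value; that is harmless only if nothing later reads len, and the rest of usb_cache_string is outside the hunk, so verify. The old form made the +1 visibly part of the allocation size, whereas the new one folds it into the condition where it is easy to misread as an off-by-one. A comment on the condition, e.g. `/* len is the string length; +1 covers the terminating NUL copied into smallbuf */`, keeps the intent on the page.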
36259 diff -urNp linux-3.0.9/drivers/usb/early/ehci-dbgp.c linux-3.0.9/drivers/usb/early/ehci-dbgp.c
36260 --- linux-3.0.9/drivers/usb/early/ehci-dbgp.c   2011-11-11 13:12:24.000000000 -0500
36261 +++ linux-3.0.9/drivers/usb/early/ehci-dbgp.c   2011-11-15 20:02:59.000000000 -0500
36262 @@ -97,7 +97,8 @@ static inline u32 dbgp_len_update(u32 x,
36263  
36264  #ifdef CONFIG_KGDB
36265  static struct kgdb_io kgdbdbgp_io_ops;
36266 -#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
36267 +static struct kgdb_io kgdbdbgp_io_ops_console;
36268 +#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
36269  #else
36270  #define dbgp_kgdb_mode (0)
36271  #endif
36272 @@ -1035,6 +1036,13 @@ static struct kgdb_io kgdbdbgp_io_ops = 
36273         .write_char = kgdbdbgp_write_char,
36274  };
36275  
36276 +static struct kgdb_io kgdbdbgp_io_ops_console = {
36277 +       .name = "kgdbdbgp",
36278 +       .read_char = kgdbdbgp_read_char,
36279 +       .write_char = kgdbdbgp_write_char,
36280 +       .is_console = 1
36281 +};
36282 +
36283  static int kgdbdbgp_wait_time;
36284  
36285  static int __init kgdbdbgp_parse_config(char *str)
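Review bot: kgdbdbgp_io_ops_console duplicates read_char/write_char of kgdbdbgp_io_ops and differs only in `.is_console = 1`, with no comment saying why two near-identical structures exist; presumably so that is_console is never written after registration (the old code assigned it at run time at @@ -1050), which is what allows the ops to be treated as read-only — confirm. A comment above the new definition, e.g. `/* Same as kgdbdbgp_io_ops but pre-marked as console, so neither structure is modified after init */`, would record that, and the selection at @@ -1050 should reference it. If the original ops also use "kgdbdbgp" as `.name`, it is worth checking that kgdb does not key registrations on that string.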
36286 @@ -1050,8 +1058,10 @@ static int __init kgdbdbgp_parse_config(
36287                 ptr++;
36288                 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
36289         }
36290 -       kgdb_register_io_module(&kgdbdbgp_io_ops);
36291 -       kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
36292 +       if (early_dbgp_console.index != -1)
36293 +               kgdb_register_io_module(&kgdbdbgp_io_ops_console);
36294 +       else
36295 +               kgdb_register_io_module(&kgdbdbgp_io_ops);
36296  
36297         return 0;
36298  }
36299 diff -urNp linux-3.0.9/drivers/usb/host/xhci-mem.c linux-3.0.9/drivers/usb/host/xhci-mem.c
36300 --- linux-3.0.9/drivers/usb/host/xhci-mem.c     2011-11-11 13:12:24.000000000 -0500
36301 +++ linux-3.0.9/drivers/usb/host/xhci-mem.c     2011-11-15 20:02:59.000000000 -0500
36302 @@ -1690,6 +1690,8 @@ static int xhci_check_trb_in_td_math(str
36303         unsigned int num_tests;
36304         int i, ret;
36305  
36306 +       pax_track_stack();
36307 +
36308         num_tests = ARRAY_SIZE(simple_test_vector);
36309         for (i = 0; i < num_tests; i++) {
36310                 ret = xhci_test_trb_in_td(xhci,
36311 diff -urNp linux-3.0.9/drivers/usb/wusbcore/wa-hc.h linux-3.0.9/drivers/usb/wusbcore/wa-hc.h
36312 --- linux-3.0.9/drivers/usb/wusbcore/wa-hc.h    2011-11-11 13:12:24.000000000 -0500
36313 +++ linux-3.0.9/drivers/usb/wusbcore/wa-hc.h    2011-11-15 20:02:59.000000000 -0500
36314 @@ -192,7 +192,7 @@ struct wahc {
36315         struct list_head xfer_delayed_list;
36316         spinlock_t xfer_list_lock;
36317         struct work_struct xfer_work;
36318 -       atomic_t xfer_id_count;
36319 +       atomic_unchecked_t xfer_id_count;
36320  };
36321  
36322  
36323 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
36324         INIT_LIST_HEAD(&wa->xfer_delayed_list);
36325         spin_lock_init(&wa->xfer_list_lock);
36326         INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
36327 -       atomic_set(&wa->xfer_id_count, 1);
36328 +       atomic_set_unchecked(&wa->xfer_id_count, 1);
36329  }
36330  
36331  /**
36332 diff -urNp linux-3.0.9/drivers/usb/wusbcore/wa-xfer.c linux-3.0.9/drivers/usb/wusbcore/wa-xfer.c
36333 --- linux-3.0.9/drivers/usb/wusbcore/wa-xfer.c  2011-11-11 13:12:24.000000000 -0500
36334 +++ linux-3.0.9/drivers/usb/wusbcore/wa-xfer.c  2011-11-15 20:02:59.000000000 -0500
36335 @@ -294,7 +294,7 @@ out:
36336   */
36337  static void wa_xfer_id_init(struct wa_xfer *xfer)
36338  {
36339 -       xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
36340 +       xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
36341  }
36342  
36343  /*
36344 diff -urNp linux-3.0.9/drivers/vhost/vhost.c linux-3.0.9/drivers/vhost/vhost.c
36345 --- linux-3.0.9/drivers/vhost/vhost.c   2011-11-11 13:12:24.000000000 -0500
36346 +++ linux-3.0.9/drivers/vhost/vhost.c   2011-11-15 20:02:59.000000000 -0500
36347 @@ -589,7 +589,7 @@ static int init_used(struct vhost_virtqu
36348         return get_user(vq->last_used_idx, &used->idx);
36349  }
36350  
36351 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
36352 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
36353  {
36354         struct file *eventfp, *filep = NULL,
36355                     *pollstart = NULL, *pollstop = NULL;
36356 diff -urNp linux-3.0.9/drivers/video/aty/aty128fb.c linux-3.0.9/drivers/video/aty/aty128fb.c
36357 --- linux-3.0.9/drivers/video/aty/aty128fb.c    2011-11-11 13:12:24.000000000 -0500
36358 +++ linux-3.0.9/drivers/video/aty/aty128fb.c    2011-11-15 20:02:59.000000000 -0500
36359 @@ -148,7 +148,7 @@ enum {
36360  };
36361  
36362  /* Must match above enum */
36363 -static const char *r128_family[] __devinitdata = {
36364 +static const char *r128_family[] __devinitconst = {
36365         "AGP",
36366         "PCI",
36367         "PRO AGP",
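Review bot: `static const char *r128_family[]` is an array of non-const pointers, so the object itself remains writable in its C type even though __devinitconst is meant for read-only init data; the declaration should be `static const char *const r128_family[] __devinitconst = {` so the type matches the section. Without the second const, GCC can also report a section type conflict if a fully-const __devinitconst object ends up in the same translation unit. The same applies to i810_pci_list in i810_main.c @@ -97.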
36368 diff -urNp linux-3.0.9/drivers/video/fbcmap.c linux-3.0.9/drivers/video/fbcmap.c
36369 --- linux-3.0.9/drivers/video/fbcmap.c  2011-11-11 13:12:24.000000000 -0500
36370 +++ linux-3.0.9/drivers/video/fbcmap.c  2011-11-15 20:02:59.000000000 -0500
36371 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
36372                 rc = -ENODEV;
36373                 goto out;
36374         }
36375 -       if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
36376 -                               !info->fbops->fb_setcmap)) {
36377 +       if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
36378                 rc = -EINVAL;
36379                 goto out1;
36380         }
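Review bot: Dropping `cmap->start < 0` is correct only if cmap->start is an unsigned type, in which case the comparison was always false; the hunk does not show the field's type, and a later reader may re-add the test believing a range check was lost. A short comment on the condition, e.g. `/* start is unsigned; only the presence of a colour-setting op needs checking here */`, closes that gap. The same applies to the removed `con2fb.framebuffer < 0` in fbmem.c @@ -1143, where the remaining `>= FB_MAX` bound is the real guard before registered_fb is indexed.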
36381 diff -urNp linux-3.0.9/drivers/video/fbmem.c linux-3.0.9/drivers/video/fbmem.c
36382 --- linux-3.0.9/drivers/video/fbmem.c   2011-11-11 13:12:24.000000000 -0500
36383 +++ linux-3.0.9/drivers/video/fbmem.c   2011-11-15 20:02:59.000000000 -0500
36384 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
36385                         image->dx += image->width + 8;
36386                 }
36387         } else if (rotate == FB_ROTATE_UD) {
36388 -               for (x = 0; x < num && image->dx >= 0; x++) {
36389 +               for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
36390                         info->fbops->fb_imageblit(info, image);
36391                         image->dx -= image->width + 8;
36392                 }
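Review bot: The `(__s32)` cast makes the loop stop once `image->dx -= image->width + 8` wraps below zero, which the old unsigned comparison could never detect (it was always true); a cast inside a loop condition reads like a warning fix, so the intent deserves a comment. Something like `/* dx is unsigned; the signed compare catches the wrap after the subtraction */` on the for line would do, and the same applies to dy at @@ -440. fb_do_show_logo starts outside this hunk.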
36393 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
36394                         image->dy += image->height + 8;
36395                 }
36396         } else if (rotate == FB_ROTATE_CCW) {
36397 -               for (x = 0; x < num && image->dy >= 0; x++) {
36398 +               for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
36399                         info->fbops->fb_imageblit(info, image);
36400                         image->dy -= image->height + 8;
36401                 }
36402 @@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct 
36403         int flags = info->flags;
36404         int ret = 0;
36405  
36406 +       pax_track_stack();
36407 +
36408         if (var->activate & FB_ACTIVATE_INV_MODE) {
36409                 struct fb_videomode mode1, mode2;
36410  
36411 @@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
36412         void __user *argp = (void __user *)arg;
36413         long ret = 0;
36414  
36415 +       pax_track_stack();
36416 +
36417         switch (cmd) {
36418         case FBIOGET_VSCREENINFO:
36419                 if (!lock_fb_info(info))
36420 @@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
36421                         return -EFAULT;
36422                 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
36423                         return -EINVAL;
36424 -               if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
36425 +               if (con2fb.framebuffer >= FB_MAX)
36426                         return -EINVAL;
36427                 if (!registered_fb[con2fb.framebuffer])
36428                         request_module("fb%d", con2fb.framebuffer);
36429 diff -urNp linux-3.0.9/drivers/video/geode/gx1fb_core.c linux-3.0.9/drivers/video/geode/gx1fb_core.c
36430 --- linux-3.0.9/drivers/video/geode/gx1fb_core.c        2011-11-11 13:12:24.000000000 -0500
36431 +++ linux-3.0.9/drivers/video/geode/gx1fb_core.c        2011-11-15 20:02:59.000000000 -0500
36432 @@ -29,7 +29,7 @@ static int  crt_option = 1;
36433  static char panel_option[32] = "";
36434  
36435  /* Modes relevant to the GX1 (taken from modedb.c) */
36436 -static const struct fb_videomode __devinitdata gx1_modedb[] = {
36437 +static const struct fb_videomode __devinitconst gx1_modedb[] = {
36438         /* 640x480-60 VESA */
36439         { NULL, 60, 640, 480, 39682,  48, 16, 33, 10, 96, 2,
36440           0, FB_VMODE_NONINTERLACED, FB_MODE_IS_VESA },
36441 diff -urNp linux-3.0.9/drivers/video/gxt4500.c linux-3.0.9/drivers/video/gxt4500.c
36442 --- linux-3.0.9/drivers/video/gxt4500.c 2011-11-11 13:12:24.000000000 -0500
36443 +++ linux-3.0.9/drivers/video/gxt4500.c 2011-11-15 20:02:59.000000000 -0500
36444 @@ -156,7 +156,7 @@ struct gxt4500_par {
36445  static char *mode_option;
36446  
36447  /* default mode: 1280x1024 @ 60 Hz, 8 bpp */
36448 -static const struct fb_videomode defaultmode __devinitdata = {
36449 +static const struct fb_videomode defaultmode __devinitconst = {
36450         .refresh = 60,
36451         .xres = 1280,
36452         .yres = 1024,
36453 @@ -581,7 +581,7 @@ static int gxt4500_blank(int blank, stru
36454         return 0;
36455  }
36456  
36457 -static const struct fb_fix_screeninfo gxt4500_fix __devinitdata = {
36458 +static const struct fb_fix_screeninfo gxt4500_fix __devinitconst = {
36459         .id = "IBM GXT4500P",
36460         .type = FB_TYPE_PACKED_PIXELS,
36461         .visual = FB_VISUAL_PSEUDOCOLOR,
36462 diff -urNp linux-3.0.9/drivers/video/i810/i810_accel.c linux-3.0.9/drivers/video/i810/i810_accel.c
36463 --- linux-3.0.9/drivers/video/i810/i810_accel.c 2011-11-11 13:12:24.000000000 -0500
36464 +++ linux-3.0.9/drivers/video/i810/i810_accel.c 2011-11-15 20:02:59.000000000 -0500
36465 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct 
36466                 }
36467         }
36468         printk("ringbuffer lockup!!!\n");
36469 +       printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
36470         i810_report_error(mmio); 
36471         par->dev_flags |= LOCKUP;
36472         info->pixmap.scan_align = 1;
36473 diff -urNp linux-3.0.9/drivers/video/i810/i810_main.c linux-3.0.9/drivers/video/i810/i810_main.c
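Review bot: The added printk has no log level, so the line is emitted at the default level rather than being tagged as part of the error it accompanies; the existing "ringbuffer lockup!!!" line has the same problem, but the new line should not copy it. `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` (or pr_err) fixes that. The `%u` conversions assume all four values are unsigned; their declarations are outside the hunk, so confirm, and wait_for_space itself starts before the hunk.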
36474 --- linux-3.0.9/drivers/video/i810/i810_main.c  2011-11-11 13:12:24.000000000 -0500
36475 +++ linux-3.0.9/drivers/video/i810/i810_main.c  2011-11-15 20:02:59.000000000 -0500
36476 @@ -97,7 +97,7 @@ static int i810fb_blank      (int blank_
36477  static void i810fb_release_resource       (struct fb_info *info, struct i810fb_par *par);
36478  
36479  /* PCI */
36480 -static const char *i810_pci_list[] __devinitdata = {
36481 +static const char *i810_pci_list[] __devinitconst = {
36482         "Intel(R) 810 Framebuffer Device"                                 ,
36483         "Intel(R) 810-DC100 Framebuffer Device"                           ,
36484         "Intel(R) 810E Framebuffer Device"                                ,
36485 diff -urNp linux-3.0.9/drivers/video/jz4740_fb.c linux-3.0.9/drivers/video/jz4740_fb.c
36486 --- linux-3.0.9/drivers/video/jz4740_fb.c       2011-11-11 13:12:24.000000000 -0500
36487 +++ linux-3.0.9/drivers/video/jz4740_fb.c       2011-11-15 20:02:59.000000000 -0500
36488 @@ -136,7 +136,7 @@ struct jzfb {
36489         uint32_t pseudo_palette[16];
36490  };
36491  
36492 -static const struct fb_fix_screeninfo jzfb_fix __devinitdata = {
36493 +static const struct fb_fix_screeninfo jzfb_fix __devinitconst = {
36494         .id             = "JZ4740 FB",
36495         .type           = FB_TYPE_PACKED_PIXELS,
36496         .visual         = FB_VISUAL_TRUECOLOR,
36497 diff -urNp linux-3.0.9/drivers/video/logo/logo_linux_clut224.ppm linux-3.0.9/drivers/video/logo/logo_linux_clut224.ppm
36498 --- linux-3.0.9/drivers/video/logo/logo_linux_clut224.ppm       2011-11-11 13:12:24.000000000 -0500
36499 +++ linux-3.0.9/drivers/video/logo/logo_linux_clut224.ppm       2011-11-15 20:02:59.000000000 -0500
36500 @@ -1,1604 +1,1123 @@
36501  P3
36502 -# Standard 224-color Linux logo
36503  80 80
36504  255
36505 -  0   0   0   0   0   0   0   0   0   0   0   0
36506 -  0   0   0   0   0   0   0   0   0   0   0   0
36507 -  0   0   0   0   0   0   0   0   0   0   0   0
36508 -  0   0   0   0   0   0   0   0   0   0   0   0
36509 -  0   0   0   0   0   0   0   0   0   0   0   0
36510 -  0   0   0   0   0   0   0   0   0   0   0   0
36511 -  0   0   0   0   0   0   0   0   0   0   0   0
36512 -  0   0   0   0   0   0   0   0   0   0   0   0
36513 -  0   0   0   0   0   0   0   0   0   0   0   0
36514 -  6   6   6   6   6   6  10  10  10  10  10  10
36515 - 10  10  10   6   6   6   6   6   6   6   6   6
36516 -  0   0   0   0   0   0   0   0   0   0   0   0
36517 -  0   0   0   0   0   0   0   0   0   0   0   0
36518 -  0   0   0   0   0   0   0   0   0   0   0   0
36519 -  0   0   0   0   0   0   0   0   0   0   0   0
36520 -  0   0   0   0   0   0   0   0   0   0   0   0
36521 -  0   0   0   0   0   0   0   0   0   0   0   0
36522 -  0   0   0   0   0   0   0   0   0   0   0   0
36523 -  0   0   0   0   0   0   0   0   0   0   0   0
36524 -  0   0   0   0   0   0   0   0   0   0   0   0
36525 -  0   0   0   0   0   0   0   0   0   0   0   0
36526 -  0   0   0   0   0   0   0   0   0   0   0   0
36527 -  0   0   0   0   0   0   0   0   0   0   0   0
36528 -  0   0   0   0   0   0   0   0   0   0   0   0
36529 -  0   0   0   0   0   0   0   0   0   0   0   0
36530 -  0   0   0   0   0   0   0   0   0   0   0   0
36531 -  0   0   0   0   0   0   0   0   0   0   0   0
36532 -  0   0   0   0   0   0   0   0   0   0   0   0
36533 -  0   0   0   6   6   6  10  10  10  14  14  14
36534 - 22  22  22  26  26  26  30  30  30  34  34  34
36535 - 30  30  30  30  30  30  26  26  26  18  18  18
36536 - 14  14  14  10  10  10   6   6   6   0   0   0
36537 -  0   0   0   0   0   0   0   0   0   0   0   0
36538 -  0   0   0   0   0   0   0   0   0   0   0   0
36539 -  0   0   0   0   0   0   0   0   0   0   0   0
36540 -  0   0   0   0   0   0   0   0   0   0   0   0
36541 -  0   0   0   0   0   0   0   0   0   0   0   0
36542 -  0   0   0   0   0   0   0   0   0   0   0   0
36543 -  0   0   0   0   0   0   0   0   0   0   0   0
36544 -  0   0   0   0   0   0   0   0   0   0   0   0
36545 -  0   0   0   0   0   0   0   0   0   0   0   0
36546 -  0   0   0   0   0   1   0   0   1   0   0   0
36547 -  0   0   0   0   0   0   0   0   0   0   0   0
36548 -  0   0   0   0   0   0   0   0   0   0   0   0
36549 -  0   0   0   0   0   0   0   0   0   0   0   0
36550 -  0   0   0   0   0   0   0   0   0   0   0   0
36551 -  0   0   0   0   0   0   0   0   0   0   0   0
36552 -  0   0   0   0   0   0   0   0   0   0   0   0
36553 -  6   6   6  14  14  14  26  26  26  42  42  42
36554 - 54  54  54  66  66  66  78  78  78  78  78  78
36555 - 78  78  78  74  74  74  66  66  66  54  54  54
36556 - 42  42  42  26  26  26  18  18  18  10  10  10
36557 -  6   6   6   0   0   0   0   0   0   0   0   0
36558 -  0   0   0   0   0   0   0   0   0   0   0   0
36559 -  0   0   0   0   0   0   0   0   0   0   0   0
36560 -  0   0   0   0   0   0   0   0   0   0   0   0
36561 -  0   0   0   0   0   0   0   0   0   0   0   0
36562 -  0   0   0   0   0   0   0   0   0   0   0   0
36563 -  0   0   0   0   0   0   0   0   0   0   0   0
36564 -  0   0   0   0   0   0   0   0   0   0   0   0
36565 -  0   0   0   0   0   0   0   0   0   0   0   0
36566 -  0   0   1   0   0   0   0   0   0   0   0   0
36567 -  0   0   0   0   0   0   0   0   0   0   0   0
36568 -  0   0   0   0   0   0   0   0   0   0   0   0
36569 -  0   0   0   0   0   0   0   0   0   0   0   0
36570 -  0   0   0   0   0   0   0   0   0   0   0   0
36571 -  0   0   0   0   0   0   0   0   0   0   0   0
36572 -  0   0   0   0   0   0   0   0   0  10  10  10
36573 - 22  22  22  42  42  42  66  66  66  86  86  86
36574 - 66  66  66  38  38  38  38  38  38  22  22  22
36575 - 26  26  26  34  34  34  54  54  54  66  66  66
36576 - 86  86  86  70  70  70  46  46  46  26  26  26
36577 - 14  14  14   6   6   6   0   0   0   0   0   0
36578 -  0   0   0   0   0   0   0   0   0   0   0   0
36579 -  0   0   0   0   0   0   0   0   0   0   0   0
36580 -  0   0   0   0   0   0   0   0   0   0   0   0
36581 -  0   0   0   0   0   0   0   0   0   0   0   0
36582 -  0   0   0   0   0   0   0   0   0   0   0   0
36583 -  0   0   0   0   0   0   0   0   0   0   0   0
36584 -  0   0   0   0   0   0   0   0   0   0   0   0
36585 -  0   0   0   0   0   0   0   0   0   0   0   0
36586 -  0   0   1   0   0   1   0   0   1   0   0   0
36587 -  0   0   0   0   0   0   0   0   0   0   0   0
36588 -  0   0   0   0   0   0   0   0   0   0   0   0
36589 -  0   0   0   0   0   0   0   0   0   0   0   0
36590 -  0   0   0   0   0   0   0   0   0   0   0   0
36591 -  0   0   0   0   0   0   0   0   0   0   0   0
36592 -  0   0   0   0   0   0  10  10  10  26  26  26
36593 - 50  50  50  82  82  82  58  58  58   6   6   6
36594 -  2   2   6   2   2   6   2   2   6   2   2   6
36595 -  2   2   6   2   2   6   2   2   6   2   2   6
36596 -  6   6   6  54  54  54  86  86  86  66  66  66
36597 - 38  38  38  18  18  18   6   6   6   0   0   0
36598 -  0   0   0   0   0   0   0   0   0   0   0   0
36599 -  0   0   0   0   0   0   0   0   0   0   0   0
36600 -  0   0   0   0   0   0   0   0   0   0   0   0
36601 -  0   0   0   0   0   0   0   0   0   0   0   0
36602 -  0   0   0   0   0   0   0   0   0   0   0   0
36603 -  0   0   0   0   0   0   0   0   0   0   0   0
36604 -  0   0   0   0   0   0   0   0   0   0   0   0
36605 -  0   0   0   0   0   0   0   0   0   0   0   0
36606 -  0   0   0   0   0   0   0   0   0   0   0   0
36607 -  0   0   0   0   0   0   0   0   0   0   0   0
36608 -  0   0   0   0   0   0   0   0   0   0   0   0
36609 -  0   0   0   0   0   0   0   0   0   0   0   0
36610 -  0   0   0   0   0   0   0   0   0   0   0   0
36611 -  0   0   0   0   0   0   0   0   0   0   0   0
36612 -  0   0   0   6   6   6  22  22  22  50  50  50
36613 - 78  78  78  34  34  34   2   2   6   2   2   6
36614 -  2   2   6   2   2   6   2   2   6   2   2   6
36615 -  2   2   6   2   2   6   2   2   6   2   2   6
36616 -  2   2   6   2   2   6   6   6   6  70  70  70
36617 - 78  78  78  46  46  46  22  22  22   6   6   6
36618 -  0   0   0   0   0   0   0   0   0   0   0   0
36619 -  0   0   0   0   0   0   0   0   0   0   0   0
36620 -  0   0   0   0   0   0   0   0   0   0   0   0
36621 -  0   0   0   0   0   0   0   0   0   0   0   0
36622 -  0   0   0   0   0   0   0   0   0   0   0   0
36623 -  0   0   0   0   0   0   0   0   0   0   0   0
36624 -  0   0   0   0   0   0   0   0   0   0   0   0
36625 -  0   0   0   0   0   0   0   0   0   0   0   0
36626 -  0   0   1   0   0   1   0   0   1   0   0   0
36627 -  0   0   0   0   0   0   0   0   0   0   0   0
36628 -  0   0   0   0   0   0   0   0   0   0   0   0
36629 -  0   0   0   0   0   0   0   0   0   0   0   0
36630 -  0   0   0   0   0   0   0   0   0   0   0   0
36631 -  0   0   0   0   0   0   0   0   0   0   0   0
36632 -  6   6   6  18  18  18  42  42  42  82  82  82
36633 - 26  26  26   2   2   6   2   2   6   2   2   6
36634 -  2   2   6   2   2   6   2   2   6   2   2   6
36635 -  2   2   6   2   2   6   2   2   6  14  14  14
36636 - 46  46  46  34  34  34   6   6   6   2   2   6
36637 - 42  42  42  78  78  78  42  42  42  18  18  18
36638 -  6   6   6   0   0   0   0   0   0   0   0   0
36639 -  0   0   0   0   0   0   0   0   0   0   0   0
36640 -  0   0   0   0   0   0   0   0   0   0   0   0
36641 -  0   0   0   0   0   0   0   0   0   0   0   0
36642 -  0   0   0   0   0   0   0   0   0   0   0   0
36643 -  0   0   0   0   0   0   0   0   0   0   0   0
36644 -  0   0   0   0   0   0   0   0   0   0   0   0
36645 -  0   0   0   0   0   0   0   0   0   0   0   0
36646 -  0   0   1   0   0   0   0   0   1   0   0   0
36647 -  0   0   0   0   0   0   0   0   0   0   0   0
36648 -  0   0   0   0   0   0   0   0   0   0   0   0
36649 -  0   0   0   0   0   0   0   0   0   0   0   0
36650 -  0   0   0   0   0   0   0   0   0   0   0   0
36651 -  0   0   0   0   0   0   0   0   0   0   0   0
36652 - 10  10  10  30  30  30  66  66  66  58  58  58
36653 -  2   2   6   2   2   6   2   2   6   2   2   6
36654 -  2   2   6   2   2   6   2   2   6   2   2   6
36655 -  2   2   6   2   2   6   2   2   6  26  26  26
36656 - 86  86  86 101 101 101  46  46  46  10  10  10
36657 -  2   2   6  58  58  58  70  70  70  34  34  34
36658 - 10  10  10   0   0   0   0   0   0   0   0   0
36659 -  0   0   0   0   0   0   0   0   0   0   0   0
36660 -  0   0   0   0   0   0   0   0   0   0   0   0
36661 -  0   0   0   0   0   0   0   0   0   0   0   0
36662 -  0   0   0   0   0   0   0   0   0   0   0   0
36663 -  0   0   0   0   0   0   0   0   0   0   0   0
36664 -  0   0   0   0   0   0   0   0   0   0   0   0
36665 -  0   0   0   0   0   0   0   0   0   0   0   0
36666 -  0   0   1   0   0   1   0   0   1   0   0   0
36667 -  0   0   0   0   0   0   0   0   0   0   0   0
36668 -  0   0   0   0   0   0   0   0   0   0   0   0
36669 -  0   0   0   0   0   0   0   0   0   0   0   0
36670 -  0   0   0   0   0   0   0   0   0   0   0   0
36671 -  0   0   0   0   0   0   0   0   0   0   0   0
36672 - 14  14  14  42  42  42  86  86  86  10  10  10
36673 -  2   2   6   2   2   6   2   2   6   2   2   6
36674 -  2   2   6   2   2   6   2   2   6   2   2   6
36675 -  2   2   6   2   2   6   2   2   6  30  30  30
36676 - 94  94  94  94  94  94  58  58  58  26  26  26
36677 -  2   2   6   6   6   6  78  78  78  54  54  54
36678 - 22  22  22   6   6   6   0   0   0   0   0   0
36679 -  0   0   0   0   0   0   0   0   0   0   0   0
36680 -  0   0   0   0   0   0   0   0   0   0   0   0
36681 -  0   0   0   0   0   0   0   0   0   0   0   0
36682 -  0   0   0   0   0   0   0   0   0   0   0   0
36683 -  0   0   0   0   0   0   0   0   0   0   0   0
36684 -  0   0   0   0   0   0   0   0   0   0   0   0
36685 -  0   0   0   0   0   0   0   0   0   0   0   0
36686 -  0   0   0   0   0   0   0   0   0   0   0   0
36687 -  0   0   0   0   0   0   0   0   0   0   0   0
36688 -  0   0   0   0   0   0   0   0   0   0   0   0
36689 -  0   0   0   0   0   0   0   0   0   0   0   0
36690 -  0   0   0   0   0   0   0   0   0   0   0   0
36691 -  0   0   0   0   0   0   0   0   0   6   6   6
36692 - 22  22  22  62  62  62  62  62  62   2   2   6
36693 -  2   2   6   2   2   6   2   2   6   2   2   6
36694 -  2   2   6   2   2   6   2   2   6   2   2   6
36695 -  2   2   6   2   2   6   2   2   6  26  26  26
36696 - 54  54  54  38  38  38  18  18  18  10  10  10
36697 -  2   2   6   2   2   6  34  34  34  82  82  82
36698 - 38  38  38  14  14  14   0   0   0   0   0   0
36699 -  0   0   0   0   0   0   0   0   0   0   0   0
36700 -  0   0   0   0   0   0   0   0   0   0   0   0
36701 -  0   0   0   0   0   0   0   0   0   0   0   0
36702 -  0   0   0   0   0   0   0   0   0   0   0   0
36703 -  0   0   0   0   0   0   0   0   0   0   0   0
36704 -  0   0   0   0   0   0   0   0   0   0   0   0
36705 -  0   0   0   0   0   0   0   0   0   0   0   0
36706 -  0   0   0   0   0   1   0   0   1   0   0   0
36707 -  0   0   0   0   0   0   0   0   0   0   0   0
36708 -  0   0   0   0   0   0   0   0   0   0   0   0
36709 -  0   0   0   0   0   0   0   0   0   0   0   0
36710 -  0   0   0   0   0   0   0   0   0   0   0   0
36711 -  0   0   0   0   0   0   0   0   0   6   6   6
36712 - 30  30  30  78  78  78  30  30  30   2   2   6
36713 -  2   2   6   2   2   6   2   2   6   2   2   6
36714 -  2   2   6   2   2   6   2   2   6   2   2   6
36715 -  2   2   6   2   2   6   2   2   6  10  10  10
36716 - 10  10  10   2   2   6   2   2   6   2   2   6
36717 -  2   2   6   2   2   6   2   2   6  78  78  78
36718 - 50  50  50  18  18  18   6   6   6   0   0   0
36719 -  0   0   0   0   0   0   0   0   0   0   0   0
36720 -  0   0   0   0   0   0   0   0   0   0   0   0
36721 -  0   0   0   0   0   0   0   0   0   0   0   0
36722 -  0   0   0   0   0   0   0   0   0   0   0   0
36723 -  0   0   0   0   0   0   0   0   0   0   0   0
36724 -  0   0   0   0   0   0   0   0   0   0   0   0
36725 -  0   0   0   0   0   0   0   0   0   0   0   0
36726 -  0   0   1   0   0   0   0   0   0   0   0   0
36727 -  0   0   0   0   0   0   0   0   0   0   0   0
36728 -  0   0   0   0   0   0   0   0   0   0   0   0
36729 -  0   0   0   0   0   0   0   0   0   0   0   0
36730 -  0   0   0   0   0   0   0   0   0   0   0   0
36731 -  0   0   0   0   0   0   0   0   0  10  10  10
36732 - 38  38  38  86  86  86  14  14  14   2   2   6
36733 -  2   2   6   2   2   6   2   2   6   2   2   6
36734 -  2   2   6   2   2   6   2   2   6   2   2   6
36735 -  2   2   6   2   2   6   2   2   6   2   2   6
36736 -  2   2   6   2   2   6   2   2   6   2   2   6
36737 -  2   2   6   2   2   6   2   2   6  54  54  54
36738 - 66  66  66  26  26  26   6   6   6   0   0   0
36739 -  0   0   0   0   0   0   0   0   0   0   0   0
36740 -  0   0   0   0   0   0   0   0   0   0   0   0
36741 -  0   0   0   0   0   0   0   0   0   0   0   0
36742 -  0   0   0   0   0   0   0   0   0   0   0   0
36743 -  0   0   0   0   0   0   0   0   0   0   0   0
36744 -  0   0   0   0   0   0   0   0   0   0   0   0
36745 -  0   0   0   0   0   0   0   0   0   0   0   0
36746 -  0   0   0   0   0   1   0   0   1   0   0   0
36747 -  0   0   0   0   0   0   0   0   0   0   0   0
36748 -  0   0   0   0   0   0   0   0   0   0   0   0
36749 -  0   0   0   0   0   0   0   0   0   0   0   0
36750 -  0   0   0   0   0   0   0   0   0   0   0   0
36751 -  0   0   0   0   0   0   0   0   0  14  14  14
36752 - 42  42  42  82  82  82   2   2   6   2   2   6
36753 -  2   2   6   6   6   6  10  10  10   2   2   6
36754 -  2   2   6   2   2   6   2   2   6   2   2   6
36755 -  2   2   6   2   2   6   2   2   6   6   6   6
36756 - 14  14  14  10  10  10   2   2   6   2   2   6
36757 -  2   2   6   2   2   6   2   2   6  18  18  18
36758 - 82  82  82  34  34  34  10  10  10   0   0   0
36759 -  0   0   0   0   0   0   0   0   0   0   0   0
36760 -  0   0   0   0   0   0   0   0   0   0   0   0
36761 -  0   0   0   0   0   0   0   0   0   0   0   0
36762 -  0   0   0   0   0   0   0   0   0   0   0   0
36763 -  0   0   0   0   0   0   0   0   0   0   0   0
36764 -  0   0   0   0   0   0   0   0   0   0   0   0
36765 -  0   0   0   0   0   0   0   0   0   0   0   0
36766 -  0   0   1   0   0   0   0   0   0   0   0   0
36767 -  0   0   0   0   0   0   0   0   0   0   0   0
36768 -  0   0   0   0   0   0   0   0   0   0   0   0
36769 -  0   0   0   0   0   0   0   0   0   0   0   0
36770 -  0   0   0   0   0   0   0   0   0   0   0   0
36771 -  0   0   0   0   0   0   0   0   0  14  14  14
36772 - 46  46  46  86  86  86   2   2   6   2   2   6
36773 -  6   6   6   6   6   6  22  22  22  34  34  34
36774 -  6   6   6   2   2   6   2   2   6   2   2   6
36775 -  2   2   6   2   2   6  18  18  18  34  34  34
36776 - 10  10  10  50  50  50  22  22  22   2   2   6
36777 -  2   2   6   2   2   6   2   2   6  10  10  10
36778 - 86  86  86  42  42  42  14  14  14   0   0   0
36779 -  0   0   0   0   0   0   0   0   0   0   0   0
36780 -  0   0   0   0   0   0   0   0   0   0   0   0
36781 -  0   0   0   0   0   0   0   0   0   0   0   0
36782 -  0   0   0   0   0   0   0   0   0   0   0   0
36783 -  0   0   0   0   0   0   0   0   0   0   0   0
36784 -  0   0   0   0   0   0   0   0   0   0   0   0
36785 -  0   0   0   0   0   0   0   0   0   0   0   0
36786 -  0   0   1   0   0   1   0   0   1   0   0   0
36787 -  0   0   0   0   0   0   0   0   0   0   0   0
36788 -  0   0   0   0   0   0   0   0   0   0   0   0
36789 -  0   0   0   0   0   0   0   0   0   0   0   0
36790 -  0   0   0   0   0   0   0   0   0   0   0   0
36791 -  0   0   0   0   0   0   0   0   0  14  14  14
36792 - 46  46  46  86  86  86   2   2   6   2   2   6
36793 - 38  38  38 116 116 116  94  94  94  22  22  22
36794 - 22  22  22   2   2   6   2   2   6   2   2   6
36795 - 14  14  14  86  86  86 138 138 138 162 162 162
36796 -154 154 154  38  38  38  26  26  26   6   6   6
36797 -  2   2   6   2   2   6   2   2   6   2   2   6
36798 - 86  86  86  46  46  46  14  14  14   0   0   0
36799 -  0   0   0   0   0   0   0   0   0   0   0   0
36800 -  0   0   0   0   0   0   0   0   0   0   0   0
36801 -  0   0   0   0   0   0   0   0   0   0   0   0
36802 -  0   0   0   0   0   0   0   0   0   0   0   0
36803 -  0   0   0   0   0   0   0   0   0   0   0   0
36804 -  0   0   0   0   0   0   0   0   0   0   0   0
36805 -  0   0   0   0   0   0   0   0   0   0   0   0
36806 -  0   0   0   0   0   0   0   0   0   0   0   0
36807 -  0   0   0   0   0   0   0   0   0   0   0   0
36808 -  0   0   0   0   0   0   0   0   0   0   0   0
36809 -  0   0   0   0   0   0   0   0   0   0   0   0
36810 -  0   0   0   0   0   0   0   0   0   0   0   0
36811 -  0   0   0   0   0   0   0   0   0  14  14  14
36812 - 46  46  46  86  86  86   2   2   6  14  14  14
36813 -134 134 134 198 198 198 195 195 195 116 116 116
36814 - 10  10  10   2   2   6   2   2   6   6   6   6
36815 -101  98  89 187 187 187 210 210 210 218 218 218
36816 -214 214 214 134 134 134  14  14  14   6   6   6
36817 -  2   2   6   2   2   6   2   2   6   2   2   6
36818 - 86  86  86  50  50  50  18  18  18   6   6   6
36819 -  0   0   0   0   0   0   0   0   0   0   0   0
36820 -  0   0   0   0   0   0   0   0   0   0   0   0
36821 -  0   0   0   0   0   0   0   0   0   0   0   0
36822 -  0   0   0   0   0   0   0   0   0   0   0   0
36823 -  0   0   0   0   0   0   0   0   0   0   0   0
36824 -  0   0   0   0   0   0   0   0   0   0   0   0
36825 -  0   0   0   0   0   0   0   0   1   0   0   0
36826 -  0   0   1   0   0   1   0   0   1   0   0   0
36827 -  0   0   0   0   0   0   0   0   0   0   0   0
36828 -  0   0   0   0   0   0   0   0   0   0   0   0
36829 -  0   0   0   0   0   0   0   0   0   0   0   0
36830 -  0   0   0   0   0   0   0   0   0   0   0   0
36831 -  0   0   0   0   0   0   0   0   0  14  14  14
36832 - 46  46  46  86  86  86   2   2   6  54  54  54
36833 -218 218 218 195 195 195 226 226 226 246 246 246
36834 - 58  58  58   2   2   6   2   2   6  30  30  30
36835 -210 210 210 253 253 253 174 174 174 123 123 123
36836 -221 221 221 234 234 234  74  74  74   2   2   6
36837 -  2   2   6   2   2   6   2   2   6   2   2   6
36838 - 70  70  70  58  58  58  22  22  22   6   6   6
36839 -  0   0   0   0   0   0   0   0   0   0   0   0
36840 -  0   0   0   0   0   0   0   0   0   0   0   0
36841 -  0   0   0   0   0   0   0   0   0   0   0   0
36842 -  0   0   0   0   0   0   0   0   0   0   0   0
36843 -  0   0   0   0   0   0   0   0   0   0   0   0
36844 -  0   0   0   0   0   0   0   0   0   0   0   0
36845 -  0   0   0   0   0   0   0   0   0   0   0   0
36846 -  0   0   0   0   0   0   0   0   0   0   0   0
36847 -  0   0   0   0   0   0   0   0   0   0   0   0
36848 -  0   0   0   0   0   0   0   0   0   0   0   0
36849 -  0   0   0   0   0   0   0   0   0   0   0   0
36850 -  0   0   0   0   0   0   0   0   0   0   0   0
36851 -  0   0   0   0   0   0   0   0   0  14  14  14
36852 - 46  46  46  82  82  82   2   2   6 106 106 106
36853 -170 170 170  26  26  26  86  86  86 226 226 226
36854 -123 123 123  10  10  10  14  14  14  46  46  46
36855 -231 231 231 190 190 190   6   6   6  70  70  70
36856 - 90  90  90 238 238 238 158 158 158   2   2   6
36857 -  2   2   6   2   2   6   2   2   6   2   2   6
36858 - 70  70  70  58  58  58  22  22  22   6   6   6
36859 -  0   0   0   0   0   0   0   0   0   0   0   0
36860 -  0   0   0   0   0   0   0   0   0   0   0   0
36861 -  0   0   0   0   0   0   0   0   0   0   0   0
36862 -  0   0   0   0   0   0   0   0   0   0   0   0
36863 -  0   0   0   0   0   0   0   0   0   0   0   0
36864 -  0   0   0   0   0   0   0   0   0   0   0   0
36865 -  0   0   0   0   0   0   0   0   1   0   0   0
36866 -  0   0   1   0   0   1   0   0   1   0   0   0
36867 -  0   0   0   0   0   0   0   0   0   0   0   0
36868 -  0   0   0   0   0   0   0   0   0   0   0   0
36869 -  0   0   0   0   0   0   0   0   0   0   0   0
36870 -  0   0   0   0   0   0   0   0   0   0   0   0
36871 -  0   0   0   0   0   0   0   0   0  14  14  14
36872 - 42  42  42  86  86  86   6   6   6 116 116 116
36873 -106 106 106   6   6   6  70  70  70 149 149 149
36874 -128 128 128  18  18  18  38  38  38  54  54  54
36875 -221 221 221 106 106 106   2   2   6  14  14  14
36876 - 46  46  46 190 190 190 198 198 198   2   2   6
36877 -  2   2   6   2   2   6   2   2   6   2   2   6
36878 - 74  74  74  62  62  62  22  22  22   6   6   6
36879 -  0   0   0   0   0   0   0   0   0   0   0   0
36880 -  0   0   0   0   0   0   0   0   0   0   0   0
36881 -  0   0   0   0   0   0   0   0   0   0   0   0
36882 -  0   0   0   0   0   0   0   0   0   0   0   0
36883 -  0   0   0   0   0   0   0   0   0   0   0   0
36884 -  0   0   0   0   0   0   0   0   0   0   0   0
36885 -  0   0   0   0   0   0   0   0   1   0   0   0
36886 -  0   0   1   0   0   0   0   0   1   0   0   0
36887 -  0   0   0   0   0   0   0   0   0   0   0   0
36888 -  0   0   0   0   0   0   0   0   0   0   0   0
36889 -  0   0   0   0   0   0   0   0   0   0   0   0
36890 -  0   0   0   0   0   0   0   0   0   0   0   0
36891 -  0   0   0   0   0   0   0   0   0  14  14  14
36892 - 42  42  42  94  94  94  14  14  14 101 101 101
36893 -128 128 128   2   2   6  18  18  18 116 116 116
36894 -118  98  46 121  92   8 121  92   8  98  78  10
36895 -162 162 162 106 106 106   2   2   6   2   2   6
36896 -  2   2   6 195 195 195 195 195 195   6   6   6
36897 -  2   2   6   2   2   6   2   2   6   2   2   6
36898 - 74  74  74  62  62  62  22  22  22   6   6   6
36899 -  0   0   0   0   0   0   0   0   0   0   0   0
36900 -  0   0   0   0   0   0   0   0   0   0   0   0
36901 -  0   0   0   0   0   0   0   0   0   0   0   0
36902 -  0   0   0   0   0   0   0   0   0   0   0   0
36903 -  0   0   0   0   0   0   0   0   0   0   0   0
36904 -  0   0   0   0   0   0   0   0   0   0   0   0
36905 -  0   0   0   0   0   0   0   0   1   0   0   1
36906 -  0   0   1   0   0   0   0   0   1   0   0   0
36907 -  0   0   0   0   0   0   0   0   0   0   0   0
36908 -  0   0   0   0   0   0   0   0   0   0   0   0
36909 -  0   0   0   0   0   0   0   0   0   0   0   0
36910 -  0   0   0   0   0   0   0   0   0   0   0   0
36911 -  0   0   0   0   0   0   0   0   0  10  10  10
36912 - 38  38  38  90  90  90  14  14  14  58  58  58
36913 -210 210 210  26  26  26  54  38   6 154 114  10
36914 -226 170  11 236 186  11 225 175  15 184 144  12
36915 -215 174  15 175 146  61  37  26   9   2   2   6
36916 - 70  70  70 246 246 246 138 138 138   2   2   6
36917 -  2   2   6   2   2   6   2   2   6   2   2   6
36918 - 70  70  70  66  66  66  26  26  26   6   6   6
36919 -  0   0   0   0   0   0   0   0   0   0   0   0
36920 -  0   0   0   0   0   0   0   0   0   0   0   0
36921 -  0   0   0   0   0   0   0   0   0   0   0   0
36922 -  0   0   0   0   0   0   0   0   0   0   0   0
36923 -  0   0   0   0   0   0   0   0   0   0   0   0
36924 -  0   0   0   0   0   0   0   0   0   0   0   0
36925 -  0   0   0   0   0   0   0   0   0   0   0   0
36926 -  0   0   0   0   0   0   0   0   0   0   0   0
36927 -  0   0   0   0   0   0   0   0   0   0   0   0
36928 -  0   0   0   0   0   0   0   0   0   0   0   0
36929 -  0   0   0   0   0   0   0   0   0   0   0   0
36930 -  0   0   0   0   0   0   0   0   0   0   0   0
36931 -  0   0   0   0   0   0   0   0   0  10  10  10
36932 - 38  38  38  86  86  86  14  14  14  10  10  10
36933 -195 195 195 188 164 115 192 133   9 225 175  15
36934 -239 182  13 234 190  10 232 195  16 232 200  30
36935 -245 207  45 241 208  19 232 195  16 184 144  12
36936 -218 194 134 211 206 186  42  42  42   2   2   6
36937 -  2   2   6   2   2   6   2   2   6   2   2   6
36938 - 50  50  50  74  74  74  30  30  30   6   6   6
36939 -  0   0   0   0   0   0   0   0   0   0   0   0
36940 -  0   0   0   0   0   0   0   0   0   0   0   0
36941 -  0   0   0   0   0   0   0   0   0   0   0   0
36942 -  0   0   0   0   0   0   0   0   0   0   0   0
36943 -  0   0   0   0   0   0   0   0   0   0   0   0
36944 -  0   0   0   0   0   0   0   0   0   0   0   0
36945 -  0   0   0   0   0   0   0   0   0   0   0   0
36946 -  0   0   0   0   0   0   0   0   0   0   0   0
36947 -  0   0   0   0   0   0   0   0   0   0   0   0
36948 -  0   0   0   0   0   0   0   0   0   0   0   0
36949 -  0   0   0   0   0   0   0   0   0   0   0   0
36950 -  0   0   0   0   0   0   0   0   0   0   0   0
36951 -  0   0   0   0   0   0   0   0   0  10  10  10
36952 - 34  34  34  86  86  86  14  14  14   2   2   6
36953 -121  87  25 192 133   9 219 162  10 239 182  13
36954 -236 186  11 232 195  16 241 208  19 244 214  54
36955 -246 218  60 246 218  38 246 215  20 241 208  19
36956 -241 208  19 226 184  13 121  87  25   2   2   6
36957 -  2   2   6   2   2   6   2   2   6   2   2   6
36958 - 50  50  50  82  82  82  34  34  34  10  10  10
36959 -  0   0   0   0   0   0   0   0   0   0   0   0
36960 -  0   0   0   0   0   0   0   0   0   0   0   0
36961 -  0   0   0   0   0   0   0   0   0   0   0   0
36962 -  0   0   0   0   0   0   0   0   0   0   0   0
36963 -  0   0   0   0   0   0   0   0   0   0   0   0
36964 -  0   0   0   0   0   0   0   0   0   0   0   0
36965 -  0   0   0   0   0   0   0   0   0   0   0   0
36966 -  0   0   0   0   0   0   0   0   0   0   0   0
36967 -  0   0   0   0   0   0   0   0   0   0   0   0
36968 -  0   0   0   0   0   0   0   0   0   0   0   0
36969 -  0   0   0   0   0   0   0   0   0   0   0   0
36970 -  0   0   0   0   0   0   0   0   0   0   0   0
36971 -  0   0   0   0   0   0   0   0   0  10  10  10
36972 - 34  34  34  82  82  82  30  30  30  61  42   6
36973 -180 123   7 206 145  10 230 174  11 239 182  13
36974 -234 190  10 238 202  15 241 208  19 246 218  74
36975 -246 218  38 246 215  20 246 215  20 246 215  20
36976 -226 184  13 215 174  15 184 144  12   6   6   6
36977 -  2   2   6   2   2   6   2   2   6   2   2   6
36978 - 26  26  26  94  94  94  42  42  42  14  14  14
36979 -  0   0   0   0   0   0   0   0   0   0   0   0
36980 -  0   0   0   0   0   0   0   0   0   0   0   0
36981 -  0   0   0   0   0   0   0   0   0   0   0   0
36982 -  0   0   0   0   0   0   0   0   0   0   0   0
36983 -  0   0   0   0   0   0   0   0   0   0   0   0
36984 -  0   0   0   0   0   0   0   0   0   0   0   0
36985 -  0   0   0   0   0   0   0   0   0   0   0   0
36986 -  0   0   0   0   0   0   0   0   0   0   0   0
36987 -  0   0   0   0   0   0   0   0   0   0   0   0
36988 -  0   0   0   0   0   0   0   0   0   0   0   0
36989 -  0   0   0   0   0   0   0   0   0   0   0   0
36990 -  0   0   0   0   0   0   0   0   0   0   0   0
36991 -  0   0   0   0   0   0   0   0   0  10  10  10
36992 - 30  30  30  78  78  78  50  50  50 104  69   6
36993 -192 133   9 216 158  10 236 178  12 236 186  11
36994 -232 195  16 241 208  19 244 214  54 245 215  43
36995 -246 215  20 246 215  20 241 208  19 198 155  10
36996 -200 144  11 216 158  10 156 118  10   2   2   6
36997 -  2   2   6   2   2   6   2   2   6   2   2   6
36998 -  6   6   6  90  90  90  54  54  54  18  18  18
36999 -  6   6   6   0   0   0   0   0   0   0   0   0
37000 -  0   0   0   0   0   0   0   0   0   0   0   0
37001 -  0   0   0   0   0   0   0   0   0   0   0   0
37002 -  0   0   0   0   0   0   0   0   0   0   0   0
37003 -  0   0   0   0   0   0   0   0   0   0   0   0
37004 -  0   0   0   0   0   0   0   0   0   0   0   0
37005 -  0   0   0   0   0   0   0   0   0   0   0   0
37006 -  0   0   0   0   0   0   0   0   0   0   0   0
37007 -  0   0   0   0   0   0   0   0   0   0   0   0
37008 -  0   0   0   0   0   0   0   0   0   0   0   0
37009 -  0   0   0   0   0   0   0   0   0   0   0   0
37010 -  0   0   0   0   0   0   0   0   0   0   0   0
37011 -  0   0   0   0   0   0   0   0   0  10  10  10
37012 - 30  30  30  78  78  78  46  46  46  22  22  22
37013 -137  92   6 210 162  10 239 182  13 238 190  10
37014 -238 202  15 241 208  19 246 215  20 246 215  20
37015 -241 208  19 203 166  17 185 133  11 210 150  10
37016 -216 158  10 210 150  10 102  78  10   2   2   6
37017 -  6   6   6  54  54  54  14  14  14   2   2   6
37018 -  2   2   6  62  62  62  74  74  74  30  30  30
37019 - 10  10  10   0   0   0   0   0   0   0   0   0
37020 -  0   0   0   0   0   0   0   0   0   0   0   0
37021 -  0   0   0   0   0   0   0   0   0   0   0   0
37022 -  0   0   0   0   0   0   0   0   0   0   0   0
37023 -  0   0   0   0   0   0   0   0   0   0   0   0
37024 -  0   0   0   0   0   0   0   0   0   0   0   0
37025 -  0   0   0   0   0   0   0   0   0   0   0   0
37026 -  0   0   0   0   0   0   0   0   0   0   0   0
37027 -  0   0   0   0   0   0   0   0   0   0   0   0
37028 -  0   0   0   0   0   0   0   0   0   0   0   0
37029 -  0   0   0   0   0   0   0   0   0   0   0   0
37030 -  0   0   0   0   0   0   0   0   0   0   0   0
37031 -  0   0   0   0   0   0   0   0   0  10  10  10
37032 - 34  34  34  78  78  78  50  50  50   6   6   6
37033 - 94  70  30 139 102  15 190 146  13 226 184  13
37034 -232 200  30 232 195  16 215 174  15 190 146  13
37035 -168 122  10 192 133   9 210 150  10 213 154  11
37036 -202 150  34 182 157 106 101  98  89   2   2   6
37037 -  2   2   6  78  78  78 116 116 116  58  58  58
37038 -  2   2   6  22  22  22  90  90  90  46  46  46
37039 - 18  18  18   6   6   6   0   0   0   0   0   0
37040 -  0   0   0   0   0   0   0   0   0   0   0   0
37041 -  0   0   0   0   0   0   0   0   0   0   0   0
37042 -  0   0   0   0   0   0   0   0   0   0   0   0
37043 -  0   0   0   0   0   0   0   0   0   0   0   0
37044 -  0   0   0   0   0   0   0   0   0   0   0   0
37045 -  0   0   0   0   0   0   0   0   0   0   0   0
37046 -  0   0   0   0   0   0   0   0   0   0   0   0
37047 -  0   0   0   0   0   0   0   0   0   0   0   0
37048 -  0   0   0   0   0   0   0   0   0   0   0   0
37049 -  0   0   0   0   0   0   0   0   0   0   0   0
37050 -  0   0   0   0   0   0   0   0   0   0   0   0
37051 -  0   0   0   0   0   0   0   0   0  10  10  10
37052 - 38  38  38  86  86  86  50  50  50   6   6   6
37053 -128 128 128 174 154 114 156 107  11 168 122  10
37054 -198 155  10 184 144  12 197 138  11 200 144  11
37055 -206 145  10 206 145  10 197 138  11 188 164 115
37056 -195 195 195 198 198 198 174 174 174  14  14  14
37057 -  2   2   6  22  22  22 116 116 116 116 116 116
37058 - 22  22  22   2   2   6  74  74  74  70  70  70
37059 - 30  30  30  10  10  10   0   0   0   0   0   0
37060 -  0   0   0   0   0   0   0   0   0   0   0   0
37061 -  0   0   0   0   0   0   0   0   0   0   0   0
37062 -  0   0   0   0   0   0   0   0   0   0   0   0
37063 -  0   0   0   0   0   0   0   0   0   0   0   0
37064 -  0   0   0   0   0   0   0   0   0   0   0   0
37065 -  0   0   0   0   0   0   0   0   0   0   0   0
37066 -  0   0   0   0   0   0   0   0   0   0   0   0
37067 -  0   0   0   0   0   0   0   0   0   0   0   0
37068 -  0   0   0   0   0   0   0   0   0   0   0   0
37069 -  0   0   0   0   0   0   0   0   0   0   0   0
37070 -  0   0   0   0   0   0   0   0   0   0   0   0
37071 -  0   0   0   0   0   0   6   6   6  18  18  18
37072 - 50  50  50 101 101 101  26  26  26  10  10  10
37073 -138 138 138 190 190 190 174 154 114 156 107  11
37074 -197 138  11 200 144  11 197 138  11 192 133   9
37075 -180 123   7 190 142  34 190 178 144 187 187 187
37076 -202 202 202 221 221 221 214 214 214  66  66  66
37077 -  2   2   6   2   2   6  50  50  50  62  62  62
37078 -  6   6   6   2   2   6  10  10  10  90  90  90
37079 - 50  50  50  18  18  18   6   6   6   0   0   0
37080 -  0   0   0   0   0   0   0   0   0   0   0   0
37081 -  0   0   0   0   0   0   0   0   0   0   0   0
37082 -  0   0   0   0   0   0   0   0   0   0   0   0
37083 -  0   0   0   0   0   0   0   0   0   0   0   0
37084 -  0   0   0   0   0   0   0   0   0   0   0   0
37085 -  0   0   0   0   0   0   0   0   0   0   0   0
37086 -  0   0   0   0   0   0   0   0   0   0   0   0
37087 -  0   0   0   0   0   0   0   0   0   0   0   0
37088 -  0   0   0   0   0   0   0   0   0   0   0   0
37089 -  0   0   0   0   0   0   0   0   0   0   0   0
37090 -  0   0   0   0   0   0   0   0   0   0   0   0
37091 -  0   0   0   0   0   0  10  10  10  34  34  34
37092 - 74  74  74  74  74  74   2   2   6   6   6   6
37093 -144 144 144 198 198 198 190 190 190 178 166 146
37094 -154 121  60 156 107  11 156 107  11 168 124  44
37095 -174 154 114 187 187 187 190 190 190 210 210 210
37096 -246 246 246 253 253 253 253 253 253 182 182 182
37097 -  6   6   6   2   2   6   2   2   6   2   2   6
37098 -  2   2   6   2   2   6   2   2   6  62  62  62
37099 - 74  74  74  34  34  34  14  14  14   0   0   0
37100 -  0   0   0   0   0   0   0   0   0   0   0   0
37101 -  0   0   0   0   0   0   0   0   0   0   0   0
37102 -  0   0   0   0   0   0   0   0   0   0   0   0
37103 -  0   0   0   0   0   0   0   0   0   0   0   0
37104 -  0   0   0   0   0   0   0   0   0   0   0   0
37105 -  0   0   0   0   0   0   0   0   0   0   0   0
37106 -  0   0   0   0   0   0   0   0   0   0   0   0
37107 -  0   0   0   0   0   0   0   0   0   0   0   0
37108 -  0   0   0   0   0   0   0   0   0   0   0   0
37109 -  0   0   0   0   0   0   0   0   0   0   0   0
37110 -  0   0   0   0   0   0   0   0   0   0   0   0
37111 -  0   0   0  10  10  10  22  22  22  54  54  54
37112 - 94  94  94  18  18  18   2   2   6  46  46  46
37113 -234 234 234 221 221 221 190 190 190 190 190 190
37114 -190 190 190 187 187 187 187 187 187 190 190 190
37115 -190 190 190 195 195 195 214 214 214 242 242 242
37116 -253 253 253 253 253 253 253 253 253 253 253 253
37117 - 82  82  82   2   2   6   2   2   6   2   2   6
37118 -  2   2   6   2   2   6   2   2   6  14  14  14
37119 - 86  86  86  54  54  54  22  22  22   6   6   6
37120 -  0   0   0   0   0   0   0   0   0   0   0   0
37121 -  0   0   0   0   0   0   0   0   0   0   0   0
37122 -  0   0   0   0   0   0   0   0   0   0   0   0
37123 -  0   0   0   0   0   0   0   0   0   0   0   0
37124 -  0   0   0   0   0   0   0   0   0   0   0   0
37125 -  0   0   0   0   0   0   0   0   0   0   0   0
37126 -  0   0   0   0   0   0   0   0   0   0   0   0
37127 -  0   0   0   0   0   0   0   0   0   0   0   0
37128 -  0   0   0   0   0   0   0   0   0   0   0   0
37129 -  0   0   0   0   0   0   0   0   0   0   0   0
37130 -  0   0   0   0   0   0   0   0   0   0   0   0
37131 -  6   6   6  18  18  18  46  46  46  90  90  90
37132 - 46  46  46  18  18  18   6   6   6 182 182 182
37133 -253 253 253 246 246 246 206 206 206 190 190 190
37134 -190 190 190 190 190 190 190 190 190 190 190 190
37135 -206 206 206 231 231 231 250 250 250 253 253 253
37136 -253 253 253 253 253 253 253 253 253 253 253 253
37137 -202 202 202  14  14  14   2   2   6   2   2   6
37138 -  2   2   6   2   2   6   2   2   6   2   2   6
37139 - 42  42  42  86  86  86  42  42  42  18  18  18
37140 -  6   6   6   0   0   0   0   0   0   0   0   0
37141 -  0   0   0   0   0   0   0   0   0   0   0   0
37142 -  0   0   0   0   0   0   0   0   0   0   0   0
37143 -  0   0   0   0   0   0   0   0   0   0   0   0
37144 -  0   0   0   0   0   0   0   0   0   0   0   0
37145 -  0   0   0   0   0   0   0   0   0   0   0   0
37146 -  0   0   0   0   0   0   0   0   0   0   0   0
37147 -  0   0   0   0   0   0   0   0   0   0   0   0
37148 -  0   0   0   0   0   0   0   0   0   0   0   0
37149 -  0   0   0   0   0   0   0   0   0   0   0   0
37150 -  0   0   0   0   0   0   0   0   0   6   6   6
37151 - 14  14  14  38  38  38  74  74  74  66  66  66
37152 -  2   2   6   6   6   6  90  90  90 250 250 250
37153 -253 253 253 253 253 253 238 238 238 198 198 198
37154 -190 190 190 190 190 190 195 195 195 221 221 221
37155 -246 246 246 253 253 253 253 253 253 253 253 253
37156 -253 253 253 253 253 253 253 253 253 253 253 253
37157 -253 253 253  82  82  82   2   2   6   2   2   6
37158 -  2   2   6   2   2   6   2   2   6   2   2   6
37159 -  2   2   6  78  78  78  70  70  70  34  34  34
37160 - 14  14  14   6   6   6   0   0   0   0   0   0
37161 -  0   0   0   0   0   0   0   0   0   0   0   0
37162 -  0   0   0   0   0   0   0   0   0   0   0   0
37163 -  0   0   0   0   0   0   0   0   0   0   0   0
37164 -  0   0   0   0   0   0   0   0   0   0   0   0
37165 -  0   0   0   0   0   0   0   0   0   0   0   0
37166 -  0   0   0   0   0   0   0   0   0   0   0   0
37167 -  0   0   0   0   0   0   0   0   0   0   0   0
37168 -  0   0   0   0   0   0   0   0   0   0   0   0
37169 -  0   0   0   0   0   0   0   0   0   0   0   0
37170 -  0   0   0   0   0   0   0   0   0  14  14  14
37171 - 34  34  34  66  66  66  78  78  78   6   6   6
37172 -  2   2   6  18  18  18 218 218 218 253 253 253
37173 -253 253 253 253 253 253 253 253 253 246 246 246
37174 -226 226 226 231 231 231 246 246 246 253 253 253
37175 -253 253 253 253 253 253 253 253 253 253 253 253
37176 -253 253 253 253 253 253 253 253 253 253 253 253
37177 -253 253 253 178 178 178   2   2   6   2   2   6
37178 -  2   2   6   2   2   6   2   2   6   2   2   6
37179 -  2   2   6  18  18  18  90  90  90  62  62  62
37180 - 30  30  30  10  10  10   0   0   0   0   0   0
37181 -  0   0   0   0   0   0   0   0   0   0   0   0
37182 -  0   0   0   0   0   0   0   0   0   0   0   0
37183 -  0   0   0   0   0   0   0   0   0   0   0   0
37184 -  0   0   0   0   0   0   0   0   0   0   0   0
37185 -  0   0   0   0   0   0   0   0   0   0   0   0
37186 -  0   0   0   0   0   0   0   0   0   0   0   0
37187 -  0   0   0   0   0   0   0   0   0   0   0   0
37188 -  0   0   0   0   0   0   0   0   0   0   0   0
37189 -  0   0   0   0   0   0   0   0   0   0   0   0
37190 -  0   0   0   0   0   0  10  10  10  26  26  26
37191 - 58  58  58  90  90  90  18  18  18   2   2   6
37192 -  2   2   6 110 110 110 253 253 253 253 253 253
37193 -253 253 253 253 253 253 253 253 253 253 253 253
37194 -250 250 250 253 253 253 253 253 253 253 253 253
37195 -253 253 253 253 253 253 253 253 253 253 253 253
37196 -253 253 253 253 253 253 253 253 253 253 253 253
37197 -253 253 253 231 231 231  18  18  18   2   2   6
37198 -  2   2   6   2   2   6   2   2   6   2   2   6
37199 -  2   2   6   2   2   6  18  18  18  94  94  94
37200 - 54  54  54  26  26  26  10  10  10   0   0   0
37201 -  0   0   0   0   0   0   0   0   0   0   0   0
37202 -  0   0   0   0   0   0   0   0   0   0   0   0
37203 -  0   0   0   0   0   0   0   0   0   0   0   0
37204 -  0   0   0   0   0   0   0   0   0   0   0   0
37205 -  0   0   0   0   0   0   0   0   0   0   0   0
37206 -  0   0   0   0   0   0   0   0   0   0   0   0
37207 -  0   0   0   0   0   0   0   0   0   0   0   0
37208 -  0   0   0   0   0   0   0   0   0   0   0   0
37209 -  0   0   0   0   0   0   0   0   0   0   0   0
37210 -  0   0   0   6   6   6  22  22  22  50  50  50
37211 - 90  90  90  26  26  26   2   2   6   2   2   6
37212 - 14  14  14 195 195 195 250 250 250 253 253 253
37213 -253 253 253 253 253 253 253 253 253 253 253 253
37214 -253 253 253 253 253 253 253 253 253 253 253 253
37215 -253 253 253 253 253 253 253 253 253 253 253 253
37216 -253 253 253 253 253 253 253 253 253 253 253 253
37217 -250 250 250 242 242 242  54  54  54   2   2   6
37218 -  2   2   6   2   2   6   2   2   6   2   2   6
37219 -  2   2   6   2   2   6   2   2   6  38  38  38
37220 - 86  86  86  50  50  50  22  22  22   6   6   6
37221 -  0   0   0   0   0   0   0   0   0   0   0   0
37222 -  0   0   0   0   0   0   0   0   0   0   0   0
37223 -  0   0   0   0   0   0   0   0   0   0   0   0
37224 -  0   0   0   0   0   0   0   0   0   0   0   0
37225 -  0   0   0   0   0   0   0   0   0   0   0   0
37226 -  0   0   0   0   0   0   0   0   0   0   0   0
37227 -  0   0   0   0   0   0   0   0   0   0   0   0
37228 -  0   0   0   0   0   0   0   0   0   0   0   0
37229 -  0   0   0   0   0   0   0   0   0   0   0   0
37230 -  6   6   6  14  14  14  38  38  38  82  82  82
37231 - 34  34  34   2   2   6   2   2   6   2   2   6
37232 - 42  42  42 195 195 195 246 246 246 253 253 253
37233 -253 253 253 253 253 253 253 253 253 250 250 250
37234 -242 242 242 242 242 242 250 250 250 253 253 253
37235 -253 253 253 253 253 253 253 253 253 253 253 253
37236 -253 253 253 250 250 250 246 246 246 238 238 238
37237 -226 226 226 231 231 231 101 101 101   6   6   6
37238 -  2   2   6   2   2   6   2   2   6   2   2   6
37239 -  2   2   6   2   2   6   2   2   6   2   2   6
37240 - 38  38  38  82  82  82  42  42  42  14  14  14
37241 -  6   6   6   0   0   0   0   0   0   0   0   0
37242 -  0   0   0   0   0   0   0   0   0   0   0   0
37243 -  0   0   0   0   0   0   0   0   0   0   0   0
37244 -  0   0   0   0   0   0   0   0   0   0   0   0
37245 -  0   0   0   0   0   0   0   0   0   0   0   0
37246 -  0   0   0   0   0   0   0   0   0   0   0   0
37247 -  0   0   0   0   0   0   0   0   0   0   0   0
37248 -  0   0   0   0   0   0   0   0   0   0   0   0
37249 -  0   0   0   0   0   0   0   0   0   0   0   0
37250 - 10  10  10  26  26  26  62  62  62  66  66  66
37251 -  2   2   6   2   2   6   2   2   6   6   6   6
37252 - 70  70  70 170 170 170 206 206 206 234 234 234
37253 -246 246 246 250 250 250 250 250 250 238 238 238
37254 -226 226 226 231 231 231 238 238 238 250 250 250
37255 -250 250 250 250 250 250 246 246 246 231 231 231
37256 -214 214 214 206 206 206 202 202 202 202 202 202
37257 -198 198 198 202 202 202 182 182 182  18  18  18
37258 -  2   2   6   2   2   6   2   2   6   2   2   6
37259 -  2   2   6   2   2   6   2   2   6   2   2   6
37260 -  2   2   6  62  62  62  66  66  66  30  30  30
37261 - 10  10  10   0   0   0   0   0   0   0   0   0
37262 -  0   0   0   0   0   0   0   0   0   0   0   0
37263 -  0   0   0   0   0   0   0   0   0   0   0   0
37264 -  0   0   0   0   0   0   0   0   0   0   0   0
37265 -  0   0   0   0   0   0   0   0   0   0   0   0
37266 -  0   0   0   0   0   0   0   0   0   0   0   0
37267 -  0   0   0   0   0   0   0   0   0   0   0   0
37268 -  0   0   0   0   0   0   0   0   0   0   0   0
37269 -  0   0   0   0   0   0   0   0   0   0   0   0
37270 - 14  14  14  42  42  42  82  82  82  18  18  18
37271 -  2   2   6   2   2   6   2   2   6  10  10  10
37272 - 94  94  94 182 182 182 218 218 218 242 242 242
37273 -250 250 250 253 253 253 253 253 253 250 250 250
37274 -234 234 234 253 253 253 253 253 253 253 253 253
37275 -253 253 253 253 253 253 253 253 253 246 246 246
37276 -238 238 238 226 226 226 210 210 210 202 202 202
37277 -195 195 195 195 195 195 210 210 210 158 158 158
37278 -  6   6   6  14  14  14  50  50  50  14  14  14
37279 -  2   2   6   2   2   6   2   2   6   2   2   6
37280 -  2   2   6   6   6   6  86  86  86  46  46  46
37281 - 18  18  18   6   6   6   0   0   0   0   0   0
37282 -  0   0   0   0   0   0   0   0   0   0   0   0
37283 -  0   0   0   0   0   0   0   0   0   0   0   0
37284 -  0   0   0   0   0   0   0   0   0   0   0   0
37285 -  0   0   0   0   0   0   0   0   0   0   0   0
37286 -  0   0   0   0   0   0   0   0   0   0   0   0
37287 -  0   0   0   0   0   0   0   0   0   0   0   0
37288 -  0   0   0   0   0   0   0   0   0   0   0   0
37289 -  0   0   0   0   0   0   0   0   0   6   6   6
37290 - 22  22  22  54  54  54  70  70  70   2   2   6
37291 -  2   2   6  10  10  10   2   2   6  22  22  22
37292 -166 166 166 231 231 231 250 250 250 253 253 253
37293 -253 253 253 253 253 253 253 253 253 250 250 250
37294 -242 242 242 253 253 253 253 253 253 253 253 253
37295 -253 253 253 253 253 253 253 253 253 253 253 253
37296 -253 253 253 253 253 253 253 253 253 246 246 246
37297 -231 231 231 206 206 206 198 198 198 226 226 226
37298 - 94  94  94   2   2   6   6   6   6  38  38  38
37299 - 30  30  30   2   2   6   2   2   6   2   2   6
37300 -  2   2   6   2   2   6  62  62  62  66  66  66
37301 - 26  26  26  10  10  10   0   0   0   0   0   0
37302 -  0   0   0   0   0   0   0   0   0   0   0   0
37303 -  0   0   0   0   0   0   0   0   0   0   0   0
37304 -  0   0   0   0   0   0   0   0   0   0   0   0
37305 -  0   0   0   0   0   0   0   0   0   0   0   0
37306 -  0   0   0   0   0   0   0   0   0   0   0   0
37307 -  0   0   0   0   0   0   0   0   0   0   0   0
37308 -  0   0   0   0   0   0   0   0   0   0   0   0
37309 -  0   0   0   0   0   0   0   0   0  10  10  10
37310 - 30  30  30  74  74  74  50  50  50   2   2   6
37311 - 26  26  26  26  26  26   2   2   6 106 106 106
37312 -238 238 238 253 253 253 253 253 253 253 253 253
37313 -253 253 253 253 253 253 253 253 253 253 253 253
37314 -253 253 253 253 253 253 253 253 253 253 253 253
37315 -253 253 253 253 253 253 253 253 253 253 253 253
37316 -253 253 253 253 253 253 253 253 253 253 253 253
37317 -253 253 253 246 246 246 218 218 218 202 202 202
37318 -210 210 210  14  14  14   2   2   6   2   2   6
37319 - 30  30  30  22  22  22   2   2   6   2   2   6
37320 -  2   2   6   2   2   6  18  18  18  86  86  86
37321 - 42  42  42  14  14  14   0   0   0   0   0   0
37322 -  0   0   0   0   0   0   0   0   0   0   0   0
37323 -  0   0   0   0   0   0   0   0   0   0   0   0
37324 -  0   0   0   0   0   0   0   0   0   0   0   0
37325 -  0   0   0   0   0   0   0   0   0   0   0   0
37326 -  0   0   0   0   0   0   0   0   0   0   0   0
37327 -  0   0   0   0   0   0   0   0   0   0   0   0
37328 -  0   0   0   0   0   0   0   0   0   0   0   0
37329 -  0   0   0   0   0   0   0   0   0  14  14  14
37330 - 42  42  42  90  90  90  22  22  22   2   2   6
37331 - 42  42  42   2   2   6  18  18  18 218 218 218
37332 -253 253 253 253 253 253 253 253 253 253 253 253
37333 -253 253 253 253 253 253 253 253 253 253 253 253
37334 -253 253 253 253 253 253 253 253 253 253 253 253
37335 -253 253 253 253 253 253 253 253 253 253 253 253
37336 -253 253 253 253 253 253 253 253 253 253 253 253
37337 -253 253 253 253 253 253 250 250 250 221 221 221
37338 -218 218 218 101 101 101   2   2   6  14  14  14
37339 - 18  18  18  38  38  38  10  10  10   2   2   6
37340 -  2   2   6   2   2   6   2   2   6  78  78  78
37341 - 58  58  58  22  22  22   6   6   6   0   0   0
37342 -  0   0   0   0   0   0   0   0   0   0   0   0
37343 -  0   0   0   0   0   0   0   0   0   0   0   0
37344 -  0   0   0   0   0   0   0   0   0   0   0   0
37345 -  0   0   0   0   0   0   0   0   0   0   0   0
37346 -  0   0   0   0   0   0   0   0   0   0   0   0
37347 -  0   0   0   0   0   0   0   0   0   0   0   0
37348 -  0   0   0   0   0   0   0   0   0   0   0   0
37349 -  0   0   0   0   0   0   6   6   6  18  18  18
37350 - 54  54  54  82  82  82   2   2   6  26  26  26
37351 - 22  22  22   2   2   6 123 123 123 253 253 253
37352 -253 253 253 253 253 253 253 253 253 253 253 253
37353 -253 253 253 253 253 253 253 253 253 253 253 253
37354 -253 253 253 253 253 253 253 253 253 253 253 253
37355 -253 253 253 253 253 253 253 253 253 253 253 253
37356 -253 253 253 253 253 253 253 253 253 253 253 253
37357 -253 253 253 253 253 253 253 253 253 250 250 250
37358 -238 238 238 198 198 198   6   6   6  38  38  38
37359 - 58  58  58  26  26  26  38  38  38   2   2   6
37360 -  2   2   6   2   2   6   2   2   6  46  46  46
37361 - 78  78  78  30  30  30  10  10  10   0   0   0
37362 -  0   0   0   0   0   0   0   0   0   0   0   0
37363 -  0   0   0   0   0   0   0   0   0   0   0   0
37364 -  0   0   0   0   0   0   0   0   0   0   0   0
37365 -  0   0   0   0   0   0   0   0   0   0   0   0
37366 -  0   0   0   0   0   0   0   0   0   0   0   0
37367 -  0   0   0   0   0   0   0   0   0   0   0   0
37368 -  0   0   0   0   0   0   0   0   0   0   0   0
37369 -  0   0   0   0   0   0  10  10  10  30  30  30
37370 - 74  74  74  58  58  58   2   2   6  42  42  42
37371 -  2   2   6  22  22  22 231 231 231 253 253 253
37372 -253 253 253 253 253 253 253 253 253 253 253 253
37373 -253 253 253 253 253 253 253 253 253 250 250 250
37374 -253 253 253 253 253 253 253 253 253 253 253 253
37375 -253 253 253 253 253 253 253 253 253 253 253 253
37376 -253 253 253 253 253 253 253 253 253 253 253 253
37377 -253 253 253 253 253 253 253 253 253 253 253 253
37378 -253 253 253 246 246 246  46  46  46  38  38  38
37379 - 42  42  42  14  14  14  38  38  38  14  14  14
37380 -  2   2   6   2   2   6   2   2   6   6   6   6
37381 - 86  86  86  46  46  46  14  14  14   0   0   0
37382 -  0   0   0   0   0   0   0   0   0   0   0   0
37383 -  0   0   0   0   0   0   0   0   0   0   0   0
37384 -  0   0   0   0   0   0   0   0   0   0   0   0
37385 -  0   0   0   0   0   0   0   0   0   0   0   0
37386 -  0   0   0   0   0   0   0   0   0   0   0   0
37387 -  0   0   0   0   0   0   0   0   0   0   0   0
37388 -  0   0   0   0   0   0   0   0   0   0   0   0
37389 -  0   0   0   6   6   6  14  14  14  42  42  42
37390 - 90  90  90  18  18  18  18  18  18  26  26  26
37391 -  2   2   6 116 116 116 253 253 253 253 253 253
37392 -253 253 253 253 253 253 253 253 253 253 253 253
37393 -253 253 253 253 253 253 250 250 250 238 238 238
37394 -253 253 253 253 253 253 253 253 253 253 253 253
37395 -253 253 253 253 253 253 253 253 253 253 253 253
37396 -253 253 253 253 253 253 253 253 253 253 253 253
37397 -253 253 253 253 253 253 253 253 253 253 253 253
37398 -253 253 253 253 253 253  94  94  94   6   6   6
37399 -  2   2   6   2   2   6  10  10  10  34  34  34
37400 -  2   2   6   2   2   6   2   2   6   2   2   6
37401 - 74  74  74  58  58  58  22  22  22   6   6   6
37402 -  0   0   0   0   0   0   0   0   0   0   0   0
37403 -  0   0   0   0   0   0   0   0   0   0   0   0
37404 -  0   0   0   0   0   0   0   0   0   0   0   0
37405 -  0   0   0   0   0   0   0   0   0   0   0   0
37406 -  0   0   0   0   0   0   0   0   0   0   0   0
37407 -  0   0   0   0   0   0   0   0   0   0   0   0
37408 -  0   0   0   0   0   0   0   0   0   0   0   0
37409 -  0   0   0  10  10  10  26  26  26  66  66  66
37410 - 82  82  82   2   2   6  38  38  38   6   6   6
37411 - 14  14  14 210 210 210 253 253 253 253 253 253
37412 -253 253 253 253 253 253 253 253 253 253 253 253
37413 -253 253 253 253 253 253 246 246 246 242 242 242
37414 -253 253 253 253 253 253 253 253 253 253 253 253
37415 -253 253 253 253 253 253 253 253 253 253 253 253
37416 -253 253 253 253 253 253 253 253 253 253 253 253
37417 -253 253 253 253 253 253 253 253 253 253 253 253
37418 -253 253 253 253 253 253 144 144 144   2   2   6
37419 -  2   2   6   2   2   6   2   2   6  46  46  46
37420 -  2   2   6   2   2   6   2   2   6   2   2   6
37421 - 42  42  42  74  74  74  30  30  30  10  10  10
37422 -  0   0   0   0   0   0   0   0   0   0   0   0
37423 -  0   0   0   0   0   0   0   0   0   0   0   0
37424 -  0   0   0   0   0   0   0   0   0   0   0   0
37425 -  0   0   0   0   0   0   0   0   0   0   0   0
37426 -  0   0   0   0   0   0   0   0   0   0   0   0
37427 -  0   0   0   0   0   0   0   0   0   0   0   0
37428 -  0   0   0   0   0   0   0   0   0   0   0   0
37429 -  6   6   6  14  14  14  42  42  42  90  90  90
37430 - 26  26  26   6   6   6  42  42  42   2   2   6
37431 - 74  74  74 250 250 250 253 253 253 253 253 253
37432 -253 253 253 253 253 253 253 253 253 253 253 253
37433 -253 253 253 253 253 253 242 242 242 242 242 242
37434 -253 253 253 253 253 253 253 253 253 253 253 253
37435 -253 253 253 253 253 253 253 253 253 253 253 253
37436 -253 253 253 253 253 253 253 253 253 253 253 253
37437 -253 253 253 253 253 253 253 253 253 253 253 253
37438 -253 253 253 253 253 253 182 182 182   2   2   6
37439 -  2   2   6   2   2   6   2   2   6  46  46  46
37440 -  2   2   6   2   2   6   2   2   6   2   2   6
37441 - 10  10  10  86  86  86  38  38  38  10  10  10
37442 -  0   0   0   0   0   0   0   0   0   0   0   0
37443 -  0   0   0   0   0   0   0   0   0   0   0   0
37444 -  0   0   0   0   0   0   0   0   0   0   0   0
37445 -  0   0   0   0   0   0   0   0   0   0   0   0
37446 -  0   0   0   0   0   0   0   0   0   0   0   0
37447 -  0   0   0   0   0   0   0   0   0   0   0   0
37448 -  0   0   0   0   0   0   0   0   0   0   0   0
37449 - 10  10  10  26  26  26  66  66  66  82  82  82
37450 -  2   2   6  22  22  22  18  18  18   2   2   6
37451 -149 149 149 253 253 253 253 253 253 253 253 253
37452 -253 253 253 253 253 253 253 253 253 253 253 253
37453 -253 253 253 253 253 253 234 234 234 242 242 242
37454 -253 253 253 253 253 253 253 253 253 253 253 253
37455 -253 253 253 253 253 253 253 253 253 253 253 253
37456 -253 253 253 253 253 253 253 253 253 253 253 253
37457 -253 253 253 253 253 253 253 253 253 253 253 253
37458 -253 253 253 253 253 253 206 206 206   2   2   6
37459 -  2   2   6   2   2   6   2   2   6  38  38  38
37460 -  2   2   6   2   2   6   2   2   6   2   2   6
37461 -  6   6   6  86  86  86  46  46  46  14  14  14
37462 -  0   0   0   0   0   0   0   0   0   0   0   0
37463 -  0   0   0   0   0   0   0   0   0   0   0   0
37464 -  0   0   0   0   0   0   0   0   0   0   0   0
37465 -  0   0   0   0   0   0   0   0   0   0   0   0
37466 -  0   0   0   0   0   0   0   0   0   0   0   0
37467 -  0   0   0   0   0   0   0   0   0   0   0   0
37468 -  0   0   0   0   0   0   0   0   0   6   6   6
37469 - 18  18  18  46  46  46  86  86  86  18  18  18
37470 -  2   2   6  34  34  34  10  10  10   6   6   6
37471 -210 210 210 253 253 253 253 253 253 253 253 253
37472 -253 253 253 253 253 253 253 253 253 253 253 253
37473 -253 253 253 253 253 253 234 234 234 242 242 242
37474 -253 253 253 253 253 253 253 253 253 253 253 253
37475 -253 253 253 253 253 253 253 253 253 253 253 253
37476 -253 253 253 253 253 253 253 253 253 253 253 253
37477 -253 253 253 253 253 253 253 253 253 253 253 253
37478 -253 253 253 253 253 253 221 221 221   6   6   6
37479 -  2   2   6   2   2   6   6   6   6  30  30  30
37480 -  2   2   6   2   2   6   2   2   6   2   2   6
37481 -  2   2   6  82  82  82  54  54  54  18  18  18
37482 -  6   6   6   0   0   0   0   0   0   0   0   0
37483 -  0   0   0   0   0   0   0   0   0   0   0   0
37484 -  0   0   0   0   0   0   0   0   0   0   0   0
37485 -  0   0   0   0   0   0   0   0   0   0   0   0
37486 -  0   0   0   0   0   0   0   0   0   0   0   0
37487 -  0   0   0   0   0   0   0   0   0   0   0   0
37488 -  0   0   0   0   0   0   0   0   0  10  10  10
37489 - 26  26  26  66  66  66  62  62  62   2   2   6
37490 -  2   2   6  38  38  38  10  10  10  26  26  26
37491 -238 238 238 253 253 253 253 253 253 253 253 253
37492 -253 253 253 253 253 253 253 253 253 253 253 253
37493 -253 253 253 253 253 253 231 231 231 238 238 238
37494 -253 253 253 253 253 253 253 253 253 253 253 253
37495 -253 253 253 253 253 253 253 253 253 253 253 253
37496 -253 253 253 253 253 253 253 253 253 253 253 253
37497 -253 253 253 253 253 253 253 253 253 253 253 253
37498 -253 253 253 253 253 253 231 231 231   6   6   6
37499 -  2   2   6   2   2   6  10  10  10  30  30  30
37500 -  2   2   6   2   2   6   2   2   6   2   2   6
37501 -  2   2   6  66  66  66  58  58  58  22  22  22
37502 -  6   6   6   0   0   0   0   0   0   0   0   0
37503 -  0   0   0   0   0   0   0   0   0   0   0   0
37504 -  0   0   0   0   0   0   0   0   0   0   0   0
37505 -  0   0   0   0   0   0   0   0   0   0   0   0
37506 -  0   0   0   0   0   0   0   0   0   0   0   0
37507 -  0   0   0   0   0   0   0   0   0   0   0   0
37508 -  0   0   0   0   0   0   0   0   0  10  10  10
37509 - 38  38  38  78  78  78   6   6   6   2   2   6
37510 -  2   2   6  46  46  46  14  14  14  42  42  42
37511 -246 246 246 253 253 253 253 253 253 253 253 253
37512 -253 253 253 253 253 253 253 253 253 253 253 253
37513 -253 253 253 253 253 253 231 231 231 242 242 242
37514 -253 253 253 253 253 253 253 253 253 253 253 253
37515 -253 253 253 253 253 253 253 253 253 253 253 253
37516 -253 253 253 253 253 253 253 253 253 253 253 253
37517 -253 253 253 253 253 253 253 253 253 253 253 253
37518 -253 253 253 253 253 253 234 234 234  10  10  10
37519 -  2   2   6   2   2   6  22  22  22  14  14  14
37520 -  2   2   6   2   2   6   2   2   6   2   2   6
37521 -  2   2   6  66  66  66  62  62  62  22  22  22
37522 -  6   6   6   0   0   0   0   0   0   0   0   0
37523 -  0   0   0   0   0   0   0   0   0   0   0   0
37524 -  0   0   0   0   0   0   0   0   0   0   0   0
37525 -  0   0   0   0   0   0   0   0   0   0   0   0
37526 -  0   0   0   0   0   0   0   0   0   0   0   0
37527 -  0   0   0   0   0   0   0   0   0   0   0   0
37528 -  0   0   0   0   0   0   6   6   6  18  18  18
37529 - 50  50  50  74  74  74   2   2   6   2   2   6
37530 - 14  14  14  70  70  70  34  34  34  62  62  62
37531 -250 250 250 253 253 253 253 253 253 253 253 253
37532 -253 253 253 253 253 253 253 253 253 253 253 253
37533 -253 253 253 253 253 253 231 231 231 246 246 246
37534 -253 253 253 253 253 253 253 253 253 253 253 253
37535 -253 253 253 253 253 253 253 253 253 253 253 253
37536 -253 253 253 253 253 253 253 253 253 253 253 253
37537 -253 253 253 253 253 253 253 253 253 253 253 253
37538 -253 253 253 253 253 253 234 234 234  14  14  14
37539 -  2   2   6   2   2   6  30  30  30   2   2   6
37540 -  2   2   6   2   2   6   2   2   6   2   2   6
37541 -  2   2   6  66  66  66  62  62  62  22  22  22
37542 -  6   6   6   0   0   0   0   0   0   0   0   0
37543 -  0   0   0   0   0   0   0   0   0   0   0   0
37544 -  0   0   0   0   0   0   0   0   0   0   0   0
37545 -  0   0   0   0   0   0   0   0   0   0   0   0
37546 -  0   0   0   0   0   0   0   0   0   0   0   0
37547 -  0   0   0   0   0   0   0   0   0   0   0   0
37548 -  0   0   0   0   0   0   6   6   6  18  18  18
37549 - 54  54  54  62  62  62   2   2   6   2   2   6
37550 -  2   2   6  30  30  30  46  46  46  70  70  70
37551 -250 250 250 253 253 253 253 253 253 253 253 253
37552 -253 253 253 253 253 253 253 253 253 253 253 253
37553 -253 253 253 253 253 253 231 231 231 246 246 246
37554 -253 253 253 253 253 253 253 253 253 253 253 253
37555 -253 253 253 253 253 253 253 253 253 253 253 253
37556 -253 253 253 253 253 253 253 253 253 253 253 253
37557 -253 253 253 253 253 253 253 253 253 253 253 253
37558 -253 253 253 253 253 253 226 226 226  10  10  10
37559 -  2   2   6   6   6   6  30  30  30   2   2   6
37560 -  2   2   6   2   2   6   2   2   6   2   2   6
37561 -  2   2   6  66  66  66  58  58  58  22  22  22
37562 -  6   6   6   0   0   0   0   0   0   0   0   0
37563 -  0   0   0   0   0   0   0   0   0   0   0   0
37564 -  0   0   0   0   0   0   0   0   0   0   0   0
37565 -  0   0   0   0   0   0   0   0   0   0   0   0
37566 -  0   0   0   0   0   0   0   0   0   0   0   0
37567 -  0   0   0   0   0   0   0   0   0   0   0   0
37568 -  0   0   0   0   0   0   6   6   6  22  22  22
37569 - 58  58  58  62  62  62   2   2   6   2   2   6
37570 -  2   2   6   2   2   6  30  30  30  78  78  78
37571 -250 250 250 253 253 253 253 253 253 253 253 253
37572 -253 253 253 253 253 253 253 253 253 253 253 253
37573 -253 253 253 253 253 253 231 231 231 246 246 246
37574 -253 253 253 253 253 253 253 253 253 253 253 253
37575 -253 253 253 253 253 253 253 253 253 253 253 253
37576 -253 253 253 253 253 253 253 253 253 253 253 253
37577 -253 253 253 253 253 253 253 253 253 253 253 253
37578 -253 253 253 253 253 253 206 206 206   2   2   6
37579 - 22  22  22  34  34  34  18  14   6  22  22  22
37580 - 26  26  26  18  18  18   6   6   6   2   2   6
37581 -  2   2   6  82  82  82  54  54  54  18  18  18
37582 -  6   6   6   0   0   0   0   0   0   0   0   0
37583 -  0   0   0   0   0   0   0   0   0   0   0   0
37584 -  0   0   0   0   0   0   0   0   0   0   0   0
37585 -  0   0   0   0   0   0   0   0   0   0   0   0
37586 -  0   0   0   0   0   0   0   0   0   0   0   0
37587 -  0   0   0   0   0   0   0   0   0   0   0   0
37588 -  0   0   0   0   0   0   6   6   6  26  26  26
37589 - 62  62  62 106 106 106  74  54  14 185 133  11
37590 -210 162  10 121  92   8   6   6   6  62  62  62
37591 -238 238 238 253 253 253 253 253 253 253 253 253
37592 -253 253 253 253 253 253 253 253 253 253 253 253
37593 -253 253 253 253 253 253 231 231 231 246 246 246
37594 -253 253 253 253 253 253 253 253 253 253 253 253
37595 -253 253 253 253 253 253 253 253 253 253 253 253
37596 -253 253 253 253 253 253 253 253 253 253 253 253
37597 -253 253 253 253 253 253 253 253 253 253 253 253
37598 -253 253 253 253 253 253 158 158 158  18  18  18
37599 - 14  14  14   2   2   6   2   2   6   2   2   6
37600 -  6   6   6  18  18  18  66  66  66  38  38  38
37601 -  6   6   6  94  94  94  50  50  50  18  18  18
37602 -  6   6   6   0   0   0   0   0   0   0   0   0
37603 -  0   0   0   0   0   0   0   0   0   0   0   0
37604 -  0   0   0   0   0   0   0   0   0   0   0   0
37605 -  0   0   0   0   0   0   0   0   0   0   0   0
37606 -  0   0   0   0   0   0   0   0   0   0   0   0
37607 -  0   0   0   0   0   0   0   0   0   6   6   6
37608 - 10  10  10  10  10  10  18  18  18  38  38  38
37609 - 78  78  78 142 134 106 216 158  10 242 186  14
37610 -246 190  14 246 190  14 156 118  10  10  10  10
37611 - 90  90  90 238 238 238 253 253 253 253 253 253
37612 -253 253 253 253 253 253 253 253 253 253 253 253
37613 -253 253 253 253 253 253 231 231 231 250 250 250
37614 -253 253 253 253 253 253 253 253 253 253 253 253
37615 -253 253 253 253 253 253 253 253 253 253 253 253
37616 -253 253 253 253 253 253 253 253 253 253 253 253
37617 -253 253 253 253 253 253 253 253 253 246 230 190
37618 -238 204  91 238 204  91 181 142  44  37  26   9
37619 -  2   2   6   2   2   6   2   2   6   2   2   6
37620 -  2   2   6   2   2   6  38  38  38  46  46  46
37621 - 26  26  26 106 106 106  54  54  54  18  18  18
37622 -  6   6   6   0   0   0   0   0   0   0   0   0
37623 -  0   0   0   0   0   0   0   0   0   0   0   0
37624 -  0   0   0   0   0   0   0   0   0   0   0   0
37625 -  0   0   0   0   0   0   0   0   0   0   0   0
37626 -  0   0   0   0   0   0   0   0   0   0   0   0
37627 -  0   0   0   6   6   6  14  14  14  22  22  22
37628 - 30  30  30  38  38  38  50  50  50  70  70  70
37629 -106 106 106 190 142  34 226 170  11 242 186  14
37630 -246 190  14 246 190  14 246 190  14 154 114  10
37631 -  6   6   6  74  74  74 226 226 226 253 253 253
37632 -253 253 253 253 253 253 253 253 253 253 253 253
37633 -253 253 253 253 253 253 231 231 231 250 250 250
37634 -253 253 253 253 253 253 253 253 253 253 253 253
37635 -253 253 253 253 253 253 253 253 253 253 253 253
37636 -253 253 253 253 253 253 253 253 253 253 253 253
37637 -253 253 253 253 253 253 253 253 253 228 184  62
37638 -241 196  14 241 208  19 232 195  16  38  30  10
37639 -  2   2   6   2   2   6   2   2   6   2   2   6
37640 -  2   2   6   6   6   6  30  30  30  26  26  26
37641 -203 166  17 154 142  90  66  66  66  26  26  26
37642 -  6   6   6   0   0   0   0   0   0   0   0   0
37643 -  0   0   0   0   0   0   0   0   0   0   0   0
37644 -  0   0   0   0   0   0   0   0   0   0   0   0
37645 -  0   0   0   0   0   0   0   0   0   0   0   0
37646 -  0   0   0   0   0   0   0   0   0   0   0   0
37647 -  6   6   6  18  18  18  38  38  38  58  58  58
37648 - 78  78  78  86  86  86 101 101 101 123 123 123
37649 -175 146  61 210 150  10 234 174  13 246 186  14
37650 -246 190  14 246 190  14 246 190  14 238 190  10
37651 -102  78  10   2   2   6  46  46  46 198 198 198
37652 -253 253 253 253 253 253 253 253 253 253 253 253
37653 -253 253 253 253 253 253 234 234 234 242 242 242
37654 -253 253 253 253 253 253 253 253 253 253 253 253
37655 -253 253 253 253 253 253 253 253 253 253 253 253
37656 -253 253 253 253 253 253 253 253 253 253 253 253
37657 -253 253 253 253 253 253 253 253 253 224 178  62
37658 -242 186  14 241 196  14 210 166  10  22  18   6
37659 -  2   2   6   2   2   6   2   2   6   2   2   6
37660 -  2   2   6   2   2   6   6   6   6 121  92   8
37661 -238 202  15 232 195  16  82  82  82  34  34  34
37662 - 10  10  10   0   0   0   0   0   0   0   0   0
37663 -  0   0   0   0   0   0   0   0   0   0   0   0
37664 -  0   0   0   0   0   0   0   0   0   0   0   0
37665 -  0   0   0   0   0   0   0   0   0   0   0   0
37666 -  0   0   0   0   0   0   0   0   0   0   0   0
37667 - 14  14  14  38  38  38  70  70  70 154 122  46
37668 -190 142  34 200 144  11 197 138  11 197 138  11
37669 -213 154  11 226 170  11 242 186  14 246 190  14
37670 -246 190  14 246 190  14 246 190  14 246 190  14
37671 -225 175  15  46  32   6   2   2   6  22  22  22
37672 -158 158 158 250 250 250 253 253 253 253 253 253
37673 -253 253 253 253 253 253 253 253 253 253 253 253
37674 -253 253 253 253 253 253 253 253 253 253 253 253
37675 -253 253 253 253 253 253 253 253 253 253 253 253
37676 -253 253 253 253 253 253 253 253 253 253 253 253
37677 -253 253 253 250 250 250 242 242 242 224 178  62
37678 -239 182  13 236 186  11 213 154  11  46  32   6
37679 -  2   2   6   2   2   6   2   2   6   2   2   6
37680 -  2   2   6   2   2   6  61  42   6 225 175  15
37681 -238 190  10 236 186  11 112 100  78  42  42  42
37682 - 14  14  14   0   0   0   0   0   0   0   0   0
37683 -  0   0   0   0   0   0   0   0   0   0   0   0
37684 -  0   0   0   0   0   0   0   0   0   0   0   0
37685 -  0   0   0   0   0   0   0   0   0   0   0   0
37686 -  0   0   0   0   0   0   0   0   0   6   6   6
37687 - 22  22  22  54  54  54 154 122  46 213 154  11
37688 -226 170  11 230 174  11 226 170  11 226 170  11
37689 -236 178  12 242 186  14 246 190  14 246 190  14
37690 -246 190  14 246 190  14 246 190  14 246 190  14
37691 -241 196  14 184 144  12  10  10  10   2   2   6
37692 -  6   6   6 116 116 116 242 242 242 253 253 253
37693 -253 253 253 253 253 253 253 253 253 253 253 253
37694 -253 253 253 253 253 253 253 253 253 253 253 253
37695 -253 253 253 253 253 253 253 253 253 253 253 253
37696 -253 253 253 253 253 253 253 253 253 253 253 253
37697 -253 253 253 231 231 231 198 198 198 214 170  54
37698 -236 178  12 236 178  12 210 150  10 137  92   6
37699 - 18  14   6   2   2   6   2   2   6   2   2   6
37700 -  6   6   6  70  47   6 200 144  11 236 178  12
37701 -239 182  13 239 182  13 124 112  88  58  58  58
37702 - 22  22  22   6   6   6   0   0   0   0   0   0
37703 -  0   0   0   0   0   0   0   0   0   0   0   0
37704 -  0   0   0   0   0   0   0   0   0   0   0   0
37705 -  0   0   0   0   0   0   0   0   0   0   0   0
37706 -  0   0   0   0   0   0   0   0   0  10  10  10
37707 - 30  30  30  70  70  70 180 133  36 226 170  11
37708 -239 182  13 242 186  14 242 186  14 246 186  14
37709 -246 190  14 246 190  14 246 190  14 246 190  14
37710 -246 190  14 246 190  14 246 190  14 246 190  14
37711 -246 190  14 232 195  16  98  70   6   2   2   6
37712 -  2   2   6   2   2   6  66  66  66 221 221 221
37713 -253 253 253 253 253 253 253 253 253 253 253 253
37714 -253 253 253 253 253 253 253 253 253 253 253 253
37715 -253 253 253 253 253 253 253 253 253 253 253 253
37716 -253 253 253 253 253 253 253 253 253 253 253 253
37717 -253 253 253 206 206 206 198 198 198 214 166  58
37718 -230 174  11 230 174  11 216 158  10 192 133   9
37719 -163 110   8 116  81   8 102  78  10 116  81   8
37720 -167 114   7 197 138  11 226 170  11 239 182  13
37721 -242 186  14 242 186  14 162 146  94  78  78  78
37722 - 34  34  34  14  14  14   6   6   6   0   0   0
37723 -  0   0   0   0   0   0   0   0   0   0   0   0
37724 -  0   0   0   0   0   0   0   0   0   0   0   0
37725 -  0   0   0   0   0   0   0   0   0   0   0   0
37726 -  0   0   0   0   0   0   0   0   0   6   6   6
37727 - 30  30  30  78  78  78 190 142  34 226 170  11
37728 -239 182  13 246 190  14 246 190  14 246 190  14
37729 -246 190  14 246 190  14 246 190  14 246 190  14
37730 -246 190  14 246 190  14 246 190  14 246 190  14
37731 -246 190  14 241 196  14 203 166  17  22  18   6
37732 -  2   2   6   2   2   6   2   2   6  38  38  38
37733 -218 218 218 253 253 253 253 253 253 253 253 253
37734 -253 253 253 253 253 253 253 253 253 253 253 253
37735 -253 253 253 253 253 253 253 253 253 253 253 253
37736 -253 253 253 253 253 253 253 253 253 253 253 253
37737 -250 250 250 206 206 206 198 198 198 202 162  69
37738 -226 170  11 236 178  12 224 166  10 210 150  10
37739 -200 144  11 197 138  11 192 133   9 197 138  11
37740 -210 150  10 226 170  11 242 186  14 246 190  14
37741 -246 190  14 246 186  14 225 175  15 124 112  88
37742 - 62  62  62  30  30  30  14  14  14   6   6   6
37743 -  0   0   0   0   0   0   0   0   0   0   0   0
37744 -  0   0   0   0   0   0   0   0   0   0   0   0
37745 -  0   0   0   0   0   0   0   0   0   0   0   0
37746 -  0   0   0   0   0   0   0   0   0  10  10  10
37747 - 30  30  30  78  78  78 174 135  50 224 166  10
37748 -239 182  13 246 190  14 246 190  14 246 190  14
37749 -246 190  14 246 190  14 246 190  14 246 190  14
37750 -246 190  14 246 190  14 246 190  14 246 190  14
37751 -246 190  14 246 190  14 241 196  14 139 102  15
37752 -  2   2   6   2   2   6   2   2   6   2   2   6
37753 - 78  78  78 250 250 250 253 253 253 253 253 253
37754 -253 253 253 253 253 253 253 253 253 253 253 253
37755 -253 253 253 253 253 253 253 253 253 253 253 253
37756 -253 253 253 253 253 253 253 253 253 253 253 253
37757 -250 250 250 214 214 214 198 198 198 190 150  46
37758 -219 162  10 236 178  12 234 174  13 224 166  10
37759 -216 158  10 213 154  11 213 154  11 216 158  10
37760 -226 170  11 239 182  13 246 190  14 246 190  14
37761 -246 190  14 246 190  14 242 186  14 206 162  42
37762 -101 101 101  58  58  58  30  30  30  14  14  14
37763 -  6   6   6   0   0   0   0   0   0   0   0   0
37764 -  0   0   0   0   0   0   0   0   0   0   0   0
37765 -  0   0   0   0   0   0   0   0   0   0   0   0
37766 -  0   0   0   0   0   0   0   0   0  10  10  10
37767 - 30  30  30  74  74  74 174 135  50 216 158  10
37768 -236 178  12 246 190  14 246 190  14 246 190  14
37769 -246 190  14 246 190  14 246 190  14 246 190  14
37770 -246 190  14 246 190  14 246 190  14 246 190  14
37771 -246 190  14 246 190  14 241 196  14 226 184  13
37772 - 61  42   6   2   2   6   2   2   6   2   2   6
37773 - 22  22  22 238 238 238 253 253 253 253 253 253
37774 -253 253 253 253 253 253 253 253 253 253 253 253
37775 -253 253 253 253 253 253 253 253 253 253 253 253
37776 -253 253 253 253 253 253 253 253 253 253 253 253
37777 -253 253 253 226 226 226 187 187 187 180 133  36
37778 -216 158  10 236 178  12 239 182  13 236 178  12
37779 -230 174  11 226 170  11 226 170  11 230 174  11
37780 -236 178  12 242 186  14 246 190  14 246 190  14
37781 -246 190  14 246 190  14 246 186  14 239 182  13
37782 -206 162  42 106 106 106  66  66  66  34  34  34
37783 - 14  14  14   6   6   6   0   0   0   0   0   0
37784 -  0   0   0   0   0   0   0   0   0   0   0   0
37785 -  0   0   0   0   0   0   0   0   0   0   0   0
37786 -  0   0   0   0   0   0   0   0   0   6   6   6
37787 - 26  26  26  70  70  70 163 133  67 213 154  11
37788 -236 178  12 246 190  14 246 190  14 246 190  14
37789 -246 190  14 246 190  14 246 190  14 246 190  14
37790 -246 190  14 246 190  14 246 190  14 246 190  14
37791 -246 190  14 246 190  14 246 190  14 241 196  14
37792 -190 146  13  18  14   6   2   2   6   2   2   6
37793 - 46  46  46 246 246 246 253 253 253 253 253 253
37794 -253 253 253 253 253 253 253 253 253 253 253 253
37795 -253 253 253 253 253 253 253 253 253 253 253 253
37796 -253 253 253 253 253 253 253 253 253 253 253 253
37797 -253 253 253 221 221 221  86  86  86 156 107  11
37798 -216 158  10 236 178  12 242 186  14 246 186  14
37799 -242 186  14 239 182  13 239 182  13 242 186  14
37800 -242 186  14 246 186  14 246 190  14 246 190  14
37801 -246 190  14 246 190  14 246 190  14 246 190  14
37802 -242 186  14 225 175  15 142 122  72  66  66  66
37803 - 30  30  30  10  10  10   0   0   0   0   0   0
37804 -  0   0   0   0   0   0   0   0   0   0   0   0
37805 -  0   0   0   0   0   0   0   0   0   0   0   0
37806 -  0   0   0   0   0   0   0   0   0   6   6   6
37807 - 26  26  26  70  70  70 163 133  67 210 150  10
37808 -236 178  12 246 190  14 246 190  14 246 190  14
37809 -246 190  14 246 190  14 246 190  14 246 190  14
37810 -246 190  14 246 190  14 246 190  14 246 190  14
37811 -246 190  14 246 190  14 246 190  14 246 190  14
37812 -232 195  16 121  92   8  34  34  34 106 106 106
37813 -221 221 221 253 253 253 253 253 253 253 253 253
37814 -253 253 253 253 253 253 253 253 253 253 253 253
37815 -253 253 253 253 253 253 253 253 253 253 253 253
37816 -253 253 253 253 253 253 253 253 253 253 253 253
37817 -242 242 242  82  82  82  18  14   6 163 110   8
37818 -216 158  10 236 178  12 242 186  14 246 190  14
37819 -246 190  14 246 190  14 246 190  14 246 190  14
37820 -246 190  14 246 190  14 246 190  14 246 190  14
37821 -246 190  14 246 190  14 246 190  14 246 190  14
37822 -246 190  14 246 190  14 242 186  14 163 133  67
37823 - 46  46  46  18  18  18   6   6   6   0   0   0
37824 -  0   0   0   0   0   0   0   0   0   0   0   0
37825 -  0   0   0   0   0   0   0   0   0   0   0   0
37826 -  0   0   0   0   0   0   0   0   0  10  10  10
37827 - 30  30  30  78  78  78 163 133  67 210 150  10
37828 -236 178  12 246 186  14 246 190  14 246 190  14
37829 -246 190  14 246 190  14 246 190  14 246 190  14
37830 -246 190  14 246 190  14 246 190  14 246 190  14
37831 -246 190  14 246 190  14 246 190  14 246 190  14
37832 -241 196  14 215 174  15 190 178 144 253 253 253
37833 -253 253 253 253 253 253 253 253 253 253 253 253
37834 -253 253 253 253 253 253 253 253 253 253 253 253
37835 -253 253 253 253 253 253 253 253 253 253 253 253
37836 -253 253 253 253 253 253 253 253 253 218 218 218
37837 - 58  58  58   2   2   6  22  18   6 167 114   7
37838 -216 158  10 236 178  12 246 186  14 246 190  14
37839 -246 190  14 246 190  14 246 190  14 246 190  14
37840 -246 190  14 246 190  14 246 190  14 246 190  14
37841 -246 190  14 246 190  14 246 190  14 246 190  14
37842 -246 190  14 246 186  14 242 186  14 190 150  46
37843 - 54  54  54  22  22  22   6   6   6   0   0   0
37844 -  0   0   0   0   0   0   0   0   0   0   0   0
37845 -  0   0   0   0   0   0   0   0   0   0   0   0
37846 -  0   0   0   0   0   0   0   0   0  14  14  14
37847 - 38  38  38  86  86  86 180 133  36 213 154  11
37848 -236 178  12 246 186  14 246 190  14 246 190  14
37849 -246 190  14 246 190  14 246 190  14 246 190  14
37850 -246 190  14 246 190  14 246 190  14 246 190  14
37851 -246 190  14 246 190  14 246 190  14 246 190  14
37852 -246 190  14 232 195  16 190 146  13 214 214 214
37853 -253 253 253 253 253 253 253 253 253 253 253 253
37854 -253 253 253 253 253 253 253 253 253 253 253 253
37855 -253 253 253 253 253 253 253 253 253 253 253 253
37856 -253 253 253 250 250 250 170 170 170  26  26  26
37857 -  2   2   6   2   2   6  37  26   9 163 110   8
37858 -219 162  10 239 182  13 246 186  14 246 190  14
37859 -246 190  14 246 190  14 246 190  14 246 190  14
37860 -246 190  14 246 190  14 246 190  14 246 190  14
37861 -246 190  14 246 190  14 246 190  14 246 190  14
37862 -246 186  14 236 178  12 224 166  10 142 122  72
37863 - 46  46  46  18  18  18   6   6   6   0   0   0
37864 -  0   0   0   0   0   0   0   0   0   0   0   0
37865 -  0   0   0   0   0   0   0   0   0   0   0   0
37866 -  0   0   0   0   0   0   6   6   6  18  18  18
37867 - 50  50  50 109 106  95 192 133   9 224 166  10
37868 -242 186  14 246 190  14 246 190  14 246 190  14
37869 -246 190  14 246 190  14 246 190  14 246 190  14
37870 -246 190  14 246 190  14 246 190  14 246 190  14
37871 -246 190  14 246 190  14 246 190  14 246 190  14
37872 -242 186  14 226 184  13 210 162  10 142 110  46
37873 -226 226 226 253 253 253 253 253 253 253 253 253
37874 -253 253 253 253 253 253 253 253 253 253 253 253
37875 -253 253 253 253 253 253 253 253 253 253 253 253
37876 -198 198 198  66  66  66   2   2   6   2   2   6
37877 -  2   2   6   2   2   6  50  34   6 156 107  11
37878 -219 162  10 239 182  13 246 186  14 246 190  14
37879 -246 190  14 246 190  14 246 190  14 246 190  14
37880 -246 190  14 246 190  14 246 190  14 246 190  14
37881 -246 190  14 246 190  14 246 190  14 242 186  14
37882 -234 174  13 213 154  11 154 122  46  66  66  66
37883 - 30  30  30  10  10  10   0   0   0   0   0   0
37884 -  0   0   0   0   0   0   0   0   0   0   0   0
37885 -  0   0   0   0   0   0   0   0   0   0   0   0
37886 -  0   0   0   0   0   0   6   6   6  22  22  22
37887 - 58  58  58 154 121  60 206 145  10 234 174  13
37888 -242 186  14 246 186  14 246 190  14 246 190  14
37889 -246 190  14 246 190  14 246 190  14 246 190  14
37890 -246 190  14 246 190  14 246 190  14 246 190  14
37891 -246 190  14 246 190  14 246 190  14 246 190  14
37892 -246 186  14 236 178  12 210 162  10 163 110   8
37893 - 61  42   6 138 138 138 218 218 218 250 250 250
37894 -253 253 253 253 253 253 253 253 253 250 250 250
37895 -242 242 242 210 210 210 144 144 144  66  66  66
37896 -  6   6   6   2   2   6   2   2   6   2   2   6
37897 -  2   2   6   2   2   6  61  42   6 163 110   8
37898 -216 158  10 236 178  12 246 190  14 246 190  14
37899 -246 190  14 246 190  14 246 190  14 246 190  14
37900 -246 190  14 246 190  14 246 190  14 246 190  14
37901 -246 190  14 239 182  13 230 174  11 216 158  10
37902 -190 142  34 124 112  88  70  70  70  38  38  38
37903 - 18  18  18   6   6   6   0   0   0   0   0   0
37904 -  0   0   0   0   0   0   0   0   0   0   0   0
37905 -  0   0   0   0   0   0   0   0   0   0   0   0
37906 -  0   0   0   0   0   0   6   6   6  22  22  22
37907 - 62  62  62 168 124  44 206 145  10 224 166  10
37908 -236 178  12 239 182  13 242 186  14 242 186  14
37909 -246 186  14 246 190  14 246 190  14 246 190  14
37910 -246 190  14 246 190  14 246 190  14 246 190  14
37911 -246 190  14 246 190  14 246 190  14 246 190  14
37912 -246 190  14 236 178  12 216 158  10 175 118   6
37913 - 80  54   7   2   2   6   6   6   6  30  30  30
37914 - 54  54  54  62  62  62  50  50  50  38  38  38
37915 - 14  14  14   2   2   6   2   2   6   2   2   6
37916 -  2   2   6   2   2   6   2   2   6   2   2   6
37917 -  2   2   6   6   6   6  80  54   7 167 114   7
37918 -213 154  11 236 178  12 246 190  14 246 190  14
37919 -246 190  14 246 190  14 246 190  14 246 190  14
37920 -246 190  14 242 186  14 239 182  13 239 182  13
37921 -230 174  11 210 150  10 174 135  50 124 112  88
37922 - 82  82  82  54  54  54  34  34  34  18  18  18
37923 -  6   6   6   0   0   0   0   0   0   0   0   0
37924 -  0   0   0   0   0   0   0   0   0   0   0   0
37925 -  0   0   0   0   0   0   0   0   0   0   0   0
37926 -  0   0   0   0   0   0   6   6   6  18  18  18
37927 - 50  50  50 158 118  36 192 133   9 200 144  11
37928 -216 158  10 219 162  10 224 166  10 226 170  11
37929 -230 174  11 236 178  12 239 182  13 239 182  13
37930 -242 186  14 246 186  14 246 190  14 246 190  14
37931 -246 190  14 246 190  14 246 190  14 246 190  14
37932 -246 186  14 230 174  11 210 150  10 163 110   8
37933 -104  69   6  10  10  10   2   2   6   2   2   6
37934 -  2   2   6   2   2   6   2   2   6   2   2   6
37935 -  2   2   6   2   2   6   2   2   6   2   2   6
37936 -  2   2   6   2   2   6   2   2   6   2   2   6
37937 -  2   2   6   6   6   6  91  60   6 167 114   7
37938 -206 145  10 230 174  11 242 186  14 246 190  14
37939 -246 190  14 246 190  14 246 186  14 242 186  14
37940 -239 182  13 230 174  11 224 166  10 213 154  11
37941 -180 133  36 124 112  88  86  86  86  58  58  58
37942 - 38  38  38  22  22  22  10  10  10   6   6   6
37943 -  0   0   0   0   0   0   0   0   0   0   0   0
37944 -  0   0   0   0   0   0   0   0   0   0   0   0
37945 -  0   0   0   0   0   0   0   0   0   0   0   0
37946 -  0   0   0   0   0   0   0   0   0  14  14  14
37947 - 34  34  34  70  70  70 138 110  50 158 118  36
37948 -167 114   7 180 123   7 192 133   9 197 138  11
37949 -200 144  11 206 145  10 213 154  11 219 162  10
37950 -224 166  10 230 174  11 239 182  13 242 186  14
37951 -246 186  14 246 186  14 246 186  14 246 186  14
37952 -239 182  13 216 158  10 185 133  11 152  99   6
37953 -104  69   6  18  14   6   2   2   6   2   2   6
37954 -  2   2   6   2   2   6   2   2   6   2   2   6
37955 -  2   2   6   2   2   6   2   2   6   2   2   6
37956 -  2   2   6   2   2   6   2   2   6   2   2   6
37957 -  2   2   6   6   6   6  80  54   7 152  99   6
37958 -192 133   9 219 162  10 236 178  12 239 182  13
37959 -246 186  14 242 186  14 239 182  13 236 178  12
37960 -224 166  10 206 145  10 192 133   9 154 121  60
37961 - 94  94  94  62  62  62  42  42  42  22  22  22
37962 - 14  14  14   6   6   6   0   0   0   0   0   0
37963 -  0   0   0   0   0   0   0   0   0   0   0   0
37964 -  0   0   0   0   0   0   0   0   0   0   0   0
37965 -  0   0   0   0   0   0   0   0   0   0   0   0
37966 -  0   0   0   0   0   0   0   0   0   6   6   6
37967 - 18  18  18  34  34  34  58  58  58  78  78  78
37968 -101  98  89 124 112  88 142 110  46 156 107  11
37969 -163 110   8 167 114   7 175 118   6 180 123   7
37970 -185 133  11 197 138  11 210 150  10 219 162  10
37971 -226 170  11 236 178  12 236 178  12 234 174  13
37972 -219 162  10 197 138  11 163 110   8 130  83   6
37973 - 91  60   6  10  10  10   2   2   6   2   2   6
37974 - 18  18  18  38  38  38  38  38  38  38  38  38
37975 - 38  38  38  38  38  38  38  38  38  38  38  38
37976 - 38  38  38  38  38  38  26  26  26   2   2   6
37977 -  2   2   6   6   6   6  70  47   6 137  92   6
37978 -175 118   6 200 144  11 219 162  10 230 174  11
37979 -234 174  13 230 174  11 219 162  10 210 150  10
37980 -192 133   9 163 110   8 124 112  88  82  82  82
37981 - 50  50  50  30  30  30  14  14  14   6   6   6
37982 -  0   0   0   0   0   0   0   0   0   0   0   0
37983 -  0   0   0   0   0   0   0   0   0   0   0   0
37984 -  0   0   0   0   0   0   0   0   0   0   0   0
37985 -  0   0   0   0   0   0   0   0   0   0   0   0
37986 -  0   0   0   0   0   0   0   0   0   0   0   0
37987 -  6   6   6  14  14  14  22  22  22  34  34  34
37988 - 42  42  42  58  58  58  74  74  74  86  86  86
37989 -101  98  89 122 102  70 130  98  46 121  87  25
37990 -137  92   6 152  99   6 163 110   8 180 123   7
37991 -185 133  11 197 138  11 206 145  10 200 144  11
37992 -180 123   7 156 107  11 130  83   6 104  69   6
37993 - 50  34   6  54  54  54 110 110 110 101  98  89
37994 - 86  86  86  82  82  82  78  78  78  78  78  78
37995 - 78  78  78  78  78  78  78  78  78  78  78  78
37996 - 78  78  78  82  82  82  86  86  86  94  94  94
37997 -106 106 106 101 101 101  86  66  34 124  80   6
37998 -156 107  11 180 123   7 192 133   9 200 144  11
37999 -206 145  10 200 144  11 192 133   9 175 118   6
38000 -139 102  15 109 106  95  70  70  70  42  42  42
38001 - 22  22  22  10  10  10   0   0   0   0   0   0
38002 -  0   0   0   0   0   0   0   0   0   0   0   0
38003 -  0   0   0   0   0   0   0   0   0   0   0   0
38004 -  0   0   0   0   0   0   0   0   0   0   0   0
38005 -  0   0   0   0   0   0   0   0   0   0   0   0
38006 -  0   0   0   0   0   0   0   0   0   0   0   0
38007 -  0   0   0   0   0   0   6   6   6  10  10  10
38008 - 14  14  14  22  22  22  30  30  30  38  38  38
38009 - 50  50  50  62  62  62  74  74  74  90  90  90
38010 -101  98  89 112 100  78 121  87  25 124  80   6
38011 -137  92   6 152  99   6 152  99   6 152  99   6
38012 -138  86   6 124  80   6  98  70   6  86  66  30
38013 -101  98  89  82  82  82  58  58  58  46  46  46
38014 - 38  38  38  34  34  34  34  34  34  34  34  34
38015 - 34  34  34  34  34  34  34  34  34  34  34  34
38016 - 34  34  34  34  34  34  38  38  38  42  42  42
38017 - 54  54  54  82  82  82  94  86  76  91  60   6
38018 -134  86   6 156 107  11 167 114   7 175 118   6
38019 -175 118   6 167 114   7 152  99   6 121  87  25
38020 -101  98  89  62  62  62  34  34  34  18  18  18
38021 -  6   6   6   0   0   0   0   0   0   0   0   0
38022 -  0   0   0   0   0   0   0   0   0   0   0   0
38023 -  0   0   0   0   0   0   0   0   0   0   0   0
38024 -  0   0   0   0   0   0   0   0   0   0   0   0
38025 -  0   0   0   0   0   0   0   0   0   0   0   0
38026 -  0   0   0   0   0   0   0   0   0   0   0   0
38027 -  0   0   0   0   0   0   0   0   0   0   0   0
38028 -  0   0   0   6   6   6   6   6   6  10  10  10
38029 - 18  18  18  22  22  22  30  30  30  42  42  42
38030 - 50  50  50  66  66  66  86  86  86 101  98  89
38031 -106  86  58  98  70   6 104  69   6 104  69   6
38032 -104  69   6  91  60   6  82  62  34  90  90  90
38033 - 62  62  62  38  38  38  22  22  22  14  14  14
38034 - 10  10  10  10  10  10  10  10  10  10  10  10
38035 - 10  10  10  10  10  10   6   6   6  10  10  10
38036 - 10  10  10  10  10  10  10  10  10  14  14  14
38037 - 22  22  22  42  42  42  70  70  70  89  81  66
38038 - 80  54   7 104  69   6 124  80   6 137  92   6
38039 -134  86   6 116  81   8 100  82  52  86  86  86
38040 - 58  58  58  30  30  30  14  14  14   6   6   6
38041 -  0   0   0   0   0   0   0   0   0   0   0   0
38042 -  0   0   0   0   0   0   0   0   0   0   0   0
38043 -  0   0   0   0   0   0   0   0   0   0   0   0
38044 -  0   0   0   0   0   0   0   0   0   0   0   0
38045 -  0   0   0   0   0   0   0   0   0   0   0   0
38046 -  0   0   0   0   0   0   0   0   0   0   0   0
38047 -  0   0   0   0   0   0   0   0   0   0   0   0
38048 -  0   0   0   0   0   0   0   0   0   0   0   0
38049 -  0   0   0   6   6   6  10  10  10  14  14  14
38050 - 18  18  18  26  26  26  38  38  38  54  54  54
38051 - 70  70  70  86  86  86  94  86  76  89  81  66
38052 - 89  81  66  86  86  86  74  74  74  50  50  50
38053 - 30  30  30  14  14  14   6   6   6   0   0   0
38054 -  0   0   0   0   0   0   0   0   0   0   0   0
38055 -  0   0   0   0   0   0   0   0   0   0   0   0
38056 -  0   0   0   0   0   0   0   0   0   0   0   0
38057 -  6   6   6  18  18  18  34  34  34  58  58  58
38058 - 82  82  82  89  81  66  89  81  66  89  81  66
38059 - 94  86  66  94  86  76  74  74  74  50  50  50
38060 - 26  26  26  14  14  14   6   6   6   0   0   0
38061 -  0   0   0   0   0   0   0   0   0   0   0   0
38062 -  0   0   0   0   0   0   0   0   0   0   0   0
38063 -  0   0   0   0   0   0   0   0   0   0   0   0
38064 -  0   0   0   0   0   0   0   0   0   0   0   0
38065 -  0   0   0   0   0   0   0   0   0   0   0   0
38066 -  0   0   0   0   0   0   0   0   0   0   0   0
38067 -  0   0   0   0   0   0   0   0   0   0   0   0
38068 -  0   0   0   0   0   0   0   0   0   0   0   0
38069 -  0   0   0   0   0   0   0   0   0   0   0   0
38070 -  6   6   6   6   6   6  14  14  14  18  18  18
38071 - 30  30  30  38  38  38  46  46  46  54  54  54
38072 - 50  50  50  42  42  42  30  30  30  18  18  18
38073 - 10  10  10   0   0   0   0   0   0   0   0   0
38074 -  0   0   0   0   0   0   0   0   0   0   0   0
38075 -  0   0   0   0   0   0   0   0   0   0   0   0
38076 -  0   0   0   0   0   0   0   0   0   0   0   0
38077 -  0   0   0   6   6   6  14  14  14  26  26  26
38078 - 38  38  38  50  50  50  58  58  58  58  58  58
38079 - 54  54  54  42  42  42  30  30  30  18  18  18
38080 - 10  10  10   0   0   0   0   0   0   0   0   0
38081 -  0   0   0   0   0   0   0   0   0   0   0   0
38082 -  0   0   0   0   0   0   0   0   0   0   0   0
38083 -  0   0   0   0   0   0   0   0   0   0   0   0
38084 -  0   0   0   0   0   0   0   0   0   0   0   0
38085 -  0   0   0   0   0   0   0   0   0   0   0   0
38086 -  0   0   0   0   0   0   0   0   0   0   0   0
38087 -  0   0   0   0   0   0   0   0   0   0   0   0
38088 -  0   0   0   0   0   0   0   0   0   0   0   0
38089 -  0   0   0   0   0   0   0   0   0   0   0   0
38090 -  0   0   0   0   0   0   0   0   0   6   6   6
38091 -  6   6   6  10  10  10  14  14  14  18  18  18
38092 - 18  18  18  14  14  14  10  10  10   6   6   6
38093 -  0   0   0   0   0   0   0   0   0   0   0   0
38094 -  0   0   0   0   0   0   0   0   0   0   0   0
38095 -  0   0   0   0   0   0   0   0   0   0   0   0
38096 -  0   0   0   0   0   0   0   0   0   0   0   0
38097 -  0   0   0   0   0   0   0   0   0   6   6   6
38098 - 14  14  14  18  18  18  22  22  22  22  22  22
38099 - 18  18  18  14  14  14  10  10  10   6   6   6
38100 -  0   0   0   0   0   0   0   0   0   0   0   0
38101 -  0   0   0   0   0   0   0   0   0   0   0   0
38102 -  0   0   0   0   0   0   0   0   0   0   0   0
38103 -  0   0   0   0   0   0   0   0   0   0   0   0
38104 -  0   0   0   0   0   0   0   0   0   0   0   0
38105 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38106 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38107 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38108 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38109 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38110 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38111 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38112 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38113 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38114 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38115 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38116 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38117 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38118 +4 4 4  4 4 4
38119 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38120 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38121 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38122 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38123 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38124 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38125 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38126 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38127 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38128 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38129 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38130 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38131 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38132 +4 4 4  4 4 4
38133 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38134 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38135 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38136 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38137 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38138 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38139 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38140 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38141 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38142 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38143 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38144 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38145 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38146 +4 4 4  4 4 4
38147 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38148 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38149 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38150 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38151 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38152 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38153 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38154 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38155 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38156 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38157 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38158 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38159 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38160 +4 4 4  4 4 4
38161 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38162 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38163 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38164 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38165 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38166 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38167 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38168 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38169 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38170 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38171 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38172 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38173 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38174 +4 4 4  4 4 4
38175 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38176 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38177 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38178 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38179 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38180 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38181 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38182 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38183 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38184 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38185 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38186 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38187 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38188 +4 4 4  4 4 4
38189 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38190 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38191 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38192 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38193 +4 4 4  4 4 4  4 4 4  3 3 3  0 0 0  0 0 0
38194 +0 0 0  0 0 0  0 0 0  0 0 0  3 3 3  4 4 4
38195 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38196 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38197 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38198 +4 4 4  4 4 4  4 4 4  4 4 4  1 1 1  0 0 0
38199 +0 0 0  3 3 3  4 4 4  4 4 4  4 4 4  4 4 4
38200 +4 4 4  4 4 4  4 4 4  2 1 0  2 1 0  3 2 2
38201 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38202 +4 4 4  4 4 4
38203 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38204 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38205 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38206 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38207 +4 4 4  4 4 4  2 2 2  0 0 0  3 4 3  26 28 28
38208 +37 38 37  37 38 37  14 17 19  2 2 2  0 0 0  2 2 2
38209 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38210 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38211 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38212 +4 4 4  4 4 4  3 3 3  0 0 0  1 1 1  6 6 6
38213 +2 2 2  0 0 0  3 3 3  4 4 4  4 4 4  4 4 4
38214 +4 4 5  3 3 3  1 0 0  0 0 0  1 0 0  0 0 0
38215 +1 1 1  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38216 +4 4 4  4 4 4
38217 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38218 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38219 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38220 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38221 +2 2 2  0 0 0  0 0 0  14 17 19  60 74 84  137 136 137
38222 +153 152 153  137 136 137  125 124 125  60 73 81  6 6 6  3 1 0
38223 +0 0 0  3 3 3  4 4 4  4 4 4  4 4 4  4 4 4
38224 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38225 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38226 +4 4 4  4 4 4  0 0 0  4 4 4  41 54 63  125 124 125
38227 +60 73 81  6 6 6  4 0 0  3 3 3  4 4 4  4 4 4
38228 +4 4 4  0 0 0  6 9 11  41 54 63  41 65 82  22 30 35
38229 +2 2 2  2 1 0  4 4 4  4 4 4  4 4 4  4 4 4
38230 +4 4 4  4 4 4
38231 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38232 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38233 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38234 +4 4 4  4 4 4  5 5 5  5 5 5  2 2 2  0 0 0
38235 +4 0 0  6 6 6  41 54 63  137 136 137  174 174 174  167 166 167
38236 +165 164 165  165 164 165  163 162 163  163 162 163  125 124 125  41 54 63
38237 +1 1 1  0 0 0  0 0 0  3 3 3  5 5 5  4 4 4
38238 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38239 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  5 5 5
38240 +3 3 3  2 0 0  4 0 0  60 73 81  156 155 156  167 166 167
38241 +163 162 163  85 115 134  5 7 8  0 0 0  4 4 4  5 5 5
38242 +0 0 0  2 5 5  55 98 126  90 154 193  90 154 193  72 125 159
38243 +37 51 59  2 0 0  1 1 1  4 5 5  4 4 4  4 4 4
38244 +4 4 4  4 4 4
38245 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38246 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38247 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38248 +4 4 4  5 5 5  4 4 4  1 1 1  0 0 0  3 3 3
38249 +37 38 37  125 124 125  163 162 163  174 174 174  158 157 158  158 157 158
38250 +156 155 156  156 155 156  158 157 158  165 164 165  174 174 174  166 165 166
38251 +125 124 125  16 19 21  1 0 0  0 0 0  0 0 0  4 4 4
38252 +5 5 5  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
38253 +4 4 4  4 4 4  4 4 4  5 5 5  5 5 5  1 1 1
38254 +0 0 0  0 0 0  37 38 37  153 152 153  174 174 174  158 157 158
38255 +174 174 174  163 162 163  37 38 37  4 3 3  4 0 0  1 1 1
38256 +0 0 0  22 40 52  101 161 196  101 161 196  90 154 193  101 161 196
38257 +64 123 161  14 17 19  0 0 0  4 4 4  4 4 4  4 4 4
38258 +4 4 4  4 4 4
38259 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38260 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38261 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
38262 +5 5 5  2 2 2  0 0 0  4 0 0  24 26 27  85 115 134
38263 +156 155 156  174 174 174  167 166 167  156 155 156  154 153 154  157 156 157
38264 +156 155 156  156 155 156  155 154 155  153 152 153  158 157 158  167 166 167
38265 +174 174 174  156 155 156  60 74 84  16 19 21  0 0 0  0 0 0
38266 +1 1 1  5 5 5  5 5 5  4 4 4  4 4 4  4 4 4
38267 +4 4 4  5 5 5  6 6 6  3 3 3  0 0 0  4 0 0
38268 +13 16 17  60 73 81  137 136 137  165 164 165  156 155 156  153 152 153
38269 +174 174 174  177 184 187  60 73 81  3 1 0  0 0 0  1 1 2
38270 +22 30 35  64 123 161  136 185 209  90 154 193  90 154 193  90 154 193
38271 +90 154 193  21 29 34  0 0 0  3 2 2  4 4 5  4 4 4
38272 +4 4 4  4 4 4
38273 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38274 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38275 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  3 3 3
38276 +0 0 0  0 0 0  10 13 16  60 74 84  157 156 157  174 174 174
38277 +174 174 174  158 157 158  153 152 153  154 153 154  156 155 156  155 154 155
38278 +156 155 156  155 154 155  154 153 154  157 156 157  154 153 154  153 152 153
38279 +163 162 163  174 174 174  177 184 187  137 136 137  60 73 81  13 16 17
38280 +4 0 0  0 0 0  3 3 3  5 5 5  4 4 4  4 4 4
38281 +5 5 5  4 4 4  1 1 1  0 0 0  3 3 3  41 54 63
38282 +131 129 131  174 174 174  174 174 174  174 174 174  167 166 167  174 174 174
38283 +190 197 201  137 136 137  24 26 27  4 0 0  16 21 25  50 82 103
38284 +90 154 193  136 185 209  90 154 193  101 161 196  101 161 196  101 161 196
38285 +31 91 132  3 6 7  0 0 0  4 4 4  4 4 4  4 4 4
38286 +4 4 4  4 4 4
38287 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38288 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38289 +4 4 4  4 4 4  4 4 4  2 2 2  0 0 0  4 0 0
38290 +4 0 0  43 57 68  137 136 137  177 184 187  174 174 174  163 162 163
38291 +155 154 155  155 154 155  156 155 156  155 154 155  158 157 158  165 164 165
38292 +167 166 167  166 165 166  163 162 163  157 156 157  155 154 155  155 154 155
38293 +153 152 153  156 155 156  167 166 167  174 174 174  174 174 174  131 129 131
38294 +41 54 63  5 5 5  0 0 0  0 0 0  3 3 3  4 4 4
38295 +1 1 1  0 0 0  1 0 0  26 28 28  125 124 125  174 174 174
38296 +177 184 187  174 174 174  174 174 174  156 155 156  131 129 131  137 136 137
38297 +125 124 125  24 26 27  4 0 0  41 65 82  90 154 193  136 185 209
38298 +136 185 209  101 161 196  53 118 160  37 112 160  90 154 193  34 86 122
38299 +7 12 15  0 0 0  4 4 4  4 4 4  4 4 4  4 4 4
38300 +4 4 4  4 4 4
38301 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38302 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38303 +4 4 4  3 3 3  0 0 0  0 0 0  5 5 5  37 38 37
38304 +125 124 125  167 166 167  174 174 174  167 166 167  158 157 158  155 154 155
38305 +156 155 156  156 155 156  156 155 156  163 162 163  167 166 167  155 154 155
38306 +137 136 137  153 152 153  156 155 156  165 164 165  163 162 163  156 155 156
38307 +156 155 156  156 155 156  155 154 155  158 157 158  166 165 166  174 174 174
38308 +167 166 167  125 124 125  37 38 37  1 0 0  0 0 0  0 0 0
38309 +0 0 0  24 26 27  60 74 84  158 157 158  174 174 174  174 174 174
38310 +166 165 166  158 157 158  125 124 125  41 54 63  13 16 17  6 6 6
38311 +6 6 6  37 38 37  80 127 157  136 185 209  101 161 196  101 161 196
38312 +90 154 193  28 67 93  6 10 14  13 20 25  13 20 25  6 10 14
38313 +1 1 2  4 3 3  4 4 4  4 4 4  4 4 4  4 4 4
38314 +4 4 4  4 4 4
38315 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38316 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38317 +1 1 1  1 0 0  4 3 3  37 38 37  60 74 84  153 152 153
38318 +167 166 167  167 166 167  158 157 158  154 153 154  155 154 155  156 155 156
38319 +157 156 157  158 157 158  167 166 167  167 166 167  131 129 131  43 57 68
38320 +26 28 28  37 38 37  60 73 81  131 129 131  165 164 165  166 165 166
38321 +158 157 158  155 154 155  156 155 156  156 155 156  156 155 156  158 157 158
38322 +165 164 165  174 174 174  163 162 163  60 74 84  16 19 21  13 16 17
38323 +60 73 81  131 129 131  174 174 174  174 174 174  167 166 167  165 164 165
38324 +137 136 137  60 73 81  24 26 27  4 0 0  4 0 0  16 19 21
38325 +52 104 138  101 161 196  136 185 209  136 185 209  90 154 193  27 99 146
38326 +13 20 25  4 5 7  2 5 5  4 5 7  1 1 2  0 0 0
38327 +4 4 4  4 4 4  3 3 3  2 2 2  2 2 2  4 4 4
38328 +4 4 4  4 4 4
38329 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38330 +4 4 4  4 4 4  4 4 4  4 4 4  3 3 3  0 0 0
38331 +0 0 0  13 16 17  60 73 81  137 136 137  174 174 174  166 165 166
38332 +158 157 158  156 155 156  157 156 157  156 155 156  155 154 155  158 157 158
38333 +167 166 167  174 174 174  153 152 153  60 73 81  16 19 21  4 0 0
38334 +4 0 0  4 0 0  6 6 6  26 28 28  60 74 84  158 157 158
38335 +174 174 174  166 165 166  157 156 157  155 154 155  156 155 156  156 155 156
38336 +155 154 155  158 157 158  167 166 167  167 166 167  131 129 131  125 124 125
38337 +137 136 137  167 166 167  167 166 167  174 174 174  158 157 158  125 124 125
38338 +16 19 21  4 0 0  4 0 0  10 13 16  49 76 92  107 159 188
38339 +136 185 209  136 185 209  90 154 193  26 108 161  22 40 52  6 10 14
38340 +2 3 3  1 1 2  1 1 2  4 4 5  4 4 5  4 4 5
38341 +4 4 5  2 2 1  0 0 0  0 0 0  0 0 0  2 2 2
38342 +4 4 4  4 4 4
38343 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38344 +4 4 4  5 5 5  3 3 3  0 0 0  1 0 0  4 0 0
38345 +37 51 59  131 129 131  167 166 167  167 166 167  163 162 163  157 156 157
38346 +157 156 157  155 154 155  153 152 153  157 156 157  167 166 167  174 174 174
38347 +153 152 153  125 124 125  37 38 37  4 0 0  4 0 0  4 0 0
38348 +4 3 3  4 3 3  4 0 0  6 6 6  4 0 0  37 38 37
38349 +125 124 125  174 174 174  174 174 174  165 164 165  156 155 156  154 153 154
38350 +156 155 156  156 155 156  155 154 155  163 162 163  158 157 158  163 162 163
38351 +174 174 174  174 174 174  174 174 174  125 124 125  37 38 37  0 0 0
38352 +4 0 0  6 9 11  41 54 63  90 154 193  136 185 209  146 190 211
38353 +136 185 209  37 112 160  22 40 52  6 10 14  3 6 7  1 1 2
38354 +1 1 2  3 3 3  1 1 2  3 3 3  4 4 4  4 4 4
38355 +2 2 2  2 0 0  16 19 21  37 38 37  24 26 27  0 0 0
38356 +0 0 0  4 4 4
38357 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  5 5 5
38358 +4 4 4  0 0 0  0 0 0  0 0 0  26 28 28  120 125 127
38359 +158 157 158  174 174 174  165 164 165  157 156 157  155 154 155  156 155 156
38360 +153 152 153  153 152 153  167 166 167  174 174 174  174 174 174  125 124 125
38361 +37 38 37  4 0 0  0 0 0  4 0 0  4 3 3  4 4 4
38362 +4 4 4  4 4 4  5 5 5  4 0 0  4 0 0  4 0 0
38363 +4 3 3  43 57 68  137 136 137  174 174 174  174 174 174  165 164 165
38364 +154 153 154  153 152 153  153 152 153  153 152 153  163 162 163  174 174 174
38365 +174 174 174  153 152 153  60 73 81  6 6 6  4 0 0  4 3 3
38366 +32 43 50  80 127 157  136 185 209  146 190 211  146 190 211  90 154 193
38367 +28 67 93  28 67 93  40 71 93  3 6 7  1 1 2  2 5 5
38368 +50 82 103  79 117 143  26 37 45  0 0 0  3 3 3  1 1 1
38369 +0 0 0  41 54 63  137 136 137  174 174 174  153 152 153  60 73 81
38370 +2 0 0  0 0 0
38371 +4 4 4  4 4 4  4 4 4  4 4 4  6 6 6  2 2 2
38372 +0 0 0  2 0 0  24 26 27  60 74 84  153 152 153  174 174 174
38373 +174 174 174  157 156 157  154 153 154  156 155 156  154 153 154  153 152 153
38374 +165 164 165  174 174 174  177 184 187  137 136 137  43 57 68  6 6 6
38375 +4 0 0  2 0 0  3 3 3  5 5 5  5 5 5  4 4 4
38376 +4 4 4  4 4 4  4 4 4  5 5 5  6 6 6  4 3 3
38377 +4 0 0  4 0 0  24 26 27  60 73 81  153 152 153  174 174 174
38378 +174 174 174  158 157 158  158 157 158  174 174 174  174 174 174  158 157 158
38379 +60 74 84  24 26 27  4 0 0  4 0 0  17 23 27  59 113 148
38380 +136 185 209  191 222 234  146 190 211  136 185 209  31 91 132  7 11 13
38381 +22 40 52  101 161 196  90 154 193  6 9 11  3 4 4  43 95 132
38382 +136 185 209  172 205 220  55 98 126  0 0 0  0 0 0  2 0 0
38383 +26 28 28  153 152 153  177 184 187  167 166 167  177 184 187  165 164 165
38384 +37 38 37  0 0 0
38385 +4 4 4  4 4 4  5 5 5  5 5 5  1 1 1  0 0 0
38386 +13 16 17  60 73 81  137 136 137  174 174 174  174 174 174  165 164 165
38387 +153 152 153  153 152 153  155 154 155  154 153 154  158 157 158  174 174 174
38388 +177 184 187  163 162 163  60 73 81  16 19 21  4 0 0  4 0 0
38389 +4 3 3  4 4 4  5 5 5  5 5 5  4 4 4  5 5 5
38390 +5 5 5  5 5 5  5 5 5  4 4 4  4 4 4  5 5 5
38391 +6 6 6  4 0 0  4 0 0  4 0 0  24 26 27  60 74 84
38392 +166 165 166  174 174 174  177 184 187  165 164 165  125 124 125  24 26 27
38393 +4 0 0  4 0 0  5 5 5  50 82 103  136 185 209  172 205 220
38394 +146 190 211  136 185 209  26 108 161  22 40 52  7 12 15  44 81 103
38395 +71 116 144  28 67 93  37 51 59  41 65 82  100 139 164  101 161 196
38396 +90 154 193  90 154 193  28 67 93  0 0 0  0 0 0  26 28 28
38397 +125 124 125  167 166 167  163 162 163  153 152 153  163 162 163  174 174 174
38398 +85 115 134  4 0 0
38399 +4 4 4  5 5 5  4 4 4  1 0 0  4 0 0  34 47 55
38400 +125 124 125  174 174 174  174 174 174  167 166 167  157 156 157  153 152 153
38401 +155 154 155  155 154 155  158 157 158  166 165 166  167 166 167  154 153 154
38402 +125 124 125  26 28 28  4 0 0  4 0 0  4 0 0  5 5 5
38403 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  1 1 1
38404 +0 0 0  0 0 0  1 1 1  4 4 4  4 4 4  4 4 4
38405 +5 5 5  5 5 5  4 3 3  4 0 0  4 0 0  6 6 6
38406 +37 38 37  131 129 131  137 136 137  37 38 37  0 0 0  4 0 0
38407 +4 5 5  43 61 72  90 154 193  172 205 220  146 190 211  136 185 209
38408 +90 154 193  28 67 93  13 20 25  43 61 72  71 116 144  44 81 103
38409 +2 5 5  7 11 13  59 113 148  101 161 196  90 154 193  28 67 93
38410 +13 20 25  6 10 14  0 0 0  13 16 17  60 73 81  137 136 137
38411 +166 165 166  158 157 158  156 155 156  154 153 154  167 166 167  174 174 174
38412 +60 73 81  4 0 0
38413 +4 4 4  4 4 4  0 0 0  3 3 3  60 74 84  174 174 174
38414 +174 174 174  167 166 167  163 162 163  155 154 155  157 156 157  155 154 155
38415 +156 155 156  163 162 163  167 166 167  158 157 158  125 124 125  37 38 37
38416 +4 3 3  4 0 0  4 0 0  6 6 6  6 6 6  5 5 5
38417 +4 4 4  4 4 4  4 4 4  1 1 1  0 0 0  2 3 3
38418 +10 13 16  7 11 13  1 0 0  0 0 0  2 2 1  4 4 4
38419 +4 4 4  4 4 4  4 4 4  5 5 5  4 3 3  4 0 0
38420 +4 0 0  7 11 13  13 16 17  4 0 0  3 3 3  34 47 55
38421 +80 127 157  146 190 211  172 205 220  136 185 209  136 185 209  136 185 209
38422 +28 67 93  22 40 52  55 98 126  55 98 126  21 29 34  7 11 13
38423 +50 82 103  101 161 196  101 161 196  35 83 115  13 20 25  2 2 1
38424 +1 1 2  1 1 2  37 51 59  131 129 131  174 174 174  174 174 174
38425 +167 166 167  163 162 163  163 162 163  167 166 167  174 174 174  125 124 125
38426 +16 19 21  4 0 0
38427 +4 4 4  4 0 0  4 0 0  60 74 84  174 174 174  174 174 174
38428 +158 157 158  155 154 155  155 154 155  156 155 156  155 154 155  158 157 158
38429 +167 166 167  165 164 165  131 129 131  60 73 81  13 16 17  4 0 0
38430 +4 0 0  4 3 3  6 6 6  4 3 3  5 5 5  4 4 4
38431 +4 4 4  3 2 2  0 0 0  0 0 0  7 11 13  45 69 86
38432 +80 127 157  71 116 144  43 61 72  7 11 13  0 0 0  1 1 1
38433 +4 3 3  4 4 4  4 4 4  4 4 4  6 6 6  5 5 5
38434 +3 2 2  4 0 0  1 0 0  21 29 34  59 113 148  136 185 209
38435 +146 190 211  136 185 209  136 185 209  136 185 209  136 185 209  136 185 209
38436 +68 124 159  44 81 103  22 40 52  13 16 17  43 61 72  90 154 193
38437 +136 185 209  59 113 148  21 29 34  3 4 3  1 1 1  0 0 0
38438 +24 26 27  125 124 125  163 162 163  174 174 174  166 165 166  165 164 165
38439 +163 162 163  125 124 125  125 124 125  125 124 125  125 124 125  26 28 28
38440 +4 0 0  4 3 3
38441 +3 3 3  0 0 0  24 26 27  153 152 153  177 184 187  158 157 158
38442 +156 155 156  156 155 156  155 154 155  155 154 155  165 164 165  174 174 174
38443 +155 154 155  60 74 84  26 28 28  4 0 0  4 0 0  3 1 0
38444 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 3 3
38445 +2 0 0  0 0 0  0 0 0  32 43 50  72 125 159  101 161 196
38446 +136 185 209  101 161 196  101 161 196  79 117 143  32 43 50  0 0 0
38447 +0 0 0  2 2 2  4 4 4  4 4 4  3 3 3  1 0 0
38448 +0 0 0  4 5 5  49 76 92  101 161 196  146 190 211  146 190 211
38449 +136 185 209  136 185 209  136 185 209  136 185 209  136 185 209  90 154 193
38450 +28 67 93  13 16 17  37 51 59  80 127 157  136 185 209  90 154 193
38451 +22 40 52  6 9 11  3 4 3  2 2 1  16 19 21  60 73 81
38452 +137 136 137  163 162 163  158 157 158  166 165 166  167 166 167  153 152 153
38453 +60 74 84  37 38 37  6 6 6  13 16 17  4 0 0  1 0 0
38454 +3 2 2  4 4 4
38455 +3 2 2  4 0 0  37 38 37  137 136 137  167 166 167  158 157 158
38456 +157 156 157  154 153 154  157 156 157  167 166 167  174 174 174  125 124 125
38457 +37 38 37  4 0 0  4 0 0  4 0 0  4 3 3  4 4 4
38458 +4 4 4  4 4 4  5 5 5  5 5 5  1 1 1  0 0 0
38459 +0 0 0  16 21 25  55 98 126  90 154 193  136 185 209  101 161 196
38460 +101 161 196  101 161 196  136 185 209  136 185 209  101 161 196  55 98 126
38461 +14 17 19  0 0 0  0 0 0  0 0 0  0 0 0  0 0 0
38462 +22 40 52  90 154 193  146 190 211  146 190 211  136 185 209  136 185 209
38463 +136 185 209  136 185 209  136 185 209  101 161 196  35 83 115  7 11 13
38464 +17 23 27  59 113 148  136 185 209  101 161 196  34 86 122  7 12 15
38465 +2 5 5  3 4 3  6 6 6  60 73 81  131 129 131  163 162 163
38466 +166 165 166  174 174 174  174 174 174  163 162 163  125 124 125  41 54 63
38467 +13 16 17  4 0 0  4 0 0  4 0 0  1 0 0  2 2 2
38468 +4 4 4  4 4 4
38469 +1 1 1  2 1 0  43 57 68  137 136 137  153 152 153  153 152 153
38470 +163 162 163  156 155 156  165 164 165  167 166 167  60 74 84  6 6 6
38471 +4 0 0  4 0 0  5 5 5  4 4 4  4 4 4  4 4 4
38472 +4 5 5  6 6 6  4 3 3  0 0 0  0 0 0  11 15 18
38473 +40 71 93  100 139 164  101 161 196  101 161 196  101 161 196  101 161 196
38474 +101 161 196  101 161 196  101 161 196  101 161 196  136 185 209  136 185 209
38475 +101 161 196  45 69 86  6 6 6  0 0 0  17 23 27  55 98 126
38476 +136 185 209  146 190 211  136 185 209  136 185 209  136 185 209  136 185 209
38477 +136 185 209  136 185 209  90 154 193  22 40 52  7 11 13  50 82 103
38478 +136 185 209  136 185 209  53 118 160  22 40 52  7 11 13  2 5 5
38479 +3 4 3  37 38 37  125 124 125  157 156 157  166 165 166  167 166 167
38480 +174 174 174  174 174 174  137 136 137  60 73 81  4 0 0  4 0 0
38481 +4 0 0  4 0 0  5 5 5  3 3 3  3 3 3  4 4 4
38482 +4 4 4  4 4 4
38483 +4 0 0  4 0 0  41 54 63  137 136 137  125 124 125  131 129 131
38484 +155 154 155  167 166 167  174 174 174  60 74 84  6 6 6  4 0 0
38485 +4 3 3  6 6 6  4 4 4  4 4 4  4 4 4  5 5 5
38486 +4 4 4  1 1 1  0 0 0  3 6 7  41 65 82  72 125 159
38487 +101 161 196  101 161 196  101 161 196  90 154 193  90 154 193  101 161 196
38488 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  136 185 209
38489 +136 185 209  136 185 209  80 127 157  55 98 126  101 161 196  146 190 211
38490 +136 185 209  136 185 209  136 185 209  101 161 196  136 185 209  101 161 196
38491 +136 185 209  101 161 196  35 83 115  22 30 35  101 161 196  172 205 220
38492 +90 154 193  28 67 93  7 11 13  2 5 5  3 4 3  13 16 17
38493 +85 115 134  167 166 167  174 174 174  174 174 174  174 174 174  174 174 174
38494 +167 166 167  60 74 84  13 16 17  4 0 0  4 0 0  4 3 3
38495 +6 6 6  5 5 5  4 4 4  5 5 5  4 4 4  5 5 5
38496 +5 5 5  5 5 5
38497 +1 1 1  4 0 0  41 54 63  137 136 137  137 136 137  125 124 125
38498 +131 129 131  167 166 167  157 156 157  37 38 37  6 6 6  4 0 0
38499 +6 6 6  5 5 5  4 4 4  4 4 4  4 5 5  2 2 1
38500 +0 0 0  0 0 0  26 37 45  58 111 146  101 161 196  101 161 196
38501 +101 161 196  90 154 193  90 154 193  90 154 193  101 161 196  101 161 196
38502 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38503 +101 161 196  136 185 209  136 185 209  136 185 209  146 190 211  136 185 209
38504 +136 185 209  101 161 196  136 185 209  136 185 209  101 161 196  136 185 209
38505 +101 161 196  136 185 209  136 185 209  136 185 209  136 185 209  16 89 141
38506 +7 11 13  2 5 5  2 5 5  13 16 17  60 73 81  154 154 154
38507 +174 174 174  174 174 174  174 174 174  174 174 174  163 162 163  125 124 125
38508 +24 26 27  4 0 0  4 0 0  4 0 0  5 5 5  5 5 5
38509 +4 4 4  4 4 4  4 4 4  5 5 5  5 5 5  5 5 5
38510 +5 5 5  4 4 4
38511 +4 0 0  6 6 6  37 38 37  137 136 137  137 136 137  131 129 131
38512 +131 129 131  153 152 153  131 129 131  26 28 28  4 0 0  4 3 3
38513 +6 6 6  4 4 4  4 4 4  4 4 4  0 0 0  0 0 0
38514 +13 20 25  51 88 114  90 154 193  101 161 196  101 161 196  90 154 193
38515 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  101 161 196
38516 +101 161 196  101 161 196  101 161 196  101 161 196  136 185 209  101 161 196
38517 +101 161 196  136 185 209  101 161 196  136 185 209  136 185 209  101 161 196
38518 +136 185 209  101 161 196  136 185 209  101 161 196  101 161 196  101 161 196
38519 +136 185 209  136 185 209  136 185 209  37 112 160  21 29 34  5 7 8
38520 +2 5 5  13 16 17  43 57 68  131 129 131  174 174 174  174 174 174
38521 +174 174 174  167 166 167  157 156 157  125 124 125  37 38 37  4 0 0
38522 +4 0 0  4 0 0  5 5 5  5 5 5  4 4 4  4 4 4
38523 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38524 +4 4 4  4 4 4
38525 +1 1 1  4 0 0  41 54 63  153 152 153  137 136 137  137 136 137
38526 +137 136 137  153 152 153  125 124 125  24 26 27  4 0 0  3 2 2
38527 +4 4 4  4 4 4  4 3 3  4 0 0  3 6 7  43 61 72
38528 +64 123 161  101 161 196  90 154 193  90 154 193  90 154 193  90 154 193
38529 +90 154 193  90 154 193  90 154 193  90 154 193  101 161 196  90 154 193
38530 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38531 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38532 +136 185 209  101 161 196  101 161 196  136 185 209  136 185 209  101 161 196
38533 +101 161 196  90 154 193  28 67 93  13 16 17  7 11 13  3 6 7
38534 +37 51 59  125 124 125  163 162 163  174 174 174  167 166 167  166 165 166
38535 +167 166 167  131 129 131  60 73 81  4 0 0  4 0 0  4 0 0
38536 +3 3 3  5 5 5  6 6 6  4 4 4  4 4 4  4 4 4
38537 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38538 +4 4 4  4 4 4
38539 +4 0 0  4 0 0  41 54 63  137 136 137  153 152 153  137 136 137
38540 +153 152 153  157 156 157  125 124 125  24 26 27  0 0 0  2 2 2
38541 +4 4 4  4 4 4  2 0 0  0 0 0  28 67 93  90 154 193
38542 +90 154 193  90 154 193  90 154 193  90 154 193  64 123 161  90 154 193
38543 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  101 161 196
38544 +90 154 193  101 161 196  101 161 196  101 161 196  90 154 193  136 185 209
38545 +101 161 196  101 161 196  136 185 209  101 161 196  136 185 209  101 161 196
38546 +101 161 196  101 161 196  136 185 209  101 161 196  101 161 196  90 154 193
38547 +35 83 115  13 16 17  3 6 7  2 5 5  13 16 17  60 74 84
38548 +154 154 154  166 165 166  165 164 165  158 157 158  163 162 163  157 156 157
38549 +60 74 84  13 16 17  4 0 0  4 0 0  3 2 2  4 4 4
38550 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38551 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38552 +4 4 4  4 4 4
38553 +1 1 1  4 0 0  41 54 63  157 156 157  155 154 155  137 136 137
38554 +153 152 153  158 157 158  137 136 137  26 28 28  2 0 0  2 2 2
38555 +4 4 4  4 4 4  1 0 0  6 10 14  34 86 122  90 154 193
38556 +64 123 161  90 154 193  64 123 161  90 154 193  90 154 193  90 154 193
38557 +64 123 161  90 154 193  90 154 193  90 154 193  90 154 193  90 154 193
38558 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38559 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38560 +136 185 209  101 161 196  136 185 209  90 154 193  26 108 161  22 40 52
38561 +13 16 17  5 7 8  2 5 5  2 5 5  37 38 37  165 164 165
38562 +174 174 174  163 162 163  154 154 154  165 164 165  167 166 167  60 73 81
38563 +6 6 6  4 0 0  4 0 0  4 4 4  4 4 4  4 4 4
38564 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38565 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38566 +4 4 4  4 4 4
38567 +4 0 0  6 6 6  41 54 63  156 155 156  158 157 158  153 152 153
38568 +156 155 156  165 164 165  137 136 137  26 28 28  0 0 0  2 2 2
38569 +4 4 5  4 4 4  2 0 0  7 12 15  31 96 139  64 123 161
38570 +90 154 193  64 123 161  90 154 193  90 154 193  64 123 161  90 154 193
38571 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  90 154 193
38572 +90 154 193  90 154 193  90 154 193  101 161 196  101 161 196  101 161 196
38573 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  136 185 209
38574 +101 161 196  136 185 209  26 108 161  22 40 52  7 11 13  5 7 8
38575 +2 5 5  2 5 5  2 5 5  2 2 1  37 38 37  158 157 158
38576 +174 174 174  154 154 154  156 155 156  167 166 167  165 164 165  37 38 37
38577 +4 0 0  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38578 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38579 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38580 +4 4 4  4 4 4
38581 +3 1 0  4 0 0  60 73 81  157 156 157  163 162 163  153 152 153
38582 +158 157 158  167 166 167  137 136 137  26 28 28  2 0 0  2 2 2
38583 +4 5 5  4 4 4  4 0 0  7 12 15  24 86 132  26 108 161
38584 +37 112 160  64 123 161  90 154 193  64 123 161  90 154 193  90 154 193
38585 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  90 154 193
38586 +90 154 193  101 161 196  90 154 193  101 161 196  101 161 196  101 161 196
38587 +101 161 196  101 161 196  101 161 196  136 185 209  101 161 196  136 185 209
38588 +90 154 193  35 83 115  13 16 17  13 16 17  7 11 13  3 6 7
38589 +5 7 8  6 6 6  3 4 3  2 2 1  30 32 34  154 154 154
38590 +167 166 167  154 154 154  154 154 154  174 174 174  165 164 165  37 38 37
38591 +6 6 6  4 0 0  6 6 6  4 4 4  4 4 4  4 4 4
38592 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38593 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38594 +4 4 4  4 4 4
38595 +4 0 0  4 0 0  41 54 63  163 162 163  166 165 166  154 154 154
38596 +163 162 163  174 174 174  137 136 137  26 28 28  0 0 0  2 2 2
38597 +4 5 5  4 4 5  1 1 2  6 10 14  28 67 93  18 97 151
38598 +18 97 151  18 97 151  26 108 161  37 112 160  37 112 160  90 154 193
38599 +64 123 161  90 154 193  90 154 193  90 154 193  90 154 193  101 161 196
38600 +90 154 193  101 161 196  101 161 196  90 154 193  101 161 196  101 161 196
38601 +101 161 196  101 161 196  101 161 196  136 185 209  90 154 193  16 89 141
38602 +13 20 25  7 11 13  5 7 8  5 7 8  2 5 5  4 5 5
38603 +3 4 3  4 5 5  3 4 3  0 0 0  37 38 37  158 157 158
38604 +174 174 174  158 157 158  158 157 158  167 166 167  174 174 174  41 54 63
38605 +4 0 0  3 2 2  5 5 5  4 4 4  4 4 4  4 4 4
38606 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38607 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38608 +4 4 4  4 4 4
38609 +1 1 1  4 0 0  60 73 81  165 164 165  174 174 174  158 157 158
38610 +167 166 167  174 174 174  153 152 153  26 28 28  2 0 0  2 2 2
38611 +4 5 5  4 4 4  4 0 0  7 12 15  10 87 144  10 87 144
38612 +18 97 151  18 97 151  18 97 151  26 108 161  26 108 161  26 108 161
38613 +26 108 161  37 112 160  53 118 160  90 154 193  90 154 193  90 154 193
38614 +90 154 193  90 154 193  101 161 196  101 161 196  101 161 196  101 161 196
38615 +101 161 196  136 185 209  90 154 193  26 108 161  22 40 52  13 16 17
38616 +7 11 13  3 6 7  5 7 8  5 7 8  2 5 5  4 5 5
38617 +4 5 5  6 6 6  3 4 3  0 0 0  30 32 34  158 157 158
38618 +174 174 174  156 155 156  155 154 155  165 164 165  154 153 154  37 38 37
38619 +4 0 0  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38620 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38621 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38622 +4 4 4  4 4 4
38623 +4 0 0  4 0 0  60 73 81  167 166 167  174 174 174  163 162 163
38624 +174 174 174  174 174 174  153 152 153  26 28 28  0 0 0  3 3 3
38625 +5 5 5  4 4 4  1 1 2  7 12 15  28 67 93  18 97 151
38626 +18 97 151  18 97 151  18 97 151  18 97 151  18 97 151  26 108 161
38627 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38628 +90 154 193  26 108 161  90 154 193  90 154 193  90 154 193  101 161 196
38629 +101 161 196  26 108 161  22 40 52  13 16 17  7 11 13  2 5 5
38630 +2 5 5  6 6 6  2 5 5  4 5 5  4 5 5  4 5 5
38631 +3 4 3  5 5 5  3 4 3  2 0 0  30 32 34  137 136 137
38632 +153 152 153  137 136 137  131 129 131  137 136 137  131 129 131  37 38 37
38633 +4 0 0  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38634 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38635 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38636 +4 4 4  4 4 4
38637 +1 1 1  4 0 0  60 73 81  167 166 167  174 174 174  166 165 166
38638 +174 174 174  177 184 187  153 152 153  30 32 34  1 0 0  3 3 3
38639 +5 5 5  4 3 3  4 0 0  7 12 15  10 87 144  10 87 144
38640 +18 97 151  18 97 151  18 97 151  26 108 161  26 108 161  26 108 161
38641 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38642 +26 108 161  26 108 161  26 108 161  90 154 193  90 154 193  26 108 161
38643 +35 83 115  13 16 17  7 11 13  5 7 8  3 6 7  5 7 8
38644 +2 5 5  6 6 6  4 5 5  4 5 5  3 4 3  4 5 5
38645 +3 4 3  6 6 6  3 4 3  0 0 0  26 28 28  125 124 125
38646 +131 129 131  125 124 125  125 124 125  131 129 131  131 129 131  37 38 37
38647 +4 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38648 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38649 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38650 +4 4 4  4 4 4
38651 +3 1 0  4 0 0  60 73 81  174 174 174  177 184 187  167 166 167
38652 +174 174 174  177 184 187  153 152 153  30 32 34  0 0 0  3 3 3
38653 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  18 97 151
38654 +18 97 151  18 97 151  18 97 151  18 97 151  18 97 151  26 108 161
38655 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38656 +26 108 161  90 154 193  26 108 161  26 108 161  24 86 132  13 20 25
38657 +7 11 13  13 20 25  22 40 52  5 7 8  3 4 3  3 4 3
38658 +4 5 5  3 4 3  4 5 5  3 4 3  4 5 5  3 4 3
38659 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  125 124 125
38660 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38661 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38662 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38663 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38664 +4 4 4  4 4 4
38665 +1 1 1  4 0 0  60 73 81  174 174 174  177 184 187  174 174 174
38666 +174 174 174  190 197 201  157 156 157  30 32 34  1 0 0  3 3 3
38667 +5 5 5  4 3 3  4 0 0  7 12 15  10 87 144  10 87 144
38668 +18 97 151  19 95 150  19 95 150  18 97 151  18 97 151  26 108 161
38669 +18 97 151  26 108 161  26 108 161  26 108 161  26 108 161  90 154 193
38670 +26 108 161  26 108 161  26 108 161  22 40 52  2 5 5  3 4 3
38671 +28 67 93  37 112 160  34 86 122  2 5 5  3 4 3  3 4 3
38672 +3 4 3  3 4 3  3 4 3  2 2 1  3 4 3  4 4 4
38673 +4 5 5  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38674 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38675 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38676 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38677 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38678 +4 4 4  4 4 4
38679 +4 0 0  4 0 0  60 73 81  174 174 174  177 184 187  174 174 174
38680 +174 174 174  190 197 201  158 157 158  30 32 34  0 0 0  2 2 2
38681 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  18 97 151
38682 +10 87 144  19 95 150  19 95 150  18 97 151  18 97 151  18 97 151
38683 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38684 +18 97 151  22 40 52  2 5 5  2 2 1  22 40 52  26 108 161
38685 +90 154 193  37 112 160  22 40 52  3 4 3  13 20 25  22 30 35
38686 +3 6 7  1 1 1  2 2 2  6 9 11  5 5 5  4 3 3
38687 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  131 129 131
38688 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38689 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38690 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38691 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38692 +4 4 4  4 4 4
38693 +1 1 1  4 0 0  60 73 81  177 184 187  193 200 203  174 174 174
38694 +177 184 187  193 200 203  163 162 163  30 32 34  4 0 0  2 2 2
38695 +5 5 5  4 3 3  4 0 0  6 10 14  24 86 132  10 87 144
38696 +10 87 144  10 87 144  19 95 150  19 95 150  19 95 150  18 97 151
38697 +26 108 161  26 108 161  26 108 161  90 154 193  26 108 161  28 67 93
38698 +6 10 14  2 5 5  13 20 25  24 86 132  37 112 160  90 154 193
38699 +10 87 144  7 12 15  2 5 5  28 67 93  37 112 160  28 67 93
38700 +2 2 1  7 12 15  35 83 115  28 67 93  3 6 7  1 0 0
38701 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38702 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38703 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38704 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38705 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38706 +4 4 4  4 4 4
38707 +4 0 0  4 0 0  60 73 81  174 174 174  190 197 201  174 174 174
38708 +177 184 187  193 200 203  163 162 163  30 32 34  0 0 0  2 2 2
38709 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  10 87 144
38710 +10 87 144  16 89 141  19 95 150  10 87 144  26 108 161  26 108 161
38711 +26 108 161  26 108 161  26 108 161  28 67 93  6 10 14  1 1 2
38712 +7 12 15  28 67 93  26 108 161  16 89 141  24 86 132  21 29 34
38713 +3 4 3  21 29 34  37 112 160  37 112 160  27 99 146  21 29 34
38714 +21 29 34  26 108 161  90 154 193  35 83 115  1 1 2  2 0 0
38715 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  125 124 125
38716 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38717 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38718 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38719 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38720 +4 4 4  4 4 4
38721 +3 1 0  4 0 0  60 73 81  193 200 203  193 200 203  174 174 174
38722 +190 197 201  193 200 203  165 164 165  37 38 37  4 0 0  2 2 2
38723 +5 5 5  4 3 3  4 0 0  6 10 14  24 86 132  10 87 144
38724 +10 87 144  10 87 144  16 89 141  18 97 151  18 97 151  10 87 144
38725 +24 86 132  24 86 132  13 20 25  4 5 7  4 5 7  22 40 52
38726 +18 97 151  37 112 160  26 108 161  7 12 15  1 1 1  0 0 0
38727 +28 67 93  37 112 160  26 108 161  28 67 93  22 40 52  28 67 93
38728 +26 108 161  90 154 193  26 108 161  10 87 144  0 0 0  2 0 0
38729 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38730 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38731 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38732 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38733 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38734 +4 4 4  4 4 4
38735 +4 0 0  6 6 6  60 73 81  174 174 174  193 200 203  174 174 174
38736 +190 197 201  193 200 203  165 164 165  30 32 34  0 0 0  2 2 2
38737 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  10 87 144
38738 +10 87 144  10 87 144  10 87 144  18 97 151  28 67 93  6 10 14
38739 +0 0 0  1 1 2  4 5 7  13 20 25  16 89 141  26 108 161
38740 +26 108 161  26 108 161  24 86 132  6 9 11  2 3 3  22 40 52
38741 +37 112 160  16 89 141  22 40 52  28 67 93  26 108 161  26 108 161
38742 +90 154 193  26 108 161  26 108 161  28 67 93  1 1 1  4 0 0
38743 +4 4 4  5 5 5  3 3 3  4 0 0  26 28 28  124 126 130
38744 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38745 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38746 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38747 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38748 +4 4 4  4 4 4
38749 +4 0 0  4 0 0  60 73 81  193 200 203  193 200 203  174 174 174
38750 +193 200 203  193 200 203  167 166 167  37 38 37  4 0 0  2 2 2
38751 +5 5 5  4 4 4  4 0 0  6 10 14  28 67 93  10 87 144
38752 +10 87 144  10 87 144  18 97 151  10 87 144  13 20 25  4 5 7
38753 +1 1 2  1 1 1  22 40 52  26 108 161  26 108 161  26 108 161
38754 +26 108 161  26 108 161  26 108 161  24 86 132  22 40 52  22 40 52
38755 +22 40 52  22 40 52  10 87 144  26 108 161  26 108 161  26 108 161
38756 +26 108 161  26 108 161  90 154 193  10 87 144  0 0 0  4 0 0
38757 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38758 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38759 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38760 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38761 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38762 +4 4 4  4 4 4
38763 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38764 +190 197 201  205 212 215  167 166 167  30 32 34  0 0 0  2 2 2
38765 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  10 87 144
38766 +10 87 144  10 87 144  10 87 144  10 87 144  22 40 52  1 1 2
38767 +2 0 0  1 1 2  24 86 132  26 108 161  26 108 161  26 108 161
38768 +26 108 161  19 95 150  16 89 141  10 87 144  22 40 52  22 40 52
38769 +10 87 144  26 108 161  37 112 160  26 108 161  26 108 161  26 108 161
38770 +26 108 161  26 108 161  26 108 161  28 67 93  2 0 0  3 1 0
38771 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  131 129 131
38772 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38773 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38774 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38775 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38776 +4 4 4  4 4 4
38777 +4 0 0  4 0 0  60 73 81  220 221 221  190 197 201  174 174 174
38778 +193 200 203  193 200 203  174 174 174  37 38 37  4 0 0  2 2 2
38779 +5 5 5  4 4 4  3 2 2  1 1 2  13 20 25  10 87 144
38780 +10 87 144  10 87 144  10 87 144  10 87 144  10 87 144  13 20 25
38781 +13 20 25  22 40 52  10 87 144  18 97 151  18 97 151  26 108 161
38782 +10 87 144  13 20 25  6 10 14  21 29 34  24 86 132  18 97 151
38783 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38784 +26 108 161  90 154 193  18 97 151  13 20 25  0 0 0  4 3 3
38785 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38786 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38787 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38788 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38789 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38790 +4 4 4  4 4 4
38791 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38792 +190 197 201  220 221 221  167 166 167  30 32 34  1 0 0  2 2 2
38793 +5 5 5  4 4 4  4 4 5  2 5 5  4 5 7  13 20 25
38794 +28 67 93  10 87 144  10 87 144  10 87 144  10 87 144  10 87 144
38795 +10 87 144  10 87 144  18 97 151  10 87 144  18 97 151  18 97 151
38796 +28 67 93  2 3 3  0 0 0  28 67 93  26 108 161  26 108 161
38797 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38798 +26 108 161  10 87 144  13 20 25  1 1 2  3 2 2  4 4 4
38799 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  131 129 131
38800 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38801 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38802 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38803 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38804 +4 4 4  4 4 4
38805 +4 0 0  4 0 0  60 73 81  220 221 221  190 197 201  174 174 174
38806 +193 200 203  193 200 203  174 174 174  26 28 28  4 0 0  4 3 3
38807 +5 5 5  4 4 4  4 4 4  4 4 5  1 1 2  2 5 5
38808 +4 5 7  22 40 52  10 87 144  10 87 144  18 97 151  10 87 144
38809 +10 87 144  10 87 144  10 87 144  10 87 144  10 87 144  18 97 151
38810 +10 87 144  28 67 93  22 40 52  10 87 144  26 108 161  18 97 151
38811 +18 97 151  18 97 151  26 108 161  26 108 161  26 108 161  26 108 161
38812 +22 40 52  1 1 2  0 0 0  2 3 3  4 4 4  4 4 4
38813 +4 4 4  5 5 5  4 4 4  0 0 0  26 28 28  131 129 131
38814 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38815 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38816 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38817 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38818 +4 4 4  4 4 4
38819 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38820 +190 197 201  220 221 221  190 197 201  41 54 63  4 0 0  2 2 2
38821 +6 6 6  4 4 4  4 4 4  4 4 5  4 4 5  3 3 3
38822 +1 1 2  1 1 2  6 10 14  22 40 52  10 87 144  18 97 151
38823 +18 97 151  10 87 144  10 87 144  10 87 144  18 97 151  10 87 144
38824 +10 87 144  18 97 151  26 108 161  18 97 151  18 97 151  10 87 144
38825 +26 108 161  26 108 161  26 108 161  10 87 144  28 67 93  6 10 14
38826 +1 1 2  1 1 2  4 3 3  4 4 5  4 4 4  4 4 4
38827 +5 5 5  5 5 5  1 1 1  4 0 0  37 51 59  137 136 137
38828 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38829 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38830 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38831 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38832 +4 4 4  4 4 4
38833 +4 0 0  4 0 0  60 73 81  220 221 221  193 200 203  174 174 174
38834 +193 200 203  193 200 203  220 221 221  137 136 137  13 16 17  4 0 0
38835 +2 2 2  4 4 4  4 4 4  4 4 4  4 4 4  4 4 5
38836 +4 4 5  4 3 3  1 1 2  4 5 7  13 20 25  28 67 93
38837 +10 87 144  10 87 144  10 87 144  10 87 144  10 87 144  10 87 144
38838 +10 87 144  18 97 151  18 97 151  10 87 144  18 97 151  26 108 161
38839 +26 108 161  18 97 151  28 67 93  6 10 14  0 0 0  0 0 0
38840 +2 3 3  4 5 5  4 4 5  4 4 4  4 4 4  5 5 5
38841 +3 3 3  1 1 1  0 0 0  16 19 21  125 124 125  137 136 137
38842 +131 129 131  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38843 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38844 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38845 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38846 +4 4 4  4 4 4
38847 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38848 +193 200 203  190 197 201  220 221 221  220 221 221  153 152 153  30 32 34
38849 +0 0 0  0 0 0  2 2 2  4 4 4  4 4 4  4 4 4
38850 +4 4 4  4 5 5  4 5 7  1 1 2  1 1 2  4 5 7
38851 +13 20 25  28 67 93  10 87 144  18 97 151  10 87 144  10 87 144
38852 +10 87 144  10 87 144  10 87 144  18 97 151  26 108 161  18 97 151
38853 +28 67 93  7 12 15  0 0 0  0 0 0  2 2 1  4 4 4
38854 +4 5 5  4 5 5  4 4 4  4 4 4  3 3 3  0 0 0
38855 +0 0 0  0 0 0  37 38 37  125 124 125  158 157 158  131 129 131
38856 +125 124 125  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38857 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38858 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38859 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38860 +4 4 4  4 4 4
38861 +4 3 3  4 0 0  41 54 63  193 200 203  220 221 221  174 174 174
38862 +193 200 203  193 200 203  193 200 203  220 221 221  244 246 246  193 200 203
38863 +120 125 127  5 5 5  1 0 0  0 0 0  1 1 1  4 4 4
38864 +4 4 4  4 4 4  4 5 5  4 5 5  4 4 5  1 1 2
38865 +4 5 7  4 5 7  22 40 52  10 87 144  10 87 144  10 87 144
38866 +10 87 144  10 87 144  18 97 151  10 87 144  10 87 144  13 20 25
38867 +4 5 7  2 3 3  1 1 2  4 4 4  4 5 5  4 4 4
38868 +4 4 4  4 4 4  4 4 4  1 1 1  0 0 0  1 1 2
38869 +24 26 27  60 74 84  153 152 153  163 162 163  137 136 137  125 124 125
38870 +125 124 125  125 124 125  125 124 125  137 136 137  125 124 125  26 28 28
38871 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38872 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38873 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38874 +4 4 4  4 4 4
38875 +4 0 0  6 6 6  26 28 28  156 155 156  220 221 221  220 221 221
38876 +174 174 174  193 200 203  193 200 203  193 200 203  205 212 215  220 221 221
38877 +220 221 221  167 166 167  60 73 81  7 11 13  0 0 0  0 0 0
38878 +3 3 3  4 4 4  4 4 4  4 4 4  4 4 5  4 4 5
38879 +4 4 5  1 1 2  1 1 2  4 5 7  22 40 52  10 87 144
38880 +10 87 144  10 87 144  10 87 144  22 40 52  4 5 7  1 1 2
38881 +1 1 2  4 4 5  4 4 4  4 4 4  4 4 4  4 4 4
38882 +5 5 5  2 2 2  0 0 0  4 0 0  16 19 21  60 73 81
38883 +137 136 137  167 166 167  158 157 158  137 136 137  131 129 131  131 129 131
38884 +125 124 125  125 124 125  131 129 131  155 154 155  60 74 84  5 7 8
38885 +0 0 0  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38886 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38887 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38888 +4 4 4  4 4 4
38889 +5 5 5  4 0 0  4 0 0  60 73 81  193 200 203  220 221 221
38890 +193 200 203  193 200 203  193 200 203  193 200 203  205 212 215  220 221 221
38891 +220 221 221  220 221 221  220 221 221  137 136 137  43 57 68  6 6 6
38892 +4 0 0  1 1 1  4 4 4  4 4 4  4 4 4  4 4 4
38893 +4 4 5  4 4 5  3 2 2  1 1 2  2 5 5  13 20 25
38894 +22 40 52  22 40 52  13 20 25  2 3 3  1 1 2  3 3 3
38895 +4 5 7  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38896 +1 1 1  0 0 0  2 3 3  41 54 63  131 129 131  166 165 166
38897 +166 165 166  155 154 155  153 152 153  137 136 137  137 136 137  125 124 125
38898 +125 124 125  137 136 137  137 136 137  125 124 125  37 38 37  4 3 3
38899 +4 3 3  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
38900 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38901 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38902 +4 4 4  4 4 4
38903 +4 3 3  6 6 6  6 6 6  13 16 17  60 73 81  167 166 167
38904 +220 221 221  220 221 221  220 221 221  193 200 203  193 200 203  193 200 203
38905 +205 212 215  220 221 221  220 221 221  244 246 246  205 212 215  125 124 125
38906 +24 26 27  0 0 0  0 0 0  2 2 2  5 5 5  5 5 5
38907 +4 4 4  4 4 4  4 4 4  4 4 5  1 1 2  4 5 7
38908 +4 5 7  4 5 7  1 1 2  3 2 2  4 4 5  4 4 4
38909 +4 4 4  4 4 4  5 5 5  4 4 4  0 0 0  0 0 0
38910 +2 0 0  26 28 28  125 124 125  174 174 174  174 174 174  166 165 166
38911 +156 155 156  153 152 153  137 136 137  137 136 137  131 129 131  137 136 137
38912 +137 136 137  137 136 137  60 74 84  30 32 34  4 0 0  4 0 0
38913 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38914 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38915 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38916 +4 4 4  4 4 4
38917 +5 5 5  6 6 6  4 0 0  4 0 0  6 6 6  26 28 28
38918 +125 124 125  174 174 174  220 221 221  220 221 221  220 221 221  193 200 203
38919 +205 212 215  220 221 221  205 212 215  220 221 221  220 221 221  244 246 246
38920 +193 200 203  60 74 84  13 16 17  4 0 0  0 0 0  3 3 3
38921 +5 5 5  5 5 5  4 4 4  4 4 4  4 4 5  3 3 3
38922 +1 1 2  3 3 3  4 4 5  4 4 5  4 4 4  4 4 4
38923 +5 5 5  5 5 5  2 2 2  0 0 0  0 0 0  13 16 17
38924 +60 74 84  174 174 174  193 200 203  174 174 174  167 166 167  163 162 163
38925 +153 152 153  153 152 153  137 136 137  137 136 137  153 152 153  137 136 137
38926 +125 124 125  41 54 63  24 26 27  4 0 0  4 0 0  5 5 5
38927 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38928 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38929 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38930 +4 4 4  4 4 4
38931 +4 3 3  6 6 6  6 6 6  6 6 6  6 6 6  6 6 6
38932 +6 6 6  37 38 37  131 129 131  220 221 221  220 221 221  220 221 221
38933 +193 200 203  193 200 203  220 221 221  205 212 215  220 221 221  244 246 246
38934 +244 246 246  244 246 246  174 174 174  41 54 63  0 0 0  0 0 0
38935 +0 0 0  4 4 4  5 5 5  5 5 5  4 4 4  4 4 5
38936 +4 4 5  4 4 5  4 4 4  4 4 4  6 6 6  6 6 6
38937 +3 3 3  0 0 0  2 0 0  13 16 17  60 73 81  156 155 156
38938 +220 221 221  193 200 203  174 174 174  165 164 165  163 162 163  154 153 154
38939 +153 152 153  153 152 153  158 157 158  163 162 163  137 136 137  60 73 81
38940 +13 16 17  4 0 0  4 0 0  4 3 3  4 4 4  4 4 4
38941 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38942 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38943 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38944 +4 4 4  4 4 4
38945 +5 5 5  4 3 3  4 3 3  6 6 6  6 6 6  6 6 6
38946 +6 6 6  6 6 6  6 6 6  37 38 37  167 166 167  244 246 246
38947 +244 246 246  220 221 221  205 212 215  205 212 215  220 221 221  193 200 203
38948 +220 221 221  244 246 246  244 246 246  244 246 246  137 136 137  37 38 37
38949 +3 2 2  0 0 0  1 1 1  5 5 5  5 5 5  4 4 4
38950 +4 4 4  4 4 4  4 4 4  5 5 5  4 4 4  1 1 1
38951 +0 0 0  5 5 5  43 57 68  153 152 153  193 200 203  220 221 221
38952 +177 184 187  174 174 174  167 166 167  166 165 166  158 157 158  157 156 157
38953 +158 157 158  166 165 166  156 155 156  85 115 134  13 16 17  4 0 0
38954 +4 0 0  4 0 0  5 5 5  5 5 5  4 4 4  4 4 4
38955 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38956 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38957 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38958 +4 4 4  4 4 4
38959 +5 5 5  4 3 3  6 6 6  6 6 6  4 0 0  6 6 6
38960 +6 6 6  6 6 6  6 6 6  6 6 6  13 16 17  60 73 81
38961 +177 184 187  220 221 221  220 221 221  220 221 221  205 212 215  220 221 221
38962 +220 221 221  205 212 215  220 221 221  244 246 246  244 246 246  205 212 215
38963 +125 124 125  30 32 34  0 0 0  0 0 0  2 2 2  5 5 5
38964 +4 4 4  4 4 4  4 4 4  1 1 1  0 0 0  1 0 0
38965 +37 38 37  131 129 131  205 212 215  220 221 221  193 200 203  174 174 174
38966 +174 174 174  174 174 174  167 166 167  165 164 165  166 165 166  167 166 167
38967 +158 157 158  125 124 125  37 38 37  4 0 0  4 0 0  4 0 0
38968 +4 3 3  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
38969 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38970 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38971 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38972 +4 4 4  4 4 4
38973 +4 4 4  5 5 5  4 3 3  4 3 3  6 6 6  6 6 6
38974 +4 0 0  6 6 6  6 6 6  6 6 6  6 6 6  6 6 6
38975 +26 28 28  125 124 125  205 212 215  220 221 221  220 221 221  220 221 221
38976 +205 212 215  220 221 221  205 212 215  220 221 221  220 221 221  244 246 246
38977 +244 246 246  190 197 201  60 74 84  16 19 21  4 0 0  0 0 0
38978 +0 0 0  0 0 0  0 0 0  0 0 0  16 19 21  120 125 127
38979 +177 184 187  220 221 221  205 212 215  177 184 187  174 174 174  177 184 187
38980 +174 174 174  174 174 174  167 166 167  174 174 174  166 165 166  137 136 137
38981 +60 73 81  13 16 17  4 0 0  4 0 0  4 3 3  6 6 6
38982 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38983 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38984 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38985 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38986 +4 4 4  4 4 4
38987 +5 5 5  4 3 3  5 5 5  4 3 3  6 6 6  4 0 0
38988 +6 6 6  6 6 6  4 0 0  6 6 6  4 0 0  6 6 6
38989 +6 6 6  6 6 6  37 38 37  137 136 137  193 200 203  220 221 221
38990 +220 221 221  205 212 215  220 221 221  205 212 215  205 212 215  220 221 221
38991 +220 221 221  220 221 221  244 246 246  166 165 166  43 57 68  2 2 2
38992 +0 0 0  4 0 0  16 19 21  60 73 81  157 156 157  202 210 214
38993 +220 221 221  193 200 203  177 184 187  177 184 187  177 184 187  174 174 174
38994 +174 174 174  174 174 174  174 174 174  157 156 157  60 74 84  24 26 27
38995 +4 0 0  4 0 0  4 0 0  6 6 6  4 4 4  4 4 4
38996 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38997 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38998 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38999 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39000 +4 4 4  4 4 4
39001 +4 4 4  4 4 4  5 5 5  4 3 3  5 5 5  6 6 6
39002 +6 6 6  4 0 0  6 6 6  6 6 6  6 6 6  4 0 0
39003 +4 0 0  4 0 0  6 6 6  24 26 27  60 73 81  167 166 167
39004 +220 221 221  220 221 221  220 221 221  205 212 215  205 212 215  205 212 215
39005 +205 212 215  220 221 221  220 221 221  220 221 221  205 212 215  137 136 137
39006 +60 74 84  125 124 125  137 136 137  190 197 201  220 221 221  193 200 203
39007 +177 184 187  177 184 187  177 184 187  174 174 174  174 174 174  177 184 187
39008 +190 197 201  174 174 174  125 124 125  37 38 37  6 6 6  4 0 0
39009 +4 0 0  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39010 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39011 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39012 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39013 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39014 +4 4 4  4 4 4
39015 +4 4 4  4 4 4  5 5 5  5 5 5  4 3 3  6 6 6
39016 +4 0 0  6 6 6  6 6 6  6 6 6  4 0 0  6 6 6
39017 +6 6 6  6 6 6  4 0 0  4 0 0  6 6 6  6 6 6
39018 +125 124 125  193 200 203  244 246 246  220 221 221  205 212 215  205 212 215
39019 +205 212 215  193 200 203  205 212 215  205 212 215  220 221 221  220 221 221
39020 +193 200 203  193 200 203  205 212 215  193 200 203  193 200 203  177 184 187
39021 +190 197 201  190 197 201  174 174 174  190 197 201  193 200 203  190 197 201
39022 +153 152 153  60 73 81  4 0 0  4 0 0  4 0 0  3 2 2
39023 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39024 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39025 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39026 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39027 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39028 +4 4 4  4 4 4
39029 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  4 3 3
39030 +6 6 6  4 3 3  4 3 3  4 3 3  6 6 6  6 6 6
39031 +4 0 0  6 6 6  6 6 6  6 6 6  4 0 0  4 0 0
39032 +4 0 0  26 28 28  131 129 131  220 221 221  244 246 246  220 221 221
39033 +205 212 215  193 200 203  205 212 215  193 200 203  193 200 203  205 212 215
39034 +220 221 221  193 200 203  193 200 203  193 200 203  190 197 201  174 174 174
39035 +174 174 174  190 197 201  193 200 203  193 200 203  167 166 167  125 124 125
39036 +6 6 6  4 0 0  4 0 0  4 3 3  4 4 4  4 4 4
39037 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39038 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39039 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39040 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39041 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39042 +4 4 4  4 4 4
39043 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
39044 +5 5 5  4 3 3  5 5 5  6 6 6  4 3 3  5 5 5
39045 +6 6 6  6 6 6  4 0 0  6 6 6  6 6 6  6 6 6
39046 +4 0 0  4 0 0  6 6 6  41 54 63  158 157 158  220 221 221
39047 +220 221 221  220 221 221  193 200 203  193 200 203  193 200 203  190 197 201
39048 +190 197 201  190 197 201  190 197 201  190 197 201  174 174 174  193 200 203
39049 +193 200 203  220 221 221  174 174 174  125 124 125  37 38 37  4 0 0
39050 +4 0 0  4 3 3  6 6 6  4 4 4  4 4 4  4 4 4
39051 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39052 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39053 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39054 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39055 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39056 +4 4 4  4 4 4
39057 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39058 +4 4 4  5 5 5  4 3 3  4 3 3  4 3 3  5 5 5
39059 +4 3 3  6 6 6  5 5 5  4 3 3  6 6 6  6 6 6
39060 +6 6 6  6 6 6  4 0 0  4 0 0  13 16 17  60 73 81
39061 +174 174 174  220 221 221  220 221 221  205 212 215  190 197 201  174 174 174
39062 +193 200 203  174 174 174  190 197 201  174 174 174  193 200 203  220 221 221
39063 +193 200 203  131 129 131  37 38 37  6 6 6  4 0 0  4 0 0
39064 +6 6 6  6 6 6  4 3 3  5 5 5  4 4 4  4 4 4
39065 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39066 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39067 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39068 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39069 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39070 +4 4 4  4 4 4
39071 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39072 +4 4 4  4 4 4  4 4 4  5 5 5  5 5 5  5 5 5
39073 +5 5 5  4 3 3  4 3 3  5 5 5  4 3 3  4 3 3
39074 +5 5 5  6 6 6  6 6 6  4 0 0  6 6 6  6 6 6
39075 +6 6 6  125 124 125  174 174 174  220 221 221  220 221 221  193 200 203
39076 +193 200 203  193 200 203  193 200 203  193 200 203  220 221 221  158 157 158
39077 +60 73 81  6 6 6  4 0 0  4 0 0  5 5 5  6 6 6
39078 +5 5 5  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
39079 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39080 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39081 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39082 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39083 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39084 +4 4 4  4 4 4
39085 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39086 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39087 +4 4 4  5 5 5  5 5 5  4 3 3  5 5 5  4 3 3
39088 +5 5 5  5 5 5  6 6 6  6 6 6  4 0 0  4 0 0
39089 +4 0 0  4 0 0  26 28 28  125 124 125  174 174 174  193 200 203
39090 +193 200 203  174 174 174  193 200 203  167 166 167  125 124 125  6 6 6
39091 +6 6 6  6 6 6  4 0 0  6 6 6  6 6 6  5 5 5
39092 +4 3 3  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
39093 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39094 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39095 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39096 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39097 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39098 +4 4 4  4 4 4
39099 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39100 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39101 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
39102 +4 3 3  6 6 6  4 0 0  6 6 6  6 6 6  6 6 6
39103 +6 6 6  4 0 0  4 0 0  6 6 6  37 38 37  125 124 125
39104 +153 152 153  131 129 131  125 124 125  37 38 37  6 6 6  6 6 6
39105 +6 6 6  4 0 0  6 6 6  6 6 6  4 3 3  5 5 5
39106 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39107 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39108 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39109 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39110 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39111 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39112 +4 4 4  4 4 4
39113 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39114 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39115 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39116 +4 4 4  5 5 5  5 5 5  4 3 3  5 5 5  4 3 3
39117 +6 6 6  6 6 6  4 0 0  4 0 0  6 6 6  6 6 6
39118 +24 26 27  24 26 27  6 6 6  6 6 6  6 6 6  4 0 0
39119 +6 6 6  6 6 6  4 0 0  6 6 6  5 5 5  4 3 3
39120 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39121 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39122 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39123 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39124 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39125 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39126 +4 4 4  4 4 4
39127 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39128 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39129 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39130 +4 4 4  4 4 4  5 5 5  4 3 3  5 5 5  6 6 6
39131 +4 0 0  6 6 6  6 6 6  6 6 6  6 6 6  6 6 6
39132 +6 6 6  6 6 6  6 6 6  4 0 0  6 6 6  6 6 6
39133 +4 0 0  6 6 6  6 6 6  4 3 3  5 5 5  4 4 4
39134 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39135 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39136 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39137 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39138 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39139 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39140 +4 4 4  4 4 4
39141 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39142 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39143 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39144 +4 4 4  4 4 4  4 4 4  5 5 5  4 3 3  5 5 5
39145 +5 5 5  5 5 5  4 0 0  6 6 6  4 0 0  6 6 6
39146 +6 6 6  6 6 6  6 6 6  4 0 0  6 6 6  4 0 0
39147 +6 6 6  4 3 3  5 5 5  4 3 3  5 5 5  4 4 4
39148 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39149 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39150 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39151 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39152 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39153 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39154 +4 4 4  4 4 4
39155 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39156 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39157 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39158 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
39159 +4 3 3  6 6 6  4 3 3  6 6 6  6 6 6  6 6 6
39160 +4 0 0  6 6 6  4 0 0  6 6 6  6 6 6  6 6 6
39161 +6 6 6  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
39162 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39163 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39164 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39165 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39166 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39167 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39168 +4 4 4  4 4 4
39169 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39170 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39171 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39172 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39173 +4 4 4  5 5 5  4 3 3  5 5 5  4 0 0  6 6 6
39174 +6 6 6  4 0 0  6 6 6  6 6 6  4 0 0  6 6 6
39175 +4 3 3  5 5 5  5 5 5  4 4 4  4 4 4  4 4 4
39176 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39177 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39178 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39179 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39180 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39181 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39182 +4 4 4  4 4 4
39183 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39184 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39185 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39186 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39187 +4 4 4  5 5 5  4 3 3  5 5 5  6 6 6  4 3 3
39188 +4 3 3  6 6 6  6 6 6  4 3 3  6 6 6  4 3 3
39189 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39190 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39191 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39192 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39193 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39194 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39195 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39196 +4 4 4  4 4 4
39197 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39198 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39199 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39200 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39201 +4 4 4  4 4 4  4 4 4  5 5 5  4 3 3  6 6 6
39202 +5 5 5  4 3 3  4 3 3  4 3 3  5 5 5  5 5 5
39203 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39204 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39205 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39206 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39207 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39208 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39209 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39210 +4 4 4  4 4 4
39211 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39212 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39213 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39214 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39215 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  4 3 3
39216 +5 5 5  4 3 3  5 5 5  5 5 5  4 4 4  4 4 4
39217 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39218 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39219 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39220 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39221 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39222 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39223 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39224 +4 4 4  4 4 4
39225 diff -urNp linux-3.0.9/drivers/video/udlfb.c linux-3.0.9/drivers/video/udlfb.c
39226 --- linux-3.0.9/drivers/video/udlfb.c   2011-11-11 13:12:24.000000000 -0500
39227 +++ linux-3.0.9/drivers/video/udlfb.c   2011-11-15 20:02:59.000000000 -0500
39228 @@ -586,11 +586,11 @@ int dlfb_handle_damage(struct dlfb_data 
39229                 dlfb_urb_completion(urb);
39230  
39231  error:
39232 -       atomic_add(bytes_sent, &dev->bytes_sent);
39233 -       atomic_add(bytes_identical, &dev->bytes_identical);
39234 -       atomic_add(width*height*2, &dev->bytes_rendered);
39235 +       atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
39236 +       atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
39237 +       atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
39238         end_cycles = get_cycles();
39239 -       atomic_add(((unsigned int) ((end_cycles - start_cycles)
39240 +       atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
39241                     >> 10)), /* Kcycles */
39242                    &dev->cpu_kcycles_used);
39243  
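Review bot: The counters switched to atomic_add_unchecked() here, and in the three sibling hunks of this file (`@@ -711`, the four `metrics_*_show` readers and `metrics_reset_store`), only build if the corresponding fields of `struct dlfb_data` were changed to `atomic_unchecked_t` in the driver header, which is not part of this section; that change should be checked for alongside these hunks. Nothing on the new side says why these particular counters are exempted from overflow detection while real reference counts keep the checked variants; a comment on the fields such as `/* statistics only: wrap-around is harmless, exempt from REFCOUNT overflow checks */` would record that the exemption is deliberate. dlfb_handle_damage's body starts before the hunk.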
39244 @@ -711,11 +711,11 @@ static void dlfb_dpy_deferred_io(struct 
39245                 dlfb_urb_completion(urb);
39246  
39247  error:
39248 -       atomic_add(bytes_sent, &dev->bytes_sent);
39249 -       atomic_add(bytes_identical, &dev->bytes_identical);
39250 -       atomic_add(bytes_rendered, &dev->bytes_rendered);
39251 +       atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
39252 +       atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
39253 +       atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
39254         end_cycles = get_cycles();
39255 -       atomic_add(((unsigned int) ((end_cycles - start_cycles)
39256 +       atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
39257                     >> 10)), /* Kcycles */
39258                    &dev->cpu_kcycles_used);
39259  }
39260 @@ -1307,7 +1307,7 @@ static ssize_t metrics_bytes_rendered_sh
39261         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39262         struct dlfb_data *dev = fb_info->par;
39263         return snprintf(buf, PAGE_SIZE, "%u\n",
39264 -                       atomic_read(&dev->bytes_rendered));
39265 +                       atomic_read_unchecked(&dev->bytes_rendered));
39266  }
39267  
39268  static ssize_t metrics_bytes_identical_show(struct device *fbdev,
39269 @@ -1315,7 +1315,7 @@ static ssize_t metrics_bytes_identical_s
39270         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39271         struct dlfb_data *dev = fb_info->par;
39272         return snprintf(buf, PAGE_SIZE, "%u\n",
39273 -                       atomic_read(&dev->bytes_identical));
39274 +                       atomic_read_unchecked(&dev->bytes_identical));
39275  }
39276  
39277  static ssize_t metrics_bytes_sent_show(struct device *fbdev,
39278 @@ -1323,7 +1323,7 @@ static ssize_t metrics_bytes_sent_show(s
39279         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39280         struct dlfb_data *dev = fb_info->par;
39281         return snprintf(buf, PAGE_SIZE, "%u\n",
39282 -                       atomic_read(&dev->bytes_sent));
39283 +                       atomic_read_unchecked(&dev->bytes_sent));
39284  }
39285  
39286  static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
39287 @@ -1331,7 +1331,7 @@ static ssize_t metrics_cpu_kcycles_used_
39288         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39289         struct dlfb_data *dev = fb_info->par;
39290         return snprintf(buf, PAGE_SIZE, "%u\n",
39291 -                       atomic_read(&dev->cpu_kcycles_used));
39292 +                       atomic_read_unchecked(&dev->cpu_kcycles_used));
39293  }
39294  
39295  static ssize_t edid_show(
39296 @@ -1388,10 +1388,10 @@ static ssize_t metrics_reset_store(struc
39297         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39298         struct dlfb_data *dev = fb_info->par;
39299  
39300 -       atomic_set(&dev->bytes_rendered, 0);
39301 -       atomic_set(&dev->bytes_identical, 0);
39302 -       atomic_set(&dev->bytes_sent, 0);
39303 -       atomic_set(&dev->cpu_kcycles_used, 0);
39304 +       atomic_set_unchecked(&dev->bytes_rendered, 0);
39305 +       atomic_set_unchecked(&dev->bytes_identical, 0);
39306 +       atomic_set_unchecked(&dev->bytes_sent, 0);
39307 +       atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
39308  
39309         return count;
39310  }
39311 diff -urNp linux-3.0.9/drivers/video/uvesafb.c linux-3.0.9/drivers/video/uvesafb.c
39312 --- linux-3.0.9/drivers/video/uvesafb.c 2011-11-11 13:12:24.000000000 -0500
39313 +++ linux-3.0.9/drivers/video/uvesafb.c 2011-11-15 20:02:59.000000000 -0500
39314 @@ -19,6 +19,7 @@
39315  #include <linux/io.h>
39316  #include <linux/mutex.h>
39317  #include <linux/slab.h>
39318 +#include <linux/moduleloader.h>
39319  #include <video/edid.h>
39320  #include <video/uvesafb.h>
39321  #ifdef CONFIG_X86
39322 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
39323                 NULL,
39324         };
39325  
39326 -       return call_usermodehelper(v86d_path, argv, envp, 1);
39327 +       return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
39328  }
39329  
39330  /*
39331 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
39332         if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
39333                 par->pmi_setpal = par->ypan = 0;
39334         } else {
39335 +
39336 +#ifdef CONFIG_PAX_KERNEXEC
39337 +#ifdef CONFIG_MODULES
39338 +               par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
39339 +#endif
39340 +               if (!par->pmi_code) {
39341 +                       par->pmi_setpal = par->ypan = 0;
39342 +                       return 0;
39343 +               }
39344 +#endif
39345 +
39346                 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
39347                                                 + task->t.regs.edi);
39348 +
39349 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39350 +               pax_open_kernel();
39351 +               memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
39352 +               pax_close_kernel();
39353 +
39354 +               par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
39355 +               par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
39356 +#else
39357                 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
39358                 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
39359 +#endif
39360 +
39361                 printk(KERN_INFO "uvesafb: protected mode interface info at "
39362                                  "%04x:%04x\n",
39363                                  (u16)task->t.regs.es, (u16)task->t.regs.edi);
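Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared against the `(u16)task->t.regs.ecx` bytes that were actually copied, so a PMI table whose entry offsets exceed its declared length yields pmi_start/pmi_pal pointing past the module_alloc_exec() region into unrelated executable memory; the pre-existing code applied the same unchecked offsets, but to the BIOS-mapped area rather than to a small fresh allocation. The vesafb.c hunk `@@ -317,9 +327,25 @@` has the same gap, where `pmi_base[1]`/`pmi_base[2]` are applied to a copy of only `screen_info.vesapm_size` bytes. Rejecting out-of-range offsets before the pointers are formed, as below, closes both; pmi_code stays allocated on that path and is released by the existing remove/error hunks. uvesafb_vbe_getpmi's body starts and ends outside the hunk.
```c
		pax_close_kernel();

		/* entry offsets must lie inside the copied PMI table */
		if (par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}

		par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
		/* … unchanged: pmi_pal, #else branch, printk … */
```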
39364 @@ -1821,6 +1844,11 @@ out:
39365         if (par->vbe_modes)
39366                 kfree(par->vbe_modes);
39367  
39368 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39369 +       if (par->pmi_code)
39370 +               module_free_exec(NULL, par->pmi_code);
39371 +#endif
39372 +
39373         framebuffer_release(info);
39374         return err;
39375  }
39376 @@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
39377                                 kfree(par->vbe_state_orig);
39378                         if (par->vbe_state_saved)
39379                                 kfree(par->vbe_state_saved);
39380 +
39381 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39382 +                       if (par->pmi_code)
39383 +                               module_free_exec(NULL, par->pmi_code);
39384 +#endif
39385 +
39386                 }
39387  
39388                 framebuffer_release(info);
39389 diff -urNp linux-3.0.9/drivers/video/vesafb.c linux-3.0.9/drivers/video/vesafb.c
39390 --- linux-3.0.9/drivers/video/vesafb.c  2011-11-11 13:12:24.000000000 -0500
39391 +++ linux-3.0.9/drivers/video/vesafb.c  2011-11-15 20:02:59.000000000 -0500
39392 @@ -9,6 +9,7 @@
39393   */
39394  
39395  #include <linux/module.h>
39396 +#include <linux/moduleloader.h>
39397  #include <linux/kernel.h>
39398  #include <linux/errno.h>
39399  #include <linux/string.h>
39400 @@ -52,8 +53,8 @@ static int   vram_remap __initdata;           /* 
39401  static int   vram_total __initdata;            /* Set total amount of memory */
39402  static int   pmi_setpal __read_mostly = 1;     /* pmi for palette changes ??? */
39403  static int   ypan       __read_mostly;         /* 0..nothing, 1..ypan, 2..ywrap */
39404 -static void  (*pmi_start)(void) __read_mostly;
39405 -static void  (*pmi_pal)  (void) __read_mostly;
39406 +static void  (*pmi_start)(void) __read_only;
39407 +static void  (*pmi_pal)  (void) __read_only;
39408  static int   depth      __read_mostly;
39409  static int   vga_compat __read_mostly;
39410  /* --------------------------------------------------------------------- */
39411 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
39412         unsigned int size_vmode;
39413         unsigned int size_remap;
39414         unsigned int size_total;
39415 +       void *pmi_code = NULL;
39416  
39417         if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
39418                 return -ENODEV;
39419 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
39420                 size_remap = size_total;
39421         vesafb_fix.smem_len = size_remap;
39422  
39423 -#ifndef __i386__
39424 -       screen_info.vesapm_seg = 0;
39425 -#endif
39426 -
39427         if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
39428                 printk(KERN_WARNING
39429                        "vesafb: cannot reserve video memory at 0x%lx\n",
39430 @@ -307,9 +305,21 @@ static int __init vesafb_probe(struct pl
39431         printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
39432                vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
39433  
39434 +#ifdef __i386__
39435 +
39436 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39437 +       pmi_code = module_alloc_exec(screen_info.vesapm_size);
39438 +       if (!pmi_code)
39439 +#elif !defined(CONFIG_PAX_KERNEXEC)
39440 +       if (0)
39441 +#endif
39442 +
39443 +#endif
39444 +       screen_info.vesapm_seg = 0;
39445 +
39446         if (screen_info.vesapm_seg) {
39447 -               printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
39448 -                      screen_info.vesapm_seg,screen_info.vesapm_off);
39449 +               printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
39450 +                      screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
39451         }
39452  
39453         if (screen_info.vesapm_seg < 0xc000)
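Review bot: The `if (!pmi_code)` and `if (0)` heads are left dangling across `#endif` so that they govern the `screen_info.vesapm_seg = 0;` statement that follows the preprocessor block, which is hard to read and fragile: on i386 with CONFIG_PAX_KERNEXEC but without CONFIG_MODULES neither head survives preprocessing, so the assignment runs unconditionally and PMI is silently disabled on that configuration. An explicit `#if`/`#elif`/`#else` that writes the assignment (or its guard) in each branch, or at least a comment listing the four outcomes (non-i386 always clears; i386+MODULES+KERNEXEC clears on allocation failure; i386 without KERNEXEC never clears; i386+KERNEXEC without MODULES always clears), would make the intent checkable. Separately, `pmi_code` is allocated before the later `ypan || pmi_setpal` and `vesapm_seg < 0xc000` checks, and the only release in this section is on the `err:` path after `return 0;`, so when those checks leave PMI unused on a successful probe nothing shown frees the executable allocation. vesafb_probe's body starts and ends outside the hunk.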
39454 @@ -317,9 +327,25 @@ static int __init vesafb_probe(struct pl
39455  
39456         if (ypan || pmi_setpal) {
39457                 unsigned short *pmi_base;
39458 +
39459                 pmi_base  = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
39460 -               pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
39461 -               pmi_pal   = (void*)((char*)pmi_base + pmi_base[2]);
39462 +
39463 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39464 +               pax_open_kernel();
39465 +               memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
39466 +#else
39467 +               pmi_code  = pmi_base;
39468 +#endif
39469 +
39470 +               pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
39471 +               pmi_pal   = (void*)((char*)pmi_code + pmi_base[2]);
39472 +
39473 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39474 +               pmi_start = ktva_ktla(pmi_start);
39475 +               pmi_pal = ktva_ktla(pmi_pal);
39476 +               pax_close_kernel();
39477 +#endif
39478 +
39479                 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
39480                 if (pmi_base[3]) {
39481                         printk(KERN_INFO "vesafb: pmi: ports = ");
39482 @@ -488,6 +514,11 @@ static int __init vesafb_probe(struct pl
39483                info->node, info->fix.id);
39484         return 0;
39485  err:
39486 +
39487 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39488 +       module_free_exec(NULL, pmi_code);
39489 +#endif
39490 +
39491         if (info->screen_base)
39492                 iounmap(info->screen_base);
39493         framebuffer_release(info);
39494 diff -urNp linux-3.0.9/drivers/video/via/via_clock.h linux-3.0.9/drivers/video/via/via_clock.h
39495 --- linux-3.0.9/drivers/video/via/via_clock.h   2011-11-11 13:12:24.000000000 -0500
39496 +++ linux-3.0.9/drivers/video/via/via_clock.h   2011-11-15 20:02:59.000000000 -0500
39497 @@ -56,7 +56,7 @@ struct via_clock {
39498  
39499         void (*set_engine_pll_state)(u8 state);
39500         void (*set_engine_pll)(struct via_pll_config config);
39501 -};
39502 +} __no_const;
39503  
39504  
39505  static inline u32 get_pll_internal_frequency(u32 ref_freq,
39506 diff -urNp linux-3.0.9/drivers/virtio/virtio_balloon.c linux-3.0.9/drivers/virtio/virtio_balloon.c
39507 --- linux-3.0.9/drivers/virtio/virtio_balloon.c 2011-11-11 13:12:24.000000000 -0500
39508 +++ linux-3.0.9/drivers/virtio/virtio_balloon.c 2011-11-15 20:02:59.000000000 -0500
39509 @@ -174,6 +174,8 @@ static void update_balloon_stats(struct 
39510         struct sysinfo i;
39511         int idx = 0;
39512  
39513 +       pax_track_stack();
39514 +
39515         all_vm_events(events);
39516         si_meminfo(&i);
39517  
39518 diff -urNp linux-3.0.9/fs/9p/vfs_inode.c linux-3.0.9/fs/9p/vfs_inode.c
39519 --- linux-3.0.9/fs/9p/vfs_inode.c       2011-11-11 13:12:24.000000000 -0500
39520 +++ linux-3.0.9/fs/9p/vfs_inode.c       2011-11-15 20:02:59.000000000 -0500
39521 @@ -1264,7 +1264,7 @@ static void *v9fs_vfs_follow_link(struct
39522  void
39523  v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
39524  {
39525 -       char *s = nd_get_link(nd);
39526 +       const char *s = nd_get_link(nd);
39527  
39528         P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
39529                 IS_ERR(s) ? "<error>" : s);
39530 --- linux-3.0/fs/aio.c~ 2012-06-10 23:06:59.000000000 +0300
39531 +++ linux-3.0/fs/aio.c  2012-06-10 23:22:51.831577737 +0300
39532 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx 
39533         size += sizeof(struct io_event) * nr_events;
39534         nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
39535  
39536 -       if (nr_pages < 0)
39537 +       if (nr_pages <= 0)
39538                 return -EINVAL;
39539  
39540         nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
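Review bot: The tightened `nr_pages <= 0` test carries no comment on what it protects; the line directly below recomputes `nr_events` as `(PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event)`, which underflows for nr_pages == 0, so a note such as `/* nr_pages == 0 would underflow the nr_events recomputation below */` would keep a later reader from relaxing it back to `< 0`. This hunk also sits under a `--- linux-3.0/fs/aio.c~` header with a different base and date than the surrounding linux-3.0.9 hunks and no `diff` line, so a reference to the fix it carries would help anyone re-auditing the series. aio_setup_ring's body starts and ends outside the hunk.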
39541 @@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
39542         struct aio_timeout      to;
39543         int                     retry = 0;
39544  
39545 +       pax_track_stack();
39546 +
39547         /* needed to zero any padding within an entry (there shouldn't be 
39548          * any, but C is fun!
39549          */
39550 @@ -1381,18 +1381,19 @@
39551  static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
39552  {
39553         ssize_t ret;
39554 +       struct iovec iovstack;
39555  
39556  #ifdef CONFIG_COMPAT
39557         if (compat)
39558                 ret = compat_rw_copy_check_uvector(type,
39559                                 (struct compat_iovec __user *)kiocb->ki_buf,
39560 -                               kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39561 +                               kiocb->ki_nbytes, 1, &iovstack,
39562                                 &kiocb->ki_iovec);
39563         else
39564  #endif
39565                 ret = rw_copy_check_uvector(type,
39566                                 (struct iovec __user *)kiocb->ki_buf,
39567 -                               kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39568 +                               kiocb->ki_nbytes, 1, &iovstack,
39569                                 &kiocb->ki_iovec);
39570         if (ret < 0)
39571                 goto out;
39572 @@ -1401,6 +1402,10 @@
39573         if (ret < 0)
39574                 goto out;
39575  
39576 +       if (kiocb->ki_iovec == &iovstack) {
39577 +               kiocb->ki_inline_vec = iovstack;
39578 +               kiocb->ki_iovec = &kiocb->ki_inline_vec;
39579 +       }
39580         kiocb->ki_nr_segs = kiocb->ki_nbytes;
39581         kiocb->ki_cur_seg = 0;
39582         /* ki_nbytes/left now reflect bytes instead of segs */
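Review bot: The copy-back guarded by `if (kiocb->ki_iovec == &iovstack)` runs only on the success path; on the two `if (ret < 0) goto out;` exits above it (one in the preceding hunk, one at the top of this one) the kiocb can still hold `&iovstack`, a pointer into this function's stack frame, if the uvector helper has already stored its result pointer. Any cleanup that later inspects `ki_iovec` after the error — for example one that compares it against `&ki_inline_vec` to decide whether to kfree() it — would then see a dangling stack address. Moving the copy-back block so that it also covers the error exits (directly under the `out:` label, which is outside the hunk), or resetting `kiocb->ki_iovec = &kiocb->ki_inline_vec;` on those paths, removes the window. aio_setup_vectored_rw's end is outside the hunk.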
39583 diff -urNp linux-3.0.9/fs/attr.c linux-3.0.9/fs/attr.c
39584 --- linux-3.0.9/fs/attr.c       2011-11-11 13:12:24.000000000 -0500
39585 +++ linux-3.0.9/fs/attr.c       2011-11-15 20:02:59.000000000 -0500
39586 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode 
39587                 unsigned long limit;
39588  
39589                 limit = rlimit(RLIMIT_FSIZE);
39590 +               gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
39591                 if (limit != RLIM_INFINITY && offset > limit)
39592                         goto out_sig;
39593                 if (offset > inode->i_sb->s_maxbytes)
39594 diff -urNp linux-3.0.9/fs/autofs4/waitq.c linux-3.0.9/fs/autofs4/waitq.c
39595 --- linux-3.0.9/fs/autofs4/waitq.c      2011-11-11 13:12:24.000000000 -0500
39596 +++ linux-3.0.9/fs/autofs4/waitq.c      2011-11-15 20:02:59.000000000 -0500
39597 @@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
39598  {
39599         unsigned long sigpipe, flags;
39600         mm_segment_t fs;
39601 -       const char *data = (const char *)addr;
39602 +       const char __user *data = (const char __force_user *)addr;
39603         ssize_t wr = 0;
39604  
39605         /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
39606 diff -urNp linux-3.0.9/fs/befs/linuxvfs.c linux-3.0.9/fs/befs/linuxvfs.c
39607 --- linux-3.0.9/fs/befs/linuxvfs.c      2011-11-11 13:12:24.000000000 -0500
39608 +++ linux-3.0.9/fs/befs/linuxvfs.c      2011-11-15 20:02:59.000000000 -0500
39609 @@ -503,7 +503,7 @@ static void befs_put_link(struct dentry 
39610  {
39611         befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
39612         if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
39613 -               char *link = nd_get_link(nd);
39614 +               const char *link = nd_get_link(nd);
39615                 if (!IS_ERR(link))
39616                         kfree(link);
39617         }
39618 diff -urNp linux-3.0.9/fs/binfmt_aout.c linux-3.0.9/fs/binfmt_aout.c
39619 --- linux-3.0.9/fs/binfmt_aout.c        2011-11-11 13:12:24.000000000 -0500
39620 +++ linux-3.0.9/fs/binfmt_aout.c        2011-11-15 20:02:59.000000000 -0500
39621 @@ -16,6 +16,7 @@
39622  #include <linux/string.h>
39623  #include <linux/fs.h>
39624  #include <linux/file.h>
39625 +#include <linux/security.h>
39626  #include <linux/stat.h>
39627  #include <linux/fcntl.h>
39628  #include <linux/ptrace.h>
39629 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
39630  #endif
39631  #       define START_STACK(u)   ((void __user *)u.start_stack)
39632  
39633 +       memset(&dump, 0, sizeof(dump));
39634 +
39635         fs = get_fs();
39636         set_fs(KERNEL_DS);
39637         has_dumped = 1;
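Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment; since `dump` is presumably written to the core file later in this function, the next reader should be told that the zeroing is there so that fields that are never filled in, and struct padding, do not carry uninitialised kernel stack contents into the dump, e.g. `/* zero first: unset fields and padding would otherwise reach the core file */`. aout_core_dump's body starts and ends outside the hunk.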
39638 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
39639  
39640  /* If the size of the dump file exceeds the rlimit, then see what would happen
39641     if we wrote the stack, but not the data area.  */
39642 +       gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
39643         if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
39644                 dump.u_dsize = 0;
39645  
39646  /* Make sure we have enough room to write the stack and data areas. */
39647 +       gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
39648         if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
39649                 dump.u_ssize = 0;
39650  
39651 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
39652         rlim = rlimit(RLIMIT_DATA);
39653         if (rlim >= RLIM_INFINITY)
39654                 rlim = ~0;
39655 +
39656 +       gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
39657         if (ex.a_data + ex.a_bss > rlim)
39658                 return -ENOMEM;
39659  
39660 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
39661         install_exec_creds(bprm);
39662         current->flags &= ~PF_FORKNOEXEC;
39663  
39664 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
39665 +       current->mm->pax_flags = 0UL;
39666 +#endif
39667 +
39668 +#ifdef CONFIG_PAX_PAGEEXEC
39669 +       if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
39670 +               current->mm->pax_flags |= MF_PAX_PAGEEXEC;
39671 +
39672 +#ifdef CONFIG_PAX_EMUTRAMP
39673 +               if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
39674 +                       current->mm->pax_flags |= MF_PAX_EMUTRAMP;
39675 +#endif
39676 +
39677 +#ifdef CONFIG_PAX_MPROTECT
39678 +               if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
39679 +                       current->mm->pax_flags |= MF_PAX_MPROTECT;
39680 +#endif
39681 +
39682 +       }
39683 +#endif
39684 +
39685         if (N_MAGIC(ex) == OMAGIC) {
39686                 unsigned long text_addr, map_size;
39687                 loff_t pos;
39688 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
39689  
39690                 down_write(&current->mm->mmap_sem);
39691                 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
39692 -                               PROT_READ | PROT_WRITE | PROT_EXEC,
39693 +                               PROT_READ | PROT_WRITE,
39694                                 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
39695                                 fd_offset + ex.a_text);
39696                 up_write(&current->mm->mmap_sem);
39697 diff -urNp linux-3.0.9/fs/binfmt_elf.c linux-3.0.9/fs/binfmt_elf.c
39698 --- linux-3.0.9/fs/binfmt_elf.c 2011-11-11 13:12:24.000000000 -0500
39699 +++ linux-3.0.9/fs/binfmt_elf.c 2011-11-15 20:02:59.000000000 -0500
39700 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
39701  #define elf_core_dump  NULL
39702  #endif
39703  
39704 +#ifdef CONFIG_PAX_MPROTECT
39705 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
39706 +#endif
39707 +
39708  #if ELF_EXEC_PAGESIZE > PAGE_SIZE
39709  #define ELF_MIN_ALIGN  ELF_EXEC_PAGESIZE
39710  #else
39711 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format = 
39712         .load_binary    = load_elf_binary,
39713         .load_shlib     = load_elf_library,
39714         .core_dump      = elf_core_dump,
39715 +
39716 +#ifdef CONFIG_PAX_MPROTECT
39717 +               .handle_mprotect= elf_handle_mprotect,
39718 +#endif
39719 +
39720         .min_coredump   = ELF_EXEC_PAGESIZE,
39721  };
39722  
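Review bot: The `.handle_mprotect= elf_handle_mprotect,` initializer is indented two tabs and has no space before `=`, unlike the sibling `.core_dump      = elf_core_dump,` on the line above it; write it as `	.handle_mprotect = elf_handle_mprotect,` so the designated initializer list stays aligned. The blank lines around the `#ifdef` block are also unusual inside an initializer and could be dropped.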
39723 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format = 
39724  
39725  static int set_brk(unsigned long start, unsigned long end)
39726  {
39727 +       unsigned long e = end;
39728 +
39729         start = ELF_PAGEALIGN(start);
39730         end = ELF_PAGEALIGN(end);
39731         if (end > start) {
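Review bot: The new local `e` keeps the caller's unaligned `end` and, in the following hunk `@@ -87,7 +98,7 @@`, is what gets stored into `start_brk`/`brk` while the page-aligned `end` is used only for the mapping; nothing says this is intentional, and a later reader could easily "fix" it back. A comment on the declaration, e.g. `/* record the exact bss end in brk; the page-aligned value is only for the mapping */`, would make the intent explicit. set_brk's middle lies between the two hunks.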
39732 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start, 
39733                 if (BAD_ADDR(addr))
39734                         return addr;
39735         }
39736 -       current->mm->start_brk = current->mm->brk = end;
39737 +       current->mm->start_brk = current->mm->brk = e;
39738         return 0;
39739  }
39740  
39741 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
39742         elf_addr_t __user *u_rand_bytes;
39743         const char *k_platform = ELF_PLATFORM;
39744         const char *k_base_platform = ELF_BASE_PLATFORM;
39745 -       unsigned char k_rand_bytes[16];
39746 +       u32 k_rand_bytes[4];
39747         int items;
39748         elf_addr_t *elf_info;
39749         int ei_index = 0;
39750         const struct cred *cred = current_cred();
39751         struct vm_area_struct *vma;
39752 +       unsigned long saved_auxv[AT_VECTOR_SIZE];
39753 +
39754 +       pax_track_stack();
39755  
39756         /*
39757          * In some cases (e.g. Hyper-Threading), we want to avoid L1
39758 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
39759          * Generate 16 random bytes for userspace PRNG seeding.
39760          */
39761         get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
39762 -       u_rand_bytes = (elf_addr_t __user *)
39763 -                      STACK_ALLOC(p, sizeof(k_rand_bytes));
39764 +       srandom32(k_rand_bytes[0] ^ random32());
39765 +       srandom32(k_rand_bytes[1] ^ random32());
39766 +       srandom32(k_rand_bytes[2] ^ random32());
39767 +       srandom32(k_rand_bytes[3] ^ random32());
39768 +       p = STACK_ROUND(p, sizeof(k_rand_bytes));
39769 +       u_rand_bytes = (elf_addr_t __user *) p;
39770         if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
39771                 return -EFAULT;
39772  
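Review bot: The comment kept at the top of this hunk still says the 16 bytes are generated "for userspace PRNG seeding", but the new `srandom32()` lines also fold them into the kernel's `random32()` state before they are copied to the user stack. Since the same bytes become readable by the new process via the auxiliary vector, the XOR with the current `random32()` output is what keeps the reseeded state from being derived from the exposed bytes; that reasoning deserves a comment above the first `srandom32()` call, e.g. `/* PaX: also reseed random32(); XOR with its current output so the new state is not determined by the bytes exposed to user space */`. `sizeof(k_rand_bytes)` stays 16 with the `u32[4]` declaration, so the user-visible size is unchanged.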
39773 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
39774                 return -EFAULT;
39775         current->mm->env_end = p;
39776  
39777 +       memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
39778 +
39779         /* Put the elf_info on the stack in the right place.  */
39780         sp = (elf_addr_t __user *)envp + 1;
39781 -       if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
39782 +       if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
39783                 return -EFAULT;
39784         return 0;
39785  }
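Review bot: The bounce copy through `saved_auxv` carries no explanation, and the local shares its name with the `current->mm->saved_auxv` array that `elf_info` presumably points into, so the `memcpy` reads as if the mm field were being written. Rename the local (e.g. `elf_info_copy`, also in its declaration `unsigned long saved_auxv[AT_VECTOR_SIZE];` in the earlier hunk of this function) and state on the `memcpy` why the copy to user space cannot be made directly from `elf_info` — presumably a restriction on copying from that kernel object; confirm and record it. The copied length `ei_index * sizeof(elf_addr_t)` fits the buffer only if `ei_index` is bounded by the same `AT_VECTOR_SIZE` sizing as the source array, which the hunk does not show.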
39786 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
39787  {
39788         struct elf_phdr *elf_phdata;
39789         struct elf_phdr *eppnt;
39790 -       unsigned long load_addr = 0;
39791 +       unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
39792         int load_addr_set = 0;
39793         unsigned long last_bss = 0, elf_bss = 0;
39794 -       unsigned long error = ~0UL;
39795 +       unsigned long error = -EINVAL;
39796         unsigned long total_size;
39797         int retval, i, size;
39798  
39799 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
39800                 goto out_close;
39801         }
39802  
39803 +#ifdef CONFIG_PAX_SEGMEXEC
39804 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
39805 +               pax_task_size = SEGMEXEC_TASK_SIZE;
39806 +#endif
39807 +
39808         eppnt = elf_phdata;
39809         for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
39810                 if (eppnt->p_type == PT_LOAD) {
39811 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
39812                         k = load_addr + eppnt->p_vaddr;
39813                         if (BAD_ADDR(k) ||
39814                             eppnt->p_filesz > eppnt->p_memsz ||
39815 -                           eppnt->p_memsz > TASK_SIZE ||
39816 -                           TASK_SIZE - eppnt->p_memsz < k) {
39817 +                           eppnt->p_memsz > pax_task_size ||
39818 +                           pax_task_size - eppnt->p_memsz < k) {
39819                                 error = -ENOMEM;
39820                                 goto out_close;
39821                         }
39822 @@ -528,6 +553,193 @@ out:
39823         return error;
39824  }
39825  
39826 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
39827 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
39828 +{
39829 +       unsigned long pax_flags = 0UL;
39830 +
39831 +#ifdef CONFIG_PAX_PAGEEXEC
39832 +       if (elf_phdata->p_flags & PF_PAGEEXEC)
39833 +               pax_flags |= MF_PAX_PAGEEXEC;
39834 +#endif
39835 +
39836 +#ifdef CONFIG_PAX_SEGMEXEC
39837 +       if (elf_phdata->p_flags & PF_SEGMEXEC)
39838 +               pax_flags |= MF_PAX_SEGMEXEC;
39839 +#endif
39840 +
39841 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39842 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39843 +               if ((__supported_pte_mask & _PAGE_NX))
39844 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
39845 +               else
39846 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
39847 +       }
39848 +#endif
39849 +
39850 +#ifdef CONFIG_PAX_EMUTRAMP
39851 +       if (elf_phdata->p_flags & PF_EMUTRAMP)
39852 +               pax_flags |= MF_PAX_EMUTRAMP;
39853 +#endif
39854 +
39855 +#ifdef CONFIG_PAX_MPROTECT
39856 +       if (elf_phdata->p_flags & PF_MPROTECT)
39857 +               pax_flags |= MF_PAX_MPROTECT;
39858 +#endif
39859 +
39860 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39861 +       if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
39862 +               pax_flags |= MF_PAX_RANDMMAP;
39863 +#endif
39864 +
39865 +       return pax_flags;
39866 +}
39867 +#endif
39868 +
39869 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39870 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
39871 +{
39872 +       unsigned long pax_flags = 0UL;
39873 +
39874 +#ifdef CONFIG_PAX_PAGEEXEC
39875 +       if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
39876 +               pax_flags |= MF_PAX_PAGEEXEC;
39877 +#endif
39878 +
39879 +#ifdef CONFIG_PAX_SEGMEXEC
39880 +       if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
39881 +               pax_flags |= MF_PAX_SEGMEXEC;
39882 +#endif
39883 +
39884 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39885 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39886 +               if ((__supported_pte_mask & _PAGE_NX))
39887 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
39888 +               else
39889 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
39890 +       }
39891 +#endif
39892 +
39893 +#ifdef CONFIG_PAX_EMUTRAMP
39894 +       if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
39895 +               pax_flags |= MF_PAX_EMUTRAMP;
39896 +#endif
39897 +
39898 +#ifdef CONFIG_PAX_MPROTECT
39899 +       if (!(elf_phdata->p_flags & PF_NOMPROTECT))
39900 +               pax_flags |= MF_PAX_MPROTECT;
39901 +#endif
39902 +
39903 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39904 +       if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
39905 +               pax_flags |= MF_PAX_RANDMMAP;
39906 +#endif
39907 +
39908 +       return pax_flags;
39909 +}
39910 +#endif
39911 +
39912 +#ifdef CONFIG_PAX_EI_PAX
39913 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
39914 +{
39915 +       unsigned long pax_flags = 0UL;
39916 +
39917 +#ifdef CONFIG_PAX_PAGEEXEC
39918 +       if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
39919 +               pax_flags |= MF_PAX_PAGEEXEC;
39920 +#endif
39921 +
39922 +#ifdef CONFIG_PAX_SEGMEXEC
39923 +       if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
39924 +               pax_flags |= MF_PAX_SEGMEXEC;
39925 +#endif
39926 +
39927 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39928 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39929 +               if ((__supported_pte_mask & _PAGE_NX))
39930 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
39931 +               else
39932 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
39933 +       }
39934 +#endif
39935 +
39936 +#ifdef CONFIG_PAX_EMUTRAMP
39937 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
39938 +               pax_flags |= MF_PAX_EMUTRAMP;
39939 +#endif
39940 +
39941 +#ifdef CONFIG_PAX_MPROTECT
39942 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
39943 +               pax_flags |= MF_PAX_MPROTECT;
39944 +#endif
39945 +
39946 +#ifdef CONFIG_PAX_ASLR
39947 +       if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
39948 +               pax_flags |= MF_PAX_RANDMMAP;
39949 +#endif
39950 +
39951 +       return pax_flags;
39952 +}
39953 +#endif
39954 +
39955 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
39956 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
39957 +{
39958 +       unsigned long pax_flags = 0UL;
39959 +
39960 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39961 +       unsigned long i;
39962 +       int found_flags = 0;
39963 +#endif
39964 +
39965 +#ifdef CONFIG_PAX_EI_PAX
39966 +       pax_flags = pax_parse_ei_pax(elf_ex);
39967 +#endif
39968 +
39969 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39970 +       for (i = 0UL; i < elf_ex->e_phnum; i++)
39971 +               if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
39972 +                       if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
39973 +                           ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
39974 +                           ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
39975 +                           ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
39976 +                           ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
39977 +                               return -EINVAL;
39978 +
39979 +#ifdef CONFIG_PAX_SOFTMODE
39980 +                       if (pax_softmode)
39981 +                               pax_flags = pax_parse_softmode(&elf_phdata[i]);
39982 +                       else
39983 +#endif
39984 +
39985 +                               pax_flags = pax_parse_hardmode(&elf_phdata[i]);
39986 +                       found_flags = 1;
39987 +                       break;
39988 +               }
39989 +#endif
39990 +
39991 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
39992 +       if (found_flags == 0) {
39993 +               struct elf_phdr phdr;
39994 +               memset(&phdr, 0, sizeof(phdr));
39995 +               phdr.p_flags = PF_NOEMUTRAMP;
39996 +#ifdef CONFIG_PAX_SOFTMODE
39997 +               if (pax_softmode)
39998 +                       pax_flags = pax_parse_softmode(&phdr);
39999 +               else
40000 +#endif
40001 +                       pax_flags = pax_parse_hardmode(&phdr);
40002 +       }
40003 +#endif
40004 +
40005 +       if (0 > pax_check_flags(&pax_flags))
40006 +               return -EINVAL;
40007 +
40008 +       current->mm->pax_flags = pax_flags;
40009 +       return 0;
40010 +}
40011 +#endif
40012 +
40013  /*
40014   * These are the functions used to load ELF style executables and shared
40015   * libraries.  There is no binary dependent code anywhere else.
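Review bot: The PAGEEXEC/SEGMEXEC conflict-resolution block (`if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == ...` with the `__supported_pte_mask & _PAGE_NX` test) is repeated verbatim in `pax_parse_softmode`, `pax_parse_hardmode` and `pax_parse_ei_pax`; a single helper keeps the three parsers from drifting and documents the rule once. Separately, in `pax_parse_elf_flags` the `found_flags` variable is only read under `#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)`, so with both options enabled it is set but never used — guard its declaration and assignment with the same condition, or use it in the EI_PAX case too. The helper below replaces each duplicated block with `pax_flags = pax_resolve_noexec(pax_flags);`.
```c
/* PaX: PAGEEXEC and SEGMEXEC are mutually exclusive; when a binary asks for
 * both, keep the one the CPU can enforce: PAGEEXEC if hardware NX is
 * available, SEGMEXEC otherwise. No-op unless both options are configured. */
static unsigned long pax_resolve_noexec(unsigned long pax_flags)
{
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
		if (__supported_pte_mask & _PAGE_NX)
			pax_flags &= ~MF_PAX_SEGMEXEC;
		else
			pax_flags &= ~MF_PAX_PAGEEXEC;
	}
#endif
	return pax_flags;
}
/* … unchanged: the three parsers, each calling pax_resolve_noexec() in place of the duplicated block … */
```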
40016 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
40017  {
40018         unsigned int random_variable = 0;
40019  
40020 +#ifdef CONFIG_PAX_RANDUSTACK
40021 +       if (randomize_va_space)
40022 +               return stack_top - current->mm->delta_stack;
40023 +#endif
40024 +
40025         if ((current->flags & PF_RANDOMIZE) &&
40026                 !(current->personality & ADDR_NO_RANDOMIZE)) {
40027                 random_variable = get_random_int() & STACK_RND_MASK;
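Review bot: The new early return `return stack_top - current->mm->delta_stack;` is keyed on `randomize_va_space` alone and skips the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` personality checks that follow it, so a process started with the no-randomize personality no longer influences this path. If that is intended because `delta_stack` stays zero unless `MF_PAX_RANDMMAP` was granted (as set up in `load_elf_binary` elsewhere in this patch), say so where the behaviour diverges: `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP was granted, so the personality checks below are bypassed on purpose */`. Whether `ADDR_NO_RANDOMIZE` feeds into the PaX flag decision is not visible here; confirm before documenting it that way.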
40028 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
40029         unsigned long load_addr = 0, load_bias = 0;
40030         int load_addr_set = 0;
40031         char * elf_interpreter = NULL;
40032 -       unsigned long error;
40033 +       unsigned long error = 0;
40034         struct elf_phdr *elf_ppnt, *elf_phdata;
40035         unsigned long elf_bss, elf_brk;
40036         int retval, i;
40037 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
40038         unsigned long start_code, end_code, start_data, end_data;
40039         unsigned long reloc_func_desc __maybe_unused = 0;
40040         int executable_stack = EXSTACK_DEFAULT;
40041 -       unsigned long def_flags = 0;
40042         struct {
40043                 struct elfhdr elf_ex;
40044                 struct elfhdr interp_elf_ex;
40045         } *loc;
40046 +       unsigned long pax_task_size = TASK_SIZE;
40047  
40048         loc = kmalloc(sizeof(*loc), GFP_KERNEL);
40049         if (!loc) {
40050 @@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
40051  
40052         /* OK, This is the point of no return */
40053         current->flags &= ~PF_FORKNOEXEC;
40054 -       current->mm->def_flags = def_flags;
40055 +
40056 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
40057 +       current->mm->pax_flags = 0UL;
40058 +#endif
40059 +
40060 +#ifdef CONFIG_PAX_DLRESOLVE
40061 +       current->mm->call_dl_resolve = 0UL;
40062 +#endif
40063 +
40064 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
40065 +       current->mm->call_syscall = 0UL;
40066 +#endif
40067 +
40068 +#ifdef CONFIG_PAX_ASLR
40069 +       current->mm->delta_mmap = 0UL;
40070 +       current->mm->delta_stack = 0UL;
40071 +#endif
40072 +
40073 +       current->mm->def_flags = 0;
40074 +
40075 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
40076 +       if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
40077 +               send_sig(SIGKILL, current, 0);
40078 +               goto out_free_dentry;
40079 +       }
40080 +#endif
40081 +
40082 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40083 +       pax_set_initial_flags(bprm);
40084 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
40085 +       if (pax_set_initial_flags_func)
40086 +               (pax_set_initial_flags_func)(bprm);
40087 +#endif
40088 +
40089 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
40090 +       if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
40091 +               current->mm->context.user_cs_limit = PAGE_SIZE;
40092 +               current->mm->def_flags |= VM_PAGEEXEC;
40093 +       }
40094 +#endif
40095 +
40096 +#ifdef CONFIG_PAX_SEGMEXEC
40097 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
40098 +               current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
40099 +               current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
40100 +               pax_task_size = SEGMEXEC_TASK_SIZE;
40101 +               current->mm->def_flags |= VM_NOHUGEPAGE;
40102 +       }
40103 +#endif
40104 +
40105 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
40106 +       if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
40107 +               set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
40108 +               put_cpu();
40109 +       }
40110 +#endif
40111  
40112         /* Do this immediately, since STACK_TOP as used in setup_arg_pages
40113            may depend on the personality.  */
40114         SET_PERSONALITY(loc->elf_ex);
40115 +
40116 +#ifdef CONFIG_PAX_ASLR
40117 +       if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
40118 +               current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
40119 +               current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
40120 +       }
40121 +#endif
40122 +
40123 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
40124 +       if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
40125 +               executable_stack = EXSTACK_DISABLE_X;
40126 +               current->personality &= ~READ_IMPLIES_EXEC;
40127 +       } else
40128 +#endif
40129 +
40130         if (elf_read_implies_exec(loc->elf_ex, executable_stack))
40131                 current->personality |= READ_IMPLIES_EXEC;
40132  
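Review bot: The `} else` at the end of the `CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC` block binds, across `#endif` and a blank line, to the pre-existing `if (elf_read_implies_exec(...))` statement; that dangling-else-through-preprocessor shape is easy to break by inserting a line, and compiles to a different program when the option is off. At minimum drop the blank line and mark it: `} else	/* falls through to the elf_read_implies_exec() check below */` directly above `#endif`; better, compute a local `bool pax_noexec` inside the `#if` and write a plain `if (pax_noexec) { ... } else if (elf_read_implies_exec(...))`. The `send_sig(SIGKILL, current, 0)` before `goto out_free_dentry` on a `pax_parse_elf_flags` failure is consistent with the existing point-of-no-return handling in this function.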
40133 @@ -809,6 +1096,20 @@ static int load_elf_binary(struct linux_
40134  #else
40135                         load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
40136  #endif
40137 +
40138 +#ifdef CONFIG_PAX_RANDMMAP
40139 +                       /* PaX: randomize base address at the default exe base if requested */
40140 +                       if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
40141 +#ifdef CONFIG_SPARC64
40142 +                               load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
40143 +#else
40144 +                               load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
40145 +#endif
40146 +                               load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
40147 +                               elf_flags |= MAP_FIXED;
40148 +                       }
40149 +#endif
40150 +
40151                 }
40152  
40153                 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
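Review bot: `elf_flags |= MAP_FIXED` combined with a randomized `load_bias` means that if the chosen range overlaps something already mapped, `elf_map()` will silently replace it rather than fail; the hunk therefore relies on `PAX_ELF_ET_DYN_BASE` plus up to `2^PAX_DELTA_MMAP_LEN` pages (doubled by the extra shift on SPARC64) never reaching mappings that presumably already exist at this point, such as the stack. That invariant is not stated; add `/* MAP_FIXED: the randomized range must lie clear of everything mapped so far — see the per-arch PAX_ELF_ET_DYN_BASE / PAX_DELTA_MMAP_LEN */`. Also note the randomization applies only when `elf_interpreter` is set, so a static PIE keeps the non-randomized `load_bias`; if that is intended, say so in the same comment.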
40154 @@ -841,9 +1142,9 @@ static int load_elf_binary(struct linux_
40155                  * allowed task size. Note that p_filesz must always be
40156                  * <= p_memsz so it is only necessary to check p_memsz.
40157                  */
40158 -               if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
40159 -                   elf_ppnt->p_memsz > TASK_SIZE ||
40160 -                   TASK_SIZE - elf_ppnt->p_memsz < k) {
40161 +               if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
40162 +                   elf_ppnt->p_memsz > pax_task_size ||
40163 +                   pax_task_size - elf_ppnt->p_memsz < k) {
40164                         /* set_brk can never work. Avoid overflows. */
40165                         send_sig(SIGKILL, current, 0);
40166                         retval = -EINVAL;
40167 @@ -871,6 +1172,11 @@ static int load_elf_binary(struct linux_
40168         start_data += load_bias;
40169         end_data += load_bias;
40170  
40171 +#ifdef CONFIG_PAX_RANDMMAP
40172 +       if (current->mm->pax_flags & MF_PAX_RANDMMAP)
40173 +               elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
40174 +#endif
40175 +
40176         /* Calling set_brk effectively mmaps the pages that we need
40177          * for the bss and break sections.  We must do this before
40178          * mapping in the interpreter, to make sure it doesn't wind
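Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` inserts a one-page gap plus a random offset with sub-page granularity, and it only works together with the `set_brk()` change earlier in this patch that stores the unaligned end; neither hunk references the other. A comment here would make the coupling explicit: `/* PaX: randomize the brk start (page gap + sub-page offset); set_brk() deliberately stores this unaligned value so the low bits survive */`. Stating the resulting range (up to about 16 pages from the `<< 4`) in the same comment helps anyone later tuning `PAX_DELTA_*` lengths.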
40179 @@ -882,9 +1188,11 @@ static int load_elf_binary(struct linux_
40180                 goto out_free_dentry;
40181         }
40182         if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
40183 -               send_sig(SIGSEGV, current, 0);
40184 -               retval = -EFAULT; /* Nobody gets to see this, but.. */
40185 -               goto out_free_dentry;
40186 +               /*
40187 +                * This bss-zeroing can fail if the ELF
40188 +                * file specifies odd protections. So
40189 +                * we don't check the return value
40190 +                */
40191         }
40192  
40193         if (elf_interpreter) {
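Review bot: After the removal, `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { /* ... */ }` is a conditional with an empty body kept only for `padzero()`'s side effect, which reads like a lost error path. Write the intent directly: `if (elf_bss != elf_brk) padzero(elf_bss);	/* may fail for odd segment protections; nothing to do */`, possibly with a `(void)` cast. Ignoring the failure mirrors how `load_elf_interp` in this file already treats the same call; what is left unzeroed is presumably the file-backed tail of the last page rather than kernel memory, so this is a correctness rather than a disclosure concern — worth confirming and noting in the comment.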
40194 @@ -1099,7 +1407,7 @@ out:
40195   * Decide what to dump of a segment, part, all or none.
40196   */
40197  static unsigned long vma_dump_size(struct vm_area_struct *vma,
40198 -                                  unsigned long mm_flags)
40199 +                                  unsigned long mm_flags, long signr)
40200  {
40201  #define FILTER(type)   (mm_flags & (1UL << MMF_DUMP_##type))
40202  
40203 @@ -1133,7 +1441,7 @@ static unsigned long vma_dump_size(struc
40204         if (vma->vm_file == NULL)
40205                 return 0;
40206  
40207 -       if (FILTER(MAPPED_PRIVATE))
40208 +       if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
40209                 goto whole;
40210  
40211         /*
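Review bot: `if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))` makes a SIGKILL-triggered dump include whole private file mappings regardless of the `MMF_DUMP_*` filter, and nothing explains why SIGKILL is special. Add a comment on that line stating the reason (the page does not show it; presumably a kernel-enforced kill whose dump should be complete), e.g. `/* a SIGKILL dump ignores the MAPPED_PRIVATE filter: <reason> */`. The new `signr` parameter in `vma_dump_size` and the `cprm` pass-through in `elf_core_vma_data_size` otherwise look consistent with the call sites in the later hunks.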
40212 @@ -1355,9 +1663,9 @@ static void fill_auxv_note(struct memelf
40213  {
40214         elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
40215         int i = 0;
40216 -       do
40217 +       do {
40218                 i += 2;
40219 -       while (auxv[i - 2] != AT_NULL);
40220 +       } while (auxv[i - 2] != AT_NULL);
40221         fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
40222  }
40223  
40224 @@ -1863,14 +2171,14 @@ static void fill_extnum_info(struct elfh
40225  }
40226  
40227  static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
40228 -                                    unsigned long mm_flags)
40229 +                                    struct coredump_params *cprm)
40230  {
40231         struct vm_area_struct *vma;
40232         size_t size = 0;
40233  
40234         for (vma = first_vma(current, gate_vma); vma != NULL;
40235              vma = next_vma(vma, gate_vma))
40236 -               size += vma_dump_size(vma, mm_flags);
40237 +               size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40238         return size;
40239  }
40240  
40241 @@ -1964,7 +2272,7 @@ static int elf_core_dump(struct coredump
40242  
40243         dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
40244  
40245 -       offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
40246 +       offset += elf_core_vma_data_size(gate_vma, cprm);
40247         offset += elf_core_extra_data_size();
40248         e_shoff = offset;
40249  
40250 @@ -1978,10 +2286,12 @@ static int elf_core_dump(struct coredump
40251         offset = dataoff;
40252  
40253         size += sizeof(*elf);
40254 +       gr_learn_resource(current, RLIMIT_CORE, size, 1);
40255         if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
40256                 goto end_coredump;
40257  
40258         size += sizeof(*phdr4note);
40259 +       gr_learn_resource(current, RLIMIT_CORE, size, 1);
40260         if (size > cprm->limit
40261             || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
40262                 goto end_coredump;
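Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1);` is inserted in front of every `size > cprm->limit` check — here twice, and again in the three following `elf_core_dump` hunks, one of which passes `size + PAGE_SIZE` because the increment happens inside the condition. Six hand-copied pairs are easy to desynchronise; a small helper that learns and checks in one place keeps the accounting identical at every site. The helper below replaces `gr_learn_resource(...); if (size > cprm->limit || !dump_write(...))` with `if (!core_size_ok(cprm, size) || !dump_write(...))`, and the page loop becomes `stop = !core_size_ok(cprm, size += PAGE_SIZE) || !dump_write(...)`.
```c
/* Account the prospective core size for RLIMIT_CORE learning and report
 * whether it still fits the dump limit. */
static bool core_size_ok(const struct coredump_params *cprm, size_t size)
{
	gr_learn_resource(current, RLIMIT_CORE, size, 1);
	return size <= cprm->limit;
}
/* … unchanged: elf_core_dump body, each learn+check pair replaced by core_size_ok() … */
```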
40263 @@ -1995,7 +2305,7 @@ static int elf_core_dump(struct coredump
40264                 phdr.p_offset = offset;
40265                 phdr.p_vaddr = vma->vm_start;
40266                 phdr.p_paddr = 0;
40267 -               phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
40268 +               phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40269                 phdr.p_memsz = vma->vm_end - vma->vm_start;
40270                 offset += phdr.p_filesz;
40271                 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
40272 @@ -2006,6 +2316,7 @@ static int elf_core_dump(struct coredump
40273                 phdr.p_align = ELF_EXEC_PAGESIZE;
40274  
40275                 size += sizeof(phdr);
40276 +               gr_learn_resource(current, RLIMIT_CORE, size, 1);
40277                 if (size > cprm->limit
40278                     || !dump_write(cprm->file, &phdr, sizeof(phdr)))
40279                         goto end_coredump;
40280 @@ -2030,7 +2341,7 @@ static int elf_core_dump(struct coredump
40281                 unsigned long addr;
40282                 unsigned long end;
40283  
40284 -               end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
40285 +               end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40286  
40287                 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
40288                         struct page *page;
40289 @@ -2039,6 +2350,7 @@ static int elf_core_dump(struct coredump
40290                         page = get_dump_page(addr);
40291                         if (page) {
40292                                 void *kaddr = kmap(page);
40293 +                               gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
40294                                 stop = ((size += PAGE_SIZE) > cprm->limit) ||
40295                                         !dump_write(cprm->file, kaddr,
40296                                                     PAGE_SIZE);
40297 @@ -2056,6 +2368,7 @@ static int elf_core_dump(struct coredump
40298  
40299         if (e_phnum == PN_XNUM) {
40300                 size += sizeof(*shdr4extnum);
40301 +               gr_learn_resource(current, RLIMIT_CORE, size, 1);
40302                 if (size > cprm->limit
40303                     || !dump_write(cprm->file, shdr4extnum,
40304                                    sizeof(*shdr4extnum)))
40305 @@ -2076,6 +2389,97 @@ out:
40306  
40307  #endif         /* CONFIG_ELF_CORE */
40308  
40309 +#ifdef CONFIG_PAX_MPROTECT
40310 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
40311 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
40312 + * we'll remove VM_MAYWRITE for good on RELRO segments.
40313 + *
40314 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
40315 + * basis because we want to allow the common case and not the special ones.
40316 + */
40317 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
40318 +{
40319 +       struct elfhdr elf_h;
40320 +       struct elf_phdr elf_p;
40321 +       unsigned long i;
40322 +       unsigned long oldflags;
40323 +       bool is_textrel_rw, is_textrel_rx, is_relro;
40324 +
40325 +       if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
40326 +               return;
40327 +
40328 +       oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
40329 +       newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
40330 +
40331 +#ifdef CONFIG_PAX_ELFRELOCS
40332 +       /* possible TEXTREL */
40333 +       is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
40334 +       is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
40335 +#else
40336 +       is_textrel_rw = false;
40337 +       is_textrel_rx = false;
40338 +#endif
40339 +
40340 +       /* possible RELRO */
40341 +       is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
40342 +
40343 +       if (!is_textrel_rw && !is_textrel_rx && !is_relro)
40344 +               return;
40345 +
40346 +       if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
40347 +           memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
40348 +
40349 +#ifdef CONFIG_PAX_ETEXECRELOCS
40350 +           ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40351 +#else
40352 +           ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
40353 +#endif
40354 +
40355 +           (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40356 +           !elf_check_arch(&elf_h) ||
40357 +           elf_h.e_phentsize != sizeof(struct elf_phdr) ||
40358 +           elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
40359 +               return;
40360 +
40361 +       for (i = 0UL; i < elf_h.e_phnum; i++) {
40362 +               if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
40363 +                       return;
40364 +               switch (elf_p.p_type) {
40365 +               case PT_DYNAMIC:
40366 +                       if (!is_textrel_rw && !is_textrel_rx)
40367 +                               continue;
40368 +                       i = 0UL;
40369 +                       while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
40370 +                               elf_dyn dyn;
40371 +
40372 +                               if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
40373 +                                       return;
40374 +                               if (dyn.d_tag == DT_NULL)
40375 +                                       return;
40376 +                               if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
40377 +                                       gr_log_textrel(vma);
40378 +                                       if (is_textrel_rw)
40379 +                                               vma->vm_flags |= VM_MAYWRITE;
40380 +                                       else
40381 +                                               /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
40382 +                                               vma->vm_flags &= ~VM_MAYWRITE;
40383 +                                       return;
40384 +                               }
40385 +                               i++;
40386 +                       }
40387 +                       return;
40388 +
40389 +               case PT_GNU_RELRO:
40390 +                       if (!is_relro)
40391 +                               continue;
40392 +                       if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
40393 +                               vma->vm_flags &= ~VM_MAYWRITE;
40394 +                       return;
40395 +               }
40396 +       }
40397 +}
40398 +#endif
40399 +
40400  static int __init init_elf_binfmt(void)
40401  {
40402         return register_binfmt(&elf_format);
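Review bot: Inside `case PT_DYNAMIC:` the program-header loop index `i` is reset to `0UL` and reused as the dynamic-entry index; every path out of that case returns, so it is not a bug today, but any future `break` or `continue` there would resume the outer loop from a wrong header. Use a separate counter: `unsigned long j = 0UL;` / `while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {` with `elf_p.p_offset + j*sizeof(dyn)` and `j++`. The `switch` also lacks a `default:` (a `default: break;` documents that other segment types are skipped), and since this handler does `kernel_read()` on the backing file from what is presumably the mprotect path, a comment on the expected locking context (whether the mm lock is held while the file is read) would help reviewers.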
40403 diff -urNp linux-3.0.9/fs/binfmt_flat.c linux-3.0.9/fs/binfmt_flat.c
40404 --- linux-3.0.9/fs/binfmt_flat.c        2011-11-11 13:12:24.000000000 -0500
40405 +++ linux-3.0.9/fs/binfmt_flat.c        2011-11-15 20:02:59.000000000 -0500
40406 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
40407                                 realdatastart = (unsigned long) -ENOMEM;
40408                         printk("Unable to allocate RAM for process data, errno %d\n",
40409                                         (int)-realdatastart);
40410 +                       down_write(&current->mm->mmap_sem);
40411                         do_munmap(current->mm, textpos, text_len);
40412 +                       up_write(&current->mm->mmap_sem);
40413                         ret = realdatastart;
40414                         goto err;
40415                 }
40416 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
40417                 }
40418                 if (IS_ERR_VALUE(result)) {
40419                         printk("Unable to read data+bss, errno %d\n", (int)-result);
40420 +                       down_write(&current->mm->mmap_sem);
40421                         do_munmap(current->mm, textpos, text_len);
40422                         do_munmap(current->mm, realdatastart, len);
40423 +                       up_write(&current->mm->mmap_sem);
40424                         ret = result;
40425                         goto err;
40426                 }
40427 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
40428                 }
40429                 if (IS_ERR_VALUE(result)) {
40430                         printk("Unable to read code+data+bss, errno %d\n",(int)-result);
40431 +                       down_write(&current->mm->mmap_sem);
40432                         do_munmap(current->mm, textpos, text_len + data_len + extra +
40433                                 MAX_SHARED_LIBS * sizeof(unsigned long));
40434 +                       up_write(&current->mm->mmap_sem);
40435                         ret = result;
40436                         goto err;
40437                 }
40438 diff -urNp linux-3.0.9/fs/bio.c linux-3.0.9/fs/bio.c
40439 --- linux-3.0.9/fs/bio.c        2011-11-11 13:12:24.000000000 -0500
40440 +++ linux-3.0.9/fs/bio.c        2011-11-15 20:02:59.000000000 -0500
40441 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
40442         const int read = bio_data_dir(bio) == READ;
40443         struct bio_map_data *bmd = bio->bi_private;
40444         int i;
40445 -       char *p = bmd->sgvecs[0].iov_base;
40446 +       char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
40447  
40448         __bio_for_each_segment(bvec, bio, i, 0) {
40449                 char *addr = page_address(bvec->bv_page);
40450 diff -urNp linux-3.0.9/fs/block_dev.c linux-3.0.9/fs/block_dev.c
40451 --- linux-3.0.9/fs/block_dev.c  2011-11-11 13:12:24.000000000 -0500
40452 +++ linux-3.0.9/fs/block_dev.c  2011-11-15 20:02:59.000000000 -0500
40453 @@ -671,7 +671,7 @@ static bool bd_may_claim(struct block_de
40454         else if (bdev->bd_contains == bdev)
40455                 return true;     /* is a whole device which isn't held */
40456  
40457 -       else if (whole->bd_holder == bd_may_claim)
40458 +       else if (whole->bd_holder == (void *)bd_may_claim)
40459                 return true;     /* is a partition of a device that is being partitioned */
40460         else if (whole->bd_holder != NULL)
40461                 return false;    /* is a partition of a held device */
40462 diff -urNp linux-3.0.9/fs/btrfs/ctree.c linux-3.0.9/fs/btrfs/ctree.c
40463 --- linux-3.0.9/fs/btrfs/ctree.c        2011-11-11 13:12:24.000000000 -0500
40464 +++ linux-3.0.9/fs/btrfs/ctree.c        2011-11-15 20:02:59.000000000 -0500
40465 @@ -454,9 +454,12 @@ static noinline int __btrfs_cow_block(st
40466                 free_extent_buffer(buf);
40467                 add_root_to_dirty_list(root);
40468         } else {
40469 -               if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
40470 -                       parent_start = parent->start;
40471 -               else
40472 +               if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
40473 +                       if (parent)
40474 +                               parent_start = parent->start;
40475 +                       else
40476 +                               parent_start = 0;
40477 +               } else
40478                         parent_start = 0;
40479  
40480                 WARN_ON(trans->transid != btrfs_header_generation(parent));
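Review bot: The new `if (parent)` guard is undermined two lines later, where `WARN_ON(trans->transid != btrfs_header_generation(parent))` still dereferences `parent` unconditionally, so a NULL `parent` in the reloc case would still oops at the WARN_ON instead of at the assignment. If `parent` can really be NULL here, the WARN_ON needs the same guard, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`; if it cannot, the added check is dead code. Since both inner branches fall through to `parent_start = 0`, the nesting can also collapse to `if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent) parent_start = parent->start; else parent_start = 0;`. __btrfs_cow_block starts and ends outside the hunk.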
40481 diff -urNp linux-3.0.9/fs/btrfs/inode.c linux-3.0.9/fs/btrfs/inode.c
40482 --- linux-3.0.9/fs/btrfs/inode.c        2011-11-11 13:12:24.000000000 -0500
40483 +++ linux-3.0.9/fs/btrfs/inode.c        2011-11-15 20:02:59.000000000 -0500
40484 @@ -6896,7 +6896,7 @@ fail:
40485         return -ENOMEM;
40486  }
40487  
40488 -static int btrfs_getattr(struct vfsmount *mnt,
40489 +int btrfs_getattr(struct vfsmount *mnt,
40490                          struct dentry *dentry, struct kstat *stat)
40491  {
40492         struct inode *inode = dentry->d_inode;
40493 @@ -6908,6 +6908,14 @@ static int btrfs_getattr(struct vfsmount
40494         return 0;
40495  }
40496  
40497 +EXPORT_SYMBOL(btrfs_getattr);
40498 +
40499 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
40500 +{
40501 +       return BTRFS_I(inode)->root->anon_super.s_dev;
40502 +}
40503 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
40504 +
40505  /*
40506   * If a file is moved, it will inherit the cow and compression flags of the new
40507   * directory.
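Review bot: `get_btrfs_dev_from_inode()` is added as an exported, non-static function with no kernel-doc and, within this patch section, no header prototype; the same applies to `btrfs_getattr()` once `static` is dropped in the preceding hunk, so both will trip -Wmissing-prototypes unless a declaration lands in a header elsewhere in the patch. A one-line comment on the new helper would record that it returns `root->anon_super.s_dev` of the inode's subvolume root, which in btrfs need not equal `inode->i_sb->s_dev`, e.g. `/* device number of the subvolume (anon_super) this inode belongs to */`. Using plain `EXPORT_SYMBOL` rather than `EXPORT_SYMBOL_GPL` for both symbols is a policy choice that deserves a sentence in the commit text.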
40508 diff -urNp linux-3.0.9/fs/btrfs/ioctl.c linux-3.0.9/fs/btrfs/ioctl.c
40509 --- linux-3.0.9/fs/btrfs/ioctl.c        2011-11-11 13:12:24.000000000 -0500
40510 +++ linux-3.0.9/fs/btrfs/ioctl.c        2011-11-15 20:02:59.000000000 -0500
40511 @@ -2676,9 +2676,12 @@ long btrfs_ioctl_space_info(struct btrfs
40512         for (i = 0; i < num_types; i++) {
40513                 struct btrfs_space_info *tmp;
40514  
40515 +               /* Don't copy in more than we allocated */
40516                 if (!slot_count)
40517                         break;
40518  
40519 +               slot_count--;
40520 +
40521                 info = NULL;
40522                 rcu_read_lock();
40523                 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
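Review bot: Moving `slot_count--` to the per-type outer loop changes what the bound counts: `slot_count` (and the `alloc_size` derived from it earlier in the function, outside the hunk) is a number of `btrfs_ioctl_space_info` entries, yet the inner loop in the next hunk still does `memcpy(dest, ...); dest++;` once per non-empty group list under `groups_sem`, and its per-entry `slot_count--` and `if (!slot_count) break;` are deleted there. If a single type can contribute more than one entry, which the loop shape suggests, a caller asking for fewer slots than the filesystem has entries can make the copy run past the `alloc_size` buffer before the outer check fires. The per-entry guard should stay inside the inner loop — `if (!slot_count) break;` before the `memcpy` and `slot_count--;` after `dest++` — with the outer check kept only as the early exit. btrfs_ioctl_space_info starts and ends outside these hunks.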
40524 @@ -2700,15 +2703,12 @@ long btrfs_ioctl_space_info(struct btrfs
40525                                 memcpy(dest, &space, sizeof(space));
40526                                 dest++;
40527                                 space_args.total_spaces++;
40528 -                               slot_count--;
40529                         }
40530 -                       if (!slot_count)
40531 -                               break;
40532                 }
40533                 up_read(&info->groups_sem);
40534         }
40535  
40536 -       user_dest = (struct btrfs_ioctl_space_info *)
40537 +       user_dest = (struct btrfs_ioctl_space_info __user *)
40538                 (arg + sizeof(struct btrfs_ioctl_space_args));
40539  
40540         if (copy_to_user(user_dest, dest_orig, alloc_size))
40541 diff -urNp linux-3.0.9/fs/btrfs/relocation.c linux-3.0.9/fs/btrfs/relocation.c
40542 --- linux-3.0.9/fs/btrfs/relocation.c   2011-11-11 13:12:24.000000000 -0500
40543 +++ linux-3.0.9/fs/btrfs/relocation.c   2011-11-15 20:02:59.000000000 -0500
40544 @@ -1242,7 +1242,7 @@ static int __update_reloc_root(struct bt
40545         }
40546         spin_unlock(&rc->reloc_root_tree.lock);
40547  
40548 -       BUG_ON((struct btrfs_root *)node->data != root);
40549 +       BUG_ON(!node || (struct btrfs_root *)node->data != root);
40550  
40551         if (!del) {
40552                 spin_lock(&rc->reloc_root_tree.lock);
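Review bot: Folding `!node` into the `BUG_ON` turns a NULL lookup result into a deliberate kernel panic rather than an implicit NULL dereference; if the tree search above `spin_unlock` can legitimately miss (not visible in the hunk), a warning plus an error return from `__update_reloc_root` would be the less destructive choice, e.g. `if (WARN_ON(!node)) return -ENOENT;` ahead of the existing BUG_ON. If a miss truly cannot happen, a short comment next to the BUG_ON saying so would justify keeping the crash. The function starts and ends outside the hunk.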
40553 diff -urNp linux-3.0.9/fs/cachefiles/bind.c linux-3.0.9/fs/cachefiles/bind.c
40554 --- linux-3.0.9/fs/cachefiles/bind.c    2011-11-11 13:12:24.000000000 -0500
40555 +++ linux-3.0.9/fs/cachefiles/bind.c    2011-11-15 20:02:59.000000000 -0500
40556 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
40557                args);
40558  
40559         /* start by checking things over */
40560 -       ASSERT(cache->fstop_percent >= 0 &&
40561 -              cache->fstop_percent < cache->fcull_percent &&
40562 +       ASSERT(cache->fstop_percent < cache->fcull_percent &&
40563                cache->fcull_percent < cache->frun_percent &&
40564                cache->frun_percent  < 100);
40565  
40566 -       ASSERT(cache->bstop_percent >= 0 &&
40567 -              cache->bstop_percent < cache->bcull_percent &&
40568 +       ASSERT(cache->bstop_percent < cache->bcull_percent &&
40569                cache->bcull_percent < cache->brun_percent &&
40570                cache->brun_percent  < 100);
40571  
40572 diff -urNp linux-3.0.9/fs/cachefiles/daemon.c linux-3.0.9/fs/cachefiles/daemon.c
40573 --- linux-3.0.9/fs/cachefiles/daemon.c  2011-11-11 13:12:24.000000000 -0500
40574 +++ linux-3.0.9/fs/cachefiles/daemon.c  2011-11-15 20:02:59.000000000 -0500
40575 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
40576         if (n > buflen)
40577                 return -EMSGSIZE;
40578  
40579 -       if (copy_to_user(_buffer, buffer, n) != 0)
40580 +       if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
40581                 return -EFAULT;
40582  
40583         return n;
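Review bot: The new `n > sizeof(buffer)` test returns -EFAULT, which reports a kernel-side overrun (n presumably being the formatted length of the local `buffer`, produced above the hunk) as if it were a bad user address; -EMSGSIZE, already used for the `n > buflen` case, or a `WARN_ON_ONCE` describes the condition better and keeps -EFAULT meaning what a `copy_to_user` failure means. Splitting it out as `if (WARN_ON_ONCE(n > sizeof(buffer))) return -EMSGSIZE;` ahead of the copy also makes the intent obvious. The signedness cleanups in the three later hunks of this file (`datalen`, `fstop`, `bstop`) are consistent with the `unsigned` percent fields shown in internal.h. cachefiles_daemon_read starts outside the hunk.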
40584 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
40585         if (test_bit(CACHEFILES_DEAD, &cache->flags))
40586                 return -EIO;
40587  
40588 -       if (datalen < 0 || datalen > PAGE_SIZE - 1)
40589 +       if (datalen > PAGE_SIZE - 1)
40590                 return -EOPNOTSUPP;
40591  
40592         /* drag the command string into the kernel so we can parse it */
40593 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
40594         if (args[0] != '%' || args[1] != '\0')
40595                 return -EINVAL;
40596  
40597 -       if (fstop < 0 || fstop >= cache->fcull_percent)
40598 +       if (fstop >= cache->fcull_percent)
40599                 return cachefiles_daemon_range_error(cache, args);
40600  
40601         cache->fstop_percent = fstop;
40602 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
40603         if (args[0] != '%' || args[1] != '\0')
40604                 return -EINVAL;
40605  
40606 -       if (bstop < 0 || bstop >= cache->bcull_percent)
40607 +       if (bstop >= cache->bcull_percent)
40608                 return cachefiles_daemon_range_error(cache, args);
40609  
40610         cache->bstop_percent = bstop;
40611 diff -urNp linux-3.0.9/fs/cachefiles/internal.h linux-3.0.9/fs/cachefiles/internal.h
40612 --- linux-3.0.9/fs/cachefiles/internal.h        2011-11-11 13:12:24.000000000 -0500
40613 +++ linux-3.0.9/fs/cachefiles/internal.h        2011-11-15 20:02:59.000000000 -0500
40614 @@ -57,7 +57,7 @@ struct cachefiles_cache {
40615         wait_queue_head_t               daemon_pollwq;  /* poll waitqueue for daemon */
40616         struct rb_root                  active_nodes;   /* active nodes (can't be culled) */
40617         rwlock_t                        active_lock;    /* lock for active_nodes */
40618 -       atomic_t                        gravecounter;   /* graveyard uniquifier */
40619 +       atomic_unchecked_t              gravecounter;   /* graveyard uniquifier */
40620         unsigned                        frun_percent;   /* when to stop culling (% files) */
40621         unsigned                        fcull_percent;  /* when to start culling (% files) */
40622         unsigned                        fstop_percent;  /* when to stop allocating (% files) */
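Review bot: Switching `gravecounter` to `atomic_unchecked_t` opts it out of the overflow checking that protects ordinary `atomic_t` reference counts, and nothing in the hunk records why wrap-around is acceptable here; a one-line rationale would keep the next maintainer from "fixing" it back, e.g. `atomic_unchecked_t gravecounter; /* graveyard uniquifier: wrap is harmless, not a refcount */`. The same applies to the other counters this patch converts in the following hunks — the cachefiles histograms (internal.h, proc.c, namei.c), the cifs statistics (cifs_debug.c, cifsfs.c, cifsglob.h, misc.c) and coda's `permission_epoch` (cache.c). For `permission_epoch`, which is compared for equality against a cached copy, a wrap can in principle make a stale entry look current, so that one deserves its own comment rather than a blanket "statistics only" justification.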
40623 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
40624   * proc.c
40625   */
40626  #ifdef CONFIG_CACHEFILES_HISTOGRAM
40627 -extern atomic_t cachefiles_lookup_histogram[HZ];
40628 -extern atomic_t cachefiles_mkdir_histogram[HZ];
40629 -extern atomic_t cachefiles_create_histogram[HZ];
40630 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40631 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40632 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
40633  
40634  extern int __init cachefiles_proc_init(void);
40635  extern void cachefiles_proc_cleanup(void);
40636  static inline
40637 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
40638 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
40639  {
40640         unsigned long jif = jiffies - start_jif;
40641         if (jif >= HZ)
40642                 jif = HZ - 1;
40643 -       atomic_inc(&histogram[jif]);
40644 +       atomic_inc_unchecked(&histogram[jif]);
40645  }
40646  
40647  #else
40648 diff -urNp linux-3.0.9/fs/cachefiles/namei.c linux-3.0.9/fs/cachefiles/namei.c
40649 --- linux-3.0.9/fs/cachefiles/namei.c   2011-11-11 13:12:24.000000000 -0500
40650 +++ linux-3.0.9/fs/cachefiles/namei.c   2011-11-15 20:02:59.000000000 -0500
40651 @@ -318,7 +318,7 @@ try_again:
40652         /* first step is to make up a grave dentry in the graveyard */
40653         sprintf(nbuffer, "%08x%08x",
40654                 (uint32_t) get_seconds(),
40655 -               (uint32_t) atomic_inc_return(&cache->gravecounter));
40656 +               (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
40657  
40658         /* do the multiway lock magic */
40659         trap = lock_rename(cache->graveyard, dir);
40660 diff -urNp linux-3.0.9/fs/cachefiles/proc.c linux-3.0.9/fs/cachefiles/proc.c
40661 --- linux-3.0.9/fs/cachefiles/proc.c    2011-11-11 13:12:24.000000000 -0500
40662 +++ linux-3.0.9/fs/cachefiles/proc.c    2011-11-15 20:02:59.000000000 -0500
40663 @@ -14,9 +14,9 @@
40664  #include <linux/seq_file.h>
40665  #include "internal.h"
40666  
40667 -atomic_t cachefiles_lookup_histogram[HZ];
40668 -atomic_t cachefiles_mkdir_histogram[HZ];
40669 -atomic_t cachefiles_create_histogram[HZ];
40670 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40671 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40672 +atomic_unchecked_t cachefiles_create_histogram[HZ];
40673  
40674  /*
40675   * display the latency histogram
40676 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
40677                 return 0;
40678         default:
40679                 index = (unsigned long) v - 3;
40680 -               x = atomic_read(&cachefiles_lookup_histogram[index]);
40681 -               y = atomic_read(&cachefiles_mkdir_histogram[index]);
40682 -               z = atomic_read(&cachefiles_create_histogram[index]);
40683 +               x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
40684 +               y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
40685 +               z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
40686                 if (x == 0 && y == 0 && z == 0)
40687                         return 0;
40688  
40689 diff -urNp linux-3.0.9/fs/cachefiles/rdwr.c linux-3.0.9/fs/cachefiles/rdwr.c
40690 --- linux-3.0.9/fs/cachefiles/rdwr.c    2011-11-11 13:12:24.000000000 -0500
40691 +++ linux-3.0.9/fs/cachefiles/rdwr.c    2011-11-15 20:02:59.000000000 -0500
40692 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
40693                         old_fs = get_fs();
40694                         set_fs(KERNEL_DS);
40695                         ret = file->f_op->write(
40696 -                               file, (const void __user *) data, len, &pos);
40697 +                               file, (const void __force_user *) data, len, &pos);
40698                         set_fs(old_fs);
40699                         kunmap(page);
40700                         if (ret != len)
40701 diff -urNp linux-3.0.9/fs/ceph/dir.c linux-3.0.9/fs/ceph/dir.c
40702 --- linux-3.0.9/fs/ceph/dir.c   2011-11-11 13:12:24.000000000 -0500
40703 +++ linux-3.0.9/fs/ceph/dir.c   2011-11-15 20:02:59.000000000 -0500
40704 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
40705         struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
40706         struct ceph_mds_client *mdsc = fsc->mdsc;
40707         unsigned frag = fpos_frag(filp->f_pos);
40708 -       int off = fpos_off(filp->f_pos);
40709 +       unsigned int off = fpos_off(filp->f_pos);
40710         int err;
40711         u32 ftype;
40712         struct ceph_mds_reply_info_parsed *rinfo;
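Review bot: Changing `off` to `unsigned int` alters every later comparison against it in ceph_readdir (outside the hunk): any `off < 0` test or `off - n` arithmetic that relied on signedness becomes always-false or a wrap, and the compiler will not warn. The rest of the function should be checked for such uses, and if `fpos_off()` already returns an unsigned type the change is a pure consistency fix that could say so in the commit text. The function starts and ends outside the hunk.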
40713 diff -urNp linux-3.0.9/fs/cifs/cifs_debug.c linux-3.0.9/fs/cifs/cifs_debug.c
40714 --- linux-3.0.9/fs/cifs/cifs_debug.c    2011-11-11 13:12:24.000000000 -0500
40715 +++ linux-3.0.9/fs/cifs/cifs_debug.c    2011-11-15 20:02:59.000000000 -0500
40716 @@ -265,8 +265,8 @@ static ssize_t cifs_stats_proc_write(str
40717  
40718         if (c == '1' || c == 'y' || c == 'Y' || c == '0') {
40719  #ifdef CONFIG_CIFS_STATS2
40720 -               atomic_set(&totBufAllocCount, 0);
40721 -               atomic_set(&totSmBufAllocCount, 0);
40722 +               atomic_set_unchecked(&totBufAllocCount, 0);
40723 +               atomic_set_unchecked(&totSmBufAllocCount, 0);
40724  #endif /* CONFIG_CIFS_STATS2 */
40725                 spin_lock(&cifs_tcp_ses_lock);
40726                 list_for_each(tmp1, &cifs_tcp_ses_list) {
40727 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
40728                                         tcon = list_entry(tmp3,
40729                                                           struct cifs_tcon,
40730                                                           tcon_list);
40731 -                                       atomic_set(&tcon->num_smbs_sent, 0);
40732 -                                       atomic_set(&tcon->num_writes, 0);
40733 -                                       atomic_set(&tcon->num_reads, 0);
40734 -                                       atomic_set(&tcon->num_oplock_brks, 0);
40735 -                                       atomic_set(&tcon->num_opens, 0);
40736 -                                       atomic_set(&tcon->num_posixopens, 0);
40737 -                                       atomic_set(&tcon->num_posixmkdirs, 0);
40738 -                                       atomic_set(&tcon->num_closes, 0);
40739 -                                       atomic_set(&tcon->num_deletes, 0);
40740 -                                       atomic_set(&tcon->num_mkdirs, 0);
40741 -                                       atomic_set(&tcon->num_rmdirs, 0);
40742 -                                       atomic_set(&tcon->num_renames, 0);
40743 -                                       atomic_set(&tcon->num_t2renames, 0);
40744 -                                       atomic_set(&tcon->num_ffirst, 0);
40745 -                                       atomic_set(&tcon->num_fnext, 0);
40746 -                                       atomic_set(&tcon->num_fclose, 0);
40747 -                                       atomic_set(&tcon->num_hardlinks, 0);
40748 -                                       atomic_set(&tcon->num_symlinks, 0);
40749 -                                       atomic_set(&tcon->num_locks, 0);
40750 +                                       atomic_set_unchecked(&tcon->num_smbs_sent, 0);
40751 +                                       atomic_set_unchecked(&tcon->num_writes, 0);
40752 +                                       atomic_set_unchecked(&tcon->num_reads, 0);
40753 +                                       atomic_set_unchecked(&tcon->num_oplock_brks, 0);
40754 +                                       atomic_set_unchecked(&tcon->num_opens, 0);
40755 +                                       atomic_set_unchecked(&tcon->num_posixopens, 0);
40756 +                                       atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
40757 +                                       atomic_set_unchecked(&tcon->num_closes, 0);
40758 +                                       atomic_set_unchecked(&tcon->num_deletes, 0);
40759 +                                       atomic_set_unchecked(&tcon->num_mkdirs, 0);
40760 +                                       atomic_set_unchecked(&tcon->num_rmdirs, 0);
40761 +                                       atomic_set_unchecked(&tcon->num_renames, 0);
40762 +                                       atomic_set_unchecked(&tcon->num_t2renames, 0);
40763 +                                       atomic_set_unchecked(&tcon->num_ffirst, 0);
40764 +                                       atomic_set_unchecked(&tcon->num_fnext, 0);
40765 +                                       atomic_set_unchecked(&tcon->num_fclose, 0);
40766 +                                       atomic_set_unchecked(&tcon->num_hardlinks, 0);
40767 +                                       atomic_set_unchecked(&tcon->num_symlinks, 0);
40768 +                                       atomic_set_unchecked(&tcon->num_locks, 0);
40769                                 }
40770                         }
40771                 }
40772 @@ -327,8 +327,8 @@ static int cifs_stats_proc_show(struct s
40773                         smBufAllocCount.counter, cifs_min_small);
40774  #ifdef CONFIG_CIFS_STATS2
40775         seq_printf(m, "Total Large %d Small %d Allocations\n",
40776 -                               atomic_read(&totBufAllocCount),
40777 -                               atomic_read(&totSmBufAllocCount));
40778 +                               atomic_read_unchecked(&totBufAllocCount),
40779 +                               atomic_read_unchecked(&totSmBufAllocCount));
40780  #endif /* CONFIG_CIFS_STATS2 */
40781  
40782         seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
40783 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
40784                                 if (tcon->need_reconnect)
40785                                         seq_puts(m, "\tDISCONNECTED ");
40786                                 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
40787 -                                       atomic_read(&tcon->num_smbs_sent),
40788 -                                       atomic_read(&tcon->num_oplock_brks));
40789 +                                       atomic_read_unchecked(&tcon->num_smbs_sent),
40790 +                                       atomic_read_unchecked(&tcon->num_oplock_brks));
40791                                 seq_printf(m, "\nReads:  %d Bytes: %lld",
40792 -                                       atomic_read(&tcon->num_reads),
40793 +                                       atomic_read_unchecked(&tcon->num_reads),
40794                                         (long long)(tcon->bytes_read));
40795                                 seq_printf(m, "\nWrites: %d Bytes: %lld",
40796 -                                       atomic_read(&tcon->num_writes),
40797 +                                       atomic_read_unchecked(&tcon->num_writes),
40798                                         (long long)(tcon->bytes_written));
40799                                 seq_printf(m, "\nFlushes: %d",
40800 -                                       atomic_read(&tcon->num_flushes));
40801 +                                       atomic_read_unchecked(&tcon->num_flushes));
40802                                 seq_printf(m, "\nLocks: %d HardLinks: %d "
40803                                               "Symlinks: %d",
40804 -                                       atomic_read(&tcon->num_locks),
40805 -                                       atomic_read(&tcon->num_hardlinks),
40806 -                                       atomic_read(&tcon->num_symlinks));
40807 +                                       atomic_read_unchecked(&tcon->num_locks),
40808 +                                       atomic_read_unchecked(&tcon->num_hardlinks),
40809 +                                       atomic_read_unchecked(&tcon->num_symlinks));
40810                                 seq_printf(m, "\nOpens: %d Closes: %d "
40811                                               "Deletes: %d",
40812 -                                       atomic_read(&tcon->num_opens),
40813 -                                       atomic_read(&tcon->num_closes),
40814 -                                       atomic_read(&tcon->num_deletes));
40815 +                                       atomic_read_unchecked(&tcon->num_opens),
40816 +                                       atomic_read_unchecked(&tcon->num_closes),
40817 +                                       atomic_read_unchecked(&tcon->num_deletes));
40818                                 seq_printf(m, "\nPosix Opens: %d "
40819                                               "Posix Mkdirs: %d",
40820 -                                       atomic_read(&tcon->num_posixopens),
40821 -                                       atomic_read(&tcon->num_posixmkdirs));
40822 +                                       atomic_read_unchecked(&tcon->num_posixopens),
40823 +                                       atomic_read_unchecked(&tcon->num_posixmkdirs));
40824                                 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
40825 -                                       atomic_read(&tcon->num_mkdirs),
40826 -                                       atomic_read(&tcon->num_rmdirs));
40827 +                                       atomic_read_unchecked(&tcon->num_mkdirs),
40828 +                                       atomic_read_unchecked(&tcon->num_rmdirs));
40829                                 seq_printf(m, "\nRenames: %d T2 Renames %d",
40830 -                                       atomic_read(&tcon->num_renames),
40831 -                                       atomic_read(&tcon->num_t2renames));
40832 +                                       atomic_read_unchecked(&tcon->num_renames),
40833 +                                       atomic_read_unchecked(&tcon->num_t2renames));
40834                                 seq_printf(m, "\nFindFirst: %d FNext %d "
40835                                               "FClose %d",
40836 -                                       atomic_read(&tcon->num_ffirst),
40837 -                                       atomic_read(&tcon->num_fnext),
40838 -                                       atomic_read(&tcon->num_fclose));
40839 +                                       atomic_read_unchecked(&tcon->num_ffirst),
40840 +                                       atomic_read_unchecked(&tcon->num_fnext),
40841 +                                       atomic_read_unchecked(&tcon->num_fclose));
40842                         }
40843                 }
40844         }
40845 diff -urNp linux-3.0.9/fs/cifs/cifsfs.c linux-3.0.9/fs/cifs/cifsfs.c
40846 --- linux-3.0.9/fs/cifs/cifsfs.c        2011-11-11 13:12:24.000000000 -0500
40847 +++ linux-3.0.9/fs/cifs/cifsfs.c        2011-11-15 20:02:59.000000000 -0500
40848 @@ -996,7 +996,7 @@ cifs_init_request_bufs(void)
40849         cifs_req_cachep = kmem_cache_create("cifs_request",
40850                                             CIFSMaxBufSize +
40851                                             MAX_CIFS_HDR_SIZE, 0,
40852 -                                           SLAB_HWCACHE_ALIGN, NULL);
40853 +                                           SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
40854         if (cifs_req_cachep == NULL)
40855                 return -ENOMEM;
40856  
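Review bot: Adding `SLAB_USERCOPY` whitelists the whole `cifs_request` cache for user-copy bounds checking, and the next hunk does the same for `cifs_small_rq`; neither site says why request buffers must cross the user boundary as whole objects, so a reader cannot tell whether the flag is required or merely silences a hardened-usercopy report. A comment at each `kmem_cache_create` naming the copy path that needs it, e.g. `/* SLAB_USERCOPY: request buffers are copied to/from user space as a whole — TODO name the copy path */`, would make the exemption auditable. Since the flag removes the copy-size check for every object in the cache, it is also worth confirming that nothing else is ever carved out of these two caches.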
40857 @@ -1023,7 +1023,7 @@ cifs_init_request_bufs(void)
40858         efficient to alloc 1 per page off the slab compared to 17K (5page)
40859         alloc of large cifs buffers even when page debugging is on */
40860         cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
40861 -                       MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
40862 +                       MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
40863                         NULL);
40864         if (cifs_sm_req_cachep == NULL) {
40865                 mempool_destroy(cifs_req_poolp);
40866 @@ -1108,8 +1108,8 @@ init_cifs(void)
40867         atomic_set(&bufAllocCount, 0);
40868         atomic_set(&smBufAllocCount, 0);
40869  #ifdef CONFIG_CIFS_STATS2
40870 -       atomic_set(&totBufAllocCount, 0);
40871 -       atomic_set(&totSmBufAllocCount, 0);
40872 +       atomic_set_unchecked(&totBufAllocCount, 0);
40873 +       atomic_set_unchecked(&totSmBufAllocCount, 0);
40874  #endif /* CONFIG_CIFS_STATS2 */
40875  
40876         atomic_set(&midCount, 0);
40877 diff -urNp linux-3.0.9/fs/cifs/cifsglob.h linux-3.0.9/fs/cifs/cifsglob.h
40878 --- linux-3.0.9/fs/cifs/cifsglob.h      2011-11-11 13:12:24.000000000 -0500
40879 +++ linux-3.0.9/fs/cifs/cifsglob.h      2011-11-15 20:02:59.000000000 -0500
40880 @@ -381,28 +381,28 @@ struct cifs_tcon {
40881         __u16 Flags;            /* optional support bits */
40882         enum statusEnum tidStatus;
40883  #ifdef CONFIG_CIFS_STATS
40884 -       atomic_t num_smbs_sent;
40885 -       atomic_t num_writes;
40886 -       atomic_t num_reads;
40887 -       atomic_t num_flushes;
40888 -       atomic_t num_oplock_brks;
40889 -       atomic_t num_opens;
40890 -       atomic_t num_closes;
40891 -       atomic_t num_deletes;
40892 -       atomic_t num_mkdirs;
40893 -       atomic_t num_posixopens;
40894 -       atomic_t num_posixmkdirs;
40895 -       atomic_t num_rmdirs;
40896 -       atomic_t num_renames;
40897 -       atomic_t num_t2renames;
40898 -       atomic_t num_ffirst;
40899 -       atomic_t num_fnext;
40900 -       atomic_t num_fclose;
40901 -       atomic_t num_hardlinks;
40902 -       atomic_t num_symlinks;
40903 -       atomic_t num_locks;
40904 -       atomic_t num_acl_get;
40905 -       atomic_t num_acl_set;
40906 +       atomic_unchecked_t num_smbs_sent;
40907 +       atomic_unchecked_t num_writes;
40908 +       atomic_unchecked_t num_reads;
40909 +       atomic_unchecked_t num_flushes;
40910 +       atomic_unchecked_t num_oplock_brks;
40911 +       atomic_unchecked_t num_opens;
40912 +       atomic_unchecked_t num_closes;
40913 +       atomic_unchecked_t num_deletes;
40914 +       atomic_unchecked_t num_mkdirs;
40915 +       atomic_unchecked_t num_posixopens;
40916 +       atomic_unchecked_t num_posixmkdirs;
40917 +       atomic_unchecked_t num_rmdirs;
40918 +       atomic_unchecked_t num_renames;
40919 +       atomic_unchecked_t num_t2renames;
40920 +       atomic_unchecked_t num_ffirst;
40921 +       atomic_unchecked_t num_fnext;
40922 +       atomic_unchecked_t num_fclose;
40923 +       atomic_unchecked_t num_hardlinks;
40924 +       atomic_unchecked_t num_symlinks;
40925 +       atomic_unchecked_t num_locks;
40926 +       atomic_unchecked_t num_acl_get;
40927 +       atomic_unchecked_t num_acl_set;
40928  #ifdef CONFIG_CIFS_STATS2
40929         unsigned long long time_writes;
40930         unsigned long long time_reads;
40931 @@ -613,7 +613,7 @@ convert_delimiter(char *path, char delim
40932  }
40933  
40934  #ifdef CONFIG_CIFS_STATS
40935 -#define cifs_stats_inc atomic_inc
40936 +#define cifs_stats_inc atomic_inc_unchecked
40937  
40938  static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
40939                                             unsigned int bytes)
40940 @@ -911,8 +911,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
40941  /* Various Debug counters */
40942  GLOBAL_EXTERN atomic_t bufAllocCount;    /* current number allocated  */
40943  #ifdef CONFIG_CIFS_STATS2
40944 -GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
40945 -GLOBAL_EXTERN atomic_t totSmBufAllocCount;
40946 +GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
40947 +GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
40948  #endif
40949  GLOBAL_EXTERN atomic_t smBufAllocCount;
40950  GLOBAL_EXTERN atomic_t midCount;
40951 diff -urNp linux-3.0.9/fs/cifs/link.c linux-3.0.9/fs/cifs/link.c
40952 --- linux-3.0.9/fs/cifs/link.c  2011-11-11 13:12:24.000000000 -0500
40953 +++ linux-3.0.9/fs/cifs/link.c  2011-11-15 20:02:59.000000000 -0500
40954 @@ -587,7 +587,7 @@ symlink_exit:
40955  
40956  void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
40957  {
40958 -       char *p = nd_get_link(nd);
40959 +       const char *p = nd_get_link(nd);
40960         if (!IS_ERR(p))
40961                 kfree(p);
40962  }
40963 diff -urNp linux-3.0.9/fs/cifs/misc.c linux-3.0.9/fs/cifs/misc.c
40964 --- linux-3.0.9/fs/cifs/misc.c  2011-11-11 13:12:24.000000000 -0500
40965 +++ linux-3.0.9/fs/cifs/misc.c  2011-11-15 20:02:59.000000000 -0500
40966 @@ -156,7 +156,7 @@ cifs_buf_get(void)
40967                 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
40968                 atomic_inc(&bufAllocCount);
40969  #ifdef CONFIG_CIFS_STATS2
40970 -               atomic_inc(&totBufAllocCount);
40971 +               atomic_inc_unchecked(&totBufAllocCount);
40972  #endif /* CONFIG_CIFS_STATS2 */
40973         }
40974  
40975 @@ -191,7 +191,7 @@ cifs_small_buf_get(void)
40976         /*      memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
40977                 atomic_inc(&smBufAllocCount);
40978  #ifdef CONFIG_CIFS_STATS2
40979 -               atomic_inc(&totSmBufAllocCount);
40980 +               atomic_inc_unchecked(&totSmBufAllocCount);
40981  #endif /* CONFIG_CIFS_STATS2 */
40982  
40983         }
40984 diff -urNp linux-3.0.9/fs/coda/cache.c linux-3.0.9/fs/coda/cache.c
40985 --- linux-3.0.9/fs/coda/cache.c 2011-11-11 13:12:24.000000000 -0500
40986 +++ linux-3.0.9/fs/coda/cache.c 2011-11-15 20:02:59.000000000 -0500
40987 @@ -24,7 +24,7 @@
40988  #include "coda_linux.h"
40989  #include "coda_cache.h"
40990  
40991 -static atomic_t permission_epoch = ATOMIC_INIT(0);
40992 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
40993  
40994  /* replace or extend an acl cache hit */
40995  void coda_cache_enter(struct inode *inode, int mask)
40996 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
40997         struct coda_inode_info *cii = ITOC(inode);
40998  
40999         spin_lock(&cii->c_lock);
41000 -       cii->c_cached_epoch = atomic_read(&permission_epoch);
41001 +       cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
41002         if (cii->c_uid != current_fsuid()) {
41003                 cii->c_uid = current_fsuid();
41004                  cii->c_cached_perm = mask;
41005 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
41006  {
41007         struct coda_inode_info *cii = ITOC(inode);
41008         spin_lock(&cii->c_lock);
41009 -       cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
41010 +       cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
41011         spin_unlock(&cii->c_lock);
41012  }
41013  
41014  /* remove all acl caches */
41015  void coda_cache_clear_all(struct super_block *sb)
41016  {
41017 -       atomic_inc(&permission_epoch);
41018 +       atomic_inc_unchecked(&permission_epoch);
41019  }
41020  
41021  
41022 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
41023         spin_lock(&cii->c_lock);
41024         hit = (mask & cii->c_cached_perm) == mask &&
41025             cii->c_uid == current_fsuid() &&
41026 -           cii->c_cached_epoch == atomic_read(&permission_epoch);
41027 +           cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
41028         spin_unlock(&cii->c_lock);
41029  
41030         return hit;
41031 diff -urNp linux-3.0.9/fs/compat_binfmt_elf.c linux-3.0.9/fs/compat_binfmt_elf.c
41032 --- linux-3.0.9/fs/compat_binfmt_elf.c  2011-11-11 13:12:24.000000000 -0500
41033 +++ linux-3.0.9/fs/compat_binfmt_elf.c  2011-11-15 20:02:59.000000000 -0500
41034 @@ -30,11 +30,13 @@
41035  #undef elf_phdr
41036  #undef elf_shdr
41037  #undef elf_note
41038 +#undef elf_dyn
41039  #undef elf_addr_t
41040  #define elfhdr         elf32_hdr
41041  #define elf_phdr       elf32_phdr
41042  #define elf_shdr       elf32_shdr
41043  #define elf_note       elf32_note
41044 +#define elf_dyn                Elf32_Dyn
41045  #define elf_addr_t     Elf32_Addr
41046  
41047  /*
41048 diff -urNp linux-3.0.9/fs/compat.c linux-3.0.9/fs/compat.c
41049 --- linux-3.0.9/fs/compat.c     2011-11-11 13:12:24.000000000 -0500
41050 +++ linux-3.0.9/fs/compat.c     2011-11-15 20:02:59.000000000 -0500
41051 @@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(const 
41052  static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
41053  {
41054         compat_ino_t ino = stat->ino;
41055 -       typeof(ubuf->st_uid) uid = 0;
41056 -       typeof(ubuf->st_gid) gid = 0;
41057 +       typeof(((struct compat_stat *)0)->st_uid) uid = 0;
41058 +       typeof(((struct compat_stat *)0)->st_gid) gid = 0;
41059         int err;
41060  
41061         SET_UID(uid, stat->uid);
41062 @@ -508,7 +508,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
41063  
41064         set_fs(KERNEL_DS);
41065         /* The __user pointer cast is valid because of the set_fs() */
41066 -       ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
41067 +       ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
41068         set_fs(oldfs);
41069         /* truncating is ok because it's a user address */
41070         if (!ret)
41071 @@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
41072                 goto out;
41073  
41074         ret = -EINVAL;
41075 -       if (nr_segs > UIO_MAXIOV || nr_segs < 0)
41076 +       if (nr_segs > UIO_MAXIOV)
41077                 goto out;
41078         if (nr_segs > fast_segs) {
41079                 ret = -ENOMEM;
41080 @@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
41081  
41082  struct compat_readdir_callback {
41083         struct compat_old_linux_dirent __user *dirent;
41084 +       struct file * file;
41085         int result;
41086  };
41087  
41088 @@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
41089                 buf->result = -EOVERFLOW;
41090                 return -EOVERFLOW;
41091         }
41092 +
41093 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41094 +               return 0;
41095 +
41096         buf->result++;
41097         dirent = buf->dirent;
41098         if (!access_ok(VERIFY_WRITE, dirent,
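Review bot: The ACL test is placed after the compat_ino_t overflow path, so an entry that `gr_acl_handle_filldir()` would hide but whose inode number does not fit the 32-bit field still aborts the whole readdir with `-EOVERFLOW`, which tells the caller that a hidden entry exists (the overflow condition itself is above the hunk; only its `buf->result = -EOVERFLOW` tail is visible, so this is inferred). Moving the `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` test ahead of that block makes hidden entries invisible regardless of their inode number. compat_fillonedir starts and ends outside the hunk.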
41099 @@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
41100  
41101         buf.result = 0;
41102         buf.dirent = dirent;
41103 +       buf.file = file;
41104  
41105         error = vfs_readdir(file, compat_fillonedir, &buf);
41106         if (buf.result)
41107 @@ -917,6 +923,7 @@ struct compat_linux_dirent {
41108  struct compat_getdents_callback {
41109         struct compat_linux_dirent __user *current_dir;
41110         struct compat_linux_dirent __user *previous;
41111 +       struct file * file;
41112         int count;
41113         int error;
41114  };
41115 @@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
41116                 buf->error = -EOVERFLOW;
41117                 return -EOVERFLOW;
41118         }
41119 +
41120 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41121 +               return 0;
41122 +
41123         dirent = buf->previous;
41124         if (dirent) {
41125                 if (__put_user(offset, &dirent->d_off))
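Review bot: As in compat_fillonedir, the new `gr_acl_handle_filldir()` check runs only after the `-EOVERFLOW` exit, so a hidden entry with an inode number that does not fit `compat_ino_t` still fails the call and thereby reveals its existence. Hoisting the three added lines above the overflow test (whose condition is outside the hunk) would make the ACL decision the first thing that happens for every entry. compat_filldir continues beyond the hunk.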
41126 @@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
41127         buf.previous = NULL;
41128         buf.count = count;
41129         buf.error = 0;
41130 +       buf.file = file;
41131  
41132         error = vfs_readdir(file, compat_filldir, &buf);
41133         if (error >= 0)
41134 @@ -1006,6 +1018,7 @@ out:
41135  struct compat_getdents_callback64 {
41136         struct linux_dirent64 __user *current_dir;
41137         struct linux_dirent64 __user *previous;
41138 +       struct file * file;
41139         int count;
41140         int error;
41141  };
41142 @@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
41143         buf->error = -EINVAL;   /* only used if we fail.. */
41144         if (reclen > buf->count)
41145                 return -EINVAL;
41146 +
41147 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41148 +               return 0;
41149 +
41150         dirent = buf->previous;
41151  
41152         if (dirent) {
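Review bot: `gr_acl_handle_filldir()` is evaluated only after `if (reclen > buf->count) return -EINVAL;`, so an entry the ACL hides still stops the fill when its record would not fit the remaining space, and a user buffer smaller than that hidden record gets `-EINVAL` on every call instead of having the entry skipped. Placing the ACL test before the reclen/count comparison keeps hidden entries from affecting either the error code or where the scan stops. compat_filldir64 begins and ends outside this hunk.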
41153 @@ -1073,13 +1090,14 @@ asmlinkage long compat_sys_getdents64(un
41154         buf.previous = NULL;
41155         buf.count = count;
41156         buf.error = 0;
41157 +       buf.file = file;
41158  
41159         error = vfs_readdir(file, compat_filldir64, &buf);
41160         if (error >= 0)
41161                 error = buf.error;
41162         lastdirent = buf.previous;
41163         if (lastdirent) {
41164 -               typeof(lastdirent->d_off) d_off = file->f_pos;
41165 +               typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
41166                 if (__put_user_unaligned(d_off, &lastdirent->d_off))
41167                         error = -EFAULT;
41168                 else
41169 @@ -1446,6 +1464,8 @@ int compat_core_sys_select(int n, compat
41170         struct fdtable *fdt;
41171         long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
41172  
41173 +       pax_track_stack();
41174 +
41175         if (n < 0)
41176                 goto out_nofds;
41177  
41178 @@ -1904,7 +1924,7 @@ asmlinkage long compat_sys_nfsservctl(in
41179         oldfs = get_fs();
41180         set_fs(KERNEL_DS);
41181         /* The __user pointer casts are valid because of the set_fs() */
41182 -       err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
41183 +       err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
41184         set_fs(oldfs);
41185  
41186         if (err)
41187 diff -urNp linux-3.0.9/fs/compat_ioctl.c linux-3.0.9/fs/compat_ioctl.c
41188 --- linux-3.0.9/fs/compat_ioctl.c       2011-11-11 13:12:24.000000000 -0500
41189 +++ linux-3.0.9/fs/compat_ioctl.c       2011-11-15 20:02:59.000000000 -0500
41190 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
41191  
41192         err  = get_user(palp, &up->palette);
41193         err |= get_user(length, &up->length);
41194 +       if (err)
41195 +               return -EFAULT;
41196  
41197         up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
41198         err  = put_user(compat_ptr(palp), &up_native->palette);
41199 @@ -619,7 +621,7 @@ static int serial_struct_ioctl(unsigned 
41200                         return -EFAULT;
41201                  if (__get_user(udata, &ss32->iomem_base))
41202                         return -EFAULT;
41203 -                ss.iomem_base = compat_ptr(udata);
41204 +                ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
41205                  if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
41206                     __get_user(ss.port_high, &ss32->port_high))
41207                         return -EFAULT;
41208 @@ -794,7 +796,7 @@ static int compat_ioctl_preallocate(stru
41209             copy_in_user(&p->l_len,     &p32->l_len,    sizeof(s64)) ||
41210             copy_in_user(&p->l_sysid,   &p32->l_sysid,  sizeof(s32)) ||
41211             copy_in_user(&p->l_pid,     &p32->l_pid,    sizeof(u32)) ||
41212 -           copy_in_user(&p->l_pad,     &p32->l_pad,    4*sizeof(u32)))
41213 +           copy_in_user(p->l_pad,      &p32->l_pad,    4*sizeof(u32)))
41214                 return -EFAULT;
41215  
41216         return ioctl_preallocate(file, p);
41217 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
41218  static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
41219  {
41220         unsigned int a, b;
41221 -       a = *(unsigned int *)p;
41222 -       b = *(unsigned int *)q;
41223 +       a = *(const unsigned int *)p;
41224 +       b = *(const unsigned int *)q;
41225         if (a > b)
41226                 return 1;
41227         if (a < b)
41228 diff -urNp linux-3.0.9/fs/configfs/dir.c linux-3.0.9/fs/configfs/dir.c
41229 --- linux-3.0.9/fs/configfs/dir.c       2011-11-11 13:12:24.000000000 -0500
41230 +++ linux-3.0.9/fs/configfs/dir.c       2011-11-15 20:02:59.000000000 -0500
41231 @@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file 
41232                         }
41233                         for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
41234                                 struct configfs_dirent *next;
41235 -                               const char * name;
41236 +                               const unsigned char * name;
41237 +                               char d_name[sizeof(next->s_dentry->d_iname)];
41238                                 int len;
41239                                 struct inode *inode = NULL;
41240  
41241 @@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file 
41242                                         continue;
41243  
41244                                 name = configfs_get_name(next);
41245 -                               len = strlen(name);
41246 +                               if (next->s_dentry && name == next->s_dentry->d_iname) {
41247 +                                       len =  next->s_dentry->d_name.len;
41248 +                                       memcpy(d_name, name, len);
41249 +                                       name = d_name;
41250 +                               } else
41251 +                                       len = strlen(name);
41252  
41253                                 /*
41254                                  * We'll have a dentry and an inode for
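Review bot: `memcpy(d_name, name, len)` copies `next->s_dentry->d_name.len` bytes into a buffer sized `sizeof(d_iname)` with no bound, yet the copy exists precisely to tolerate a concurrent rename, and that is the situation in which `d_name.len` may be observed after the name has moved to an external allocation and exceed the inline buffer (whether d_move can publish the larger len before the name pointer changes is not visible here, so treat this as a hedged concern). A clamp before the copy, `if (len > (int)sizeof(d_name)) len = sizeof(d_name);`, keeps the stack write bounded in that window. Separately, `name = d_name;` assigns a `char *` to a `const unsigned char *`, which compilers warn about; declaring `unsigned char d_name[sizeof(next->s_dentry->d_iname)];` avoids it. configfs_readdir starts and ends outside the hunk.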
41255 diff -urNp linux-3.0.9/fs/dcache.c linux-3.0.9/fs/dcache.c
41256 --- linux-3.0.9/fs/dcache.c     2011-11-11 13:12:24.000000000 -0500
41257 +++ linux-3.0.9/fs/dcache.c     2011-11-15 20:02:59.000000000 -0500
41258 @@ -3089,7 +3089,7 @@ void __init vfs_caches_init(unsigned lon
41259         mempages -= reserve;
41260  
41261         names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
41262 -                       SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
41263 +                       SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
41264  
41265         dcache_init();
41266         inode_init();
41267 diff -urNp linux-3.0.9/fs/ecryptfs/inode.c linux-3.0.9/fs/ecryptfs/inode.c
41268 --- linux-3.0.9/fs/ecryptfs/inode.c     2011-11-11 13:12:24.000000000 -0500
41269 +++ linux-3.0.9/fs/ecryptfs/inode.c     2011-11-15 20:02:59.000000000 -0500
41270 @@ -704,7 +704,7 @@ static int ecryptfs_readlink_lower(struc
41271         old_fs = get_fs();
41272         set_fs(get_ds());
41273         rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
41274 -                                                  (char __user *)lower_buf,
41275 +                                                  (char __force_user *)lower_buf,
41276                                                    lower_bufsiz);
41277         set_fs(old_fs);
41278         if (rc < 0)
41279 @@ -750,7 +750,7 @@ static void *ecryptfs_follow_link(struct
41280         }
41281         old_fs = get_fs();
41282         set_fs(get_ds());
41283 -       rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
41284 +       rc = dentry->d_inode->i_op->readlink(dentry, (char __force_user *)buf, len);
41285         set_fs(old_fs);
41286         if (rc < 0) {
41287                 kfree(buf);
41288 @@ -765,7 +765,7 @@ out:
41289  static void
41290  ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
41291  {
41292 -       char *buf = nd_get_link(nd);
41293 +       const char *buf = nd_get_link(nd);
41294         if (!IS_ERR(buf)) {
41295                 /* Free the char* */
41296                 kfree(buf);
41297 diff -urNp linux-3.0.9/fs/ecryptfs/miscdev.c linux-3.0.9/fs/ecryptfs/miscdev.c
41298 --- linux-3.0.9/fs/ecryptfs/miscdev.c   2011-11-11 13:12:24.000000000 -0500
41299 +++ linux-3.0.9/fs/ecryptfs/miscdev.c   2011-11-15 20:02:59.000000000 -0500
41300 @@ -328,7 +328,7 @@ check_list:
41301                 goto out_unlock_msg_ctx;
41302         i = 5;
41303         if (msg_ctx->msg) {
41304 -               if (copy_to_user(&buf[i], packet_length, packet_length_size))
41305 +               if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
41306                         goto out_unlock_msg_ctx;
41307                 i += packet_length_size;
41308                 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
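Review bot: `packet_length_size > sizeof(packet_length)` guards a size produced by the kernel's own packet-length encoder rather than by userspace, so if it ever trips it is an internal invariant violation, yet it is routed to out_unlock_msg_ctx exactly like a failed copy_to_user; a `WARN_ON_ONCE()` on that condition, and an explicit `rc = -EIO;` before the goto if the label does not already set rc (the label's handling is outside the hunk), would keep the two cases distinguishable in logs and return values. The bound is only meaningful if `packet_length` is a local array; should it be a pointer, `sizeof` yields the pointer size and the check silently becomes wrong, so the declaration (above the hunk) is worth a glance. The enclosing function starts and ends outside the hunk.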
41309 diff -urNp linux-3.0.9/fs/ecryptfs/read_write.c linux-3.0.9/fs/ecryptfs/read_write.c
41310 --- linux-3.0.9/fs/ecryptfs/read_write.c        2011-11-11 13:12:24.000000000 -0500
41311 +++ linux-3.0.9/fs/ecryptfs/read_write.c        2011-11-15 20:02:59.000000000 -0500
41312 @@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *e
41313                 return -EIO;
41314         fs_save = get_fs();
41315         set_fs(get_ds());
41316 -       rc = vfs_write(lower_file, data, size, &offset);
41317 +       rc = vfs_write(lower_file, (const char __force_user *)data, size, &offset);
41318         set_fs(fs_save);
41319         mark_inode_dirty_sync(ecryptfs_inode);
41320         return rc;
41321 @@ -235,7 +235,7 @@ int ecryptfs_read_lower(char *data, loff
41322                 return -EIO;
41323         fs_save = get_fs();
41324         set_fs(get_ds());
41325 -       rc = vfs_read(lower_file, data, size, &offset);
41326 +       rc = vfs_read(lower_file, (char __force_user *)data, size, &offset);
41327         set_fs(fs_save);
41328         return rc;
41329  }
41330 diff -urNp linux-3.0.9/fs/exec.c linux-3.0.9/fs/exec.c
41331 --- linux-3.0.9/fs/exec.c       2011-11-11 13:12:24.000000000 -0500
41332 +++ linux-3.0.9/fs/exec.c       2011-11-15 20:02:59.000000000 -0500
41333 @@ -55,12 +55,24 @@
41334  #include <linux/pipe_fs_i.h>
41335  #include <linux/oom.h>
41336  #include <linux/compat.h>
41337 +#include <linux/random.h>
41338 +#include <linux/seq_file.h>
41339 +
41340 +#ifdef CONFIG_PAX_REFCOUNT
41341 +#include <linux/kallsyms.h>
41342 +#include <linux/kdebug.h>
41343 +#endif
41344  
41345  #include <asm/uaccess.h>
41346  #include <asm/mmu_context.h>
41347  #include <asm/tlb.h>
41348  #include "internal.h"
41349  
41350 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
41351 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
41352 +EXPORT_SYMBOL(pax_set_initial_flags_func);
41353 +#endif
41354 +
41355  int core_uses_pid;
41356  char core_pattern[CORENAME_MAX_SIZE] = "core";
41357  unsigned int core_pipe_limit;
41358 @@ -70,7 +82,7 @@ struct core_name {
41359         char *corename;
41360         int used, size;
41361  };
41362 -static atomic_t call_count = ATOMIC_INIT(1);
41363 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
41364  
41365  /* The maximal length of core_pattern is also specified in sysctl.c */
41366  
41367 @@ -116,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __use
41368         char *tmp = getname(library);
41369         int error = PTR_ERR(tmp);
41370         static const struct open_flags uselib_flags = {
41371 -               .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
41372 +               .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
41373                 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
41374                 .intent = LOOKUP_OPEN
41375         };
41376 @@ -195,18 +207,10 @@ static struct page *get_arg_page(struct 
41377                 int write)
41378  {
41379         struct page *page;
41380 -       int ret;
41381  
41382 -#ifdef CONFIG_STACK_GROWSUP
41383 -       if (write) {
41384 -               ret = expand_downwards(bprm->vma, pos);
41385 -               if (ret < 0)
41386 -                       return NULL;
41387 -       }
41388 -#endif
41389 -       ret = get_user_pages(current, bprm->mm, pos,
41390 -                       1, write, 1, &page, NULL);
41391 -       if (ret <= 0)
41392 +       if (0 > expand_downwards(bprm->vma, pos))
41393 +               return NULL;
41394 +       if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
41395                 return NULL;
41396  
41397         if (write) {
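Review bot: The rewritten get_arg_page now calls `expand_downwards()` on every lookup, read-only ones included, and drops the STACK_GROWSUP/write-only condition without a word on why; a one-line comment above the call stating the actual reason (presumably that the stack VMA is grown explicitly here instead of in the fault path) would save the next reader from re-deriving it. The reversed comparisons also hurt readability: `if (expand_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` say the same thing in the form the rest of the file uses. The function continues past the hunk.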
41398 @@ -281,6 +285,11 @@ static int __bprm_mm_init(struct linux_b
41399         vma->vm_end = STACK_TOP_MAX;
41400         vma->vm_start = vma->vm_end - PAGE_SIZE;
41401         vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
41402 +
41403 +#ifdef CONFIG_PAX_SEGMEXEC
41404 +       vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
41405 +#endif
41406 +
41407         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
41408         INIT_LIST_HEAD(&vma->anon_vma_chain);
41409  
41410 @@ -295,6 +304,12 @@ static int __bprm_mm_init(struct linux_b
41411         mm->stack_vm = mm->total_vm = 1;
41412         up_write(&mm->mmap_sem);
41413         bprm->p = vma->vm_end - sizeof(void *);
41414 +
41415 +#ifdef CONFIG_PAX_RANDUSTACK
41416 +       if (randomize_va_space)
41417 +               bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
41418 +#endif
41419 +
41420         return 0;
41421  err:
41422         up_write(&mm->mmap_sem);
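Review bot: `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` is correct only because of two facts established a few lines earlier — `vma->vm_end` is page aligned and `bprm->p` sits `sizeof(void *)` below it — which together guarantee the XOR never leaves the one-page stack VMA and preserves the pointer's 8-byte alignment; none of that is stated. Suggested comment above the line: `/* XOR with a 16-byte-aligned sub-page offset: p stays within the single stack page and keeps its alignment */`. If __bprm_mm_init ever sizes the initial VMA differently the randomisation silently breaks, so the comment should name that dependency. __bprm_mm_init starts outside the hunk.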
41423 @@ -403,19 +418,7 @@ err:
41424         return err;
41425  }
41426  
41427 -struct user_arg_ptr {
41428 -#ifdef CONFIG_COMPAT
41429 -       bool is_compat;
41430 -#endif
41431 -       union {
41432 -               const char __user *const __user *native;
41433 -#ifdef CONFIG_COMPAT
41434 -               compat_uptr_t __user *compat;
41435 -#endif
41436 -       } ptr;
41437 -};
41438 -
41439 -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41440 +const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41441  {
41442         const char __user *native;
41443  
41444 @@ -424,14 +427,14 @@ static const char __user *get_user_arg_p
41445                 compat_uptr_t compat;
41446  
41447                 if (get_user(compat, argv.ptr.compat + nr))
41448 -                       return ERR_PTR(-EFAULT);
41449 +                       return (const char __force_user *)ERR_PTR(-EFAULT);
41450  
41451                 return compat_ptr(compat);
41452         }
41453  #endif
41454  
41455         if (get_user(native, argv.ptr.native + nr))
41456 -               return ERR_PTR(-EFAULT);
41457 +               return (const char __force_user *)ERR_PTR(-EFAULT);
41458  
41459         return native;
41460  }
41461 @@ -450,7 +453,7 @@ static int count(struct user_arg_ptr arg
41462                         if (!p)
41463                                 break;
41464  
41465 -                       if (IS_ERR(p))
41466 +                       if (IS_ERR((const char __force_kernel *)p))
41467                                 return -EFAULT;
41468  
41469                         if (i++ >= max)
41470 @@ -484,7 +487,7 @@ static int copy_strings(int argc, struct
41471  
41472                 ret = -EFAULT;
41473                 str = get_user_arg_ptr(argv, argc);
41474 -               if (IS_ERR(str))
41475 +               if (IS_ERR((const char __force_kernel *)str))
41476                         goto out;
41477  
41478                 len = strnlen_user(str, MAX_ARG_STRLEN);
41479 @@ -566,7 +569,7 @@ int copy_strings_kernel(int argc, const 
41480         int r;
41481         mm_segment_t oldfs = get_fs();
41482         struct user_arg_ptr argv = {
41483 -               .ptr.native = (const char __user *const  __user *)__argv,
41484 +               .ptr.native = (const char __force_user *const  __force_user *)__argv,
41485         };
41486  
41487         set_fs(KERNEL_DS);
41488 @@ -601,7 +604,8 @@ static int shift_arg_pages(struct vm_are
41489         unsigned long new_end = old_end - shift;
41490         struct mmu_gather tlb;
41491  
41492 -       BUG_ON(new_start > new_end);
41493 +       if (new_start >= new_end || new_start < mmap_min_addr)
41494 +               return -ENOMEM;
41495  
41496         /*
41497          * ensure there are no vmas between where we want to go
41498 @@ -610,6 +614,10 @@ static int shift_arg_pages(struct vm_are
41499         if (vma != find_vma(mm, new_start))
41500                 return -EFAULT;
41501  
41502 +#ifdef CONFIG_PAX_SEGMEXEC
41503 +       BUG_ON(pax_find_mirror_vma(vma));
41504 +#endif
41505 +
41506         /*
41507          * cover the whole range: [new_start, old_end)
41508          */
41509 @@ -690,10 +698,6 @@ int setup_arg_pages(struct linux_binprm 
41510         stack_top = arch_align_stack(stack_top);
41511         stack_top = PAGE_ALIGN(stack_top);
41512  
41513 -       if (unlikely(stack_top < mmap_min_addr) ||
41514 -           unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
41515 -               return -ENOMEM;
41516 -
41517         stack_shift = vma->vm_end - stack_top;
41518  
41519         bprm->p -= stack_shift;
41520 @@ -705,8 +709,28 @@ int setup_arg_pages(struct linux_binprm 
41521         bprm->exec -= stack_shift;
41522  
41523         down_write(&mm->mmap_sem);
41524 +
41525 +       /* Move stack pages down in memory. */
41526 +       if (stack_shift) {
41527 +               ret = shift_arg_pages(vma, stack_shift);
41528 +               if (ret)
41529 +                       goto out_unlock;
41530 +       }
41531 +
41532         vm_flags = VM_STACK_FLAGS;
41533  
41534 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41535 +       if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41536 +               vm_flags &= ~VM_EXEC;
41537 +
41538 +#ifdef CONFIG_PAX_MPROTECT
41539 +               if (mm->pax_flags & MF_PAX_MPROTECT)
41540 +                       vm_flags &= ~VM_MAYEXEC;
41541 +#endif
41542 +
41543 +       }
41544 +#endif
41545 +
41546         /*
41547          * Adjust stack execute permissions; explicitly enable for
41548          * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
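Review bot: With the `stack_top < mmap_min_addr` test deleted from setup_arg_pages (the hunk just above), the only remaining mmap_min_addr check is the one now inside shift_arg_pages, and `if (stack_shift)` skips that call whenever the stack already sits at stack_top, so correctness relies on a zero shift implying vm_start is above mmap_min_addr — plausible given the argument-size limits, but worth either a comment on the `if (stack_shift)` line or a retained `if (unlikely(stack_top < mmap_min_addr)) return -ENOMEM;` before `down_write`. The move of the shift ahead of the vm_flags/mprotect_fixup step likewise carries no explanation and deserves one line. The PaX block clears VM_EXEC, but the EXSTACK_ENABLE_X branch that follows (outside the hunk) can set it again unless the binfmt loader already forces EXSTACK_DISABLE_X under these flags — presumably it does, and a comment here should say so. setup_arg_pages starts and ends outside the hunk.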
41549 @@ -725,13 +749,6 @@ int setup_arg_pages(struct linux_binprm 
41550                 goto out_unlock;
41551         BUG_ON(prev != vma);
41552  
41553 -       /* Move stack pages down in memory. */
41554 -       if (stack_shift) {
41555 -               ret = shift_arg_pages(vma, stack_shift);
41556 -               if (ret)
41557 -                       goto out_unlock;
41558 -       }
41559 -
41560         /* mprotect_fixup is overkill to remove the temporary stack flags */
41561         vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
41562  
41563 @@ -771,7 +788,7 @@ struct file *open_exec(const char *name)
41564         struct file *file;
41565         int err;
41566         static const struct open_flags open_exec_flags = {
41567 -               .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
41568 +               .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
41569                 .acc_mode = MAY_EXEC | MAY_OPEN,
41570                 .intent = LOOKUP_OPEN
41571         };
41572 @@ -812,7 +829,7 @@ int kernel_read(struct file *file, loff_
41573         old_fs = get_fs();
41574         set_fs(get_ds());
41575         /* The cast to a user pointer is valid due to the set_fs() */
41576 -       result = vfs_read(file, (void __user *)addr, count, &pos);
41577 +       result = vfs_read(file, (void __force_user *)addr, count, &pos);
41578         set_fs(old_fs);
41579         return result;
41580  }
41581 @@ -1236,7 +1253,7 @@ int check_unsafe_exec(struct linux_binpr
41582         }
41583         rcu_read_unlock();
41584  
41585 -       if (p->fs->users > n_fs) {
41586 +       if (atomic_read(&p->fs->users) > n_fs) {
41587                 bprm->unsafe |= LSM_UNSAFE_SHARE;
41588         } else {
41589                 res = -EAGAIN;
41590 @@ -1430,11 +1447,35 @@ static int do_execve_common(const char *
41591                                 struct user_arg_ptr envp,
41592                                 struct pt_regs *regs)
41593  {
41594 +#ifdef CONFIG_GRKERNSEC
41595 +       struct file *old_exec_file;
41596 +       struct acl_subject_label *old_acl;
41597 +       struct rlimit old_rlim[RLIM_NLIMITS];
41598 +#endif
41599         struct linux_binprm *bprm;
41600         struct file *file;
41601         struct files_struct *displaced;
41602         bool clear_in_exec;
41603         int retval;
41604 +       const struct cred *cred = current_cred();
41605 +
41606 +       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
41607 +
41608 +       /*
41609 +        * We move the actual failure in case of RLIMIT_NPROC excess from
41610 +        * set*uid() to execve() because too many poorly written programs
41611 +        * don't check setuid() return code.  Here we additionally recheck
41612 +        * whether NPROC limit is still exceeded.
41613 +        */
41614 +       if ((current->flags & PF_NPROC_EXCEEDED) &&
41615 +           atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
41616 +               retval = -EAGAIN;
41617 +               goto out_ret;
41618 +       }
41619 +
41620 +       /* We're below the limit (still or again), so we don't want to make
41621 +        * further execve() calls fail. */
41622 +       current->flags &= ~PF_NPROC_EXCEEDED;
41623  
41624         retval = unshare_files(&displaced);
41625         if (retval)
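Review bot: The new block reads the process count through two different paths — `atomic_read(&current->cred->user->processes)` in the gr_learn_resource() call and `cred->user->processes` in the limit test — even though `cred` was just taken from current_cred(); using `cred->user->processes` in both keeps the two reads visibly on the same credential and is the only use the new local otherwise has. Clearing PF_NPROC_EXCEEDED only after the recheck passes matches the comment, so no behavioural concern there. do_execve_common continues beyond the hunk.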
41626 @@ -1466,6 +1507,16 @@ static int do_execve_common(const char *
41627         bprm->filename = filename;
41628         bprm->interp = filename;
41629  
41630 +       if (gr_process_user_ban()) {
41631 +               retval = -EPERM;
41632 +               goto out_file;
41633 +       }
41634 +
41635 +       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
41636 +               retval = -EACCES;
41637 +               goto out_file;
41638 +       }
41639 +
41640         retval = bprm_mm_init(bprm);
41641         if (retval)
41642                 goto out_file;
41643 @@ -1495,9 +1546,40 @@ static int do_execve_common(const char *
41644         if (retval < 0)
41645                 goto out;
41646  
41647 +       if (!gr_tpe_allow(file)) {
41648 +               retval = -EACCES;
41649 +               goto out;
41650 +       }
41651 +
41652 +       if (gr_check_crash_exec(file)) {
41653 +               retval = -EACCES;
41654 +               goto out;
41655 +       }
41656 +
41657 +       gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
41658 +
41659 +       gr_handle_exec_args(bprm, argv);
41660 +
41661 +#ifdef CONFIG_GRKERNSEC
41662 +       old_acl = current->acl;
41663 +       memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
41664 +       old_exec_file = current->exec_file;
41665 +       get_file(file);
41666 +       current->exec_file = file;
41667 +#endif
41668 +
41669 +       retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
41670 +                                       bprm->unsafe & LSM_UNSAFE_SHARE);
41671 +       if (retval < 0)
41672 +               goto out_fail;
41673 +
41674         retval = search_binary_handler(bprm,regs);
41675         if (retval < 0)
41676 -               goto out;
41677 +               goto out_fail;
41678 +#ifdef CONFIG_GRKERNSEC
41679 +       if (old_exec_file)
41680 +               fput(old_exec_file);
41681 +#endif
41682  
41683         /* execve succeeded */
41684         current->fs->in_exec = 0;
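Review bot: `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` snapshots the rlimit array without the lock writers take (do_prlimit updates `signal->rlim` under task_lock of the group leader), so a concurrent prlimit() from another thread can be read torn here and, on the out_fail path, silently overwritten by the stale copy. Wrapping the copy as `task_lock(current->group_leader); memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim)); task_unlock(current->group_leader);` and doing the same around the restore would close that window. If search_binary_handler() fails past the point of no return the restore of `acl`/`rlim`/`exec_file` runs for a task that is about to be killed — harmless, but a comment at the goto noting the restore only matters for pre-flush failures would help. do_execve_common starts and ends outside the hunk.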
41685 @@ -1508,6 +1590,14 @@ static int do_execve_common(const char *
41686                 put_files_struct(displaced);
41687         return retval;
41688  
41689 +out_fail:
41690 +#ifdef CONFIG_GRKERNSEC
41691 +       current->acl = old_acl;
41692 +       memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
41693 +       fput(current->exec_file);
41694 +       current->exec_file = old_exec_file;
41695 +#endif
41696 +
41697  out:
41698         if (bprm->mm) {
41699                 acct_arg_size(bprm, 0);
41700 @@ -1581,7 +1671,7 @@ static int expand_corename(struct core_n
41701  {
41702         char *old_corename = cn->corename;
41703  
41704 -       cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
41705 +       cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
41706         cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
41707  
41708         if (!cn->corename) {
41709 @@ -1669,7 +1759,7 @@ static int format_corename(struct core_n
41710         int pid_in_pattern = 0;
41711         int err = 0;
41712  
41713 -       cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
41714 +       cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
41715         cn->corename = kmalloc(cn->size, GFP_KERNEL);
41716         cn->used = 0;
41717  
41718 @@ -1760,6 +1850,219 @@ out:
41719         return ispipe;
41720  }
41721  
41722 +int pax_check_flags(unsigned long *flags)
41723 +{
41724 +       int retval = 0;
41725 +
41726 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
41727 +       if (*flags & MF_PAX_SEGMEXEC)
41728 +       {
41729 +               *flags &= ~MF_PAX_SEGMEXEC;
41730 +               retval = -EINVAL;
41731 +       }
41732 +#endif
41733 +
41734 +       if ((*flags & MF_PAX_PAGEEXEC)
41735 +
41736 +#ifdef CONFIG_PAX_PAGEEXEC
41737 +           &&  (*flags & MF_PAX_SEGMEXEC)
41738 +#endif
41739 +
41740 +          )
41741 +       {
41742 +               *flags &= ~MF_PAX_PAGEEXEC;
41743 +               retval = -EINVAL;
41744 +       }
41745 +
41746 +       if ((*flags & MF_PAX_MPROTECT)
41747 +
41748 +#ifdef CONFIG_PAX_MPROTECT
41749 +           && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41750 +#endif
41751 +
41752 +          )
41753 +       {
41754 +               *flags &= ~MF_PAX_MPROTECT;
41755 +               retval = -EINVAL;
41756 +       }
41757 +
41758 +       if ((*flags & MF_PAX_EMUTRAMP)
41759 +
41760 +#ifdef CONFIG_PAX_EMUTRAMP
41761 +           && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41762 +#endif
41763 +
41764 +          )
41765 +       {
41766 +               *flags &= ~MF_PAX_EMUTRAMP;
41767 +               retval = -EINVAL;
41768 +       }
41769 +
41770 +       return retval;
41771 +}
41772 +
41773 +EXPORT_SYMBOL(pax_check_flags);
41774 +
41775 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41776 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
41777 +{
41778 +       struct task_struct *tsk = current;
41779 +       struct mm_struct *mm = current->mm;
41780 +       char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
41781 +       char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
41782 +       char *path_exec = NULL;
41783 +       char *path_fault = NULL;
41784 +       unsigned long start = 0UL, end = 0UL, offset = 0UL;
41785 +
41786 +       if (buffer_exec && buffer_fault) {
41787 +               struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
41788 +
41789 +               down_read(&mm->mmap_sem);
41790 +               vma = mm->mmap;
41791 +               while (vma && (!vma_exec || !vma_fault)) {
41792 +                       if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
41793 +                               vma_exec = vma;
41794 +                       if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
41795 +                               vma_fault = vma;
41796 +                       vma = vma->vm_next;
41797 +               }
41798 +               if (vma_exec) {
41799 +                       path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
41800 +                       if (IS_ERR(path_exec))
41801 +                               path_exec = "<path too long>";
41802 +                       else {
41803 +                               path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
41804 +                               if (path_exec) {
41805 +                                       *path_exec = 0;
41806 +                                       path_exec = buffer_exec;
41807 +                               } else
41808 +                                       path_exec = "<path too long>";
41809 +                       }
41810 +               }
41811 +               if (vma_fault) {
41812 +                       start = vma_fault->vm_start;
41813 +                       end = vma_fault->vm_end;
41814 +                       offset = vma_fault->vm_pgoff << PAGE_SHIFT;
41815 +                       if (vma_fault->vm_file) {
41816 +                               path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
41817 +                               if (IS_ERR(path_fault))
41818 +                                       path_fault = "<path too long>";
41819 +                               else {
41820 +                                       path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
41821 +                                       if (path_fault) {
41822 +                                               *path_fault = 0;
41823 +                                               path_fault = buffer_fault;
41824 +                                       } else
41825 +                                               path_fault = "<path too long>";
41826 +                               }
41827 +                       } else
41828 +                               path_fault = "<anonymous mapping>";
41829 +               }
41830 +               up_read(&mm->mmap_sem);
41831 +       }
41832 +       if (tsk->signal->curr_ip)
41833 +               printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
41834 +       else
41835 +               printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
41836 +       printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
41837 +                       "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
41838 +                       task_uid(tsk), task_euid(tsk), pc, sp);
41839 +       free_page((unsigned long)buffer_exec);
41840 +       free_page((unsigned long)buffer_fault);
41841 +       pax_report_insns(pc, sp);
41842 +       do_coredump(SIGKILL, SIGKILL, regs);
41843 +}
41844 +#endif
41845 +
41846 +#ifdef CONFIG_PAX_REFCOUNT
41847 +void pax_report_refcount_overflow(struct pt_regs *regs)
41848 +{
41849 +       if (current->signal->curr_ip)
41850 +               printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41851 +                                &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
41852 +       else
41853 +               printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41854 +                                current->comm, task_pid_nr(current), current_uid(), current_euid());
41855 +       print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
41856 +       show_regs(regs);
41857 +       force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
41858 +}
41859 +#endif
41860 +
41861 +#ifdef CONFIG_PAX_USERCOPY
41862 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
41863 +int object_is_on_stack(const void *obj, unsigned long len)
41864 +{
41865 +       const void * const stack = task_stack_page(current);
41866 +       const void * const stackend = stack + THREAD_SIZE;
41867 +
41868 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41869 +       const void *frame = NULL;
41870 +       const void *oldframe;
41871 +#endif
41872 +
41873 +       if (obj + len < obj)
41874 +               return -1;
41875 +
41876 +       if (obj + len <= stack || stackend <= obj)
41877 +               return 0;
41878 +
41879 +       if (obj < stack || stackend < obj + len)
41880 +               return -1;
41881 +
41882 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41883 +       oldframe = __builtin_frame_address(1);
41884 +       if (oldframe)
41885 +               frame = __builtin_frame_address(2);
41886 +       /*
41887 +         low ----------------------------------------------> high
41888 +         [saved bp][saved ip][args][local vars][saved bp][saved ip]
41889 +                             ^----------------^
41890 +                         allow copies only within here
41891 +       */
41892 +       while (stack <= frame && frame < stackend) {
41893 +               /* if obj + len extends past the last frame, this
41894 +                  check won't pass and the next frame will be 0,
41895 +                  causing us to bail out and correctly report
41896 +                  the copy as invalid
41897 +               */
41898 +               if (obj + len <= frame)
41899 +                       return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
41900 +               oldframe = frame;
41901 +               frame = *(const void * const *)frame;
41902 +       }
41903 +       return -1;
41904 +#else
41905 +       return 1;
41906 +#endif
41907 +}
41908 +
41909 +
41910 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
41911 +{
41912 +       if (current->signal->curr_ip)
41913 +               printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41914 +                       &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41915 +       else
41916 +               printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41917 +                       to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41918 +       dump_stack();
41919 +       gr_handle_kernel_exploit();
41920 +       do_group_exit(SIGKILL);
41921 +}
41922 +#endif
41923 +
41924 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
41925 +void pax_track_stack(void)
41926 +{
41927 +       unsigned long sp = (unsigned long)&sp;
41928 +       if (sp < current_thread_info()->lowest_stack &&
41929 +           sp > (unsigned long)task_stack_page(current))
41930 +               current_thread_info()->lowest_stack = sp;
41931 +}
41932 +EXPORT_SYMBOL(pax_track_stack);
41933 +#endif
41934 +
41935  static int zap_process(struct task_struct *start, int exit_code)
41936  {
41937         struct task_struct *t;
41938 @@ -1971,17 +2274,17 @@ static void wait_for_dump_helpers(struct
41939         pipe = file->f_path.dentry->d_inode->i_pipe;
41940  
41941         pipe_lock(pipe);
41942 -       pipe->readers++;
41943 -       pipe->writers--;
41944 +       atomic_inc(&pipe->readers);
41945 +       atomic_dec(&pipe->writers);
41946  
41947 -       while ((pipe->readers > 1) && (!signal_pending(current))) {
41948 +       while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
41949                 wake_up_interruptible_sync(&pipe->wait);
41950                 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
41951                 pipe_wait(pipe);
41952         }
41953  
41954 -       pipe->readers--;
41955 -       pipe->writers++;
41956 +       atomic_dec(&pipe->readers);
41957 +       atomic_inc(&pipe->writers);
41958         pipe_unlock(pipe);
41959  
41960  }
41961 @@ -2042,7 +2345,7 @@ void do_coredump(long signr, int exit_co
41962         int retval = 0;
41963         int flag = 0;
41964         int ispipe;
41965 -       static atomic_t core_dump_count = ATOMIC_INIT(0);
41966 +       static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
41967         struct coredump_params cprm = {
41968                 .signr = signr,
41969                 .regs = regs,
41970 @@ -2057,6 +2360,9 @@ void do_coredump(long signr, int exit_co
41971  
41972         audit_core_dumps(signr);
41973  
41974 +       if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
41975 +               gr_handle_brute_attach(current, cprm.mm_flags);
41976 +
41977         binfmt = mm->binfmt;
41978         if (!binfmt || !binfmt->core_dump)
41979                 goto fail;
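Review bot: The new `if` hard-codes four signals without saying why SIGSEGV, SIGBUS, SIGKILL and SIGILL count as brute-force indicators while SIGABRT, SIGFPE and SIGTRAP crashes do not, so a reader cannot tell whether the omission is deliberate. SIGKILL here appears to pair with the `do_coredump(SIGKILL, SIGKILL, regs)` call added in pax_report_fault earlier in this patch, and naming that link would make the list self-explaining. I would add `/* crash signals that presumably indicate a brute-force attempt; SIGKILL covers PaX-reported faults */` above the check, adjusted to what gr_handle_brute_attach actually does since its definition is not in this hunk. do_coredump begins and ends outside the hunk.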
41980 @@ -2097,6 +2403,8 @@ void do_coredump(long signr, int exit_co
41981                 goto fail_corename;
41982         }
41983  
41984 +       gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
41985 +
41986         if (ispipe) {
41987                 int dump_count;
41988                 char **helper_argv;
41989 @@ -2124,7 +2432,7 @@ void do_coredump(long signr, int exit_co
41990                 }
41991                 cprm.limit = RLIM_INFINITY;
41992  
41993 -               dump_count = atomic_inc_return(&core_dump_count);
41994 +               dump_count = atomic_inc_return_unchecked(&core_dump_count);
41995                 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
41996                         printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
41997                                task_tgid_vnr(current), current->comm);
41998 @@ -2194,7 +2502,7 @@ close_fail:
41999                 filp_close(cprm.file, NULL);
42000  fail_dropcount:
42001         if (ispipe)
42002 -               atomic_dec(&core_dump_count);
42003 +               atomic_dec_unchecked(&core_dump_count);
42004  fail_unlock:
42005         kfree(cn.corename);
42006  fail_corename:
42007 @@ -2213,7 +2521,7 @@ fail:
42008   */
42009  int dump_write(struct file *file, const void *addr, int nr)
42010  {
42011 -       return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, addr, nr, &file->f_pos) == nr;
42012 +       return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, (const char __force_user *)addr, nr, &file->f_pos) == nr;
42013  }
42014  EXPORT_SYMBOL(dump_write);
42015  
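Review bot: The `__force_user` cast in dump_write silences the address-space checker rather than changing behaviour, and nothing at the call site records why handing a kernel buffer to `file->f_op->write` is legitimate here. I would add `/* core dump data is kernel memory; this is expected to run under set_fs(KERNEL_DS), so the __user annotation is forced */` above the return, after confirming that the address-limit switch really happens in do_coredump, which is not visible in this hunk. The unchanged `access_ok(VERIFY_READ, addr, nr)` only passes for a kernel address under that same switch, so one comment should cover both.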
42016 diff -urNp linux-3.0.9/fs/ext2/balloc.c linux-3.0.9/fs/ext2/balloc.c
42017 --- linux-3.0.9/fs/ext2/balloc.c        2011-11-11 13:12:24.000000000 -0500
42018 +++ linux-3.0.9/fs/ext2/balloc.c        2011-11-15 20:02:59.000000000 -0500
42019 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
42020  
42021         free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
42022         root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
42023 -       if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
42024 +       if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
42025                 sbi->s_resuid != current_fsuid() &&
42026                 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
42027                 return 0;
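Review bot: `capable(CAP_SYS_RESOURCE)` becomes `capable_nolog(CAP_SYS_RESOURCE)` without a comment saying why this reserved-block check should not leave a capability audit record, which the `_nolog` name suggests is the intent but the hunk does not state. The same substitution is made in the ext3 balloc and ext4 balloc hunks below, so a single explanatory comment at each site, e.g. `/* capable_nolog: unprivileged callers hit this on every allocation near ENOSPC, so do not log the failed capability check */`, would keep the three in step. ext2_has_free_blocks begins and ends outside the hunk.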
42028 diff -urNp linux-3.0.9/fs/ext3/balloc.c linux-3.0.9/fs/ext3/balloc.c
42029 --- linux-3.0.9/fs/ext3/balloc.c        2011-11-11 13:12:24.000000000 -0500
42030 +++ linux-3.0.9/fs/ext3/balloc.c        2011-11-15 20:02:59.000000000 -0500
42031 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
42032  
42033         free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
42034         root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
42035 -       if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
42036 +       if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
42037                 sbi->s_resuid != current_fsuid() &&
42038                 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
42039                 return 0;
42040 diff -urNp linux-3.0.9/fs/ext3/ioctl.c linux-3.0.9/fs/ext3/ioctl.c
42041 --- linux-3.0.9/fs/ext3/ioctl.c 2011-11-11 13:12:24.000000000 -0500
42042 +++ linux-3.0.9/fs/ext3/ioctl.c 2011-11-15 20:02:59.000000000 -0500
42043 @@ -285,7 +285,7 @@ group_add_out:
42044                 if (!capable(CAP_SYS_ADMIN))
42045                         return -EPERM;
42046  
42047 -               if (copy_from_user(&range, (struct fstrim_range *)arg,
42048 +               if (copy_from_user(&range, (struct fstrim_range __user *)arg,
42049                                    sizeof(range)))
42050                         return -EFAULT;
42051  
42052 @@ -293,7 +293,7 @@ group_add_out:
42053                 if (ret < 0)
42054                         return ret;
42055  
42056 -               if (copy_to_user((struct fstrim_range *)arg, &range,
42057 +               if (copy_to_user((struct fstrim_range __user *)arg, &range,
42058                                  sizeof(range)))
42059                         return -EFAULT;
42060  
42061 diff -urNp linux-3.0.9/fs/ext4/balloc.c linux-3.0.9/fs/ext4/balloc.c
42062 --- linux-3.0.9/fs/ext4/balloc.c        2011-11-11 13:12:24.000000000 -0500
42063 +++ linux-3.0.9/fs/ext4/balloc.c        2011-11-15 20:02:59.000000000 -0500
42064 @@ -394,8 +394,8 @@ static int ext4_has_free_blocks(struct e
42065         /* Hm, nope.  Are (enough) root reserved blocks available? */
42066         if (sbi->s_resuid == current_fsuid() ||
42067             ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
42068 -           capable(CAP_SYS_RESOURCE) ||
42069 -               (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
42070 +               (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
42071 +               capable_nolog(CAP_SYS_RESOURCE)) {
42072  
42073                 if (free_blocks >= (nblocks + dirty_blocks))
42074                         return 1;
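Review bot: Moving `(flags & EXT4_MB_USE_ROOT_BLOCKS)` ahead of `capable_nolog(CAP_SYS_RESOURCE)` in the `||` chain changes which operand short-circuits, not the result, and the reason for the reorder is not recorded anywhere in the hunk. If the intent is to skip the capability lookup when the allocator has already asked for root blocks, `/* test the cheap flag first so capable_nolog() is only consulted when needed */` above the condition would say so. ext4_has_free_blocks begins and ends outside the hunk.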
42075 diff -urNp linux-3.0.9/fs/ext4/ext4.h linux-3.0.9/fs/ext4/ext4.h
42076 --- linux-3.0.9/fs/ext4/ext4.h  2011-11-11 13:12:24.000000000 -0500
42077 +++ linux-3.0.9/fs/ext4/ext4.h  2011-11-15 20:02:59.000000000 -0500
42078 @@ -1177,19 +1177,19 @@ struct ext4_sb_info {
42079         unsigned long s_mb_last_start;
42080  
42081         /* stats for buddy allocator */
42082 -       atomic_t s_bal_reqs;    /* number of reqs with len > 1 */
42083 -       atomic_t s_bal_success; /* we found long enough chunks */
42084 -       atomic_t s_bal_allocated;       /* in blocks */
42085 -       atomic_t s_bal_ex_scanned;      /* total extents scanned */
42086 -       atomic_t s_bal_goals;   /* goal hits */
42087 -       atomic_t s_bal_breaks;  /* too long searches */
42088 -       atomic_t s_bal_2orders; /* 2^order hits */
42089 +       atomic_unchecked_t s_bal_reqs;  /* number of reqs with len > 1 */
42090 +       atomic_unchecked_t s_bal_success;       /* we found long enough chunks */
42091 +       atomic_unchecked_t s_bal_allocated;     /* in blocks */
42092 +       atomic_unchecked_t s_bal_ex_scanned;    /* total extents scanned */
42093 +       atomic_unchecked_t s_bal_goals; /* goal hits */
42094 +       atomic_unchecked_t s_bal_breaks;        /* too long searches */
42095 +       atomic_unchecked_t s_bal_2orders;       /* 2^order hits */
42096         spinlock_t s_bal_lock;
42097         unsigned long s_mb_buddies_generated;
42098         unsigned long long s_mb_generation_time;
42099 -       atomic_t s_mb_lost_chunks;
42100 -       atomic_t s_mb_preallocated;
42101 -       atomic_t s_mb_discarded;
42102 +       atomic_unchecked_t s_mb_lost_chunks;
42103 +       atomic_unchecked_t s_mb_preallocated;
42104 +       atomic_unchecked_t s_mb_discarded;
42105         atomic_t s_lock_busy;
42106  
42107         /* locality groups */
42108 diff -urNp linux-3.0.9/fs/ext4/file.c linux-3.0.9/fs/ext4/file.c
42109 --- linux-3.0.9/fs/ext4/file.c  2011-11-11 13:12:24.000000000 -0500
42110 +++ linux-3.0.9/fs/ext4/file.c  2011-11-15 20:02:59.000000000 -0500
42111 @@ -181,8 +181,8 @@ static int ext4_file_open(struct inode *
42112                 path.dentry = mnt->mnt_root;
42113                 cp = d_path(&path, buf, sizeof(buf));
42114                 if (!IS_ERR(cp)) {
42115 -                       memcpy(sbi->s_es->s_last_mounted, cp,
42116 -                              sizeof(sbi->s_es->s_last_mounted));
42117 +                       strlcpy(sbi->s_es->s_last_mounted, cp,
42118 +                               sizeof(sbi->s_es->s_last_mounted));
42119                         ext4_mark_super_dirty(sb);
42120                 }
42121         }
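Review bot: The memcpy being replaced copied `sizeof(s_last_mounted)` bytes starting at `cp`, and because d_path returns a pointer into the tail of its buffer that read past the end of `buf` whenever fewer bytes than that remained after `cp`, so the switch to strlcpy closes a stack over-read that could copy uninitialised stack bytes into the on-disk superblock; that deserves a comment so the change is not later reverted as cosmetic. strlcpy also guarantees NUL termination but silently truncates to one byte less than the field size, a behaviour change for long mount paths that anything reading s_last_mounted should be aware of. I would add `/* strlcpy: cp points into the tail of buf, a fixed-size memcpy over-reads it */` above the call. ext4_file_open begins and ends outside this hunk.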
42122 diff -urNp linux-3.0.9/fs/ext4/ioctl.c linux-3.0.9/fs/ext4/ioctl.c
42123 --- linux-3.0.9/fs/ext4/ioctl.c 2011-11-11 13:12:24.000000000 -0500
42124 +++ linux-3.0.9/fs/ext4/ioctl.c 2011-11-15 20:02:59.000000000 -0500
42125 @@ -344,7 +344,7 @@ mext_out:
42126                 if (!blk_queue_discard(q))
42127                         return -EOPNOTSUPP;
42128  
42129 -               if (copy_from_user(&range, (struct fstrim_range *)arg,
42130 +               if (copy_from_user(&range, (struct fstrim_range __user *)arg,
42131                     sizeof(range)))
42132                         return -EFAULT;
42133  
42134 @@ -354,7 +354,7 @@ mext_out:
42135                 if (ret < 0)
42136                         return ret;
42137  
42138 -               if (copy_to_user((struct fstrim_range *)arg, &range,
42139 +               if (copy_to_user((struct fstrim_range __user *)arg, &range,
42140                     sizeof(range)))
42141                         return -EFAULT;
42142  
42143 diff -urNp linux-3.0.9/fs/ext4/mballoc.c linux-3.0.9/fs/ext4/mballoc.c
42144 --- linux-3.0.9/fs/ext4/mballoc.c       2011-11-11 13:12:24.000000000 -0500
42145 +++ linux-3.0.9/fs/ext4/mballoc.c       2011-11-15 20:02:59.000000000 -0500
42146 @@ -1793,7 +1793,7 @@ void ext4_mb_simple_scan_group(struct ex
42147                 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
42148  
42149                 if (EXT4_SB(sb)->s_mb_stats)
42150 -                       atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
42151 +                       atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
42152  
42153                 break;
42154         }
42155 @@ -2087,7 +2087,7 @@ repeat:
42156                         ac->ac_status = AC_STATUS_CONTINUE;
42157                         ac->ac_flags |= EXT4_MB_HINT_FIRST;
42158                         cr = 3;
42159 -                       atomic_inc(&sbi->s_mb_lost_chunks);
42160 +                       atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
42161                         goto repeat;
42162                 }
42163         }
42164 @@ -2130,6 +2130,8 @@ static int ext4_mb_seq_groups_show(struc
42165                 ext4_grpblk_t counters[16];
42166         } sg;
42167  
42168 +       pax_track_stack();
42169 +
42170         group--;
42171         if (group == 0)
42172                 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
42173 @@ -2553,25 +2555,25 @@ int ext4_mb_release(struct super_block *
42174         if (sbi->s_mb_stats) {
42175                 printk(KERN_INFO
42176                        "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
42177 -                               atomic_read(&sbi->s_bal_allocated),
42178 -                               atomic_read(&sbi->s_bal_reqs),
42179 -                               atomic_read(&sbi->s_bal_success));
42180 +                               atomic_read_unchecked(&sbi->s_bal_allocated),
42181 +                               atomic_read_unchecked(&sbi->s_bal_reqs),
42182 +                               atomic_read_unchecked(&sbi->s_bal_success));
42183                 printk(KERN_INFO
42184                       "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
42185                                 "%u 2^N hits, %u breaks, %u lost\n",
42186 -                               atomic_read(&sbi->s_bal_ex_scanned),
42187 -                               atomic_read(&sbi->s_bal_goals),
42188 -                               atomic_read(&sbi->s_bal_2orders),
42189 -                               atomic_read(&sbi->s_bal_breaks),
42190 -                               atomic_read(&sbi->s_mb_lost_chunks));
42191 +                               atomic_read_unchecked(&sbi->s_bal_ex_scanned),
42192 +                               atomic_read_unchecked(&sbi->s_bal_goals),
42193 +                               atomic_read_unchecked(&sbi->s_bal_2orders),
42194 +                               atomic_read_unchecked(&sbi->s_bal_breaks),
42195 +                               atomic_read_unchecked(&sbi->s_mb_lost_chunks));
42196                 printk(KERN_INFO
42197                        "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
42198                                 sbi->s_mb_buddies_generated++,
42199                                 sbi->s_mb_generation_time);
42200                 printk(KERN_INFO
42201                        "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
42202 -                               atomic_read(&sbi->s_mb_preallocated),
42203 -                               atomic_read(&sbi->s_mb_discarded));
42204 +                               atomic_read_unchecked(&sbi->s_mb_preallocated),
42205 +                               atomic_read_unchecked(&sbi->s_mb_discarded));
42206         }
42207  
42208         free_percpu(sbi->s_locality_groups);
42209 @@ -3041,16 +3043,16 @@ static void ext4_mb_collect_stats(struct
42210         struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
42211  
42212         if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
42213 -               atomic_inc(&sbi->s_bal_reqs);
42214 -               atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
42215 +               atomic_inc_unchecked(&sbi->s_bal_reqs);
42216 +               atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
42217                 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
42218 -                       atomic_inc(&sbi->s_bal_success);
42219 -               atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
42220 +                       atomic_inc_unchecked(&sbi->s_bal_success);
42221 +               atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
42222                 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
42223                                 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
42224 -                       atomic_inc(&sbi->s_bal_goals);
42225 +                       atomic_inc_unchecked(&sbi->s_bal_goals);
42226                 if (ac->ac_found > sbi->s_mb_max_to_scan)
42227 -                       atomic_inc(&sbi->s_bal_breaks);
42228 +                       atomic_inc_unchecked(&sbi->s_bal_breaks);
42229         }
42230  
42231         if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
42232 @@ -3448,7 +3450,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
42233         trace_ext4_mb_new_inode_pa(ac, pa);
42234  
42235         ext4_mb_use_inode_pa(ac, pa);
42236 -       atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42237 +       atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42238  
42239         ei = EXT4_I(ac->ac_inode);
42240         grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
42241 @@ -3508,7 +3510,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
42242         trace_ext4_mb_new_group_pa(ac, pa);
42243  
42244         ext4_mb_use_group_pa(ac, pa);
42245 -       atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42246 +       atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42247  
42248         grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
42249         lg = ac->ac_lg;
42250 @@ -3595,7 +3597,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
42251                  * from the bitmap and continue.
42252                  */
42253         }
42254 -       atomic_add(free, &sbi->s_mb_discarded);
42255 +       atomic_add_unchecked(free, &sbi->s_mb_discarded);
42256  
42257         return err;
42258  }
42259 @@ -3613,7 +3615,7 @@ ext4_mb_release_group_pa(struct ext4_bud
42260         ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
42261         BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
42262         mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
42263 -       atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
42264 +       atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
42265         trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
42266  
42267         return 0;
42268 diff -urNp linux-3.0.9/fs/fcntl.c linux-3.0.9/fs/fcntl.c
42269 --- linux-3.0.9/fs/fcntl.c      2011-11-11 13:12:24.000000000 -0500
42270 +++ linux-3.0.9/fs/fcntl.c      2011-11-15 20:02:59.000000000 -0500
42271 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
42272         if (err)
42273                 return err;
42274  
42275 +       if (gr_handle_chroot_fowner(pid, type))
42276 +               return -ENOENT;
42277 +       if (gr_check_protected_task_fowner(pid, type))
42278 +               return -EACCES;
42279 +
42280         f_modown(filp, pid, type, force);
42281         return 0;
42282  }
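Review bot: The two new checks return different errors, `-ENOENT` from gr_handle_chroot_fowner and `-EACCES` from gr_check_protected_task_fowner, and nothing in the hunk explains why a chroot violation is reported as a missing pid while a protected-task violation is a permission error; a short comment would stop a later reader from "fixing" the apparent inconsistency. I would put `/* -ENOENT deliberately does not reveal pids outside the caller's chroot; -EACCES for a visible but protected task */` above the first check, worded to match what those helpers actually do since their definitions are elsewhere in the patch. The checks run only after `err` from the call preceding the hunk has been tested, so earlier denials still win; the function header is outside this hunk.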
42283 @@ -266,7 +271,7 @@ pid_t f_getown(struct file *filp)
42284  
42285  static int f_setown_ex(struct file *filp, unsigned long arg)
42286  {
42287 -       struct f_owner_ex * __user owner_p = (void * __user)arg;
42288 +       struct f_owner_ex __user *owner_p = (void __user *)arg;
42289         struct f_owner_ex owner;
42290         struct pid *pid;
42291         int type;
42292 @@ -306,7 +311,7 @@ static int f_setown_ex(struct file *filp
42293  
42294  static int f_getown_ex(struct file *filp, unsigned long arg)
42295  {
42296 -       struct f_owner_ex * __user owner_p = (void * __user)arg;
42297 +       struct f_owner_ex __user *owner_p = (void __user *)arg;
42298         struct f_owner_ex owner;
42299         int ret = 0;
42300  
42301 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
42302         switch (cmd) {
42303         case F_DUPFD:
42304         case F_DUPFD_CLOEXEC:
42305 +               gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
42306                 if (arg >= rlimit(RLIMIT_NOFILE))
42307                         break;
42308                 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
42309 @@ -835,14 +841,14 @@ static int __init fcntl_init(void)
42310          * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
42311          * is defined as O_NONBLOCK on some platforms and not on others.
42312          */
42313 -       BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
42314 +       BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
42315                 O_RDONLY        | O_WRONLY      | O_RDWR        |
42316                 O_CREAT         | O_EXCL        | O_NOCTTY      |
42317                 O_TRUNC         | O_APPEND      | /* O_NONBLOCK | */
42318                 __O_SYNC        | O_DSYNC       | FASYNC        |
42319                 O_DIRECT        | O_LARGEFILE   | O_DIRECTORY   |
42320                 O_NOFOLLOW      | O_NOATIME     | O_CLOEXEC     |
42321 -               __FMODE_EXEC    | O_PATH
42322 +               __FMODE_EXEC    | O_PATH        | FMODE_GREXEC
42323                 ));
42324  
42325         fasync_cache = kmem_cache_create("fasync_cache",
42326 diff -urNp linux-3.0.9/fs/fifo.c linux-3.0.9/fs/fifo.c
42327 --- linux-3.0.9/fs/fifo.c       2011-11-11 13:12:24.000000000 -0500
42328 +++ linux-3.0.9/fs/fifo.c       2011-11-15 20:02:59.000000000 -0500
42329 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
42330          */
42331                 filp->f_op = &read_pipefifo_fops;
42332                 pipe->r_counter++;
42333 -               if (pipe->readers++ == 0)
42334 +               if (atomic_inc_return(&pipe->readers) == 1)
42335                         wake_up_partner(inode);
42336  
42337 -               if (!pipe->writers) {
42338 +               if (!atomic_read(&pipe->writers)) {
42339                         if ((filp->f_flags & O_NONBLOCK)) {
42340                                 /* suppress POLLHUP until we have
42341                                  * seen a writer */
42342 @@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
42343          *  errno=ENXIO when there is no process reading the FIFO.
42344          */
42345                 ret = -ENXIO;
42346 -               if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
42347 +               if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
42348                         goto err;
42349  
42350                 filp->f_op = &write_pipefifo_fops;
42351                 pipe->w_counter++;
42352 -               if (!pipe->writers++)
42353 +               if (atomic_inc_return(&pipe->writers) == 1)
42354                         wake_up_partner(inode);
42355  
42356 -               if (!pipe->readers) {
42357 +               if (!atomic_read(&pipe->readers)) {
42358                         if (wait_for_partner(inode, &pipe->r_counter))
42359                                 goto err_wr;
42360                 }
42361 @@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
42362          */
42363                 filp->f_op = &rdwr_pipefifo_fops;
42364  
42365 -               pipe->readers++;
42366 -               pipe->writers++;
42367 +               atomic_inc(&pipe->readers);
42368 +               atomic_inc(&pipe->writers);
42369                 pipe->r_counter++;
42370                 pipe->w_counter++;
42371 -               if (pipe->readers == 1 || pipe->writers == 1)
42372 +               if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
42373                         wake_up_partner(inode);
42374                 break;
42375  
42376 @@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
42377         return 0;
42378  
42379  err_rd:
42380 -       if (!--pipe->readers)
42381 +       if (atomic_dec_and_test(&pipe->readers))
42382                 wake_up_interruptible(&pipe->wait);
42383         ret = -ERESTARTSYS;
42384         goto err;
42385  
42386  err_wr:
42387 -       if (!--pipe->writers)
42388 +       if (atomic_dec_and_test(&pipe->writers))
42389                 wake_up_interruptible(&pipe->wait);
42390         ret = -ERESTARTSYS;
42391         goto err;
42392  
42393  err:
42394 -       if (!pipe->readers && !pipe->writers)
42395 +       if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
42396                 free_pipe_info(inode);
42397  
42398  err_nocleanup:
42399 diff -urNp linux-3.0.9/fs/file.c linux-3.0.9/fs/file.c
42400 --- linux-3.0.9/fs/file.c       2011-11-11 13:12:24.000000000 -0500
42401 +++ linux-3.0.9/fs/file.c       2011-11-15 20:02:59.000000000 -0500
42402 @@ -15,6 +15,7 @@
42403  #include <linux/slab.h>
42404  #include <linux/vmalloc.h>
42405  #include <linux/file.h>
42406 +#include <linux/security.h>
42407  #include <linux/fdtable.h>
42408  #include <linux/bitops.h>
42409  #include <linux/interrupt.h>
42410 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
42411          * N.B. For clone tasks sharing a files structure, this test
42412          * will limit the total number of files that can be opened.
42413          */
42414 +       gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
42415         if (nr >= rlimit(RLIMIT_NOFILE))
42416                 return -EMFILE;
42417  
42418 diff -urNp linux-3.0.9/fs/filesystems.c linux-3.0.9/fs/filesystems.c
42419 --- linux-3.0.9/fs/filesystems.c        2011-11-11 13:12:24.000000000 -0500
42420 +++ linux-3.0.9/fs/filesystems.c        2011-11-15 20:02:59.000000000 -0500
42421 @@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
42422         int len = dot ? dot - name : strlen(name);
42423  
42424         fs = __get_fs_type(name, len);
42425 +       
42426 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
42427 +       if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
42428 +#else
42429         if (!fs && (request_module("%.*s", len, name) == 0))
42430 +#endif
42431                 fs = __get_fs_type(name, len);
42432  
42433         if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
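Review bot: The added line after `fs = __get_fs_type(name, len);` is whitespace-only rather than empty, which checkpatch flags and which makes the hunk noisier than it needs to be; it should be a bare empty line. The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` fork also leaves the meaning of the `true` and `"grsec_modharden_fs"` arguments to `___request_module` undocumented at the call site; a one-line comment above the `#ifdef`, such as `/* MODHARDEN: route the filesystem autoload through the hardened request path */`, would help, adjusted to what ___request_module actually does since its definition is not in this hunk. get_fs_type continues outside the hunk.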
42434 diff -urNp linux-3.0.9/fs/fscache/cookie.c linux-3.0.9/fs/fscache/cookie.c
42435 --- linux-3.0.9/fs/fscache/cookie.c     2011-11-11 13:12:24.000000000 -0500
42436 +++ linux-3.0.9/fs/fscache/cookie.c     2011-11-15 20:02:59.000000000 -0500
42437 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
42438                parent ? (char *) parent->def->name : "<no-parent>",
42439                def->name, netfs_data);
42440  
42441 -       fscache_stat(&fscache_n_acquires);
42442 +       fscache_stat_unchecked(&fscache_n_acquires);
42443  
42444         /* if there's no parent cookie, then we don't create one here either */
42445         if (!parent) {
42446 -               fscache_stat(&fscache_n_acquires_null);
42447 +               fscache_stat_unchecked(&fscache_n_acquires_null);
42448                 _leave(" [no parent]");
42449                 return NULL;
42450         }
42451 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
42452         /* allocate and initialise a cookie */
42453         cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
42454         if (!cookie) {
42455 -               fscache_stat(&fscache_n_acquires_oom);
42456 +               fscache_stat_unchecked(&fscache_n_acquires_oom);
42457                 _leave(" [ENOMEM]");
42458                 return NULL;
42459         }
42460 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
42461  
42462         switch (cookie->def->type) {
42463         case FSCACHE_COOKIE_TYPE_INDEX:
42464 -               fscache_stat(&fscache_n_cookie_index);
42465 +               fscache_stat_unchecked(&fscache_n_cookie_index);
42466                 break;
42467         case FSCACHE_COOKIE_TYPE_DATAFILE:
42468 -               fscache_stat(&fscache_n_cookie_data);
42469 +               fscache_stat_unchecked(&fscache_n_cookie_data);
42470                 break;
42471         default:
42472 -               fscache_stat(&fscache_n_cookie_special);
42473 +               fscache_stat_unchecked(&fscache_n_cookie_special);
42474                 break;
42475         }
42476  
42477 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
42478                 if (fscache_acquire_non_index_cookie(cookie) < 0) {
42479                         atomic_dec(&parent->n_children);
42480                         __fscache_cookie_put(cookie);
42481 -                       fscache_stat(&fscache_n_acquires_nobufs);
42482 +                       fscache_stat_unchecked(&fscache_n_acquires_nobufs);
42483                         _leave(" = NULL");
42484                         return NULL;
42485                 }
42486         }
42487  
42488 -       fscache_stat(&fscache_n_acquires_ok);
42489 +       fscache_stat_unchecked(&fscache_n_acquires_ok);
42490         _leave(" = %p", cookie);
42491         return cookie;
42492  }
42493 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
42494         cache = fscache_select_cache_for_object(cookie->parent);
42495         if (!cache) {
42496                 up_read(&fscache_addremove_sem);
42497 -               fscache_stat(&fscache_n_acquires_no_cache);
42498 +               fscache_stat_unchecked(&fscache_n_acquires_no_cache);
42499                 _leave(" = -ENOMEDIUM [no cache]");
42500                 return -ENOMEDIUM;
42501         }
42502 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
42503         object = cache->ops->alloc_object(cache, cookie);
42504         fscache_stat_d(&fscache_n_cop_alloc_object);
42505         if (IS_ERR(object)) {
42506 -               fscache_stat(&fscache_n_object_no_alloc);
42507 +               fscache_stat_unchecked(&fscache_n_object_no_alloc);
42508                 ret = PTR_ERR(object);
42509                 goto error;
42510         }
42511  
42512 -       fscache_stat(&fscache_n_object_alloc);
42513 +       fscache_stat_unchecked(&fscache_n_object_alloc);
42514  
42515         object->debug_id = atomic_inc_return(&fscache_object_debug_id);
42516  
42517 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
42518         struct fscache_object *object;
42519         struct hlist_node *_p;
42520  
42521 -       fscache_stat(&fscache_n_updates);
42522 +       fscache_stat_unchecked(&fscache_n_updates);
42523  
42524         if (!cookie) {
42525 -               fscache_stat(&fscache_n_updates_null);
42526 +               fscache_stat_unchecked(&fscache_n_updates_null);
42527                 _leave(" [no cookie]");
42528                 return;
42529         }
42530 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct 
42531         struct fscache_object *object;
42532         unsigned long event;
42533  
42534 -       fscache_stat(&fscache_n_relinquishes);
42535 +       fscache_stat_unchecked(&fscache_n_relinquishes);
42536         if (retire)
42537 -               fscache_stat(&fscache_n_relinquishes_retire);
42538 +               fscache_stat_unchecked(&fscache_n_relinquishes_retire);
42539  
42540         if (!cookie) {
42541 -               fscache_stat(&fscache_n_relinquishes_null);
42542 +               fscache_stat_unchecked(&fscache_n_relinquishes_null);
42543                 _leave(" [no cookie]");
42544                 return;
42545         }
42546 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct 
42547  
42548         /* wait for the cookie to finish being instantiated (or to fail) */
42549         if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
42550 -               fscache_stat(&fscache_n_relinquishes_waitcrt);
42551 +               fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
42552                 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
42553                             fscache_wait_bit, TASK_UNINTERRUPTIBLE);
42554         }
42555 diff -urNp linux-3.0.9/fs/fscache/internal.h linux-3.0.9/fs/fscache/internal.h
42556 --- linux-3.0.9/fs/fscache/internal.h   2011-11-11 13:12:24.000000000 -0500
42557 +++ linux-3.0.9/fs/fscache/internal.h   2011-11-15 20:02:59.000000000 -0500
42558 @@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
42559  extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
42560  extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
42561  
42562 -extern atomic_t fscache_n_op_pend;
42563 -extern atomic_t fscache_n_op_run;
42564 -extern atomic_t fscache_n_op_enqueue;
42565 -extern atomic_t fscache_n_op_deferred_release;
42566 -extern atomic_t fscache_n_op_release;
42567 -extern atomic_t fscache_n_op_gc;
42568 -extern atomic_t fscache_n_op_cancelled;
42569 -extern atomic_t fscache_n_op_rejected;
42570 -
42571 -extern atomic_t fscache_n_attr_changed;
42572 -extern atomic_t fscache_n_attr_changed_ok;
42573 -extern atomic_t fscache_n_attr_changed_nobufs;
42574 -extern atomic_t fscache_n_attr_changed_nomem;
42575 -extern atomic_t fscache_n_attr_changed_calls;
42576 -
42577 -extern atomic_t fscache_n_allocs;
42578 -extern atomic_t fscache_n_allocs_ok;
42579 -extern atomic_t fscache_n_allocs_wait;
42580 -extern atomic_t fscache_n_allocs_nobufs;
42581 -extern atomic_t fscache_n_allocs_intr;
42582 -extern atomic_t fscache_n_allocs_object_dead;
42583 -extern atomic_t fscache_n_alloc_ops;
42584 -extern atomic_t fscache_n_alloc_op_waits;
42585 -
42586 -extern atomic_t fscache_n_retrievals;
42587 -extern atomic_t fscache_n_retrievals_ok;
42588 -extern atomic_t fscache_n_retrievals_wait;
42589 -extern atomic_t fscache_n_retrievals_nodata;
42590 -extern atomic_t fscache_n_retrievals_nobufs;
42591 -extern atomic_t fscache_n_retrievals_intr;
42592 -extern atomic_t fscache_n_retrievals_nomem;
42593 -extern atomic_t fscache_n_retrievals_object_dead;
42594 -extern atomic_t fscache_n_retrieval_ops;
42595 -extern atomic_t fscache_n_retrieval_op_waits;
42596 -
42597 -extern atomic_t fscache_n_stores;
42598 -extern atomic_t fscache_n_stores_ok;
42599 -extern atomic_t fscache_n_stores_again;
42600 -extern atomic_t fscache_n_stores_nobufs;
42601 -extern atomic_t fscache_n_stores_oom;
42602 -extern atomic_t fscache_n_store_ops;
42603 -extern atomic_t fscache_n_store_calls;
42604 -extern atomic_t fscache_n_store_pages;
42605 -extern atomic_t fscache_n_store_radix_deletes;
42606 -extern atomic_t fscache_n_store_pages_over_limit;
42607 -
42608 -extern atomic_t fscache_n_store_vmscan_not_storing;
42609 -extern atomic_t fscache_n_store_vmscan_gone;
42610 -extern atomic_t fscache_n_store_vmscan_busy;
42611 -extern atomic_t fscache_n_store_vmscan_cancelled;
42612 -
42613 -extern atomic_t fscache_n_marks;
42614 -extern atomic_t fscache_n_uncaches;
42615 -
42616 -extern atomic_t fscache_n_acquires;
42617 -extern atomic_t fscache_n_acquires_null;
42618 -extern atomic_t fscache_n_acquires_no_cache;
42619 -extern atomic_t fscache_n_acquires_ok;
42620 -extern atomic_t fscache_n_acquires_nobufs;
42621 -extern atomic_t fscache_n_acquires_oom;
42622 -
42623 -extern atomic_t fscache_n_updates;
42624 -extern atomic_t fscache_n_updates_null;
42625 -extern atomic_t fscache_n_updates_run;
42626 -
42627 -extern atomic_t fscache_n_relinquishes;
42628 -extern atomic_t fscache_n_relinquishes_null;
42629 -extern atomic_t fscache_n_relinquishes_waitcrt;
42630 -extern atomic_t fscache_n_relinquishes_retire;
42631 -
42632 -extern atomic_t fscache_n_cookie_index;
42633 -extern atomic_t fscache_n_cookie_data;
42634 -extern atomic_t fscache_n_cookie_special;
42635 -
42636 -extern atomic_t fscache_n_object_alloc;
42637 -extern atomic_t fscache_n_object_no_alloc;
42638 -extern atomic_t fscache_n_object_lookups;
42639 -extern atomic_t fscache_n_object_lookups_negative;
42640 -extern atomic_t fscache_n_object_lookups_positive;
42641 -extern atomic_t fscache_n_object_lookups_timed_out;
42642 -extern atomic_t fscache_n_object_created;
42643 -extern atomic_t fscache_n_object_avail;
42644 -extern atomic_t fscache_n_object_dead;
42645 -
42646 -extern atomic_t fscache_n_checkaux_none;
42647 -extern atomic_t fscache_n_checkaux_okay;
42648 -extern atomic_t fscache_n_checkaux_update;
42649 -extern atomic_t fscache_n_checkaux_obsolete;
42650 +extern atomic_unchecked_t fscache_n_op_pend;
42651 +extern atomic_unchecked_t fscache_n_op_run;
42652 +extern atomic_unchecked_t fscache_n_op_enqueue;
42653 +extern atomic_unchecked_t fscache_n_op_deferred_release;
42654 +extern atomic_unchecked_t fscache_n_op_release;
42655 +extern atomic_unchecked_t fscache_n_op_gc;
42656 +extern atomic_unchecked_t fscache_n_op_cancelled;
42657 +extern atomic_unchecked_t fscache_n_op_rejected;
42658 +
42659 +extern atomic_unchecked_t fscache_n_attr_changed;
42660 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
42661 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
42662 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
42663 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
42664 +
42665 +extern atomic_unchecked_t fscache_n_allocs;
42666 +extern atomic_unchecked_t fscache_n_allocs_ok;
42667 +extern atomic_unchecked_t fscache_n_allocs_wait;
42668 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
42669 +extern atomic_unchecked_t fscache_n_allocs_intr;
42670 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
42671 +extern atomic_unchecked_t fscache_n_alloc_ops;
42672 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
42673 +
42674 +extern atomic_unchecked_t fscache_n_retrievals;
42675 +extern atomic_unchecked_t fscache_n_retrievals_ok;
42676 +extern atomic_unchecked_t fscache_n_retrievals_wait;
42677 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
42678 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
42679 +extern atomic_unchecked_t fscache_n_retrievals_intr;
42680 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
42681 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
42682 +extern atomic_unchecked_t fscache_n_retrieval_ops;
42683 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
42684 +
42685 +extern atomic_unchecked_t fscache_n_stores;
42686 +extern atomic_unchecked_t fscache_n_stores_ok;
42687 +extern atomic_unchecked_t fscache_n_stores_again;
42688 +extern atomic_unchecked_t fscache_n_stores_nobufs;
42689 +extern atomic_unchecked_t fscache_n_stores_oom;
42690 +extern atomic_unchecked_t fscache_n_store_ops;
42691 +extern atomic_unchecked_t fscache_n_store_calls;
42692 +extern atomic_unchecked_t fscache_n_store_pages;
42693 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
42694 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
42695 +
42696 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
42697 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
42698 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
42699 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
42700 +
42701 +extern atomic_unchecked_t fscache_n_marks;
42702 +extern atomic_unchecked_t fscache_n_uncaches;
42703 +
42704 +extern atomic_unchecked_t fscache_n_acquires;
42705 +extern atomic_unchecked_t fscache_n_acquires_null;
42706 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
42707 +extern atomic_unchecked_t fscache_n_acquires_ok;
42708 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
42709 +extern atomic_unchecked_t fscache_n_acquires_oom;
42710 +
42711 +extern atomic_unchecked_t fscache_n_updates;
42712 +extern atomic_unchecked_t fscache_n_updates_null;
42713 +extern atomic_unchecked_t fscache_n_updates_run;
42714 +
42715 +extern atomic_unchecked_t fscache_n_relinquishes;
42716 +extern atomic_unchecked_t fscache_n_relinquishes_null;
42717 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
42718 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
42719 +
42720 +extern atomic_unchecked_t fscache_n_cookie_index;
42721 +extern atomic_unchecked_t fscache_n_cookie_data;
42722 +extern atomic_unchecked_t fscache_n_cookie_special;
42723 +
42724 +extern atomic_unchecked_t fscache_n_object_alloc;
42725 +extern atomic_unchecked_t fscache_n_object_no_alloc;
42726 +extern atomic_unchecked_t fscache_n_object_lookups;
42727 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
42728 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
42729 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
42730 +extern atomic_unchecked_t fscache_n_object_created;
42731 +extern atomic_unchecked_t fscache_n_object_avail;
42732 +extern atomic_unchecked_t fscache_n_object_dead;
42733 +
42734 +extern atomic_unchecked_t fscache_n_checkaux_none;
42735 +extern atomic_unchecked_t fscache_n_checkaux_okay;
42736 +extern atomic_unchecked_t fscache_n_checkaux_update;
42737 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
42738  
42739  extern atomic_t fscache_n_cop_alloc_object;
42740  extern atomic_t fscache_n_cop_lookup_object;
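Review bot: The split between counters retyped to `atomic_unchecked_t` and those left as `atomic_t` (the `fscache_n_cop_*` declarations on the two context lines closing the hunk) is not explained anywhere in the header. Presumably the retyped ones are pure event statistics that only ever increase and so must be exempt from refcount-overflow detection, while the `fscache_n_cop_*` counters are balanced by `fscache_stat_d()` elsewhere and can keep the checked type — but that is an inference, and the next person adding a counter gets no guidance on which type to pick. A comment above the retyped block such as `/* event statistics: only ever incremented, never used as refcounts, hence atomic_unchecked_t */` and a matching one above the `fscache_n_cop_*` lines would make the rule explicit.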
42741 @@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
42742         atomic_inc(stat);
42743  }
42744  
42745 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
42746 +{
42747 +       atomic_inc_unchecked(stat);
42748 +}
42749 +
42750  static inline void fscache_stat_d(atomic_t *stat)
42751  {
42752         atomic_dec(stat);
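Review bot: `fscache_stat_unchecked()` is added without the one-line comment that would tell a reader when to use it instead of `fscache_stat()`; `/* as fscache_stat(), for atomic_unchecked_t statistics counters that are never refcounts */` above the definition would do. The `do {} while (0)` stub added in the following hunk, presumably in the !CONFIG_FSCACHE_STATS branch, mirrors the existing `fscache_stat` stub, so both build configurations stay consistent.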
42753 @@ -267,6 +272,7 @@ extern const struct file_operations fsca
42754  
42755  #define __fscache_stat(stat) (NULL)
42756  #define fscache_stat(stat) do {} while (0)
42757 +#define fscache_stat_unchecked(stat) do {} while (0)
42758  #define fscache_stat_d(stat) do {} while (0)
42759  #endif
42760  
42761 diff -urNp linux-3.0.9/fs/fscache/object.c linux-3.0.9/fs/fscache/object.c
42762 --- linux-3.0.9/fs/fscache/object.c     2011-11-11 13:12:24.000000000 -0500
42763 +++ linux-3.0.9/fs/fscache/object.c     2011-11-15 20:02:59.000000000 -0500
42764 @@ -128,7 +128,7 @@ static void fscache_object_state_machine
42765                 /* update the object metadata on disk */
42766         case FSCACHE_OBJECT_UPDATING:
42767                 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
42768 -               fscache_stat(&fscache_n_updates_run);
42769 +               fscache_stat_unchecked(&fscache_n_updates_run);
42770                 fscache_stat(&fscache_n_cop_update_object);
42771                 object->cache->ops->update_object(object);
42772                 fscache_stat_d(&fscache_n_cop_update_object);
42773 @@ -217,7 +217,7 @@ static void fscache_object_state_machine
42774                 spin_lock(&object->lock);
42775                 object->state = FSCACHE_OBJECT_DEAD;
42776                 spin_unlock(&object->lock);
42777 -               fscache_stat(&fscache_n_object_dead);
42778 +               fscache_stat_unchecked(&fscache_n_object_dead);
42779                 goto terminal_transit;
42780  
42781                 /* handle the parent cache of this object being withdrawn from
42782 @@ -232,7 +232,7 @@ static void fscache_object_state_machine
42783                 spin_lock(&object->lock);
42784                 object->state = FSCACHE_OBJECT_DEAD;
42785                 spin_unlock(&object->lock);
42786 -               fscache_stat(&fscache_n_object_dead);
42787 +               fscache_stat_unchecked(&fscache_n_object_dead);
42788                 goto terminal_transit;
42789  
42790                 /* complain about the object being woken up once it is
42791 @@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
42792                parent->cookie->def->name, cookie->def->name,
42793                object->cache->tag->name);
42794  
42795 -       fscache_stat(&fscache_n_object_lookups);
42796 +       fscache_stat_unchecked(&fscache_n_object_lookups);
42797         fscache_stat(&fscache_n_cop_lookup_object);
42798         ret = object->cache->ops->lookup_object(object);
42799         fscache_stat_d(&fscache_n_cop_lookup_object);
42800 @@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
42801         if (ret == -ETIMEDOUT) {
42802                 /* probably stuck behind another object, so move this one to
42803                  * the back of the queue */
42804 -               fscache_stat(&fscache_n_object_lookups_timed_out);
42805 +               fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
42806                 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42807         }
42808  
42809 @@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
42810  
42811         spin_lock(&object->lock);
42812         if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42813 -               fscache_stat(&fscache_n_object_lookups_negative);
42814 +               fscache_stat_unchecked(&fscache_n_object_lookups_negative);
42815  
42816                 /* transit here to allow write requests to begin stacking up
42817                  * and read requests to begin returning ENODATA */
42818 @@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
42819          * result, in which case there may be data available */
42820         spin_lock(&object->lock);
42821         if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42822 -               fscache_stat(&fscache_n_object_lookups_positive);
42823 +               fscache_stat_unchecked(&fscache_n_object_lookups_positive);
42824  
42825                 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
42826  
42827 @@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
42828                 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42829         } else {
42830                 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
42831 -               fscache_stat(&fscache_n_object_created);
42832 +               fscache_stat_unchecked(&fscache_n_object_created);
42833  
42834                 object->state = FSCACHE_OBJECT_AVAILABLE;
42835                 spin_unlock(&object->lock);
42836 @@ -602,7 +602,7 @@ static void fscache_object_available(str
42837         fscache_enqueue_dependents(object);
42838  
42839         fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
42840 -       fscache_stat(&fscache_n_object_avail);
42841 +       fscache_stat_unchecked(&fscache_n_object_avail);
42842  
42843         _leave("");
42844  }
42845 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
42846         enum fscache_checkaux result;
42847  
42848         if (!object->cookie->def->check_aux) {
42849 -               fscache_stat(&fscache_n_checkaux_none);
42850 +               fscache_stat_unchecked(&fscache_n_checkaux_none);
42851                 return FSCACHE_CHECKAUX_OKAY;
42852         }
42853  
42854 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
42855         switch (result) {
42856                 /* entry okay as is */
42857         case FSCACHE_CHECKAUX_OKAY:
42858 -               fscache_stat(&fscache_n_checkaux_okay);
42859 +               fscache_stat_unchecked(&fscache_n_checkaux_okay);
42860                 break;
42861  
42862                 /* entry requires update */
42863         case FSCACHE_CHECKAUX_NEEDS_UPDATE:
42864 -               fscache_stat(&fscache_n_checkaux_update);
42865 +               fscache_stat_unchecked(&fscache_n_checkaux_update);
42866                 break;
42867  
42868                 /* entry requires deletion */
42869         case FSCACHE_CHECKAUX_OBSOLETE:
42870 -               fscache_stat(&fscache_n_checkaux_obsolete);
42871 +               fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
42872                 break;
42873  
42874         default:
42875 diff -urNp linux-3.0.9/fs/fscache/operation.c linux-3.0.9/fs/fscache/operation.c
42876 --- linux-3.0.9/fs/fscache/operation.c  2011-11-11 13:12:24.000000000 -0500
42877 +++ linux-3.0.9/fs/fscache/operation.c  2011-11-15 20:02:59.000000000 -0500
42878 @@ -17,7 +17,7 @@
42879  #include <linux/slab.h>
42880  #include "internal.h"
42881  
42882 -atomic_t fscache_op_debug_id;
42883 +atomic_unchecked_t fscache_op_debug_id;
42884  EXPORT_SYMBOL(fscache_op_debug_id);
42885  
42886  /**
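Review bot: `fscache_op_debug_id` is exported with `EXPORT_SYMBOL`, and its `extern` declaration lives in a shared header outside this file, so that declaration and every `atomic_inc_return(&fscache_op_debug_id)` user must be retyped in the same patch or the build fails with a pointer-type mismatch; those hunks are not in view, so this is worth confirming. Unlike the statistics counters, this is an id generator whose wraparound would yield duplicate debug ids rather than a refcount bug, which is presumably why it can safely be unchecked — a comment saying so would help: `/* monotonically increasing debug id, not a refcount; overflow checking not wanted */`.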
42887 @@ -38,7 +38,7 @@ void fscache_enqueue_operation(struct fs
42888         ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
42889         ASSERTCMP(atomic_read(&op->usage), >, 0);
42890  
42891 -       fscache_stat(&fscache_n_op_enqueue);
42892 +       fscache_stat_unchecked(&fscache_n_op_enqueue);
42893         switch (op->flags & FSCACHE_OP_TYPE) {
42894         case FSCACHE_OP_ASYNC:
42895                 _debug("queue async");
42896 @@ -69,7 +69,7 @@ static void fscache_run_op(struct fscach
42897                 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
42898         if (op->processor)
42899                 fscache_enqueue_operation(op);
42900 -       fscache_stat(&fscache_n_op_run);
42901 +       fscache_stat_unchecked(&fscache_n_op_run);
42902  }
42903  
42904  /*
42905 @@ -98,11 +98,11 @@ int fscache_submit_exclusive_op(struct f
42906                 if (object->n_ops > 1) {
42907                         atomic_inc(&op->usage);
42908                         list_add_tail(&op->pend_link, &object->pending_ops);
42909 -                       fscache_stat(&fscache_n_op_pend);
42910 +                       fscache_stat_unchecked(&fscache_n_op_pend);
42911                 } else if (!list_empty(&object->pending_ops)) {
42912                         atomic_inc(&op->usage);
42913                         list_add_tail(&op->pend_link, &object->pending_ops);
42914 -                       fscache_stat(&fscache_n_op_pend);
42915 +                       fscache_stat_unchecked(&fscache_n_op_pend);
42916                         fscache_start_operations(object);
42917                 } else {
42918                         ASSERTCMP(object->n_in_progress, ==, 0);
42919 @@ -118,7 +118,7 @@ int fscache_submit_exclusive_op(struct f
42920                 object->n_exclusive++;  /* reads and writes must wait */
42921                 atomic_inc(&op->usage);
42922                 list_add_tail(&op->pend_link, &object->pending_ops);
42923 -               fscache_stat(&fscache_n_op_pend);
42924 +               fscache_stat_unchecked(&fscache_n_op_pend);
42925                 ret = 0;
42926         } else {
42927                 /* not allowed to submit ops in any other state */
42928 @@ -203,11 +203,11 @@ int fscache_submit_op(struct fscache_obj
42929                 if (object->n_exclusive > 0) {
42930                         atomic_inc(&op->usage);
42931                         list_add_tail(&op->pend_link, &object->pending_ops);
42932 -                       fscache_stat(&fscache_n_op_pend);
42933 +                       fscache_stat_unchecked(&fscache_n_op_pend);
42934                 } else if (!list_empty(&object->pending_ops)) {
42935                         atomic_inc(&op->usage);
42936                         list_add_tail(&op->pend_link, &object->pending_ops);
42937 -                       fscache_stat(&fscache_n_op_pend);
42938 +                       fscache_stat_unchecked(&fscache_n_op_pend);
42939                         fscache_start_operations(object);
42940                 } else {
42941                         ASSERTCMP(object->n_exclusive, ==, 0);
42942 @@ -219,12 +219,12 @@ int fscache_submit_op(struct fscache_obj
42943                 object->n_ops++;
42944                 atomic_inc(&op->usage);
42945                 list_add_tail(&op->pend_link, &object->pending_ops);
42946 -               fscache_stat(&fscache_n_op_pend);
42947 +               fscache_stat_unchecked(&fscache_n_op_pend);
42948                 ret = 0;
42949         } else if (object->state == FSCACHE_OBJECT_DYING ||
42950                    object->state == FSCACHE_OBJECT_LC_DYING ||
42951                    object->state == FSCACHE_OBJECT_WITHDRAWING) {
42952 -               fscache_stat(&fscache_n_op_rejected);
42953 +               fscache_stat_unchecked(&fscache_n_op_rejected);
42954                 ret = -ENOBUFS;
42955         } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
42956                 fscache_report_unexpected_submission(object, op, ostate);
42957 @@ -294,7 +294,7 @@ int fscache_cancel_op(struct fscache_ope
42958  
42959         ret = -EBUSY;
42960         if (!list_empty(&op->pend_link)) {
42961 -               fscache_stat(&fscache_n_op_cancelled);
42962 +               fscache_stat_unchecked(&fscache_n_op_cancelled);
42963                 list_del_init(&op->pend_link);
42964                 object->n_ops--;
42965                 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
42966 @@ -331,7 +331,7 @@ void fscache_put_operation(struct fscach
42967         if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
42968                 BUG();
42969  
42970 -       fscache_stat(&fscache_n_op_release);
42971 +       fscache_stat_unchecked(&fscache_n_op_release);
42972  
42973         if (op->release) {
42974                 op->release(op);
42975 @@ -348,7 +348,7 @@ void fscache_put_operation(struct fscach
42976          * lock, and defer it otherwise */
42977         if (!spin_trylock(&object->lock)) {
42978                 _debug("defer put");
42979 -               fscache_stat(&fscache_n_op_deferred_release);
42980 +               fscache_stat_unchecked(&fscache_n_op_deferred_release);
42981  
42982                 cache = object->cache;
42983                 spin_lock(&cache->op_gc_list_lock);
42984 @@ -410,7 +410,7 @@ void fscache_operation_gc(struct work_st
42985  
42986                 _debug("GC DEFERRED REL OBJ%x OP%x",
42987                        object->debug_id, op->debug_id);
42988 -               fscache_stat(&fscache_n_op_gc);
42989 +               fscache_stat_unchecked(&fscache_n_op_gc);
42990  
42991                 ASSERTCMP(atomic_read(&op->usage), ==, 0);
42992  
42993 diff -urNp linux-3.0.9/fs/fscache/page.c linux-3.0.9/fs/fscache/page.c
42994 --- linux-3.0.9/fs/fscache/page.c       2011-11-11 13:12:24.000000000 -0500
42995 +++ linux-3.0.9/fs/fscache/page.c       2011-11-15 20:02:59.000000000 -0500
42996 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
42997         val = radix_tree_lookup(&cookie->stores, page->index);
42998         if (!val) {
42999                 rcu_read_unlock();
43000 -               fscache_stat(&fscache_n_store_vmscan_not_storing);
43001 +               fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
43002                 __fscache_uncache_page(cookie, page);
43003                 return true;
43004         }
43005 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
43006         spin_unlock(&cookie->stores_lock);
43007  
43008         if (xpage) {
43009 -               fscache_stat(&fscache_n_store_vmscan_cancelled);
43010 -               fscache_stat(&fscache_n_store_radix_deletes);
43011 +               fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
43012 +               fscache_stat_unchecked(&fscache_n_store_radix_deletes);
43013                 ASSERTCMP(xpage, ==, page);
43014         } else {
43015 -               fscache_stat(&fscache_n_store_vmscan_gone);
43016 +               fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
43017         }
43018  
43019         wake_up_bit(&cookie->flags, 0);
43020 @@ -107,7 +107,7 @@ page_busy:
43021         /* we might want to wait here, but that could deadlock the allocator as
43022          * the work threads writing to the cache may all end up sleeping
43023          * on memory allocation */
43024 -       fscache_stat(&fscache_n_store_vmscan_busy);
43025 +       fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
43026         return false;
43027  }
43028  EXPORT_SYMBOL(__fscache_maybe_release_page);
43029 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
43030                                      FSCACHE_COOKIE_STORING_TAG);
43031                 if (!radix_tree_tag_get(&cookie->stores, page->index,
43032                                         FSCACHE_COOKIE_PENDING_TAG)) {
43033 -                       fscache_stat(&fscache_n_store_radix_deletes);
43034 +                       fscache_stat_unchecked(&fscache_n_store_radix_deletes);
43035                         xpage = radix_tree_delete(&cookie->stores, page->index);
43036                 }
43037                 spin_unlock(&cookie->stores_lock);
43038 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
43039  
43040         _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
43041  
43042 -       fscache_stat(&fscache_n_attr_changed_calls);
43043 +       fscache_stat_unchecked(&fscache_n_attr_changed_calls);
43044  
43045         if (fscache_object_is_active(object)) {
43046                 fscache_stat(&fscache_n_cop_attr_changed);
43047 @@ -177,11 +177,11 @@ int __fscache_attr_changed(struct fscach
43048  
43049         ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43050  
43051 -       fscache_stat(&fscache_n_attr_changed);
43052 +       fscache_stat_unchecked(&fscache_n_attr_changed);
43053  
43054         op = kzalloc(sizeof(*op), GFP_KERNEL);
43055         if (!op) {
43056 -               fscache_stat(&fscache_n_attr_changed_nomem);
43057 +               fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
43058                 _leave(" = -ENOMEM");
43059                 return -ENOMEM;
43060         }
43061 @@ -199,7 +199,7 @@ int __fscache_attr_changed(struct fscach
43062         if (fscache_submit_exclusive_op(object, op) < 0)
43063                 goto nobufs;
43064         spin_unlock(&cookie->lock);
43065 -       fscache_stat(&fscache_n_attr_changed_ok);
43066 +       fscache_stat_unchecked(&fscache_n_attr_changed_ok);
43067         fscache_put_operation(op);
43068         _leave(" = 0");
43069         return 0;
43070 @@ -207,7 +207,7 @@ int __fscache_attr_changed(struct fscach
43071  nobufs:
43072         spin_unlock(&cookie->lock);
43073         kfree(op);
43074 -       fscache_stat(&fscache_n_attr_changed_nobufs);
43075 +       fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
43076         _leave(" = %d", -ENOBUFS);
43077         return -ENOBUFS;
43078  }
43079 @@ -243,7 +243,7 @@ static struct fscache_retrieval *fscache
43080         /* allocate a retrieval operation and attempt to submit it */
43081         op = kzalloc(sizeof(*op), GFP_NOIO);
43082         if (!op) {
43083 -               fscache_stat(&fscache_n_retrievals_nomem);
43084 +               fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43085                 return NULL;
43086         }
43087  
43088 @@ -271,13 +271,13 @@ static int fscache_wait_for_deferred_loo
43089                 return 0;
43090         }
43091  
43092 -       fscache_stat(&fscache_n_retrievals_wait);
43093 +       fscache_stat_unchecked(&fscache_n_retrievals_wait);
43094  
43095         jif = jiffies;
43096         if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
43097                         fscache_wait_bit_interruptible,
43098                         TASK_INTERRUPTIBLE) != 0) {
43099 -               fscache_stat(&fscache_n_retrievals_intr);
43100 +               fscache_stat_unchecked(&fscache_n_retrievals_intr);
43101                 _leave(" = -ERESTARTSYS");
43102                 return -ERESTARTSYS;
43103         }
43104 @@ -295,8 +295,8 @@ static int fscache_wait_for_deferred_loo
43105   */
43106  static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
43107                                                  struct fscache_retrieval *op,
43108 -                                                atomic_t *stat_op_waits,
43109 -                                                atomic_t *stat_object_dead)
43110 +                                                atomic_unchecked_t *stat_op_waits,
43111 +                                                atomic_unchecked_t *stat_object_dead)
43112  {
43113         int ret;
43114  
43115 @@ -304,7 +304,7 @@ static int fscache_wait_for_retrieval_ac
43116                 goto check_if_dead;
43117  
43118         _debug(">>> WT");
43119 -       fscache_stat(stat_op_waits);
43120 +       fscache_stat_unchecked(stat_op_waits);
43121         if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
43122                         fscache_wait_bit_interruptible,
43123                         TASK_INTERRUPTIBLE) < 0) {
43124 @@ -321,7 +321,7 @@ static int fscache_wait_for_retrieval_ac
43125  
43126  check_if_dead:
43127         if (unlikely(fscache_object_is_dead(object))) {
43128 -               fscache_stat(stat_object_dead);
43129 +               fscache_stat_unchecked(stat_object_dead);
43130                 return -ENOBUFS;
43131         }
43132         return 0;
43133 @@ -348,7 +348,7 @@ int __fscache_read_or_alloc_page(struct 
43134  
43135         _enter("%p,%p,,,", cookie, page);
43136  
43137 -       fscache_stat(&fscache_n_retrievals);
43138 +       fscache_stat_unchecked(&fscache_n_retrievals);
43139  
43140         if (hlist_empty(&cookie->backing_objects))
43141                 goto nobufs;
43142 @@ -381,7 +381,7 @@ int __fscache_read_or_alloc_page(struct 
43143                 goto nobufs_unlock;
43144         spin_unlock(&cookie->lock);
43145  
43146 -       fscache_stat(&fscache_n_retrieval_ops);
43147 +       fscache_stat_unchecked(&fscache_n_retrieval_ops);
43148  
43149         /* pin the netfs read context in case we need to do the actual netfs
43150          * read because we've encountered a cache read failure */
43151 @@ -411,15 +411,15 @@ int __fscache_read_or_alloc_page(struct 
43152  
43153  error:
43154         if (ret == -ENOMEM)
43155 -               fscache_stat(&fscache_n_retrievals_nomem);
43156 +               fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43157         else if (ret == -ERESTARTSYS)
43158 -               fscache_stat(&fscache_n_retrievals_intr);
43159 +               fscache_stat_unchecked(&fscache_n_retrievals_intr);
43160         else if (ret == -ENODATA)
43161 -               fscache_stat(&fscache_n_retrievals_nodata);
43162 +               fscache_stat_unchecked(&fscache_n_retrievals_nodata);
43163         else if (ret < 0)
43164 -               fscache_stat(&fscache_n_retrievals_nobufs);
43165 +               fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43166         else
43167 -               fscache_stat(&fscache_n_retrievals_ok);
43168 +               fscache_stat_unchecked(&fscache_n_retrievals_ok);
43169  
43170         fscache_put_retrieval(op);
43171         _leave(" = %d", ret);
43172 @@ -429,7 +429,7 @@ nobufs_unlock:
43173         spin_unlock(&cookie->lock);
43174         kfree(op);
43175  nobufs:
43176 -       fscache_stat(&fscache_n_retrievals_nobufs);
43177 +       fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43178         _leave(" = -ENOBUFS");
43179         return -ENOBUFS;
43180  }
43181 @@ -467,7 +467,7 @@ int __fscache_read_or_alloc_pages(struct
43182  
43183         _enter("%p,,%d,,,", cookie, *nr_pages);
43184  
43185 -       fscache_stat(&fscache_n_retrievals);
43186 +       fscache_stat_unchecked(&fscache_n_retrievals);
43187  
43188         if (hlist_empty(&cookie->backing_objects))
43189                 goto nobufs;
43190 @@ -497,7 +497,7 @@ int __fscache_read_or_alloc_pages(struct
43191                 goto nobufs_unlock;
43192         spin_unlock(&cookie->lock);
43193  
43194 -       fscache_stat(&fscache_n_retrieval_ops);
43195 +       fscache_stat_unchecked(&fscache_n_retrieval_ops);
43196  
43197         /* pin the netfs read context in case we need to do the actual netfs
43198          * read because we've encountered a cache read failure */
43199 @@ -527,15 +527,15 @@ int __fscache_read_or_alloc_pages(struct
43200  
43201  error:
43202         if (ret == -ENOMEM)
43203 -               fscache_stat(&fscache_n_retrievals_nomem);
43204 +               fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43205         else if (ret == -ERESTARTSYS)
43206 -               fscache_stat(&fscache_n_retrievals_intr);
43207 +               fscache_stat_unchecked(&fscache_n_retrievals_intr);
43208         else if (ret == -ENODATA)
43209 -               fscache_stat(&fscache_n_retrievals_nodata);
43210 +               fscache_stat_unchecked(&fscache_n_retrievals_nodata);
43211         else if (ret < 0)
43212 -               fscache_stat(&fscache_n_retrievals_nobufs);
43213 +               fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43214         else
43215 -               fscache_stat(&fscache_n_retrievals_ok);
43216 +               fscache_stat_unchecked(&fscache_n_retrievals_ok);
43217  
43218         fscache_put_retrieval(op);
43219         _leave(" = %d", ret);
43220 @@ -545,7 +545,7 @@ nobufs_unlock:
43221         spin_unlock(&cookie->lock);
43222         kfree(op);
43223  nobufs:
43224 -       fscache_stat(&fscache_n_retrievals_nobufs);
43225 +       fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43226         _leave(" = -ENOBUFS");
43227         return -ENOBUFS;
43228  }
43229 @@ -569,7 +569,7 @@ int __fscache_alloc_page(struct fscache_
43230  
43231         _enter("%p,%p,,,", cookie, page);
43232  
43233 -       fscache_stat(&fscache_n_allocs);
43234 +       fscache_stat_unchecked(&fscache_n_allocs);
43235  
43236         if (hlist_empty(&cookie->backing_objects))
43237                 goto nobufs;
43238 @@ -595,7 +595,7 @@ int __fscache_alloc_page(struct fscache_
43239                 goto nobufs_unlock;
43240         spin_unlock(&cookie->lock);
43241  
43242 -       fscache_stat(&fscache_n_alloc_ops);
43243 +       fscache_stat_unchecked(&fscache_n_alloc_ops);
43244  
43245         ret = fscache_wait_for_retrieval_activation(
43246                 object, op,
43247 @@ -611,11 +611,11 @@ int __fscache_alloc_page(struct fscache_
43248  
43249  error:
43250         if (ret == -ERESTARTSYS)
43251 -               fscache_stat(&fscache_n_allocs_intr);
43252 +               fscache_stat_unchecked(&fscache_n_allocs_intr);
43253         else if (ret < 0)
43254 -               fscache_stat(&fscache_n_allocs_nobufs);
43255 +               fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43256         else
43257 -               fscache_stat(&fscache_n_allocs_ok);
43258 +               fscache_stat_unchecked(&fscache_n_allocs_ok);
43259  
43260         fscache_put_retrieval(op);
43261         _leave(" = %d", ret);
43262 @@ -625,7 +625,7 @@ nobufs_unlock:
43263         spin_unlock(&cookie->lock);
43264         kfree(op);
43265  nobufs:
43266 -       fscache_stat(&fscache_n_allocs_nobufs);
43267 +       fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43268         _leave(" = -ENOBUFS");
43269         return -ENOBUFS;
43270  }
43271 @@ -666,7 +666,7 @@ static void fscache_write_op(struct fsca
43272  
43273         spin_lock(&cookie->stores_lock);
43274  
43275 -       fscache_stat(&fscache_n_store_calls);
43276 +       fscache_stat_unchecked(&fscache_n_store_calls);
43277  
43278         /* find a page to store */
43279         page = NULL;
43280 @@ -677,7 +677,7 @@ static void fscache_write_op(struct fsca
43281         page = results[0];
43282         _debug("gang %d [%lx]", n, page->index);
43283         if (page->index > op->store_limit) {
43284 -               fscache_stat(&fscache_n_store_pages_over_limit);
43285 +               fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
43286                 goto superseded;
43287         }
43288  
43289 @@ -689,7 +689,7 @@ static void fscache_write_op(struct fsca
43290         spin_unlock(&cookie->stores_lock);
43291         spin_unlock(&object->lock);
43292  
43293 -       fscache_stat(&fscache_n_store_pages);
43294 +       fscache_stat_unchecked(&fscache_n_store_pages);
43295         fscache_stat(&fscache_n_cop_write_page);
43296         ret = object->cache->ops->write_page(op, page);
43297         fscache_stat_d(&fscache_n_cop_write_page);
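Review bot: The new `fscache_stat_unchecked(&fscache_n_store_pages)` sits directly above an unconverted `fscache_stat(&fscache_n_cop_write_page)` / `fscache_stat_d(&fscache_n_cop_write_page)` pair, and nothing in the hunk records why the two counter families are treated differently. The `fscache_n_cop_*` counters are incremented and then decremented around the cache operation, so they behave like in-flight counts and presumably stay on the overflow-checked `atomic_t`, while the pure event counters can wrap harmlessly; that split is what the declaration hunk in fs/fscache/stats.c (`@@ -18,95 +18,95 @@`) implements but also leaves undocumented. Suggest a comment on the `operation counters` block there: `/* pure event counters: wrap is harmless, so atomic_unchecked_t; the fscache_n_cop_* in/out counters below stay checked */`. The `extern` declarations for these symbols (presumably in fs/fscache/internal.h, outside this view) must change in lockstep or the build breaks. fscache_write_op starts and ends outside the hunk.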
43298 @@ -757,7 +757,7 @@ int __fscache_write_page(struct fscache_
43299         ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43300         ASSERT(PageFsCache(page));
43301  
43302 -       fscache_stat(&fscache_n_stores);
43303 +       fscache_stat_unchecked(&fscache_n_stores);
43304  
43305         op = kzalloc(sizeof(*op), GFP_NOIO);
43306         if (!op)
43307 @@ -808,7 +808,7 @@ int __fscache_write_page(struct fscache_
43308         spin_unlock(&cookie->stores_lock);
43309         spin_unlock(&object->lock);
43310  
43311 -       op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
43312 +       op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
43313         op->store_limit = object->store_limit;
43314  
43315         if (fscache_submit_op(object, &op->op) < 0)
43316 @@ -816,8 +816,8 @@ int __fscache_write_page(struct fscache_
43317  
43318         spin_unlock(&cookie->lock);
43319         radix_tree_preload_end();
43320 -       fscache_stat(&fscache_n_store_ops);
43321 -       fscache_stat(&fscache_n_stores_ok);
43322 +       fscache_stat_unchecked(&fscache_n_store_ops);
43323 +       fscache_stat_unchecked(&fscache_n_stores_ok);
43324  
43325         /* the work queue now carries its own ref on the object */
43326         fscache_put_operation(&op->op);
43327 @@ -825,14 +825,14 @@ int __fscache_write_page(struct fscache_
43328         return 0;
43329  
43330  already_queued:
43331 -       fscache_stat(&fscache_n_stores_again);
43332 +       fscache_stat_unchecked(&fscache_n_stores_again);
43333  already_pending:
43334         spin_unlock(&cookie->stores_lock);
43335         spin_unlock(&object->lock);
43336         spin_unlock(&cookie->lock);
43337         radix_tree_preload_end();
43338         kfree(op);
43339 -       fscache_stat(&fscache_n_stores_ok);
43340 +       fscache_stat_unchecked(&fscache_n_stores_ok);
43341         _leave(" = 0");
43342         return 0;
43343  
43344 @@ -851,14 +851,14 @@ nobufs:
43345         spin_unlock(&cookie->lock);
43346         radix_tree_preload_end();
43347         kfree(op);
43348 -       fscache_stat(&fscache_n_stores_nobufs);
43349 +       fscache_stat_unchecked(&fscache_n_stores_nobufs);
43350         _leave(" = -ENOBUFS");
43351         return -ENOBUFS;
43352  
43353  nomem_free:
43354         kfree(op);
43355  nomem:
43356 -       fscache_stat(&fscache_n_stores_oom);
43357 +       fscache_stat_unchecked(&fscache_n_stores_oom);
43358         _leave(" = -ENOMEM");
43359         return -ENOMEM;
43360  }
43361 @@ -876,7 +876,7 @@ void __fscache_uncache_page(struct fscac
43362         ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43363         ASSERTCMP(page, !=, NULL);
43364  
43365 -       fscache_stat(&fscache_n_uncaches);
43366 +       fscache_stat_unchecked(&fscache_n_uncaches);
43367  
43368         /* cache withdrawal may beat us to it */
43369         if (!PageFsCache(page))
43370 @@ -929,7 +929,7 @@ void fscache_mark_pages_cached(struct fs
43371         unsigned long loop;
43372  
43373  #ifdef CONFIG_FSCACHE_STATS
43374 -       atomic_add(pagevec->nr, &fscache_n_marks);
43375 +       atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
43376  #endif
43377  
43378         for (loop = 0; loop < pagevec->nr; loop++) {
43379 diff -urNp linux-3.0.9/fs/fscache/stats.c linux-3.0.9/fs/fscache/stats.c
43380 --- linux-3.0.9/fs/fscache/stats.c      2011-11-11 13:12:24.000000000 -0500
43381 +++ linux-3.0.9/fs/fscache/stats.c      2011-11-15 20:02:59.000000000 -0500
43382 @@ -18,95 +18,95 @@
43383  /*
43384   * operation counters
43385   */
43386 -atomic_t fscache_n_op_pend;
43387 -atomic_t fscache_n_op_run;
43388 -atomic_t fscache_n_op_enqueue;
43389 -atomic_t fscache_n_op_requeue;
43390 -atomic_t fscache_n_op_deferred_release;
43391 -atomic_t fscache_n_op_release;
43392 -atomic_t fscache_n_op_gc;
43393 -atomic_t fscache_n_op_cancelled;
43394 -atomic_t fscache_n_op_rejected;
43395 -
43396 -atomic_t fscache_n_attr_changed;
43397 -atomic_t fscache_n_attr_changed_ok;
43398 -atomic_t fscache_n_attr_changed_nobufs;
43399 -atomic_t fscache_n_attr_changed_nomem;
43400 -atomic_t fscache_n_attr_changed_calls;
43401 -
43402 -atomic_t fscache_n_allocs;
43403 -atomic_t fscache_n_allocs_ok;
43404 -atomic_t fscache_n_allocs_wait;
43405 -atomic_t fscache_n_allocs_nobufs;
43406 -atomic_t fscache_n_allocs_intr;
43407 -atomic_t fscache_n_allocs_object_dead;
43408 -atomic_t fscache_n_alloc_ops;
43409 -atomic_t fscache_n_alloc_op_waits;
43410 -
43411 -atomic_t fscache_n_retrievals;
43412 -atomic_t fscache_n_retrievals_ok;
43413 -atomic_t fscache_n_retrievals_wait;
43414 -atomic_t fscache_n_retrievals_nodata;
43415 -atomic_t fscache_n_retrievals_nobufs;
43416 -atomic_t fscache_n_retrievals_intr;
43417 -atomic_t fscache_n_retrievals_nomem;
43418 -atomic_t fscache_n_retrievals_object_dead;
43419 -atomic_t fscache_n_retrieval_ops;
43420 -atomic_t fscache_n_retrieval_op_waits;
43421 -
43422 -atomic_t fscache_n_stores;
43423 -atomic_t fscache_n_stores_ok;
43424 -atomic_t fscache_n_stores_again;
43425 -atomic_t fscache_n_stores_nobufs;
43426 -atomic_t fscache_n_stores_oom;
43427 -atomic_t fscache_n_store_ops;
43428 -atomic_t fscache_n_store_calls;
43429 -atomic_t fscache_n_store_pages;
43430 -atomic_t fscache_n_store_radix_deletes;
43431 -atomic_t fscache_n_store_pages_over_limit;
43432 -
43433 -atomic_t fscache_n_store_vmscan_not_storing;
43434 -atomic_t fscache_n_store_vmscan_gone;
43435 -atomic_t fscache_n_store_vmscan_busy;
43436 -atomic_t fscache_n_store_vmscan_cancelled;
43437 -
43438 -atomic_t fscache_n_marks;
43439 -atomic_t fscache_n_uncaches;
43440 -
43441 -atomic_t fscache_n_acquires;
43442 -atomic_t fscache_n_acquires_null;
43443 -atomic_t fscache_n_acquires_no_cache;
43444 -atomic_t fscache_n_acquires_ok;
43445 -atomic_t fscache_n_acquires_nobufs;
43446 -atomic_t fscache_n_acquires_oom;
43447 -
43448 -atomic_t fscache_n_updates;
43449 -atomic_t fscache_n_updates_null;
43450 -atomic_t fscache_n_updates_run;
43451 -
43452 -atomic_t fscache_n_relinquishes;
43453 -atomic_t fscache_n_relinquishes_null;
43454 -atomic_t fscache_n_relinquishes_waitcrt;
43455 -atomic_t fscache_n_relinquishes_retire;
43456 -
43457 -atomic_t fscache_n_cookie_index;
43458 -atomic_t fscache_n_cookie_data;
43459 -atomic_t fscache_n_cookie_special;
43460 -
43461 -atomic_t fscache_n_object_alloc;
43462 -atomic_t fscache_n_object_no_alloc;
43463 -atomic_t fscache_n_object_lookups;
43464 -atomic_t fscache_n_object_lookups_negative;
43465 -atomic_t fscache_n_object_lookups_positive;
43466 -atomic_t fscache_n_object_lookups_timed_out;
43467 -atomic_t fscache_n_object_created;
43468 -atomic_t fscache_n_object_avail;
43469 -atomic_t fscache_n_object_dead;
43470 -
43471 -atomic_t fscache_n_checkaux_none;
43472 -atomic_t fscache_n_checkaux_okay;
43473 -atomic_t fscache_n_checkaux_update;
43474 -atomic_t fscache_n_checkaux_obsolete;
43475 +atomic_unchecked_t fscache_n_op_pend;
43476 +atomic_unchecked_t fscache_n_op_run;
43477 +atomic_unchecked_t fscache_n_op_enqueue;
43478 +atomic_unchecked_t fscache_n_op_requeue;
43479 +atomic_unchecked_t fscache_n_op_deferred_release;
43480 +atomic_unchecked_t fscache_n_op_release;
43481 +atomic_unchecked_t fscache_n_op_gc;
43482 +atomic_unchecked_t fscache_n_op_cancelled;
43483 +atomic_unchecked_t fscache_n_op_rejected;
43484 +
43485 +atomic_unchecked_t fscache_n_attr_changed;
43486 +atomic_unchecked_t fscache_n_attr_changed_ok;
43487 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
43488 +atomic_unchecked_t fscache_n_attr_changed_nomem;
43489 +atomic_unchecked_t fscache_n_attr_changed_calls;
43490 +
43491 +atomic_unchecked_t fscache_n_allocs;
43492 +atomic_unchecked_t fscache_n_allocs_ok;
43493 +atomic_unchecked_t fscache_n_allocs_wait;
43494 +atomic_unchecked_t fscache_n_allocs_nobufs;
43495 +atomic_unchecked_t fscache_n_allocs_intr;
43496 +atomic_unchecked_t fscache_n_allocs_object_dead;
43497 +atomic_unchecked_t fscache_n_alloc_ops;
43498 +atomic_unchecked_t fscache_n_alloc_op_waits;
43499 +
43500 +atomic_unchecked_t fscache_n_retrievals;
43501 +atomic_unchecked_t fscache_n_retrievals_ok;
43502 +atomic_unchecked_t fscache_n_retrievals_wait;
43503 +atomic_unchecked_t fscache_n_retrievals_nodata;
43504 +atomic_unchecked_t fscache_n_retrievals_nobufs;
43505 +atomic_unchecked_t fscache_n_retrievals_intr;
43506 +atomic_unchecked_t fscache_n_retrievals_nomem;
43507 +atomic_unchecked_t fscache_n_retrievals_object_dead;
43508 +atomic_unchecked_t fscache_n_retrieval_ops;
43509 +atomic_unchecked_t fscache_n_retrieval_op_waits;
43510 +
43511 +atomic_unchecked_t fscache_n_stores;
43512 +atomic_unchecked_t fscache_n_stores_ok;
43513 +atomic_unchecked_t fscache_n_stores_again;
43514 +atomic_unchecked_t fscache_n_stores_nobufs;
43515 +atomic_unchecked_t fscache_n_stores_oom;
43516 +atomic_unchecked_t fscache_n_store_ops;
43517 +atomic_unchecked_t fscache_n_store_calls;
43518 +atomic_unchecked_t fscache_n_store_pages;
43519 +atomic_unchecked_t fscache_n_store_radix_deletes;
43520 +atomic_unchecked_t fscache_n_store_pages_over_limit;
43521 +
43522 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
43523 +atomic_unchecked_t fscache_n_store_vmscan_gone;
43524 +atomic_unchecked_t fscache_n_store_vmscan_busy;
43525 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
43526 +
43527 +atomic_unchecked_t fscache_n_marks;
43528 +atomic_unchecked_t fscache_n_uncaches;
43529 +
43530 +atomic_unchecked_t fscache_n_acquires;
43531 +atomic_unchecked_t fscache_n_acquires_null;
43532 +atomic_unchecked_t fscache_n_acquires_no_cache;
43533 +atomic_unchecked_t fscache_n_acquires_ok;
43534 +atomic_unchecked_t fscache_n_acquires_nobufs;
43535 +atomic_unchecked_t fscache_n_acquires_oom;
43536 +
43537 +atomic_unchecked_t fscache_n_updates;
43538 +atomic_unchecked_t fscache_n_updates_null;
43539 +atomic_unchecked_t fscache_n_updates_run;
43540 +
43541 +atomic_unchecked_t fscache_n_relinquishes;
43542 +atomic_unchecked_t fscache_n_relinquishes_null;
43543 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
43544 +atomic_unchecked_t fscache_n_relinquishes_retire;
43545 +
43546 +atomic_unchecked_t fscache_n_cookie_index;
43547 +atomic_unchecked_t fscache_n_cookie_data;
43548 +atomic_unchecked_t fscache_n_cookie_special;
43549 +
43550 +atomic_unchecked_t fscache_n_object_alloc;
43551 +atomic_unchecked_t fscache_n_object_no_alloc;
43552 +atomic_unchecked_t fscache_n_object_lookups;
43553 +atomic_unchecked_t fscache_n_object_lookups_negative;
43554 +atomic_unchecked_t fscache_n_object_lookups_positive;
43555 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
43556 +atomic_unchecked_t fscache_n_object_created;
43557 +atomic_unchecked_t fscache_n_object_avail;
43558 +atomic_unchecked_t fscache_n_object_dead;
43559 +
43560 +atomic_unchecked_t fscache_n_checkaux_none;
43561 +atomic_unchecked_t fscache_n_checkaux_okay;
43562 +atomic_unchecked_t fscache_n_checkaux_update;
43563 +atomic_unchecked_t fscache_n_checkaux_obsolete;
43564  
43565  atomic_t fscache_n_cop_alloc_object;
43566  atomic_t fscache_n_cop_lookup_object;
43567 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
43568         seq_puts(m, "FS-Cache statistics\n");
43569  
43570         seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
43571 -                  atomic_read(&fscache_n_cookie_index),
43572 -                  atomic_read(&fscache_n_cookie_data),
43573 -                  atomic_read(&fscache_n_cookie_special));
43574 +                  atomic_read_unchecked(&fscache_n_cookie_index),
43575 +                  atomic_read_unchecked(&fscache_n_cookie_data),
43576 +                  atomic_read_unchecked(&fscache_n_cookie_special));
43577  
43578         seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
43579 -                  atomic_read(&fscache_n_object_alloc),
43580 -                  atomic_read(&fscache_n_object_no_alloc),
43581 -                  atomic_read(&fscache_n_object_avail),
43582 -                  atomic_read(&fscache_n_object_dead));
43583 +                  atomic_read_unchecked(&fscache_n_object_alloc),
43584 +                  atomic_read_unchecked(&fscache_n_object_no_alloc),
43585 +                  atomic_read_unchecked(&fscache_n_object_avail),
43586 +                  atomic_read_unchecked(&fscache_n_object_dead));
43587         seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
43588 -                  atomic_read(&fscache_n_checkaux_none),
43589 -                  atomic_read(&fscache_n_checkaux_okay),
43590 -                  atomic_read(&fscache_n_checkaux_update),
43591 -                  atomic_read(&fscache_n_checkaux_obsolete));
43592 +                  atomic_read_unchecked(&fscache_n_checkaux_none),
43593 +                  atomic_read_unchecked(&fscache_n_checkaux_okay),
43594 +                  atomic_read_unchecked(&fscache_n_checkaux_update),
43595 +                  atomic_read_unchecked(&fscache_n_checkaux_obsolete));
43596  
43597         seq_printf(m, "Pages  : mrk=%u unc=%u\n",
43598 -                  atomic_read(&fscache_n_marks),
43599 -                  atomic_read(&fscache_n_uncaches));
43600 +                  atomic_read_unchecked(&fscache_n_marks),
43601 +                  atomic_read_unchecked(&fscache_n_uncaches));
43602  
43603         seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
43604                    " oom=%u\n",
43605 -                  atomic_read(&fscache_n_acquires),
43606 -                  atomic_read(&fscache_n_acquires_null),
43607 -                  atomic_read(&fscache_n_acquires_no_cache),
43608 -                  atomic_read(&fscache_n_acquires_ok),
43609 -                  atomic_read(&fscache_n_acquires_nobufs),
43610 -                  atomic_read(&fscache_n_acquires_oom));
43611 +                  atomic_read_unchecked(&fscache_n_acquires),
43612 +                  atomic_read_unchecked(&fscache_n_acquires_null),
43613 +                  atomic_read_unchecked(&fscache_n_acquires_no_cache),
43614 +                  atomic_read_unchecked(&fscache_n_acquires_ok),
43615 +                  atomic_read_unchecked(&fscache_n_acquires_nobufs),
43616 +                  atomic_read_unchecked(&fscache_n_acquires_oom));
43617  
43618         seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
43619 -                  atomic_read(&fscache_n_object_lookups),
43620 -                  atomic_read(&fscache_n_object_lookups_negative),
43621 -                  atomic_read(&fscache_n_object_lookups_positive),
43622 -                  atomic_read(&fscache_n_object_created),
43623 -                  atomic_read(&fscache_n_object_lookups_timed_out));
43624 +                  atomic_read_unchecked(&fscache_n_object_lookups),
43625 +                  atomic_read_unchecked(&fscache_n_object_lookups_negative),
43626 +                  atomic_read_unchecked(&fscache_n_object_lookups_positive),
43627 +                  atomic_read_unchecked(&fscache_n_object_created),
43628 +                  atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
43629  
43630         seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
43631 -                  atomic_read(&fscache_n_updates),
43632 -                  atomic_read(&fscache_n_updates_null),
43633 -                  atomic_read(&fscache_n_updates_run));
43634 +                  atomic_read_unchecked(&fscache_n_updates),
43635 +                  atomic_read_unchecked(&fscache_n_updates_null),
43636 +                  atomic_read_unchecked(&fscache_n_updates_run));
43637  
43638         seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
43639 -                  atomic_read(&fscache_n_relinquishes),
43640 -                  atomic_read(&fscache_n_relinquishes_null),
43641 -                  atomic_read(&fscache_n_relinquishes_waitcrt),
43642 -                  atomic_read(&fscache_n_relinquishes_retire));
43643 +                  atomic_read_unchecked(&fscache_n_relinquishes),
43644 +                  atomic_read_unchecked(&fscache_n_relinquishes_null),
43645 +                  atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
43646 +                  atomic_read_unchecked(&fscache_n_relinquishes_retire));
43647  
43648         seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
43649 -                  atomic_read(&fscache_n_attr_changed),
43650 -                  atomic_read(&fscache_n_attr_changed_ok),
43651 -                  atomic_read(&fscache_n_attr_changed_nobufs),
43652 -                  atomic_read(&fscache_n_attr_changed_nomem),
43653 -                  atomic_read(&fscache_n_attr_changed_calls));
43654 +                  atomic_read_unchecked(&fscache_n_attr_changed),
43655 +                  atomic_read_unchecked(&fscache_n_attr_changed_ok),
43656 +                  atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
43657 +                  atomic_read_unchecked(&fscache_n_attr_changed_nomem),
43658 +                  atomic_read_unchecked(&fscache_n_attr_changed_calls));
43659  
43660         seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
43661 -                  atomic_read(&fscache_n_allocs),
43662 -                  atomic_read(&fscache_n_allocs_ok),
43663 -                  atomic_read(&fscache_n_allocs_wait),
43664 -                  atomic_read(&fscache_n_allocs_nobufs),
43665 -                  atomic_read(&fscache_n_allocs_intr));
43666 +                  atomic_read_unchecked(&fscache_n_allocs),
43667 +                  atomic_read_unchecked(&fscache_n_allocs_ok),
43668 +                  atomic_read_unchecked(&fscache_n_allocs_wait),
43669 +                  atomic_read_unchecked(&fscache_n_allocs_nobufs),
43670 +                  atomic_read_unchecked(&fscache_n_allocs_intr));
43671         seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
43672 -                  atomic_read(&fscache_n_alloc_ops),
43673 -                  atomic_read(&fscache_n_alloc_op_waits),
43674 -                  atomic_read(&fscache_n_allocs_object_dead));
43675 +                  atomic_read_unchecked(&fscache_n_alloc_ops),
43676 +                  atomic_read_unchecked(&fscache_n_alloc_op_waits),
43677 +                  atomic_read_unchecked(&fscache_n_allocs_object_dead));
43678  
43679         seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
43680                    " int=%u oom=%u\n",
43681 -                  atomic_read(&fscache_n_retrievals),
43682 -                  atomic_read(&fscache_n_retrievals_ok),
43683 -                  atomic_read(&fscache_n_retrievals_wait),
43684 -                  atomic_read(&fscache_n_retrievals_nodata),
43685 -                  atomic_read(&fscache_n_retrievals_nobufs),
43686 -                  atomic_read(&fscache_n_retrievals_intr),
43687 -                  atomic_read(&fscache_n_retrievals_nomem));
43688 +                  atomic_read_unchecked(&fscache_n_retrievals),
43689 +                  atomic_read_unchecked(&fscache_n_retrievals_ok),
43690 +                  atomic_read_unchecked(&fscache_n_retrievals_wait),
43691 +                  atomic_read_unchecked(&fscache_n_retrievals_nodata),
43692 +                  atomic_read_unchecked(&fscache_n_retrievals_nobufs),
43693 +                  atomic_read_unchecked(&fscache_n_retrievals_intr),
43694 +                  atomic_read_unchecked(&fscache_n_retrievals_nomem));
43695         seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
43696 -                  atomic_read(&fscache_n_retrieval_ops),
43697 -                  atomic_read(&fscache_n_retrieval_op_waits),
43698 -                  atomic_read(&fscache_n_retrievals_object_dead));
43699 +                  atomic_read_unchecked(&fscache_n_retrieval_ops),
43700 +                  atomic_read_unchecked(&fscache_n_retrieval_op_waits),
43701 +                  atomic_read_unchecked(&fscache_n_retrievals_object_dead));
43702  
43703         seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
43704 -                  atomic_read(&fscache_n_stores),
43705 -                  atomic_read(&fscache_n_stores_ok),
43706 -                  atomic_read(&fscache_n_stores_again),
43707 -                  atomic_read(&fscache_n_stores_nobufs),
43708 -                  atomic_read(&fscache_n_stores_oom));
43709 +                  atomic_read_unchecked(&fscache_n_stores),
43710 +                  atomic_read_unchecked(&fscache_n_stores_ok),
43711 +                  atomic_read_unchecked(&fscache_n_stores_again),
43712 +                  atomic_read_unchecked(&fscache_n_stores_nobufs),
43713 +                  atomic_read_unchecked(&fscache_n_stores_oom));
43714         seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
43715 -                  atomic_read(&fscache_n_store_ops),
43716 -                  atomic_read(&fscache_n_store_calls),
43717 -                  atomic_read(&fscache_n_store_pages),
43718 -                  atomic_read(&fscache_n_store_radix_deletes),
43719 -                  atomic_read(&fscache_n_store_pages_over_limit));
43720 +                  atomic_read_unchecked(&fscache_n_store_ops),
43721 +                  atomic_read_unchecked(&fscache_n_store_calls),
43722 +                  atomic_read_unchecked(&fscache_n_store_pages),
43723 +                  atomic_read_unchecked(&fscache_n_store_radix_deletes),
43724 +                  atomic_read_unchecked(&fscache_n_store_pages_over_limit));
43725  
43726         seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
43727 -                  atomic_read(&fscache_n_store_vmscan_not_storing),
43728 -                  atomic_read(&fscache_n_store_vmscan_gone),
43729 -                  atomic_read(&fscache_n_store_vmscan_busy),
43730 -                  atomic_read(&fscache_n_store_vmscan_cancelled));
43731 +                  atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
43732 +                  atomic_read_unchecked(&fscache_n_store_vmscan_gone),
43733 +                  atomic_read_unchecked(&fscache_n_store_vmscan_busy),
43734 +                  atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
43735  
43736         seq_printf(m, "Ops    : pend=%u run=%u enq=%u can=%u rej=%u\n",
43737 -                  atomic_read(&fscache_n_op_pend),
43738 -                  atomic_read(&fscache_n_op_run),
43739 -                  atomic_read(&fscache_n_op_enqueue),
43740 -                  atomic_read(&fscache_n_op_cancelled),
43741 -                  atomic_read(&fscache_n_op_rejected));
43742 +                  atomic_read_unchecked(&fscache_n_op_pend),
43743 +                  atomic_read_unchecked(&fscache_n_op_run),
43744 +                  atomic_read_unchecked(&fscache_n_op_enqueue),
43745 +                  atomic_read_unchecked(&fscache_n_op_cancelled),
43746 +                  atomic_read_unchecked(&fscache_n_op_rejected));
43747         seq_printf(m, "Ops    : dfr=%u rel=%u gc=%u\n",
43748 -                  atomic_read(&fscache_n_op_deferred_release),
43749 -                  atomic_read(&fscache_n_op_release),
43750 -                  atomic_read(&fscache_n_op_gc));
43751 +                  atomic_read_unchecked(&fscache_n_op_deferred_release),
43752 +                  atomic_read_unchecked(&fscache_n_op_release),
43753 +                  atomic_read_unchecked(&fscache_n_op_gc));
43754  
43755         seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
43756                    atomic_read(&fscache_n_cop_alloc_object),
43757 diff -urNp linux-3.0.9/fs/fs_struct.c linux-3.0.9/fs/fs_struct.c
43758 --- linux-3.0.9/fs/fs_struct.c  2011-11-11 13:12:24.000000000 -0500
43759 +++ linux-3.0.9/fs/fs_struct.c  2011-11-15 20:02:59.000000000 -0500
43760 @@ -4,6 +4,7 @@
43761  #include <linux/path.h>
43762  #include <linux/slab.h>
43763  #include <linux/fs_struct.h>
43764 +#include <linux/grsecurity.h>
43765  #include <linux/vserver/global.h>
43766  #include "internal.h"
43767  
43768 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
43769         old_root = fs->root;
43770         fs->root = *path;
43771         path_get_longterm(path);
43772 +       gr_set_chroot_entries(current, path);
43773         write_seqcount_end(&fs->seq);
43774         spin_unlock(&fs->lock);
43775         if (old_root.dentry)
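Review bot: `gr_set_chroot_entries(current, path)` is added inside the `write_seqcount_begin`/`spin_lock(&fs->lock)` critical section of set_fs_root, so it must neither sleep nor allocate, and nothing in the hunk records that constraint. The same placement recurs in chroot_fs_refs, unshare_fs_struct and daemonize_fs_struct further down; in the latter two the hook is called after `current->fs` has been switched while the old fs_struct's lock is still held, which is fine only because nobody else can reach the new fs_struct yet. A one-line comment at the first call, `/* must not sleep: runs under fs->lock inside the seqcount write section */`, makes the contract explicit. set_fs_root's body starts and ends outside the hunk.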
43776 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
43777                             && fs->root.mnt == old_root->mnt) {
43778                                 path_get_longterm(new_root);
43779                                 fs->root = *new_root;
43780 +                               gr_set_chroot_entries(p, new_root);
43781                                 count++;
43782                         }
43783                         if (fs->pwd.dentry == old_root->dentry
43784 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
43785                 spin_lock(&fs->lock);
43786                 write_seqcount_begin(&fs->seq);
43787                 tsk->fs = NULL;
43788 -               kill = !--fs->users;
43789 +               gr_clear_chroot_entries(tsk);
43790 +               kill = !atomic_dec_return(&fs->users);
43791                 write_seqcount_end(&fs->seq);
43792                 spin_unlock(&fs->lock);
43793                 task_unlock(tsk);
43794 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct 
43795         struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
43796         /* We don't need to lock fs - think why ;-) */
43797         if (fs) {
43798 -               fs->users = 1;
43799 +               atomic_set(&fs->users, 1);
43800                 fs->in_exec = 0;
43801                 spin_lock_init(&fs->lock);
43802                 seqcount_init(&fs->seq);
43803 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct 
43804                 spin_lock(&old->lock);
43805                 fs->root = old->root;
43806                 path_get_longterm(&fs->root);
43807 +               /* instead of calling gr_set_chroot_entries here,
43808 +                  we call it from every caller of this function
43809 +               */
43810                 fs->pwd = old->pwd;
43811                 path_get_longterm(&fs->pwd);
43812                 spin_unlock(&old->lock);
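Review bot: The new comment in copy_fs_struct says the hook is called "from every caller" but does not say which callers carry that obligation, so a future caller of copy_fs_struct can silently omit it. Within this file the call is visible in unshare_fs_struct and daemonize_fs_struct; any others are presumably outside this file. Rewording to `/* gr_set_chroot_entries() is intentionally not called here: each caller must call it once the new fs_struct is installed in its task (see unshare_fs_struct, daemonize_fs_struct) */` names the obligation, and kernel style puts the closing `*/` on its own ` *` line rather than after a bare tab. copy_fs_struct starts before the hunk.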
43813 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
43814  
43815         task_lock(current);
43816         spin_lock(&fs->lock);
43817 -       kill = !--fs->users;
43818 +       kill = !atomic_dec_return(&fs->users);
43819         current->fs = new_fs;
43820 +       gr_set_chroot_entries(current, &new_fs->root);
43821         spin_unlock(&fs->lock);
43822         task_unlock(current);
43823  
43824 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
43825  
43826  /* to be mentioned only in INIT_TASK */
43827  struct fs_struct init_fs = {
43828 -       .users          = 1,
43829 +       .users          = ATOMIC_INIT(1),
43830         .lock           = __SPIN_LOCK_UNLOCKED(init_fs.lock),
43831         .seq            = SEQCNT_ZERO,
43832         .umask          = 0022,
43833 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
43834                 task_lock(current);
43835  
43836                 spin_lock(&init_fs.lock);
43837 -               init_fs.users++;
43838 +               atomic_inc(&init_fs.users);
43839                 spin_unlock(&init_fs.lock);
43840  
43841                 spin_lock(&fs->lock);
43842                 current->fs = &init_fs;
43843 -               kill = !--fs->users;
43844 +               gr_set_chroot_entries(current, &current->fs->root);
43845 +               kill = !atomic_dec_return(&fs->users);
43846                 spin_unlock(&fs->lock);
43847  
43848                 task_unlock(current);
43849 diff -urNp linux-3.0.9/fs/fuse/cuse.c linux-3.0.9/fs/fuse/cuse.c
43850 --- linux-3.0.9/fs/fuse/cuse.c  2011-11-11 13:12:24.000000000 -0500
43851 +++ linux-3.0.9/fs/fuse/cuse.c  2011-11-15 20:02:59.000000000 -0500
43852 @@ -586,10 +586,12 @@ static int __init cuse_init(void)
43853                 INIT_LIST_HEAD(&cuse_conntbl[i]);
43854  
43855         /* inherit and extend fuse_dev_operations */
43856 -       cuse_channel_fops               = fuse_dev_operations;
43857 -       cuse_channel_fops.owner         = THIS_MODULE;
43858 -       cuse_channel_fops.open          = cuse_channel_open;
43859 -       cuse_channel_fops.release       = cuse_channel_release;
43860 +       pax_open_kernel();
43861 +       memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
43862 +       *(void **)&cuse_channel_fops.owner      = THIS_MODULE;
43863 +       *(void **)&cuse_channel_fops.open       = cuse_channel_open;
43864 +       *(void **)&cuse_channel_fops.release    = cuse_channel_release;
43865 +       pax_close_kernel();
43866  
43867         cuse_class = class_create(THIS_MODULE, "cuse");
43868         if (IS_ERR(cuse_class))
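Review bot: The three `*(void **)&cuse_channel_fops.open = …` stores write function-pointer members through an object-pointer type, and the `(void *)` cast on the memcpy target discards whatever qualifier presumably makes `cuse_channel_fops` read-only in this tree; both rely on the compiler not exploiting that const-ness and on `pax_open_kernel()` making the page writable, and nothing in the hunk explains it. A comment such as `/* cuse_channel_fops is in a read-only section; it may only be written between pax_open_kernel() and pax_close_kernel() */` records why the casts exist. The memcpy length is also `sizeof(fuse_dev_operations)` rather than `sizeof(cuse_channel_fops)`; they agree only while both are the same struct type, so the destination's size is the safer choice. cuse_init starts before the hunk.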
43869 diff -urNp linux-3.0.9/fs/fuse/dev.c linux-3.0.9/fs/fuse/dev.c
43870 --- linux-3.0.9/fs/fuse/dev.c   2011-11-11 13:12:24.000000000 -0500
43871 +++ linux-3.0.9/fs/fuse/dev.c   2011-11-15 20:02:59.000000000 -0500
43872 @@ -1242,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
43873         ret = 0;
43874         pipe_lock(pipe);
43875  
43876 -       if (!pipe->readers) {
43877 +       if (!atomic_read(&pipe->readers)) {
43878                 send_sig(SIGPIPE, current, 0);
43879                 if (!ret)
43880                         ret = -EPIPE;
43881 diff -urNp linux-3.0.9/fs/fuse/dir.c linux-3.0.9/fs/fuse/dir.c
43882 --- linux-3.0.9/fs/fuse/dir.c   2011-11-11 13:12:24.000000000 -0500
43883 +++ linux-3.0.9/fs/fuse/dir.c   2011-11-15 20:02:59.000000000 -0500
43884 @@ -1148,7 +1148,7 @@ static char *read_link(struct dentry *de
43885         return link;
43886  }
43887  
43888 -static void free_link(char *link)
43889 +static void free_link(const char *link)
43890  {
43891         if (!IS_ERR(link))
43892                 free_page((unsigned long) link);
43893 diff -urNp linux-3.0.9/fs/gfs2/inode.c linux-3.0.9/fs/gfs2/inode.c
43894 --- linux-3.0.9/fs/gfs2/inode.c 2011-11-11 13:12:24.000000000 -0500
43895 +++ linux-3.0.9/fs/gfs2/inode.c 2011-11-15 20:02:59.000000000 -0500
43896 @@ -1525,7 +1525,7 @@ out:
43897  
43898  static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43899  {
43900 -       char *s = nd_get_link(nd);
43901 +       const char *s = nd_get_link(nd);
43902         if (!IS_ERR(s))
43903                 kfree(s);
43904  }
43905 diff -urNp linux-3.0.9/fs/hfsplus/catalog.c linux-3.0.9/fs/hfsplus/catalog.c
43906 --- linux-3.0.9/fs/hfsplus/catalog.c    2011-11-11 13:12:24.000000000 -0500
43907 +++ linux-3.0.9/fs/hfsplus/catalog.c    2011-11-15 20:02:59.000000000 -0500
43908 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block 
43909         int err;
43910         u16 type;
43911  
43912 +       pax_track_stack();
43913 +
43914         hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
43915         err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
43916         if (err)
43917 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct 
43918         int entry_size;
43919         int err;
43920  
43921 +       pax_track_stack();
43922 +
43923         dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
43924                 str->name, cnid, inode->i_nlink);
43925         hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
43926 @@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
43927         int entry_size, type;
43928         int err = 0;
43929  
43930 +       pax_track_stack();
43931 +
43932         dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
43933                 cnid, src_dir->i_ino, src_name->name,
43934                 dst_dir->i_ino, dst_name->name);
43935 diff -urNp linux-3.0.9/fs/hfsplus/dir.c linux-3.0.9/fs/hfsplus/dir.c
43936 --- linux-3.0.9/fs/hfsplus/dir.c        2011-11-11 13:12:24.000000000 -0500
43937 +++ linux-3.0.9/fs/hfsplus/dir.c        2011-11-15 20:02:59.000000000 -0500
43938 @@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
43939         struct hfsplus_readdir_data *rd;
43940         u16 type;
43941  
43942 +       pax_track_stack();
43943 +
43944         if (filp->f_pos >= inode->i_size)
43945                 return 0;
43946  
43947 diff -urNp linux-3.0.9/fs/hfsplus/inode.c linux-3.0.9/fs/hfsplus/inode.c
43948 --- linux-3.0.9/fs/hfsplus/inode.c      2011-11-11 13:12:24.000000000 -0500
43949 +++ linux-3.0.9/fs/hfsplus/inode.c      2011-11-15 20:02:59.000000000 -0500
43950 @@ -489,6 +489,8 @@ int hfsplus_cat_read_inode(struct inode 
43951         int res = 0;
43952         u16 type;
43953  
43954 +       pax_track_stack();
43955 +
43956         type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
43957  
43958         HFSPLUS_I(inode)->linkid = 0;
43959 @@ -552,6 +554,8 @@ int hfsplus_cat_write_inode(struct inode
43960         struct hfs_find_data fd;
43961         hfsplus_cat_entry entry;
43962  
43963 +       pax_track_stack();
43964 +
43965         if (HFSPLUS_IS_RSRC(inode))
43966                 main_inode = HFSPLUS_I(inode)->rsrc_inode;
43967  
43968 diff -urNp linux-3.0.9/fs/hfsplus/ioctl.c linux-3.0.9/fs/hfsplus/ioctl.c
43969 --- linux-3.0.9/fs/hfsplus/ioctl.c      2011-11-11 13:12:24.000000000 -0500
43970 +++ linux-3.0.9/fs/hfsplus/ioctl.c      2011-11-15 20:02:59.000000000 -0500
43971 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
43972         struct hfsplus_cat_file *file;
43973         int res;
43974  
43975 +       pax_track_stack();
43976 +
43977         if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43978                 return -EOPNOTSUPP;
43979  
43980 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
43981         struct hfsplus_cat_file *file;
43982         ssize_t res = 0;
43983  
43984 +       pax_track_stack();
43985 +
43986         if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43987                 return -EOPNOTSUPP;
43988  
43989 diff -urNp linux-3.0.9/fs/hfsplus/super.c linux-3.0.9/fs/hfsplus/super.c
43990 --- linux-3.0.9/fs/hfsplus/super.c      2011-11-11 13:12:24.000000000 -0500
43991 +++ linux-3.0.9/fs/hfsplus/super.c      2011-11-15 20:02:59.000000000 -0500
43992 @@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
43993         struct nls_table *nls = NULL;
43994         int err;
43995  
43996 +       pax_track_stack();
43997 +
43998         err = -EINVAL;
43999         sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
44000         if (!sbi)
44001 diff -urNp linux-3.0.9/fs/hugetlbfs/inode.c linux-3.0.9/fs/hugetlbfs/inode.c
44002 --- linux-3.0.9/fs/hugetlbfs/inode.c    2011-11-11 13:12:24.000000000 -0500
44003 +++ linux-3.0.9/fs/hugetlbfs/inode.c    2011-11-15 20:02:59.000000000 -0500
44004 @@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs
44005         .kill_sb        = kill_litter_super,
44006  };
44007  
44008 -static struct vfsmount *hugetlbfs_vfsmount;
44009 +struct vfsmount *hugetlbfs_vfsmount;
44010  
44011  static int can_do_hugetlb_shm(void)
44012  {
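Review bot: Dropping `static` from `hugetlbfs_vfsmount` makes it a global with no `extern` declaration visible in this hunk, so any consumer (presumably elsewhere in this patch) has to re-declare it locally and sparse/-Wmissing-declarations will flag the definition. Adding `extern struct vfsmount *hugetlbfs_vfsmount;` to a header the consumer already includes keeps the declaration and definition type-checked against each other.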
44013 diff -urNp linux-3.0.9/fs/inode.c linux-3.0.9/fs/inode.c
44014 --- linux-3.0.9/fs/inode.c      2011-11-11 13:12:24.000000000 -0500
44015 +++ linux-3.0.9/fs/inode.c      2011-11-15 20:02:59.000000000 -0500
44016 @@ -829,8 +829,8 @@ unsigned int get_next_ino(void)
44017  
44018  #ifdef CONFIG_SMP
44019         if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
44020 -               static atomic_t shared_last_ino;
44021 -               int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
44022 +               static atomic_unchecked_t shared_last_ino;
44023 +               int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
44024  
44025                 res = next - LAST_INO_BATCH;
44026         }
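Review bot: The switch of `shared_last_ino` to `atomic_unchecked_t` in get_next_ino is the only signal that wraparound of this counter is intended, and the same applies to `nlm_cookie` in fs/lockd/clntproc.c below. A short comment at each site, e.g. `/* wrap is intentional; no overflow check wanted on this counter */`, stops a later reader from "fixing" it back to the checked variant. get_next_ino begins before the hunk.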
44027 diff -urNp linux-3.0.9/fs/jbd/checkpoint.c linux-3.0.9/fs/jbd/checkpoint.c
44028 --- linux-3.0.9/fs/jbd/checkpoint.c     2011-11-11 13:12:24.000000000 -0500
44029 +++ linux-3.0.9/fs/jbd/checkpoint.c     2011-11-15 20:02:59.000000000 -0500
44030 @@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
44031         tid_t this_tid;
44032         int result;
44033  
44034 +       pax_track_stack();
44035 +
44036         jbd_debug(1, "Start checkpoint\n");
44037  
44038         /*
44039 diff -urNp linux-3.0.9/fs/jffs2/compr_rtime.c linux-3.0.9/fs/jffs2/compr_rtime.c
44040 --- linux-3.0.9/fs/jffs2/compr_rtime.c  2011-11-11 13:12:24.000000000 -0500
44041 +++ linux-3.0.9/fs/jffs2/compr_rtime.c  2011-11-15 20:02:59.000000000 -0500
44042 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
44043         int outpos = 0;
44044         int pos=0;
44045  
44046 +       pax_track_stack();
44047 +
44048         memset(positions,0,sizeof(positions));
44049  
44050         while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
44051 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
44052         int outpos = 0;
44053         int pos=0;
44054  
44055 +       pax_track_stack();
44056 +
44057         memset(positions,0,sizeof(positions));
44058  
44059         while (outpos<destlen) {
44060 diff -urNp linux-3.0.9/fs/jffs2/compr_rubin.c linux-3.0.9/fs/jffs2/compr_rubin.c
44061 --- linux-3.0.9/fs/jffs2/compr_rubin.c  2011-11-11 13:12:24.000000000 -0500
44062 +++ linux-3.0.9/fs/jffs2/compr_rubin.c  2011-11-15 20:02:59.000000000 -0500
44063 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
44064         int ret;
44065         uint32_t mysrclen, mydstlen;
44066  
44067 +       pax_track_stack();
44068 +
44069         mysrclen = *sourcelen;
44070         mydstlen = *dstlen - 8;
44071  
44072 diff -urNp linux-3.0.9/fs/jffs2/erase.c linux-3.0.9/fs/jffs2/erase.c
44073 --- linux-3.0.9/fs/jffs2/erase.c        2011-11-11 13:12:24.000000000 -0500
44074 +++ linux-3.0.9/fs/jffs2/erase.c        2011-11-15 20:02:59.000000000 -0500
44075 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
44076                 struct jffs2_unknown_node marker = {
44077                         .magic =        cpu_to_je16(JFFS2_MAGIC_BITMASK),
44078                         .nodetype =     cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
44079 -                       .totlen =       cpu_to_je32(c->cleanmarker_size)
44080 +                       .totlen =       cpu_to_je32(c->cleanmarker_size),
44081 +                       .hdr_crc =      cpu_to_je32(0)
44082                 };
44083  
44084                 jffs2_prealloc_raw_node_refs(c, jeb, 1);
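Review bot: The added `.hdr_crc = cpu_to_je32(0)` in jffs2_mark_erased_block (and `.hdr_crc = constant_cpu_to_je32(0)` in fs/jffs2/wbuf.c below) is exactly what a designated initializer already produces for an unnamed member, so the line changes no bytes of the object; if it is there to satisfy a plugin or `-Wmissing-field-initializers`, a comment saying so keeps it from being removed as redundant: `/* explicit zero: keeps the initializer complete for warning/plugin checks */`. jffs2_mark_erased_block starts before the hunk.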
44085 diff -urNp linux-3.0.9/fs/jffs2/wbuf.c linux-3.0.9/fs/jffs2/wbuf.c
44086 --- linux-3.0.9/fs/jffs2/wbuf.c 2011-11-11 13:12:24.000000000 -0500
44087 +++ linux-3.0.9/fs/jffs2/wbuf.c 2011-11-15 20:02:59.000000000 -0500
44088 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
44089  {
44090         .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
44091         .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
44092 -       .totlen = constant_cpu_to_je32(8)
44093 +       .totlen = constant_cpu_to_je32(8),
44094 +       .hdr_crc = constant_cpu_to_je32(0)
44095  };
44096  
44097  /*
44098 diff -urNp linux-3.0.9/fs/jffs2/xattr.c linux-3.0.9/fs/jffs2/xattr.c
44099 --- linux-3.0.9/fs/jffs2/xattr.c        2011-11-11 13:12:24.000000000 -0500
44100 +++ linux-3.0.9/fs/jffs2/xattr.c        2011-11-15 20:02:59.000000000 -0500
44101 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct 
44102  
44103         BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
44104  
44105 +       pax_track_stack();
44106 +
44107         /* Phase.1 : Merge same xref */
44108         for (i=0; i < XREF_TMPHASH_SIZE; i++)
44109                 xref_tmphash[i] = NULL;
44110 diff -urNp linux-3.0.9/fs/jfs/super.c linux-3.0.9/fs/jfs/super.c
44111 --- linux-3.0.9/fs/jfs/super.c  2011-11-11 13:12:24.000000000 -0500
44112 +++ linux-3.0.9/fs/jfs/super.c  2011-11-15 20:02:59.000000000 -0500
44113 @@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
44114  
44115         jfs_inode_cachep =
44116             kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
44117 -                           SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
44118 +                           SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
44119                             init_once);
44120         if (jfs_inode_cachep == NULL)
44121                 return -ENOMEM;
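Review bot: Adding `SLAB_USERCOPY` to the `jfs_ip` cache in init_jfs_fs whitelists the whole `struct jfs_inode_info` for copy_to_user/copy_from_user, not just the field that needs it, which widens what a usercopy check will allow out of that slab. A comment naming the field that is handed to user space (presumably inline data kept inside the inode) documents the reason and lets a later reviewer judge whether a bounce buffer would be tighter: `/* SLAB_USERCOPY: <field> is passed directly to copy_to_user() */`. init_jfs_fs starts before the hunk.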
44122 diff -urNp linux-3.0.9/fs/Kconfig.binfmt linux-3.0.9/fs/Kconfig.binfmt
44123 --- linux-3.0.9/fs/Kconfig.binfmt       2011-11-11 13:12:24.000000000 -0500
44124 +++ linux-3.0.9/fs/Kconfig.binfmt       2011-11-15 20:02:59.000000000 -0500
44125 @@ -86,7 +86,7 @@ config HAVE_AOUT
44126  
44127  config BINFMT_AOUT
44128         tristate "Kernel support for a.out and ECOFF binaries"
44129 -       depends on HAVE_AOUT
44130 +       depends on HAVE_AOUT && BROKEN
44131         ---help---
44132           A.out (Assembler.OUTput) is a set of formats for libraries and
44133           executables used in the earliest versions of UNIX.  Linux used
44134 diff -urNp linux-3.0.9/fs/libfs.c linux-3.0.9/fs/libfs.c
44135 --- linux-3.0.9/fs/libfs.c      2011-11-11 13:12:24.000000000 -0500
44136 +++ linux-3.0.9/fs/libfs.c      2011-11-15 20:02:59.000000000 -0500
44137 @@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
44138  
44139                         for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
44140                                 struct dentry *next;
44141 +                               char d_name[sizeof(next->d_iname)];
44142 +                               const unsigned char *name;
44143 +
44144                                 next = list_entry(p, struct dentry, d_u.d_child);
44145                                 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
44146                                 if (!simple_positive(next)) {
44147 @@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
44148  
44149                                 spin_unlock(&next->d_lock);
44150                                 spin_unlock(&dentry->d_lock);
44151 -                               if (filldir(dirent, next->d_name.name, 
44152 +                               name = next->d_name.name;
44153 +                               if (name == next->d_iname) {
44154 +                                       memcpy(d_name, name, next->d_name.len);
44155 +                                       name = d_name;
44156 +                               }
44157 +                               if (filldir(dirent, name, 
44158                                             next->d_name.len, filp->f_pos, 
44159                                             next->d_inode->i_ino, 
44160                                             dt_type(next->d_inode)) < 0)
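Review bot: In dcache_readdir the new `memcpy(d_name, name, next->d_name.len)` runs after `spin_unlock(&next->d_lock)`, so `d_name.name`, `d_name.len` and the inline bytes are read with nothing pinning them; a concurrent rename that switches the name from inline to external, or changes its length, between the `name == next->d_iname` test and the memcpy could make the copy exceed `sizeof(next->d_iname)` on the stack. The original unlocked read had the same race but copied nothing, so the fixed-size buffer makes it matter. Take the snapshot while the lock is still held: move the `name = …`/`memcpy` block above `spin_unlock(&next->d_lock)`, capture `next->d_name.len` into a local at the same time (declared next to `d_name` in the previous hunk, `unsigned int len;`), and pass that local to filldir. The loop body continues outside both hunks.
```c
				/* … unchanged: simple_positive() check and its unlock/continue … */
				name = next->d_name.name;
				len = next->d_name.len;
				if (name == next->d_iname) {
					/* snapshot the inline name while d_lock still pins d_name */
					memcpy(d_name, name, len);
					name = d_name;
				}
				spin_unlock(&next->d_lock);
				spin_unlock(&dentry->d_lock);
				if (filldir(dirent, name, len, filp->f_pos,
					    next->d_inode->i_ino,
					    dt_type(next->d_inode)) < 0)
```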
44161 diff -urNp linux-3.0.9/fs/lockd/clntproc.c linux-3.0.9/fs/lockd/clntproc.c
44162 --- linux-3.0.9/fs/lockd/clntproc.c     2011-11-11 13:12:24.000000000 -0500
44163 +++ linux-3.0.9/fs/lockd/clntproc.c     2011-11-15 20:02:59.000000000 -0500
44164 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
44165  /*
44166   * Cookie counter for NLM requests
44167   */
44168 -static atomic_t        nlm_cookie = ATOMIC_INIT(0x1234);
44169 +static atomic_unchecked_t      nlm_cookie = ATOMIC_INIT(0x1234);
44170  
44171  void nlmclnt_next_cookie(struct nlm_cookie *c)
44172  {
44173 -       u32     cookie = atomic_inc_return(&nlm_cookie);
44174 +       u32     cookie = atomic_inc_return_unchecked(&nlm_cookie);
44175  
44176         memcpy(c->data, &cookie, 4);
44177         c->len=4;
44178 @@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
44179         struct nlm_rqst reqst, *req;
44180         int             status;
44181  
44182 +       pax_track_stack();
44183 +
44184         req = &reqst;
44185         memset(req, 0, sizeof(*req));
44186         locks_init_lock(&req->a_args.lock.fl);
44187 diff -urNp linux-3.0.9/fs/locks.c linux-3.0.9/fs/locks.c
44188 --- linux-3.0.9/fs/locks.c      2011-11-11 13:12:24.000000000 -0500
44189 +++ linux-3.0.9/fs/locks.c      2011-11-15 20:02:59.000000000 -0500
44190 @@ -2043,16 +2043,16 @@ void locks_remove_flock(struct file *fil
44191                 return;
44192  
44193         if (filp->f_op && filp->f_op->flock) {
44194 -               struct file_lock fl = {
44195 +               struct file_lock flock = {
44196                         .fl_pid = current->tgid,
44197                         .fl_file = filp,
44198                         .fl_flags = FL_FLOCK,
44199                         .fl_type = F_UNLCK,
44200                         .fl_end = OFFSET_MAX,
44201                 };
44202 -               filp->f_op->flock(filp, F_SETLKW, &fl);
44203 -               if (fl.fl_ops && fl.fl_ops->fl_release_private)
44204 -                       fl.fl_ops->fl_release_private(&fl);
44205 +               filp->f_op->flock(filp, F_SETLKW, &flock);
44206 +               if (flock.fl_ops && flock.fl_ops->fl_release_private)
44207 +                       flock.fl_ops->fl_release_private(&flock);
44208         }
44209  
44210         lock_flocks();
44211 diff -urNp linux-3.0.9/fs/logfs/super.c linux-3.0.9/fs/logfs/super.c
44212 --- linux-3.0.9/fs/logfs/super.c        2011-11-11 13:12:24.000000000 -0500
44213 +++ linux-3.0.9/fs/logfs/super.c        2011-11-15 20:02:59.000000000 -0500
44214 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
44215         struct logfs_disk_super _ds1, *ds1 = &_ds1;
44216         int err, valid0, valid1;
44217  
44218 +       pax_track_stack();
44219 +
44220         /* read first superblock */
44221         err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
44222         if (err)
44223 diff -urNp linux-3.0.9/fs/namei.c linux-3.0.9/fs/namei.c
44224 --- linux-3.0.9/fs/namei.c      2011-11-11 13:12:24.000000000 -0500
44225 +++ linux-3.0.9/fs/namei.c      2011-11-16 17:53:31.000000000 -0500
44226 @@ -239,21 +239,23 @@ int generic_permission(struct inode *ino
44227                 return ret;
44228  
44229         /*
44230 -        * Read/write DACs are always overridable.
44231 -        * Executable DACs are overridable for all directories and
44232 -        * for non-directories that have least one exec bit set.
44233 +        * Searching includes executable on directories, else just read.
44234          */
44235 -       if (!(mask & MAY_EXEC) || execute_ok(inode))
44236 -               if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44237 +       mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
44238 +       if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) {
44239 +               if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44240                         return 0;
44241 +       }
44242  
44243         /*
44244 -        * Searching includes executable on directories, else just read.
44245 +        * Read/write DACs are always overridable.
44246 +        * Executable DACs are overridable for all directories and
44247 +        * for non-directories that have least one exec bit set.
44248          */
44249 -       mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
44250 -       if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
44251 -               if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44252 +       if (!(mask & MAY_EXEC) || execute_ok(inode)) {
44253 +               if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44254                         return 0;
44255 +       }
44256  
44257         return -EACCES;
44258  }
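Review bot: The two capability checks in generic_permission are swapped so that `CAP_DAC_READ_SEARCH` is tried before `CAP_DAC_OVERRIDE`, but the comments were merely swapped along with them and nothing says why the order now matters. If the intent is that a read/search-only access by a capable task is satisfied by the narrower capability and therefore never records a `CAP_DAC_OVERRIDE` use (presumably what the capability logging in this tree keys on), a comment above the first check should say so: `/* try the narrower CAP_DAC_READ_SEARCH first so read/search access never consumes or logs CAP_DAC_OVERRIDE */`. generic_permission starts before the hunk.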
44259 @@ -595,9 +597,12 @@ static inline int exec_permission(struct
44260         if (ret == -ECHILD)
44261                 return ret;
44262  
44263 -       if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
44264 -                       ns_capable(ns, CAP_DAC_READ_SEARCH))
44265 +       if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE))
44266                 goto ok;
44267 +       else {
44268 +               if (ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE))
44269 +                       goto ok;
44270 +       }
44271  
44272         return ret;
44273  ok:
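Review bot: In exec_permission the `else {` after `goto ok;` is redundant, and the inner `ns_capable(ns, CAP_DAC_OVERRIDE)` can only be reached when `ns_capable_nolog(ns, CAP_DAC_OVERRIDE)` has just returned false for the same task and namespace, so it never grants access; presumably its only effect is to emit the log record the `_nolog` variant suppressed. Either drop it, or keep it with a comment stating that purpose, e.g. `/* re-check with logging only so a denied override is recorded */`, and flatten the branch to `if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE) || ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE)) goto ok;`, which evaluates the same calls in the same order. exec_permission's body starts and ends outside the hunk.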
44274 @@ -705,11 +710,19 @@ follow_link(struct path *link, struct na
44275                 return error;
44276         }
44277  
44278 +       if (gr_handle_follow_link(dentry->d_parent->d_inode,
44279 +                                 dentry->d_inode, dentry, nd->path.mnt)) {
44280 +               error = -EACCES;
44281 +               *p = ERR_PTR(error); /* no ->put_link(), please */
44282 +               path_put(&nd->path);
44283 +               return error;
44284 +       }
44285 +
44286         nd->last_type = LAST_BIND;
44287         *p = dentry->d_inode->i_op->follow_link(dentry, nd);
44288         error = PTR_ERR(*p);
44289         if (!IS_ERR(*p)) {
44290 -               char *s = nd_get_link(nd);
44291 +               const char *s = nd_get_link(nd);
44292                 error = 0;
44293                 if (s)
44294                         error = __vfs_follow_link(nd, s);
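Review bot: The new `gr_handle_follow_link(dentry->d_parent->d_inode, …)` in follow_link reads `d_parent` without `d_lock` held, so a concurrent rename can change the parent between that read and its use inside the hook. If the hook needs a stable parent, take it with `struct dentry *parent = dget_parent(dentry);`, pass `parent->d_inode`, and `dput(parent)` after the call; if a best-effort parent is acceptable, a comment saying so, `/* d_parent read unlocked: a racing rename only affects which parent is checked */`, settles the question for the next reader. follow_link starts before the hunk.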
44295 @@ -1606,6 +1619,12 @@ static int path_lookupat(int dfd, const 
44296         if (!err)
44297                 err = complete_walk(nd);
44298  
44299 +       if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44300 +               if (!err)
44301 +                       path_put(&nd->path);
44302 +               err = -ENOENT;
44303 +       }
44304 +
44305         if (!err && nd->flags & LOOKUP_DIRECTORY) {
44306                 if (!nd->inode->i_op->lookup) {
44307                         path_put(&nd->path);
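Review bot: The hidden-file block in path_lookupat overwrites `err` with `-ENOENT` even when `err` is already non-zero, and it calls `gr_acl_handle_hidden_file()` on `nd->path` even though an earlier failure may already have released that path, so it can operate on a dropped dentry/mount. If masking a real error as ENOENT is intended for hidden files, the hook still must only run after a successful walk; gate the whole block on success: `if (!err && !(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { path_put(&nd->path); err = -ENOENT; }`. path_lookupat's body starts and ends outside the hunk.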
44308 @@ -1633,6 +1652,9 @@ static int do_path_lookup(int dfd, const
44309                 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
44310  
44311         if (likely(!retval)) {
44312 +               if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
44313 +                       return -ENOENT;
44314 +
44315                 if (unlikely(!audit_dummy_context())) {
44316                         if (nd->path.dentry && nd->inode)
44317                                 audit_inode(name, nd->path.dentry);
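Review bot: The new early `return -ENOENT;` in do_path_lookup fires after `path_lookupat()` succeeded, i.e. while `nd->path` still holds the dentry and vfsmount references the caller was going to release, so every chroot-denied relative lookup leaks those references (the caller sees an error and will not `path_put`). Add `path_put(&nd->path);` before the return, as the `LOOKUP_DIRECTORY` failure path in path_lookupat just above does. do_path_lookup starts before the hunk and continues after it.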
44318 @@ -1949,6 +1971,30 @@ int vfs_create(struct inode *dir, struct
44319         return error;
44320  }
44321  
44322 +/*
44323 + * Note that while the flag value (low two bits) for sys_open means:
44324 + *     00 - read-only
44325 + *     01 - write-only
44326 + *     10 - read-write
44327 + *     11 - special
44328 + * it is changed into
44329 + *     00 - no permissions needed
44330 + *     01 - read-permission
44331 + *     10 - write-permission
44332 + *     11 - read-write
44333 + * for the internal routines (ie open_namei()/follow_link() etc)
44334 + * This is more logical, and also allows the 00 "no perm needed"
44335 + * to be used for symlinks (where the permissions are checked
44336 + * later).
44337 + *
44338 +*/
44339 +static inline int open_to_namei_flags(int flag)
44340 +{
44341 +       if ((flag+1) & O_ACCMODE)
44342 +               flag++;
44343 +       return flag;
44344 +}
44345 +
44346  static int may_open(struct path *path, int acc_mode, int flag)
44347  {
44348         struct dentry *dentry = path->dentry;
44349 @@ -2001,7 +2047,27 @@ static int may_open(struct path *path, i
44350         /*
44351          * Ensure there are no outstanding leases on the file.
44352          */
44353 -       return break_lease(inode, flag);
44354 +       error = break_lease(inode, flag);
44355 +
44356 +       if (error)
44357 +               return error;
44358 +
44359 +       if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
44360 +               error = -EPERM;
44361 +               goto exit;
44362 +       }
44363 +
44364 +       if (gr_handle_rawio(inode)) {
44365 +               error = -EPERM;
44366 +               goto exit;
44367 +       }
44368 +
44369 +       if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
44370 +               error = -EACCES;
44371 +               goto exit;
44372 +       }
44373 +exit:
44374 +       return error;
44375  }
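Review bot: In may_open the new grsecurity checks run only after `break_lease()` has already succeeded, so a lease on the file is broken (holders signalled and, without O_NONBLOCK, the opener blocked) for an open that policy then refuses; unless one of the `gr_*` hooks depends on the lease having been broken, the cheap policy checks belong before `break_lease()`. The `goto exit` pattern is also pure indirection, since `exit:` only returns `error`; each check can return its errno directly and the label goes away, leaving `break_lease()` as the tail call it was before. may_open starts before the hunk.
```c
	if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
		return -EPERM;
	if (gr_handle_rawio(inode))
		return -EPERM;
	if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag)))
		return -EACCES;

	/*
	 * Ensure there are no outstanding leases on the file.
	 */
	return break_lease(inode, flag);
```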
44376  
44377  static int handle_truncate(struct file *filp)
44378 @@ -2027,30 +2093,6 @@ static int handle_truncate(struct file *
44379  }
44380  
44381  /*
44382 - * Note that while the flag value (low two bits) for sys_open means:
44383 - *     00 - read-only
44384 - *     01 - write-only
44385 - *     10 - read-write
44386 - *     11 - special
44387 - * it is changed into
44388 - *     00 - no permissions needed
44389 - *     01 - read-permission
44390 - *     10 - write-permission
44391 - *     11 - read-write
44392 - * for the internal routines (ie open_namei()/follow_link() etc)
44393 - * This is more logical, and also allows the 00 "no perm needed"
44394 - * to be used for symlinks (where the permissions are checked
44395 - * later).
44396 - *
44397 -*/
44398 -static inline int open_to_namei_flags(int flag)
44399 -{
44400 -       if ((flag+1) & O_ACCMODE)
44401 -               flag++;
44402 -       return flag;
44403 -}
44404 -
44405 -/*
44406   * Handle the last step of open()
44407   */
44408  static struct file *do_last(struct nameidata *nd, struct path *path,
44409 @@ -2059,6 +2101,7 @@ static struct file *do_last(struct namei
44410         struct dentry *dir = nd->path.dentry;
44411         struct dentry *dentry;
44412         int open_flag = op->open_flag;
44413 +       int flag = open_to_namei_flags(open_flag);
44414         int will_truncate = open_flag & O_TRUNC;
44415         int want_write = 0;
44416         int acc_mode = op->acc_mode;
44417 @@ -2079,6 +2122,10 @@ static struct file *do_last(struct namei
44418                 error = complete_walk(nd);
44419                 if (error)
44420                         return ERR_PTR(error);
44421 +               if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44422 +                       error = -ENOENT;
44423 +                       goto exit;
44424 +               }
44425                 audit_inode(pathname, nd->path.dentry);
44426                 if (open_flag & O_CREAT) {
44427                         error = -EISDIR;
44428 @@ -2089,6 +2136,10 @@ static struct file *do_last(struct namei
44429                 error = complete_walk(nd);
44430                 if (error)
44431                         return ERR_PTR(error);
44432 +               if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) {
44433 +                       error = -ENOENT;
44434 +                       goto exit;
44435 +               }
44436                 audit_inode(pathname, dir);
44437                 goto ok;
44438         }
44439 @@ -2111,6 +2162,11 @@ static struct file *do_last(struct namei
44440                 if (error)
44441                         return ERR_PTR(-ECHILD);
44442  
44443 +               if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44444 +                       error = -ENOENT;
44445 +                       goto exit;
44446 +               }
44447 +
44448                 error = -ENOTDIR;
44449                 if (nd->flags & LOOKUP_DIRECTORY) {
44450                         if (!nd->inode->i_op->lookup)
44451 @@ -2150,6 +2206,12 @@ static struct file *do_last(struct namei
44452         /* Negative dentry, just create the file */
44453         if (!dentry->d_inode) {
44454                 int mode = op->mode;
44455 +
44456 +               if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, flag, mode)) {
44457 +                       error = -EACCES;
44458 +                       goto exit_mutex_unlock;
44459 +               }
44460 +
44461                 if (!IS_POSIXACL(dir->d_inode))
44462                         mode &= ~current_umask();
44463                 /*
44464 @@ -2173,6 +2235,8 @@ static struct file *do_last(struct namei
44465                 error = vfs_create(dir->d_inode, dentry, mode, nd);
44466                 if (error)
44467                         goto exit_mutex_unlock;
44468 +               else
44469 +                       gr_handle_create(path->dentry, path->mnt);
44470                 mutex_unlock(&dir->d_inode->i_mutex);
44471                 dput(nd->path.dentry);
44472                 nd->path.dentry = dentry;
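Review bot: The `else` on the new line after `goto exit_mutex_unlock` is redundant, since control only reaches it when `error` is zero; writing `gr_handle_create(path->dentry, path->mnt);` as a plain statement after the `if` reads more naturally and matches how the mkdirat and symlinkat hunks in this patch call the same hook. The call also uses `path->dentry` while the lines just below switch nd->path.dentry to `dentry`; if the two are the same object here, a short comment saying so would stop a later reader from suspecting a stale pointer. do_last begins outside this hunk.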
44473 @@ -2182,6 +2246,19 @@ static struct file *do_last(struct namei
44474         /*
44475          * It already exists.
44476          */
44477 +
44478 +       if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
44479 +               error = -ENOENT;
44480 +               goto exit_mutex_unlock;
44481 +       }
44482 +
44483 +       /* only check if O_CREAT is specified, all other checks need to go
44484 +          into may_open */
44485 +       if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
44486 +               error = -EACCES;
44487 +               goto exit_mutex_unlock;
44488 +       }
44489 +
44490         mutex_unlock(&dir->d_inode->i_mutex);
44491         audit_inode(pathname, path->dentry);
44492  
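Review bot: The comment above the new gr_handle_fifo() call says the check applies only when O_CREAT is specified, but the condition itself is unconditional; the O_CREAT test is presumably inside the helper, derived from `flag`, yet nothing at the call site says so. Either make the intent visible, `if ((open_flag & O_CREAT) && gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode))`, or reword the comment to `/* gr_handle_fifo() only acts when O_CREAT is set in flag; every other check belongs in may_open() */`. This hidden-file check jumps to `exit_mutex_unlock` while the three earlier ones jump to `exit`; that is right because dir->d_inode->i_mutex is still held here (the unlock follows on the context line), but a one-word comment would save the reader the cross-check. do_last begins outside this hunk.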
44493 @@ -2398,6 +2475,10 @@ struct dentry *lookup_create(struct name
44494         }
44495         return dentry;
44496  eexist:
44497 +       if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
44498 +               dput(dentry);
44499 +               return ERR_PTR(-ENOENT);
44500 +       }
44501         dput(dentry);
44502         dentry = ERR_PTR(-EEXIST);
44503  fail:
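Review bot: The new `eexist` branch duplicates the `dput(dentry)` that immediately follows it; choosing the errno first and releasing once keeps a single exit path, e.g. `int err = gr_acl_handle_hidden_file(dentry, nd->path.mnt) ? -EEXIST : -ENOENT;` then `dput(dentry); dentry = ERR_PTR(err);` before `fail:`. Both branches return with whatever lookup_create holds (the parent i_mutex, if this kernel's lookup_create takes it as mainline does) still held, which matches the original -EEXIST path; a comment that callers unlock on error would help since neither path releases anything here. lookup_create begins outside this hunk.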
44504 @@ -2475,6 +2556,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44505         error = may_mknod(mode);
44506         if (error)
44507                 goto out_dput;
44508 +
44509 +       if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
44510 +               error = -EPERM;
44511 +               goto out_dput;
44512 +       }
44513 +
44514 +       if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
44515 +               error = -EACCES;
44516 +               goto out_dput;
44517 +       }
44518 +
44519         error = mnt_want_write(nd.path.mnt);
44520         if (error)
44521                 goto out_dput;
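Review bot: The two new guards use opposite return conventions on adjacent lines: `gr_handle_chroot_mknod()` denies on non-zero while `gr_acl_handle_mknod()` denies on zero, and the call site gives no hint which is which. A comment at this first use, e.g. `/* gr_handle_* return non-zero to deny; gr_acl_handle_* return zero to deny */`, would make the `!` on the second check look intentional rather than inverted. The same mix recurs in fs/open.c below, where `!gr_chroot_fchdir()` denies on zero but `gr_handle_chroot_chroot()` denies on non-zero. mknodat begins outside this hunk.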
44522 @@ -2495,6 +2587,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44523         }
44524  out_drop_write:
44525         mnt_drop_write(nd.path.mnt);
44526 +
44527 +       if (!error)
44528 +               gr_handle_create(dentry, nd.path.mnt);
44529  out_dput:
44530         dput(dentry);
44531  out_unlock:
44532 @@ -2547,6 +2642,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
44533         if (IS_ERR(dentry))
44534                 goto out_unlock;
44535  
44536 +       if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
44537 +               error = -EACCES;
44538 +               goto out_dput;
44539 +       }
44540 +
44541         if (!IS_POSIXACL(nd.path.dentry->d_inode))
44542                 mode &= ~current_umask();
44543         error = mnt_want_write(nd.path.mnt);
44544 @@ -2558,6 +2658,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
44545         error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
44546  out_drop_write:
44547         mnt_drop_write(nd.path.mnt);
44548 +
44549 +       if (!error)
44550 +               gr_handle_create(dentry, nd.path.mnt);
44551 +
44552  out_dput:
44553         dput(dentry);
44554  out_unlock:
44555 @@ -2640,6 +2744,8 @@ static long do_rmdir(int dfd, const char
44556         char * name;
44557         struct dentry *dentry;
44558         struct nameidata nd;
44559 +       ino_t saved_ino = 0;
44560 +       dev_t saved_dev = 0;
44561  
44562         error = user_path_parent(dfd, pathname, &nd, &name);
44563         if (error)
44564 @@ -2668,6 +2774,15 @@ static long do_rmdir(int dfd, const char
44565                 error = -ENOENT;
44566                 goto exit3;
44567         }
44568 +
44569 +       saved_ino = dentry->d_inode->i_ino;
44570 +       saved_dev = gr_get_dev_from_dentry(dentry);
44571 +
44572 +       if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
44573 +               error = -EACCES;
44574 +               goto exit3;
44575 +       }
44576 +
44577         error = mnt_want_write(nd.path.mnt);
44578         if (error)
44579                 goto exit3;
44580 @@ -2675,6 +2790,8 @@ static long do_rmdir(int dfd, const char
44581         if (error)
44582                 goto exit4;
44583         error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
44584 +       if (!error && (saved_dev || saved_ino))
44585 +               gr_handle_delete(saved_ino, saved_dev);
44586  exit4:
44587         mnt_drop_write(nd.path.mnt);
44588  exit3:
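Review bot: The guard `(saved_dev || saved_ino)` on the new gr_handle_delete() call is effectively always true in do_rmdir, because the previous hunk assigns both unconditionally once a NULL d_inode has been rejected; it only filters the inode-0-on-device-0 case, which deserves a comment if intended and can otherwise be dropped here. The same predicate appears with the operands swapped, `(saved_ino || saved_dev)`, in the do_unlinkat @@ -2766 hunk, where it does carry meaning because the values are captured only when i_nlink <= 1; writing it identically in both places makes the difference in purpose easier to spot. do_rmdir begins outside this hunk.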
44589 @@ -2737,6 +2854,8 @@ static long do_unlinkat(int dfd, const c
44590         struct dentry *dentry;
44591         struct nameidata nd;
44592         struct inode *inode = NULL;
44593 +       ino_t saved_ino = 0;
44594 +       dev_t saved_dev = 0;
44595  
44596         error = user_path_parent(dfd, pathname, &nd, &name);
44597         if (error)
44598 @@ -2759,6 +2878,16 @@ static long do_unlinkat(int dfd, const c
44599                 if (!inode)
44600                         goto slashes;
44601                 ihold(inode);
44602 +
44603 +               if (inode->i_nlink <= 1) {
44604 +                       saved_ino = inode->i_ino;
44605 +                       saved_dev = gr_get_dev_from_dentry(dentry);
44606 +               }
44607 +               if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
44608 +                       error = -EACCES;
44609 +                       goto exit2;
44610 +               }
44611 +
44612                 error = mnt_want_write(nd.path.mnt);
44613                 if (error)
44614                         goto exit2;
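Review bot: The `saved_ino`/`saved_dev` snapshot is taken when `inode->i_nlink <= 1` at lookup time, but only the parent directory's i_mutex is held here; a hard link added or removed through another directory before vfs_unlink() runs would make the later gr_handle_delete() report a deletion that did not happen, or miss one that did. If that is an accepted best-effort trade-off, say so: `/* best-effort: i_nlink may change before vfs_unlink(); the inode's own lock is not held here */`. The ACL check is placed after `ihold(inode)`, which is fine only if `exit2` drops that reference on the error path; that label is outside this hunk, as is the start of do_unlinkat.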
44615 @@ -2766,6 +2895,8 @@ static long do_unlinkat(int dfd, const c
44616                 if (error)
44617                         goto exit3;
44618                 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
44619 +               if (!error && (saved_ino || saved_dev))
44620 +                       gr_handle_delete(saved_ino, saved_dev);
44621  exit3:
44622                 mnt_drop_write(nd.path.mnt);
44623         exit2:
44624 @@ -2843,6 +2974,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
44625         if (IS_ERR(dentry))
44626                 goto out_unlock;
44627  
44628 +       if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
44629 +               error = -EACCES;
44630 +               goto out_dput;
44631 +       }
44632 +
44633         error = mnt_want_write(nd.path.mnt);
44634         if (error)
44635                 goto out_dput;
44636 @@ -2850,6 +2986,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
44637         if (error)
44638                 goto out_drop_write;
44639         error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
44640 +       if (!error)
44641 +               gr_handle_create(dentry, nd.path.mnt);
44642  out_drop_write:
44643         mnt_drop_write(nd.path.mnt);
44644  out_dput:
44645 @@ -2958,6 +3096,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44646         error = PTR_ERR(new_dentry);
44647         if (IS_ERR(new_dentry))
44648                 goto out_unlock;
44649 +
44650 +       if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
44651 +                              old_path.dentry->d_inode,
44652 +                              old_path.dentry->d_inode->i_mode, to)) {
44653 +               error = -EACCES;
44654 +               goto out_dput;
44655 +       }
44656 +
44657 +       if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
44658 +                               old_path.dentry, old_path.mnt, to)) {
44659 +               error = -EACCES;
44660 +               goto out_dput;
44661 +       }
44662 +
44663         error = mnt_want_write(nd.path.mnt);
44664         if (error)
44665                 goto out_dput;
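Review bot: gr_handle_hardlink() is handed `old_path.dentry`, its `d_inode` and that inode's `i_mode` as three separate arguments although the last two are read straight from the first on the same lines, and `i_mode` is sampled here without the inode's i_mutex, which vfs_link() takes later. If the helper really needs the pre-sampled mode, a comment should say why; otherwise passing the dentry alone shortens the call and removes a value that can go stale between this check and vfs_link(). Both new checks run before mnt_want_write(), so a denial costs no write reference, which is the right ordering. linkat begins outside this hunk.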
44666 @@ -2965,6 +3117,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44667         if (error)
44668                 goto out_drop_write;
44669         error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
44670 +       if (!error)
44671 +               gr_handle_create(new_dentry, nd.path.mnt);
44672  out_drop_write:
44673         mnt_drop_write(nd.path.mnt);
44674  out_dput:
44675 @@ -3142,6 +3296,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44676         char *to;
44677         int error;
44678  
44679 +       pax_track_stack();
44680 +
44681         error = user_path_parent(olddfd, oldname, &oldnd, &from);
44682         if (error)
44683                 goto exit;
44684 @@ -3198,6 +3354,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44685         if (new_dentry == trap)
44686                 goto exit5;
44687  
44688 +       error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
44689 +                                    old_dentry, old_dir->d_inode, oldnd.path.mnt,
44690 +                                    to);
44691 +       if (error)
44692 +               goto exit5;
44693 +
44694         error = mnt_want_write(oldnd.path.mnt);
44695         if (error)
44696                 goto exit5;
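Review bot: gr_acl_handle_rename() is the only gr_acl_handle_* call in this patch whose return value is used directly as the errno (`error = ...; if (error) goto exit5;`); every sibling (mkdir, mknod, symlink, link, unlink, rmdir, truncate, access) is called as `if (!gr_acl_handle_X(...)) error = -EACCES;`. Unless the rename helper genuinely returns a negative errno while the others return a boolean, one of the two usages is inverted; a comment at this call, `/* unlike the other gr_acl_handle_* hooks, returns 0 or a negative errno */`, would record which it is. renameat begins outside this hunk.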
44697 @@ -3207,6 +3369,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44698                 goto exit6;
44699         error = vfs_rename(old_dir->d_inode, old_dentry,
44700                                    new_dir->d_inode, new_dentry);
44701 +       if (!error)
44702 +               gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
44703 +                                new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
44704  exit6:
44705         mnt_drop_write(oldnd.path.mnt);
44706  exit5:
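Review bot: The replaced flag passed to gr_handle_rename() is computed from `new_dentry->d_inode` after vfs_rename() has run, at which point the filesystem may have d_move()'d or dropped the target dentry, so whether d_inode still reflects the replaced file depends on the filesystem rather than on what the operation did. Capture it beforehand, `int replace = new_dentry->d_inode ? 1 : 0;` ahead of `error = vfs_rename(...)`, and pass `replace` to the hook afterwards. The `new_dentry == trap` check in the previous hunk shows new_dentry is the freshly looked-up target there, so the value is well defined before the call. renameat begins outside this hunk.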
44707 @@ -3232,6 +3397,8 @@ SYSCALL_DEFINE2(rename, const char __use
44708  
44709  int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
44710  {
44711 +       char tmpbuf[64];
44712 +       const char *newlink;
44713         int len;
44714  
44715         len = PTR_ERR(link);
44716 @@ -3241,7 +3408,14 @@ int vfs_readlink(struct dentry *dentry, 
44717         len = strlen(link);
44718         if (len > (unsigned) buflen)
44719                 len = buflen;
44720 -       if (copy_to_user(buffer, link, len))
44721 +
44722 +       if (len < sizeof(tmpbuf)) {
44723 +               memcpy(tmpbuf, link, len);
44724 +               newlink = tmpbuf;
44725 +       } else
44726 +               newlink = link;
44727 +
44728 +       if (copy_to_user(buffer, newlink, len))
44729                 len = -EFAULT;
44730  out:
44731         return len;
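Review bot: The reason for bouncing links shorter than 64 bytes through the stack buffer `tmpbuf` while longer ones are copied straight from `link` is not stated in either of the two hunks that touch vfs_readlink (this one and the @@ -3232 hunk that declares the buffer), and nothing in the function makes it obvious; whichever property of `link`'s memory the copy works around deserves a comment on the `if (len < sizeof(tmpbuf))` line, and the 64 should be a named constant tied to that explanation, or the next reader will see a redundant memcpy and remove it. The comparison mixes the `int` len with `size_t`; len is non-negative at that point (a strlen result or a clamped non-negative buflen), so it is safe, but `(size_t)len` would make that visible. vfs_readlink begins outside this hunk.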
44732 diff -urNp linux-3.0.9/fs/namespace.c linux-3.0.9/fs/namespace.c
44733 --- linux-3.0.9/fs/namespace.c  2011-11-11 13:12:24.000000000 -0500
44734 +++ linux-3.0.9/fs/namespace.c  2011-11-15 20:02:59.000000000 -0500
44735 @@ -1329,6 +1329,9 @@ static int do_umount(struct vfsmount *mn
44736                 if (!(sb->s_flags & MS_RDONLY))
44737                         retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
44738                 up_write(&sb->s_umount);
44739 +
44740 +               gr_log_remount(mnt->mnt_devname, retval);
44741 +
44742                 return retval;
44743         }
44744  
44745 @@ -1348,6 +1351,9 @@ static int do_umount(struct vfsmount *mn
44746         br_write_unlock(vfsmount_lock);
44747         up_write(&namespace_sem);
44748         release_mounts(&umount_list);
44749 +
44750 +       gr_log_unmount(mnt->mnt_devname, retval);
44751 +
44752         return retval;
44753  }
44754  
44755 @@ -2339,6 +2345,16 @@ long do_mount(char *dev_name, char *dir_
44756                    MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
44757                    MS_STRICTATIME);
44758  
44759 +       if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
44760 +               retval = -EPERM;
44761 +               goto dput_out;
44762 +       }
44763 +
44764 +       if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
44765 +               retval = -EPERM;
44766 +               goto dput_out;
44767 +       }
44768 +
44769         if (flags & MS_REMOUNT)
44770                 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
44771                                     data_page);
44772 @@ -2353,6 +2369,9 @@ long do_mount(char *dev_name, char *dir_
44773                                       dev_name, data_page);
44774  dput_out:
44775         path_put(&path);
44776 +
44777 +       gr_log_mount(dev_name, dir_name, retval);
44778 +
44779         return retval;
44780  }
44781  
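Review bot: `dev_name` can be NULL on this path, as far as I can tell from how sys_mount copies the user strings in this kernel (a NULL user pointer stays NULL), and several filesystems are mounted that way, so gr_log_mount(dev_name, dir_name, retval) must tolerate a NULL first argument; nothing here shows that it does. If the helper already guards it, a comment `/* dev_name may be NULL */` at the call suffices; otherwise pass `dev_name ? dev_name : "(none)"`. The `dput_out` label is also reached from the two new -EPERM checks in the previous hunk, so denied mounts are logged as well, which is the desired behaviour. do_mount begins outside this hunk.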
44782 @@ -2576,6 +2595,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
44783         if (error)
44784                 goto out2;
44785  
44786 +       if (gr_handle_chroot_pivot()) {
44787 +               error = -EPERM;
44788 +               goto out2;
44789 +       }
44790 +
44791         get_fs_root(current->fs, &root);
44792         error = lock_mount(&old);
44793         if (error)
44794 diff -urNp linux-3.0.9/fs/ncpfs/dir.c linux-3.0.9/fs/ncpfs/dir.c
44795 --- linux-3.0.9/fs/ncpfs/dir.c  2011-11-11 13:12:24.000000000 -0500
44796 +++ linux-3.0.9/fs/ncpfs/dir.c  2011-11-15 20:02:59.000000000 -0500
44797 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
44798         int res, val = 0, len;
44799         __u8 __name[NCP_MAXPATHLEN + 1];
44800  
44801 +       pax_track_stack();
44802 +
44803         if (dentry == dentry->d_sb->s_root)
44804                 return 1;
44805  
44806 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct 
44807         int error, res, len;
44808         __u8 __name[NCP_MAXPATHLEN + 1];
44809  
44810 +       pax_track_stack();
44811 +
44812         error = -EIO;
44813         if (!ncp_conn_valid(server))
44814                 goto finished;
44815 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
44816         PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
44817                 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
44818  
44819 +       pax_track_stack();
44820 +
44821         ncp_age_dentry(server, dentry);
44822         len = sizeof(__name);
44823         error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
44824 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir, 
44825         int error, len;
44826         __u8 __name[NCP_MAXPATHLEN + 1];
44827  
44828 +       pax_track_stack();
44829 +
44830         DPRINTK("ncp_mkdir: making %s/%s\n",
44831                 dentry->d_parent->d_name.name, dentry->d_name.name);
44832  
44833 @@ -1140,6 +1148,8 @@ static int ncp_rename(struct inode *old_
44834         int old_len, new_len;
44835         __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
44836  
44837 +       pax_track_stack();
44838 +
44839         DPRINTK("ncp_rename: %s/%s to %s/%s\n",
44840                 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
44841                 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
44842 diff -urNp linux-3.0.9/fs/ncpfs/inode.c linux-3.0.9/fs/ncpfs/inode.c
44843 --- linux-3.0.9/fs/ncpfs/inode.c        2011-11-11 13:12:24.000000000 -0500
44844 +++ linux-3.0.9/fs/ncpfs/inode.c        2011-11-15 20:02:59.000000000 -0500
44845 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
44846  #endif
44847         struct ncp_entry_info finfo;
44848  
44849 +       pax_track_stack();
44850 +
44851         memset(&data, 0, sizeof(data));
44852         server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
44853         if (!server)
44854 diff -urNp linux-3.0.9/fs/nfs/inode.c linux-3.0.9/fs/nfs/inode.c
44855 --- linux-3.0.9/fs/nfs/inode.c  2011-11-11 13:12:24.000000000 -0500
44856 +++ linux-3.0.9/fs/nfs/inode.c  2011-11-15 20:02:59.000000000 -0500
44857 @@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct
44858         nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
44859         nfsi->attrtimeo_timestamp = jiffies;
44860  
44861 -       memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
44862 +       memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
44863         if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
44864                 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
44865         else
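Review bot: The corrected memset deserves a one-line comment so the sizeof is not "simplified" back to the old form: `/* NFS_COOKIEVERF() yields a pointer; size the cookieverf array itself */`. If NFS_COOKIEVERF() is the pointer-returning inline it is in mainline, the old form zeroed only sizeof(pointer) bytes, which happens to equal the two-word array on 64-bit but not on 32-bit targets, so this is a real fix rather than a cosmetic one and the comment should say so. nfs_zap_caches_locked begins outside this hunk.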
44866 @@ -1000,16 +1000,16 @@ static int nfs_size_need_update(const st
44867         return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
44868  }
44869  
44870 -static atomic_long_t nfs_attr_generation_counter;
44871 +static atomic_long_unchecked_t nfs_attr_generation_counter;
44872  
44873  static unsigned long nfs_read_attr_generation_counter(void)
44874  {
44875 -       return atomic_long_read(&nfs_attr_generation_counter);
44876 +       return atomic_long_read_unchecked(&nfs_attr_generation_counter);
44877  }
44878  
44879  unsigned long nfs_inc_attr_generation_counter(void)
44880  {
44881 -       return atomic_long_inc_return(&nfs_attr_generation_counter);
44882 +       return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
44883  }
44884  
44885  void nfs_fattr_init(struct nfs_fattr *fattr)
44886 diff -urNp linux-3.0.9/fs/nfsd/nfs4state.c linux-3.0.9/fs/nfsd/nfs4state.c
44887 --- linux-3.0.9/fs/nfsd/nfs4state.c     2011-11-11 13:12:24.000000000 -0500
44888 +++ linux-3.0.9/fs/nfsd/nfs4state.c     2011-11-15 20:02:59.000000000 -0500
44889 @@ -3804,6 +3804,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
44890         unsigned int strhashval;
44891         int err;
44892  
44893 +       pax_track_stack();
44894 +
44895         dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
44896                 (long long) lock->lk_offset,
44897                 (long long) lock->lk_length);
44898 diff -urNp linux-3.0.9/fs/nfsd/nfs4xdr.c linux-3.0.9/fs/nfsd/nfs4xdr.c
44899 --- linux-3.0.9/fs/nfsd/nfs4xdr.c       2011-11-11 13:12:24.000000000 -0500
44900 +++ linux-3.0.9/fs/nfsd/nfs4xdr.c       2011-11-15 20:02:59.000000000 -0500
44901 @@ -1800,6 +1800,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
44902                 .dentry = dentry,
44903         };
44904  
44905 +       pax_track_stack();
44906 +
44907         BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
44908         BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
44909         BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
44910 diff -urNp linux-3.0.9/fs/nfsd/vfs.c linux-3.0.9/fs/nfsd/vfs.c
44911 --- linux-3.0.9/fs/nfsd/vfs.c   2011-11-11 13:12:24.000000000 -0500
44912 +++ linux-3.0.9/fs/nfsd/vfs.c   2011-11-15 20:02:59.000000000 -0500
44913 @@ -896,7 +896,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
44914         } else {
44915                 oldfs = get_fs();
44916                 set_fs(KERNEL_DS);
44917 -               host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
44918 +               host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
44919                 set_fs(oldfs);
44920         }
44921  
44922 @@ -1000,7 +1000,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
44923  
44924         /* Write the data. */
44925         oldfs = get_fs(); set_fs(KERNEL_DS);
44926 -       host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
44927 +       host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
44928         set_fs(oldfs);
44929         if (host_err < 0)
44930                 goto out_nfserr;
44931 @@ -1535,7 +1535,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
44932          */
44933  
44934         oldfs = get_fs(); set_fs(KERNEL_DS);
44935 -       host_err = inode->i_op->readlink(dentry, buf, *lenp);
44936 +       host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
44937         set_fs(oldfs);
44938  
44939         if (host_err < 0)
44940 diff -urNp linux-3.0.9/fs/notify/fanotify/fanotify_user.c linux-3.0.9/fs/notify/fanotify/fanotify_user.c
44941 --- linux-3.0.9/fs/notify/fanotify/fanotify_user.c      2011-11-11 13:12:24.000000000 -0500
44942 +++ linux-3.0.9/fs/notify/fanotify/fanotify_user.c      2011-11-15 20:02:59.000000000 -0500
44943 @@ -276,7 +276,8 @@ static ssize_t copy_event_to_user(struct
44944                 goto out_close_fd;
44945  
44946         ret = -EFAULT;
44947 -       if (copy_to_user(buf, &fanotify_event_metadata,
44948 +       if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
44949 +           copy_to_user(buf, &fanotify_event_metadata,
44950                          fanotify_event_metadata.event_len))
44951                 goto out_kill_access_response;
44952  
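Review bot: The new `event_len > sizeof fanotify_event_metadata` guard reuses the `ret = -EFAULT` set for the copy failure, so an oversized length — an internal inconsistency, not a bad user pointer — is reported to userspace as EFAULT. If the guard is meant as a can't-happen sanity check, giving it its own branch with -EINVAL (or a WARN_ON_ONCE) keeps the two failure causes distinguishable for whoever debugs it, and a one-line comment should note that event_len is presumably filled by the kernel's own metadata setup rather than taken from the user. copy_event_to_user begins outside this hunk.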
44953 diff -urNp linux-3.0.9/fs/notify/notification.c linux-3.0.9/fs/notify/notification.c
44954 --- linux-3.0.9/fs/notify/notification.c        2011-11-11 13:12:24.000000000 -0500
44955 +++ linux-3.0.9/fs/notify/notification.c        2011-11-15 20:02:59.000000000 -0500
44956 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
44957   * get set to 0 so it will never get 'freed'
44958   */
44959  static struct fsnotify_event *q_overflow_event;
44960 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44961 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44962  
44963  /**
44964   * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
44965 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
44966   */
44967  u32 fsnotify_get_cookie(void)
44968  {
44969 -       return atomic_inc_return(&fsnotify_sync_cookie);
44970 +       return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
44971  }
44972  EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
44973  
44974 diff -urNp linux-3.0.9/fs/ntfs/dir.c linux-3.0.9/fs/ntfs/dir.c
44975 --- linux-3.0.9/fs/ntfs/dir.c   2011-11-11 13:12:24.000000000 -0500
44976 +++ linux-3.0.9/fs/ntfs/dir.c   2011-11-15 20:02:59.000000000 -0500
44977 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
44978         ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
44979                         ~(s64)(ndir->itype.index.block_size - 1)));
44980         /* Bounds checks. */
44981 -       if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44982 +       if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44983                 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
44984                                 "inode 0x%lx or driver bug.", vdir->i_ino);
44985                 goto err_out;
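Review bot: The added `!kaddr` test comes after `ia` has already been computed from `kaddr` on the context lines above, so the arithmetic on a NULL base has happened before the guard; it is not dereferenced, and the short-circuit now avoids comparing the result against `kaddr + PAGE_CACHE_SIZE`, but the check arrives one statement late. Testing kaddr immediately after the mapping call that produces it (outside this hunk) would fail earlier and keep this bounds check about bounds; alternatively a comment `/* kaddr may be NULL if the page map failed */` would explain why a bounds check tests the base pointer. The enclosing function begins and ends outside this hunk.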
44986 diff -urNp linux-3.0.9/fs/ntfs/file.c linux-3.0.9/fs/ntfs/file.c
44987 --- linux-3.0.9/fs/ntfs/file.c  2011-11-11 13:12:24.000000000 -0500
44988 +++ linux-3.0.9/fs/ntfs/file.c  2011-11-15 20:02:59.000000000 -0500
44989 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
44990  #endif /* NTFS_RW */
44991  };
44992  
44993 -const struct file_operations ntfs_empty_file_ops = {};
44994 +const struct file_operations ntfs_empty_file_ops __read_only;
44995  
44996 -const struct inode_operations ntfs_empty_inode_ops = {};
44997 +const struct inode_operations ntfs_empty_inode_ops __read_only;
44998 diff -urNp linux-3.0.9/fs/ocfs2/localalloc.c linux-3.0.9/fs/ocfs2/localalloc.c
44999 --- linux-3.0.9/fs/ocfs2/localalloc.c   2011-11-11 13:12:24.000000000 -0500
45000 +++ linux-3.0.9/fs/ocfs2/localalloc.c   2011-11-15 20:02:59.000000000 -0500
45001 @@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
45002                 goto bail;
45003         }
45004  
45005 -       atomic_inc(&osb->alloc_stats.moves);
45006 +       atomic_inc_unchecked(&osb->alloc_stats.moves);
45007  
45008  bail:
45009         if (handle)
45010 diff -urNp linux-3.0.9/fs/ocfs2/namei.c linux-3.0.9/fs/ocfs2/namei.c
45011 --- linux-3.0.9/fs/ocfs2/namei.c        2011-11-11 13:12:24.000000000 -0500
45012 +++ linux-3.0.9/fs/ocfs2/namei.c        2011-11-15 20:02:59.000000000 -0500
45013 @@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
45014         struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
45015         struct ocfs2_dir_lookup_result target_insert = { NULL, };
45016  
45017 +       pax_track_stack();
45018 +
45019         /* At some point it might be nice to break this function up a
45020          * bit. */
45021  
45022 diff -urNp linux-3.0.9/fs/ocfs2/ocfs2.h linux-3.0.9/fs/ocfs2/ocfs2.h
45023 --- linux-3.0.9/fs/ocfs2/ocfs2.h        2011-11-11 13:12:24.000000000 -0500
45024 +++ linux-3.0.9/fs/ocfs2/ocfs2.h        2011-11-15 20:02:59.000000000 -0500
45025 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
45026  
45027  struct ocfs2_alloc_stats
45028  {
45029 -       atomic_t moves;
45030 -       atomic_t local_data;
45031 -       atomic_t bitmap_data;
45032 -       atomic_t bg_allocs;
45033 -       atomic_t bg_extends;
45034 +       atomic_unchecked_t moves;
45035 +       atomic_unchecked_t local_data;
45036 +       atomic_unchecked_t bitmap_data;
45037 +       atomic_unchecked_t bg_allocs;
45038 +       atomic_unchecked_t bg_extends;
45039  };
45040  
45041  enum ocfs2_local_alloc_state
45042 diff -urNp linux-3.0.9/fs/ocfs2/suballoc.c linux-3.0.9/fs/ocfs2/suballoc.c
45043 --- linux-3.0.9/fs/ocfs2/suballoc.c     2011-11-11 13:12:24.000000000 -0500
45044 +++ linux-3.0.9/fs/ocfs2/suballoc.c     2011-11-15 20:02:59.000000000 -0500
45045 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
45046                                 mlog_errno(status);
45047                         goto bail;
45048                 }
45049 -               atomic_inc(&osb->alloc_stats.bg_extends);
45050 +               atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
45051  
45052                 /* You should never ask for this much metadata */
45053                 BUG_ON(bits_wanted >
45054 @@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
45055                 mlog_errno(status);
45056                 goto bail;
45057         }
45058 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45059 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45060  
45061         *suballoc_loc = res.sr_bg_blkno;
45062         *suballoc_bit_start = res.sr_bit_offset;
45063 @@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
45064         trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
45065                                            res->sr_bits);
45066  
45067 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45068 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45069  
45070         BUG_ON(res->sr_bits != 1);
45071  
45072 @@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
45073                 mlog_errno(status);
45074                 goto bail;
45075         }
45076 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45077 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45078  
45079         BUG_ON(res.sr_bits != 1);
45080  
45081 @@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
45082                                                       cluster_start,
45083                                                       num_clusters);
45084                 if (!status)
45085 -                       atomic_inc(&osb->alloc_stats.local_data);
45086 +                       atomic_inc_unchecked(&osb->alloc_stats.local_data);
45087         } else {
45088                 if (min_clusters > (osb->bitmap_cpg - 1)) {
45089                         /* The only paths asking for contiguousness
45090 @@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
45091                                 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
45092                                                                  res.sr_bg_blkno,
45093                                                                  res.sr_bit_offset);
45094 -                       atomic_inc(&osb->alloc_stats.bitmap_data);
45095 +                       atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
45096                         *num_clusters = res.sr_bits;
45097                 }
45098         }
45099 diff -urNp linux-3.0.9/fs/ocfs2/super.c linux-3.0.9/fs/ocfs2/super.c
45100 --- linux-3.0.9/fs/ocfs2/super.c        2011-11-11 13:12:24.000000000 -0500
45101 +++ linux-3.0.9/fs/ocfs2/super.c        2011-11-15 20:02:59.000000000 -0500
45102 @@ -300,11 +300,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
45103                         "%10s => GlobalAllocs: %d  LocalAllocs: %d  "
45104                         "SubAllocs: %d  LAWinMoves: %d  SAExtends: %d\n",
45105                         "Stats",
45106 -                       atomic_read(&osb->alloc_stats.bitmap_data),
45107 -                       atomic_read(&osb->alloc_stats.local_data),
45108 -                       atomic_read(&osb->alloc_stats.bg_allocs),
45109 -                       atomic_read(&osb->alloc_stats.moves),
45110 -                       atomic_read(&osb->alloc_stats.bg_extends));
45111 +                       atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
45112 +                       atomic_read_unchecked(&osb->alloc_stats.local_data),
45113 +                       atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
45114 +                       atomic_read_unchecked(&osb->alloc_stats.moves),
45115 +                       atomic_read_unchecked(&osb->alloc_stats.bg_extends));
45116  
45117         out += snprintf(buf + out, len - out,
45118                         "%10s => State: %u  Descriptor: %llu  Size: %u bits  "
45119 @@ -2112,11 +2112,11 @@ static int ocfs2_initialize_super(struct
45120         spin_lock_init(&osb->osb_xattr_lock);
45121         ocfs2_init_steal_slots(osb);
45122  
45123 -       atomic_set(&osb->alloc_stats.moves, 0);
45124 -       atomic_set(&osb->alloc_stats.local_data, 0);
45125 -       atomic_set(&osb->alloc_stats.bitmap_data, 0);
45126 -       atomic_set(&osb->alloc_stats.bg_allocs, 0);
45127 -       atomic_set(&osb->alloc_stats.bg_extends, 0);
45128 +       atomic_set_unchecked(&osb->alloc_stats.moves, 0);
45129 +       atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
45130 +       atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
45131 +       atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
45132 +       atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
45133  
45134         /* Copy the blockcheck stats from the superblock probe */
45135         osb->osb_ecc_stats = *stats;
45136 diff -urNp linux-3.0.9/fs/ocfs2/symlink.c linux-3.0.9/fs/ocfs2/symlink.c
45137 --- linux-3.0.9/fs/ocfs2/symlink.c      2011-11-11 13:12:24.000000000 -0500
45138 +++ linux-3.0.9/fs/ocfs2/symlink.c      2011-11-15 20:02:59.000000000 -0500
45139 @@ -142,7 +142,7 @@ bail:
45140  
45141  static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
45142  {
45143 -       char *link = nd_get_link(nd);
45144 +       const char *link = nd_get_link(nd);
45145         if (!IS_ERR(link))
45146                 kfree(link);
45147  }
45148 diff -urNp linux-3.0.9/fs/open.c linux-3.0.9/fs/open.c
45149 --- linux-3.0.9/fs/open.c       2011-11-11 13:12:24.000000000 -0500
45150 +++ linux-3.0.9/fs/open.c       2011-11-15 20:02:59.000000000 -0500
45151 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
45152         error = locks_verify_truncate(inode, NULL, length);
45153         if (!error)
45154                 error = security_path_truncate(&path);
45155 +
45156 +       if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
45157 +               error = -EACCES;
45158 +
45159         if (!error)
45160                 error = do_truncate(path.dentry, length, 0, NULL);
45161  
45162 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
45163         if (__mnt_is_readonly(path.mnt))
45164                 res = -EROFS;
45165  
45166 +       if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
45167 +               res = -EACCES;
45168 +
45169  out_path_release:
45170         path_put(&path);
45171  out:
45172 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
45173         if (error)
45174                 goto dput_and_out;
45175  
45176 +       gr_log_chdir(path.dentry, path.mnt);
45177 +
45178         set_fs_pwd(current->fs, &path);
45179  
45180  dput_and_out:
45181 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
45182                 goto out_putf;
45183  
45184         error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
45185 +
45186 +       if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
45187 +               error = -EPERM;
45188 +
45189 +       if (!error)
45190 +               gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
45191 +
45192         if (!error)
45193                 set_fs_pwd(current->fs, &file->f_path);
45194  out_putf:
45195 @@ -438,7 +454,13 @@ SYSCALL_DEFINE1(chroot, const char __use
45196         if (error)
45197                 goto dput_and_out;
45198  
45199 +       if (gr_handle_chroot_chroot(path.dentry, path.mnt))
45200 +               goto dput_and_out;
45201 +
45202         set_fs_root(current->fs, &path);
45203 +
45204 +       gr_handle_chroot_chdir(&path);
45205 +
45206         error = 0;
45207  dput_and_out:
45208         path_put(&path);
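Review bot: When `gr_handle_chroot_chroot()` rejects the request, the new `goto dput_and_out` leaves `error` at 0 — the only way to reach that line is through the preceding `if (error) goto dput_and_out;` — so chroot() returns success without `set_fs_root()` ever having been called. A daemon that chroots for privilege separation would then carry on believing it is confined when it is not, which is worse than a plain denial. Set the return value before jumping, e.g. `error = -EPERM;` on the line above the `goto` (or assign the helper's result if it already yields a -errno), and keep the existing `error = 0;` after `set_fs_root()`. The body of the chroot syscall starts before this hunk.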
45209 @@ -466,12 +488,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
45210         err = mnt_want_write_file(file);
45211         if (err)
45212                 goto out_putf;
45213 +
45214         mutex_lock(&inode->i_mutex);
45215 +
45216 +       if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
45217 +               err = -EACCES;
45218 +               goto out_unlock;
45219 +       }
45220 +
45221         err = security_path_chmod(dentry, file->f_vfsmnt, mode);
45222         if (err)
45223                 goto out_unlock;
45224         if (mode == (mode_t) -1)
45225                 mode = inode->i_mode;
45226 +
45227 +       if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
45228 +               err = -EACCES;
45229 +               goto out_unlock;
45230 +       }
45231 +
45232         newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
45233         newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
45234         err = notify_change(dentry, &newattrs);
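Review bot: `gr_acl_handle_fchmod()` is evaluated with the raw `mode` argument, before the `if (mode == (mode_t) -1) mode = inode->i_mode;` normalization, while `gr_handle_chroot_chmod()` a few lines later runs after it. If the ACL helper inspects mode bits (setuid/setgid, say), a caller passing `-1` — the "keep the current mode" value — is judged as though every bit were set and may be refused a no-op chmod; if it only needs the path, passing `mode` at all is misleading. Moving the ACL check below the normalization, or handing it the normalized value, lets both grsec hooks see the same mode; the `fchmodat` hunk below has the same ordering.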
45235 @@ -499,12 +534,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
45236         error = mnt_want_write(path.mnt);
45237         if (error)
45238                 goto dput_and_out;
45239 +
45240         mutex_lock(&inode->i_mutex);
45241 +
45242 +       if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
45243 +               error = -EACCES;
45244 +               goto out_unlock;
45245 +       }
45246 +
45247         error = security_path_chmod(path.dentry, path.mnt, mode);
45248         if (error)
45249                 goto out_unlock;
45250         if (mode == (mode_t) -1)
45251                 mode = inode->i_mode;
45252 +
45253 +       if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
45254 +               error = -EACCES;
45255 +               goto out_unlock;
45256 +       }
45257 +
45258         newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
45259         newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
45260         error = notify_change(path.dentry, &newattrs);
45261 @@ -528,6 +576,9 @@ static int chown_common(struct path *pat
45262         int error;
45263         struct iattr newattrs;
45264  
45265 +       if (!gr_acl_handle_chown(path->dentry, path->mnt))
45266 +               return -EACCES;
45267 +
45268         newattrs.ia_valid =  ATTR_CTIME;
45269         if (user != (uid_t) -1) {
45270                 newattrs.ia_valid |= ATTR_UID;
45271 @@ -998,7 +1049,10 @@ long do_sys_open(int dfd, const char __u
45272         if (!IS_ERR(tmp)) {
45273                 fd = get_unused_fd_flags(flags);
45274                 if (fd >= 0) {
45275 -                       struct file *f = do_filp_open(dfd, tmp, &op, lookup);
45276 +                       struct file *f;
45277 +                       /* don't allow to be set by userland */
45278 +                       flags &= ~FMODE_GREXEC;
45279 +                       f = do_filp_open(dfd, tmp, &op, lookup);
45280                         if (IS_ERR(f)) {
45281                                 put_unused_fd(fd);
45282                                 fd = PTR_ERR(f);
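Review bot: The new `flags &= ~FMODE_GREXEC;` cannot affect the open that follows, because `do_filp_open()` is handed `&op`, not `flags`, and nothing in this hunk reads `flags` after the mask; in this kernel `op` is normally built from `flags` by `build_open_flags()` at the top of `do_sys_open()`, which is outside the hunk. If the intent is to stop userland from requesting the bit, the mask belongs before `op` is populated, e.g. `int lookup = build_open_flags(flags & ~FMODE_GREXEC, mode, &op);`, or inside `build_open_flags()` itself. Also note that `FMODE_GREXEC` is an `fmode_t` value being applied to `O_*` open flags; unless its bit is chosen not to collide with any open flag, the mask could silently strip a legitimate user flag, so a comment stating that guarantee would help.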
45283 diff -urNp linux-3.0.9/fs/partitions/ldm.c linux-3.0.9/fs/partitions/ldm.c
45284 --- linux-3.0.9/fs/partitions/ldm.c     2011-11-11 13:12:24.000000000 -0500
45285 +++ linux-3.0.9/fs/partitions/ldm.c     2011-11-15 20:02:59.000000000 -0500
45286 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
45287                 ldm_error ("A VBLK claims to have %d parts.", num);
45288                 return false;
45289         }
45290 +
45291         if (rec >= num) {
45292                 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
45293                 return false;
45294 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
45295                         goto found;
45296         }
45297  
45298 -       f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
45299 +       f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
45300         if (!f) {
45301                 ldm_crit ("Out of memory.");
45302                 return false;
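Review bot: Swapping the operands to `size*num + sizeof (*f)` does not change the value passed to `kmalloc()`, so on its own this hunk is a no-op that a later maintainer is likely to revert as noise. If the ordering matters to an overflow-checking compiler plugin or some other tool used with this patch, record that in a one-line comment above the call, e.g. `/* product first: the overflow-check plugin instruments the size*num term */`, adjusted to the actual reason. Neither ordering guards against `size*num` itself overflowing; `num` is bounded by the checks above but `size` is not range-checked within this hunk.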
45303 diff -urNp linux-3.0.9/fs/pipe.c linux-3.0.9/fs/pipe.c
45304 --- linux-3.0.9/fs/pipe.c       2011-11-11 13:12:24.000000000 -0500
45305 +++ linux-3.0.9/fs/pipe.c       2011-11-15 20:02:59.000000000 -0500
45306 @@ -420,9 +420,9 @@ redo:
45307                 }
45308                 if (bufs)       /* More to do? */
45309                         continue;
45310 -               if (!pipe->writers)
45311 +               if (!atomic_read(&pipe->writers))
45312                         break;
45313 -               if (!pipe->waiting_writers) {
45314 +               if (!atomic_read(&pipe->waiting_writers)) {
45315                         /* syscall merging: Usually we must not sleep
45316                          * if O_NONBLOCK is set, or if we got some data.
45317                          * But if a writer sleeps in kernel space, then
45318 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
45319         mutex_lock(&inode->i_mutex);
45320         pipe = inode->i_pipe;
45321  
45322 -       if (!pipe->readers) {
45323 +       if (!atomic_read(&pipe->readers)) {
45324                 send_sig(SIGPIPE, current, 0);
45325                 ret = -EPIPE;
45326                 goto out;
45327 @@ -530,7 +530,7 @@ redo1:
45328         for (;;) {
45329                 int bufs;
45330  
45331 -               if (!pipe->readers) {
45332 +               if (!atomic_read(&pipe->readers)) {
45333                         send_sig(SIGPIPE, current, 0);
45334                         if (!ret)
45335                                 ret = -EPIPE;
45336 @@ -616,9 +616,9 @@ redo2:
45337                         kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
45338                         do_wakeup = 0;
45339                 }
45340 -               pipe->waiting_writers++;
45341 +               atomic_inc(&pipe->waiting_writers);
45342                 pipe_wait(pipe);
45343 -               pipe->waiting_writers--;
45344 +               atomic_dec(&pipe->waiting_writers);
45345         }
45346  out:
45347         mutex_unlock(&inode->i_mutex);
45348 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table 
45349         mask = 0;
45350         if (filp->f_mode & FMODE_READ) {
45351                 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
45352 -               if (!pipe->writers && filp->f_version != pipe->w_counter)
45353 +               if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
45354                         mask |= POLLHUP;
45355         }
45356  
45357 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table 
45358                  * Most Unices do not set POLLERR for FIFOs but on Linux they
45359                  * behave exactly like pipes for poll().
45360                  */
45361 -               if (!pipe->readers)
45362 +               if (!atomic_read(&pipe->readers))
45363                         mask |= POLLERR;
45364         }
45365  
45366 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
45367  
45368         mutex_lock(&inode->i_mutex);
45369         pipe = inode->i_pipe;
45370 -       pipe->readers -= decr;
45371 -       pipe->writers -= decw;
45372 +       atomic_sub(decr, &pipe->readers);
45373 +       atomic_sub(decw, &pipe->writers);
45374  
45375 -       if (!pipe->readers && !pipe->writers) {
45376 +       if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
45377                 free_pipe_info(inode);
45378         } else {
45379                 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
45380 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
45381  
45382         if (inode->i_pipe) {
45383                 ret = 0;
45384 -               inode->i_pipe->readers++;
45385 +               atomic_inc(&inode->i_pipe->readers);
45386         }
45387  
45388         mutex_unlock(&inode->i_mutex);
45389 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
45390  
45391         if (inode->i_pipe) {
45392                 ret = 0;
45393 -               inode->i_pipe->writers++;
45394 +               atomic_inc(&inode->i_pipe->writers);
45395         }
45396  
45397         mutex_unlock(&inode->i_mutex);
45398 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
45399         if (inode->i_pipe) {
45400                 ret = 0;
45401                 if (filp->f_mode & FMODE_READ)
45402 -                       inode->i_pipe->readers++;
45403 +                       atomic_inc(&inode->i_pipe->readers);
45404                 if (filp->f_mode & FMODE_WRITE)
45405 -                       inode->i_pipe->writers++;
45406 +                       atomic_inc(&inode->i_pipe->writers);
45407         }
45408  
45409         mutex_unlock(&inode->i_mutex);
45410 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
45411         inode->i_pipe = NULL;
45412  }
45413  
45414 -static struct vfsmount *pipe_mnt __read_mostly;
45415 +struct vfsmount *pipe_mnt __read_mostly;
45416  
45417  /*
45418   * pipefs_dname() is called from d_path().
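Review bot: Dropping `static` from `pipe_mnt` exposes a filesystem-private mount pointer to the rest of the kernel, and the hunk adds no `extern` declaration or header change to go with it. Whatever consumes it — presumably grsecurity code elsewhere in this patch — should pick it up from a single header declaration such as `extern struct vfsmount *pipe_mnt;` in `include/linux/pipe_fs_i.h` rather than re-declaring it locally, so the type is checked in one place. A short comment on the definition saying why it is no longer private would spare the next reader a grep.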
45419 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
45420                 goto fail_iput;
45421         inode->i_pipe = pipe;
45422  
45423 -       pipe->readers = pipe->writers = 1;
45424 +       atomic_set(&pipe->readers, 1);
45425 +       atomic_set(&pipe->writers, 1);
45426         inode->i_fop = &rdwr_pipefifo_fops;
45427  
45428         /*
45429 diff -urNp linux-3.0.9/fs/proc/array.c linux-3.0.9/fs/proc/array.c
45430 --- linux-3.0.9/fs/proc/array.c 2011-11-11 13:12:24.000000000 -0500
45431 +++ linux-3.0.9/fs/proc/array.c 2011-11-15 20:02:59.000000000 -0500
45432 @@ -60,6 +60,7 @@
45433  #include <linux/tty.h>
45434  #include <linux/string.h>
45435  #include <linux/mman.h>
45436 +#include <linux/grsecurity.h>
45437  #include <linux/proc_fs.h>
45438  #include <linux/ioport.h>
45439  #include <linux/uaccess.h>
45440 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
45441         seq_putc(m, '\n');
45442  }
45443  
45444 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45445 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
45446 +{
45447 +       if (p->mm)
45448 +               seq_printf(m, "PaX:\t%c%c%c%c%c\n",
45449 +                          p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
45450 +                          p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
45451 +                          p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
45452 +                          p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
45453 +                          p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
45454 +       else
45455 +               seq_printf(m, "PaX:\t-----\n");
45456 +}
45457 +#endif
45458 +
45459  int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
45460                         struct pid *pid, struct task_struct *task)
45461  {
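Review bot: `task_pax()` reads `p->mm` once for the `if (p->mm)` test and again for every `p->mm->pax_flags` operand, without a reference or `task_lock()`, so a task that is exiting can clear `mm` between the test and the dereferences and a `/proc/<pid>/status` read oopses on a NULL pointer. `proc_pid_status()` already uses the `get_task_mm()`/`mmput()` pattern for `task_mem()`; follow it here by taking a reference, copying `pax_flags` into a local, and dropping the reference before printing, emitting the `-----` line when no mm is available. The flag letters themselves are fine as written; the local should use whatever type `pax_flags` has in this patch's `mm_struct`.
```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);
	unsigned long flags;

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	flags = mm->pax_flags;
	mmput(mm);
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   /* … unchanged: EMUTRAMP, MPROTECT, RANDMMAP letters … */
		   flags & MF_PAX_SEGMEXEC ? 'S' : 's');
}
```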
45462 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m, 
45463         task_cpus_allowed(m, task);
45464         cpuset_task_status_allowed(m, task);
45465         task_context_switch_counts(m, task);
45466 +
45467 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45468 +       task_pax(m, task);
45469 +#endif
45470 +
45471 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
45472 +       task_grsec_rbac(m, task);
45473 +#endif
45474 +
45475         return 0;
45476  }
45477  
45478 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45479 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45480 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
45481 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
45482 +#endif
45483 +
45484  static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
45485                         struct pid *pid, struct task_struct *task, int whole)
45486  {
45487 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file 
45488         cputime_t cutime, cstime, utime, stime;
45489         cputime_t cgtime, gtime;
45490         unsigned long rsslim = 0;
45491 -       char tcomm[sizeof(task->comm)];
45492 +       char tcomm[sizeof(task->comm)] = { 0 };
45493         unsigned long flags;
45494  
45495 +       pax_track_stack();
45496 +
45497         state = *get_task_state(task);
45498         vsize = eip = esp = 0;
45499         permitted = ptrace_may_access(task, PTRACE_MODE_READ);
45500 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file 
45501                 gtime = task->gtime;
45502         }
45503  
45504 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45505 +       if (PAX_RAND_FLAGS(mm)) {
45506 +               eip = 0;
45507 +               esp = 0;
45508 +               wchan = 0;
45509 +       }
45510 +#endif
45511 +#ifdef CONFIG_GRKERNSEC_HIDESYM
45512 +       wchan = 0;
45513 +       eip =0;
45514 +       esp =0;
45515 +#endif
45516 +
45517         /* scale priority and nice values from timeslices to -20..20 */
45518         /* to make it look like a "normal" Unix priority/nice value  */
45519         priority = task_prio(task);
45520 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file 
45521                 vsize,
45522                 mm ? get_mm_rss(mm) : 0,
45523                 rsslim,
45524 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45525 +               PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
45526 +               PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
45527 +               PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
45528 +#else
45529                 mm ? (permitted ? mm->start_code : 1) : 0,
45530                 mm ? (permitted ? mm->end_code : 1) : 0,
45531                 (permitted && mm) ? mm->start_stack : 0,
45532 +#endif
45533                 esp,
45534                 eip,
45535                 /* The signal information here is obsolete.
45536 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
45537  
45538         return 0;
45539  }
45540 +
45541 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45542 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
45543 +{
45544 +       u32 curr_ip = 0;
45545 +       unsigned long flags;
45546 +
45547 +       if (lock_task_sighand(task, &flags)) {
45548 +               curr_ip = task->signal->curr_ip;
45549 +               unlock_task_sighand(task, &flags);
45550 +       }
45551 +
45552 +       return sprintf(buffer, "%pI4\n", &curr_ip);
45553 +}
45554 +#endif
45555 diff -urNp linux-3.0.9/fs/proc/base.c linux-3.0.9/fs/proc/base.c
45556 --- linux-3.0.9/fs/proc/base.c  2011-11-11 13:12:24.000000000 -0500
45557 +++ linux-3.0.9/fs/proc/base.c  2011-11-15 20:02:59.000000000 -0500
45558 @@ -107,6 +107,22 @@ struct pid_entry {
45559         union proc_op op;
45560  };
45561  
45562 +struct getdents_callback {
45563 +       struct linux_dirent __user * current_dir;
45564 +       struct linux_dirent __user * previous;
45565 +       struct file * file;
45566 +       int count;
45567 +       int error;
45568 +};
45569 +
45570 +static int gr_fake_filldir(void * __buf, const char *name, int namlen, 
45571 +                          loff_t offset, u64 ino, unsigned int d_type)
45572 +{
45573 +       struct getdents_callback * buf = (struct getdents_callback *) __buf;
45574 +       buf->error = -EINVAL;
45575 +       return 0;
45576 +}
45577 +
45578  #define NOD(NAME, MODE, IOP, FOP, OP) {                        \
45579         .name = (NAME),                                 \
45580         .len  = sizeof(NAME) - 1,                       \
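Review bot: `gr_fake_filldir()` writes `buf->error = -EINVAL` through `__buf` after casting it to a private copy of `struct getdents_callback`, but a `filldir_t` is reached from several readdir entry points (old `readdir`, `getdents`, `getdents64`, the compat variants and in-kernel `vfs_readdir()` users), each of which passes its own callback structure, and even for the `getdents` case the copy declared here has to match the layout in `fs/readdir.c` exactly — the hunk cannot show that it does. Since the purpose is only to skip an entry, the safe form does not touch the caller's buffer at all: `static int gr_fake_filldir(void *__buf, const char *name, int namlen, loff_t offset, u64 ino, unsigned int d_type) { return 0; }`, which also lets the duplicated `struct getdents_callback` be dropped. If some caller relies on seeing `-EINVAL`, a comment naming that caller and why would be warranted.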
45581 @@ -222,10 +238,12 @@
45582                 return ERR_PTR(err);
45583  
45584         mm = get_task_mm(task);
45585 -       if (mm && mm != current->mm &&
45586 -                       !ptrace_may_access(task, mode)) {
45587 -               mmput(mm);
45588 -               mm = ERR_PTR(-EACCES);
45589 +       if (mm) {
45590 +               if ((mm != current->mm && !ptrace_may_access(task, mode)) ||
45591 +                   (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task)))) {
45592 +                       mmput(mm);
45593 +                       mm = ERR_PTR(-EACCES);
45594 +               }
45595         }
45596         mutex_unlock(&task->signal->cred_guard_mutex);
45597  
45598 @@ -282,6 +300,9 @@ static int proc_pid_cmdline(struct task_
45599         if (!mm->arg_end)
45600                 goto out_mm;    /* Shh! No looking before we're done */
45601  
45602 +       if (gr_acl_handle_procpidmem(task))
45603 +               goto out_mm;
45604 +
45605         len = mm->arg_end - mm->arg_start;
45606   
45607         if (len > PAGE_SIZE)
45608 @@ -309,12 +330,28 @@ out:
45609         return res;
45610  }
45611  
45612 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45613 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45614 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
45615 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
45616 +#endif
45617 +
45618  static int proc_pid_auxv(struct task_struct *task, char *buffer)
45619  {
45620         struct mm_struct *mm = mm_for_maps(task);
45621         int res = PTR_ERR(mm);
45622         if (mm && !IS_ERR(mm)) {
45623                 unsigned int nwords = 0;
45624 +
45625 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45626 +               /* allow if we're currently ptracing this task */
45627 +               if (PAX_RAND_FLAGS(mm) &&
45628 +                   (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
45629 +                       mmput(mm);
45630 +                       return 0;
45631 +               }
45632 +#endif
45633 +
45634                 do {
45635                         nwords += 2;
45636                 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
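Review bot: `PAX_RAND_FLAGS` is defined here for a second time — an identical `#ifdef`-guarded copy appears in fs/proc/array.c earlier in this patch — and duplicated macros like this drift apart silently. Define it once in a shared header, next to the `MF_PAX_*` flag definitions, keep the `CONFIG_GRKERNSEC_PROC_MEMMAP` guard there, and include it from both files. The ptrace test beneath it also reads `task->ptrace` and `task->parent` with no lock held; if a concurrent detach is not a concern here, a one-line comment saying so would stop the next reviewer from asking. `proc_pid_auxv()` continues past the end of this hunk.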
45637 @@ -328,7 +365,7 @@ static int proc_pid_auxv(struct task_str
45638  }
45639  
45640  
45641 -#ifdef CONFIG_KALLSYMS
45642 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45643  /*
45644   * Provides a wchan file via kallsyms in a proper one-value-per-file format.
45645   * Returns the resolved symbol.  If that fails, simply return the address.
45646 @@ -367,7 +404,7 @@ static void unlock_trace(struct task_str
45647         mutex_unlock(&task->signal->cred_guard_mutex);
45648  }
45649  
45650 -#ifdef CONFIG_STACKTRACE
45651 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45652  
45653  #define MAX_STACK_TRACE_DEPTH  64
45654  
45655 @@ -558,7 +595,7 @@ static int proc_pid_limits(struct task_s
45656         return count;
45657  }
45658  
45659 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45660 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45661  static int proc_pid_syscall(struct task_struct *task, char *buffer)
45662  {
45663         long nr;
45664 @@ -587,7 +624,7 @@ static int proc_pid_syscall(struct task_
45665  /************************************************************************/
45666  
45667  /* permission checks */
45668 -static int proc_fd_access_allowed(struct inode *inode)
45669 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
45670  {
45671         struct task_struct *task;
45672         int allowed = 0;
45673 @@ -597,7 +634,10 @@ static int proc_fd_access_allowed(struct
45674          */
45675         task = get_proc_task(inode);
45676         if (task) {
45677 -               allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45678 +               if (log)
45679 +                       allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
45680 +               else
45681 +                       allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45682                 put_task_struct(task);
45683         }
45684         return allowed;
45685 @@ -978,6 +1018,9 @@ static ssize_t environ_read(struct file 
45686         if (!task)
45687                 goto out_no_task;
45688  
45689 +       if (gr_acl_handle_procpidmem(task))
45690 +               goto out;
45691 +
45692         ret = -ENOMEM;
45693         page = (char *)__get_free_page(GFP_TEMPORARY);
45694         if (!page)
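Review bot: The new `if (gr_acl_handle_procpidmem(task)) goto out;` returns whatever `ret` held before the `if (!task)` test, and that assignment is outside this hunk, so the errno a denied reader sees is implicit (in mainline `ret` is `-ESRCH` at that point). The other denials this patch adds set their error explicitly before bailing (see the `fchmod`/`fchmodat` hunks in fs/open.c), so do the same here: `ret = -EACCES;` directly above the `goto out`, or an explicit `-ESRCH` if making the task appear absent is the intended policy. `environ_read()` starts before this hunk.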
45695 @@ -1614,7 +1657,7 @@ static void *proc_pid_follow_link(struct
45696         path_put(&nd->path);
45697  
45698         /* Are we allowed to snoop on the tasks file descriptors? */
45699 -       if (!proc_fd_access_allowed(inode))
45700 +       if (!proc_fd_access_allowed(inode,0))
45701                 goto out;
45702  
45703         error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
45704 @@ -1653,8 +1696,18 @@ static int proc_pid_readlink(struct dent
45705         struct path path;
45706  
45707         /* Are we allowed to snoop on the tasks file descriptors? */
45708 -       if (!proc_fd_access_allowed(inode))
45709 -               goto out;
45710 +       /* logging this is needed for learning on chromium to work properly,
45711 +          but we don't want to flood the logs from 'ps' which does a readlink
45712 +          on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
45713 +          CAP_SYS_PTRACE as it's not necessary for its basic functionality
45714 +        */
45715 +       if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
45716 +               if (!proc_fd_access_allowed(inode,0))
45717 +                       goto out;
45718 +       } else {
45719 +               if (!proc_fd_access_allowed(inode,1))
45720 +                       goto out;
45721 +       }
45722  
45723         error = PROC_I(inode)->op.proc_get_link(inode, &path);
45724         if (error)
45725 @@ -1719,7 +1772,11 @@ struct inode *proc_pid_make_inode(struct
45726                 rcu_read_lock();
45727                 cred = __task_cred(task);
45728                 inode->i_uid = cred->euid;
45729 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45730 +               inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45731 +#else
45732                 inode->i_gid = cred->egid;
45733 +#endif
45734                 rcu_read_unlock();
45735         }
45736         security_task_to_inode(task, inode);
45737 @@ -1737,6 +1794,9 @@ int pid_getattr(struct vfsmount *mnt, st
45738         struct inode *inode = dentry->d_inode;
45739         struct task_struct *task;
45740         const struct cred *cred;
45741 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45742 +       const struct cred *tmpcred = current_cred();
45743 +#endif
45744  
45745         generic_fillattr(inode, stat);
45746  
45747 @@ -1744,13 +1804,41 @@ int pid_getattr(struct vfsmount *mnt, st
45748         stat->uid = 0;
45749         stat->gid = 0;
45750         task = pid_task(proc_pid(inode), PIDTYPE_PID);
45751 +
45752 +       if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
45753 +               rcu_read_unlock();
45754 +               return -ENOENT;
45755 +       }
45756 +
45757         if (task) {
45758 +               cred = __task_cred(task);
45759 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45760 +               if (!tmpcred->uid || (tmpcred->uid == cred->uid)
45761 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45762 +                   || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45763 +#endif
45764 +               ) {
45765 +#endif
45766                 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45767 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45768 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45769 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45770 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45771 +#endif
45772                     task_dumpable(task)) {
45773 -                       cred = __task_cred(task);
45774                         stat->uid = cred->euid;
45775 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45776 +                       stat->gid = CONFIG_GRKERNSEC_PROC_GID;
45777 +#else
45778                         stat->gid = cred->egid;
45779 +#endif
45780 +               }
45781 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45782 +               } else {
45783 +                       rcu_read_unlock();
45784 +                       return -ENOENT;
45785                 }
45786 +#endif
45787         }
45788         rcu_read_unlock();
45789         return 0;
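Review bot: The brace opened by `if (!tmpcred->uid || (tmpcred->uid == cred->uid) ... ) {` is emitted under one `#if` and closed by the `} else {` under a second `#if` some twenty lines later, so the block structure of `pid_getattr()` depends on the configuration and is hard to read or to check in both builds. Move the predicate into one `static inline bool` helper that returns true unconditionally when neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, and call it from an unconditional `if`, which also removes the `#if`-guarded `tmpcred` declaration from the previous hunk. The same owner/group test is repeated in `proc_pid_readdir()` further down and would share the helper. `pid_getattr()` starts before this hunk.
```c
static inline bool gr_proc_visible(const struct cred *viewer, const struct cred *owner)
{
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	if (!viewer->uid || viewer->uid == owner->uid)
		return true;
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
	if (in_group_p(CONFIG_GRKERNSEC_PROC_GID))
		return true;
#endif
	return false;
#else
	return true;
#endif
}

	if (task) {
		cred = __task_cred(task);
		if (!gr_proc_visible(current_cred(), cred)) {
			rcu_read_unlock();
			return -ENOENT;
		}
		/* … unchanged: directory-mode / task_dumpable() check and uid/gid fill … */
	}
```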
45790 @@ -1787,11 +1875,20 @@ int pid_revalidate(struct dentry *dentry
45791  
45792         if (task) {
45793                 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45794 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45795 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45796 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45797 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45798 +#endif
45799                     task_dumpable(task)) {
45800                         rcu_read_lock();
45801                         cred = __task_cred(task);
45802                         inode->i_uid = cred->euid;
45803 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45804 +                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45805 +#else
45806                         inode->i_gid = cred->egid;
45807 +#endif
45808                         rcu_read_unlock();
45809                 } else {
45810                         inode->i_uid = 0;
45811 @@ -1909,7 +2006,8 @@ static int proc_fd_info(struct inode *in
45812         int fd = proc_fd(inode);
45813  
45814         if (task) {
45815 -               files = get_files_struct(task);
45816 +               if (!gr_acl_handle_procpidmem(task))
45817 +                       files = get_files_struct(task);
45818                 put_task_struct(task);
45819         }
45820         if (files) {
45821 @@ -2177,11 +2275,21 @@ static const struct file_operations proc
45822   */
45823  static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
45824  {
45825 +       struct task_struct *task;
45826         int rv = generic_permission(inode, mask, flags, NULL);
45827 -       if (rv == 0)
45828 -               return 0;
45829 +
45830         if (task_pid(current) == proc_pid(inode))
45831                 rv = 0;
45832 +
45833 +       task = get_proc_task(inode);
45834 +       if (task == NULL)
45835 +               return rv;
45836 +
45837 +       if (gr_acl_handle_procpidmem(task))
45838 +               rv = -EACCES;
45839 +
45840 +       put_task_struct(task);
45841 +
45842         return rv;
45843  }
45844  
45845 @@ -2291,6 +2399,9 @@ static struct dentry *proc_pident_lookup
45846         if (!task)
45847                 goto out_no_task;
45848  
45849 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45850 +               goto out;
45851 +
45852         /*
45853          * Yes, it does not scale. And it should not. Don't add
45854          * new entries into /proc/<tgid>/ without very good reasons.
45855 @@ -2335,6 +2446,9 @@ static int proc_pident_readdir(struct fi
45856         if (!task)
45857                 goto out_no_task;
45858  
45859 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45860 +               goto out;
45861 +
45862         ret = 0;
45863         i = filp->f_pos;
45864         switch (i) {
45865 @@ -2605,7 +2719,7 @@ static void *proc_self_follow_link(struc
45866  static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
45867                                 void *cookie)
45868  {
45869 -       char *s = nd_get_link(nd);
45870 +       const char *s = nd_get_link(nd);
45871         if (!IS_ERR(s))
45872                 __putname(s);
45873  }
45874 @@ -2664,6 +2778,7 @@ static struct dentry *proc_base_instanti
45875         if (p->fop)
45876                 inode->i_fop = p->fop;
45877         ei->op = p->op;
45878 +
45879         d_add(dentry, inode);
45880         error = NULL;
45881  out:
45882 @@ -2803,7 +2918,7 @@ static const struct pid_entry tgid_base_
45883         REG("autogroup",  S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
45884  #endif
45885         REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45886 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45887 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45888         INF("syscall",    S_IRUGO, proc_pid_syscall),
45889  #endif
45890         INF("cmdline",    S_IRUGO, proc_pid_cmdline),
45891 @@ -2828,10 +2943,10 @@ static const struct pid_entry tgid_base_
45892  #ifdef CONFIG_SECURITY
45893         DIR("attr",       S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45894  #endif
45895 -#ifdef CONFIG_KALLSYMS
45896 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45897         INF("wchan",      S_IRUGO, proc_pid_wchan),
45898  #endif
45899 -#ifdef CONFIG_STACKTRACE
45900 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45901         ONE("stack",      S_IRUGO, proc_pid_stack),
45902  #endif
45903  #ifdef CONFIG_SCHEDSTATS
45904 @@ -2865,6 +2980,9 @@ static const struct pid_entry tgid_base_
45905         INF("hardwall",   S_IRUGO, proc_pid_hardwall),
45906  #endif
45907         ONE("nsproxy",  S_IRUGO, proc_pid_nsproxy),
45908 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45909 +       INF("ipaddr",     S_IRUSR, proc_pid_ipaddr),
45910 +#endif
45911  };
45912  
45913  static int proc_tgid_base_readdir(struct file * filp,
45914 @@ -2990,7 +3108,14 @@ static struct dentry *proc_pid_instantia
45915         if (!inode)
45916                 goto out;
45917  
45918 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45919 +       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
45920 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45921 +       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45922 +       inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
45923 +#else
45924         inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
45925 +#endif
45926         inode->i_op = &proc_tgid_base_inode_operations;
45927         inode->i_fop = &proc_tgid_base_operations;
45928         inode->i_flags|=S_IMMUTABLE;
45929 @@ -3032,7 +3157,11 @@ struct dentry *proc_pid_lookup(struct in
45930         if (!task)
45931                 goto out;
45932  
45933 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45934 +               goto out_put_task;
45935 +
45936         result = proc_pid_instantiate(dir, dentry, task, NULL);
45937 +out_put_task:
45938         put_task_struct(task);
45939  out:
45940         return result;
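Review bot: The early `goto out_put_task` for a chrooted or hidden task relies on `result` still holding whatever it was initialised with before the hunk (ERR_PTR(-ENOENT) in the unpatched source), so a hidden pid is indistinguishable from a nonexistent one; that is presumably the intent, but nothing here says so. A one-line comment above the check would pin it down: `/* result is still ERR_PTR(-ENOENT): hidden tasks must look nonexistent */`. proc_pid_lookup() starts outside this hunk, so the initialisation itself is not visible.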
45941 @@ -3097,6 +3226,11 @@ int proc_pid_readdir(struct file * filp,
45942  {
45943         unsigned int nr;
45944         struct task_struct *reaper;
45945 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45946 +       const struct cred *tmpcred = current_cred();
45947 +       const struct cred *itercred;
45948 +#endif
45949 +       filldir_t __filldir = filldir;
45950         struct tgid_iter iter;
45951         struct pid_namespace *ns;
45952  
45953 @@ -3120,8 +3254,27 @@ int proc_pid_readdir(struct file * filp,
45954         for (iter = next_tgid(ns, iter);
45955              iter.task;
45956              iter.tgid += 1, iter = next_tgid(ns, iter)) {
45957 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45958 +               rcu_read_lock();
45959 +               itercred = __task_cred(iter.task);
45960 +#endif
45961 +               if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
45962 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45963 +                   || (tmpcred->uid && (itercred->uid != tmpcred->uid)
45964 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45965 +                       && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45966 +#endif
45967 +                       )
45968 +#endif
45969 +               )
45970 +                       __filldir = &gr_fake_filldir;
45971 +               else
45972 +                       __filldir = filldir;
45973 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45974 +       rcu_read_unlock();
45975 +#endif
45976                 filp->f_pos = iter.tgid + TGID_OFFSET;
45977                 if (!vx_proc_task_visible(iter.task))
45978                         continue;
45979 -               if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
45980 +               if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
45981                         put_task_struct(iter.task);
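Review bot: The visibility decision inside the loop is spread over four preprocessor islands, and the closing `rcu_read_unlock()` is indented as if it sat outside the for loop, which makes the lock pairing and the `&&`/`||` nesting hard to check by eye. A small static helper that answers "hide this task from the caller?" would reduce the loop body to `__filldir = gr_proc_hide_task(iter.task) ? &gr_fake_filldir : filldir;` and keep the RCU section to two adjacent lines. The logic below is the same as the hunk's: root sees everything, a task owned by another uid is hidden unless the caller is in the proc group.
```c
/* True when `task` must be hidden from the caller's readdir of /proc. */
static bool gr_proc_hide_task(struct task_struct *task)
{
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	const struct cred *cred = current_cred();
	bool other_uid;
#endif

	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
		return true;
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	if (!cred->uid)
		return false;	/* root sees everything */
	rcu_read_lock();
	other_uid = __task_cred(task)->uid != cred->uid;
	rcu_read_unlock();
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
	if (in_group_p(CONFIG_GRKERNSEC_PROC_GID))
		return false;
#endif
	return other_uid;
#else
	return false;
#endif
}

/* … in proc_pid_readdir()'s loop, replacing the #if islands … */
		__filldir = gr_proc_hide_task(iter.task) ? &gr_fake_filldir : filldir;
```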
45982 @@ -3149,7 +3302,7 @@ static const struct pid_entry tid_base_s
45983         REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
45984  #endif
45985         REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45986 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45987 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45988         INF("syscall",   S_IRUGO, proc_pid_syscall),
45989  #endif
45990         INF("cmdline",   S_IRUGO, proc_pid_cmdline),
45991 @@ -3173,10 +3326,10 @@ static const struct pid_entry tid_base_s
45992  #ifdef CONFIG_SECURITY
45993         DIR("attr",      S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45994  #endif
45995 -#ifdef CONFIG_KALLSYMS
45996 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45997         INF("wchan",     S_IRUGO, proc_pid_wchan),
45998  #endif
45999 -#ifdef CONFIG_STACKTRACE
46000 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
46001         ONE("stack",      S_IRUGO, proc_pid_stack),
46002  #endif
46003  #ifdef CONFIG_SCHEDSTATS
46004 diff -urNp linux-3.0.9/fs/proc/cmdline.c linux-3.0.9/fs/proc/cmdline.c
46005 --- linux-3.0.9/fs/proc/cmdline.c       2011-11-11 13:12:24.000000000 -0500
46006 +++ linux-3.0.9/fs/proc/cmdline.c       2011-11-15 20:02:59.000000000 -0500
46007 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
46008  
46009  static int __init proc_cmdline_init(void)
46010  {
46011 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
46012 +       proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
46013 +#else
46014         proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
46015 +#endif
46016         return 0;
46017  }
46018  module_init(proc_cmdline_init);
46019 diff -urNp linux-3.0.9/fs/proc/devices.c linux-3.0.9/fs/proc/devices.c
46020 --- linux-3.0.9/fs/proc/devices.c       2011-11-11 13:12:24.000000000 -0500
46021 +++ linux-3.0.9/fs/proc/devices.c       2011-11-15 20:02:59.000000000 -0500
46022 @@ -64,7 +64,11 @@ static const struct file_operations proc
46023  
46024  static int __init proc_devices_init(void)
46025  {
46026 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
46027 +       proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
46028 +#else
46029         proc_create("devices", 0, NULL, &proc_devinfo_operations);
46030 +#endif
46031         return 0;
46032  }
46033  module_init(proc_devices_init);
46034 diff -urNp linux-3.0.9/fs/proc/inode.c linux-3.0.9/fs/proc/inode.c
46035 --- linux-3.0.9/fs/proc/inode.c 2011-11-11 13:12:24.000000000 -0500
46036 +++ linux-3.0.9/fs/proc/inode.c 2011-11-15 20:02:59.000000000 -0500
46037 @@ -18,12 +18,18 @@
46038  #include <linux/module.h>
46039  #include <linux/sysctl.h>
46040  #include <linux/slab.h>
46041 +#include <linux/grsecurity.h>
46042  
46043  #include <asm/system.h>
46044  #include <asm/uaccess.h>
46045  
46046  #include "internal.h"
46047  
46048 +#ifdef CONFIG_PROC_SYSCTL
46049 +extern const struct inode_operations proc_sys_inode_operations;
46050 +extern const struct inode_operations proc_sys_dir_operations;
46051 +#endif
46052 +
46053  static void proc_evict_inode(struct inode *inode)
46054  {
46055         struct proc_dir_entry *de;
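Review bot: The two `extern const struct inode_operations proc_sys_*_operations` declarations are placed in inode.c instead of fs/proc/internal.h, which both this file and proc_sysctl.c already include; a private extern in a .c file is never checked against the definition, so a later change in proc_sysctl.c would drift silently. Suggest moving them under `#ifdef CONFIG_PROC_SYSCTL` in internal.h next to the other cross-file prototypes and dropping the local copy.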
46056 @@ -49,6 +55,13 @@ static void proc_evict_inode(struct inod
46057         ns_ops = PROC_I(inode)->ns_ops;
46058         if (ns_ops && ns_ops->put)
46059                 ns_ops->put(PROC_I(inode)->ns);
46060 +
46061 +#ifdef CONFIG_PROC_SYSCTL
46062 +       if (inode->i_op == &proc_sys_inode_operations ||
46063 +           inode->i_op == &proc_sys_dir_operations)
46064 +               gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
46065 +#endif
46066 +
46067  }
46068  
46069  static struct kmem_cache * proc_inode_cachep;
46070 @@ -440,7 +453,11 @@ struct inode *proc_get_inode(struct supe
46071                 if (de->mode) {
46072                         inode->i_mode = de->mode;
46073                         inode->i_uid = de->uid;
46074 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
46075 +                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
46076 +#else
46077                         inode->i_gid = de->gid;
46078 +#endif
46079                 }
46080                 if (de->size)
46081                         inode->i_size = de->size;
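Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP the `inode->i_gid = CONFIG_GRKERNSEC_PROC_GID` assignment discards `de->gid` for every proc entry that has a mode, including any whose creator set an explicit gid for reasons unrelated to hardening. If the blanket override is intended it deserves a comment, e.g. `/* USERGROUP: every proc entry is owned by the proc group, whatever de->gid says */`; otherwise only entries with `de->gid == 0` should be rewritten. Which entries currently carry a non-zero de->gid is not visible from this hunk.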
46082 diff -urNp linux-3.0.9/fs/proc/internal.h linux-3.0.9/fs/proc/internal.h
46083 --- linux-3.0.9/fs/proc/internal.h      2011-11-11 13:12:24.000000000 -0500
46084 +++ linux-3.0.9/fs/proc/internal.h      2011-11-15 20:02:59.000000000 -0500
46085 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
46086                                 struct pid *pid, struct task_struct *task);
46087  extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
46088                                 struct pid *pid, struct task_struct *task);
46089 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
46090 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
46091 +#endif
46092  extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
46093                                 struct pid *pid, struct task_struct *task);
46094  
46095 diff -urNp linux-3.0.9/fs/proc/Kconfig linux-3.0.9/fs/proc/Kconfig
46096 --- linux-3.0.9/fs/proc/Kconfig 2011-11-11 13:12:24.000000000 -0500
46097 +++ linux-3.0.9/fs/proc/Kconfig 2011-11-15 20:02:59.000000000 -0500
46098 @@ -30,12 +30,12 @@ config PROC_FS
46099  
46100  config PROC_KCORE
46101         bool "/proc/kcore support" if !ARM
46102 -       depends on PROC_FS && MMU
46103 +       depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
46104  
46105  config PROC_VMCORE
46106         bool "/proc/vmcore support"
46107 -       depends on PROC_FS && CRASH_DUMP
46108 -       default y
46109 +       depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
46110 +       default n
46111          help
46112          Exports the dump image of crashed kernel in ELF format.
46113  
46114 @@ -59,8 +59,8 @@ config PROC_SYSCTL
46115           limited in memory.
46116  
46117  config PROC_PAGE_MONITOR
46118 -       default y
46119 -       depends on PROC_FS && MMU
46120 +       default n
46121 +       depends on PROC_FS && MMU && !GRKERNSEC
46122         bool "Enable /proc page monitoring" if EXPERT
46123         help
46124           Various /proc files exist to monitor process memory utilization:
46125 diff -urNp linux-3.0.9/fs/proc/kcore.c linux-3.0.9/fs/proc/kcore.c
46126 --- linux-3.0.9/fs/proc/kcore.c 2011-11-11 13:12:24.000000000 -0500
46127 +++ linux-3.0.9/fs/proc/kcore.c 2011-11-15 20:02:59.000000000 -0500
46128 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
46129         off_t offset = 0;
46130         struct kcore_list *m;
46131  
46132 +       pax_track_stack();
46133 +
46134         /* setup ELF header */
46135         elf = (struct elfhdr *) bufp;
46136         bufp += sizeof(struct elfhdr);
46137 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
46138          * the addresses in the elf_phdr on our list.
46139          */
46140         start = kc_offset_to_vaddr(*fpos - elf_buflen);
46141 -       if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
46142 +       tsz = PAGE_SIZE - (start & ~PAGE_MASK);
46143 +       if (tsz > buflen)
46144                 tsz = buflen;
46145 -               
46146 +
46147         while (buflen) {
46148                 struct kcore_list *m;
46149  
46150 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
46151                         kfree(elf_buf);
46152                 } else {
46153                         if (kern_addr_valid(start)) {
46154 -                               unsigned long n;
46155 +                               char *elf_buf;
46156 +                               mm_segment_t oldfs;
46157  
46158 -                               n = copy_to_user(buffer, (char *)start, tsz);
46159 -                               /*
46160 -                                * We cannot distingush between fault on source
46161 -                                * and fault on destination. When this happens
46162 -                                * we clear too and hope it will trigger the
46163 -                                * EFAULT again.
46164 -                                */
46165 -                               if (n) { 
46166 -                                       if (clear_user(buffer + tsz - n,
46167 -                                                               n))
46168 +                               elf_buf = kmalloc(tsz, GFP_KERNEL);
46169 +                               if (!elf_buf)
46170 +                                       return -ENOMEM;
46171 +                               oldfs = get_fs();
46172 +                               set_fs(KERNEL_DS);
46173 +                               if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
46174 +                                       set_fs(oldfs);
46175 +                                       if (copy_to_user(buffer, elf_buf, tsz)) {
46176 +                                               kfree(elf_buf);
46177                                                 return -EFAULT;
46178 +                                       }
46179                                 }
46180 +                               set_fs(oldfs);
46181 +                               kfree(elf_buf);
46182                         } else {
46183                                 if (clear_user(buffer, tsz))
46184                                         return -EFAULT;
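Review bot: When `__copy_from_user()` from the kernel address fails, the new code frees the bounce buffer and carries on without writing anything to `buffer`, while the loop (outside this hunk) still advances as though `tsz` bytes had been delivered; the unpatched code zeroed the user range with clear_user() in that case, so a reader now gets whatever was already in its buffer for a faulting page. The `!kern_addr_valid()` branch right below already does `clear_user(buffer, tsz)`, and the failing branch should do the same (or return -EFAULT) rather than silently skip. Splitting success and failure explicitly also removes the duplicated `set_fs(oldfs)` and `kfree()`.
```c
				elf_buf = kmalloc(tsz, GFP_KERNEL);
				if (!elf_buf)
					return -ENOMEM;
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				if (__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
					/* faulting source page: hand back zeros, as the
					 * !kern_addr_valid() branch below does */
					set_fs(oldfs);
					kfree(elf_buf);
					if (clear_user(buffer, tsz))
						return -EFAULT;
				} else {
					set_fs(oldfs);
					if (copy_to_user(buffer, elf_buf, tsz)) {
						kfree(elf_buf);
						return -EFAULT;
					}
					kfree(elf_buf);
				}
```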
46185 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
46186  
46187  static int open_kcore(struct inode *inode, struct file *filp)
46188  {
46189 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
46190 +       return -EPERM;
46191 +#endif
46192         if (!capable(CAP_SYS_RAWIO))
46193                 return -EPERM;
46194         if (kcore_need_update)
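Review bot: The unconditional `return -EPERM` at the top of open_kcore() leaves the `capable()` check and the rest of the function as dead code whenever PROC_ADD or HIDESYM is set, which is exactly what -Wunreachable-code complains about. The Kconfig hunk above already makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`; extending that to `&& !GRKERNSEC_HIDESYM` and deleting this ifdef would be cleaner, or at least wrap the remainder in `#else … #endif`. As written, a HIDESYM kernel still builds /proc/kcore only to refuse every open.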
46195 diff -urNp linux-3.0.9/fs/proc/meminfo.c linux-3.0.9/fs/proc/meminfo.c
46196 --- linux-3.0.9/fs/proc/meminfo.c       2011-11-11 13:12:24.000000000 -0500
46197 +++ linux-3.0.9/fs/proc/meminfo.c       2011-11-15 20:02:59.000000000 -0500
46198 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
46199         unsigned long pages[NR_LRU_LISTS];
46200         int lru;
46201  
46202 +       pax_track_stack();
46203 +
46204  /*
46205   * display in kilobytes.
46206   */
46207 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
46208                 vmi.used >> 10,
46209                 vmi.largest_chunk >> 10
46210  #ifdef CONFIG_MEMORY_FAILURE
46211 -               ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
46212 +               ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
46213  #endif
46214  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
46215                 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
46216 diff -urNp linux-3.0.9/fs/proc/nommu.c linux-3.0.9/fs/proc/nommu.c
46217 --- linux-3.0.9/fs/proc/nommu.c 2011-11-11 13:12:24.000000000 -0500
46218 +++ linux-3.0.9/fs/proc/nommu.c 2011-11-15 20:02:59.000000000 -0500
46219 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
46220                 if (len < 1)
46221                         len = 1;
46222                 seq_printf(m, "%*c", len, ' ');
46223 -               seq_path(m, &file->f_path, "");
46224 +               seq_path(m, &file->f_path, "\n\\");
46225         }
46226  
46227         seq_putc(m, '\n');
46228 diff -urNp linux-3.0.9/fs/proc/proc_net.c linux-3.0.9/fs/proc/proc_net.c
46229 --- linux-3.0.9/fs/proc/proc_net.c      2011-11-11 13:12:24.000000000 -0500
46230 +++ linux-3.0.9/fs/proc/proc_net.c      2011-11-15 20:02:59.000000000 -0500
46231 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
46232         struct task_struct *task;
46233         struct nsproxy *ns;
46234         struct net *net = NULL;
46235 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46236 +       const struct cred *cred = current_cred();
46237 +#endif
46238 +
46239 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46240 +       if (cred->fsuid)
46241 +               return net;
46242 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46243 +       if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
46244 +               return net;
46245 +#endif
46246  
46247         rcu_read_lock();
46248         task = pid_task(proc_pid(dir), PIDTYPE_PID);
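Review bot: This gate tests `cred->fsuid`, while the matching proc_pid_readdir gate in the fs/proc/base.c hunk above tests the real uid (`tmpcred->uid`), so a task whose real and filesystem uids differ could be classified differently by the two: shown a process in the listing it cannot open /proc/<pid>/net for, or the reverse. Pick one field for both (fsuid is what the VFS uses against the owner set on /proc/<pid>) and record the choice in a comment, e.g. `/* fsuid, to match the owner/mode checks on /proc/<pid> itself */`.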
46249 diff -urNp linux-3.0.9/fs/proc/proc_sysctl.c linux-3.0.9/fs/proc/proc_sysctl.c
46250 --- linux-3.0.9/fs/proc/proc_sysctl.c   2011-11-11 13:12:24.000000000 -0500
46251 +++ linux-3.0.9/fs/proc/proc_sysctl.c   2011-11-15 20:02:59.000000000 -0500
46252 @@ -8,11 +8,13 @@
46253  #include <linux/namei.h>
46254  #include "internal.h"
46255  
46256 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
46257 +
46258  static const struct dentry_operations proc_sys_dentry_operations;
46259  static const struct file_operations proc_sys_file_operations;
46260 -static const struct inode_operations proc_sys_inode_operations;
46261 +const struct inode_operations proc_sys_inode_operations;
46262  static const struct file_operations proc_sys_dir_file_operations;
46263 -static const struct inode_operations proc_sys_dir_operations;
46264 +const struct inode_operations proc_sys_dir_operations;
46265  
46266  static struct inode *proc_sys_make_inode(struct super_block *sb,
46267                 struct ctl_table_header *head, struct ctl_table *table)
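Review bot: The `extern __u32 gr_handle_sysctl(...)` prototype is declared inline in proc_sysctl.c rather than in linux/grsecurity.h, which the fs/proc/inode.c hunk above already includes for the other gr_* hooks; a prototype in a .c file is never checked against the real definition, so a later signature change in the grsecurity code would go unnoticed here. Suggest moving it to the header and including that header here.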
46268 @@ -121,8 +123,14 @@ static struct dentry *proc_sys_lookup(st
46269  
46270         err = NULL;
46271         d_set_d_op(dentry, &proc_sys_dentry_operations);
46272 +
46273 +       gr_handle_proc_create(dentry, inode);
46274 +
46275         d_add(dentry, inode);
46276  
46277 +       if (gr_handle_sysctl(p, MAY_EXEC))
46278 +               err = ERR_PTR(-ENOENT);
46279 +
46280  out:
46281         sysctl_head_finish(head);
46282         return err;
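Review bot: `gr_handle_sysctl(p, MAY_EXEC)` runs after `d_add(dentry, inode)`, so on denial the function returns ERR_PTR(-ENOENT) but leaves a hashed, positive dentry for that name in the dcache; whether a later lookup of the same path re-runs this check then depends on proc_sys_revalidate() and proc_sys_permission(), both outside this hunk, and in the unpatched 3.0 source the former only checks for an unregistering table. Doing the check before the dentry is instantiated, and dropping the inode reference on denial (assuming `inode` came from proc_sys_make_inode() with its own reference, as in the unpatched source), avoids relying on that. The start of proc_sys_lookup(), where `p` and `inode` are obtained, is outside the hunk.
```c
	if (gr_handle_sysctl(p, MAY_EXEC)) {
		/* denied: never hash a dentry the caller may not see */
		iput(inode);
		err = ERR_PTR(-ENOENT);
		goto out;
	}

	err = NULL;
	d_set_d_op(dentry, &proc_sys_dentry_operations);
	gr_handle_proc_create(dentry, inode);
	d_add(dentry, inode);
	/* … unchanged: out: label, sysctl_head_finish(head), return err … */
```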
46283 @@ -202,6 +210,9 @@ static int proc_sys_fill_cache(struct fi
46284                                 return -ENOMEM;
46285                         } else {
46286                                 d_set_d_op(child, &proc_sys_dentry_operations);
46287 +
46288 +                               gr_handle_proc_create(child, inode);
46289 +
46290                                 d_add(child, inode);
46291                         }
46292                 } else {
46293 @@ -230,6 +241,9 @@ static int scan(struct ctl_table_header 
46294                 if (*pos < file->f_pos)
46295                         continue;
46296  
46297 +               if (gr_handle_sysctl(table, 0))
46298 +                       continue;
46299 +
46300                 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
46301                 if (res)
46302                         return res;
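Review bot: scan() passes `0` as the op argument to gr_handle_sysctl() while proc_sys_lookup() and proc_sys_getattr() in the neighbouring hunks pass `MAY_EXEC`; if the hook treats the two differently, a table could be listed by readdir yet fail lookup, or be lookup-able yet never listed. A comment on this line saying what op 0 means, or passing the same constant as the other callers, would remove the ambiguity.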
46303 @@ -355,6 +369,9 @@ static int proc_sys_getattr(struct vfsmo
46304         if (IS_ERR(head))
46305                 return PTR_ERR(head);
46306  
46307 +       if (table && gr_handle_sysctl(table, MAY_EXEC))
46308 +               return -ENOENT;
46309 +
46310         generic_fillattr(inode, stat);
46311         if (table)
46312                 stat->mode = (stat->mode & S_IFMT) | table->mode;
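Review bot: The new `return -ENOENT` in proc_sys_getattr() sits after `head` has been successfully obtained but before the function's tail, which in the unpatched source releases it with `sysctl_head_finish(head)`; unless that tail was also changed (it is outside this hunk), every stat() of a hidden sysctl leaks a use count on the table header and can stall unregister_sysctl_table(). Suggest `if (table && gr_handle_sysctl(table, MAY_EXEC)) { sysctl_head_finish(head); return -ENOENT; }`.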
46313 @@ -374,13 +391,13 @@ static const struct file_operations proc
46314         .llseek         = generic_file_llseek,
46315  };
46316  
46317 -static const struct inode_operations proc_sys_inode_operations = {
46318 +const struct inode_operations proc_sys_inode_operations = {
46319         .permission     = proc_sys_permission,
46320         .setattr        = proc_sys_setattr,
46321         .getattr        = proc_sys_getattr,
46322  };
46323  
46324 -static const struct inode_operations proc_sys_dir_operations = {
46325 +const struct inode_operations proc_sys_dir_operations = {
46326         .lookup         = proc_sys_lookup,
46327         .permission     = proc_sys_permission,
46328         .setattr        = proc_sys_setattr,
46329 diff -urNp linux-3.0.9/fs/proc/root.c linux-3.0.9/fs/proc/root.c
46330 --- linux-3.0.9/fs/proc/root.c  2011-11-11 13:12:24.000000000 -0500
46331 +++ linux-3.0.9/fs/proc/root.c  2011-11-15 20:02:59.000000000 -0500
46332 @@ -123,7 +123,15 @@ void __init proc_root_init(void)
46333  #ifdef CONFIG_PROC_DEVICETREE
46334         proc_device_tree_init();
46335  #endif
46336 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
46337 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46338 +       proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
46339 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46340 +       proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
46341 +#endif
46342 +#else
46343         proc_mkdir("bus", NULL);
46344 +#endif
46345         proc_sys_init();
46346  }
46347  
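Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the inner `#ifdef`/`#elif` has no fallback and /proc/bus is never created, so anything registered beneath it later would fail to appear. If Kconfig forces one of the two options whenever PROC_ADD is on, that is not visible here and a comment should say so; otherwise add `#else proc_mkdir("bus", NULL);` inside the inner conditional.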
46348 diff -urNp linux-3.0.9/fs/proc/task_mmu.c linux-3.0.9/fs/proc/task_mmu.c
46349 --- linux-3.0.9/fs/proc/task_mmu.c      2011-11-11 13:12:24.000000000 -0500
46350 +++ linux-3.0.9/fs/proc/task_mmu.c      2011-11-15 20:02:59.000000000 -0500
46351 @@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
46352                 "VmExe:\t%8lu kB\n"
46353                 "VmLib:\t%8lu kB\n"
46354                 "VmPTE:\t%8lu kB\n"
46355 -               "VmSwap:\t%8lu kB\n",
46356 -               hiwater_vm << (PAGE_SHIFT-10),
46357 +               "VmSwap:\t%8lu kB\n"
46358 +
46359 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46360 +               "CsBase:\t%8lx\nCsLim:\t%8lx\n"
46361 +#endif
46362 +
46363 +               ,hiwater_vm << (PAGE_SHIFT-10),
46364                 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
46365                 mm->locked_vm << (PAGE_SHIFT-10),
46366                 hiwater_rss << (PAGE_SHIFT-10),
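Review bot: `CsBase`/`CsLim` are emitted from task_mem(), which feeds the world-readable /proc/<pid>/status for any task; if `user_cs_limit` tracks the top of the process's executable mappings, as the name suggests, this discloses part of the address-space layout that the CONFIG_GRKERNSEC_PROC_MEMMAP hunks further down in this file deliberately zero in maps/smaps for other users' tasks. Consider printing the two fields only when the same PAX_RAND_FLAGS() test would allow real addresses, or only for `mm == current->mm`. The format string spans two hunks; the following one (`@@ -60,7 +65,13 @@`) supplies the values.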
46367 @@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
46368                 data << (PAGE_SHIFT-10),
46369                 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
46370                 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
46371 -               swap << (PAGE_SHIFT-10));
46372 +               swap << (PAGE_SHIFT-10)
46373 +
46374 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46375 +               , mm->context.user_cs_base, mm->context.user_cs_limit
46376 +#endif
46377 +
46378 +       );
46379  }
46380  
46381  unsigned long task_vsize(struct mm_struct *mm)
46382 @@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
46383         return ret;
46384  }
46385  
46386 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46387 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
46388 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
46389 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
46390 +#endif
46391 +
46392  static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
46393  {
46394         struct mm_struct *mm = vma->vm_mm;
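Review bot: PAX_RAND_FLAGS() exists only under CONFIG_GRKERNSEC_PROC_MEMMAP, which is why every use site below needs its own `#ifdef`/`#else` pair; defining it to `0` in an `#else` branch (or making it a `static inline bool` that returns false there) would let show_map_vma() and show_smap() use one unconditional expression such as `start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;`, with the compiler folding the constant away. A `static inline` would also document the argument type and avoid re-evaluating `_mm` four times per call.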
46395 @@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
46396                 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
46397         }
46398  
46399 -       /* We don't show the stack guard page in /proc/maps */
46400 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46401 +       start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
46402 +       end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
46403 +#else
46404         start = vma->vm_start;
46405 -       if (stack_guard_page_start(vma, start))
46406 -               start += PAGE_SIZE;
46407         end = vma->vm_end;
46408 -       if (stack_guard_page_end(vma, end))
46409 -               end -= PAGE_SIZE;
46410 +#endif
46411  
46412         seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
46413                         start,
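Review bot: The `#else` branch of this hunk, i.e. the build without CONFIG_GRKERNSEC_PROC_MEMMAP, also drops the `stack_guard_page_start()`/`stack_guard_page_end()` adjustments that hid the stack guard page from /proc/<pid>/maps, so the reported stack range changes even for a kernel with the new option off. Unless the guard-page helpers were removed elsewhere in this patch, that is an unrelated behaviour change and the `#else` branch should keep the original four lines; if they were removed, a comment saying so would stop the next reader from re-adding them.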
46414 @@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
46415                         flags & VM_WRITE ? 'w' : '-',
46416                         flags & VM_EXEC ? 'x' : '-',
46417                         flags & VM_MAYSHARE ? 's' : 'p',
46418 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46419 +                       PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
46420 +#else
46421                         pgoff,
46422 +#endif
46423                         MAJOR(dev), MINOR(dev), ino, &len);
46424  
46425         /*
46426 @@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
46427          */
46428         if (file) {
46429                 pad_len_spaces(m, len);
46430 -               seq_path(m, &file->f_path, "\n");
46431 +               seq_path(m, &file->f_path, "\n\\");
46432         } else {
46433                 const char *name = arch_vma_name(vma);
46434                 if (!name) {
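Review bot: The escape set handed to seq_path() grows from `"\n"` to `"\n\\"` here (and in the nommu and numa hunks), but nothing says why; presumably so that a file name containing a literal backslash cannot be mistaken for one of the `\ooo` sequences seq_path() emits for escaped characters, which matters because maps parsers split on them. A comment at this first site would carry that: `/* escape '\\' as well so a crafted name cannot forge the \ooo escapes */`.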
46435 @@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
46436                                 if (vma->vm_start <= mm->brk &&
46437                                                 vma->vm_end >= mm->start_brk) {
46438                                         name = "[heap]";
46439 -                               } else if (vma->vm_start <= mm->start_stack &&
46440 -                                          vma->vm_end >= mm->start_stack) {
46441 +                               } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
46442 +                                          (vma->vm_start <= mm->start_stack &&
46443 +                                           vma->vm_end >= mm->start_stack)) {
46444                                         name = "[stack]";
46445                                 }
46446                         } else {
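Review bot: Labelling every VM_GROWSDOWN or VM_GROWSUP mapping as `[stack]` is applied unconditionally, not under CONFIG_GRKERNSEC_PROC_MEMMAP, so a plain MAP_GROWSDOWN mapping unrelated to the process stack is now reported as `[stack]` on every build of this patch, and tools that key on that name will treat it as the main stack. If the broadened test is meant for the MEMMAP case, where the real start_stack may be hidden, gate it accordingly; otherwise document the choice on the `else if`.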
46447 @@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
46448         };
46449  
46450         memset(&mss, 0, sizeof mss);
46451 -       mss.vma = vma;
46452 -       /* mmap_sem is held in m_start */
46453 -       if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46454 -               walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46455 -
46456 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46457 +       if (!PAX_RAND_FLAGS(vma->vm_mm)) {
46458 +#endif
46459 +               mss.vma = vma;
46460 +               /* mmap_sem is held in m_start */
46461 +               if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46462 +                       walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46463 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46464 +       }
46465 +#endif
46466         show_map_vma(m, vma);
46467  
46468         seq_printf(m,
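Review bot: The `#ifdef … if (!PAX_RAND_FLAGS(vma->vm_mm)) { … #endif` scaffolding re-indents the four original lines inside a conditionally compiled brace, which leaves mismatched braces for any editor or tool that does not preprocess. Folding the test into the existing condition, `if (!PAX_RAND_FLAGS(vma->vm_mm) && vma->vm_mm && !is_vm_hugetlb_page(vma))`, with `mss.vma = vma;` left unconditional, keeps one brace pair; it would still need the macro available in the non-MEMMAP build, which it currently is not.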
46469 @@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
46470                    "KernelPageSize: %8lu kB\n"
46471                    "MMUPageSize:    %8lu kB\n"
46472                    "Locked:         %8lu kB\n",
46473 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46474 +                  PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
46475 +#else
46476                    (vma->vm_end - vma->vm_start) >> 10,
46477 +#endif
46478                    mss.resident >> 10,
46479                    (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
46480                    mss.shared_clean  >> 10,
46481 @@ -1031,7 +1062,7 @@ static int show_numa_map(struct seq_file
46482  
46483         if (file) {
46484                 seq_printf(m, " file=");
46485 -               seq_path(m, &file->f_path, "\n\t= ");
46486 +               seq_path(m, &file->f_path, "\n\t\\= ");
46487         } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
46488                 seq_printf(m, " heap");
46489         } else if (vma->vm_start <= mm->start_stack &&
46490 diff -urNp linux-3.0.9/fs/proc/task_nommu.c linux-3.0.9/fs/proc/task_nommu.c
46491 --- linux-3.0.9/fs/proc/task_nommu.c    2011-11-11 13:12:24.000000000 -0500
46492 +++ linux-3.0.9/fs/proc/task_nommu.c    2011-11-15 20:02:59.000000000 -0500
46493 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
46494         else
46495                 bytes += kobjsize(mm);
46496         
46497 -       if (current->fs && current->fs->users > 1)
46498 +       if (current->fs && atomic_read(&current->fs->users) > 1)
46499                 sbytes += kobjsize(current->fs);
46500         else
46501                 bytes += kobjsize(current->fs);
46502 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
46503  
46504         if (file) {
46505                 pad_len_spaces(m, len);
46506 -               seq_path(m, &file->f_path, "");
46507 +               seq_path(m, &file->f_path, "\n\\");
46508         } else if (mm) {
46509                 if (vma->vm_start <= mm->start_stack &&
46510                         vma->vm_end >= mm->start_stack) {
46511 diff -urNp linux-3.0.9/fs/quota/netlink.c linux-3.0.9/fs/quota/netlink.c
46512 --- linux-3.0.9/fs/quota/netlink.c      2011-11-11 13:12:24.000000000 -0500
46513 +++ linux-3.0.9/fs/quota/netlink.c      2011-11-15 20:02:59.000000000 -0500
46514 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
46515  void quota_send_warning(short type, unsigned int id, dev_t dev,
46516                         const char warntype)
46517  {
46518 -       static atomic_t seq;
46519 +       static atomic_unchecked_t seq;
46520         struct sk_buff *skb;
46521         void *msg_head;
46522         int ret;
46523 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
46524                   "VFS: Not enough memory to send quota warning.\n");
46525                 return;
46526         }
46527 -       msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
46528 +       msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
46529                         &quota_genl_family, 0, QUOTA_NL_C_WARNING);
46530         if (!msg_head) {
46531                 printk(KERN_ERR
46532 diff -urNp linux-3.0.9/fs/readdir.c linux-3.0.9/fs/readdir.c
46533 --- linux-3.0.9/fs/readdir.c    2011-11-11 13:12:24.000000000 -0500
46534 +++ linux-3.0.9/fs/readdir.c    2011-11-15 20:02:59.000000000 -0500
46535 @@ -17,6 +17,7 @@
46536  #include <linux/security.h>
46537  #include <linux/syscalls.h>
46538  #include <linux/unistd.h>
46539 +#include <linux/namei.h>
46540  
46541  #include <asm/uaccess.h>
46542  
46543 @@ -67,6 +68,7 @@ struct old_linux_dirent {
46544  
46545  struct readdir_callback {
46546         struct old_linux_dirent __user * dirent;
46547 +       struct file * file;
46548         int result;
46549  };
46550  
46551 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
46552                 buf->result = -EOVERFLOW;
46553                 return -EOVERFLOW;
46554         }
46555 +
46556 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46557 +               return 0;
46558 +
46559         buf->result++;
46560         dirent = buf->dirent;
46561         if (!access_ok(VERIFY_WRITE, dirent,
46562 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
46563  
46564         buf.result = 0;
46565         buf.dirent = dirent;
46566 +       buf.file = file;
46567  
46568         error = vfs_readdir(file, fillonedir, &buf);
46569         if (buf.result)
46570 @@ -142,6 +149,7 @@ struct linux_dirent {
46571  struct getdents_callback {
46572         struct linux_dirent __user * current_dir;
46573         struct linux_dirent __user * previous;
46574 +       struct file * file;
46575         int count;
46576         int error;
46577  };
46578 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
46579                 buf->error = -EOVERFLOW;
46580                 return -EOVERFLOW;
46581         }
46582 +
46583 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46584 +               return 0;
46585 +
46586         dirent = buf->previous;
46587         if (dirent) {
46588                 if (__put_user(offset, &dirent->d_off))
46589 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, 
46590         buf.previous = NULL;
46591         buf.count = count;
46592         buf.error = 0;
46593 +       buf.file = file;
46594  
46595         error = vfs_readdir(file, filldir, &buf);
46596         if (error >= 0)
46597 @@ -229,6 +242,7 @@ out:
46598  struct getdents_callback64 {
46599         struct linux_dirent64 __user * current_dir;
46600         struct linux_dirent64 __user * previous;
46601 +       struct file *file;
46602         int count;
46603         int error;
46604  };
46605 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
46606         buf->error = -EINVAL;   /* only used if we fail.. */
46607         if (reclen > buf->count)
46608                 return -EINVAL;
46609 +
46610 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46611 +               return 0;
46612 +
46613         dirent = buf->previous;
46614         if (dirent) {
46615                 if (__put_user(offset, &dirent->d_off))
46616 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46617  
46618         buf.current_dir = dirent;
46619         buf.previous = NULL;
46620 +       buf.file = file;
46621         buf.count = count;
46622         buf.error = 0;
46623  
46624 @@ -299,7 +318,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46625                 error = buf.error;
46626         lastdirent = buf.previous;
46627         if (lastdirent) {
46628 -               typeof(lastdirent->d_off) d_off = file->f_pos;
46629 +               typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
46630                 if (__put_user(d_off, &lastdirent->d_off))
46631                         error = -EFAULT;
46632                 else
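Review bot: The `typeof(lastdirent->d_off)` to `typeof(((struct linux_dirent64 *)0)->d_off)` change has no explanatory comment, and the two spell the same type, so the next reader will not know what it fixes; presumably the dereference of a `__user` pointer inside typeof() upset a checker or compiler plugin. Say so on the line: `/* name the type without dereferencing a __user pointer inside typeof() */`.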
46633 diff -urNp linux-3.0.9/fs/reiserfs/dir.c linux-3.0.9/fs/reiserfs/dir.c
46634 --- linux-3.0.9/fs/reiserfs/dir.c       2011-11-11 13:12:24.000000000 -0500
46635 +++ linux-3.0.9/fs/reiserfs/dir.c       2011-11-15 20:02:59.000000000 -0500
46636 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
46637         struct reiserfs_dir_entry de;
46638         int ret = 0;
46639  
46640 +       pax_track_stack();
46641 +
46642         reiserfs_write_lock(inode->i_sb);
46643  
46644         reiserfs_check_lock_depth(inode->i_sb, "readdir");
46645 diff -urNp linux-3.0.9/fs/reiserfs/do_balan.c linux-3.0.9/fs/reiserfs/do_balan.c
46646 --- linux-3.0.9/fs/reiserfs/do_balan.c  2011-11-11 13:12:24.000000000 -0500
46647 +++ linux-3.0.9/fs/reiserfs/do_balan.c  2011-11-15 20:02:59.000000000 -0500
46648 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
46649                 return;
46650         }
46651  
46652 -       atomic_inc(&(fs_generation(tb->tb_sb)));
46653 +       atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
46654         do_balance_starts(tb);
46655  
46656         /* balance leaf returns 0 except if combining L R and S into
46657 diff -urNp linux-3.0.9/fs/reiserfs/journal.c linux-3.0.9/fs/reiserfs/journal.c
46658 --- linux-3.0.9/fs/reiserfs/journal.c   2011-11-11 13:12:24.000000000 -0500
46659 +++ linux-3.0.9/fs/reiserfs/journal.c   2011-11-15 20:02:59.000000000 -0500
46660 @@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
46661         struct buffer_head *bh;
46662         int i, j;
46663  
46664 +       pax_track_stack();
46665 +
46666         bh = __getblk(dev, block, bufsize);
46667         if (buffer_uptodate(bh))
46668                 return (bh);
46669 diff -urNp linux-3.0.9/fs/reiserfs/namei.c linux-3.0.9/fs/reiserfs/namei.c
46670 --- linux-3.0.9/fs/reiserfs/namei.c     2011-11-11 13:12:24.000000000 -0500
46671 +++ linux-3.0.9/fs/reiserfs/namei.c     2011-11-15 20:02:59.000000000 -0500
46672 @@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode 
46673         unsigned long savelink = 1;
46674         struct timespec ctime;
46675  
46676 +       pax_track_stack();
46677 +
46678         /* three balancings: (1) old name removal, (2) new name insertion
46679            and (3) maybe "save" link insertion
46680            stat data updates: (1) old directory,
46681 diff -urNp linux-3.0.9/fs/reiserfs/procfs.c linux-3.0.9/fs/reiserfs/procfs.c
46682 --- linux-3.0.9/fs/reiserfs/procfs.c    2011-11-11 13:12:24.000000000 -0500
46683 +++ linux-3.0.9/fs/reiserfs/procfs.c    2011-11-15 20:02:59.000000000 -0500
46684 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
46685                    "SMALL_TAILS " : "NO_TAILS ",
46686                    replay_only(sb) ? "REPLAY_ONLY " : "",
46687                    convert_reiserfs(sb) ? "CONV " : "",
46688 -                  atomic_read(&r->s_generation_counter),
46689 +                  atomic_read_unchecked(&r->s_generation_counter),
46690                    SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
46691                    SF(s_do_balance), SF(s_unneeded_left_neighbor),
46692                    SF(s_good_search_by_key_reada), SF(s_bmaps),
46693 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file 
46694         struct journal_params *jp = &rs->s_v1.s_journal;
46695         char b[BDEVNAME_SIZE];
46696  
46697 +       pax_track_stack();
46698 +
46699         seq_printf(m,           /* on-disk fields */
46700                    "jp_journal_1st_block: \t%i\n"
46701                    "jp_journal_dev: \t%s[%x]\n"
46702 diff -urNp linux-3.0.9/fs/reiserfs/stree.c linux-3.0.9/fs/reiserfs/stree.c
46703 --- linux-3.0.9/fs/reiserfs/stree.c     2011-11-11 13:12:24.000000000 -0500
46704 +++ linux-3.0.9/fs/reiserfs/stree.c     2011-11-15 20:02:59.000000000 -0500
46705 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
46706         int iter = 0;
46707  #endif
46708  
46709 +       pax_track_stack();
46710 +
46711         BUG_ON(!th->t_trans_id);
46712  
46713         init_tb_struct(th, &s_del_balance, sb, path,
46714 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
46715         int retval;
46716         int quota_cut_bytes = 0;
46717  
46718 +       pax_track_stack();
46719 +
46720         BUG_ON(!th->t_trans_id);
46721  
46722         le_key2cpu_key(&cpu_key, key);
46723 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
46724         int quota_cut_bytes;
46725         loff_t tail_pos = 0;
46726  
46727 +       pax_track_stack();
46728 +
46729         BUG_ON(!th->t_trans_id);
46730  
46731         init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
46732 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
46733         int retval;
46734         int fs_gen;
46735  
46736 +       pax_track_stack();
46737 +
46738         BUG_ON(!th->t_trans_id);
46739  
46740         fs_gen = get_generation(inode->i_sb);
46741 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
46742         int fs_gen = 0;
46743         int quota_bytes = 0;
46744  
46745 +       pax_track_stack();
46746 +
46747         BUG_ON(!th->t_trans_id);
46748  
46749         if (inode) {            /* Do we count quotas for item? */
46750 diff -urNp linux-3.0.9/fs/reiserfs/super.c linux-3.0.9/fs/reiserfs/super.c
46751 --- linux-3.0.9/fs/reiserfs/super.c     2011-11-11 13:12:24.000000000 -0500
46752 +++ linux-3.0.9/fs/reiserfs/super.c     2011-11-15 20:02:59.000000000 -0500
46753 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
46754                 {.option_name = NULL}
46755         };
46756  
46757 +       pax_track_stack();
46758 +
46759         *blocks = 0;
46760         if (!options || !*options)
46761                 /* use default configuration: create tails, journaling on, no
46762 diff -urNp linux-3.0.9/fs/select.c linux-3.0.9/fs/select.c
46763 --- linux-3.0.9/fs/select.c     2011-11-11 13:12:24.000000000 -0500
46764 +++ linux-3.0.9/fs/select.c     2011-11-15 20:02:59.000000000 -0500
46765 @@ -20,6 +20,7 @@
46766  #include <linux/module.h>
46767  #include <linux/slab.h>
46768  #include <linux/poll.h>
46769 +#include <linux/security.h>
46770  #include <linux/personality.h> /* for STICKY_TIMEOUTS */
46771  #include <linux/file.h>
46772  #include <linux/fdtable.h>
46773 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
46774         int retval, i, timed_out = 0;
46775         unsigned long slack = 0;
46776  
46777 +       pax_track_stack();
46778 +
46779         rcu_read_lock();
46780         retval = max_select_fd(n, fds);
46781         rcu_read_unlock();
46782 @@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
46783         /* Allocate small arguments on the stack to save memory and be faster */
46784         long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
46785  
46786 +       pax_track_stack();
46787 +
46788         ret = -EINVAL;
46789         if (n < 0)
46790                 goto out_nofds;
46791 @@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
46792         struct poll_list *walk = head;
46793         unsigned long todo = nfds;
46794  
46795 +       pax_track_stack();
46796 +
46797 +       gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
46798         if (nfds > rlimit(RLIMIT_NOFILE))
46799                 return -EINVAL;
46800  
46801 diff -urNp linux-3.0.9/fs/seq_file.c linux-3.0.9/fs/seq_file.c
46802 --- linux-3.0.9/fs/seq_file.c   2011-11-11 13:12:24.000000000 -0500
46803 +++ linux-3.0.9/fs/seq_file.c   2011-11-15 20:02:59.000000000 -0500
46804 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m, 
46805                 return 0;
46806         }
46807         if (!m->buf) {
46808 -               m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46809 +               m->size = PAGE_SIZE;
46810 +               m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46811                 if (!m->buf)
46812                         return -ENOMEM;
46813         }
46814 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m, 
46815  Eoverflow:
46816         m->op->stop(m, p);
46817         kfree(m->buf);
46818 -       m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46819 +       m->size <<= 1;
46820 +       m->buf = kmalloc(m->size, GFP_KERNEL);
46821         return !m->buf ? -ENOMEM : -EAGAIN;
46822  }
46823  
46824 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
46825         m->version = file->f_version;
46826         /* grab buffer if we didn't have one */
46827         if (!m->buf) {
46828 -               m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46829 +               m->size = PAGE_SIZE;
46830 +               m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46831                 if (!m->buf)
46832                         goto Enomem;
46833         }
46834 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
46835                         goto Fill;
46836                 m->op->stop(m, p);
46837                 kfree(m->buf);
46838 -               m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46839 +               m->size <<= 1;
46840 +               m->buf = kmalloc(m->size, GFP_KERNEL);
46841                 if (!m->buf)
46842                         goto Enomem;
46843                 m->count = 0;
46844 @@ -549,7 +553,7 @@ static void single_stop(struct seq_file 
46845  int single_open(struct file *file, int (*show)(struct seq_file *, void *),
46846                 void *data)
46847  {
46848 -       struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
46849 +       seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
46850         int res = -ENOMEM;
46851  
46852         if (op) {
46853 diff -urNp linux-3.0.9/fs/splice.c linux-3.0.9/fs/splice.c
46854 --- linux-3.0.9/fs/splice.c     2011-11-11 13:12:24.000000000 -0500
46855 +++ linux-3.0.9/fs/splice.c     2011-11-15 20:02:59.000000000 -0500
46856 @@ -194,7 +194,7 @@ ssize_t splice_to_pipe(struct pipe_inode
46857         pipe_lock(pipe);
46858  
46859         for (;;) {
46860 -               if (!pipe->readers) {
46861 +               if (!atomic_read(&pipe->readers)) {
46862                         send_sig(SIGPIPE, current, 0);
46863                         if (!ret)
46864                                 ret = -EPIPE;
46865 @@ -248,9 +248,9 @@ ssize_t splice_to_pipe(struct pipe_inode
46866                         do_wakeup = 0;
46867                 }
46868  
46869 -               pipe->waiting_writers++;
46870 +               atomic_inc(&pipe->waiting_writers);
46871                 pipe_wait(pipe);
46872 -               pipe->waiting_writers--;
46873 +               atomic_dec(&pipe->waiting_writers);
46874         }
46875  
46876         pipe_unlock(pipe);
46877 @@ -320,6 +320,8 @@ __generic_file_splice_read(struct file *
46878                 .spd_release = spd_release_page,
46879         };
46880  
46881 +       pax_track_stack();
46882 +
46883         if (splice_grow_spd(pipe, &spd))
46884                 return -ENOMEM;
46885  
46886 @@ -560,7 +562,7 @@ static ssize_t kernel_readv(struct file 
46887         old_fs = get_fs();
46888         set_fs(get_ds());
46889         /* The cast to a user pointer is valid due to the set_fs() */
46890 -       res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
46891 +       res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
46892         set_fs(old_fs);
46893  
46894         return res;
46895 @@ -575,7 +577,7 @@ static ssize_t kernel_write(struct file 
46896         old_fs = get_fs();
46897         set_fs(get_ds());
46898         /* The cast to a user pointer is valid due to the set_fs() */
46899 -       res = vfs_write(file, (const char __user *)buf, count, &pos);
46900 +       res = vfs_write(file, (const char __force_user *)buf, count, &pos);
46901         set_fs(old_fs);
46902  
46903         return res;
46904 @@ -603,6 +605,8 @@ ssize_t default_file_splice_read(struct 
46905                 .spd_release = spd_release_page,
46906         };
46907  
46908 +       pax_track_stack();
46909 +
46910         if (splice_grow_spd(pipe, &spd))
46911                 return -ENOMEM;
46912  
46913 @@ -626,7 +630,7 @@ ssize_t default_file_splice_read(struct 
46914                         goto err;
46915  
46916                 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
46917 -               vec[i].iov_base = (void __user *) page_address(page);
46918 +               vec[i].iov_base = (void __force_user *) page_address(page);
46919                 vec[i].iov_len = this_len;
46920                 spd.pages[i] = page;
46921                 spd.nr_pages++;
46922 @@ -846,10 +850,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
46923  int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
46924  {
46925         while (!pipe->nrbufs) {
46926 -               if (!pipe->writers)
46927 +               if (!atomic_read(&pipe->writers))
46928                         return 0;
46929  
46930 -               if (!pipe->waiting_writers && sd->num_spliced)
46931 +               if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
46932                         return 0;
46933  
46934                 if (sd->flags & SPLICE_F_NONBLOCK)
46935 @@ -1182,7 +1186,7 @@ ssize_t splice_direct_to_actor(struct fi
46936                  * out of the pipe right after the splice_to_pipe(). So set
46937                  * PIPE_READERS appropriately.
46938                  */
46939 -               pipe->readers = 1;
46940 +               atomic_set(&pipe->readers, 1);
46941  
46942                 current->splice_pipe = pipe;
46943         }
46944 @@ -1619,6 +1623,8 @@ static long vmsplice_to_pipe(struct file
46945         };
46946         long ret;
46947  
46948 +       pax_track_stack();
46949 +
46950         pipe = get_pipe_info(file);
46951         if (!pipe)
46952                 return -EBADF;
46953 @@ -1734,9 +1740,9 @@ static int ipipe_prep(struct pipe_inode_
46954                         ret = -ERESTARTSYS;
46955                         break;
46956                 }
46957 -               if (!pipe->writers)
46958 +               if (!atomic_read(&pipe->writers))
46959                         break;
46960 -               if (!pipe->waiting_writers) {
46961 +               if (!atomic_read(&pipe->waiting_writers)) {
46962                         if (flags & SPLICE_F_NONBLOCK) {
46963                                 ret = -EAGAIN;
46964                                 break;
46965 @@ -1768,7 +1774,7 @@ static int opipe_prep(struct pipe_inode_
46966         pipe_lock(pipe);
46967  
46968         while (pipe->nrbufs >= pipe->buffers) {
46969 -               if (!pipe->readers) {
46970 +               if (!atomic_read(&pipe->readers)) {
46971                         send_sig(SIGPIPE, current, 0);
46972                         ret = -EPIPE;
46973                         break;
46974 @@ -1781,9 +1787,9 @@ static int opipe_prep(struct pipe_inode_
46975                         ret = -ERESTARTSYS;
46976                         break;
46977                 }
46978 -               pipe->waiting_writers++;
46979 +               atomic_inc(&pipe->waiting_writers);
46980                 pipe_wait(pipe);
46981 -               pipe->waiting_writers--;
46982 +               atomic_dec(&pipe->waiting_writers);
46983         }
46984  
46985         pipe_unlock(pipe);
46986 @@ -1819,14 +1825,14 @@ retry:
46987         pipe_double_lock(ipipe, opipe);
46988  
46989         do {
46990 -               if (!opipe->readers) {
46991 +               if (!atomic_read(&opipe->readers)) {
46992                         send_sig(SIGPIPE, current, 0);
46993                         if (!ret)
46994                                 ret = -EPIPE;
46995                         break;
46996                 }
46997  
46998 -               if (!ipipe->nrbufs && !ipipe->writers)
46999 +               if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
47000                         break;
47001  
47002                 /*
47003 @@ -1923,7 +1929,7 @@ static int link_pipe(struct pipe_inode_i
47004         pipe_double_lock(ipipe, opipe);
47005  
47006         do {
47007 -               if (!opipe->readers) {
47008 +               if (!atomic_read(&opipe->readers)) {
47009                         send_sig(SIGPIPE, current, 0);
47010                         if (!ret)
47011                                 ret = -EPIPE;
47012 @@ -1968,7 +1974,7 @@ static int link_pipe(struct pipe_inode_i
47013          * return EAGAIN if we have the potential of some data in the
47014          * future, otherwise just return 0
47015          */
47016 -       if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
47017 +       if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
47018                 ret = -EAGAIN;
47019  
47020         pipe_unlock(ipipe);
47021 diff -urNp linux-3.0.9/fs/sysfs/file.c linux-3.0.9/fs/sysfs/file.c
47022 --- linux-3.0.9/fs/sysfs/file.c 2011-11-11 13:12:24.000000000 -0500
47023 +++ linux-3.0.9/fs/sysfs/file.c 2011-11-15 20:02:59.000000000 -0500
47024 @@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
47025  
47026  struct sysfs_open_dirent {
47027         atomic_t                refcnt;
47028 -       atomic_t                event;
47029 +       atomic_unchecked_t      event;
47030         wait_queue_head_t       poll;
47031         struct list_head        buffers; /* goes through sysfs_buffer.list */
47032  };
47033 @@ -81,7 +81,7 @@ static int fill_read_buffer(struct dentr
47034         if (!sysfs_get_active(attr_sd))
47035                 return -ENODEV;
47036  
47037 -       buffer->event = atomic_read(&attr_sd->s_attr.open->event);
47038 +       buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
47039         count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
47040  
47041         sysfs_put_active(attr_sd);
47042 @@ -287,7 +287,7 @@ static int sysfs_get_open_dirent(struct 
47043                 return -ENOMEM;
47044  
47045         atomic_set(&new_od->refcnt, 0);
47046 -       atomic_set(&new_od->event, 1);
47047 +       atomic_set_unchecked(&new_od->event, 1);
47048         init_waitqueue_head(&new_od->poll);
47049         INIT_LIST_HEAD(&new_od->buffers);
47050         goto retry;
47051 @@ -432,7 +432,7 @@ static unsigned int sysfs_poll(struct fi
47052  
47053         sysfs_put_active(attr_sd);
47054  
47055 -       if (buffer->event != atomic_read(&od->event))
47056 +       if (buffer->event != atomic_read_unchecked(&od->event))
47057                 goto trigger;
47058  
47059         return DEFAULT_POLLMASK;
47060 @@ -451,7 +451,7 @@ void sysfs_notify_dirent(struct sysfs_di
47061  
47062         od = sd->s_attr.open;
47063         if (od) {
47064 -               atomic_inc(&od->event);
47065 +               atomic_inc_unchecked(&od->event);
47066                 wake_up_interruptible(&od->poll);
47067         }
47068  
47069 diff -urNp linux-3.0.9/fs/sysfs/mount.c linux-3.0.9/fs/sysfs/mount.c
47070 --- linux-3.0.9/fs/sysfs/mount.c        2011-11-11 13:12:24.000000000 -0500
47071 +++ linux-3.0.9/fs/sysfs/mount.c        2011-11-15 20:02:59.000000000 -0500
47072 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
47073         .s_name         = "",
47074         .s_count        = ATOMIC_INIT(1),
47075         .s_flags        = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
47076 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
47077 +       .s_mode         = S_IFDIR | S_IRWXU,
47078 +#else
47079         .s_mode         = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
47080 +#endif
47081         .s_ino          = 1,
47082  };
47083  
47084 diff -urNp linux-3.0.9/fs/sysfs/symlink.c linux-3.0.9/fs/sysfs/symlink.c
47085 --- linux-3.0.9/fs/sysfs/symlink.c      2011-11-11 13:12:24.000000000 -0500
47086 +++ linux-3.0.9/fs/sysfs/symlink.c      2011-11-15 20:02:59.000000000 -0500
47087 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
47088  
47089  static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
47090  {
47091 -       char *page = nd_get_link(nd);
47092 +       const char *page = nd_get_link(nd);
47093         if (!IS_ERR(page))
47094                 free_page((unsigned long)page);
47095  }
47096 diff -urNp linux-3.0.9/fs/udf/inode.c linux-3.0.9/fs/udf/inode.c
47097 --- linux-3.0.9/fs/udf/inode.c  2011-11-11 13:12:24.000000000 -0500
47098 +++ linux-3.0.9/fs/udf/inode.c  2011-11-15 20:02:59.000000000 -0500
47099 @@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
47100         int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
47101         int lastblock = 0;
47102  
47103 +       pax_track_stack();
47104 +
47105         prev_epos.offset = udf_file_entry_alloc_offset(inode);
47106         prev_epos.block = iinfo->i_location;
47107         prev_epos.bh = NULL;
47108 diff -urNp linux-3.0.9/fs/udf/misc.c linux-3.0.9/fs/udf/misc.c
47109 --- linux-3.0.9/fs/udf/misc.c   2011-11-11 13:12:24.000000000 -0500
47110 +++ linux-3.0.9/fs/udf/misc.c   2011-11-15 20:02:59.000000000 -0500
47111 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
47112  
47113  u8 udf_tag_checksum(const struct tag *t)
47114  {
47115 -       u8 *data = (u8 *)t;
47116 +       const u8 *data = (const u8 *)t;
47117         u8 checksum = 0;
47118         int i;
47119         for (i = 0; i < sizeof(struct tag); ++i)
47120 diff -urNp linux-3.0.9/fs/utimes.c linux-3.0.9/fs/utimes.c
47121 --- linux-3.0.9/fs/utimes.c     2011-11-11 13:12:24.000000000 -0500
47122 +++ linux-3.0.9/fs/utimes.c     2011-11-15 20:02:59.000000000 -0500
47123 @@ -1,6 +1,7 @@
47124  #include <linux/compiler.h>
47125  #include <linux/file.h>
47126  #include <linux/fs.h>
47127 +#include <linux/security.h>
47128  #include <linux/linkage.h>
47129  #include <linux/mount.h>
47130  #include <linux/namei.h>
47131 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
47132                                 goto mnt_drop_write_and_out;
47133                 }
47134         }
47135 +
47136 +       if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
47137 +               error = -EACCES;
47138 +               goto mnt_drop_write_and_out;
47139 +       }
47140 +
47141         mutex_lock(&inode->i_mutex);
47142         error = notify_change(path->dentry, &newattrs);
47143         mutex_unlock(&inode->i_mutex);
47144 diff -urNp linux-3.0.9/fs/xattr_acl.c linux-3.0.9/fs/xattr_acl.c
47145 --- linux-3.0.9/fs/xattr_acl.c  2011-11-11 13:12:24.000000000 -0500
47146 +++ linux-3.0.9/fs/xattr_acl.c  2011-11-15 20:02:59.000000000 -0500
47147 @@ -17,8 +17,8 @@
47148  struct posix_acl *
47149  posix_acl_from_xattr(const void *value, size_t size)
47150  {
47151 -       posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
47152 -       posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
47153 +       const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
47154 +       const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
47155         int count;
47156         struct posix_acl *acl;
47157         struct posix_acl_entry *acl_e;
47158 diff -urNp linux-3.0.9/fs/xattr.c linux-3.0.9/fs/xattr.c
47159 --- linux-3.0.9/fs/xattr.c      2011-11-11 13:12:24.000000000 -0500
47160 +++ linux-3.0.9/fs/xattr.c      2011-11-15 20:02:59.000000000 -0500
47161 @@ -254,7 +254,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
47162   * Extended attribute SET operations
47163   */
47164  static long
47165 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
47166 +setxattr(struct path *path, const char __user *name, const void __user *value,
47167          size_t size, int flags)
47168  {
47169         int error;
47170 @@ -278,7 +278,13 @@ setxattr(struct dentry *d, const char __
47171                         return PTR_ERR(kvalue);
47172         }
47173  
47174 -       error = vfs_setxattr(d, kname, kvalue, size, flags);
47175 +       if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
47176 +               error = -EACCES;
47177 +               goto out;
47178 +       }
47179 +
47180 +       error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
47181 +out:
47182         kfree(kvalue);
47183         return error;
47184  }
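Review bot: The `gr_acl_handle_setxattr()` check runs after the attribute value has already been copied from user space into `kvalue`, so a call the policy is going to refuse still pays for the allocation and copy of a value up to the maximum xattr size; placing the check at the top of `setxattr()`, before the name and value copies that precede this hunk, refuses first and allocates only for calls that are allowed. The `goto out` path is correct as written, since `kfree()` accepts the NULL `kvalue` left when no value was supplied. The returned error is identical either way, so this is an ordering and cost point rather than a correctness one.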
47185 @@ -295,7 +301,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
47186                 return error;
47187         error = mnt_want_write(path.mnt);
47188         if (!error) {
47189 -               error = setxattr(path.dentry, name, value, size, flags);
47190 +               error = setxattr(&path, name, value, size, flags);
47191                 mnt_drop_write(path.mnt);
47192         }
47193         path_put(&path);
47194 @@ -314,7 +320,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
47195                 return error;
47196         error = mnt_want_write(path.mnt);
47197         if (!error) {
47198 -               error = setxattr(path.dentry, name, value, size, flags);
47199 +               error = setxattr(&path, name, value, size, flags);
47200                 mnt_drop_write(path.mnt);
47201         }
47202         path_put(&path);
47203 @@ -325,17 +331,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
47204                 const void __user *,value, size_t, size, int, flags)
47205  {
47206         struct file *f;
47207 -       struct dentry *dentry;
47208         int error = -EBADF;
47209  
47210         f = fget(fd);
47211         if (!f)
47212                 return error;
47213 -       dentry = f->f_path.dentry;
47214 -       audit_inode(NULL, dentry);
47215 +       audit_inode(NULL, f->f_path.dentry);
47216         error = mnt_want_write_file(f);
47217         if (!error) {
47218 -               error = setxattr(dentry, name, value, size, flags);
47219 +               error = setxattr(&f->f_path, name, value, size, flags);
47220                 mnt_drop_write(f->f_path.mnt);
47221         }
47222         fput(f);
47223 diff -urNp linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl32.c linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl32.c
47224 --- linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl32.c  2011-11-11 13:12:24.000000000 -0500
47225 +++ linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl32.c  2011-11-15 20:02:59.000000000 -0500
47226 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
47227         xfs_fsop_geom_t           fsgeo;
47228         int                       error;
47229  
47230 +       memset(&fsgeo, 0, sizeof(fsgeo));
47231         error = xfs_fs_geometry(mp, &fsgeo, 3);
47232         if (error)
47233                 return -error;
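Review bot: The added `memset()` should carry a comment saying why it is there, because a reader will otherwise assume `xfs_fs_geometry()` initialises every field: `/* zero first: not every field of fsgeo is written, and it is copied to user space */`. That wording assumes, as the compat `_v1` path suggests, that the structure (or a prefix of it) ends up in a copy_to_user later in the function, which is outside the hunk — confirm before committing to it. Zeroing the whole object also covers padding bytes, which a field-by-field initialiser would not.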
47234 diff -urNp linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl.c linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl.c
47235 --- linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl.c    2011-11-11 13:12:24.000000000 -0500
47236 +++ linux-3.0.9/fs/xfs/linux-2.6/xfs_ioctl.c    2011-11-15 20:02:59.000000000 -0500
47237 @@ -128,7 +128,7 @@ xfs_find_handle(
47238         }
47239  
47240         error = -EFAULT;
47241 -       if (copy_to_user(hreq->ohandle, &handle, hsize) ||
47242 +       if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
47243             copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
47244                 goto out_put;
47245  
47246 diff -urNp linux-3.0.9/fs/xfs/linux-2.6/xfs_iops.c linux-3.0.9/fs/xfs/linux-2.6/xfs_iops.c
47247 --- linux-3.0.9/fs/xfs/linux-2.6/xfs_iops.c     2011-11-11 13:12:24.000000000 -0500
47248 +++ linux-3.0.9/fs/xfs/linux-2.6/xfs_iops.c     2011-11-15 20:02:59.000000000 -0500
47249 @@ -437,7 +437,7 @@ xfs_vn_put_link(
47250         struct nameidata *nd,
47251         void            *p)
47252  {
47253 -       char            *s = nd_get_link(nd);
47254 +       const char      *s = nd_get_link(nd);
47255  
47256         if (!IS_ERR(s))
47257                 kfree(s);
47258 diff -urNp linux-3.0.9/fs/xfs/xfs_bmap.c linux-3.0.9/fs/xfs/xfs_bmap.c
47259 --- linux-3.0.9/fs/xfs/xfs_bmap.c       2011-11-11 13:12:24.000000000 -0500
47260 +++ linux-3.0.9/fs/xfs/xfs_bmap.c       2011-11-15 20:02:59.000000000 -0500
47261 @@ -253,7 +253,7 @@ xfs_bmap_validate_ret(
47262         int                     nmap,
47263         int                     ret_nmap);
47264  #else
47265 -#define        xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
47266 +#define        xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
47267  #endif /* DEBUG */
47268  
47269  STATIC int
47270 diff -urNp linux-3.0.9/fs/xfs/xfs_dir2_sf.c linux-3.0.9/fs/xfs/xfs_dir2_sf.c
47271 --- linux-3.0.9/fs/xfs/xfs_dir2_sf.c    2011-11-11 13:12:24.000000000 -0500
47272 +++ linux-3.0.9/fs/xfs/xfs_dir2_sf.c    2011-11-15 20:02:59.000000000 -0500
47273 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
47274                 }
47275  
47276                 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
47277 -               if (filldir(dirent, (char *)sfep->name, sfep->namelen,
47278 +               if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
47279 +                       char name[sfep->namelen];
47280 +                       memcpy(name, sfep->name, sfep->namelen);
47281 +                       if (filldir(dirent, name, sfep->namelen,
47282 +                           off & 0x7fffffff, ino, DT_UNKNOWN)) {
47283 +                               *offset = off & 0x7fffffff;
47284 +                               return 0;
47285 +                       }
47286 +               } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
47287                             off & 0x7fffffff, ino, DT_UNKNOWN)) {
47288                         *offset = off & 0x7fffffff;
47289                         return 0;
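Review bot: The new inline-data branch duplicates the entire `filldir()` call and its offset bookkeeping, and it introduces a variable-length array `char name[sfep->namelen]`, a construct the rest of the kernel avoids and one that is zero-sized should `namelen` ever be 0. Choosing the name pointer first and keeping a single `filldir()` call removes the duplication, and a fixed `char name[MAXNAMELEN]` buffer bounds the stack use (`namelen` is a single byte in the short-form entry, so it always fits); both `name` and a `char *namep` would be declared with the function's other locals, which start before the hunk. The reason for the copy — presumably to avoid handing `filldir()`'s copy_to_user a pointer into the inode object when the name lives in `if_inline_data` — is not stated anywhere and belongs in a comment, as below.
```c
		ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
		/*
		 * Names stored in the inode's inline area: give filldir a
		 * stack copy rather than a pointer into the inode object.
		 */
		namep = (char *)sfep->name;
		if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
			memcpy(name, sfep->name, sfep->namelen);
			namep = name;
		}
		if (filldir(dirent, namep, sfep->namelen,
			    off & 0x7fffffff, ino, DT_UNKNOWN)) {
			*offset = off & 0x7fffffff;
			return 0;
		}
		/* … unchanged: advance to the next short-form entry … */
```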
47290 diff -urNp linux-3.0.9/grsecurity/gracl_alloc.c linux-3.0.9/grsecurity/gracl_alloc.c
47291 --- linux-3.0.9/grsecurity/gracl_alloc.c        1969-12-31 19:00:00.000000000 -0500
47292 +++ linux-3.0.9/grsecurity/gracl_alloc.c        2011-11-15 20:02:59.000000000 -0500
47293 @@ -0,0 +1,105 @@
47294 +#include <linux/kernel.h>
47295 +#include <linux/mm.h>
47296 +#include <linux/slab.h>
47297 +#include <linux/vmalloc.h>
47298 +#include <linux/gracl.h>
47299 +#include <linux/grsecurity.h>
47300 +
47301 +static unsigned long alloc_stack_next = 1;
47302 +static unsigned long alloc_stack_size = 1;
47303 +static void **alloc_stack;
47304 +
47305 +static __inline__ int
47306 +alloc_pop(void)
47307 +{
47308 +       if (alloc_stack_next == 1)
47309 +               return 0;
47310 +
47311 +       kfree(alloc_stack[alloc_stack_next - 2]);
47312 +
47313 +       alloc_stack_next--;
47314 +
47315 +       return 1;
47316 +}
47317 +
47318 +static __inline__ int
47319 +alloc_push(void *buf)
47320 +{
47321 +       if (alloc_stack_next >= alloc_stack_size)
47322 +               return 1;
47323 +
47324 +       alloc_stack[alloc_stack_next - 1] = buf;
47325 +
47326 +       alloc_stack_next++;
47327 +
47328 +       return 0;
47329 +}
47330 +
47331 +void *
47332 +acl_alloc(unsigned long len)
47333 +{
47334 +       void *ret = NULL;
47335 +
47336 +       if (!len || len > PAGE_SIZE)
47337 +               goto out;
47338 +
47339 +       ret = kmalloc(len, GFP_KERNEL);
47340 +
47341 +       if (ret) {
47342 +               if (alloc_push(ret)) {
47343 +                       kfree(ret);
47344 +                       ret = NULL;
47345 +               }
47346 +       }
47347 +
47348 +out:
47349 +       return ret;
47350 +}
47351 +
47352 +void *
47353 +acl_alloc_num(unsigned long num, unsigned long len)
47354 +{
47355 +       if (!len || (num > (PAGE_SIZE / len)))
47356 +               return NULL;
47357 +
47358 +       return acl_alloc(num * len);
47359 +}
47360 +
47361 +void
47362 +acl_free_all(void)
47363 +{
47364 +       if (gr_acl_is_enabled() || !alloc_stack)
47365 +               return;
47366 +
47367 +       while (alloc_pop()) ;
47368 +
47369 +       if (alloc_stack) {
47370 +               if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
47371 +                       kfree(alloc_stack);
47372 +               else
47373 +                       vfree(alloc_stack);
47374 +       }
47375 +
47376 +       alloc_stack = NULL;
47377 +       alloc_stack_size = 1;
47378 +       alloc_stack_next = 1;
47379 +
47380 +       return;
47381 +}
47382 +
47383 +int
47384 +acl_alloc_stack_init(unsigned long size)
47385 +{
47386 +       if ((size * sizeof (void *)) <= PAGE_SIZE)
47387 +               alloc_stack =
47388 +                   (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
47389 +       else
47390 +               alloc_stack = (void **) vmalloc(size * sizeof (void *));
47391 +
47392 +       alloc_stack_size = size;
47393 +
47394 +       if (!alloc_stack)
47395 +               return 0;
47396 +       else
47397 +               return 1;
47398 +}
47399 diff -urNp linux-3.0.9/grsecurity/gracl.c linux-3.0.9/grsecurity/gracl.c
47400 --- linux-3.0.9/grsecurity/gracl.c      1969-12-31 19:00:00.000000000 -0500
47401 +++ linux-3.0.9/grsecurity/gracl.c      2011-11-16 17:50:21.000000000 -0500
47402 @@ -0,0 +1,4155 @@
47403 +#include <linux/kernel.h>
47404 +#include <linux/module.h>
47405 +#include <linux/sched.h>
47406 +#include <linux/mm.h>
47407 +#include <linux/file.h>
47408 +#include <linux/fs.h>
47409 +#include <linux/namei.h>
47410 +#include <linux/mount.h>
47411 +#include <linux/tty.h>
47412 +#include <linux/proc_fs.h>
47413 +#include <linux/lglock.h>
47414 +#include <linux/slab.h>
47415 +#include <linux/vmalloc.h>
47416 +#include <linux/types.h>
47417 +#include <linux/sysctl.h>
47418 +#include <linux/netdevice.h>
47419 +#include <linux/ptrace.h>
47420 +#include <linux/gracl.h>
47421 +#include <linux/gralloc.h>
47422 +#include <linux/grsecurity.h>
47423 +#include <linux/grinternal.h>
47424 +#include <linux/pid_namespace.h>
47425 +#include <linux/fdtable.h>
47426 +#include <linux/percpu.h>
47427 +
47428 +#include <asm/uaccess.h>
47429 +#include <asm/errno.h>
47430 +#include <asm/mman.h>
47431 +
47432 +static struct acl_role_db acl_role_set;
47433 +static struct name_db name_set;
47434 +static struct inodev_db inodev_set;
47435 +
47436 +/* for keeping track of userspace pointers used for subjects, so we
47437 +   can share references in the kernel as well
47438 +*/
47439 +
47440 +static struct path real_root;
47441 +
47442 +static struct acl_subj_map_db subj_map_set;
47443 +
47444 +static struct acl_role_label *default_role;
47445 +
47446 +static struct acl_role_label *role_list;
47447 +
47448 +static u16 acl_sp_role_value;
47449 +
47450 +extern char *gr_shared_page[4];
47451 +static DEFINE_MUTEX(gr_dev_mutex);
47452 +DEFINE_RWLOCK(gr_inode_lock);
47453 +
47454 +struct gr_arg *gr_usermode;
47455 +
47456 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
47457 +
47458 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
47459 +extern void gr_clear_learn_entries(void);
47460 +
47461 +#ifdef CONFIG_GRKERNSEC_RESLOG
47462 +extern void gr_log_resource(const struct task_struct *task,
47463 +                           const int res, const unsigned long wanted, const int gt);
47464 +#endif
47465 +
47466 +unsigned char *gr_system_salt;
47467 +unsigned char *gr_system_sum;
47468 +
47469 +static struct sprole_pw **acl_special_roles = NULL;
47470 +static __u16 num_sprole_pws = 0;
47471 +
47472 +static struct acl_role_label *kernel_role = NULL;
47473 +
47474 +static unsigned int gr_auth_attempts = 0;
47475 +static unsigned long gr_auth_expires = 0UL;
47476 +
47477 +#ifdef CONFIG_NET
47478 +extern struct vfsmount *sock_mnt;
47479 +#endif
47480 +
47481 +extern struct vfsmount *pipe_mnt;
47482 +extern struct vfsmount *shm_mnt;
47483 +#ifdef CONFIG_HUGETLBFS
47484 +extern struct vfsmount *hugetlbfs_vfsmount;
47485 +#endif
47486 +
47487 +static struct acl_object_label *fakefs_obj_rw;
47488 +static struct acl_object_label *fakefs_obj_rwx;
47489 +
47490 +extern int gr_init_uidset(void);
47491 +extern void gr_free_uidset(void);
47492 +extern void gr_remove_uid(uid_t uid);
47493 +extern int gr_find_uid(uid_t uid);
47494 +
47495 +DECLARE_BRLOCK(vfsmount_lock);
47496 +
47497 +__inline__ int
47498 +gr_acl_is_enabled(void)
47499 +{
47500 +       return (gr_status & GR_READY);
47501 +}
47502 +
47503 +#ifdef CONFIG_BTRFS_FS
47504 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
47505 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
47506 +#endif
47507 +
47508 +static inline dev_t __get_dev(const struct dentry *dentry)
47509 +{
47510 +#ifdef CONFIG_BTRFS_FS
47511 +       if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
47512 +               return get_btrfs_dev_from_inode(dentry->d_inode);
47513 +       else
47514 +#endif
47515 +               return dentry->d_inode->i_sb->s_dev;
47516 +}
47517 +
47518 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
47519 +{
47520 +       return __get_dev(dentry);
47521 +}
47522 +
47523 +static char gr_task_roletype_to_char(struct task_struct *task)
47524 +{
47525 +       switch (task->role->roletype &
47526 +               (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
47527 +                GR_ROLE_SPECIAL)) {
47528 +       case GR_ROLE_DEFAULT:
47529 +               return 'D';
47530 +       case GR_ROLE_USER:
47531 +               return 'U';
47532 +       case GR_ROLE_GROUP:
47533 +               return 'G';
47534 +       case GR_ROLE_SPECIAL:
47535 +               return 'S';
47536 +       }
47537 +
47538 +       return 'X';
47539 +}
47540 +
47541 +char gr_roletype_to_char(void)
47542 +{
47543 +       return gr_task_roletype_to_char(current);
47544 +}
47545 +
47546 +__inline__ int
47547 +gr_acl_tpe_check(void)
47548 +{
47549 +       if (unlikely(!(gr_status & GR_READY)))
47550 +               return 0;
47551 +       if (current->role->roletype & GR_ROLE_TPE)
47552 +               return 1;
47553 +       else
47554 +               return 0;
47555 +}
47556 +
47557 +int
47558 +gr_handle_rawio(const struct inode *inode)
47559 +{
47560 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
47561 +       if (inode && S_ISBLK(inode->i_mode) &&
47562 +           grsec_enable_chroot_caps && proc_is_chrooted(current) &&
47563 +           !capable(CAP_SYS_RAWIO))
47564 +               return 1;
47565 +#endif
47566 +       return 0;
47567 +}
47568 +
47569 +static int
47570 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
47571 +{
47572 +       if (likely(lena != lenb))
47573 +               return 0;
47574 +
47575 +       return !memcmp(a, b, lena);
47576 +}
47577 +
47578 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
47579 +{
47580 +       *buflen -= namelen;
47581 +       if (*buflen < 0)
47582 +               return -ENAMETOOLONG;
47583 +       *buffer -= namelen;
47584 +       memcpy(*buffer, str, namelen);
47585 +       return 0;
47586 +}
47587 +
47588 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
47589 +{
47590 +       return prepend(buffer, buflen, name->name, name->len);
47591 +}
47592 +
47593 +static int prepend_path(const struct path *path, struct path *root,
47594 +                       char **buffer, int *buflen)
47595 +{
47596 +       struct dentry *dentry = path->dentry;
47597 +       struct vfsmount *vfsmnt = path->mnt;
47598 +       bool slash = false;
47599 +       int error = 0;
47600 +
47601 +       while (dentry != root->dentry || vfsmnt != root->mnt) {
47602 +               struct dentry * parent;
47603 +
47604 +               if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
47605 +                       /* Global root? */
47606 +                       if (vfsmnt->mnt_parent == vfsmnt) {
47607 +                               goto out;
47608 +                       }
47609 +                       dentry = vfsmnt->mnt_mountpoint;
47610 +                       vfsmnt = vfsmnt->mnt_parent;
47611 +                       continue;
47612 +               }
47613 +               parent = dentry->d_parent;
47614 +               prefetch(parent);
47615 +               spin_lock(&dentry->d_lock);
47616 +               error = prepend_name(buffer, buflen, &dentry->d_name);
47617 +               spin_unlock(&dentry->d_lock);
47618 +               if (!error)
47619 +                       error = prepend(buffer, buflen, "/", 1);
47620 +               if (error)
47621 +                       break;
47622 +
47623 +               slash = true;
47624 +               dentry = parent;
47625 +       }
47626 +
47627 +out:
47628 +       if (!error && !slash)
47629 +               error = prepend(buffer, buflen, "/", 1);
47630 +
47631 +       return error;
47632 +}
47633 +
47634 +/* this must be called with vfsmount_lock and rename_lock held */
47635 +
47636 +static char *__our_d_path(const struct path *path, struct path *root,
47637 +                       char *buf, int buflen)
47638 +{
47639 +       char *res = buf + buflen;
47640 +       int error;
47641 +
47642 +       prepend(&res, &buflen, "\0", 1);
47643 +       error = prepend_path(path, root, &res, &buflen);
47644 +       if (error)
47645 +               return ERR_PTR(error);
47646 +
47647 +       return res;
47648 +}
47649 +
47650 +static char *
47651 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
47652 +{
47653 +       char *retval;
47654 +
47655 +       retval = __our_d_path(path, root, buf, buflen);
47656 +       if (unlikely(IS_ERR(retval)))
47657 +               retval = strcpy(buf, "<path too long>");
47658 +       else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
47659 +               retval[1] = '\0';
47660 +
47661 +       return retval;
47662 +}
47663 +
47664 +static char *
47665 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47666 +               char *buf, int buflen)
47667 +{
47668 +       struct path path;
47669 +       char *res;
47670 +
47671 +       path.dentry = (struct dentry *)dentry;
47672 +       path.mnt = (struct vfsmount *)vfsmnt;
47673 +
47674 +       /* we can use real_root.dentry, real_root.mnt, because this is only called
47675 +          by the RBAC system */
47676 +       res = gen_full_path(&path, &real_root, buf, buflen);
47677 +
47678 +       return res;
47679 +}
47680 +
47681 +static char *
47682 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47683 +           char *buf, int buflen)
47684 +{
47685 +       char *res;
47686 +       struct path path;
47687 +       struct path root;
47688 +       struct task_struct *reaper = &init_task;
47689 +
47690 +       path.dentry = (struct dentry *)dentry;
47691 +       path.mnt = (struct vfsmount *)vfsmnt;
47692 +
47693 +       /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
47694 +       get_fs_root(reaper->fs, &root);
47695 +
47696 +       write_seqlock(&rename_lock);
47697 +       br_read_lock(vfsmount_lock);
47698 +       res = gen_full_path(&path, &root, buf, buflen);
47699 +       br_read_unlock(vfsmount_lock);
47700 +       write_sequnlock(&rename_lock);
47701 +
47702 +       path_put(&root);
47703 +       return res;
47704 +}
47705 +
47706 +static char *
47707 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
47708 +{
47709 +       char *ret;
47710 +       write_seqlock(&rename_lock);
47711 +       br_read_lock(vfsmount_lock);
47712 +       ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47713 +                            PAGE_SIZE);
47714 +       br_read_unlock(vfsmount_lock);
47715 +       write_sequnlock(&rename_lock);
47716 +       return ret;
47717 +}
47718 +
47719 +static char *
47720 +gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
47721 +{
47722 +       char *ret;
47723 +       char *buf;
47724 +       int buflen;
47725 +
47726 +       write_seqlock(&rename_lock);
47727 +       br_read_lock(vfsmount_lock);
47728 +       buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
47729 +       ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
47730 +       buflen = (int)(ret - buf);
47731 +       if (buflen >= 5)
47732 +               prepend(&ret, &buflen, "/proc", 5);
47733 +       else
47734 +               ret = strcpy(buf, "<path too long>");
47735 +       br_read_unlock(vfsmount_lock);
47736 +       write_sequnlock(&rename_lock);
47737 +       return ret;
47738 +}
47739 +
47740 +char *
47741 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
47742 +{
47743 +       return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47744 +                            PAGE_SIZE);
47745 +}
47746 +
47747 +char *
47748 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
47749 +{
47750 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
47751 +                          PAGE_SIZE);
47752 +}
47753 +
47754 +char *
47755 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
47756 +{
47757 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
47758 +                          PAGE_SIZE);
47759 +}
47760 +
47761 +char *
47762 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
47763 +{
47764 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
47765 +                          PAGE_SIZE);
47766 +}
47767 +
47768 +char *
47769 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
47770 +{
47771 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
47772 +                          PAGE_SIZE);
47773 +}
47774 +
47775 +__inline__ __u32
47776 +to_gr_audit(const __u32 reqmode)
47777 +{
47778 +       /* masks off auditable permission flags, then shifts them to create
47779 +          auditing flags, and adds the special case of append auditing if
47780 +          we're requesting write */
47781 +       return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
47782 +}
47783 +
47784 +struct acl_subject_label *
47785 +lookup_subject_map(const struct acl_subject_label *userp)
47786 +{
47787 +       unsigned int index = shash(userp, subj_map_set.s_size);
47788 +       struct subject_map *match;
47789 +
47790 +       match = subj_map_set.s_hash[index];
47791 +
47792 +       while (match && match->user != userp)
47793 +               match = match->next;
47794 +
47795 +       if (match != NULL)
47796 +               return match->kernel;
47797 +       else
47798 +               return NULL;
47799 +}
47800 +
47801 +static void
47802 +insert_subj_map_entry(struct subject_map *subjmap)
47803 +{
47804 +       unsigned int index = shash(subjmap->user, subj_map_set.s_size);
47805 +       struct subject_map **curr;
47806 +
47807 +       subjmap->prev = NULL;
47808 +
47809 +       curr = &subj_map_set.s_hash[index];
47810 +       if (*curr != NULL)
47811 +               (*curr)->prev = subjmap;
47812 +
47813 +       subjmap->next = *curr;
47814 +       *curr = subjmap;
47815 +
47816 +       return;
47817 +}
47818 +
47819 +static struct acl_role_label *
47820 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
47821 +                     const gid_t gid)
47822 +{
47823 +       unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
47824 +       struct acl_role_label *match;
47825 +       struct role_allowed_ip *ipp;
47826 +       unsigned int x;
47827 +       u32 curr_ip = task->signal->curr_ip;
47828 +
47829 +       task->signal->saved_ip = curr_ip;
47830 +
47831 +       match = acl_role_set.r_hash[index];
47832 +
47833 +       while (match) {
47834 +               if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
47835 +                       for (x = 0; x < match->domain_child_num; x++) {
47836 +                               if (match->domain_children[x] == uid)
47837 +                                       goto found;
47838 +                       }
47839 +               } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
47840 +                       break;
47841 +               match = match->next;
47842 +       }
47843 +found:
47844 +       if (match == NULL) {
47845 +             try_group:
47846 +               index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
47847 +               match = acl_role_set.r_hash[index];
47848 +
47849 +               while (match) {
47850 +                       if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
47851 +                               for (x = 0; x < match->domain_child_num; x++) {
47852 +                                       if (match->domain_children[x] == gid)
47853 +                                               goto found2;
47854 +                               }
47855 +                       } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
47856 +                               break;
47857 +                       match = match->next;
47858 +               }
47859 +found2:
47860 +               if (match == NULL)
47861 +                       match = default_role;
47862 +               if (match->allowed_ips == NULL)
47863 +                       return match;
47864 +               else {
47865 +                       for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47866 +                               if (likely
47867 +                                   ((ntohl(curr_ip) & ipp->netmask) ==
47868 +                                    (ntohl(ipp->addr) & ipp->netmask)))
47869 +                                       return match;
47870 +                       }
47871 +                       match = default_role;
47872 +               }
47873 +       } else if (match->allowed_ips == NULL) {
47874 +               return match;
47875 +       } else {
47876 +               for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47877 +                       if (likely
47878 +                           ((ntohl(curr_ip) & ipp->netmask) ==
47879 +                            (ntohl(ipp->addr) & ipp->netmask)))
47880 +                               return match;
47881 +               }
47882 +               goto try_group;
47883 +       }
47884 +
47885 +       return match;
47886 +}
47887 +
47888 +struct acl_subject_label *
47889 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
47890 +                     const struct acl_role_label *role)
47891 +{
47892 +       unsigned int index = fhash(ino, dev, role->subj_hash_size);
47893 +       struct acl_subject_label *match;
47894 +
47895 +       match = role->subj_hash[index];
47896 +
47897 +       while (match && (match->inode != ino || match->device != dev ||
47898 +              (match->mode & GR_DELETED))) {
47899 +               match = match->next;
47900 +       }
47901 +
47902 +       if (match && !(match->mode & GR_DELETED))
47903 +               return match;
47904 +       else
47905 +               return NULL;
47906 +}
47907 +
47908 +struct acl_subject_label *
47909 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
47910 +                         const struct acl_role_label *role)
47911 +{
47912 +       unsigned int index = fhash(ino, dev, role->subj_hash_size);
47913 +       struct acl_subject_label *match;
47914 +
47915 +       match = role->subj_hash[index];
47916 +
47917 +       while (match && (match->inode != ino || match->device != dev ||
47918 +              !(match->mode & GR_DELETED))) {
47919 +               match = match->next;
47920 +       }
47921 +
47922 +       if (match && (match->mode & GR_DELETED))
47923 +               return match;
47924 +       else
47925 +               return NULL;
47926 +}
47927 +
47928 +static struct acl_object_label *
47929 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
47930 +                    const struct acl_subject_label *subj)
47931 +{
47932 +       unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47933 +       struct acl_object_label *match;
47934 +
47935 +       match = subj->obj_hash[index];
47936 +
47937 +       while (match && (match->inode != ino || match->device != dev ||
47938 +              (match->mode & GR_DELETED))) {
47939 +               match = match->next;
47940 +       }
47941 +
47942 +       if (match && !(match->mode & GR_DELETED))
47943 +               return match;
47944 +       else
47945 +               return NULL;
47946 +}
47947 +
47948 +static struct acl_object_label *
47949 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
47950 +                    const struct acl_subject_label *subj)
47951 +{
47952 +       unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47953 +       struct acl_object_label *match;
47954 +
47955 +       match = subj->obj_hash[index];
47956 +
47957 +       while (match && (match->inode != ino || match->device != dev ||
47958 +              !(match->mode & GR_DELETED))) {
47959 +               match = match->next;
47960 +       }
47961 +
47962 +       if (match && (match->mode & GR_DELETED))
47963 +               return match;
47964 +
47965 +       match = subj->obj_hash[index];
47966 +
47967 +       while (match && (match->inode != ino || match->device != dev ||
47968 +              (match->mode & GR_DELETED))) {
47969 +               match = match->next;
47970 +       }
47971 +
47972 +       if (match && !(match->mode & GR_DELETED))
47973 +               return match;
47974 +       else
47975 +               return NULL;
47976 +}
47977 +
47978 +static struct name_entry *
47979 +lookup_name_entry(const char *name)
47980 +{
47981 +       unsigned int len = strlen(name);
47982 +       unsigned int key = full_name_hash(name, len);
47983 +       unsigned int index = key % name_set.n_size;
47984 +       struct name_entry *match;
47985 +
47986 +       match = name_set.n_hash[index];
47987 +
47988 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
47989 +               match = match->next;
47990 +
47991 +       return match;
47992 +}
47993 +
47994 +static struct name_entry *
47995 +lookup_name_entry_create(const char *name)
47996 +{
47997 +       unsigned int len = strlen(name);
47998 +       unsigned int key = full_name_hash(name, len);
47999 +       unsigned int index = key % name_set.n_size;
48000 +       struct name_entry *match;
48001 +
48002 +       match = name_set.n_hash[index];
48003 +
48004 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
48005 +                        !match->deleted))
48006 +               match = match->next;
48007 +
48008 +       if (match && match->deleted)
48009 +               return match;
48010 +
48011 +       match = name_set.n_hash[index];
48012 +
48013 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
48014 +                        match->deleted))
48015 +               match = match->next;
48016 +
48017 +       if (match && !match->deleted)
48018 +               return match;
48019 +       else
48020 +               return NULL;
48021 +}
48022 +
48023 +static struct inodev_entry *
48024 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
48025 +{
48026 +       unsigned int index = fhash(ino, dev, inodev_set.i_size);
48027 +       struct inodev_entry *match;
48028 +
48029 +       match = inodev_set.i_hash[index];
48030 +
48031 +       while (match && (match->nentry->inode != ino || match->nentry->device != dev))
48032 +               match = match->next;
48033 +
48034 +       return match;
48035 +}
48036 +
48037 +static void
48038 +insert_inodev_entry(struct inodev_entry *entry)
48039 +{
48040 +       unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
48041 +                                   inodev_set.i_size);
48042 +       struct inodev_entry **curr;
48043 +
48044 +       entry->prev = NULL;
48045 +
48046 +       curr = &inodev_set.i_hash[index];
48047 +       if (*curr != NULL)
48048 +               (*curr)->prev = entry;
48049 +       
48050 +       entry->next = *curr;
48051 +       *curr = entry;
48052 +
48053 +       return;
48054 +}
48055 +
48056 +static void
48057 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
48058 +{
48059 +       unsigned int index =
48060 +           rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
48061 +       struct acl_role_label **curr;
48062 +       struct acl_role_label *tmp;
48063 +
48064 +       curr = &acl_role_set.r_hash[index];
48065 +
48066 +       /* if role was already inserted due to domains and already has
48067 +          a role in the same bucket as it attached, then we need to
48068 +          combine these two buckets
48069 +       */
48070 +       if (role->next) {
48071 +               tmp = role->next;
48072 +               while (tmp->next)
48073 +                       tmp = tmp->next;
48074 +               tmp->next = *curr;
48075 +       } else
48076 +               role->next = *curr;
48077 +       *curr = role;
48078 +
48079 +       return;
48080 +}
48081 +
48082 +static void
48083 +insert_acl_role_label(struct acl_role_label *role)
48084 +{
48085 +       int i;
48086 +
48087 +       if (role_list == NULL) {
48088 +               role_list = role;
48089 +               role->prev = NULL;
48090 +       } else {
48091 +               role->prev = role_list;
48092 +               role_list = role;
48093 +       }
48094 +       
48095 +       /* used for hash chains */
48096 +       role->next = NULL;
48097 +
48098 +       if (role->roletype & GR_ROLE_DOMAIN) {
48099 +               for (i = 0; i < role->domain_child_num; i++)
48100 +                       __insert_acl_role_label(role, role->domain_children[i]);
48101 +       } else
48102 +               __insert_acl_role_label(role, role->uidgid);
48103 +}
48104 +                                       
48105 +static int
48106 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
48107 +{
48108 +       struct name_entry **curr, *nentry;
48109 +       struct inodev_entry *ientry;
48110 +       unsigned int len = strlen(name);
48111 +       unsigned int key = full_name_hash(name, len);
48112 +       unsigned int index = key % name_set.n_size;
48113 +
48114 +       curr = &name_set.n_hash[index];
48115 +
48116 +       while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
48117 +               curr = &((*curr)->next);
48118 +
48119 +       if (*curr != NULL)
48120 +               return 1;
48121 +
48122 +       nentry = acl_alloc(sizeof (struct name_entry));
48123 +       if (nentry == NULL)
48124 +               return 0;
48125 +       ientry = acl_alloc(sizeof (struct inodev_entry));
48126 +       if (ientry == NULL)
48127 +               return 0;
48128 +       ientry->nentry = nentry;
48129 +
48130 +       nentry->key = key;
48131 +       nentry->name = name;
48132 +       nentry->inode = inode;
48133 +       nentry->device = device;
48134 +       nentry->len = len;
48135 +       nentry->deleted = deleted;
48136 +
48137 +       nentry->prev = NULL;
48138 +       curr = &name_set.n_hash[index];
48139 +       if (*curr != NULL)
48140 +               (*curr)->prev = nentry;
48141 +       nentry->next = *curr;
48142 +       *curr = nentry;
48143 +
48144 +       /* insert us into the table searchable by inode/dev */
48145 +       insert_inodev_entry(ientry);
48146 +
48147 +       return 1;
48148 +}
48149 +
48150 +static void
48151 +insert_acl_obj_label(struct acl_object_label *obj,
48152 +                    struct acl_subject_label *subj)
48153 +{
48154 +       unsigned int index =
48155 +           fhash(obj->inode, obj->device, subj->obj_hash_size);
48156 +       struct acl_object_label **curr;
48157 +
48158 +       
48159 +       obj->prev = NULL;
48160 +
48161 +       curr = &subj->obj_hash[index];
48162 +       if (*curr != NULL)
48163 +               (*curr)->prev = obj;
48164 +
48165 +       obj->next = *curr;
48166 +       *curr = obj;
48167 +
48168 +       return;
48169 +}
48170 +
48171 +static void
48172 +insert_acl_subj_label(struct acl_subject_label *obj,
48173 +                     struct acl_role_label *role)
48174 +{
48175 +       unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
48176 +       struct acl_subject_label **curr;
48177 +
48178 +       obj->prev = NULL;
48179 +
48180 +       curr = &role->subj_hash[index];
48181 +       if (*curr != NULL)
48182 +               (*curr)->prev = obj;
48183 +
48184 +       obj->next = *curr;
48185 +       *curr = obj;
48186 +
48187 +       return;
48188 +}
48189 +
48190 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
48191 +
48192 +static void *
48193 +create_table(__u32 * len, int elementsize)
48194 +{
48195 +       unsigned int table_sizes[] = {
48196 +               7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
48197 +               32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
48198 +               4194301, 8388593, 16777213, 33554393, 67108859
48199 +       };
48200 +       void *newtable = NULL;
48201 +       unsigned int pwr = 0;
48202 +
48203 +       while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
48204 +              table_sizes[pwr] <= *len)
48205 +               pwr++;
48206 +
48207 +       if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
48208 +               return newtable;
48209 +
48210 +       if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
48211 +               newtable =
48212 +                   kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
48213 +       else
48214 +               newtable = vmalloc(table_sizes[pwr] * elementsize);
48215 +
48216 +       *len = table_sizes[pwr];
48217 +
48218 +       return newtable;
48219 +}
48220 +
48221 +static int
48222 +init_variables(const struct gr_arg *arg)
48223 +{
48224 +       struct task_struct *reaper = &init_task;
48225 +       unsigned int stacksize;
48226 +
48227 +       subj_map_set.s_size = arg->role_db.num_subjects;
48228 +       acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
48229 +       name_set.n_size = arg->role_db.num_objects;
48230 +       inodev_set.i_size = arg->role_db.num_objects;
48231 +
48232 +       if (!subj_map_set.s_size || !acl_role_set.r_size ||
48233 +           !name_set.n_size || !inodev_set.i_size)
48234 +               return 1;
48235 +
48236 +       if (!gr_init_uidset())
48237 +               return 1;
48238 +
48239 +       /* set up the stack that holds allocation info */
48240 +
48241 +       stacksize = arg->role_db.num_pointers + 5;
48242 +
48243 +       if (!acl_alloc_stack_init(stacksize))
48244 +               return 1;
48245 +
48246 +       /* grab reference for the real root dentry and vfsmount */
48247 +       get_fs_root(reaper->fs, &real_root);
48248 +       
48249 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48250 +       printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
48251 +#endif
48252 +
48253 +       fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
48254 +       if (fakefs_obj_rw == NULL)
48255 +               return 1;
48256 +       fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
48257 +
48258 +       fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
48259 +       if (fakefs_obj_rwx == NULL)
48260 +               return 1;
48261 +       fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
48262 +
48263 +       subj_map_set.s_hash =
48264 +           (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
48265 +       acl_role_set.r_hash =
48266 +           (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
48267 +       name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
48268 +       inodev_set.i_hash =
48269 +           (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
48270 +
48271 +       if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
48272 +           !name_set.n_hash || !inodev_set.i_hash)
48273 +               return 1;
48274 +
48275 +       memset(subj_map_set.s_hash, 0,
48276 +              sizeof(struct subject_map *) * subj_map_set.s_size);
48277 +       memset(acl_role_set.r_hash, 0,
48278 +              sizeof (struct acl_role_label *) * acl_role_set.r_size);
48279 +       memset(name_set.n_hash, 0,
48280 +              sizeof (struct name_entry *) * name_set.n_size);
48281 +       memset(inodev_set.i_hash, 0,
48282 +              sizeof (struct inodev_entry *) * inodev_set.i_size);
48283 +
48284 +       return 0;
48285 +}
48286 +
48287 +/* free information not needed after startup
48288 +   currently contains user->kernel pointer mappings for subjects
48289 +*/
48290 +
48291 +static void
48292 +free_init_variables(void)
48293 +{
48294 +       __u32 i;
48295 +
48296 +       if (subj_map_set.s_hash) {
48297 +               for (i = 0; i < subj_map_set.s_size; i++) {
48298 +                       if (subj_map_set.s_hash[i]) {
48299 +                               kfree(subj_map_set.s_hash[i]);
48300 +                               subj_map_set.s_hash[i] = NULL;
48301 +                       }
48302 +               }
48303 +
48304 +               if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
48305 +                   PAGE_SIZE)
48306 +                       kfree(subj_map_set.s_hash);
48307 +               else
48308 +                       vfree(subj_map_set.s_hash);
48309 +       }
48310 +
48311 +       return;
48312 +}
48313 +
48314 +static void
48315 +free_variables(void)
48316 +{
48317 +       struct acl_subject_label *s;
48318 +       struct acl_role_label *r;
48319 +       struct task_struct *task, *task2;
48320 +       unsigned int x;
48321 +
48322 +       gr_clear_learn_entries();
48323 +
48324 +       read_lock(&tasklist_lock);
48325 +       do_each_thread(task2, task) {
48326 +               task->acl_sp_role = 0;
48327 +               task->acl_role_id = 0;
48328 +               task->acl = NULL;
48329 +               task->role = NULL;
48330 +       } while_each_thread(task2, task);
48331 +       read_unlock(&tasklist_lock);
48332 +
48333 +       /* release the reference to the real root dentry and vfsmount */
48334 +       path_put(&real_root);
48335 +
48336 +       /* free all object hash tables */
48337 +
48338 +       FOR_EACH_ROLE_START(r)
48339 +               if (r->subj_hash == NULL)
48340 +                       goto next_role;
48341 +               FOR_EACH_SUBJECT_START(r, s, x)
48342 +                       if (s->obj_hash == NULL)
48343 +                               break;
48344 +                       if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48345 +                               kfree(s->obj_hash);
48346 +                       else
48347 +                               vfree(s->obj_hash);
48348 +               FOR_EACH_SUBJECT_END(s, x)
48349 +               FOR_EACH_NESTED_SUBJECT_START(r, s)
48350 +                       if (s->obj_hash == NULL)
48351 +                               break;
48352 +                       if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48353 +                               kfree(s->obj_hash);
48354 +                       else
48355 +                               vfree(s->obj_hash);
48356 +               FOR_EACH_NESTED_SUBJECT_END(s)
48357 +               if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
48358 +                       kfree(r->subj_hash);
48359 +               else
48360 +                       vfree(r->subj_hash);
48361 +               r->subj_hash = NULL;
48362 +next_role:
48363 +       FOR_EACH_ROLE_END(r)
48364 +
48365 +       acl_free_all();
48366 +
48367 +       if (acl_role_set.r_hash) {
48368 +               if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
48369 +                   PAGE_SIZE)
48370 +                       kfree(acl_role_set.r_hash);
48371 +               else
48372 +                       vfree(acl_role_set.r_hash);
48373 +       }
48374 +       if (name_set.n_hash) {
48375 +               if ((name_set.n_size * sizeof (struct name_entry *)) <=
48376 +                   PAGE_SIZE)
48377 +                       kfree(name_set.n_hash);
48378 +               else
48379 +                       vfree(name_set.n_hash);
48380 +       }
48381 +
48382 +       if (inodev_set.i_hash) {
48383 +               if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
48384 +                   PAGE_SIZE)
48385 +                       kfree(inodev_set.i_hash);
48386 +               else
48387 +                       vfree(inodev_set.i_hash);
48388 +       }
48389 +
48390 +       gr_free_uidset();
48391 +
48392 +       memset(&name_set, 0, sizeof (struct name_db));
48393 +       memset(&inodev_set, 0, sizeof (struct inodev_db));
48394 +       memset(&acl_role_set, 0, sizeof (struct acl_role_db));
48395 +       memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
48396 +
48397 +       default_role = NULL;
48398 +       role_list = NULL;
48399 +
48400 +       return;
48401 +}
48402 +
48403 +static __u32
48404 +count_user_objs(struct acl_object_label *userp)
48405 +{
48406 +       struct acl_object_label o_tmp;
48407 +       __u32 num = 0;
48408 +
48409 +       while (userp) {
48410 +               if (copy_from_user(&o_tmp, userp,
48411 +                                  sizeof (struct acl_object_label)))
48412 +                       break;
48413 +
48414 +               userp = o_tmp.prev;
48415 +               num++;
48416 +       }
48417 +
48418 +       return num;
48419 +}
48420 +
48421 +static struct acl_subject_label *
48422 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
48423 +
48424 +static int
48425 +copy_user_glob(struct acl_object_label *obj)
48426 +{
48427 +       struct acl_object_label *g_tmp, **guser;
48428 +       unsigned int len;
48429 +       char *tmp;
48430 +
48431 +       if (obj->globbed == NULL)
48432 +               return 0;
48433 +
48434 +       guser = &obj->globbed;
48435 +       while (*guser) {
48436 +               g_tmp = (struct acl_object_label *)
48437 +                       acl_alloc(sizeof (struct acl_object_label));
48438 +               if (g_tmp == NULL)
48439 +                       return -ENOMEM;
48440 +
48441 +               if (copy_from_user(g_tmp, *guser,
48442 +                                  sizeof (struct acl_object_label)))
48443 +                       return -EFAULT;
48444 +
48445 +               len = strnlen_user(g_tmp->filename, PATH_MAX);
48446 +
48447 +               if (!len || len >= PATH_MAX)
48448 +                       return -EINVAL;
48449 +
48450 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
48451 +                       return -ENOMEM;
48452 +
48453 +               if (copy_from_user(tmp, g_tmp->filename, len))
48454 +                       return -EFAULT;
48455 +               tmp[len-1] = '\0';
48456 +               g_tmp->filename = tmp;
48457 +
48458 +               *guser = g_tmp;
48459 +               guser = &(g_tmp->next);
48460 +       }
48461 +
48462 +       return 0;
48463 +}
48464 +
48465 +static int
48466 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
48467 +              struct acl_role_label *role)
48468 +{
48469 +       struct acl_object_label *o_tmp;
48470 +       unsigned int len;
48471 +       int ret;
48472 +       char *tmp;
48473 +
48474 +       while (userp) {
48475 +               if ((o_tmp = (struct acl_object_label *)
48476 +                    acl_alloc(sizeof (struct acl_object_label))) == NULL)
48477 +                       return -ENOMEM;
48478 +
48479 +               if (copy_from_user(o_tmp, userp,
48480 +                                  sizeof (struct acl_object_label)))
48481 +                       return -EFAULT;
48482 +
48483 +               userp = o_tmp->prev;
48484 +
48485 +               len = strnlen_user(o_tmp->filename, PATH_MAX);
48486 +
48487 +               if (!len || len >= PATH_MAX)
48488 +                       return -EINVAL;
48489 +
48490 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
48491 +                       return -ENOMEM;
48492 +
48493 +               if (copy_from_user(tmp, o_tmp->filename, len))
48494 +                       return -EFAULT;
48495 +               tmp[len-1] = '\0';
48496 +               o_tmp->filename = tmp;
48497 +
48498 +               insert_acl_obj_label(o_tmp, subj);
48499 +               if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
48500 +                                      o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
48501 +                       return -ENOMEM;
48502 +
48503 +               ret = copy_user_glob(o_tmp);
48504 +               if (ret)
48505 +                       return ret;
48506 +
48507 +               if (o_tmp->nested) {
48508 +                       o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
48509 +                       if (IS_ERR(o_tmp->nested))
48510 +                               return PTR_ERR(o_tmp->nested);
48511 +
48512 +                       /* insert into nested subject list */
48513 +                       o_tmp->nested->next = role->hash->first;
48514 +                       role->hash->first = o_tmp->nested;
48515 +               }
48516 +       }
48517 +
48518 +       return 0;
48519 +}
48520 +
48521 +static __u32
48522 +count_user_subjs(struct acl_subject_label *userp)
48523 +{
48524 +       struct acl_subject_label s_tmp;
48525 +       __u32 num = 0;
48526 +
48527 +       while (userp) {
48528 +               if (copy_from_user(&s_tmp, userp,
48529 +                                  sizeof (struct acl_subject_label)))
48530 +                       break;
48531 +
48532 +               userp = s_tmp.prev;
48533 +               /* do not count nested subjects against this count, since
48534 +                  they are not included in the hash table, but are
48535 +                  attached to objects.  We have already counted
48536 +                  the subjects in userspace for the allocation 
48537 +                  stack
48538 +               */
48539 +               if (!(s_tmp.mode & GR_NESTED))
48540 +                       num++;
48541 +       }
48542 +
48543 +       return num;
48544 +}
48545 +
48546 +static int
48547 +copy_user_allowedips(struct acl_role_label *rolep)
48548 +{
48549 +       struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
48550 +
48551 +       ruserip = rolep->allowed_ips;
48552 +
48553 +       while (ruserip) {
48554 +               rlast = rtmp;
48555 +
48556 +               if ((rtmp = (struct role_allowed_ip *)
48557 +                    acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
48558 +                       return -ENOMEM;
48559 +
48560 +               if (copy_from_user(rtmp, ruserip,
48561 +                                  sizeof (struct role_allowed_ip)))
48562 +                       return -EFAULT;
48563 +
48564 +               ruserip = rtmp->prev;
48565 +
48566 +               if (!rlast) {
48567 +                       rtmp->prev = NULL;
48568 +                       rolep->allowed_ips = rtmp;
48569 +               } else {
48570 +                       rlast->next = rtmp;
48571 +                       rtmp->prev = rlast;
48572 +               }
48573 +
48574 +               if (!ruserip)
48575 +                       rtmp->next = NULL;
48576 +       }
48577 +
48578 +       return 0;
48579 +}
48580 +
48581 +static int
48582 +copy_user_transitions(struct acl_role_label *rolep)
48583 +{
48584 +       struct role_transition *rusertp, *rtmp = NULL, *rlast;
48585 +       
48586 +       unsigned int len;
48587 +       char *tmp;
48588 +
48589 +       rusertp = rolep->transitions;
48590 +
48591 +       while (rusertp) {
48592 +               rlast = rtmp;
48593 +
48594 +               if ((rtmp = (struct role_transition *)
48595 +                    acl_alloc(sizeof (struct role_transition))) == NULL)
48596 +                       return -ENOMEM;
48597 +
48598 +               if (copy_from_user(rtmp, rusertp,
48599 +                                  sizeof (struct role_transition)))
48600 +                       return -EFAULT;
48601 +
48602 +               rusertp = rtmp->prev;
48603 +
48604 +               len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
48605 +
48606 +               if (!len || len >= GR_SPROLE_LEN)
48607 +                       return -EINVAL;
48608 +
48609 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
48610 +                       return -ENOMEM;
48611 +
48612 +               if (copy_from_user(tmp, rtmp->rolename, len))
48613 +                       return -EFAULT;
48614 +               tmp[len-1] = '\0';
48615 +               rtmp->rolename = tmp;
48616 +
48617 +               if (!rlast) {
48618 +                       rtmp->prev = NULL;
48619 +                       rolep->transitions = rtmp;
48620 +               } else {
48621 +                       rlast->next = rtmp;
48622 +                       rtmp->prev = rlast;
48623 +               }
48624 +
48625 +               if (!rusertp)
48626 +                       rtmp->next = NULL;
48627 +       }
48628 +
48629 +       return 0;
48630 +}
48631 +
48632 +static struct acl_subject_label *
48633 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
48634 +{
48635 +       struct acl_subject_label *s_tmp = NULL, *s_tmp2;
48636 +       unsigned int len;
48637 +       char *tmp;
48638 +       __u32 num_objs;
48639 +       struct acl_ip_label **i_tmp, *i_utmp2;
48640 +       struct gr_hash_struct ghash;
48641 +       struct subject_map *subjmap;
48642 +       unsigned int i_num;
48643 +       int err;
48644 +
48645 +       s_tmp = lookup_subject_map(userp);
48646 +
48647 +       /* we've already copied this subject into the kernel, just return
48648 +          the reference to it, and don't copy it over again
48649 +       */
48650 +       if (s_tmp)
48651 +               return(s_tmp);
48652 +
48653 +       if ((s_tmp = (struct acl_subject_label *)
48654 +           acl_alloc(sizeof (struct acl_subject_label))) == NULL)
48655 +               return ERR_PTR(-ENOMEM);
48656 +
48657 +       subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
48658 +       if (subjmap == NULL)
48659 +               return ERR_PTR(-ENOMEM);
48660 +
48661 +       subjmap->user = userp;
48662 +       subjmap->kernel = s_tmp;
48663 +       insert_subj_map_entry(subjmap);
48664 +
48665 +       if (copy_from_user(s_tmp, userp,
48666 +                          sizeof (struct acl_subject_label)))
48667 +               return ERR_PTR(-EFAULT);
48668 +
48669 +       len = strnlen_user(s_tmp->filename, PATH_MAX);
48670 +
48671 +       if (!len || len >= PATH_MAX)
48672 +               return ERR_PTR(-EINVAL);
48673 +
48674 +       if ((tmp = (char *) acl_alloc(len)) == NULL)
48675 +               return ERR_PTR(-ENOMEM);
48676 +
48677 +       if (copy_from_user(tmp, s_tmp->filename, len))
48678 +               return ERR_PTR(-EFAULT);
48679 +       tmp[len-1] = '\0';
48680 +       s_tmp->filename = tmp;
48681 +
48682 +       if (!strcmp(s_tmp->filename, "/"))
48683 +               role->root_label = s_tmp;
48684 +
48685 +       if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
48686 +               return ERR_PTR(-EFAULT);
48687 +
48688 +       /* copy user and group transition tables */
48689 +
48690 +       if (s_tmp->user_trans_num) {
48691 +               uid_t *uidlist;
48692 +
48693 +               uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
48694 +               if (uidlist == NULL)
48695 +                       return ERR_PTR(-ENOMEM);
48696 +               if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
48697 +                       return ERR_PTR(-EFAULT);
48698 +
48699 +               s_tmp->user_transitions = uidlist;
48700 +       }
48701 +
48702 +       if (s_tmp->group_trans_num) {
48703 +               gid_t *gidlist;
48704 +
48705 +               gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
48706 +               if (gidlist == NULL)
48707 +                       return ERR_PTR(-ENOMEM);
48708 +               if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
48709 +                       return ERR_PTR(-EFAULT);
48710 +
48711 +               s_tmp->group_transitions = gidlist;
48712 +       }
48713 +
48714 +       /* set up object hash table */
48715 +       num_objs = count_user_objs(ghash.first);
48716 +
48717 +       s_tmp->obj_hash_size = num_objs;
48718 +       s_tmp->obj_hash =
48719 +           (struct acl_object_label **)
48720 +           create_table(&(s_tmp->obj_hash_size), sizeof(void *));
48721 +
48722 +       if (!s_tmp->obj_hash)
48723 +               return ERR_PTR(-ENOMEM);
48724 +
48725 +       memset(s_tmp->obj_hash, 0,
48726 +              s_tmp->obj_hash_size *
48727 +              sizeof (struct acl_object_label *));
48728 +
48729 +       /* add in objects */
48730 +       err = copy_user_objs(ghash.first, s_tmp, role);
48731 +
48732 +       if (err)
48733 +               return ERR_PTR(err);
48734 +
48735 +       /* set pointer for parent subject */
48736 +       if (s_tmp->parent_subject) {
48737 +               s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
48738 +
48739 +               if (IS_ERR(s_tmp2))
48740 +                       return s_tmp2;
48741 +
48742 +               s_tmp->parent_subject = s_tmp2;
48743 +       }
48744 +
48745 +       /* add in ip acls */
48746 +
48747 +       if (!s_tmp->ip_num) {
48748 +               s_tmp->ips = NULL;
48749 +               goto insert;
48750 +       }
48751 +
48752 +       i_tmp =
48753 +           (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
48754 +                                              sizeof (struct acl_ip_label *));
48755 +
48756 +       if (!i_tmp)
48757 +               return ERR_PTR(-ENOMEM);
48758 +
48759 +       for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
48760 +               *(i_tmp + i_num) =
48761 +                   (struct acl_ip_label *)
48762 +                   acl_alloc(sizeof (struct acl_ip_label));
48763 +               if (!*(i_tmp + i_num))
48764 +                       return ERR_PTR(-ENOMEM);
48765 +
48766 +               if (copy_from_user
48767 +                   (&i_utmp2, s_tmp->ips + i_num,
48768 +                    sizeof (struct acl_ip_label *)))
48769 +                       return ERR_PTR(-EFAULT);
48770 +
48771 +               if (copy_from_user
48772 +                   (*(i_tmp + i_num), i_utmp2,
48773 +                    sizeof (struct acl_ip_label)))
48774 +                       return ERR_PTR(-EFAULT);
48775 +               
48776 +               if ((*(i_tmp + i_num))->iface == NULL)
48777 +                       continue;
48778 +
48779 +               len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
48780 +               if (!len || len >= IFNAMSIZ)
48781 +                       return ERR_PTR(-EINVAL);
48782 +               tmp = acl_alloc(len);
48783 +               if (tmp == NULL)
48784 +                       return ERR_PTR(-ENOMEM);
48785 +               if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
48786 +                       return ERR_PTR(-EFAULT);
48787 +               (*(i_tmp + i_num))->iface = tmp;
48788 +       }
48789 +
48790 +       s_tmp->ips = i_tmp;
48791 +
48792 +insert:
48793 +       if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
48794 +                              s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
48795 +               return ERR_PTR(-ENOMEM);
48796 +
48797 +       return s_tmp;
48798 +}
48799 +
48800 +static int
48801 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
48802 +{
48803 +       struct acl_subject_label s_pre;
48804 +       struct acl_subject_label * ret;
48805 +       int err;
48806 +
48807 +       while (userp) {
48808 +               if (copy_from_user(&s_pre, userp,
48809 +                                  sizeof (struct acl_subject_label)))
48810 +                       return -EFAULT;
48811 +               
48812 +               /* do not add nested subjects here, add
48813 +                  while parsing objects
48814 +               */
48815 +
48816 +               if (s_pre.mode & GR_NESTED) {
48817 +                       userp = s_pre.prev;
48818 +                       continue;
48819 +               }
48820 +
48821 +               ret = do_copy_user_subj(userp, role);
48822 +
48823 +               err = PTR_ERR(ret);
48824 +               if (IS_ERR(ret))
48825 +                       return err;
48826 +
48827 +               insert_acl_subj_label(ret, role);
48828 +
48829 +               userp = s_pre.prev;
48830 +       }
48831 +
48832 +       return 0;
48833 +}
48834 +
48835 +static int
48836 +copy_user_acl(struct gr_arg *arg)
48837 +{
48838 +       struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
48839 +       struct sprole_pw *sptmp;
48840 +       struct gr_hash_struct *ghash;
48841 +       uid_t *domainlist;
48842 +       unsigned int r_num;
48843 +       unsigned int len;
48844 +       char *tmp;
48845 +       int err = 0;
48846 +       __u16 i;
48847 +       __u32 num_subjs;
48848 +
48849 +       /* we need a default and kernel role */
48850 +       if (arg->role_db.num_roles < 2)
48851 +               return -EINVAL;
48852 +
48853 +       /* copy special role authentication info from userspace */
48854 +
48855 +       num_sprole_pws = arg->num_sprole_pws;
48856 +       acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
48857 +
48858 +       if (!acl_special_roles) {
48859 +               err = -ENOMEM;
48860 +               goto cleanup;
48861 +       }
48862 +
48863 +       for (i = 0; i < num_sprole_pws; i++) {
48864 +               sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
48865 +               if (!sptmp) {
48866 +                       err = -ENOMEM;
48867 +                       goto cleanup;
48868 +               }
48869 +               if (copy_from_user(sptmp, arg->sprole_pws + i,
48870 +                                  sizeof (struct sprole_pw))) {
48871 +                       err = -EFAULT;
48872 +                       goto cleanup;
48873 +               }
48874 +
48875 +               len =
48876 +                   strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
48877 +
48878 +               if (!len || len >= GR_SPROLE_LEN) {
48879 +                       err = -EINVAL;
48880 +                       goto cleanup;
48881 +               }
48882 +
48883 +               if ((tmp = (char *) acl_alloc(len)) == NULL) {
48884 +                       err = -ENOMEM;
48885 +                       goto cleanup;
48886 +               }
48887 +
48888 +               if (copy_from_user(tmp, sptmp->rolename, len)) {
48889 +                       err = -EFAULT;
48890 +                       goto cleanup;
48891 +               }
48892 +               tmp[len-1] = '\0';
48893 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48894 +               printk(KERN_ALERT "Copying special role %s\n", tmp);
48895 +#endif
48896 +               sptmp->rolename = tmp;
48897 +               acl_special_roles[i] = sptmp;
48898 +       }
48899 +
48900 +       r_utmp = (struct acl_role_label **) arg->role_db.r_table;
48901 +
48902 +       for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
48903 +               r_tmp = acl_alloc(sizeof (struct acl_role_label));
48904 +
48905 +               if (!r_tmp) {
48906 +                       err = -ENOMEM;
48907 +                       goto cleanup;
48908 +               }
48909 +
48910 +               if (copy_from_user(&r_utmp2, r_utmp + r_num,
48911 +                                  sizeof (struct acl_role_label *))) {
48912 +                       err = -EFAULT;
48913 +                       goto cleanup;
48914 +               }
48915 +
48916 +               if (copy_from_user(r_tmp, r_utmp2,
48917 +                                  sizeof (struct acl_role_label))) {
48918 +                       err = -EFAULT;
48919 +                       goto cleanup;
48920 +               }
48921 +
48922 +               len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
48923 +
48924 +               if (!len || len >= PATH_MAX) {
48925 +                       err = -EINVAL;
48926 +                       goto cleanup;
48927 +               }
48928 +
48929 +               if ((tmp = (char *) acl_alloc(len)) == NULL) {
48930 +                       err = -ENOMEM;
48931 +                       goto cleanup;
48932 +               }
48933 +               if (copy_from_user(tmp, r_tmp->rolename, len)) {
48934 +                       err = -EFAULT;
48935 +                       goto cleanup;
48936 +               }
48937 +               tmp[len-1] = '\0';
48938 +               r_tmp->rolename = tmp;
48939 +
48940 +               if (!strcmp(r_tmp->rolename, "default")
48941 +                   && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
48942 +                       default_role = r_tmp;
48943 +               } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
48944 +                       kernel_role = r_tmp;
48945 +               }
48946 +
48947 +               if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
48948 +                       err = -ENOMEM;
48949 +                       goto cleanup;
48950 +               }
48951 +               if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
48952 +                       err = -EFAULT;
48953 +                       goto cleanup;
48954 +               }
48955 +
48956 +               r_tmp->hash = ghash;
48957 +
48958 +               num_subjs = count_user_subjs(r_tmp->hash->first);
48959 +
48960 +               r_tmp->subj_hash_size = num_subjs;
48961 +               r_tmp->subj_hash =
48962 +                   (struct acl_subject_label **)
48963 +                   create_table(&(r_tmp->subj_hash_size), sizeof(void *));
48964 +
48965 +               if (!r_tmp->subj_hash) {
48966 +                       err = -ENOMEM;
48967 +                       goto cleanup;
48968 +               }
48969 +
48970 +               err = copy_user_allowedips(r_tmp);
48971 +               if (err)
48972 +                       goto cleanup;
48973 +
48974 +               /* copy domain info */
48975 +               if (r_tmp->domain_children != NULL) {
48976 +                       domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
48977 +                       if (domainlist == NULL) {
48978 +                               err = -ENOMEM;
48979 +                               goto cleanup;
48980 +                       }
48981 +                       if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
48982 +                               err = -EFAULT;
48983 +                               goto cleanup;
48984 +                       }
48985 +                       r_tmp->domain_children = domainlist;
48986 +               }
48987 +
48988 +               err = copy_user_transitions(r_tmp);
48989 +               if (err)
48990 +                       goto cleanup;
48991 +
48992 +               memset(r_tmp->subj_hash, 0,
48993 +                      r_tmp->subj_hash_size *
48994 +                      sizeof (struct acl_subject_label *));
48995 +
48996 +               err = copy_user_subjs(r_tmp->hash->first, r_tmp);
48997 +
48998 +               if (err)
48999 +                       goto cleanup;
49000 +
49001 +               /* set nested subject list to null */
49002 +               r_tmp->hash->first = NULL;
49003 +
49004 +               insert_acl_role_label(r_tmp);
49005 +       }
49006 +
49007 +       goto return_err;
49008 +      cleanup:
49009 +       free_variables();
49010 +      return_err:
49011 +       return err;
49012 +
49013 +}
49014 +
49015 +static int
49016 +gracl_init(struct gr_arg *args)
49017 +{
49018 +       int error = 0;
49019 +
49020 +       memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
49021 +       memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
49022 +
49023 +       if (init_variables(args)) {
49024 +               gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
49025 +               error = -ENOMEM;
49026 +               free_variables();
49027 +               goto out;
49028 +       }
49029 +
49030 +       error = copy_user_acl(args);
49031 +       free_init_variables();
49032 +       if (error) {
49033 +               free_variables();
49034 +               goto out;
49035 +       }
49036 +
49037 +       if ((error = gr_set_acls(0))) {
49038 +               free_variables();
49039 +               goto out;
49040 +       }
49041 +
49042 +       pax_open_kernel();
49043 +       gr_status |= GR_READY;
49044 +       pax_close_kernel();
49045 +
49046 +      out:
49047 +       return error;
49048 +}
49049 +
49050 +/* derived from glibc fnmatch() 0: match, 1: no match*/
49051 +
49052 +static int
49053 +glob_match(const char *p, const char *n)
49054 +{
49055 +       char c;
49056 +
49057 +       while ((c = *p++) != '\0') {
49058 +       switch (c) {
49059 +               case '?':
49060 +                       if (*n == '\0')
49061 +                               return 1;
49062 +                       else if (*n == '/')
49063 +                               return 1;
49064 +                       break;
49065 +               case '\\':
49066 +                       if (*n != c)
49067 +                               return 1;
49068 +                       break;
49069 +               case '*':
49070 +                       for (c = *p++; c == '?' || c == '*'; c = *p++) {
49071 +                               if (*n == '/')
49072 +                                       return 1;
49073 +                               else if (c == '?') {
49074 +                                       if (*n == '\0')
49075 +                                               return 1;
49076 +                                       else
49077 +                                               ++n;
49078 +                               }
49079 +                       }
49080 +                       if (c == '\0') {
49081 +                               return 0;
49082 +                       } else {
49083 +                               const char *endp;
49084 +
49085 +                               if ((endp = strchr(n, '/')) == NULL)
49086 +                                       endp = n + strlen(n);
49087 +
49088 +                               if (c == '[') {
49089 +                                       for (--p; n < endp; ++n)
49090 +                                               if (!glob_match(p, n))
49091 +                                                       return 0;
49092 +                               } else if (c == '/') {
49093 +                                       while (*n != '\0' && *n != '/')
49094 +                                               ++n;
49095 +                                       if (*n == '/' && !glob_match(p, n + 1))
49096 +                                               return 0;
49097 +                               } else {
49098 +                                       for (--p; n < endp; ++n)
49099 +                                               if (*n == c && !glob_match(p, n))
49100 +                                                       return 0;
49101 +                               }
49102 +
49103 +                               return 1;
49104 +                       }
49105 +               case '[':
49106 +                       {
49107 +                       int not;
49108 +                       char cold;
49109 +
49110 +                       if (*n == '\0' || *n == '/')
49111 +                               return 1;
49112 +
49113 +                       not = (*p == '!' || *p == '^');
49114 +                       if (not)
49115 +                               ++p;
49116 +
49117 +                       c = *p++;
49118 +                       for (;;) {
49119 +                               unsigned char fn = (unsigned char)*n;
49120 +
49121 +                               if (c == '\0')
49122 +                                       return 1;
49123 +                               else {
49124 +                                       if (c == fn)
49125 +                                               goto matched;
49126 +                                       cold = c;
49127 +                                       c = *p++;
49128 +
49129 +                                       if (c == '-' && *p != ']') {
49130 +                                               unsigned char cend = *p++;
49131 +
49132 +                                               if (cend == '\0')
49133 +                                                       return 1;
49134 +
49135 +                                               if (cold <= fn && fn <= cend)
49136 +                                                       goto matched;
49137 +
49138 +                                               c = *p++;
49139 +                                       }
49140 +                               }
49141 +
49142 +                               if (c == ']')
49143 +                                       break;
49144 +                       }
49145 +                       if (!not)
49146 +                               return 1;
49147 +                       break;
49148 +               matched:
49149 +                       while (c != ']') {
49150 +                               if (c == '\0')
49151 +                                       return 1;
49152 +
49153 +                               c = *p++;
49154 +                       }
49155 +                       if (not)
49156 +                               return 1;
49157 +               }
49158 +               break;
49159 +       default:
49160 +               if (c != *n)
49161 +                       return 1;
49162 +       }
49163 +
49164 +       ++n;
49165 +       }
49166 +
49167 +       if (*n == '\0')
49168 +               return 0;
49169 +
49170 +       if (*n == '/')
49171 +               return 0;
49172 +
49173 +       return 1;
49174 +}
49175 +
49176 +static struct acl_object_label *
49177 +chk_glob_label(struct acl_object_label *globbed,
49178 +       struct dentry *dentry, struct vfsmount *mnt, char **path)
49179 +{
49180 +       struct acl_object_label *tmp;
49181 +
49182 +       if (*path == NULL)
49183 +               *path = gr_to_filename_nolock(dentry, mnt);
49184 +
49185 +       tmp = globbed;
49186 +
49187 +       while (tmp) {
49188 +               if (!glob_match(tmp->filename, *path))
49189 +                       return tmp;
49190 +               tmp = tmp->next;
49191 +       }
49192 +
49193 +       return NULL;
49194 +}
49195 +
49196 +static struct acl_object_label *
49197 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49198 +           const ino_t curr_ino, const dev_t curr_dev,
49199 +           const struct acl_subject_label *subj, char **path, const int checkglob)
49200 +{
49201 +       struct acl_subject_label *tmpsubj;
49202 +       struct acl_object_label *retval;
49203 +       struct acl_object_label *retval2;
49204 +
49205 +       tmpsubj = (struct acl_subject_label *) subj;
49206 +       read_lock(&gr_inode_lock);
49207 +       do {
49208 +               retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
49209 +               if (retval) {
49210 +                       if (checkglob && retval->globbed) {
49211 +                               retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
49212 +                                               (struct vfsmount *)orig_mnt, path);
49213 +                               if (retval2)
49214 +                                       retval = retval2;
49215 +                       }
49216 +                       break;
49217 +               }
49218 +       } while ((tmpsubj = tmpsubj->parent_subject));
49219 +       read_unlock(&gr_inode_lock);
49220 +
49221 +       return retval;
49222 +}
49223 +
49224 +static __inline__ struct acl_object_label *
49225 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49226 +           struct dentry *curr_dentry,
49227 +           const struct acl_subject_label *subj, char **path, const int checkglob)
49228 +{
49229 +       int newglob = checkglob;
49230 +       ino_t inode;
49231 +       dev_t device;
49232 +
49233 +       /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
49234 +          as we don't want a / * rule to match instead of the / object
49235 +          don't do this for create lookups that call this function though, since they're looking up
49236 +          on the parent and thus need globbing checks on all paths
49237 +       */
49238 +       if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
49239 +               newglob = GR_NO_GLOB;
49240 +
49241 +       spin_lock(&curr_dentry->d_lock);
49242 +       inode = curr_dentry->d_inode->i_ino;
49243 +       device = __get_dev(curr_dentry);
49244 +       spin_unlock(&curr_dentry->d_lock);
49245 +
49246 +       return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
49247 +}
49248 +
49249 +static struct acl_object_label *
49250 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49251 +             const struct acl_subject_label *subj, char *path, const int checkglob)
49252 +{
49253 +       struct dentry *dentry = (struct dentry *) l_dentry;
49254 +       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49255 +       struct acl_object_label *retval;
49256 +       struct dentry *parent;
49257 +
49258 +       write_seqlock(&rename_lock);
49259 +       br_read_lock(vfsmount_lock);
49260 +
49261 +       if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
49262 +#ifdef CONFIG_NET
49263 +           mnt == sock_mnt ||
49264 +#endif
49265 +#ifdef CONFIG_HUGETLBFS
49266 +           (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
49267 +#endif
49268 +               /* ignore Eric Biederman */
49269 +           IS_PRIVATE(l_dentry->d_inode))) {
49270 +               retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
49271 +               goto out;
49272 +       }
49273 +
49274 +       for (;;) {
49275 +               if (dentry == real_root.dentry && mnt == real_root.mnt)
49276 +                       break;
49277 +
49278 +               if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49279 +                       if (mnt->mnt_parent == mnt)
49280 +                               break;
49281 +
49282 +                       retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49283 +                       if (retval != NULL)
49284 +                               goto out;
49285 +
49286 +                       dentry = mnt->mnt_mountpoint;
49287 +                       mnt = mnt->mnt_parent;
49288 +                       continue;
49289 +               }
49290 +
49291 +               parent = dentry->d_parent;
49292 +               retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49293 +               if (retval != NULL)
49294 +                       goto out;
49295 +
49296 +               dentry = parent;
49297 +       }
49298 +
49299 +       retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49300 +
49301 +       /* real_root is pinned so we don't have to hold a reference */
49302 +       if (retval == NULL)
49303 +               retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
49304 +out:
49305 +       br_read_unlock(vfsmount_lock);
49306 +       write_sequnlock(&rename_lock);
49307 +
49308 +       BUG_ON(retval == NULL);
49309 +
49310 +       return retval;
49311 +}
49312 +
49313 +static __inline__ struct acl_object_label *
49314 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49315 +             const struct acl_subject_label *subj)
49316 +{
49317 +       char *path = NULL;
49318 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
49319 +}
49320 +
49321 +static __inline__ struct acl_object_label *
49322 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49323 +             const struct acl_subject_label *subj)
49324 +{
49325 +       char *path = NULL;
49326 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
49327 +}
49328 +
49329 +static __inline__ struct acl_object_label *
49330 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49331 +                    const struct acl_subject_label *subj, char *path)
49332 +{
49333 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
49334 +}
49335 +
49336 +static struct acl_subject_label *
49337 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49338 +              const struct acl_role_label *role)
49339 +{
49340 +       struct dentry *dentry = (struct dentry *) l_dentry;
49341 +       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49342 +       struct acl_subject_label *retval;
49343 +       struct dentry *parent;
49344 +
49345 +       write_seqlock(&rename_lock);
49346 +       br_read_lock(vfsmount_lock);
49347 +
49348 +       for (;;) {
49349 +               if (dentry == real_root.dentry && mnt == real_root.mnt)
49350 +                       break;
49351 +               if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49352 +                       if (mnt->mnt_parent == mnt)
49353 +                               break;
49354 +
49355 +                       spin_lock(&dentry->d_lock);
49356 +                       read_lock(&gr_inode_lock);
49357 +                       retval =
49358 +                               lookup_acl_subj_label(dentry->d_inode->i_ino,
49359 +                                               __get_dev(dentry), role);
49360 +                       read_unlock(&gr_inode_lock);
49361 +                       spin_unlock(&dentry->d_lock);
49362 +                       if (retval != NULL)
49363 +                               goto out;
49364 +
49365 +                       dentry = mnt->mnt_mountpoint;
49366 +                       mnt = mnt->mnt_parent;
49367 +                       continue;
49368 +               }
49369 +
49370 +               spin_lock(&dentry->d_lock);
49371 +               read_lock(&gr_inode_lock);
49372 +               retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
49373 +                                         __get_dev(dentry), role);
49374 +               read_unlock(&gr_inode_lock);
49375 +               parent = dentry->d_parent;
49376 +               spin_unlock(&dentry->d_lock);
49377 +
49378 +               if (retval != NULL)
49379 +                       goto out;
49380 +
49381 +               dentry = parent;
49382 +       }
49383 +
49384 +       spin_lock(&dentry->d_lock);
49385 +       read_lock(&gr_inode_lock);
49386 +       retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
49387 +                                 __get_dev(dentry), role);
49388 +       read_unlock(&gr_inode_lock);
49389 +       spin_unlock(&dentry->d_lock);
49390 +
49391 +       if (unlikely(retval == NULL)) {
49392 +               /* real_root is pinned, we don't need to hold a reference */
49393 +               read_lock(&gr_inode_lock);
49394 +               retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
49395 +                                         __get_dev(real_root.dentry), role);
49396 +               read_unlock(&gr_inode_lock);
49397 +       }
49398 +out:
49399 +       br_read_unlock(vfsmount_lock);
49400 +       write_sequnlock(&rename_lock);
49401 +
49402 +       BUG_ON(retval == NULL);
49403 +
49404 +       return retval;
49405 +}
49406 +
49407 +static void
49408 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
49409 +{
49410 +       struct task_struct *task = current;
49411 +       const struct cred *cred = current_cred();
49412 +
49413 +       security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
49414 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49415 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49416 +                      1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
49417 +
49418 +       return;
49419 +}
49420 +
49421 +static void
49422 +gr_log_learn_sysctl(const char *path, const __u32 mode)
49423 +{
49424 +       struct task_struct *task = current;
49425 +       const struct cred *cred = current_cred();
49426 +
49427 +       security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
49428 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49429 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49430 +                      1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
49431 +
49432 +       return;
49433 +}
49434 +
49435 +static void
49436 +gr_log_learn_id_change(const char type, const unsigned int real, 
49437 +                      const unsigned int effective, const unsigned int fs)
49438 +{
49439 +       struct task_struct *task = current;
49440 +       const struct cred *cred = current_cred();
49441 +
49442 +       security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
49443 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49444 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49445 +                      type, real, effective, fs, &task->signal->saved_ip);
49446 +
49447 +       return;
49448 +}
49449 +
49450 +__u32
49451 +gr_search_file(const struct dentry * dentry, const __u32 mode,
49452 +              const struct vfsmount * mnt)
49453 +{
49454 +       __u32 retval = mode;
49455 +       struct acl_subject_label *curracl;
49456 +       struct acl_object_label *currobj;
49457 +
49458 +       if (unlikely(!(gr_status & GR_READY)))
49459 +               return (mode & ~GR_AUDITS);
49460 +
49461 +       curracl = current->acl;
49462 +
49463 +       currobj = chk_obj_label(dentry, mnt, curracl);
49464 +       retval = currobj->mode & mode;
49465 +
49466 +       /* if we're opening a specified transfer file for writing
49467 +          (e.g. /dev/initctl), then transfer our role to init
49468 +       */
49469 +       if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
49470 +                    current->role->roletype & GR_ROLE_PERSIST)) {
49471 +               struct task_struct *task = init_pid_ns.child_reaper;
49472 +
49473 +               if (task->role != current->role) {
49474 +                       task->acl_sp_role = 0;
49475 +                       task->acl_role_id = current->acl_role_id;
49476 +                       task->role = current->role;
49477 +                       rcu_read_lock();
49478 +                       read_lock(&grsec_exec_file_lock);
49479 +                       gr_apply_subject_to_task(task);
49480 +                       read_unlock(&grsec_exec_file_lock);
49481 +                       rcu_read_unlock();
49482 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
49483 +               }
49484 +       }
49485 +
49486 +       if (unlikely
49487 +           ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
49488 +            && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
49489 +               __u32 new_mode = mode;
49490 +
49491 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49492 +
49493 +               retval = new_mode;
49494 +
49495 +               if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
49496 +                       new_mode |= GR_INHERIT;
49497 +
49498 +               if (!(mode & GR_NOLEARN))
49499 +                       gr_log_learn(dentry, mnt, new_mode);
49500 +       }
49501 +
49502 +       return retval;
49503 +}
49504 +
49505 +struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
49506 +                                             const struct dentry *parent,
49507 +                                             const struct vfsmount *mnt)
49508 +{
49509 +       struct name_entry *match;
49510 +       struct acl_object_label *matchpo;
49511 +       struct acl_subject_label *curracl;
49512 +       char *path;
49513 +
49514 +       if (unlikely(!(gr_status & GR_READY)))
49515 +               return NULL;
49516 +
49517 +       preempt_disable();
49518 +       path = gr_to_filename_rbac(new_dentry, mnt);
49519 +       match = lookup_name_entry_create(path);
49520 +
49521 +       curracl = current->acl;
49522 +
49523 +       if (match) {
49524 +               read_lock(&gr_inode_lock);
49525 +               matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
49526 +               read_unlock(&gr_inode_lock);
49527 +
49528 +               if (matchpo) {
49529 +                       preempt_enable();
49530 +                       return matchpo;
49531 +               }
49532 +       }
49533 +
49534 +       // lookup parent
49535 +
49536 +       matchpo = chk_obj_create_label(parent, mnt, curracl, path);
49537 +
49538 +       preempt_enable();
49539 +       return matchpo;
49540 +}
49541 +
49542 +__u32
49543 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
49544 +               const struct vfsmount * mnt, const __u32 mode)
49545 +{
49546 +       struct acl_object_label *matchpo;
49547 +       __u32 retval;
49548 +
49549 +       if (unlikely(!(gr_status & GR_READY)))
49550 +               return (mode & ~GR_AUDITS);
49551 +
49552 +       matchpo = gr_get_create_object(new_dentry, parent, mnt);
49553 +
49554 +       retval = matchpo->mode & mode;
49555 +
49556 +       if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
49557 +           && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
49558 +               __u32 new_mode = mode;
49559 +
49560 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49561 +
49562 +               gr_log_learn(new_dentry, mnt, new_mode);
49563 +               return new_mode;
49564 +       }
49565 +
49566 +       return retval;
49567 +}
49568 +
49569 +__u32
49570 +gr_check_link(const struct dentry * new_dentry,
49571 +             const struct dentry * parent_dentry,
49572 +             const struct vfsmount * parent_mnt,
49573 +             const struct dentry * old_dentry, const struct vfsmount * old_mnt)
49574 +{
49575 +       struct acl_object_label *obj;
49576 +       __u32 oldmode, newmode;
49577 +       __u32 needmode;
49578 +       __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
49579 +                          GR_DELETE | GR_INHERIT;
49580 +
49581 +       if (unlikely(!(gr_status & GR_READY)))
49582 +               return (GR_CREATE | GR_LINK);
49583 +
49584 +       obj = chk_obj_label(old_dentry, old_mnt, current->acl);
49585 +       oldmode = obj->mode;
49586 +
49587 +       obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
49588 +       newmode = obj->mode;
49589 +
49590 +       needmode = newmode & checkmodes;
49591 +
49592 +       // old name for hardlink must have at least the permissions of the new name
49593 +       if ((oldmode & needmode) != needmode)
49594 +               goto bad;
49595 +
49596 +       // if old name had restrictions/auditing, make sure the new name does as well
49597 +       needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
49598 +
49599 +       // don't allow hardlinking of suid/sgid files without permission
49600 +       if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
49601 +               needmode |= GR_SETID;
49602 +
49603 +       if ((newmode & needmode) != needmode)
49604 +               goto bad;
49605 +
49606 +       // enforce minimum permissions
49607 +       if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
49608 +               return newmode;
49609 +bad:
49610 +       needmode = oldmode;
49611 +       if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
49612 +               needmode |= GR_SETID;
49613 +       
49614 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
49615 +               gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
49616 +               return (GR_CREATE | GR_LINK);
49617 +       } else if (newmode & GR_SUPPRESS)
49618 +               return GR_SUPPRESS;
49619 +       else
49620 +               return 0;
49621 +}
49622 +
49623 +int
49624 +gr_check_hidden_task(const struct task_struct *task)
49625 +{
49626 +       if (unlikely(!(gr_status & GR_READY)))
49627 +               return 0;
49628 +
49629 +       if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
49630 +               return 1;
49631 +
49632 +       return 0;
49633 +}
49634 +
49635 +int
49636 +gr_check_protected_task(const struct task_struct *task)
49637 +{
49638 +       if (unlikely(!(gr_status & GR_READY) || !task))
49639 +               return 0;
49640 +
49641 +       if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49642 +           task->acl != current->acl)
49643 +               return 1;
49644 +
49645 +       return 0;
49646 +}
49647 +
49648 +int
49649 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
49650 +{
49651 +       struct task_struct *p;
49652 +       int ret = 0;
49653 +
49654 +       if (unlikely(!(gr_status & GR_READY) || !pid))
49655 +               return ret;
49656 +
49657 +       read_lock(&tasklist_lock);
49658 +       do_each_pid_task(pid, type, p) {
49659 +               if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49660 +                   p->acl != current->acl) {
49661 +                       ret = 1;
49662 +                       goto out;
49663 +               }
49664 +       } while_each_pid_task(pid, type, p);
49665 +out:
49666 +       read_unlock(&tasklist_lock);
49667 +
49668 +       return ret;
49669 +}
49670 +
49671 +void
49672 +gr_copy_label(struct task_struct *tsk)
49673 +{
49674 +       tsk->signal->used_accept = 0;
49675 +       tsk->acl_sp_role = 0;
49676 +       tsk->acl_role_id = current->acl_role_id;
49677 +       tsk->acl = current->acl;
49678 +       tsk->role = current->role;
49679 +       tsk->signal->curr_ip = current->signal->curr_ip;
49680 +       tsk->signal->saved_ip = current->signal->saved_ip;
49681 +       if (current->exec_file)
49682 +               get_file(current->exec_file);
49683 +       tsk->exec_file = current->exec_file;
49684 +       tsk->is_writable = current->is_writable;
49685 +       if (unlikely(current->signal->used_accept)) {
49686 +               current->signal->curr_ip = 0;
49687 +               current->signal->saved_ip = 0;
49688 +       }
49689 +
49690 +       return;
49691 +}
49692 +
49693 +static void
49694 +gr_set_proc_res(struct task_struct *task)
49695 +{
49696 +       struct acl_subject_label *proc;
49697 +       unsigned short i;
49698 +
49699 +       proc = task->acl;
49700 +
49701 +       if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
49702 +               return;
49703 +
49704 +       for (i = 0; i < RLIM_NLIMITS; i++) {
49705 +               if (!(proc->resmask & (1 << i)))
49706 +                       continue;
49707 +
49708 +               task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
49709 +               task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
49710 +       }
49711 +
49712 +       return;
49713 +}
49714 +
49715 +extern int __gr_process_user_ban(struct user_struct *user);
49716 +
49717 +int
49718 +gr_check_user_change(int real, int effective, int fs)
49719 +{
49720 +       unsigned int i;
49721 +       __u16 num;
49722 +       uid_t *uidlist;
49723 +       int curuid;
49724 +       int realok = 0;
49725 +       int effectiveok = 0;
49726 +       int fsok = 0;
49727 +
49728 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
49729 +       struct user_struct *user;
49730 +
49731 +       if (real == -1)
49732 +               goto skipit;
49733 +
49734 +       user = find_user(real);
49735 +       if (user == NULL)
49736 +               goto skipit;
49737 +
49738 +       if (__gr_process_user_ban(user)) {
49739 +               /* for find_user */
49740 +               free_uid(user);
49741 +               return 1;
49742 +       }
49743 +
49744 +       /* for find_user */
49745 +       free_uid(user);
49746 +
49747 +skipit:
49748 +#endif
49749 +
49750 +       if (unlikely(!(gr_status & GR_READY)))
49751 +               return 0;
49752 +
49753 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49754 +               gr_log_learn_id_change('u', real, effective, fs);
49755 +
49756 +       num = current->acl->user_trans_num;
49757 +       uidlist = current->acl->user_transitions;
49758 +
49759 +       if (uidlist == NULL)
49760 +               return 0;
49761 +
49762 +       if (real == -1)
49763 +               realok = 1;
49764 +       if (effective == -1)
49765 +               effectiveok = 1;
49766 +       if (fs == -1)
49767 +               fsok = 1;
49768 +
49769 +       if (current->acl->user_trans_type & GR_ID_ALLOW) {
49770 +               for (i = 0; i < num; i++) {
49771 +                       curuid = (int)uidlist[i];
49772 +                       if (real == curuid)
49773 +                               realok = 1;
49774 +                       if (effective == curuid)
49775 +                               effectiveok = 1;
49776 +                       if (fs == curuid)
49777 +                               fsok = 1;
49778 +               }
49779 +       } else if (current->acl->user_trans_type & GR_ID_DENY) {
49780 +               for (i = 0; i < num; i++) {
49781 +                       curuid = (int)uidlist[i];
49782 +                       if (real == curuid)
49783 +                               break;
49784 +                       if (effective == curuid)
49785 +                               break;
49786 +                       if (fs == curuid)
49787 +                               break;
49788 +               }
49789 +               /* not in deny list */
49790 +               if (i == num) {
49791 +                       realok = 1;
49792 +                       effectiveok = 1;
49793 +                       fsok = 1;
49794 +               }
49795 +       }
49796 +
49797 +       if (realok && effectiveok && fsok)
49798 +               return 0;
49799 +       else {
49800 +               gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49801 +               return 1;
49802 +       }
49803 +}
49804 +
49805 +int
49806 +gr_check_group_change(int real, int effective, int fs)
49807 +{
49808 +       unsigned int i;
49809 +       __u16 num;
49810 +       gid_t *gidlist;
49811 +       int curgid;
49812 +       int realok = 0;
49813 +       int effectiveok = 0;
49814 +       int fsok = 0;
49815 +
49816 +       if (unlikely(!(gr_status & GR_READY)))
49817 +               return 0;
49818 +
49819 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49820 +               gr_log_learn_id_change('g', real, effective, fs);
49821 +
49822 +       num = current->acl->group_trans_num;
49823 +       gidlist = current->acl->group_transitions;
49824 +
49825 +       if (gidlist == NULL)
49826 +               return 0;
49827 +
49828 +       if (real == -1)
49829 +               realok = 1;
49830 +       if (effective == -1)
49831 +               effectiveok = 1;
49832 +       if (fs == -1)
49833 +               fsok = 1;
49834 +
49835 +       if (current->acl->group_trans_type & GR_ID_ALLOW) {
49836 +               for (i = 0; i < num; i++) {
49837 +                       curgid = (int)gidlist[i];
49838 +                       if (real == curgid)
49839 +                               realok = 1;
49840 +                       if (effective == curgid)
49841 +                               effectiveok = 1;
49842 +                       if (fs == curgid)
49843 +                               fsok = 1;
49844 +               }
49845 +       } else if (current->acl->group_trans_type & GR_ID_DENY) {
49846 +               for (i = 0; i < num; i++) {
49847 +                       curgid = (int)gidlist[i];
49848 +                       if (real == curgid)
49849 +                               break;
49850 +                       if (effective == curgid)
49851 +                               break;
49852 +                       if (fs == curgid)
49853 +                               break;
49854 +               }
49855 +               /* not in deny list */
49856 +               if (i == num) {
49857 +                       realok = 1;
49858 +                       effectiveok = 1;
49859 +                       fsok = 1;
49860 +               }
49861 +       }
49862 +
49863 +       if (realok && effectiveok && fsok)
49864 +               return 0;
49865 +       else {
49866 +               gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49867 +               return 1;
49868 +       }
49869 +}
49870 +
49871 +void
49872 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
49873 +{
49874 +       struct acl_role_label *role = task->role;
49875 +       struct acl_subject_label *subj = NULL;
49876 +       struct acl_object_label *obj;
49877 +       struct file *filp;
49878 +
49879 +       if (unlikely(!(gr_status & GR_READY)))
49880 +               return;
49881 +
49882 +       filp = task->exec_file;
49883 +
49884 +       /* kernel process, we'll give them the kernel role */
49885 +       if (unlikely(!filp)) {
49886 +               task->role = kernel_role;
49887 +               task->acl = kernel_role->root_label;
49888 +               return;
49889 +       } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
49890 +               role = lookup_acl_role_label(task, uid, gid);
49891 +
49892 +       /* perform subject lookup in possibly new role
49893 +          we can use this result below in the case where role == task->role
49894 +       */
49895 +       subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
49896 +
49897 +       /* if we changed uid/gid, but result in the same role
49898 +          and are using inheritance, don't lose the inherited subject
49899 +          if current subject is other than what normal lookup
49900 +          would result in, we arrived via inheritance, don't
49901 +          lose subject
49902 +       */
49903 +       if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
49904 +                                  (subj == task->acl)))
49905 +               task->acl = subj;
49906 +
49907 +       task->role = role;
49908 +
49909 +       task->is_writable = 0;
49910 +
49911 +       /* ignore additional mmap checks for processes that are writable 
49912 +          by the default ACL */
49913 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
49914 +       if (unlikely(obj->mode & GR_WRITE))
49915 +               task->is_writable = 1;
49916 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
49917 +       if (unlikely(obj->mode & GR_WRITE))
49918 +               task->is_writable = 1;
49919 +
49920 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49921 +       printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49922 +#endif
49923 +
49924 +       gr_set_proc_res(task);
49925 +
49926 +       return;
49927 +}
49928 +
49929 +int
49930 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
49931 +                 const int unsafe_share)
49932 +{
49933 +       struct task_struct *task = current;
49934 +       struct acl_subject_label *newacl;
49935 +       struct acl_object_label *obj;
49936 +       __u32 retmode;
49937 +
49938 +       if (unlikely(!(gr_status & GR_READY)))
49939 +               return 0;
49940 +
49941 +       newacl = chk_subj_label(dentry, mnt, task->role);
49942 +
49943 +       task_lock(task);
49944 +       if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
49945 +            !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
49946 +            !(task->role->roletype & GR_ROLE_GOD) &&
49947 +            !gr_search_file(dentry, GR_PTRACERD, mnt) &&
49948 +            !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
49949 +                task_unlock(task);
49950 +               if (unsafe_share)
49951 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
49952 +               else
49953 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
49954 +               return -EACCES;
49955 +       }
49956 +       task_unlock(task);
49957 +
49958 +       obj = chk_obj_label(dentry, mnt, task->acl);
49959 +       retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
49960 +
49961 +       if (!(task->acl->mode & GR_INHERITLEARN) &&
49962 +           ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
49963 +               if (obj->nested)
49964 +                       task->acl = obj->nested;
49965 +               else
49966 +                       task->acl = newacl;
49967 +       } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
49968 +               gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
49969 +
49970 +       task->is_writable = 0;
49971 +
49972 +       /* ignore additional mmap checks for processes that are writable 
49973 +          by the default ACL */
49974 +       obj = chk_obj_label(dentry, mnt, default_role->root_label);
49975 +       if (unlikely(obj->mode & GR_WRITE))
49976 +               task->is_writable = 1;
49977 +       obj = chk_obj_label(dentry, mnt, task->role->root_label);
49978 +       if (unlikely(obj->mode & GR_WRITE))
49979 +               task->is_writable = 1;
49980 +
49981 +       gr_set_proc_res(task);
49982 +
49983 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49984 +       printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49985 +#endif
49986 +       return 0;
49987 +}
49988 +
49989 +/* always called with valid inodev ptr */
49990 +static void
49991 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
49992 +{
49993 +       struct acl_object_label *matchpo;
49994 +       struct acl_subject_label *matchps;
49995 +       struct acl_subject_label *subj;
49996 +       struct acl_role_label *role;
49997 +       unsigned int x;
49998 +
49999 +       FOR_EACH_ROLE_START(role)
50000 +               FOR_EACH_SUBJECT_START(role, subj, x)
50001 +                       if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
50002 +                               matchpo->mode |= GR_DELETED;
50003 +               FOR_EACH_SUBJECT_END(subj,x)
50004 +               FOR_EACH_NESTED_SUBJECT_START(role, subj)
50005 +                       if (subj->inode == ino && subj->device == dev)
50006 +                               subj->mode |= GR_DELETED;
50007 +               FOR_EACH_NESTED_SUBJECT_END(subj)
50008 +               if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
50009 +                       matchps->mode |= GR_DELETED;
50010 +       FOR_EACH_ROLE_END(role)
50011 +
50012 +       inodev->nentry->deleted = 1;
50013 +
50014 +       return;
50015 +}
50016 +
50017 +void
50018 +gr_handle_delete(const ino_t ino, const dev_t dev)
50019 +{
50020 +       struct inodev_entry *inodev;
50021 +
50022 +       if (unlikely(!(gr_status & GR_READY)))
50023 +               return;
50024 +
50025 +       write_lock(&gr_inode_lock);
50026 +       inodev = lookup_inodev_entry(ino, dev);
50027 +       if (inodev != NULL)
50028 +               do_handle_delete(inodev, ino, dev);
50029 +       write_unlock(&gr_inode_lock);
50030 +
50031 +       return;
50032 +}
50033 +
50034 +static void
50035 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
50036 +                    const ino_t newinode, const dev_t newdevice,
50037 +                    struct acl_subject_label *subj)
50038 +{
50039 +       unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
50040 +       struct acl_object_label *match;
50041 +
50042 +       match = subj->obj_hash[index];
50043 +
50044 +       while (match && (match->inode != oldinode ||
50045 +              match->device != olddevice ||
50046 +              !(match->mode & GR_DELETED)))
50047 +               match = match->next;
50048 +
50049 +       if (match && (match->inode == oldinode)
50050 +           && (match->device == olddevice)
50051 +           && (match->mode & GR_DELETED)) {
50052 +               if (match->prev == NULL) {
50053 +                       subj->obj_hash[index] = match->next;
50054 +                       if (match->next != NULL)
50055 +                               match->next->prev = NULL;
50056 +               } else {
50057 +                       match->prev->next = match->next;
50058 +                       if (match->next != NULL)
50059 +                               match->next->prev = match->prev;
50060 +               }
50061 +               match->prev = NULL;
50062 +               match->next = NULL;
50063 +               match->inode = newinode;
50064 +               match->device = newdevice;
50065 +               match->mode &= ~GR_DELETED;
50066 +
50067 +               insert_acl_obj_label(match, subj);
50068 +       }
50069 +
50070 +       return;
50071 +}
50072 +
50073 +static void
50074 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
50075 +                     const ino_t newinode, const dev_t newdevice,
50076 +                     struct acl_role_label *role)
50077 +{
50078 +       unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
50079 +       struct acl_subject_label *match;
50080 +
50081 +       match = role->subj_hash[index];
50082 +
50083 +       while (match && (match->inode != oldinode ||
50084 +              match->device != olddevice ||
50085 +              !(match->mode & GR_DELETED)))
50086 +               match = match->next;
50087 +
50088 +       if (match && (match->inode == oldinode)
50089 +           && (match->device == olddevice)
50090 +           && (match->mode & GR_DELETED)) {
50091 +               if (match->prev == NULL) {
50092 +                       role->subj_hash[index] = match->next;
50093 +                       if (match->next != NULL)
50094 +                               match->next->prev = NULL;
50095 +               } else {
50096 +                       match->prev->next = match->next;
50097 +                       if (match->next != NULL)
50098 +                               match->next->prev = match->prev;
50099 +               }
50100 +               match->prev = NULL;
50101 +               match->next = NULL;
50102 +               match->inode = newinode;
50103 +               match->device = newdevice;
50104 +               match->mode &= ~GR_DELETED;
50105 +
50106 +               insert_acl_subj_label(match, role);
50107 +       }
50108 +
50109 +       return;
50110 +}
50111 +
50112 +static void
50113 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
50114 +                   const ino_t newinode, const dev_t newdevice)
50115 +{
50116 +       unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
50117 +       struct inodev_entry *match;
50118 +
50119 +       match = inodev_set.i_hash[index];
50120 +
50121 +       while (match && (match->nentry->inode != oldinode ||
50122 +              match->nentry->device != olddevice || !match->nentry->deleted))
50123 +               match = match->next;
50124 +
50125 +       if (match && (match->nentry->inode == oldinode)
50126 +           && (match->nentry->device == olddevice) &&
50127 +           match->nentry->deleted) {
50128 +               if (match->prev == NULL) {
50129 +                       inodev_set.i_hash[index] = match->next;
50130 +                       if (match->next != NULL)
50131 +                               match->next->prev = NULL;
50132 +               } else {
50133 +                       match->prev->next = match->next;
50134 +                       if (match->next != NULL)
50135 +                               match->next->prev = match->prev;
50136 +               }
50137 +               match->prev = NULL;
50138 +               match->next = NULL;
50139 +               match->nentry->inode = newinode;
50140 +               match->nentry->device = newdevice;
50141 +               match->nentry->deleted = 0;
50142 +
50143 +               insert_inodev_entry(match);
50144 +       }
50145 +
50146 +       return;
50147 +}
50148 +
50149 +static void
50150 +__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
50151 +{
50152 +       struct acl_subject_label *subj;
50153 +       struct acl_role_label *role;
50154 +       unsigned int x;
50155 +
50156 +       FOR_EACH_ROLE_START(role)
50157 +               update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
50158 +
50159 +               FOR_EACH_NESTED_SUBJECT_START(role, subj)
50160 +                       if ((subj->inode == ino) && (subj->device == dev)) {
50161 +                               subj->inode = ino;
50162 +                               subj->device = dev;
50163 +                       }
50164 +               FOR_EACH_NESTED_SUBJECT_END(subj)
50165 +               FOR_EACH_SUBJECT_START(role, subj, x)
50166 +                       update_acl_obj_label(matchn->inode, matchn->device,
50167 +                                            ino, dev, subj);
50168 +               FOR_EACH_SUBJECT_END(subj,x)
50169 +       FOR_EACH_ROLE_END(role)
50170 +
50171 +       update_inodev_entry(matchn->inode, matchn->device, ino, dev);
50172 +
50173 +       return;
50174 +}
50175 +
50176 +static void
50177 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
50178 +                const struct vfsmount *mnt)
50179 +{
50180 +       ino_t ino = dentry->d_inode->i_ino;
50181 +       dev_t dev = __get_dev(dentry);
50182 +
50183 +       __do_handle_create(matchn, ino, dev);   
50184 +
50185 +       return;
50186 +}
50187 +
50188 +void
50189 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
50190 +{
50191 +       struct name_entry *matchn;
50192 +
50193 +       if (unlikely(!(gr_status & GR_READY)))
50194 +               return;
50195 +
50196 +       preempt_disable();
50197 +       matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
50198 +
50199 +       if (unlikely((unsigned long)matchn)) {
50200 +               write_lock(&gr_inode_lock);
50201 +               do_handle_create(matchn, dentry, mnt);
50202 +               write_unlock(&gr_inode_lock);
50203 +       }
50204 +       preempt_enable();
50205 +
50206 +       return;
50207 +}
50208 +
50209 +void
50210 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
50211 +{
50212 +       struct name_entry *matchn;
50213 +
50214 +       if (unlikely(!(gr_status & GR_READY)))
50215 +               return;
50216 +
50217 +       preempt_disable();
50218 +       matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
50219 +
50220 +       if (unlikely((unsigned long)matchn)) {
50221 +               write_lock(&gr_inode_lock);
50222 +               __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
50223 +               write_unlock(&gr_inode_lock);
50224 +       }
50225 +       preempt_enable();
50226 +
50227 +       return;
50228 +}
50229 +
50230 +void
50231 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
50232 +                struct dentry *old_dentry,
50233 +                struct dentry *new_dentry,
50234 +                struct vfsmount *mnt, const __u8 replace)
50235 +{
50236 +       struct name_entry *matchn;
50237 +       struct inodev_entry *inodev;
50238 +       struct inode *inode = new_dentry->d_inode;
50239 +       ino_t old_ino = old_dentry->d_inode->i_ino;
50240 +       dev_t old_dev = __get_dev(old_dentry);
50241 +
50242 +       /* vfs_rename swaps the name and parent link for old_dentry and
50243 +          new_dentry
50244 +          at this point, old_dentry has the new name, parent link, and inode
50245 +          for the renamed file
50246 +          if a file is being replaced by a rename, new_dentry has the inode
50247 +          and name for the replaced file
50248 +       */
50249 +
50250 +       if (unlikely(!(gr_status & GR_READY)))
50251 +               return;
50252 +
50253 +       preempt_disable();
50254 +       matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
50255 +
50256 +       /* we wouldn't have to check d_inode if it weren't for
50257 +          NFS silly-renaming
50258 +        */
50259 +
50260 +       write_lock(&gr_inode_lock);
50261 +       if (unlikely(replace && inode)) {
50262 +               ino_t new_ino = inode->i_ino;
50263 +               dev_t new_dev = __get_dev(new_dentry);
50264 +
50265 +               inodev = lookup_inodev_entry(new_ino, new_dev);
50266 +               if (inodev != NULL && ((inode->i_nlink <= 1) || S_ISDIR(inode->i_mode)))
50267 +                       do_handle_delete(inodev, new_ino, new_dev);
50268 +       }
50269 +
50270 +       inodev = lookup_inodev_entry(old_ino, old_dev);
50271 +       if (inodev != NULL && ((old_dentry->d_inode->i_nlink <= 1) || S_ISDIR(old_dentry->d_inode->i_mode)))
50272 +               do_handle_delete(inodev, old_ino, old_dev);
50273 +
50274 +       if (unlikely((unsigned long)matchn))
50275 +               do_handle_create(matchn, old_dentry, mnt);
50276 +
50277 +       write_unlock(&gr_inode_lock);
50278 +       preempt_enable();
50279 +
50280 +       return;
50281 +}
50282 +
50283 +static int
50284 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
50285 +                        unsigned char **sum)
50286 +{
50287 +       struct acl_role_label *r;
50288 +       struct role_allowed_ip *ipp;
50289 +       struct role_transition *trans;
50290 +       unsigned int i;
50291 +       int found = 0;
50292 +       u32 curr_ip = current->signal->curr_ip;
50293 +
50294 +       current->signal->saved_ip = curr_ip;
50295 +
50296 +       /* check transition table */
50297 +
50298 +       for (trans = current->role->transitions; trans; trans = trans->next) {
50299 +               if (!strcmp(rolename, trans->rolename)) {
50300 +                       found = 1;
50301 +                       break;
50302 +               }
50303 +       }
50304 +
50305 +       if (!found)
50306 +               return 0;
50307 +
50308 +       /* handle special roles that do not require authentication
50309 +          and check ip */
50310 +
50311 +       FOR_EACH_ROLE_START(r)
50312 +               if (!strcmp(rolename, r->rolename) &&
50313 +                   (r->roletype & GR_ROLE_SPECIAL)) {
50314 +                       found = 0;
50315 +                       if (r->allowed_ips != NULL) {
50316 +                               for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
50317 +                                       if ((ntohl(curr_ip) & ipp->netmask) ==
50318 +                                            (ntohl(ipp->addr) & ipp->netmask))
50319 +                                               found = 1;
50320 +                               }
50321 +                       } else
50322 +                               found = 2;
50323 +                       if (!found)
50324 +                               return 0;
50325 +
50326 +                       if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
50327 +                           ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
50328 +                               *salt = NULL;
50329 +                               *sum = NULL;
50330 +                               return 1;
50331 +                       }
50332 +               }
50333 +       FOR_EACH_ROLE_END(r)
50334 +
50335 +       for (i = 0; i < num_sprole_pws; i++) {
50336 +               if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
50337 +                       *salt = acl_special_roles[i]->salt;
50338 +                       *sum = acl_special_roles[i]->sum;
50339 +                       return 1;
50340 +               }
50341 +       }
50342 +
50343 +       return 0;
50344 +}
50345 +
50346 +static void
50347 +assign_special_role(char *rolename)
50348 +{
50349 +       struct acl_object_label *obj;
50350 +       struct acl_role_label *r;
50351 +       struct acl_role_label *assigned = NULL;
50352 +       struct task_struct *tsk;
50353 +       struct file *filp;
50354 +
50355 +       FOR_EACH_ROLE_START(r)
50356 +               if (!strcmp(rolename, r->rolename) &&
50357 +                   (r->roletype & GR_ROLE_SPECIAL)) {
50358 +                       assigned = r;
50359 +                       break;
50360 +               }
50361 +       FOR_EACH_ROLE_END(r)
50362 +
50363 +       if (!assigned)
50364 +               return;
50365 +
50366 +       read_lock(&tasklist_lock);
50367 +       read_lock(&grsec_exec_file_lock);
50368 +
50369 +       tsk = current->real_parent;
50370 +       if (tsk == NULL)
50371 +               goto out_unlock;
50372 +
50373 +       filp = tsk->exec_file;
50374 +       if (filp == NULL)
50375 +               goto out_unlock;
50376 +
50377 +       tsk->is_writable = 0;
50378 +
50379 +       tsk->acl_sp_role = 1;
50380 +       tsk->acl_role_id = ++acl_sp_role_value;
50381 +       tsk->role = assigned;
50382 +       tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
50383 +
50384 +       /* ignore additional mmap checks for processes that are writable 
50385 +          by the default ACL */
50386 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50387 +       if (unlikely(obj->mode & GR_WRITE))
50388 +               tsk->is_writable = 1;
50389 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
50390 +       if (unlikely(obj->mode & GR_WRITE))
50391 +               tsk->is_writable = 1;
50392 +
50393 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50394 +       printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
50395 +#endif
50396 +
50397 +out_unlock:
50398 +       read_unlock(&grsec_exec_file_lock);
50399 +       read_unlock(&tasklist_lock);
50400 +       return;
50401 +}
50402 +
50403 +int gr_check_secure_terminal(struct task_struct *task)
50404 +{
50405 +       struct task_struct *p, *p2, *p3;
50406 +       struct files_struct *files;
50407 +       struct fdtable *fdt;
50408 +       struct file *our_file = NULL, *file;
50409 +       int i;
50410 +
50411 +       if (task->signal->tty == NULL)
50412 +               return 1;
50413 +
50414 +       files = get_files_struct(task);
50415 +       if (files != NULL) {
50416 +               rcu_read_lock();
50417 +               fdt = files_fdtable(files);
50418 +               for (i=0; i < fdt->max_fds; i++) {
50419 +                       file = fcheck_files(files, i);
50420 +                       if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
50421 +                               get_file(file);
50422 +                               our_file = file;
50423 +                       }
50424 +               }
50425 +               rcu_read_unlock();
50426 +               put_files_struct(files);
50427 +       }
50428 +
50429 +       if (our_file == NULL)
50430 +               return 1;
50431 +
50432 +       read_lock(&tasklist_lock);
50433 +       do_each_thread(p2, p) {
50434 +               files = get_files_struct(p);
50435 +               if (files == NULL ||
50436 +                   (p->signal && p->signal->tty == task->signal->tty)) {
50437 +                       if (files != NULL)
50438 +                               put_files_struct(files);
50439 +                       continue;
50440 +               }
50441 +               rcu_read_lock();
50442 +               fdt = files_fdtable(files);
50443 +               for (i=0; i < fdt->max_fds; i++) {
50444 +                       file = fcheck_files(files, i);
50445 +                       if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
50446 +                           file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
50447 +                               p3 = task;
50448 +                               while (p3->pid > 0) {
50449 +                                       if (p3 == p)
50450 +                                               break;
50451 +                                       p3 = p3->real_parent;
50452 +                               }
50453 +                               if (p3 == p)
50454 +                                       break;
50455 +                               gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
50456 +                               gr_handle_alertkill(p);
50457 +                               rcu_read_unlock();
50458 +                               put_files_struct(files);
50459 +                               read_unlock(&tasklist_lock);
50460 +                               fput(our_file);
50461 +                               return 0;
50462 +                       }
50463 +               }
50464 +               rcu_read_unlock();
50465 +               put_files_struct(files);
50466 +       } while_each_thread(p2, p);
50467 +       read_unlock(&tasklist_lock);
50468 +
50469 +       fput(our_file);
50470 +       return 1;
50471 +}
50472 +
50473 +ssize_t
50474 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
50475 +{
50476 +       struct gr_arg_wrapper uwrap;
50477 +       unsigned char *sprole_salt = NULL;
50478 +       unsigned char *sprole_sum = NULL;
50479 +       int error = sizeof (struct gr_arg_wrapper);
50480 +       int error2 = 0;
50481 +
50482 +       mutex_lock(&gr_dev_mutex);
50483 +
50484 +       if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
50485 +               error = -EPERM;
50486 +               goto out;
50487 +       }
50488 +
50489 +       if (count != sizeof (struct gr_arg_wrapper)) {
50490 +               gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
50491 +               error = -EINVAL;
50492 +               goto out;
50493 +       }
50494 +
50495 +       
50496 +       if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
50497 +               gr_auth_expires = 0;
50498 +               gr_auth_attempts = 0;
50499 +       }
50500 +
50501 +       if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
50502 +               error = -EFAULT;
50503 +               goto out;
50504 +       }
50505 +
50506 +       if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
50507 +               error = -EINVAL;
50508 +               goto out;
50509 +       }
50510 +
50511 +       if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
50512 +               error = -EFAULT;
50513 +               goto out;
50514 +       }
50515 +
50516 +       if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
50517 +           gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
50518 +           time_after(gr_auth_expires, get_seconds())) {
50519 +               error = -EBUSY;
50520 +               goto out;
50521 +       }
50522 +
50523 +       /* if non-root trying to do anything other than use a special role,
50524 +          do not attempt authentication, do not count towards authentication
50525 +          locking
50526 +        */
50527 +
50528 +       if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
50529 +           gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
50530 +           current_uid()) {
50531 +               error = -EPERM;
50532 +               goto out;
50533 +       }
50534 +
50535 +       /* ensure pw and special role name are null terminated */
50536 +
50537 +       gr_usermode->pw[GR_PW_LEN - 1] = '\0';
50538 +       gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
50539 +
50540 +       /* Okay. 
50541 +        * We have our enough of the argument structure..(we have yet
50542 +        * to copy_from_user the tables themselves) . Copy the tables
50543 +        * only if we need them, i.e. for loading operations. */
50544 +
50545 +       switch (gr_usermode->mode) {
50546 +       case GR_STATUS:
50547 +                       if (gr_status & GR_READY) {
50548 +                               error = 1;
50549 +                               if (!gr_check_secure_terminal(current))
50550 +                                       error = 3;
50551 +                       } else
50552 +                               error = 2;
50553 +                       goto out;
50554 +       case GR_SHUTDOWN:
50555 +               if ((gr_status & GR_READY)
50556 +                   && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50557 +                       pax_open_kernel();
50558 +                       gr_status &= ~GR_READY;
50559 +                       pax_close_kernel();
50560 +
50561 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
50562 +                       free_variables();
50563 +                       memset(gr_usermode, 0, sizeof (struct gr_arg));
50564 +                       memset(gr_system_salt, 0, GR_SALT_LEN);
50565 +                       memset(gr_system_sum, 0, GR_SHA_LEN);
50566 +               } else if (gr_status & GR_READY) {
50567 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
50568 +                       error = -EPERM;
50569 +               } else {
50570 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
50571 +                       error = -EAGAIN;
50572 +               }
50573 +               break;
50574 +       case GR_ENABLE:
50575 +               if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
50576 +                       gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
50577 +               else {
50578 +                       if (gr_status & GR_READY)
50579 +                               error = -EAGAIN;
50580 +                       else
50581 +                               error = error2;
50582 +                       gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
50583 +               }
50584 +               break;
50585 +       case GR_RELOAD:
50586 +               if (!(gr_status & GR_READY)) {
50587 +                       gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
50588 +                       error = -EAGAIN;
50589 +               } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50590 +                       preempt_disable();
50591 +
50592 +                       pax_open_kernel();
50593 +                       gr_status &= ~GR_READY;
50594 +                       pax_close_kernel();
50595 +
50596 +                       free_variables();
50597 +                       if (!(error2 = gracl_init(gr_usermode))) {
50598 +                               preempt_enable();
50599 +                               gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
50600 +                       } else {
50601 +                               preempt_enable();
50602 +                               error = error2;
50603 +                               gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50604 +                       }
50605 +               } else {
50606 +                       gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50607 +                       error = -EPERM;
50608 +               }
50609 +               break;
50610 +       case GR_SEGVMOD:
50611 +               if (unlikely(!(gr_status & GR_READY))) {
50612 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
50613 +                       error = -EAGAIN;
50614 +                       break;
50615 +               }
50616 +
50617 +               if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50618 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
50619 +                       if (gr_usermode->segv_device && gr_usermode->segv_inode) {
50620 +                               struct acl_subject_label *segvacl;
50621 +                               segvacl =
50622 +                                   lookup_acl_subj_label(gr_usermode->segv_inode,
50623 +                                                         gr_usermode->segv_device,
50624 +                                                         current->role);
50625 +                               if (segvacl) {
50626 +                                       segvacl->crashes = 0;
50627 +                                       segvacl->expires = 0;
50628 +                               }
50629 +                       } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
50630 +                               gr_remove_uid(gr_usermode->segv_uid);
50631 +                       }
50632 +               } else {
50633 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
50634 +                       error = -EPERM;
50635 +               }
50636 +               break;
50637 +       case GR_SPROLE:
50638 +       case GR_SPROLEPAM:
50639 +               if (unlikely(!(gr_status & GR_READY))) {
50640 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
50641 +                       error = -EAGAIN;
50642 +                       break;
50643 +               }
50644 +
50645 +               if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
50646 +                       current->role->expires = 0;
50647 +                       current->role->auth_attempts = 0;
50648 +               }
50649 +
50650 +               if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
50651 +                   time_after(current->role->expires, get_seconds())) {
50652 +                       error = -EBUSY;
50653 +                       goto out;
50654 +               }
50655 +
50656 +               if (lookup_special_role_auth
50657 +                   (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
50658 +                   && ((!sprole_salt && !sprole_sum)
50659 +                       || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
50660 +                       char *p = "";
50661 +                       assign_special_role(gr_usermode->sp_role);
50662 +                       read_lock(&tasklist_lock);
50663 +                       if (current->real_parent)
50664 +                               p = current->real_parent->role->rolename;
50665 +                       read_unlock(&tasklist_lock);
50666 +                       gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
50667 +                                       p, acl_sp_role_value);
50668 +               } else {
50669 +                       gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
50670 +                       error = -EPERM;
50671 +                       if(!(current->role->auth_attempts++))
50672 +                               current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50673 +
50674 +                       goto out;
50675 +               }
50676 +               break;
50677 +       case GR_UNSPROLE:
50678 +               if (unlikely(!(gr_status & GR_READY))) {
50679 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
50680 +                       error = -EAGAIN;
50681 +                       break;
50682 +               }
50683 +
50684 +               if (current->role->roletype & GR_ROLE_SPECIAL) {
50685 +                       char *p = "";
50686 +                       int i = 0;
50687 +
50688 +                       read_lock(&tasklist_lock);
50689 +                       if (current->real_parent) {
50690 +                               p = current->real_parent->role->rolename;
50691 +                               i = current->real_parent->acl_role_id;
50692 +                       }
50693 +                       read_unlock(&tasklist_lock);
50694 +
50695 +                       gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
50696 +                       gr_set_acls(1);
50697 +               } else {
50698 +                       error = -EPERM;
50699 +                       goto out;
50700 +               }
50701 +               break;
50702 +       default:
50703 +               gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
50704 +               error = -EINVAL;
50705 +               break;
50706 +       }
50707 +
50708 +       if (error != -EPERM)
50709 +               goto out;
50710 +
50711 +       if(!(gr_auth_attempts++))
50712 +               gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50713 +
50714 +      out:
50715 +       mutex_unlock(&gr_dev_mutex);
50716 +       return error;
50717 +}
50718 +
50719 +/* must be called with
50720 +       rcu_read_lock();
50721 +       read_lock(&tasklist_lock);
50722 +       read_lock(&grsec_exec_file_lock);
50723 +*/
50724 +int gr_apply_subject_to_task(struct task_struct *task)
50725 +{
50726 +       struct acl_object_label *obj;
50727 +       char *tmpname;
50728 +       struct acl_subject_label *tmpsubj;
50729 +       struct file *filp;
50730 +       struct name_entry *nmatch;
50731 +
50732 +       filp = task->exec_file;
50733 +       if (filp == NULL)
50734 +               return 0;
50735 +
50736 +       /* the following is to apply the correct subject 
50737 +          on binaries running when the RBAC system 
50738 +          is enabled, when the binaries have been 
50739 +          replaced or deleted since their execution
50740 +          -----
50741 +          when the RBAC system starts, the inode/dev
50742 +          from exec_file will be one the RBAC system
50743 +          is unaware of.  It only knows the inode/dev
50744 +          of the present file on disk, or the absence
50745 +          of it.
50746 +       */
50747 +       preempt_disable();
50748 +       tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
50749 +                       
50750 +       nmatch = lookup_name_entry(tmpname);
50751 +       preempt_enable();
50752 +       tmpsubj = NULL;
50753 +       if (nmatch) {
50754 +               if (nmatch->deleted)
50755 +                       tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
50756 +               else
50757 +                       tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
50758 +               if (tmpsubj != NULL)
50759 +                       task->acl = tmpsubj;
50760 +       }
50761 +       if (tmpsubj == NULL)
50762 +               task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
50763 +                                          task->role);
50764 +       if (task->acl) {
50765 +               task->is_writable = 0;
50766 +               /* ignore additional mmap checks for processes that are writable 
50767 +                  by the default ACL */
50768 +               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50769 +               if (unlikely(obj->mode & GR_WRITE))
50770 +                       task->is_writable = 1;
50771 +               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
50772 +               if (unlikely(obj->mode & GR_WRITE))
50773 +                       task->is_writable = 1;
50774 +
50775 +               gr_set_proc_res(task);
50776 +
50777 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50778 +               printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
50779 +#endif
50780 +       } else {
50781 +               return 1;
50782 +       }
50783 +
50784 +       return 0;
50785 +}
50786 +
50787 +int
50788 +gr_set_acls(const int type)
50789 +{
50790 +       struct task_struct *task, *task2;
50791 +       struct acl_role_label *role = current->role;
50792 +       __u16 acl_role_id = current->acl_role_id;
50793 +       const struct cred *cred;
50794 +       int ret;
50795 +
50796 +       rcu_read_lock();
50797 +       read_lock(&tasklist_lock);
50798 +       read_lock(&grsec_exec_file_lock);
50799 +       do_each_thread(task2, task) {
50800 +               /* check to see if we're called from the exit handler,
50801 +                  if so, only replace ACLs that have inherited the admin
50802 +                  ACL */
50803 +
50804 +               if (type && (task->role != role ||
50805 +                            task->acl_role_id != acl_role_id))
50806 +                       continue;
50807 +
50808 +               task->acl_role_id = 0;
50809 +               task->acl_sp_role = 0;
50810 +
50811 +               if (task->exec_file) {
50812 +                       cred = __task_cred(task);
50813 +                       task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
50814 +                       ret = gr_apply_subject_to_task(task);
50815 +                       if (ret) {
50816 +                               read_unlock(&grsec_exec_file_lock);
50817 +                               read_unlock(&tasklist_lock);
50818 +                               rcu_read_unlock();
50819 +                               gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
50820 +                               return ret;
50821 +                       }
50822 +               } else {
50823 +                       // it's a kernel process
50824 +                       task->role = kernel_role;
50825 +                       task->acl = kernel_role->root_label;
50826 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
50827 +                       task->acl->mode &= ~GR_PROCFIND;
50828 +#endif
50829 +               }
50830 +       } while_each_thread(task2, task);
50831 +       read_unlock(&grsec_exec_file_lock);
50832 +       read_unlock(&tasklist_lock);
50833 +       rcu_read_unlock();
50834 +
50835 +       return 0;
50836 +}
50837 +
50838 +void
50839 +gr_learn_resource(const struct task_struct *task,
50840 +                 const int res, const unsigned long wanted, const int gt)
50841 +{
50842 +       struct acl_subject_label *acl;
50843 +       const struct cred *cred;
50844 +
50845 +       if (unlikely((gr_status & GR_READY) &&
50846 +                    task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
50847 +               goto skip_reslog;
50848 +
50849 +#ifdef CONFIG_GRKERNSEC_RESLOG
50850 +       gr_log_resource(task, res, wanted, gt);
50851 +#endif
50852 +      skip_reslog:
50853 +
50854 +       if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
50855 +               return;
50856 +
50857 +       acl = task->acl;
50858 +
50859 +       if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
50860 +                  !(acl->resmask & (1 << (unsigned short) res))))
50861 +               return;
50862 +
50863 +       if (wanted >= acl->res[res].rlim_cur) {
50864 +               unsigned long res_add;
50865 +
50866 +               res_add = wanted;
50867 +               switch (res) {
50868 +               case RLIMIT_CPU:
50869 +                       res_add += GR_RLIM_CPU_BUMP;
50870 +                       break;
50871 +               case RLIMIT_FSIZE:
50872 +                       res_add += GR_RLIM_FSIZE_BUMP;
50873 +                       break;
50874 +               case RLIMIT_DATA:
50875 +                       res_add += GR_RLIM_DATA_BUMP;
50876 +                       break;
50877 +               case RLIMIT_STACK:
50878 +                       res_add += GR_RLIM_STACK_BUMP;
50879 +                       break;
50880 +               case RLIMIT_CORE:
50881 +                       res_add += GR_RLIM_CORE_BUMP;
50882 +                       break;
50883 +               case RLIMIT_RSS:
50884 +                       res_add += GR_RLIM_RSS_BUMP;
50885 +                       break;
50886 +               case RLIMIT_NPROC:
50887 +                       res_add += GR_RLIM_NPROC_BUMP;
50888 +                       break;
50889 +               case RLIMIT_NOFILE:
50890 +                       res_add += GR_RLIM_NOFILE_BUMP;
50891 +                       break;
50892 +               case RLIMIT_MEMLOCK:
50893 +                       res_add += GR_RLIM_MEMLOCK_BUMP;
50894 +                       break;
50895 +               case RLIMIT_AS:
50896 +                       res_add += GR_RLIM_AS_BUMP;
50897 +                       break;
50898 +               case RLIMIT_LOCKS:
50899 +                       res_add += GR_RLIM_LOCKS_BUMP;
50900 +                       break;
50901 +               case RLIMIT_SIGPENDING:
50902 +                       res_add += GR_RLIM_SIGPENDING_BUMP;
50903 +                       break;
50904 +               case RLIMIT_MSGQUEUE:
50905 +                       res_add += GR_RLIM_MSGQUEUE_BUMP;
50906 +                       break;
50907 +               case RLIMIT_NICE:
50908 +                       res_add += GR_RLIM_NICE_BUMP;
50909 +                       break;
50910 +               case RLIMIT_RTPRIO:
50911 +                       res_add += GR_RLIM_RTPRIO_BUMP;
50912 +                       break;
50913 +               case RLIMIT_RTTIME:
50914 +                       res_add += GR_RLIM_RTTIME_BUMP;
50915 +                       break;
50916 +               }
50917 +
50918 +               acl->res[res].rlim_cur = res_add;
50919 +
50920 +               if (wanted > acl->res[res].rlim_max)
50921 +                       acl->res[res].rlim_max = res_add;
50922 +
50923 +               /* only log the subject filename, since resource logging is supported for
50924 +                  single-subject learning only */
50925 +               rcu_read_lock();
50926 +               cred = __task_cred(task);
50927 +               security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
50928 +                              task->role->roletype, cred->uid, cred->gid, acl->filename,
50929 +                              acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
50930 +                              "", (unsigned long) res, &task->signal->saved_ip);
50931 +               rcu_read_unlock();
50932 +       }
50933 +
50934 +       return;
50935 +}
50936 +
50937 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
50938 +void
50939 +pax_set_initial_flags(struct linux_binprm *bprm)
50940 +{
50941 +       struct task_struct *task = current;
50942 +        struct acl_subject_label *proc;
50943 +       unsigned long flags;
50944 +
50945 +        if (unlikely(!(gr_status & GR_READY)))
50946 +                return;
50947 +
50948 +       flags = pax_get_flags(task);
50949 +
50950 +        proc = task->acl;
50951 +
50952 +       if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
50953 +               flags &= ~MF_PAX_PAGEEXEC;
50954 +       if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
50955 +               flags &= ~MF_PAX_SEGMEXEC;
50956 +       if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
50957 +               flags &= ~MF_PAX_RANDMMAP;
50958 +       if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
50959 +               flags &= ~MF_PAX_EMUTRAMP;
50960 +       if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
50961 +               flags &= ~MF_PAX_MPROTECT;
50962 +
50963 +       if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
50964 +               flags |= MF_PAX_PAGEEXEC;
50965 +       if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
50966 +               flags |= MF_PAX_SEGMEXEC;
50967 +       if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
50968 +               flags |= MF_PAX_RANDMMAP;
50969 +       if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
50970 +               flags |= MF_PAX_EMUTRAMP;
50971 +       if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
50972 +               flags |= MF_PAX_MPROTECT;
50973 +
50974 +       pax_set_flags(task, flags);
50975 +
50976 +        return;
50977 +}
50978 +#endif
50979 +
50980 +#ifdef CONFIG_SYSCTL
50981 +/* Eric Biederman likes breaking userland ABI and every inode-based security
50982 +   system to save 35kb of memory */
50983 +
50984 +/* we modify the passed in filename, but adjust it back before returning */
50985 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
50986 +{
50987 +       struct name_entry *nmatch;
50988 +       char *p, *lastp = NULL;
50989 +       struct acl_object_label *obj = NULL, *tmp;
50990 +       struct acl_subject_label *tmpsubj;
50991 +       char c = '\0';
50992 +
50993 +       read_lock(&gr_inode_lock);
50994 +
50995 +       p = name + len - 1;
50996 +       do {
50997 +               nmatch = lookup_name_entry(name);
50998 +               if (lastp != NULL)
50999 +                       *lastp = c;
51000 +
51001 +               if (nmatch == NULL)
51002 +                       goto next_component;
51003 +               tmpsubj = current->acl;
51004 +               do {
51005 +                       obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
51006 +                       if (obj != NULL) {
51007 +                               tmp = obj->globbed;
51008 +                               while (tmp) {
51009 +                                       if (!glob_match(tmp->filename, name)) {
51010 +                                               obj = tmp;
51011 +                                               goto found_obj;
51012 +                                       }
51013 +                                       tmp = tmp->next;
51014 +                               }
51015 +                               goto found_obj;
51016 +                       }
51017 +               } while ((tmpsubj = tmpsubj->parent_subject));
51018 +next_component:
51019 +               /* end case */
51020 +               if (p == name)
51021 +                       break;
51022 +
51023 +               while (*p != '/')
51024 +                       p--;
51025 +               if (p == name)
51026 +                       lastp = p + 1;
51027 +               else {
51028 +                       lastp = p;
51029 +                       p--;
51030 +               }
51031 +               c = *lastp;
51032 +               *lastp = '\0';
51033 +       } while (1);
51034 +found_obj:
51035 +       read_unlock(&gr_inode_lock);
51036 +       /* obj returned will always be non-null */
51037 +       return obj;
51038 +}
51039 +
51040 +/* returns 0 when allowing, non-zero on error
51041 +   op of 0 is used for readdir, so we don't log the names of hidden files
51042 +*/
51043 +__u32
51044 +gr_handle_sysctl(const struct ctl_table *table, const int op)
51045 +{
51046 +       struct ctl_table *tmp;
51047 +       const char *proc_sys = "/proc/sys";
51048 +       char *path;
51049 +       struct acl_object_label *obj;
51050 +       unsigned short len = 0, pos = 0, depth = 0, i;
51051 +       __u32 err = 0;
51052 +       __u32 mode = 0;
51053 +
51054 +       if (unlikely(!(gr_status & GR_READY)))
51055 +               return 0;
51056 +
51057 +       /* for now, ignore operations on non-sysctl entries if it's not a
51058 +          readdir*/
51059 +       if (table->child != NULL && op != 0)
51060 +               return 0;
51061 +
51062 +       mode |= GR_FIND;
51063 +       /* it's only a read if it's an entry, read on dirs is for readdir */
51064 +       if (op & MAY_READ)
51065 +               mode |= GR_READ;
51066 +       if (op & MAY_WRITE)
51067 +               mode |= GR_WRITE;
51068 +
51069 +       preempt_disable();
51070 +
51071 +       path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
51072 +
51073 +       /* it's only a read/write if it's an actual entry, not a dir
51074 +          (which are opened for readdir)
51075 +       */
51076 +
51077 +       /* convert the requested sysctl entry into a pathname */
51078 +
51079 +       for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
51080 +               len += strlen(tmp->procname);
51081 +               len++;
51082 +               depth++;
51083 +       }
51084 +
51085 +       if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
51086 +               /* deny */
51087 +               goto out;
51088 +       }
51089 +
51090 +       memset(path, 0, PAGE_SIZE);
51091 +
51092 +       memcpy(path, proc_sys, strlen(proc_sys));
51093 +
51094 +       pos += strlen(proc_sys);
51095 +
51096 +       for (; depth > 0; depth--) {
51097 +               path[pos] = '/';
51098 +               pos++;
51099 +               for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
51100 +                       if (depth == i) {
51101 +                               memcpy(path + pos, tmp->procname,
51102 +                                      strlen(tmp->procname));
51103 +                               pos += strlen(tmp->procname);
51104 +                       }
51105 +                       i++;
51106 +               }
51107 +       }
51108 +
51109 +       obj = gr_lookup_by_name(path, pos);
51110 +       err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
51111 +
51112 +       if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
51113 +                    ((err & mode) != mode))) {
51114 +               __u32 new_mode = mode;
51115 +
51116 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
51117 +
51118 +               err = 0;
51119 +               gr_log_learn_sysctl(path, new_mode);
51120 +       } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
51121 +               gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
51122 +               err = -ENOENT;
51123 +       } else if (!(err & GR_FIND)) {
51124 +               err = -ENOENT;
51125 +       } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
51126 +               gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
51127 +                              path, (mode & GR_READ) ? " reading" : "",
51128 +                              (mode & GR_WRITE) ? " writing" : "");
51129 +               err = -EACCES;
51130 +       } else if ((err & mode) != mode) {
51131 +               err = -EACCES;
51132 +       } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
51133 +               gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
51134 +                              path, (mode & GR_READ) ? " reading" : "",
51135 +                              (mode & GR_WRITE) ? " writing" : "");
51136 +               err = 0;
51137 +       } else
51138 +               err = 0;
51139 +
51140 +      out:
51141 +       preempt_enable();
51142 +
51143 +       return err;
51144 +}
51145 +#endif
51146 +
51147 +int
51148 +gr_handle_proc_ptrace(struct task_struct *task)
51149 +{
51150 +       struct file *filp;
51151 +       struct task_struct *tmp = task;
51152 +       struct task_struct *curtemp = current;
51153 +       __u32 retmode;
51154 +
51155 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51156 +       if (unlikely(!(gr_status & GR_READY)))
51157 +               return 0;
51158 +#endif
51159 +
51160 +       read_lock(&tasklist_lock);
51161 +       read_lock(&grsec_exec_file_lock);
51162 +       filp = task->exec_file;
51163 +
51164 +       while (tmp->pid > 0) {
51165 +               if (tmp == curtemp)
51166 +                       break;
51167 +               tmp = tmp->real_parent;
51168 +       }
51169 +
51170 +       if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51171 +                               ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
51172 +               read_unlock(&grsec_exec_file_lock);
51173 +               read_unlock(&tasklist_lock);
51174 +               return 1;
51175 +       }
51176 +
51177 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51178 +       if (!(gr_status & GR_READY)) {
51179 +               read_unlock(&grsec_exec_file_lock);
51180 +               read_unlock(&tasklist_lock);
51181 +               return 0;
51182 +       }
51183 +#endif
51184 +
51185 +       retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
51186 +       read_unlock(&grsec_exec_file_lock);
51187 +       read_unlock(&tasklist_lock);
51188 +
51189 +       if (retmode & GR_NOPTRACE)
51190 +               return 1;
51191 +
51192 +       if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
51193 +           && (current->acl != task->acl || (current->acl != current->role->root_label
51194 +           && current->pid != task->pid)))
51195 +               return 1;
51196 +
51197 +       return 0;
51198 +}
51199 +
51200 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
51201 +{
51202 +       if (unlikely(!(gr_status & GR_READY)))
51203 +               return;
51204 +
51205 +       if (!(current->role->roletype & GR_ROLE_GOD))
51206 +               return;
51207 +
51208 +       seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
51209 +                       p->role->rolename, gr_task_roletype_to_char(p),
51210 +                       p->acl->filename);
51211 +}
51212 +
51213 +int
51214 +gr_handle_ptrace(struct task_struct *task, const long request)
51215 +{
51216 +       struct task_struct *tmp = task;
51217 +       struct task_struct *curtemp = current;
51218 +       __u32 retmode;
51219 +
51220 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51221 +       if (unlikely(!(gr_status & GR_READY)))
51222 +               return 0;
51223 +#endif
51224 +
51225 +       read_lock(&tasklist_lock);
51226 +       while (tmp->pid > 0) {
51227 +               if (tmp == curtemp)
51228 +                       break;
51229 +               tmp = tmp->real_parent;
51230 +       }
51231 +
51232 +       if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51233 +                               ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
51234 +               read_unlock(&tasklist_lock);
51235 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51236 +               return 1;
51237 +       }
51238 +       read_unlock(&tasklist_lock);
51239 +
51240 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51241 +       if (!(gr_status & GR_READY))
51242 +               return 0;
51243 +#endif
51244 +
51245 +       read_lock(&grsec_exec_file_lock);
51246 +       if (unlikely(!task->exec_file)) {
51247 +               read_unlock(&grsec_exec_file_lock);
51248 +               return 0;
51249 +       }
51250 +
51251 +       retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
51252 +       read_unlock(&grsec_exec_file_lock);
51253 +
51254 +       if (retmode & GR_NOPTRACE) {
51255 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51256 +               return 1;
51257 +       }
51258 +               
51259 +       if (retmode & GR_PTRACERD) {
51260 +               switch (request) {
51261 +               case PTRACE_POKETEXT:
51262 +               case PTRACE_POKEDATA:
51263 +               case PTRACE_POKEUSR:
51264 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
51265 +               case PTRACE_SETREGS:
51266 +               case PTRACE_SETFPREGS:
51267 +#endif
51268 +#ifdef CONFIG_X86
51269 +               case PTRACE_SETFPXREGS:
51270 +#endif
51271 +#ifdef CONFIG_ALTIVEC
51272 +               case PTRACE_SETVRREGS:
51273 +#endif
51274 +                       return 1;
51275 +               default:
51276 +                       return 0;
51277 +               }
51278 +       } else if (!(current->acl->mode & GR_POVERRIDE) &&
51279 +                  !(current->role->roletype & GR_ROLE_GOD) &&
51280 +                  (current->acl != task->acl)) {
51281 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51282 +               return 1;
51283 +       }
51284 +
51285 +       return 0;
51286 +}
51287 +
51288 +static int is_writable_mmap(const struct file *filp)
51289 +{
51290 +       struct task_struct *task = current;
51291 +       struct acl_object_label *obj, *obj2;
51292 +
51293 +       if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
51294 +           !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
51295 +               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
51296 +               obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
51297 +                                    task->role->root_label);
51298 +               if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
51299 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
51300 +                       return 1;
51301 +               }
51302 +       }
51303 +       return 0;
51304 +}
51305 +
51306 +int
51307 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
51308 +{
51309 +       __u32 mode;
51310 +
51311 +       if (unlikely(!file || !(prot & PROT_EXEC)))
51312 +               return 1;
51313 +
51314 +       if (is_writable_mmap(file))
51315 +               return 0;
51316 +
51317 +       mode =
51318 +           gr_search_file(file->f_path.dentry,
51319 +                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51320 +                          file->f_path.mnt);
51321 +
51322 +       if (!gr_tpe_allow(file))
51323 +               return 0;
51324 +
51325 +       if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51326 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51327 +               return 0;
51328 +       } else if (unlikely(!(mode & GR_EXEC))) {
51329 +               return 0;
51330 +       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51331 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51332 +               return 1;
51333 +       }
51334 +
51335 +       return 1;
51336 +}
51337 +
51338 +int
51339 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
51340 +{
51341 +       __u32 mode;
51342 +
51343 +       if (unlikely(!file || !(prot & PROT_EXEC)))
51344 +               return 1;
51345 +
51346 +       if (is_writable_mmap(file))
51347 +               return 0;
51348 +
51349 +       mode =
51350 +           gr_search_file(file->f_path.dentry,
51351 +                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51352 +                          file->f_path.mnt);
51353 +
51354 +       if (!gr_tpe_allow(file))
51355 +               return 0;
51356 +
51357 +       if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51358 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51359 +               return 0;
51360 +       } else if (unlikely(!(mode & GR_EXEC))) {
51361 +               return 0;
51362 +       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51363 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51364 +               return 1;
51365 +       }
51366 +
51367 +       return 1;
51368 +}
51369 +
51370 +void
51371 +gr_acl_handle_psacct(struct task_struct *task, const long code)
51372 +{
51373 +       unsigned long runtime;
51374 +       unsigned long cputime;
51375 +       unsigned int wday, cday;
51376 +       __u8 whr, chr;
51377 +       __u8 wmin, cmin;
51378 +       __u8 wsec, csec;
51379 +       struct timespec timeval;
51380 +
51381 +       if (unlikely(!(gr_status & GR_READY) || !task->acl ||
51382 +                    !(task->acl->mode & GR_PROCACCT)))
51383 +               return;
51384 +
51385 +       do_posix_clock_monotonic_gettime(&timeval);
51386 +       runtime = timeval.tv_sec - task->start_time.tv_sec;
51387 +       wday = runtime / (3600 * 24);
51388 +       runtime -= wday * (3600 * 24);
51389 +       whr = runtime / 3600;
51390 +       runtime -= whr * 3600;
51391 +       wmin = runtime / 60;
51392 +       runtime -= wmin * 60;
51393 +       wsec = runtime;
51394 +
51395 +       cputime = (task->utime + task->stime) / HZ;
51396 +       cday = cputime / (3600 * 24);
51397 +       cputime -= cday * (3600 * 24);
51398 +       chr = cputime / 3600;
51399 +       cputime -= chr * 3600;
51400 +       cmin = cputime / 60;
51401 +       cputime -= cmin * 60;
51402 +       csec = cputime;
51403 +
51404 +       gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
51405 +
51406 +       return;
51407 +}
51408 +
51409 +void gr_set_kernel_label(struct task_struct *task)
51410 +{
51411 +       if (gr_status & GR_READY) {
51412 +               task->role = kernel_role;
51413 +               task->acl = kernel_role->root_label;
51414 +       }
51415 +       return;
51416 +}
51417 +
51418 +#ifdef CONFIG_TASKSTATS
51419 +int gr_is_taskstats_denied(int pid)
51420 +{
51421 +       struct task_struct *task;
51422 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51423 +       const struct cred *cred;
51424 +#endif
51425 +       int ret = 0;
51426 +
51427 +       /* restrict taskstats viewing to un-chrooted root users
51428 +          who have the 'view' subject flag if the RBAC system is enabled
51429 +       */
51430 +
51431 +       rcu_read_lock();
51432 +       read_lock(&tasklist_lock);
51433 +       task = find_task_by_vpid(pid);
51434 +       if (task) {
51435 +#ifdef CONFIG_GRKERNSEC_CHROOT
51436 +               if (proc_is_chrooted(task))
51437 +                       ret = -EACCES;
51438 +#endif
51439 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51440 +               cred = __task_cred(task);
51441 +#ifdef CONFIG_GRKERNSEC_PROC_USER
51442 +               if (cred->uid != 0)
51443 +                       ret = -EACCES;
51444 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51445 +               if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
51446 +                       ret = -EACCES;
51447 +#endif
51448 +#endif
51449 +               if (gr_status & GR_READY) {
51450 +                       if (!(task->acl->mode & GR_VIEW))
51451 +                               ret = -EACCES;
51452 +               }
51453 +       } else
51454 +               ret = -ENOENT;
51455 +
51456 +       read_unlock(&tasklist_lock);
51457 +       rcu_read_unlock();
51458 +
51459 +       return ret;
51460 +}
51461 +#endif
51462 +
51463 +/* AUXV entries are filled via a descendant of search_binary_handler
51464 +   after we've already applied the subject for the target
51465 +*/
51466 +int gr_acl_enable_at_secure(void)
51467 +{
51468 +       if (unlikely(!(gr_status & GR_READY)))
51469 +               return 0;
51470 +
51471 +       if (current->acl->mode & GR_ATSECURE)
51472 +               return 1;
51473 +
51474 +       return 0;
51475 +}
51476 +       
51477 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
51478 +{
51479 +       struct task_struct *task = current;
51480 +       struct dentry *dentry = file->f_path.dentry;
51481 +       struct vfsmount *mnt = file->f_path.mnt;
51482 +       struct acl_object_label *obj, *tmp;
51483 +       struct acl_subject_label *subj;
51484 +       unsigned int bufsize;
51485 +       int is_not_root;
51486 +       char *path;
51487 +       dev_t dev = __get_dev(dentry);
51488 +
51489 +       if (unlikely(!(gr_status & GR_READY)))
51490 +               return 1;
51491 +
51492 +       if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
51493 +               return 1;
51494 +
51495 +       /* ignore Eric Biederman */
51496 +       if (IS_PRIVATE(dentry->d_inode))
51497 +               return 1;
51498 +
51499 +       subj = task->acl;
51500 +       do {
51501 +               obj = lookup_acl_obj_label(ino, dev, subj);
51502 +               if (obj != NULL)
51503 +                       return (obj->mode & GR_FIND) ? 1 : 0;
51504 +       } while ((subj = subj->parent_subject));
51505 +       
51506 +       /* this is purely an optimization since we're looking for an object
51507 +          for the directory we're doing a readdir on
51508 +          if it's possible for any globbed object to match the entry we're
51509 +          filling into the directory, then the object we find here will be
51510 +          an anchor point with attached globbed objects
51511 +       */
51512 +       obj = chk_obj_label_noglob(dentry, mnt, task->acl);
51513 +       if (obj->globbed == NULL)
51514 +               return (obj->mode & GR_FIND) ? 1 : 0;
51515 +
51516 +       is_not_root = ((obj->filename[0] == '/') &&
51517 +                  (obj->filename[1] == '\0')) ? 0 : 1;
51518 +       bufsize = PAGE_SIZE - namelen - is_not_root;
51519 +
51520 +       /* check bufsize > PAGE_SIZE || bufsize == 0 */
51521 +       if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
51522 +               return 1;
51523 +
51524 +       preempt_disable();
51525 +       path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
51526 +                          bufsize);
51527 +
51528 +       bufsize = strlen(path);
51529 +
51530 +       /* if base is "/", don't append an additional slash */
51531 +       if (is_not_root)
51532 +               *(path + bufsize) = '/';
51533 +       memcpy(path + bufsize + is_not_root, name, namelen);
51534 +       *(path + bufsize + namelen + is_not_root) = '\0';
51535 +
51536 +       tmp = obj->globbed;
51537 +       while (tmp) {
51538 +               if (!glob_match(tmp->filename, path)) {
51539 +                       preempt_enable();
51540 +                       return (tmp->mode & GR_FIND) ? 1 : 0;
51541 +               }
51542 +               tmp = tmp->next;
51543 +       }
51544 +       preempt_enable();
51545 +       return (obj->mode & GR_FIND) ? 1 : 0;
51546 +}
51547 +
51548 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
51549 +EXPORT_SYMBOL(gr_acl_is_enabled);
51550 +#endif
51551 +EXPORT_SYMBOL(gr_learn_resource);
51552 +EXPORT_SYMBOL(gr_set_kernel_label);
51553 +#ifdef CONFIG_SECURITY
51554 +EXPORT_SYMBOL(gr_check_user_change);
51555 +EXPORT_SYMBOL(gr_check_group_change);
51556 +#endif
51557 +
51558 diff -urNp linux-3.0.9/grsecurity/gracl_cap.c linux-3.0.9/grsecurity/gracl_cap.c
51559 --- linux-3.0.9/grsecurity/gracl_cap.c  1969-12-31 19:00:00.000000000 -0500
51560 +++ linux-3.0.9/grsecurity/gracl_cap.c  2011-11-15 20:02:59.000000000 -0500
51561 @@ -0,0 +1,101 @@
51562 +#include <linux/kernel.h>
51563 +#include <linux/module.h>
51564 +#include <linux/sched.h>
51565 +#include <linux/gracl.h>
51566 +#include <linux/grsecurity.h>
51567 +#include <linux/grinternal.h>
51568 +
51569 +extern const char *captab_log[];
51570 +extern int captab_log_entries;
51571 +
51572 +int
51573 +gr_acl_is_capable(const int cap)
51574 +{
51575 +       struct task_struct *task = current;
51576 +       const struct cred *cred = current_cred();
51577 +       struct acl_subject_label *curracl;
51578 +       kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51579 +       kernel_cap_t cap_audit = __cap_empty_set;
51580 +
51581 +       if (!gr_acl_is_enabled())
51582 +               return 1;
51583 +
51584 +       curracl = task->acl;
51585 +
51586 +       cap_drop = curracl->cap_lower;
51587 +       cap_mask = curracl->cap_mask;
51588 +       cap_audit = curracl->cap_invert_audit;
51589 +
51590 +       while ((curracl = curracl->parent_subject)) {
51591 +               /* if the cap isn't specified in the current computed mask but is specified in the
51592 +                  current level subject, and is lowered in the current level subject, then add
51593 +                  it to the set of dropped capabilities
51594 +                  otherwise, add the current level subject's mask to the current computed mask
51595 +                */
51596 +               if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51597 +                       cap_raise(cap_mask, cap);
51598 +                       if (cap_raised(curracl->cap_lower, cap))
51599 +                               cap_raise(cap_drop, cap);
51600 +                       if (cap_raised(curracl->cap_invert_audit, cap))
51601 +                               cap_raise(cap_audit, cap);
51602 +               }
51603 +       }
51604 +
51605 +       if (!cap_raised(cap_drop, cap)) {
51606 +               if (cap_raised(cap_audit, cap))
51607 +                       gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
51608 +               return 1;
51609 +       }
51610 +
51611 +       curracl = task->acl;
51612 +
51613 +       if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
51614 +           && cap_raised(cred->cap_effective, cap)) {
51615 +               security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
51616 +                              task->role->roletype, cred->uid,
51617 +                              cred->gid, task->exec_file ?
51618 +                              gr_to_filename(task->exec_file->f_path.dentry,
51619 +                              task->exec_file->f_path.mnt) : curracl->filename,
51620 +                              curracl->filename, 0UL,
51621 +                              0UL, "", (unsigned long) cap, &task->signal->saved_ip);
51622 +               return 1;
51623 +       }
51624 +
51625 +       if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
51626 +               gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
51627 +       return 0;
51628 +}
51629 +
51630 +int
51631 +gr_acl_is_capable_nolog(const int cap)
51632 +{
51633 +       struct acl_subject_label *curracl;
51634 +       kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51635 +
51636 +       if (!gr_acl_is_enabled())
51637 +               return 1;
51638 +
51639 +       curracl = current->acl;
51640 +
51641 +       cap_drop = curracl->cap_lower;
51642 +       cap_mask = curracl->cap_mask;
51643 +
51644 +       while ((curracl = curracl->parent_subject)) {
51645 +               /* if the cap isn't specified in the current computed mask but is specified in the
51646 +                  current level subject, and is lowered in the current level subject, then add
51647 +                  it to the set of dropped capabilities
51648 +                  otherwise, add the current level subject's mask to the current computed mask
51649 +                */
51650 +               if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51651 +                       cap_raise(cap_mask, cap);
51652 +                       if (cap_raised(curracl->cap_lower, cap))
51653 +                               cap_raise(cap_drop, cap);
51654 +               }
51655 +       }
51656 +
51657 +       if (!cap_raised(cap_drop, cap))
51658 +               return 1;
51659 +
51660 +       return 0;
51661 +}
51662 +
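Review bot: The audit branch of gr_acl_is_capable indexes `captab_log[cap]` (the line `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);`) with no range check, while the deny branch a few lines below guards the same lookup with `(cap >= 0) && (cap < captab_log_entries)`. If every caller passes a valid capability number the unguarded index is harmless, but the two branches should agree; `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)` keeps the guard consistent. The parent-subject walk that computes cap_drop and cap_mask is duplicated verbatim in gr_acl_is_capable_nolog; a static helper that fills in the computed sets would keep the two copies from drifting. The `__cap_empty_set` initializers on cap_drop and cap_mask in both functions are dead stores, since both variables are overwritten before their first use.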
51663 diff -urNp linux-3.0.9/grsecurity/gracl_fs.c linux-3.0.9/grsecurity/gracl_fs.c
51664 --- linux-3.0.9/grsecurity/gracl_fs.c   1969-12-31 19:00:00.000000000 -0500
51665 +++ linux-3.0.9/grsecurity/gracl_fs.c   2011-11-15 20:02:59.000000000 -0500
51666 @@ -0,0 +1,431 @@
51667 +#include <linux/kernel.h>
51668 +#include <linux/sched.h>
51669 +#include <linux/types.h>
51670 +#include <linux/fs.h>
51671 +#include <linux/file.h>
51672 +#include <linux/stat.h>
51673 +#include <linux/grsecurity.h>
51674 +#include <linux/grinternal.h>
51675 +#include <linux/gracl.h>
51676 +
51677 +__u32
51678 +gr_acl_handle_hidden_file(const struct dentry * dentry,
51679 +                         const struct vfsmount * mnt)
51680 +{
51681 +       __u32 mode;
51682 +
51683 +       if (unlikely(!dentry->d_inode))
51684 +               return GR_FIND;
51685 +
51686 +       mode =
51687 +           gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
51688 +
51689 +       if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
51690 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51691 +               return mode;
51692 +       } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
51693 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51694 +               return 0;
51695 +       } else if (unlikely(!(mode & GR_FIND)))
51696 +               return 0;
51697 +
51698 +       return GR_FIND;
51699 +}
51700 +
51701 +__u32
51702 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
51703 +                  const int fmode)
51704 +{
51705 +       __u32 reqmode = GR_FIND;
51706 +       __u32 mode;
51707 +
51708 +       if (unlikely(!dentry->d_inode))
51709 +               return reqmode;
51710 +
51711 +       if (unlikely(fmode & O_APPEND))
51712 +               reqmode |= GR_APPEND;
51713 +       else if (unlikely(fmode & FMODE_WRITE))
51714 +               reqmode |= GR_WRITE;
51715 +       if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
51716 +               reqmode |= GR_READ;
51717 +       if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
51718 +               reqmode &= ~GR_READ;
51719 +       mode =
51720 +           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51721 +                          mnt);
51722 +
51723 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51724 +               gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51725 +                              reqmode & GR_READ ? " reading" : "",
51726 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51727 +                              GR_APPEND ? " appending" : "");
51728 +               return reqmode;
51729 +       } else
51730 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51731 +       {
51732 +               gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51733 +                              reqmode & GR_READ ? " reading" : "",
51734 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51735 +                              GR_APPEND ? " appending" : "");
51736 +               return 0;
51737 +       } else if (unlikely((mode & reqmode) != reqmode))
51738 +               return 0;
51739 +
51740 +       return reqmode;
51741 +}
51742 +
51743 +__u32
51744 +gr_acl_handle_creat(const struct dentry * dentry,
51745 +                   const struct dentry * p_dentry,
51746 +                   const struct vfsmount * p_mnt, const int fmode,
51747 +                   const int imode)
51748 +{
51749 +       __u32 reqmode = GR_WRITE | GR_CREATE;
51750 +       __u32 mode;
51751 +
51752 +       if (unlikely(fmode & O_APPEND))
51753 +               reqmode |= GR_APPEND;
51754 +       if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
51755 +               reqmode |= GR_READ;
51756 +       if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
51757 +               reqmode |= GR_SETID;
51758 +
51759 +       mode =
51760 +           gr_check_create(dentry, p_dentry, p_mnt,
51761 +                           reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51762 +
51763 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51764 +               gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51765 +                              reqmode & GR_READ ? " reading" : "",
51766 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51767 +                              GR_APPEND ? " appending" : "");
51768 +               return reqmode;
51769 +       } else
51770 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51771 +       {
51772 +               gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51773 +                              reqmode & GR_READ ? " reading" : "",
51774 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51775 +                              GR_APPEND ? " appending" : "");
51776 +               return 0;
51777 +       } else if (unlikely((mode & reqmode) != reqmode))
51778 +               return 0;
51779 +
51780 +       return reqmode;
51781 +}
51782 +
51783 +__u32
51784 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
51785 +                    const int fmode)
51786 +{
51787 +       __u32 mode, reqmode = GR_FIND;
51788 +
51789 +       if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
51790 +               reqmode |= GR_EXEC;
51791 +       if (fmode & S_IWOTH)
51792 +               reqmode |= GR_WRITE;
51793 +       if (fmode & S_IROTH)
51794 +               reqmode |= GR_READ;
51795 +
51796 +       mode =
51797 +           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51798 +                          mnt);
51799 +
51800 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51801 +               gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51802 +                              reqmode & GR_READ ? " reading" : "",
51803 +                              reqmode & GR_WRITE ? " writing" : "",
51804 +                              reqmode & GR_EXEC ? " executing" : "");
51805 +               return reqmode;
51806 +       } else
51807 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51808 +       {
51809 +               gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51810 +                              reqmode & GR_READ ? " reading" : "",
51811 +                              reqmode & GR_WRITE ? " writing" : "",
51812 +                              reqmode & GR_EXEC ? " executing" : "");
51813 +               return 0;
51814 +       } else if (unlikely((mode & reqmode) != reqmode))
51815 +               return 0;
51816 +
51817 +       return reqmode;
51818 +}
51819 +
51820 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
51821 +{
51822 +       __u32 mode;
51823 +
51824 +       mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
51825 +
51826 +       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51827 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
51828 +               return mode;
51829 +       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51830 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
51831 +               return 0;
51832 +       } else if (unlikely((mode & (reqmode)) != (reqmode)))
51833 +               return 0;
51834 +
51835 +       return (reqmode);
51836 +}
51837 +
51838 +__u32
51839 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
51840 +{
51841 +       return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
51842 +}
51843 +
51844 +__u32
51845 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
51846 +{
51847 +       return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
51848 +}
51849 +
51850 +__u32
51851 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
51852 +{
51853 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
51854 +}
51855 +
51856 +__u32
51857 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
51858 +{
51859 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
51860 +}
51861 +
51862 +__u32
51863 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
51864 +                    mode_t mode)
51865 +{
51866 +       if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
51867 +               return 1;
51868 +
51869 +       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51870 +               return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51871 +                                  GR_FCHMOD_ACL_MSG);
51872 +       } else {
51873 +               return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
51874 +       }
51875 +}
51876 +
51877 +__u32
51878 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
51879 +                   mode_t mode)
51880 +{
51881 +       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51882 +               return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51883 +                                  GR_CHMOD_ACL_MSG);
51884 +       } else {
51885 +               return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
51886 +       }
51887 +}
51888 +
51889 +__u32
51890 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
51891 +{
51892 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
51893 +}
51894 +
51895 +__u32
51896 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
51897 +{
51898 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
51899 +}
51900 +
51901 +__u32
51902 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
51903 +{
51904 +       return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
51905 +}
51906 +
51907 +__u32
51908 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
51909 +{
51910 +       return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
51911 +                          GR_UNIXCONNECT_ACL_MSG);
51912 +}
51913 +
51914 +/* hardlinks require at minimum create and link permission,
51915 +   any additional privilege required is based on the
51916 +   privilege of the file being linked to
51917 +*/
51918 +__u32
51919 +gr_acl_handle_link(const struct dentry * new_dentry,
51920 +                  const struct dentry * parent_dentry,
51921 +                  const struct vfsmount * parent_mnt,
51922 +                  const struct dentry * old_dentry,
51923 +                  const struct vfsmount * old_mnt, const char *to)
51924 +{
51925 +       __u32 mode;
51926 +       __u32 needmode = GR_CREATE | GR_LINK;
51927 +       __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
51928 +
51929 +       mode =
51930 +           gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
51931 +                         old_mnt);
51932 +
51933 +       if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
51934 +               gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51935 +               return mode;
51936 +       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51937 +               gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51938 +               return 0;
51939 +       } else if (unlikely((mode & needmode) != needmode))
51940 +               return 0;
51941 +
51942 +       return 1;
51943 +}
51944 +
51945 +__u32
51946 +gr_acl_handle_symlink(const struct dentry * new_dentry,
51947 +                     const struct dentry * parent_dentry,
51948 +                     const struct vfsmount * parent_mnt, const char *from)
51949 +{
51950 +       __u32 needmode = GR_WRITE | GR_CREATE;
51951 +       __u32 mode;
51952 +
51953 +       mode =
51954 +           gr_check_create(new_dentry, parent_dentry, parent_mnt,
51955 +                           GR_CREATE | GR_AUDIT_CREATE |
51956 +                           GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
51957 +
51958 +       if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
51959 +               gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51960 +               return mode;
51961 +       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51962 +               gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51963 +               return 0;
51964 +       } else if (unlikely((mode & needmode) != needmode))
51965 +               return 0;
51966 +
51967 +       return (GR_WRITE | GR_CREATE);
51968 +}
51969 +
51970 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
51971 +{
51972 +       __u32 mode;
51973 +
51974 +       mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51975 +
51976 +       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51977 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
51978 +               return mode;
51979 +       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51980 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
51981 +               return 0;
51982 +       } else if (unlikely((mode & (reqmode)) != (reqmode)))
51983 +               return 0;
51984 +
51985 +       return (reqmode);
51986 +}
51987 +
51988 +__u32
51989 +gr_acl_handle_mknod(const struct dentry * new_dentry,
51990 +                   const struct dentry * parent_dentry,
51991 +                   const struct vfsmount * parent_mnt,
51992 +                   const int mode)
51993 +{
51994 +       __u32 reqmode = GR_WRITE | GR_CREATE;
51995 +       if (unlikely(mode & (S_ISUID | S_ISGID)))
51996 +               reqmode |= GR_SETID;
51997 +
51998 +       return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
51999 +                                 reqmode, GR_MKNOD_ACL_MSG);
52000 +}
52001 +
52002 +__u32
52003 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
52004 +                   const struct dentry *parent_dentry,
52005 +                   const struct vfsmount *parent_mnt)
52006 +{
52007 +       return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
52008 +                                 GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
52009 +}
52010 +
52011 +#define RENAME_CHECK_SUCCESS(old, new) \
52012 +       (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
52013 +        ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
52014 +
52015 +int
52016 +gr_acl_handle_rename(struct dentry *new_dentry,
52017 +                    struct dentry *parent_dentry,
52018 +                    const struct vfsmount *parent_mnt,
52019 +                    struct dentry *old_dentry,
52020 +                    struct inode *old_parent_inode,
52021 +                    struct vfsmount *old_mnt, const char *newname)
52022 +{
52023 +       __u32 comp1, comp2;
52024 +       int error = 0;
52025 +
52026 +       if (unlikely(!gr_acl_is_enabled()))
52027 +               return 0;
52028 +
52029 +       if (!new_dentry->d_inode) {
52030 +               comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
52031 +                                       GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
52032 +                                       GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
52033 +               comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
52034 +                                      GR_DELETE | GR_AUDIT_DELETE |
52035 +                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
52036 +                                      GR_SUPPRESS, old_mnt);
52037 +       } else {
52038 +               comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
52039 +                                      GR_CREATE | GR_DELETE |
52040 +                                      GR_AUDIT_CREATE | GR_AUDIT_DELETE |
52041 +                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
52042 +                                      GR_SUPPRESS, parent_mnt);
52043 +               comp2 =
52044 +                   gr_search_file(old_dentry,
52045 +                                  GR_READ | GR_WRITE | GR_AUDIT_READ |
52046 +                                  GR_DELETE | GR_AUDIT_DELETE |
52047 +                                  GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
52048 +       }
52049 +
52050 +       if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
52051 +           ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
52052 +               gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
52053 +       else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
52054 +                && !(comp2 & GR_SUPPRESS)) {
52055 +               gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
52056 +               error = -EACCES;
52057 +       } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
52058 +               error = -EACCES;
52059 +
52060 +       return error;
52061 +}
52062 +
52063 +void
52064 +gr_acl_handle_exit(void)
52065 +{
52066 +       u16 id;
52067 +       char *rolename;
52068 +       struct file *exec_file;
52069 +
52070 +       if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
52071 +           !(current->role->roletype & GR_ROLE_PERSIST))) {
52072 +               id = current->acl_role_id;
52073 +               rolename = current->role->rolename;
52074 +               gr_set_acls(1);
52075 +               gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
52076 +       }
52077 +
52078 +       write_lock(&grsec_exec_file_lock);
52079 +       exec_file = current->exec_file;
52080 +       current->exec_file = NULL;
52081 +       write_unlock(&grsec_exec_file_lock);
52082 +
52083 +       if (exec_file)
52084 +               fput(exec_file);
52085 +}
52086 +
52087 +int
52088 +gr_acl_handle_procpidmem(const struct task_struct *task)
52089 +{
52090 +       if (unlikely(!gr_acl_is_enabled()))
52091 +               return 0;
52092 +
52093 +       if (task != current && task->acl->mode & GR_PROTPROCFD)
52094 +               return -EACCES;
52095 +
52096 +       return 0;
52097 +}
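Review bot: In gr_acl_handle_symlink the audited-success test `if (unlikely(mode & GR_WRITE && mode & GR_AUDITS))` checks only GR_WRITE, whereas every other handler in this file (generic_fs_handler, gr_acl_handle_open, gr_acl_handle_link) requires the full required set before taking the success branch; here a subject granted write with audit but not create would log a success and return a nonzero mode, which the callers (not shown) presumably treat as permission, so the symlink would be allowed without GR_CREATE. The condition should read `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS)))`. Separately, gr_acl_handle_access dereferences `dentry->d_inode->i_mode` without the `if (unlikely(!dentry->d_inode)) return reqmode;` guard that gr_acl_handle_hidden_file and gr_acl_handle_open apply to the same argument; if callers always pass a positive dentry this is harmless, but the guard is cheap and keeps the handlers consistent.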
52098 diff -urNp linux-3.0.9/grsecurity/gracl_ip.c linux-3.0.9/grsecurity/gracl_ip.c
52099 --- linux-3.0.9/grsecurity/gracl_ip.c   1969-12-31 19:00:00.000000000 -0500
52100 +++ linux-3.0.9/grsecurity/gracl_ip.c   2011-11-15 20:02:59.000000000 -0500
52101 @@ -0,0 +1,381 @@
52102 +#include <linux/kernel.h>
52103 +#include <asm/uaccess.h>
52104 +#include <asm/errno.h>
52105 +#include <net/sock.h>
52106 +#include <linux/file.h>
52107 +#include <linux/fs.h>
52108 +#include <linux/net.h>
52109 +#include <linux/in.h>
52110 +#include <linux/skbuff.h>
52111 +#include <linux/ip.h>
52112 +#include <linux/udp.h>
52113 +#include <linux/types.h>
52114 +#include <linux/sched.h>
52115 +#include <linux/netdevice.h>
52116 +#include <linux/inetdevice.h>
52117 +#include <linux/gracl.h>
52118 +#include <linux/grsecurity.h>
52119 +#include <linux/grinternal.h>
52120 +
52121 +#define GR_BIND                        0x01
52122 +#define GR_CONNECT             0x02
52123 +#define GR_INVERT              0x04
52124 +#define GR_BINDOVERRIDE                0x08
52125 +#define GR_CONNECTOVERRIDE     0x10
52126 +#define GR_SOCK_FAMILY         0x20
52127 +
52128 +static const char * gr_protocols[IPPROTO_MAX] = {
52129 +       "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
52130 +       "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
52131 +       "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
52132 +       "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
52133 +       "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
52134 +       "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
52135 +       "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
52136 +       "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
52137 +       "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
52138 +       "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", 
52139 +       "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf", 
52140 +       "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
52141 +       "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
52142 +       "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
52143 +       "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
52144 +       "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
52145 +       "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
52146 +       "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
52147 +       "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
52148 +       "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
52149 +       "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
52150 +       "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
52151 +       "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
52152 +       "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
52153 +       "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
52154 +       "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
52155 +       "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
52156 +       "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
52157 +       "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
52158 +       "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
52159 +       "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
52160 +       "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
52161 +       };
52162 +
52163 +static const char * gr_socktypes[SOCK_MAX] = {
52164 +       "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6", 
52165 +       "unknown:7", "unknown:8", "unknown:9", "packet"
52166 +       };
52167 +
52168 +static const char * gr_sockfamilies[AF_MAX+1] = {
52169 +       "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
52170 +       "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
52171 +       "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
52172 +       "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
52173 +       };
52174 +
52175 +const char *
52176 +gr_proto_to_name(unsigned char proto)
52177 +{
52178 +       return gr_protocols[proto];
52179 +}
52180 +
52181 +const char *
52182 +gr_socktype_to_name(unsigned char type)
52183 +{
52184 +       return gr_socktypes[type];
52185 +}
52186 +
52187 +const char *
52188 +gr_sockfamily_to_name(unsigned char family)
52189 +{
52190 +       return gr_sockfamilies[family];
52191 +}
52192 +
52193 +int
52194 +gr_search_socket(const int domain, const int type, const int protocol)
52195 +{
52196 +       struct acl_subject_label *curr;
52197 +       const struct cred *cred = current_cred();
52198 +
52199 +       if (unlikely(!gr_acl_is_enabled()))
52200 +               goto exit;
52201 +
52202 +       if ((domain < 0) || (type < 0) || (protocol < 0) ||
52203 +           (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
52204 +               goto exit;      // let the kernel handle it
52205 +
52206 +       curr = current->acl;
52207 +
52208 +       if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
52209 +               /* the family is allowed, if this is PF_INET allow it only if
52210 +                  the extra sock type/protocol checks pass */
52211 +               if (domain == PF_INET)
52212 +                       goto inet_check;
52213 +               goto exit;
52214 +       } else {
52215 +               if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52216 +                       __u32 fakeip = 0;
52217 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52218 +                                      current->role->roletype, cred->uid,
52219 +                                      cred->gid, current->exec_file ?
52220 +                                      gr_to_filename(current->exec_file->f_path.dentry,
52221 +                                      current->exec_file->f_path.mnt) :
52222 +                                      curr->filename, curr->filename,
52223 +                                      &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
52224 +                                      &current->signal->saved_ip);
52225 +                       goto exit;
52226 +               }
52227 +               goto exit_fail;
52228 +       }
52229 +
52230 +inet_check:
52231 +       /* the rest of this checking is for IPv4 only */
52232 +       if (!curr->ips)
52233 +               goto exit;
52234 +
52235 +       if ((curr->ip_type & (1 << type)) &&
52236 +           (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
52237 +               goto exit;
52238 +
52239 +       if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52240 +               /* we don't place acls on raw sockets , and sometimes
52241 +                  dgram/ip sockets are opened for ioctl and not
52242 +                  bind/connect, so we'll fake a bind learn log */
52243 +               if (type == SOCK_RAW || type == SOCK_PACKET) {
52244 +                       __u32 fakeip = 0;
52245 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52246 +                                      current->role->roletype, cred->uid,
52247 +                                      cred->gid, current->exec_file ?
52248 +                                      gr_to_filename(current->exec_file->f_path.dentry,
52249 +                                      current->exec_file->f_path.mnt) :
52250 +                                      curr->filename, curr->filename,
52251 +                                      &fakeip, 0, type,
52252 +                                      protocol, GR_CONNECT, &current->signal->saved_ip);
52253 +               } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
52254 +                       __u32 fakeip = 0;
52255 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52256 +                                      current->role->roletype, cred->uid,
52257 +                                      cred->gid, current->exec_file ?
52258 +                                      gr_to_filename(current->exec_file->f_path.dentry,
52259 +                                      current->exec_file->f_path.mnt) :
52260 +                                      curr->filename, curr->filename,
52261 +                                      &fakeip, 0, type,
52262 +                                      protocol, GR_BIND, &current->signal->saved_ip);
52263 +               }
52264 +               /* we'll log when they use connect or bind */
52265 +               goto exit;
52266 +       }
52267 +
52268 +exit_fail:
52269 +       if (domain == PF_INET)
52270 +               gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain), 
52271 +                           gr_socktype_to_name(type), gr_proto_to_name(protocol));
52272 +       else
52273 +               gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain), 
52274 +                           gr_socktype_to_name(type), protocol);
52275 +
52276 +       return 0;
52277 +exit:
52278 +       return 1;
52279 +}
52280 +
52281 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
52282 +{
52283 +       if ((ip->mode & mode) &&
52284 +           (ip_port >= ip->low) &&
52285 +           (ip_port <= ip->high) &&
52286 +           ((ntohl(ip_addr) & our_netmask) ==
52287 +            (ntohl(our_addr) & our_netmask))
52288 +           && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
52289 +           && (ip->type & (1 << type))) {
52290 +               if (ip->mode & GR_INVERT)
52291 +                       return 2; // specifically denied
52292 +               else
52293 +                       return 1; // allowed
52294 +       }
52295 +
52296 +       return 0; // not specifically allowed, may continue parsing
52297 +}
52298 +
52299 +static int
52300 +gr_search_connectbind(const int full_mode, struct sock *sk,
52301 +                     struct sockaddr_in *addr, const int type)
52302 +{
52303 +       char iface[IFNAMSIZ] = {0};
52304 +       struct acl_subject_label *curr;
52305 +       struct acl_ip_label *ip;
52306 +       struct inet_sock *isk;
52307 +       struct net_device *dev;
52308 +       struct in_device *idev;
52309 +       unsigned long i;
52310 +       int ret;
52311 +       int mode = full_mode & (GR_BIND | GR_CONNECT);
52312 +       __u32 ip_addr = 0;
52313 +       __u32 our_addr;
52314 +       __u32 our_netmask;
52315 +       char *p;
52316 +       __u16 ip_port = 0;
52317 +       const struct cred *cred = current_cred();
52318 +
52319 +       if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
52320 +               return 0;
52321 +
52322 +       curr = current->acl;
52323 +       isk = inet_sk(sk);
52324 +
52325 +       /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
52326 +       if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
52327 +               addr->sin_addr.s_addr = curr->inaddr_any_override;
52328 +       if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
52329 +               struct sockaddr_in saddr;
52330 +               int err;
52331 +
52332 +               saddr.sin_family = AF_INET;
52333 +               saddr.sin_addr.s_addr = curr->inaddr_any_override;
52334 +               saddr.sin_port = isk->inet_sport;
52335 +
52336 +               err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
52337 +               if (err)
52338 +                       return err;
52339 +
52340 +               err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
52341 +               if (err)
52342 +                       return err;
52343 +       }
52344 +
52345 +       if (!curr->ips)
52346 +               return 0;
52347 +
52348 +       ip_addr = addr->sin_addr.s_addr;
52349 +       ip_port = ntohs(addr->sin_port);
52350 +
52351 +       if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52352 +               security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52353 +                              current->role->roletype, cred->uid,
52354 +                              cred->gid, current->exec_file ?
52355 +                              gr_to_filename(current->exec_file->f_path.dentry,
52356 +                              current->exec_file->f_path.mnt) :
52357 +                              curr->filename, curr->filename,
52358 +                              &ip_addr, ip_port, type,
52359 +                              sk->sk_protocol, mode, &current->signal->saved_ip);
52360 +               return 0;
52361 +       }
52362 +
52363 +       for (i = 0; i < curr->ip_num; i++) {
52364 +               ip = *(curr->ips + i);
52365 +               if (ip->iface != NULL) {
52366 +                       strncpy(iface, ip->iface, IFNAMSIZ - 1);
52367 +                       p = strchr(iface, ':');
52368 +                       if (p != NULL)
52369 +                               *p = '\0';
52370 +                       dev = dev_get_by_name(sock_net(sk), iface);
52371 +                       if (dev == NULL)
52372 +                               continue;
52373 +                       idev = in_dev_get(dev);
52374 +                       if (idev == NULL) {
52375 +                               dev_put(dev);
52376 +                               continue;
52377 +                       }
52378 +                       rcu_read_lock();
52379 +                       for_ifa(idev) {
52380 +                               if (!strcmp(ip->iface, ifa->ifa_label)) {
52381 +                                       our_addr = ifa->ifa_address;
52382 +                                       our_netmask = 0xffffffff;
52383 +                                       ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
52384 +                                       if (ret == 1) {
52385 +                                               rcu_read_unlock();
52386 +                                               in_dev_put(idev);
52387 +                                               dev_put(dev);
52388 +                                               return 0;
52389 +                                       } else if (ret == 2) {
52390 +                                               rcu_read_unlock();
52391 +                                               in_dev_put(idev);
52392 +                                               dev_put(dev);
52393 +                                               goto denied;
52394 +                                       }
52395 +                               }
52396 +                       } endfor_ifa(idev);
52397 +                       rcu_read_unlock();
52398 +                       in_dev_put(idev);
52399 +                       dev_put(dev);
52400 +               } else {
52401 +                       our_addr = ip->addr;
52402 +                       our_netmask = ip->netmask;
52403 +                       ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
52404 +                       if (ret == 1)
52405 +                               return 0;
52406 +                       else if (ret == 2)
52407 +                               goto denied;
52408 +               }
52409 +       }
52410 +
52411 +denied:
52412 +       if (mode == GR_BIND)
52413 +               gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
52414 +       else if (mode == GR_CONNECT)
52415 +               gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
52416 +
52417 +       return -EACCES;
52418 +}
52419 +
52420 +int
52421 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
52422 +{
52423 +       return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
52424 +}
52425 +
52426 +int
52427 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
52428 +{
52429 +       return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
52430 +}
52431 +
52432 +int gr_search_listen(struct socket *sock)
52433 +{
52434 +       struct sock *sk = sock->sk;
52435 +       struct sockaddr_in addr;
52436 +
52437 +       addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
52438 +       addr.sin_port = inet_sk(sk)->inet_sport;
52439 +
52440 +       return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
52441 +}
52442 +
52443 +int gr_search_accept(struct socket *sock)
52444 +{
52445 +       struct sock *sk = sock->sk;
52446 +       struct sockaddr_in addr;
52447 +
52448 +       addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
52449 +       addr.sin_port = inet_sk(sk)->inet_sport;
52450 +
52451 +       return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
52452 +}
52453 +
52454 +int
52455 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
52456 +{
52457 +       if (addr)
52458 +               return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
52459 +       else {
52460 +               struct sockaddr_in sin;
52461 +               const struct inet_sock *inet = inet_sk(sk);
52462 +
52463 +               sin.sin_addr.s_addr = inet->inet_daddr;
52464 +               sin.sin_port = inet->inet_dport;
52465 +
52466 +               return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
52467 +       }
52468 +}
52469 +
52470 +int
52471 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
52472 +{
52473 +       struct sockaddr_in sin;
52474 +
52475 +       if (unlikely(skb->len < sizeof (struct udphdr)))
52476 +               return 0;       // skip this packet
52477 +
52478 +       sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
52479 +       sin.sin_port = udp_hdr(skb)->source;
52480 +
52481 +       return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
52482 +}
52483 diff -urNp linux-3.0.9/grsecurity/gracl_learn.c linux-3.0.9/grsecurity/gracl_learn.c
52484 --- linux-3.0.9/grsecurity/gracl_learn.c        1969-12-31 19:00:00.000000000 -0500
52485 +++ linux-3.0.9/grsecurity/gracl_learn.c        2011-11-15 20:02:59.000000000 -0500
52486 @@ -0,0 +1,207 @@
52487 +#include <linux/kernel.h>
52488 +#include <linux/mm.h>
52489 +#include <linux/sched.h>
52490 +#include <linux/poll.h>
52491 +#include <linux/string.h>
52492 +#include <linux/file.h>
52493 +#include <linux/types.h>
52494 +#include <linux/vmalloc.h>
52495 +#include <linux/grinternal.h>
52496 +
52497 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
52498 +                                  size_t count, loff_t *ppos);
52499 +extern int gr_acl_is_enabled(void);
52500 +
52501 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
52502 +static int gr_learn_attached;
52503 +
52504 +/* use a 512k buffer */
52505 +#define LEARN_BUFFER_SIZE (512 * 1024)
52506 +
52507 +static DEFINE_SPINLOCK(gr_learn_lock);
52508 +static DEFINE_MUTEX(gr_learn_user_mutex);
52509 +
52510 +/* we need to maintain two buffers, so that the kernel context of grlearn
52511 +   uses a semaphore around the userspace copying, and the other kernel contexts
52512 +   use a spinlock when copying into the buffer, since they cannot sleep
52513 +*/
52514 +static char *learn_buffer;
52515 +static char *learn_buffer_user;
52516 +static int learn_buffer_len;
52517 +static int learn_buffer_user_len;
52518 +
52519 +static ssize_t
52520 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
52521 +{
52522 +       DECLARE_WAITQUEUE(wait, current);
52523 +       ssize_t retval = 0;
52524 +
52525 +       add_wait_queue(&learn_wait, &wait);
52526 +       set_current_state(TASK_INTERRUPTIBLE);
52527 +       do {
52528 +               mutex_lock(&gr_learn_user_mutex);
52529 +               spin_lock(&gr_learn_lock);
52530 +               if (learn_buffer_len)
52531 +                       break;
52532 +               spin_unlock(&gr_learn_lock);
52533 +               mutex_unlock(&gr_learn_user_mutex);
52534 +               if (file->f_flags & O_NONBLOCK) {
52535 +                       retval = -EAGAIN;
52536 +                       goto out;
52537 +               }
52538 +               if (signal_pending(current)) {
52539 +                       retval = -ERESTARTSYS;
52540 +                       goto out;
52541 +               }
52542 +
52543 +               schedule();
52544 +       } while (1);
52545 +
52546 +       memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
52547 +       learn_buffer_user_len = learn_buffer_len;
52548 +       retval = learn_buffer_len;
52549 +       learn_buffer_len = 0;
52550 +
52551 +       spin_unlock(&gr_learn_lock);
52552 +
52553 +       if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
52554 +               retval = -EFAULT;
52555 +
52556 +       mutex_unlock(&gr_learn_user_mutex);
52557 +out:
52558 +       set_current_state(TASK_RUNNING);
52559 +       remove_wait_queue(&learn_wait, &wait);
52560 +       return retval;
52561 +}
52562 +
52563 +static unsigned int
52564 +poll_learn(struct file * file, poll_table * wait)
52565 +{
52566 +       poll_wait(file, &learn_wait, wait);
52567 +
52568 +       if (learn_buffer_len)
52569 +               return (POLLIN | POLLRDNORM);
52570 +
52571 +       return 0;
52572 +}
52573 +
52574 +void
52575 +gr_clear_learn_entries(void)
52576 +{
52577 +       char *tmp;
52578 +
52579 +       mutex_lock(&gr_learn_user_mutex);
52580 +       spin_lock(&gr_learn_lock);
52581 +       tmp = learn_buffer;
52582 +       learn_buffer = NULL;
52583 +       spin_unlock(&gr_learn_lock);
52584 +       if (tmp)
52585 +               vfree(tmp);
52586 +       if (learn_buffer_user != NULL) {
52587 +               vfree(learn_buffer_user);
52588 +               learn_buffer_user = NULL;
52589 +       }
52590 +       learn_buffer_len = 0;
52591 +       mutex_unlock(&gr_learn_user_mutex);
52592 +
52593 +       return;
52594 +}
52595 +
52596 +void
52597 +gr_add_learn_entry(const char *fmt, ...)
52598 +{
52599 +       va_list args;
52600 +       unsigned int len;
52601 +
52602 +       if (!gr_learn_attached)
52603 +               return;
52604 +
52605 +       spin_lock(&gr_learn_lock);
52606 +
52607 +       /* leave a gap at the end so we know when it's "full" but don't have to
52608 +          compute the exact length of the string we're trying to append
52609 +       */
52610 +       if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
52611 +               spin_unlock(&gr_learn_lock);
52612 +               wake_up_interruptible(&learn_wait);
52613 +               return;
52614 +       }
52615 +       if (learn_buffer == NULL) {
52616 +               spin_unlock(&gr_learn_lock);
52617 +               return;
52618 +       }
52619 +
52620 +       va_start(args, fmt);
52621 +       len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
52622 +       va_end(args);
52623 +
52624 +       learn_buffer_len += len + 1;
52625 +
52626 +       spin_unlock(&gr_learn_lock);
52627 +       wake_up_interruptible(&learn_wait);
52628 +
52629 +       return;
52630 +}
52631 +
52632 +static int
52633 +open_learn(struct inode *inode, struct file *file)
52634 +{
52635 +       if (file->f_mode & FMODE_READ && gr_learn_attached)
52636 +               return -EBUSY;
52637 +       if (file->f_mode & FMODE_READ) {
52638 +               int retval = 0;
52639 +               mutex_lock(&gr_learn_user_mutex);
52640 +               if (learn_buffer == NULL)
52641 +                       learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
52642 +               if (learn_buffer_user == NULL)
52643 +                       learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
52644 +               if (learn_buffer == NULL) {
52645 +                       retval = -ENOMEM;
52646 +                       goto out_error;
52647 +               }
52648 +               if (learn_buffer_user == NULL) {
52649 +                       retval = -ENOMEM;
52650 +                       goto out_error;
52651 +               }
52652 +               learn_buffer_len = 0;
52653 +               learn_buffer_user_len = 0;
52654 +               gr_learn_attached = 1;
52655 +out_error:
52656 +               mutex_unlock(&gr_learn_user_mutex);
52657 +               return retval;
52658 +       }
52659 +       return 0;
52660 +}
52661 +
52662 +static int
52663 +close_learn(struct inode *inode, struct file *file)
52664 +{
52665 +       if (file->f_mode & FMODE_READ) {
52666 +               char *tmp = NULL;
52667 +               mutex_lock(&gr_learn_user_mutex);
52668 +               spin_lock(&gr_learn_lock);
52669 +               tmp = learn_buffer;
52670 +               learn_buffer = NULL;
52671 +               spin_unlock(&gr_learn_lock);
52672 +               if (tmp)
52673 +                       vfree(tmp);
52674 +               if (learn_buffer_user != NULL) {
52675 +                       vfree(learn_buffer_user);
52676 +                       learn_buffer_user = NULL;
52677 +               }
52678 +               learn_buffer_len = 0;
52679 +               learn_buffer_user_len = 0;
52680 +               gr_learn_attached = 0;
52681 +               mutex_unlock(&gr_learn_user_mutex);
52682 +       }
52683 +
52684 +       return 0;
52685 +}
52686 +               
52687 +const struct file_operations grsec_fops = {
52688 +       .read           = read_learn,
52689 +       .write          = write_grsec_handler,
52690 +       .open           = open_learn,
52691 +       .release        = close_learn,
52692 +       .poll           = poll_learn,
52693 +};
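Review bot: In gr_add_learn_entry the value returned by vsnprintf is the length the entry would have had, not the number of bytes stored, so a single entry larger than the space left after the 16 KiB gap advances learn_buffer_len past LEARN_BUFFER_SIZE, and the memcpy and copy_to_user in read_learn then read beyond learn_buffer. The kernel's `vscnprintf` returns the bytes actually written (at most size - 1), which keeps `learn_buffer_len += len + 1` inside the buffer: `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);`. Separately, open_learn tests gr_learn_attached before taking gr_learn_user_mutex, so two concurrent readers can both pass the -EBUSY check and both mark themselves attached; performing that test after `mutex_lock(&gr_learn_user_mutex);` closes the window.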
52694 diff -urNp linux-3.0.9/grsecurity/gracl_res.c linux-3.0.9/grsecurity/gracl_res.c
52695 --- linux-3.0.9/grsecurity/gracl_res.c  1969-12-31 19:00:00.000000000 -0500
52696 +++ linux-3.0.9/grsecurity/gracl_res.c  2011-11-15 20:02:59.000000000 -0500
52697 @@ -0,0 +1,68 @@
52698 +#include <linux/kernel.h>
52699 +#include <linux/sched.h>
52700 +#include <linux/gracl.h>
52701 +#include <linux/grinternal.h>
52702 +
52703 +static const char *restab_log[] = {
52704 +       [RLIMIT_CPU] = "RLIMIT_CPU",
52705 +       [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
52706 +       [RLIMIT_DATA] = "RLIMIT_DATA",
52707 +       [RLIMIT_STACK] = "RLIMIT_STACK",
52708 +       [RLIMIT_CORE] = "RLIMIT_CORE",
52709 +       [RLIMIT_RSS] = "RLIMIT_RSS",
52710 +       [RLIMIT_NPROC] = "RLIMIT_NPROC",
52711 +       [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
52712 +       [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
52713 +       [RLIMIT_AS] = "RLIMIT_AS",
52714 +       [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
52715 +       [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
52716 +       [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
52717 +       [RLIMIT_NICE] = "RLIMIT_NICE",
52718 +       [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
52719 +       [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
52720 +       [GR_CRASH_RES] = "RLIMIT_CRASH"
52721 +};
52722 +
52723 +void
52724 +gr_log_resource(const struct task_struct *task,
52725 +               const int res, const unsigned long wanted, const int gt)
52726 +{
52727 +       const struct cred *cred;
52728 +       unsigned long rlim;
52729 +
52730 +       if (!gr_acl_is_enabled() && !grsec_resource_logging)
52731 +               return;
52732 +
52733 +       // not yet supported resource
52734 +       if (unlikely(!restab_log[res]))
52735 +               return;
52736 +
52737 +       if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
52738 +               rlim = task_rlimit_max(task, res);
52739 +       else
52740 +               rlim = task_rlimit(task, res);
52741 +
52742 +       if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
52743 +               return;
52744 +
52745 +       rcu_read_lock();
52746 +       cred = __task_cred(task);
52747 +
52748 +       if (res == RLIMIT_NPROC && 
52749 +           (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) || 
52750 +            cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
52751 +               goto out_rcu_unlock;
52752 +       else if (res == RLIMIT_MEMLOCK &&
52753 +                cap_raised(cred->cap_effective, CAP_IPC_LOCK))
52754 +               goto out_rcu_unlock;
52755 +       else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
52756 +               goto out_rcu_unlock;
52757 +       rcu_read_unlock();
52758 +
52759 +       gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
52760 +
52761 +       return;
52762 +out_rcu_unlock:
52763 +       rcu_read_unlock();
52764 +       return;
52765 +}
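Review bot: gr_log_resource indexes restab_log[res] before establishing that res lies within the table, so a negative value or one beyond the GR_CRASH_RES slot reads past the array; the callers presumably pass validated rlimit numbers, but this hook is the natural place to make that explicit rather than rely on every caller. Replacing the "not yet supported resource" test with `if (res < 0 || res >= ARRAY_SIZE(restab_log) || unlikely(!restab_log[res])) return;` bounds the lookup using the ARRAY_SIZE macro from the already included linux/kernel.h. A one-line comment on the RLIMIT_CPU/RLIMIT_RTTIME branch explaining why those two compare against the hard limit rather than the soft limit would also help the next reader.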
52766 diff -urNp linux-3.0.9/grsecurity/gracl_segv.c linux-3.0.9/grsecurity/gracl_segv.c
52767 --- linux-3.0.9/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
52768 +++ linux-3.0.9/grsecurity/gracl_segv.c 2011-11-15 20:02:59.000000000 -0500
52769 @@ -0,0 +1,299 @@
52770 +#include <linux/kernel.h>
52771 +#include <linux/mm.h>
52772 +#include <asm/uaccess.h>
52773 +#include <asm/errno.h>
52774 +#include <asm/mman.h>
52775 +#include <net/sock.h>
52776 +#include <linux/file.h>
52777 +#include <linux/fs.h>
52778 +#include <linux/net.h>
52779 +#include <linux/in.h>
52780 +#include <linux/slab.h>
52781 +#include <linux/types.h>
52782 +#include <linux/sched.h>
52783 +#include <linux/timer.h>
52784 +#include <linux/gracl.h>
52785 +#include <linux/grsecurity.h>
52786 +#include <linux/grinternal.h>
52787 +
52788 +static struct crash_uid *uid_set;
52789 +static unsigned short uid_used;
52790 +static DEFINE_SPINLOCK(gr_uid_lock);
52791 +extern rwlock_t gr_inode_lock;
52792 +extern struct acl_subject_label *
52793 +       lookup_acl_subj_label(const ino_t inode, const dev_t dev,
52794 +                             struct acl_role_label *role);
52795 +
52796 +#ifdef CONFIG_BTRFS_FS
52797 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
52798 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
52799 +#endif
52800 +
52801 +static inline dev_t __get_dev(const struct dentry *dentry)
52802 +{
52803 +#ifdef CONFIG_BTRFS_FS
52804 +       if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
52805 +               return get_btrfs_dev_from_inode(dentry->d_inode);
52806 +       else
52807 +#endif
52808 +               return dentry->d_inode->i_sb->s_dev;
52809 +}
52810 +
52811 +int
52812 +gr_init_uidset(void)
52813 +{
52814 +       uid_set =
52815 +           kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
52816 +       uid_used = 0;
52817 +
52818 +       return uid_set ? 1 : 0;
52819 +}
52820 +
52821 +void
52822 +gr_free_uidset(void)
52823 +{
52824 +       if (uid_set)
52825 +               kfree(uid_set);
52826 +
52827 +       return;
52828 +}
52829 +
52830 +int
52831 +gr_find_uid(const uid_t uid)
52832 +{
52833 +       struct crash_uid *tmp = uid_set;
52834 +       uid_t buid;
52835 +       int low = 0, high = uid_used - 1, mid;
52836 +
52837 +       while (high >= low) {
52838 +               mid = (low + high) >> 1;
52839 +               buid = tmp[mid].uid;
52840 +               if (buid == uid)
52841 +                       return mid;
52842 +               if (buid > uid)
52843 +                       high = mid - 1;
52844 +               if (buid < uid)
52845 +                       low = mid + 1;
52846 +       }
52847 +
52848 +       return -1;
52849 +}
52850 +
52851 +static __inline__ void
52852 +gr_insertsort(void)
52853 +{
52854 +       unsigned short i, j;
52855 +       struct crash_uid index;
52856 +
52857 +       for (i = 1; i < uid_used; i++) {
52858 +               index = uid_set[i];
52859 +               j = i;
52860 +               while ((j > 0) && uid_set[j - 1].uid > index.uid) {
52861 +                       uid_set[j] = uid_set[j - 1];
52862 +                       j--;
52863 +               }
52864 +               uid_set[j] = index;
52865 +       }
52866 +
52867 +       return;
52868 +}
52869 +
52870 +static __inline__ void
52871 +gr_insert_uid(const uid_t uid, const unsigned long expires)
52872 +{
52873 +       int loc;
52874 +
52875 +       if (uid_used == GR_UIDTABLE_MAX)
52876 +               return;
52877 +
52878 +       loc = gr_find_uid(uid);
52879 +
52880 +       if (loc >= 0) {
52881 +               uid_set[loc].expires = expires;
52882 +               return;
52883 +       }
52884 +
52885 +       uid_set[uid_used].uid = uid;
52886 +       uid_set[uid_used].expires = expires;
52887 +       uid_used++;
52888 +
52889 +       gr_insertsort();
52890 +
52891 +       return;
52892 +}
52893 +
52894 +void
52895 +gr_remove_uid(const unsigned short loc)
52896 +{
52897 +       unsigned short i;
52898 +
52899 +       for (i = loc + 1; i < uid_used; i++)
52900 +               uid_set[i - 1] = uid_set[i];
52901 +
52902 +       uid_used--;
52903 +
52904 +       return;
52905 +}
52906 +
52907 +int
52908 +gr_check_crash_uid(const uid_t uid)
52909 +{
52910 +       int loc;
52911 +       int ret = 0;
52912 +
52913 +       if (unlikely(!gr_acl_is_enabled()))
52914 +               return 0;
52915 +
52916 +       spin_lock(&gr_uid_lock);
52917 +       loc = gr_find_uid(uid);
52918 +
52919 +       if (loc < 0)
52920 +               goto out_unlock;
52921 +
52922 +       if (time_before_eq(uid_set[loc].expires, get_seconds()))
52923 +               gr_remove_uid(loc);
52924 +       else
52925 +               ret = 1;
52926 +
52927 +out_unlock:
52928 +       spin_unlock(&gr_uid_lock);
52929 +       return ret;
52930 +}
52931 +
52932 +static __inline__ int
52933 +proc_is_setxid(const struct cred *cred)
52934 +{
52935 +       if (cred->uid != cred->euid || cred->uid != cred->suid ||
52936 +           cred->uid != cred->fsuid)
52937 +               return 1;
52938 +       if (cred->gid != cred->egid || cred->gid != cred->sgid ||
52939 +           cred->gid != cred->fsgid)
52940 +               return 1;
52941 +
52942 +       return 0;
52943 +}
52944 +
52945 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
52946 +
52947 +void
52948 +gr_handle_crash(struct task_struct *task, const int sig)
52949 +{
52950 +       struct acl_subject_label *curr;
52951 +       struct task_struct *tsk, *tsk2;
52952 +       const struct cred *cred;
52953 +       const struct cred *cred2;
52954 +
52955 +       if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
52956 +               return;
52957 +
52958 +       if (unlikely(!gr_acl_is_enabled()))
52959 +               return;
52960 +
52961 +       curr = task->acl;
52962 +
52963 +       if (!(curr->resmask & (1 << GR_CRASH_RES)))
52964 +               return;
52965 +
52966 +       if (time_before_eq(curr->expires, get_seconds())) {
52967 +               curr->expires = 0;
52968 +               curr->crashes = 0;
52969 +       }
52970 +
52971 +       curr->crashes++;
52972 +
52973 +       if (!curr->expires)
52974 +               curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
52975 +
52976 +       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
52977 +           time_after(curr->expires, get_seconds())) {
52978 +               rcu_read_lock();
52979 +               cred = __task_cred(task);
52980 +               if (cred->uid && proc_is_setxid(cred)) {
52981 +                       gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52982 +                       spin_lock(&gr_uid_lock);
52983 +                       gr_insert_uid(cred->uid, curr->expires);
52984 +                       spin_unlock(&gr_uid_lock);
52985 +                       curr->expires = 0;
52986 +                       curr->crashes = 0;
52987 +                       read_lock(&tasklist_lock);
52988 +                       do_each_thread(tsk2, tsk) {
52989 +                               cred2 = __task_cred(tsk);
52990 +                               if (tsk != task && cred2->uid == cred->uid)
52991 +                                       gr_fake_force_sig(SIGKILL, tsk);
52992 +                       } while_each_thread(tsk2, tsk);
52993 +                       read_unlock(&tasklist_lock);
52994 +               } else {
52995 +                       gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52996 +                       read_lock(&tasklist_lock);
52997 +                       read_lock(&grsec_exec_file_lock);
52998 +                       do_each_thread(tsk2, tsk) {
52999 +                               if (likely(tsk != task)) {
53000 +                                       // if this thread has the same subject as the one that triggered
53001 +                                       // RES_CRASH and it's the same binary, kill it
53002 +                                       if (tsk->acl == task->acl && tsk->exec_file == task->exec_file)
53003 +                                               gr_fake_force_sig(SIGKILL, tsk);
53004 +                               }
53005 +                       } while_each_thread(tsk2, tsk);
53006 +                       read_unlock(&grsec_exec_file_lock);
53007 +                       read_unlock(&tasklist_lock);
53008 +               }
53009 +               rcu_read_unlock();
53010 +       }
53011 +
53012 +       return;
53013 +}
53014 +
53015 +int
53016 +gr_check_crash_exec(const struct file *filp)
53017 +{
53018 +       struct acl_subject_label *curr;
53019 +
53020 +       if (unlikely(!gr_acl_is_enabled()))
53021 +               return 0;
53022 +
53023 +       read_lock(&gr_inode_lock);
53024 +       curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
53025 +                                    __get_dev(filp->f_path.dentry),
53026 +                                    current->role);
53027 +       read_unlock(&gr_inode_lock);
53028 +
53029 +       if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
53030 +           (!curr->crashes && !curr->expires))
53031 +               return 0;
53032 +
53033 +       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
53034 +           time_after(curr->expires, get_seconds()))
53035 +               return 1;
53036 +       else if (time_before_eq(curr->expires, get_seconds())) {
53037 +               curr->crashes = 0;
53038 +               curr->expires = 0;
53039 +       }
53040 +
53041 +       return 0;
53042 +}
53043 +
53044 +void
53045 +gr_handle_alertkill(struct task_struct *task)
53046 +{
53047 +       struct acl_subject_label *curracl;
53048 +       __u32 curr_ip;
53049 +       struct task_struct *p, *p2;
53050 +
53051 +       if (unlikely(!gr_acl_is_enabled()))
53052 +               return;
53053 +
53054 +       curracl = task->acl;
53055 +       curr_ip = task->signal->curr_ip;
53056 +
53057 +       if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
53058 +               read_lock(&tasklist_lock);
53059 +               do_each_thread(p2, p) {
53060 +                       if (p->signal->curr_ip == curr_ip)
53061 +                               gr_fake_force_sig(SIGKILL, p);
53062 +               } while_each_thread(p2, p);
53063 +               read_unlock(&tasklist_lock);
53064 +       } else if (curracl->mode & GR_KILLPROC)
53065 +               gr_fake_force_sig(SIGKILL, task);
53066 +
53067 +       return;
53068 +}
53069 diff -urNp linux-3.0.9/grsecurity/gracl_shm.c linux-3.0.9/grsecurity/gracl_shm.c
53070 --- linux-3.0.9/grsecurity/gracl_shm.c  1969-12-31 19:00:00.000000000 -0500
53071 +++ linux-3.0.9/grsecurity/gracl_shm.c  2011-11-15 20:02:59.000000000 -0500
53072 @@ -0,0 +1,40 @@
53073 +#include <linux/kernel.h>
53074 +#include <linux/mm.h>
53075 +#include <linux/sched.h>
53076 +#include <linux/file.h>
53077 +#include <linux/ipc.h>
53078 +#include <linux/gracl.h>
53079 +#include <linux/grsecurity.h>
53080 +#include <linux/grinternal.h>
53081 +
53082 +int
53083 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53084 +               const time_t shm_createtime, const uid_t cuid, const int shmid)
53085 +{
53086 +       struct task_struct *task;
53087 +
53088 +       if (!gr_acl_is_enabled())
53089 +               return 1;
53090 +
53091 +       rcu_read_lock();
53092 +       read_lock(&tasklist_lock);
53093 +
53094 +       task = find_task_by_vpid(shm_cprid);
53095 +
53096 +       if (unlikely(!task))
53097 +               task = find_task_by_vpid(shm_lapid);
53098 +
53099 +       if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
53100 +                             (task->pid == shm_lapid)) &&
53101 +                    (task->acl->mode & GR_PROTSHM) &&
53102 +                    (task->acl != current->acl))) {
53103 +               read_unlock(&tasklist_lock);
53104 +               rcu_read_unlock();
53105 +               gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
53106 +               return 0;
53107 +       }
53108 +       read_unlock(&tasklist_lock);
53109 +       rcu_read_unlock();
53110 +
53111 +       return 1;
53112 +}
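Review bot: The pid-reuse handling in gr_handle_shmat is weaker than in gr_chroot_shmat later in this same patch: the `shm_lapid` lookup runs only when no task at all has `shm_cprid`, so when that pid has been recycled by an unrelated process started after the segment was created, the `time_before_eq(...)` test fails and the function returns 1 without ever consulting `shm_lapid`. gr_chroot_shmat handles this case explicitly ("creator exited, pid reuse, fall through to next check"). If the intent is the same here, discard a recycled creator before the fallback: `if (task && task->pid != shm_lapid && time_after((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime)) task = NULL;` placed between the two lookups, so the existing `if (unlikely(!task))` then tries `shm_lapid`. Note also that gr_chroot_shmat uses `find_task_by_vpid_unrestricted` while this function uses `find_task_by_vpid`; whether the difference is deliberate is not visible here and is worth a comment.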
53113 diff -urNp linux-3.0.9/grsecurity/grsec_chdir.c linux-3.0.9/grsecurity/grsec_chdir.c
53114 --- linux-3.0.9/grsecurity/grsec_chdir.c        1969-12-31 19:00:00.000000000 -0500
53115 +++ linux-3.0.9/grsecurity/grsec_chdir.c        2011-11-15 20:02:59.000000000 -0500
53116 @@ -0,0 +1,19 @@
53117 +#include <linux/kernel.h>
53118 +#include <linux/sched.h>
53119 +#include <linux/fs.h>
53120 +#include <linux/file.h>
53121 +#include <linux/grsecurity.h>
53122 +#include <linux/grinternal.h>
53123 +
53124 +void
53125 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
53126 +{
53127 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
53128 +       if ((grsec_enable_chdir && grsec_enable_group &&
53129 +            in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
53130 +                                             !grsec_enable_group)) {
53131 +               gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
53132 +       }
53133 +#endif
53134 +       return;
53135 +}
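Review bot: The audit condition in gr_log_chdir repeats `grsec_enable_chdir` in both disjuncts and reads awkwardly across three lines; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is equivalent and states the policy directly (log when enabled, and either group gating is off or the caller is in the audit group). The same expanded pattern recurs in gr_handle_exec_args in grsec_exec.c further down the patch and would benefit from the same rewrite. A one-line comment above the condition, `/* audit chdir either for everyone or only for members of grsec_audit_gid */`, would make the gating intent clear to readers.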
53136 diff -urNp linux-3.0.9/grsecurity/grsec_chroot.c linux-3.0.9/grsecurity/grsec_chroot.c
53137 --- linux-3.0.9/grsecurity/grsec_chroot.c       1969-12-31 19:00:00.000000000 -0500
53138 +++ linux-3.0.9/grsecurity/grsec_chroot.c       2011-11-15 20:02:59.000000000 -0500
53139 @@ -0,0 +1,351 @@
53140 +#include <linux/kernel.h>
53141 +#include <linux/module.h>
53142 +#include <linux/sched.h>
53143 +#include <linux/file.h>
53144 +#include <linux/fs.h>
53145 +#include <linux/mount.h>
53146 +#include <linux/types.h>
53147 +#include <linux/pid_namespace.h>
53148 +#include <linux/grsecurity.h>
53149 +#include <linux/grinternal.h>
53150 +
53151 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
53152 +{
53153 +#ifdef CONFIG_GRKERNSEC
53154 +       if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
53155 +                            path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
53156 +               task->gr_is_chrooted = 1;
53157 +       else
53158 +               task->gr_is_chrooted = 0;
53159 +
53160 +       task->gr_chroot_dentry = path->dentry;
53161 +#endif
53162 +       return;
53163 +}
53164 +
53165 +void gr_clear_chroot_entries(struct task_struct *task)
53166 +{
53167 +#ifdef CONFIG_GRKERNSEC
53168 +       task->gr_is_chrooted = 0;
53169 +       task->gr_chroot_dentry = NULL;
53170 +#endif
53171 +       return;
53172 +}      
53173 +
53174 +int
53175 +gr_handle_chroot_unix(const pid_t pid)
53176 +{
53177 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
53178 +       struct task_struct *p;
53179 +
53180 +       if (unlikely(!grsec_enable_chroot_unix))
53181 +               return 1;
53182 +
53183 +       if (likely(!proc_is_chrooted(current)))
53184 +               return 1;
53185 +
53186 +       rcu_read_lock();
53187 +       read_lock(&tasklist_lock);
53188 +       p = find_task_by_vpid_unrestricted(pid);
53189 +       if (unlikely(p && !have_same_root(current, p))) {
53190 +               read_unlock(&tasklist_lock);
53191 +               rcu_read_unlock();
53192 +               gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
53193 +               return 0;
53194 +       }
53195 +       read_unlock(&tasklist_lock);
53196 +       rcu_read_unlock();
53197 +#endif
53198 +       return 1;
53199 +}
53200 +
53201 +int
53202 +gr_handle_chroot_nice(void)
53203 +{
53204 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53205 +       if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
53206 +               gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
53207 +               return -EPERM;
53208 +       }
53209 +#endif
53210 +       return 0;
53211 +}
53212 +
53213 +int
53214 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
53215 +{
53216 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53217 +       if (grsec_enable_chroot_nice && (niceval < task_nice(p))
53218 +                       && proc_is_chrooted(current)) {
53219 +               gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
53220 +               return -EACCES;
53221 +       }
53222 +#endif
53223 +       return 0;
53224 +}
53225 +
53226 +int
53227 +gr_handle_chroot_rawio(const struct inode *inode)
53228 +{
53229 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53230 +       if (grsec_enable_chroot_caps && proc_is_chrooted(current) && 
53231 +           inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
53232 +               return 1;
53233 +#endif
53234 +       return 0;
53235 +}
53236 +
53237 +int
53238 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
53239 +{
53240 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53241 +       struct task_struct *p;
53242 +       int ret = 0;
53243 +       if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
53244 +               return ret;
53245 +
53246 +       read_lock(&tasklist_lock);
53247 +       do_each_pid_task(pid, type, p) {
53248 +               if (!have_same_root(current, p)) {
53249 +                       ret = 1;
53250 +                       goto out;
53251 +               }
53252 +       } while_each_pid_task(pid, type, p);
53253 +out:
53254 +       read_unlock(&tasklist_lock);
53255 +       return ret;
53256 +#endif
53257 +       return 0;
53258 +}
53259 +
53260 +int
53261 +gr_pid_is_chrooted(struct task_struct *p)
53262 +{
53263 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53264 +       if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
53265 +               return 0;
53266 +
53267 +       if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
53268 +           !have_same_root(current, p)) {
53269 +               return 1;
53270 +       }
53271 +#endif
53272 +       return 0;
53273 +}
53274 +
53275 +EXPORT_SYMBOL(gr_pid_is_chrooted);
53276 +
53277 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
53278 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
53279 +{
53280 +       struct path path, currentroot;
53281 +       int ret = 0;
53282 +
53283 +       path.dentry = (struct dentry *)u_dentry;
53284 +       path.mnt = (struct vfsmount *)u_mnt;
53285 +       get_fs_root(current->fs, &currentroot);
53286 +       if (path_is_under(&path, &currentroot))
53287 +               ret = 1;
53288 +       path_put(&currentroot);
53289 +
53290 +       return ret;
53291 +}
53292 +#endif
53293 +
53294 +int
53295 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
53296 +{
53297 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
53298 +       if (!grsec_enable_chroot_fchdir)
53299 +               return 1;
53300 +
53301 +       if (!proc_is_chrooted(current))
53302 +               return 1;
53303 +       else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
53304 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
53305 +               return 0;
53306 +       }
53307 +#endif
53308 +       return 1;
53309 +}
53310 +
53311 +int
53312 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53313 +               const time_t shm_createtime)
53314 +{
53315 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
53316 +       struct task_struct *p;
53317 +       time_t starttime;
53318 +
53319 +       if (unlikely(!grsec_enable_chroot_shmat))
53320 +               return 1;
53321 +
53322 +       if (likely(!proc_is_chrooted(current)))
53323 +               return 1;
53324 +
53325 +       rcu_read_lock();
53326 +       read_lock(&tasklist_lock);
53327 +
53328 +       if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
53329 +               starttime = p->start_time.tv_sec;
53330 +               if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
53331 +                       if (have_same_root(current, p)) {
53332 +                               goto allow;
53333 +                       } else {
53334 +                               read_unlock(&tasklist_lock);
53335 +                               rcu_read_unlock();
53336 +                               gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
53337 +                               return 0;
53338 +                       }
53339 +               }
53340 +               /* creator exited, pid reuse, fall through to next check */
53341 +       }
53342 +       if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
53343 +               if (unlikely(!have_same_root(current, p))) {
53344 +                       read_unlock(&tasklist_lock);
53345 +                       rcu_read_unlock();
53346 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
53347 +                       return 0;
53348 +               }
53349 +       }
53350 +
53351 +allow:
53352 +       read_unlock(&tasklist_lock);
53353 +       rcu_read_unlock();
53354 +#endif
53355 +       return 1;
53356 +}
53357 +
53358 +void
53359 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
53360 +{
53361 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
53362 +       if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
53363 +               gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
53364 +#endif
53365 +       return;
53366 +}
53367 +
53368 +int
53369 +gr_handle_chroot_mknod(const struct dentry *dentry,
53370 +                      const struct vfsmount *mnt, const int mode)
53371 +{
53372 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
53373 +       if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) && 
53374 +           proc_is_chrooted(current)) {
53375 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
53376 +               return -EPERM;
53377 +       }
53378 +#endif
53379 +       return 0;
53380 +}
53381 +
53382 +int
53383 +gr_handle_chroot_mount(const struct dentry *dentry,
53384 +                      const struct vfsmount *mnt, const char *dev_name)
53385 +{
53386 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
53387 +       if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
53388 +               gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
53389 +               return -EPERM;
53390 +       }
53391 +#endif
53392 +       return 0;
53393 +}
53394 +
53395 +int
53396 +gr_handle_chroot_pivot(void)
53397 +{
53398 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
53399 +       if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
53400 +               gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
53401 +               return -EPERM;
53402 +       }
53403 +#endif
53404 +       return 0;
53405 +}
53406 +
53407 +int
53408 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
53409 +{
53410 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
53411 +       if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
53412 +           !gr_is_outside_chroot(dentry, mnt)) {
53413 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
53414 +               return -EPERM;
53415 +       }
53416 +#endif
53417 +       return 0;
53418 +}
53419 +
53420 +extern const char *captab_log[];
53421 +extern int captab_log_entries;
53422 +
53423 +int
53424 +gr_chroot_is_capable(const int cap)
53425 +{
53426 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53427 +       if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
53428 +               kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
53429 +               if (cap_raised(chroot_caps, cap)) {
53430 +                       const struct cred *creds = current_cred();
53431 +                       if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
53432 +                               gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
53433 +                       }
53434 +                       return 0;
53435 +               }
53436 +       }
53437 +#endif
53438 +       return 1;
53439 +}
53440 +
53441 +int
53442 +gr_chroot_is_capable_nolog(const int cap)
53443 +{
53444 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53445 +       if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
53446 +               kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
53447 +               if (cap_raised(chroot_caps, cap)) {
53448 +                       return 0;
53449 +               }
53450 +       }
53451 +#endif
53452 +       return 1;
53453 +}
53454 +
53455 +int
53456 +gr_handle_chroot_sysctl(const int op)
53457 +{
53458 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
53459 +       if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
53460 +           proc_is_chrooted(current))
53461 +               return -EACCES;
53462 +#endif
53463 +       return 0;
53464 +}
53465 +
53466 +void
53467 +gr_handle_chroot_chdir(struct path *path)
53468 +{
53469 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
53470 +       if (grsec_enable_chroot_chdir)
53471 +               set_fs_pwd(current->fs, path);
53472 +#endif
53473 +       return;
53474 +}
53475 +
53476 +int
53477 +gr_handle_chroot_chmod(const struct dentry *dentry,
53478 +                      const struct vfsmount *mnt, const int mode)
53479 +{
53480 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
53481 +       /* allow chmod +s on directories, but not files */
53482 +       if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
53483 +           ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
53484 +           proc_is_chrooted(current)) {
53485 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
53486 +               return -EPERM;
53487 +       }
53488 +#endif
53489 +       return 0;
53490 +}
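Review bot: gr_is_outside_chroot returns 1 when `path_is_under(&path, &currentroot)` is true, i.e. when the path is *inside* the caller's current root, and both callers (gr_chroot_fchdir and gr_handle_chroot_chroot) deny on `!gr_is_outside_chroot(...)`; the behaviour is consistent but the name says the opposite, which is an easy source of a future inverted check. Unless a rename is acceptable, add above the definition: `/* Returns 1 when (u_dentry, u_mnt) lies under current's root, 0 when it escapes it; despite the name, callers deny on 0. */`, and note that the casts dropping `const` from `u_dentry`/`u_mnt` exist only because `struct path` holds non-const pointers and the path is not modified. Separately, in gr_handle_chroot_fowner the trailing `return 0;` is unreachable when CONFIG_GRKERNSEC_CHROOT_FINDTASK is set because `return ret;` precedes the `#endif`; moving the `#endif` above `return ret;` and dropping the duplicate return would match the fall-through shape used by gr_pid_is_chrooted and the other helpers in this file.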
53491 diff -urNp linux-3.0.9/grsecurity/grsec_disabled.c linux-3.0.9/grsecurity/grsec_disabled.c
53492 --- linux-3.0.9/grsecurity/grsec_disabled.c     1969-12-31 19:00:00.000000000 -0500
53493 +++ linux-3.0.9/grsecurity/grsec_disabled.c     2011-11-15 20:02:59.000000000 -0500
53494 @@ -0,0 +1,439 @@
53495 +#include <linux/kernel.h>
53496 +#include <linux/module.h>
53497 +#include <linux/sched.h>
53498 +#include <linux/file.h>
53499 +#include <linux/fs.h>
53500 +#include <linux/kdev_t.h>
53501 +#include <linux/net.h>
53502 +#include <linux/in.h>
53503 +#include <linux/ip.h>
53504 +#include <linux/skbuff.h>
53505 +#include <linux/sysctl.h>
53506 +
53507 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
53508 +void
53509 +pax_set_initial_flags(struct linux_binprm *bprm)
53510 +{
53511 +       return;
53512 +}
53513 +#endif
53514 +
53515 +#ifdef CONFIG_SYSCTL
53516 +__u32
53517 +gr_handle_sysctl(const struct ctl_table * table, const int op)
53518 +{
53519 +       return 0;
53520 +}
53521 +#endif
53522 +
53523 +#ifdef CONFIG_TASKSTATS
53524 +int gr_is_taskstats_denied(int pid)
53525 +{
53526 +       return 0;
53527 +}
53528 +#endif
53529 +
53530 +int
53531 +gr_acl_is_enabled(void)
53532 +{
53533 +       return 0;
53534 +}
53535 +
53536 +void
53537 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode) 
53538 +{
53539 +       return;
53540 +}
53541 +
53542 +int
53543 +gr_handle_rawio(const struct inode *inode)
53544 +{
53545 +       return 0;
53546 +}
53547 +
53548 +void
53549 +gr_acl_handle_psacct(struct task_struct *task, const long code)
53550 +{
53551 +       return;
53552 +}
53553 +
53554 +int
53555 +gr_handle_ptrace(struct task_struct *task, const long request)
53556 +{
53557 +       return 0;
53558 +}
53559 +
53560 +int
53561 +gr_handle_proc_ptrace(struct task_struct *task)
53562 +{
53563 +       return 0;
53564 +}
53565 +
53566 +void
53567 +gr_learn_resource(const struct task_struct *task,
53568 +                 const int res, const unsigned long wanted, const int gt)
53569 +{
53570 +       return;
53571 +}
53572 +
53573 +int
53574 +gr_set_acls(const int type)
53575 +{
53576 +       return 0;
53577 +}
53578 +
53579 +int
53580 +gr_check_hidden_task(const struct task_struct *tsk)
53581 +{
53582 +       return 0;
53583 +}
53584 +
53585 +int
53586 +gr_check_protected_task(const struct task_struct *task)
53587 +{
53588 +       return 0;
53589 +}
53590 +
53591 +int
53592 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53593 +{
53594 +       return 0;
53595 +}
53596 +
53597 +void
53598 +gr_copy_label(struct task_struct *tsk)
53599 +{
53600 +       return;
53601 +}
53602 +
53603 +void
53604 +gr_set_pax_flags(struct task_struct *task)
53605 +{
53606 +       return;
53607 +}
53608 +
53609 +int
53610 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
53611 +                 const int unsafe_share)
53612 +{
53613 +       return 0;
53614 +}
53615 +
53616 +void
53617 +gr_handle_delete(const ino_t ino, const dev_t dev)
53618 +{
53619 +       return;
53620 +}
53621 +
53622 +void
53623 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
53624 +{
53625 +       return;
53626 +}
53627 +
53628 +void
53629 +gr_handle_crash(struct task_struct *task, const int sig)
53630 +{
53631 +       return;
53632 +}
53633 +
53634 +int
53635 +gr_check_crash_exec(const struct file *filp)
53636 +{
53637 +       return 0;
53638 +}
53639 +
53640 +int
53641 +gr_check_crash_uid(const uid_t uid)
53642 +{
53643 +       return 0;
53644 +}
53645 +
53646 +void
53647 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
53648 +                struct dentry *old_dentry,
53649 +                struct dentry *new_dentry,
53650 +                struct vfsmount *mnt, const __u8 replace)
53651 +{
53652 +       return;
53653 +}
53654 +
53655 +int
53656 +gr_search_socket(const int family, const int type, const int protocol)
53657 +{
53658 +       return 1;
53659 +}
53660 +
53661 +int
53662 +gr_search_connectbind(const int mode, const struct socket *sock,
53663 +                     const struct sockaddr_in *addr)
53664 +{
53665 +       return 0;
53666 +}
53667 +
53668 +void
53669 +gr_handle_alertkill(struct task_struct *task)
53670 +{
53671 +       return;
53672 +}
53673 +
53674 +__u32
53675 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
53676 +{
53677 +       return 1;
53678 +}
53679 +
53680 +__u32
53681 +gr_acl_handle_hidden_file(const struct dentry * dentry,
53682 +                         const struct vfsmount * mnt)
53683 +{
53684 +       return 1;
53685 +}
53686 +
53687 +__u32
53688 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
53689 +                  const int fmode)
53690 +{
53691 +       return 1;
53692 +}
53693 +
53694 +__u32
53695 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
53696 +{
53697 +       return 1;
53698 +}
53699 +
53700 +__u32
53701 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
53702 +{
53703 +       return 1;
53704 +}
53705 +
53706 +int
53707 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
53708 +                  unsigned int *vm_flags)
53709 +{
53710 +       return 1;
53711 +}
53712 +
53713 +__u32
53714 +gr_acl_handle_truncate(const struct dentry * dentry,
53715 +                      const struct vfsmount * mnt)
53716 +{
53717 +       return 1;
53718 +}
53719 +
53720 +__u32
53721 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
53722 +{
53723 +       return 1;
53724 +}
53725 +
53726 +__u32
53727 +gr_acl_handle_access(const struct dentry * dentry,
53728 +                    const struct vfsmount * mnt, const int fmode)
53729 +{
53730 +       return 1;
53731 +}
53732 +
53733 +__u32
53734 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
53735 +                    mode_t mode)
53736 +{
53737 +       return 1;
53738 +}
53739 +
53740 +__u32
53741 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
53742 +                   mode_t mode)
53743 +{
53744 +       return 1;
53745 +}
53746 +
53747 +__u32
53748 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
53749 +{
53750 +       return 1;
53751 +}
53752 +
53753 +__u32
53754 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
53755 +{
53756 +       return 1;
53757 +}
53758 +
53759 +void
53760 +grsecurity_init(void)
53761 +{
53762 +       return;
53763 +}
53764 +
53765 +__u32
53766 +gr_acl_handle_mknod(const struct dentry * new_dentry,
53767 +                   const struct dentry * parent_dentry,
53768 +                   const struct vfsmount * parent_mnt,
53769 +                   const int mode)
53770 +{
53771 +       return 1;
53772 +}
53773 +
53774 +__u32
53775 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
53776 +                   const struct dentry * parent_dentry,
53777 +                   const struct vfsmount * parent_mnt)
53778 +{
53779 +       return 1;
53780 +}
53781 +
53782 +__u32
53783 +gr_acl_handle_symlink(const struct dentry * new_dentry,
53784 +                     const struct dentry * parent_dentry,
53785 +                     const struct vfsmount * parent_mnt, const char *from)
53786 +{
53787 +       return 1;
53788 +}
53789 +
53790 +__u32
53791 +gr_acl_handle_link(const struct dentry * new_dentry,
53792 +                  const struct dentry * parent_dentry,
53793 +                  const struct vfsmount * parent_mnt,
53794 +                  const struct dentry * old_dentry,
53795 +                  const struct vfsmount * old_mnt, const char *to)
53796 +{
53797 +       return 1;
53798 +}
53799 +
53800 +int
53801 +gr_acl_handle_rename(const struct dentry *new_dentry,
53802 +                    const struct dentry *parent_dentry,
53803 +                    const struct vfsmount *parent_mnt,
53804 +                    const struct dentry *old_dentry,
53805 +                    const struct inode *old_parent_inode,
53806 +                    const struct vfsmount *old_mnt, const char *newname)
53807 +{
53808 +       return 0;
53809 +}
53810 +
53811 +int
53812 +gr_acl_handle_filldir(const struct file *file, const char *name,
53813 +                     const int namelen, const ino_t ino)
53814 +{
53815 +       return 1;
53816 +}
53817 +
53818 +int
53819 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53820 +               const time_t shm_createtime, const uid_t cuid, const int shmid)
53821 +{
53822 +       return 1;
53823 +}
53824 +
53825 +int
53826 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
53827 +{
53828 +       return 0;
53829 +}
53830 +
53831 +int
53832 +gr_search_accept(const struct socket *sock)
53833 +{
53834 +       return 0;
53835 +}
53836 +
53837 +int
53838 +gr_search_listen(const struct socket *sock)
53839 +{
53840 +       return 0;
53841 +}
53842 +
53843 +int
53844 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
53845 +{
53846 +       return 0;
53847 +}
53848 +
53849 +__u32
53850 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
53851 +{
53852 +       return 1;
53853 +}
53854 +
53855 +__u32
53856 +gr_acl_handle_creat(const struct dentry * dentry,
53857 +                   const struct dentry * p_dentry,
53858 +                   const struct vfsmount * p_mnt, const int fmode,
53859 +                   const int imode)
53860 +{
53861 +       return 1;
53862 +}
53863 +
53864 +void
53865 +gr_acl_handle_exit(void)
53866 +{
53867 +       return;
53868 +}
53869 +
53870 +int
53871 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
53872 +{
53873 +       return 1;
53874 +}
53875 +
53876 +void
53877 +gr_set_role_label(const uid_t uid, const gid_t gid)
53878 +{
53879 +       return;
53880 +}
53881 +
53882 +int
53883 +gr_acl_handle_procpidmem(const struct task_struct *task)
53884 +{
53885 +       return 0;
53886 +}
53887 +
53888 +int
53889 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
53890 +{
53891 +       return 0;
53892 +}
53893 +
53894 +int
53895 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
53896 +{
53897 +       return 0;
53898 +}
53899 +
53900 +void
53901 +gr_set_kernel_label(struct task_struct *task)
53902 +{
53903 +       return;
53904 +}
53905 +
53906 +int
53907 +gr_check_user_change(int real, int effective, int fs)
53908 +{
53909 +       return 0;
53910 +}
53911 +
53912 +int
53913 +gr_check_group_change(int real, int effective, int fs)
53914 +{
53915 +       return 0;
53916 +}
53917 +
53918 +int gr_acl_enable_at_secure(void)
53919 +{
53920 +       return 0;
53921 +}
53922 +
53923 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
53924 +{
53925 +       return dentry->d_inode->i_sb->s_dev;
53926 +}
53927 +
53928 +EXPORT_SYMBOL(gr_learn_resource);
53929 +EXPORT_SYMBOL(gr_set_kernel_label);
53930 +#ifdef CONFIG_SECURITY
53931 +EXPORT_SYMBOL(gr_check_user_change);
53932 +EXPORT_SYMBOL(gr_check_group_change);
53933 +#endif
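Review bot: grsec_disabled.c has no header comment explaining that these are the no-op replacements used when grsecurity is compiled out, and the stubs use mixed return conventions that a reader cannot reconcile from this file alone: gr_search_socket returns 1 while gr_search_connectbind, gr_search_bind, gr_search_accept and gr_search_listen return 0, and gr_acl_handle_rename returns 0 while every other gr_acl_handle_* hook returns 1. Presumably each value is the "permit" result of the corresponding real implementation, but that should be stated; a file-level comment such as `/* Stubs for !CONFIG_GRKERNSEC: every hook is a no-op and returns the value its real implementation uses to mean "allow" (1 for gr_acl_handle_*/gr_search_socket, 0 for gr_search_* and gr_acl_handle_rename). */` would let maintainers verify the stubs against the enabled versions. gr_get_dev_from_dentry is the only stub that dereferences its argument (`dentry->d_inode->i_sb->s_dev`); if any caller can reach it with a negative dentry this will fault even with grsecurity disabled, so a comment on the caller contract is warranted.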
53934 diff -urNp linux-3.0.9/grsecurity/grsec_exec.c linux-3.0.9/grsecurity/grsec_exec.c
53935 --- linux-3.0.9/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
53936 +++ linux-3.0.9/grsecurity/grsec_exec.c 2011-11-15 20:02:59.000000000 -0500
53937 @@ -0,0 +1,146 @@
53938 +#include <linux/kernel.h>
53939 +#include <linux/sched.h>
53940 +#include <linux/file.h>
53941 +#include <linux/binfmts.h>
53942 +#include <linux/fs.h>
53943 +#include <linux/types.h>
53944 +#include <linux/grdefs.h>
53945 +#include <linux/grsecurity.h>
53946 +#include <linux/grinternal.h>
53947 +#include <linux/capability.h>
53948 +#include <linux/module.h>
53949 +
53950 +#include <asm/uaccess.h>
53951 +
53952 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53953 +static char gr_exec_arg_buf[132];
53954 +static DEFINE_MUTEX(gr_exec_arg_mutex);
53955 +#endif
53956 +
53957 +extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
53958 +
53959 +void
53960 +gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
53961 +{
53962 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53963 +       char *grarg = gr_exec_arg_buf;
53964 +       unsigned int i, x, execlen = 0;
53965 +       char c;
53966 +
53967 +       if (!((grsec_enable_execlog && grsec_enable_group &&
53968 +              in_group_p(grsec_audit_gid))
53969 +             || (grsec_enable_execlog && !grsec_enable_group)))
53970 +               return;
53971 +
53972 +       mutex_lock(&gr_exec_arg_mutex);
53973 +       memset(grarg, 0, sizeof(gr_exec_arg_buf));
53974 +
53975 +       for (i = 0; i < bprm->argc && execlen < 128; i++) {
53976 +               const char __user *p;
53977 +               unsigned int len;
53978 +
53979 +               p = get_user_arg_ptr(argv, i);
53980 +               if (IS_ERR(p))
53981 +                       goto log;
53982 +
53983 +               len = strnlen_user(p, 128 - execlen);
53984 +               if (len > 128 - execlen)
53985 +                       len = 128 - execlen;
53986 +               else if (len > 0)
53987 +                       len--;
53988 +               if (copy_from_user(grarg + execlen, p, len))
53989 +                       goto log;
53990 +
53991 +               /* rewrite unprintable characters */
53992 +               for (x = 0; x < len; x++) {
53993 +                       c = *(grarg + execlen + x);
53994 +                       if (c < 32 || c > 126)
53995 +                               *(grarg + execlen + x) = ' ';
53996 +               }
53997 +
53998 +               execlen += len;
53999 +               *(grarg + execlen) = ' ';
54000 +               *(grarg + execlen + 1) = '\0';
54001 +               execlen++;
54002 +       }
54003 +
54004 +      log:
54005 +       gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
54006 +                       bprm->file->f_path.mnt, grarg);
54007 +       mutex_unlock(&gr_exec_arg_mutex);
54008 +#endif
54009 +       return;
54010 +}
54011 +
54012 +#ifdef CONFIG_GRKERNSEC
54013 +extern int gr_acl_is_capable(const int cap);
54014 +extern int gr_acl_is_capable_nolog(const int cap);
54015 +extern int gr_chroot_is_capable(const int cap);
54016 +extern int gr_chroot_is_capable_nolog(const int cap);
54017 +#endif
54018 +
54019 +const char *captab_log[] = {
54020 +       "CAP_CHOWN",
54021 +       "CAP_DAC_OVERRIDE",
54022 +       "CAP_DAC_READ_SEARCH",
54023 +       "CAP_FOWNER",
54024 +       "CAP_FSETID",
54025 +       "CAP_KILL",
54026 +       "CAP_SETGID",
54027 +       "CAP_SETUID",
54028 +       "CAP_SETPCAP",
54029 +       "CAP_LINUX_IMMUTABLE",
54030 +       "CAP_NET_BIND_SERVICE",
54031 +       "CAP_NET_BROADCAST",
54032 +       "CAP_NET_ADMIN",
54033 +       "CAP_NET_RAW",
54034 +       "CAP_IPC_LOCK",
54035 +       "CAP_IPC_OWNER",
54036 +       "CAP_SYS_MODULE",
54037 +       "CAP_SYS_RAWIO",
54038 +       "CAP_SYS_CHROOT",
54039 +       "CAP_SYS_PTRACE",
54040 +       "CAP_SYS_PACCT",
54041 +       "CAP_SYS_ADMIN",
54042 +       "CAP_SYS_BOOT",
54043 +       "CAP_SYS_NICE",
54044 +       "CAP_SYS_RESOURCE",
54045 +       "CAP_SYS_TIME",
54046 +       "CAP_SYS_TTY_CONFIG",
54047 +       "CAP_MKNOD",
54048 +       "CAP_LEASE",
54049 +       "CAP_AUDIT_WRITE",
54050 +       "CAP_AUDIT_CONTROL",
54051 +       "CAP_SETFCAP",
54052 +       "CAP_MAC_OVERRIDE",
54053 +       "CAP_MAC_ADMIN",
54054 +       "CAP_SYSLOG",
54055 +       "CAP_WAKE_ALARM"
54056 +};
54057 +
54058 +int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
54059 +
54060 +int gr_is_capable(const int cap)
54061 +{
54062 +#ifdef CONFIG_GRKERNSEC
54063 +       if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
54064 +               return 1;
54065 +       return 0;
54066 +#else
54067 +       return 1;
54068 +#endif
54069 +}
54070 +
54071 +int gr_is_capable_nolog(const int cap)
54072 +{
54073 +#ifdef CONFIG_GRKERNSEC
54074 +       if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
54075 +               return 1;
54076 +       return 0;
54077 +#else
54078 +       return 1;
54079 +#endif
54080 +}
54081 +
54082 +EXPORT_SYMBOL(gr_is_capable);
54083 +EXPORT_SYMBOL(gr_is_capable_nolog);
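Review bot: `captab_log` and `captab_log_entries` are writable globals although nothing in this hunk modifies them; declaring them `const char * const captab_log[]` and `const int captab_log_entries` would place the capability-name table in read-only memory, provided the extern declarations in the consumers (not visible here) are updated to match. In gr_handle_exec_args the bounds 128 and 132 are coupled (the loop stops at 128 bytes and then writes a separator and NUL at `grarg + execlen` and `+ 1`) but nothing says so; a comment above `gr_exec_arg_buf` such as `/* 128 bytes of argv text + trailing ' ' + NUL; 132 leaves slack */` would make the bound checks reviewable. The unprintable-character rewrite at `if (c < 32 || c > 126)` happens to work for either signedness of `char` (high bytes fail one side or the other), but reading `c` as `unsigned char` would make that independent of the ABI and obvious to the reader.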
54084 diff -urNp linux-3.0.9/grsecurity/grsec_fifo.c linux-3.0.9/grsecurity/grsec_fifo.c
54085 --- linux-3.0.9/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
54086 +++ linux-3.0.9/grsecurity/grsec_fifo.c 2011-11-15 20:02:59.000000000 -0500
54087 @@ -0,0 +1,24 @@
54088 +#include <linux/kernel.h>
54089 +#include <linux/sched.h>
54090 +#include <linux/fs.h>
54091 +#include <linux/file.h>
54092 +#include <linux/grinternal.h>
54093 +
54094 +int
54095 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
54096 +              const struct dentry *dir, const int flag, const int acc_mode)
54097 +{
54098 +#ifdef CONFIG_GRKERNSEC_FIFO
54099 +       const struct cred *cred = current_cred();
54100 +
54101 +       if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
54102 +           !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
54103 +           (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
54104 +           (cred->fsuid != dentry->d_inode->i_uid)) {
54105 +               if (!inode_permission(dentry->d_inode, acc_mode))
54106 +                       gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
54107 +               return -EACCES;
54108 +       }
54109 +#endif
54110 +       return 0;
54111 +}
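Review bot: The `return -EACCES;` applies whenever the outer condition holds, while the `gr_log_fs_int2` call is conditioned on `inode_permission()` succeeding — the indentation makes this easy to misread as a logged-and-denied pair. A comment above the inner `if`, e.g. `/* deny unconditionally; log only when DAC alone would have allowed the open, to avoid duplicate noise */`, would pin the intent, assuming that is the intent. The condition also dereferences `dentry->d_inode` and `dir->d_inode` without a NULL check; if the callers guarantee a positive dentry, that precondition belongs in a comment on the function.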
54112 diff -urNp linux-3.0.9/grsecurity/grsec_fork.c linux-3.0.9/grsecurity/grsec_fork.c
54113 --- linux-3.0.9/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
54114 +++ linux-3.0.9/grsecurity/grsec_fork.c 2011-11-15 20:02:59.000000000 -0500
54115 @@ -0,0 +1,23 @@
54116 +#include <linux/kernel.h>
54117 +#include <linux/sched.h>
54118 +#include <linux/grsecurity.h>
54119 +#include <linux/grinternal.h>
54120 +#include <linux/errno.h>
54121 +
54122 +void
54123 +gr_log_forkfail(const int retval)
54124 +{
54125 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
54126 +       if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
54127 +               switch (retval) {
54128 +                       case -EAGAIN:
54129 +                               gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
54130 +                               break;
54131 +                       case -ENOMEM:
54132 +                               gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
54133 +                               break;
54134 +               }
54135 +       }
54136 +#endif
54137 +       return;
54138 +}
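Review bot: In gr_log_forkfail the outer `if` already restricts `retval` to -EAGAIN or -ENOMEM, so the `switch` repeats that test and, having no `default:`, silently does nothing if a third value is ever added to the outer check without a matching case. Either drop the `retval == -EAGAIN || retval == -ENOMEM` part and give the switch a `default: break;`, or collapse the body to `const char *why = (retval == -EAGAIN) ? "EAGAIN" : "ENOMEM"; gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, why);` inside the existing guard.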
54139 diff -urNp linux-3.0.9/grsecurity/grsec_init.c linux-3.0.9/grsecurity/grsec_init.c
54140 --- linux-3.0.9/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
54141 +++ linux-3.0.9/grsecurity/grsec_init.c 2011-11-15 20:02:59.000000000 -0500
54142 @@ -0,0 +1,269 @@
54143 +#include <linux/kernel.h>
54144 +#include <linux/sched.h>
54145 +#include <linux/mm.h>
54146 +#include <linux/gracl.h>
54147 +#include <linux/slab.h>
54148 +#include <linux/vmalloc.h>
54149 +#include <linux/percpu.h>
54150 +#include <linux/module.h>
54151 +
54152 +int grsec_enable_brute;
54153 +int grsec_enable_link;
54154 +int grsec_enable_dmesg;
54155 +int grsec_enable_harden_ptrace;
54156 +int grsec_enable_fifo;
54157 +int grsec_enable_execlog;
54158 +int grsec_enable_signal;
54159 +int grsec_enable_forkfail;
54160 +int grsec_enable_audit_ptrace;
54161 +int grsec_enable_time;
54162 +int grsec_enable_audit_textrel;
54163 +int grsec_enable_group;
54164 +int grsec_audit_gid;
54165 +int grsec_enable_chdir;
54166 +int grsec_enable_mount;
54167 +int grsec_enable_rofs;
54168 +int grsec_enable_chroot_findtask;
54169 +int grsec_enable_chroot_mount;
54170 +int grsec_enable_chroot_shmat;
54171 +int grsec_enable_chroot_fchdir;
54172 +int grsec_enable_chroot_double;
54173 +int grsec_enable_chroot_pivot;
54174 +int grsec_enable_chroot_chdir;
54175 +int grsec_enable_chroot_chmod;
54176 +int grsec_enable_chroot_mknod;
54177 +int grsec_enable_chroot_nice;
54178 +int grsec_enable_chroot_execlog;
54179 +int grsec_enable_chroot_caps;
54180 +int grsec_enable_chroot_sysctl;
54181 +int grsec_enable_chroot_unix;
54182 +int grsec_enable_tpe;
54183 +int grsec_tpe_gid;
54184 +int grsec_enable_blackhole;
54185 +#ifdef CONFIG_IPV6_MODULE
54186 +EXPORT_SYMBOL(grsec_enable_blackhole);
54187 +#endif
54188 +int grsec_lastack_retries;
54189 +int grsec_enable_tpe_all;
54190 +int grsec_enable_tpe_invert;
54191 +int grsec_enable_socket_all;
54192 +int grsec_socket_all_gid;
54193 +int grsec_enable_socket_client;
54194 +int grsec_socket_client_gid;
54195 +int grsec_enable_socket_server;
54196 +int grsec_socket_server_gid;
54197 +int grsec_resource_logging;
54198 +int grsec_disable_privio;
54199 +int grsec_enable_log_rwxmaps;
54200 +int grsec_lock;
54201 +
54202 +DEFINE_SPINLOCK(grsec_alert_lock);
54203 +unsigned long grsec_alert_wtime = 0;
54204 +unsigned long grsec_alert_fyet = 0;
54205 +
54206 +DEFINE_SPINLOCK(grsec_audit_lock);
54207 +
54208 +DEFINE_RWLOCK(grsec_exec_file_lock);
54209 +
54210 +char *gr_shared_page[4];
54211 +
54212 +char *gr_alert_log_fmt;
54213 +char *gr_audit_log_fmt;
54214 +char *gr_alert_log_buf;
54215 +char *gr_audit_log_buf;
54216 +
54217 +extern struct gr_arg *gr_usermode;
54218 +extern unsigned char *gr_system_salt;
54219 +extern unsigned char *gr_system_sum;
54220 +
54221 +void __init
54222 +grsecurity_init(void)
54223 +{
54224 +       int j;
54225 +       /* create the per-cpu shared pages */
54226 +
54227 +#ifdef CONFIG_X86
54228 +       memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
54229 +#endif
54230 +
54231 +       for (j = 0; j < 4; j++) {
54232 +               gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
54233 +               if (gr_shared_page[j] == NULL) {
54234 +                       panic("Unable to allocate grsecurity shared page");
54235 +                       return;
54236 +               }
54237 +       }
54238 +
54239 +       /* allocate log buffers */
54240 +       gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
54241 +       if (!gr_alert_log_fmt) {
54242 +               panic("Unable to allocate grsecurity alert log format buffer");
54243 +               return;
54244 +       }
54245 +       gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
54246 +       if (!gr_audit_log_fmt) {
54247 +               panic("Unable to allocate grsecurity audit log format buffer");
54248 +               return;
54249 +       }
54250 +       gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54251 +       if (!gr_alert_log_buf) {
54252 +               panic("Unable to allocate grsecurity alert log buffer");
54253 +               return;
54254 +       }
54255 +       gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54256 +       if (!gr_audit_log_buf) {
54257 +               panic("Unable to allocate grsecurity audit log buffer");
54258 +               return;
54259 +       }
54260 +
54261 +       /* allocate memory for authentication structure */
54262 +       gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
54263 +       gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
54264 +       gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
54265 +
54266 +       if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
54267 +               panic("Unable to allocate grsecurity authentication structure");
54268 +               return;
54269 +       }
54270 +
54271 +
54272 +#ifdef CONFIG_GRKERNSEC_IO
54273 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
54274 +       grsec_disable_privio = 1;
54275 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
54276 +       grsec_disable_privio = 1;
54277 +#else
54278 +       grsec_disable_privio = 0;
54279 +#endif
54280 +#endif
54281 +
54282 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
54283 +       /* for backward compatibility, tpe_invert always defaults to on if
54284 +          enabled in the kernel
54285 +       */
54286 +       grsec_enable_tpe_invert = 1;
54287 +#endif
54288 +
54289 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
54290 +#ifndef CONFIG_GRKERNSEC_SYSCTL
54291 +       grsec_lock = 1;
54292 +#endif
54293 +
54294 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
54295 +       grsec_enable_audit_textrel = 1;
54296 +#endif
54297 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54298 +       grsec_enable_log_rwxmaps = 1;
54299 +#endif
54300 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
54301 +       grsec_enable_group = 1;
54302 +       grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
54303 +#endif
54304 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
54305 +       grsec_enable_chdir = 1;
54306 +#endif
54307 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
54308 +       grsec_enable_harden_ptrace = 1;
54309 +#endif
54310 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54311 +       grsec_enable_mount = 1;
54312 +#endif
54313 +#ifdef CONFIG_GRKERNSEC_LINK
54314 +       grsec_enable_link = 1;
54315 +#endif
54316 +#ifdef CONFIG_GRKERNSEC_BRUTE
54317 +       grsec_enable_brute = 1;
54318 +#endif
54319 +#ifdef CONFIG_GRKERNSEC_DMESG
54320 +       grsec_enable_dmesg = 1;
54321 +#endif
54322 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54323 +       grsec_enable_blackhole = 1;
54324 +       grsec_lastack_retries = 4;
54325 +#endif
54326 +#ifdef CONFIG_GRKERNSEC_FIFO
54327 +       grsec_enable_fifo = 1;
54328 +#endif
54329 +#ifdef CONFIG_GRKERNSEC_EXECLOG
54330 +       grsec_enable_execlog = 1;
54331 +#endif
54332 +#ifdef CONFIG_GRKERNSEC_SIGNAL
54333 +       grsec_enable_signal = 1;
54334 +#endif
54335 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
54336 +       grsec_enable_forkfail = 1;
54337 +#endif
54338 +#ifdef CONFIG_GRKERNSEC_TIME
54339 +       grsec_enable_time = 1;
54340 +#endif
54341 +#ifdef CONFIG_GRKERNSEC_RESLOG
54342 +       grsec_resource_logging = 1;
54343 +#endif
54344 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
54345 +       grsec_enable_chroot_findtask = 1;
54346 +#endif
54347 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
54348 +       grsec_enable_chroot_unix = 1;
54349 +#endif
54350 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
54351 +       grsec_enable_chroot_mount = 1;
54352 +#endif
54353 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
54354 +       grsec_enable_chroot_fchdir = 1;
54355 +#endif
54356 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
54357 +       grsec_enable_chroot_shmat = 1;
54358 +#endif
54359 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
54360 +       grsec_enable_audit_ptrace = 1;
54361 +#endif
54362 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
54363 +       grsec_enable_chroot_double = 1;
54364 +#endif
54365 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
54366 +       grsec_enable_chroot_pivot = 1;
54367 +#endif
54368 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
54369 +       grsec_enable_chroot_chdir = 1;
54370 +#endif
54371 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
54372 +       grsec_enable_chroot_chmod = 1;
54373 +#endif
54374 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
54375 +       grsec_enable_chroot_mknod = 1;
54376 +#endif
54377 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
54378 +       grsec_enable_chroot_nice = 1;
54379 +#endif
54380 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
54381 +       grsec_enable_chroot_execlog = 1;
54382 +#endif
54383 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
54384 +       grsec_enable_chroot_caps = 1;
54385 +#endif
54386 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
54387 +       grsec_enable_chroot_sysctl = 1;
54388 +#endif
54389 +#ifdef CONFIG_GRKERNSEC_TPE
54390 +       grsec_enable_tpe = 1;
54391 +       grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
54392 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
54393 +       grsec_enable_tpe_all = 1;
54394 +#endif
54395 +#endif
54396 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
54397 +       grsec_enable_socket_all = 1;
54398 +       grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
54399 +#endif
54400 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
54401 +       grsec_enable_socket_client = 1;
54402 +       grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
54403 +#endif
54404 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
54405 +       grsec_enable_socket_server = 1;
54406 +       grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
54407 +#endif
54408 +#endif
54409 +
54410 +       return;
54411 +}
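Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` clears a fixed physical address with no explanation; the range 0x41a–0x43d appears to be the BIOS data area keyboard buffer and its head/tail pointers, so the purpose is presumably to wipe keystrokes (e.g. a boot-time passphrase) left behind by the firmware — the line should carry a comment saying so, and ideally a named constant for the address and length. Each `panic(...)` is followed by a `return;` that can never execute; dropping them avoids suggesting that grsecurity_init has a recoverable failure path. The `4` in `for (j = 0; j < 4; j++)` duplicates the size of `gr_shared_page[4]`; `ARRAY_SIZE(gr_shared_page)` keeps them in step. The `(char *)` cast on `__alloc_percpu()` discards the per-cpu address-space annotation that sparse would otherwise check; the consumers presumably convert back with a per-cpu accessor, but that is not visible here.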
54412 diff -urNp linux-3.0.9/grsecurity/grsec_link.c linux-3.0.9/grsecurity/grsec_link.c
54413 --- linux-3.0.9/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
54414 +++ linux-3.0.9/grsecurity/grsec_link.c 2011-11-15 20:02:59.000000000 -0500
54415 @@ -0,0 +1,43 @@
54416 +#include <linux/kernel.h>
54417 +#include <linux/sched.h>
54418 +#include <linux/fs.h>
54419 +#include <linux/file.h>
54420 +#include <linux/grinternal.h>
54421 +
54422 +int
54423 +gr_handle_follow_link(const struct inode *parent,
54424 +                     const struct inode *inode,
54425 +                     const struct dentry *dentry, const struct vfsmount *mnt)
54426 +{
54427 +#ifdef CONFIG_GRKERNSEC_LINK
54428 +       const struct cred *cred = current_cred();
54429 +
54430 +       if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
54431 +           (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
54432 +           (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
54433 +               gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
54434 +               return -EACCES;
54435 +       }
54436 +#endif
54437 +       return 0;
54438 +}
54439 +
54440 +int
54441 +gr_handle_hardlink(const struct dentry *dentry,
54442 +                  const struct vfsmount *mnt,
54443 +                  struct inode *inode, const int mode, const char *to)
54444 +{
54445 +#ifdef CONFIG_GRKERNSEC_LINK
54446 +       const struct cred *cred = current_cred();
54447 +
54448 +       if (grsec_enable_link && cred->fsuid != inode->i_uid &&
54449 +           (!S_ISREG(mode) || (mode & S_ISUID) ||
54450 +            ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
54451 +            (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
54452 +           !capable(CAP_FOWNER) && cred->uid) {
54453 +               gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
54454 +               return -EPERM;
54455 +       }
54456 +#endif
54457 +       return 0;
54458 +}
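Review bot: The hardlink policy in gr_handle_hardlink is a single five-clause condition in which a non-zero `inode_permission(inode, MAY_READ | MAY_WRITE)` means "access denied" — the convention is inverted relative to the other boolean terms and nothing says so. A short comment above the `if` would help: `/* Deny linking to a file we don't own unless it is a plain, non-setuid, non-setgid-executable regular file we may both read and write; CAP_FOWNER or uid 0 bypasses. */`. `cred->uid` is tested as a bare integer; if uid 0 is meant to bypass independently of capabilities, a comment makes that deliberate rather than accidental. gr_handle_follow_link requires the parent directory to be world-writable (`S_IWOTH`) whereas the FIFO check in grsec_fifo.c only requires the sticky bit; if the asymmetry is intended, a comment on one of them would save the next reader the comparison.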
54459 diff -urNp linux-3.0.9/grsecurity/grsec_log.c linux-3.0.9/grsecurity/grsec_log.c
54460 --- linux-3.0.9/grsecurity/grsec_log.c  1969-12-31 19:00:00.000000000 -0500
54461 +++ linux-3.0.9/grsecurity/grsec_log.c  2011-11-15 20:02:59.000000000 -0500
54462 @@ -0,0 +1,322 @@
54463 +#include <linux/kernel.h>
54464 +#include <linux/sched.h>
54465 +#include <linux/file.h>
54466 +#include <linux/tty.h>
54467 +#include <linux/fs.h>
54468 +#include <linux/grinternal.h>
54469 +
54470 +#ifdef CONFIG_TREE_PREEMPT_RCU
54471 +#define DISABLE_PREEMPT() preempt_disable()
54472 +#define ENABLE_PREEMPT() preempt_enable()
54473 +#else
54474 +#define DISABLE_PREEMPT()
54475 +#define ENABLE_PREEMPT()
54476 +#endif
54477 +
54478 +#define BEGIN_LOCKS(x) \
54479 +       DISABLE_PREEMPT(); \
54480 +       rcu_read_lock(); \
54481 +       read_lock(&tasklist_lock); \
54482 +       read_lock(&grsec_exec_file_lock); \
54483 +       if (x != GR_DO_AUDIT) \
54484 +               spin_lock(&grsec_alert_lock); \
54485 +       else \
54486 +               spin_lock(&grsec_audit_lock)
54487 +
54488 +#define END_LOCKS(x) \
54489 +       if (x != GR_DO_AUDIT) \
54490 +               spin_unlock(&grsec_alert_lock); \
54491 +       else \
54492 +               spin_unlock(&grsec_audit_lock); \
54493 +       read_unlock(&grsec_exec_file_lock); \
54494 +       read_unlock(&tasklist_lock); \
54495 +       rcu_read_unlock(); \
54496 +       ENABLE_PREEMPT(); \
54497 +       if (x == GR_DONT_AUDIT) \
54498 +               gr_handle_alertkill(current)
54499 +
54500 +enum {
54501 +       FLOODING,
54502 +       NO_FLOODING
54503 +};
54504 +
54505 +extern char *gr_alert_log_fmt;
54506 +extern char *gr_audit_log_fmt;
54507 +extern char *gr_alert_log_buf;
54508 +extern char *gr_audit_log_buf;
54509 +
54510 +static int gr_log_start(int audit)
54511 +{
54512 +       char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
54513 +       char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
54514 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54515 +#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
54516 +       unsigned long curr_secs = get_seconds();
54517 +
54518 +       if (audit == GR_DO_AUDIT)
54519 +               goto set_fmt;
54520 +
54521 +       if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
54522 +               grsec_alert_wtime = curr_secs;
54523 +               grsec_alert_fyet = 0;
54524 +       } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
54525 +                   && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
54526 +               grsec_alert_fyet++;
54527 +       } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
54528 +               grsec_alert_wtime = curr_secs;
54529 +               grsec_alert_fyet++;
54530 +               printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
54531 +               return FLOODING;
54532 +       }
54533 +       else return FLOODING;
54534 +
54535 +set_fmt:
54536 +#endif
54537 +       memset(buf, 0, PAGE_SIZE);
54538 +       if (current->signal->curr_ip && gr_acl_is_enabled()) {
54539 +               sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
54540 +               snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54541 +       } else if (current->signal->curr_ip) {
54542 +               sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
54543 +               snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
54544 +       } else if (gr_acl_is_enabled()) {
54545 +               sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
54546 +               snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54547 +       } else {
54548 +               sprintf(fmt, "%s%s", loglevel, "grsec: ");
54549 +               strcpy(buf, fmt);
54550 +       }
54551 +
54552 +       return NO_FLOODING;
54553 +}
54554 +
54555 +static void gr_log_middle(int audit, const char *msg, va_list ap)
54556 +       __attribute__ ((format (printf, 2, 0)));
54557 +
54558 +static void gr_log_middle(int audit, const char *msg, va_list ap)
54559 +{
54560 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54561 +       unsigned int len = strlen(buf);
54562 +
54563 +       vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54564 +
54565 +       return;
54566 +}
54567 +
54568 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
54569 +       __attribute__ ((format (printf, 2, 3)));
54570 +
54571 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
54572 +{
54573 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54574 +       unsigned int len = strlen(buf);
54575 +       va_list ap;
54576 +
54577 +       va_start(ap, msg);
54578 +       vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54579 +       va_end(ap);
54580 +
54581 +       return;
54582 +}
54583 +
54584 +static void gr_log_end(int audit, int append_default)
54585 +{
54586 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54587 +
54588 +       if (append_default) {
54589 +               unsigned int len = strlen(buf);
54590 +               snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
54591 +       }
54592 +
54593 +       printk("%s\n", buf);
54594 +
54595 +       return;
54596 +}
54597 +
54598 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
54599 +{
54600 +       int logtype;
54601 +       char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
54602 +       char *str1 = NULL, *str2 = NULL, *str3 = NULL;
54603 +       void *voidptr = NULL;
54604 +       int num1 = 0, num2 = 0;
54605 +       unsigned long ulong1 = 0, ulong2 = 0;
54606 +       struct dentry *dentry = NULL;
54607 +       struct vfsmount *mnt = NULL;
54608 +       struct file *file = NULL;
54609 +       struct task_struct *task = NULL;
54610 +       const struct cred *cred, *pcred;
54611 +       va_list ap;
54612 +
54613 +       BEGIN_LOCKS(audit);
54614 +       logtype = gr_log_start(audit);
54615 +       if (logtype == FLOODING) {
54616 +               END_LOCKS(audit);
54617 +               return;
54618 +       }
54619 +       va_start(ap, argtypes);
54620 +       switch (argtypes) {
54621 +       case GR_TTYSNIFF:
54622 +               task = va_arg(ap, struct task_struct *);
54623 +               gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
54624 +               break;
54625 +       case GR_SYSCTL_HIDDEN:
54626 +               str1 = va_arg(ap, char *);
54627 +               gr_log_middle_varargs(audit, msg, result, str1);
54628 +               break;
54629 +       case GR_RBAC:
54630 +               dentry = va_arg(ap, struct dentry *);
54631 +               mnt = va_arg(ap, struct vfsmount *);
54632 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
54633 +               break;
54634 +       case GR_RBAC_STR:
54635 +               dentry = va_arg(ap, struct dentry *);
54636 +               mnt = va_arg(ap, struct vfsmount *);
54637 +               str1 = va_arg(ap, char *);
54638 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
54639 +               break;
54640 +       case GR_STR_RBAC:
54641 +               str1 = va_arg(ap, char *);
54642 +               dentry = va_arg(ap, struct dentry *);
54643 +               mnt = va_arg(ap, struct vfsmount *);
54644 +               gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
54645 +               break;
54646 +       case GR_RBAC_MODE2:
54647 +               dentry = va_arg(ap, struct dentry *);
54648 +               mnt = va_arg(ap, struct vfsmount *);
54649 +               str1 = va_arg(ap, char *);
54650 +               str2 = va_arg(ap, char *);
54651 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
54652 +               break;
54653 +       case GR_RBAC_MODE3:
54654 +               dentry = va_arg(ap, struct dentry *);
54655 +               mnt = va_arg(ap, struct vfsmount *);
54656 +               str1 = va_arg(ap, char *);
54657 +               str2 = va_arg(ap, char *);
54658 +               str3 = va_arg(ap, char *);
54659 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
54660 +               break;
54661 +       case GR_FILENAME:
54662 +               dentry = va_arg(ap, struct dentry *);
54663 +               mnt = va_arg(ap, struct vfsmount *);
54664 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
54665 +               break;
54666 +       case GR_STR_FILENAME:
54667 +               str1 = va_arg(ap, char *);
54668 +               dentry = va_arg(ap, struct dentry *);
54669 +               mnt = va_arg(ap, struct vfsmount *);
54670 +               gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
54671 +               break;
54672 +       case GR_FILENAME_STR:
54673 +               dentry = va_arg(ap, struct dentry *);
54674 +               mnt = va_arg(ap, struct vfsmount *);
54675 +               str1 = va_arg(ap, char *);
54676 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
54677 +               break;
54678 +       case GR_FILENAME_TWO_INT:
54679 +               dentry = va_arg(ap, struct dentry *);
54680 +               mnt = va_arg(ap, struct vfsmount *);
54681 +               num1 = va_arg(ap, int);
54682 +               num2 = va_arg(ap, int);
54683 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
54684 +               break;
54685 +       case GR_FILENAME_TWO_INT_STR:
54686 +               dentry = va_arg(ap, struct dentry *);
54687 +               mnt = va_arg(ap, struct vfsmount *);
54688 +               num1 = va_arg(ap, int);
54689 +               num2 = va_arg(ap, int);
54690 +               str1 = va_arg(ap, char *);
54691 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
54692 +               break;
54693 +       case GR_TEXTREL:
54694 +               file = va_arg(ap, struct file *);
54695 +               ulong1 = va_arg(ap, unsigned long);
54696 +               ulong2 = va_arg(ap, unsigned long);
54697 +               gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
54698 +               break;
54699 +       case GR_PTRACE:
54700 +               task = va_arg(ap, struct task_struct *);
54701 +               gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
54702 +               break;
54703 +       case GR_RESOURCE:
54704 +               task = va_arg(ap, struct task_struct *);
54705 +               cred = __task_cred(task);
54706 +               pcred = __task_cred(task->real_parent);
54707 +               ulong1 = va_arg(ap, unsigned long);
54708 +               str1 = va_arg(ap, char *);
54709 +               ulong2 = va_arg(ap, unsigned long);
54710 +               gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54711 +               break;
54712 +       case GR_CAP:
54713 +               task = va_arg(ap, struct task_struct *);
54714 +               cred = __task_cred(task);
54715 +               pcred = __task_cred(task->real_parent);
54716 +               str1 = va_arg(ap, char *);
54717 +               gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54718 +               break;
54719 +       case GR_SIG:
54720 +               str1 = va_arg(ap, char *);
54721 +               voidptr = va_arg(ap, void *);
54722 +               gr_log_middle_varargs(audit, msg, str1, voidptr);
54723 +               break;
54724 +       case GR_SIG2:
54725 +               task = va_arg(ap, struct task_struct *);
54726 +               cred = __task_cred(task);
54727 +               pcred = __task_cred(task->real_parent);
54728 +               num1 = va_arg(ap, int);
54729 +               gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54730 +               break;
54731 +       case GR_CRASH1:
54732 +               task = va_arg(ap, struct task_struct *);
54733 +               cred = __task_cred(task);
54734 +               pcred = __task_cred(task->real_parent);
54735 +               ulong1 = va_arg(ap, unsigned long);
54736 +               gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
54737 +               break;
54738 +       case GR_CRASH2:
54739 +               task = va_arg(ap, struct task_struct *);
54740 +               cred = __task_cred(task);
54741 +               pcred = __task_cred(task->real_parent);
54742 +               ulong1 = va_arg(ap, unsigned long);
54743 +               gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
54744 +               break;
54745 +       case GR_RWXMAP:
54746 +               file = va_arg(ap, struct file *);
54747 +               gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
54748 +               break;
54749 +       case GR_PSACCT:
54750 +               {
54751 +                       unsigned int wday, cday;
54752 +                       __u8 whr, chr;
54753 +                       __u8 wmin, cmin;
54754 +                       __u8 wsec, csec;
54755 +                       char cur_tty[64] = { 0 };
54756 +                       char parent_tty[64] = { 0 };
54757 +
54758 +                       task = va_arg(ap, struct task_struct *);
54759 +                       wday = va_arg(ap, unsigned int);
54760 +                       cday = va_arg(ap, unsigned int);
54761 +                       whr = va_arg(ap, int);
54762 +                       chr = va_arg(ap, int);
54763 +                       wmin = va_arg(ap, int);
54764 +                       cmin = va_arg(ap, int);
54765 +                       wsec = va_arg(ap, int);
54766 +                       csec = va_arg(ap, int);
54767 +                       ulong1 = va_arg(ap, unsigned long);
54768 +                       cred = __task_cred(task);
54769 +                       pcred = __task_cred(task->real_parent);
54770 +
54771 +                       gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54772 +               }
54773 +               break;
54774 +       default:
54775 +               gr_log_middle(audit, msg, ap);
54776 +       }
54777 +       va_end(ap);
54778 +       // these don't need DEFAULTSECARGS printed on the end
54779 +       if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
54780 +               gr_log_end(audit, 0);
54781 +       else
54782 +               gr_log_end(audit, 1);
54783 +       END_LOCKS(audit);
54784 +}
54785 diff -urNp linux-3.0.9/grsecurity/grsec_mem.c linux-3.0.9/grsecurity/grsec_mem.c
54786 --- linux-3.0.9/grsecurity/grsec_mem.c  1969-12-31 19:00:00.000000000 -0500
54787 +++ linux-3.0.9/grsecurity/grsec_mem.c  2011-11-15 20:02:59.000000000 -0500
54788 @@ -0,0 +1,33 @@
54789 +#include <linux/kernel.h>
54790 +#include <linux/sched.h>
54791 +#include <linux/mm.h>
54792 +#include <linux/mman.h>
54793 +#include <linux/grinternal.h>
54794 +
54795 +void
54796 +gr_handle_ioperm(void)
54797 +{
54798 +       gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
54799 +       return;
54800 +}
54801 +
54802 +void
54803 +gr_handle_iopl(void)
54804 +{
54805 +       gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
54806 +       return;
54807 +}
54808 +
54809 +void
54810 +gr_handle_mem_readwrite(u64 from, u64 to)
54811 +{
54812 +       gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
54813 +       return;
54814 +}
54815 +
54816 +void
54817 +gr_handle_vm86(void)
54818 +{
54819 +       gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
54820 +       return;
54821 +}
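Review bot: Each of the four void functions in this new file (gr_handle_ioperm, gr_handle_iopl, gr_handle_mem_readwrite, gr_handle_vm86) ends in a bare `return;` that does nothing; dropping it leaves the single gr_log_* call as the whole body. The same trailing `return;` idiom recurs in the void helpers of grsec_mount.c, grsec_pax.c, grsec_ptrace.c, grsec_sig.c and grsec_sock.c further down, so one cleanup pass would cover them all. This is purely a point of style with no behavioural change.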
54822 diff -urNp linux-3.0.9/grsecurity/grsec_mount.c linux-3.0.9/grsecurity/grsec_mount.c
54823 --- linux-3.0.9/grsecurity/grsec_mount.c        1969-12-31 19:00:00.000000000 -0500
54824 +++ linux-3.0.9/grsecurity/grsec_mount.c        2011-11-15 20:02:59.000000000 -0500
54825 @@ -0,0 +1,62 @@
54826 +#include <linux/kernel.h>
54827 +#include <linux/sched.h>
54828 +#include <linux/mount.h>
54829 +#include <linux/grsecurity.h>
54830 +#include <linux/grinternal.h>
54831 +
54832 +void
54833 +gr_log_remount(const char *devname, const int retval)
54834 +{
54835 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54836 +       if (grsec_enable_mount && (retval >= 0))
54837 +               gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
54838 +#endif
54839 +       return;
54840 +}
54841 +
54842 +void
54843 +gr_log_unmount(const char *devname, const int retval)
54844 +{
54845 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54846 +       if (grsec_enable_mount && (retval >= 0))
54847 +               gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
54848 +#endif
54849 +       return;
54850 +}
54851 +
54852 +void
54853 +gr_log_mount(const char *from, const char *to, const int retval)
54854 +{
54855 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54856 +       if (grsec_enable_mount && (retval >= 0))
54857 +               gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
54858 +#endif
54859 +       return;
54860 +}
54861 +
54862 +int
54863 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
54864 +{
54865 +#ifdef CONFIG_GRKERNSEC_ROFS
54866 +       if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
54867 +               gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
54868 +               return -EPERM;
54869 +       } else
54870 +               return 0;
54871 +#endif
54872 +       return 0;
54873 +}
54874 +
54875 +int
54876 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
54877 +{
54878 +#ifdef CONFIG_GRKERNSEC_ROFS
54879 +       if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
54880 +           dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
54881 +               gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
54882 +               return -EPERM;
54883 +       } else
54884 +               return 0;
54885 +#endif
54886 +       return 0;
54887 +}
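Review bot: In gr_log_mount the `from` argument is guarded with `from ? from : "none"` while `to` is handed to gr_log_str_str unguarded, so if a NULL `to` can ever reach this path the kernel's printk would render it as "(null)" instead of the "none" token the sibling gr_log_remount/gr_log_unmount functions emit, making the audit output inconsistent. If the caller guarantees `to` is non-NULL, a short comment saying so would make the asymmetry intentional; otherwise mirror the guard: `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to ? to : "none");`. Separately, in gr_handle_rofs_mount and gr_handle_rofs_blockwrite the `} else return 0;` inside the #ifdef makes the trailing `return 0;` unreachable when CONFIG_GRKERNSEC_ROFS is set; removing the else branch lets the common `return 0;` serve both configurations.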
54888 diff -urNp linux-3.0.9/grsecurity/grsec_pax.c linux-3.0.9/grsecurity/grsec_pax.c
54889 --- linux-3.0.9/grsecurity/grsec_pax.c  1969-12-31 19:00:00.000000000 -0500
54890 +++ linux-3.0.9/grsecurity/grsec_pax.c  2011-11-15 20:02:59.000000000 -0500
54891 @@ -0,0 +1,36 @@
54892 +#include <linux/kernel.h>
54893 +#include <linux/sched.h>
54894 +#include <linux/mm.h>
54895 +#include <linux/file.h>
54896 +#include <linux/grinternal.h>
54897 +#include <linux/grsecurity.h>
54898 +
54899 +void
54900 +gr_log_textrel(struct vm_area_struct * vma)
54901 +{
54902 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
54903 +       if (grsec_enable_audit_textrel)
54904 +               gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
54905 +#endif
54906 +       return;
54907 +}
54908 +
54909 +void
54910 +gr_log_rwxmmap(struct file *file)
54911 +{
54912 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54913 +       if (grsec_enable_log_rwxmaps)
54914 +               gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
54915 +#endif
54916 +       return;
54917 +}
54918 +
54919 +void
54920 +gr_log_rwxmprotect(struct file *file)
54921 +{
54922 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54923 +       if (grsec_enable_log_rwxmaps)
54924 +               gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
54925 +#endif
54926 +       return;
54927 +}
54928 diff -urNp linux-3.0.9/grsecurity/grsec_ptrace.c linux-3.0.9/grsecurity/grsec_ptrace.c
54929 --- linux-3.0.9/grsecurity/grsec_ptrace.c       1969-12-31 19:00:00.000000000 -0500
54930 +++ linux-3.0.9/grsecurity/grsec_ptrace.c       2011-11-15 20:02:59.000000000 -0500
54931 @@ -0,0 +1,14 @@
54932 +#include <linux/kernel.h>
54933 +#include <linux/sched.h>
54934 +#include <linux/grinternal.h>
54935 +#include <linux/grsecurity.h>
54936 +
54937 +void
54938 +gr_audit_ptrace(struct task_struct *task)
54939 +{
54940 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
54941 +       if (grsec_enable_audit_ptrace)
54942 +               gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
54943 +#endif
54944 +       return;
54945 +}
54946 diff -urNp linux-3.0.9/grsecurity/grsec_sig.c linux-3.0.9/grsecurity/grsec_sig.c
54947 --- linux-3.0.9/grsecurity/grsec_sig.c  1969-12-31 19:00:00.000000000 -0500
54948 +++ linux-3.0.9/grsecurity/grsec_sig.c  2011-11-15 20:02:59.000000000 -0500
54949 @@ -0,0 +1,206 @@
54950 +#include <linux/kernel.h>
54951 +#include <linux/sched.h>
54952 +#include <linux/delay.h>
54953 +#include <linux/grsecurity.h>
54954 +#include <linux/grinternal.h>
54955 +#include <linux/hardirq.h>
54956 +
54957 +char *signames[] = {
54958 +       [SIGSEGV] = "Segmentation fault",
54959 +       [SIGILL] = "Illegal instruction",
54960 +       [SIGABRT] = "Abort",
54961 +       [SIGBUS] = "Invalid alignment/Bus error"
54962 +};
54963 +
54964 +void
54965 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
54966 +{
54967 +#ifdef CONFIG_GRKERNSEC_SIGNAL
54968 +       if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
54969 +                                   (sig == SIGABRT) || (sig == SIGBUS))) {
54970 +               if (t->pid == current->pid) {
54971 +                       gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
54972 +               } else {
54973 +                       gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
54974 +               }
54975 +       }
54976 +#endif
54977 +       return;
54978 +}
54979 +
54980 +int
54981 +gr_handle_signal(const struct task_struct *p, const int sig)
54982 +{
54983 +#ifdef CONFIG_GRKERNSEC
54984 +       if (current->pid > 1 && gr_check_protected_task(p)) {
54985 +               gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
54986 +               return -EPERM;
54987 +       } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
54988 +               return -EPERM;
54989 +       }
54990 +#endif
54991 +       return 0;
54992 +}
54993 +
54994 +#ifdef CONFIG_GRKERNSEC
54995 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
54996 +
54997 +int gr_fake_force_sig(int sig, struct task_struct *t)
54998 +{
54999 +       unsigned long int flags;
55000 +       int ret, blocked, ignored;
55001 +       struct k_sigaction *action;
55002 +
55003 +       spin_lock_irqsave(&t->sighand->siglock, flags);
55004 +       action = &t->sighand->action[sig-1];
55005 +       ignored = action->sa.sa_handler == SIG_IGN;
55006 +       blocked = sigismember(&t->blocked, sig);
55007 +       if (blocked || ignored) {
55008 +               action->sa.sa_handler = SIG_DFL;
55009 +               if (blocked) {
55010 +                       sigdelset(&t->blocked, sig);
55011 +                       recalc_sigpending_and_wake(t);
55012 +               }
55013 +       }
55014 +       if (action->sa.sa_handler == SIG_DFL)
55015 +               t->signal->flags &= ~SIGNAL_UNKILLABLE;
55016 +       ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
55017 +
55018 +       spin_unlock_irqrestore(&t->sighand->siglock, flags);
55019 +
55020 +       return ret;
55021 +}
55022 +#endif
55023 +
55024 +#ifdef CONFIG_GRKERNSEC_BRUTE
55025 +#define GR_USER_BAN_TIME (15 * 60)
55026 +
55027 +static int __get_dumpable(unsigned long mm_flags)
55028 +{
55029 +       int ret;
55030 +
55031 +       ret = mm_flags & MMF_DUMPABLE_MASK;
55032 +       return (ret >= 2) ? 2 : ret;
55033 +}
55034 +#endif
55035 +
55036 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
55037 +{
55038 +#ifdef CONFIG_GRKERNSEC_BRUTE
55039 +       uid_t uid = 0;
55040 +
55041 +       if (!grsec_enable_brute)
55042 +               return;
55043 +
55044 +       rcu_read_lock();
55045 +       read_lock(&tasklist_lock);
55046 +       read_lock(&grsec_exec_file_lock);
55047 +       if (p->real_parent && p->real_parent->exec_file == p->exec_file)
55048 +               p->real_parent->brute = 1;
55049 +       else {
55050 +               const struct cred *cred = __task_cred(p), *cred2;
55051 +               struct task_struct *tsk, *tsk2;
55052 +
55053 +               if (!__get_dumpable(mm_flags) && cred->uid) {
55054 +                       struct user_struct *user;
55055 +
55056 +                       uid = cred->uid;
55057 +
55058 +                       /* this is put upon execution past expiration */
55059 +                       user = find_user(uid);
55060 +                       if (user == NULL)
55061 +                               goto unlock;
55062 +                       user->banned = 1;
55063 +                       user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
55064 +                       if (user->ban_expires == ~0UL)
55065 +                               user->ban_expires--;
55066 +
55067 +                       do_each_thread(tsk2, tsk) {
55068 +                               cred2 = __task_cred(tsk);
55069 +                               if (tsk != p && cred2->uid == uid)
55070 +                                       gr_fake_force_sig(SIGKILL, tsk);
55071 +                       } while_each_thread(tsk2, tsk);
55072 +               }
55073 +       }
55074 +unlock:
55075 +       read_unlock(&grsec_exec_file_lock);
55076 +       read_unlock(&tasklist_lock);
55077 +       rcu_read_unlock();
55078 +
55079 +       if (uid)
55080 +               printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
55081 +
55082 +#endif
55083 +       return;
55084 +}
55085 +
55086 +void gr_handle_brute_check(void)
55087 +{
55088 +#ifdef CONFIG_GRKERNSEC_BRUTE
55089 +       if (current->brute)
55090 +               msleep(30 * 1000);
55091 +#endif
55092 +       return;
55093 +}
55094 +
55095 +void gr_handle_kernel_exploit(void)
55096 +{
55097 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
55098 +       const struct cred *cred;
55099 +       struct task_struct *tsk, *tsk2;
55100 +       struct user_struct *user;
55101 +       uid_t uid;
55102 +
55103 +       if (in_irq() || in_serving_softirq() || in_nmi())
55104 +               panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
55105 +
55106 +       uid = current_uid();
55107 +
55108 +       if (uid == 0)
55109 +               panic("grsec: halting the system due to suspicious kernel crash caused by root");
55110 +       else {
55111 +               /* kill all the processes of this user, hold a reference
55112 +                  to their creds struct, and prevent them from creating
55113 +                  another process until system reset
55114 +               */
55115 +               printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
55116 +               /* we intentionally leak this ref */
55117 +               user = get_uid(current->cred->user);
55118 +               if (user) {
55119 +                       user->banned = 1;
55120 +                       user->ban_expires = ~0UL;
55121 +               }
55122 +
55123 +               read_lock(&tasklist_lock);
55124 +               do_each_thread(tsk2, tsk) {
55125 +                       cred = __task_cred(tsk);
55126 +                       if (cred->uid == uid)
55127 +                               gr_fake_force_sig(SIGKILL, tsk);
55128 +               } while_each_thread(tsk2, tsk);
55129 +               read_unlock(&tasklist_lock); 
55130 +       }
55131 +#endif
55132 +}
55133 +
55134 +int __gr_process_user_ban(struct user_struct *user)
55135 +{
55136 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55137 +       if (unlikely(user->banned)) {
55138 +               if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
55139 +                       user->banned = 0;
55140 +                       user->ban_expires = 0;
55141 +                       free_uid(user);
55142 +               } else
55143 +                       return -EPERM;
55144 +       }
55145 +#endif
55146 +       return 0;
55147 +}
55148 +
55149 +int gr_process_user_ban(void)
55150 +{
55151 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55152 +       return __gr_process_user_ban(current->cred->user);
55153 +#endif
55154 +       return 0;
55155 +}
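Review bot: `signames` is declared as a writable, externally visible `char *signames[]` although the hunk only ever reads from it; unless another file in the patch references the symbol, `static const char * const signames[] = { ... };` would keep the strings in read-only data and the name out of the global namespace. The table is only indexed after the `sig == SIGSEGV || ... || sig == SIGBUS` filter in gr_log_signal, which is what keeps `signames[sig]` in bounds; a one-line comment above the array such as `/* only indexed for the four signals filtered in gr_log_signal() */` would record that invariant for the next reader. In gr_handle_kernel_exploit the `if (user)` following `user = get_uid(current->cred->user);` can never be false, since get_uid() returns the pointer it was given, so the check documents an impossible case rather than guarding anything.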
55156 diff -urNp linux-3.0.9/grsecurity/grsec_sock.c linux-3.0.9/grsecurity/grsec_sock.c
55157 --- linux-3.0.9/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
55158 +++ linux-3.0.9/grsecurity/grsec_sock.c 2011-11-15 20:02:59.000000000 -0500
55159 @@ -0,0 +1,244 @@
55160 +#include <linux/kernel.h>
55161 +#include <linux/module.h>
55162 +#include <linux/sched.h>
55163 +#include <linux/file.h>
55164 +#include <linux/net.h>
55165 +#include <linux/in.h>
55166 +#include <linux/ip.h>
55167 +#include <net/sock.h>
55168 +#include <net/inet_sock.h>
55169 +#include <linux/grsecurity.h>
55170 +#include <linux/grinternal.h>
55171 +#include <linux/gracl.h>
55172 +
55173 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
55174 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
55175 +
55176 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
55177 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
55178 +
55179 +#ifdef CONFIG_UNIX_MODULE
55180 +EXPORT_SYMBOL(gr_acl_handle_unix);
55181 +EXPORT_SYMBOL(gr_acl_handle_mknod);
55182 +EXPORT_SYMBOL(gr_handle_chroot_unix);
55183 +EXPORT_SYMBOL(gr_handle_create);
55184 +#endif
55185 +
55186 +#ifdef CONFIG_GRKERNSEC
55187 +#define gr_conn_table_size 32749
55188 +struct conn_table_entry {
55189 +       struct conn_table_entry *next;
55190 +       struct signal_struct *sig;
55191 +};
55192 +
55193 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
55194 +DEFINE_SPINLOCK(gr_conn_table_lock);
55195 +
55196 +extern const char * gr_socktype_to_name(unsigned char type);
55197 +extern const char * gr_proto_to_name(unsigned char proto);
55198 +extern const char * gr_sockfamily_to_name(unsigned char family);
55199 +
55200 +static __inline__ int 
55201 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
55202 +{
55203 +       return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
55204 +}
55205 +
55206 +static __inline__ int
55207 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, 
55208 +          __u16 sport, __u16 dport)
55209 +{
55210 +       if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
55211 +                    sig->gr_sport == sport && sig->gr_dport == dport))
55212 +               return 1;
55213 +       else
55214 +               return 0;
55215 +}
55216 +
55217 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
55218 +{
55219 +       struct conn_table_entry **match;
55220 +       unsigned int index;
55221 +
55222 +       index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
55223 +                         sig->gr_sport, sig->gr_dport, 
55224 +                         gr_conn_table_size);
55225 +
55226 +       newent->sig = sig;
55227 +       
55228 +       match = &gr_conn_table[index];
55229 +       newent->next = *match;
55230 +       *match = newent;
55231 +
55232 +       return;
55233 +}
55234 +
55235 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
55236 +{
55237 +       struct conn_table_entry *match, *last = NULL;
55238 +       unsigned int index;
55239 +
55240 +       index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
55241 +                         sig->gr_sport, sig->gr_dport, 
55242 +                         gr_conn_table_size);
55243 +
55244 +       match = gr_conn_table[index];
55245 +       while (match && !conn_match(match->sig, 
55246 +               sig->gr_saddr, sig->gr_daddr, sig->gr_sport, 
55247 +               sig->gr_dport)) {
55248 +               last = match;
55249 +               match = match->next;
55250 +       }
55251 +
55252 +       if (match) {
55253 +               if (last)
55254 +                       last->next = match->next;
55255 +               else
55256 +                       gr_conn_table[index] = NULL;
55257 +               kfree(match);
55258 +       }
55259 +
55260 +       return;
55261 +}
55262 +
55263 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
55264 +                                            __u16 sport, __u16 dport)
55265 +{
55266 +       struct conn_table_entry *match;
55267 +       unsigned int index;
55268 +
55269 +       index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
55270 +
55271 +       match = gr_conn_table[index];
55272 +       while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
55273 +               match = match->next;
55274 +
55275 +       if (match)
55276 +               return match->sig;
55277 +       else
55278 +               return NULL;
55279 +}
55280 +
55281 +#endif
55282 +
55283 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
55284 +{
55285 +#ifdef CONFIG_GRKERNSEC
55286 +       struct signal_struct *sig = task->signal;
55287 +       struct conn_table_entry *newent;
55288 +
55289 +       newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
55290 +       if (newent == NULL)
55291 +               return;
55292 +       /* no bh lock needed since we are called with bh disabled */
55293 +       spin_lock(&gr_conn_table_lock);
55294 +       gr_del_task_from_ip_table_nolock(sig);
55295 +       sig->gr_saddr = inet->inet_rcv_saddr;
55296 +       sig->gr_daddr = inet->inet_daddr;
55297 +       sig->gr_sport = inet->inet_sport;
55298 +       sig->gr_dport = inet->inet_dport;
55299 +       gr_add_to_task_ip_table_nolock(sig, newent);
55300 +       spin_unlock(&gr_conn_table_lock);
55301 +#endif
55302 +       return;
55303 +}
55304 +
55305 +void gr_del_task_from_ip_table(struct task_struct *task)
55306 +{
55307 +#ifdef CONFIG_GRKERNSEC
55308 +       spin_lock_bh(&gr_conn_table_lock);
55309 +       gr_del_task_from_ip_table_nolock(task->signal);
55310 +       spin_unlock_bh(&gr_conn_table_lock);
55311 +#endif
55312 +       return;
55313 +}
55314 +
55315 +void
55316 +gr_attach_curr_ip(const struct sock *sk)
55317 +{
55318 +#ifdef CONFIG_GRKERNSEC
55319 +       struct signal_struct *p, *set;
55320 +       const struct inet_sock *inet = inet_sk(sk);     
55321 +
55322 +       if (unlikely(sk->sk_protocol != IPPROTO_TCP))
55323 +               return;
55324 +
55325 +       set = current->signal;
55326 +
55327 +       spin_lock_bh(&gr_conn_table_lock);
55328 +       p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
55329 +                                   inet->inet_dport, inet->inet_sport);
55330 +       if (unlikely(p != NULL)) {
55331 +               set->curr_ip = p->curr_ip;
55332 +               set->used_accept = 1;
55333 +               gr_del_task_from_ip_table_nolock(p);
55334 +               spin_unlock_bh(&gr_conn_table_lock);
55335 +               return;
55336 +       }
55337 +       spin_unlock_bh(&gr_conn_table_lock);
55338 +
55339 +       set->curr_ip = inet->inet_daddr;
55340 +       set->used_accept = 1;
55341 +#endif
55342 +       return;
55343 +}
55344 +
55345 +int
55346 +gr_handle_sock_all(const int family, const int type, const int protocol)
55347 +{
55348 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55349 +       if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
55350 +           (family != AF_UNIX)) {
55351 +               if (family == AF_INET)
55352 +                       gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
55353 +               else
55354 +                       gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
55355 +               return -EACCES;
55356 +       }
55357 +#endif
55358 +       return 0;
55359 +}
55360 +
55361 +int
55362 +gr_handle_sock_server(const struct sockaddr *sck)
55363 +{
55364 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55365 +       if (grsec_enable_socket_server &&
55366 +           in_group_p(grsec_socket_server_gid) &&
55367 +           sck && (sck->sa_family != AF_UNIX) &&
55368 +           (sck->sa_family != AF_LOCAL)) {
55369 +               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
55370 +               return -EACCES;
55371 +       }
55372 +#endif
55373 +       return 0;
55374 +}
55375 +
55376 +int
55377 +gr_handle_sock_server_other(const struct sock *sck)
55378 +{
55379 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55380 +       if (grsec_enable_socket_server &&
55381 +           in_group_p(grsec_socket_server_gid) &&
55382 +           sck && (sck->sk_family != AF_UNIX) &&
55383 +           (sck->sk_family != AF_LOCAL)) {
55384 +               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
55385 +               return -EACCES;
55386 +       }
55387 +#endif
55388 +       return 0;
55389 +}
55390 +
55391 +int
55392 +gr_handle_sock_client(const struct sockaddr *sck)
55393 +{
55394 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55395 +       if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
55396 +           sck && (sck->sa_family != AF_UNIX) &&
55397 +           (sck->sa_family != AF_LOCAL)) {
55398 +               gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
55399 +               return -EACCES;
55400 +       }
55401 +#endif
55402 +       return 0;
55403 +}
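Review bot: gr_del_task_from_ip_table_nolock unlinks a matching head entry with `gr_conn_table[index] = NULL;`, which throws away every other entry chained behind it in that bucket: those conn_table_entry objects are never kfree()d and the signal_structs they point to can no longer be found by gr_lookup_task_ip_table, so the source-IP hand-off in gr_attach_curr_ip silently fails for them. The head case should splice exactly like the non-head case: `gr_conn_table[index] = match->next;`. With 32749 buckets collisions are infrequent, which is presumably why this has not been visible in practice. Separately, the allocation in gr_update_task_in_ip_table would read better tied to the variable's type, `newent = kmalloc(sizeof(*newent), GFP_ATOMIC);`.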
55404 diff -urNp linux-3.0.9/grsecurity/grsec_sysctl.c linux-3.0.9/grsecurity/grsec_sysctl.c
55405 --- linux-3.0.9/grsecurity/grsec_sysctl.c       1969-12-31 19:00:00.000000000 -0500
55406 +++ linux-3.0.9/grsecurity/grsec_sysctl.c       2011-11-15 20:02:59.000000000 -0500
55407 @@ -0,0 +1,433 @@
55408 +#include <linux/kernel.h>
55409 +#include <linux/sched.h>
55410 +#include <linux/sysctl.h>
55411 +#include <linux/grsecurity.h>
55412 +#include <linux/grinternal.h>
55413 +
55414 +int
55415 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
55416 +{
55417 +#ifdef CONFIG_GRKERNSEC_SYSCTL
55418 +       if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
55419 +               gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
55420 +               return -EACCES;
55421 +       }
55422 +#endif
55423 +       return 0;
55424 +}
55425 +
55426 +#ifdef CONFIG_GRKERNSEC_ROFS
55427 +static int __maybe_unused one = 1;
55428 +#endif
55429 +
55430 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
55431 +struct ctl_table grsecurity_table[] = {
55432 +#ifdef CONFIG_GRKERNSEC_SYSCTL
55433 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
55434 +#ifdef CONFIG_GRKERNSEC_IO
55435 +       {
55436 +               .procname       = "disable_priv_io",
55437 +               .data           = &grsec_disable_privio,
55438 +               .maxlen         = sizeof(int),
55439 +               .mode           = 0600,
55440 +               .proc_handler   = &proc_dointvec,
55441 +       },
55442 +#endif
55443 +#endif
55444 +#ifdef CONFIG_GRKERNSEC_LINK
55445 +       {
55446 +               .procname       = "linking_restrictions",
55447 +               .data           = &grsec_enable_link,
55448 +               .maxlen         = sizeof(int),
55449 +               .mode           = 0600,
55450 +               .proc_handler   = &proc_dointvec,
55451 +       },
55452 +#endif
55453 +#ifdef CONFIG_GRKERNSEC_BRUTE
55454 +       {
55455 +               .procname       = "deter_bruteforce",
55456 +               .data           = &grsec_enable_brute,
55457 +               .maxlen         = sizeof(int),
55458 +               .mode           = 0600,
55459 +               .proc_handler   = &proc_dointvec,
55460 +       },
55461 +#endif
55462 +#ifdef CONFIG_GRKERNSEC_FIFO
55463 +       {
55464 +               .procname       = "fifo_restrictions",
55465 +               .data           = &grsec_enable_fifo,
55466 +               .maxlen         = sizeof(int),
55467 +               .mode           = 0600,
55468 +               .proc_handler   = &proc_dointvec,
55469 +       },
55470 +#endif
55471 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55472 +       {
55473 +               .procname       = "ip_blackhole",
55474 +               .data           = &grsec_enable_blackhole,
55475 +               .maxlen         = sizeof(int),
55476 +               .mode           = 0600,
55477 +               .proc_handler   = &proc_dointvec,
55478 +       },
55479 +       {
55480 +               .procname       = "lastack_retries",
55481 +               .data           = &grsec_lastack_retries,
55482 +               .maxlen         = sizeof(int),
55483 +               .mode           = 0600,
55484 +               .proc_handler   = &proc_dointvec,
55485 +       },
55486 +#endif
55487 +#ifdef CONFIG_GRKERNSEC_EXECLOG
55488 +       {
55489 +               .procname       = "exec_logging",
55490 +               .data           = &grsec_enable_execlog,
55491 +               .maxlen         = sizeof(int),
55492 +               .mode           = 0600,
55493 +               .proc_handler   = &proc_dointvec,
55494 +       },
55495 +#endif
55496 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
55497 +       {
55498 +               .procname       = "rwxmap_logging",
55499 +               .data           = &grsec_enable_log_rwxmaps,
55500 +               .maxlen         = sizeof(int),
55501 +               .mode           = 0600,
55502 +               .proc_handler   = &proc_dointvec,
55503 +       },
55504 +#endif
55505 +#ifdef CONFIG_GRKERNSEC_SIGNAL
55506 +       {
55507 +               .procname       = "signal_logging",
55508 +               .data           = &grsec_enable_signal,
55509 +               .maxlen         = sizeof(int),
55510 +               .mode           = 0600,
55511 +               .proc_handler   = &proc_dointvec,
55512 +       },
55513 +#endif
55514 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
55515 +       {
55516 +               .procname       = "forkfail_logging",
55517 +               .data           = &grsec_enable_forkfail,
55518 +               .maxlen         = sizeof(int),
55519 +               .mode           = 0600,
55520 +               .proc_handler   = &proc_dointvec,
55521 +       },
55522 +#endif
55523 +#ifdef CONFIG_GRKERNSEC_TIME
55524 +       {
55525 +               .procname       = "timechange_logging",
55526 +               .data           = &grsec_enable_time,
55527 +               .maxlen         = sizeof(int),
55528 +               .mode           = 0600,
55529 +               .proc_handler   = &proc_dointvec,
55530 +       },
55531 +#endif
55532 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
55533 +       {
55534 +               .procname       = "chroot_deny_shmat",
55535 +               .data           = &grsec_enable_chroot_shmat,
55536 +               .maxlen         = sizeof(int),
55537 +               .mode           = 0600,
55538 +               .proc_handler   = &proc_dointvec,
55539 +       },
55540 +#endif
55541 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55542 +       {
55543 +               .procname       = "chroot_deny_unix",
55544 +               .data           = &grsec_enable_chroot_unix,
55545 +               .maxlen         = sizeof(int),
55546 +               .mode           = 0600,
55547 +               .proc_handler   = &proc_dointvec,
55548 +       },
55549 +#endif
55550 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
55551 +       {
55552 +               .procname       = "chroot_deny_mount",
55553 +               .data           = &grsec_enable_chroot_mount,
55554 +               .maxlen         = sizeof(int),
55555 +               .mode           = 0600,
55556 +               .proc_handler   = &proc_dointvec,
55557 +       },
55558 +#endif
55559 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
55560 +       {
55561 +               .procname       = "chroot_deny_fchdir",
55562 +               .data           = &grsec_enable_chroot_fchdir,
55563 +               .maxlen         = sizeof(int),
55564 +               .mode           = 0600,
55565 +               .proc_handler   = &proc_dointvec,
55566 +       },
55567 +#endif
55568 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
55569 +       {
55570 +               .procname       = "chroot_deny_chroot",
55571 +               .data           = &grsec_enable_chroot_double,
55572 +               .maxlen         = sizeof(int),
55573 +               .mode           = 0600,
55574 +               .proc_handler   = &proc_dointvec,
55575 +       },
55576 +#endif
55577 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
55578 +       {
55579 +               .procname       = "chroot_deny_pivot",
55580 +               .data           = &grsec_enable_chroot_pivot,
55581 +               .maxlen         = sizeof(int),
55582 +               .mode           = 0600,
55583 +               .proc_handler   = &proc_dointvec,
55584 +       },
55585 +#endif
55586 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
55587 +       {
55588 +               .procname       = "chroot_enforce_chdir",
55589 +               .data           = &grsec_enable_chroot_chdir,
55590 +               .maxlen         = sizeof(int),
55591 +               .mode           = 0600,
55592 +               .proc_handler   = &proc_dointvec,
55593 +       },
55594 +#endif
55595 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
55596 +       {
55597 +               .procname       = "chroot_deny_chmod",
55598 +               .data           = &grsec_enable_chroot_chmod,
55599 +               .maxlen         = sizeof(int),
55600 +               .mode           = 0600,
55601 +               .proc_handler   = &proc_dointvec,
55602 +       },
55603 +#endif
55604 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
55605 +       {
55606 +               .procname       = "chroot_deny_mknod",
55607 +               .data           = &grsec_enable_chroot_mknod,
55608 +               .maxlen         = sizeof(int),
55609 +               .mode           = 0600,
55610 +               .proc_handler   = &proc_dointvec,
55611 +       },
55612 +#endif
55613 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
55614 +       {
55615 +               .procname       = "chroot_restrict_nice",
55616 +               .data           = &grsec_enable_chroot_nice,
55617 +               .maxlen         = sizeof(int),
55618 +               .mode           = 0600,
55619 +               .proc_handler   = &proc_dointvec,
55620 +       },
55621 +#endif
55622 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
55623 +       {
55624 +               .procname       = "chroot_execlog",
55625 +               .data           = &grsec_enable_chroot_execlog,
55626 +               .maxlen         = sizeof(int),
55627 +               .mode           = 0600,
55628 +               .proc_handler   = &proc_dointvec,
55629 +       },
55630 +#endif
55631 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
55632 +       {
55633 +               .procname       = "chroot_caps",
55634 +               .data           = &grsec_enable_chroot_caps,
55635 +               .maxlen         = sizeof(int),
55636 +               .mode           = 0600,
55637 +               .proc_handler   = &proc_dointvec,
55638 +       },
55639 +#endif
55640 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
55641 +       {
55642 +               .procname       = "chroot_deny_sysctl",
55643 +               .data           = &grsec_enable_chroot_sysctl,
55644 +               .maxlen         = sizeof(int),
55645 +               .mode           = 0600,
55646 +               .proc_handler   = &proc_dointvec,
55647 +       },
55648 +#endif
55649 +#ifdef CONFIG_GRKERNSEC_TPE
55650 +       {
55651 +               .procname       = "tpe",
55652 +               .data           = &grsec_enable_tpe,
55653 +               .maxlen         = sizeof(int),
55654 +               .mode           = 0600,
55655 +               .proc_handler   = &proc_dointvec,
55656 +       },
55657 +       {
55658 +               .procname       = "tpe_gid",
55659 +               .data           = &grsec_tpe_gid,
55660 +               .maxlen         = sizeof(int),
55661 +               .mode           = 0600,
55662 +               .proc_handler   = &proc_dointvec,
55663 +       },
55664 +#endif
55665 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55666 +       {
55667 +               .procname       = "tpe_invert",
55668 +               .data           = &grsec_enable_tpe_invert,
55669 +               .maxlen         = sizeof(int),
55670 +               .mode           = 0600,
55671 +               .proc_handler   = &proc_dointvec,
55672 +       },
55673 +#endif
55674 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
55675 +       {
55676 +               .procname       = "tpe_restrict_all",
55677 +               .data           = &grsec_enable_tpe_all,
55678 +               .maxlen         = sizeof(int),
55679 +               .mode           = 0600,
55680 +               .proc_handler   = &proc_dointvec,
55681 +       },
55682 +#endif
55683 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55684 +       {
55685 +               .procname       = "socket_all",
55686 +               .data           = &grsec_enable_socket_all,
55687 +               .maxlen         = sizeof(int),
55688 +               .mode           = 0600,
55689 +               .proc_handler   = &proc_dointvec,
55690 +       },
55691 +       {
55692 +               .procname       = "socket_all_gid",
55693 +               .data           = &grsec_socket_all_gid,
55694 +               .maxlen         = sizeof(int),
55695 +               .mode           = 0600,
55696 +               .proc_handler   = &proc_dointvec,
55697 +       },
55698 +#endif
55699 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55700 +       {
55701 +               .procname       = "socket_client",
55702 +               .data           = &grsec_enable_socket_client,
55703 +               .maxlen         = sizeof(int),
55704 +               .mode           = 0600,
55705 +               .proc_handler   = &proc_dointvec,
55706 +       },
55707 +       {
55708 +               .procname       = "socket_client_gid",
55709 +               .data           = &grsec_socket_client_gid,
55710 +               .maxlen         = sizeof(int),
55711 +               .mode           = 0600,
55712 +               .proc_handler   = &proc_dointvec,
55713 +       },
55714 +#endif
55715 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55716 +       {
55717 +               .procname       = "socket_server",
55718 +               .data           = &grsec_enable_socket_server,
55719 +               .maxlen         = sizeof(int),
55720 +               .mode           = 0600,
55721 +               .proc_handler   = &proc_dointvec,
55722 +       },
55723 +       {
55724 +               .procname       = "socket_server_gid",
55725 +               .data           = &grsec_socket_server_gid,
55726 +               .maxlen         = sizeof(int),
55727 +               .mode           = 0600,
55728 +               .proc_handler   = &proc_dointvec,
55729 +       },
55730 +#endif
55731 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
55732 +       {
55733 +               .procname       = "audit_group",
55734 +               .data           = &grsec_enable_group,
55735 +               .maxlen         = sizeof(int),
55736 +               .mode           = 0600,
55737 +               .proc_handler   = &proc_dointvec,
55738 +       },
55739 +       {
55740 +               .procname       = "audit_gid",
55741 +               .data           = &grsec_audit_gid,
55742 +               .maxlen         = sizeof(int),
55743 +               .mode           = 0600,
55744 +               .proc_handler   = &proc_dointvec,
55745 +       },
55746 +#endif
55747 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
55748 +       {
55749 +               .procname       = "audit_chdir",
55750 +               .data           = &grsec_enable_chdir,
55751 +               .maxlen         = sizeof(int),
55752 +               .mode           = 0600,
55753 +               .proc_handler   = &proc_dointvec,
55754 +       },
55755 +#endif
55756 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55757 +       {
55758 +               .procname       = "audit_mount",
55759 +               .data           = &grsec_enable_mount,
55760 +               .maxlen         = sizeof(int),
55761 +               .mode           = 0600,
55762 +               .proc_handler   = &proc_dointvec,
55763 +       },
55764 +#endif
55765 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
55766 +       {
55767 +               .procname       = "audit_textrel",
55768 +               .data           = &grsec_enable_audit_textrel,
55769 +               .maxlen         = sizeof(int),
55770 +               .mode           = 0600,
55771 +               .proc_handler   = &proc_dointvec,
55772 +       },
55773 +#endif
55774 +#ifdef CONFIG_GRKERNSEC_DMESG
55775 +       {
55776 +               .procname       = "dmesg",
55777 +               .data           = &grsec_enable_dmesg,
55778 +               .maxlen         = sizeof(int),
55779 +               .mode           = 0600,
55780 +               .proc_handler   = &proc_dointvec,
55781 +       },
55782 +#endif
55783 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
55784 +       {
55785 +               .procname       = "chroot_findtask",
55786 +               .data           = &grsec_enable_chroot_findtask,
55787 +               .maxlen         = sizeof(int),
55788 +               .mode           = 0600,
55789 +               .proc_handler   = &proc_dointvec,
55790 +       },
55791 +#endif
55792 +#ifdef CONFIG_GRKERNSEC_RESLOG
55793 +       {
55794 +               .procname       = "resource_logging",
55795 +               .data           = &grsec_resource_logging,
55796 +               .maxlen         = sizeof(int),
55797 +               .mode           = 0600,
55798 +               .proc_handler   = &proc_dointvec,
55799 +       },
55800 +#endif
55801 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
55802 +       {
55803 +               .procname       = "audit_ptrace",
55804 +               .data           = &grsec_enable_audit_ptrace,
55805 +               .maxlen         = sizeof(int),
55806 +               .mode           = 0600,
55807 +               .proc_handler   = &proc_dointvec,
55808 +       },
55809 +#endif
55810 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55811 +       {
55812 +               .procname       = "harden_ptrace",
55813 +               .data           = &grsec_enable_harden_ptrace,
55814 +               .maxlen         = sizeof(int),
55815 +               .mode           = 0600,
55816 +               .proc_handler   = &proc_dointvec,
55817 +       },
55818 +#endif
55819 +       {
55820 +               .procname       = "grsec_lock",
55821 +               .data           = &grsec_lock,
55822 +               .maxlen         = sizeof(int),
55823 +               .mode           = 0600,
55824 +               .proc_handler   = &proc_dointvec,
55825 +       },
55826 +#endif
55827 +#ifdef CONFIG_GRKERNSEC_ROFS
55828 +       {
55829 +               .procname       = "romount_protect",
55830 +               .data           = &grsec_enable_rofs,
55831 +               .maxlen         = sizeof(int),
55832 +               .mode           = 0600,
55833 +               .proc_handler   = &proc_dointvec_minmax,
55834 +               .extra1         = &one,
55835 +               .extra2         = &one,
55836 +       },
55837 +#endif
55838 +       { }
55839 +};
55840 +#endif
55841 diff -urNp linux-3.0.9/grsecurity/grsec_time.c linux-3.0.9/grsecurity/grsec_time.c
55842 --- linux-3.0.9/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
55843 +++ linux-3.0.9/grsecurity/grsec_time.c 2011-11-15 20:02:59.000000000 -0500
55844 @@ -0,0 +1,16 @@
55845 +#include <linux/kernel.h>
55846 +#include <linux/sched.h>
55847 +#include <linux/grinternal.h>
55848 +#include <linux/module.h>
55849 +
55850 +void
55851 +gr_log_timechange(void)
55852 +{
55853 +#ifdef CONFIG_GRKERNSEC_TIME
55854 +       if (grsec_enable_time)
55855 +               gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
55856 +#endif
55857 +       return;
55858 +}
55859 +
55860 +EXPORT_SYMBOL(gr_log_timechange);
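Review bot: The trailing `return;` at the end of `gr_log_timechange` is redundant in a void function and can be dropped. The function also lacks a header comment; since it only logs when CONFIG_GRKERNSEC_TIME is built in and `grsec_enable_time` is set, I'd add `/* Audit a system-time change; a no-op unless CONFIG_GRKERNSEC_TIME is built and the sysctl grsec_enable_time is on. */` above it. The `#include <linux/module.h>` is justified by the `EXPORT_SYMBOL` and is correctly placed here rather than relying on indirect inclusion.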
55861 diff -urNp linux-3.0.9/grsecurity/grsec_tpe.c linux-3.0.9/grsecurity/grsec_tpe.c
55862 --- linux-3.0.9/grsecurity/grsec_tpe.c  1969-12-31 19:00:00.000000000 -0500
55863 +++ linux-3.0.9/grsecurity/grsec_tpe.c  2011-11-15 20:02:59.000000000 -0500
55864 @@ -0,0 +1,39 @@
55865 +#include <linux/kernel.h>
55866 +#include <linux/sched.h>
55867 +#include <linux/file.h>
55868 +#include <linux/fs.h>
55869 +#include <linux/grinternal.h>
55870 +
55871 +extern int gr_acl_tpe_check(void);
55872 +
55873 +int
55874 +gr_tpe_allow(const struct file *file)
55875 +{
55876 +#ifdef CONFIG_GRKERNSEC
55877 +       struct inode *inode = file->f_path.dentry->d_parent->d_inode;
55878 +       const struct cred *cred = current_cred();
55879 +
55880 +       if (cred->uid && ((grsec_enable_tpe &&
55881 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55882 +           ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
55883 +            (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
55884 +#else
55885 +           in_group_p(grsec_tpe_gid)
55886 +#endif
55887 +           ) || gr_acl_tpe_check()) &&
55888 +           (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
55889 +                                               (inode->i_mode & S_IWOTH))))) {
55890 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55891 +               return 0;
55892 +       }
55893 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
55894 +       if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
55895 +           ((inode->i_uid && (inode->i_uid != cred->uid)) ||
55896 +            (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
55897 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55898 +               return 0;
55899 +       }
55900 +#endif
55901 +#endif
55902 +       return 1;
55903 +}
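Review bot: In the first `if` of `gr_tpe_allow`, the sub-expression `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` carries a redundant `!inode->i_uid &&` under the `||`; it reads more clearly, with identical results, as `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))`, and the TPE_ALL branch can use the same combined mask. Because `inode` is taken from `file->f_path.dentry->d_parent->d_inode`, both checks examine the directory containing the executable rather than the file itself, which deserves a comment such as `/* TPE inspects the parent directory: execution is denied when it is not root-owned or is group/world writable. */`. The leading `cred->uid &&` on both conditions means uid 0 is never subject to TPE, which is presumably intended but should be stated in the same comment. `d_parent` is read here without any dentry locking visible in the hunk; whether a concurrent rename can race this depends on what the caller holds, which cannot be judged from this file.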
55904 diff -urNp linux-3.0.9/grsecurity/grsum.c linux-3.0.9/grsecurity/grsum.c
55905 --- linux-3.0.9/grsecurity/grsum.c      1969-12-31 19:00:00.000000000 -0500
55906 +++ linux-3.0.9/grsecurity/grsum.c      2011-11-15 20:02:59.000000000 -0500
55907 @@ -0,0 +1,61 @@
55908 +#include <linux/err.h>
55909 +#include <linux/kernel.h>
55910 +#include <linux/sched.h>
55911 +#include <linux/mm.h>
55912 +#include <linux/scatterlist.h>
55913 +#include <linux/crypto.h>
55914 +#include <linux/gracl.h>
55915 +
55916 +
55917 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
55918 +#error "crypto and sha256 must be built into the kernel"
55919 +#endif
55920 +
55921 +int
55922 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
55923 +{
55924 +       char *p;
55925 +       struct crypto_hash *tfm;
55926 +       struct hash_desc desc;
55927 +       struct scatterlist sg;
55928 +       unsigned char temp_sum[GR_SHA_LEN];
55929 +       volatile int retval = 0;
55930 +       volatile int dummy = 0;
55931 +       unsigned int i;
55932 +
55933 +       sg_init_table(&sg, 1);
55934 +
55935 +       tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
55936 +       if (IS_ERR(tfm)) {
55937 +               /* should never happen, since sha256 should be built in */
55938 +               return 1;
55939 +       }
55940 +
55941 +       desc.tfm = tfm;
55942 +       desc.flags = 0;
55943 +
55944 +       crypto_hash_init(&desc);
55945 +
55946 +       p = salt;
55947 +       sg_set_buf(&sg, p, GR_SALT_LEN);
55948 +       crypto_hash_update(&desc, &sg, sg.length);
55949 +
55950 +       p = entry->pw;
55951 +       sg_set_buf(&sg, p, strlen(p));
55952 +       
55953 +       crypto_hash_update(&desc, &sg, sg.length);
55954 +
55955 +       crypto_hash_final(&desc, temp_sum);
55956 +
55957 +       memset(entry->pw, 0, GR_PW_LEN);
55958 +
55959 +       for (i = 0; i < GR_SHA_LEN; i++)
55960 +               if (sum[i] != temp_sum[i])
55961 +                       retval = 1;
55962 +               else
55963 +                       dummy = 1;      // waste a cycle
55964 +
55965 +       crypto_free_hash(tfm);
55966 +
55967 +       return retval;
55968 +}
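Review bot: The digest comparison loop in `chkpw` tries to run in constant time by balancing the mismatch branch with a `volatile` dummy store, but nothing obliges the compiler to emit equal-cost code for both arms; a branch-free accumulate makes the intent explicit and removes `dummy`: `unsigned char diff = 0;` then `diff |= sum[i] ^ temp_sum[i];` as the loop body and `retval = diff != 0;` after it. `sg_set_buf(&sg, p, strlen(p))` on `entry->pw` assumes the password is NUL-terminated within `GR_PW_LEN`; if `entry` is copied in from userland that termination must be guaranteed before this call, which is not visible in this hunk. The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are unchecked, so a failure there compares against an uninitialised `temp_sum`; each should free `tfm` and return 1 as the `IS_ERR` path already does. `temp_sum` also retains the computed digest on the stack after return and could be cleared alongside `entry->pw`.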
55969 diff -urNp linux-3.0.9/grsecurity/Kconfig linux-3.0.9/grsecurity/Kconfig
55970 --- linux-3.0.9/grsecurity/Kconfig      1969-12-31 19:00:00.000000000 -0500
55971 +++ linux-3.0.9/grsecurity/Kconfig      2011-11-15 20:02:59.000000000 -0500
55972 @@ -0,0 +1,1037 @@
55973 +#
55974 +# grecurity configuration
55975 +#
55976 +
55977 +menu "Grsecurity"
55978 +
55979 +config GRKERNSEC
55980 +       bool "Grsecurity"
55981 +       select CRYPTO
55982 +       select CRYPTO_SHA256
55983 +       help
55984 +         If you say Y here, you will be able to configure many features
55985 +         that will enhance the security of your system.  It is highly
55986 +         recommended that you say Y here and read through the help
55987 +         for each option so that you fully understand the features and
55988 +         can evaluate their usefulness for your machine.
55989 +
55990 +choice
55991 +       prompt "Security Level"
55992 +       depends on GRKERNSEC
55993 +       default GRKERNSEC_CUSTOM
55994 +
55995 +config GRKERNSEC_LOW
55996 +       bool "Low"
55997 +       select GRKERNSEC_LINK
55998 +       select GRKERNSEC_FIFO
55999 +       select GRKERNSEC_RANDNET
56000 +       select GRKERNSEC_DMESG
56001 +       select GRKERNSEC_CHROOT
56002 +       select GRKERNSEC_CHROOT_CHDIR
56003 +
56004 +       help
56005 +         If you choose this option, several of the grsecurity options will
56006 +         be enabled that will give you greater protection against a number
56007 +         of attacks, while assuring that none of your software will have any
56008 +         conflicts with the additional security measures.  If you run a lot
56009 +         of unusual software, or you are having problems with the higher
56010 +         security levels, you should say Y here.  With this option, the
56011 +         following features are enabled:
56012 +
56013 +         - Linking restrictions
56014 +         - FIFO restrictions
56015 +         - Restricted dmesg
56016 +         - Enforced chdir("/") on chroot
56017 +         - Runtime module disabling
56018 +
56019 +config GRKERNSEC_MEDIUM
56020 +       bool "Medium"
56021 +       select PAX
56022 +       select PAX_EI_PAX
56023 +       select PAX_PT_PAX_FLAGS
56024 +       select PAX_HAVE_ACL_FLAGS
56025 +       select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
56026 +       select GRKERNSEC_CHROOT
56027 +       select GRKERNSEC_CHROOT_SYSCTL
56028 +       select GRKERNSEC_LINK
56029 +       select GRKERNSEC_FIFO
56030 +       select GRKERNSEC_DMESG
56031 +       select GRKERNSEC_RANDNET
56032 +       select GRKERNSEC_FORKFAIL
56033 +       select GRKERNSEC_TIME
56034 +       select GRKERNSEC_SIGNAL
56035 +       select GRKERNSEC_CHROOT
56036 +       select GRKERNSEC_CHROOT_UNIX
56037 +       select GRKERNSEC_CHROOT_MOUNT
56038 +       select GRKERNSEC_CHROOT_PIVOT
56039 +       select GRKERNSEC_CHROOT_DOUBLE
56040 +       select GRKERNSEC_CHROOT_CHDIR
56041 +       select GRKERNSEC_CHROOT_MKNOD
56042 +       select GRKERNSEC_PROC
56043 +       select GRKERNSEC_PROC_USERGROUP
56044 +       select PAX_RANDUSTACK
56045 +       select PAX_ASLR
56046 +       select PAX_RANDMMAP
56047 +       select PAX_REFCOUNT if (X86 || SPARC64)
56048 +       select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
56049 +
56050 +       help
56051 +         If you say Y here, several features in addition to those included
56052 +         in the low additional security level will be enabled.  These
56053 +         features provide even more security to your system, though in rare
56054 +         cases they may be incompatible with very old or poorly written
56055 +         software.  If you enable this option, make sure that your auth
56056 +         service (identd) is running as gid 1001.  With this option, 
56057 +         the following features (in addition to those provided in the 
56058 +         low additional security level) will be enabled:
56059 +
56060 +         - Failed fork logging
56061 +         - Time change logging
56062 +         - Signal logging
56063 +         - Deny mounts in chroot
56064 +         - Deny double chrooting
56065 +         - Deny sysctl writes in chroot
56066 +         - Deny mknod in chroot
56067 +         - Deny access to abstract AF_UNIX sockets out of chroot
56068 +         - Deny pivot_root in chroot
56069 +         - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port
56070 +         - /proc restrictions with special GID set to 10 (usually wheel)
56071 +         - Address Space Layout Randomization (ASLR)
56072 +         - Prevent exploitation of most refcount overflows
56073 +         - Bounds checking of copying between the kernel and userland
56074 +
56075 +config GRKERNSEC_HIGH
56076 +       bool "High"
56077 +       select GRKERNSEC_LINK
56078 +       select GRKERNSEC_FIFO
56079 +       select GRKERNSEC_DMESG
56080 +       select GRKERNSEC_FORKFAIL
56081 +       select GRKERNSEC_TIME
56082 +       select GRKERNSEC_SIGNAL
56083 +       select GRKERNSEC_CHROOT
56084 +       select GRKERNSEC_CHROOT_SHMAT
56085 +       select GRKERNSEC_CHROOT_UNIX
56086 +       select GRKERNSEC_CHROOT_MOUNT
56087 +       select GRKERNSEC_CHROOT_FCHDIR
56088 +       select GRKERNSEC_CHROOT_PIVOT
56089 +       select GRKERNSEC_CHROOT_DOUBLE
56090 +       select GRKERNSEC_CHROOT_CHDIR
56091 +       select GRKERNSEC_CHROOT_MKNOD
56092 +       select GRKERNSEC_CHROOT_CAPS
56093 +       select GRKERNSEC_CHROOT_SYSCTL
56094 +       select GRKERNSEC_CHROOT_FINDTASK
56095 +       select GRKERNSEC_SYSFS_RESTRICT
56096 +       select GRKERNSEC_PROC
56097 +       select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
56098 +       select GRKERNSEC_HIDESYM
56099 +       select GRKERNSEC_BRUTE
56100 +       select GRKERNSEC_PROC_USERGROUP
56101 +       select GRKERNSEC_KMEM
56102 +       select GRKERNSEC_RESLOG
56103 +       select GRKERNSEC_RANDNET
56104 +       select GRKERNSEC_PROC_ADD
56105 +       select GRKERNSEC_CHROOT_CHMOD
56106 +       select GRKERNSEC_CHROOT_NICE
56107 +       select GRKERNSEC_AUDIT_MOUNT
56108 +       select GRKERNSEC_MODHARDEN if (MODULES)
56109 +       select GRKERNSEC_HARDEN_PTRACE
56110 +       select GRKERNSEC_VM86 if (X86_32)
56111 +       select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
56112 +       select PAX
56113 +       select PAX_RANDUSTACK
56114 +       select PAX_ASLR
56115 +       select PAX_RANDMMAP
56116 +       select PAX_NOEXEC
56117 +       select PAX_MPROTECT
56118 +       select PAX_EI_PAX
56119 +       select PAX_PT_PAX_FLAGS
56120 +       select PAX_HAVE_ACL_FLAGS
56121 +       select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
56122 +       select PAX_MEMORY_UDEREF if (X86 && !XEN)
56123 +       select PAX_RANDKSTACK if (X86_TSC && X86)
56124 +       select PAX_SEGMEXEC if (X86_32)
56125 +       select PAX_PAGEEXEC
56126 +       select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
56127 +       select PAX_EMUTRAMP if (PARISC)
56128 +       select PAX_EMUSIGRT if (PARISC)
56129 +       select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
56130 +       select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
56131 +       select PAX_REFCOUNT if (X86 || SPARC64)
56132 +       select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
56133 +       help
56134 +         If you say Y here, many of the features of grsecurity will be
56135 +         enabled, which will protect you against many kinds of attacks
56136 +         against your system.  The heightened security comes at a cost
56137 +         of an increased chance of incompatibilities with rare software
56138 +         on your machine.  Since this security level enables PaX, you should
56139 +         view <http://pax.grsecurity.net> and read about the PaX
56140 +         project.  While you are there, download chpax and run it on
56141 +         binaries that cause problems with PaX.  Also remember that
56142 +         since the /proc restrictions are enabled, you must run your
56143 +         identd as gid 1001.  This security level enables the following 
56144 +         features in addition to those listed in the low and medium 
56145 +         security levels:
56146 +
56147 +         - Additional /proc restrictions
56148 +         - Chmod restrictions in chroot
56149 +         - No signals, ptrace, or viewing of processes outside of chroot
56150 +         - Capability restrictions in chroot
56151 +         - Deny fchdir out of chroot
56152 +         - Priority restrictions in chroot
56153 +         - Segmentation-based implementation of PaX
56154 +         - Mprotect restrictions
56155 +         - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
56156 +         - Kernel stack randomization
56157 +         - Mount/unmount/remount logging
56158 +         - Kernel symbol hiding
56159 +         - Hardening of module auto-loading
56160 +         - Ptrace restrictions
56161 +         - Restricted vm86 mode
56162 +         - Restricted sysfs/debugfs
56163 +         - Active kernel exploit response
56164 +
56165 +config GRKERNSEC_CUSTOM
56166 +       bool "Custom"
56167 +       help
56168 +         If you say Y here, you will be able to configure every grsecurity
56169 +         option, which allows you to enable many more features that aren't
56170 +         covered in the basic security levels.  These additional features
56171 +         include TPE, socket restrictions, and the sysctl system for
56172 +         grsecurity.  It is advised that you read through the help for
56173 +         each option to determine its usefulness in your situation.
56174 +
56175 +endchoice
56176 +
56177 +menu "Address Space Protection"
56178 +depends on GRKERNSEC
56179 +
56180 +config GRKERNSEC_KMEM
56181 +       bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
56182 +       select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
56183 +       help
56184 +         If you say Y here, /dev/kmem and /dev/mem won't be allowed to
56185 +         be written to or read from to modify or leak the contents of the running
56186 +         kernel.  /dev/port will also not be allowed to be opened. If you have module
56187 +         support disabled, enabling this will close up four ways that are
56188 +         currently used  to insert malicious code into the running kernel.
56189 +         Even with all these features enabled, we still highly recommend that
56190 +         you use the RBAC system, as it is still possible for an attacker to
56191 +         modify the running kernel through privileged I/O granted by ioperm/iopl.
56192 +         If you are not using XFree86, you may be able to stop this additional
56193 +         case by enabling the 'Disable privileged I/O' option. Though nothing
56194 +         legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
56195 +         but only to video memory, which is the only writing we allow in this
56196 +         case.  If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
56197 +         not be allowed to mprotect it with PROT_WRITE later.
56198 +         It is highly recommended that you say Y here if you meet all the
56199 +         conditions above.
56200 +
56201 +config GRKERNSEC_VM86
56202 +       bool "Restrict VM86 mode"
56203 +       depends on X86_32
56204 +
56205 +       help
56206 +         If you say Y here, only processes with CAP_SYS_RAWIO will be able to
56207 +         make use of a special execution mode on 32bit x86 processors called
56208 +         Virtual 8086 (VM86) mode.  XFree86 may need vm86 mode for certain
56209 +         video cards and will still work with this option enabled.  The purpose
56210 +         of the option is to prevent exploitation of emulation errors in
56211 +         virtualization of vm86 mode like the one discovered in VMWare in 2009.
56212 +         Nearly all users should be able to enable this option.
56213 +
56214 +config GRKERNSEC_IO
56215 +       bool "Disable privileged I/O"
56216 +       depends on X86
56217 +       select RTC_CLASS
56218 +       select RTC_INTF_DEV
56219 +       select RTC_DRV_CMOS
56220 +
56221 +       help
56222 +         If you say Y here, all ioperm and iopl calls will return an error.
56223 +         Ioperm and iopl can be used to modify the running kernel.
56224 +         Unfortunately, some programs need this access to operate properly,
56225 +         the most notable of which are XFree86 and hwclock.  hwclock can be
56226 +         remedied by having RTC support in the kernel, so real-time 
56227 +         clock support is enabled if this option is enabled, to ensure 
56228 +         that hwclock operates correctly.  XFree86 still will not 
56229 +         operate correctly with this option enabled, so DO NOT CHOOSE Y 
56230 +         IF YOU USE XFree86.  If you use XFree86 and you still want to 
56231 +         protect your kernel against modification, use the RBAC system.
56232 +
56233 +config GRKERNSEC_PROC_MEMMAP
56234 +       bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
56235 +       default y if (PAX_NOEXEC || PAX_ASLR)
56236 +       depends on PAX_NOEXEC || PAX_ASLR
56237 +       help
56238 +         If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
56239 +         give no information about the addresses of its mappings if
56240 +         PaX features that rely on random addresses are enabled on the task.
56241 +         If you use PaX it is greatly recommended that you say Y here as it
56242 +         closes up a hole that makes the full ASLR useless for suid
56243 +         binaries.
56244 +
56245 +config GRKERNSEC_BRUTE
56246 +       bool "Deter exploit bruteforcing"
56247 +       help
56248 +         If you say Y here, attempts to bruteforce exploits against forking
56249 +         daemons such as apache or sshd, as well as against suid/sgid binaries
56250 +         will be deterred.  When a child of a forking daemon is killed by PaX
56251 +         or crashes due to an illegal instruction or other suspicious signal,
56252 +         the parent process will be delayed 30 seconds upon every subsequent
56253 +         fork until the administrator is able to assess the situation and
56254 +         restart the daemon.
56255 +         In the suid/sgid case, the attempt is logged, the user has all their
56256 +         processes terminated, and they are prevented from executing any further
56257 +         processes for 15 minutes.
56258 +         It is recommended that you also enable signal logging in the auditing
56259 +         section so that logs are generated when a process triggers a suspicious
56260 +         signal.
56261 +         If the sysctl option is enabled, a sysctl option with name
56262 +         "deter_bruteforce" is created.
56263 +
56264 +
56265 +config GRKERNSEC_MODHARDEN
56266 +       bool "Harden module auto-loading"
56267 +       depends on MODULES
56268 +       help
56269 +         If you say Y here, module auto-loading in response to use of some
56270 +         feature implemented by an unloaded module will be restricted to
56271 +         root users.  Enabling this option helps defend against attacks 
56272 +         by unprivileged users who abuse the auto-loading behavior to 
56273 +         cause a vulnerable module to load that is then exploited.
56274 +
56275 +         If this option prevents a legitimate use of auto-loading for a 
56276 +         non-root user, the administrator can execute modprobe manually 
56277 +         with the exact name of the module mentioned in the alert log.
56278 +         Alternatively, the administrator can add the module to the list
56279 +         of modules loaded at boot by modifying init scripts.
56280 +
56281 +         Modification of init scripts will most likely be needed on 
56282 +         Ubuntu servers with encrypted home directory support enabled,
56283 +         as the first non-root user logging in will cause the ecb(aes),
56284 +         ecb(aes)-all, cbc(aes), and cbc(aes)-all  modules to be loaded.
56285 +
56286 +config GRKERNSEC_HIDESYM
56287 +       bool "Hide kernel symbols"
56288 +       help
56289 +         If you say Y here, getting information on loaded modules, and
56290 +         displaying all kernel symbols through a syscall will be restricted
56291 +         to users with CAP_SYS_MODULE.  For software compatibility reasons,
56292 +         /proc/kallsyms will be restricted to the root user.  The RBAC
56293 +         system can hide that entry even from root.
56294 +
56295 +         This option also prevents leaking of kernel addresses through
56296 +         several /proc entries.
56297 +
56298 +         Note that this option is only effective provided the following
56299 +         conditions are met:
56300 +         1) The kernel using grsecurity is not precompiled by some distribution
56301 +         2) You have also enabled GRKERNSEC_DMESG
56302 +         3) You are using the RBAC system and hiding other files such as your
56303 +            kernel image and System.map.  Alternatively, enabling this option
56304 +            causes the permissions on /boot, /lib/modules, and the kernel
56305 +            source directory to change at compile time to prevent 
56306 +            reading by non-root users.
56307 +         If the above conditions are met, this option will aid in providing a
56308 +         useful protection against local kernel exploitation of overflows
56309 +         and arbitrary read/write vulnerabilities.
56310 +
56311 +config GRKERNSEC_KERN_LOCKOUT
56312 +       bool "Active kernel exploit response"
56313 +       depends on X86 || ARM || PPC || SPARC
56314 +       help
56315 +         If you say Y here, when a PaX alert is triggered due to suspicious
56316 +         activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
56317 +         or an OOPs occurs due to bad memory accesses, instead of just
56318 +         terminating the offending process (and potentially allowing
56319 +         a subsequent exploit from the same user), we will take one of two
56320 +         actions:
56321 +          If the user was root, we will panic the system
56322 +          If the user was non-root, we will log the attempt, terminate
56323 +          all processes owned by the user, then prevent them from creating
56324 +          any new processes until the system is restarted
56325 +         This deters repeated kernel exploitation/bruteforcing attempts
56326 +         and is useful for later forensics.
56327 +
56328 +endmenu
56329 +menu "Role Based Access Control Options"
56330 +depends on GRKERNSEC
56331 +
56332 +config GRKERNSEC_RBAC_DEBUG
56333 +       bool
56334 +
56335 +config GRKERNSEC_NO_RBAC
56336 +       bool "Disable RBAC system"
56337 +       help
56338 +         If you say Y here, the /dev/grsec device will be removed from the kernel,
56339 +         preventing the RBAC system from being enabled.  You should only say Y
56340 +         here if you have no intention of using the RBAC system, so as to prevent
56341 +         an attacker with root access from misusing the RBAC system to hide files
56342 +         and processes when loadable module support and /dev/[k]mem have been
56343 +         locked down.
56344 +
56345 +config GRKERNSEC_ACL_HIDEKERN
56346 +       bool "Hide kernel processes"
56347 +       help
56348 +         If you say Y here, all kernel threads will be hidden to all
56349 +         processes but those whose subject has the "view hidden processes"
56350 +         flag.
56351 +
56352 +config GRKERNSEC_ACL_MAXTRIES
56353 +       int "Maximum tries before password lockout"
56354 +       default 3
56355 +       help
56356 +         This option enforces the maximum number of times a user can attempt
56357 +         to authorize themselves with the grsecurity RBAC system before being
56358 +         denied the ability to attempt authorization again for a specified time.
56359 +         The lower the number, the harder it will be to brute-force a password.
56360 +
56361 +config GRKERNSEC_ACL_TIMEOUT
56362 +       int "Time to wait after max password tries, in seconds"
56363 +       default 30
56364 +       help
56365 +         This option specifies the time the user must wait after attempting to
56366 +         authorize to the RBAC system with the maximum number of invalid
56367 +         passwords.  The higher the number, the harder it will be to brute-force
56368 +         a password.
56369 +
56370 +endmenu
56371 +menu "Filesystem Protections"
56372 +depends on GRKERNSEC
56373 +
56374 +config GRKERNSEC_PROC
56375 +       bool "Proc restrictions"
56376 +       help
56377 +         If you say Y here, the permissions of the /proc filesystem
56378 +         will be altered to enhance system security and privacy.  You MUST
56379 +         choose either a user only restriction or a user and group restriction.
56380 +         Depending upon the option you choose, you can either restrict users to
56381 +         see only the processes they themselves run, or choose a group that can
56382 +         view all processes and files normally restricted to root if you choose
56383 +         the "restrict to user only" option.  NOTE: If you're running identd as
56384 +         a non-root user, you will have to run it as the group you specify here.
56385 +
56386 +config GRKERNSEC_PROC_USER
56387 +       bool "Restrict /proc to user only"
56388 +       depends on GRKERNSEC_PROC
56389 +       help
56390 +         If you say Y here, non-root users will only be able to view their own
56391 +         processes, and restricts them from viewing network-related information,
56392 +         and viewing kernel symbol and module information.
56393 +
56394 +config GRKERNSEC_PROC_USERGROUP
56395 +       bool "Allow special group"
56396 +       depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
56397 +       help
56398 +         If you say Y here, you will be able to select a group that will be
56399 +          able to view all processes and network-related information.  If you've
56400 +          enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
56401 +          remain hidden.  This option is useful if you want to run identd as
56402 +          a non-root user.
56403 +
56404 +config GRKERNSEC_PROC_GID
56405 +       int "GID for special group"
56406 +       depends on GRKERNSEC_PROC_USERGROUP
56407 +       default 1001
56408 +
56409 +config GRKERNSEC_PROC_ADD
56410 +       bool "Additional restrictions"
56411 +       depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
56412 +       help
56413 +         If you say Y here, additional restrictions will be placed on
56414 +         /proc that keep normal users from viewing device information and 
56415 +         slabinfo information that could be useful for exploits.
56416 +
56417 +config GRKERNSEC_LINK
56418 +       bool "Linking restrictions"
56419 +       help
56420 +         If you say Y here, /tmp race exploits will be prevented, since users
56421 +         will no longer be able to follow symlinks owned by other users in
56422 +         world-writable +t directories (e.g. /tmp), unless the owner of the
56423 +         symlink is the owner of the directory. users will also not be
56424 +         able to hardlink to files they do not own.  If the sysctl option is
56425 +         enabled, a sysctl option with name "linking_restrictions" is created.
56426 +
56427 +config GRKERNSEC_FIFO
56428 +       bool "FIFO restrictions"
56429 +       help
56430 +         If you say Y here, users will not be able to write to FIFOs they don't
56431 +         own in world-writable +t directories (e.g. /tmp), unless the owner of
56432 +         the FIFO is the same owner of the directory it's held in.  If the sysctl
56433 +         option is enabled, a sysctl option with name "fifo_restrictions" is
56434 +         created.
56435 +
56436 +config GRKERNSEC_SYSFS_RESTRICT
56437 +       bool "Sysfs/debugfs restriction"
56438 +       depends on SYSFS
56439 +       help
56440 +         If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
56441 +         any filesystem normally mounted under it (e.g. debugfs) will only
56442 +         be accessible by root.  These filesystems generally provide access
56443 +         to hardware and debug information that isn't appropriate for unprivileged
56444 +         users of the system.  Sysfs and debugfs have also become a large source
56445 +         of new vulnerabilities, ranging from infoleaks to local compromise.
56446 +         There has been very little oversight with an eye toward security involved
56447 +         in adding new exporters of information to these filesystems, so their
56448 +         use is discouraged.
56449 +         This option is equivalent to a chmod 0700 of the mount paths.
56450 +
56451 +config GRKERNSEC_ROFS
56452 +       bool "Runtime read-only mount protection"
56453 +       help
56454 +         If you say Y here, a sysctl option with name "romount_protect" will
56455 +         be created.  By setting this option to 1 at runtime, filesystems
56456 +         will be protected in the following ways:
56457 +         * No new writable mounts will be allowed
56458 +         * Existing read-only mounts won't be able to be remounted read/write
56459 +         * Write operations will be denied on all block devices
56460 +         This option acts independently of grsec_lock: once it is set to 1,
56461 +         it cannot be turned off.  Therefore, please be mindful of the resulting
56462 +         behavior if this option is enabled in an init script on a read-only
56463 +         filesystem.  This feature is mainly intended for secure embedded systems.
56464 +
56465 +config GRKERNSEC_CHROOT
56466 +       bool "Chroot jail restrictions"
56467 +       help
56468 +         If you say Y here, you will be able to choose several options that will
56469 +         make breaking out of a chrooted jail much more difficult.  If you
56470 +         encounter no software incompatibilities with the following options, it
56471 +         is recommended that you enable each one.
56472 +
56473 +config GRKERNSEC_CHROOT_MOUNT
56474 +       bool "Deny mounts"
56475 +       depends on GRKERNSEC_CHROOT
56476 +       help
56477 +         If you say Y here, processes inside a chroot will not be able to
56478 +         mount or remount filesystems.  If the sysctl option is enabled, a
56479 +         sysctl option with name "chroot_deny_mount" is created.
56480 +
56481 +config GRKERNSEC_CHROOT_DOUBLE
56482 +       bool "Deny double-chroots"
56483 +       depends on GRKERNSEC_CHROOT
56484 +       help
56485 +         If you say Y here, processes inside a chroot will not be able to chroot
56486 +         again outside the chroot.  This is a widely used method of breaking
56487 +         out of a chroot jail and should not be allowed.  If the sysctl 
56488 +         option is enabled, a sysctl option with name 
56489 +         "chroot_deny_chroot" is created.
56490 +
56491 +config GRKERNSEC_CHROOT_PIVOT
56492 +       bool "Deny pivot_root in chroot"
56493 +       depends on GRKERNSEC_CHROOT
56494 +       help
56495 +         If you say Y here, processes inside a chroot will not be able to use
56496 +         a function called pivot_root() that was introduced in Linux 2.3.41.  It
56497 +         works similar to chroot in that it changes the root filesystem.  This
56498 +         function could be misused in a chrooted process to attempt to break out
56499 +         of the chroot, and therefore should not be allowed.  If the sysctl
56500 +         option is enabled, a sysctl option with name "chroot_deny_pivot" is
56501 +         created.
56502 +
56503 +config GRKERNSEC_CHROOT_CHDIR
56504 +       bool "Enforce chdir(\"/\") on all chroots"
56505 +       depends on GRKERNSEC_CHROOT
56506 +       help
56507 +         If you say Y here, the current working directory of all newly-chrooted
56508 +         applications will be set to the the root directory of the chroot.
56509 +         The man page on chroot(2) states:
56510 +         Note that this call does not change  the  current  working
56511 +         directory,  so  that `.' can be outside the tree rooted at
56512 +         `/'.  In particular, the  super-user  can  escape  from  a
56513 +         `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
56514 +
56515 +         It is recommended that you say Y here, since it's not known to break
56516 +         any software.  If the sysctl option is enabled, a sysctl option with
56517 +         name "chroot_enforce_chdir" is created.
56518 +
56519 +config GRKERNSEC_CHROOT_CHMOD
56520 +       bool "Deny (f)chmod +s"
56521 +       depends on GRKERNSEC_CHROOT
56522 +       help
56523 +         If you say Y here, processes inside a chroot will not be able to chmod
56524 +         or fchmod files to make them have suid or sgid bits.  This protects
56525 +         against another published method of breaking a chroot.  If the sysctl
56526 +         option is enabled, a sysctl option with name "chroot_deny_chmod" is
56527 +         created.
56528 +
56529 +config GRKERNSEC_CHROOT_FCHDIR
56530 +       bool "Deny fchdir out of chroot"
56531 +       depends on GRKERNSEC_CHROOT
56532 +       help
56533 +         If you say Y here, a well-known method of breaking chroots by fchdir'ing
56534 +         to a file descriptor of the chrooting process that points to a directory
56535 +         outside the filesystem will be stopped.  If the sysctl option
56536 +         is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
56537 +
56538 +config GRKERNSEC_CHROOT_MKNOD
56539 +       bool "Deny mknod"
56540 +       depends on GRKERNSEC_CHROOT
56541 +       help
56542 +         If you say Y here, processes inside a chroot will not be allowed to
56543 +         mknod.  The problem with using mknod inside a chroot is that it
56544 +         would allow an attacker to create a device entry that is the same
56545 +         as one on the physical root of your system, which could range from
56546 +         anything from the console device to a device for your harddrive (which
56547 +         they could then use to wipe the drive or steal data).  It is recommended
56548 +         that you say Y here, unless you run into software incompatibilities.
56549 +         If the sysctl option is enabled, a sysctl option with name
56550 +         "chroot_deny_mknod" is created.
56551 +
56552 +config GRKERNSEC_CHROOT_SHMAT
56553 +       bool "Deny shmat() out of chroot"
56554 +       depends on GRKERNSEC_CHROOT
56555 +       help
56556 +         If you say Y here, processes inside a chroot will not be able to attach
56557 +         to shared memory segments that were created outside of the chroot jail.
56558 +         It is recommended that you say Y here.  If the sysctl option is enabled,
56559 +         a sysctl option with name "chroot_deny_shmat" is created.
56560 +
56561 +config GRKERNSEC_CHROOT_UNIX
56562 +       bool "Deny access to abstract AF_UNIX sockets out of chroot"
56563 +       depends on GRKERNSEC_CHROOT
56564 +       help
56565 +         If you say Y here, processes inside a chroot will not be able to
56566 +         connect to abstract (meaning not belonging to a filesystem) Unix
56567 +         domain sockets that were bound outside of a chroot.  It is recommended
56568 +         that you say Y here.  If the sysctl option is enabled, a sysctl option
56569 +         with name "chroot_deny_unix" is created.
56570 +
56571 +config GRKERNSEC_CHROOT_FINDTASK
56572 +       bool "Protect outside processes"
56573 +       depends on GRKERNSEC_CHROOT
56574 +       help
56575 +         If you say Y here, processes inside a chroot will not be able to
56576 +         kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
56577 +         getsid, or view any process outside of the chroot.  If the sysctl
56578 +         option is enabled, a sysctl option with name "chroot_findtask" is
56579 +         created.
56580 +
56581 +config GRKERNSEC_CHROOT_NICE
56582 +       bool "Restrict priority changes"
56583 +       depends on GRKERNSEC_CHROOT
56584 +       help
56585 +         If you say Y here, processes inside a chroot will not be able to raise
56586 +         the priority of processes in the chroot, or alter the priority of
56587 +         processes outside the chroot.  This provides more security than simply
56588 +         removing CAP_SYS_NICE from the process' capability set.  If the
56589 +         sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
56590 +         is created.
56591 +
56592 +config GRKERNSEC_CHROOT_SYSCTL
56593 +       bool "Deny sysctl writes"
56594 +       depends on GRKERNSEC_CHROOT
56595 +       help
56596 +         If you say Y here, an attacker in a chroot will not be able to
56597 +         write to sysctl entries, either by sysctl(2) or through a /proc
56598 +         interface.  It is strongly recommended that you say Y here. If the
56599 +         sysctl option is enabled, a sysctl option with name
56600 +         "chroot_deny_sysctl" is created.
56601 +
56602 +config GRKERNSEC_CHROOT_CAPS
56603 +       bool "Capability restrictions"
56604 +       depends on GRKERNSEC_CHROOT
56605 +       help
56606 +         If you say Y here, the capabilities on all processes within a
56607 +         chroot jail will be lowered to stop module insertion, raw i/o,
56608 +         system and net admin tasks, rebooting the system, modifying immutable
56609 +         files, modifying IPC owned by another, and changing the system time.
56610 +         This is left an option because it can break some apps.  Disable this
56611 +         if your chrooted apps are having problems performing those kinds of
56612 +         tasks.  If the sysctl option is enabled, a sysctl option with
56613 +         name "chroot_caps" is created.
56614 +
56615 +endmenu
56616 +menu "Kernel Auditing"
56617 +depends on GRKERNSEC
56618 +
56619 +config GRKERNSEC_AUDIT_GROUP
56620 +       bool "Single group for auditing"
56621 +       help
56622 +         If you say Y here, the exec, chdir, and (un)mount logging features
56623 +         will only operate on a group you specify.  This option is recommended
56624 +         if you only want to watch certain users instead of having a large
56625 +         amount of logs from the entire system.  If the sysctl option is enabled,
56626 +         a sysctl option with name "audit_group" is created.
56627 +
56628 +config GRKERNSEC_AUDIT_GID
56629 +       int "GID for auditing"
56630 +       depends on GRKERNSEC_AUDIT_GROUP
56631 +       default 1007
56632 +
56633 +config GRKERNSEC_EXECLOG
56634 +       bool "Exec logging"
56635 +       help
56636 +         If you say Y here, all execve() calls will be logged (since the
56637 +         other exec*() calls are frontends to execve(), all execution
56638 +         will be logged).  Useful for shell-servers that like to keep track
56639 +         of their users.  If the sysctl option is enabled, a sysctl option with
56640 +         name "exec_logging" is created.
56641 +         WARNING: This option when enabled will produce a LOT of logs, especially
56642 +         on an active system.
56643 +
56644 +config GRKERNSEC_RESLOG
56645 +       bool "Resource logging"
56646 +       help
56647 +         If you say Y here, all attempts to overstep resource limits will
56648 +         be logged with the resource name, the requested size, and the current
56649 +         limit.  It is highly recommended that you say Y here.  If the sysctl
56650 +         option is enabled, a sysctl option with name "resource_logging" is
56651 +         created.  If the RBAC system is enabled, the sysctl value is ignored.
56652 +
56653 +config GRKERNSEC_CHROOT_EXECLOG
56654 +       bool "Log execs within chroot"
56655 +       help
56656 +         If you say Y here, all executions inside a chroot jail will be logged
56657 +         to syslog.  This can cause a large amount of logs if certain
56658 +         applications (eg. djb's daemontools) are installed on the system, and
56659 +         is therefore left as an option.  If the sysctl option is enabled, a
56660 +         sysctl option with name "chroot_execlog" is created.
56661 +
56662 +config GRKERNSEC_AUDIT_PTRACE
56663 +       bool "Ptrace logging"
56664 +       help
56665 +         If you say Y here, all attempts to attach to a process via ptrace
56666 +         will be logged.  If the sysctl option is enabled, a sysctl option
56667 +         with name "audit_ptrace" is created.
56668 +
56669 +config GRKERNSEC_AUDIT_CHDIR
56670 +       bool "Chdir logging"
56671 +       help
56672 +         If you say Y here, all chdir() calls will be logged.  If the sysctl
56673 +         option is enabled, a sysctl option with name "audit_chdir" is created.
56674 +
56675 +config GRKERNSEC_AUDIT_MOUNT
56676 +       bool "(Un)Mount logging"
56677 +       help
56678 +         If you say Y here, all mounts and unmounts will be logged.  If the
56679 +         sysctl option is enabled, a sysctl option with name "audit_mount" is
56680 +         created.
56681 +
56682 +config GRKERNSEC_SIGNAL
56683 +       bool "Signal logging"
56684 +       help
56685 +         If you say Y here, certain important signals will be logged, such as
56686 +         SIGSEGV, which will as a result inform you of when a error in a program
56687 +         occurred, which in some cases could mean a possible exploit attempt.
56688 +         If the sysctl option is enabled, a sysctl option with name
56689 +         "signal_logging" is created.
56690 +
56691 +config GRKERNSEC_FORKFAIL
56692 +       bool "Fork failure logging"
56693 +       help
56694 +         If you say Y here, all failed fork() attempts will be logged.
56695 +         This could suggest a fork bomb, or someone attempting to overstep
56696 +         their process limit.  If the sysctl option is enabled, a sysctl option
56697 +         with name "forkfail_logging" is created.
56698 +
56699 +config GRKERNSEC_TIME
56700 +       bool "Time change logging"
56701 +       help
56702 +         If you say Y here, any changes of the system clock will be logged.
56703 +         If the sysctl option is enabled, a sysctl option with name
56704 +         "timechange_logging" is created.
56705 +
56706 +config GRKERNSEC_PROC_IPADDR
56707 +       bool "/proc/<pid>/ipaddr support"
56708 +       help
56709 +         If you say Y here, a new entry will be added to each /proc/<pid>
56710 +         directory that contains the IP address of the person using the task.
56711 +         The IP is carried across local TCP and AF_UNIX stream sockets.
56712 +         This information can be useful for IDS/IPSes to perform remote response
56713 +         to a local attack.  The entry is readable by only the owner of the
56714 +         process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
56715 +         the RBAC system), and thus does not create privacy concerns.
56716 +
56717 +config GRKERNSEC_RWXMAP_LOG
56718 +       bool 'Denied RWX mmap/mprotect logging'
56719 +       depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
56720 +       help
56721 +         If you say Y here, calls to mmap() and mprotect() with explicit
56722 +         usage of PROT_WRITE and PROT_EXEC together will be logged when
56723 +         denied by the PAX_MPROTECT feature.  If the sysctl option is
56724 +         enabled, a sysctl option with name "rwxmap_logging" is created.
56725 +
56726 +config GRKERNSEC_AUDIT_TEXTREL
56727 +       bool 'ELF text relocations logging (READ HELP)'
56728 +       depends on PAX_MPROTECT
56729 +       help
56730 +         If you say Y here, text relocations will be logged with the filename
56731 +         of the offending library or binary.  The purpose of the feature is
56732 +         to help Linux distribution developers get rid of libraries and
56733 +         binaries that need text relocations which hinder the future progress
56734 +         of PaX.  Only Linux distribution developers should say Y here, and
56735 +         never on a production machine, as this option creates an information
56736 +         leak that could aid an attacker in defeating the randomization of
56737 +         a single memory region.  If the sysctl option is enabled, a sysctl
56738 +         option with name "audit_textrel" is created.
56739 +
56740 +endmenu
56741 +
56742 +menu "Executable Protections"
56743 +depends on GRKERNSEC
56744 +
56745 +config GRKERNSEC_DMESG
56746 +       bool "Dmesg(8) restriction"
56747 +       help
56748 +         If you say Y here, non-root users will not be able to use dmesg(8)
56749 +         to view up to the last 4kb of messages in the kernel's log buffer.
56750 +         The kernel's log buffer often contains kernel addresses and other
56751 +         identifying information useful to an attacker in fingerprinting a
56752 +         system for a targeted exploit.
56753 +         If the sysctl option is enabled, a sysctl option with name "dmesg" is
56754 +         created.
56755 +
56756 +config GRKERNSEC_HARDEN_PTRACE
56757 +       bool "Deter ptrace-based process snooping"
56758 +       help
56759 +         If you say Y here, TTY sniffers and other malicious monitoring
56760 +         programs implemented through ptrace will be defeated.  If you
56761 +         have been using the RBAC system, this option has already been
56762 +         enabled for several years for all users, with the ability to make
56763 +         fine-grained exceptions.
56764 +
56765 +         This option only affects the ability of non-root users to ptrace
56766 +         processes that are not a descendent of the ptracing process.
56767 +         This means that strace ./binary and gdb ./binary will still work,
56768 +         but attaching to arbitrary processes will not.  If the sysctl
56769 +         option is enabled, a sysctl option with name "harden_ptrace" is
56770 +         created.
56771 +
56772 +config GRKERNSEC_TPE
56773 +       bool "Trusted Path Execution (TPE)"
56774 +       help
56775 +         If you say Y here, you will be able to choose a gid to add to the
56776 +         supplementary groups of users you want to mark as "untrusted."
56777 +         These users will not be able to execute any files that are not in
56778 +         root-owned directories writable only by root.  If the sysctl option
56779 +         is enabled, a sysctl option with name "tpe" is created.
56780 +
56781 +config GRKERNSEC_TPE_ALL
56782 +       bool "Partially restrict all non-root users"
56783 +       depends on GRKERNSEC_TPE
56784 +       help
56785 +         If you say Y here, all non-root users will be covered under
56786 +         a weaker TPE restriction.  This is separate from, and in addition to,
56787 +         the main TPE options that you have selected elsewhere.  Thus, if a
56788 +         "trusted" GID is chosen, this restriction applies to even that GID.
56789 +         Under this restriction, all non-root users will only be allowed to
56790 +         execute files in directories they own that are not group or
56791 +         world-writable, or in directories owned by root and writable only by
56792 +         root.  If the sysctl option is enabled, a sysctl option with name
56793 +         "tpe_restrict_all" is created.
56794 +
56795 +config GRKERNSEC_TPE_INVERT
56796 +       bool "Invert GID option"
56797 +       depends on GRKERNSEC_TPE
56798 +       help
56799 +         If you say Y here, the group you specify in the TPE configuration will
56800 +         decide what group TPE restrictions will be *disabled* for.  This
56801 +         option is useful if you want TPE restrictions to be applied to most
56802 +         users on the system.  If the sysctl option is enabled, a sysctl option
56803 +         with name "tpe_invert" is created.  Unlike other sysctl options, this
56804 +         entry will default to on for backward-compatibility.
56805 +
56806 +config GRKERNSEC_TPE_GID
56807 +       int "GID for untrusted users"
56808 +       depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
56809 +       default 1005
56810 +       help
56811 +         Setting this GID determines what group TPE restrictions will be
56812 +         *enabled* for.  If the sysctl option is enabled, a sysctl option
56813 +         with name "tpe_gid" is created.
56814 +
56815 +config GRKERNSEC_TPE_GID
56816 +       int "GID for trusted users"
56817 +       depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
56818 +       default 1005
56819 +       help
56820 +         Setting this GID determines what group TPE restrictions will be
56821 +         *disabled* for.  If the sysctl option is enabled, a sysctl option
56822 +         with name "tpe_gid" is created.
56823 +
56824 +endmenu
56825 +menu "Network Protections"
56826 +depends on GRKERNSEC
56827 +
56828 +config GRKERNSEC_RANDNET
56829 +       bool "Larger entropy pools"
56830 +       help
56831 +         If you say Y here, the entropy pools used for many features of Linux
56832 +         and grsecurity will be doubled in size.  Since several grsecurity
56833 +         features use additional randomness, it is recommended that you say Y
56834 +         here.  Saying Y here has a similar effect as modifying
56835 +         /proc/sys/kernel/random/poolsize.
56836 +
56837 +config GRKERNSEC_BLACKHOLE
56838 +       bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
56839 +       depends on NET
56840 +       help
56841 +         If you say Y here, neither TCP resets nor ICMP
56842 +         destination-unreachable packets will be sent in response to packets
56843 +         sent to ports for which no associated listening process exists.
56844 +         This feature supports both IPV4 and IPV6 and exempts the 
56845 +         loopback interface from blackholing.  Enabling this feature 
56846 +         makes a host more resilient to DoS attacks and reduces network
56847 +         visibility against scanners.
56848 +
56849 +         The blackhole feature as-implemented is equivalent to the FreeBSD
56850 +         blackhole feature, as it prevents RST responses to all packets, not
56851 +         just SYNs.  Under most application behavior this causes no
56852 +         problems, but applications (like haproxy) may not close certain
56853 +         connections in a way that cleanly terminates them on the remote
56854 +         end, leaving the remote host in LAST_ACK state.  Because of this
56855 +         side-effect and to prevent intentional LAST_ACK DoSes, this
56856 +         feature also adds automatic mitigation against such attacks.
56857 +         The mitigation drastically reduces the amount of time a socket
56858 +         can spend in LAST_ACK state.  If you're using haproxy and not
56859 +         all servers it connects to have this option enabled, consider
56860 +         disabling this feature on the haproxy host.
56861 +
56862 +         If the sysctl option is enabled, two sysctl options with names
56863 +         "ip_blackhole" and "lastack_retries" will be created.
56864 +         While "ip_blackhole" takes the standard zero/non-zero on/off
56865 +         toggle, "lastack_retries" uses the same kinds of values as
56866 +         "tcp_retries1" and "tcp_retries2".  The default value of 4
56867 +         prevents a socket from lasting more than 45 seconds in LAST_ACK
56868 +         state.
56869 +
56870 +config GRKERNSEC_SOCKET
56871 +       bool "Socket restrictions"
56872 +       depends on NET
56873 +       help
56874 +         If you say Y here, you will be able to choose from several options.
56875 +         If you assign a GID on your system and add it to the supplementary
56876 +         groups of users you want to restrict socket access to, this patch
56877 +         will perform up to three things, based on the option(s) you choose.
56878 +
56879 +config GRKERNSEC_SOCKET_ALL
56880 +       bool "Deny any sockets to group"
56881 +       depends on GRKERNSEC_SOCKET
56882 +       help
56883 +         If you say Y here, you will be able to choose a GID of whose users will
56884 +         be unable to connect to other hosts from your machine or run server
56885 +         applications from your machine.  If the sysctl option is enabled, a
56886 +         sysctl option with name "socket_all" is created.
56887 +
56888 +config GRKERNSEC_SOCKET_ALL_GID
56889 +       int "GID to deny all sockets for"
56890 +       depends on GRKERNSEC_SOCKET_ALL
56891 +       default 1004
56892 +       help
56893 +         Here you can choose the GID to disable socket access for. Remember to
56894 +         add the users you want socket access disabled for to the GID
56895 +         specified here.  If the sysctl option is enabled, a sysctl option
56896 +         with name "socket_all_gid" is created.
56897 +
56898 +config GRKERNSEC_SOCKET_CLIENT
56899 +       bool "Deny client sockets to group"
56900 +       depends on GRKERNSEC_SOCKET
56901 +       help
56902 +         If you say Y here, you will be able to choose a GID of whose users will
56903 +         be unable to connect to other hosts from your machine, but will be
56904 +         able to run servers.  If this option is enabled, all users in the group
56905 +         you specify will have to use passive mode when initiating ftp transfers
56906 +         from the shell on your machine.  If the sysctl option is enabled, a
56907 +         sysctl option with name "socket_client" is created.
56908 +
56909 +config GRKERNSEC_SOCKET_CLIENT_GID
56910 +       int "GID to deny client sockets for"
56911 +       depends on GRKERNSEC_SOCKET_CLIENT
56912 +       default 1003
56913 +       help
56914 +         Here you can choose the GID to disable client socket access for.
56915 +         Remember to add the users you want client socket access disabled for to
56916 +         the GID specified here.  If the sysctl option is enabled, a sysctl
56917 +         option with name "socket_client_gid" is created.
56918 +
56919 +config GRKERNSEC_SOCKET_SERVER
56920 +       bool "Deny server sockets to group"
56921 +       depends on GRKERNSEC_SOCKET
56922 +       help
56923 +         If you say Y here, you will be able to choose a GID of whose users will
56924 +         be unable to run server applications from your machine.  If the sysctl
56925 +         option is enabled, a sysctl option with name "socket_server" is created.
56926 +
56927 +config GRKERNSEC_SOCKET_SERVER_GID
56928 +       int "GID to deny server sockets for"
56929 +       depends on GRKERNSEC_SOCKET_SERVER
56930 +       default 1002
56931 +       help
56932 +         Here you can choose the GID to disable server socket access for.
56933 +         Remember to add the users you want server socket access disabled for to
56934 +         the GID specified here.  If the sysctl option is enabled, a sysctl
56935 +         option with name "socket_server_gid" is created.
56936 +
56937 +endmenu
56938 +menu "Sysctl support"
56939 +depends on GRKERNSEC && SYSCTL
56940 +
56941 +config GRKERNSEC_SYSCTL
56942 +       bool "Sysctl support"
56943 +       help
56944 +         If you say Y here, you will be able to change the options that
56945 +         grsecurity runs with at bootup, without having to recompile your
56946 +         kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
56947 +         to enable (1) or disable (0) various features.  All the sysctl entries
56948 +         are mutable until the "grsec_lock" entry is set to a non-zero value.
56949 +         All features enabled in the kernel configuration are disabled at boot
56950 +         if you do not say Y to the "Turn on features by default" option.
56951 +         All options should be set at startup, and the grsec_lock entry should
56952 +         be set to a non-zero value after all the options are set.
56953 +         *THIS IS EXTREMELY IMPORTANT*
56954 +
56955 +config GRKERNSEC_SYSCTL_DISTRO
56956 +       bool "Extra sysctl support for distro makers (READ HELP)"
56957 +       depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
56958 +       help
56959 +         If you say Y here, additional sysctl options will be created
56960 +         for features that affect processes running as root.  Therefore,
56961 +         it is critical when using this option that the grsec_lock entry be
56962 +         enabled after boot.  Only distros with prebuilt kernel packages
56963 +         with this option enabled that can ensure grsec_lock is enabled
56964 +         after boot should use this option.
56965 +         *Failure to set grsec_lock after boot makes all grsec features
56966 +         this option covers useless*
56967 +
56968 +         Currently this option creates the following sysctl entries:
56969 +         "Disable Privileged I/O": "disable_priv_io"   
56970 +
56971 +config GRKERNSEC_SYSCTL_ON
56972 +       bool "Turn on features by default"
56973 +       depends on GRKERNSEC_SYSCTL
56974 +       help
56975 +         If you say Y here, instead of having all features enabled in the
56976 +         kernel configuration disabled at boot time, the features will be
56977 +         enabled at boot time.  It is recommended you say Y here unless
56978 +         there is some reason you would want all sysctl-tunable features to
56979 +         be disabled by default.  As mentioned elsewhere, it is important
56980 +         to enable the grsec_lock entry once you have finished modifying
56981 +         the sysctl entries.
56982 +
56983 +endmenu
56984 +menu "Logging Options"
56985 +depends on GRKERNSEC
56986 +
56987 +config GRKERNSEC_FLOODTIME
56988 +       int "Seconds in between log messages (minimum)"
56989 +       default 10
56990 +       help
56991 +         This option allows you to enforce the number of seconds between
56992 +         grsecurity log messages.  The default should be suitable for most
56993 +         people, however, if you choose to change it, choose a value small enough
56994 +         to allow informative logs to be produced, but large enough to
56995 +         prevent flooding.
56996 +
56997 +config GRKERNSEC_FLOODBURST
56998 +       int "Number of messages in a burst (maximum)"
56999 +       default 6
57000 +       help
57001 +         This option allows you to choose the maximum number of messages allowed
57002 +         within the flood time interval you chose in a separate option.  The
57003 +         default should be suitable for most people, however if you find that
57004 +         many of your logs are being interpreted as flooding, you may want to
57005 +         raise this value.
57006 +
57007 +endmenu
57008 +
57009 +endmenu
57010 diff -urNp linux-3.0.9/grsecurity/Makefile linux-3.0.9/grsecurity/Makefile
57011 --- linux-3.0.9/grsecurity/Makefile     1969-12-31 19:00:00.000000000 -0500
57012 +++ linux-3.0.9/grsecurity/Makefile     2011-11-15 20:02:59.000000000 -0500
57013 @@ -0,0 +1,36 @@
57014 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
57015 +# during 2001-2009 it has been completely redesigned by Brad Spengler
57016 +# into an RBAC system
57017 +#
57018 +# All code in this directory and various hooks inserted throughout the kernel
57019 +# are copyright Brad Spengler - Open Source Security, Inc., and released 
57020 +# under the GPL v2 or higher
57021 +
57022 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
57023 +       grsec_mount.o grsec_sig.o grsec_sysctl.o \
57024 +       grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
57025 +
57026 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
57027 +       gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
57028 +       gracl_learn.o grsec_log.o
57029 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
57030 +
57031 +ifdef CONFIG_NET
57032 +obj-y += grsec_sock.o
57033 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
57034 +endif
57035 +
57036 +ifndef CONFIG_GRKERNSEC
57037 +obj-y += grsec_disabled.o
57038 +endif
57039 +
57040 +ifdef CONFIG_GRKERNSEC_HIDESYM
57041 +extra-y := grsec_hidesym.o
57042 +$(obj)/grsec_hidesym.o:
57043 +       @-chmod -f 500 /boot
57044 +       @-chmod -f 500 /lib/modules
57045 +       @-chmod -f 500 /lib64/modules
57046 +       @-chmod -f 500 /lib32/modules
57047 +       @-chmod -f 700 .
57048 +       @echo '  grsec: protected kernel image paths'
57049 +endif
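Review bot: The `$(obj)/grsec_hidesym.o` rule never creates the file it is named after, so with `extra-y := grsec_hidesym.o` its recipe re-runs on every build, and that recipe changes permissions on absolute host paths (`/boot`, `/lib/modules`, …) and on the build directory rather than touching anything in the tree. Because every command is prefixed `@-`, failures are silent, so a build run in a packaging chroot or as an unprivileged user will not notice that nothing happened. A comment above the rule stating both facts, e.g. `# Never produces its target: runs on every build and chmods the *build host*, not the tree.`, would spare the next reader the surprise; gating the recipe behind an explicit make variable would be safer still.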
57050 diff -urNp linux-3.0.9/include/acpi/acpi_bus.h linux-3.0.9/include/acpi/acpi_bus.h
57051 --- linux-3.0.9/include/acpi/acpi_bus.h 2011-11-11 13:12:24.000000000 -0500
57052 +++ linux-3.0.9/include/acpi/acpi_bus.h 2011-11-15 20:02:59.000000000 -0500
57053 @@ -107,7 +107,7 @@ struct acpi_device_ops {
57054         acpi_op_bind bind;
57055         acpi_op_unbind unbind;
57056         acpi_op_notify notify;
57057 -};
57058 +} __no_const;
57059  
57060  #define ACPI_DRIVER_ALL_NOTIFY_EVENTS  0x1     /* system AND device events */
57061  
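Review bot: `__no_const` is attached to `struct acpi_device_ops` without a comment saying what it opts the struct out of, and the same bare annotation appears in the `drm_crtc_helper.h` and `ttm_memory.h` hunks. The name suggests these function-pointer tables are exempted from a constification pass because something writes to them after initialisation, but that reason is not visible here. A one-line `/* __no_const: ops table is written at runtime, keep it writable */` above each struct, or a comment at the definition site of `__no_const` itself, would let a reviewer judge each exemption on its merits.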
57062 diff -urNp linux-3.0.9/include/asm-generic/atomic-long.h linux-3.0.9/include/asm-generic/atomic-long.h
57063 --- linux-3.0.9/include/asm-generic/atomic-long.h       2011-11-11 13:12:24.000000000 -0500
57064 +++ linux-3.0.9/include/asm-generic/atomic-long.h       2011-11-15 20:02:59.000000000 -0500
57065 @@ -22,6 +22,12 @@
57066  
57067  typedef atomic64_t atomic_long_t;
57068  
57069 +#ifdef CONFIG_PAX_REFCOUNT
57070 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
57071 +#else
57072 +typedef atomic64_t atomic_long_unchecked_t;
57073 +#endif
57074 +
57075  #define ATOMIC_LONG_INIT(i)    ATOMIC64_INIT(i)
57076  
57077  static inline long atomic_long_read(atomic_long_t *l)
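Review bot: The new `atomic_long_unchecked_t` typedef carries no comment explaining how it differs from `atomic_long_t`, and neither does its 32-bit twin in the `@@ -140,6 +209,12 @@` hunk. The name suggests a counter that is exempt from the overflow detection CONFIG_PAX_REFCOUNT adds, but that is inferred from naming, not shown here. A one-liner above the `#ifdef`, such as `/* *_unchecked: counters allowed to wrap; presumably exempt from PAX_REFCOUNT overflow checks — confirm against atomic64_unchecked_t */`, would document the contract for callers choosing between the two.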
57078 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
57079         return (long)atomic64_read(v);
57080  }
57081  
57082 +#ifdef CONFIG_PAX_REFCOUNT
57083 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
57084 +{
57085 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57086 +
57087 +       return (long)atomic64_read_unchecked(v);
57088 +}
57089 +#endif
57090 +
57091  static inline void atomic_long_set(atomic_long_t *l, long i)
57092  {
57093         atomic64_t *v = (atomic64_t *)l;
57094 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
57095         atomic64_set(v, i);
57096  }
57097  
57098 +#ifdef CONFIG_PAX_REFCOUNT
57099 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
57100 +{
57101 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57102 +
57103 +       atomic64_set_unchecked(v, i);
57104 +}
57105 +#endif
57106 +
57107  static inline void atomic_long_inc(atomic_long_t *l)
57108  {
57109         atomic64_t *v = (atomic64_t *)l;
57110 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
57111         atomic64_inc(v);
57112  }
57113  
57114 +#ifdef CONFIG_PAX_REFCOUNT
57115 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
57116 +{
57117 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57118 +
57119 +       atomic64_inc_unchecked(v);
57120 +}
57121 +#endif
57122 +
57123  static inline void atomic_long_dec(atomic_long_t *l)
57124  {
57125         atomic64_t *v = (atomic64_t *)l;
57126 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
57127         atomic64_dec(v);
57128  }
57129  
57130 +#ifdef CONFIG_PAX_REFCOUNT
57131 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
57132 +{
57133 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57134 +
57135 +       atomic64_dec_unchecked(v);
57136 +}
57137 +#endif
57138 +
57139  static inline void atomic_long_add(long i, atomic_long_t *l)
57140  {
57141         atomic64_t *v = (atomic64_t *)l;
57142 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long 
57143         atomic64_add(i, v);
57144  }
57145  
57146 +#ifdef CONFIG_PAX_REFCOUNT
57147 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
57148 +{
57149 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57150 +
57151 +       atomic64_add_unchecked(i, v);
57152 +}
57153 +#endif
57154 +
57155  static inline void atomic_long_sub(long i, atomic_long_t *l)
57156  {
57157         atomic64_t *v = (atomic64_t *)l;
57158 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long 
57159         atomic64_sub(i, v);
57160  }
57161  
57162 +#ifdef CONFIG_PAX_REFCOUNT
57163 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
57164 +{
57165 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57166 +
57167 +       atomic64_sub_unchecked(i, v);
57168 +}
57169 +#endif
57170 +
57171  static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
57172  {
57173         atomic64_t *v = (atomic64_t *)l;
57174 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
57175         return (long)atomic64_inc_return(v);
57176  }
57177  
57178 +#ifdef CONFIG_PAX_REFCOUNT
57179 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
57180 +{
57181 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57182 +
57183 +       return (long)atomic64_inc_return_unchecked(v);
57184 +}
57185 +#endif
57186 +
57187  static inline long atomic_long_dec_return(atomic_long_t *l)
57188  {
57189         atomic64_t *v = (atomic64_t *)l;
57190 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
57191  
57192  typedef atomic_t atomic_long_t;
57193  
57194 +#ifdef CONFIG_PAX_REFCOUNT
57195 +typedef atomic_unchecked_t atomic_long_unchecked_t;
57196 +#else
57197 +typedef atomic_t atomic_long_unchecked_t;
57198 +#endif
57199 +
57200  #define ATOMIC_LONG_INIT(i)    ATOMIC_INIT(i)
57201  static inline long atomic_long_read(atomic_long_t *l)
57202  {
57203 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
57204         return (long)atomic_read(v);
57205  }
57206  
57207 +#ifdef CONFIG_PAX_REFCOUNT
57208 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
57209 +{
57210 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57211 +
57212 +       return (long)atomic_read_unchecked(v);
57213 +}
57214 +#endif
57215 +
57216  static inline void atomic_long_set(atomic_long_t *l, long i)
57217  {
57218         atomic_t *v = (atomic_t *)l;
57219 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
57220         atomic_set(v, i);
57221  }
57222  
57223 +#ifdef CONFIG_PAX_REFCOUNT
57224 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
57225 +{
57226 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57227 +
57228 +       atomic_set_unchecked(v, i);
57229 +}
57230 +#endif
57231 +
57232  static inline void atomic_long_inc(atomic_long_t *l)
57233  {
57234         atomic_t *v = (atomic_t *)l;
57235 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
57236         atomic_inc(v);
57237  }
57238  
57239 +#ifdef CONFIG_PAX_REFCOUNT
57240 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
57241 +{
57242 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57243 +
57244 +       atomic_inc_unchecked(v);
57245 +}
57246 +#endif
57247 +
57248  static inline void atomic_long_dec(atomic_long_t *l)
57249  {
57250         atomic_t *v = (atomic_t *)l;
57251 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
57252         atomic_dec(v);
57253  }
57254  
57255 +#ifdef CONFIG_PAX_REFCOUNT
57256 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
57257 +{
57258 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57259 +
57260 +       atomic_dec_unchecked(v);
57261 +}
57262 +#endif
57263 +
57264  static inline void atomic_long_add(long i, atomic_long_t *l)
57265  {
57266         atomic_t *v = (atomic_t *)l;
57267 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long 
57268         atomic_add(i, v);
57269  }
57270  
57271 +#ifdef CONFIG_PAX_REFCOUNT
57272 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
57273 +{
57274 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57275 +
57276 +       atomic_add_unchecked(i, v);
57277 +}
57278 +#endif
57279 +
57280  static inline void atomic_long_sub(long i, atomic_long_t *l)
57281  {
57282         atomic_t *v = (atomic_t *)l;
57283 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long 
57284         atomic_sub(i, v);
57285  }
57286  
57287 +#ifdef CONFIG_PAX_REFCOUNT
57288 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
57289 +{
57290 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57291 +
57292 +       atomic_sub_unchecked(i, v);
57293 +}
57294 +#endif
57295 +
57296  static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
57297  {
57298         atomic_t *v = (atomic_t *)l;
57299 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
57300         return (long)atomic_inc_return(v);
57301  }
57302  
57303 +#ifdef CONFIG_PAX_REFCOUNT
57304 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
57305 +{
57306 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57307 +
57308 +       return (long)atomic_inc_return_unchecked(v);
57309 +}
57310 +#endif
57311 +
57312  static inline long atomic_long_dec_return(atomic_long_t *l)
57313  {
57314         atomic_t *v = (atomic_t *)l;
57315 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
57316  
57317  #endif  /*  BITS_PER_LONG == 64  */
57318  
57319 +#ifdef CONFIG_PAX_REFCOUNT
57320 +static inline void pax_refcount_needs_these_functions(void)
57321 +{
57322 +       atomic_read_unchecked((atomic_unchecked_t *)NULL);
57323 +       atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
57324 +       atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
57325 +       atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
57326 +       atomic_inc_unchecked((atomic_unchecked_t *)NULL);
57327 +       (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
57328 +       atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
57329 +       atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
57330 +       atomic_dec_unchecked((atomic_unchecked_t *)NULL);
57331 +       atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
57332 +       (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
57333 +
57334 +       atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
57335 +       atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
57336 +       atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
57337 +       atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
57338 +       atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
57339 +       atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
57340 +       atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
57341 +}
57342 +#else
57343 +#define atomic_read_unchecked(v) atomic_read(v)
57344 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
57345 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
57346 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
57347 +#define atomic_inc_unchecked(v) atomic_inc(v)
57348 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
57349 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
57350 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
57351 +#define atomic_dec_unchecked(v) atomic_dec(v)
57352 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
57353 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
57354 +
57355 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
57356 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
57357 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
57358 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
57359 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
57360 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
57361 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
57362 +#endif
57363 +
57364  #endif  /*  _ASM_GENERIC_ATOMIC_LONG_H  */
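Review bot: `pax_refcount_needs_these_functions` is a `static inline` that is never called and passes `NULL` into every `_unchecked` operation, with no comment saying why it exists. It reads like a compile-time probe that fails the build when an architecture is missing one of the variants, but nothing in the code says so, and it must never be invoked at runtime. Suggest heading it with `/* Never called: forces a compile error if an arch omits any _unchecked atomic op. Do not invoke. */`. The `#else` fallbacks below define the `atomic_*_unchecked` names only for code that reaches this header; if any user includes just `<asm/atomic.h>`, confirm it still sees these definitions rather than an implicit declaration.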
57365 diff -urNp linux-3.0.9/include/asm-generic/cache.h linux-3.0.9/include/asm-generic/cache.h
57366 --- linux-3.0.9/include/asm-generic/cache.h     2011-11-11 13:12:24.000000000 -0500
57367 +++ linux-3.0.9/include/asm-generic/cache.h     2011-11-15 20:02:59.000000000 -0500
57368 @@ -6,7 +6,7 @@
57369   * cache lines need to provide their own cache.h.
57370   */
57371  
57372 -#define L1_CACHE_SHIFT         5
57373 -#define L1_CACHE_BYTES         (1 << L1_CACHE_SHIFT)
57374 +#define L1_CACHE_SHIFT         5UL
57375 +#define L1_CACHE_BYTES         (1UL << L1_CACHE_SHIFT)
57376  
57377  #endif /* __ASM_GENERIC_CACHE_H */
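Review bot: The `UL` suffixes on `L1_CACHE_SHIFT` and `L1_CACHE_BYTES` make these constants unusable wherever the header is consumed by the assembler or by the preprocessed linker script, since neither accepts C integer suffixes. Whether any `.S` or `.lds.S` file reaches this generic definition is not visible here and deserves a check before merging; the kernel's `_AC()` helper exists for exactly this case. If the intent is only to keep size arithmetic unsigned in C callers, a comment such as `/* UL: keep cache-size arithmetic unsigned long in C users */` would state it.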
57378 diff -urNp linux-3.0.9/include/asm-generic/int-l64.h linux-3.0.9/include/asm-generic/int-l64.h
57379 --- linux-3.0.9/include/asm-generic/int-l64.h   2011-11-11 13:12:24.000000000 -0500
57380 +++ linux-3.0.9/include/asm-generic/int-l64.h   2011-11-15 20:02:59.000000000 -0500
57381 @@ -46,6 +46,8 @@ typedef unsigned int u32;
57382  typedef signed long s64;
57383  typedef unsigned long u64;
57384  
57385 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
57386 +
57387  #define S8_C(x)  x
57388  #define U8_C(x)  x ## U
57389  #define S16_C(x) x
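Review bot: `intoverflow_t` is 128 bits here via `mode(TI)` but only 64 bits in the `int-ll64.h` hunk, and neither definition states the invariant the two presumably share — wide enough to hold the product of two `unsigned long` values so multiplication overflow can be tested without wrapping. Spell it out once in each place, e.g. `/* intoverflow_t: at least twice the width of unsigned long, so a*b of two size_t cannot wrap */`. `mode(TI)` is GCC-specific and exists only on targets with 128-bit integer support; that is plausible for every user of `int-l64.h`, but a comment or a preprocessor guard saying so would make the assumption explicit.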
57390 diff -urNp linux-3.0.9/include/asm-generic/int-ll64.h linux-3.0.9/include/asm-generic/int-ll64.h
57391 --- linux-3.0.9/include/asm-generic/int-ll64.h  2011-11-11 13:12:24.000000000 -0500
57392 +++ linux-3.0.9/include/asm-generic/int-ll64.h  2011-11-15 20:02:59.000000000 -0500
57393 @@ -51,6 +51,8 @@ typedef unsigned int u32;
57394  typedef signed long long s64;
57395  typedef unsigned long long u64;
57396  
57397 +typedef unsigned long long intoverflow_t;
57398 +
57399  #define S8_C(x)  x
57400  #define U8_C(x)  x ## U
57401  #define S16_C(x) x
57402 diff -urNp linux-3.0.9/include/asm-generic/kmap_types.h linux-3.0.9/include/asm-generic/kmap_types.h
57403 --- linux-3.0.9/include/asm-generic/kmap_types.h        2011-11-11 13:12:24.000000000 -0500
57404 +++ linux-3.0.9/include/asm-generic/kmap_types.h        2011-11-15 20:02:59.000000000 -0500
57405 @@ -29,10 +29,11 @@ KMAP_D(16)  KM_IRQ_PTE,
57406  KMAP_D(17)     KM_NMI,
57407  KMAP_D(18)     KM_NMI_PTE,
57408  KMAP_D(19)     KM_KDB,
57409 +KMAP_D(20)     KM_CLEARPAGE,
57410  /*
57411   * Remember to update debug_kmap_atomic() when adding new kmap types!
57412   */
57413 -KMAP_D(20)     KM_TYPE_NR
57414 +KMAP_D(21)     KM_TYPE_NR
57415  };
57416  
57417  #undef KMAP_D
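Review bot: `KM_CLEARPAGE` is added to the enum directly above a comment that says `debug_kmap_atomic()` must be updated when a kmap type is added, and nothing in this hunk shows that update. If it is done elsewhere in the patch, a short note here, e.g. `/* KM_CLEARPAGE: also handled in debug_kmap_atomic() */`, ties the two together; if not, the debug path will mis-report the new type. The renumbering of `KM_TYPE_NR` to 21 is consistent with a single insertion.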
57418 diff -urNp linux-3.0.9/include/asm-generic/pgtable.h linux-3.0.9/include/asm-generic/pgtable.h
57419 --- linux-3.0.9/include/asm-generic/pgtable.h   2011-11-11 13:12:24.000000000 -0500
57420 +++ linux-3.0.9/include/asm-generic/pgtable.h   2011-11-15 20:02:59.000000000 -0500
57421 @@ -443,6 +443,14 @@ static inline int pmd_write(pmd_t pmd)
57422  #endif /* __HAVE_ARCH_PMD_WRITE */
57423  #endif
57424  
57425 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
57426 +static inline unsigned long pax_open_kernel(void) { return 0; }
57427 +#endif
57428 +
57429 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
57430 +static inline unsigned long pax_close_kernel(void) { return 0; }
57431 +#endif
57432 +
57433  #endif /* !__ASSEMBLY__ */
57434  
57435  #endif /* _ASM_GENERIC_PGTABLE_H */
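Review bot: The fallback `pax_open_kernel()`/`pax_close_kernel()` return an `unsigned long` whose meaning is not documented, so an architecture defining `__HAVE_ARCH_PAX_OPEN_KERNEL` has no stated contract to match. The names suggest a bracket around writes to otherwise read-only kernel data, with a no-op default for arches that do not enforce such protection, but that is inferred rather than shown. A header comment such as `/* Default no-ops for arches without kernel RO-data write protection; the return value is presumably saved state for the matching close — confirm against the arch versions */` would put the contract somewhere.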
57436 diff -urNp linux-3.0.9/include/asm-generic/pgtable-nopmd.h linux-3.0.9/include/asm-generic/pgtable-nopmd.h
57437 --- linux-3.0.9/include/asm-generic/pgtable-nopmd.h     2011-11-11 13:12:24.000000000 -0500
57438 +++ linux-3.0.9/include/asm-generic/pgtable-nopmd.h     2011-11-15 20:02:59.000000000 -0500
57439 @@ -1,14 +1,19 @@
57440  #ifndef _PGTABLE_NOPMD_H
57441  #define _PGTABLE_NOPMD_H
57442  
57443 -#ifndef __ASSEMBLY__
57444 -
57445  #include <asm-generic/pgtable-nopud.h>
57446  
57447 -struct mm_struct;
57448 -
57449  #define __PAGETABLE_PMD_FOLDED
57450  
57451 +#define PMD_SHIFT      PUD_SHIFT
57452 +#define PTRS_PER_PMD   1
57453 +#define PMD_SIZE       (_AC(1,UL) << PMD_SHIFT)
57454 +#define PMD_MASK       (~(PMD_SIZE-1))
57455 +
57456 +#ifndef __ASSEMBLY__
57457 +
57458 +struct mm_struct;
57459 +
57460  /*
57461   * Having the pmd type consist of a pud gets the size right, and allows
57462   * us to conceptually access the pud entry that this pmd is folded into
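Review bot: The relocated `PMD_SIZE` definition now uses `_AC(1,UL)`, which comes from `<linux/const.h>`, and this header does not include it; the same applies to `PUD_SIZE` in the `pgtable-nopud.h` hunk. Even if the include is satisfied transitively today, it should be explicit, since these macros are now deliberately visible to assembly (the reason for moving them above `#ifndef __ASSEMBLY__`) and assembly sources have shorter include chains. One line, `#include <linux/const.h>`, at the top of each header removes the dependency on include order.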
57463 @@ -16,11 +21,6 @@ struct mm_struct;
57464   */
57465  typedef struct { pud_t pud; } pmd_t;
57466  
57467 -#define PMD_SHIFT      PUD_SHIFT
57468 -#define PTRS_PER_PMD   1
57469 -#define PMD_SIZE       (1UL << PMD_SHIFT)
57470 -#define PMD_MASK       (~(PMD_SIZE-1))
57471 -
57472  /*
57473   * The "pud_xxx()" functions here are trivial for a folded two-level
57474   * setup: the pmd is never bad, and a pmd always exists (as it's folded
57475 diff -urNp linux-3.0.9/include/asm-generic/pgtable-nopud.h linux-3.0.9/include/asm-generic/pgtable-nopud.h
57476 --- linux-3.0.9/include/asm-generic/pgtable-nopud.h     2011-11-11 13:12:24.000000000 -0500
57477 +++ linux-3.0.9/include/asm-generic/pgtable-nopud.h     2011-11-15 20:02:59.000000000 -0500
57478 @@ -1,10 +1,15 @@
57479  #ifndef _PGTABLE_NOPUD_H
57480  #define _PGTABLE_NOPUD_H
57481  
57482 -#ifndef __ASSEMBLY__
57483 -
57484  #define __PAGETABLE_PUD_FOLDED
57485  
57486 +#define PUD_SHIFT      PGDIR_SHIFT
57487 +#define PTRS_PER_PUD   1
57488 +#define PUD_SIZE       (_AC(1,UL) << PUD_SHIFT)
57489 +#define PUD_MASK       (~(PUD_SIZE-1))
57490 +
57491 +#ifndef __ASSEMBLY__
57492 +
57493  /*
57494   * Having the pud type consist of a pgd gets the size right, and allows
57495   * us to conceptually access the pgd entry that this pud is folded into
57496 @@ -12,11 +17,6 @@
57497   */
57498  typedef struct { pgd_t pgd; } pud_t;
57499  
57500 -#define PUD_SHIFT      PGDIR_SHIFT
57501 -#define PTRS_PER_PUD   1
57502 -#define PUD_SIZE       (1UL << PUD_SHIFT)
57503 -#define PUD_MASK       (~(PUD_SIZE-1))
57504 -
57505  /*
57506   * The "pgd_xxx()" functions here are trivial for a folded two-level
57507   * setup: the pud is never bad, and a pud always exists (as it's folded
57508 diff -urNp linux-3.0.9/include/asm-generic/vmlinux.lds.h linux-3.0.9/include/asm-generic/vmlinux.lds.h
57509 --- linux-3.0.9/include/asm-generic/vmlinux.lds.h       2011-11-11 13:12:24.000000000 -0500
57510 +++ linux-3.0.9/include/asm-generic/vmlinux.lds.h       2011-11-15 20:02:59.000000000 -0500
57511 @@ -217,6 +217,7 @@
57512         .rodata           : AT(ADDR(.rodata) - LOAD_OFFSET) {           \
57513                 VMLINUX_SYMBOL(__start_rodata) = .;                     \
57514                 *(.rodata) *(.rodata.*)                                 \
57515 +               *(.data..read_only)                                     \
57516                 *(__vermagic)           /* Kernel version magic */      \
57517                 . = ALIGN(8);                                           \
57518                 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .;         \
57519 @@ -723,17 +724,18 @@
57520   * section in the linker script will go there too.  @phdr should have
57521   * a leading colon.
57522   *
57523 - * Note that this macros defines __per_cpu_load as an absolute symbol.
57524 + * Note that this macros defines per_cpu_load as an absolute symbol.
57525   * If there is no need to put the percpu section at a predetermined
57526   * address, use PERCPU_SECTION.
57527   */
57528  #define PERCPU_VADDR(cacheline, vaddr, phdr)                           \
57529 -       VMLINUX_SYMBOL(__per_cpu_load) = .;                             \
57530 -       .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load)         \
57531 +       per_cpu_load = .;                                               \
57532 +       .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load)           \
57533                                 - LOAD_OFFSET) {                        \
57534 +               VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load;      \
57535                 PERCPU_INPUT(cacheline)                                 \
57536         } phdr                                                          \
57537 -       . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
57538 +       . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
57539  
57540  /**
57541   * PERCPU_SECTION - define output section for percpu area, simple version
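Review bot: `per_cpu_load` is assigned bare (`per_cpu_load = .;`) but read back through `VMLINUX_SYMBOL(per_cpu_load)` twice; on configurations where `VMLINUX_SYMBOL()` prepends an underscore those are two different symbols and the link fails with an undefined reference. Either wrap the assignment the same way or reference it bare in all three places, e.g. `. = per_cpu_load + SIZEOF(.data..percpu);`. The comment above should also say why `__per_cpu_load` is now computed inside the section as `. + per_cpu_load` instead of being set at the section start, since that is the non-obvious part of the change.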
57542 diff -urNp linux-3.0.9/include/drm/drm_crtc_helper.h linux-3.0.9/include/drm/drm_crtc_helper.h
57543 --- linux-3.0.9/include/drm/drm_crtc_helper.h   2011-11-11 13:12:24.000000000 -0500
57544 +++ linux-3.0.9/include/drm/drm_crtc_helper.h   2011-11-15 20:02:59.000000000 -0500
57545 @@ -74,7 +74,7 @@ struct drm_crtc_helper_funcs {
57546  
57547         /* disable crtc when not in use - more explicit than dpms off */
57548         void (*disable)(struct drm_crtc *crtc);
57549 -};
57550 +} __no_const;
57551  
57552  struct drm_encoder_helper_funcs {
57553         void (*dpms)(struct drm_encoder *encoder, int mode);
57554 @@ -95,7 +95,7 @@ struct drm_encoder_helper_funcs {
57555                                             struct drm_connector *connector);
57556         /* disable encoder when not in use - more explicit than dpms off */
57557         void (*disable)(struct drm_encoder *encoder);
57558 -};
57559 +} __no_const;
57560  
57561  struct drm_connector_helper_funcs {
57562         int (*get_modes)(struct drm_connector *connector);
57563 diff -urNp linux-3.0.9/include/drm/drmP.h linux-3.0.9/include/drm/drmP.h
57564 --- linux-3.0.9/include/drm/drmP.h      2011-11-11 13:12:24.000000000 -0500
57565 +++ linux-3.0.9/include/drm/drmP.h      2011-11-15 20:02:59.000000000 -0500
57566 @@ -73,6 +73,7 @@
57567  #include <linux/workqueue.h>
57568  #include <linux/poll.h>
57569  #include <asm/pgalloc.h>
57570 +#include <asm/local.h>
57571  #include "drm.h"
57572  
57573  #include <linux/idr.h>
57574 @@ -1033,7 +1034,7 @@ struct drm_device {
57575  
57576         /** \name Usage Counters */
57577         /*@{ */
57578 -       int open_count;                 /**< Outstanding files open */
57579 +       local_t open_count;             /**< Outstanding files open */
57580         atomic_t ioctl_count;           /**< Outstanding IOCTLs pending */
57581         atomic_t vma_count;             /**< Outstanding vma areas open */
57582         int buf_use;                    /**< Buffers in use -- cannot alloc */
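Review bot: `local_t open_count` replaces a plain `int` for a device-wide counter, but `local_t` operations are only guaranteed atomic with respect to the CPU that owns the data (Documentation/local_ops.txt); a counter that any CPU can touch is only correct with it if every access is still serialized by a lock, which the hunk cannot show. If the open/release paths keep holding the DRM global mutex around it, as the 3.0 code appears to, a comment on the field should name that lock, e.g. `local_t open_count; /**< Outstanding files open; serialized by the DRM global mutex */`, so nobody later relies on `local_t` alone for SMP safety. `struct drm_device` starts and ends outside the hunk.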
57583 @@ -1044,7 +1045,7 @@ struct drm_device {
57584         /*@{ */
57585         unsigned long counters;
57586         enum drm_stat_type types[15];
57587 -       atomic_t counts[15];
57588 +       atomic_unchecked_t counts[15];
57589         /*@} */
57590  
57591         struct list_head filelist;
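Review bot: `atomic_unchecked_t counts[15]` opts these counters out of whatever overflow checking this patch gives `atomic_t` (presumably the refcount-overflow protection introduced elsewhere in the series), and nothing records why wrapping is acceptable here. A one-line comment such as `atomic_unchecked_t counts[15]; /* statistics only: may wrap, not a refcount */` would keep the exemption from being silently widened or reverted by a later cleanup. The same applies to `blk_trace.dropped` in blktrace_api.h, `k_atm_aal_stats` in atmdev.h, `fscache_op_debug_id` in fscache-cache.h and `gendisk.sync_io` in genhd.h.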
57592 diff -urNp linux-3.0.9/include/drm/ttm/ttm_memory.h linux-3.0.9/include/drm/ttm/ttm_memory.h
57593 --- linux-3.0.9/include/drm/ttm/ttm_memory.h    2011-11-11 13:12:24.000000000 -0500
57594 +++ linux-3.0.9/include/drm/ttm/ttm_memory.h    2011-11-15 20:02:59.000000000 -0500
57595 @@ -47,7 +47,7 @@
57596  
57597  struct ttm_mem_shrink {
57598         int (*do_shrink) (struct ttm_mem_shrink *);
57599 -};
57600 +} __no_const;
57601  
57602  /**
57603   * struct ttm_mem_global - Global memory accounting structure.
57604 diff -urNp linux-3.0.9/include/linux/a.out.h linux-3.0.9/include/linux/a.out.h
57605 --- linux-3.0.9/include/linux/a.out.h   2011-11-11 13:12:24.000000000 -0500
57606 +++ linux-3.0.9/include/linux/a.out.h   2011-11-15 20:02:59.000000000 -0500
57607 @@ -39,6 +39,14 @@ enum machine_type {
57608    M_MIPS2 = 152                /* MIPS R6000/R4000 binary */
57609  };
57610  
57611 +/* Constants for the N_FLAGS field */
57612 +#define F_PAX_PAGEEXEC 1       /* Paging based non-executable pages */
57613 +#define F_PAX_EMUTRAMP 2       /* Emulate trampolines */
57614 +#define F_PAX_MPROTECT 4       /* Restrict mprotect() */
57615 +#define F_PAX_RANDMMAP 8       /* Randomize mmap() base */
57616 +/*#define F_PAX_RANDEXEC       16*/    /* Randomize ET_EXEC base */
57617 +#define F_PAX_SEGMEXEC 32      /* Segmentation based non-executable pages */
57618 +
57619  #if !defined (N_MAGIC)
57620  #define N_MAGIC(exec) ((exec).a_info & 0xffff)
57621  #endif
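Review bot: `/*#define F_PAX_RANDEXEC 16*/` leaves bit value 16 out of the sequence with no explanation, and commented-out code tends to be either deleted or reused. A plain comment states the intent better: `/* 16 was F_PAX_RANDEXEC (removed); keep reserved */`. The same holds for `EF_PAX_RANDEXEC` in elf.h and the `PF_RANDEXEC`/`PF_NORANDEXEC` pair (bits 10 and 11) in the `PF_*` hunk there.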
57622 diff -urNp linux-3.0.9/include/linux/atmdev.h linux-3.0.9/include/linux/atmdev.h
57623 --- linux-3.0.9/include/linux/atmdev.h  2011-11-11 13:12:24.000000000 -0500
57624 +++ linux-3.0.9/include/linux/atmdev.h  2011-11-15 20:02:59.000000000 -0500
57625 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
57626  #endif
57627  
57628  struct k_atm_aal_stats {
57629 -#define __HANDLE_ITEM(i) atomic_t i
57630 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
57631         __AAL_STAT_ITEMS
57632  #undef __HANDLE_ITEM
57633  };
57634 diff -urNp linux-3.0.9/include/linux/binfmts.h linux-3.0.9/include/linux/binfmts.h
57635 --- linux-3.0.9/include/linux/binfmts.h 2011-11-11 13:12:24.000000000 -0500
57636 +++ linux-3.0.9/include/linux/binfmts.h 2011-11-15 20:02:59.000000000 -0500
57637 @@ -88,6 +88,7 @@ struct linux_binfmt {
57638         int (*load_binary)(struct linux_binprm *, struct  pt_regs * regs);
57639         int (*load_shlib)(struct file *);
57640         int (*core_dump)(struct coredump_params *cprm);
57641 +       void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
57642         unsigned long min_coredump;     /* minimal dump size */
57643  };
57644  
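Review bot: The new `handle_mprotect` callback is the only member of `struct linux_binfmt` added without a comment, and unlike the neighbouring `load_binary`/`core_dump` it is presumably optional, so binfmts that use a static initializer leave it NULL. Whatever calls it (not visible here) must NULL-check, and the header should say so: `void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags); /* optional: called on mprotect() of a VMA backed by this binfmt; NULL if unused */`. `struct linux_binfmt` starts outside the hunk.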
57645 diff -urNp linux-3.0.9/include/linux/blkdev.h linux-3.0.9/include/linux/blkdev.h
57646 --- linux-3.0.9/include/linux/blkdev.h  2011-11-11 13:12:24.000000000 -0500
57647 +++ linux-3.0.9/include/linux/blkdev.h  2011-11-15 20:02:59.000000000 -0500
57648 @@ -1308,7 +1308,7 @@ struct block_device_operations {
57649         /* this callback is with swap_lock and sometimes page table lock held */
57650         void (*swap_slot_free_notify) (struct block_device *, unsigned long);
57651         struct module *owner;
57652 -};
57653 +} __do_const;
57654  
57655  extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
57656                                  unsigned long);
57657 diff -urNp linux-3.0.9/include/linux/blktrace_api.h linux-3.0.9/include/linux/blktrace_api.h
57658 --- linux-3.0.9/include/linux/blktrace_api.h    2011-11-11 13:12:24.000000000 -0500
57659 +++ linux-3.0.9/include/linux/blktrace_api.h    2011-11-15 20:02:59.000000000 -0500
57660 @@ -161,7 +161,7 @@ struct blk_trace {
57661         struct dentry *dir;
57662         struct dentry *dropped_file;
57663         struct dentry *msg_file;
57664 -       atomic_t dropped;
57665 +       atomic_unchecked_t dropped;
57666  };
57667  
57668  extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
57669 diff -urNp linux-3.0.9/include/linux/byteorder/little_endian.h linux-3.0.9/include/linux/byteorder/little_endian.h
57670 --- linux-3.0.9/include/linux/byteorder/little_endian.h 2011-11-11 13:12:24.000000000 -0500
57671 +++ linux-3.0.9/include/linux/byteorder/little_endian.h 2011-11-15 20:02:59.000000000 -0500
57672 @@ -42,51 +42,51 @@
57673  
57674  static inline __le64 __cpu_to_le64p(const __u64 *p)
57675  {
57676 -       return (__force __le64)*p;
57677 +       return (__force const __le64)*p;
57678  }
57679  static inline __u64 __le64_to_cpup(const __le64 *p)
57680  {
57681 -       return (__force __u64)*p;
57682 +       return (__force const __u64)*p;
57683  }
57684  static inline __le32 __cpu_to_le32p(const __u32 *p)
57685  {
57686 -       return (__force __le32)*p;
57687 +       return (__force const __le32)*p;
57688  }
57689  static inline __u32 __le32_to_cpup(const __le32 *p)
57690  {
57691 -       return (__force __u32)*p;
57692 +       return (__force const __u32)*p;
57693  }
57694  static inline __le16 __cpu_to_le16p(const __u16 *p)
57695  {
57696 -       return (__force __le16)*p;
57697 +       return (__force const __le16)*p;
57698  }
57699  static inline __u16 __le16_to_cpup(const __le16 *p)
57700  {
57701 -       return (__force __u16)*p;
57702 +       return (__force const __u16)*p;
57703  }
57704  static inline __be64 __cpu_to_be64p(const __u64 *p)
57705  {
57706 -       return (__force __be64)__swab64p(p);
57707 +       return (__force const __be64)__swab64p(p);
57708  }
57709  static inline __u64 __be64_to_cpup(const __be64 *p)
57710  {
57711 -       return __swab64p((__u64 *)p);
57712 +       return __swab64p((const __u64 *)p);
57713  }
57714  static inline __be32 __cpu_to_be32p(const __u32 *p)
57715  {
57716 -       return (__force __be32)__swab32p(p);
57717 +       return (__force const __be32)__swab32p(p);
57718  }
57719  static inline __u32 __be32_to_cpup(const __be32 *p)
57720  {
57721 -       return __swab32p((__u32 *)p);
57722 +       return __swab32p((const __u32 *)p);
57723  }
57724  static inline __be16 __cpu_to_be16p(const __u16 *p)
57725  {
57726 -       return (__force __be16)__swab16p(p);
57727 +       return (__force const __be16)__swab16p(p);
57728  }
57729  static inline __u16 __be16_to_cpup(const __be16 *p)
57730  {
57731 -       return __swab16p((__u16 *)p);
57732 +       return __swab16p((const __u16 *)p);
57733  }
57734  #define __cpu_to_le64s(x) do { (void)(x); } while (0)
57735  #define __le64_to_cpus(x) do { (void)(x); } while (0)
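Review bot: `(__force const __le64)*p` casts to a const-qualified scalar type, and a cast yields a non-lvalue whose qualifiers are dropped (C11 6.5.4 / 6.3.2.1), so the added `const` in the twelve scalar casts in this hunk changes nothing for the compiler; only the three `(const __u64 *)p`-style pointer casts passed to `__swab*p()` alter anything (they stop discarding the parameter's `const`). If the qualifier on the scalar casts is there for sparse or a plugin, a short comment at the top of the group should say so, otherwise the next reader will remove it as redundant; if not, `return (__force __le64)*p;` can simply stay as it was.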
57736 diff -urNp linux-3.0.9/include/linux/cache.h linux-3.0.9/include/linux/cache.h
57737 --- linux-3.0.9/include/linux/cache.h   2011-11-11 13:12:24.000000000 -0500
57738 +++ linux-3.0.9/include/linux/cache.h   2011-11-15 20:02:59.000000000 -0500
57739 @@ -16,6 +16,10 @@
57740  #define __read_mostly
57741  #endif
57742  
57743 +#ifndef __read_only
57744 +#define __read_only __read_mostly
57745 +#endif
57746 +
57747  #ifndef ____cacheline_aligned
57748  #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
57749  #endif
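Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture that does not define `__read_only` itself the annotation is only a placement hint and gives the data no write protection at all, yet the name invites readers to assume the object is enforced read-only after init. Add a comment above the block, e.g. `/* __read_only: data that is never written after init; without arch support this only places it with __read_mostly and enforces nothing */`, so callers do not treat it as a security boundary where it is not one.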
57750 diff -urNp linux-3.0.9/include/linux/capability.h linux-3.0.9/include/linux/capability.h
57751 --- linux-3.0.9/include/linux/capability.h      2011-11-11 13:12:24.000000000 -0500
57752 +++ linux-3.0.9/include/linux/capability.h      2011-11-15 20:02:59.000000000 -0500
57753 @@ -547,6 +547,9 @@ extern bool capable(int cap);
57754  extern bool ns_capable(struct user_namespace *ns, int cap);
57755  extern bool task_ns_capable(struct task_struct *t, int cap);
57756  extern bool nsown_capable(int cap);
57757 +extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
57758 +extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
57759 +extern bool capable_nolog(int cap);
57760  
57761  /* audit system wants to get cap info from files as well */
57762  extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
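Review bot: The three new `*_nolog` declarations carry no comment, and their contract has to be guessed from the suffix; presumably they behave like `capable()`/`ns_capable()`/`task_ns_capable()` but skip the audit/log record for a denied check. That distinction is security-relevant (a caller that picks the wrong variant either floods the log or silently hides denials), so a comment should state it: `/* As capable()/ns_capable()/task_ns_capable(), but a failed check is not logged; use only for probes where denial is expected and not a policy violation. */`.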
57763 diff -urNp linux-3.0.9/include/linux/cleancache.h linux-3.0.9/include/linux/cleancache.h
57764 --- linux-3.0.9/include/linux/cleancache.h      2011-11-11 13:12:24.000000000 -0500
57765 +++ linux-3.0.9/include/linux/cleancache.h      2011-11-15 20:02:59.000000000 -0500
57766 @@ -31,7 +31,7 @@ struct cleancache_ops {
57767         void (*flush_page)(int, struct cleancache_filekey, pgoff_t);
57768         void (*flush_inode)(int, struct cleancache_filekey);
57769         void (*flush_fs)(int);
57770 -};
57771 +} __no_const;
57772  
57773  extern struct cleancache_ops
57774         cleancache_register_ops(struct cleancache_ops *ops);
57775 diff -urNp linux-3.0.9/include/linux/compiler-gcc4.h linux-3.0.9/include/linux/compiler-gcc4.h
57776 --- linux-3.0.9/include/linux/compiler-gcc4.h   2011-11-11 13:12:24.000000000 -0500
57777 +++ linux-3.0.9/include/linux/compiler-gcc4.h   2011-11-15 20:02:59.000000000 -0500
57778 @@ -31,6 +31,12 @@
57779  
57780  
57781  #if __GNUC_MINOR__ >= 5
57782 +
57783 +#ifdef CONSTIFY_PLUGIN
57784 +#define __no_const __attribute__((no_const))
57785 +#define __do_const __attribute__((do_const))
57786 +#endif
57787 +
57788  /*
57789   * Mark a position in code as unreachable.  This can be used to
57790   * suppress control flow warnings after asm blocks that transfer
57791 @@ -46,6 +52,11 @@
57792  #define __noclone      __attribute__((__noclone__))
57793  
57794  #endif
57795 +
57796 +#define __alloc_size(...)      __attribute((alloc_size(__VA_ARGS__)))
57797 +#define __bos(ptr, arg)                __builtin_object_size((ptr), (arg))
57798 +#define __bos0(ptr)            __bos((ptr), 0)
57799 +#define __bos1(ptr)            __bos((ptr), 1)
57800  #endif
57801  
57802  #if __GNUC_MINOR__ > 0
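Review bot: `__alloc_size(...)` is spelled with `__attribute(` while every other macro in this file, including `__noclone` two lines above, uses `__attribute__(`; GCC accepts both spellings, but the odd one out reads like a typo and will get "fixed" either way. Use `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. The `#if __GNUC_MINOR__` block these definitions land in starts outside the hunk, so it is not visible here which minimum minor version guards `alloc_size` and `__builtin_object_size`.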
57803 diff -urNp linux-3.0.9/include/linux/compiler.h linux-3.0.9/include/linux/compiler.h
57804 --- linux-3.0.9/include/linux/compiler.h        2011-11-11 13:12:24.000000000 -0500
57805 +++ linux-3.0.9/include/linux/compiler.h        2011-11-15 20:02:59.000000000 -0500
57806 @@ -5,31 +5,62 @@
57807  
57808  #ifdef __CHECKER__
57809  # define __user                __attribute__((noderef, address_space(1)))
57810 +# define __force_user  __force __user
57811  # define __kernel      __attribute__((address_space(0)))
57812 +# define __force_kernel        __force __kernel
57813  # define __safe                __attribute__((safe))
57814  # define __force       __attribute__((force))
57815  # define __nocast      __attribute__((nocast))
57816  # define __iomem       __attribute__((noderef, address_space(2)))
57817 +# define __force_iomem __force __iomem
57818  # define __acquires(x) __attribute__((context(x,0,1)))
57819  # define __releases(x) __attribute__((context(x,1,0)))
57820  # define __acquire(x)  __context__(x,1)
57821  # define __release(x)  __context__(x,-1)
57822  # define __cond_lock(x,c)      ((c) ? ({ __acquire(x); 1; }) : 0)
57823  # define __percpu      __attribute__((noderef, address_space(3)))
57824 +# define __force_percpu        __force __percpu
57825  #ifdef CONFIG_SPARSE_RCU_POINTER
57826  # define __rcu         __attribute__((noderef, address_space(4)))
57827 +# define __force_rcu   __force __rcu
57828  #else
57829  # define __rcu
57830 +# define __force_rcu
57831  #endif
57832  extern void __chk_user_ptr(const volatile void __user *);
57833  extern void __chk_io_ptr(const volatile void __iomem *);
57834 +#elif defined(CHECKER_PLUGIN)
57835 +//# define __user
57836 +//# define __force_user
57837 +//# define __kernel
57838 +//# define __force_kernel
57839 +# define __safe
57840 +# define __force
57841 +# define __nocast
57842 +# define __iomem
57843 +# define __force_iomem
57844 +# define __chk_user_ptr(x) (void)0
57845 +# define __chk_io_ptr(x) (void)0
57846 +# define __builtin_warning(x, y...) (1)
57847 +# define __acquires(x)
57848 +# define __releases(x)
57849 +# define __acquire(x) (void)0
57850 +# define __release(x) (void)0
57851 +# define __cond_lock(x,c) (c)
57852 +# define __percpu
57853 +# define __force_percpu
57854 +# define __rcu
57855 +# define __force_rcu
57856  #else
57857  # define __user
57858 +# define __force_user
57859  # define __kernel
57860 +# define __force_kernel
57861  # define __safe
57862  # define __force
57863  # define __nocast
57864  # define __iomem
57865 +# define __force_iomem
57866  # define __chk_user_ptr(x) (void)0
57867  # define __chk_io_ptr(x) (void)0
57868  # define __builtin_warning(x, y...) (1)
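Review bot: In the new `#elif defined(CHECKER_PLUGIN)` branch the `__user`, `__force_user`, `__kernel` and `__force_kernel` definitions are present only as `//`-commented lines, so in that configuration the four names are either supplied by the plugin or left undefined, and nothing in the header says which. Replace the dead lines with a statement of the contract, e.g. `/* __user/__kernel/__force_user/__force_kernel are defined by the checker plugin itself */`, or delete them if the plugin does not provide them. Commented-out code in a header that every translation unit includes is otherwise just noise.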
57869 @@ -39,7 +70,9 @@ extern void __chk_io_ptr(const volatile 
57870  # define __release(x) (void)0
57871  # define __cond_lock(x,c) (c)
57872  # define __percpu
57873 +# define __force_percpu
57874  # define __rcu
57875 +# define __force_rcu
57876  #endif
57877  
57878  #ifdef __KERNEL__
57879 @@ -264,6 +297,14 @@ void ftrace_likely_update(struct ftrace_
57880  # define __attribute_const__   /* unimplemented */
57881  #endif
57882  
57883 +#ifndef __no_const
57884 +# define __no_const
57885 +#endif
57886 +
57887 +#ifndef __do_const
57888 +# define __do_const
57889 +#endif
57890 +
57891  /*
57892   * Tell gcc if a function is cold. The compiler will assume any path
57893   * directly leading to the call is unlikely.
57894 @@ -273,6 +314,22 @@ void ftrace_likely_update(struct ftrace_
57895  #define __cold
57896  #endif
57897  
57898 +#ifndef __alloc_size
57899 +#define __alloc_size(...)
57900 +#endif
57901 +
57902 +#ifndef __bos
57903 +#define __bos(ptr, arg)
57904 +#endif
57905 +
57906 +#ifndef __bos0
57907 +#define __bos0(ptr)
57908 +#endif
57909 +
57910 +#ifndef __bos1
57911 +#define __bos1(ptr)
57912 +#endif
57913 +
57914  /* Simple shorthand for a section definition */
57915  #ifndef __section
57916  # define __section(S) __attribute__ ((__section__(#S)))
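Review bot: The fallback `#define __bos(ptr, arg)` (and `__bos0`/`__bos1`) expands to nothing, whereas the gcc4 definition expands to a `__builtin_object_size()` expression; any use of `__bos*()` in expression context therefore fails to compile on a compiler that does not take the gcc4 path, unlike `__alloc_size`, which is attribute-only and can safely vanish. If the later hunks use `__bos0`/`__bos1` in expressions, the fallbacks should return the builtin's "unknown" result instead, e.g. `#define __bos0(ptr) ((size_t)-1)` and `#define __bos1(ptr) ((size_t)-1)`; if they are only ever used under a config guard, a comment saying so here would justify the empty expansion.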
57917 @@ -306,6 +363,7 @@ void ftrace_likely_update(struct ftrace_
57918   * use is to mediate communication between process-level code and irq/NMI
57919   * handlers, all running on the same CPU.
57920   */
57921 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
57922 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
57923 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
57924  
57925  #endif /* __LINUX_COMPILER_H */
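Review bot: Making `ACCESS_ONCE(x)` dereference a `volatile const` pointer turns every existing `ACCESS_ONCE(x) = v` into a compile error ("assignment of read-only location"), which is presumably intended and paired with the new `ACCESS_ONCE_RW`, but the explanatory comment above (its start is outside the hunk) still describes `ACCESS_ONCE` as the generic accessor. Extend that comment so the split is documented where readers look for it: `/* ACCESS_ONCE() is read-only; stores must use ACCESS_ONCE_RW(), which keeps the original semantics. */`. Callers elsewhere in the tree that store through `ACCESS_ONCE` need converting, which this hunk cannot show.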
57926 diff -urNp linux-3.0.9/include/linux/crypto.h linux-3.0.9/include/linux/crypto.h
57927 --- linux-3.0.9/include/linux/crypto.h  2011-11-11 13:12:24.000000000 -0500
57928 +++ linux-3.0.9/include/linux/crypto.h  2011-11-15 20:02:59.000000000 -0500
57929 @@ -361,7 +361,7 @@ struct cipher_tfm {
57930                           const u8 *key, unsigned int keylen);
57931         void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57932         void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57933 -};
57934 +} __no_const;
57935  
57936  struct hash_tfm {
57937         int (*init)(struct hash_desc *desc);
57938 @@ -382,13 +382,13 @@ struct compress_tfm {
57939         int (*cot_decompress)(struct crypto_tfm *tfm,
57940                               const u8 *src, unsigned int slen,
57941                               u8 *dst, unsigned int *dlen);
57942 -};
57943 +} __no_const;
57944  
57945  struct rng_tfm {
57946         int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
57947                               unsigned int dlen);
57948         int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
57949 -};
57950 +} __no_const;
57951  
57952  #define crt_ablkcipher crt_u.ablkcipher
57953  #define crt_aead       crt_u.aead
57954 diff -urNp linux-3.0.9/include/linux/decompress/mm.h linux-3.0.9/include/linux/decompress/mm.h
57955 --- linux-3.0.9/include/linux/decompress/mm.h   2011-11-11 13:12:24.000000000 -0500
57956 +++ linux-3.0.9/include/linux/decompress/mm.h   2011-11-15 20:02:59.000000000 -0500
57957 @@ -77,7 +77,7 @@ static void free(void *where)
57958   * warnings when not needed (indeed large_malloc / large_free are not
57959   * needed by inflate */
57960  
57961 -#define malloc(a) kmalloc(a, GFP_KERNEL)
57962 +#define malloc(a) kmalloc((a), GFP_KERNEL)
57963  #define free(a) kfree(a)
57964  
57965  #define large_malloc(a) vmalloc(a)
57966 diff -urNp linux-3.0.9/include/linux/dma-mapping.h linux-3.0.9/include/linux/dma-mapping.h
57967 --- linux-3.0.9/include/linux/dma-mapping.h     2011-11-11 13:12:24.000000000 -0500
57968 +++ linux-3.0.9/include/linux/dma-mapping.h     2011-11-15 20:02:59.000000000 -0500
57969 @@ -50,7 +50,7 @@ struct dma_map_ops {
57970         int (*dma_supported)(struct device *dev, u64 mask);
57971         int (*set_dma_mask)(struct device *dev, u64 mask);
57972         int is_phys;
57973 -};
57974 +} __do_const;
57975  
57976  #define DMA_BIT_MASK(n)        (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
57977  
57978 diff -urNp linux-3.0.9/include/linux/efi.h linux-3.0.9/include/linux/efi.h
57979 --- linux-3.0.9/include/linux/efi.h     2011-11-11 13:12:24.000000000 -0500
57980 +++ linux-3.0.9/include/linux/efi.h     2011-11-15 20:02:59.000000000 -0500
57981 @@ -410,7 +410,7 @@ struct efivar_operations {
57982         efi_get_variable_t *get_variable;
57983         efi_get_next_variable_t *get_next_variable;
57984         efi_set_variable_t *set_variable;
57985 -};
57986 +} __no_const;
57987  
57988  struct efivars {
57989         /*
57990 diff -urNp linux-3.0.9/include/linux/elf.h linux-3.0.9/include/linux/elf.h
57991 --- linux-3.0.9/include/linux/elf.h     2011-11-11 13:12:24.000000000 -0500
57992 +++ linux-3.0.9/include/linux/elf.h     2011-11-15 20:03:00.000000000 -0500
57993 @@ -49,6 +49,17 @@ typedef __s64        Elf64_Sxword;
57994  #define PT_GNU_EH_FRAME                0x6474e550
57995  
57996  #define PT_GNU_STACK   (PT_LOOS + 0x474e551)
57997 +#define PT_GNU_RELRO   (PT_LOOS + 0x474e552)
57998 +
57999 +#define PT_PAX_FLAGS   (PT_LOOS + 0x5041580)
58000 +
58001 +/* Constants for the e_flags field */
58002 +#define EF_PAX_PAGEEXEC                1       /* Paging based non-executable pages */
58003 +#define EF_PAX_EMUTRAMP                2       /* Emulate trampolines */
58004 +#define EF_PAX_MPROTECT                4       /* Restrict mprotect() */
58005 +#define EF_PAX_RANDMMAP                8       /* Randomize mmap() base */
58006 +/*#define EF_PAX_RANDEXEC              16*/    /* Randomize ET_EXEC base */
58007 +#define EF_PAX_SEGMEXEC                32      /* Segmentation based non-executable pages */
58008  
58009  /*
58010   * Extended Numbering
58011 @@ -106,6 +117,8 @@ typedef __s64       Elf64_Sxword;
58012  #define DT_DEBUG       21
58013  #define DT_TEXTREL     22
58014  #define DT_JMPREL      23
58015 +#define DT_FLAGS       30
58016 +  #define DF_TEXTREL  0x00000004
58017  #define DT_ENCODING    32
58018  #define OLD_DT_LOOS    0x60000000
58019  #define DT_LOOS                0x6000000d
58020 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
58021  #define PF_W           0x2
58022  #define PF_X           0x1
58023  
58024 +#define PF_PAGEEXEC    (1U << 4)       /* Enable  PAGEEXEC */
58025 +#define PF_NOPAGEEXEC  (1U << 5)       /* Disable PAGEEXEC */
58026 +#define PF_SEGMEXEC    (1U << 6)       /* Enable  SEGMEXEC */
58027 +#define PF_NOSEGMEXEC  (1U << 7)       /* Disable SEGMEXEC */
58028 +#define PF_MPROTECT    (1U << 8)       /* Enable  MPROTECT */
58029 +#define PF_NOMPROTECT  (1U << 9)       /* Disable MPROTECT */
58030 +/*#define PF_RANDEXEC  (1U << 10)*/    /* Enable  RANDEXEC */
58031 +/*#define PF_NORANDEXEC        (1U << 11)*/    /* Disable RANDEXEC */
58032 +#define PF_EMUTRAMP    (1U << 12)      /* Enable  EMUTRAMP */
58033 +#define PF_NOEMUTRAMP  (1U << 13)      /* Disable EMUTRAMP */
58034 +#define PF_RANDMMAP    (1U << 14)      /* Enable  RANDMMAP */
58035 +#define PF_NORANDMMAP  (1U << 15)      /* Disable RANDMMAP */
58036 +
58037  typedef struct elf32_phdr{
58038    Elf32_Word   p_type;
58039    Elf32_Off    p_offset;
58040 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
58041  #define        EI_OSABI        7
58042  #define        EI_PAD          8
58043  
58044 +#define        EI_PAX          14
58045 +
58046  #define        ELFMAG0         0x7f            /* EI_MAG */
58047  #define        ELFMAG1         'E'
58048  #define        ELFMAG2         'L'
58049 @@ -422,6 +450,7 @@ extern Elf32_Dyn _DYNAMIC [];
58050  #define elf_note       elf32_note
58051  #define elf_addr_t     Elf32_Off
58052  #define Elf_Half       Elf32_Half
58053 +#define elf_dyn                Elf32_Dyn
58054  
58055  #else
58056  
58057 @@ -432,6 +461,7 @@ extern Elf64_Dyn _DYNAMIC [];
58058  #define elf_note       elf64_note
58059  #define elf_addr_t     Elf64_Off
58060  #define Elf_Half       Elf64_Half
58061 +#define elf_dyn                Elf64_Dyn
58062  
58063  #endif
58064  
58065 diff -urNp linux-3.0.9/include/linux/firewire.h linux-3.0.9/include/linux/firewire.h
58066 --- linux-3.0.9/include/linux/firewire.h        2011-11-11 13:12:24.000000000 -0500
58067 +++ linux-3.0.9/include/linux/firewire.h        2011-11-15 20:03:00.000000000 -0500
58068 @@ -428,7 +428,7 @@ struct fw_iso_context {
58069         union {
58070                 fw_iso_callback_t sc;
58071                 fw_iso_mc_callback_t mc;
58072 -       } callback;
58073 +       } __no_const callback;
58074         void *callback_data;
58075  };
58076  
58077 diff -urNp linux-3.0.9/include/linux/fscache-cache.h linux-3.0.9/include/linux/fscache-cache.h
58078 --- linux-3.0.9/include/linux/fscache-cache.h   2011-11-11 13:12:24.000000000 -0500
58079 +++ linux-3.0.9/include/linux/fscache-cache.h   2011-11-15 20:03:00.000000000 -0500
58080 @@ -102,7 +102,7 @@ struct fscache_operation {
58081         fscache_operation_release_t release;
58082  };
58083  
58084 -extern atomic_t fscache_op_debug_id;
58085 +extern atomic_unchecked_t fscache_op_debug_id;
58086  extern void fscache_op_work_func(struct work_struct *work);
58087  
58088  extern void fscache_enqueue_operation(struct fscache_operation *);
58089 @@ -122,7 +122,7 @@ static inline void fscache_operation_ini
58090  {
58091         INIT_WORK(&op->work, fscache_op_work_func);
58092         atomic_set(&op->usage, 1);
58093 -       op->debug_id = atomic_inc_return(&fscache_op_debug_id);
58094 +       op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
58095         op->processor = processor;
58096         op->release = release;
58097         INIT_LIST_HEAD(&op->pend_link);
58098 diff -urNp linux-3.0.9/include/linux/fs.h linux-3.0.9/include/linux/fs.h
58099 --- linux-3.0.9/include/linux/fs.h      2011-11-11 13:12:24.000000000 -0500
58100 +++ linux-3.0.9/include/linux/fs.h      2011-11-15 20:03:00.000000000 -0500
58101 @@ -109,6 +109,11 @@ struct inodes_stat_t {
58102  /* File was opened by fanotify and shouldn't generate fanotify events */
58103  #define FMODE_NONOTIFY         ((__force fmode_t)0x1000000)
58104  
58105 +/* Hack for grsec so as not to require read permission simply to execute
58106 + * a binary
58107 + */
58108 +#define FMODE_GREXEC           ((__force fmode_t)0x2000000)
58109 +
58110  /*
58111   * The below are the various read and write types that we support. Some of
58112   * them include behavioral modifiers that send information down to the
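Review bot: The comment on `FMODE_GREXEC` says what the flag is for but not who may set it, and for an fmode bit that, per the comment, lets a file be opened without read permission that is the important part. It should be stated as kernel-internal: `/* Kernel-internal: set only by the exec path so a binary can be opened without read permission; must never be derived from user-supplied open flags. */`. Whether the resulting `struct file` can reach userspace with this bit in `f_mode` is decided by code outside this hunk and is worth checking.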
58113 @@ -1571,7 +1576,8 @@ struct file_operations {
58114         int (*setlease)(struct file *, long, struct file_lock **);
58115         long (*fallocate)(struct file *file, int mode, loff_t offset,
58116                           loff_t len);
58117 -};
58118 +} __do_const;
58119 +typedef struct file_operations __no_const file_operations_no_const;
58120  
58121  #define IPERM_FLAG_RCU 0x0001
58122  
58123 diff -urNp linux-3.0.9/include/linux/fsnotify.h linux-3.0.9/include/linux/fsnotify.h
58124 --- linux-3.0.9/include/linux/fsnotify.h        2011-11-11 13:12:24.000000000 -0500
58125 +++ linux-3.0.9/include/linux/fsnotify.h        2011-11-15 20:03:00.000000000 -0500
58126 @@ -314,7 +314,7 @@ static inline void fsnotify_change(struc
58127   */
58128  static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
58129  {
58130 -       return kstrdup(name, GFP_KERNEL);
58131 +       return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
58132  }
58133  
58134  /*
58135 diff -urNp linux-3.0.9/include/linux/fs_struct.h linux-3.0.9/include/linux/fs_struct.h
58136 --- linux-3.0.9/include/linux/fs_struct.h       2011-11-11 13:12:24.000000000 -0500
58137 +++ linux-3.0.9/include/linux/fs_struct.h       2011-11-15 20:03:00.000000000 -0500
58138 @@ -6,7 +6,7 @@
58139  #include <linux/seqlock.h>
58140  
58141  struct fs_struct {
58142 -       int users;
58143 +       atomic_t users;
58144         spinlock_t lock;
58145         seqcount_t seq;
58146         int umask;
58147 diff -urNp linux-3.0.9/include/linux/ftrace_event.h linux-3.0.9/include/linux/ftrace_event.h
58148 --- linux-3.0.9/include/linux/ftrace_event.h    2011-11-11 13:12:24.000000000 -0500
58149 +++ linux-3.0.9/include/linux/ftrace_event.h    2011-11-15 20:03:00.000000000 -0500
58150 @@ -96,7 +96,7 @@ struct trace_event_functions {
58151         trace_print_func        raw;
58152         trace_print_func        hex;
58153         trace_print_func        binary;
58154 -};
58155 +} __no_const;
58156  
58157  struct trace_event {
58158         struct hlist_node               node;
58159 @@ -247,7 +247,7 @@ extern int trace_define_field(struct ftr
58160  extern int trace_add_event_call(struct ftrace_event_call *call);
58161  extern void trace_remove_event_call(struct ftrace_event_call *call);
58162  
58163 -#define is_signed_type(type)   (((type)(-1)) < 0)
58164 +#define is_signed_type(type)   (((type)(-1)) < (type)1)
58165  
58166  int trace_set_clr_event(const char *system, const char *event, int set);
58167  
58168 diff -urNp linux-3.0.9/include/linux/genhd.h linux-3.0.9/include/linux/genhd.h
58169 --- linux-3.0.9/include/linux/genhd.h   2011-11-11 13:12:24.000000000 -0500
58170 +++ linux-3.0.9/include/linux/genhd.h   2011-11-15 20:03:00.000000000 -0500
58171 @@ -184,7 +184,7 @@ struct gendisk {
58172         struct kobject *slave_dir;
58173  
58174         struct timer_rand_state *random;
58175 -       atomic_t sync_io;               /* RAID */
58176 +       atomic_unchecked_t sync_io;     /* RAID */
58177         struct disk_events *ev;
58178  #ifdef  CONFIG_BLK_DEV_INTEGRITY
58179         struct blk_integrity *integrity;
58180 diff -urNp linux-3.0.9/include/linux/gracl.h linux-3.0.9/include/linux/gracl.h
58181 --- linux-3.0.9/include/linux/gracl.h   1969-12-31 19:00:00.000000000 -0500
58182 +++ linux-3.0.9/include/linux/gracl.h   2011-11-15 20:03:00.000000000 -0500
58183 @@ -0,0 +1,317 @@
58184 +#ifndef GR_ACL_H
58185 +#define GR_ACL_H
58186 +
58187 +#include <linux/grdefs.h>
58188 +#include <linux/resource.h>
58189 +#include <linux/capability.h>
58190 +#include <linux/dcache.h>
58191 +#include <asm/resource.h>
58192 +
58193 +/* Major status information */
58194 +
58195 +#define GR_VERSION  "grsecurity 2.2.2"
58196 +#define GRSECURITY_VERSION 0x2202
58197 +
58198 +enum {
58199 +       GR_SHUTDOWN = 0,
58200 +       GR_ENABLE = 1,
58201 +       GR_SPROLE = 2,
58202 +       GR_RELOAD = 3,
58203 +       GR_SEGVMOD = 4,
58204 +       GR_STATUS = 5,
58205 +       GR_UNSPROLE = 6,
58206 +       GR_PASSSET = 7,
58207 +       GR_SPROLEPAM = 8,
58208 +};
58209 +
58210 +/* Password setup definitions
58211 + * kernel/grhash.c */
58212 +enum {
58213 +       GR_PW_LEN = 128,
58214 +       GR_SALT_LEN = 16,
58215 +       GR_SHA_LEN = 32,
58216 +};
58217 +
58218 +enum {
58219 +       GR_SPROLE_LEN = 64,
58220 +};
58221 +
58222 +enum {
58223 +       GR_NO_GLOB = 0,
58224 +       GR_REG_GLOB,
58225 +       GR_CREATE_GLOB
58226 +};
58227 +
58228 +#define GR_NLIMITS 32
58229 +
58230 +/* Begin Data Structures */
58231 +
58232 +struct sprole_pw {
58233 +       unsigned char *rolename;
58234 +       unsigned char salt[GR_SALT_LEN];
58235 +       unsigned char sum[GR_SHA_LEN];  /* 256-bit SHA hash of the password */
58236 +};
58237 +
58238 +struct name_entry {
58239 +       __u32 key;
58240 +       ino_t inode;
58241 +       dev_t device;
58242 +       char *name;
58243 +       __u16 len;
58244 +       __u8 deleted;
58245 +       struct name_entry *prev;
58246 +       struct name_entry *next;
58247 +};
58248 +
58249 +struct inodev_entry {
58250 +       struct name_entry *nentry;
58251 +       struct inodev_entry *prev;
58252 +       struct inodev_entry *next;
58253 +};
58254 +
58255 +struct acl_role_db {
58256 +       struct acl_role_label **r_hash;
58257 +       __u32 r_size;
58258 +};
58259 +
58260 +struct inodev_db {
58261 +       struct inodev_entry **i_hash;
58262 +       __u32 i_size;
58263 +};
58264 +
58265 +struct name_db {
58266 +       struct name_entry **n_hash;
58267 +       __u32 n_size;
58268 +};
58269 +
58270 +struct crash_uid {
58271 +       uid_t uid;
58272 +       unsigned long expires;
58273 +};
58274 +
58275 +struct gr_hash_struct {
58276 +       void **table;
58277 +       void **nametable;
58278 +       void *first;
58279 +       __u32 table_size;
58280 +       __u32 used_size;
58281 +       int type;
58282 +};
58283 +
58284 +/* Userspace Grsecurity ACL data structures */
58285 +
58286 +struct acl_subject_label {
58287 +       char *filename;
58288 +       ino_t inode;
58289 +       dev_t device;
58290 +       __u32 mode;
58291 +       kernel_cap_t cap_mask;
58292 +       kernel_cap_t cap_lower;
58293 +       kernel_cap_t cap_invert_audit;
58294 +
58295 +       struct rlimit res[GR_NLIMITS];
58296 +       __u32 resmask;
58297 +
58298 +       __u8 user_trans_type;
58299 +       __u8 group_trans_type;
58300 +       uid_t *user_transitions;
58301 +       gid_t *group_transitions;
58302 +       __u16 user_trans_num;
58303 +       __u16 group_trans_num;
58304 +
58305 +       __u32 sock_families[2];
58306 +       __u32 ip_proto[8];
58307 +       __u32 ip_type;
58308 +       struct acl_ip_label **ips;
58309 +       __u32 ip_num;
58310 +       __u32 inaddr_any_override;
58311 +
58312 +       __u32 crashes;
58313 +       unsigned long expires;
58314 +
58315 +       struct acl_subject_label *parent_subject;
58316 +       struct gr_hash_struct *hash;
58317 +       struct acl_subject_label *prev;
58318 +       struct acl_subject_label *next;
58319 +
58320 +       struct acl_object_label **obj_hash;
58321 +       __u32 obj_hash_size;
58322 +       __u16 pax_flags;
58323 +};
58324 +
58325 +struct role_allowed_ip {
58326 +       __u32 addr;
58327 +       __u32 netmask;
58328 +
58329 +       struct role_allowed_ip *prev;
58330 +       struct role_allowed_ip *next;
58331 +};
58332 +
58333 +struct role_transition {
58334 +       char *rolename;
58335 +
58336 +       struct role_transition *prev;
58337 +       struct role_transition *next;
58338 +};
58339 +
58340 +struct acl_role_label {
58341 +       char *rolename;
58342 +       uid_t uidgid;
58343 +       __u16 roletype;
58344 +
58345 +       __u16 auth_attempts;
58346 +       unsigned long expires;
58347 +
58348 +       struct acl_subject_label *root_label;
58349 +       struct gr_hash_struct *hash;
58350 +
58351 +       struct acl_role_label *prev;
58352 +       struct acl_role_label *next;
58353 +
58354 +       struct role_transition *transitions;
58355 +       struct role_allowed_ip *allowed_ips;
58356 +       uid_t *domain_children;
58357 +       __u16 domain_child_num;
58358 +
58359 +       struct acl_subject_label **subj_hash;
58360 +       __u32 subj_hash_size;
58361 +};
58362 +
58363 +struct user_acl_role_db {
58364 +       struct acl_role_label **r_table;
58365 +       __u32 num_pointers;             /* Number of allocations to track */
58366 +       __u32 num_roles;                /* Number of roles */
58367 +       __u32 num_domain_children;      /* Number of domain children */
58368 +       __u32 num_subjects;             /* Number of subjects */
58369 +       __u32 num_objects;              /* Number of objects */
58370 +};
58371 +
58372 +struct acl_object_label {
58373 +       char *filename;
58374 +       ino_t inode;
58375 +       dev_t device;
58376 +       __u32 mode;
58377 +
58378 +       struct acl_subject_label *nested;
58379 +       struct acl_object_label *globbed;
58380 +
58381 +       /* next two structures not used */
58382 +
58383 +       struct acl_object_label *prev;
58384 +       struct acl_object_label *next;
58385 +};
58386 +
58387 +struct acl_ip_label {
58388 +       char *iface;
58389 +       __u32 addr;
58390 +       __u32 netmask;
58391 +       __u16 low, high;
58392 +       __u8 mode;
58393 +       __u32 type;
58394 +       __u32 proto[8];
58395 +
58396 +       /* next two structures not used */
58397 +
58398 +       struct acl_ip_label *prev;
58399 +       struct acl_ip_label *next;
58400 +};
58401 +
58402 +struct gr_arg {
58403 +       struct user_acl_role_db role_db;
58404 +       unsigned char pw[GR_PW_LEN];
58405 +       unsigned char salt[GR_SALT_LEN];
58406 +       unsigned char sum[GR_SHA_LEN];
58407 +       unsigned char sp_role[GR_SPROLE_LEN];
58408 +       struct sprole_pw *sprole_pws;
58409 +       dev_t segv_device;
58410 +       ino_t segv_inode;
58411 +       uid_t segv_uid;
58412 +       __u16 num_sprole_pws;
58413 +       __u16 mode;
58414 +};
58415 +
58416 +struct gr_arg_wrapper {
58417 +       struct gr_arg *arg;
58418 +       __u32 version;
58419 +       __u32 size;
58420 +};
58421 +
58422 +struct subject_map {
58423 +       struct acl_subject_label *user;
58424 +       struct acl_subject_label *kernel;
58425 +       struct subject_map *prev;
58426 +       struct subject_map *next;
58427 +};
58428 +
58429 +struct acl_subj_map_db {
58430 +       struct subject_map **s_hash;
58431 +       __u32 s_size;
58432 +};
58433 +
58434 +/* End Data Structures Section */
58435 +
58436 +/* Hash functions generated by empirical testing by Brad Spengler
58437 +   Makes good use of the low bits of the inode.  Generally 0-1 times
58438 +   in loop for successful match.  0-3 for unsuccessful match.
58439 +   Shift/add algorithm with modulus of table size and an XOR*/
58440 +
58441 +static __inline__ unsigned int
58442 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
58443 +{
58444 +       return ((((uid + type) << (16 + type)) ^ uid) % sz);
58445 +}
58446 +
58447 + static __inline__ unsigned int
58448 +shash(const struct acl_subject_label *userp, const unsigned int sz)
58449 +{
58450 +       return ((const unsigned long)userp % sz);
58451 +}
58452 +
58453 +static __inline__ unsigned int
58454 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
58455 +{
58456 +       return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
58457 +}
58458 +
58459 +static __inline__ unsigned int
58460 +nhash(const char *name, const __u16 len, const unsigned int sz)
58461 +{
58462 +       return full_name_hash((const unsigned char *)name, len) % sz;
58463 +}
58464 +
58465 +#define FOR_EACH_ROLE_START(role) \
58466 +       role = role_list; \
58467 +       while (role) {
58468 +
58469 +#define FOR_EACH_ROLE_END(role) \
58470 +               role = role->prev; \
58471 +       }
58472 +
58473 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
58474 +       subj = NULL; \
58475 +       iter = 0; \
58476 +       while (iter < role->subj_hash_size) { \
58477 +               if (subj == NULL) \
58478 +                       subj = role->subj_hash[iter]; \
58479 +               if (subj == NULL) { \
58480 +                       iter++; \
58481 +                       continue; \
58482 +               }
58483 +
58484 +#define FOR_EACH_SUBJECT_END(subj,iter) \
58485 +               subj = subj->next; \
58486 +               if (subj == NULL) \
58487 +                       iter++; \
58488 +       }
58489 +
58490 +
58491 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
58492 +       subj = role->hash->first; \
58493 +       while (subj != NULL) {
58494 +
58495 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
58496 +               subj = subj->next; \
58497 +       }
58498 +
58499 +#endif
58500 +
58501 diff -urNp linux-3.0.9/include/linux/gralloc.h linux-3.0.9/include/linux/gralloc.h
58502 --- linux-3.0.9/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
58503 +++ linux-3.0.9/include/linux/gralloc.h 2011-11-15 20:03:00.000000000 -0500
58504 @@ -0,0 +1,9 @@
58505 +#ifndef __GRALLOC_H
58506 +#define __GRALLOC_H
58507 +
58508 +void acl_free_all(void);
58509 +int acl_alloc_stack_init(unsigned long size);
58510 +void *acl_alloc(unsigned long len);
58511 +void *acl_alloc_num(unsigned long num, unsigned long len);
58512 +
58513 +#endif
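Review bot: The four prototypes in this new header say nothing about ownership or lifetime of the memory `acl_alloc()` and `acl_alloc_num()` hand back, and the names suggest (not visible here) that it is reclaimed only in bulk by `acl_free_all()` rather than per pointer. A short contract comment above them would save every caller from guessing, e.g. `/* Bump allocator for the ACL load path: acl_alloc_stack_init() sizes it, acl_alloc()/acl_alloc_num() hand out blocks that are never freed individually, acl_free_all() releases everything. */`. It would also be worth stating whether `acl_alloc_num()` guards the `num * len` product against overflow and whether returned memory is zeroed, since ACL structures are filled from user-supplied data.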
58514 diff -urNp linux-3.0.9/include/linux/grdefs.h linux-3.0.9/include/linux/grdefs.h
58515 --- linux-3.0.9/include/linux/grdefs.h  1969-12-31 19:00:00.000000000 -0500
58516 +++ linux-3.0.9/include/linux/grdefs.h  2011-11-15 20:03:00.000000000 -0500
58517 @@ -0,0 +1,140 @@
58518 +#ifndef GRDEFS_H
58519 +#define GRDEFS_H
58520 +
58521 +/* Begin grsecurity status declarations */
58522 +
58523 +enum {
58524 +       GR_READY = 0x01,
58525 +       GR_STATUS_INIT = 0x00   // disabled state
58526 +};
58527 +
58528 +/* Begin  ACL declarations */
58529 +
58530 +/* Role flags */
58531 +
58532 +enum {
58533 +       GR_ROLE_USER = 0x0001,
58534 +       GR_ROLE_GROUP = 0x0002,
58535 +       GR_ROLE_DEFAULT = 0x0004,
58536 +       GR_ROLE_SPECIAL = 0x0008,
58537 +       GR_ROLE_AUTH = 0x0010,
58538 +       GR_ROLE_NOPW = 0x0020,
58539 +       GR_ROLE_GOD = 0x0040,
58540 +       GR_ROLE_LEARN = 0x0080,
58541 +       GR_ROLE_TPE = 0x0100,
58542 +       GR_ROLE_DOMAIN = 0x0200,
58543 +       GR_ROLE_PAM = 0x0400,
58544 +       GR_ROLE_PERSIST = 0x0800
58545 +};
58546 +
58547 +/* ACL Subject and Object mode flags */
58548 +enum {
58549 +       GR_DELETED = 0x80000000
58550 +};
58551 +
58552 +/* ACL Object-only mode flags */
58553 +enum {
58554 +       GR_READ         = 0x00000001,
58555 +       GR_APPEND       = 0x00000002,
58556 +       GR_WRITE        = 0x00000004,
58557 +       GR_EXEC         = 0x00000008,
58558 +       GR_FIND         = 0x00000010,
58559 +       GR_INHERIT      = 0x00000020,
58560 +       GR_SETID        = 0x00000040,
58561 +       GR_CREATE       = 0x00000080,
58562 +       GR_DELETE       = 0x00000100,
58563 +       GR_LINK         = 0x00000200,
58564 +       GR_AUDIT_READ   = 0x00000400,
58565 +       GR_AUDIT_APPEND = 0x00000800,
58566 +       GR_AUDIT_WRITE  = 0x00001000,
58567 +       GR_AUDIT_EXEC   = 0x00002000,
58568 +       GR_AUDIT_FIND   = 0x00004000,
58569 +       GR_AUDIT_INHERIT= 0x00008000,
58570 +       GR_AUDIT_SETID  = 0x00010000,
58571 +       GR_AUDIT_CREATE = 0x00020000,
58572 +       GR_AUDIT_DELETE = 0x00040000,
58573 +       GR_AUDIT_LINK   = 0x00080000,
58574 +       GR_PTRACERD     = 0x00100000,
58575 +       GR_NOPTRACE     = 0x00200000,
58576 +       GR_SUPPRESS     = 0x00400000,
58577 +       GR_NOLEARN      = 0x00800000,
58578 +       GR_INIT_TRANSFER= 0x01000000
58579 +};
58580 +
58581 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
58582 +                  GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
58583 +                  GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
58584 +
58585 +/* ACL subject-only mode flags */
58586 +enum {
58587 +       GR_KILL         = 0x00000001,
58588 +       GR_VIEW         = 0x00000002,
58589 +       GR_PROTECTED    = 0x00000004,
58590 +       GR_LEARN        = 0x00000008,
58591 +       GR_OVERRIDE     = 0x00000010,
58592 +       /* just a placeholder, this mode is only used in userspace */
58593 +       GR_DUMMY        = 0x00000020,
58594 +       GR_PROTSHM      = 0x00000040,
58595 +       GR_KILLPROC     = 0x00000080,
58596 +       GR_KILLIPPROC   = 0x00000100,
58597 +       /* just a placeholder, this mode is only used in userspace */
58598 +       GR_NOTROJAN     = 0x00000200,
58599 +       GR_PROTPROCFD   = 0x00000400,
58600 +       GR_PROCACCT     = 0x00000800,
58601 +       GR_RELAXPTRACE  = 0x00001000,
58602 +       GR_NESTED       = 0x00002000,
58603 +       GR_INHERITLEARN = 0x00004000,
58604 +       GR_PROCFIND     = 0x00008000,
58605 +       GR_POVERRIDE    = 0x00010000,
58606 +       GR_KERNELAUTH   = 0x00020000,
58607 +       GR_ATSECURE     = 0x00040000,
58608 +       GR_SHMEXEC      = 0x00080000
58609 +};
58610 +
58611 +enum {
58612 +       GR_PAX_ENABLE_SEGMEXEC  = 0x0001,
58613 +       GR_PAX_ENABLE_PAGEEXEC  = 0x0002,
58614 +       GR_PAX_ENABLE_MPROTECT  = 0x0004,
58615 +       GR_PAX_ENABLE_RANDMMAP  = 0x0008,
58616 +       GR_PAX_ENABLE_EMUTRAMP  = 0x0010,
58617 +       GR_PAX_DISABLE_SEGMEXEC = 0x0100,
58618 +       GR_PAX_DISABLE_PAGEEXEC = 0x0200,
58619 +       GR_PAX_DISABLE_MPROTECT = 0x0400,
58620 +       GR_PAX_DISABLE_RANDMMAP = 0x0800,
58621 +       GR_PAX_DISABLE_EMUTRAMP = 0x1000,
58622 +};
58623 +
58624 +enum {
58625 +       GR_ID_USER      = 0x01,
58626 +       GR_ID_GROUP     = 0x02,
58627 +};
58628 +
58629 +enum {
58630 +       GR_ID_ALLOW     = 0x01,
58631 +       GR_ID_DENY      = 0x02,
58632 +};
58633 +
58634 +#define GR_CRASH_RES   31
58635 +#define GR_UIDTABLE_MAX 500
58636 +
58637 +/* begin resource learning section */
58638 +enum {
58639 +       GR_RLIM_CPU_BUMP = 60,
58640 +       GR_RLIM_FSIZE_BUMP = 50000,
58641 +       GR_RLIM_DATA_BUMP = 10000,
58642 +       GR_RLIM_STACK_BUMP = 1000,
58643 +       GR_RLIM_CORE_BUMP = 10000,
58644 +       GR_RLIM_RSS_BUMP = 500000,
58645 +       GR_RLIM_NPROC_BUMP = 1,
58646 +       GR_RLIM_NOFILE_BUMP = 5,
58647 +       GR_RLIM_MEMLOCK_BUMP = 50000,
58648 +       GR_RLIM_AS_BUMP = 500000,
58649 +       GR_RLIM_LOCKS_BUMP = 2,
58650 +       GR_RLIM_SIGPENDING_BUMP = 5,
58651 +       GR_RLIM_MSGQUEUE_BUMP = 10000,
58652 +       GR_RLIM_NICE_BUMP = 1,
58653 +       GR_RLIM_RTPRIO_BUMP = 1,
58654 +       GR_RLIM_RTTIME_BUMP = 1000000
58655 +};
58656 +
58657 +#endif
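Review bot: `GR_DELETED = 0x80000000` in the enum at L58551–L58553 is not representable as `int`, which C99 6.7.2.2 requires of an enumerator value; GCC accepts it as an extension and gives the constant unsigned type, so comparisons and `~GR_DELETED` masks behave differently from the other mode flags in this file. Since the field it is OR'ed into is the `__u32 mode` declared earlier in gracl.h, an explicitly typed macro is the portable spelling: `#define GR_DELETED 0x80000000U`. The two bare `#define`s `GR_CRASH_RES` and `GR_UIDTABLE_MAX` are the opposite case and would read better as enumerators next to the other integer constants, but that is a style nit.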
58658 diff -urNp linux-3.0.9/include/linux/grinternal.h linux-3.0.9/include/linux/grinternal.h
58659 --- linux-3.0.9/include/linux/grinternal.h      1969-12-31 19:00:00.000000000 -0500
58660 +++ linux-3.0.9/include/linux/grinternal.h      2011-11-15 20:03:00.000000000 -0500
58661 @@ -0,0 +1,220 @@
58662 +#ifndef __GRINTERNAL_H
58663 +#define __GRINTERNAL_H
58664 +
58665 +#ifdef CONFIG_GRKERNSEC
58666 +
58667 +#include <linux/fs.h>
58668 +#include <linux/mnt_namespace.h>
58669 +#include <linux/nsproxy.h>
58670 +#include <linux/gracl.h>
58671 +#include <linux/grdefs.h>
58672 +#include <linux/grmsg.h>
58673 +
58674 +void gr_add_learn_entry(const char *fmt, ...)
58675 +       __attribute__ ((format (printf, 1, 2)));
58676 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
58677 +                           const struct vfsmount *mnt);
58678 +__u32 gr_check_create(const struct dentry *new_dentry,
58679 +                            const struct dentry *parent,
58680 +                            const struct vfsmount *mnt, const __u32 mode);
58681 +int gr_check_protected_task(const struct task_struct *task);
58682 +__u32 to_gr_audit(const __u32 reqmode);
58683 +int gr_set_acls(const int type);
58684 +int gr_apply_subject_to_task(struct task_struct *task);
58685 +int gr_acl_is_enabled(void);
58686 +char gr_roletype_to_char(void);
58687 +
58688 +void gr_handle_alertkill(struct task_struct *task);
58689 +char *gr_to_filename(const struct dentry *dentry,
58690 +                           const struct vfsmount *mnt);
58691 +char *gr_to_filename1(const struct dentry *dentry,
58692 +                           const struct vfsmount *mnt);
58693 +char *gr_to_filename2(const struct dentry *dentry,
58694 +                           const struct vfsmount *mnt);
58695 +char *gr_to_filename3(const struct dentry *dentry,
58696 +                           const struct vfsmount *mnt);
58697 +
58698 +extern int grsec_enable_harden_ptrace;
58699 +extern int grsec_enable_link;
58700 +extern int grsec_enable_fifo;
58701 +extern int grsec_enable_execve;
58702 +extern int grsec_enable_shm;
58703 +extern int grsec_enable_execlog;
58704 +extern int grsec_enable_signal;
58705 +extern int grsec_enable_audit_ptrace;
58706 +extern int grsec_enable_forkfail;
58707 +extern int grsec_enable_time;
58708 +extern int grsec_enable_rofs;
58709 +extern int grsec_enable_chroot_shmat;
58710 +extern int grsec_enable_chroot_mount;
58711 +extern int grsec_enable_chroot_double;
58712 +extern int grsec_enable_chroot_pivot;
58713 +extern int grsec_enable_chroot_chdir;
58714 +extern int grsec_enable_chroot_chmod;
58715 +extern int grsec_enable_chroot_mknod;
58716 +extern int grsec_enable_chroot_fchdir;
58717 +extern int grsec_enable_chroot_nice;
58718 +extern int grsec_enable_chroot_execlog;
58719 +extern int grsec_enable_chroot_caps;
58720 +extern int grsec_enable_chroot_sysctl;
58721 +extern int grsec_enable_chroot_unix;
58722 +extern int grsec_enable_tpe;
58723 +extern int grsec_tpe_gid;
58724 +extern int grsec_enable_tpe_all;
58725 +extern int grsec_enable_tpe_invert;
58726 +extern int grsec_enable_socket_all;
58727 +extern int grsec_socket_all_gid;
58728 +extern int grsec_enable_socket_client;
58729 +extern int grsec_socket_client_gid;
58730 +extern int grsec_enable_socket_server;
58731 +extern int grsec_socket_server_gid;
58732 +extern int grsec_audit_gid;
58733 +extern int grsec_enable_group;
58734 +extern int grsec_enable_audit_textrel;
58735 +extern int grsec_enable_log_rwxmaps;
58736 +extern int grsec_enable_mount;
58737 +extern int grsec_enable_chdir;
58738 +extern int grsec_resource_logging;
58739 +extern int grsec_enable_blackhole;
58740 +extern int grsec_lastack_retries;
58741 +extern int grsec_enable_brute;
58742 +extern int grsec_lock;
58743 +
58744 +extern spinlock_t grsec_alert_lock;
58745 +extern unsigned long grsec_alert_wtime;
58746 +extern unsigned long grsec_alert_fyet;
58747 +
58748 +extern spinlock_t grsec_audit_lock;
58749 +
58750 +extern rwlock_t grsec_exec_file_lock;
58751 +
58752 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
58753 +                       gr_to_filename2((tsk)->exec_file->f_path.dentry, \
58754 +                       (tsk)->exec_file->f_vfsmnt) : "/")
58755 +
58756 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
58757 +                       gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
58758 +                       (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58759 +
58760 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
58761 +                       gr_to_filename((tsk)->exec_file->f_path.dentry, \
58762 +                       (tsk)->exec_file->f_vfsmnt) : "/")
58763 +
58764 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
58765 +                       gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
58766 +                       (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58767 +
58768 +#define proc_is_chrooted(tsk_a)  ((tsk_a)->gr_is_chrooted)
58769 +
58770 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
58771 +
58772 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
58773 +                      (task)->pid, (cred)->uid, \
58774 +                      (cred)->euid, (cred)->gid, (cred)->egid, \
58775 +                      gr_parent_task_fullpath(task), \
58776 +                      (task)->real_parent->comm, (task)->real_parent->pid, \
58777 +                      (pcred)->uid, (pcred)->euid, \
58778 +                      (pcred)->gid, (pcred)->egid
58779 +
58780 +#define GR_CHROOT_CAPS {{ \
58781 +       CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
58782 +       CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
58783 +       CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
58784 +       CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
58785 +       CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
58786 +       CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
58787 +       CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_MAC_ADMIN) }}
58788 +
58789 +#define security_learn(normal_msg,args...) \
58790 +({ \
58791 +       read_lock(&grsec_exec_file_lock); \
58792 +       gr_add_learn_entry(normal_msg "\n", ## args); \
58793 +       read_unlock(&grsec_exec_file_lock); \
58794 +})
58795 +
58796 +enum {
58797 +       GR_DO_AUDIT,
58798 +       GR_DONT_AUDIT,
58799 +       /* used for non-audit messages that we shouldn't kill the task on */
58800 +       GR_DONT_AUDIT_GOOD
58801 +};
58802 +
58803 +enum {
58804 +       GR_TTYSNIFF,
58805 +       GR_RBAC,
58806 +       GR_RBAC_STR,
58807 +       GR_STR_RBAC,
58808 +       GR_RBAC_MODE2,
58809 +       GR_RBAC_MODE3,
58810 +       GR_FILENAME,
58811 +       GR_SYSCTL_HIDDEN,
58812 +       GR_NOARGS,
58813 +       GR_ONE_INT,
58814 +       GR_ONE_INT_TWO_STR,
58815 +       GR_ONE_STR,
58816 +       GR_STR_INT,
58817 +       GR_TWO_STR_INT,
58818 +       GR_TWO_INT,
58819 +       GR_TWO_U64,
58820 +       GR_THREE_INT,
58821 +       GR_FIVE_INT_TWO_STR,
58822 +       GR_TWO_STR,
58823 +       GR_THREE_STR,
58824 +       GR_FOUR_STR,
58825 +       GR_STR_FILENAME,
58826 +       GR_FILENAME_STR,
58827 +       GR_FILENAME_TWO_INT,
58828 +       GR_FILENAME_TWO_INT_STR,
58829 +       GR_TEXTREL,
58830 +       GR_PTRACE,
58831 +       GR_RESOURCE,
58832 +       GR_CAP,
58833 +       GR_SIG,
58834 +       GR_SIG2,
58835 +       GR_CRASH1,
58836 +       GR_CRASH2,
58837 +       GR_PSACCT,
58838 +       GR_RWXMAP
58839 +};
58840 +
58841 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
58842 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
58843 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
58844 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
58845 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
58846 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
58847 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
58848 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
58849 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
58850 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
58851 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
58852 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
58853 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
58854 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
58855 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
58856 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
58857 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
58858 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
58859 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
58860 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
58861 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
58862 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
58863 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
58864 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
58865 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
58866 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
58867 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
58868 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
58869 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
58870 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
58871 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
58872 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
58873 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
58874 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
58875 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
58876 +
58877 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
58878 +
58879 +#endif
58880 +
58881 +#endif
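Review bot: `gr_log_varargs(int audit, const char *msg, int argtypes, ...)` at L58880 takes a format string whose conversions are never checked by the compiler, because the variadic arguments are interpreted according to `argtypes` rather than a `format` attribute; the only thing keeping the formats and the argument lists in step is that every `gr_log_*` wrapper above is invoked with a string-literal macro from grmsg.h. That invariant deserves a comment on the prototype, e.g. `/* msg must be a string literal from grmsg.h; its conversions are matched against the argtypes layout by hand, not by -Wformat */`. Separately, `gr_parent_task_fullpath()` and `DEFAULTSECARGS` dereference `(tsk)->real_parent->exec_file` directly; whatever locking makes `real_parent` stable for the caller is not visible in this hunk, and the macros evaluate their `task` argument several times, so a note that the arguments must be side-effect-free lvalues would help.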
58882 diff -urNp linux-3.0.9/include/linux/grmsg.h linux-3.0.9/include/linux/grmsg.h
58883 --- linux-3.0.9/include/linux/grmsg.h   1969-12-31 19:00:00.000000000 -0500
58884 +++ linux-3.0.9/include/linux/grmsg.h   2011-11-15 20:03:00.000000000 -0500
58885 @@ -0,0 +1,108 @@
58886 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
58887 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
58888 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
58889 +#define GR_STOPMOD_MSG "denied modification of module state by "
58890 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
58891 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
58892 +#define GR_IOPERM_MSG "denied use of ioperm() by "
58893 +#define GR_IOPL_MSG "denied use of iopl() by "
58894 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
58895 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
58896 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
58897 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
58898 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
58899 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
58900 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
58901 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
58902 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
58903 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
58904 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
58905 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
58906 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
58907 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
58908 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
58909 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
58910 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
58911 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
58912 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
58913 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
58914 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
58915 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
58916 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
58917 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
58918 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
58919 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
58920 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
58921 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
58922 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
58923 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
58924 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
58925 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
58926 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
58927 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
58928 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
58929 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
58930 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
58931 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
58932 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
58933 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
58934 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
58935 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
58936 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
58937 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
58938 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
58939 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
58940 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
58941 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
58942 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
58943 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
58944 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
58945 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
58946 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
58947 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
58948 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
58949 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
58950 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
58951 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
58952 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
58953 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
58954 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
58955 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
58956 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
58957 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
58958 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
58959 +#define GR_NICE_CHROOT_MSG "denied priority change by "
58960 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
58961 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
58962 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
58963 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
58964 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
58965 +#define GR_TIME_MSG "time set by "
58966 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
58967 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
58968 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
58969 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
58970 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
58971 +#define GR_BIND_MSG "denied bind() by "
58972 +#define GR_CONNECT_MSG "denied connect() by "
58973 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
58974 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
58975 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
58976 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
58977 +#define GR_CAP_ACL_MSG "use of %s denied for "
58978 +#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
58979 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
58980 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
58981 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
58982 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
58983 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
58984 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
58985 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
58986 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
58987 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
58988 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
58989 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
58990 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
58991 +#define GR_VM86_MSG "denied use of vm86 by "
58992 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
58993 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
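Review bot: `GR_TEXTREL_AUDIT_MSG` at L58993 formats its file name with an unbounded `%s`, whereas every other path conversion in this header carries an explicit precision (`%.950s`, `%.480s`, `%.256s`), and those precisions are what bound the length of a single log line. If the first argument is a path like the others, the consistent form is `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`; if it is a short fixed string, a comment saying so would stop the next reader from raising the same question. Note also that `GR_UNISIGLOG_MSG` prints a raw address with `%p`, which on this kernel generation is not hashed; whether that address is user-space only cannot be told from the header.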
58994 diff -urNp linux-3.0.9/include/linux/grsecurity.h linux-3.0.9/include/linux/grsecurity.h
58995 --- linux-3.0.9/include/linux/grsecurity.h      1969-12-31 19:00:00.000000000 -0500
58996 +++ linux-3.0.9/include/linux/grsecurity.h      2011-11-15 20:03:00.000000000 -0500
58997 @@ -0,0 +1,228 @@
58998 +#ifndef GR_SECURITY_H
58999 +#define GR_SECURITY_H
59000 +#include <linux/fs.h>
59001 +#include <linux/fs_struct.h>
59002 +#include <linux/binfmts.h>
59003 +#include <linux/gracl.h>
59004 +
59005 +/* notify of brain-dead configs */
59006 +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
59007 +#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
59008 +#endif
59009 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
59010 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
59011 +#endif
59012 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
59013 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
59014 +#endif
59015 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
59016 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
59017 +#endif
59018 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
59019 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
59020 +#endif
59021 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
59022 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
59023 +#endif
59024 +
59025 +#include <linux/compat.h>
59026 +
59027 +struct user_arg_ptr {
59028 +#ifdef CONFIG_COMPAT
59029 +       bool is_compat;
59030 +#endif
59031 +       union {
59032 +               const char __user *const __user *native;
59033 +#ifdef CONFIG_COMPAT
59034 +               compat_uptr_t __user *compat;
59035 +#endif
59036 +       } ptr;
59037 +};
59038 +
59039 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
59040 +void gr_handle_brute_check(void);
59041 +void gr_handle_kernel_exploit(void);
59042 +int gr_process_user_ban(void);
59043 +
59044 +char gr_roletype_to_char(void);
59045 +
59046 +int gr_acl_enable_at_secure(void);
59047 +
59048 +int gr_check_user_change(int real, int effective, int fs);
59049 +int gr_check_group_change(int real, int effective, int fs);
59050 +
59051 +void gr_del_task_from_ip_table(struct task_struct *p);
59052 +
59053 +int gr_pid_is_chrooted(struct task_struct *p);
59054 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
59055 +int gr_handle_chroot_nice(void);
59056 +int gr_handle_chroot_sysctl(const int op);
59057 +int gr_handle_chroot_setpriority(struct task_struct *p,
59058 +                                       const int niceval);
59059 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
59060 +int gr_handle_chroot_chroot(const struct dentry *dentry,
59061 +                                  const struct vfsmount *mnt);
59062 +void gr_handle_chroot_chdir(struct path *path);
59063 +int gr_handle_chroot_chmod(const struct dentry *dentry,
59064 +                                 const struct vfsmount *mnt, const int mode);
59065 +int gr_handle_chroot_mknod(const struct dentry *dentry,
59066 +                                 const struct vfsmount *mnt, const int mode);
59067 +int gr_handle_chroot_mount(const struct dentry *dentry,
59068 +                                 const struct vfsmount *mnt,
59069 +                                 const char *dev_name);
59070 +int gr_handle_chroot_pivot(void);
59071 +int gr_handle_chroot_unix(const pid_t pid);
59072 +
59073 +int gr_handle_rawio(const struct inode *inode);
59074 +
59075 +void gr_handle_ioperm(void);
59076 +void gr_handle_iopl(void);
59077 +
59078 +int gr_tpe_allow(const struct file *file);
59079 +
59080 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
59081 +void gr_clear_chroot_entries(struct task_struct *task);
59082 +
59083 +void gr_log_forkfail(const int retval);
59084 +void gr_log_timechange(void);
59085 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
59086 +void gr_log_chdir(const struct dentry *dentry,
59087 +                        const struct vfsmount *mnt);
59088 +void gr_log_chroot_exec(const struct dentry *dentry,
59089 +                              const struct vfsmount *mnt);
59090 +void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);
59091 +void gr_log_remount(const char *devname, const int retval);
59092 +void gr_log_unmount(const char *devname, const int retval);
59093 +void gr_log_mount(const char *from, const char *to, const int retval);
59094 +void gr_log_textrel(struct vm_area_struct *vma);
59095 +void gr_log_rwxmmap(struct file *file);
59096 +void gr_log_rwxmprotect(struct file *file);
59097 +
59098 +int gr_handle_follow_link(const struct inode *parent,
59099 +                                const struct inode *inode,
59100 +                                const struct dentry *dentry,
59101 +                                const struct vfsmount *mnt);
59102 +int gr_handle_fifo(const struct dentry *dentry,
59103 +                         const struct vfsmount *mnt,
59104 +                         const struct dentry *dir, const int flag,
59105 +                         const int acc_mode);
59106 +int gr_handle_hardlink(const struct dentry *dentry,
59107 +                             const struct vfsmount *mnt,
59108 +                             struct inode *inode,
59109 +                             const int mode, const char *to);
59110 +
59111 +int gr_is_capable(const int cap);
59112 +int gr_is_capable_nolog(const int cap);
59113 +void gr_learn_resource(const struct task_struct *task, const int limit,
59114 +                             const unsigned long wanted, const int gt);
59115 +void gr_copy_label(struct task_struct *tsk);
59116 +void gr_handle_crash(struct task_struct *task, const int sig);
59117 +int gr_handle_signal(const struct task_struct *p, const int sig);
59118 +int gr_check_crash_uid(const uid_t uid);
59119 +int gr_check_protected_task(const struct task_struct *task);
59120 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
59121 +int gr_acl_handle_mmap(const struct file *file,
59122 +                             const unsigned long prot);
59123 +int gr_acl_handle_mprotect(const struct file *file,
59124 +                                 const unsigned long prot);
59125 +int gr_check_hidden_task(const struct task_struct *tsk);
59126 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
59127 +                                   const struct vfsmount *mnt);
59128 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
59129 +                                const struct vfsmount *mnt);
59130 +__u32 gr_acl_handle_access(const struct dentry *dentry,
59131 +                                 const struct vfsmount *mnt, const int fmode);
59132 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
59133 +                                 const struct vfsmount *mnt, mode_t mode);
59134 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
59135 +                                const struct vfsmount *mnt, mode_t mode);
59136 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
59137 +                                const struct vfsmount *mnt);
59138 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
59139 +                                const struct vfsmount *mnt);
59140 +int gr_handle_ptrace(struct task_struct *task, const long request);
59141 +int gr_handle_proc_ptrace(struct task_struct *task);
59142 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
59143 +                                 const struct vfsmount *mnt);
59144 +int gr_check_crash_exec(const struct file *filp);
59145 +int gr_acl_is_enabled(void);
59146 +void gr_set_kernel_label(struct task_struct *task);
59147 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
59148 +                             const gid_t gid);
59149 +int gr_set_proc_label(const struct dentry *dentry,
59150 +                       const struct vfsmount *mnt,
59151 +                       const int unsafe_share);
59152 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
59153 +                               const struct vfsmount *mnt);
59154 +__u32 gr_acl_handle_open(const struct dentry *dentry,
59155 +                               const struct vfsmount *mnt, const int fmode);
59156 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
59157 +                                const struct dentry *p_dentry,
59158 +                                const struct vfsmount *p_mnt, const int fmode,
59159 +                                const int imode);
59160 +void gr_handle_create(const struct dentry *dentry,
59161 +                            const struct vfsmount *mnt);
59162 +void gr_handle_proc_create(const struct dentry *dentry,
59163 +                          const struct inode *inode);
59164 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
59165 +                                const struct dentry *parent_dentry,
59166 +                                const struct vfsmount *parent_mnt,
59167 +                                const int mode);
59168 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
59169 +                                const struct dentry *parent_dentry,
59170 +                                const struct vfsmount *parent_mnt);
59171 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
59172 +                                const struct vfsmount *mnt);
59173 +void gr_handle_delete(const ino_t ino, const dev_t dev);
59174 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
59175 +                                 const struct vfsmount *mnt);
59176 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
59177 +                                  const struct dentry *parent_dentry,
59178 +                                  const struct vfsmount *parent_mnt,
59179 +                                  const char *from);
59180 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
59181 +                               const struct dentry *parent_dentry,
59182 +                               const struct vfsmount *parent_mnt,
59183 +                               const struct dentry *old_dentry,
59184 +                               const struct vfsmount *old_mnt, const char *to);
59185 +int gr_acl_handle_rename(struct dentry *new_dentry,
59186 +                               struct dentry *parent_dentry,
59187 +                               const struct vfsmount *parent_mnt,
59188 +                               struct dentry *old_dentry,
59189 +                               struct inode *old_parent_inode,
59190 +                               struct vfsmount *old_mnt, const char *newname);
59191 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
59192 +                               struct dentry *old_dentry,
59193 +                               struct dentry *new_dentry,
59194 +                               struct vfsmount *mnt, const __u8 replace);
59195 +__u32 gr_check_link(const struct dentry *new_dentry,
59196 +                          const struct dentry *parent_dentry,
59197 +                          const struct vfsmount *parent_mnt,
59198 +                          const struct dentry *old_dentry,
59199 +                          const struct vfsmount *old_mnt);
59200 +int gr_acl_handle_filldir(const struct file *file, const char *name,
59201 +                                const unsigned int namelen, const ino_t ino);
59202 +
59203 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
59204 +                               const struct vfsmount *mnt);
59205 +void gr_acl_handle_exit(void);
59206 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
59207 +int gr_acl_handle_procpidmem(const struct task_struct *task);
59208 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
59209 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
59210 +void gr_audit_ptrace(struct task_struct *task);
59211 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
59212 +
59213 +#ifdef CONFIG_GRKERNSEC
59214 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
59215 +void gr_handle_vm86(void);
59216 +void gr_handle_mem_readwrite(u64 from, u64 to);
59217 +
59218 +extern int grsec_enable_dmesg;
59219 +extern int grsec_disable_privio;
59220 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59221 +extern int grsec_enable_chroot_findtask;
59222 +#endif
59223 +#endif
59224 +
59225 +#endif
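Review bot: The roughly 150 prototypes in this new header carry no statement of their return conventions, and the header mixes two families — `int gr_handle_*` / `gr_check_*` and `__u32 gr_acl_handle_*` (e.g. `gr_acl_handle_open`, `gr_acl_handle_unlink`) — without saying what zero and non-zero mean in each or whether negative errno values can come back, which is exactly what the VFS and exec hook sites must get right for a deny to actually deny. A short block comment after the includes giving each family's contract would make the hooks auditable from this file alone. Related inconsistency: `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change` take plain `int` where the rest of the header uses `uid_t`/`gid_t` (`gr_check_crash_uid`, `gr_set_role_label`); if `int` is deliberate so that the setresuid()-style -1 "unchanged" sentinel survives, a one-line comment should say so. `struct user_arg_ptr` is, as far as I recall, also defined locally in fs/exec.c in this kernel series, so moving it here presumably pairs with removing that definition elsewhere in the patch — worth confirming, since otherwise fs/exec.c sees both.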
59226 diff -urNp linux-3.0.9/include/linux/grsock.h linux-3.0.9/include/linux/grsock.h
59227 --- linux-3.0.9/include/linux/grsock.h  1969-12-31 19:00:00.000000000 -0500
59228 +++ linux-3.0.9/include/linux/grsock.h  2011-11-15 20:03:00.000000000 -0500
59229 @@ -0,0 +1,19 @@
59230 +#ifndef __GRSOCK_H
59231 +#define __GRSOCK_H
59232 +
59233 +extern void gr_attach_curr_ip(const struct sock *sk);
59234 +extern int gr_handle_sock_all(const int family, const int type,
59235 +                             const int protocol);
59236 +extern int gr_handle_sock_server(const struct sockaddr *sck);
59237 +extern int gr_handle_sock_server_other(const struct sock *sck);
59238 +extern int gr_handle_sock_client(const struct sockaddr *sck);
59239 +extern int gr_search_connect(struct socket * sock,
59240 +                            struct sockaddr_in * addr);
59241 +extern int gr_search_bind(struct socket * sock,
59242 +                         struct sockaddr_in * addr);
59243 +extern int gr_search_listen(struct socket * sock);
59244 +extern int gr_search_accept(struct socket * sock);
59245 +extern int gr_search_socket(const int domain, const int type,
59246 +                           const int protocol);
59247 +
59248 +#endif
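Review bot: This header is not self-contained: every prototype names `struct sock`, `struct sockaddr`, `struct socket` or `struct sockaddr_in`, yet nothing here includes or forward-declares them, so in a translation unit that has not already pulled in the socket headers the tags are declared at prototype scope ("declared inside parameter list" warning) and the resulting prototypes do not match the callers' types. Add `struct sock; struct sockaddr; struct socket; struct sockaddr_in;` directly after the include guard (or include the owning headers). The `struct socket * sock` / `struct sockaddr_in * addr` spacing on the `gr_search_*` prototypes also differs from the rest of the header; `struct socket *sock` is the kernel form.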
59249 diff -urNp linux-3.0.9/include/linux/hid.h linux-3.0.9/include/linux/hid.h
59250 --- linux-3.0.9/include/linux/hid.h     2011-11-11 13:12:24.000000000 -0500
59251 +++ linux-3.0.9/include/linux/hid.h     2011-11-15 20:03:00.000000000 -0500
59252 @@ -675,7 +675,7 @@ struct hid_ll_driver {
59253                         unsigned int code, int value);
59254  
59255         int (*parse)(struct hid_device *hdev);
59256 -};
59257 +} __no_const;
59258  
59259  #define        PM_HINT_FULLON  1<<5
59260  #define PM_HINT_NORMAL 1<<1
59261 diff -urNp linux-3.0.9/include/linux/highmem.h linux-3.0.9/include/linux/highmem.h
59262 --- linux-3.0.9/include/linux/highmem.h 2011-11-11 13:12:24.000000000 -0500
59263 +++ linux-3.0.9/include/linux/highmem.h 2011-11-15 20:03:00.000000000 -0500
59264 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
59265         kunmap_atomic(kaddr, KM_USER0);
59266  }
59267  
59268 +static inline void sanitize_highpage(struct page *page)
59269 +{
59270 +       void *kaddr;
59271 +       unsigned long flags;
59272 +
59273 +       local_irq_save(flags);
59274 +       kaddr = kmap_atomic(page, KM_CLEARPAGE);
59275 +       clear_page(kaddr);
59276 +       kunmap_atomic(kaddr, KM_CLEARPAGE);
59277 +       local_irq_restore(flags);
59278 +}
59279 +
59280  static inline void zero_user_segments(struct page *page,
59281         unsigned start1, unsigned end1,
59282         unsigned start2, unsigned end2)
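Review bot: `sanitize_highpage()` is `clear_highpage()` (just above this hunk) plus an IRQ save/restore and a different kmap slot, and nothing says why those two differences exist, so the next reader cannot tell whether the irq-disable is required for correctness or is a leftover. Presumably this is the zero-on-free path (PaX MEMORY_SANITIZE) and may be entered with interrupts in an unknown state while `KM_USER0` is possibly in use by the caller — if so, say that: `/* Zero a page on free; runs with IRQs off on its own kmap slot because it can be called while KM_USER0 is already mapped — TODO confirm */`. Without that comment a later cleanup is likely to "simplify" it back into clear_highpage() and lose whatever the irq-disable protects.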
59283 diff -urNp linux-3.0.9/include/linux/i2c.h linux-3.0.9/include/linux/i2c.h
59284 --- linux-3.0.9/include/linux/i2c.h     2011-11-11 13:12:24.000000000 -0500
59285 +++ linux-3.0.9/include/linux/i2c.h     2011-11-15 20:03:00.000000000 -0500
59286 @@ -346,6 +346,7 @@ struct i2c_algorithm {
59287         /* To determine what the adapter supports */
59288         u32 (*functionality) (struct i2c_adapter *);
59289  };
59290 +typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
59291  
59292  /*
59293   * i2c_adapter is the structure used to identify a physical i2c bus along
59294 diff -urNp linux-3.0.9/include/linux/i2o.h linux-3.0.9/include/linux/i2o.h
59295 --- linux-3.0.9/include/linux/i2o.h     2011-11-11 13:12:24.000000000 -0500
59296 +++ linux-3.0.9/include/linux/i2o.h     2011-11-15 20:03:00.000000000 -0500
59297 @@ -564,7 +564,7 @@ struct i2o_controller {
59298         struct i2o_device *exec;        /* Executive */
59299  #if BITS_PER_LONG == 64
59300         spinlock_t context_list_lock;   /* lock for context_list */
59301 -       atomic_t context_list_counter;  /* needed for unique contexts */
59302 +       atomic_unchecked_t context_list_counter;        /* needed for unique contexts */
59303         struct list_head context_list;  /* list of context id's
59304                                            and pointers */
59305  #endif
59306 diff -urNp linux-3.0.9/include/linux/init.h linux-3.0.9/include/linux/init.h
59307 --- linux-3.0.9/include/linux/init.h    2011-11-11 13:12:24.000000000 -0500
59308 +++ linux-3.0.9/include/linux/init.h    2011-11-15 20:03:00.000000000 -0500
59309 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
59310  
59311  /* Each module must use one module_init(). */
59312  #define module_init(initfn)                                    \
59313 -       static inline initcall_t __inittest(void)               \
59314 +       static inline __used initcall_t __inittest(void)        \
59315         { return initfn; }                                      \
59316         int init_module(void) __attribute__((alias(#initfn)));
59317  
59318  /* This is only required if you want to be unloadable. */
59319  #define module_exit(exitfn)                                    \
59320 -       static inline exitcall_t __exittest(void)               \
59321 +       static inline __used exitcall_t __exittest(void)        \
59322         { return exitfn; }                                      \
59323         void cleanup_module(void) __attribute__((alias(#exitfn)));
59324  
59325 diff -urNp linux-3.0.9/include/linux/init_task.h linux-3.0.9/include/linux/init_task.h
59326 --- linux-3.0.9/include/linux/init_task.h       2011-11-11 13:12:24.000000000 -0500
59327 +++ linux-3.0.9/include/linux/init_task.h       2011-11-15 20:03:00.000000000 -0500
59328 @@ -126,6 +126,12 @@ extern struct cred init_cred;
59329  # define INIT_PERF_EVENTS(tsk)
59330  #endif
59331  
59332 +#ifdef CONFIG_X86
59333 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
59334 +#else
59335 +#define INIT_TASK_THREAD_INFO
59336 +#endif
59337 +
59338  /*
59339   *  INIT_TASK is used to set up the first task table, touch at
59340   * your own risk!. Base=0, limit=0x1fffff (=2MB)
59341 @@ -164,6 +170,7 @@ extern struct cred init_cred;
59342         RCU_INIT_POINTER(.cred, &init_cred),                            \
59343         .comm           = "swapper",                                    \
59344         .thread         = INIT_THREAD,                                  \
59345 +       INIT_TASK_THREAD_INFO                                           \
59346         .fs             = &init_fs,                                     \
59347         .files          = &init_files,                                  \
59348         .signal         = &init_signals,                                \
59349 diff -urNp linux-3.0.9/include/linux/intel-iommu.h linux-3.0.9/include/linux/intel-iommu.h
59350 --- linux-3.0.9/include/linux/intel-iommu.h     2011-11-11 13:12:24.000000000 -0500
59351 +++ linux-3.0.9/include/linux/intel-iommu.h     2011-11-15 20:03:00.000000000 -0500
59352 @@ -296,7 +296,7 @@ struct iommu_flush {
59353                               u8 fm, u64 type);
59354         void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
59355                             unsigned int size_order, u64 type);
59356 -};
59357 +} __no_const;
59358  
59359  enum {
59360         SR_DMAR_FECTL_REG,
59361 diff -urNp linux-3.0.9/include/linux/interrupt.h linux-3.0.9/include/linux/interrupt.h
59362 --- linux-3.0.9/include/linux/interrupt.h       2011-11-11 13:12:24.000000000 -0500
59363 +++ linux-3.0.9/include/linux/interrupt.h       2011-11-15 20:03:00.000000000 -0500
59364 @@ -425,7 +425,7 @@ enum
59365  /* map softirq index to softirq name. update 'softirq_to_name' in
59366   * kernel/softirq.c when adding a new softirq.
59367   */
59368 -extern char *softirq_to_name[NR_SOFTIRQS];
59369 +extern const char * const softirq_to_name[NR_SOFTIRQS];
59370  
59371  /* softirq mask and active fields moved to irq_cpustat_t in
59372   * asm/hardirq.h to get better cache usage.  KAO
59373 @@ -433,12 +433,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
59374  
59375  struct softirq_action
59376  {
59377 -       void    (*action)(struct softirq_action *);
59378 +       void    (*action)(void);
59379  };
59380  
59381  asmlinkage void do_softirq(void);
59382  asmlinkage void __do_softirq(void);
59383 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
59384 +extern void open_softirq(int nr, void (*action)(void));
59385  extern void softirq_init(void);
59386  static inline void __raise_softirq_irqoff(unsigned int nr)
59387  {
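Review bot: Changing `struct softirq_action::action` and `open_softirq()` to `void (*)(void)` is a tree-wide interface change, not a local one: every existing softirq handler (`net_rx_action`, `net_tx_action`, `run_timer_softirq`, `tasklet_action`, `rcu_process_callbacks`, …) is defined as `void f(struct softirq_action *)`, and one that is not converted in the same patch only draws an incompatible-pointer-type warning at its `open_softirq()` call rather than an error, so a missed handler would survive to runtime. I cannot see the kernel/softirq.c and subsystem changes from here; a comment at the struct giving the rationale (no handler uses the argument, so the pointer type can be narrowed) would help anyone porting an out-of-tree handler. The previous hunk's `const char * const softirq_to_name[]` likewise requires the definition in kernel/softirq.c to change in lockstep or the build fails on conflicting types.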
59388 diff -urNp linux-3.0.9/include/linux/kallsyms.h linux-3.0.9/include/linux/kallsyms.h
59389 --- linux-3.0.9/include/linux/kallsyms.h        2011-11-11 13:12:24.000000000 -0500
59390 +++ linux-3.0.9/include/linux/kallsyms.h        2011-11-15 20:03:00.000000000 -0500
59391 @@ -15,7 +15,8 @@
59392  
59393  struct module;
59394  
59395 -#ifdef CONFIG_KALLSYMS
59396 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
59397 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
59398  /* Lookup the address for a symbol. Returns 0 if not found. */
59399  unsigned long kallsyms_lookup_name(const char *name);
59400  
59401 @@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
59402  /* Stupid that this does nothing, but I didn't create this mess. */
59403  #define __print_symbol(fmt, addr)
59404  #endif /*CONFIG_KALLSYMS*/
59405 +#else /* when included by kallsyms.c, vsnprintf.c, or
59406 +        arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
59407 +extern void __print_symbol(const char *fmt, unsigned long address);
59408 +extern int sprint_backtrace(char *buffer, unsigned long address);
59409 +extern int sprint_symbol(char *buffer, unsigned long address);
59410 +const char *kallsyms_lookup(unsigned long addr,
59411 +                           unsigned long *symbolsize,
59412 +                           unsigned long *offset,
59413 +                           char **modname, char *namebuf);
59414 +#endif
59415  
59416  /* This macro allows us to keep printk typechecking */
59417  static void __check_printsym_format(const char *fmt, ...)
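Review bot: The new `#endif` closing the `#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` opened in the previous hunk carries no trailing comment, while the `#endif /*CONFIG_KALLSYMS*/` immediately above it now closes the inner condition; with two nested conditionals some ninety lines apart, label it `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. The `#else` comment enumerates three .c files that define `__INCLUDED_BY_HIDESYM`; that list will rot, so state the rule instead — files that need the real lookup functions despite HIDESYM define `__INCLUDED_BY_HIDESYM` before including this header — and keep the list only as an example. `kallsyms_lookup` in the new branch is also declared without `extern` while its three neighbours have it; harmless, but inconsistent within five lines.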
59418 diff -urNp linux-3.0.9/include/linux/kgdb.h linux-3.0.9/include/linux/kgdb.h
59419 --- linux-3.0.9/include/linux/kgdb.h    2011-11-11 13:12:24.000000000 -0500
59420 +++ linux-3.0.9/include/linux/kgdb.h    2011-11-15 20:03:00.000000000 -0500
59421 @@ -53,7 +53,7 @@ extern int kgdb_connected;
59422  extern int kgdb_io_module_registered;
59423  
59424  extern atomic_t                        kgdb_setting_breakpoint;
59425 -extern atomic_t                        kgdb_cpu_doing_single_step;
59426 +extern atomic_unchecked_t      kgdb_cpu_doing_single_step;
59427  
59428  extern struct task_struct      *kgdb_usethread;
59429  extern struct task_struct      *kgdb_contthread;
59430 @@ -251,7 +251,7 @@ struct kgdb_arch {
59431         void    (*disable_hw_break)(struct pt_regs *regs);
59432         void    (*remove_all_hw_break)(void);
59433         void    (*correct_hw_break)(void);
59434 -};
59435 +} __do_const;
59436  
59437  /**
59438   * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
59439 @@ -276,7 +276,7 @@ struct kgdb_io {
59440         void                    (*pre_exception) (void);
59441         void                    (*post_exception) (void);
59442         int                     is_console;
59443 -};
59444 +} __do_const;
59445  
59446  extern struct kgdb_arch                arch_kgdb_ops;
59447  
59448 diff -urNp linux-3.0.9/include/linux/kmod.h linux-3.0.9/include/linux/kmod.h
59449 --- linux-3.0.9/include/linux/kmod.h    2011-11-11 13:12:24.000000000 -0500
59450 +++ linux-3.0.9/include/linux/kmod.h    2011-11-15 20:03:00.000000000 -0500
59451 @@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysc
59452   * usually useless though. */
59453  extern int __request_module(bool wait, const char *name, ...) \
59454         __attribute__((format(printf, 2, 3)));
59455 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
59456 +       __attribute__((format(printf, 3, 4)));
59457  #define request_module(mod...) __request_module(true, mod)
59458  #define request_module_nowait(mod...) __request_module(false, mod)
59459  #define try_then_request_module(x, mod...) \
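Review bot: `___request_module()` takes `char *param_name` while its sibling `name` is `const char *`; unless the implementation writes into `param_name`, it should be `const char *param_name` so callers can pass literals and `const` data without casts and the prototype documents that the string is not modified. The new prototype also says nothing about what `param_name` carries or how this variant differs from `__request_module()` — a one-line comment such as `/* like __request_module(), but <role of param_name> */` is needed, since this is presumably the entry the module auto-load restriction (GRKERNSEC_MODHARDEN) hooks route through, outside this hunk. The triple-underscore prefix is hard to tell from `__request_module` at a glance; a descriptive suffix would read better than a third underscore.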
59460 diff -urNp linux-3.0.9/include/linux/kvm_host.h linux-3.0.9/include/linux/kvm_host.h
59461 --- linux-3.0.9/include/linux/kvm_host.h        2011-11-11 13:12:24.000000000 -0500
59462 +++ linux-3.0.9/include/linux/kvm_host.h        2011-11-15 20:03:00.000000000 -0500
59463 @@ -307,7 +307,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
59464  void vcpu_load(struct kvm_vcpu *vcpu);
59465  void vcpu_put(struct kvm_vcpu *vcpu);
59466  
59467 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59468 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59469                   struct module *module);
59470  void kvm_exit(void);
59471  
59472 @@ -446,7 +446,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
59473                                         struct kvm_guest_debug *dbg);
59474  int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
59475  
59476 -int kvm_arch_init(void *opaque);
59477 +int kvm_arch_init(const void *opaque);
59478  void kvm_arch_exit(void);
59479  
59480  int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
59481 diff -urNp linux-3.0.9/include/linux/libata.h linux-3.0.9/include/linux/libata.h
59482 --- linux-3.0.9/include/linux/libata.h  2011-11-11 13:12:24.000000000 -0500
59483 +++ linux-3.0.9/include/linux/libata.h  2011-11-15 20:03:00.000000000 -0500
59484 @@ -899,7 +899,7 @@ struct ata_port_operations {
59485          * fields must be pointers.
59486          */
59487         const struct ata_port_operations        *inherits;
59488 -};
59489 +} __do_const;
59490  
59491  struct ata_port_info {
59492         unsigned long           flags;
59493 diff -urNp linux-3.0.9/include/linux/mca.h linux-3.0.9/include/linux/mca.h
59494 --- linux-3.0.9/include/linux/mca.h     2011-11-11 13:12:24.000000000 -0500
59495 +++ linux-3.0.9/include/linux/mca.h     2011-11-15 20:03:00.000000000 -0500
59496 @@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
59497                                                   int region);
59498         void *          (*mca_transform_memory)(struct mca_device *,
59499                                                 void *memory);
59500 -};
59501 +} __no_const;
59502  
59503  struct mca_bus {
59504         u64                     default_dma_mask;
59505 diff -urNp linux-3.0.9/include/linux/memory.h linux-3.0.9/include/linux/memory.h
59506 --- linux-3.0.9/include/linux/memory.h  2011-11-11 13:12:24.000000000 -0500
59507 +++ linux-3.0.9/include/linux/memory.h  2011-11-15 20:03:00.000000000 -0500
59508 @@ -144,7 +144,7 @@ struct memory_accessor {
59509                         size_t count);
59510         ssize_t (*write)(struct memory_accessor *, const char *buf,
59511                          off_t offset, size_t count);
59512 -};
59513 +} __no_const;
59514  
59515  /*
59516   * Kernel text modification mutex, used for code patching. Users of this lock
59517 diff -urNp linux-3.0.9/include/linux/mfd/abx500.h linux-3.0.9/include/linux/mfd/abx500.h
59518 --- linux-3.0.9/include/linux/mfd/abx500.h      2011-11-11 13:12:24.000000000 -0500
59519 +++ linux-3.0.9/include/linux/mfd/abx500.h      2011-11-15 20:03:00.000000000 -0500
59520 @@ -234,6 +234,7 @@ struct abx500_ops {
59521         int (*event_registers_startup_state_get) (struct device *, u8 *);
59522         int (*startup_irq_enabled) (struct device *, unsigned int);
59523  };
59524 +typedef struct abx500_ops __no_const abx500_ops_no_const;
59525  
59526  int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
59527  void abx500_remove_ops(struct device *dev);
59528 diff -urNp linux-3.0.9/include/linux/mm.h linux-3.0.9/include/linux/mm.h
59529 --- linux-3.0.9/include/linux/mm.h      2011-11-11 13:12:24.000000000 -0500
59530 +++ linux-3.0.9/include/linux/mm.h      2011-11-15 20:03:00.000000000 -0500
59531 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void 
59532  
59533  #define VM_CAN_NONLINEAR 0x08000000    /* Has ->fault & does nonlinear pages */
59534  #define VM_MIXEDMAP    0x10000000      /* Can contain "struct page" and pure PFN pages */
59535 +
59536 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
59537 +#define VM_SAO         0x00000000      /* Strong Access Ordering (powerpc) */
59538 +#define VM_PAGEEXEC    0x20000000      /* vma->vm_page_prot needs special handling */
59539 +#else
59540  #define VM_SAO         0x20000000      /* Strong Access Ordering (powerpc) */
59541 +#endif
59542 +
59543  #define VM_PFN_AT_MMAP 0x40000000      /* PFNMAP vma that is fully mapped at mmap time */
59544  #define VM_MERGEABLE   0x80000000      /* KSM may merge identical pages */
59545  
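Review bot: Redefining `VM_SAO` to `0x00000000` under PAGEEXEC on x86-32 so that `0x20000000` can become `VM_PAGEEXEC` is only safe because, per the existing comment, SAO is a powerpc-only flag; with the value 0, any arch-independent `vm_flags & VM_SAO` test silently becomes always-false and `|= VM_SAO` a no-op, so a future generic user of the flag would be broken without any compile error. Record that constraint next to the definition, e.g. `/* VM_SAO is only meaningful on powerpc; under PAGEEXEC on x86-32 its bit is reused for VM_PAGEEXEC and VM_SAO stays defined (as 0) only so generic code still compiles */`, so the `CONFIG_X86_32` condition is understood as what makes the reuse safe rather than as an arbitrary restriction.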
59546 @@ -1008,34 +1015,6 @@ int set_page_dirty(struct page *page);
59547  int set_page_dirty_lock(struct page *page);
59548  int clear_page_dirty_for_io(struct page *page);
59549  
59550 -/* Is the vma a continuation of the stack vma above it? */
59551 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
59552 -{
59553 -       return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
59554 -}
59555 -
59556 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
59557 -                                            unsigned long addr)
59558 -{
59559 -       return (vma->vm_flags & VM_GROWSDOWN) &&
59560 -               (vma->vm_start == addr) &&
59561 -               !vma_growsdown(vma->vm_prev, addr);
59562 -}
59563 -
59564 -/* Is the vma a continuation of the stack vma below it? */
59565 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
59566 -{
59567 -       return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
59568 -}
59569 -
59570 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
59571 -                                          unsigned long addr)
59572 -{
59573 -       return (vma->vm_flags & VM_GROWSUP) &&
59574 -               (vma->vm_end == addr) &&
59575 -               !vma_growsup(vma->vm_next, addr);
59576 -}
59577 -
59578  extern unsigned long move_page_tables(struct vm_area_struct *vma,
59579                 unsigned long old_addr, struct vm_area_struct *new_vma,
59580                 unsigned long new_addr, unsigned long len);
59581 @@ -1168,6 +1147,15 @@ struct shrinker {
59582  extern void register_shrinker(struct shrinker *);
59583  extern void unregister_shrinker(struct shrinker *);
59584  
59585 +#ifdef CONFIG_MMU
59586 +pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
59587 +#else
59588 +static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
59589 +{
59590 +       return __pgprot(0);
59591 +}
59592 +#endif
59593 +
59594  int vma_wants_writenotify(struct vm_area_struct *vma);
59595  
59596  extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
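Review bot: This hunk moves `vm_get_page_prot()` up (the old declaration is removed in the hunk at -1525) and at the same time changes its parameter from `unsigned long` to `vm_flags_t`; as far as I recall `vm_flags_t` is not a type in vanilla 3.0 (it arrived in 3.1 as `typedef unsigned long vm_flags_t;` in mm_types.h), so this compiles only if the patch introduces that typedef before mm.h reaches this point, and the definition in mm/mmap.c must be changed to match or the build fails on conflicting types. Neither the typedef nor the mm/mmap.c side is visible here; if the type change is intentional rather than a carry-over from a later kernel, a short comment on why it needs to precede `vma_wants_writenotify()` would explain the move.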
59597 @@ -1451,6 +1439,7 @@ out:
59598  }
59599  
59600  extern int do_munmap(struct mm_struct *, unsigned long, size_t);
59601 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
59602  
59603  extern unsigned long do_brk(unsigned long, unsigned long);
59604  
59605 @@ -1509,6 +1498,10 @@ extern struct vm_area_struct * find_vma(
59606  extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
59607                                              struct vm_area_struct **pprev);
59608  
59609 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
59610 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
59611 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
59612 +
59613  /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
59614     NULL if none.  Assume start_addr < end_addr. */
59615  static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
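Review bot: The three `pax_*` declarations introduce the "mirror vma" concept into the core mm API with no explanation of what a mirror is, which mappings have one, or what locking the caller must hold; `pax_mirror_file_pte()` taking a `spinlock_t *ptl` suggests the caller already holds the page-table lock, and `pax_mirror_vma()` being `__must_check long` suggests a negative errno on failure — both inferences a reader should not have to make. Add a short block comment above them along the lines of: under SEGMEXEC an executable mapping has a second VMA (`vma->vm_mirror`) at a fixed offset; `pax_find_mirror_vma()` returns it or NULL, `pax_mirror_vma()` creates it and returns 0 or -errno, `pax_mirror_file_pte()` installs the mirrored PTE with `ptl` held by the caller — with the details confirmed against the mm/mmap.c and mm/memory.c implementations, which are outside this hunk.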
59616 @@ -1525,15 +1518,6 @@ static inline unsigned long vma_pages(st
59617         return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
59618  }
59619  
59620 -#ifdef CONFIG_MMU
59621 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
59622 -#else
59623 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
59624 -{
59625 -       return __pgprot(0);
59626 -}
59627 -#endif
59628 -
59629  struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
59630  int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
59631                         unsigned long pfn, unsigned long size, pgprot_t);
59632 @@ -1646,7 +1630,7 @@ extern int unpoison_memory(unsigned long
59633  extern int sysctl_memory_failure_early_kill;
59634  extern int sysctl_memory_failure_recovery;
59635  extern void shake_page(struct page *p, int access);
59636 -extern atomic_long_t mce_bad_pages;
59637 +extern atomic_long_unchecked_t mce_bad_pages;
59638  extern int soft_offline_page(struct page *page, int flags);
59639  
59640  extern void dump_page(struct page *page);
59641 @@ -1660,5 +1644,11 @@ extern void copy_user_huge_page(struct p
59642                                 unsigned int pages_per_huge_page);
59643  #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
59644  
59645 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
59646 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
59647 +#else
59648 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
59649 +#endif
59650 +
59651  #endif /* __KERNEL__ */
59652  #endif /* _LINUX_MM_H */
59653 diff -urNp linux-3.0.9/include/linux/mm_types.h linux-3.0.9/include/linux/mm_types.h
59654 --- linux-3.0.9/include/linux/mm_types.h        2011-11-11 13:12:24.000000000 -0500
59655 +++ linux-3.0.9/include/linux/mm_types.h        2011-11-15 20:03:00.000000000 -0500
59656 @@ -198,6 +198,8 @@ struct vm_area_struct {
59657  #ifdef CONFIG_NUMA
59658         struct mempolicy *vm_policy;    /* NUMA policy for the VMA */
59659  #endif
59660 +
59661 +       struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
59662  };
59663  
59664  struct core_thread {
59665 @@ -330,6 +332,24 @@ struct mm_struct {
59666  #ifdef CONFIG_CPUMASK_OFFSTACK
59667         struct cpumask cpumask_allocation;
59668  #endif
59669 +
59670 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
59671 +       unsigned long pax_flags;
59672 +#endif
59673 +
59674 +#ifdef CONFIG_PAX_DLRESOLVE
59675 +       unsigned long call_dl_resolve;
59676 +#endif
59677 +
59678 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
59679 +       unsigned long call_syscall;
59680 +#endif
59681 +
59682 +#ifdef CONFIG_PAX_ASLR
59683 +       unsigned long delta_mmap;               /* randomized offset */
59684 +       unsigned long delta_stack;              /* randomized offset */
59685 +#endif
59686 +
59687  };
59688  
59689  static inline void mm_init_cpumask(struct mm_struct *mm)
59690 diff -urNp linux-3.0.9/include/linux/mmu_notifier.h linux-3.0.9/include/linux/mmu_notifier.h
59691 --- linux-3.0.9/include/linux/mmu_notifier.h    2011-11-11 13:12:24.000000000 -0500
59692 +++ linux-3.0.9/include/linux/mmu_notifier.h    2011-11-15 20:03:00.000000000 -0500
59693 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
59694   */
59695  #define ptep_clear_flush_notify(__vma, __address, __ptep)              \
59696  ({                                                                     \
59697 -       pte_t __pte;                                                    \
59698 +       pte_t ___pte;                                                   \
59699         struct vm_area_struct *___vma = __vma;                          \
59700         unsigned long ___address = __address;                           \
59701 -       __pte = ptep_clear_flush(___vma, ___address, __ptep);           \
59702 +       ___pte = ptep_clear_flush(___vma, ___address, __ptep);          \
59703         mmu_notifier_invalidate_page(___vma->vm_mm, ___address);        \
59704 -       __pte;                                                          \
59705 +       ___pte;                                                         \
59706  })
59707  
59708  #define pmdp_clear_flush_notify(__vma, __address, __pmdp)              \
59709 diff -urNp linux-3.0.9/include/linux/mmzone.h linux-3.0.9/include/linux/mmzone.h
59710 --- linux-3.0.9/include/linux/mmzone.h  2011-11-11 13:12:24.000000000 -0500
59711 +++ linux-3.0.9/include/linux/mmzone.h  2011-11-15 20:03:00.000000000 -0500
59712 @@ -350,7 +350,7 @@ struct zone {
59713         unsigned long           flags;             /* zone flags, see below */
59714  
59715         /* Zone statistics */
59716 -       atomic_long_t           vm_stat[NR_VM_ZONE_STAT_ITEMS];
59717 +       atomic_long_unchecked_t         vm_stat[NR_VM_ZONE_STAT_ITEMS];
59718  
59719         /*
59720          * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
59721 diff -urNp linux-3.0.9/include/linux/mod_devicetable.h linux-3.0.9/include/linux/mod_devicetable.h
59722 --- linux-3.0.9/include/linux/mod_devicetable.h 2011-11-11 13:12:24.000000000 -0500
59723 +++ linux-3.0.9/include/linux/mod_devicetable.h 2011-11-15 20:03:00.000000000 -0500
59724 @@ -12,7 +12,7 @@
59725  typedef unsigned long kernel_ulong_t;
59726  #endif
59727  
59728 -#define PCI_ANY_ID (~0)
59729 +#define PCI_ANY_ID ((__u16)~0)
59730  
59731  struct pci_device_id {
59732         __u32 vendor, device;           /* Vendor and device ID or PCI_ANY_ID*/
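Review bot: Narrowing `PCI_ANY_ID` to `((__u16)~0)` changes the wildcard value stored in the `__u32` fields of `struct pci_device_id` from 0xffffffff (what `(~0)` became after conversion to the field type) to 0xffff, which is observable wherever such a field is compared against a literal or against a value that did not come through this macro. One likely place is the sysfs `new_id` parsing path, where a caller writing `ffffffff` for subvendor/subdevice would no longer be treated as a wildcard; whether that matters should be checked in drivers/pci/pci-driver.c, which is outside this diff. If the change is only meant to silence sign-conversion warnings, `(~0U)` as used for `HID_ANY_ID` in the next hunk keeps the stored value unchanged. Either way the comment on `vendor, device` below should state the wildcard's numeric value, e.g. `/* Vendor and device ID or PCI_ANY_ID (0xffff) */`.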
59733 @@ -131,7 +131,7 @@ struct usb_device_id {
59734  #define USB_DEVICE_ID_MATCH_INT_SUBCLASS       0x0100
59735  #define USB_DEVICE_ID_MATCH_INT_PROTOCOL       0x0200
59736  
59737 -#define HID_ANY_ID                             (~0)
59738 +#define HID_ANY_ID                             (~0U)
59739  
59740  struct hid_device_id {
59741         __u16 bus;
59742 diff -urNp linux-3.0.9/include/linux/module.h linux-3.0.9/include/linux/module.h
59743 --- linux-3.0.9/include/linux/module.h  2011-11-11 13:12:24.000000000 -0500
59744 +++ linux-3.0.9/include/linux/module.h  2011-11-15 20:03:00.000000000 -0500
59745 @@ -16,6 +16,7 @@
59746  #include <linux/kobject.h>
59747  #include <linux/moduleparam.h>
59748  #include <linux/tracepoint.h>
59749 +#include <linux/fs.h>
59750  
59751  #include <linux/percpu.h>
59752  #include <asm/module.h>
59753 @@ -325,19 +326,16 @@ struct module
59754         int (*init)(void);
59755  
59756         /* If this is non-NULL, vfree after init() returns */
59757 -       void *module_init;
59758 +       void *module_init_rx, *module_init_rw;
59759  
59760         /* Here is the actual code + data, vfree'd on unload. */
59761 -       void *module_core;
59762 +       void *module_core_rx, *module_core_rw;
59763  
59764         /* Here are the sizes of the init and core sections */
59765 -       unsigned int init_size, core_size;
59766 +       unsigned int init_size_rw, core_size_rw;
59767  
59768         /* The size of the executable code in each section.  */
59769 -       unsigned int init_text_size, core_text_size;
59770 -
59771 -       /* Size of RO sections of the module (text+rodata) */
59772 -       unsigned int init_ro_size, core_ro_size;
59773 +       unsigned int init_size_rx, core_size_rx;
59774  
59775         /* Arch-specific module values */
59776         struct mod_arch_specific arch;
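Review bot: The comment `/* If this is non-NULL, vfree after init() returns */` now sits above two pointers, `module_init_rx` and `module_init_rw`, and no longer says which of them is tested or whether both are freed; the same holds for `/* Here is the actual code + data, vfree'd on unload. */` above the `module_core_rx, *module_core_rw` pair. Suggest `/* If either is non-NULL, both are vfree'd after init() returns */` (assuming that is what the loader does — its code is not in this hunk) and one line above the first pair explaining the split, e.g. `/* _rx: text+rodata mapped read-execute, _rw: data mapped read-write (CONFIG_PAX_KERNEXEC split) */`, so that `init_size_rx`/`core_size_rx` below, whose inherited comment still speaks only of "executable code", are read consistently with the new layout.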
59777 @@ -393,6 +391,10 @@ struct module
59778  #ifdef CONFIG_EVENT_TRACING
59779         struct ftrace_event_call **trace_events;
59780         unsigned int num_trace_events;
59781 +       struct file_operations trace_id;
59782 +       struct file_operations trace_enable;
59783 +       struct file_operations trace_format;
59784 +       struct file_operations trace_filter;
59785  #endif
59786  #ifdef CONFIG_FTRACE_MCOUNT_RECORD
59787         unsigned int num_ftrace_callsites;
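Review bot: `struct module` now embeds four `struct file_operations` by value (`trace_id`, `trace_enable`, `trace_format`, `trace_filter`), which is what forces the new `#include <linux/fs.h>` in the first hunk of this file and grows every loaded module's descriptor by four full ops tables. Nothing says why per-module copies are needed instead of pointers to shared tables; if the reason is that the shared event fops become read-only elsewhere in this patch and can no longer be patched per module, a comment such as `/* per-module copies: the shared ftrace event fops are const and cannot be adjusted per module */` would stop the next reader from turning these back into pointers. That reason is inferred from the rest of the patch, not visible in this hunk.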
59788 @@ -443,16 +445,46 @@ bool is_module_address(unsigned long add
59789  bool is_module_percpu_address(unsigned long addr);
59790  bool is_module_text_address(unsigned long addr);
59791  
59792 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
59793 +{
59794 +
59795 +#ifdef CONFIG_PAX_KERNEXEC
59796 +       if (ktla_ktva(addr) >= (unsigned long)start &&
59797 +           ktla_ktva(addr) < (unsigned long)start + size)
59798 +               return 1;
59799 +#endif
59800 +
59801 +       return ((void *)addr >= start && (void *)addr < start + size);
59802 +}
59803 +
59804 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
59805 +{
59806 +       return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
59807 +}
59808 +
59809 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
59810 +{
59811 +       return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
59812 +}
59813 +
59814 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
59815 +{
59816 +       return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
59817 +}
59818 +
59819 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
59820 +{
59821 +       return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
59822 +}
59823 +
59824  static inline int within_module_core(unsigned long addr, struct module *mod)
59825  {
59826 -       return (unsigned long)mod->module_core <= addr &&
59827 -              addr < (unsigned long)mod->module_core + mod->core_size;
59828 +       return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
59829  }
59830  
59831  static inline int within_module_init(unsigned long addr, struct module *mod)
59832  {
59833 -       return (unsigned long)mod->module_init <= addr &&
59834 -              addr < (unsigned long)mod->module_init + mod->init_size;
59835 +       return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
59836  }
59837  
59838  /* Search for module by name: must hold module_mutex. */
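Review bot: `within_module_range` evaluates `ktla_ktva(addr)` twice under CONFIG_PAX_KERNEXEC and then performs the fallback test in pointer arithmetic (`start + size` on a `void *`, a GCC extension) while the first test is done in `unsigned long`; the two styles make it harder to see that both checks cover the same half-open interval, and the blank line after the opening brace is a stray. Computing the translated address once and doing both comparisons in `unsigned long` keeps the behaviour and drops the `void *` arithmetic. A short comment on why both the translated and the untranslated address are accepted would also help, since the function answers yes for either form.

```c
static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
{
	unsigned long base = (unsigned long)start;

#ifdef CONFIG_PAX_KERNEXEC
	/* accept the address in its KERNEXEC-translated form as well as as given */
	unsigned long kva = ktla_ktva(addr);

	if (kva >= base && kva < base + size)
		return 1;
#endif

	return addr >= base && addr < base + size;
}
/* … unchanged: within_module_core_rx .. within_module_init … */
```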
59839 diff -urNp linux-3.0.9/include/linux/moduleloader.h linux-3.0.9/include/linux/moduleloader.h
59840 --- linux-3.0.9/include/linux/moduleloader.h    2011-11-11 13:12:24.000000000 -0500
59841 +++ linux-3.0.9/include/linux/moduleloader.h    2011-11-15 20:03:00.000000000 -0500
59842 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
59843     sections.  Returns NULL on failure. */
59844  void *module_alloc(unsigned long size);
59845  
59846 +#ifdef CONFIG_PAX_KERNEXEC
59847 +void *module_alloc_exec(unsigned long size);
59848 +#else
59849 +#define module_alloc_exec(x) module_alloc(x)
59850 +#endif
59851 +
59852  /* Free memory returned from module_alloc. */
59853  void module_free(struct module *mod, void *module_region);
59854  
59855 +#ifdef CONFIG_PAX_KERNEXEC
59856 +void module_free_exec(struct module *mod, void *module_region);
59857 +#else
59858 +#define module_free_exec(x, y) module_free((x), (y))
59859 +#endif
59860 +
59861  /* Apply the given relocation to the (simplified) ELF.  Return -error
59862     or 0. */
59863  int apply_relocate(Elf_Shdr *sechdrs,
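Review bot: `module_alloc_exec` and `module_free_exec` are new entry points, but the only comments in this hunk are the pre-existing ones for `module_alloc`/`module_free`, so a reader cannot tell that memory from `module_alloc_exec` must be returned through `module_free_exec` rather than `module_free`, nor that without CONFIG_PAX_KERNEXEC the macros make the two pairs aliases. Suggest mirroring the existing comment style: `/* Allocate memory for executable module sections; free with module_free_exec(). Same as module_alloc() without CONFIG_PAX_KERNEXEC. */` above the first block and `/* Free memory returned from module_alloc_exec. */` above the second.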
59864 diff -urNp linux-3.0.9/include/linux/moduleparam.h linux-3.0.9/include/linux/moduleparam.h
59865 --- linux-3.0.9/include/linux/moduleparam.h     2011-11-11 13:12:24.000000000 -0500
59866 +++ linux-3.0.9/include/linux/moduleparam.h     2011-11-15 20:03:00.000000000 -0500
59867 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
59868   * @len is usually just sizeof(string).
59869   */
59870  #define module_param_string(name, string, len, perm)                   \
59871 -       static const struct kparam_string __param_string_##name         \
59872 +       static const struct kparam_string __param_string_##name __used  \
59873                 = { len, string };                                      \
59874         __module_param_call(MODULE_PARAM_PREFIX, name,                  \
59875                             &param_ops_string,                          \
59876 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
59877   * module_param_named() for why this might be necessary.
59878   */
59879  #define module_param_array_named(name, array, type, nump, perm)                \
59880 -       static const struct kparam_array __param_arr_##name             \
59881 +       static const struct kparam_array __param_arr_##name __used      \
59882         = { .max = ARRAY_SIZE(array), .num = nump,                      \
59883             .ops = &param_ops_##type,                                   \
59884             .elemsize = sizeof(array[0]), .elem = array };              \
59885 diff -urNp linux-3.0.9/include/linux/namei.h linux-3.0.9/include/linux/namei.h
59886 --- linux-3.0.9/include/linux/namei.h   2011-11-11 13:12:24.000000000 -0500
59887 +++ linux-3.0.9/include/linux/namei.h   2011-11-15 20:03:00.000000000 -0500
59888 @@ -24,7 +24,7 @@ struct nameidata {
59889         unsigned        seq;
59890         int             last_type;
59891         unsigned        depth;
59892 -       char *saved_names[MAX_NESTED_LINKS + 1];
59893 +       const char *saved_names[MAX_NESTED_LINKS + 1];
59894  
59895         /* Intent data */
59896         union {
59897 @@ -93,12 +93,12 @@ extern int follow_up(struct path *);
59898  extern struct dentry *lock_rename(struct dentry *, struct dentry *);
59899  extern void unlock_rename(struct dentry *, struct dentry *);
59900  
59901 -static inline void nd_set_link(struct nameidata *nd, char *path)
59902 +static inline void nd_set_link(struct nameidata *nd, const char *path)
59903  {
59904         nd->saved_names[nd->depth] = path;
59905  }
59906  
59907 -static inline char *nd_get_link(struct nameidata *nd)
59908 +static inline const char *nd_get_link(const struct nameidata *nd)
59909  {
59910         return nd->saved_names[nd->depth];
59911  }
59912 diff -urNp linux-3.0.9/include/linux/netdevice.h linux-3.0.9/include/linux/netdevice.h
59913 --- linux-3.0.9/include/linux/netdevice.h       2011-11-11 13:12:24.000000000 -0500
59914 +++ linux-3.0.9/include/linux/netdevice.h       2011-11-15 20:03:00.000000000 -0500
59915 @@ -979,6 +979,7 @@ struct net_device_ops {
59916         int                     (*ndo_set_features)(struct net_device *dev,
59917                                                     u32 features);
59918  };
59919 +typedef struct net_device_ops __no_const net_device_ops_no_const;
59920  
59921  /*
59922   *     The DEVICE structure.
59923 diff -urNp linux-3.0.9/include/linux/netfilter/xt_gradm.h linux-3.0.9/include/linux/netfilter/xt_gradm.h
59924 --- linux-3.0.9/include/linux/netfilter/xt_gradm.h      1969-12-31 19:00:00.000000000 -0500
59925 +++ linux-3.0.9/include/linux/netfilter/xt_gradm.h      2011-11-15 20:03:00.000000000 -0500
59926 @@ -0,0 +1,9 @@
59927 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
59928 +#define _LINUX_NETFILTER_XT_GRADM_H 1
59929 +
59930 +struct xt_gradm_mtinfo {
59931 +       __u16 flags;
59932 +       __u16 invflags;
59933 +};
59934 +
59935 +#endif
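Review bot: The new header uses `__u16` in `struct xt_gradm_mtinfo` but includes nothing, so it is not self-contained and compiles only if the includer has already pulled in `<linux/types.h>`, which is where most sibling xt_*.h headers take the type from. Add `#include <linux/types.h>` after the guard. A one-line comment stating what `flags` and `invflags` hold (the match's option bits and their inversion mask, if it follows the usual xt match convention — not visible here) would complete it.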
59936 diff -urNp linux-3.0.9/include/linux/of_pdt.h linux-3.0.9/include/linux/of_pdt.h
59937 --- linux-3.0.9/include/linux/of_pdt.h  2011-11-11 13:12:24.000000000 -0500
59938 +++ linux-3.0.9/include/linux/of_pdt.h  2011-11-15 20:03:00.000000000 -0500
59939 @@ -32,7 +32,7 @@ struct of_pdt_ops {
59940  
59941         /* return 0 on success; fill in 'len' with number of bytes in path */
59942         int (*pkg2path)(phandle node, char *buf, const int buflen, int *len);
59943 -};
59944 +} __no_const;
59945  
59946  extern void *prom_early_alloc(unsigned long size);
59947  
59948 diff -urNp linux-3.0.9/include/linux/oprofile.h linux-3.0.9/include/linux/oprofile.h
59949 --- linux-3.0.9/include/linux/oprofile.h        2011-11-11 13:12:24.000000000 -0500
59950 +++ linux-3.0.9/include/linux/oprofile.h        2011-11-15 20:03:00.000000000 -0500
59951 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
59952  int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
59953         char const * name, ulong * val);
59954   
59955 -/** Create a file for read-only access to an atomic_t. */
59956 +/** Create a file for read-only access to an atomic_unchecked_t. */
59957  int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
59958 -       char const * name, atomic_t * val);
59959 +       char const * name, atomic_unchecked_t * val);
59960   
59961  /** create a directory */
59962  struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
59963 diff -urNp linux-3.0.9/include/linux/padata.h linux-3.0.9/include/linux/padata.h
59964 --- linux-3.0.9/include/linux/padata.h  2011-11-11 13:12:24.000000000 -0500
59965 +++ linux-3.0.9/include/linux/padata.h  2011-11-15 20:03:00.000000000 -0500
59966 @@ -129,7 +129,7 @@ struct parallel_data {
59967         struct padata_instance          *pinst;
59968         struct padata_parallel_queue    __percpu *pqueue;
59969         struct padata_serial_queue      __percpu *squeue;
59970 -       atomic_t                        seq_nr;
59971 +       atomic_unchecked_t              seq_nr;
59972         atomic_t                        reorder_objects;
59973         atomic_t                        refcnt;
59974         unsigned int                    max_seq_nr;
59975 diff -urNp linux-3.0.9/include/linux/perf_event.h linux-3.0.9/include/linux/perf_event.h
59976 --- linux-3.0.9/include/linux/perf_event.h      2011-11-11 13:12:24.000000000 -0500
59977 +++ linux-3.0.9/include/linux/perf_event.h      2011-11-15 20:03:00.000000000 -0500
59978 @@ -761,8 +761,8 @@ struct perf_event {
59979  
59980         enum perf_event_active_state    state;
59981         unsigned int                    attach_state;
59982 -       local64_t                       count;
59983 -       atomic64_t                      child_count;
59984 +       local64_t                       count; /* PaX: fix it one day */
59985 +       atomic64_unchecked_t            child_count;
59986  
59987         /*
59988          * These are the total time in nanoseconds that the event
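Review bot: The comment `/* PaX: fix it one day */` added next to `count` records a known gap without saying what it is, so nobody can later tell whether it has been fixed; the neighbouring `child_count` was converted to `atomic64_unchecked_t` while `count` stays `local64_t`, which suggests the gap is the lack of an unchecked variant of `local64_t`, but that is an inference. Replace it with a comment that names the issue, e.g. `/* PaX: local64_t has no _unchecked variant yet, so this counter is outside the overflow checking */`, once confirmed.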
59989 @@ -813,8 +813,8 @@ struct perf_event {
59990          * These accumulate total time (in nanoseconds) that children
59991          * events have been enabled and running, respectively.
59992          */
59993 -       atomic64_t                      child_total_time_enabled;
59994 -       atomic64_t                      child_total_time_running;
59995 +       atomic64_unchecked_t            child_total_time_enabled;
59996 +       atomic64_unchecked_t            child_total_time_running;
59997  
59998         /*
59999          * Protect attach/detach and child_list:
60000 diff -urNp linux-3.0.9/include/linux/pipe_fs_i.h linux-3.0.9/include/linux/pipe_fs_i.h
60001 --- linux-3.0.9/include/linux/pipe_fs_i.h       2011-11-11 13:12:24.000000000 -0500
60002 +++ linux-3.0.9/include/linux/pipe_fs_i.h       2011-11-15 20:03:00.000000000 -0500
60003 @@ -46,9 +46,9 @@ struct pipe_buffer {
60004  struct pipe_inode_info {
60005         wait_queue_head_t wait;
60006         unsigned int nrbufs, curbuf, buffers;
60007 -       unsigned int readers;
60008 -       unsigned int writers;
60009 -       unsigned int waiting_writers;
60010 +       atomic_t readers;
60011 +       atomic_t writers;
60012 +       atomic_t waiting_writers;
60013         unsigned int r_counter;
60014         unsigned int w_counter;
60015         struct page *tmp_page;
60016 diff -urNp linux-3.0.9/include/linux/pm_runtime.h linux-3.0.9/include/linux/pm_runtime.h
60017 --- linux-3.0.9/include/linux/pm_runtime.h      2011-11-11 13:12:24.000000000 -0500
60018 +++ linux-3.0.9/include/linux/pm_runtime.h      2011-11-15 20:03:00.000000000 -0500
60019 @@ -94,7 +94,7 @@ static inline bool pm_runtime_callbacks_
60020  
60021  static inline void pm_runtime_mark_last_busy(struct device *dev)
60022  {
60023 -       ACCESS_ONCE(dev->power.last_busy) = jiffies;
60024 +       ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
60025  }
60026  
60027  #else /* !CONFIG_PM_RUNTIME */
60028 diff -urNp linux-3.0.9/include/linux/poison.h linux-3.0.9/include/linux/poison.h
60029 --- linux-3.0.9/include/linux/poison.h  2011-11-11 13:12:24.000000000 -0500
60030 +++ linux-3.0.9/include/linux/poison.h  2011-11-15 20:03:00.000000000 -0500
60031 @@ -19,8 +19,8 @@
60032   * under normal circumstances, used to verify that nobody uses
60033   * non-initialized list entries.
60034   */
60035 -#define LIST_POISON1  ((void *) 0x00100100 + POISON_POINTER_DELTA)
60036 -#define LIST_POISON2  ((void *) 0x00200200 + POISON_POINTER_DELTA)
60037 +#define LIST_POISON1  ((void *) (long)0xFFFFFF01)
60038 +#define LIST_POISON2  ((void *) (long)0xFFFFFF02)
60039  
60040  /********** include/linux/timer.h **********/
60041  /*
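Review bot: On 64-bit targets the replacement `((void *) (long)0xFFFFFF01)` does not yield a high, unmappable address: the literal is an `unsigned int` (it exceeds INT_MAX), so the cast to `long` zero-extends it and the poison becomes 0x00000000ffffff01, a low address that userspace can map; the previous definitions added `POISON_POINTER_DELTA` precisely so that list poisons land outside any mappable range. If the new value is meant to be used only together with a mechanism that makes user addresses unreachable from kernel context, that dependency should be stated in the comment above the macros; otherwise keep `POISON_POINTER_DELTA` in the expression. On 32-bit the cast gives -255, i.e. the top of the address space, which appears to be what the change intends, and the comment should say so explicitly.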
60042 diff -urNp linux-3.0.9/include/linux/preempt.h linux-3.0.9/include/linux/preempt.h
60043 --- linux-3.0.9/include/linux/preempt.h 2011-11-11 13:12:24.000000000 -0500
60044 +++ linux-3.0.9/include/linux/preempt.h 2011-11-15 20:03:00.000000000 -0500
60045 @@ -115,7 +115,7 @@ struct preempt_ops {
60046         void (*sched_in)(struct preempt_notifier *notifier, int cpu);
60047         void (*sched_out)(struct preempt_notifier *notifier,
60048                           struct task_struct *next);
60049 -};
60050 +} __no_const;
60051  
60052  /**
60053   * preempt_notifier - key for installing preemption notifiers
60054 diff -urNp linux-3.0.9/include/linux/proc_fs.h linux-3.0.9/include/linux/proc_fs.h
60055 --- linux-3.0.9/include/linux/proc_fs.h 2011-11-11 13:12:24.000000000 -0500
60056 +++ linux-3.0.9/include/linux/proc_fs.h 2011-11-15 20:03:00.000000000 -0500
60057 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
60058         return proc_create_data(name, mode, parent, proc_fops, NULL);
60059  }
60060  
60061 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
60062 +       struct proc_dir_entry *parent, const struct file_operations *proc_fops)
60063 +{
60064 +#ifdef CONFIG_GRKERNSEC_PROC_USER
60065 +       return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
60066 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
60067 +       return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
60068 +#else
60069 +       return proc_create_data(name, mode, parent, proc_fops, NULL);
60070 +#endif
60071 +}
60072 +       
60073 +
60074  static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
60075         mode_t mode, struct proc_dir_entry *base, 
60076         read_proc_t *read_proc, void * data)
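Review bot: `proc_create_grsec` silently discards the caller's `mode` when CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is set, replacing it with `S_IRUSR` or `S_IRUSR | S_IRGRP`; that also drops any write bit the caller asked for, so an entry intended to be owner-writable comes out read-only under those options. If only read-only entries are ever created through this helper that is fine but should be stated, e.g. `/* Like proc_create(), but with CONFIG_GRKERNSEC_PROC_USER[GROUP] the entry is forced read-only for the owner (and group); callers must not rely on mode for write access. */`. The line after the closing brace contains only whitespace and should be removed.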
60077 @@ -278,7 +291,7 @@ union proc_op {
60078         int (*proc_vs_read)(char *page);
60079         int (*proc_vxi_read)(struct vx_info *vxi, char *page);
60080         int (*proc_nxi_read)(struct nx_info *nxi, char *page);
60081 -};
60082 +} __no_const;
60083  
60084  struct ctl_table_header;
60085  struct ctl_table;
60086 diff -urNp linux-3.0.9/include/linux/ptrace.h linux-3.0.9/include/linux/ptrace.h
60087 --- linux-3.0.9/include/linux/ptrace.h  2011-11-11 13:12:24.000000000 -0500
60088 +++ linux-3.0.9/include/linux/ptrace.h  2011-11-15 20:03:00.000000000 -0500
60089 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
60090  extern void exit_ptrace(struct task_struct *tracer);
60091  #define PTRACE_MODE_READ   1
60092  #define PTRACE_MODE_ATTACH 2
60093 -/* Returns 0 on success, -errno on denial. */
60094 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
60095  /* Returns true on success, false on denial. */
60096  extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
60097 +/* Returns true on success, false on denial. */
60098 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
60099  
60100  static inline int ptrace_reparented(struct task_struct *child)
60101  {
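Review bot: The comment above the new `ptrace_may_access_log` is a verbatim copy of the one above `ptrace_may_access`, so the header does not say what the `_log` variant does differently or when a caller should prefer it; presumably a denial is reported somewhere (the implementation is not in this hunk). Replace the copied line with one that states the difference, e.g. `/* As ptrace_may_access(), but a denial is also logged; use where a refused access should be auditable. */`. Note also that `__ptrace_may_access` is dropped from the header here, so any remaining caller of it outside this patch will fail to compile; that is worth a line in the change description.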
60102 diff -urNp linux-3.0.9/include/linux/random.h linux-3.0.9/include/linux/random.h
60103 --- linux-3.0.9/include/linux/random.h  2011-11-11 13:12:24.000000000 -0500
60104 +++ linux-3.0.9/include/linux/random.h  2011-11-15 20:03:00.000000000 -0500
60105 @@ -69,12 +69,17 @@ void srandom32(u32 seed);
60106  
60107  u32 prandom32(struct rnd_state *);
60108  
60109 +static inline unsigned long pax_get_random_long(void)
60110 +{
60111 +       return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
60112 +}
60113 +
60114  /*
60115   * Handle minimum values for seeds
60116   */
60117  static inline u32 __seed(u32 x, u32 m)
60118  {
60119 -       return (x < m) ? x + m : x;
60120 +       return (x <= m) ? x + m + 1 : x;
60121  }
60122  
60123  /**
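Review bot: `pax_get_random_long` builds its value from `random32()`, a deterministic pseudo-random generator of the same family as the `srandom32`/`prandom32` declarations visible here, not from the entropy pool; if its callers use it for address-space randomisation the header should say that this source was chosen deliberately, e.g. `/* Returns a long assembled from random32() output (PRNG, not the entropy pool). */`. On 32-bit targets `(unsigned long)random32() << 32` is a shift by the full width of the type inside a constant-false branch; it is never evaluated, but compilers commonly warn on it, and an `#if BITS_PER_LONG == 64` block would avoid that. The `__seed` change from `x < m ? x + m : x` to `x <= m ? x + m + 1 : x` also deserves a comment, since the reason is not obvious: `x + m` is still equal to `m` when `x` is 0, which the `+ 1` avoids, so `/* seeds must be strictly greater than m; x + m alone is == m for x == 0 */`.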
60124 diff -urNp linux-3.0.9/include/linux/reboot.h linux-3.0.9/include/linux/reboot.h
60125 --- linux-3.0.9/include/linux/reboot.h  2011-11-11 13:12:24.000000000 -0500
60126 +++ linux-3.0.9/include/linux/reboot.h  2011-11-15 20:03:00.000000000 -0500
60127 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
60128   * Architecture-specific implementations of sys_reboot commands.
60129   */
60130  
60131 -extern void machine_restart(char *cmd);
60132 -extern void machine_halt(void);
60133 -extern void machine_power_off(void);
60134 +extern void machine_restart(char *cmd) __noreturn;
60135 +extern void machine_halt(void) __noreturn;
60136 +extern void machine_power_off(void) __noreturn;
60137  
60138  extern void machine_shutdown(void);
60139  struct pt_regs;
60140 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
60141   */
60142  
60143  extern void kernel_restart_prepare(char *cmd);
60144 -extern void kernel_restart(char *cmd);
60145 -extern void kernel_halt(void);
60146 -extern void kernel_power_off(void);
60147 +extern void kernel_restart(char *cmd) __noreturn;
60148 +extern void kernel_halt(void) __noreturn;
60149 +extern void kernel_power_off(void) __noreturn;
60150  
60151  extern int C_A_D; /* for sysctl */
60152  void ctrl_alt_del(void);
60153 @@ -76,7 +76,7 @@ extern int orderly_poweroff(bool force);
60154   * Emergency restart, callable from an interrupt handler.
60155   */
60156  
60157 -extern void emergency_restart(void);
60158 +extern void emergency_restart(void) __noreturn;
60159  #include <asm/emergency-restart.h>
60160  
60161  #endif
60162 diff -urNp linux-3.0.9/include/linux/reiserfs_fs.h linux-3.0.9/include/linux/reiserfs_fs.h
60163 --- linux-3.0.9/include/linux/reiserfs_fs.h     2011-11-11 13:12:24.000000000 -0500
60164 +++ linux-3.0.9/include/linux/reiserfs_fs.h     2011-11-15 20:03:00.000000000 -0500
60165 @@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
60166  #define REISERFS_USER_MEM              1       /* reiserfs user memory mode            */
60167  
60168  #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
60169 -#define get_generation(s) atomic_read (&fs_generation(s))
60170 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
60171  #define FILESYSTEM_CHANGED_TB(tb)  (get_generation((tb)->tb_sb) != (tb)->fs_gen)
60172  #define __fs_changed(gen,s) (gen != get_generation (s))
60173  #define fs_changed(gen,s)              \
60174 diff -urNp linux-3.0.9/include/linux/reiserfs_fs_sb.h linux-3.0.9/include/linux/reiserfs_fs_sb.h
60175 --- linux-3.0.9/include/linux/reiserfs_fs_sb.h  2011-11-11 13:12:24.000000000 -0500
60176 +++ linux-3.0.9/include/linux/reiserfs_fs_sb.h  2011-11-15 20:03:00.000000000 -0500
60177 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
60178         /* Comment? -Hans */
60179         wait_queue_head_t s_wait;
60180         /* To be obsoleted soon by per buffer seals.. -Hans */
60181 -       atomic_t s_generation_counter;  // increased by one every time the
60182 +       atomic_unchecked_t s_generation_counter;        // increased by one every time the
60183         // tree gets re-balanced
60184         unsigned long s_properties;     /* File system properties. Currently holds
60185                                            on-disk FS format */
60186 diff -urNp linux-3.0.9/include/linux/relay.h linux-3.0.9/include/linux/relay.h
60187 --- linux-3.0.9/include/linux/relay.h   2011-11-11 13:12:24.000000000 -0500
60188 +++ linux-3.0.9/include/linux/relay.h   2011-11-15 20:03:00.000000000 -0500
60189 @@ -159,7 +159,7 @@ struct rchan_callbacks
60190          * The callback should return 0 if successful, negative if not.
60191          */
60192         int (*remove_buf_file)(struct dentry *dentry);
60193 -};
60194 +} __no_const;
60195  
60196  /*
60197   * CONFIG_RELAY kernel API, kernel/relay.c
60198 diff -urNp linux-3.0.9/include/linux/rfkill.h linux-3.0.9/include/linux/rfkill.h
60199 --- linux-3.0.9/include/linux/rfkill.h  2011-11-11 13:12:24.000000000 -0500
60200 +++ linux-3.0.9/include/linux/rfkill.h  2011-11-15 20:03:00.000000000 -0500
60201 @@ -147,6 +147,7 @@ struct rfkill_ops {
60202         void    (*query)(struct rfkill *rfkill, void *data);
60203         int     (*set_block)(void *data, bool blocked);
60204  };
60205 +typedef struct rfkill_ops __no_const rfkill_ops_no_const;
60206  
60207  #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
60208  /**
60209 diff -urNp linux-3.0.9/include/linux/rmap.h linux-3.0.9/include/linux/rmap.h
60210 --- linux-3.0.9/include/linux/rmap.h    2011-11-11 13:12:24.000000000 -0500
60211 +++ linux-3.0.9/include/linux/rmap.h    2011-11-15 20:03:00.000000000 -0500
60212 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
60213  void anon_vma_init(void);      /* create anon_vma_cachep */
60214  int  anon_vma_prepare(struct vm_area_struct *);
60215  void unlink_anon_vmas(struct vm_area_struct *);
60216 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
60217 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
60218 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
60219 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
60220  void __anon_vma_link(struct vm_area_struct *);
60221  
60222  static inline void anon_vma_merge(struct vm_area_struct *vma,
60223 diff -urNp linux-3.0.9/include/linux/sched.h linux-3.0.9/include/linux/sched.h
60224 --- linux-3.0.9/include/linux/sched.h   2011-11-11 13:12:24.000000000 -0500
60225 +++ linux-3.0.9/include/linux/sched.h   2011-11-15 20:03:00.000000000 -0500
60226 @@ -100,6 +100,7 @@ struct bio_list;
60227  struct fs_struct;
60228  struct perf_event_context;
60229  struct blk_plug;
60230 +struct linux_binprm;
60231  
60232  /*
60233   * List of flags we want to share for kernel threads,
60234 @@ -380,10 +381,13 @@ struct user_namespace;
60235  #define DEFAULT_MAX_MAP_COUNT  (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
60236  
60237  extern int sysctl_max_map_count;
60238 +extern unsigned long sysctl_heap_stack_gap;
60239  
60240  #include <linux/aio.h>
60241  
60242  #ifdef CONFIG_MMU
60243 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
60244 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
60245  extern void arch_pick_mmap_layout(struct mm_struct *mm);
60246  extern unsigned long
60247  arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
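Review bot: `sysctl_heap_stack_gap`, `check_heap_stack_gap` and `skip_heap_stack_gap` are declared without any comment on units or semantics, so the names alone do not say whether `len` is in bytes or pages, what a true result from `check_heap_stack_gap` means, or what `skip_heap_stack_gap` returns; the sysctl's own documentation presumably lives elsewhere in this patch. Suggest comments on the prototypes, e.g. `/* true if [addr, addr+len) stays sysctl_heap_stack_gap away from vma */` and `/* next candidate address above vma that honours the gap */`, after confirming both against the definitions in mm/mmap.c, which are not in this hunk.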
60248 @@ -629,6 +633,17 @@ struct signal_struct {
60249  #ifdef CONFIG_TASKSTATS
60250         struct taskstats *stats;
60251  #endif
60252 +
60253 +#ifdef CONFIG_GRKERNSEC
60254 +       u32 curr_ip;
60255 +       u32 saved_ip;
60256 +       u32 gr_saddr;
60257 +       u32 gr_daddr;
60258 +       u16 gr_sport;
60259 +       u16 gr_dport;
60260 +       u8 used_accept:1;
60261 +#endif
60262 +
60263  #ifdef CONFIG_AUDIT
60264         unsigned audit_tty;
60265         struct tty_audit_buf *tty_audit_buf;
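Review bot: The grsecurity fields added to `struct signal_struct` (`curr_ip`, `saved_ip`, `gr_saddr`, `gr_daddr`, `gr_sport`, `gr_dport`, `used_accept`) have no comments, so byte order of the addresses and ports (host or network), the difference between `curr_ip` and `saved_ip`, and what `used_accept` gates cannot be learned from the header; they are also IPv4-sized only, which is worth stating. A comment block such as `/* grsecurity: IPv4 endpoint recorded for this session, presumably in network byte order — confirm against the setter */` would help the next reader. The same applies to `banned` and `ban_expires` added to `struct user_struct` in the next hunk, where the unit of `ban_expires` (jiffies?) and whether `banned` is a flag or a count should be stated.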
60266 @@ -710,6 +725,11 @@ struct user_struct {
60267         struct key *session_keyring;    /* UID's default session keyring */
60268  #endif
60269  
60270 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60271 +       unsigned int banned;
60272 +       unsigned long ban_expires;
60273 +#endif
60274 +
60275         /* Hash table maintenance information */
60276         struct hlist_node uidhash_node;
60277         uid_t uid;
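Review bot: `banned` and `ban_expires` are added without saying what values `banned` takes or what clock `ban_expires` is on; `unsigned long` suggests jiffies, in which case consumers must compare with `time_after()`/`time_before()` rather than `<` to survive wrap. A comment such as `/* KERN_LOCKOUT/BRUTE: ban state and its expiry in jiffies — compare with time_after() */` would document both, once the unit is confirmed from the code that sets it.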
60278 @@ -1340,8 +1360,8 @@ struct task_struct {
60279         struct list_head thread_group;
60280  
60281         struct completion *vfork_done;          /* for vfork() */
60282 -       int __user *set_child_tid;              /* CLONE_CHILD_SETTID */
60283 -       int __user *clear_child_tid;            /* CLONE_CHILD_CLEARTID */
60284 +       pid_t __user *set_child_tid;            /* CLONE_CHILD_SETTID */
60285 +       pid_t __user *clear_child_tid;          /* CLONE_CHILD_CLEARTID */
60286  
60287         cputime_t utime, stime, utimescaled, stimescaled;
60288         cputime_t gtime;
60289 @@ -1357,13 +1377,6 @@ struct task_struct {
60290         struct task_cputime cputime_expires;
60291         struct list_head cpu_timers[3];
60292  
60293 -/* process credentials */
60294 -       const struct cred __rcu *real_cred; /* objective and real subjective task
60295 -                                        * credentials (COW) */
60296 -       const struct cred __rcu *cred;  /* effective (overridable) subjective task
60297 -                                        * credentials (COW) */
60298 -       struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60299 -
60300         char comm[TASK_COMM_LEN]; /* executable name excluding path
60301                                      - access with [gs]et_task_comm (which lock
60302                                        it with task_lock())
60303 @@ -1380,8 +1393,16 @@ struct task_struct {
60304  #endif
60305  /* CPU-specific state of this task */
60306         struct thread_struct thread;
60307 +/* thread_info moved to task_struct */
60308 +#ifdef CONFIG_X86
60309 +       struct thread_info tinfo;
60310 +#endif
60311  /* filesystem information */
60312         struct fs_struct *fs;
60313 +
60314 +       const struct cred __rcu *cred;  /* effective (overridable) subjective task
60315 +                                        * credentials (COW) */
60316 +
60317  /* open file information */
60318         struct files_struct *files;
60319  /* namespaces */
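Review bot: `cred` is re-inserted after `fs` here while `real_cred` and `replacement_session_keyring` reappear in the next hunk (`@@ -1428,6 +1449,11 @@`), so the three credential pointers that upstream keeps adjacent under one `/* process credentials */` comment are now split across the struct with no explanation. A short comment at each location giving the actual reason for the separation (e.g. `/* cred deliberately kept apart from real_cred: layout is intentional */` plus the rationale) prevents a future cleanup from merging them back. The `struct thread_info tinfo` embedding under CONFIG_X86 is paired with dropping `thread_info` from `union thread_union` in the `@@ -2055,7 +2148,9 @@` hunk; the `/* thread_info moved to task_struct */` comment should also name the stack-to-thread_info accessors that were changed to match, since those live outside this header and I cannot confirm they were updated.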
60320 @@ -1428,6 +1449,11 @@ struct task_struct {
60321         struct rt_mutex_waiter *pi_blocked_on;
60322  #endif
60323  
60324 +/* process credentials */
60325 +       const struct cred __rcu *real_cred; /* objective and real subjective task
60326 +                                        * credentials (COW) */
60327 +       struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60328 +
60329  #ifdef CONFIG_DEBUG_MUTEXES
60330         /* mutex deadlock detection */
60331         struct mutex_waiter *blocked_on;
60332 @@ -1538,6 +1564,21 @@ struct task_struct {
60333         unsigned long default_timer_slack_ns;
60334  
60335         struct list_head        *scm_work_list;
60336 +
60337 +#ifdef CONFIG_GRKERNSEC
60338 +       /* grsecurity */
60339 +       struct dentry *gr_chroot_dentry;
60340 +       struct acl_subject_label *acl;
60341 +       struct acl_role_label *role;
60342 +       struct file *exec_file;
60343 +       u16 acl_role_id;
60344 +       /* is this the task that authenticated to the special role */
60345 +       u8 acl_sp_role;
60346 +       u8 is_writable;
60347 +       u8 brute;
60348 +       u8 gr_is_chrooted;
60349 +#endif
60350 +
60351  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
60352         /* Index of current stored address in ret_stack */
60353         int curr_ret_stack;
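Review bot: `gr_chroot_dentry` and `exec_file` are raw pointers to refcounted objects with no ownership note, so a reader cannot tell whether the task holds a `dget()`/`get_file()` reference that must be dropped on exit or whether they are borrowed. Only `acl_sp_role` is commented; give `gr_chroot_dentry`, `exec_file`, `acl` and `role` one line each in the same style, e.g. `/* reference held by the task and dropped on exit — TODO confirm */`, and state whether `acl`/`role` may be read without a lock. I am inferring the refcount obligation from the types, so confirm against the writers before wording it as fact.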
60354 @@ -1572,6 +1613,57 @@ struct task_struct {
60355  #endif
60356  };
60357  
60358 +#define MF_PAX_PAGEEXEC                0x01000000      /* Paging based non-executable pages */
60359 +#define MF_PAX_EMUTRAMP                0x02000000      /* Emulate trampolines */
60360 +#define MF_PAX_MPROTECT                0x04000000      /* Restrict mprotect() */
60361 +#define MF_PAX_RANDMMAP                0x08000000      /* Randomize mmap() base */
60362 +/*#define MF_PAX_RANDEXEC              0x10000000*/    /* Randomize ET_EXEC base */
60363 +#define MF_PAX_SEGMEXEC                0x20000000      /* Segmentation based non-executable pages */
60364 +
60365 +#ifdef CONFIG_PAX_SOFTMODE
60366 +extern int pax_softmode;
60367 +#endif
60368 +
60369 +extern int pax_check_flags(unsigned long *);
60370 +
60371 +/* if tsk != current then task_lock must be held on it */
60372 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
60373 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
60374 +{
60375 +       if (likely(tsk->mm))
60376 +               return tsk->mm->pax_flags;
60377 +       else
60378 +               return 0UL;
60379 +}
60380 +
60381 +/* if tsk != current then task_lock must be held on it */
60382 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
60383 +{
60384 +       if (likely(tsk->mm)) {
60385 +               tsk->mm->pax_flags = flags;
60386 +               return 0;
60387 +       }
60388 +       return -EINVAL;
60389 +}
60390 +#endif
60391 +
60392 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
60393 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
60394 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
60395 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
60396 +#endif
60397 +
60398 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
60399 +extern void pax_report_insns(void *pc, void *sp);
60400 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
60401 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
60402 +
60403 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
60404 +extern void pax_track_stack(void);
60405 +#else
60406 +static inline void pax_track_stack(void) {}
60407 +#endif
60408 +
60409  /* Future-safe accessor for struct task_struct's cpus_allowed. */
60410  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
60411  
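Review bot: `pax_set_flags` stores `flags` into `mm->pax_flags` unvalidated, while `pax_check_flags(unsigned long *)` is declared just above it; the header should say whether callers are required to run the mask through `pax_check_flags` first, otherwise a caller could store a combination the rest of the code does not expect (for instance both `MF_PAX_PAGEEXEC` and `MF_PAX_SEGMEXEC`, if those are indeed mutually exclusive). `pax_get_flags` returns `0UL` for a task without an mm, which is indistinguishable from "all protections off"; a comment such as `/* kernel threads (no mm) report no flags */` would help callers that use the result for policy. The commented-out `MF_PAX_RANDEXEC` line should either be deleted or given a comment explaining that the bit is reserved, so it does not get reused.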
60412 @@ -1768,6 +1860,7 @@ extern void thread_group_times(struct ta
60413  #define PF_DUMPCORE    0x00000200      /* dumped core */
60414  #define PF_SIGNALED    0x00000400      /* killed by a signal */
60415  #define PF_MEMALLOC    0x00000800      /* Allocating memory */
60416 +#define PF_NPROC_EXCEEDED 0x00001000   /* set_user noticed that RLIMIT_NPROC was exceeded */
60417  #define PF_USED_MATH   0x00002000      /* if unset the fpu must be initialized before use */
60418  #define PF_FREEZING    0x00004000      /* freeze in progress. do not account to load */
60419  #define PF_NOFREEZE    0x00008000      /* this thread should not be frozen */
60420 @@ -2055,7 +2148,9 @@ void yield(void);
60421  extern struct exec_domain      default_exec_domain;
60422  
60423  union thread_union {
60424 +#ifndef CONFIG_X86
60425         struct thread_info thread_info;
60426 +#endif
60427         unsigned long stack[THREAD_SIZE/sizeof(long)];
60428  };
60429  
60430 @@ -2088,6 +2183,7 @@ extern struct pid_namespace init_pid_ns;
60431   */
60432  
60433  extern struct task_struct *find_task_by_vpid(pid_t nr);
60434 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
60435  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
60436                 struct pid_namespace *ns);
60437  
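Review bot: `find_task_by_vpid_unrestricted` is declared next to `find_task_by_vpid` with nothing saying what restriction it bypasses or who may call it; a lookup that skips a visibility check is exactly the kind of helper that gets reused inappropriately later. Add a comment stating the difference, e.g. `/* like find_task_by_vpid() but without the grsecurity visibility restriction; callers must perform their own permission check */`, with the wording confirmed from the definition.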
60438 @@ -2224,7 +2320,7 @@ extern void __cleanup_sighand(struct sig
60439  extern void exit_itimers(struct signal_struct *);
60440  extern void flush_itimer_signals(void);
60441  
60442 -extern NORET_TYPE void do_group_exit(int);
60443 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
60444  
60445  extern void daemonize(const char *, ...);
60446  extern int allow_signal(int);
60447 @@ -2392,13 +2488,17 @@ static inline unsigned long *end_of_stac
60448  
60449  #endif
60450  
60451 -static inline int object_is_on_stack(void *obj)
60452 +static inline int object_starts_on_stack(void *obj)
60453  {
60454 -       void *stack = task_stack_page(current);
60455 +       const void *stack = task_stack_page(current);
60456  
60457         return (obj >= stack) && (obj < (stack + THREAD_SIZE));
60458  }
60459  
60460 +#ifdef CONFIG_PAX_USERCOPY
60461 +extern int object_is_on_stack(const void *obj, unsigned long len);
60462 +#endif
60463 +
60464  extern void thread_info_cache_init(void);
60465  
60466  #ifdef CONFIG_DEBUG_STACK_USAGE
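Review bot: renaming `object_is_on_stack` to `object_starts_on_stack` and redeclaring `object_is_on_stack(const void *, unsigned long)` only under CONFIG_PAX_USERCOPY means any remaining caller of the old one-argument name fails to build when that option is off, and a converted caller now gets a different (presumably whole-range) check under the old name. Spell the contract out at the declaration, e.g. `/* true iff the whole [obj, obj+len) range lies within current's stack; stricter than object_starts_on_stack() */`, and note in the commit description that all in-tree callers were converted. I cannot see the definition, so the range semantics are inferred from the added `len` parameter.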
60467 diff -urNp linux-3.0.9/include/linux/screen_info.h linux-3.0.9/include/linux/screen_info.h
60468 --- linux-3.0.9/include/linux/screen_info.h     2011-11-11 13:12:24.000000000 -0500
60469 +++ linux-3.0.9/include/linux/screen_info.h     2011-11-15 20:03:00.000000000 -0500
60470 @@ -43,7 +43,8 @@ struct screen_info {
60471         __u16 pages;            /* 0x32 */
60472         __u16 vesa_attributes;  /* 0x34 */
60473         __u32 capabilities;     /* 0x36 */
60474 -       __u8  _reserved[6];     /* 0x3a */
60475 +       __u16 vesapm_size;      /* 0x3a */
60476 +       __u8  _reserved[4];     /* 0x3c */
60477  } __attribute__((packed));
60478  
60479  #define VIDEO_TYPE_MDA         0x10    /* Monochrome Text Display      */
60480 diff -urNp linux-3.0.9/include/linux/security.h linux-3.0.9/include/linux/security.h
60481 --- linux-3.0.9/include/linux/security.h        2011-11-11 13:12:24.000000000 -0500
60482 +++ linux-3.0.9/include/linux/security.h        2011-11-15 20:03:00.000000000 -0500
60483 @@ -36,6 +36,7 @@
60484  #include <linux/key.h>
60485  #include <linux/xfrm.h>
60486  #include <linux/slab.h>
60487 +#include <linux/grsecurity.h>
60488  #include <net/flow.h>
60489  
60490  /* Maximum number of letters for an LSM name string */
60491 diff -urNp linux-3.0.9/include/linux/seq_file.h linux-3.0.9/include/linux/seq_file.h
60492 --- linux-3.0.9/include/linux/seq_file.h        2011-11-11 13:12:24.000000000 -0500
60493 +++ linux-3.0.9/include/linux/seq_file.h        2011-11-15 20:03:00.000000000 -0500
60494 @@ -32,6 +32,7 @@ struct seq_operations {
60495         void * (*next) (struct seq_file *m, void *v, loff_t *pos);
60496         int (*show) (struct seq_file *m, void *v);
60497  };
60498 +typedef struct seq_operations __no_const seq_operations_no_const;
60499  
60500  #define SEQ_SKIP 1
60501  
60502 diff -urNp linux-3.0.9/include/linux/shmem_fs.h linux-3.0.9/include/linux/shmem_fs.h
60503 --- linux-3.0.9/include/linux/shmem_fs.h        2011-11-11 13:12:24.000000000 -0500
60504 +++ linux-3.0.9/include/linux/shmem_fs.h        2011-11-15 20:03:00.000000000 -0500
60505 @@ -10,7 +10,7 @@
60506  
60507  #define SHMEM_NR_DIRECT 16
60508  
60509 -#define SHMEM_SYMLINK_INLINE_LEN (SHMEM_NR_DIRECT * sizeof(swp_entry_t))
60510 +#define SHMEM_SYMLINK_INLINE_LEN 64
60511  
60512  struct shmem_inode_info {
60513         spinlock_t              lock;
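Review bot: `SHMEM_SYMLINK_INLINE_LEN` becomes the bare literal `64` with no comment on where that value comes from, replacing an expression that tied it to the inline storage (`SHMEM_NR_DIRECT * sizeof(swp_entry_t)`); if the inline symlink buffer in `struct shmem_inode_info` is still sized by the old expression, the two can drift apart on a later change and the length check in the symlink path would no longer match the buffer. Add `/* must not exceed the inline storage it shares in shmem_inode_info */` and, if possible, a `BUILD_BUG_ON` in the .c file pinning the relationship. The struct body is outside this hunk, so I cannot confirm the sizing.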
60514 diff -urNp linux-3.0.9/include/linux/shm.h linux-3.0.9/include/linux/shm.h
60515 --- linux-3.0.9/include/linux/shm.h     2011-11-11 13:12:24.000000000 -0500
60516 +++ linux-3.0.9/include/linux/shm.h     2011-11-15 20:03:00.000000000 -0500
60517 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
60518         pid_t                   shm_cprid;
60519         pid_t                   shm_lprid;
60520         struct user_struct      *mlock_user;
60521 +#ifdef CONFIG_GRKERNSEC
60522 +       time_t                  shm_createtime;
60523 +       pid_t                   shm_lapid;
60524 +#endif
60525  };
60526  
60527  /* shm_mode upper byte flags */
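Review bot: `shm_createtime` and `shm_lapid` are added to the kernel-private `shmid_kernel` without comments, and `time_t` for a creation stamp leaves open whether it holds wall-clock seconds or something else, which matters if a later check compares it against process start times. Document both in the style of the neighbouring fields, e.g. `/* grsec: creation time (source TBD) and pid of last attach */`, with the clock source filled in from the writer.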
60528 diff -urNp linux-3.0.9/include/linux/skbuff.h linux-3.0.9/include/linux/skbuff.h
60529 --- linux-3.0.9/include/linux/skbuff.h  2011-11-11 13:12:24.000000000 -0500
60530 +++ linux-3.0.9/include/linux/skbuff.h  2011-11-15 20:03:00.000000000 -0500
60531 @@ -592,7 +592,7 @@ static inline struct skb_shared_hwtstamp
60532   */
60533  static inline int skb_queue_empty(const struct sk_buff_head *list)
60534  {
60535 -       return list->next == (struct sk_buff *)list;
60536 +       return list->next == (const struct sk_buff *)list;
60537  }
60538  
60539  /**
60540 @@ -605,7 +605,7 @@ static inline int skb_queue_empty(const 
60541  static inline bool skb_queue_is_last(const struct sk_buff_head *list,
60542                                      const struct sk_buff *skb)
60543  {
60544 -       return skb->next == (struct sk_buff *)list;
60545 +       return skb->next == (const struct sk_buff *)list;
60546  }
60547  
60548  /**
60549 @@ -618,7 +618,7 @@ static inline bool skb_queue_is_last(con
60550  static inline bool skb_queue_is_first(const struct sk_buff_head *list,
60551                                       const struct sk_buff *skb)
60552  {
60553 -       return skb->prev == (struct sk_buff *)list;
60554 +       return skb->prev == (const struct sk_buff *)list;
60555  }
60556  
60557  /**
60558 @@ -1440,7 +1440,7 @@ static inline int pskb_network_may_pull(
60559   * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
60560   */
60561  #ifndef NET_SKB_PAD
60562 -#define NET_SKB_PAD    max(32, L1_CACHE_BYTES)
60563 +#define NET_SKB_PAD    max(_AC(32,UL), L1_CACHE_BYTES)
60564  #endif
60565  
60566  extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
60567 diff -urNp linux-3.0.9/include/linux/slab_def.h linux-3.0.9/include/linux/slab_def.h
60568 --- linux-3.0.9/include/linux/slab_def.h        2011-11-11 13:12:24.000000000 -0500
60569 +++ linux-3.0.9/include/linux/slab_def.h        2011-11-15 20:03:00.000000000 -0500
60570 @@ -96,10 +96,10 @@ struct kmem_cache {
60571         unsigned long node_allocs;
60572         unsigned long node_frees;
60573         unsigned long node_overflow;
60574 -       atomic_t allochit;
60575 -       atomic_t allocmiss;
60576 -       atomic_t freehit;
60577 -       atomic_t freemiss;
60578 +       atomic_unchecked_t allochit;
60579 +       atomic_unchecked_t allocmiss;
60580 +       atomic_unchecked_t freehit;
60581 +       atomic_unchecked_t freemiss;
60582  
60583         /*
60584          * If debugging is enabled, then the allocator can add additional
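Review bot: switching `allochit`/`allocmiss`/`freehit`/`freemiss` to `atomic_unchecked_t` opts these counters out of the CONFIG_PAX_REFCOUNT overflow detection, which is reasonable for pure statistics but is invisible to a later auditor unless stated; add `/* statistics only: wrap-around is harmless, hence unchecked */` on the first one. The same conversion without a comment appears in the `sonet.h` `__HANDLE_ITEM` hunk and the `svc_rdma.h` `rdma_stat_*` hunk and should be annotated the same way, since an `atomic_unchecked_t` that is later reused as a reference count would silently lose the protection.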
60585 diff -urNp linux-3.0.9/include/linux/slab.h linux-3.0.9/include/linux/slab.h
60586 --- linux-3.0.9/include/linux/slab.h    2011-11-11 13:12:24.000000000 -0500
60587 +++ linux-3.0.9/include/linux/slab.h    2011-11-15 20:03:00.000000000 -0500
60588 @@ -11,12 +11,20 @@
60589  
60590  #include <linux/gfp.h>
60591  #include <linux/types.h>
60592 +#include <linux/err.h>
60593  
60594  /*
60595   * Flags to pass to kmem_cache_create().
60596   * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
60597   */
60598  #define SLAB_DEBUG_FREE                0x00000100UL    /* DEBUG: Perform (expensive) checks on free */
60599 +
60600 +#ifdef CONFIG_PAX_USERCOPY
60601 +#define SLAB_USERCOPY          0x00000200UL    /* PaX: Allow copying objs to/from userland */
60602 +#else
60603 +#define SLAB_USERCOPY          0x00000000UL
60604 +#endif
60605 +
60606  #define SLAB_RED_ZONE          0x00000400UL    /* DEBUG: Red zone objs in a cache */
60607  #define SLAB_POISON            0x00000800UL    /* DEBUG: Poison objects */
60608  #define SLAB_HWCACHE_ALIGN     0x00002000UL    /* Align objs on cache lines */
60609 @@ -87,10 +95,13 @@
60610   * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
60611   * Both make kfree a no-op.
60612   */
60613 -#define ZERO_SIZE_PTR ((void *)16)
60614 +#define ZERO_SIZE_PTR                          \
60615 +({                                             \
60616 +       BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
60617 +       (void *)(-MAX_ERRNO-1L);                \
60618 +})
60619  
60620 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
60621 -                               (unsigned long)ZERO_SIZE_PTR)
60622 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
60623  
60624  /*
60625   * struct kmem_cache related prototypes
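Review bot: the new `ZERO_OR_NULL_PTR(x)` relies on unsigned wrap so that `NULL`, `ZERO_SIZE_PTR` and — because `ZERO_SIZE_PTR` is placed one below the errno range — every `ERR_PTR()` value test true, meaning `kfree()` of an error pointer becomes a no-op; that is a deliberate widening of the old `<= 16` check but the comment above (`ZERO_SIZE_PTR can be passed to kfree...`) does not mention it. Extend the comment with something like `/* placed just below the ERR_PTR range so ZERO_OR_NULL_PTR() also covers error pointers; the "- 1" folds NULL into the same unsigned comparison */`. Separately, `ZERO_SIZE_PTR` is now a statement expression, so it can no longer appear in a static initializer or other constant expression; any file-scope use would stop compiling, which the change should call out.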
60626 @@ -141,6 +152,7 @@ void * __must_check krealloc(const void 
60627  void kfree(const void *);
60628  void kzfree(const void *);
60629  size_t ksize(const void *);
60630 +void check_object_size(const void *ptr, unsigned long n, bool to);
60631  
60632  /*
60633   * Allocator specific definitions. These are mainly used to establish optimized
60634 @@ -333,4 +345,59 @@ static inline void *kzalloc_node(size_t 
60635  
60636  void __init kmem_cache_init_late(void);
60637  
60638 +#define kmalloc(x, y)                                          \
60639 +({                                                             \
60640 +       void *___retval;                                        \
60641 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60642 +       if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))  \
60643 +               ___retval = NULL;                               \
60644 +       else                                                    \
60645 +               ___retval = kmalloc((size_t)___x, (y));         \
60646 +       ___retval;                                              \
60647 +})
60648 +
60649 +#define kmalloc_node(x, y, z)                                  \
60650 +({                                                             \
60651 +       void *___retval;                                        \
60652 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60653 +       if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
60654 +               ___retval = NULL;                               \
60655 +       else                                                    \
60656 +               ___retval = kmalloc_node((size_t)___x, (y), (z));\
60657 +       ___retval;                                              \
60658 +})
60659 +
60660 +#define kzalloc(x, y)                                          \
60661 +({                                                             \
60662 +       void *___retval;                                        \
60663 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60664 +       if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))  \
60665 +               ___retval = NULL;                               \
60666 +       else                                                    \
60667 +               ___retval = kzalloc((size_t)___x, (y));         \
60668 +       ___retval;                                              \
60669 +})
60670 +
60671 +#define __krealloc(x, y, z)                                    \
60672 +({                                                             \
60673 +       void *___retval;                                        \
60674 +       intoverflow_t ___y = (intoverflow_t)y;                  \
60675 +       if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
60676 +               ___retval = NULL;                               \
60677 +       else                                                    \
60678 +               ___retval = __krealloc((x), (size_t)___y, (z)); \
60679 +       ___retval;                                              \
60680 +})
60681 +
60682 +#define krealloc(x, y, z)                                      \
60683 +({                                                             \
60684 +       void *___retval;                                        \
60685 +       intoverflow_t ___y = (intoverflow_t)y;                  \
60686 +       if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
60687 +               ___retval = NULL;                               \
60688 +       else                                                    \
60689 +               ___retval = krealloc((x), (size_t)___y, (z));   \
60690 +       ___retval;                                              \
60691 +})
60692 +
60693  #endif /* _LINUX_SLAB_H */
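Review bot: every wrapper here casts its size argument as `(intoverflow_t)x` without parenthesising `x`, which looks deliberate — for `kmalloc(sizeof(*p) * n, gfp)` it widens the left operand so the product is computed in `intoverflow_t` and the `> ULONG_MAX` check catches it — but it is also the reason a conditional or comma argument binds as `((intoverflow_t)a) ? b : c`, and for `a + b * c` only `a` is widened so the inner product can still overflow unchecked. That trade-off needs a comment at the top of the block, e.g. `/* x intentionally not parenthesised: widening the leftmost operand makes a * b products overflow-checked; arguments must be a single product or a plain value */`, otherwise the next maintainer will "fix" the missing parentheses and silently disable the check. The same pattern appears in the `vmalloc`/`vzalloc`/`__vmalloc` wrappers in the `vmalloc.h` hunk below.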
60694 diff -urNp linux-3.0.9/include/linux/slub_def.h linux-3.0.9/include/linux/slub_def.h
60695 --- linux-3.0.9/include/linux/slub_def.h        2011-11-11 13:12:24.000000000 -0500
60696 +++ linux-3.0.9/include/linux/slub_def.h        2011-11-15 20:03:00.000000000 -0500
60697 @@ -82,7 +82,7 @@ struct kmem_cache {
60698         struct kmem_cache_order_objects max;
60699         struct kmem_cache_order_objects min;
60700         gfp_t allocflags;       /* gfp flags to use on each alloc */
60701 -       int refcount;           /* Refcount for slab cache destroy */
60702 +       atomic_t refcount;      /* Refcount for slab cache destroy */
60703         void (*ctor)(void *);
60704         int inuse;              /* Offset to metadata */
60705         int align;              /* Alignment */
60706 @@ -218,7 +218,7 @@ static __always_inline struct kmem_cache
60707  }
60708  
60709  void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
60710 -void *__kmalloc(size_t size, gfp_t flags);
60711 +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
60712  
60713  static __always_inline void *
60714  kmalloc_order(size_t size, gfp_t flags, unsigned int order)
60715 diff -urNp linux-3.0.9/include/linux/sonet.h linux-3.0.9/include/linux/sonet.h
60716 --- linux-3.0.9/include/linux/sonet.h   2011-11-11 13:12:24.000000000 -0500
60717 +++ linux-3.0.9/include/linux/sonet.h   2011-11-15 20:03:00.000000000 -0500
60718 @@ -61,7 +61,7 @@ struct sonet_stats {
60719  #include <asm/atomic.h>
60720  
60721  struct k_sonet_stats {
60722 -#define __HANDLE_ITEM(i) atomic_t i
60723 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
60724         __SONET_ITEMS
60725  #undef __HANDLE_ITEM
60726  };
60727 diff -urNp linux-3.0.9/include/linux/sunrpc/clnt.h linux-3.0.9/include/linux/sunrpc/clnt.h
60728 --- linux-3.0.9/include/linux/sunrpc/clnt.h     2011-11-11 13:12:24.000000000 -0500
60729 +++ linux-3.0.9/include/linux/sunrpc/clnt.h     2011-11-15 20:03:00.000000000 -0500
60730 @@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
60731  {
60732         switch (sap->sa_family) {
60733         case AF_INET:
60734 -               return ntohs(((struct sockaddr_in *)sap)->sin_port);
60735 +               return ntohs(((const struct sockaddr_in *)sap)->sin_port);
60736         case AF_INET6:
60737 -               return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
60738 +               return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
60739         }
60740         return 0;
60741  }
60742 @@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
60743  static inline bool __rpc_copy_addr4(struct sockaddr *dst,
60744                                     const struct sockaddr *src)
60745  {
60746 -       const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
60747 +       const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
60748         struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
60749  
60750         dsin->sin_family = ssin->sin_family;
60751 @@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
60752         if (sa->sa_family != AF_INET6)
60753                 return 0;
60754  
60755 -       return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
60756 +       return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
60757  }
60758  
60759  #endif /* __KERNEL__ */
60760 diff -urNp linux-3.0.9/include/linux/sunrpc/svc_rdma.h linux-3.0.9/include/linux/sunrpc/svc_rdma.h
60761 --- linux-3.0.9/include/linux/sunrpc/svc_rdma.h 2011-11-11 13:12:24.000000000 -0500
60762 +++ linux-3.0.9/include/linux/sunrpc/svc_rdma.h 2011-11-15 20:03:00.000000000 -0500
60763 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
60764  extern unsigned int svcrdma_max_requests;
60765  extern unsigned int svcrdma_max_req_size;
60766  
60767 -extern atomic_t rdma_stat_recv;
60768 -extern atomic_t rdma_stat_read;
60769 -extern atomic_t rdma_stat_write;
60770 -extern atomic_t rdma_stat_sq_starve;
60771 -extern atomic_t rdma_stat_rq_starve;
60772 -extern atomic_t rdma_stat_rq_poll;
60773 -extern atomic_t rdma_stat_rq_prod;
60774 -extern atomic_t rdma_stat_sq_poll;
60775 -extern atomic_t rdma_stat_sq_prod;
60776 +extern atomic_unchecked_t rdma_stat_recv;
60777 +extern atomic_unchecked_t rdma_stat_read;
60778 +extern atomic_unchecked_t rdma_stat_write;
60779 +extern atomic_unchecked_t rdma_stat_sq_starve;
60780 +extern atomic_unchecked_t rdma_stat_rq_starve;
60781 +extern atomic_unchecked_t rdma_stat_rq_poll;
60782 +extern atomic_unchecked_t rdma_stat_rq_prod;
60783 +extern atomic_unchecked_t rdma_stat_sq_poll;
60784 +extern atomic_unchecked_t rdma_stat_sq_prod;
60785  
60786  #define RPCRDMA_VERSION 1
60787  
60788 diff -urNp linux-3.0.9/include/linux/sysctl.h linux-3.0.9/include/linux/sysctl.h
60789 --- linux-3.0.9/include/linux/sysctl.h  2011-11-11 13:12:24.000000000 -0500
60790 +++ linux-3.0.9/include/linux/sysctl.h  2011-11-15 20:03:00.000000000 -0500
60791 @@ -155,7 +155,11 @@ enum
60792         KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
60793  };
60794  
60795 -
60796 +#ifdef CONFIG_PAX_SOFTMODE
60797 +enum {
60798 +       PAX_SOFTMODE=1          /* PaX: disable/enable soft mode */
60799 +};
60800 +#endif
60801  
60802  /* CTL_VM names: */
60803  enum
60804 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
60805  
60806  extern int proc_dostring(struct ctl_table *, int,
60807                          void __user *, size_t *, loff_t *);
60808 +extern int proc_dostring_modpriv(struct ctl_table *, int,
60809 +                        void __user *, size_t *, loff_t *);
60810  extern int proc_dointvec(struct ctl_table *, int,
60811                          void __user *, size_t *, loff_t *);
60812  extern int proc_dointvec_minmax(struct ctl_table *, int,
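Review bot: `proc_dostring_modpriv` is declared with no comment, so nothing tells a sysctl author when to prefer it over `proc_dostring`; the `modpriv` suffix suggests it additionally gates writes on module-loading privilege, which is a security property worth stating at the declaration. Add `/* as proc_dostring(), but writes additionally require the module-loading privilege — confirm the exact check in kernel/sysctl.c */`.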
60813 diff -urNp linux-3.0.9/include/linux/tty_ldisc.h linux-3.0.9/include/linux/tty_ldisc.h
60814 --- linux-3.0.9/include/linux/tty_ldisc.h       2011-11-11 13:12:24.000000000 -0500
60815 +++ linux-3.0.9/include/linux/tty_ldisc.h       2011-11-15 20:03:00.000000000 -0500
60816 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
60817  
60818         struct  module *owner;
60819         
60820 -       int refcount;
60821 +       atomic_t refcount;
60822  };
60823  
60824  struct tty_ldisc {
60825 diff -urNp linux-3.0.9/include/linux/types.h linux-3.0.9/include/linux/types.h
60826 --- linux-3.0.9/include/linux/types.h   2011-11-11 13:12:24.000000000 -0500
60827 +++ linux-3.0.9/include/linux/types.h   2011-11-15 20:03:00.000000000 -0500
60828 @@ -213,10 +213,26 @@ typedef struct {
60829         int counter;
60830  } atomic_t;
60831  
60832 +#ifdef CONFIG_PAX_REFCOUNT
60833 +typedef struct {
60834 +       int counter;
60835 +} atomic_unchecked_t;
60836 +#else
60837 +typedef atomic_t atomic_unchecked_t;
60838 +#endif
60839 +
60840  #ifdef CONFIG_64BIT
60841  typedef struct {
60842         long counter;
60843  } atomic64_t;
60844 +
60845 +#ifdef CONFIG_PAX_REFCOUNT
60846 +typedef struct {
60847 +       long counter;
60848 +} atomic64_unchecked_t;
60849 +#else
60850 +typedef atomic64_t atomic64_unchecked_t;
60851 +#endif
60852  #endif
60853  
60854  struct list_head {
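Review bot: `atomic_unchecked_t`/`atomic64_unchecked_t` are distinct struct types only under CONFIG_PAX_REFCOUNT and plain aliases of `atomic_t`/`atomic64_t` otherwise, so code that mixes them with `atomic_t` compiles cleanly in the common configuration and only fails on a REFCOUNT build; that asymmetry deserves a comment at the typedef, e.g. `/* atomic counters exempt from refcount-overflow checking (statistics, non-refcount counters); a distinct type under PAX_REFCOUNT so the compiler rejects mixing with atomic_t */`. If these types are accessed through their own helpers, the comment should name them as well — the accessors are not visible in this hunk.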
60855 diff -urNp linux-3.0.9/include/linux/uaccess.h linux-3.0.9/include/linux/uaccess.h
60856 --- linux-3.0.9/include/linux/uaccess.h 2011-11-11 13:12:24.000000000 -0500
60857 +++ linux-3.0.9/include/linux/uaccess.h 2011-11-15 20:03:00.000000000 -0500
60858 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
60859                 long ret;                               \
60860                 mm_segment_t old_fs = get_fs();         \
60861                                                         \
60862 -               set_fs(KERNEL_DS);                      \
60863                 pagefault_disable();                    \
60864 -               ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval));            \
60865 -               pagefault_enable();                     \
60866 +               set_fs(KERNEL_DS);                      \
60867 +               ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval));              \
60868                 set_fs(old_fs);                         \
60869 +               pagefault_enable();                     \
60870                 ret;                                    \
60871         })
60872  
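Review bot: the reorder narrows the window in which the address limit is raised to `KERNEL_DS` so that it lies entirely inside the pagefault-disabled region, but nothing in the hunk says why; a comment such as `/* keep the KERNEL_DS window as short as possible and strictly inside pagefault_disable() */` records the hardening intent so a later cleanup does not swap the calls back. The enclosing macro begins before this hunk. The cast also changes from `(__force typeof(retval) __user *)` to `(typeof(retval) __force_user *)`, which is a sparse-annotation change worth a mention in the description if `__force_user` is introduced by this patch.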
60873 diff -urNp linux-3.0.9/include/linux/unaligned/access_ok.h linux-3.0.9/include/linux/unaligned/access_ok.h
60874 --- linux-3.0.9/include/linux/unaligned/access_ok.h     2011-11-11 13:12:24.000000000 -0500
60875 +++ linux-3.0.9/include/linux/unaligned/access_ok.h     2011-11-15 20:03:00.000000000 -0500
60876 @@ -6,32 +6,32 @@
60877  
60878  static inline u16 get_unaligned_le16(const void *p)
60879  {
60880 -       return le16_to_cpup((__le16 *)p);
60881 +       return le16_to_cpup((const __le16 *)p);
60882  }
60883  
60884  static inline u32 get_unaligned_le32(const void *p)
60885  {
60886 -       return le32_to_cpup((__le32 *)p);
60887 +       return le32_to_cpup((const __le32 *)p);
60888  }
60889  
60890  static inline u64 get_unaligned_le64(const void *p)
60891  {
60892 -       return le64_to_cpup((__le64 *)p);
60893 +       return le64_to_cpup((const __le64 *)p);
60894  }
60895  
60896  static inline u16 get_unaligned_be16(const void *p)
60897  {
60898 -       return be16_to_cpup((__be16 *)p);
60899 +       return be16_to_cpup((const __be16 *)p);
60900  }
60901  
60902  static inline u32 get_unaligned_be32(const void *p)
60903  {
60904 -       return be32_to_cpup((__be32 *)p);
60905 +       return be32_to_cpup((const __be32 *)p);
60906  }
60907  
60908  static inline u64 get_unaligned_be64(const void *p)
60909  {
60910 -       return be64_to_cpup((__be64 *)p);
60911 +       return be64_to_cpup((const __be64 *)p);
60912  }
60913  
60914  static inline void put_unaligned_le16(u16 val, void *p)
60915 diff -urNp linux-3.0.9/include/linux/vermagic.h linux-3.0.9/include/linux/vermagic.h
60916 --- linux-3.0.9/include/linux/vermagic.h        2011-11-11 13:12:24.000000000 -0500
60917 +++ linux-3.0.9/include/linux/vermagic.h        2011-11-15 20:03:00.000000000 -0500
60918 @@ -26,9 +26,28 @@
60919  #define MODULE_ARCH_VERMAGIC ""
60920  #endif
60921  
60922 +#ifdef CONFIG_PAX_REFCOUNT
60923 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
60924 +#else
60925 +#define MODULE_PAX_REFCOUNT ""
60926 +#endif
60927 +
60928 +#ifdef CONSTIFY_PLUGIN
60929 +#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
60930 +#else
60931 +#define MODULE_CONSTIFY_PLUGIN ""
60932 +#endif
60933 +
60934 +#ifdef CONFIG_GRKERNSEC
60935 +#define MODULE_GRSEC "GRSEC "
60936 +#else
60937 +#define MODULE_GRSEC ""
60938 +#endif
60939 +
60940  #define VERMAGIC_STRING                                                \
60941         UTS_RELEASE " "                                                 \
60942         MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT                     \
60943         MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS       \
60944 -       MODULE_ARCH_VERMAGIC
60945 +       MODULE_ARCH_VERMAGIC                                            \
60946 +       MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_GRSEC
60947  
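Review bot: appending `MODULE_PAX_REFCOUNT`, `MODULE_CONSTIFY_PLUGIN` and `MODULE_GRSEC` to `VERMAGIC_STRING` makes the loader refuse modules built without the identical set of these options, which is appropriate for features that change struct layouts such as the `atomic_unchecked_t` types, but the reason is not recorded anywhere; add `/* these options change kernel ABI/struct layout: refuse modules built without them */` above the three blocks. The trailing space in each token follows the existing `MODULE_VERMAGIC_*` convention, so the concatenation stays well-formed.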
60948 diff -urNp linux-3.0.9/include/linux/vmalloc.h linux-3.0.9/include/linux/vmalloc.h
60949 --- linux-3.0.9/include/linux/vmalloc.h 2011-11-11 13:12:24.000000000 -0500
60950 +++ linux-3.0.9/include/linux/vmalloc.h 2011-11-15 20:03:00.000000000 -0500
60951 @@ -14,6 +14,11 @@ struct vm_area_struct;               /* vma defining 
60952  #define VM_USERMAP     0x00000008      /* suitable for remap_vmalloc_range */
60953  #define VM_VPAGES      0x00000010      /* buffer for pages was vmalloc'ed */
60954  #define VM_UNLIST      0x00000020      /* vm_struct is not listed in vmlist */
60955 +
60956 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
60957 +#define VM_KERNEXEC   0x00000040      /* allocate from executable kernel memory range */
60958 +#endif
60959 +
60960  /* bits [20..32] reserved for arch specific ioremap internals */
60961  
60962  /*
60963 @@ -156,4 +161,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
60964  # endif
60965  #endif
60966  
60967 +#define vmalloc(x)                                             \
60968 +({                                                             \
60969 +       void *___retval;                                        \
60970 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60971 +       if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n"))  \
60972 +               ___retval = NULL;                               \
60973 +       else                                                    \
60974 +               ___retval = vmalloc((unsigned long)___x);       \
60975 +       ___retval;                                              \
60976 +})
60977 +
60978 +#define vzalloc(x)                                             \
60979 +({                                                             \
60980 +       void *___retval;                                        \
60981 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60982 +       if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n"))  \
60983 +               ___retval = NULL;                               \
60984 +       else                                                    \
60985 +               ___retval = vzalloc((unsigned long)___x);       \
60986 +       ___retval;                                              \
60987 +})
60988 +
60989 +#define __vmalloc(x, y, z)                                     \
60990 +({                                                             \
60991 +       void *___retval;                                        \
60992 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60993 +       if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
60994 +               ___retval = NULL;                               \
60995 +       else                                                    \
60996 +               ___retval = __vmalloc((unsigned long)___x, (y), (z));\
60997 +       ___retval;                                              \
60998 +})
60999 +
61000 +#define vmalloc_user(x)                                                \
61001 +({                                                             \
61002 +       void *___retval;                                        \
61003 +       intoverflow_t ___x = (intoverflow_t)x;                  \
61004 +       if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
61005 +               ___retval = NULL;                               \
61006 +       else                                                    \
61007 +               ___retval = vmalloc_user((unsigned long)___x);  \
61008 +       ___retval;                                              \
61009 +})
61010 +
61011 +#define vmalloc_exec(x)                                                \
61012 +({                                                             \
61013 +       void *___retval;                                        \
61014 +       intoverflow_t ___x = (intoverflow_t)x;                  \
61015 +       if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
61016 +               ___retval = NULL;                               \
61017 +       else                                                    \
61018 +               ___retval = vmalloc_exec((unsigned long)___x);  \
61019 +       ___retval;                                              \
61020 +})
61021 +
61022 +#define vmalloc_node(x, y)                                     \
61023 +({                                                             \
61024 +       void *___retval;                                        \
61025 +       intoverflow_t ___x = (intoverflow_t)x;                  \
61026 +       if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
61027 +               ___retval = NULL;                               \
61028 +       else                                                    \
61029 +               ___retval = vmalloc_node((unsigned long)___x, (y));\
61030 +       ___retval;                                              \
61031 +})
61032 +
61033 +#define vzalloc_node(x, y)                                     \
61034 +({                                                             \
61035 +       void *___retval;                                        \
61036 +       intoverflow_t ___x = (intoverflow_t)x;                  \
61037 +       if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
61038 +               ___retval = NULL;                               \
61039 +       else                                                    \
61040 +               ___retval = vzalloc_node((unsigned long)___x, (y));\
61041 +       ___retval;                                              \
61042 +})
61043 +
61044 +#define vmalloc_32(x)                                          \
61045 +({                                                             \
61046 +       void *___retval;                                        \
61047 +       intoverflow_t ___x = (intoverflow_t)x;                  \
61048 +       if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
61049 +               ___retval = NULL;                               \
61050 +       else                                                    \
61051 +               ___retval = vmalloc_32((unsigned long)___x);    \
61052 +       ___retval;                                              \
61053 +})
61054 +
61055 +#define vmalloc_32_user(x)                                     \
61056 +({                                                             \
61057 +void *___retval;                                       \
61058 +       intoverflow_t ___x = (intoverflow_t)x;                  \
61059 +       if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
61060 +               ___retval = NULL;                               \
61061 +       else                                                    \
61062 +               ___retval = vmalloc_32_user((unsigned long)___x);\
61063 +       ___retval;                                              \
61064 +})
61065 +
61066  #endif /* _LINUX_VMALLOC_H */
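Review bot: Each of the nine wrappers casts its size argument without parenthesising it, `intoverflow_t ___x = (intoverflow_t)x;`, so a caller passing an expression such as `a ? n : m` or `n + m` has the cast applied only to its first operand and the overflow check tests a different value from the one the macro then passes on; the line should read `intoverflow_t ___x = (intoverflow_t)(x);` in every macro. The guard is also one-sided: if intoverflow_t is a signed type (its definition is not in this hunk) a negative size never trips `___x > ULONG_MAX` and reaches the real allocator as a huge unsigned value, so adding `___x < 0 ||` to the WARN condition would make the check complete. Minor: the `void *___retval;` declaration in vmalloc_32_user has lost its indentation relative to the other eight macros.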
61067 diff -urNp linux-3.0.9/include/linux/vmstat.h linux-3.0.9/include/linux/vmstat.h
61068 --- linux-3.0.9/include/linux/vmstat.h  2011-11-11 13:12:24.000000000 -0500
61069 +++ linux-3.0.9/include/linux/vmstat.h  2011-11-15 20:03:00.000000000 -0500
61070 @@ -87,18 +87,18 @@ static inline void vm_events_fold_cpu(in
61071  /*
61072   * Zone based page accounting with per cpu differentials.
61073   */
61074 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
61075 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
61076  
61077  static inline void zone_page_state_add(long x, struct zone *zone,
61078                                  enum zone_stat_item item)
61079  {
61080 -       atomic_long_add(x, &zone->vm_stat[item]);
61081 -       atomic_long_add(x, &vm_stat[item]);
61082 +       atomic_long_add_unchecked(x, &zone->vm_stat[item]);
61083 +       atomic_long_add_unchecked(x, &vm_stat[item]);
61084  }
61085  
61086  static inline unsigned long global_page_state(enum zone_stat_item item)
61087  {
61088 -       long x = atomic_long_read(&vm_stat[item]);
61089 +       long x = atomic_long_read_unchecked(&vm_stat[item]);
61090  #ifdef CONFIG_SMP
61091         if (x < 0)
61092                 x = 0;
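Review bot: The switch of vm_stat and zone->vm_stat to atomic_long_unchecked_t opts these counters out of overflow trapping without recording why at the `extern` declaration, which is where a later maintainer will look before "fixing" it back. These are page-accounting statistics adjusted by signed deltas and already allowed to dip negative transiently (the `if (x < 0) x = 0;` clamp in global_page_state depends on that), so the unchecked variant appears deliberate; a one-line comment on the extern, `/* unchecked: statistics updated by signed deltas, may transiently go negative */`, would capture the reasoning. The remaining hunks in this file follow the same pattern and would be covered by that single comment.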
61093 @@ -109,7 +109,7 @@ static inline unsigned long global_page_
61094  static inline unsigned long zone_page_state(struct zone *zone,
61095                                         enum zone_stat_item item)
61096  {
61097 -       long x = atomic_long_read(&zone->vm_stat[item]);
61098 +       long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
61099  #ifdef CONFIG_SMP
61100         if (x < 0)
61101                 x = 0;
61102 @@ -126,7 +126,7 @@ static inline unsigned long zone_page_st
61103  static inline unsigned long zone_page_state_snapshot(struct zone *zone,
61104                                         enum zone_stat_item item)
61105  {
61106 -       long x = atomic_long_read(&zone->vm_stat[item]);
61107 +       long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
61108  
61109  #ifdef CONFIG_SMP
61110         int cpu;
61111 @@ -221,8 +221,8 @@ static inline void __mod_zone_page_state
61112  
61113  static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
61114  {
61115 -       atomic_long_inc(&zone->vm_stat[item]);
61116 -       atomic_long_inc(&vm_stat[item]);
61117 +       atomic_long_inc_unchecked(&zone->vm_stat[item]);
61118 +       atomic_long_inc_unchecked(&vm_stat[item]);
61119  }
61120  
61121  static inline void __inc_zone_page_state(struct page *page,
61122 @@ -233,8 +233,8 @@ static inline void __inc_zone_page_state
61123  
61124  static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
61125  {
61126 -       atomic_long_dec(&zone->vm_stat[item]);
61127 -       atomic_long_dec(&vm_stat[item]);
61128 +       atomic_long_dec_unchecked(&zone->vm_stat[item]);
61129 +       atomic_long_dec_unchecked(&vm_stat[item]);
61130  }
61131  
61132  static inline void __dec_zone_page_state(struct page *page,
61133 diff -urNp linux-3.0.9/include/media/saa7146_vv.h linux-3.0.9/include/media/saa7146_vv.h
61134 --- linux-3.0.9/include/media/saa7146_vv.h      2011-11-11 13:12:24.000000000 -0500
61135 +++ linux-3.0.9/include/media/saa7146_vv.h      2011-11-15 20:03:00.000000000 -0500
61136 @@ -163,7 +163,7 @@ struct saa7146_ext_vv
61137         int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
61138  
61139         /* the extension can override this */
61140 -       struct v4l2_ioctl_ops ops;
61141 +       v4l2_ioctl_ops_no_const ops;
61142         /* pointer to the saa7146 core ops */
61143         const struct v4l2_ioctl_ops *core_ops;
61144  
61145 diff -urNp linux-3.0.9/include/media/v4l2-dev.h linux-3.0.9/include/media/v4l2-dev.h
61146 --- linux-3.0.9/include/media/v4l2-dev.h        2011-11-11 13:12:24.000000000 -0500
61147 +++ linux-3.0.9/include/media/v4l2-dev.h        2011-11-15 20:03:00.000000000 -0500
61148 @@ -56,7 +56,7 @@ int v4l2_prio_check(struct v4l2_prio_sta
61149  
61150  
61151  struct v4l2_file_operations {
61152 -       struct module *owner;
61153 +       struct module * const owner;
61154         ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
61155         ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
61156         unsigned int (*poll) (struct file *, struct poll_table_struct *);
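Review bot: Qualifying the member as `struct module * const owner` means no struct v4l2_file_operations can have its owner set after definition and, because a const member makes the whole aggregate a non-modifiable lvalue, the struct can no longer be copied with `=` either; any driver that fills its fops at runtime rather than in a static initializer will stop compiling. The `__no_const` typedef added further down this file presumably addresses only the constify plugin and would not lift a language-level const on the member. I could not check the users from this hunk; a comment on the field, `/* must be set in a static initializer (.owner = THIS_MODULE); not assignable at runtime */`, would make the new constraint explicit.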
61157 @@ -68,6 +68,7 @@ struct v4l2_file_operations {
61158         int (*open) (struct file *);
61159         int (*release) (struct file *);
61160  };
61161 +typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const;
61162  
61163  /*
61164   * Newer version of video_device, handled by videodev2.c
61165 diff -urNp linux-3.0.9/include/media/v4l2-ioctl.h linux-3.0.9/include/media/v4l2-ioctl.h
61166 --- linux-3.0.9/include/media/v4l2-ioctl.h      2011-11-11 13:12:24.000000000 -0500
61167 +++ linux-3.0.9/include/media/v4l2-ioctl.h      2011-11-15 20:03:00.000000000 -0500
61168 @@ -272,6 +272,7 @@ struct v4l2_ioctl_ops {
61169         long (*vidioc_default)         (struct file *file, void *fh,
61170                                         bool valid_prio, int cmd, void *arg);
61171  };
61172 +typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
61173  
61174  
61175  /* v4l debugging and diagnostics */
61176 diff -urNp linux-3.0.9/include/net/caif/cfctrl.h linux-3.0.9/include/net/caif/cfctrl.h
61177 --- linux-3.0.9/include/net/caif/cfctrl.h       2011-11-11 13:12:24.000000000 -0500
61178 +++ linux-3.0.9/include/net/caif/cfctrl.h       2011-11-15 20:03:00.000000000 -0500
61179 @@ -52,7 +52,7 @@ struct cfctrl_rsp {
61180         void (*radioset_rsp)(void);
61181         void (*reject_rsp)(struct cflayer *layer, u8 linkid,
61182                                 struct cflayer *client_layer);
61183 -};
61184 +} __no_const;
61185  
61186  /* Link Setup Parameters for CAIF-Links. */
61187  struct cfctrl_link_param {
61188 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
61189  struct cfctrl {
61190         struct cfsrvl serv;
61191         struct cfctrl_rsp res;
61192 -       atomic_t req_seq_no;
61193 -       atomic_t rsp_seq_no;
61194 +       atomic_unchecked_t req_seq_no;
61195 +       atomic_unchecked_t rsp_seq_no;
61196         struct list_head list;
61197         /* Protects from simultaneous access to first_req list */
61198         spinlock_t info_list_lock;
61199 diff -urNp linux-3.0.9/include/net/flow.h linux-3.0.9/include/net/flow.h
61200 --- linux-3.0.9/include/net/flow.h      2011-11-11 13:12:24.000000000 -0500
61201 +++ linux-3.0.9/include/net/flow.h      2011-11-15 20:03:00.000000000 -0500
61202 @@ -207,6 +207,6 @@ extern struct flow_cache_object *flow_ca
61203                 u8 dir, flow_resolve_t resolver, void *ctx);
61204  
61205  extern void flow_cache_flush(void);
61206 -extern atomic_t flow_cache_genid;
61207 +extern atomic_unchecked_t flow_cache_genid;
61208  
61209  #endif
61210 diff -urNp linux-3.0.9/include/net/inetpeer.h linux-3.0.9/include/net/inetpeer.h
61211 --- linux-3.0.9/include/net/inetpeer.h  2011-11-11 13:12:24.000000000 -0500
61212 +++ linux-3.0.9/include/net/inetpeer.h  2011-11-15 20:03:00.000000000 -0500
61213 @@ -43,8 +43,8 @@ struct inet_peer {
61214          */
61215         union {
61216                 struct {
61217 -                       atomic_t                        rid;            /* Frag reception counter */
61218 -                       atomic_t                        ip_id_count;    /* IP ID for the next packet */
61219 +                       atomic_unchecked_t              rid;            /* Frag reception counter */
61220 +                       atomic_unchecked_t              ip_id_count;    /* IP ID for the next packet */
61221                         __u32                           tcp_ts;
61222                         __u32                           tcp_ts_stamp;
61223                         u32                             metrics[RTAX_MAX];
61224 @@ -108,7 +108,7 @@ static inline __u16 inet_getid(struct in
61225  {
61226         more++;
61227         inet_peer_refcheck(p);
61228 -       return atomic_add_return(more, &p->ip_id_count) - more;
61229 +       return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
61230  }
61231  
61232  #endif /* _NET_INETPEER_H */
61233 diff -urNp linux-3.0.9/include/net/ip_fib.h linux-3.0.9/include/net/ip_fib.h
61234 --- linux-3.0.9/include/net/ip_fib.h    2011-11-11 13:12:24.000000000 -0500
61235 +++ linux-3.0.9/include/net/ip_fib.h    2011-11-15 20:03:00.000000000 -0500
61236 @@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
61237  
61238  #define FIB_RES_SADDR(net, res)                                \
61239         ((FIB_RES_NH(res).nh_saddr_genid ==             \
61240 -         atomic_read(&(net)->ipv4.dev_addr_genid)) ?   \
61241 +         atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
61242          FIB_RES_NH(res).nh_saddr :                     \
61243          fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
61244  #define FIB_RES_GW(res)                        (FIB_RES_NH(res).nh_gw)
61245 diff -urNp linux-3.0.9/include/net/ip_vs.h linux-3.0.9/include/net/ip_vs.h
61246 --- linux-3.0.9/include/net/ip_vs.h     2011-11-11 13:12:24.000000000 -0500
61247 +++ linux-3.0.9/include/net/ip_vs.h     2011-11-15 20:03:00.000000000 -0500
61248 @@ -509,7 +509,7 @@ struct ip_vs_conn {
61249         struct ip_vs_conn       *control;       /* Master control connection */
61250         atomic_t                n_control;      /* Number of controlled ones */
61251         struct ip_vs_dest       *dest;          /* real server */
61252 -       atomic_t                in_pkts;        /* incoming packet counter */
61253 +       atomic_unchecked_t      in_pkts;        /* incoming packet counter */
61254  
61255         /* packet transmitter for different forwarding methods.  If it
61256            mangles the packet, it must return NF_DROP or better NF_STOLEN,
61257 @@ -647,7 +647,7 @@ struct ip_vs_dest {
61258         __be16                  port;           /* port number of the server */
61259         union nf_inet_addr      addr;           /* IP address of the server */
61260         volatile unsigned       flags;          /* dest status flags */
61261 -       atomic_t                conn_flags;     /* flags to copy to conn */
61262 +       atomic_unchecked_t      conn_flags;     /* flags to copy to conn */
61263         atomic_t                weight;         /* server weight */
61264  
61265         atomic_t                refcnt;         /* reference counter */
61266 diff -urNp linux-3.0.9/include/net/irda/ircomm_core.h linux-3.0.9/include/net/irda/ircomm_core.h
61267 --- linux-3.0.9/include/net/irda/ircomm_core.h  2011-11-11 13:12:24.000000000 -0500
61268 +++ linux-3.0.9/include/net/irda/ircomm_core.h  2011-11-15 20:03:00.000000000 -0500
61269 @@ -51,7 +51,7 @@ typedef struct {
61270         int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
61271         int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *, 
61272                                   struct ircomm_info *);        
61273 -} call_t;
61274 +} __no_const call_t;
61275  
61276  struct ircomm_cb {
61277         irda_queue_t queue;
61278 diff -urNp linux-3.0.9/include/net/irda/ircomm_tty.h linux-3.0.9/include/net/irda/ircomm_tty.h
61279 --- linux-3.0.9/include/net/irda/ircomm_tty.h   2011-11-11 13:12:24.000000000 -0500
61280 +++ linux-3.0.9/include/net/irda/ircomm_tty.h   2011-11-15 20:03:00.000000000 -0500
61281 @@ -35,6 +35,7 @@
61282  #include <linux/termios.h>
61283  #include <linux/timer.h>
61284  #include <linux/tty.h>         /* struct tty_struct */
61285 +#include <asm/local.h>
61286  
61287  #include <net/irda/irias_object.h>
61288  #include <net/irda/ircomm_core.h>
61289 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
61290          unsigned short    close_delay;
61291          unsigned short    closing_wait; /* time to wait before closing */
61292  
61293 -       int  open_count;
61294 -       int  blocked_open;      /* # of blocked opens */
61295 +       local_t open_count;
61296 +       local_t blocked_open;   /* # of blocked opens */
61297  
61298         /* Protect concurent access to :
61299          *      o self->open_count
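Review bot: `open_count` and `blocked_open` become `local_t`, whose operations are only guaranteed atomic against the same CPU (interrupts and preemption) and not against another CPU touching the same ircomm_tty_cb, so the counters stay correct only because of the lock the comment right after them describes; a reader seeing local_t may wrongly assume lock-free safety. A field comment such as `/* local_t: still serialised by the lock below, not SMP-atomic on its own */` would head that off. Every existing `open_count++`, `--` and direct read elsewhere also has to move to local_inc()/local_dec()/local_read(), which this header hunk cannot show.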
61300 diff -urNp linux-3.0.9/include/net/iucv/af_iucv.h linux-3.0.9/include/net/iucv/af_iucv.h
61301 --- linux-3.0.9/include/net/iucv/af_iucv.h      2011-11-11 13:12:24.000000000 -0500
61302 +++ linux-3.0.9/include/net/iucv/af_iucv.h      2011-11-15 20:03:00.000000000 -0500
61303 @@ -87,7 +87,7 @@ struct iucv_sock {
61304  struct iucv_sock_list {
61305         struct hlist_head head;
61306         rwlock_t          lock;
61307 -       atomic_t          autobind_name;
61308 +       atomic_unchecked_t autobind_name;
61309  };
61310  
61311  unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
61312 diff -urNp linux-3.0.9/include/net/lapb.h linux-3.0.9/include/net/lapb.h
61313 --- linux-3.0.9/include/net/lapb.h      2011-11-11 13:12:24.000000000 -0500
61314 +++ linux-3.0.9/include/net/lapb.h      2011-11-15 20:03:00.000000000 -0500
61315 @@ -95,7 +95,7 @@ struct lapb_cb {
61316         struct sk_buff_head     write_queue;
61317         struct sk_buff_head     ack_queue;
61318         unsigned char           window;
61319 -       struct lapb_register_struct callbacks;
61320 +       struct lapb_register_struct *callbacks;
61321  
61322         /* FRMR control information */
61323         struct lapb_frame       frmr_data;
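Review bot: Turning `callbacks` from an embedded `struct lapb_register_struct` into a pointer changes the ownership contract: lapb_cb no longer keeps its own copy, so whatever lapb_register() stores here must outlive the lapb_cb, and any existing caller that passes a stack or otherwise short-lived structure would now leave a dangling pointer. lapb_register() and the dereference sites are outside this hunk, so I cannot confirm every caller supplies a static table; a comment on the field, `/* borrowed from the caller at lapb_register(); must outlive this lapb_cb */`, would record the requirement where the type change is made.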
61324 diff -urNp linux-3.0.9/include/net/neighbour.h linux-3.0.9/include/net/neighbour.h
61325 --- linux-3.0.9/include/net/neighbour.h 2011-11-11 13:12:24.000000000 -0500
61326 +++ linux-3.0.9/include/net/neighbour.h 2011-11-15 20:03:00.000000000 -0500
61327 @@ -124,7 +124,7 @@ struct neigh_ops {
61328         int                     (*connected_output)(struct sk_buff*);
61329         int                     (*hh_output)(struct sk_buff*);
61330         int                     (*queue_xmit)(struct sk_buff*);
61331 -};
61332 +} __do_const;
61333  
61334  struct pneigh_entry {
61335         struct pneigh_entry     *next;
61336 diff -urNp linux-3.0.9/include/net/netlink.h linux-3.0.9/include/net/netlink.h
61337 --- linux-3.0.9/include/net/netlink.h   2011-11-11 13:12:24.000000000 -0500
61338 +++ linux-3.0.9/include/net/netlink.h   2011-11-15 20:03:00.000000000 -0500
61339 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
61340  static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
61341  {
61342         if (mark)
61343 -               skb_trim(skb, (unsigned char *) mark - skb->data);
61344 +               skb_trim(skb, (const unsigned char *) mark - skb->data);
61345  }
61346  
61347  /**
61348 diff -urNp linux-3.0.9/include/net/netns/ipv4.h linux-3.0.9/include/net/netns/ipv4.h
61349 --- linux-3.0.9/include/net/netns/ipv4.h        2011-11-11 13:12:24.000000000 -0500
61350 +++ linux-3.0.9/include/net/netns/ipv4.h        2011-11-15 20:03:00.000000000 -0500
61351 @@ -56,8 +56,8 @@ struct netns_ipv4 {
61352  
61353         unsigned int sysctl_ping_group_range[2];
61354  
61355 -       atomic_t rt_genid;
61356 -       atomic_t dev_addr_genid;
61357 +       atomic_unchecked_t rt_genid;
61358 +       atomic_unchecked_t dev_addr_genid;
61359  
61360  #ifdef CONFIG_IP_MROUTE
61361  #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
61362 diff -urNp linux-3.0.9/include/net/sctp/sctp.h linux-3.0.9/include/net/sctp/sctp.h
61363 --- linux-3.0.9/include/net/sctp/sctp.h 2011-11-11 13:12:24.000000000 -0500
61364 +++ linux-3.0.9/include/net/sctp/sctp.h 2011-11-15 20:03:00.000000000 -0500
61365 @@ -315,9 +315,9 @@ do {                                                                        \
61366  
61367  #else  /* SCTP_DEBUG */
61368  
61369 -#define SCTP_DEBUG_PRINTK(whatever...)
61370 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
61371 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
61372 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
61373 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
61374 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
61375  #define SCTP_ENABLE_DEBUG
61376  #define SCTP_DISABLE_DEBUG
61377  #define SCTP_ASSERT(expr, str, func)
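Review bot: The new `do {} while (0)` bodies close the empty-expansion hazard for the three PRINTK macros but leave `SCTP_ASSERT(expr, str, func)` on the following context line expanding to nothing, so `if (c) SCTP_ASSERT(...); else ...` still parses as an empty statement with the `else` binding unexpectedly. For consistency the same hunk should make it `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.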
61378 diff -urNp linux-3.0.9/include/net/sock.h linux-3.0.9/include/net/sock.h
61379 --- linux-3.0.9/include/net/sock.h      2011-11-11 13:12:24.000000000 -0500
61380 +++ linux-3.0.9/include/net/sock.h      2011-11-15 20:03:00.000000000 -0500
61381 @@ -277,7 +277,7 @@ struct sock {
61382  #ifdef CONFIG_RPS
61383         __u32                   sk_rxhash;
61384  #endif
61385 -       atomic_t                sk_drops;
61386 +       atomic_unchecked_t      sk_drops;
61387         int                     sk_rcvbuf;
61388  
61389         struct sk_filter __rcu  *sk_filter;
61390 @@ -1390,7 +1390,7 @@ static inline void sk_nocaps_add(struct 
61391  }
61392  
61393  static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
61394 -                                          char __user *from, char *to,
61395 +                                          char __user *from, unsigned char *to,
61396                                            int copy, int offset)
61397  {
61398         if (skb->ip_summed == CHECKSUM_NONE) {
61399 diff -urNp linux-3.0.9/include/net/tcp.h linux-3.0.9/include/net/tcp.h
61400 --- linux-3.0.9/include/net/tcp.h       2011-11-11 13:12:24.000000000 -0500
61401 +++ linux-3.0.9/include/net/tcp.h       2011-11-15 20:03:00.000000000 -0500
61402 @@ -1374,8 +1374,8 @@ enum tcp_seq_states {
61403  struct tcp_seq_afinfo {
61404         char                    *name;
61405         sa_family_t             family;
61406 -       struct file_operations  seq_fops;
61407 -       struct seq_operations   seq_ops;
61408 +       file_operations_no_const        seq_fops;
61409 +       seq_operations_no_const seq_ops;
61410  };
61411  
61412  struct tcp_iter_state {
61413 diff -urNp linux-3.0.9/include/net/udp.h linux-3.0.9/include/net/udp.h
61414 --- linux-3.0.9/include/net/udp.h       2011-11-11 13:12:24.000000000 -0500
61415 +++ linux-3.0.9/include/net/udp.h       2011-11-15 20:03:00.000000000 -0500
61416 @@ -234,8 +234,8 @@ struct udp_seq_afinfo {
61417         char                    *name;
61418         sa_family_t             family;
61419         struct udp_table        *udp_table;
61420 -       struct file_operations  seq_fops;
61421 -       struct seq_operations   seq_ops;
61422 +       file_operations_no_const        seq_fops;
61423 +       seq_operations_no_const seq_ops;
61424  };
61425  
61426  struct udp_iter_state {
61427 diff -urNp linux-3.0.9/include/net/xfrm.h linux-3.0.9/include/net/xfrm.h
61428 --- linux-3.0.9/include/net/xfrm.h      2011-11-11 13:12:24.000000000 -0500
61429 +++ linux-3.0.9/include/net/xfrm.h      2011-11-15 20:03:00.000000000 -0500
61430 @@ -505,7 +505,7 @@ struct xfrm_policy {
61431         struct timer_list       timer;
61432  
61433         struct flow_cache_object flo;
61434 -       atomic_t                genid;
61435 +       atomic_unchecked_t      genid;
61436         u32                     priority;
61437         u32                     index;
61438         struct xfrm_mark        mark;
61439 diff -urNp linux-3.0.9/include/rdma/iw_cm.h linux-3.0.9/include/rdma/iw_cm.h
61440 --- linux-3.0.9/include/rdma/iw_cm.h    2011-11-11 13:12:24.000000000 -0500
61441 +++ linux-3.0.9/include/rdma/iw_cm.h    2011-11-15 20:03:00.000000000 -0500
61442 @@ -120,7 +120,7 @@ struct iw_cm_verbs {
61443                                          int backlog);
61444  
61445         int             (*destroy_listen)(struct iw_cm_id *cm_id);
61446 -};
61447 +} __no_const;
61448  
61449  /**
61450   * iw_create_cm_id - Create an IW CM identifier.
61451 diff -urNp linux-3.0.9/include/scsi/libfc.h linux-3.0.9/include/scsi/libfc.h
61452 --- linux-3.0.9/include/scsi/libfc.h    2011-11-11 13:12:24.000000000 -0500
61453 +++ linux-3.0.9/include/scsi/libfc.h    2011-11-15 20:03:00.000000000 -0500
61454 @@ -750,6 +750,7 @@ struct libfc_function_template {
61455          */
61456         void (*disc_stop_final) (struct fc_lport *);
61457  };
61458 +typedef struct libfc_function_template __no_const libfc_function_template_no_const;
61459  
61460  /**
61461   * struct fc_disc - Discovery context
61462 @@ -853,7 +854,7 @@ struct fc_lport {
61463         struct fc_vport                *vport;
61464  
61465         /* Operational Information */
61466 -       struct libfc_function_template tt;
61467 +       libfc_function_template_no_const tt;
61468         u8                             link_up;
61469         u8                             qfull;
61470         enum fc_lport_state            state;
61471 diff -urNp linux-3.0.9/include/scsi/scsi_device.h linux-3.0.9/include/scsi/scsi_device.h
61472 --- linux-3.0.9/include/scsi/scsi_device.h      2011-11-11 13:12:24.000000000 -0500
61473 +++ linux-3.0.9/include/scsi/scsi_device.h      2011-11-15 20:03:00.000000000 -0500
61474 @@ -161,9 +161,9 @@ struct scsi_device {
61475         unsigned int max_device_blocked; /* what device_blocked counts down from  */
61476  #define SCSI_DEFAULT_DEVICE_BLOCKED    3
61477  
61478 -       atomic_t iorequest_cnt;
61479 -       atomic_t iodone_cnt;
61480 -       atomic_t ioerr_cnt;
61481 +       atomic_unchecked_t iorequest_cnt;
61482 +       atomic_unchecked_t iodone_cnt;
61483 +       atomic_unchecked_t ioerr_cnt;
61484  
61485         struct device           sdev_gendev,
61486                                 sdev_dev;
61487 diff -urNp linux-3.0.9/include/scsi/scsi_transport_fc.h linux-3.0.9/include/scsi/scsi_transport_fc.h
61488 --- linux-3.0.9/include/scsi/scsi_transport_fc.h        2011-11-11 13:12:24.000000000 -0500
61489 +++ linux-3.0.9/include/scsi/scsi_transport_fc.h        2011-11-15 20:03:00.000000000 -0500
61490 @@ -711,7 +711,7 @@ struct fc_function_template {
61491         unsigned long   show_host_system_hostname:1;
61492  
61493         unsigned long   disable_target_scan:1;
61494 -};
61495 +} __do_const;
61496  
61497  
61498  /**
61499 diff -urNp linux-3.0.9/include/sound/ak4xxx-adda.h linux-3.0.9/include/sound/ak4xxx-adda.h
61500 --- linux-3.0.9/include/sound/ak4xxx-adda.h     2011-11-11 13:12:24.000000000 -0500
61501 +++ linux-3.0.9/include/sound/ak4xxx-adda.h     2011-11-15 20:03:00.000000000 -0500
61502 @@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
61503         void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
61504                       unsigned char val);
61505         void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
61506 -};
61507 +} __no_const;
61508  
61509  #define AK4XXX_IMAGE_SIZE      (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
61510  
61511 diff -urNp linux-3.0.9/include/sound/hwdep.h linux-3.0.9/include/sound/hwdep.h
61512 --- linux-3.0.9/include/sound/hwdep.h   2011-11-11 13:12:24.000000000 -0500
61513 +++ linux-3.0.9/include/sound/hwdep.h   2011-11-15 20:03:00.000000000 -0500
61514 @@ -49,7 +49,7 @@ struct snd_hwdep_ops {
61515                           struct snd_hwdep_dsp_status *status);
61516         int (*dsp_load)(struct snd_hwdep *hw,
61517                         struct snd_hwdep_dsp_image *image);
61518 -};
61519 +} __no_const;
61520  
61521  struct snd_hwdep {
61522         struct snd_card *card;
61523 diff -urNp linux-3.0.9/include/sound/info.h linux-3.0.9/include/sound/info.h
61524 --- linux-3.0.9/include/sound/info.h    2011-11-11 13:12:24.000000000 -0500
61525 +++ linux-3.0.9/include/sound/info.h    2011-11-15 20:03:00.000000000 -0500
61526 @@ -44,7 +44,7 @@ struct snd_info_entry_text {
61527                      struct snd_info_buffer *buffer);
61528         void (*write)(struct snd_info_entry *entry,
61529                       struct snd_info_buffer *buffer);
61530 -};
61531 +} __no_const;
61532  
61533  struct snd_info_entry_ops {
61534         int (*open)(struct snd_info_entry *entry,
61535 diff -urNp linux-3.0.9/include/sound/pcm.h linux-3.0.9/include/sound/pcm.h
61536 --- linux-3.0.9/include/sound/pcm.h     2011-11-11 13:12:24.000000000 -0500
61537 +++ linux-3.0.9/include/sound/pcm.h     2011-11-15 20:03:00.000000000 -0500
61538 @@ -81,6 +81,7 @@ struct snd_pcm_ops {
61539         int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
61540         int (*ack)(struct snd_pcm_substream *substream);
61541  };
61542 +typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
61543  
61544  /*
61545   *
61546 diff -urNp linux-3.0.9/include/sound/sb16_csp.h linux-3.0.9/include/sound/sb16_csp.h
61547 --- linux-3.0.9/include/sound/sb16_csp.h        2011-11-11 13:12:24.000000000 -0500
61548 +++ linux-3.0.9/include/sound/sb16_csp.h        2011-11-15 20:03:00.000000000 -0500
61549 @@ -146,7 +146,7 @@ struct snd_sb_csp_ops {
61550         int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
61551         int (*csp_stop) (struct snd_sb_csp * p);
61552         int (*csp_qsound_transfer) (struct snd_sb_csp * p);
61553 -};
61554 +} __no_const;
61555  
61556  /*
61557   * CSP private data
61558 diff -urNp linux-3.0.9/include/sound/soc.h linux-3.0.9/include/sound/soc.h
61559 --- linux-3.0.9/include/sound/soc.h     2011-11-11 13:12:24.000000000 -0500
61560 +++ linux-3.0.9/include/sound/soc.h     2011-11-15 20:03:00.000000000 -0500
61561 @@ -636,7 +636,7 @@ struct snd_soc_platform_driver {
61562  
61563         /* platform stream ops */
61564         struct snd_pcm_ops *ops;
61565 -};
61566 +} __do_const;
61567  
61568  struct snd_soc_platform {
61569         const char *name;
61570 diff -urNp linux-3.0.9/include/sound/ymfpci.h linux-3.0.9/include/sound/ymfpci.h
61571 --- linux-3.0.9/include/sound/ymfpci.h  2011-11-11 13:12:24.000000000 -0500
61572 +++ linux-3.0.9/include/sound/ymfpci.h  2011-11-15 20:03:00.000000000 -0500
61573 @@ -358,7 +358,7 @@ struct snd_ymfpci {
61574         spinlock_t reg_lock;
61575         spinlock_t voice_lock;
61576         wait_queue_head_t interrupt_sleep;
61577 -       atomic_t interrupt_sleep_count;
61578 +       atomic_unchecked_t interrupt_sleep_count;
61579         struct snd_info_entry *proc_entry;
61580         const struct firmware *dsp_microcode;
61581         const struct firmware *controller_microcode;
61582 diff -urNp linux-3.0.9/include/target/target_core_base.h linux-3.0.9/include/target/target_core_base.h
61583 --- linux-3.0.9/include/target/target_core_base.h       2011-11-11 13:12:24.000000000 -0500
61584 +++ linux-3.0.9/include/target/target_core_base.h       2011-11-15 20:03:00.000000000 -0500
61585 @@ -364,7 +364,7 @@ struct t10_reservation_ops {
61586         int (*t10_seq_non_holder)(struct se_cmd *, unsigned char *, u32);
61587         int (*t10_pr_register)(struct se_cmd *);
61588         int (*t10_pr_clear)(struct se_cmd *);
61589 -};
61590 +} __no_const;
61591  
61592  struct t10_reservation_template {
61593         /* Reservation effects all target ports */
61594 @@ -432,8 +432,8 @@ struct se_transport_task {
61595         atomic_t                t_task_cdbs_left;
61596         atomic_t                t_task_cdbs_ex_left;
61597         atomic_t                t_task_cdbs_timeout_left;
61598 -       atomic_t                t_task_cdbs_sent;
61599 -       atomic_t                t_transport_aborted;
61600 +       atomic_unchecked_t      t_task_cdbs_sent;
61601 +       atomic_unchecked_t      t_transport_aborted;
61602         atomic_t                t_transport_active;
61603         atomic_t                t_transport_complete;
61604         atomic_t                t_transport_queue_active;
61605 @@ -774,7 +774,7 @@ struct se_device {
61606         atomic_t                active_cmds;
61607         atomic_t                simple_cmds;
61608         atomic_t                depth_left;
61609 -       atomic_t                dev_ordered_id;
61610 +       atomic_unchecked_t      dev_ordered_id;
61611         atomic_t                dev_tur_active;
61612         atomic_t                execute_tasks;
61613         atomic_t                dev_status_thr_count;
61614 diff -urNp linux-3.0.9/include/trace/events/irq.h linux-3.0.9/include/trace/events/irq.h
61615 --- linux-3.0.9/include/trace/events/irq.h      2011-11-11 13:12:24.000000000 -0500
61616 +++ linux-3.0.9/include/trace/events/irq.h      2011-11-15 20:03:00.000000000 -0500
61617 @@ -36,7 +36,7 @@ struct softirq_action;
61618   */
61619  TRACE_EVENT(irq_handler_entry,
61620  
61621 -       TP_PROTO(int irq, struct irqaction *action),
61622 +       TP_PROTO(int irq, const struct irqaction *action),
61623  
61624         TP_ARGS(irq, action),
61625  
61626 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
61627   */
61628  TRACE_EVENT(irq_handler_exit,
61629  
61630 -       TP_PROTO(int irq, struct irqaction *action, int ret),
61631 +       TP_PROTO(int irq, const struct irqaction *action, int ret),
61632  
61633         TP_ARGS(irq, action, ret),
61634  
61635 diff -urNp linux-3.0.9/include/video/udlfb.h linux-3.0.9/include/video/udlfb.h
61636 --- linux-3.0.9/include/video/udlfb.h   2011-11-11 13:12:24.000000000 -0500
61637 +++ linux-3.0.9/include/video/udlfb.h   2011-11-15 20:03:00.000000000 -0500
61638 @@ -51,10 +51,10 @@ struct dlfb_data {
61639         int base8;
61640         u32 pseudo_palette[256];
61641         /* blit-only rendering path metrics, exposed through sysfs */
61642 -       atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61643 -       atomic_t bytes_identical; /* saved effort with backbuffer comparison */
61644 -       atomic_t bytes_sent; /* to usb, after compression including overhead */
61645 -       atomic_t cpu_kcycles_used; /* transpired during pixel processing */
61646 +       atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61647 +       atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
61648 +       atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
61649 +       atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
61650  };
61651  
61652  #define NR_USB_REQUEST_I2C_SUB_IO 0x02
61653 diff -urNp linux-3.0.9/include/video/uvesafb.h linux-3.0.9/include/video/uvesafb.h
61654 --- linux-3.0.9/include/video/uvesafb.h 2011-11-11 13:12:24.000000000 -0500
61655 +++ linux-3.0.9/include/video/uvesafb.h 2011-11-15 20:03:00.000000000 -0500
61656 @@ -177,6 +177,7 @@ struct uvesafb_par {
61657         u8 ypan;                        /* 0 - nothing, 1 - ypan, 2 - ywrap */
61658         u8 pmi_setpal;                  /* PMI for palette changes */
61659         u16 *pmi_base;                  /* protected mode interface location */
61660 +       u8 *pmi_code;                   /* protected mode code location */
61661         void *pmi_start;
61662         void *pmi_pal;
61663         u8 *vbe_state_orig;             /*
61664 diff -urNp linux-3.0.9/init/do_mounts.c linux-3.0.9/init/do_mounts.c
61665 --- linux-3.0.9/init/do_mounts.c        2011-11-11 13:12:24.000000000 -0500
61666 +++ linux-3.0.9/init/do_mounts.c        2011-11-15 20:03:00.000000000 -0500
61667 @@ -287,11 +287,11 @@ static void __init get_fs_names(char *pa
61668  
61669  static int __init do_mount_root(char *name, char *fs, int flags, void *data)
61670  {
61671 -       int err = sys_mount(name, "/root", fs, flags, data);
61672 +       int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
61673         if (err)
61674                 return err;
61675  
61676 -       sys_chdir((const char __user __force *)"/root");
61677 +       sys_chdir((const char __force_user*)"/root");
61678         ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
61679         printk(KERN_INFO
61680                "VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
61681 @@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
61682         va_start(args, fmt);
61683         vsprintf(buf, fmt, args);
61684         va_end(args);
61685 -       fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
61686 +       fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
61687         if (fd >= 0) {
61688                 sys_ioctl(fd, FDEJECT, 0);
61689                 sys_close(fd);
61690         }
61691         printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
61692 -       fd = sys_open("/dev/console", O_RDWR, 0);
61693 +       fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
61694         if (fd >= 0) {
61695                 sys_ioctl(fd, TCGETS, (long)&termios);
61696                 termios.c_lflag &= ~ICANON;
61697                 sys_ioctl(fd, TCSETSF, (long)&termios);
61698 -               sys_read(fd, &c, 1);
61699 +               sys_read(fd, (char __user *)&c, 1);
61700                 termios.c_lflag |= ICANON;
61701                 sys_ioctl(fd, TCSETSF, (long)&termios);
61702                 sys_close(fd);
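Review bot: The casts in this hunk are inconsistent with the rest of the patch: `sys_open((char __user *)"/dev/root", ...)` and `sys_read(fd, (char __user *)&c, 1)` drop the `__force` that every other converted call site uses, while the `/dev/console` open spells it `(__force const char __user *)`. Without `__force`, sparse should still report the kernel-to-user address-space change these casts exist to silence, so the hunk only half-achieves its purpose. Use one form everywhere: `fd = sys_open((const char __force_user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (char __force_user *)&c, 1);`. change_floppy's body begins before this hunk.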
61703 @@ -488,6 +488,6 @@ void __init prepare_namespace(void)
61704         mount_root();
61705  out:
61706         devtmpfs_mount("dev");
61707 -       sys_mount(".", "/", NULL, MS_MOVE, NULL);
61708 -       sys_chroot((const char __user __force *)".");
61709 +       sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61710 +       sys_chroot((const char __force_user *)".");
61711  }
61712 diff -urNp linux-3.0.9/init/do_mounts.h linux-3.0.9/init/do_mounts.h
61713 --- linux-3.0.9/init/do_mounts.h        2011-11-11 13:12:24.000000000 -0500
61714 +++ linux-3.0.9/init/do_mounts.h        2011-11-15 20:03:00.000000000 -0500
61715 @@ -15,15 +15,15 @@ extern int root_mountflags;
61716  
61717  static inline int create_dev(char *name, dev_t dev)
61718  {
61719 -       sys_unlink(name);
61720 -       return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
61721 +       sys_unlink((char __force_user *)name);
61722 +       return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
61723  }
61724  
61725  #if BITS_PER_LONG == 32
61726  static inline u32 bstat(char *name)
61727  {
61728         struct stat64 stat;
61729 -       if (sys_stat64(name, &stat) != 0)
61730 +       if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
61731                 return 0;
61732         if (!S_ISBLK(stat.st_mode))
61733                 return 0;
61734 @@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
61735  static inline u32 bstat(char *name)
61736  {
61737         struct stat stat;
61738 -       if (sys_newstat(name, &stat) != 0)
61739 +       if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
61740                 return 0;
61741         if (!S_ISBLK(stat.st_mode))
61742                 return 0;
61743 diff -urNp linux-3.0.9/init/do_mounts_initrd.c linux-3.0.9/init/do_mounts_initrd.c
61744 --- linux-3.0.9/init/do_mounts_initrd.c 2011-11-11 13:12:24.000000000 -0500
61745 +++ linux-3.0.9/init/do_mounts_initrd.c 2011-11-15 20:03:00.000000000 -0500
61746 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
61747         create_dev("/dev/root.old", Root_RAM0);
61748         /* mount initrd on rootfs' /root */
61749         mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
61750 -       sys_mkdir("/old", 0700);
61751 -       root_fd = sys_open("/", 0, 0);
61752 -       old_fd = sys_open("/old", 0, 0);
61753 +       sys_mkdir((const char __force_user *)"/old", 0700);
61754 +       root_fd = sys_open((const char __force_user *)"/", 0, 0);
61755 +       old_fd = sys_open((const char __force_user *)"/old", 0, 0);
61756         /* move initrd over / and chdir/chroot in initrd root */
61757 -       sys_chdir("/root");
61758 -       sys_mount(".", "/", NULL, MS_MOVE, NULL);
61759 -       sys_chroot(".");
61760 +       sys_chdir((const char __force_user *)"/root");
61761 +       sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61762 +       sys_chroot((const char __force_user *)".");
61763  
61764         /*
61765          * In case that a resume from disk is carried out by linuxrc or one of
61766 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
61767  
61768         /* move initrd to rootfs' /old */
61769         sys_fchdir(old_fd);
61770 -       sys_mount("/", ".", NULL, MS_MOVE, NULL);
61771 +       sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
61772         /* switch root and cwd back to / of rootfs */
61773         sys_fchdir(root_fd);
61774 -       sys_chroot(".");
61775 +       sys_chroot((const char __force_user *)".");
61776         sys_close(old_fd);
61777         sys_close(root_fd);
61778  
61779         if (new_decode_dev(real_root_dev) == Root_RAM0) {
61780 -               sys_chdir("/old");
61781 +               sys_chdir((const char __force_user *)"/old");
61782                 return;
61783         }
61784  
61785 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
61786         mount_root();
61787  
61788         printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
61789 -       error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
61790 +       error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
61791         if (!error)
61792                 printk("okay\n");
61793         else {
61794 -               int fd = sys_open("/dev/root.old", O_RDWR, 0);
61795 +               int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
61796                 if (error == -ENOENT)
61797                         printk("/initrd does not exist. Ignored.\n");
61798                 else
61799                         printk("failed\n");
61800                 printk(KERN_NOTICE "Unmounting old root\n");
61801 -               sys_umount("/old", MNT_DETACH);
61802 +               sys_umount((char __force_user *)"/old", MNT_DETACH);
61803                 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
61804                 if (fd < 0) {
61805                         error = fd;
61806 @@ -116,11 +116,11 @@ int __init initrd_load(void)
61807                  * mounted in the normal path.
61808                  */
61809                 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
61810 -                       sys_unlink("/initrd.image");
61811 +                       sys_unlink((const char __force_user *)"/initrd.image");
61812                         handle_initrd();
61813                         return 1;
61814                 }
61815         }
61816 -       sys_unlink("/initrd.image");
61817 +       sys_unlink((const char __force_user *)"/initrd.image");
61818         return 0;
61819  }
61820 diff -urNp linux-3.0.9/init/do_mounts_md.c linux-3.0.9/init/do_mounts_md.c
61821 --- linux-3.0.9/init/do_mounts_md.c     2011-11-11 13:12:24.000000000 -0500
61822 +++ linux-3.0.9/init/do_mounts_md.c     2011-11-15 20:03:00.000000000 -0500
61823 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
61824                         partitioned ? "_d" : "", minor,
61825                         md_setup_args[ent].device_names);
61826  
61827 -               fd = sys_open(name, 0, 0);
61828 +               fd = sys_open((char __force_user *)name, 0, 0);
61829                 if (fd < 0) {
61830                         printk(KERN_ERR "md: open failed - cannot start "
61831                                         "array %s\n", name);
61832 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
61833                          * array without it
61834                          */
61835                         sys_close(fd);
61836 -                       fd = sys_open(name, 0, 0);
61837 +                       fd = sys_open((char __force_user *)name, 0, 0);
61838                         sys_ioctl(fd, BLKRRPART, 0);
61839                 }
61840                 sys_close(fd);
61841 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
61842  
61843         wait_for_device_probe();
61844  
61845 -       fd = sys_open((const char __user __force *) "/dev/md0", 0, 0);
61846 +       fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
61847         if (fd >= 0) {
61848                 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
61849                 sys_close(fd);
61850 diff -urNp linux-3.0.9/init/initramfs.c linux-3.0.9/init/initramfs.c
61851 --- linux-3.0.9/init/initramfs.c        2011-11-11 13:12:24.000000000 -0500
61852 +++ linux-3.0.9/init/initramfs.c        2011-11-15 20:03:00.000000000 -0500
61853 @@ -74,7 +74,7 @@ static void __init free_hash(void)
61854         }
61855  }
61856  
61857 -static long __init do_utime(char __user *filename, time_t mtime)
61858 +static long __init do_utime(__force char __user *filename, time_t mtime)
61859  {
61860         struct timespec t[2];
61861  
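Review bot: `__force` on the parameter declaration at `do_utime(__force char __user *filename, ...)` has no effect that I can see — sparse honours `__force` on casts, not on declarations — and every caller converted in the later hunks of this file already casts with `(char __force_user *)`. Keeping the upstream prototype `static long __init do_utime(char __user *filename, time_t mtime)` is sufficient and avoids implying the attribute does something here. The body of do_utime continues outside the hunk.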
61862 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
61863         struct dir_entry *de, *tmp;
61864         list_for_each_entry_safe(de, tmp, &dir_list, list) {
61865                 list_del(&de->list);
61866 -               do_utime(de->name, de->mtime);
61867 +               do_utime((char __force_user *)de->name, de->mtime);
61868                 kfree(de->name);
61869                 kfree(de);
61870         }
61871 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
61872         if (nlink >= 2) {
61873                 char *old = find_link(major, minor, ino, mode, collected);
61874                 if (old)
61875 -                       return (sys_link(old, collected) < 0) ? -1 : 1;
61876 +                       return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
61877         }
61878         return 0;
61879  }
61880 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
61881  {
61882         struct stat st;
61883  
61884 -       if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
61885 +       if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
61886                 if (S_ISDIR(st.st_mode))
61887 -                       sys_rmdir(path);
61888 +                       sys_rmdir((char __force_user *)path);
61889                 else
61890 -                       sys_unlink(path);
61891 +                       sys_unlink((char __force_user *)path);
61892         }
61893  }
61894  
61895 @@ -305,7 +305,7 @@ static int __init do_name(void)
61896                         int openflags = O_WRONLY|O_CREAT;
61897                         if (ml != 1)
61898                                 openflags |= O_TRUNC;
61899 -                       wfd = sys_open(collected, openflags, mode);
61900 +                       wfd = sys_open((char __force_user *)collected, openflags, mode);
61901  
61902                         if (wfd >= 0) {
61903                                 sys_fchown(wfd, uid, gid);
61904 @@ -317,17 +317,17 @@ static int __init do_name(void)
61905                         }
61906                 }
61907         } else if (S_ISDIR(mode)) {
61908 -               sys_mkdir(collected, mode);
61909 -               sys_chown(collected, uid, gid);
61910 -               sys_chmod(collected, mode);
61911 +               sys_mkdir((char __force_user *)collected, mode);
61912 +               sys_chown((char __force_user *)collected, uid, gid);
61913 +               sys_chmod((char __force_user *)collected, mode);
61914                 dir_add(collected, mtime);
61915         } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
61916                    S_ISFIFO(mode) || S_ISSOCK(mode)) {
61917                 if (maybe_link() == 0) {
61918 -                       sys_mknod(collected, mode, rdev);
61919 -                       sys_chown(collected, uid, gid);
61920 -                       sys_chmod(collected, mode);
61921 -                       do_utime(collected, mtime);
61922 +                       sys_mknod((char __force_user *)collected, mode, rdev);
61923 +                       sys_chown((char __force_user *)collected, uid, gid);
61924 +                       sys_chmod((char __force_user *)collected, mode);
61925 +                       do_utime((char __force_user *)collected, mtime);
61926                 }
61927         }
61928         return 0;
61929 @@ -336,15 +336,15 @@ static int __init do_name(void)
61930  static int __init do_copy(void)
61931  {
61932         if (count >= body_len) {
61933 -               sys_write(wfd, victim, body_len);
61934 +               sys_write(wfd, (char __force_user *)victim, body_len);
61935                 sys_close(wfd);
61936 -               do_utime(vcollected, mtime);
61937 +               do_utime((char __force_user *)vcollected, mtime);
61938                 kfree(vcollected);
61939                 eat(body_len);
61940                 state = SkipIt;
61941                 return 0;
61942         } else {
61943 -               sys_write(wfd, victim, count);
61944 +               sys_write(wfd, (char __force_user *)victim, count);
61945                 body_len -= count;
61946                 eat(count);
61947                 return 1;
61948 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
61949  {
61950         collected[N_ALIGN(name_len) + body_len] = '\0';
61951         clean_path(collected, 0);
61952 -       sys_symlink(collected + N_ALIGN(name_len), collected);
61953 -       sys_lchown(collected, uid, gid);
61954 -       do_utime(collected, mtime);
61955 +       sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
61956 +       sys_lchown((char __force_user *)collected, uid, gid);
61957 +       do_utime((char __force_user *)collected, mtime);
61958         state = SkipIt;
61959         next_state = Reset;
61960         return 0;
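Review bot: In `sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected)` the cast binds to `collected` alone, so the offset is added to the already user-annotated pointer; the resulting address is the same, but the line reads as if the cast covered the whole expression. Parenthesising makes the intent explicit: `sys_symlink((char __force_user *)(collected + N_ALIGN(name_len)), (char __force_user *)collected);`.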
61961 diff -urNp linux-3.0.9/init/Kconfig linux-3.0.9/init/Kconfig
61962 --- linux-3.0.9/init/Kconfig    2011-11-11 13:12:24.000000000 -0500
61963 +++ linux-3.0.9/init/Kconfig    2011-11-15 20:03:00.000000000 -0500
61964 @@ -1195,7 +1195,7 @@ config SLUB_DEBUG
61965  
61966  config COMPAT_BRK
61967         bool "Disable heap randomization"
61968 -       default y
61969 +       default n
61970         help
61971           Randomizing heap placement makes heap exploits harder, but it
61972           also breaks ancient binaries (including anything libc5 based).
61973 diff -urNp linux-3.0.9/init/main.c linux-3.0.9/init/main.c
61974 --- linux-3.0.9/init/main.c     2011-11-11 13:12:24.000000000 -0500
61975 +++ linux-3.0.9/init/main.c     2011-11-15 20:03:00.000000000 -0500
61976 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) 
61977  extern void tc_init(void);
61978  #endif
61979  
61980 +extern void grsecurity_init(void);
61981 +
61982  /*
61983   * Debug helper: via this flag we know that we are in 'early bootup code'
61984   * where only the boot processor is running with IRQ disabled.  This means
61985 @@ -149,6 +151,49 @@ static int __init set_reset_devices(char
61986  
61987  __setup("reset_devices", set_reset_devices);
61988  
61989 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
61990 +extern char pax_enter_kernel_user[];
61991 +extern char pax_exit_kernel_user[];
61992 +extern pgdval_t clone_pgd_mask;
61993 +#endif
61994 +
61995 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
61996 +static int __init setup_pax_nouderef(char *str)
61997 +{
61998 +#ifdef CONFIG_X86_32
61999 +       unsigned int cpu;
62000 +       struct desc_struct *gdt;
62001 +
62002 +       for (cpu = 0; cpu < NR_CPUS; cpu++) {
62003 +               gdt = get_cpu_gdt_table(cpu);
62004 +               gdt[GDT_ENTRY_KERNEL_DS].type = 3;
62005 +               gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
62006 +               gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
62007 +               gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
62008 +       }
62009 +       asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
62010 +#else
62011 +       memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
62012 +       memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
62013 +       clone_pgd_mask = ~(pgdval_t)0UL;
62014 +#endif
62015 +
62016 +       return 0;
62017 +}
62018 +early_param("pax_nouderef", setup_pax_nouderef);
62019 +#endif
62020 +
62021 +#ifdef CONFIG_PAX_SOFTMODE
62022 +int pax_softmode;
62023 +
62024 +static int __init setup_pax_softmode(char *str)
62025 +{
62026 +       get_option(&str, &pax_softmode);
62027 +       return 1;
62028 +}
62029 +__setup("pax_softmode=", setup_pax_softmode);
62030 +#endif
62031 +
62032  static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
62033  const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
62034  static const char *panic_later, *panic_param;
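Review bot: setup_pax_nouderef documents none of its ordering constraints, and both branches have them: the x86-64 branch overwrites `pax_enter_kernel_user`/`pax_exit_kernel_user` in kernel text with a `ret` byte, which only works while .text is still writable (before mark_rodata_ro and whatever KERNEXEC does to text), and the 32-bit branch walks `cpu < NR_CPUS` through get_cpu_gdt_table() at early_param time, before per-cpu areas are set up, so presumably every index resolves to the boot GDT — confirm and say so in a comment. The `memcpy(..., (unsigned char []){0xc3}, 1)` compound literal is an indirect way to store one byte; `pax_enter_kernel_user[0] = 0xc3; /* ret: turn the user-access switch into a no-op */` says the same thing directly. The GDT edits `type = 3` and `limit = 0xf` also deserve a one-line comment naming the fields they restore (a read/write data type and the full limit, if I read desc_struct right). Both functions are complete within the hunk.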
62035 @@ -667,6 +712,7 @@ int __init_or_module do_one_initcall(ini
62036  {
62037         int count = preempt_count();
62038         int ret;
62039 +       const char *msg1 = "", *msg2 = "";
62040  
62041         if (initcall_debug)
62042                 ret = do_one_initcall_debug(fn);
62043 @@ -679,15 +725,15 @@ int __init_or_module do_one_initcall(ini
62044                 sprintf(msgbuf, "error code %d ", ret);
62045  
62046         if (preempt_count() != count) {
62047 -               strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
62048 +               msg1 = " preemption imbalance";
62049                 preempt_count() = count;
62050         }
62051         if (irqs_disabled()) {
62052 -               strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
62053 +               msg2 = " disabled interrupts";
62054                 local_irq_enable();
62055         }
62056 -       if (msgbuf[0]) {
62057 -               printk("initcall %pF returned with %s\n", fn, msgbuf);
62058 +       if (msgbuf[0] || *msg1 || *msg2) {
62059 +               printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
62060         }
62061  
62062         return ret;
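Review bot: The new `msg1`/`msg2` strings carry a leading space while `msgbuf` keeps its trailing one (`sprintf(msgbuf, "error code %d ", ret)` at the top of the hunk), so the printk now emits a double space — `returned with error code -5  preemption imbalance` — and, when only a flag fires, `returned with  preemption imbalance`. Keeping the original trailing-space convention fixes it in two lines: `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";`. do_one_initcall begins and ends outside this hunk.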
62063 @@ -805,7 +851,7 @@ static int __init kernel_init(void * unu
62064         do_basic_setup();
62065  
62066         /* Open the /dev/console on the rootfs, this should never fail */
62067 -       if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
62068 +       if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
62069                 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
62070  
62071         (void) sys_dup(0);
62072 @@ -818,11 +864,13 @@ static int __init kernel_init(void * unu
62073         if (!ramdisk_execute_command)
62074                 ramdisk_execute_command = "/init";
62075  
62076 -       if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
62077 +       if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
62078                 ramdisk_execute_command = NULL;
62079                 prepare_namespace();
62080         }
62081  
62082 +       grsecurity_init();
62083 +
62084         /*
62085          * Ok, we have completed the initial bootup, and
62086          * we're essentially up and running. Get rid of the
62087 diff -urNp linux-3.0.9/ipc/mqueue.c linux-3.0.9/ipc/mqueue.c
62088 --- linux-3.0.9/ipc/mqueue.c    2011-11-11 13:12:24.000000000 -0500
62089 +++ linux-3.0.9/ipc/mqueue.c    2011-11-15 20:03:00.000000000 -0500
62090 @@ -156,6 +156,7 @@ static struct inode *mqueue_get_inode(st
62091                 mq_bytes = (mq_msg_tblsz +
62092                         (info->attr.mq_maxmsg * info->attr.mq_msgsize));
62093  
62094 +               gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
62095                 spin_lock(&mq_lock);
62096                 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
62097                     u->mq_bytes + mq_bytes > task_rlimit(p, RLIMIT_MSGQUEUE)) {
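Review bot: The added `gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1)` reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken, so the value it reports can be stale relative to the check under the lock and may already have wrapped — the very next line tests `u->mq_bytes + mq_bytes < u->mq_bytes` for exactly that overflow. If the learning callback is best-effort that is acceptable, but it should say so: `/* unlocked read of u->mq_bytes: learning data only; the authoritative check is under mq_lock below */`. Otherwise move the call under the lock, after the overflow check, provided gr_learn_resource() cannot sleep. mqueue_get_inode begins before this hunk.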
62098 diff -urNp linux-3.0.9/ipc/msg.c linux-3.0.9/ipc/msg.c
62099 --- linux-3.0.9/ipc/msg.c       2011-11-11 13:12:24.000000000 -0500
62100 +++ linux-3.0.9/ipc/msg.c       2011-11-15 20:03:00.000000000 -0500
62101 @@ -309,18 +309,19 @@ static inline int msg_security(struct ke
62102         return security_msg_queue_associate(msq, msgflg);
62103  }
62104  
62105 +static struct ipc_ops msg_ops = {
62106 +       .getnew         = newque,
62107 +       .associate      = msg_security,
62108 +       .more_checks    = NULL
62109 +};
62110 +
62111  SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
62112  {
62113         struct ipc_namespace *ns;
62114 -       struct ipc_ops msg_ops;
62115         struct ipc_params msg_params;
62116  
62117         ns = current->nsproxy->ipc_ns;
62118  
62119 -       msg_ops.getnew = newque;
62120 -       msg_ops.associate = msg_security;
62121 -       msg_ops.more_checks = NULL;
62122 -
62123         msg_params.key = key;
62124         msg_params.flg = msgflg;
62125  
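Review bot: `static struct ipc_ops msg_ops` turns a per-call stack table into a long-lived writable function-pointer table in .data, which is the opposite of what this patch does for other ops structures (cf. the `__do_const` added to include/sound/soc.h earlier in this same patch). It should be `static const struct ipc_ops msg_ops = { ... };`; that requires ipcget()'s `struct ipc_ops *ops` parameter (outside this hunk) to take a `const` pointer, which is a small follow-up. The same applies to the `sem_ops` and `shm_ops` tables moved to file scope in ipc/sem.c and ipc/shm.c.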
62126 diff -urNp linux-3.0.9/ipc/sem.c linux-3.0.9/ipc/sem.c
62127 --- linux-3.0.9/ipc/sem.c       2011-11-11 13:12:24.000000000 -0500
62128 +++ linux-3.0.9/ipc/sem.c       2011-11-15 20:03:00.000000000 -0500
62129 @@ -318,10 +318,15 @@ static inline int sem_more_checks(struct
62130         return 0;
62131  }
62132  
62133 +static struct ipc_ops sem_ops = {
62134 +       .getnew         = newary,
62135 +       .associate      = sem_security,
62136 +       .more_checks    = sem_more_checks
62137 +};
62138 +
62139  SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
62140  {
62141         struct ipc_namespace *ns;
62142 -       struct ipc_ops sem_ops;
62143         struct ipc_params sem_params;
62144  
62145         ns = current->nsproxy->ipc_ns;
62146 @@ -329,10 +334,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
62147         if (nsems < 0 || nsems > ns->sc_semmsl)
62148                 return -EINVAL;
62149  
62150 -       sem_ops.getnew = newary;
62151 -       sem_ops.associate = sem_security;
62152 -       sem_ops.more_checks = sem_more_checks;
62153 -
62154         sem_params.key = key;
62155         sem_params.flg = semflg;
62156         sem_params.u.nsems = nsems;
62157 @@ -854,6 +855,8 @@ static int semctl_main(struct ipc_namesp
62158         int nsems;
62159         struct list_head tasks;
62160  
62161 +       pax_track_stack();
62162 +
62163         sma = sem_lock_check(ns, semid);
62164         if (IS_ERR(sma))
62165                 return PTR_ERR(sma);
62166 @@ -1301,6 +1304,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid, 
62167         struct ipc_namespace *ns;
62168         struct list_head tasks;
62169  
62170 +       pax_track_stack();
62171 +
62172         ns = current->nsproxy->ipc_ns;
62173  
62174         if (nsops < 1 || semid < 0)
62175 diff -urNp linux-3.0.9/ipc/shm.c linux-3.0.9/ipc/shm.c
62176 --- linux-3.0.9/ipc/shm.c       2011-11-11 13:12:24.000000000 -0500
62177 +++ linux-3.0.9/ipc/shm.c       2011-11-15 20:03:00.000000000 -0500
62178 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
62179  static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
62180  #endif
62181  
62182 +#ifdef CONFIG_GRKERNSEC
62183 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62184 +                          const time_t shm_createtime, const uid_t cuid,
62185 +                          const int shmid);
62186 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62187 +                          const time_t shm_createtime);
62188 +#endif
62189 +
62190  void shm_init_ns(struct ipc_namespace *ns)
62191  {
62192         ns->shm_ctlmax = SHMMAX;
62193 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
62194         shp->shm_lprid = 0;
62195         shp->shm_atim = shp->shm_dtim = 0;
62196         shp->shm_ctim = get_seconds();
62197 +#ifdef CONFIG_GRKERNSEC
62198 +       {
62199 +               struct timespec timeval;
62200 +               do_posix_clock_monotonic_gettime(&timeval);
62201 +
62202 +               shp->shm_createtime = timeval.tv_sec;
62203 +       }
62204 +#endif
62205         shp->shm_segsz = size;
62206         shp->shm_nattch = 0;
62207         shp->shm_file = file;
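Review bot: The local in the new CONFIG_GRKERNSEC block is named `timeval` but is a `struct timespec`, and it takes `shm_createtime` from `do_posix_clock_monotonic_gettime()` while the adjacent `shm_ctim` uses wall-clock `get_seconds()` — two different clocks one line apart with nothing saying why. If the monotonic choice is deliberate (unaffected by settimeofday/NTP steps, which presumably matters if shm_createtime is later compared with process start times), record it: `/* monotonic, not wall-clock: must stay comparable with other grsec timestamps across clock steps */`, and rename the variable to `ts`. newseg begins and ends outside this hunk.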
62208 @@ -451,18 +467,19 @@ static inline int shm_more_checks(struct
62209         return 0;
62210  }
62211  
62212 +static struct ipc_ops shm_ops = {
62213 +       .getnew         = newseg,
62214 +       .associate      = shm_security,
62215 +       .more_checks    = shm_more_checks
62216 +};
62217 +
62218  SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
62219  {
62220         struct ipc_namespace *ns;
62221 -       struct ipc_ops shm_ops;
62222         struct ipc_params shm_params;
62223  
62224         ns = current->nsproxy->ipc_ns;
62225  
62226 -       shm_ops.getnew = newseg;
62227 -       shm_ops.associate = shm_security;
62228 -       shm_ops.more_checks = shm_more_checks;
62229 -
62230         shm_params.key = key;
62231         shm_params.flg = shmflg;
62232         shm_params.u.size = size;
62233 @@ -762,8 +779,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
62234         case SHM_LOCK:
62235         case SHM_UNLOCK:
62236         {
62237 -               struct file *uninitialized_var(shm_file);
62238 -
62239                 lru_add_drain_all();  /* drain pagevecs to lru lists */
62240  
62241                 shp = shm_lock_check(ns, shmid);
62242 @@ -896,9 +911,21 @@ long do_shmat(int shmid, char __user *sh
62243         if (err)
62244                 goto out_unlock;
62245  
62246 +#ifdef CONFIG_GRKERNSEC
62247 +       if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
62248 +                            shp->shm_perm.cuid, shmid) ||
62249 +           !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
62250 +               err = -EACCES;
62251 +               goto out_unlock;
62252 +       }
62253 +#endif
62254 +
62255         path = shp->shm_file->f_path;
62256         path_get(&path);
62257         shp->shm_nattch++;
62258 +#ifdef CONFIG_GRKERNSEC
62259 +       shp->shm_lapid = current->pid;
62260 +#endif
62261         size = i_size_read(path.dentry->d_inode);
62262         shm_unlock(shp);
62263  
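Review bot: The new `shp->shm_lapid = current->pid;` stores the attaching thread's global pid rather than its thread-group id, so two threads of one process attaching the same segment record different values; if the RBAC checks above treat the field as a per-process identity, `task_tgid_nr(current)` is the value they expect, and otherwise a comment should say that per-thread tracking is intended. The denial block also deserves a comment, e.g. `/* grsec RBAC: refuse the attach if the policy or the chroot restriction forbids it; kept before shm_nattch++ so a denial takes no reference */`. The `do_shmat` body begins and ends outside the hunk.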
62264 diff -urNp linux-3.0.9/kernel/acct.c linux-3.0.9/kernel/acct.c
62265 --- linux-3.0.9/kernel/acct.c   2011-11-11 13:12:24.000000000 -0500
62266 +++ linux-3.0.9/kernel/acct.c   2011-11-15 20:03:00.000000000 -0500
62267 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
62268          */
62269         flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
62270         current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
62271 -       file->f_op->write(file, (char *)&ac,
62272 +       file->f_op->write(file, (char __force_user *)&ac,
62273                                sizeof(acct_t), &file->f_pos);
62274         current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
62275         set_fs(fs);
62276 diff -urNp linux-3.0.9/kernel/audit.c linux-3.0.9/kernel/audit.c
62277 --- linux-3.0.9/kernel/audit.c  2011-11-11 13:12:24.000000000 -0500
62278 +++ linux-3.0.9/kernel/audit.c  2011-11-15 20:03:00.000000000 -0500
62279 @@ -112,7 +112,7 @@ u32         audit_sig_sid = 0;
62280     3) suppressed due to audit_rate_limit
62281     4) suppressed due to audit_backlog_limit
62282  */
62283 -static atomic_t    audit_lost = ATOMIC_INIT(0);
62284 +static atomic_unchecked_t    audit_lost = ATOMIC_INIT(0);
62285  
62286  /* The netlink socket. */
62287  static struct sock *audit_sock;
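Review bot: `audit_lost` is switched to `atomic_unchecked_t` with no comment recording why this counter is exempt from PAX_REFCOUNT overflow detection; add `/* statistics only, not a refcount: wrap-around is harmless, so opt out of overflow checking */` above the declaration. The same explanation is missing from the three `atomic_inc_unchecked`/`atomic_read_unchecked` hunks that follow in this file, from `session_id` in kernel/auditsc.c, from `kgdb_break_tasklet_var` and `kgdb_cpu_doing_single_step` in kernel/debug/debug_core.c, and from `perf_event_id` and the `child_*` counters in kernel/events/core.c. `session_id` in particular is an identifier rather than a statistic: after a silent 32-bit wrap audit session ids repeat, so its comment should state that this is accepted rather than leave it implicit.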
62288 @@ -234,7 +234,7 @@ void audit_log_lost(const char *message)
62289         unsigned long           now;
62290         int                     print;
62291  
62292 -       atomic_inc(&audit_lost);
62293 +       atomic_inc_unchecked(&audit_lost);
62294  
62295         print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
62296  
62297 @@ -253,7 +253,7 @@ void audit_log_lost(const char *message)
62298                         printk(KERN_WARNING
62299                                 "audit: audit_lost=%d audit_rate_limit=%d "
62300                                 "audit_backlog_limit=%d\n",
62301 -                               atomic_read(&audit_lost),
62302 +                               atomic_read_unchecked(&audit_lost),
62303                                 audit_rate_limit,
62304                                 audit_backlog_limit);
62305                 audit_panic(message);
62306 @@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_b
62307                 status_set.pid           = audit_pid;
62308                 status_set.rate_limit    = audit_rate_limit;
62309                 status_set.backlog_limit = audit_backlog_limit;
62310 -               status_set.lost          = atomic_read(&audit_lost);
62311 +               status_set.lost          = atomic_read_unchecked(&audit_lost);
62312                 status_set.backlog       = skb_queue_len(&audit_skb_queue);
62313                 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
62314                                  &status_set, sizeof(status_set));
62315 diff -urNp linux-3.0.9/kernel/auditsc.c linux-3.0.9/kernel/auditsc.c
62316 --- linux-3.0.9/kernel/auditsc.c        2011-11-11 13:12:24.000000000 -0500
62317 +++ linux-3.0.9/kernel/auditsc.c        2011-11-15 20:03:00.000000000 -0500
62318 @@ -2118,7 +2118,7 @@ int auditsc_get_stamp(struct audit_conte
62319  }
62320  
62321  /* global counter which is incremented every time something logs in */
62322 -static atomic_t session_id = ATOMIC_INIT(0);
62323 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
62324  
62325  /**
62326   * audit_set_loginuid - set a task's audit_context loginuid
62327 @@ -2131,7 +2131,7 @@ static atomic_t session_id = ATOMIC_INIT
62328   */
62329  int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
62330  {
62331 -       unsigned int sessionid = atomic_inc_return(&session_id);
62332 +       unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
62333         struct audit_context *context = task->audit_context;
62334  
62335         if (context && context->in_syscall) {
62336 diff -urNp linux-3.0.9/kernel/capability.c linux-3.0.9/kernel/capability.c
62337 --- linux-3.0.9/kernel/capability.c     2011-11-11 13:12:24.000000000 -0500
62338 +++ linux-3.0.9/kernel/capability.c     2011-11-15 20:03:00.000000000 -0500
62339 @@ -202,6 +202,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
62340                  * before modification is attempted and the application
62341                  * fails.
62342                  */
62343 +               if (tocopy > ARRAY_SIZE(kdata))
62344 +                       return -EFAULT;
62345 +
62346                 if (copy_to_user(dataptr, kdata, tocopy
62347                                  * sizeof(struct __user_cap_data_struct))) {
62348                         return -EFAULT;
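Review bot: The new guard `if (tocopy > ARRAY_SIZE(kdata)) return -EFAULT;` reports what looks like a kernel-internal inconsistency as a bad user pointer; `tocopy` appears to be derived from the already-validated header version earlier in `capget` (outside this hunk), so the condition should be unreachable and `-EINVAL`, optionally with `WARN_ON_ONCE(1)`, would be the more accurate and more visible response. A short comment, e.g. `/* bound the tocopy * sizeof() length handed to copy_to_user() below */`, would tell the next reader what the check protects. The enclosing block starts and ends outside the hunk.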
62349 @@ -374,7 +377,7 @@ bool ns_capable(struct user_namespace *n
62350                 BUG();
62351         }
62352  
62353 -       if (security_capable(ns, current_cred(), cap) == 0) {
62354 +       if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
62355                 current->flags |= PF_SUPERPRIV;
62356                 return true;
62357         }
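Review bot: The added `&& gr_is_capable(cap)` leaves the reader to infer that the grsec RBAC decision can only narrow what the LSM stack already granted and that, because of the short-circuit, it is neither evaluated nor logged when `security_capable()` denies; a comment such as `/* grsec RBAC may only further restrict; evaluated (and logged) only if the LSM check passed */` would record both facts. The enclosing `ns_capable` starts and ends outside the hunk.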
62358 @@ -382,6 +385,27 @@ bool ns_capable(struct user_namespace *n
62359  }
62360  EXPORT_SYMBOL(ns_capable);
62361  
62362 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
62363 +{
62364 +       if (unlikely(!cap_valid(cap))) {
62365 +               printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
62366 +               BUG();
62367 +       }
62368 +
62369 +       if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
62370 +               current->flags |= PF_SUPERPRIV;
62371 +               return true;
62372 +       }
62373 +       return false;
62374 +}
62375 +EXPORT_SYMBOL(ns_capable_nolog);
62376 +
62377 +bool capable_nolog(int cap)
62378 +{
62379 +       return ns_capable_nolog(&init_user_ns, cap);
62380 +}
62381 +EXPORT_SYMBOL(capable_nolog);
62382 +
62383  /**
62384   * task_ns_capable - Determine whether current task has a superior
62385   * capability targeted at a specific task's user namespace.
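Review bot: `ns_capable_nolog` duplicates the body of `ns_capable` except for calling `gr_is_capable_nolog()` instead of `gr_is_capable()`; a single static helper taking the grsec predicate (or a `bool log` flag) would keep the two from drifting apart, and the `KERN_CRIT` message should name the function it is in rather than `capable()`. Neither new function carries the kernel-doc block its neighbours have: a `/** ns_capable_nolog - ... */` comment should state that it behaves as `ns_capable()` but suppresses grsec audit logging (for callers that probe capabilities speculatively, if that is the intent) while still setting `PF_SUPERPRIV`. The same documentation gap applies to `task_ns_capable_nolog` in the next hunk.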
62386 @@ -396,6 +420,12 @@ bool task_ns_capable(struct task_struct 
62387  }
62388  EXPORT_SYMBOL(task_ns_capable);
62389  
62390 +bool task_ns_capable_nolog(struct task_struct *t, int cap)
62391 +{
62392 +       return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
62393 +}
62394 +EXPORT_SYMBOL(task_ns_capable_nolog);
62395 +
62396  /**
62397   * nsown_capable - Check superior capability to one's own user_ns
62398   * @cap: The capability in question
62399 diff -urNp linux-3.0.9/kernel/cgroup.c linux-3.0.9/kernel/cgroup.c
62400 --- linux-3.0.9/kernel/cgroup.c 2011-11-11 13:12:24.000000000 -0500
62401 +++ linux-3.0.9/kernel/cgroup.c 2011-11-15 20:03:00.000000000 -0500
62402 @@ -593,6 +593,8 @@ static struct css_set *find_css_set(
62403         struct hlist_head *hhead;
62404         struct cg_cgroup_link *link;
62405  
62406 +       pax_track_stack();
62407 +
62408         /* First see if we already have a cgroup group that matches
62409          * the desired set */
62410         read_lock(&css_set_lock);
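Review bot: The `pax_track_stack();` call is dropped into `find_css_set` with no comment, and the same unexplained call is repeated in every hunk of kernel/cred.c below, including one-line wrappers such as `set_security_override`. If this is the PAX_MEMORY_STACKLEAK stack-depth instrumentation, a single comment at this first site, e.g. `/* PaX STACKLEAK: record stack depth on entry so the used range is cleared on return */`, would make the intent clear without repeating it at each call. The enclosing `find_css_set` starts and ends outside the hunk.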
62411 diff -urNp linux-3.0.9/kernel/compat.c linux-3.0.9/kernel/compat.c
62412 --- linux-3.0.9/kernel/compat.c 2011-11-11 13:12:24.000000000 -0500
62413 +++ linux-3.0.9/kernel/compat.c 2011-11-15 20:03:00.000000000 -0500
62414 @@ -13,6 +13,7 @@
62415  
62416  #include <linux/linkage.h>
62417  #include <linux/compat.h>
62418 +#include <linux/module.h>
62419  #include <linux/errno.h>
62420  #include <linux/time.h>
62421  #include <linux/signal.h>
62422 @@ -166,7 +167,7 @@ static long compat_nanosleep_restart(str
62423         mm_segment_t oldfs;
62424         long ret;
62425  
62426 -       restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
62427 +       restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
62428         oldfs = get_fs();
62429         set_fs(KERNEL_DS);
62430         ret = hrtimer_nanosleep_restart(restart);
62431 @@ -198,7 +199,7 @@ asmlinkage long compat_sys_nanosleep(str
62432         oldfs = get_fs();
62433         set_fs(KERNEL_DS);
62434         ret = hrtimer_nanosleep(&tu,
62435 -                               rmtp ? (struct timespec __user *)&rmt : NULL,
62436 +                               rmtp ? (struct timespec __force_user *)&rmt : NULL,
62437                                 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
62438         set_fs(oldfs);
62439  
62440 @@ -307,7 +308,7 @@ asmlinkage long compat_sys_sigpending(co
62441         mm_segment_t old_fs = get_fs();
62442  
62443         set_fs(KERNEL_DS);
62444 -       ret = sys_sigpending((old_sigset_t __user *) &s);
62445 +       ret = sys_sigpending((old_sigset_t __force_user *) &s);
62446         set_fs(old_fs);
62447         if (ret == 0)
62448                 ret = put_user(s, set);
62449 @@ -368,7 +369,7 @@ asmlinkage long compat_sys_old_getrlimit
62450         mm_segment_t old_fs = get_fs();
62451  
62452         set_fs(KERNEL_DS);
62453 -       ret = sys_old_getrlimit(resource, &r);
62454 +       ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
62455         set_fs(old_fs);
62456  
62457         if (!ret) {
62458 @@ -440,7 +441,7 @@ asmlinkage long compat_sys_getrusage(int
62459         mm_segment_t old_fs = get_fs();
62460  
62461         set_fs(KERNEL_DS);
62462 -       ret = sys_getrusage(who, (struct rusage __user *) &r);
62463 +       ret = sys_getrusage(who, (struct rusage __force_user *) &r);
62464         set_fs(old_fs);
62465  
62466         if (ret)
62467 @@ -467,8 +468,8 @@ compat_sys_wait4(compat_pid_t pid, compa
62468                 set_fs (KERNEL_DS);
62469                 ret = sys_wait4(pid,
62470                                 (stat_addr ?
62471 -                                (unsigned int __user *) &status : NULL),
62472 -                               options, (struct rusage __user *) &r);
62473 +                                (unsigned int __force_user *) &status : NULL),
62474 +                               options, (struct rusage __force_user *) &r);
62475                 set_fs (old_fs);
62476  
62477                 if (ret > 0) {
62478 @@ -493,8 +494,8 @@ asmlinkage long compat_sys_waitid(int wh
62479         memset(&info, 0, sizeof(info));
62480  
62481         set_fs(KERNEL_DS);
62482 -       ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
62483 -                        uru ? (struct rusage __user *)&ru : NULL);
62484 +       ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
62485 +                        uru ? (struct rusage __force_user *)&ru : NULL);
62486         set_fs(old_fs);
62487  
62488         if ((ret < 0) || (info.si_signo == 0))
62489 @@ -624,8 +625,8 @@ long compat_sys_timer_settime(timer_t ti
62490         oldfs = get_fs();
62491         set_fs(KERNEL_DS);
62492         err = sys_timer_settime(timer_id, flags,
62493 -                               (struct itimerspec __user *) &newts,
62494 -                               (struct itimerspec __user *) &oldts);
62495 +                               (struct itimerspec __force_user *) &newts,
62496 +                               (struct itimerspec __force_user *) &oldts);
62497         set_fs(oldfs);
62498         if (!err && old && put_compat_itimerspec(old, &oldts))
62499                 return -EFAULT;
62500 @@ -642,7 +643,7 @@ long compat_sys_timer_gettime(timer_t ti
62501         oldfs = get_fs();
62502         set_fs(KERNEL_DS);
62503         err = sys_timer_gettime(timer_id,
62504 -                               (struct itimerspec __user *) &ts);
62505 +                               (struct itimerspec __force_user *) &ts);
62506         set_fs(oldfs);
62507         if (!err && put_compat_itimerspec(setting, &ts))
62508                 return -EFAULT;
62509 @@ -661,7 +662,7 @@ long compat_sys_clock_settime(clockid_t 
62510         oldfs = get_fs();
62511         set_fs(KERNEL_DS);
62512         err = sys_clock_settime(which_clock,
62513 -                               (struct timespec __user *) &ts);
62514 +                               (struct timespec __force_user *) &ts);
62515         set_fs(oldfs);
62516         return err;
62517  }
62518 @@ -676,7 +677,7 @@ long compat_sys_clock_gettime(clockid_t 
62519         oldfs = get_fs();
62520         set_fs(KERNEL_DS);
62521         err = sys_clock_gettime(which_clock,
62522 -                               (struct timespec __user *) &ts);
62523 +                               (struct timespec __force_user *) &ts);
62524         set_fs(oldfs);
62525         if (!err && put_compat_timespec(&ts, tp))
62526                 return -EFAULT;
62527 @@ -696,7 +697,7 @@ long compat_sys_clock_adjtime(clockid_t 
62528  
62529         oldfs = get_fs();
62530         set_fs(KERNEL_DS);
62531 -       ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
62532 +       ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
62533         set_fs(oldfs);
62534  
62535         err = compat_put_timex(utp, &txc);
62536 @@ -716,7 +717,7 @@ long compat_sys_clock_getres(clockid_t w
62537         oldfs = get_fs();
62538         set_fs(KERNEL_DS);
62539         err = sys_clock_getres(which_clock,
62540 -                              (struct timespec __user *) &ts);
62541 +                              (struct timespec __force_user *) &ts);
62542         set_fs(oldfs);
62543         if (!err && tp && put_compat_timespec(&ts, tp))
62544                 return -EFAULT;
62545 @@ -728,9 +729,9 @@ static long compat_clock_nanosleep_resta
62546         long err;
62547         mm_segment_t oldfs;
62548         struct timespec tu;
62549 -       struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
62550 +       struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
62551  
62552 -       restart->nanosleep.rmtp = (struct timespec __user *) &tu;
62553 +       restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
62554         oldfs = get_fs();
62555         set_fs(KERNEL_DS);
62556         err = clock_nanosleep_restart(restart);
62557 @@ -762,8 +763,8 @@ long compat_sys_clock_nanosleep(clockid_
62558         oldfs = get_fs();
62559         set_fs(KERNEL_DS);
62560         err = sys_clock_nanosleep(which_clock, flags,
62561 -                                 (struct timespec __user *) &in,
62562 -                                 (struct timespec __user *) &out);
62563 +                                 (struct timespec __force_user *) &in,
62564 +                                 (struct timespec __force_user *) &out);
62565         set_fs(oldfs);
62566  
62567         if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
62568 diff -urNp linux-3.0.9/kernel/configs.c linux-3.0.9/kernel/configs.c
62569 --- linux-3.0.9/kernel/configs.c        2011-11-11 13:12:24.000000000 -0500
62570 +++ linux-3.0.9/kernel/configs.c        2011-11-15 20:03:00.000000000 -0500
62571 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
62572         struct proc_dir_entry *entry;
62573  
62574         /* create the current config file */
62575 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
62576 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
62577 +       entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
62578 +                           &ikconfig_file_ops);
62579 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
62580 +       entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
62581 +                           &ikconfig_file_ops);
62582 +#endif
62583 +#else
62584         entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
62585                             &ikconfig_file_ops);
62586 +#endif
62587 +
62588         if (!entry)
62589                 return -ENOMEM;
62590  
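Review bot: Under `CONFIG_GRKERNSEC_PROC_ADD` the inner `#if`/`#elif` at the top of the hunk has no fallback, so a configuration with `PROC_ADD` set but none of `PROC_USER`, `PROC_USERGROUP` or `HIDESYM` would reach `if (!entry)` with `entry` uninitialised. If Kconfig guarantees one of them is always selected, make that visible with `#else` / `#error "CONFIG_GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` / `#endif`; otherwise fall back to the existing `S_IRUGO` call. A comment noting that the mode narrows read access to `/proc/config.gz` to root (or the configured group) would also help. `ikconfig_init` continues past the end of the hunk.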
62591 diff -urNp linux-3.0.9/kernel/cred.c linux-3.0.9/kernel/cred.c
62592 --- linux-3.0.9/kernel/cred.c   2011-11-11 13:12:24.000000000 -0500
62593 +++ linux-3.0.9/kernel/cred.c   2011-11-15 20:03:00.000000000 -0500
62594 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
62595   */
62596  void __put_cred(struct cred *cred)
62597  {
62598 +       pax_track_stack();
62599 +
62600         kdebug("__put_cred(%p{%d,%d})", cred,
62601                atomic_read(&cred->usage),
62602                read_cred_subscribers(cred));
62603 @@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
62604  {
62605         struct cred *cred;
62606  
62607 +       pax_track_stack();
62608 +
62609         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
62610                atomic_read(&tsk->cred->usage),
62611                read_cred_subscribers(tsk->cred));
62612 @@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct 
62613  {
62614         const struct cred *cred;
62615  
62616 +       pax_track_stack();
62617 +
62618         rcu_read_lock();
62619  
62620         do {
62621 @@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
62622  {
62623         struct cred *new;
62624  
62625 +       pax_track_stack();
62626 +
62627         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
62628         if (!new)
62629                 return NULL;
62630 @@ -268,6 +276,8 @@ struct cred *__prepare_creds(const struc
62631  {
62632         struct cred *new;
62633  
62634 +       pax_track_stack();
62635 +
62636         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62637         if (!new)
62638                 return NULL;
62639 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
62640         struct thread_group_cred *tgcred = NULL;
62641         struct cred *new;
62642  
62643 +       pax_track_stack();
62644 +
62645  #ifdef CONFIG_KEYS
62646         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
62647         if (!tgcred)
62648 @@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
62649         struct cred *new;
62650         int ret;
62651  
62652 +       pax_track_stack();
62653 +
62654         if (
62655  #ifdef CONFIG_KEYS
62656                 !p->cred->thread_keyring &&
62657 @@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
62658         struct task_struct *task = current;
62659         const struct cred *old = task->real_cred;
62660  
62661 +       pax_track_stack();
62662 +
62663         kdebug("commit_creds(%p{%d,%d})", new,
62664                atomic_read(&new->usage),
62665                read_cred_subscribers(new));
62666 @@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
62667  
62668         get_cred(new); /* we will require a ref for the subj creds too */
62669  
62670 +       gr_set_role_label(task, new->uid, new->gid);
62671 +
62672         /* dumpability changes */
62673         if (old->euid != new->euid ||
62674             old->egid != new->egid ||
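Review bot: `gr_set_role_label(task, new->uid, new->gid);` runs before `task->real_cred`/`task->cred` are switched further down `commit_creds` (outside this hunk), so for a short window the RBAC role reflects credentials the task does not yet hold; if the hook derives the role only from the passed uid/gid that is harmless, but a comment should say so, e.g. `/* grsec RBAC: select the role for the new uid/gid ahead of the pointer switch; relies on nothing below being able to fail -- confirm */`. If any later step in `commit_creds` can still abort, the label change must move after the commit or be undone on that path.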
62675 @@ -508,10 +526,8 @@ int commit_creds(struct cred *new)
62676                 key_fsgid_changed(task);
62677  
62678         /* do it
62679 -        * - What if a process setreuid()'s and this brings the
62680 -        *   new uid over his NPROC rlimit?  We can check this now
62681 -        *   cheaply with the new uid cache, so if it matters
62682 -        *   we should be checking for it.  -DaveM
62683 +        * RLIMIT_NPROC limits on user->processes have already been checked
62684 +        * in set_user().
62685          */
62686         alter_cred_subscribers(new, 2);
62687         if (new->user != old->user)
62688 @@ -551,6 +567,8 @@ EXPORT_SYMBOL(commit_creds);
62689   */
62690  void abort_creds(struct cred *new)
62691  {
62692 +       pax_track_stack();
62693 +
62694         kdebug("abort_creds(%p{%d,%d})", new,
62695                atomic_read(&new->usage),
62696                read_cred_subscribers(new));
62697 @@ -574,6 +592,8 @@ const struct cred *override_creds(const 
62698  {
62699         const struct cred *old = current->cred;
62700  
62701 +       pax_track_stack();
62702 +
62703         kdebug("override_creds(%p{%d,%d})", new,
62704                atomic_read(&new->usage),
62705                read_cred_subscribers(new));
62706 @@ -603,6 +623,8 @@ void revert_creds(const struct cred *old
62707  {
62708         const struct cred *override = current->cred;
62709  
62710 +       pax_track_stack();
62711 +
62712         kdebug("revert_creds(%p{%d,%d})", old,
62713                atomic_read(&old->usage),
62714                read_cred_subscribers(old));
62715 @@ -649,6 +671,8 @@ struct cred *prepare_kernel_cred(struct 
62716         const struct cred *old;
62717         struct cred *new;
62718  
62719 +       pax_track_stack();
62720 +
62721         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62722         if (!new)
62723                 return NULL;
62724 @@ -703,6 +727,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
62725   */
62726  int set_security_override(struct cred *new, u32 secid)
62727  {
62728 +       pax_track_stack();
62729 +
62730         return security_kernel_act_as(new, secid);
62731  }
62732  EXPORT_SYMBOL(set_security_override);
62733 @@ -722,6 +748,8 @@ int set_security_override_from_ctx(struc
62734         u32 secid;
62735         int ret;
62736  
62737 +       pax_track_stack();
62738 +
62739         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
62740         if (ret < 0)
62741                 return ret;
62742 diff -urNp linux-3.0.9/kernel/debug/debug_core.c linux-3.0.9/kernel/debug/debug_core.c
62743 --- linux-3.0.9/kernel/debug/debug_core.c       2011-11-11 13:12:24.000000000 -0500
62744 +++ linux-3.0.9/kernel/debug/debug_core.c       2011-11-15 20:03:00.000000000 -0500
62745 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
62746   */
62747  static atomic_t                        masters_in_kgdb;
62748  static atomic_t                        slaves_in_kgdb;
62749 -static atomic_t                        kgdb_break_tasklet_var;
62750 +static atomic_unchecked_t      kgdb_break_tasklet_var;
62751  atomic_t                       kgdb_setting_breakpoint;
62752  
62753  struct task_struct             *kgdb_usethread;
62754 @@ -129,7 +129,7 @@ int                         kgdb_single_step;
62755  static pid_t                   kgdb_sstep_pid;
62756  
62757  /* to keep track of the CPU which is doing the single stepping*/
62758 -atomic_t                       kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62759 +atomic_unchecked_t             kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62760  
62761  /*
62762   * If you are debugging a problem where roundup (the collection of
62763 @@ -542,7 +542,7 @@ return_normal:
62764          * kernel will only try for the value of sstep_tries before
62765          * giving up and continuing on.
62766          */
62767 -       if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
62768 +       if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
62769             (kgdb_info[cpu].task &&
62770              kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
62771                 atomic_set(&kgdb_active, -1);
62772 @@ -636,8 +636,8 @@ cpu_master_loop:
62773         }
62774  
62775  kgdb_restore:
62776 -       if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
62777 -               int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
62778 +       if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
62779 +               int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
62780                 if (kgdb_info[sstep_cpu].task)
62781                         kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
62782                 else
62783 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
62784  static void kgdb_tasklet_bpt(unsigned long ing)
62785  {
62786         kgdb_breakpoint();
62787 -       atomic_set(&kgdb_break_tasklet_var, 0);
62788 +       atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
62789  }
62790  
62791  static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
62792  
62793  void kgdb_schedule_breakpoint(void)
62794  {
62795 -       if (atomic_read(&kgdb_break_tasklet_var) ||
62796 +       if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
62797                 atomic_read(&kgdb_active) != -1 ||
62798                 atomic_read(&kgdb_setting_breakpoint))
62799                 return;
62800 -       atomic_inc(&kgdb_break_tasklet_var);
62801 +       atomic_inc_unchecked(&kgdb_break_tasklet_var);
62802         tasklet_schedule(&kgdb_tasklet_breakpoint);
62803  }
62804  EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
62805 diff -urNp linux-3.0.9/kernel/debug/kdb/kdb_main.c linux-3.0.9/kernel/debug/kdb/kdb_main.c
62806 --- linux-3.0.9/kernel/debug/kdb/kdb_main.c     2011-11-11 13:12:24.000000000 -0500
62807 +++ linux-3.0.9/kernel/debug/kdb/kdb_main.c     2011-11-15 20:03:00.000000000 -0500
62808 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
62809         list_for_each_entry(mod, kdb_modules, list) {
62810  
62811                 kdb_printf("%-20s%8u  0x%p ", mod->name,
62812 -                          mod->core_size, (void *)mod);
62813 +                          mod->core_size_rx + mod->core_size_rw, (void *)mod);
62814  #ifdef CONFIG_MODULE_UNLOAD
62815                 kdb_printf("%4d ", module_refcount(mod));
62816  #endif
62817 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
62818                         kdb_printf(" (Loading)");
62819                 else
62820                         kdb_printf(" (Live)");
62821 -               kdb_printf(" 0x%p", mod->module_core);
62822 +               kdb_printf(" 0x%p 0x%p", mod->module_core_rx,  mod->module_core_rw);
62823  
62824  #ifdef CONFIG_MODULE_UNLOAD
62825                 {
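Review bot: The changed `kdb_printf(" 0x%p 0x%p", mod->module_core_rx,  mod->module_core_rw);` now emits two base addresses per module, but the column header printed earlier in `kdb_lsmod` (outside both hunks) presumably still labels a single address column and should gain RX/RW labels to match; the double space before `mod->module_core_rw` is also a stray. In the preceding hunk the summed `mod->core_size_rx + mod->core_size_rw` is fine, though a comment such as `/* module core is split into rx and rw halves under PaX */` would explain both changes in one place. `kdb_lsmod` starts and ends outside the hunks.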
62826 diff -urNp linux-3.0.9/kernel/events/core.c linux-3.0.9/kernel/events/core.c
62827 --- linux-3.0.9/kernel/events/core.c    2011-11-11 13:12:24.000000000 -0500
62828 +++ linux-3.0.9/kernel/events/core.c    2011-11-15 20:03:00.000000000 -0500
62829 @@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
62830         return 0;
62831  }
62832  
62833 -static atomic64_t perf_event_id;
62834 +static atomic64_unchecked_t perf_event_id;
62835  
62836  static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
62837                               enum event_type_t event_type);
62838 @@ -2488,7 +2488,7 @@ static void __perf_event_read(void *info
62839  
62840  static inline u64 perf_event_count(struct perf_event *event)
62841  {
62842 -       return local64_read(&event->count) + atomic64_read(&event->child_count);
62843 +       return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
62844  }
62845  
62846  static u64 perf_event_read(struct perf_event *event)
62847 @@ -3023,9 +3023,9 @@ u64 perf_event_read_value(struct perf_ev
62848         mutex_lock(&event->child_mutex);
62849         total += perf_event_read(event);
62850         *enabled += event->total_time_enabled +
62851 -                       atomic64_read(&event->child_total_time_enabled);
62852 +                       atomic64_read_unchecked(&event->child_total_time_enabled);
62853         *running += event->total_time_running +
62854 -                       atomic64_read(&event->child_total_time_running);
62855 +                       atomic64_read_unchecked(&event->child_total_time_running);
62856  
62857         list_for_each_entry(child, &event->child_list, child_list) {
62858                 total += perf_event_read(child);
62859 @@ -3388,10 +3388,10 @@ void perf_event_update_userpage(struct p
62860                 userpg->offset -= local64_read(&event->hw.prev_count);
62861  
62862         userpg->time_enabled = event->total_time_enabled +
62863 -                       atomic64_read(&event->child_total_time_enabled);
62864 +                       atomic64_read_unchecked(&event->child_total_time_enabled);
62865  
62866         userpg->time_running = event->total_time_running +
62867 -                       atomic64_read(&event->child_total_time_running);
62868 +                       atomic64_read_unchecked(&event->child_total_time_running);
62869  
62870         barrier();
62871         ++userpg->lock;
62872 @@ -4188,11 +4188,11 @@ static void perf_output_read_one(struct 
62873         values[n++] = perf_event_count(event);
62874         if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
62875                 values[n++] = enabled +
62876 -                       atomic64_read(&event->child_total_time_enabled);
62877 +                       atomic64_read_unchecked(&event->child_total_time_enabled);
62878         }
62879         if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
62880                 values[n++] = running +
62881 -                       atomic64_read(&event->child_total_time_running);
62882 +                       atomic64_read_unchecked(&event->child_total_time_running);
62883         }
62884         if (read_format & PERF_FORMAT_ID)
62885                 values[n++] = primary_event_id(event);
62886 @@ -4833,12 +4833,12 @@ static void perf_event_mmap_event(struct
62887                  * need to add enough zero bytes after the string to handle
62888                  * the 64bit alignment we do later.
62889                  */
62890 -               buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
62891 +               buf = kzalloc(PATH_MAX, GFP_KERNEL);
62892                 if (!buf) {
62893                         name = strncpy(tmp, "//enomem", sizeof(tmp));
62894                         goto got_name;
62895                 }
62896 -               name = d_path(&file->f_path, buf, PATH_MAX);
62897 +               name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
62898                 if (IS_ERR(name)) {
62899                         name = strncpy(tmp, "//toolong", sizeof(tmp));
62900                         goto got_name;
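Review bot: The new `kzalloc(PATH_MAX, GFP_KERNEL)` paired with `d_path(..., PATH_MAX - sizeof(u64))` still leaves the zeroed tail the comment above asks for, but it is a behaviour change: paths longer than `PATH_MAX - 8` bytes that previously fitted now take the `//toolong` branch. That trade-off is not explained anywhere in the hunk; a comment such as `/* allocate exactly PATH_MAX and reserve sizeof(u64) of it for the zero padding, rejecting the last 8 bytes of a maximal path */` would make it deliberate rather than accidental. The enclosing `perf_event_mmap_event` starts and ends outside the hunk.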
62901 @@ -6190,7 +6190,7 @@ perf_event_alloc(struct perf_event_attr 
62902         event->parent           = parent_event;
62903  
62904         event->ns               = get_pid_ns(current->nsproxy->pid_ns);
62905 -       event->id               = atomic64_inc_return(&perf_event_id);
62906 +       event->id               = atomic64_inc_return_unchecked(&perf_event_id);
62907  
62908         event->state            = PERF_EVENT_STATE_INACTIVE;
62909  
62910 @@ -6713,10 +6713,10 @@ static void sync_child_event(struct perf
62911         /*
62912          * Add back the child's count to the parent's count:
62913          */
62914 -       atomic64_add(child_val, &parent_event->child_count);
62915 -       atomic64_add(child_event->total_time_enabled,
62916 +       atomic64_add_unchecked(child_val, &parent_event->child_count);
62917 +       atomic64_add_unchecked(child_event->total_time_enabled,
62918                      &parent_event->child_total_time_enabled);
62919 -       atomic64_add(child_event->total_time_running,
62920 +       atomic64_add_unchecked(child_event->total_time_running,
62921                      &parent_event->child_total_time_running);
62922  
62923         /*
62924 diff -urNp linux-3.0.9/kernel/exit.c linux-3.0.9/kernel/exit.c
62925 --- linux-3.0.9/kernel/exit.c   2011-11-11 13:12:24.000000000 -0500
62926 +++ linux-3.0.9/kernel/exit.c   2011-11-15 20:03:00.000000000 -0500
62927 @@ -57,6 +57,10 @@
62928  #include <asm/pgtable.h>
62929  #include <asm/mmu_context.h>
62930  
62931 +#ifdef CONFIG_GRKERNSEC
62932 +extern rwlock_t grsec_exec_file_lock;
62933 +#endif
62934 +
62935  static void exit_mm(struct task_struct * tsk);
62936  
62937  static void __unhash_process(struct task_struct *p, bool group_dead)
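Review bot: `extern rwlock_t grsec_exec_file_lock;` is declared directly in a `.c` file, which hides the definition's location and stops the compiler from checking it against a shared prototype; the declaration belongs in a grsecurity header so every user sees the same one. A one-line comment on what the lock protects (`current->exec_file`, judging by the later hunks in this file) would also help, e.g. `/* serialises reads/writes of task->exec_file */`.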
62938 @@ -169,6 +173,10 @@ void release_task(struct task_struct * p
62939         struct task_struct *leader;
62940         int zap_leader;
62941  repeat:
62942 +#ifdef CONFIG_NET
62943 +       gr_del_task_from_ip_table(p);
62944 +#endif
62945 +
62946         tracehook_prepare_release_task(p);
62947         /* don't need to get the RCU readlock here - the process is dead and
62948          * can't be modifying its own credentials. But shut RCU-lockdep up */
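Review bot: gr_del_task_from_ip_table(p) is guarded by `#ifdef CONFIG_NET` while every other gr_* call in this file (gr_set_kernel_label, gr_acl_handle_psacct, gr_acl_handle_exit) is left unguarded, presumably relying on stubs when grsecurity is disabled; if a CONFIG_NET stub exists the ifdef is inconsistent, and if not the other hooks are the odd ones out. Whichever is intended, a short comment or the same stub convention would make the guarding uniform. The call also sits after the `repeat:` label, so it runs again if release_task loops back to reap a leader — worth confirming the hook is idempotent. release_task continues outside the hunk.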
62949 @@ -338,11 +346,22 @@ static void reparent_to_kthreadd(void)
62950  {
62951         write_lock_irq(&tasklist_lock);
62952  
62953 +#ifdef CONFIG_GRKERNSEC
62954 +       write_lock(&grsec_exec_file_lock);
62955 +       if (current->exec_file) {
62956 +               fput(current->exec_file);
62957 +               current->exec_file = NULL;
62958 +       }
62959 +       write_unlock(&grsec_exec_file_lock);
62960 +#endif
62961 +
62962         ptrace_unlink(current);
62963         /* Reparent to init */
62964         current->real_parent = current->parent = kthreadd_task;
62965         list_move_tail(&current->sibling, &current->real_parent->children);
62966  
62967 +       gr_set_kernel_label(current);
62968 +
62969         /* Set the exit signal to SIGCHLD so we signal init on exit */
62970         current->exit_signal = SIGCHLD;
62971  
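Review bot: The new block calls fput() on current->exec_file while tasklist_lock is held with interrupts disabled (the write_lock_irq two lines above it, still in force) and additionally under grsec_exec_file_lock; if that fput() drops the last reference, the file release path may sleep, which is not permitted in this context. Confirm that the exec_file reference cannot be the last one here, or move the fput() after write_unlock_irq(&tasklist_lock). The identical eight-line block appears again in the daemonize hunk below; a small helper in the grsecurity code (for example `gr_put_exec_file(struct task_struct *tsk)` — constructed name) would remove the duplication and give the locking rule a single place to be documented. reparent_to_kthreadd continues outside the hunk.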
62972 @@ -394,7 +413,7 @@ int allow_signal(int sig)
62973          * know it'll be handled, so that they don't get converted to
62974          * SIGKILL or just silently dropped.
62975          */
62976 -       current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
62977 +       current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
62978         recalc_sigpending();
62979         spin_unlock_irq(&current->sighand->siglock);
62980         return 0;
62981 @@ -430,6 +449,17 @@ void daemonize(const char *name, ...)
62982         vsnprintf(current->comm, sizeof(current->comm), name, args);
62983         va_end(args);
62984  
62985 +#ifdef CONFIG_GRKERNSEC
62986 +       write_lock(&grsec_exec_file_lock);
62987 +       if (current->exec_file) {
62988 +               fput(current->exec_file);
62989 +               current->exec_file = NULL;
62990 +       }
62991 +       write_unlock(&grsec_exec_file_lock);
62992 +#endif
62993 +
62994 +       gr_set_kernel_label(current);
62995 +
62996         /*
62997          * If we were started as result of loading a module, close all of the
62998          * user space pages.  We don't need them, and if we didn't close them
62999 @@ -904,15 +934,8 @@ NORET_TYPE void do_exit(long code)
63000         struct task_struct *tsk = current;
63001         int group_dead;
63002  
63003 -       profile_task_exit(tsk);
63004 -
63005 -       WARN_ON(atomic_read(&tsk->fs_excl));
63006 -       WARN_ON(blk_needs_flush_plug(tsk));
63007 -
63008         if (unlikely(in_interrupt()))
63009                 panic("Aiee, killing interrupt handler!");
63010 -       if (unlikely(!tsk->pid))
63011 -               panic("Attempted to kill the idle task!");
63012  
63013         /*
63014          * If do_exit is called because this processes oopsed, it's possible
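Review bot: profile_task_exit(), the two WARN_ONs and the idle-task panic are removed here and re-added after set_fs(USER_DS) in the next hunk, but neither side says why the address-limit reset must come first, so a later cleanup could easily reorder them back. A comment above the relocated block, e.g. `/* reset the address limit before anything that may touch user memory */`, would record the reason — the actual motivation is not visible here and should be stated by the author. do_exit continues outside both hunks.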
63015 @@ -923,6 +946,14 @@ NORET_TYPE void do_exit(long code)
63016          */
63017         set_fs(USER_DS);
63018  
63019 +       profile_task_exit(tsk);
63020 +
63021 +       WARN_ON(atomic_read(&tsk->fs_excl));
63022 +       WARN_ON(blk_needs_flush_plug(tsk));
63023 +
63024 +       if (unlikely(!tsk->pid))
63025 +               panic("Attempted to kill the idle task!");
63026 +
63027         tracehook_report_exit(&code);
63028  
63029         validate_creds_for_do_exit(tsk);
63030 @@ -983,6 +1014,9 @@ NORET_TYPE void do_exit(long code)
63031         tsk->exit_code = code;
63032         taskstats_exit(tsk, group_dead);
63033  
63034 +       gr_acl_handle_psacct(tsk, code);
63035 +       gr_acl_handle_exit();
63036 +
63037         exit_mm(tsk);
63038  
63039         if (group_dead)
63040 diff -urNp linux-3.0.9/kernel/fork.c linux-3.0.9/kernel/fork.c
63041 --- linux-3.0.9/kernel/fork.c   2011-11-11 13:12:24.000000000 -0500
63042 +++ linux-3.0.9/kernel/fork.c   2011-11-15 20:03:00.000000000 -0500
63043 @@ -286,7 +286,7 @@ static struct task_struct *dup_task_stru
63044         *stackend = STACK_END_MAGIC;    /* for overflow detection */
63045  
63046  #ifdef CONFIG_CC_STACKPROTECTOR
63047 -       tsk->stack_canary = get_random_int();
63048 +       tsk->stack_canary = pax_get_random_long();
63049  #endif
63050  
63051         /* One for us, one for whoever does the "release_task()" (usually parent) */
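Review bot: Replacing get_random_int() with pax_get_random_long() for the stack canary changes the value from 32 random bits to a full unsigned long, but the line carries no comment, so the point of the change is invisible to a reader; `/* full-width canary: get_random_int() only supplies 32 bits on 64-bit */` would make it explicit. If pax_get_random_long() is the only arch-independent full-width source at this point, saying so in the comment also explains why get_random_long() or similar was not used. dup_task_struct continues outside the hunk.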
63052 @@ -308,13 +308,77 @@ out:
63053  }
63054  
63055  #ifdef CONFIG_MMU
63056 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
63057 +{
63058 +       struct vm_area_struct *tmp;
63059 +       unsigned long charge;
63060 +       struct mempolicy *pol;
63061 +       struct file *file;
63062 +
63063 +       charge = 0;
63064 +       if (mpnt->vm_flags & VM_ACCOUNT) {
63065 +               unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
63066 +               if (security_vm_enough_memory(len))
63067 +                       goto fail_nomem;
63068 +               charge = len;
63069 +       }
63070 +       tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
63071 +       if (!tmp)
63072 +               goto fail_nomem;
63073 +       *tmp = *mpnt;
63074 +       tmp->vm_mm = mm;
63075 +       INIT_LIST_HEAD(&tmp->anon_vma_chain);
63076 +       pol = mpol_dup(vma_policy(mpnt));
63077 +       if (IS_ERR(pol))
63078 +               goto fail_nomem_policy;
63079 +       vma_set_policy(tmp, pol);
63080 +       if (anon_vma_fork(tmp, mpnt))
63081 +               goto fail_nomem_anon_vma_fork;
63082 +       tmp->vm_flags &= ~VM_LOCKED;
63083 +       tmp->vm_next = tmp->vm_prev = NULL;
63084 +       tmp->vm_mirror = NULL;
63085 +       file = tmp->vm_file;
63086 +       if (file) {
63087 +               struct inode *inode = file->f_path.dentry->d_inode;
63088 +               struct address_space *mapping = file->f_mapping;
63089 +
63090 +               get_file(file);
63091 +               if (tmp->vm_flags & VM_DENYWRITE)
63092 +                       atomic_dec(&inode->i_writecount);
63093 +               mutex_lock(&mapping->i_mmap_mutex);
63094 +               if (tmp->vm_flags & VM_SHARED)
63095 +                       mapping->i_mmap_writable++;
63096 +               flush_dcache_mmap_lock(mapping);
63097 +               /* insert tmp into the share list, just after mpnt */
63098 +               vma_prio_tree_add(tmp, mpnt);
63099 +               flush_dcache_mmap_unlock(mapping);
63100 +               mutex_unlock(&mapping->i_mmap_mutex);
63101 +       }
63102 +
63103 +       /*
63104 +        * Clear hugetlb-related page reserves for children. This only
63105 +        * affects MAP_PRIVATE mappings. Faults generated by the child
63106 +        * are not guaranteed to succeed, even if read-only
63107 +        */
63108 +       if (is_vm_hugetlb_page(tmp))
63109 +               reset_vma_resv_huge_pages(tmp);
63110 +
63111 +       return tmp;
63112 +
63113 +fail_nomem_anon_vma_fork:
63114 +       mpol_put(pol);
63115 +fail_nomem_policy:
63116 +       kmem_cache_free(vm_area_cachep, tmp);
63117 +fail_nomem:
63118 +       vm_unacct_memory(charge);
63119 +       return NULL;
63120 +}
63121 +
63122  static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
63123  {
63124         struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
63125         struct rb_node **rb_link, *rb_parent;
63126         int retval;
63127 -       unsigned long charge;
63128 -       struct mempolicy *pol;
63129  
63130         down_write(&oldmm->mmap_sem);
63131         flush_cache_dup_mm(oldmm);
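Review bot: dup_vma() is a new sixty-line function with no header comment describing its contract: it returns NULL on every failure after undoing the VM_ACCOUNT charge, takes a reference on vm_file and links the copy into the i_mmap tree, and leaves the copy with vm_mirror cleared for the caller to fix up. A kernel-doc block stating "returns a copy of @mpnt owned by @mm with accounting charged, or NULL with all charges released; the caller maps NULL to -ENOMEM" would save the next reader from reconstructing that from the three fail labels. Note also that the old `retval = PTR_ERR(pol)` is gone; it was dead since fail_nomem always overwrote retval with -ENOMEM, so the behaviour is unchanged, but a line in the commit message would confirm the drop is intentional. dup_mmap's body continues outside the hunk.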
63132 @@ -326,8 +390,8 @@ static int dup_mmap(struct mm_struct *mm
63133         mm->locked_vm = 0;
63134         mm->mmap = NULL;
63135         mm->mmap_cache = NULL;
63136 -       mm->free_area_cache = oldmm->mmap_base;
63137 -       mm->cached_hole_size = ~0UL;
63138 +       mm->free_area_cache = oldmm->free_area_cache;
63139 +       mm->cached_hole_size = oldmm->cached_hole_size;
63140         mm->map_count = 0;
63141         cpumask_clear(mm_cpumask(mm));
63142         mm->mm_rb = RB_ROOT;
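Review bot: Inheriting oldmm->free_area_cache and cached_hole_size instead of resetting them to mmap_base/~0UL assumes the child's VMA layout is an exact copy of the parent's; the loop below skips VM_DONTCOPY mappings, so the child may have holes the parent does not, and the inherited hint is then stale (harmless if the cache is only a hint, but that should be stated). A comment such as `/* the child's layout mirrors the parent's, so its search cache remains a valid hint */` would record the assumption. dup_mmap continues outside the hunk.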
63143 @@ -343,8 +407,6 @@ static int dup_mmap(struct mm_struct *mm
63144  
63145         prev = NULL;
63146         for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
63147 -               struct file *file;
63148 -
63149                 if (mpnt->vm_flags & VM_DONTCOPY) {
63150                         long pages = vma_pages(mpnt);
63151                         mm->total_vm -= pages;
63152 @@ -352,55 +414,13 @@ static int dup_mmap(struct mm_struct *mm
63153                                                                 -pages);
63154                         continue;
63155                 }
63156 -               charge = 0;
63157 -               if (mpnt->vm_flags & VM_ACCOUNT) {
63158 -                       unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
63159 -                       if (security_vm_enough_memory(len))
63160 -                               goto fail_nomem;
63161 -                       charge = len;
63162 -               }
63163 -               tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
63164 -               if (!tmp)
63165 -                       goto fail_nomem;
63166 -               *tmp = *mpnt;
63167 -               INIT_LIST_HEAD(&tmp->anon_vma_chain);
63168 -               pol = mpol_dup(vma_policy(mpnt));
63169 -               retval = PTR_ERR(pol);
63170 -               if (IS_ERR(pol))
63171 -                       goto fail_nomem_policy;
63172 -               vma_set_policy(tmp, pol);
63173 -               tmp->vm_mm = mm;
63174 -               if (anon_vma_fork(tmp, mpnt))
63175 -                       goto fail_nomem_anon_vma_fork;
63176 -               tmp->vm_flags &= ~VM_LOCKED;
63177 -               tmp->vm_next = tmp->vm_prev = NULL;
63178 -               file = tmp->vm_file;
63179 -               if (file) {
63180 -                       struct inode *inode = file->f_path.dentry->d_inode;
63181 -                       struct address_space *mapping = file->f_mapping;
63182 -
63183 -                       get_file(file);
63184 -                       if (tmp->vm_flags & VM_DENYWRITE)
63185 -                               atomic_dec(&inode->i_writecount);
63186 -                       mutex_lock(&mapping->i_mmap_mutex);
63187 -                       if (tmp->vm_flags & VM_SHARED)
63188 -                               mapping->i_mmap_writable++;
63189 -                       flush_dcache_mmap_lock(mapping);
63190 -                       /* insert tmp into the share list, just after mpnt */
63191 -                       vma_prio_tree_add(tmp, mpnt);
63192 -                       flush_dcache_mmap_unlock(mapping);
63193 -                       mutex_unlock(&mapping->i_mmap_mutex);
63194 +               tmp = dup_vma(mm, mpnt);
63195 +               if (!tmp) {
63196 +                       retval = -ENOMEM;
63197 +                       goto out;
63198                 }
63199  
63200                 /*
63201 -                * Clear hugetlb-related page reserves for children. This only
63202 -                * affects MAP_PRIVATE mappings. Faults generated by the child
63203 -                * are not guaranteed to succeed, even if read-only
63204 -                */
63205 -               if (is_vm_hugetlb_page(tmp))
63206 -                       reset_vma_resv_huge_pages(tmp);
63207 -
63208 -               /*
63209                  * Link in the new vma and copy the page table entries.
63210                  */
63211                 *pprev = tmp;
63212 @@ -421,6 +441,31 @@ static int dup_mmap(struct mm_struct *mm
63213                 if (retval)
63214                         goto out;
63215         }
63216 +
63217 +#ifdef CONFIG_PAX_SEGMEXEC
63218 +       if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
63219 +               struct vm_area_struct *mpnt_m;
63220 +
63221 +               for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
63222 +                       BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
63223 +
63224 +                       if (!mpnt->vm_mirror)
63225 +                               continue;
63226 +
63227 +                       if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
63228 +                               BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
63229 +                               mpnt->vm_mirror = mpnt_m;
63230 +                       } else {
63231 +                               BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
63232 +                               mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
63233 +                               mpnt_m->vm_mirror->vm_mirror = mpnt_m;
63234 +                               mpnt->vm_mirror->vm_mirror = mpnt;
63235 +                       }
63236 +               }
63237 +               BUG_ON(mpnt_m);
63238 +       }
63239 +#endif
63240 +
63241         /* a new mm has just been created */
63242         arch_dup_mmap(oldmm, mm);
63243         retval = 0;
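Review bot: The SEGMEXEC fix-up walks oldmm->mmap and mm->mmap in lock step and BUG_ONs as soon as the two lists disagree (`BUG_ON(!mpnt_m || ...)` and the trailing `BUG_ON(mpnt_m)`), yet the copy loop earlier in dup_mmap skips VM_DONTCOPY mappings with `continue`, which would make the child's list shorter than the parent's. Either SEGMEXEC tasks can never carry VM_DONTCOPY mappings — in which case a comment saying so should precede the loop — or the walk must skip the same VMAs on the old side, otherwise a fork of such a task would hit the BUG_ON. The relinking logic itself (mirror below SEGMEXEC_TASK_SIZE points at its copy, mirror above is re-paired through the original's mirror) also deserves a short comment, since the two branches are not self-explanatory. dup_mmap continues outside the hunk.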
63244 @@ -429,14 +474,6 @@ out:
63245         flush_tlb_mm(oldmm);
63246         up_write(&oldmm->mmap_sem);
63247         return retval;
63248 -fail_nomem_anon_vma_fork:
63249 -       mpol_put(pol);
63250 -fail_nomem_policy:
63251 -       kmem_cache_free(vm_area_cachep, tmp);
63252 -fail_nomem:
63253 -       retval = -ENOMEM;
63254 -       vm_unacct_memory(charge);
63255 -       goto out;
63256  }
63257  
63258  static inline int mm_alloc_pgd(struct mm_struct * mm)
63259 @@ -836,13 +873,14 @@ static int copy_fs(unsigned long clone_f
63260                         spin_unlock(&fs->lock);
63261                         return -EAGAIN;
63262                 }
63263 -               fs->users++;
63264 +               atomic_inc(&fs->users);
63265                 spin_unlock(&fs->lock);
63266                 return 0;
63267         }
63268         tsk->fs = copy_fs_struct(fs);
63269         if (!tsk->fs)
63270                 return -ENOMEM;
63271 +       gr_set_chroot_entries(tsk, &tsk->fs->root);
63272         return 0;
63273  }
63274  
63275 @@ -1156,15 +1194,18 @@ static struct task_struct *copy_process(
63276         init_vx_info(&p->vx_info, current_vx_info());
63277         init_nx_info(&p->nx_info, current_nx_info());
63278  
63279 +       gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
63280 +
63281         retval = -EAGAIN;
63282         if (!vx_nproc_avail(1))
63283                 goto bad_fork_free;
63284         if (atomic_read(&p->real_cred->user->processes) >=
63285                         task_rlimit(p, RLIMIT_NPROC)) {
63286 -               if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
63287 -                   p->real_cred->user != INIT_USER)
63288 +               if (p->real_cred->user != INIT_USER &&
63289 +                   !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
63290                         goto bad_fork_free;
63291         }
63292 +       current->flags &= ~PF_NPROC_EXCEEDED;
63293  
63294         retval = copy_creds(p, clone_flags);
63295         if (retval < 0)
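Review bot: Swapping the operands so that `p->real_cred->user != INIT_USER` is evaluated before the two capable() calls is more than a readability change — capable() has side effects (it sets PF_SUPERPRIV and is audited), so the reorder avoids them for root-owned forks at the limit; a comment like `/* test INIT_USER first: capable() sets PF_SUPERPRIV and audits */` would stop a future tidy-up from reverting it. `current->flags &= ~PF_NPROC_EXCEEDED;` is cleared unconditionally once the RLIMIT_NPROC check has passed, which matches the flag's purpose, but where the flag is set is not visible here. copy_process continues outside the hunk.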
63296 @@ -1250,6 +1291,8 @@ static struct task_struct *copy_process(
63297         if (clone_flags & CLONE_THREAD)
63298                 p->tgid = current->tgid;
63299  
63300 +       gr_copy_label(p);
63301 +
63302         p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
63303         /*
63304          * Clear TID on mm_release()?
63305 @@ -1414,6 +1457,8 @@ bad_fork_cleanup_count:
63306  bad_fork_free:
63307         free_task(p);
63308  fork_out:
63309 +       gr_log_forkfail(retval);
63310 +
63311         return ERR_PTR(retval);
63312  }
63313  
63314 @@ -1502,6 +1547,8 @@ long do_fork(unsigned long clone_flags,
63315                 if (clone_flags & CLONE_PARENT_SETTID)
63316                         put_user(nr, parent_tidptr);
63317  
63318 +               gr_handle_brute_check();
63319 +
63320                 if (clone_flags & CLONE_VFORK) {
63321                         p->vfork_done = &vfork;
63322                         init_completion(&vfork);
63323 @@ -1610,7 +1657,7 @@ static int unshare_fs(unsigned long unsh
63324                 return 0;
63325  
63326         /* don't need lock here; in the worst case we'll do useless copy */
63327 -       if (fs->users == 1)
63328 +       if (atomic_read(&fs->users) == 1)
63329                 return 0;
63330  
63331         *new_fsp = copy_fs_struct(fs);
63332 @@ -1697,7 +1744,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, 
63333                         fs = current->fs;
63334                         spin_lock(&fs->lock);
63335                         current->fs = new_fs;
63336 -                       if (--fs->users)
63337 +                       gr_set_chroot_entries(current, &current->fs->root);
63338 +                       if (atomic_dec_return(&fs->users))
63339                                 new_fs = NULL;
63340                         else
63341                                 new_fs = fs;
63342 diff -urNp linux-3.0.9/kernel/futex.c linux-3.0.9/kernel/futex.c
63343 --- linux-3.0.9/kernel/futex.c  2011-11-11 13:12:24.000000000 -0500
63344 +++ linux-3.0.9/kernel/futex.c  2011-11-15 20:03:00.000000000 -0500
63345 @@ -238,6 +239,11 @@ get_futex_key(u32 __user *uaddr, int fsh
63346         struct page *page, *page_head;
63347         int err, ro = 0;
63348  
63349 +#ifdef CONFIG_PAX_SEGMEXEC
63350 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
63351 +               return -EFAULT;
63352 +#endif
63353 +
63354         /*
63355          * The futex address must be "naturally" aligned.
63356          */
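Review bot: The hunk header `@@ -238,6 +239,11 @@` has a new-side offset one greater than the old side even though this is the first hunk for kernel/futex.c, which indicates an earlier hunk in this file was dropped when the patch was refreshed; `patch` will still apply this hunk, but only with an offset warning, and whatever the missing hunk added is absent. Regenerate the futex.c section so the offsets are consistent. The added SEGMEXEC check also reads `mm` and `address`, both declared earlier in get_futex_key outside this hunk, and returns -EFAULT before the alignment check, which is the right order since the alignment test is cheaper but the range test is the security-relevant one.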
63357 @@ -1863,6 +1869,8 @@ static int futex_wait(u32 __user *uaddr,
63358         struct futex_q q = futex_q_init;
63359         int ret;
63360  
63361 +       pax_track_stack();
63362 +
63363         if (!bitset)
63364                 return -EINVAL;
63365         q.bitset = bitset;
63366 @@ -2259,6 +2267,8 @@ static int futex_wait_requeue_pi(u32 __u
63367         struct futex_q q = futex_q_init;
63368         int res, ret;
63369  
63370 +       pax_track_stack();
63371 +
63372         if (!bitset)
63373                 return -EINVAL;
63374  
63375 @@ -2712,6 +2729,7 @@ static int __init futex_init(void)
63376  {
63377         u32 curval;
63378         int i;
63379 +       mm_segment_t oldfs;
63380  
63381         /*
63382          * This will fail and we want it. Some arch implementations do
63383 @@ -2723,8 +2741,11 @@ static int __init futex_init(void)
63384          * implementation, the non-functional ones will return
63385          * -ENOSYS.
63386          */
63387 +       oldfs = get_fs();
63388 +       set_fs(USER_DS);
63389         if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
63390                 futex_cmpxchg_enabled = 1;
63391 +       set_fs(oldfs);
63392  
63393         for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
63394                 plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
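Review bot: The set_fs(USER_DS) / set_fs(oldfs) bracket around the deliberate NULL-address cmpxchg probe has no comment, and without one it looks redundant and will be removed by the next cleanup; initcalls run with KERNEL_DS, so presumably the probe only faults in the way the detection expects once the user address limit is in force (relevant under UDEREF). A one-line comment above `oldfs = get_fs();`, e.g. `/* the NULL probe must run with the user address limit so it faults as intended */`, would record that. futex_init continues outside the hunk.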
63395 diff -urNp linux-3.0.9/kernel/gcov/base.c linux-3.0.9/kernel/gcov/base.c
63396 --- linux-3.0.9/kernel/gcov/base.c      2011-11-11 13:12:24.000000000 -0500
63397 +++ linux-3.0.9/kernel/gcov/base.c      2011-11-15 20:03:00.000000000 -0500
63398 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
63399  }
63400  
63401  #ifdef CONFIG_MODULES
63402 -static inline int within(void *addr, void *start, unsigned long size)
63403 -{
63404 -       return ((addr >= start) && (addr < start + size));
63405 -}
63406 -
63407  /* Update list and generate events when modules are unloaded. */
63408  static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
63409                                 void *data)
63410 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
63411         prev = NULL;
63412         /* Remove entries located in module from linked list. */
63413         for (info = gcov_info_head; info; info = info->next) {
63414 -               if (within(info, mod->module_core, mod->core_size)) {
63415 +               if (within_module_core_rw((unsigned long)info, mod)) {
63416                         if (prev)
63417                                 prev->next = info->next;
63418                         else
63419 diff -urNp linux-3.0.9/kernel/hrtimer.c linux-3.0.9/kernel/hrtimer.c
63420 --- linux-3.0.9/kernel/hrtimer.c        2011-11-11 13:12:24.000000000 -0500
63421 +++ linux-3.0.9/kernel/hrtimer.c        2011-11-15 20:03:00.000000000 -0500
63422 @@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
63423         local_irq_restore(flags);
63424  }
63425  
63426 -static void run_hrtimer_softirq(struct softirq_action *h)
63427 +static void run_hrtimer_softirq(void)
63428  {
63429         hrtimer_peek_ahead_timers();
63430  }
63431 diff -urNp linux-3.0.9/kernel/jump_label.c linux-3.0.9/kernel/jump_label.c
63432 --- linux-3.0.9/kernel/jump_label.c     2011-11-11 13:12:24.000000000 -0500
63433 +++ linux-3.0.9/kernel/jump_label.c     2011-11-15 20:03:00.000000000 -0500
63434 @@ -55,7 +55,9 @@ jump_label_sort_entries(struct jump_entr
63435  
63436         size = (((unsigned long)stop - (unsigned long)start)
63437                                         / sizeof(struct jump_entry));
63438 +       pax_open_kernel();
63439         sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
63440 +       pax_close_kernel();
63441  }
63442  
63443  static void jump_label_update(struct jump_label_key *key, int enable);
63444 @@ -297,10 +299,12 @@ static void jump_label_invalidate_module
63445         struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
63446         struct jump_entry *iter;
63447  
63448 +       pax_open_kernel();
63449         for (iter = iter_start; iter < iter_stop; iter++) {
63450                 if (within_module_init(iter->code, mod))
63451                         iter->code = 0;
63452         }
63453 +       pax_close_kernel();
63454  }
63455  
63456  static int
63457 diff -urNp linux-3.0.9/kernel/kallsyms.c linux-3.0.9/kernel/kallsyms.c
63458 --- linux-3.0.9/kernel/kallsyms.c       2011-11-11 13:12:24.000000000 -0500
63459 +++ linux-3.0.9/kernel/kallsyms.c       2011-11-15 20:03:00.000000000 -0500
63460 @@ -11,6 +11,9 @@
63461   *      Changed the compression method from stem compression to "table lookup"
63462   *      compression (see scripts/kallsyms.c for a more complete description)
63463   */
63464 +#ifdef CONFIG_GRKERNSEC_HIDESYM
63465 +#define __INCLUDED_BY_HIDESYM 1
63466 +#endif
63467  #include <linux/kallsyms.h>
63468  #include <linux/module.h>
63469  #include <linux/init.h>
63470 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
63471  
63472  static inline int is_kernel_inittext(unsigned long addr)
63473  {
63474 +       if (system_state != SYSTEM_BOOTING)
63475 +               return 0;
63476 +
63477         if (addr >= (unsigned long)_sinittext
63478             && addr <= (unsigned long)_einittext)
63479                 return 1;
63480         return 0;
63481  }
63482  
63483 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63484 +#ifdef CONFIG_MODULES
63485 +static inline int is_module_text(unsigned long addr)
63486 +{
63487 +       if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
63488 +               return 1;
63489 +
63490 +       addr = ktla_ktva(addr);
63491 +       return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
63492 +}
63493 +#else
63494 +static inline int is_module_text(unsigned long addr)
63495 +{
63496 +       return 0;
63497 +}
63498 +#endif
63499 +#endif
63500 +
63501  static inline int is_kernel_text(unsigned long addr)
63502  {
63503         if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
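Review bot: The early `return 0` when `system_state != SYSTEM_BOOTING` in is_kernel_inittext() has no comment; the evident reason is that .init.text is discarded after boot, so addresses in that range no longer name kernel symbols, and `/* .init.text is freed after boot; its addresses are no longer symbols */` should say so. In the new is_module_text() both range checks use an inclusive `<= MODULES_EXEC_END`, consistent with the `<= _einittext` style above it, but worth confirming against how MODULES_EXEC_END is defined (last byte or one-past-the-end). is_kernel_text follows outside the hunk.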
63504 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
63505  
63506  static inline int is_kernel(unsigned long addr)
63507  {
63508 +
63509 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63510 +       if (is_kernel_text(addr) || is_kernel_inittext(addr))
63511 +               return 1;
63512 +
63513 +       if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
63514 +#else
63515         if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
63516 +#endif
63517 +
63518                 return 1;
63519         return in_gate_area_no_mm(addr);
63520  }
63521  
63522  static int is_ksym_addr(unsigned long addr)
63523  {
63524 +
63525 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63526 +       if (is_module_text(addr))
63527 +               return 0;
63528 +#endif
63529 +
63530         if (all_var)
63531                 return is_kernel(addr);
63532  
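Review bot: In is_kernel() the `#if … #else … #endif` now cuts through the middle of a single if-statement — the condition is supplied by one branch of the preprocessor and the `return 1;` body is shared — which is hard to read and easy to break; the two configurations should each be written as complete statements. Note too that the KERNEXEC branch uses `addr < (unsigned long)_end` while the default branch keeps `addr <= (unsigned long)_end`; if the off-by-one is intentional it needs a comment, otherwise the two should agree. The stray blank lines at the top of is_kernel() and is_ksym_addr() (the `+` lines with only a gutter number) should go as well.

```c
static inline int is_kernel(unsigned long addr)
{
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	if (is_kernel_text(addr) || is_kernel_inittext(addr))
		return 1;
	if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
		return 1;
#else
	if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
		return 1;
#endif
	return in_gate_area_no_mm(addr);
}

/* … unchanged: is_ksym_addr … */
```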
63533 @@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
63534  
63535  static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
63536  {
63537 -       iter->name[0] = '\0';
63538         iter->nameoff = get_symbol_offset(new_pos);
63539         iter->pos = new_pos;
63540  }
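Review bot: Dropping `iter->name[0] = '\0';` from reset_iter() makes the "symbol has no name" check in s_show() depend on the kzalloc() introduced in the kallsyms_open hunk below, and on update_iter() always rewriting name before s_show() runs; that coupling is invisible at either site. A comment in reset_iter(), `/* name is zeroed at allocation and rewritten by update_iter(); no reset needed */`, or simply keeping the one-line clear, would make the invariant explicit. If the real goal is that the whole iterator starts zeroed (so no stale buffer contents can reach seq output), that is the sentence the commit message should carry.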
63541 @@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
63542  {
63543         struct kallsym_iter *iter = m->private;
63544  
63545 +#ifdef CONFIG_GRKERNSEC_HIDESYM
63546 +       if (current_uid())
63547 +               return 0;
63548 +#endif
63549 +
63550         /* Some debugging symbols have no name.  Ignore them. */
63551         if (!iter->name[0])
63552                 return 0;
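Review bot: The HIDESYM gate `if (current_uid()) return 0;` runs once per symbol inside s_show(), so an unprivileged read of /proc/kallsyms still walks every entry only to print nothing; deciding once in kallsyms_open() (changed in the hunk below anyway) and returning an empty sequence would be cheaper and keep the policy in one place. The check is also uid-based rather than capability-based: a process holding the relevant capability but running as a non-zero uid is treated the same as any other user, which may be intended but should be stated in a comment next to the check. s_show continues outside the hunk.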
63553 @@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
63554         struct kallsym_iter *iter;
63555         int ret;
63556  
63557 -       iter = kmalloc(sizeof(*iter), GFP_KERNEL);
63558 +       iter = kzalloc(sizeof(*iter), GFP_KERNEL);
63559         if (!iter)
63560                 return -ENOMEM;
63561         reset_iter(iter, 0);
63562 diff -urNp linux-3.0.9/kernel/kexec.c linux-3.0.9/kernel/kexec.c
63563 --- linux-3.0.9/kernel/kexec.c  2011-11-11 13:12:24.000000000 -0500
63564 +++ linux-3.0.9/kernel/kexec.c  2011-11-15 20:03:00.000000000 -0500
63565 @@ -1033,7 +1033,8 @@ asmlinkage long compat_sys_kexec_load(un
63566                                 unsigned long flags)
63567  {
63568         struct compat_kexec_segment in;
63569 -       struct kexec_segment out, __user *ksegments;
63570 +       struct kexec_segment out;
63571 +       struct kexec_segment __user *ksegments;
63572         unsigned long i, result;
63573  
63574         /* Don't allow clients that don't understand the native
63575 diff -urNp linux-3.0.9/kernel/kmod.c linux-3.0.9/kernel/kmod.c
63576 --- linux-3.0.9/kernel/kmod.c   2011-11-11 13:12:24.000000000 -0500
63577 +++ linux-3.0.9/kernel/kmod.c   2011-11-15 20:03:00.000000000 -0500
63578 @@ -73,13 +73,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
63579   * If module auto-loading support is disabled then this function
63580   * becomes a no-operation.
63581   */
63582 -int __request_module(bool wait, const char *fmt, ...)
63583 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
63584  {
63585 -       va_list args;
63586         char module_name[MODULE_NAME_LEN];
63587         unsigned int max_modprobes;
63588         int ret;
63589 -       char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
63590 +       char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
63591         static char *envp[] = { "HOME=/",
63592                                 "TERM=linux",
63593                                 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
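Review bot: The new argv initializer `{ modprobe_path, "-q", "--", module_name, module_param, NULL }` relies on `module_param` being NULL in the common path so that the NULL element terminates argv one slot early; that is correct but non-obvious, and a comment on the line, `/* module_param may be NULL, which simply terminates argv early */`, would prevent someone from "fixing" it. Since module_param is only passed through to argv, the parameter could be `const char *` like fmt; the `char *` type is presumably forced by argv's element type. ____request_module continues outside the hunk.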
63594 @@ -88,9 +87,7 @@ int __request_module(bool wait, const ch
63595  #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
63596         static int kmod_loop_msg;
63597  
63598 -       va_start(args, fmt);
63599 -       ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
63600 -       va_end(args);
63601 +       ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
63602         if (ret >= MODULE_NAME_LEN)
63603                 return -ENAMETOOLONG;
63604  
63605 @@ -98,6 +95,20 @@ int __request_module(bool wait, const ch
63606         if (ret)
63607                 return ret;
63608  
63609 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63610 +       if (!current_uid()) {
63611 +               /* hack to workaround consolekit/udisks stupidity */
63612 +               read_lock(&tasklist_lock);
63613 +               if (!strcmp(current->comm, "mount") &&
63614 +                   current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
63615 +                       read_unlock(&tasklist_lock);
63616 +                       printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
63617 +                       return -EPERM;
63618 +               }
63619 +               read_unlock(&tasklist_lock);
63620 +       }
63621 +#endif
63622 +
63623         /* If modprobe needs a service that is in a module, we get a recursive
63624          * loop.  Limit the number of running kmod threads to max_threads/2 or
63625          * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method
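Review bot: The MODHARDEN block matches on current->comm and real_parent->comm, and process names are set by the process itself, so this is a compatibility workaround for a specific userspace tool and not a trust decision; the existing comment says "hack" but should say explicitly that comm is not a trust anchor and that the real policy is the uid check that encloses it. The read_lock(&tasklist_lock) is correctly held across the real_parent dereference and released on both paths, which is good. The KERN_ALERT message uses `%.64s` for module_name, which is bounded independently of MODULE_NAME_LEN; tying it to the buffer size (or dropping the precision, since module_name is NUL-terminated by vsnprintf above) would keep the two from drifting. The function continues outside the hunk.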
63626 @@ -133,6 +144,47 @@ int __request_module(bool wait, const ch
63627         atomic_dec(&kmod_concurrent);
63628         return ret;
63629  }
63630 +
63631 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
63632 +{
63633 +       va_list args;
63634 +       int ret;
63635 +
63636 +       va_start(args, fmt);
63637 +       ret = ____request_module(wait, module_param, fmt, args);
63638 +       va_end(args);
63639 +
63640 +       return ret;
63641 +}
63642 +
63643 +int __request_module(bool wait, const char *fmt, ...)
63644 +{
63645 +       va_list args;
63646 +       int ret;
63647 +
63648 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63649 +       if (current_uid()) {
63650 +               char module_param[MODULE_NAME_LEN];
63651 +
63652 +               memset(module_param, 0, sizeof(module_param));
63653 +
63654 +               snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
63655 +
63656 +               va_start(args, fmt);
63657 +               ret = ____request_module(wait, module_param, fmt, args);
63658 +               va_end(args);
63659 +
63660 +               return ret;
63661 +       }
63662 +#endif
63663 +
63664 +       va_start(args, fmt);
63665 +       ret = ____request_module(wait, NULL, fmt, args);
63666 +       va_end(args);
63667 +
63668 +       return ret;
63669 +}
63670 +
63671  EXPORT_SYMBOL(__request_module);
63672  #endif /* CONFIG_MODULES */
63673  
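Review bot: In the MODHARDEN branch of __request_module() the `memset(module_param, 0, sizeof(module_param))` followed by `snprintf(module_param, sizeof(module_param) - 1, ...)` is belt-and-braces: snprintf() always NUL-terminates when given a non-zero size, so `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` alone is sufficient and clearer. The two wrappers also repeat the va_start/____request_module/va_end sequence three times; that is inherent to variadic forwarding in C, but a one-line comment on ___request_module() stating it is the entry point for callers that supply an explicit module parameter would clarify the three-level naming. The `%u` for current_uid() is fine for the uid_t of this kernel version.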
63674 @@ -222,7 +274,7 @@ static int wait_for_helper(void *data)
63675                  *
63676                  * Thus the __user pointer cast is valid here.
63677                  */
63678 -               sys_wait4(pid, (int __user *)&ret, 0, NULL);
63679 +               sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
63680  
63681                 /*
63682                  * If ret is 0, either ____call_usermodehelper failed and the
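diff -urNp linux-3.0.9/kernel/kprobes.c linux-3.0.9/kernel/kprobes.c
--- linux-3.0.9/kernel/kprobes.c        2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/kernel/kprobes.c        2011-11-15 20:03:00.000000000 -0500
@@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
         * kernel image and loaded module images reside. This is required
         * so x86_64 can correctly handle the %rip-relative fixups.
         */
-       kip->insns = module_alloc(PAGE_SIZE);
+       kip->insns = module_alloc_exec(PAGE_SIZE);
        if (!kip->insns) {
                kfree(kip);
                return NULL;
@@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
                 */
                if (!list_is_singular(&kip->list)) {
                        list_del(&kip->list);
-                       module_free(NULL, kip->insns);
+                       module_free_exec(NULL, kip->insns);
                        kfree(kip);
                }
                return 1;
@@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
 {
        int i, err = 0;
        unsigned long offset = 0, size = 0;
-       char *modname, namebuf[128];
+       char *modname, namebuf[KSYM_NAME_LEN];
        const char *symbol_name;
        void *addr;
        struct kprobe_blackpoint *kb;
@@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
        const char *sym = NULL;
        unsigned int i = *(loff_t *) v;
        unsigned long offset = 0;
-       char *modname, namebuf[128];
+       char *modname, namebuf[KSYM_NAME_LEN];
 
        head = &kprobe_table[i];
        preempt_disable();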
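Review bot: module_alloc_exec() in __get_insn_slot hands back memory that under CONFIG_PAX_KERNEXEC is presumably not writable through its normal mapping, yet the code that later copies the probed instruction into kip->insns is outside this hunk and unchanged here; if that write path is not wrapped in pax_open_kernel()/pax_close_kernel() elsewhere in this patch, as the st_value writes in simplify_symbols are, the slot copy will fault. A one-line comment at the allocation, `/* RX slot: writes to kip->insns must go through pax_open_kernel() */`, would record the constraint where the next reader will look for it. The namebuf[KSYM_NAME_LEN] changes in init_kprobes and show_kprobe_addr, and the matching str[KSYM_NAME_LEN] in lockdep_proc.c's print_name, size the buffer to what kallsyms_lookup() may fill; `/* kallsyms_lookup() writes up to KSYM_NAME_LEN bytes */` at the first of them would make that explicit.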
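diff -urNp linux-3.0.9/kernel/lockdep.c linux-3.0.9/kernel/lockdep.c
--- linux-3.0.9/kernel/lockdep.c        2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/kernel/lockdep.c        2011-11-15 20:03:00.000000000 -0500
@@ -583,6 +583,10 @@ static int static_obj(void *obj)
                      end   = (unsigned long) &_end,
                      addr  = (unsigned long) obj;
 
+#ifdef CONFIG_PAX_KERNEXEC
+       start = ktla_ktva(start);
+#endif
+
        /*
         * static variable?
         */
@@ -718,6 +722,7 @@ register_lock_class(struct lockdep_map *
        if (!static_obj(lock->key)) {
                debug_locks_off();
                printk("INFO: trying to register non-static key.\n");
+               printk("lock:%pS key:%pS.\n", lock, lock->key);
                printk("the code is fine but needs lockdep annotation.\n");
                printk("turning off the locking correctness validator.\n");
                dump_stack();
@@ -2936,7 +2941,7 @@ static int __lock_acquire(struct lockdep
                if (!class)
                        return 0;
        }
-       atomic_inc((atomic_t *)&class->ops);
+       atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
        if (very_verbose(class)) {
                printk("\nacquire class [%p] %s", class->key, class->name);
                if (class->name_version > 1)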
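Review bot: In static_obj only `start` is run through ktla_ktva() while `end`, computed from &_end two lines above, is left as is; if that asymmetry is deliberate (the kernel text's linear address differs from its virtual address under KERNEXEC, data and bss do not) it needs a comment such as `/* KERNEXEC: _stext is a linear text address; _end is data and needs no translation */`, otherwise the first reader will "fix" it. The added `printk("lock:%pS key:%pS.\n", lock, lock->key)` in register_lock_class runs in exactly the branch where the key is not a static object, so %pS presumably cannot resolve a symbol and falls back to printing the raw pointer, which is the kind of kernel address CONFIG_GRKERNSEC_HIDESYM elsewhere in this patch tries to keep out of reach; worth checking against that option's printk handling. The atomic_inc_unchecked() on class->ops is the overflow-check opt-out for a pure statistics counter; `/* stats counter, not a refcount: wraparound is harmless */` would make the intent explicit.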
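diff -urNp linux-3.0.9/kernel/lockdep_proc.c linux-3.0.9/kernel/lockdep_proc.c
--- linux-3.0.9/kernel/lockdep_proc.c   2011-11-11 13:12:24.000000000 -0500
+++ linux-3.0.9/kernel/lockdep_proc.c   2011-11-15 20:03:00.000000000 -0500
@@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
 
 static void print_name(struct seq_file *m, struct lock_class *class)
 {
-       char str[128];
+       char str[KSYM_NAME_LEN];
        const char *name = class->name;
 
        if (!name) {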
63765 diff -urNp linux-3.0.9/kernel/module.c linux-3.0.9/kernel/module.c
63766 --- linux-3.0.9/kernel/module.c 2011-11-11 13:12:24.000000000 -0500
63767 +++ linux-3.0.9/kernel/module.c 2011-11-15 20:03:00.000000000 -0500
63768 @@ -58,6 +58,7 @@
63769  #include <linux/jump_label.h>
63770  #include <linux/pfn.h>
63771  #include <linux/bsearch.h>
63772 +#include <linux/grsecurity.h>
63773  
63774  #define CREATE_TRACE_POINTS
63775  #include <trace/events/module.h>
63776 @@ -119,7 +120,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
63777  
63778  /* Bounds of module allocation, for speeding __module_address.
63779   * Protected by module_mutex. */
63780 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
63781 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
63782 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
63783  
63784  int register_module_notifier(struct notifier_block * nb)
63785  {
63786 @@ -284,7 +286,7 @@ bool each_symbol_section(bool (*fn)(cons
63787                 return true;
63788  
63789         list_for_each_entry_rcu(mod, &modules, list) {
63790 -               struct symsearch arr[] = {
63791 +               struct symsearch modarr[] = {
63792                         { mod->syms, mod->syms + mod->num_syms, mod->crcs,
63793                           NOT_GPL_ONLY, false },
63794                         { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
63795 @@ -306,7 +308,7 @@ bool each_symbol_section(bool (*fn)(cons
63796  #endif
63797                 };
63798  
63799 -               if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
63800 +               if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
63801                         return true;
63802         }
63803         return false;
63804 @@ -438,7 +440,7 @@ static inline void __percpu *mod_percpu(
63805  static int percpu_modalloc(struct module *mod,
63806                            unsigned long size, unsigned long align)
63807  {
63808 -       if (align > PAGE_SIZE) {
63809 +       if (align-1 >= PAGE_SIZE) {
63810                 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
63811                        mod->name, align, PAGE_SIZE);
63812                 align = PAGE_SIZE;
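Review bot: `align-1 >= PAGE_SIZE` now also catches align == 0, because the subtraction wraps to ULONG_MAX, but the warning two lines below still reports that case as `per-cpu alignment 0 > 4096`, which is misleading. Either spell the intent out with a comment, `/* align == 0 wraps here and is clamped too */`, or test it explicitly with the equivalent `if (!align || align > PAGE_SIZE) {`. The rest of percpu_modalloc is outside the hunk.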
63813 @@ -1166,7 +1168,7 @@ resolve_symbol_wait(struct module *mod,
63814   */
63815  #ifdef CONFIG_SYSFS
63816  
63817 -#ifdef CONFIG_KALLSYMS
63818 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63819  static inline bool sect_empty(const Elf_Shdr *sect)
63820  {
63821         return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
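Review bot: The new condition silently compiles out everything under this `#if` (presumably the per-module section and notes attributes in sysfs) when CONFIG_GRKERNSEC_HIDESYM is set, without saying why; a comment at the `#if`, `/* the section attributes expose module load addresses; withhold them under HIDESYM */`, would tie the change to the option's purpose. The `#else`/`#endif` closing this conditional are outside the hunk, so I could not confirm nothing else is affected.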
63822 @@ -1632,21 +1634,21 @@ static void set_section_ro_nx(void *base
63823  
63824  static void unset_module_core_ro_nx(struct module *mod)
63825  {
63826 -       set_page_attributes(mod->module_core + mod->core_text_size,
63827 -               mod->module_core + mod->core_size,
63828 +       set_page_attributes(mod->module_core_rw,
63829 +               mod->module_core_rw + mod->core_size_rw,
63830                 set_memory_x);
63831 -       set_page_attributes(mod->module_core,
63832 -               mod->module_core + mod->core_ro_size,
63833 +       set_page_attributes(mod->module_core_rx,
63834 +               mod->module_core_rx + mod->core_size_rx,
63835                 set_memory_rw);
63836  }
63837  
63838  static void unset_module_init_ro_nx(struct module *mod)
63839  {
63840 -       set_page_attributes(mod->module_init + mod->init_text_size,
63841 -               mod->module_init + mod->init_size,
63842 +       set_page_attributes(mod->module_init_rw,
63843 +               mod->module_init_rw + mod->init_size_rw,
63844                 set_memory_x);
63845 -       set_page_attributes(mod->module_init,
63846 -               mod->module_init + mod->init_ro_size,
63847 +       set_page_attributes(mod->module_init_rx,
63848 +               mod->module_init_rx + mod->init_size_rx,
63849                 set_memory_rw);
63850  }
63851  
63852 @@ -1657,14 +1659,14 @@ void set_all_modules_text_rw(void)
63853  
63854         mutex_lock(&module_mutex);
63855         list_for_each_entry_rcu(mod, &modules, list) {
63856 -               if ((mod->module_core) && (mod->core_text_size)) {
63857 -                       set_page_attributes(mod->module_core,
63858 -                                               mod->module_core + mod->core_text_size,
63859 +               if ((mod->module_core_rx) && (mod->core_size_rx)) {
63860 +                       set_page_attributes(mod->module_core_rx,
63861 +                                               mod->module_core_rx + mod->core_size_rx,
63862                                                 set_memory_rw);
63863                 }
63864 -               if ((mod->module_init) && (mod->init_text_size)) {
63865 -                       set_page_attributes(mod->module_init,
63866 -                                               mod->module_init + mod->init_text_size,
63867 +               if ((mod->module_init_rx) && (mod->init_size_rx)) {
63868 +                       set_page_attributes(mod->module_init_rx,
63869 +                                               mod->module_init_rx + mod->init_size_rx,
63870                                                 set_memory_rw);
63871                 }
63872         }
63873 @@ -1678,14 +1680,14 @@ void set_all_modules_text_ro(void)
63874  
63875         mutex_lock(&module_mutex);
63876         list_for_each_entry_rcu(mod, &modules, list) {
63877 -               if ((mod->module_core) && (mod->core_text_size)) {
63878 -                       set_page_attributes(mod->module_core,
63879 -                                               mod->module_core + mod->core_text_size,
63880 +               if ((mod->module_core_rx) && (mod->core_size_rx)) {
63881 +                       set_page_attributes(mod->module_core_rx,
63882 +                                               mod->module_core_rx + mod->core_size_rx,
63883                                                 set_memory_ro);
63884                 }
63885 -               if ((mod->module_init) && (mod->init_text_size)) {
63886 -                       set_page_attributes(mod->module_init,
63887 -                                               mod->module_init + mod->init_text_size,
63888 +               if ((mod->module_init_rx) && (mod->init_size_rx)) {
63889 +                       set_page_attributes(mod->module_init_rx,
63890 +                                               mod->module_init_rx + mod->init_size_rx,
63891                                                 set_memory_ro);
63892                 }
63893         }
63894 @@ -1722,16 +1724,19 @@ static void free_module(struct module *m
63895  
63896         /* This may be NULL, but that's OK */
63897         unset_module_init_ro_nx(mod);
63898 -       module_free(mod, mod->module_init);
63899 +       module_free(mod, mod->module_init_rw);
63900 +       module_free_exec(mod, mod->module_init_rx);
63901         kfree(mod->args);
63902         percpu_modfree(mod);
63903  
63904         /* Free lock-classes: */
63905 -       lockdep_free_key_range(mod->module_core, mod->core_size);
63906 +       lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
63907 +       lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
63908  
63909         /* Finally, free the core (containing the module structure) */
63910         unset_module_core_ro_nx(mod);
63911 -       module_free(mod, mod->module_core);
63912 +       module_free_exec(mod, mod->module_core_rx);
63913 +       module_free(mod, mod->module_core_rw);
63914  
63915  #ifdef CONFIG_MPU
63916         update_protections(current->mm);
63917 @@ -1800,10 +1805,31 @@ static int simplify_symbols(struct modul
63918         unsigned int i;
63919         int ret = 0;
63920         const struct kernel_symbol *ksym;
63921 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63922 +       int is_fs_load = 0;
63923 +       int register_filesystem_found = 0;
63924 +       char *p;
63925 +
63926 +       p = strstr(mod->args, "grsec_modharden_fs");
63927 +       if (p) {
63928 +               char *endptr = p + strlen("grsec_modharden_fs");
63929 +               /* copy \0 as well */
63930 +               memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
63931 +               is_fs_load = 1;
63932 +       }
63933 +#endif
63934  
63935         for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
63936                 const char *name = info->strtab + sym[i].st_name;
63937  
63938 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63939 +               /* it's a real shame this will never get ripped and copied
63940 +                  upstream! ;(
63941 +               */
63942 +               if (is_fs_load && !strcmp(name, "register_filesystem"))
63943 +                       register_filesystem_found = 1;
63944 +#endif
63945 +
63946                 switch (sym[i].st_shndx) {
63947                 case SHN_COMMON:
63948                         /* We compiled with -fno-common.  These are not
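Review bot: The memmove length `strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1` is the tail length in disguise, and the cast narrows a pointer difference for no reason; `memmove(p, endptr, strlen(endptr) + 1);` says the same thing without the arithmetic. This block also dereferences mod->args unconditionally, which only works because a later hunk in this patch moves the strndup_user() of uargs in load_module ahead of the simplify_symbols() call; that ordering dependency deserves a comment here, e.g. `/* mod->args is populated before simplify_symbols() runs, see load_module() */`. strstr() matches the marker anywhere in the argument string, including inside a longer parameter name, and only the first occurrence is stripped, which is worth stating next to the lookup. simplify_symbols continues past the hunk.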
63949 @@ -1824,7 +1850,9 @@ static int simplify_symbols(struct modul
63950                         ksym = resolve_symbol_wait(mod, info, name);
63951                         /* Ok if resolved.  */
63952                         if (ksym && !IS_ERR(ksym)) {
63953 +                               pax_open_kernel();
63954                                 sym[i].st_value = ksym->value;
63955 +                               pax_close_kernel();
63956                                 break;
63957                         }
63958  
63959 @@ -1843,11 +1871,20 @@ static int simplify_symbols(struct modul
63960                                 secbase = (unsigned long)mod_percpu(mod);
63961                         else
63962                                 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
63963 +                       pax_open_kernel();
63964                         sym[i].st_value += secbase;
63965 +                       pax_close_kernel();
63966                         break;
63967                 }
63968         }
63969  
63970 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63971 +       if (is_fs_load && !register_filesystem_found) {
63972 +               printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
63973 +               ret = -EPERM;
63974 +       }
63975 +#endif
63976 +
63977         return ret;
63978  }
63979  
63980 @@ -1931,22 +1968,12 @@ static void layout_sections(struct modul
63981                             || s->sh_entsize != ~0UL
63982                             || strstarts(sname, ".init"))
63983                                 continue;
63984 -                       s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
63985 +                       if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63986 +                               s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
63987 +                       else
63988 +                               s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
63989                         DEBUGP("\t%s\n", name);
63990                 }
63991 -               switch (m) {
63992 -               case 0: /* executable */
63993 -                       mod->core_size = debug_align(mod->core_size);
63994 -                       mod->core_text_size = mod->core_size;
63995 -                       break;
63996 -               case 1: /* RO: text and ro-data */
63997 -                       mod->core_size = debug_align(mod->core_size);
63998 -                       mod->core_ro_size = mod->core_size;
63999 -                       break;
64000 -               case 3: /* whole core */
64001 -                       mod->core_size = debug_align(mod->core_size);
64002 -                       break;
64003 -               }
64004         }
64005  
64006         DEBUGP("Init section allocation order:\n");
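Review bot: Dropping the `switch (m)` also drops the debug_align() rounding of the core sizes, so core_size_rx now ends wherever the last rx section ends rather than on a page boundary; if the page-granular CONFIG_DEBUG_SET_MODULE_RONX protection applied in init_module is still meant to cover the whole rx block, the rounding needs to be reapplied after the section loop, e.g. `mod->core_size_rx = debug_align(mod->core_size_rx);`, and likewise for init_size_rx in the init hunk that follows. The rw/rx test is repeated in both hunks and again in move_module without a comment naming the rule; `/* writable or non-alloc sections go to the rw block, text and rodata to rx */` at the first occurrence would help. layout_sections starts before this hunk.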
64007 @@ -1960,23 +1987,13 @@ static void layout_sections(struct modul
64008                             || s->sh_entsize != ~0UL
64009                             || !strstarts(sname, ".init"))
64010                                 continue;
64011 -                       s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
64012 -                                        | INIT_OFFSET_MASK);
64013 +                       if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
64014 +                               s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
64015 +                       else
64016 +                               s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
64017 +                       s->sh_entsize |= INIT_OFFSET_MASK;
64018                         DEBUGP("\t%s\n", sname);
64019                 }
64020 -               switch (m) {
64021 -               case 0: /* executable */
64022 -                       mod->init_size = debug_align(mod->init_size);
64023 -                       mod->init_text_size = mod->init_size;
64024 -                       break;
64025 -               case 1: /* RO: text and ro-data */
64026 -                       mod->init_size = debug_align(mod->init_size);
64027 -                       mod->init_ro_size = mod->init_size;
64028 -                       break;
64029 -               case 3: /* whole init */
64030 -                       mod->init_size = debug_align(mod->init_size);
64031 -                       break;
64032 -               }
64033         }
64034  }
64035  
64036 @@ -2141,7 +2158,7 @@ static void layout_symtab(struct module 
64037  
64038         /* Put symbol section at end of init part of module. */
64039         symsect->sh_flags |= SHF_ALLOC;
64040 -       symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
64041 +       symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
64042                                          info->index.sym) | INIT_OFFSET_MASK;
64043         DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
64044  
64045 @@ -2158,19 +2175,19 @@ static void layout_symtab(struct module 
64046                 }
64047  
64048         /* Append room for core symbols at end of core part. */
64049 -       info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
64050 -       mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
64051 +       info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
64052 +       mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
64053  
64054         /* Put string table section at end of init part of module. */
64055         strsect->sh_flags |= SHF_ALLOC;
64056 -       strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
64057 +       strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
64058                                          info->index.str) | INIT_OFFSET_MASK;
64059         DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
64060  
64061         /* Append room for core symbols' strings at end of core part. */
64062 -       info->stroffs = mod->core_size;
64063 +       info->stroffs = mod->core_size_rx;
64064         __set_bit(0, info->strmap);
64065 -       mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
64066 +       mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
64067  }
64068  
64069  static void add_kallsyms(struct module *mod, const struct load_info *info)
64070 @@ -2186,11 +2203,13 @@ static void add_kallsyms(struct module *
64071         /* Make sure we get permanent strtab: don't use info->strtab. */
64072         mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
64073  
64074 +       pax_open_kernel();
64075 +
64076         /* Set types up while we still have access to sections. */
64077         for (i = 0; i < mod->num_symtab; i++)
64078                 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
64079  
64080 -       mod->core_symtab = dst = mod->module_core + info->symoffs;
64081 +       mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
64082         src = mod->symtab;
64083         *dst = *src;
64084         for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
64085 @@ -2203,10 +2222,12 @@ static void add_kallsyms(struct module *
64086         }
64087         mod->core_num_syms = ndst;
64088  
64089 -       mod->core_strtab = s = mod->module_core + info->stroffs;
64090 +       mod->core_strtab = s = mod->module_core_rx + info->stroffs;
64091         for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
64092                 if (test_bit(i, info->strmap))
64093                         *++s = mod->strtab[i];
64094 +
64095 +       pax_close_kernel();
64096  }
64097  #else
64098  static inline void layout_symtab(struct module *mod, struct load_info *info)
64099 @@ -2235,17 +2256,33 @@ static void dynamic_debug_remove(struct 
64100                 ddebug_remove_module(debug->modname);
64101  }
64102  
64103 -static void *module_alloc_update_bounds(unsigned long size)
64104 +static void *module_alloc_update_bounds_rw(unsigned long size)
64105  {
64106         void *ret = module_alloc(size);
64107  
64108         if (ret) {
64109                 mutex_lock(&module_mutex);
64110                 /* Update module bounds. */
64111 -               if ((unsigned long)ret < module_addr_min)
64112 -                       module_addr_min = (unsigned long)ret;
64113 -               if ((unsigned long)ret + size > module_addr_max)
64114 -                       module_addr_max = (unsigned long)ret + size;
64115 +               if ((unsigned long)ret < module_addr_min_rw)
64116 +                       module_addr_min_rw = (unsigned long)ret;
64117 +               if ((unsigned long)ret + size > module_addr_max_rw)
64118 +                       module_addr_max_rw = (unsigned long)ret + size;
64119 +               mutex_unlock(&module_mutex);
64120 +       }
64121 +       return ret;
64122 +}
64123 +
64124 +static void *module_alloc_update_bounds_rx(unsigned long size)
64125 +{
64126 +       void *ret = module_alloc_exec(size);
64127 +
64128 +       if (ret) {
64129 +               mutex_lock(&module_mutex);
64130 +               /* Update module bounds. */
64131 +               if ((unsigned long)ret < module_addr_min_rx)
64132 +                       module_addr_min_rx = (unsigned long)ret;
64133 +               if ((unsigned long)ret + size > module_addr_max_rx)
64134 +                       module_addr_max_rx = (unsigned long)ret + size;
64135                 mutex_unlock(&module_mutex);
64136         }
64137         return ret;
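Review bot: module_alloc_update_bounds_rw and module_alloc_update_bounds_rx are the same nine lines with the allocator and the two bound variables swapped; folding the bookkeeping into one helper that takes the bound pointers keeps the min/max update in a single place, preserves the module_mutex scope and the existing "Update module bounds." comment. The closing brace of the _rx variant is outside the hunk.
```c
/* Widen [*min, *max) to cover a block just returned by an allocator. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	if (!ret)
		return;
	mutex_lock(&module_mutex);
	/* Update module bounds. */
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rw(unsigned long size)
{
	void *ret = module_alloc(size);

	module_update_bounds(ret, size, &module_addr_min_rw, &module_addr_max_rw);
	return ret;
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	module_update_bounds(ret, size, &module_addr_min_rx, &module_addr_max_rx);
	return ret;
}
```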
64138 @@ -2538,7 +2575,7 @@ static int move_module(struct module *mo
64139         void *ptr;
64140  
64141         /* Do the allocs. */
64142 -       ptr = module_alloc_update_bounds(mod->core_size);
64143 +       ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
64144         /*
64145          * The pointer to this block is stored in the module structure
64146          * which is inside the block. Just mark it as not being a
64147 @@ -2548,23 +2585,50 @@ static int move_module(struct module *mo
64148         if (!ptr)
64149                 return -ENOMEM;
64150  
64151 -       memset(ptr, 0, mod->core_size);
64152 -       mod->module_core = ptr;
64153 +       memset(ptr, 0, mod->core_size_rw);
64154 +       mod->module_core_rw = ptr;
64155  
64156 -       ptr = module_alloc_update_bounds(mod->init_size);
64157 +       ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
64158         /*
64159          * The pointer to this block is stored in the module structure
64160          * which is inside the block. This block doesn't need to be
64161          * scanned as it contains data and code that will be freed
64162          * after the module is initialized.
64163          */
64164 -       kmemleak_ignore(ptr);
64165 -       if (!ptr && mod->init_size) {
64166 -               module_free(mod, mod->module_core);
64167 +       kmemleak_not_leak(ptr);
64168 +       if (!ptr && mod->init_size_rw) {
64169 +               module_free(mod, mod->module_core_rw);
64170                 return -ENOMEM;
64171         }
64172 -       memset(ptr, 0, mod->init_size);
64173 -       mod->module_init = ptr;
64174 +       memset(ptr, 0, mod->init_size_rw);
64175 +       mod->module_init_rw = ptr;
64176 +
64177 +       ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
64178 +       kmemleak_not_leak(ptr);
64179 +       if (!ptr) {
64180 +               module_free(mod, mod->module_init_rw);
64181 +               module_free(mod, mod->module_core_rw);
64182 +               return -ENOMEM;
64183 +       }
64184 +
64185 +       pax_open_kernel();
64186 +       memset(ptr, 0, mod->core_size_rx);
64187 +       pax_close_kernel();
64188 +       mod->module_core_rx = ptr;
64189 +
64190 +       ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
64191 +       kmemleak_not_leak(ptr);
64192 +       if (!ptr && mod->init_size_rx) {
64193 +               module_free_exec(mod, mod->module_core_rx);
64194 +               module_free(mod, mod->module_init_rw);
64195 +               module_free(mod, mod->module_core_rw);
64196 +               return -ENOMEM;
64197 +       }
64198 +
64199 +       pax_open_kernel();
64200 +       memset(ptr, 0, mod->init_size_rx);
64201 +       pax_close_kernel();
64202 +       mod->module_init_rx = ptr;
64203  
64204         /* Transfer each section which specifies SHF_ALLOC */
64205         DEBUGP("final section addresses:\n");
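Review bot: The comment above the init_rw allocation still says the block "doesn't need to be scanned", but kmemleak_ignore() has been replaced by kmemleak_not_leak(), which keeps the block scanned and only suppresses reporting it; either restore kmemleak_ignore() for this block or change the comment to `/* scanned, but never reported as leaked: it is freed once init is done */`. The core_rx allocation is rejected whenever it returns NULL, while the other three allocations tolerate NULL when the corresponding size is zero; if a module can legitimately have no rx core content this path returns -ENOMEM for it, and if it cannot, a comment on the check, `/* every module has text or rodata in core, so NULL is always a failure */`, would say so. move_module continues past the hunk.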
64206 @@ -2575,16 +2639,45 @@ static int move_module(struct module *mo
64207                 if (!(shdr->sh_flags & SHF_ALLOC))
64208                         continue;
64209  
64210 -               if (shdr->sh_entsize & INIT_OFFSET_MASK)
64211 -                       dest = mod->module_init
64212 -                               + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64213 -               else
64214 -                       dest = mod->module_core + shdr->sh_entsize;
64215 +               if (shdr->sh_entsize & INIT_OFFSET_MASK) {
64216 +                       if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
64217 +                               dest = mod->module_init_rw
64218 +                                       + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64219 +                       else
64220 +                               dest = mod->module_init_rx
64221 +                                       + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64222 +               } else {
64223 +                       if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
64224 +                               dest = mod->module_core_rw + shdr->sh_entsize;
64225 +                       else
64226 +                               dest = mod->module_core_rx + shdr->sh_entsize;
64227 +               }
64228 +
64229 +               if (shdr->sh_type != SHT_NOBITS) {
64230 +
64231 +#ifdef CONFIG_PAX_KERNEXEC
64232 +#ifdef CONFIG_X86_64
64233 +                       if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
64234 +                               set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
64235 +#endif
64236 +                       if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
64237 +                               pax_open_kernel();
64238 +                               memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
64239 +                               pax_close_kernel();
64240 +                       } else
64241 +#endif
64242  
64243 -               if (shdr->sh_type != SHT_NOBITS)
64244                         memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
64245 +               }
64246                 /* Update sh_addr to point to copy in image. */
64247 -               shdr->sh_addr = (unsigned long)dest;
64248 +
64249 +#ifdef CONFIG_PAX_KERNEXEC
64250 +               if (shdr->sh_flags & SHF_EXECINSTR)
64251 +                       shdr->sh_addr = ktva_ktla((unsigned long)dest);
64252 +               else
64253 +#endif
64254 +
64255 +                       shdr->sh_addr = (unsigned long)dest;
64256                 DEBUGP("\t0x%lx %s\n",
64257                        shdr->sh_addr, info->secstrings + shdr->sh_name);
64258         }
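Review bot: The X86_64 branch under CONFIG_PAX_KERNEXEC honours a section flagged both SHF_WRITE and SHF_EXECINSTR by calling set_memory_x() on part of the rw block, i.e. the module image's own flags may create writable-and-executable pages in the region the rest of this patch keeps non-executable; at minimum that deserves a `printk(KERN_WARNING ...)` naming the module and section so it shows up in the log, plus a comment on which sections are expected to need it. The page count `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT` also assumes dest is page-aligned, which get_offset() does not guarantee; for an unaligned dest the section can straddle one more page than that yields, so `PFN_UP((unsigned long)dest + shdr->sh_size) - PFN_DOWN((unsigned long)dest)` is the safe count. The `!(shdr->sh_flags & SHF_ALLOC)` term in both new dest tests is dead here because the loop already `continue`s on non-SHF_ALLOC sections two lines above; keeping it for symmetry with layout_sections is fine but worth a one-line comment. move_module continues past the hunk.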
64259 @@ -2635,12 +2728,12 @@ static void flush_module_icache(const st
64260          * Do it before processing of module parameters, so the module
64261          * can provide parameter accessor functions of its own.
64262          */
64263 -       if (mod->module_init)
64264 -               flush_icache_range((unsigned long)mod->module_init,
64265 -                                  (unsigned long)mod->module_init
64266 -                                  + mod->init_size);
64267 -       flush_icache_range((unsigned long)mod->module_core,
64268 -                          (unsigned long)mod->module_core + mod->core_size);
64269 +       if (mod->module_init_rx)
64270 +               flush_icache_range((unsigned long)mod->module_init_rx,
64271 +                                  (unsigned long)mod->module_init_rx
64272 +                                  + mod->init_size_rx);
64273 +       flush_icache_range((unsigned long)mod->module_core_rx,
64274 +                          (unsigned long)mod->module_core_rx + mod->core_size_rx);
64275  
64276         set_fs(old_fs);
64277  }
64278 @@ -2712,8 +2805,10 @@ static void module_deallocate(struct mod
64279  {
64280         kfree(info->strmap);
64281         percpu_modfree(mod);
64282 -       module_free(mod, mod->module_init);
64283 -       module_free(mod, mod->module_core);
64284 +       module_free_exec(mod, mod->module_init_rx);
64285 +       module_free_exec(mod, mod->module_core_rx);
64286 +       module_free(mod, mod->module_init_rw);
64287 +       module_free(mod, mod->module_core_rw);
64288  }
64289  
64290  static int post_relocation(struct module *mod, const struct load_info *info)
64291 @@ -2770,9 +2865,38 @@ static struct module *load_module(void _
64292         if (err)
64293                 goto free_unload;
64294  
64295 +       /* Now copy in args */
64296 +       mod->args = strndup_user(uargs, ~0UL >> 1);
64297 +       if (IS_ERR(mod->args)) {
64298 +               err = PTR_ERR(mod->args);
64299 +               goto free_unload;
64300 +       }
64301 +
64302         /* Set up MODINFO_ATTR fields */
64303         setup_modinfo(mod, &info);
64304  
64305 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
64306 +       {
64307 +               char *p, *p2;
64308 +
64309 +               if (strstr(mod->args, "grsec_modharden_netdev")) {
64310 +                       printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
64311 +                       err = -EPERM;
64312 +                       goto free_modinfo;
64313 +               } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
64314 +                       p += strlen("grsec_modharden_normal");
64315 +                       p2 = strstr(p, "_");
64316 +                       if (p2) {
64317 +                               *p2 = '\0';
64318 +                               printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
64319 +                               *p2 = '_';
64320 +                       }
64321 +                       err = -EPERM;
64322 +                       goto free_modinfo;
64323 +               }
64324 +       }
64325 +#endif
64326 +
64327         /* Fix up syms, so that st_value is a pointer to location. */
64328         err = simplify_symbols(mod, &info);
64329         if (err < 0)
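Review bot: The KERN_ALERT message for the `grsec_modharden_netdev` case has no trailing `\n`, unlike its sibling a few lines below, so the next printk will be appended to the same log line; end it with `instead.\n"`. `p2 = strstr(p, "_")` is a single-character search and reads more naturally as `p2 = strchr(p, '_');`. Moving the strndup_user() of uargs above setup_modinfo() is what lets simplify_symbols() read mod->args; the early `goto free_unload` on its failure looks correct, since the kfree(mod->args) now sits under the free_modinfo label, which that path does not reach. load_module continues on both sides of the hunk.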
64330 @@ -2788,13 +2912,6 @@ static struct module *load_module(void _
64331  
64332         flush_module_icache(mod);
64333  
64334 -       /* Now copy in args */
64335 -       mod->args = strndup_user(uargs, ~0UL >> 1);
64336 -       if (IS_ERR(mod->args)) {
64337 -               err = PTR_ERR(mod->args);
64338 -               goto free_arch_cleanup;
64339 -       }
64340 -
64341         /* Mark state as coming so strong_try_module_get() ignores us. */
64342         mod->state = MODULE_STATE_COMING;
64343  
64344 @@ -2854,11 +2971,10 @@ static struct module *load_module(void _
64345   unlock:
64346         mutex_unlock(&module_mutex);
64347         synchronize_sched();
64348 -       kfree(mod->args);
64349 - free_arch_cleanup:
64350         module_arch_cleanup(mod);
64351   free_modinfo:
64352         free_modinfo(mod);
64353 +       kfree(mod->args);
64354   free_unload:
64355         module_unload_free(mod);
64356   free_module:
64357 @@ -2899,16 +3015,16 @@ SYSCALL_DEFINE3(init_module, void __user
64358                         MODULE_STATE_COMING, mod);
64359  
64360         /* Set RO and NX regions for core */
64361 -       set_section_ro_nx(mod->module_core,
64362 -                               mod->core_text_size,
64363 -                               mod->core_ro_size,
64364 -                               mod->core_size);
64365 +       set_section_ro_nx(mod->module_core_rx,
64366 +                               mod->core_size_rx,
64367 +                               mod->core_size_rx,
64368 +                               mod->core_size_rx);
64369  
64370         /* Set RO and NX regions for init */
64371 -       set_section_ro_nx(mod->module_init,
64372 -                               mod->init_text_size,
64373 -                               mod->init_ro_size,
64374 -                               mod->init_size);
64375 +       set_section_ro_nx(mod->module_init_rx,
64376 +                               mod->init_size_rx,
64377 +                               mod->init_size_rx,
64378 +                               mod->init_size_rx);
64379  
64380         do_mod_ctors(mod);
64381         /* Start the module */
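Review bot: Passing `mod->core_size_rx` (and `mod->init_size_rx`) for all three size arguments of set_section_ro_nx() collapses the text/RO/total boundaries into one, so the NX-only tail the original applied between `core_ro_size` and `core_size` no longer exists in this call. That is consistent with the RX mapping holding only text, but the RW half (`mod->module_core_rw`) is no longer covered by any set_section_ro_nx() call here, so its non-executability must come from how it is allocated, which is outside this hunk — confirm. A comment such as `/* the rx mapping is all text, so text, ro and total sizes coincide; the rw mapping is NX by allocation */` would make the repeated argument look deliberate rather than a copy-paste slip.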
64382 @@ -2954,11 +3070,12 @@ SYSCALL_DEFINE3(init_module, void __user
64383         mod->strtab = mod->core_strtab;
64384  #endif
64385         unset_module_init_ro_nx(mod);
64386 -       module_free(mod, mod->module_init);
64387 -       mod->module_init = NULL;
64388 -       mod->init_size = 0;
64389 -       mod->init_ro_size = 0;
64390 -       mod->init_text_size = 0;
64391 +       module_free(mod, mod->module_init_rw);
64392 +       module_free_exec(mod, mod->module_init_rx);
64393 +       mod->module_init_rw = NULL;
64394 +       mod->module_init_rx = NULL;
64395 +       mod->init_size_rw = 0;
64396 +       mod->init_size_rx = 0;
64397         mutex_unlock(&module_mutex);
64398  
64399         return 0;
64400 @@ -2989,10 +3106,16 @@ static const char *get_ksymbol(struct mo
64401         unsigned long nextval;
64402  
64403         /* At worse, next value is at end of module */
64404 -       if (within_module_init(addr, mod))
64405 -               nextval = (unsigned long)mod->module_init+mod->init_text_size;
64406 +       if (within_module_init_rx(addr, mod))
64407 +               nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
64408 +       else if (within_module_init_rw(addr, mod))
64409 +               nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
64410 +       else if (within_module_core_rx(addr, mod))
64411 +               nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
64412 +       else if (within_module_core_rw(addr, mod))
64413 +               nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
64414         else
64415 -               nextval = (unsigned long)mod->module_core+mod->core_text_size;
64416 +               return NULL;
64417  
64418         /* Scan for closest preceding symbol, and next symbol. (ELF
64419            starts real symbols at 1). */
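Review bot: The new `else return NULL;` turns get_ksymbol() from a function that always produced a name into one that returns NULL when `addr` lies in none of the module's four regions, where the original fell back to the end of core text; every caller (all outside this hunk) must now tolerate NULL. A comment at the new return, `/* addr is outside every region of mod: not one of its symbols */`, would document the contract. The enclosing function continues beyond the hunk.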
64420 @@ -3238,7 +3361,7 @@ static int m_show(struct seq_file *m, vo
64421         char buf[8];
64422  
64423         seq_printf(m, "%s %u",
64424 -                  mod->name, mod->init_size + mod->core_size);
64425 +                  mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
64426         print_unload_info(m, mod);
64427  
64428         /* Informative for users. */
64429 @@ -3247,7 +3370,7 @@ static int m_show(struct seq_file *m, vo
64430                    mod->state == MODULE_STATE_COMING ? "Loading":
64431                    "Live");
64432         /* Used by oprofile and other similar tools. */
64433 -       seq_printf(m, " 0x%pK", mod->module_core);
64434 +       seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
64435  
64436         /* Taints info */
64437         if (mod->taints)
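Review bot: Appending a second `0x%pK` to the /proc/modules line changes a format that userspace parses — the comment directly above says oprofile and similar tools use this field — so a consumer expecting one address after the state column may misread the line. If the extra column is intended, say so next to the format, e.g. `/* rx and rw base addresses; the second column is an extension of the upstream format */`, and mention it in the /proc documentation. The size column in the previous hunk now sums the four region sizes, which keeps that column's meaning; both addresses remain subject to kptr_restrict through %pK.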
64438 @@ -3283,7 +3406,17 @@ static const struct file_operations proc
64439  
64440  static int __init proc_modules_init(void)
64441  {
64442 +#ifndef CONFIG_GRKERNSEC_HIDESYM
64443 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64444 +       proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64445 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64446 +       proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
64447 +#else
64448         proc_create("modules", 0, NULL, &proc_modules_operations);
64449 +#endif
64450 +#else
64451 +       proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64452 +#endif
64453         return 0;
64454  }
64455  module_init(proc_modules_init);
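Review bot: The nested `#ifndef CONFIG_GRKERNSEC_HIDESYM` / `#ifdef CONFIG_GRKERNSEC_PROC_USER` block in proc_modules_init() yields `S_IRUSR` on two of its four branches, which takes a moment to see through the nesting; a flat `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)` followed by the existing `#elif` and `#else` expresses the same modes in one read. A short comment above the block, `/* the module list exposes load addresses; restrict it along with hidden symbols or the /proc policy */`, would state why the mode is tightened. The fallback `0` relies on proc_create's default mode, as before.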
64456 @@ -3342,12 +3475,12 @@ struct module *__module_address(unsigned
64457  {
64458         struct module *mod;
64459  
64460 -       if (addr < module_addr_min || addr > module_addr_max)
64461 +       if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
64462 +           (addr < module_addr_min_rw || addr > module_addr_max_rw))
64463                 return NULL;
64464  
64465         list_for_each_entry_rcu(mod, &modules, list)
64466 -               if (within_module_core(addr, mod)
64467 -                   || within_module_init(addr, mod))
64468 +               if (within_module_init(addr, mod) || within_module_core(addr, mod))
64469                         return mod;
64470         return NULL;
64471  }
64472 @@ -3381,11 +3514,20 @@ bool is_module_text_address(unsigned lon
64473   */
64474  struct module *__module_text_address(unsigned long addr)
64475  {
64476 -       struct module *mod = __module_address(addr);
64477 +       struct module *mod;
64478 +
64479 +#ifdef CONFIG_X86_32
64480 +       addr = ktla_ktva(addr);
64481 +#endif
64482 +
64483 +       if (addr < module_addr_min_rx || addr > module_addr_max_rx)
64484 +               return NULL;
64485 +
64486 +       mod = __module_address(addr);
64487 +
64488         if (mod) {
64489                 /* Make sure it's within the text section. */
64490 -               if (!within(addr, mod->module_init, mod->init_text_size)
64491 -                   && !within(addr, mod->module_core, mod->core_text_size))
64492 +               if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
64493                         mod = NULL;
64494         }
64495         return mod;
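Review bot: `addr = ktla_ktva(addr)` under CONFIG_X86_32 is the only architecture-specific translation in this otherwise generic function and carries no comment, so a reader cannot tell which address space callers pass nor which space `module_addr_min_rx`/`module_addr_max_rx` and the `within_module_*_rx()` helpers are kept in; the translated value is then also handed to `__module_address()`, which in the hunk above performs no translation of its own. A comment stating the space the rx bounds use — e.g. `/* x86_32: module text is tracked at its virtual address; translate before the rx range checks */` if that is the case — would make the early return readable. The early rx-range check is a narrower repeat of the test inside `__module_address()`, which is fine but worth a word as well.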
64496 diff -urNp linux-3.0.9/kernel/mutex.c linux-3.0.9/kernel/mutex.c
64497 --- linux-3.0.9/kernel/mutex.c  2011-11-11 13:12:24.000000000 -0500
64498 +++ linux-3.0.9/kernel/mutex.c  2011-11-15 20:03:00.000000000 -0500
64499 @@ -198,7 +198,7 @@ __mutex_lock_common(struct mutex *lock, 
64500         spin_lock_mutex(&lock->wait_lock, flags);
64501  
64502         debug_mutex_lock_common(lock, &waiter);
64503 -       debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
64504 +       debug_mutex_add_waiter(lock, &waiter, task);
64505  
64506         /* add waiting tasks to the end of the waitqueue (FIFO): */
64507         list_add_tail(&waiter.list, &lock->wait_list);
64508 @@ -227,8 +227,7 @@ __mutex_lock_common(struct mutex *lock, 
64509                  * TASK_UNINTERRUPTIBLE case.)
64510                  */
64511                 if (unlikely(signal_pending_state(state, task))) {
64512 -                       mutex_remove_waiter(lock, &waiter,
64513 -                                           task_thread_info(task));
64514 +                       mutex_remove_waiter(lock, &waiter, task);
64515                         mutex_release(&lock->dep_map, 1, ip);
64516                         spin_unlock_mutex(&lock->wait_lock, flags);
64517  
64518 @@ -249,7 +248,7 @@ __mutex_lock_common(struct mutex *lock, 
64519  done:
64520         lock_acquired(&lock->dep_map, ip);
64521         /* got the lock - rejoice! */
64522 -       mutex_remove_waiter(lock, &waiter, current_thread_info());
64523 +       mutex_remove_waiter(lock, &waiter, task);
64524         mutex_set_owner(lock);
64525  
64526         /* set it to 0 if there are no waiters left: */
64527 diff -urNp linux-3.0.9/kernel/mutex-debug.c linux-3.0.9/kernel/mutex-debug.c
64528 --- linux-3.0.9/kernel/mutex-debug.c    2011-11-11 13:12:24.000000000 -0500
64529 +++ linux-3.0.9/kernel/mutex-debug.c    2011-11-15 20:03:00.000000000 -0500
64530 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
64531  }
64532  
64533  void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64534 -                           struct thread_info *ti)
64535 +                           struct task_struct *task)
64536  {
64537         SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
64538  
64539         /* Mark the current thread as blocked on the lock: */
64540 -       ti->task->blocked_on = waiter;
64541 +       task->blocked_on = waiter;
64542  }
64543  
64544  void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64545 -                        struct thread_info *ti)
64546 +                        struct task_struct *task)
64547  {
64548         DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
64549 -       DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
64550 -       DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
64551 -       ti->task->blocked_on = NULL;
64552 +       DEBUG_LOCKS_WARN_ON(waiter->task != task);
64553 +       DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
64554 +       task->blocked_on = NULL;
64555  
64556         list_del_init(&waiter->list);
64557         waiter->task = NULL;
64558 diff -urNp linux-3.0.9/kernel/mutex-debug.h linux-3.0.9/kernel/mutex-debug.h
64559 --- linux-3.0.9/kernel/mutex-debug.h    2011-11-11 13:12:24.000000000 -0500
64560 +++ linux-3.0.9/kernel/mutex-debug.h    2011-11-15 20:03:00.000000000 -0500
64561 @@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(stru
64562  extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
64563  extern void debug_mutex_add_waiter(struct mutex *lock,
64564                                    struct mutex_waiter *waiter,
64565 -                                  struct thread_info *ti);
64566 +                                  struct task_struct *task);
64567  extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64568 -                               struct thread_info *ti);
64569 +                               struct task_struct *task);
64570  extern void debug_mutex_unlock(struct mutex *lock);
64571  extern void debug_mutex_init(struct mutex *lock, const char *name,
64572                              struct lock_class_key *key);
64573 diff -urNp linux-3.0.9/kernel/padata.c linux-3.0.9/kernel/padata.c
64574 --- linux-3.0.9/kernel/padata.c 2011-11-11 13:12:24.000000000 -0500
64575 +++ linux-3.0.9/kernel/padata.c 2011-11-15 20:03:00.000000000 -0500
64576 @@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
64577         padata->pd = pd;
64578         padata->cb_cpu = cb_cpu;
64579  
64580 -       if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
64581 -               atomic_set(&pd->seq_nr, -1);
64582 +       if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
64583 +               atomic_set_unchecked(&pd->seq_nr, -1);
64584  
64585 -       padata->seq_nr = atomic_inc_return(&pd->seq_nr);
64586 +       padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
64587  
64588         target_cpu = padata_cpu_hash(padata);
64589         queue = per_cpu_ptr(pd->pqueue, target_cpu);
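Review bot: `pd->seq_nr` is reset to -1 when it reaches `pd->max_seq_nr` (visible in this hunk), so it is a deliberately wrapping sequence counter rather than a reference count, which is presumably why it moves to the `_unchecked` atomic variants; nothing in the hunk says so, and a reader may mistake `_unchecked` for a missed conversion. A comment at the field's declaration (in the header, outside this diff) or at the first use here, `/* seq_nr wraps by design and is not a refcount: exempt from overflow checking */`, would cover this hunk and the `atomic_set_unchecked` in the padata_alloc hunk below.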
64590 @@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
64591         padata_init_pqueues(pd);
64592         padata_init_squeues(pd);
64593         setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
64594 -       atomic_set(&pd->seq_nr, -1);
64595 +       atomic_set_unchecked(&pd->seq_nr, -1);
64596         atomic_set(&pd->reorder_objects, 0);
64597         atomic_set(&pd->refcnt, 0);
64598         pd->pinst = pinst;
64599 diff -urNp linux-3.0.9/kernel/panic.c linux-3.0.9/kernel/panic.c
64600 --- linux-3.0.9/kernel/panic.c  2011-11-11 13:12:24.000000000 -0500
64601 +++ linux-3.0.9/kernel/panic.c  2011-11-15 20:03:00.000000000 -0500
64602 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
64603         const char *board;
64604  
64605         printk(KERN_WARNING "------------[ cut here ]------------\n");
64606 -       printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
64607 +       printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
64608         board = dmi_get_system_info(DMI_PRODUCT_NAME);
64609         if (board)
64610                 printk(KERN_WARNING "Hardware name: %s\n", board);
64611 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
64612   */
64613  void __stack_chk_fail(void)
64614  {
64615 -       panic("stack-protector: Kernel stack is corrupted in: %p\n",
64616 +       dump_stack();
64617 +       panic("stack-protector: Kernel stack is corrupted in: %pA\n",
64618                 __builtin_return_address(0));
64619  }
64620  EXPORT_SYMBOL(__stack_chk_fail);
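Review bot: The `dump_stack()` added to `__stack_chk_fail()` precedes a `panic()` that, on kernels built with CONFIG_DEBUG_BUGVERBOSE, presumably dumps the stack itself (that code is outside the hunk), so such configurations would print the trace twice. If the intent is to show the corrupted frame before panic's own handling runs, say so: `/* dump first: the corrupted frame is what we want on the console */`; otherwise the call could be limited to configurations where panic() does not already do it. The `%p` → `%pA` change depends on the format extension defined elsewhere in this patch.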
64621 diff -urNp linux-3.0.9/kernel/pid.c linux-3.0.9/kernel/pid.c
64622 --- linux-3.0.9/kernel/pid.c    2011-11-11 13:12:24.000000000 -0500
64623 +++ linux-3.0.9/kernel/pid.c    2011-11-15 20:03:00.000000000 -0500
64624 @@ -33,6 +33,7 @@
64625  #include <linux/rculist.h>
64626  #include <linux/bootmem.h>
64627  #include <linux/hash.h>
64628 +#include <linux/security.h>
64629  #include <linux/pid_namespace.h>
64630  #include <linux/init_task.h>
64631  #include <linux/syscalls.h>
64632 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
64633  
64634  int pid_max = PID_MAX_DEFAULT;
64635  
64636 -#define RESERVED_PIDS          300
64637 +#define RESERVED_PIDS          500
64638  
64639  int pid_max_min = RESERVED_PIDS + 1;
64640  int pid_max_max = PID_MAX_LIMIT;
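Review bot: Raising `RESERVED_PIDS` from 300 to 500 also raises `pid_max_min` on the line below, so the lowest value an administrator may assign to kernel.pid_max changes from 301 to 501, and presumably the allocator's wrap point moves with it; nothing in the hunk records why 500 was chosen. A comment on the define, `/* raised from 300: floor of pid_max_min and the first PID reused after wrap */`, would give the next person tuning it the context.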
64641 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
64642   */
64643  struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
64644  {
64645 +       struct task_struct *task;
64646 +
64647         rcu_lockdep_assert(rcu_read_lock_held());
64648 -       return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
64649 +       task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
64650 +
64651 +       if (gr_pid_is_chrooted(task))
64652 +               return NULL;
64653 +
64654 +       return task;
64655  }
64656  
64657  struct task_struct *find_task_by_vpid(pid_t vnr)
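Review bot: `pid_task()` can return NULL and `gr_pid_is_chrooted(task)` is called on the result before any NULL check; unless that helper (outside this hunk) tolerates NULL, the guard should read `if (task && gr_pid_is_chrooted(task))`. The function now returns NULL for two different reasons — no such PID, and a task hidden from a chrooted caller — which callers cannot tell apart; a one-line comment above the check, `/* a task outside the caller's chroot is reported as non-existent on purpose */`, would document that this is intended.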
64658 @@ -428,6 +436,12 @@ struct task_struct *find_task_by_vpid(pi
64659         return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
64660  }
64661  
64662 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
64663 +{
64664 +       rcu_lockdep_assert(rcu_read_lock_held());       
64665 +       return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
64666 +}
64667 +
64668  struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
64669  {
64670         struct pid *pid;
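Review bot: `find_task_by_vpid_unrestricted()` passes `vnr` straight to `find_pid_ns()`, whereas `find_task_by_pid_ns()` in the hunk above first maps it through `vx_rmap_pid(nr)`; unless callers of the unrestricted variant are meant to bypass the vserver PID mapping as well as the chroot check, the lookup should be `find_pid_ns(vx_rmap_pid(vnr), current->nsproxy->pid_ns)`. The name only says that a restriction is skipped, so a header comment naming which check is bypassed, who may call it, and that rcu_read_lock must be held would make the contract explicit. There is also trailing whitespace after `rcu_lockdep_assert(rcu_read_lock_held());`.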
64671 diff -urNp linux-3.0.9/kernel/posix-cpu-timers.c linux-3.0.9/kernel/posix-cpu-timers.c
64672 --- linux-3.0.9/kernel/posix-cpu-timers.c       2011-11-11 13:12:24.000000000 -0500
64673 +++ linux-3.0.9/kernel/posix-cpu-timers.c       2011-11-15 20:03:00.000000000 -0500
64674 @@ -6,6 +6,7 @@
64675  #include <linux/posix-timers.h>
64676  #include <linux/errno.h>
64677  #include <linux/math64.h>
64678 +#include <linux/security.h>
64679  #include <asm/uaccess.h>
64680  #include <linux/kernel_stat.h>
64681  #include <trace/events/timer.h>
64682 @@ -1606,14 +1607,14 @@ struct k_clock clock_posix_cpu = {
64683  
64684  static __init int init_posix_cpu_timers(void)
64685  {
64686 -       struct k_clock process = {
64687 +       static struct k_clock process = {
64688                 .clock_getres   = process_cpu_clock_getres,
64689                 .clock_get      = process_cpu_clock_get,
64690                 .timer_create   = process_cpu_timer_create,
64691                 .nsleep         = process_cpu_nsleep,
64692                 .nsleep_restart = process_cpu_nsleep_restart,
64693         };
64694 -       struct k_clock thread = {
64695 +       static struct k_clock thread = {
64696                 .clock_getres   = thread_cpu_clock_getres,
64697                 .clock_get      = thread_cpu_clock_get,
64698                 .timer_create   = thread_cpu_timer_create,
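Review bot: `static` on the `process` and `thread` k_clock locals is needed once posix_timers_register_clock() keeps the pointer instead of copying the struct (the kernel/posix-timers.c hunks below), but nothing at the declarations says so, and a static local inside an `__init` function reads like an oversight. A comment such as `/* registered by pointer and used for the life of the system: must outlive this __init function and must not be __initdata */` would protect both from a well-meant cleanup; the same applies to the six static clocks in init_posix_timers().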
64699 diff -urNp linux-3.0.9/kernel/posix-timers.c linux-3.0.9/kernel/posix-timers.c
64700 --- linux-3.0.9/kernel/posix-timers.c   2011-11-11 13:12:24.000000000 -0500
64701 +++ linux-3.0.9/kernel/posix-timers.c   2011-11-15 20:03:00.000000000 -0500
64702 @@ -43,6 +43,7 @@
64703  #include <linux/idr.h>
64704  #include <linux/posix-clock.h>
64705  #include <linux/posix-timers.h>
64706 +#include <linux/grsecurity.h>
64707  #include <linux/syscalls.h>
64708  #include <linux/wait.h>
64709  #include <linux/workqueue.h>
64710 @@ -129,7 +130,7 @@ static DEFINE_SPINLOCK(idr_lock);
64711   *         which we beg off on and pass to do_sys_settimeofday().
64712   */
64713  
64714 -static struct k_clock posix_clocks[MAX_CLOCKS];
64715 +static struct k_clock *posix_clocks[MAX_CLOCKS];
64716  
64717  /*
64718   * These ones are defined below.
64719 @@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
64720   */
64721  static __init int init_posix_timers(void)
64722  {
64723 -       struct k_clock clock_realtime = {
64724 +       static struct k_clock clock_realtime = {
64725                 .clock_getres   = hrtimer_get_res,
64726                 .clock_get      = posix_clock_realtime_get,
64727                 .clock_set      = posix_clock_realtime_set,
64728 @@ -239,7 +240,7 @@ static __init int init_posix_timers(void
64729                 .timer_get      = common_timer_get,
64730                 .timer_del      = common_timer_del,
64731         };
64732 -       struct k_clock clock_monotonic = {
64733 +       static struct k_clock clock_monotonic = {
64734                 .clock_getres   = hrtimer_get_res,
64735                 .clock_get      = posix_ktime_get_ts,
64736                 .nsleep         = common_nsleep,
64737 @@ -249,19 +250,19 @@ static __init int init_posix_timers(void
64738                 .timer_get      = common_timer_get,
64739                 .timer_del      = common_timer_del,
64740         };
64741 -       struct k_clock clock_monotonic_raw = {
64742 +       static struct k_clock clock_monotonic_raw = {
64743                 .clock_getres   = hrtimer_get_res,
64744                 .clock_get      = posix_get_monotonic_raw,
64745         };
64746 -       struct k_clock clock_realtime_coarse = {
64747 +       static struct k_clock clock_realtime_coarse = {
64748                 .clock_getres   = posix_get_coarse_res,
64749                 .clock_get      = posix_get_realtime_coarse,
64750         };
64751 -       struct k_clock clock_monotonic_coarse = {
64752 +       static struct k_clock clock_monotonic_coarse = {
64753                 .clock_getres   = posix_get_coarse_res,
64754                 .clock_get      = posix_get_monotonic_coarse,
64755         };
64756 -       struct k_clock clock_boottime = {
64757 +       static struct k_clock clock_boottime = {
64758                 .clock_getres   = hrtimer_get_res,
64759                 .clock_get      = posix_get_boottime,
64760                 .nsleep         = common_nsleep,
64761 @@ -272,6 +273,8 @@ static __init int init_posix_timers(void
64762                 .timer_del      = common_timer_del,
64763         };
64764  
64765 +       pax_track_stack();
64766 +
64767         posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
64768         posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
64769         posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
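Review bot: `pax_track_stack()` is added to init_posix_timers() in the same series of hunks that moves every large k_clock local into static storage, which leaves the frame with little on the stack; the call looks like a leftover from before the locals became static — confirm whether it is still needed. If it is, a one-line comment saying why this __init function needs stack tracking would keep it from being removed as dead code.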
64770 @@ -473,7 +476,7 @@ void posix_timers_register_clock(const c
64771                 return;
64772         }
64773  
64774 -       posix_clocks[clock_id] = *new_clock;
64775 +       posix_clocks[clock_id] = new_clock;
64776  }
64777  EXPORT_SYMBOL_GPL(posix_timers_register_clock);
64778  
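Review bot: `posix_clocks[clock_id] = new_clock;` now retains the caller's pointer instead of copying the struct, so every registrant must pass storage that outlives the call; neither the `struct k_clock *new_clock` parameter nor the function's documentation (above this hunk) states that lifetime requirement. Since clockid_to_kclock() in the next hunk only reads the table, the array and the parameter could be `const struct k_clock *`, which would also state that the function-pointer table is not meant to be modified after registration — presumably part of the motivation for storing pointers to static objects. A doc line such as `@new_clock: must point to storage with static lifetime; it is referenced, not copied` would close the gap.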
64779 @@ -519,9 +522,9 @@ static struct k_clock *clockid_to_kclock
64780                 return (id & CLOCKFD_MASK) == CLOCKFD ?
64781                         &clock_posix_dynamic : &clock_posix_cpu;
64782  
64783 -       if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
64784 +       if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
64785                 return NULL;
64786 -       return &posix_clocks[id];
64787 +       return posix_clocks[id];
64788  }
64789  
64790  static int common_timer_create(struct k_itimer *new_timer)
64791 @@ -959,6 +962,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
64792         if (copy_from_user(&new_tp, tp, sizeof (*tp)))
64793                 return -EFAULT;
64794  
64795 +       /* only the CLOCK_REALTIME clock can be set, all other clocks
64796 +          have their clock_set fptr set to a nosettime dummy function
64797 +          CLOCK_REALTIME has a NULL clock_set fptr which causes it to
64798 +          call common_clock_set, which calls do_sys_settimeofday, which
64799 +          we hook
64800 +       */
64801 +
64802         return kc->clock_set(which_clock, &new_tp);
64803  }
64804  
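Review bot: The new comment says CLOCK_REALTIME "has a NULL clock_set fptr which causes it to call common_clock_set", but the `clock_realtime` initializer earlier in this same file section sets `.clock_set = posix_clock_realtime_set`, so the comment describes an older layout and will mislead the next reader; it should say that CLOCK_REALTIME's clock_set handler (posix_clock_realtime_set) reaches do_sys_settimeofday, which is where the hook lives, if that is the actual path — confirm against that function. The comment is also separated from the `kc->clock_set()` call it explains by a blank line, and its line breaks leave "we hook" dangling; a compact three-line comment directly above the call reads better.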
64805 diff -urNp linux-3.0.9/kernel/power/poweroff.c linux-3.0.9/kernel/power/poweroff.c
64806 --- linux-3.0.9/kernel/power/poweroff.c 2011-11-11 13:12:24.000000000 -0500
64807 +++ linux-3.0.9/kernel/power/poweroff.c 2011-11-15 20:03:00.000000000 -0500
64808 @@ -37,7 +37,7 @@ static struct sysrq_key_op    sysrq_powerof
64809         .enable_mask    = SYSRQ_ENABLE_BOOT,
64810  };
64811  
64812 -static int pm_sysrq_init(void)
64813 +static int __init pm_sysrq_init(void)
64814  {
64815         register_sysrq_key('o', &sysrq_poweroff_op);
64816         return 0;
64817 diff -urNp linux-3.0.9/kernel/power/process.c linux-3.0.9/kernel/power/process.c
64818 --- linux-3.0.9/kernel/power/process.c  2011-11-11 13:12:24.000000000 -0500
64819 +++ linux-3.0.9/kernel/power/process.c  2011-11-15 20:03:00.000000000 -0500
64820 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
64821         u64 elapsed_csecs64;
64822         unsigned int elapsed_csecs;
64823         bool wakeup = false;
64824 +       bool timedout = false;
64825  
64826         do_gettimeofday(&start);
64827  
64828 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
64829  
64830         while (true) {
64831                 todo = 0;
64832 +               if (time_after(jiffies, end_time))
64833 +                       timedout = true;
64834                 read_lock(&tasklist_lock);
64835                 do_each_thread(g, p) {
64836                         if (frozen(p) || !freezable(p))
64837 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
64838                          * try_to_stop() after schedule() in ptrace/signal
64839                          * stop sees TIF_FREEZE.
64840                          */
64841 -                       if (!task_is_stopped_or_traced(p) &&
64842 -                           !freezer_should_skip(p))
64843 +                       if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
64844                                 todo++;
64845 +                               if (timedout) {
64846 +                                       printk(KERN_ERR "Task refusing to freeze:\n");
64847 +                                       sched_show_task(p);
64848 +                               }
64849 +                       }
64850                 } while_each_thread(g, p);
64851                 read_unlock(&tasklist_lock);
64852  
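Review bot: `timedout` is sampled before the scan and tested after it, so when the deadline passes mid-scan the loop runs one more full iteration than the original `time_after()` test did before breaking; this is what lets the final pass print every task still refusing, but nothing says so and a later reader may "fix" it back. A comment at the sampling site, `/* sample the deadline before the scan so the last pass can report each task that refuses to freeze */`, would record the intent. `sched_show_task()` now runs under `read_lock(&tasklist_lock)` once per refusing task, which lengthens that critical section on the timeout path — acceptable for a one-shot diagnostic, but worth a word in the same comment.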
64853 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
64854                         todo += wq_busy;
64855                 }
64856  
64857 -               if (!todo || time_after(jiffies, end_time))
64858 +               if (!todo || timedout)
64859                         break;
64860  
64861                 if (pm_wakeup_pending()) {
64862 diff -urNp linux-3.0.9/kernel/printk.c linux-3.0.9/kernel/printk.c
64863 --- linux-3.0.9/kernel/printk.c 2011-11-11 13:12:24.000000000 -0500
64864 +++ linux-3.0.9/kernel/printk.c 2011-11-15 20:03:00.000000000 -0500
64865 @@ -313,7 +313,12 @@ static int check_syslog_permissions(int 
64866         if (from_file && type != SYSLOG_ACTION_OPEN)
64867                 return 0;
64868  
64869 +#ifdef CONFIG_GRKERNSEC_DMESG
64870 +       if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
64871 +               return -EPERM;
64872 +#endif
64873 +
64874         if (syslog_action_restricted(type)) {
64875                 if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
64876                         return 0;
64877                 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
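Review bot: The added CONFIG_GRKERNSEC_DMESG check runs before the vserver `vx_capable(CAP_SYSLOG, VXC_SYSLOG)` test that follows it, so with grsec_enable_dmesg set a guest that relies on VXC_SYSLOG but lacks a real CAP_SYSLOG is denied before that path is considered; if that is intended it deserves a comment, otherwise the check belongs after the vx_capable test. The condition also calls `capable(CAP_SYSLOG)` before `capable_nolog(CAP_SYS_ADMIN)`, so, assuming the `_nolog` variants exist to suppress denial logging, every unprivileged read still produces a CAP_SYSLOG denial record from the first call; `capable_nolog(CAP_SYSLOG)` would keep the check quiet if that is the intent. The rest of check_syslog_permissions() is outside the hunk.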
64878 diff -urNp linux-3.0.9/kernel/profile.c linux-3.0.9/kernel/profile.c
64879 --- linux-3.0.9/kernel/profile.c        2011-11-11 13:12:24.000000000 -0500
64880 +++ linux-3.0.9/kernel/profile.c        2011-11-15 20:03:00.000000000 -0500
64881 @@ -39,7 +39,7 @@ struct profile_hit {
64882  /* Oprofile timer tick hook */
64883  static int (*timer_hook)(struct pt_regs *) __read_mostly;
64884  
64885 -static atomic_t *prof_buffer;
64886 +static atomic_unchecked_t *prof_buffer;
64887  static unsigned long prof_len, prof_shift;
64888  
64889  int prof_on __read_mostly;
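Review bot: `prof_buffer` holds profiling hit counters, which are expected to wrap and are not reference counts, which is presumably why they move to `atomic_unchecked_t`; the declaration carries no comment saying so, and a reader may take `_unchecked` for a missed conversion. A comment on the declaration, `/* sampling hit counters, not refcounts: exempt from overflow checking */`, would explain this hunk and the matching `atomic_add_unchecked` and `sizeof(atomic_unchecked_t)` changes in the five hunks below.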
64890 @@ -281,7 +281,7 @@ static void profile_flip_buffers(void)
64891                                         hits[i].pc = 0;
64892                                 continue;
64893                         }
64894 -                       atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64895 +                       atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64896                         hits[i].hits = hits[i].pc = 0;
64897                 }
64898         }
64899 @@ -342,9 +342,9 @@ static void do_profile_hits(int type, vo
64900          * Add the current hit(s) and flush the write-queue out
64901          * to the global buffer:
64902          */
64903 -       atomic_add(nr_hits, &prof_buffer[pc]);
64904 +       atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
64905         for (i = 0; i < NR_PROFILE_HIT; ++i) {
64906 -               atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64907 +               atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64908                 hits[i].pc = hits[i].hits = 0;
64909         }
64910  out:
64911 @@ -419,7 +419,7 @@ static void do_profile_hits(int type, vo
64912  {
64913         unsigned long pc;
64914         pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
64915 -       atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64916 +       atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64917  }
64918  #endif /* !CONFIG_SMP */
64919  
64920 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
64921                         return -EFAULT;
64922                 buf++; p++; count--; read++;
64923         }
64924 -       pnt = (char *)prof_buffer + p - sizeof(atomic_t);
64925 +       pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
64926         if (copy_to_user(buf, (void *)pnt, count))
64927                 return -EFAULT;
64928         read += count;
64929 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
64930         }
64931  #endif
64932         profile_discard_flip_buffers();
64933 -       memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
64934 +       memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
64935         return count;
64936  }
64937  
64938 diff -urNp linux-3.0.9/kernel/ptrace.c linux-3.0.9/kernel/ptrace.c
64939 --- linux-3.0.9/kernel/ptrace.c 2011-11-11 13:12:24.000000000 -0500
64940 +++ linux-3.0.9/kernel/ptrace.c 2011-11-15 20:03:00.000000000 -0500
64941 @@ -132,7 +132,8 @@ int ptrace_check_attach(struct task_stru
64942         return ret;
64943  }
64944  
64945 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
64946 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
64947 +                              unsigned int log)
64948  {
64949         const struct cred *cred = current_cred(), *tcred;
64950  
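Review bot: `__ptrace_may_access()` becomes `static` and gains a `log` parameter; if the function is declared in a shared header or referenced from another translation unit, the static qualifier breaks that link, and the header change is not in this hunk — confirm. The flag is only ever passed as 0 or 1 in the later hunks, so `bool log` states its meaning better than `unsigned int log`, and a doc line on the function, `@log: emit the capability-denial log entry when the check fails`, would tell callers which variant to pick. The function body continues outside the hunk.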
64951 @@ -158,7 +159,8 @@ int __ptrace_may_access(struct task_stru
64952              cred->gid == tcred->sgid &&
64953              cred->gid == tcred->gid))
64954                 goto ok;
64955 -       if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
64956 +       if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
64957 +           (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
64958                 goto ok;
64959         rcu_read_unlock();
64960         return -EPERM;
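Review bot: `(!log && ns_capable_nolog(...)) || (log && ns_capable(...))` evaluates the flag twice to select one of two helpers that differ only in logging; `if (log ? ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE) : ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE))` says the same in one read. The dumpable check in the next hunk has the same shape with `task_ns_capable`/`task_ns_capable_nolog` and would benefit from the same form. The enclosing function starts and ends outside these hunks.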
64961 @@ -167,7 +169,9 @@ ok:
64962         smp_rmb();
64963         if (task->mm)
64964                 dumpable = get_dumpable(task->mm);
64965 -       if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
64966 +       if (!dumpable &&
64967 +               ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
64968 +                (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
64969                 return -EPERM;
64970  
64971         return security_ptrace_access_check(task, mode);
64972 @@ -177,7 +181,16 @@ bool ptrace_may_access(struct task_struc
64973  {
64974         int err;
64975         task_lock(task);
64976 -       err = __ptrace_may_access(task, mode);
64977 +       err = __ptrace_may_access(task, mode, 0);
64978 +       task_unlock(task);
64979 +       return !err;
64980 +}
64981 +
64982 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
64983 +{
64984 +       int err;
64985 +       task_lock(task);
64986 +       err = __ptrace_may_access(task, mode, 1);
64987         task_unlock(task);
64988         return !err;
64989  }
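Review bot: `ptrace_may_access_log()` repeats `ptrace_may_access()` line for line except for the final argument; a static helper that takes the flag, with both public functions calling it, keeps the `task_lock`/`task_unlock` pairing in one place. The new function also needs a prototype visible to its callers, which is outside this hunk, and a `/** ... */` comment saying it differs only in logging the capability denial would tell readers why two entry points exist.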
64990 @@ -205,7 +218,7 @@ static int ptrace_attach(struct task_str
64991                 goto out;
64992  
64993         task_lock(task);
64994 -       retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
64995 +       retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
64996         task_unlock(task);
64997         if (retval)
64998                 goto unlock_creds;
64999 @@ -218,7 +231,7 @@ static int ptrace_attach(struct task_str
65000                 goto unlock_tasklist;
65001  
65002         task->ptrace = PT_PTRACED;
65003 -       if (task_ns_capable(task, CAP_SYS_PTRACE))
65004 +       if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
65005                 task->ptrace |= PT_PTRACE_CAP;
65006  
65007         __ptrace_link(task, current);
65008 @@ -406,6 +419,8 @@ int ptrace_readdata(struct task_struct *
65009  {
65010         int copied = 0;
65011  
65012 +       pax_track_stack();
65013 +
65014         while (len > 0) {
65015                 char buf[128];
65016                 int this_len, retval;
65017 @@ -417,7 +432,7 @@ int ptrace_readdata(struct task_struct *
65018                                 break;
65019                         return -EIO;
65020                 }
65021 -               if (copy_to_user(dst, buf, retval))
65022 +               if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
65023                         return -EFAULT;
65024                 copied += retval;
65025                 src += retval;
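Review bot: `retval > sizeof(buf)` compares the signed `int retval` with a `size_t`, which `-Wsign-compare` flags and which silently promotes `retval`; writing it as `(size_t)retval > sizeof(buf)` keeps the same effect (a negative value still fails the test) and makes the promotion explicit. Since `this_len` is presumably clamped to `sizeof(buf)` just above the hunk, this is a defensive re-check of what access_process_vm() reports, and should say so: `/* defensive: never copy more than the stack buffer holds */`. The same loop in ptrace_writedata() below has no equivalent guard on the write side, if symmetry is wanted.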
65026 @@ -431,6 +446,8 @@ int ptrace_writedata(struct task_struct 
65027  {
65028         int copied = 0;
65029  
65030 +       pax_track_stack();
65031 +
65032         while (len > 0) {
65033                 char buf[128];
65034                 int this_len, retval;
65035 @@ -613,9 +630,11 @@ int ptrace_request(struct task_struct *c
65036  {
65037         int ret = -EIO;
65038         siginfo_t siginfo;
65039 -       void __user *datavp = (void __user *) data;
65040 +       void __user *datavp = (__force void __user *) data;
65041         unsigned long __user *datalp = datavp;
65042  
65043 +       pax_track_stack();
65044 +
65045         switch (request) {
65046         case PTRACE_PEEKTEXT:
65047         case PTRACE_PEEKDATA:
65048 @@ -761,14 +780,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
65049                 goto out;
65050         }
65051  
65052 +       if (gr_handle_ptrace(child, request)) {
65053 +               ret = -EPERM;
65054 +               goto out_put_task_struct;
65055 +       }
65056 +
65057         if (request == PTRACE_ATTACH) {
65058                 ret = ptrace_attach(child);
65059                 /*
65060                  * Some architectures need to do book-keeping after
65061                  * a ptrace attach.
65062                  */
65063 -               if (!ret)
65064 +               if (!ret) {
65065                         arch_ptrace_attach(child);
65066 +                       gr_audit_ptrace(child);
65067 +               }
65068                 goto out_put_task_struct;
65069         }
65070  
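Review bot: The new gr_handle_ptrace() gate runs only after the child lookup, so a PTRACE_TRACEME request, which in this kernel presumably takes an earlier exit before the pid lookup, is never passed through the hook; if that is intended (TRACEME is the tracee's own consent, no target to protect), a comment next to the check such as `/* PTRACE_TRACEME returns above and is deliberately not subject to gr_handle_ptrace() */` would keep someone from "fixing" it later. The hook is also placed ahead of ptrace_attach()'s own checks, so a policy denial and a capability denial are indistinguishable to the caller, both -EPERM; fine for hardening, but worth a word in the same comment. sys_ptrace continues past the hunk.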
65071 @@ -793,7 +819,7 @@ int generic_ptrace_peekdata(struct task_
65072         copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
65073         if (copied != sizeof(tmp))
65074                 return -EIO;
65075 -       return put_user(tmp, (unsigned long __user *)data);
65076 +       return put_user(tmp, (__force unsigned long __user *)data);
65077  }
65078  
65079  int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
65080 @@ -816,6 +842,8 @@ int compat_ptrace_request(struct task_st
65081         siginfo_t siginfo;
65082         int ret;
65083  
65084 +       pax_track_stack();
65085 +
65086         switch (request) {
65087         case PTRACE_PEEKTEXT:
65088         case PTRACE_PEEKDATA:
65089 @@ -903,14 +931,21 @@ asmlinkage long compat_sys_ptrace(compat
65090                 goto out;
65091         }
65092  
65093 +       if (gr_handle_ptrace(child, request)) {
65094 +               ret = -EPERM;
65095 +               goto out_put_task_struct;
65096 +       }
65097 +
65098         if (request == PTRACE_ATTACH) {
65099                 ret = ptrace_attach(child);
65100                 /*
65101                  * Some architectures need to do book-keeping after
65102                  * a ptrace attach.
65103                  */
65104 -               if (!ret)
65105 +               if (!ret) {
65106                         arch_ptrace_attach(child);
65107 +                       gr_audit_ptrace(child);
65108 +               }
65109                 goto out_put_task_struct;
65110         }
65111  
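Review bot: The gate and the audit call added here are a verbatim copy of the ones in the native sys_ptrace hunk above, and both copies now have to be kept in step with ptrace_attach()/arch_ptrace_attach(); a small helper called from both entry points would remove the duplication and guarantee that the audit record is emitted wherever an attach succeeds, leaving each syscall with `ret = ptrace_attach_audited(child); goto out_put_task_struct;`. compat_sys_ptrace continues past the hunk.
```c
/* Attach and, on success, run the arch hook and the grsecurity audit. */
static int ptrace_attach_audited(struct task_struct *child)
{
	int ret = ptrace_attach(child);

	if (!ret) {
		arch_ptrace_attach(child);
		gr_audit_ptrace(child);
	}
	return ret;
}
```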
65112 diff -urNp linux-3.0.9/kernel/rcutorture.c linux-3.0.9/kernel/rcutorture.c
65113 --- linux-3.0.9/kernel/rcutorture.c     2011-11-11 13:12:24.000000000 -0500
65114 +++ linux-3.0.9/kernel/rcutorture.c     2011-11-15 20:03:00.000000000 -0500
65115 @@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
65116         { 0 };
65117  static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
65118         { 0 };
65119 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65120 -static atomic_t n_rcu_torture_alloc;
65121 -static atomic_t n_rcu_torture_alloc_fail;
65122 -static atomic_t n_rcu_torture_free;
65123 -static atomic_t n_rcu_torture_mberror;
65124 -static atomic_t n_rcu_torture_error;
65125 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65126 +static atomic_unchecked_t n_rcu_torture_alloc;
65127 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
65128 +static atomic_unchecked_t n_rcu_torture_free;
65129 +static atomic_unchecked_t n_rcu_torture_mberror;
65130 +static atomic_unchecked_t n_rcu_torture_error;
65131  static long n_rcu_torture_boost_ktrerror;
65132  static long n_rcu_torture_boost_rterror;
65133  static long n_rcu_torture_boost_failure;
65134 @@ -223,11 +223,11 @@ rcu_torture_alloc(void)
65135  
65136         spin_lock_bh(&rcu_torture_lock);
65137         if (list_empty(&rcu_torture_freelist)) {
65138 -               atomic_inc(&n_rcu_torture_alloc_fail);
65139 +               atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
65140                 spin_unlock_bh(&rcu_torture_lock);
65141                 return NULL;
65142         }
65143 -       atomic_inc(&n_rcu_torture_alloc);
65144 +       atomic_inc_unchecked(&n_rcu_torture_alloc);
65145         p = rcu_torture_freelist.next;
65146         list_del_init(p);
65147         spin_unlock_bh(&rcu_torture_lock);
65148 @@ -240,7 +240,7 @@ rcu_torture_alloc(void)
65149  static void
65150  rcu_torture_free(struct rcu_torture *p)
65151  {
65152 -       atomic_inc(&n_rcu_torture_free);
65153 +       atomic_inc_unchecked(&n_rcu_torture_free);
65154         spin_lock_bh(&rcu_torture_lock);
65155         list_add_tail(&p->rtort_free, &rcu_torture_freelist);
65156         spin_unlock_bh(&rcu_torture_lock);
65157 @@ -360,7 +360,7 @@ rcu_torture_cb(struct rcu_head *p)
65158         i = rp->rtort_pipe_count;
65159         if (i > RCU_TORTURE_PIPE_LEN)
65160                 i = RCU_TORTURE_PIPE_LEN;
65161 -       atomic_inc(&rcu_torture_wcount[i]);
65162 +       atomic_inc_unchecked(&rcu_torture_wcount[i]);
65163         if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65164                 rp->rtort_mbtest = 0;
65165                 rcu_torture_free(rp);
65166 @@ -407,7 +407,7 @@ static void rcu_sync_torture_deferred_fr
65167                 i = rp->rtort_pipe_count;
65168                 if (i > RCU_TORTURE_PIPE_LEN)
65169                         i = RCU_TORTURE_PIPE_LEN;
65170 -               atomic_inc(&rcu_torture_wcount[i]);
65171 +               atomic_inc_unchecked(&rcu_torture_wcount[i]);
65172                 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65173                         rp->rtort_mbtest = 0;
65174                         list_del(&rp->rtort_free);
65175 @@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
65176                         i = old_rp->rtort_pipe_count;
65177                         if (i > RCU_TORTURE_PIPE_LEN)
65178                                 i = RCU_TORTURE_PIPE_LEN;
65179 -                       atomic_inc(&rcu_torture_wcount[i]);
65180 +                       atomic_inc_unchecked(&rcu_torture_wcount[i]);
65181                         old_rp->rtort_pipe_count++;
65182                         cur_ops->deferred_free(old_rp);
65183                 }
65184 @@ -951,7 +951,7 @@ static void rcu_torture_timer(unsigned l
65185                 return;
65186         }
65187         if (p->rtort_mbtest == 0)
65188 -               atomic_inc(&n_rcu_torture_mberror);
65189 +               atomic_inc_unchecked(&n_rcu_torture_mberror);
65190         spin_lock(&rand_lock);
65191         cur_ops->read_delay(&rand);
65192         n_rcu_torture_timers++;
65193 @@ -1013,7 +1013,7 @@ rcu_torture_reader(void *arg)
65194                         continue;
65195                 }
65196                 if (p->rtort_mbtest == 0)
65197 -                       atomic_inc(&n_rcu_torture_mberror);
65198 +                       atomic_inc_unchecked(&n_rcu_torture_mberror);
65199                 cur_ops->read_delay(&rand);
65200                 preempt_disable();
65201                 pipe_count = p->rtort_pipe_count;
65202 @@ -1072,16 +1072,16 @@ rcu_torture_printk(char *page)
65203                        rcu_torture_current,
65204                        rcu_torture_current_version,
65205                        list_empty(&rcu_torture_freelist),
65206 -                      atomic_read(&n_rcu_torture_alloc),
65207 -                      atomic_read(&n_rcu_torture_alloc_fail),
65208 -                      atomic_read(&n_rcu_torture_free),
65209 -                      atomic_read(&n_rcu_torture_mberror),
65210 +                      atomic_read_unchecked(&n_rcu_torture_alloc),
65211 +                      atomic_read_unchecked(&n_rcu_torture_alloc_fail),
65212 +                      atomic_read_unchecked(&n_rcu_torture_free),
65213 +                      atomic_read_unchecked(&n_rcu_torture_mberror),
65214                        n_rcu_torture_boost_ktrerror,
65215                        n_rcu_torture_boost_rterror,
65216                        n_rcu_torture_boost_failure,
65217                        n_rcu_torture_boosts,
65218                        n_rcu_torture_timers);
65219 -       if (atomic_read(&n_rcu_torture_mberror) != 0 ||
65220 +       if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
65221             n_rcu_torture_boost_ktrerror != 0 ||
65222             n_rcu_torture_boost_rterror != 0 ||
65223             n_rcu_torture_boost_failure != 0)
65224 @@ -1089,7 +1089,7 @@ rcu_torture_printk(char *page)
65225         cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
65226         if (i > 1) {
65227                 cnt += sprintf(&page[cnt], "!!! ");
65228 -               atomic_inc(&n_rcu_torture_error);
65229 +               atomic_inc_unchecked(&n_rcu_torture_error);
65230                 WARN_ON_ONCE(1);
65231         }
65232         cnt += sprintf(&page[cnt], "Reader Pipe: ");
65233 @@ -1103,7 +1103,7 @@ rcu_torture_printk(char *page)
65234         cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
65235         for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65236                 cnt += sprintf(&page[cnt], " %d",
65237 -                              atomic_read(&rcu_torture_wcount[i]));
65238 +                              atomic_read_unchecked(&rcu_torture_wcount[i]));
65239         }
65240         cnt += sprintf(&page[cnt], "\n");
65241         if (cur_ops->stats)
65242 @@ -1412,7 +1412,7 @@ rcu_torture_cleanup(void)
65243  
65244         if (cur_ops->cleanup)
65245                 cur_ops->cleanup();
65246 -       if (atomic_read(&n_rcu_torture_error))
65247 +       if (atomic_read_unchecked(&n_rcu_torture_error))
65248                 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
65249         else
65250                 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
65251 @@ -1476,17 +1476,17 @@ rcu_torture_init(void)
65252  
65253         rcu_torture_current = NULL;
65254         rcu_torture_current_version = 0;
65255 -       atomic_set(&n_rcu_torture_alloc, 0);
65256 -       atomic_set(&n_rcu_torture_alloc_fail, 0);
65257 -       atomic_set(&n_rcu_torture_free, 0);
65258 -       atomic_set(&n_rcu_torture_mberror, 0);
65259 -       atomic_set(&n_rcu_torture_error, 0);
65260 +       atomic_set_unchecked(&n_rcu_torture_alloc, 0);
65261 +       atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
65262 +       atomic_set_unchecked(&n_rcu_torture_free, 0);
65263 +       atomic_set_unchecked(&n_rcu_torture_mberror, 0);
65264 +       atomic_set_unchecked(&n_rcu_torture_error, 0);
65265         n_rcu_torture_boost_ktrerror = 0;
65266         n_rcu_torture_boost_rterror = 0;
65267         n_rcu_torture_boost_failure = 0;
65268         n_rcu_torture_boosts = 0;
65269         for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
65270 -               atomic_set(&rcu_torture_wcount[i], 0);
65271 +               atomic_set_unchecked(&rcu_torture_wcount[i], 0);
65272         for_each_possible_cpu(cpu) {
65273                 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65274                         per_cpu(rcu_torture_count, cpu)[i] = 0;
65275 diff -urNp linux-3.0.9/kernel/rcutree.c linux-3.0.9/kernel/rcutree.c
65276 --- linux-3.0.9/kernel/rcutree.c        2011-11-11 13:12:24.000000000 -0500
65277 +++ linux-3.0.9/kernel/rcutree.c        2011-11-15 20:03:00.000000000 -0500
65278 @@ -356,9 +356,9 @@ void rcu_enter_nohz(void)
65279         }
65280         /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65281         smp_mb__before_atomic_inc();  /* See above. */
65282 -       atomic_inc(&rdtp->dynticks);
65283 +       atomic_inc_unchecked(&rdtp->dynticks);
65284         smp_mb__after_atomic_inc();  /* Force ordering with next sojourn. */
65285 -       WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65286 +       WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65287         local_irq_restore(flags);
65288  
65289         /* If the interrupt queued a callback, get out of dyntick mode. */
65290 @@ -387,10 +387,10 @@ void rcu_exit_nohz(void)
65291                 return;
65292         }
65293         smp_mb__before_atomic_inc();  /* Force ordering w/previous sojourn. */
65294 -       atomic_inc(&rdtp->dynticks);
65295 +       atomic_inc_unchecked(&rdtp->dynticks);
65296         /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65297         smp_mb__after_atomic_inc();  /* See above. */
65298 -       WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65299 +       WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65300         local_irq_restore(flags);
65301  }
65302  
65303 @@ -406,14 +406,14 @@ void rcu_nmi_enter(void)
65304         struct rcu_dynticks *rdtp = &__get_cpu_var(rcu_dynticks);
65305  
65306         if (rdtp->dynticks_nmi_nesting == 0 &&
65307 -           (atomic_read(&rdtp->dynticks) & 0x1))
65308 +           (atomic_read_unchecked(&rdtp->dynticks) & 0x1))
65309                 return;
65310         rdtp->dynticks_nmi_nesting++;
65311         smp_mb__before_atomic_inc();  /* Force delay from prior write. */
65312 -       atomic_inc(&rdtp->dynticks);
65313 +       atomic_inc_unchecked(&rdtp->dynticks);
65314         /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65315         smp_mb__after_atomic_inc();  /* See above. */
65316 -       WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65317 +       WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65318  }
65319  
65320  /**
65321 @@ -432,9 +432,9 @@ void rcu_nmi_exit(void)
65322                 return;
65323         /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65324         smp_mb__before_atomic_inc();  /* See above. */
65325 -       atomic_inc(&rdtp->dynticks);
65326 +       atomic_inc_unchecked(&rdtp->dynticks);
65327         smp_mb__after_atomic_inc();  /* Force delay to next write. */
65328 -       WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65329 +       WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65330  }
65331  
65332  /**
65333 @@ -469,7 +469,7 @@ void rcu_irq_exit(void)
65334   */
65335  static int dyntick_save_progress_counter(struct rcu_data *rdp)
65336  {
65337 -       rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
65338 +       rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65339         return 0;
65340  }
65341  
65342 @@ -484,7 +484,7 @@ static int rcu_implicit_dynticks_qs(stru
65343         unsigned long curr;
65344         unsigned long snap;
65345  
65346 -       curr = (unsigned long)atomic_add_return(0, &rdp->dynticks->dynticks);
65347 +       curr = (unsigned long)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65348         snap = (unsigned long)rdp->dynticks_snap;
65349  
65350         /*
65351 @@ -1470,7 +1470,7 @@ __rcu_process_callbacks(struct rcu_state
65352  /*
65353   * Do softirq processing for the current CPU.
65354   */
65355 -static void rcu_process_callbacks(struct softirq_action *unused)
65356 +static void rcu_process_callbacks(void)
65357  {
65358         __rcu_process_callbacks(&rcu_sched_state,
65359                                 &__get_cpu_var(rcu_sched_data));
65360 diff -urNp linux-3.0.9/kernel/rcutree.h linux-3.0.9/kernel/rcutree.h
65361 --- linux-3.0.9/kernel/rcutree.h        2011-11-11 13:12:24.000000000 -0500
65362 +++ linux-3.0.9/kernel/rcutree.h        2011-11-15 20:03:00.000000000 -0500
65363 @@ -86,7 +86,7 @@
65364  struct rcu_dynticks {
65365         int dynticks_nesting;   /* Track irq/process nesting level. */
65366         int dynticks_nmi_nesting; /* Track NMI nesting level. */
65367 -       atomic_t dynticks;      /* Even value for dynticks-idle, else odd. */
65368 +       atomic_unchecked_t dynticks;    /* Even value for dynticks-idle, else odd. */
65369  };
65370  
65371  /* RCU's kthread states for tracing. */
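Review bot: The dynticks field loses overflow checking without any comment saying why, and the existing trailing comment only describes parity. Since the counter is bumped on every idle/NMI transition and only its low bit and relative ordering are ever examined (see the WARN_ON_ONCE parity checks in the rcutree.c hunks), wrap-around is expected and harmless; extending the comment to `/* Even value for dynticks-idle, else odd. Wraps by design, hence unchecked. */` records that so the type is not "fixed" back to atomic_t by a later cleanup.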
65372 diff -urNp linux-3.0.9/kernel/rcutree_plugin.h linux-3.0.9/kernel/rcutree_plugin.h
65373 --- linux-3.0.9/kernel/rcutree_plugin.h 2011-11-11 13:12:24.000000000 -0500
65374 +++ linux-3.0.9/kernel/rcutree_plugin.h 2011-11-15 20:03:00.000000000 -0500
65375 @@ -822,7 +822,7 @@ void synchronize_rcu_expedited(void)
65376  
65377         /* Clean up and exit. */
65378         smp_mb(); /* ensure expedited GP seen before counter increment. */
65379 -       ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
65380 +       ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
65381  unlock_mb_ret:
65382         mutex_unlock(&sync_rcu_preempt_exp_mutex);
65383  mb_ret:
65384 @@ -1774,8 +1774,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
65385  
65386  #else /* #ifndef CONFIG_SMP */
65387  
65388 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
65389 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
65390 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
65391 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
65392  
65393  static int synchronize_sched_expedited_cpu_stop(void *data)
65394  {
65395 @@ -1830,7 +1830,7 @@ void synchronize_sched_expedited(void)
65396         int firstsnap, s, snap, trycount = 0;
65397  
65398         /* Note that atomic_inc_return() implies full memory barrier. */
65399 -       firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
65400 +       firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
65401         get_online_cpus();
65402  
65403         /*
65404 @@ -1851,7 +1851,7 @@ void synchronize_sched_expedited(void)
65405                 }
65406  
65407                 /* Check to see if someone else did our work for us. */
65408 -               s = atomic_read(&sync_sched_expedited_done);
65409 +               s = atomic_read_unchecked(&sync_sched_expedited_done);
65410                 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
65411                         smp_mb(); /* ensure test happens before caller kfree */
65412                         return;
65413 @@ -1866,7 +1866,7 @@ void synchronize_sched_expedited(void)
65414                  * grace period works for us.
65415                  */
65416                 get_online_cpus();
65417 -               snap = atomic_read(&sync_sched_expedited_started) - 1;
65418 +               snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
65419                 smp_mb(); /* ensure read is before try_stop_cpus(). */
65420         }
65421  
65422 @@ -1877,12 +1877,12 @@ void synchronize_sched_expedited(void)
65423          * than we did beat us to the punch.
65424          */
65425         do {
65426 -               s = atomic_read(&sync_sched_expedited_done);
65427 +               s = atomic_read_unchecked(&sync_sched_expedited_done);
65428                 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
65429                         smp_mb(); /* ensure test happens before caller kfree */
65430                         break;
65431                 }
65432 -       } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
65433 +       } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
65434  
65435         put_online_cpus();
65436  }
65437 diff -urNp linux-3.0.9/kernel/relay.c linux-3.0.9/kernel/relay.c
65438 --- linux-3.0.9/kernel/relay.c  2011-11-11 13:12:24.000000000 -0500
65439 +++ linux-3.0.9/kernel/relay.c  2011-11-15 20:03:00.000000000 -0500
65440 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
65441         };
65442         ssize_t ret;
65443  
65444 +       pax_track_stack();
65445 +
65446         if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
65447                 return 0;
65448         if (splice_grow_spd(pipe, &spd))
65449 diff -urNp linux-3.0.9/kernel/resource.c linux-3.0.9/kernel/resource.c
65450 --- linux-3.0.9/kernel/resource.c       2011-11-11 13:12:24.000000000 -0500
65451 +++ linux-3.0.9/kernel/resource.c       2011-11-15 20:03:00.000000000 -0500
65452 @@ -141,8 +141,18 @@ static const struct file_operations proc
65453  
65454  static int __init ioresources_init(void)
65455  {
65456 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
65457 +#ifdef CONFIG_GRKERNSEC_PROC_USER
65458 +       proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
65459 +       proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
65460 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
65461 +       proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
65462 +       proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
65463 +#endif
65464 +#else
65465         proc_create("ioports", 0, NULL, &proc_ioports_operations);
65466         proc_create("iomem", 0, NULL, &proc_iomem_operations);
65467 +#endif
65468         return 0;
65469  }
65470  __initcall(ioresources_init);
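Review bot: With CONFIG_GRKERNSEC_PROC_ADD enabled but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP set, the inner #ifdef/#elif chain has no fallback and ioresources_init() creates neither /proc/ioports nor /proc/iomem. Kconfig presumably makes PROC_ADD a hidden option selected only by those two, but the code should not depend on that; choosing the mode in one place and calling proc_create once keeps all configurations on a single path and makes the fallback explicit.
```c
static int __init ioresources_init(void)
{
	mode_t mode = 0;	/* 0 keeps the pre-grsec default */

#if defined(CONFIG_GRKERNSEC_PROC_ADD) && defined(CONFIG_GRKERNSEC_PROC_USER)
	mode = S_IRUSR;
#elif defined(CONFIG_GRKERNSEC_PROC_ADD) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	mode = S_IRUSR | S_IRGRP;
#endif
	proc_create("ioports", mode, NULL, &proc_ioports_operations);
	proc_create("iomem", mode, NULL, &proc_iomem_operations);
	return 0;
}
```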
65471 diff -urNp linux-3.0.9/kernel/rtmutex-tester.c linux-3.0.9/kernel/rtmutex-tester.c
65472 --- linux-3.0.9/kernel/rtmutex-tester.c 2011-11-11 13:12:24.000000000 -0500
65473 +++ linux-3.0.9/kernel/rtmutex-tester.c 2011-11-15 20:03:00.000000000 -0500
65474 @@ -20,7 +20,7 @@
65475  #define MAX_RT_TEST_MUTEXES    8
65476  
65477  static spinlock_t rttest_lock;
65478 -static atomic_t rttest_event;
65479 +static atomic_unchecked_t rttest_event;
65480  
65481  struct test_thread_data {
65482         int                     opcode;
65483 @@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
65484  
65485         case RTTEST_LOCKCONT:
65486                 td->mutexes[td->opdata] = 1;
65487 -               td->event = atomic_add_return(1, &rttest_event);
65488 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65489                 return 0;
65490  
65491         case RTTEST_RESET:
65492 @@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
65493                 return 0;
65494  
65495         case RTTEST_RESETEVENT:
65496 -               atomic_set(&rttest_event, 0);
65497 +               atomic_set_unchecked(&rttest_event, 0);
65498                 return 0;
65499  
65500         default:
65501 @@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
65502                         return ret;
65503  
65504                 td->mutexes[id] = 1;
65505 -               td->event = atomic_add_return(1, &rttest_event);
65506 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65507                 rt_mutex_lock(&mutexes[id]);
65508 -               td->event = atomic_add_return(1, &rttest_event);
65509 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65510                 td->mutexes[id] = 4;
65511                 return 0;
65512  
65513 @@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
65514                         return ret;
65515  
65516                 td->mutexes[id] = 1;
65517 -               td->event = atomic_add_return(1, &rttest_event);
65518 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65519                 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
65520 -               td->event = atomic_add_return(1, &rttest_event);
65521 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65522                 td->mutexes[id] = ret ? 0 : 4;
65523                 return ret ? -EINTR : 0;
65524  
65525 @@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
65526                 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
65527                         return ret;
65528  
65529 -               td->event = atomic_add_return(1, &rttest_event);
65530 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65531                 rt_mutex_unlock(&mutexes[id]);
65532 -               td->event = atomic_add_return(1, &rttest_event);
65533 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65534                 td->mutexes[id] = 0;
65535                 return 0;
65536  
65537 @@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
65538                         break;
65539  
65540                 td->mutexes[dat] = 2;
65541 -               td->event = atomic_add_return(1, &rttest_event);
65542 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65543                 break;
65544  
65545         default:
65546 @@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
65547                         return;
65548  
65549                 td->mutexes[dat] = 3;
65550 -               td->event = atomic_add_return(1, &rttest_event);
65551 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65552                 break;
65553  
65554         case RTTEST_LOCKNOWAIT:
65555 @@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
65556                         return;
65557  
65558                 td->mutexes[dat] = 1;
65559 -               td->event = atomic_add_return(1, &rttest_event);
65560 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65561                 return;
65562  
65563         default:
65564 diff -urNp linux-3.0.9/kernel/sched_autogroup.c linux-3.0.9/kernel/sched_autogroup.c
65565 --- linux-3.0.9/kernel/sched_autogroup.c        2011-11-11 13:12:24.000000000 -0500
65566 +++ linux-3.0.9/kernel/sched_autogroup.c        2011-11-15 20:03:00.000000000 -0500
65567 @@ -7,7 +7,7 @@
65568  
65569  unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
65570  static struct autogroup autogroup_default;
65571 -static atomic_t autogroup_seq_nr;
65572 +static atomic_unchecked_t autogroup_seq_nr;
65573  
65574  static void __init autogroup_init(struct task_struct *init_task)
65575  {
65576 @@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
65577  
65578         kref_init(&ag->kref);
65579         init_rwsem(&ag->lock);
65580 -       ag->id = atomic_inc_return(&autogroup_seq_nr);
65581 +       ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
65582         ag->tg = tg;
65583  #ifdef CONFIG_RT_GROUP_SCHED
65584         /*
65585 diff -urNp linux-3.0.9/kernel/sched.c linux-3.0.9/kernel/sched.c
65586 --- linux-3.0.9/kernel/sched.c  2011-11-11 13:12:24.000000000 -0500
65587 +++ linux-3.0.9/kernel/sched.c  2011-11-15 20:03:00.000000000 -0500
65588 @@ -4227,6 +4227,8 @@ static void __sched __schedule(void)
65589         struct rq *rq;
65590         int cpu;
65591  
65592 +       pax_track_stack();
65593 +
65594  need_resched:
65595         preempt_disable();
65596         cpu = smp_processor_id();
65597 @@ -4920,6 +4922,8 @@ int can_nice(const struct task_struct *p
65598         /* convert nice value [19,-20] to rlimit style value [1,40] */
65599         int nice_rlim = 20 - nice;
65600  
65601 +       gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
65602 +
65603         return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
65604                 capable(CAP_SYS_NICE));
65605  }
65606 @@ -4953,7 +4957,8 @@ SYSCALL_DEFINE1(nice, int, increment)
65607         if (nice > 19)
65608                 nice = 19;
65609  
65610 -       if (increment < 0 && !can_nice(current, nice))
65611 +       if (increment < 0 && (!can_nice(current, nice) ||
65612 +                             gr_handle_chroot_nice()))
65613                 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
65614  
65615         retval = security_task_setnice(current, nice);
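Review bot: A gr_handle_chroot_nice() denial is folded into the same return as a failed can_nice(), so when the vserver flag VXF_IGNEG_NICE is set the chroot restriction silently returns 0 instead of -EPERM; unless ignoring negative nice inside a vserver guest was also meant to override the chroot policy, test the policy on its own first, `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`, and leave the original `if (increment < 0 && !can_nice(current, nice))` line and its vx_flags() return untouched. Ordering it that way also avoids evaluating the chroot hook only after the rlimit/capability check has already passed. sys_nice starts and ends outside the hunk.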
65616 @@ -5097,6 +5102,7 @@ recheck:
65617                         unsigned long rlim_rtprio =
65618                                         task_rlimit(p, RLIMIT_RTPRIO);
65619  
65620 +                        gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
65621                         /* can't set/change the rt policy */
65622                         if (policy != p->policy && !rlim_rtprio)
65623                                 return -EPERM;
65624 diff -urNp linux-3.0.9/kernel/sched_fair.c linux-3.0.9/kernel/sched_fair.c
65625 --- linux-3.0.9/kernel/sched_fair.c     2011-11-11 13:12:24.000000000 -0500
65626 +++ linux-3.0.9/kernel/sched_fair.c     2011-11-15 20:03:00.000000000 -0500
65627 @@ -4050,7 +4050,7 @@ static void nohz_idle_balance(int this_c
65628   * run_rebalance_domains is triggered when needed from the scheduler tick.
65629   * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
65630   */
65631 -static void run_rebalance_domains(struct softirq_action *h)
65632 +static void run_rebalance_domains(void)
65633  {
65634         int this_cpu = smp_processor_id();
65635         struct rq *this_rq = cpu_rq(this_cpu);
65636 diff -urNp linux-3.0.9/kernel/signal.c linux-3.0.9/kernel/signal.c
65637 --- linux-3.0.9/kernel/signal.c 2011-11-11 13:12:24.000000000 -0500
65638 +++ linux-3.0.9/kernel/signal.c 2011-11-15 20:03:00.000000000 -0500
65639 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
65640  
65641  int print_fatal_signals __read_mostly;
65642  
65643 -static void __user *sig_handler(struct task_struct *t, int sig)
65644 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
65645  {
65646         return t->sighand->action[sig - 1].sa.sa_handler;
65647  }
65648  
65649 -static int sig_handler_ignored(void __user *handler, int sig)
65650 +static int sig_handler_ignored(__sighandler_t handler, int sig)
65651  {
65652         /* Is it explicitly or implicitly ignored? */
65653         return handler == SIG_IGN ||
65654 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
65655  static int sig_task_ignored(struct task_struct *t, int sig,
65656                 int from_ancestor_ns)
65657  {
65658 -       void __user *handler;
65659 +       __sighandler_t handler;
65660  
65661         handler = sig_handler(t, sig);
65662  
65663 @@ -320,6 +320,9 @@ __sigqueue_alloc(int sig, struct task_st
65664         atomic_inc(&user->sigpending);
65665         rcu_read_unlock();
65666  
65667 +       if (!override_rlimit)
65668 +               gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
65669 +
65670         if (override_rlimit ||
65671             atomic_read(&user->sigpending) <=
65672                         task_rlimit(t, RLIMIT_SIGPENDING)) {
65673 @@ -444,7 +447,7 @@ flush_signal_handlers(struct task_struct
65674  
65675  int unhandled_signal(struct task_struct *tsk, int sig)
65676  {
65677 -       void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
65678 +       __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
65679         if (is_global_init(tsk))
65680                 return 1;
65681         if (handler != SIG_IGN && handler != SIG_DFL)
65682 @@ -797,6 +800,14 @@
65683                         sig, info, t, vx_task_xid(t), t->pid, current->xid);
65684                 return error;
65685         }
65686 +
65687 +       /* allow glibc communication via tgkill to other threads in our
65688 +          thread group */
65689 +       if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
65690 +            sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
65691 +           && gr_handle_signal(t, sig))
65692 +               return -EPERM;
65693 +
65694  /* skip: */
65695         return security_task_kill(t, info, sig, 0);
65696  }
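Review bot: The new condition dereferences `info->si_code` and `info->si_pid` after excluding only SEND_SIG_NOINFO, but SEND_SIG_PRIV and SEND_SIG_FORCED are non-pointer sentinel values too, so the line is safe only because of the si_fromuser() early return that presumably precedes it in check_kill_permission (outside the hunk). Using the predicate the other hunks in this file already use, `if ((is_si_special(info) || info->si_code != SI_TKILL ||`, makes the guard locally correct. The exemption additionally relies on SI_TKILL with a matching si_pid not being forgeable via rt_sigqueueinfo from another thread group; a one-line comment naming that invariant would help, since the enclosing function (the hunk header carries no function name) starts and ends outside the hunk.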
65697 @@ -1092,7 +1103,7 @@ __group_send_sig_info(int sig, struct si
65698         return send_signal(sig, info, p, 1);
65699  }
65700  
65701 -static int
65702 +int
65703  specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
65704  {
65705         return send_signal(sig, info, t, 0);
65706 @@ -1129,6 +1140,7 @@ force_sig_info(int sig, struct siginfo *
65707         unsigned long int flags;
65708         int ret, blocked, ignored;
65709         struct k_sigaction *action;
65710 +       int is_unhandled = 0;
65711  
65712         spin_lock_irqsave(&t->sighand->siglock, flags);
65713         action = &t->sighand->action[sig-1];
65714 @@ -1143,9 +1155,18 @@ force_sig_info(int sig, struct siginfo *
65715         }
65716         if (action->sa.sa_handler == SIG_DFL)
65717                 t->signal->flags &= ~SIGNAL_UNKILLABLE;
65718 +       if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
65719 +               is_unhandled = 1;
65720         ret = specific_send_sig_info(sig, info, t);
65721         spin_unlock_irqrestore(&t->sighand->siglock, flags);
65722  
65723 +       /* only deal with unhandled signals, java etc trigger SIGSEGV during
65724 +          normal operation */
65725 +       if (is_unhandled) {
65726 +               gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
65727 +               gr_handle_crash(t, sig);
65728 +       }
65729 +
65730         return ret;
65731  }
65732  
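Review bot: The `SIG_IGN` half of the new `is_unhandled` test looks dead: the blocked/ignored block that closes at the top of this hunk replaces an ignored handler with SIG_DFL before this point (its body is outside the hunk, confirm), so only `action->sa.sa_handler == SIG_DFL` can still be true here. `if (action->sa.sa_handler == SIG_DFL) is_unhandled = 1;` — or folding it into the existing SIG_DFL branch that clears SIGNAL_UNKILLABLE — says what is actually tested. force_sig_info is also reached for SIGKILL and other non-fault signals (force_sig() callers pass SEND_SIG_PRIV), so gr_handle_crash is presumably expected to filter by signal number itself; if it does not, a comment naming which signals count as a crash would help the next reader. force_sig_info begins in the previous hunk.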
65733 @@ -1212,8 +1233,11 @@ int group_send_sig_info(int sig, struct 
65734         ret = check_kill_permission(sig, info, p);
65735         rcu_read_unlock();
65736  
65737 -       if (!ret && sig)
65738 +       if (!ret && sig) {
65739                 ret = do_send_sig_info(sig, info, p, true);
65740 +               if (!ret)
65741 +                       gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
65742 +       }
65743  
65744         return ret;
65745  }
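Review bot: The `info->si_addr` passed to gr_log_signal on the new line is meaningless for most signals that reach group_send_sig_info: si_addr lives in the `_sigfault` arm of the siginfo union and overlays `si_pid`/`si_uid` (and, for rt_sigqueueinfo, sender-supplied bytes) for anything that is not a kernel fault. Unless gr_log_signal ignores the address for non-fault signals (not visible here), the log records sender-controlled data as a fault address; restricting it to kernel-generated info, `gr_log_signal(sig, (!is_si_special(info) && info->si_code > 0) ? info->si_addr : NULL, p);`, keeps that field trustworthy. The same expression appears in the force_sig_info hunk above, where the fault-signal case is the common one.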
65746 @@ -1839,6 +1863,8 @@ void ptrace_notify(int exit_code)
65747  {
65748         siginfo_t info;
65749  
65750 +       pax_track_stack();
65751 +
65752         BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
65753  
65754         memset(&info, 0, sizeof info);
65755 @@ -2637,7 +2663,15 @@ do_send_specific(pid_t tgid, pid_t pid, 
65756         int error = -ESRCH;
65757  
65758         rcu_read_lock();
65759 -       p = find_task_by_vpid(pid);
65760 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
65761 +       /* allow glibc communication via tgkill to other threads in our
65762 +          thread group */
65763 +       if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
65764 +           sig == (SIGRTMIN+1) && tgid == info->si_pid)            
65765 +               p = find_task_by_vpid_unrestricted(pid);
65766 +       else
65767 +#endif
65768 +               p = find_task_by_vpid(pid);
65769         if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
65770                 error = check_kill_permission(sig, info, p);
65771                 /*
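Review bot: The glibc-tgkill predicate on the new `if` (SI_TKILL, `SIGRTMIN+1`, tgid equal to si_pid) is now written out twice in this file — here and in the check_kill_permission hunk earlier in this diff — and the two copies already differ slightly (that one tests SEND_SIG_NOINFO and the target's tgid, this one compares the caller's tgid argument). A single helper keeps the two exemptions from drifting apart, which matters because each one bypasses a grsecurity restriction. The new condition line also carries trailing whitespace after `info->si_pid)`. Here `info` is never a special value (do_tkill and do_rt_tgsigqueueinfo pass a real siginfo), so the NULL test in the helper below is only a safety margin.
```c
/* tgkill(SIGRTMIN+1) from a thread to its own thread group, which glibc
 * relies on internally; both grsecurity exemptions key on this predicate */
static int is_glibc_tgkill(int sig, const struct siginfo *info, pid_t tgid)
{
	return info != SEND_SIG_NOINFO && info->si_code == SI_TKILL &&
	       sig == SIGRTMIN + 1 && tgid == info->si_pid;
}

/* … unchanged: do_send_specific up to the task lookup … */
#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
	if (grsec_enable_chroot_findtask && is_glibc_tgkill(sig, info, tgid))
		p = find_task_by_vpid_unrestricted(pid);
	else
#endif
		p = find_task_by_vpid(pid);
```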
65772 diff -urNp linux-3.0.9/kernel/smp.c linux-3.0.9/kernel/smp.c
65773 --- linux-3.0.9/kernel/smp.c    2011-11-11 13:12:24.000000000 -0500
65774 +++ linux-3.0.9/kernel/smp.c    2011-11-15 20:03:00.000000000 -0500
65775 @@ -580,22 +580,22 @@ int smp_call_function(smp_call_func_t fu
65776  }
65777  EXPORT_SYMBOL(smp_call_function);
65778  
65779 -void ipi_call_lock(void)
65780 +void ipi_call_lock(void) __acquires(call_function.lock)
65781  {
65782         raw_spin_lock(&call_function.lock);
65783  }
65784  
65785 -void ipi_call_unlock(void)
65786 +void ipi_call_unlock(void) __releases(call_function.lock)
65787  {
65788         raw_spin_unlock(&call_function.lock);
65789  }
65790  
65791 -void ipi_call_lock_irq(void)
65792 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
65793  {
65794         raw_spin_lock_irq(&call_function.lock);
65795  }
65796  
65797 -void ipi_call_unlock_irq(void)
65798 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
65799  {
65800         raw_spin_unlock_irq(&call_function.lock);
65801  }
65802 diff -urNp linux-3.0.9/kernel/softirq.c linux-3.0.9/kernel/softirq.c
65803 --- linux-3.0.9/kernel/softirq.c        2011-11-11 13:12:24.000000000 -0500
65804 +++ linux-3.0.9/kernel/softirq.c        2011-11-15 20:03:00.000000000 -0500
65805 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
65806  
65807  DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
65808  
65809 -char *softirq_to_name[NR_SOFTIRQS] = {
65810 +const char * const softirq_to_name[NR_SOFTIRQS] = {
65811         "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
65812         "TASKLET", "SCHED", "HRTIMER", "RCU"
65813  };
65814 @@ -235,7 +235,7 @@ restart:
65815                         kstat_incr_softirqs_this_cpu(vec_nr);
65816  
65817                         trace_softirq_entry(vec_nr);
65818 -                       h->action(h);
65819 +                       h->action();
65820                         trace_softirq_exit(vec_nr);
65821                         if (unlikely(prev_count != preempt_count())) {
65822                                 printk(KERN_ERR "huh, entered softirq %u %s %p"
65823 @@ -385,9 +385,11 @@ void raise_softirq(unsigned int nr)
65824         local_irq_restore(flags);
65825  }
65826  
65827 -void open_softirq(int nr, void (*action)(struct softirq_action *))
65828 +void open_softirq(int nr, void (*action)(void))
65829  {
65830 -       softirq_vec[nr].action = action;
65831 +       pax_open_kernel();
65832 +       *(void **)&softirq_vec[nr].action = action;
65833 +       pax_close_kernel();
65834  }
65835  
65836  /*
65837 @@ -441,7 +443,7 @@ void __tasklet_hi_schedule_first(struct 
65838  
65839  EXPORT_SYMBOL(__tasklet_hi_schedule_first);
65840  
65841 -static void tasklet_action(struct softirq_action *a)
65842 +static void tasklet_action(void)
65843  {
65844         struct tasklet_struct *list;
65845  
65846 @@ -476,7 +478,7 @@ static void tasklet_action(struct softir
65847         }
65848  }
65849  
65850 -static void tasklet_hi_action(struct softirq_action *a)
65851 +static void tasklet_hi_action(void)
65852  {
65853         struct tasklet_struct *list;
65854  
65855 diff -urNp linux-3.0.9/kernel/sys.c linux-3.0.9/kernel/sys.c
65856 --- linux-3.0.9/kernel/sys.c    2011-11-11 13:12:24.000000000 -0500
65857 +++ linux-3.0.9/kernel/sys.c    2011-11-15 20:03:00.000000000 -0500
65858 @@ -158,6 +158,12 @@ static int set_one_prio(struct task_stru
65859                 error = -EACCES;
65860                 goto out;
65861         }
65862 +
65863 +       if (gr_handle_chroot_setpriority(p, niceval)) {
65864 +               error = -EACCES;
65865 +               goto out;
65866 +       }
65867 +
65868         no_nice = security_task_setnice(p, niceval);
65869         if (no_nice) {
65870                 error = no_nice;
65871 @@ -541,6 +547,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
65872                         goto error;
65873         }
65874  
65875 +       if (gr_check_group_change(new->gid, new->egid, -1))
65876 +               goto error;
65877 +
65878         if (rgid != (gid_t) -1 ||
65879             (egid != (gid_t) -1 && egid != old->gid))
65880                 new->sgid = new->egid;
65881 @@ -570,6 +579,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
65882         old = current_cred();
65883  
65884         retval = -EPERM;
65885 +
65886 +       if (gr_check_group_change(gid, gid, gid))
65887 +               goto error;
65888 +
65889         if (nsown_capable(CAP_SETGID))
65890                 new->gid = new->egid = new->sgid = new->fsgid = gid;
65891         else if (gid == old->gid || gid == old->sgid)
65892 @@ -595,11 +608,18 @@ static int set_user(struct cred *new)
65893         if (!new_user)
65894                 return -EAGAIN;
65895  
65896 +       /*
65897 +        * We don't fail in case of NPROC limit excess here because too many
65898 +        * poorly written programs don't check set*uid() return code, assuming
65899 +        * it never fails if called by root.  We may still enforce NPROC limit
65900 +        * for programs doing set*uid()+execve() by harmlessly deferring the
65901 +        * failure to the execve() stage.
65902 +        */
65903         if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&
65904 -                       new_user != INIT_USER) {
65905 -               free_uid(new_user);
65906 -               return -EAGAIN;
65907 -       }
65908 +                       new_user != INIT_USER)
65909 +               current->flags |= PF_NPROC_EXCEEDED;
65910 +       else
65911 +               current->flags &= ~PF_NPROC_EXCEEDED;
65912  
65913         free_uid(new->user);
65914         new->user = new_user;
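Review bot: The comment on the new code explains why set_user() no longer fails but not where the deferred failure is enforced; `PF_NPROC_EXCEEDED` must be defined and consumed in do_execve_common() (both outside this hunk — confirm they are part of this patch), and without that consumer RLIMIT_NPROC is simply no longer checked on set*uid(). Extending the comment with `/* enforced in do_execve_common(), which should also clear the flag once it has decided */` ties the two halves together for the next reader. The fork path still checks the limit in copy_process, so a setuid daemon that forks without exec stays bounded, which is worth stating as the reason this deferral is acceptable.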
65915 @@ -650,6 +670,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
65916                         goto error;
65917         }
65918  
65919 +       if (gr_check_user_change(new->uid, new->euid, -1))
65920 +               goto error;
65921 +
65922         if (new->uid != old->uid) {
65923                 retval = set_user(new);
65924                 if (retval < 0)
65925 @@ -694,6 +717,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
65926         old = current_cred();
65927  
65928         retval = -EPERM;
65929 +
65930 +       if (gr_check_crash_uid(uid))
65931 +               goto error;
65932 +       if (gr_check_user_change(uid, uid, uid))
65933 +               goto error;
65934 +
65935         if (nsown_capable(CAP_SETUID)) {
65936                 new->suid = new->uid = uid;
65937                 if (uid != old->uid) {
65938 @@ -748,6 +777,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, 
65939                         goto error;
65940         }
65941  
65942 +       if (gr_check_user_change(ruid, euid, -1))
65943 +               goto error;
65944 +
65945         if (ruid != (uid_t) -1) {
65946                 new->uid = ruid;
65947                 if (ruid != old->uid) {
65948 @@ -812,6 +844,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, 
65949                         goto error;
65950         }
65951  
65952 +       if (gr_check_group_change(rgid, egid, -1))
65953 +               goto error;
65954 +
65955         if (rgid != (gid_t) -1)
65956                 new->gid = rgid;
65957         if (egid != (gid_t) -1)
65958 @@ -858,6 +893,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65959         old = current_cred();
65960         old_fsuid = old->fsuid;
65961  
65962 +       if (gr_check_user_change(-1, -1, uid))
65963 +               goto error;
65964 +
65965         if (uid == old->uid  || uid == old->euid  ||
65966             uid == old->suid || uid == old->fsuid ||
65967             nsown_capable(CAP_SETUID)) {
65968 @@ -868,6 +906,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65969                 }
65970         }
65971  
65972 +error:
65973         abort_creds(new);
65974         return old_fsuid;
65975  
65976 @@ -894,12 +933,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
65977         if (gid == old->gid  || gid == old->egid  ||
65978             gid == old->sgid || gid == old->fsgid ||
65979             nsown_capable(CAP_SETGID)) {
65980 +               if (gr_check_group_change(-1, -1, gid))
65981 +                       goto error;
65982 +
65983                 if (gid != old_fsgid) {
65984                         new->fsgid = gid;
65985                         goto change_okay;
65986                 }
65987         }
65988  
65989 +error:
65990         abort_creds(new);
65991         return old_fsgid;
65992  
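Review bot: Placing `gr_check_group_change(-1, -1, gid)` inside the DAC-permitted branch makes setfsgid behave differently from setfsuid in the hunk just above, where `gr_check_user_change(-1, -1, uid)` runs before the `uid == old->uid || ...` test. Here an unprivileged caller that fails the gid test never reaches the grsecurity hook, so whatever gr_check_group_change does for denied attempts (logging, presumably) is skipped for exactly the callers that are probing. Moving it up to mirror setfsuid, `if (gr_check_group_change(-1, -1, gid)) goto error;` placed before the `if (gid == old->gid ...` line, keeps the two syscalls consistent, and the return value is old_fsgid on both paths either way. The beginning of setfsgid lies outside this hunk.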
65993 @@ -1205,19 +1248,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_
65994                 return -EFAULT;
65995  
65996         down_read(&uts_sem);
65997 -       error = __copy_to_user(&name->sysname, &utsname()->sysname,
65998 +       error = __copy_to_user(name->sysname, &utsname()->sysname,
65999                                __OLD_UTS_LEN);
66000         error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
66001 -       error |= __copy_to_user(&name->nodename, &utsname()->nodename,
66002 +       error |= __copy_to_user(name->nodename, &utsname()->nodename,
66003                                 __OLD_UTS_LEN);
66004         error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
66005 -       error |= __copy_to_user(&name->release, &utsname()->release,
66006 +       error |= __copy_to_user(name->release, &utsname()->release,
66007                                 __OLD_UTS_LEN);
66008         error |= __put_user(0, name->release + __OLD_UTS_LEN);
66009 -       error |= __copy_to_user(&name->version, &utsname()->version,
66010 +       error |= __copy_to_user(name->version, &utsname()->version,
66011                                 __OLD_UTS_LEN);
66012         error |= __put_user(0, name->version + __OLD_UTS_LEN);
66013 -       error |= __copy_to_user(&name->machine, &utsname()->machine,
66014 +       error |= __copy_to_user(name->machine, &utsname()->machine,
66015                                 __OLD_UTS_LEN);
66016         error |= __put_user(0, name->machine + __OLD_UTS_LEN);
66017         up_read(&uts_sem);
66018 @@ -1680,7 +1723,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
66019                         error = get_dumpable(me->mm);
66020                         break;
66021                 case PR_SET_DUMPABLE:
66022 -                       if (arg2 < 0 || arg2 > 1) {
66023 +                       if (arg2 > 1) {
66024                                 error = -EINVAL;
66025                                 break;
66026                         }
66027 diff -urNp linux-3.0.9/kernel/sysctl_binary.c linux-3.0.9/kernel/sysctl_binary.c
66028 --- linux-3.0.9/kernel/sysctl_binary.c  2011-11-11 13:12:24.000000000 -0500
66029 +++ linux-3.0.9/kernel/sysctl_binary.c  2011-11-15 20:03:00.000000000 -0500
66030 @@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *f
66031                 int i;
66032  
66033                 set_fs(KERNEL_DS);
66034 -               result = vfs_read(file, buffer, BUFSZ - 1, &pos);
66035 +               result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
66036                 set_fs(old_fs);
66037                 if (result < 0)
66038                         goto out_kfree;
66039 @@ -1034,7 +1034,7 @@ static ssize_t bin_intvec(struct file *f
66040                 }
66041  
66042                 set_fs(KERNEL_DS);
66043 -               result = vfs_write(file, buffer, str - buffer, &pos);
66044 +               result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
66045                 set_fs(old_fs);
66046                 if (result < 0)
66047                         goto out_kfree;
66048 @@ -1067,7 +1067,7 @@ static ssize_t bin_ulongvec(struct file 
66049                 int i;
66050  
66051                 set_fs(KERNEL_DS);
66052 -               result = vfs_read(file, buffer, BUFSZ - 1, &pos);
66053 +               result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
66054                 set_fs(old_fs);
66055                 if (result < 0)
66056                         goto out_kfree;
66057 @@ -1112,7 +1112,7 @@ static ssize_t bin_ulongvec(struct file 
66058                 }
66059  
66060                 set_fs(KERNEL_DS);
66061 -               result = vfs_write(file, buffer, str - buffer, &pos);
66062 +               result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
66063                 set_fs(old_fs);
66064                 if (result < 0)
66065                         goto out_kfree;
66066 @@ -1138,7 +1138,7 @@ static ssize_t bin_uuid(struct file *fil
66067                 int i;
66068  
66069                 set_fs(KERNEL_DS);
66070 -               result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
66071 +               result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
66072                 set_fs(old_fs);
66073                 if (result < 0)
66074                         goto out;
66075 @@ -1185,7 +1185,7 @@ static ssize_t bin_dn_node_address(struc
66076                 __le16 dnaddr;
66077  
66078                 set_fs(KERNEL_DS);
66079 -               result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
66080 +               result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
66081                 set_fs(old_fs);
66082                 if (result < 0)
66083                         goto out;
66084 @@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struc
66085                                 le16_to_cpu(dnaddr) & 0x3ff);
66086  
66087                 set_fs(KERNEL_DS);
66088 -               result = vfs_write(file, buf, len, &pos);
66089 +               result = vfs_write(file, (const char __force_user *)buf, len, &pos);
66090                 set_fs(old_fs);
66091                 if (result < 0)
66092                         goto out;
66093 diff -urNp linux-3.0.9/kernel/sysctl.c linux-3.0.9/kernel/sysctl.c
66094 --- linux-3.0.9/kernel/sysctl.c 2011-11-11 13:12:24.000000000 -0500
66095 +++ linux-3.0.9/kernel/sysctl.c 2011-11-15 20:03:00.000000000 -0500
66096 @@ -85,6 +85,13 @@
66097  
66098  
66099  #if defined(CONFIG_SYSCTL)
66100 +#include <linux/grsecurity.h>
66101 +#include <linux/grinternal.h>
66102 +
66103 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
66104 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
66105 +                               const int op);
66106 +extern int gr_handle_chroot_sysctl(const int op);
66107  
66108  /* External variables not in a header file. */
66109  extern int sysctl_overcommit_memory;
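Review bot: `gr_handle_sysctl` is declared here as returning `__u32`, but its only use in this file (the sysctl_perm hunk further down) stores the result in `int error` and returns it as sysctl_perm's errno-style result; a negative errno travelling through an unsigned type relies on implementation-defined conversion and defeats any `< 0` check a caller might add. `extern int gr_handle_sysctl(const ctl_table *table, const int op);` matches how the value is consumed, and if the function really yields a non-negative __u32 the caller should convert explicitly and say so. These three prototypes also belong in linux/grsecurity.h or linux/grinternal.h, which are included on the two lines directly above, rather than as bare externs in a .c file.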
66110 @@ -197,6 +204,7 @@ static int sysrq_sysctl_handler(ctl_tabl
66111  }
66112  
66113  #endif
66114 +extern struct ctl_table grsecurity_table[];
66115  
66116  static struct ctl_table root_table[];
66117  static struct ctl_table_root sysctl_table_root;
66118 @@ -226,6 +234,20 @@ extern struct ctl_table epoll_table[];
66119  int sysctl_legacy_va_layout;
66120  #endif
66121  
66122 +#ifdef CONFIG_PAX_SOFTMODE
66123 +static ctl_table pax_table[] = {
66124 +       {
66125 +               .procname       = "softmode",
66126 +               .data           = &pax_softmode,
66127 +               .maxlen         = sizeof(unsigned int),
66128 +               .mode           = 0600,
66129 +               .proc_handler   = &proc_dointvec,
66130 +       },
66131 +
66132 +       { }
66133 +};
66134 +#endif
66135 +
66136  /* The default sysctl tables: */
66137  
66138  static struct ctl_table root_table[] = {
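Review bot: The new `softmode` entry uses plain `proc_dointvec` with no bounds, so any int can be written to pax_softmode, whereas the flag-style entries elsewhere in this file are bounded with `proc_dointvec_minmax` and `.extra1 = &zero, .extra2 = &one` (the zero/one statics are used that way further down in kern_table). If its consumers only test for non-zero this is harmless, but a value such as 2 would still read back as neither on nor off; `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,` pins it to a boolean. Mode 0600 under a 0500 directory (see the kern_table hunk below) already restricts writes to root, so this is about input validation rather than access.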
66139 @@ -272,6 +294,22 @@ static int max_extfrag_threshold = 1000;
66140  #endif
66141  
66142  static struct ctl_table kern_table[] = {
66143 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
66144 +       {
66145 +               .procname       = "grsecurity",
66146 +               .mode           = 0500,
66147 +               .child          = grsecurity_table,
66148 +       },
66149 +#endif
66150 +
66151 +#ifdef CONFIG_PAX_SOFTMODE
66152 +       {
66153 +               .procname       = "pax",
66154 +               .mode           = 0500,
66155 +               .child          = pax_table,
66156 +       },
66157 +#endif
66158 +
66159         {
66160                 .procname       = "sched_child_runs_first",
66161                 .data           = &sysctl_sched_child_runs_first,
66162 @@ -546,7 +584,7 @@ static struct ctl_table kern_table[] = {
66163                 .data           = &modprobe_path,
66164                 .maxlen         = KMOD_PATH_LEN,
66165                 .mode           = 0644,
66166 -               .proc_handler   = proc_dostring,
66167 +               .proc_handler   = proc_dostring_modpriv,
66168         },
66169         {
66170                 .procname       = "modules_disabled",
66171 @@ -713,16 +751,20 @@ static struct ctl_table kern_table[] = {
66172                 .extra1         = &zero,
66173                 .extra2         = &one,
66174         },
66175 +#endif
66176         {
66177                 .procname       = "kptr_restrict",
66178                 .data           = &kptr_restrict,
66179                 .maxlen         = sizeof(int),
66180                 .mode           = 0644,
66181                 .proc_handler   = proc_dointvec_minmax_sysadmin,
66182 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66183 +               .extra1         = &two,
66184 +#else
66185                 .extra1         = &zero,
66186 +#endif
66187                 .extra2         = &two,
66188         },
66189 -#endif
66190         {
66191                 .procname       = "ngroups_max",
66192                 .data           = &ngroups_max,
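Review bot: Raising `.extra1` to `&two` under CONFIG_GRKERNSEC_HIDESYM only bounds writes through the sysctl; the initial value is set where kptr_restrict is defined (lib/vsprintf.c, outside this chunk), so unless that definition is also initialised to 2 under HIDESYM the file reports a value below its own minimum until root writes it. A comment on the `#ifdef`, such as `/* HIDESYM: kptr_restrict starts at 2 (lib/vsprintf.c) and may not be lowered */`, records that coupling. The hunk also moves the `#endif` so this entry is no longer under CONFIG_PRINTK; if `proc_dointvec_minmax_sysadmin` is still defined inside the CONFIG_PRINTK block elsewhere in this file, a !CONFIG_PRINTK build will fail to resolve it.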
66193 @@ -1205,6 +1247,13 @@ static struct ctl_table vm_table[] = {
66194                 .proc_handler   = proc_dointvec_minmax,
66195                 .extra1         = &zero,
66196         },
66197 +       {
66198 +               .procname       = "heap_stack_gap",
66199 +               .data           = &sysctl_heap_stack_gap,
66200 +               .maxlen         = sizeof(sysctl_heap_stack_gap),
66201 +               .mode           = 0644,
66202 +               .proc_handler   = proc_doulongvec_minmax,
66203 +       },
66204  #else
66205         {
66206                 .procname       = "nr_trim_pages",
66207 @@ -1714,6 +1763,17 @@ static int test_perm(int mode, int op)
66208  int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
66209  {
66210         int mode;
66211 +       int error;
66212 +
66213 +       if (table->parent != NULL && table->parent->procname != NULL &&
66214 +          table->procname != NULL &&
66215 +           gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
66216 +               return -EACCES;
66217 +       if (gr_handle_chroot_sysctl(op))
66218 +               return -EACCES;
66219 +       error = gr_handle_sysctl(table, op);
66220 +       if (error)
66221 +               return error;
66222  
66223         if (root->permissions)
66224                 mode = root->permissions(root, current->nsproxy, table);
66225 @@ -2118,6 +2178,16 @@ int proc_dostring(struct ctl_table *tabl
66226                                buffer, lenp, ppos);
66227  }
66228  
66229 +int proc_dostring_modpriv(struct ctl_table *table, int write,
66230 +                 void __user *buffer, size_t *lenp, loff_t *ppos)
66231 +{
66232 +       if (write && !capable(CAP_SYS_MODULE))
66233 +               return -EPERM;
66234 +
66235 +       return _proc_do_string(table->data, table->maxlen, write,
66236 +                              buffer, lenp, ppos);
66237 +}
66238 +
66239  static size_t proc_skip_spaces(char **buf)
66240  {
66241         size_t ret;
66242 @@ -2223,6 +2293,8 @@ static int proc_put_long(void __user **b
66243         len = strlen(tmp);
66244         if (len > *size)
66245                 len = *size;
66246 +       if (len > sizeof(tmp))
66247 +               len = sizeof(tmp);
66248         if (copy_to_user(*buf, tmp, len))
66249                 return -EFAULT;
66250         *size -= len;
66251 @@ -2539,8 +2611,11 @@ static int __do_proc_doulongvec_minmax(v
66252                         *i = val;
66253                 } else {
66254                         val = convdiv * (*i) / convmul;
66255 -                       if (!first)
66256 +                       if (!first) {
66257                                 err = proc_put_char(&buffer, &left, '\t');
66258 +                               if (err)
66259 +                                       break;
66260 +                       }
66261                         err = proc_put_long(&buffer, &left, val, false);
66262                         if (err)
66263                                 break;
66264 @@ -2935,6 +3010,12 @@ int proc_dostring(struct ctl_table *tabl
66265         return -ENOSYS;
66266  }
66267  
66268 +int proc_dostring_modpriv(struct ctl_table *table, int write,
66269 +                 void __user *buffer, size_t *lenp, loff_t *ppos)
66270 +{
66271 +       return -ENOSYS;
66272 +}
66273 +
66274  int proc_dointvec(struct ctl_table *table, int write,
66275                   void __user *buffer, size_t *lenp, loff_t *ppos)
66276  {
66277 @@ -2991,6 +3072,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
66278  EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
66279  EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
66280  EXPORT_SYMBOL(proc_dostring);
66281 +EXPORT_SYMBOL(proc_dostring_modpriv);
66282  EXPORT_SYMBOL(proc_doulongvec_minmax);
66283  EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
66284  EXPORT_SYMBOL(register_sysctl_table);
66285 diff -urNp linux-3.0.9/kernel/sysctl_check.c linux-3.0.9/kernel/sysctl_check.c
66286 --- linux-3.0.9/kernel/sysctl_check.c   2011-11-11 13:12:24.000000000 -0500
66287 +++ linux-3.0.9/kernel/sysctl_check.c   2011-11-15 20:03:00.000000000 -0500
66288 @@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
66289                                 set_fail(&fail, table, "Directory with extra2");
66290                 } else {
66291                         if ((table->proc_handler == proc_dostring) ||
66292 +                           (table->proc_handler == proc_dostring_modpriv) ||
66293                             (table->proc_handler == proc_dointvec) ||
66294                             (table->proc_handler == proc_dointvec_minmax) ||
66295                             (table->proc_handler == proc_dointvec_jiffies) ||
66296 diff -urNp linux-3.0.9/kernel/taskstats.c linux-3.0.9/kernel/taskstats.c
66297 --- linux-3.0.9/kernel/taskstats.c      2011-11-11 13:12:24.000000000 -0500
66298 +++ linux-3.0.9/kernel/taskstats.c      2011-11-15 20:03:00.000000000 -0500
66299 @@ -27,9 +27,12 @@
66300  #include <linux/cgroup.h>
66301  #include <linux/fs.h>
66302  #include <linux/file.h>
66303 +#include <linux/grsecurity.h>
66304  #include <net/genetlink.h>
66305  #include <asm/atomic.h>
66306  
66307 +extern int gr_is_taskstats_denied(int pid);
66308 +
66309  /*
66310   * Maximum length of a cpumask that can be specified in
66311   * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
66312 @@ -558,6 +561,9 @@ err:
66313  
66314  static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
66315  {
66316 +       if (gr_is_taskstats_denied(current->pid))
66317 +               return -EACCES;
66318 +
66319         if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
66320                 return cmd_attr_register_cpumask(info);
66321         else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
66322 diff -urNp linux-3.0.9/kernel/time/alarmtimer.c linux-3.0.9/kernel/time/alarmtimer.c
66323 --- linux-3.0.9/kernel/time/alarmtimer.c        2011-11-11 13:12:24.000000000 -0500
66324 +++ linux-3.0.9/kernel/time/alarmtimer.c        2011-11-15 20:03:00.000000000 -0500
66325 @@ -693,7 +693,7 @@ static int __init alarmtimer_init(void)
66326  {
66327         int error = 0;
66328         int i;
66329 -       struct k_clock alarm_clock = {
66330 +       static struct k_clock alarm_clock = {
66331                 .clock_getres   = alarm_clock_getres,
66332                 .clock_get      = alarm_clock_get,
66333                 .timer_create   = alarm_timer_create,
66334 diff -urNp linux-3.0.9/kernel/time/tick-broadcast.c linux-3.0.9/kernel/time/tick-broadcast.c
66335 --- linux-3.0.9/kernel/time/tick-broadcast.c    2011-11-11 13:12:24.000000000 -0500
66336 +++ linux-3.0.9/kernel/time/tick-broadcast.c    2011-11-15 20:03:00.000000000 -0500
66337 @@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
66338                  * then clear the broadcast bit.
66339                  */
66340                 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
66341 -                       int cpu = smp_processor_id();
66342 +                       cpu = smp_processor_id();
66343  
66344                         cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
66345                         tick_broadcast_clear_oneshot(cpu);
66346 diff -urNp linux-3.0.9/kernel/time/timekeeping.c linux-3.0.9/kernel/time/timekeeping.c
66347 --- linux-3.0.9/kernel/time/timekeeping.c       2011-11-11 13:12:24.000000000 -0500
66348 +++ linux-3.0.9/kernel/time/timekeeping.c       2011-11-15 20:03:00.000000000 -0500
66349 @@ -14,6 +14,7 @@
66350  #include <linux/init.h>
66351  #include <linux/mm.h>
66352  #include <linux/sched.h>
66353 +#include <linux/grsecurity.h>
66354  #include <linux/syscore_ops.h>
66355  #include <linux/clocksource.h>
66356  #include <linux/jiffies.h>
66357 @@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
66358         if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
66359                 return -EINVAL;
66360  
66361 +       gr_log_timechange();
66362 +
66363         write_seqlock_irqsave(&xtime_lock, flags);
66364  
66365         timekeeping_forward_now();
66366 diff -urNp linux-3.0.9/kernel/time/timer_list.c linux-3.0.9/kernel/time/timer_list.c
66367 --- linux-3.0.9/kernel/time/timer_list.c        2011-11-11 13:12:24.000000000 -0500
66368 +++ linux-3.0.9/kernel/time/timer_list.c        2011-11-15 20:03:00.000000000 -0500
66369 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
66370  
66371  static void print_name_offset(struct seq_file *m, void *sym)
66372  {
66373 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66374 +       SEQ_printf(m, "<%p>", NULL);
66375 +#else
66376         char symname[KSYM_NAME_LEN];
66377  
66378         if (lookup_symbol_name((unsigned long)sym, symname) < 0)
66379                 SEQ_printf(m, "<%pK>", sym);
66380         else
66381                 SEQ_printf(m, "%s", symname);
66382 +#endif
66383  }
66384  
66385  static void
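Review bot: The HIDESYM branch of print_name_offset passes `NULL` to `%p`, which on this kernel's vsprintf is likely to print `(null)` rather than a zero-padded address (check lib/vsprintf.c for this tree), so /proc/timer_list changes format for anything that parses it. `SEQ_printf(m, "<%pK>", sym);` in the HIDESYM branch avoids the symbol lookup while keeping the address format, and `%pK` already prints zeros once kptr_restrict is at 2, which the sysctl hunk in this same diff forces under HIDESYM. The same `%p`/NULL pattern appears in the print_base hunk below and in timer_stats.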
66386 @@ -112,7 +116,11 @@ next_one:
66387  static void
66388  print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
66389  {
66390 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66391 +       SEQ_printf(m, "  .base:       %p\n", NULL);
66392 +#else
66393         SEQ_printf(m, "  .base:       %pK\n", base);
66394 +#endif
66395         SEQ_printf(m, "  .index:      %d\n",
66396                         base->index);
66397         SEQ_printf(m, "  .resolution: %Lu nsecs\n",
66398 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
66399  {
66400         struct proc_dir_entry *pe;
66401  
66402 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66403 +       pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
66404 +#else
66405         pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
66406 +#endif
66407         if (!pe)
66408                 return -ENOMEM;
66409         return 0;
66410 diff -urNp linux-3.0.9/kernel/time/timer_stats.c linux-3.0.9/kernel/time/timer_stats.c
66411 --- linux-3.0.9/kernel/time/timer_stats.c       2011-11-11 13:12:24.000000000 -0500
66412 +++ linux-3.0.9/kernel/time/timer_stats.c       2011-11-15 20:03:00.000000000 -0500
66413 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
66414  static unsigned long nr_entries;
66415  static struct entry entries[MAX_ENTRIES];
66416  
66417 -static atomic_t overflow_count;
66418 +static atomic_unchecked_t overflow_count;
66419  
66420  /*
66421   * The entries are in a hash-table, for fast lookup:
66422 @@ -140,7 +140,7 @@ static void reset_entries(void)
66423         nr_entries = 0;
66424         memset(entries, 0, sizeof(entries));
66425         memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
66426 -       atomic_set(&overflow_count, 0);
66427 +       atomic_set_unchecked(&overflow_count, 0);
66428  }
66429  
66430  static struct entry *alloc_entry(void)
66431 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
66432         if (likely(entry))
66433                 entry->count++;
66434         else
66435 -               atomic_inc(&overflow_count);
66436 +               atomic_inc_unchecked(&overflow_count);
66437  
66438   out_unlock:
66439         raw_spin_unlock_irqrestore(lock, flags);
66440 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
66441  
66442  static void print_name_offset(struct seq_file *m, unsigned long addr)
66443  {
66444 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66445 +       seq_printf(m, "<%p>", NULL);
66446 +#else
66447         char symname[KSYM_NAME_LEN];
66448  
66449         if (lookup_symbol_name(addr, symname) < 0)
66450                 seq_printf(m, "<%p>", (void *)addr);
66451         else
66452                 seq_printf(m, "%s", symname);
66453 +#endif
66454  }
66455  
66456  static int tstats_show(struct seq_file *m, void *v)
66457 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
66458  
66459         seq_puts(m, "Timer Stats Version: v0.2\n");
66460         seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
66461 -       if (atomic_read(&overflow_count))
66462 +       if (atomic_read_unchecked(&overflow_count))
66463                 seq_printf(m, "Overflow: %d entries\n",
66464 -                       atomic_read(&overflow_count));
66465 +                       atomic_read_unchecked(&overflow_count));
66466  
66467         for (i = 0; i < nr_entries; i++) {
66468                 entry = entries + i;
66469 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
66470  {
66471         struct proc_dir_entry *pe;
66472  
66473 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66474 +       pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
66475 +#else
66476         pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
66477 +#endif
66478         if (!pe)
66479                 return -ENOMEM;
66480         return 0;
66481 diff -urNp linux-3.0.9/kernel/time.c linux-3.0.9/kernel/time.c
66482 --- linux-3.0.9/kernel/time.c   2011-11-11 13:12:24.000000000 -0500
66483 +++ linux-3.0.9/kernel/time.c   2011-11-15 20:03:00.000000000 -0500
66484 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
66485                 return error;
66486  
66487         if (tz) {
66488 +               /* we log in do_settimeofday called below, so don't log twice
66489 +               */
66490 +               if (!tv)
66491 +                       gr_log_timechange();
66492 +
66493                 /* SMP safe, global irq locking makes it work. */
66494                 sys_tz = *tz;
66495                 update_vsyscall_tz();
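Review bot: The new comment's closing `*/` sits alone on its own line, which is not the kernel's block-comment layout, and it does not name the function that covers the `tv` path; `/* do_settimeofday() below logs a tv change, so log here only when tz alone changes */` on one line says the same thing in the usual style. `gr_log_timechange()` runs before `sys_tz` is assigned two lines later, so the log event precedes the actual change; presumably harmless, but worth a word in the comment if the ordering matters to whoever consumes the log. do_sys_settimeofday starts and ends outside this hunk.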
66496 diff -urNp linux-3.0.9/kernel/timer.c linux-3.0.9/kernel/timer.c
66497 --- linux-3.0.9/kernel/timer.c  2011-11-11 13:12:24.000000000 -0500
66498 +++ linux-3.0.9/kernel/timer.c  2011-11-15 20:03:00.000000000 -0500
66499 @@ -1304,7 +1304,7 @@ void update_process_times(int user_tick)
66500  /*
66501   * This function runs timers and the timer-tq in bottom half context.
66502   */
66503 -static void run_timer_softirq(struct softirq_action *h)
66504 +static void run_timer_softirq(void)
66505  {
66506         struct tvec_base *base = __this_cpu_read(tvec_bases);
66507  
66508 diff -urNp linux-3.0.9/kernel/trace/blktrace.c linux-3.0.9/kernel/trace/blktrace.c
66509 --- linux-3.0.9/kernel/trace/blktrace.c 2011-11-11 13:12:24.000000000 -0500
66510 +++ linux-3.0.9/kernel/trace/blktrace.c 2011-11-15 20:03:00.000000000 -0500
66511 @@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
66512         struct blk_trace *bt = filp->private_data;
66513         char buf[16];
66514  
66515 -       snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
66516 +       snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
66517  
66518         return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
66519  }
66520 @@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
66521                 return 1;
66522  
66523         bt = buf->chan->private_data;
66524 -       atomic_inc(&bt->dropped);
66525 +       atomic_inc_unchecked(&bt->dropped);
66526         return 0;
66527  }
66528  
66529 @@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
66530  
66531         bt->dir = dir;
66532         bt->dev = dev;
66533 -       atomic_set(&bt->dropped, 0);
66534 +       atomic_set_unchecked(&bt->dropped, 0);
66535  
66536         ret = -EIO;
66537         bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
66538 diff -urNp linux-3.0.9/kernel/trace/ftrace.c linux-3.0.9/kernel/trace/ftrace.c
66539 --- linux-3.0.9/kernel/trace/ftrace.c   2011-11-11 13:12:24.000000000 -0500
66540 +++ linux-3.0.9/kernel/trace/ftrace.c   2011-11-15 20:03:00.000000000 -0500
66541 @@ -1566,12 +1566,17 @@ ftrace_code_disable(struct module *mod, 
66542         if (unlikely(ftrace_disabled))
66543                 return 0;
66544  
66545 +       ret = ftrace_arch_code_modify_prepare();
66546 +       FTRACE_WARN_ON(ret);
66547 +       if (ret)
66548 +               return 0;
66549 +
66550         ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
66551 +       FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
66552         if (ret) {
66553                 ftrace_bug(ret, ip);
66554 -               return 0;
66555         }
66556 -       return 1;
66557 +       return ret ? 0 : 1;
66558  }
66559  
66560  /*
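Review bot: The return value of `ftrace_arch_code_modify_post_process()` is discarded after `FTRACE_WARN_ON()`, so when the prepare step succeeded but post-processing fails the function still returns 1 for this record as long as `ftrace_make_nop()` succeeded, whereas a prepare failure a few lines above is turned into `return 0`. Capturing it keeps the two hooks symmetric: `int post = ftrace_arch_code_modify_post_process(); FTRACE_WARN_ON(post); if (post) return 0;` placed after the `ftrace_bug()` block so a nop failure is still reported first. A short comment on why the prepare/post-process pair now brackets a single-record modification here (presumably the arch hook that toggles text write access) would also help, since the caller's batching is not visible in this hunk. ftrace_code_disable begins before this hunk.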
66561 @@ -2570,7 +2575,7 @@ static void ftrace_free_entry_rcu(struct
66562  
66563  int
66564  register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
66565 -                             void *data)
66566 +                               void *data)
66567  {
66568         struct ftrace_func_probe *entry;
66569         struct ftrace_page *pg;
66570 diff -urNp linux-3.0.9/kernel/trace/trace.c linux-3.0.9/kernel/trace/trace.c
66571 --- linux-3.0.9/kernel/trace/trace.c    2011-11-11 13:12:24.000000000 -0500
66572 +++ linux-3.0.9/kernel/trace/trace.c    2011-11-15 20:03:00.000000000 -0500
66573 @@ -3339,6 +3339,8 @@ static ssize_t tracing_splice_read_pipe(
66574         size_t rem;
66575         unsigned int i;
66576  
66577 +       pax_track_stack();
66578 +
66579         if (splice_grow_spd(pipe, &spd))
66580                 return -ENOMEM;
66581  
66582 @@ -3822,6 +3824,8 @@ tracing_buffers_splice_read(struct file 
66583         int entries, size, i;
66584         size_t ret;
66585  
66586 +       pax_track_stack();
66587 +
66588         if (splice_grow_spd(pipe, &spd))
66589                 return -ENOMEM;
66590  
66591 @@ -3990,10 +3994,9 @@ static const struct file_operations trac
66592  };
66593  #endif
66594  
66595 -static struct dentry *d_tracer;
66596 -
66597  struct dentry *tracing_init_dentry(void)
66598  {
66599 +       static struct dentry *d_tracer;
66600         static int once;
66601  
66602         if (d_tracer)
66603 @@ -4013,10 +4016,9 @@ struct dentry *tracing_init_dentry(void)
66604         return d_tracer;
66605  }
66606  
66607 -static struct dentry *d_percpu;
66608 -
66609  struct dentry *tracing_dentry_percpu(void)
66610  {
66611 +       static struct dentry *d_percpu;
66612         static int once;
66613         struct dentry *d_tracer;
66614  
66615 diff -urNp linux-3.0.9/kernel/trace/trace_events.c linux-3.0.9/kernel/trace/trace_events.c
66616 --- linux-3.0.9/kernel/trace/trace_events.c     2011-11-11 13:12:24.000000000 -0500
66617 +++ linux-3.0.9/kernel/trace/trace_events.c     2011-11-15 20:03:00.000000000 -0500
66618 @@ -1318,10 +1318,6 @@ static LIST_HEAD(ftrace_module_file_list
66619  struct ftrace_module_file_ops {
66620         struct list_head                list;
66621         struct module                   *mod;
66622 -       struct file_operations          id;
66623 -       struct file_operations          enable;
66624 -       struct file_operations          format;
66625 -       struct file_operations          filter;
66626  };
66627  
66628  static struct ftrace_module_file_ops *
66629 @@ -1342,17 +1338,12 @@ trace_create_file_ops(struct module *mod
66630  
66631         file_ops->mod = mod;
66632  
66633 -       file_ops->id = ftrace_event_id_fops;
66634 -       file_ops->id.owner = mod;
66635 -
66636 -       file_ops->enable = ftrace_enable_fops;
66637 -       file_ops->enable.owner = mod;
66638 -
66639 -       file_ops->filter = ftrace_event_filter_fops;
66640 -       file_ops->filter.owner = mod;
66641 -
66642 -       file_ops->format = ftrace_event_format_fops;
66643 -       file_ops->format.owner = mod;
66644 +       pax_open_kernel();
66645 +       *(void **)&mod->trace_id.owner = mod;
66646 +       *(void **)&mod->trace_enable.owner = mod;
66647 +       *(void **)&mod->trace_filter.owner = mod;
66648 +       *(void **)&mod->trace_format.owner = mod;
66649 +       pax_close_kernel();
66650  
66651         list_add(&file_ops->list, &ftrace_module_file_list);
66652  
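Review bot: The removed lines copied the `ftrace_event_id_fops` template and its three siblings into per-module copies before setting `.owner`; the new lines only write `.owner` into `mod->trace_id` and the three sibling members, so those members must already hold the template fops when `trace_create_file_ops()` runs, which nothing in this hunk shows. A comment naming where `struct module` gains and initialises `trace_id`/`trace_enable`/`trace_filter`/`trace_format` would spare the next reader that search, e.g. `/* mod->trace_* are pre-populated copies of the ftrace_event_*_fops templates; only .owner is per-module */`. The `*(void **)&mod->trace_id.owner = mod;` form writes through a cast that drops whatever qualifier the member carries, which is presumably why the `pax_open_kernel()`/`pax_close_kernel()` window surrounds it; saying in the same comment that the members are read-only after init would explain both the cast and the window. With the four `file_operations` removed from `struct ftrace_module_file_ops` in the previous hunk, the struct now carries only `list` and `mod`, which that comment could mention too.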
66653 @@ -1376,8 +1367,8 @@ static void trace_module_add_events(stru
66654  
66655         for_each_event(call, start, end) {
66656                 __trace_add_event_call(*call, mod,
66657 -                                      &file_ops->id, &file_ops->enable,
66658 -                                      &file_ops->filter, &file_ops->format);
66659 +                                      &mod->trace_id, &mod->trace_enable,
66660 +                                      &mod->trace_filter, &mod->trace_format);
66661         }
66662  }
66663  
66664 diff -urNp linux-3.0.9/kernel/trace/trace_kprobe.c linux-3.0.9/kernel/trace/trace_kprobe.c
66665 --- linux-3.0.9/kernel/trace/trace_kprobe.c     2011-11-11 13:12:24.000000000 -0500
66666 +++ linux-3.0.9/kernel/trace/trace_kprobe.c     2011-11-15 20:03:00.000000000 -0500
66667 @@ -217,7 +217,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66668         long ret;
66669         int maxlen = get_rloc_len(*(u32 *)dest);
66670         u8 *dst = get_rloc_data(dest);
66671 -       u8 *src = addr;
66672 +       const u8 __user *src = (const u8 __force_user *)addr;
66673         mm_segment_t old_fs = get_fs();
66674         if (!maxlen)
66675                 return;
66676 @@ -229,7 +229,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66677         pagefault_disable();
66678         do
66679                 ret = __copy_from_user_inatomic(dst++, src++, 1);
66680 -       while (dst[-1] && ret == 0 && src - (u8 *)addr < maxlen);
66681 +       while (dst[-1] && ret == 0 && src - (const u8 __force_user *)addr < maxlen);
66682         dst[-1] = '\0';
66683         pagefault_enable();
66684         set_fs(old_fs);
66685 @@ -238,7 +238,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66686                 ((u8 *)get_rloc_data(dest))[0] = '\0';
66687                 *(u32 *)dest = make_data_rloc(0, get_rloc_offs(*(u32 *)dest));
66688         } else
66689 -               *(u32 *)dest = make_data_rloc(src - (u8 *)addr,
66690 +               *(u32 *)dest = make_data_rloc(src - (const u8 __force_user *)addr,
66691                                               get_rloc_offs(*(u32 *)dest));
66692  }
66693  /* Return the length of string -- including null terminal byte */
66694 @@ -252,7 +252,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66695         set_fs(KERNEL_DS);
66696         pagefault_disable();
66697         do {
66698 -               ret = __copy_from_user_inatomic(&c, (u8 *)addr + len, 1);
66699 +               ret = __copy_from_user_inatomic(&c, (const u8 __force_user *)addr + len, 1);
66700                 len++;
66701         } while (c && ret == 0 && len < MAX_STRING_SIZE);
66702         pagefault_enable();
66703 diff -urNp linux-3.0.9/kernel/trace/trace_mmiotrace.c linux-3.0.9/kernel/trace/trace_mmiotrace.c
66704 --- linux-3.0.9/kernel/trace/trace_mmiotrace.c  2011-11-11 13:12:24.000000000 -0500
66705 +++ linux-3.0.9/kernel/trace/trace_mmiotrace.c  2011-11-15 20:03:00.000000000 -0500
66706 @@ -24,7 +24,7 @@ struct header_iter {
66707  static struct trace_array *mmio_trace_array;
66708  static bool overrun_detected;
66709  static unsigned long prev_overruns;
66710 -static atomic_t dropped_count;
66711 +static atomic_unchecked_t dropped_count;
66712  
66713  static void mmio_reset_data(struct trace_array *tr)
66714  {
66715 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
66716  
66717  static unsigned long count_overruns(struct trace_iterator *iter)
66718  {
66719 -       unsigned long cnt = atomic_xchg(&dropped_count, 0);
66720 +       unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
66721         unsigned long over = ring_buffer_overruns(iter->tr->buffer);
66722  
66723         if (over > prev_overruns)
66724 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct 
66725         event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
66726                                           sizeof(*entry), 0, pc);
66727         if (!event) {
66728 -               atomic_inc(&dropped_count);
66729 +               atomic_inc_unchecked(&dropped_count);
66730                 return;
66731         }
66732         entry   = ring_buffer_event_data(event);
66733 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
66734         event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
66735                                           sizeof(*entry), 0, pc);
66736         if (!event) {
66737 -               atomic_inc(&dropped_count);
66738 +               atomic_inc_unchecked(&dropped_count);
66739                 return;
66740         }
66741         entry   = ring_buffer_event_data(event);
66742 diff -urNp linux-3.0.9/kernel/trace/trace_output.c linux-3.0.9/kernel/trace/trace_output.c
66743 --- linux-3.0.9/kernel/trace/trace_output.c     2011-11-11 13:12:24.000000000 -0500
66744 +++ linux-3.0.9/kernel/trace/trace_output.c     2011-11-15 20:03:00.000000000 -0500
66745 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s, 
66746  
66747         p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
66748         if (!IS_ERR(p)) {
66749 -               p = mangle_path(s->buffer + s->len, p, "\n");
66750 +               p = mangle_path(s->buffer + s->len, p, "\n\\");
66751                 if (p) {
66752                         s->len = p - s->buffer;
66753                         return 1;
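Review bot: Adding `\\` to the escape set handed to `mangle_path()` means a literal backslash in a path component is itself escaped, so the `\n` escape the original already emitted can no longer be imitated by a file name containing the two characters `\` and `n`; that reasoning is not visible in a one-character change and deserves a comment, e.g. `/* escape '\\' too so a literal backslash in a name is distinguishable from the '\n' escape */`. trace_seq_path starts before this hunk.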
66754 diff -urNp linux-3.0.9/kernel/trace/trace_stack.c linux-3.0.9/kernel/trace/trace_stack.c
66755 --- linux-3.0.9/kernel/trace/trace_stack.c      2011-11-11 13:12:24.000000000 -0500
66756 +++ linux-3.0.9/kernel/trace/trace_stack.c      2011-11-15 20:03:00.000000000 -0500
66757 @@ -50,7 +50,7 @@ static inline void check_stack(void)
66758                 return;
66759  
66760         /* we do not handle interrupt stacks yet */
66761 -       if (!object_is_on_stack(&this_size))
66762 +       if (!object_starts_on_stack(&this_size))
66763                 return;
66764  
66765         local_irq_save(flags);
66766 diff -urNp linux-3.0.9/kernel/trace/trace_workqueue.c linux-3.0.9/kernel/trace/trace_workqueue.c
66767 --- linux-3.0.9/kernel/trace/trace_workqueue.c  2011-11-11 13:12:24.000000000 -0500
66768 +++ linux-3.0.9/kernel/trace/trace_workqueue.c  2011-11-15 20:03:00.000000000 -0500
66769 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
66770         int                         cpu;
66771         pid_t                       pid;
66772  /* Can be inserted from interrupt or user context, need to be atomic */
66773 -       atomic_t                    inserted;
66774 +       atomic_unchecked_t          inserted;
66775  /*
66776   *  Don't need to be atomic, works are serialized in a single workqueue thread
66777   *  on a single CPU.
66778 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
66779         spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
66780         list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
66781                 if (node->pid == wq_thread->pid) {
66782 -                       atomic_inc(&node->inserted);
66783 +                       atomic_inc_unchecked(&node->inserted);
66784                         goto found;
66785                 }
66786         }
66787 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
66788                 tsk = get_pid_task(pid, PIDTYPE_PID);
66789                 if (tsk) {
66790                         seq_printf(s, "%3d %6d     %6u       %s\n", cws->cpu,
66791 -                                  atomic_read(&cws->inserted), cws->executed,
66792 +                                  atomic_read_unchecked(&cws->inserted), cws->executed,
66793                                    tsk->comm);
66794                         put_task_struct(tsk);
66795                 }
66796 diff -urNp linux-3.0.9/lib/bitmap.c linux-3.0.9/lib/bitmap.c
66797 --- linux-3.0.9/lib/bitmap.c    2011-11-11 13:12:24.000000000 -0500
66798 +++ linux-3.0.9/lib/bitmap.c    2011-11-15 20:03:00.000000000 -0500
66799 @@ -421,7 +421,7 @@ int __bitmap_parse(const char *buf, unsi
66800  {
66801         int c, old_c, totaldigits, ndigits, nchunks, nbits;
66802         u32 chunk;
66803 -       const char __user *ubuf = buf;
66804 +       const char __user *ubuf = (const char __force_user *)buf;
66805  
66806         bitmap_zero(maskp, nmaskbits);
66807  
66808 @@ -506,7 +506,7 @@ int bitmap_parse_user(const char __user 
66809  {
66810         if (!access_ok(VERIFY_READ, ubuf, ulen))
66811                 return -EFAULT;
66812 -       return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
66813 +       return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
66814  }
66815  EXPORT_SYMBOL(bitmap_parse_user);
66816  
66817 @@ -596,7 +596,7 @@ static int __bitmap_parselist(const char
66818  {
66819         unsigned a, b;
66820         int c, old_c, totaldigits;
66821 -       const char __user *ubuf = buf;
66822 +       const char __user *ubuf = (const char __force_user *)buf;
66823         int exp_digit, in_range;
66824  
66825         totaldigits = c = 0;
66826 @@ -696,7 +696,7 @@ int bitmap_parselist_user(const char __u
66827  {
66828         if (!access_ok(VERIFY_READ, ubuf, ulen))
66829                 return -EFAULT;
66830 -       return __bitmap_parselist((const char *)ubuf,
66831 +       return __bitmap_parselist((const char __force_kernel *)ubuf,
66832                                         ulen, 1, maskp, nmaskbits);
66833  }
66834  EXPORT_SYMBOL(bitmap_parselist_user);
66835 diff -urNp linux-3.0.9/lib/bug.c linux-3.0.9/lib/bug.c
66836 --- linux-3.0.9/lib/bug.c       2011-11-11 13:12:24.000000000 -0500
66837 +++ linux-3.0.9/lib/bug.c       2011-11-15 20:03:00.000000000 -0500
66838 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
66839                 return BUG_TRAP_TYPE_NONE;
66840  
66841         bug = find_bug(bugaddr);
66842 +       if (!bug)
66843 +               return BUG_TRAP_TYPE_NONE;
66844  
66845         file = NULL;
66846         line = 0;
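Review bot: The early `return BUG_TRAP_TYPE_NONE` when `find_bug()` yields NULL changes what the caller sees for a trap address with no `__bug_table` entry: the remainder of report_bug (outside this hunk) appears to tolerate `bug == NULL` already, so the added return is a behaviour change rather than a null-dereference fix — the trap handler is now told the instruction was not a BUG at all and takes its ordinary path. If that reclassification is the intent, a comment should say so, e.g. `/* no __bug_table entry: not one of ours, let the trap handler treat it as a plain fault */`; if not, the original flow should be kept. report_bug begins before this hunk.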
66847 diff -urNp linux-3.0.9/lib/debugobjects.c linux-3.0.9/lib/debugobjects.c
66848 --- linux-3.0.9/lib/debugobjects.c      2011-11-11 13:12:24.000000000 -0500
66849 +++ linux-3.0.9/lib/debugobjects.c      2011-11-15 20:03:00.000000000 -0500
66850 @@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
66851         if (limit > 4)
66852                 return;
66853  
66854 -       is_on_stack = object_is_on_stack(addr);
66855 +       is_on_stack = object_starts_on_stack(addr);
66856         if (is_on_stack == onstack)
66857                 return;
66858  
66859 diff -urNp linux-3.0.9/lib/devres.c linux-3.0.9/lib/devres.c
66860 --- linux-3.0.9/lib/devres.c    2011-11-11 13:12:24.000000000 -0500
66861 +++ linux-3.0.9/lib/devres.c    2011-11-15 20:03:00.000000000 -0500
66862 @@ -81,7 +81,7 @@ void devm_iounmap(struct device *dev, vo
66863  {
66864         iounmap(addr);
66865         WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
66866 -                              (void *)addr));
66867 +                              (void __force *)addr));
66868  }
66869  EXPORT_SYMBOL(devm_iounmap);
66870  
66871 @@ -141,7 +141,7 @@ void devm_ioport_unmap(struct device *de
66872  {
66873         ioport_unmap(addr);
66874         WARN_ON(devres_destroy(dev, devm_ioport_map_release,
66875 -                              devm_ioport_map_match, (void *)addr));
66876 +                              devm_ioport_map_match, (void __force *)addr));
66877  }
66878  EXPORT_SYMBOL(devm_ioport_unmap);
66879  
66880 diff -urNp linux-3.0.9/lib/dma-debug.c linux-3.0.9/lib/dma-debug.c
66881 --- linux-3.0.9/lib/dma-debug.c 2011-11-11 13:12:24.000000000 -0500
66882 +++ linux-3.0.9/lib/dma-debug.c 2011-11-15 20:03:00.000000000 -0500
66883 @@ -870,7 +870,7 @@ out:
66884  
66885  static void check_for_stack(struct device *dev, void *addr)
66886  {
66887 -       if (object_is_on_stack(addr))
66888 +       if (object_starts_on_stack(addr))
66889                 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
66890                                 "stack [addr=%p]\n", addr);
66891  }
66892 diff -urNp linux-3.0.9/lib/extable.c linux-3.0.9/lib/extable.c
66893 --- linux-3.0.9/lib/extable.c   2011-11-11 13:12:24.000000000 -0500
66894 +++ linux-3.0.9/lib/extable.c   2011-11-15 20:03:00.000000000 -0500
66895 @@ -13,6 +13,7 @@
66896  #include <linux/init.h>
66897  #include <linux/sort.h>
66898  #include <asm/uaccess.h>
66899 +#include <asm/pgtable.h>
66900  
66901  #ifndef ARCH_HAS_SORT_EXTABLE
66902  /*
66903 @@ -36,8 +37,10 @@ static int cmp_ex(const void *a, const v
66904  void sort_extable(struct exception_table_entry *start,
66905                   struct exception_table_entry *finish)
66906  {
66907 +       pax_open_kernel();
66908         sort(start, finish - start, sizeof(struct exception_table_entry),
66909              cmp_ex, NULL);
66910 +       pax_close_kernel();
66911  }
66912  
66913  #ifdef CONFIG_MODULES
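Review bot: `pax_open_kernel()`/`pax_close_kernel()` now bracket the whole `sort()`, including every `cmp_ex()` callback, which is the minimum needed if the exception table is read-only after KERNEXEC, but nothing in the hunk says so; a comment such as `/* the exception table is read-only under KERNEXEC; open a write window for the in-place sort */` would explain both the window and the new `<asm/pgtable.h>` include in the previous hunk. If an arch provides its own `sort_extable` (the `ARCH_HAS_SORT_EXTABLE` branch visible at the top of the file) it presumably needs the same treatment, which is outside this hunk.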
66914 diff -urNp linux-3.0.9/lib/inflate.c linux-3.0.9/lib/inflate.c
66915 --- linux-3.0.9/lib/inflate.c   2011-11-11 13:12:24.000000000 -0500
66916 +++ linux-3.0.9/lib/inflate.c   2011-11-15 20:03:00.000000000 -0500
66917 @@ -269,7 +269,7 @@ static void free(void *where)
66918                 malloc_ptr = free_mem_ptr;
66919  }
66920  #else
66921 -#define malloc(a) kmalloc(a, GFP_KERNEL)
66922 +#define malloc(a) kmalloc((a), GFP_KERNEL)
66923  #define free(a) kfree(a)
66924  #endif
66925  
66926 diff -urNp linux-3.0.9/lib/Kconfig.debug linux-3.0.9/lib/Kconfig.debug
66927 --- linux-3.0.9/lib/Kconfig.debug       2011-11-11 13:12:24.000000000 -0500
66928 +++ linux-3.0.9/lib/Kconfig.debug       2011-11-15 20:03:00.000000000 -0500
66929 @@ -1088,6 +1088,7 @@ config LATENCYTOP
66930         depends on DEBUG_KERNEL
66931         depends on STACKTRACE_SUPPORT
66932         depends on PROC_FS
66933 +       depends on !GRKERNSEC_HIDESYM
66934         select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
66935         select KALLSYMS
66936         select KALLSYMS_ALL
66937 diff -urNp linux-3.0.9/lib/kref.c linux-3.0.9/lib/kref.c
66938 --- linux-3.0.9/lib/kref.c      2011-11-11 13:12:24.000000000 -0500
66939 +++ linux-3.0.9/lib/kref.c      2011-11-15 20:03:00.000000000 -0500
66940 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
66941   */
66942  int kref_put(struct kref *kref, void (*release)(struct kref *kref))
66943  {
66944 -       WARN_ON(release == NULL);
66945 +       BUG_ON(release == NULL);
66946         WARN_ON(release == (void (*)(struct kref *))kfree);
66947  
66948         if (atomic_dec_and_test(&kref->refcount)) {
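Review bot: Replacing `WARN_ON(release == NULL)` with `BUG_ON` turns a caller bug that previously produced a warning and, presumably, an indirect call through NULL once the refcount dropped to zero into an immediate panic on the `kref_put()` path; since that is a deliberate hardening choice, a comment saying why the stricter failure mode is wanted (`/* a NULL release would be an indirect call through NULL; fail loudly instead */`) would stop a future reader from "fixing" it back. The check one line down still uses `WARN_ON` for the `kfree` case, so the two adjacent checks now have different severities, which the same comment could justify. kref_put continues after this hunk.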
66949 diff -urNp linux-3.0.9/lib/radix-tree.c linux-3.0.9/lib/radix-tree.c
66950 --- linux-3.0.9/lib/radix-tree.c        2011-11-11 13:12:24.000000000 -0500
66951 +++ linux-3.0.9/lib/radix-tree.c        2011-11-15 20:03:00.000000000 -0500
66952 @@ -80,7 +80,7 @@ struct radix_tree_preload {
66953         int nr;
66954         struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
66955  };
66956 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
66957 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
66958  
66959  static inline void *ptr_to_indirect(void *ptr)
66960  {
66961 diff -urNp linux-3.0.9/lib/vsprintf.c linux-3.0.9/lib/vsprintf.c
66962 --- linux-3.0.9/lib/vsprintf.c  2011-11-11 13:12:24.000000000 -0500
66963 +++ linux-3.0.9/lib/vsprintf.c  2011-11-15 20:03:00.000000000 -0500
66964 @@ -16,6 +16,9 @@
66965   * - scnprintf and vscnprintf
66966   */
66967  
66968 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66969 +#define __INCLUDED_BY_HIDESYM 1
66970 +#endif
66971  #include <stdarg.h>
66972  #include <linux/module.h>
66973  #include <linux/types.h>
66974 @@ -435,7 +438,7 @@ char *symbol_string(char *buf, char *end
66975         char sym[KSYM_SYMBOL_LEN];
66976         if (ext == 'B')
66977                 sprint_backtrace(sym, value);
66978 -       else if (ext != 'f' && ext != 's')
66979 +       else if (ext != 'f' && ext != 's' && ext != 'a')
66980                 sprint_symbol(sym, value);
66981         else
66982                 kallsyms_lookup(value, NULL, NULL, NULL, sym);
66983 @@ -799,7 +802,11 @@ char *uuid_string(char *buf, char *end, 
66984         return string(buf, end, uuid, spec);
66985  }
66986  
66987 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66988 +int kptr_restrict __read_mostly = 2;
66989 +#else
66990  int kptr_restrict __read_mostly;
66991 +#endif
66992  
66993  /*
66994   * Show a '%p' thing.  A kernel extension is that the '%p' is followed
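Review bot: Defaulting `kptr_restrict` to 2 under CONFIG_GRKERNSEC_HIDESYM only sets the boot-time value; the variable is still the one behind the `kernel.kptr_restrict` sysctl, so unless the sysctl handler is also constrained elsewhere in this patch (not visible here) it can be lowered at runtime, which may or may not be the intended policy. A comment stating whether the value is meant to be sticky, e.g. `/* HIDESYM: %pK hides kernel pointers from everyone by default; the sysctl decides whether this can be lowered */`, would make the intent clear to whoever maintains the sysctl side.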
66995 @@ -813,6 +820,8 @@ int kptr_restrict __read_mostly;
66996   * - 'S' For symbolic direct pointers with offset
66997   * - 's' For symbolic direct pointers without offset
66998   * - 'B' For backtraced symbolic direct pointers with offset
66999 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
67000 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
67001   * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
67002   * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
67003   * - 'M' For a 6-byte MAC address, it prints the address in the
67004 @@ -857,12 +866,12 @@ char *pointer(const char *fmt, char *buf
67005  {
67006         if (!ptr && *fmt != 'K') {
67007                 /*
67008 -                * Print (null) with the same width as a pointer so it makes
67009 +                * Print (nil) with the same width as a pointer so it makes
67010                  * tabular output look nice.
67011                  */
67012                 if (spec.field_width == -1)
67013                         spec.field_width = 2 * sizeof(void *);
67014 -               return string(buf, end, "(null)", spec);
67015 +               return string(buf, end, "(nil)", spec);
67016         }
67017  
67018         switch (*fmt) {
67019 @@ -872,6 +881,13 @@ char *pointer(const char *fmt, char *buf
67020                 /* Fallthrough */
67021         case 'S':
67022         case 's':
67023 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67024 +               break;
67025 +#else
67026 +               return symbol_string(buf, end, ptr, spec, *fmt);
67027 +#endif
67028 +       case 'A':
67029 +       case 'a':
67030         case 'B':
67031                 return symbol_string(buf, end, ptr, spec, *fmt);
67032         case 'R':
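Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `break;` for 'S'/'s' leaves the switch instead of returning, so what `%pS`/`%ps` actually print is decided by the code after the switch, outside this hunk; if that tail formats `ptr` as a plain hex address, the symbolic formats would disclose exactly the text address whose name HIDESYM withholds, so the intended output should be stated in a comment at the `break`, e.g. `/* HIDESYM: fall out to the generic pointer path below, which must not print the raw address */`. The `/* Fallthrough */` at the top of the hunk now lands on an `#ifdef` whose two branches end in `break` and `return` respectively, so the label itself stays accurate. 'A'/'a' share the `symbol_string()` path with 'B' and therefore bypass the HIDESYM gate by design; the new comment lines further up describe them as "approved" uses, which a comment here could cross-reference. pointer() begins before this hunk and ends after it.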
67033 @@ -1631,11 +1647,11 @@ int bstr_printf(char *buf, size_t size, 
67034         typeof(type) value;                                             \
67035         if (sizeof(type) == 8) {                                        \
67036                 args = PTR_ALIGN(args, sizeof(u32));                    \
67037 -               *(u32 *)&value = *(u32 *)args;                          \
67038 -               *((u32 *)&value + 1) = *(u32 *)(args + 4);              \
67039 +               *(u32 *)&value = *(const u32 *)args;                    \
67040 +               *((u32 *)&value + 1) = *(const u32 *)(args + 4);        \
67041         } else {                                                        \
67042                 args = PTR_ALIGN(args, sizeof(type));                   \
67043 -               value = *(typeof(type) *)args;                          \
67044 +               value = *(const typeof(type) *)args;                    \
67045         }                                                               \
67046         args += sizeof(type);                                           \
67047         value;                                                          \
67048 @@ -1698,7 +1714,7 @@ int bstr_printf(char *buf, size_t size, 
67049                 case FORMAT_TYPE_STR: {
67050                         const char *str_arg = args;
67051                         args += strlen(str_arg) + 1;
67052 -                       str = string(str, end, (char *)str_arg, spec);
67053 +                       str = string(str, end, str_arg, spec);
67054                         break;
67055                 }
67056  
67057 diff -urNp linux-3.0.9/localversion-grsec linux-3.0.9/localversion-grsec
67058 --- linux-3.0.9/localversion-grsec      1969-12-31 19:00:00.000000000 -0500
67059 +++ linux-3.0.9/localversion-grsec      2011-11-15 20:03:00.000000000 -0500
67060 @@ -0,0 +1 @@
67061 +-grsec
67062 diff -urNp linux-3.0.9/Makefile linux-3.0.9/Makefile
67063 --- linux-3.0.9/Makefile        2011-11-11 13:12:24.000000000 -0500
67064 +++ linux-3.0.9/Makefile        2011-11-15 20:03:00.000000000 -0500
67065 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
67066  
67067  HOSTCC       = gcc
67068  HOSTCXX      = g++
67069 -HOSTCFLAGS   = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
67070 -HOSTCXXFLAGS = -O2
67071 +HOSTCFLAGS   = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
67072 +HOSTCFLAGS  += $(call cc-option, -Wno-empty-body)
67073 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
67074  
67075  # Decide whether to build built-in, modular, or both.
67076  # Normally, just do built-in.
67077 @@ -365,10 +366,12 @@ LINUXINCLUDE    := -I$(srctree)/arch/$(h
67078  KBUILD_CPPFLAGS := -D__KERNEL__
67079  
67080  KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
67081 +                  -W -Wno-unused-parameter -Wno-missing-field-initializers \
67082                    -fno-strict-aliasing -fno-common \
67083                    -Werror-implicit-function-declaration \
67084                    -Wno-format-security \
67085                    -fno-delete-null-pointer-checks
67086 +KBUILD_CFLAGS   += $(call cc-option, -Wno-empty-body)
67087  KBUILD_AFLAGS_KERNEL :=
67088  KBUILD_CFLAGS_KERNEL :=
67089  KBUILD_AFLAGS   := -D__ASSEMBLY__
67090 @@ -407,8 +410,8 @@ export RCS_TAR_IGNORE := --exclude SCCS 
67091  # Rules shared between *config targets and build targets
67092  
67093  # Basic helpers built in scripts/
67094 -PHONY += scripts_basic
67095 -scripts_basic:
67096 +PHONY += scripts_basic gcc-plugins
67097 +scripts_basic: gcc-plugins
67098         $(Q)$(MAKE) $(build)=scripts/basic
67099         $(Q)rm -f .tmp_quiet_recordmcount
67100  
67101 @@ -564,6 +567,36 @@ else
67102  KBUILD_CFLAGS  += -O2
67103  endif
67104  
67105 +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
67106 +CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
67107 +ifdef CONFIG_PAX_MEMORY_STACKLEAK
67108 +STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
67109 +endif
67110 +ifdef CONFIG_KALLOCSTAT_PLUGIN
67111 +KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
67112 +endif
67113 +ifdef CONFIG_PAX_KERNEXEC_PLUGIN
67114 +KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
67115 +endif
67116 +ifdef CONFIG_CHECKER_PLUGIN
67117 +ifeq ($(call cc-ifversion, -ge, 0406, y), y)
67118 +CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
67119 +endif
67120 +endif
67121 +GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
67122 +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
67123 +gcc-plugins:
67124 +       $(Q)$(MAKE) $(build)=tools/gcc
67125 +else
67126 +gcc-plugins:
67127 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
67128 +       $(error Your gcc installation does not support plugins.  If the necessary headers for plugin support are missing, they should be installed.  On Debian, apt-get install gcc-<ver>-plugin-dev.))
67129 +else
67130 +       $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
67131 +endif
67132 +       $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
67133 +endif
67134 +
67135  include $(srctree)/arch/$(SRCARCH)/Makefile
67136  
67137  ifneq ($(CONFIG_FRAME_WARN),0)
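Review bot: `KALLOCSTAT_PLUGIN` is folded into `GCC_PLUGINS` but omitted from the `export` line directly below, while the other four plugin variables are exported; any sub-make that reads the individual variables (presumably tools/gcc) will see it empty, so the line should read `export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KALLOCSTAT_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN`. The `$(error ...)` in the fallback branch ends in `plugin-dev.))`, one `)` more than closes the function call, so a stray parenthesis ends up in the message text. The `CHECKER_PLUGIN` block additionally gates on gcc 4.6 while the outer test only establishes plugin support; that is fine, but a comment on the nested version gate would save a reader from assuming the two checks are redundant.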
67138 @@ -708,7 +741,7 @@ export mod_strip_cmd
67139  
67140  
67141  ifeq ($(KBUILD_EXTMOD),)
67142 -core-y         += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
67143 +core-y         += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
67144  
67145  vmlinux-dirs   := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
67146                      $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
67147 @@ -932,6 +965,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-mai
67148  
67149  # The actual objects are generated when descending, 
67150  # make sure no implicit rule kicks in
67151 +$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS)
67152  $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
67153  
67154  # Handle descending into subdirectories listed in $(vmlinux-dirs)
67155 @@ -941,7 +975,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) 
67156  # Error messages still appears in the original language
67157  
67158  PHONY += $(vmlinux-dirs)
67159 -$(vmlinux-dirs): prepare scripts
67160 +$(vmlinux-dirs): gcc-plugins prepare scripts
67161         $(Q)$(MAKE) $(build)=$@
67162  
67163  # Store (new) KERNELRELASE string in include/config/kernel.release
67164 @@ -986,6 +1020,7 @@ prepare0: archprepare FORCE
67165         $(Q)$(MAKE) $(build)=. missing-syscalls
67166  
67167  # All the preparing..
67168 +prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
67169  prepare: prepare0
67170  
67171  # Generate some files
67172 @@ -1087,6 +1122,7 @@ all: modules
67173  #      using awk while concatenating to the final file.
67174  
67175  PHONY += modules
67176 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
67177  modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
67178         $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
67179         @$(kecho) '  Building modules, stage 2.';
67180 @@ -1102,7 +1138,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
67181  
67182  # Target to prepare building external modules
67183  PHONY += modules_prepare
67184 -modules_prepare: prepare scripts
67185 +modules_prepare: gcc-plugins prepare scripts
67186  
67187  # Target to install modules
67188  PHONY += modules_install
67189 @@ -1198,7 +1234,7 @@ distclean: mrproper
67190         @find $(srctree) $(RCS_FIND_IGNORE) \
67191                 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
67192                 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
67193 -               -o -name '.*.rej' -o -size 0 \
67194 +               -o -name '.*.rej' -o -name '*.so' -o -size 0 \
67195                 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
67196                 -type f -print | xargs rm -f
67197  
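Review bot: The new `-name '*.so'` clause makes `distclean` delete every shared object anywhere under `$(srctree)`, not just the plugin outputs, while in an `O=` build the plugins sit under `$(objtree)/tools/gcc` and this `find` never reaches them. Scope the match to the plugin directory, e.g. `-o \( -path '*/tools/gcc/*' -name '*.so' \)`, or better let the `tools/gcc` Makefile (outside this view) declare its products in `clean-files` so the normal clean machinery handles them. Whether anything else in the tree legitimately carries a `.so` I cannot tell from here, but a pattern this broad inside a `rm -f` deserves a narrower match.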
67198 @@ -1359,6 +1395,7 @@ PHONY += $(module-dirs) modules
67199  $(module-dirs): crmodverdir $(objtree)/Module.symvers
67200         $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
67201  
67202 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
67203  modules: $(module-dirs)
67204         @$(kecho) '  Building modules, stage 2.';
67205         $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
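Review bot: In the external-module path `modules` now appends `$(GCC_PLUGINS)` to `KBUILD_CFLAGS`, but unlike `modules_prepare` and the in-tree `$(vmlinux-dirs)` rule nothing here depends on `gcc-plugins`, so `-fplugin=$(objtree)/tools/gcc/*.so` is passed to every compile whether or not those files exist. A tree whose plugins were never built, or were removed by the `*.so` clause this patch adds to `distclean`, then fails on each object with an unresolvable plugin path instead of the explanatory error the `gcc-plugins` rule prints. Adding the prerequisite keeps the two paths consistent: `modules: gcc-plugins $(module-dirs)`; the `gcc-plugins` rule appears to be defined outside the `KBUILD_EXTMOD` conditional, so it should be reachable here, but please confirm.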
67206 @@ -1485,17 +1522,19 @@ else
67207          target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
67208  endif
67209  
67210 -%.s: %.c prepare scripts FORCE
67211 +%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
67212 +%.s: %.c gcc-plugins prepare scripts FORCE
67213         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67214  %.i: %.c prepare scripts FORCE
67215         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67216 -%.o: %.c prepare scripts FORCE
67217 +%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
67218 +%.o: %.c gcc-plugins prepare scripts FORCE
67219         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67220  %.lst: %.c prepare scripts FORCE
67221         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67222 -%.s: %.S prepare scripts FORCE
67223 +%.s: %.S gcc-plugins prepare scripts FORCE
67224         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67225 -%.o: %.S prepare scripts FORCE
67226 +%.o: %.S gcc-plugins prepare scripts FORCE
67227         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67228  %.symtypes: %.c prepare scripts FORCE
67229         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
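Review bot: `%.i`, `%.lst` and `%.symtypes` still build without the `gcc-plugins` prerequisite and without `$(GCC_PLUGINS)` in `KBUILD_CFLAGS`, while the neighbouring `%.s` and `%.o` rules receive both. Since `CHECKER_PLUGIN` carries `-DCHECKER_PLUGIN` (first hunk of this Makefile, which starts outside this view), `make foo.i` now preprocesses with a different macro set than `make foo.o` compiles, which defeats the usual use of `.i` files for diagnosing plugin-related build failures. Give the three rules the same treatment, e.g. `%.i: KBUILD_CFLAGS += $(GCC_PLUGINS)` followed by `%.i: %.c gcc-plugins prepare scripts FORCE`, and likewise for `%.lst` and `%.symtypes`.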
67230 @@ -1505,11 +1544,13 @@ endif
67231         $(cmd_crmodverdir)
67232         $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
67233         $(build)=$(build-dir)
67234 -%/: prepare scripts FORCE
67235 +%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
67236 +%/: gcc-plugins prepare scripts FORCE
67237         $(cmd_crmodverdir)
67238         $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
67239         $(build)=$(build-dir)
67240 -%.ko: prepare scripts FORCE
67241 +%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
67242 +%.ko: gcc-plugins prepare scripts FORCE
67243         $(cmd_crmodverdir)
67244         $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1)   \
67245         $(build)=$(build-dir) $(@:.ko=.o)
67246 diff -urNp linux-3.0.9/mm/filemap.c linux-3.0.9/mm/filemap.c
67247 --- linux-3.0.9/mm/filemap.c    2011-11-11 13:12:24.000000000 -0500
67248 +++ linux-3.0.9/mm/filemap.c    2011-11-15 20:03:00.000000000 -0500
67249 @@ -1763,7 +1763,7 @@ int generic_file_mmap(struct file * file
67250         struct address_space *mapping = file->f_mapping;
67251  
67252         if (!mapping->a_ops->readpage)
67253 -               return -ENOEXEC;
67254 +               return -ENODEV;
67255         file_accessed(file);
67256         vma->vm_ops = &generic_file_vm_ops;
67257         vma->vm_flags |= VM_CAN_NONLINEAR;
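Review bot: The error returned by `generic_file_mmap` when the address space has no `readpage` changes from `-ENOEXEC` to `-ENODEV`, a user-visible errno change, and the hunk records no reason for it. If the intent is to report the value POSIX documents for mmap on a file type that cannot be mapped, say so at the site: `/* PaX: mmap(2) of a file we cannot page in is ENODEV, not ENOEXEC */`. Whether any in-tree caller keys on the old value I cannot tell from here; the enclosing function starts outside this hunk.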
67258 @@ -2169,6 +2169,7 @@ inline int generic_write_checks(struct f
67259                          *pos = i_size_read(inode);
67260  
67261                 if (limit != RLIM_INFINITY) {
67262 +                       gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
67263                         if (*pos >= limit) {
67264                                 send_sig(SIGXFSZ, current, 0);
67265                                 return -EFBIG;
67266 diff -urNp linux-3.0.9/mm/fremap.c linux-3.0.9/mm/fremap.c
67267 --- linux-3.0.9/mm/fremap.c     2011-11-11 13:12:24.000000000 -0500
67268 +++ linux-3.0.9/mm/fremap.c     2011-11-15 20:03:00.000000000 -0500
67269 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
67270   retry:
67271         vma = find_vma(mm, start);
67272  
67273 +#ifdef CONFIG_PAX_SEGMEXEC
67274 +       if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
67275 +               goto out;
67276 +#endif
67277 +
67278         /*
67279          * Make sure the vma is shared, that it supports prefaulting,
67280          * and that the remapped range is valid and fully within
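Review bot: The early `goto out` for a `VM_MAYEXEC` mapping under `MF_PAX_SEGMEXEC` returns whatever `err` holds at that point, which is set before this hunk (the enclosing `remap_file_pages` starts outside it) and is presumably `-EINVAL`, and the reader gets no hint why nonlinear mappings are refused for executable areas. Add a why-comment above the check, e.g. `/* PaX: a nonlinear pte layout cannot be kept in sync with the SEGMEXEC mirror, so refuse it on anything that may become executable */` if that is the constraint, or whatever the real reason is. Note that `vma == NULL` still falls through to the existing validation below, which looks intentional.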
67281 diff -urNp linux-3.0.9/mm/highmem.c linux-3.0.9/mm/highmem.c
67282 --- linux-3.0.9/mm/highmem.c    2011-11-11 13:12:24.000000000 -0500
67283 +++ linux-3.0.9/mm/highmem.c    2011-11-15 20:03:00.000000000 -0500
67284 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
67285                  * So no dangers, even with speculative execution.
67286                  */
67287                 page = pte_page(pkmap_page_table[i]);
67288 +               pax_open_kernel();
67289                 pte_clear(&init_mm, (unsigned long)page_address(page),
67290                           &pkmap_page_table[i]);
67291 -
67292 +               pax_close_kernel();
67293                 set_page_address(page, NULL);
67294                 need_flush = 1;
67295         }
67296 @@ -186,9 +187,11 @@ start:
67297                 }
67298         }
67299         vaddr = PKMAP_ADDR(last_pkmap_nr);
67300 +
67301 +       pax_open_kernel();
67302         set_pte_at(&init_mm, vaddr,
67303                    &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
67304 -
67305 +       pax_close_kernel();
67306         pkmap_count[last_pkmap_nr] = 1;
67307         set_page_address(page, (void *)vaddr);
67308  
67309 diff -urNp linux-3.0.9/mm/huge_memory.c linux-3.0.9/mm/huge_memory.c
67310 --- linux-3.0.9/mm/huge_memory.c        2011-11-11 13:12:24.000000000 -0500
67311 +++ linux-3.0.9/mm/huge_memory.c        2011-11-15 20:03:00.000000000 -0500
67312 @@ -702,7 +702,7 @@ out:
67313          * run pte_offset_map on the pmd, if an huge pmd could
67314          * materialize from under us from a different thread.
67315          */
67316 -       if (unlikely(__pte_alloc(mm, vma, pmd, address)))
67317 +       if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
67318                 return VM_FAULT_OOM;
67319         /* if an huge pmd materialized from under us just retry later */
67320         if (unlikely(pmd_trans_huge(*pmd)))
67321 diff -urNp linux-3.0.9/mm/hugetlb.c linux-3.0.9/mm/hugetlb.c
67322 --- linux-3.0.9/mm/hugetlb.c    2011-11-11 13:12:24.000000000 -0500
67323 +++ linux-3.0.9/mm/hugetlb.c    2011-11-15 20:03:00.000000000 -0500
67324 @@ -2339,6 +2339,27 @@ static int unmap_ref_private(struct mm_s
67325         return 1;
67326  }
67327  
67328 +#ifdef CONFIG_PAX_SEGMEXEC
67329 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
67330 +{
67331 +       struct mm_struct *mm = vma->vm_mm;
67332 +       struct vm_area_struct *vma_m;
67333 +       unsigned long address_m;
67334 +       pte_t *ptep_m;
67335 +
67336 +       vma_m = pax_find_mirror_vma(vma);
67337 +       if (!vma_m)
67338 +               return;
67339 +
67340 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67341 +       address_m = address + SEGMEXEC_TASK_SIZE;
67342 +       ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
67343 +       get_page(page_m);
67344 +       hugepage_add_anon_rmap(page_m, vma_m, address_m);
67345 +       set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
67346 +}
67347 +#endif
67348 +
67349  /*
67350   * Hugetlb_cow() should be called with page lock of the original hugepage held.
67351   */
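Review bot: `huge_pte_offset(mm, address_m & HPAGE_MASK)` returns NULL when no page table exists for the mirror address, and `ptep_m` is passed to `set_huge_pte_at` without a check. The callers in this file appear to rely on `hugetlb_fault` (a later hunk) having called `huge_pte_alloc` for `address_m` first, but that invariant is not stated and `hugetlb_cow` has no guard of its own. Make it explicit: `BUG_ON(!ptep_m); /* hugetlb_fault() pre-allocates the mirror's page table */`. Using `HPAGE_MASK` here while the fault path sizes the allocation with `huge_page_size(h)` is only safe while the architectures that enable SEGMEXEC have a single huge page size; a comment saying so would prevent a future surprise.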
67352 @@ -2440,6 +2461,11 @@ retry_avoidcopy:
67353                                 make_huge_pte(vma, new_page, 1));
67354                 page_remove_rmap(old_page);
67355                 hugepage_add_new_anon_rmap(new_page, vma, address);
67356 +
67357 +#ifdef CONFIG_PAX_SEGMEXEC
67358 +               pax_mirror_huge_pte(vma, address, new_page);
67359 +#endif
67360 +
67361                 /* Make the old page be freed below */
67362                 new_page = old_page;
67363                 mmu_notifier_invalidate_range_end(mm,
67364 @@ -2591,6 +2617,10 @@ retry:
67365                                 && (vma->vm_flags & VM_SHARED)));
67366         set_huge_pte_at(mm, address, ptep, new_pte);
67367  
67368 +#ifdef CONFIG_PAX_SEGMEXEC
67369 +       pax_mirror_huge_pte(vma, address, page);
67370 +#endif
67371 +
67372         if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
67373                 /* Optimization, do the COW without a second fault */
67374                 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
67375 @@ -2620,6 +2650,10 @@ int hugetlb_fault(struct mm_struct *mm, 
67376         static DEFINE_MUTEX(hugetlb_instantiation_mutex);
67377         struct hstate *h = hstate_vma(vma);
67378  
67379 +#ifdef CONFIG_PAX_SEGMEXEC
67380 +       struct vm_area_struct *vma_m;
67381 +#endif
67382 +
67383         ptep = huge_pte_offset(mm, address);
67384         if (ptep) {
67385                 entry = huge_ptep_get(ptep);
67386 @@ -2631,6 +2665,26 @@ int hugetlb_fault(struct mm_struct *mm, 
67387                                VM_FAULT_SET_HINDEX(h - hstates);
67388         }
67389  
67390 +#ifdef CONFIG_PAX_SEGMEXEC
67391 +       vma_m = pax_find_mirror_vma(vma);
67392 +       if (vma_m) {
67393 +               unsigned long address_m;
67394 +
67395 +               if (vma->vm_start > vma_m->vm_start) {
67396 +                       address_m = address;
67397 +                       address -= SEGMEXEC_TASK_SIZE;
67398 +                       vma = vma_m;
67399 +                       h = hstate_vma(vma);
67400 +               } else
67401 +                       address_m = address + SEGMEXEC_TASK_SIZE;
67402 +
67403 +               if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
67404 +                       return VM_FAULT_OOM;
67405 +               address_m &= HPAGE_MASK;
67406 +               unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
67407 +       }
67408 +#endif
67409 +
67410         ptep = huge_pte_alloc(mm, address, huge_page_size(h));
67411         if (!ptep)
67412                 return VM_FAULT_OOM;
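Review bot: The mirror range is computed with `HPAGE_MASK`/`HPAGE_SIZE` while the page table for it is allocated with `huge_page_size(h)`, and `h` is recomputed after the branch that swaps `vma` for `vma_m` whereas the unmap range is not. Using the hstate consistently removes the dependence on a single huge page size: `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);`. `unmap_hugepage_range` is also handed the lower `vma` with an address range that lies in the mirror; if that works because the callee only uses `vma->vm_mm` and the hstate (I cannot see its body from here), a one-line comment would spare the next reader the same trace.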
67413 diff -urNp linux-3.0.9/mm/internal.h linux-3.0.9/mm/internal.h
67414 --- linux-3.0.9/mm/internal.h   2011-11-11 13:12:24.000000000 -0500
67415 +++ linux-3.0.9/mm/internal.h   2011-11-15 20:03:00.000000000 -0500
67416 @@ -95,6 +95,7 @@ extern void putback_lru_page(struct page
67417   * in mm/page_alloc.c
67418   */
67419  extern void __free_pages_bootmem(struct page *page, unsigned int order);
67420 +extern void free_compound_page(struct page *page);
67421  extern void prep_compound_page(struct page *page, unsigned long order);
67422  #ifdef CONFIG_MEMORY_FAILURE
67423  extern bool is_free_buddy_page(struct page *page);
67424 diff -urNp linux-3.0.9/mm/Kconfig linux-3.0.9/mm/Kconfig
67425 --- linux-3.0.9/mm/Kconfig      2011-11-11 13:12:24.000000000 -0500
67426 +++ linux-3.0.9/mm/Kconfig      2011-11-15 20:03:00.000000000 -0500
67427 @@ -240,7 +240,7 @@ config KSM
67428  config DEFAULT_MMAP_MIN_ADDR
67429          int "Low address space to protect from user allocation"
67430         depends on MMU
67431 -        default 4096
67432 +        default 65536
67433          help
67434           This is the portion of low virtual memory which should be protected
67435           from userspace allocation.  Keeping a user from writing to low pages
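Review bot: The default for `DEFAULT_MMAP_MIN_ADDR` jumps from 4096 to 65536 without any change to the help text, whose visible lines only state the general purpose of the option. The upstream help text below (outside the hunk) presumably still carries the old guidance on which architectures tolerate 65536 and which applications need the low pages, and with the higher default that guidance should sit next to the new value, e.g. a help line such as `The default of 65536 protects the whole first 64 KiB, which blocks the common NULL-dereference exploitation technique; lower it only for vm86 or other legacy users that must map this range.` if that is the rationale. Please also confirm the value is acceptable for every architecture this kernel builds for.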
67436 diff -urNp linux-3.0.9/mm/kmemleak.c linux-3.0.9/mm/kmemleak.c
67437 --- linux-3.0.9/mm/kmemleak.c   2011-11-11 13:12:24.000000000 -0500
67438 +++ linux-3.0.9/mm/kmemleak.c   2011-11-15 20:03:00.000000000 -0500
67439 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
67440  
67441         for (i = 0; i < object->trace_len; i++) {
67442                 void *ptr = (void *)object->trace[i];
67443 -               seq_printf(seq, "    [<%p>] %pS\n", ptr, ptr);
67444 +               seq_printf(seq, "    [<%p>] %pA\n", ptr, ptr);
67445         }
67446  }
67447  
67448 diff -urNp linux-3.0.9/mm/maccess.c linux-3.0.9/mm/maccess.c
67449 --- linux-3.0.9/mm/maccess.c    2011-11-11 13:12:24.000000000 -0500
67450 +++ linux-3.0.9/mm/maccess.c    2011-11-15 20:03:00.000000000 -0500
67451 @@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, cons
67452         set_fs(KERNEL_DS);
67453         pagefault_disable();
67454         ret = __copy_from_user_inatomic(dst,
67455 -                       (__force const void __user *)src, size);
67456 +                       (const void __force_user *)src, size);
67457         pagefault_enable();
67458         set_fs(old_fs);
67459  
67460 @@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, con
67461  
67462         set_fs(KERNEL_DS);
67463         pagefault_disable();
67464 -       ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
67465 +       ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
67466         pagefault_enable();
67467         set_fs(old_fs);
67468  
67469 diff -urNp linux-3.0.9/mm/madvise.c linux-3.0.9/mm/madvise.c
67470 --- linux-3.0.9/mm/madvise.c    2011-11-11 13:12:24.000000000 -0500
67471 +++ linux-3.0.9/mm/madvise.c    2011-11-15 20:03:00.000000000 -0500
67472 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
67473         pgoff_t pgoff;
67474         unsigned long new_flags = vma->vm_flags;
67475  
67476 +#ifdef CONFIG_PAX_SEGMEXEC
67477 +       struct vm_area_struct *vma_m;
67478 +#endif
67479 +
67480         switch (behavior) {
67481         case MADV_NORMAL:
67482                 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
67483 @@ -110,6 +114,13 @@ success:
67484         /*
67485          * vm_flags is protected by the mmap_sem held in write mode.
67486          */
67487 +
67488 +#ifdef CONFIG_PAX_SEGMEXEC
67489 +       vma_m = pax_find_mirror_vma(vma);
67490 +       if (vma_m)
67491 +               vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
67492 +#endif
67493 +
67494         vma->vm_flags = new_flags;
67495  
67496  out:
67497 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
67498                              struct vm_area_struct ** prev,
67499                              unsigned long start, unsigned long end)
67500  {
67501 +
67502 +#ifdef CONFIG_PAX_SEGMEXEC
67503 +       struct vm_area_struct *vma_m;
67504 +#endif
67505 +
67506         *prev = vma;
67507         if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
67508                 return -EINVAL;
67509 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
67510                 zap_page_range(vma, start, end - start, &details);
67511         } else
67512                 zap_page_range(vma, start, end - start, NULL);
67513 +
67514 +#ifdef CONFIG_PAX_SEGMEXEC
67515 +       vma_m = pax_find_mirror_vma(vma);
67516 +       if (vma_m) {
67517 +               if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
67518 +                       struct zap_details details = {
67519 +                               .nonlinear_vma = vma_m,
67520 +                               .last_index = ULONG_MAX,
67521 +                       };
67522 +                       zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
67523 +               } else
67524 +                       zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
67525 +       }
67526 +#endif
67527 +
67528         return 0;
67529  }
67530  
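Review bot: Both `zap_page_range` calls for the mirror pass the lower `vma` together with an address range `SEGMEXEC_TASK_SIZE` above it, so the callee has to walk forward from `vma` until it reaches `vma_m`; that only works because of how `unmap_vmas` iterates, and a reader who does not know that will take it for a bug. If nothing prevents it, pass the mirror directly, `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, &details);` and likewise for the non-`VM_NONLINEAR` call; if there is a reason to keep `vma`, state it in a comment above the block. The bounds are not re-checked against `vma_m`, which is presumably fine because the mirror is a same-sized copy, but that too deserves a line.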
67531 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, 
67532         if (end < start)
67533                 goto out;
67534  
67535 +#ifdef CONFIG_PAX_SEGMEXEC
67536 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
67537 +               if (end > SEGMEXEC_TASK_SIZE)
67538 +                       goto out;
67539 +       } else
67540 +#endif
67541 +
67542 +       if (end > TASK_SIZE)
67543 +               goto out;
67544 +
67545         error = 0;
67546         if (end == start)
67547                 goto out;
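Review bot: The `else` that closes the `#ifdef CONFIG_PAX_SEGMEXEC` block binds to the `if (end > TASK_SIZE)` that follows an `#endif` and a blank line, so the two bound checks form one statement only by accident of layout; anyone inserting a line between them, or bracing one side, silently changes which check runs. Compute the limit first and test once, as below; the `limit` declaration belongs with the locals at the top of `sys_madvise`, outside this hunk, and is shown inline only for brevity.
```c
	/* PaX: under SEGMEXEC the usable address space ends at SEGMEXEC_TASK_SIZE */
	unsigned long limit = TASK_SIZE;

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		limit = SEGMEXEC_TASK_SIZE;
#endif

	if (end > limit)
		goto out;
	/* … unchanged: error = 0; end == start check … */
```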
67548 diff -urNp linux-3.0.9/mm/memory.c linux-3.0.9/mm/memory.c
67549 --- linux-3.0.9/mm/memory.c     2011-11-11 13:12:24.000000000 -0500
67550 +++ linux-3.0.9/mm/memory.c     2011-11-15 20:03:00.000000000 -0500
67551 @@ -457,8 +457,12 @@ static inline void free_pmd_range(struct
67552                 return;
67553  
67554         pmd = pmd_offset(pud, start);
67555 +
67556 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
67557         pud_clear(pud);
67558         pmd_free_tlb(tlb, pmd, start);
67559 +#endif
67560 +
67561  }
67562  
67563  static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
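Review bot: With `CONFIG_PAX_PER_CPU_PGD` on 32-bit x86 the `pud_clear`/`pmd_free_tlb` pair is compiled out, so `free_pmd_range` computes `pmd` and then returns without releasing it, and nothing says who frees that table instead. If the per-CPU PGD scheme keeps pmd tables for the lifetime of the mm and frees them from the pgd teardown path (my guess; that code is not visible here), record it at the `#if`: `/* PaX: per-CPU PGDs keep pmd tables for the mm's lifetime; they are released with the pgd */`. In that configuration `pmd` is also assigned and never used, which GCC 4.6 flags as set-but-unused; moving the `pmd_offset` call inside the `#if`, as the pud hunk below already does for `pud`, avoids the warning.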
67564 @@ -489,9 +493,12 @@ static inline void free_pud_range(struct
67565         if (end - 1 > ceiling - 1)
67566                 return;
67567  
67568 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
67569         pud = pud_offset(pgd, start);
67570         pgd_clear(pgd);
67571         pud_free_tlb(tlb, pud, start);
67572 +#endif
67573 +
67574  }
67575  
67576  /*
67577 @@ -1577,12 +1584,6 @@ no_page_table:
67578         return page;
67579  }
67580  
67581 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
67582 -{
67583 -       return stack_guard_page_start(vma, addr) ||
67584 -              stack_guard_page_end(vma, addr+PAGE_SIZE);
67585 -}
67586 -
67587  /**
67588   * __get_user_pages() - pin user pages in memory
67589   * @tsk:       task_struct of target task
67590 @@ -1655,10 +1656,10 @@ int __get_user_pages(struct task_struct 
67591                         (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
67592         i = 0;
67593  
67594 -       do {
67595 +       while (nr_pages) {
67596                 struct vm_area_struct *vma;
67597  
67598 -               vma = find_extend_vma(mm, start);
67599 +               vma = find_vma(mm, start);
67600                 if (!vma && in_gate_area(mm, start)) {
67601                         unsigned long pg = start & PAGE_MASK;
67602                         pgd_t *pgd;
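Review bot: Replacing `find_extend_vma` with `find_vma` means `__get_user_pages` no longer grows a `VM_GROWSDOWN` stack on the caller's behalf, and together with the `start < vma->vm_start` test added in the next hunk an access just below the current stack bottom now returns `-EFAULT` where it previously expanded the mapping. That affects ptrace/`access_process_vm` writes below the stack and any driver pinning not-yet-faulted stack pages; it is plausibly the intent (growth only through a real fault) but it is a behaviour change callers cannot see. State it at the lookup: `/* PaX: never extend the stack from GUP; only a real fault may grow a VM_GROWSDOWN vma */`. The loop's tail is in a later hunk and the function's prologue is outside this one.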
67603 @@ -1706,7 +1707,7 @@ int __get_user_pages(struct task_struct 
67604                         goto next_page;
67605                 }
67606  
67607 -               if (!vma ||
67608 +               if (!vma || start < vma->vm_start ||
67609                     (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
67610                     !(vm_flags & vma->vm_flags))
67611                         return i ? : -EFAULT;
67612 @@ -1733,11 +1734,6 @@ int __get_user_pages(struct task_struct 
67613                                 int ret;
67614                                 unsigned int fault_flags = 0;
67615  
67616 -                               /* For mlock, just skip the stack guard page. */
67617 -                               if (foll_flags & FOLL_MLOCK) {
67618 -                                       if (stack_guard_page(vma, start))
67619 -                                               goto next_page;
67620 -                               }
67621                                 if (foll_flags & FOLL_WRITE)
67622                                         fault_flags |= FAULT_FLAG_WRITE;
67623                                 if (nonblocking)
67624 @@ -1811,7 +1807,7 @@ next_page:
67625                         start += PAGE_SIZE;
67626                         nr_pages--;
67627                 } while (nr_pages && start < vma->vm_end);
67628 -       } while (nr_pages);
67629 +       }
67630         return i;
67631  }
67632  EXPORT_SYMBOL(__get_user_pages);
67633 @@ -2018,6 +2014,10 @@ static int insert_page(struct vm_area_st
67634         page_add_file_rmap(page);
67635         set_pte_at(mm, addr, pte, mk_pte(page, prot));
67636  
67637 +#ifdef CONFIG_PAX_SEGMEXEC
67638 +       pax_mirror_file_pte(vma, addr, page, ptl);
67639 +#endif
67640 +
67641         retval = 0;
67642         pte_unmap_unlock(pte, ptl);
67643         return retval;
67644 @@ -2052,10 +2052,22 @@ out:
67645  int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
67646                         struct page *page)
67647  {
67648 +
67649 +#ifdef CONFIG_PAX_SEGMEXEC
67650 +       struct vm_area_struct *vma_m;
67651 +#endif
67652 +
67653         if (addr < vma->vm_start || addr >= vma->vm_end)
67654                 return -EFAULT;
67655         if (!page_count(page))
67656                 return -EINVAL;
67657 +
67658 +#ifdef CONFIG_PAX_SEGMEXEC
67659 +       vma_m = pax_find_mirror_vma(vma);
67660 +       if (vma_m)
67661 +               vma_m->vm_flags |= VM_INSERTPAGE;
67662 +#endif
67663 +
67664         vma->vm_flags |= VM_INSERTPAGE;
67665         return insert_page(vma, addr, page, vma->vm_page_prot);
67666  }
67667 @@ -2141,6 +2153,7 @@ int vm_insert_mixed(struct vm_area_struc
67668                         unsigned long pfn)
67669  {
67670         BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
67671 +       BUG_ON(vma->vm_mirror);
67672  
67673         if (addr < vma->vm_start || addr >= vma->vm_end)
67674                 return -EFAULT;
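Review bot: `BUG_ON(vma->vm_mirror);` is the only SEGMEXEC-related line in this file's hunks not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`; `vm_insert_page` directly above guards its mirror handling and goes through `pax_find_mirror_vma`. Unless `vm_mirror` is declared in `vm_area_struct` unconditionally (I cannot see the header from here) this fails to compile on every configuration without SEGMEXEC, and even if it is, the asymmetry invites the same slip elsewhere. Either wrap it, or use the helper the rest of the file uses inside the `#ifdef`: `BUG_ON(pax_find_mirror_vma(vma));`.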
67675 @@ -2456,6 +2469,186 @@ static inline void cow_user_page(struct 
67676                 copy_user_highpage(dst, src, va, vma);
67677  }
67678  
67679 +#ifdef CONFIG_PAX_SEGMEXEC
67680 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
67681 +{
67682 +       struct mm_struct *mm = vma->vm_mm;
67683 +       spinlock_t *ptl;
67684 +       pte_t *pte, entry;
67685 +
67686 +       pte = pte_offset_map_lock(mm, pmd, address, &ptl);
67687 +       entry = *pte;
67688 +       if (!pte_present(entry)) {
67689 +               if (!pte_none(entry)) {
67690 +                       BUG_ON(pte_file(entry));
67691 +                       free_swap_and_cache(pte_to_swp_entry(entry));
67692 +                       pte_clear_not_present_full(mm, address, pte, 0);
67693 +               }
67694 +       } else {
67695 +               struct page *page;
67696 +
67697 +               flush_cache_page(vma, address, pte_pfn(entry));
67698 +               entry = ptep_clear_flush(vma, address, pte);
67699 +               BUG_ON(pte_dirty(entry));
67700 +               page = vm_normal_page(vma, address, entry);
67701 +               if (page) {
67702 +                       update_hiwater_rss(mm);
67703 +                       if (PageAnon(page))
67704 +                               dec_mm_counter_fast(mm, MM_ANONPAGES);
67705 +                       else
67706 +                               dec_mm_counter_fast(mm, MM_FILEPAGES);
67707 +                       page_remove_rmap(page);
67708 +                       page_cache_release(page);
67709 +               }
67710 +       }
67711 +       pte_unmap_unlock(pte, ptl);
67712 +}
67713 +
67714 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
67715 + *
67716 + * the ptl of the lower mapped page is held on entry and is not released on exit
67717 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
67718 + */
67719 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67720 +{
67721 +       struct mm_struct *mm = vma->vm_mm;
67722 +       unsigned long address_m;
67723 +       spinlock_t *ptl_m;
67724 +       struct vm_area_struct *vma_m;
67725 +       pmd_t *pmd_m;
67726 +       pte_t *pte_m, entry_m;
67727 +
67728 +       BUG_ON(!page_m || !PageAnon(page_m));
67729 +
67730 +       vma_m = pax_find_mirror_vma(vma);
67731 +       if (!vma_m)
67732 +               return;
67733 +
67734 +       BUG_ON(!PageLocked(page_m));
67735 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67736 +       address_m = address + SEGMEXEC_TASK_SIZE;
67737 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67738 +       pte_m = pte_offset_map(pmd_m, address_m);
67739 +       ptl_m = pte_lockptr(mm, pmd_m);
67740 +       if (ptl != ptl_m) {
67741 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67742 +               if (!pte_none(*pte_m))
67743 +                       goto out;
67744 +       }
67745 +
67746 +       entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67747 +       page_cache_get(page_m);
67748 +       page_add_anon_rmap(page_m, vma_m, address_m);
67749 +       inc_mm_counter_fast(mm, MM_ANONPAGES);
67750 +       set_pte_at(mm, address_m, pte_m, entry_m);
67751 +       update_mmu_cache(vma_m, address_m, entry_m);
67752 +out:
67753 +       if (ptl != ptl_m)
67754 +               spin_unlock(ptl_m);
67755 +       pte_unmap(pte_m);
67756 +       unlock_page(page_m);
67757 +}
67758 +
67759 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67760 +{
67761 +       struct mm_struct *mm = vma->vm_mm;
67762 +       unsigned long address_m;
67763 +       spinlock_t *ptl_m;
67764 +       struct vm_area_struct *vma_m;
67765 +       pmd_t *pmd_m;
67766 +       pte_t *pte_m, entry_m;
67767 +
67768 +       BUG_ON(!page_m || PageAnon(page_m));
67769 +
67770 +       vma_m = pax_find_mirror_vma(vma);
67771 +       if (!vma_m)
67772 +               return;
67773 +
67774 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67775 +       address_m = address + SEGMEXEC_TASK_SIZE;
67776 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67777 +       pte_m = pte_offset_map(pmd_m, address_m);
67778 +       ptl_m = pte_lockptr(mm, pmd_m);
67779 +       if (ptl != ptl_m) {
67780 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67781 +               if (!pte_none(*pte_m))
67782 +                       goto out;
67783 +       }
67784 +
67785 +       entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67786 +       page_cache_get(page_m);
67787 +       page_add_file_rmap(page_m);
67788 +       inc_mm_counter_fast(mm, MM_FILEPAGES);
67789 +       set_pte_at(mm, address_m, pte_m, entry_m);
67790 +       update_mmu_cache(vma_m, address_m, entry_m);
67791 +out:
67792 +       if (ptl != ptl_m)
67793 +               spin_unlock(ptl_m);
67794 +       pte_unmap(pte_m);
67795 +}
67796 +
67797 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
67798 +{
67799 +       struct mm_struct *mm = vma->vm_mm;
67800 +       unsigned long address_m;
67801 +       spinlock_t *ptl_m;
67802 +       struct vm_area_struct *vma_m;
67803 +       pmd_t *pmd_m;
67804 +       pte_t *pte_m, entry_m;
67805 +
67806 +       vma_m = pax_find_mirror_vma(vma);
67807 +       if (!vma_m)
67808 +               return;
67809 +
67810 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67811 +       address_m = address + SEGMEXEC_TASK_SIZE;
67812 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67813 +       pte_m = pte_offset_map(pmd_m, address_m);
67814 +       ptl_m = pte_lockptr(mm, pmd_m);
67815 +       if (ptl != ptl_m) {
67816 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67817 +               if (!pte_none(*pte_m))
67818 +                       goto out;
67819 +       }
67820 +
67821 +       entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
67822 +       set_pte_at(mm, address_m, pte_m, entry_m);
67823 +out:
67824 +       if (ptl != ptl_m)
67825 +               spin_unlock(ptl_m);
67826 +       pte_unmap(pte_m);
67827 +}
67828 +
67829 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
67830 +{
67831 +       struct page *page_m;
67832 +       pte_t entry;
67833 +
67834 +       if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
67835 +               goto out;
67836 +
67837 +       entry = *pte;
67838 +       page_m  = vm_normal_page(vma, address, entry);
67839 +       if (!page_m)
67840 +               pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
67841 +       else if (PageAnon(page_m)) {
67842 +               if (pax_find_mirror_vma(vma)) {
67843 +                       pte_unmap_unlock(pte, ptl);
67844 +                       lock_page(page_m);
67845 +                       pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
67846 +                       if (pte_same(entry, *pte))
67847 +                               pax_mirror_anon_pte(vma, address, page_m, ptl);
67848 +                       else
67849 +                               unlock_page(page_m);
67850 +               }
67851 +       } else
67852 +               pax_mirror_file_pte(vma, address, page_m, ptl);
67853 +
67854 +out:
67855 +       pte_unmap_unlock(pte, ptl);
67856 +}
67857 +#endif
67858 +
67859  /*
67860   * This routine handles present pages, when users try to write
67861   * to a shared page. It is done by copying the page to a new address
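Review bot: `pax_mirror_anon_pte` ends with `unlock_page(page_m)` but returns before touching the page lock when `pax_find_mirror_vma` yields NULL, while `pax_mirror_file_pte` and `pax_mirror_pfn_pte` never touch it; so the three siblings have different lock hand-off contracts and only the ptl comment above `pax_mirror_anon_pte` documents anything, with `pax_mirror_pte` compensating by locking the anon page itself and unlocking on the `pte_same` failure path. Document the contract at the function: `/* if vma has a mirror, page_m must be locked by the caller and is unlocked here on every path; without a mirror the page lock is not touched */`. Separately, when `ptl == ptl_m` (no split ptlocks) the `pte_none(*pte_m)` check is skipped entirely, so the code relies on the mirror pte having been cleared earlier under the same lock while the lower pte stayed unchanged; that invariant is established by `pax_unmap_mirror_pte` callers outside this hunk and deserves a sentence next to the `if (ptl != ptl_m)` test in all three helpers.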
67862 @@ -2667,6 +2860,12 @@ gotten:
67863          */
67864         page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67865         if (likely(pte_same(*page_table, orig_pte))) {
67866 +
67867 +#ifdef CONFIG_PAX_SEGMEXEC
67868 +               if (pax_find_mirror_vma(vma))
67869 +                       BUG_ON(!trylock_page(new_page));
67870 +#endif
67871 +
67872                 if (old_page) {
67873                         if (!PageAnon(old_page)) {
67874                                 dec_mm_counter_fast(mm, MM_FILEPAGES);
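Review bot: `BUG_ON(!trylock_page(new_page))` hides a lock acquisition inside an assertion macro, which kernel style discourages because neither a reader nor tooling that looks for lock sites expects side effects in a `BUG_ON` argument. `new_page` was allocated in this function and is not yet visible to anyone else, so the trylock cannot fail; write it as a statement with the assertion separate: `if (pax_find_mirror_vma(vma) && !trylock_page(new_page)) BUG();`. A one-line comment that the page lock is handed to `pax_mirror_anon_pte` a few lines down (same function, continued in the next hunk) would make the pairing obvious.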
67875 @@ -2718,6 +2917,10 @@ gotten:
67876                         page_remove_rmap(old_page);
67877                 }
67878  
67879 +#ifdef CONFIG_PAX_SEGMEXEC
67880 +               pax_mirror_anon_pte(vma, address, new_page, ptl);
67881 +#endif
67882 +
67883                 /* Free the old page.. */
67884                 new_page = old_page;
67885                 ret |= VM_FAULT_WRITE;
67886 @@ -2997,6 +3200,11 @@ static int do_swap_page(struct mm_struct
67887         swap_free(entry);
67888         if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
67889                 try_to_free_swap(page);
67890 +
67891 +#ifdef CONFIG_PAX_SEGMEXEC
67892 +       if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
67893 +#endif
67894 +
67895         unlock_page(page);
67896         if (swapcache) {
67897                 /*
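Review bot: The `#ifdef`'d `if` that conditionally skips `unlock_page(page)` is separated from the statement it controls by an `#endif` and a blank line, and nothing says why the page stays locked: it is held for `pax_mirror_anon_pte` in the next hunk, which unlocks it, while the write-fault path (between the two hunks, not visible here) hands the page to `do_wp_page` and leaves before reaching the mirror call. That cross-hunk dependence belongs in a comment on the spot: `/* PaX: on a read fault into a mirrored vma keep the page locked; pax_mirror_anon_pte() below unlocks it */`. I would also drop the blank line so the condition and the `unlock_page` call read as one statement.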
67898 @@ -3020,6 +3228,11 @@ static int do_swap_page(struct mm_struct
67899  
67900         /* No need to invalidate - it was non-present before */
67901         update_mmu_cache(vma, address, page_table);
67902 +
67903 +#ifdef CONFIG_PAX_SEGMEXEC
67904 +       pax_mirror_anon_pte(vma, address, page, ptl);
67905 +#endif
67906 +
67907  unlock:
67908         pte_unmap_unlock(page_table, ptl);
67909  out:
67910 @@ -3039,40 +3252,6 @@ out_release:
67911  }
67912  
67913  /*
67914 - * This is like a special single-page "expand_{down|up}wards()",
67915 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
67916 - * doesn't hit another vma.
67917 - */
67918 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
67919 -{
67920 -       address &= PAGE_MASK;
67921 -       if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
67922 -               struct vm_area_struct *prev = vma->vm_prev;
67923 -
67924 -               /*
67925 -                * Is there a mapping abutting this one below?
67926 -                *
67927 -                * That's only ok if it's the same stack mapping
67928 -                * that has gotten split..
67929 -                */
67930 -               if (prev && prev->vm_end == address)
67931 -                       return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
67932 -
67933 -               expand_downwards(vma, address - PAGE_SIZE);
67934 -       }
67935 -       if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
67936 -               struct vm_area_struct *next = vma->vm_next;
67937 -
67938 -               /* As VM_GROWSDOWN but s/below/above/ */
67939 -               if (next && next->vm_start == address + PAGE_SIZE)
67940 -                       return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
67941 -
67942 -               expand_upwards(vma, address + PAGE_SIZE);
67943 -       }
67944 -       return 0;
67945 -}
67946 -
67947 -/*
67948   * We enter with non-exclusive mmap_sem (to exclude vma changes,
67949   * but allow concurrent faults), and pte mapped but not yet locked.
67950   * We return with mmap_sem still held, but pte unmapped and unlocked.
67951 @@ -3081,27 +3260,23 @@ static int do_anonymous_page(struct mm_s
67952                 unsigned long address, pte_t *page_table, pmd_t *pmd,
67953                 unsigned int flags)
67954  {
67955 -       struct page *page;
67956 +       struct page *page = NULL;
67957         spinlock_t *ptl;
67958         pte_t entry;
67959  
67960 -       pte_unmap(page_table);
67961 -
67962 -       /* Check if we need to add a guard page to the stack */
67963 -       if (check_stack_guard_page(vma, address) < 0)
67964 -               return VM_FAULT_SIGBUS;
67965 -
67966 -       /* Use the zero-page for reads */
67967         if (!(flags & FAULT_FLAG_WRITE)) {
67968                 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
67969                                                 vma->vm_page_prot));
67970 -               page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67971 +               ptl = pte_lockptr(mm, pmd);
67972 +               spin_lock(ptl);
67973                 if (!pte_none(*page_table))
67974                         goto unlock;
67975                 goto setpte;
67976         }
67977  
67978         /* Allocate our own private page. */
67979 +       pte_unmap(page_table);
67980 +
67981         if (unlikely(anon_vma_prepare(vma)))
67982                 goto oom;
67983         page = alloc_zeroed_user_highpage_movable(vma, address);
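Review bot: The call to check_stack_guard_page() is dropped here (its definition goes in the previous hunk), so a first-touch fault on the lowest page of a VM_GROWSDOWN vma no longer refuses to abut a foreign mapping with VM_FAULT_SIGBUS, and nothing in this hunk takes over that role. The `sysctl_heap_stack_gap` introduced in mm/mmap.c later in this patch suggests the gap is enforced when the stack is expanded or a mapping is placed instead, but that is inference; a one-line comment at the removal site, e.g. `/* no guard-page check here: PaX keeps a heap/stack gap at expand/placement time (see sysctl_heap_stack_gap) */`, would tie the two together. The rest of the read path looks fine: page_table stays mapped and is released by the existing pte_unmap_unlock() at `unlock:`. do_anonymous_page continues outside the hunk.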
67984 @@ -3120,6 +3295,11 @@ static int do_anonymous_page(struct mm_s
67985         if (!pte_none(*page_table))
67986                 goto release;
67987  
67988 +#ifdef CONFIG_PAX_SEGMEXEC
67989 +       if (pax_find_mirror_vma(vma))
67990 +               BUG_ON(!trylock_page(page));
67991 +#endif
67992 +
67993         inc_mm_counter_fast(mm, MM_ANONPAGES);
67994         page_add_new_anon_rmap(page, vma, address);
67995  setpte:
67996 @@ -3127,6 +3307,12 @@ setpte:
67997  
67998         /* No need to invalidate - it was non-present before */
67999         update_mmu_cache(vma, address, page_table);
68000 +
68001 +#ifdef CONFIG_PAX_SEGMEXEC
68002 +       if (page)
68003 +               pax_mirror_anon_pte(vma, address, page, ptl);
68004 +#endif
68005 +
68006  unlock:
68007         pte_unmap_unlock(page_table, ptl);
68008         return 0;
68009 @@ -3264,6 +3450,12 @@ static int __do_fault(struct mm_struct *
68010          */
68011         /* Only go through if we didn't race with anybody else... */
68012         if (likely(pte_same(*page_table, orig_pte))) {
68013 +
68014 +#ifdef CONFIG_PAX_SEGMEXEC
68015 +               if (anon && pax_find_mirror_vma(vma))
68016 +                       BUG_ON(!trylock_page(page));
68017 +#endif
68018 +
68019                 flush_icache_page(vma, page);
68020                 entry = mk_pte(page, vma->vm_page_prot);
68021                 if (flags & FAULT_FLAG_WRITE)
68022 @@ -3283,6 +3475,14 @@ static int __do_fault(struct mm_struct *
68023  
68024                 /* no need to invalidate: a not-present page won't be cached */
68025                 update_mmu_cache(vma, address, page_table);
68026 +
68027 +#ifdef CONFIG_PAX_SEGMEXEC
68028 +               if (anon)
68029 +                       pax_mirror_anon_pte(vma, address, page, ptl);
68030 +               else
68031 +                       pax_mirror_file_pte(vma, address, page, ptl);
68032 +#endif
68033 +
68034         } else {
68035                 if (charged)
68036                         mem_cgroup_uncharge_page(page);
68037 @@ -3430,6 +3630,12 @@ int handle_pte_fault(struct mm_struct *m
68038                 if (flags & FAULT_FLAG_WRITE)
68039                         flush_tlb_fix_spurious_fault(vma, address);
68040         }
68041 +
68042 +#ifdef CONFIG_PAX_SEGMEXEC
68043 +       pax_mirror_pte(vma, address, pte, pmd, ptl);
68044 +       return 0;
68045 +#endif
68046 +
68047  unlock:
68048         pte_unmap_unlock(pte, ptl);
68049         return 0;
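Review bot: The SEGMEXEC `return 0;` after `pax_mirror_pte(vma, address, pte, pmd, ptl);` bypasses the `pte_unmap_unlock(pte, ptl)` under `unlock:`, so pax_mirror_pte() must be the one that drops ptl and unmaps pte on every successful fault; its body is not in this hunk, so I cannot confirm that it does. State the contract at the call site, `/* pax_mirror_pte() unmaps pte and releases ptl */`, so that a future change to either side cannot leave the lock held. handle_pte_fault starts outside this hunk.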
68050 @@ -3446,6 +3652,10 @@ int handle_mm_fault(struct mm_struct *mm
68051         pmd_t *pmd;
68052         pte_t *pte;
68053  
68054 +#ifdef CONFIG_PAX_SEGMEXEC
68055 +       struct vm_area_struct *vma_m;
68056 +#endif
68057 +
68058         __set_current_state(TASK_RUNNING);
68059  
68060         count_vm_event(PGFAULT);
68061 @@ -3457,6 +3667,34 @@ int handle_mm_fault(struct mm_struct *mm
68062         if (unlikely(is_vm_hugetlb_page(vma)))
68063                 return hugetlb_fault(mm, vma, address, flags);
68064  
68065 +#ifdef CONFIG_PAX_SEGMEXEC
68066 +       vma_m = pax_find_mirror_vma(vma);
68067 +       if (vma_m) {
68068 +               unsigned long address_m;
68069 +               pgd_t *pgd_m;
68070 +               pud_t *pud_m;
68071 +               pmd_t *pmd_m;
68072 +
68073 +               if (vma->vm_start > vma_m->vm_start) {
68074 +                       address_m = address;
68075 +                       address -= SEGMEXEC_TASK_SIZE;
68076 +                       vma = vma_m;
68077 +               } else
68078 +                       address_m = address + SEGMEXEC_TASK_SIZE;
68079 +
68080 +               pgd_m = pgd_offset(mm, address_m);
68081 +               pud_m = pud_alloc(mm, pgd_m, address_m);
68082 +               if (!pud_m)
68083 +                       return VM_FAULT_OOM;
68084 +               pmd_m = pmd_alloc(mm, pud_m, address_m);
68085 +               if (!pmd_m)
68086 +                       return VM_FAULT_OOM;
68087 +               if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
68088 +                       return VM_FAULT_OOM;
68089 +               pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
68090 +       }
68091 +#endif
68092 +
68093         pgd = pgd_offset(mm, address);
68094         pud = pud_alloc(mm, pgd, address);
68095         if (!pud)
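Review bot: The mirror page-table walk allocates the pte page under `!pmd_present(*pmd_m)`, whereas the main walk in the next hunk keys on `pmd_none(*pmd)` and then re-checks `pmd_trans_huge(*pmd)` before touching the pte; the two conditions differ for a pmd that is non-empty but not present, and the mirror side has no huge-pmd retry. Unless mirror pmds can never be huge or non-present-but-non-none (I cannot tell from here), align the condition, `if (pmd_none(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))`, and say in a comment why the huge-pmd check is not needed for the mirror. The swap at the top makes `vma`/`address` always refer to the lower-half vma, which the rest of the function silently depends on and which deserves a comment of its own. handle_mm_fault continues outside the hunk.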
68096 @@ -3486,7 +3724,7 @@ int handle_mm_fault(struct mm_struct *mm
68097          * run pte_offset_map on the pmd, if an huge pmd could
68098          * materialize from under us from a different thread.
68099          */
68100 -       if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
68101 +       if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
68102                 return VM_FAULT_OOM;
68103         /* if an huge pmd materialized from under us just retry later */
68104         if (unlikely(pmd_trans_huge(*pmd)))
68105 @@ -3590,7 +3828,7 @@ static int __init gate_vma_init(void)
68106         gate_vma.vm_start = FIXADDR_USER_START;
68107         gate_vma.vm_end = FIXADDR_USER_END;
68108         gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
68109 -       gate_vma.vm_page_prot = __P101;
68110 +       gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
68111         /*
68112          * Make sure the vDSO gets into every core dump.
68113          * Dumping its contents makes post-mortem fully interpretable later
68114 diff -urNp linux-3.0.9/mm/memory-failure.c linux-3.0.9/mm/memory-failure.c
68115 --- linux-3.0.9/mm/memory-failure.c     2011-11-11 13:12:24.000000000 -0500
68116 +++ linux-3.0.9/mm/memory-failure.c     2011-11-15 20:03:00.000000000 -0500
68117 @@ -59,7 +59,7 @@ int sysctl_memory_failure_early_kill __r
68118  
68119  int sysctl_memory_failure_recovery __read_mostly = 1;
68120  
68121 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
68122 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
68123  
68124  #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
68125  
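Review bot: `mce_bad_pages` becomes `atomic_long_unchecked_t` without saying why this counter is exempt from whatever overflow protection the checked atomics get; it is a statistics counter of poisoned pages rather than a reference count, so wrapping it is harmless, but that is the justification a reader needs. Add `/* statistics only, not a refcount: overflow is harmless, so no checked atomic */` next to the declaration; the add/sub sites in the following hunks then follow naturally.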
68126 @@ -200,7 +200,7 @@ static int kill_proc_ao(struct task_stru
68127         si.si_signo = SIGBUS;
68128         si.si_errno = 0;
68129         si.si_code = BUS_MCEERR_AO;
68130 -       si.si_addr = (void *)addr;
68131 +       si.si_addr = (void __user *)addr;
68132  #ifdef __ARCH_SI_TRAPNO
68133         si.si_trapno = trapno;
68134  #endif
68135 @@ -1008,7 +1008,7 @@ int __memory_failure(unsigned long pfn, 
68136         }
68137  
68138         nr_pages = 1 << compound_trans_order(hpage);
68139 -       atomic_long_add(nr_pages, &mce_bad_pages);
68140 +       atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
68141  
68142         /*
68143          * We need/can do nothing about count=0 pages.
68144 @@ -1038,7 +1038,7 @@ int __memory_failure(unsigned long pfn, 
68145                         if (!PageHWPoison(hpage)
68146                             || (hwpoison_filter(p) && TestClearPageHWPoison(p))
68147                             || (p != hpage && TestSetPageHWPoison(hpage))) {
68148 -                               atomic_long_sub(nr_pages, &mce_bad_pages);
68149 +                               atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68150                                 return 0;
68151                         }
68152                         set_page_hwpoison_huge_page(hpage);
68153 @@ -1096,7 +1096,7 @@ int __memory_failure(unsigned long pfn, 
68154         }
68155         if (hwpoison_filter(p)) {
68156                 if (TestClearPageHWPoison(p))
68157 -                       atomic_long_sub(nr_pages, &mce_bad_pages);
68158 +                       atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68159                 unlock_page(hpage);
68160                 put_page(hpage);
68161                 return 0;
68162 @@ -1222,7 +1222,7 @@ int unpoison_memory(unsigned long pfn)
68163                         return 0;
68164                 }
68165                 if (TestClearPageHWPoison(p))
68166 -                       atomic_long_sub(nr_pages, &mce_bad_pages);
68167 +                       atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68168                 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
68169                 return 0;
68170         }
68171 @@ -1236,7 +1236,7 @@ int unpoison_memory(unsigned long pfn)
68172          */
68173         if (TestClearPageHWPoison(page)) {
68174                 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
68175 -               atomic_long_sub(nr_pages, &mce_bad_pages);
68176 +               atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68177                 freeit = 1;
68178                 if (PageHuge(page))
68179                         clear_page_hwpoison_huge_page(page);
68180 @@ -1349,7 +1349,7 @@ static int soft_offline_huge_page(struct
68181         }
68182  done:
68183         if (!PageHWPoison(hpage))
68184 -               atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
68185 +               atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
68186         set_page_hwpoison_huge_page(hpage);
68187         dequeue_hwpoisoned_huge_page(hpage);
68188         /* keep elevated page count for bad page */
68189 @@ -1480,7 +1480,7 @@ int soft_offline_page(struct page *page,
68190                 return ret;
68191  
68192  done:
68193 -       atomic_long_add(1, &mce_bad_pages);
68194 +       atomic_long_add_unchecked(1, &mce_bad_pages);
68195         SetPageHWPoison(page);
68196         /* keep elevated page count for bad page */
68197         return ret;
68198 --- kernel-longterm-3.0.34/mm/mempolicy.c       2012-06-10 23:50:56.908064131 +0300
68199 +++ kernel-longterm-3.0.34/mm/mempolicy.c       2012-06-10 23:50:10.725871821 +0300
68200 @@ -618,6 +618,10 @@
68201         unsigned long vmstart;
68202         unsigned long vmend;
68203  
68204 +#ifdef CONFIG_PAX_SEGMEXEC
68205 +       struct vm_area_struct *vma_m;
68206 +#endif
68207 +
68208         vma = find_vma_prev(mm, start, &prev);
68209         if (!vma || vma->vm_start > start)
68210                 return -EFAULT;
68211 @@ -1095,6 +1099,17 @@
68212  
68213         if (end < start)
68214                 return -EINVAL;
68215 +
68216 +#ifdef CONFIG_PAX_SEGMEXEC
68217 +       if (mm->pax_flags & MF_PAX_SEGMEXEC) {
68218 +               if (end > SEGMEXEC_TASK_SIZE)
68219 +                       return -EINVAL;
68220 +       } else
68221 +#endif
68222 +
68223 +       if (end > TASK_SIZE)
68224 +               return -EINVAL;
68225 +
68226         if (end == start)
68227                 return 0;
68228  
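Review bot: The upper-bound test is an `if ... else` whose `else` sits inside `#ifdef CONFIG_PAX_SEGMEXEC` while the second `if` sits outside it, separated by `#endif` and a blank line; it reads as two unrelated statements and is easy to break. Compute the bound once instead: a local `limit = TASK_SIZE` (declared at the top of the function to keep gnu89 happy), lowered to `SEGMEXEC_TASK_SIZE` inside the `#ifdef` when `mm->pax_flags & MF_PAX_SEGMEXEC`, followed by a single `if (end > limit) return -EINVAL;`. The `end < start` check just above already rules out wraparound, so that is the only additional test needed. do_mbind begins and ends outside the hunk.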
68229 @@ -1322,8 +1337,7 @@
68230         rcu_read_lock();
68231         tcred = __task_cred(task);
68232         if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
68233 -           cred->uid  != tcred->suid && cred->uid  != tcred->uid &&
68234 -           !capable(CAP_SYS_NICE)) {
68235 +           cred->uid  != tcred->suid && !capable(CAP_SYS_NICE)) {
68236                 rcu_read_unlock();
68237                 err = -EPERM;
68238                 goto out;
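Review bot: Dropping only `cred->uid != tcred->uid` makes the rule asymmetric: a caller is still allowed when its real uid equals the target's saved uid, but no longer when it equals the target's real uid, and the comment that precedes this test (outside the hunk, "the same userid as the target process") no longer describes it. If the intent is the ptrace-style rule that the caller's effective uid must match the target's real or saved uid, remove the remaining `cred->uid  != tcred->suid &&` clause too and update that comment; if the saved-uid clause is deliberate, a comment explaining it is needed. The same condition is changed in mm/migrate.c later in this patch and the two should stay identical.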
68239 @@ -2382,6 +2396,16 @@
68240                  */
68241                 if (!nodelist)
68242                         goto out;
68243 +
68244 +#ifdef CONFIG_PAX_SEGMEXEC
68245 +               vma_m = pax_find_mirror_vma(vma);
68246 +               if (vma_m) {
68247 +                       err = policy_vma(vma_m, new_pol);
68248 +                       if (err)
68249 +                               goto out;
68250 +               }
68251 +#endif
68252 +
68253         }
68254  
68255         mode_flags = 0;
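Review bot: This hunk's context (`if (!nodelist) goto out;` closing a `}` followed by `mode_flags = 0;`) looks like the mode-parsing switch of mpol_parse_str(), not the vma loop of mbind_range(); `vma`, `new_pol` and `vma_m` are not in scope there (the `vma_m` declaration added earlier in this file, next to `vmstart`/`vmend`, belongs to a different function), so with CONFIG_PAX_SEGMEXEC this would not compile and without it the mirror vma never receives the policy. The file header shows this file was regenerated against kernel-longterm-3.0.34 rather than linux-3.0.9, which is presumably when the hunk drifted. It belongs right after the `err = policy_vma(vma, new_pol); if (err) goto out;` in mbind_range(); please re-anchor it there, and drop the added declaration if it is left without a user.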
68256 @@ -2453,6 +2477,14 @@
68257         unsigned short mode;
68258         unsigned short flags = pol ? pol->flags : 0;
68259  
68260 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68261 +       if (mm != current->mm &&
68262 +           (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
68263 +               err = -EPERM;
68264 +               goto out;
68265 +       }
68266 +#endif
68267 +
68268         /*
68269          * Sanity check:  room for longest mode, flag and some nodes
68270          */
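Review bot: The context here (`unsigned short flags = pol ? pol->flags : 0;` followed by the "room for longest mode, flag and some nodes" sanity check) looks like mpol_to_str(), which has no `mm`, no `err` and no `out` label, so the added GRKERNSEC_PROC_MEMMAP block would fail to compile in any configuration that enables it. The identical block in mm/migrate.c is anchored after the `if (!mm)` check in the move_pages syscall, and this one presumably belongs at the corresponding point in the migrate_pages syscall after its `mm = get_task_mm(task)`; as with the mirror-policy hunk above, the rebase to 3.0.34 seems to have moved it. Please re-anchor it and build with CONFIG_GRKERNSEC_PROC_MEMMAP=y to confirm.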
68271 diff -urNp linux-3.0.9/mm/migrate.c linux-3.0.9/mm/migrate.c
68272 --- linux-3.0.9/mm/migrate.c    2011-11-11 13:12:24.000000000 -0500
68273 +++ linux-3.0.9/mm/migrate.c    2011-11-15 20:03:00.000000000 -0500
68274 @@ -1124,6 +1124,8 @@ static int do_pages_move(struct mm_struc
68275         unsigned long chunk_start;
68276         int err;
68277  
68278 +       pax_track_stack();
68279 +
68280         task_nodes = cpuset_mems_allowed(task);
68281  
68282         err = -ENOMEM;
68283 @@ -1308,6 +1310,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, 
68284         if (!mm)
68285                 return -EINVAL;
68286  
68287 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68288 +       if (mm != current->mm &&
68289 +           (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
68290 +               err = -EPERM;
68291 +               goto out;
68292 +       }
68293 +#endif
68294 +
68295         /*
68296          * Check if this process has the right to modify the specified
68297          * process. The right exists if the process has administrative
68298 @@ -1317,8 +1327,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, 
68299         rcu_read_lock();
68300         tcred = __task_cred(task);
68301         if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
68302 -           cred->uid  != tcred->suid && cred->uid  != tcred->uid &&
68303 -           !capable(CAP_SYS_NICE)) {
68304 +           cred->uid  != tcred->suid && !capable(CAP_SYS_NICE)) {
68305                 rcu_read_unlock();
68306                 err = -EPERM;
68307                 goto out;
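Review bot: As in mm/mempolicy.c, removing only `cred->uid != tcred->uid` leaves the `cred->uid  != tcred->suid` clause in place, so the rule is neither the old "any uid match" nor a clean effective-uid match, and the comment above the test (outside the hunk) still says "the same userid as the target process". Either drop the remaining real-uid clause too or document why the saved-uid comparison survives, and keep this condition identical to the one in mm/mempolicy.c.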
68308 diff -urNp linux-3.0.9/mm/mlock.c linux-3.0.9/mm/mlock.c
68309 --- linux-3.0.9/mm/mlock.c      2011-11-11 13:12:24.000000000 -0500
68310 +++ linux-3.0.9/mm/mlock.c      2011-11-15 20:03:00.000000000 -0500
68311 @@ -13,6 +13,7 @@
68312  #include <linux/pagemap.h>
68313  #include <linux/mempolicy.h>
68314  #include <linux/syscalls.h>
68315 +#include <linux/security.h>
68316  #include <linux/sched.h>
68317  #include <linux/module.h>
68318  #include <linux/rmap.h>
68319 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
68320                 return -EINVAL;
68321         if (end == start)
68322                 return 0;
68323 +       if (end > TASK_SIZE)
68324 +               return -EINVAL;
68325 +
68326         vma = find_vma_prev(current->mm, start, &prev);
68327         if (!vma || vma->vm_start > start)
68328                 return -ENOMEM;
68329 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
68330         for (nstart = start ; ; ) {
68331                 vm_flags_t newflags;
68332  
68333 +#ifdef CONFIG_PAX_SEGMEXEC
68334 +               if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68335 +                       break;
68336 +#endif
68337 +
68338                 /* Here we know that  vma->vm_start <= nstart < vma->vm_end. */
68339  
68340                 newflags = vma->vm_flags | VM_LOCKED;
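Review bot: The new `break` on the first vma at or above SEGMEXEC_TASK_SIZE leaves `error` at its previous value, so an mlock() range that reaches into the mirror half returns success with only the lower part locked, whereas do_mbind in this same patch rejects such a range with -EINVAL up front. Prefer the same shape here, next to the `end > TASK_SIZE` test in the previous hunk: `if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE) return -EINVAL;`, which also makes the in-loop break unreachable for user ranges. If user-supplied addresses can never reach mirror vmas in the first place, say so in a comment on the break. do_mlock continues outside the hunk.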
68341 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
68342         lock_limit >>= PAGE_SHIFT;
68343  
68344         /* check against resource limits */
68345 +       gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
68346         if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
68347                 error = do_mlock(start, len, 1);
68348         up_write(&current->mm->mmap_sem);
68349 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long, 
68350  static int do_mlockall(int flags)
68351  {
68352         struct vm_area_struct * vma, * prev = NULL;
68353 -       unsigned int def_flags = 0;
68354  
68355         if (flags & MCL_FUTURE)
68356 -               def_flags = VM_LOCKED;
68357 -       current->mm->def_flags = def_flags;
68358 +               current->mm->def_flags |= VM_LOCKED;
68359 +       else
68360 +               current->mm->def_flags &= ~VM_LOCKED;
68361         if (flags == MCL_FUTURE)
68362                 goto out;
68363  
68364         for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
68365                 vm_flags_t newflags;
68366  
68367 +#ifdef CONFIG_PAX_SEGMEXEC
68368 +               if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68369 +                       break;
68370 +#endif
68371 +
68372 +               BUG_ON(vma->vm_end > TASK_SIZE);
68373                 newflags = vma->vm_flags | VM_LOCKED;
68374                 if (!(flags & MCL_CURRENT))
68375                         newflags &= ~VM_LOCKED;
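Review bot: `BUG_ON(vma->vm_end > TASK_SIZE)` in the vma loop turns any inconsistency in the mapping list into a panic reachable from an unprivileged mlockall(); the SEGMEXEC break just above already skips the mirror half, so this is a pure invariant check and `if (WARN_ON_ONCE(vma->vm_end > TASK_SIZE)) break;` would report it without taking the box down. The `def_flags |= VM_LOCKED` / `&= ~VM_LOCKED` change is a real fix (the old assignment dropped every other bit in `mm->def_flags`); a short comment saying so would stop someone restoring the simpler form.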
68376 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
68377         lock_limit >>= PAGE_SHIFT;
68378  
68379         ret = -ENOMEM;
68380 +       gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
68381         if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
68382             capable(CAP_IPC_LOCK))
68383                 ret = do_mlockall(flags);
68384 diff -urNp linux-3.0.9/mm/mmap.c linux-3.0.9/mm/mmap.c
68385 --- linux-3.0.9/mm/mmap.c       2011-11-11 13:12:24.000000000 -0500
68386 +++ linux-3.0.9/mm/mmap.c       2011-11-15 20:03:00.000000000 -0500
68387 @@ -46,6 +46,16 @@
68388  #define arch_rebalance_pgtables(addr, len)             (addr)
68389  #endif
68390  
68391 +static inline void verify_mm_writelocked(struct mm_struct *mm)
68392 +{
68393 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
68394 +       if (unlikely(down_read_trylock(&mm->mmap_sem))) {
68395 +               up_read(&mm->mmap_sem);
68396 +               BUG();
68397 +       }
68398 +#endif
68399 +}
68400 +
68401  static void unmap_region(struct mm_struct *mm,
68402                 struct vm_area_struct *vma, struct vm_area_struct *prev,
68403                 unsigned long start, unsigned long end);
68404 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
68405   *             x: (no) no      x: (no) yes     x: (no) yes     x: (yes) yes
68406   *
68407   */
68408 -pgprot_t protection_map[16] = {
68409 +pgprot_t protection_map[16] __read_only = {
68410         __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
68411         __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
68412  };
68413  
68414 -pgprot_t vm_get_page_prot(unsigned long vm_flags)
68415 +pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
68416  {
68417 -       return __pgprot(pgprot_val(protection_map[vm_flags &
68418 +       pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
68419                                 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
68420                         pgprot_val(arch_vm_get_page_prot(vm_flags)));
68421 +
68422 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68423 +       if (!(__supported_pte_mask & _PAGE_NX) &&
68424 +           (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
68425 +           (vm_flags & (VM_READ | VM_WRITE)))
68426 +               prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
68427 +#endif
68428 +
68429 +       return prot;
68430  }
68431  EXPORT_SYMBOL(vm_get_page_prot);
68432  
68433  int sysctl_overcommit_memory __read_mostly = OVERCOMMIT_GUESS;  /* heuristic overcommit */
68434  int sysctl_overcommit_ratio __read_mostly = 50;        /* default is 50% */
68435  int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
68436 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
68437  /*
68438   * Make sure vm_committed_as in one cacheline and not cacheline shared with
68439   * other variables. It can be updated by several CPUs frequently.
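Review bot: `sysctl_heap_stack_gap` is exported with a 64 KiB default and no comment on its unit, its meaning or where it is enforced (nothing in this hunk uses it); add `/* minimum gap, in bytes, kept between a growing stack and the mapping next to it; tunable via sysctl */`, adjusting the wording to wherever it is actually applied. The x86-32 branch in vm_get_page_prot() likewise deserves a line: it rewrites the protection of a readable or writable, non-executable VM_PAGEEXEC mapping when the CPU has no NX bit, presumably so that PaX can emulate non-executable pages, but `pte_exprotect()` is opaque here and the intent should be stated in place.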
68440 @@ -236,6 +256,7 @@ static struct vm_area_struct *remove_vma
68441         struct vm_area_struct *next = vma->vm_next;
68442  
68443         might_sleep();
68444 +       BUG_ON(vma->vm_mirror);
68445         if (vma->vm_ops && vma->vm_ops->close)
68446                 vma->vm_ops->close(vma);
68447         if (vma->vm_file) {
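Review bot: `BUG_ON(vma->vm_mirror)` is the only SEGMEXEC-related line in this patch that is not under `#ifdef CONFIG_PAX_SEGMEXEC`; unless `vm_mirror` is declared unconditionally in struct vm_area_struct (not visible here) this breaks every non-SEGMEXEC build, and even if it is, wrapping it like its siblings keeps the invariant reviewable in one place. Also say what the invariant is: `/* a mirror is torn down together with its original; no vma may reach here still linked */`.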
68448 @@ -280,6 +301,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
68449          * not page aligned -Ram Gupta
68450          */
68451         rlim = rlimit(RLIMIT_DATA);
68452 +       gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
68453         if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
68454                         (mm->end_data - mm->start_data) > rlim)
68455                 goto out;
68456 @@ -697,6 +719,12 @@ static int
68457  can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
68458         struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68459  {
68460 +
68461 +#ifdef CONFIG_PAX_SEGMEXEC
68462 +       if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
68463 +               return 0;
68464 +#endif
68465 +
68466         if (is_mergeable_vma(vma, file, vm_flags) &&
68467             is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68468                 if (vma->vm_pgoff == vm_pgoff)
68469 @@ -716,6 +744,12 @@ static int
68470  can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
68471         struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68472  {
68473 +
68474 +#ifdef CONFIG_PAX_SEGMEXEC
68475 +       if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
68476 +               return 0;
68477 +#endif
68478 +
68479         if (is_mergeable_vma(vma, file, vm_flags) &&
68480             is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68481                 pgoff_t vm_pglen;
68482 @@ -758,13 +792,20 @@ can_vma_merge_after(struct vm_area_struc
68483  struct vm_area_struct *vma_merge(struct mm_struct *mm,
68484                         struct vm_area_struct *prev, unsigned long addr,
68485                         unsigned long end, unsigned long vm_flags,
68486 -                       struct anon_vma *anon_vma, struct file *file,
68487 +                       struct anon_vma *anon_vma, struct file *file,
68488                         pgoff_t pgoff, struct mempolicy *policy)
68489  {
68490         pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
68491         struct vm_area_struct *area, *next;
68492         int err;
68493  
68494 +#ifdef CONFIG_PAX_SEGMEXEC
68495 +       unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
68496 +       struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
68497 +
68498 +       BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
68499 +#endif
68500 +
68501         /*
68502          * We later require that vma->vm_flags == vm_flags,
68503          * so this tests vma->vm_flags & VM_SPECIAL, too.
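Review bot: `BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end)` relies on every caller of vma_merge() (mmap, mprotect, mremap, brk) having clamped `end` to the lower half for SEGMEXEC mms; that is plausible if TASK_SIZE is redefined for such mms, but it is an unwritten assumption, and `if (WARN_ON_ONCE(...)) return NULL;` would fail closed without a panic. The change to the `anon_vma` parameter line is trailing-whitespace-only and does not belong in a functional patch.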
68504 @@ -780,6 +821,15 @@ struct vm_area_struct *vma_merge(struct 
68505         if (next && next->vm_end == end)                /* cases 6, 7, 8 */
68506                 next = next->vm_next;
68507  
68508 +#ifdef CONFIG_PAX_SEGMEXEC
68509 +       if (prev)
68510 +               prev_m = pax_find_mirror_vma(prev);
68511 +       if (area)
68512 +               area_m = pax_find_mirror_vma(area);
68513 +       if (next)
68514 +               next_m = pax_find_mirror_vma(next);
68515 +#endif
68516 +
68517         /*
68518          * Can it merge with the predecessor?
68519          */
68520 @@ -799,9 +849,24 @@ struct vm_area_struct *vma_merge(struct 
68521                                                         /* cases 1, 6 */
68522                         err = vma_adjust(prev, prev->vm_start,
68523                                 next->vm_end, prev->vm_pgoff, NULL);
68524 -               } else                                  /* cases 2, 5, 7 */
68525 +
68526 +#ifdef CONFIG_PAX_SEGMEXEC
68527 +                       if (!err && prev_m)
68528 +                               err = vma_adjust(prev_m, prev_m->vm_start,
68529 +                                       next_m->vm_end, prev_m->vm_pgoff, NULL);
68530 +#endif
68531 +
68532 +               } else {                                /* cases 2, 5, 7 */
68533                         err = vma_adjust(prev, prev->vm_start,
68534                                 end, prev->vm_pgoff, NULL);
68535 +
68536 +#ifdef CONFIG_PAX_SEGMEXEC
68537 +                       if (!err && prev_m)
68538 +                               err = vma_adjust(prev_m, prev_m->vm_start,
68539 +                                               end_m, prev_m->vm_pgoff, NULL);
68540 +#endif
68541 +
68542 +               }
68543                 if (err)
68544                         return NULL;
68545                 khugepaged_enter_vma_merge(prev);
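Review bot: In both arms the original vma_adjust() has already succeeded before the mirror's vma_adjust() runs; if the second one fails (vma_adjust can return -ENOMEM from anon_vma_clone), vma_merge() returns NULL with `prev` already extended while `prev_m` is not, and the caller will then insert a fresh vma over a range `prev` now covers. Nothing here rolls the first adjustment back. At minimum the assumption that the mirror cannot fail once the original succeeded needs a comment; better, reserve whatever the mirror needs before adjusting the original. The cases 1/6 arm also dereferences `next_m` without checking it, which is only safe if a mirrored `prev` guarantees a mirrored `next`; the same shape is used for cases 3, 4 and 8 in the next hunk.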
68546 @@ -815,12 +880,27 @@ struct vm_area_struct *vma_merge(struct 
68547                         mpol_equal(policy, vma_policy(next)) &&
68548                         can_vma_merge_before(next, vm_flags,
68549                                         anon_vma, file, pgoff+pglen)) {
68550 -               if (prev && addr < prev->vm_end)        /* case 4 */
68551 +               if (prev && addr < prev->vm_end) {      /* case 4 */
68552                         err = vma_adjust(prev, prev->vm_start,
68553                                 addr, prev->vm_pgoff, NULL);
68554 -               else                                    /* cases 3, 8 */
68555 +
68556 +#ifdef CONFIG_PAX_SEGMEXEC
68557 +                       if (!err && prev_m)
68558 +                               err = vma_adjust(prev_m, prev_m->vm_start,
68559 +                                               addr_m, prev_m->vm_pgoff, NULL);
68560 +#endif
68561 +
68562 +               } else {                                /* cases 3, 8 */
68563                         err = vma_adjust(area, addr, next->vm_end,
68564                                 next->vm_pgoff - pglen, NULL);
68565 +
68566 +#ifdef CONFIG_PAX_SEGMEXEC
68567 +                       if (!err && area_m)
68568 +                               err = vma_adjust(area_m, addr_m, next_m->vm_end,
68569 +                                               next_m->vm_pgoff - pglen, NULL);
68570 +#endif
68571 +
68572 +               }
68573                 if (err)
68574                         return NULL;
68575                 khugepaged_enter_vma_merge(area);
68576 @@ -929,14 +1009,11 @@ none:
68577  void vm_stat_account(struct mm_struct *mm, unsigned long flags,
68578                                                 struct file *file, long pages)
68579  {
68580 -       const unsigned long stack_flags
68581 -               = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
68582 -
68583         if (file) {
68584                 mm->shared_vm += pages;
68585                 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
68586                         mm->exec_vm += pages;
68587 -       } else if (flags & stack_flags)
68588 +       } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
68589                 mm->stack_vm += pages;
68590         if (flags & (VM_RESERVED|VM_IO))
68591                 mm->reserved_vm += pages;
68592 @@ -963,7 +1040,7 @@ unsigned long do_mmap_pgoff(struct file 
68593          * (the exception is when the underlying filesystem is noexec
68594          *  mounted, in which case we dont add PROT_EXEC.)
68595          */
68596 -       if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
68597 +       if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
68598                 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
68599                         prot |= PROT_EXEC;
68600  
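Review bot: The condition now adds PROT_EXEC for PROT_WRITE-only mappings as well, but the comment above it (outside the hunk) still describes READ_IMPLIES_EXEC as a read-only rule. Presumably the reason is that a writable page is readable anyway on the affected architectures, so a write-only mapping should not escape the legacy personality; say so: `/* a writable mapping is readable on every arch this matters for, so treat PROT_WRITE like PROT_READ here */`. do_mmap_pgoff continues outside the hunk.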
68601 @@ -989,7 +1066,7 @@ unsigned long do_mmap_pgoff(struct file 
68602         /* Obtain the address to map to. we verify (or select) it and ensure
68603          * that it represents a valid section of the address space.
68604          */
68605 -       addr = get_unmapped_area(file, addr, len, pgoff, flags);
68606 +       addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
68607         if (addr & ~PAGE_MASK)
68608                 return addr;
68609  
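Review bot: `MAP_EXECUTABLE` is a user-visible mmap flag that userspace can already set in `flags`, so whatever get_unmapped_area() now does for executable mappings can be requested without PROT_EXEC; if the placement decision is meant to follow PROT_EXEC alone, mask the user's copy first: `(flags & ~MAP_EXECUTABLE) | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)`. Either way the repurposing deserves a comment, since the flag is documented as ignored.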
68610 @@ -1000,6 +1077,36 @@ unsigned long do_mmap_pgoff(struct file 
68611         vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
68612                         mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
68613  
68614 +#ifdef CONFIG_PAX_MPROTECT
68615 +       if (mm->pax_flags & MF_PAX_MPROTECT) {
68616 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
68617 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
68618 +                       gr_log_rwxmmap(file);
68619 +
68620 +#ifdef CONFIG_PAX_EMUPLT
68621 +                       vm_flags &= ~VM_EXEC;
68622 +#else
68623 +                       return -EPERM;
68624 +#endif
68625 +
68626 +               }
68627 +
68628 +               if (!(vm_flags & VM_EXEC))
68629 +                       vm_flags &= ~VM_MAYEXEC;
68630 +#else
68631 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
68632 +                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
68633 +#endif
68634 +               else
68635 +                       vm_flags &= ~VM_MAYWRITE;
68636 +       }
68637 +#endif
68638 +
68639 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68640 +       if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
68641 +               vm_flags &= ~VM_PAGEEXEC;
68642 +#endif
68643 +
68644         if (flags & MAP_LOCKED)
68645                 if (!can_do_mlock())
68646                         return -EPERM;
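Review bot: The `else` at the line after `#endif` binds to a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT — to `if (!(vm_flags & VM_EXEC))` in one build and to `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` in the other — which is correct as written but invisible to anyone reading either configuration on its own. Duplicating the two-line `else` into each preprocessor branch costs two lines and makes each variant self-contained; the rewrite below keeps the behaviour of both builds identical. do_mmap_pgoff starts outside this hunk.
```c
#ifdef CONFIG_PAX_MPROTECT
	if (mm->pax_flags & MF_PAX_MPROTECT) {
#ifndef CONFIG_PAX_MPROTECT_COMPAT
		/* … unchanged: W|X logging, CONFIG_PAX_EMUPLT / -EPERM handling … */
		if (!(vm_flags & VM_EXEC))
			vm_flags &= ~VM_MAYEXEC;
		else
			vm_flags &= ~VM_MAYWRITE;
#else
		if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
			vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
		else
			vm_flags &= ~VM_MAYWRITE;
#endif
	}
#endif
```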
68647 @@ -1011,6 +1118,7 @@ unsigned long do_mmap_pgoff(struct file 
68648                 locked += mm->locked_vm;
68649                 lock_limit = rlimit(RLIMIT_MEMLOCK);
68650                 lock_limit >>= PAGE_SHIFT;
68651 +               gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68652                 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
68653                         return -EAGAIN;
68654         }
68655 @@ -1081,6 +1189,9 @@ unsigned long do_mmap_pgoff(struct file 
68656         if (error)
68657                 return error;
68658  
68659 +       if (!gr_acl_handle_mmap(file, prot))
68660 +               return -EACCES;
68661 +
68662         return mmap_region(file, addr, len, flags, vm_flags, pgoff);
68663  }
68664  EXPORT_SYMBOL(do_mmap_pgoff);
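Review bot: `gr_acl_handle_mmap(file, prot)` is given the caller's requested `prot`, not the `vm_flags` that the PAX_MPROTECT block earlier in do_mmap_pgoff may already have altered (for example VM_EXEC stripped under CONFIG_PAX_EMUPLT), so if the ACL decision concerns executability it can diverge from what is actually mapped. Either pass the effective flags or add a comment that the check is deliberately on the requested protection. It also returns -EACCES where the MPROTECT rejection above returns -EPERM; callers may want those consistent. do_mmap_pgoff starts outside this hunk.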
68665 @@ -1161,7 +1272,7 @@ int vma_wants_writenotify(struct vm_area
68666         vm_flags_t vm_flags = vma->vm_flags;
68667  
68668         /* If it was private or non-writable, the write bit is already clear */
68669 -       if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
68670 +       if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
68671                 return 0;
68672  
68673         /* The backer wishes to know when pages are first written to? */
68674 @@ -1210,14 +1321,24 @@ unsigned long mmap_region(struct file *f
68675         unsigned long charged = 0;
68676         struct inode *inode =  file ? file->f_path.dentry->d_inode : NULL;
68677  
68678 +#ifdef CONFIG_PAX_SEGMEXEC
68679 +       struct vm_area_struct *vma_m = NULL;
68680 +#endif
68681 +
68682 +       /*
68683 +        * mm->mmap_sem is required to protect against another thread
68684 +        * changing the mappings in case we sleep.
68685 +        */
68686 +       verify_mm_writelocked(mm);
68687 +
68688         /* Clear old maps */
68689         error = -ENOMEM;
68690 -munmap_back:
68691         vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68692         if (vma && vma->vm_start < addr + len) {
68693                 if (do_munmap(mm, addr, len))
68694                         return -ENOMEM;
68695 -               goto munmap_back;
68696 +               vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68697 +               BUG_ON(vma && vma->vm_start < addr + len);
68698         }
68699  
68700         /* Check against address space limit. */
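Review bot: Replacing the `munmap_back` retry loop with one more `find_vma_prepare` and `BUG_ON(vma && vma->vm_start < addr + len)` turns a condition the old code simply retried on into a kernel panic; if `do_munmap` can ever return 0 while a vma still overlaps the range, this now crashes, so the reason that is impossible deserves a comment such as `/* do_munmap either clears the whole range or fails, so a single re-lookup must find it empty */`. Note also that `verify_mm_writelocked` is now called here and in do_munmap while its static inline definition later in this file is deleted (L69414–L69423), so a header must provide it earlier for this to compile. mmap_region starts outside this hunk.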
68701 @@ -1266,6 +1387,16 @@ munmap_back:
68702                 goto unacct_error;
68703         }
68704  
68705 +#ifdef CONFIG_PAX_SEGMEXEC
68706 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
68707 +               vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
68708 +               if (!vma_m) {
68709 +                       error = -ENOMEM;
68710 +                       goto free_vma;
68711 +               }
68712 +       }
68713 +#endif
68714 +
68715         vma->vm_mm = mm;
68716         vma->vm_start = addr;
68717         vma->vm_end = addr + len;
68718 @@ -1289,6 +1420,19 @@ munmap_back:
68719                 error = file->f_op->mmap(file, vma);
68720                 if (error)
68721                         goto unmap_and_free_vma;
68722 +
68723 +#ifdef CONFIG_PAX_SEGMEXEC
68724 +               if (vma_m && (vm_flags & VM_EXECUTABLE))
68725 +                       added_exe_file_vma(mm);
68726 +#endif
68727 +
68728 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68729 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
68730 +                       vma->vm_flags |= VM_PAGEEXEC;
68731 +                       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
68732 +               }
68733 +#endif
68734 +
68735                 if (vm_flags & VM_EXECUTABLE)
68736                         added_exe_file_vma(mm);
68737  
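Review bot: With a SEGMEXEC mirror the executable-file count is bumped twice here — once at the new `if (vma_m && (vm_flags & VM_EXECUTABLE))` and again at the pre-existing `if (vm_flags & VM_EXECUTABLE)` — which is presumably intentional because the mirror is a separate vma removed on its own, but nothing in the code says so. Suggest `/* the mirror is its own VM_EXECUTABLE vma; count it so its later removal balances */` above the new call. The `BUG_ON(pax_mirror_vma(vma_m, vma))` in the next hunk (L68741–L68752) likewise deserves a line noting that a failure after vma_link cannot be unwound. mmap_region starts and ends outside this hunk.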
68738 @@ -1324,6 +1468,11 @@ munmap_back:
68739         vma_link(mm, vma, prev, rb_link, rb_parent);
68740         file = vma->vm_file;
68741  
68742 +#ifdef CONFIG_PAX_SEGMEXEC
68743 +       if (vma_m)
68744 +               BUG_ON(pax_mirror_vma(vma_m, vma));
68745 +#endif
68746 +
68747         /* Once vma denies write, undo our temporary denial count */
68748         if (correct_wcount)
68749                 atomic_inc(&inode->i_writecount);
68750 @@ -1332,6 +1481,7 @@ out:
68751  
68752         mm->total_vm += len >> PAGE_SHIFT;
68753         vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
68754 +       track_exec_limit(mm, addr, addr + len, vm_flags);
68755         if (vm_flags & VM_LOCKED) {
68756                 if (!mlock_vma_pages_range(vma, addr, addr + len))
68757                         mm->locked_vm += (len >> PAGE_SHIFT);
68758 @@ -1349,6 +1499,12 @@ unmap_and_free_vma:
68759         unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
68760         charged = 0;
68761  free_vma:
68762 +
68763 +#ifdef CONFIG_PAX_SEGMEXEC
68764 +       if (vma_m)
68765 +               kmem_cache_free(vm_area_cachep, vma_m);
68766 +#endif
68767 +
68768         kmem_cache_free(vm_area_cachep, vma);
68769  unacct_error:
68770         if (charged)
68771 @@ -1356,6 +1512,44 @@ unacct_error:
68772         return error;
68773  }
68774  
68775 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
68776 +{
68777 +       if (!vma) {
68778 +#ifdef CONFIG_STACK_GROWSUP
68779 +               if (addr > sysctl_heap_stack_gap)
68780 +                       vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
68781 +               else
68782 +                       vma = find_vma(current->mm, 0);
68783 +               if (vma && (vma->vm_flags & VM_GROWSUP))
68784 +                       return false;
68785 +#endif
68786 +               return true;
68787 +       }
68788 +
68789 +       if (addr + len > vma->vm_start)
68790 +               return false;
68791 +
68792 +       if (vma->vm_flags & VM_GROWSDOWN)
68793 +               return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
68794 +#ifdef CONFIG_STACK_GROWSUP
68795 +       else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
68796 +               return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
68797 +#endif
68798 +
68799 +       return true;
68800 +}
68801 +
68802 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
68803 +{
68804 +       if (vma->vm_start < len)
68805 +               return -ENOMEM;
68806 +       if (!(vma->vm_flags & VM_GROWSDOWN))
68807 +               return vma->vm_start - len;
68808 +       if (sysctl_heap_stack_gap <= vma->vm_start - len)
68809 +               return vma->vm_start - len - sysctl_heap_stack_gap;
68810 +       return -ENOMEM;
68811 +}
68812 +
68813  /* Get an address range which is currently unmapped.
68814   * For shmat() with addr=0.
68815   *
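Review bot: The CONFIG_STACK_GROWSUP branch of check_heap_stack_gap has its comparison the wrong way round relative to the VM_GROWSDOWN branch: the latter accepts when the distance is at least the gap (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`), whereas `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts only when the distance to the upward-growing stack is at most the gap — exactly the placements the gap exists to forbid. It should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`; as the comment at L69058 notes, only PA-RISC-style stacks take this path, which is presumably why it went unnoticed. Both new functions are non-static and have no header comment; one line each stating the contract would help, e.g. for skip_heap_stack_gap `/* highest address below vma at which a len-byte mapping may start, or -ENOMEM */`.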
68816 @@ -1382,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp
68817         if (flags & MAP_FIXED)
68818                 return addr;
68819  
68820 +#ifdef CONFIG_PAX_RANDMMAP
68821 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68822 +#endif
68823 +
68824         if (addr) {
68825                 addr = PAGE_ALIGN(addr);
68826 -               vma = find_vma(mm, addr);
68827 -               if (TASK_SIZE - len >= addr &&
68828 -                   (!vma || addr + len <= vma->vm_start))
68829 -                       return addr;
68830 +               if (TASK_SIZE - len >= addr) {
68831 +                       vma = find_vma(mm, addr);
68832 +                       if (check_heap_stack_gap(vma, addr, len))
68833 +                               return addr;
68834 +               }
68835         }
68836         if (len > mm->cached_hole_size) {
68837 -               start_addr = addr = mm->free_area_cache;
68838 +               start_addr = addr = mm->free_area_cache;
68839         } else {
68840 -               start_addr = addr = TASK_UNMAPPED_BASE;
68841 -               mm->cached_hole_size = 0;
68842 +               start_addr = addr = mm->mmap_base;
68843 +               mm->cached_hole_size = 0;
68844         }
68845  
68846  full_search:
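Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` lines leave an unbraced `if` whose body is the `if (addr) {` statement after a blank line, so the dependency is invisible to a reader and any later insertion between the two silently changes behaviour; the same shape appears in the topdown hunk at L68911–L68931 and as `} else` before `#endif` in split_vma (L69342–L69357). Prefer folding the condition into a small predicate that collapses to a constant when the option is off (name illustrative): `if (addr && !pax_randmmap_active(mm)) {`, or at least brace the body explicitly. arch_get_unmapped_area starts outside this hunk.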
68847 @@ -1404,34 +1603,40 @@ full_search:
68848                          * Start a new search - just in case we missed
68849                          * some holes.
68850                          */
68851 -                       if (start_addr != TASK_UNMAPPED_BASE) {
68852 -                               addr = TASK_UNMAPPED_BASE;
68853 -                               start_addr = addr;
68854 +                       if (start_addr != mm->mmap_base) {
68855 +                               start_addr = addr = mm->mmap_base;
68856                                 mm->cached_hole_size = 0;
68857                                 goto full_search;
68858                         }
68859                         return -ENOMEM;
68860                 }
68861 -               if (!vma || addr + len <= vma->vm_start) {
68862 -                       /*
68863 -                        * Remember the place where we stopped the search:
68864 -                        */
68865 -                       mm->free_area_cache = addr + len;
68866 -                       return addr;
68867 -               }
68868 +               if (check_heap_stack_gap(vma, addr, len))
68869 +                       break;
68870                 if (addr + mm->cached_hole_size < vma->vm_start)
68871                         mm->cached_hole_size = vma->vm_start - addr;
68872                 addr = vma->vm_end;
68873         }
68874 +
68875 +       /*
68876 +        * Remember the place where we stopped the search:
68877 +        */
68878 +       mm->free_area_cache = addr + len;
68879 +       return addr;
68880  }
68881  #endif 
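Review bot: After `if (check_heap_stack_gap(vma, addr, len)) break;` the loop falls through to `vma->vm_start` and `vma->vm_end`, but check_heap_stack_gap can return false for a NULL vma under CONFIG_STACK_GROWSUP (its `if (vma && (vma->vm_flags & VM_GROWSUP)) return false;` path), whereas the removed `if (!vma || …)` test guaranteed a non-NULL vma past that point. A guard is needed before the dereference, e.g. `if (!vma) return -ENOMEM;`, unless a better recovery exists for "above all mappings but inside the gap". The topdown loop at L68943–L68951 has the same fall-through to `vma->vm_start`. The enclosing loop starts outside this hunk.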
68882  
68883  void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
68884  {
68885 +
68886 +#ifdef CONFIG_PAX_SEGMEXEC
68887 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68888 +               return;
68889 +#endif
68890 +
68891         /*
68892          * Is this a new hole at the lowest possible address?
68893          */
68894 -       if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
68895 +       if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
68896                 mm->free_area_cache = addr;
68897                 mm->cached_hole_size = ~0UL;
68898         }
68899 @@ -1449,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi
68900  {
68901         struct vm_area_struct *vma;
68902         struct mm_struct *mm = current->mm;
68903 -       unsigned long addr = addr0;
68904 +       unsigned long base = mm->mmap_base, addr = addr0;
68905  
68906         /* requested length too big for entire address space */
68907         if (len > TASK_SIZE)
68908 @@ -1458,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi
68909         if (flags & MAP_FIXED)
68910                 return addr;
68911  
68912 +#ifdef CONFIG_PAX_RANDMMAP
68913 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68914 +#endif
68915 +
68916         /* requesting a specific address */
68917         if (addr) {
68918                 addr = PAGE_ALIGN(addr);
68919 -               vma = find_vma(mm, addr);
68920 -               if (TASK_SIZE - len >= addr &&
68921 -                               (!vma || addr + len <= vma->vm_start))
68922 -                       return addr;
68923 +               if (TASK_SIZE - len >= addr) {
68924 +                       vma = find_vma(mm, addr);
68925 +                       if (check_heap_stack_gap(vma, addr, len))
68926 +                               return addr;
68927 +               }
68928         }
68929  
68930         /* check if free_area_cache is useful for us */
68931 @@ -1479,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
68932         /* make sure it can fit in the remaining address space */
68933         if (addr > len) {
68934                 vma = find_vma(mm, addr-len);
68935 -               if (!vma || addr <= vma->vm_start)
68936 +               if (check_heap_stack_gap(vma, addr - len, len))
68937                         /* remember the address as a hint for next time */
68938                         return (mm->free_area_cache = addr-len);
68939         }
68940 @@ -1496,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi
68941                  * return with success:
68942                  */
68943                 vma = find_vma(mm, addr);
68944 -               if (!vma || addr+len <= vma->vm_start)
68945 +               if (check_heap_stack_gap(vma, addr, len))
68946                         /* remember the address as a hint for next time */
68947                         return (mm->free_area_cache = addr);
68948  
68949 @@ -1505,8 +1715,8 @@ arch_get_unmapped_area_topdown(struct fi
68950                         mm->cached_hole_size = vma->vm_start - addr;
68951  
68952                 /* try just below the current vma->vm_start */
68953 -               addr = vma->vm_start-len;
68954 -       } while (len < vma->vm_start);
68955 +               addr = skip_heap_stack_gap(vma, len);
68956 +       } while (!IS_ERR_VALUE(addr));
68957  
68958  bottomup:
68959         /*
68960 @@ -1515,13 +1725,21 @@ bottomup:
68961          * can happen with large stack limits and large mmap()
68962          * allocations.
68963          */
68964 +       mm->mmap_base = TASK_UNMAPPED_BASE;
68965 +
68966 +#ifdef CONFIG_PAX_RANDMMAP
68967 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
68968 +               mm->mmap_base += mm->delta_mmap;
68969 +#endif
68970 +
68971 +       mm->free_area_cache = mm->mmap_base;
68972         mm->cached_hole_size = ~0UL;
68973 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
68974         addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
68975         /*
68976          * Restore the topdown base:
68977          */
68978 -       mm->free_area_cache = mm->mmap_base;
68979 +       mm->mmap_base = base;
68980 +       mm->free_area_cache = base;
68981         mm->cached_hole_size = ~0UL;
68982  
68983         return addr;
68984 @@ -1530,6 +1748,12 @@ bottomup:
68985  
68986  void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
68987  {
68988 +
68989 +#ifdef CONFIG_PAX_SEGMEXEC
68990 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68991 +               return;
68992 +#endif
68993 +
68994         /*
68995          * Is this a new hole at the highest possible address?
68996          */
68997 @@ -1537,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s
68998                 mm->free_area_cache = addr;
68999  
69000         /* dont allow allocations above current base */
69001 -       if (mm->free_area_cache > mm->mmap_base)
69002 +       if (mm->free_area_cache > mm->mmap_base) {
69003                 mm->free_area_cache = mm->mmap_base;
69004 +               mm->cached_hole_size = ~0UL;
69005 +       }
69006  }
69007  
69008  unsigned long
69009 @@ -1646,6 +1872,28 @@ out:
69010         return prev ? prev->vm_next : vma;
69011  }
69012  
69013 +#ifdef CONFIG_PAX_SEGMEXEC
69014 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
69015 +{
69016 +       struct vm_area_struct *vma_m;
69017 +
69018 +       BUG_ON(!vma || vma->vm_start >= vma->vm_end);
69019 +       if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
69020 +               BUG_ON(vma->vm_mirror);
69021 +               return NULL;
69022 +       }
69023 +       BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
69024 +       vma_m = vma->vm_mirror;
69025 +       BUG_ON(!vma_m || vma_m->vm_mirror != vma);
69026 +       BUG_ON(vma->vm_file != vma_m->vm_file);
69027 +       BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
69028 +       BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
69029 +       BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
69030 +       BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
69031 +       return vma_m;
69032 +}
69033 +#endif
69034 +
69035  /*
69036   * Verify that the stack growth is acceptable and
69037   * update accounting. This is shared with both the
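Review bot: `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)` dereferences both anon_vma pointers whenever they differ, so if one side is NULL while the other is set the check itself faults instead of reporting the mismatch. Testing the pointers first keeps the invariant and the diagnostic: `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`. Whether that state is reachable depends on when mirrors acquire their anon_vma, which is not visible here. The function also has no comment saying what it returns; `/* Return the SEGMEXEC mirror of vma (NULL when vma is not mirrored), asserting the pair is consistent. */` would do.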
69038 @@ -1662,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
69039                 return -ENOMEM;
69040  
69041         /* Stack limit test */
69042 +       gr_learn_resource(current, RLIMIT_STACK, size, 1);
69043         if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
69044                 return -ENOMEM;
69045  
69046 @@ -1672,6 +1921,7 @@ static int acct_stack_growth(struct vm_a
69047                 locked = mm->locked_vm + grow;
69048                 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
69049                 limit >>= PAGE_SHIFT;
69050 +               gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
69051                 if (locked > limit && !capable(CAP_IPC_LOCK))
69052                         return -ENOMEM;
69053         }
69054 @@ -1702,37 +1952,48 @@ static int acct_stack_growth(struct vm_a
69055   * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
69056   * vma is the last one with address > vma->vm_end.  Have to extend vma.
69057   */
69058 +#ifndef CONFIG_IA64
69059 +static
69060 +#endif
69061  int expand_upwards(struct vm_area_struct *vma, unsigned long address)
69062  {
69063         int error;
69064 +       bool locknext;
69065  
69066         if (!(vma->vm_flags & VM_GROWSUP))
69067                 return -EFAULT;
69068  
69069 +       /* Also guard against wrapping around to address 0. */
69070 +       if (address < PAGE_ALIGN(address+1))
69071 +               address = PAGE_ALIGN(address+1);
69072 +       else
69073 +               return -ENOMEM;
69074 +
69075         /*
69076          * We must make sure the anon_vma is allocated
69077          * so that the anon_vma locking is not a noop.
69078          */
69079         if (unlikely(anon_vma_prepare(vma)))
69080                 return -ENOMEM;
69081 +       locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
69082 +       if (locknext && anon_vma_prepare(vma->vm_next))
69083 +               return -ENOMEM;
69084         vma_lock_anon_vma(vma);
69085 +       if (locknext)
69086 +               vma_lock_anon_vma(vma->vm_next);
69087  
69088         /*
69089          * vma->vm_start/vm_end cannot change under us because the caller
69090          * is required to hold the mmap_sem in read mode.  We need the
69091 -        * anon_vma lock to serialize against concurrent expand_stacks.
69092 -        * Also guard against wrapping around to address 0.
69093 +        * anon_vma locks to serialize against concurrent expand_stacks
69094 +        * and expand_upwards.
69095          */
69096 -       if (address < PAGE_ALIGN(address+4))
69097 -               address = PAGE_ALIGN(address+4);
69098 -       else {
69099 -               vma_unlock_anon_vma(vma);
69100 -               return -ENOMEM;
69101 -       }
69102         error = 0;
69103  
69104         /* Somebody else might have raced and expanded it already */
69105 -       if (address > vma->vm_end) {
69106 +       if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
69107 +               error = -ENOMEM;
69108 +       else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
69109                 unsigned long size, grow;
69110  
69111                 size = address - vma->vm_start;
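Review bot: The new locknext path takes `vma`'s anon_vma lock and then `vma->vm_next`'s, while expand_downwards (L69133–L69148) takes `prev`'s and then `vma`'s — in both cases the lower-address vma first — and that shared ordering is presumably what keeps a concurrent expand_upwards/expand_downwards pair from deadlocking, but it is not written down anywhere. Suggest `/* lock order: lower vma first, matching expand_downwards (prev, then vma) */` before `vma_lock_anon_vma(vma);`. The wrap check also changed from `PAGE_ALIGN(address+4)` to `PAGE_ALIGN(address+1)` with no explanation; if the +1 is deliberate, a one-line why-comment would stop it being "fixed" back. The gap test on the `if (vma->vm_next && …)` line is long enough to deserve splitting like the `else if` below it.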
69112 @@ -1747,6 +2008,8 @@ int expand_upwards(struct vm_area_struct
69113                         }
69114                 }
69115         }
69116 +       if (locknext)
69117 +               vma_unlock_anon_vma(vma->vm_next);
69118         vma_unlock_anon_vma(vma);
69119         khugepaged_enter_vma_merge(vma);
69120         return error;
69121 @@ -1760,6 +2023,8 @@ int expand_downwards(struct vm_area_stru
69122                                    unsigned long address)
69123  {
69124         int error;
69125 +       bool lockprev = false;
69126 +       struct vm_area_struct *prev;
69127  
69128         /*
69129          * We must make sure the anon_vma is allocated
69130 @@ -1773,6 +2038,15 @@ int expand_downwards(struct vm_area_stru
69131         if (error)
69132                 return error;
69133  
69134 +       prev = vma->vm_prev;
69135 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
69136 +       lockprev = prev && (prev->vm_flags & VM_GROWSUP);
69137 +#endif
69138 +       if (lockprev && anon_vma_prepare(prev))
69139 +               return -ENOMEM;
69140 +       if (lockprev)
69141 +               vma_lock_anon_vma(prev);
69142 +
69143         vma_lock_anon_vma(vma);
69144  
69145         /*
69146 @@ -1782,9 +2056,17 @@ int expand_downwards(struct vm_area_stru
69147          */
69148  
69149         /* Somebody else might have raced and expanded it already */
69150 -       if (address < vma->vm_start) {
69151 +       if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
69152 +               error = -ENOMEM;
69153 +       else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
69154                 unsigned long size, grow;
69155  
69156 +#ifdef CONFIG_PAX_SEGMEXEC
69157 +               struct vm_area_struct *vma_m;
69158 +
69159 +               vma_m = pax_find_mirror_vma(vma);
69160 +#endif
69161 +
69162                 size = vma->vm_end - address;
69163                 grow = (vma->vm_start - address) >> PAGE_SHIFT;
69164  
69165 @@ -1794,11 +2076,22 @@ int expand_downwards(struct vm_area_stru
69166                         if (!error) {
69167                                 vma->vm_start = address;
69168                                 vma->vm_pgoff -= grow;
69169 +                               track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
69170 +
69171 +#ifdef CONFIG_PAX_SEGMEXEC
69172 +                               if (vma_m) {
69173 +                                       vma_m->vm_start -= grow << PAGE_SHIFT;
69174 +                                       vma_m->vm_pgoff -= grow;
69175 +                               }
69176 +#endif
69177 +
69178                                 perf_event_mmap(vma);
69179                         }
69180                 }
69181         }
69182         vma_unlock_anon_vma(vma);
69183 +       if (lockprev)
69184 +               vma_unlock_anon_vma(prev);
69185         khugepaged_enter_vma_merge(vma);
69186         return error;
69187  }
69188 @@ -1868,6 +2161,13 @@ static void remove_vma_list(struct mm_st
69189         do {
69190                 long nrpages = vma_pages(vma);
69191  
69192 +#ifdef CONFIG_PAX_SEGMEXEC
69193 +               if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
69194 +                       vma = remove_vma(vma);
69195 +                       continue;
69196 +               }
69197 +#endif
69198 +
69199                 mm->total_vm -= nrpages;
69200                 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
69201                 vma = remove_vma(vma);
69202 @@ -1913,6 +2213,16 @@ detach_vmas_to_be_unmapped(struct mm_str
69203         insertion_point = (prev ? &prev->vm_next : &mm->mmap);
69204         vma->vm_prev = NULL;
69205         do {
69206 +
69207 +#ifdef CONFIG_PAX_SEGMEXEC
69208 +               if (vma->vm_mirror) {
69209 +                       BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
69210 +                       vma->vm_mirror->vm_mirror = NULL;
69211 +                       vma->vm_mirror->vm_flags &= ~VM_EXEC;
69212 +                       vma->vm_mirror = NULL;
69213 +               }
69214 +#endif
69215 +
69216                 rb_erase(&vma->vm_rb, &mm->mm_rb);
69217                 mm->map_count--;
69218                 tail_vma = vma;
69219 @@ -1941,14 +2251,33 @@ static int __split_vma(struct mm_struct 
69220         struct vm_area_struct *new;
69221         int err = -ENOMEM;
69222  
69223 +#ifdef CONFIG_PAX_SEGMEXEC
69224 +       struct vm_area_struct *vma_m, *new_m = NULL;
69225 +       unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
69226 +#endif
69227 +
69228         if (is_vm_hugetlb_page(vma) && (addr &
69229                                         ~(huge_page_mask(hstate_vma(vma)))))
69230                 return -EINVAL;
69231  
69232 +#ifdef CONFIG_PAX_SEGMEXEC
69233 +       vma_m = pax_find_mirror_vma(vma);
69234 +#endif
69235 +
69236         new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69237         if (!new)
69238                 goto out_err;
69239  
69240 +#ifdef CONFIG_PAX_SEGMEXEC
69241 +       if (vma_m) {
69242 +               new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69243 +               if (!new_m) {
69244 +                       kmem_cache_free(vm_area_cachep, new);
69245 +                       goto out_err;
69246 +               }
69247 +       }
69248 +#endif
69249 +
69250         /* most fields are the same, copy all, and then fixup */
69251         *new = *vma;
69252  
69253 @@ -1961,6 +2290,22 @@ static int __split_vma(struct mm_struct 
69254                 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
69255         }
69256  
69257 +#ifdef CONFIG_PAX_SEGMEXEC
69258 +       if (vma_m) {
69259 +               *new_m = *vma_m;
69260 +               INIT_LIST_HEAD(&new_m->anon_vma_chain);
69261 +               new_m->vm_mirror = new;
69262 +               new->vm_mirror = new_m;
69263 +
69264 +               if (new_below)
69265 +                       new_m->vm_end = addr_m;
69266 +               else {
69267 +                       new_m->vm_start = addr_m;
69268 +                       new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
69269 +               }
69270 +       }
69271 +#endif
69272 +
69273         pol = mpol_dup(vma_policy(vma));
69274         if (IS_ERR(pol)) {
69275                 err = PTR_ERR(pol);
69276 @@ -1986,6 +2331,42 @@ static int __split_vma(struct mm_struct 
69277         else
69278                 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
69279  
69280 +#ifdef CONFIG_PAX_SEGMEXEC
69281 +       if (!err && vma_m) {
69282 +               if (anon_vma_clone(new_m, vma_m))
69283 +                       goto out_free_mpol;
69284 +
69285 +               mpol_get(pol);
69286 +               vma_set_policy(new_m, pol);
69287 +
69288 +               if (new_m->vm_file) {
69289 +                       get_file(new_m->vm_file);
69290 +                       if (vma_m->vm_flags & VM_EXECUTABLE)
69291 +                               added_exe_file_vma(mm);
69292 +               }
69293 +
69294 +               if (new_m->vm_ops && new_m->vm_ops->open)
69295 +                       new_m->vm_ops->open(new_m);
69296 +
69297 +               if (new_below)
69298 +                       err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
69299 +                               ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
69300 +               else
69301 +                       err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
69302 +
69303 +               if (err) {
69304 +                       if (new_m->vm_ops && new_m->vm_ops->close)
69305 +                               new_m->vm_ops->close(new_m);
69306 +                       if (new_m->vm_file) {
69307 +                               if (vma_m->vm_flags & VM_EXECUTABLE)
69308 +                                       removed_exe_file_vma(mm);
69309 +                               fput(new_m->vm_file);
69310 +                       }
69311 +                       mpol_put(pol);
69312 +               }
69313 +       }
69314 +#endif
69315 +
69316         /* Success. */
69317         if (!err)
69318                 return 0;
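Review bot: The mirror failure paths — `goto out_free_mpol` after `anon_vma_clone(new_m, vma_m)` and the fall-through after the `if (err)` block — run only once `vma_adjust(vma, …, new)` just above the hunk has succeeded, yet they end in the common cleanup of the hunk at L69322–L69341, which does `mpol_put(pol)`, `unlink_anon_vmas(new)` and `kmem_cache_free(vm_area_cachep, new)`. If vma_adjust links `new` into the mm and hands it the policy reference as in the unpatched code, that frees a live vma and drops a reference the mm still holds. The fix is structural rather than a one-liner: do everything for new_m that can fail (anon_vma_clone, policy, file reference, vm_ops->open) before the first vma_adjust so that only the mirror's own vma_adjust remains, or explicitly undo the first split when the mirror cannot be made. Moving `unlink_anon_vmas(new)` to `out_free_vma` also makes it run on the mpol_dup failure path; presumably harmless if the chain is still an empty list at that point, but worth a comment.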
69319 @@ -1998,10 +2379,18 @@ static int __split_vma(struct mm_struct 
69320                         removed_exe_file_vma(mm);
69321                 fput(new->vm_file);
69322         }
69323 -       unlink_anon_vmas(new);
69324   out_free_mpol:
69325         mpol_put(pol);
69326   out_free_vma:
69327 +
69328 +#ifdef CONFIG_PAX_SEGMEXEC
69329 +       if (new_m) {
69330 +               unlink_anon_vmas(new_m);
69331 +               kmem_cache_free(vm_area_cachep, new_m);
69332 +       }
69333 +#endif
69334 +
69335 +       unlink_anon_vmas(new);
69336         kmem_cache_free(vm_area_cachep, new);
69337   out_err:
69338         return err;
69339 @@ -2014,6 +2403,15 @@ static int __split_vma(struct mm_struct 
69340  int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
69341               unsigned long addr, int new_below)
69342  {
69343 +
69344 +#ifdef CONFIG_PAX_SEGMEXEC
69345 +       if (mm->pax_flags & MF_PAX_SEGMEXEC) {
69346 +               BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
69347 +               if (mm->map_count >= sysctl_max_map_count-1)
69348 +                       return -ENOMEM;
69349 +       } else
69350 +#endif
69351 +
69352         if (mm->map_count >= sysctl_max_map_count)
69353                 return -ENOMEM;
69354  
69355 @@ -2025,11 +2423,30 @@ int split_vma(struct mm_struct *mm, stru
69356   * work.  This now handles partial unmappings.
69357   * Jeremy Fitzhardinge <jeremy@goop.org>
69358   */
69359 +#ifdef CONFIG_PAX_SEGMEXEC
69360  int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69361  {
69362 +       int ret = __do_munmap(mm, start, len);
69363 +       if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
69364 +               return ret;
69365 +
69366 +       return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
69367 +}
69368 +
69369 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69370 +#else
69371 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69372 +#endif
69373 +{
69374         unsigned long end;
69375         struct vm_area_struct *vma, *prev, *last;
69376  
69377 +       /*
69378 +        * mm->mmap_sem is required to protect against another thread
69379 +        * changing the mappings in case we sleep.
69380 +        */
69381 +       verify_mm_writelocked(mm);
69382 +
69383         if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
69384                 return -EINVAL;
69385  
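Review bot: `__do_munmap` is called in the new wrapper before its definition a few lines below, so it needs a prior declaration — presumably in a header elsewhere in the patch, not visible here — to build without an implicit-declaration error. When the first `__do_munmap` succeeds and the second fails, the caller gets an error although the low range is already gone and the mirror range is still mapped; a comment stating that the second call is not expected to fail, or why that outcome is tolerable, would help, e.g. `/* the mirror range mirrors an already-validated primary range, so this should not fail */`. do_munmap's body continues outside the hunk.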
69386 @@ -2104,6 +2521,8 @@ int do_munmap(struct mm_struct *mm, unsi
69387         /* Fix up all other VM information */
69388         remove_vma_list(mm, vma);
69389  
69390 +       track_exec_limit(mm, start, end, 0UL);
69391 +
69392         return 0;
69393  }
69394  
69395 @@ -2116,22 +2535,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
69396  
69397         profile_munmap(addr);
69398  
69399 +#ifdef CONFIG_PAX_SEGMEXEC
69400 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
69401 +           (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
69402 +               return -EINVAL;
69403 +#endif
69404 +
69405         down_write(&mm->mmap_sem);
69406         ret = do_munmap(mm, addr, len);
69407         up_write(&mm->mmap_sem);
69408         return ret;
69409  }
69410  
69411 -static inline void verify_mm_writelocked(struct mm_struct *mm)
69412 -{
69413 -#ifdef CONFIG_DEBUG_VM
69414 -       if (unlikely(down_read_trylock(&mm->mmap_sem))) {
69415 -               WARN_ON(1);
69416 -               up_read(&mm->mmap_sem);
69417 -       }
69418 -#endif
69419 -}
69420 -
69421  /*
69422   *  this is really a simplified "do_mmap".  it only handles
69423   *  anonymous maps.  eventually we may be able to do some
69424 @@ -2145,6 +2560,7 @@ unsigned long do_brk(unsigned long addr,
69425         struct rb_node ** rb_link, * rb_parent;
69426         pgoff_t pgoff = addr >> PAGE_SHIFT;
69427         int error;
69428 +       unsigned long charged;
69429  
69430         len = PAGE_ALIGN(len);
69431         if (!len)
69432 @@ -2156,16 +2572,30 @@ unsigned long do_brk(unsigned long addr,
69433  
69434         flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
69435  
69436 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
69437 +       if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
69438 +               flags &= ~VM_EXEC;
69439 +
69440 +#ifdef CONFIG_PAX_MPROTECT
69441 +               if (mm->pax_flags & MF_PAX_MPROTECT)
69442 +                       flags &= ~VM_MAYEXEC;
69443 +#endif
69444 +
69445 +       }
69446 +#endif
69447 +
69448         error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
69449         if (error & ~PAGE_MASK)
69450                 return error;
69451  
69452 +       charged = len >> PAGE_SHIFT;
69453 +
69454         /*
69455          * mlock MCL_FUTURE?
69456          */
69457         if (mm->def_flags & VM_LOCKED) {
69458                 unsigned long locked, lock_limit;
69459 -               locked = len >> PAGE_SHIFT;
69460 +               locked = charged;
69461                 locked += mm->locked_vm;
69462                 lock_limit = rlimit(RLIMIT_MEMLOCK);
69463                 lock_limit >>= PAGE_SHIFT;
69464 @@ -2182,22 +2612,22 @@ unsigned long do_brk(unsigned long addr,
69465         /*
69466          * Clear old maps.  this also does some error checking for us
69467          */
69468 - munmap_back:
69469         vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69470         if (vma && vma->vm_start < addr + len) {
69471                 if (do_munmap(mm, addr, len))
69472                         return -ENOMEM;
69473 -               goto munmap_back;
69474 +               vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69475 +               BUG_ON(vma && vma->vm_start < addr + len);
69476         }
69477  
69478         /* Check against address space limits *after* clearing old maps... */
69479 -       if (!may_expand_vm(mm, len >> PAGE_SHIFT))
69480 +       if (!may_expand_vm(mm, charged))
69481                 return -ENOMEM;
69482  
69483         if (mm->map_count > sysctl_max_map_count)
69484                 return -ENOMEM;
69485  
69486 -       if (security_vm_enough_memory(len >> PAGE_SHIFT))
69487 +       if (security_vm_enough_memory(charged))
69488                 return -ENOMEM;
69489  
69490         /* Can we just expand an old private anonymous mapping? */
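Review bot: The BUG_ON at 69478 turns an overlapping vma still present after do_munmap into a kernel panic, where the vanilla code retried through munmap_back; what makes a second overlap impossible is not visible in this hunk. If the retry really is redundant, a non-fatal failure keeps the machine up: `if (WARN_ON_ONCE(vma && vma->vm_start < addr + len)) return -ENOMEM;`. do_brk continues beyond the hunk.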
69491 @@ -2211,7 +2641,7 @@ unsigned long do_brk(unsigned long addr,
69492          */
69493         vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69494         if (!vma) {
69495 -               vm_unacct_memory(len >> PAGE_SHIFT);
69496 +               vm_unacct_memory(charged);
69497                 return -ENOMEM;
69498         }
69499  
69500 @@ -2225,11 +2655,12 @@ unsigned long do_brk(unsigned long addr,
69501         vma_link(mm, vma, prev, rb_link, rb_parent);
69502  out:
69503         perf_event_mmap(vma);
69504 -       mm->total_vm += len >> PAGE_SHIFT;
69505 +       mm->total_vm += charged;
69506         if (flags & VM_LOCKED) {
69507                 if (!mlock_vma_pages_range(vma, addr, addr + len))
69508 -                       mm->locked_vm += (len >> PAGE_SHIFT);
69509 +                       mm->locked_vm += charged;
69510         }
69511 +       track_exec_limit(mm, addr, addr + len, flags);
69512         return addr;
69513  }
69514  
69515 @@ -2276,8 +2707,10 @@ void exit_mmap(struct mm_struct *mm)
69516          * Walk the list again, actually closing and freeing it,
69517          * with preemption enabled, without holding any MM locks.
69518          */
69519 -       while (vma)
69520 +       while (vma) {
69521 +               vma->vm_mirror = NULL;
69522                 vma = remove_vma(vma);
69523 +       }
69524  
69525         BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
69526  }
69527 @@ -2291,6 +2724,13 @@ int insert_vm_struct(struct mm_struct * 
69528         struct vm_area_struct * __vma, * prev;
69529         struct rb_node ** rb_link, * rb_parent;
69530  
69531 +#ifdef CONFIG_PAX_SEGMEXEC
69532 +       struct vm_area_struct *vma_m = NULL;
69533 +#endif
69534 +
69535 +       if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
69536 +               return -EPERM;
69537 +
69538         /*
69539          * The vm_pgoff of a purely anonymous vma should be irrelevant
69540          * until its first write fault, when page's anon_vma and index
69541 @@ -2313,7 +2753,22 @@ int insert_vm_struct(struct mm_struct * 
69542         if ((vma->vm_flags & VM_ACCOUNT) &&
69543              security_vm_enough_memory_mm(mm, vma_pages(vma)))
69544                 return -ENOMEM;
69545 +
69546 +#ifdef CONFIG_PAX_SEGMEXEC
69547 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
69548 +               vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69549 +               if (!vma_m)
69550 +                       return -ENOMEM;
69551 +       }
69552 +#endif
69553 +
69554         vma_link(mm, vma, prev, rb_link, rb_parent);
69555 +
69556 +#ifdef CONFIG_PAX_SEGMEXEC
69557 +       if (vma_m)
69558 +               BUG_ON(pax_mirror_vma(vma_m, vma));
69559 +#endif
69560 +
69561         return 0;
69562  }
69563  
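Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` at 69561 turns an -ENOMEM from pax_mirror_vma (its anon_vma_clone can fail) into a kernel panic, whereas mprotect_fixup handles the same return by restoring the flags and failing. Since vma is already linked by that point, propagating the error means unlinking it again; if that is judged not worth it, a comment above the BUG_ON should state that an allocation failure is deliberately fatal here and why, and that vma_m allocated at 69551 is released by nobody on that path. insert_vm_struct's header lies outside the hunk.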
69564 @@ -2331,6 +2786,8 @@ struct vm_area_struct *copy_vma(struct v
69565         struct rb_node **rb_link, *rb_parent;
69566         struct mempolicy *pol;
69567  
69568 +       BUG_ON(vma->vm_mirror);
69569 +
69570         /*
69571          * If anonymous vma has not yet been faulted, update new pgoff
69572          * to match new location, to increase its chance of merging.
69573 @@ -2381,6 +2838,39 @@ struct vm_area_struct *copy_vma(struct v
69574         return NULL;
69575  }
69576  
69577 +#ifdef CONFIG_PAX_SEGMEXEC
69578 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
69579 +{
69580 +       struct vm_area_struct *prev_m;
69581 +       struct rb_node **rb_link_m, *rb_parent_m;
69582 +       struct mempolicy *pol_m;
69583 +
69584 +       BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
69585 +       BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
69586 +       BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
69587 +       *vma_m = *vma;
69588 +       INIT_LIST_HEAD(&vma_m->anon_vma_chain);
69589 +       if (anon_vma_clone(vma_m, vma))
69590 +               return -ENOMEM;
69591 +       pol_m = vma_policy(vma_m);
69592 +       mpol_get(pol_m);
69593 +       vma_set_policy(vma_m, pol_m);
69594 +       vma_m->vm_start += SEGMEXEC_TASK_SIZE;
69595 +       vma_m->vm_end += SEGMEXEC_TASK_SIZE;
69596 +       vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
69597 +       vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
69598 +       if (vma_m->vm_file)
69599 +               get_file(vma_m->vm_file);
69600 +       if (vma_m->vm_ops && vma_m->vm_ops->open)
69601 +               vma_m->vm_ops->open(vma_m);
69602 +       find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
69603 +       vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
69604 +       vma_m->vm_mirror = vma;
69605 +       vma->vm_mirror = vma_m;
69606 +       return 0;
69607 +}
69608 +#endif
69609 +
69610  /*
69611   * Return true if the calling process may expand its vm space by the passed
69612   * number of pages
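Review bot: On the anon_vma_clone failure at 69592–69593 pax_mirror_vma returns -ENOMEM without freeing vma_m, and its caller in mprotect_fixup (69772–69782) then jumps to `fail`, which is outside that hunk; unless `fail` frees vma_m, the zalloc'd mirror leaks on that path. Ownership should be settled in one place, either `kmem_cache_free(vm_area_cachep, vma_m); return -ENOMEM;` here or a header comment stating that vma_m remains owned by the caller on failure. The function also needs a short header naming what its BUG_ONs assume (vma executable in a SEGMEXEC mm, neither side mirrored yet) and its locking (the vma_link suggests mmap_sem held for writing, confirm), e.g. `/* Create the SEGMEXEC mirror of vma at +SEGMEXEC_TASK_SIZE: read/exec only, never accounted or locked. Caller holds mmap_sem for writing. */`.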
69613 @@ -2391,7 +2881,7 @@ int may_expand_vm(struct mm_struct *mm, 
69614         unsigned long lim;
69615  
69616         lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
69617 -
69618 +       gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
69619         if (cur + npages > lim)
69620                 return 0;
69621         return 1;
69622 @@ -2462,6 +2952,22 @@ int install_special_mapping(struct mm_st
69623         vma->vm_start = addr;
69624         vma->vm_end = addr + len;
69625  
69626 +#ifdef CONFIG_PAX_MPROTECT
69627 +       if (mm->pax_flags & MF_PAX_MPROTECT) {
69628 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
69629 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
69630 +                       return -EPERM;
69631 +               if (!(vm_flags & VM_EXEC))
69632 +                       vm_flags &= ~VM_MAYEXEC;
69633 +#else
69634 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
69635 +                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
69636 +#endif
69637 +               else
69638 +                       vm_flags &= ~VM_MAYWRITE;
69639 +       }
69640 +#endif
69641 +
69642         vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
69643         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
69644  
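Review bot: The `else` at 69640 pairs with a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT, because the conditional block at 69631–69639 ends in the middle of an if/else statement; the mprotect syscall at 69819–69825 uses the same `} else` + `#endif` + `if` construction. Each configuration branch should be syntactically complete on its own so the control flow can be read without mentally expanding the preprocessor. install_special_mapping's body continues past the hunk.

```c
	if (mm->pax_flags & MF_PAX_MPROTECT) {
#ifndef CONFIG_PAX_MPROTECT_COMPAT
		if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
			return -EPERM;
		if (!(vm_flags & VM_EXEC))
			vm_flags &= ~VM_MAYEXEC;
		else
			vm_flags &= ~VM_MAYWRITE;
#else
		if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
			vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
		else
			vm_flags &= ~VM_MAYWRITE;
#endif
	}
```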
69645 diff -urNp linux-3.0.9/mm/mprotect.c linux-3.0.9/mm/mprotect.c
69646 --- linux-3.0.9/mm/mprotect.c   2011-11-11 13:12:24.000000000 -0500
69647 +++ linux-3.0.9/mm/mprotect.c   2011-11-15 20:03:00.000000000 -0500
69648 @@ -23,10 +23,16 @@
69649  #include <linux/mmu_notifier.h>
69650  #include <linux/migrate.h>
69651  #include <linux/perf_event.h>
69652 +
69653 +#ifdef CONFIG_PAX_MPROTECT
69654 +#include <linux/elf.h>
69655 +#endif
69656 +
69657  #include <asm/uaccess.h>
69658  #include <asm/pgtable.h>
69659  #include <asm/cacheflush.h>
69660  #include <asm/tlbflush.h>
69661 +#include <asm/mmu_context.h>
69662  
69663  #ifndef pgprot_modify
69664  static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
69665 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
69666         flush_tlb_range(vma, start, end);
69667  }
69668  
69669 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69670 +/* called while holding the mmap semaphor for writing except stack expansion */
69671 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
69672 +{
69673 +       unsigned long oldlimit, newlimit = 0UL;
69674 +
69675 +       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
69676 +               return;
69677 +
69678 +       spin_lock(&mm->page_table_lock);
69679 +       oldlimit = mm->context.user_cs_limit;
69680 +       if ((prot & VM_EXEC) && oldlimit < end)
69681 +               /* USER_CS limit moved up */
69682 +               newlimit = end;
69683 +       else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
69684 +               /* USER_CS limit moved down */
69685 +               newlimit = start;
69686 +
69687 +       if (newlimit) {
69688 +               mm->context.user_cs_limit = newlimit;
69689 +
69690 +#ifdef CONFIG_SMP
69691 +               wmb();
69692 +               cpus_clear(mm->context.cpu_user_cs_mask);
69693 +               cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
69694 +#endif
69695 +
69696 +               set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
69697 +       }
69698 +       spin_unlock(&mm->page_table_lock);
69699 +       if (newlimit == end) {
69700 +               struct vm_area_struct *vma = find_vma(mm, oldlimit);
69701 +
69702 +               for (; vma && vma->vm_start < end; vma = vma->vm_next)
69703 +                       if (is_vm_hugetlb_page(vma))
69704 +                               hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
69705 +                       else
69706 +                               change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
69707 +       }
69708 +}
69709 +#endif
69710 +
69711  int
69712  mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
69713         unsigned long start, unsigned long end, unsigned long newflags)
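Review bot: The comment at 69673 reads `semaphor` and should be `semaphore`, and it would help to say what the function is for: the early return at 69678 shows it only acts for a PAGEEXEC mm on a CPU whose page tables have no NX bit, and the two branches at 69683–69688 appear to keep user_cs_limit at the end of the highest executable range, so a header such as `/* Emulate NX on non-NX x86 by keeping USER_CS's limit at the end of the highest executable mapping. Called with mmap_sem held for writing, except during stack expansion. */` would state the intent. Callers in mmap.c and mremap.c invoke track_exec_limit unconditionally while it is defined only under CONFIG_ARCH_TRACK_EXEC_LIMIT, so a stub must exist elsewhere (not visible here).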
69714 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
69715         int error;
69716         int dirty_accountable = 0;
69717  
69718 +#ifdef CONFIG_PAX_SEGMEXEC
69719 +       struct vm_area_struct *vma_m = NULL;
69720 +       unsigned long start_m, end_m;
69721 +
69722 +       start_m = start + SEGMEXEC_TASK_SIZE;
69723 +       end_m = end + SEGMEXEC_TASK_SIZE;
69724 +#endif
69725 +
69726         if (newflags == oldflags) {
69727                 *pprev = vma;
69728                 return 0;
69729         }
69730  
69731 +       if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
69732 +               struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
69733 +
69734 +               if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
69735 +                       return -ENOMEM;
69736 +
69737 +               if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
69738 +                       return -ENOMEM;
69739 +       }
69740 +
69741         /*
69742          * If we make a private mapping writable we increase our commit;
69743          * but (without finer accounting) cannot reduce our commit if we
69744 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
69745                 }
69746         }
69747  
69748 +#ifdef CONFIG_PAX_SEGMEXEC
69749 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
69750 +               if (start != vma->vm_start) {
69751 +                       error = split_vma(mm, vma, start, 1);
69752 +                       if (error)
69753 +                               goto fail;
69754 +                       BUG_ON(!*pprev || (*pprev)->vm_next == vma);
69755 +                       *pprev = (*pprev)->vm_next;
69756 +               }
69757 +
69758 +               if (end != vma->vm_end) {
69759 +                       error = split_vma(mm, vma, end, 0);
69760 +                       if (error)
69761 +                               goto fail;
69762 +               }
69763 +
69764 +               if (pax_find_mirror_vma(vma)) {
69765 +                       error = __do_munmap(mm, start_m, end_m - start_m);
69766 +                       if (error)
69767 +                               goto fail;
69768 +               } else {
69769 +                       vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69770 +                       if (!vma_m) {
69771 +                               error = -ENOMEM;
69772 +                               goto fail;
69773 +                       }
69774 +                       vma->vm_flags = newflags;
69775 +                       error = pax_mirror_vma(vma_m, vma);
69776 +                       if (error) {
69777 +                               vma->vm_flags = oldflags;
69778 +                               goto fail;
69779 +                       }
69780 +               }
69781 +       }
69782 +#endif
69783 +
69784         /*
69785          * First try to merge with previous and/or next vma.
69786          */
69787 @@ -204,9 +306,21 @@ success:
69788          * vm_flags and vm_page_prot are protected by the mmap_sem
69789          * held in write mode.
69790          */
69791 +
69792 +#ifdef CONFIG_PAX_SEGMEXEC
69793 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
69794 +               pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
69795 +#endif
69796 +
69797         vma->vm_flags = newflags;
69798 +
69799 +#ifdef CONFIG_PAX_MPROTECT
69800 +       if (mm->binfmt && mm->binfmt->handle_mprotect)
69801 +               mm->binfmt->handle_mprotect(vma, newflags);
69802 +#endif
69803 +
69804         vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
69805 -                                         vm_get_page_prot(newflags));
69806 +                                         vm_get_page_prot(vma->vm_flags));
69807  
69808         if (vma_wants_writenotify(vma)) {
69809                 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
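Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ` at 69797 dereferences the lookup result unchecked; should the mirror invariant ever fail for an executable vma in a SEGMEXEC mm this is a NULL dereference, so storing the result in a local and asserting it (`BUG_ON(!vma_m)`) makes the assumption explicit. Separately, 69809 now derives vm_page_prot from `vma->vm_flags` so that handle_mprotect's adjustments at 69803–69804 take effect, but the writenotify branch at 69812 still uses `newflags`; for consistency it should read `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. mprotect_fixup continues past the hunk.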
69810 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69811         end = start + len;
69812         if (end <= start)
69813                 return -ENOMEM;
69814 +
69815 +#ifdef CONFIG_PAX_SEGMEXEC
69816 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69817 +               if (end > SEGMEXEC_TASK_SIZE)
69818 +                       return -EINVAL;
69819 +       } else
69820 +#endif
69821 +
69822 +       if (end > TASK_SIZE)
69823 +               return -EINVAL;
69824 +
69825         if (!arch_validate_prot(prot))
69826                 return -EINVAL;
69827  
69828 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69829         /*
69830          * Does the application expect PROT_READ to imply PROT_EXEC:
69831          */
69832 -       if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
69833 +       if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
69834                 prot |= PROT_EXEC;
69835  
69836         vm_flags = calc_vm_prot_bits(prot);
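Review bot: The comment at 69833 still says "PROT_READ to imply PROT_EXEC" while the condition at 69836 now also fires on PROT_WRITE; it should match the code, e.g. `/* Does the application expect PROT_READ (or PROT_WRITE) to imply PROT_EXEC: */`. A sentence on why a write-only request is treated like a read under READ_IMPLIES_EXEC would help too, since the reason is not visible here.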
69837 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69838         if (start > vma->vm_start)
69839                 prev = vma;
69840  
69841 +#ifdef CONFIG_PAX_MPROTECT
69842 +       if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
69843 +               current->mm->binfmt->handle_mprotect(vma, vm_flags);
69844 +#endif
69845 +
69846         for (nstart = start ; ; ) {
69847                 unsigned long newflags;
69848  
69849 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69850  
69851                 /* newflags >> 4 shift VM_MAY% in place of VM_% */
69852                 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
69853 +                       if (prot & (PROT_WRITE | PROT_EXEC))
69854 +                               gr_log_rwxmprotect(vma->vm_file);
69855 +
69856 +                       error = -EACCES;
69857 +                       goto out;
69858 +               }
69859 +
69860 +               if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
69861                         error = -EACCES;
69862                         goto out;
69863                 }
69864 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69865                 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
69866                 if (error)
69867                         goto out;
69868 +
69869 +               track_exec_limit(current->mm, nstart, tmp, vm_flags);
69870 +
69871                 nstart = tmp;
69872  
69873                 if (nstart < prev->vm_end)
69874 diff -urNp linux-3.0.9/mm/mremap.c linux-3.0.9/mm/mremap.c
69875 --- linux-3.0.9/mm/mremap.c     2011-11-11 13:12:24.000000000 -0500
69876 +++ linux-3.0.9/mm/mremap.c     2011-11-15 20:03:00.000000000 -0500
69877 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
69878                         continue;
69879                 pte = ptep_clear_flush(vma, old_addr, old_pte);
69880                 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
69881 +
69882 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69883 +               if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
69884 +                       pte = pte_exprotect(pte);
69885 +#endif
69886 +
69887                 set_pte_at(mm, new_addr, new_pte, pte);
69888         }
69889  
69890 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
69891         if (is_vm_hugetlb_page(vma))
69892                 goto Einval;
69893  
69894 +#ifdef CONFIG_PAX_SEGMEXEC
69895 +       if (pax_find_mirror_vma(vma))
69896 +               goto Einval;
69897 +#endif
69898 +
69899         /* We can't remap across vm area boundaries */
69900         if (old_len > vma->vm_end - addr)
69901                 goto Efault;
69902 @@ -328,20 +339,25 @@ static unsigned long mremap_to(unsigned 
69903         unsigned long ret = -EINVAL;
69904         unsigned long charged = 0;
69905         unsigned long map_flags;
69906 +       unsigned long pax_task_size = TASK_SIZE;
69907  
69908         if (new_addr & ~PAGE_MASK)
69909                 goto out;
69910  
69911 -       if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
69912 +#ifdef CONFIG_PAX_SEGMEXEC
69913 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
69914 +               pax_task_size = SEGMEXEC_TASK_SIZE;
69915 +#endif
69916 +
69917 +       pax_task_size -= PAGE_SIZE;
69918 +
69919 +       if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
69920                 goto out;
69921  
69922         /* Check if the location we're moving into overlaps the
69923          * old location at all, and fail if it does.
69924          */
69925 -       if ((new_addr <= addr) && (new_addr+new_len) > addr)
69926 -               goto out;
69927 -
69928 -       if ((addr <= new_addr) && (addr+old_len) > new_addr)
69929 +       if (addr + old_len > new_addr && new_addr + new_len > addr)
69930                 goto out;
69931  
69932         ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
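Review bot: The bound check at 69922 mixes limits, `new_len > TASK_SIZE` but `new_addr > pax_task_size - new_len`; for a new_len between pax_task_size and TASK_SIZE the subtraction wraps and the second test passes, so taken on its own this function would accept a mapping ending beyond pax_task_size. do_mremap's check at 69955–69957 shields the visible caller, but mremap_to should stand alone: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The reason for `pax_task_size -= PAGE_SIZE` at 69920 (repeated in do_mremap) is not stated and deserves a comment. mremap_to continues past the hunk.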
69933 @@ -413,6 +429,7 @@ unsigned long do_mremap(unsigned long ad
69934         struct vm_area_struct *vma;
69935         unsigned long ret = -EINVAL;
69936         unsigned long charged = 0;
69937 +       unsigned long pax_task_size = TASK_SIZE;
69938  
69939         if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
69940                 goto out;
69941 @@ -431,6 +448,17 @@ unsigned long do_mremap(unsigned long ad
69942         if (!new_len)
69943                 goto out;
69944  
69945 +#ifdef CONFIG_PAX_SEGMEXEC
69946 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
69947 +               pax_task_size = SEGMEXEC_TASK_SIZE;
69948 +#endif
69949 +
69950 +       pax_task_size -= PAGE_SIZE;
69951 +
69952 +       if (new_len > pax_task_size || addr > pax_task_size-new_len ||
69953 +           old_len > pax_task_size || addr > pax_task_size-old_len)
69954 +               goto out;
69955 +
69956         if (flags & MREMAP_FIXED) {
69957                 if (flags & MREMAP_MAYMOVE)
69958                         ret = mremap_to(addr, old_len, new_addr, new_len);
69959 @@ -480,6 +508,7 @@ unsigned long do_mremap(unsigned long ad
69960                                                    addr + new_len);
69961                         }
69962                         ret = addr;
69963 +                       track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
69964                         goto out;
69965                 }
69966         }
69967 @@ -506,7 +535,13 @@ unsigned long do_mremap(unsigned long ad
69968                 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
69969                 if (ret)
69970                         goto out;
69971 +
69972 +               map_flags = vma->vm_flags;
69973                 ret = move_vma(vma, addr, old_len, new_len, new_addr);
69974 +               if (!(ret & ~PAGE_MASK)) {
69975 +                       track_exec_limit(current->mm, addr, addr + old_len, 0UL);
69976 +                       track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
69977 +               }
69978         }
69979  out:
69980         if (ret & ~PAGE_MASK)
69981 diff -urNp linux-3.0.9/mm/nobootmem.c linux-3.0.9/mm/nobootmem.c
69982 --- linux-3.0.9/mm/nobootmem.c  2011-11-11 13:12:24.000000000 -0500
69983 +++ linux-3.0.9/mm/nobootmem.c  2011-11-15 20:03:00.000000000 -0500
69984 @@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
69985  unsigned long __init free_all_memory_core_early(int nodeid)
69986  {
69987         int i;
69988 -       u64 start, end;
69989 +       u64 start, end, startrange, endrange;
69990         unsigned long count = 0;
69991 -       struct range *range = NULL;
69992 +       struct range *range = NULL, rangerange = { 0, 0 };
69993         int nr_range;
69994  
69995         nr_range = get_free_all_memory_range(&range, nodeid);
69996 +       startrange = __pa(range) >> PAGE_SHIFT;
69997 +       endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
69998  
69999         for (i = 0; i < nr_range; i++) {
70000                 start = range[i].start;
70001                 end = range[i].end;
70002 +               if (start <= endrange && startrange < end) {
70003 +                       BUG_ON(rangerange.start | rangerange.end);
70004 +                       rangerange = range[i];
70005 +                       continue;
70006 +               }
70007                 count += end - start;
70008                 __free_pages_memory(start, end);
70009         }
70010 +       start = rangerange.start;
70011 +       end = rangerange.end;
70012 +       count += end - start;
70013 +       __free_pages_memory(start, end);
70014  
70015         return count;
70016  }
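Review bot: The deferred free at 70013–70016 runs unconditionally, so when no range overlapped the `range` array it calls `__free_pages_memory(0, 0)`; that is harmless only if the helper accepts an empty range (its body is not in view), and `if (rangerange.end > rangerange.start)` around the block would remove the doubt. The `BUG_ON(rangerange.start | rangerange.end)` at 70006 encodes the assumption that the array lies within a single range, and the `continue` appears to exist so the array is not freed while it is still being walked; a comment saying so would explain both. `startrange`/`endrange` are also computed when nr_range is 0, so confirm get_free_all_memory_range never hands back a NULL `range` in that case.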
70017 diff -urNp linux-3.0.9/mm/nommu.c linux-3.0.9/mm/nommu.c
70018 --- linux-3.0.9/mm/nommu.c      2011-11-11 13:12:24.000000000 -0500
70019 +++ linux-3.0.9/mm/nommu.c      2011-11-15 20:03:00.000000000 -0500
70020 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
70021  int sysctl_overcommit_ratio = 50; /* default is 50% */
70022  int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
70023  int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
70024 -int heap_stack_gap = 0;
70025  
70026  atomic_long_t mmap_pages_allocated;
70027  
70028 @@ -826,15 +825,6 @@ struct vm_area_struct *find_vma(struct m
70029  EXPORT_SYMBOL(find_vma);
70030  
70031  /*
70032 - * find a VMA
70033 - * - we don't extend stack VMAs under NOMMU conditions
70034 - */
70035 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
70036 -{
70037 -       return find_vma(mm, addr);
70038 -}
70039 -
70040 -/*
70041   * expand a stack to a given address
70042   * - not supported under NOMMU conditions
70043   */
70044 @@ -1554,6 +1544,7 @@ int split_vma(struct mm_struct *mm, stru
70045  
70046         /* most fields are the same, copy all, and then fixup */
70047         *new = *vma;
70048 +       INIT_LIST_HEAD(&new->anon_vma_chain);
70049         *region = *vma->vm_region;
70050         new->vm_region = region;
70051  
70052 diff -urNp linux-3.0.9/mm/page_alloc.c linux-3.0.9/mm/page_alloc.c
70053 --- linux-3.0.9/mm/page_alloc.c 2011-11-11 13:12:24.000000000 -0500
70054 +++ linux-3.0.9/mm/page_alloc.c 2011-11-15 20:03:00.000000000 -0500
70055 @@ -340,7 +340,7 @@ out:
70056   * This usage means that zero-order pages may not be compound.
70057   */
70058  
70059 -static void free_compound_page(struct page *page)
70060 +void free_compound_page(struct page *page)
70061  {
70062         __free_pages_ok(page, compound_order(page));
70063  }
70064 @@ -653,6 +653,10 @@ static bool free_pages_prepare(struct pa
70065         int i;
70066         int bad = 0;
70067  
70068 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
70069 +       unsigned long index = 1UL << order;
70070 +#endif
70071 +
70072         trace_mm_page_free_direct(page, order);
70073         kmemcheck_free_shadow(page, order);
70074  
70075 @@ -668,6 +672,12 @@ static bool free_pages_prepare(struct pa
70076                 debug_check_no_obj_freed(page_address(page),
70077                                            PAGE_SIZE << order);
70078         }
70079 +
70080 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
70081 +       for (; index; --index)
70082 +               sanitize_highpage(page + index - 1);
70083 +#endif
70084 +
70085         arch_free_page(page, order);
70086         kernel_map_pages(page, 1 << order, 0);
70087  
70088 @@ -783,8 +793,10 @@ static int prep_new_page(struct page *pa
70089         arch_alloc_page(page, order);
70090         kernel_map_pages(page, 1 << order, 1);
70091  
70092 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
70093         if (gfp_flags & __GFP_ZERO)
70094                 prep_zero_page(page, order, gfp_flags);
70095 +#endif
70096  
70097         if (order && (gfp_flags & __GFP_COMP))
70098                 prep_compound_page(page, order);
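Review bot: With CONFIG_PAX_MEMORY_SANITIZE the `__GFP_ZERO` handling at 70096–70097 is compiled out entirely, so callers asking for zeroed pages now depend on every page having gone through the sanitize loop in free_pages_prepare (previous hunk); a page that reaches the free lists by any other path, or one that sanitize_highpage does not fully zero, would be handed out non-zero, which is an information leak as well as a correctness bug. That invariant should be written down where it is relied on, e.g. `/* PAX_MEMORY_SANITIZE zeroes every page in free_pages_prepare(), so __GFP_ZERO is already satisfied */`, ideally backed by a debug-only check that __GFP_ZERO pages really are zero. prep_new_page's body starts and ends outside the hunk.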
70099 @@ -2557,6 +2569,8 @@ void show_free_areas(unsigned int filter
70100         int cpu;
70101         struct zone *zone;
70102  
70103 +       pax_track_stack();
70104 +
70105         for_each_populated_zone(zone) {
70106                 if (skip_free_areas_node(filter, zone_to_nid(zone)))
70107                         continue;
70108 @@ -3368,7 +3382,13 @@ static int pageblock_is_reserved(unsigne
70109         unsigned long pfn;
70110  
70111         for (pfn = start_pfn; pfn < end_pfn; pfn++) {
70112 +#ifdef CONFIG_X86_32
70113 +               /* boot failures in VMware 8 on 32bit vanilla since
70114 +                  this change */
70115 +               if (!pfn_valid(pfn) || PageReserved(pfn_to_page(pfn)))
70116 +#else
70117                 if (!pfn_valid_within(pfn) || PageReserved(pfn_to_page(pfn)))
70118 +#endif
70119                         return 1;
70120         }
70121         return 0;
70122 diff -urNp linux-3.0.9/mm/percpu.c linux-3.0.9/mm/percpu.c
70123 --- linux-3.0.9/mm/percpu.c     2011-11-11 13:12:24.000000000 -0500
70124 +++ linux-3.0.9/mm/percpu.c     2011-11-15 20:03:00.000000000 -0500
70125 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu 
70126  static unsigned int pcpu_last_unit_cpu __read_mostly;
70127  
70128  /* the address of the first chunk which starts with the kernel static area */
70129 -void *pcpu_base_addr __read_mostly;
70130 +void *pcpu_base_addr __read_only;
70131  EXPORT_SYMBOL_GPL(pcpu_base_addr);
70132  
70133  static const int *pcpu_unit_map __read_mostly;         /* cpu -> unit */
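--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -153,6 +153,10 @@ int anon_vma_prepare(struct vm_area_stru
        struct anon_vma *anon_vma = vma->anon_vma;
        struct anon_vma_chain *avc;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+       struct anon_vma_chain *avc_m = NULL;
+#endif
+
        might_sleep();
        if (unlikely(!anon_vma)) {
                struct mm_struct *mm = vma->vm_mm;
@@ -162,6 +166,12 @@ int anon_vma_prepare(struct vm_area_stru
                if (!avc)
                        goto out_enomem;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+               avc_m = anon_vma_chain_alloc(GFP_KERNEL);
+               if (!avc_m)
+                       goto out_enomem_free_avc;
+#endif
+
                anon_vma = find_mergeable_anon_vma(vma);
                allocated = NULL;
                if (!anon_vma) {
@@ -175,6 +185,21 @@ int anon_vma_prepare(struct vm_area_stru
                /* page_table_lock to protect against threads */
                spin_lock(&mm->page_table_lock);
                if (likely(!vma->anon_vma)) {
+
+#ifdef CONFIG_PAX_SEGMEXEC
+                       struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
+
+                       if (vma_m) {
+                               BUG_ON(vma_m->anon_vma);
+                               vma_m->anon_vma = anon_vma;
+                               avc_m->anon_vma = anon_vma;
+                               avc_m->vma = vma;
+                               list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
+                               list_add(&avc_m->same_anon_vma, &anon_vma->head);
+                               avc_m = NULL;
+                       }
+#endif
+
                        vma->anon_vma = anon_vma;
                        avc->anon_vma = anon_vma;
                        avc->vma = vma;
@@ -188,12 +213,24 @@ int anon_vma_prepare(struct vm_area_stru
 
                if (unlikely(allocated))
                        put_anon_vma(allocated);
+
+#ifdef CONFIG_PAX_SEGMEXEC
+               if (unlikely(avc_m))
+                       anon_vma_chain_free(avc_m);
+#endif
+
                if (unlikely(avc))
                        anon_vma_chain_free(avc);
        }
        return 0;
 
  out_enomem_free_avc:
+
+#ifdef CONFIG_PAX_SEGMEXEC
+       if (avc_m)
+               anon_vma_chain_free(avc_m);
+#endif
+
        anon_vma_chain_free(avc);
  out_enomem:
        return -ENOMEM;
@@ -244,7 +281,7 @@ static void anon_vma_chain_link(struct v
  * Attach the anon_vmas from src to dst.
  * Returns 0 on success, -ENOMEM on failure.
  */
-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
 {
        struct anon_vma_chain *avc, *pavc;
        struct anon_vma *root = NULL;
@@ -277,7 +314,7 @@ int anon_vma_clone(struct vm_area_struct
  * the corresponding VMA in the parent process is attached to.
  * Returns 0 on success, non-zero on failure.
  */
-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
 {
        struct anon_vma_chain *avc;
        struct anon_vma *anon_vma;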
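Review bot: In the third hunk the mirror's chain entry is pointed at the original VMA (`avc_m->vma = vma;`) while it is linked onto `vma_m->anon_vma_chain` and `anon_vma->head`, so reverse-map walks over that anon_vma will reach `vma` twice and `vma_m` never through its own entry; if that is deliberate, a one-line comment above the assignment stating why the mirror entry must refer to the original vma would stop the next reader from "fixing" it to `vma_m`, and if it is not, `vma_m` is the value that matches the list it is added to. The rest of the SEGMEXEC additions are balanced: `avc_m` is released on the lost-race path in the fourth hunk and on the `out_enomem_free_avc` path, and `BUG_ON(vma_m->anon_vma)` pins the invariant that the mirror has not been prepared separately. The `const` qualifiers on `anon_vma_clone` and `anon_vma_fork` are interface changes that need the matching prototype updates in the header, which are not in this section. anon_vma_prepare's body starts and ends outside the visible hunks.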
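--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -31,7 +31,7 @@
 #include <linux/percpu_counter.h>
 #include <linux/swap.h>
 
-static struct vfsmount *shm_mnt;
+struct vfsmount *shm_mnt;
 
 #ifdef CONFIG_SHMEM
 /*
@@ -1101,6 +1101,8 @@ static int shmem_writepage(struct page *
                goto unlock;
        }
        entry = shmem_swp_entry(info, index, NULL);
+       if (!entry)
+               goto unlock;
        if (entry->val) {
                /*
                 * The more uptodate page coming down from a stacked
@@ -1172,6 +1174,8 @@ static struct page *shmem_swapin(swp_ent
        struct vm_area_struct pvma;
        struct page *page;
 
+       pax_track_stack();
+
        spol = mpol_cond_copy(&mpol,
                                mpol_shared_policy_lookup(&info->policy, idx));
 
@@ -2568,8 +2572,7 @@ int shmem_fill_super(struct super_block 
        int err = -ENOMEM;
 
        /* Round up to L1_CACHE_BYTES to resist false sharing */
-       sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
-                               L1_CACHE_BYTES), GFP_KERNEL);
+       sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
        if (!sbinfo)
                return -ENOMEM;
 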
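Review bot: The rewritten kzalloc argument in the last hunk feeds `max()` a `size_t` (`sizeof(struct shmem_sb_info)`) and `L1_CACHE_BYTES`, which is an `int` constant on the common arches, and the kernel's `max()` macro type-checks its two operands; the `(int)` cast the removed line carried existed to satisfy that check, so the new line is likely to produce a "comparison of distinct pointer types lacks a cast" warning. `sbinfo = kzalloc(max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);` keeps the intended unsigned arithmetic without the mismatch. Dropping `static` from `shm_mnt` in the first hunk widens a file-private symbol to global linkage with no `extern` declaration or consumer visible in this section; a comment naming the user, e.g. `/* non-static: referenced outside this file */` with the actual site, would document why. The `if (!entry) goto unlock;` guard in shmem_writepage is a reasonable NULL check for a lookup that can fail, but it silently skips the write-out, so the caller's handling of that return path is worth confirming; shmem_writepage's body is outside the hunk.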
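--- a/mm/slab.c
+++ b/mm/slab.c
@@ -151,7 +151,7 @@
 
 /* Legal flag mask for kmem_cache_create(). */
 #if DEBUG
-# define CREATE_MASK   (SLAB_RED_ZONE | \
+# define CREATE_MASK   (SLAB_USERCOPY | SLAB_RED_ZONE | \
                         SLAB_POISON | SLAB_HWCACHE_ALIGN | \
                         SLAB_CACHE_DMA | \
                         SLAB_STORE_USER | \
@@ -159,7 +159,7 @@
                         SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
                         SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
 #else
-# define CREATE_MASK   (SLAB_HWCACHE_ALIGN | \
+# define CREATE_MASK   (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
                         SLAB_CACHE_DMA | \
                         SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
                         SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
@@ -288,7 +288,7 @@ struct kmem_list3 {
  * Need this for bootstrapping a per node allocator.
  */
 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
-static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
+static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
 #define        CACHE_CACHE 0
 #define        SIZE_AC MAX_NUMNODES
 #define        SIZE_L3 (2 * MAX_NUMNODES)
@@ -389,10 +389,10 @@ static void kmem_list3_init(struct kmem_
                if ((x)->max_freeable < i)                              \
                        (x)->max_freeable = i;                          \
        } while (0)
-#define STATS_INC_ALLOCHIT(x)  atomic_inc(&(x)->allochit)
-#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
-#define STATS_INC_FREEHIT(x)   atomic_inc(&(x)->freehit)
-#define STATS_INC_FREEMISS(x)  atomic_inc(&(x)->freemiss)
+#define STATS_INC_ALLOCHIT(x)  atomic_inc_unchecked(&(x)->allochit)
+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
+#define STATS_INC_FREEHIT(x)   atomic_inc_unchecked(&(x)->freehit)
+#define STATS_INC_FREEMISS(x)  atomic_inc_unchecked(&(x)->freemiss)
 #else
 #define        STATS_INC_ACTIVE(x)     do { } while (0)
 #define        STATS_DEC_ACTIVE(x)     do { } while (0)
@@ -538,7 +538,7 @@ static inline void *index_to_obj(struct 
  *   reciprocal_divide(offset, cache->reciprocal_buffer_size)
  */
 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
-                                       const struct slab *slab, void *obj)
+                                       const struct slab *slab, const void *obj)
 {
        u32 offset = (obj - slab->s_mem);
        return reciprocal_divide(offset, cache->reciprocal_buffer_size);
@@ -564,7 +564,7 @@ struct cache_names {
 static struct cache_names __initdata cache_names[] = {
 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
 #include <linux/kmalloc_sizes.h>
-       {NULL,}
+       {NULL}
 #undef CACHE
 };
 
@@ -1530,7 +1530,7 @@ void __init kmem_cache_init(void)
        sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
                                        sizes[INDEX_AC].cs_size,
                                        ARCH_KMALLOC_MINALIGN,
-                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC,
+                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
                                        NULL);
 
        if (INDEX_AC != INDEX_L3) {
@@ -1538,7 +1538,7 @@ void __init kmem_cache_init(void)
                        kmem_cache_create(names[INDEX_L3].name,
                                sizes[INDEX_L3].cs_size,
                                ARCH_KMALLOC_MINALIGN,
-                               ARCH_KMALLOC_FLAGS|SLAB_PANIC,
+                               ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
                                NULL);
        }
 
@@ -1556,7 +1556,7 @@ void __init kmem_cache_init(void)
                        sizes->cs_cachep = kmem_cache_create(names->name,
                                        sizes->cs_size,
                                        ARCH_KMALLOC_MINALIGN,
-                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC,
+                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
                                        NULL);
                }
 #ifdef CONFIG_ZONE_DMA
@@ -4272,10 +4272,10 @@ static int s_show(struct seq_file *m, vo
        }
        /* cpu stats */
        {
-               unsigned long allochit = atomic_read(&cachep->allochit);
-               unsigned long allocmiss = atomic_read(&cachep->allocmiss);
-               unsigned long freehit = atomic_read(&cachep->freehit);
-               unsigned long freemiss = atomic_read(&cachep->freemiss);
+               unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
+               unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
+               unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
+               unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
 
                seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
                           allochit, allocmiss, freehit, freemiss);
@@ -4532,15 +4532,66 @@ static const struct file_operations proc
 
 static int __init slab_proc_init(void)
 {
-       proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
+       mode_t gr_mode = S_IRUGO;
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+       gr_mode = S_IRUSR;
+#endif
+
+       proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
 #ifdef CONFIG_DEBUG_SLAB_LEAK
-       proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
+       proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
 #endif
        return 0;
 }
 module_init(slab_proc_init);
 #endif
 
+void check_object_size(const void *ptr, unsigned long n, bool to)
+{
+
+#ifdef CONFIG_PAX_USERCOPY
+       struct page *page;
+       struct kmem_cache *cachep = NULL;
+       struct slab *slabp;
+       unsigned int objnr;
+       unsigned long offset;
+
+       if (!n)
+               return;
+
+       if (ZERO_OR_NULL_PTR(ptr))
+               goto report;
+
+       if (!virt_addr_valid(ptr))
+               return;
+
+       page = virt_to_head_page(ptr);
+
+       if (!PageSlab(page)) {
+               if (object_is_on_stack(ptr, n) == -1)
+                       goto report;
+               return;
+       }
+
+       cachep = page_get_cache(page);
+       if (!(cachep->flags & SLAB_USERCOPY))
+               goto report;
+
+       slabp = page_get_slab(page);
+       objnr = obj_to_index(cachep, slabp, ptr);
+       BUG_ON(objnr >= cachep->num);
+       offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
+       if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
+               return;
+
+report:
+       pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
+#endif
+
+}
+EXPORT_SYMBOL(check_object_size);
+
 /**
  * ksize - get the actual amount of memory allocated for a given object
  * @objp: Pointer to the object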
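Review bot: check_object_size in the last hunk carries no header comment, and its silent-accept paths are easy to misread as coverage: a pointer that fails `virt_addr_valid()` (vmalloc, module and ioremap ranges) and a non-slab page that `object_is_on_stack()` does not reject both return without any report, while NULL/ZERO_SIZE_PTR, a cache lacking SLAB_USERCOPY and a span that leaves the object are reported. I'd add a comment above the function stating that it bounds-checks a user-copy span only for linear-mapped slab objects and the kernel stack, and deliberately says nothing about any other address. The `object_is_on_stack(ptr, n) == -1` comparison assumes that helper's -1 return means the span straddles the stack boundary; that contract is not visible in this section, so the comment should spell it out next to the test. The `BUG_ON(objnr >= cachep->num)` turns a corrupted or concurrently freed slab into a crash rather than a report; if a report is preferred for inconsistent metadata, `if (objnr >= cachep->num) goto report;` keeps the diagnostic path uniform. The same function is added to mm/slob.c and mm/slub.c in the following sections and this note applies to all three copies.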
70440 diff -urNp linux-3.0.9/mm/slob.c linux-3.0.9/mm/slob.c
70441 --- linux-3.0.9/mm/slob.c       2011-11-11 13:12:24.000000000 -0500
70442 +++ linux-3.0.9/mm/slob.c       2011-11-15 20:03:00.000000000 -0500
70443 @@ -29,7 +29,7 @@
70444   * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
70445   * alloc_pages() directly, allocating compound pages so the page order
70446   * does not have to be separately tracked, and also stores the exact
70447 - * allocation size in page->private so that it can be used to accurately
70448 + * allocation size in slob_page->size so that it can be used to accurately
70449   * provide ksize(). These objects are detected in kfree() because slob_page()
70450   * is false for them.
70451   *
70452 @@ -58,6 +58,7 @@
70453   */
70454  
70455  #include <linux/kernel.h>
70456 +#include <linux/sched.h>
70457  #include <linux/slab.h>
70458  #include <linux/mm.h>
70459  #include <linux/swap.h> /* struct reclaim_state */
70460 @@ -102,7 +103,8 @@ struct slob_page {
70461                         unsigned long flags;    /* mandatory */
70462                         atomic_t _count;        /* mandatory */
70463                         slobidx_t units;        /* free units left in page */
70464 -                       unsigned long pad[2];
70465 +                       unsigned long pad[1];
70466 +                       unsigned long size;     /* size when >=PAGE_SIZE */
70467                         slob_t *free;           /* first free slob_t in page */
70468                         struct list_head list;  /* linked list of free pages */
70469                 };
70470 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
70471   */
70472  static inline int is_slob_page(struct slob_page *sp)
70473  {
70474 -       return PageSlab((struct page *)sp);
70475 +       return PageSlab((struct page *)sp) && !sp->size;
70476  }
70477  
70478  static inline void set_slob_page(struct slob_page *sp)
70479 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
70480  
70481  static inline struct slob_page *slob_page(const void *addr)
70482  {
70483 -       return (struct slob_page *)virt_to_page(addr);
70484 +       return (struct slob_page *)virt_to_head_page(addr);
70485  }
70486  
70487  /*
70488 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
70489  /*
70490   * Return the size of a slob block.
70491   */
70492 -static slobidx_t slob_units(slob_t *s)
70493 +static slobidx_t slob_units(const slob_t *s)
70494  {
70495         if (s->units > 0)
70496                 return s->units;
70497 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
70498  /*
70499   * Return the next free slob block pointer after this one.
70500   */
70501 -static slob_t *slob_next(slob_t *s)
70502 +static slob_t *slob_next(const slob_t *s)
70503  {
70504         slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
70505         slobidx_t next;
70506 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
70507  /*
70508   * Returns true if s is the last free block in its page.
70509   */
70510 -static int slob_last(slob_t *s)
70511 +static int slob_last(const slob_t *s)
70512  {
70513         return !((unsigned long)slob_next(s) & ~PAGE_MASK);
70514  }
70515 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
70516         if (!page)
70517                 return NULL;
70518  
70519 +       set_slob_page(page);
70520         return page_address(page);
70521  }
70522  
70523 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
70524                 if (!b)
70525                         return NULL;
70526                 sp = slob_page(b);
70527 -               set_slob_page(sp);
70528  
70529                 spin_lock_irqsave(&slob_lock, flags);
70530                 sp->units = SLOB_UNITS(PAGE_SIZE);
70531                 sp->free = b;
70532 +               sp->size = 0;
70533                 INIT_LIST_HEAD(&sp->list);
70534                 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
70535                 set_slob_page_free(sp, slob_list);
70536 @@ -476,10 +479,9 @@ out:
70537   * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
70538   */
70539  
70540 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70541 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
70542  {
70543 -       unsigned int *m;
70544 -       int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70545 +       slob_t *m;
70546         void *ret;
70547  
70548         lockdep_trace_alloc(gfp);
70549 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t 
70550  
70551                 if (!m)
70552                         return NULL;
70553 -               *m = size;
70554 +               BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
70555 +               BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
70556 +               m[0].units = size;
70557 +               m[1].units = align;
70558                 ret = (void *)m + align;
70559  
70560                 trace_kmalloc_node(_RET_IP_, ret,
70561 @@ -504,16 +509,25 @@ void *__kmalloc_node(size_t size, gfp_t 
70562                         gfp |= __GFP_COMP;
70563                 ret = slob_new_pages(gfp, order, node);
70564                 if (ret) {
70565 -                       struct page *page;
70566 -                       page = virt_to_page(ret);
70567 -                       page->private = size;
70568 +                       struct slob_page *sp;
70569 +                       sp = slob_page(ret);
70570 +                       sp->size = size;
70571                 }
70572  
70573                 trace_kmalloc_node(_RET_IP_, ret,
70574                                    size, PAGE_SIZE << order, gfp, node);
70575         }
70576  
70577 -       kmemleak_alloc(ret, size, 1, gfp);
70578 +       return ret;
70579 +}
70580 +
70581 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70582 +{
70583 +       int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70584 +       void *ret = __kmalloc_node_align(size, gfp, node, align);
70585 +
70586 +       if (!ZERO_OR_NULL_PTR(ret))
70587 +               kmemleak_alloc(ret, size, 1, gfp);
70588         return ret;
70589  }
70590  EXPORT_SYMBOL(__kmalloc_node);
70591 @@ -531,13 +545,88 @@ void kfree(const void *block)
70592         sp = slob_page(block);
70593         if (is_slob_page(sp)) {
70594                 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70595 -               unsigned int *m = (unsigned int *)(block - align);
70596 -               slob_free(m, *m + align);
70597 -       } else
70598 +               slob_t *m = (slob_t *)(block - align);
70599 +               slob_free(m, m[0].units + align);
70600 +       } else {
70601 +               clear_slob_page(sp);
70602 +               free_slob_page(sp);
70603 +               sp->size = 0;
70604                 put_page(&sp->page);
70605 +       }
70606  }
70607  EXPORT_SYMBOL(kfree);
70608  
70609 +void check_object_size(const void *ptr, unsigned long n, bool to)
70610 +{
70611 +
70612 +#ifdef CONFIG_PAX_USERCOPY
70613 +       struct slob_page *sp;
70614 +       const slob_t *free;
70615 +       const void *base;
70616 +       unsigned long flags;
70617 +
70618 +       if (!n)
70619 +               return;
70620 +
70621 +       if (ZERO_OR_NULL_PTR(ptr))
70622 +               goto report;
70623 +
70624 +       if (!virt_addr_valid(ptr))
70625 +               return;
70626 +
70627 +       sp = slob_page(ptr);
70628 +       if (!PageSlab((struct page*)sp)) {
70629 +               if (object_is_on_stack(ptr, n) == -1)
70630 +                       goto report;
70631 +               return;
70632 +       }
70633 +
70634 +       if (sp->size) {
70635 +               base = page_address(&sp->page);
70636 +               if (base <= ptr && n <= sp->size - (ptr - base))
70637 +                       return;
70638 +               goto report;
70639 +       }
70640 +
70641 +       /* some tricky double walking to find the chunk */
70642 +       spin_lock_irqsave(&slob_lock, flags);
70643 +       base = (void *)((unsigned long)ptr & PAGE_MASK);
70644 +       free = sp->free;
70645 +
70646 +       while (!slob_last(free) && (void *)free <= ptr) {
70647 +               base = free + slob_units(free);
70648 +               free = slob_next(free);
70649 +       }
70650 +
70651 +       while (base < (void *)free) {
70652 +               slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
70653 +               int size = SLOB_UNIT * SLOB_UNITS(m + align);
70654 +               int offset;
70655 +
70656 +               if (ptr < base + align)
70657 +                       break;
70658 +
70659 +               offset = ptr - base - align;
70660 +               if (offset >= m) {
70661 +                       base += size;
70662 +                       continue;
70663 +               }
70664 +
70665 +               if (n > m - offset)
70666 +                       break;
70667 +
70668 +               spin_unlock_irqrestore(&slob_lock, flags);
70669 +               return;
70670 +       }
70671 +
70672 +       spin_unlock_irqrestore(&slob_lock, flags);
70673 +report:
70674 +       pax_report_usercopy(ptr, n, to, NULL);
70675 +#endif
70676 +
70677 +}
70678 +EXPORT_SYMBOL(check_object_size);
70679 +
70680  /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
70681  size_t ksize(const void *block)
70682  {
70683 @@ -550,10 +639,10 @@ size_t ksize(const void *block)
70684         sp = slob_page(block);
70685         if (is_slob_page(sp)) {
70686                 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70687 -               unsigned int *m = (unsigned int *)(block - align);
70688 -               return SLOB_UNITS(*m) * SLOB_UNIT;
70689 +               slob_t *m = (slob_t *)(block - align);
70690 +               return SLOB_UNITS(m[0].units) * SLOB_UNIT;
70691         } else
70692 -               return sp->page.private;
70693 +               return sp->size;
70694  }
70695  EXPORT_SYMBOL(ksize);
70696  
70697 @@ -569,8 +658,13 @@ struct kmem_cache *kmem_cache_create(con
70698  {
70699         struct kmem_cache *c;
70700  
70701 +#ifdef CONFIG_PAX_USERCOPY
70702 +       c = __kmalloc_node_align(sizeof(struct kmem_cache),
70703 +               GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
70704 +#else
70705         c = slob_alloc(sizeof(struct kmem_cache),
70706                 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
70707 +#endif
70708  
70709         if (c) {
70710                 c->name = name;
70711 @@ -608,17 +702,25 @@ void *kmem_cache_alloc_node(struct kmem_
70712  {
70713         void *b;
70714  
70715 +#ifdef CONFIG_PAX_USERCOPY
70716 +       b = __kmalloc_node_align(c->size, flags, node, c->align);
70717 +#else
70718         if (c->size < PAGE_SIZE) {
70719                 b = slob_alloc(c->size, flags, c->align, node);
70720                 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70721                                             SLOB_UNITS(c->size) * SLOB_UNIT,
70722                                             flags, node);
70723         } else {
70724 +               struct slob_page *sp;
70725 +
70726                 b = slob_new_pages(flags, get_order(c->size), node);
70727 +               sp = slob_page(b);
70728 +               sp->size = c->size;
70729                 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70730                                             PAGE_SIZE << get_order(c->size),
70731                                             flags, node);
70732         }
70733 +#endif
70734  
70735         if (c->ctor)
70736                 c->ctor(b);
70737 @@ -630,10 +732,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
70738  
70739  static void __kmem_cache_free(void *b, int size)
70740  {
70741 -       if (size < PAGE_SIZE)
70742 +       struct slob_page *sp = slob_page(b);
70743 +
70744 +       if (is_slob_page(sp))
70745                 slob_free(b, size);
70746 -       else
70747 +       else {
70748 +               clear_slob_page(sp);
70749 +               free_slob_page(sp);
70750 +               sp->size = 0;
70751                 slob_free_pages(b, get_order(size));
70752 +       }
70753  }
70754  
70755  static void kmem_rcu_free(struct rcu_head *head)
70756 @@ -646,17 +754,31 @@ static void kmem_rcu_free(struct rcu_hea
70757  
70758  void kmem_cache_free(struct kmem_cache *c, void *b)
70759  {
70760 +       int size = c->size;
70761 +
70762 +#ifdef CONFIG_PAX_USERCOPY
70763 +       if (size + c->align < PAGE_SIZE) {
70764 +               size += c->align;
70765 +               b -= c->align;
70766 +       }
70767 +#endif
70768 +
70769         kmemleak_free_recursive(b, c->flags);
70770         if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
70771                 struct slob_rcu *slob_rcu;
70772 -               slob_rcu = b + (c->size - sizeof(struct slob_rcu));
70773 -               slob_rcu->size = c->size;
70774 +               slob_rcu = b + (size - sizeof(struct slob_rcu));
70775 +               slob_rcu->size = size;
70776                 call_rcu(&slob_rcu->head, kmem_rcu_free);
70777         } else {
70778 -               __kmem_cache_free(b, c->size);
70779 +               __kmem_cache_free(b, size);
70780         }
70781  
70782 +#ifdef CONFIG_PAX_USERCOPY
70783 +       trace_kfree(_RET_IP_, b);
70784 +#else
70785         trace_kmem_cache_free(_RET_IP_, b);
70786 +#endif
70787 +
70788  }
70789  EXPORT_SYMBOL(kmem_cache_free);
70790  
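Review bot: In the kmem_cache_free hunk, the CONFIG_PAX_USERCOPY block rewinds `b -= c->align` before `kmemleak_free_recursive(b, c->flags)` and before the trace call, so kmemleak and the tracepoint receive the header address rather than the object pointer the allocator handed out; if kmem_cache_alloc_node still registers the object pointer with kmemleak after its ctor call (that line is outside the visible hunk), kmemleak will not find the object on free and may keep reporting it as leaked. Moving `kmemleak_free_recursive(b, c->flags);` above the `#ifdef CONFIG_PAX_USERCOPY` block, or keeping the unadjusted pointer in a local for kmemleak and the tracepoint, removes the mismatch. Switching to `trace_kfree(_RET_IP_, b)` in USERCOPY builds also changes which tracepoint fires for cache objects, which tracing consumers will notice; a comment explaining that cache objects are now kmalloc-style chunks with a size/align header would justify it. In the slob check_object_size, the second loop reads `((slob_t *)base)[0].units` and `[1].units` as the header written by `__kmalloc_node_align`, which only holds because every small allocation in a USERCOPY build is routed through that function (kmem_cache_alloc_node and kmem_cache_create are switched over in this section); a comment at the top of that loop stating the invariant would protect it against a future direct slob_alloc() caller. kmem_cache_free's body is fully inside the hunk, but kmem_cache_alloc_node's kmemleak registration is not.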
70791 diff -urNp linux-3.0.9/mm/slub.c linux-3.0.9/mm/slub.c
70792 --- linux-3.0.9/mm/slub.c       2011-11-11 13:12:24.000000000 -0500
70793 +++ linux-3.0.9/mm/slub.c       2011-11-15 20:03:00.000000000 -0500
70794 @@ -200,7 +200,7 @@ struct track {
70795  
70796  enum track_item { TRACK_ALLOC, TRACK_FREE };
70797  
70798 -#ifdef CONFIG_SYSFS
70799 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70800  static int sysfs_slab_add(struct kmem_cache *);
70801  static int sysfs_slab_alias(struct kmem_cache *, const char *);
70802  static void sysfs_slab_remove(struct kmem_cache *);
70803 @@ -442,7 +442,7 @@ static void print_track(const char *s, s
70804         if (!t->addr)
70805                 return;
70806  
70807 -       printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
70808 +       printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
70809                 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
70810  }
70811  
70812 @@ -2137,6 +2137,8 @@ void kmem_cache_free(struct kmem_cache *
70813  
70814         page = virt_to_head_page(x);
70815  
70816 +       BUG_ON(!PageSlab(page));
70817 +
70818         slab_free(s, page, x, _RET_IP_);
70819  
70820         trace_kmem_cache_free(_RET_IP_, x);
70821 @@ -2170,7 +2172,7 @@ static int slub_min_objects;
70822   * Merge control. If this is set then no merging of slab caches will occur.
70823   * (Could be removed. This was introduced to pacify the merge skeptics.)
70824   */
70825 -static int slub_nomerge;
70826 +static int slub_nomerge = 1;
70827  
70828  /*
70829   * Calculate the order of allocation given an slab object size.
70830 @@ -2594,7 +2596,7 @@ static int kmem_cache_open(struct kmem_c
70831          * list to avoid pounding the page allocator excessively.
70832          */
70833         set_min_partial(s, ilog2(s->size));
70834 -       s->refcount = 1;
70835 +       atomic_set(&s->refcount, 1);
70836  #ifdef CONFIG_NUMA
70837         s->remote_node_defrag_ratio = 1000;
70838  #endif
70839 @@ -2699,8 +2701,7 @@ static inline int kmem_cache_close(struc
70840  void kmem_cache_destroy(struct kmem_cache *s)
70841  {
70842         down_write(&slub_lock);
70843 -       s->refcount--;
70844 -       if (!s->refcount) {
70845 +       if (atomic_dec_and_test(&s->refcount)) {
70846                 list_del(&s->list);
70847                 if (kmem_cache_close(s)) {
70848                         printk(KERN_ERR "SLUB %s: %s called for cache that "
70849 @@ -2910,6 +2911,46 @@ void *__kmalloc_node(size_t size, gfp_t 
70850  EXPORT_SYMBOL(__kmalloc_node);
70851  #endif
70852  
70853 +void check_object_size(const void *ptr, unsigned long n, bool to)
70854 +{
70855 +
70856 +#ifdef CONFIG_PAX_USERCOPY
70857 +       struct page *page;
70858 +       struct kmem_cache *s = NULL;
70859 +       unsigned long offset;
70860 +
70861 +       if (!n)
70862 +               return;
70863 +
70864 +       if (ZERO_OR_NULL_PTR(ptr))
70865 +               goto report;
70866 +
70867 +       if (!virt_addr_valid(ptr))
70868 +               return;
70869 +
70870 +       page = virt_to_head_page(ptr);
70871 +
70872 +       if (!PageSlab(page)) {
70873 +               if (object_is_on_stack(ptr, n) == -1)
70874 +                       goto report;
70875 +               return;
70876 +       }
70877 +
70878 +       s = page->slab;
70879 +       if (!(s->flags & SLAB_USERCOPY))
70880 +               goto report;
70881 +
70882 +       offset = (ptr - page_address(page)) % s->size;
70883 +       if (offset <= s->objsize && n <= s->objsize - offset)
70884 +               return;
70885 +
70886 +report:
70887 +       pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
70888 +#endif
70889 +
70890 +}
70891 +EXPORT_SYMBOL(check_object_size);
70892 +
70893  size_t ksize(const void *object)
70894  {
70895         struct page *page;
70896 @@ -3154,7 +3195,7 @@ static void __init kmem_cache_bootstrap_
70897         int node;
70898  
70899         list_add(&s->list, &slab_caches);
70900 -       s->refcount = -1;
70901 +       atomic_set(&s->refcount, -1);
70902  
70903         for_each_node_state(node, N_NORMAL_MEMORY) {
70904                 struct kmem_cache_node *n = get_node(s, node);
70905 @@ -3271,17 +3312,17 @@ void __init kmem_cache_init(void)
70906  
70907         /* Caches that are not of the two-to-the-power-of size */
70908         if (KMALLOC_MIN_SIZE <= 32) {
70909 -               kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
70910 +               kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
70911                 caches++;
70912         }
70913  
70914         if (KMALLOC_MIN_SIZE <= 64) {
70915 -               kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
70916 +               kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
70917                 caches++;
70918         }
70919  
70920         for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
70921 -               kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
70922 +               kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
70923                 caches++;
70924         }
70925  
70926 @@ -3349,7 +3390,7 @@ static int slab_unmergeable(struct kmem_
70927         /*
70928          * We may have set a slab to be unmergeable during bootstrap.
70929          */
70930 -       if (s->refcount < 0)
70931 +       if (atomic_read(&s->refcount) < 0)
70932                 return 1;
70933  
70934         return 0;
70935 @@ -3408,7 +3449,7 @@ struct kmem_cache *kmem_cache_create(con
70936         down_write(&slub_lock);
70937         s = find_mergeable(size, align, flags, name, ctor);
70938         if (s) {
70939 -               s->refcount++;
70940 +               atomic_inc(&s->refcount);
70941                 /*
70942                  * Adjust the object sizes so that we clear
70943                  * the complete object on kzalloc.
70944 @@ -3417,7 +3458,7 @@ struct kmem_cache *kmem_cache_create(con
70945                 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
70946  
70947                 if (sysfs_slab_alias(s, name)) {
70948 -                       s->refcount--;
70949 +                       atomic_dec(&s->refcount);
70950                         goto err;
70951                 }
70952                 up_write(&slub_lock);
70953 @@ -3545,7 +3586,7 @@ void *__kmalloc_node_track_caller(size_t
70954  }
70955  #endif
70956  
70957 -#ifdef CONFIG_SYSFS
70958 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70959  static int count_inuse(struct page *page)
70960  {
70961         return page->inuse;
70962 @@ -3935,12 +3976,12 @@ static void resiliency_test(void)
70963         validate_slab_cache(kmalloc_caches[9]);
70964  }
70965  #else
70966 -#ifdef CONFIG_SYSFS
70967 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70968  static void resiliency_test(void) {};
70969  #endif
70970  #endif
70971  
70972 -#ifdef CONFIG_SYSFS
70973 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70974  enum slab_stat_type {
70975         SL_ALL,                 /* All slabs */
70976         SL_PARTIAL,             /* Only partially allocated slabs */
70977 @@ -4150,7 +4191,7 @@ SLAB_ATTR_RO(ctor);
70978  
70979  static ssize_t aliases_show(struct kmem_cache *s, char *buf)
70980  {
70981 -       return sprintf(buf, "%d\n", s->refcount - 1);
70982 +       return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
70983  }
70984  SLAB_ATTR_RO(aliases);
70985  
70986 @@ -4662,6 +4703,7 @@ static char *create_unique_id(struct kme
70987         return name;
70988  }
70989  
70990 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70991  static int sysfs_slab_add(struct kmem_cache *s)
70992  {
70993         int err;
70994 @@ -4724,6 +4766,7 @@ static void sysfs_slab_remove(struct kme
70995         kobject_del(&s->kobj);
70996         kobject_put(&s->kobj);
70997  }
70998 +#endif
70999  
71000  /*
71001   * Need to buffer aliases during bootup until sysfs becomes
71002 @@ -4737,6 +4780,7 @@ struct saved_alias {
71003  
71004  static struct saved_alias *alias_list;
71005  
71006 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
71007  static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
71008  {
71009         struct saved_alias *al;
71010 @@ -4759,6 +4803,7 @@ static int sysfs_slab_alias(struct kmem_
71011         alias_list = al;
71012         return 0;
71013  }
71014 +#endif
71015  
71016  static int __init slab_sysfs_init(void)
71017  {
71018 @@ -4894,7 +4939,13 @@ static const struct file_operations proc
71019  
71020  static int __init slab_proc_init(void)
71021  {
71022 -       proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
71023 +       mode_t gr_mode = S_IRUGO;
71024 +
71025 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71026 +       gr_mode = S_IRUSR;
71027 +#endif
71028 +
71029 +       proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
71030         return 0;
71031  }
71032  module_init(slab_proc_init);
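Review bot: The `gr_mode` selection added to slab_proc_init is duplicated line for line in the setup_vmstat hunk in mm/vmstat.c, so the two copies can silently diverge; a single definition in a shared header (e.g. a `gr_proc_mode` constant chosen once under `CONFIG_GRKERNSEC_PROC_ADD`, name constructed) would serve both. The reason for the tighter mode is also undocumented at the call; a one-liner such as `/* slab names and sizes describe kernel heap layout: owner-only under GRKERNSEC_PROC_ADD */` above the `proc_create` call records it for the next reader.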
71033 diff -urNp linux-3.0.9/mm/swap.c linux-3.0.9/mm/swap.c
71034 --- linux-3.0.9/mm/swap.c       2011-11-11 13:12:24.000000000 -0500
71035 +++ linux-3.0.9/mm/swap.c       2011-11-15 20:03:00.000000000 -0500
71036 @@ -31,6 +31,7 @@
71037  #include <linux/backing-dev.h>
71038  #include <linux/memcontrol.h>
71039  #include <linux/gfp.h>
71040 +#include <linux/hugetlb.h>
71041  
71042  #include "internal.h"
71043  
71044 @@ -71,6 +72,8 @@ static void __put_compound_page(struct p
71045  
71046         __page_cache_release(page);
71047         dtor = get_compound_page_dtor(page);
71048 +       if (!PageHuge(page))
71049 +               BUG_ON(dtor != free_compound_page);
71050         (*dtor)(page);
71051  }
71052  
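Review bot: The new `BUG_ON(dtor != free_compound_page)` has no comment, so it reads like a debug assertion that a later cleanup might relax to WARN_ON; its value is that it refuses to call through a compound-page destructor pointer that is not the expected target. A comment above the `if` such as `/* non-huge compound pages only ever use free_compound_page; anything else means the page struct is corrupt, so do not call through it */` states that. Whether free_compound_page is indeed the only non-huge destructor in this tree is inferred from the check itself and should be confirmed against prep_compound_page().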
71053 diff -urNp linux-3.0.9/mm/swapfile.c linux-3.0.9/mm/swapfile.c
71054 --- linux-3.0.9/mm/swapfile.c   2011-11-11 13:12:24.000000000 -0500
71055 +++ linux-3.0.9/mm/swapfile.c   2011-11-15 20:03:00.000000000 -0500
71056 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(swapon_mutex);
71057  
71058  static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
71059  /* Activity counter to indicate that a swapon or swapoff has occurred */
71060 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
71061 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
71062  
71063  static inline unsigned char swap_count(unsigned char ent)
71064  {
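Review bot: The switch of `proc_poll_event` to `atomic_unchecked_t` carries no comment saying why this counter may be exempted from the overflow-checked atomic_t; the reason — it is an event counter whose wraparound is harmless, not a reference count — belongs at the declaration, e.g. `/* event counter, not a refcount: wraparound is harmless, so overflow checking is not wanted */`. The same applies to `vm_stat` in mm/vmstat.c, the `rx_drop`, sonet and AAL statistics counters in net/atm, and the `seqno`, `frag_seqno` and `bcast_seqno` fields in net/batman-adv/types.h, where one comment per declaration would document the exemption. For the batman-adv sequence numbers in particular, the value goes on the wire through htonl()/htons() in the send.c, soft-interface.c and unicast.c hunks, so wrapping is part of the protocol and saying so would stop anyone from reverting them to checked atomics.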
71065 @@ -1671,7 +1671,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
71066         }
71067         filp_close(swap_file, NULL);
71068         err = 0;
71069 -       atomic_inc(&proc_poll_event);
71070 +       atomic_inc_unchecked(&proc_poll_event);
71071         wake_up_interruptible(&proc_poll_wait);
71072  
71073  out_dput:
71074 @@ -1692,8 +1692,8 @@ static unsigned swaps_poll(struct file *
71075  
71076         poll_wait(file, &proc_poll_wait, wait);
71077  
71078 -       if (s->event != atomic_read(&proc_poll_event)) {
71079 -               s->event = atomic_read(&proc_poll_event);
71080 +       if (s->event != atomic_read_unchecked(&proc_poll_event)) {
71081 +               s->event = atomic_read_unchecked(&proc_poll_event);
71082                 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
71083         }
71084  
71085 @@ -1799,7 +1799,7 @@ static int swaps_open(struct inode *inod
71086         }
71087  
71088         s->seq.private = s;
71089 -       s->event = atomic_read(&proc_poll_event);
71090 +       s->event = atomic_read_unchecked(&proc_poll_event);
71091         return ret;
71092  }
71093  
71094 @@ -2133,7 +2133,7 @@ SYSCALL_DEFINE2(swapon, const char __use
71095                 (p->flags & SWP_DISCARDABLE) ? "D" : "");
71096  
71097         mutex_unlock(&swapon_mutex);
71098 -       atomic_inc(&proc_poll_event);
71099 +       atomic_inc_unchecked(&proc_poll_event);
71100         wake_up_interruptible(&proc_poll_wait);
71101  
71102         if (S_ISREG(inode->i_mode))
71103 diff -urNp linux-3.0.9/mm/util.c linux-3.0.9/mm/util.c
71104 --- linux-3.0.9/mm/util.c       2011-11-11 13:12:24.000000000 -0500
71105 +++ linux-3.0.9/mm/util.c       2011-11-15 20:03:00.000000000 -0500
71106 @@ -114,6 +114,7 @@ EXPORT_SYMBOL(memdup_user);
71107   * allocated buffer. Use this if you don't want to free the buffer immediately
71108   * like, for example, with RCU.
71109   */
71110 +#undef __krealloc
71111  void *__krealloc(const void *p, size_t new_size, gfp_t flags)
71112  {
71113         void *ret;
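Review bot: The bare `#undef __krealloc` placed before the definition reads as stray unless the reader knows that a header outside this page presumably defines a macro of the same name wrapping the allocator for callers; a short comment makes that explicit, e.g. `#undef __krealloc	/* a header macro wraps this name for callers; this is the real function */`. The same unexplained `#undef` precedes `krealloc` in the next hunk and `__vmalloc`, `vmalloc`, `vzalloc`, `vmalloc_user`, `vmalloc_node`, `vzalloc_node`, `vmalloc_exec`, `vmalloc_32` and `vmalloc_32_user` in mm/vmalloc.c, so one comment at the first site in each file, pointing at where the macros live, would cover them all.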
71114 @@ -147,6 +148,7 @@ EXPORT_SYMBOL(__krealloc);
71115   * behaves exactly like kmalloc().  If @size is 0 and @p is not a
71116   * %NULL pointer, the object pointed to is freed.
71117   */
71118 +#undef krealloc
71119  void *krealloc(const void *p, size_t new_size, gfp_t flags)
71120  {
71121         void *ret;
71122 @@ -243,6 +245,12 @@ void __vma_link_list(struct mm_struct *m
71123  void arch_pick_mmap_layout(struct mm_struct *mm)
71124  {
71125         mm->mmap_base = TASK_UNMAPPED_BASE;
71126 +
71127 +#ifdef CONFIG_PAX_RANDMMAP
71128 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
71129 +               mm->mmap_base += mm->delta_mmap;
71130 +#endif
71131 +
71132         mm->get_unmapped_area = arch_get_unmapped_area;
71133         mm->unmap_area = arch_unmap_area;
71134  }
71135 diff -urNp linux-3.0.9/mm/vmalloc.c linux-3.0.9/mm/vmalloc.c
71136 --- linux-3.0.9/mm/vmalloc.c    2011-11-11 13:12:24.000000000 -0500
71137 +++ linux-3.0.9/mm/vmalloc.c    2011-11-16 18:00:19.000000000 -0500
71138 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
71139  
71140         pte = pte_offset_kernel(pmd, addr);
71141         do {
71142 -               pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
71143 -               WARN_ON(!pte_none(ptent) && !pte_present(ptent));
71144 +
71145 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71146 +               if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
71147 +                       BUG_ON(!pte_exec(*pte));
71148 +                       set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
71149 +                       continue;
71150 +               }
71151 +#endif
71152 +
71153 +               {
71154 +                       pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
71155 +                       WARN_ON(!pte_none(ptent) && !pte_present(ptent));
71156 +               }
71157         } while (pte++, addr += PAGE_SIZE, addr != end);
71158  }
71159  
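Review bot: The KERNEXEC branch added inside the loop in vunmap_pte_range is uncommented: it asserts the pte is executable, rewrites it with `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)` instead of clearing it, and then relies on `continue` inside a `do { } while (pte++, addr += PAGE_SIZE, ...)` still running the increment expression, which is correct C but easy to misread as skipping it. A comment above the `if` such as `/* KERNEXEC: ptes in the module exec range are never cleared; restore the kernel's exec mapping of this page and move on (continue still runs the loop increment) */` records both facts. That the mapping written here is the intended long-lived mapping of that range is inferred from the matching `pgprot_val(prot) & _PAGE_NX` special case in vmap_pte_range below and should be confirmed.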
71160 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
71161                 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
71162  {
71163         pte_t *pte;
71164 +       int ret = -ENOMEM;
71165  
71166         /*
71167          * nr is a running index into the array which helps higher level
71168 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
71169         pte = pte_alloc_kernel(pmd, addr);
71170         if (!pte)
71171                 return -ENOMEM;
71172 +
71173 +       pax_open_kernel();
71174         do {
71175                 struct page *page = pages[*nr];
71176  
71177 -               if (WARN_ON(!pte_none(*pte)))
71178 -                       return -EBUSY;
71179 -               if (WARN_ON(!page))
71180 -                       return -ENOMEM;
71181 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71182 +               if (pgprot_val(prot) & _PAGE_NX)
71183 +#endif
71184 +
71185 +               if (WARN_ON(!pte_none(*pte))) {
71186 +                       ret = -EBUSY;
71187 +                       goto out;
71188 +               }
71189 +               if (WARN_ON(!page)) {
71190 +                       ret = -ENOMEM;
71191 +                       goto out;
71192 +               }
71193                 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
71194                 (*nr)++;
71195         } while (pte++, addr += PAGE_SIZE, addr != end);
71196 -       return 0;
71197 +       ret = 0;
71198 +out:
71199 +       pax_close_kernel();
71200 +       return ret;
71201  }
71202  
71203  static int vmap_pmd_range(pud_t *pud, unsigned long addr,
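Review bot: The `#if`-guarded `if (pgprot_val(prot) & _PAGE_NX)` has no braces and is separated from its body, the `if (WARN_ON(!pte_none(*pte)))`, by `#endif` and a blank line, so the statement that is actually conditional is not visible at the guard and any line inserted between them later would silently become the conditional one. Folding the decision into a named condition and a single braced `if` makes the intent explicit — that an executable mapping is allowed to find a live pte, presumably because the vunmap_pte_range hunk above never clears ptes in that range; the `pax_open_kernel()`/`goto out`/`pax_close_kernel()` bracket is otherwise fine. `ret` is also initialised to `-ENOMEM` at the top of the function although every path to `out` assigns it, so that initialiser can go.
```c
	do {
		struct page *page = pages[*nr];
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
		/* exec mappings live in the module exec range, whose ptes are never
		 * cleared by vunmap_pte_range(): a live pte is expected there */
		bool want_empty_pte = pgprot_val(prot) & _PAGE_NX;
#else
		bool want_empty_pte = true;
#endif

		if (want_empty_pte && WARN_ON(!pte_none(*pte))) {
			ret = -EBUSY;
			goto out;
		}
		/* … unchanged: NULL page check, set_pte_at(), (*nr)++ … */
	} while (pte++, addr += PAGE_SIZE, addr != end);
```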
71204 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
71205          * and fall back on vmalloc() if that fails. Others
71206          * just put it in the vmalloc space.
71207          */
71208 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
71209 +#ifdef CONFIG_MODULES
71210 +#ifdef MODULES_VADDR
71211         unsigned long addr = (unsigned long)x;
71212         if (addr >= MODULES_VADDR && addr < MODULES_END)
71213                 return 1;
71214  #endif
71215 +
71216 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71217 +       if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
71218 +               return 1;
71219 +#endif
71220 +
71221 +#endif
71222 +
71223         return is_vmalloc_addr(x);
71224  }
71225  
71226 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void 
71227  
71228         if (!pgd_none(*pgd)) {
71229                 pud_t *pud = pud_offset(pgd, addr);
71230 +#ifdef CONFIG_X86
71231 +               if (!pud_large(*pud))
71232 +#endif
71233                 if (!pud_none(*pud)) {
71234                         pmd_t *pmd = pmd_offset(pud, addr);
71235 +#ifdef CONFIG_X86
71236 +                       if (!pmd_large(*pmd))
71237 +#endif
71238                         if (!pmd_none(*pmd)) {
71239                                 pte_t *ptep, pte;
71240  
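Review bot: The added `#ifdef CONFIG_X86 if (!pud_large(*pud)) #endif` and `if (!pmd_large(*pmd))` lines are brace-less ifs stacked directly on the existing `if (!pud_none(...)) {` / `if (!pmd_none(...)) {`, so the second `if` is the body of the first only by adjacency. The check itself is right — a large (huge-page) pud or pmd has no lower-level table, so without it pmd_offset()/the pte lookup would treat the huge page's contents as a page table — but it should be one condition per level. A pair of small helpers (names constructed) keeps the arch-specific test out of the walk and lets each level be a single braced `if`.
```c
/* large (huge-page) entries have no lower-level table to walk */
static inline int vmalloc_pud_walkable(const pud_t *pud)
{
#ifdef CONFIG_X86
	if (pud_large(*pud))
		return 0;
#endif
	return !pud_none(*pud);
}

static inline int vmalloc_pmd_walkable(const pmd_t *pmd)
{
#ifdef CONFIG_X86
	if (pmd_large(*pmd))
		return 0;
#endif
	return !pmd_none(*pmd);
}

/* … in vmalloc_to_page(): */
		if (vmalloc_pud_walkable(pud)) {
			pmd_t *pmd = pmd_offset(pud, addr);
			if (vmalloc_pmd_walkable(pmd)) {
```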
71241 @@ -1308,6 +1348,16 @@ static struct vm_struct *__get_vm_area_n
71242         struct vm_struct *area;
71243  
71244         BUG_ON(in_interrupt());
71245 +
71246 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71247 +       if (flags & VM_KERNEXEC) {
71248 +               if (start != VMALLOC_START || end != VMALLOC_END)
71249 +                       return NULL;
71250 +               start = (unsigned long)MODULES_EXEC_VADDR;
71251 +               end = (unsigned long)MODULES_EXEC_END;
71252 +       }
71253 +#endif
71254 +
71255         if (flags & VM_IOREMAP) {
71256                 int bit = fls(size);
71257  
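Review bot: When `VM_KERNEXEC` is requested with a range other than `VMALLOC_START`..`VMALLOC_END` the new code returns NULL silently, so a caller passing a custom range sees what looks like an out-of-memory failure with no hint that the request itself was rejected. Since that combination is a programming error rather than a runtime condition it should be loud: `if (WARN_ON_ONCE(start != VMALLOC_START || end != VMALLOC_END)) return NULL;`. A comment that the range is then redirected to `MODULES_EXEC_VADDR`..`MODULES_EXEC_END` because that is the only region mapped executable under KERNEXEC would also help; that reading of the range is inferred from the vmap and __vmalloc_node_range hunks below.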
71258 @@ -1540,6 +1590,11 @@ void *vmap(struct page **pages, unsigned
71259         if (count > totalram_pages)
71260                 return NULL;
71261  
71262 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71263 +       if (!(pgprot_val(prot) & _PAGE_NX))
71264 +               flags |= VM_KERNEXEC;
71265 +#endif
71266 +
71267         area = get_vm_area_caller((count << PAGE_SHIFT), flags,
71268                                         __builtin_return_address(0));
71269         if (!area)
71270 @@ -1641,6 +1696,13 @@ void *__vmalloc_node_range(unsigned long
71271         if (!size || (size >> PAGE_SHIFT) > totalram_pages)
71272                 return NULL;
71273  
71274 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71275 +       if (!(pgprot_val(prot) & _PAGE_NX))
71276 +               area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
71277 +                                               node, gfp_mask, caller);
71278 +       else
71279 +#endif
71280 +
71281         area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
71282                                   start, end, node, gfp_mask, caller);
71283  
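Review bot: The `else` on the new line is separated from the statement it governs, the pre-existing `area = __get_vm_area_node(...)`, by `#endif` and a blank line — the same fragile shape as in vmap_pte_range — and the KERNEXEC branch silently replaces the caller's `start`/`end` with `VMALLOC_START`/`VMALLOC_END`, which is required because __get_vm_area_node() rejects any other range for `VM_KERNEXEC` but is invisible to the caller. Computing the flags and range once and making a single call keeps the override in one visible place; behaviour is unchanged.
```c
	unsigned long vm_flags = VM_ALLOC | VM_UNLIST;

#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
	/* executable mappings come from the module exec range: __get_vm_area_node()
	 * only accepts VM_KERNEXEC with the full vmalloc range and redirects it there */
	if (!(pgprot_val(prot) & _PAGE_NX)) {
		vm_flags |= VM_KERNEXEC;
		start = VMALLOC_START;
		end = VMALLOC_END;
	}
#endif

	area = __get_vm_area_node(size, align, vm_flags, start, end, node, gfp_mask, caller);
```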
71284 @@ -1686,6 +1748,7 @@ static void *__vmalloc_node(unsigned lon
71285                                 gfp_mask, prot, node, caller);
71286  }
71287  
71288 +#undef __vmalloc
71289  void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
71290  {
71291         return __vmalloc_node(size, 1, gfp_mask, prot, -1,
71292 @@ -1709,6 +1772,7 @@ static inline void *__vmalloc_node_flags
71293   *     For tight control over page level allocator and protection flags
71294   *     use __vmalloc() instead.
71295   */
71296 +#undef vmalloc
71297  void *vmalloc(unsigned long size)
71298  {
71299         return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
71300 @@ -1725,6 +1789,7 @@ EXPORT_SYMBOL(vmalloc);
71301   *     For tight control over page level allocator and protection flags
71302   *     use __vmalloc() instead.
71303   */
71304 +#undef vzalloc
71305  void *vzalloc(unsigned long size)
71306  {
71307         return __vmalloc_node_flags(size, -1,
71308 @@ -1739,6 +1804,7 @@ EXPORT_SYMBOL(vzalloc);
71309   * The resulting memory area is zeroed so it can be mapped to userspace
71310   * without leaking data.
71311   */
71312 +#undef vmalloc_user
71313  void *vmalloc_user(unsigned long size)
71314  {
71315         struct vm_struct *area;
71316 @@ -1766,6 +1832,7 @@ EXPORT_SYMBOL(vmalloc_user);
71317   *     For tight control over page level allocator and protection flags
71318   *     use __vmalloc() instead.
71319   */
71320 +#undef vmalloc_node
71321  void *vmalloc_node(unsigned long size, int node)
71322  {
71323         return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
71324 @@ -1785,6 +1852,7 @@ EXPORT_SYMBOL(vmalloc_node);
71325   * For tight control over page level allocator and protection flags
71326   * use __vmalloc_node() instead.
71327   */
71328 +#undef vzalloc_node
71329  void *vzalloc_node(unsigned long size, int node)
71330  {
71331         return __vmalloc_node_flags(size, node,
71332 @@ -1807,10 +1875,10 @@ EXPORT_SYMBOL(vzalloc_node);
71333   *     For tight control over page level allocator and protection flags
71334   *     use __vmalloc() instead.
71335   */
71336 -
71337 +#undef vmalloc_exec
71338  void *vmalloc_exec(unsigned long size)
71339  {
71340 -       return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
71341 +       return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
71342                               -1, __builtin_return_address(0));
71343  }
71344  
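Review bot: `__GFP_ZERO` is added to vmalloc_exec() without a comment, so a later reader trimming allocation cost may drop it as unnecessary; zeroing matters here because the pages are mapped executable, and whatever a previous owner left in them would otherwise be reachable with execute permission before the caller fills the area. Suggested comment above the return: `/* zero the pages: they are mapped executable, so stale contents from a previous owner must not be reachable through this mapping */`. The `#undef vmalloc_exec` on the line above shares the point raised for `__krealloc` in mm/util.c.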
71345 @@ -1829,6 +1897,7 @@ void *vmalloc_exec(unsigned long size)
71346   *     Allocate enough 32bit PA addressable pages to cover @size from the
71347   *     page level allocator and map them into contiguous kernel virtual space.
71348   */
71349 +#undef vmalloc_32
71350  void *vmalloc_32(unsigned long size)
71351  {
71352         return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
71353 @@ -1843,6 +1912,7 @@ EXPORT_SYMBOL(vmalloc_32);
71354   * The resulting memory area is 32bit addressable and zeroed so it can be
71355   * mapped to userspace without leaking data.
71356   */
71357 +#undef vmalloc_32_user
71358  void *vmalloc_32_user(unsigned long size)
71359  {
71360         struct vm_struct *area;
71361 @@ -2105,6 +2175,8 @@ int remap_vmalloc_range(struct vm_area_s
71362         unsigned long uaddr = vma->vm_start;
71363         unsigned long usize = vma->vm_end - vma->vm_start;
71364  
71365 +       BUG_ON(vma->vm_mirror);
71366 +
71367         if ((PAGE_SIZE-1) & (unsigned long)addr)
71368                 return -EINVAL;
71369  
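Review bot: `BUG_ON(vma->vm_mirror)` turns an unsupported request into a kernel panic on a path that driver mmap handlers reach from user-initiated mmap() calls; if a vma with `vm_mirror` set can arrive here at all, `if (WARN_ON_ONCE(vma->vm_mirror)) return -EINVAL;` fails the one mapping and keeps the diagnostic instead of taking the whole machine down. Whether the mirrored-vma case is reachable from userspace, or is an invariant that earlier code already guarantees, is not visible on this page and decides which form is right. Either way a one-line comment on why mirrored vmas cannot be remapped here is missing.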
71370 diff -urNp linux-3.0.9/mm/vmstat.c linux-3.0.9/mm/vmstat.c
71371 --- linux-3.0.9/mm/vmstat.c     2011-11-11 13:12:24.000000000 -0500
71372 +++ linux-3.0.9/mm/vmstat.c     2011-11-15 20:03:00.000000000 -0500
71373 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
71374   *
71375   * vm_stat contains the global counters
71376   */
71377 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
71378 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
71379  EXPORT_SYMBOL(vm_stat);
71380  
71381  #ifdef CONFIG_SMP
71382 @@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
71383                                 v = p->vm_stat_diff[i];
71384                                 p->vm_stat_diff[i] = 0;
71385                                 local_irq_restore(flags);
71386 -                               atomic_long_add(v, &zone->vm_stat[i]);
71387 +                               atomic_long_add_unchecked(v, &zone->vm_stat[i]);
71388                                 global_diff[i] += v;
71389  #ifdef CONFIG_NUMA
71390                                 /* 3 seconds idle till flush */
71391 @@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
71392  
71393         for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
71394                 if (global_diff[i])
71395 -                       atomic_long_add(global_diff[i], &vm_stat[i]);
71396 +                       atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
71397  }
71398  
71399  #endif
71400 @@ -1207,10 +1207,20 @@ static int __init setup_vmstat(void)
71401                 start_cpu_timer(cpu);
71402  #endif
71403  #ifdef CONFIG_PROC_FS
71404 -       proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
71405 -       proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
71406 -       proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
71407 -       proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
71408 +       {
71409 +               mode_t gr_mode = S_IRUGO;
71410 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71411 +               gr_mode = S_IRUSR;
71412 +#endif
71413 +               proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
71414 +               proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
71415 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
71416 +               proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
71417 +#else
71418 +               proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
71419 +#endif
71420 +               proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
71421 +       }
71422  #endif
71423         return 0;
71424  }
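Review bot: Under `CONFIG_GRKERNSEC_PROC_USERGROUP` only `vmstat` is given `gr_mode | S_IRGRP` while buddyinfo, pagetypeinfo and zoneinfo stay at `gr_mode`, and nothing says why; presumably vmstat is the one file a monitoring group is expected to read, but that is my inference and should be confirmed. A comment on the `#ifdef` line, e.g. `/* vmstat is the only one of these a monitoring group needs */`, would document the asymmetry. It is also worth noting in that comment that with `CONFIG_GRKERNSEC_PROC_ADD` off, `gr_mode` is already `S_IRUGO` and the `| S_IRGRP` is a no-op.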
71425 diff -urNp linux-3.0.9/net/8021q/vlan.c linux-3.0.9/net/8021q/vlan.c
71426 --- linux-3.0.9/net/8021q/vlan.c        2011-11-11 13:12:24.000000000 -0500
71427 +++ linux-3.0.9/net/8021q/vlan.c        2011-11-15 20:03:00.000000000 -0500
71428 @@ -591,8 +591,7 @@ static int vlan_ioctl_handler(struct net
71429                 err = -EPERM;
71430                 if (!capable(CAP_NET_ADMIN))
71431                         break;
71432 -               if ((args.u.name_type >= 0) &&
71433 -                   (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
71434 +               if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
71435                         struct vlan_net *vn;
71436  
71437                         vn = net_generic(net, vlan_net_id);
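Review bot: Dropping `args.u.name_type >= 0` is only a no-op if `name_type` is an unsigned type in `struct vlan_ioctl_args`, which is not visible here; if it is, the removal is right (the comparison was always true and compilers warn about it) and the remaining `< VLAN_NAME_TYPE_HIGHEST` test is the complete range check. A comment such as `/* name_type is unsigned, so the upper bound alone is a full range check */` would stop the lower bound being re-added later.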
71438 diff -urNp linux-3.0.9/net/9p/trans_fd.c linux-3.0.9/net/9p/trans_fd.c
71439 --- linux-3.0.9/net/9p/trans_fd.c       2011-11-11 13:12:24.000000000 -0500
71440 +++ linux-3.0.9/net/9p/trans_fd.c       2011-11-15 20:03:00.000000000 -0500
71441 @@ -423,7 +423,7 @@ static int p9_fd_write(struct p9_client 
71442         oldfs = get_fs();
71443         set_fs(get_ds());
71444         /* The cast to a user pointer is valid due to the set_fs() */
71445 -       ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
71446 +       ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
71447         set_fs(oldfs);
71448  
71449         if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
71450 diff -urNp linux-3.0.9/net/9p/trans_virtio.c linux-3.0.9/net/9p/trans_virtio.c
71451 --- linux-3.0.9/net/9p/trans_virtio.c   2011-11-11 13:12:24.000000000 -0500
71452 +++ linux-3.0.9/net/9p/trans_virtio.c   2011-11-15 20:03:00.000000000 -0500
71453 @@ -327,7 +327,7 @@ req_retry_pinned:
71454                 } else {
71455                         char *pbuf;
71456                         if (req->tc->pubuf)
71457 -                               pbuf = (__force char *) req->tc->pubuf;
71458 +                               pbuf = (char __force_kernel *) req->tc->pubuf;
71459                         else
71460                                 pbuf = req->tc->pkbuf;
71461                         outp = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, pbuf,
71462 @@ -357,7 +357,7 @@ req_retry_pinned:
71463                 } else {
71464                         char *pbuf;
71465                         if (req->tc->pubuf)
71466 -                               pbuf = (__force char *) req->tc->pubuf;
71467 +                               pbuf = (char __force_kernel *) req->tc->pubuf;
71468                         else
71469                                 pbuf = req->tc->pkbuf;
71470  
71471 diff -urNp linux-3.0.9/net/atm/atm_misc.c linux-3.0.9/net/atm/atm_misc.c
71472 --- linux-3.0.9/net/atm/atm_misc.c      2011-11-11 13:12:24.000000000 -0500
71473 +++ linux-3.0.9/net/atm/atm_misc.c      2011-11-15 20:03:00.000000000 -0500
71474 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int 
71475         if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
71476                 return 1;
71477         atm_return(vcc, truesize);
71478 -       atomic_inc(&vcc->stats->rx_drop);
71479 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
71480         return 0;
71481  }
71482  EXPORT_SYMBOL(atm_charge);
71483 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct 
71484                 }
71485         }
71486         atm_return(vcc, guess);
71487 -       atomic_inc(&vcc->stats->rx_drop);
71488 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
71489         return NULL;
71490  }
71491  EXPORT_SYMBOL(atm_alloc_charge);
71492 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
71493  
71494  void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71495  {
71496 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71497 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71498         __SONET_ITEMS
71499  #undef __HANDLE_ITEM
71500  }
71501 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
71502  
71503  void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71504  {
71505 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71506 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
71507         __SONET_ITEMS
71508  #undef __HANDLE_ITEM
71509  }
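Review bot: The replacement line `atomic_sub_unchecked(to->i,&from->i)` drops the space after the comma that the line it replaces had, and the add_stats hunk in net/atm/proc.c does the same on three lines; the substitution should read `atomic_sub_unchecked(to->i, &from->i)` to keep the file's spacing. The sibling hunks in net/atm/resources.c keep the space, so this is an inconsistency within the patch rather than a style choice.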
71510 diff -urNp linux-3.0.9/net/atm/lec.h linux-3.0.9/net/atm/lec.h
71511 --- linux-3.0.9/net/atm/lec.h   2011-11-11 13:12:24.000000000 -0500
71512 +++ linux-3.0.9/net/atm/lec.h   2011-11-15 20:03:00.000000000 -0500
71513 @@ -48,7 +48,7 @@ struct lane2_ops {
71514                               const u8 *tlvs, u32 sizeoftlvs);
71515         void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
71516                                      const u8 *tlvs, u32 sizeoftlvs);
71517 -};
71518 +} __no_const;
71519  
71520  /*
71521   * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
71522 diff -urNp linux-3.0.9/net/atm/mpc.h linux-3.0.9/net/atm/mpc.h
71523 --- linux-3.0.9/net/atm/mpc.h   2011-11-11 13:12:24.000000000 -0500
71524 +++ linux-3.0.9/net/atm/mpc.h   2011-11-15 20:03:00.000000000 -0500
71525 @@ -33,7 +33,7 @@ struct mpoa_client {
71526         struct mpc_parameters parameters;  /* parameters for this client    */
71527  
71528         const struct net_device_ops *old_ops;
71529 -       struct net_device_ops new_ops;
71530 +       net_device_ops_no_const new_ops;
71531  };
71532  
71533  
71534 diff -urNp linux-3.0.9/net/atm/mpoa_caches.c linux-3.0.9/net/atm/mpoa_caches.c
71535 --- linux-3.0.9/net/atm/mpoa_caches.c   2011-11-11 13:12:24.000000000 -0500
71536 +++ linux-3.0.9/net/atm/mpoa_caches.c   2011-11-15 20:03:00.000000000 -0500
71537 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
71538         struct timeval now;
71539         struct k_message msg;
71540  
71541 +       pax_track_stack();
71542 +
71543         do_gettimeofday(&now);
71544  
71545         read_lock_bh(&client->ingress_lock);
71546 diff -urNp linux-3.0.9/net/atm/proc.c linux-3.0.9/net/atm/proc.c
71547 --- linux-3.0.9/net/atm/proc.c  2011-11-11 13:12:24.000000000 -0500
71548 +++ linux-3.0.9/net/atm/proc.c  2011-11-15 20:03:00.000000000 -0500
71549 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
71550    const struct k_atm_aal_stats *stats)
71551  {
71552         seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
71553 -                  atomic_read(&stats->tx), atomic_read(&stats->tx_err),
71554 -                  atomic_read(&stats->rx), atomic_read(&stats->rx_err),
71555 -                  atomic_read(&stats->rx_drop));
71556 +                  atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
71557 +                  atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
71558 +                  atomic_read_unchecked(&stats->rx_drop));
71559  }
71560  
71561  static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
71562 diff -urNp linux-3.0.9/net/atm/resources.c linux-3.0.9/net/atm/resources.c
71563 --- linux-3.0.9/net/atm/resources.c     2011-11-11 13:12:24.000000000 -0500
71564 +++ linux-3.0.9/net/atm/resources.c     2011-11-15 20:03:00.000000000 -0500
71565 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
71566  static void copy_aal_stats(struct k_atm_aal_stats *from,
71567      struct atm_aal_stats *to)
71568  {
71569 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71570 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71571         __AAL_STAT_ITEMS
71572  #undef __HANDLE_ITEM
71573  }
71574 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
71575  static void subtract_aal_stats(struct k_atm_aal_stats *from,
71576      struct atm_aal_stats *to)
71577  {
71578 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71579 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
71580         __AAL_STAT_ITEMS
71581  #undef __HANDLE_ITEM
71582  }
71583 diff -urNp linux-3.0.9/net/batman-adv/hard-interface.c linux-3.0.9/net/batman-adv/hard-interface.c
71584 --- linux-3.0.9/net/batman-adv/hard-interface.c 2011-11-11 13:12:24.000000000 -0500
71585 +++ linux-3.0.9/net/batman-adv/hard-interface.c 2011-11-15 20:03:00.000000000 -0500
71586 @@ -351,8 +351,8 @@ int hardif_enable_interface(struct hard_
71587         hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
71588         dev_add_pack(&hard_iface->batman_adv_ptype);
71589  
71590 -       atomic_set(&hard_iface->seqno, 1);
71591 -       atomic_set(&hard_iface->frag_seqno, 1);
71592 +       atomic_set_unchecked(&hard_iface->seqno, 1);
71593 +       atomic_set_unchecked(&hard_iface->frag_seqno, 1);
71594         bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
71595                  hard_iface->net_dev->name);
71596  
71597 diff -urNp linux-3.0.9/net/batman-adv/routing.c linux-3.0.9/net/batman-adv/routing.c
71598 --- linux-3.0.9/net/batman-adv/routing.c        2011-11-11 13:12:24.000000000 -0500
71599 +++ linux-3.0.9/net/batman-adv/routing.c        2011-11-15 20:03:00.000000000 -0500
71600 @@ -627,7 +627,7 @@ void receive_bat_packet(struct ethhdr *e
71601                 return;
71602  
71603         /* could be changed by schedule_own_packet() */
71604 -       if_incoming_seqno = atomic_read(&if_incoming->seqno);
71605 +       if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
71606  
71607         has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
71608  
71609 diff -urNp linux-3.0.9/net/batman-adv/send.c linux-3.0.9/net/batman-adv/send.c
71610 --- linux-3.0.9/net/batman-adv/send.c   2011-11-11 13:12:24.000000000 -0500
71611 +++ linux-3.0.9/net/batman-adv/send.c   2011-11-15 20:03:00.000000000 -0500
71612 @@ -279,7 +279,7 @@ void schedule_own_packet(struct hard_ifa
71613  
71614         /* change sequence number to network order */
71615         batman_packet->seqno =
71616 -               htonl((uint32_t)atomic_read(&hard_iface->seqno));
71617 +               htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
71618  
71619         if (vis_server == VIS_TYPE_SERVER_SYNC)
71620                 batman_packet->flags |= VIS_SERVER;
71621 @@ -293,7 +293,7 @@ void schedule_own_packet(struct hard_ifa
71622         else
71623                 batman_packet->gw_flags = 0;
71624  
71625 -       atomic_inc(&hard_iface->seqno);
71626 +       atomic_inc_unchecked(&hard_iface->seqno);
71627  
71628         slide_own_bcast_window(hard_iface);
71629         send_time = own_send_time(bat_priv);
71630 diff -urNp linux-3.0.9/net/batman-adv/soft-interface.c linux-3.0.9/net/batman-adv/soft-interface.c
71631 --- linux-3.0.9/net/batman-adv/soft-interface.c 2011-11-11 13:12:24.000000000 -0500
71632 +++ linux-3.0.9/net/batman-adv/soft-interface.c 2011-11-15 20:03:00.000000000 -0500
71633 @@ -628,7 +628,7 @@ int interface_tx(struct sk_buff *skb, st
71634  
71635                 /* set broadcast sequence number */
71636                 bcast_packet->seqno =
71637 -                       htonl(atomic_inc_return(&bat_priv->bcast_seqno));
71638 +                       htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
71639  
71640                 add_bcast_packet_to_list(bat_priv, skb);
71641  
71642 @@ -830,7 +830,7 @@ struct net_device *softif_create(char *n
71643         atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
71644  
71645         atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
71646 -       atomic_set(&bat_priv->bcast_seqno, 1);
71647 +       atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
71648         atomic_set(&bat_priv->tt_local_changed, 0);
71649  
71650         bat_priv->primary_if = NULL;
71651 diff -urNp linux-3.0.9/net/batman-adv/types.h linux-3.0.9/net/batman-adv/types.h
71652 --- linux-3.0.9/net/batman-adv/types.h  2011-11-11 13:12:24.000000000 -0500
71653 +++ linux-3.0.9/net/batman-adv/types.h  2011-11-15 20:03:00.000000000 -0500
71654 @@ -38,8 +38,8 @@ struct hard_iface {
71655         int16_t if_num;
71656         char if_status;
71657         struct net_device *net_dev;
71658 -       atomic_t seqno;
71659 -       atomic_t frag_seqno;
71660 +       atomic_unchecked_t seqno;
71661 +       atomic_unchecked_t frag_seqno;
71662         unsigned char *packet_buff;
71663         int packet_len;
71664         struct kobject *hardif_obj;
71665 @@ -142,7 +142,7 @@ struct bat_priv {
71666         atomic_t orig_interval;         /* uint */
71667         atomic_t hop_penalty;           /* uint */
71668         atomic_t log_level;             /* uint */
71669 -       atomic_t bcast_seqno;
71670 +       atomic_unchecked_t bcast_seqno;
71671         atomic_t bcast_queue_left;
71672         atomic_t batman_queue_left;
71673         char num_ifaces;
71674 diff -urNp linux-3.0.9/net/batman-adv/unicast.c linux-3.0.9/net/batman-adv/unicast.c
71675 --- linux-3.0.9/net/batman-adv/unicast.c        2011-11-11 13:12:24.000000000 -0500
71676 +++ linux-3.0.9/net/batman-adv/unicast.c        2011-11-15 20:03:00.000000000 -0500
71677 @@ -265,7 +265,7 @@ int frag_send_skb(struct sk_buff *skb, s
71678         frag1->flags = UNI_FRAG_HEAD | large_tail;
71679         frag2->flags = large_tail;
71680  
71681 -       seqno = atomic_add_return(2, &hard_iface->frag_seqno);
71682 +       seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
71683         frag1->seqno = htons(seqno - 1);
71684         frag2->seqno = htons(seqno);
71685  
71686 diff -urNp linux-3.0.9/net/bridge/br_multicast.c linux-3.0.9/net/bridge/br_multicast.c
71687 --- linux-3.0.9/net/bridge/br_multicast.c       2011-11-11 13:12:24.000000000 -0500
71688 +++ linux-3.0.9/net/bridge/br_multicast.c       2011-11-15 20:03:00.000000000 -0500
71689 @@ -1485,7 +1485,7 @@ static int br_multicast_ipv6_rcv(struct 
71690         nexthdr = ip6h->nexthdr;
71691         offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
71692  
71693 -       if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
71694 +       if (nexthdr != IPPROTO_ICMPV6)
71695                 return 0;
71696  
71697         /* Okay, we found ICMPv6 header */
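Review bot: Dropping `offset < 0` from the condition means a failed ipv6_skip_exthdr() (it returns -1 when it cannot walk the extension headers) is no longer rejected explicitly; if I read the 3.0 implementation correctly the new code stays safe only because that function leaves *nexthdr untouched on failure, so it still holds an extension-header value rather than IPPROTO_ICMPV6. That coupling deserves a comment at the call site, e.g. `/* on failure nexthdr keeps its ext-hdr value, so the ICMPV6 test also rejects a negative offset */`, or the explicit check should stay unless `offset` has been made unsigned elsewhere in the patch and the comparison was flagged as always false. br_multicast_ipv6_rcv continues on both sides of the hunk.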
71698 diff -urNp linux-3.0.9/net/bridge/netfilter/ebtables.c linux-3.0.9/net/bridge/netfilter/ebtables.c
71699 --- linux-3.0.9/net/bridge/netfilter/ebtables.c 2011-11-11 13:12:24.000000000 -0500
71700 +++ linux-3.0.9/net/bridge/netfilter/ebtables.c 2011-11-15 20:03:00.000000000 -0500
71701 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
71702                         tmp.valid_hooks = t->table->valid_hooks;
71703                 }
71704                 mutex_unlock(&ebt_mutex);
71705 -               if (copy_to_user(user, &tmp, *len) != 0){
71706 +               if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
71707                         BUGPRINT("c2u Didn't work\n");
71708                         ret = -EFAULT;
71709                         break;
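Review bot: The new length guard on the copy_to_user() line reports an oversize `*len` as -EFAULT with the "c2u Didn't work" message, which conflates a caller-supplied invalid length with a faulting user buffer; a separate `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` before the copy would keep the two failures distinguishable. The same -EFAULT-for-oversize pattern appears in the three sock_getsockopt hunks of net/core/sock.c and the two dn_*_handler hunks of net/decnet/sysctl_net_decnet.c. In sock.c the peercred guard directly follows a line that already clamps len to sizeof(peercred), so that branch is unreachable and would read better as a comment stating the invariant it defends. do_ebt_get_ctl continues on both sides of the hunk.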
71710 @@ -1780,6 +1780,8 @@ static int compat_copy_everything_to_use
71711         int ret;
71712         void __user *pos;
71713  
71714 +       pax_track_stack();
71715 +
71716         memset(&tinfo, 0, sizeof(tinfo));
71717  
71718         if (cmd == EBT_SO_GET_ENTRIES) {
71719 diff -urNp linux-3.0.9/net/caif/caif_socket.c linux-3.0.9/net/caif/caif_socket.c
71720 --- linux-3.0.9/net/caif/caif_socket.c  2011-11-11 13:12:24.000000000 -0500
71721 +++ linux-3.0.9/net/caif/caif_socket.c  2011-11-15 20:03:00.000000000 -0500
71722 @@ -48,19 +48,20 @@ static struct dentry *debugfsdir;
71723  #ifdef CONFIG_DEBUG_FS
71724  struct debug_fs_counter {
71725         atomic_t caif_nr_socks;
71726 -       atomic_t caif_sock_create;
71727 -       atomic_t num_connect_req;
71728 -       atomic_t num_connect_resp;
71729 -       atomic_t num_connect_fail_resp;
71730 -       atomic_t num_disconnect;
71731 -       atomic_t num_remote_shutdown_ind;
71732 -       atomic_t num_tx_flow_off_ind;
71733 -       atomic_t num_tx_flow_on_ind;
71734 -       atomic_t num_rx_flow_off;
71735 -       atomic_t num_rx_flow_on;
71736 +       atomic_unchecked_t caif_sock_create;
71737 +       atomic_unchecked_t num_connect_req;
71738 +       atomic_unchecked_t num_connect_resp;
71739 +       atomic_unchecked_t num_connect_fail_resp;
71740 +       atomic_unchecked_t num_disconnect;
71741 +       atomic_unchecked_t num_remote_shutdown_ind;
71742 +       atomic_unchecked_t num_tx_flow_off_ind;
71743 +       atomic_unchecked_t num_tx_flow_on_ind;
71744 +       atomic_unchecked_t num_rx_flow_off;
71745 +       atomic_unchecked_t num_rx_flow_on;
71746  };
71747  static struct debug_fs_counter cnt;
71748  #define        dbfs_atomic_inc(v) atomic_inc_return(v)
71749 +#define        dbfs_atomic_inc_unchecked(v) atomic_inc_return_unchecked(v)
71750  #define        dbfs_atomic_dec(v) atomic_dec_return(v)
71751  #else
71752  #define        dbfs_atomic_inc(v) 0
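Review bot: The `#else` branch of the CONFIG_DEBUG_FS block, whose start is the last three lines of the hunk, gets no stub to match the `dbfs_atomic_inc_unchecked` macro added under `#ifdef` higher up. As far as this hunk shows, a build without CONFIG_DEBUG_FS would then reach the new call sites in caif_queue_rcv_skb, caif_ctrl_cb, caif_create and the other converted functions with an undefined macro and an undeclared `cnt`. Unless it is provided elsewhere in the patch, the `#else` branch needs `#define dbfs_atomic_inc_unchecked(v) 0` next to the existing `dbfs_atomic_inc` stub.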
71753 @@ -161,7 +162,7 @@ static int caif_queue_rcv_skb(struct soc
71754                                         atomic_read(&cf_sk->sk.sk_rmem_alloc),
71755                                         sk_rcvbuf_lowwater(cf_sk));
71756                 set_rx_flow_off(cf_sk);
71757 -               dbfs_atomic_inc(&cnt.num_rx_flow_off);
71758 +               dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71759                 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71760         }
71761  
71762 @@ -172,7 +173,7 @@ static int caif_queue_rcv_skb(struct soc
71763                 set_rx_flow_off(cf_sk);
71764                 if (net_ratelimit())
71765                         pr_debug("sending flow OFF due to rmem_schedule\n");
71766 -               dbfs_atomic_inc(&cnt.num_rx_flow_off);
71767 +               dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71768                 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71769         }
71770         skb->dev = NULL;
71771 @@ -233,14 +234,14 @@ static void caif_ctrl_cb(struct cflayer 
71772         switch (flow) {
71773         case CAIF_CTRLCMD_FLOW_ON_IND:
71774                 /* OK from modem to start sending again */
71775 -               dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
71776 +               dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
71777                 set_tx_flow_on(cf_sk);
71778                 cf_sk->sk.sk_state_change(&cf_sk->sk);
71779                 break;
71780  
71781         case CAIF_CTRLCMD_FLOW_OFF_IND:
71782                 /* Modem asks us to shut up */
71783 -               dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
71784 +               dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
71785                 set_tx_flow_off(cf_sk);
71786                 cf_sk->sk.sk_state_change(&cf_sk->sk);
71787                 break;
71788 @@ -249,7 +250,7 @@ static void caif_ctrl_cb(struct cflayer 
71789                 /* We're now connected */
71790                 caif_client_register_refcnt(&cf_sk->layer,
71791                                                 cfsk_hold, cfsk_put);
71792 -               dbfs_atomic_inc(&cnt.num_connect_resp);
71793 +               dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
71794                 cf_sk->sk.sk_state = CAIF_CONNECTED;
71795                 set_tx_flow_on(cf_sk);
71796                 cf_sk->sk.sk_state_change(&cf_sk->sk);
71797 @@ -263,7 +264,7 @@ static void caif_ctrl_cb(struct cflayer 
71798  
71799         case CAIF_CTRLCMD_INIT_FAIL_RSP:
71800                 /* Connect request failed */
71801 -               dbfs_atomic_inc(&cnt.num_connect_fail_resp);
71802 +               dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
71803                 cf_sk->sk.sk_err = ECONNREFUSED;
71804                 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
71805                 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71806 @@ -277,7 +278,7 @@ static void caif_ctrl_cb(struct cflayer 
71807  
71808         case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
71809                 /* Modem has closed this connection, or device is down. */
71810 -               dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
71811 +               dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
71812                 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71813                 cf_sk->sk.sk_err = ECONNRESET;
71814                 set_rx_flow_on(cf_sk);
71815 @@ -297,7 +298,7 @@ static void caif_check_flow_release(stru
71816                 return;
71817  
71818         if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
71819 -                       dbfs_atomic_inc(&cnt.num_rx_flow_on);
71820 +                       dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
71821                         set_rx_flow_on(cf_sk);
71822                         caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
71823         }
71824 @@ -854,7 +855,7 @@ static int caif_connect(struct socket *s
71825         /*ifindex = id of the interface.*/
71826         cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
71827  
71828 -       dbfs_atomic_inc(&cnt.num_connect_req);
71829 +       dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
71830         cf_sk->layer.receive = caif_sktrecv_cb;
71831  
71832         err = caif_connect_client(sock_net(sk), &cf_sk->conn_req,
71833 @@ -943,7 +944,7 @@ static int caif_release(struct socket *s
71834         spin_unlock_bh(&sk->sk_receive_queue.lock);
71835         sock->sk = NULL;
71836  
71837 -       dbfs_atomic_inc(&cnt.num_disconnect);
71838 +       dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
71839  
71840         WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir));
71841         if (cf_sk->debugfs_socket_dir != NULL)
71842 @@ -1122,7 +1123,7 @@ static int caif_create(struct net *net, 
71843         cf_sk->conn_req.protocol = protocol;
71844         /* Increase the number of sockets created. */
71845         dbfs_atomic_inc(&cnt.caif_nr_socks);
71846 -       num = dbfs_atomic_inc(&cnt.caif_sock_create);
71847 +       num = dbfs_atomic_inc_unchecked(&cnt.caif_sock_create);
71848  #ifdef CONFIG_DEBUG_FS
71849         if (!IS_ERR(debugfsdir)) {
71850  
71851 diff -urNp linux-3.0.9/net/caif/cfctrl.c linux-3.0.9/net/caif/cfctrl.c
71852 --- linux-3.0.9/net/caif/cfctrl.c       2011-11-11 13:12:24.000000000 -0500
71853 +++ linux-3.0.9/net/caif/cfctrl.c       2011-11-15 20:03:00.000000000 -0500
71854 @@ -9,6 +9,7 @@
71855  #include <linux/stddef.h>
71856  #include <linux/spinlock.h>
71857  #include <linux/slab.h>
71858 +#include <linux/sched.h>
71859  #include <net/caif/caif_layer.h>
71860  #include <net/caif/cfpkt.h>
71861  #include <net/caif/cfctrl.h>
71862 @@ -45,8 +46,8 @@ struct cflayer *cfctrl_create(void)
71863         dev_info.id = 0xff;
71864         memset(this, 0, sizeof(*this));
71865         cfsrvl_init(&this->serv, 0, &dev_info, false);
71866 -       atomic_set(&this->req_seq_no, 1);
71867 -       atomic_set(&this->rsp_seq_no, 1);
71868 +       atomic_set_unchecked(&this->req_seq_no, 1);
71869 +       atomic_set_unchecked(&this->rsp_seq_no, 1);
71870         this->serv.layer.receive = cfctrl_recv;
71871         sprintf(this->serv.layer.name, "ctrl");
71872         this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
71873 @@ -132,8 +133,8 @@ static void cfctrl_insert_req(struct cfc
71874                               struct cfctrl_request_info *req)
71875  {
71876         spin_lock_bh(&ctrl->info_list_lock);
71877 -       atomic_inc(&ctrl->req_seq_no);
71878 -       req->sequence_no = atomic_read(&ctrl->req_seq_no);
71879 +       atomic_inc_unchecked(&ctrl->req_seq_no);
71880 +       req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
71881         list_add_tail(&req->list, &ctrl->list);
71882         spin_unlock_bh(&ctrl->info_list_lock);
71883  }
71884 @@ -151,7 +152,7 @@ static struct cfctrl_request_info *cfctr
71885                         if (p != first)
71886                                 pr_warn("Requests are not received in order\n");
71887  
71888 -                       atomic_set(&ctrl->rsp_seq_no,
71889 +                       atomic_set_unchecked(&ctrl->rsp_seq_no,
71890                                          p->sequence_no);
71891                         list_del(&p->list);
71892                         goto out;
71893 @@ -364,6 +365,7 @@ static int cfctrl_recv(struct cflayer *l
71894         struct cfctrl *cfctrl = container_obj(layer);
71895         struct cfctrl_request_info rsp, *req;
71896  
71897 +       pax_track_stack();
71898  
71899         cfpkt_extr_head(pkt, &cmdrsp, 1);
71900         cmd = cmdrsp & CFCTRL_CMD_MASK;
71901 diff -urNp linux-3.0.9/net/compat.c linux-3.0.9/net/compat.c
71902 --- linux-3.0.9/net/compat.c    2011-11-11 13:12:24.000000000 -0500
71903 +++ linux-3.0.9/net/compat.c    2011-11-15 20:03:00.000000000 -0500
71904 @@ -70,9 +70,9 @@ int get_compat_msghdr(struct msghdr *kms
71905             __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
71906             __get_user(kmsg->msg_flags, &umsg->msg_flags))
71907                 return -EFAULT;
71908 -       kmsg->msg_name = compat_ptr(tmp1);
71909 -       kmsg->msg_iov = compat_ptr(tmp2);
71910 -       kmsg->msg_control = compat_ptr(tmp3);
71911 +       kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
71912 +       kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
71913 +       kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
71914         return 0;
71915  }
71916  
71917 @@ -84,7 +84,7 @@ int verify_compat_iovec(struct msghdr *k
71918  
71919         if (kern_msg->msg_namelen) {
71920                 if (mode == VERIFY_READ) {
71921 -                       int err = move_addr_to_kernel(kern_msg->msg_name,
71922 +                       int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
71923                                                       kern_msg->msg_namelen,
71924                                                       kern_address);
71925                         if (err < 0)
71926 @@ -95,7 +95,7 @@ int verify_compat_iovec(struct msghdr *k
71927                 kern_msg->msg_name = NULL;
71928  
71929         tot_len = iov_from_user_compat_to_kern(kern_iov,
71930 -                                         (struct compat_iovec __user *)kern_msg->msg_iov,
71931 +                                         (struct compat_iovec __force_user *)kern_msg->msg_iov,
71932                                           kern_msg->msg_iovlen);
71933         if (tot_len >= 0)
71934                 kern_msg->msg_iov = kern_iov;
71935 @@ -115,20 +115,20 @@ int verify_compat_iovec(struct msghdr *k
71936  
71937  #define CMSG_COMPAT_FIRSTHDR(msg)                      \
71938         (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ?     \
71939 -        (struct compat_cmsghdr __user *)((msg)->msg_control) :         \
71940 +        (struct compat_cmsghdr __force_user *)((msg)->msg_control) :           \
71941          (struct compat_cmsghdr __user *)NULL)
71942  
71943  #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
71944         ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
71945          (ucmlen) <= (unsigned long) \
71946          ((mhdr)->msg_controllen - \
71947 -         ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
71948 +         ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
71949  
71950  static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
71951                 struct compat_cmsghdr __user *cmsg, int cmsg_len)
71952  {
71953         char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
71954 -       if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
71955 +       if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
71956                         msg->msg_controllen)
71957                 return NULL;
71958         return (struct compat_cmsghdr __user *)ptr;
71959 @@ -220,7 +220,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71960  {
71961         struct compat_timeval ctv;
71962         struct compat_timespec cts[3];
71963 -       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71964 +       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71965         struct compat_cmsghdr cmhdr;
71966         int cmlen;
71967  
71968 @@ -272,7 +272,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71969  
71970  void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
71971  {
71972 -       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71973 +       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71974         int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
71975         int fdnum = scm->fp->count;
71976         struct file **fp = scm->fp->fp;
71977 @@ -369,7 +369,7 @@ static int do_set_sock_timeout(struct so
71978                 return -EFAULT;
71979         old_fs = get_fs();
71980         set_fs(KERNEL_DS);
71981 -       err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
71982 +       err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
71983         set_fs(old_fs);
71984  
71985         return err;
71986 @@ -430,7 +430,7 @@ static int do_get_sock_timeout(struct so
71987         len = sizeof(ktime);
71988         old_fs = get_fs();
71989         set_fs(KERNEL_DS);
71990 -       err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
71991 +       err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
71992         set_fs(old_fs);
71993  
71994         if (!err) {
71995 @@ -565,7 +565,7 @@ int compat_mc_setsockopt(struct sock *so
71996         case MCAST_JOIN_GROUP:
71997         case MCAST_LEAVE_GROUP:
71998         {
71999 -               struct compat_group_req __user *gr32 = (void *)optval;
72000 +               struct compat_group_req __user *gr32 = (void __user *)optval;
72001                 struct group_req __user *kgr =
72002                         compat_alloc_user_space(sizeof(struct group_req));
72003                 u32 interface;
72004 @@ -586,7 +586,7 @@ int compat_mc_setsockopt(struct sock *so
72005         case MCAST_BLOCK_SOURCE:
72006         case MCAST_UNBLOCK_SOURCE:
72007         {
72008 -               struct compat_group_source_req __user *gsr32 = (void *)optval;
72009 +               struct compat_group_source_req __user *gsr32 = (void __user *)optval;
72010                 struct group_source_req __user *kgsr = compat_alloc_user_space(
72011                         sizeof(struct group_source_req));
72012                 u32 interface;
72013 @@ -607,7 +607,7 @@ int compat_mc_setsockopt(struct sock *so
72014         }
72015         case MCAST_MSFILTER:
72016         {
72017 -               struct compat_group_filter __user *gf32 = (void *)optval;
72018 +               struct compat_group_filter __user *gf32 = (void __user *)optval;
72019                 struct group_filter __user *kgf;
72020                 u32 interface, fmode, numsrc;
72021  
72022 @@ -645,7 +645,7 @@ int compat_mc_getsockopt(struct sock *so
72023         char __user *optval, int __user *optlen,
72024         int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
72025  {
72026 -       struct compat_group_filter __user *gf32 = (void *)optval;
72027 +       struct compat_group_filter __user *gf32 = (void __user *)optval;
72028         struct group_filter __user *kgf;
72029         int __user      *koptlen;
72030         u32 interface, fmode, numsrc;
72031 diff -urNp linux-3.0.9/net/core/datagram.c linux-3.0.9/net/core/datagram.c
72032 --- linux-3.0.9/net/core/datagram.c     2011-11-11 13:12:24.000000000 -0500
72033 +++ linux-3.0.9/net/core/datagram.c     2011-11-15 20:03:00.000000000 -0500
72034 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
72035         }
72036  
72037         kfree_skb(skb);
72038 -       atomic_inc(&sk->sk_drops);
72039 +       atomic_inc_unchecked(&sk->sk_drops);
72040         sk_mem_reclaim_partial(sk);
72041  
72042         return err;
72043 diff -urNp linux-3.0.9/net/core/dev.c linux-3.0.9/net/core/dev.c
72044 --- linux-3.0.9/net/core/dev.c  2011-11-11 13:12:24.000000000 -0500
72045 +++ linux-3.0.9/net/core/dev.c  2011-11-15 20:03:00.000000000 -0500
72046 @@ -1125,10 +1125,14 @@ void dev_load(struct net *net, const cha
72047         if (no_module && capable(CAP_NET_ADMIN))
72048                 no_module = request_module("netdev-%s", name);
72049         if (no_module && capable(CAP_SYS_MODULE)) {
72050 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
72051 +               ___request_module(true, "grsec_modharden_netdev", "%s", name);
72052 +#else
72053                 if (!request_module("%s", name))
72054                         pr_err("Loading kernel module for a network device "
72055  "with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%s "
72056  "instead\n", name);
72057 +#endif
72058         }
72059  }
72060  EXPORT_SYMBOL(dev_load);
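Review bot: Under CONFIG_GRKERNSEC_MODHARDEN the new branch discards the return value of ___request_module() and drops the deprecation message that the `#else` path still prints, so an administrator on a hardened kernel gets neither the module-load outcome nor the hint to switch to CAP_NET_ADMIN with the netdev- alias. If that is intended, a one-line comment on the `#ifdef` stating the rationale (for example that the MODHARDEN path reports the attempt itself, if it does) would document it; otherwise the branch should mirror the `if (!...) pr_err(...)` shape of the else path. The net_tx_action/net_rx_action hunks further down in this file change softirq handler signatures, which presumably have to match an open_softirq() prototype change elsewhere in the patch that is not visible here.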
72061 @@ -1959,7 +1963,7 @@ static int illegal_highdma(struct net_de
72062  
72063  struct dev_gso_cb {
72064         void (*destructor)(struct sk_buff *skb);
72065 -};
72066 +} __no_const;
72067  
72068  #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
72069  
72070 @@ -2912,7 +2916,7 @@ int netif_rx_ni(struct sk_buff *skb)
72071  }
72072  EXPORT_SYMBOL(netif_rx_ni);
72073  
72074 -static void net_tx_action(struct softirq_action *h)
72075 +static void net_tx_action(void)
72076  {
72077         struct softnet_data *sd = &__get_cpu_var(softnet_data);
72078  
72079 @@ -3761,7 +3765,7 @@ void netif_napi_del(struct napi_struct *
72080  }
72081  EXPORT_SYMBOL(netif_napi_del);
72082  
72083 -static void net_rx_action(struct softirq_action *h)
72084 +static void net_rx_action(void)
72085  {
72086         struct softnet_data *sd = &__get_cpu_var(softnet_data);
72087         unsigned long time_limit = jiffies + 2;
72088 diff -urNp linux-3.0.9/net/core/flow.c linux-3.0.9/net/core/flow.c
72089 --- linux-3.0.9/net/core/flow.c 2011-11-11 13:12:24.000000000 -0500
72090 +++ linux-3.0.9/net/core/flow.c 2011-11-15 20:03:00.000000000 -0500
72091 @@ -60,7 +60,7 @@ struct flow_cache {
72092         struct timer_list               rnd_timer;
72093  };
72094  
72095 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
72096 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
72097  EXPORT_SYMBOL(flow_cache_genid);
72098  static struct flow_cache flow_cache_global;
72099  static struct kmem_cache *flow_cachep __read_mostly;
72100 @@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
72101  
72102  static int flow_entry_valid(struct flow_cache_entry *fle)
72103  {
72104 -       if (atomic_read(&flow_cache_genid) != fle->genid)
72105 +       if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
72106                 return 0;
72107         if (fle->object && !fle->object->ops->check(fle->object))
72108                 return 0;
72109 @@ -256,7 +256,7 @@ flow_cache_lookup(struct net *net, const
72110                         hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
72111                         fcp->hash_count++;
72112                 }
72113 -       } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
72114 +       } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
72115                 flo = fle->object;
72116                 if (!flo)
72117                         goto ret_object;
72118 @@ -277,7 +277,7 @@ nocache:
72119         }
72120         flo = resolver(net, key, family, dir, flo, ctx);
72121         if (fle) {
72122 -               fle->genid = atomic_read(&flow_cache_genid);
72123 +               fle->genid = atomic_read_unchecked(&flow_cache_genid);
72124                 if (!IS_ERR(flo))
72125                         fle->object = flo;
72126                 else
72127 diff -urNp linux-3.0.9/net/core/iovec.c linux-3.0.9/net/core/iovec.c
72128 --- linux-3.0.9/net/core/iovec.c        2011-11-11 13:12:24.000000000 -0500
72129 +++ linux-3.0.9/net/core/iovec.c        2011-11-15 20:03:00.000000000 -0500
72130 @@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struc
72131         if (m->msg_namelen) {
72132                 if (mode == VERIFY_READ) {
72133                         void __user *namep;
72134 -                       namep = (void __user __force *) m->msg_name;
72135 +                       namep = (void __force_user *) m->msg_name;
72136                         err = move_addr_to_kernel(namep, m->msg_namelen,
72137                                                   address);
72138                         if (err < 0)
72139 @@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struc
72140         }
72141  
72142         size = m->msg_iovlen * sizeof(struct iovec);
72143 -       if (copy_from_user(iov, (void __user __force *) m->msg_iov, size))
72144 +       if (copy_from_user(iov, (void __force_user *) m->msg_iov, size))
72145                 return -EFAULT;
72146  
72147         m->msg_iov = iov;
72148 diff -urNp linux-3.0.9/net/core/rtnetlink.c linux-3.0.9/net/core/rtnetlink.c
72149 --- linux-3.0.9/net/core/rtnetlink.c    2011-11-11 13:12:24.000000000 -0500
72150 +++ linux-3.0.9/net/core/rtnetlink.c    2011-11-15 20:03:00.000000000 -0500
72151 @@ -56,7 +56,7 @@
72152  struct rtnl_link {
72153         rtnl_doit_func          doit;
72154         rtnl_dumpit_func        dumpit;
72155 -};
72156 +} __no_const;
72157  
72158  static DEFINE_MUTEX(rtnl_mutex);
72159  
72160 diff -urNp linux-3.0.9/net/core/scm.c linux-3.0.9/net/core/scm.c
72161 --- linux-3.0.9/net/core/scm.c  2011-11-11 13:12:24.000000000 -0500
72162 +++ linux-3.0.9/net/core/scm.c  2011-11-15 20:03:00.000000000 -0500
72163 @@ -218,7 +218,7 @@ EXPORT_SYMBOL(__scm_send);
72164  int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
72165  {
72166         struct cmsghdr __user *cm
72167 -               = (__force struct cmsghdr __user *)msg->msg_control;
72168 +               = (struct cmsghdr __force_user *)msg->msg_control;
72169         struct cmsghdr cmhdr;
72170         int cmlen = CMSG_LEN(len);
72171         int err;
72172 @@ -241,7 +241,7 @@ int put_cmsg(struct msghdr * msg, int le
72173         err = -EFAULT;
72174         if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
72175                 goto out;
72176 -       if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
72177 +       if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
72178                 goto out;
72179         cmlen = CMSG_SPACE(len);
72180         if (msg->msg_controllen < cmlen)
72181 @@ -257,7 +257,7 @@ EXPORT_SYMBOL(put_cmsg);
72182  void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
72183  {
72184         struct cmsghdr __user *cm
72185 -               = (__force struct cmsghdr __user*)msg->msg_control;
72186 +               = (struct cmsghdr __force_user *)msg->msg_control;
72187  
72188         int fdmax = 0;
72189         int fdnum = scm->fp->count;
72190 @@ -277,7 +277,7 @@ void scm_detach_fds(struct msghdr *msg, 
72191         if (fdnum < fdmax)
72192                 fdmax = fdnum;
72193  
72194 -       for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
72195 +       for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
72196              i++, cmfptr++)
72197         {
72198                 int new_fd;
72199 diff -urNp linux-3.0.9/net/core/skbuff.c linux-3.0.9/net/core/skbuff.c
72200 --- linux-3.0.9/net/core/skbuff.c       2011-11-11 13:12:24.000000000 -0500
72201 +++ linux-3.0.9/net/core/skbuff.c       2011-11-15 20:03:00.000000000 -0500
72202 @@ -1543,6 +1543,8 @@ int skb_splice_bits(struct sk_buff *skb,
72203         struct sock *sk = skb->sk;
72204         int ret = 0;
72205  
72206 +       pax_track_stack();
72207 +
72208         if (splice_grow_spd(pipe, &spd))
72209                 return -ENOMEM;
72210  
72211 diff -urNp linux-3.0.9/net/core/sock.c linux-3.0.9/net/core/sock.c
72212 --- linux-3.0.9/net/core/sock.c 2011-11-11 13:12:24.000000000 -0500
72213 +++ linux-3.0.9/net/core/sock.c 2011-11-15 20:03:00.000000000 -0500
72214 @@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk, 
72215          */
72216         if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
72217             (unsigned)sk->sk_rcvbuf) {
72218 -               atomic_inc(&sk->sk_drops);
72219 +               atomic_inc_unchecked(&sk->sk_drops);
72220                 return -ENOMEM;
72221         }
72222  
72223 @@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk, 
72224                 return err;
72225  
72226         if (!sk_rmem_schedule(sk, skb->truesize)) {
72227 -               atomic_inc(&sk->sk_drops);
72228 +               atomic_inc_unchecked(&sk->sk_drops);
72229                 return -ENOBUFS;
72230         }
72231  
72232 @@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk, 
72233         skb_dst_force(skb);
72234  
72235         spin_lock_irqsave(&list->lock, flags);
72236 -       skb->dropcount = atomic_read(&sk->sk_drops);
72237 +       skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
72238         __skb_queue_tail(list, skb);
72239         spin_unlock_irqrestore(&list->lock, flags);
72240  
72241 @@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
72242         skb->dev = NULL;
72243  
72244         if (sk_rcvqueues_full(sk, skb)) {
72245 -               atomic_inc(&sk->sk_drops);
72246 +               atomic_inc_unchecked(&sk->sk_drops);
72247                 goto discard_and_relse;
72248         }
72249         if (nested)
72250 @@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
72251                 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
72252         } else if (sk_add_backlog(sk, skb)) {
72253                 bh_unlock_sock(sk);
72254 -               atomic_inc(&sk->sk_drops);
72255 +               atomic_inc_unchecked(&sk->sk_drops);
72256                 goto discard_and_relse;
72257         }
72258  
72259 @@ -921,7 +921,7 @@ int sock_getsockopt(struct socket *sock,
72260                 if (len > sizeof(peercred))
72261                         len = sizeof(peercred);
72262                 cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
72263 -               if (copy_to_user(optval, &peercred, len))
72264 +               if (len > sizeof(peercred) || copy_to_user(optval, &peercred, len))
72265                         return -EFAULT;
72266                 goto lenout;
72267         }
72268 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
72269                         return -ENOTCONN;
72270                 if (lv < len)
72271                         return -EINVAL;
72272 -               if (copy_to_user(optval, address, len))
72273 +               if (len > sizeof(address) || copy_to_user(optval, address, len))
72274                         return -EFAULT;
72275                 goto lenout;
72276         }
72277 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
72278  
72279         if (len > lv)
72280                 len = lv;
72281 -       if (copy_to_user(optval, &v, len))
72282 +       if (len > sizeof(v) || copy_to_user(optval, &v, len))
72283                 return -EFAULT;
72284  lenout:
72285         if (put_user(len, optlen))
72286 @@ -2024,7 +2024,7 @@ void sock_init_data(struct socket *sock,
72287          */
72288         smp_wmb();
72289         atomic_set(&sk->sk_refcnt, 1);
72290 -       atomic_set(&sk->sk_drops, 0);
72291 +       atomic_set_unchecked(&sk->sk_drops, 0);
72292  }
72293  EXPORT_SYMBOL(sock_init_data);
72294  
72295 diff -urNp linux-3.0.9/net/decnet/sysctl_net_decnet.c linux-3.0.9/net/decnet/sysctl_net_decnet.c
72296 --- linux-3.0.9/net/decnet/sysctl_net_decnet.c  2011-11-11 13:12:24.000000000 -0500
72297 +++ linux-3.0.9/net/decnet/sysctl_net_decnet.c  2011-11-15 20:03:00.000000000 -0500
72298 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
72299  
72300         if (len > *lenp) len = *lenp;
72301  
72302 -       if (copy_to_user(buffer, addr, len))
72303 +       if (len > sizeof addr || copy_to_user(buffer, addr, len))
72304                 return -EFAULT;
72305  
72306         *lenp = len;
72307 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table 
72308  
72309         if (len > *lenp) len = *lenp;
72310  
72311 -       if (copy_to_user(buffer, devname, len))
72312 +       if (len > sizeof devname || copy_to_user(buffer, devname, len))
72313                 return -EFAULT;
72314  
72315         *lenp = len;
72316 diff -urNp linux-3.0.9/net/econet/Kconfig linux-3.0.9/net/econet/Kconfig
72317 --- linux-3.0.9/net/econet/Kconfig      2011-11-11 13:12:24.000000000 -0500
72318 +++ linux-3.0.9/net/econet/Kconfig      2011-11-15 20:03:00.000000000 -0500
72319 @@ -4,7 +4,7 @@
72320  
72321  config ECONET
72322         tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
72323 -       depends on EXPERIMENTAL && INET
72324 +       depends on EXPERIMENTAL && INET && BROKEN
72325         ---help---
72326           Econet is a fairly old and slow networking protocol mainly used by
72327           Acorn computers to access file and print servers. It uses native
72328 diff -urNp linux-3.0.9/net/ipv4/fib_frontend.c linux-3.0.9/net/ipv4/fib_frontend.c
72329 --- linux-3.0.9/net/ipv4/fib_frontend.c 2011-11-11 13:12:24.000000000 -0500
72330 +++ linux-3.0.9/net/ipv4/fib_frontend.c 2011-11-15 20:03:00.000000000 -0500
72331 @@ -970,12 +970,12 @@ static int fib_inetaddr_event(struct not
72332  #ifdef CONFIG_IP_ROUTE_MULTIPATH
72333                 fib_sync_up(dev);
72334  #endif
72335 -               atomic_inc(&net->ipv4.dev_addr_genid);
72336 +               atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72337                 rt_cache_flush(dev_net(dev), -1);
72338                 break;
72339         case NETDEV_DOWN:
72340                 fib_del_ifaddr(ifa, NULL);
72341 -               atomic_inc(&net->ipv4.dev_addr_genid);
72342 +               atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72343                 if (ifa->ifa_dev->ifa_list == NULL) {
72344                         /* Last address was deleted from this interface.
72345                          * Disable IP.
72346 @@ -1011,7 +1011,7 @@ static int fib_netdev_event(struct notif
72347  #ifdef CONFIG_IP_ROUTE_MULTIPATH
72348                 fib_sync_up(dev);
72349  #endif
72350 -               atomic_inc(&net->ipv4.dev_addr_genid);
72351 +               atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72352                 rt_cache_flush(dev_net(dev), -1);
72353                 break;
72354         case NETDEV_DOWN:
72355 diff -urNp linux-3.0.9/net/ipv4/fib_semantics.c linux-3.0.9/net/ipv4/fib_semantics.c
72356 --- linux-3.0.9/net/ipv4/fib_semantics.c        2011-11-11 13:12:24.000000000 -0500
72357 +++ linux-3.0.9/net/ipv4/fib_semantics.c        2011-11-15 20:03:00.000000000 -0500
72358 @@ -691,7 +691,7 @@ __be32 fib_info_update_nh_saddr(struct n
72359         nh->nh_saddr = inet_select_addr(nh->nh_dev,
72360                                         nh->nh_gw,
72361                                         nh->nh_parent->fib_scope);
72362 -       nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
72363 +       nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
72364  
72365         return nh->nh_saddr;
72366  }
72367 diff -urNp linux-3.0.9/net/ipv4/inet_diag.c linux-3.0.9/net/ipv4/inet_diag.c
72368 --- linux-3.0.9/net/ipv4/inet_diag.c    2011-11-11 13:12:24.000000000 -0500
72369 +++ linux-3.0.9/net/ipv4/inet_diag.c    2011-11-15 20:03:00.000000000 -0500
72370 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
72371         r->idiag_retrans = 0;
72372  
72373         r->id.idiag_if = sk->sk_bound_dev_if;
72374 +
72375 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72376 +       r->id.idiag_cookie[0] = 0;
72377 +       r->id.idiag_cookie[1] = 0;
72378 +#else
72379         r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
72380         r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
72381 +#endif
72382  
72383         r->id.idiag_sport = inet->inet_sport;
72384         r->id.idiag_dport = inet->inet_dport;
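Review bot: Under CONFIG_GRKERNSEC_HIDESYM the filler stores `0` in both `idiag_cookie` words, but the sentinel the lookup in the @@ -285,12 hunk recognises is `INET_DIAG_NOCOOKIE`, so a zero cookie is indistinguishable from a genuine one and that hunk has to compile the whole -ESTALE comparison away to cope. Writing the sentinel instead, `r->id.idiag_cookie[0] = INET_DIAG_NOCOOKIE;` and `r->id.idiag_cookie[1] = INET_DIAG_NOCOOKIE;`, would let a requester echoing it back bypass the comparison through the existing `!= INET_DIAG_NOCOOKIE` test while keeping the check in place for any other input. The same zero-fill is repeated in the @@ -201,8 and @@ -580,8 hunks. With the check removed, a request that does carry a cookie presumably matches whatever socket currently has those addresses instead of returning -ESTALE; a comment at the `#ifndef` recording that this is accepted would help.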
72385 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
72386         r->idiag_family       = tw->tw_family;
72387         r->idiag_retrans      = 0;
72388         r->id.idiag_if        = tw->tw_bound_dev_if;
72389 +
72390 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72391 +       r->id.idiag_cookie[0] = 0;
72392 +       r->id.idiag_cookie[1] = 0;
72393 +#else
72394         r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
72395         r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
72396 +#endif
72397 +
72398         r->id.idiag_sport     = tw->tw_sport;
72399         r->id.idiag_dport     = tw->tw_dport;
72400         r->id.idiag_src[0]    = tw->tw_rcv_saddr;
72401 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
72402         if (sk == NULL)
72403                 goto unlock;
72404  
72405 +#ifndef CONFIG_GRKERNSEC_HIDESYM
72406         err = -ESTALE;
72407         if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
72408              req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
72409             ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
72410              (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
72411                 goto out;
72412 +#endif
72413  
72414         err = -ENOMEM;
72415         rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
72416 @@ -580,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
72417         r->idiag_retrans = req->retrans;
72418  
72419         r->id.idiag_if = sk->sk_bound_dev_if;
72420 +
72421 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72422 +       r->id.idiag_cookie[0] = 0;
72423 +       r->id.idiag_cookie[1] = 0;
72424 +#else
72425         r->id.idiag_cookie[0] = (u32)(unsigned long)req;
72426         r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
72427 +#endif
72428  
72429         tmo = req->expires - jiffies;
72430         if (tmo < 0)
72431 diff -urNp linux-3.0.9/net/ipv4/inet_hashtables.c linux-3.0.9/net/ipv4/inet_hashtables.c
72432 --- linux-3.0.9/net/ipv4/inet_hashtables.c      2011-11-11 13:12:24.000000000 -0500
72433 +++ linux-3.0.9/net/ipv4/inet_hashtables.c      2011-11-15 20:03:00.000000000 -0500
72434 @@ -18,12 +18,15 @@
72435  #include <linux/sched.h>
72436  #include <linux/slab.h>
72437  #include <linux/wait.h>
72438 +#include <linux/security.h>
72439  
72440  #include <net/inet_connection_sock.h>
72441  #include <net/inet_hashtables.h>
72442  #include <net/secure_seq.h>
72443  #include <net/route.h>
72444  #include <net/ip.h>
72445  
72446 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
72447 +
72448  /*
72449   * Allocate and initialize a new local port bind bucket.
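Review bot: The prototype `extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);` is declared locally in the .c file rather than in a header, so it is never checked against the definition and will drift silently if the signature changes; the `#include <linux/security.h>` added a few lines above looks like the intended home for the declaration. The same pattern appears in udp.c (@@ -564,6 hunk) with `gr_search_udp_recvmsg` and `gr_search_udp_sendmsg`. If a header is deliberately avoided, a one-line comment naming the translation unit that defines the function would at least make the dependency visible to the next reader.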
72450 @@ -530,6 +533,8 @@ ok:
72451                         twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
72452                 spin_unlock(&head->lock);
72453  
72454 +               gr_update_task_in_ip_table(current, inet_sk(sk));
72455 +
72456                 if (tw) {
72457                         inet_twsk_deschedule(tw, death_row);
72458                         while (twrefcnt) {
72459 diff -urNp linux-3.0.9/net/ipv4/inetpeer.c linux-3.0.9/net/ipv4/inetpeer.c
72460 --- linux-3.0.9/net/ipv4/inetpeer.c     2011-11-11 13:12:24.000000000 -0500
72461 +++ linux-3.0.9/net/ipv4/inetpeer.c     2011-11-15 20:03:00.000000000 -0500
72462 @@ -481,6 +481,8 @@ struct inet_peer *inet_getpeer(struct in
72463         unsigned int sequence;
72464         int invalidated, newrefcnt = 0;
72465  
72466 +       pax_track_stack();
72467 +
72468         /* Look up for the address quickly, lockless.
72469          * Because of a concurrent writer, we might not find an existing entry.
72470          */
72471 @@ -517,8 +519,8 @@ found:              /* The existing node has been fo
72472         if (p) {
72473                 p->daddr = *daddr;
72474                 atomic_set(&p->refcnt, 1);
72475 -               atomic_set(&p->rid, 0);
72476 -               atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
72477 +               atomic_set_unchecked(&p->rid, 0);
72478 +               atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
72479                 p->tcp_ts_stamp = 0;
72480                 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
72481                 p->rate_tokens = 0;
72482 diff -urNp linux-3.0.9/net/ipv4/ipconfig.c linux-3.0.9/net/ipv4/ipconfig.c
72483 --- linux-3.0.9/net/ipv4/ipconfig.c     2011-11-11 13:12:24.000000000 -0500
72484 +++ linux-3.0.9/net/ipv4/ipconfig.c     2011-11-15 20:03:00.000000000 -0500
72485 @@ -313,7 +313,7 @@ static int __init ic_devinet_ioctl(unsig
72486  
72487         mm_segment_t oldfs = get_fs();
72488         set_fs(get_ds());
72489 -       res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72490 +       res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72491         set_fs(oldfs);
72492         return res;
72493  }
72494 @@ -324,7 +324,7 @@ static int __init ic_dev_ioctl(unsigned 
72495  
72496         mm_segment_t oldfs = get_fs();
72497         set_fs(get_ds());
72498 -       res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72499 +       res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72500         set_fs(oldfs);
72501         return res;
72502  }
72503 @@ -335,7 +335,7 @@ static int __init ic_route_ioctl(unsigne
72504  
72505         mm_segment_t oldfs = get_fs();
72506         set_fs(get_ds());
72507 -       res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
72508 +       res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
72509         set_fs(oldfs);
72510         return res;
72511  }
72512 diff -urNp linux-3.0.9/net/ipv4/ip_fragment.c linux-3.0.9/net/ipv4/ip_fragment.c
72513 --- linux-3.0.9/net/ipv4/ip_fragment.c  2011-11-11 13:12:24.000000000 -0500
72514 +++ linux-3.0.9/net/ipv4/ip_fragment.c  2011-11-15 20:03:00.000000000 -0500
72515 @@ -315,7 +315,7 @@ static inline int ip_frag_too_far(struct
72516                 return 0;
72517  
72518         start = qp->rid;
72519 -       end = atomic_inc_return(&peer->rid);
72520 +       end = atomic_inc_return_unchecked(&peer->rid);
72521         qp->rid = end;
72522  
72523         rc = qp->q.fragments && (end - start) > max;
72524 diff -urNp linux-3.0.9/net/ipv4/ip_sockglue.c linux-3.0.9/net/ipv4/ip_sockglue.c
72525 --- linux-3.0.9/net/ipv4/ip_sockglue.c  2011-11-11 13:12:24.000000000 -0500
72526 +++ linux-3.0.9/net/ipv4/ip_sockglue.c  2011-11-15 20:03:00.000000000 -0500
72527 @@ -1073,6 +1073,8 @@ static int do_ip_getsockopt(struct sock 
72528         int val;
72529         int len;
72530  
72531 +       pax_track_stack();
72532 +
72533         if (level != SOL_IP)
72534                 return -EOPNOTSUPP;
72535  
72536 @@ -1110,7 +1112,8 @@ static int do_ip_getsockopt(struct sock 
72537                 len = min_t(unsigned int, len, opt->optlen);
72538                 if (put_user(len, optlen))
72539                         return -EFAULT;
72540 -               if (copy_to_user(optval, opt->__data, len))
72541 +               if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
72542 +                   copy_to_user(optval, opt->__data, len))
72543                         return -EFAULT;
72544                 return 0;
72545         }
72546 @@ -1238,7 +1241,7 @@ static int do_ip_getsockopt(struct sock 
72547                 if (sk->sk_type != SOCK_STREAM)
72548                         return -ENOPROTOOPT;
72549  
72550 -               msg.msg_control = optval;
72551 +               msg.msg_control = (void __force_kernel *)optval;
72552                 msg.msg_controllen = len;
72553                 msg.msg_flags = 0;
72554  
72555 diff -urNp linux-3.0.9/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-3.0.9/net/ipv4/netfilter/nf_nat_snmp_basic.c
72556 --- linux-3.0.9/net/ipv4/netfilter/nf_nat_snmp_basic.c  2011-11-11 13:12:24.000000000 -0500
72557 +++ linux-3.0.9/net/ipv4/netfilter/nf_nat_snmp_basic.c  2011-11-15 20:03:00.000000000 -0500
72558 @@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
72559  
72560         *len = 0;
72561  
72562 -       *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
72563 +       *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
72564         if (*octets == NULL) {
72565                 if (net_ratelimit())
72566                         pr_notice("OOM in bsalg (%d)\n", __LINE__);
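Review bot: The only change in this hunk is wrapping `eoc - ctx->pointer` in parentheses, which does not alter evaluation of the `kmalloc` size argument, so a reader of the patched file cannot tell why the line was touched. If the parentheses exist to satisfy a tool (a size-checking compiler plugin, presumably), say so on the line: `/* parentheses keep <tool name> from flagging this size expression */`. Otherwise the hunk is a no-op and could be dropped.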
72567 diff -urNp linux-3.0.9/net/ipv4/ping.c linux-3.0.9/net/ipv4/ping.c
72568 --- linux-3.0.9/net/ipv4/ping.c 2011-11-11 13:12:24.000000000 -0500
72569 +++ linux-3.0.9/net/ipv4/ping.c 2011-11-15 20:03:00.000000000 -0500
72570 @@ -837,7 +837,7 @@ static void ping_format_sock(struct sock
72571                 sk_rmem_alloc_get(sp),
72572                 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72573                 atomic_read(&sp->sk_refcnt), sp,
72574 -               atomic_read(&sp->sk_drops), len);
72575 +               atomic_read_unchecked(&sp->sk_drops), len);
72576  }
72577  
72578  static int ping_seq_show(struct seq_file *seq, void *v)
72579 diff -urNp linux-3.0.9/net/ipv4/raw.c linux-3.0.9/net/ipv4/raw.c
72580 --- linux-3.0.9/net/ipv4/raw.c  2011-11-11 13:12:24.000000000 -0500
72581 +++ linux-3.0.9/net/ipv4/raw.c  2011-11-15 20:03:00.000000000 -0500
72582 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
72583  int raw_rcv(struct sock *sk, struct sk_buff *skb)
72584  {
72585         if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
72586 -               atomic_inc(&sk->sk_drops);
72587 +               atomic_inc_unchecked(&sk->sk_drops);
72588                 kfree_skb(skb);
72589                 return NET_RX_DROP;
72590         }
72591 @@ -736,16 +736,20 @@ static int raw_init(struct sock *sk)
72592  
72593  static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
72594  {
72595 +       struct icmp_filter filter;
72596 +
72597         if (optlen > sizeof(struct icmp_filter))
72598                 optlen = sizeof(struct icmp_filter);
72599 -       if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
72600 +       if (copy_from_user(&filter, optval, optlen))
72601                 return -EFAULT;
72602 +       raw_sk(sk)->filter = filter;
72603         return 0;
72604  }
72605  
72606  static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
72607  {
72608         int len, ret = -EFAULT;
72609 +       struct icmp_filter filter;
72610  
72611         if (get_user(len, optlen))
72612                 goto out;
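Review bot: In raw_seticmpfilter the new local `filter` is uninitialised, and when `optlen` is smaller than `sizeof(struct icmp_filter)` the clamp leaves the trailing bytes of `filter` unwritten before `raw_sk(sk)->filter = filter;` copies the whole struct into the socket; the original code overwrote only `optlen` bytes in place and preserved the rest. Those stack bytes are then handed back to userspace by raw_geticmpfilter in the next hunk, which copies `raw_sk(sk)->filter` out. Initialising from the current value, `struct icmp_filter filter = raw_sk(sk)->filter;`, restores the previous semantics while still keeping the user copy off the socket structure. raw_geticmpfilter continues past the end of this hunk.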
72613 @@ -755,8 +759,9 @@ static int raw_geticmpfilter(struct sock
72614         if (len > sizeof(struct icmp_filter))
72615                 len = sizeof(struct icmp_filter);
72616         ret = -EFAULT;
72617 -       if (put_user(len, optlen) ||
72618 -           copy_to_user(optval, &raw_sk(sk)->filter, len))
72619 +       filter = raw_sk(sk)->filter;
72620 +       if (put_user(len, optlen) || len > sizeof filter ||
72621 +           copy_to_user(optval, &filter, len))
72622                 goto out;
72623         ret = 0;
72624  out:   return ret;
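Review bot: The added `len > sizeof filter` test cannot fire, because `len` is clamped to `sizeof(struct icmp_filter)` two lines earlier in the same hunk, so it reads as a guard for a copy-size checker rather than a real bound; a comment such as `/* redundant after the clamp; kept for the copy_to_user size check */` would stop a later reader from deleting either line. It is also evaluated after `put_user(len, optlen)`, so if it ever did fire the caller would see an updated `*optlen` together with -EFAULT; ordering it before the `put_user` keeps the error path free of side effects.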
72625 @@ -984,7 +989,13 @@ static void raw_sock_seq_show(struct seq
72626                 sk_wmem_alloc_get(sp),
72627                 sk_rmem_alloc_get(sp),
72628                 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72629 -               atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
72630 +               atomic_read(&sp->sk_refcnt),
72631 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72632 +               NULL,
72633 +#else
72634 +               sp,
72635 +#endif
72636 +               atomic_read_unchecked(&sp->sk_drops));
72637  }
72638  
72639  static int raw_seq_show(struct seq_file *seq, void *v)
72640 diff -urNp linux-3.0.9/net/ipv4/route.c linux-3.0.9/net/ipv4/route.c
72641 --- linux-3.0.9/net/ipv4/route.c        2011-11-11 13:12:24.000000000 -0500
72642 +++ linux-3.0.9/net/ipv4/route.c        2011-11-15 20:03:00.000000000 -0500
72643 @@ -304,7 +304,7 @@ static inline unsigned int rt_hash(__be3
72644  
72645  static inline int rt_genid(struct net *net)
72646  {
72647 -       return atomic_read(&net->ipv4.rt_genid);
72648 +       return atomic_read_unchecked(&net->ipv4.rt_genid);
72649  }
72650  
72651  #ifdef CONFIG_PROC_FS
72652 @@ -832,7 +832,7 @@ static void rt_cache_invalidate(struct n
72653         unsigned char shuffle;
72654  
72655         get_random_bytes(&shuffle, sizeof(shuffle));
72656 -       atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
72657 +       atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
72658  }
72659  
72660  /*
72661 @@ -2832,7 +2832,7 @@ static int rt_fill_info(struct net *net,
72662         error = rt->dst.error;
72663         if (peer) {
72664                 inet_peer_refcheck(rt->peer);
72665 -               id = atomic_read(&peer->ip_id_count) & 0xffff;
72666 +               id = atomic_read_unchecked(&peer->ip_id_count) & 0xffff;
72667                 if (peer->tcp_ts_stamp) {
72668                         ts = peer->tcp_ts;
72669                         tsage = get_seconds() - peer->tcp_ts_stamp;
72670 diff -urNp linux-3.0.9/net/ipv4/tcp.c linux-3.0.9/net/ipv4/tcp.c
72671 --- linux-3.0.9/net/ipv4/tcp.c  2011-11-11 13:12:24.000000000 -0500
72672 +++ linux-3.0.9/net/ipv4/tcp.c  2011-11-15 20:03:00.000000000 -0500
72673 @@ -2122,6 +2122,8 @@ static int do_tcp_setsockopt(struct sock
72674         int val;
72675         int err = 0;
72676  
72677 +       pax_track_stack();
72678 +
72679         /* These are data/string values, all the others are ints */
72680         switch (optname) {
72681         case TCP_CONGESTION: {
72682 @@ -2501,6 +2503,8 @@ static int do_tcp_getsockopt(struct sock
72683         struct tcp_sock *tp = tcp_sk(sk);
72684         int val, len;
72685  
72686 +       pax_track_stack();
72687 +
72688         if (get_user(len, optlen))
72689                 return -EFAULT;
72690  
72691 diff -urNp linux-3.0.9/net/ipv4/tcp_ipv4.c linux-3.0.9/net/ipv4/tcp_ipv4.c
72692 --- linux-3.0.9/net/ipv4/tcp_ipv4.c     2011-11-11 13:12:24.000000000 -0500
72693 +++ linux-3.0.9/net/ipv4/tcp_ipv4.c     2011-11-15 20:03:00.000000000 -0500
72694 @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
72695  int sysctl_tcp_low_latency __read_mostly;
72696  EXPORT_SYMBOL(sysctl_tcp_low_latency);
72697  
72698 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72699 +extern int grsec_enable_blackhole;
72700 +#endif
72701  
72702  #ifdef CONFIG_TCP_MD5SIG
72703  static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
72704 @@ -1610,6 +1613,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
72705         return 0;
72706  
72707  reset:
72708 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72709 +       if (!grsec_enable_blackhole)
72710 +#endif
72711         tcp_v4_send_reset(rsk, skb);
72712  discard:
72713         kfree_skb(skb);
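Review bot: The `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` block wraps a bare `if (!grsec_enable_blackhole)` whose body is the unbraced context line `tcp_v4_send_reset(rsk, skb);`, so any statement later inserted between them, or a second statement added to the reset path, silently changes what the condition guards, and with the option off the `if` vanishes so the two configurations parse differently. The same shape appears in the @@ -1727,6 hunk below, in tcp_minisocks.c (@@ -745,6, where the guarded statement is itself an `if`), and in udp.c (@@ -1671,6). Making the flag a constant when the option is off (e.g. an `#else` branch with `#define grsec_enable_blackhole 0` next to the extern declaration at the top of the file) would let these sites be ordinary braced `if` statements with no preprocessor conditional around the control flow.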
72714 @@ -1672,12 +1678,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
72715         TCP_SKB_CB(skb)->sacked  = 0;
72716  
72717         sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
72718 -       if (!sk)
72719 +       if (!sk) {
72720 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72721 +               ret = 1;
72722 +#endif
72723                 goto no_tcp_socket;
72724 -
72725 +       }
72726  process:
72727 -       if (sk->sk_state == TCP_TIME_WAIT)
72728 +       if (sk->sk_state == TCP_TIME_WAIT) {
72729 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72730 +               ret = 2;
72731 +#endif
72732                 goto do_time_wait;
72733 +       }
72734  
72735         if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
72736                 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
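Review bot: `ret` is reused here as a path marker with the bare constants 1 and 2, while the only consumer visible is the `ret == 1` test in the @@ -1727,6 hunk, where 2 is never tested; later in tcp_v4_rcv the same variable presumably receives the receive path's return value, which is outside the hunk. Named values would make the intent readable, e.g. `enum { BH_NO_SOCKET = 1, BH_TIME_WAIT = 2 };`, or better a dedicated local such as `int blackhole_reason = 0;` so a reader does not have to discover that `ret` carries a different meaning on the no_tcp_socket path. If the TIME_WAIT path does reach no_tcp_socket, a one-line comment at `ret = 2;` noting that it is never answered with a reset even on loopback (the observable difference from `ret = 1`) would also help. tcp_v4_rcv starts and ends outside this hunk.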
72737 @@ -1727,6 +1740,10 @@ no_tcp_socket:
72738  bad_packet:
72739                 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
72740         } else {
72741 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72742 +               if (!grsec_enable_blackhole || (ret == 1 &&
72743 +                   (skb->dev->flags & IFF_LOOPBACK)))
72744 +#endif
72745                 tcp_v4_send_reset(NULL, skb);
72746         }
72747  
72748 @@ -2391,7 +2408,11 @@ static void get_openreq4(struct sock *sk
72749                 0,  /* non standard timer */
72750                 0, /* open_requests have no inode */
72751                 atomic_read(&sk->sk_refcnt),
72752 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72753 +               NULL,
72754 +#else
72755                 req,
72756 +#endif
72757                 len);
72758  }
72759  
72760 @@ -2441,7 +2462,12 @@ static void get_tcp4_sock(struct sock *s
72761                 sock_i_uid(sk),
72762                 icsk->icsk_probes_out,
72763                 sock_i_ino(sk),
72764 -               atomic_read(&sk->sk_refcnt), sk,
72765 +               atomic_read(&sk->sk_refcnt),
72766 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72767 +               NULL,
72768 +#else
72769 +               sk,
72770 +#endif
72771                 jiffies_to_clock_t(icsk->icsk_rto),
72772                 jiffies_to_clock_t(icsk->icsk_ack.ato),
72773                 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
72774 @@ -2469,7 +2495,13 @@ static void get_timewait4_sock(struct in
72775                 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
72776                 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
72777                 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
72778 -               atomic_read(&tw->tw_refcnt), tw, len);
72779 +               atomic_read(&tw->tw_refcnt),
72780 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72781 +               NULL,
72782 +#else
72783 +               tw,
72784 +#endif
72785 +               len);
72786  }
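Review bot: The format string two lines above the change already prints the socket pointer with `%pK`, which the kernel's printf masks according to kptr_restrict, so the `#ifdef CONFIG_GRKERNSEC_HIDESYM` substitution of `NULL` is a second, unconditional mechanism layered on the first and a reader will wonder whether the two are meant to interact. A one-line comment at the `#ifdef`, such as `/* HIDESYM: hide unconditionally, independent of kptr_restrict */`, would record the intent. The same substitution is made in the @@ -2391,7 and @@ -2441,7 hunks above and in raw.c (@@ -984,7) and udp.c (@@ -2098,8), whose format strings lie outside their hunks.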
72787  
72788  #define TMPSZ 150
72789 diff -urNp linux-3.0.9/net/ipv4/tcp_minisocks.c linux-3.0.9/net/ipv4/tcp_minisocks.c
72790 --- linux-3.0.9/net/ipv4/tcp_minisocks.c        2011-11-11 13:12:24.000000000 -0500
72791 +++ linux-3.0.9/net/ipv4/tcp_minisocks.c        2011-11-15 20:03:00.000000000 -0500
72792 @@ -27,6 +27,10 @@
72793  #include <net/inet_common.h>
72794  #include <net/xfrm.h>
72795  
72796 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72797 +extern int grsec_enable_blackhole;
72798 +#endif
72799 +
72800  int sysctl_tcp_syncookies __read_mostly = 1;
72801  EXPORT_SYMBOL(sysctl_tcp_syncookies);
72802  
72803 @@ -745,6 +749,10 @@ listen_overflow:
72804  
72805  embryonic_reset:
72806         NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
72807 +
72808 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72809 +       if (!grsec_enable_blackhole)
72810 +#endif
72811         if (!(flg & TCP_FLAG_RST))
72812                 req->rsk_ops->send_reset(sk, skb);
72813  
72814 diff -urNp linux-3.0.9/net/ipv4/tcp_output.c linux-3.0.9/net/ipv4/tcp_output.c
72815 --- linux-3.0.9/net/ipv4/tcp_output.c   2011-11-11 13:12:24.000000000 -0500
72816 +++ linux-3.0.9/net/ipv4/tcp_output.c   2011-11-15 20:03:00.000000000 -0500
72817 @@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
72818         int mss;
72819         int s_data_desired = 0;
72820  
72821 +       pax_track_stack();
72822 +
72823         if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
72824                 s_data_desired = cvp->s_data_desired;
72825         skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
72826 diff -urNp linux-3.0.9/net/ipv4/tcp_probe.c linux-3.0.9/net/ipv4/tcp_probe.c
72827 --- linux-3.0.9/net/ipv4/tcp_probe.c    2011-11-11 13:12:24.000000000 -0500
72828 +++ linux-3.0.9/net/ipv4/tcp_probe.c    2011-11-15 20:03:00.000000000 -0500
72829 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
72830                 if (cnt + width >= len)
72831                         break;
72832  
72833 -               if (copy_to_user(buf + cnt, tbuf, width))
72834 +               if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
72835                         return -EFAULT;
72836                 cnt += width;
72837         }
72838 diff -urNp linux-3.0.9/net/ipv4/tcp_timer.c linux-3.0.9/net/ipv4/tcp_timer.c
72839 --- linux-3.0.9/net/ipv4/tcp_timer.c    2011-11-11 13:12:24.000000000 -0500
72840 +++ linux-3.0.9/net/ipv4/tcp_timer.c    2011-11-15 20:03:00.000000000 -0500
72841 @@ -22,6 +22,10 @@
72842  #include <linux/gfp.h>
72843  #include <net/tcp.h>
72844  
72845 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72846 +extern int grsec_lastack_retries;
72847 +#endif
72848 +
72849  int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
72850  int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
72851  int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
72852 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
72853                 }
72854         }
72855  
72856 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72857 +       if ((sk->sk_state == TCP_LAST_ACK) &&
72858 +           (grsec_lastack_retries > 0) &&
72859 +           (grsec_lastack_retries < retry_until))
72860 +               retry_until = grsec_lastack_retries;
72861 +#endif
72862 +
72863         if (retransmits_timed_out(sk, retry_until,
72864                                   syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
72865                 /* Has it gone just too far? */
72866 diff -urNp linux-3.0.9/net/ipv4/udp.c linux-3.0.9/net/ipv4/udp.c
72867 --- linux-3.0.9/net/ipv4/udp.c  2011-11-11 13:12:24.000000000 -0500
72868 +++ linux-3.0.9/net/ipv4/udp.c  2011-11-15 20:03:00.000000000 -0500
72869 @@ -86,6 +86,7 @@
72870  #include <linux/types.h>
72871  #include <linux/fcntl.h>
72872  #include <linux/module.h>
72873 +#include <linux/security.h>
72874  #include <linux/socket.h>
72875  #include <linux/sockios.h>
72876  #include <linux/igmp.h>
72877 @@ -107,6 +108,10 @@
72878  #include <net/xfrm.h>
72879  #include "udp_impl.h"
72880  
72881 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72882 +extern int grsec_enable_blackhole;
72883 +#endif
72884 +
72885  struct udp_table udp_table __read_mostly;
72886  EXPORT_SYMBOL(udp_table);
72887  
72888 @@ -564,6 +569,9 @@ found:
72889         return s;
72890  }
72891  
72892 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
72893 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
72894 +
72895  /*
72896   * This routine is called by the ICMP module when it gets some
72897   * sort of error condition.  If err < 0 then the socket should
72898 @@ -855,9 +863,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
72899                 dport = usin->sin_port;
72900                 if (dport == 0)
72901                         return -EINVAL;
72902 +
72903 +               err = gr_search_udp_sendmsg(sk, usin);
72904 +               if (err)
72905 +                       return err;
72906         } else {
72907                 if (sk->sk_state != TCP_ESTABLISHED)
72908                         return -EDESTADDRREQ;
72909 +
72910 +               err = gr_search_udp_sendmsg(sk, NULL);
72911 +               if (err)
72912 +                       return err;
72913 +
72914                 daddr = inet->inet_daddr;
72915                 dport = inet->inet_dport;
72916                 /* Open fast path for connected socket.
72917 @@ -1098,7 +1115,7 @@ static unsigned int first_packet_length(
72918                 udp_lib_checksum_complete(skb)) {
72919                 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72920                                  IS_UDPLITE(sk));
72921 -               atomic_inc(&sk->sk_drops);
72922 +               atomic_inc_unchecked(&sk->sk_drops);
72923                 __skb_unlink(skb, rcvq);
72924                 __skb_queue_tail(&list_kill, skb);
72925         }
72926 @@ -1184,6 +1201,10 @@ try_again:
72927         if (!skb)
72928                 goto out;
72929  
72930 +       err = gr_search_udp_recvmsg(sk, skb);
72931 +       if (err)
72932 +               goto out_free;
72933 +
72934         ulen = skb->len - sizeof(struct udphdr);
72935         if (len > ulen)
72936                 len = ulen;
72937 @@ -1483,7 +1504,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
72938  
72939  drop:
72940         UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
72941 -       atomic_inc(&sk->sk_drops);
72942 +       atomic_inc_unchecked(&sk->sk_drops);
72943         kfree_skb(skb);
72944         return -1;
72945  }
72946 @@ -1502,7 +1523,7 @@ static void flush_stack(struct sock **st
72947                         skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
72948  
72949                 if (!skb1) {
72950 -                       atomic_inc(&sk->sk_drops);
72951 +                       atomic_inc_unchecked(&sk->sk_drops);
72952                         UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
72953                                          IS_UDPLITE(sk));
72954                         UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72955 @@ -1671,6 +1692,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, 
72956                 goto csum_error;
72957  
72958         UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
72959 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72960 +       if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
72961 +#endif
72962         icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
72963  
72964         /*
72965 @@ -2098,8 +2122,13 @@ static void udp4_format_sock(struct sock
72966                 sk_wmem_alloc_get(sp),
72967                 sk_rmem_alloc_get(sp),
72968                 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72969 -               atomic_read(&sp->sk_refcnt), sp,
72970 -               atomic_read(&sp->sk_drops), len);
72971 +               atomic_read(&sp->sk_refcnt),
72972 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72973 +               NULL,
72974 +#else
72975 +               sp,
72976 +#endif
72977 +               atomic_read_unchecked(&sp->sk_drops), len);
72978  }
72979  
72980  int udp4_seq_show(struct seq_file *seq, void *v)
72981 diff -urNp linux-3.0.9/net/ipv6/addrconf.c linux-3.0.9/net/ipv6/addrconf.c
72982 --- linux-3.0.9/net/ipv6/addrconf.c     2011-11-11 13:12:24.000000000 -0500
72983 +++ linux-3.0.9/net/ipv6/addrconf.c     2011-11-15 20:03:00.000000000 -0500
72984 @@ -2072,7 +2072,7 @@ int addrconf_set_dstaddr(struct net *net
72985                 p.iph.ihl = 5;
72986                 p.iph.protocol = IPPROTO_IPV6;
72987                 p.iph.ttl = 64;
72988 -               ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
72989 +               ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
72990  
72991                 if (ops->ndo_do_ioctl) {
72992                         mm_segment_t oldfs = get_fs();
72993 diff -urNp linux-3.0.9/net/ipv6/inet6_connection_sock.c linux-3.0.9/net/ipv6/inet6_connection_sock.c
72994 --- linux-3.0.9/net/ipv6/inet6_connection_sock.c        2011-11-11 13:12:24.000000000 -0500
72995 +++ linux-3.0.9/net/ipv6/inet6_connection_sock.c        2011-11-15 20:03:00.000000000 -0500
72996 @@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
72997  #ifdef CONFIG_XFRM
72998         {
72999                 struct rt6_info *rt = (struct rt6_info  *)dst;
73000 -               rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
73001 +               rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
73002         }
73003  #endif
73004  }
73005 @@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
73006  #ifdef CONFIG_XFRM
73007         if (dst) {
73008                 struct rt6_info *rt = (struct rt6_info *)dst;
73009 -               if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
73010 +               if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
73011                         __sk_dst_reset(sk);
73012                         dst = NULL;
73013                 }
73014 diff -urNp linux-3.0.9/net/ipv6/ipv6_sockglue.c linux-3.0.9/net/ipv6/ipv6_sockglue.c
73015 --- linux-3.0.9/net/ipv6/ipv6_sockglue.c        2011-11-11 13:12:24.000000000 -0500
73016 +++ linux-3.0.9/net/ipv6/ipv6_sockglue.c        2011-11-15 20:03:00.000000000 -0500
73017 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
73018         int val, valbool;
73019         int retv = -ENOPROTOOPT;
73020  
73021 +       pax_track_stack();
73022 +
73023         if (optval == NULL)
73024                 val=0;
73025         else {
73026 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
73027         int len;
73028         int val;
73029  
73030 +       pax_track_stack();
73031 +
73032         if (ip6_mroute_opt(optname))
73033                 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
73034  
73035 @@ -960,7 +964,7 @@ static int do_ipv6_getsockopt(struct soc
73036                 if (sk->sk_type != SOCK_STREAM)
73037                         return -ENOPROTOOPT;
73038  
73039 -               msg.msg_control = optval;
73040 +               msg.msg_control = (void __force_kernel *)optval;
73041                 msg.msg_controllen = len;
73042                 msg.msg_flags = flags;
73043  
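Review bot: The `__force_kernel` cast on the `msg.msg_control = optval` line only silences the address-space checker; optval is still a `char __user *`, and msg_control is consumed further down in do_ipv6_getsockopt (outside this hunk) by code that copies control messages back to userspace, so the cast must not be read as a real kernel-pointer conversion. A one-line comment would stop the next reader from "fixing" it into a kernel buffer: `/* optval stays __user: msg_control is only handed to the cmsg code, which copies to userspace; cast is for sparse only */`. The enclosing function starts and ends outside the hunk.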
73044 diff -urNp linux-3.0.9/net/ipv6/raw.c linux-3.0.9/net/ipv6/raw.c
73045 --- linux-3.0.9/net/ipv6/raw.c  2011-11-11 13:12:24.000000000 -0500
73046 +++ linux-3.0.9/net/ipv6/raw.c  2011-11-15 20:03:00.000000000 -0500
73047 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
73048  {
73049         if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
73050             skb_checksum_complete(skb)) {
73051 -               atomic_inc(&sk->sk_drops);
73052 +               atomic_inc_unchecked(&sk->sk_drops);
73053                 kfree_skb(skb);
73054                 return NET_RX_DROP;
73055         }
73056 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
73057         struct raw6_sock *rp = raw6_sk(sk);
73058  
73059         if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
73060 -               atomic_inc(&sk->sk_drops);
73061 +               atomic_inc_unchecked(&sk->sk_drops);
73062                 kfree_skb(skb);
73063                 return NET_RX_DROP;
73064         }
73065 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
73066  
73067         if (inet->hdrincl) {
73068                 if (skb_checksum_complete(skb)) {
73069 -                       atomic_inc(&sk->sk_drops);
73070 +                       atomic_inc_unchecked(&sk->sk_drops);
73071                         kfree_skb(skb);
73072                         return NET_RX_DROP;
73073                 }
73074 @@ -601,7 +601,7 @@ out:
73075         return err;
73076  }
73077  
73078 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
73079 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
73080                         struct flowi6 *fl6, struct dst_entry **dstp,
73081                         unsigned int flags)
73082  {
73083 @@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
73084         u16 proto;
73085         int err;
73086  
73087 +       pax_track_stack();
73088 +
73089         /* Rough check on arithmetic overflow,
73090            better check is made in ip6_append_data().
73091          */
73092 @@ -909,12 +911,15 @@ do_confirm:
73093  static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
73094                                char __user *optval, int optlen)
73095  {
73096 +       struct icmp6_filter filter;
73097 +
73098         switch (optname) {
73099         case ICMPV6_FILTER:
73100                 if (optlen > sizeof(struct icmp6_filter))
73101                         optlen = sizeof(struct icmp6_filter);
73102 -               if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
73103 +               if (copy_from_user(&filter, optval, optlen))
73104                         return -EFAULT;
73105 +               raw6_sk(sk)->filter = filter;
73106                 return 0;
73107         default:
73108                 return -ENOPROTOOPT;
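Review bot: When optlen is smaller than sizeof(struct icmp6_filter), the stack temporary `filter` is only partially written by copy_from_user, yet the whole struct is then assigned to raw6_sk(sk)->filter, so the tail of the socket's filter is replaced with uninitialised stack bytes; the original in-place copy left those bytes untouched, and the stale stack contents can be read back through rawv6_geticmpfilter. Initialise the temporary from the current filter so a short setsockopt keeps the old semantics: `struct icmp6_filter filter = raw6_sk(sk)->filter;` (or memset it to zero if a short write is meant to clear the remainder, in which case say so in a comment). Only the declaration line needs to change.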
73109 @@ -927,6 +932,7 @@ static int rawv6_geticmpfilter(struct so
73110                                char __user *optval, int __user *optlen)
73111  {
73112         int len;
73113 +       struct icmp6_filter filter;
73114  
73115         switch (optname) {
73116         case ICMPV6_FILTER:
73117 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
73118                         len = sizeof(struct icmp6_filter);
73119                 if (put_user(len, optlen))
73120                         return -EFAULT;
73121 -               if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
73122 +               filter = raw6_sk(sk)->filter;
73123 +               if (len > sizeof filter || copy_to_user(optval, &filter, len))
73124                         return -EFAULT;
73125                 return 0;
73126         default:
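Review bot: The added `len > sizeof filter` test on the copy_to_user line is dead as written: the two lines above already clamp len to sizeof(struct icmp6_filter), and a negative len is presumably rejected earlier in the function (outside the hunk). If the test is there so the copy length is a provable constant bound for the usercopy checks, a comment should say so, otherwise a reader will hunt for the path that reaches it: `/* len is clamped above; the explicit bound keeps the copy size statically checkable */`. If it could ever fire it would be a kernel-side size error, for which -EINVAL, not -EFAULT, is the conventional return.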
73127 @@ -1252,7 +1259,13 @@ static void raw6_sock_seq_show(struct se
73128                    0, 0L, 0,
73129                    sock_i_uid(sp), 0,
73130                    sock_i_ino(sp),
73131 -                  atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
73132 +                  atomic_read(&sp->sk_refcnt),
73133 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73134 +                  NULL,
73135 +#else
73136 +                  sp,
73137 +#endif
73138 +                  atomic_read_unchecked(&sp->sk_drops));
73139  }
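Review bot: Substituting NULL for `sp` under CONFIG_GRKERNSEC_HIDESYM changes the text of that /proc/net/raw6 column, not just its value: with a plain `%p` conversion the kernel prints "(null)" for a NULL argument instead of a hex field, which breaks consumers that parse the line as fixed hex columns (the format string is not visible in this hunk, so this is inferred). The kernel already provides `%pK` plus kptr_restrict for exactly this purpose and zeroes the printed value in place, so if the format uses `%pK` the #ifdef is redundant, and if it uses `%p` switching that conversion to `%pK` is the more compatible fix than an #ifdef at every seq_show call site. At minimum add `/* HIDESYM: socket address replaced by NULL; output format differs from %pK */` so the format difference is documented. raw6_sock_seq_show starts outside the hunk.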
73140  
73141  static int raw6_seq_show(struct seq_file *seq, void *v)
73142 diff -urNp linux-3.0.9/net/ipv6/tcp_ipv6.c linux-3.0.9/net/ipv6/tcp_ipv6.c
73143 --- linux-3.0.9/net/ipv6/tcp_ipv6.c     2011-11-11 13:12:24.000000000 -0500
73144 +++ linux-3.0.9/net/ipv6/tcp_ipv6.c     2011-11-15 20:03:00.000000000 -0500
73145 @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
73146  }
73147  #endif
73148  
73149 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73150 +extern int grsec_enable_blackhole;
73151 +#endif
73152 +
73153  static void tcp_v6_hash(struct sock *sk)
73154  {
73155         if (sk->sk_state != TCP_CLOSE) {
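Review bot: `extern int grsec_enable_blackhole;` is declared ad hoc inside a .c file, and the same declaration is repeated in net/ipv6/udp.c later in this patch, so nothing checks that the declarations agree with the definition's type or with each other. Move the declaration into the header that exposes the rest of the grsecurity blackhole interface and include that under CONFIG_GRKERNSEC_BLACKHOLE, so the one declaration is type-checked against the definition; checkpatch flags externs in .c files for precisely this reason. The same change removes the duplicate in udp.c.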
73156 @@ -1667,6 +1671,9 @@ static int tcp_v6_do_rcv(struct sock *sk
73157         return 0;
73158  
73159  reset:
73160 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73161 +       if (!grsec_enable_blackhole)
73162 +#endif
73163         tcp_v6_send_reset(sk, skb);
73164  discard:
73165         if (opt_skb)
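Review bot: On this reset path the RST is suppressed whenever blackhole is enabled with no loopback exemption, whereas the no_tcp_socket path in a later hunk of this file keeps sending the reset when the segment arrived on a loopback interface. If the asymmetry is intended (this is a bad segment on an existing socket, so the local peer already knows the port exists) record it: `/* blackhole: no RST even on loopback -- unlike no_tcp_socket, the peer has a socket here */`; otherwise mirror the other test with `if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))`. Either way the unbraced call under a conditionally compiled `if` deserves braces inside the #ifdef so a later statement after tcp_v6_send_reset() does not silently become conditional. tcp_v6_do_rcv starts outside the hunk.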
73166 @@ -1746,12 +1753,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
73167         TCP_SKB_CB(skb)->sacked = 0;
73168  
73169         sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
73170 -       if (!sk)
73171 +       if (!sk) {
73172 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73173 +               ret = 1;
73174 +#endif
73175                 goto no_tcp_socket;
73176 +       }
73177  
73178  process:
73179 -       if (sk->sk_state == TCP_TIME_WAIT)
73180 +       if (sk->sk_state == TCP_TIME_WAIT) {
73181 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73182 +               ret = 2;
73183 +#endif
73184                 goto do_time_wait;
73185 +       }
73186  
73187         if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
73188                 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
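Review bot: `ret = 1` and `ret = 2` overload the function's return variable with an unexplained code that only the no_tcp_socket label interprets (1 appears to mean "no socket", 2 "TIME_WAIT", judging by the later hunk), and nothing tells a reader these are not return values. A dedicated variable with named values would be clearer; failing that, comment each assignment at the point it is set: `ret = 1; /* blackhole: no socket, no_tcp_socket may still RST on loopback */` and `ret = 2; /* blackhole: TIME_WAIT, never RST */`. The declaration of ret and its other assignments are outside the hunk, so the initial value on the paths that reach no_tcp_socket should be re-checked there.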
73189 @@ -1799,6 +1814,10 @@ no_tcp_socket:
73190  bad_packet:
73191                 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
73192         } else {
73193 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73194 +               if (!grsec_enable_blackhole || (ret == 1 &&
73195 +                   (skb->dev->flags & IFF_LOOPBACK)))
73196 +#endif
73197                 tcp_v6_send_reset(NULL, skb);
73198         }
73199  
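Review bot: The loopback exemption applies only to `ret == 1`, so a segment that reached no_tcp_socket from the TIME_WAIT path with `ret == 2` gets no RST even on loopback, while an unknown-port segment does; the meaning of 2 is assigned in an earlier hunk far from this test, so the intent needs stating here: `/* ret == 2: came from TIME_WAIT; never RST, not even locally */`. The unbraced `tcp_v6_send_reset(NULL, skb);` under a conditionally compiled `if` should also be braced within the #ifdef. The `skb->dev->flags` dereference assumes skb->dev is set, which holds for the receive path as far as can be seen here.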
73200 @@ -2059,7 +2078,13 @@ static void get_openreq6(struct seq_file
73201                    uid,
73202                    0,  /* non standard timer */
73203                    0, /* open_requests have no inode */
73204 -                  0, req);
73205 +                  0,
73206 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73207 +                  NULL
73208 +#else
73209 +                  req
73210 +#endif
73211 +                  );
73212  }
73213  
73214  static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
73215 @@ -2109,7 +2134,12 @@ static void get_tcp6_sock(struct seq_fil
73216                    sock_i_uid(sp),
73217                    icsk->icsk_probes_out,
73218                    sock_i_ino(sp),
73219 -                  atomic_read(&sp->sk_refcnt), sp,
73220 +                  atomic_read(&sp->sk_refcnt),
73221 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73222 +                  NULL,
73223 +#else
73224 +                  sp,
73225 +#endif
73226                    jiffies_to_clock_t(icsk->icsk_rto),
73227                    jiffies_to_clock_t(icsk->icsk_ack.ato),
73228                    (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
73229 @@ -2144,7 +2174,13 @@ static void get_timewait6_sock(struct se
73230                    dest->s6_addr32[2], dest->s6_addr32[3], destp,
73231                    tw->tw_substate, 0, 0,
73232                    3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
73233 -                  atomic_read(&tw->tw_refcnt), tw);
73234 +                  atomic_read(&tw->tw_refcnt),
73235 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73236 +                  NULL
73237 +#else
73238 +                  tw
73239 +#endif
73240 +                  );
73241  }
73242  
73243  static int tcp6_seq_show(struct seq_file *seq, void *v)
73244 diff -urNp linux-3.0.9/net/ipv6/udp.c linux-3.0.9/net/ipv6/udp.c
73245 --- linux-3.0.9/net/ipv6/udp.c  2011-11-11 13:12:24.000000000 -0500
73246 +++ linux-3.0.9/net/ipv6/udp.c  2011-11-15 20:03:00.000000000 -0500
73247 @@ -50,6 +50,10 @@
73248  #include <linux/seq_file.h>
73249  #include "udp_impl.h"
73250  
73251 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73252 +extern int grsec_enable_blackhole;
73253 +#endif
73254 +
73255  int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
73256  {
73257         const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
73258 @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
73259  
73260         return 0;
73261  drop:
73262 -       atomic_inc(&sk->sk_drops);
73263 +       atomic_inc_unchecked(&sk->sk_drops);
73264  drop_no_sk_drops_inc:
73265         UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
73266         kfree_skb(skb);
73267 @@ -624,7 +628,7 @@ static void flush_stack(struct sock **st
73268                         continue;
73269                 }
73270  drop:
73271 -               atomic_inc(&sk->sk_drops);
73272 +               atomic_inc_unchecked(&sk->sk_drops);
73273                 UDP6_INC_STATS_BH(sock_net(sk),
73274                                 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
73275                 UDP6_INC_STATS_BH(sock_net(sk),
73276 @@ -779,6 +783,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, 
73277                 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
73278                                 proto == IPPROTO_UDPLITE);
73279  
73280 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73281 +               if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
73282 +#endif
73283                 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
73284  
73285                 kfree_skb(skb);
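Review bot: The conditionally compiled `if` governs only the icmpv6_send() line because it has no braces, and the kfree_skb() two lines below must stay unconditional; a future edit that inserts a statement between them would silently move it under the blackhole condition, and braces cannot be added without splitting them across the #ifdef. Factoring the test into a small helper next to the extern at the top of the file keeps the call site a plain two-line `if` with no preprocessor inside it; the enclosing `if (sk == NULL)` block starts outside the hunk.
```c
static inline bool udp6_blackhole_unreach(const struct sk_buff *skb)
{
#ifdef CONFIG_GRKERNSEC_BLACKHOLE
	/* stay silent on unknown ports unless the packet came in on loopback */
	return grsec_enable_blackhole && !(skb->dev->flags & IFF_LOOPBACK);
#else
	return false;
#endif
}

		/* … unchanged: UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, ...) … */
		if (!udp6_blackhole_unreach(skb))
			icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);

		kfree_skb(skb);
```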
73286 @@ -795,7 +802,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, 
73287         if (!sock_owned_by_user(sk))
73288                 udpv6_queue_rcv_skb(sk, skb);
73289         else if (sk_add_backlog(sk, skb)) {
73290 -               atomic_inc(&sk->sk_drops);
73291 +               atomic_inc_unchecked(&sk->sk_drops);
73292                 bh_unlock_sock(sk);
73293                 sock_put(sk);
73294                 goto discard;
73295 @@ -1408,8 +1415,13 @@ static void udp6_sock_seq_show(struct se
73296                    0, 0L, 0,
73297                    sock_i_uid(sp), 0,
73298                    sock_i_ino(sp),
73299 -                  atomic_read(&sp->sk_refcnt), sp,
73300 -                  atomic_read(&sp->sk_drops));
73301 +                  atomic_read(&sp->sk_refcnt),
73302 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73303 +                  NULL,
73304 +#else
73305 +                  sp,
73306 +#endif
73307 +                  atomic_read_unchecked(&sp->sk_drops));
73308  }
73309  
73310  int udp6_seq_show(struct seq_file *seq, void *v)
73311 diff -urNp linux-3.0.9/net/irda/ircomm/ircomm_tty.c linux-3.0.9/net/irda/ircomm/ircomm_tty.c
73312 --- linux-3.0.9/net/irda/ircomm/ircomm_tty.c    2011-11-11 13:12:24.000000000 -0500
73313 +++ linux-3.0.9/net/irda/ircomm/ircomm_tty.c    2011-11-15 20:03:00.000000000 -0500
73314 @@ -282,16 +282,16 @@ static int ircomm_tty_block_til_ready(st
73315         add_wait_queue(&self->open_wait, &wait);
73316  
73317         IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
73318 -             __FILE__,__LINE__, tty->driver->name, self->open_count );
73319 +             __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
73320  
73321         /* As far as I can see, we protect open_count - Jean II */
73322         spin_lock_irqsave(&self->spinlock, flags);
73323         if (!tty_hung_up_p(filp)) {
73324                 extra_count = 1;
73325 -               self->open_count--;
73326 +               local_dec(&self->open_count);
73327         }
73328         spin_unlock_irqrestore(&self->spinlock, flags);
73329 -       self->blocked_open++;
73330 +       local_inc(&self->blocked_open);
73331  
73332         while (1) {
73333                 if (tty->termios->c_cflag & CBAUD) {
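Review bot: `local_read()` returns a long, but the IRDA_DEBUG format strings in this hunk (and the later ones in this file) still print it with `%d`, which is a format/argument mismatch that -Wformat reports and that is undefined behaviour even where it happens to print correctly. Either change the conversion, `"open_count=%ld\n"`, or cast at the call: `(int)local_read(&self->open_count)`. Since `local_t` is documented for per-CPU data and open_count is still guarded by self->spinlock here, a comment on the field (in the header, outside this hunk) should state that local_t is used only for wrap-safe arithmetic, not as a replacement for the lock. ircomm_tty_block_til_ready starts outside the hunk.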
73334 @@ -331,7 +331,7 @@ static int ircomm_tty_block_til_ready(st
73335                 }
73336  
73337                 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
73338 -                     __FILE__,__LINE__, tty->driver->name, self->open_count );
73339 +                     __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
73340  
73341                 schedule();
73342         }
73343 @@ -342,13 +342,13 @@ static int ircomm_tty_block_til_ready(st
73344         if (extra_count) {
73345                 /* ++ is not atomic, so this should be protected - Jean II */
73346                 spin_lock_irqsave(&self->spinlock, flags);
73347 -               self->open_count++;
73348 +               local_inc(&self->open_count);
73349                 spin_unlock_irqrestore(&self->spinlock, flags);
73350         }
73351 -       self->blocked_open--;
73352 +       local_dec(&self->blocked_open);
73353  
73354         IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
73355 -             __FILE__,__LINE__, tty->driver->name, self->open_count);
73356 +             __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
73357  
73358         if (!retval)
73359                 self->flags |= ASYNC_NORMAL_ACTIVE;
73360 @@ -417,14 +417,14 @@ static int ircomm_tty_open(struct tty_st
73361         }
73362         /* ++ is not atomic, so this should be protected - Jean II */
73363         spin_lock_irqsave(&self->spinlock, flags);
73364 -       self->open_count++;
73365 +       local_inc(&self->open_count);
73366  
73367         tty->driver_data = self;
73368         self->tty = tty;
73369         spin_unlock_irqrestore(&self->spinlock, flags);
73370  
73371         IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
73372 -                  self->line, self->open_count);
73373 +                  self->line, local_read(&self->open_count));
73374  
73375         /* Not really used by us, but lets do it anyway */
73376         self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
73377 @@ -510,7 +510,7 @@ static void ircomm_tty_close(struct tty_
73378                 return;
73379         }
73380  
73381 -       if ((tty->count == 1) && (self->open_count != 1)) {
73382 +       if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
73383                 /*
73384                  * Uh, oh.  tty->count is 1, which means that the tty
73385                  * structure will be freed.  state->count should always
73386 @@ -520,16 +520,16 @@ static void ircomm_tty_close(struct tty_
73387                  */
73388                 IRDA_DEBUG(0, "%s(), bad serial port count; "
73389                            "tty->count is 1, state->count is %d\n", __func__ ,
73390 -                          self->open_count);
73391 -               self->open_count = 1;
73392 +                          local_read(&self->open_count));
73393 +               local_set(&self->open_count, 1);
73394         }
73395  
73396 -       if (--self->open_count < 0) {
73397 +       if (local_dec_return(&self->open_count) < 0) {
73398                 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
73399 -                          __func__, self->line, self->open_count);
73400 -               self->open_count = 0;
73401 +                          __func__, self->line, local_read(&self->open_count));
73402 +               local_set(&self->open_count, 0);
73403         }
73404 -       if (self->open_count) {
73405 +       if (local_read(&self->open_count)) {
73406                 spin_unlock_irqrestore(&self->spinlock, flags);
73407  
73408                 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
73409 @@ -561,7 +561,7 @@ static void ircomm_tty_close(struct tty_
73410         tty->closing = 0;
73411         self->tty = NULL;
73412  
73413 -       if (self->blocked_open) {
73414 +       if (local_read(&self->blocked_open)) {
73415                 if (self->close_delay)
73416                         schedule_timeout_interruptible(self->close_delay);
73417                 wake_up_interruptible(&self->open_wait);
73418 @@ -1013,7 +1013,7 @@ static void ircomm_tty_hangup(struct tty
73419         spin_lock_irqsave(&self->spinlock, flags);
73420         self->flags &= ~ASYNC_NORMAL_ACTIVE;
73421         self->tty = NULL;
73422 -       self->open_count = 0;
73423 +       local_set(&self->open_count, 0);
73424         spin_unlock_irqrestore(&self->spinlock, flags);
73425  
73426         wake_up_interruptible(&self->open_wait);
73427 @@ -1360,7 +1360,7 @@ static void ircomm_tty_line_info(struct 
73428         seq_putc(m, '\n');
73429  
73430         seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
73431 -       seq_printf(m, "Open count: %d\n", self->open_count);
73432 +       seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
73433         seq_printf(m, "Max data size: %d\n", self->max_data_size);
73434         seq_printf(m, "Max header size: %d\n", self->max_header_size);
73435  
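Review bot: `seq_printf(m, "Open count: %d\n", local_read(&self->open_count))` passes a long to a `%d` conversion; seq_printf is printf-format-checked, so this warns under -Wformat and is undefined per the C standard regardless of what the calling convention happens to do. Use the matching conversion: `seq_printf(m, "Open count: %ld\n", local_read(&self->open_count));`. The same mismatch recurs in the IRDA_DEBUG calls earlier in this file.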
73436 diff -urNp linux-3.0.9/net/iucv/af_iucv.c linux-3.0.9/net/iucv/af_iucv.c
73437 --- linux-3.0.9/net/iucv/af_iucv.c      2011-11-11 13:12:24.000000000 -0500
73438 +++ linux-3.0.9/net/iucv/af_iucv.c      2011-11-15 20:03:00.000000000 -0500
73439 @@ -648,10 +648,10 @@ static int iucv_sock_autobind(struct soc
73440  
73441         write_lock_bh(&iucv_sk_list.lock);
73442  
73443 -       sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
73444 +       sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
73445         while (__iucv_get_sock_by_name(name)) {
73446                 sprintf(name, "%08x",
73447 -                       atomic_inc_return(&iucv_sk_list.autobind_name));
73448 +                       atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
73449         }
73450  
73451         write_unlock_bh(&iucv_sk_list.lock);
73452 diff -urNp linux-3.0.9/net/key/af_key.c linux-3.0.9/net/key/af_key.c
73453 --- linux-3.0.9/net/key/af_key.c        2011-11-11 13:12:24.000000000 -0500
73454 +++ linux-3.0.9/net/key/af_key.c        2011-11-15 20:03:00.000000000 -0500
73455 @@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
73456         struct xfrm_migrate m[XFRM_MAX_DEPTH];
73457         struct xfrm_kmaddress k;
73458  
73459 +       pax_track_stack();
73460 +
73461         if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
73462                                      ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
73463             !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
73464 @@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
73465  static u32 get_acqseq(void)
73466  {
73467         u32 res;
73468 -       static atomic_t acqseq;
73469 +       static atomic_unchecked_t acqseq;
73470  
73471         do {
73472 -               res = atomic_inc_return(&acqseq);
73473 +               res = atomic_inc_return_unchecked(&acqseq);
73474         } while (!res);
73475         return res;
73476  }
73477 diff -urNp linux-3.0.9/net/lapb/lapb_iface.c linux-3.0.9/net/lapb/lapb_iface.c
73478 --- linux-3.0.9/net/lapb/lapb_iface.c   2011-11-11 13:12:24.000000000 -0500
73479 +++ linux-3.0.9/net/lapb/lapb_iface.c   2011-11-15 20:03:00.000000000 -0500
73480 @@ -158,7 +158,7 @@ int lapb_register(struct net_device *dev
73481                 goto out;
73482  
73483         lapb->dev       = dev;
73484 -       lapb->callbacks = *callbacks;
73485 +       lapb->callbacks = callbacks;
73486  
73487         __lapb_insert_cb(lapb);
73488  
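Review bot: `lapb->callbacks = callbacks;` stores a pointer into the registrant's object instead of copying it, which changes the lifetime contract of lapb_register(): the `struct lapb_register_struct` passed in must now outlive the registration, so any driver that builds it on the stack in its open routine (as the in-tree HDLC X.25 driver did around this kernel version, if memory serves) leaves lapb_cb with a dangling pointer that every later callback in this file dereferences. Either ensure every caller passes a static, ideally `const`, object (no such caller change is visible here) or keep the copy. The parameter should become `const struct lapb_register_struct *callbacks` with a matching const pointer in lapb_cb, and the kernel-doc for lapb_register should state the lifetime requirement. lapb_register starts outside the hunk.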
73489 @@ -380,32 +380,32 @@ int lapb_data_received(struct net_device
73490  
73491  void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
73492  {
73493 -       if (lapb->callbacks.connect_confirmation)
73494 -               lapb->callbacks.connect_confirmation(lapb->dev, reason);
73495 +       if (lapb->callbacks->connect_confirmation)
73496 +               lapb->callbacks->connect_confirmation(lapb->dev, reason);
73497  }
73498  
73499  void lapb_connect_indication(struct lapb_cb *lapb, int reason)
73500  {
73501 -       if (lapb->callbacks.connect_indication)
73502 -               lapb->callbacks.connect_indication(lapb->dev, reason);
73503 +       if (lapb->callbacks->connect_indication)
73504 +               lapb->callbacks->connect_indication(lapb->dev, reason);
73505  }
73506  
73507  void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
73508  {
73509 -       if (lapb->callbacks.disconnect_confirmation)
73510 -               lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
73511 +       if (lapb->callbacks->disconnect_confirmation)
73512 +               lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
73513  }
73514  
73515  void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
73516  {
73517 -       if (lapb->callbacks.disconnect_indication)
73518 -               lapb->callbacks.disconnect_indication(lapb->dev, reason);
73519 +       if (lapb->callbacks->disconnect_indication)
73520 +               lapb->callbacks->disconnect_indication(lapb->dev, reason);
73521  }
73522  
73523  int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
73524  {
73525 -       if (lapb->callbacks.data_indication)
73526 -               return lapb->callbacks.data_indication(lapb->dev, skb);
73527 +       if (lapb->callbacks->data_indication)
73528 +               return lapb->callbacks->data_indication(lapb->dev, skb);
73529  
73530         kfree_skb(skb);
73531         return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
73532 @@ -415,8 +415,8 @@ int lapb_data_transmit(struct lapb_cb *l
73533  {
73534         int used = 0;
73535  
73536 -       if (lapb->callbacks.data_transmit) {
73537 -               lapb->callbacks.data_transmit(lapb->dev, skb);
73538 +       if (lapb->callbacks->data_transmit) {
73539 +               lapb->callbacks->data_transmit(lapb->dev, skb);
73540                 used = 1;
73541         }
73542  
73543 diff -urNp linux-3.0.9/net/mac80211/debugfs_sta.c linux-3.0.9/net/mac80211/debugfs_sta.c
73544 --- linux-3.0.9/net/mac80211/debugfs_sta.c      2011-11-11 13:12:24.000000000 -0500
73545 +++ linux-3.0.9/net/mac80211/debugfs_sta.c      2011-11-15 20:03:00.000000000 -0500
73546 @@ -140,6 +140,8 @@ static ssize_t sta_agg_status_read(struc
73547         struct tid_ampdu_rx *tid_rx;
73548         struct tid_ampdu_tx *tid_tx;
73549  
73550 +       pax_track_stack();
73551 +
73552         rcu_read_lock();
73553  
73554         p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
73555 @@ -240,6 +242,8 @@ static ssize_t sta_ht_capa_read(struct f
73556         struct sta_info *sta = file->private_data;
73557         struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
73558  
73559 +       pax_track_stack();
73560 +
73561         p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
73562                         htc->ht_supported ? "" : "not ");
73563         if (htc->ht_supported) {
73564 diff -urNp linux-3.0.9/net/mac80211/ieee80211_i.h linux-3.0.9/net/mac80211/ieee80211_i.h
73565 --- linux-3.0.9/net/mac80211/ieee80211_i.h      2011-11-11 13:12:24.000000000 -0500
73566 +++ linux-3.0.9/net/mac80211/ieee80211_i.h      2011-11-15 20:03:00.000000000 -0500
73567 @@ -27,6 +27,7 @@
73568  #include <net/ieee80211_radiotap.h>
73569  #include <net/cfg80211.h>
73570  #include <net/mac80211.h>
73571 +#include <asm/local.h>
73572  #include "key.h"
73573  #include "sta_info.h"
73574  
73575 @@ -723,7 +724,7 @@ struct ieee80211_local {
73576         /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
73577         spinlock_t queue_stop_reason_lock;
73578  
73579 -       int open_count;
73580 +       local_t open_count;
73581         int monitors, cooked_mntrs;
73582         /* number of interfaces with corresponding FIF_ flags */
73583         int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
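Review bot: `local_t open_count` deserves a comment, because asm/local.h documents local_t as a type for per-CPU data and a reader will assume the updates in iface.c have become lock-free, whereas the mac80211 hunks below still rely on mac80211's own serialisation (the do_open/do_stop paths appear RTNL-protected, inferred from the rest of the file). Suggest `local_t open_count; /* up interfaces; serialised by mac80211 locking, local_t only for overflow-checked arithmetic */`. Note also that local_read() yields a long, which is fine for the comparisons in the later hunks but matters if the count is ever printed.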
73584 diff -urNp linux-3.0.9/net/mac80211/iface.c linux-3.0.9/net/mac80211/iface.c
73585 --- linux-3.0.9/net/mac80211/iface.c    2011-11-11 13:12:24.000000000 -0500
73586 +++ linux-3.0.9/net/mac80211/iface.c    2011-11-15 20:03:00.000000000 -0500
73587 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
73588                 break;
73589         }
73590  
73591 -       if (local->open_count == 0) {
73592 +       if (local_read(&local->open_count) == 0) {
73593                 res = drv_start(local);
73594                 if (res)
73595                         goto err_del_bss;
73596 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
73597                 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
73598  
73599                 if (!is_valid_ether_addr(dev->dev_addr)) {
73600 -                       if (!local->open_count)
73601 +                       if (!local_read(&local->open_count))
73602                                 drv_stop(local);
73603                         return -EADDRNOTAVAIL;
73604                 }
73605 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
73606         mutex_unlock(&local->mtx);
73607  
73608         if (coming_up)
73609 -               local->open_count++;
73610 +               local_inc(&local->open_count);
73611  
73612         if (hw_reconf_flags) {
73613                 ieee80211_hw_config(local, hw_reconf_flags);
73614 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
73615   err_del_interface:
73616         drv_remove_interface(local, &sdata->vif);
73617   err_stop:
73618 -       if (!local->open_count)
73619 +       if (!local_read(&local->open_count))
73620                 drv_stop(local);
73621   err_del_bss:
73622         sdata->bss = NULL;
73623 @@ -475,7 +475,7 @@ static void ieee80211_do_stop(struct iee
73624         }
73625  
73626         if (going_down)
73627 -               local->open_count--;
73628 +               local_dec(&local->open_count);
73629  
73630         switch (sdata->vif.type) {
73631         case NL80211_IFTYPE_AP_VLAN:
73632 @@ -534,7 +534,7 @@ static void ieee80211_do_stop(struct iee
73633  
73634         ieee80211_recalc_ps(local, -1);
73635  
73636 -       if (local->open_count == 0) {
73637 +       if (local_read(&local->open_count) == 0) {
73638                 if (local->ops->napi_poll)
73639                         napi_disable(&local->napi);
73640                 ieee80211_clear_tx_pending(local);
73641 diff -urNp linux-3.0.9/net/mac80211/main.c linux-3.0.9/net/mac80211/main.c
73642 --- linux-3.0.9/net/mac80211/main.c     2011-11-11 13:12:24.000000000 -0500
73643 +++ linux-3.0.9/net/mac80211/main.c     2011-11-15 20:03:00.000000000 -0500
73644 @@ -209,7 +209,7 @@ int ieee80211_hw_config(struct ieee80211
73645                 local->hw.conf.power_level = power;
73646         }
73647  
73648 -       if (changed && local->open_count) {
73649 +       if (changed && local_read(&local->open_count)) {
73650                 ret = drv_config(local, changed);
73651                 /*
73652                  * Goal:
73653 diff -urNp linux-3.0.9/net/mac80211/mlme.c linux-3.0.9/net/mac80211/mlme.c
73654 --- linux-3.0.9/net/mac80211/mlme.c     2011-11-11 13:12:24.000000000 -0500
73655 +++ linux-3.0.9/net/mac80211/mlme.c     2011-11-15 20:03:00.000000000 -0500
73656 @@ -1447,6 +1447,8 @@ static bool ieee80211_assoc_success(stru
73657         bool have_higher_than_11mbit = false;
73658         u16 ap_ht_cap_flags;
73659  
73660 +       pax_track_stack();
73661 +
73662         /* AssocResp and ReassocResp have identical structure */
73663  
73664         aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
73665 diff -urNp linux-3.0.9/net/mac80211/pm.c linux-3.0.9/net/mac80211/pm.c
73666 --- linux-3.0.9/net/mac80211/pm.c       2011-11-11 13:12:24.000000000 -0500
73667 +++ linux-3.0.9/net/mac80211/pm.c       2011-11-15 20:03:00.000000000 -0500
73668 @@ -47,7 +47,7 @@ int __ieee80211_suspend(struct ieee80211
73669         cancel_work_sync(&local->dynamic_ps_enable_work);
73670         del_timer_sync(&local->dynamic_ps_timer);
73671  
73672 -       local->wowlan = wowlan && local->open_count;
73673 +       local->wowlan = wowlan && local_read(&local->open_count);
73674         if (local->wowlan) {
73675                 int err = drv_suspend(local, wowlan);
73676                 if (err) {
73677 @@ -111,7 +111,7 @@ int __ieee80211_suspend(struct ieee80211
73678         }
73679  
73680         /* stop hardware - this must stop RX */
73681 -       if (local->open_count)
73682 +       if (local_read(&local->open_count))
73683                 ieee80211_stop_device(local);
73684  
73685   suspend:
73686 diff -urNp linux-3.0.9/net/mac80211/rate.c linux-3.0.9/net/mac80211/rate.c
73687 --- linux-3.0.9/net/mac80211/rate.c     2011-11-11 13:12:24.000000000 -0500
73688 +++ linux-3.0.9/net/mac80211/rate.c     2011-11-15 20:03:00.000000000 -0500
73689 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct 
73690  
73691         ASSERT_RTNL();
73692  
73693 -       if (local->open_count)
73694 +       if (local_read(&local->open_count))
73695                 return -EBUSY;
73696  
73697         if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
73698 diff -urNp linux-3.0.9/net/mac80211/rc80211_pid_debugfs.c linux-3.0.9/net/mac80211/rc80211_pid_debugfs.c
73699 --- linux-3.0.9/net/mac80211/rc80211_pid_debugfs.c      2011-11-11 13:12:24.000000000 -0500
73700 +++ linux-3.0.9/net/mac80211/rc80211_pid_debugfs.c      2011-11-15 20:03:00.000000000 -0500
73701 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
73702  
73703         spin_unlock_irqrestore(&events->lock, status);
73704  
73705 -       if (copy_to_user(buf, pb, p))
73706 +       if (p > sizeof(pb) || copy_to_user(buf, pb, p))
73707                 return -EFAULT;
73708  
73709         return p;
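Review bot: `p > sizeof(pb)` reports the violation as -EFAULT, which tells userspace its buffer pointer was bad when the actual condition is a kernel-side one; if p is accumulated from snprintf() return values earlier in the function (outside the hunk), it counts would-be bytes, so exceeding sizeof(pb) means the output was truncated and the check is what prevents copy_to_user() from over-reading the stack buffer. That deserves a comment and a better outcome than -EFAULT: either clamp with `p = min_t(int, p, sizeof(pb));` before the copy, or build pb with scnprintf() so p can never exceed the buffer and the test can become a `WARN_ON_ONCE`. rate_control_pid_events_read starts outside the hunk.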
73710 diff -urNp linux-3.0.9/net/mac80211/util.c linux-3.0.9/net/mac80211/util.c
73711 --- linux-3.0.9/net/mac80211/util.c     2011-11-11 13:12:24.000000000 -0500
73712 +++ linux-3.0.9/net/mac80211/util.c     2011-11-15 20:03:00.000000000 -0500
73713 @@ -1147,7 +1147,7 @@ int ieee80211_reconfig(struct ieee80211_
73714  #endif
73715  
73716         /* restart hardware */
73717 -       if (local->open_count) {
73718 +       if (local_read(&local->open_count)) {
73719                 /*
73720                  * Upon resume hardware can sometimes be goofy due to
73721                  * various platform / driver / bus issues, so restarting
73722 diff -urNp linux-3.0.9/net/netfilter/ipvs/ip_vs_conn.c linux-3.0.9/net/netfilter/ipvs/ip_vs_conn.c
73723 --- linux-3.0.9/net/netfilter/ipvs/ip_vs_conn.c 2011-11-11 13:12:24.000000000 -0500
73724 +++ linux-3.0.9/net/netfilter/ipvs/ip_vs_conn.c 2011-11-15 20:03:00.000000000 -0500
73725 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
73726         /* Increase the refcnt counter of the dest */
73727         atomic_inc(&dest->refcnt);
73728  
73729 -       conn_flags = atomic_read(&dest->conn_flags);
73730 +       conn_flags = atomic_read_unchecked(&dest->conn_flags);
73731         if (cp->protocol != IPPROTO_UDP)
73732                 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
73733         /* Bind with the destination and its corresponding transmitter */
73734 @@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
73735         atomic_set(&cp->refcnt, 1);
73736  
73737         atomic_set(&cp->n_control, 0);
73738 -       atomic_set(&cp->in_pkts, 0);
73739 +       atomic_set_unchecked(&cp->in_pkts, 0);
73740  
73741         atomic_inc(&ipvs->conn_count);
73742         if (flags & IP_VS_CONN_F_NO_CPORT)
73743 @@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip
73744  
73745         /* Don't drop the entry if its number of incoming packets is not
73746            located in [0, 8] */
73747 -       i = atomic_read(&cp->in_pkts);
73748 +       i = atomic_read_unchecked(&cp->in_pkts);
73749         if (i > 8 || i < 0) return 0;
73750  
73751         if (!todrop_rate[i]) return 0;
73752 diff -urNp linux-3.0.9/net/netfilter/ipvs/ip_vs_core.c linux-3.0.9/net/netfilter/ipvs/ip_vs_core.c
73753 --- linux-3.0.9/net/netfilter/ipvs/ip_vs_core.c 2011-11-11 13:12:24.000000000 -0500
73754 +++ linux-3.0.9/net/netfilter/ipvs/ip_vs_core.c 2011-11-15 20:03:00.000000000 -0500
73755 @@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
73756                 ret = cp->packet_xmit(skb, cp, pd->pp);
73757                 /* do not touch skb anymore */
73758  
73759 -               atomic_inc(&cp->in_pkts);
73760 +               atomic_inc_unchecked(&cp->in_pkts);
73761                 ip_vs_conn_put(cp);
73762                 return ret;
73763         }
73764 @@ -1613,7 +1613,7 @@ ip_vs_in(unsigned int hooknum, struct sk
73765         if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
73766                 pkts = sysctl_sync_threshold(ipvs);
73767         else
73768 -               pkts = atomic_add_return(1, &cp->in_pkts);
73769 +               pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73770  
73771         if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
73772             cp->protocol == IPPROTO_SCTP) {
73773 diff -urNp linux-3.0.9/net/netfilter/ipvs/ip_vs_ctl.c linux-3.0.9/net/netfilter/ipvs/ip_vs_ctl.c
73774 --- linux-3.0.9/net/netfilter/ipvs/ip_vs_ctl.c  2011-11-11 13:12:24.000000000 -0500
73775 +++ linux-3.0.9/net/netfilter/ipvs/ip_vs_ctl.c  2011-11-15 20:03:00.000000000 -0500
73776 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
73777                 ip_vs_rs_hash(ipvs, dest);
73778                 write_unlock_bh(&ipvs->rs_lock);
73779         }
73780 -       atomic_set(&dest->conn_flags, conn_flags);
73781 +       atomic_set_unchecked(&dest->conn_flags, conn_flags);
73782  
73783         /* bind the service */
73784         if (!dest->svc) {
73785 @@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
73786                                            "      %-7s %-6d %-10d %-10d\n",
73787                                            &dest->addr.in6,
73788                                            ntohs(dest->port),
73789 -                                          ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73790 +                                          ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73791                                            atomic_read(&dest->weight),
73792                                            atomic_read(&dest->activeconns),
73793                                            atomic_read(&dest->inactconns));
73794 @@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
73795                                            "%-7s %-6d %-10d %-10d\n",
73796                                            ntohl(dest->addr.ip),
73797                                            ntohs(dest->port),
73798 -                                          ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73799 +                                          ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73800                                            atomic_read(&dest->weight),
73801                                            atomic_read(&dest->activeconns),
73802                                            atomic_read(&dest->inactconns));
73803 @@ -2284,6 +2284,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
73804         struct ip_vs_dest_user *udest_compat;
73805         struct ip_vs_dest_user_kern udest;
73806  
73807 +       pax_track_stack();
73808 +
73809         if (!capable(CAP_NET_ADMIN))
73810                 return -EPERM;
73811  
73812 @@ -2498,7 +2500,7 @@ __ip_vs_get_dest_entries(struct net *net
73813  
73814                         entry.addr = dest->addr.ip;
73815                         entry.port = dest->port;
73816 -                       entry.conn_flags = atomic_read(&dest->conn_flags);
73817 +                       entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
73818                         entry.weight = atomic_read(&dest->weight);
73819                         entry.u_threshold = dest->u_threshold;
73820                         entry.l_threshold = dest->l_threshold;
73821 @@ -3026,7 +3028,7 @@ static int ip_vs_genl_fill_dest(struct s
73822         NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
73823  
73824         NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
73825 -                   atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73826 +                   atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73827         NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
73828         NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
73829         NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
73830 diff -urNp linux-3.0.9/net/netfilter/ipvs/ip_vs_sync.c linux-3.0.9/net/netfilter/ipvs/ip_vs_sync.c
73831 --- linux-3.0.9/net/netfilter/ipvs/ip_vs_sync.c 2011-11-11 13:12:24.000000000 -0500
73832 +++ linux-3.0.9/net/netfilter/ipvs/ip_vs_sync.c 2011-11-15 20:03:00.000000000 -0500
73833 @@ -648,7 +648,7 @@ control:
73834          * i.e only increment in_pkts for Templates.
73835          */
73836         if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
73837 -               int pkts = atomic_add_return(1, &cp->in_pkts);
73838 +               int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73839  
73840                 if (pkts % sysctl_sync_period(ipvs) != 1)
73841                         return;
73842 @@ -794,7 +794,7 @@ static void ip_vs_proc_conn(struct net *
73843  
73844         if (opt)
73845                 memcpy(&cp->in_seq, opt, sizeof(*opt));
73846 -       atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73847 +       atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73848         cp->state = state;
73849         cp->old_state = cp->state;
73850         /*
73851 diff -urNp linux-3.0.9/net/netfilter/ipvs/ip_vs_xmit.c linux-3.0.9/net/netfilter/ipvs/ip_vs_xmit.c
73852 --- linux-3.0.9/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-11 13:12:24.000000000 -0500
73853 +++ linux-3.0.9/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-15 20:03:00.000000000 -0500
73854 @@ -1151,7 +1151,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
73855                 else
73856                         rc = NF_ACCEPT;
73857                 /* do not touch skb anymore */
73858 -               atomic_inc(&cp->in_pkts);
73859 +               atomic_inc_unchecked(&cp->in_pkts);
73860                 goto out;
73861         }
73862  
73863 @@ -1272,7 +1272,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, 
73864                 else
73865                         rc = NF_ACCEPT;
73866                 /* do not touch skb anymore */
73867 -               atomic_inc(&cp->in_pkts);
73868 +               atomic_inc_unchecked(&cp->in_pkts);
73869                 goto out;
73870         }
73871  
73872 diff -urNp linux-3.0.9/net/netfilter/Kconfig linux-3.0.9/net/netfilter/Kconfig
73873 --- linux-3.0.9/net/netfilter/Kconfig   2011-11-11 13:12:24.000000000 -0500
73874 +++ linux-3.0.9/net/netfilter/Kconfig   2011-11-15 20:03:00.000000000 -0500
73875 @@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
73876  
73877           To compile it as a module, choose M here.  If unsure, say N.
73878  
73879 +config NETFILTER_XT_MATCH_GRADM
73880 +       tristate '"gradm" match support'
73881 +       depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
73882 +       depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
73883 +       ---help---
73884 +         The gradm match allows to match on grsecurity RBAC being enabled.
73885 +         It is useful when iptables rules are applied early on bootup to
73886 +         prevent connections to the machine (except from a trusted host)
73887 +         while the RBAC system is disabled.
73888 +
73889  config NETFILTER_XT_MATCH_HASHLIMIT
73890         tristate '"hashlimit" match support'
73891         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
73892 diff -urNp linux-3.0.9/net/netfilter/Makefile linux-3.0.9/net/netfilter/Makefile
73893 --- linux-3.0.9/net/netfilter/Makefile  2011-11-11 13:12:24.000000000 -0500
73894 +++ linux-3.0.9/net/netfilter/Makefile  2011-11-15 20:03:00.000000000 -0500
73895 @@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
73896  obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
73897  obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
73898  obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
73899 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
73900  obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
73901  obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
73902  obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
73903 diff -urNp linux-3.0.9/net/netfilter/nfnetlink_log.c linux-3.0.9/net/netfilter/nfnetlink_log.c
73904 --- linux-3.0.9/net/netfilter/nfnetlink_log.c   2011-11-11 13:12:24.000000000 -0500
73905 +++ linux-3.0.9/net/netfilter/nfnetlink_log.c   2011-11-15 20:03:00.000000000 -0500
73906 @@ -70,7 +70,7 @@ struct nfulnl_instance {
73907  };
73908  
73909  static DEFINE_SPINLOCK(instances_lock);
73910 -static atomic_t global_seq;
73911 +static atomic_unchecked_t global_seq;
73912  
73913  #define INSTANCE_BUCKETS       16
73914  static struct hlist_head instance_table[INSTANCE_BUCKETS];
73915 @@ -505,7 +505,7 @@ __build_packet_message(struct nfulnl_ins
73916         /* global sequence number */
73917         if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
73918                 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
73919 -                            htonl(atomic_inc_return(&global_seq)));
73920 +                            htonl(atomic_inc_return_unchecked(&global_seq)));
73921  
73922         if (data_len) {
73923                 struct nlattr *nla;
73924 diff -urNp linux-3.0.9/net/netfilter/nfnetlink_queue.c linux-3.0.9/net/netfilter/nfnetlink_queue.c
73925 --- linux-3.0.9/net/netfilter/nfnetlink_queue.c 2011-11-11 13:12:24.000000000 -0500
73926 +++ linux-3.0.9/net/netfilter/nfnetlink_queue.c 2011-11-15 20:03:00.000000000 -0500
73927 @@ -58,7 +58,7 @@ struct nfqnl_instance {
73928   */
73929         spinlock_t      lock;
73930         unsigned int    queue_total;
73931 -       atomic_t        id_sequence;            /* 'sequence' of pkt ids */
73932 +       atomic_unchecked_t      id_sequence;    /* 'sequence' of pkt ids */
73933         struct list_head queue_list;            /* packets in queue */
73934  };
73935  
73936 @@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
73937         nfmsg->version = NFNETLINK_V0;
73938         nfmsg->res_id = htons(queue->queue_num);
73939  
73940 -       entry->id = atomic_inc_return(&queue->id_sequence);
73941 +       entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
73942         pmsg.packet_id          = htonl(entry->id);
73943         pmsg.hw_protocol        = entskb->protocol;
73944         pmsg.hook               = entry->hook;
73945 @@ -870,7 +870,7 @@ static int seq_show(struct seq_file *s, 
73946                           inst->peer_pid, inst->queue_total,
73947                           inst->copy_mode, inst->copy_range,
73948                           inst->queue_dropped, inst->queue_user_dropped,
73949 -                         atomic_read(&inst->id_sequence), 1);
73950 +                         atomic_read_unchecked(&inst->id_sequence), 1);
73951  }
73952  
73953  static const struct seq_operations nfqnl_seq_ops = {
73954 diff -urNp linux-3.0.9/net/netfilter/xt_gradm.c linux-3.0.9/net/netfilter/xt_gradm.c
73955 --- linux-3.0.9/net/netfilter/xt_gradm.c        1969-12-31 19:00:00.000000000 -0500
73956 +++ linux-3.0.9/net/netfilter/xt_gradm.c        2011-11-15 20:03:00.000000000 -0500
73957 @@ -0,0 +1,51 @@
73958 +/*
73959 + *     gradm match for netfilter
73960 + *     Copyright Â© Zbigniew Krzystolik, 2010
73961 + *
73962 + *     This program is free software; you can redistribute it and/or modify
73963 + *     it under the terms of the GNU General Public License; either version
73964 + *     2 or 3 as published by the Free Software Foundation.
73965 + */
73966 +#include <linux/module.h>
73967 +#include <linux/moduleparam.h>
73968 +#include <linux/skbuff.h>
73969 +#include <linux/netfilter/x_tables.h>
73970 +#include <linux/grsecurity.h>
73971 +#include <linux/netfilter/xt_gradm.h>
73972 +
73973 +static bool
73974 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
73975 +{
73976 +       const struct xt_gradm_mtinfo *info = par->matchinfo;
73977 +       bool retval = false;
73978 +       if (gr_acl_is_enabled())
73979 +               retval = true;
73980 +       return retval ^ info->invflags;
73981 +}
73982 +
73983 +static struct xt_match gradm_mt_reg __read_mostly = {
73984 +               .name       = "gradm",
73985 +               .revision   = 0,
73986 +               .family     = NFPROTO_UNSPEC,
73987 +               .match      = gradm_mt,
73988 +               .matchsize  = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
73989 +               .me         = THIS_MODULE,
73990 +};
73991 +
73992 +static int __init gradm_mt_init(void)
73993 +{       
73994 +               return xt_register_match(&gradm_mt_reg);
73995 +}
73996 +
73997 +static void __exit gradm_mt_exit(void)
73998 +{       
73999 +               xt_unregister_match(&gradm_mt_reg);
74000 +}
74001 +
74002 +module_init(gradm_mt_init);
74003 +module_exit(gradm_mt_exit);
74004 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
74005 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
74006 +MODULE_LICENSE("GPL");
74007 +MODULE_ALIAS("ipt_gradm");
74008 +MODULE_ALIAS("ip6t_gradm");
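Review bot: `return retval ^ info->invflags;` in gradm_mt is only an inversion if `invflags` is strictly 0 or 1; if the field is wider than a bool (its header is not on the page) and userspace supplies any other value, the XOR is nonzero for both values of `retval` and the match is always true. Nothing validates the field, since `gradm_mt_reg` has no `.checkentry`. Normalizing it, `return gr_acl_is_enabled() ^ !!info->invflags;`, removes the surprise, and a `checkentry` that returns `-EINVAL` for `info->invflags > 1` would reject malformed rules at insertion time. The copyright line of the new file also carries a mis-encoded symbol (`Â©`), which is a text-encoding problem in the patch rather than in the code.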
74009 diff -urNp linux-3.0.9/net/netfilter/xt_statistic.c linux-3.0.9/net/netfilter/xt_statistic.c
74010 --- linux-3.0.9/net/netfilter/xt_statistic.c    2011-11-11 13:12:24.000000000 -0500
74011 +++ linux-3.0.9/net/netfilter/xt_statistic.c    2011-11-15 20:03:00.000000000 -0500
74012 @@ -18,7 +18,7 @@
74013  #include <linux/netfilter/x_tables.h>
74014  
74015  struct xt_statistic_priv {
74016 -       atomic_t count;
74017 +       atomic_unchecked_t count;
74018  } ____cacheline_aligned_in_smp;
74019  
74020  MODULE_LICENSE("GPL");
74021 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb, 
74022                 break;
74023         case XT_STATISTIC_MODE_NTH:
74024                 do {
74025 -                       oval = atomic_read(&info->master->count);
74026 +                       oval = atomic_read_unchecked(&info->master->count);
74027                         nval = (oval == info->u.nth.every) ? 0 : oval + 1;
74028 -               } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
74029 +               } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
74030                 if (nval == 0)
74031                         ret = !ret;
74032                 break;
74033 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
74034         info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
74035         if (info->master == NULL)
74036                 return -ENOMEM;
74037 -       atomic_set(&info->master->count, info->u.nth.count);
74038 +       atomic_set_unchecked(&info->master->count, info->u.nth.count);
74039  
74040         return 0;
74041  }
74042 diff -urNp linux-3.0.9/net/netlink/af_netlink.c linux-3.0.9/net/netlink/af_netlink.c
74043 --- linux-3.0.9/net/netlink/af_netlink.c        2011-11-11 13:12:24.000000000 -0500
74044 +++ linux-3.0.9/net/netlink/af_netlink.c        2011-11-15 20:03:00.000000000 -0500
74045 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock 
74046                         sk->sk_error_report(sk);
74047                 }
74048         }
74049 -       atomic_inc(&sk->sk_drops);
74050 +       atomic_inc_unchecked(&sk->sk_drops);
74051  }
74052  
74053  static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
74054 @@ -1994,7 +1994,7 @@ static int netlink_seq_show(struct seq_f
74055                            sk_wmem_alloc_get(s),
74056                            nlk->cb,
74057                            atomic_read(&s->sk_refcnt),
74058 -                          atomic_read(&s->sk_drops),
74059 +                          atomic_read_unchecked(&s->sk_drops),
74060                            sock_i_ino(s)
74061                         );
74062  
74063 diff -urNp linux-3.0.9/net/netrom/af_netrom.c linux-3.0.9/net/netrom/af_netrom.c
74064 --- linux-3.0.9/net/netrom/af_netrom.c  2011-11-11 13:12:24.000000000 -0500
74065 +++ linux-3.0.9/net/netrom/af_netrom.c  2011-11-15 20:03:00.000000000 -0500
74066 @@ -839,6 +839,7 @@ static int nr_getname(struct socket *soc
74067         struct sock *sk = sock->sk;
74068         struct nr_sock *nr = nr_sk(sk);
74069  
74070 +       memset(sax, 0, sizeof(*sax));
74071         lock_sock(sk);
74072         if (peer != 0) {
74073                 if (sk->sk_state != TCP_ESTABLISHED) {
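Review bot: The added `memset(sax, 0, sizeof(*sax))` deserves a comment, because a later reader will otherwise see only the removal of `sax25_ndigis = 0` in the next hunk and may reinstate it: `/* zero the whole sockaddr so padding and unset fields never carry kernel stack bytes to userspace */`. `sizeof(*sax)` depends on the declaration of `sax`, which is outside the hunk; if it is the larger `full_sockaddr_ax25`, the zeroing covers both the peer-address size and the shorter `sockaddr_ax25` copied in the else branch, and a comment saying so would make that dependency explicit.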
74074 @@ -853,7 +854,6 @@ static int nr_getname(struct socket *soc
74075                 *uaddr_len = sizeof(struct full_sockaddr_ax25);
74076         } else {
74077                 sax->fsa_ax25.sax25_family = AF_NETROM;
74078 -               sax->fsa_ax25.sax25_ndigis = 0;
74079                 sax->fsa_ax25.sax25_call   = nr->source_addr;
74080                 *uaddr_len = sizeof(struct sockaddr_ax25);
74081         }
74082 diff -urNp linux-3.0.9/net/packet/af_packet.c linux-3.0.9/net/packet/af_packet.c
74083 --- linux-3.0.9/net/packet/af_packet.c  2011-11-11 13:12:24.000000000 -0500
74084 +++ linux-3.0.9/net/packet/af_packet.c  2011-11-15 20:03:00.000000000 -0500
74085 @@ -647,7 +647,7 @@ static int packet_rcv(struct sk_buff *sk
74086  
74087         spin_lock(&sk->sk_receive_queue.lock);
74088         po->stats.tp_packets++;
74089 -       skb->dropcount = atomic_read(&sk->sk_drops);
74090 +       skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
74091         __skb_queue_tail(&sk->sk_receive_queue, skb);
74092         spin_unlock(&sk->sk_receive_queue.lock);
74093         sk->sk_data_ready(sk, skb->len);
74094 @@ -656,7 +656,7 @@ static int packet_rcv(struct sk_buff *sk
74095  drop_n_acct:
74096         spin_lock(&sk->sk_receive_queue.lock);
74097         po->stats.tp_drops++;
74098 -       atomic_inc(&sk->sk_drops);
74099 +       atomic_inc_unchecked(&sk->sk_drops);
74100         spin_unlock(&sk->sk_receive_queue.lock);
74101  
74102  drop_n_restore:
74103 @@ -2171,7 +2171,7 @@ static int packet_getsockopt(struct sock
74104         case PACKET_HDRLEN:
74105                 if (len > sizeof(int))
74106                         len = sizeof(int);
74107 -               if (copy_from_user(&val, optval, len))
74108 +               if (len > sizeof(val) || copy_from_user(&val, optval, len))
74109                         return -EFAULT;
74110                 switch (val) {
74111                 case TPACKET_V1:
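Review bot: The new `len > sizeof(val)` term is dead code if `val` is an `int`, because the two lines above already clamp `len` to `sizeof(int)`; if `val` has some other type, the clamp rather than the new test is what bounds the copy, and the mismatch should be resolved instead of double-checked. Returning -EFAULT for an over-long `len` also misreports the condition; `if (len > sizeof(val)) return -EINVAL;` is the conventional form. The same remark applies to the second hunk in this file, whose `len > sizeof(st)` bound is only meaningful for the case where `data` points at `st`; `data` is assigned outside the hunk, so the other cases cannot be checked from here.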
74112 @@ -2209,7 +2209,7 @@ static int packet_getsockopt(struct sock
74113  
74114         if (put_user(len, optlen))
74115                 return -EFAULT;
74116 -       if (copy_to_user(optval, data, len))
74117 +       if (len > sizeof(st) || copy_to_user(optval, data, len))
74118                 return -EFAULT;
74119         return 0;
74120  }
74121 diff -urNp linux-3.0.9/net/phonet/af_phonet.c linux-3.0.9/net/phonet/af_phonet.c
74122 --- linux-3.0.9/net/phonet/af_phonet.c  2011-11-11 13:12:24.000000000 -0500
74123 +++ linux-3.0.9/net/phonet/af_phonet.c  2011-11-15 20:03:00.000000000 -0500
74124 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
74125  {
74126         struct phonet_protocol *pp;
74127  
74128 -       if (protocol >= PHONET_NPROTO)
74129 +       if (protocol < 0 || protocol >= PHONET_NPROTO)
74130                 return NULL;
74131  
74132         rcu_read_lock();
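Review bot: The added `protocol < 0` term tells the reader that `protocol` is a signed `int` (its declaration is outside the hunk); if so, a single `(unsigned int)protocol >= PHONET_NPROTO` expresses both bounds in one comparison and cannot lose the lower bound when one side of the `||` is later edited. The same applies to the second hunk in this file, in phonet_proto_register.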
74133 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_regist
74134  {
74135         int err = 0;
74136  
74137 -       if (protocol >= PHONET_NPROTO)
74138 +       if (protocol < 0 || protocol >= PHONET_NPROTO)
74139                 return -EINVAL;
74140  
74141         err = proto_register(pp->prot, 1);
74142 diff -urNp linux-3.0.9/net/phonet/pep.c linux-3.0.9/net/phonet/pep.c
74143 --- linux-3.0.9/net/phonet/pep.c        2011-11-11 13:12:24.000000000 -0500
74144 +++ linux-3.0.9/net/phonet/pep.c        2011-11-15 20:03:00.000000000 -0500
74145 @@ -387,7 +387,7 @@ static int pipe_do_rcv(struct sock *sk, 
74146  
74147         case PNS_PEP_CTRL_REQ:
74148                 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
74149 -                       atomic_inc(&sk->sk_drops);
74150 +                       atomic_inc_unchecked(&sk->sk_drops);
74151                         break;
74152                 }
74153                 __skb_pull(skb, 4);
74154 @@ -408,7 +408,7 @@ static int pipe_do_rcv(struct sock *sk, 
74155                 }
74156  
74157                 if (pn->rx_credits == 0) {
74158 -                       atomic_inc(&sk->sk_drops);
74159 +                       atomic_inc_unchecked(&sk->sk_drops);
74160                         err = -ENOBUFS;
74161                         break;
74162                 }
74163 @@ -556,7 +556,7 @@ static int pipe_handler_do_rcv(struct so
74164                 }
74165  
74166                 if (pn->rx_credits == 0) {
74167 -                       atomic_inc(&sk->sk_drops);
74168 +                       atomic_inc_unchecked(&sk->sk_drops);
74169                         err = NET_RX_DROP;
74170                         break;
74171                 }
74172 diff -urNp linux-3.0.9/net/phonet/socket.c linux-3.0.9/net/phonet/socket.c
74173 --- linux-3.0.9/net/phonet/socket.c     2011-11-11 13:12:24.000000000 -0500
74174 +++ linux-3.0.9/net/phonet/socket.c     2011-11-15 20:03:00.000000000 -0500
74175 @@ -612,8 +612,13 @@ static int pn_sock_seq_show(struct seq_f
74176                         pn->resource, sk->sk_state,
74177                         sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
74178                         sock_i_uid(sk), sock_i_ino(sk),
74179 -                       atomic_read(&sk->sk_refcnt), sk,
74180 -                       atomic_read(&sk->sk_drops), &len);
74181 +                       atomic_read(&sk->sk_refcnt),
74182 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74183 +                       NULL,
74184 +#else
74185 +                       sk,
74186 +#endif
74187 +                       atomic_read_unchecked(&sk->sk_drops), &len);
74188         }
74189         seq_printf(seq, "%*s\n", 127 - len, "");
74190         return 0;
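Review bot: Substituting `NULL` for `sk` inside the argument list changes the textual shape of the /proc line rather than just hiding the address: if the format string, which is outside the hunk, prints `sk` with `%p`, vsprintf renders a NULL argument as the literal `(null)`, so tools that parse fixed columns see a different token under CONFIG_GRKERNSEC_HIDESYM. The upstream mechanism for this is `%pK` together with `kptr_restrict`, which keeps the column width and zeroes the value for unprivileged readers without an `#ifdef` in the middle of a call. A short comment on the `#ifdef`, `/* hide kernel pointers from unprivileged readers of /proc/net/phonet */`, would at least state the intent.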
74191 diff -urNp linux-3.0.9/net/rds/cong.c linux-3.0.9/net/rds/cong.c
74192 --- linux-3.0.9/net/rds/cong.c  2011-11-11 13:12:24.000000000 -0500
74193 +++ linux-3.0.9/net/rds/cong.c  2011-11-15 20:03:00.000000000 -0500
74194 @@ -77,7 +77,7 @@
74195   * finds that the saved generation number is smaller than the global generation
74196   * number, it wakes up the process.
74197   */
74198 -static atomic_t                rds_cong_generation = ATOMIC_INIT(0);
74199 +static atomic_unchecked_t              rds_cong_generation = ATOMIC_INIT(0);
74200  
74201  /*
74202   * Congestion monitoring
74203 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
74204         rdsdebug("waking map %p for %pI4\n",
74205           map, &map->m_addr);
74206         rds_stats_inc(s_cong_update_received);
74207 -       atomic_inc(&rds_cong_generation);
74208 +       atomic_inc_unchecked(&rds_cong_generation);
74209         if (waitqueue_active(&map->m_waitq))
74210                 wake_up(&map->m_waitq);
74211         if (waitqueue_active(&rds_poll_waitq))
74212 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
74213  
74214  int rds_cong_updated_since(unsigned long *recent)
74215  {
74216 -       unsigned long gen = atomic_read(&rds_cong_generation);
74217 +       unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
74218  
74219         if (likely(*recent == gen))
74220                 return 0;
74221 diff -urNp linux-3.0.9/net/rds/ib_cm.c linux-3.0.9/net/rds/ib_cm.c
74222 --- linux-3.0.9/net/rds/ib_cm.c 2011-11-11 13:12:24.000000000 -0500
74223 +++ linux-3.0.9/net/rds/ib_cm.c 2011-11-15 20:03:00.000000000 -0500
74224 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
74225         /* Clear the ACK state */
74226         clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
74227  #ifdef KERNEL_HAS_ATOMIC64
74228 -       atomic64_set(&ic->i_ack_next, 0);
74229 +       atomic64_set_unchecked(&ic->i_ack_next, 0);
74230  #else
74231         ic->i_ack_next = 0;
74232  #endif
74233 diff -urNp linux-3.0.9/net/rds/ib.h linux-3.0.9/net/rds/ib.h
74234 --- linux-3.0.9/net/rds/ib.h    2011-11-11 13:12:24.000000000 -0500
74235 +++ linux-3.0.9/net/rds/ib.h    2011-11-15 20:03:00.000000000 -0500
74236 @@ -127,7 +127,7 @@ struct rds_ib_connection {
74237         /* sending acks */
74238         unsigned long           i_ack_flags;
74239  #ifdef KERNEL_HAS_ATOMIC64
74240 -       atomic64_t              i_ack_next;     /* next ACK to send */
74241 +       atomic64_unchecked_t    i_ack_next;     /* next ACK to send */
74242  #else
74243         spinlock_t              i_ack_lock;     /* protect i_ack_next */
74244         u64                     i_ack_next;     /* next ACK to send */
74245 diff -urNp linux-3.0.9/net/rds/ib_recv.c linux-3.0.9/net/rds/ib_recv.c
74246 --- linux-3.0.9/net/rds/ib_recv.c       2011-11-11 13:12:24.000000000 -0500
74247 +++ linux-3.0.9/net/rds/ib_recv.c       2011-11-15 20:03:00.000000000 -0500
74248 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
74249  static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
74250                                 int ack_required)
74251  {
74252 -       atomic64_set(&ic->i_ack_next, seq);
74253 +       atomic64_set_unchecked(&ic->i_ack_next, seq);
74254         if (ack_required) {
74255                 smp_mb__before_clear_bit();
74256                 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74257 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
74258         clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74259         smp_mb__after_clear_bit();
74260  
74261 -       return atomic64_read(&ic->i_ack_next);
74262 +       return atomic64_read_unchecked(&ic->i_ack_next);
74263  }
74264  #endif
74265  
74266 diff -urNp linux-3.0.9/net/rds/iw_cm.c linux-3.0.9/net/rds/iw_cm.c
74267 --- linux-3.0.9/net/rds/iw_cm.c 2011-11-11 13:12:24.000000000 -0500
74268 +++ linux-3.0.9/net/rds/iw_cm.c 2011-11-15 20:03:00.000000000 -0500
74269 @@ -664,7 +664,7 @@ void rds_iw_conn_shutdown(struct rds_con
74270         /* Clear the ACK state */
74271         clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
74272  #ifdef KERNEL_HAS_ATOMIC64
74273 -       atomic64_set(&ic->i_ack_next, 0);
74274 +       atomic64_set_unchecked(&ic->i_ack_next, 0);
74275  #else
74276         ic->i_ack_next = 0;
74277  #endif
74278 diff -urNp linux-3.0.9/net/rds/iw.h linux-3.0.9/net/rds/iw.h
74279 --- linux-3.0.9/net/rds/iw.h    2011-11-11 13:12:24.000000000 -0500
74280 +++ linux-3.0.9/net/rds/iw.h    2011-11-15 20:03:00.000000000 -0500
74281 @@ -133,7 +133,7 @@ struct rds_iw_connection {
74282         /* sending acks */
74283         unsigned long           i_ack_flags;
74284  #ifdef KERNEL_HAS_ATOMIC64
74285 -       atomic64_t              i_ack_next;     /* next ACK to send */
74286 +       atomic64_unchecked_t    i_ack_next;     /* next ACK to send */
74287  #else
74288         spinlock_t              i_ack_lock;     /* protect i_ack_next */
74289         u64                     i_ack_next;     /* next ACK to send */
74290 diff -urNp linux-3.0.9/net/rds/iw_rdma.c linux-3.0.9/net/rds/iw_rdma.c
74291 --- linux-3.0.9/net/rds/iw_rdma.c       2011-11-11 13:12:24.000000000 -0500
74292 +++ linux-3.0.9/net/rds/iw_rdma.c       2011-11-15 20:03:00.000000000 -0500
74293 @@ -182,6 +182,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
74294         struct rdma_cm_id *pcm_id;
74295         int rc;
74296  
74297 +       pax_track_stack();
74298 +
74299         src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
74300         dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
74301  
74302 diff -urNp linux-3.0.9/net/rds/iw_recv.c linux-3.0.9/net/rds/iw_recv.c
74303 --- linux-3.0.9/net/rds/iw_recv.c       2011-11-11 13:12:24.000000000 -0500
74304 +++ linux-3.0.9/net/rds/iw_recv.c       2011-11-15 20:03:00.000000000 -0500
74305 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
74306  static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
74307                                 int ack_required)
74308  {
74309 -       atomic64_set(&ic->i_ack_next, seq);
74310 +       atomic64_set_unchecked(&ic->i_ack_next, seq);
74311         if (ack_required) {
74312                 smp_mb__before_clear_bit();
74313                 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74314 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
74315         clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74316         smp_mb__after_clear_bit();
74317  
74318 -       return atomic64_read(&ic->i_ack_next);
74319 +       return atomic64_read_unchecked(&ic->i_ack_next);
74320  }
74321  #endif
74322  
74323 diff -urNp linux-3.0.9/net/rds/tcp.c linux-3.0.9/net/rds/tcp.c
74324 --- linux-3.0.9/net/rds/tcp.c   2011-11-11 13:12:24.000000000 -0500
74325 +++ linux-3.0.9/net/rds/tcp.c   2011-11-15 20:03:00.000000000 -0500
74326 @@ -58,7 +58,7 @@ void rds_tcp_nonagle(struct socket *sock
74327         int val = 1;
74328  
74329         set_fs(KERNEL_DS);
74330 -       sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
74331 +       sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
74332                               sizeof(val));
74333         set_fs(oldfs);
74334  }
74335 diff -urNp linux-3.0.9/net/rds/tcp_send.c linux-3.0.9/net/rds/tcp_send.c
74336 --- linux-3.0.9/net/rds/tcp_send.c      2011-11-11 13:12:24.000000000 -0500
74337 +++ linux-3.0.9/net/rds/tcp_send.c      2011-11-15 20:03:00.000000000 -0500
74338 @@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *
74339  
74340         oldfs = get_fs();
74341         set_fs(KERNEL_DS);
74342 -       sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
74343 +       sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
74344                               sizeof(val));
74345         set_fs(oldfs);
74346  }
74347 diff -urNp linux-3.0.9/net/rxrpc/af_rxrpc.c linux-3.0.9/net/rxrpc/af_rxrpc.c
74348 --- linux-3.0.9/net/rxrpc/af_rxrpc.c    2011-11-11 13:12:24.000000000 -0500
74349 +++ linux-3.0.9/net/rxrpc/af_rxrpc.c    2011-11-15 20:03:00.000000000 -0500
74350 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
74351  __be32 rxrpc_epoch;
74352  
74353  /* current debugging ID */
74354 -atomic_t rxrpc_debug_id;
74355 +atomic_unchecked_t rxrpc_debug_id;
74356  
74357  /* count of skbs currently in use */
74358  atomic_t rxrpc_n_skbs;
74359 diff -urNp linux-3.0.9/net/rxrpc/ar-ack.c linux-3.0.9/net/rxrpc/ar-ack.c
74360 --- linux-3.0.9/net/rxrpc/ar-ack.c      2011-11-11 13:12:24.000000000 -0500
74361 +++ linux-3.0.9/net/rxrpc/ar-ack.c      2011-11-15 20:03:00.000000000 -0500
74362 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
74363  
74364         _enter("{%d,%d,%d,%d},",
74365                call->acks_hard, call->acks_unacked,
74366 -              atomic_read(&call->sequence),
74367 +              atomic_read_unchecked(&call->sequence),
74368                CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
74369  
74370         stop = 0;
74371 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
74372  
74373                         /* each Tx packet has a new serial number */
74374                         sp->hdr.serial =
74375 -                               htonl(atomic_inc_return(&call->conn->serial));
74376 +                               htonl(atomic_inc_return_unchecked(&call->conn->serial));
74377  
74378                         hdr = (struct rxrpc_header *) txb->head;
74379                         hdr->serial = sp->hdr.serial;
74380 @@ -403,7 +403,7 @@ static void rxrpc_rotate_tx_window(struc
74381   */
74382  static void rxrpc_clear_tx_window(struct rxrpc_call *call)
74383  {
74384 -       rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
74385 +       rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
74386  }
74387  
74388  /*
74389 @@ -629,7 +629,7 @@ process_further:
74390  
74391                 latest = ntohl(sp->hdr.serial);
74392                 hard = ntohl(ack.firstPacket);
74393 -               tx = atomic_read(&call->sequence);
74394 +               tx = atomic_read_unchecked(&call->sequence);
74395  
74396                 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
74397                        latest,
74398 @@ -842,6 +842,8 @@ void rxrpc_process_call(struct work_stru
74399         u32 abort_code = RX_PROTOCOL_ERROR;
74400         u8 *acks = NULL;
74401  
74402 +       pax_track_stack();
74403 +
74404         //printk("\n--------------------\n");
74405         _enter("{%d,%s,%lx} [%lu]",
74406                call->debug_id, rxrpc_call_states[call->state], call->events,
74407 @@ -1161,7 +1163,7 @@ void rxrpc_process_call(struct work_stru
74408         goto maybe_reschedule;
74409  
74410  send_ACK_with_skew:
74411 -       ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
74412 +       ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
74413                             ntohl(ack.serial));
74414  send_ACK:
74415         mtu = call->conn->trans->peer->if_mtu;
74416 @@ -1173,7 +1175,7 @@ send_ACK:
74417         ackinfo.rxMTU   = htonl(5692);
74418         ackinfo.jumbo_max = htonl(4);
74419  
74420 -       hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
74421 +       hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
74422         _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
74423                ntohl(hdr.serial),
74424                ntohs(ack.maxSkew),
74425 @@ -1191,7 +1193,7 @@ send_ACK:
74426  send_message:
74427         _debug("send message");
74428  
74429 -       hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
74430 +       hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
74431         _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
74432  send_message_2:
74433  
74434 diff -urNp linux-3.0.9/net/rxrpc/ar-call.c linux-3.0.9/net/rxrpc/ar-call.c
74435 --- linux-3.0.9/net/rxrpc/ar-call.c     2011-11-11 13:12:24.000000000 -0500
74436 +++ linux-3.0.9/net/rxrpc/ar-call.c     2011-11-15 20:03:00.000000000 -0500
74437 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
74438         spin_lock_init(&call->lock);
74439         rwlock_init(&call->state_lock);
74440         atomic_set(&call->usage, 1);
74441 -       call->debug_id = atomic_inc_return(&rxrpc_debug_id);
74442 +       call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74443         call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
74444  
74445         memset(&call->sock_node, 0xed, sizeof(call->sock_node));
74446 diff -urNp linux-3.0.9/net/rxrpc/ar-connection.c linux-3.0.9/net/rxrpc/ar-connection.c
74447 --- linux-3.0.9/net/rxrpc/ar-connection.c       2011-11-11 13:12:24.000000000 -0500
74448 +++ linux-3.0.9/net/rxrpc/ar-connection.c       2011-11-15 20:03:00.000000000 -0500
74449 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
74450                 rwlock_init(&conn->lock);
74451                 spin_lock_init(&conn->state_lock);
74452                 atomic_set(&conn->usage, 1);
74453 -               conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
74454 +               conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74455                 conn->avail_calls = RXRPC_MAXCALLS;
74456                 conn->size_align = 4;
74457                 conn->header_size = sizeof(struct rxrpc_header);
74458 diff -urNp linux-3.0.9/net/rxrpc/ar-connevent.c linux-3.0.9/net/rxrpc/ar-connevent.c
74459 --- linux-3.0.9/net/rxrpc/ar-connevent.c        2011-11-11 13:12:24.000000000 -0500
74460 +++ linux-3.0.9/net/rxrpc/ar-connevent.c        2011-11-15 20:03:00.000000000 -0500
74461 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
74462  
74463         len = iov[0].iov_len + iov[1].iov_len;
74464  
74465 -       hdr.serial = htonl(atomic_inc_return(&conn->serial));
74466 +       hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
74467         _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
74468  
74469         ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
74470 diff -urNp linux-3.0.9/net/rxrpc/ar-input.c linux-3.0.9/net/rxrpc/ar-input.c
74471 --- linux-3.0.9/net/rxrpc/ar-input.c    2011-11-11 13:12:24.000000000 -0500
74472 +++ linux-3.0.9/net/rxrpc/ar-input.c    2011-11-15 20:03:00.000000000 -0500
74473 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
74474         /* track the latest serial number on this connection for ACK packet
74475          * information */
74476         serial = ntohl(sp->hdr.serial);
74477 -       hi_serial = atomic_read(&call->conn->hi_serial);
74478 +       hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
74479         while (serial > hi_serial)
74480 -               hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
74481 +               hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
74482                                            serial);
74483  
74484         /* request ACK generation for any ACK or DATA packet that requests
74485 diff -urNp linux-3.0.9/net/rxrpc/ar-internal.h linux-3.0.9/net/rxrpc/ar-internal.h
74486 --- linux-3.0.9/net/rxrpc/ar-internal.h 2011-11-11 13:12:24.000000000 -0500
74487 +++ linux-3.0.9/net/rxrpc/ar-internal.h 2011-11-15 20:03:00.000000000 -0500
74488 @@ -272,8 +272,8 @@ struct rxrpc_connection {
74489         int                     error;          /* error code for local abort */
74490         int                     debug_id;       /* debug ID for printks */
74491         unsigned                call_counter;   /* call ID counter */
74492 -       atomic_t                serial;         /* packet serial number counter */
74493 -       atomic_t                hi_serial;      /* highest serial number received */
74494 +       atomic_unchecked_t      serial;         /* packet serial number counter */
74495 +       atomic_unchecked_t      hi_serial;      /* highest serial number received */
74496         u8                      avail_calls;    /* number of calls available */
74497         u8                      size_align;     /* data size alignment (for security) */
74498         u8                      header_size;    /* rxrpc + security header size */
74499 @@ -346,7 +346,7 @@ struct rxrpc_call {
74500         spinlock_t              lock;
74501         rwlock_t                state_lock;     /* lock for state transition */
74502         atomic_t                usage;
74503 -       atomic_t                sequence;       /* Tx data packet sequence counter */
74504 +       atomic_unchecked_t      sequence;       /* Tx data packet sequence counter */
74505         u32                     abort_code;     /* local/remote abort code */
74506         enum {                                  /* current state of call */
74507                 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
74508 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
74509   */
74510  extern atomic_t rxrpc_n_skbs;
74511  extern __be32 rxrpc_epoch;
74512 -extern atomic_t rxrpc_debug_id;
74513 +extern atomic_unchecked_t rxrpc_debug_id;
74514  extern struct workqueue_struct *rxrpc_workqueue;
74515  
74516  /*
74517 diff -urNp linux-3.0.9/net/rxrpc/ar-local.c linux-3.0.9/net/rxrpc/ar-local.c
74518 --- linux-3.0.9/net/rxrpc/ar-local.c    2011-11-11 13:12:24.000000000 -0500
74519 +++ linux-3.0.9/net/rxrpc/ar-local.c    2011-11-15 20:03:00.000000000 -0500
74520 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
74521                 spin_lock_init(&local->lock);
74522                 rwlock_init(&local->services_lock);
74523                 atomic_set(&local->usage, 1);
74524 -               local->debug_id = atomic_inc_return(&rxrpc_debug_id);
74525 +               local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74526                 memcpy(&local->srx, srx, sizeof(*srx));
74527         }
74528  
74529 diff -urNp linux-3.0.9/net/rxrpc/ar-output.c linux-3.0.9/net/rxrpc/ar-output.c
74530 --- linux-3.0.9/net/rxrpc/ar-output.c   2011-11-11 13:12:24.000000000 -0500
74531 +++ linux-3.0.9/net/rxrpc/ar-output.c   2011-11-15 20:03:00.000000000 -0500
74532 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb 
74533                         sp->hdr.cid = call->cid;
74534                         sp->hdr.callNumber = call->call_id;
74535                         sp->hdr.seq =
74536 -                               htonl(atomic_inc_return(&call->sequence));
74537 +                               htonl(atomic_inc_return_unchecked(&call->sequence));
74538                         sp->hdr.serial =
74539 -                               htonl(atomic_inc_return(&conn->serial));
74540 +                               htonl(atomic_inc_return_unchecked(&conn->serial));
74541                         sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
74542                         sp->hdr.userStatus = 0;
74543                         sp->hdr.securityIndex = conn->security_ix;
74544 diff -urNp linux-3.0.9/net/rxrpc/ar-peer.c linux-3.0.9/net/rxrpc/ar-peer.c
74545 --- linux-3.0.9/net/rxrpc/ar-peer.c     2011-11-11 13:12:24.000000000 -0500
74546 +++ linux-3.0.9/net/rxrpc/ar-peer.c     2011-11-15 20:03:00.000000000 -0500
74547 @@ -72,7 +72,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
74548                 INIT_LIST_HEAD(&peer->error_targets);
74549                 spin_lock_init(&peer->lock);
74550                 atomic_set(&peer->usage, 1);
74551 -               peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
74552 +               peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74553                 memcpy(&peer->srx, srx, sizeof(*srx));
74554  
74555                 rxrpc_assess_MTU_size(peer);
74556 diff -urNp linux-3.0.9/net/rxrpc/ar-proc.c linux-3.0.9/net/rxrpc/ar-proc.c
74557 --- linux-3.0.9/net/rxrpc/ar-proc.c     2011-11-11 13:12:24.000000000 -0500
74558 +++ linux-3.0.9/net/rxrpc/ar-proc.c     2011-11-15 20:03:00.000000000 -0500
74559 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
74560                    atomic_read(&conn->usage),
74561                    rxrpc_conn_states[conn->state],
74562                    key_serial(conn->key),
74563 -                  atomic_read(&conn->serial),
74564 -                  atomic_read(&conn->hi_serial));
74565 +                  atomic_read_unchecked(&conn->serial),
74566 +                  atomic_read_unchecked(&conn->hi_serial));
74567  
74568         return 0;
74569  }
74570 diff -urNp linux-3.0.9/net/rxrpc/ar-transport.c linux-3.0.9/net/rxrpc/ar-transport.c
74571 --- linux-3.0.9/net/rxrpc/ar-transport.c        2011-11-11 13:12:24.000000000 -0500
74572 +++ linux-3.0.9/net/rxrpc/ar-transport.c        2011-11-15 20:03:00.000000000 -0500
74573 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
74574                 spin_lock_init(&trans->client_lock);
74575                 rwlock_init(&trans->conn_lock);
74576                 atomic_set(&trans->usage, 1);
74577 -               trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
74578 +               trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74579  
74580                 if (peer->srx.transport.family == AF_INET) {
74581                         switch (peer->srx.transport_type) {
74582 diff -urNp linux-3.0.9/net/rxrpc/rxkad.c linux-3.0.9/net/rxrpc/rxkad.c
74583 --- linux-3.0.9/net/rxrpc/rxkad.c       2011-11-11 13:12:24.000000000 -0500
74584 +++ linux-3.0.9/net/rxrpc/rxkad.c       2011-11-15 20:03:00.000000000 -0500
74585 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
74586         u16 check;
74587         int nsg;
74588  
74589 +       pax_track_stack();
74590 +
74591         sp = rxrpc_skb(skb);
74592  
74593         _enter("");
74594 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
74595         u16 check;
74596         int nsg;
74597  
74598 +       pax_track_stack();
74599 +
74600         _enter("");
74601  
74602         sp = rxrpc_skb(skb);
74603 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct 
74604  
74605         len = iov[0].iov_len + iov[1].iov_len;
74606  
74607 -       hdr.serial = htonl(atomic_inc_return(&conn->serial));
74608 +       hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
74609         _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
74610  
74611         ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
74612 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
74613  
74614         len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
74615  
74616 -       hdr->serial = htonl(atomic_inc_return(&conn->serial));
74617 +       hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
74618         _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
74619  
74620         ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
74621 diff -urNp linux-3.0.9/net/sctp/proc.c linux-3.0.9/net/sctp/proc.c
74622 --- linux-3.0.9/net/sctp/proc.c 2011-11-11 13:12:24.000000000 -0500
74623 +++ linux-3.0.9/net/sctp/proc.c 2011-11-15 20:03:00.000000000 -0500
74624 @@ -318,7 +318,8 @@ static int sctp_assocs_seq_show(struct s
74625                 seq_printf(seq,
74626                            "%8pK %8pK %-3d %-3d %-2d %-4d "
74627                            "%4d %8d %8d %7d %5lu %-5d %5d ",
74628 -                          assoc, sk, sctp_sk(sk)->type, sk->sk_state,
74629 +                          assoc, sk,
74630 +                          sctp_sk(sk)->type, sk->sk_state,
74631                            assoc->state, hash,
74632                            assoc->assoc_id,
74633                            assoc->sndbuf_used,
74634 diff -urNp linux-3.0.9/net/sctp/socket.c linux-3.0.9/net/sctp/socket.c
74635 --- linux-3.0.9/net/sctp/socket.c       2011-11-11 13:12:24.000000000 -0500
74636 +++ linux-3.0.9/net/sctp/socket.c       2011-11-15 20:03:00.000000000 -0500
74637 @@ -4452,7 +4452,7 @@ static int sctp_getsockopt_peer_addrs(st
74638                 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
74639                 if (space_left < addrlen)
74640                         return -ENOMEM;
74641 -               if (copy_to_user(to, &temp, addrlen))
74642 +               if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
74643                         return -EFAULT;
74644                 to += addrlen;
74645                 cnt++;
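Review bot: The new `addrlen > sizeof(temp)` guard returns -EFAULT, which reports an internal inconsistency (a `sockaddr_len` larger than the `temp` it is copied from) as a user-pointer fault, so callers and logs cannot tell the two apart. `addrlen` comes from `sctp_get_af_specific()` rather than from userspace, so a tripped check is a kernel-side bug; `if (WARN_ON_ONCE(addrlen > sizeof(temp))) return -EINVAL;` on its own line before the `space_left` comparison would make that visible. The enclosing `sctp_getsockopt_peer_addrs` starts and ends outside the hunk. The same conflation appears in the `len > sizeof str_buf` guard added to `read_reset_stat` in net/sunrpc/xprtrdma/svc_rdma.c, which also departs from the kernel's `sizeof(str_buf)` spelling.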
74646 diff -urNp linux-3.0.9/net/socket.c linux-3.0.9/net/socket.c
74647 --- linux-3.0.9/net/socket.c    2011-11-11 13:12:24.000000000 -0500
74648 +++ linux-3.0.9/net/socket.c    2011-11-15 20:03:00.000000000 -0500
74649 @@ -88,6 +88,7 @@
74650  #include <linux/nsproxy.h>
74651  #include <linux/magic.h>
74652  #include <linux/slab.h>
74653 +#include <linux/in.h>
74654  
74655  #include <asm/uaccess.h>
74656  #include <asm/unistd.h>
74657 @@ -105,6 +106,8 @@
74658  #include <linux/sockios.h>
74659  #include <linux/atalk.h>
74660  
74661 +#include <linux/grsock.h>
74662 +
74663  static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
74664  static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
74665                          unsigned long nr_segs, loff_t pos);
74666 @@ -321,7 +324,7 @@ static struct dentry *sockfs_mount(struc
74667                 &sockfs_dentry_operations, SOCKFS_MAGIC);
74668  }
74669  
74670 -static struct vfsmount *sock_mnt __read_mostly;
74671 +struct vfsmount *sock_mnt __read_mostly;
74672  
74673  static struct file_system_type sock_fs_type = {
74674         .name =         "sockfs",
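Review bot: Dropping `static` from `sock_mnt` turns a file-private pointer into a global symbol, but this hunk adds no `extern` declaration and no comment saying which code outside net/socket.c now relies on it. If the declaration lives in the newly included linux/grsock.h, a one-line comment here, e.g. `/* non-static: also used by the grsecurity socket code, see linux/grsock.h */`, keeps the two in sync; otherwise an `extern struct vfsmount *sock_mnt;` belongs in a shared header so the definition and its users are type-checked against each other.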
74675 @@ -1187,6 +1190,8 @@ int __sock_create(struct net *net, int f
74676                 return -EAFNOSUPPORT;
74677         if (type < 0 || type >= SOCK_MAX)
74678                 return -EINVAL;
74679 +       if (protocol < 0)
74680 +               return -EINVAL;
74681  
74682         /* Compatibility.
74683  
74684 @@ -1319,6 +1324,16 @@ SYSCALL_DEFINE3(socket, int, family, int
74685         if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
74686                 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
74687  
74688 +       if(!gr_search_socket(family, type, protocol)) {
74689 +               retval = -EACCES;
74690 +               goto out;
74691 +       }
74692 +
74693 +       if (gr_handle_sock_all(family, type, protocol)) {
74694 +               retval = -EACCES;
74695 +               goto out;
74696 +       }
74697 +
74698         retval = sock_create(family, type, protocol, &sock);
74699         if (retval < 0)
74700                 goto out;
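Review bot: `if(!gr_search_socket(family, type, protocol)) {` is missing the space after `if` that the very next check, `if (gr_handle_sock_all(family, type, protocol)) {`, and the rest of the function use; it should read `if (!gr_search_socket(family, type, protocol)) {`. Both new checks fail with the identical `retval = -EACCES; goto out;`, so a short comment naming what each hook decides would help a reader who cannot see linux/grsock.h from here. The enclosing socket syscall starts outside the hunk.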
74701 @@ -1431,6 +1446,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
74702         if (sock) {
74703                 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
74704                 if (err >= 0) {
74705 +                       if (gr_handle_sock_server((struct sockaddr *)&address)) {
74706 +                               err = -EACCES;
74707 +                               goto error;
74708 +                       }
74709 +                       err = gr_search_bind(sock, (struct sockaddr_in *)&address);
74710 +                       if (err)
74711 +                               goto error;
74712 +
74713                         err = security_socket_bind(sock,
74714                                                    (struct sockaddr *)&address,
74715                                                    addrlen);
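Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` hands the address to the hook as an IPv4 sockaddr although `address` is a `sockaddr_storage` that may hold AF_INET6, AF_UNIX or any other family at this point. That is only safe if `gr_search_bind` checks `sa_family` before touching any `sin_*` field; the cast should either be annotated, e.g. `/* gr_search_bind() is expected to validate sa_family before using sin_* fields */`, or the hook given a `struct sockaddr *` and left to cast internally. The same cast is made in the connect hunk below, `gr_search_connect(sock, (struct sockaddr_in *)sck)`. The enclosing bind syscall starts and ends outside the hunk.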
74716 @@ -1439,6 +1462,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
74717                                                       (struct sockaddr *)
74718                                                       &address, addrlen);
74719                 }
74720 +error:
74721                 fput_light(sock->file, fput_needed);
74722         }
74723         return err;
74724 @@ -1462,10 +1486,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
74725                 if ((unsigned)backlog > somaxconn)
74726                         backlog = somaxconn;
74727  
74728 +               if (gr_handle_sock_server_other(sock->sk)) {
74729 +                       err = -EPERM;
74730 +                       goto error;
74731 +               }
74732 +
74733 +               err = gr_search_listen(sock);
74734 +               if (err)
74735 +                       goto error;
74736 +
74737                 err = security_socket_listen(sock, backlog);
74738                 if (!err)
74739                         err = sock->ops->listen(sock, backlog);
74740  
74741 +error:
74742                 fput_light(sock->file, fput_needed);
74743         }
74744         return err;
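Review bot: The `gr_handle_sock_server_other` rejection here returns -EPERM, while the denials added to the socket, bind and connect paths in this same file return -EACCES; the accept4 hunk below repeats the -EPERM choice. If the distinction is intentional (a different policy hook), a comment at this first use, e.g. `/* server-side restriction: EPERM, unlike the EACCES from the socket/bind/connect hooks */`, would stop a later cleanup from harmonising it; if not, the codes should be aligned. The enclosing listen syscall starts outside the hunk.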
74745 @@ -1509,6 +1543,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
74746         newsock->type = sock->type;
74747         newsock->ops = sock->ops;
74748  
74749 +       if (gr_handle_sock_server_other(sock->sk)) {
74750 +               err = -EPERM;
74751 +               sock_release(newsock);
74752 +               goto out_put;
74753 +       }
74754 +
74755 +       err = gr_search_accept(sock);
74756 +       if (err) {
74757 +               sock_release(newsock);
74758 +               goto out_put;
74759 +       }
74760 +
74761         /*
74762          * We don't need try_module_get here, as the listening socket (sock)
74763          * has the protocol module (sock->ops->owner) held.
74764 @@ -1547,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
74765         fd_install(newfd, newfile);
74766         err = newfd;
74767  
74768 +       gr_attach_curr_ip(newsock->sk);
74769 +
74770  out_put:
74771         fput_light(sock->file, fput_needed);
74772  out:
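Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, and fd_install publishes the descriptor to the whole process, so another thread can already read from or pass on the accepted socket before the hook has run on it. If the hook records state that later grsecurity socket checks rely on, it should be called before `fd_install` (both `sock` and `newsock` are still valid there); if it is purely informational, a comment saying the ordering is harmless would settle the question. The enclosing accept4 syscall starts outside the hunk.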
74773 @@ -1579,6 +1627,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
74774                 int, addrlen)
74775  {
74776         struct socket *sock;
74777 +       struct sockaddr *sck;
74778         struct sockaddr_storage address;
74779         int err, fput_needed;
74780  
74781 @@ -1589,6 +1638,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
74782         if (err < 0)
74783                 goto out_put;
74784  
74785 +       sck = (struct sockaddr *)&address;
74786 +
74787 +       if (gr_handle_sock_client(sck)) {
74788 +               err = -EACCES;
74789 +               goto out_put;
74790 +       }
74791 +
74792 +       err = gr_search_connect(sock, (struct sockaddr_in *)sck);
74793 +       if (err)
74794 +               goto out_put;
74795 +
74796         err =
74797             security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
74798         if (err)
74799 @@ -1890,6 +1950,8 @@ static int __sys_sendmsg(struct socket *
74800         unsigned char *ctl_buf = ctl;
74801         int err, ctl_len, iov_size, total_len;
74802  
74803 +       pax_track_stack();
74804 +
74805         err = -EFAULT;
74806         if (MSG_CMSG_COMPAT & flags) {
74807                 if (get_compat_msghdr(msg_sys, msg_compat))
74808 @@ -1950,7 +2012,7 @@ static int __sys_sendmsg(struct socket *
74809                  * checking falls down on this.
74810                  */
74811                 if (copy_from_user(ctl_buf,
74812 -                                  (void __user __force *)msg_sys->msg_control,
74813 +                                  (void __force_user *)msg_sys->msg_control,
74814                                    ctl_len))
74815                         goto out_freectl;
74816                 msg_sys->msg_control = ctl_buf;
74817 @@ -2120,7 +2182,7 @@ static int __sys_recvmsg(struct socket *
74818          *      kernel msghdr to use the kernel address space)
74819          */
74820  
74821 -       uaddr = (__force void __user *)msg_sys->msg_name;
74822 +       uaddr = (void __force_user *)msg_sys->msg_name;
74823         uaddr_len = COMPAT_NAMELEN(msg);
74824         if (MSG_CMSG_COMPAT & flags) {
74825                 err = verify_compat_iovec(msg_sys, iov,
74826 @@ -2748,7 +2810,7 @@ static int ethtool_ioctl(struct net *net
74827         }
74828  
74829         ifr = compat_alloc_user_space(buf_size);
74830 -       rxnfc = (void *)ifr + ALIGN(sizeof(struct ifreq), 8);
74831 +       rxnfc = (void __user *)ifr + ALIGN(sizeof(struct ifreq), 8);
74832  
74833         if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
74834                 return -EFAULT;
74835 @@ -2772,12 +2834,12 @@ static int ethtool_ioctl(struct net *net
74836                         offsetof(struct ethtool_rxnfc, fs.ring_cookie));
74837  
74838                 if (copy_in_user(rxnfc, compat_rxnfc,
74839 -                                (void *)(&rxnfc->fs.m_ext + 1) -
74840 -                                (void *)rxnfc) ||
74841 +                                (void __user *)(&rxnfc->fs.m_ext + 1) -
74842 +                                (void __user *)rxnfc) ||
74843                     copy_in_user(&rxnfc->fs.ring_cookie,
74844                                  &compat_rxnfc->fs.ring_cookie,
74845 -                                (void *)(&rxnfc->fs.location + 1) -
74846 -                                (void *)&rxnfc->fs.ring_cookie) ||
74847 +                                (void __user *)(&rxnfc->fs.location + 1) -
74848 +                                (void __user *)&rxnfc->fs.ring_cookie) ||
74849                     copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
74850                                  sizeof(rxnfc->rule_cnt)))
74851                         return -EFAULT;
74852 @@ -2789,12 +2851,12 @@ static int ethtool_ioctl(struct net *net
74853  
74854         if (convert_out) {
74855                 if (copy_in_user(compat_rxnfc, rxnfc,
74856 -                                (const void *)(&rxnfc->fs.m_ext + 1) -
74857 -                                (const void *)rxnfc) ||
74858 +                                (const void __user *)(&rxnfc->fs.m_ext + 1) -
74859 +                                (const void __user *)rxnfc) ||
74860                     copy_in_user(&compat_rxnfc->fs.ring_cookie,
74861                                  &rxnfc->fs.ring_cookie,
74862 -                                (const void *)(&rxnfc->fs.location + 1) -
74863 -                                (const void *)&rxnfc->fs.ring_cookie) ||
74864 +                                (const void __user *)(&rxnfc->fs.location + 1) -
74865 +                                (const void __user *)&rxnfc->fs.ring_cookie) ||
74866                     copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
74867                                  sizeof(rxnfc->rule_cnt)))
74868                         return -EFAULT;
74869 @@ -2864,7 +2926,7 @@ static int bond_ioctl(struct net *net, u
74870                 old_fs = get_fs();
74871                 set_fs(KERNEL_DS);
74872                 err = dev_ioctl(net, cmd,
74873 -                               (struct ifreq __user __force *) &kifr);
74874 +                               (struct ifreq __force_user *) &kifr);
74875                 set_fs(old_fs);
74876  
74877                 return err;
74878 @@ -2973,7 +3035,7 @@ static int compat_sioc_ifmap(struct net 
74879  
74880         old_fs = get_fs();
74881         set_fs(KERNEL_DS);
74882 -       err = dev_ioctl(net, cmd, (void  __user __force *)&ifr);
74883 +       err = dev_ioctl(net, cmd, (void  __force_user *)&ifr);
74884         set_fs(old_fs);
74885  
74886         if (cmd == SIOCGIFMAP && !err) {
74887 @@ -3078,7 +3140,7 @@ static int routing_ioctl(struct net *net
74888                 ret |= __get_user(rtdev, &(ur4->rt_dev));
74889                 if (rtdev) {
74890                         ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
74891 -                       r4.rt_dev = (char __user __force *)devname;
74892 +                       r4.rt_dev = (char __force_user *)devname;
74893                         devname[15] = 0;
74894                 } else
74895                         r4.rt_dev = NULL;
74896 @@ -3318,8 +3380,8 @@ int kernel_getsockopt(struct socket *soc
74897         int __user *uoptlen;
74898         int err;
74899  
74900 -       uoptval = (char __user __force *) optval;
74901 -       uoptlen = (int __user __force *) optlen;
74902 +       uoptval = (char __force_user *) optval;
74903 +       uoptlen = (int __force_user *) optlen;
74904  
74905         set_fs(KERNEL_DS);
74906         if (level == SOL_SOCKET)
74907 @@ -3339,7 +3401,7 @@ int kernel_setsockopt(struct socket *soc
74908         char __user *uoptval;
74909         int err;
74910  
74911 -       uoptval = (char __user __force *) optval;
74912 +       uoptval = (char __force_user *) optval;
74913  
74914         set_fs(KERNEL_DS);
74915         if (level == SOL_SOCKET)
74916 diff -urNp linux-3.0.9/net/sunrpc/sched.c linux-3.0.9/net/sunrpc/sched.c
74917 --- linux-3.0.9/net/sunrpc/sched.c      2011-11-11 13:12:24.000000000 -0500
74918 +++ linux-3.0.9/net/sunrpc/sched.c      2011-11-15 20:03:00.000000000 -0500
74919 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
74920  #ifdef RPC_DEBUG
74921  static void rpc_task_set_debuginfo(struct rpc_task *task)
74922  {
74923 -       static atomic_t rpc_pid;
74924 +       static atomic_unchecked_t rpc_pid;
74925  
74926 -       task->tk_pid = atomic_inc_return(&rpc_pid);
74927 +       task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
74928  }
74929  #else
74930  static inline void rpc_task_set_debuginfo(struct rpc_task *task)
74931 diff -urNp linux-3.0.9/net/sunrpc/svcsock.c linux-3.0.9/net/sunrpc/svcsock.c
74932 --- linux-3.0.9/net/sunrpc/svcsock.c    2011-11-11 13:12:24.000000000 -0500
74933 +++ linux-3.0.9/net/sunrpc/svcsock.c    2011-11-15 20:03:00.000000000 -0500
74934 @@ -392,7 +392,7 @@ static int svc_partial_recvfrom(struct s
74935                                 int buflen, unsigned int base)
74936  {
74937         size_t save_iovlen;
74938 -       void __user *save_iovbase;
74939 +       void *save_iovbase;
74940         unsigned int i;
74941         int ret;
74942  
74943 diff -urNp linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma.c linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma.c
74944 --- linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma.c  2011-11-11 13:12:24.000000000 -0500
74945 +++ linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma.c  2011-11-15 20:03:00.000000000 -0500
74946 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
74947  static unsigned int min_max_inline = 4096;
74948  static unsigned int max_max_inline = 65536;
74949  
74950 -atomic_t rdma_stat_recv;
74951 -atomic_t rdma_stat_read;
74952 -atomic_t rdma_stat_write;
74953 -atomic_t rdma_stat_sq_starve;
74954 -atomic_t rdma_stat_rq_starve;
74955 -atomic_t rdma_stat_rq_poll;
74956 -atomic_t rdma_stat_rq_prod;
74957 -atomic_t rdma_stat_sq_poll;
74958 -atomic_t rdma_stat_sq_prod;
74959 +atomic_unchecked_t rdma_stat_recv;
74960 +atomic_unchecked_t rdma_stat_read;
74961 +atomic_unchecked_t rdma_stat_write;
74962 +atomic_unchecked_t rdma_stat_sq_starve;
74963 +atomic_unchecked_t rdma_stat_rq_starve;
74964 +atomic_unchecked_t rdma_stat_rq_poll;
74965 +atomic_unchecked_t rdma_stat_rq_prod;
74966 +atomic_unchecked_t rdma_stat_sq_poll;
74967 +atomic_unchecked_t rdma_stat_sq_prod;
74968  
74969  /* Temporary NFS request map and context caches */
74970  struct kmem_cache *svc_rdma_map_cachep;
74971 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
74972                 len -= *ppos;
74973                 if (len > *lenp)
74974                         len = *lenp;
74975 -               if (len && copy_to_user(buffer, str_buf, len))
74976 +               if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
74977                         return -EFAULT;
74978                 *lenp = len;
74979                 *ppos += len;
74980 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] = 
74981         {
74982                 .procname       = "rdma_stat_read",
74983                 .data           = &rdma_stat_read,
74984 -               .maxlen         = sizeof(atomic_t),
74985 +               .maxlen         = sizeof(atomic_unchecked_t),
74986                 .mode           = 0644,
74987                 .proc_handler   = read_reset_stat,
74988         },
74989         {
74990                 .procname       = "rdma_stat_recv",
74991                 .data           = &rdma_stat_recv,
74992 -               .maxlen         = sizeof(atomic_t),
74993 +               .maxlen         = sizeof(atomic_unchecked_t),
74994                 .mode           = 0644,
74995                 .proc_handler   = read_reset_stat,
74996         },
74997         {
74998                 .procname       = "rdma_stat_write",
74999                 .data           = &rdma_stat_write,
75000 -               .maxlen         = sizeof(atomic_t),
75001 +               .maxlen         = sizeof(atomic_unchecked_t),
75002                 .mode           = 0644,
75003                 .proc_handler   = read_reset_stat,
75004         },
75005         {
75006                 .procname       = "rdma_stat_sq_starve",
75007                 .data           = &rdma_stat_sq_starve,
75008 -               .maxlen         = sizeof(atomic_t),
75009 +               .maxlen         = sizeof(atomic_unchecked_t),
75010                 .mode           = 0644,
75011                 .proc_handler   = read_reset_stat,
75012         },
75013         {
75014                 .procname       = "rdma_stat_rq_starve",
75015                 .data           = &rdma_stat_rq_starve,
75016 -               .maxlen         = sizeof(atomic_t),
75017 +               .maxlen         = sizeof(atomic_unchecked_t),
75018                 .mode           = 0644,
75019                 .proc_handler   = read_reset_stat,
75020         },
75021         {
75022                 .procname       = "rdma_stat_rq_poll",
75023                 .data           = &rdma_stat_rq_poll,
75024 -               .maxlen         = sizeof(atomic_t),
75025 +               .maxlen         = sizeof(atomic_unchecked_t),
75026                 .mode           = 0644,
75027                 .proc_handler   = read_reset_stat,
75028         },
75029         {
75030                 .procname       = "rdma_stat_rq_prod",
75031                 .data           = &rdma_stat_rq_prod,
75032 -               .maxlen         = sizeof(atomic_t),
75033 +               .maxlen         = sizeof(atomic_unchecked_t),
75034                 .mode           = 0644,
75035                 .proc_handler   = read_reset_stat,
75036         },
75037         {
75038                 .procname       = "rdma_stat_sq_poll",
75039                 .data           = &rdma_stat_sq_poll,
75040 -               .maxlen         = sizeof(atomic_t),
75041 +               .maxlen         = sizeof(atomic_unchecked_t),
75042                 .mode           = 0644,
75043                 .proc_handler   = read_reset_stat,
75044         },
75045         {
75046                 .procname       = "rdma_stat_sq_prod",
75047                 .data           = &rdma_stat_sq_prod,
75048 -               .maxlen         = sizeof(atomic_t),
75049 +               .maxlen         = sizeof(atomic_unchecked_t),
75050                 .mode           = 0644,
75051                 .proc_handler   = read_reset_stat,
75052         },
75053 diff -urNp linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
75054 --- linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-11-11 13:12:24.000000000 -0500
75055 +++ linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-11-15 20:03:00.000000000 -0500
75056 @@ -499,7 +499,7 @@ next_sge:
75057                         svc_rdma_put_context(ctxt, 0);
75058                         goto out;
75059                 }
75060 -               atomic_inc(&rdma_stat_read);
75061 +               atomic_inc_unchecked(&rdma_stat_read);
75062  
75063                 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
75064                         chl_map->ch[ch_no].count -= read_wr.num_sge;
75065 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
75066                                   dto_q);
75067                 list_del_init(&ctxt->dto_q);
75068         } else {
75069 -               atomic_inc(&rdma_stat_rq_starve);
75070 +               atomic_inc_unchecked(&rdma_stat_rq_starve);
75071                 clear_bit(XPT_DATA, &xprt->xpt_flags);
75072                 ctxt = NULL;
75073         }
75074 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
75075         dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
75076                 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
75077         BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
75078 -       atomic_inc(&rdma_stat_recv);
75079 +       atomic_inc_unchecked(&rdma_stat_recv);
75080  
75081         /* Build up the XDR from the receive buffers. */
75082         rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
75083 diff -urNp linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_sendto.c
75084 --- linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_sendto.c   2011-11-11 13:12:24.000000000 -0500
75085 +++ linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_sendto.c   2011-11-15 20:03:00.000000000 -0500
75086 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
75087         write_wr.wr.rdma.remote_addr = to;
75088  
75089         /* Post It */
75090 -       atomic_inc(&rdma_stat_write);
75091 +       atomic_inc_unchecked(&rdma_stat_write);
75092         if (svc_rdma_send(xprt, &write_wr))
75093                 goto err;
75094         return 0;
75095 diff -urNp linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_transport.c
75096 --- linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_transport.c        2011-11-11 13:12:24.000000000 -0500
75097 +++ linux-3.0.9/net/sunrpc/xprtrdma/svc_rdma_transport.c        2011-11-15 20:03:00.000000000 -0500
75098 @@ -298,7 +298,7 @@ static void rq_cq_reap(struct svcxprt_rd
75099                 return;
75100  
75101         ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
75102 -       atomic_inc(&rdma_stat_rq_poll);
75103 +       atomic_inc_unchecked(&rdma_stat_rq_poll);
75104  
75105         while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
75106                 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
75107 @@ -320,7 +320,7 @@ static void rq_cq_reap(struct svcxprt_rd
75108         }
75109  
75110         if (ctxt)
75111 -               atomic_inc(&rdma_stat_rq_prod);
75112 +               atomic_inc_unchecked(&rdma_stat_rq_prod);
75113  
75114         set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
75115         /*
75116 @@ -392,7 +392,7 @@ static void sq_cq_reap(struct svcxprt_rd
75117                 return;
75118  
75119         ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
75120 -       atomic_inc(&rdma_stat_sq_poll);
75121 +       atomic_inc_unchecked(&rdma_stat_sq_poll);
75122         while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
75123                 if (wc.status != IB_WC_SUCCESS)
75124                         /* Close the transport */
75125 @@ -410,7 +410,7 @@ static void sq_cq_reap(struct svcxprt_rd
75126         }
75127  
75128         if (ctxt)
75129 -               atomic_inc(&rdma_stat_sq_prod);
75130 +               atomic_inc_unchecked(&rdma_stat_sq_prod);
75131  }
75132  
75133  static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
75134 @@ -1272,7 +1272,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
75135                 spin_lock_bh(&xprt->sc_lock);
75136                 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
75137                         spin_unlock_bh(&xprt->sc_lock);
75138 -                       atomic_inc(&rdma_stat_sq_starve);
75139 +                       atomic_inc_unchecked(&rdma_stat_sq_starve);
75140  
75141                         /* See if we can opportunistically reap SQ WR to make room */
75142                         sq_cq_reap(xprt);
75143 diff -urNp linux-3.0.9/net/sysctl_net.c linux-3.0.9/net/sysctl_net.c
75144 --- linux-3.0.9/net/sysctl_net.c        2011-11-11 13:12:24.000000000 -0500
75145 +++ linux-3.0.9/net/sysctl_net.c        2011-11-15 20:03:00.000000000 -0500
75146 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
75147                                struct ctl_table *table)
75148  {
75149         /* Allow network administrator to have same access as root. */
75150 -       if (capable(CAP_NET_ADMIN)) {
75151 +       if (capable_nolog(CAP_NET_ADMIN)) {
75152                 int mode = (table->mode >> 6) & 7;
75153                 return (mode << 6) | (mode << 3) | mode;
75154         }
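Review bot: The switch to `capable_nolog(CAP_NET_ADMIN)` is not explained in the code; since this call only derives the mode bits granted to the caller rather than enforcing access, the non-logging variant is presumably chosen so that every sysctl permission lookup by an unprivileged process does not produce a capability-denial audit entry. A one-line comment would keep the next reader from "fixing" it back, e.g. `/* mode probe, not an enforcement point: do not log the denied-capability case */`. net_ctl_permissions continues outside the hunk.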
75155 diff -urNp linux-3.0.9/net/tipc/link.c linux-3.0.9/net/tipc/link.c
75156 --- linux-3.0.9/net/tipc/link.c 2011-11-11 13:12:24.000000000 -0500
75157 +++ linux-3.0.9/net/tipc/link.c 2011-11-15 20:03:00.000000000 -0500
75158 @@ -1170,7 +1170,7 @@ static int link_send_sections_long(struc
75159         struct tipc_msg fragm_hdr;
75160         struct sk_buff *buf, *buf_chain, *prev;
75161         u32 fragm_crs, fragm_rest, hsz, sect_rest;
75162 -       const unchar *sect_crs;
75163 +       const unchar __user *sect_crs;
75164         int curr_sect;
75165         u32 fragm_no;
75166  
75167 @@ -1214,7 +1214,7 @@ again:
75168  
75169                 if (!sect_rest) {
75170                         sect_rest = msg_sect[++curr_sect].iov_len;
75171 -                       sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
75172 +                       sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
75173                 }
75174  
75175                 if (sect_rest < fragm_rest)
75176 @@ -1233,7 +1233,7 @@ error:
75177                         }
75178                 } else
75179                         skb_copy_to_linear_data_offset(buf, fragm_crs,
75180 -                                                      sect_crs, sz);
75181 +                                                      (const void __force_kernel *)sect_crs, sz);
75182                 sect_crs += sz;
75183                 sect_rest -= sz;
75184                 fragm_crs += sz;
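Review bot: The `(const void __force_kernel *)sect_crs` cast silences the address-space checker at exactly the point where a stray user pointer would be most dangerous, and the hunk gives no hint why this `else` branch may treat `sect_crs` as kernel memory; the condition that selects the branch is above the hunk. A comment next to the cast should state the invariant it relies on, e.g. `/* only reached for in-kernel (native API) senders whose iovecs hold kernel pointers; the __user tag on sect_crs is nominal here */`, worded to match whatever the `if` actually tests. link_send_sections_long starts and ends outside the hunk.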
75185 diff -urNp linux-3.0.9/net/tipc/msg.c linux-3.0.9/net/tipc/msg.c
75186 --- linux-3.0.9/net/tipc/msg.c  2011-11-11 13:12:24.000000000 -0500
75187 +++ linux-3.0.9/net/tipc/msg.c  2011-11-15 20:03:00.000000000 -0500
75188 @@ -101,7 +101,7 @@ int tipc_msg_build(struct tipc_msg *hdr,
75189                                               msg_sect[cnt].iov_len);
75190                 else
75191                         skb_copy_to_linear_data_offset(*buf, pos,
75192 -                                                      msg_sect[cnt].iov_base,
75193 +                                                      (const void __force_kernel *)msg_sect[cnt].iov_base,
75194                                                        msg_sect[cnt].iov_len);
75195                 pos += msg_sect[cnt].iov_len;
75196         }
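Review bot: The `__force_kernel` cast on `msg_sect[cnt].iov_base` assumes this `else` branch is reached only for kernel-resident iovecs, but the guarding condition is above the hunk and nothing at the cast records that assumption. Add `/* non-user sender: iov_base is a kernel pointer despite the __user tag on struct iovec */` (adjusted to the flag the `if` actually tests) so the cast is not mistaken for a blanket override. tipc_msg_build starts and ends outside the hunk.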
75197 diff -urNp linux-3.0.9/net/tipc/subscr.c linux-3.0.9/net/tipc/subscr.c
75198 --- linux-3.0.9/net/tipc/subscr.c       2011-11-11 13:12:24.000000000 -0500
75199 +++ linux-3.0.9/net/tipc/subscr.c       2011-11-15 20:03:00.000000000 -0500
75200 @@ -101,7 +101,7 @@ static void subscr_send_event(struct sub
75201  {
75202         struct iovec msg_sect;
75203  
75204 -       msg_sect.iov_base = (void *)&sub->evt;
75205 +       msg_sect.iov_base = (void __force_user *)&sub->evt;
75206         msg_sect.iov_len = sizeof(struct tipc_event);
75207  
75208         sub->evt.event = htohl(event, sub->swap);
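Review bot: Tagging a kernel address as `__force_user` in `msg_sect.iov_base = (void __force_user *)&sub->evt;` inverts the usual meaning of the annotation, and a reader who later routes this iovec through a path that honours `__user` (a copy_from_user) gets no warning from the checker. A comment on the line should say that the pointer is kernel memory and that the consumer is expected to take its kernel-copy branch, e.g. `/* &sub->evt is kernel memory; iov_base is declared __user, the sender must use its non-user path */`. subscr_send_event continues outside the hunk.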
75209 diff -urNp linux-3.0.9/net/unix/af_unix.c linux-3.0.9/net/unix/af_unix.c
75210 --- linux-3.0.9/net/unix/af_unix.c      2011-11-11 13:12:24.000000000 -0500
75211 +++ linux-3.0.9/net/unix/af_unix.c      2011-11-15 20:03:00.000000000 -0500
75212 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
75213                 err = -ECONNREFUSED;
75214                 if (!S_ISSOCK(inode->i_mode))
75215                         goto put_fail;
75216 +
75217 +               if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
75218 +                       err = -EACCES;
75219 +                       goto put_fail;
75220 +               }
75221 +
75222                 u = unix_find_socket_byinode(inode);
75223                 if (!u)
75224                         goto put_fail;
75225 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
75226                 if (u) {
75227                         struct dentry *dentry;
75228                         dentry = unix_sk(u)->dentry;
75229 +
75230 +                       if (!gr_handle_chroot_unix(pid_vnr(u->sk_peer_pid))) {
75231 +                               err = -EPERM;
75232 +                               sock_put(u);
75233 +                               goto fail;
75234 +                       }
75235 +
75236                         if (dentry)
75237                                 touch_atime(unix_sk(u)->mnt, dentry);
75238                 } else
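Review bot: `pid_vnr(u->sk_peer_pid)` is evaluated for every socket found by name, but `sk_peer_pid` appears to be populated only on the listen/connect paths and not by a plain bind, so a bound-but-not-listening datagram socket presumably yields `pid_vnr(NULL) == 0` and `gr_handle_chroot_unix(0)` decides the case. If the helper treats pid 0 as "no owner" that is fine, but it should be stated where the value is computed: `/* sk_peer_pid may be NULL (bound, not listening); pid_vnr then returns 0 */`. The `-EPERM` here also differs from the `-EACCES` used for the filesystem-path denial added earlier in unix_find_other, so callers see two different errors for the same policy; pick one. unix_find_other continues outside the hunk.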
75239 @@ -872,11 +885,18 @@ static int unix_bind(struct socket *sock
75240                 err = security_path_mknod(&nd.path, dentry, mode, 0);
75241                 if (err)
75242                         goto out_mknod_drop_write;
75243 +               if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
75244 +                       err = -EACCES;
75245 +                       goto out_mknod_drop_write;
75246 +               }
75247                 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
75248  out_mknod_drop_write:
75249                 mnt_drop_write(nd.path.mnt);
75250                 if (err)
75251                         goto out_mknod_dput;
75252 +
75253 +               gr_handle_create(dentry, nd.path.mnt);
75254 +
75255                 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
75256                 dput(nd.path.dentry);
75257                 nd.path.dentry = dentry;
75258 diff -urNp linux-3.0.9/net/wireless/core.h linux-3.0.9/net/wireless/core.h
75259 --- linux-3.0.9/net/wireless/core.h     2011-11-11 13:12:24.000000000 -0500
75260 +++ linux-3.0.9/net/wireless/core.h     2011-11-15 20:03:00.000000000 -0500
75261 @@ -27,7 +27,7 @@ struct cfg80211_registered_device {
75262         struct mutex mtx;
75263  
75264         /* rfkill support */
75265 -       struct rfkill_ops rfkill_ops;
75266 +       rfkill_ops_no_const rfkill_ops;
75267         struct rfkill *rfkill;
75268         struct work_struct rfkill_sync;
75269  
75270 diff -urNp linux-3.0.9/net/wireless/wext-core.c linux-3.0.9/net/wireless/wext-core.c
75271 --- linux-3.0.9/net/wireless/wext-core.c        2011-11-11 13:12:24.000000000 -0500
75272 +++ linux-3.0.9/net/wireless/wext-core.c        2011-11-15 20:03:00.000000000 -0500
75273 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
75274                  */
75275  
75276                 /* Support for very large requests */
75277 -               if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
75278 -                   (user_length > descr->max_tokens)) {
75279 +               if (user_length > descr->max_tokens) {
75280                         /* Allow userspace to GET more than max so
75281                          * we can support any size GET requests.
75282                          * There is still a limit : -ENOMEM.
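Review bot: Dropping the `IW_DESCR_FLAG_NOMAX` test makes the over-size allocation path apply to every GET, and together with the later removal of the `iwp->length = descr->max_tokens` clamp this appears to leave the flag with no consumer in this function; if no other code reads it, the descriptor tables that still set it are dead and the flag's definition should say so or be retired. The comment above the condition ("Allow userspace to GET more than max") still reads like a special case; reword it to state the new rule, e.g. `/* GET: size the buffer to the caller's count whenever it exceeds max_tokens, so any user length works (bounded by the __u16 length and -ENOMEM) */`. The multiplication that actually sizes the buffer is below the hunk, so its overflow reasoning cannot be checked here. ioctl_standard_iw_point starts and ends outside the hunk.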
75283 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
75284                 }
75285         }
75286  
75287 -       if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
75288 -               /*
75289 -                * If this is a GET, but not NOMAX, it means that the extra
75290 -                * data is not bounded by userspace, but by max_tokens. Thus
75291 -                * set the length to max_tokens. This matches the extra data
75292 -                * allocation.
75293 -                * The driver should fill it with the number of tokens it
75294 -                * provided, and it may check iwp->length rather than having
75295 -                * knowledge of max_tokens. If the driver doesn't change the
75296 -                * iwp->length, this ioctl just copies back max_token tokens
75297 -                * filled with zeroes. Hopefully the driver isn't claiming
75298 -                * them to be valid data.
75299 -                */
75300 -               iwp->length = descr->max_tokens;
75301 -       }
75302 -
75303         err = handler(dev, info, (union iwreq_data *) iwp, extra);
75304  
75305         iwp->length += essid_compat;
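Review bot: With the clamp gone, a GET handler now sees `iwp->length` as the caller's raw token count rather than `max_tokens`, and nothing in the function records the new contract; the deleted comment was the only place that told driver authors what `iwp->length` meant on entry. Memory-wise this looks safe, because the earlier branch sizes `extra` to the larger of the user count and `max_tokens`, so the change alters only what the handler reads, not how much it may write. Replace the removed block with a short comment before the `handler(...)` call, e.g. `/* GET: iwp->length is the caller's buffer size in tokens; extra holds max(iwp->length, max_tokens) tokens and the handler must set iwp->length to what it filled */`. ioctl_standard_iw_point starts and ends outside the hunk.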
75306 diff -urNp linux-3.0.9/net/xfrm/xfrm_policy.c linux-3.0.9/net/xfrm/xfrm_policy.c
75307 --- linux-3.0.9/net/xfrm/xfrm_policy.c  2011-11-11 13:12:24.000000000 -0500
75308 +++ linux-3.0.9/net/xfrm/xfrm_policy.c  2011-11-15 20:03:00.000000000 -0500
75309 @@ -299,7 +299,7 @@ static void xfrm_policy_kill(struct xfrm
75310  {
75311         policy->walk.dead = 1;
75312  
75313 -       atomic_inc(&policy->genid);
75314 +       atomic_inc_unchecked(&policy->genid);
75315  
75316         if (del_timer(&policy->timer))
75317                 xfrm_pol_put(policy);
75318 @@ -583,7 +583,7 @@ int xfrm_policy_insert(int dir, struct x
75319                 hlist_add_head(&policy->bydst, chain);
75320         xfrm_pol_hold(policy);
75321         net->xfrm.policy_count[dir]++;
75322 -       atomic_inc(&flow_cache_genid);
75323 +       atomic_inc_unchecked(&flow_cache_genid);
75324         if (delpol)
75325                 __xfrm_policy_unlink(delpol, dir);
75326         policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
75327 @@ -1528,7 +1528,7 @@ free_dst:
75328         goto out;
75329  }
75330  
75331 -static int inline
75332 +static inline int
75333  xfrm_dst_alloc_copy(void **target, const void *src, int size)
75334  {
75335         if (!*target) {
75336 @@ -1540,7 +1540,7 @@ xfrm_dst_alloc_copy(void **target, const
75337         return 0;
75338  }
75339  
75340 -static int inline
75341 +static inline int
75342  xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
75343  {
75344  #ifdef CONFIG_XFRM_SUB_POLICY
75345 @@ -1552,7 +1552,7 @@ xfrm_dst_update_parent(struct dst_entry 
75346  #endif
75347  }
75348  
75349 -static int inline
75350 +static inline int
75351  xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
75352  {
75353  #ifdef CONFIG_XFRM_SUB_POLICY
75354 @@ -1646,7 +1646,7 @@ xfrm_resolve_and_create_bundle(struct xf
75355  
75356         xdst->num_pols = num_pols;
75357         memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
75358 -       xdst->policy_genid = atomic_read(&pols[0]->genid);
75359 +       xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
75360  
75361         return xdst;
75362  }
75363 @@ -2333,7 +2333,7 @@ static int xfrm_bundle_ok(struct xfrm_ds
75364                 if (xdst->xfrm_genid != dst->xfrm->genid)
75365                         return 0;
75366                 if (xdst->num_pols > 0 &&
75367 -                   xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
75368 +                   xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
75369                         return 0;
75370  
75371                 mtu = dst_mtu(dst->child);
75372 @@ -2861,7 +2861,7 @@ static int xfrm_policy_migrate(struct xf
75373                                sizeof(pol->xfrm_vec[i].saddr));
75374                         pol->xfrm_vec[i].encap_family = mp->new_family;
75375                         /* flush bundles */
75376 -                       atomic_inc(&pol->genid);
75377 +                       atomic_inc_unchecked(&pol->genid);
75378                 }
75379         }
75380  
75381 diff -urNp linux-3.0.9/net/xfrm/xfrm_user.c linux-3.0.9/net/xfrm/xfrm_user.c
75382 --- linux-3.0.9/net/xfrm/xfrm_user.c    2011-11-11 13:12:24.000000000 -0500
75383 +++ linux-3.0.9/net/xfrm/xfrm_user.c    2011-11-15 20:03:00.000000000 -0500
75384 @@ -1394,6 +1394,8 @@ static int copy_to_user_tmpl(struct xfrm
75385         struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
75386         int i;
75387  
75388 +       pax_track_stack();
75389 +
75390         if (xp->xfrm_nr == 0)
75391                 return 0;
75392  
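Review bot: `pax_track_stack()` is inserted without saying which stack object justifies it; the `struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]` array two lines above is the obvious candidate, and tying the marker to it keeps the two in sync if the array is ever moved off the stack. Suggest `pax_track_stack(); /* vec[XFRM_MAX_DEPTH] makes this frame large enough to need manual stack tracking */`. copy_to_user_tmpl continues past the hunk.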
75393 @@ -2062,6 +2064,8 @@ static int xfrm_do_migrate(struct sk_buf
75394         int err;
75395         int n = 0;
75396  
75397 +       pax_track_stack();
75398 +
75399         if (attrs[XFRMA_MIGRATE] == NULL)
75400                 return -EINVAL;
75401  
75402 diff -urNp linux-3.0.9/scripts/basic/fixdep.c linux-3.0.9/scripts/basic/fixdep.c
75403 --- linux-3.0.9/scripts/basic/fixdep.c  2011-11-11 13:12:24.000000000 -0500
75404 +++ linux-3.0.9/scripts/basic/fixdep.c  2011-11-15 20:03:00.000000000 -0500
75405 @@ -161,7 +161,7 @@ static unsigned int strhash(const char *
75406  /*
75407   * Lookup a value in the configuration string.
75408   */
75409 -static int is_defined_config(const char *name, int len, unsigned int hash)
75410 +static int is_defined_config(const char *name, unsigned int len, unsigned int hash)
75411  {
75412         struct item *aux;
75413  
75414 @@ -211,10 +211,10 @@ static void clear_config(void)
75415  /*
75416   * Record the use of a CONFIG_* word.
75417   */
75418 -static void use_config(const char *m, int slen)
75419 +static void use_config(const char *m, unsigned int slen)
75420  {
75421         unsigned int hash = strhash(m, slen);
75422 -       int c, i;
75423 +       unsigned int c, i;
75424  
75425         if (is_defined_config(m, slen, hash))
75426             return;
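Review bot: Making `c` an `unsigned int` is questionable if, as I believe the loop below the hunk does, it receives single bytes via `c = m[i]` and is then passed to `tolower()`: a byte with the high bit set converts from a negative `char` to a value near 4 billion, outside `tolower`'s domain (before the change the same byte was a negative `int`, equally undefined). The idiomatic type for that variable is `unsigned char`, or keep `int` and cast at the call: `c = tolower((unsigned char)m[i]);`. `slen` and the index `i` as `unsigned int` are fine. The loop is outside the hunk, so this is based on the upstream body of use_config.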
75427 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
75428  
75429  static void parse_config_file(const char *map, size_t len)
75430  {
75431 -       const int *end = (const int *) (map + len);
75432 +       const unsigned int *end = (const unsigned int *) (map + len);
75433         /* start at +1, so that p can never be < map */
75434 -       const int *m   = (const int *) map + 1;
75435 +       const unsigned int *m   = (const unsigned int *) map + 1;
75436         const char *p, *q;
75437  
75438         for (; m < end; m++) {
75439 @@ -405,7 +405,7 @@ static void print_deps(void)
75440  static void traps(void)
75441  {
75442         static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
75443 -       int *p = (int *)test;
75444 +       unsigned int *p = (unsigned int *)test;
75445  
75446         if (*p != INT_CONF) {
75447                 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
75448 diff -urNp linux-3.0.9/scripts/gcc-plugin.sh linux-3.0.9/scripts/gcc-plugin.sh
75449 --- linux-3.0.9/scripts/gcc-plugin.sh   1969-12-31 19:00:00.000000000 -0500
75450 +++ linux-3.0.9/scripts/gcc-plugin.sh   2011-11-15 20:03:00.000000000 -0500
75451 @@ -0,0 +1,2 @@
75452 +#!/bin/sh
75453 +echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
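Review bot: `echo "...\n..."` is not portable under `#!/bin/sh`: dash's builtin echo expands `\n`, while bash's does not, so on a bash-as-sh system the compiler receives a single line containing a literal `\n` and the probe silently reports no plugin support. Use printf, which behaves the same everywhere: `printf '#include "gcc-plugin.h"\n#include "rtl.h"\n' | "$1" -x c -shared - -o /dev/null -I"$("$2" -print-file-name=plugin)/include" >/dev/null 2>&1 && echo "y"`. Quoting `$1`, `$2` and the substitution also keeps a compiler path containing spaces from being word-split, and `$(...)` reads more easily than backticks.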
75454 diff -urNp linux-3.0.9/scripts/Makefile.build linux-3.0.9/scripts/Makefile.build
75455 --- linux-3.0.9/scripts/Makefile.build  2011-11-11 13:12:24.000000000 -0500
75456 +++ linux-3.0.9/scripts/Makefile.build  2011-11-15 20:03:00.000000000 -0500
75457 @@ -109,7 +109,7 @@ endif
75458  endif
75459  
75460  # Do not include host rules unless needed
75461 -ifneq ($(hostprogs-y)$(hostprogs-m),)
75462 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
75463  include scripts/Makefile.host
75464  endif
75465  
75466 diff -urNp linux-3.0.9/scripts/Makefile.clean linux-3.0.9/scripts/Makefile.clean
75467 --- linux-3.0.9/scripts/Makefile.clean  2011-11-11 13:12:24.000000000 -0500
75468 +++ linux-3.0.9/scripts/Makefile.clean  2011-11-15 20:03:00.000000000 -0500
75469 @@ -43,7 +43,8 @@ subdir-ymn    := $(addprefix $(obj)/,$(subd
75470  __clean-files  := $(extra-y) $(always)                  \
75471                    $(targets) $(clean-files)             \
75472                    $(host-progs)                         \
75473 -                  $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
75474 +                  $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
75475 +                  $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
75476  
75477  __clean-files   := $(filter-out $(no-clean-files), $(__clean-files))
75478  
75479 diff -urNp linux-3.0.9/scripts/Makefile.host linux-3.0.9/scripts/Makefile.host
75480 --- linux-3.0.9/scripts/Makefile.host   2011-11-11 13:12:24.000000000 -0500
75481 +++ linux-3.0.9/scripts/Makefile.host   2011-11-15 20:03:00.000000000 -0500
75482 @@ -31,6 +31,7 @@
75483  # Note: Shared libraries consisting of C++ files are not supported
75484  
75485  __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
75486 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
75487  
75488  # C code
75489  # Executables compiled from a single .c file
75490 @@ -54,6 +55,7 @@ host-cxxobjs  := $(sort $(foreach m,$(hos
75491  # Shared libaries (only .c supported)
75492  # Shared libraries (.so) - all .so files referenced in "xxx-objs"
75493  host-cshlib    := $(sort $(filter %.so, $(host-cobjs)))
75494 +host-cshlib    += $(sort $(filter %.so, $(__hostlibs)))
75495  # Remove .so files from "xxx-objs"
75496  host-cobjs     := $(filter-out %.so,$(host-cobjs))
75497  
75498 diff -urNp linux-3.0.9/scripts/mod/file2alias.c linux-3.0.9/scripts/mod/file2alias.c
75499 --- linux-3.0.9/scripts/mod/file2alias.c        2011-11-11 13:12:24.000000000 -0500
75500 +++ linux-3.0.9/scripts/mod/file2alias.c        2011-11-15 20:03:00.000000000 -0500
75501 @@ -72,7 +72,7 @@ static void device_id_check(const char *
75502                             unsigned long size, unsigned long id_size,
75503                             void *symval)
75504  {
75505 -       int i;
75506 +       unsigned int i;
75507  
75508         if (size % id_size || size < id_size) {
75509                 if (cross_build != 0)
75510 @@ -102,7 +102,7 @@ static void device_id_check(const char *
75511  /* USB is special because the bcdDevice can be matched against a numeric range */
75512  /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
75513  static void do_usb_entry(struct usb_device_id *id,
75514 -                        unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
75515 +                        unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
75516                          unsigned char range_lo, unsigned char range_hi,
75517                          unsigned char max, struct module *mod)
75518  {
75519 @@ -203,7 +203,7 @@ static void do_usb_entry_multi(struct us
75520  {
75521         unsigned int devlo, devhi;
75522         unsigned char chi, clo, max;
75523 -       int ndigits;
75524 +       unsigned int ndigits;
75525  
75526         id->match_flags = TO_NATIVE(id->match_flags);
75527         id->idVendor = TO_NATIVE(id->idVendor);
75528 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
75529         for (i = 0; i < count; i++) {
75530                 const char *id = (char *)devs[i].id;
75531                 char acpi_id[sizeof(devs[0].id)];
75532 -               int j;
75533 +               unsigned int j;
75534  
75535                 buf_printf(&mod->dev_table_buf,
75536                            "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
75537 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
75538  
75539                 for (j = 0; j < PNP_MAX_DEVICES; j++) {
75540                         const char *id = (char *)card->devs[j].id;
75541 -                       int i2, j2;
75542 +                       unsigned int i2, j2;
75543                         int dup = 0;
75544  
75545                         if (!id[0])
75546 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
75547                         /* add an individual alias for every device entry */
75548                         if (!dup) {
75549                                 char acpi_id[sizeof(card->devs[0].id)];
75550 -                               int k;
75551 +                               unsigned int k;
75552  
75553                                 buf_printf(&mod->dev_table_buf,
75554                                            "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
75555 @@ -786,7 +786,7 @@ static void dmi_ascii_filter(char *d, co
75556  static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
75557                         char *alias)
75558  {
75559 -       int i, j;
75560 +       unsigned int i, j;
75561  
75562         sprintf(alias, "dmi*");
75563  
75564 diff -urNp linux-3.0.9/scripts/mod/modpost.c linux-3.0.9/scripts/mod/modpost.c
75565 --- linux-3.0.9/scripts/mod/modpost.c   2011-11-11 13:12:24.000000000 -0500
75566 +++ linux-3.0.9/scripts/mod/modpost.c   2011-11-15 20:03:00.000000000 -0500
75567 @@ -892,6 +892,7 @@ enum mismatch {
75568         ANY_INIT_TO_ANY_EXIT,
75569         ANY_EXIT_TO_ANY_INIT,
75570         EXPORT_TO_INIT_EXIT,
75571 +       DATA_TO_TEXT
75572  };
75573  
75574  struct sectioncheck {
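Review bot: `DATA_TO_TEXT` is added without the trailing comma that the preceding enumerators carry, so the next enumerator appended will have to modify this line as well; write `DATA_TO_TEXT,` to match `EXPORT_TO_INIT_EXIT,` above it. The enum's opening line is above the hunk.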
75575 @@ -1000,6 +1001,12 @@ const struct sectioncheck sectioncheck[]
75576         .tosec   = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
75577         .mismatch = EXPORT_TO_INIT_EXIT,
75578         .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
75579 +},
75580 +/* Do not reference code from writable data */
75581 +{
75582 +       .fromsec = { DATA_SECTIONS, NULL },
75583 +       .tosec   = { TEXT_SECTIONS, NULL },
75584 +       .mismatch = DATA_TO_TEXT
75585  }
75586  };
75587  
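Review bot: The new `DATA_TO_TEXT` entry is the only one in the table without a `.symbol_white_list`, so the field is zero-initialised and nothing is exempted; a reference from any writable data section to any text section will then be reported, which for ops structures holding function pointers is the normal case in a kernel, so the volume of reports could be large unless the DATA_TO_TEXT case is filtered elsewhere. If the empty list is intentional, say so with `.symbol_white_list = { NULL }, /* no exemptions: every data->text reference is a candidate for const */` so it does not read as an omission. The trailing comma after `.mismatch = DATA_TO_TEXT` is also missing, unlike the `.symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },` line of the sibling entry, so the next field added will have to touch this line again.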
75588 @@ -1122,10 +1129,10 @@ static Elf_Sym *find_elf_symbol(struct e
75589                         continue;
75590                 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
75591                         continue;
75592 -               if (sym->st_value == addr)
75593 -                       return sym;
75594                 /* Find a symbol nearby - addr are maybe negative */
75595                 d = sym->st_value - addr;
75596 +               if (d == 0)
75597 +                       return sym;
75598                 if (d < 0)
75599                         d = addr - sym->st_value;
75600                 if (d < distance) {
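Review bot: Moving the exact-match test from `sym->st_value == addr` to `d == 0` is not a pure reorder if `d` is the 32-bit `Elf64_Sword` that upstream declares: the subtraction truncates, so two addresses that differ by a multiple of 2^32 now count as an exact hit, whereas the old comparison sign-extended `addr` to the full width of `st_value`. That is presumably the intent (it makes the exact test agree with the modular "nearby" distance that follows and copes with negative `addr`), but a reader will take it for an equivalent rewrite; add `/* compare modulo 32 bits, like the distance below: addr may be negative */` above `if (d == 0)`. find_elf_symbol starts and ends outside the hunk.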
75601 @@ -1404,6 +1411,14 @@ static void report_sec_mismatch(const ch
75602                 tosym, prl_to, prl_to, tosym);
75603                 free(prl_to);
75604                 break;
75605 +       case DATA_TO_TEXT:
75606 +/*
75607 +               fprintf(stderr,
75608 +               "The variable %s references\n"
75609 +               "the %s %s%s%s\n",
75610 +               fromsym, to, sec2annotation(tosec), tosym, to_p);
75611 +*/
75612 +               break;
75613         }
75614         fprintf(stderr, "\n");
75615  }
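Review bot: The `case DATA_TO_TEXT:` body is a commented-out `fprintf`, which leaves it unclear whether the explanatory text was dropped on purpose or never finished; commented-out code should not land in the tree. Either enable it, or replace the block with a comment recording the decision, e.g. `case DATA_TO_TEXT: /* the generic warning line already names both symbols; no extra explanation */ break;` — assuming the common warning line is printed before the switch, which is outside this hunk. report_sec_mismatch starts outside the hunk.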
75616 @@ -1629,7 +1644,7 @@ static void section_rel(const char *modn
75617  static void check_sec_ref(struct module *mod, const char *modname,
75618                            struct elf_info *elf)
75619  {
75620 -       int i;
75621 +       unsigned int i;
75622         Elf_Shdr *sechdrs = elf->sechdrs;
75623  
75624         /* Walk through all sections */
75625 @@ -1727,7 +1742,7 @@ void __attribute__((format(printf, 2, 3)
75626         va_end(ap);
75627  }
75628  
75629 -void buf_write(struct buffer *buf, const char *s, int len)
75630 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
75631  {
75632         if (buf->size - buf->pos < len) {
75633                 buf->size += len + SZ;
75634 @@ -1939,7 +1954,7 @@ static void write_if_changed(struct buff
75635         if (fstat(fileno(file), &st) < 0)
75636                 goto close_write;
75637  
75638 -       if (st.st_size != b->pos)
75639 +       if (st.st_size != (off_t)b->pos)
75640                 goto close_write;
75641  
75642         tmp = NOFAIL(malloc(b->pos));
75643 diff -urNp linux-3.0.9/scripts/mod/modpost.h linux-3.0.9/scripts/mod/modpost.h
75644 --- linux-3.0.9/scripts/mod/modpost.h   2011-11-11 13:12:24.000000000 -0500
75645 +++ linux-3.0.9/scripts/mod/modpost.h   2011-11-15 20:03:00.000000000 -0500
75646 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
75647  
75648  struct buffer {
75649         char *p;
75650 -       int pos;
75651 -       int size;
75652 +       unsigned int pos;
75653 +       unsigned int size;
75654  };
75655  
75656  void __attribute__((format(printf, 2, 3)))
75657  buf_printf(struct buffer *buf, const char *fmt, ...);
75658  
75659  void
75660 -buf_write(struct buffer *buf, const char *s, int len);
75661 +buf_write(struct buffer *buf, const char *s, unsigned int len);
75662  
75663  struct module {
75664         struct module *next;
75665 diff -urNp linux-3.0.9/scripts/mod/sumversion.c linux-3.0.9/scripts/mod/sumversion.c
75666 --- linux-3.0.9/scripts/mod/sumversion.c        2011-11-11 13:12:24.000000000 -0500
75667 +++ linux-3.0.9/scripts/mod/sumversion.c        2011-11-15 20:03:00.000000000 -0500
75668 @@ -470,7 +470,7 @@ static void write_version(const char *fi
75669                 goto out;
75670         }
75671  
75672 -       if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
75673 +       if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
75674                 warn("writing sum in %s failed: %s\n",
75675                         filename, strerror(errno));
75676                 goto out;
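Review bot: `(ssize_t)strlen(sum)+1` relies on the cast binding tighter than `+`, which reads as though the `+1` might be outside it, and `strlen(sum)` is now evaluated twice on one line. Hoisting the length makes both explicit: `size_t len = strlen(sum) + 1;` followed by `if (write(fd, sum, len) != (ssize_t)len) {`. As far as I can see this is not a functional change (the original promoted write()'s `-1` to `size_t`, which still mismatched), so it is worth stating in the commit message that the cast only silences the sign-compare warning.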
75677 diff -urNp linux-3.0.9/scripts/pnmtologo.c linux-3.0.9/scripts/pnmtologo.c
75678 --- linux-3.0.9/scripts/pnmtologo.c     2011-11-11 13:12:24.000000000 -0500
75679 +++ linux-3.0.9/scripts/pnmtologo.c     2011-11-15 20:03:00.000000000 -0500
75680 @@ -237,14 +237,14 @@ static void write_header(void)
75681      fprintf(out, " *  Linux logo %s\n", logoname);
75682      fputs(" */\n\n", out);
75683      fputs("#include <linux/linux_logo.h>\n\n", out);
75684 -    fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
75685 +    fprintf(out, "static unsigned char %s_data[] = {\n",
75686             logoname);
75687  }
75688  
75689  static void write_footer(void)
75690  {
75691      fputs("\n};\n\n", out);
75692 -    fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
75693 +    fprintf(out, "const struct linux_logo %s = {\n", logoname);
75694      fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
75695      fprintf(out, "\t.width\t\t= %d,\n", logo_width);
75696      fprintf(out, "\t.height\t\t= %d,\n", logo_height);
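Review bot: Dropping `__initdata`/`__initconst` from the generated logo arrays keeps them resident for the life of the kernel instead of being discarded with init memory, and nothing in the hunk records why. Presumably this is needed because grsecurity's treatment of init sections or read-only data conflicts with the logo being referenced after init — confirm, and add a comment in write_header() next to the emitted declaration, e.g. `/* intentionally not __initdata: the logo must stay resident under grsecurity */`. The same applies to the `_clut` array in the later hunk.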
75697 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
75698      fputs("\n};\n\n", out);
75699  
75700      /* write logo clut */
75701 -    fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
75702 +    fprintf(out, "static unsigned char %s_clut[] = {\n",
75703             logoname);
75704      write_hex_cnt = 0;
75705      for (i = 0; i < logo_clutsize; i++) {
75706 diff -urNp linux-3.0.9/security/apparmor/lsm.c linux-3.0.9/security/apparmor/lsm.c
75707 --- linux-3.0.9/security/apparmor/lsm.c 2011-11-11 13:12:24.000000000 -0500
75708 +++ linux-3.0.9/security/apparmor/lsm.c 2011-11-15 20:03:00.000000000 -0500
75709 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
75710         return error;
75711  }
75712  
75713 -static struct security_operations apparmor_ops = {
75714 +static struct security_operations apparmor_ops __read_only = {
75715         .name =                         "apparmor",
75716  
75717         .ptrace_access_check =          apparmor_ptrace_access_check,
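Review bot: With `apparmor_ops` placed in `__read_only`, any later write to the table must be wrapped in PaX's open/close-kernel pair or it will fault; in this kernel series `register_security()` calls `security_fixup_ops()` in security/capability.c, which, as far as I recall, fills every NULL hook with its cap_* default and so writes into this table. I cannot see that hunk here — confirm it is patched accordingly. A short comment above the table would record the invariant, e.g. `/* __read_only: written only once by security_fixup_ops() under pax_open_kernel() */`.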
75718 diff -urNp linux-3.0.9/security/commoncap.c linux-3.0.9/security/commoncap.c
75719 --- linux-3.0.9/security/commoncap.c    2011-11-11 13:12:24.000000000 -0500
75720 +++ linux-3.0.9/security/commoncap.c    2011-11-15 20:03:00.000000000 -0500
75721 @@ -28,6 +28,7 @@
75722  #include <linux/securebits.h>
75723  #include <linux/user_namespace.h>
75724  #include <linux/personality.h>
75725 +#include <net/sock.h>
75726  
75727  /*
75728   * If a non-root user executes a setuid-root binary in
75729 @@ -58,7 +59,7 @@ int cap_netlink_send(struct sock *sk, st
75730  
75731  int cap_netlink_recv(struct sk_buff *skb, int cap)
75732  {
75733 -       if (!cap_raised(current_cap(), cap))
75734 +       if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
75735                 return -EPERM;
75736         return 0;
75737  }
75738 @@ -575,6 +576,9 @@ int cap_bprm_secureexec(struct linux_bin
75739  {
75740         const struct cred *cred = current_cred();
75741  
75742 +       if (gr_acl_enable_at_secure())
75743 +               return 1;
75744 +
75745         if (cred->uid != 0) {
75746                 if (bprm->cap_effective)
75747                         return 1;
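Review bot: The early `return 1` has no comment explaining its effect: a non-zero return from cap_bprm_secureexec sets AT_SECURE for the new image, which makes the dynamic loader drop LD_PRELOAD-style environment, so under RBAC this presumably applies to every exec regardless of the uid/capability transition checks that follow (gr_acl_enable_at_secure() is not visible here — confirm). Suggested comment above the new lines: `/* RBAC may force AT_SECURE for every exec, independent of uid/cap transitions */`. cap_bprm_secureexec's body continues outside the hunk.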
75748 diff -urNp linux-3.0.9/security/integrity/ima/ima_api.c linux-3.0.9/security/integrity/ima/ima_api.c
75749 --- linux-3.0.9/security/integrity/ima/ima_api.c        2011-11-11 13:12:24.000000000 -0500
75750 +++ linux-3.0.9/security/integrity/ima/ima_api.c        2011-11-15 20:03:00.000000000 -0500
75751 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
75752         int result;
75753  
75754         /* can overflow, only indicator */
75755 -       atomic_long_inc(&ima_htable.violations);
75756 +       atomic_long_inc_unchecked(&ima_htable.violations);
75757  
75758         entry = kmalloc(sizeof(*entry), GFP_KERNEL);
75759         if (!entry) {
75760 diff -urNp linux-3.0.9/security/integrity/ima/ima_fs.c linux-3.0.9/security/integrity/ima/ima_fs.c
75761 --- linux-3.0.9/security/integrity/ima/ima_fs.c 2011-11-11 13:12:24.000000000 -0500
75762 +++ linux-3.0.9/security/integrity/ima/ima_fs.c 2011-11-15 20:03:00.000000000 -0500
75763 @@ -28,12 +28,12 @@
75764  static int valid_policy = 1;
75765  #define TMPBUFLEN 12
75766  static ssize_t ima_show_htable_value(char __user *buf, size_t count,
75767 -                                    loff_t *ppos, atomic_long_t *val)
75768 +                                    loff_t *ppos, atomic_long_unchecked_t *val)
75769  {
75770         char tmpbuf[TMPBUFLEN];
75771         ssize_t len;
75772  
75773 -       len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
75774 +       len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
75775         return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
75776  }
75777  
75778 diff -urNp linux-3.0.9/security/integrity/ima/ima.h linux-3.0.9/security/integrity/ima/ima.h
75779 --- linux-3.0.9/security/integrity/ima/ima.h    2011-11-11 13:12:24.000000000 -0500
75780 +++ linux-3.0.9/security/integrity/ima/ima.h    2011-11-15 20:03:00.000000000 -0500
75781 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
75782  extern spinlock_t ima_queue_lock;
75783  
75784  struct ima_h_table {
75785 -       atomic_long_t len;      /* number of stored measurements in the list */
75786 -       atomic_long_t violations;
75787 +       atomic_long_unchecked_t len;    /* number of stored measurements in the list */
75788 +       atomic_long_unchecked_t violations;
75789         struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
75790  };
75791  extern struct ima_h_table ima_htable;
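Review bot: `len` is switched to `atomic_long_unchecked_t` without justification, whereas `violations` carries the "can overflow, only indicator" comment in ima_api.c; the unchecked type opts the counter out of PaX's overflow detection, so the reason belongs where the field is declared. Suggested: `atomic_long_unchecked_t len;    /* number of stored measurements; statistics only, wraparound is harmless */` — this assumes `len` is only ever read for display and never used as a bound, which I cannot verify from this hunk.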
75792 diff -urNp linux-3.0.9/security/integrity/ima/ima_queue.c linux-3.0.9/security/integrity/ima/ima_queue.c
75793 --- linux-3.0.9/security/integrity/ima/ima_queue.c      2011-11-11 13:12:24.000000000 -0500
75794 +++ linux-3.0.9/security/integrity/ima/ima_queue.c      2011-11-15 20:03:00.000000000 -0500
75795 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
75796         INIT_LIST_HEAD(&qe->later);
75797         list_add_tail_rcu(&qe->later, &ima_measurements);
75798  
75799 -       atomic_long_inc(&ima_htable.len);
75800 +       atomic_long_inc_unchecked(&ima_htable.len);
75801         key = ima_hash_key(entry->digest);
75802         hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
75803         return 0;
75804 diff -urNp linux-3.0.9/security/Kconfig linux-3.0.9/security/Kconfig
75805 --- linux-3.0.9/security/Kconfig        2011-11-11 13:12:24.000000000 -0500
75806 +++ linux-3.0.9/security/Kconfig        2011-11-15 20:03:00.000000000 -0500
75807 @@ -4,6 +4,558 @@
75808  
75809  menu "Security options"
75810  
75811 +source grsecurity/Kconfig
75812 +
75813 +menu "PaX"
75814 +
75815 +       config ARCH_TRACK_EXEC_LIMIT
75816 +       bool
75817 +
75818 +       config PAX_KERNEXEC_PLUGIN
75819 +       bool
75820 +
75821 +       config PAX_PER_CPU_PGD
75822 +       bool
75823 +
75824 +       config TASK_SIZE_MAX_SHIFT
75825 +       int
75826 +       depends on X86_64
75827 +       default 47 if !PAX_PER_CPU_PGD
75828 +       default 42 if PAX_PER_CPU_PGD
75829 +
75830 +       config PAX_ENABLE_PAE
75831 +       bool
75832 +       default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
75833 +       
75834 +config PAX
75835 +       bool "Enable various PaX features"
75836 +       depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
75837 +       help
75838 +         This allows you to enable various PaX features.  PaX adds
75839 +         intrusion prevention mechanisms to the kernel that reduce
75840 +         the risks posed by exploitable memory corruption bugs.
75841 +
75842 +menu "PaX Control"
75843 +       depends on PAX
75844 +
75845 +config PAX_SOFTMODE
75846 +       bool 'Support soft mode'
75847 +       select PAX_PT_PAX_FLAGS
75848 +       help
75849 +         Enabling this option will allow you to run PaX in soft mode, that
75850 +         is, PaX features will not be enforced by default, only on executables
75851 +         marked explicitly.  You must also enable PT_PAX_FLAGS support as it
75852 +         is the only way to mark executables for soft mode use.
75853 +
75854 +         Soft mode can be activated by using the "pax_softmode=1" kernel command
75855 +         line option on boot.  Furthermore you can control various PaX features
75856 +         at runtime via the entries in /proc/sys/kernel/pax.
75857 +
75858 +config PAX_EI_PAX
75859 +       bool 'Use legacy ELF header marking'
75860 +       help
75861 +         Enabling this option will allow you to control PaX features on
75862 +         a per executable basis via the 'chpax' utility available at
75863 +         http://pax.grsecurity.net/.  The control flags will be read from
75864 +         an otherwise reserved part of the ELF header.  This marking has
75865 +         numerous drawbacks (no support for soft-mode, toolchain does not
75866 +         know about the non-standard use of the ELF header) therefore it
75867 +         has been deprecated in favour of PT_PAX_FLAGS support.
75868 +
75869 +         Note that if you enable PT_PAX_FLAGS marking support as well,
75870 +         the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
75871 +
75872 +config PAX_PT_PAX_FLAGS
75873 +       bool 'Use ELF program header marking'
75874 +       help
75875 +         Enabling this option will allow you to control PaX features on
75876 +         a per executable basis via the 'paxctl' utility available at
75877 +         http://pax.grsecurity.net/.  The control flags will be read from
75878 +         a PaX specific ELF program header (PT_PAX_FLAGS).  This marking
75879 +         has the benefits of supporting both soft mode and being fully
75880 +         integrated into the toolchain (the binutils patch is available
75881 +         from http://pax.grsecurity.net).
75882 +
75883 +         If your toolchain does not support PT_PAX_FLAGS markings,
75884 +         you can create one in most cases with 'paxctl -C'.
75885 +
75886 +         Note that if you enable the legacy EI_PAX marking support as well,
75887 +         the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
75888 +
75889 +choice
75890 +       prompt 'MAC system integration'
75891 +       default PAX_HAVE_ACL_FLAGS
75892 +       help
75893 +         Mandatory Access Control systems have the option of controlling
75894 +         PaX flags on a per executable basis, choose the method supported
75895 +         by your particular system.
75896 +
75897 +         - "none": if your MAC system does not interact with PaX,
75898 +         - "direct": if your MAC system defines pax_set_initial_flags() itself,
75899 +         - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
75900 +
75901 +         NOTE: this option is for developers/integrators only.
75902 +
75903 +       config PAX_NO_ACL_FLAGS
75904 +               bool 'none'
75905 +
75906 +       config PAX_HAVE_ACL_FLAGS
75907 +               bool 'direct'
75908 +
75909 +       config PAX_HOOK_ACL_FLAGS
75910 +               bool 'hook'
75911 +endchoice
75912 +
75913 +endmenu
75914 +
75915 +menu "Non-executable pages"
75916 +       depends on PAX
75917 +
75918 +config PAX_NOEXEC
75919 +       bool "Enforce non-executable pages"
75920 +       depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
75921 +       help
75922 +         By design some architectures do not allow for protecting memory
75923 +         pages against execution or even if they do, Linux does not make
75924 +         use of this feature.  In practice this means that if a page is
75925 +         readable (such as the stack or heap) it is also executable.
75926 +
75927 +         There is a well known exploit technique that makes use of this
75928 +         fact and a common programming mistake where an attacker can
75929 +         introduce code of his choice somewhere in the attacked program's
75930 +         memory (typically the stack or the heap) and then execute it.
75931 +
75932 +         If the attacked program was running with different (typically
75933 +         higher) privileges than that of the attacker, then he can elevate
75934 +         his own privilege level (e.g. get a root shell, write to files for
75935 +         which he does not have write access to, etc).
75936 +
75937 +         Enabling this option will let you choose from various features
75938 +         that prevent the injection and execution of 'foreign' code in
75939 +         a program.
75940 +
75941 +         This will also break programs that rely on the old behaviour and
75942 +         expect that dynamically allocated memory via the malloc() family
75943 +         of functions is executable (which it is not).  Notable examples
75944 +         are the XFree86 4.x server, the java runtime and wine.
75945 +
75946 +config PAX_PAGEEXEC
75947 +       bool "Paging based non-executable pages"
75948 +       depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
75949 +       select S390_SWITCH_AMODE if S390
75950 +       select S390_EXEC_PROTECT if S390
75951 +       select ARCH_TRACK_EXEC_LIMIT if X86_32
75952 +       help
75953 +         This implementation is based on the paging feature of the CPU.
75954 +         On i386 without hardware non-executable bit support there is a
75955 +         variable but usually low performance impact, however on Intel's
75956 +         P4 core based CPUs it is very high so you should not enable this
75957 +         for kernels meant to be used on such CPUs.
75958 +
75959 +         On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
75960 +         with hardware non-executable bit support there is no performance
75961 +         impact, on ppc the impact is negligible.
75962 +
75963 +         Note that several architectures require various emulations due to
75964 +         badly designed userland ABIs, this will cause a performance impact
75965 +         but will disappear as soon as userland is fixed. For example, ppc
75966 +         userland MUST have been built with secure-plt by a recent toolchain.
75967 +
75968 +config PAX_SEGMEXEC
75969 +       bool "Segmentation based non-executable pages"
75970 +       depends on PAX_NOEXEC && X86_32
75971 +       help
75972 +         This implementation is based on the segmentation feature of the
75973 +         CPU and has a very small performance impact, however applications
75974 +         will be limited to a 1.5 GB address space instead of the normal
75975 +         3 GB.
75976 +
75977 +config PAX_EMUTRAMP
75978 +       bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
75979 +       default y if PARISC
75980 +       help
75981 +         There are some programs and libraries that for one reason or
75982 +         another attempt to execute special small code snippets from
75983 +         non-executable memory pages.  Most notable examples are the
75984 +         signal handler return code generated by the kernel itself and
75985 +         the GCC trampolines.
75986 +
75987 +         If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
75988 +         such programs will no longer work under your kernel.
75989 +
75990 +         As a remedy you can say Y here and use the 'chpax' or 'paxctl'
75991 +         utilities to enable trampoline emulation for the affected programs
75992 +         yet still have the protection provided by the non-executable pages.
75993 +
75994 +         On parisc you MUST enable this option and EMUSIGRT as well, otherwise
75995 +         your system will not even boot.
75996 +
75997 +         Alternatively you can say N here and use the 'chpax' or 'paxctl'
75998 +         utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
75999 +         for the affected files.
76000 +
76001 +         NOTE: enabling this feature *may* open up a loophole in the
76002 +         protection provided by non-executable pages that an attacker
76003 +         could abuse.  Therefore the best solution is to not have any
76004 +         files on your system that would require this option.  This can
76005 +         be achieved by not using libc5 (which relies on the kernel
76006 +         signal handler return code) and not using or rewriting programs
76007 +         that make use of the nested function implementation of GCC.
76008 +         Skilled users can just fix GCC itself so that it implements
76009 +         nested function calls in a way that does not interfere with PaX.
76010 +
76011 +config PAX_EMUSIGRT
76012 +       bool "Automatically emulate sigreturn trampolines"
76013 +       depends on PAX_EMUTRAMP && PARISC
76014 +       default y
76015 +       help
76016 +         Enabling this option will have the kernel automatically detect
76017 +         and emulate signal return trampolines executing on the stack
76018 +         that would otherwise lead to task termination.
76019 +
76020 +         This solution is intended as a temporary one for users with
76021 +         legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
76022 +         Modula-3 runtime, etc) or executables linked to such, basically
76023 +         everything that does not specify its own SA_RESTORER function in
76024 +         normal executable memory like glibc 2.1+ does.
76025 +
76026 +         On parisc you MUST enable this option, otherwise your system will
76027 +         not even boot.
76028 +
76029 +         NOTE: this feature cannot be disabled on a per executable basis
76030 +         and since it *does* open up a loophole in the protection provided
76031 +         by non-executable pages, the best solution is to not have any
76032 +         files on your system that would require this option.
76033 +
76034 +config PAX_MPROTECT
76035 +       bool "Restrict mprotect()"
76036 +       depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
76037 +       help
76038 +         Enabling this option will prevent programs from
76039 +          - changing the executable status of memory pages that were
76040 +            not originally created as executable,
76041 +          - making read-only executable pages writable again,
76042 +          - creating executable pages from anonymous memory,
76043 +          - making read-only-after-relocations (RELRO) data pages writable again.
76044 +
76045 +         You should say Y here to complete the protection provided by
76046 +         the enforcement of non-executable pages.
76047 +
76048 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control
76049 +         this feature on a per file basis.
76050 +
76051 +config PAX_MPROTECT_COMPAT
76052 +       bool "Use legacy/compat protection demoting (read help)"
76053 +       depends on PAX_MPROTECT
76054 +       default n
76055 +       help
76056 +         The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
76057 +         by sending the proper error code to the application.  For some broken 
76058 +         userland, this can cause problems with Python or other applications.  The
76059 +         current implementation however allows for applications like clamav to
76060 +         detect if JIT compilation/execution is allowed and to fall back gracefully
76061 +         to an interpreter-based mode if it does not.  While we encourage everyone
76062 +         to use the current implementation as-is and push upstream to fix broken
76063 +         userland (note that the RWX logging option can assist with this), in some
76064 +         environments this may not be possible.  Having to disable MPROTECT
76065 +         completely on certain binaries reduces the security benefit of PaX,
76066 +         so this option is provided for those environments to revert to the old
76067 +         behavior.
76068 +         
76069 +config PAX_ELFRELOCS
76070 +       bool "Allow ELF text relocations (read help)"
76071 +       depends on PAX_MPROTECT
76072 +       default n
76073 +       help
76074 +         Non-executable pages and mprotect() restrictions are effective
76075 +         in preventing the introduction of new executable code into an
76076 +         attacked task's address space.  There remain only two venues
76077 +         for this kind of attack: if the attacker can execute already
76078 +         existing code in the attacked task then he can either have it
76079 +         create and mmap() a file containing his code or have it mmap()
76080 +         an already existing ELF library that does not have position
76081 +         independent code in it and use mprotect() on it to make it
76082 +         writable and copy his code there.  While protecting against
76083 +         the former approach is beyond PaX, the latter can be prevented
76084 +         by having only PIC ELF libraries on one's system (which do not
76085 +         need to relocate their code).  If you are sure this is your case,
76086 +         as is the case with all modern Linux distributions, then leave
76087 +         this option disabled.  You should say 'n' here.
76088 +
76089 +config PAX_ETEXECRELOCS
76090 +       bool "Allow ELF ET_EXEC text relocations"
76091 +       depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
76092 +       select PAX_ELFRELOCS
76093 +       default y
76094 +       help
76095 +         On some architectures there are incorrectly created applications
76096 +         that require text relocations and would not work without enabling
76097 +         this option.  If you are an alpha, ia64 or parisc user, you should
76098 +         enable this option and disable it once you have made sure that
76099 +         none of your applications need it.
76100 +
76101 +config PAX_EMUPLT
76102 +       bool "Automatically emulate ELF PLT"
76103 +       depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
76104 +       default y
76105 +       help
76106 +         Enabling this option will have the kernel automatically detect
76107 +         and emulate the Procedure Linkage Table entries in ELF files.
76108 +         On some architectures such entries are in writable memory, and
76109 +         become non-executable leading to task termination.  Therefore
76110 +         it is mandatory that you enable this option on alpha, parisc,
76111 +         sparc and sparc64, otherwise your system would not even boot.
76112 +
76113 +         NOTE: this feature *does* open up a loophole in the protection
76114 +         provided by the non-executable pages, therefore the proper
76115 +         solution is to modify the toolchain to produce a PLT that does
76116 +         not need to be writable.
76117 +
76118 +config PAX_DLRESOLVE
76119 +       bool 'Emulate old glibc resolver stub'
76120 +       depends on PAX_EMUPLT && SPARC
76121 +       default n
76122 +       help
76123 +         This option is needed if userland has an old glibc (before 2.4)
76124 +         that puts a 'save' instruction into the runtime generated resolver
76125 +         stub that needs special emulation.
76126 +
76127 +config PAX_KERNEXEC
76128 +       bool "Enforce non-executable kernel pages"
76129 +       depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
76130 +       select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
76131 +       select PAX_KERNEXEC_PLUGIN if X86_64
76132 +       help
76133 +         This is the kernel land equivalent of PAGEEXEC and MPROTECT,
76134 +         that is, enabling this option will make it harder to inject
76135 +         and execute 'foreign' code in kernel memory itself.
76136 +
76137 +         Note that on x86_64 kernels there is a known regression when
76138 +         this feature and KVM/VMX are both enabled in the host kernel.
76139 +
76140 +config PAX_KERNEXEC_MODULE_TEXT
76141 +       int "Minimum amount of memory reserved for module code"
76142 +       default "4"
76143 +       depends on PAX_KERNEXEC && X86_32 && MODULES
76144 +       help
76145 +         Due to implementation details the kernel must reserve a fixed
76146 +         amount of memory for module code at compile time that cannot be
76147 +         changed at runtime.  Here you can specify the minimum amount
76148 +         in MB that will be reserved.  Due to the same implementation
76149 +         details this size will always be rounded up to the next 2/4 MB
76150 +         boundary (depends on PAE) so the actually available memory for
76151 +         module code will usually be more than this minimum.
76152 +
76153 +         The default 4 MB should be enough for most users but if you have
76154 +         an excessive number of modules (e.g., most distribution configs
76155 +         compile many drivers as modules) or use huge modules such as
76156 +         nvidia's kernel driver, you will need to adjust this amount.
76157 +         A good rule of thumb is to look at your currently loaded kernel
76158 +         modules and add up their sizes.
76159 +
76160 +endmenu
76161 +
76162 +menu "Address Space Layout Randomization"
76163 +       depends on PAX
76164 +
76165 +config PAX_ASLR
76166 +       bool "Address Space Layout Randomization"
76167 +       depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
76168 +       help
76169 +         Many if not most exploit techniques rely on the knowledge of
76170 +         certain addresses in the attacked program.  The following options
76171 +         will allow the kernel to apply a certain amount of randomization
76172 +         to specific parts of the program thereby forcing an attacker to
76173 +         guess them in most cases.  Any failed guess will most likely crash
76174 +         the attacked program which allows the kernel to detect such attempts
76175 +         and react on them.  PaX itself provides no reaction mechanisms,
76176 +         instead it is strongly encouraged that you make use of Nergal's
76177 +         segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
76178 +         (http://www.grsecurity.net/) built-in crash detection features or
76179 +         develop one yourself.
76180 +
76181 +         By saying Y here you can choose to randomize the following areas:
76182 +          - top of the task's kernel stack
76183 +          - top of the task's userland stack
76184 +          - base address for mmap() requests that do not specify one
76185 +            (this includes all libraries)
76186 +          - base address of the main executable
76187 +
76188 +         It is strongly recommended to say Y here as address space layout
76189 +         randomization has negligible impact on performance yet it provides
76190 +         a very effective protection.
76191 +
76192 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control
76193 +         this feature on a per file basis.
76194 +
76195 +config PAX_RANDKSTACK
76196 +       bool "Randomize kernel stack base"
76197 +       depends on X86_TSC && X86
76198 +       help
76199 +         By saying Y here the kernel will randomize every task's kernel
76200 +         stack on every system call.  This will not only force an attacker
76201 +         to guess it but also prevent him from making use of possible
76202 +         leaked information about it.
76203 +
76204 +         Since the kernel stack is a rather scarce resource, randomization
76205 +         may cause unexpected stack overflows, therefore you should very
76206 +         carefully test your system.  Note that once enabled in the kernel
76207 +         configuration, this feature cannot be disabled on a per file basis.
76208 +
76209 +config PAX_RANDUSTACK
76210 +       bool "Randomize user stack base"
76211 +       depends on PAX_ASLR
76212 +       help
76213 +         By saying Y here the kernel will randomize every task's userland
76214 +         stack.  The randomization is done in two steps where the second
76215 +         one may apply a big amount of shift to the top of the stack and
76216 +         cause problems for programs that want to use lots of memory (more
76217 +         than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
76218 +         For this reason the second step can be controlled by 'chpax' or
76219 +         'paxctl' on a per file basis.
76220 +
76221 +config PAX_RANDMMAP
76222 +       bool "Randomize mmap() base"
76223 +       depends on PAX_ASLR
76224 +       help
76225 +         By saying Y here the kernel will use a randomized base address for
76226 +         mmap() requests that do not specify one themselves.  As a result
76227 +         all dynamically loaded libraries will appear at random addresses
76228 +         and therefore be harder to exploit by a technique where an attacker
76229 +         attempts to execute library code for his purposes (e.g. spawn a
76230 +         shell from an exploited program that is running at an elevated
76231 +         privilege level).
76232 +
76233 +         Furthermore, if a program is relinked as a dynamic ELF file, its
76234 +         base address will be randomized as well, completing the full
76235 +         randomization of the address space layout.  Attacking such programs
76236 +         becomes a guess game.  You can find an example of doing this at
76237 +         http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
76238 +         http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
76239 +
76240 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
76241 +         feature on a per file basis.
76242 +
76243 +endmenu
76244 +
76245 +menu "Miscellaneous hardening features"
76246 +
76247 +config PAX_MEMORY_SANITIZE
76248 +       bool "Sanitize all freed memory"
76249 +       help
76250 +         By saying Y here the kernel will erase memory pages as soon as they
76251 +         are freed.  This in turn reduces the lifetime of data stored in the
76252 +         pages, making it less likely that sensitive information such as
76253 +         passwords, cryptographic secrets, etc stay in memory for too long.
76254 +
76255 +         This is especially useful for programs whose runtime is short, long
76256 +         lived processes and the kernel itself benefit from this as long as
76257 +         they operate on whole memory pages and ensure timely freeing of pages
76258 +         that may hold sensitive information.
76259 +
76260 +         The tradeoff is performance impact, on a single CPU system kernel
76261 +         compilation sees a 3% slowdown, other systems and workloads may vary
76262 +         and you are advised to test this feature on your expected workload
76263 +         before deploying it.
76264 +
76265 +         Note that this feature does not protect data stored in live pages,
76266 +         e.g., process memory swapped to disk may stay there for a long time.
76267 +
76268 +config PAX_MEMORY_STACKLEAK
76269 +       bool "Sanitize kernel stack"
76270 +       depends on X86
76271 +       help
76272 +         By saying Y here the kernel will erase the kernel stack before it
76273 +         returns from a system call.  This in turn reduces the information
76274 +         that a kernel stack leak bug can reveal.
76275 +
76276 +         Note that such a bug can still leak information that was put on
76277 +         the stack by the current system call (the one eventually triggering
76278 +         the bug) but traces of earlier system calls on the kernel stack
76279 +         cannot leak anymore.
76280 +
76281 +         The tradeoff is performance impact: on a single CPU system kernel
76282 +         compilation sees a 1% slowdown, other systems and workloads may vary
76283 +         and you are advised to test this feature on your expected workload
76284 +         before deploying it.
76285 +
76286 +         Note: full support for this feature requires gcc with plugin support
76287 +         so make sure your compiler is at least gcc 4.5.0 (cross compilation
76288 +         is not supported).  Using older gcc versions means that functions
76289 +         with large enough stack frames may leave uninitialized memory behind
76290 +         that may be exposed to a later syscall leaking the stack.
76291 +
76292 +config PAX_MEMORY_UDEREF
76293 +       bool "Prevent invalid userland pointer dereference"
76294 +       depends on X86 && !UML_X86 && !XEN
76295 +       select PAX_PER_CPU_PGD if X86_64
76296 +       help
76297 +         By saying Y here the kernel will be prevented from dereferencing
76298 +         userland pointers in contexts where the kernel expects only kernel
76299 +         pointers.  This is both a useful runtime debugging feature and a
76300 +         security measure that prevents exploiting a class of kernel bugs.
76301 +
76302 +         The tradeoff is that some virtualization solutions may experience
76303 +         a huge slowdown and therefore you should not enable this feature
76304 +         for kernels meant to run in such environments.  Whether a given VM
76305 +         solution is affected or not is best determined by simply trying it
76306 +         out, the performance impact will be obvious right on boot as this
76307 +         mechanism engages from very early on.  A good rule of thumb is that
76308 +         VMs running on CPUs without hardware virtualization support (i.e.,
76309 +         the majority of IA-32 CPUs) will likely experience the slowdown.
76310 +
76311 +config PAX_REFCOUNT
76312 +       bool "Prevent various kernel object reference counter overflows"
76313 +       depends on GRKERNSEC && (X86 || SPARC64)
76314 +       help
76315 +         By saying Y here the kernel will detect and prevent overflowing
76316 +         various (but not all) kinds of object reference counters.  Such
76317 +         overflows can normally occur due to bugs only and are often, if
76318 +         not always, exploitable.
76319 +
76320 +         The tradeoff is that data structures protected by an overflowed
76321 +         refcount will never be freed and therefore will leak memory.  Note
76322 +         that this leak also happens even without this protection but in
76323 +         that case the overflow can eventually trigger the freeing of the
76324 +         data structure while it is still being used elsewhere, resulting
76325 +         in the exploitable situation that this feature prevents.
76326 +
76327 +         Since this has a negligible performance impact, you should enable
76328 +         this feature.
76329 +
76330 +config PAX_USERCOPY
76331 +       bool "Harden heap object copies between kernel and userland"
76332 +       depends on X86 || PPC || SPARC || ARM
76333 +       depends on GRKERNSEC && (SLAB || SLUB || SLOB)
76334 +       help
76335 +         By saying Y here the kernel will enforce the size of heap objects
76336 +         when they are copied in either direction between the kernel and
76337 +         userland, even if only a part of the heap object is copied.
76338 +
76339 +         Specifically, this checking prevents information leaking from the
76340 +         kernel heap during kernel to userland copies (if the kernel heap
76341 +         object is otherwise fully initialized) and prevents kernel heap
76342 +         overflows during userland to kernel copies.
76343 +
76344 +         Note that the current implementation provides the strictest bounds
76345 +         checks for the SLUB allocator.
76346 +
76347 +         Enabling this option also enables per-slab cache protection against
76348 +         data in a given cache being copied into/out of via userland
76349 +         accessors.  Though the whitelist of regions will be reduced over
76350 +         time, it notably protects important data structures like task structs.
76351 +
76352 +         If frame pointers are enabled on x86, this option will also restrict
76353 +         copies into and out of the kernel stack to local variables within a
76354 +         single frame.
76355 +
76356 +         Since this has a negligible performance impact, you should enable
76357 +         this feature.
76358 +
76359 +endmenu
76360 +
76361 +endmenu
76362 +
76363  config KEYS
76364         bool "Enable access key retention support"
76365         help
76366 @@ -167,7 +719,7 @@ config INTEL_TXT
76367  config LSM_MMAP_MIN_ADDR
76368         int "Low address space for LSM to protect from user allocation"
76369         depends on SECURITY && SECURITY_SELINUX
76370 -       default 32768 if ARM
76371 +       default 32768 if ALPHA || ARM || PARISC || SPARC32
76372         default 65536
76373         help
76374           This is the portion of low virtual memory which should be protected
76375 diff -urNp linux-3.0.9/security/keys/compat.c linux-3.0.9/security/keys/compat.c
76376 --- linux-3.0.9/security/keys/compat.c  2011-11-11 13:12:24.000000000 -0500
76377 +++ linux-3.0.9/security/keys/compat.c  2011-11-15 20:03:00.000000000 -0500
76378 @@ -44,7 +44,7 @@ long compat_keyctl_instantiate_key_iov(
76379         if (ret == 0)
76380                 goto no_payload_free;
76381  
76382 -       ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
76383 +       ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
76384  
76385         if (iov != iovstack)
76386                 kfree(iov);
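Review bot: The `__force_user` cast on the `keyctl_instantiate_key_common` call describes the wrong address space — the `kfree(iov)` just below only makes sense for a kernel buffer, and only each element's `iov_base` points to userland. The same cast is applied at the two keyctl.c call sites (`@@ -1038,7 +1038,7 @@` and `@@ -1071,7 +1071,7 @@`, where the second builds `iov` on the kernel stack), and `copy_from_user_iovec` (`@@ -921,7 +921,7 @@`, body continues outside the hunk) presumably dereferences `iov` directly to read each element, which is exactly what a `__user` annotation exists to flag, so it will need the same force-cast inside. Suggest keeping `payload_iov` a plain kernel `const struct iovec *` and documenting it: `/* payload_iov is a kernel array; only its iov_base members point to userland */`.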
76387 diff -urNp linux-3.0.9/security/keys/keyctl.c linux-3.0.9/security/keys/keyctl.c
76388 --- linux-3.0.9/security/keys/keyctl.c  2011-11-11 13:12:24.000000000 -0500
76389 +++ linux-3.0.9/security/keys/keyctl.c  2011-11-15 20:03:00.000000000 -0500
76390 @@ -921,7 +921,7 @@ static int keyctl_change_reqkey_auth(str
76391  /*
76392   * Copy the iovec data from userspace
76393   */
76394 -static long copy_from_user_iovec(void *buffer, const struct iovec *iov,
76395 +static long copy_from_user_iovec(void *buffer, const struct iovec __user *iov,
76396                                  unsigned ioc)
76397  {
76398         for (; ioc > 0; ioc--) {
76399 @@ -943,7 +943,7 @@ static long copy_from_user_iovec(void *b
76400   * If successful, 0 will be returned.
76401   */
76402  long keyctl_instantiate_key_common(key_serial_t id,
76403 -                                  const struct iovec *payload_iov,
76404 +                                  const struct iovec __user *payload_iov,
76405                                    unsigned ioc,
76406                                    size_t plen,
76407                                    key_serial_t ringid)
76408 @@ -1038,7 +1038,7 @@ long keyctl_instantiate_key(key_serial_t
76409                         [0].iov_len  = plen
76410                 };
76411  
76412 -               return keyctl_instantiate_key_common(id, iov, 1, plen, ringid);
76413 +               return keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, 1, plen, ringid);
76414         }
76415  
76416         return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
76417 @@ -1071,7 +1071,7 @@ long keyctl_instantiate_key_iov(key_seri
76418         if (ret == 0)
76419                 goto no_payload_free;
76420  
76421 -       ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
76422 +       ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
76423  
76424         if (iov != iovstack)
76425                 kfree(iov);
76426 diff -urNp linux-3.0.9/security/keys/keyring.c linux-3.0.9/security/keys/keyring.c
76427 --- linux-3.0.9/security/keys/keyring.c 2011-11-11 13:12:24.000000000 -0500
76428 +++ linux-3.0.9/security/keys/keyring.c 2011-11-15 20:03:00.000000000 -0500
76429 @@ -215,15 +215,15 @@ static long keyring_read(const struct ke
76430                         ret = -EFAULT;
76431  
76432                         for (loop = 0; loop < klist->nkeys; loop++) {
76433 +                               key_serial_t serial;
76434                                 key = klist->keys[loop];
76435 +                               serial = key->serial;
76436  
76437                                 tmp = sizeof(key_serial_t);
76438                                 if (tmp > buflen)
76439                                         tmp = buflen;
76440  
76441 -                               if (copy_to_user(buffer,
76442 -                                                &key->serial,
76443 -                                                tmp) != 0)
76444 +                               if (copy_to_user(buffer, &serial, tmp))
76445                                         goto error;
76446  
76447                                 buflen -= tmp;
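Review bot: The new stack copy `serial = key->serial` has no comment saying why the read no longer goes straight from `key->serial` to `copy_to_user`, so the next cleanup will likely fold it back. Presumably the point is that the copy source becomes a local variable rather than a field of the slab-allocated key object, which the PAX_USERCOPY per-cache checks described earlier in this patch would otherwise reject; confirm that is the reason and record it, e.g. `/* copy via a stack local: the key object's slab cache is not whitelisted for userland copies (PAX_USERCOPY) */`. As before, `tmp` may be smaller than `sizeof(serial)`, so a short final copy is still truncated rather than rejected.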
76448 diff -urNp linux-3.0.9/security/min_addr.c linux-3.0.9/security/min_addr.c
76449 --- linux-3.0.9/security/min_addr.c     2011-11-11 13:12:24.000000000 -0500
76450 +++ linux-3.0.9/security/min_addr.c     2011-11-15 20:03:00.000000000 -0500
76451 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
76452   */
76453  static void update_mmap_min_addr(void)
76454  {
76455 +#ifndef SPARC
76456  #ifdef CONFIG_LSM_MMAP_MIN_ADDR
76457         if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
76458                 mmap_min_addr = dac_mmap_min_addr;
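Review bot: The guard `#ifndef SPARC` added at the top of `update_mmap_min_addr` (with its `#endif` in the next hunk, `@@ -22,6 +23,7 @@`) tests a bare `SPARC` macro, while the kernel's architecture symbols take the form `CONFIG_SPARC`; unless something defines `SPARC` on that architecture, the condition is always true and the body is compiled everywhere, so the intended SPARC exemption silently never happens. If the intent is to leave `mmap_min_addr` untouched on SPARC, `#ifndef CONFIG_SPARC` is the conventional spelling. Compiling out the whole body is a notable change for the function that otherwise derives `mmap_min_addr` from `dac_mmap_min_addr`, so add a one-line comment stating why SPARC is exempted.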
76459 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
76460  #else
76461         mmap_min_addr = dac_mmap_min_addr;
76462  #endif
76463 +#endif
76464  }
76465  
76466  /*
76467 diff -urNp linux-3.0.9/security/security.c linux-3.0.9/security/security.c
76468 --- linux-3.0.9/security/security.c     2011-11-11 13:12:24.000000000 -0500
76469 +++ linux-3.0.9/security/security.c     2011-11-15 20:03:00.000000000 -0500
76470 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
76471  /* things that live in capability.c */
76472  extern void __init security_fixup_ops(struct security_operations *ops);
76473  
76474 -static struct security_operations *security_ops;
76475 -static struct security_operations default_security_ops = {
76476 +static struct security_operations *security_ops __read_only;
76477 +static struct security_operations default_security_ops __read_only = {
76478         .name   = "default",
76479  };
76480  
76481 @@ -67,7 +67,9 @@ int __init security_init(void)
76482  
76483  void reset_security_ops(void)
76484  {
76485 +       pax_open_kernel();
76486         security_ops = &default_security_ops;
76487 +       pax_close_kernel();
76488  }
76489  
76490  /* Save user chosen LSM */
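Review bot: Wrapping only `reset_security_ops` in `pax_open_kernel()`/`pax_close_kernel()` is not sufficient once `security_ops` lives in `__read_only` data (previous hunk): every other store to it — the initial assignment in `security_init` and the one in `register_security`, if they still assign directly, neither visible in this hunk — needs the same pair or that write will fault once the page is write-protected. Worth recording the rule at the declaration so later writers keep it: `/* __read_only: every store to security_ops must be bracketed by pax_open_kernel()/pax_close_kernel() */`.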
76491 diff -urNp linux-3.0.9/security/selinux/hooks.c linux-3.0.9/security/selinux/hooks.c
76492 --- linux-3.0.9/security/selinux/hooks.c        2011-11-11 13:12:24.000000000 -0500
76493 +++ linux-3.0.9/security/selinux/hooks.c        2011-11-15 20:03:00.000000000 -0500
76494 @@ -93,7 +93,6 @@
76495  #define NUM_SEL_MNT_OPTS 5
76496  
76497  extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
76498 -extern struct security_operations *security_ops;
76499  
76500  /* SECMARK reference count */
76501  atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
76502 @@ -5454,7 +5453,7 @@ static int selinux_key_getsecurity(struc
76503  
76504  #endif
76505  
76506 -static struct security_operations selinux_ops = {
76507 +static struct security_operations selinux_ops __read_only = {
76508         .name =                         "selinux",
76509  
76510         .ptrace_access_check =          selinux_ptrace_access_check,
76511 diff -urNp linux-3.0.9/security/selinux/include/xfrm.h linux-3.0.9/security/selinux/include/xfrm.h
76512 --- linux-3.0.9/security/selinux/include/xfrm.h 2011-11-11 13:12:24.000000000 -0500
76513 +++ linux-3.0.9/security/selinux/include/xfrm.h 2011-11-15 20:03:00.000000000 -0500
76514 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
76515  
76516  static inline void selinux_xfrm_notify_policyload(void)
76517  {
76518 -       atomic_inc(&flow_cache_genid);
76519 +       atomic_inc_unchecked(&flow_cache_genid);
76520  }
76521  #else
76522  static inline int selinux_xfrm_enabled(void)
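Review bot: Switching `flow_cache_genid` to `atomic_inc_unchecked` deserves a comment, because a reader cannot tell whether this is an oversight or a deliberate exemption from the PAX_REFCOUNT overflow protection introduced earlier in this patch; the name suggests a generation counter that is expected to wrap rather than a reference count, which would justify the exemption. Suggest `/* generation counter, not a refcount: wrap-around is harmless, so skip the PAX_REFCOUNT overflow check */`, and confirm the variable's declaration was changed to `atomic_unchecked_t` to match.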
76523 diff -urNp linux-3.0.9/security/selinux/ss/services.c linux-3.0.9/security/selinux/ss/services.c
76524 --- linux-3.0.9/security/selinux/ss/services.c  2011-11-11 13:12:24.000000000 -0500
76525 +++ linux-3.0.9/security/selinux/ss/services.c  2011-11-15 20:03:00.000000000 -0500
76526 @@ -1814,6 +1814,8 @@ int security_load_policy(void *data, siz
76527         int rc = 0;
76528         struct policy_file file = { data, len }, *fp = &file;
76529  
76530 +       pax_track_stack();
76531 +
76532         if (!ss_initialized) {
76533                 avtab_cache_init();
76534                 rc = policydb_read(&policydb, fp);
76535 diff -urNp linux-3.0.9/security/smack/smack_lsm.c linux-3.0.9/security/smack/smack_lsm.c
76536 --- linux-3.0.9/security/smack/smack_lsm.c      2011-11-11 13:12:24.000000000 -0500
76537 +++ linux-3.0.9/security/smack/smack_lsm.c      2011-11-15 20:03:00.000000000 -0500
76538 @@ -3392,7 +3392,7 @@ static int smack_inode_getsecctx(struct 
76539         return 0;
76540  }
76541  
76542 -struct security_operations smack_ops = {
76543 +struct security_operations smack_ops __read_only = {
76544         .name =                         "smack",
76545  
76546         .ptrace_access_check =          smack_ptrace_access_check,
76547 diff -urNp linux-3.0.9/security/tomoyo/tomoyo.c linux-3.0.9/security/tomoyo/tomoyo.c
76548 --- linux-3.0.9/security/tomoyo/tomoyo.c        2011-11-11 13:12:24.000000000 -0500
76549 +++ linux-3.0.9/security/tomoyo/tomoyo.c        2011-11-15 20:03:00.000000000 -0500
76550 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
76551   * tomoyo_security_ops is a "struct security_operations" which is used for
76552   * registering TOMOYO.
76553   */
76554 -static struct security_operations tomoyo_security_ops = {
76555 +static struct security_operations tomoyo_security_ops __read_only = {
76556         .name                = "tomoyo",
76557         .cred_alloc_blank    = tomoyo_cred_alloc_blank,
76558         .cred_prepare        = tomoyo_cred_prepare,
76559 diff -urNp linux-3.0.9/sound/aoa/codecs/onyx.c linux-3.0.9/sound/aoa/codecs/onyx.c
76560 --- linux-3.0.9/sound/aoa/codecs/onyx.c 2011-11-11 13:12:24.000000000 -0500
76561 +++ linux-3.0.9/sound/aoa/codecs/onyx.c 2011-11-15 20:03:00.000000000 -0500
76562 @@ -54,7 +54,7 @@ struct onyx {
76563                                 spdif_locked:1,
76564                                 analog_locked:1,
76565                                 original_mute:2;
76566 -       int                     open_count;
76567 +       local_t                 open_count;
76568         struct codec_info       *codec_info;
76569  
76570         /* mutex serializes concurrent access to the device
76571 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
76572         struct onyx *onyx = cii->codec_data;
76573  
76574         mutex_lock(&onyx->mutex);
76575 -       onyx->open_count++;
76576 +       local_inc(&onyx->open_count);
76577         mutex_unlock(&onyx->mutex);
76578  
76579         return 0;
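Review bot: `local_t` is the per-CPU counter type — `local_inc`/`local_dec_and_test` are only guaranteed atomic against code on the same CPU (on x86 they compile to unlocked `inc`/`dec`) — whereas `open_count` is a per-device field updated from whichever CPU opens or closes the device. Here and in `onyx_close` (next hunk) the surrounding `mutex_lock` already serializes the updates, so the conversion is harmless but the atomic-looking calls suggest a guarantee that is not there; in `mts64.c` (`@@ -696`, `@@ -704`, `@@ -714`, `@@ -724`) and the `portman2x4.c` field the same conversion is applied to a counter with no lock around the read-then-modify sequence, and it does not fix that pre-existing race between concurrent opens. If a lock-free counter is intended, `atomic_t` is the right type; otherwise add `/* protected by onyx->mutex; local_t gives no cross-CPU atomicity */` so nobody drops the lock later.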
76580 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
76581         struct onyx *onyx = cii->codec_data;
76582  
76583         mutex_lock(&onyx->mutex);
76584 -       onyx->open_count--;
76585 -       if (!onyx->open_count)
76586 +       if (local_dec_and_test(&onyx->open_count))
76587                 onyx->spdif_locked = onyx->analog_locked = 0;
76588         mutex_unlock(&onyx->mutex);
76589  
76590 diff -urNp linux-3.0.9/sound/aoa/codecs/onyx.h linux-3.0.9/sound/aoa/codecs/onyx.h
76591 --- linux-3.0.9/sound/aoa/codecs/onyx.h 2011-11-11 13:12:24.000000000 -0500
76592 +++ linux-3.0.9/sound/aoa/codecs/onyx.h 2011-11-15 20:03:00.000000000 -0500
76593 @@ -11,6 +11,7 @@
76594  #include <linux/i2c.h>
76595  #include <asm/pmac_low_i2c.h>
76596  #include <asm/prom.h>
76597 +#include <asm/local.h>
76598  
76599  /* PCM3052 register definitions */
76600  
76601 diff -urNp linux-3.0.9/sound/core/oss/pcm_oss.c linux-3.0.9/sound/core/oss/pcm_oss.c
76602 --- linux-3.0.9/sound/core/oss/pcm_oss.c        2011-11-11 13:12:24.000000000 -0500
76603 +++ linux-3.0.9/sound/core/oss/pcm_oss.c        2011-11-15 20:03:00.000000000 -0500
76604 @@ -1189,10 +1189,10 @@ snd_pcm_sframes_t snd_pcm_oss_write3(str
76605                 if (in_kernel) {
76606                         mm_segment_t fs;
76607                         fs = snd_enter_user();
76608 -                       ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
76609 +                       ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
76610                         snd_leave_user(fs);
76611                 } else {
76612 -                       ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
76613 +                       ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
76614                 }
76615                 if (ret != -EPIPE && ret != -ESTRPIPE)
76616                         break;
76617 @@ -1234,10 +1234,10 @@ snd_pcm_sframes_t snd_pcm_oss_read3(stru
76618                 if (in_kernel) {
76619                         mm_segment_t fs;
76620                         fs = snd_enter_user();
76621 -                       ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
76622 +                       ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
76623                         snd_leave_user(fs);
76624                 } else {
76625 -                       ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
76626 +                       ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
76627                 }
76628                 if (ret == -EPIPE) {
76629                         if (runtime->status->state == SNDRV_PCM_STATE_DRAINING) {
76630 @@ -1337,7 +1337,7 @@ static ssize_t snd_pcm_oss_write2(struct
76631                 struct snd_pcm_plugin_channel *channels;
76632                 size_t oss_frame_bytes = (runtime->oss.plugin_first->src_width * runtime->oss.plugin_first->src_format.channels) / 8;
76633                 if (!in_kernel) {
76634 -                       if (copy_from_user(runtime->oss.buffer, (const char __force __user *)buf, bytes))
76635 +                       if (copy_from_user(runtime->oss.buffer, (const char __force_user *)buf, bytes))
76636                                 return -EFAULT;
76637                         buf = runtime->oss.buffer;
76638                 }
76639 @@ -1407,7 +1407,7 @@ static ssize_t snd_pcm_oss_write1(struct
76640                         }
76641                 } else {
76642                         tmp = snd_pcm_oss_write2(substream,
76643 -                                                (const char __force *)buf,
76644 +                                                (const char __force_kernel *)buf,
76645                                                  runtime->oss.period_bytes, 0);
76646                         if (tmp <= 0)
76647                                 goto err;
76648 @@ -1433,7 +1433,7 @@ static ssize_t snd_pcm_oss_read2(struct 
76649         struct snd_pcm_runtime *runtime = substream->runtime;
76650         snd_pcm_sframes_t frames, frames1;
76651  #ifdef CONFIG_SND_PCM_OSS_PLUGINS
76652 -       char __user *final_dst = (char __force __user *)buf;
76653 +       char __user *final_dst = (char __force_user *)buf;
76654         if (runtime->oss.plugin_first) {
76655                 struct snd_pcm_plugin_channel *channels;
76656                 size_t oss_frame_bytes = (runtime->oss.plugin_last->dst_width * runtime->oss.plugin_last->dst_format.channels) / 8;
76657 @@ -1495,7 +1495,7 @@ static ssize_t snd_pcm_oss_read1(struct 
76658                         xfer += tmp;
76659                         runtime->oss.buffer_used -= tmp;
76660                 } else {
76661 -                       tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
76662 +                       tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
76663                                                 runtime->oss.period_bytes, 0);
76664                         if (tmp <= 0)
76665                                 goto err;
76666 @@ -1663,7 +1663,7 @@ static int snd_pcm_oss_sync(struct snd_p
76667                                                                    size1);
76668                                         size1 /= runtime->channels; /* frames */
76669                                         fs = snd_enter_user();
76670 -                                       snd_pcm_lib_write(substream, (void __force __user *)runtime->oss.buffer, size1);
76671 +                                       snd_pcm_lib_write(substream, (void __force_user *)runtime->oss.buffer, size1);
76672                                         snd_leave_user(fs);
76673                                 }
76674                         } else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) {
76675 diff -urNp linux-3.0.9/sound/core/pcm_compat.c linux-3.0.9/sound/core/pcm_compat.c
76676 --- linux-3.0.9/sound/core/pcm_compat.c 2011-11-11 13:12:24.000000000 -0500
76677 +++ linux-3.0.9/sound/core/pcm_compat.c 2011-11-15 20:03:00.000000000 -0500
76678 @@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(st
76679         int err;
76680  
76681         fs = snd_enter_user();
76682 -       err = snd_pcm_delay(substream, &delay);
76683 +       err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
76684         snd_leave_user(fs);
76685         if (err < 0)
76686                 return err;
76687 diff -urNp linux-3.0.9/sound/core/pcm_native.c linux-3.0.9/sound/core/pcm_native.c
76688 --- linux-3.0.9/sound/core/pcm_native.c 2011-11-11 13:12:24.000000000 -0500
76689 +++ linux-3.0.9/sound/core/pcm_native.c 2011-11-15 20:03:00.000000000 -0500
76690 @@ -2770,11 +2770,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_
76691         switch (substream->stream) {
76692         case SNDRV_PCM_STREAM_PLAYBACK:
76693                 result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
76694 -                                                (void __user *)arg);
76695 +                                                (void __force_user *)arg);
76696                 break;
76697         case SNDRV_PCM_STREAM_CAPTURE:
76698                 result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
76699 -                                               (void __user *)arg);
76700 +                                               (void __force_user *)arg);
76701                 break;
76702         default:
76703                 result = -EINVAL;
76704 diff -urNp linux-3.0.9/sound/core/seq/seq_device.c linux-3.0.9/sound/core/seq/seq_device.c
76705 --- linux-3.0.9/sound/core/seq/seq_device.c     2011-11-11 13:12:24.000000000 -0500
76706 +++ linux-3.0.9/sound/core/seq/seq_device.c     2011-11-15 20:03:00.000000000 -0500
76707 @@ -63,7 +63,7 @@ struct ops_list {
76708         int argsize;            /* argument size */
76709  
76710         /* operators */
76711 -       struct snd_seq_dev_ops ops;
76712 +       struct snd_seq_dev_ops *ops;
76713  
76714         /* registred devices */
76715         struct list_head dev_list;      /* list of devices */
76716 @@ -332,7 +332,7 @@ int snd_seq_device_register_driver(char 
76717  
76718         mutex_lock(&ops->reg_mutex);
76719         /* copy driver operators */
76720 -       ops->ops = *entry;
76721 +       ops->ops = entry;
76722         ops->driver |= DRIVER_LOADED;
76723         ops->argsize = argsize;
76724  
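Review bot: Storing `entry` by pointer (`ops->ops = entry;`) instead of copying the struct changes the caller contract: the driver's `struct snd_seq_dev_ops` must now stay valid and unmodified for as long as the driver is registered, whereas the copy let callers pass a temporary. The matching unregister path is not in this hunk; it should reset `ops->ops` to `NULL` so that `init_device` and `free_device` (the two following hunks) cannot call through a dangling pointer after the driver module is gone. Document the ownership rule on the field: `/* points at the driver's ops table; must outlive the registration */`.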
76725 @@ -462,7 +462,7 @@ static int init_device(struct snd_seq_de
76726                            dev->name, ops->id, ops->argsize, dev->argsize);
76727                 return -EINVAL;
76728         }
76729 -       if (ops->ops.init_device(dev) >= 0) {
76730 +       if (ops->ops->init_device(dev) >= 0) {
76731                 dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
76732                 ops->num_init_devices++;
76733         } else {
76734 @@ -489,7 +489,7 @@ static int free_device(struct snd_seq_de
76735                            dev->name, ops->id, ops->argsize, dev->argsize);
76736                 return -EINVAL;
76737         }
76738 -       if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
76739 +       if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
76740                 dev->status = SNDRV_SEQ_DEVICE_FREE;
76741                 dev->driver_data = NULL;
76742                 ops->num_init_devices--;
76743 diff -urNp linux-3.0.9/sound/drivers/mts64.c linux-3.0.9/sound/drivers/mts64.c
76744 --- linux-3.0.9/sound/drivers/mts64.c   2011-11-11 13:12:24.000000000 -0500
76745 +++ linux-3.0.9/sound/drivers/mts64.c   2011-11-15 20:03:00.000000000 -0500
76746 @@ -28,6 +28,7 @@
76747  #include <sound/initval.h>
76748  #include <sound/rawmidi.h>
76749  #include <sound/control.h>
76750 +#include <asm/local.h>
76751  
76752  #define CARD_NAME "Miditerminal 4140"
76753  #define DRIVER_NAME "MTS64"
76754 @@ -66,7 +67,7 @@ struct mts64 {
76755         struct pardevice *pardev;
76756         int pardev_claimed;
76757  
76758 -       int open_count;
76759 +       local_t open_count;
76760         int current_midi_output_port;
76761         int current_midi_input_port;
76762         u8 mode[MTS64_NUM_INPUT_PORTS];
76763 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
76764  {
76765         struct mts64 *mts = substream->rmidi->private_data;
76766  
76767 -       if (mts->open_count == 0) {
76768 +       if (local_read(&mts->open_count) == 0) {
76769                 /* We don't need a spinlock here, because this is just called 
76770                    if the device has not been opened before. 
76771                    So there aren't any IRQs from the device */
76772 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
76773  
76774                 msleep(50);
76775         }
76776 -       ++(mts->open_count);
76777 +       local_inc(&mts->open_count);
76778  
76779         return 0;
76780  }
76781 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
76782         struct mts64 *mts = substream->rmidi->private_data;
76783         unsigned long flags;
76784  
76785 -       --(mts->open_count);
76786 -       if (mts->open_count == 0) {
76787 +       if (local_dec_return(&mts->open_count) == 0) {
76788                 /* We need the spinlock_irqsave here because we can still
76789                    have IRQs at this point */
76790                 spin_lock_irqsave(&mts->lock, flags);
76791 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
76792  
76793                 msleep(500);
76794  
76795 -       } else if (mts->open_count < 0)
76796 -               mts->open_count = 0;
76797 +       } else if (local_read(&mts->open_count) < 0)
76798 +               local_set(&mts->open_count, 0);
76799  
76800         return 0;
76801  }
76802 diff -urNp linux-3.0.9/sound/drivers/opl4/opl4_lib.c linux-3.0.9/sound/drivers/opl4/opl4_lib.c
76803 --- linux-3.0.9/sound/drivers/opl4/opl4_lib.c   2011-11-11 13:12:24.000000000 -0500
76804 +++ linux-3.0.9/sound/drivers/opl4/opl4_lib.c   2011-11-15 20:03:00.000000000 -0500
76805 @@ -28,7 +28,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@
76806  MODULE_DESCRIPTION("OPL4 driver");
76807  MODULE_LICENSE("GPL");
76808  
76809 -static void inline snd_opl4_wait(struct snd_opl4 *opl4)
76810 +static inline void snd_opl4_wait(struct snd_opl4 *opl4)
76811  {
76812         int timeout = 10;
76813         while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
76814 diff -urNp linux-3.0.9/sound/drivers/portman2x4.c linux-3.0.9/sound/drivers/portman2x4.c
76815 --- linux-3.0.9/sound/drivers/portman2x4.c      2011-11-11 13:12:24.000000000 -0500
76816 +++ linux-3.0.9/sound/drivers/portman2x4.c      2011-11-15 20:03:00.000000000 -0500
76817 @@ -47,6 +47,7 @@
76818  #include <sound/initval.h>
76819  #include <sound/rawmidi.h>
76820  #include <sound/control.h>
76821 +#include <asm/local.h>
76822  
76823  #define CARD_NAME "Portman 2x4"
76824  #define DRIVER_NAME "portman"
76825 @@ -84,7 +85,7 @@ struct portman {
76826         struct pardevice *pardev;
76827         int pardev_claimed;
76828  
76829 -       int open_count;
76830 +       local_t open_count;
76831         int mode[PORTMAN_NUM_INPUT_PORTS];
76832         struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
76833  };
76834 diff -urNp linux-3.0.9/sound/firewire/amdtp.c linux-3.0.9/sound/firewire/amdtp.c
76835 --- linux-3.0.9/sound/firewire/amdtp.c  2011-11-11 13:12:24.000000000 -0500
76836 +++ linux-3.0.9/sound/firewire/amdtp.c  2011-11-15 20:03:00.000000000 -0500
76837 @@ -371,7 +371,7 @@ static void queue_out_packet(struct amdt
76838                 ptr = s->pcm_buffer_pointer + data_blocks;
76839                 if (ptr >= pcm->runtime->buffer_size)
76840                         ptr -= pcm->runtime->buffer_size;
76841 -               ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
76842 +               ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
76843  
76844                 s->pcm_period_pointer += data_blocks;
76845                 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
76846 @@ -511,7 +511,7 @@ EXPORT_SYMBOL(amdtp_out_stream_start);
76847   */
76848  void amdtp_out_stream_update(struct amdtp_out_stream *s)
76849  {
76850 -       ACCESS_ONCE(s->source_node_id_field) =
76851 +       ACCESS_ONCE_RW(s->source_node_id_field) =
76852                 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
76853  }
76854  EXPORT_SYMBOL(amdtp_out_stream_update);
76855 diff -urNp linux-3.0.9/sound/firewire/amdtp.h linux-3.0.9/sound/firewire/amdtp.h
76856 --- linux-3.0.9/sound/firewire/amdtp.h  2011-11-11 13:12:24.000000000 -0500
76857 +++ linux-3.0.9/sound/firewire/amdtp.h  2011-11-15 20:03:00.000000000 -0500
76858 @@ -146,7 +146,7 @@ static inline void amdtp_out_stream_pcm_
76859  static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
76860                                                 struct snd_pcm_substream *pcm)
76861  {
76862 -       ACCESS_ONCE(s->pcm) = pcm;
76863 +       ACCESS_ONCE_RW(s->pcm) = pcm;
76864  }
76865  
76866  /**
76867 diff -urNp linux-3.0.9/sound/firewire/isight.c linux-3.0.9/sound/firewire/isight.c
76868 --- linux-3.0.9/sound/firewire/isight.c 2011-11-11 13:12:24.000000000 -0500
76869 +++ linux-3.0.9/sound/firewire/isight.c 2011-11-15 20:03:00.000000000 -0500
76870 @@ -97,7 +97,7 @@ static void isight_update_pointers(struc
76871         ptr += count;
76872         if (ptr >= runtime->buffer_size)
76873                 ptr -= runtime->buffer_size;
76874 -       ACCESS_ONCE(isight->buffer_pointer) = ptr;
76875 +       ACCESS_ONCE_RW(isight->buffer_pointer) = ptr;
76876  
76877         isight->period_counter += count;
76878         if (isight->period_counter >= runtime->period_size) {
76879 @@ -308,7 +308,7 @@ static int isight_hw_params(struct snd_p
76880         if (err < 0)
76881                 return err;
76882  
76883 -       ACCESS_ONCE(isight->pcm_active) = true;
76884 +       ACCESS_ONCE_RW(isight->pcm_active) = true;
76885  
76886         return 0;
76887  }
76888 @@ -341,7 +341,7 @@ static int isight_hw_free(struct snd_pcm
76889  {
76890         struct isight *isight = substream->private_data;
76891  
76892 -       ACCESS_ONCE(isight->pcm_active) = false;
76893 +       ACCESS_ONCE_RW(isight->pcm_active) = false;
76894  
76895         mutex_lock(&isight->mutex);
76896         isight_stop_streaming(isight);
76897 @@ -434,10 +434,10 @@ static int isight_trigger(struct snd_pcm
76898  
76899         switch (cmd) {
76900         case SNDRV_PCM_TRIGGER_START:
76901 -               ACCESS_ONCE(isight->pcm_running) = true;
76902 +               ACCESS_ONCE_RW(isight->pcm_running) = true;
76903                 break;
76904         case SNDRV_PCM_TRIGGER_STOP:
76905 -               ACCESS_ONCE(isight->pcm_running) = false;
76906 +               ACCESS_ONCE_RW(isight->pcm_running) = false;
76907                 break;
76908         default:
76909                 return -EINVAL;
76910 diff -urNp linux-3.0.9/sound/isa/cmi8330.c linux-3.0.9/sound/isa/cmi8330.c
76911 --- linux-3.0.9/sound/isa/cmi8330.c     2011-11-11 13:12:24.000000000 -0500
76912 +++ linux-3.0.9/sound/isa/cmi8330.c     2011-11-15 20:03:00.000000000 -0500
76913 @@ -172,7 +172,7 @@ struct snd_cmi8330 {
76914  
76915         struct snd_pcm *pcm;
76916         struct snd_cmi8330_stream {
76917 -               struct snd_pcm_ops ops;
76918 +               snd_pcm_ops_no_const ops;
76919                 snd_pcm_open_callback_t open;
76920                 void *private_data; /* sb or wss */
76921         } streams[2];
76922 diff -urNp linux-3.0.9/sound/oss/sb_audio.c linux-3.0.9/sound/oss/sb_audio.c
76923 --- linux-3.0.9/sound/oss/sb_audio.c    2011-11-11 13:12:24.000000000 -0500
76924 +++ linux-3.0.9/sound/oss/sb_audio.c    2011-11-15 20:03:00.000000000 -0500
76925 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
76926                 buf16 = (signed short *)(localbuf + localoffs);
76927                 while (c)
76928                 {
76929 -                       locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
76930 +                       locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
76931                         if (copy_from_user(lbuf8,
76932                                            userbuf+useroffs + p,
76933                                            locallen))
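Review bot: The cast on the new `locallen` line changes what happens when `c` is negative (its declaration and the loop's update of `c` are outside the hunk): presumably a negative `c` used to fall through to the `: c` arm and reach copy_from_user() as a huge unsigned length, and now it is clamped to LBUFCOPYSIZE instead. That intent deserves a comment, e.g. `/* unsigned compare: a negative c must clamp to LBUFCOPYSIZE, never reach copy_from_user() as a huge length */`. If `c` really can be negative here, clamping only bounds each copy; rejecting `c < 0` before the `while (c)` loop would also keep the loop from running on with a negative count. sb16_copy_from_user starts and ends outside the hunk.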
76934 diff -urNp linux-3.0.9/sound/oss/swarm_cs4297a.c linux-3.0.9/sound/oss/swarm_cs4297a.c
76935 --- linux-3.0.9/sound/oss/swarm_cs4297a.c       2011-11-11 13:12:24.000000000 -0500
76936 +++ linux-3.0.9/sound/oss/swarm_cs4297a.c       2011-11-15 20:03:00.000000000 -0500
76937 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
76938  {
76939         struct cs4297a_state *s;
76940         u32 pwr, id;
76941 -       mm_segment_t fs;
76942         int rval;
76943  #ifndef CONFIG_BCM_CS4297A_CSWARM
76944         u64 cfg;
76945 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
76946          if (!rval) {
76947                 char *sb1250_duart_present;
76948  
76949 +#if 0
76950 +                mm_segment_t fs;
76951                  fs = get_fs();
76952                  set_fs(KERNEL_DS);
76953 -#if 0
76954                  val = SOUND_MASK_LINE;
76955                  mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
76956                  for (i = 0; i < ARRAY_SIZE(initvol); i++) {
76957                          val = initvol[i].vol;
76958                          mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
76959                  }
76960 +                set_fs(fs);
76961  //                cs4297a_write_ac97(s, 0x18, 0x0808);
76962  #else
76963                  //                cs4297a_write_ac97(s, 0x5e, 0x180);
76964                  cs4297a_write_ac97(s, 0x02, 0x0808);
76965                  cs4297a_write_ac97(s, 0x18, 0x0808);
76966  #endif
76967 -                set_fs(fs);
76968  
76969                  list_add(&s->list, &cs4297a_devs);
76970  
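Review bot: The `mm_segment_t fs` declaration and `set_fs(fs)` are moved into a `#if 0` block rather than deleted, so the dead block keeps referencing `val`, `i` and `initvol`, none of which are declared in the visible scope, and will not compile if anyone flips the `#if`. Dropping the whole `#if 0 ... #else` section and keeping only the two live `cs4297a_write_ac97()` calls would be cleaner. The live path no longer runs between `set_fs(KERNEL_DS)` and `set_fs(fs)`; that looks correct since it only calls cs4297a_write_ac97() directly, but it is a behavior change worth a line in the commit message. cs4297a_init continues outside the hunk.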
76971 diff -urNp linux-3.0.9/sound/pci/hda/hda_codec.h linux-3.0.9/sound/pci/hda/hda_codec.h
76972 --- linux-3.0.9/sound/pci/hda/hda_codec.h       2011-11-11 13:12:24.000000000 -0500
76973 +++ linux-3.0.9/sound/pci/hda/hda_codec.h       2011-11-15 20:03:00.000000000 -0500
76974 @@ -615,7 +615,7 @@ struct hda_bus_ops {
76975         /* notify power-up/down from codec to controller */
76976         void (*pm_notify)(struct hda_bus *bus);
76977  #endif
76978 -};
76979 +} __no_const;
76980  
76981  /* template to pass to the bus constructor */
76982  struct hda_bus_template {
76983 @@ -713,6 +713,7 @@ struct hda_codec_ops {
76984  #endif
76985         void (*reboot_notify)(struct hda_codec *codec);
76986  };
76987 +typedef struct hda_codec_ops __no_const hda_codec_ops_no_const;
76988  
76989  /* record for amp information cache */
76990  struct hda_cache_head {
76991 @@ -743,7 +744,7 @@ struct hda_pcm_ops {
76992                        struct snd_pcm_substream *substream);
76993         int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec,
76994                        struct snd_pcm_substream *substream);
76995 -};
76996 +} __no_const;
76997  
76998  /* PCM information for each substream */
76999  struct hda_pcm_stream {
77000 @@ -801,7 +802,7 @@ struct hda_codec {
77001         const char *modelname;  /* model name for preset */
77002  
77003         /* set by patch */
77004 -       struct hda_codec_ops patch_ops;
77005 +       hda_codec_ops_no_const patch_ops;
77006  
77007         /* PCM to create, set by patch_ops.build_pcms callback */
77008         unsigned int num_pcms;
77009 diff -urNp linux-3.0.9/sound/pci/ice1712/ice1712.h linux-3.0.9/sound/pci/ice1712/ice1712.h
77010 --- linux-3.0.9/sound/pci/ice1712/ice1712.h     2011-11-11 13:12:24.000000000 -0500
77011 +++ linux-3.0.9/sound/pci/ice1712/ice1712.h     2011-11-15 20:03:00.000000000 -0500
77012 @@ -269,7 +269,7 @@ struct snd_ak4xxx_private {
77013         unsigned int mask_flags;        /* total mask bits */
77014         struct snd_akm4xxx_ops {
77015                 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
77016 -       } ops;
77017 +       } __no_const ops;
77018  };
77019  
77020  struct snd_ice1712_spdif {
77021 @@ -285,7 +285,7 @@ struct snd_ice1712_spdif {
77022                 int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
77023                 void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
77024                 int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
77025 -       } ops;
77026 +       } __no_const ops;
77027  };
77028  
77029  
77030 diff -urNp linux-3.0.9/sound/pci/ymfpci/ymfpci_main.c linux-3.0.9/sound/pci/ymfpci/ymfpci_main.c
77031 --- linux-3.0.9/sound/pci/ymfpci/ymfpci_main.c  2011-11-11 13:12:24.000000000 -0500
77032 +++ linux-3.0.9/sound/pci/ymfpci/ymfpci_main.c  2011-11-15 20:03:00.000000000 -0500
77033 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
77034                 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
77035                         break;
77036         }
77037 -       if (atomic_read(&chip->interrupt_sleep_count)) {
77038 -               atomic_set(&chip->interrupt_sleep_count, 0);
77039 +       if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
77040 +               atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
77041                 wake_up(&chip->interrupt_sleep);
77042         }
77043        __end:
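Review bot: `atomic_read_unchecked()` / `atomic_set_unchecked()` on `chip->interrupt_sleep_count` only type-check if the field is changed from `atomic_t` to `atomic_unchecked_t` in sound/pci/ymfpci/ymfpci.h; that hunk is not in this part of the patch, so please confirm it is present. The same applies to the two later hunks in this file (`atomic_inc_unchecked` in snd_ymfpci_irq_wait and the read/set pair in snd_ymfpci_interrupt) and to the init in snd_ymfpci_create.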
77044 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
77045                         continue;
77046                 init_waitqueue_entry(&wait, current);
77047                 add_wait_queue(&chip->interrupt_sleep, &wait);
77048 -               atomic_inc(&chip->interrupt_sleep_count);
77049 +               atomic_inc_unchecked(&chip->interrupt_sleep_count);
77050                 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
77051                 remove_wait_queue(&chip->interrupt_sleep, &wait);
77052         }
77053 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
77054                 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
77055                 spin_unlock(&chip->reg_lock);
77056  
77057 -               if (atomic_read(&chip->interrupt_sleep_count)) {
77058 -                       atomic_set(&chip->interrupt_sleep_count, 0);
77059 +               if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
77060 +                       atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
77061                         wake_up(&chip->interrupt_sleep);
77062                 }
77063         }
77064 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
77065         spin_lock_init(&chip->reg_lock);
77066         spin_lock_init(&chip->voice_lock);
77067         init_waitqueue_head(&chip->interrupt_sleep);
77068 -       atomic_set(&chip->interrupt_sleep_count, 0);
77069 +       atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
77070         chip->card = card;
77071         chip->pci = pci;
77072         chip->irq = -1;
77073 diff -urNp linux-3.0.9/sound/soc/soc-core.c linux-3.0.9/sound/soc/soc-core.c
77074 --- linux-3.0.9/sound/soc/soc-core.c    2011-11-11 13:12:24.000000000 -0500
77075 +++ linux-3.0.9/sound/soc/soc-core.c    2011-11-15 20:03:00.000000000 -0500
77076 @@ -1021,7 +1021,7 @@ static snd_pcm_uframes_t soc_pcm_pointer
77077  }
77078  
77079  /* ASoC PCM operations */
77080 -static struct snd_pcm_ops soc_pcm_ops = {
77081 +static snd_pcm_ops_no_const soc_pcm_ops = {
77082         .open           = soc_pcm_open,
77083         .close          = soc_codec_close,
77084         .hw_params      = soc_pcm_hw_params,
77085 @@ -2128,6 +2128,7 @@ static int soc_new_pcm(struct snd_soc_pc
77086         rtd->pcm = pcm;
77087         pcm->private_data = rtd;
77088         if (platform->driver->ops) {
77089 +               /* this whole logic is broken... */
77090                 soc_pcm_ops.mmap = platform->driver->ops->mmap;
77091                 soc_pcm_ops.pointer = platform->driver->ops->pointer;
77092                 soc_pcm_ops.ioctl = platform->driver->ops->ioctl;
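Review bot: The added comment `/* this whole logic is broken... */` tells the next reader nothing about what is broken. The earlier hunk in this file shows `soc_pcm_ops` is a single file-scope object, and soc_new_pcm() assigns `platform->driver->ops->mmap`/`pointer`/`ioctl` into it, so every PCM created later by a different platform driver silently overwrites the callbacks of the ones created before; the comment should say so, e.g. `/* FIXME: soc_pcm_ops is one file-scope object shared by all cards; these assignments clobber the callbacks of PCMs created earlier by a different platform driver. */`. soc_new_pcm starts and ends outside the hunk.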
77093 diff -urNp linux-3.0.9/sound/usb/card.h linux-3.0.9/sound/usb/card.h
77094 --- linux-3.0.9/sound/usb/card.h        2011-11-11 13:12:24.000000000 -0500
77095 +++ linux-3.0.9/sound/usb/card.h        2011-11-15 20:03:00.000000000 -0500
77096 @@ -44,6 +44,7 @@ struct snd_urb_ops {
77097         int (*prepare_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
77098         int (*retire_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
77099  };
77100 +typedef struct snd_urb_ops __no_const snd_urb_ops_no_const;
77101  
77102  struct snd_usb_substream {
77103         struct snd_usb_stream *stream;
77104 @@ -93,7 +94,7 @@ struct snd_usb_substream {
77105         struct snd_pcm_hw_constraint_list rate_list;    /* limited rates */
77106         spinlock_t lock;
77107  
77108 -       struct snd_urb_ops ops;         /* callbacks (must be filled at init) */
77109 +       snd_urb_ops_no_const ops;               /* callbacks (must be filled at init) */
77110  };
77111  
77112  struct snd_usb_stream {
77113 diff -urNp linux-3.0.9/tools/gcc/checker_plugin.c linux-3.0.9/tools/gcc/checker_plugin.c
77114 --- linux-3.0.9/tools/gcc/checker_plugin.c      1969-12-31 19:00:00.000000000 -0500
77115 +++ linux-3.0.9/tools/gcc/checker_plugin.c      2011-11-15 20:03:00.000000000 -0500
77116 @@ -0,0 +1,169 @@
77117 +/*
77118 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
77119 + * Licensed under the GPL v2
77120 + *
77121 + * Note: the choice of the license means that the compilation process is
77122 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
77123 + *       but for the kernel it doesn't matter since it doesn't link against
77124 + *       any of the gcc libraries
77125 + *
77126 + * gcc plugin to implement various sparse (source code checker) features
77127 + *
77128 + * TODO:
77129 + * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
77130 + *
77131 + * BUGS:
77132 + * - none known
77133 + */
77134 +#include "gcc-plugin.h"
77135 +#include "config.h"
77136 +#include "system.h"
77137 +#include "coretypes.h"
77138 +#include "tree.h"
77139 +#include "tree-pass.h"
77140 +#include "intl.h"
77141 +#include "plugin-version.h"
77142 +#include "tm.h"
77143 +#include "toplev.h"
77144 +#include "basic-block.h"
77145 +#include "gimple.h"
77146 +//#include "expr.h" where are you...
77147 +#include "diagnostic.h"
77148 +#include "rtl.h"
77149 +#include "emit-rtl.h"
77150 +#include "function.h"
77151 +#include "tree-flow.h"
77152 +#include "target.h"
77153 +
77154 +extern void c_register_addr_space (const char *str, addr_space_t as);
77155 +extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
77156 +extern enum machine_mode default_addr_space_address_mode (addr_space_t);
77157 +extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
77158 +extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
77159 +extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
77160 +
77161 +extern void print_gimple_stmt(FILE *, gimple, int, int);
77162 +extern rtx emit_move_insn(rtx x, rtx y);
77163 +
77164 +int plugin_is_GPL_compatible;
77165 +
77166 +static struct plugin_info checker_plugin_info = {
77167 +       .version        = "201110031940",
77168 +};
77169 +
77170 +#define ADDR_SPACE_KERNEL              0
77171 +#define ADDR_SPACE_FORCE_KERNEL                1
77172 +#define ADDR_SPACE_USER                        2
77173 +#define ADDR_SPACE_FORCE_USER          3
77174 +#define ADDR_SPACE_IOMEM               0
77175 +#define ADDR_SPACE_FORCE_IOMEM         0
77176 +#define ADDR_SPACE_PERCPU              0
77177 +#define ADDR_SPACE_FORCE_PERCPU                0
77178 +#define ADDR_SPACE_RCU                 0
77179 +#define ADDR_SPACE_FORCE_RCU           0
77180 +
77181 +static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
77182 +{
77183 +       return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
77184 +}
77185 +
77186 +static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
77187 +{
77188 +       return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
77189 +}
77190 +
77191 +static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
77192 +{
77193 +       return default_addr_space_valid_pointer_mode(mode, as);
77194 +}
77195 +
77196 +static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
77197 +{
77198 +       return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
77199 +}
77200 +
77201 +static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
77202 +{
77203 +       return default_addr_space_legitimize_address(x, oldx, mode, as);
77204 +}
77205 +
77206 +static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
77207 +{
77208 +       if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
77209 +               return true;
77210 +
77211 +       if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
77212 +               return true;
77213 +
77214 +       if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
77215 +               return true;
77216 +
77217 +       if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
77218 +               return true;
77219 +
77220 +       if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
77221 +               return true;
77222 +
77223 +       if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
77224 +               return true;
77225 +
77226 +       if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
77227 +               return true;
77228 +
77229 +       return subset == superset;
77230 +}
77231 +
77232 +static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
77233 +{
77234 +//     addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
77235 +//     addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
77236 +
77237 +       return op;
77238 +}
77239 +
77240 +static void register_checker_address_spaces(void *event_data, void *data)
77241 +{
77242 +       c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
77243 +       c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
77244 +       c_register_addr_space("__user", ADDR_SPACE_USER);
77245 +       c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
77246 +//     c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
77247 +//     c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
77248 +//     c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
77249 +//     c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
77250 +//     c_register_addr_space("__rcu", ADDR_SPACE_RCU);
77251 +//     c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
77252 +
77253 +       targetm.addr_space.pointer_mode         = checker_addr_space_pointer_mode;
77254 +       targetm.addr_space.address_mode         = checker_addr_space_address_mode;
77255 +       targetm.addr_space.valid_pointer_mode   = checker_addr_space_valid_pointer_mode;
77256 +       targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
77257 +//     targetm.addr_space.legitimize_address   = checker_addr_space_legitimize_address;
77258 +       targetm.addr_space.subset_p             = checker_addr_space_subset_p;
77259 +       targetm.addr_space.convert              = checker_addr_space_convert;
77260 +}
77261 +
77262 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77263 +{
77264 +       const char * const plugin_name = plugin_info->base_name;
77265 +       const int argc = plugin_info->argc;
77266 +       const struct plugin_argument * const argv = plugin_info->argv;
77267 +       int i;
77268 +
77269 +       if (!plugin_default_version_check(version, &gcc_version)) {
77270 +               error(G_("incompatible gcc/plugin versions"));
77271 +               return 1;
77272 +       }
77273 +
77274 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
77275 +
77276 +       for (i = 0; i < argc; ++i)
77277 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
77278 +
77279 +       if (TARGET_64BIT == 0)
77280 +               return 0;
77281 +
77282 +       register_callback (plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
77283 +
77284 +       return 0;
77285 +}
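Review bot: In `checker_addr_space_subset_p` several clauses collapse because ADDR_SPACE_IOMEM and ADDR_SPACE_FORCE_IOMEM are both defined as 0, the same value as ADDR_SPACE_KERNEL: the two IOMEM/FORCE_IOMEM checks reduce to `subset == superset`, and `subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL` in fact admits a KERNEL to FORCE_KERNEL conversion. If that is intentional while __iomem is still the TODO noted in the header, a comment on the defines such as `/* IOMEM/PERCPU/RCU are placeholders aliased to the kernel space; revisit subset_p when they become real address spaces */` would keep the subset table from being misread as a working __iomem check. Separately, `error(G_("unkown option '-fplugin-arg-%s-%s'"), ...)` misspells "unknown", and plugin_init reports unknown options but then proceeds to register the callback and returns 0 anyway.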
77286 diff -urNp linux-3.0.9/tools/gcc/constify_plugin.c linux-3.0.9/tools/gcc/constify_plugin.c
77287 --- linux-3.0.9/tools/gcc/constify_plugin.c     1969-12-31 19:00:00.000000000 -0500
77288 +++ linux-3.0.9/tools/gcc/constify_plugin.c     2011-11-15 20:03:00.000000000 -0500
77289 @@ -0,0 +1,293 @@
77290 +/*
77291 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
77292 + * Copyright 2011 by PaX Team <pageexec@freemail.hu>
77293 + * Licensed under the GPL v2, or (at your option) v3
77294 + *
77295 + * This gcc plugin constifies all structures which contain only function pointers or are explicitly marked for constification.
77296 + *
77297 + * Homepage:
77298 + * http://www.grsecurity.net/~ephox/const_plugin/
77299 + *
77300 + * Usage:
77301 + * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o constify_plugin.so constify_plugin.c
77302 + * $ gcc -fplugin=constify_plugin.so test.c -O2
77303 + */
77304 +
77305 +#include "gcc-plugin.h"
77306 +#include "config.h"
77307 +#include "system.h"
77308 +#include "coretypes.h"
77309 +#include "tree.h"
77310 +#include "tree-pass.h"
77311 +#include "intl.h"
77312 +#include "plugin-version.h"
77313 +#include "tm.h"
77314 +#include "toplev.h"
77315 +#include "function.h"
77316 +#include "tree-flow.h"
77317 +#include "plugin.h"
77318 +#include "diagnostic.h"
77319 +//#include "c-tree.h"
77320 +
77321 +#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
77322 +
77323 +int plugin_is_GPL_compatible;
77324 +
77325 +static struct plugin_info const_plugin_info = {
77326 +       .version        = "20110826",
77327 +       .help           = "no-constify\tturn off constification\n",
77328 +};
77329 +
77330 +static void constify_type(tree type);
77331 +static bool walk_struct(tree node);
77332 +
77333 +static tree deconstify_type(tree old_type)
77334 +{
77335 +       tree new_type, field;
77336 +
77337 +       new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
77338 +       TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
77339 +       for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
77340 +               DECL_FIELD_CONTEXT(field) = new_type;
77341 +       TYPE_READONLY(new_type) = 0;
77342 +       C_TYPE_FIELDS_READONLY(new_type) = 0;
77343 +       return new_type;
77344 +}
77345 +
77346 +static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
77347 +{
77348 +       tree type;
77349 +
77350 +       *no_add_attrs = true;
77351 +       if (TREE_CODE(*node) == FUNCTION_DECL) {
77352 +               error("%qE attribute does not apply to functions", name);
77353 +               return NULL_TREE;
77354 +       }
77355 +
77356 +       if (TREE_CODE(*node) == VAR_DECL) {
77357 +               error("%qE attribute does not apply to variables", name);
77358 +               return NULL_TREE;
77359 +       }
77360 +
77361 +       if (TYPE_P(*node)) {
77362 +               if (TREE_CODE(*node) == RECORD_TYPE || TREE_CODE(*node) == UNION_TYPE)
77363 +                       *no_add_attrs = false;
77364 +               else
77365 +                       error("%qE attribute applies to struct and union types only", name);
77366 +               return NULL_TREE;
77367 +       }
77368 +
77369 +       type = TREE_TYPE(*node);
77370 +
77371 +       if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
77372 +               error("%qE attribute applies to struct and union types only", name);
77373 +               return NULL_TREE;
77374 +       }
77375 +
77376 +       if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
77377 +               error("%qE attribute is already applied to the type", name);
77378 +               return NULL_TREE;
77379 +       }
77380 +
77381 +       if (TREE_CODE(*node) == TYPE_DECL && !TYPE_READONLY(type)) {
77382 +               error("%qE attribute used on type that is not constified", name);
77383 +               return NULL_TREE;
77384 +       }
77385 +
77386 +       if (TREE_CODE(*node) == TYPE_DECL) {
77387 +               TREE_TYPE(*node) = deconstify_type(type);
77388 +               TREE_READONLY(*node) = 0;
77389 +               return NULL_TREE;
77390 +       }
77391 +
77392 +       return NULL_TREE;
77393 +}
77394 +
77395 +static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
77396 +{
77397 +       *no_add_attrs = true;
77398 +       if (!TYPE_P(*node)) {
77399 +               error("%qE attribute applies to types only", name);
77400 +               return NULL_TREE;
77401 +       }
77402 +
77403 +       if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
77404 +               error("%qE attribute applies to struct and union types only", name);
77405 +               return NULL_TREE;
77406 +       }
77407 +
77408 +       *no_add_attrs = false;
77409 +       constify_type(*node);
77410 +       return NULL_TREE;
77411 +}
77412 +
77413 +static struct attribute_spec no_const_attr = {
77414 +       .name                   = "no_const",
77415 +       .min_length             = 0,
77416 +       .max_length             = 0,
77417 +       .decl_required          = false,
77418 +       .type_required          = false,
77419 +       .function_type_required = false,
77420 +       .handler                = handle_no_const_attribute
77421 +};
77422 +
77423 +static struct attribute_spec do_const_attr = {
77424 +       .name                   = "do_const",
77425 +       .min_length             = 0,
77426 +       .max_length             = 0,
77427 +       .decl_required          = false,
77428 +       .type_required          = false,
77429 +       .function_type_required = false,
77430 +       .handler                = handle_do_const_attribute
77431 +};
77432 +
77433 +static void register_attributes(void *event_data, void *data)
77434 +{
77435 +       register_attribute(&no_const_attr);
77436 +       register_attribute(&do_const_attr);
77437 +}
77438 +
77439 +static void constify_type(tree type)
77440 +{
77441 +       TYPE_READONLY(type) = 1;
77442 +       C_TYPE_FIELDS_READONLY(type) = 1;
77443 +}
77444 +
77445 +static bool is_fptr(tree field)
77446 +{
77447 +       tree ptr = TREE_TYPE(field);
77448 +
77449 +       if (TREE_CODE(ptr) != POINTER_TYPE)
77450 +               return false;
77451 +
77452 +       return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
77453 +}
77454 +
77455 +static bool walk_struct(tree node)
77456 +{
77457 +       tree field;
77458 +
77459 +       if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
77460 +               return false;
77461 +
77462 +       if (TYPE_FIELDS(node) == NULL_TREE)
77463 +               return false;
77464 +
77465 +       for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
77466 +               tree type = TREE_TYPE(field);
77467 +               enum tree_code code = TREE_CODE(type);
77468 +               if (code == RECORD_TYPE || code == UNION_TYPE) {
77469 +                       if (!(walk_struct(type)))
77470 +                               return false;
77471 +               } else if (!is_fptr(field) && !TREE_READONLY(field))
77472 +                       return false;
77473 +       }
77474 +       return true;
77475 +}
77476 +
77477 +static void finish_type(void *event_data, void *data)
77478 +{
77479 +       tree type = (tree)event_data;
77480 +
77481 +       if (type == NULL_TREE)
77482 +               return;
77483 +
77484 +       if (TYPE_READONLY(type))
77485 +               return;
77486 +
77487 +       if (walk_struct(type))
77488 +               constify_type(type);
77489 +}
77490 +
77491 +static unsigned int check_local_variables(void);
77492 +
77493 +struct gimple_opt_pass pass_local_variable = {
77494 +       {
77495 +               .type                   = GIMPLE_PASS,
77496 +               .name                   = "check_local_variables",
77497 +               .gate                   = NULL,
77498 +               .execute                = check_local_variables,
77499 +               .sub                    = NULL,
77500 +               .next                   = NULL,
77501 +               .static_pass_number     = 0,
77502 +               .tv_id                  = TV_NONE,
77503 +               .properties_required    = 0,
77504 +               .properties_provided    = 0,
77505 +               .properties_destroyed   = 0,
77506 +               .todo_flags_start       = 0,
77507 +               .todo_flags_finish      = 0
77508 +       }
77509 +};
77510 +
77511 +static unsigned int check_local_variables(void)
77512 +{
77513 +       tree var;
77514 +       referenced_var_iterator rvi;
77515 +
77516 +#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
77517 +       FOR_EACH_REFERENCED_VAR(var, rvi) {
77518 +#else
77519 +       FOR_EACH_REFERENCED_VAR(cfun, var, rvi) {
77520 +#endif
77521 +               tree type = TREE_TYPE(var);
77522 +
77523 +               if (!DECL_P(var) || TREE_STATIC(var) || DECL_EXTERNAL(var))
77524 +                       continue;
77525 +
77526 +               if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
77527 +                       continue;
77528 +
77529 +               if (!TYPE_READONLY(type))
77530 +                       continue;
77531 +
77532 +//             if (lookup_attribute("no_const", DECL_ATTRIBUTES(var)))
77533 +//                     continue;
77534 +
77535 +//             if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
77536 +//                     continue;
77537 +
77538 +               if (walk_struct(type)) {
77539 +                       error("constified variable %qE cannot be local", var);
77540 +                       return 1;
77541 +               }
77542 +       }
77543 +       return 0;
77544 +}
77545 +
77546 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77547 +{
77548 +       const char * const plugin_name = plugin_info->base_name;
77549 +       const int argc = plugin_info->argc;
77550 +       const struct plugin_argument * const argv = plugin_info->argv;
77551 +       int i;
77552 +       bool constify = true;
77553 +
77554 +       struct register_pass_info local_variable_pass_info = {
77555 +               .pass                           = &pass_local_variable.pass,
77556 +               .reference_pass_name            = "*referenced_vars",
77557 +               .ref_pass_instance_number       = 0,
77558 +               .pos_op                         = PASS_POS_INSERT_AFTER
77559 +       };
77560 +
77561 +       if (!plugin_default_version_check(version, &gcc_version)) {
77562 +               error(G_("incompatible gcc/plugin versions"));
77563 +               return 1;
77564 +       }
77565 +
77566 +       for (i = 0; i < argc; ++i) {
77567 +               if (!(strcmp(argv[i].key, "no-constify"))) {
77568 +                       constify = false;
77569 +                       continue;
77570 +               }
77571 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
77572 +       }
77573 +
77574 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
77575 +       if (constify) {
77576 +               register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
77577 +               register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &local_variable_pass_info);
77578 +       }
77579 +       register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
77580 +
77581 +       return 0;
77582 +}
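Review bot: `struct gimple_opt_pass pass_local_variable` is a non-static global, unlike every other file-scope object in this file and unlike `static struct gimple_opt_pass kallocstat_pass` in kallocstat_plugin.c; `static struct gimple_opt_pass pass_local_variable = {` keeps it out of the plugin's exported symbols. In `check_local_variables`, the `return 1;` after `error()` is handed back to the pass manager as a TODO-flags bitmask, not a status code; `return 0;` there avoids requesting a TODO flag by accident, since the `error()` call already fails the compilation. The option-loop message `G_("unkown option '-fplugin-arg-%s-%s'")` misspells "unknown" (the same string appears in checker_plugin.c).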
77583 diff -urNp linux-3.0.9/tools/gcc/kallocstat_plugin.c linux-3.0.9/tools/gcc/kallocstat_plugin.c
77584 --- linux-3.0.9/tools/gcc/kallocstat_plugin.c   1969-12-31 19:00:00.000000000 -0500
77585 +++ linux-3.0.9/tools/gcc/kallocstat_plugin.c   2011-11-15 20:03:00.000000000 -0500
77586 @@ -0,0 +1,165 @@
77587 +/*
77588 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
77589 + * Licensed under the GPL v2
77590 + *
77591 + * Note: the choice of the license means that the compilation process is
77592 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
77593 + *       but for the kernel it doesn't matter since it doesn't link against
77594 + *       any of the gcc libraries
77595 + *
77596 + * gcc plugin to find the distribution of k*alloc sizes
77597 + *
77598 + * TODO:
77599 + *
77600 + * BUGS:
77601 + * - none known
77602 + */
77603 +#include "gcc-plugin.h"
77604 +#include "config.h"
77605 +#include "system.h"
77606 +#include "coretypes.h"
77607 +#include "tree.h"
77608 +#include "tree-pass.h"
77609 +#include "intl.h"
77610 +#include "plugin-version.h"
77611 +#include "tm.h"
77612 +#include "toplev.h"
77613 +#include "basic-block.h"
77614 +#include "gimple.h"
77615 +//#include "expr.h" where are you...
77616 +#include "diagnostic.h"
77617 +#include "rtl.h"
77618 +#include "emit-rtl.h"
77619 +#include "function.h"
77620 +
77621 +extern void print_gimple_stmt(FILE *, gimple, int, int);
77622 +
77623 +int plugin_is_GPL_compatible;
77624 +
77625 +static const char * const kalloc_functions[] = {
77626 +       "__kmalloc",
77627 +       "kmalloc",
77628 +       "kmalloc_large",
77629 +       "kmalloc_node",
77630 +       "kmalloc_order",
77631 +       "kmalloc_order_trace",
77632 +       "kmalloc_slab",
77633 +       "kzalloc",
77634 +       "kzalloc_node",
77635 +};
77636 +
77637 +static struct plugin_info kallocstat_plugin_info = {
77638 +       .version        = "201109121100",
77639 +};
77640 +
77641 +static unsigned int execute_kallocstat(void);
77642 +
77643 +static struct gimple_opt_pass kallocstat_pass = {
77644 +       .pass = {
77645 +               .type                   = GIMPLE_PASS,
77646 +               .name                   = "kallocstat",
77647 +               .gate                   = NULL,
77648 +               .execute                = execute_kallocstat,
77649 +               .sub                    = NULL,
77650 +               .next                   = NULL,
77651 +               .static_pass_number     = 0,
77652 +               .tv_id                  = TV_NONE,
77653 +               .properties_required    = 0,
77654 +               .properties_provided    = 0,
77655 +               .properties_destroyed   = 0,
77656 +               .todo_flags_start       = 0,
77657 +               .todo_flags_finish      = 0
77658 +       }
77659 +};
77660 +
77661 +static bool is_kalloc(const char *fnname)
77662 +{
77663 +       size_t i;
77664 +
77665 +       for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
77666 +               if (!strcmp(fnname, kalloc_functions[i]))
77667 +                       return true;
77668 +       return false;
77669 +}
77670 +
77671 +static unsigned int execute_kallocstat(void)
77672 +{
77673 +       basic_block bb;
77674 +
77675 +       // 1. loop through BBs and GIMPLE statements
77676 +       FOR_EACH_BB(bb) {
77677 +               gimple_stmt_iterator gsi;
77678 +               for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
77679 +                       // gimple match: 
77680 +                       tree fndecl, size;
77681 +                       gimple call_stmt;
77682 +                       const char *fnname;
77683 +
77684 +                       // is it a call
77685 +                       call_stmt = gsi_stmt(gsi);
77686 +                       if (!is_gimple_call(call_stmt))
77687 +                               continue;
77688 +                       fndecl = gimple_call_fndecl(call_stmt);
77689 +                       if (fndecl == NULL_TREE)
77690 +                               continue;
77691 +                       if (TREE_CODE(fndecl) != FUNCTION_DECL)
77692 +                               continue;
77693 +
77694 +                       // is it a call to k*alloc
77695 +                       fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
77696 +                       if (!is_kalloc(fnname))
77697 +                               continue;
77698 +
77699 +                       // is the size arg the result of a simple const assignment
77700 +                       size = gimple_call_arg(call_stmt, 0);
77701 +                       while (true) {
77702 +                               gimple def_stmt;
77703 +                               expanded_location xloc;
77704 +                               size_t size_val;
77705 +
77706 +                               if (TREE_CODE(size) != SSA_NAME)
77707 +                                       break;
77708 +                               def_stmt = SSA_NAME_DEF_STMT(size);
77709 +                               if (!def_stmt || !is_gimple_assign(def_stmt))
77710 +                                       break;
77711 +                               if (gimple_num_ops(def_stmt) != 2)
77712 +                                       break;
77713 +                               size = gimple_assign_rhs1(def_stmt);
77714 +                               if (!TREE_CONSTANT(size))
77715 +                                       continue;
77716 +                               xloc = expand_location(gimple_location(def_stmt));
77717 +                               if (!xloc.file)
77718 +                                       xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
77719 +                               size_val = TREE_INT_CST_LOW(size);
77720 +                               fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
77721 +                               break;
77722 +                       }
77723 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
77724 +//debug_tree(gimple_call_fn(call_stmt));
77725 +//print_node(stderr, "pax", fndecl, 4);
77726 +               }
77727 +       }
77728 +
77729 +       return 0;
77730 +}
77731 +
77732 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77733 +{
77734 +       const char * const plugin_name = plugin_info->base_name;
77735 +       struct register_pass_info kallocstat_pass_info = {
77736 +               .pass                           = &kallocstat_pass.pass,
77737 +               .reference_pass_name            = "ssa",
77738 +               .ref_pass_instance_number       = 0,
77739 +               .pos_op                         = PASS_POS_INSERT_AFTER
77740 +       };
77741 +
77742 +       if (!plugin_default_version_check(version, &gcc_version)) {
77743 +               error(G_("incompatible gcc/plugin versions"));
77744 +               return 1;
77745 +       }
77746 +
77747 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
77748 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
77749 +
77750 +       return 0;
77751 +}
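Review bot: In the `while (true)` loop of execute_kallocstat the test `if (!TREE_CONSTANT(size)) continue;` admits any tree carrying the TREE_CONSTANT flag, but the following `TREE_INT_CST_LOW(size)` is only valid for an INTEGER_CST; an ADDR_EXPR of a static object is also constant-flagged, and a checking-enabled gcc would abort on that access. Testing the code directly, `if (TREE_CODE(size) != INTEGER_CST) continue;`, keeps following SSA chains exactly as before and rejects the other constant kinds. The `fprintf` prints `xloc.line` with `%u` while expanded_location declares its line as an int, so `%d` is the matching conversion. The header's empty `TODO:` section could either list the planned work or be dropped.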
77752 diff -urNp linux-3.0.9/tools/gcc/kernexec_plugin.c linux-3.0.9/tools/gcc/kernexec_plugin.c
77753 --- linux-3.0.9/tools/gcc/kernexec_plugin.c     1969-12-31 19:00:00.000000000 -0500
77754 +++ linux-3.0.9/tools/gcc/kernexec_plugin.c     2011-11-15 20:03:00.000000000 -0500
77755 @@ -0,0 +1,273 @@
77756 +/*
77757 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
77758 + * Licensed under the GPL v2
77759 + *
77760 + * Note: the choice of the license means that the compilation process is
77761 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
77762 + *       but for the kernel it doesn't matter since it doesn't link against
77763 + *       any of the gcc libraries
77764 + *
77765 + * gcc plugin to make KERNEXEC/amd64 almost as good as it is on i386
77766 + *
77767 + * TODO:
77768 + *
77769 + * BUGS:
77770 + * - none known
77771 + */
77772 +#include "gcc-plugin.h"
77773 +#include "config.h"
77774 +#include "system.h"
77775 +#include "coretypes.h"
77776 +#include "tree.h"
77777 +#include "tree-pass.h"
77778 +#include "intl.h"
77779 +#include "plugin-version.h"
77780 +#include "tm.h"
77781 +#include "toplev.h"
77782 +#include "basic-block.h"
77783 +#include "gimple.h"
77784 +//#include "expr.h" where are you...
77785 +#include "diagnostic.h"
77786 +#include "rtl.h"
77787 +#include "emit-rtl.h"
77788 +#include "function.h"
77789 +#include "tree-flow.h"
77790 +
77791 +extern void print_gimple_stmt(FILE *, gimple, int, int);
77792 +extern rtx emit_move_insn(rtx x, rtx y);
77793 +
77794 +int plugin_is_GPL_compatible;
77795 +
77796 +static struct plugin_info kernexec_plugin_info = {
77797 +       .version        = "201110032145",
77798 +};
77799 +
77800 +static unsigned int execute_kernexec_fptr(void);
77801 +static unsigned int execute_kernexec_retaddr(void);
77802 +static bool kernexec_cmodel_check(void);
77803 +
77804 +static struct gimple_opt_pass kernexec_fptr_pass = {
77805 +       .pass = {
77806 +               .type                   = GIMPLE_PASS,
77807 +               .name                   = "kernexec_fptr",
77808 +               .gate                   = kernexec_cmodel_check,
77809 +               .execute                = execute_kernexec_fptr,
77810 +               .sub                    = NULL,
77811 +               .next                   = NULL,
77812 +               .static_pass_number     = 0,
77813 +               .tv_id                  = TV_NONE,
77814 +               .properties_required    = 0,
77815 +               .properties_provided    = 0,
77816 +               .properties_destroyed   = 0,
77817 +               .todo_flags_start       = 0,
77818 +               .todo_flags_finish      = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
77819 +       }
77820 +};
77821 +
77822 +static struct rtl_opt_pass kernexec_retaddr_pass = {
77823 +       .pass = {
77824 +               .type                   = RTL_PASS,
77825 +               .name                   = "kernexec_retaddr",
77826 +               .gate                   = kernexec_cmodel_check,
77827 +               .execute                = execute_kernexec_retaddr,
77828 +               .sub                    = NULL,
77829 +               .next                   = NULL,
77830 +               .static_pass_number     = 0,
77831 +               .tv_id                  = TV_NONE,
77832 +               .properties_required    = 0,
77833 +               .properties_provided    = 0,
77834 +               .properties_destroyed   = 0,
77835 +               .todo_flags_start       = 0,
77836 +               .todo_flags_finish      = TODO_dump_func | TODO_ggc_collect
77837 +       }
77838 +};
77839 +
77840 +static bool kernexec_cmodel_check(void)
77841 +{
77842 +       tree section;
77843 +
77844 +       if (ix86_cmodel != CM_KERNEL)
77845 +               return false;
77846 +
77847 +       section = lookup_attribute("__section__", DECL_ATTRIBUTES(current_function_decl));
77848 +       if (!section || !TREE_VALUE(section))
77849 +               return true;
77850 +
77851 +       section = TREE_VALUE(TREE_VALUE(section));
77852 +       if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
77853 +               return true;
77854 +
77855 +       return false;
77856 +}
77857 +
77858 +/*
77859 + * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
77860 + * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
77861 + */
77862 +static void kernexec_instrument_fptr(gimple_stmt_iterator gsi)
77863 +{
77864 +       gimple assign_intptr, assign_new_fptr, call_stmt;
77865 +       tree intptr, old_fptr, new_fptr, kernexec_mask;
77866 +
77867 +       call_stmt = gsi_stmt(gsi);
77868 +       old_fptr = gimple_call_fn(call_stmt);
77869 +
77870 +       // create temporary unsigned long variable used for bitops and cast fptr to it
77871 +       intptr = create_tmp_var(long_unsigned_type_node, NULL);
77872 +       add_referenced_var(intptr);
77873 +       mark_sym_for_renaming(intptr);
77874 +       assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
77875 +       update_stmt(assign_intptr);
77876 +       gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
77877 +
77878 +       // apply logical or to temporary unsigned long and bitmask
77879 +       kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
77880 +//     kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
77881 +       assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
77882 +       update_stmt(assign_intptr);
77883 +       gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
77884 +
77885 +       // cast temporary unsigned long back to a temporary fptr variable
77886 +       new_fptr = create_tmp_var(TREE_TYPE(old_fptr), NULL);
77887 +       add_referenced_var(new_fptr);
77888 +       mark_sym_for_renaming(new_fptr);
77889 +       assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
77890 +       update_stmt(assign_new_fptr);
77891 +       gsi_insert_before(&gsi, assign_new_fptr, GSI_SAME_STMT);
77892 +
77893 +       // replace call stmt fn with the new fptr
77894 +       gimple_call_set_fn(call_stmt, new_fptr);
77895 +       update_stmt(call_stmt);
77896 +}
77897 +
77898 +/*
77899 + * find all C level function pointer dereferences and forcibly set the highest bit of the pointer
77900 + */
77901 +static unsigned int execute_kernexec_fptr(void)
77902 +{
77903 +       basic_block bb;
77904 +       gimple_stmt_iterator gsi;
77905 +
77906 +       // 1. loop through BBs and GIMPLE statements
77907 +       FOR_EACH_BB(bb) {
77908 +               for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
77909 +                       // gimple match: h_1 = get_fptr (); D.2709_3 = h_1 (x_2(D));
77910 +                       tree fn;
77911 +                       gimple call_stmt;
77912 +
77913 +                       // is it a call ...
77914 +                       call_stmt = gsi_stmt(gsi);
77915 +                       if (!is_gimple_call(call_stmt))
77916 +                               continue;
77917 +                       fn = gimple_call_fn(call_stmt);
77918 +                       if (TREE_CODE(fn) == ADDR_EXPR)
77919 +                               continue;
77920 +                       if (TREE_CODE(fn) != SSA_NAME)
77921 +                               gcc_unreachable();
77922 +
77923 +                       // ... through a function pointer
77924 +                       fn = SSA_NAME_VAR(fn);
77925 +                       if (TREE_CODE(fn) != VAR_DECL && TREE_CODE(fn) != PARM_DECL)
77926 +                               continue;
77927 +                       fn = TREE_TYPE(fn);
77928 +                       if (TREE_CODE(fn) != POINTER_TYPE)
77929 +                               continue;
77930 +                       fn = TREE_TYPE(fn);
77931 +                       if (TREE_CODE(fn) != FUNCTION_TYPE)
77932 +                               continue;
77933 +
77934 +                       kernexec_instrument_fptr(gsi);
77935 +
77936 +//debug_tree(gimple_call_fn(call_stmt));
77937 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
77938 +               }
77939 +       }
77940 +
77941 +       return 0;
77942 +}
77943 +
77944 +// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
77945 +static void kernexec_instrument_retaddr(rtx insn)
77946 +{
77947 +       rtx btsq;
77948 +       rtvec argvec, constraintvec, labelvec;
77949 +       int line;
77950 +
77951 +       // create asm volatile("btsq $63,(%%rsp)":::)
77952 +       argvec = rtvec_alloc(0);
77953 +       constraintvec = rtvec_alloc(0);
77954 +       labelvec = rtvec_alloc(0);
77955 +       line = expand_location(RTL_LOCATION(insn)).line;
77956 +       btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
77957 +       MEM_VOLATILE_P(btsq) = 1;
77958 +       RTX_FRAME_RELATED_P(btsq) = 1;
77959 +       emit_insn_before(btsq, insn);
77960 +}
77961 +
77962 +/*
77963 + * find all asm level function returns and forcibly set the highest bit of the return address
77964 + */
77965 +static unsigned int execute_kernexec_retaddr(void)
77966 +{
77967 +       rtx insn;
77968 +
77969 +       // 1. find function returns
77970 +       for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
77971 +               // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil))
77972 +               //            (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil))
77973 +               rtx body;
77974 +
77975 +               // is it a retn
77976 +               if (!JUMP_P(insn))
77977 +                       continue;
77978 +               body = PATTERN(insn);
77979 +               if (GET_CODE(body) == PARALLEL)
77980 +                       body = XVECEXP(body, 0, 0);
77981 +               if (GET_CODE(body) != RETURN)
77982 +                       continue;
77983 +               kernexec_instrument_retaddr(insn);
77984 +       }
77985 +
77986 +//     print_simple_rtl(stderr, get_insns());
77987 +//     print_rtl(stderr, get_insns());
77988 +
77989 +       return 0;
77990 +}
77991 +
77992 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77993 +{
77994 +       const char * const plugin_name = plugin_info->base_name;
77995 +       const int argc = plugin_info->argc;
77996 +       const struct plugin_argument * const argv = plugin_info->argv;
77997 +       int i;
77998 +       struct register_pass_info kernexec_fptr_pass_info = {
77999 +               .pass                           = &kernexec_fptr_pass.pass,
78000 +               .reference_pass_name            = "ssa",
78001 +               .ref_pass_instance_number       = 0,
78002 +               .pos_op                         = PASS_POS_INSERT_AFTER
78003 +       };
78004 +       struct register_pass_info kernexec_retaddr_pass_info = {
78005 +               .pass                           = &kernexec_retaddr_pass.pass,
78006 +               .reference_pass_name            = "pro_and_epilogue",
78007 +               .ref_pass_instance_number       = 0,
78008 +               .pos_op                         = PASS_POS_INSERT_AFTER
78009 +       };
78010 +
78011 +       if (!plugin_default_version_check(version, &gcc_version)) {
78012 +               error(G_("incompatible gcc/plugin versions"));
78013 +               return 1;
78014 +       }
78015 +
78016 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &kernexec_plugin_info);
78017 +
78018 +       for (i = 0; i < argc; ++i)
78019 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
78020 +
78021 +       if (TARGET_64BIT == 0)
78022 +               return 0;
78023 +
78024 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
78025 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_retaddr_pass_info);
78026 +
78027 +       return 0;
78028 +}
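Review bot: The diagnostic in plugin_init, `error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);`, misspells "unknown"; the identical string appears in stackleak_plugin.c's plugin_init later in this patch and both should read `unknown option`. Separately, kernexec_instrument_fptr declares `intptr` with `long_unsigned_type_node` but builds `kernexec_mask` and the BIT_IOR_EXPR with `long_long_unsigned_type_node`; on LP64 the two have equal precision so the statement verifier accepts it, but using `long_unsigned_type_node` for all three keeps the generated GIMPLE self-consistent. In execute_kernexec_fptr the `gcc_unreachable()` on a call fn that is neither ADDR_EXPR nor SSA_NAME turns any other call-expression shape into a compiler crash; if such shapes can reach this pass, a `warning()` plus `continue` would degrade more gracefully, and a comment stating why only these two forms are expected would help either way.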
78029 diff -urNp linux-3.0.9/tools/gcc/Makefile linux-3.0.9/tools/gcc/Makefile
78030 --- linux-3.0.9/tools/gcc/Makefile      1969-12-31 19:00:00.000000000 -0500
78031 +++ linux-3.0.9/tools/gcc/Makefile      2011-11-15 20:03:00.000000000 -0500
78032 @@ -0,0 +1,21 @@
78033 +#CC := gcc
78034 +#PLUGIN_SOURCE_FILES := pax_plugin.c
78035 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
78036 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
78037 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
78038 +
78039 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
78040 +
78041 +hostlibs-y := constify_plugin.so
78042 +hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
78043 +hostlibs-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
78044 +hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
78045 +hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
78046 +
78047 +always := $(hostlibs-y)
78048 +
78049 +stackleak_plugin-objs := stackleak_plugin.o
78050 +constify_plugin-objs := constify_plugin.o
78051 +kallocstat_plugin-objs := kallocstat_plugin.o
78052 +kernexec_plugin-objs := kernexec_plugin.o
78053 +checker_plugin-objs := checker_plugin.o
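Review bot: The first five lines carry commented-out `CC`, `PLUGIN_SOURCE_FILES`, `PLUGIN_OBJECT_FILES` and `CFLAGS` assignments that the kbuild variables below supersede; dead configuration in a newly added file should be removed rather than committed. `GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)` is expected to print just `plugin` when the host compiler has no plugin directory, in which case the include path silently becomes `plugin/include` and the build fails later with a confusing missing-header error; a guard along the lines of `ifeq ($(wildcard $(GCCPLUGINS_DIR)/include/gcc-plugin.h),)` followed by `$(error gcc plugin headers not found)` would make the requirement explicit. A one-line comment above `hostlibs-y` noting that the constify plugin is always built while the others are config-gated would also help readers.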
78054 diff -urNp linux-3.0.9/tools/gcc/stackleak_plugin.c linux-3.0.9/tools/gcc/stackleak_plugin.c
78055 --- linux-3.0.9/tools/gcc/stackleak_plugin.c    1969-12-31 19:00:00.000000000 -0500
78056 +++ linux-3.0.9/tools/gcc/stackleak_plugin.c    2011-11-15 20:03:00.000000000 -0500
78057 @@ -0,0 +1,251 @@
78058 +/*
78059 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
78060 + * Licensed under the GPL v2
78061 + *
78062 + * Note: the choice of the license means that the compilation process is
78063 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
78064 + *       but for the kernel it doesn't matter since it doesn't link against
78065 + *       any of the gcc libraries
78066 + *
78067 + * gcc plugin to help implement various PaX features
78068 + *
78069 + * - track lowest stack pointer
78070 + *
78071 + * TODO:
78072 + * - initialize all local variables
78073 + *
78074 + * BUGS:
78075 + * - none known
78076 + */
78077 +#include "gcc-plugin.h"
78078 +#include "config.h"
78079 +#include "system.h"
78080 +#include "coretypes.h"
78081 +#include "tree.h"
78082 +#include "tree-pass.h"
78083 +#include "intl.h"
78084 +#include "plugin-version.h"
78085 +#include "tm.h"
78086 +#include "toplev.h"
78087 +#include "basic-block.h"
78088 +#include "gimple.h"
78089 +//#include "expr.h" where are you...
78090 +#include "diagnostic.h"
78091 +#include "rtl.h"
78092 +#include "emit-rtl.h"
78093 +#include "function.h"
78094 +
78095 +int plugin_is_GPL_compatible;
78096 +
78097 +static int track_frame_size = -1;
78098 +static const char track_function[] = "pax_track_stack";
78099 +static bool init_locals;
78100 +
78101 +static struct plugin_info stackleak_plugin_info = {
78102 +       .version        = "201109112100",
78103 +       .help           = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
78104 +//                       "initialize-locals\t\tforcibly initialize all stack frames\n"
78105 +};
78106 +
78107 +static bool gate_stackleak_track_stack(void);
78108 +static unsigned int execute_stackleak_tree_instrument(void);
78109 +static unsigned int execute_stackleak_final(void);
78110 +
78111 +static struct gimple_opt_pass stackleak_tree_instrument_pass = {
78112 +       .pass = {
78113 +               .type                   = GIMPLE_PASS,
78114 +               .name                   = "stackleak_tree_instrument",
78115 +               .gate                   = gate_stackleak_track_stack,
78116 +               .execute                = execute_stackleak_tree_instrument,
78117 +               .sub                    = NULL,
78118 +               .next                   = NULL,
78119 +               .static_pass_number     = 0,
78120 +               .tv_id                  = TV_NONE,
78121 +               .properties_required    = PROP_gimple_leh | PROP_cfg,
78122 +               .properties_provided    = 0,
78123 +               .properties_destroyed   = 0,
78124 +               .todo_flags_start       = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
78125 +               .todo_flags_finish      = TODO_verify_stmts | TODO_dump_func
78126 +       }
78127 +};
78128 +
78129 +static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
78130 +       .pass = {
78131 +               .type                   = RTL_PASS,
78132 +               .name                   = "stackleak_final",
78133 +               .gate                   = gate_stackleak_track_stack,
78134 +               .execute                = execute_stackleak_final,
78135 +               .sub                    = NULL,
78136 +               .next                   = NULL,
78137 +               .static_pass_number     = 0,
78138 +               .tv_id                  = TV_NONE,
78139 +               .properties_required    = 0,
78140 +               .properties_provided    = 0,
78141 +               .properties_destroyed   = 0,
78142 +               .todo_flags_start       = 0,
78143 +               .todo_flags_finish      = TODO_dump_func
78144 +       }
78145 +};
78146 +
78147 +static bool gate_stackleak_track_stack(void)
78148 +{
78149 +       return track_frame_size >= 0;
78150 +}
78151 +
78152 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
78153 +{
78154 +       gimple call;
78155 +       tree fndecl, type;
78156 +
78157 +       // insert call to void pax_track_stack(void)
78158 +       type = build_function_type_list(void_type_node, NULL_TREE);
78159 +       fndecl = build_fn_decl(track_function, type);
78160 +       DECL_ASSEMBLER_NAME(fndecl); // for LTO
78161 +       call = gimple_build_call(fndecl, 0);
78162 +       if (before)
78163 +               gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
78164 +       else
78165 +               gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
78166 +}
78167 +
78168 +static unsigned int execute_stackleak_tree_instrument(void)
78169 +{
78170 +       basic_block bb, entry_bb;
78171 +       gimple_stmt_iterator gsi;
78172 +       bool prologue_instrumented = false;
78173 +
78174 +       entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
78175 +
78176 +       // 1. loop through BBs and GIMPLE statements
78177 +       FOR_EACH_BB(bb) {
78178 +               for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
78179 +                       // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
78180 +                       tree fndecl;
78181 +                       gimple stmt = gsi_stmt(gsi);
78182 +
78183 +                       if (!is_gimple_call(stmt))
78184 +                               continue;
78185 +                       fndecl = gimple_call_fndecl(stmt);
78186 +                       if (!fndecl)
78187 +                               continue;
78188 +                       if (TREE_CODE(fndecl) != FUNCTION_DECL)
78189 +                               continue;
78190 +                       if (!DECL_BUILT_IN(fndecl))
78191 +                               continue;
78192 +                       if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
78193 +                               continue;
78194 +                       if (DECL_FUNCTION_CODE(fndecl) != BUILT_IN_ALLOCA)
78195 +                               continue;
78196 +
78197 +                       // 2. insert track call after each __builtin_alloca call
78198 +                       stackleak_add_instrumentation(&gsi, false);
78199 +                       if (bb == entry_bb)
78200 +                               prologue_instrumented = true;
78201 +//                     print_node(stderr, "pax", fndecl, 4);
78202 +               }
78203 +       }
78204 +
78205 +       // 3. insert track call at the beginning
78206 +       if (!prologue_instrumented) {
78207 +               gsi = gsi_start_bb(entry_bb);
78208 +               stackleak_add_instrumentation(&gsi, true);
78209 +       }
78210 +
78211 +       return 0;
78212 +}
78213 +
78214 +static unsigned int execute_stackleak_final(void)
78215 +{
78216 +       rtx insn;
78217 +
78218 +       if (cfun->calls_alloca)
78219 +               return 0;
78220 +
78221 +       // keep calls only if function frame is big enough
78222 +       if (get_frame_size() >= track_frame_size)
78223 +               return 0;
78224 +
78225 +       // 1. find pax_track_stack calls
78226 +       for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
78227 +               // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
78228 +               rtx body;
78229 +
78230 +               if (!CALL_P(insn))
78231 +                       continue;
78232 +               body = PATTERN(insn);
78233 +               if (GET_CODE(body) != CALL)
78234 +                       continue;
78235 +               body = XEXP(body, 0);
78236 +               if (GET_CODE(body) != MEM)
78237 +                       continue;
78238 +               body = XEXP(body, 0);
78239 +               if (GET_CODE(body) != SYMBOL_REF)
78240 +                       continue;
78241 +               if (strcmp(XSTR(body, 0), track_function))
78242 +                       continue;
78243 +//             warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
78244 +               // 2. delete call
78245 +               delete_insn_and_edges(insn);
78246 +       }
78247 +
78248 +//     print_simple_rtl(stderr, get_insns());
78249 +//     print_rtl(stderr, get_insns());
78250 +//     warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
78251 +
78252 +       return 0;
78253 +}
78254 +
78255 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
78256 +{
78257 +       const char * const plugin_name = plugin_info->base_name;
78258 +       const int argc = plugin_info->argc;
78259 +       const struct plugin_argument * const argv = plugin_info->argv;
78260 +       int i;
78261 +       struct register_pass_info stackleak_tree_instrument_pass_info = {
78262 +               .pass                           = &stackleak_tree_instrument_pass.pass,
78263 +//             .reference_pass_name            = "tree_profile",
78264 +               .reference_pass_name            = "optimized",
78265 +               .ref_pass_instance_number       = 0,
78266 +               .pos_op                         = PASS_POS_INSERT_AFTER
78267 +       };
78268 +       struct register_pass_info stackleak_final_pass_info = {
78269 +               .pass                           = &stackleak_final_rtl_opt_pass.pass,
78270 +               .reference_pass_name            = "final",
78271 +               .ref_pass_instance_number       = 0,
78272 +               .pos_op                         = PASS_POS_INSERT_BEFORE
78273 +       };
78274 +
78275 +       if (!plugin_default_version_check(version, &gcc_version)) {
78276 +               error(G_("incompatible gcc/plugin versions"));
78277 +               return 1;
78278 +       }
78279 +
78280 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
78281 +
78282 +       for (i = 0; i < argc; ++i) {
78283 +               if (!strcmp(argv[i].key, "track-lowest-sp")) {
78284 +                       if (!argv[i].value) {
78285 +                               error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
78286 +                               continue;
78287 +                       }
78288 +                       track_frame_size = atoi(argv[i].value);
78289 +                       if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
78290 +                               error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
78291 +                       continue;
78292 +               }
78293 +               if (!strcmp(argv[i].key, "initialize-locals")) {
78294 +                       if (argv[i].value) {
78295 +                               error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
78296 +                               continue;
78297 +                       }
78298 +                       init_locals = true;
78299 +                       continue;
78300 +               }
78301 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
78302 +       }
78303 +
78304 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
78305 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
78306 +
78307 +       return 0;
78308 +}
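Review bot: The `track-lowest-sp` option is parsed with `atoi(argv[i].value)` and only the first character is validated, so a value such as `12abc` or `1e9` is accepted as whatever prefix atoi reads, and out-of-range values wrap silently. Parsing with `strtol` and an end pointer, and assigning `track_frame_size` only after validation, rejects trailing garbage and overflow; this assumes INT_MAX is available through gcc's system.h, which should be confirmed. `init_locals` is assigned by the `initialize-locals` branch but never read anywhere in the file (its help text is commented out), so either the option should be documented as a no-op placeholder for the "initialize all local variables" TODO or removed until that work lands.
```c
		if (!strcmp(argv[i].key, "track-lowest-sp")) {
			/* … unchanged: missing-value check … */
			char *end;
			long val = strtol(argv[i].value, &end, 10);
			if (end == argv[i].value || *end != '\0' || val < 0 || val > INT_MAX)
				error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
			else
				track_frame_size = (int)val;
			continue;
		}
```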
78309 diff -urNp linux-3.0.9/tools/perf/util/include/asm/alternative-asm.h linux-3.0.9/tools/perf/util/include/asm/alternative-asm.h
78310 --- linux-3.0.9/tools/perf/util/include/asm/alternative-asm.h   2011-11-11 13:12:24.000000000 -0500
78311 +++ linux-3.0.9/tools/perf/util/include/asm/alternative-asm.h   2011-11-15 20:03:00.000000000 -0500
78312 @@ -5,4 +5,7 @@
78313  
78314  #define altinstruction_entry #
78315  
78316 +       .macro pax_force_retaddr rip=0
78317 +       .endm
78318 +
78319  #endif
78320 diff -urNp linux-3.0.9/usr/gen_init_cpio.c linux-3.0.9/usr/gen_init_cpio.c
78321 --- linux-3.0.9/usr/gen_init_cpio.c     2011-11-11 13:12:24.000000000 -0500
78322 +++ linux-3.0.9/usr/gen_init_cpio.c     2011-11-15 20:03:00.000000000 -0500
78323 @@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name,
78324         int retval;
78325         int rc = -1;
78326         int namesize;
78327 -       int i;
78328 +       unsigned int i;
78329  
78330         mode |= S_IFREG;
78331  
78332 @@ -392,9 +392,10 @@ static char *cpio_replace_env(char *new_
78333                         *env_var = *expanded = '\0';
78334                         strncat(env_var, start + 2, end - start - 2);
78335                         strncat(expanded, new_location, start - new_location);
78336 -                       strncat(expanded, getenv(env_var), PATH_MAX);
78337 -                       strncat(expanded, end + 1, PATH_MAX);
78338 +                       strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
78339 +                       strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
78340                         strncpy(new_location, expanded, PATH_MAX);
78341 +                       new_location[PATH_MAX] = 0;
78342                 } else
78343                         break;
78344         }
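Review bot: `getenv(env_var)` on the first rewritten line can still return NULL when the variable is unset, and strncat then dereferences it; the new bound does not cover that case. Resolve the value first, `const char *val = getenv(env_var); strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. Note also that strncat's count excludes the terminator, so `PATH_MAX - strlen(expanded)` lets `expanded` reach PATH_MAX characters plus a NUL, which is only in bounds if `expanded` is declared with PATH_MAX + 1 bytes, as `new_location[PATH_MAX] = 0` suggests for new_location; the declarations are outside the hunk, so confirm. cpio_replace_env's body starts and ends outside the hunk.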
78345 diff -urNp linux-3.0.9/virt/kvm/kvm_main.c linux-3.0.9/virt/kvm/kvm_main.c
78346 --- linux-3.0.9/virt/kvm/kvm_main.c     2011-11-11 13:12:24.000000000 -0500
78347 +++ linux-3.0.9/virt/kvm/kvm_main.c     2011-11-15 20:03:00.000000000 -0500
78348 @@ -73,7 +73,7 @@ LIST_HEAD(vm_list);
78349  
78350  static cpumask_var_t cpus_hardware_enabled;
78351  static int kvm_usage_count = 0;
78352 -static atomic_t hardware_enable_failed;
78353 +static atomic_unchecked_t hardware_enable_failed;
78354  
78355  struct kmem_cache *kvm_vcpu_cache;
78356  EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
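Review bot: Switching hardware_enable_failed to atomic_unchecked_t presumably opts this counter out of the overflow checking the patch applies to plain atomic_t, and nothing in the hunk says why that is acceptable here; the same rationale covers the atomic_inc_unchecked and atomic_set_unchecked/atomic_read_unchecked hunks below in this file. A one-line comment on the declaration would settle it: `/* per-enable failure tally, reset in hardware_enable_all(); not a refcount, so overflow checks are unnecessary */`. The reset is visible in the hardware_enable_all hunk, so the claim is backed by the diff itself.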
78357 @@ -2176,7 +2176,7 @@ static void hardware_enable_nolock(void 
78358  
78359         if (r) {
78360                 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
78361 -               atomic_inc(&hardware_enable_failed);
78362 +               atomic_inc_unchecked(&hardware_enable_failed);
78363                 printk(KERN_INFO "kvm: enabling virtualization on "
78364                                  "CPU%d failed\n", cpu);
78365         }
78366 @@ -2230,10 +2230,10 @@ static int hardware_enable_all(void)
78367  
78368         kvm_usage_count++;
78369         if (kvm_usage_count == 1) {
78370 -               atomic_set(&hardware_enable_failed, 0);
78371 +               atomic_set_unchecked(&hardware_enable_failed, 0);
78372                 on_each_cpu(hardware_enable_nolock, NULL, 1);
78373  
78374 -               if (atomic_read(&hardware_enable_failed)) {
78375 +               if (atomic_read_unchecked(&hardware_enable_failed)) {
78376                         hardware_disable_all_nolock();
78377                         r = -EBUSY;
78378                 }
78379 @@ -2498,7 +2498,7 @@ static void kvm_sched_out(struct preempt
78380         kvm_arch_vcpu_put(vcpu);
78381  }
78382  
78383 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
78384 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
78385                   struct module *module)
78386  {
78387         int r;
78388 @@ -2561,7 +2561,7 @@ int kvm_init(void *opaque, unsigned vcpu
78389         if (!vcpu_align)
78390                 vcpu_align = __alignof__(struct kvm_vcpu);
78391         kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
78392 -                                          0, NULL);
78393 +                                          SLAB_USERCOPY, NULL);
78394         if (!kvm_vcpu_cache) {
78395                 r = -ENOMEM;
78396                 goto out_free_3;
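Review bot: `SLAB_USERCOPY` on the kvm_vcpu cache whitelists the whole kvm_vcpu object for copies to and from user space, and the hunk gives no hint which access needs it. Since the whitelist is per cache rather than per field, the flag deserves a comment at the call site naming the user-copy path that touches vcpu memory, e.g. `/* vcpu objects are copied to/from user space (presumably via the vcpu ioctls); whitelist the cache for PAX_USERCOPY */`. kvm_init's body starts and ends outside the hunk.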
78397 @@ -2571,9 +2571,11 @@ int kvm_init(void *opaque, unsigned vcpu
78398         if (r)
78399                 goto out_free;
78400  
78401 -       kvm_chardev_ops.owner = module;
78402 -       kvm_vm_fops.owner = module;
78403 -       kvm_vcpu_fops.owner = module;
78404 +       pax_open_kernel();
78405 +       *(void **)&kvm_chardev_ops.owner = module;
78406 +       *(void **)&kvm_vm_fops.owner = module;
78407 +       *(void **)&kvm_vcpu_fops.owner = module;
78408 +       pax_close_kernel();
78409  
78410         r = misc_register(&kvm_dev);
78411         if (r) {
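Review bot: The three owner writes cast through `(void **)`, which discards the field's type and would silently accept any pointer; `*(struct module **)&kvm_chardev_ops.owner = module;` (and the same for kvm_vm_fops and kvm_vcpu_fops) keeps the assignment type-checked while still bypassing the const qualifier that the pax_open_kernel()/pax_close_kernel() window is there to work around. Keeping that window to exactly these three stores, as the hunk does, is the right shape; a short comment such as `/* fops are read-only under CONSTIFY; open the kernel only for these writes */` would explain the pairing to the next reader. kvm_init's body continues outside the hunk.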